Trustworthy Ubiquitous Computing PDF

ATLANTIS A MBIENT AND P ERVASIVE I NTELLIGENCE
VOLUME 6
S ERIES E DITOR : I SMAIL K HALIL

Atlantis Ambient and Pervasive Intelligence
Series Editor:
Ismail Khalil, Linz, Austria
(ISSN: 1875-7669)
Aims and scope of the series
The book series ‘Atlantis Ambient and Pervasive Intelligence’ publishes high quality ti-
tles in the fields of Pervasive Computing, Mixed Reality, Wearable Computing, Location-
Aware Computing, Ambient Interfaces, Tangible Interfaces, Smart Environments, Intelli-
gent Interfaces, Software Agents and other related fields. We welcome submission of book
proposals from researchers worldwide who aim at sharing their results in this important
research area.
For more information on this series and our other book series, please visit our website at:
www.atlantis-press.com/publications/books
A MSTERDAM – PARIS – B EIJING

c ATLANTIS PRESS
Trustworthy Ubiquitous Computing
Ismail Khalil (Ed.)

Institute of Telecooperation, Johannes Kepler University Linz,
Altenberger Strasse 69, A-4040 Linz, Austria
Teddy Mantoro (Ed.)

Advanced Informatics School, University of Technology Malaysia,
UTM International Campus, Jalan Semarak, 54100 Kuala Lumpur, Malaysia
A MSTERDAM – PARIS – B EIJING

Atlantis Press
8, square des Bouleaux
75019 Paris, France
For information on all Atlantis Press publications, visit our website at: www.atlantis-press.com
Copyright
This book, or any parts thereof, may not be reproduced for commercial purposes in any form or by
any means, electronic or mechanical, including photocopying, recording or any information storage
and retrieval system known or to be invented, without prior permission from the Publisher.
Atlantis Ambient and Pervasive Intelligence

Volume 1: Agent-Based Ubiquitous Computing - Eleni Mangina, Javier Carbo, José M. Molina
Volume 2: Web-Based Information Technologies and Distributed Systems - Alban Gabillon, Quan
Z. Sheng, Wathiq Mansoor
Volume 3: Multicore Systems On-Chip: Practical Software/Hardware Design - Abderazek Ben
Abdallah
Volume 4: Activity Recognition in Pervasive Intelligent Environments - L. Chen, C.D. Nugent, J.
Biswas, J. Hoey
Volume 5: Computer Vision and Action Recognition - Atiqur Rahman Ahad
ISBNs
Print: 978-94-91216-70-1
E-Book: 978-94-91216-71-8
ISSN: 1875-7669

c 2012 ATLANTIS PRESS
Editorial: Trustworthy Ubiquitous Computing
Ismail Khalil
Institute of Telecooperation, Johannes Kepler University Linz, Austria
Teddy Mantoro
Advanced Informatics School, University of Technology Malaysia, Malaysia
Ubiquitous Computing (UbiComp) is a vision of rich and seamless interaction with the
surrounding computing environment. In spite of the many applications and projects in the
area of ubiquitous and pervasive computing the success is still far away. One of the main
reasons is the lack of acceptance of and confidence in this technology. Although researchers
and industry are working in all of these areas, a forum to elaborate on security, reliability
and privacy issues, that resolve in trustworthy interfaces and computing environments for
people interacting within these ubiquitous environments is important. The user experience
factor of trust thus becomes a crucial issue for the success of UbiComp applications.
The goal of this book is to provide a state the art on trustworthy ubiquitous computing
to address recent research results and to present and discuss the ideas, theories, technolo-
gies, systems, tools, applications and experiences on all theoretical and practical issues in
developing a trustworthy interfaces which are more secure and richer.
The book compiles a series of interesting and timely papers in the areas of 1) trust and con-
text in UbiComp environments, 2) methods and concepts to enhance and ensure reliability
in UbiComp environments 3) distributed attacks detection and secure access protocol in
MANET, WSN and UbiComp environments and 4) access control and mobile payment in
Trustworthy UbiComp environment.
v
vi Trustworthy Ubiquitous Computing
Part 1: Trust and context in UbiComp environments
This part introduces the concepts of trust and trust in ubiquitous environments and consists
of three chapters: Chapter 1 presents automatic trust management of self-adaptive multi-
display environments which is an important issue in Trustworthy Ubiquitous Computing
due to the fact that during the use of multi-display systems, it can impair user trust and thus
user acceptance. Chapter 2 introduces malicious pixels using QR codes as attack vector.
This is a proof-of-concept phishing attack on QR codes, which is based on the idea of
changing the encoded data of a QR code by turning white modules into black ones. This
chapter proposes an algorithm for finding similar QR codes for the attack and showed its
feasibility with an example.
Chapter 3 presents a virtual performance stage as a space for children to create and per-
form stories. This study discusses the development of the Wayang Authoring tool, which
aims to assist young people in creating and performing stories, developing an appreciation
for cultural artifacts, and enhancing intercultural empathy while building a young story
teller community within a virtual world. Wayang Authoring is designed as a type of social
software for children to compose the story individually or collaboratively and be more on
creative production. By using Wayang Authoring children can express their creativity by
producing visual stories and sharing them. Wayang Authoring serves all three kinds of
a participatory including affiliation, expression and collaboration. The tagging system in
the authoring tool support children to have experiences in story structure. The children can
learn to structure and re-structure a story’s sequence by using the Wayang Authoring digital
tool. The aesthetic coupled with the interactive functions support children to explore vir-
tual and narrative worlds. This virtual creative production tool provides a space for young
people to change their role from a simple user to a (co-)creator.
Part 2: Methods and concepts to enhance and ensure reliability in UbiComp

environments
In this second part, the study on network forensics for detection and mitigation of botnet
malicious code via Darknet is presented in Chapter 4. The main types of malwares –
worms and botnet detection using Darknet is covered. This chapter shows how Darknet as
a network forensic technique perform passive detection of malware infected computers.
Chapter 5 introduces the trusted log management system, which can be used to handle the
accounting scandals. As the log system cannot guarantee the transfer of trusted logs across
Editorial: Trustworthy Ubiquitous Computing vii
a vulnerable transfer path, it is unacceptable for use in digital forensics. The solution of
this problem is by defining an efficient log file format by introducing a new CSV and using
YAML Ain’t Markup Language and making a transversal search among log files.
Chapter 6 introduces a framework for the reasoning of collaborative human behaviour in
security-critical work practices. The framework is based on cognitive-based human activ-
ities study and information security, in which it consists of a model and a process. Under
the security context, the model defines the properties and characteristics of collaborative
communication behavior of human users, while the process defines three main steps of
observation, simulation and reason and construction of practical security workflows. This
security framework evaluates and captures potential security “failure” and “conflict” and
envisages the framework to be used for effective handling of security incidents such as
information leakage. The resulting simulation and workflow can then be used to mini-
mize potential security incidents, devise better, easy to follow security policies, technical
mechanisms that may be automated, and better collaborative processes.
Part 3: Distributed attacks detection and secure access protocol in MANET,

WSN and UbiComp environments
Chapter 7 introduces mitigation of wormhole attack in wireless sensor networks, which

looks at the WSN in regard to security issues and challenges. This study proposed a net-
work discovery approach to mitigate its effect in the domain of hierarchal or cluster based
wireless sensor networks which use hierarchal routing protocols.
Chapter 8 presents the protocol for secure access in mobile ad-hoc network (MANET)
for emergency services using group based access control model. As MANET is operated
based on wireless environment, it is vulnerable to threats and intruders due to the fact that
information flow can be intercepted and tampered. To solve this problem, a protocol for se-
cure access in emergency services is constructed and implemented in Group Based Access
Control (GBAC) model. The goal of this security solution for MANETs is to provide se-
curity services such as authentication, confidentiality, integrity, trust and also authorization
or access privileges to mobile users. The GBAC model in this chapter presents a protocol
for secure access to information between MG and members in the same group, which is
known as Intra-access protocol. The protocol is constructed using various cryptographic
methods such as encryption, decryption, digital signature and hash functions. The protocol
employs three processes for secure access which are member registration, tag creation, and
the access control protocol. This study presents analyses using cryptographic and direct
viii Trustworthy Ubiquitous Computing
proofing method are applied to the protocol, to ensure that the protocol for secure access
meeting the security properties such as trust, authentication, authorization, confidentiality,
integrity and non-repudiation.
Chapter 9 presents the distributed attacks detection using a lightweight graph-based pat-
tern recognition scheme in mobile ad hoc networks, as the unique characteristics of
MANETs can also be their limitations. The shared wireless medium, distributed and
self-configuring network architecture and highly dynamic nodes have made them highly
susceptible to many attacks. This chapter proposes a distributed hierarchical graph neu-
ron (DHGN) to be incorporated into a cooperative intrusion detection system (IDS) us-
ing lightweight, low-computation, distributed intrusion detection scheme in mobile ad-hoc
networks (MANETs). To identify possible attacks, the collaborative IDS that incorporate
pattern discovery approach are presented.
Part 4: Access Control and Mobile Payment in Trustworthy UbiComp

environment
Chapter 10 presents security framework for mobile banking, as banking sector is always
looking for new services’ delivery platforms to improve customer confidence and satis-
faction. To achieve this, the banking service delivery platform must provide end-to-end
security to safeguard the information exchange between the bank and the customer. Un-
fortunately, many banks adopt generic user authentication systems that was developed for
the desktop environment or other complex authentication systems with a number of user
intrusive activities. Therefore, the usability and adoption of the mobile banking technology
has been extremely slow. This chapter proposes a protocol to solve this problem which
use a minimum number of communication messages in registration, authentication and
authorization processes by generation algorithm which is implemented using HASH func-
tions and Triple DES encryption algorithm. The authentication and authorization uses non-
intrusive methods and hence user inputs are not required for the process. The proposed
model improves the efficiency and the usability of the mobile banking services by using an
extra 4-digit user PIN to prevent SIM cloning and mobile user impersonation attacks. This
followed by the discussion on anonymous, secure and fair micropayment system to access
location-based services in Chapter 11.
Chapter 12 presents privacy preserving with a purpose-based privacy data graph. As pri-
vacy is critical before the implementation process privacy must be considered first to avoid
expensive errors in the deployed system. This chapter 1) expresses access policy by graph,
Editorial: Trustworthy Ubiquitous Computing ix
which describes the data access policy, and illustrates the direct-linkages and indirect-
linkages between data elements, 2) supports Role Based Access Control to allow admin-
istrator role to assign necessary role-level data access permissions. This simplifies the
specification and management on individual users, especially in the case of large number
of users and finally 3) provides role-level and personal-level access control to specific usage
of privacy data.
Trustworthy Ubiquitous Computing has been studied in a number of disciplinary areas such
as pervasive/ubiquitous computing, ambient intelligence, intelligent environments, mobile
computing and ambient assisted living, research results have been disseminated in a number
of conferences and journals. However, there is a lack of sources that can give a complete,
systematic view on the state of the art work on trustworthy ubiquitous computing. This
book intends to provide professional practitioners – researchers, technology and system
developers as well as application users, in various research communities with a one-stop
hand-on reference book for trustworthy ubiquitous computing in theoretical and practical
issues, which cover the full spectrum of research issues, novel approaches, algorithms,
robust technologies and exemplar applications.
Happy reading.
Ismail Khalil and Teddy Mantoro

Editors
Ismail Khalil (http://www.iiwas.org/ismail/) is a senior researcher and lecturer

at the institute of telecooperation, Johanes Kepler University Linz, Austria, since October
2002. He is the president of the international organization of Information Integration and
Web-based Applications & Services (@WAS). He holds a PhD in computer engineering
and received his habilitation degree in applied computer science on his work on agents’
interaction in ubiquitous environments in May 2008. He currently teaches, consults, and
conducts research in Mobile Multimedia, Cloud Computing, Agent Technologies, and the
Semantic Web and is also interested in the broader business, social, and policy implications
associated with the emerging information technologies. Before joining Johannes Kepler
University of Linz, he was a research fellow at the Intelligent Systems Group at Utrecht
University, Netherlands from 2001-2002 and the project manager of AgenCom project at
the Software Competence Center Hagenberg - Austria from 2000-2001. Dr. Khalil has
authored around 100 scientific publications, books, and book chapters. He is the editor
of the Handbook of Research on Mobile Multimedia series, the book Mobile Multimedia:
x Trustworthy Ubiquitous Computing
Communication Engineering Perspective, the book Multimedia Transcoding in Mobile and

Wireless Networks, the book Innovations in Mobile Multimedia Communications and Ap-
plications: New Technologies and the book Advancing the Next-Generation of Mobile
Computing: Emerging Technologies. He serves as the Editor-in-Chief of the International
Journal on Web Information Systems (IJWIS), International Journal on Pervasive Com-
puting and Communication (IJPCC) both published by Emerald Group publishing, UK,
Journal of Mobile Multimedia (JMM) published by Rinton Press, USA, International Jour-
nal of Mobile Computing and Multimedia Communication (IJMCMC) published by IGI
Global, USA, Advances in Next Generation Mobile Multimedia book series published by
IGI Global, USA, and Atlantis Ambient and Pervasive Intelligence book series published
by Atlantis. He is on the editorial board of several international journals. His work has
been published and presented at various conferences and workshops.
Teddy Mantoro is an associate professor at School of Advanced Informatics, University

of Technology Malaysia (UTM), Kuala Lumpur, Malaysia. He holds a PhD, an MSc and a
BSc, all in Computer Science. He was awarded a PhD from Research School of Computer
Science, the Australian National University (ANU), Canberra, Australia. His research in-
terest is in Ubiquitous Computing, Pervasive Computing, Context Aware Computing and
Intelligent Environment. He has authored several research papers, a book on Intelligent
Environment, several book chapters and has four patents pending to his credits in the area
of pervasive/ubiquitous computing.
Contents
Editorial: Trustworthy Ubiquitous Computing v
Part I Trust and Context in UbiComp Environments 1
1. The automatic Trust Management of self-adaptive Multi-Display

Environments 3
K. Bee, S. Hammer, Ch. Pratsch, and E. André
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Trust in Ubiquitous Display Environments . . . . . . . . . . . . . . . . . 6
1.4 Dimensions of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5 Empirical Validation of Trust Dimensions and User Feelings . . . . . . . 8
1.5.1 Experimental Setting . . . . . . . . . . . . . . . . . . . . . . . 9
1.5.2 Conducting the Experiment . . . . . . . . . . . . . . . . . . . . 11
1.5.3 Results and Discussion . . . . . . . . . . . . . . . . . . . . . . 11
1.6 Towards an Automatic Trust Management System . . . . . . . . . . . . . 12
1.6.1 Using Bayesian Networks to Model Trust . . . . . . . . . . . . . 13
1.6.2 Monitoring Trust over Time . . . . . . . . . . . . . . . . . . . . 15
1.6.3 Maintaining User Trust . . . . . . . . . . . . . . . . . . . . . . 17
1.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.8 Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
xi
xii Trustworthy Ubiquitous Computing
2. Malicious Pixels – Using QR Codes as Attack Vector 21
P. Kieseberg, S. Schrittwieser, M. Leithner, M. Mulazzani, E. Weippl,

L. Munroe, M. Sinha
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2.1 QR codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.2 Capacity and Error correction code . . . . . . . . . . . . . . . . 24
2.3 Security of QR Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.2 Attacking different parts . . . . . . . . . . . . . . . . . . . . . . 26
2.4 QR Codes as Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . 31
2.4.1 Attacking Automated Processes . . . . . . . . . . . . . . . . . . 31
2.4.2 Attacking Human Interaction . . . . . . . . . . . . . . . . . . . 32
2.5 Proof-of-Concept Attack . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.5.1 Outline of the Attack . . . . . . . . . . . . . . . . . . . . . . . 33
2.5.2 Practical application details . . . . . . . . . . . . . . . . . . . . 35
2.5.3 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.6 Future research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3. A Virtual Performance Stage as a Space for Children to Create and

Perform Stories 39
W.A. Widjajanto, H. Schelhowe, and M. Lund
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.2 Storytelling, Technology and Children . . . . . . . . . . . . . . . . . . . 40
3.3 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.3.1 Wayang Performance Workshops with Children . . . . . . . . . 44
3.3.2 Wayang Authoring Development . . . . . . . . . . . . . . . . . 44
3.3.3 Prototype Evaluation . . . . . . . . . . . . . . . . . . . . . . . 49
3.4 Results and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.4.1 Ability to Compose a Story . . . . . . . . . . . . . . . . . . . . 51
3.4.2 Story Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Contents xiii
3.4.3 Intercultural Aspect . . . . . . . . . . . . . . . . . . . . . . . . 56

3.4.4 Interaction between children and the authoring system . . . . . . 57
3.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Part II Methods and Concepts to Enhance and Ensure

Reliability in Ubicomp Environments 63
4. Network Forensics: Detection and Mitigation of Botnet and

Malicious Code via Darknet 65
R. Azrina, R. Othman, Normaziah A. Aziz, M. ZulHazmi, M. Khazin,

J. Dewakunjari
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.3 Motivation and Related Works . . . . . . . . . . . . . . . . . . . . . . . 67
4.4 Our Approach and Implementation . . . . . . . . . . . . . . . . . . . . . 68
4.5 Experimental Results and Analysis . . . . . . . . . . . . . . . . . . . . . 70
4.5.1 Further Analysis on Destination Port 445 Traffic . . . . . . . . . 71
4.5.2 Further Analysis on ICMP traffic . . . . . . . . . . . . . . . . . 72
4.5.3 Analysis of Suspected Client . . . . . . . . . . . . . . . . . . . 73
4.6 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.7 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
5. Trusted Log Management System 79
A. Tomono, M. Uehara, and Y. Shimada
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.2 Related Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.2.1 ILM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.2.2 Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.2.3 Syslog and its Enhancements . . . . . . . . . . . . . . . . . . . 82
5.2.4 Secure Logging on a PC . . . . . . . . . . . . . . . . . . . . . . 83
5.2.5 VLSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
xiv Trustworthy Ubiquitous Computing
5.2.6 Security of the VLSD . . . . . . . . . . . . . . . . . . . . . . . 85

5.3 Design of a Log Management System . . . . . . . . . . . . . . . . . . . 86
5.3.1 System Overview . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.3.2 Collection and Management . . . . . . . . . . . . . . . . . . . . 89
5.3.3 Reference and Search . . . . . . . . . . . . . . . . . . . . . . . 89
5.4 Guaranteeing Logs in a Network . . . . . . . . . . . . . . . . . . . . . . 90
5.5 New CSV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.6 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.6.1 Collection of Logs . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.6.2 Construction of Storage for Logs . . . . . . . . . . . . . . . . . 96
5.6.3 Guaranteeing the Logs . . . . . . . . . . . . . . . . . . . . . . . 96
5.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6. Reasoning of Collaborative Human Behaviour in Security-Critical

Work Practices: A Framework 99
G.S. Poh, N.N. Abdullah, M.R. Z’aba, and M.R. Wahiddin
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
6.1.1 Related Works . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
6.1.2 Our Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.2 Security Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.2.1 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.2.2 Data Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.2.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.2.4 Non-repudiation . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.2.5 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
6.3 Human Behaviour Security Framework . . . . . . . . . . . . . . . . . . 102
6.3.1 Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
6.3.2 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.4 Modeling Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.4.1 Work Practice Analysis . . . . . . . . . . . . . . . . . . . . . . 105
6.4.2 Formal model of the work practice . . . . . . . . . . . . . . . . 105
6.4.3 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.4.4 Observing the simulation . . . . . . . . . . . . . . . . . . . . . 105
Contents xv
6.5 Practical Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

6.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Part III Distributed Attacks Detection and Secure Access

Protocol in MANET, WSN and UbiComp Environments 107
7. Mitigation of Wormhole Attack in Wireless Sensor Networks 109
A. Modirkhazeni, M. Kadhum, and T. Mantoro
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

7.2 Wireless Sensor Network; Concepts and Applications . . . . . . . . . . . 110
7.2.1 Applications of Wireless Sensor Networks . . . . . . . . . . . . 110
7.2.2 Sensor Device Architecture . . . . . . . . . . . . . . . . . . . . 111
7.2.3 Routing in Wireless Sensor Networks . . . . . . . . . . . . . . . 112
7.3 Security Issues in Wireless Sensor Network . . . . . . . . . . . . . . . . 114
7.3.1 Basic Security Requirements in Wireless Sensor Network . . . . 114
7.3.2 Routing Attacks in Wireless Sensor Networks . . . . . . . . . . 116
7.3.3 Cryptographic Approaches in Wireless Sensor Networks . . . . . 117
7.3.4 Key Management Approaches in Wireless Sensor Network . . . 118
7.4 Wormhole Attack in Wireless Sensor Networks . . . . . . . . . . . . . . 121
7.4.1 Classification of Wormhole Attack . . . . . . . . . . . . . . . . 121
7.4.2 Wormhole Attack Countermeasures in Wireless Sensor Network 123
7.4.3 WSN Wormhole Attack Countermeasures; Analysis and Com-
parison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
7.5 Proposed Neighbor Discovery Approach . . . . . . . . . . . . . . . . . . 134
7.5.1 System Assumptions . . . . . . . . . . . . . . . . . . . . . . . 135
7.5.2 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
7.6 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
7.7 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
7.7.1 Effect of Wormhole Attack on Original Hierarchal Protocol . . . 139
7.7.2 Effect of Wormhole Attack on the Enhanced Protocol . . . . . . 141
7.7.3 Mitigation of Wormhole Attack through the Enhanced Protocol . 142
7.8 Conclusion and Future Works . . . . . . . . . . . . . . . . . . . . . . . 143
xvi Trustworthy Ubiquitous Computing
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
8. Protocol for Secure Access in Mobile Ad-hoc Network for

Emergency Services 149
A. Abu Bakar, R. Ismail, A.R. Ahmad, J.-l. Abdul Manan
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

8.2 MANET at Emergency Rescue Mission . . . . . . . . . . . . . . . . . . 151
8.3 Group Based Access Control (GBAC) model . . . . . . . . . . . . . . . 152
8.3.1 Components in GBAC model . . . . . . . . . . . . . . . . . . . 153
8.4 Delegation protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
8.4.1 Delegation protocol using Proxy Signature scheme . . . . . . . . 165
8.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Part IV Access Control and Mobile Payment in Trustworthy

UbiComp Environment 175
9. A Lightweight Graph-Based Pattern Recognition Scheme in Mobile

Ad Hoc Networks 177
R.A. Raja Mahmood, A.H. Muhamad Amin, A. Amir, A.I. Khan
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

9.2 MANETs Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . 178
9.2.1 Attacks in MANETs . . . . . . . . . . . . . . . . . . . . . . . . 179
9.2.2 Wormhole Attack . . . . . . . . . . . . . . . . . . . . . . . . . 180
9.2.3 Black hole or Packet Drop or Sequence Number Attack . . . . . 181
9.2.4 Routing Disruption Attack . . . . . . . . . . . . . . . . . . . . 182
9.2.5 Flooding or Resource Consumption Attack . . . . . . . . . . . . 182
9.2.6 Dropping Routing Traffic Attack . . . . . . . . . . . . . . . . . 182
9.3 Intrusion Detection System in MANETs . . . . . . . . . . . . . . . . . . 183
9.3.1 Intrusion Detection System Architectures . . . . . . . . . . . . . 184
9.3.2 Intrusion Detection Decision Making . . . . . . . . . . . . . . . 184
9.3.3 Existing Intrusion Detection System Solutions . . . . . . . . . . 185
9.3.4 Intrusion Detection Schemes . . . . . . . . . . . . . . . . . . . 186
Contents xvii
9.4 Distributed Hierarchical Graph Neuron . . . . . . . . . . . . . . . . . . 188

9.4.1 Graph Neuron Theory . . . . . . . . . . . . . . . . . . . . . . . 188
9.4.2 Hierarchical Graph Neuron . . . . . . . . . . . . . . . . . . . . 190
9.4.3 Distributed Hierarchical Graph Neuron . . . . . . . . . . . . . . 192
9.5 Three-Stage Cooperative Intrusion Detection System using DHGN . . . . 194
9.5.1 Three-Stage Attack Recognition Process . . . . . . . . . . . . . 195
9.5.2 Challenges in Implementing DHGN in DDoS Detection . . . . . 197
9.6 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
9.6.1 Test1: Distorted images of distinct characters I, A, F and X . . . 199
9.6.2 Test2: Distorted images of low-percentage similar characters S,
F and J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
9.6.3 Test3: Distorted images of high-percentage similar characters I,
T and Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
9.7 Result and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
9.7.1 Classification Accuracy of Distinct Patterns . . . . . . . . . . . 200
9.7.2 Classification Accuracy of Low Similarity Patterns . . . . . . . . 201
9.7.3 Classification Accuracy of High Similarity Patterns . . . . . . . 201
9.7.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
9.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
10. Security Framework for Mobile Banking 207
D. Weerasinghe, V. Rakocevic, and M. Rajarajan
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

10.2 Mobile Banking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
10.3 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
10.4 Security Protocol Design . . . . . . . . . . . . . . . . . . . . . . . . . . 213
10.4.1 Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
10.4.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
10.4.3 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
10.5 Security Tokens and Data Key generation . . . . . . . . . . . . . . . . . 218
10.5.1 Security Token Design . . . . . . . . . . . . . . . . . . . . . . . 219
10.5.2 Data Key generation . . . . . . . . . . . . . . . . . . . . . . . . 221
10.5.3 Execution Challenge Response generation . . . . . . . . . . . . 221
xviii Trustworthy Ubiquitous Computing
10.6 Conclusion & Discussions . . . . . . . . . . . . . . . . . . . . . . . . . 222

Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
11. Anonymous, Secure and Fair Micropayment System to Access

Location-Based Services 227
Isern-Deyà, Payeras-Capellà, Mut-Puigserver and Ferrer-Gomila
11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

11.2 Micropayment Schemes Overview . . . . . . . . . . . . . . . . . . . . . 228
11.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
11.4 Location-Based Services . . . . . . . . . . . . . . . . . . . . . . . . . . 230
11.4.1 Payment Methods to Access LBS . . . . . . . . . . . . . . . . . 231
11.5 LBS Access Protocol Description . . . . . . . . . . . . . . . . . . . . . 232
11.5.1 Initial Considerations . . . . . . . . . . . . . . . . . . . . . . . 233
11.5.2 Bank Account Setup . . . . . . . . . . . . . . . . . . . . . . . . 234
11.5.3 Services List . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
11.5.4 Withdrawal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
11.5.5 Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
11.5.6 Deposit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
11.5.7 Refund . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
11.6 Informal Analysis of Properties . . . . . . . . . . . . . . . . . . . . . . . 241
11.6.1 Analysis of Security Properties . . . . . . . . . . . . . . . . . . 241
11.6.2 Analysis of Efficiency . . . . . . . . . . . . . . . . . . . . . . . 244
11.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
12. Privacy Preserving with A Purpose-based Privacy Data Graph 249
Y. Tian, B. Song, and E.-N. Huh
12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

12.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
12.2.1 Privacy Principles & Policies . . . . . . . . . . . . . . . . . . . 251
12.2.2 RBAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
12.2.3 User Privacy Preference . . . . . . . . . . . . . . . . . . . . . . 253
12.2.4 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Contents xix
12.3 Proposed System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

12.3.1 Basic Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 255
12.3.2 System Design Phase . . . . . . . . . . . . . . . . . . . . . . . 257
12.3.3 Role Level Design Phase . . . . . . . . . . . . . . . . . . . . . 258
12.3.4 Transforming Phase . . . . . . . . . . . . . . . . . . . . . . . . 258
12.3.5 Personal Level Design Phase . . . . . . . . . . . . . . . . . . . 260
12.4 Algorithms and Pseudo Code . . . . . . . . . . . . . . . . . . . . . . . . 260
12.4.1 Detection algorithm in role specification . . . . . . . . . . . . . 261
12.4.2 Privacy Preference Conversion Algorithm . . . . . . . . . . . . 263
12.5 Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
12.5.1 Storage Space . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
12.5.2 Variety of Personal Privacy Policy . . . . . . . . . . . . . . . . 264
12.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
PART I
Trust and Context in UbiComp Environments

Chapter 1
The automatic Trust Management of

self-adaptive Multi-Display Environments
Karin Bee, Stephan Hammer, Christian Pratsch, and Elisabeth André

Augsburg University, Human-Centered Multimedia, Universitätsstr. 6a, 86159 Augsburg,
Germany
{karin.bee, hammer, andre}@hcm-lab.de1
This paper presents an approach to automatically manage user trust in self-adaptive ubiq-
uitous computing systems which grounds on a context interpreter and a Bayesian Network
as well as a feedback control loop that also provides solutions for a system adaptation.
Providing knowledge to the automatic trust management of self-adaptive ubiquitous sys-
tems is of special interest due to the fact that during the use of these systems situations
appear which can impair user trust and thus user acceptance. Some of these situations and
adaptation approaches are presented in this paper. A user study is also described which
provides knowledge about correlations of trust dimensions and user feelings on user trust.
Based on the results of the study, a Bayesian Network called User Trust Model (UTM)
is introduced which is the main focus of the paper. This model provides insights to the in-
terplay between different situations of the users and the consequence on their trust as well
as knowledge about appropriate system actions to re-establish trust.
1.1 Introduction
Based on Rothrock and colleagues [16], an adaptive system can suddenly change its
user interface by adapting the displayed content, dialogue, layout or the used modality.
The highly adaptive behavior of such systems is not always self-explanatory for the users.
If the user either cannot recognize the reason of an executed system adaptation or if the user
does not consider the executed system adaptation as plausible for the recognized reason of
the adjustment, user trust can be impaired which can lead to disuse of the system in the
worst case.
1 Human-Centered Multimedia.
I. Khalil and T. Mantoro (eds.), Trustworthy Ubiquitous Computing, 3

Atlantis Ambient and Pervasive Intelligence 6, DOI: 10.2991/978-94-91216-71-8_1,
Ó Atlantis Press 2012
4 Trustworthy Ubiquitous Computing
We aim at the problem of managing user trust in adaptive systems in the context of
ubiquitous display environments. Recent years have brought about a large variety of in-
teractive displays that are installed in many public, semi-public and private places. Apart
from simply providing information (e.g. news or weather) to people, ubiquitous display
environments make it possible for passing individuals to view, edit and exchange specific
data between each other.
Mobile phones represent a popular interaction device for interacting with these dis-
plays. They have become an everyday companion which maintains all kind of personal
data, such as music, videos and photos. Transferring such data to large screens comes with
a lot of benefits (e.g. usage of full screen mode) but also with a lot of risks, such as the
loss of data due to unstable transmission technologies. Bluetooth is often used for the com-
munication between mobile phones and ubiquitous display environments (e.g. Cheverest
and colleagues [5]). Typical problems of Bluetooth emerge in the discovery process and the
data transmission because they can unexpectedly require more time or even fail completely.
Such a behaviour can seriously affect trust in a system since it is no longer considered as
reliable and secure. The problem is aggravated by the fact that people usually interact with
ubiquitous display environments on a short-term basis without having the possibility to
verify the security of the underlying infrastructure.
In addition, the social setting with the possibility to view personalized information in
the presence of other people inevitably causes privacy concerns. Röcker and colleagues
[15] found that users wish to take advantage of large displays in public settings, however,
they are worried about the protection of their data.
Further, the high dynamics and unpredictability of such environments may negatively
affect the user’s trust. People may approach and leave a display at any time requiring
the systems to permanently adapt to a new situation. Due to the high complexity of the
adaptation process, the user may no longer be able to comprehend the rationale behind
the system’s decisions which may negatively affect the formation of trust. For example,
interviews with users of an adaptive digital signage system that automatically adapts to the
assumed interest of an audience revealed that some users had the feeling that the system
was presenting randomized information [13].
Finally, ubiquitous display environments are characterized by a high degree of auton-
omy which may leave the users with the feeling that they have no longer any control over
the system. It is evident that a loss control will eventually lead to a loss of trust. Summing
The automatic Trust Management of self-adaptive Multi-Display Environments 5
up, there is an enormous need for sophisticated trust management in ubiquitous display
environments in order to ensure that such environments will find acceptance among users.
In this paper we first describe a scenario that provides more insights to problems in
terms of user trust when interacting with ubiquitous display environments. After that, we
aim at related work and relevant trust dimensions. Finally, we describe a user study that
addresses the interplay between the trust dimensions and user trust as well as a first ver-
sion of a Bayesian Network called User Trust Model (UTM). By this means we also
introduce an architecture that embeds the UTM and provides knowledge about controlled
system adaptations based on different situations of the users.
1.2 Scenario
On Friday afternoon, Mary and her friend Anna are in a café in the old town. After
they have found a vacant table and sat down, they realise that it is not an ordinary table and
they wonder what it can be used for. When ordering, they ask the waiter and he explains to
them that the table has a touch-sensitive display and that they can interact with it using their
fingers. Furthermore, the waiter tells them that they also can transfer data, such as images
or video clips, from their mobile devices to the table in order to view, edit and exchange
them.
Since Mary has just returned from her vacation in Italy with her boyfriend Giorgio, she
has a lot of pictures on her mobile phone which she wants to show to Anna. Thus, Mary
decides to use this new touch-sensitive table. But in the same moment, Mary is afraid that
her private pictures – showing Mary and her boyfriend at the beach and drinking liquor –
can be seen by other people than her friend Anna. In addition, she does not fully trust the
system since she cannot be sure that only her selected data will be transferred to the table
because her mobile phone comes with a lot more intimate data, such as text messages she
was exchanging with her boyfriend which are not meant to be seen by anyone – not even
her best friend. In addition, she is concerned that her data could get lost by misuse of the
application. Mary is in the dilemma of initial trust [12]. She wants to use the ubiquitous
multi-display environment because it provides several benefits, but at the same time she
needs to take a risk and rely on a system which she does not own and which she has little
knowledge about.
Despite these concerns, Mary decides to send some pictures to the table in order to
view them in full size since the table looks rather professional which helps Mary to form
immediate trust. Now, Mary first selects the pictures on the mobile phone. Afterwards she
places the mobile phone on the table. After establishing a connection between the mobile
phone and the interactive table, she confirms the transfer of the selected images and the
progress is visualised on the phone. At that moment, Mary is hoping that everything goes
well and that her data does not get lost. Finally, her images become visible on the table
and she confirms the successful transfer on the mobile phone. Now, she realizes that some
critical parts of the pictures became unrecognizable. The system uses a built-in privacy
mechanism that recognises issues when other people are close to the table. Mary likes that
support and thus she is even more confident with the system. She enlarges some of the
pictures and tells her friend her holiday stories.
The illustrated incident was self-explanatory and positively perceived by Mary. Con-
sequently user trust was not impaired. But other adaptations could happen without being
self-explanatory, such as whenever some of the pictures would suddenly disappear which
could be seen as a system error. In this situation user trust could be harmed since the adap-
tation might be perceived as negatively. All in all, user trust is highly situation-dependent
and uncertain. A trust management is required to understand the relationship between all
facets of user trust and the user response.
1.3 Trust in Ubiquitous Display Environments
Most work that investigates trust issues in the context of ubiquitous displays environ-
ments focuses on the distribution of private and public data over various displays. Often
mobile phones are used as private devices that protect the personal component of interaction
from public observation. Röcker and colleagues [15] conducted a user study to identify pri-
vacy requirements of public display users. Based on the study, they developed a prototype
system that automatically detects people entering the private space around a public display
using Infrared and RFID technology and adapts the information that is visible based on the
privacy preferences of the users. An evaluation of the system revealed that users are willing
to use public displays in case there is a mechanism for privacy protection.
Based on the evaluation of two mobile guides, Graham and Cheverst [8] analyzed sev-
eral types of mismatch between the users’ physical environment and information given on
the screen and their influence on the formation of user trust. Examples of mismatches
include situations where the system is not able to correctly detect the user’s current loca-
tion or situations where the system conveys a wrong impression about the accuracy of its
descriptions. To help users form trust, Graham and Cheverst suggest employing different
kinds of guide, such as a chaperone, a buddy or a captain, depending on characteristics of
the situations, such as accuracy and transparency. For example, the metaphor of a buddy is
supposed to be more effective in unstable situations than the chaperone or the captain.
Cao and colleagues [3] introduce the notion of crossmodal displays that enable users
to access personalised information in public places while ensuring their anonymity. The
basic idea is to publicly display the main information, but to add cues for individual users
to prompt them to information that is relevant to them.
As a conclusion, there is a vivid research interest in the design of novel user interfaces
for heterogeneous display environments. However, the few approaches that address the
user experience factor of trust in such environments do not attempt to explicitly model the
user experience of trust as a prerequisite for a trust management system.
A number of approaches have been presented to model trust in computational systems.
Especially in the area of multi-agent systems (MAS), trust models have been researched
thoroughly (see, e.g., Castelfranci’s and Falcone’s introduction [4] to a formal modelling of
trust theory and its applications in agent-based systems). However, these approaches either
focus on trust in software components or aim at modelling trust in human behaviour.
1.4 Dimensions of Trust
Much of the original research on trust comes from the humanities. Psychologists and
sociologists have tried for a very long time to get a grasp of the inner workings of trust
in interpersonal and interorganisational relationships. Other fields, such as economics and
computer science, relied on their findings, but adapted them to the special requirements of
their respective fields and the new context they are applied to. There is consensus that trust
depends on a variety of trust dimensions. However, there is no fixed set of such dimensions.
Trust dimensions that have been researched in the context of internet applications and
e-commerce include reliability, dependability, honesty, truthfulness, security, competence,
and timeliness, see, for example, the work by Grandison and Sloman [9] or Kini and
Choobineh [10]. The more sociologically inclined authors [18] introduce willingness, vul-
nerability, benevolence, reliability, competence, honesty and openness as the constituting
facets of trust. Researchers working on adaptive user interfaces consider transparency as a
major facet of trust, see, for example, the work by Glass and colleagues [7].
Our set of trust dimensions is based on interviews with 20 students of computer science
who were asked to indicate trust factors of user interfaces that they felt contributed to
their assessment of trustworthiness. The most frequent mentions felt into the following
categories: comfort of use (“should be easy to handle”), transparency (“I need to understand
what is going on”), controllability (“want to use a program without automated updates”),
security (“should safely transfer data”), privacy (“should not ask for private information”),
seriousness (“professional appearance”) and reliability (“should run in a stable manner”).
The interviews gave a first impression on which factors influence the user’s trust in
a user interface. However, they do not provide any concrete information regarding their
relative importance. To acquire more quantitative data, we conducted an empirical study
which is described in the subsequent section.
1.5 Empirical Validation of Trust Dimensions and User Feelings
In order to determine the relative importance of trust dimensions in a ubiquitous display

environment, we prepared an experiment that was inspired by the scenario described in
Section 1.2. In particular, we presented our users with a setting consisting of a mobile
phone and an interactive table (Microsoft Surface). The table served as the central medium
for showing and editing multimedia data (see Figure 1.1) whereas the mobile phone was
used to send data to or receive data from the table. Thereby, the transmission and the point
of time of the presentation of the data on the table are critical moments for the user to trust.
The first objective of our study was to investigate the relationship between trust and
trust dimensions by means of concrete user data. In particular, we hypothesised that there
was a positive correlation between trust on the one hand and basic usability, controllability,
transparency, privacy, security and seriousness on the other hand.
A second objective of our study was to find out whether a low level of trust is reflected
by negative user feelings. Previous research investigates how the emotional state of a user
influences the establishment of trust (e.g. Dunn and Schweitzer [6]). There is empirical
evidence that positive emotions foster the establishment of trust while negative emotions
tend to decrease trust. Prior experiments focused in most cases on emotions that were not
related to the subsequent trust judgement task, see Dunn and Schweitzer [6]. We assume
that emotional states can also be directly associated with trust-related stimuli. In particular,
we hypothesise that uneasiness, uncertainty, irritation and surprise are negatively correlated
to trust.
Fig. 1.1 User interacts with the interactive table.
1.5.1 Experimental Setting
In order to get a sufficient variety of user ratings, we built a number of prototypes

where we manipulated the following variables: self-explainability, transparency, control-
lability and privacy. That is we produced a prototype that was less self-explainable (in-
terface included no help function and no descriptive labels), a second prototype that was
less transparent (system gave no reasons for its behaviour), a third prototype that was less
controllable (system did not ask for user confirmations before executing an action), a fourth
prototype that followed as less stricter privacy policy (system displayed all kinds of data
on user request on the table disregardless of whether they were private or not) and finally a
system that did not show any of these problems. In our first study, we decided not to ma-
nipulate the reliability of the prototypes and to present users only with prototypes showing
a proper behaviour.
Figure 1.2 illustrates the screens of the unproblematic prototype during the data transfer
from the mobile phone to the interactive table. At the beginning the user had to select the
images on the mobile phone (see Screen 1). Then, the user was asked to lay the mobile
phone on the interactive table in order to establish the connection between the mobile phone
and the table (see Screen 2). After establishing a Bluetooth connection between the mobile
phone and the interactive table, the user confirmed the sending of the selected images (see
Screen 3 – Do you really want to send these pictures?) and the progress (see Screen 4 –
Sending image 1/3. . . ) was visualized on the phone. Finally, the images became visible on
Fig. 1.2 The different screens of the unproblematic prototype.
the table and the user confirmed the successful transfer (see Screen 5 – transfer successful)
on the mobile phone. For the reverse procedure (transferring data from the table to the
mobile phone), the screens 2 and 4 of Figure 1.2 were used. Instead of confirming the
transmission of the data (see Screen 3), the user now confirmed the reception (see Screen 6).
For our experiment a within subjects design was used. Thus, all subjects participated
in all five conditions of the experiment. To prevent any ordering effects, we permuted
the sequence of the different conditions with almost equal distribution for each prototype.
After the successful completion of a condition with the prototype, the subjects filled in an
identical questionnaire.
In particular, the subjects had to rate the prototype according to the trust dimensions
identified earlier (basic usability, controllability, transparency, privacy, security, serious-
ness and trustworthiness) as well as their emotions (uneasiness, insecurity, irritation and
surprise) on a five point scale (from very low to very high). Afterwards, we used the results
of the questionnaire to validate the relationship between trust and its dimensions as well as
emotions.
1.5.2 Conducting the Experiment
We conducted the experiment with 20 people of which the majority (16 people) had a
background in computer science. The average age of the subjects was 23.75 years (STD
= 2.55) and except one person all subjects who participated in the test were male. The sub-
jects rated their general trust into software systems with a mean value of 3.10 (STD = 0.79)
and their knowledge about secure data transmission with a mean value of 3.5 (STD = 1.05).
Before we started the experiment, each subject was introduced to the correct usage of the
mobile phone and the interactive table which has a touch-sensitive display. Furthermore,
we explained the subjects the purpose of our application running on the mobile phone.
During the experiment, each subject had to perform the following tasks with each of
the five prototypes: (1) Select picture number one, three and five on the mobile phone and
send them to the table. (2) Interact with the three pictures on the table and edit their size.
(3) Send picture number three back to the mobile phone.
1.5.3 Results and Discussion
To measure the degree of relationship between the ratings for trust and the ratings for
the trust dimensions, we computed the Pearson product moment correlation coefficients.
The test revealed a moderate to high positive correlation between the ratings for trust on
the one hand and the ratings for seriousness (r = 0.724), controllability (r = 0.70), security
(r = 0.62), privacy (r = 0.61) and transparency (r = 0.56) on the other hand. For all items,
the correlation was very significant (p = 0.01). The better the ratings for controllability,
transparency, privacy, security and seriousness, the better were also the ratings for trust.
The strongest correlation was observed between the ratings for seriousness and the ratings
for trust. Since the users were confronted with the system for the first time, they obviously
had to rely on the first impression the system made on them when assessing the system’s
trustworthiness. As a consequence, there was a stronger correlation between the ratings for
seriousness and the ratings for trust than between the ratings for the other items and the
ratings for trust (which are too a larger extent based on experience). In our experiment,
we did not observe any correlation between trust and basic usability ratings. As a potential
reason, we indicate that no serious usability issues occurred when the users were interacting
with the presented prototypes. Indeed our users rated the usability of the prototypes with a
mean value of 4.01 (STD = 0.93) on a 5-ary scale. None of them thought the usability of
any of the prototypes was very bad. There is a moderate positive correlation between the
users’ rating of usability on the hand and the users’ rating of transparency (r = 0.22) and
controllability (r = 0.26) on the other hand at the significance level of p = 0.05. Obviously,
the subjects’ ratings of transparency and controllability influenced their ratings of basic
usability.
Finally, our results revealed a moderate negative correlation between trust on the one
hand and uneasiness (r = −0.629), insecurity (r = −0.533), irritation (r = −0.484) on the
other hand. For all items the correlation was very significant (p = 0.01). We conclude that
poor transparency, poor controllability, poor security, poor privacy and poor seriousness
result into a loss of trust which in turn leads to a feeling of uneasiness. Contrary to our
expectations, we did not find any correlation between the users’ ratings of surprise and the
user’s rating of trust.
1.6 Towards an Automatic Trust Management System
In the following, we describe first ideas regarding an automated trust management sys-
tem that assesses the user’s immediate trust in a system, monitors it over time and applies
appropriate approaches to maintain trust (see Yan and colleagues [19]). The trust man-
agement system is based on findings from the literature (e.g. Grandison and Sloman [9],
Kinni and Choobineh [10] and Tschannen-Moran and Hoy [18]) as well as our empirical
study that investigated the relationship between trust and its dimensions. Our model of trust
should account for the following characteristics of trust:
• Trust as a subjective concept

There is a consensus that trust is highly subjective. A person who is generally confiding
is also more likely to trust a software program. However, it is hard to formulate rules
that predict in a deterministic manner how a person will respond to a critical event. We
therefore aim at a model that is able to represent uncertainties.
• Trust as a multifaceted concept
As shown in Section 1.4, trust is a multi-faceted concept. We therefore aim at a com-
putational model that is able to explicitly represent the relative contribution of the trust
dimensions to the assessment of trust. In addition, the model should allow us to easily
add trust dimensions based on new experimental findings.
• Trust as a dynamic concept
Trust depends on experience and is subject to change over time. Lumsden [11] distin-
guishes between immediate trust dimensions and interaction-based trust dimensions.
Immediate trust dimensions, such as seriousness, come into effect as soon as a user
gets in touch with a software system while interaction-based trust dimensions, such
as transparency of system behavior, influence the users’ experience of trust during an
interaction.
1.6.1 Using Bayesian Networks to Model Trust
Based on the considerations, we have chosen to model the users’ feelings of trust by
means of Bayesian Networks. The structure of a Bayesian Network is a directed, acyclic
graph (DAG) in which the nodes represent random variables while the links or arrows
connecting nodes describe the direct influence in terms of conditional probabilities (see
Russell and Norvig [17]).
Bayesian Networks meet the requirements listed above very well. First of all, they
allow us to cope with trust as a subjective concept. For example, we may represent the
system’s uncertain belief about the user’s trust by a probability distribution over different
levels of trust. Furthermore, the connection between critical events and trust is inherently
non-deterministic. For example, we cannot always be absolutely sure that the user notices
a critical event at all. It may also happen that a user considers a critical event as rather
harmless. Bayesian Networks allow us to make predictions based on conditional probabil-
ities that model how likely the value of the child variable is given the value of the parent
variables. For example, we may model how likely it is that the user has a moderate level of
trust if the system’s behavior is moderately transparent.
Furthermore, Bayesian Networks enable to model the relationship between trust and its
dimension in a rather intuitive manner. For example, it is rather straightforward to model
that reduced transparency leads to a decrease of user trust. The exact probabilities are
usually difficult to determine. However, the conditional probabilities can also be (partially)
derived from the user data we collected in the experiment described in Section 1.5.
In Figure 1.3, a Bayesian Network is shown for modeling trust which is called User
Trust Model (UTM). Since trust depends on experience and changes over time. It needs
to be distinguished between immediate trust dimensions and interaction-based trust dimen-
sions [11]. A positive impression of the immediate trust dimensions helps establishing
initial trust in a system just on its first glance (left part of the UTM) while interaction-based
trust dimensions are just visible over the time once the users interact with the system (right
part of the UTM).
Immediate trust dimensions include Security (conveyed, for example, by the use of
certificates), Seriousness (reflected, for example, by the system’s look-and-feel) and Credi-
Fig. 1.3 The User Trust Model (UTM) – modeling trust by means of a Bayesian Network
bility (supported, for example, by company profile information). In this context, we would
like to emphasize that trust dimensions may only affect the user’s trust if the user is aware
of them. For example, high security standards will only have an impact on user trust if the
user knows that they exist.
To describe the determinants of Interaction-Based Trust, we further distinguish between
the Quality of Interaction, Privacy and Reliability. The Quality of Interaction is charac-
terized by Transparency, Controllability and Comfort of Use. Both, the development of
Immediate Trust and Interaction-Based Trust, depend on the user’s trust disposition which
is characterized by his or her Competence and his or her general Confidence into technical
systems.
Fig. 1.4 The architecture for managing user trust. It includes an context interpreter (upper part),
the User Trust Model (middle part) and a observer/controller component (lower part) based on
constraints.
1.6.2 Monitoring Trust over Time
After smoothly interacting with a system over a longer period of time, the users’ trust
into a system is likely to increase. However, it may also happen that an unexpected change
of context causes a sudden loss of trust. In the Bayesian Network (see Figure 1.3) we
therefore introduced the following context nodes which can provide details about changed
situations: Accuracy of Knowledge, User Activity, Social Context and Privacy of Content.
The values of these input nodes influence the values of the dimension variables Comfort
of Use, Transparency, Controllability, Privacy and Reliability and thus Interaction-Based
Trust and User Trust.
The node Accuracy of Knowledge provides details about the correctness of data that
are important for the system to work properly. Once GPS data of a navigation system,
for instance, are wrong or incomplete, the accuracy of knowledge is impaired and thus the
system hardly will be able to continue work well. This situation probably also negatively
impacts dimensions of trust (e.g. reliability) and thus the user’s trust in the system.
The input nodes User Activity and Social Context describe the current state of the users
and their social environments. Once a user, for instance, interacts with an ubiquitous dis-
play environment in a public space, the display of personal content in the presence of other
people will negatively affect the user’s felt privacy. This example shows that also the state
or, for the remaining paper, the context value of the node Privacy of Content is of interest
to completely describe the user’s current situation which might harm the user’s trust in the
system.
The determination of the current context values is performed based on context data of
sensors (e.g. a camera). This determination process called context interpretation is not al-
ways trivial. It is a challenge if the user’s situation is unknown which means that few or no
empirically validated context data exist for the context interpretation. To solve this prob-
lem, we developed an architecture (see Figure 1.4) that embeds the UTM (middle part)
and adds further components. The UTM gets the different context vales by the compo-
nent called Context Interpreter (upper part). This interpretor, for instance, provides
knowledge which context values exist for the Social Context (e.g. alone or in a group) or
for the User Activity (e.g. bored or busy). As mentioned, the interpretation is not a chal-
lenge if empirically validated context data exist for the corresponding situation. But if the
situation is unknown, the interpretor needs to make recommendations towards the different
context values. The approach of context-aware recommender systems (see Adomavicius
and Tuzhilin [1]) can be used in unknown situations since these recommender systems can
provide the required recommendations towards context values based on the most analogous
known empirically determined context data.
By means of the determined context values and the UTM, the development of user trust
can be continuously monitored at runtime in order to detect critical situations that require
adaptations of the system to re-establish trust. As a consequence, we do not only need
a model that describes the relationship between user trust and its dimensions, but also a
model that explains the dynamics of trust. Dynamic Bayesian Networks allow us to model
the dependencies between the current states of variables and earlier states of variables. In
the middle part of Figure 1.3, a fraction of the Bayesian Network is shown illustrating how
trust develops over time depending on the user’s immediate level of trust and a changed
situation occurring at time t = 1. Due to space limitations, we only present one time plate
t = 1. The node User Trust of t = 1 has an direct influence on the node User Trust of t = 2.
1.6.3 Maintaining User Trust
Fig. 1.5 A system adaptation as a consequence of a changed situation in terms of social context.
This adaptation follows the system action to provide a separate interaction and presentation space per
user.
The Bayesian Network presented above supports us in making decisions on how to

maintain trust in critical situations. Such situations arise, among other things, when other
people enter the user’s private space [15], when the system has to generate presentations
based on inaccurate user or context data [8] or when the system’s adaptation behavior mis-
matches the user’s expectations [7]. Within the Bayesian Networks such situations can be
handled by adding decision and utility nodes. A decision node represents all choices that
can be made by the system while a utility node indicates the utilities of all possible out-
comes. As an example, let us assume a user wishes to display data on a public display. To
cope with such a request, the system may consider four system actions: (1) transferring all
data to the public display, (2) filtering out data that the system considers as private and pro-
viding a separate interaction and presentation space per user (see Figure 1.5) or (3) asking
the user for confirmation.
In the Bayesian Network shown in Figure 1.3 we introduced a decision node called
System Action to represent all actions the system may decide to execute. In the example,
system action (1) may raise serious privacy concerns, system action (2) may confuse users
and system action (3) is rather cumbersome. In addition, system action (1) and (2) might
give users the feeling that they have no longer the system under control. The arc between
the decision node and the nodes for the dimensions of trust represents such influences. All
decisions are evaluated based on the usefulness of their consequences. The utility node
attached to the node called User Trust indicates the utility of the single decisions based on
user trust.
But even when having selected a system action based on the UTM, it still needs to be
revealed whether this system action fulfills constraints of the concrete system setting and
how, if possible, the system action has to be executed. In order to also cover these aspects,
an observer/controller component (see Richter and colleagues [14]) is used as a further
component of the architecture (see Figure 1.4 lower part). Its idea is as followed. The con-
straints provide knowledge about accepted corridors of system behaviour, such as whether
a transferring of user interface elements (system action (1)) is accepted for the available
devices. If the selected system action violates against a constraint, a loop provides direct
feedback for the UTM in order to adapt the selected system action otherwise the system
action and thus the system adaptation is executed. For the execution of the accepted system
action, the component also provides solutions, such as which content and which control
elements need to be displayed on which device and how. The constraint-solver called Cas-
sowary (see Badros and colleagues [2]), for instance, can be used to provide a solution how
the accepted system action can be executed in order to fulfill the constraints. A possible
solution is displayed in Figure 1.5. In this example, the interaction and presentation space
has been separated among the users. The constraint-solver provided the knowledge about
the appropriate layout for the different user interface elements.
1.7 Conclusion
This paper presented an approach of managing user trust in an ubiquitous display en-
vironment based on a Bayesian Network, a context interpreter and an observer/controller
component. The focus of this work was on the Bayesian Network called User Trust
Bibliography 19
Model (UTM). Based on context data and a context interpreter, the model is continu-
ously able to reveal situations which require system actions to re-establish user trust. The
UTM does not only provide a monitoring of user trust over the time and knowledge about
moments which require system actions for re-establishing trust, in combination with a
constraint-based observer/controller component it also enables the execution of system ac-
tions within controlled corridors of system behavior.
1.8 Acknowledgement
This research is partly sponsored by OC-Trust (FOR 1085) of the German research
foundation (DFG). A special thank to Georg Döhring, Jessica Eichberg, Dominik Hecht,
Michael Kutsch, André Lohrenz and Thuy Linh Nguyen for their work on the surface
application.
Bibliography
[1] G. Adomavicius and A. Tuzhilin. Context-aware recommender systems. In F. Ricci, L. Rokach,

B. Shapira, and P. B. Kantor, editors, Recommender Systems Handbook, pages 217–253.
Springer US, 2011.
[2] G. J. Badros, A. Borning, and P. J. Stuckey. The cassowary linear arithmetic constraint solving
algorithm. ACM Trans. Comput.-Hum. Interact., 8:267–306, December 2001.
[3] H. Cao, P. Olivier, and D. Jackson. Enhancing privacy in public spaces through crossmodal
displays. Soc. Sci. Comput. Rev., 26(1):87–102, 2008.
[4] C. Castelfranchi and R. Falcone. Trust Theory: A Socio-Cognitive and Computational Model.
Wiley, 2010.
[5] K. Cheverst, A. Dix, D. Fitton, C. Kray, M. Rouncefield, C. Sas, G. Saslis-Lagoudakis, and
J. G. Sheridan. Exploring bluetooth based mobile phone interaction with the hermes photo dis-
play. In MobileHCI ’05: Proceedings of the 7th international conference on Human computer
interaction with mobile devices & services, pages 47–54. ACM, 2005.
[6] J. Dunn and M. Schweitzer. Feeling and believing: The influence of emotion on trust. Journal
of Personality and Social Psychology, 88:736–748, 2005.
[7] A. Glass, D. L. McGuinness, and M. Wolverton. Toward establishing trust in adaptive agents. In
IUI ’08: Proceedings of the 13th international conference on Intelligent user interfaces, pages
227–236. ACM, 2008.
[8] C. Graham and K. Cheverst. Guides, locals, chaperones, buddies and captains: managing trust
through interaction paradigms. In 3rd Workshop ’HCI on Mobile Guides’ at the Sixth Interna-
tional Symposium on Human Computer Interaction with Mobile Devices and Services, pages
227–236, New York, NY, USA, 2004. ACM.
[9] T. Grandison and M. Sloman. A survey of trust in internet applications. IEEE Communications
Surveys and Tutorials, 3(4):2–16, 2000.
[10] A. Kini and J. Choobineh. Trust in electronic commerce: definition and theoretical considera-
tions. In Proc. of the Hawaii International Conference on System Sciences, volume 31, pages
51–61, 1998.
[11] J. Lumsden. Triggering trust: to what extent does the question influence the answer when eval-
uating the perceived importance of trust triggers? In BCS HCI ’09: Proceedings of the 2009
British Computer Society Conference on Human-Computer Interaction, pages 214–223. British
Computer Society, 2009.
[12] D. McKnight, L. Cummings, and N. Chervany. Initial trust formation in new organizational
relationships. The Academy of Management Review, 23(3):473–490, 1998.
[13] J. Müller, J. Exeler, M. Buzeck, and A. Krüger. Reflectivesigns: Digital signs that adapt to
audience attention. In H. Tokuda, M. Beigl, A. Friday, A. J. B. Brush, and Y. Tobe, editors,
Pervasive Computing, 7th International Conference, Pervasive 2009, Nara, Japan, May 11-14,
2009. Proceedings, volume 5538 of Lecture Notes in Computer Science, pages 17–24. Springer,
2009.
[14] U. Richter, M. Mnif, J. Branke, C. Müller-Schloer, and H. Schmeck. Towards a generic ob-
server/controller architecture for organic computing. In GI Jahrestagung (1), pages 112–119,
2006.
[15] C. Röcker, S. Hinske, and C. Magerkurth. Intelligent privacy support for large public displays.
In Proceedings of Human-Computer Interaction International 2007 (HCII’07), 2007.
[16] L. Rothrock, R. Koubek, F. Fuchs, M. Haas, and G. Salvendyk. Review and reappraisal of
adaptive interfaces: Toward biologically inspired paradigms. volume 3, pages 47–84, 2002.
[17] S. J. Russell and P. Norvig. Artificial Intelligence a modern approach. Prentice Hall, Upper
Saddle River, N.J., 2003.
[18] M. Tschannen-Moran and W. Hoy. A multidisciplinary analysis of the nature, meaning, and
measurement of trust. Review of Educational Research, 70(4):547, 2000.
[19] Z. Yan and S. Holtmanns. Trust modeling and management: from social trust to digital trust.
Book chapter of Computer Security, Privacy and Politics: Current Issues, Challenges and So-
lutions, 2008.
Chapter 2
Malicious Pixels
Using QR Codes as Attack Vector
Peter Kieseberg, Sebastian Schrittwieser, Manuel Leithner, Martin Mulazzani, Edgar

Weippl, Lindsay Munroe, Mayank Sinha
SBA Research gGmbH, 1040 Vienna, Austria
[1stletterfirstname][lastname]@sba-research.org
This work examines QR codes and how they can be used to attack both human interaction
and automated systems. As the encoded information is intended to be machine readable
only, a human cannot distinguish between a valid and a maliciously manipulated QR code.
While humans might fall for phishing attacks, automated readers are most likely vulnerable
to well-known types of attacks where input data is not sanitized properly such as SQL and
command injections. Our contribution consists of an analysis of the QR code as an attack
vector, showing different attack strategies from the attackers point of view and exploring
their possible consequences in a proof-of-concept phishing attack against QR codes, that
is based on the idea of changing the content of a QR code by just turning white modules
(pixels) into black ones.
2.1 Introduction
A QR (“quick response”) code is a two dimensional barcode invented by the Japanese

corporation Denso Wave. Information is encoded in both the vertical and horizontal di-
rection, thus holding up to several hundred times more data than a traditional bar code
(Figure 2.1). Data is accessed by taking a picture of the code using a camera (e.g. built into
a smartphone) and processing the image with a QR code reader.
QR codes have rapidly gained international popularity and found widespread adoption,
especially in Japan where its ability to encode Kanji symbols by default makes it espe-
cially suitable. Popular uses include storing URLs, addresses and various forms of data on
posters, signs, business cards, public transport vehicles, etc. Indeed, this mechanism has
a vast number of potential applications [1–5]. For instance, the sports brand Umbro has

contains no data
contains data
9 771473 968012
contains data contains data
Fig. 2.1 2D and 3D codes
embedded QR codes into the collars of England football shirts, sending fans to a secret
website where prizes can be won.
In this chapter, we explore the structure and creation process of QR codes as well as
potential attacks against or utilizing QR codes. We give an overview of the error correction
capabilities and possible ways to alter both error correction data and payload in order to
either modify or inject information into existing codes. Furthermore, we explore numer-
ous vectors that might enable an attacker to exploit either the user’s trust in the content
embedded in the code or automated processes handling such codes.
Our main contributions are:
• to outline possible modifications to different parts of QR codes such as error correction

codes or masking,
• to describe resulting attack vectors, both against humans (e.g. phishing attacks) and
automated processes (e.g. SQL injections).
• to introduce a proof-of-concept phishing attack against QR codes.
2.2 Background
QR codes [6] have already overtaken the classical barcode in popularity in some areas.
This stems in many cases from the fact that a typical barcode can only hold a maximum
of 20 digits, whereas as QR code can hold up to 7,089 characters. Combined with the
diversity and extendability offered, this makes the use of QR codes much more appealing
than that of barcodes. Statistically, QR codes are capable of encoding the same amount of
data in approximately one tenth the space of a traditional bar code. An important feature
of QR codes is that they do not need to be scanned from one particular angle, as QR codes
can be read regardless of their positioning. QR codes scanners are capable of determining
Malicious Pixels – Using QR Codes as Attack Vector 23
the correct way to decode the image due to the three specific squares that are positioned in
the corners of the symbol and the alignment blocks.
QR codes were initially used by vehicle manufacturers for tracking parts. After a while,
companies began to see the variety of different use cases for QR codes. The most popular
commercial use for QR codes is in the telecommunications industry, where the increasing
adoption of smartphones seems to be the biggest driver of their popularity [4, 7, 8]. With
the technology of mobile phones constantly evolving, especially in the area of mobile inter-
net access, QR codes seem to be an adequate tool to quickly and efficiently communicate
URLs to users. This also allows offline media such as magazines, newspapers, business
cards, public transport vehicles, signs, t-shirts or any other medium that can hold the print
of a QR code to be used as carriers for advertisements for online products [9].
2.2.1 QR codes
There are 40 versions (sizes) of QR codes that consist of different areas that are reserved
for specific purposes. In the following we refer to version 2 of QR codes (Figure 2.2),
because version 1 does not contain all areas.
Fig. 2.2 Structure of QR code Version 2

• Finder Pattern (1): The finder pattern consists of three identical structures that are
located in all corners of the QR code except from the bottom right one. Each pattern
is based on a 3 × 3 matrix of black modules surrounded by white modules that are
again surrounded by black modules. The Finder Patterns enable the decoder software
to recognize the QR code and determine the correct orientation.
• Separators (2): The white separators have a width of one pixel and improve the rec-
ognizability of the Finder Patters as they separate them from the actual data.
• Timing Pattern (3): Alternating black and white modules in the Timing Pattern enable
the decoder software to determine the width of a single module.
• Alignment Patterns (4): Alignment Patterns support the decoder software in com-
pensating for moderate image distortions. Version 1 QR codes do not have Alignment
Patterns. With growing size of the code, more Alignment Patterns are added.
• Format Information (5): The Formation Information section consists of 15 bits next
to the separators and stores information about the error correction level of the QR code
and the chosen masking pattern.
• Data (6): Data is converted into a bit stream and then stored in 8 bit parts (called
codewords) in the data section.
• Error Correction (7): Similar to data codes, error correction codes are stored in 8 bit
long codewords in the error correction section.
• Remainder Bits (8): This section consists of empty bits if data and error correction
bits can not be divided into 8 bit codewords without remainder.
The entire QR code has to be surrounded by the so-called Quiet Zone, an area in the
same color shade as white modules, to improve code recognition by the decoder software.
2.2.2 Capacity and Error correction code
The capacity of a QR code depends on several factors. Besides the version of the code
that defines its size (number of modules), the chosen error correction level and the type of
encoded data influence capacity.
• Version: The 40 different versions of QR codes mainly differ in the number of mod-
ules. Version 1 consists of 21 × 21 modules, up to 133 (lowest error correction level)
of which can be used for storing encoded data. The largest QR code (Version 40) has
a size of 177 × 177 modules and can store up to 23,648 data modules.
• Error Correction Level: Error correction in QR codes is based on Reed-Solomon

Codes [10], a specific form of BCH error correction codes [11, 12]. There are four
levels of error correction that can be chosen by the user at generation time. Higher
error correction levels increase the percentage of codewords used for error correction
and therefore decrease the amount of data that can be stored inside the code.
• Encoded Data: QR codes can use different data encodings (see Section 3.2.2 for
detailed information on character encoding modes). Their complexity influences the
amount of actual characters that can be stored inside the code. For example, a QR code
version 2 with lowest error correction level can hold up to 77 numeric characters, but
only 10 Kanji characters.
2.3 Security of QR Codes
2.3.1 Threat Model
One can distinguish two different threat models for manipulating QR codes. First, an
attacker may invert any module, changing it either from black to white or the other way
round. Second, a more restricted attacker can only change white modules to black and not
vice versa.
2.3.1.1 Both colors
The easiest approach for attacking an existing QR code is by generating a sticker con-
taining a QR code with the manipulated QR code in the same style as the original QR code
and position it over the code on the advertisement. Of course this would either require
some preparation or a mobile printer and design applications for a mobile device. At least
when attacking on a large scale against one chosen target, the time needed for preparation
should not pose a serious limitation.
Since this attack is trivial, we have decided to exclude it from the scope of this work.
However, we believe that using this method in an attack against a real-world advertisement
is a viable option for large-scale attacks.
2.3.1.2 Single color
In this case we restrict ourselves to the modification of a single color only. The back-
ground for this restriction lies in the scenario of an attacker seeking to modify a single
poster on the fly just by using a pen (thereby reducing the possible modifications to chang-
ing white modules to black). This restriction is the basis for the attacks further outlined
throughout this chapter.
2.3.2 Attacking different parts
Since QR codes contain a lot of different information, including meta information on

version, maskings and source encoding, several different regions exist that can be targeted
for the attack either individually or in combination.
2.3.2.1 The masks
Masks are used to generate QR codes with a even distribution of black and white mod-
ules (close to 50:50 and distributed well over the entire code). This increases the contrast
of the picture and thus helps devices to decode it. According to the standard, when gen-
erating a QR code, every mask of the 8 specified ones is applied and each result is rated.
The mask that results in the best distribution according to the rating is chosen. The effect
of using correct masks can be seen in Figure 2.3. The left-hand side of the figure shows
the distribution of black and white modules after applying the masking step based on the
analysis of 20,000 randomly generated QR codes. The second graph shows the module
distribution of the same 20,000 QR codes before masking, where, on average, the number
of white modules (represented by the red curve) is approximately two-times the number of
black modules.

Fig. 2.3 Ratio of black and white modules with (left) and without (right) masking
There is always only one mask in use in a given QR code and it is encoded together
with the version in a separate block of the code using strong BCH encoding.
Table 2.1 Mask Pattern References and conditions.

Mask Pattern Condition
000 (i + j) mod 2 = 0
001 i mod 2 = 0
010 j mod 3 = 0
011 (i + j) mod 3 = 0
100 ((i/2) + ( j/3)) mod 2 = 0
101 (i j) mod 2 + (i j) mod 3 = 0
110 ((i j) mod 2 + (i j) mod 3) mod 2 = 0
111 ((i j) mod 3 + (i j) mod 2) mod 2 = 0
In the conditions in Table 2.1, i refers to the row position of the module and j to its
column position. The mask is black for every module the condition is valid for and white
for the rest.
Targeting the mask can change quite a lot in the whole data and error correction part,
still, this can be a useful basis for additionally applying other methods. A problem when
changing the masking is that it is encoded separately, utilizing a strong error correction
algorithm.
2.3.2.2 The character encoding (mode)
There are several different source encodings (Table 2.2) specified for the information
contained in the code, thereby maximizing the capacity in exchange for decreased com-
plexity:
• Numeric mode (just encoding digits, thus being able to pack a lot of data in one pic-
ture),
• Alphanumeric mode (a set of characters containing upper case letters and several ad-
ditional characters like $ or whitespace),
• 8-bit mode (able to encode the JIS 8-bit character set (Latin and Kana) in accordance
with JIS X 0201)
• Kanji characters (Shift JIS character set in accordance with JIS X 0208 Annex 1 Shift
Coded Representation)
to name the most popular.

The character encoding itself is defined at the beginning of the data part by the leading
4 bits. Table 2.2 gives an overview on the possible values for the mode:
Changing the mode indicator gives the encoded data a whole new meaning. Especially
when considering 8-bit Byte mode instead of other modes, or even alphanumeric mode in-
Table 2.2 Mode indicators.

indicator mode
0001 Numeric mode
0010 Alphanumeric mode
0100 8-bit Byte mode
1000 Kanji mode
0011 Structured append
0101 FNC1 (first position)
1001 FNC1 (second position)
0000 Terminator
stead of e.g. Numeric mode, launching code injections (e.g. SQL injections) could become
feasible (8-bit mode even allows for even more complex attacks using control characters).
An advanced attack against the mode can be mounted by mixing different modes in one
QR code (see the section below).
2.3.2.3 Character Count Indicator
Right after the mode indicator, the next bits indicate the character count of the data that
follows. The actual size of the character count indicator largely depends on the mode in
use and the version of the QR code (higher versions contain more data, thus the character
count indicator is longer). Refer to Table 2.3 for lengths for the most popular modes.
Table 2.3 Length of character count indicator.

Version Numeric Alphanumeric 8-bit Kanji
1-9 10 9 8 8
10-26 12 11 16 10
27-40 14 13 16 12
Looking at this target we see two main approaches for an attack: Producing buffer
overflows or buffer underflows.
• Buffer underflow: We change the character count indicator to resemble a lower num-
ber than in the original QR code. Thus, a decoding device should only decode the first
few characters as message, leaving out the rest. This is especially useful in case the
original link that was encoded contained suffixes. Since the size of the data part is
fixed, everything after the anticipated number of bytes is either seen as a new segment
(see mixed modes), or (in case of a terminator mode indicator) as filler. Since this is
only a minor change in the data part (only the length is changed), this should in turn
result in only a minor change in the error correction values and might still be decod-
able. Special attention should also be paid to a possible combination of this attack with
other targets in case mixed modes are used.
• Buffer overflow: We change the character count indicator to a higher number, so
the decoding device tries to decode parts of the filler as data (if we can even change
the filler we gain valuable space for including additional data). Again, one of the
drawbacks of this method lies in the error correcting (and especially error detecting)
abilities of the Reed-Solomon-Code, which make it difficult to perform this attack in
real-life scenarios.
2.3.2.4 Mixing modes
It is possible to use several different modes within one QR code (this is especially
useful to increase density when encoding different types of data). To achieve this, several
data segments with their own mode indicators and character count indicators simply get
concatenated (see Figure 2.4).
Segment 1 Segment 2 Segment n
Mode Character Mode Character Mode Character

Indicator Count Data Indicator Count Data ... Indicator Count Data
1 Indicator 1 2 Indicator 2 n Indicator n
Fig. 2.4 Message containing several modes
Again, we can identify four approaches of utilizing this feature of QR codes for attacks:
• Changing modes of segments: This works similar to an attack on the mode of a QR

code that does not use mixed modes, but is reduced to one segment only, thus leaving
other parts of the data untouched.
• Inserting new segments: Split an existing segment into two new segments, one with
the old header (mode indicator and character count indicator) and one with a newly
defined header.
• Deleting existing segments: Overwrite the space used by the mode indicator and the
character count indicator of the segment with additional data, thus reducing the number
of segments. Additionally the character count indicator of the segment before can be
changed to allow the data of the deleted segment to be appended.
• Structured Append: The structured append mode allows for the concatenation of up
to 16 QR code symbols, so a lot of data can be stored in this sequence of QR codes. It
is designed in a way that decoding is independent from the order the symbols are read.
The basic idea of exploiting this lies in adding such a segment that points to another QR
code that is stuck right beneath the original one. However, this attack requires stickers
prepared in advance, making it less practical (it is far more work than just putting a
prepared sticker on top of the original QR code, especially since the structured append
mode is quite complex).
The main problem with all attacks against the mode (especially insertion and deletion of
segments) is that they usually have a very high impact on the error correction codewords.
Probably this attack can be used in combination with an attack on the error correction part
itself.
Changing modes of existing segments should be attempted to be combined with color
changes in the data section (and of course the error correction part), since it could be a
valuable aid in case there are not enough white modules left for changing (remember that,
as a prerequisite, we only consider changing one color to the other without the possibility
to do the reverse). Also changing modes like numeric and alphanumeric to 8-bit would
suddenly allow for unprintable control characters like delete.
2.3.2.5 Data part and error correction
The largest part of a QR code is made up of the parts containing data and error cor-
rection codewords. The data part itself can consist of segments using several different
encodings, each with its own header specifying the mode in use and the length of the data
following (see subsections on modes above). For a given version and error correction level,
the part in the QR code that represents the data codewords and the part representing the
error correction codewords can be defined easily without decoding, since the length of the
data part is not depending on the actual length of the data (the data is filled up with padding
patterns to the full length). For the position of the data part, refer to Figure 2.2. The exact
length of the data part can be derived from the standard.
By design, any changes in the underlying data directly reflect on both the data and the
error correction part. The Reed-Solomon encoding is able to detect several changes in ei-
ther the data or the error correction part and provides decoding to the original message even
after a moderate number of modifications/errors have been introduced, i.e. if Qi denotes
the 100% correct QR code for message Mi , then a QR codes Qi with only minor deviations
to the original code Qi can still be decoded back to Mi . This feature, while designed to
protect the integrity of the code as much as possible, serves as an important prerequisite
for our attack: We don’t need to change the meaning of the original QR code Qi to exactly
match the QR code Q j , i = j containing our manipulated QR code M j , we just need to

reach a code Qj that is decoded to the same message. In traditional computer security, this
is analogous to NOP sleds that are used in buffer overflow attacks.
Figure 2.5 illustrates the outline of this attack. The green circles denote QR codes
representing exact messages (i.e. containing no errors), the blue circles the set of erroneous
QR codes that get decoded to the same message due to the error correcting features of the
Reed-Solomon code. F denotes the set of QR codes that get detected as incorrect by the
encoding but can not be corrected.
F
Q’n
Qn
F
Q2
Q’2
Q’1
Q1 F
Qx
Q’x
F
Fig. 2.5 Attacking data codewords
2.4 QR Codes as Attack Vectors
We believe that manipulated QR codes can be used for a plethora of attacks. Depending
on whether the reader is a human or an automated program (e.g., in logistics), different
scenarios are possible and outlined in this section.
2.4.1 Attacking Automated Processes
As QR codes are a standardized way of encoding information we strongly believe that

the majority of software developers do not treat the encoded information as possibly inse-
cure input. As described in detail in the previous section, different parts of the QR code
could be manipulated in order to change the encoded information. Depending on the ap-
plications that process the encoded information, whether this would be in logistics, public
transportation or in a fully automated assembly line, attacks on the reader software as well
as the backend are theoretically possible. Without proper sanitation this could by used by
an adversary for the following, non-exhaustive list of attacks. Similar attacks using RFID
chips and SQL injections have been shown to be very effective [13], as input sanitation was
not employed in these examples.
• SQL injection: Many automated systems store and process the encoded information
in a relational database. By appending a semicolon followed by a SQL query like
;drop table <tablename> to the encoded information, manipulations to the back-
end database can be possible. This would delete the table specified in the command,
resulting in a denial-of-service attack. More specific attacks may include adding a
user, executing system commands (e.g., by using the stored procedure xp_cmdshell
on Microsoft SQL Server), or altering data such as prices or passwords stored in the
database.
• Command injection: If the encoded information is used as a command line parameter
without being sanitized, this could be easily exploited to run arbitrary commands on
behalf of the attacker, which may have disastrous consequences for the security of
the operating system e.g., installing rootkits, DoS, or connecting a shell to a remote
computer under the control of the attacker.
• Fraud: Changes to the automated system can be used to commit fraud, by tricking
the system e.g., into believing that it processes a cheap product A while processing the
more expensive product B.
2.4.2 Attacking Human Interaction
Humans can not read a QR code without a reader software, the information stored in the
code is completely obfuscated for them. Hence, humans can not decide on the malicious-
ness of a code with decoding it with a reader software, whereby however a vulnerability in
the application might get triggered.
• Phishing and Pharming: If QR codes are used for URLs in augmented reality sce-
narios, an attacker might set up a fake website and redirect users by changing the QR
code. This is dangerous if some form of credentials are needed to access the website.
The user has no possibility to verify that the URL is not modified. In section 2.5 this
form of attack is demonstrated as a proof of concept.
• Fraud: QR codes are often used in advertisements to direct the target audience to
special offers or additional information about specific products. If the QR code can
be manipulated to redirect the user to a cloned website, an adversary could sell the
solicited product without ever fulfilling the contract. The victim implicitly trusts the
advertising company by following the URL.
• Attacking reader software: Different implementations of the reader software on com-
puters or smartphones might be attackable via command injection or traditional buffer
overflows if the encoded information is not sanitized. An attacker might gain control
over the entire smartphone, including contact information or the victim’s communica-
tion data like e-mail or SMS.
• Social engineering attacks: Building on these attacks, more specific attacks like spear
phishing or other variants of social engineering are possible, depending on the goal of
the attacker. Leaving a poster of a QR code on the parking lot of a company (compare
to the traditional attack with an USB drive) offering discount in a nearby restaurant is
a new attack vector which is likely to be successful.
2.5 Proof-of-Concept Attack
In this section we propose a phishing-attack against printed QR codes, mainly consid-

ering codes placed in the public like on advertisements. Often these QR codes point to a
website of the advertising company, thus being a valuable target for phishing.
An easy solution would be printing new QR codes (containing the phishing-address)
on stickers and putting them on top of the original code. But after all, this can not be done
unplanned, since every poster has got a different style, thus making stickers prepared in
advance easily detectable. So we just want to use a simple device to devise the phishing-
attack on the QR codes: A black pencil/marker. This results in the effect that changes of
the QR code are reduced to changing white modules to black modules.
2.5.1 Outline of the Attack
Efficiently calculating similar code patterns is a difficult task, because the BCH codes
produce unpredictable patterns in the error correction section of the QR code and we do
not have influence on this part of the code. Our approach is to keep the data section as
similar as possible (i.e. we make only changes in one codeword of the data section) and
then calculate the number of changed modules in the resulting error correction section.
This section describes the approach of the proposed attack. The vital steps are discussed
in detail below, the approach for a practical implementation is discussed in the following
subsection.
(1) Scan the QR code (Q0 ) with a mobile device capable of decoding QR codes and re-
trieve the corresponding Message M0 . For the rest of the paper we assume that M0 is a
URL to a website.
(2) Generate several messages Mi , i = 1, . . . , n, that contain URLs to possible phishing
sites (the new messages are generated in a way to make them look similar to the origi-
nal one, e.g. by systematically changing characters in the original URL).
(3) Generate the corresponding QR codes Qi for the messages Mi , i = 1, . . . , n. The new
QR codes should use the same version and mask as the original QR code, so no changes
in these regions of the Code need to be done.
(4) Construct the symmetric difference Di of the generated QR code to the original: Di =
Q0 Qi , i = 1, . . . , n. The symmetric difference is defined as the set of modules on the
same positions in their respective QR codes that differ in color.
(5) Calculate the ratios ri of modules in the symmetric differences that indicate a change
from white to black (thus fulfilling our initial condition):
|{di j ∈ Di : di j . . . white}|
ri = ,
|Di |
where di j denotes the jth module of Di .
(6) Order the QR codes by ratio ri , descending. Codes where the number of codewords
(not modules) that need to get changed from black to white is higher than the error-
correcting capacity of the code can be omitted.
(7) Start with the first QR code Q1 (now sorted) and color white modules of Q0 that are
black in Q1 black. Check after every module, whether the meaning of the QR code
can be decoded and results in a different message than the original. Repeat this until
a valid coloring is found (for the first b elements the check can be omitted, where b
denotes the number of errors the BCH-encoding is capable of correcting plus one. If
the resulting code Qi can get decoded to message Mi , a solution was found.
(8) The last step can be repeated for all Qi where the number of black modules in the
symmetric difference Di is greater than the number of errors that can be corrected by
the BCH-encoding (b).
In step two, the reason why we choose websites similar to the original one is that usually
when a mobile device decodes a QR code, the content is displayed to the user. Thus the
new message should look as unsuspicious as possible, i.e. the phishing must not be obvious
to heighten the success of our attack. Moreover we need the message to contain a valid
internet domain that we can register for setting up the phishing-site. Using this approach
we can validate the availability of the address before undergoing the more expensive task
of trying to change the QR code to resemble it.
In practice we use the following optimization for steps four and five: Our QR codes Q0
and Qx are given in the form of matrices, where 1 denotes a black module and 0 a white
module. The matrix symmetric difference can then be calculated using the element-wise
XOR-function: Dx = Q0 ⊗ Qx . In this matrix, a 1 denotes a field that needs to get changed
and a 0 fields that contain the same color. The matrix Rx of the elements that need to get
changed from white to black is defined by Rx = (Qx ∧ Dx ), where ∧ denotes the element-
wise AND-function. The ratio r can then get calculated by using the 1-norm:
Rx 1
rx =
Dx 1
In step seven, the following optimization can be used: Instead of coloring module by
module, we simply change all modules that can be changed by only using black color
at once and thus generate Qx by applying the fast and simple element-wise OR-function:
Qx = Q0 ∨ Rx .
2.5.2 Practical application details
To increase efficiency, the whole procedure should be placed in a small mobile applica-
tion that automatizes the generation and validation of the new codes as much as possible.
The attacker scans the QR code Q0 with his mobile device (e.g. a smartphone). Then the
application on the device decodes the QR code and generates n messages Mi , i = 1, . . . , n
containing similar domain names. It is important to choose a value n that is large enough
to result in a good success-probability, but small enough to guarantee high run-times. Eval-
uating the size of this number with respect to the QR code parameters could pose an in-
teresting question for future research. Furthermore, the application should check the web,
whether these domains are available for registration, or not, in order to find a suitable
phishing site. The QR codes Qi are generated and rated. Thus the application iterates
through all Qi , i = 1, . . . , n and calculates the symmetric difference Di = Q0 Qi by XOR-
ing the respective matrices, as well as calculates the black/white-ration ri of the resulting
Di , ∀ i = 1, . . . , n. Rating is achieved by ordering the Qi in descending order according to
their respective ri . The application searches for the first suitable Qi that will be decoded to
a message Mi = M0 . The application then automatically registers the domain and displays
a detailed description to the user (i.e. in form of a matrix), how to change the original QR
code Q0 to the new phishing-version Qi . Additionally the application could iterate through
all Mi and display all possible solutions, allowing the attacker to choose one of them.
2.5.3 Example
We developed a proof-of-concept application that finds collisions to a given QR code

based on the attack strategy outlined in the previous section. Figure 2.6 explains the
attack based on the example URL http://yahoo.at. With only 20 white modules
turned into black ones, the content of the QR code can be changed to the phishing URL
http://yghqo.at which was not registered at the time we conducted this experiment.
Given the small display size and the general trust of people towards automation, we are
sure that a lot of people would fall for this phishing attack. In Figure 2.6 we show the orig-
inal Q0 (first square) for Message M0 =http://yahoo.at, a solution Qi (third square) that
is “corrected” to QR code Qi (fourth square), encoding message Mi =http://yahoo.at,
as well as the modules needing a black coloring in order to achieve this transformation
(second square). Note that in this example, we do not have to turn any black modules into
white ones in order to change the encoded message of the QR code.
+ = ≈
http://yahoo.at http://yghqo.at
Fig. 2.6 Example phishing attack.
2.6 Future research
The possibilities for attacks proposed in this paper open up a quite large field for further
research. The main target lies in the accurate analysis and practical application of one or
more of the outlined attacks on a given target. Furthermore, it should be investigated which
parts of a QR code are the easiest to attack, and what countermeasures can be taken to
thwart attacks like the ones proposed in this paper. In even more general terms, it would
be very interesting to find metrics that can be used to measure the vulnerability of QR
codes depending on a given type of attack outline and with respect to characteristics like
black/white-distribution, version, masking, etc. In addition, other 2D-Codes such as Aztec
[14] or DataMatrix [15] need to be analyzed in the same way to identify possible attack
vectors and find suitable countermeasures.
We further want to expand our proof-of-concept attack to consider multiple masks and
to take advantage of the balancing effects of the masking itself, as well as switching to
different encoding-levels. Especially encoding to different masks could lead to a black-
white ratio in our favor. Additionally it would be interesting to determine best-values for
the number n of messages
There is also some room for performance optimizations:
• Defining knock-out criterions for the Qi s based on the hamming distance to Q0 , to

speed up the validation process.
• Refining these criterions to be applicable to the actual messages Mi to reduce unneces-
sary code-generation.
• Using a genetic approach for constructing the messages Mi .
Combining all the proposed optimizations, would allow us to perform the attack on
devices with limited memory and processing power such as smartphones.
2.7 Conclusion
In this paper we outlined the dangers of possible attacks utilizing manipulated QR

codes. Since QR codes gain increasing popularity through their use for marketing purposes,
we expect that this kind of attack will receive more and more attention by the hacking
community in the future. Furthermore, many mobile devices (e.g., smartphones) are able
to decode QR codes and access the URLs contained in them. This adds a new dimension
to the topic of trust, especially since most users are not security-conscious enough when
using their mobile phones (which also enables the use of novel phishing techniques). We
introduced a proof-of-concept phishing attack on QR codes, that is based on the idea of
changing the encoded data of a QR code by just turning white modules into black ones. We
proposed an algorithm for finding similar QR codes for the attack and showed its feasibility
with the help of an example.
In addition to phishing, a multitude of other attack methods, both against humans and
automated systems, might be performed using QR codes. This especially holds true if
proper input sanitization is not performed prior to processing the contained data.
Acknowledgements
This research was funded by COMET K1, FFG – Austrian Research Promotion
Agency.
Bibliography
[1] M. Canadi, W. Höpken, and M. Fuchs. Application of qr codes in online travel distribution. In
ENTER, pp. 137–148, (2010).
[2] H. S. Al-Khalifa. Utilizing qr code and mobile phones for blinds and visually impaired people.
In ICCHP, pp. 1065–1069, (2008).
[3] A. Alapetite, Dynamic 2d-barcodes for multi-device web session migration including mobile
phones, Personal and Ubiquitous Computing. 14(1), 45–52, (2010).
[4] S. Lisa and G. Piersantelli. Use of 2d barcode to access multimedia content and the web from a
mobile handset. In GLOBECOM, pp. 5594–5596, (2008).
[5] Y.-P. Huang, Y.-T. Chang, and F. E. Sandnes, Ubiquitous information transfer across different
platforms by qr codes, J. Mobile Multimedia. 6(1), 3–14, (2010).
[6] ISO 18004:2006, QR Code bar code symbology specification. (ISO, Geneva, Switzerland.
[7] J. Gao, V. Kulkarni, H. Ranavat, L. Chang, and H. Mei. A 2d barcode-based mobile payment
system. In MUE, pp. 320–329, (2009).
[8] J. Z. Gao, L. Prakash, and R. Jagatesan. Understanding 2d-barcode technology and applications
in m-commerce - design and implementation of a 2d barcode processing solution. In COMPSAC
(2), pp. 49–56, (2007).
[9] J. Z. Gao, H. Veeraragavathatham, S. Savanur, and J. Xia. A 2d-barcode based mobile advertis-
ing solution. In SEKE, pp. 466–472, (2009).
[10] I. Reed and G. Solomon, Polynomial codes over certain finite fields, Journal of the Society for
Industrial and Applied Mathematics. 8(2), 300–304, (1960).
[11] R. Bose and D. Ray-Chaudhuri, On a class of error correcting binary group codes*, Information
and control. 3(1), 68–79, (1960).
[12] A. Hocquenghem, Codes correcteurs d’erreurs, Chiffres. 2(147-156), 4, (1959).
[13] M. R. Rieback, B. Crispo, and A. S. Tanenbaum. Is your cat infected with a computer virus?
In PERCOM ’06: Proceedings of the Fourth Annual IEEE International Conference on Per-
vasive Computing and Communications, pp. 169–179, Washington, DC, USA, (2006). IEEE
Computer Society.
[14] ISO 24778:2008, Aztec Code bar code symbology specification. (ISO, Geneva, Switzerland.
[15] ISO 16022:2006, Data Matrix bar code symbology specification. (ISO, Geneva, Switzerland.
Chapter 3
A Virtual Performance Stage as a Space for

Children to Create and Perform Stories
Wahju Agung Widjajanto, Heidi Schelhowe, and Michael Lund

Digital Media in Education Research Group, University of Bremen, Bibliothekstraße 1,
28359 Bremen, Germany
E-mail: wahju@tzi.de, schelhow@tzi.de, mlund@tzi.de
This research focuses on the development of the Wayang Authoring tool, which aims to as-
sist children in creating and performing stories, developing an appreciation for cultural ar-
tifacts, and enhancing intercultural empathy while building a young storyteller community
within a virtual world. This study seeks a framework of interaction design of an authoring
media, which is appropriate for supporting a child’s narrative development. To understand
the user’s requirements and to evaluate the tool, children, teacher and story performers
who use wayang have been involved in the development process. This virtual creative pro-
duction tool is expected to provide a space for young people to change their role from a
simple user to a (co-)creator in both the virtual and narrative worlds. This research found
that a better understanding of how stories are crafted and brought to life in a performance
tradition offers a better design of interaction of an authoring media.
3.1 Introduction
Storytelling is an ancient art through which meaning, experiences, events and actions
are conveyed through words, images and sounds. This art form is traditionally an oral
performance with an interactive relation between storyteller and audience [1]. Storytelling
is first and foremost an interactive performance art form, and it is a co-creative process
between the storyteller and the audience.
Children particularly use storytelling to experiment with their developing notions of a
societal role. Children tell stories, which are part of their everyday experience, in order to
understand the world, develop a sense of self, and to actively participate in their culture [2].

Currently, almost all technologies for children are becoming very sophisticated and
more attractive. Many researchers are trying to develop new technologies in order to facil-
itate personal expression and storytelling. With a closer look at storytelling technologies,
attractive kinds of application currently being developed to facilitate various aspects of
children’s storytelling can be found.
The widespread adoption of the World Wide Web has primarily changed the landscape
of software development. The web has become the de-facto development environment
for applications and new software systems in the past few years. In the new era of web-
based software, applications run on the web as services. Even though virtual worlds cannot
substitute the rich experience of performing with real puppets and a face-to-face audience,
we want to ponder the potentials of web design and usage for the field.
Wayang Authoring [3] has been implemented in order to show how an authoring tool
can support creative storytelling and self-expression, and simultaneously contribute to the
field of storytelling as an interaction design for children. This paper focuses on the use and
evaluation of the Wayang Authoring tool as it aims to assist children in creating stories, de-
veloping an appreciation for cultural artifacts, and enhancing intercultural empathy while
building a young storyteller community within a virtual world. The idea of Wayang Author-
ing is based on the ancient Indonesian art form wayang [4, 5], a traditional two-dimensional
shadow puppet theater.
This paper is divided into four main sections: in the second section, we review the
field of storytelling technologies for children. In the ‘Methods’ section, we explain the
methodology for this research including the development process of the prototype and the
evaluation of the use of the technique with the children. The major findings are discussed
in the ‘Results and Discussion’ section.
3.2 Storytelling, Technology and Children
Storytelling and the development of media have alternately influenced each other, and
each new medium has established a new kind of storytelling. By using digital media as a
major medium, various new kinds of storytelling are created, such as interactive fiction, text
adventures, role plays and games with story elements. The advantages of digital storytelling
are that the stories can be easily stored, retrieved and retold. The creators can rework their
stories and even enable a kind of reflection. Authors can publish their digital stories to
readers worldwide who have internet access. They can also extend their network as they
A Virtual Performance Stage as a Space for Children to Create and Perform Stories 41
share their work and cooperate with others on collaborative stories, and enable interaction
between authors and readers, authors and authors, and even readers and readers.
At the commercial level, the available storytelling software that tells stories to children
encourages them to learn how to read by relating passages from children’s literature, en-
abling them to illustrate stories or by filling in the blanks in incomplete stories [6]. Some
provide them with a kind of pseudo-authoring environment, where children can choose
some texts or characters to build stories, or allow children to illustrate stories through using
a word processor (e.g., Kid Works Deluxe1 , The Amazing Writing Machine2 ). FluxTime
Studio3 and Flip Boom Cartoon4 are two examples of authoring media that enable children
to create animation and cartoons that they can save or send to friends.
There are some commonalities in the objectives of the different storytelling software
systems available, e.g., supporting self-expression and collaboration. Examples of such
technologies are KidPad, FaTe2, and StoryBuilder. KidPad is a children’s spatial story-
telling application. This technology is a zooming storytelling that enables children to in-
dividually or collaboratively create stories [7, 8]. KidPad provides a single display with
multiple mice, so two or more children can independently use different tools at the same
time using their own mouse. FaTe2 (Fairy Tales and Technology) is a web-based, multi-
user, multi-dimensional hyperspace, where children (aged 8-11) can meet, chat, play, and
perform storytelling activities in collaboration [9]. In contrast, StoryBuilder is a comic-style
version of the add-a-sentence-to-a-story activity that allows children to create and submit
the next page in an ongoing story using pre-existing elements. The goal is to provide a
place where children can create stories reflecting their own voice while collaborating in a
storytelling process [10].
Social communication is also an important objective of storytelling systems. Besides
FaTe2, KidCam is also intended to support social communication. KidsCam is a ‘wearable’
device that audio-visually records events in the child’s everyday life, and connects them to
a collective memory of interrelated episodes. This technology facilitates and supports the
development of social, emotional and communicative skills of children in the context of the
everyday activities [11].
From the accounts of and descriptions of some storytelling technologies (KidPad, Sto-
ryBuilder, The MUST [12], and Fate2), it has been found that web technology is a good
1 http://www.smartkidssoftware.com/nddav13.htm
2 http://www.smartkidssoftware.com/ndbro18.htm
3 http://www.fluxtime.com/
4 http://www.toonboom.com/products/flipboomcartoon/
choice to build an online environment which facilitates children in collaborative story-

building. Besides, hyper technology is one solution to support an understanding of story
structure by connecting several scenes. However, it has been noticed that none of these
technologies is planned or designed based on a particular cultural tradition.
In order to see if and how traditional art forms had been reflected or put on a virtual
stage, we did exploration on some researches. There are Real-Time Visual Simulation
and Interactive Animation of Shadow Play Puppets Using OpenGL [13], I-Shadows [14],
and ShadowStory [15]. In the Real-Time Visual Simulation and Interactive Animation of
Shadow Play Puppets Using OpenGL project, the authors introduced an approach that is
based on the Malaysian traditional art form of shadow puppet shows. Here, the focus is on
the simulation of virtual puppets that can move like real physical puppets on a stage. This
specific development copes with the variety of problems that are known from other special
effects technologies either for movies or computer games. This approach is contributing to
the field of special effects technologies and the visual representation of traditional artifacts
and the use of those artifacts, but the narrative tradition or the creative potential of the
storytelling tradition for our current culture is not in focus.
The I-Shadow is an agent-based system for human learning and entertainment. This
project is aimed to create an interactive storytelling application where the user can act out
freely stories. The base for this system is the Chinese shadow play that is taken as an aes-
thetic role model that influences the visual appearance. The system provides a virtual stage
and virtual characters to play a story-based game. The core of the system is an Emotional
Agent Architecture (FAtiMA). The autonomous characters are having a behavior that is
controlled by FAtiMA. According to narrative structures, the author had implemented these
structures and patterns into this drama system. An important question of interactive narra-
tion which is how to design a system that enables interaction with a story is discussed by
this approach. In this way, the system is more like a game, and the user is collaborating
with the system. The creative challenge to tell a story by imagination and invention is not
in focus. It seems that acting with the system is the main activity of the user. How can a
user explore own imagination, diving in storytelling and learn about narrative structures?
These questions are still remaining.
ShadowStory is a digital storytelling system inspired by traditional Chinese’s shadow
puppetry. This system is designed to allow children to create and collaborate through play-
ing them. By this, the cultural heritage should be experienced. The focus of this system
is to design puppets as a preparation for real physical performances. The target to involve
children in approaching a traditional art form is presented. However, the own creative in-
vention of stories and exchange of stories to reflect narrative structures are not the focus of
this system. Providing the potential of a traditional art form for a creative approach towards
storytelling that foster self-expression still remains as a challenge in designing storytelling
applications. Therefore, Wayang Authoring is a new system proposed to fulfill the aims of
providing a storytelling system that supports creative storytelling and self-expression, and
simultaneously contributes to the field of storytelling as an interaction design for children in
its relevance to the understanding of story structure, builds a young storyteller community
in a virtual world and supports intercultural empathy.
3.3 Methods
Wayang Authoring as an environment that builds on cultural understanding and diver-

sity was implemented in order to bring this concept to life and to provide evidence of its
benefits. Literature research was carried out to discover the state of the art of several as-
pects, such as storytelling, storytelling technology for children and social software. To
understand the user’s requirements, children and professional story performers who use
wayang have been involved in the design process. In order to evaluate the tool, a number
of discussions and several workshops have been conducted with experts and with children
from different cultural backgrounds as well as with their teachers.
Fig. 3.1 Wayang performance by children from Rockwinkel School Bremen at Übersee Museum,
Bremen. The puppeteers, gamelan (traditional musical instruments from Indonesia) players and au-
dience are children, parents and teachers.
3.3.1 Wayang Performance Workshops with Children
In order to better understand how children prepare and perform a story for a wayang
performance (see Figure 3.1), we worked together with a ‘Gamelan Kancil’ group in a
school in Bremen, Germany for children aged 6 to 13 called Schulzentrum Rockwinkel.
There, students are familiar with both the traditional musical instruments and the shadow
puppet performance from Indonesia. A second workshop was conducted at a school in
Kassel lasting two months.
3.3.2 Wayang Authoring Development
Fig. 3.2 Basic elements of Wayang Authoring are composed from three components: the imagina-
tion step, creative step, and social step.
Wayang Authoring is designed as a multimedia-authoring-tool web-based application

for children to create stories and a virtual community of storytellers. This prototype is
implemented by utilizing the most important recent feature of the web, namely the ability
to run scripts on a client through JavaScript.
3.3.2.1 Elements of prototype
The prototype consists of three elements: the imagination-building element, the creative
working element, and the social interaction element as can be seen in Figure 3.2. With the
imagination-building element children can obtain ideas or inspiration from the tutorial or
from stories that already exist, which have been stored and shared by other users. This
element is expected to support children in building their imagination. The creative acting
element usually enables the children as members of the Wayang Authoring community to
compose a story and save, replay and perform it. This element is projected to give the
children an avenue to express their imagination through these stories. Moreover, they can
reflect on and play with their creation. Then in the social interaction element, the children
can share their stories, give comments and rank other children’s stories. This process is
designed to support children to find friends and to connect with friends in the context of
this social network. This element is designed to provide the children with the chance to
experience community building and its communication, as well as the way to control their
story building.
3.3.2.2 Main features of prototype
The main features of this prototype are composing stories, playing stories, managing
stories such as sharing or unsharing stories, rating and commenting on stories, and grouping
the authors based on the authors’ location.
Fig. 3.3 Screenshot of Wayang Authoring’s prototype for composing a story. Three main parts of
the page are a stage where a user creates a story by putting and moving figures on it; three containers,
which contain available figures; and a panel button. Properties of the figures such as dialogue text,
sound, or rotation can be manipulated using a context menu or a pop-up panel property which appears
if the user clicks on the figure.
Composing stories: This feature is the main function of this tool. The web-based GUI
of this “composing a story” is shown in Figure 3.3. Recording process will be automati-
cally started at the moment the user puts a figure on the stage. This tool allows users to
record the movements of the figures. The user can define the movement of a figure using
the dragging capability of that figure. The direction and speed of the movement are auto-
matically recorded, so that the user can record all movements very easily without defining
a time line. A start/end point of the object’s movement can be fixed.
Playing stories: The user can play a story by choosing it from a list of stories. An item
in the list contains information about the story’s title, author, date, and main actors. As a
default all stories will be displayed sorted by date. However, this tool provides features
to list stories based on author or actor. The user can also search for stories based on a
combination of title, actor, and author. Color or black-and-white mode can be selected
when a story is played as seen in Figure 3.4.
Fig. 3.4 Color and black/white mode during playing a story.
Rating and commenting: Each story, which is displayed on the list, has information
added about its rating and how many times it has been viewed. This tool provides rating
and commenting features. The rating feature allows users to rate the story on a 1-5 scale.
Another option that can be used is the commenting feature. Users can leave comments
to share their opinion about the story. This feature is designed to enable communication
between the author and the audience or between the authors themselves in order to support
the user to have experiences in communication.
Managing stories: This feature enables users to manage their stories and provide expe-
rience with control. They can share their stories or decide not to share them, delete stories,
download stories, and edit story properties.
Connecting authors: An additional tool’s feature should enhance the cooperation
among authors and promote the exchange of stories. In a mash-up, Google map is used to
Fig. 3.5 Author grouping based on location.
visualize the authors according to their location on the globe as seen in Figure 3.5. A profile
can be added and also connected to the authors easily. This feature is expected to give an
opportunity to build a trans-cultural community. The coordinate information—latitude and
longitude values which uniquely reference a point on the world—is automatically detected
by the system based on the IP address of the user.
3.3.2.3 Model of story’s structure
A model for building non-linear stories by utilizing a tagging system is designed. The
Wayang Authoring tool provides a feature for children to build a non-linear story from
story units that are existing in the system by using a tagging system [21, 22]. A model for
building a non-linear story has been designed as shown in Figure 3.6 and 3.7 as well as the
interface has been implemented as shown in Figure 3.8 and 3.9.
3.3.2.4 Organizing story in a visual symbolic way
In order to support children in gaining an understanding of the structure of a wayang

story in a symbolic way, a functionality to show or play a story using signs and story lines
is implemented. Position or distance between actors can be identified from the story line.
Each actor will be symbolized as a colored line. Activities of the actors, such as dialogue,
flipping, changing mood, etc., are shown using small symbols.
Fig. 3.6 Illustration of the model of a non-linear story. A single story, which is tagged by other
stories, will have two new properties. The first property is called follower. The second property is
called leader which contains the title of a story from a story that followed. Using this method we
can compose a non-linear story. If a story has more than one leader it means that at that point a story
branch will be created.
This story line model is expected to help children to enhance their imagination and cre-
ativity because to symbolize is an act of construction and a very important act of thinking.
Language and script make up the basic symbol set of our culture. In order to progress
in mental processes the subjects are supposed to translate experiences into symbolic rep-
resentations. Symbolization is, in this view, the basis of invention and creation of ideas.
Symbols are not only surrogates of the objects of this world; they are also a vehicle that
helps to picture and understand real objects.
3.3.2.5 XML structure
In the Wayang Authoring tool, XML format is used in this system to record a story’s
data. An example of structure of the XML of a story is shown in Figure 3.11. Two major
elements of the XML file are the info element and the scenes element. The info element
contains information such as the author’s name, story’s title, main actors, date of the story,
and a short description of the story. The scenes element contains information about the
story itself. All of an actor’s movements will be recorded in the scene element, including
coordinates, dialogue text, and other properties such as sound, flip status, and rotate status.
XML is chosen to support compatibility with another authoring tool, which is called
Wayang Composing, an authoring tool which runs on a PC as a desktop application as seen
Fig. 3.7 Illustration of a non-linear story. The story B has two leaders (story C and E) and a follower
(story A). The story C has one leader (story D) and one follower (story B). The story F has one leader
(story D) and one follower (the story E). This means that the story D has two followers (story C and
F). The reader at point B will have an opportunity to continue the story through story E or through
story C.
in Figure 3.12. Wayang Composing was developed to support users who do not have an
internet connection. The features of this tool are similar to the Wayang Authoring tool
except the sharing story online and displaying storyteller groups features. However, users
can still share their stories using the upload facility of the Wayang Authoring tool as long
as they have an account for it. Furthermore, they can download stories from the Wayang
Authoring tool and play them using the Wayang Composing tool.
3.3.3 Prototype Evaluation
The Wayang Authoring system is evaluated in order to show that the tool can support
creative storytelling and self-expression, the understanding of story structure, and intercul-
tural empathy as well.
Evaluation was carried out throughout the Wayang Authoring prototype through usabil-
ity tests, focus group, interview, observation, and comparison as well as story document
analysis. We conducted nine workshops with different groups of children with different
cultural backgrounds. Interviews have been held with experts, teachers, and children. The
interviews were conducted using semi-structured questions. The interviews with children
were aimed at finding information about their personal motivation and experiences in cre-
Fig. 3.8 Non-linear stories interface. Users choose a story from the story tag cloud instead of using
a search tool. To connect this story to another story, users use the tag tool.
Fig. 3.9 A non-linear story path. Each story which has more than one leader will have a story
branch.
ating stories with or without the authoring tool. In order to find out the different processes
of creating stories with or without the authoring tool, a comparison has been made between
children who prepare a real wayang performance and children who compose stories using
the authoring tool.
Fig. 3.10 In this story, an elephant comes onto the stage in a happy mood, indicated by a green
circle. But a tiger then appears that is in a bad mood, indicated by a black circle. The tiger and the
elephant start a dialogue, symbolized by a bubble symbol. A triangle symbol indicates that the actors
have turned back (flip) from their current position. At the end, the tiger becomes happy; the black
circle on the red line is changed into a green circle and then the tiger rolls away, symbolized by a
circular arrow.
3.4 Results and Discussion
This section discusses the findings from the development process and evaluation of
Wayang Authoring system.
3.4.1 Ability to Compose a Story
This part discusses facts about how the children build a story. This discussion is im-
portant for analyzing whether a part of the goal, which provides an authoring tool that
supports creative storytelling and self-expression, has been reached. Several methods have
been used such as observation, interviews, and focus group. The process of composing a
story by using our prototype with the real story preparation for a wayang performance is
compared.
Firstly, it was found in the wayang performance workshop with physical puppets that
children were encouraged to build a story from their imagination. They started to build
a story in their imagination from the moment they held a puppet. They built a relation-
ship with the puppet. Then they communicated with others to share their imaginative ideas
in order to arrange and develop the story. Through the communication of ideas, children
can be put into an imaginative context and through their physical actions they may gain
new meanings. From this imaginative activity children learned to manage complex con-
texts, take different roles and views and act in fictive situations as well. Furthermore, the
child by using real puppets or digital puppets in Wayang Authoring gains experience in
<story>
<info>
<author>joachim</author>
<title>joachim-34</title>
<actors>elephant, tiger<actors/>
<date>06/01/2011</date>
<description>no description</description>
</info>
<scenes title="tester-34" sound="default no sound">

<scene number="1" time="1" isFigure="true" flip="false"
sound="true" dialog="false" rotationL="false"
rotationR="false">
<actor>elephant</actor>
<pos-x>81</pos-x>
<pos-y>169</pos-y>
<text-dialog> </text-dialog>
</scene>
<scene number="2" time="2" isFigure="true" flip="false"
sound="true" dialog="false" rotationL="false"
rotationR="false">
<actor>elephant</actor>
<pos-x>81</pos-x>
<pos-y>169</pos-y>
<text-dialog> </text-dialog>
</scene>
.
.
.
</scenes>
</story>
Fig. 3.11 An example of XML structure of a story’s file.
learning to act with the use of symbols instead of just using objects. The framework also
demands opportunities to set and bargain with the rules and the adapted activity asks for
self-monitoring of one’s own behaviors and to cooperate with others. Altogether, it can be
best described that tasks that involved the children in role-playing and fiction-playing can
be used as an effective exercise to help children discover imagination, concepts, models,
ideas and meanings and to act with them as if they were objects [16]. Furthermore, the
teacher believes that through these tasks, abstract thinking will be enhanced and language
skills will be fostered.
We found that there are no significant differences in the process of composing a story
when using either the traditional puppets or the authoring media. However, it was found
Fig. 3.12 Stories exchange between Wayang Authoring (web-based application) and Wayang Com-
posing (desktop application).
that children had different experiences. Experiences in the body movements and wayang
puppet’s gestures are prominent in composing a story using the real puppets. Children can
learn much easier to make and control a gesture and give effects on the puppet’s movement.
The combination of movements between the puppet’s arms and body creates a complex
gesture. This property of real wayang puppets cannot and is not supposed to be handled
by Wayang Authoring. In other ways, Wayang Authoring offers different experiences in
developing and performing stories.
During a workshop the children produced several single stories by using an interface
as shown in Figure 3.3. From the chart in Figure 3.13 it can be observed that the average
number of single stories that can be produced by a child is five stories. Two interesting
pieces of data have been found: Child (C4) produced nine stories (above the average), and
child (C8) produced two stories (below the average). To get more information about this, a
talk has been held with the two children separately. They were asked what their impressions
were of our authoring tool. Both answered that they liked and enjoyed using the tool. It
needed to be explored more in order to gain the answer as to why there was such a large
difference in the amount of stories produced. From the exploration it was found that the
child who produced nine stories is used to telling stories at home, but the other child rarely
tells stories, so he needs support in developing an idea to tell or create a story including
when using our tool.
Fig. 3.13 The average number of story’s components of the children during the workshop. The
XML story documents are analyzed to extract several components of the story such as actors, dia-
logues and character properties. The result is used to analyze the complexity of a story.
Furthermore, the analysis of the XML story files were conducted in order to find out
some information in their stories, such as how many actors they used, whether they built
dialogues between the actors, and did they manipulate the figures’ properties. They used
at least two actors and combined several figures. The variation of figures and story themes
is much greater than in the previous wayang performance workshop. This study did not
explore the meaning of the stories. Figure 3.13 shows the results of the examination. The
average number of actors, dialogues and other figures’ properties (e.g., rotation, flip), which
appeared in the children’s stories are counted. It can be obtained one particularly interesting
result from the chart: a child (C8), who created two stories made six dialogues in average
in his stories. In discussion with the teacher, it was informed that he is normally a quiet
child in class. He has difficulties focusing on subjects in class and rarely talks with others.
During the workshop, the teacher and the researcher observed him, and it was found out
that the child was very engaged and focused on creating stories. He expressed his ideas by
moving the figures, creating dialogues, and changing the actors’ properties.
Based on the workshop and the evaluation processes, it has been found that the Wayang
Authoring tool can support creative storytelling and self-expression. Children take existing
materials as an inspiration tool, imagine what they themselves want to tell, create a story
based on their own ideas, play with their creations, share their stories and creations with
others, and reflect on their experiences at the end. However, this study cannot offer em-
pirical evidence for reflection experiences. From the observation and discussion with the
children and teachers, some hints were found that indicate the children have this experience
during using the tool. Wayang Authoring supports reflection on the creation of an artifact
(Reggio Emilia approach [17]) and important reflection on the ideas that guided the design,
or strategies for refining and improving the design (Kindergarten approach to learning from
Resnick [18]). Children can reflect on the story or on the process of creating the story.
This digital authoring tool has several advantages in comparison to the traditional
wayang storytelling. The digital tool facilitates children to explore the figure’s charac-
ter information by themselves. The children are able to share their stories broadly, and they
have an opportunity to communicate their ideas with others in a worldwide scope. A list of
stories related to a specific actor or story library, which can be used to evoke imagination
and ideas to create a story, can be easily added to and retrieved from the database. The
children have two roles when using the digital tool. They act as the ‘writers’ and, at the
same time, as the ‘readers’ as well. Moreover, this digital tool enables children to reflect
on their stories by playing and re-playing, and by reading comments of their stories.
3.4.2 Story Structure
This part discusses how our authoring tool can support story structure understanding for
children. A story can be viewed as an ensemble of story units and a story unit in this study
is a single story. Therefore, story structure in this context is a relation schema between
single stories.
Linear stories have linear processes and non-linear stories have non-linear processes.
Non-linear story is a structure which is important to be understood even for young chil-
dren especially when they use hypermedia such as web applications. A characteristic of
hypermedia is non-linearity structure, which allows us to navigate through an information
space using associative linking [19, 20]. The user action determines a pathway through the
material. Similarly, hypertext fictions are about the journey as much as they are about the
narrative that waits to be pieced together.
The children were interviewed in order to explore their understanding of story struc-
ture and what they had gained from the tagging system in context story structure. It was
found some interesting results from the interviews. Two children asked what the meaning
of ‘Followers’ and ‘Leaders’ is. They also asked why the information in ‘Leaders’ is only
changed when they have tagged a story to another story. To answer the questions an illus-
tration was provided to show them the effect of a tag on the story’s sequence. If a story has
more than one leader, at that point an option will appear to ask the user to decide which
story will then be played.
There were indications that they understood the effect of tags on a story. Two boys
reflected and interpreted their understanding in a different way. These are examples of
their quotes:
“... it looks like a sign on the street... I saw the arrows on the street... [hmm]... yes,
left and right...”
“... I saw an option in a game... I have to choose something... but... I didn’t tag
anything...”
Even though they did not explicitly mention the story’s branching, indications can be
seen that they understand that a path is not always a straight (linear) path.
In discussion with the drama teachers, they said that by using the tool the children
can be trained as story composers who have the opportunity to think about possible story
combinations. The tagging system can help children to construct meaning in a playful
way. This non-linear story object visualizes a possible ways to create a story that evokes
curiosity to explore different and diverse combination of stories.
3.4.3 Intercultural Aspect
The concept of Wayang Authoring has been designed as a reference to the traditional
wayang theater. Putting the specifications of wayang on a screen was meant to translate the
aesthetic language of one media into the possibilities and the restrictions of another media.
Of course Wayang Authoring can, but it should not replace the rich tradition of wayang;
instead it can foster the understanding, especially of the users who have diverse cultural
backgrounds other than the Indonesian.
The puppet images in the tool are taken from the iconic tradition of wayang. Because
of the difference of cultural codes, the appearance of the puppets of mother and father, for
example, look different to western presentations of mother and father. In wayang tradition
a specific gesture describes a particular meaning of a character. With Wayang Authoring
children easily detected what symbols should represent mother, father and child. During
the workshop, some children tried to imitate a gesture or position of the arms or legs. They
also asked some questions:
“... why his legs... like this...? “(he showed his legs position)
“... what is the meaning with this...? (imitated a puppet’s arm position) and this...?
(imitated another position)”
These indications show that tool has a potential to evoke the children to understand
different cultural codes.
In a group discussion after the workshop, a boy from Turkey reported that he had seen
a similar puppet theater in Istanbul. That is the shadow puppet Karagöz, and the famous
figure is Havicat. Another boy from India said that he had seen similar images when he was
in India. He described to the group in which aspects the Indian characters are different and
how they had been used. A girl from Italy talked about the traditional style of Italian string
puppets. This indicated that our tool can also be used to evocate discussion and expression
of different cultural experiences among the group of children.
The handling of cultural artifacts helps support the ability to understand different cul-
tural codes, and there were indications from the workshop and discussion with experts that
it also supports the children’s curiosity to learn more about the culture lying behind these
artifacts. This would in turn enhance the intercultural empathy between children.
3.4.4 Interaction between children and the authoring system
In this section the interaction between children and the authoring system are evaluated.
Several methods have been used such as observation, interview, and document analysis.
An interactive authoring system is a system-based agent. There are at least two agents
who do the actions. An agent is ‘one who initiates and performs actions’ [23]. The user
who performs actions is an agent and another agent is the system which carries out any
actions in response to the user. If one action is accomplished those agents can continue to
the next actions. The sequence of those actions can be drawn as shown in Figure 3.14 and
follows Freytag’s dramatic pyramid [24].
Figure 3.14 illustrates a series of dialogues between the user and the system. On the first
state, the user enters to the system or a part of it. Based on the possibilities from the system,
the user makes a decision and will go to the next state. In that state, the system gives the
response. This response leads the user to make another decision and reach another state.
This process happens repeatedly until the resolution phase has been reached. Complex
dialogues and decisions can occur in the climax phase.
One feature of Wayang Authoring can be used as the case in this context which is
composing a single story. When the user enters to this feature, she/he comes to the first
Fig. 3.14 Agents’ actions and Frytag’s dramatic pyramid. Freytag’s pyramid is a way to examine a
plot consisting of five components in an ascending and descending manner, introduction (exposition,
inciting moment) – rising action – climax – falling action – denouement (catastrophe, resolution).
The user is symbolized by an orange circle. The system is represented by a green circle, and the state
is marked by a square.
state and has several options, such as searching for any actor from actors? containers or
put an actor to the stage. If the user decides to put an actor onto the stage, a new state is
created. The system offers other possibilities to the user in this state. The next decision
or action from the user leads her/him to the new state and this process is repeated until the
user decides to finish her/his story.
It is defined in this feature that the dramatic actions start from when the user observes
and browses through actors. The inciting moment begins when the user puts an actor onto
the stage. The user then causes the level of action to rise and achieves the climax phase
when she/he moves or manipulates the figures. When the user decides to play her/his story,
it means that she/he has arrived at the resolution phase.
From the observation and analysis of the story files, we came to the result that the
authoring tool enables the child to act out dialogues with the system. The authoring tool
provides features that lead the child to accomplish the task to create a story. The dialogue
with the system started from the selection of the actors. The intensive dialogues with the
system happened when the child made a lot of manipulations of the figure’s properties and
made many dialogues between the actors in his story. It means that the interaction between
the children and system which follows the dramatic schema fosters the engagement of the
user with the system and leads the user to accomplish the task.
3.5 Conclusions
Wayang Authoring is designed and implemented as a type of social software for chil-
dren, but focused more on creative production. By using Wayang Authoring children can
express their creativity by producing visual stories and sharing them. They can compose
the story individually or collaboratively. The expression can be noticed in different forms
and anchors, as can be seen in the movements of the object, the dialogues between actors,
the collections of objects without movement as a pictorial moment, or in commenting on a
story. Children take existing materials as an inspiration tool, imagine what they themselves
want to tell, create a story based on their own ideas, play with their creations, share their
stories and creations with others, and reflect on their experiences at the end.
The tagging system in the authoring tool has a good potential to be used to support
children to have experiences in story structure. The children can learn to structure and
re-structure a story’s sequence by using the digital tool. By this feature, children gained
experiences in control a story’s structure. They connected some stories by using the tagging
system. They could decide if a story will follow a certain story. They trained as a story
composer by structuring a story sequence. Moreover, they put their creative product in
the context of the entire story as a part of the storyteller community. When children use
this web-based authoring media, they put themselves into the process of developing stories.
When they are connecting stories, they connect and immerse themselves with other children
as well. They have to act and play by themselves or with others, within the stories in order
to experience the narratives.
Tagging model in this study is not only to share web resources in a web-based sharing
platform. By using the tagging model to build a story sequence the children occupy two
roles. They act as the ‘writers’ when they write or create a story. In the same time, they act
as the ‘readers’ as well. They ‘read’ the language of the (hyper)media. By transforming
understanding of the (hyper)media’s language into an active and critical process, they can
gain an understanding of the narrative’s structure. Furthermore, they train to have the skills
to interact, to share their ideas and to collaborate constructively. This is making them
possible to participate in today’s media-driven culture.
Wayang Authoring serves all three kinds of a participatory culture from Jenkins [25]:
(i) Affiliation – through creating a user profile and joining a group centered on its fa-
vorite character.
(ii) Expression – through creating a new story with the authoring tool and rating and
commenting on other children’s stories.
(iii) Collaboration – through composing a collaborative story and connecting one story
to others.
Interaction design of an authoring media which is appropriate to support children’s

creative storytelling and self-expression should be designed by considering the dramatic
flow of a story. The communication between user and system should be facilitated in order
to help the user make a decision to go to the next state, and to lead the user to accomplish
the task. The aesthetic coupled with the interactive functions support children to explore
virtual and narrative worlds. This virtual creative production tool provides a space for
young people to change their role from a simple user to a (co-)creator.
Bibliography
[1] R. McKee, Story: Substance, Structure, Style and the Principles of Screenwriting, 1st ed.
(HarperCollins, New York, 1997).
[2] A. Boltman, Childrens Storytelling Technologies: Differences in Elaboration and Recall, Dis-
sertation, University of Maryland (2001).
[3] W.A. Widjajanto, M. Lund, und H. Schelhowe, Wayang Authoring: a web-based authoring
tool for visual storytelling for children, Proceedings of the 6th International Conference on
Advances in Mobile Computing and Multimedia (ACM, Linz, Austria, 2008), pp. 464–467.
[4] UNESCO, UNESCO Culture Sector – Intangible Heritage – 2003 Convention: The Wayang
Puppet Theatre (2003). Retrieved September 30, 2009, from http://www.unesco.org/
culture/ich/index.php?RL=00039&topic=desc
[5] J. Mrázek, Phenomenology of a Puppet Theatre: Contemplations on the Art of Javanese
Wayang Kulit, (KITLV Press, Leiden, 2005).
[6] M.U. Bers and J. Cassell, in J. Interact. Learn. Res., Interactive storytelling systems for chil-
dren: using technology to explore language and identity, 9(2), 183–215 (1999).
[7] S. Benford, B.B. Bederson, K. Åkesson, V. Bayon, A. Druin, P. Hansson, and J.P. Hour-
cade, Designing storytelling technologies to encouraging collaboration between young chil-
dren, Proceedings of the SIGCHI conference on Human factors in computing systems (ACM,
The Hague, The Netherlands 2000), pp. 556–563.
[8] A. Druin, J. Stewart, D. Proft, B. Bederson, and J. Hollan, KidPad: a design collaboration
between children, technologists, and educators, Proceedings of the SIGCHI conference on Hu-
man factors in computing systems (ACM, Atlanta, Georgia, United States 1997), pp. 463–470.
Bibliography 61
[9] F. Garzotto and M. Forfori, FaTe2: storytelling edutainment experiences in 2D and 3D collab-
orative spaces, Proceedings of the 2006 conference on Interaction design and children (ACM,
Tampere, Finland 2006), pp. 113–116.
[10] A. Antle, Case study: the design of CBC4Kids’ StoryBuilder, Proceedings of the 2003 confer-
ence on Interaction design and children (ACM, Preston, England 2003), pp. 59–68.
[11] M. Panayi, W.V.D. Velde, D. Roy, O. Cakmakci, K.D. Paepe, and N.O. Bernsen, Today’s Sto-
ries, Handheld and Ubiquitous Computing, LNCS, vol. 1707 (Springer, Heidelberg 1999), pp.
320–323.
[12] F. Garzotto and F. Rizzo, The MUST Tool: Exploiting Propp’s Theory, World Conference
on Educational Multimedia, Hypermedia and Telecommunications 2005 (Montreal, Canada,
2005), pp. 3887–3893.
[13] T.K. Lam, A. Zawawi and M.A. Osman, in J. World Academy of Science, Engineering and
Technology, Real-Time Visual Simulation and Interactive Animation of Shadow Play Puppets
using OpenGL, 45, 212–218 (2008).
[14] A. Brisson, J. Dias, and A. Paiva, From chinese shadows to interactive shadows: building a
storytelling application with autonomous shadows, Proceedings of the Workshop on Agent-
Based Systems for Human Learning and Entertainment (ABSHLE), AAMAS 2007 (ACM
Press, 2007).
[15] F. Lu, F. Tian, Y. Jiang, X. Cao, W. Luo, G. Li, X. Zhang, G. Dai, and H. Wang, ShadowStory:
creative and collaborative digital storytelling inspired by cultural heritage, Proceedings of the
2011 annual conference on Human factors in computing systems, (Vancouver, BC, Canada,
2011), pp. 1919–1928.
[16] L.S. Vygotsky, Thought and Language, (The MIT Press, 1986).
[17] V.M. Hewett, in J. Early Childhood Education, Examining the Reggio Emilia Approach to Early
Childhood Education, 29(2), 95–100 (2001).
[18] M. Resnick, All I really need to know (about creative thinking) I learned (by studying how
children learn) in kindergarten, Proceedings of the 6th ACM SIGCHI conference on Creativity
& Cognition (ACM, Washington, USA 2007), pp. 1–6.
[19] P. Delany and G.P. Landow, Hypermedia and Literary Studies. Technical communications,
(Cambridge, Mass., MIT Press, 1994).
[20] D. Davidson, Stories in between: narratives and mediums @ play, (ETC Press 2008).
[21] C. Marlow, M. Naaman, D. Boyd, and M. Davis, HT06, tagging paper, taxonomy, Flickr, aca-
demic article, to read, Proceedings of the seventeenth conference on Hypertext and hypermedia
(ACM, Odense, Denmark, 2006), pp. 31–40.
[22] E. Santos-Neto, D. Condon, N. Andrade, A. Iamnitchi, and M. Ripeanu, Individual and so-
cial behavior in tagging systems, Proceedings of the 20th ACM Conference on Hypertext and
Hypermedia (ACM, Torino, Italy, 2009), pp. 183–192.
[23] B. Laurel, Computers as Theatre, (Addison-Wesley Longman Publishing Co., Inc., 1993).
[24] G. Freytag, Technique of The Drama: An Exposition of Dramatic Composition and Art, Tran.
E. J. MacEwan, Third Edition (Chicaho, Scott, Foresman and Company, 1900).
[25] H. Jenkins, Confronting the Challenges of Participatory Culture: Media Education for the 21st
Century, Ed. John D. and Catherine T. (MacArthur Foundation Reports on Digital Media and
Learning, 2009).
PART II
Methods and Concepts to Enhance and Ensure

Reliability in Ubicomp Environments
Chapter 4
Network Forensics – Detection and Mitigation of

Botnet Malicious Code via Darknet
R. Azrina, R. Othman, Normaziah A. Aziz, M. ZulHazmi, M. Khazin, J. Dewakunjari

Department of Computer Science, Kulliyyah of ICT, International Islamic University
Malaysia
P.O. Box 10,50728 Kuala Lumpur, Malaysia
E-mail: razrina.rothman@jaring.my, naa@iium.edu.my
Computer malwares are major threats that always find a way to penetrate the network,
posing threats to the confidentiality, integrity and the availability of data. Network-borne
malwares penetrate networks by exploiting vulnerabilities in networks and systems. IT
administrators in campus wide network continue to look for security control solutions to
reduce exposure and magnitude of potential threats. However, with multi-user computers
and distributed systems, the campus wide network often becomes a breeding ground for
botnets. We present our work that applies the network forensic techniques via Darknet im-
plementation for passive detection of malware infected computers; primarily botnets, in a
campus wide network. Verification activities were conducted on the infected hosts. This
work analyses the effectiveness of network forensics capability and the accurate detection
of malicious traffic. An accurate detection of malware-infected host enables enforcement
of security policies through isolation of hosts and eventually will enhance network per-
formance. Alongside presenting various aspects of our work, some recommendation are
proposed for preventive measurements to avoid further propagation of bots and network-
borne malwares within campus wide network.
4.1 Introduction
Network is now pervasive and a critical entity in our every day working and learning
environment. Despite increasing devices being connected to the TCP/IP network such as
mobile phones, GPS, and iPads, personal computers are current main targets of exploits,
primarily for malware and bot infection and propagation. The infection of personal comput-
ers with malware can compromise confidentiality, integrity and availability of information
as well as take up unnecessary bandwidth.

Network forensics is the use of scientifically proven techniques to collect, fuse, iden-
tify, examine, correlate, analyze, and document digital evidence from multiple, actively
processing and transmitting digital sources for the purpose of uncovering facts related to
the planned intent, or measured success of unauthorized activities meant to disrupt, cor-
rupt, and or compromise system components as well as providing information to assist in
response to orrecovery from these activities [1]. In order to capture network activities for
analysis, a sensor is deployed in the network. The type of sensor and its location in the
network influence the traffic being captured. Darknet [2] sensor is one of the available
methods that is used and described in this chapter.
Network forensics can detect mainly two types of malwares – worms and botnet. Worm
is a kind of malware that propagates via network; by network scanning and self-replicating
email. Botnet is a collection of software robots, or in short termed ‘bots’, that run au-
tonomously and automatically. The term botnet [3, 4] can also be used to refer to any
group of bots, such as IRC bots (Internet Relay Chat bots). In general, botnet refers to a
collection of compromised computers, or Zombie computers that receive instructions from
command and control (C&C) servers. The command-and-control can take place via IRC
server or a specific channel on a public IRC network, http, DNS and peer-to-peer appli-
cation. The communication is encrypted for stealth and protection against detection and
intrusion into the botnet network.
The chapter discusses on network forensics via implementation of Darknet and the
sensors as an effort to detect computers that are infected with bots in campus wide network.
A more interactive system implementation involving capturing of malware is outside the
scope of this work.
The rest of the chapter is arranged as follows: Section 4.2 describes the background of
the work, Section 4.3, presents the motivation for this work along with the related works.
Section 4.4 talks about our approach used in carrying out this project. Section 4.5 presents
the acquired results of our research implementation. We also discuss the possible coun-
termeasures and recommend some steps to deal with the issues. And finally, Section 4.6
concludes the paper with some remarks about the outcome of the work.
4.2 Background
The key mechanism for bot propagation is via worm behaviour, which is network borne.
It is noted that bots may also spread via email spam, web page drive-by affect and mo-
Network Forensics: Detection and Mitigation of Botnet and Malicious Code via Darknet 67
bile storage media. Botnets usually gain new victims through network scanning to detect
available vulnerable systems and remotely exploiting the vulnerabilities of systems and
applications running on networked host. Botnets borrow infection strategies from several
classes of malware, including self-replicating wormsande-mail viruses, among others [5].
Once infected; a script (known as shell code) is executed which connects to another bot at
a specified location which hosts malware binaries and fetches the actual bot binary. Upon
completion of the download, the bot binary installs itself to the target machine so that it
starts automatically each time the victim is rebooted. Figure 4.1 illustrates the botnet’s
lifecycle [6].
Fig. 4.1 Lifecycle of Botnet
4.3 Motivation and Related Works
Industry analysts estimate that about 5% to 10% of all PCs are infected with sophis-
ticated, remotely controlled malware. The current defences of layering firewall, Intrusion
Prevention System (IPS) and anti-virus are ineffective in stopping advanced malware, zero-
day and targeted attacks once it enters into the network [7]. Network Intrusion Detection
System (NIDS) conducts passive has evolved into IPS, and the detection technique, very
much depends on the signature had matched a known exploit or having to know the vulner-
abilities. Both these aspects require a challenging effort in keeping up with the exponential
growth of exploit signature and vulnerabilities.
A similar approach of using darknet for detection of botnet was used by researchers
in the John Hopkins University. Their work involved measuring botnet traffic, in the size
of hundreds to thousands. Their findings revealed botnets are a major contributor to the
overall unwanted traffic on the Internet. They confirmed that although the scan generated
by botnet are primarily to recruit new victims, the behavior is markedly different from
autonomous malware, worms, because of its manual orchestration. They also discovered
that IRC remain to be the dominant protocol for C&C communication [8].
A lot of the work done has been to quantify the size of botnets, the growth, and their
behavior. In the context of our work, the main objective is to apply darknet technique to
accurately detect bots and network-borne malware and eventually confirm via live forensics
the type of infection on the affected hosts in a campus wide network. As such the darknet
is ideally deployed in a LAN environment to enable verification of hosts to be conducted.
This will also provide insight on the effectiveness of security controls within the campus
wide network and the computers in defending against bot and network-borne malware.
The specific objectives of this project are to: a) passively identify infected computers in
the network; b) analyse the types of botnets that are infecting the computers in the campus;
c) identify the attack vector or how the bot penetrated into the host or computer, if possible;
d) identify the source of the bot or malware, if possible; e) provide recommendations on
countermeasures against future attacks.
4.4 Our Approach and Implementation
Monitoring all traffic within a large-scale network to track compromised computer

client and malicious traffic requires a lot of resources; Intruder Detection System (IDS)
(with packet processing capability to carry out packet capture and analysis) as well as
large capacity of storage. Once the data are captured, there is an issue on the preserving
of confidentiality of the information, which may contain legitimate traffic with sensitive
information such as passwords.
On the other hand, the above issues are not present in the Darknetimplementation.
Darknet involves capturing and monitoring traffic communication to unused IP Addresses.
Darknet is a portion of routed, allocated IP space in which no active services or servers
reside. Any packet that enters a Darknet is by its presence aberrant because no legitimate
Fig. 4.2 Network diagram
packet should be sent to a Darknet. Such packets may have arrived by mistake or wrong
configuration, but the majority of such types of packets are sent by malware.
Figure 4.2 demonstrates the network used for the implementation and analysis of this
research. The network consists of two parts with a /24 mask. We chose to have one of
the /24 network to be assigned to a Darknet 1, while another ten IP Address is assigned to
Darknet 2. The Darknet 2 is part of IP range within a computing lab, that is used actively
on daily basis. A sensor server is setup with 2 network interfaces, one to passively capture
packets destined to the darknet, while the other network interface is used for administrative
access to the sensor from the management console. In order to have any traffic destined to
the Darknet, diverted to the sensor, the router needs to be configured to send all Darknet
prefix traffic to the Darknet Sensor interface.
outer#conf t
router(config)# ip route 10.X.136.0 255.255.255.0 10.X.1.2
router(config)# ^Z
router# wr
The sensor requires a separate network interface for the management console access
primarily to prevent poisoning the Darknet with legitimate traffic. The setup immediately
generated records showing network traffic activity entering the Darknet from various in-
ternal hosts. Further analysis was done on the infected computer to identify the type of
malware as well as other security controls present in the system.
4.5 Experimental Results and Analysis
After appropriate configurations of all necessary parts of our network, data were col-
lected from the Darknet throughout a one month period. This implementation produced
very significant results. In this section, we will discuss in our findings.
Upon analysis of the data, a few anomalous network traffic communications can be
observed on destination port 445 and ICMP.
Fig. 4.3 Time series of SYN packets of port 445
Based on the data obtained at the sensor server, which can consists of any sniffer based
technology such as tcpdump, all the ICMP communication sent to the Darknet are identified
as echo requests. Figures 4.3 and 4.4 show the network communication to port 445 and
ICMP. As shown in the Figure 4.3, the network activities were decreasing in the middle of
the month which is due to the mid-semester break and other vacation period. Therefore,
most computer clients were not active during those times. However, the network activities
began to increase after the semester vacation.
Fig. 4.4 Time series of incoming ICMP packet
Referring to the Figure 4.4, the ICMP traffic shows similar pattern as port 445 network
activities, in which low network activities were observed in the middle of the month due
to the fact that most of the computers remained turned off during the semester breaks. The
network activities began to increase again after the semester breaks.
4.5.1 Further Analysis on Destination Port 445 Traffic
Destination port 445/TCP is commonly used and assigned for Microsoft-DS Active Di-
rectory and Windows shares. Thus, this port is to be used when the organization is using
Microsoft Domain Service Active Directory and Windows File Sharing [9, 10]. However,
all identified computer clients were not using Microsoft Domain Service Active Directory
and had insignificant usage of Windows File Sharing. Each computer suspected to be in-
fected with malwares sent 20 TCP SYN requests of size 64 bytes to each unique destination
IP address as shown in Figure 4.5.
Fig. 4.5 TCP/445 probes summary generated by host 10.x.128.103
4.5.2 Further Analysis on ICMP traffic
The ICMP echo requests (commonly known as “ping”) are used primarily for trou-
bleshooting network connection. Most Internet gateways now block incoming echo re-
quests in order to avoid Distributed Denial of Service (DDoS) [11] attacks. Historically,
several malwares that propagate via ICMP echo request include Nachi worm [12]. The
collected data indicate that each infected host generated only a single ping probe to each
sequence of unique IP, as shown in Figure 4.6. This indicates ping sweep, not ping flood.
Ping sweep would be relevant for the purpose of determining whether the host is alive or
not.
Fig. 4.6 Summary of ICMP Echo Request generated by host 10.x.125.34
4.5.3 Analysis of Suspected Client
Four of the suspected (infected) computers were selected for our analysis. The selection
was mainly based on the ability to gain physical access to the computers within the dura-
tion of the project. Table 4.1 shows the information gathered pertaining to the suspected
computers that were analyzed. One of the hosts had most recent updated antivirus signa-
ture, while three other hosts had the antivirus signature outdated, and in which one of them
apparently has the license expired. All four hosts sampled, were running on Windows XP.
Table 4.1 Selected Computer System’s Information

Client No / System
Client 1 Client 2 Client 3 Client 4
Info
MS Windows MS Windows MS Windows MS Windows
Operating System
XP SP 2 XP SP 2 XP SP 3 XP SP 3
Avira -
Avira -
Antivirus Name and eScan - eScan - outdated and
recently
Signature Status outdated outdated license
updated
expired
Further analysis was conducted on each host via live forensics, using tools such as
Sysinternals Suite [13] as well as other standard tools such as Netstat [14]. The investigation
revealed that the hosts were not only infected with multiple malwares but also they were
actively establishing connection to foreign hosts in the Internet. Based on the analysis of
the reputation of the foreign hosts’ IP addresses, they wereconfirmed to be rated high risk
and minimal risk, as well as reputed to be malicious C&C and Backdoor Trojan sites. The
host running the antivirus with recently updated signature was found to be infected with the
Conficker malware [15] as well as possibly Autoit malware [16], while the IP Address of
the remote host in Hong Kong is reputed as High Risk. The acquired information is shown
in Table 4.2.
Table 4.2 Suspected Client System’s Information 2
Client No Client 1 Client 2

Conficker, Mabezat,
Malware Conficker, Mabezat,
IRC Trojan Backdoor,
Detected IRC Trojan Backdoor
Trojan Dropper, Sality
Foreign 149.9.1.16 Minimal Risk - 85.25.176.33 High Risk
Addresses - IRC Server (TrustedSource)
Reputation (TrustedSource)
C&C
(Emerging
Thread)
74.208.64.145 High Risk -
Malicious Sites,
Phishing (TrustedSource)
IRC Trojan Backdoor
(ThreatExpert)
89.149.227.194 High Risk -
Malicious Sites
Sality Virus
(ThreatExpert)
87.106.24.200 High Risk -
SmartFilter Category:
Malicious Sites,
Phishing (TrustedSource)
IRC Trojan Backdoor
(ThreatExpert)
Client No Client 3 Client 4

Malware Conficker, Autoit Autoit
Detected
Foreign 110.44.0.50 High Risk - 204.12.222.155 Minimal Risk -
Addresses Malicious Sites Not Categorized
with Bad (TrustedSource) (TrustedSource)
Reputation Autoit
(ThreadExpert)
McAfee
R
TrustedSourceTM is a global threat correlation engine and intelligence base of global mes-
saging and communication behavior, including reputation volume, and trends, including email, web
traffic and malware. Refer to http://www.trustedsource.org/ ThreatExpert is an advanced
automated threat analysis system designed to analyze and report the behavior of computer viruses,
worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. Refer
tohttp://www.threatexpert.com/
Figure 4.7 illustrates how the botnets propagate within the campus wide network (based
on the findings). The computer was confirmed to be infected with IRC Trojan backdoor and
Conficker worm. They were scanning the LAN network for other vulnerable computers.
Fig. 4.7 Botnet attack on a campus network

Despite having perimeter defence which included the firewall, the infected hosts were
able to establish outgoing connection to unauthorized external hosts, due to the lack for
policy enforcement for outgoing traffic. The internal scanning activity generated by the
infected host also caused unnecessary utilization of the bandwidth.
4.6 Future Work
There are several areas in which this research can contribute. In addressing operational
level security, an organization requires sufficient skilled manpower to effectively apply
enforcement measures at the system and network level. The use of remote management
system will enable real-time alerts and integration to other application and systems that
can enforce more restrictive policies. The Darknet can be integrated with Walled Garden
method [17] to isolate the infected computer. The system can also be integrated with IPS
to prevent unauthorized outgoing traffic from infected hosts. A graphical interface or dash-
board can be integrated to provide visual status of malicious network activities. The use of
Darknet is one practical solution, which requires low amount of resources to process the
gathered data.
4.7 Concluding Remarks
The study identified a total of 31 computers suspected to be infected with malwares

and 4 of them were proven to be infected by malwares; mainly Conficker which had caused
high network traffic to destination port 445 and Autoit malware contributed high ICMP
network traffic. This further confirms that high amount of ICMP traffic generally indicates
a virus [18]. Using the Darknet, small amount of captured anomalous data were sufficient
to elevate the attention to the problem. There was no need to sift through legitimate data to
identify anomalous traffic.
Based on the analysis of our work, it can be concluded that the security controls at
network and host level at certain segments of the network are insufficient and not effectively
protecting the campus wide network from malware and bot propagation and infection. We
present our recommendations to deal with this issue which we believe will be useful for
similar settings.
Bibliography 77
Acknowledgments
This work was supported by the International Islamic University Malaysia particularly
the Department of Computer Science and the university’s central Information Technol-
ogy Division. Credit goes to our Information Security Research Group (ISRG), Network
Forensics team – Mohamed ZulHazmi, Dewakunjari J., Pengiran, A. Khaliq Ismail, Khair-
ilFahmi, Ahmad Hassan and Mukmin for their determination and commitment in this re-
search.
Bibliography
[1] G. Palmer, A Road Map for Digital Forensic Research, DFRWS Technical Report, DTR-T001-
01 Final, (Air Force Research Laboratory, Rome, New York, 2001).
[2] Team Cymru, “The Darknet Project”, Internet Security Research and Insight (2009). Available:
http://www.team-cymru.org/Services/darknets.html [Last accessed: 1st November
2009].
[3] Seewalda, A.K. and Gansterer, W.N., “On the detection and identification of botnets,” Comput-
ers & Security, Volume 29, Issue 1, (Elsevier, February 2010), pp. 45–58.
[4] Wang, P., Sparks, S., and Zou, C.C., “An Advanced Hybrid Peer-to-Peer Botnet,” IEEE Trans-
actions on Dependable and Secure Computing, Vol. 7, No. 2, (April-June 2010), pp. 113–127.
[5] A.B. Moheeb, J. Zarfoss, M. Fabian, and T. Andres, “A Multifaceted Approach to Understand-
ing the Botnet Phenomenon.” In 6th ACM SIGCOMM conference on Internet measurement,
(2006), pp. 41–52.
[6] C. Jaideep, L. Carl, O. Steve, and S. Eve, “The Dark Cloud: Understanding and De-
fending against Botnets and Stealthy Malware”, infoq.com, (Aug. 04, 2009). Available:
www.infoq.com/.../intel-botnets-malware-security [Last accessed: Oct. 12, 2009].
[7] Advanced Malware Exposed, Fire Eye Whitepaper, (FireEye Inc. California, 2011).
[8] A.B. Moheeb, J. Zarfoss, M. Fabian, and T. Andres, “A Multifaceted Approach to Understand-
ing the Botnet Phenomenon.” In 6th ACM SIGCOMM conference on Internet measurement,
(2006), p. 51.
[9] Internet Assigned Numbers Authority (IANA), “Port Numbers,” Internet Corporation for
Assigned Names and Numbers(2009). Available: http://www.iana.org/assignments/
port-numbers [Last accessed 13 November 2009].
[10] “List of TCP and UDP port numbers” (2009). Available: http://en.wikipedia.org/wiki/
List_of_TCP_and_UDP_port_numbers [Last accessed: 13th November 2009].
[11] Sun, X., Torres, R., and Rao, S., “Preventing DDoS attacks on internet servers exploiting P2P
systems,” Computer Networks, Volume 54, Issue 15, Elsevier, (28 October 2010), pp. 2756–
2774.
[12] Cisco Security Notice: Nachi Worm Mitigation Recommendations, available at: http://www.
cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml [Last accessed: 25th
September, 2010]
[13] Sysinternals Suite. http://technet.microsoft.com/en-us/sysinternals/bb842062.
aspx [last accessed: 10th Sept 2010]
[14] http://www.netstat.net/ [Last accessed 5th Sept 2010]
[15] Conficker Malware. http://mtc.sri.com/Conficker/ [Last accessed 6th October 2010]
[16] Autoit Malware. http://www.threatexpert.com/report.aspx?md5=

ef0c08d5d1ebc1f792a617580263a42c [Last accessed 5th Sept 2010]
[17] MAAWG Best Practices for the Use of a Walled Garden, MAAWG Whitepaper (October,
2007).
[18] Skyway West, “Basic Security Requirements: ICMP Rate Limit,” Skyway West Busi-
ness Internet Services, (2009). Available: http://www.skywaywest.com/support/
basic-security-requirements.php [Last accessed: 18 November 2009]
Chapter 5
Trusted Log Management System
Akihiro Tomono, Minoru Uehara, and Yuji Shimada

Department of Open Information Systems, Toyo University
2100 Kujirai, Kawagoe, Saitama 3508585, Japan
With the many accounting scandals that have been reported in companies around the world,
the need for internal control has steadily grown. Many different kinds of logs exist, and
storing them over the long-term is necessary to realize internal control systems based on
logs. Previously, we proposed a low-cost system to store logs semi-permanently using a
Virtual Large Scale Disk. However, as this log system cannot guarantee the transfer of
trusted logs across a vulnerable transfer path, it is unacceptable for use in digital forensics.
Therefore, we propose a trusted log transfer method that satisfies the requirements of digital
forensics. Moreover, logs of a single file type are generally not employed alone, because
such logs would contain insufficient information. Instead, several types of logs are often
written to another file, making a transversal search necessary. A further consideration is
the possibility of changing the schema. Therefore, an efficient log file format, called New
CSV and using YAML Ain’t Markup Language, is proposed to solve these issues.
5.1 Introduction
In recent years, many scandals arising from irregularities in the accounting records of a
number of companies have been reported, not only in the United States, but also in Japan.
Internal control is the process of managing and monitoring each service based on prescribed
standards and procedures to provide an assurance of efficient, effective, and legal operation
of the organization, devoid of fraud, and without the mistakes and errors of companies in
general. The series of mechanisms used to implement this process is called an internal
control system. An internal control system needs to include the following three elements:
authentication, authorization, and auditing.

Major companies such as IBM and Oracle have already introduced their own systems
of internal control. However, where systems are outsourced, the cost of the internal control
system tends to be proportional to the size of the company.
Corporations typically utilize one of the available tools as the basis for compliance.
However, current commercial products tend to be expensive, especially when considering
both the initial and running costs. Raw logs are highly valued as evidence in digital foren-
sics. However, large storage capacity is required to manage these raw logs over the long
term. Thus, we have developed a raw log management system based on a VLSD [9]. Using
the VLSD toolkit, a large capable storage can be implemented at low cost and without us-
ing highly expensive NAS (Network Attached Storage) and SAN (Storage Area Network)
products. This type of raw log management system, however, only guarantees that a por-
tion of each raw log is complete since some of the paths used to transfer the logs may be
vulnerable. This does not satisfy the requirements of digital forensics, where all logs must
be guaranteed complete.
Additionally, utilizing only a single log occurs infrequently, since a single type of log
does not contain sufficient information. Typically, logs of various types are written to a
separate file, making it necessary to search transversely through log files. It is not, however,
easy to perform such a transversal search across a system, since there is a high possibility
that the output of each application will be different. In general, a log is stored as a database.
However, the possibility of having a null value in a tuple is high in a log where the number
of columns has increased subsequent to the creation of the table. This is not efficient.
In addition, to preserve logs over the long-term, we must consider the possibility of
the schema changing due to a change in the system or an update to the application in the
organization. Requiring that all preserved logs in a database be changed when a column is
added or removed will result in substantial overhead.
Consequently, in this paper, we propose a method that guarantees the completeness of
raw logs transferred from clients to the server via vulnerable routers. We present various
models as examples for considering this utility.
In addition, we propose a log that copes with changing schema on demand by inte-
grating several kinds of logs into YAML [4] format. The proposed log format is also able
to accommodate searches across several kinds of logs by consolidating the different log
formats and combining the logs into a single file.
The resulting structured log is text-based, enabling changes in columns to be dealt
with seamlessly. Moreover, such a log can also accommodate a transversal search through
Trusted Log Management System 81
integration into a single file. The search is performed after storing a portion of the log in a
database. The efficiency of the search is improved since only the necessary parts of the log
are stored.
5.2 Related Techniques
In this section, we discuss related studies that are key to the implementation of the
proposed system. These are ILM, digital forensics, Syslog, and the VLSD including the
security thereof.
5.2.1 ILM
ILM (Information Lifecycle Management) [1] is a way of thinking that realizes effective
information use and returns from storage investment by storing data according to changes,
such as the importance of the information or a use purpose and frequency. Thus information
that is important and has a high use frequency is managed either in high-end storage, which
has high reliability and high performance, or in a disk array. Information such as general
office duties, is kept in medium to small storage such as HDDs, while information that is
important to keep, but is not frequently accessed or updated, is stored in low cost storage,
such as DVDs. When repositioning information of a particular nature in the right place, we
should ensure the use of the correct storage. Storage such as DVDs is referred to as offline
because stored information cannot be read directly, whereas a disk array is referred to as
online storage. Storage that falls between these two extremes is known as nearline storage.
The definition of nearline storage is based on the fact that it is similar to offline storage,
but is online, for example a low speed HDD such as a serial ATA. Usually, the number of
RPMs (revolutions per minute) is smaller than that for online storage, whereas the physical
memory capacity is greater. Storing all data in high speed, expensive storage raises the
cost of the storage significantly, making it necessary to use media classified as nearline
or offline, such as DVDs, depending on the value of the information. Nearline storage is
considered optimal in terms of the performance/cost tradeoff.
5.2.2 Digital Forensics
Digital forensics [2] is a technique for collecting and analyzing digital data that can
subsequently be used as evidence in courts of law. In Japanese law, only physical objects
are regarded as evidence and thus digital data cannot be used as evidence. As a result, we
not only need digital data, but also physical storage to store the digital data. In an actual
forensic process, the entire digital data is copied and analyzed and then a paper report is
submitted. For this method, a finger print of the digital data such as MD5 or SHA-1 is
required to guarantee the completeness of the digital data.
Logs are usually used to identify illegal access by intruders. Servers record entries
in logs for a variety of actions such as the behavior of users, issues encountered, system
errors, and so on. These logs are often useful as evidence of illegal access. In an actual
network system, there are many types of logs, including the Windows event log, the UNIX-
like Syslog, and Apache access logs amongst others. However, for logs to be acceptable
as evidence we have to prove that the logs have not been modified. It is, therefore, not
sufficient to extract information from a single log. Instead, we have to match information
extracted from multiple sources with different time frames. However, it is impossible to
extract sufficient information if no previous logs exist. According to the current laws, server
administrators are obliged to record logs, but not to retain these for any extended period
of time. For example, the legal requirement for maintenance of logs is 30 days according
to the law on snooping for criminal investigation 7.1, and 90 days according to the law on
cyber-crime 16.2. However, this is not enforced because of the exorbitant cost to service
providers.
On the other hand, several large corporations such as KDDI and NISSAN have set out to
keep logs indefinitely [3]. However, in these corporations considerable leakage of privacy
information has occurred. Thus, internal control is regarded as a necessity for long-term
log management. Permanent preservation of logs is not efficient from an ROI (return of
investment) perspective. The requirement for preserving logs is set as 3–5 years according
to the law on illegal access and fraud. As such, we have to preserve evidence logs for at
least 5 years. In the case of permanent preservation of logs, as in KDDI and NISSAN,
privacy protection is one of the major issues, as information leaks must be avoided at all
costs.
5.2.3 Syslog and its Enhancements
Syslog is a client-server protocol for security and monitoring purposes, which has been
standardized by the Syslog working group and includes the Syslog library and Syslog dae-
mon. The Syslog library provides an interface to transmit logs, while the Syslog daemon
is used for logging, analysis, and for outputting to log files. Syslog is known to have some
problems. Packets may be lost since UDP is used for communication. Additionally, in large
networks, as the size of the logs grows, older logs may not be available for access because
they have been overwritten. Therefore, logs need to be saved in another directory or even
on a completely different server to ensure that they are available for reference purposes.
Syslog-ng and rsyslog are enhanced versions of the Syslog daemons providing improved
reliability in the remote transfer of logs through the use of TCP. They also provide improved
encryption and authentication.
5.2.4 Secure Logging on a PC
If a program that outputs logs to a file is attacked, logs cannot be recovered even if
enhanced Syslog daemons are used. Syslog is used in Linux for standard logging. The
log management schema that is used in syslog, is a log-collection program that writes the
log file after collecting data from the user process and kernel. However, a user with ad-
ministrator privileges can easily manipulate these logs, since they are saved in text format.
Therefore, if an attacker were to compromise processes executing with administrator priv-
ileges, the log could easily be tampered with. The OS from which logs are compiled runs
in a virtual machine in [8]. Kernel logs and user logs for the monitored OS are compiled
by the Virtual Machine Monitor (VMM). In retrieving a user log, the VMM detects the
output log and obtains the log by hooking a system call of the monitored OS. This system
allows no possibility of log tampering, since the logs are obtained immediately after issuing
a system call. Moreover, the VMM transfers the obtained logs to the OS for log storage.
5.2.5 VLSD
To create large-scale storage, we first considered mounting multiple unused sections of

disks in a distributed file system. However, file system level distributed storage such as
NFS is not suitable for connecting unused sections into a single storage system because
it is dependent on the platform. Disk level distributed storage is thus needed. The VLSD
(Virtual Large-Scale Disk) [9] is a toolkit for constructing large-scale storage that includes
the implementation of software RAID and NBD in Java. VLSD is 100% pure Java, and
runs on any platform that supports Java. Therefore, it is suitable for use in coexisting
environments such as Windows and Linux. It is possible to combine any NBD device and
RAID freely without restriction from the OS when using VLSD. The minimum number of
NBD devices required is one, in other words, a single file server.
By connecting unused resources (empty capacity of HDDs) of PCs in a lab or office

environment, a single large virtual storage can be created. The VLSD toolkit realizes large-
scale storage up to 8 EB by combining various classes.
Fig. 5.1 Composition of RAID66
Fig. 5.2 VLSD system configuration
With this toolkit, we have successfully created prototype storage of 70 TB in a PC

lab with 512 PCs. However, as the storage size increases, the reliability decreases and it
becomes important to improve the reliability using RAID. Therefore, we have divided the
512 disks (one disk = 170 GB) into 32 groups and built RAID66 as illustrated in Fig. 5.1.
In addition, disk level distributed storage that is independent of the file system is re-
alized by using NBD. As a result, there is no longer the need for expensive storage. The
cost of such distributed storage compares favorably with the cost of dedicated storage as
distributed storage incurs only the cost of an extra HDD. Figure 5.2 illustrates the system
configuration with a 64 bit file server and a disk server. The virtual disk of the disk server
consists of various OSs such as Linux or Windows, and provides functions for disk read and
write through RMI in Java. The file server is connected to a prepared disk and implements
RAID66.
RAID66 comprises two classes of RAID6. The NBD Server, having started an NBD
client, formats the disk in XFS and waits for access from the NBD Client using RAID66. A
Windows client accesses the file server through Samba, whereas a Linux client uses NFS.
With regard the NBD protocol, this is critical on a network lacking in security. How-
ever, it is possible to manage this safely because NBD is only used for interprocess com-
munication on a single server in our method. Communication between a real client and
server is realized using a protocol based on RMI that considers security.
5.2.6 Security of the VLSD
A VLSD solves the problem of providing sufficient capacity for logs, but in terms of
real management, it has a problem with security in realizing internal control [10]. Specifi-
cally the following problems exist:
• wiretapping and manipulation in the PC,

• wiretapping and manipulation on the channel, and
• pretending to be a normal user.
It is thus necessary to consider security techniques to solve these problems. Security of

the VLSD is based on the AAA architecture, which stands for authentication, authorization,
and audit.
Large-scale storage using a VLSD is built by collecting the unused capacity of many
client machines. Therefore, direct access from a client is possible even if the server OS
restricts such access. Clients can then read the content and grant access to the remote disk.
Since the client provides a disk, it is extremely difficult to solve the problem of access
privileges, especially as there is the possibility that a user might have administrator rights.
However, if the latter problem is solved, it is possible to protect data because the content
cannot be read. It is possible to use ciphering of the disk to achieve this. VLSD has a
class for ciphers that ensures that the content from a client machine cannot be read after
ciphering. In addition, there is a method that prohibits write access and this can be used to
prevent manipulation. When write access is required, this can be done as another disk and
should be monitored. VLSD has a wrapper class called ReadOnlyDisk, which can solve
the problem. An overhead of coding is the fact that we cannot ignore normal disk access.
However, as the logs are only referenced infrequently, it is preferable to choose safety from
ciphering instead of rapid access.
Fig. 5.3 Layers of log management
5.3 Design of a Log Management System
5.3.1 System Overview
Log management requires several layers: a layer to collect and store raw logs, a layer to
liaise with databases, and a layer to analyze the logs and to create reports including graphs.
The layers of a log management system are illustrated in Fig. 5.3.
Today, logs are generally compiled into a database for management and analysis. How-
ever in this study, we focus on raw logs that have not had anything added or removed, to
increase the reliability of the storage and management thereof. Raw logs gathered from a
system have the greatest weight in terms of evidence.
Although usability is improved by compiling logs into a database, there is the possibil-
ity that some of the information is lost in the process. In addition, to be precise, database
compilation involves processing a log and there is no guarantee that this process does not
involve tampering and the subsequent loss of usable evidence.
As mentioned above, the current trend is to compile logs into a database, and to achieve
this many products are available. On the other hand, most systems that store and manage
raw logs are not popular and do not usually adopt such a management method. The problem
of capacity is the main reason for this. It is sometimes difficult to imagine that a simple
log file can grow extremely large, but over time any log file will certainly put pressure on
disk capacity if log data is continually added. Therefore, we make use of a VLSD to store
and manage the raw logs. Since only unused resources of existing computers are used, it is
not necessary to add new facilities. Furthermore, we are able to liaise with a DBMS at any
time after having stored the raw logs.
Fig. 5.4 Configuration of system used in this study
Fig. 5.5 Server farm

It is necessary to normalize a log between Level0 and Level1 to balance the potential
evidence of the log with the functionality thereof. The configuration of the system used in
this study is depicted in Fig. 5.4.
We have developed the system using a function like Syslog or Logrotate that already
exists in most OSs.
Typically a log captured by Syslog is overwritten making it impossible to refer to the
old log. The oldest log available is only four weeks old, because the default setting of
Logrotate rotates a log once a week, and overwrites the old logs. This problem can be
solved to some extent by increasing the number of rotations.
Fig. 5.6 Directory for storing logs
It is also useful to copy the older logs to nearline storage, and to manage them there.
The nearline storage collects idle resources from 25 servers that are always online, such
as Web servers or file servers, to build the required storage. Figure 5.5 shows the resulting
configuration.
A log collected on a server for log collection is rotated by Logrotate as follows: the log
that is comparatively just older than the given log is stored in nearline storage, while the
oldest log is stored in offline storage. In addition, to enable searching, a user can acquire the
necessary information from the Syslog of the server machine. For example, the following
searches are possible:
• count of the use time of a computer by a user,

• count of the use time for any one computer,
• count of the simultaneous execution of applications, and
• count of the use time of an application.
These searches can be done by setting Syslog-ng and using various programs.
5.3.2 Collection and Management
In the case of a Windows machine, a log is transferred with NTsyslog [7], whereas
with a Linux machine, it is transferred with Syslog-ng. Then the standards are unified
according to the Syslog form, and transferred to a log collection server, after each log has
been transferred to a server with the same OS. The server for log collection rotates each log
using Logrotate. Directories depicting the kinds of logs are created beforehand in nearline
storage. In addition, year, month, and day directories are created by executing a script
called Logdir for each day. Two log files that are newer than the log in question are both
transferred by executing a script called Logscp, while logs with the same date are stored as
one file in the directory created by executing a script called Daydiv. If Logrotate rotates
daily, it needs to read 2 log files because one log file has 2 days’ worth of logs. Currently,
the date of the previous day is ascertained using a time function. The hierarchy of the
directory used for storing logs is shown in Fig. 5.6.
In addition, an MD5 file is created prior to transferring a log file. This enables us to
confirm that the file has not been damaged during the transfer by comparing the MD5 cre-
ated after the transfer with the original MD5 file. In addition, this can be used as evidence
that the log file has not been tampered with.
5.3.3 Reference and Search
Although the logs are stored individually, it is necessary to be able to refer to them as
a single log file, for example, in processing the request to read all log files stored in the
messages directory and to display these from the command-line sequentially by date. We
have created a shell command, called Logcat, which, given a required date, displays only
the relevant logs. Additionally, we have implemented a script that displays only the log that
matches a specified arbitrary character string. We call this script Loggrep.
When investigating the use time of a computer by an arbitrary user, it is necessary to

take the difference of the login and logout times of the user. We can also calculate the use
time of any one computer from the grand total.
5.4 Guaranteeing Logs in a Network
It is important to maintain consistency in logs for digital forensics. When transferring

a log or keeping it on a temporary server, it must not be tampered with. Systems should,
therefore, be able to detect whether any tampering has taken place. This evidence capability
of logs is necessary for digital forensics. In other words, it must be possible to verify
a log as being original in court. We implement this as part of the current system, but
whenever transferring a log, it must be inspected. We present some models as examples for
considering this utility. In the transfer of logs, it is assumed that any malice happens in the
relay server, and that the log output by a client does not suffer from packet loss and has not
been tampered with.
Fig. 5.7 Flow of the hash (a)
Fig. 5.8 Flow of the hash (b)

(a) Transfer only to server
First, before the log is output by the client, a hash file is created from it and transferred
to the server used to detect any manipulation or lost packets. The hash file is kept together
with the log file in nearline storage. This process is illustrated in Fig. 5.7.
However, in the case of several relay servers, it is not possible to ascertain where the
tampering took place. For example, if a log that is being transferred to the server from
a client is tampered with, either LogRouter1 or LogRouter2 is responsible and must be
isolated from the network. We must be able to detect which relay server was responsible
for the tampering.
(b) Transfer to adjoining router
Next, we consider creating a hash file from the log file at each server as illustrated in
Fig. 5.8. This guarantees the integrity of the log between consecutive machines. However,
if the log is tampered with at LogRouter1 and both the log and hash files are transferred,
evidence of the tampering is unavailable after LogRouter2.
Fig. 5.9 Flow of the hash (c)
Fig. 5.10 Flow of the hash (d)

(c) Broadcast upper
The previous models, (a) and (b), each have a problem, and thus, we propose a new
method to resolve these problems. The method assumes that the log transferred from the
client is correct and can thus be used for comparison with other hash files. We propose
keeping a copy of each hash file in each subsequent server through which the log passes,
as illustrated in Fig. 5.9. Manipulation can be detected by comparing the client hash file
with the hash file created in each server. For example, if the log has been tampered with
and the hash file is transferred from LogRouter1 to LogRouter2, the client hash file is
compared with that created in LogRouter2. This enables us to detect the manipulation in
LogRouter1. Keeping a copy of all the hash files in each server is, however, a waste of
resources. Moreover, a LogRouter is not a VLSD and thus cannot store many files.
(d) Transfer to server with middle hash
The final attempt, method (d), reduces the number of hash files in each LogRouter as
illustrated in Fig. 5.10. The hash files are all transmitted to the server, which then compares
each hash file with the client hash file. Storing the logs in a VLSD resolves the capacity
problem and the hash files can be stored semi-permanently together with the log.
The method involves first comparing the hash file of the transferred log with the client
hash file. If they are the same, it means that the log has not been tampered with. In other
words, this log can be used as evidence in digital forensics. If they are not the same, the
client hash file is compared with the one created by LogRouter1, and then with the one
created by LogRouter2, and so on. This enables us to identify the server where the log was
tampered with.
5.5 New CSV
When storing a number of different types of logs in a database, we generally prepare a

single table that can accommodate all the types. However, the possibility of storing a null
value for a certain column is high when storing several types of logs using a single schema.
This is why such storage is ineffective. On the other hand, if multiple tables are prepared,
it is not easy to traverse the multiple logs searching for a particular date and time.
Therefore, we proposed a log format that can be searched transversely, but which can
also be structured and stored as simply as text-based logs.
Having structured logs is possible with YAML, which is a well-known structured lan-
guage that is superior to XML when used in a similar way, for the reasons listed below.
• It is easy for humans to read.

• Descriptions can be done with a minimum of programming since nesting is expressed
by indentation.
• It has simple data types whereby data can be expressed as an array, a hash table, or a
scalar.
XML can express an inline element such as "<strong>emphasize</strong> in

the middle of a sentence" naturally, because it uses start and end tags.
As such, XML is suitable for expressing a sentence such as in an article or a paper, and
variable forms of data. On the other hand, YAML is not good at expressing data such as a
sentence. It is, however, suitable for expressing fixed form data such as an address book or
a configuration file. A structured log using YAML is illustrated in Fig. 5.11. The meaning
of the data can easily be grasped because the format relies on "key:value" pairs.
---
ProcLog:
- Proc:
- ExecTime: "02:22:41.2812500"
PID: <4488>
ProcessName: WINWORD
TIME:
- EndDate: 2010/02/28
StartTime: "11:54:37"
StartDate: 2010/02/28
EndTime: "14:17:19"
RECORD_No.: 64
Fig. 5.11 Example log structured using YAML
YAML uses "---" to collate a single record. Furthermore, a new line has the same
meaning as the end tag in XML. When a log is replaced by YAML format, the order of the
hash keys is undefined. However, this is not a problem since records are searched using the
key/value pairs.
Fig. 5.12 def record
Fig. 5.13 Unified log
Finally, we convert a log in YAML format into CSV format. This CSV is different from
the general CSV format as it allows multiple logs to be integrated into a single file. Each
of the log schemas is then defined by a def record.
A def record contains a variety of information: the timestamp, types of log, and defini-
tion of the schema. Figure 5.12 illustrates an example of this information.
The log format is always the newest version. This is achieved by referring to the newest
def record even if the definition has been updated. Figure 5.13 shows an example of an
integrated log.
Integrating the format and extraction are performed on text-based files. For preserving
logs over the long-term, the raw log format is important to maintain the high evidence
capability of the log. However, for data mining including analysis of an external service
request, text-based files are cumbersome. Therefore, it is necessary to store the extracted
log in a database.
When storing such databases, we need to consider the possibility that log formats pro-
posed in previous studies may be of multiple types and furthermore, we should allow for an
increase/decrease in columns. For example, it should be possible to add a new column to
a log dynamically, if the log format defines such an addition. Despite the fact that records
that do not have the additional column information will have null values in the new col-
umn, the purpose of this step is to analyze the log, and not to preserve it. Therefore, we
Fig. 5.14 Process flow of a log file in a server
do not need to consider the efficiency of this process for data storage since the database is
temporary.
All data records must be stored, whereas def records provide updated column informa-
tion only. In other words, def records are not stored in the actual database. Figure 5.14
illustrates the process flow of a log file in the proposed system.
5.6 Evaluation
5.6.1 Collection of Logs
As the initial step in our experiments, we obtained a total of 6,605 Kbytes of uncom-
pressed logs over 30 days. This was reduced to 1,581 Kbytes when compressed with gzip,
which is about 1/4 of the original size. In addition, the average log created per day was 220
Kbytes, while the largest was 2,239 Kbytes. Taking into consideration the largest possible
log from 512 PCs in a lab, storage of about 413 GB is required per year. This means that
2.1 TB is required when considering a five year lease. In addition, to service the PC labs
from all four campuses of our university, the storage requirement increases to 1.65 TB per
year.
The hash file created from the largest log, which has 25,652 records and is 847 Kbytes
in size is about 40% of the size of the original log file. In other words, about 1.4 times the
previously calculated capacity is required to store both the log and hash together.
Thus, storage of about 156 GB is required per year when considering the capacity of the
hash for the largest log. This means about 781 GB is required when considering a five year
lease. Thus, a total capacity of 2.9 TB is needed to satisfy the total storage requirements of
the university.
Since we have succeeded in manufacturing a prototype large-scale storage using the
VLSD tool kit, storage capacity is no longer a problem.
5.6.2 Construction of Storage for Logs
Using the VLSD toolkit, we collected 500 GB from 25 servers and created virtual
storage of 4.7 TB. Because XFS is adopted as the file system, it is theoretically feasible to
increase the size to 8 EB. This virtual storage is then assigned as a network drive within
Windows as shown in Fig. 5.11. Now, we consider the cost of using the VLSD for storage.
In an environment such as a PC lab, containing several hundred PCs, we need large-scale
storage. Typically, an expensive file server with the required number of TBs is installed,
due to its reliability and ease of management.
Let us now consider the cost of adding an additional 500 GB HDD to each server. This
amounts to 250,000 Yen for 25 servers assuming the unit cost of a HDD is 10,000 Yen. The
monthly electricity consumption of a desktop PC operating 24 hours per day is about 44
kWh, giving an electricity bill of 908 Yen. This amounts to about 270,000 Yen per year for
all 25 servers. On the contrary, a file server with 60 TB capacity costs about 250 million
Yen at our university, making this option unviable. Although reliability is an important
issue, distributed storage is still preferable, given the significant reduction in cost.
5.6.3 Guaranteeing the Logs
The SHA-1 function generates a 20 byte (160 bits) hash value from a log. The hash
is added to the size of log. The increase in size due to the SHA-1 hash is very different
when applying the SHA-1 function to a record or to a whole file. The size of a record
generated by Syslog is about 100 bytes. Therefore, the total size is calculated as the num-
ber of records multiplied by 16 bytes. However, trustworthiness is increased by hashing
each record instead of each file. Using record-based hashing, it is easy to detect illegally
modified records. So, this is ideally suited to the requirements of digital forensics.
There is a potential weakness in the hash created by SHA-1. It is possible that the same
hash value can be calculated from two different documents. In other words, the unique
characteristic of the hash would be lost. However, we consider it to be difficult to create
the same hash value from a meaningful log. For example, if a record of a particular log is
deleted, it is necessary to add a corresponding record with an appropriate meaning instead.
In addition, changing only part of a record such as a user name or execution time is difficult
as stated before. However, a log that is difficult to tamper with can be obtained by taking a
hash at every record.
The number of connections, which is proportional to the number of clients, must be
considered when sending logs from clients. If there are too many clients, it is difficult
to transfer logs correctly. This is a serious issue in digital forensics too. For example,
when transferring logs via a 1 Mbps line, assuming that the average size of the logs is 220
KB [11], the transfer time is 1.76 s. If a server can process 10,000 transactions per second,
this corresponds to 5,600 clients simultaneously. This sounds sufficient. For example, there
are about 1,000 PCs in our university. This is the same scale as an SMB (small to medium
scale business), which means this method can easily be applied to an SMB.
5.7 Conclusion
In this paper, we proposed a method that guarantees that logs are transferred correctly
and completely across a vulnerable path. Such a guarantee is very important in digital
forensics. In law courts, evidence must be completely trustworthy, and therefore we need
to provide this guarantee for logs. The proposed method guarantees the correctness of logs
by using a fingerprint such as MD5 or SHA-1. In this way, transferred logs can also be
used as evidence in digital forensics.
In addition, we proposed a log that can cope with changing schema on demand by
unifying several kinds of logs into YAML. In general, logs tend not to be used on their
own, which means that a transversal search is needed if several types of logs are included.
The proposed log format that combines multiple log types in a single file extends the CSV
format and is text-based. Hence, a simple transversal search can easily be implemented.
When more detailed analysis is needed, the log can be stored in a database and an advanced
search can be performed faster than on a text file.
While the long-term preservation of logs is itself important, its value can be enhanced
if it is exploited through integration and storage in a database.
In the future, we need to increase the number of formats supported, and perform quan-
titative evaluations such as the time to convert a form and a comparison of the search time
using a database.
Bibliography
[1] Storage Basics: Information Lifecycle Management – EnterpriseStorageForum.com, http:

//www.enterprisestorageforum.com/management/features/article.php/
3299031/Storage-Basics-Information-Lifecycle-Management.htm
[2] Shigeo Tsuji, “Encyclopedia of Digital Forensics”, JUSE Press, pp. 33–36, (2006.12) (in
Japanese)
[3] Koji Oga Tatsuo Asai, “A Proposal for Effective Risk Assessment against Unintended Informa-
tion Leakage”, the 37th Abstracts of the Annual Conference of Japan Association for Manage-
ment Systems, pp. 192–195 (2006.12.8) (in Japanese)
[4] The Official YAML Web Site, http://yaml.org/
[5] IETF Syslog Working Group Home Page, http://www.employees.org/~lonvick/index.
shtml
[6] syslog-ng – Multiplatform Syslog Server and Logging Daemon, http://www.balabit.com/
network-security/syslog-ng
[7] NTsyslog | Download NTsyslog software for free at SourceForge.net, http://sourceforge.
net/projects/ntsyslog/
[8] Masaya Sato, Toshihiro Yamauchi, VMBLS: Virtual Machine Based Logging Scheme for Pre-
vention of Tampering and Loss, 2011 International Workshop on Security and Cognitive Infor-
matics for Homeland Defense (SeCIHD’11) (In conjunction with ARES 2011), (2011.8).
[9] Minoru Uehara: “A Toolkit for Virtual Large-Scale Storage in a Learning Environment”, In
Proc. of 21th International Conference on Advanced Information Networking and Applications
Workshops/Symposia 2007, Vol. 1, pp. 888–893, (2007.5.23)
[10] Minoru Uehara: “Security Framework in a Virtual Large-Scale Disk System”, In Proc. of IEEE
10th International Workshop on Multimedia Network Systems and Applications (MNSA2008),
pp. 30–35, (2008.6.20)
[11] Akihiro Tomono, Minoru Uehara, Makoto Murakami, Motoi Yamagiwa: “A Log Management
System for Internal Control”, In Proc. of 2009 International Conference on Network-Based
Information Systems (NBiS2009), pp. 432–439, (2009.8.19-21)
Chapter 6
Reasoning of Collaborative Human Behaviour in

Security-Critical Work Practices: A Framework
Geong Sen Poh 1 , Nik Nailah Abdullah 2 , Muhammad Reza Z’aba 1 , and
Mohamed Ridza Wahiddin 3
1 Cryptography Lab, ADAM, MIMOS Berhad, 57000 Kuala Lumpur, Malaysia
2 Mathematical Modeling Lab, ADAM, MIMOS Berhad, 57000 Kuala Lumpur, Malaysia
3 Department of Computer Science, Kulliyyah of ICT, International Islamic University
Malaysia, PO Box 10, 50728 Kuala Lumpur, Malaysia
E-mail: gspoh@mimos.my, reza.zaba@mimos.my, nailah.abdullah@mimos.my,

mridza@iium.edu.my
A framework is developed to study the security effects of human activities across an or-
ganisation. These activities can be simulated using software agents. The simulation results
assist one to identify weak links in the overall workflow that may potentially cause security
incidents, for example, leakage of information. This subsequently allows one to set better
processes to more effectively handle such incidents. The main tools to realise the model
are conventional cryptographic approaches and induction of communication protocols and
situated cognition.
6.1 Introduction
Information security has always played a crucial role in protecting sensitive informa-
tion in an organisation from unauthorised access. Security systems were well-established
using cryptographic mechanisms and security policies. However, these existing mecha-
nisms do not take into account human actions and responses on the security systems. It
is thus not surprising that many successful attacks exploit the errors of human operating
the systems instead of exploiting the underlying security mechanisms. Examples include
social engineering in the form of pretexting, phishing, leaking of classified information and
deception using human weaknesses in perceiving risks, privacy and security [1]. Further-
more, with the collaborative natures of work environments and ubiquitous computing being

the norm (e.g. smart phones, tablets), it is now harder to control the movement of critical
information, both through online system and offline physical movements.
Therefore, relying only on technical means is not sufficient and security measures must
encompass both technical and human aspects. Current proposals that factor in human ac-
tions is in the form of secure human computer interaction, better usable security system
and security management, which include designing well-defined set of security policies,
such as Information Security Management System (ISMS) standardisation under ISO/IEC
27001 [2]. One emerging area in policy is the security and privacy policies for handling sen-
sitive data in private organisations and health care services described in [3, 4]. However, se-
curity policies require proper enforcement and training. As mentioned before, human tends
to avoid cumbersome policies, which is evident from the many security incidents reported
on the media. High profile examples are the many information leakages to Wikileaks [5],
demonstrating that policy and security technology are still not sufficient to protect sensitive
information.
New approaches are required to complement the existing mechanisms and one of them
is to study and handle how human collaborate, act and response to threats, system errors
and security measurements, resulting in more secure and error prevention environments.
Such an approach is multi-disciplinary, involving domain in psychology, cognitive science
and information security.
6.1.1 Related Works
Study on human behaviour in the security perspective is a new area of research that has
gained increasing interests through the introduction of the security and human behaviour
workshops [6–8]. This new area provide new insights and approaches, for example, using
the notion of anthropology to confine users to specific tasks so that they will not mistakenly
provide sensitive information to unauthorised web automated agents [9]. Similarly, one
may devise methods to detect deception, such as phishing [10], and privacy measurements
in different application domains [1, 11, 12].
Nevertheless, the various proposals are still mostly exploring insights and concepts for
potential collaboration and seamless operations between human and security technologies,
without a model and potential simulation tools for practical collaborative work practice.
This includes a framework proposed in [13]. The proposal in [14], on the other hand, gives
a preliminary framework but focus only on a communication-processing model involving
an act and a response on a communication sent to a human user; for example, how a human
Reasoning of Collaborative Human Behaviour in Security-Critical Work Practices: A Framework 101
user responses to phishing email. Instead, we are interested in not just a single human user
scenario, but in collaborative behaviour (or rather activities) between a group of human
users. We believe this gives a more comprehensive framework in simulating, reasoning
and tracing of potential security “conflict” points since in an organisation human users
always work collaboratively with one another. Most importantly we want to emphasise the
security conflict points that takes place online, as well as offline, and how the two relates
to one another. We note that the framework in paper [14] is used as a base to construct our
collaborative framework.
6.1.2 Our Contribution
Our main contribution is a security framework that can be deployed to simulate and rea-
son human behaviour in a security focused collaborative work practice in a way to evaluate
and capture potential security “failure” and “conflict”. We also envisage the framework to
be used for effective handling of security incidents such as information leakage. The re-
sulting simulation and workflow can then be used to minimise potential security incidents,
devise better, easy to follow security policies, technical mechanisms that may be automated,
and better collaborative processes. The framework is based on cognitive-based human ac-
tivities study and information security, in which it consists of a model and a process. Under
the security context, the model defines the properties and characteristics of collaborative
communication behaviour of human users, while the process defines three main steps of
observation, simulation & reason and construction of practical security workflows.
6.2 Security Goals
In defining a security framework we need to know what we are trying to achieve (or
fulfill) in the security context. In brief, following the well-established cryptographic no-
tions [15, 16], an organisation that has security processes needs to fulfill four standard
security requirements, which are confidentiality, data integrity, authentication and non-
repudiation. In many cases, availability of information services is also crucial to the effec-
tive operations of an organisation. Thus our framework must be able to cater for these goals
from the human perspective, in compliment of existing technical mechanisms and security
policies. We briefly describe these five goals in the followings by adapting the description
from Menezes et al. [16].
6.2.1 Confidentiality
It keeps secret information from being accessed and used by unauthorised entities. The
common cryptographic mechanisms providing confidentiality are encryption schemes. In
a practical scenario, for example, we want to make sure that secret information stored in a
USB drive of an authorised user to be encrypted. In the case where the USB drive is stolen,
an attacker will not be able to decrypt and access the encrypted secret information in the
USB drive.
6.2.2 Data Integrity
It means ensuring that the information sent or received has not been modified by unau-
thorised entities or other means. The common cryptographic mechanisms used to provide
data integrity are hash functions. In a practical scenario, for example, an attacker might at-
tempt to modify an email containing sensitive information, a digital invoice, a digital tender
document or financial statements of an organisation for his or her own financial gains.
6.2.3 Authentication
It means ensuring: (i) Entity Authentication (Identification). This is provided by en-

tity authentication and authenticated key exchange protocols. (ii) Message Authentication
(Data Origin Authentication). This is provided by Message Authentication Code (MAC).
6.2.4 Non-repudiation
The inability to refute the sender of whatever message that has already been transmitted.
6.2.5 Availability
Data that is available on demand.

All in all, the framework seeks to provide one or more or the combination of all security
goals.
6.3 Human Behaviour Security Framework
In brief, the Human Behaviour Security Framework (HBSF) is a framework of predic-

tion of the most likely security threats context. Enabling a predictive framework would
allow us to anticipate security context that would lead to designing innovative tools and
practices. These tools and practices should help to anticipate the security incidents under
the framework. Furthermore, human behaviour is ‘autonomous’ thus the framework should
allow better governance to security threats through innovative tools. In order to realise the
practices and tools for anticipation and control of security incidents, we define the frame-
work as the combination of a model of collaborative activities, and a process of constructing
practical system. We shall examine the model and process in the following sections.
6.3.1 Model
Modeling actual human activity in our security context involves many factors including
communication, collaboration, team work, workspace and device usage, problem solving
and learning behaviour. Our approach is based on computer collaborative protocols and
systems for security applications leveraging on human communication protocols [17–19]
and Brahms model [20].
Typically our model will involve Actor(s), Action, and PoI (Point of Interests); One-
to-one, One-to-Many, Many-to-Many, Many-to-One, Closed System, Open System as de-
picted in Figure 6.1. On the other hand a characteristic interaction between Actor, Action
and PoI is shown in Figure 6.2.
Fig. 6.1 An example workflow in our model.
In order to develop a model for our work practice we need to sketch a Brahms model
by initially specifying the groups and geography. Work practice is defined as a set of re-
Fig. 6.2 The HBSF Model: Interaction between Actor, Action and PoI.
lated independent models comprising of [21]: Agent, Object, Geography, Activity, Timing,
Knowledge and Communication.
6.3.2 Process
We also propose a process consisting of three steps in the framework:
• Observing natural construct of human behaviour inorganizations in the context of in-

formation security in particular on deception detection, privacy and secure communi-
cations,
• Constructing human computer collaborative protocols and systems for security appli-
cations, and
• Instantiating practical workflow system to demonstrate how including human be-
haviour in information security measurements improves the overall security assurance
to the operations of an organisation compared to a pure technology and policies based
security approach.
6.4 Modeling Tools [21]
The work practice of a human activity system modeling involves a dynamic model
depicting the temporal behaviour of the system. The Brahms modeling consists of the
following phases.
6.4.1 Work Practice Analysis
The aim is to observe and analyse a human activity system with the goal of gathering
useful data that informally describes work practice and then to create a formal model of it.
6.4.2 Formal model of the work practice
This is where the informal data gathered in the previous phase is formalised.
6.4.3 Simulation
The formal modelers run the Brahms simulator with the model as input and the work
practice simulation as output.
6.4.4 Observing the simulation
Here the work practice simulation output is observed and studied to be compared with
the human activity system with the objective to improve the prediction of interest.
6.5 Practical Scenario
A typical practical scenario where our framework can potentially be applied to min-
imise the probability of a security incident from occurring and to minimise damages when
a security incident does happen concerns information leakage. We are interested in mod-
eling the activities of personnel in an organisation, how they handle sensitive documents
and communicate sensitive information with internal and external people. We need to mea-
sure and evaluate these activities to monitor and pinpoint possible leakages. This is due to
the pervasive nature of communications nowadays, including Skype, chat email and per-
sonal portable devices carried in and out the organisations. Consider a small department
of 6 employees, each having their roles and different levels of access to information. This
department in turn links to other different departments which are required to interact with.
6.6 Conclusion
We have proposed a security framework to simulate and reason how human collaborate,
act and respond to threats, system errors and security measurements in order to evaluate
and capture potential information security failure and conflict. The research is based on
cognitive-based human activities study and information security, in which it consists of a
model and a process. Under the security context, the model defines the properties and char-
acteristics of collaborative communication behaviour of human users, while the process
defines three main steps of observation, simulation & reason and construction of practical
security workflows.
Acknowledgment
This research is supported by the Ministry of Higher Education Grant

IIUM/504/RES/G/14/3/2/2/ERGS.
Bibliography
[1] R.J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems,
2nd Edition, (Wiley PublishingInc., 2008).
[2] ISO 27001 Standard, available at: http://www. 27000. org/iso-27001. htm.
[3] J. Karat, C.-M. Karat, C. Brodie, and J. Feng, International Journal of Human-Computer Stud-
ies, 63, 153 (2005).
[4] K.C. for Health & Family Services, Kentucky e-Health Privacy and Security Collaboration
Implementation Plan, theUniversity of Louisville and the University of Kentucky (2005).
[5] Wikileaks, http://213.251.145.96/
[6] R.J. Anderson, B. Schneier, A. Acquisti, and G. Loewenstein, Eds., Security and Human Be-
haviour Workshop 2008, (Boston, 2008).
[7] R.J. Anderson, Ed., Security and Human Behaviour Workshop 2009, (Cambridge, 2009).
[8] R.J. Anderson, Ed., Security and Human Behaviour Workshop 2010, (Cambridge, 2010).
[9] R.J. Anderson and F. Stajano, R.J. Anderson, Ed., Security and Human Behaviour Workshop
2010, (Cambridge, 2010).
[10] P. Kumaraguru, S. Sheng, A. Acquisti, L.F. Cranor, and J. Hong, ACM Transactions on Internet
Technology, 10 (2010).
[11] A. Acquisti and J. Grossklags, IEEE Security & Privacy, 3, 26 (2005).
[12] A. Acquisti, R. Dingledine, and P.F. Syverson, Financial Cryptography – FC2003, Lecture
Notes in Computer Science, R.N. Wright, Ed., vol. 2742 (Springer, 2003) p. 84.
[13] J.J. Gonzalez and A. Sawicka, WSEAS International Conference on Information Security
(2002).
[14] L.F. Cranor, 1st Conference on Usability, Psychology and Security – UPSEC ’08. USENIX
Association (2008).
[15] D.R. Stinson, Cryptography Theory and Practice. Third Edition, Series on Discrete Mathemat-
ics and Its Applications (Chapman & Hall/CRC, 2006).
[16] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, Fifth
Printing (CRC Press, 2001).
[17] N.N. Abdullah and S.A. Cerri, 27th Annual Meeting of the Cognitive Science Society (2005).
[18] N.N. Abdullah, International Joint Conference on Autonomous Agents and Multi Agent System
(2005) p. 1381.
[19] N.N. Abdullah, Ph.D. dissertation, Universite Montpellier II, Montpellier, France (2006).
[20] W.J. Clancey, Cognitive Systems Research, 3, 471 (2002).
[21] M. Sierhuis and W.J. Clancey, IEEE Intelligent Systems (September/October 2002).
PART III
Distributed Attacks Detection and Secure Access

Protocol in MANET, WSN and UbiComp
Environments
Chapter 7
Mitigation of Wormhole Attack in Wireless

Sensor Networks
Ali Modirkhazeni 1 , Norafida Ithnin 1 , Mohammed M. Kadhum 2 , and Teddy Mantoro 3

1Faculty of Computer Science and Information Systems, University Technology Malaysia,
81310 UTM Skudai, Johor Darultakzim, Malaysia
2 School of Computing, College of Art and Sciences, University Utara Malaysia, 06010
UUM Sintok, Kedah Darulaman, Malaysia
3 Department of Computer Science, KICT, International Islamic University Malaysia Jl
Sungai Pusu, Kuala Lumpur, Malaysia
E-mail: mali25@live.utm.my, kadhum@uum.edu.my, teddy@iium.edu.my
Wireless Sensor Networks is consisting of number of limited sensor devices which are com-
municated over the wireless media and it offers variety of solutions to military, healthcare
and industrial applications. As sensor devices are resource restricted, the networks exposed
to different types of attacks and conventional techniques against these attacks are not desir-
able and consequently utilizing WSNs with security services is a challenging. One severe
attack, to detect and mitigate, is wormhole attack in which traffic will be forwarded from a
location of network to another through the wormhole tunnel. In this paper we review WSN
concepts and applications and discuss about security issues and challenges. Then we fo-
cused on wormhole attack and proposed network discovery approach to mitigate its effect
in the domain of hierarchal or cluster based wireless sensor networks which use hierarchal
routing protocols. According to the simulation our approach can mitigated almost 100% of
wormhole attack overload in the environment where above 50% of nodes are affected with
the wormhole.
7.1 Introduction
Wireless Sensor Network (WSN) is a growing technology which is offering solution

to variety of application areas such as health care, military and industry. These kinds of
networks usually apply number of devices known as sensor devices. These sensors which
are limited are distributed over the environment and communicate through the wireless

media. They are also responsible of sensing environment and transmission information as
well. Usually the transmission task is critical as there are huge amount of data and sensors
devices are restricted. As sensor devices are limited the network exposed to variety of
attacks. Conventional security mechanisms are not suitable for WSNs as they are usually
heavy and nodes are limited.
The rest of the paper is organized as follow: Section 7.2 presents general concepts
about WSN and reviews its applications and comes up with the matrix which classifies the
WSN’s applications. Section 7.3 will discuss about the security issues in WSNs. After that
we are focusing on wormhole attack in wireless sensor networks. Then Section 7.5 presents
our proposed approach to deal with wormhole attack and our simulation factors as well as
results will presented in Sections 7.6 and 7.7 respectively. Finally Section 7.8 concludes
the paper.
7.2 Wireless Sensor Network; Concepts and Applications
Advantages in communication technology allow us to build the networks where large

numbers of low-power and inexpensive sensor devices are integrated in the physical envi-
ronment and operating together over a wireless media. There is usually a base (sink) which
is the ultimate receivers of the sensors data. Please note that in some applications there can
be multiple sinks and depending on the application sink(s) can move. For example in bor-
der surveillance application, as border area may be quiet large, there are multiple moving
sinks which monitor different part of the border and periodically ask for the sensors data in
specific location.
To deal with WSN we have to understand its architecture and components as well as its
limitations in order to offer efficient solutions to the applications. Each application needs
its own requirements, including security requirements, therefore providing any services and
more specifically security services for wireless sensor networks requires of clarification of
the application. In this section we briefly review the application of WSN and then discuss
about most wildly used elements in these kinds of networks.
7.2.1 Applications of Wireless Sensor Networks
Nowadays there are many of WSN applications in industry, military and health care.
According to functionality of network we can classify WSN’s applications into: into Event
Detection and Reporting, Data Gathering and Periodic Reporting, Sink-initiated Querying
Mitigation of Wormhole Attack in Wireless Sensor Networks 111
and Tracking-based Applications (Rosenberg, 2008). In the event detection and reporting
applications such as intruder detection systems in military, detecting unusual behavior or
failures in a manufacturing process or detection of forest fires, the infrequency of occur-
rence of specific events has been detected via WSN. In data gathering and periodic Report-
ing applications such as monitoring temperature, humidity and lighting in office buildings,
data gathered and reported in the specific periods of time. In sink-initiated querying sce-
narios the process of gathering and reporting environment data had been asked through
the base, or sink. In tracking-based application such as surveillance, WSN may be used
in order to track of specific objects in the environment. According to the domain of ap-
plication we can classify WSN application into Environmental, Industrial, Healthcare and
Security/Critical applications. This classification is shown in Figure 7.1.
Fig. 7.1 Classification of WSN applications
Environmental application such as structure monitoring, habit monitoring and under-

ground monitoring usually verifications will be done on the specific environment or the
things inside that environment. In the industrial application such as control process appli-
cation, wireless sensor network technology will be applied in the industry. Healthcare is
another classification which applies WSN solutions to variety of applications such patient
monitoring. WSNs are also being applied in security application such as boarder surveil-
lance or intruder detection system.
7.2.2 Sensor Device Architecture
Perhaps the most widely used element in wireless sensor networks is sensor device,
also may be referred as sensor node or node. Sensor nodes in WSNs are responsible of
both sensing environment data and transmission as well. They are usually consisting of
limited processor, memory, battery, sensor(s) and transceiver. Verdone et al. consider the
five elements for sensor device which are shown in Figure 7.2.
Fig. 7.2 Node Architecture (Verdone, Dardari, Mazzini, & Conti, 2008)
According to Verdone et al. sensor node device has the Microcontroller which handles
tasks. It also has memory which is used to store sensed data. The radio transceiver applied
to transmit data. Additionally it has the sensor(s) to sense environment. And finally the
power source, the battery, which is used to provide required power for the other elements.
7.2.3 Routing in Wireless Sensor Networks
As it mentioned in previous section, sensor devices are usually restricted in case of

memory, processor and power. Additionally they are responsible for sensing and transmis-
sion of data as well. Data transmission task is critical and challenging as there are usually
huge amount of data and sensor devices are limited. So designing the routing protocol for
these kinds of networks should consider these limitations in mind. Additionally different
types of WSNs may need different routing protocols.
Routing protocols as it is illustrated in Figure 7.3. can be categorized into the follow-
ing categories base on how protocol selects the next hop for packet forwarding (Acs &
Buttyán, 2007): Content-base routing protocols which in order to forward the data, selects
the next node base on the content of the query, this query usually issues by sink. Another
category in this classification is probabilistic routing protocols which randomly select the
next hop in order to mitigate the load and improve the robustness of the network. Location-
based routing protocol is also placed in this classification. These kinds of protocols select
the next hop base on the position of the destination and neighbors as well. Hierarchical-
based routing protocols are in this category as well. Sensor nodes in hierarchal routing
protocols, forward the data to a node(s) which is placed in the higher hierarchy than the
sender, this sensor node is called aggregator, and then be forwarded to base via aggrega-
tors. Another category in this classification is Broadcast-based routing protocols which
every sensor node individually decides to forward the data or to drop it. If it wants to
forward the data, it simply broadcast it again.
Fig. 7.3 Illustration of Acs and Butty’s routing protocols classification in WSNs
In another classification routing protocols in wireless sensor networks were classified

into Data-Centric, Flat, QoS-Based, Geographical, Multipath and hierarchal base on the
deployment of the network (Boukerche, Turgut, & Turgut, 2009). In data-centric routing,
usually sink ask for specific node data by broadcasting a message. After this message is
reached to the specific node which sink is interested in its data, it will send the informa-
tion back to sink. Flat routing uses tremendous equal sensor nodes (in case of memory,
processor and so on) which collaborate together in order to sense the environment. In the
QoS-based routing, routing is performed by applying QoS parameters which usually con-
trol packet overhead and energy efficiency. Geographical routing uses location information
of the node to forward data. By applying this approach, overhead may significantly de-
creases. In the multipath routing, multiple paths from source to destination are created
and packets will send to destination through these paths. In the hierarchal routing (also
called as cluster-based routing), the virtual tree is made by the nodes. Each node sends the
packet to base (root of the tree) through the parent node. This classification is shown in the
Figure 7.4.
Fig. 7.4 Illustration of Boukerche et al. routing classification in wireless Sensor Network
In this section some different points of view concerning with routing classification in
wireless sensor networks were represented. They were different from each other as they
were made considering different factors such as deployment of network and protocol func-
tionality.
7.3 Security Issues in Wireless Sensor Network
Security will be critical in WSNs and achieving security objectives is a challenging

task as resources are limited in wireless sensor networks. Many of traditional security
techniques are not desirable for WSNs due to the resource constrained nature of these
kinds of networks. Brief introduction of security issues is presented in this section.
7.3.1 Basic Security Requirements in Wireless Sensor Network
In order to achieve security in wireless sensor networks security requirements should

be provided. These security requirements are as follow, system may satisfy some of these
requirements depend on application (Zia & Zomaya, 2009), (Rehana, 2009), (Chen, Makki,
Yen, & Pissinou, 2009) and (Paul Walters, Liang, Shi, & Chaudhary, 2006). The basic
security requirements in WSNs are shown in Figure 7.5.
Confidentiality is the ability of hiding message to an unauthorized attacker. It means
that if an illegal and unauthorized adversary access to the message, it cannot understand
it. Integrity provides a mechanism in order to know whether the message had been tam-
pered or not. Authentication is ability to identify the reliability of message origin. And
Fig. 7.5 Basic Security Requirements in WSNs
Table 7.1 Minimum Security Requirements Regarding to Different Applications in WSNs

Basic Security Requirements
Application
Confidentiality Integrity Authentication Availability
Environmental X X
Industrial X X
Healthcare X X X
Security/Critical X X X X
availability grantees that network services are on hand as they needed. This factor identify
whether message can move on to network or not. If the node can use its resource, then the
availability is provided to the network for forwarding the message.
Although security in wireless sensor networks depends on the application, there are
some basic security requirements which proposed by researchers. System may satisfy some
of them as it needed. We try to extract minimum security requirements for different types
of application in sensor networks which is mentioned in Section 7.2.1. Table 7.1 illustrates
the security requirement regarding to different application categories.
As it is illustrated in Table 7.1, different kinds of application in WSN, need different
level of security. Base on study of (Shi & Perrig, 2004), (Shuo, Xueye, & Yu, 2009), (Guo,
Wang, Huang, Tan, & Zhang, 2007), (Yang & Huang, 2007) and (Bauge, 2009) authenti-
cation and integrity is the minimum basic security requirements which should be satisfied
to make environmental applications such as habit monitoring and industrial applications
such as controlling process be reliable. Healthcare application should keep patients con-
fidential. The reliability of these systems are also very important so the authentication,
integrity and confidentiality is the minimum security requirements that should be achieved
in healthcare applications (Poon, Zhang, & Bao, 2006), (Luna, Dikaiakos, Kyprianou, Bi-
las, & Marazakis, 2008), (Milenkovic, Otto, & Jovanov, 2006), (Steele, Loa, Secombeb, &
Wongc, 2009), (Alemdar & Ersoy, 2010), (Toninelli, Montanari, & Corradi, 2009), (Huang,
Hsieh, Chao, Hung, & Park, 2009), (Barnickel, Karahan, & Meyer, 2010), (Tounsi, Garcia-
Alfaro, Cuppens-Boulahia, & Cuppens, 2010), (Boyle & Newe, 2008). Security and criti-
cal application such as intruder detection and boarder surveillance should satisfy maximum
level of basic security requirements (Stavrou & Pitsillides, 2010), (Boyle & Newe, 2008),
(Defense Advanced Research Projects Agency, 2008). Therefore the security in wireless
sensor network is depending on the application and different types of application needs dif-
ferent levels of security. Consequently system may satisfy some basic security requirement
as it required.
7.3.2 Routing Attacks in Wireless Sensor Networks
Due to the limitations of resources in wireless sensor networks, these kinds of networks
exposed to variety of attacks. Routing attacks which target the network layer in wireless
sensor networks are shown in Figure 7.6 and the brief description of them will be presented
in this subsection (Rehana, 2009), (Chen, Makki, Yen, & Pissinou, 2009), (Lee & Choi,
2006), (Karlof & Wanger, Secure Routing in Wireless Sensor Network: Attacks adn Coun-
termeasures, 2003), (Paul Walters, Liang, Shi, & Chaudhary, 2006) and (Zia & Zomaya,
2009).
Fig. 7.6 Routing Attacks in WSNs
In selective forwarding attack, certain messages will be dropped by malicious node.

Two factors are important in this attack. First is location of attacker, if the location of
malicious node is close to base, it will attract more traffic. Another factor is the amount
of dropped messages, the more it drops, the more energy it has in order to attack. In the
case of sinkhole attack, also known as black-hole attack, attacker surprisingly announces
the short path to sink in order to attract traffic. And when it attracts the messages drop them
or run selective forwarding attack.
In scenario of Spoofed, Altered or replayed routing information, attacker targets at the
routing information as it exchanged among neighbors. In this case, attacker may spoof,
alter or replay the routing packets, creates the loops in networks, repel the network traffic
and etc. The adversary in Sybil attack announces multiple identities by fabricating and
stealing the identity of the legal nodes. The fast tunnel will made by adversary attacker
in wormhole attack. The attacker will forward the traffic of one place in the network to
another place through this tunnel in wormhole attack. In case of hello flood attack, attacker
broadcasts Hello message with the strong transmission power to the networks and make
itself as a fake sink.
7.3.3 Cryptographic Approaches in Wireless Sensor Networks
Sometimes malfunctioning of network is not aim of the attacker; instead it has intent of
accessing and interpreting the data which it collected. Therefore in order to prevent attacker
from eavesdropping, cryptography will be applied. Cryptography, simply, aims at making
data not understandable to an unauthorized adversary which has the goal of data interpre-
tation. In order to apply cryptography in any system including wireless sensor networks,
cryptographic keys should be distributed among the parties, sensor node in this case, and
this task is the responsibility of key management system. Cryptographic algorithms use
these keys for data encryption and decryption. Depending on the key, there are two types
of cryptography: symmetric cryptography – mostly referred as secret key cryptography –
which will use the same key for encryption and decryption and asymmetric cryptography,
also known as public key cryptography, which uses public/private pair key for encryp-
tion and decryption. Conventional public key cryptographic algorithms are not desirable
for wireless sensor networks due to the limited resources (Sabbah & Kang, Security in
Wireless Sensor Networks, 2009), (Paul Walters, Liang, Shi, & Chaudhary, 2006), (Wang,
Attebury, & Ramamurthy, 2006) and (Kizza, 2009).
Unlike public key cryptography, symmetric cryptographic techniques more be used in
wireless sensor networks. There are some symmetric encryption algorithms which are also
used in wireless sensor networks (Slijepcevic, Potkonjak, Tsiatsis, Zimbeck, & Srivastava,
Table 7.2 Cryptographic algorithms in WSNs

Name Key length Block Length
AES (Daemen & Rijmen, 1998) 128 bits 128 bits
RC5 (Rivest, The RC5 Encryption Algorithm, 1995) 128 bits 64 bits
RC6 (Rivest, Robshaw, Yin, & Sidney, 1998) 128 bits 128 bits
Misty1 (Matsui, 1997) 128 bits 64 bits
2002), (Madria & Yin, 2009) and (Lan, Zhibin, Fuxiang, & Ge, 2006), (Modirkhazeni,
Ithnin, & Ibrahim, Secure Multipath routing protocol in wireless sensor network; A security
survey analysis, 2010). Table 7.2, shows some of these algorithms accompany with their
features.
Law et al. tried to evaluate these algorithms on wireless sensor networks. According to
their findings, AES is more desirable in order to providing high security and efficient energy
consumption. They also claimed that Misty1 is more suitable for good memory and energy
efficiency. This is against some of other works such as (Slijepcevic, Potkonjak, Tsiatsis,
Zimbeck, & Srivastava, 2002), which rather to use RC6 as the cryptographic algorithm.
Choosing cryptographic method in wireless sensor networks is critical task due to the
resource constrained nature of these kinds of networks. It should be chosen concerning
with the factors such as energy consumption efficiency and required memory and security
level. Electing unsuitable cryptographic scheme and algorithm for wireless sensor network
consequences the negative effect on network.
7.3.4 Key Management Approaches in Wireless Sensor Network
In order to perform cryptographic operation on data in any cipher system, it is needed

to distribute the corresponding keys among the parties. And this is the goal of key man-
agement system. In the sensor networks, key management protocols are the core of secure
communication and they are focusing at making the secure connection between two nodes.
These will be happened by establishment and distribution of keys among the parties. De-
pending on cryptographic schemes we can have Symmetric and Asymmetric key manage-
ment protocols in wireless sensor networks. (Although some protocols use the combination
of these two schemes (Huang, Cukier, Kobayashi, Liu, & Zhang, 2003)). The brief intro-
duction of symmetric key management schemes is presented as follow.
Symmetric key management approaches as they need less computation time are more
desirable to apply in wireless sensor networks. Here are some symmetric key management
schemes in wireless sensor network: Entity base, Pair-wise, Pure probabilistic, Polynomial
based, Matrix based and Tree based key pre-distribution schemes. Figure 7.7 illustrates
symmetric key management schemes in wireless sensor network.
Fig. 7.7 Symmetric Key Management Schemes in WSNs
In the entity based schemes such as (Lai, Kim, & Verbauwhede, 2002) and (Chan &
Perrig, PIKE: peer intermediaries for key establishment in sensor networks, 2005) key es-
tablishment and distributions will be done by trusted entity. Pair-wise key management
schemes such as (Chan, Perrig, & Song, Random key predistribution schemes for sensor
network, 2003) pair wised key between neighbors is distributed and stored directly in the
sensor nodes before network will be deployed. Pure probabilistic key managements pro-
tocols such as (Eschenauer & Gligor, 2002) which mostly be referred as the basic scheme
distribute the key among the parties concerning the given probability so nodes do not need
huge amount of memory to store the keys. Basic scheme has three phases which are key
pre-distribution, shared-key discovery, and path key establishment. This phase ensures that
any two nodes share at least a key with a chosen probability; for example in order to have
a probability of 0.5 only 75 keys should be drawn out of a key pool with the length of
10,000 to form any key ring. The second phase is responsible of discovery of the neighbors
in the sensor network. Finally the last phase is focusing at assigning a path-key to select
those sensor nodes in network that do not share a key but are connected by two or more
communication links at the end of the shared-key discovery phase.
Polynomial based key management schemes which first proposed by Blundo et al.
(Blundo, Santis, Herzberg, Kutten, Vaccaro, & Yung, 1992) and based pair wise approach,
use the polynomial mathematics in order to generate key pool and key assignment among
the parties. In the matrix based key pre-distribution schemes such as (Blom, 1985) the
matrix Kn×n is responsible of storing all pair wise keys. The element ki j represents the
shared key between node i and j in the network. This matrix is made under the condi-
tion which says the element ki j is equal to element k ji . K = (DG)T G, where D(λ +1)×(λ +1)
and G(λ +1)×n . G is known as public matrix and (DG)T is called secret matrix so must be
confidential to all nodes. In order to generate the pair wise key, node i only store i-th row
of secret matrix. And after deployment of network nodes i and j compute the shared key
ki j = k ji by exchanging their stored rows.
In the tree base schemes, key generation and distribution will be done base on the tree
structure. As an example in deterministic key pre distribution which is proposed by Lee
and Stinson(Lee & Stinson, 2005) uses regular graph and one way hash function in order
to generate the keys and store (not entire keys) them in the nodes.
Asymmetric schemes are mostly based on RSA and elliptic curves cryptography which
are two widely used public key cryptographic techniques consider being heavy to be ap-
plied in WSNs. Although symmetric key management protocols are more desirable to be
applied in wireless sensor network there are some researches such as (Gura, Patel, Wander,
Eberle, & Shantz, 2004) and (Karlof, Sastry, & Wagner, TinySec: A Link Layer Secu-
rity Architecture for Wireless Sensor Networks, 2004) show asymmetric schemes are also
viable in these kinds of networks.
As the summary of this subsection, depending upon the cryptographic scheme we
can have symmetric and asymmetric cryptographic protocols in wireless sensor networks.
Symmetric key management approaches are more suitable to be applied in WSNs as they
have less computational time even though asymmetric key management approaches are
also viable in sensor networks.
In this section variety of issues regarding to the security in wireless sensor networks
were reviewed. You were familiar with security requirements in WSNs in the first sub-
section. After that brief introduction of attacks in sensor networks were presented in the
second subsection. Next subsection reviewed cryptographic approaches in WSNs and the
last one briefly presented key management approaches in these kinds of networks. In order
to provide security for routing protocol in wireless sensor network, these issues should be
considered.
7.4 Wormhole Attack in Wireless Sensor Networks
One of the most severe attacks to detect and defend in wireless sensor network is worm-
hole attack (Zhao, Wei, Dong, Yao, & Gao, 2010) (Prasannajit B., Anupama, Vindhyku-
mari, Subhashini, & Vinitha, 2010) (Karlof & Wanger, Secure Routing in Wireless Sensor
Network: Attacks and Countermeasures, 2003), (Rehana, 2009), (Chen, Makki, Yen, &
Pissinou, 2009). In this attack, a malicious attacker receives packets from one location
of network, forwards them through the tunnel (wormhole) and releases them into another
location. The illustration of wormhole attack in wireless sensor networks is shown in Fig-
ure 7.8.
Fig. 7.8 Illustration of Wormhole Attack
7.4.1 Classification of Wormhole Attack
Wormhole attack can be classified base on different criteria and researchers came up
with different classifications. As a result of work in (Khalil, Bagchi, & Shroff, 2005)
wormhole attack had been classified base on the techniques which is used to attack lunching
into five classifications which are shown in the Figure 7.9.
Fig. 7.9 Illustration of Khalil et al. (2005) Wormhole Attack Classification
In the first category, wormhole using encapsulation, attacker capsulate the routing in-
formation and send it through the other nodes to its cooperator. In this kind of wormhole
attack at least two attackers are needed and as tunnel made via usual nodes in the network,
there is no need to any additional tools. Wormhole attack using out of band channel is
another category in this classification which attacker use long range wireless or wired link
directly to its cooperator. In the wormhole with high power scenario once malicious at-
tacker receives a route request message, it broadcasts it with high power signal which is
not available to the usual nodes in the network and by doing so it will establish tunnel,
through itself, from source to destination. Wormhole using packet relay will be done as at-
tacker convinces two nodes (usually far from each other) that they are neighbor by relaying
packets. Finally as some protocols such as ARAN (Sanzgiri, Dahill, Levine, Shields, &
Belding-Royer, 2002) uses the path which has less packet delivery delay wormhole attack
can be lunched using protocol deviation. In this case attack can be lunched as some nodes
back off during the forwarding of route request and attacker only needs to forward route
request packet without backing off.
In another classification which was done by Graaf et al. (Graaf, Hegazy, Horton, &
Safavi-Naini, 2010) wormhole attack were categorized into active and passive attacks. In
the active wormhole attack the endpoints of wormhole tunnel are two sensor nodes which
are belonged to the network. As a matter of fact in this case the tunnel’s endpoints are part
of WSN. In the passive attack, the endpoints of the wormhole tunnel are not belonging to
the network. In this case of wormhole the tunnel usually made by repeater that simply get
the message and forward it. The Figure 7.10 illustrates this classification.
Fig. 7.10 Illustration of Graaf et al. classification of wormhole attack in WSN
(Graaf, Hegazy, Horton, & Safavi-Naini, 2010) As it illustrated in Figure 7.10 (a), m
and n are two compromised nodes of network which establish the wormhole tunnel. While
in (b), m and n do not belong to the network. Wang et al. also classified wormhole attack
into closed, half open and open attacks. (Wang, Bhargava, Lu, & XiaoxinWu, 2006). This
classification is base on the meaning of the term “close” and “open” where the former
is referring to “start from and include” and the latter is referring to “start from and not
include”. This classification is illustrated in the Figure 7.11.
As it can be seen in the Figure 7.7, in the closed wormhole two malicious nodes which
are made tunnel endpoints, M1 and M2, do not visible to the source. In this case source
thinks it directly connected to the destination. In the case of half open wormhole only one
malicious node is visible to the source and destination. Finally in the open wormhole, both
endpoints are visible to the network.
In this section different classification of wormhole attack were represented. These clas-
sifications differ from each other as they were made through different criteria. Next section
will discuss about existing countermeasures of wormhole attack in wireless sensor net-
works.
7.4.2 Wormhole Attack Countermeasures in Wireless Sensor Network
This section will present countermeasures in order to detect, defend or mitigate the ef-
fect of wormhole attack in wireless sensor networks. In general the common method in
order to detect wormhole attack in wireless sensor network is to use neighbor discovery
techniques. Sometimes this will be achieved through applying special equipments such
Fig. 7.11 Illustration of Wang et al. wormhole attack classification
as antenna (Hu & Evans, 2004). Other approaches may use accurate time synchroniza-
tion in order to detect whether packets are received from the authorized neighbors or not
(Sun, Ning, & Wang, 2006) (Poturalski, Papadimitratos, & Hubaux, 2008). Additionally
protocols may estimate the distance of the sender through the signal straight and verify
whether data comes from the node within the range of communication or not (Papadimi-
tratos, et al., 2008). Some other approaches in this regards apply centralized mechanisms
which uses statistical analysis and methods to detect wormhole attack (Buttyán, Dóra, &
Vajda, 2005). These approaches will detect wormhole existence due to specific changes in
certain statistical pattern. The rest of this section will review selected approaches regarding
to wormhole attack detection and mitigation in wireless sensor network.
Lee, Kim and Seo (Lee, Kim, & Seo, 2008) proposed a method to mitigate wormhole
attack in wireless ad hoc networks. Basic idea of this approach is to check whether for-
warded packet is from authorized neighbor. Therefore they proposed each node gathers
information about its first and second hop neighbors. They use pair wise key management
scheme in their approach (Cha, Wang, & Cho, 2004).
The proposed approach begins to work by broadcasting the announcement message to
network. Every node broadcasts this message which contains Time To Live (TTL) equal
to two, announcer identity and encrypted identity of announcer. When announce message
receives to the first-hop neighbor, TTL will be checked, it TTL equals to two, then first-hop
neighbor stores sender identity and its encrypted identity. Then decrease value of TTL and
forward it to second-hop neighbors. It also sends ACK to announcer which contains its
identity, encrypted identity and differ-hellman key exchange algorithm.
After forwarded message reaches to second-hop neighbor, it will check TTL. If TTL
is equal to one, then it store announcer’s identity and encrypted one and send ACK to an-
nouncer. When ACK receives to announcer, it saves sender’s identity and encrypted iden-
tity then it generates session key using differ-hellman parameter and responds the sender
by sending response message which contains other differ-hellman parameter and nonce and
secret key. It is notable that nonce and secret key are encrypted with the session key which
is made by differ-hellman algorithm.
When response reaches to the neighbors, first they generate session key using other
differ-hellman parameter which is in response message. Second they store secret key of
announcer and nonce after decrypt it using session key. And finally they send confirmation
message to announcer. This message contains incremented value of nonce by one and
secret key of the sender which is encrypted by computed session key. Once announcer
receives confirmation message, it verifies it and add the neighbor to its neighbor list. The
neighbor list contains ID1 and ID2 topples in which the former is related to the first-hop
neighbor and the later is related to second-hop neighbor.
It is noticeable that in this method every node attaches its identity accompany with the
message authentication code (MAC) of its identity to the packet as it forwards received
packet. This MAC computed by keyed hash function such as HMAC (Krawczyk, Bellare,
& Canetti, 1997).
When announcer receives a packet, it first checks the forwarder ID is in its list. If it
can find equivalent ID in the neighbor list, second, it computes MAC of identity using
secret key corresponding to that ID. If the value of computed hash will be equal to stored
hash in the packet, announcer will accept the packet; otherwise packet would be directed
to announcer by wormhole.
Alzer, El-Kassas and El-Soudani (Azer, El-Kassas, & El-Soudani, 2010) proposed
method for wormhole attack detection and prevention base on social science theory of
diffusion of innovations which has been introduced in (Rogers, 1996). The mentioned the-
ory is deal with cultural and social behavior concerning how innovations to be selected or
ignored by society members. Diffusion of innovations applies five stages with innovation
decision process and these five stages are knowledge, persuasion, decision, implementation
and confirmation. Therefore set of actors will be defined by theory of diffusion of inno-
vations which play role in the process. These actors are: Innovators, early adopters, early
majority, late majority and laggards.
Base on theory of diffusion of innovations, they proposed decentralized schemed for
intrusion detection. Their approach uses Network Monitor elements which monitors pa-
rameters such as transmission power, the back off and total number of packets which will
be used further to detect wormhole attack. They presented five phases approach for in-
trusion detection and prevention. These phases are: Normal Network Routing, Wormhole
Parameter Measurement, Actor’s Network Formation, Route Selection using Penalties and
intrusion detection.
Normal network routing as the first phase applies Ad Hoc on Demand Distance Vector
(AODV) routing protocol such as (Perkins & Royer, 1999) in which path will be selected
according to the minimum number of hops. In the second phase, wormhole parameter
measurement, some parameter such as speed of packet arrival, power of node transmission
and actual location of source and destination will be examined. Actor’s network formation
phase will deal with construction of Innovators, early adopters (EA), early majority (EM),
late majority (LM) and laggards (LD) which are defined actors in theory of diffusion of
innovations.
Next phase is route selection using penalties. In this phase the process of path election
is differ from the original AODV routing. After foundation of the actors the penalties will
be given to some node base on the actor. After a node, say X, receives signaling packet
from the other node, say N, it checks whether N belongs to its address table, if not it assigns
a penalty to N regarding of the N’s actor involved for forwarding signaling packets. Then
X select the node M with minimum number of hops and add corresponding penalty to it
and after that compares M and N and select the best for transmission the packets. The last
phase removes the malicious node from the network. In this phase threshold of the early
adopter of certain node will be checked. If it exceeds the threshold value T the message
will be broadcast to the network to remove that node(s) and treat it like a malicious nodes.
The following Figure shows the complete process.
Qian et al. (Qian, Song, & Li, 2007) propose simple scheme named SMR to detect
wormhole attack in wireless ad hoc and sensor networks. SMR which operates on the
multipath routing protocols uses statistical approach to detect this attack. The main idea
of SMR is to find dramatic change in certain statistics which obtained by routing protocol.
Their schemes tries to, first, perform statistical analysis of the network. If the analysis
result is similar to certain pattern they will, second, test the path to confirm the wormhole
attack. SMR does so by sending probe packet and waiting for acknowledgement. And
finally if the attack is conformed, they report it to make the network isolate. They assume
that environment is bidirectional and wormhole attack has strong attack on the network and
that is mean attacker can connect more than one hop.
It is also assumed that attacker cannot modify and fabricate the packets. SMR uses
some measurements; let R be the set of all obtained routes, L be the set of all distinctive
links in R, li be the i-th link in L, ni be the times that li appears in R, n be a random variable
representing number of times that a link appears in R, N total number of non-distinctive
links in R and finally Pi be the relative frequency that li appears in R.
As wormhole attack makes tunnel between two attackers, and attackers are attractive
to routes discovery packets, it is expected that the following measurements which are pre-
sented in Eq. (7.1) help to detect wormhole attack.
ni
Pi = where N = ∑ ni (7.1)
N i
The maximum relative frequency can be computed using Eq. (7.2).
Pmax = max(Pi ) (7.2)
The values of nmax , imax can be found in Eq. (7.3).
nmax = max(ni ) and imax = argument (nmax ) (7.3)
Φ and n2nd are also computing as they have been showed in equations (7.4) and (7.5).
n2nd = max (ni ) (7.4)

i=i
max
nmax − n2nd
Φ= (7.5)
nmax
Base on their claim, it is expected that the value of Pmax and Φ will be much higher
under wormhole attack. SMR will find suspicious nodes as it has the highest Pi .
In order to wormhole attack confirmation, first destination sends the prove packets to
source using the suspicious route, the source identify the probe packet and then sends ACKs
through the same route to destination and Finally base on the percentage of arrived ACKs,
destination will verify the existence of wormhole attack.
In other attempt for wormhole attack detection in wireless sensor networks, Graaf et al.
presented a distributed intrusion detection system which monitors the data exchanges in
the network (Graaf, Hegazy, Horton, & Safavi-Naini, 2010). They assume network has
additional intrusion detection (ID) nodes which monitor the communication and does not
have the limitations of ordinary nodes. The wormhole attack will be identified through
these ID nodes. Additionally they assume that the arrangement of ID nodes should be in
the way that every sensor node and its valid neighbor are monitored with at least one ID. In
the other words a sensor say s with its neighbor say n, is fully-monitored by an ID say x, if
both s and n are in the communication range of x. The proposed method detects wormhole
attack if there will be no ID which fully monitors two endpoints of communication.
Base on the work which had done by Rasheed and Mahapatra (Rasheed & Mahapa-
tra, 2009), the novel scheme proposed to defend the wormhole attack in wireless sensor
network. Their approach is base on mobile sink (MS) and multiple radio channels. The
proposed method applies polynomial key pool pair wise key distribution scheme which in-
troduced in (Liu & Ning, 2003). The proposed method needs to have radio transmission
system for every element in the network. In this approach, every node including MS, tunes
its radio channel to pre-selected common channel called network discovery channel at the
beginning. Then MS sends beacon messages the nodes while it traverses over the network.
Then nodes use polynomial key management scheme and establish the pair wise key with
MS. Then MS assigns channel fi to every node which has a pair wise key ki and sends an
encrypted message containing assigned frequency fi to the node has corresponding key ki .
This frequency will be used in order to transmit data. The wormhole can be detected if MS
receives a data from node containing unknown pair wise key or thorough the invalid data
transmission channel.
As a result of work in (Buttyán, Dóra, & Vajda, 2005), two statistical approaches were
proposed to detect wormhole attack in wireless sensor networks. This approach neither re-
quires any additional hardware such as antenna or GPS nor accurate time synchronization.
But it assumed that nodes can build their neighbor list and send it to the base. And after
neighbor lists from all nodes be sent to the base, base runs the algorithm and detect whether
there is wormhole or not. First scheme called Neighbor Number Test (NNT). This test is
based on the idea of increasing the number of neighbor after lunching wormhole. In or-
der to explain how NNT works consider Figure 7.8. In this figure the thick circle shows
the communication range for a valid node in the network. As it can be seen in the Fig-
ure 7.12, the actual neighbors of node A are N1 , N2 and N3 while after lunching wormhole
the neighbors will be N1 , N2 , N3 , W1 , W2 , W3 , W4 and W5 .
Fig. 7.12 Illustration of the sensor network (Buttyán, Dóra, & Vajda, 2005)
In order NNT to work, first base computes the expected histogram of neighbors using
hypothetical distribution of number of neighbors. Second it gathers neighbor list updates
from the nodes and constructs real neighbor histogram. And then it compare these two his-
togram using x2 test (Bronshtein, Semendyayev, Musiol, & Muehlig, 2007). If the value of
computed x2 is larger than specific threshold then wormhole is detected. In order to com-
pute x2 value, first consider that sensor node with communication range r, are uniformly
distributed over sphere area T and the probability of two nodes being neighbor is shown in
Eq. (7.6).
r2 · π
q= (7.6)
T
And the probability of a node that have exactly K neighbors is computed in Eq. (7.7).

N
p(k) = · qk · (1 − q)N−k (7.7)
k
Where (N + 1) is total number of nodes. Let us split set of {1, 2, 3, . . .} to {B1 , B2 , . . . , Bm }
such that for each k ∈ Bi the expression e(i) which defined below in Eq. (7.8), will be larger
than 5.
e(i) = (N + 1) ∑ p(k) (7.8)

i
And then the x2 value can be computed as defined in Eq. (7.9).

r(i) − e(i)
x2 = ∑ (7.9)
∀i e(i)
Another proposed approach called All Distance Test (ADT). The idea of ADT is very
simple; it express that the distance of the neighbors become short after wormhole attack be
lunched. In other words wormhole distorts the deployment of length of the shortest route
among all pairs of nodes. In this method, like NNT, base estimates the histogram related
the neighbor distances in network and then collects real information about the neighbor
distances. After that it runs x2 test and indicate whether wormhole exists in the network or
not.
7.4.3 WSN Wormhole Attack Countermeasures; Analysis and Comparison
This section is presented in order to analyze the selected approaches regarding to the
wormhole attack detection and mitigation. We analyzed each technique, presented it fea-
tures and drawbacks and generalized them.
Although proposed approach (Lee, Kim, & Seo, 2008) has some advantages such as
no addition equipment applied and there is no need to accurate time synchronization, there
would be a disadvantage that make it undesirable to be applied in resource limited ad hoc
networks such as wireless sensor networks. It uses differ-hellman key exchange algorithm
which is heavy to be applied in wireless sensor networks (Amin, Jahangir, & Rasifard,
2008) (Sabbah & Kang, Security in Wireless Sensor Networks, 2009), (Paul Walters, Liang,
Shi, & Chaudhary, 2006), (Wang, Attebury, & Ramamurthy, 2006) and (Kizza, 2009).
We have seen benefits from the proposed techniques by Poovendaran & Lozos such as it
was designed for limited resources and, itself, it does not required additional hardware, but
it will need additional antenna. This antenna is used in order to perform key establishment
which is an internal process related to this method and this is a major drawback of this
method. Additionally it applies two kinds of node, ordinary and guards. Guards are not
limited nodes and have a better communication range. Therefore it may cause extra costs
and expenses. Furthermore as there are two kinds of node in the network, this method may
not be suitable for protocols which apply only one type of sensor device such as SeRINS
(Lee & Choi, 2006).
The proposed approach by Alzer, El-Kassas and El-Soudani, applies AODV routing
protocol and may not be suitable for other routing protocols such as cluster base routing
protocols. And the criteria of path selection is minimum number of hops make protocol
vulnerable to the attacks such as black hole or sink hole. It also checks the actual location
of source and destination in the second phase which required additional hardware such as
GPS and this may not be available to all kinds of nodes.
The presented method by Qian et al. has some advantages as it uses statistical approach
to detect wormhole attack therefore it will apply no additional hardware but it was designed
to be applied in multipath routing protocols which may not be suitable to other routing
protocol. Additionally it is centralized method as base should compute and there should be
some way that information reach to base correctly and this assumption may not be viable
in real environments.
The method which proposed by Graaf et al relies on the use of additional devices as
intrusion detection nodes. According to their assumption, deployment of the networks
should be in the way that every sensor node accompany with its neighbor be monitored
with at least one ID which make arrangement not suitable for dynamic deployment or
scalability. Another drawback of this approach is that, active wormhole attack will often
not be detected if the length of the tunnel is less than two times of ID’s communication
range and passive attacks will not be identified if the length of tunnel is greater than three
times of ID’s communication range.
Other approach which was proposed in (Rasheed & Mahapatra, 2009) uses mobile sink,
it will be suitable for only some kinds of applications which required MS and also applies
additional hardware in order to provide its mobility. Also, it applies multiple channel radio
transmission which may not be available for all kinds of nodes.
And finally suggested statistical methods in (Buttyán, Dóra, & Vajda, 2005) are base
on the assumption that says nodes can securely send their neighbor list to the base sta-
tion, if that assumption is true, they can use the same way, as it mentioned in assumption,
to transfer data to base. Therefore underling this assumption made the proposed method
not suitable for many application of WSNs which do not have reliable media to transfer
neighbor list to the base.
We try to generalize previous findings and the results of previous selected research are
shown as matrix in Table 7.3. This matrix summarizes different points of view regarding
to the selected wormhole countermeasures. It shows whether scheme is centralized or
decentralized. The mark ‘D’ indicates the method is decentralized and ‘C’ indicates it is
centralized. Additionally it indicates whether additional tools are used in the proposed
scheme or not. The mark ‘Y’ and ‘N’ indicates the existence of additional tools or the
absence of that respectively. Furthermore in order to provide better analysis of the methods,
we present advantages and disadvantages of each method in the matrix.
Table 7.3 Wormhole Attack Countermeasures in WSN

Dec/Cen
Additional Tools
Method Ref Advantages Disadvantages
No Additional tools
(Lee, Kim, & Uses differ-hellman which
D N No accurate clock
Seo, 2008) is heavy for WSNs
synchronization
Two kinds of nodes were
Designed to be applied applied
in restricted resources Not suitable to single
(Poovendran &
D Y sensor network nodes protocols
Lazos, 2007)
No accurate clock Increase in expenses
synchronization (additional tools may
required)
Designed to be applied Uses AODV and may not
(Azer, El-Kassas, in restricted resources be suitable for other
& El-Soudani, D Y sensor network routing protocols
2010) No accurate clock Required additional
synchronization hardware such as GPS
It is only for multipath
No Additional tools
(Qian, Song, & protocols
C N No accurate clock
Li, 2007) There should be safe route
synchronization
to base
Continued on next page
Table 7.3 – continued from previous page
Dec/Cen
Additional Tools
Method Ref Advantages Disadvantages
Two kinds of nodes were

applied
Active wormhole attack
will often not be detected
(Graaf, Hegazy, if the length of the tunnel
Horton, & No accurate clock is less than two times of
D Y
Safavi-Naini, synchronization ID’s communication range
2010) Passive attacks will not be
identified if the length of
tunnel is greater than three
times of ID’s
communication range
Using of MS requires
additional hardware and
may not be suitable to all
(Rasheed & No accurate clock applications and protocols
D Y
Mahapatra, 2009) synchronization Using of multiple channel
radio transmission which
may not be available for
all kinds of nodes
No Additional tools
(Buttyán, Dóra, There should be safe route
C N No accurate clock
& Vajda, 2005) to base
synchronization
As it can be seen in the Table 7.3, most of the wormhole countermeasures applied
additional tools to deal with the wormhole expect methods proposed in (Buttyán, Dóra,
& Vajda, 2005) and (Lee, Kim, & Seo, 2008). Between mentioned methods the method
proposed by Butty’ et al. used the centralized scheme in which there should be secure line
of transmission among the nodes and data should be sent to base securely. This assumption
made approach unreliable in the real situation. If there is secure path from nodes to base, we
can use the same path to send data to base. Therefore method proposed by Lee et al. can be
select as the better approach although it used differ-hellman key exchange algorithm which
is heavy to be applied in wireless sensor networks (Amin, Jahangir, & Rasifard, 2008)
(Sabbah & Kang, Security in Wireless Sensor Networks, 2009), (Paul Walters, Liang, Shi,
& Chaudhary, 2006), (Wang, Attebury, & Ramamurthy, 2006) and (Kizza, 2009).
In this section we discussed about wormhole attack in wireless sensor network. Addi-
tionally varies types of mentioned attack in these kinds of networks were reviewed. Worm-
hole attack countermeasures were presented Afterward. And finally analysis and compari-
son of selected countermeasures were discussed at the end of this section.
7.5 Proposed Neighbor Discovery Approach
Base on the discussions in Section 7.4, in order to mitigate effect of wormhole attack
in wireless sensor network, a neighbor discovery process has been proposed. There are
some criteria to determine whether wormhole attack is performing in the network or not.
For example some methods use statistical approach. They find dramatic changes in the cer-
tain statistical patterns and then decide on existence of wormhole in the network. Longer
propagation can be another symptom of wormhole existence. Additionally we can deter-
mine the existence of wormhole in the network by checking the parameters such as bigger
transmission range than that of normal condition, and previous node is not a neighbor as
well. The proposed method is based on the fact that mentioned wormhole data comes from
unauthorized and illegal neighbors.
In order to illustrate the idea of the proposed neighbor discovery technique, consider
Figure 7.13 presented at below. This figure illustrates of network with 12 nodes. Consider
tow nodes ‘A’ and ‘B’. The actual neighbors of node ‘A’ are ‘A1’ and ‘A2’ and the real
neighbor of node ‘B’ are ‘B1’ and ‘B2’. This means that node ‘A’ receives information
only form nodes ‘A1’ and ‘A2’ and nodes ‘B1’ and ‘B2’ only send data to node ‘B’. As
it is shown in the Figure 7.4-2, node ‘A’ is connected to node ‘B’ through the wormhole.
Therefore node ‘A’ can also receive data from node ‘B’ and vice versa.
The problem of wormhole attack will be solved if the receiving node can determine
whether arrival data comes from actual neighbor or not. Therefore in order to mitigate the
effect of passive wormhole attack which attacker is not belong to the network and does
Fig. 7.13 Illustration of network affected with wormhole
not use the sensor devices to receive and forward the data through the wormhole tunnel,
neighbor discovery protocol has been proposed.
7.5.1 System Assumptions
It has been assumed that each two neighbor nodes have the secret share key which has
been shared after deployment of network and cannot be captured by attacker as it needs
more time to capture. It is also assumed that attacker cannot lunch wormhole attack before
certain time Tn which illustrates the time to complete neighbor discovery.
As we focus on passive wormhole attack, attacker uses its own devices and cannot use
network nodes to lunch attack. After certain amount of time (which is not considerable)
attacker can lunch wormhole attack and it can also lunch selective forwarding attack which
data randomly forwarded by attacker after message was forwarded to other tunnel end-
point. It has been also assumed that attacker cannot modify the data and only transmit and
rebroadcast it (man-in-the-middle attack).
7.5.2 Definition
The proposed method starts to work as every node, say ‘A’, sends HELLO message to
the all of on hop neighbors. This message is encrypted with secret shared key between
each two neighbors, say KAB which is the shared secret key between two nodes ‘A’ and
‘B’. It contains the ID of sender, a random number as nonce and message digest. The
message digest is computed using hash algorithms such as SHA1 and MD5. We use MD5
algorithm in order to generates hash values as it is recommended in the literatures (Choi &
Song, 2006) and (Cho, Kang, & Nyang, 2007) which claimed MD5 is suitable to be used
in wireless sensor network. Figure 7.14 shows the illustration of HELLO message.
Fig. 7.14 HELLO message
When a neighbor, say ‘B’, receives a HELLO message, it will decrypt the message
using a shared key between itself and the sender of the message. After that it computes the
hash of ‘Sender ID’ concatenation of ‘Nonce’. If result is equal to what is in the message,
the HELLO message is authenticated and from an authorized neighbor. Once HELLO
message is authenticated, RESPONSE message will be sent back. RESPONSE message
contains the identity of sender (a node which sends a RESPONSE message), ‘Nonce’ under
the simple function F and message digest of ‘Sender ID’ concatenation of ‘F(Nonce)’. It
is considerable that F is a simple function such as F(n) = n + 1 and message is encrypted
via shared key among the sender and receiver. Figure 7.15 illustrates the structure of the
RESPONSE message.
Fig. 7.15 RESPONSE message

After RESPONSE message has been received to the destination, it will be decrypted
via shared key between two neighbors. After RESPONSE message was decrypted, node
‘A’ verifies node ‘B’ through the authentication steps. First it checks weather hash value
of ‘IDB ’ and ‘F(Nonce)’ is equal to the hash value in the RESPONSE message or not.
Secondly it check for the value of ‘F(Nonce)’. If these two tests are successfully achieved
the neighbor is authenticated, otherwise it is fake neighbor and RESPONSE message will
be deleted.
When a neighbor is authenticated through the verification of RESPONSE message as
it mentioned, its information saved into the destination node, node ‘A’ in our example, and
constructs data structure called neighbor list NA (NI illustrates the neighbor list of node
‘I’). We assume as neighbor list of each node constructed, it will keep safely in node. The
constructed neighbor list will be used in order to make sure message is received from the
authorized neighbor. For our research this list only contains the identity of the neighbors.
It also can integrate with key materials as needed.
In order to illustrates how proposed protocol works consider the network consists of
five nodes which is illustrated in Figure 7.16. Consider node ‘A’, the neighbors of this node
are ‘A1’, ‘A2’, ‘A3’ and ‘A4’. Network discovery for node ‘A’ begins by sending HELLO
message.
Fig. 7.16 Illustration of network consists of five nodes
Node ‘A’ sends HELLO message to all of its neighbors, one-hop broadcast. HELLO
contains “ENC{A, 145, D025D1D5289530613A01CCA997B0D22}”.
Table 7.4 Illustration of neighbor lists

Node A Node A1 Node A2 Node A3 Node A4
A1 A A A A
A2 — — — —
A3 — — — —
A4 — — — —
When this message reaches to the destine neighbors it will first decrypt using the shared
key among two nodes and then verified through computing hash value of the sender ID and
nonce. Once it verifies the function F(n) = n + 1 is applied on the nonce and RESPONSE
message will send back to the node ‘A’. The content of RESPONSE message for neighbors
‘A1’, ‘A2’, ‘A3’ and ‘A4’ are as follow:
RESPONSEA1: ENC{ A1, 146, F5EDD7A804ED22E15C81 E934115EFC2A },
RESPONSEA2: ENC{ A2, 146, 2ADF90CD66ADDC5B03BAB BCB6B546FD5 },
RESPONSEA3: ENC{ A3, 146, 264F063D6566CE6DC2 F1DD0D990C4FFF },
and
RESPONSEA4: ENC{ A4, 146, D866C400582D583 3D2D F5958E88164C0 }.
These RESPONSE messages will arrive to the node ‘A’ and then they will decrypt and
will be verified as it mentioned. Then the list of the authorized neighbor of node ‘A’ will
be created. The same steps will be performed to construct list of other neighbors. There-
fore after neighbor discovery protocol finishes its work, every node knows its neighbors.
Table 7.4 represents the neighbor lists of the nodes ‘A’, ‘A1’, ‘A2’, ‘A3’ and ‘A4’.
After network discovery finishes his work, every node check for the receiving data
whether they come from the authorized neighbors or not. If they are coming from autho-
rized neighbor which is the neighbor lists, node accepts data otherwise drops it.
7.6 Simulation
In order to evaluate the effectiveness of our approach, OMNET++ was applied. In our
simulation we focus on the measurement the total number of send and receive, as it has
a direct relationship with energy consumption, in the ideal condition as well as affected
network with wormhole.
In our work we used secure hierarchal routing protocol which had been reviewed in
(Modirkhazeni, Ithning, & Ibrahim, Empirical Study on Secure Routing Protocols in Wire-
less Sensor Networks, 2010). Deployment of the network was achieved by randomly dis-
tribution of 25 and 50 nodes over the areas of 450 × 223 and 476 × 303 meter square which
made hierarchal network in which data will be sent to base through the parent. These num-
bers of nodes are selected to cover up previous researches parameters (Lee & Choi, 2006),
(Buttyán, Dóra, & Vajda, 2005), although we have seen variety of parameter values pro-
posed by researchers in the literature. Table 7.5 shows the network parameter which are
used in our simulation.
Table 7.5 Network Parameters
Network Parameter Value
Number of nodes 25, 50
Communication Range of Nodes 50 m
Extent of territories 450 × 223, 476 × 303
Average percentage of affected nodes with wormhole 54
Number of Iteration 1000
Type of Routing Protocol Hierarchal
7.7 Results
The intent of research is to mitigate the effect of wormhole attack in the wireless sensor
network. Therefore we proposed neighbor discovery approach to mitigate the wormhole
effect in the mentioned network and in order to evaluate our approach we set up the simu-
lation using C++ and OMNEP++. In this section we present the results of the simulation.
7.7.1 Effect of Wormhole Attack on Original Hierarchal Protocol
This section illustrates the effect of wormhole attack in network. In our simulation
we focus of the network load. We run the simulation for original protocol and original
protocol under the passive wormhole attack in different scenarios with 25 and 50 nodes
which randomly developed in the ground. Figure 7.17 shows the total number of send and
receives of entire network in the slice in the normal situation.
As it mentioned, Figure 7.17 shows the total number of sends and receives in the en-
tire network for four networks with 25 and 50 nodes in every time slice. As it had been
shown in the Figure 7.17, the number of sends and receives related to the entire network is
decreasing by time. This is happening as sink periodically ask the node to send their data
Fig. 7.17 Total Number of Sends and Receives of Original Protocol
to the base and when a node forward its data and those which arrived, it will be idle for
routing and performing sensing operation. Therefore number of sends and receives become
less and less by passing time from order message and will be increased as order message ar-
rives. For illustration the effect of wormhole attack on number of sends and receives of the
network, we repeat the experiment with same condition as before. But this time we lunch
wormhole attack which affects average 54% of the entire nodes in the network. The result
of wormhole attack on the number of sends and receives of entire network is illustrated in
Figure 7.18.
Fig. 7.18 Total Number of Sends and Receives of Original Protocol under Wormhole Attack
As it can be seen in the Figure 7.18, unlike the original network, total number of sends
and receives dramatically increase by the time. This is happened as each attacker on the
one endpoint of wormhole tunnel, receives the data packets and broadcasts them into other
endpoint. For instance consider the wormhole tunnel with tow endpoints ‘A’ and ‘B’. Once
packets were received on the one side of the tunnel, say ‘A’, it will forwarded to other side,
say ‘B’, and then forwarded packets will be broadcasted by tunnel endpoint ‘B’. The same
thing will be happed when ‘B’ receives data. Therefore number of sends and receives in
network will increase and as the energy consume more and more as energy consumption
has direct relationship with number of send and receives. Consequently network services
will be unavailable as there is no energy for performing send and receiving operations.
7.7.2 Effect of Wormhole Attack on the Enhanced Protocol
In order to mitigate the effect of wormhole attack, enhancement has been done base
on discussion in Section 7.5. To evaluate enhanced network under wormhole attack we
run the experiment with same condition as previous section, but this time researchers used
enhanced protocol. Researchers measure the total number of sends and receive of the
network and effect of wormhole on it. Figure 7.19 shows number of sends and receives of
enhanced network under wormhole attack in 2 scenarios with 25 and 50 nodes.
Fig. 7.19 Total Number of Sends and Receives of Enhanced Protocol under Wormhole Attack
As it can be seen in the Figure 7.19, number of sends and receives in entire networks
will increase right after starting the attack and then will decrease and tries to converge to
the original protocol.
7.7.3 Mitigation of Wormhole Attack through the Enhanced Protocol
We had shown the effect of wormhole attack on both original and enhanced network so
far.
In this section we measure the mitigation of the mentioned attack through the proposed
approach. Figure 7.20 illustrates the comparison between the original and enhanced net-
work under the passive wormhole attack in the network consist of 25 nodes.
Fig. 7.20 Comparison of the Total Number of Sends and Receives between Original and Enhanced
Protocol under Wormhole Attack in the Network with 25 Nodes
Figure 7.21 shows the comparison between the original and enhanced network under
the passive wormhole attack in the network consist of 50 nodes.
It is important to notice that the scale of charts in Figures 20 and 21 is logarithmic
as differences among the values of original and enhanced network are quiet high. It can
be seen from the Figure 7.20 and Figure 7.21 that original network suffers from dramatic
increase in number of sends and receives. But the enhanced network mitigates the effect
of wormhole attack, which is dramatic overload in the network. Base on the values in
charts presented in mentioned figures; we measure the mitigation percentage of the network
overload due to wormhole attack. The results are presented in Figure 7.22.
Figure 7.22 shows the percentage related to overload mitigation of passive wormhole
attack through the enhanced protocol. It consists of group of bars which illustrate different
parameter value of node number. Additionally it shows the amount of mitigation percentage
by the time slice. For example the mitigation percentage of the network consists of 50
Fig. 7.21 Comparison of the Total Number of Sends and Receives between Original and Enhanced
Protocol under Wormhole Attack in the Network with 50 Nodes.
Fig. 7.22 Mitigation Percentage of the Wormhole Attack Overload through the Enhanced Protocol
nodes at second 2.7 is 99.39%. It also shows that mitigation percentage value converge to
the 100% by the time.
7.8 Conclusion and Future Works
In this paper, we briefly introduced wireless sensor network, its application and most
wildly used elements in WSN which is sensor device. Then routing in wireless sensor
networks was discussed. Additionally we reviewed some on concepts and issues concerns
with security in WSN. Then we focused on the wormhole attack in these kinds of networks
and presented selected countermeasures. Afterward we generalized previous countermea-
sures, analyzed them. And then base on the presented results we proposed network discov-
ery approach base on distributed scheme which needs no additional tools or accurate time
synchronization. According to the simulation proposed approach acted efficiently and mit-
igated almost 100% of wormhole attack overload in the environment where 54% of nodes
are affected with the wormhole. In the future we plan to integrate our approach with the
secure routing protocols in wireless sensor networks.
Bibliography
[1] Acs, G., & Buttyán, L. (2007). A Taxonomy of Routing Protocols for Wireless Sensor Networks.
[2] Alemdar, H., & Ersoy, C. (2010). Article in Press: Wireless sensor networks for healthcare: A
survey. The International Journal of Computer and Telecommunications Networking.
[3] Amin, F., Jahangir, A.H., & Rasifard, H. (2008). Analysis of Public-Key Cryptography for
Wireless Sensor Networks Security. World Academy of Science, Engineering and Technology
41, 529–534.
[4] Azer, M.A., El-Kassas, S.M., & El-Soudani, M.S. (2010). An innovative approach for worm-
hole attack detection and prevention in wireless sensor networks. International conference on
Networking, Sensing and Control (ICNSC) (pp. 366–371). IEEE.
[5] Barnickel, J., Karahan, H., & Meyer, U. (2010). Security and privacy for mobile electronic
health monitoring and recording systems. 2010 IEEE International Symposium on a World of
Wireless Mobile and Multimedia Networks (WoWMoM) (pp. 1–6). IEEE.
[6] Bauge, T. (2009). Wireless Sensor Networks. Thales Research and Technology (UK).
[7] Blom, R. (1985). Theory and application of cryptographic techniques. Eurocrypt 84 Workshop
on Advances in Cryptology (pp. 335–338). Berlin: Springer.
[8] Blundo, C., Santis, A.D., Herzberg, A., Kutten, S., Vaccaro, U., & Yung, M. (1992). Perfectly-
secure key distribution for dynamic conferences. 12th Annual International Cryptology Con-
ference on Advances in Cryptology (pp. 471–486). Springer.
[9] Boukerche, A., Turgut, M.Z., & Turgut, B. (2009). A Taxonomy of Routing Protocols in Sensor
Networks. In Algorithm and Protocols for Wireless Sensor Networks. Wiley.
[10] Boyle, D., & Newe, T. (2008). Securing wireless sensor networks: Security architecture. Jour-
nal of Networks, Vol. 3, No. 1, 65–77.
[11] Bronshtein, I., Semendyayev, K., Musiol, G., & Muehlig, H. (2007). Handbook of Mathematics.
Springer.
[12] Buttyán, L., Dóra, L., & Vajda, I. (2005). Statistical Wormhole Detection in Sensor Networks.
In Authenticated Queries in Sensor Networks, Lecture Notes in Computer Science (pp. 128–
141). Springer.
[13] Cha, W., Wang, G., & Cho, G. (2004). A Pair-Wise Key Agreement Scheme in Ad Hoc Net-
works. In Lecture Notes in Computer Science. Springer.
[14] Chan, H., & Perrig, A. (2005). PIKE: peer intermediaries for key establishment in sensor net-
works. 24th Annual Joint Conference of the IEEE Computer and Communications Societies,
(pp. 524–535). Pittsburgh.
[15] Chan, H., Perrig, A., & Song, D. (2003). Random key predistribution schemes for sensor net-
work. 2003 Symposium on Security and Privacy, (pp. 197–213).
Bibliography 145
[16] Chen, X., Makki, K., Yen, K., & Pissinou, N. (2009). Sensor Network Security: A Survey.
IEEE Communications Surveys & Tutorials, Vol. 11, 52–73.
[17] Cho, Y.-G., Kang, J., & Nyang, D. (2007). Proactive Code Verification Protocol in Wireless
Sensor Network. In Lecture Notes in Computer Science (pp. 1085–1096). Springer.
[18] Choi, K.J., & Song, J.-I. (2006). Investigation of feasible cryptographic algorithms for wireless
sensor network. Advanced Communication Technology, 2006. ICACT 2006, (pp. 1379–1381).
[19] Daemen, J., & Rijmen, V. (1998). AES Proposal: Rijndael. submitted to NIST as a candidate
for the AES.
[20] (2008). Defense Advanced Research Projects Agency. DARPA,
http://www.darpa.mil/index.html.
[21] Eschenauer, L., & Gligor, V.D. (2002). A Key-Management Scheme for Distributed Sensor
Network. The 9th ACM conference on computer and communication security, (pp. 41–47).
Washington.
[22] Graaf, R.D., Hegazy, I., Horton, J., & Safavi-Naini, R. (2010). Distributed Detection of Worm-
hole Attacks in Wireless Sensor Networks. In Lecture Notes of the Institute for Computer Sci-
ences, Social Informatics and Telecommunications Engineering (pp. 208–223). Springer.
[23] Guo, Y., Wang, Q., Huang, H., Tan, W., & Zhang, G. (2007). The research and design of routing
protocols of wireless sensor network in coal mine data acquisition. Information Acquisition
ICIA ’07 (pp. 25–28). IEEE.
[24] Gura, N., Patel, A., Wander, A., Eberle, H., & Shantz, S.C. (2004). Comparing Elliptic Curve
Cryptography and RSA on 8-bit CPUs.
[25] Hu, L., & Evans, D. (2004). Using Directional Antennas to Prevent Wormhole Attacks. Net-
work and Distributed System Security Symposium (NDSS).
[26] Huang, Q., Cukier, J., Kobayashi, H., Liu, B., & Zhang, J. (2003). Fast authenticated key
establishment protocols for self-organizing sensor networks. 2nd ACM international conference
on Wireless sensor networks and applications (pp. 141–150). ACM Press.
[27] Huang, Y.M., Hsieh, M.Y., Chao, H.C., Hung, S.H., & Park, J.H. (2009). Pervasive, secure ac-
cess to a hierarchical sensor-based healthcare monitoring architecture in wireless heterogeneous
networks. IEEE Journal on Selected Areas in Communications, 400–411.
[28] Karlof, C., & Wanger, D. (2003). Secure Routing in Wireless Sensor Network: Attacks adn
Countermeasures. IEEE, 113-127.
[29] Karlof, C., & Wanger, D. (2003). Secure Routing in Wireless Sensor Network: Attacks and
Countermeasures. IEEE, 113–127.
[30] Karlof, C., Sastry, N., & Wagner, D. (2004). TinySec: A Link Layer Security Architecture for
Wireless Sensor Networks. Second ACM conference on embedded networked sensor systems
(SensSys 2004), (pp. 162–175).
[31] Khalil, I., Bagchi, S., & Shroff, N. B. (2005). LITEWORP: A lightweight countermeasure
for wormhole attack in multihop wireless networks. International conference on depandable
systems and networks (pp. 1–10). IEEE.
[32] Kizza, J. (2009). A Guide to Computer Network Security. Springer.
[33] Krawczyk, H., Bellare, M., & Canetti, R. (1997). HMAC: Keyed-Hashing for Message Au-
thentication, RFC 2014.
[34] Lai, B., Kim, S., & Verbauwhede, I. (2002). Scalable session key construction protocol for
wireless sensor networks. IEEE workshop on Large Scale RealTime and Embedded Systems
LARTES.
[35] Lan, Y., Zhibin, Z., Fuxiang, G., & Ge, Y. (2006). The Research on Certainty-Based Secure
Routing Protocol in Wireless Sensor Networks., (pp. 1–5).
[36] Lee, G., Kim, D.-K., & Seo, J. (2008). An approach to mitigate wormhole attack in wireless ad
hoc network. International conference on information security and assurance, (pp. 220–225).
[37] Lee, J., & Stinson, D.R. (2005). Deterministic Key Predistribution Schemes for Distributed
Sensor Networks. In Selected Areas in Cryptography (pp. 294–307). Springer.
[38] Lee, S.-B., & Choi, Y.-H. (2006). A Secure althernate path routing in sensor netwroks. Science
Direct Computer Communication, 153–165.
[39] Liu, D., & Ning, P. (2003). Establishing pairwise keys in distributed sensor networks. 10th
ACM conference on Computer and communications security, (pp. 52–61).
[40] Luna, J., Dikaiakos, M.D., Kyprianou, T., Bilas, A., & Marazakis, M. (2008). Data Privacy
Considerations in Intensive Care Grids. HealthGrid.
[41] Madria, S., & Yin, J. (2009). SeRWA: A secure routing protocol against wormhole attack. Ad
Hoc Networks 7, 1051–1063.
[42] Matsui, M. (1997). New Block Encryption Algorithm MISTY. Fast Software Encryption Work-
shop (pp. 54–68). Springer.
[43] Milenkovic, A., Otto, C., & Jovanov, E. (2006). Wireless sensor networks for personal health
monitoring: Issues and an implementation. The International Journal for the Computer and
Telecommunications Industry, 2521–2533.
[44] Modirkhazeni, A., Ithnin, N., & Ibrahim, O. (2010). Secure Multipath routing protocol in wire-
less sensor network; A security survey analysis. 2th international conference on network appli-
cations, protocols and services. Alor Setar: IEEE Explore.
[45] Modirkhazeni, A., Ithning, N., & Ibrahim, O. (2010). Empirical Study on Secure Routing Pro-
tocols in Wireless Sensor Networks. 2 (5), 25–41.
[46] Muruganathan, S.D., Ma., D., Bhasin, R., & Fapojuwo, A. (2005). A Centerilzed Energy-
Efficient Routing Protocol for Wireless Sensor Networks. IEEE Communication Magazine Vol.
43.
[47] Papadimitratos, P., Poturalski, M., Schaller, P., Lafourcade, P., Basin, D., Capkun, S., et al.
(2008). Secure neighborhood discovery: a fundamental element for mobile ad hoc networking.
IEEE Communications Magazine, 132–139.
[48] Paul Walters, J., Liang, Z., Shi, W., & Chaudhary, V. (2006). Wireless Sensor Network Security:
A Survey. Security in Distributed, Grid, and Pervasive Computing.
[49] Perkins, C.E., & Royer, E.M. (1999). Ad-hoc on-demand distance vector routing. Second IEEE
workshop on Mobile Computing Systems and Applications, (pp. 90–100).
[50] Poon, C.C., Zhang, Y.-T., & Bao, S.-D. (2006). A Novel Biometrics Method to Secure Wireless
Body Area Sensor Networks for Telemedicine and M-Health. IEEE Communications Maga-
zine, 73–81.
[51] Poovendran, R., & Lazos, L. (2007). A graph theoretic framework for preventing the wormhole
attack in wireless ad hoc networks. Wireless Networks, 27–59.
[52] Poturalski, M., Papadimitratos, P., & Hubaux, J.-P. (2008). Secure neighbor discovery in wire-
less networks: formal investigation of possibility. 2008 ACM symposium on Information, com-
puter and communications security. New York: ACM.
[53] Prasannajit B, V., Anupama, S., Vindhykumari, K., Subhashini, S. R., & Vinitha, G. (2010).
An Approach towards Detection of Wormhole Attack in Sensor Networks. WASE International
Conference on Information Engineering, (pp. 283–389).
[54] Qian, L., Song, N., & Li, X. (2007). Detection of wormhole attack in multipath routed wireless
ad hoc networks; statistical analysis approach. 30.
[55] Rasheed, A., & Mahapatra, R. (2009). Mobile Sink Using Multiple Channels to Defend Against
Wormhole Attacks in Wireless Sensor Networks. 2009 IEEE 28th International Performance
Computing and Communications Conference (IPCCC) (pp. 216–222). Scottsdale, AZ: IEEE
Explorer.
[56] Rehana, J. (2009). Security of Wireless Sensor Networks. Seminar on Internetworking.
[57] Rivest, R.L. (1995). The RC5 Encryption Algorithm.
Bibliography 147
[58] Rivest, R.L., Robshaw, M.J., Yin, Y., & Sidney, R. (1998). The RC6 Block Cipher. submitted
to NIST as a candidate for the AES.
[59] Rogers, E. M. (1996). Diffusion of Innovations. Free Press.
[60] Rosenberg, A.I. (2008). A Taxonomy-based Approach to Design of Large-scale Sensor net-
work. Springer.
[61] Sabbah, E., & Kang, K.-D. (2009). Security in Wireless Sensor Networks. In Guide to Wireless
Sensor Networks (pp. 491–512). Springer.
[62] Sabbah, E., & Kang, K.-D. (2009). Security in Wireless Sensor Networks. In Guide to Wireless
Sensor Networks (pp. 491–512). Springer.
[63] Sanzgiri, K., Dahill, B., Levine, B.N., Shields, C., & Belding-Royer, E.M. (2002). A secure
routing protocol for ad hoc networks. 10th IEEE International Conference on, (pp. 78–87).
[64] Shi, E., & Perrig, A. (2004). Designing secure sensor networks. IEEE Wireless Communica-
tions, 38–43.
[65] Shuo, X., Xueye, W., & Yu, W. (2009). A multipath routing protocol for wireless sensor net-
work for mine security monitoring. 148–151.
[66] Slijepcevic, S., Potkonjak, M., Tsiatsis, V., Zimbeck, S., & Srivastava, M.B. (2002). On Com-
munication Security inWireless Ad-Hoc Sensor Networks. Eleventh IEEE International Work-
shops on Enabling Technologies: Infrastructure for Collaborative Enterprises, (pp. 139–144).
[67] Stavrou, E., & Pitsillides, A. (2010). A survey on secure multipath routing protocols in WSNs.
Computer Networks: The International Journal of Computer and Telecommunications Net-
working, 2215–2238.
[68] Steele, R., Loa, A., Secombeb, C., & Wongc, Y.K. (2009). Elderly persons’ perception and ac-
ceptance of using wireless sensor networks to assist healthcare. International Journal of Medical
Informatics, 788–801.
[69] Sun, K., Ning, P., & Wang, C. (2006). Secure and resilient clock synchronization in wireless
sensor networks. IEEE Journal on Selected Areas in Communications, 395–408.
[70] Toninelli, A., Montanari, R., & Corradi, A. (2009). Enabling secure service discovery in mobile
healthcare enterprise networks. IEEE Wireless Communications, 24–32.
[71] Tounsi, W., Garcia-Alfaro, J., Cuppens-Boulahia, N., & Cuppens, F. (2010). Securing the com-
munications of home health care systems based on RFID sensor networks. Communication
Networks and Services Research Conference (CNSR) (pp. 284–291). IEEE.
[72] Verdone, R., Dardari, D., Mazzini, G., & Conti, A. (2008). Wireless Sensor and Actuator Net-
works. Elsevier/Academic Press.
[73] Verdonel, R., Dardari, D., Mazzini, G., & Conti, A. (2008). Wireless Sensor and Actuator
Networks.
[74] Wang, W., Bhargava, B., Lu, Y., & XiaoxinWu. (2006). Defending against wormhole attacks in
mobile ad hoc networks. Wireless Communications & Mobile Computing.
[75] Wang, Y., Attebury, G., & Ramamurthy, B. (2006). A Survey of Security Issues in Wireless
Sensor Networks. IEEE Communications Surveys and Tutorials.
[76] Yang, W., & Huang, Y. (2007). Wireless Sensor Network Based Coal Mine Wireless and Inte-
grated Security Monitoring Information System. Sixth International Conference on Networking
(ICN’07) (pp. 13–13). IEEE.
[77] Zhao, Z., Wei, B., Dong, X., Yao, L., & Gao, F. (2010). Detecting Wormhole Attacks in Wire-
less Sensor Networks with Statistical Analysis. WASE International Conference on Information
Engineering (pp. 251–254). IEEE.
[78] Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: Efficient Security Mechanisms for Larg-Scale
Distributed Sensor Networks. ACM Conference on Computer and Communication Security.
Washing.
[79] Zia, T., & Zomaya, A.Y. (2009). Security Issues and Countermeasures in Wireless Sensor Net-
works. In Algorithms and protocols for wireless sensor networks. John Wiley & Sons, Inc.
Chapter 8
Protocol for Secure Access in Mobile Ad-hoc

Network for Emergency Services Using Group
Based Access Control Model
Asmidar Abu Bakar, Roslan Ismail, Abdul Rahim Ahmad, Jamalul-lail Abdul Manan
Department of System and Networking, Universiti Tenaga Nasional, KM 7, Jalan Kajang
Puchong, Selangor, Malaysia
MIMOS BHD, Malaysia
E-mail: asmidar@uniten.edu.my
Research on MANET as a platform for supporting emergency and rescue operations has
been studied by many researchers. Throughout emergency situations, the needs of sharing
the information among the rescuers are enormously vital. However, since this network is
operated based on wireless environment, it is vulnerable to threats and intruders. Infor-
mation flow in MANET can be intercepted and tampered. This raised a security issues
in assured that information shared between nodes in emergency situation using MANET
secure as the goal of security solutions for MANETs is to provide security services such
as authentication, confidentiality, integrity, trust and also authorization or access privileges
to mobile users. To solve this problem, a protocol for secure access in emergency services
is constructed and implemented in Group Based Access Control (GBAC) model. There
are three protocols in GBAC for secure access which are member registration, tag creation,
and the access control protocol. A scenario that showed the used of this protocol is demon-
strated and analyzes in order to make sure it meets the desired security properties. Since
node in MANET operated under battery, thus a delegation protocol is introduced in the
GBAC model to ensure access to information is always obtained from secure resources.
8.1 Introduction
The Federal Emergency Management Agency (FEMA) has classified disaster into two
categories; natural disaster such as earthquake, wildlife fires, flood etc or technological dis-
aster such as terrorism, hazardous material, massive accidents etc Hristidis et al., 2010 [13].
In recent years, the world had seen huge and fatal disasters appeared such as massive earth-
quake in Sichuan’s province, China, the cyclone Nargis in Burma and the Atlantis hurricane

Ike in Cuba [40]. In such cases, to count on fixed infrastructure to be operational after the
disaster is impossible since normally the existing information and communication systems
in the affected areas can be destroyed or partially destroyed. Therefore, to launch a rescue
operation, a temporary network communication and information infrastructure needs to be
constructed at the disaster area. Rescuers need to communicate among team members and
to coordinate the rescue mission. Information needs to traverse from the groups and the
rescue center and vice versa in order for the rescue work to run smoothly and able to save
lives. The temporary communication and information system at the disaster area, required
technology that can be quickly setup with less human intervention [11].
The used of MANET as network structure for supporting communication and informa-
tion sharing in emergency rescue mission has been proposed by many researchers such as
Graaf et al. [11], Mahaputra et al. [23], Puzar et al. [31, 32], Plagemann et al. [29, 30],
Catarci et al. [6], Hong et al. [12], Lien et al. [20], Aschenbruck et al. [1], Jang, H.-
C.,et al. [15], Scavalino et al. [36], and Tornqvist et al. [40]. Plagemann et al. [29] stated
that organizations involved in rescue operations such as fire departments, police depart-
ments and medical organizations acknowledged that the flow of information throughout
the disaster cycle is extremely crucial for effective humanitarian operation. Therefore,
the individuals involved in the operations within these organizations require collaboration
among themselves to allow information to be effectively shared during the rescue opera-
tion. Scalavino et al. [36] quoted an example of a massive car accident which happened
in Mont Blanc Tunnel in 1999 which has caused the death of 39 people. In the rescue
operation many agencies gathered and formed rescue teams to handle the situation. In such
an emergency incident, information that rescuers need to exchange and must be protected
among various agencies include personal and medical information of the victims, informa-
tion on the tunnels and sewer plants, information on affected housing areas, information on
the state of accidents and details of the rescue operations itself. The information received
from the center of operation or gathered and collected during a rescue mission must be se-
cured and made private among the rescuers and cannot be simply broadcasted to the public.
This is crucial in order to avoid any panic situation and the spreading of rumors which lead
to information inconsistency.
The above emergency scenario implies the need for effective information sharing and
raised an important issue on the control of access to the information among rescuers during
the rescue work. Since MANET is a wireless network, it is more vulnerable to both passive
and active attacks. In addition, the dynamic topology nature of it allows for anonymous
Protocol for Secure Access in Mobile Ad-hoc Network for Emergency Services 151
nodes whether a trusted or not a trusted one to join the network. This creates difficulties
in managing information sharing in MANET hence the need for a manageable and secure
mechanism to control access.
8.2 MANET at Emergency Rescue Mission
Mobile Ad-hoc network (MANET) is a suitable mechanisms for the situation at a dis-
aster since the deployment of the network using portable devices is easy to implement with
its unique characteristics such as self organization, autonomous and very light as compared
to desktop and it supports multi-hop routing. The network can also easily be setup using
the existing technology embedded in laptops such as WiFi. WiFi-ready notebook PC is
becoming very popular since its battery life can be several hours. It is also compatible with
many other devices (Lien et al. [20]). Figure 8.1 shows an example network created at the
rescue area during a disaster. In this figure, there are a few groups (labeled as GP, GM and
GF, which represents Policeman Group, Medical Group and Fireman Group respectively)
that setup the MANET at the rescue area. There are two types of user in the group which
is the group leader known as Master Group (MG) and members (M).
Fig. 8.1 MANET at Emergency Rescue Mission
The connection between MG and off-site rescue center make use of technologies such
as satellite network or Universal Mobile Telecommunication System (UMTS) or Terres-
trial Trunked Radio (Tetra) [16]. MG in each group is also connected with other MGs in
other groups using access points (if available) or relay packet between adjacent members.
Members (M) in each group communicate via wireless links with their neighbors peers and
those non-neighbors communicate via intermediate nodes that relay the packets 3. Member
use the information obtained from own MG or from other MGs in doing their work. It is as-
sumed that all nodes maintain routing tables in order to identify path for packet forwarding.
Members in each group can randomly move and mix around the surrounding disaster area
while MG is static at the base center for each group. Data or information at the rescue area
is can be publicly shared among groups or accessible only by certain groups or members.
8.3 Group Based Access Control (GBAC) model
Group Based Access Control (GBAC) model is derived based on group and role con-
cept, and according to Maki et al. [24], group can be defined as “a set of entities that want
to communicate with each other and to co-operate for some purposes”, while Sandhu [35],
defined group as “a collection of users who have similar security attributes”. The group
concept is chosen as this is the foundation for ad-hoc concept [24]. In this work, group is
defined as follow:
Definition 8.3.1. Group (G) consists of sets of users (U) under the same organization and
set of objects (O) related to group’s function. G can be described as follows:
G = {U, O} where U = {U1 ,U2 , . . . ,Ui }, O = {O1 , O2 , . . . , Oi }
An object represents the information that each group is holding which are related to
their roles in ERM. Object can be categorize into two categorises; sensitive or general. For
example, in group medical, victim’s health information can be classified under sensitive,
while information on status of emergency situation can be classified as general since all
groups involved in emergency rescue mission as well as society needs to know this type
of information. In the GBAC model, each group have objects related to their roles and
object’s owner is responsible in classifying the objects.
A role in RBAC is a set of users and permission (Sandhu [35]). A role can also be
defined as a job function within the context of an organization with some authority and
responsibility given to the user (Memon [26]). In GBAC, the definition of role given by
Memon is used. Thus in GBAC model, each group has a predefined roles or tasks which
was given prior to network setup at ERM and it is determined by the group-role relation-
ship. The definition of group-role is given below:
Definition 8.3.2. Group-role (GR) refers to role that each group is assigned with prior to
temporary network setup at the ERM.
For an example, the core task of group policemen is taking care of the road safety and
kept information with regards to the road safety and group medical handles the injured
victim and safeguard information related to medical.
Each type of user in GBAC model is assigned a role which lead to permission on ob-
ject and it is determined by user-roles relationship and roles-permission relationship. The
definition on user-roles and roles-permission is given as below:
Definition 8.3.3. User-roles (UR) determine the roles that each user performed based on
their core task in the group.
Definition 8.3.4. Roles-permission (RP) determines the permission given to member to-
wards object based on member’s role.
The relationship between user-roles (UR) and roles-permission (RP) in each group (G)
is as follow:
Given G = {U, O}, then UR P, RP O, therefore U P O based on UR in the group.
For an example, the role of the Master Group is to lead and to coordinate the group. Master
Group also holds the objects related to group’s role in the emergency rescue mission. Hence
Master Group has a set of permission on object such as “read”, “write”, “delete”, “update”.
Normal member of group only used the object thus their permission is only “read”.
8.3.1 Components in GBAC model
The GBAC model consists of Trust Management, Access Policy and Cryptographic
protocols. The trust management which is based on Hierarchical Public Key Infrastructure
(HPKI) is needed for node’s authentication, access policy is derived from group and role
concepts is required for node’s authorization and the cryptographic protocols for ensuring
secure access in MANET. Figure 8.2 shows the components in GBAC. These components
reside in Master Group in all groups that setup the network at rescue areas.
Fig. 8.2 The GBAC model
8.3.1.1 Access Control policy in GBAC model
The access control policy (ACP) in the GBAC model is derived based on group-role
and use-role relationship. The policies assume that members in the group are homogenous
where all members have same level of trust except for MG. As the leader in the group, MG
has more authority than other members. Group-role determines which information is ac-
cessible between groups. User-role relationship determines action on information received
between MG and M. Examples of actions (A) are “Read” denoted as (R), “Write” denoted
as (W), and “Delete” denoted as (D). Since members are homogeneous, thus member can
only “Read” or “View” the information. Only MG has the authorization on other actions.
The policies are stated in the definitions below. Table 8.1 shows the notations and the
description of the notations used in the policy.
Definition 8.3.5. For all members in Group P or Group F they can READ object related to
security and general info.
• ∀ M ∈ GP ∨ GF ∧ A = R ∧ (O = (Os ∧ Og))
Definition 8.3.6. For all Master Group in Group P or Group F, they can READ and WRITE
object related to security and general info.
Table 8.1 Notation and the descriptions

Notation Descriptions
GP – Policeman Group
GP, GM, GF GF – Fireman Group
GM – Medical Group
Os – object related to security information,
Os, Om, Og Om – object related to medical information,
Og – object related to general information
Member – is the structured user.
This type of user is a member of group GP, GM or GF that
M
created the temporary network. Member collects or used infor-
mation and does the rescue works.
Master Group – is the structured user.
MG is the group leader in each group. MG coordinates all mem-
MG bers belong to his own group and attain request for sharing the
information within own group and between groups.
MG keeps all information related to group.
• ∀ MG ∈ GP ∨ GF ∧ A = R ∧ W ∧ (O = (Os ∧ Og))
Definition 8.3.7. For all members in Group M, they can READ only object related to med-
ical and general info.
• ∀ M ∈ GM ∧ A = R ∧ (O = (Os ∧ Og))
Definition 8.3.8. For all Master Group in Group M, they can READ and WRITE object
related to medical and general info.
• ∀ MG ∈ GM ∧ A = R ∧ W ∧ (O = (Os ∧ Og))
These policies are kept by each MG in a group. MG is given the authority to modify or
to update the policy. This is because MG is given action “READ” and “WRITE”. READ
means a copy of information is given to member for doing the rescue works. Any changes
to this information will not affect the original copy kept by MG. WRITE means any changes
made to the object will erase the old contents. These policies ensured the integrity of
information is preserved during emergency.
8.3.1.2 Trust in the GBAC model
Trust in GBAC model is using the concept of hierarchical public key infrastructure
(HPKI). Since there are groups in the GBAC model, they will be root certificate author-
ity (R-CA) that issued certificate or credential for all members (M) or to other certificate
authorities (CAs). For example, in Policeman Group (GP) there is a National Head of
Policeman (NHOP) which can acts as R-CA for policeman group, while District Head of
Policeman (DHOP) can act as a CA for each district and members (M) of policeman group
in each district obtained the certificate from each district head. The trust chain follows the
top to bottom approach where R-CA is a trusted entity and when R-CA issues certificates
to other CAs (CA1, CA2, CAi) or members (M) it showed that the issued CAs or Ms are
also trusted. Figure 8.3 is used to illustrate this example.

Fig. 8.3 Trust in GBAC
8.3.1.3 Protocols in the GBAC model
There are three protocols in the GBAC model as stated below.
• Member’s registration protocol

• Tag creation and signing protocol
• Protocol for access information
i. Member’s registration protocol
Prior to network setup at ERM, MG for each group is selected by the R-CA. Other mem-
bers of the group are required to re-register with this newly selected MG. For example, in
policeman group, (denote as GP), members of GP re-registered with MG P. The purpose
of the member’s registration protocol is to control and to monitor members who involved
during the rescue operation at the emergency area. This process also ensures trust will be
obtained hierarchically from top to bottom as in HPKI approach. This re-registration also
will allow members to request for information hold by each MG or by other MGs in the
ERM. The registration process is conducted offline prior to ERM and the protocol is as
below.
Protocol
1. The process starts when a member (M) submits his/her certificate that is signed by
his/her original central authority (CA) or root authority (R-CA) to MG.
2. MG upon received the certificate; verified the certificate with the original CAs or R-
CAs.
3. Upon confirmation; MG created a temporary tag for a member (discussed in the follow-
ing section). MG also created a unique password denoted as P which matched the tag for
each registered member. The password will be stored as an image f (P) under the one-way
function f . The security of the password depends on the security of the one-way function.
In this work, it is assumed that one-way function is secured.
4. Both, tag and password are given to all registered member and this information are
kept in MG’s database. MG also stores all related information regarding members such as
member’s name, member identification and member’s public key.
ii. Tag creation and signing protocol
Tag is a token given to a registered member in ERM, similar to the ticket given to a user
person to play at the theme park or enter a cinema. Tag creation is done offline prior to ERM
once, during the registration protocol. The tag binds user with his public key, group and
what user is authorized to do. This concept is similar to Simple Public key infrastructure
(SPKI) certificate (Smart [38]) since user’s identity bind with its authorization. The fields
in the tag are shown in Figure 8.4 and the description on each field is given in Table 8.2.
U_ID G_ID U_Pk MG_Pk A T_C T_E SignMG
Fig. 8.4 Example of Tag

Table 8.2 Symbols in the tag and its descriptions

Symbols Descriptions
U_ID UserID – the identification of user
G_ID Group identification
U_Pk User public key
MG_Pk Master Group’s public key
Refer to action entity obtained. Since user is member
A
therefore user can only do action READ or VIEW.
T_C T_C is the time created for the tag
T_E T_E is the time expires for the tag
SignMG Refer to MG signature on tag
Protocol
The design protocol concentrates on producing a legitimate tag for members in ERM. Le-
gitimate tag is a tag created for each registered member, M and signed digitally by his/her
MG. The RSA signature scheme with hash function is used to sign the tag. Using the cryp-
tographic hash function, h, it is possible to make the RSA signature into signature scheme
without message recovery which is suitable and efficient for long messages [5].
System setup: Let MG public key be (N, e) and his corresponding secret key is d. A sign-
ing function denoted by Sx (message) means message digitally signed by x and h(·) is a one
way function.
Signing and verification process
The signing process commences once the tag as in Figure 8.4 has been created for each
member. In the signing process, MG signs the hash value of tag, m and then send the tag,
m with the signature S, together as a pair (m, S) to registered member, M.
Once the tag has been signed by the MG, member, M can use the tag to request for
information at the ERM. The tag needs to be verified by MG which requests for information
is made to. The verification protocol is conducted online. The tag verification protocol uses
the public key of MG, which is a master group for M. Assume that MG X needs to verify
the tag given by M. The verification process is given below.
a. Upon receiving the tag and signature, MG X computes the signature, S using the MG’s
public key, (N, e).
b. MG X then computes the hash value of tag (m).

c. Check h = h(m), if they are same then accept the signature as valid otherwise reject it.
d. The valid signature on tag indicates that tag is valid.
iii. Protocol for access the information
The interaction in the access protocol is between member (M) and master group (MG) in
the same group and also between member (M) and master group (MG) in the different
groups at the ERM. The interaction is following the concept of client-server where MG
acts as server and M as a client. The intermediate nodes between MG and M, act as routers
that helps in forwarding the message.
1. Intra-access protocol
The scenario for intra-access protocol is as follows.
M, a member, from Group P, denoted as Mp, requests to access the information regarding
road safety from his own master group denotes as MG P.
The message sequence diagram in Figure 8.5 shows the interaction between MG P and M
for the scenario. The sequence below, occur from the registration process and tag creation
until request to the information. The member’s registration, tag creation and tag signing
protocol are conducted offline. Interactions for these processes are as shown in sequence 1
and 2. Request for information between Mp and MG P are shown in sequences 3 until 9.
The protocols are conducted as follows:
System setup: Let MG P’s public key be (N, e) and the secret key be d. Let the public
key of Mp’s be pk and the corresponding secret key be sk. The tag is denoted as m and
S denotes the signature on tag and message or object. The encryption and decryption is
using the notation E and D respectively and h(·) is a one-way function. Let Os represent
information requested and let (m · S) denotes the tag and signature of it.
Protocol
1. Mp encrypts the information requested (Os) and his tag (m, S) using MG P’s public-key,
(N, e). Mp then sends the encrypted message E(Os, m, S) to MG P.
2. Upon received the message E(Os, m, S), MG P decrypts the message using his secret
key; d. MG P need to verify the tag given. MG P checks the information in tag. The
user identification, U_ID and group identification fields indicate that Mp is from GP. MG
Fig. 8.5 Message sequence between MG P and Mp in intra-access protocol
P checks this information in the database for confirmation. MG P then uses his public key,
(N, e) to verify the signature on the tag. If the signature in the tag is valid, this confirms
that MG P is the one that created the tag since the signature is created using MG P’s secret
key, d, hence MG P must be the one that have the pair of keys. This also verifies that the
tag is created for GP.
To ensure that the tag is not expired; MG P needs to verify tag validity by checking the
time_expires in the tag. The algorithm for checking the tag validity is shown in Figure 8.6.
If time_submitted >= time_created and < time_expires
Check tag information //proceed with step
else
terminate the process //tag is expired
Fig. 8.6 Algorithm to evaluate tag’s validity

Verify tag’s validity
The time_submitted is the time when the tag is submitted to MG by M. time_submitted

is not constant instead it is dynamic. In each tag, there is time_created and time_expired.
time_created is the time when the tag is created by respective MG for the respective mem-
ber in the group during the re-registration process. The time_expired is the expired time for
the tag to be used. For example, time_created is 7 am, and time_expired is 24 hours. This
means that if the tag is created at 7 am today then it is valid until 7 am the next day, for 24
hours. If Mp submits the request together with tag within the permitted 24 hours, then the
tag is valid. If the duration is valid, then the protocol continues to step 3, otherwise, the
communication is stopped.
The purpose of having tag validity is to ensure that the tag is only valid during the
duration of the rescue works at that particular ERM. For example, if the rescue works
at that ERM is last for 24 hours then after that, the created tag is no longer valid. This
mechanism can ensure that the security of information to be accessed within the specific
ERM is secure. This process ensures that even though the entity has a valid tag but the
entity cannot gain access to the information. For any expired tag, member needs to re-
register again to obtain the valid tag with own Master Group at the ERM.
3. To confirm the valid tag is given by a registered member which is also a legitimate owner
of the tag, MG P request for password that matches the tag given.
4. Mp sends password to MG P.
5. MG P checks the given password. If it match with the one stored in MG P’s database,
this authenticates Mp as a legitimate owner of the tag.
6. To give authorization to Mp, MG P checks the access policy for each valid tag. If the
policy matches, access is given. To ensure object’s integrity is preserved and to ensure that
Mp can verify the object’s received, MG P creates hash value of object Os and signed Os
using MG P’s secret key, d. MG P then encrypts the message and signature (Os, S) using
Mp’s public key, pk. This pair of encrypted message (Os, S) is sent to Mp. If access is not
given, then no object is given to the requester and the communication will be terminated.
9. Once Mp receives the message, (Os, S), Mp decrypts it using his secret key, sk. Mp
verifies the signature on Os using MG P’s public key, (N, e). Mp also computes the hash
value of Os. If the hash value calculated is same with the signature verification this means
signature on object is valid and indicates that object’s integrity is preserved.
Analysis of Intra-access protocol
An analysis of the proposed protocol is provided below. The analysis is done using the
direct approach method (S. Epp [34], Gossett [10]) and cryptographic approach. The pro-
posed protocol is claimed to successfully achieve the desired properties such as authenti-
cation, authorization, trust, confidentiality, integrity and non-repudiation.
i. Proof of authentication and authorization
After receiving the encrypted tag, MG P first decrypts the tag and checks the information
in the tag. The tag indicates that U_ID equal to Mp and G_ID equal to GP. This shows that
the tag is created for GP. To verify this information, MG P verifies the signature attached to
the tag. This is because if the tag created is for GP then MG P must be the one that creates
the tag since the tag is created using MG P’s secret key. MG P used his public key to verify
the signatures.
To prove that the tag belongs to Mp, MG P requests for password. The password, P
which was created for each registered member is unique and created using one-way func-
tion. The security of the password is based on the difficulty to reveal back the password.
Hence, if the given password is matched with the tag given, it shows that Mp is a regis-
tered member thus a legitimate owner of a valid tag. This ensures that no other entity can
masquerade as Mp hence authenticates Mp. Theorem 8.3.1 states this preposition.
Definition 8.3.9. The term valid means that the tag is proven to be authentic via tag verifi-
cation process.
Theorem 8.3.1. If tag is valid based on Definition 8.3.9, and member is registered, then
member is authenticated.
Proof. Let P be the tag, Q be the registered member and R denotes authenticated member.
If P is valid and Q is not a registered member, then Q is not authenticated. This means
Q = R. In this case, the tag can be verified to belong to the Group P via G_ID, U_ID
and signature of the master group (MG P) attached with the tag, however since Q is not a
registered member, thus Q is not an authentic member of Group P. Q is a malicious user
who does not know the password.
To get authorization on the requested object, there are two conditions to be met. The
first condition is that the access is given only if nodes are proven authentic. This is achieved
using Theorem 8.3.1 above. The second condition is, once the node is proven authentic;
the access to information must match the access control policy.
Theorem 8.3.2. If Theorem 8.3.1 is achievable, this confirms that the member is authentic.
If the member is authenticated and the tag matches with access policy, then access to object
is obtained.
Proof. Let P be the tag, Q be the registered entity and R denotes the authenticated mem-
ber. Let O denotes the object and Pp denotes the policy.
Theorem 8.3.1 states that, if P is valid and Q is a registered member, then then Q is
authenticated, means Q = R is true. Theorem 8.3.2 states that, if Q is authenticated and P
matches the policy, Pp, then Q can access object. Theorem 8.3.2 depends on Theorem 8.3.1
and the access policy. This means that if Q, the authenticated entity and the legitimate
owner of the valid tag, matches the policy then Q will get an access to the object requested.
ii. Trust
In this protocol, trust property is obtained via the hierarchical public key infrastructure.
All MG is assumed trusted, and members re-registered with MG when they joined the
group. MG verifies the credential of registered members from their CA offline. Once their
credentials are verified, MG then created tag and password that matched the tag for the
registered member. By this way, a trust chain between MG and the registered members are
created.
iii. Confidentiality
Confidentiality ensures that no other nodes in the network can read the information
except the sender and the receiver. This means that entities that confirm to comply with
Theorem 8.3.1 and Theorem 8.3.2 are only given access to the object. Theorem 8.3.1 states
that if tag is valid and the member is registered, then entity is authenticated. Theorem 8.3.2
states that if the entity is authenticated and tag matched policy then access to information is
given. In this case, Mp has been proven valid via Theorem 8.3.1 and using theorem 8.3.2,
Mp has the authority to read the information. MG P encrypts the information using Mp’s
public key, which can only be decrypted by Mp’s secret key since only Mp has a pair of
key for encryption and decryption. Since the authentication and the authorization prop-
erties are achieved; and the information is encrypted using Mp’s public key therefore the
confidentiality properties are also achieved.
iv. Integrity and non-repudiation
Integrity property is related to making sure that the requested object that is sent between
MG P and Mp is not altered in transit. Non-repudiation is a security property that is to
confirm that only MG P has sent the object. Both properties are achieved using the signature
scheme with cryptographic hash function applied on the requested object. MG P uses a one
way hash function to create the hash value of object S (Os), h = h(Os). The one way hash
function ensures that it is hard to get the message given only the hash code.
MG P then signed the hash value and encrypts the object and the signature using Mp’s
public key. Mp decrypts the message using his secret key, sk, and uses MG P’s public key
to verify the signature on the object. Mp uses the cryptographic hash function to calculate
the hash value of object S, Os that is received from MG P. If the hash value sent by MG P
and the newly calculated hash values by Mp are matched, it is confirmed that the received
object is not altered and achieved the integrity property. To verify the signature S such as
S = h(Os)d (mod N) attached in the message, Mp uses the MG P’s public key on signature
and compute h = se (mod N). If h = h(Os) then Mp can prove that only MG P has the key
pairs to sign and create the signature on object. With this the non-repudiation properties is
achieved and MG P later cannot deny sending the requested object to Mp.
8.4 Delegation protocol
Delegation protocol in ERM is important as MG is a transient central authority (T-CA),

therefore before any T-CA collapse or step out from the network, a new T-CA is needed.
MG in ERM signs all the related documents in the group prior to the request and the sign-
ing operation, offline for information collected prior to the disaster online for information
collected during the disaster. The current MG delegate his role to new appointed MG to
make sure access to information is signed by a trusted MG. The concept of proxy signature
has been first introduced by Mambo et al. [25]. Various extensions of the basic proxy signa-
ture have been proposed by many researchers such as the work on threshold proxy signature
(Zhang [44], Hwang et al. [14], Liu et al. [21], Chang et al. [7], Shao [37]), nominative proxy
signature (Park et al. [28], Lee et al. [19], Tan et al. [39], Chuan-gui et al. [8]), one-time
proxy signatures (Kim et al. [17], M. Mehta et al. [22], Bicakci [3]), blind proxy signa-
ture (Lal et al. [18], Awasthi et al. [2], Park et al. [28]), designated-verifier proxy signature
(Wang [41]), proxy signature with warrants (Lal et al. [18], Das et al. [9]), identity-based ag-
gregate signature scheme (Wun-She Yap [42]) and anonymous proxy signature (Yong [43]).
Recently the use of proxy signature in an application can be found in distributed systems,
grid computing, and also in mobile communications (Boldyreva et al. [4]). This indicates
that many applications had gained benefits from using this scheme.
8.4.1 Delegation protocol using Proxy Signature scheme
The building block for the delegation protocol proposed in this work is based on work
by Das et al. [9]. The Das et al.’s scheme (Das scheme hereafter) is chosen since it easy to
implement and suits the requirement to work in ERM since the verification operation using
RSA is faster as compared to DSA (RSA lab [33], Paar et al. [27]) hence making it practical
to be used in ERM since nodes needs to verify the signature more frequent.
System settings:
Let O, the original signer generate RSA public key and secret key where the certified public
key of O is (eO , nO ) and the secret key is dO with nO is the product of two large safe primes.
Let P, the proxy signer which is a member of O has a certified public key (e p , n p ) and secret
key is d p and n p is the product of two large safe primes. The notation h(·) is a one-way
hash function and h(m1 || m2 ) is the message concatenation. The original signer creates a
warrant, mw and signed it using his secret key. A warrant mw consists of the delegation
information such as the identity of the original signer, proxy signer, the messages that the
proxy signer can sign on behalf of proxy signer etc. A proxy signer uses a warrant to create
a proxy key.
There are 4 phases involved in proxy delegation which are generation of a proxy key,
proxy key verification, signing using the proxy key and proxy signature verification.
Generation of proxy key. O creates a signature sO , by computing sO = h(mw || e p )dO mod
nO . O sends the pair signature sO and the warrant, mw , (sO , mw ) to the proxy signer, P over
a public channel.
e
Proxy key verification. Upon receiving (sO , mw ), P checks whether h(mw e p ) = sOO mod
nO . If this test holds, P accepts it as a valid proxy key.
Signing using the proxy key. To sign message m on behalf of O, P does the following:
Table 8.3 Notations and their descriptions

Notation Descriptions
MG that act as T-CA in the group.
A
A represent the original signer
The requestor in ERM. B can be own
B member or other group’s member or N.
B represent the verifier
The member of MG/T-CA
C
C is a proxy signer
The member of MG/T-CA
D
D represent a second proxy signer
i. Compute s p = (sO ⊕ h(m || mw || e p )dp mod n p , ⊕ is an XOR operation.

ii. The proxy signature of message m is (m, mw , s p , eO , e p ).
Proxy signature verification. V denotes that the verifier received the document sign by
P. To confirm the signature on m, V needs to verify whether h(mw || e p ) = (sep p mod n p ⊕
h(m || mw || e p ))eO mod nO . If this test holds, then B accepts it as a valid proxy signature on
message m.
Delegation Scenario
In the proposed work, the new T-CA is selected when current T-CA’s battery level reaches
50 percent of overall capacity. All related documents that belong to the groups will be
transferred to new T-CA, and new T-CA will be in operation once former T-CA released
his power. The broadcast delegation packet will be sent out by current T-CA once the
battery level reaching 90 percent of overall capacity. To illustrate the delegation protocol
in ERM using the proxy signature scheme, two cases are used. The first case involves the
delegation of original signer to the proxy signer and the verifier. The second case involves
a delegation from one proxy signer to another proxy signer and the verifier. In both cases,
it is assumed that the verifier is a trusted entity. To ease the understanding on the proposed
delegation protocol, notations in Table 8.3 is used.
Delegation protocol for case 1
Case 1: Original signer A, delegates signing capability to C, verified by B. Figure 8.7

shows the delegation for case 1. When B requests to share document or information denoted
Fig. 8.7 Delegation from original signer to proxy signer and verified by the verifier
as m1, it will be served by C, the proxy signer and C signs this document on behalf of A.
Therefore B needs to verify C as a valid proxy signer. There are two parts in the delegation
protocol. The first part is the delegation of signing capability from A to C. The second part
is the verification of proxy signer, C by the verifier, B.
First part
1. A create warrant (mw ). The information in mw contains the identification of A and C
such as their names, their public keys and delegation messages, Msg as shows in Figure 8.8.
Group ID in Figure 8.8 indicates A’s group. The original signer will only delegate signing
capability to his own group member. Delegation message, Msg contains the type of infor-
mation that C can sign on behalf of A. In the warrant, there is no information related to
duration of proxy signer since C is a mobile node which operates on battery. There is no
certain duration that C will serve as proxy signer. The longer C operates on signing the
documents on behalf of A, there is a huge possibility that the battery will degrade fast. Due
to these reasons, the delegation of proxy signer to another proxy signer is required in ERM
operated using MANET, which will be discussed in the next case. The original signer wills
only delegates sign capability to his own group member.
A’s name C’s name Group id (eA, nA) (eC, nC) Msg
Fig. 8.8 Information in warrant
2. To delegate, A needs to create a proxy key. Using the Das scheme, A executes a proxy
key generation by computing A = h(mw || eC)dA mod nA on the warrant, mw . A sends the
pair signature sA and the warrant, mw , (sA, mw ) to the proxy signer, C over a public channel.
3. C receives sA and the warrants, mw . C checks these information by computes the proxy
key verification scheme, h(mw || eC) = sAeA mod nA, using A’s public key. If h(mw || eC) =
sAeA mod nA match, C accepts this as valid proxy key.
4. When the battery level reaches 90 percents of it usage, as describe on the scenario above,
the original signer A, broadcasts a delegation packet which contains the following message
to the network.
{A delegate to C, its signing capability, C is the proxy signer of GF, C signs object related
to GF}
Second part
Second part of the delegation protocol is involved when there is a request to share the
information from member or new node, denoted as B.
5. B request document m1 from C. C generates the sign on m1 using proxy key by executing
the proxy signature generation phase in Das scheme. C does the following:
i. C compute: sC = sA ⊕ h(m1 || mw || eC)dC mod nC,

ii. C then sends the signed document, m1 to B.
6. To verify the signature on message m1, B executes the proxy signature verification
phase. B need to verify whether h(mw || eC) = (sC eC mod nC ⊕ h(m || mw || eC))eA mod nA.
If this verification succeeds, then B is convinced that the signature on m1 is valid.
Case 2: The proxy signer C delegates his signature to new proxy signer, D. MANET
comprises of many mobile nodes and these nodes have the power constraints. There is a
situation whereby the original signal will be inactive from the network and the delegated
proxy signer will become inactive as well. Therefore the first delegated proxy signer, C,
needs to delegate his signing capability to new selected proxy signer, D, before he steps
out. This is shown in Figure 8.9. In this figure, assume that A, the original signer, is not
active in the network and the first delegated proxy signer C, is almost reaching 50 percent
of battery usage and needs to delegate his signing capability to some other nodes so that
the new MG can sign the requested document during ERM which can be valid and can be
verified.
To allow this, a new delegation protocol is required whereby the first delegated proxy
signer delegates signing capability to another proxy signer. Similar to case 1, there are
two parts in this protocol. The first part shows that the first proxy signer, C, delegates the
Fig. 8.9 Proxy signature delegation – from C to D, verified by B
signing capability to a new proxy signer, D. The second part shows the requestor which is
also the verifier, B, requests to share information (object) from D, the new proxy signer.
System setup: Let C, the proxy signer generates RSA public key and secret key, where
C’s public key is (eC, nC) and his secret key is dC, and D, the second proxy and D’s public
key is (eD, nD) and his secret key is dD.
First part
1. C creates a signature sC on the warrant, mw2 that contains the information about C and
also D. The information in warrant is the identity of C and D such as their name and also
their public key. The mw2 also contains information, Msg which states that C delegates the
signing ability to D and the type of information that D is delegated to sign with. C notifies
that D is the new proxy signer. C concatenates the first warrant, mw1 , which he obtains
from A with the new warrant, mw2 that C created for D. All the fields in warrant are shown
in Figure 8.10.
A’s name C’s name G_ID (eA, nA) (eC, nC) Msg mw1
C’s name D’s name G_ID (eC, nC) (eD, nD) Msg mw2
Fig. 8.10 Information in warrant for node A and C

C then creates the proxy key by computing a signature, sC on (h(mw1 mw2 ed)dC mod
nC. C then sends, (sC, mw1 , mw2 ) to the new proxy signer, D over a public channel.
2. D, upon receiving (sC, mw1 , mw2 ) needs to verify that sC comes from C. D checks,
h (mw1 mw2 ed) = sCeC mod nC. D accepts sC as valid proxy key if this holds.
3. Similar to step 4 in case 1, the first proxy signer, C, broadcasts delegation packet, which
contains the following message, to the network when its battery level reaches 90 percents
usage.
{A delegates to C, C delegates to D, signing capability, D is the new proxy signer of GF}
Assumed now that, B upon receiving the broadcast packet needs to use some information
from Group F. B then sends request for document from D. B needs to verify D as the new
proxy signer.
Second part
1. To sign document y on behalf of C, D generates the proxy signature using C’s signature
with D’s secret key. D compute, sD = sC ⊕ h(y, mw1 mw2 ed)dD mod nD. D sends the
signature, sD and attach to message, y with warrant mw1 and mw2 to B.
2. B verifies sD by computing h(mw1 mw2 ed) = (sDed mod nD ⊕ h(y, mw1 mw2 ed))eC
mod nC. If correct then it is proven that the proxy signature is valid.
8.5 Conclusions
A solution based on Group Based Access Control (GBAC) is presented in this chapter.
In this model, the components of the security architecture namely access policy, trust man-
agement and cryptographic protocols are established. Trust between MG and its members
are created via the tags given during the registration process prior to network setup at the
rescue area. The GBAC model present protocol for secure access to information between
MG and members in the same group which known as Intra-access protocol. The protocol
is constructed using various cryptographic methods such as encryption, decryption, digi-
tal signature and hash function. Analyses using cryptographic and direct proofing method
are applied to the protocol. This is to ensure that the protocol for secure access meeting
the security properties such as trust, authentication, authorization, confidentiality, integrity
and non-repudiation. In order to ensure access is obtained via trusted authorities and since
MANET is operated based on batteries, delegation of MG’s role is presented in the GBAC
Bibliography 171
model. The delegation protocol is is constructed using proxy signature mechanism which
is based on Das scheme.
Acknowledgments
I would like to thank those who provided preprints or unpublished material that was
used in this article.
Bibliography
[1] Aschenbruck, N., Frank, M., Martini, P., & Tolle, J. (2004). Human Mobility in MANET Disas-
ter Area Simulation-A realistic Approach. Proceedings of the 29th Annual IEEE International
Conference on Local Computer Networks (LCN’04).
[2] Awasthi, A.K. & Lal, S.(2005). Proxy Blind Signature Scheme: Revised. Transaction on Cryp-
tology, vol. 2, no. 1, pp. 5–11
[3] Bicakci, K. (2006). One-time proxy signatures revisited. Computer Standards & Interfaces,
Elsevier, 29(4), 499–505.
[4] Boldyreva, A., Palacio, A., & Warinschi, B. (2003). Secure Proxy Signature Schemes for Dele-
gation of Signing Rights. Date of access: 20 Mei 2008, http://eprint.iacr.org/2003/096
[5] Buchmann, J.A. (2001). Introduction to Crytography: Springer-Verlag, New York Inc.
[6] Catarci, T., Leoni, M.d., Marrella, A., Mecella, M., Salvatore, B., Vetere, G., et al. (2008). Per-
vasive Software Enviornments for Supporting Disaster Responses. IEEE Internet Computing.
[7] Chang, Y.-F., & Chang, C.-C. (2007). An RSA-based (t, n) threshold proxy signature scheme
with freewill identities. Int. Journal Information and Computer Security 1(1/2).
[8] Chuan-gui, M., Feng-xiu, G., & Yan, W. (2005). A nominative multi-proxy signature scheme
based on ECC. Wuhan University Journal of Natural Sciences, 10(1).
[9] Das, M.L., Saxena, A., & Gulati, V.P. (2004). An Efficient Proxy Signature Scheme with Re-
vocation, Informatica, Vol. 15 (4), 455–464.
[10] Gossett, E. (2003). Discrete Mathematics with Proof. Prentice Hall-Pearson Education Inc.
[11] Graaf, M.D., Berg, H.V., J.Boucherie, R., Brouwer, F., Bruin, I.D., Elfrink, H., et al. (2007, June
12-15). Easy Wireless: Broadband ad-hoc networking for emergency services. Paper presented
at the The sixth Annual Mediterranean Ad Hoc Networking Workshop, Corfu, Greece.
[12] Hong, F., Yi, T., Zhao, H., & Xin, B. (2009). Developing Test system of Ad Hoc Network
for Emergency Communications. Paper presented at the 2009 World Congress on Computer
Science and Information engineering.
[13] Hristidis, V., Chen, S.-C., Li, T., Luis, S., & Deng, Y. (2010). Survey of Data Management and
Analysis in Disaster Situations. Journal of Systems and Software 83(10), 1701–1714.
[14] Hwang, M.-S., Lu, E. J.-L., & Lin, I.-C. (2003). A Practical (t, n) Threshold Proxy Signature
Scheme Based on the RSA Cryptosystem, Vol. 15(6), pp. 1552–1560.
[15] Jang, H.-C., Lien, Y.-N., & Tsai, T.-C. (2009). Rescue Information System for Earthquake
Disasters Based on MANET Emergency Communication Platform. Paper presented at the
IWCMC’09, Leipzig, Germany.
[16] Kanchanasut, K., Tunpan, A., Awal, M.A., Das, D.K., Wongsaardsakul, T., & Tsuchimoto,
Y. (2007). A Multimedia Communication System for Collaborative Emergency Response Op-
eration in Disaster-affected Areas. International Journal of Emergency Management 4(4), pp.
670–681.
[17] Kim, Y.-S., & Chang, J.H. (2007). New One-Time Proxy Signature Scheme based on DLP
using the Warrant. International Journal of Computer Science and Network Security, 7(2).
[18] Lal, S., & Awasthi, A.K. (2003). A scheme for obtaining a warrant message from the proxy
signatures. Crptology ePrint Archive, Report 2003. http://eprint.iacr.org/2003/073. Accessed
on 12 January 2010.
[19] Lee, S.-H. S. a. S.-H. (2003). New Nominative Proxy Signature Scheme for Mobile Communi-
cation. Proc. of SPI’2003, Security and Protection of Information, ISBN.
[20] Lien, Y.-N., Jang, H.-C., & Tsai, T.-C. (2009). Design of P2Pnet:An Autonomous P2P Ad-
hoc Group Communication System. Paper presented at the Tenth International Conference on
Mobile Data Management: Systems, Services and Middleware.
[21] Liu, W., Yang, J., & Wei, L. (2006). A Secure Threshold Proxy Signature Scheme for Mo-
bile Agent-Based Electronic Commerce Transactions. Paper presented at the Seventh Inter-
national Conference on Parallel and Distributed Computing, Applications and Technologies
(PDCAT’06), Taipei, Taiwan.
[22] Mehta, M., & Harn L. (2005). Efficient one-time proxy signatures. IEE Proc-Communication
152(2).
[23] Mahaputra, R.P., Abbasi, T.A., & Abbasi, M.S. (2010). A Propose Architecture of MANET for
Disaster Area Architecture. International Journal of Computer Theory and Engineering, 2(1),
1793–8201.
[24] Maki, S., Aura, T., & Hietalahti, M. (2000). Robust Membership Management for Ad-Hoc
Groups. Proceeding 5th Nordic Workshop on Secure IT Systems (NORDSEC 2000), Reyk-
javik, Iceland.
[25] Mambo, M., Usuda, K., & Okamoto, E. (1996). Proxy Signatures for Delegating Signing Op-
eration. Paper presented at the CCS’96 New Delhi, India.
[26] Memon A.Q., (2009). Implementing Role Based Access in HealthCare Ad Hoc networks. Jour-
nal of Networks, Vol. 4. No 3, pp. 192–199.
[27] Paar, C., Pelzi, J., & Becker, G. (2009). Understanding Cryptography – A Textbook for Students
and Practitioners. Chapter 10-Digital Signature, http://www.crypto-textbook.com., Accessed
on 13 January 2010.
[28] Park, J.-H., Kim, Y.-S., & Chang, J. H. (2007). A Proxy Blind Signature Scheme with Proxy
Revocation. Paper presented at the International Conference on Computational Intelligence and
Security Workshops.
[29] Plagemann, T., Andersson, J., Drugan, O., Goebel, V., Griwodz, C., Halvorsen, P., et al. (2005).
Middleware Services for Information Sharing in Mobile Ad-Hoc Networks-Challenges and Ap-
proach. In Brodband Satellite Communication System and the Challenge of Mobility, Springer,
Boston.
[30] Plagemann, T., Munthe-Kaas, E., S.Skjelsvik, K., Puzar, M., Goebel, V., Johansen, U., et al.
(2007). A Data Sharing Facility for Mobile Ad-Hoc Emergency and Rescue Applications. Paper
presented at the 27th International Conference on Distributed Computing System Workshops
(ICDCSW’07).
[31] Puzar, M., Plagemann, T., & Roudier, Y. (2008, January 30-February 2). Security and Privacy
Issues in Middleware for Emergency and Rescue Applications. Paper presented at the 2nd Inter-
national Conference on Pervasive Computing Technologies for Healthcare, Tampere, Findland.
[32] Puzar, M., Skjelsvik, K.S., Plagemann, T., & Munthe-Kaas, E. (2009). Information Sharing in
Mobile Ad-Hoc Networks: Evaluation of the MIDAS Data Space Prototype. Paper presented at
the 29th IEEE International Conference on Distributed Computing Workshops.
[33] RSA Lab. (2010). Cryptography. http://www.rsa.com/rsalabs/
[34] Epp, S. (1995). Discrete Mathematics with Applications (2ed.): International Thomson Pub-
lishing.
Bibliography 173
[35] Sandhu, R.S., J. Coyne, E., Feinstein, H.L., & Youman, C.E. (1996). Role-Based Access Con-
trol Models. IEEE Computer, 29(2), 38–47.
[36] Scalavino, E., Rusello, G., Ball, R., Gowadia, V., & C.Lupu, E. (2010, April 13-16). An Op-
portunistic Authority Evaluation Scheme for Data Security in Crisis Management Scenarions.
Paper presented at the ASIACCS’10, Beijing, China.
[37] Shao, Z. (2009). A Provably Secure Proxy Signature Scheme with multiple Threshold Values
Based on Elliptic Curve. Paper presented at the 2009 International Workshop on Information
Security and Application (IWISA 2009).
[38] Smart, N. (2003). Cryptography: An Introduction. McGraw-Hill Publication.
[39] Tan, Z.-W., & Lin, Z.-J. (2004). Nominative Proxy Signature Schemes. http://eprint.iacr.org.
Accessed on 12 January 2010.
[40] Tornqvist, E., Sigholm, J., & Nadjm-Tehrani, S. (2009). Hastily formed networks for disaster
response: Technical Heterogeneity and Virtual Pockets of Local Order. Proceedings of the 6th
International ISCRAM Conference, Gothenburg, Sweden.
[41] Wang, G. (2005). Designated-Verifier Proxy Signature Schemes. Paper presented at the 20th
International Information Security Conference (SEC 2005), Chiba, Japan.
[42] Wun-She Yap, S.-H. H. B.-M.G. (2008). On the Security of an Identity-Based Aggregate Signa-
ture Scheme. Paper presented at the 22nd International Conference on Advanced Information
Networking and Applications – Workshops, Okinawa, Japan.
[43] Yong Yu , C.X., Xinyi Huang , Yi Mu. (17 May 2008). An efficient anonymous proxy signature
scheme with provable security. Computer Standards & Interfaces 31 (2009) 348–353, Elsevier.
[44] Zhang, K. (1997). Threshold proxy signature scheme. Proceeding ISW ’97 Proceedings of the
First International Workshop on Information Security.
PART IV
Access Control and Mobile Payment in

Trustworthy UbiComp Environment
Chapter 9
A Lightweight Graph-Based Pattern Recognition

Scheme in Mobile Ad Hoc Networks
R.A. Raja Mahmood 1 , A.H. Muhamad Amin 2 , Amiza Amir 3 , Asad I. Khan 3
1Faculty of Computer Science and Information Technology, Universiti Putra Malaysia,
43400 Serdang Selangor, Malaysia
2 Computer & Information Sciences Department, Universiti Teknologi PETRONAS
Bandar Seri Iskandar, 31750 Tronoh Perak, Malaysia
3 Clayton School of Information Technology, Monash University Wellington Road,
Monash University, VIC 3800, Australia

E-mails: azlina@fsktm.upm.edu.my, ananghudaya@petronas.com.my,
{amiza.amir, asad.khan}@infotech.monash.edu.au
A lightweight, low-computation, distributed intrusion detection scheme termed the dis-

tributed hierarchical graph neuron (DHGN) was proposed to be incorporated into a coop-
erative intrusion detection system (IDS) in mobile ad hoc networks (MANETs). Its one-
cycle learning and divide-and-distribute recognition task approach allows DHGN to detect
similar patterns in short of time. An IDS of such properties is essential in the resource con-
strained MANETs environment. MANETs are distributed and self-configuring networks,
with limited resources and dynamic nodes. Their characteristics have made them highly
susceptible to many attacks and securing the networks a challenging task. This paper dis-
cusses the operations of the proposed three-stage cooperative IDS in detecting packet drop
attacks. The comparison study between DGHN and the iterative, highly computational
self organizing map (SOM) is also reviewed. Both algorithms show comparable detection
results. Thus, the lightweight, low computation DHGN-based detection scheme offers an
effective security solution in MANETs.
9.1 Introduction
Mobile ad hoc networks, also known as MANETs are one type of wireless networks
heavily studied these days. Due to their unique network characteristics, they are beneficial
to many application areas, ranging from the critical military to industrial and civilian. The
army tactical network, battlefield surveillance network, post-disaster emergency network,

environment and habitat monitoring system, machine health monitoring system and traffic
control system are some of the applications using these wireless networks. These networks
possess some unique characteristics and they are as follows:
• Distributed and self-configuring networks: MANETs are distributed networks, which

adopt peer-to-peer network architecture with no centralized administration. Every
node is to participate in the packets delivery process in the network but any node may
join or leave the network without interrupting the whole network performance;
• Autonomous terminal: each of the mobile nodes is autonomous, acts as a host and a
router. Each node is expected to forward packets for its neighbors when required;
• Dynamic topology: as nodes are to join or leave the networks at their own will and to
roam freely in MANETs, the network topology changes frequently and unpredictably
over time;
• Multi-hop routing: in order for nodes to cooperate to deliver packets from the source
to destination, each node is to employ multi-hop routing;
• Low computational capabilities: the mobile nodes are often hand-held battery-powered
devices, such as laptops or mobile radios with less powerful CPU and memory capa-
bilities;
• Low bandwidth: the 802.11b-based wireless nodes are often adopted in MANETs
mainly due to the availability of free spectrum and cheap interface hardware.
9.2 MANETs Security Threats
Their inherent wireless characteristics, multi-hop routing adoption, ad hoc nature and
battery-powered nodes have made them highly vulnerable to many attacks. However, in
order to deploy MANETs for tactical networks purposes, proper security mechanisms are
needed as it involves highly classified military data. Without such measurements in place,
the highly classified tactical networks can be sniffed, taken over or even collapse com-
pletely.
Deploying security measurements in MANETs is far challenging than in other net-
works. In particular, the gathering and assessing of the network activities is made more
difficult with the distributed and dynamic nature of the network. In addition, robust analy-
sis of the network activities cannot be done due to the low processing capabilities and low
energy resources of the mobile nodes. Thus, it is our aim to propose an efficient security
A Lightweight Graph-Based Pattern Recognition Scheme in Mobile Ad Hoc Networks 179
Table 9.1 Security attacks on MANET protocol stacks [1].

Layer Attacks
Application layer repudiation, data corruption
Transport layer session hijacking, SYN flooding
wormhole, blackhole, Byzantine, flooding, resource consumption,
Network layer
location disclosure attacks
Link layer traffic analysis, monitoring, disruption MAC, WEP weakness
Physical layer jamming, interceptions, eavesdropping
Multi-layer DoS, impersonation, replay, man-in-the-middle
measurement, while taking into the consideration of the networks limitations. The next
subsections discuss some of MANETs attacks.
9.2.1 Attacks in MANETs
Attacks in MANETs, as depicted in Table 9.1, are classified into active and passive
attacks. The passive attacks include monitoring, eavesdropping and location disclosure
attacks, while others are active attacks.
The attackers are known by few names, namely malicious, selfish and misbehaving
nodes. In general, the nodes that attack with the intention of bringing down the network,
such as performing denial of service (DoS) attack are called malicious nodes. Whereas
selfish nodes are those that optimize their own gain and neglect the welfare of other nodes,
such as by dropping other nodes’ packets in order to conserve their own energy. These
nodes are sometimes called misbehaving nodes, as they are not being cooperative or do not
follow the protocols specifications.
Network layer or routing attacks are the current attack trends been heavily studied by
many [2–12]. Among ad hoc routing protocols, the reactive Ad Hoc On-Demand Dis-
tance Vector (AODV) [13] and Dynamic Source Routing (DSR) [14] protocols are the most
widely deployed. In response to any link breakage or changes in the network topology,
the protocols perform route discovery to quickly find optimal routes. The source node
floods the network with control messages known as Route Request (RREQ) and expects a
Route Reply (RREP) packet in return. In AODV, the intermediate nodes with the best path
value to the destination node will response to the source node. Figure 9.1 briefly illustrates
the route discovery process in AODV. In DSR, only the destination node returns a RREP
message containing a list of the best path from the source to the destination. One metric
often used to define the best source-to-destination path is the one that has the lowest delay
value. Hence, each packet contains an ordered list of address through which the packets
should pass to get to the destination node. DSR is costly due to the high overhead as each
packet must carry the complete path to its destination in its packet header. However, unlike
AODV, the source routing method avoids the need to keep up-to-date routing information
in the intermediate nodes.

Fig. 9.1 An AODV discovery process illustration. Node Src generates a RREQ message and broad-
casts it to its neighbours; A, C, and D. The RREQ contains the last known destination sequence
number, the Dst sequence number. The destination sequence number is an important attribute in
RREQ that determines the freshness of a particular route. Thus, if any of the neighbouring nodes
has a fresh enough route to Dst, it will send a RREP message to Src. On the contrary, in case where
it does not have a fresh enough route to Dst, it will forward the RREQ packet to its neighbors, and
this activity is repeated until the packet reaches Dst. When Dst receives the RREQ packet, it sends
a RREQP packet to Src. When node Src receives the RREP, a route is established. In case where
Src receives multiple RREP messages, it will select the message with the largest destination sequence
number value.
In the next section, we provide an overview of some known routing attacks, in particular
those that have been launched against reactive routing protocols. These attacks result into
the adversary to have full control and able to perform arbitrary activities to disrupt the
whole network operation.
9.2.2 Wormhole Attack
In this type of attack, two attackers collude by tunneling packets between each other
in order to create a shortcut or known as wormhole in the network. Figure 9.2 illustrates a
wormhole attack. Nodes A1 and A2 are two colluding attackers with node S is the target to
be attacked. During the attack, when source node S broadcasts a request to find a route to
a destination node D, its neighbors C and E forward this request as usual. However, node
A1, which received the request which was forwarded by node C, records and tunnels the
request to its colluding partner A2. Then, node A2 rebroadcasts this request to its neighbor
H. Since this request normally passes through a high speed channel, it will reach node D
first. Therefore, node D will choose route D → H → C → S to send a reply to the source
node S. S will select route S → C → H → D and a forged route is established. Consequently,
S will send its data through attackers A1 and A2. This attack can be used as the first step
to the man-in-middle attack, where the malicious node may monitor, delay, delete or even
manipulate the data packets.
Fig. 9.2 An illustration of wormhole attack [1]. A1 and A2 are the colluding attackers that able to
create a tunnel, a forged route for target S.
9.2.3 Black hole or Packet Drop or Sequence Number Attack
This attack is easily implemented in AODV during the route discovery process. In this
attack, a malicious node advertises itself as having the shortest path to the destination node.
The attacker forges its destination sequence number by having a relatively high destina-
tion sequence number, thus pretending to have the fresh enough route to destination. This
node will then be in favored against others and once the forged route has been established,
it becomes a member of the active route and intercepts the communicating packets. The
attacker can then drop selected or all of the incoming packets routed through itself and cre-
ates a black hole. Besides black hole attack, this attack is also known as packet drop as well
as sequence number attack [9]. This type of attack is one form of denial-of-service attack.
Moreover, this attack can be used as the first step to the man-in-middle attack, where the
malicious node may monitor, delay, delete or manipulate the data packets.
9.2.4 Routing Disruption Attack
This attack is implemented in DSR. In this attack, the attacker generates falsified,
randomly-constructed reply or RREP packets and disseminates them in the network [10].
Such falsified routing information can prevent the source node from establishing a correct
path to the destination during the route discovery process. It disrupts the routing logic in
the network and similar to previously discussed AODV packet dropping attack, the mali-
cious node is capable of dropping, monitoring, delaying, deleting or manipulating the data
packets.
9.2.5 Flooding or Resource Consumption Attack
In AODV protocol, a malicious node can send a large number of request or RREQ
messages with a non-existent destination node address [2]. Being cooperative and oblivious
of the malicious intent, the neighboring nodes then process and forward these falsified
packets. Ultimately, these huge numbers of request messages will be propagated to the
whole network and flood the whole network. As a result, nodes’ resources, such as battery
life and network’s resources such as the bandwidth are consumed unnecessarily to process
these packets. Thus, besides flooding, this attack is also known as a resource consumption
attack. This attack may cause severe degradation of the network performance and lead to
denial-of-service eventually.
9.2.6 Dropping Routing Traffic Attack
Due to limited battery lifetime and limited processing capabilities, some nodes may
decide not to participate in the routing process in order to conserve their own energy.
These nodes also known as selfish nodes, that only process routing packets related to them-
selves [8]. Upon receiving routing packets that are not destined for them, these selfish nodes
deliberately drop them. This causes a network segmentation situation, in which some par-
ticipating nodes that are only connected through the selfish node then become unreachable
and isolated from the rest of the network. This behavior somehow creates network insta-
bility.
9.3 Intrusion Detection System in MANETs
Due to the numerous vulnerabilities in MANETs, a number of security mechanisms,

both prevention and detection methods have been proposed. Our research focuses on the
intrusion detection method. We propose an advanced intrusion detection system (IDS) that
employs a lightweight graph-based detection scheme.
IDS is a defence mechanism that detects malicious activities in a computer system
(called the host-based IDS) or/and network system (called the network-based IDS). Typ-
ically, there are three modules in an IDS; information collector, analyser and response
modules. There are three detection approaches, namely misused-based, anomaly-based
and specification-based. The misuse or signature-based detection systems only recognize
known attacks by matching the observed data with the known attacks signatures. The
anomaly-based detection systems assume that attacks cause deviation from the normal be-
haviors. The attacks are detected by comparing actual activities with known correct be-
haviors. The specification-based systems use a formal specification to describe the correct
system behavior. Attacks are detected by comparing the actual activities with the predefined
formal specification. Hybrid approach such as the specification-based anomaly detection
technique has also been proposed [15].
Implementing IDS in MANET poses some challenges, mainly due to the fact that the
network is decentralised and distributed. The traditional IDS in wired networks is deployed
at the gateway such as centralised firewall, to collect and analyse the audit data of the
networks. The infrastructure-less MANET however lacks of a single point of administrative
point, the gateway. Thus IDS needs to be deployed in many points in the networks in order
to have a complete and global audit data as each of these IDS works only with localized
and partial audit data.
Another challenge is to distinguish between normal and malicious activities due to the
networks dynamic nature. False routing information could originate from either legitimate
or malicious node. That is because a legitimate node with volatile physical conditions
may have stale routing information which is also considered as false routing information
and could be mistakenly identified as being malicious. Due to MANET highly dynamic
network condition, the global view of this network becomes quickly outdated and hence a
real-time detection system is required.
The limitation in computational power and memory of the mobile nodes prohibits the
deployment of robust and highly efficient detection scheme, which normally requires high
computation. The limited bandwidth within the networks calls for a detection system in-
frastructure with minimal communication overhead. In the next section, we provide an

overview of the existing intrusion detection architectures and schemes in MANETs.
9.3.1 Intrusion Detection System Architectures
Different MANET applications require different level of security and in general, three
IDS architectures provide different level of security. The first architecture is the stand-alone
IDS, which each host in the network detects attacks independently. There is no coopera-
tion among nodes and all decision is based on individual nodes. This type of architecture
may not be effective but is adopted in an environment where bandwidth is very limited
and accuracy is not the priority. The second is the distributed and cooperative IDS, which
each node is an IDS that does local detection. All the nodes then participate in a global
detection-making. This is more effective than the previous architecture, and suitable for
a flat and purely distributed networks [16]. The final architecture, called the Hierarchical
IDS, is designed for multi-layer MANETs to provide some sort of centralized authority
mechanisms [17, 18]. Such architecture well suits an organizational army chain of com-
mand. The authority mechanism, known by different names such as cluster head or gateway
or critical node, manages the centralized routing as well as IDS for all nodes in its cluster.
In general, different application may adopt different type of IDS architecture depending on
its security requirements.
9.3.2 Intrusion Detection Decision Making
Based on the architectures discussed earlier, there are two possible types of decision-
making, namely the collaborative decision-making and independent decision-making.
In the collaborative decision-making approach, each node participates actively in the
intrusion detection process. Once a node detects an intrusion with high enough confidence,
this node can start responding to the intrusion. Zhang and Lee implemented this decision
making approach and used majority-voting scheme is used to determine attacks occur-
rences [19]. This approach however has its security weak points including susceptible to
denial of service attacks and spoofed intrusion [20]. In the independent decision-making
approach, only certain nodes are assigned to detect possible intrusions. These privileged
nodes collect the intrusion alerts from other nodes and determine whether any node in the
network is under attack. These nodes do not need other nodes’ participation in its decision-
making process. However, collecting a large amount of data from other nodes, in making an
effective decision, is very expensive in MANETs, due to its limited bandwidth resources.
9.3.3 Existing Intrusion Detection System Solutions
This section compares and elaborates some of the different IDS implementations in
MANETs in recent years. One of the early works on intrusion detection in MANETs is
by Albers and Camp [21]. They proposed the stand-alone architecture, whereby each node
runs independent IDS. Each node detects intrusion locally and uses external data to verify
the detection result. They proposed the use of mobile agents for the nodes to communicate
and collaborate among themselves. They claimed there are two-fold advantages for using
mobile agents. Firstly, additional functionality can be easily incorporated into the mobile
agents. Secondly, it can reduce the network traffic. Such approach however incurs high
computational complexity especially in creating and managing all the detection agents [22].
Zhang, Lee and Huang were among the early researchers who implemented a dis-
tributed and cooperative detection architecture [23]. They proposed an anomaly-based de-
tection deploying both local and collaborative decision-making approaches. Each agent
carries out an independent detection activity and all of these agents then collaborate in
making a decision. Every node monitors its local activities and if it detects a local intrusion
with strong evidence, it initiates an alarm response. However, if the evidence is not strong
enough then this agent initiates a collaborate procedure, called the distributed consensus
algorithm, and an investigation in a wider area of the network is then performed.
Kachirski and Guha implement a hierarchical IDS architecture that performs detection
at multiple levels [20]. Clusters are formed and each cluster head monitors and gathers
activities information of nodes within its cluster before independently decides based on
the information. Utilizing only cluster heads to perform detection limits this considerably
expensive monitoring and high computation classifying activities to few selected nodes. An
anomaly-based detection technique is adopted in this work and mobile agents are proposed
for the communications among nodes. Adopting mobile agents can reduce network traffic
but they themselves can be the primary attacks targets [24]. Follow suit the work of [20],
Huang et al. also proposed similar architecture [25]. They however have able to improve
the detection rate and reduce the false alarm rate, by adopting a data mining approach for its
detection scheme. Moreover, instead of using mobile agents, they proposed using network
messages to communicate among the nodes.
Another hierarchical-based IDS architecture known as the Zone-Based IDS implements
an anomaly-based detection and uses collaboration mechanism [26]. The network is divided
into few logical zones with each zone has a gateway node and individual nodes. Each of
these individual nodes detects intrusion activities individually. Once an individual node de-
tects intrusion, it generates an alert message. Gateway node aggregates and correlates the
alerts generated by the individual nodes in its zone, and initiates alarms. Markov Chain al-
gorithm has been used in the anomaly-based detection process and hence has significantly
improved the detection rate and reduced the false alarm rate. However, the zone establish-
ment protocol and communication protocol between nodes during the detection process are
complicated and require significant amount of resources [22].
9.3.4 Intrusion Detection Schemes
Data mining, one popular pattern recognition scheme, has been widely adopted in de-
tecting intrusions due to its high detection rate and low false alarm rate. Although such
approach is known to incur high computational cost to deploy, the advancement in high
performance computing in wired networks makes this an insignificant, negligible problem.
Kohonen self-organizing map (SOM) and evolutionary-based artificial immune system
(AIS) are among the widely used data-mining-based intrusion detection schemes [27–34].
SOM is a feed-forward neural network that has the ability to learn the characteristics of
similar items and group them into different classes or clusters [35]. It maps similar input
values onto closely neighboring neurons in a predefined number of iteration. SOM consists
of two layers: the input layer and the Kohonen layer (refer to Figure 9.3), with both layers
fully interconnected. The input vector xi and the weight vector wi have the same number
of dimensions, based on the number of variables in the data set under consideration.
Fig. 9.3 An illustration of Kohonen SOM with Kohonen feature map. Both input layer and Kohonen
map layer are interconnected.
In the first step, all weight vectors of the Kohonen layer are initialized with random val-
ues. In each iteration, a single input neuron is randomly selected and the distance between
this neuron and each neuron in the Kohonen layer is then calculated. Euclidean distance
metric is usually used for this purpose. The Kohonen neuron with the least Euclidean dis-
tance to the selected input neuron, that is the closest to the selected input neuron, is chosen
as the winner neuron or Best Matching Unit (BMU). Its weight vector is then moved to-
wards the weight vector of the selected input neuron using the following formula for time k:
wi (k + 1) = wi (k) + α ∗C ∗ (xi − wi (k)) (9.1)
C = e(−de /2∗σ
2 2)
(9.2)
The coefficient C describes the size of the neighborhood around the winning neuron in
Kohonen layer. Parameters α and σ are monotonically decreasing during the training,
leading to convergence of the Kohonen layer. This process is iterated until a predefined
number of cycles until a stable state is reached. By doing so, SOM is able to preserve the
original topological relationship among the objects in the input data set.
AIS are computational systems inspired by the principles and processes of the biolog-
ical immune system. The biological immune system is a highly parallel, distributed, and
adaptive system. It uses learning, memory, and associative retrieval to solve recognition
and classification tasks. In particular, it learns to recognize relevant patterns, remember
patterns that have been seen previously, and use combinatorics to construct pattern detec-
tors efficiently. In general, the immune inspired algorithms can be classified into three
categories: negative selection, clonal selection and gene library evolution.
The negative selection model has been widely adopted as the method of generation
a population of detectors in building IDSes [31, 32]. The purpose of negative selection
process performed by human immune system is to eliminate the immature detectors which
bind to self cells. This training is taken place in the thymus. All the B-cells will be screened
out to eliminate the detectors that mistakenly detect self cell as an invader. The detectors
which pass the test, are released to roam the body and fight against invading pathogens.
Below is the outline of the negative selection algorithm.
1. Define self (normal traffic)
2. Generate detectors
3. Perform training
For each detector, match the against self
if they match (complement)
eliminate the detectors
else
the detector becomes mature

4. The mature detectors will monitor the occurrence of anomaly..
SOM and AIS-based intrusion detection systems have been successfully deployed in
wired networks for years. Thus, few have employed such approaches in MANETs [36–40].
Although they have been proven robust and efficient classification techniques, they are
computationally expensive to deploy. In particular, SOM requires thousands of iterations
to be performed, while AIS requires many detectors to be installed per node in order to ob-
tain such highly accurate detection results. Hence, they are impractical to be adopted in the
resource-constrained mobile ad hoc networks. Utilizing the nodes scarce resources for such
time consuming and resource intensive detection task can be overwhelming. The limited
resources should be conserved for nodes to perform routing for others as well as stay alive.
Thus, we have proposed a low computation, lightweight detection scheme within MANETs
that is also capable of providing accurate intrusion analysis, namely the distributed hierar-
chical graph neuron.
9.4 Distributed Hierarchical Graph Neuron
9.4.1 Graph Neuron Theory
Graph Neuron (GN) is a new form of neural network with its structure and data rep-
resentations are analogous to a directed graph [41]. In particular, this network consists of
processing nodes with each node holds a {value, position} pair information and the network
represents all possible data points in the reference pattern space.
GN networks are represented in a 2-dimensional array formation, with the rows repre-
sent the possible elements in the pattern and columns represent the positions of the element.
Figure 9.4 shows a 2-dimensional GN graph-based structure for a given input pattern AB-
BAB. Each GN acts as a vertex that holds pattern element information and the adjacency
communication between two or more GNs is represented by the edge of a graph. GN
array compares the edges of the graph with the subsequent inputs for memorization (sig-
nifies a new input pattern) or recall (signifies an old pattern). The emphasis of GN is such
that it would be able to carry out parallel in-network processing as compared to the other
recognition algorithms that mainly implementing CPU-sequential processing in their ap-
proaches [42]. This allows GN to perform fast recognition regardless of the size of input
patterns. Moreover, message communications in GN network are restricted only to the
adjacent nodes, hence there is no increase in the communication overheads with corre-
sponding to increases in the number of nodes in the network.
The GN recognition process is discussed. An input pattern is defined as a stimulus or a
signal spike produced within the network. In Figure 9.4, each GN can analyze a value (‘A’
or ‘B’) of a pattern comprising of a string of these values. All GNs in the same column
would receive the same value, however, only GN with matching value in the row would
respond. If the pattern is ABBAB, then both GNs in the second column will receive B, but
only the matched GN, in this case GN on the top row would respond to this input value. The
activated GN then sends a report to all GNs in the adjacent columns. The report contains
the activated GN’s column and row indices information, that is a pair value p(left, right),
represents the activated row index reported from the left side and the activated row index
reported from the right side of this GN. Following the example in Figure 9.4, the GN in
column 2, row 2 would produce p(1, 2), the GN in column 4, row 1 would produce p(2, 2)
and the GN in column 5, row 2 would produce p(1, 0). The value 0 indicates there is no
column on this side of the GN. Each received pair value p(left, right) is analyzed by the
GN and if the pair value has already been recorded, then the activated GN would raise a
recall, otherwise it will record the new pair value in a table. Each unique recorded pair in
a GN is referred to as a bias entry and the table of which these pairs are stored is known
as the bias entry. Each GN would hold a single bias array containing all the bias entries
obtained in the recognition processes.
Fig. 9.4 An illustration of GN network. The network is of 5-bit input pattern size with input values
of A and B, and in this case, the input pattern is ABBAB.
In graph-matching representation, pattern recognition involving GN network imple-

ments graph comparison approach by treating each pattern as a graph with each element
within a pattern as a vertex and the position between elements as an edge. Consider the
following example: Given two patterns Pin and Pst , pattern Pin is said to match pattern Pst
where the following conditions are met:
(i) Number of vertices, Vin is equivalent to the number of vertices V st, i.e. |Vin | = |Vst |.
(ii) Number of edges, Ein is equivalent to the number of edges Est, i.e. |Ein | = |Est |.
(iii) Bias entry, b ∈ Bin for each vertex v ∈ Vin is a subset of bias array Bst for each vertex
v ∈ Vst , i.e. b ∈ Bst .

Fig. 9.5 An illustration of crosstalk phenomenon that occurs due to GN limited view of the network.
Since all of the subpatterns of the input pattern 3 has been recognized in previous patterns, i.e. input
pattern 1 and input pattern 2, thus GN network assumes it has seen input pattern 3 as well.
GN however suffers from crosstalk phenomenon due to its limited perspective of the
patterns [43]. Suppose that there is a GN network which can allocate 6 possible element
values, e.g. u, v, w, x, y, and z, for a 5-element pattern. A pattern uvwxz, followed by zvwxy
is introduced. These two patterns would be stored by the GN array. Next, we introduce the
pattern uvwxy, which then produces a false recall due to its inability to obtain an overview
of the pattern’s composition. After 2 input patterns are presented to GN network, segments
uv, uvw, vwx, wxy, xy are stored. Input pattern 3 though different from the two previous
input patterns, however contains all the segments of the previously stored patterns. Thus,
GN network assumes it has seen this input pattern, which is incorrect. Figure 9.5 simplifies
this example in graphical representation.
9.4.2 Hierarchical Graph Neuron
To solve such crosstalk problem, the capability of “perceiving neighbors” on each GN

needs to be expanded. Each GN must be able to monitor the condition of not just the
adjacent columns but also the ones further away. Hierarchical Graph Neuron (HGN) was
then developed to provide this bird’s eye view of the overall pattern structure and thus
eliminates the possibility of false recalls in the recognition process [43]. Figure 9.6 shows
the hierarchical layout for a GN array. By having higher layers or levels of GN neurons,
the entire pattern information can be captured.
Fig. 9.6 An illustration of Hierarchical Graph Neuron (HGN) network with binary pattern of size 7
bits.
HGN implementation also follows similar GN approach. In addition to this, HGN also
has a requirement for the size of patterns. Patterns used in HGN recognition scheme must
be in odd-size length format. This requirement is to cater for hierarchical structure of HGN
network with the top neuron overseeing the overall pattern structure. Thus, any pattern
with even-size length should add a ‘dummy’ value at the end of the pattern, as to form an
odd-size pattern length.
HGN pattern recognition procedure involves a number of stages that include recogni-
tion at every layer within the hierarchical structure. The communication paths within the
HGN layers are similar to the traditional GN. The HGN communications propagate from
the base layer GNs to the top GN, and consequently, from the top GN to the base layer
GNs.
The HGN communications occur in the following procedure [43]. Each GN at the base
layer receives an input pattern from an external entity, which is known as the Stimulator and
Interpreter (SI) module. Each GN that receives an input is called an active GN. Active GN
at the base layer would send its p(column, row) pair to all the adjacent GNs, acknowledging
that it has been activated. The p(column, row) pairs make up the GN’s bias array entry for
the current input pattern for all GNs at the base layer. In the end, each neuron would
have received two pairs from its adjacent neurons, with the exception of the neurons on
the edges, which will receive a single pair. Each active GN must then calculate its bias
index. If the incoming pair combination is found in its bias array, then the index of the
entry would be noted. Otherwise a new index would be generated to store and reference
the pattern. Each active GN would then send its index value to its corresponding higher
layer GN within the same column, except for the GNs on the edges. This process continues
until the top most layer has been reached. The top layer GNs decide whether the input is to
be treated as a new pattern and stored or it is a previously known pattern which needs to be
recalled. A new index value is propagated downwards for a stored pattern and an existing
index value is propagated downwards for a recalled pattern.
In relation to the HGN recognition procedure, GN’s bias array structure within the hi-
erarchical composition also follows the bias array formation in GN network. Nevertheless,
a modification has been made to cater the functionality of higher layer GNs to conduct
recognition based upon the results of adjacency comparison made at lower layer GNs. The
followings are bias entry conditions for GNs within any HGN network:
(i) For GNs at the base layer, their bias entry takes the form of {left, right}, where left and
right represent the row number of left-adjacent and right-adjacent neuron respectively.
(ii) For GNs at the middle layer, their bias entry takes the form of {left-index, lower-
index, right-index}, where left-, lower-, and right- indices represent indices obtained
from its left, lower (within the same column), and right GNs respectively.
(iii) The bias entry structure of top layer GNs is in the form of {lower-index}, which is
the index obtained from its lower layer GN (within the same column).
9.4.3 Distributed Hierarchical Graph Neuron
HGN pattern recognition scheme has the capability to perform highly-accurate analysis
on patterns using in-network processing approach. However, the number of neurons gen-
erated in HGN implementation increases quadratically with an increase in the size of the
pattern [44]. Thus, a different arrangement of HGN composition is proposed, that could
be distributed across physical network with low interdependency among hosts and low re-
quirement for the number of GN within its structure [45].
HGN with distributed approach implements divide-and-distribute techniques by divid-
ing pattern into subpatterns, and delegating these subpatterns to each available host that
carries out recognition procedure using HGN sub-composition. Distributed HGN essen-
tially extends the original HGN infrastructure wherein its composition is decomposed into
several sub-compositions. However, this is different from the previous approach, in which
the whole HGN structure is decomposed and delegated to available hosts. Distributed HGN
decomposes HGN network by creating smaller subnetworks, each acting as an actual HGN
network that performs recognition on subpatterns. Instead of using the whole patterns as
inputs, each pattern is segmented into smaller parts and each of the pattern segments acts
as an input to the respective HGN sub-network composition (refer Figure 9.7).
Fig. 9.7 An illustration of distributed hierarchical graph neuron (HGN) network. An input pattern
of size 35 bits has been decomposed into 7 subpatterns of size 5 bits. Each of the subpattern is process
cocurrently.
An important consideration in proposing this approach is that the distribution of large

HGN network into smaller HGN subnets allows each subnet to be assigned to a specific
host within a physical network. Having a smaller composition on each host will provide a
two-fold advantage [46]:
(i) Smaller capacity of memory space to be allocated for each HGN subnet, due to small
HGN structure
(ii) Reducing communication costs for inter-GN communications, while only maintain-
ing inter-HGN communications
Within each host, HGN subnet is structured as an executable code and each GN is repre-
sented as an associative data structure in a block of memory space for storing and recalling
patterns. The communications between GNs could be achieved either using a sequential or
parallel processing approach, via message passing infrastructure such as Message Passing
Interface (MPI). Each GN could also be represented as a processing unit in a multi-core
processor machine.
9.5 Three-Stage Cooperative Intrusion Detection System using DHGN
We propose a three-stage cooperative IDS using distributed HGN in detecting a dis-

tributed denial of service (DDoS) attack, in particular packet dropping attack, in MANETs.
As described earlier, the attacker deliberately drops every packet or selected packets for-
warded to it and thus creating a blackhole in the network.
There are few assumptions made in this proposed implementation, and they are as fol-
lows: (1) there is an initialisation stage, which normal network condition or attack-free
network pattern is obtained and defined during this stage, (2) the network employs reactive
AODV routing protocol, in which the source node floods network with request message
in finding the fresh enough route to the destination node, (3) each node manages its own
traffic flow, that is either to forward or drop the incoming packets, and (4) the attack detec-
tion process occurs at every pre-defined interval, with a snapshot of the overall network’s
pattern is assessed during that particular interval.
There are four major components in the proposed system: (1) local detectors (LDs),
each node is a local detector that analyzes the local state or local traffic patterns, (2) global
detectors (GDs) are few selected nodes, i.e. nodes with relatively high resources within
each transmission range. They generate views of attacks within their subnetworks by ana-
lyzing the information on the status of various LDs using DHGN, (3) master node, a trusted
node that is responsible to generate global views of attacks in the whole network and also
holds the attack-free network pattern reference in its database, and (4) status-aggregating
system (SAS) uses an advertisement approach for GDs to aggregate the status from every
LDs within their respective subnets.
Assume we have MANET network of 13 nodes labelled from A to M as shown in
Figure 9.8. There are a total of 4 subnetworks, also known as subnets within the network.
A subnet is represented by one wireless transmission range. Nodes may overlap between
two subnets, i.e. D, F and I. The detection is described in the following section.
Fig. 9.8 An illustration of physical MANET layout. There are 4 subnets or wireless transmission
ranges with a total of 13 nodes. Nodes D, F and I are nodes that reside in two transmission ranges,
known as the overlapping nodes.
9.5.1 Three-Stage Attack Recognition Process
The first stage involves each LD to monitor its local traffic pattern. In identifying
a packet dropping attack, LD only monitors and examines few selected traffic attributes,
namely the incoming, outgoing and forwarding packet counts in each node. In particular,
the packet delivery percentage of each LD is calculated, i.e. ratio of the number of outgoing
packets and the number of incoming packets. The LD uses a binary classifier in analyzing
this packet delivery percentage. Alert is raised if a configured threshold that has been
defined during the initialization stage is crossed.
The second stage involves the GDs to aggregate the status of their respective LDs and
analyse the traffic patterns in their subnets. For each transmission range, at least one node
is selected as GD, based on certain criterias namely being secure, with high resources and
with low mobility. The LDs and GDs communicate using the SAS. Upon been selected
as GDs, they advertise themselves to their subnets at regular interval. In response, the
respective LDs send in their status value. With the aggregated status information in hand
(in binary form), the GDs then perform HGN concurrently.
For discussion purpose we assume the maximum number of nodes for the network is
13. This is important as it determines the input size pattern for the HGN structure. With its
own processing neurons, each GD has its own HGN structure as shown in Figure 9.9. We
assume that node B has been selected as the GD for subnet 1, node D has been selected as
the GD for subnet 2, node H has been selected as the GD for subnet 3 and node M has been
selected as the GD for subnet 4.
Fig. 9.9 An illustration of logical layout of distributed hierarchical graph neuron (HGN) network.
Global detector for each subnet performs the HGN concurrently, with a pattern index produced by
each top neuron.
The GN node in the HGN structure has a binary value. The value 0 indicates the packet
delivery percentage for the respective node is within the acceptable value, whereas value
1 indicates otherwise, that is possible packet dropping attacker. The GN value for nodes
that are not within the respective subnet has been assigned to 0, and thus negligible. Thus,
input pattern of value 1111000000000 for HGN structure 1 means that all nodes A, B, C
and D raise concerns while other nodes’ network traffics are normal. Input pattern of value
0001010000000 for HGN structure 2 means that only nodes D and F raise alerts while other
nodes’ traffic are normal.
The third stage involves each GD to communicate its top-neuron index information to
a trusted decision-making module, known as the master node. The selection of the master
node is critical as it holds the reference pattern of attack-free network, and thus may involve
a large database. Having long battery life, high processing power and secure are some
of the properties required for master node, and hence GDs are the potential candidates.
Assume at this point, node H has been appointed as a master node. In HGN terminology,
the master node is also known as the SI. Alternatively, several master nodes can also be
selected for redundancy purpose, that is to avoid a single point of failure in the network,
should the master node dies off. This however results in high communication overheads in
the network, due to the communication cost between all GDs and few master nodes, instead
of between all GDs and only one master node.
Assume, at interval ti , the top neuron of GD B produces index ‘1’, GD D produces
index ‘3’, GD H produces index ‘2’ and GD M produces index ‘1’, concurrently.ăIn other
words, this list of index has been produced by the distributed HGN structure. This list of
index ‘1321’ is then communicated to the master node; indicates the global traffic pattern
of the network. The master node then compares the obtained list of index with the list of
attack-free pattern index in its bias array in determining the DDoS attack presence.
One of the main concerns of this implementation is that malicious node may not raise
any alert even though it has crossed the threshold value, in order to save oneself from
being detected. Hence alternatively, GDs may operate on promiscuous mode, thus they are
able to overhear the traffic activities of all the nodes within their observable radio range or
subnets. In doing so, the GDs then must have high resources. This approach also reduces
the communication overhead between the LDs and GDs, as LDs are no longer required to
forward their alerts to their respective GDs.
9.5.2 Challenges in Implementing DHGN in DDoS Detection
In implementing distributed HGN in detecting DDOS attack in MANETs, there are few
issues to be addressed:
• the highly volatile nature of the network produces different threshold value for dif-
ferent situation. For example, within high mobility network, 20% of total number of
dropped packets in network may be considered as normal whereas in a low mobility
environment, 10% of total number of dropped packets in network raises a concern.
Our implementation assumes the SI or master node contains trained attack-free pattern
for specific condition, such as specific for low mobility or specific for high mobility
environment. Thus the SI needs to be retrained if the network environment changes;
• the input pattern size needs to be determined beforehand in order to create a HGN
structure. In this case, the input pattern size is the total number of mobile nodes within
the network. However with the dynamicity of the network topology, the total number
of nodes may vary. Thus, we assume during the initialization stage, the maximum
number of nodes within the network has been set. Thus, no node is allowed to join
after the network has reached its maximum number of node count;
• the pattern size in SI’s bias array is proportional to the number of subnets within the
network. Thus, we have to set the maximum number of allowed subnets during the
initialization stage as well. Index list produced by the distributed HGN in Figure 9.9
will always be of size 4, e.g. 1321 or 1111 or 2122;
• at least two GDs is proposed for redundancy purpose. A GD may decide to move from
one subnet to another and thus all the bias array information of that particular subnet
may be lost if no back up is available. Thus, it is also important to choose a resourceful
node with low mobility to be a GD;
Table 9.2 Testing data and their characteristics.

Features Test 1 Test 2 Test 3
Alphabets I, A, F, X S, F, J I, T, Z
Similarity (I) with A = 34% (S) with F = 71% (I) with T = 89%
percentage (I) with F = 49% (S) with J = 63% (I) with Z = 77%
(I) with X = 49% (F) with J = 60% (T) with Z = 66%
(A) with F = 69% (average = 64.67%) (average = 77.33%)
(A) with X = 46%
(F) with X = 46%
(average = 49.33%)
Test Data 4000 for each 3000 for each 3000 for each
distortion bit distortion bit distortion bit
(Total = 28,000) (Total = 21,000) (Total = 21,000)
• in order to reduce the communication overhead between GDs and master node, in
communicating the subnet pattern index, an overlapping node should be selected as a
GD. The number of communication hops can then be significantly reduced.
9.6 Experiments
The main objective of the experiments is to investigate the classification performance of

distributed HGN in a supervised environment. The highly accurate, highly computational
and iterative SOM is used in comparison. We study the performance of both algorithms in
classifying (1) distinct patterns, (2) low-percentage similar patterns and (3) high-percentage
similar patterns when the system is presented with various distorted patterns.
Only synthetic data is used in these experiments, instead of the MANETs networks
simulated data. The applied distortion percentage ranges from 3 percents to 60 percents or
from 1 bit to 21 bits. The size of the input pattern is 35-bit with binary values or in the
MANET environment, there is a total of maximum 35 nodes altogether. The data summary
used in this study is presented in Table 9.2.
A high performance PC running a SOM Toolbox [47] was used. In implementing the
distributed HGN algorithm, we employed MPICH2 message passing library on C pro-
gramming language, on a considerably low performance PC. A total of 18 processes were
required at a time to classify each 5-bit subpattern. A total of 126 (18 processes × 7 sub-
patterns) processes were used altogether to recognize and classify a 35-bit input pattern.
9.6.1 Test1: Distorted images of distinct characters I, A, F and X
The distinct characters of I, A, F, X were used in this experiment, as shown in Fig-

ure 9.10. The average similarity percentage among these characters is 49.33% (or below
50% similarity) and hence classified as distinct characters. Supervised learning was de-
ployed in this study, with the training data comprising only I, A, F and X perfect characters.
The total testing data used in this experiment were 28,000 or four thousands test data for
each different number of distortion bit.

Fig. 9.10 An illustration of four distinct alphabets. They are 7 × 5 bitmap of letters I, A, F and X.
9.6.2 Test2: Distorted images of low-percentage similar characters S, F and J
The low-percentage similar characters of S, F, J were used in this experiment, as shown

in Figure 9.11. The average similarity percentage among these characters is 64.67% (or
below 65% similarity) and hence classified as low-percentage similar characters. Super-
vised learning was deployed in this study, with the training data comprising only S, F and
J perfect characters. The total testing data used in this experiment were 21,000 or three
thousands test data for each different number of distortion bit.

Fig. 9.11 An illustration of three alphabets of low similar percentages. They are 7 × 5 bitmap of
letters S, F and J.
9.6.3 Test3: Distorted images of high-percentage similar characters I, T and Z
The high-percentage similar characters of I, T, Z were used in this experiment, as shown

in Figure 9.12. The average similarity percentage among these characters is 77.33% (or
above 75% similarity) and hence classified as high-percentage similar characters. Super-
vised learning was deployed in this study, with the training data comprising only I, T and
Z perfect characters. The total testing data used in this experiment were 21,000 or three
thousands test data for each different number of distortion bit.

Fig. 9.12 An illustration of three alphabets of high similar percentages. They are 7 × 5 bitmap of
letters I, T and Z.
9.7 Result and Discussion
9.7.1 Classification Accuracy of Distinct Patterns
Figure 9.13 shows the classification accuracy of the distributed HGN and SOM algo-
rithms in detecting distinct patterns, in this case alphabets I, A, F and X. In general, SOM is
superior to that of DHGN except for a range of 37% to 49% bits distortion. The greatest dif-
ference in the performance occurs at the 23% bits distortion with huge difference of 24.22%
(SOM achieved 92.2% accuracy while DHGN only able to achieve 68.68% accuracy). On
average, SOM outperforms DHGN by 7.14%. However, achieving high accuracy in SOM
requires a large number of iterations, usually in the thousands, to be performed during the
learning process. SOM optimizes its classification results by adjusting the weight of the
neurons many times and only stops when the errors have been minimized. DHGN’s result
is satisfactory considering that it employs a faster one-cycle learning process, in opposed
to thousands of iterations by SOM.
Fig. 9.13 The classification results of SOM and distributed HGN in detecting the distorted distinct
characters. On average, SOM outperforms DHGN by 7.14%.
9.7.2 Classification Accuracy of Low Similarity Patterns
Figure 9.14 shows the classification accuracy algorithms in detecting low-percentage

similar patterns, in this case alphabets S, F and J. It is expected that SOM to outperform
distributed HGN due to its iterative optimization process. The graph shows comparable
results between the two algorithms. In general, SOM is superior to that of DHGN until
the 54% bits distortion. We consider 50% or more distortion in any patterns as relatively
high and the results should not be taken into account. This is because with 50% or more
distortion imposed on a pattern, the structural information of the pattern may have been lost
and thus it is relatively difficult, even for human eyes, to recognize the distorted pattern.
The greatest difference in the performance occurs at the 34% bits distortion with marginal
difference of 11.57% (SOM achieved 74.4% accuracy while DHGN only able to achieve
62.83% accuracy). On average, SOM only outperforms DHGN by 4.72% when similar
patterns, in this case low similarity, were presented to the system.
9.7.3 Classification Accuracy of High Similarity Patterns
The resulting graph in Figure 9.15 is similar to that of Figure 9.14. In recognizing high-
percentage similarity alphabets, that is I, T and Z, distributed HGN performs somewhat
better than that of recognizing low-percentage similarity patterns. The greatest difference
Fig. 9.14 The classification results of SOM and distributed HGN in detecting the characters with
low similar percentages. On average, SOM outperforms DHGN by 4.72%.
in the performance of this experiment is considerably small, which is only 9.63% that
occurs at the 37% bits distortion (SOM achieved 63.7% accuracy while DHGN only able
to achieve 54.1% accuracy). On average, SOM outperforms DHGN by 5.43% in detecting
high-percentage similarity patterns. Again, we do not consider detection results above 49%
distortion rate since detection at this high distortion rate is similar to human guessing the
heavily distorted pattern, as the pattern’s structure is almost non-existent.
9.7.4 Summary
On average SOM outperforms DHGN classification performance only by less than 6%

in all experiments. It is expected of SOM to provide high accuracy results due to its re-
source intensive algorithm. On the contrary, the one-cycle, light weight distributed HGN
recognition algorithm has shown comparable accuracy results with SOM. In our previous
work [48], we have also compared the computational complexity of both algorithms, in
which the iterative SOM algorithm has resulted in exponential complexity result, whereas
the one-cycle learning approach by DHGN has resulted in linear result. Employing re-
source intensive recognition algorithm in resource-constrained MANETs environment is
impractical. Thus, we believe the DHGN-based recognition scheme is a working solution
for attacks detection system in MANETs.
Fig. 9.15 The classification results of SOM and distributed HGN in detecting the characters with
high similar percentages. On average, SOM outperforms DHGN by 5.43%.
9.8 Conclusion
The unique characteristics of MANETs can also be their limitations. The shared wire-
less medium, distributed and self-configuring network architecture and highly dynamic
nodes have made them highly susceptible to many attacks. We propose collaborative IDS
that incorporates pattern discovery approach to identify possible attacks. We employ dis-
tributed HGN, a lightweight, low-computation and distributed pattern recognition scheme,
in our proposed three-stage cooperative IDS. The process flow of the IDS in detecting
DDoS attack, packet drop attack in specific, was presented. The challenges of imple-
menting DHGN in this proposed solution were also discussed. The experimental results
have shown that the DHGN scheme has performed comparatively well to the SOM al-
gorithm. Both algorithms are presented with thousands of distorted patterns of varying
degrees and they are to classify specific patterns from these distorted patterns. SOM outper-
forms DHGN in the classification accuracy by less than 6% on average. However, iterative
SOM algorithm is computationally expensive to deploy and hence is impractical to be em-
ployed in the resource-scarce wireless networks. Through its one-cycle learning approach
and divide-and-distribute recognition task process, DHGN is capable of detecting similar
patterns but with less accurate in short of time. Thus, we believe DHGN-based classifier
is an effective solution for intrusion detection systems in these networks for it saves en-
ergy, time, and is comparatively accurate. This paper, an improved version of our previous
work [49], discussed in-depth on the proposed collaborative IDS operations in detecting a
distributed packet drop attacks, and the challenges of employing the DHGN-based detec-
tion system in such volatile networks. In future work, we plan to use simulated MANETs
distributed packet drop attack data in the experiments.
Bibliography
[1] B. Wu, J. Chen, J. Wu, and M. Cardei, in A Survey of Attacks and Countermeasures in Mobile
Ad Hoc Networks. Wireless Network Security. Ed. Y. Xiao, X. Shen, and D.-Z. Du (Springer,
2006)
[2] D. Djenouri, O. Mahmoudi, M. Bouamama, D. Llewellyn-Jones and M. Merabti, in On Secur-
ing MANET Routing Protocol Against Control Packet Dropping, Proceedings of IEEE Interna-
tional Conference on Pervasive Services (ICPS 2007), p. 100.
[3] M. Hollick, J. Schmitt, C. Seipl and R. Steinmetz, in On the effect of node misbehavior in ad
hoc networks, Proceedings of IEEE International Conference on Communications (ICC2004),
p. 3759.
[4] Y.A. Huang and W. Lee, in Attack analysis and detection for ad hoc routing protocols, 7th
International Symposium on Recent Advances in Intrusion Detection (RAID 2004), p. 125.
[5] S. Kurosawa, H. Nakayama, N. Kato, A. Jamalipour and Y. Nemoto, Detecting blackhole attack
on AODV-based mobile ad hoc networks by Dynamic Learning Method, International Journal
of Network Security. Vol. 5(3), p. 338 (2007).
[6] S. Marti, T. Giuli, K. Lai and M. Baker, in Mitigating routing misbehavior in mobile ad hoc
networks, Proceedings of the Sixth Annual International Conference on Mobile Computing and
Networking (MOBICOM 2000), p. 255.
[7] P. Ning and K. Sun, in How to Misuse AODV: a Case Study of Insider Attacks Against Mobile
Ad-hoc Routing Protocols, Proceedings of the 2003 IEEE Workshop on Information Assurance
(2003), p. 60.
[8] I. Stamouli, P.G. Argyroudis and H. Tewari, in Real-time intrusion detection for ad hoc Net-
works, Sixth IEEE International Symposium on a World of Wireless Mobile and Multimedia
Networks (WoWMoM 2005), p. 374.
[9] M.AI. Shurman, S.M. Yoo and S. Park, in Black Hole Attack in Wireless Ad Hoc Networks,
Proceedings of ACM 42nd Southeast Conference (ACMSE 2004), p. 96.
[10] B. Sun, Y. Guan, J. Chen and U.W. Pooch, in Detecting black-hole attack in mobile ad hoc net-
works, Proceedings 5th European Personal Mobile Communications Conference (2003), p. 490.
[11] E. Yi, Y.E. Hou, Y. Zhong, S. Zhang and Z. Dai, Flooding Attack and Defence in Ad hoc
Networks, Systems Engineering and Electronics, Vol. 17(2), p. 410 (2006).
[12] W. Ren, D.-Y. Yeung, H. Jin and M. Yang, Pulsing RoQ DDoS attack and defense scheme in
mobile ad hoc networks, International Journal of Network Security, Vol. 4(2) p. 227 (2007).
[13] C.E. Perkins and E.M. Royer, in Ad-Hoc On-Demand Distance Vector Routing, Proceedings of
IEEE WMCSA ‘99 (1999), p. 90.
[14] D.B. Johnson and D.A. Maltz, in Dynamic Source Routing in Ad Hoc Wireless Networks, Mo-
bile Computing. Ed. T. Imielinski and H. Korth (Kluwer Publishing Company, 1996), p. 153.
[15] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang and S. Zhou, in Specification-
based anomaly detection: a new approach for detecting network intrusions, Proceedings of the
9th ACM Conference on Computer and Communications Security (2002), p. 265.
[16] P. Brutch and C. Ko, in Challenges in Intrusion Detection for Wireless Ad-hoc Networks, Sym-
posium on Applications and the Internet (SAINT 2003), p. 368.
Bibliography 205
[17] E.C.H. Ngai and M.R. Lyu, in Trust- and Clustering-Based Authentication Services in Mobile
Ad Hoc Networks, 24th International Conference on Distributed Computing Systems Work-
shops (ICDCSW 2004), p. 582.
[18] A. Karygiannis, E. Antonakakis and A. Apostolopoulos, in Host-based Network Monitoring
Tools for MANETs, 9th Annual International Symposium on Modeling, Analysis and Simulation
of Wireless and Mobile Systems (MSWiM 2006), p. 153.
[19] Y. Zhang and W. Lee, in Intrusion detection in wireless ad-hoc networks, Proceedings of the
6th Annual International Conference on Mobile Computing and Networking (2000), p. 275.
[20] O. Kachirski and R. Guha, in Effective Intrusion Detection Using Multiple Sensors in Wire-
less Ad Hoc Networks, Proceedings of the 36th Hawaii International Conference On System
Sciences (2002).
[21] P. Albers and O. Camp, in Security in Ad Hoc Networks: a General Intrusion Detection Archi-
tecture Enhancing Trust Based Approaches, 1st International Workshop on Wireless Informa-
tion Systems’ (WIS-2002).
[22] Y. Li and J. Wei, in Guidelines on Selecting Intrusion Detection Methods in MANET,ă The
Proceedings of ISECON (2004).
[23] Y. Zhang, W. Lee and Y. Huang, Intrusion Detection Techniques for Mobile Wireless Networks,
ACM/Kluwer Wireless Networks Journal, Vol. 9(5), p. 545 (2003).
[24] X. Guan, Y. Yang and J. You, in POM-A Mobile Agent Security Model against Malicious Hosts,
Proceedings of the 4th International Conference on High Performance Computing in the Asia-
Pacific Region (2000), p. 1165.
[25] Y. Huang, W. Fan, W. Lee and P.S. Yu, in Cross-Feature Analysis for Detecting Ad-Hoc Rout-
ing Anomalies, Proceedings of the 23rd International Conference on Distributed Computing
Systems (2003), p. 478.
[26] B. Sun, K. Wu, K. and U. Pooch, in Routing anomaly detection in mobile ad hoc networks,
Proceedings of the 12th International Conference on Computer Communications and Networks
(2003), p. 20.
[27] D. Jiang, Y. Yang and M. Xia, in Research on Intrusion Detection Based on an Improved SOM
Neural Network, Fifth International Conference on Information Assurance and Security (2009)
Vol. 1, p. 400.
[28] P. Lichodzijewski, A.N. Zincir-Heywood and M.I. Heywood, in Host-Based Intrusion Detec-
tion Using Self-Organizing Feature Maps, Proceedings of the IEEE International Joint Confer-
ence on Neural Networks (2002), p. 1714.
[29] A. Mitrokotsa and C. Douligeris, in Detecting denial of service attacks using emergent self-
organizing maps, Proceedings of the Fifth IEEE International Symposium on Signal Processing
and Information Technology (2005), p. 375.
[30] S.T. Sarasamma, Q.A. Zhu and J. Huff, Hiearchical Kohonen net for anomaly detection in
network security, IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics,
Vol. 35(2), pp. 302 (2005).
[31] J. Kim and P. Bentley, in The Artificial Immune Model for Network Intrusion Detection, 7th
European Congress on Intelligent Techniques and Soft Computing (EUFIT’99).
[32] A. Hofmeyr, A. Somayaji, and S. Forrest, Intrusion Detection using Sequences of System Calls,
Journal of Computer Security, Vol. 6, p. 151 (1998).
[33] S. Forrest, A.S. Perelson and L. Allen, in Self-Nonself Discrimination in a Computer, Proceed-
ings of the IEEE on Research in Security and Privacy (1994).
[34] U. Aickelin, J.Greensmith and J.Twycross, in Immune system approaches to intrusion detection
– a review, ICARIS 2004 LNCS. Vol. 3239, Ed. G. Nicosia,V. Cutello, P.J. Bentley and J.
Timmis (Springer, Heidelberg, 2004), p. 316.
[35] T. Kohonen, Self-Organising Maps, Springer, Berlin (2001).
[36] S. Sarafijanovic and J.-Y. Le Boudec, An Artificial Immune System Approach with Secondary
Response for Misbehavior Detection in Mobile Ad-Hoc Networks, IEEE Transactions on Neu-
ral Networks, Special Issue on Adaptive Learning Systems in Communication Networks, Vol.
16(5), p. 1076 (2005).
[37] N. Mazhar and M. Farooq, in BeeAIS: artificial immune system security for nature inspired,
MANET routing protocol, BeeADHoc, Proceedings of the 6th International Conference on Ar-
tificial Immune Systems (ICARIS 2007), p. 370).
[38] A. Mitrokotsa, N. Komninos and C. Douligeris, in Intrusion Detection with Neural Networks
and Watermarking Techniques for MANET, IEEE International Conference on Pervasive Ser-
vices (2007), p. 118.
[39] T. Srinivasan, V. Vijaykumar and R. Chandrasekar, in A Self-organized Agent-based architec-
ture for Power-aware Intrusion Detection in wireless ad-hoc networks, International Confer-
ence on Computing & Informatics (ICOCI 2006), p. 1.
[40] T. Avram, O. Seungchan and S. Hariri, in Analyzing Attacks in Wireless Ad Hoc Network
with Self-Organizing Maps, Annual Conference on Communication Networks and Services
Research (CNSR 2007), p. 166.
[41] A.I. Khan, in A peer-to-peer associative memory network for intelligent information systems,
Proceedings of The Thirteenth Australasian Conference on Information Systems (2002), p. 317.
[42] A.I. Khan, M. Isreb and R.S. Spindler, in A parallel distributed application of the wireless
sensor network, Proceedings of the High Performance Computing and Grid in Asia Pacific
Region (HPCASIA 2004), p. 81.
[43] B.B. Nasution and A.I. Khan, A hierarchical graph neuron scheme for real-time pattern recog-
nition, IEEE Trans. Neural Networks, Vol. 19(2), p. 212 (2008).
[44] A. Muhamad Amin and A.I. Khan, in Single-cycle image recognition using an adap-
tive granularity associative memory network, Advances in Artificial Intelligence (Springer,
Berlin/Heidelberg, 2008) p. 386.
[45] A.H.M. Amin and A.I. Khan, in Parallel pattern recognition using a single cycle learning
approach within wireless sensor networks, International Conference on Parallel and Distributed
Computing, Applications and Technologies (PDCAT 2008), p. 305.
[46] A.H. Muhamad Amin, R.A. Raja Mahmood and A.I. Khan in Analysis of pattern recogni-
tion algorithms using associative memory approach: A comparative study between the hop-
field network and distributed hierarchical graph neuron (DHGN), Proceedings of the 2008
IEEE 8th International Conference on Computer and Information Technology Workshops (CIT-
WORKSHOPS 2008), p. 153.
[47] J. Vesanto, E. Alhoniemi, J. Himberg, K. Kiviluoto and J. Parviainen, in Self Organizing Map
for Data Mining in Matlab: The SOM Toolbox, Simulation NewsEurope (1999).
[48] R.A. Raja Mahmood, A. Muhamad Amin and A. Khan, A lightweight, fast and efficient dis-
tributed hierarchical graph neuron-based pattern classifier, International Journal of Intelligent
Engineering and Systems, Vol. 1(4), p. 9 (2008).
[49] R.A. Raja Mahmood, A.H. Muhammad Amin, A. Amir and A.I. Khan, in Lightweight and
Distributed Attack Detection Scheme in Mobile Ad Hoc Networks, 7th Conference on Advances
in Mobile Computing and Multimedia (MoMM 2009), p. 162.
Chapter 10
Security Framework for Mobile Banking
Dasun Weerasinghe, Veselin Rakocevic, and Muttukrishnan Rajarajan

School of Engineering and Mathematical Sciences, City University London, Northampton
Square, London, EC1V 0HB, UK
E-mail: dasun99@yahoo. com
The banking sector is always looking for new services delivery platforms to improve cus-
tomer confidence and satisfaction. To achieve this, the banking service delivery platform
must provide end-to-end security to safeguard the information exchange between the bank
and the customer. With the increased penetration of mobile phones in the market place
the banks are looking for mobile phones as the major revenue generating platform for the
delivery of banking and financial services. Today a number of banks offer mobile bank-
ing service to their customers. However, still banks have been adopting the generic user
authentication systems that was developed for the desktop environment or other complex
authentication systems with a number of user intrusive activities. Therefore, the usabil-
ity and adoption of the mobile banking technology has been extremely slow. This paper
presents a novel authentication and authorization framework for secure mobile banking ap-
plications. The proposed protocol enables users to authenticate with the banking services
with minimum user interactions but with novel advance security features.
10.1 Introduction
The wide penetrations of mobile phone usage and the availability of more powerful
mobile handsets and network bandwidth have made mobile devices an attractive candidate
for value added services. Today mobile users can carry out basic banking transactions such
as transfer money, check balances or pay a bill or statement. Mobile banking services will
be a value added service for mobile users due to the fact that the users can carry out banking
from anywhere anytime at their convenience. It also gives the opportunity for people who
do not have broadband connectivity to carry out mobile banking. According to the Juniper

Research, by the end of 2011 more than 150 million subscribers worldwide will have used
mobile banking services and this represents a growth of more than three fold since 2008 [1].
However, security is one of the main areas of concern when introducing banking ser-
vices in mobile devices. During the recent past there has been a number of mobile banking
solutions emerged in the market place that are complex and hence have slowed the adop-
tion. This paper will review the existing mobile banking solutions and propose a novel
security framework that will provide increased security and usability features.
The mobile banking association has recently highlighted the following main security
issues that should be addressed in order to encourage the adoption of mobile banking [2].
(i) Data transmission must be secured: for the confidentiality, the connection between
the bank and the device should be encrypted.
(ii) Application and data access must be controlled: before users can receive any sen-
sitive information related to their bank accounts, a certain degree of verification must
be completed.
(iii) Data integrity must be provided: Any critical data to the mobile phone must be
protected against unauthorized modification.
(iv) Loss of device must have limited impact: The mobile banking service should be
designed so that there’s limited impact when customers lose their mobile phones.
10.2 Mobile Banking
Mobile bankingăis a term used for performing online banking services such as money
transactions, view account balance, etc using a mobile device such as aămobile phone.
Mobile banking today is most often performed usingăShort Message Service (SMS) com-
municationăor theăMobile Internetăbut can also use special programs called mobile ap-
plications downloaded onto the mobile device. We did a comparative study on security
features in different banking applications in UK, USA and Asia. We have identified three
main techniques in mobile banking and security features associated with each technique.
SMS Banking: The short message services in the mobile network are used to commu-
nicate between the mobile user and the bank. This is one of the most popular techniques
and SMS banking offers features like check account balance, do micro payments and view
mini statements. The user is registered with the bank using the mobile phone number and a
password or PIN and those parametersare used to authenticate the user. The bank provides
a set of SMS codes for different banking functions (e. g. ‘bank_balance’ to enquire the
Security Framework for Mobile Banking 209
bank balance) or user has to send messages to different destination numbers for different
services. Memorizing different SMS codes for different banking functions is cumbersome
to the mobile users and there is no nationally or internationally accepted standard code of
practice available to-date.
WAP-GPRS: Wireless application protocol (WAP) browser provides all the basic ser-
vices of a web browser but simplified for a mobile phone. WAP banking in other terms
is mobile Internet banking such as mobile user’s access banking websites designed to be
accessed from mobile phones. This mobile banking would require all or a part of the
authentication credentials used in Internet banking. Mostly, the users have to enter the
username, password and account number. The extra security is added by some banks with
introducing a One Time Password service. The bank issues a password that is valid for just
single login or single transaction. So every time when user makes a new transaction the
One Time Password is sent through SMS to the mobile phone. The user has to enter the
password in the WAP site to authenticate. However, entering all the security parameters
using a mobile phone with restricted key pad (e. g. most of the mobile phones represent
4 letters by a single key in the key pad. ) is not a user-friendly authentication method in
mobile banking.
Mobile Application based Banking: Most banks are in the process of adopting this
technology. The banking application is downloaded to the mobile device and then user
is authenticated using username and password technique and the mobile number is used
for the user identification in some of the existing applications. However, still the user
entered password is required by the bank for the user authentication. This password is
recommended to be strong characters to prevent security attacks. Meanwhile, Interactive
Voice Response (IVR) calls are implemented in the mobile banking platform by some of
the banks to improve the security features.
The Bank of America provides the mobile banking to their customers and it has three
levels of security such as Online ID is entered by the user (Online ID is considered as a
secure information), the site key is sent by the bank to the mobile device and it is identified
by the mobile user and finally password is entered by the user. Barclays bank in the United
Kingdom provides a WAP based mobile banking platform and users have to enter the com-
plete login details such as username, membership number, passcode and memorable name
from the mobile device. The HSBC and NatWest banks in the UK provide mobile ap-
plication based banking services. The application is installed onto the mobile device and
security is established using the phone number and the password. The HDFC bank in India
provides WAP and SMS based mobile banking services. However, they do not provide
more sensitive functions such as money transactions and the security is implemented using
a user PIN.
Most of the mobile banking services inherituser authentication using one or more com-
binations of username, password, PIN, phone number and IVR calls [3]. Meanwhile, an
extra PIN or password based authentication is required to authorize money transactions
in mobile banking. However, according to the article [4], the number of user inputs to
the mobile application using the mobile key pad should be minimized since it should be
convenient for users to operate while on the move. Clarke and Furnell [5] presented secu-
rity weaknesses in PIN and other user intrusive authentication systems in mobile devices.
They highlighted the importance of non-user intrusive authentication methods for sensitive
service access at mobile devices.
Merita Bank in Finland did a case study in mobile banking and they used the WAP
technology with the username and password based authentication. The final outcome of
the report was to setup a public key infrastructure in the mobile device to authenticate
the mobile users to the banking services [3]. Horn G. et al. [6] evaluated the design of
public key based protocols suitable for applications in 3G mobile systems. The protocols
were considered for the authentication of a mobile user to value-added financial services.
However, special Wireless Identity Module technology (WIM) is required in the mobile
device or in the smart card to store long term secret keys in a mobile device [7]. Meanwhile,
Dodis et al. [8] highlighted threats to cryptography when installing a private key in a
device and especially when a user carries the mobile device which allows remote access
from public or foreign domains. They recommended having a key as an output from a
combination of different types of physical and logical cryptographic inputs.
The researches have investigated the use of mobile operator issued SIM card as an
authentication unit for mobile banking. The SIM card is used by the mobile operator to
identify the subscriber but the same SIM card was used for mobile banking by Radiomobil
(today TMobile Czech) together with several Czech banks. These mobile SIM cards were
specifically developed since then for mobile banking. Besides the GSM credentials they
contained a collection of credentials (access keys) for mobile banking [9]. This security
approach is not presently used due to the complexity of key management. CamWebSIM
[10] is the platform for a variety of identification and security solutions. It is based on
Windows for SmartCard and its integrated SIM functionality is combined with a small
HTTP server on the card. By making the SIM accessible over HTTP, the phone and the
SIM becomes a personal security server on the Internet. Meanwhile as specified in [11], the
SIM can be used to generate a secure verifiable electronic consent of the mobile user using
the electronic signature on SIM-created credentials that may contain information about
time, intent and recipient.
The security framework proposed in this paper uses the SIM based authentication at the
mobile operator to authenticate the mobile users to the mobile banking services. Then iden-
tity and attribute (parameter) based key generation functionality is proposed to authorize
more sensitive banking services at the mobile device. The combination of SIM authentica-
tion and parameter based authorization generates a simple security framework for mobile
banking.
10.3 Architecture
The mobile service environment has three main actors such as the consumer, mobile
operator and the bank. The consumer is the mobile user with a mobile device and the
mobile device has a SIM card connected to a mobile network. The proposed security
framework allows mobile users to use the SIM based authentication mechanisms at the
bank to access the mobile banking services. The authentication functionality is based on
Federated Identity Management (FIM) technologies with the standard 3G authentication
techniques [12] at the mobile operator. The FIM is an extended version of the Single-
Sign-On (SSO) technique and it enables a single authentication system to be shared across
multiple trust domains. The mobile operator and the bank are in two trust domains but
the user authentication is linked using the FIM technology. This proposed environment is
implemented based on the guidelines of Liberty Identity Federation Framework (ID-FF)
[13]. The mobile users and the bank are connected to the mobile operator to access the
outsourced SIM based credentials for authentication in the proposed model as shown in
Figure 10.1.
Fig. 10.1 Mobile Banking Environment

The implementation of security framework for mobile banking is based on Web service
architecture such as:
• The mobile device has an over-the-air installed application that uses the SIM card as
one of its security elements. This application is named as the Security Capsule.
• The banking services content is provided by the services provider in accordance with
the Web services standard over the SOAP messaging.
• The mobile operator provides the authentication service using the Generic Bootstrap-
ping Architecture (GBA) architecture of Generic Authentication Architecture (GAA)
as specified by the 3GPP specification [12], and the bank establishes a trust relation-
ship with the mobile operator and implements the Federated Identity Management
technology.
The banking services are available to mobile users from the bank and the service must
be capable of being set-up using over-the-air techniques. The actors interface to the system
using the standard and the internationally agreed protocols such as SOAP and HTTP over
the Internet or mobile network.
The Security Capsule is a mobile application and it establishes the mobile device com-
munication with the bank. The bank uniquely identifies the mobile device for authentica-
tion and authorization before the service delivery and the bank issued security tokens to
the Security Capsule to confirm the valid authentication and authorization activities at the
mobile device. The unique identity is derived in the Security Capsule using the logical and
physical identity parameters at the mobile device. Meanwhile, the Security Capsule main-
tains the key credentials for the authentication at the mobile operator and the bank. The
unique identity and key credentials are used to present the final user authorization to access
services. The user authorization is performed by generating a cryptographic key with dif-
ferent input parameters. Meanwhile, the Security Capsule utilizes and verifies the security
tokens and secure messages during the registration and authentication with the bank.
The novel key generation process at the Security Capsule enables a new way of mobile
banking framework without consuming number of user inputs for the security validation.
The Security Capsule uses the physical and logical identities and key credentials at the
mobile device as inputs. Therefore, the key generation process automatically guarantees
and verifies the mobile user identity and authentication to access banking services. The
cryptographic key will not be generated unless relevant identities are presented else the
authentication is unsuccessful. The following are the necessary credentials and identity
parameters for the key generation process.
• IMPI (IP Multimedia Private Identity): The mobile operator assigned identity for the
mobile user. This identity is stored in the USIM of the mobile device.
• IMEI (International Mobile Equipment Identity): The unique identity of the mobile
device and this is issued by the mobile device manufacturer.
• UID: The identity provider issued unique identity for the security capsule. The UID
is inserted into the source code of the Security Capsule and it can’t be retrieved by
external parties. The UID is an alphanumeric value in the security capsule and it is
un-accessible to the device users.
• Token Key: This cryptographic key is issued by the bank as a result of successful
mobile user authentication and authorization.
The key generation using the above functions will enable SIM dependent, mobile device
dependent, mobile user dependent and bank authentication dependent data access property
at the mobile device.
10.4 Security Protocol Design
The bank has the main role in the security framework such as registering, identifying,
authenticating and authorizing mobile users to the banking services. The mobile user’s SIM
deployed in mobile device with the Security Capsule acts as an authentication authority
to the bank. The identification and authentication information about the mobile user are
exchanged from the mobile operator to the bank.
Figure 10.2 presents the main communication links between the bank, mobile operator
and mobile userand our mobile banking framework consists of 3 main stages such as:
Registration: a mobile user registers with the bank for mobile banking services. The
mobile user downloads the security capsule and then shares some secret credential informa-
tion with the bank for the authentication. The mobile user registers for the mobile banking
services by downloading the Security Capsule from the bank. The Security Capsule is
downloaded and installed to the mobile device using over-the-air technique of the mobile
network. It contains a unique identification number (UID) and it is used to identify the
mobile user at the identity provider. The security capsule sends a registration acknowl-
edgement to the bank after the successful installation. The registration acknowledgement
consists of the UID and identification parameters at the mobile handset.
Authentication: the mobile user authenticates with the bank to access services on the
bank account. The secret credentials are exchanged and parties are mutually authenticated
with each other. The mobile device uses the Bootstrapping Server Function at the mobile
operator to create the application layer credentials. The generation of the application layer
credentials is presented by the messages (1) and (2) in Figure 10.2. The B-TID is a mobile
operator generated reference to the application layer credentials. These credentials are then
shared with the bank according to the GBA of GAA [35]. The messages (3) and (4) in
Figure 10.2 are referred to the GAA function between the mobile operator and the bank.
The knowledge of the shared secret mutually authenticates the mobile user and the bank to
the mobile banking framework as shown in messages (5) and (6) in Figure 10.2. The bank
uses its public key certificate to authenticate with the mobile user and Security Capsule
generated shared key is used for the secure communication after the authentication.
Authorization: this is an extended security feature in mobile banking and bank would
use the authorization before any financially valuable transactions. For an example, activi-
ties such as money transfer from account, setting up direct debit, change personal informa-
tion, etc. These activities have to be authorized with special credentials compared to the
authentication.
Fig. 10.2 Communication links

The detailed description of the security protocol in the banking framework is presented
in the below sub sections.
10.4.1 Registration
The mobile user downloads the security capsule to the mobile device for mobile bank-
ing services. The capsule can be downloaded either by visiting the WAP web site of the
bank using a WAP browser in the mobile device or by clicking on the Security Capsule
download link sent as a text message. The Security Capsule is downloaded using over-the-
air or wired techniques. The following are the main steps in the registration process and
the steps are presented in Figure 10.3.
(1) The mobile device requests to download security capsule.

(2) The security capsule is downloaded onto the mobile device.
(3) The mobile user verifies the authentication of the bank and the integrity of the down-
loaded Security Capsule using the following steps. These steps are carried out prior to
the Security Capsule installation process.
• The public key certificate of the bank is used to authenticate the bank.
• The calculated hash value of the Security Capsule binary installation is compared
with the hash value at the bank for the security capsule integrity. The hash value
is signed using the bank’s private key to present the authentication.
(4) The Security Capsule is installed into the mobile device as a mobile application. The
downloaded Security Capsule is uniquely identified using the UID. The UID is used to
present the Security Capsule identification to the bank during the future communica-
tions.
(5) The execution of Bootstrapping function will generate a new shared secret key (Ks)
between the mobile device and the mobile operator. The Ks is generated in the device
and mobile operator sends the B-TID as a reference to the shared secret key (Ks).
(6) The Security Capsule accesses the IMPI and IMEI values from the mobile device and
it generates the KIMPI and KIMEI using an inbuilt hash function.
HASH ( IMPI ) = KIMPI
HASH ( IMEI ) = KIMEI
B-TID, KIMPI and KIMEI are transmitted to the bank by encrypting them using the
bank’s public key.
(7) The bank sends the B-TID to the mobile operator and requests the shared secret key
(Ks).
(8) The mobile operator sends the shared secret key (Ks) to the bank.
Fig. 10.3 Registration Process
(9) The bank generates a random challenge using the Ks and a random number. The ran-
dom challenge is sent to the security capsule and it is used to validate the mobile users’
ownership to the B-TID and Ks.
(10) The Security Capsule generates the Challenge Response using the Ks and returns the
Challenge Response to the bank.
10.4.2 Authentication
The authentication phase starts when the user wants to login to the mobile banking
service. The login function in the Security Capsule is initiated by the user. The following
are the main steps in the authentication process and the steps are summarized in Figure 10.4.
(1) The Security Capsule accesses the present B-TID in the mobile device and sends the
UID and the B-TID to the bank. If the B-TID is not available then Bootstrapping
function is executed at the mobile operator. The B-TID and the UID are encrypted
using the bank’s public key.
(2) The bank sends the B-TID to the mobile operator to obtain the relevant Ks for the
communication.
(3) The mobile operator checks the B-TID and send the associated Ks to the bank
Fig. 10.4 Authentication Process
(4) The bank generates a random challenge using the Ks and a random number. The ran-
dom challenge is sent to the Security Capsule and the challenge is used to validate the
mobile users’ ownership to the B-TID and the Ks.
(5) The Security Capsule generated the Challenge Response using the Ks and returns the
Challenge Response to the bank. Meanwhile, the Security Capsule generates session
key (tsk) and sends it to the bank. This session key is used for all the future communi-
cation with the bank. The complete message to the bank is encrypted using the bank’s
public key.
(6) At this stage, the Security Capsule and the bank are mutually authenticated to each
other. The bank uses the Ks knowledge at the Security Capsule to authenticate the Se-
curity Capsule. The B-TID and the UID are encrypted using the public key of the bank
by the Security Capsule. The knowledge of the banks private key at the bank is used
to authenticate the bank to the Security capsule. The Service Token is generated by the
bank and the token is sent to the Security Capsule as the authentication confirmation.
Service requests from the mobile user to the banks should consist of the Service Token
and the service requests and service responses are encrypted by the tsK.
10.4.3 Authorization
The authorization phase is required when a mobile user wants to access or execute
more sensitive activities. The user authorization is presented to the bank by generating the
Data Key at the Security Capsule. The Data Key is generated using a number of identity
and credential parameters at the mobile device. The following are the main steps in the
authorization process and the steps are also presented in Figure 10.5.
(1) The user requests to execute a sensitive activity. The request for the execution is trans-
ferred to the bank with the Service Token.
(2) The bank generates an Execution Token and returns to the Security Capsule. The
Execution Token is the authorization token for the activity execution. The bank issues
the Execution Token based on the user access privileges evaluation at the bank.
Fig. 10.5 Authorization Process
(3) The bank generates the Data Key and sends the Execution Challenge to the Security
Capsule. The Data Key generation process at the bank is explained in Section 10.4.
The Execution Challenge is encrypted using the Data Key. The Execution Challenge
is generated to verify the successful end-user level authorization.
(4) The Security Capsule generates the Data Key and then generates the Execution Chal-
lenge Response using the Data Key. The Execution Challenge Response is sent to the
bank. The Data Key generation at the Security Capsule is explained in Section 10.4.
(5) If the Execution Challenge Response is successfully verified then execution of the ac-
tivity is authorized to the user.
10.5 Security Tokens and Data Key generation
The proposed protocol is optimized for minimum number of communication messages

in registration, authentication and authorization processes. We have done a number of evo-
lution design cycles to improve the communication messages during last couple of years.
Some of our engineering principles for protocol design are presented on [14,15]. The size
and the complexity of the tokens are reduced as much as possible, due to the processing
power constrains of the mobile device and bandwidth constrains in the mobile networks.
Therefore, the proposed schema is suitable for mobile environment with minimum process-
ing power and low bandwidth constrains.
10.5.1 Security Token Design
The authentication and authorization are granted using the XML tokens. This section
describes the token structures and the abbreviations below are used for the token represen-
tation.
[Y]ID = unique identification of Y in the system
TS = Timestamp
tsK = temporary session Key
TK = Token Key
SN:SK (X) = The signature of data X using secret key (from the confidentiality key pair)
of entity N
EN:PK (X) = The encryption of data X using public key (from the integrity key pair) of
entity N
EKa (X) = The encryption of data X using symmetric key Ka
10.5.1.1 Service Token
Service Token = S Bank:SK (E Bank:PK (UID | TS)) | E Bank:PK (UID | TS);

The token is used to identify the authenticated mobile users to access the banking ser-
vices. It consists of the user identifier (UID) and the timestamp. The Service Token is
encrypted by the public key of the bank and it is signed by the secret key of the bank.
There are two public key pairs that are maintained for the signature and encryption oper-
ations at the bank. This token is a property of the bank and the bank uses the token to
identify the authenticated mobile devices. Therefore, the bank is the only entity that can
decrypt the token. However, the mobile user validates the token signature to verify the
bank’s authentication to the communication channel.
<ST>
<UID>String</UID>
<TS>Timestamp</TS>
</ST>
Size of the Service Token;
Before XML Security: 61 bytes
After XML Security: 2.23 KB
10.5.1.2 Execution Token
Execution Token = Etsk (SBank:PK (ETID | Token Life Time | TS | TK), (ETID | Token
Life Time |TS | TK));
The Execution Tokens are the authorization objects for mobile users to access and uti-
lize the sensitive services and data from the bank. The Execution Token identification
(ETID) is a unique identity in each token. A unique execution token is generated for each
execution service request message and the presence of the Execution Token in the mobile
device is required to generate the Data Key for the data decryption. The service provider
generates the Token Key (TK) to secure the user authorization at the mobile device. This
key is inserted into the Execution Token with the token life time and the timestamp. If the
token life time is expired then the Security Capsule has to request a new token by the send-
ing the Service Token. The Execution Token is signed by the private key of the bank for
the integrity protection and the confidentiality is protected by encrypting the token using
the tsK (temporary session key between the Security Capsule and the bank).
<ET>
<ETID>String</ETID>
<TokenLifeTime>Int</TokenLifeTime>
<TS>Timestamp</TS>
<TK>Key</TK>
</ET>
Size of the Service Token;
Before XML Security: 173 bytes After XML Security: 3.06 KB
10.5.2 Data Key generation
The Data Key is generated at the Security Capsule to present the mobile legitimacy and
authorization to access the requested sensitive services from the bank. The Data Key is a
short term cryptographic key and it does not transmit over-the-air but the key is generated
at the bank and the mobile device. This key is generated using some of the shared attributes
and key credentials between the mobile device and the bank.
10.5.2.1 Data Key generation at the Bank
The Data Key is generated at the bank using the SHA-1 hash function and the Data
Key is a 168 bit cryptographic key. The bank generates the Token Key for the Execution
Token and this key will be an input to the Data Key generation function. This Token Key
presents the user’s authentication to access banking services. The following is the Data
Key generation hash function (Function Data Key ) with the input parameters.
Function Data Key (Token Key, KIMPI , KIMEI , UID) = Data Key
The generated Data Key is used to produce a value that can be used to challenge the
mobile user’s authorization to execute an activity. The bank generates a random number
and it is named as Execution Challenge. The Function Execution Challenge Res is a Hash-based
Message Authentication Code (HMAC) function and it generates the Execution Challenge
Response. The bank generates the Execution Challenge Response, sends the Execution
Challenge to the Security Capsule and requests the Security Capsule to generate the Execu-
tion Challenge Response. Finally, the bank compares both Execution Challenge Response
outputs before authoring mobile users to execute services.
Function Execution Challenge Res (Data Key, Execution Challenge) = Execution Chal-
lenge Response
10.5.3 Execution Challenge Response generation
The Security Capsule obtains the request for the Execution Challenge Response from
the bank and it retrieves relevant Execution Token from the device memory. The Data
Key is generated as the initial step and then the Execution Challenge Response will be
generated. The following are the Data Key generation steps at the security capsule.
(1) Validates the Execution Token integrity and the freshness. If the token is not valid then
it is deleted from the Security Capsule and a new token is requested from the bank.
• The XML signature of the token is verified with the bank’s public key certificate
for the token integrity and authorization.
• The timestamp of the token and the token lifetime are compared with the present
timestamp from the bank.
(2) The Security Capsule obtains the IMPI and IMEI from the mobile device and the UID
from the internal data storage.
(3) The Data Key for the Execution Challenge Response generation is generated using
the hash function based key generation algorithm as shown in Figure 10.6. The key
generation algorithm is designed using the hash functions.
Fig. 10.6 Key generation at the Security Capsule
(4) The Security Capsule generates the Execution Challenge Response using the Data Key
and the Execution Challenge as shown in the below function. Then Data key is perma-
nently deleted from the device memory after the process.
Function Execution Challenge Res (Data Key, Execution Challenge) = Execution Chal-
lenge Response
The Data Key generation and Execution Challenge Response generation functions are
presented in Figure 10.7.
10.6 Conclusion & Discussions
The research novelty discussed in this paper leads to a standard secure mobile banking
framework for mobile users to access their banking services from anywhere. The present
mobile banking solutions require number of user intrusive activities during the authentica-
tion but our solution presents effective and user-friendly authentication solution for mobile
devices.
We have evaluated our framework using the Scyther model checking security protocol
verification tool [16]. Scyther is an automatic push-button tool for the verification and
Fig. 10.7 Security Capsule Functionality
falsification of security protocols. The secure banking protocol is written using the SPDL
(Security Protocol Description Language) and then validated using “Automatic claim” and
“Verification claim” procedures in the Scyther tool. We have developed a proof of concept
prototype for the evaluation. The prototype was successfully evaluated using number of
know security attacks such as Hardware based memory attacks, phishing attacks, source
substitution attack, time-memory trade-off attack, codebook attack and known key attack.
We have taken good care during the protocol design phase to reduce the complexity
and size of the messages and tokens. The proposed protocol is optimized to use a mini-
mum number of communication messages in registration, authentication and authorization
processes. The maximum message size was recorded as 3. 06 KB and the Security Capsule
installation is 90.7 KB. Therefore, our solution is suitable for processing power, memory
and bandwidth constrained mobile devices. According to the GSM Association annual re-
port on mobile banking for unbanked population [17], the mobile banking services are very
much required in rural villages in African and Asian countries since banks in the city are
normally far from the remote villages. Most of the villagers have low-tech mobile phones
and our proposed mobile banking model can be developed in those countries due to the
light weight application and message sizes.
The session key generation in the mobile device enables the secure message transmis-
sion independent from the mobile operator though mobile operator is a part of the authenti-
cation process. The session key is 112 bit key and it uses with the Triple DES algorithm for
the message security between the mobile device and the bank. The use of 112 bit key pro-
vides adequate security and according to the “lower bounds of computationally equivalent
key size table” [18] and the 112 bit key size encrypted message is secured beyond 2050.
Meanwhile, the Data Key for the HMAC function is designed as 168 bit key to prevent
brute force attacks [8] on Execution Challenge Response.
The Data Key generation process is one of the novel key generation mechanism in our
research compared to storing long term secret keys in the mobile device. The identity
and attribute based key generation methods are presented in [19, 20]. However, those en-
cryption and decryption methods are implemented with special encryption and decryption
algorithms. Our key generation algorithm is implemented using publically available HASH
functions and encryption is done using publicly available Triple DES algorithm. The Exe-
cution Challenge Response is generated using the HMAC function and it is a combination
of SHA-1 with a key. Therefore, all the algorithms that we use in our security framework
are publically available and proven algorithm. Meanwhile, these algorithms are available
in Java environments suitable for current mobile devices.
A number of user intrusive activities for the authentication and authorization in the cur-
rent mobile banking frameworks are one of the major drawbacks for users on the present
authentication services for mobile banking and hence are not suitable for users to use at
anywhere. However, the user authentication and authorization in our model is done using
non-intrusive methods and hence user inputs are not required for the process. The proposed
model will improve the efficiency and the usability of the mobile banking services. How-
ever, an extra 4 digit user PIN is recommended to prevent SIM cloning and mobile user
impersonation attacks.
Using the parameter based access control techniques the banks will be able to intro-
duced more identities and attributes to the key generation process. This will lead to differ-
ent authorization levels based on the sensitive nature of the banking data involved in each
transaction.
Finally, the proposed mobile banking security framework will be an effective and se-
cure solution for present mobile banking applications. The solution will present novel
secure authentication and authorization mechanisms to improve the customer confidence
and satisfaction.
Bibliography
[1] H. Wilcox, Mobile Banking Strategies, Applications & Markets 2008-2013, Juniper Research
Limited, January (2009).
Bibliography 225
[2] Mobile Banking Overview, Mobile Banking Association, version 1. 0, December (2009).
[3] T. Halonen, Authentication and Authorization in Mobile Environment, Seminar on Network
Security, HUT TML (2000).
[4] M. Wu, S. Garfinkel, and R. Miller, Secure Web Authentication with Mobile Phones, DIMACS
Workshop on Usable Privacy and Security Software (2004).
[5] N.L. Clarke and S.M. Furnell, Authentication of users on mobile telephones – A survey of
attitudes and practices, Computers & Security, 24 (7):519–527, (2005).
[6] G. Horn, K. Martin and C. Mitchell, Authentication protocols for mobile network environment
value-added services, IEEE Transactions on Vehicular Technology, vol. 51, no. 2, pp. 383–392
(2002).
[7] T. Weigold, Java-Based Wireless Identity Module, Proc. London Comm. Symp. 2002 (LCS
2002), (2002).
[8] S.U. Shin and K. H. Rhee, Hash functions and the MAC using all-or-nothing property, In Proc.
of Public Key Cryptography, LNCS, 1560:263–275, (1999).
[9] K. Rannenberg, Identity Management in Mobile Cellular Networks and Related Applications,
Information Security Technical Report, vol. 9, no. 1, pp. 77–85, ISSN 1363-4127, Elsevier
Sciences (2004).
[10] K. Rannenberg, CamWebSIM and Friends: Steps towards Personal Security Assistants, pp.
173–176 in Viktor Seige et al.: The Trends and Challenges of Modern Financial Services –
Proceedings of the Information Security Summit, May 29-30, (2002).
[11] H. Rossnagel, Mobile Qualified Electronic Signatures and Certification on Demand, Proceed-
ings of the 1st European PKI Workshop – Research and Applications (2004).
[12] Interworking of Liberty Alliance ID-FF, ID-WSF and Generic Authentication Architecture,
Technical Report, 3GPP 3rd Generation Partnership Project, 3GPP TR 33. 980; Technical
Specification Group Services and System Aspect, Release 4, version 1.0.0., July (2007).
[13] I.M. Kalden and M. Meyer, Wireless internet access based on GPRS, IEEE Personal Commu-
nications, vol. 7, no. 2, pp. 8–18 (2000).
[14] D. Weerasinghe, K. Elmufti, M. Rajarajan, and V. Rakocevic, Securing electronic health records
with novel mobile encryption schemes, International Journal of Electronic Healthcare (IJEH),
v. 3, n. 4, pp. 395–416 (2007).
[15] J. MacDonald, K. Elmufti, D. Weerasinghe, M. Rajarajan, V. Rakocevic, and S. Khan, A Web
Services Shopping Mall for Mobile Users, The 4th IEEE European Conference on Web Services
(ECOWS’06), Switzerland, December (2006).
[16] C. Cremers, TheScyther Tool: Verification, falsification, and analysis of security protocols. In
Proc. of the 20th Int. Conf. Computer Aided Verification (CAV’08). Lecture Notes in Computer
Science, vol. 5123. Springer Verlag, 414–418 (2008).
[17] Mobile Money for the Unbanked, Annual Report 2009, GSM Association (2009).
[18] A.K. Lenstra and E.K. Verheul, Selecting cryptographic key sizes, Journal of Cryptology, 14
(4):255–293 (2001).
[19] A. Sahai and B. Waters, Fuzzy Identity Based Encryption, In Advances in Cryptology – Euro-
crypt, volume 3494 of LNCS, pp. 457–473, Springer (2005).
[20] J. Bethencourt, A. Sahai, and B. Waters, Ciphertext-Policy Attribute-Based Encryption, In Pro-
ceedings of the 2007 IEEE Symposium on Security and Privacy, May 20-23, (2007).
Chapter 11
Anonymous, Secure and Fair Micropayment

System to Access Location-Based Services
Andreu Pere Isern-Deyà and M. Magdalena Payeras-Capellà and Macià Mut-Puigserver

and Josep-Lluis Ferrer-Gomila
Departament de Ciències Matemàtiques i Informàtica, Universitat de les Illes Balears,
Ctra. de Valldemossa, km 7.5.
E-07122 Palma de Mallorca, Spain
Some Internet service providers establish a fare for each access to the service. Micropay-
ments are useful for the payment of low value services. One kind of service that can be
benefited from the micropayment is the group of services based on location. Brand new
mobile devices are capable to access data networks and also they can execute complex
applications. Furthermore, these devices implement location systems like GPS. The com-
bination of both capabilities can be useful to build new ubiquitous applications based on
user location. These applications provide valuable information related to their location to
the customers of the service. We present a new scheme to access Location-Based Ser-
vices (LBS) and pay for the access, which achieves both the anonymity of its users and the
privacy of their data. The protocol we describe here, based on a micropayment scheme,
also adds for the first time, in this kind of protocols, a fair exchange between the service
provider and the user.
11.1 Introduction
Micropayments are a kind of electronic payment system adapted to the requirements of

payment of low value. Micropayments have to be efficient, that is, the cost associated with
the payment must be lower that the benefit obtained from it. For this reason security or
privacy are requirements not always fulfilled in micropayment systems. Recently, micro-
payments have been related to the use of mobile devices, like smartphones.
Several kinds of applications require a payment to access the service. Among these ap-
plications we can find applications that manage private data. In this case, privacy has to be
guaranteed. Location-based services (hereafter LBS) are an example of this kind of appli-

cations that gather private information of the user that could be used to generate a location
profile of the user in order to know usual movements. In particular, the LBS applications
that use the trail of the users must have more privacy requirements.
The use of mobile devices is increasing day after day and these terminals are used for data
networks, not only for voice networks. Moreover, many new devices have spatial location
systems like GPS or others based on location techniques like GSM or WiFi. So, if we
combine the best of both technologies in a mobile device, we can build new ubiquitous
services and applications based on the user location called LBS. These services provide
value added information related to the context where the users are located. We can list
some examples of LBS: general social networks like Twitter [25], mobile social networks
like Foursquare [5] or some Google applications [9, 10].
In the current chapter we propose for the first time a novel, efficient and anonymous mi-
cropayment protocol to pay for the access to location based services. In our proposal, cus-
tomers can access LBS avoiding the creation of a register of user’s locations and so assuring
their privacy. This is possible due to an anonymous exchange with the provider. Moreover,
providers can charge users for their services. We adapt the micropayment concept due to
the fact that LBS are normally charged with small fees. Furthermore, the proposed scheme
implements a fair exchange between the provider and the user, which is a micropayment
for a service: the location-based response.
11.2 Micropayment Schemes Overview
Micropayment schemes are a kind of electronic payment systems designed to pay small
amounts of money. These systems are developed to maximize their efficiency and also
to reduce the storage and processing costs. With this aim, these types of payment systems
allow the relaxation of the security measures since the financial risk is more controlled than
in regular payment schemes.
The typical model and the involved parties in a micropayment scheme are [21, 24]:
• Customer or User. The party who wants to buy a good or service.

• Merchant or Provider. The party who wants to sell a good or service.
• Broker or Bank. The party who issues coins and manages payment accounts.
So, the common model consists on an user who withdraws a coin from his bank account
(withdrawal or issuing procedure) in order to purchase (payment, spend or transaction
Anonymous, Secure and Fair Micropayment System to Access Location-Based Services 229
procedure) a good or electronic service (henceforth service) offered by a provider. Finally,

provider can request a deposit (deposit procedure) in his bank account in exchange of a
received coin from the user.
A summary of the main characteristics of an ideal micropayment scheme [17, 24] fol-
lows:
• Security. The scheme must ensure privacy, integrity and authentication of the involved
parties and their data. It should also preserve the anonymity of their users.
• Fair exchange. In a purchase the payment and the good transfer should be made in an
atomic way [26]. Nobody have to be able to achieve the benefits of a partial exchange.
• Reduced costs. The cost of each micropayment should be small enough to ensure the
system feasibility.
• Reliability and Scalability. These schemes should be accessible and scalable even if
the system load is high during peaks of demand.
Therefore, a micropayment scheme should be suitable to pay for low cost digital goods
like music or files from an online store. So, the challenge to design a micropayment scheme
is to find a compromise between functional features, like efficiency and cost, and the usually
opposed security requirements, like anonymity.
11.3 Related Work
In this section we are going to make a brief review to the related work about micropay-
ments.
Almost all the reviewed schemes share the same model explained in §11.2. In addition to
this basic model, there are other proposals like one of Wang et al. [27] which defines a new
protocol called revocation that acts as a refund protocol in order to exchange unused coins.
In general, micropayments are based on the use of hash chains, but there are some of
them that are not based on it like the proposal by Wang et al. [27] which is based mainly
on encryption.
Hash chain based schemes use hash chains in different ways. Most of them use single
chains as original Payword [23] scheme does. For example, the scheme of Zhao et al. [29]
establishes long term relationships between users and merchants through the use of a single
hash chains, where each pair of parties shares a single secret key. In this scheme, each
coin can only be used to pay a single merchant. Another micropayment system where
customers establish long term relationships with a single merchant is the scheme of Payeras
et al. [22]. Moreover, in this proposal, customers remain anonymous. In contrast, the
scheme proposed by Esmaeli et al. [3] also uses a single hash chain but it can be used to pay
various merchants. However, this scheme does not provide customer anonymity. Because
of this, Hosseinkhani et al. [13] improve the last scheme adding anonymity in the customer-
merchant relation thanks to the use of a commitment. Jiang et al. [15] micropayment is
based on chaotic single hash chain which provides partial fairness and customer anonymity
by the use of a one-way function based on chaos.
Another way to use hash chains is using more than one single chain. Inside this group
of micropayment schemes, Fan et al. [4] scheme uses a dual hash chain composed by two
chains with the same length in order to introduce partial fairness in the protocol. However,
this scheme does not provide any kind of anonymity to the customer since it uses digital sig-
natures. There are other schemes that use multiple hash chains. For example, Nguyen [20]
and Wang et al. [28] use multiple hash chains in order to achieve multiple denominations
(different monetary values per chain) and the ability to pay multiple merchants. On one
hand, the first scheme uses RSA modular exponentiation as one-way hash function, where
each dimension is generated by the use of different RSA exponents. On the other hand, the
second system simply uses multiples Payword hash chains.
Finally, we have detected new applications of micropayments appeared due to the increas-
ing use of mobile devices and wireless networks. Inside this trend, Jeong et al. [14] scheme
is designed to pay IPTV services using RFID modules. Hao et al. [12] present a micropay-
ment scheme to pay real-time SIP services through new generation networks. In addition,
Jiang et al. [15] scheme is designed to be used by mobile devices. Another interesting future
line is the application of micropayments in peer-to-peer networks as Chaudhary et al. [1]
do, transferring Payword chains between peers. To conclude, it is also interesting the use
of NFC technology (Near-Field Communication) to design a mobile payment service as
Kadambi et al. [16] do in their proposal.
11.4 Location-Based Services
LBS are a new kind of pervasive services that make use of location data in a mobile
environment to provide their customers specific and valuable information about the context
where they are located. For example, users can ask to LBS providers where is the nearest
hospital or where their friends are located.
From the security viewpoint, it is clear that the use of private data opens many threats
related to users security because either providers or observers should not have access to
both user identity and his location. So, we need techniques to ensure the secure use of
these applications.
A LBS can be classified into three types, depending of the user anonymity require-
ments [18]:
• Anonymous. The user can be fully anonymous, because the service does not need any
type of identification nor pseudonym. An example could be a service of meteorological
alerts for the city where the user is located.
• Identified. It only can work if the user provides his true identity. An example could be
an application to alert about a broken protective order by an assailant.
• Pseudonym based. The user does not show his true identity but he only shows a
pseudonym. For example, a dating application, where it is not mandatory to show
the real identity although other personal data could be shared, like age or sex.
Several protocols designed to access to LBS are focused to protect both users and queries
privacy. Some of them use obfuscation algorithms to hide the exact user location [6, 11],
while others try to allow private requests using a technique called PIR [7]. But none of
them take into account the ability of the service providers to charge their users. So, our
goal is to propose a solution which joins together the customer privacy with the ability of
providers to charge their users.
11.4.1 Payment Methods to Access LBS
The access to LBS offered by providers could be classified depending on the payment
method as follows:
• Free of charge. The user can send requests to providers free of charge and so, provi-
ders have not any profit. However, providers can obtain benefits through advertising
banners.
• Subscription. The provider charges the user by a subscription that is paid in advance
by the user. It is valid for a limited number of accesses or a limited time. It assumes a
long term relationship. That is, the whole package should be used by the user or it will
be lost, because a refund is not possible.
• Full payment. A full payment is a type of electronic payment scheme designed to

pay large amounts of money with plenty of security mechanisms. Since in LBS each
request has low cost and we need the maximal efficiency within the minimal cost, it is
not a good idea to use a full payment scheme to pay for LBS.
• Micropayment. A micropayment fits the requirements of providers and users. Its cost
is low, it is suitable for the payment of small amounts of money and the user pays only
for the consumed services.
Therefore, it seems that micropayment is the best method to charge users to access LBS.
11.5 LBS Access Protocol Description
The scheme we depict here aims to build an anonymous and secure solution to access
to the LBS but at the same time allowing the providers to charge their users. We think
that the micropayments general characteristics (Section 11.2) and some specific features
of the micropayment scheme by Payeras et al. [22] are ideal to build an access protocol
to LBS where providers can earn money and users can remain fully anonymous. The
protocol uses a specific coin for a single provider to improve the efficiency of the scheme.
This coin does not have any user identity information and it only could be used to pay
a single provider. The coin is build as a hash chain [23] where each element is called a
coupon. Each coupon will be used by users to access and pay the location provider. The
user could refund unused coupons if he does not use them. The protocol also implements a
multiple spending prevention algorithm which can avoid the risk of coin reuse. Moreover,
the proposed scheme adds for the first time a fair exchange between a micropayment and a
service.
The parties involved and the notation used in the protocol description can be found in
Table 11.1. The protocol is divided in subprotocols which will be described in the next
sections: service list, withdrawal, transfer, deposit and refund.
Table 11.1 Parties and notation used along the protocol description.
Protocol Parties
U User of the service

P LBS provider
B Bank
Used Notation
H(x) One-way collision resistant hash function applied over the element x
H i (x) Hash function H applied i times over the element x
skA and pkA Pair of secret and public keys of a public key cryptosystem of party A
CertA Digital public key certificate of A
SignA (x) A’ signature over the element x
SignA.Q (x) A’ signature for the quantity Q over the element x
Y ∗ = (Y, SignA (Y )) Element Y and the signature over Y made by A
R
x ← Zq Element x randomly chosen from Zq
KS Symmetric key
EK [x] Encryption of x using key KS
DK [x] Decryption of x using key KS
11.5.1 Initial Considerations
Before we describe each subprotocol, we list some starting considerations which deter-
mine the protocol design:
• It is designed for user constrained mobile devices.

• The scheme works as a debit system, i.e., the bank account balance of U is decre-
mented in the withdrawal subprotocol.
• B is a trusted party who will not disclose any information about any party involved in
the protocol.
• P provides its services in packages, so it allows the access to its systems a fixed number
of times. However, the package can also be spent partially.
• Each coupon has enough small value so it has not to be divided in smaller pieces.
• We use ElGamal key exchange [2] scheme, but another algorithm can be used.
• In order to fix time intervals to control the life cycle of the protocol and the actions that
can be done by parties in each subprotocol, we define some time values (see Fig. 11.1).
The time periods τ1 and τ2 are parameters fixed by the system.
– τexp is an expiration date. It is included in the coin and marks the date up to U
can spend the coin to access P.
– τd , defined like τexp + τ1 , marks the date up to P is able to deposit the received
coupons. It also marks when U could ask for refund of not spent coupons.
– τr , computed as τd + τ2 , marks the maximum time in which U can refund the
unused coupons. From τr , the coin will not be longer valid.
Fig. 11.1 Coins’ life cycle.
11.5.2 Bank Account Setup
U and P must setup a bank account in B. In this step, the bank B will link a digital
certificate to each bank account. B will use these certificates to authenticate his customers
in the withdrawal, deposit and refund subprotocols.
11.5.3 Services List
The service list subprotocol (Table 11.2) allows U to obtain the list of available services
in P. P answers the request with an array of services, where each item is described as:
• The cost of each request (c);

• The number of requests allowed for each package (n);
• A brief textual description (d) about the service.
As we can see, P builds an identifier W0P applying a hash function over a random element
W1P , which must be stored secretly by P because it identifies P. Finally, U stores the
received elements, chooses the desired service and calculates its total cost (Q).
Table 11.2 Services List Subprotocol
requestCapabilities. U follows the next step:
U → P: Request
responseCapabilities. P follows the next steps:
Builds a list of available services: list(ci , ni , di )

R
Picks W1P ← Zq and stores it in secret
Computes W0P = H(W1P )
Signs SignP (W0p ) = skP (H(W0P ))
R
Picks x ← Zq , stores it in secret and computes h = gx
P → U: W0P , SignP (W0P ), list(c, n, d),CertP , h, q, g
chooseService. U follows the next steps:
Stores W0P , SignP (W0P )

Chooses the service s and computes its cost: Q = ns · cs
11.5.4 Withdrawal
In the withdrawal subprotocol (Table 11.3) U and B are involved. The subprotocol allows
U to withdraw coins from his account in B. B creates a specific coin which will be used to
access the services of P.
Table 11.3 Withdrawal Subprotocol
requestCoupons. U follows the next steps:

R
Picks WMU ← Zq
Builds the coupons chain:
Wiu = H(W(i+1)U ) where 0 i M − 1 and M = 2n
Signs the last coupon and Q:
SignU (W0U , Q) = skU [H(W0U , Q)]
U → B: W0p , Q, 2n,W0U , SignU (W0U , Q),CertU
issueCoupons. B follows the next steps:
Verifies if SignU (W0U , Q) is valid

U’s account must meet balance
Q, otherwise
deny
Generates the coin C = W0P ,W0U , 2n, τexp
B.Q (C) = skB.Q [H(C)]
Signs the coin Sign
Compose C∗ = C, SignB.Q (C)
B → U: C∗
storeCoupons. U follows the next steps:
Verifies if C∗ is correct
Stores C∗
U builds a hash chain using a seed element obtained randomly (WMU ), applying recur-
sively 2n times a hash function, where n is the number of requests to the LBS allowed
by the chosen package. With this process, U obtains 2n + 1 chained elements. After U’s
identification in front of B, U sends the signature over the last digest of the chain (W0U ),
the amount of money requested (Q), the number of coupons (2n) and P’s identifier (W0P ).
Then, B should check the correction of the received elements. If they are valid and the
balance of U’s account is enough, B builds the element C∗ and B sends it to U, who stores
it.
11.5.5 Transfer
The transfer subprotocol (Table 11.4) is an offline protocol because only involves U and
P, without the participation of B. U can execute this subprotocol while the coin is valid,
so while τ < τexp . This subprotocol defines a three step fair exchange scheme between a
request (together with a coupon) and the location-based response. To accomplish the fair
exchange, we divide the elements of the hash chain into two groups (see Table 11.5):
• elements of the first group will be called payment coupons. They have monetary value
and an odd index.
• elements of the other group will be called proof coupons. They are used together with
the payment coupons and validate them. They have an even index.
Each payment coupon (WiU ) is related to a proof coupon (W(i+1)U ). Then, U sends the
coupons in pairs for each request/response cycle so the reception of a payment coupon by
P is not enough for him to do a deposit in B, because he needs to know the related proof
coupon.
Table 11.4 Transfer Subprotocol
makeRequest. U follows the next steps:

R R
Picks KS ← Zq and y ← Zq
Computes Z1 = gy and Z2 = KS · hy
Builds the request req(lat, long) = [(lat, long), question]
Encrypts the request reqKS = EKS [req(lat, long)]
Encrypts the coupon cpayKS = EKS [WiU ]
U → P: Z1 , Z2 , reqKS , cpayKS ,C∗
verifyRequest. P follows the next steps:
Recovers the session key: KS = Z2 · Z1−x = KS · gxy · g−xy

Decrypts the received coupon: WiU = DKS [cpayKS ]
Verifies that τ < τexp
Verifies the signature of C∗
Checks multiple uses:
IF (i j) → reuse: P sends deny message
ELSE continue
?
Verifies the received coupon H (i− j) (WiU ) = W jU
Stores in the BBDD (i,WiU ,C∗ )
Decrypts received reqKS : req(lat, long) = DKS [reqKS ]
Searches in the location BBDD to built answer
Computes res(lat, long) = [H(req(lat, long)), answer]
Encrypts the response resKS = EKS [res(lat, long)]
P → U: res
sendProof. U follows the next steps:
Decrypts res(lat, long) = DKS [resKS ]

Extracts the proof coupon: W(i+1)U
Encrypts the proof coupon cproo fKS = EKS W(i+1)U
U → P: cproo fKS
verifyProof. P follows the next steps:
Decrypts W(i+1)U = DKS [cproo fKS ]

?
Verifies H W(i+1)U = WiU

Stores i + 1,W(i+1)U ,C∗
Table 11.5 Built of coupons chain
Element M = 2n + 1 coupons
2n coupons for transfer subprotocol Last identifier
Hash
WMu W(M−1)u W(M−2)u ... W(i+1)u Wiu ... W3u W2u W1u W0u
chain
Payment
W(M−1)u ... Wiu ... W3u W1u
coupons
Proof
WMu W(M−2)u ... W(i+1)u ... W2u
coupons
U uses KS as a symmetric key which is exchanged using ElGamal key exchange scheme
in order to ensure the privacy of the communication between U and P. This key will be
renewed for each new coin issued or after a period of time. Then, U encrypts his request
with KS and he sends it together with the coin to P. Then, P checks the request and verifies
if the coin is valid and not expired and the correctness of the received coupon. To do this, P
compares the index of the received coupon (i) with the previous coupon index ( j). If i j
P detects an attempt of reuse and P sends a deny message to U. P will deny the service
to U until U sends the related proof coupon or an unused payment coupon with a higher
index. Otherwise, if the elements received are correct, P stores in his database the received
coupon, its index and the coin C∗ . Then P decrypts and answers the request and he sends
the response encrypted to U. Then, U must send the proof coupon W(i+1)U to P. Finally, P
verifies if the proof coupon is correct and stores it in his database. Otherwise, P will deny
the service to U.
Table 11.6 Deposit subprotocol.
requestDeposit. P follows the next steps:
Builds the request r = (C∗ ,W1P ,WkU , k)

Encrypts the request: pkB (r)
P → B: pkB (r),CertP
doDeposit. B follows the next steps:
Verifies that τexp < τ < τd

?
Checks secret proof of P: W0P = H(W1P )
IF (k j) → reuse: P sends deny message
ELSE continue
?
Checks coupon H (k− j) (WkU ) = W jU
Deposits in the P’s account the value of the coupons
depending if (k − j) is:
k− j
even then P deposits 2 coupons
k− j−1
odd then P deposits 2 coupons
11.5.6 Deposit
The deposit subprotocol (Table 11.6) allows P to exchange the received coupons from
users for a deposit in his account in B. P can deposit coupons although he has not received
the whole coupon chain and if the current time accomplishes that τexp < τ < τd . In order
to make a deposit, P must show his secret proof W1P which proves that P is the intended
receiver. P also has to show the last received proof coupon (WkU ), the corresponding index
(k), the coin (C∗ ) and also any element for his identification against B. Then, B checks the
correctness of the request, verifies if the secret proof of P is authentic and also B verifies if
P tries to do a multiple deposit if k j. If the verification is valid, B can deposit the value
k− j k− j−1
of 2 coupons if the number of coupons is even, or 2 if the number is odd in P’s
account. We divide the number of coupons by 2 because only half of the received coupons
have monetary value (the payment coupons).
Table 11.7 Refund subprotocol.
requestRefund. U follows the next steps:
Builds the request r = (C∗ ,WiU , i)

Encrypts the request: pkB (r)
U → B: pkB (r),CertU
doRefund. B follows the next steps:
Verifies that τd < τ < τr

IF (i j) → reuse: P sends deny message
ELSE continue
?
Checks coupon H (i− j) (WiU ) = W jU
Refunds in the U’s account the value of the coupons
depending if (i − j) is:
i− j
even then P refunds 2 coupons
i− j−1
odd then P refunds 2 coupons
11.5.7 Refund
The refund subprotocol (Table 11.7) is almost the same as the deposit subprotocol and
allows U to refund the unused coupons in his bank account. This subprotocol can only be
executed during the period of time τ2 , i.e., τd < τ < τr . If all the verifications are correct,
B refunds the value of the requested coupons to U’s account.
11.6 Informal Analysis of Properties
In this section we carry out an informal analysis of security and performance aspects of
the proposed protocol.
11.6.1 Analysis of Security Properties
We begin with a security analysis in order to prove that our proposal meets the security
requirements.
U IS ANONYMOUS AGAINST P. The communications between U and P with B cannot

be anonymous, because customers should be authenticated in order to access their bank
accounts. Instead, U is anonymous when he interacts with P through transfer subprotocol.
Neither the coin nor the coupons have any kind of user identification, so P cannot deduce
the identity of U.
T HE SYSTEM IS JUST N- LINKABLE . The payments made with coupons of the same
coin are linkable because they are related with the same element W0U . However, either the
provider or any intruder cannot reveal the identity of the user who made the payment. Pro-
viders can build a payment history, but never can link payments sent to different recipients.
The system linkability could be controlled by the coupon chain length 2n.
T HE SCHEME IS UNTRACEABLE UNLESS A COLLUSION BETWEEN B AND P. The pay-

ments can be traced by B, because B can know where U had spent his coin in the deposit
and refund subprotocol. However, neither B nor P can build a complete user profile. Only
if B colludes with providers they could make a complete user profile and in the current
proposal it is not possible since B is a trusted party who does not reveal any information
about users. We are working to improve this property in the next version of the scheme.
T HE EXCHANGE BETWEEN A MICROPAYMENT AND THE LOCATION RESPONSE IS

FAIR . In the transfer subprotocol, a micropayment is exchanged for a service. Some trou-
ble situations could arise which can affect the fairness of the exchange.
Case 1: P maliciously does not send the location response in the second step. P damages
himself because he cannot do a deposit in B since he only has the payment coupon. U does
not send the proof coupon if U does not receive the location response from P.
Case 2: U does not send the proof coupon in the third step. U has the desired location
response and P does not have the proof coupon, so P is in disadvantage against U. In this
case, P will reject the service to the following requests made by U until U sends the proof
coupon or a new payment coupon with a higher identifier. P can only loss one coupon in
the worst situation (the last coupon). It is assumable because each coupon has a low value.
Even if P losses a coupon, P will be able to deposit the other received coupons until the
last one.
U SER PRIVACY IS ACHIEVED . The privacy of the messages exchanged between U and P
is assured by the use of a shared key KS which is only known by U and P, because this key
has been exchanged securely using a key exchange protocol. P knows the location data of
U because P must know this information in order to provide a good service. P could build
a location history of U, but always will be limited by the N-linkability of the coupons of a
single coin, but P never will be able to discover the identity of U, that is, he cannot link the
profile with an identity.
T HEFT OF COINS OR COUPONS IS NOT POSSIBLE . Coins and coupons cannot be stolen
because each coupon is protected with a secure symmetric key and they are only revealed
one by one. If a theft of the whole coin is intended, the attacker cannot deposit the coin
without knowing the secret proof W1P , which is only known by P.
T HE SCHEME PREVENTS A DOUBLE SPENDING . P and B maintain a tuple (i,WiU ,C∗ )

for all valid and unexpired coins. When P receives a new coupon from U in the transfer
subprotocol, P stores it and increases the new index. Then, P prevents a double spending
if U tries to use a coupon with an index less or equal than the index stored in the database
of P. If it happens, P will deny the service to U. Although the reuse can be detected and
avoided, this process does not reveal the identity of the user.
In the deposit and refund subprotocols, the reuse prevention is similar, because B also
maintains a list of valid and unexpired coins with the index of the last deposited coupon.
The comparison between current and previous indexes allows B to prevent double spending
as P does. In the deposit subprotocol the user identification is automatic, because only the
intended P can deposit the coin with the knowledge of his secret proof.
T HE SYSTEM PROTECTS FROM FORGEABILITY. The coin forgery is not possible because
the coin creation requires the knowledge of B’s private key for the quantity Q applied for.
T HE SYSTEM AVOIDS OVERSPENDING . When withdrawal subprotocol is executed, due

to the fact that it is based on a debit system, B decreases the amount of money of U’s
account. So it is not possible that a customer spends more money than the balance of his
bank account.
T HE SCHEME ALLOWS U TO ASK FOR A REFUND . The definition of three temporal

periods for the transfer, deposit and refund subprotocol allows users to spend partially the
service packages. It also avoids U to lose unused coupons. The separation between the
refund and deposit gaps disallows the case where U could ask for the refund of a set of
already used coupons but not yet deposited by P.
11.6.2 Analysis of Efficiency
In this section we expose a brief study about the protocol efficiency based on the storage
and computational costs of the parties involved in the protocol. It shows that the scheme is
very efficient.
All the parties (U, B and P) need to store in their systems the signed coin issued
by B in the withdrawal subprotocol. This element is C∗ = (C, SignB.Q (C)) where C =
(W0P ,W0U , 2n, τexp ). It contains two hash strings (size LH bits), one integer (size LI bits),
one timestamp (size LT bits) and one signature (size LS bits), so we define the storage as:
size(coin) = 2LH + LI + LT + LS bits
If we suppose we are using RSA signature scheme with key size of 1024 bits, SHA-1 as
the hash function that outputs 160 bit strings, a timestamp as an integer of size 40 bits and
finally an integer of 10 bits, we have that the element size is:
size(coin) = 2 · 160 + 10 + 40 + 1024 = 1384bits = 173Bytes
Then, the size of the hash chain could be defined as:
size(chain) = LH · coupons
If the number of coupons is 1024, U needs to store:
size(chain) = 160 · 1024 = 163840bits = 20480Bytes
So, the user has to keep 20480 bytes for the whole hash chain and 173 bytes for the signed
coin so the total is around 20.2KiB for each coin. On the other hand, P and B need to store
173 bytes for each valid and unexpired coin. Then, as it shows, the storage cost is very low.
Besides the storage costs, the computational cost is analyzed. It shows that the protocol
has low computational cost due to the use of hash functions and hash chains.
In the withdrawal subprotocol, U builds the hash chain of length 2n + 1 applying 2n
times a hash function over a random element. It also needs public key cryptography to
authenticate U against B. This subprotocol is only executed when U needs a new coin and
U does not need to execute it until U spends n coupons to the service provider.
The transfer subprotocol needs only symmetric encryption to protect messages. The ver-
ification process only needs integer comparison and limited application of hash function
over coupons. This subprotocol does not use public key cryptography, and it is important
because the transfer subprotocol is executed n times for each coin.
The deposit and refund subprotocols need public key cryptography in order to authenticate
parties. They also need a limited number of applications of hash function and an integer
comparison. The deposit subprotocol is executed when P requests a deposit and the refund
subprotocol is executed when U requests a refund. Each subprotocol will be executed few
times respect to n.
11.7 Conclusions
In this chapter we have described the first anonymous, efficient and secure protocol to
access location-based services subject to payment. The protocol uses the idea of micropay-
ment schemes where the payment have been made using a fair exchange protocol (there is
an exchange of a coin against a LBS service). The depicted scheme ensures the privacy of
location data exchanged between parties, so the user is not afraid of the risk to disclose her
private data. The user could act anonymously when he is talking with the LBS provider,
because the access to this provider does not need any kind of user identification. Further-
more, the user has the possibility to refund the coins that are not spent, so users have not the
risk to lose money. Finally, at the end of the chapter, an informal analysis of the protocol
properties has been included.
The future improvements of such schemes have to be in the direction of making protocols
with untrusted and verifiable banks in order to accomplish the untraceability property (un-
trusted and verifiable Trusted Third Parties are defined by Mut et al. [19]). Another main
target will be the improvement of the privacy between users and providers through the
study of techniques based on PIR [7] or real location obfuscation methods [11]. Moreover,
we wish to propose new schemes for other kind of location-based services, as for example,
applications to warn about broken protective orders with high requirements of privacy or
about real traffic conditions. Finally, we are starting to implement the described scheme
over a real environment based on the new mobile Android Platform [8].
Acknowledgement
This work is partially supported by MEC and FEDER under projects CICYT TSI2007-
62986 and ARES-CONSOLIDER INGENIO 2010 CSD2007-004.
Bibliography
[1] K. Chaudhary, X. Dai, and J. Grundy. Experiences in Developing a Micro-payment System for
Peer-to-Peer Networks. International Journal of Information Technology and Web Engineering,
5(1):23–42, 2010.
[2] T. Elgamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms.
IEEE Transactions on Information Theory, 31(4), 1985.
[3] A. Esmaeeli and M. Shajari. MVPayword: Secure and efficient Payword-based micropayment
scheme. In Second International Conference on the Applications of Digital Information and
Web Technologies. ICADIWT ’09, pages 609–614, 2009.
[4] L. Fan and J. Liao. Discrete micropayment protocol based on master-slave payword chain. The
Journal of China Universities of Posts and Telecommunications, 14(1):58–84, 2007.
[5] Foursquare. http://www.foursquare.com.
[6] B. Gedik and L. Liu. A Customizable k-Anonymity Model for Protecting Location Privacy.
Technical report, Georgia Institute of Technology, 2004.
[7] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan. Private queries in location
based services: anonymizers are not necessary. In Proceedings of the 2008 ACM SIGMOD
international conference on Management of data, SIGMOD ’08, pages 121–132, New York,
NY, USA, 2008. ACM.
[8] Google. Android Platform http://www.android.com.
[9] Google. Google Latitude http://latitude.google.com.
[10] Google. Google Maps http://maps.google.com.
[11] M. Gruteser and D. Grunwald. Anonymous Usage of Location-Based Services Through Spatial
and Temporal Cloaking. In MobiSys ’03: Proceedings of the 1st international conference on
Mobile systems, applications and services, pages 31–42, New York, NY, USA, 2003. ACM.
[12] J. Hao, J. Zou, and Y. Dai. A Real-Time Payment Scheme for SIP Service Based on Hash
Chain. In IEEE International Conference on e-Business Engineering, 2008. ICEBE ’08, pages
279–286, 2008.
[13] M. Hosseinkhani, E. Tarameshloo, and M. Shajari. AMVPayword: Secure and Efficient Anony-
mous Payword-Based Micropayment Scheme. pages 551–555. IEEE Computer Society, 2010.
[14] Y.-S. Jeong, N. Sun, and S.-H. Lee. IPTV Micropayment System Based on Hash Chain Using
RFID-USB Module. In IEEE 34th Annual Computer Software and Applications Conference
(COMPSAC), pages 155 –160, july 2010.
[15] N. Jiang, X.-d. Liu, J.-y. Zhao, and D.-l. Yang. A Mobile Micropayment Protocol Based on
Chaos. In Proceedings of the Eighth International Conference on Mobile Business. ICMB 2009,
pages 284–289, 2009.
[16] K. S. Kadambi, J. Li, and A. H. Karp. Near-field communication-based secure mobile payment
service. In Proceedings of the 11th International Conference on Electronic Commerce, ICEC
’09, pages 142–151. ACM, 2009.
[17] J. Kytöjoki and V. Kärpijoki. Micropayments - Requirements and solutions. Proceedings
of the Helsinki University of Technology, Seminar on Network Security, Security in Elec-
tronic Transactions, 2000. URL: http://www.tml.tkk.fi/Opinnot/Tik-110.501/1999/
papers/micropayments/.
[18] L. Liu. Privacy and location anonymization in location-based services. SIGSPATIAL Special,
Volume 1, Issue 2 (July 2009), pp. 15–22, 2009.
[19] M. Mut-Puigserver, J. Ferrer-Gomila, and L. Huguet-Rotger. Certified e-mail Protocol with
Verificable Third Party. In IEEE International Conference on e-Technology, e-Commerce and
e-Services, 2005 (EEE’05), pages 548–551, 2005.
[20] Q. Nguyen. Multi-Dimensional Hash Chains and Application to Micropayment Schemes. In
Coding and Cryptography, volume 3969 of Lecture Notes in Computer Science, pages 218–
Bibliography 247
228. 2006.
[21] I. Papaefstathiou and C. Manifavas. Evaluation of Micropayment Transaction Costs. Journal of
Electronic Commerce Research, 5(2):99–113, 2004.
[22] M. Payeras-Capellà, J. Ferrer-Gomila, and L. Huguet-Rotger. An efficient anonymous scheme
for secure micropayments. In Web Engineering, volume 2722 of Lecture Notes in Computer
Science, pages 227–246. 2003.
[23] R. Rivest and A. Shamir. PayWord and MicroMint: Two simple micropayment schemes. In
Security Protocols, volume 1189 of Lecture Notes in Computer Science, pages 69–87. 1997.
[24] C. Schmidt and R. Müller. A framework for micropayment evaluation. NETNOMICS, 1:187–
200, 1999.
[25] Twitter. http://www.twitter.com.
[26] J. Tygar. Atomicity in electronic commerce. 15th annual ACM Symposium on Principles of
Distributed Computing, pp. 8–26, 1996.
[27] F. Wang, W. Dong, and Y. Ji. A New Credit Based Micropayment Scheme. pages 596–601,
2008.
[28] H. Wang, J. Ma, and J. Sun. Micro-payment Protocol Based on Multiple Hash Chains. In Sec-
ond International Symposium on Electronic Commerce and Security, 2009. ISECS’09., vol-
ume 1, pages 71–74, 2009.
[29] X. Zhao, Y. Lv, and W. He. A Novel Micropayment Scheme with Complete Anonymity. Inter-
national Symposium on Information Assurance and Security, 1:638–642, 2009.
Chapter 12
Privacy Preserving with A Purpose-based

Privacy Data Graph
Yuan Tian, Biao Song, Eui-Nam Huh1

Department of Computer Engineering, Kyung Hee University Global Campus, South
Korea
E-mail: {ytian, bsong, johnhuh}@khu.ac.kr
Privacy issue is receiving a great deal of attention since the need of privacy is increasing
and new threats are emerging. The growing concern of users for their personal information
has made it critical to implant effectivetechnologiesforprivacy anddata management. A
common way for privacy preservation is restricting access to data like the classic Role-
based Access Control (RBAC) Model. But the RBAC is limited as it does not provide
users enough flexibilities and functionalities. In order to minimize the disclosure of data
and support higher flexibilities for users to manage their privacy information, this paper
provides a privacy data graph based on the traditional RBAC model toillustrate the linkage
between data elements. Moreover, the notion of purpose is added to specify the intended
usage of data and allow users to set personal privacy preferences through purpose. A case
study in the healthcare domain is provided. As our model is generic, it can be also adapted
to other fields. Adetailed view of our proposed privacy system withexperimental result is
provided.
12.1 Introduction
In the last few years, privacy has been acknowledged as a very important issue in many
fields. It is not surprising that a great deal of attention by customers, enterprises and re-
searchers have been paid to privacy as their needs for data protection are increasing and new
threats are emerging. Privacy is particularly critical because we must consider privacy first
before the implement process, thus avoid expensive errors in the deployed system (Guarda
et al., 2009).
1 Corresponding Author

The concept of privacy is defined by (Westin, 1967) as “the claim of individuals, groups or
institutions to determine for themselves when, how, and to what extent information about
them is communicated to others”. However, most of the time, privacy is far more than
the individual’s desirable to control. A survey in Federal Trade Commission (FTC, 2009)
shows that nearly all web sites collect users’ names, mobile numbers and other identifying
information, which induce potential discloser of users’ personal information.
The privacy threat in patient records posed by healthcare industry is a key concern. A
survey in LA Times (Judy, 2006) shows that in a hospital roughly 150 people (includ-
ing doctors, nurses, technicians and billing clerks) have at least part of access to patient’s
records during a hospitalization. The National Academy of Sciences report points out, the
health care industry in 1996 spent almost $10 to $15 billion on creating electronic records
systems and converting conventionally stored data to electronic formats (US Secretary’s
Advisory Committee, 1973). Compare with the paper record, Electronic Medical Record
(EMR) or Electronic health record (EHR) presents new threats for the characteristicăof
wide distribution.
In the hospital system, there are some special characteristics we need to notice. The main
features are discussed below:
– Associated release may be raised after certain data is disclosed. For instance, from the
menu for a patient we can speculate what disease he may contract.
– Data can be requested through role-level or user-level. A doctor may need data from
all the users under a “patient” role for a medical experiment, or just requests single
personal information to diagnose a specific patient.
A hospital is quite different from other scenarios like social networks or business process
as some treatments/services are only provided at the expense of users’ sensitive data dis-
closure. For example, a patient has to give his medical history or even family pedigree, if
his doctor needs, during a diagnosis of a heart disease. So in the healthcare system, users
have to commit some data access request but have the right to know who can access what
information about them is being disclosed.
In this chapter, a privacy data graph is applied to healthcare domain to preserve patient
privacy and at the same time, ensure the quality of their medical care. As some vulnerability
may be raised after certain sensitive data is disclosed, with the help of privacy data graph,
our proposed system can avoid privacy data breaches caused by related privacy data access.
The proposed privacy system introduced in this chapter has the capabilities to:
Privacy Preserving with A Purpose-based Privacy Data Graph 251
(1) Properly express access policy by graph, which not only describes the data access pol-
icy, but also illustrates the direct-linkages and indirect-linkages between data elements.
Moreover, the disclosure of linkages and further data disclosure caused by these link-
ages can be reflected in our graph.
(2) Support RBAC (He, 2003). Our system allows role-administrators to assign necessary
role-level data access permissions. This, undoubtedly, simplifies the specification and
management on individual users, especially in the case of large number of users.
(3) Provide Role-level purpose and personal-level purpose are provided to specify the in-
tended usage of privacy data.
(4) Allow users to set privacy preferences (Lederer, 2003) by adding, deleting or modifying
some data in the proposed privacy data graph when access purposes are required to their
data.
(5) Permit further detection and modification if uses’ preferences have conflicts with the
one defined by system administrator. With such capabilities user can declare their
privacy preferences more accurately and flexibly.
The remainder of this chapter is organized as follows. Section 12.2 discusses the back-
ground and relevant work. Section 12.3 presents our proposed model and some basic def-
initions and notions are expressed. The main algorithms are presented in Section 12.4 and
the experimental results are shown in Section 12.5. The last section is conclusions.
12.2 Background
Our research is related to many areas of privacy protection. Accordingly, in this section
we briefly review related issues which motivate our work.
12.2.1 Privacy Principles & Policies
Privacy policy is a set of legal regulations that define some or all of the ways in which a
party retains, processes, discloses and purges their customer’s data (COPPA, 2009). The
contents of a privacy policy depend on the applicable laws. Government agencies in differ-
ent countries enact a series of guidelines, principles and laws, among which is the widely
accepted privacy legislation concerning fair information practices. The notion of Fair In-
formation Practice (FIP) was initially proposed (FIP, 2009) in a 1973 report by the U.S.
Secretary’s Advisory Committee on Automated Personal Data Systems. FIP is a general
term used to describe a set of standards that addresses privacy issues. Different commit-
tees and countries use their own terms to describe these issues, for example, in the U.K.
they use the term “Data Protection”, the European term is “Personal Data Privacy”, and the
Organization of Economic Cooperation and Development (OECD) has written guidelines
about the protection of privacy and trans border flows of personal data (OECT, 2009). The
core principles of FIPare as follows:
1. Notice/Awareness: consumers should be given notice of an entity’s information prac-

tices before any personal information is collected from them.
2. Choice/Consent: it is not enough for an entity to just announce that they are collecting
data, explicit consent from the data subjects is also required by the collectors.
3. Anonymity and Pseudonymity: these principles offer a number of choices so that those
subjects who wish to remain anonymous can do so and they also enable the legal col-
lection of data without requiring user consent.
4. Access and Participation: this principal refers to an individual’s ability to both access
his or her data and to question that data’s accuracy and completeness.
5. Purpose Specification: the purposes for personal data collection should be specified
prior to data collection and the subsequent use should be limited to the fulfillment of
those purposes or other purposes that are compatible with the original purposes. The
subjects should be notified of each change in purpose.
12.2.2 RBAC
Role-based Access Control (RBAC) (Sandhu et al., 1996; Ferraiolo et al., 2001; Ferraiolo
et al., 1992) was the primary concept from previous studies that we took into consideration
for this study.
RBAC was proposed by (Ferraiolo et al., 1992) to ensure that certain data or resources
could only be accessed by authorized users. The RBAC models are widely used in the
healthcare field (Martino et al., 2008), because the typical hospital roles (patient, doctor,
nurse, etc.) can be used to describe the hospital scenario quite clearly. The classic RBAC
system is illustrated in Fig. 12.1. The roles are created by the system administrator to
represent a specific task competency which determines what types of resources each role
can access. Individual users are assigned to certain roles according to their job functions.
Each role is associated with a set of permissions. A many-to-many mapping exists between
users to roles and roles to permissions.
Fig. 12.1 RBAC Model
12.2.3 User Privacy Preference
Most people will readily proclaim a desire about how to control their privacy although
they usually have little experience articulating a comprehensive set of privacy preferences
or rules for a user agent (Bresciani et al., 2004; Proctor, 2007). Many works proposed meth-
ods which facilitates users to set their privacy preferences. In (Cranor et al., 2006), users
could use a 5-point scale to express their privacy preferences for the data analysis where 5
equals to “strongly agree”? and 1 equals to “strongly disagree”. The Netscape interface of-
fers prepackaged high, medium and low settings that result in the automatic selection of the
corresponding custom settings. (Bodorik, 2008) proposed a Consistent Privacy Preferences
(CPP) model for circumstances in which requests and preferences are formally defined in
order to provide a simple and efficient method for managing user privacy preference rules.
The technology that is most relevant to privacy preference is the Platform for Privacy
Preferences (P3P) (Agrawal et al., 2003; Yu et al., 2004; Cranor, 2003), which is based
on the World Wide Web Consortium (W3C) (W3C, 2009; W3C draft, 2002) platform for
privacy protection. As a browser side technology, P3P ensures that users are automatically
informed about a website’s privacy policy so that they can compare the policy with their pri-
vacy preferences. At the same time, a P3P Preference Exchange Language (APPEL) (W3C
Working Draft, 2002) was used to describe the collections of preferences with regard to
the P3P policies. However, problems are encountered when using APPEL; for instance,
users cannot directly specify what is acceptable in a policy, and it is difficult to express
their simple preferences. An XPath-based privacy preference language (XPref) (Agrawal
et al., 2003) is an alternative which was explored by Agrawal to overcome the drawbacks
of P3P and APPEL, as it includes the full functionality of APPEL. However, XPref cannot
solve all of the problems with APPEL because it is still a syntax-based preference lan-
guage. Therefore, (Yu et al., 2004) defined formal semantics to specifically identify the
relationships between the components of the P3P.
12.2.4 Purpose
Information is collected and processed for a specific purpose. A purpose fills a key role in
data management by setting a data processing boundary in order to control the intended data
usage. According to the specification and generalization policies (E. Bertino et al., 2005;
Byun et al., 2005; Byun et al., 2008) proposed a hierarchical structure for organizing a set
of purposes in a purpose tree in order to simplify data management. For example, multiple
purposes can be represented by a more general purpose. However, not every company in
the business field can provide all of the required services, therefore they have to delegate a
portion of the purposes to third parties. (Agrawal et al., 2002) proposed a partial solution
by separating one generic purpose into more specific purposes and then storing them in the
Hippocratic database. The purpose is stored in the database as an attribute which specifies
the reasons for which a piece of information can be used. However, Agrawal’s proposed
method does not reflect the logical relation between the purpose and its sub-purposes. The
mechanism of Hippocratic database was expanded upon by (Massacci et al., 2006), who
used goal-oriented approaches (Bresciani et al., 2004) to organize purposes into AND/OR
tree hierarchies by modeling and analyzing the purposes. These approaches assumed that
“customers should be able to understand how their personal data will be used and, if they
agree with the use, to disclose the data”. In other words, an AND-decomposition defines
the process of achieving a purpose, and an OR-decomposition defines alternatives methods
for achieving a purpose.
12.3 Proposed System
The work flow diagram of our proposed system is presented in Fig. 12.2. There are five
major phases in the system. The first two phases belong to role level and the last two belong
to personal level. The middle phase is used to transform role level to personal level.
Fig. 12.2 The Work Flow Diagram of Proposed System
12.3.1 Basic Concepts
In this section, we first introduce some basicconcepts and notations. Then based on a
hospital scenario we explain each phase in the diagram to makesure readers can understand
our system very well.
Definition 12.3.1 (Role). Let R = {ri | i = 1, 2, . . . , l} be the set of roles in our system
where each ri ∈ R denotes a specific role that any user can take.
Definition 12.3.2 (Privacy data graph). Let Di = (V, A) be the privacy data graph of
role ri .
A privacy data graph comprises a set of vertices V = {v j | j = 1, 2, . . . , m} together with a
set of arcs (directed edges) A = {ak | k = 1, 2, . . . , n}. In Di , let V be the set of privacy data
elements of ri . v j ∈ V indicates data element j. Meanwhile, let A be the set of linkages
between the data elements of ri . For any ak ∈ A, ak = (vx , vy ) is considered to be directed
from vx to vy where vy is called the head of ak and vx is called the tail of ak . In our system,
ak indicates the relevance between two data elements vx and vy .
We give an example of privacy data graph shown Di in Fig. 12.3. Suppose role ri is
“Patient”. In the tree hierarchy structure, leaf nodes are data elements of ri which can be
“Name” or “ID”. Other nodes represent higher classified elements defined by data hierar-
chy. Thearcsin this graph indicate the linkages between two data elements, like the arc
between “ID” and “Name”.
Fig. 12.3 The Privacy Data Graph D p of the Patient
Definition 12.3.3 (Role level purpose). Givena pair of roles ri , ri , Pii = {ph | h =
1, 2, . . . , g} denotes ri ’s role level access purposes to ri . Each ph ∈ Pii contains access
permission with a set of vertices V ph (denotes data elements) and a set of arcs Aph (de-
notes revealed linkages).
Definition 12.3.4 (Access policy graph). A weighted privacy data graph Dii denotes ri ’s
privacy data access policy for ri .
Let w(v j ) and w(ak ) be the weight of v j and ak , respectively. The value of w(v j ) and
w(ak ) can be chosen from {0, 1}. w(v j ) = 0 denotes that the data elements indicated by v j
cannot be accessed and w(v j ) = 1 means it can be accessed. For w(ak ), the value of w(ak )
denotes whether the linkage indicated by ak is disclosed or not. Di is the graph which sets
the weights of all vertices in Di as “0” to denote initial prohibition to any data access. Dii
is a combination of Di and Pii . The procedure of combination is shown as follows:
Suppose V Pii = {∪V ph | ph ∈ Pii } and APii = {∪Aph | ph ∈ Pii }. Set w(v j ) = 1 in Di if
v j ∈ V Pii , and set w(ak ) = 1 in Di if ak ∈ APii . After checking potential data disclosure in
Di , let Di be the weighted privacy data graph Dii .
Definition 12.3.5 (Personal level purpose). Given a pair of roles ri , ri , Pii = {ph | h =
1, 2, . . . , g }, denotes ri ’s personal level purposes to ri . Each ph ∈ Pii contains access
permission with a set of personal data elements V ph . Individual user of ri is allowed to
give consent or rejection to any personal level purpose. These consents and rejections
represent personal privacy preference.
Definition 12.3.6 (Personal data access state). Given a pair of roles ri , ri and a pair of
users ua , ub where takes ua role of ri and ub takes role of ri . The state of personal data
access PV ua , ub illustrates which data elements of ua are disclosed to ub .
For any pvi ∈ PV ua , ub , w(pvi ) = 1 denotes ub can access ua ’s personal information
indicated by pvi . w(pvi ) = 0 denotes ub cannot access the information. Let PVii be the
default state for personal data disclosure between ri and ri . P ua , ub is a set of access
purpose ua consents to ub . By combining P ua , ub and Vii , we can get PV ua , ub .
12.3.2 System Design Phase
Let r p and rd bethe Patient and Doctor, respectively. The weighed privacy policy graph
Dp in Fig. 12.4 is built from the D p in Fig. 12.3.
Fig. 12.4 Patient’s Initial Weighting Privacy Data Graph Dii
Dp represents initial state of patient’s personal information in the system. We suppose no
data access is permitted in the initial system design phase so all the data elements are set
to “0”. But the inherent tree hierarchy linkages and associated linkages like the relevance
between “Pathography” and “Medication” still exist. Thus the weights on such linkages
are set as “1” and others are set as “0”.
Table 12.1 Role Level Purpose Set Ppd

Purpose Description Revealed Data Elements Revealed Linkages
Medication Analysis “Medication” —
Checking Payment — ( “ID” , “Payment” )
Medication-Menu “Medication” ( “Menu” , “Medication” )
Analysis “Menu” ( “Medication” , “Menu” )
12.3.3 Role Level Design Phase
The access purpose could contain both the wanted data elements and the relevancebe-
tween such data elements. We give three instances to explain the different types of access
purposes in Ppd , which are shown in Table 12.1.
The first one is getting data elements only. In the scenario of a hospital, doctor may need
large number of medical data from patients to do some medical experiments. This kind of
access purpose like “Medication Analysis” can be realized by querying “Medication” from
corresponding database table. So this access purpose gets all the “Medication” information
from the data subjects who take Patient role.
Another kind of purpose can not be realized by getting data elements directly. Instead,
it needs the linkage between data elements. Like the example shown in Table 12.1, the
purpose “Checking Payment” needs the linkage between “ID” and “Payment”. Only the
doctor who is permitted to access patients’ “ID” can get their corresponding “Payment” by
using this access purpose.
The third type of purpose is getting both the data elements and linkages. For example, if
a doctor wants to analyze whether patients’ menus are influenced by their medications (we
assume k-similar problem (Sweeney, 2002) exists between “Menu” and “Medication”),
he/she has to get all “Medication” information as well as “Menu” from patients. At the
same time, the linkages between patients’ “Menu” and “Medication” are also revealed.
After analyzing the description of purpose, we add data elements and linkages which are
disclosed in the access purpose to the original Dp . The final Patient-Doctor Access policy
graph D pd is presented in Fig. 12.5. It is easy to notice that “Pathography” is also marked
as “1” for thedisclosure from “Medication”.
12.3.4 Transforming Phase
The transforming graph in Fig. 12.6 contains all the arcs in Fig. 12.5, and also, these arcs
retain the same weights as D pd .
Fig. 12.5 Patient-Doctor Access Policy Graph D pd
Fig. 12.6 IntermediateGraph Transformed from D pd .
If a personal relationship is established between a data subject and a data requester,

w(“ID”) should be set as “1” for other personal information in this graph should be queried
by this ID information.
By the checking algorithm, we find the “Payment” information is disclosed by “ID” and
set w(“Payment”) to “1”. After that, we remove all the arcs in Fig. 12.6 and get initial state
of personal data access graph PVii , which is shown in Fig. 12.7.
Fig. 12.7 Initial Personal Data Access Condition PVii
Table 12.2 Personal Level Purposes

Purpose Description Revealed Data Elements
Diet Therapy “Menu”
Personal Medical Archive “Illness Information”

“Name”
12.3.5 Personal Level Design Phase
Because access purposes in personal level do not include any data linkages, only the data
elements are required. Table 12.2 shows examples of personal level purposes which are
included in Pii . If a doctor wants to provide diet therapy to one of his/her patients, the
doctor should ask for “Menu” from this patient. Another example is the establishment of
personal medical archives, which requires both personal “Illness Information” and “Name”.
Assume a patient consent the access purpose for diet therapy from his doctor. It seems
that only “Menu” information will be disclosed. However, from Fig. 12.8 we can see that
both “Pathography” and “Medication” would be potentially disclosed to the doctor. So by
this kind of detection, patient can realize potential data disclosure and reconsider about his
previous consent.
12.4 Algorithms and Pseudo Code
The Pseudo Code and annotation of two main algorithms in our system are presented as
follows:
Fig. 12.8 Personal Privacy Preference
12.4.1 Detection algorithm in role specification
In this algorithm, the input contains a privacy graph D and one or many changed nodes
in V . If the access policy of one arc is changed, it can be easily converted to the changing
for its head’s node and then our detection algorithm can be applied. Furthermore, we only
focus on disclosure case in which each modified vi in V is going to be disclosed rather than
blocked. Graph traversal process from modified nodes is used in this algorithm. The output
of this algorithm contains two sets, node confliction set and the node disclosure set. Pseudo
code and annotation is clearly presented in Fig. 12.9:
Fig. 12.9 Conflict and Data Disclosure Detection Algorithm

12.4.2 Privacy Preference Conversion Algorithm
In this algorithm, the input contains privacy graph D. Graph traversal process from the
Name node is used in this algorithm. The output of this algorithm contains personal data
privacy preference PV . Pseudo code and annotation is presented in Fig. 12.10:
Fig. 12.10 Personal preference conversion Algorithm
12.5 Comparison
The main goal of our experiment is to investigate the performance of our approach by
comparing with general RBAC system. We implemented all of the algorithms in Visual
C++. All of the experiments were conducted on a Windows machine with a Pentium
Celeron 1.6 GHz CPU and 2 GB primary memory. The operating system on the machine
was Microsoft Windows XP Professional Edition, and the programming tool was Microsoft
Visual C++ 6.0. We used Microsoft Access 2007 as our database.
12.5.1 Storage Space
We first developed three privacy aware systems. System 1 simulated traditional RBAC
system, System 3 is a system which allows personal level access control, and System 2 is
our proposed system. Our first comparison in Fig. 12.11 is conducted between System 2
and System 3 to understand how much storage space can be saved, whereas the potential
data disclosure can be detected. During this comparison, we fix the number of roles as 10
in System 3 and the number of personal data elements as 10. We generate 100 users for
each role in System 3 and 1 000 users in System 2. We compare the storage space used to
store same privacy policy data in System 2 and System 3.
Fig. 12.11 Top line represents our system
The figure shows that System 3 can save a great amount of storage space by using privacy
data graph in role level and data set in personal level. As we known, the space complicity
of maintaining a graph structure is O(n2 ), and the space complicity of maintaining a data
set is O(n). For System 2, it must create and maintain one graph for each individual user to
illustrate the linkages between data elements. So we conclude that role level access control
does not only facilitate the management of privacy policies, but also reduce the overhead
of storage space.
12.5.2 Variety of Personal Privacy Policy
We also compare the variety of personal privacy policies, which represents how flexible
a privacy-aware system is. The comparison is conducted between System 1 and System 3.
During this comparison, we fix the number of roles as 10 and the number of personal data
elements as 10. 100 users are assigned to each role. Then, we vary the number of personal
level purposes in System 3 and compare the number of privacy polices for single user. The
results are shown in Fig. 12.12.
Bibliography 265
Fig. 12.12 Top line represents our system
In System 3, since an individual user can consent or rejectany personal level purpose to
any other user, the total number of possible policy is large. In System 1, individual users
are not allowed to make any personal level access policy. Thus, System 3 is more flexible
than System 1.
12.6 Conclusion
Privacy and management of sensitive data protection is a very critical issue in now adays
society because of the growing attention of users to their personal information. We pro-
posed a privacy data graph in this chapter to enable RBAC as well as personal level access
control. Moreover, the notion of purpose is added to specify the intended usage of data
and allow users to set personal privacy preferences through purpose. A case study was car-
ried out inorder to obtain preliminary validation of the system. In the end, we provided a
simulation and comparative results which suffice to supportthe claims made in this chapter.
Bibliography
[1] Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A., (2004), TROPOS: An
agent-oriented software development methodology, JAAMAS 8(3), 203–236.
[2] Cranor, L.F., (2003), P3P: making privacy policies more useful,ăă Security & Privacy, IEEE,
pp. 50–55.
[3] COPPA, (2009), Cybertelecom Federal Internet Law & Policy – an Educational Project, Krohn
& Moss Consumer Law Center, http://www.cybertelecom.org/privacy/coppasafe.
htm (Accessed: 22 Dec, 2009).
[4] David F. Ferraiolo, Ravi S. Sandhu, Serban Gavrila, D. Richard Kuhn, and Ramaswamy Chan-
dramouli, (2001), Proposed NIST standard for role-based access control, ACM Transactions on
Information and Systems Security, 4(3):224–274.
[5] D. Ferraiolo and R. Kuhn, (1992), “Role-Based Access Controls,” Proc. 15th NIAR-NCSC
Nat’l Computer Security Conf., Nat’l Inst.Standards and Technology, Gaithersburg, Md., pp.
554–563.
[6] E. Bertino, J.-W. Byun, N. Li, (2005), Privacy-preserving database systems, in: FOSAD
2004/2005, LNCS, vol. 3655, Springer-Verlag, 2005, pp. 178–206.
[7] Foreman, Judy, (2006),ă“At risk of exposure”. Los Angeles Times.(Accessed: September
2010).
[8] Fabio Massacci, John P. Mylopoulos, Nicola Zannone, (2006), Hierarchical hippocratic
databases with mnimal disclosure for virtual organizations, Springer-Verlag New York, Inc.
Secaucus, NJ, USA, pp. 370–387.
[9] FIP, (2009), Fair Information Practices, http://whatis.techtarget.com/definition/0,
sid9_gci213501,00.html (Accessed: 3 Dec, 2009).
[10] FTC Fair Information Practice Principles, (2009), http://www.ftc.gov/reports/
privacy3/fairinfo.shtm (Accessed: 10 Dec, 2009).
[11] Ji WonByun, Elisa Bertino, and Ninghui Li, (2005), Purpose based access control of complex
data for privacy protection, Symposium on Access Control Models and Technologies, ACM,
New York, NY, USA, pp. 102–110.
[12] Ji-Won Byun, Ninghui Li, (2008), Purpose Based Access Control for Privacy Protection in
Relational Database, Springer Berlin / Heidelberg, Volume 17, Number 4 / July, 2008, pp.
603–619.
[13] Lorenzo D. Martino, Qun Ni, Dan Lin, and Elisa Bertino, (2008), Multi-domain and Privacy-
aware Role Based Access Control in eHealth. In the International Conference on Pervasive
Computing Technologies for Healthcare, Tampere, Finland.
[14] L. Sweeney, (2002), k-anonymity: a model for protecting privacy, International Journal on
Uncertainty, Fuzziness and Knowledge-based Systems, 10(5), 2002; 557–570.
[15] Lorrie Faith Cranor, Praveen Guduru, Manjula Arjula, (2006). User Interfaces for Privacy
Agents, ACM Transactions on Computer-Human Interaction, Vol. 13, No.2, pp. 135–178.
[16] OECT, (2009), A Review of the Fair Information Principles: The Foundation of Privacy Pub-
lic Policy, http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_
1_1_1,00.html (Accessed: 3 Dec, 2009).
[17] Paolo Guarda, Nicola Zannone, (2009), Towards the development of privacy-aware systems,
Information and Software Technology, Butterworth-Heinemann, Newton, MA, USA, pp. 337–
350ă.
[18] Peter Bodorik, Dawn Jutla, Mike Xuehai Wang, (2008), Consistent privacy preferences (CPP):
model, semantics, and properties, Symposium on Applied Computing, ACM New York, NY,
USA, pp. 2368–2375.
[19] Q. He, (2003), Privacy enforcement with an extended role-based access control model, NCSU
Computer Science Technical Report TR-2003-09, February 28.
[20] R. Agrawal, J. Kiernan, R. Srikant and Y. Xu, (2002), Hippocratic databases, In: Proceedings
of the 28th VLDB Conference, Hong Kong, China, pp. 143–154.
[21] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, (2003), An XPath-based preference language
for P3P, in: Proceedings of WWW’03, ACM Press, pp. 629–639.
[22] Robert W. Proctor, Kim-Phuong L. Vu, and M. Athar Ali, (2007), Usability of User Agents for
Privacy-Preference Specification, Human Inerface, Part 2, HCII2007, LNCS 4558, Springer
Bibliography 267
Berlin/Heidelberg, pp. 766–776.

[23] Sandhu, R., Coyne, E.J., Feinstein, H.L., and Youman, C.E., (1996), Role-Based Access Con-
trol Models, IEEE Computer (IEEE Press) 29 (2): 38–47.
[24] Scott Lederer, Jennifer Mankoff, Anind K. Dey, (2003), Who wants to know what when? pri-
vacy preference determinants in ubiquitous computing, Conference on Human Factors in Com-
puting Systems, Ft. Lauderdale, Florida, USA, pp. 724–725.
[25] T. Yu, N. Li, A.I., (2004), Antón, A formal semantics for P3P, in: Proceedings of SWS’04,
ACM Press, pp. 1–8.
[26] US Secretary’s Advisory Committee on Automated Personal Data Systems, (1973), Records,
Computers and the Rights of Citizens, Chapter IV: Recommended Safeguards for Administra-
tive Personal Data Systems.
[27] W3C Working Draft (2002), 15 April 2002, http://www.w3.org/TR/P3P-preferences
(Accessed: 5 Aug, 2009).
[28] World Wide Web (W3C), (2009), Platform for Privacy Preferences (P3P), http://www.w3.
org/P3P (Accessed: 5 Aug, 2009).
[29] W3C Working Draft (2002), http://www.w3.org/TR/P3P-preferences (Accessed: 5
Aug, 2009).
[30] Westin, A.F., (1967), Privacy and Freedom. New York NY: Atheneum.

Trustworthy Ubiquitous Computing PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Trustworthy Ubiquitous Computing PDF

Hochgeladen von

Copyright:

Verfügbare Formate

ATLANTIS A MBIENT AND P ERVASIVE I NTELLIGENCE

S ERIES E DITOR : I SMAIL K HALIL

Ismail Khalil, Linz, Austria

Aims and scope of the series

A MSTERDAM – PARIS – B EIJING

Ismail Khalil (Ed.)

Teddy Mantoro (Ed.)

A MSTERDAM – PARIS – B EIJING

Atlantis Ambient and Pervasive Intelligence

Part 1: Trust and context in UbiComp environments

Part 2: Methods and concepts to enhance and ensure reliability in UbiComp

Part 3: Distributed attacks detection and secure access protocol in MANET,

Chapter 7 introduces mitigation of wormhole attack in wireless sensor networks, which

Part 4: Access Control and Mobile Payment in Trustworthy UbiComp

Ismail Khalil and Teddy Mantoro

Ismail Khalil (http://www.iiwas.org/ismail/) is a senior researcher and lecturer

Communication Engineering Perspective, the book Multimedia Transcoding in Mobile and

Teddy Mantoro is an associate professor at School of Advanced Informatics, University

Editorial: Trustworthy Ubiquitous Computing v

Part I Trust and Context in UbiComp Environments 1

1. The automatic Trust Management of self-adaptive Multi-Display

K. Bee, S. Hammer, Ch. Pratsch, and E. André

2. Malicious Pixels – Using QR Codes as Attack Vector 21

P. Kieseberg, S. Schrittwieser, M. Leithner, M. Mulazzani, E. Weippl,

3. A Virtual Performance Stage as a Space for Children to Create and

W.A. Widjajanto, H. Schelhowe, and M. Lund

3.4.3 Intercultural Aspect . . . . . . . . . . . . . . . . . . . . . . . . 56

Part II Methods and Concepts to Enhance and Ensure

4. Network Forensics: Detection and Mitigation of Botnet and

R. Azrina, R. Othman, Normaziah A. Aziz, M. ZulHazmi, M. Khazin,

5. Trusted Log Management System 79

A. Tomono, M. Uehara, and Y. Shimada

5.2.6 Security of the VLSD . . . . . . . . . . . . . . . . . . . . . . . 85

6. Reasoning of Collaborative Human Behaviour in Security-Critical

G.S. Poh, N.N. Abdullah, M.R. Z’aba, and M.R. Wahiddin

6.5 Practical Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Part III Distributed Attacks Detection and Secure Access

7. Mitigation of Wormhole Attack in Wireless Sensor Networks 109

A. Modirkhazeni, M. Kadhum, and T. Mantoro

7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

8. Protocol for Secure Access in Mobile Ad-hoc Network for

A. Abu Bakar, R. Ismail, A.R. Ahmad, J.-l. Abdul Manan

8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Part IV Access Control and Mobile Payment in Trustworthy

9. A Lightweight Graph-Based Pattern Recognition Scheme in Mobile

R.A. Raja Mahmood, A.H. Muhamad Amin, A. Amir, A.I. Khan

9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

9.4 Distributed Hierarchical Graph Neuron . . . . . . . . . . . . . . . . . . 188

10. Security Framework for Mobile Banking 207

D. Weerasinghe, V. Rakocevic, and M. Rajarajan

10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

10.6 Conclusion & Discussions . . . . . . . . . . . . . . . . . . . . . . . . . 222

11. Anonymous, Secure and Fair Micropayment System to Access

Isern-Deyà, Payeras-Capellà, Mut-Puigserver and Ferrer-Gomila

11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

12. Privacy Preserving with A Purpose-based Privacy Data Graph 249

Y. Tian, B. Song, and E.-N. Huh

12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

12.3 Proposed System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Trust and Context in UbiComp Environments

The automatic Trust Management of

Karin Bee, Stephan Hammer, Christian Pratsch, and Elisabeth André

{karin.bee, hammer, andre}@hcm-lab.de1