
SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks. 2009; 2:580–594
Published online 4 February 2009 in Wiley InterScience (www.interscience.wiley.com) DOI: 10.1002/sec.101

Using camouflaging mobility to protect privacy in mobile ad hoc networks‡

Lei Tang1∗,†, Xiaoyan Hong2 and Susan Vrbsky2

1Department of Computer Science, Rice University, Houston, TX 77005, U.S.A.
2Department of Computer Science, University of Alabama, Tuscaloosa, AL 35487, U.S.A.

Summary

The open nature of wireless medium has left wireless communications vulnerable to various privacy attacks. Much research work has been proposed to protect the identity anonymity of communicating parties, the anonymity of network routes and the location privacy of the message source and destination. However, with the advent of new radio identification and localization techniques, more advanced privacy attacks are possible. We describe a new privacy attack in which the adversary tries to infer the itineraries of the nodes in the network. To protect itinerary privacy, we design an algorithm, called Δ-camouflaging mobility algorithm, which changes the original motion segments of a node into Δ-shaped camouflaging paths. Itinerary privacy, correspondent privacy, and route privacy are closely related so we propose a comprehensive anonymous routing scheme, called MARS, to protect these privacy goals. MARS exploits camouflaging mobility to protect itinerary privacy and uses motion pseudonyms generated from the camouflaging mobility to protect correspondent privacy and route privacy without using cryptography. Our analysis results show that Δ-camouflaging mobility algorithm is cost-effective, which can significantly reduce the itinerary exposure probability at a small cost of extra travel distance. Moreover, our network simulation results illustrated that MARS anonymous routing scheme and Δ-camouflaging mobility algorithm did not reduce network layer performance. Copyright © 2009 John Wiley & Sons, Ltd.

KEY WORDS: itinerary privacy; camouflaging mobility; anonymous routing; correspondent privacy; mobile ad-hoc networks

∗Correspondence to: Lei Tang, Department of Computer Science, Rice University, Houston, TX 77005, U.S.A.

†E-mail: [email protected]

‡Part of this paper was presented in the IEEE WoWMoM 08, Workshop on Security, Privacy, and Authentication in Wireless Networks, Newport Beach, CA, 23–27 June 2008.

1. Introduction

Privacy issues are becoming increasingly important for mobile ad hoc network (MANET) wireless communications. Adversaries in the network are able to eavesdrop on wireless communications to obtain the information of interest, for example, the IP addresses of message source and destination. Many privacy preserving schemes [1–6] have been proposed to address correspondent privacy, route privacy and location privacy. The objective of correspondent privacy is to prevent adversaries from discovering who are the message source and destination (e.g., Reference [5]) whereas the objective of route privacy is to prevent adversaries from tracing the network routes of a message (e.g., References [1,2]). The objective of location privacy may include preventing the adversary from determining the location of the message source and destination or preventing the adversaries from tracing nodes in the network. Two approaches have been widely used in this work. One approach uses cryptography to generate pseudonyms to hide the real identities of correspondents or the identities of the nodes on a route (e.g., References [1–4]). One potential issue of this approach is that decrypting and encrypting cryptographic pseudonyms may cause large computational overhead [4]. The other approach is to mix the real correspondents among a set of nodes to make it difficult for the adversary to pinpoint a specific node (e.g., References [5–8]).

With the advent of new wireless localization techniques and radio identification techniques, adversaries are able to launch more advanced privacy attacks. The localization technique in Reference [9] is able to localize indoor radio transmitters with an accuracy of 2 m based on the radio signals received. The radio identification technique proposed in Reference [10] can robustly identify a radio transmitter by its signalprint.

These localization techniques and radio identification techniques make new privacy attacks possible. In this paper, we describe a new privacy attack, which aims at determining the itineraries of nodes based on the above localization techniques and radio identification techniques. Nodes in the wireless network are unlikely to move totally randomly, but instead follow a certain schedule [11]. We define itinerary privacy as a property with which it is difficult for attackers to determine the itinerary of a node (i.e., when and where a node will appear). Itinerary privacy differs from location privacy in that its emphasis is on discovering nodes’ repeatedly-occurring mobility patterns, which most likely reveal a node’s routine activities and the paths taken by the node when conducting the activities. We call the path from one activity to another activity an itinerary segment. We believe itinerary privacy is important because we want to prevent unauthorized tracking of wireless-communicating mobile hosts (e.g., patrol cars, cash-in-transit vehicles, etc.). Once the itinerary information of a mobile host is mastered by the adversaries, adversaries may launch many attacks more intelligently and precisely with greater damages.

In our adversarial model, when a radio transmission is detected by the adversary, the adversary stores the transmission print of the radio transmission in its database, which includes the signalprint, location, and the time of the radio transmission. The adversary infers a node’s itinerary by associating the transmission prints with the node.

Itinerary privacy is important for protecting correspondent privacy and route privacy. This is because after the itineraries of the nodes are exposed, the adversary can correlate a message detected with the message sender. For example, if the adversary detects a message M transmitted at location p at time t and the adversary knows that a node x was at p at t based on its knowledge of x’s itinerary, then the adversary can infer that x is the sender of M even if M does not expose any identity information of the sender.

On the other hand, to protect itinerary privacy, we need to protect correspondent privacy and route privacy. For example, if DSR [22] is used as the routing protocol, then the adversary can infer the itineraries of the message forwarders since their identities are included in the messages.

Therefore, the motivation for this paper is to design a comprehensive solution for protecting itinerary privacy, correspondent privacy, and route privacy. The solution has two parts. The first part is an algorithm, called the Δ-camouflaging mobility algorithm, that protects itinerary privacy by camouflaging the nodes’ mobility. The second part is an anonymous routing scheme that protects correspondent privacy, itinerary privacy, and route privacy. Our scheme differs from related work such as References [6–8,12,13] in that our camouflaging mobility algorithm proactively changes the nodes’ mobility to protect itinerary privacy of nodes, instead of: anonymizing the actual locations of nodes at a trusted third-party [7,12], introducing random silent periods in wireless transmissions [8], sending decoy messages [13] or relying on mix zones in which the movements of nodes are anonymous [6].

The first part of the paper presents the Δ-camouflaging mobility algorithm, which can be applied upon any mobility model by changing the original motion segments into Δ-shaped camouflaging paths. The Δ-camouflaging mobility algorithm is effective because it significantly increases the number of possible motion traces. Also the motion traces of the nodes are ‘mixed’ and become less distinctive. Furthermore, it reduces the probability of generating matchable transmission prints since nodes are unlikely to move on the same path, thereby making it difficult for the adversary to confirm or eliminate a hypothetical motion trace.


In the second part of the paper, we propose an anonymous routing scheme, called MARS (Motion pseudonym based Anonymous Routing Scheme), to protect itinerary privacy, correspondent privacy, and route privacy. We define a motion pseudonym of a node as a random point on the node’s Δ-shaped mobility paths and the corresponding arrival time. MARS exploits the Δ-camouflaging mobility algorithm to protect itinerary privacy and uses motion pseudonyms generated from the Δ-camouflaging mobility algorithm to protect correspondent privacy and route privacy. One important contribution of the paper is that MARS provides a comprehensive anonymous MANET communication solution that protects itinerary privacy, correspondent privacy, and route privacy without using cryptography.

Our mathematical analysis shows that the Δ-camouflaging mobility algorithm is cost-effective: it decreases the itinerary exposure probability by more than 80% at a cost of less than 3% extra travel distance in the cases we studied. We also conduct simulations under the Qualnet Network Simulator [14] to compare DSR routing performance under mobility models with/without the Δ-camouflaging mobility. Our simulation results show that the Δ-camouflaging mobility algorithm does not reduce routing performance in terms of message delivery ratio, delivery latency, and routing overhead. Through simulations, we also find that MARS anonymous routing scheme does not cause network layer performance degradation.

The rest of this paper is structured as follows. In Section 2, we introduce prior work on MANET privacy issues and classify them according to their approaches and objectives. Section 3 introduces the itinerary privacy attack and adversarial model. Section 4 presents the Δ-camouflaging mobility algorithm and analyzes its effectiveness on reducing itinerary exposure probability and its overhead. In Section 5, we present the design of MARS routing scheme. In Section 6, we compare DSR routing performance under mobility models using and not using the Δ-camouflaging mobility algorithm and evaluate the performance of MARS routing scheme. We summarize our work and outline future plans in Section 7.

2. Related Work

Much work on network privacy is to protect the following three types of privacy: correspondent privacy, route privacy, and location privacy. To realize these anonymity goals, two approaches are widely used. One approach uses cryptographic pseudonyms to anonymize routes and hide the real identities of the nodes. The other approach is to ‘mix’ a node among other nodes conducting radio transmissions. Our scheme can be categorized into the type using MIX methodology, which ‘mixes’ the motion traces of the nodes and makes radio transmissions less identifiable so that it is difficult for the adversary to identify a node’s itinerary. Table I classifies some existing privacy-preserving schemes based on their objectives and approaches.

Table I. Privacy-preserving schemes.

|                       | Pseudonym-based | MIX-type    |
|-----------------------|-----------------|-------------|
| Correspondent Privacy | [1–4]           | [15]        |
| Route Privacy         | [1,2,4]         |             |
| Location Privacy      |                 | [5–8,12,13] |

2.1. Pseudonym-based Schemes

ANODR [1] is an anonymous routing scheme using cryptographic pseudonyms to achieve correspondent and route privacy. It consists of three phases (i.e., route request (RREQ), route reply (RREP), and data transfer). During the route request phase, the nodes on the route encapsulate their identities in a cryptographic structure called an onion. Every node tries to open a cryptographic trapdoor to determine whether it is the message destination. If it is the message destination, it sends a route reply that contains the cryptographic onion in the RREQ message and nodes on the route will be able to construct the route by opening the cryptographic onion.

SDAR [3] is an anonymous routing scheme in which messages are only forwarded by the trustworthy nodes and message headers are encrypted. AnonDSR [2] creates a shared symmetric secret key between source and destination to reduce the overhead of asymmetric cryptographic operations for a better system scalability.

2.2. MIX-type Schemes

The idea of MIX is first presented in Reference [16], in which D. Chaum presented a technique to hide the correspondences between input and output emails by encrypting correspondent information and sending emails randomly. The essential idea behind the MIX technique is to ‘mix’ the real correspondents among a set of nodes so that it is difficult for the adversaries to pinpoint the real correspondents.

J. Kong et al. proposed a technique called Motion-MIX to hide the motion pattern of the nodes through adding decoy messages [13]. A. Beresford et al. designed a method, called the mix zone, to enhance user location privacy when using location-aware services [6]. AO2P [15] is a position-based anonymous routing protocol which uses the present position of a destination as the destination’s identifier to protect correspondent privacy. In the phantom routing scheme [5], messages are first sent to a fake source and then are flooded to the destination to protect the location privacy of the source.

M. Mokbel proposes a location cloaking algorithm in Reference [7] that seeks to represent the accurate location of a location-based service user by a cloaked region containing at least k users. In Reference [8], K. Sampigethaya et al. introduce random silent periods in vehicle broadcast communications to mitigate unauthorized tracking of vehicles. B. Hoh et al. present an algorithm [12] that protects location privacy by adding acceptable perturbations to the original location data.

Our Δ-camouflaging mobility algorithm is designed to protect itinerary privacy. It is different from References [6,15] since we do not assume the existence of mix zones in which the nodes’ movements are anonymous. Unlike References [8,13], our mobility algorithm does not send decoy messages nor does it change the way nodes conduct wireless communications. Different from References [7–12], our mobility algorithm does not rely on a trusted third-party to anonymize the actual location of nodes. Instead, in our mobility algorithm, nodes proactively change their mobility to hide their itineraries.

3. Itinerary Privacy Attack

Since nodes in the network are unlikely to move totally randomly, but instead follow a certain schedule [11], we design a mobility model, called rendezvous visiting or RV in short, to model the mobility scenario when the nodes move according to their itineraries. RV mobility model can be viewed as a simplified agenda mobility model in Reference [17]. In the RV model, a node visits the rendezvous in the network based on its itinerary and the path from one rendezvous to another rendezvous is defined as an itinerary segment. The itinerary of a node consists of itinerary segments. An itinerary segment comprises a starting and an ending rendezvous. For instance, an itinerary segment of a patrol car may start from location A to location B, which should be prevented from unauthorized tracking.

In this section, we describe a new privacy attack that aims at discovering the itineraries of the nodes in the network by using two important techniques, i.e., signalprint and multiple target tracking (MTT) [18]. The network scenario considered in the paper is a wireless MANET and we assume wireless communications are symmetric (i.e., if node A can hear node B, then B can hear A).

The signalprint of a wireless transmission is a vector of signal strength measurements [10]. Signalprint has the following properties [10]. First, it is hard to spoof because radio transmitters have no control over signal attenuations within the network [10]. Second, signalprints are strongly correlated with the location of the radio transmitter and a stationary transmitter generates similar signalprints with high probability [10]. In Reference [10], D.B. Faria et al. propose a radio identification technique that robustly identifies a radio-transmitting device by its signalprints.

Multi target tracking (MTT) algorithm is a well-studied technique to link location samples of the nodes to individual nodes based on the temporal and spatial correlation between successive location samples [12]. The MTT algorithm proposed in Reference [18] generates a set of hypotheses about the possible motion traces of the nodes. The hypothetical motion traces are confirmed or eliminated when more location samples are processed. The algorithm stops when all location samples have been processed. For the details of the MTT algorithm, interested readers are referred to Reference [18].

In our system, we assume that the adversary deploys a sufficient number of snoopers in the network to cover the entire network, which passively eavesdrop on the radio transmissions in the network and send the collected signalprints to the adversary. Meanwhile, the adversary uses a localization technique similar to the one proposed by Tao et al. in [9] to determine the location of the radio transmitter with a precision of 2 m. The localization system in Reference [9] uses the Markov localization algorithm [19] to determine the location of the radio transmitter based on the signal strength information.

We assume that the adversary divides the network into a grid of equal-sized cells. From the experiment results of Reference [10], a node generates similar signalprints with high probability at locations less than 5 m apart [10]. So we select 5 × 5 m as the area of a grid cell such that a node will generate the same signalprint if it conducts multiple radio transmissions at the same cell. Once a radio transmission occurs in the network, the adversary locates the radio transmitter to a grid cell. Figure 1 illustrates our adversarial model.

Fig. 1. Adversarial model.

We define some of the terms used in the paper as follows.

• Itinerary segment: The itinerary of a node comprises a set of itinerary segments. When a node conducts an itinerary segment, it moves from one rendezvous to another rendezvous. An itinerary segment is represented as {start, end, time, speed}, in which start and end are the starting and ending rendezvous, respectively. time specifies when the node starts the itinerary segment and speed specifies the moving speed of the node on the itinerary segment. Segments 1, 2, 3, and 4 in Figure 1 are some examples of itinerary segments.

• Transmission print: The adversaries store the information of each radio transmission as a transmission print, which includes the following information {signalprint, location, time}. location and time record where and when the radio transmission occurs, respectively.

• Matchable transmission print: We call the transmission prints generated by the same node at the same cell matchable transmission prints.

We now describe how the adversary launches the itinerary privacy attack to discover the itineraries of the nodes in the network.

After a radio transmission is detected, the snoopers send the signal strength measurements of the radio transmission to the adversary. These signal strength measurements are used by the adversary to calculate the location and the signalprint of the radio transmission. Finally, the adversary stores the transmission print of the detected radio transmission in a database. For some non-anonymous routing schemes (e.g., DSR), the identity of the radio transmitter can be obtained from the message transmitted. Therefore, the adversary can easily draw the motion traces of the nodes based on the locations of the radio transmissions and the identities of the radio transmitters. So here we assume that the nodes use the anonymous routing technique described in Section 5 to prevent the adversary from obtaining the identity of the radio transmitter.

Since the adversary cannot obtain the identity information directly from the messages detected, it uses the MTT technique to associate the transmission prints with individual radio transmitters. First the adversary uses the MTT algorithm to construct all the possible motion traces by exploiting the temporal and spatial correlations between subsequent transmission prints. Then the adversary uses signalprint information in the transmission prints to confirm or eliminate the hypothetical traces by finding the matchable transmission prints.

The signalprint technique makes it much easier for the adversary to confirm or eliminate the hypothetical motion traces during the MTT computation process. Without matchable transmission prints, the MTT algorithm can only exploit the temporal and spatial correlations between radio transmissions to determine nodes’ possible traces. For example, in Figure 2, without using signalprints, 10 radio transmissions can be from 10 different transmitters. Since a node will generate the same signalprints at the same cell, with signalprints the adversary can figure out which radio transmissions are from the same node to greatly reduce the number of possible transmitters and hypothetical motion traces.

Fig. 2. Illustration of radio transmissions.


The transmission prints at a cell can be categorized into two types: matchable/non-matchable transmission prints. From the matchable transmission prints, the adversary learns when the node travels the cell and the interval between its tours. On the other hand, the number of non-matchable transmission prints reveals the number of transmitters touring the cell. With the above information, the adversary runs the MTT algorithm to eliminate or confirm the hypothetical motion traces. After the adversary is able to associate transmission prints with the motion traces, the itineraries of the nodes are exposed. For example, after a radio transmission of node x is detected by the adversary, the adversary can associate the transmission print of the radio transmission to a determined motion trace and predict the future motion of node x.

4. Δ-Camouflaging Mobility Algorithm

We propose the Δ-camouflaging mobility algorithm to make it difficult for the adversary to determine the itineraries of the nodes. The Δ-camouflaging mobility algorithm is effective for the following reasons.

(1) With Δ-camouflaging mobility, nodes take random camouflaging movements to cover their itinerary segments. Hence, the number of possible motion traces is significantly increased. Also the motion traces of the nodes are ‘mixed’ and become less distinctive.

(2) The probability of generating matchable transmission prints is reduced since nodes are unlikely to move in the same path. Hence, it becomes more difficult for the adversary to confirm or eliminate a hypothetical motion trace.

In this section, we first analyze the probability of exposing a node’s itinerary when the node takes no camouflaging movements (i.e., moves straight from one rendezvous to another). Then we propose our Δ-camouflaging mobility algorithm and analyze its improvement on reducing the probability of exposing the itinerary. Note we use the term ‘Δ-camouflaging mobility’ interchangeably with the term ‘Δ-mobility’ in this paper.

4.1. Terminology and Notations

The terminologies and notations used in the paper are defined as follows.

• $d_i$: the distance from the start to the end of an itinerary segment i.

• $e^1_i$: the mobility displacement of an itinerary segment i when using Δ-camouflaging mobility.

• $\xi_i$: the number of grid cells on an itinerary segment i when the node uses straight-line mobility.

• $\xi'_i$: the number of grid cells on an itinerary segment i when the node uses Δ-camouflaging mobility.

• $\omega_i$: the average number of radio transmissions conducted by a node on an itinerary segment i.

• $\mu_i$: the travel overhead of an itinerary segment i when using Δ-camouflaging mobility.

• $P_\tau$: the probability of exposing an itinerary segment when using straight-line mobility.

• $P'_\tau$: the probability of exposing an itinerary segment when using Δ-camouflaging mobility.

• $\alpha_i$: the camouflaging angle of an itinerary segment i when using Δ-camouflaging mobility.

• $\alpha_{max}$: the maximum camouflaging angle in Δ-camouflaging mobility.

• S, D: source and destination;

• $L_S$, $L_D$: a random location on the Δ-camouflaging mobility paths of the message source and destination, respectively;

• $TA_S$, $TA_D$: time of arrival of $L_S$ and $L_D$, respectively.

4.2. Analysis of Non-camouflaging Mobility

The scenario when the nodes take no camouflaging movements (i.e., straight-line mobility from the start to the end of an itinerary segment) is illustrated in Figure 3. Based on the collected transmission prints, the adversary calculates all the hypothetical motion traces of the nodes using the MTT algorithm. Then it confirms/eliminates the hypothetical motion traces using the information mined from transmission prints.

Fig. 3. Straight-line mobility.

In our adversarial model, we assume that the adversary is able to associate two matchable transmission prints with the transmitter based on the temporal and spatial correlation of the transmission prints. Here we give a simple example to illustrate how the adversary exploits temporal and spatial information in the matchable transmission prints. For example, the adversary collected two matchable transmission prints: $\{\mathit{signalprint}_1, \mathit{location}_1, \mathit{time}_1\}$ and $\{\mathit{signalprint}_2, \mathit{location}_2, \mathit{time}_2\}$. The adversary can calculate the traveling speed between these two matchable transmission prints as $\frac{|\mathit{location}_1 - \mathit{location}_2|}{|\mathit{time}_1 - \mathit{time}_2|}$. If the traveling speed approximates the estimated speed of a node, then the adversary tentatively associates these two transmission prints with the node.

Since it requires only two different points on a line to determine the line, the adversary will be able to discover an itinerary segment of a node if the node leaves two matchable transmission prints on the itinerary segment. For the MTT details of constructing hypothetical motion traces, confirming and eliminating hypothetical motion traces, interested readers are referred to Reference [18].

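Let $P^0_{\text{match}}$ be the probability of generating no matchable transmission prints on an itinerary segment and $P^1_{\text{match}}$ be the probability of generating only one matchable transmission print. We have

$$P_\tau(\xi_i, \omega_i) = 1 - P^0_{\text{match}}(\xi_i, \omega_i) - P^1_{\text{match}}(\xi_i, \omega_i) \qquad (1)$$

Based on Equation (1), Equation (2) calculates $P_\tau$ when $\omega_i$ is smaller than $\xi_i$. To generate a matchable transmission print, there must be at least two transmissions. Given $\omega_i$ transmissions, $P^0_{\text{match}}$ is $\prod_{k=2}^{\omega_i} \left(\frac{\xi_i-(k-1)}{\xi_i}\right)$ (no two or more transmissions occurring in the same cell). $\sum_{k=2}^{\omega_i} \frac{\binom{\omega_i}{k} \times \xi_i \times {}_{(\xi_i-1)}P_{(\omega_i-k)}}{\xi_i^{\omega_i}}$ calculates $P^1_{\text{match}}$, in which ${}_{(\xi_i-1)}P_{(\omega_i-k)}$ denotes the number of permutations of size $\omega_i - k$ from a set of size $\xi_i - 1$, and $\frac{\binom{\omega_i}{k} \times \xi_i \times {}_{(\xi_i-1)}P_{(\omega_i-k)}}{\xi_i^{\omega_i}}$ is the probability of k radio transmissions of a node occurring in one cell and the other $\omega_i - k$ transmissions occurring in different cells.

$$P_\tau(\xi_i, \omega_i) = 1 - \prod_{k=2}^{\omega_i} \left(\frac{\xi_i-(k-1)}{\xi_i}\right) - \sum_{k=2}^{\omega_i} \frac{\binom{\omega_i}{k} \times \xi_i \times {}_{(\xi_i-1)}P_{(\omega_i-k)}}{\xi_i^{\omega_i}}, \quad \xi_i \ge \omega_i \ge 2 \qquad (2)$$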

Figure 4 shows that when $\xi_i = 400$, it takes only 80 radio transmissions for $P_\tau$ to approach 1. And when $\omega_i$ approaches $\xi_i$, $P_\tau$ becomes 1. From the above results, we know that a node exposes an itinerary segment quickly when taking no camouflaging mobility. Next we will analyze the itinerary exposure probability when using our Δ-camouflaging mobility algorithm.

Fig. 4. Pτ when taking no camouflaging movements.
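Equation (2) evaluated exactly and cross-checked by exhaustive enumeration on small grids, as an added example that is not code from the paper. The function names are hypothetical, and the enumeration reads exposure as two or more cells that each received at least two transmissions, which is the complement of the two events subtracted in Equation (1).

```python
from fractions import Fraction
from itertools import product
from math import comb, perm


def p0_match(xi, omega):
    """P^0_match: no two of the omega transmissions share a grid cell."""
    p = Fraction(1)
    for k in range(2, omega + 1):
        p *= Fraction(xi - (k - 1), xi)
    return p


def p1_match(xi, omega):
    """P^1_match: k >= 2 transmissions share one cell and the remaining
    omega - k fall in different cells. perm(n, r) is the permutation count
    that the paper writes as (n)P(r)."""
    ways = sum(comb(omega, k) * xi * perm(xi - 1, omega - k)
               for k in range(2, omega + 1))
    return Fraction(ways, xi ** omega)


def exposure_probability(xi, omega):
    """P_tau of Equation (2), returned as an exact fraction."""
    if not xi >= omega >= 2:
        raise ValueError("Equation (2) is stated for xi >= omega >= 2")
    return 1 - p0_match(xi, omega) - p1_match(xi, omega)


def exposure_by_enumeration(xi, omega):
    """Walk every placement of omega transmissions into xi cells and count
    those in which at least two cells received two or more transmissions.
    Exponential in omega, so only usable on small inputs."""
    exposed = 0
    for cells in product(range(xi), repeat=omega):
        repeated = sum(1 for c in set(cells) if cells.count(c) >= 2)
        exposed += repeated >= 2
    return Fraction(exposed, xi ** omega)


def sweep(xi, omegas):
    """(omega, P_tau) pairs for one segment length, as floats."""
    return [(w, float(exposure_probability(xi, w))) for w in omegas]


if __name__ == "__main__":
    # Closed form and brute force must agree on grids small enough to enumerate.
    for xi, omega in [(4, 4), (5, 4), (6, 5)]:
        assert exposure_probability(xi, omega) == exposure_by_enumeration(xi, omega)
    # The setting discussed with Figure 4: xi = 400 cells on the segment.
    for omega, p in sweep(400, [2, 10, 20, 40, 80, 400]):
        print(f"xi=400 omega={omega:3d} P_tau={p:.4f}")
```

With fewer than four transmissions the result is exactly 0, because two cells cannot each hold two transmissions.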

4.3. Analysis of �-camouflaging MobilityAlgorithm

The Δ-camouflaging mobility algorithm makes it difficult for the adversary to distinguish the motion traces of the nodes by randomly distributing the transmission prints of the nodes and by avoiding generating matchable transmission prints.

Δ-camouflaging mobility is shown in Figure 5. Each time a node tours an itinerary segment i, the node randomly selects a camouflaging angle $\alpha \leq \alpha_{max}$ and a displacement $e_i^1$. The node will first walk along the camouflaging angle $\alpha$ for $e_i^1$ then head for the end of the segment. Thus when using Δ-camouflaging mobility, an itinerary segment i is represented as: $\{start_i, end_i, \alpha_i, e_i^1, time_i, speed_i\}$, in which $start_i$, $end_i$ and $time_i$ are the starting rendezvous, ending rendezvous, and starting time of the itinerary i, respectively.

In Figure 6, a node x has an itinerary segment starting from A and going to B whereas a node y has an itinerary segment from C to D. Figure 6 shows the transmission prints left by x and y when they take random triangle-shaped paths generated by the Δ-camouflaging mobility algorithm and the straight-line paths. We can see that the transmission prints of Δ-camouflaging mobility are ‘mixed’ together whereas the transmission prints of straight-line mobility show a distinctive pattern. Moreover, the transmission prints of Δ-camouflaging mobility are distributed over a larger area while the transmission prints of straight-line mobility are focused on a narrow straight-line area. Hence, Δ-camouflaging mobility reduces the probability of generating matchable transmission prints.

Fig. 5. Δ-Camouflaging mobility for an itinerary segment.

Fig. 6. Δ-Camouflaging mobility.

Next we analyze the overhead of Δ-camouflaging mobility, the probability of exposing an itinerary segment and the probability of the nodes generating the same Δ-camouflaging mobility.

4.3.1. Overhead analysis of Δ-camouflaging mobility

Compared with straight-line mobility, Δ-camouflaging mobility incurs extra travel distance, which is called travel overhead. As illustrated in Figure 5, we can compute the travel overhead $\mu_i$ for an itinerary segment i with travel distance $d_i$ ($d_i = |start_i - end_i|$) as follows:

$$\mu_i = \frac{e_i^1 + e_i^2}{d_i} = \frac{e_i^1 + \sqrt{(e_i^1)^2 + (d_i)^2 - 2 d_i e_i^1 \cos\alpha_i}}{d_i} = \frac{e_i^1}{d_i} + \sqrt{\left(\frac{e_i^1}{d_i}\right)^2 + 1 - \frac{2 e_i^1}{d_i} \cos\alpha_i} \qquad (3)$$

From Equation (3), we know that overhead $\mu_i$ is determined by the largest possible $\alpha_i$ (i.e., $\alpha_{max}$) and $\frac{e_i^1}{d_i}$. Figure 7 shows that when $\alpha_i \leq 15^\circ$ and $\frac{e_i^1}{d_i} \leq 0.4$, the travel overhead is always smaller than 0.03. Also, it is easy to control the overhead $\mu_i$ by tuning $\alpha_{max}$ and $\frac{e_i^1}{d_i}$. For instance, if $\frac{e_i^1}{d_i}$ is known and we want the travel overhead to be no larger than $\mu_i$, we can set $\alpha_{max}$ as

$$-\arccos\left(\frac{(d_i)^2 - (\mu_i d_i)^2 + 2\mu_i d_i e_i^1}{2 e_i^1 d_i}\right) \leq \alpha_{max} \leq \arccos\left(\frac{(d_i)^2 - (\mu_i d_i)^2 + 2\mu_i d_i e_i^1}{2 e_i^1 d_i}\right) \qquad (4)$$

Fig. 7. Travel overhead versus $\alpha_i$ and $\frac{e_i^1}{d_i}$.

4.3.2. Privacy analysis of Δ-camouflaging mobility

Now we calculate the itinerary exposure probability. In our evaluation of itinerary privacy, we assume a sufficient number of snoopers are distributed to cover the whole network. Each grid cell has a dimension of 5 × 5 m.

As illustrated in Figure 5, for an itinerary segment i, Δ-camouflaging mobility has a smaller probability of generating matchable transmission prints than straight-line mobility because its transmission prints are distributed to large triangle shapes with area $e_i^1 d_i \sin\alpha_{max}$ instead of a small straight-line shape with area $5d_i$. Hence, Equation (5) calculates the expected value of $\frac{\xi'_i}{\xi_i}$, in which $\xi'_i$ and $\xi_i$ are the number of cells that a node possibly visits when touring itinerary segment i using Δ-camouflaging mobility and straight-line mobility, respectively. Note that when using Δ-camouflaging mobility, it is easy to choose $e_i^1$ and $\alpha_{max}$ to ensure $\frac{\xi'_i}{\xi_i} > 1$.

$$\frac{\xi'_i}{\xi_i} = \frac{e_i^1 d_i \sin\alpha_{max}}{5 d_i} = 0.2\, e_i^1 \sin\alpha_{max} \qquad (5)$$

The calculation of $P'_\tau$ is similar to the calculation of $P_\tau$, the result of which is shown in Equation (6).


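$$P'_\tau(\xi'_i, \xi_i, \omega_i) = 1 - \sum_{s=0}^{\omega_i} \frac{\binom{\omega_i}{s}\, {}^{\xi_i}P_{s} \times (\xi'_i - \xi_i)^{\omega_i - s}}{{\xi'_i}^{\omega_i}} - \sum_{s=2}^{\omega_i} \sum_{k=2}^{s} \frac{\binom{\omega_i}{s} \binom{s}{k}\, \xi_i \times {}^{(\xi_i-1)}P_{(s-k)}\, (\xi'_i - \xi_i)^{\omega_i - s}}{{\xi'_i}^{\omega_i}} \qquad (6)$$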

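Combining Equations (5) and (6), we have

$$P'_\tau(\xi_i, e_i^1, \alpha_{max}, \omega_i) = 1 - \sum_{s=0}^{\omega_i} \frac{\binom{\omega_i}{s}\, {}^{\xi_i}P_{s} \times [0.2\, e_i^1 \xi_i \sin(\alpha_{max}) - \xi_i]^{\omega_i - s}}{[0.2\, e_i^1 \xi_i \sin(\alpha_{max})]^{\omega_i}} - \sum_{s=2}^{\omega_i} \sum_{k=2}^{s} \left[\frac{\binom{\omega_i}{s} \binom{s}{k}\, \xi_i \times {}^{(\xi_i-1)}P_{(s-k)}\, [0.2\, e_i^1 \xi_i \sin(\alpha_{max}) - \xi_i]^{\omega_i - s}}{[0.2\, e_i^1 \xi_i \sin(\alpha_{max})]^{\omega_i}}\right] \qquad (7)$$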

Using Equations (7) and (2), we compare the itinerary exposure probability of straight-line mobility and Δ-camouflaging mobility. We set $\frac{e_i^1}{d_i} = 0.4$ and $\xi_i = 80$. The result is shown in Figure 8. Our results indicate that as $\omega_i$ increases both $P_\tau$ and $P'_\tau$ increase while $P'_\tau$ is significantly smaller than $P_\tau$. For example, when $\omega_i = 32$, $P_\tau$ is 0.99 whereas $P'_\tau$ is only 0.014.

A larger $\alpha_{max}$ will achieve a better itinerary privacy at the cost of a higher travel distance overhead, which is shown in Figures 7 and 8. In contrast, a smaller $\alpha_{max}$ will incur a smaller travel distance overhead but obtain less itinerary privacy. From Figures 7 and 8, we can see that in general cases, Δ-camouflaging mobility reduces the itinerary exposure probability more than 80% with a travel overhead less than 0.03.

Fig. 8. Itinerary exposure probability comparison.
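The exposure analysis of Equations (2), (5) and (6) and the travel cost of Equations (3) and (4), evaluated numerically as an added example (not code from the paper). The function names, the brute-force check and the choice of αmax = 15° (borrowed from Table II) are assumptions of this example; ξ = 80, ω = 32, e1/d = 0.4 and the 5 m cell come from the text.

```python
import math
from itertools import product

def p_tau_straight(xi, omega):
    """Equation (2): exposure probability with omega transmissions on xi cells."""
    p0 = math.perm(xi, omega)                      # every transmission in its own cell
    p1 = sum(math.comb(omega, k) * xi * math.perm(xi - 1, omega - k)
             for k in range(2, omega + 1))         # exactly one cell holds k >= 2
    return 1 - (p0 + p1) / xi ** omega

def p_tau_camouflaged(xi, xi_prime, omega):
    """Equation (6): prints spread over xi_prime cells, xi of them on the segment.
    xi_prime may be fractional, as it is after the substitution of Equation (7)."""
    def off(s):                                    # placements of the off-segment prints
        return (xi_prime - xi) ** (omega - s)
    p0 = sum(math.comb(omega, s) * math.perm(xi, s) * off(s)
             for s in range(omega + 1))
    p1 = sum(math.comb(omega, s) * math.comb(s, k) * xi
             * math.perm(xi - 1, s - k) * off(s)
             for s in range(2, omega + 1) for k in range(2, s + 1))
    return 1 - (p0 + p1) / xi_prime ** omega

def brute_force(xi, xi_prime, omega):
    """Check of Equation (6) by enumeration (small integer inputs only): the share
    of placements in which at least two segment cells hold >= 2 transmissions."""
    exposed = 0
    for cells in product(range(xi_prime), repeat=omega):
        matchable = sum(1 for c in range(xi) if cells.count(c) >= 2)
        exposed += matchable >= 2
    return exposed / xi_prime ** omega

def travel_ratio(r, alpha):
    """Equation (3) as printed, with r = e1/d: the value (e1 + e2)/d, so the
    extra distance travelled is this value minus 1."""
    return r + math.sqrt(r * r + 1 - 2 * r * math.cos(alpha))

def alpha_max_for(mu, r):
    """Equation (4) divided through by d^2: largest angle whose ratio stays within mu."""
    return math.acos(max(-1.0, min(1.0, (1 - mu * mu + 2 * mu * r) / (2 * r))))

def compare(xi=80, omega=32, r=0.4, alpha_max=math.radians(15), cell=5.0):
    """Straight-line versus camouflaged exposure for one segment, plus travel ratio."""
    d = xi * cell                                    # straight strip of xi cells
    e1 = r * d
    xi_prime = xi * e1 * math.sin(alpha_max) / cell  # Equation (5), 1/cell = 0.2
    return (p_tau_straight(xi, omega),
            p_tau_camouflaged(xi, xi_prime, omega),
            travel_ratio(r, alpha_max))

if __name__ == "__main__":
    p, p_cam, mu = compare()
    print(f"P_tau = {p:.4f}  P'_tau = {p_cam:.4f}  (e1 + e2)/d = {mu:.4f}")
```

Setting ξ' = ξ in `p_tau_camouflaged` leaves only the s = ω terms, so Equation (6) reduces to Equation (2); this is a quick sanity check when changing either function.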

4.3.3. Analysis of Δ-camouflaging mobility collision

Now we measure the probability of having a mobility collision, i.e., two or more nodes generating the same Δ-camouflaging mobility. In our model, we assume there are $N_r$ rendezvous in the network and the number of nodes in the network is n. We assume a node has equal probability of choosing any two rendezvous as the endpoints of an itinerary segment.

Equation (8) calculates the probability of having a Δ-camouflaging mobility collision assuming all nodes may simultaneously generate their Δ-camouflaging mobility. Figure 9 shows the collision probability when we vary $N_r$ and n and set $\alpha_{max} = 30^\circ$ and $e_i^1 = 160$ m. From Figure 9, we know that the probability of collision is negligible (< 0.02%).

$$P_{collision}(N_r, \alpha_{max}, e_i^1, n) = 1 - \frac{\prod_{i=1}^{n} \left(N_r \times N_r \times \alpha_{max} \times e_i^1 - i + 1\right)}{\left(2 \times N_r \times N_r \times \alpha_{max} \times e_i^1\right)^n} \qquad (8)$$

5. MARS System Design

Itinerary privacy, correspondent privacy, and route privacy are closely related so that we need to design a system that protects these privacy goals together. From the result of Section 4.3.3, we know the probability of nodes generating the same Δ-camouflaging mobility is negligible. We define the motion pseudonym of a node as a random point on the node’s Δ-camouflaging mobility paths and the corresponding arrival time. For example, $\{L_S, TA_S\}$ is a motion pseudonym of S, in which $TA_S$ is the arrival time of a random location $L_S$ on the Δ-camouflaging mobility of S. Due to the lack of knowledge of the itineraries of nodes, the adversary is unable to correlate a node’s motion pseudonyms with the node. Therefore, the idea behind MARS is to protect correspondent and route privacy of nodes by exploiting the nodes’ motion pseudonyms. In this section, we present the design of MARS. The definition of the notations used in this section can be found in Section 4.1.

Fig. 9. Δ-Camouflaging mobility collision probability.

5.1. Motion Pseudonym Generation and Recognition

When two nodes Alice and Bob want to communicate, they exchange the information of a subset of their itinerary segments based on their negotiated communication periods. Within the negotiated periods, Alice and Bob will be able to generate and recognize the motion pseudonyms of each other using the itinerary information. In order to protect privacy and defend against malicious attacks, Alice does not give out her itinerary information in plain text. Instead, she dispenses a motion pseudonym generator and recognizer function to Bob, which are encrypted using anti-reverse engineering technologies such as Reference [20], so that if Bob is compromised by the adversary, the adversary is only able to identify the motion pseudonyms of Alice but unable to obtain the itinerary of Alice. Meanwhile, since a node does not have the motion pseudonym generator and recognizer function of another node other than during the negotiated communication periods, the man-in-the-middle type of attacks only has limited effects.

The motion pseudonym generator of Alice randomly selects a point and the corresponding arrival time on one of the itinerary segments of Alice as a motion pseudonym of Alice. On the other hand, the motion pseudonym recognizer of Alice can recognize a motion pseudonym of Alice by verifying that the tuple (i.e., location and arrival time) included in the motion pseudonym matches one of Alice’s itinerary segments. We now give an example for verifying whether a motion pseudonym $\{L_1, T_1\}$ matches the itinerary segment shown in Figure 5. First we check whether location $L_1$ is on edge AC or BC. If not, $\{L_1, T_1\}$ is not on the itinerary segment. If yes, we need to further verify that Equation (9) is satisfied, in which $T_A$ is the starting time of the itinerary segment, $L_A$ is the location of A, $L_C$ is the location of C and speed is the traveling speed of the node on the segment. If Equation (9) is satisfied, we know that $\{L_1, T_1\}$ is on the itinerary segment.

$$\begin{cases} T_1 = T_A + \dfrac{|L_A - L_1|}{speed}, & \text{if } L_1 \text{ on } AC \\[2ex] T_1 = T_A + \dfrac{|L_C - L_A| + |L_C - L_1|}{speed}, & \text{if } L_1 \text{ on } BC \end{cases} \qquad (9)$$

5.2. Intuitive Approach

We now give a high-level description of how MARS routes messages. When not knowing the route to D but having a message for D, S broadcasts a RREQ to discover the route to D. S generates a random motion pseudonym of D (i.e., $\{L_D, TA_D\}$) and includes it in RREQ as a trapdoor for D. Upon receiving an unseen RREQ, a node i will try to open the trapdoor by matching the motion pseudonym in the trapdoor to its itinerary segments. If it matches, node i knows that the RREQ is targeted for itself (i.e., it is D) and node i returns a RREP to S. Otherwise, node i appends an unused random motion pseudonym to the RREQ and locally broadcasts the RREQ.

During the process of RREP being propagated from D to S, a node i receiving RREP will check whether it is on the route by verifying that a motion pseudonym of i is included in RREP. If node i is on the route, it stores the motion pseudonyms of the next hop and the previous hop in its routing table to identify the route.

After S receives the RREP, it will be able to send data to the destination by assembling a message M which includes the data, a motion pseudonym on its itinerary as its identifier, a motion pseudonym on D’s itinerary as the identifier of D, and the motion pseudonym corresponding to the next hop on the route to D received in RREP. When a node on the route from S to D receives M, it will find the next hop for M in its routing table based on the motion pseudonym of the previous hop and send M to the next hop. When D receives M, D is able to identify the message source by matching the motion pseudonym of S in M to the itineraries known by D.


5.3. MARS Routing Scheme

MARS routing scheme consists of three phases. Figure 10 illustrates the route discovery of MARS. The route discovery starts from S sending RREQ and ends when S receives RREP.

(1) RREQ phase: In this phase, a RREQ is broadcasted in the network until it reaches D. The RREQ initiated by S is of the format: $\langle \mathrm{RREQ}, L_S, TA_S, L_D, TA_D \rangle$. An intermediate node i receiving a RREQ will verify whether it is the destination by matching $\{L_D, TA_D\}$ to its itinerary. If node i is not the destination and it has not forwarded the RREQ before, it will append $(L_i, TA_i)$ to the RREQ and broadcast the RREQ.

(2) RREP phase: After RREQ reaches the destination D, D will send a RREP to S as follows:

$$RREP_D = \langle \mathrm{RREP}, L_S, TA_S, L_1, TA_1, \ldots, L_i, TA_i, \ldots, L_D, TA_D \rangle$$

Suppose there are h hops between S and D, which means the route from S to D is: $S \to n_1 \to n_2 \cdots \to n_h \to D$. After a node $n_i$ on the route receives a RREP from $n_{i+1}$, it checks whether the pseudonym $(L_i, TA_i)$ in the RREP was generated by itself. If $(L_i, TA_i)$ was generated by $n_i$, $n_i$ knows that it is on the route and it stores the $\{(L_{i-1}, TA_{i-1}), (L_{i+1}, TA_{i+1})\}$ into its routing table as the route pseudonyms to identify its upstream hop and downstream hop. Finally, it revises RREP received and broadcasts it locally. The RREP transmitted by $n_i$ is as follows:

$$RREP_i = \langle \mathrm{RREP}, L_S, TA_S, L_1, TA_1, \ldots, L_i, TA_i \rangle$$

Eventually, S receives RREP and every node on the route from S to D stored its downstream node and upstream node in its routing table.

(3) Data transmission phase: When S needs to send a data message to D, S searches its routing table to find the next hop (i.e., $n_1$) to D. The motion pseudonym of $n_1$ is denoted as $(L_1, TA_1)$. The following message M is generated by S and is unicast to $n_1$

$$M = \langle L_S, TA_S, L_D, TA_D, L_1, TA_1, \mathrm{data} \rangle$$

in which $(L_S, TA_S)$ and $(L_D, TA_D)$ are the random motion pseudonyms of S and D used in route discovery, respectively. When a node i on the route ($S \to n_1 \to n_2 \cdots \to n_i \cdots \to D$) receives M, it will find the route pseudonym of the next hop $n_{i+1}$ according to the route pseudonym of the previous hop (i.e., $(L_{i-1}, TA_{i-1})$ for $i \geq 1$ or $(L_S, TA_S)$ for $i = 1$) from its routing table. Then it revises M and locally broadcasts the revised M to next hop. The revised M sent by $n_i$ is

$$M = \langle L_S, TA_S, L_D, TA_D, L_i, TA_i, L_{i+1}, TA_{i+1}, \mathrm{data} \rangle$$

Fig. 10. Route discovery.
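Sections 5.1 to 5.3 as an added example (not the authors' code): a motion pseudonym generator and recognizer built on Equation (9), followed by the RREQ and RREP phases over a fixed chain S, n1, n2, D. The chain in place of a broadcast flood, the tolerance `TOL`, the class and function names and any coordinates passed in are assumptions of this example; the data transmission phase is not modelled.

```python
import math
import random
from dataclasses import dataclass, field

TOL = 1e-6  # matching tolerance in metres/seconds (assumption; the paper gives none)

def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

@dataclass(frozen=True)
class Segment:
    """Itinerary segment {start, end, alpha, e1, time, speed} of Section 4.3."""
    start: tuple   # rendezvous A
    end: tuple     # rendezvous B
    alpha: float   # camouflaging angle in radians
    e1: float      # displacement walked along alpha before heading for B (> 0)
    t0: float      # starting time T_A
    speed: float

    @property
    def apex(self):
        """Turning point C: e1 metres from A, alpha off the straight line A->B."""
        heading = math.atan2(self.end[1] - self.start[1],
                             self.end[0] - self.start[0]) + self.alpha
        return (self.start[0] + self.e1 * math.cos(heading),
                self.start[1] + self.e1 * math.sin(heading))

    def pseudonym(self, rng):
        """Generator: a random point on A->C->B together with its arrival time."""
        c = self.apex
        u = rng.uniform(0.0, self.e1 + dist(c, self.end))   # distance travelled
        a, b, v = (self.start, c, u) if u <= self.e1 else (c, self.end, u - self.e1)
        f = v / dist(a, b)
        return ((a[0] + f * (b[0] - a[0]), a[1] + f * (b[1] - a[1])),
                self.t0 + u / self.speed)

    def recognizes(self, pseudo):
        """Recognizer: is the location on AC or BC, and does Equation (9) hold?"""
        loc, t = pseudo
        c = self.apex
        if abs(dist(self.start, loc) + dist(loc, c) - self.e1) < TOL:           # on AC
            expected = self.t0 + dist(self.start, loc) / self.speed
        elif abs(dist(c, loc) + dist(loc, self.end) - dist(c, self.end)) < TOL:  # on BC
            expected = self.t0 + (dist(c, self.start) + dist(c, loc)) / self.speed
        else:
            return False
        return abs(t - expected) < TOL

@dataclass
class Node:
    name: str
    itinerary: list                             # this node's own Segments
    table: dict = field(default_factory=dict)   # upstream pseudonym -> downstream

    def is_me(self, pseudo):
        return any(s.recognizes(pseudo) for s in self.itinerary)

def discover_route(path, rng):
    """RREQ from path[0] (S) towards path[-1] (D) along a chain, then RREP back.
    Returns the RREQ as D saw it: [S pseudonym, D trapdoor, hop pseudonyms...]."""
    src, dst = path[0], path[-1]
    # S holds D's generator for the negotiated period. Here S simply reads D's
    # segment; the paper ships an obfuscated function instead.
    rreq = [rng.choice(src.itinerary).pseudonym(rng),
            rng.choice(dst.itinerary).pseudonym(rng)]      # <LS,TAS, LD,TAD>
    for node in path[1:]:
        if node.is_me(rreq[1]):        # trapdoor opens: this node is D
            break
        rreq.append(rng.choice(node.itinerary).pseudonym(rng))  # append, rebroadcast
    else:
        raise LookupError("RREQ never reached a node that recognizes the trapdoor")
    rrep = [rreq[0]] + rreq[2:] + [rreq[1]]   # <LS,TAS, L1,TA1, ..., LD,TAD>
    for node in reversed(path[:-1]):
        i = next(k for k, p in enumerate(rrep) if node.is_me(p))
        upstream = rrep[i - 1] if i > 0 else None   # S has no upstream hop
        node.table[upstream] = rrep[i + 1]
        rrep = rrep[:i + 1]            # RREP_i ends with this node's own pseudonym
    return rreq
```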

5.4. Anonymity Analysis

We now analyze correspondent privacy, route privacy, and itinerary privacy of MARS.

• Correspondent privacy: During route discoveries and data transmissions, S and D are represented by their motion pseudonyms, which are not recognizable to the adversary unless it knows the itineraries of the source and destination. Hence the correspondent privacy is protected.

• Route privacy: From RREQ and RREP messages, the adversary is unable to determine which nodes are on the routes because the identities of the nodes in RREQ and RREP are represented by their motion pseudonyms. Furthermore, when a data message M is forwarded on its route, the adversary can only obtain the motion pseudonyms of S, D, the previous hop and the next hop of M. Hence, the adversary is unable to know the identities of the nodes on the route of the data messages detected.

• Itinerary privacy: MARS relies on Δ-camouflaging mobility to protect itinerary privacy.

5.5. Discussion: MARS in DTN Networks

Motion pseudonyms can be used in MANET and other network scenarios. Here we discuss using motion pseudonyms in delay-tolerant networks (DTNs) to provide correspondent and itinerary privacy. DTN routing [11,21] is quite different from MANET routing since most of the time the network is disconnected and messages are delivered in a store-and-forward manner without constructing a route prior to sending the messages. A message can be stored on an intermediate node for a long time and then forwarded to other intermediate nodes until it reaches the destination. The correspondent privacy of message source and destination and the itinerary privacy of nodes have remained largely unaddressed by existing DTN routing schemes.

Essentially, in DTN we can use the Δ-camouflaging mobility algorithm to protect itinerary privacy and use motion pseudonyms generated by Δ-camouflaging mobility to anonymize the message source and destination. Hence, a message in DTN can be sent using the following format:

$$M = \{L_S, TA_S, L_D, TA_D, seqnum, data\} \qquad (10)$$

in which seqnum is a message sequence number generated by message source S.

When M is forwarded to destination D, D can verify that M is destined to it based on $(L_D, TA_D)$ and identify the message source according to the motion pseudonym of S (i.e., $L_S, TA_S$). Due to the lack of itinerary knowledge, it will be difficult for the adversary to associate motion pseudonyms with the nodes.

6. Performance Evaluation

In this section, we evaluate the influences of Δ-camouflaging mobility algorithm on the network layer performance and the routing performance of MARS. We conduct simulations using the Qualnet Network Simulator [14] and DSR [22] routing protocol. In DSR routing, when a source does not have the route to the destination, it launches route discovery to find the route to the destination.

We focus on comparing the following three metrics:

• Message delivery ratio: This metric measures the percentage of data messages that are delivered to destinations.

• Message delivery latency: This metric measures how long it takes for a data message to be delivered.

• Routing overhead: This metric measures the ratio of the number of bytes sent (data plus control messages) to the number of delivered data bytes.

Table II summarizes the simulation configurations. We run each simulation six times (each with a different random seed) and obtain the results by taking average.

Table II. Simulation configuration.

| Parameter | Value |
|---|---|
| Number of nodes | 64 |
| Terrain dimension | 1024 × 1024 m |
| Simulation time | 800 s |
| Radio model | IEEE 802.11a radio 24 Mb/s |
| Mobility model | RW, RW-Δ, RV, RV-Δ |
| $\alpha_{max}$ | 15° |
| $e_i^1/d_i$ | $0.2 \leq e_i^1/d_i \leq 0.4$ |
| Node speed | 2–14 m/s |
| Message sending speed | Six concurrent traffic flows, each with speed 20–80 pkts/s |
| Data message size | 512 bytes |

One mobility model we use in our simulations is the random-waypoint mobility model or RW in short. In the random waypoint mobility model, a node randomly selects a position, moves to the position, stays there for a period of time and repeats the process again [22]. We then add the Δ-camouflaging mobility to RW model for each movement segment. We denote DSR routing using the RW mobility model as DSR-RW and denote DSR routing using the RW mobility model plus the Δ-camouflaging mobility as DSR-RW-Δ.

Another mobility model we designed for testing the Δ-camouflaging mobility algorithm is the RV mobility model. In contrast to the random movement of the RW mobility model, the movements of the nodes in the RV mobility model follow their itineraries. Here we predefine the itineraries for the nodes. Δ-camouflaging mobility is also added to this model for each itinerary segment. DSR using RV and RV plus Δ-camouflaging mobility alternative are denoted as DSR-RV and DSR-RV-Δ, respectively.

6.1. Influences of Δ-camouflaging Mobility on Network Layer Performance

We first assess the influence of Δ-camouflaging mobility algorithm on network layer performance by comparing DSR routing performance with/without Δ-camouflaging mobility. In our communication model, at any time there are six concurrent transmission flows with randomly-chosen message sources and destinations. In the first set of simulations, we fix data message sending speed to be 40 messages per second and evaluate the routing performance of the above-mentioned mobility models under different mobility speeds. In the second set of simulations, we measure the routing performance of these mobility models under increasing traffic loads when the mobility speed is 4 m/s.

Fig. 11. Comparison of delivery ratio with/without Δ-camouflaging mobility when varying node mobility.

The delivery ratio curves shown in Figures 11 and 12 indicate that all four mobility models are able to deliver more than 99% of the data messages. More importantly, the figures show that, under different node mobility and traffic load conditions, adding Δ-motion causes almost no degradation of message delivery ratio.

From Figures 13 and 14, we can see that the change of delivery latency caused by the Δ-camouflaging mobility is negligible. Also it can be noticed that using the RW mobility leads to a slightly larger latency than using the RV mobility when node moving speed increases. This is because the connectivity of nodes using the RW mobility is more easily influenced by increasing mobility than that of nodes using RV mobility due to the randomness of node movements of RW mobility. Because the movements of nodes using the RV mobility model are determined by their itineraries, the connectivity among the nodes is relatively stable and the delivery latency shows little variation as mobility speed increases.

Fig. 12. Comparison of delivery ratio with/without Δ-camouflaging mobility when varying traffic load.

Fig. 13. Comparison of delivery latency with/without Δ-camouflaging mobility when varying node mobility.

Fig. 14. Comparison of delivery latency with/without Δ-camouflaging mobility when varying traffic load.

Figures 15 and 16 show that Δ-camouflaging mobility algorithm does not increase routing overhead, which is about 4 on average in our simulations. The routing overhead comprises the overhead of transmitting data messages hop by hop on the route from the source to the destination and the message overhead to construct routes (e.g., RREQ and RREP packets). Since the data message size (i.e., 512 bytes) is much larger than the control message size (it takes 2 bytes to describe a hop on a route), in our simulations the routing overhead is primarily determined by the average length of routes. Thus, the overhead difference between the RV and RW mobility models results from their difference on the average length of routes.


Fig. 15. Comparison of routing overhead with/without Δ-camouflaging mobility when varying node mobility.

Fig. 16. Comparison of routing overhead with/without Δ-camouflaging mobility when varying traffic load.

From the simulation results of the RW and RV mobility models under different traffic loads and node mobility speed conditions, we can see that Δ-camouflaging mobility algorithm does not degrade DSR’s routing performance.

6.2. Routing Performance Comparison of MARS and DSR

Next we compare the routing performance of MARS with that of DSR. In this set of simulations, we vary message sending speed from 20 messages to 80 messages per second and fix the node mobility speed to be 4 m/s. Since MARS uses motion pseudonyms to achieve correspondent and route privacy, we first measure the computational overhead of generating/recognizing a motion pseudonym on a Dell Axim X51v handheld PDA with Intel X-Scale 624 MHz processor. We find that when a node x has 63 correspondents and each correspondent of x negotiates 20 itinerary segments with x, it takes less than 1 ms for node x to generate/recognize a motion pseudonym.

Fig. 17. Delivery ratio of DSR and MARS.

The delivery ratios of DSR and MARS are shown in Figure 17. We can see that message delivery ratios of MARS and DSR are very close and both of them are able to deliver at least 98% of the data messages.

Figure 18 shows that the routing overhead of MARS is very close to that of DSR, which is about 4 on average in our simulations. From the previous analysis in this section, the routing overhead is primarily determined by the average length of route.

Moreover, as illustrated in Figure 19, MARS and DSR have an almost identical delivery latency because the anonymization measures of MARS incur a very small computational overhead (less than 1 ms to generate/match a motion pseudonym in our cases).

In summary, from the simulation results, we learn that the routing performance of MARS is close to that of DSR. Δ-camouflaging mobility algorithm and the anonymization measures of MARS only cause very small network layer performance changes.

Fig. 18. Routing overhead of DSR and MARS.


Fig. 19. Delivery latency of DSR and MARS.

7. Conclusion

This paper has described the itinerary privacy attack and a model to measure itinerary privacy. We designed Δ-camouflaging mobility algorithm, which proactively changes nodes’ mobility to protect itinerary privacy of nodes. Through mathematical analysis, we have shown that in general cases, Δ-camouflaging mobility decreases the itinerary exposure probability by more than 80% with less than 3% extra travel distance. In addition, our simulation results show that using Δ-camouflaging mobility does not lead to DSR routing performance degradation under different node mobility and traffic load conditions. Exploiting the motion pseudonyms generated from Δ-camouflaging mobility, we designed MARS anonymous routing scheme to protect correspondent, route and itinerary privacy for MANET wireless communications. MARS anonymous routing scheme does not rely on cryptography nor does it require nodes to change their communication model. Our analysis and simulation results show that MARS has almost the same routing performance as DSR while providing protection for the above stated privacy goals.

References

1. Kong J, Hong X. ANODR: anonymous on demand routing with untraceable routes for mobile ad-hoc networks. In ACM MOBIHOC’03, 2003; 291–302.

2. Song R, Korba L, Yee G. AnonDSR: efficient anonymous dynamic source routing for mobile ad-hoc networks. In SASN’05: Proceedings of the 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks, New York, NY, USA, 2005; 33–42.

3. Boukerche A, El-Khatib K, Xu L, Korba L. SDAR: a secure distributed anonymous routing protocol for wireless and mobile ad hoc networks. In LCN’04: Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN’04), USA, 2004; 618–624.

4. Liu Yang SW, Jakobsson M. Discount anonymous on demand routing for mobile ad hoc networks. In SecureComm, MD, USA, September 2006.

5. Kamat P, Zhang Y, Trappe W, Ozturk C. Enhancing source-location privacy in sensor network routing. In ICDCS’05, USA, 2005; 599–608.

6. Beresford AR, Stajano F. Mix zones: user privacy in location-aware services. In PERCOMW’04, Washington, DC, USA, 2004; 127.

7. Mokbel MF. Towards privacy-aware location-based database servers. In ICDEW’06, Washington, DC, USA, 2006; 93–102.

8. Sampigethaya K, Li M, Huang L, Poovendran R. AMOEBA: robust location privacy scheme for VANET. IEEE Journal on Selected Areas in Communications 2007; 25: 1569–1589.

9. Tao P, Rudys A, Ladd AM, Wallach DS. Wireless LAN location-sensing for security applications. In WiSe’03, New York, NY, USA, 2003; 11–20.

10. Faria DB, Cheriton DR. Detecting identity-based attacks in wireless networks using signalprints. In WiSe’06, New York, NY, USA, 2006; 43–52.

11. Lindgren A, Doria A, Schelen O. Probabilistic routing in intermittently connected networks. In SIGMOBILE Mobile Computing Communications Review, Vol. 7, July 2003; 19–20.

12. Hoh B, Gruteser M. Protecting location privacy through path confusion. Securecomm, 2005; 194–205.

13. Kong J, Wu D, Hong X, Gerla M. Mobile traffic sensor network versus motion-mix: tracing and protecting mobile wireless nodes. In SASN’05, New York, NY, USA, 2005; 97–106.

14. Scalable Network Technologies (SNT). Qualnet Network Simulator, http://www.qualnet.com/

15. Wu X, Bhargava B. AO2P: ad hoc on-demand position-based private routing protocol. IEEE Transactions on Mobile Computing 2005; 4(4): 335–348.

16. Chaum DL. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 1981; 24(2): 84–90.

17. Zheng Q, Hong X, Liu J. An agenda based mobility model. In 39th Annual Simulation Symposium, 2006.

18. Reid D. An algorithm for tracking multiple targets. IEEE Transactions on Automatic Control 1979; AC-24: 843–854.

19. Fox D, Burgard W, Thrun S. Markov localization for mobile robots in dynamic environments. Journal of Artificial Intelligence Research 1999; 11: 391–427.

20. ASProtect. AsPack Software. http://www.aspack.com/

21. Vahdat A, Becker D. Epidemic routing for partially-connected ad hoc networks. In Technical report, Duke University, 2000.

22. Johnson DB, Maltz DA. Dynamic source routing in ad hoc wireless networks. In Mobile Computing, 1996; 153–181.
