Fault Tolerant Triangulation in Distributed Aircraft Networks with Automatic Dependent Surveillance Broadcast (ADS-B)

Daniel Uhlig, Negar Kiyavash and Natasha Neogi
Coordinated Science Laboratory, University of Illinois Urbana-Champaign
Email: {duhlig2, kiyavash, neogi}@illinos.edu

Abstract—Air traffic control relies on the ability of aircraft to determine their position, and effectively project the position of surrounding aircraft, in order to avoid conflicts. However, not all aircraft in the National Airspace System possess the same fidelity of equipage; sensors can range from modern GPS to old-fashioned pressure gauges. In this work, we present a novel framework for a fault tolerant triangulation algorithm for aircraft in the presence of Automatic Dependent Surveillance Broadcasts. Additionally, we propose a practical randomized algorithm within the framework, which efficiently detects incorrect measurement broadcasts. The algorithm comes to a consensus regarding its positioning to within a specified tolerance of consistency and reliability. Theoretical bounds necessary for correct termination in a minimized number of iterations are developed for both faulty and collusive (Byzantine) aircraft. An optimal ratio approaching 1:1 of correct to collusive aircraft in order to successfully terminate is derived, which is a novel result in the field of collusive fault tolerance in a distributed setting. The performance of the proposed algorithm is evaluated and compared to state-of-the-art robust positioning algorithms, both for accidental faults and colluding attackers. While our method performs the same or better compared to the other algorithms against collusion attacks, it is significantly more robust to accidental faults, in terms of both the position estimation error and attack diagnosis and isolation.

I. INTRODUCTION

Automated Dependent Surveillance Broadcast (ADS–B) is the state-of-the-art technology employed for inter-aircraft communication in today’s National Airspace System (NAS). All commercial aircraft are ADS-B equipped. A typical ADS–B message can contain the aircraft’s unique identifier, its position, velocity and heading, among other things. As air traffic spreads out, it is possible for the number of aircraft within ADS–B range of a location to become small. Air traffic is divided into sectors for air traffic controllers to manage, with each controller designed to typically handle 20-30 aircraft. In busy airspace, the sectors are small, while in areas with little overflight, the sectors can be quite large. As the number of ADS–B aircraft decreases, the opportunity for a few malicious nodes to affect the system becomes more pronounced. Location information, based on the position of sensor nodes, is useful in networks with varying node capabilities. Networks must handle faulty nodes. Depending on the level of oversight in the network, differing incorrect behaviors must be handled. Networked agents with different properties must interact to achieve greater overall information. The research application studied in this paper is the ADS-B aircraft communication network. The network was selected because of the available data (accurate time, position, speed) and the fact that there is some level of government oversight over this emerging technology. GPS has seemingly solved the positioning problem for many users, but shortcomings still exist [1]. A variety of methods relying on alternative broadcast data have been proposed to overcome these shortcomings. One method employs existing radio signals, such as radio or TV, to triangulate within cities [2]. Triangulation based on existing signals must be subjected to more robust metrics to filter out faulty or malicious data. ADS-B information is available anywhere there is air traffic, including most large urban areas, since large international airports have significant air traffic and hence ADS-B signals. Beyond ADS-B, the ideas within this paper can be applied to numerous applications, such as undersea buoy navigation systems [3]. In this paper we look at the mixed equipage scenario, where there are position-aware and non-aware nodes. Through communication, the non-aware nodes can gather additional information. However, establishing the trustworthiness of a received broadcast becomes a major issue, and the ability of these non-aware nodes to correctly conclude their position is highly dependent on the accuracy of the broadcast. Aircraft are not allowed to query other aircraft directly, so it becomes a problem of detecting outliers, and removing untrustworthy aircraft broadcast messages from each successive iteration. In this paper, we outline an algorithm that is fault tolerant to both malicious and accidentally faulty aircraft broadcast messages.
The theoretical results derived improve upon the fundamental result of Byzantine fault tolerance for consensus, where generally the number of malicious aircraft must be slightly less than one third of the total number of aircraft. Our algorithm is able, in the theoretical limit, to tolerate a ratio approaching 1:1 of correct aircraft to Byzantine (or colluding) aircraft. In the face of purely accidental faulty aircraft (non-colluding), the algorithm is able to terminate correctly even when the number of faulty aircraft significantly outnumbers correct aircraft. A theoretical upper limit to the number of iterations necessary for algorithmic convergence is shown, and experimental simulations of scenarios improve greatly upon these limits. A comparison with other work in position detection is explored, and complexity results are highlighted with reference to state-of-the-art algorithms presently in use.

II. RELATED WORK AND OUTLINE

Several popular position estimation algorithms that do not use GPS-like infrastructure are presented in [4], [5], [6]. Li et al. propose the use of robust outlier detection statistical models to achieve robust position estimation [7]. They propose a probabilistic approximation to the least median of squares (LMS) approach [8] in order to circumvent computational complexity. Liu et al. presented a greedy algorithm to filter out the attacker’s data on the basis of a consistent minimum mean square error (MMSE) criterion between received measurements from multiple beacons [9]. As shown in [10], the approach of Kiyavash and Koushanfar removes the anomalies in a shorter runtime than both the greedy algorithm of [9] and LMS, with superior accuracy. For accidental faults, the performance of all three algorithms is comparable, with the algorithm of [10] having a slight edge. However, when attackers collude, the new approach clearly dominates both the greedy algorithm of [9] and LMS. In the context of sensor networks, randomized consensus has been applied to distributed object tracking [11] and time synchronization [12]. The Byzantine generals problem is one of the most studied scenarios in computer science [13], [14], [15]. The problem arose during the design of a provably correct aircraft control system, where no assumptions could be made regarding the nature of faults. The seminal paper of Lamport [16] demonstrated that consensus under the presence of failures could be reached in a distributed synchronous system only if the number of faulty agents was less than one third of the correct agents. Fischer and Lynch provided a lower timing bound on the number of rounds necessary to reach consensus [17].
Furthermore, they developed the impossibility result that there is no algorithm that will guarantee consensus in the presence of failures in a distributed asynchronous system. Turpin and Coan [18] showed that any value representable by k bits could be agreed upon by performing k iterations of the consensus algorithm. Once again, it is shown that there must be more than three times as many correct messages as incorrect messages, even in the case of only needing to reach approximate agreement. Dolev and Reischuk [19] give a lower bound on the message size necessary to reach consensus. It should be noted that Byzantine agreement becomes much simpler if messages are authenticated or signed. Trivially, the connectivity of the communication graph must exceed the number of faulty agents. Dolev and Reischuk gave an algorithm that uses authenticated messages and is linear in the number of faulty agents, both in terms of communication rounds and messages, which they prove is a lower bound [19]. In practice, cryptographic techniques may be used for authentication if the associated overhead is not prohibitive. The remainder of the paper is organized as follows: the problem of aircraft positioning using ADS-B is described in Section III. In Section IV, we describe the geometrically feasible collusion strategies. We explain our proposed algorithm for attack-resistant position discovery in Section V. Sections VI and VII describe theoretical bounds for correct termination of our proposed algorithm and the methodology for selection of its parameters, respectively. A variant of our algorithm suited for dynamic elimination of accidental faults appears in Section VIII. A comparison of the performance of our proposed algorithm with regard to accidental faults and collusion attacks against other state-of-the-art algorithms, as well as its implementation cost, obtained from computer simulations, is presented in Section IX. Finally, we interpret our results in the context of the field in Section X.

III. PROBLEM STATEMENT

A. ADS-B

Not all aircraft are ADS–B enabled. In fact, the vast majority of non-commercial, general aviation aircraft do not possess onboard GPS capabilities. The ability of these general aviation aircraft to determine their position currently relies on a ground-based network of navigational beacons, established primarily in the 1960s. These beacons broadcast their position continuously, and can be omni-directional; they are often used to verify range, as well as the azimuthal angle of the aircraft. This requires that these general aviation aircraft adhere to precise flight plans that overfly these beacons at regular intervals. Naturally, this places a burden on the air traffic controller to monitor the conformance of these aircraft. General aviation aircraft require strict oversight, as they account for up to approximately 80% of all aircraft accidents and incidents. There is a great deal of congestion over the commonly flown airways that link proximal beacons, as all aircraft wish to fly the shortest route between them, in a straight line. These general aviation aircraft commingle with commercial aircraft, though they are almost always separated by large altitude differences.
Since ADS–B is not, at present, an encrypted broadcast, general aviation aircraft can access the messages broadcast by ADS–B enabled aircraft. If a general aviation aircraft is equipped with an ADS–B receiver tuned to the Mode–S range of frequencies, it can theoretically eavesdrop on all ADS-B traffic within broadcast range. Based on these eavesdropped messages, it becomes possible for general aviation aircraft to triangulate their position, as long as there are sufficient ADS–B enabled aircraft within their proximity. As ADS–B becomes more prevalent in highly instrumented aircraft, at any given location the data will be available from numerous sources within range of a receiver. The instrumented aircraft form a grid of moving sensors continually broadcasting position information. Using this network and triangulation methods, the receivers (non-ADS-B-enabled aircraft) can discover their position. The ADS–B protocol facilitates datalink communication between enabled aircraft [20]. It automatically broadcasts at regular (1 Hz) intervals without pilot input. ADS–B is a dependent surveillance technology, since it relies on the existing navigation solution produced by the aircraft’s onboard sensors and flight management system. The signal is received by everyone within range of the broadcast. The goal of ADS–B is to relieve airspace congestion by increasing awareness of air traffic. The signals can be broadcast on a number of different frequencies, but generally they are restricted to approximately the 900-1100 MHz band. For the treatment of this paper, we consider the Mode-S solution (1030/1090 MHz) as the carrier frequency, but the ideas expounded can be generalized to other frequencies. ADS–B broadcasts have a 90% probability of reception at 150 km, decreasing to 0% at 190 km [21]. The ADS–B broadcast contains a number of different parameters that are updated for each new packet. The parameters included are still being finalized, but the position, velocity and time (based off GPS) form the most basic layer [22]. When many aircraft are broadcasting ADS–B information within range, they form a sensor network of beacons that can be utilized by receivers. By combining time stamp and location information, the receivers can triangulate their own location within the sensor network of aircraft.

B. Limitations and Ordering of ADS-B Broadcast

The ADS–B protocol is designed to broadcast at a frequency of 1 Hz. There is an implicit assumption of synchronicity, as all ADS–B aircraft are assumed to be broadcasting at the same rate. The ADS–B enabled aircraft (or beacons, as we often refer to them) in the ADS-B network are unreliable black boxes. Each node operates with its own goals (delivering cargo or passengers to an airport), and the information being broadcast is not guaranteed to be reliable, as the hardware and software are situated onboard the aircraft. However, all legitimate aircraft in the National Airspace System must operate under stringent FAA regulations. The regulations and oversight do not guarantee data correctness, but they do limit malicious actions.
An incorrect broadcast message can be sent by an aircraft in one of two fashions: the data can be incorrect either due to faulty sensors or transmission errors, or a malicious aircraft can alter the parameters of its broadcast. Sensor faults can occur at any time due to inaccuracies in GPS measurements, or other instrumentation problems. The malicious aircraft can modify anything within the message (time stamp, position, velocity) to deceive a receiver node. However, it cannot modify the time at which the message is received by the other aircraft within broadcast range. If an airline-wide fault causes all ADS-B broadcasts from one airline (or airplane type) to be incorrect in a similar fashion, multiple correlated accidental faults can occur that will seem collusive. While oversight of the ADS-B network limits the extent of faults, the algorithm presented was designed to handle widespread faults and colluding aircraft. The order in which the messages are received, as well as the unique identifier that is associated with a beacon, cannot be altered. Thus, under ADS-B, the aircraft implement a totally ordered broadcast protocol. Messages are processed in the order in which they arrive. An aircraft position measurement that does not correspond to the time it would have taken to arrive at the receiver node can easily be identified. Similarly, a message arrival that purports to be from a further distance, but arrives before a closer broadcast message, is easily discerned. Thus, there is an inherent assumption of rate synchronization of the broadcasts.

C. Triangulation

Existing triangulation methods [23] are implemented to resolve the GPS positioning problem. They take the location of each broadcast beacon (satellite) along with a time stamp and calculate a travel time between the beacon and receiver. The travel time is proportional to the distance between the two nodes. The intersection of four spheres can uniquely define a single point in three-dimensional space [24]. These concepts underpin the GPS navigation system [25]. To find the intersection of spheres, we begin with the following equation. The sphere i is centered at $(x_{oi}, y_{oi}, z_{oi})$ with radius $r_i$:

$$(x - x_{oi})^2 + (y - y_{oi})^2 + (z - z_{oi})^2 = r_i^2 \quad (1)$$

For four independent sphere equations, there is a single point at which they intersect. There can be a number of degenerate cases wherein the spheres do not intersect or the equations are not independent. Aircraft are primarily deconflicted using altitude separation. It is crucial for aircraft that are at the same altitude to be aware of their relative position, thereby leading to a two-dimensional formulation of the problem. Hence, we concentrate on triangulation in two dimensions, where the intersection of three circles can uniquely define a single point [26]. There are also a number of degenerate cases where the intersection does not result in a point (i.e. two of the circles are identical, etc.). The process used to solve for the common point of intersection begins with finding the points of intersection of any two of the circles. After checking that the circles intersect non-degenerately, the two points of intersection are found. The geometry is shown in Figure 1 and the triangulation algorithm is outlined below [27].

Fig. 1. The geometry of circle-circle intersection

The two circles centered at $(x_{o1}, y_{o1})$ and $(x_{o2}, y_{o2})$ with radii $r_1$ and $r_2$ are defined by the equations:

$$(x - x_{o1})^2 + (y - y_{o1})^2 = r_1^2 \quad (2)$$

$$(x - x_{o2})^2 + (y - y_{o2})^2 = r_2^2 \quad (3)$$

First, the distance between the circle centers is found:

$$x_d = x_{o2} - x_{o1} \quad (4)$$

$$y_d = y_{o2} - y_{o1} \quad (5)$$

$$d = \sqrt{y_d^2 + x_d^2} \quad (6)$$

The points of interest are on a line perpendicular to the line that connects the circle centers. The two lines intersect at a point labeled H. This point is at distance a from the center of the first circle.

$$a = (r_1^2 - r_2^2 + d^2)/(2d) \quad (7)$$

$$H_x = x_{o1} + (x_d\, a/d) \quad (8)$$

$$H_y = y_{o1} + (y_d\, a/d) \quad (9)$$

The length of v can be found using a and the radius of the first circle, via the Pythagorean theorem. This is the final piece of data needed to find the two possible points of intersection. The points of intersection are:

$$p_x = H_x \pm v\,(y_{o2} - y_{o1}) \quad (10)$$

$$p_y = H_y \pm v\,(x_{o2} - x_{o1}) \quad (11)$$

Once the two points are found (via ±), the correct point can be selected by verifying the distance between each potential point and the third circle. The point that lies on the third circle is the point of intersection. This is the fundamental principle upon which all two-dimensional triangulation is based. If the three circles do not result in an intersection, then the triangulation fails to find a common point and generates an error with no point of intersection.

IV. COLLUDING STRATEGIES

In this section, we study the worst-case collusion strategy. Malicious aircraft have long been a concern in military aviation. The military equivalent of the ADS–B communications protocol is heavily encrypted. At present, ADS–B is not encrypted, leaving the application vulnerable to eavesdropping, spoofing and tampering. The presence of malicious airborne aircraft that attempt to hide or misrepresent their position and flight plans is a concern in the National Airspace System. The classic example of such an instance occurred when several hijacked aircraft switched off their Mode-C transponders. On September 11, 2001, United Flight 93 switched off its Mode-C transponder while crossing paths with Delta Flight 1989 over the Cleveland Enroute Center. This resulted in the conforming aircraft being mistaken for the hijacked aircraft. Delta Flight 1989 was forced to land in Cleveland, Ohio, and the passengers and crew were detained for several hours under the highest security. Malicious behavior in civil aviation aircraft is not limited to hijacking situations. Since commercial aircraft are penalized for delayed arrivals at airports, airlines have a vested interest in making sure all of their aircraft arrive in a timely fashion. Since delayed arrivals mean a potential loss of landing slot and gate, an airline would wish for its own aircraft to arrive at a common destination before that of another carrier. This leads to corporate maliciousness, where aircraft of a given airline collude to ensure that all of them misrepresent their positions to aircraft of a different airline. For example, if there is a thunderstorm in a sector, and several aircraft of the same airline are present, they may misrepresent their trajectories. This will cause other aircraft to believe the thunderstorm is in a different area, and may result in delays on their part. If we consider a malicious aircraft as possessing the ability to intelligently and consistently misrepresent itself to other aircraft, it becomes difficult to determine the position of a given aircraft. Consider three ADS–B enabled aircraft (i.e. A, B, and C in Figure 2), one of which is non-conforming (i.e. C), and a single aircraft P attempting to triangulate its position with respect to the three aircraft. Assume, without loss of generality, that aircraft A and B broadcast their messages simultaneously (containing position, velocity and unaltered time stamp). The messages are received by the aircraft P at times $t_A$ and $t_B$ respectively. Since the protocol is a totally ordered broadcast, the message which is received first must originate from a closer source than the second message. The onboard computer of P converts the time difference in receiving the signals into the distance difference:

$$|t_A - t_B|\, v_c = |\vec{PA}| - |\vec{PB}| \quad (12)$$

Fig. 2. Triangulation with ADS-B

where $v_c$ is the speed of light. For $t_A > t_B$, this locates the aircraft P on one branch of the hyperbola defined by:

$$\frac{x^2}{a^2} - \frac{y^2}{b^2} = 1 \quad (13)$$

where:

$$|\vec{PA}| - |\vec{PB}| = \pm 2a \quad (14)$$

$$\left|\frac{\vec{AB}}{2}\right|^2 = a^2 + b^2 \quad (15)$$

and the x-axis lies along the line $\vec{AB}$ with the origin taken at its midpoint. Now, the message from the third aircraft C is used to fix the position of the aircraft P on the branch of the hyperbola given by (13). However, for any two broadcasting aircraft, there are only two points at which the receiving aircraft can be: P and $\tilde{P}$, where $\tilde{P}$ is the reflection of P on the hyperbolic branch about the x-axis. If C is faulty, and generates randomly incorrect broadcasts, then the triangulation using (A, B, C) will most likely not generate a position. Any faulty broadcast of C that results in a successful triangulation must place the aircraft at $\tilde{P}$. However, C’s faulty behavior will become apparent after several successive broadcasts. P can store its possible position pairs $\{P, \tilde{P}\}_{(A,B)}$ with respect to the broadcasting aircraft (A, B). Given that P knows its own velocity $\vec{v}$, and receives successive broadcasts from the pair (A, B), P can then compare its projected positions $\{P + \vec{v}\Delta t, \tilde{P} + \vec{v}\Delta t\}$ to the elements of the position pair $\{P', \tilde{P}'\}_{(A,B)}$. Unless C’s second broadcast is consistent with the position $\tilde{P}'$, as well as with P’s velocity and its own, it will be revealed as being faulty. Thus, to estimate its position, instead of processing broadcasts from a large number of aircraft, P could start with the smaller subset of its nearest three neighbors. P can then determine whether or not a consistent position is achieved by processing the broadcasts of all pairings over two successive broadcast intervals. If C does not create its initial and successive broadcasts such that they are consistent with the velocity of P, as well as the projected position and velocity of one of the two other aircraft (say B), it will be identified as faulty in the second round of broadcast. This will result in P gaining the correct estimate of its position.
For C to be consistently faulty over several successive broadcasts, C must be able to adjust the timestamp of its broadcasts. The time at which its broadcast is received by P must reflect the parameterized trajectory given by one of $\{P(t), \tilde{P}(t)\}_{(C,B)}$ and be consistent with the velocity of P. This would require that C either alter its broadcast rate (or time stamp), or that there exists a flight trajectory for C such that $|\vec{CP}(t)| = |\vec{CP}_{(C,B)}|$ for all successive broadcast times. Since the broadcast rate of ADS–B equipment is fixed via both hardware and software mechanisms, it is extremely difficult to alter the broadcast rate in a real-time, adaptive fashion, as would be required to continuously drive the position selection to $\tilde{P}(t)_{(C,B)}$. ADS–B broadcasts are assumed to be rate synchronous. The original timestamp of the ADS–B message is far easier to alter; it can be done by simply resetting the internal clock of the broadcast mechanism. However, it is not trivial for an aircraft to pretend to be a farther distance (d′) away than it actually is from a given aircraft (d). It would have to alter its position and timestamp to make the message appear to have been sent prior to its actual broadcast time. The message must appear to traverse the distance d′ in the allotted time between the fake timestamp and the time at which it is received. This constrains the malicious aircraft to being able to lie effectively to only one aircraft in any given broadcast. Furthermore, in that first malicious broadcast, it is immediately exposed to all other aircraft. Its broadcast position and timestamp would obviously be inconsistent for all other aircraft, unless the other aircraft are exactly distance d from the malicious aircraft. If there is a flight trajectory for C such that $|\vec{CP}(t)| = |\vec{CP}_{(C,B)}|$ for all successive broadcast times, C must be able to fly an extremely precise route with respect to P and B. Considering the oversight of the ADS–B network, such behavior would be quickly detected by all other aircraft, as well as by air traffic control authorities. If an additional aircraft D is considered, even if it is faulty, after two successive broadcasts C will be revealed as faulty, unless C and D are both in collusion. Thus, for a malicious aircraft to go undetected, it must be able to either successively alter its broadcast rate (or time stamp), or it must be consistent with respect to at least two of the other conforming aircraft, and collude with all other non-conforming aircraft. Statistically, only a small number of aircraft need be sampled over two subsequent broadcasts in order to identify maliciousness. More generally, the malicious aircraft can lie for one broadcast, then resume correct behavior, or it can remain faulty for several successive (or all) broadcasts. If an aircraft periodically injects faults at every k-th broadcast, it will be detected if there is a common aircraft in the network for 2k + 1 successive broadcasts under regular flight rules. It is certainly possible for a set of aircraft to be in collusion with one another.
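The two-broadcast check just described, written out as an added example that is not part of the paper: P keeps the candidate pair {P, P̃} obtained with the pairing (A, B), projects both candidates with its own velocity, and then asks whether the candidate that C's next broadcast selects is one of those projections. The beacon layout, P's velocity and the two versions of C's range are constructed sample values; A and B are assumed stationary between the two broadcasts.

```python
"""Two-broadcast consistency check from Section IV (added example, not the paper's code).

P~ is the reflection of P about the line through A and B, so both points share
the same |PA| - |PB| and lie on the same hyperbola branch.  A faulty C can at
best steer the third-circle selection to P~, and that choice must survive the
projection by P's own velocity in the next broadcast interval.
"""
import math


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def reflect_across_line(p, a, b):
    """P~: mirror image of p about the line through beacons a and b."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    t = ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / (dx * dx + dy * dy)
    fx, fy = a[0] + t * dx, a[1] + t * dy          # foot of the perpendicular from p
    return (2 * fx - p[0], 2 * fy - p[1])


def check_third_beacon(prev_pair, new_pair, vel, dt, c_pos, c_range, tol):
    """Return (position selected via C, C_is_suspect).

    prev_pair, new_pair: the {P, P~} candidates from two successive (A, B) pairings.
    C's reported range picks one candidate of new_pair; that candidate must also
    coincide with the projection of some previous candidate by P's velocity.
    Caveat: if vel is parallel to the line AB, P~ projects onto P~' as well and a
    consistently faulty C is not exposed by this check alone.
    """
    chosen = min(new_pair, key=lambda q: abs(dist(q, c_pos) - c_range))
    if abs(dist(chosen, c_pos) - c_range) > tol:
        return None, True                          # C fits neither point: triangulation fails
    projected = [(p[0] + vel[0] * dt, p[1] + vel[1] * dt) for p in prev_pair]
    matches = any(dist(chosen, q) <= tol for q in projected)
    return chosen, not matches


def run_scenario(c_pos, c_range_second_broadcast):
    """Constructed scenario: A and B on the x-axis, P flying from (40,25) with velocity (2,1)."""
    A, B = (0.0, 0.0), (80.0, 0.0)
    vel, dt = (2.0, 1.0), 1.0
    p1 = (40.0, 25.0)
    p2 = (p1[0] + vel[0] * dt, p1[1] + vel[1] * dt)  # true position one interval later
    pair1 = (p1, reflect_across_line(p1, A, B))      # {P, P~} from the first broadcast
    pair2 = (p2, reflect_across_line(p2, A, B))      # {P', P~'} from the second
    return check_third_beacon(pair1, pair2, vel, dt, c_pos, c_range_second_broadcast, tol=0.5)


def honest_c():
    c = (10.0, 30.0)
    return run_scenario(c, dist(c, (42.0, 26.0)))    # range to the true P'


def faulty_c():
    c = (10.0, 30.0)
    return run_scenario(c, dist(c, (42.0, -26.0)))   # range that only fits P~'


if __name__ == "__main__":
    print("honest C:", honest_c())
    print("faulty C:", faulty_c())
```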
The larger the set of collusive aircraft, the greater the number of communications necessary from non-collusive aircraft in order for a triangulating aircraft to determine its correct position. Of course, if there are more collusive aircraft than correct aircraft at all times, it becomes impossible to distinguish the collusive set from the correct set. Thus, a triangulating aircraft cannot estimate its position correctly. The question of interest becomes: What is the minimum ratio of correct aircraft to collusive aircraft sufficient for correct termination? This greatly resembles the problem of reaching consensus in a distributed setting in the presence of faulty and possibly malicious agents, called the Byzantine Generals Problem. Consider the Byzantine Generals problem for processors executing in a distributed environment. If m processors (one of which is the source processor) try to agree on a value of 0 or 1, and messages can be passed, is there an algorithm whereby:

1) Each correct processor terminates with the same value.
2) If the source processor is correct, all correct processors terminate with the source processor’s value.

In a Byzantine synchronous system, consensus can be reached if and only if there are m ≥ 3k + 1 processes when k of the processes can fail. This is the landmark result of Byzantine consensus in synchronous distributed systems [16], [17]. This leads us to the next section, where we study the problem of triangulation in a distributed synchronous environment.

V. FAULT TOLERANT TRIANGULATION ALGORITHM FOR A DISTRIBUTED AIRCRAFT NETWORK

Let us formally define the problem of triangulation in the static sense. Consider N ADS-B aircraft, each of which sends a message consisting of one vector containing its own current position (x, y), velocity (Vx, Vy), and time t. The algorithm receives one vector from each aircraft, and thus a matrix of N vectors.

Instance. The problem is composed of:
• an aircraft with unknown location $s_0 = (x_0, y_0)$
• a set S of N ADS–B broadcasts, where each broadcast contains the position, velocity and time information tuple $(x_n, y_n, Vx_n, Vy_n, t_n)$ corresponding to the n-th ADS–B enabled aircraft, where
  – $s_n = (x_n, y_n)$ is the coordinates of the n-th aircraft
  – $(Vx_n, Vy_n)$ is its velocity
  – $t_n$ is the time of the broadcast
• a consistency metric $\delta(s_n, s_0)$
• a consensus threshold $C_t$

Problem. Find an estimate for the unknown coordinates of $s_0$, denoted by $\hat{s}_0 = (\hat{x}_0, \hat{y}_0)$, such that it is at least δ-consistent with $C_t$ tuples in the set S of messages. A measurement $(x_n, y_n)$ is δ-consistent with the estimate $\hat{s}_0$ if and only if $\delta(s_n, \hat{s}_0)$ is within a given confidence interval CI. We call the set of points δ-consistent with the estimate $\hat{s}_0 = (\hat{x}_0, \hat{y}_0)$ the consensus set of $\hat{s}_0$. The parameter $C_t$ is the consensus threshold (i.e., the minimum size of the consensus set). We choose the metric δ as the Euclidean distance.

A. Attack Model

In our attack model, malicious aircraft modify the position measurements without any restrictions. However, each aircraft has a unique identifier coded into its ADS–B broadcasts. This identifier is not modifiable, so the same attacker cannot impersonate other aircraft. Thus, at any round, data from a malicious aircraft is entered only once in the overall data set available to the receiver aircraft.

B. Position Estimation in Presence of Faulty and Malicious Aircraft

In the presence of faulty broadcasts, we seek to construct a good estimate of the unknown. A good estimate is one that is consistent with benign measurements and differs from the incorrect measurements according to a given criterion. In our proposed framework, this criterion is a consistency metric δ. The metric δ is selected by the user and is driven by the nature of the incorrect messages, i.e., the statistical properties of the faults, or the likelihood of collusive attacks.

C. Fault Tolerant Triangulation Algorithm

Unlike the previous approaches to fault tolerant position estimation under consensus [8], [7], [9], which use as much data as possible to estimate the unknown coordinates, our approach starts by picking a small (but sufficient) subset of the data and subsequently augments it with consistent data. The proposed framework arbitrarily selects an initial subset and employs a randomized algorithm to determine the set of consistent measurements. The pseudocode is formally stated in Algorithm 1.

Algorithm 1. Fault Tolerant Triangulation
Input: set S of N messages, δ-consistency interval CI, consensus threshold $C_t$, maximum number of iterations $i_{max}$.
1. Initialize i = 1, L = ∅;
2. While (i < $i_{max}$) {
3.   Randomly draw a unique subset $S_i$ of size 3 from S\L¹;
4.   Use $S_i$ to estimate the position $\hat{s}_0$;
5.   Calculate K, the number of δ-consistent points with respect to the estimate $\hat{s}_0$ in S\$S_i$;
6.   If (K > $C_t$) {
7.     Form a new estimate $\hat{s}_0$ from the K consistent points;
8.     Terminate the program and return $\hat{s}_0$; }
9.   Increment L ← $S_i$;
10.  Increment i; }
11. Terminate the program by announcing failure
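An executable rendering of Algorithm 1 on top of the circle triangulation of subsection III-C, as an added example that is not the paper's code. Each message is reduced to (x_n, y_n, r_n), the beacon's reported position and the range implied by its time stamp; the beacon layout, range noise, the two accidental faults and the point the three colluders agree on are all constructed sample input, and the final estimate uses a linear least-squares fit over the consensus set as a stand-in for the paper's unspecified MMSE step.

```python
"""Algorithm 1 with the two-circle intersection of Eqs. (2)-(11) (added example)."""
import math
import random

TRUE_POS = (40.0, 25.0)   # receiver's real position, used only to build the sample
FAKE_POS = (15.0, 52.0)   # the point three colluding beacons agree on (constructed)


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def circle_intersection(c1, r1, c2, r2, tol=1e-6):
    """The two points where two circles meet, or None in the degenerate cases."""
    xd, yd = c2[0] - c1[0], c2[1] - c1[1]          # Eqs. (4)-(5)
    d = math.hypot(xd, yd)                         # Eq. (6)
    if d < tol or d > r1 + r2 + tol or d < abs(r1 - r2) - tol:
        return None                                # coincident, disjoint or nested circles
    a = (r1 * r1 - r2 * r2 + d * d) / (2 * d)      # Eq. (7)
    hx, hy = c1[0] + xd * a / d, c1[1] + yd * a / d  # Eqs. (8)-(9): point H
    v = math.sqrt(max(r1 * r1 - a * a, 0.0))       # Pythagoras; clamp near-tangent noise
    # v along the unit normal to the centre line gives the +/- candidates of (10)-(11)
    return ((hx + v * yd / d, hy - v * xd / d), (hx - v * yd / d, hy + v * xd / d))


def triangulate(b1, b2, b3, ci):
    """Step 4: the candidate that lies on the third circle (within ci), else None."""
    cands = circle_intersection(b1[:2], b1[2], b2[:2], b2[2])
    if cands is None:
        return None
    best = min(cands, key=lambda p: abs(dist(p, b3[:2]) - b3[2]))
    return best if abs(dist(best, b3[:2]) - b3[2]) <= ci else None


def is_consistent(beacon, est, ci):
    """delta-consistency with Euclidean delta: the range residual lies within CI."""
    return abs(dist(beacon[:2], est) - beacon[2]) <= ci


def least_squares_fix(beacons):
    """Step 7 stand-in (assumption): subtract circle 1 from every other circle
    equation, which is linear in (x, y), and solve the 2x2 normal equations."""
    x1, y1, r1 = beacons[0]
    sxx = sxy = syy = bx = by = 0.0
    for x, y, r in beacons[1:]:
        ax, ay = 2 * (x - x1), 2 * (y - y1)
        b = r1 * r1 - r * r + x * x - x1 * x1 + y * y - y1 * y1
        sxx, sxy, syy = sxx + ax * ax, sxy + ax * ay, syy + ay * ay
        bx, by = bx + ax * b, by + ay * b
    det = sxx * syy - sxy * sxy
    if abs(det) < 1e-9:
        return None                                # collinear consensus set
    return ((syy * bx - sxy * by) / det, (sxx * by - sxy * bx) / det)


def fault_tolerant_triangulation(S, ci, ct, imax, seed=7):
    """Algorithm 1: refined estimate of s0, or None when no consensus set is found."""
    rng = random.Random(seed)
    n = len(S)
    tried = set()                                  # L: lexicographically sorted triplets
    max_triples = n * (n - 1) * (n - 2) // 6
    i = 1
    while i < imax and len(tried) < max_triples:   # Step 2
        si = tuple(sorted(rng.sample(range(n), 3)))
        if si in tried:
            continue                               # Step 3: redraw without incrementing i
        tried.add(si)                              # Step 9
        est = triangulate(S[si[0]], S[si[1]], S[si[2]], ci)
        if est is not None:
            rest = [S[k] for k in range(n) if k not in si]
            k_cons = sum(is_consistent(b, est, ci) for b in rest)   # Step 5
            if k_cons > ct:                                         # Step 6
                consensus = [b for b in S if is_consistent(b, est, ci)]
                return least_squares_fix(consensus)                # Steps 7-8
        i += 1                                     # Step 10
    return None                                    # Step 11


def build_sample_messages():
    """Constructed input: 8 good beacons, 2 accidental faults, 3 colluders (N = 13)."""
    good = [(0, 0), (80, 0), (0, 60), (80, 60), (40, 0), (40, 60), (10, 30), (70, 20)]
    noise = [0.03, -0.04, 0.02, -0.01, 0.05, -0.03, 0.01, -0.02]
    msgs = [(float(x), float(y), dist((x, y), TRUE_POS) + e) for (x, y), e in zip(good, noise)]
    msgs += [(20.0, 10.0, 12.0), (60.0, 45.0, 40.0)]      # accidental faults: ranges far off
    msgs += [(float(x), float(y), dist((x, y), FAKE_POS)) for x, y in [(5, 5), (75, 55), (50, 5)]]
    return msgs


if __name__ == "__main__":
    print(fault_tolerant_triangulation(build_sample_messages(), ci=0.5, ct=4, imax=200))
```

With $N_g = 8$ and $N_c = 3$ the sample satisfies $N_g \ge N_c + 3$, and a consensus threshold of 4 can only be exceeded by the good beacons, so the colluders' agreed-upon point never wins.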

In light of the algorithm’s minimalist methodology, the approach first estimates the position of the unknown node $\hat{s}_0$ from some randomly selected unique subset of 3 nodes, $S_i$ (Steps 3–4). The motivation for keeping a record of already picked triplets (Step 3) is to save on storage and computational complexity. Thus, every subsequent triple drawn is compared against the list of stored trials, and discarded if it already appears, leading to another drawing, without incrementing i. If a lexicographical order is applied to each triple as it is stored, then comparison and storage reduce to inserting unique items into an ordered list. The triangulation process outlined in subsection III-C is then applied (Step 4), and an estimate for the position, $\hat{s}_0$, is calculated and stored in a linked fashion. Using the new position, $\hat{s}_0$, the consensus with all beacons is checked (Step 5). The check compares the δ-consistency of each beacon’s reported measurement with the estimated $\hat{s}_0$. To check if a consensus is reached, the number of beacons, K, in consensus with the estimated position is compared against the threshold $C_t$. Once a consistency set has been identified, the algorithm uses all points in the consensus set to form the final estimate of $\hat{s}_0$, then terminates (Steps 7-8). We use an MMSE procedure for computing both the initial estimate $\hat{s}_0$ from the subset $S_i$ and the final estimate derived from the consensus set. If the algorithm performs $i_{max}$ iterations and does not find a consensus set of at least size $C_t$, it declares a failure and terminates (Step 11). This algorithm runs in a distributed fashion on all triangulating aircraft. On the surface, $i_{max}$ and $C_t$ are fixed input quantities, and the computational complexity of the algorithm is a function of these two variables. The storage complexity is a function of $i_{max}$. The dependence of these quantities on the size of S (i.e. N), in order to guarantee correct termination, is the subject of the next section.

¹ With abuse of notation, we use S\L to denote the set of nodes excluding the triplets already chosen. More precisely, this does not exclude picking an already selected node, but prevents picking an already selected triplet.

VI. THEORETICAL BOUNDS FOR CORRECT TERMINATION

The theoretical bounds on the selection of $i_{max}$, $C_t$ and CI are directly coupled to the fault tolerance exhibited by the algorithm, in the presence of accidental faults as well as malicious attacks. We introduce the following notation:

$$N = N_g + N_f, \quad (16)$$

where Nf denotes the total number of faulty measurements and Ng is the total number of correct (good) messages. Recall that N is the total number of ADS–B broadcast messages (each corresponding to a unique aircraft). For the purpose of analysis of the algorithm, we only care whether the faults are δ-consistent or not, regardless of whether the consistency is the result of collusion, common-cause failures, or pure coincidence. In other words, if an aircraft in Nf is δ-consistent with the estimated position resulting from a collusive strategy, it is regarded as being a part of the corresponding collusion. Therefore, the set of faults Nf can be further partitioned into Ni accidental faults that are not δ-consistent and Nc δ-consistent and possibly collusive messages, or

$$N_f = N_i + N_c. \qquad (17)$$

A. Fault Tolerance with Malicious Behavior

For the algorithm to terminate correctly, it is obvious that there must be at least Ct correct (non-outlying) aircraft present in the total N aircraft (Step 6 of the algorithm). Thus the condition

$$N_g \ge C_t \qquad (18)$$

is necessary for the system. In the remainder of this section we will show that in the presence of collusive attackers, it is necessary that the number of non-faulty aircraft exceed the number of the largest possible δ-consistent collusive aircraft subset by at least three, in order for the algorithm to terminate. This constraint is relatively straightforward, as the collusive aircraft can use two correct aircraft without their knowledge to devise their optimal strategy. To be able to distinguish between collusive and correct aircraft, there must be at least three more correct aircraft than collusive ones. That is:

$$N_g \ge N_c + 3 \qquad (19)$$

This condition is representative of air traffic control situations, as the number of collusive aircraft in a given sector is usually much smaller than the total number of aircraft. The presence of a large group of malicious aircraft is detectable by human air traffic controllers in a relatively straightforward fashion (i.e. checking their flight plan clearances). Since the collusive strategy must be devised by aircraft who do not have access to the flight plans of correct aircraft, this alteration of their flight plans would become apparent quickly. The following theorem then arises:

Theorem 1. Let the largest set of δ-consistent collusive aircraft in Nf have cardinality Nc, and Ng ≥ Nc + 3. Then all P triangulating aircraft in the broadcast range of the N aircraft terminate with the correct δ-consistent position in at most $\binom{N}{3} - \binom{N_g}{3} + 1$ iterations of the algorithm, for choice of Ct ≥ Nc + 3.

Proof of Theorem 1: By contradiction. Suppose not. For P not to terminate with the correct δ-consistent position, it must either terminate with an incorrect δ-consistent position estimate, terminate in failure, or not terminate.

Case 1: Terminates with incorrect δ-consistent position estimate. The optimal collusive strategy has all possible collusive aircraft utilize the same two correct aircraft, say (A, B), and attempts to weight the consensus towards the incorrect position solution $\tilde{P}$ (see Figure 2). Hence, the number of aircraft that yield messages that are δ-consistent with the collusive strategy is Nc + 2. As the selection of Ct is user defined, choose Ct = Nc + 3. For the algorithm to terminate and return $\hat{s}_0 = \tilde{P}$ there must be at least Ct = Nc + 3 aircraft that are δ-consistent with this incorrect position estimate. Thus, there must be one additional aircraft that is not in the collusion subset of this strategy, which is δ-consistent with the estimate. This extra aircraft must either be in Ng or Ni, but this is in contradiction with the definition of these sets.

Case 2: Terminates in Failure. For Ng ≥ Ct, there is only one way in which the algorithm terminates in failure. This requires that there be $\binom{N}{3} - \binom{N - N_f}{3} + 1$ ways to draw three unique messages for each of the imax unique trials, where one element of each trial is an incorrect (outlying) broadcast message. Since there are $\binom{N - N_f}{3} = \binom{N_g}{3}$ ways to draw trials comprised of only correct messages, there exist $\binom{N}{3} - \binom{N_g}{3}$ ways to draw trials containing at least one incorrect message. Thus, the only way to draw $\binom{N}{3} - \binom{N_g}{3} + 1$ trials, each containing at least one incorrect message, requires that at least one of the trials be non-unique (i.e. contains the same three messages as one of the other trials). This is a contradiction to Step 3 of the algorithm.

Case 3: Non-Termination of the Algorithm. For the algorithm not to terminate implies that i < imax for all time. This means that either imax → ∞ or i is not incrementing, meaning unique trials are not being drawn. Since we can set $i_{max} = \binom{N}{3} - \binom{N_g}{3} + 1$, and draw $\binom{N}{3} - \binom{N_g}{3} + 1$ unique trials out of the N received broadcasts, we will be able to increment i, the loop counter variable, $\binom{N}{3} - \binom{N_g}{3} + 1$ times, thereby leading to i = imax, and causing termination. This is a direct contradiction.

B. Fault Tolerance with δ-Consistent Faulty Behavior

In the case where there are no δ-consistent faulty aircraft, and no collusive aircraft, theoretically the user can set the consensus threshold Ct = 4. That is, you only need four correct aircraft in the network in order for any triangulating aircraft to arrive at their correct position. Three correct aircraft are required to triangulate to the correct estimated position, and the fourth aircraft needs to be δ-consistent with this estimate. No other incorrect successful triangulation will have

any additional aircraft that will be δ-consistent, as no faulty aircraft are δ-consistent. This theoretical lower bound for faulty (but non δ-consistent or non-collusive) behavior allows the algorithm to terminate correctly in a network where faulty aircraft greatly outnumber correct aircraft. That is, we can perform fault tolerant triangulation when Nf > Ng. Realistically, when Nf grows large, there will be some δ-consistent faulty aircraft, even if all of the faults are randomly caused. However, δ-consistent faulty aircraft can be treated similarly to collusive aircraft. The only difference between a set of δ-consistent faulty aircraft and a set of collusive aircraft is the fact that the collusive aircraft can use two correct aircraft in order to form their δ-consistent position estimate. Therefore, we have the following corollary for δ-consistent faulty behavior (in the absence of any collusive aircraft).

Corollary to Theorem 1. For at most Nc δ-consistent faulty aircraft, in the absence of collusive behavior, all P triangulating aircraft terminate with the correct δ-consistent position in at most $\binom{N}{3} - \binom{N_g}{3} + 1$ iterations with choice of Ct ≥ Nc + 1.

This follows directly from the fact that the δ-consistent faulty aircraft cannot use two correct aircraft to augment the cardinality of their consensus set. If we choose Ct ≥ Nc + 1, the statement is equivalent to the theorem regarding collusive aircraft. For accidental faults in messages, the chance of drawing a single incorrect position repeatedly grows increasingly unlikely for a small enough δ-consistency interval CI (see subsection VII-B). By increasing the consensus threshold, we become more robust against higher levels of δ-inconsistency. This relationship is linear in the number of δ-consistent aircraft:

$$C_t \le N_g. \qquad (20)$$

The corollary to Theorem 1 also guarantees the successful termination of the algorithm in a finite number of steps, thus providing an upper bound on the number of iterations necessary. Note that in the worst case, where Ni = 0 and Ng = N − Nc, imax must be set to $\binom{N}{3} - \binom{N_g}{3} + 1$ to ensure correct termination. Performing this combinatorially increasing number of triangulations becomes the most computationally intensive step in the algorithm.

VII. PARAMETER SELECTION

Ideally, one would like to test all possible subsets of size 3, i.e. $\binom{N}{3}$ of them, and select the one with the largest consistency set. However, for large N, this is computationally intractable. Instead, we attempt a total of imax iterations, where the quantity imax is the predetermined total number of trials. In Section VII-A we demonstrate how to choose imax such that the algorithm can find a consensus set with high probability.

A. Choice of Total Number of Iterations

It is expected that the number of iterations imax of Algorithm 1 depends on the percentage of faulty measurements. Let the algorithm succeed at picking a good subset of size 3

from the data set S at the i-th trial. We can base the termination criterion on the expected number of trials E[i]. Let Nf denote the number of faults in the data set S and let q be the probability that a randomly drawn data point is consistent with the model. Given that the algorithm prevents picking the same triplet twice, E[i] depends on the outcome of previous trials. We can upper bound E[i] with the case where the trials are done with replacement, in which case the expected value, denoted by $E_R[i]$, is easy to compute and is given by the mean of the geometric distribution, which equals $1/q^3$. Thus the expected number of trials satisfies $E[i] \le E_R[i] = 1/q^3$. One way of choosing imax is to exceed E[i] by, say, two standard deviations of i. In the case of trials with replacement, it is shown in [28] that the standard deviation of i is approximately equal to $E_R[i]$. Therefore, we can choose $i_{max} \approx 3E_R[i]$. Another approach for choosing imax is to ensure that the probability of missing a good subset is below a threshold η. Again approximating with the case of trials with replacement, we have that the total number of iterations imax must satisfy $(1 - q^3)^{i_{max}} = \eta$, or equivalently,

$$i_{max} = \frac{\ln \eta}{\ln(1 - q^3)} \qquad (21)$$

Let I denote the set of inliers. If $\rho = 1 - N_f/N$ is the percentage of inliers, then $q = \binom{N_I}{3} \big/ \binom{N}{3} = \prod_{j=0}^{2} \frac{N_I - j}{N - j}$, and for a large data set $q \approx \rho^3$ and $E[i] = \rho^{-9}$. Substituting for q in (21) gives the number of iterations imax in terms of the percentage of faults in the data set S, $i_{max} = \frac{\ln \eta}{\ln(1 - \rho^9)}$. Note that, if an estimate of the number of faults Nf is available, then (21) gives the maximum number of subsets Algorithm 1 must try before quitting the search for fault free subsets of size 3.

B. Determining δ-Consistency Interval

Our assumption is that non-malicious (benign) distance measurement errors are i.i.d. Gaussian random variables distributed according to $\mathcal{N}(0, \sigma^2)$. The consistency metric δ calculates the distance between the real position of s0, (x0, y0), with respect to the position reference (xn, yn), i.e.

$$\delta(s_n, s_0) = d_n - \sqrt{(x_0 - x_n)^2 + (y_0 - y_n)^2}.$$

The assumption of a Normal distribution for the errors is based on s0's real position (x0, y0). We apply the same distribution to approximate the distribution of δ, which measures the error in the estimated position coordinates $\hat{s}_0 = (\hat{x}_0, \hat{y}_0)$. For example, under the assumption of Normality, the 95% confidence interval (CI) that a given $\delta_n^0$ is drawn from the Normal distribution $\mathcal{N}(0, \sigma^2)$ is [−1.96σ, 1.96σ]. In other words, given $\delta_n^0$, a realization of the random variable $\delta_n$, the confidence interval CI determines whether $\delta_n^0$ is drawn from the same distribution as $\delta_n$, with more than 95% probability. We refer to the confidence interval as the δ-consistency interval CI, which is an input to the Position Estimation Algorithm 1. Note that the error variance σ² is usually dependent on the distance measurement technique (e.g., RSSI, TDoA) and
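The parameter rules of Section VI (the worst-case iteration bound of Theorem 1 and the consensus threshold Ct) and of subsections VII-A and VII-B (the two choices of imax and the 95% δ-consistency interval) are collected below as small functions, as an added example that is not part of the paper. The symbols follow the paper (N, Ng, Nf, Nc, Ct, q, η, σ); q is used as equation (21) defines it, the probability that one randomly drawn data point is consistent, and the exact without-replacement probability of an all-inlier triplet is computed from the product in the text for comparison. The numbers in plan_parameters() and in the usage at the bottom are constructed, not the paper's simulation settings.

```python
"""Added example (not the paper's code): parameter selection for Algorithm 1.
Symbols follow Sections VI and VII; the sample values are constructed."""
import math
from statistics import NormalDist


def worst_case_imax(n: int, n_g: int) -> int:
    """Theorem 1 worst case: after C(N,3) - C(N_g,3) unique trials every triplet
    containing a faulty message has been drawn, so one more trial is fault free."""
    return math.comb(n, 3) - math.comb(n_g, 3) + 1


def min_consensus_threshold(n_c: int, collusive: bool = True) -> int:
    """C_t >= N_c + 3 against colluders who exploit two correct aircraft (Theorem 1);
    C_t >= N_c + 1 for delta-consistent but non-collusive faults (Corollary)."""
    return n_c + 3 if collusive else n_c + 1


def inlier_triplet_probability(n: int, n_f: int) -> float:
    """Exact (without replacement) probability that a drawn triplet holds only
    inliers: prod_{j=0}^{2} (N_I - j) / (N - j) with N_I = N - N_f."""
    n_i = n - n_f
    p = 1.0
    for j in range(3):
        p *= (n_i - j) / (n - j)
    return p


def expected_trials_with_replacement(q: float) -> float:
    """E_R[i] = 1 / q^3: mean of the geometric distribution with success
    probability q^3 (all three drawn points consistent), trials with replacement."""
    return 1.0 / q ** 3


def imax_two_sigma(q: float) -> int:
    """First rule of VII-A: exceed E[i] by two standard deviations; with
    std(i) ~ E_R[i] [28] this is i_max ~ 3 E_R[i]."""
    return math.ceil(3.0 * expected_trials_with_replacement(q))


def imax_for_miss_probability(q: float, eta: float) -> int:
    """Second rule of VII-A, equation (21): smallest i_max with (1 - q^3)^i_max <= eta."""
    return math.ceil(math.log(eta) / math.log(1.0 - q ** 3))


def consistency_interval(sigma: float, confidence: float = 0.95) -> float:
    """Half-width of the delta-consistency interval CI of VII-B for N(0, sigma^2)
    errors: z * sigma, which is 1.96 sigma at 95% confidence."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2.0)
    return z * sigma


def plan_parameters(n: int, n_f: int, n_c: int, sigma: float, eta: float = 0.01) -> dict:
    """All rules applied to one constructed scenario (N messages, N_f faults of
    which N_c are delta-consistent, range error std sigma, miss probability eta)."""
    q = 1.0 - n_f / n                     # rho, the per-point inlier probability
    return {
        "C_t": min_consensus_threshold(n_c),
        "CI": consistency_interval(sigma),
        "q": q,
        "p_triplet_exact": inlier_triplet_probability(n, n_f),
        "E_R[i]": expected_trials_with_replacement(q),
        "imax_2sigma": imax_two_sigma(q),
        "imax_eta": imax_for_miss_probability(q, eta),
        "imax_worst_case": worst_case_imax(n, n - n_f),
    }


if __name__ == "__main__":
    # Constructed: 30 messages, 9 faults of which 3 are delta-consistent, sigma = 10 m
    for key, value in plan_parameters(30, 9, 3, 10.0).items():
        print(f"{key:>16}: {value}")
```

The contrast between imax_worst_case (thousands of trials for N = 30) and imax_eta (a few dozen) is the practical point of Section VII: the combinatorial bound guarantees termination against any fault pattern, while the probabilistic bound is what one actually runs when the fault fraction can be estimated.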

the environment where the aircraft fly. Therefore, the error variance can be estimated via a set of offline measurements.

C. Consensus with Respect to Ct

The randomized paradigm presented in Algorithm 1 assumes that Ct, the estimate of the size of the consensus set, is given. If the number of malicious aircraft (Nc) is known a priori, one could set the size of the consensus set equal to N − Nc. However, in many practical scenarios one would need to estimate Ct. In [10], we offer two methods for estimating Ct. One is to employ the threshold selection strategy proposed by Liu et al. [9]. The second method is based on a dynamic search to determine the number of collusive faults Nc. We use the mean square error (MSE) of the distance measurements as our error metric. The selection of the MSE metric is driven by its asymptotic optimality in the presence of Gaussian noise, and its pervasive usage in the position estimation literature in WSNs [9], [5]. MSE also facilitates sound formal analysis and the creation of effective algorithms. The position estimation procedure in Algorithm 1 can be made to minimize the MSE of ŝ0 with respect to the beacons that participate in the position estimation procedure (Step 8). This is done by finding $\hat{s}_{MMSE}$, the location estimate that minimizes the MSE from all the measurements in the consensus set. The MSE of the estimated position ŝ0 is denoted as $\Delta^2_{MSE}$:

$$\Delta^2_{MSE} = \frac{1}{N} \sum_{n=1}^{N} \left( d_n - \sqrt{(\hat{x}_0 - x_n)^2 + (\hat{y}_0 - y_n)^2} \right)^2$$

To ensure that the final consensus set includes only the consistent points within a statistical error interval, we compute the Q-th quantile of the inverse probability of $\Delta^2_{MSE}$ for K points. This quantile corresponds to a τ such that $\mathrm{Prob}(\Delta^2_{MSE} \le \tau) = Q$. We derive the distribution of $\Delta^2_{MSE}$ to find the value of τ. Note that, since the quantile distribution function is monotonic (non-decreasing), there is a monotonic transformation between Ct and τ.

Under the assumption that the measurement errors are distributed i.i.d. Gaussian with $\mathcal{N}(0, \sigma^2)$ for n = 1, ..., K, the distribution of the mean square error $\Delta^2_{MSE}$ is chi-square ($\chi^2_K$) with K degrees of freedom (DF). The probability distribution of $\Delta^2_{MSE}$ is based on s0's real position (x0, y0); this distribution is used to approximate the cases where we have an estimate $(\hat{x}_0, \hat{y}_0)$ for s0's position. Note that, under the assumption of a Uniform distribution of errors, Liu et al. [9] have previously used the central limit theorem to approximate the distribution of $\Delta^2_{MSE}$ as a Gaussian. Our approach is different and it improves on their results in at least two ways: First, we believe that the assumption of a Gaussian distribution of errors is more realistic than the Uniform distribution; it is much more likely that smaller values of error occur more frequently than larger ones (at least in the case of faults). Second, as the landmark results by Pearson and Fisher [29] have indicated, the chi-square and F-distribution are the exact models for smaller values of N rather than the Gaussian distribution. Since $\Delta^2_{MSE} \sim \chi^2_K$, then as K tends to infinity, the distribution of

$\Delta^2_{MSE}$ tends to normality, but the tendency is very slow [30]. To determine the threshold, we employ the same method as [9], except that we use $\chi^2_K$ instead of the Gaussian distribution.

VIII. DYNAMIC ELIMINATION OF ACCIDENTAL FAULTS IN SIMULATION

In a dynamic environment, we can take advantage of successive broadcasts from each aircraft. By utilizing the position and velocity estimates from the previous broadcast interval, the receiver can identify inconsistent behavior. By removing these inconsistent aircraft, we can reduce the number of trials necessary to triangulate correctly. The first step in this consistency check is to validate each aircraft's reported velocity and position change with respect to the values stored from the previous time step. If the projected position and the reported position at the present time step are sufficiently inconsistent, then the aircraft can be labeled as 'lying' before triangulation. This eliminates faulty or malicious messages prior to drawing trials for triangulation. The list of incorrect aircraft is saved for all future time steps of the process. All aircraft on this list have their messages discarded for all successive rounds. This reduces the number of trials necessary in order to triangulate to the correct position. This strategy is explicitly shown in Algorithm 2.

Algorithm 2. Position Estimation Implementation
Input: buffer B, list of previous liars (Badlist)*, consensus threshold Ct
1. Initialize T = 1;
2. Add velocity liars in B to Badlist;*
3. Remove Badlist beacons from B;*
4. Initialize N = size(B);
5. While (T < N) {
6. Randomly draw a unique subset Si of size 3 from B\L;
7. Use Si to estimate the position ŝi;
8. If ŝi is new, add it to L; otherwise redraw Si;
9. Calculate K, the number of δ-consistent points with ŝi;
10. If (K > Ct) {
11. Position_Known = True;
12. Terminate while loop; }
13. Increment T; }
14. If (Position_Known) {
15. Traverse B to find liars;
16. Add each liar to Badlist; }
17. Terminate program returning position and Badlist, or return failure;
* items needed for dynamic case only
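The dynamic consistency check of Algorithm 2, Steps 2-3, as an added example that is not the paper's code: each aircraft's previous broadcast is projected forward with its own reported velocity, and an aircraft whose current reported position disagrees with that projection by more than a tolerance is added to Badlist, which persists across rounds and is removed from the buffer before triangulation. The broadcast record format (x, y, vx, vy per identifier), the constant-velocity projection over dt, the tolerance, and the two-round trace in run_example() are all assumptions of this example.

```python
"""Added example (not the paper's code): Steps 2-3 of Algorithm 2, the velocity
consistency check that feeds Badlist. Record format, projection rule, tolerance
and the trace data are assumptions of this example."""
import math
from typing import Dict, Set, Tuple

Broadcast = Tuple[float, float, float, float]   # (x, y, vx, vy), metres and m/s


def projected_position(prev: Broadcast, dt: float) -> Tuple[float, float]:
    """Dead-reckon the previous report forward by dt using its reported velocity."""
    x, y, vx, vy = prev
    return (x + vx * dt, y + vy * dt)


def velocity_liars(previous: Dict[str, Broadcast], current: Dict[str, Broadcast],
                   dt: float, tol: float) -> Set[str]:
    """Step 2: aircraft whose current report is dynamically inconsistent with
    their previous one. Aircraft with no previous report cannot be checked yet."""
    liars: Set[str] = set()
    for ident, report in current.items():
        if ident not in previous:
            continue
        px, py = projected_position(previous[ident], dt)
        if math.hypot(report[0] - px, report[1] - py) > tol:
            liars.add(ident)
    return liars


def filter_buffer(current: Dict[str, Broadcast], previous: Dict[str, Broadcast],
                  badlist: Set[str], dt: float, tol: float
                  ) -> Tuple[Dict[str, Broadcast], Set[str]]:
    """Steps 2-3: grow Badlist with this round's velocity liars and drop every
    Badlist aircraft from the buffer handed to triangulation. The returned
    Badlist is carried into the next round, as Section VIII describes."""
    badlist = badlist | velocity_liars(previous, current, dt, tol)
    kept = {ident: rep for ident, rep in current.items() if ident not in badlist}
    return kept, badlist


def run_example() -> Tuple[Dict[str, Broadcast], Set[str]]:
    """Constructed two-round trace with dt = 1 s and a 50 m tolerance: AC1 and AC2
    move as their velocities predict, AC3 reports a 400 m jump that contradicts
    its own velocity, AC4 is consistent but was put on Badlist in an earlier
    round, and AC5 is seen for the first time."""
    dt, tol = 1.0, 50.0
    previous = {"AC1": (0.0, 0.0, 250.0, 0.0), "AC2": (1000.0, 500.0, 0.0, -250.0),
                "AC3": (2000.0, 2000.0, 200.0, 100.0), "AC4": (3000.0, 0.0, -250.0, 0.0)}
    current = {"AC1": (251.0, 2.0, 250.0, 0.0), "AC2": (1000.0, 250.0, 0.0, -250.0),
               "AC3": (2600.0, 2100.0, 200.0, 100.0), "AC4": (2750.0, 0.0, -250.0, 0.0),
               "AC5": (500.0, 500.0, 250.0, 0.0)}
    return filter_buffer(current, previous, {"AC4"}, dt, tol)


if __name__ == "__main__":
    kept, badlist = run_example()
    print("triangulate with:", sorted(kept), "Badlist:", sorted(badlist))
```

The tolerance has to cover the broadcast's own position noise over one interval; an aircraft that was faulty once stays excluded, which is exactly the trade-off the "amnesty" remark in Section IX points at.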

The additional steps from the previous algorithm (cf. Algorithm 1) are as follows. Steps (1-3) are used to compare the position and velocity measurements of the current timestep against those of the previous timestep, for all consecutively broadcasting aircraft. If the message reported in the current timestep is not dynamically consistent with the previous message, the aircraft is added to "Badlist". "Badlist" stores inconsistent aircraft, and is used to eliminate their messages from the current round's triangulation process. Steps (4-13) are the same as in Algorithm 1. If consensus is reached, Steps (14-16) are used to update the list of aircraft that are not consistent with the estimated position. The messages from aircraft on this list are disregarded in the next round of execution.

[Figure residue: panel title "Comparison of Algorithm to RLMS and Greedy MMSE"; series RLMS, Greedy MMSE and Algorithm 1; axes Processing Time (s) versus Percentage Liars (0-50) and Distance (m) versus Percentage Accidental Faults (0-100).]

Fig. 3. Algorithm 1 has a shorter processing time.

Fig. 4. Position estimation error v.s. number of accidental faults.

IX. SIMULATION RESULTS

We compare the performance of the various methods, both in terms of their processing time and the position estimation error, for accidental faults and collusion attacks in Subsection IX-A. We assume there are N = 30 aircraft in a 100×100 m² space. In the case of accidental faults, up to Ni = 26 faults were allowed. In the case of collusive attacks, it was assumed that no more than 14 measurements can be collusive. The measurements are corrupted by Gaussian noise N(0, σ²) where σ² = 100. Moreover, in our implementation of RLMS, the parameters were chosen to be M = 10, n = 4, γ = 1 (cf. [7]). In Subsection IX-B, we discuss the implementation cost of Algorithm 1 and its variant Algorithm 2.

A. Comparison with Other Attack-Resistant Algorithms

We compare the performance of the algorithm with the state-of-the-art position estimation methods: the robust least median of squares (RLMS) algorithm of [7] and the greedy minimum mean square error (MMSE) algorithm of [9]. Hereon, we refer to the new randomized position estimation algorithm of Section V-C as Algorithm 1. The first method, RLMS, is a probabilistic approximation of the least median of squares (LMS) algorithm of Rousseeuw and Leroy [8]. RLMS solves the position estimation problem by minimizing a least median of squares (LMS) error metric over all the nodes. The second method, Greedy MMSE, is a greedy algorithm that minimizes the MSE error metric subject to a consistency threshold τ′. Instead of exhaustively searching all combinations of the variables for the best estimate, the authors propose using a stepwise backward deletion algorithm. This is a greedy algorithm that, at each stage, deletes the largest fault. This method works well when there are only a few accidental faults, but fails as the number of attackers increases or the attackers collude.

The processing time of the three algorithms was compared in the case of collusive attacks. Figure 3 shows that Algorithm 1 has a shorter processing time with respect to both Greedy MMSE and RLMS. When the percentage of liars is below 30%, the first three points picked at random by the algorithm are often correct measurements. This results in a quick termination of the algorithm with only one triangulation.

1) Accidental Faults: The performance of the three algorithms is compared in Figure 4. Greedy MMSE constantly performs poorly compared to Algorithm 1 and RLMS. As long as the percentage of faults does not exceed 30%, i.e., Ni ≤ 10 for N = 30, the performance of RLMS is comparable to Algorithm 1. For a higher percentage of faults, RLMS is not as robust as Algorithm 1. More importantly, the RLMS position estimation algorithm has a breakpoint of 50% (as expected theoretically). However, Algorithm 1 has a breakpoint of 80% (shown by simulation). If the accidental faults occasionally become δ-consistent with the correct measurements, this break point can improve.

[Figure residue: panel title "Position Estimate Deviation from Truth"; Distance (m) versus Percentage Liars (0-50); series RLMS, Algorithm 1 and MMSE.]

Fig. 5. Position estimation error v.s. number of Colluders (liars).

2) Collusive Behavior: In the case of colluding attackers, when the percentage of attackers goes beyond 50% all three algorithms fail (see Figure 5). However, before the breakpoint Algorithm 1 exhibits a robust behavior while RLMS and Greedy MMSE rapidly deteriorate.

Fig. 6. Histogram showing the number of attempted triangulations for three percentages of accidental faults.

Fig. 7. Average number of checks performed to reach consensus versus percentage of faulty agents. Note the average is over 100 runs.

Figure 7 shows how many checks are required on average with an increasing number of collusive aircraft. As the number of collusive aircraft increases, the probability of getting a successful incorrect triangulation increases, causing both the triangulation and consensus check tasks to be run more frequently. This acts to increase the overall execution time. If the consensus check is successful, the algorithm returns the estimated position, along with a list of faulty aircraft, and terminates. Once the estimated position reaches consensus, it is checked against all aircraft to determine which aircraft are faulty. This step involves exactly N comparisons for each triangulating aircraft. It should also be noted that as the number of aircraft increases, the storage and communication complexity increases. The relationship between the execution time and the percentage of faulty agents is seen in Figure 8. The histogram (Figure 9) shows that the increase in average execution time can be attributed to a small percentage of very large execution times. These outlying execution times are due to the number of triangulations that needed to be attempted to initially get a valid position. The execution time of the triangulation task dominates that of the consensus check. The greatest advantage of the dynamic fault elimination process of Algorithm 2 is the increase in speed via elimination of incorrect agents. This requires that fewer triangulations be performed, greatly reducing execution time. However, an aircraft that is faulty for one round, and then behaves correctly for successive rounds, is ignored. If too many aircraft exhibiting occasional accidental faults are eliminated, the triangulating aircraft becomes susceptible to small coordinated attacks. An "amnesty" condition that allows data from faulty aircraft to be incorporated back into the triangulation process, when the ratio of correct beacons drops very low, would limit this danger.

B. Algorithmic Costs

The execution speed of Algorithm 1 and its variant Algorithm 2 depends primarily on the total number of aircraft N and the percentage of faulty aircraft Nf/N. Each time the algorithm is executed, there is an implicit overhead, which contributes to the total cost. The overhead is incurred due to reading in the aircraft messages and parsing the message data. This overhead scales directly with N. The two main tasks that contribute to the algorithm's execution cost are triangulation and checking for consensus. Triangulation involves randomly choosing three aircraft and calculating a position estimate. If any of the three aircraft are from the set of Ni (accidental faults), the triangulation usually does not terminate in a valid position. If a trial containing faulty aircraft does terminate in a valid position, this position is normally a collusive position. Thus, the trial most likely contains three collusive aircraft. The probability of drawing such a group of aircraft is proportional to Nc/N. So, as depicted in Figure 6, the time needed to successfully triangulate is related directly to the percentage of faulty aircraft Nf/N. Once the three randomly selected aircraft result in a valid position, the consensus check is run. Each aircraft is checked for δ-consistency against the estimated position. The total number of δ-consistent aircraft is then compared to the consensus threshold Ct. The execution time of this task is upper bounded by N. If the threshold is not met, the estimated position is stored, and the triangulation task is executed again. With each successive triangulation, the new estimated position is checked against previously rejected positions. If it matches any rejected position, the triangulation is executed again until a new position is found. Once the resulting estimated position is novel, the consensus check is re-executed.

Fig. 8. Average execution time for varying percentage of faulty aircraft. Note the average is over 100 runs.

Fig. 9. A histogram of the average time to complete the algorithm at different lying percentages.

X. DISCUSSION

We have proved that in the presence of a maximal collusive strategy encompassing Nc collusive messages, no triangulating aircraft can come to an incorrect solution as long as there are at least Nc + 3 correct aircraft broadcasting correct messages in range. This allows the algorithm to be resilient to collusive attacks in an almost one-to-one ratio of correct to collusive aircraft. This far outstrips the Byzantine fault tolerance results from distributed systems, which usually require a three-to-one ratio of correct to collusive aircraft. The improvement seen in this result arises from the fact that the operation of triangulation has both spatial and temporal structure. In a given communication round, a single aircraft that misrepresents its position value is constrained by the geometry of the real world. It is physically impossible for a message with a correct timestamp to arrive in less time than is required to cross the distance to the receiver (i.e. limited by the speed of light). Thus, the Byzantine failures are spatially constrained, and cannot be completely arbitrary. Over successive time intervals, a Byzantine aircraft is constrained by the dynamics of the real world and performance limitations. It cannot move faster than the maximum allowable speed of an aircraft, nor can it have any discontinuities in its trajectory. Thus there is further implicit information inherent in the broadcast messages. The algorithm takes advantage of this implicit information, and improves on the traditional required ratio of 3Nc + 1 : Nc good aircraft to bad aircraft, yielding a ratio of Nc + 3 : Nc. This ratio approaches 1:1 as the number of good and collusive aircraft becomes equally large, and the algorithm is still able to terminate correctly.

REFERENCES

[1] Y. Cui and S. S. Ge, "Autonomous Vehicle Positioning With GPS in Urban Canyon Environments," IEEE Transactions on Robotics and Automation, vol. 19, pp. 15–28, 2003.
[2] J. Dittmer, "Solving the GPS Urban Canyon Problem," Frost & Sullivan Market Insight, 2005.
[3] A. P. A. Alcocer and P. Oliveira, "Underwater Acoustic Positioning Systems Based on Buoys with GPS," Proceedings of the Eighth European Conference on Underwater Acoustics, 2006.
[4] N. Priyantha, A. Chakraborty, and H. Balakrishnan, "The Cricket Location-Support System," in Proceedings of ACM International Conference on Mobile Computing and Networking (MobiCom), 2000, pp. 32–43.
[5] A. Savvides, C. Han, and M. Srivastava, "Dynamic fine-grained localization in ad-hoc networks of sensors," in Proceedings of ACM International Conference on Mobile Computing and Networking (MobiCom), 2001, pp. 166–179.
[6] D. Niculescu and B. Nath, "Ad hoc positioning system (APS) using AoA," in Proceedings of IEEE Conference on Computer Communications (INFOCOM), 2003, pp. 1734–1743.
[7] Z. Li, W. Trappe, Y. Zhang, and B. Nath, "Robust statistical methods for securing wireless localization in sensor networks," in Proceedings of the International Symposium on Information Processing in Sensor Networks (IPSN), 2005, pp. 91–98.
[8] P. Rousseeuw and A. Leroy, Robust Regression & Outlier Detection. New York, NY: John Wiley & Sons, 1987.
[9] D. Liu, P. Ning, and W. Du, "Attack-resistant location estimation in sensor networks," in Proceedings of the International Symposium on Information Processing in Sensor Networks (IPSN), 2005, pp. 99–106.
[10] N. Kiyavash and F. Koushanfar, "Anti-Collusion Position Estimation in Wireless Sensor Networks," in IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS), Pisa, Italy, 2007, pp. 1–9.
[11] T. Roosta, M. Meingast, and S. Sastry, "Distributed reputation system for tracking applications in sensor networks," in International Workshop on Advances in Sensor Networks (IWASN), 2006.
[12] M. Manzo, T. Roosta, and S. Sastry, "Time synchronization attacks in sensor networks," in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), 2005, pp. 107–116.
[13] M. D. Mare and L. Decoursey, "A survey of the timestamping problem," Tech. Rep., 2004.
[14] M. Barborak, A. Dahbura, and M. Malek, "The consensus problem in fault-tolerant computing," ACM Comput. Surv., vol. 25, no. 2, pp. 171–220, 1993.
[15] K. Driscoll, B. Hall, H. Sivencrona, and P. Zumsteg, "Byzantine fault tolerance, from theory to reality," in Computer Safety, Reliability, and Security, Lecture Notes in Computer Science, 2003, pp. 235–248.
[16] L. Lamport, R. Shostak, and M. Pease, "The Byzantine generals problem," ACM Trans. Prog. Lang. Sys., vol. 4, pp. 382–401, 1982.
[17] M. J. Fischer and N. A. Lynch, "A lower bound for the time to assure interactive consistency," Information Processing Letters, vol. 14, pp. 183–186, 1982.
[18] R. Turpin and B. A. Coan, "Extending binary Byzantine Agreement to multivalued Byzantine Agreement," vol. 18, no. 2, pp. 73–76, Feb. 1984.
[19] D. Dolev and R. Reischuk, "Bounds on information exchange for Byzantine agreement," J. ACM, vol. 32, no. 1, pp. 191–204, 1985.
[20] G. Loveness and R. Barhydt, "ADS-B and AOP Performance within a Multi-Aircraft Simulation for Distributed Air-Ground Traffic Management."
[21] J. Scardina, "Overview of FAA ADS-B Link Decision," 2002.
[22] E. Valovage, "Enhanced ADS-B Research," IEEE A&E Systems Magazine, pp. 35–39, 2006.
[23] J. L. Awange and E. W. Grafarend, "Algebraic Solution of GPS Pseudo Ranging," GPS Solutions, vol. 5, pp. 20–32, 2002.
[24] E. W. Weisstein, "Sphere-Sphere Intersection," From MathWorld, A Wolfram Web Resource. http://mathworld.wolfram.com/SphereSphereIntersection.html, 2008.
[25] B. W. Parkinson and S. W. Gilbert, "NAVSTAR: Global positioning system - ten years later," Proceedings of the IEEE.
[26] E. W. Weisstein, "Circle-Circle Intersection," From MathWorld, A Wolfram Web Resource. http://mathworld.wolfram.com/CircleCircleIntersection.html, 2008.
[27] P. Bourke, "Intersection of two circles," website: http://local.wasp.uwa.edu.au/pbourke/geometry/2circle/, 1997.
[28] M. A. Fischler and R. C. Bolles, "Random sample consensus: a paradigm for model fitting with applications to image analysis and automated cartography," Communications of the ACM, vol. 24, no. 6, pp. 381–395, 1981.
[29] M. Evans, N. Hastings, and B. Peacock, Statistical Distributions. New York, NY: John Wiley and Sons, 2000.
[30] E. Wilson and M. Hilferty, "The distribution of chi-square," in Proceedings of the National Academy of Sciences, USA, vol. 17, pp. 684–686, 1931.