IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

Sybil-Proof Online Incentive Mechanisms for

Crowdsensing
Jian Lin, Ming Li, Dejun Yang, Guoliang Xue

Abstract—Crowdsensing leverages the rapid growth of sensor-

embedded smartphones and human mobility for pervasive infor- Dynamic
users Task description
mation collection. To incentivize smartphone users to participate Bid
in crowdsensing, many auction-based incentive mechanisms have Reject
Assignment
been proposed for both offline and online scenarios. It has Sensing data
been demonstrated that the Sybil attack may undermine these Payment
mechanisms. In a Sybil attack, a user illegitimately pretends Platform Time line Deadline
multiple identities to gain benefits. Sybil-proof incentive mecha-
nisms have been proposed for the offline scenario. However, the Fig. 1. Online crowdsensing system
problem of designing Sybil-proof online incentive mechanisms for
crowdsensing is still open. Compared to the offline scenario, the
online scenario provides users one more dimension of flexibility, At present, a number of auction-based incentive mecha-
i.e., active time, to conduct Sybil attacks, which makes this nisms have been proposed for crowdsensing. These incentive
problem more challenging. In this paper, we design Sybil- mechanisms model the interaction between the crowdsensing
proof online incentive mechanisms to deter the Sybil attack for platform and the smartphone users as a reverse auction. The
crowdsensing. Depending on users’ flexibility on performing their buyer is the platform, and the sellers are smartphone users
tasks, we investigate both single-minded and multi-minded cases
and propose SOS and SOM, respectively. SOS achieves compu- who bid to perform sensing tasks. In these mechanisms, the
tational efficiency, individual rationality, truthfulness, and Sybil- platform selects users according to their submitted bids. Most
proofness. SOM achieves individual rationality, truthfulness, and of existing incentive mechanisms (e.g., [10, 15, 31, 32, 36]) fo-
Sybil-proofness. Through extensive simulations, we evaluate the cus on offline scenario in which smartphone users are required
performance of SOS and SOM. to submit their bids at the beginning of the auction, and the
platform selects a subset of users according to some criteria for
I. I NTRODUCTION different objectives, e.g, maximize social welfare and platform
utility. Some works (e.g., [4, 5, 8, 9, 27, 37, 39, 40, 40])
In recent years, the rapid proliferation of smartphones with
consider a more practical yet dynamic online scenario in which
rich embedded sensors has attracted great attentions from both
smartphone users participate in the system in a random order,
academy and industry [7]. The effectiveness of crowdsensing
as shown in Fig. 1. Once a user arrives, the platform has to
to collect data enabled numerous crowdsensing applications in
make irrevocable decisions on whether to select it and how
a wide variety of domains, such as transportation [28], mar-
much it should be paid without knowing future information.
keting [6], environmental monitoring [22], cellular coverage
However, none of above mechanisms take into consideration
map [19], and etc.
the Sybil attack [2], also known as false-name attack [34].
The number of participating users is a critical factor for
In recent years, the potential threat from Sybil attack has
the success of a crowdsensing application. Most of the early
been investigated in various areas, such as cloud resource
systems [18, 22] assume that the smartphone users contribute
allocation [26], social networks [23, 24], and crowdsourced
to the platform voluntarily. In practice, however, smartphone
mobile apps [25]. These works focus on designing detection
users taking part in crowdsensing cause extra cost while
methods to eliminate Sybil attackers. The impact of Sybil
performing the sensing tasks, e.g., sensing time, battery expen-
attack in auctions has been analyzed in [33, 34].
diture, transmission expense and potential privacy threats from
the exposure of their locations. Therefore, it is necessary to In both offline and online crowdsensing systems, a user may
design incentive mechanisms to stimulate users to participate submit multiple bids under different fictitious identities in the
in crowdsensing. hope to increase its utility. This attack is easy to conduct
(e.g., creating multiple accounts) but difficult to detect. The
J. Lin, M. Li are with Colorado School of Mines, Golden, CO 80401
vulnerability to Sybil attack may make a mechanism fail to
USA. D. Yang (corresponding author) is with Colorado School of Mines, achieve its desired properties, and the fairness of the system
Golden, CO 80401 USA and Jiangsu Key Laboratory of Big Data Security and will be jeopardized, since the increase of an attacker’s utility
Intelligent Processing, Nanjing University of Posts and Telecommunications,
Nanjing, Jiangsu 210023 China (e-mail: {jilin, mili, djyang}@mines.edu).
may decrease other users’ utility.
G. Xue is with Arizona State University, Tempe, AZ 85287 USA (e-mail: Lin et al. [16] are the first to investigate the Sybil attack
[email protected]). This research was supported in part by NSF grants 1421685, in crowdsensing. They proposed two Sybil-proof incentive
1444059, 1717197, 1717315, and Jiangsu Key Laboratory of Big Data
Security & Intelligent Processing, NJUPT. The information reported here does mechanisms in the offline scenario. However, their mecha-
not reflect the position or the policy of the federal government. nisms cannot be directly applied to the online scenario, since

978-1-5386-4128-6/18/$31.00 ©2018 IEEE 2438

 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

the online scenario provides users one more dimension of paper, i.e., SPIM-S and SPIM-M. However, these two mech-
flexibility to conduct Sybil attacks, i.e., active time window (to anisms cannot be directly applied to the online scenario.
be elaborated latter). Existing online incentive mechanisms for Several works considered the online scenario where smart-
crowdsensing [4, 5, 9, 27, 37–39] are all vulnerable to Sybil phone users come to the system in a random order. Among
attack. Among them, the VCG-based incentive mechanism [5] them, some online pricing mechanisms have been analyzed
is not Sybil-proof, since the VCG auction has been proved in [8, 40]. In addition, a number of auction-based online incen-
not Sybil-proof in [34]. The mechanism proposed in [4] is tive mechanisms have been proposed for crowdsensing. Most
not Sybil-proof, since a user can increase its critical value of them aim to design online mechanisms, which have compa-
and thus increase its payment by submitting multiple bids. For rable performance to offline mechanisms. To get the informa-
mechanisms in [9, 30, 37, 38], a user can increase its utility by tion about upcoming users, two-sage based mechanisms have
changing from a loser to a winner via Sybil attack. We will use been proposed in [9, 37]. However, these mechanisms cannot
examples to demonstrate the vulnerability of existing online guarantee the consumer sovereignty, since the first batch of
mechanisms to Sybil attack in Section IV. Therefore, the users are rejected no matter how they bid. Zhao et al. [38, 39]
problem of designing Sybil-proof online incentive mechanisms proposed two multi-stage mechanisms, which satisfy consumer
for crowdsensing remains open. sovereignty. Furthermore, Gao et al. [5] proposed a VCG-
In this paper, we focus on designing Sybil-proof online in- based mechanism to invitivize users to participate in the
centive mechanisms for crowdsensing. A mechanism is Sybil- system for a long-term. Feng et al. [4] considered a system
proof if, participating in crowdsensing using a single identity with dynamic users and dynamic tasks. The users’ privacy
is a dominant strategy of each user. The main contributions of has been considered in [27]. However, none of existing online
this paper are as follows: mechanisms take into consideration the Sybil attack.
• To the best of our knowledge, we are the first to inves- Recently, the impact of Sybil attack has been widely
tigate Sybil attack in online incentive mechanisms for analyzed in areas including virtual machine instance allo-
crowdsensing. cation [26], social networks [23] and crowdsourced mobile
• We analyze existing online incentive mechanisms and apps [25]. As pioneers, Yokoo et al. [34] analyzed the effects
demonstrate that they are all vulnerable to Sybil attack. of Sybil attack on combinatorial auctions. They proved that
• Depending on users’ flexibility on performing their tasks, VCG auction is not Sybil-proof in this paper. In addition,
we consider both the single-minded and multi-minded the price-oriented rationing-free protocols, which characterize
cases. We design SOS and SOM for these two cases, re- the Sybil-proof protocols for combinatorial auction have been
spectively. In order to design SOS, we provide a sufficient proposed in [33].
condition for an online mechanism to be Sybil-proof. The problem of designing Sybil-proof online incentive
We prove that SOS achieves computational efficiency, mechanisms for crowdsensing is still open. All existing on-
individual rationality, truthfulness, and Sybil-proofness, line incentive mechanisms are vulnerable to Sybil attack as
and that SOM achieves individual rationality, truthfulness, explained in Section I, and we will show their vulnerabilities
and Sybil-proofness. to Sybil attack in Section IV.
The remainder of this paper is organized as follows. In III. M ODEL AND P ROBLEM F ORMULATION
Section II, we review the related work. In Section III, we A. System Model
introduce the system model and the objectives. In Section IV,
In this paper, we consider a crowdsensing system con-
we analyze the vulnerability of existing online mechanisms
sisting of a platform and a crowd of smartphone users
to Sybil attack. In Section V and Section VI, we present
U = {1, 2, . . . , n}, where n is unknown. The platform first
two online mechanisms for single-minded case and multi-
publicizes a set T = {τ1 , τ2 , . . . , τm } of m sensing tasks,
minded case and prove their desired properties, respectively.
aiming at finding some users to complete these tasks before
Performance evaluations are presented in Section VII. We
a specified deadline T , which is divided into slots of equal
conclude this paper in Section VIII.
size. Each task τi ∈ T has a value vi to the platform. We
use bundle to refer to any subset of T . There is a function
II. R ELATED W ORK
V (B) to calculate
P the value of bundle B to the platform, i.e.,
In recent years, a number of auction-based incentive mecha- V (B) = τi ∈B vi , B ⊆ T . Each user i has a active time
nisms have been proposed for crowdsensing. Most of them are window within which it promises to complete the tasks if it is
offline mechanisms with different objectives e.g., maximizing assigned, and a task set Γ̃i ⊆ T , which i can complete within
the utility of the platform under a budget constraint [35], its active time window. Let ãi ∈ {1, . . . , T } denote the begin
minimizing the social cost [3, 30], and preserving users’ of active time window and d˜i ∈ {1, . . . , T }, d˜i ≥ ãi denote the
privacy [12, 14, 17]. The quality of sensing data has been end of active time window. Note that the platform has to make
considered in [11, 13, 20, 29]. Lin et al. [16] formalized the decision to each user i by d˜i . As with [16], we assume that
Sybil attack in crowdsensing and demonstrated that previous each user i has a cost function c̃i (B), which determines the
offline mechanisms are all vulnerable to Sybil attack. Two cost for i to perform all tasks in bundle B. The cost function
Sybil-proof offline incentive mechanisms are prosed in this c̃i (·) satisfies the following properties:

2439
 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

• c̃i (∅) = 0; B. Attack Model

• c̃i ({τj }) = ∞, ∀τj ∈ T \ Γ̃i ;
In this paper, we assume that all users are selfish but
• c̃i (B 0 ) ≤ c̃i (B 00 ), ∀B 0 ⊆ B 00 ⊆ T ;
rational. Hence it is possible that user i submits a false bid to
• c̃i (B) ≤ c̃i (B 0 ) + c̃i (B 00 ), ∀B 0 , B 00 ⊆ T and B = B 0 ∪ B 00 .
maximizes its utility. Specifically, a false bid may have a false
The first two properties depict user’s capability. The third active time window, i.e., ai 6= ãi or di 6= d˜i . In addition, bi
property implies that a user may incur more cost by performing may not be true, i.e., bi 6= c̃i (Γ̃i ) in the SM case; bi 6= c̃i (·)
more tasks. The last property means that a user’s cost of in the MM case. Furthermore, user i could also misreport its
performing a set of tasks is not greater than that of performing task set i.e., Γi 6= Γ̃i .
these tasks separately. These four properties together closely We also assume that an attacker could conduct Sybil attack
characterize a user’s cost when participating in crowdsensing. at any time slot in its active time by submitting multiple bids
Depending on users’ flexibility on performing their task under fictitious identities. As a simple case, attacker i could
sets, we consider two cases in this paper: single-minded (SM) submit two bids under two identities i0 and i00 , respectively.
and multi-minded (MM). For the SM case, each user i ∈ U Note that i could submit these two bids simultaneously or at
is willing to perform only Γ̃i and behaves in a “win all or different time slots in its active time window. This case is
nothing” manner. For the MM case, each user i ∈ U is willing sufficient to represent the general Sybil attack. We extend the
to perform any subset of Γ̃i and behaves in a flexible manner. definition of attacker’s utility in the following two cases.
We use the sealed-bid reverse auction to model the inter- Single-Minded Case: Each attacker i is only willing to
action between the platform and the smartphone users. In our perform Γ̃i . Attacker i submits βi0 = (ai0 , di0 , Γi0 , bi0 ) and
model, the buyer is the platform buying sensing services, and βi00 = (ai00 , di00 , Γi00 , bi00 ) within [ãi , d˜i ] using identities i0 and
the sellers are smartphone users bidding for performing tasks. i00 , respectively, where Γi0 ∪ Γi00 = Γ̃i . Attacker i’s utility is
User i is a winner if it is assigned tasks, and a loser otherwise. 
Let βi = (ai , di , Γi , bi ) denote the bid of user i. Similar to pi0 + pi00 − c̃i (Γ̃i ), if Ai0 ∪ Ai00 = Γ̃i ;
ui = (4)
most online crowdsensing systems [4, 39], we assume that a 0, otherwise.
user cannot announce an earlier arrival or a later departure, Multi-Minded Case: Each attacker is willing to perform any
i.e., ãi ≤ ai ≤ di ≤ d˜i . A user is active at time slot t if subset of its task set. Attacker i submits βi0 = (ai0 , di0 , Γi0 , bi0 )
ai ≤ t ≤ di . Note that, bi is a value in the SM case, while bi and βi00 = (ai00 , di00 , Γi00 , bi00 ) within [ãi , d˜i ] using identities i0
is a cost function in the MM case. We call user i’s bid βi is true and i00 , respectively, where Γi0 ⊆ Γ̃i and Γi00 ⊆ Γ̃i . Attacker
if βi = (ãi , d˜i , Γ̃i , c̃(Γ̃i )) in the SM case; βi = (ãi , d˜i , Γ̃i , c̃(·)) i’s utility is
in the MM case. At each time slot t, each newly arriving user 
i, i.e., ai = t submits its bid to the platform, which is not pi0 + pi00 − c̃i (Ai0 ∪ Ai00 ), if Ai0 ∪ Ai00 ⊆ Γ̃i ;
ui = (5)
necessarily to be true. Given the bids of all active users at 0, otherwise.
any time slot t, the platform will assign each active user i a It is obvious that attacker i has an incentive to conduct
bundle Ati ⊆ Γ̃i to complete. Note that Ati = ∅ means user i Sybil attack if ui > ũi in either case. We will use examples to
is not assigned any task to perform at time t. In addition, the show the vulnerability of existing online incentive mechanisms
platform calculates the payment pti to user i for time slot t. to Sybil attack in Section IV. Note that any user can be an
Let At and pt denote the assignment profile and the payment attacher, we use attacker and user interchangeably in the rest
profile of Sall active users at time P slot t, respectively. Besides, of this paper.
di
let Ai = t∈[ai ,di ] Ati and pi = t=a i
pti denote the overall
assignment and overall payment to user i, respectively. At last, C. Desired Properties and Objective
let A = (A1 , . . . AT ) denote the overall assignment profile,
and p = (p1 , . . . pT ) denote the overall payment profile. The In this paper, we consider the following properties:
platform pays users once it receives the results of assigned • Computational Efficiency: A mechanism is computaion-
tasks. Note that pi = 0, if Ai = ∅ or user i fails to perform ally efficient if it terminates in polynomial time.
assigned tasks. The utility of i in SM case is • Individual Rationality: A mechanism is individually ra-
 tional if each user has a non-negative utility when bidding
pi − c̃i (Ai ), if Ai = Γ̃i ;
ũi = (1) its true bid.
0, otherwise.
• Truthfulness: A mechanism is truthful if any user’s utility
The utility of i in MM case is is maximized when bidding its true bid including both true
 active time window and true cost.
pi − c̃i (Ai ), if Ai ⊆ Γ̃i ; • Sybil-Proofness: A mechanism is Sybil-proof if any user’s
ũi = (2)
0, otherwise. utility is maximized when bidding its bid using a single
The utility of the platform is identity.
[ X The objective of this paper is to design Sybil-proof online
u0 = V ( Ai ) − pi . (3) incentive mechanisms satisfying above properties. The main
i∈U i∈U notations are summarized in Table I.

2440
 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

TABLE I threshold for the user selection in the next stage, where vi
N OTATIONS is user i’s marginal value and bi is its bid. In the second
Symbol Description stage, the first user i whose vi /bi value is no less than the
T , m, τj set of tasks, number of tasks, and one task
threshold will be selected as a winner. We use the example
U , n, i set of users, number of users, and one user in TABLE II. to show that these mechanisms are not Sybil-
Ut active users at time slot t proof. In this example, the value of τ1 is 1 and the value
V (B) value of bundle B to the platform
vit marginal value of user i at time slot t
of τ2 is 3. The mechanism will reject the first user (User1)
ũi , ui i’s utility and i’s utility via Sybil attack since n = 5 and b 5e c = 1. Next, assume user 1 conducts
u0 platform utility Sybil attack by submitting two bids βi0 = (1, 1, {τ1 }, 2)
T , t, t[i] deadline, each time slot, and time slot i wins
ãi , ai i’s true and submitted start of its active time window
and βi00 = (2, 2, {τ2 }, 2) under fictitious identities 10 and
d˜i , di i’s true and submitted end of its active time window 100 , respectively. In this case, the first two users (User 10
Γ̃i , Γi , Γti i’s true and submitted task set, and tasks i can perform and User 2) are rejected since n = 6 and b 6e c = 2, and
at time t the threshold is 0.5. User i00 is the third arrived user whose
c̃(·), c(·) i’s true and submitted cost function
Ati , At , A i’s and all active users’ assignment at time slot t, and
vi00 /bi00 = 1.5 > 0.5, and thus it is selected as a winner.
overall assignment profile Because these mechanisms satisfy individual rationality, user
pti , pt , p i’s and all active users’ payment at time slot t, i00 has a non-negative utility. Therefore, these mechanisms
and overall payment profile
Bti (B) set of subsets of Γti that intersect with B
are not Sybil-proof, since a user can increase its utility by
changing from a loser to a winner via Sybil attack.
IV. V ULNERABILITY OF E XISTING O NLINE M ECHANISMS The second group comprises of an improved two-
TO S YBIL ATTACK
stage mechanism [27] and a multi-stage mechanism called
OMG [38, 39]. Given the deadline T and budget B, these two
In this section, we use examples to show existing online mechanisms will set the cutoff time of the first stage by 2blnT T c
incentive mechanisms are vulnerable to Sybil attack. and 2blogT2 T c , respectively, and allocate the first stage a stage-
A. Mechanism Classification budget 2blnBT c and 2blogB2 T c , respectively. We take the OMG as
We classify existing online incentive mechanisms into three an example and show that it is still not Sybil-proof using the
categories according to their vulnerabilities to Sybil attack. example in TABLE II. In the first stage, OMG selects users
The first category is the VCG-based mechanism [5]. The iteratively according to users’ marginal density, vi /bi , where vi
second category is the critical value-based mechanism in [4] is user i’s marginal value, and bi is its bid. In each iteration, the
where each winner is paid its critical value. The third category user with the largest marginal value will be selected, and if its
consists of threshold-based mechanisms [9, 27, 37–39]. The marginal density is not less than a preset density threshold ρ∗
mechanism in the first category is not Sybil-proof since VCG and its bid does not exceed the stage-budget, it will be selected
auction is proved not Sybil-proof in [34]. Next, we analyze as a winner. In this example, density threshold ρ∗ = 0.5,
the vulnerabilities to Sybil attack for the last two categories. T = 8 and B = 16, and thus the first stage ends at time
slot 1 and the stage-budget in the first stage is 2. The value of
B. Vulnerabilities of Critical Value-based Mechanisms τ1 is 1 and the value of τ2 is 2. In this case, user 1 will not
The mechanism in [4] executes a reverse auction round by be selected since its bid is greater than the stage-budget. Next,
round. In one round of auction, the mechanism sorts all active assume user 1 conducts Sybil attack by submitting two bids
users in a non-decreasing order by their bids. The first mt βi0 = (1, 2, {τ1 }, 2) and βi00 = (2, 2, {τ2 }, 2) under fictitious
users will be selected as winners, where mt is the number of identities 10 and 100 , respectively. In this case, user 10 will win
tasks at time slot t. At last, the payment to each winner i is set with non-negative utility since OMG is individually rational.
to its critical value. Let ti denote the time slot i wins. Winner Therefore, OMG is not Sybil-proof, since a user can increase
i’s critical value is the largest of all the mt -th users’ bids at its utility by changing from a loser to a winner via Sybil attack.
each time slot t ∈ [ti , di ]. It is obvious that at any time slot
t ∈ [ti , di ] in which the mt -th user does not exist, i can submit TABLE II
a higher bid using a fictitious identity to take the mt -th place. E XAMPLE SHOWING VULNERABILITIES TO S YBIL ATTACK
Therefore, i can increase its critical value and thus increase User Bid (ai , di , Γi , bi )
its payment via Sybil attack.
1 (1,2,{τ1 , τ2 }, 4)
2 (2,2,{τ1 }, 2)
C. Vulnerabilities of Threshold-based Mechanisms 3 (3,4,{τ1 }, 3)
Within this category, we further divide the mechanisms into 4 (3,3,{τ2 }, 4)
5 (3,4,{τ1 , τ2 }, 4)
two groups. The first group comprises mechanisms in [9, 37].
These two mechanisms are two-stage mechanisms in which
the first arrived b ne c users are rejected and their bids are used V. SOS: S YBIL -P ROOF O NLINE I NCENTIVE M ECHANISM
as the sample for the next stage, where n is the number of FOR S INGLE -M INDED C ASE
participating users and e is the base of the natural logarithm. In this section, we design and analyze SOS, a Sybil-proof
In the first stage, the largest vi /bi value will be used as a online incentive mechanism for SM case.

2441
 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

A. Design Rationale The payment determination is illustrated in Algorithm 2.

The input are user i’s ID, the time slot t[i] in which i is
In SM case, a user could maximize its utility by submitting
assigned tasks, and the set Rt[i] of unassigned tasks at the
multiple subsets of its task set using multiple identities with
beginning of time slot t[i]. For each time slot in [t[i], di ],
different active time window in the hope that all the identities
Algorithm 2 calculates the highest price i can bid in order
will be selected as winners. In order to design Sybil-proof
to be a winner. At last, the payment to user i is set to the
mechanisms, we provide a sufficient condition for an online
highest price among these prices. Note that
mechanism to be Sybil-proof in the following theorem.
Theorem 1: An online mechanism is Sybil-proof if it pi = arg max {vit − ct }, (6)
t∈[t[i],di ]
satisfies the following two conditions: If any user i pretends
where ct = max{0, vitj − bij }, and ij is the user with the
two identities i0 and i00 , and both i0 and i00 are selected as
largest criterion value at time slot t when i is not in U t .
winners with assignment Ai0 and Ai00 , respectively within
The main algorithm of SOS is illustrated in Algorithm 3.
[ãi , d˜i ], then
Note that, there is at most one winner at each time slot
1) i should be selected as a winner with assignment Ai = according to Algorithm 1. Therefore, SOS iterates all time
Ai0 ∪ Ai00 within [ãi , d˜i ] while using only one identity; slots and calculates the payment for the winner at each time
2) pi ≥ pi0 + pi00 . slot using Algorithm 2.
Proof: Assume user i pretends two identities i0 and i00 ,
Algorithm 1: SOS-WSA(T , T )
and both i0 and i00 are winners within its true active time
1 W ← ∅, At ← ∅, ∀t ∈ [1, T ], t ← 1, Rt ← T ;
window with assignment Ai0 and Ai00 , respectively. According 2 while Rt 6= ∅ and t ≤ T do
to 1), i would have been a winner within its true active time 3 U t ← the set of active users at time slot t;
window with assignment Ai = Ai0 ∪ Ai00 . According to (1), 4 Atj ← ∅, ∀j ∈ U t ;
user i’s utility is ũi = pi − c̃i (Ai ). According to (4), user i’s 5 i ← arg maxj∈U t (vjt − bj );
6 if bi ≤ vit then
utility via Sybil attack is ui = pi0 + pi00 − c̃i (Ai ). Because of
7 W ← W ∪ {i}, Ati ← Γi , Rt+1 ← Rt \ Γi ;
2), we have pi ≥ pi0 + pi00 , and thus ũi ≥ ui . Therefore, user 8 end
i cannot increase its utility via Sybil attack. 9 t ← t + 1;
10 end
The following theorem will be used to guarantee the truth-
11 A ← (A1 , . . . AT );
fulness of SOS. 12 return (A, W).
Theorem 2: [4] An online mechanism is truthful iff:
• The winner selection rule is monotone: If user i wins the Algorithm 2: SOS-PD(i, t[i], Rt[i] )
auction by bidding βi = (ai , di , Γi , bi ), it also wins by t[i]
t ← t[i], pi ← 0;
bidding βi0 = (a0i , d0i , Γ0i , b0i ), where a0i ≤ ai , d0i ≥ di , Γi ⊆ 2
1
while t ≤ di and Rt 6= ∅ do
Γ0i , b0i ≤ bi ; 3 U t ← the set of active users at time slot t;
• Each winner is paid the critical value, which is the smallest 4 U t ← U t \ {i};
value such that user i would lose the auction if it bids 5 ij ← arg maxj∈U t (vjt − bj );
6 if bij ≤ vitj then
higher than this value. t[i] t[i]
7 pi ← max{pi , vit − (vitj − bij )};
In order to guarantee Sybil-proofness and truthfulness, SOS 8 Rt+1 ← Rt \ Γi ;
should satisfy both Theorem 1 and Theorem 2. 9 else
t[i] t[i]
10 pi ← max{pi , vit };
B. Design of Mechanism 11 end
12 t ← t + 1;
In this section, we describe the details of SOS, which is 13 end
t[i]
comprised of two subroutines: winner selection with assign- 14 return pi .
ment and payment determination.
The winner selection with assignment is illustrated in Al- Algorithm 3: SOS(T , T )
gorithm 1. It selects winners iteratively at each time slot until 1 t ← 1 , Rt ← T ;
all tasks are assigned or deadline T is reached. Let Rt denote 2 (A, W) ← SOS-WSA(T , T );
the set of currently unassigned tasks and vit = V (Rt ∩ Γi ) 3 while Rt 6= ∅ and t ≤ T do
4 i ← j ∈ W s.t. Atj 6= ∅ ;
denote the marginal value of user i to the platform at time slot 5 pti ← SOS-PD(i, t, Rt );
t. At each time slot t, Algorithm 1 selects the user with the 6 Rt+1 ← Rt \ Ati ;
largest criterion value, vit −bi , from all active users in U t . If its 7 t ← t + 1;
criterion value is non-negative, this user will be put into winner 8 end
9 return (A, p).
set W and assigned the tasks it submits. Otherwise, it will not
be assigned tasks. All active users’ task assignments constitute
the assignment profile At of time slot t. The assignment profile C. Analysis of SOS
of every time slot constitutes the overall assignment profile A. In this section, we prove the properties of SOS in the
The outcome of Algorithm 1 are A and W. following theorem.

2442
 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

Theorem 3: SOS is computationally efficient, individually that Γi0 ∪ Γi00 = Γ̃i . The second inequation is based on
rational, truthful and Sybil-proof in SM case. the 0 fourth property of the cost function. Therefore, we have
t[i ] t[i0 ] t[i00 ]
We prove this theorem with the following lemmas. vi − bi ≥ vi0 − bi0 since vi00 − bi00 ≥ 0. This implies
Lemma 1: SOS is computationally efficient. that i wins at t[i0 ] at the latest while using a single identity.
Due to space limit, we omit the proof for this lemma. Therefore, the first condition in Theorem 1 is satisfied.
Lemma 2: SOS is individually rational. We next prove that SOS satisfies the second condition in
Proof: For any winner i, assume it is selected at time Theorem 1. We know that user i wins at t[i] ≤ t[i0 ]. Let tc ,
slot t[i] with its true bid, i.e., bi = c̃(Γ̃i ). If there exists a t0c and t00c denote the time that determine the payment of i,
winner j at time slot t[i] when i is not in U t[i] , we have i0 and i00 according to (6), respectively. We know that tc ∈
t[i] t[i]
vi − bi ≥ vj − bj ≥ 0 since i was the winner at time [t[i], di ], t0c ∈ [t[i0 ], di0 ], and t00c ∈ [t[i00 ], di00 ] according to
slot t[i]. Then according to Line 7 in Algorithm 2, we have Algorithm 2. We then prove by cases. In Case 1, tc ∈ [t[i0 ], di ]
t[i] t[i] t[i] t0 0
pi ≥ vi −(vj −bj ) ≥ bi . If there is no winner at time slot and t0c ≤ t00c . According to (6), we have pi ≥ vi c − ctc ≥
t[i] 0 00 0
t t
t[i] when i is not in U t[i] , we have pi ≥ vi ≥ bi according vi0c + vi00c − ctc ≥ pi0 + pi00 . The first inequation results from
to Line 10. Therefore, ui = pi − c̃(Γ̃i ) = pi − bi ≥ 0, and 0
the fact tc ∈ [t[i], di ]. The second inequation is based on the
SOS is individually rational. fact Γi0 ∪ Γi000 = Γ̃i . The third 00inequation is based on the
t 0 t
Lemma 3: SOS is truthful. fact pi0 = vi0c − ctc and pi00 ≤ vi00c according to (6). In Case
Proof: We first prove that user i cannot increase its utility 2, tc ∈ [t[i0 ], di ] and t0c > t00c . Similar to Case 1, we can
by submitting a false task set. We then prove that user i cannot t00 00 t0 t00 00
prove that pi ≥ vi c − ctc ≥ vi0c + vi00c − ctc ≥ pi0 + pi00 .
increase its utility by submitting a false active time window In Case 3, tc ∈ [t[i], t[i0 ]). Because tc < t[i0 ], we have pi ≥
or a false cost. If user i submits a false task set Γi ⊂ Γ̃i , the t0 0 t00 00
max{vi c − ctc , vi c − ctc } ≥ pi0 + pi00 based on the proofs of
utility of i is 0 according to (1). On the contrary, if Γi \ Γ̃i 6= ∅,
Case 1 and Case 2. Therefore, we have pi ≥ pi0 + pi00 . Hence,
user i will not be paid since it cannot finish all the tasks in
the second condition in Theorem 1 is satisfied.
Γi . Thus, there is no incentive for i to submit a false task set.
Therefore, SOS is Sybil-proof according to Theorem 1. We
To prove that user i cannot increase its utility by submitting
can use a similar proof for the case where a user pretends
a false active time window or a false cost, it suffices to prove
more than two identities.
that the selection rule of SOS is monotone and the payment
to each winner is its critical value according to Theorem 2. VI. SOM: S YBIL -P ROOF O NLINE I NCENTIVE M ECHANISM
Obviously, the criterion value of a user will increase with the FOR M ULTI -M INDED C ASE
decrease of user’s cost. Meanwhile, due to the submodularity In this section, we design and analyze SOM, a Sybil-proof
of user’s marginal value, the criterion value of a user at each online incentive mechanism for MM case.
time slot will not decrease if it bids a wider active time
window. Therefore, the selection rule of SOS is monotone. A. Design Rationale
Next, we prove that the payment pi to winner i is its critical In MM case, a user is willing to perform any subset of its
value. Assume i was selected at time slot t[i] with bi , and thus task set and tries to maximize its utility by submitting multiple
t[i]
pi = pi ≥ bi . If user i bids b̃i > pi , it is obvious that i still bids under fictitious identities. To guarantee that each user
loses at any time slot t ∈ [ai , t[i]) since its criterion value is submits its true cost function, SOM gives the payment to each
less than that when i bids bi but loses in [ai , t[i]). At any time user, which is independent of its own cost function. The time-
slot t ∈ [t[i], di ], i still loses since there always exists a user truthfulness is based on the monotonic task assignment rule
ij such that vit − b̃i < vitj − bij according to (6). If user i bids and the submodularity of users’ marginal value. To achieve
b̃i < pi , i wins at least within [t[i], di ], according to (6), if not Sybil-proofness, we extend the characterization of Sybil-proof
earlier. Therefore, pi is the critical value for user i. mechanisms in [33] to the online scenario.
Lemma 4: SOS is Sybil-proof.
B. Design of Mechanism
Proof: We prove SOS is Sybil-proof by proving it satisfies
the sufficient conditions in Theorem 1. Assume user i submits The main algorithm of SOM is shown in Algorithm 4. It
(ai0 , di0 , Γi0 , bi0 ) and (ai00 , di00 , Γi00 , bi00 ) using two fictitious selects users iteratively at each time slot until all tasks are
identities i0 and i00 , respectively, where Γi0 ∪ Γi00 = Γ̃i . assigned or deadline T is reached. Given the sensing tasks T
We first prove that SOS satisfies the first condition in The- and deadline T , SOM outputs the overall assignment profile
orem 1. We assume that both i0 and i00 are selected as winner A and the overall payment profile p.
at time t[i0 ] and t[i00 ] ( w.l.o.g. t[i0 ] < t[i00 ]), respectively. It Let Γti ⊆ Γ̃i denote a set of unassigned tasks that i can
implies that Γi0 ⊂ Γ̃i and Γi0 ⊂ Γ̃i , since one0 will make perform at time slot t. Let Bti (B) = {B 0 |B 0 ⊆ Γti , B 0 ∩B 6= ∅}.
the other lose otherwise. In addition, we have vi0 ≥ bi0 and
t[i ] At each time slot t, SOM first calculates the payment pti,B
t[i00 ]
vi00 ≥ bi00 , since both i0 and i00 are winners. If user i use to each active user i for any bundle B ⊆ Γti . Note that the
payment to user i for any bundle B ⊆ Γti is independent of its
a single identity and submits its true bid (ãi , d˜i , Γ̃i , bi ). At
t[i0 ] t[i0 ] t[i00 ] cost function ci (·), i.e.,
time slot t[i0 ], we have vi − bi ≥ vi0 + vi00 − bi ≥
t[i0 ] t[i00 ] pti,B = V (B)−max{0, max (V (B 0 )−cj (B 0 ))}. (7)
vi0 + vi00 − bi0 − bi00 . The first inequation lies in the fact j6=i,B0 ∈Btj (B)

2443
 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

Algorithm 4: SOM(T , T ) SOM only considers Γti for each active user i at any time slot
1 F ← ∅, At ← ∅, ∀t ∈ [1, T ], t ← 1; t. Besides, the size of Γti is non-increasing with time. Thus,
2 while F 6= T and t ≤ T do a narrow time window will not increase a user’s chance to be
3 U t ← the set of active users at time slot t; a winner. Therefore, a user has no incentive to submit a false
4 Γti ← Γi \ F , ∀i ∈ U t ;
5 foreach i ∈ U t do time window.
6 Calculate the payment to i for any bundle B ⊆ Γti , pti,B ← At last, a false cost function ci (·) 6= c̃i (·) can only affect
V (B) − max{0, maxj6=i,B0 ∈Bt (B) (V (B0 ) − cj (B0 ))}; the result of (8) according to SOM. Let Ati and Ãti denote the
j
7 end assignments to i when i submits ci (·) and the true cost function
8 foreach i ∈ U t do
9 Ati ← arg maxB⊆Γt (pti,B − ci (B)); c̃i (·), respectively. It is obvious that the utility of i will not
10 pti ← pti,At ;
i
change if Ati = Ãti . If Ati 6= Ãti , we have pi,Ãt − c̃i (Ãti ) ≥
i
i
11 F ← F ∪ Ati ; pi,Ati − c̃i (Ati ) because of both Ati and Ãti are the subset of
12 end Γti , and Ãti is the bundle maximizing i’s utility. Thus, user i
13 t ← t + 1;
14 end cannot increase its utility by submitting ci (·).
15 A = A1 , . . . AT ); Therefore, SOM is truthful.
16 p = (p1 , . . . , pT );
17 return A and p.
Lemma 7: SOM is Sybil-proof.
Proof: We assume that user i pretends two identities i0
and i00 who are assigned Ai0 and Ai00 , respectively. Let ui (Ai )
At last, SOM will assign each active user i a set of tasks Ati ,
denote the utility of user i when assigned Ai . For any time slot
which is a bundle B ⊆ Γti maximizing its utility based on the
t ∈ [ai , di ], we have ui (Ati ) ≥ ui (Ati0 ∪Ati00 ) since Ati0 ∪Ati00 ⊆
calculated payment, i.e.,
Γti and SOM assigns i the bundle that maximizes its utility.
Ati = arg maxt (pti,B − ci (B)). (8) Next, we prove that ui (Ati0 ∪ Ati00 ) ≥ pti0 + pti00 − ci (Ati0 ∪
B⊆Γi
Ati00 ). Let mi0 denote maxj6=i0 ,B∈Btj (At0 ) (V (B)− cj (B)), and
The payment pti
to each user i at time slot t for assignment i

Ati is pti,At . Note that pti = pti,At = 0, if Ati = ∅. mi00 denote maxj6=i00 ,B∈Btj (At00 ) (V (B) − cj (B)). By (7), the
i
i i payments to i0 and i00 at any time slot t are
C. Analysis of SOM
pti0 = pti0 ,At0 = V (Ati0 ) − max {0, mi0 } ,
In this section, we prove the properties of SOM in the i

following theorem. pti00 = pti00 ,At00 = V (Ati00 ) − max {0, mi00 } .

i
Theorem 4: SOM is individually rational, truthful and
Sybil-proof in MM case. Let Ãti = Ati0 ∪ Ati00 , the payment to i when assigned Ãti is
We prove this theorem with the following lemmas. ( )
Lemma 5: SOM is individually rational. pti,Ãt = V (Ãti ) − max 0, max (V (B) − cj (B)) .
Proof: The utility of any active user i at any time slot t i j6=i,B∈Btj (Ãti )
is 0 when the assignment Ati = ∅ according to (2). According
to (8), at any time slot t, SOM assigns any active user i a In addition, we know that
bundle Ati maximizing its utility. It implies that Ati 6= ∅ only [ [ [
Btj (Ãti ) = Btj (Ati0 ) ∪ Btj (Ati00 ).
if ui = pti,At − c̃i (Ati ) > 0, and thus the utility of any user i
i ∀j∈S t ,j6=i ∀j∈S t ,j6=i0 ∀j∈S t ,j6=i00
is non-negative. Therefore, SOM is individually rational.
Lemma 6: SOM is truthful. Let mi denote maxj6=i,B∈Bt (Ãt ) (V (B)−cj (B)). Thus we have
j i
Proof: We first prove that user i cannot increase its utility mi = max{mi0 , mi00 }, and thus mi ≤ mi0 + mi00 . In addition,
by submitting a false task set. Then, we prove that user i we can prove that Ati0 ∩ Ati00 = ∅ by contradiction. Assume
cannot increase its utility by submitting a false active time Ati0 ∩ Ati00 6= ∅, the payments to i0 is
window or a false cost function. Assume user i submits a
false bid βi = (ai , di , Γi , ci (·)). By (7), at any time slot pti0 ,At0 = V (Ati0 )−max{0, mi0 } ≤ V (Ati0 )−(V (Ati00 )−ci (Ati00 ))
i
t, the payment to i for any bundle B ⊆ Γti is calculated t t
independently of i’s own cost function. If Γi ⊂ Γ̃i , the t
S from the tfact t V (Ai00 ) − ci (Ai00 ) ≤
The inequality results
payment to i for any subset of Γi is the same as that when i mi0 , since Ai00 ∈ ∀j∈S t ,j6=i0 Bj (Ai0 ). Similarly, we have
submits Γ̃i . In addition, at each time slot t, SOM assigns i a pti00 ,At ≤ V (Ati00 ) − (V (Ati0 ) − ci (Ati0 )). Therefore, the
i00
bundle maximizing its utility by (8). Therefore, user i cannot summation of the utilities of i0 and i00 at any time slot t is
increase its utility by submitting Γi ⊂ Γ̃i . On the contrary, if
pti0 ,At0 − ci (Ati0 ) + pti00 ,At00 − ci (Ati00 )
Γi \ Γ̃i 6= ∅, it will not be assigned tasks in Γi \ Γ̃i 6= ∅, since i i

its utility is negative according to the second property of the ≤ V (Ati0 ) − (V (Ati00 ) − ci (Ati00 )) − c̃i (Ati0 )
cost function. Therefore, user i has no incentive to submit a + V (Ati00 ) − (V (Ati0 ) − ci (Ati0 )) − ci (Ati00 ) = 0.
false task set.
Next, we prove that user i has no incentive to submit a It implies that Ati0 = Ati00 = ∅ since SOM is individually
false active time window, i.e., ai > ãi or di < d˜i . By (7), rational, which contradicts the assumption. Therefore, Ati0 ∩

2444
 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

Ati00 = ∅. We also have V (Ãti ) = V (Ati0 ∪ Ati00 ) = V (Ati0 ) + from 100 to 300 with a step of 50. All the results are averaged
V (Ati00 ), since Ãti = Ati0 ∪ Ati00 . By (7), the payment to i is over 1000 independent runs.
pti,Ãt = V (Ãti ) − max{0, mi } B. Evaluation of Total Payment
i

≥ V (Ãti ) − (mi0 + mi00 ) The impacts of m and n on the total payment to users
= V (Ati0 ∪ Ati00 ) − (mi0 + mi00 ) are shown in Fig. 2. In Fig. 2 (a), we see that the total
payment of both offline and online mechanisms increase with
= V (Ati0 ) − mi0 + V (Ati00 ) − mi00
the increase of m. This is because the platform may recruit
≥ pti0 ,At0 + pti00 ,At00 . more users when m increase, and thus has a higher payment.
i i

In addition, we have ci (Ãti ) ≤ ci (Ati0 ) + ci (Ati00 ) because of In addition, we see that the total payment of the online
the fourth property of the cost function. By (2) and (5), the mechanisms (Greedy, SOS, SOM) are higher than that of the
utility of i when using two identities is not greater than that offline mechanisms (SPIM-S, SPIM-M). This is because the
obtained by using a single identity at any time slot t. User online mechanisms may recruit more users when users arrives
i’s utility via Sybil attack is not greater than that obtained by in different time slots, and thus has a higher payment. In
using a single identity. Fig. 2 (b), we observe that the total payment of SPIM-M
Therefore, SOM is Sybil-proof. decrease with the increase of n. This is because, with more
Remark: We can use a proof similar to that in Lemma 7 to users, SPIM-M may find more low-cost users to perform the
prove that Ai ∩ Aj = ∅ for any two users i and j. In addition, tasks. The total payment of the other four mechanisms increase
SOM does not satisfy computational efficiency, since at each slightly with the increase of n. This is because, with more
time slot t it calculates the payments to each active user i for users, these mechanisms may assign more tasks incurring a
every subset of Γti , and the time complexity is exponential to higher payment. In addition, we see that the total payment
the largest |Γti | for all i ∈ S t . In reality, however, the number of the online mechanisms are higher than that of the offline
of tasks each user can perform is very small because of various mechanisms as explained before. Note that, SOS has a similar
constraints, e.g., travel budget [21], and thus the execution time performance as Greedy, which is not Sybil-proof.
of SOM is still practical. 120 130 SOS
Total payment

Greedy

Total payment
100 SPIM-S
VII. P ERFORMANCE E VALUATION 80 100 SOM
SPIM-M

60
In this section, we compare the performances of SOS and SOS
Greedy 70
40 SPIM-S
SOM
SOM with three benchmarks. The first benchmark is an online 20
SPIM-M
40
20 30 40 50 60 100 150 200 250 300
mechanism adapted from [4] for SM case, denoted by Greedy. Number of sensing tasks Number of users
Note that, this mechanism is not Sybil-proof. The second (a) Impact of m (b) Impact of n
Fig. 2. Total payment
benchmark is SPIM-S [16], which is a Sybil-proof mechanism
for SM case. The third benchmark is SPIM-M [16], which C. Evaluation of Platform Utility
is a Sybil-proof mechanism for MM case. The performance
metrics include total payment, platform utility and Sybil- The impacts of m and n on the platform utility are shown
proofness. in Fig. 3. In both Fig. 3 (a) and Fig. 3 (b), we see that the
platform utilities achieved by the offline mechanisms (SPIM-S,
A. Evaluation Setup SPIM-M) are larger than that achieved by online mechanisms
For a fair comparison with SPIM-S and SPIM-M, we use (Greedy, SOS, SOM). This is because offline mechanisms
the same dataset, which is a real-world dataset consisting know all users’ bids before making decision, while online
of the traces of taxi drivers [1]. As in [16], we consider a mechanisms have no information of future users. In addition,
crowdsensing system in which the tasks are measuring the we see that SOM outperforms SOS in term of the platform
Wi-Fi signal strength at specific locations. In this system, tasks utility. This is because SOM assigns each task to at most one
are represented by GPS locations of the taxi drivers in the user, and thus avoids paying users to perform duplicated tasks.
dataset, and users are all the taxi drivers. 50 SOS 25 SOS
In our evaluation, we randomly select locations on taxi Greedy
Platform utility

Greedy
Platform utility

40 SPIM-S 20 SPIM-S
SOM SOM
drivers’ traces as the sensing tasks. The value of each task 30 SPIM-M
15 SPIM-M

is uniformly distributed over [1, 5], and users’ cost for each 20 10
10 5
task is uniformly distributed over [1, 5]. We set the deadline
0 0
(T ) to 60 (min), each user i’s ãi is uniformly distributed over 20 30 40 50 60 100 150 200 250 300
Number of sensing tasks Number of users
[0, 60], and the active time window (d˜i − ãi ) of each user is (a) Impact of m (b) Impact of n
uniformly distributed over [0, 5]. To evaluate the impact of the Fig. 3. Platform utility
number of sensing tasks (m) on the performance metrics, we
fix the number of users (n) at 200 and vary m from 20 to 60 D. Evaluation of Sybil-proofness
with a step of 10. To evaluate the impact of the number of Fig. 4 shows the utility of Sybil attacker and the other users
users on the performance metrics, we fix m at 150 and vary n without Sybil attack, denoted by Attacker and Other, and that

2445
 IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

via Sybil attack, denoted by Attacker-Sybil and Other-Sybil. In [15] I. Koutsopoulos, “Optimal incentive-driven design of participatory sens-
both Fig. 4 (a) and Fig. 4 (b), we see that the attacker increase ing systems,” in INFOCOM, 2013, pp. 1402–1410.
[16] J. Lin, M. Li, D. Yang, G. Xue, and J. Tang, “Sybil-proof incentive
its utility while decreasing the utility of others’ in Greedy. This mechanisms for crowdsensing,” in INFOCOM, 2017, pp. 2088–2096.
is because Greedy is vulnerable to Sybil attack. However, the [17] J. Lin, D. Yang, M. Li, J. Xu, and G. Xue, “BidGuard: A framework for
attacker cannot increase its utility in SPIM-S, SOS and SOM, privacy-preserving crowdsensing incentive mechanisms,” in CNS, 2016,
pp. 439–447.
since they are Sybil-proof. [18] M. Mun, S. Reddy, K. Shilton, N. Yau, J. Burke, D. Estrin, M. Hansen,
E. Howard, R. West, and P. Boda, “Peir, the personal environmental
10 Attacker
15 Attacker
impact report, as a platform for participatory sensing systems research,”
Attacker-Sybil Attacker-Sybil
8 Other Other in MobiSys, 2009, pp. 55–68.
Other-Sybil Other-Sybil
10 [19] “Opensignal,” http://opensignal.com/.
6
Utility

Utility
[20] D. Peng, F. Wu, and G. Chen, “Pay as how well you do: A quality based
4 incentive mechanism for crowdsensing,” in MobiHoc, 2015.
5
2 [21] L. Pournajaf, L. Xiong, V. Sunderam, and S. Goryczka, “Spatial task
assignment for crowd sensing with cloaked locations,” in MDM, vol. 1,
0 0
Greedy SOS SPIM-S Greedy SOM 2014, pp. 73–82.
(a) Single-minded case (b) Multi-minded case [22] R. K. Rana, C. T. Chou, S. S. Kanhere, N. Bulusu, and W. Hu, “Ear-
Fig. 4. Sybil-proofness phone: an end-to-end participatory urban noise mapping system,” in
IPSN, 2010, pp. 105–116.
VIII. C ONCLUSION [23] B. Viswanath, A. Post, K. P. Gummadi, and A. Mislove, “An analysis of
social network-based sybil defenses,” in SIGCOMM, 2010, pp. 363–374.
In this paper, we demonstrated that existing online in- [24] B. Wang, L. Zhang, and N. Z. Gong, “SybilSCAR: Sybil detection in
centive mechanisms for crowdsensing are all vulnerable to online social networks via local rule based propagation,” in INFOCOM,
2017, pp. 1099–1107.
Sybil attack. We proposed two Sybil-proof online incentive [25] G. Wang, B. Wang, T. Wang, A. Nika, H. Zheng, and B. Y. Zhao,
mechanisms SOS and SOM for single-minded case and multi- “Defending against sybil devices in crowdsourced mapping services,”
minded case, respectively. Specifically, SOS achieves computa- in MobiSys, 2016, pp. 179–191.
[26] Q. Wang, B. Ye, B. Tang, S. Guo, and S. Lu, “eBay in the clouds: False-
tional efficiency, individual rationality, truthfulness and Sybil- name-proof auctions for cloud resource allocation,” in ICDCS, 2015, pp.
proveness. SOM achieves individual rationality, truthfulness 153–162.
and Sybil-proveness. We rigorously proved the desired prop- [27] Y. Wang, Z. Cai, G. Yin, Y. Gao, X. Tong, and G. Wu, “An incentive
mechanism with privacy protection in mobile crowdsourcing systems,”
erties of the mechanisms and evaluated their performances Computer Networks, vol. 102, pp. 157–171, 2016.
through extensive simulations. [28] “Waze,” https://www.waze.com/.
[29] Y. Wen, J. Shi, Q. Zhang, X. Tian, Z. Huang, H. Yu, Y. Cheng, and
R EFERENCES X. Shen, “Quality-driven auction based incentive mechanism for mobile
[1] L. Bracciale, M. Bonola, P. Loreti, G. Bianchi, R. Amici, and A. Rabuffi, crowd sensing,” IEEE Trans. Veh. Technol., vol. 64, no. 9, pp. 4203–
“CRAWDAD data set roma/taxi (v. 2014-07-17),” Downloaded from 4214, 2015.
http://crawdad.org/roma/taxi/, Jul. 2014. [30] J. Xu, J. Xiang, and D. Yang, “Incentive mechanisms for time win-
[2] J. R. Douceur, “The sybil attack,” in IPTPS, 2002, pp. 251–260. dow dependent tasks in mobile crowdsensing,” IEEE Transactions on
[3] Z. Feng, Y. Zhu, Q. Zhang, L. M. Ni, and A. V. Vasilakos, “TRAC: Wireless Communications, vol. 14, no. 11, pp. 6353–6364, 2015.
Truthful auction for location-aware collaborative sensing in mobile [31] D. Yang, G. Xue, X. Fang, and J. Tang, “Crowdsourcing to smartphones:
crowdsourcing,” in INFOCOM, 2014, pp. 1231–1239. incentive mechanism design for mobile phone sensing,” in MobiCom,
[4] Z. Feng, Y. Zhu, Q. Zhang, H. Zhu, J. Yu, J. Cao, and L. M. Ni, 2012, pp. 173–184.
“Towards truthful mechanisms for mobile crowdsourcing with dynamic [32] D. Yang, G. Xue, X. Fang, and J. Tang, “Incentive mechanisms for
smartphones,” in ICDCS, 2014, pp. 11–20. crowdsensing: Crowdsourcing with smartphones,” IEEE/ACM Trans.
[5] L. Gao, F. Hou, and J. Huang, “Providing long-term participation Netw., vol. 24, no. 3, pp. 1732–1744, 2016.
incentive in participatory sensing,” in INFOCOM, 2015, pp. 2803–2811. [33] M. Yokoo, “Characterization of strategy/false-name proof combinatorial
[6] “Gigwalk,” http://www.gigwalk.com/. auction protocols: price-oriented, rationing-free protocol,” in IJCAI,
[7] B. Guo, Z. Wang, Z. Yu, Y. Wang, N. Y. Yen, R. Huang, and X. Zhou, 2003, pp. 733–742.
“Mobile crowd sensing and computing: The review of an emerging [34] M. Yokoo, Y. Sakurai, and S. Matsubara, “The effect of false-name bids
human-powered sensing paradigm,” ACM Computing Surveys, vol. 48, in combinatorial auctions: New fraud in internet auctions,” Games and
no. 1, p. 7, 2015. Economic Behavior, vol. 46, no. 1, pp. 174–188, 2004.
[8] K. Han, Y. He, H. Tan, S. Tang, H. Huang, and J. Luo, “Online pricing [35] Q. Zhang, Y. Wen, X. Tian, X. Gan, and X. Wang, “Incentivize crowd
for mobile crowdsourcing with multi-minded users,” in MobiHoc, 2017, labeling under budget constraint,” in INFOCOM, 2015, pp. 2812–2820.
pp. 18:1–18:10. [36] X. Zhang, G. Xue, R. Yu, D. Yang, and J. Tang, “Truthful incentive
[9] K. Han, C. Zhang, J. Luo, M. Hu, and B. Veeravalli, “Truthful scheduling mechanisms for crowdsourcing,” in INFOCOM, 2015, pp. 2830–2838.
mechanisms for powering mobile crowdsensing,” IEEE Trans. Comput., [37] X. Zhang, Z. Yang, Z. Zhou, H. Cai, L. Chen, and X. Li, “Free market of
vol. 65, no. 1, pp. 294–307, 2016. crowdsourcing: Incentive mechanism design for mobile sensing,” IEEE
[10] L. G. Jaimes, I. Vergara-Laurens, and A. Raij, “A crowd sensing incen- Trans. Parallel Distrib. Syst., vol. 25, no. 12, pp. 3190–3200, 2014.
tive algorithm for data collection for consecutive time slot problems,” [38] D. Zhao, X.-Y. Li, and H. Ma, “How to crowdsource tasks truthfully
in LATINCOM, 2014, pp. 1–5. without sacrificing utility: Online incentive mechanisms with budget
[11] H. Jin, L. Su, D. Chen, K. Nahrstedt, and J. Xu, “Quality of information constraint,” in INFOCOM, 2014, pp. 1213–1221.
aware incentive mechanisms for mobile crowd sensing systems,” in [39] D. Zhao, X.-Y. Li, and H. Ma, “Budget-feasible online incentive mech-
MobiHoc, 2015, pp. 167–176. anisms for crowdsourcing tasks truthfully,” IEEE/ACM Trans. Netw.,
[12] H. Jin, L. Su, B. Ding, K. Nahrstedt, and N. Borisov, “Enabling privacy- vol. 24, no. 2, pp. 647–661, 2016.
preserving incentives for mobile crowd sensing systems,” in ICDCS, [40] Z. Zheng, Y. Peng, F. Wu, S. Tang, and G. Chen, “An online pricing
2016, pp. 344–353. mechanism for mobile crowdsensing data markets,” in MobiHoc, 2017,
[13] H. Jin, L. Su, and K. Nahrstedt, “Theseus: Incentivizing truth discovery pp. 26:1–26:10.
in mobile crowd sensing systems,” in MobiHoc, 2017, pp. 1:1–1:10.
[14] H. Jin, L. Su, H. Xiao, and K. Nahrstedt, “INCEPTION: incentivizing
privacy-preserving data aggregation for mobile crowd sensing systems,”
in MobiHoc, 2016, pp. 341–350.

2446