Identifying Time Measurement Tampering in the Traversal Time and Hop Count Analysis (TTHCA) Wormhole Detection Algorithm

Traversal time and hop count analysis (TTHCA) is a recent wormhole detection algorithm for mobile ad hoc networks (MANET) which provides enhanced detection performance against all wormhole attack variants and network types. TTHCA involves each node measuring the processing time of routing packets during the route discovery process and then delivering the measurements to the source node. In a participation mode (PM) wormhole where malicious nodes appear in the routing tables as legitimate nodes, the time measurements can potentially be altered so preventing TTHCA from successfully detecting the wormhole. This paper analyses the prevailing conditions for time tampering attacks to succeed for PM wormholes, before introducing an extension to the TTHCA detection algorithm called ΔT Vector which is designed to identify time tampering, while preserving low false positive rates. Simulation results confirm that the ΔT Vector extension is able to effectively detect time tampering attacks, thereby providing an important security enhancement to the TTHCA algorithm.

The traversal time and hop count analysis (TTHCA) algorithm is a new wormhole detection technique [17] designed as a security extension to the ad hoc on demand distance vector (AODV) [18] routing protocol. It combines the benefits of RTT-based approaches with HC analysis, to provide improved detection for all wormhole types, under a variety of network scenarios. RTT-based wormhole detection schemes, such as wormhole attack prevention (WAP) [13], transmission time-based mechanism (TTM) [15] and delay per hop indication (DelPHI) [14], offer low overhead solutions in terms of hardware, computation and throughput, but have the limitation that variations in a node's packet processing time i.e., the sum of the queuing delay and service time must be small. In a real MANET, nodes can exhibit high packet processing time variations, a feature the neighbour probe acknowledge (NPA) method [16] addresses by employing the standard deviation of the RTT as an accurate metric. NPA has not however, been tested in large scale networks and is inherently computationally heavier than either TTHCA or other RTT-based techniques because it uses encryption and time-stamped digital signatures to guarantee the security of the routing packets. In TTHCA, packet traversal times (PTT) are measured instead of the RTT of a routing packet, as this more accurately reflects the distance between a source and destination node. The corollary is that TTHCA affords significantly superior wormhole detection and lower false positive (FP) performance than RTT-based solutions, while concomitantly affording low computational overheads.
A potential drawback of TTHCA is that under specific conditions, PM wormhole nodes can alter the time measurements and prevent the wormhole from being detected. In TTHCA, PTT is estimated by initially allowing each intermediate node to measure the packet processing time of the AODV route request (RREQ) and route reply (RREP) packets, before adding this measurement value ∆T i to a ∆T TOT parameter in the RREP packet. Upon receiving the RREP, the source node can calculate PTT by subtracting ∆T TOT from the RTT. A wormhole is suspected if the PTT is unrealistically high in relation to the HC. By falsely increasing ∆T TOT , a PM wormhole node can evade being detected because this results in a smaller PTT than is in fact, the case. Time tampering attacks are not relevant to HM wormholes because as mentioned above, they never process the routing packets.
This paper analyses the time tampering problem and investigates its impacts on TTHCA wormhole detection performance. A solution is presented to accurately identify time tampering in PM I-B wormholes by introducing a ∆T Vector extension into the TTHCA algorithm. The ∆T Vector replaces the ∆T TOT parameter in the RREP packet with a list of the individual ∆T i values from all intermediate nodes. A malicious node must thus produce a falsely inflated ∆T i in order to perform a successful time tampering attack. By using the ∆T Vector extension, a tampered ∆T i can be accurately identified by the source node as it typically is significantly higher than a healthy ∆T i .
The remainder of the paper is organized as follows: Section 2 presents a brief overview of the TTHCA algorithm before Section 3 investigates time tampering attacks and the specific conditions necessary for this security breach to ensue. The new ∆T Vector extension is then introduced in Section 4 and its performance analysed in Section 5 for diverse MANET scenarios. Finally, some concluding comments are provided in Section 6.

The Traversal Time and Hop Count Analysis (TTHCA) Algorithm
In TTHCA, a source node firstly measures the RTT of the AODV route discovery packets, which is the time between sending the RREQ packet and receiving the RREP packet. Each intermediate node measures the processing time of the RREQ and RREP packets (∆T i ) and this is added to the ∆T TOT parameter in the RREP packet. Hence, once a RREP packet is received by the source node: (1) and the PTT is calculated from: A wormhole is then suspected if: where R and S are respectively the maximum radio range per node and the propagation speed (i.e., 3  10 8 m/s).
When a wormhole is suspected, all intermediate nodes on the route are added to a graylist [12] which is broadcasted throughout the MANET together with a new RREQ. All graylist nodes are then omitted during the next route discovery procedure resulting in a new unique route. Graylist broadcasting is repeated until a healthy route is found.

Time Tampering in TTHCA
The TTHCA wormhole detection algorithm is predicated on the assumption that a wormhole route will exhibit an unrealistically high PTT per HC. Wormhole nodes however, can potentially prevent TTHCA from detecting infected routes by adding a fictive packet processing time ∆T F to the ∆T TOT parameter of the RREP packet. It is important to stress that time tampering is not a modification attack per se as the PM wormhole node never alters any routing packet parameters, but instead produces false measurement information. This means schemes designed to prevent packet alteration by for example, encrypting all routing packet parameters, will be ineffectual against a TTHCA time tampering attack.
As a wormhole infected route has a high PTT/HC, the malicious nodes must artificially produce a lower PTT than in reality for that route to avoid detection and this can be accomplished by increasing ∆T TOT . Since ∆T TOT >> PTT and ∆T i may incur large fluctuations due to for example, variable network traffic loads, it is difficult for the wormhole nodes to be aware of exactly how to set ∆T F as it must be precisely defined within the narrow time window that exists to effectively achieve time measurement tampering. This window is bounded by: So if the tampered ∆T F is too small, TTHCA is still able to detect the route as a wormhole because PTT/HC is higher than the threshold in Equation (3). Conversely, if ∆T F is made too high the resulting PTT at the source node will be negative.
Pragmatically it is not feasible for a malicious node to exactly know the time tampering window since it can only be aware of the values of R and S in Equation (4). Successful time tampering is still feasible however, if the malicious nodes (M 1 and M 2 ) can estimate the RTT of the wormhole link (RTT WH ). In an I-B link, RTT WH can have high variations due to variable packet processing times at the nodes through which the wormhole is tunnelled, making the precise estimation of RTT WH challenging. One approach for estimating RTT WH for PM wormhole links is to use tightly synchronized clocks. During route discovery, wormhole node M 1 adds exact time information as an adjunct parameter within the tunnelled packet as it forwards the RREQ to the other malicious node M 2 . Upon receiving this tunnelled RREQ, M 2 estimates the precise propagation delay of the RREQ through the wormhole t RREQ by comparing the received time information with its own clock. A similar process occurs when M 2 returns RREP to M 1 , with time information again being added as the RREP is tunnelled to M 2 . When M 1 receives the tunnelled RREP, it calculates t RREP to give: M 1 then adds the fictive time value ∆T F defined as: (6) to ∆T TOT of the RREP in addition to its own ∆T i .
Alternatively, the wormhole nodes can split the time tampering attack into two steps. Firstly, M 2 adds the fictive value: (7) before M 1 adds: (8) So ∆T F = ∆T F1 + ∆T F2 is then added to ∆T TOT . To illustrate the conditions that must exist for TTHCA time tampering to be achieved, consider the MANET example in Figure 1, where a PM I-B wormhole is formed by nodes M 1 and M 2 which tunnel routing packets between each other via I 2 and I 3 .
It is assumed for simplicity that all nodes are in an idle state, have identical hardware and the inter-node distance is the same, so the t i and ∆T j values are constant. Let t i = 1,600 ns for all i and ∆T j = 8 ms for all j, where j = i + 1. If RTT WH = 16.0048 ms then RTT = 56.0112 ms. For this PM I-B scenario, the HC is 5 and ∆T TOT = 40 ms, so from Equation (2), source node A calculates PTT = 8.0056 ms giving PTT/HC = 1.60112 ms. If it is assumed R = 250 m, then from Equation (3) the upper bound for PTT/HC = 833 ns which means TTHCA will successfully detect the wormhole. Using Equation (4), it can be determined that both I 2 and I 5 are able to prevent detection by increasing ∆T TOT within the range: This means the time tampering window is only 8.33 s wide and while this is a stringent constraint, if synchronized clocks are being used by both M 1 and M 2 , it is still realistically an achievable design tolerance. Figure 1. MANET scenario where A and B are the source and destination nodes, M 1 and M 2 are malicious wormhole nodes, t i is 2 x PTT between two successive nodes, ∆T i is the routing packet processing time, RTT is the round trip time of the route, and RTT WH is the RTT of the wormhole link.
Analysis for a wide range of network and wormhole attack conditions reveals that a sufficient and necessary condition for a wormhole to avoid being detected is to uphold either Equations (6) or (7) and (8). In this PM I-B example, both M 1 and M 2 will calculate ∆T F = 16.003133 ms which implies the tampered value falls within the window Equation (4) to avoid being discovered. In these circumstances, the false measurement ∆T TOT = 56.003133 ms so from Equation (2), the source node A measures PTT = 4,033 ns and PTT/HC = 806 ns meaning this wormhole route will go undetected by TTHCA.

∆T Vector TTHCA Extension
Section 3 showed that the essential condition for the TTHCA algorithm to be unable to detect a wormhole route is for the malicious nodes to increase ∆T TOT within the strict bounds defined in Equation (4). Any successful tampered ∆T TOT will always be greater than the actual ∆T TOT though simply analysing ∆T TOT as a sum of individual ∆T i values will not necessarily identify the wormhole route because these usually exhibit high variance.
In this paper, to analyse ∆T i for each intermediate node, ∆T TOT is replaced by a new ∆T Vector comprising all the measured ∆T i values. This extension means that some new features for the TTHCA route discovery process are introduced to support the embedding of the ∆T Vector as shown in the Figure 2 flowchart, with the shaded blocks highlighting these new elements.
The RREQ and graylist broadcast procedures remain as in original TTHCA [17], but instead of using a ∆T TOT parameter, the ∆T Vector is included in the RREP packet by the destination node. The time taken from receiving the RREQ until sending the RREP at the destination node is added as the first element ∆T 1 . Each intermediate node receiving and forwarding the RREP then adds its ∆T i (∆T RREQ + ∆T RREP ) as a new element in the ∆T Vector.
When the RREP is received by the source node, each ∆T i element of the ∆T Vector consists of the processing times incurred by the RREQ and RREP packets. If a PM wormhole attack is launched alongside a time tampering attack, at least one of the ∆T Vector elements will be falsely increased in accordance with Equations (6), (7) and (8). A suitable outlier detection technique can then be applied to identify tampered ∆T i values (see Section 4.1) from the ∆T Vector dataset. If a suspicious ∆T i is identified, TTHCA then requests a new route by issuing a graylist broadcast. If no suspicious ∆T i is found, the normal PTT/HC analysis is performed for both HM and PM wormhole detection.

Identifying Tampered ∆T i Measurement
The ∆T Vector extension is founded on the premise a malicious node can only modify its own ∆T i which is a pragmatic assumption since in real MANET environments routing packets must be secured from modification attacks for the routing process to be trustworthy. A wormhole link typically consists of two malicious nodes, so a ∆T Vector received through any wormhole infected route will include either one or two tampered ∆T i values. It is possible to distinguish tampered ∆T i values from healthy ∆T i measurements by applying an appropriate outlier detection technique, such as the Grubb's test [19], Dixon's Q-test [20] or the Box plot method [21], though several conditions can affect the performance of the chosen outlier method. In this context, two distinct MANET scenarios are defined: CASE 1: A node has been a part of the network for some time and generated a track record of ∆T i values gained from ∆T Vectors from earlier route discovery procedures. In this scenario, the availability of a large number of ∆T i samples can be reasonably assumed. CASE 2: A node has joined the MANET for the first time and so the only available ∆T i values are those existing in the ∆T Vector.
Due to the inherently dynamic nature of a MANET, several different types of ∆T i distributions can arise which will impact on the performance of the outlier detection scheme. The ideal is when all MANET nodes have identical hardware and the network traffic loads are low. Such a condition would result in negligible ∆T i variations and time tampering is then straightforward to detect. This is not however, a realistic MANET situation because there are a myriad of factors which can cause ∆T i variations. For example, mixed node processing capacities and packet service times, allied with high network traffic loads in certain parts of the MANET can lead to queuing delays at specific nodes.
In a heterogeneous MANET consisting of uniformly distributed nodes where the network traffic load is low and there are no queuing delays, the ∆T i values can be assumed to follow a linear distribution. In MANETs with high network traffic load variations however, some of the ∆T i values will include queuing delays which will be much greater than the actual packet service times [22]. The ∆T i values will then tend to follow a nonlinear distribution where a small portion of the ∆T i values are significantly higher than the average. For such a distribution, it is very challenging to discriminate a tampered from a normal ∆T i value as a modified ∆T i can potentially be lower than a healthy ∆T i if the tampered measurement contains no queuing delay, while the healthy ∆T i does.
The outlier detection method selected for time tampering detection purposes must therefore be applicable to both large and small ∆T i datasets i.e., CASE 1 and CASE 2 respectively, as well as for both linearly and non-linearly distributed measurements.

Performance Analysis
The performance of the ∆T Vector extension has been rigorously analysed using the Dixon Q-test [20] as the outlier detection technique to identify tampered ∆T i values for a PM I-B wormhole infected route. The Q-test was chosen because of its simplicity and applicability to small and large datasets, making it appropriate for both the CASE 1 and CASE 2 scenarios. While the Q-test is only capable per se of detecting a single outlier, it can be applied to detect either one or two tampered ∆T i values provided the right-tailed variant is used to separately test the two largest ∆T i values. The outlier test is thus performed by first ranking the ∆T vector in order and then respectively calculating two Q values: Time tampering is suspected if either Q 1 or Q 2 is greater than the corresponding critical Q-value for the chosen confidence level. For this analysis, a low confidence level (80%) has been chosen, since from a security perspective, a higher time tampering detection rate is preferable to a low FP detection.
Both the time tampering and FP detection performance for the ∆T Vector extension were analysed using a custom designed tool which simulated differently sized ∆T Vectors to reflect variable HC routes. ∆T i values were produced by randomly generating packet processing times for each node, with variable inter-node distances considered for each route.
The operating system (OS) for each MANET node was assumed to support multiprogramming with a scheduler assigning equal time slices to each process in rotation. Such an OS approximately implements processor-sharing so a logical processor executes each multiprogrammed task, with the processing capacity of a logical processor being the ratio of the physical processor capacity and the multiprogramming level. While nodes will typically have different physical processing capacities and multiprogramming levels, the equivalent multiprogramming level for each node will be relatively stable. A MANET having logical processors with diverse, yet stable processing capabilities is thus assumed to handle routing packets, so the corresponding packet service times for each node is assumed to be constant. Many concurrent route detection procedures can lead to routing packet queues in MANET nodes, since received routing packets must be sequentially processed to uphold route table updating requirements. For this reason, the packet processing times (∆T RREQ/RREP ) have been generated using the M/D/1 queuing model [23], which assumes Poisson-distributed packet arrivals, deterministic service times of routing packets, a single central processing unit and an infinite maximum queue length. Hence, at each node: (11) where T S and ρ are the routing packet service time and network traffic load upon a node respectively. Variations in both node processing capacity and multiprogramming level are reflected by using random T S values from a linear probability distribution of different intervals denoted by the relative standard deviation (σ R ), which is the standard deviation of all the packet service times divided by their average. Variable network traffic loads between nodes are mirrored by randomly selecting ρ on each node within the interval 0 ≤ ρ ≤ ρ max , where ρ max is the maximum network traffic load per node.
Time tampering detection performance for the CASE 1 and CASE 2 scenarios will now be respectively considered, where time tampering attacks on TTHCA are simulated in accordance with Equations (7) and (8). Note that the results presented relate solely to the ∆T Vector time tampering detection performance of the TTHCA algorithm, and not to the wormhole attack detection rates, which have already been rigorously presented in [17]. The simulation parameter settings used throughout the experiments are given in Table 1, with a detailed description of the customised simulation tool being provided in Appendix A.  (7) and (8)

CASE 1: MANET Nodes with ∆T i Track Records
In the first series of experiments, the situation where a node has been in the MANET for a period of time is analysed and there are at least 15 ∆T i values available. Figure 3 shows the impact of variations in both routing packet service time (σ R ) and network traffic load (ρ max ) upon the time tampering detection performance for different wormhole lengths.
The results reveal that for the ideal case where ∆T i is constant, so all nodes have identical hardware and multiprogramming level (σ R = 0), and each node carries negligible network traffic load (ρ max = 0), then 100% time tampering detection is achieved for all wormhole lengths with no corresponding FP being detected (see Figure 4). Predictably, as variations in ∆T i increase, the detection rate falls and FP increase, though the time tampering detection rate is still at least 86% for all wormhole lengths analysed even when σ R = 0.35 and ρ max = 0.6.
For wormhole lengths ≥5 hops, at least 94% of tampered ∆T i values can be successfully detected under all conditions when σ R = 0.5 and ρ max = 0.9, with the detection rate being 87% for a wormhole HC of 5. A notably aspect of the performance of the ∆T Vector extension, is that a minimum of 74% of tampered ∆T i values can still be detected even when the wormhole HC is 4. Pragmatically, this means that successful time tampering in wormholes ≥4 hops will be extremely difficult to achieve since the probability of avoiding detection is less than 30%.
For 3 HC wormholes, the time tampering detection performance drops markedly when there are variations in either network traffic load or routing packet service times, because a healthy node can then often produce a higher ∆T i than a tampered ∆T i . This reflects the situation of when heavy network traffic loads (ρ  1) unavoidably cause longer queuing delays and/or high multiprogramming levels lead to increased service times for routing packets. In contrast, the wormhole nodes and those nodes through which routing packets are tunneled may continue to have negligible loads (ρ  0) and correspondingly short packet service times.  Despite this decline in performance, tampered ∆T i values can still be detected with an accuracy of 57% for 3 HC wormholes, when σ R = 0.5 and ρ max = 0.9. This still characterises a noteworthy enhancement to TTHCA, especially when cognisance is made of the stringent criteria necessary to launch a time tampering attack in the first instance.
The corresponding FP detection rate remains 20% for the σ R range considered, provided ρ max ≤ 0.6 because the Q-test compares the difference between the two largest ∆T i values in relation to the difference between ∆T MAX and ∆T MIN , which will be approximately constant, regardless of the interval, provided the ∆T i values are linearly distributed. When ρ max = 0.9, the FP rate rises because the queuing delay of a node increases rapidly as ρ tends to 1, and the ∆T i distributions are no longer linear. This means that a ∆T i value produced by a node with a high network traffic load can easily become confused with a tampered ∆T i . Realistically however, even a FP rate of 30% is still a satisfactory outcome since FP detection does not automatically mean that a route between a source and destination node cannot be established, but rather that an alternative route must be chosen other than the shortest path in terms of HC.

CASE 2: MANET Nodes without ∆T i Track Records
The second set of experiments analysed the situation when a new node joins the MANET and requests a route for the first time. The same conditions are employed as in Section 5.1, though now it is assumed that only between three and 15 ∆T i values are available for the node requesting the new route, since there is no a priori knowledge about previously measured ∆T i values. The corresponding time tampering detection results are displayed in Figure 5.
The absence of any track record meant that detection performance was not as consistent as CASE 1, though a time tampering detection rate of ≥80% has still been achieved for all wormhole HC when σ R ≤ 0.2 and ρ max ≤ 0.6. For wormholes ≥5 hops, at least 68% of tampered ∆T i values were correctly detected even when σ R = 0.5 and ρ max = 0.9. The equivalent FP detection rates displayed in Figure 6, were slightly higher than in CASE 1 for ρ max ≤ 0.6 for example, and performance was more sensitive to high network traffic load variations (ρ max = 0.9) due to the smaller number of ∆T i samples. Nevertheless, even a FP rate of 45% when ρ max = 0.9 can still be deemed acceptable as more than half of all possible routes are available.
The time tampering detection performance is thus less robust in CASE 2 when no ∆T i track record is available, though this does represent the worst possible MANET situation, when a new node performs its first route discovery procedure. As a node runs the route discovery procedure more often, the corresponding time tampering detection rate will quickly improve and converge towards the results presented for CASE 1. This infers that to strengthen the time tampering detection performance for new nodes, it is prudent to run a few route discovery procedures before starting to communicate within the network. This could for instance, be accomplished by specifying within the routing protocol that a node is not allowed to communicate within the network until it has collected a minimum of 15 ∆T i samples.

Network Overheads and Computational Complexity
One of the consequences of the ∆T Vector extension is a larger RREP packet as it must contain the individual ∆T i values of all intermediate nodes of a route, while the original TTHCA mechanism only requires the sum ∆T TOT . The size of the ∆T Vector is dependent on the route HC, so if for example each ∆T i value is represented by 32 bits, then on a route from a source node S to a destination node D with intermediate nodes I 1 and I 2 , RREP will comprise a ∆T Vector length of 32 bits, 64 bits and 96 bits when respectively received by I 2 , I 1 and S. This contrasts with the corresponding RREP packet in the TTHCA algorithm which will have a 32 bits ∆T TOT value for each node. While a ∆T Vector with more than one element theoretically increases the transmission and reception time requirements for the routing packet, when cognisance is taken of the high bandwidths available in modern wireless technologies, the extended RREP packets will have negligible impact upon performance.
A second ramification of the ∆T Vector extension is the increased FP detection rate. From the network performance perspective, this means that the shortest route in terms of HC is not always available, as highlighted in both Sections 5.1 and 5.2. This does not necessarily imply decreased performance in terms of route delay since FP detection can in many cases lead to a positive outcome as routes with intermediate nodes with very high traffic loads will be omitted.
A formal complexity analysis for the new ∆T Vector extension reveals the only supplementary cost incurred compared with the original TTHCA algorithm is the outlier detection scheme performed by the source node. If the Dixon Q-test is used as the outlier method, the only extra computations needing to be performed relate to the ranking of ∆T Vector values. Since the ∆T Vector length equals the route HC, the time complexity for ranking is O(HC 2 ). This ranking however, can be implemented as a linear search of 4 ∆T values, since the Q-test only uses the three largest and the smallest ∆T value. This results in a time complexity for the new ∆T Vector extension of O(HC), which is the same as TTCHA [17]. The corresponding FP performance of ∆T Vector extension also needs to be analysed because these are identified even when there are no errors in the measured node processing times. If the probability of a FP is p, then the probability of i FP occurring before a healthy route is located will be (1−p)•pi. The average number <i> of route discovered before a healthy route can therefore be expressed as p/(1−p). So for p < 0.5, on average up to one FP will be discovered before a healthy route is identified for the ∆T Vector extension. The worst case in a single wormhole MANET is thus, on average three algorithm executions when a wormhole infected route is found before a healthy route is located. In contrast, the impact of FP on the TTHCA algorithm is less problematic because a FP is only identified when there are time measuring errors [17].
In summary, this formal analysis has shown the new ∆T Vector extension has the same linear time complexity as the original TTHCA algorithm, with the rider that because of FP occurrences, one additional execution cycle of the ∆T Vector extension may be necessitated, though this still affords a very effective lightweight protection mechanism against time tampering for TTHCA.

Conclusions and Future Research
The traversal time and hop count analysis (TTHCA) algorithm is a MANET wormhole detection technique, introduced as an extension to the ad hoc distance vector (AODV) routing protocol. A latent security threat to TTHCA is that as each intermediate node and the destination node measures the packet traversal time, a participation mode (PM) wormhole node can potentially provide false measurement values and avoid detection. This paper has analysed the conditions for a time tampering attack and proposed a security mechanism for TTHCA called the ∆T Vector extension for detecting false time values in PM in-band (I-B) wormholes. This requires the destination node and each intermediate node to add their individual processing times of the route request (RREQ) and route reply (RREP) packages (∆T i ) to a vector parameter in the RREP instead of using a single total packet processing time parameter (∆T TOT ) as in the original TTHCA algorithm. This makes each individual ∆T i measurement available for a node requesting a route and suspicious ∆T i values caused by PM I-B wormhole nodes can thus be identified by an outlier detection method. The ∆T Vector extension offers a notable security enhancement to the original TTHCA wormhole detection algorithm by providing an effective time tampering detection mechanism for PM wormholes, while retaining many of the smart features of TTHCA, particularly being a low-cost algorithm in terms of both computational complexity and network overheads.
In terms of future research, minimisation of false positive (FP) detections incurred by the ∆T Vector extension is an important objective. The FP rate can potentially be decreased by not including nodes suspected of time tampering to the graylist, since a high ∆T i caused by time tampering is permanent compared with a temporarily high ∆T i due to queuing delays. An alternative strategy is to choose a higher confidence level for the outlier detection, though this will proportionally reduce the corresponding time tampering detection performance of the ∆T Vector mechanism.