Editorial Manager(tm) for Wireless Personal Communications Manuscript Draft Manuscript Number: WIRE1913 Title: A novel trust-aware geographical routing scheme for wireless sensor networks Article Type: Manuscript Keywords: Wireless sensor networks; security; routing attacks; secure routing; trust model Corresponding Author: Helen Leligou, Corresponding Author's Institution: Technological Educational Institute of Chalkida First Author: Theodore Zahariadis Order of Authors: Theodore Zahariadis; Panagiotis Trakadas; Helen Leligou; Sotiris Maniatis; Panagiotis Karkazis Abstract: Wireless sensor networks are vulnerable to a wide set of security attacks, including those targeting the routing protocol functionality. The applicability of legacy security solutions is disputable (if not infeasible), due to severe restrictions in node and network resources. Although confidentiality, integrity and authentication measures assist in preventing specific types of attacks, they come at high cost and, in most cases, cannot shield against routing attacks. To face this problem, we propose a secure routing protocol which adopts the geographical routing principle to cope with the network dimensions, and relies on a distributed trust model for the detection and avoidance of malicious neighbours. A novel function which adaptively weights location, trust and energy information drives the routing decisions, allowing for shifting emphasis from security to path optimality. The proposed trust model relies on both direct and indirect observations to derive the trustworthiness of each neighboring node, while it is capable of defending against an increased set of routing attacks including attacks targeting the indirect trust management scheme. Extensive simulation results reveal the advantages of the proposed model.


A novel trust-aware geographical routing scheme for wireless sensor networks T. Zahariadis, P. Trakadas, H.C. Leligou, S. Maniatis, P. Karkazis

Technological Educational Institute of Chalkis, Dept. of Electrical Engineering, Psahna, 34400 Greece, Tel:+30-2228099550, E-mail: {zahariad, trakadasp, leligou, smaniatis, karpa}@teihal.gr

Corresponding author: Helen C. Leligou Technological Educational Institute of Chalkis, Dept. of Electrical Engineering, Psahna, 34400 Greece, Tel:+30-2228099550, +306973249129 E-mail: [email protected]


I. INTRODUCTION

Wireless Sensor Networks (WSNs) offer efficient, low-cost solutions for a great variety of application domains including military fields, healthcare, homeland security, industry control, intelligent green aircrafts and traffic control in smart roads [1]. Although networking and security technologies are in a mature stage, the limited sensor node resources in terms of memory space, processing power and energy availability, constrain the complexity of the security mechanisms that can be implemented, dictating the need for new protocol approaches design. Due to their distributed nature, WSNs are vulnerable to various attacks [2], including attacks targeting the disruption of the routing procedure ([3], [4], [5]) which is accomplished in a cooperative way. Malicious nodes may attack confidentiality, integrity and availability measures of their neighbors realizing routing attacks, a list of which is presented in Table 1.

Table 1: Routing attacks

| Attack type | Attacker behaviour |
|---|---|
| Selfish behaviour (black-hole, grey-hole) | A malicious node denies to perform benign routing and drops part or all the received packets. |
| Sinkhole attack | A malicious node tries to attract traffic advertising fake routing information, and then it does not forward it. |
| Replay attack | The original routing messages are repeated at a later time, thus deceiving the routing functionality. |
| Link Spoofing Attack | An adversary can spoof link layer acknowledgement for overheard packets to convince the sender that the packet has been forwarded successfully. |
| Modification attack | An adversary modifies the data and/or routing packets it forwards. |
| Sybil attack | An attacker presents multiple identities. |
| Colluding nodes attack | Many powerful attackers work in collusion to modify or drop routing packets. |
| Traffic analysis | A malicious node monitors the traffic flows in order to identify, locate and attack the critical nodes (typically the base station). |
| Flooding attack | The attacker overwhelms a victim's limited resources (e.g. memory), flooding the network with packets, which could be either data or routing packets. |
| Bad mouthing attack | As long as recommendations are taken into consideration, malicious parties provide dishonest recommendations to frame up good parties and/or boost trust values of malicious peers. |
| On-off Attack | Malicious entities behave well and badly alternatively, hoping that they can remain undetected while causing damage. |
| Conflicting Behavior Attack | An attacker behaves inconsistently in the user domain and impairs good nodes' recommendation trust by performing differently to different peers. |

To detect and combat malicious behaviours, a trust-management approach borrowed from human societies has been proposed in the literature: nodes monitor the behavior of their neighbors in order to evaluate their trustworthiness, which is then taken into account during routing decision making [6]. The trust evaluation can be based on direct interactions as well as on reputations provided by other neighbors. Reputation exchange can be beneficial for newly activated or mobile nodes, which can thus obtain (indirect) trust information for their neighbors, before they attempt direct interactions. Although ways to attack the reputation protocol have been described in the literature, countermeasures have also been specified in [5]. The trust knowledge can be exploited by benevolent nodes to avoid cooperation with malicious nodes to accomplish higher layer functionality such as routing (see e.g. [6]), data aggregation [7], cluster head election [8] and, more surprisingly, key distribution [9].

Although efficient trust models (e.g. [11]-[13]) as well as secure routing solutions (e.g. [14][17]) have been proposed in the literature, an easy-to-implement secure routing solution is missing. To facilitate cheap network deployment and maintenance, the algorithmic complexity needs to be of prime consideration during the design phase of such a routing scheme.

In this paper, we present a novel, readily deployable trust- and energy-aware routing protocol. First, a geographical routing approach is adopted to efficiently cope with large network dimensions. Second, a distributed trust management system incorporating direct and indirect trust information is used to detect and avoid malicious nodes performing routing attacks as well as attacks threatening the reputation exchange process (e.g. bad-mouthing and conflicting behaviour attacks). Last but not least, energy-awareness is relied upon to extend the network lifetime. In the proposed scheme, routing decisions are based on a weighted routing cost function which incorporates trust, energy and location attributes. This novel Ambient Trust Sensor Routing (ATSR) solution has been carefully designed to limit the overhead introduced by the adoption of a reputation mechanism while it has been kept as simple as possible to allow for low cost implementation in resource constrained sensor nodes.

In the rest of the paper, we first discuss the related work in section II, while in section III our innovative secure routing protocol is detailed. Its performance is thoroughly evaluated in section IV, while in section V the implementation-related issues and experience from the real test-bed experiments are discussed. Finally, conclusions are drawn in section VI.

II. RELATED WORK - TRUSTED ROUTING SOLUTIONS FOR SENSOR NETWORKS

To shield a WSN against routing attacks, the realisation of a trust management system has been pursued. In this paper, trust is defined as the confidence of a node i that node j will perform as expected, i.e. on node j's cooperation for the accomplishment of a specific action. The architecture under consideration is shown in Figure 1, where multiple sensor nodes exist and send the sensed values to the Aggregator Nodes.

Figure 1: Aggregator Node collects data from the sensor nodes

The methods for obtaining trust information and defining each node's trustworthiness are referred to as trust models, and can be classified according to a number of design options [11]. Depending on the distribution of the trust establishment functionality, the trust models can be distinguished in centralized [10], hierarchical [7] or fully distributed [6]. Trust is evaluated upon a number of event types that can be recorded and analyzed. Each event type (corresponding to a trust metric) allows the assessment of a specific node behavior aspect and consequently the detection of a specific attack type. For example, each node i can assess the forwarding behavior of its neighbor j by comparing the successfully forwarded packets to the total number of packets that i sent to j. A systematic failure reveals a malicious node, denying its routing tasks. The monitored behavior aspects proposed in the literature range from the sincere cooperation in forwarding [6] to location verification [17] and monitoring of the application level consistency of the reported data [7]. Analyzing the collected measurements, either a trust value can be derived (in many cases a ratio of successful over failed events), or distinct trust levels can be distinguished. To improve the reliability of the trust information and efficiently support mobility, reputation exchange schemes have been proposed (e.g. [12], [15]). These schemes however increase the resource consumption while attacks targeting the reputation protocol itself have already been identified: for example, by spreading wrong information or behaving differently towards different neighbors, the reputation exchange protocol can be deceived [5]. Although equally interesting theoretical trust models based on the observation that trust evidence may be uncertain are provided in [10], [11] and [15], their practical implementation in current sensor nodes is doubtful.
An interesting solution which integrates location identification functionality with a trust building system based on both direct and indirect trust information has been proposed in [26], where the trust and reputation are modeled in a probabilistic way. Focusing on location-based routing protocols, interesting trust-based enhancements have been proposed in [16], [17] and [18]. In all these approaches, a trust management system based on direct evidence is implemented while a reputation exchange mechanism has been introduced in [17] as an optional choice (without any rigorous specification of the relevant protocol). In this work, multipath routing is suggested, sacrificing node and network resources for the transmission of multiple copies of each packet, to increase the probability of reaching the destination. The implementation of location verification techniques is recommended for the detection of Sybil attacks. In [18], an interesting approach for extending the network lifetime is proposed, which however consumes significant node resources, since it requires the derivation of the coverage area of each neighbor based on Beacon messages and on exchanging the neighbor lists. In the same work, the packets travel through nodes exceeding a trust threshold. This choice introduces the need for selecting an application-dependent trust threshold and can result in limited connectivity in case nodes fulfilling this condition do not exist. Finally, the authors of [17] have investigated and proposed measures for detecting and defending against flooding attacks at the cost of implementing a rate-shaper on each sensor node which is a costly solution.

The security features of these three approaches are summarized in Table 2 where the features of the proposed ATSR solution are also included. ATSR protocol is the first to incorporate a reputation scheme in a location-based algorithm, taking at the same time security measures to defend against the trust model vulnerabilities. Targeting a lightweight protocol that can be implemented in current motes (MICAz, IRIS), in ATSR, energy awareness is built based on information directly obtained from the neighbours while no tool for flooding attack protection is currently implemented. As regards location verification, distance measurement algorithms based either on the Received Signal Strength or the Time of Arrival (ToA) can be implemented at low cost. Alternatively, geographical routing based on virtual node coordinates calculated by the nodes themselves is also possible [19] obviating the need for further verifications. We also believe that the defense against flooding attacks should be charged to a set of (selected) more powerful nodes in the network, to avoid exhausting the scarce sensor resources.

Table 2: The security features of trust-aware location-based routing solutions
Columns: Trusted Routing Approach; Forwarding attack detection; Integrity attacks detection; Trust model attacks detection; Lifetime consideration; Location verification; Detection of flooding attack
Rows: Trusted GPSR (Pirzada, [16]); Resilient GR (Kang, [17]); Trust-based GR (Hung, [18]); ATSR

III. THE ATSR PROTOCOL DESIGN

Designing a routing protocol which is capable of defending against the attacks identified in the literature is a really challenging task. The reason is that despite the scientists' effort to define countermeasures for each attack and build resilient trust-aware routing schemes, their implementation seems unaffordable due to the severely constrained node resources. In this work, our main objective is to design a scalable routing protocol of low-complexity, suitable for large wireless sensor nodes, which makes use of a distributed trust model to avoid malicious nodes issuing routing and trust model related attacks. To efficiently deal with the network dimensions and support node mobility, we adopt a geographical routing approach following which routing is performed on a hop-by-hop basis relying on localized interactions for obtaining routing information, avoiding both the complexity introduced by path calculations and the energy consumption required for topology information distribution brought by other routing protocols.

A. The distributed trust model

For the detection of routing attacks in a large WSN, we have designed a fully distributed trust model which mandates that each node combines direct trust information and indirect trust information to define the trustworthiness of all its one-hop distance neighbours. In the following design, we have assumed that the participating nodes support promiscuous mode operation and are equipped with bidirectional transceivers with comparable transmission and reception ranges. In the sequel, we first describe the direct trust value derivation and then we describe the reputation protocol in detail.

1) Direct trust

One of the most important issues during the trust model design is to define the set of behaviour aspects/metrics against which each node is evaluated. Table 3 lists the selected trust metrics and the attack(s) each one assists in detecting. On each sensor node, a trust repository is used to store trust information per neighbor and trust metric. The monitored trust metrics include:

• Packet forwarding: To detect nodes that deny to or selectively forward packets, each time a source node transmits a packet for forwarding, it enters the promiscuous mode and overhears the wireless medium to check whether the packet was actually forwarded by the selected neighbor. If positive, this is accounted as a successful interaction; otherwise, it is considered a failure.

• Network layer Acknowledgements (ACK): To detect nodes that collude with other adversaries (which possibly drop packets) disrupting the network operation, we suggest that each source node waits for a network-layer ACK to check whether its message has successfully reached a higher layer node (i.e. the base station).

• Packet precision: Each time a source node transmits a packet for forwarding and then overhears the wireless medium to ensure that the packet was forwarded, it additionally processes it to check the packet's integrity i.e. that no unexpected modification has occurred. It thus detects modification attacks.

• Node Authentication – Message Encryption: In case there is an option for a node to select between a neighbor supporting encryption or authentication and another which doesn't, this metric allows for this discrimination. (If the node supports cryptography-authentication, the respective value is equal to 1; 0, otherwise.)

• Reputation Response: To check the sincere execution of the reputation protocol, each time a node transmits a reputation request message to a neighbor, the reputation requests number stored in the trust table for this neighbor increases while the reputation response number increases only if the neighbor replies (i.e. the reputation response message is received). This way, nodes that do not cooperate in the execution of the reputation protocol are assigned lower trust values.

• Reputation Validation: To protect against bad-mouthing attacks and wrong reputations being spread around, each time a node i receives a reputation response message from node k regarding node j, if node i is confident about the direct trust value it has calculated for node j, it compares the received value (i.e. the reputation provided from node k) with its own direct trust on node j. If the difference exceeds a predefined threshold, then the provided reputation is considered as "wrong reputation"; otherwise it is a "correct reputation". Node i is confident for the trust value it has calculated for node j only if it has performed an adequate Number Of Interactions (noi). For this reason, this information is also kept in the trust repository of the sensor node.

• Remaining Energy: Systematically selecting a highly trusted node for forwarding the packets may lead to the exhaustion of its energy. Additionally, fixed traffic flows are vulnerable to traffic analysis attacks. In this view, we have enriched our trust model with energy information. In our novel routing protocol, the basic routing message indicating the node availability and position (the Beacon message defined in all location-based routing protocols) is extended to include the "remaining energy" field of the source node based on which the energy-knowledge is built. Although it is possible to infer the remaining energy of a neighboring node counting the interactions it has been involved in ([21]), the implementation of such an approach consumes significant processing power.

Table 3: The trust metrics of the proposed trust model based on which routing attacks can be detected

| | Trust metric | Detected attack |
|---|---|---|
| 1 | Forwarding | All types of dropping (black hole, grey hole, selective forwarding, etc.) |
| 2 | Network-ACK | All types of dropping for the whole path |
| 3 | Packet precision | All types of modification |
| 4 | Authentication | Authentication-related attacks |
| 5 | Confidentiality | To prefer nodes that offer cryptography |
| 6 | Reputation Responses | Sincerity in reputation protocol execution |
| 7 | Reputation Validation | Bad-mouthing attack |
| 8 | Remaining Energy | Traffic analysis attack and load balancing |

2) Direct trust quantification

Coming to the quantification of trust, it is worth stressing that trust is inherently probabilistic in the sense that it reflects the expectation of a node that a specific neighbour will cooperate honestly given the past experience. Based on this rationale, the probability theory has been adopted to evaluate the trustworthiness in many articles. For example in [26] and [27], the Beta distribution has been used to model the trust. However, when a node needs to choose from a neighbour set the most trusted neighbour for cooperation, the comparison can be based on the expected (mean) values. To achieve low cost implementation, we have chosen a rather simple equation to quantify trust which reflects the average value of the Beta distribution: for each trust metric m associated with successful/failed interactions, two counters (2-byte wide) are used to store the number of successful/failed interactions respectively. Based on their content, each node i calculates the trust value for each metric m regarding node j (denoted as $T_m^{i,j}$) using the following equation:

$$T_m^{i,j} = \frac{S_m^{i,j}}{S_m^{i,j} + F_m^{i,j}} \qquad (1)$$

where $S_m^{i,j}$ and $F_m^{i,j}$ stand for the number of successful and failed co-operations of type m between i and j. The eight trust values are then combined in a weighted sum to produce the total Direct Trust value:

$$DT^{i,j} = \sum_{m=1}^{8} \left( W_m \cdot T_m^{i,j} \right) \qquad (2)$$

where $W_m$ stands for the weight of trust metric m. All weights sum up to 1 so that the total direct trust value ranges from 0 to 1.

3) Indirect trust model

The indirect trust (IT) value is important mainly for newly initialized nodes or recently arrived nodes (in case of mobility). To trigger the indirect trust exchange process, each node periodically issues a reputation request message. A crucial design issue affecting the produced network load and the consumed node resources is to decide which nodes should be queried for indirect trust evidence. Given that the trust model will be incorporated in a location–based routing solution, the candidate nodes are all one-hop neighbors (this may change if another type of routing protocol was selected). If all N one-hop neighbors are asked triggering the generation of N reputation response (RepRes) messages, the network load would be significantly burdened (increasing collision probability) and the node resource (memory, processing and energy) consumption would also increase significantly. In ATSR, we opted for requesting reputation information from a limited number (four) of neighbors, as a first action towards limiting the introduced overhead. In more detail, the source node randomly selects one node per quadrant so that only four unicast reputation request (RepReq) and four unicast reputation response (RepRes) messages are generated (instead of N+1, in case all neighbors were requested using one broadcast message and N replies). Although the selection of the four nodes could be performed based on direct trust information (i.e. ask the most trusted nodes) or on the remaining energy information, this would reveal to an adversary (performing traffic analysis) certain attributes of the selected (requested) nodes. Moreover, the source node needs to obtain indirect trust information for all its one-hop neighbours and this can be achieved only by asking uniformly geographically distributed nodes.

Since the reputation exchange is mainly implemented to assist nodes with no or limited (direct) trust knowledge to reach a more reliable conclusion for the trustworthiness of nodes they are interested in, a requested node provides its opinion for its neighbors only if it is confident about the direct trust value it has calculated. This is decided upon the so-called confidence factor $C^{i,j}$ of node i considering node j, which is calculated based on the following equation:

$$C^{i,j} = \frac{noi}{noi + m} \qquad (3)$$

where noi stands for the Number Of Interactions (noi) between node i and node j (kept in the trust repository of the sensor node) and m a fixed integer. The confidence factor ranges from 0 (for 0 interactions) to values very close to 1 when a large number of interactions have been completed. The parameter m determines how fast the confidence factor approaches 1 as the number of interactions increases. For higher values of m, more interactions are needed for the confidence factor to approach 1, i.e. each node needs to perform a higher number of interactions to "feel" confident about the trust value it has calculated. The confidence factor will also be used to balance the direct with the indirect trust to reach the total trust value, as will be detailed later on.

So, following this novel scheme, the requested node scans its trust table and includes in its reputation response message, the direct trust value it has calculated for all neighbors corresponding to confidence factor exceeding a predefined threshold (e.g. above 0.85). To avoid the disadvantages of reporting only positive/negative trust information, we have chosen to report only confident trust information, limiting this way the amount of communicated data (overhead) and economizing resources. (This confidence factor is also used in the reputation validation process mentioned earlier). Once node i that transmitted the reputation request message receives the reputation responses from its neighbours (say k1, k2, k3, k4), containing their trust info $DT^{k_l,j}$ for each neighboring node j, node i calculates the Indirect Trust value for node j using the following equation:

$$IT^{i,j} = \frac{\sum_{l=1}^{4} DT^{i,k_l} \cdot DT^{k_l,j}}{\sum_{l=1}^{4} DT^{i,k_l}} \qquad (4)$$

The received values are summed up adopting the relevant direct trust as weight factors, so that a reputation provided by a highly trusted node counts more. (If a neighbour has not provided reputation information then the relevant product is omitted and its direct trust is not included in the sum appearing in the denominator.) Finally, the Total Trust (TT) value for a neighbor j is produced combining direct and indirect trust values in the following formula:

$$TT^{i,j} = C^{i,j} \cdot DT^{i,j} + (1 - C^{i,j}) \cdot IT^{i,j} \qquad (5)$$

where C i , j is the confidence factor described previously. It is obvious that as the number of interactions (and thus the confidence factor, C) increases, the direct trust value becomes more significant than the reputation information. B. Trust-aware routing cost function The combination of a fully distributed trust management scheme with a geographical routing approach renders the proposed routing solution suitable for large scale WSNs, since scalability is a dominant feature of all location - based protocols, such as the Greedy Perimeter Stateless Routing – GPSR [25], which rely on local topology information only. Following this approach, each node is characterized by its coordinates and packets are forwarded to the neighboring node which is the closest to the destination (based on

geographical information). Nodes only need to announce their coordinates to their one hop neighbours, through the so-called Beacon messages, which are not further propagated, hence saving node and network resource. Furthermore, the routing table maintained in each node includes only one hop neighbors and its size depends only on the network density (number of nodes in the neighborhood) and not on the overall WSN dimensions. Location knowledge can be provided by a GPS device (if the cost is considered affordable), can be preprogrammed in case of fixed sensor networks operating in an attended and controllable environment or can be calculated/defined based on some location definition and verification techniques (as discussed in [17]). However, these location identification schemes assume the existence of few anchor nodes which are aware of their physical location. This requirement does not hold in recent works on geographical routing based on virtual coordinates calculated based on local connectivity. For example, in [22] only two locationaware nodes are assumed while any location knowledge requirement is removed in [19], where no node is aware of its location and they all manage to define their virtual coordinates providing the relative to the base station position based on simple equations and data reported in the Beacon message. It is worth stressing that once the location has been verified, Sybil attack is prevented when location (either physical or virtual) - based routing is adopted. The objective of our protocol is to choose for forwarding the node that optimizes the following three factors: 1) highly trusted, 2) as close to the destination as possible and 3) enough remaining energy to complete its forwarding task. As regards the distance of each neighbor to the base station, we define the distance metric which is quantified as follows:

$$T_d^{i,j} = 1 - \frac{d_j}{D} \qquad (6)$$

where $d_j$ is the Euclidean distance of neighbor j to the base station and $D = \sum_{l=1}^{N} d_l$ stands for the sum of the distance of all its N neighbors to the base station, which can be calculated based on their coordinates and the coordinates of the base station. Following equation (6), the shortest distance to the destination maximizes the $T_d^{i,j}$ value. The distance metric $T_d^{i,j}$ and the total trust value (which has already incorporated the remaining energy value) are summed up in a weighted manner and are used to calculate the Routing Function ($RF^{i,j}$):

$$RF^{i,j} = W_d \cdot T_d^{i,j} + W_t \cdot TT^{i,j} \qquad (7)$$

where $W_d$ and $W_t$ represent the significance of distance and trust criterion respectively with $W_d + W_t = 1$. Based on this equation, a routing value for each neighbor is calculated and the node that corresponds to the maximum value is selected for forwarding the packet as it represents a good candidate satisfying an integrated set of requirements: trust, energy and proximity to the destination. The weight factors can play an important role as will be shown in the performance section where we will also show the flexibility and efficiency of the proposed trusted routing protocol. It is worth mentioning that throughout the design phase, one of our main concerns was to keep algorithmic complexity and memory allocation needs as low as possible (without jeopardizing the reliability of sensor communications), to achieve an efficient deployment of our trust model to sensor nodes available in the market. Results regarding the implementation cost are presented in section V.
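As an added example (not code from the paper or from the ATSR implementation), the following Python code evaluates equations (6) and (7) for one forwarding decision and shows how the selected next hop changes with Wd. The class and function names, the grid coordinates, the destination at (9, 9) and the total trust values (taken as given inputs in [0, 1]) are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    name: str
    x: float
    y: float
    total_trust: float  # TT^{i,j}; assumed to lie in [0, 1] and supplied as input


def distance_metrics(neighbors, base_station):
    """Equation (6): Td = 1 - d_j / D, with D the sum of d_l over all N neighbors."""
    dist = {n.name: math.dist((n.x, n.y), base_station) for n in neighbors}
    total = sum(dist.values())
    if total == 0.0:
        # Degenerate case: every neighbor is located on the base station.
        return {name: 1.0 for name in dist}
    return {name: 1.0 - d / total for name, d in dist.items()}


def routing_function(neighbors, base_station, w_d):
    """Equation (7): RF = Wd * Td + Wt * TT, with Wt = 1 - Wd."""
    if not 0.0 <= w_d <= 1.0:
        raise ValueError("Wd must lie in [0, 1] so that Wd + Wt = 1")
    for n in neighbors:
        if not 0.0 <= n.total_trust <= 1.0:
            raise ValueError(f"total trust of {n.name} is outside [0, 1]")
    w_t = 1.0 - w_d
    td = distance_metrics(neighbors, base_station)
    return {n.name: w_d * td[n.name] + w_t * n.total_trust for n in neighbors}


def select_next_hop(neighbors, base_station, w_d):
    """Return the name of the neighbor with the maximum RF value (None if no neighbor)."""
    if not neighbors:
        return None
    rf = routing_function(neighbors, base_station, w_d)
    return max(rf, key=rf.get)


def sweep(neighbors, base_station, weights):
    """Next hop chosen for each candidate Wd value."""
    return {w: select_next_hop(neighbors, base_station, w) for w in weights}


# Constructed sample: a forwarding node at grid position (4, 4) with four
# one-hop neighbors. n55 is the neighbor closest to the destination, but its
# low total trust models a neighbor already observed dropping traffic.
BASE_STATION = (9.0, 9.0)
NEIGHBORS = [
    Neighbor("n55", 5, 5, 0.20),
    Neighbor("n45", 4, 5, 0.90),
    Neighbor("n54", 5, 4, 0.80),
    Neighbor("n34", 3, 4, 0.90),
]

if __name__ == "__main__":
    for w_d, hop in sweep(NEIGHBORS, BASE_STATION, [0.1, 0.4, 0.7, 0.95, 0.97, 1.0]).items():
        rf = routing_function(NEIGHBORS, BASE_STATION, w_d)
        values = ", ".join(f"{name}={value:.3f}" for name, value in rf.items())
        print(f"Wd={w_d:.2f} -> next hop {hop} ({values})")
```

With these constructed values the low-trust neighbor n55 is selected only when Wd is above roughly 0.96, because equation (6) normalizes each distance by the sum over all neighbors, so the Td values of nearby neighbors differ only slightly.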

C. The threat model and the defended attacks

Based on the above trust-aware routing protocol, it is possible to detect a set of routing attacks and avoid the malicious nodes that cause them. The considered threat model consists of malicious (or compromised) nodes that are deployed after the setup phase of the network and have the ability to collude. It is stressed that we focus on the detection of and defense against routing attacks, leaving tamper-proof techniques out of scope. The threats efficiently detected by our protocol include:

1. black-hole or grey-hole attacks, i.e. nodes that do not forward all or part of the received traffic
2. colluding nodes in the path, which can be detected based on the network acknowledgement trust metric (unless they generate false net-ack messages, or a more powerful node, e.g. a laptop adversary, issues a net-ack message to mislead the source node)
3. unexpected modification of messages
4. selfish behaviour not only regarding the forwarding but also regarding the reputation exchange protocol, i.e. nodes that receive a reputation request and do not respond to this request are detected
5. bad-mouthing attack: a malicious node i that announces to node j wrong trust information for a common neighbour k
6. conflicting behaviour: a malicious node i behaves differently to different neighbours, i.e. it forwards packets received from node j and not packets from node k

Routing attacks that are not detected by the proposed ATSR solution include Sybil attacks and traffic analysis attacks. However, we consider that Sybil attacks can be avoided by realizing location verification techniques, while for traffic analysis attacks more powerful nodes are required. The only measure taken by the proposed approach is that, by making routing decisions based on the neighbours' available energy, a certain degree of load balancing is achieved. This way the identification of the nodes that handle the majority of the traffic becomes more difficult.

IV. PERFORMANCE EVALUATION

To quantify the performance of the proposed trust-aware routing protocol, we have modeled it using the JSim platform [24]. The simulated network topology includes 100 sensor nodes (n0 to n99) placed on fixed locations (pre-set in the JSim tool), organized on a 10x10 grid and communicating based on the IEEE 802.15.4 standard. No key distribution was modeled as this enhances the communication security while our focus is on the routing security. The simulated application issues one packet of 31 bytes every two seconds while the Beacon interval is two seconds on average (following the original GPSR implementation [25]), and the reputation request interval is three seconds (unless otherwise stated). The initial trust value for all neighbors has been set equal to 1 (i.e. all nodes are considered to be trusted a priori) and the simulation run time was equal to 4000s for all scenarios (unless otherwise stated). For the calculation of the confidence factor, we have used equation (3) and chosen m equal to 1, so that the node relies on the direct trust value it has calculated even from the first few direct interactions, instead of relying on its neighbours' indirect trust information, which introduces vulnerabilities.

To shed light on various aspects of the proposed solution, we have performed different sets of simulation runs. For each scenario, the presented results were obtained after 70 replications. The performance of the proposed secure routing solution depends on a variety of factors including the topology of the sensor nodes, the quantity and location of malicious nodes in the topology (also discussed in [17]), the types of issued attacks, the weights used for the trust metrics, as well as the weights Wd and Wt of the routing function. As the target of the presented ATSR is the detection of malicious nodes that prevent the packets from reaching their destination, a major performance metric is packet loss. However, packet loss may occur due to physical layer collisions, controlled by the MAC layer. In the model we used for the evaluation of the ATSR, the nodes cannot distinguish between a MAC layer collision and an unsuccessful forwarding due to malicious behaviour of a neighbour. Thus, the calculated trust values are lower than the value a neighbour would deserve. However, first, it is not the absolute but the relative trust value that drives the routing decision, since the node associated with the highest value in the routing function is selected, and second, in the real deployment, we consider that the trust module will interface with the MAC module so as to distinguish the two reasons of unsuccessful forwarding.

A. The impact of the distance and trust weights on the performance of the ATSR routing cost function

In our secure routing approach, by varying the weights of the geographical and trust information used in the routing cost function, importance can be shifted from distance to trust. To investigate the impact of these weights (Wd and Wt), we have run a scenario set for different values of the weight factor Wd and different numbers of grey-hole attackers (25% and 50%) uniformly distributed in the network. These nodes randomly drop the received traffic. The weights of the trust metrics (listed in Table 3) were set equal to W1=0.5, W2=0.2, W3=0.1, W4=W5=W6=W7=0 and W8=0.2. The obtained results are included in Figure 2, where the packet loss (expressing the percentage of the transmitted packets that were lost), the average experienced latency and the performed attacks are shown.

[Figure 2 panels: packet loss (%), mean packet latency (ms) and number of grey hole attacks, each plotted against Wd for 25 and 50 grey hole attackers.]

Figure 2: The impact of the distance and trust weight factors on ATSR performance for 25% and 50% grey hole attackers

Starting from the packet loss, the lowest values are observed when Wd=0.4, i.e. when distance and trust are well balanced and almost equally respected. Significantly higher loss ratio values are observed when Wd increases towards 1, as expected, since trust is sacrificed to distance criteria. When Wd equals 1, our solution ignores trust and becomes equivalent to GPSR, which suffers 57% and 66% packet loss for 25% and 50% grey hole attackers respectively. For high Wd values, the latency decreases, since the packets that manage to reach the destination follow a near-optimal path. When Wd decreases towards 0.1, the loss ratio slightly increases while the delay increases as well (especially when 50% malicious nodes exist) because, paying less attention to distance criteria, the data packets travel longer paths to the destination through highly trusted nodes, sometimes failing to reach their destination. Comparing the performance achieved for 25% and 50% malicious nodes respectively, it is clear that better performance both as regards packet loss and latency is observed for 25% grey hole attackers. It is also important to note that for 25% malicious nodes, either Wd=0.4 or Wd=0.5 provides very good performance, while for 50% malicious nodes, significantly better performance is achieved when Wd=0.4 (instead of 0.5), assigning higher emphasis on trust over distance. The number of attacks (representing in this scenario dropped packets) included in the right hand part of the figure reflects the responsiveness of our solution, i.e. shows how fast the benevolent nodes detect their malicious neighbors and avoid them, saving energy that would otherwise be spent transmitting packets in vain, as would happen when adopting any non trust-aware routing algorithm. The number of attacks observed for Wd=0.4 is an order of magnitude lower than the attacks measured for Wd=1, i.e. no trust awareness.

Turning our attention to the latency distribution, we present here results regarding the packet latency for three Wd values and for two sessions, one connecting nodes 0 to 99 (which follows a diagonal path in the grid) and another (shorter) connection between node 86 and 99 (the node positions are shown in Figure 8). The results obtained for 25 malicious nodes have been used to calculate the cumulative distribution function of the packet latency shown in Figure 3. Starting from the longer connection, an average latency value of 13ms has been observed for all the Wd values reported here. For Wd equal to 0.7, the lowest variance is observed and latency values greater than 13ms have been observed with probability equal to 0.07. Slightly higher variance is observed for lower Wd values (0.4 and 0.3) as trust is left to play a more important role, although the difference is quite small.

[Figure 3 panels: CDF plotted against latency (ms) for Wd=0.3, Wd=0.4 and Wd=0.7.]

Figure 3: CDF of the latency observed for packets of session a) between nodes 0-99 on the left and b) between nodes 86-99 on the right

The same effects were observed for the second connection of interest where the average latency was 4.5ms. For all the tested Wd values, latency values between 2.7ms and 3ms were observed with probability higher than 0.94 while for Wd=0.7 this probability was equal to 0.986. Summing up the latency discussion, the obtained results show that the quality of service (in terms of packet latency) is not severely compromised when Wd decreases in favor of Wt to allow for efficient detection of malicious nodes. To investigate whether the observations regarding Wd hold for other types of attacks, we have also run simulations for 5, 20, 35 and 50% malicious nodes performing four different attack types: grey-hole attacks, integrity attacks (nodes alter the forwarded packet fields), nodes that do not perform authentication and nodes that do not support encryption. The results in terms of number of performed attacks and latency are included in Figure 4.

[Figure 4 panels: performed attacks and mean packet latency (ms), each plotted against the distance weight Wd for 5, 20, 35 and 50 malicious nodes.]

Figure 4: Performance results for various attacks (Left: Total number of attacks, Right: Mean Packet Latency)

Better results (lower number of attacks and low latency) are achieved when Wd ranges from 0.2 to 0.5. It is very interesting to point out that the best performance results are achieved for different Wd values depending on the number of malicious nodes. For example, for 50% malicious nodes, the best result is achieved for Wd=0.2, while for 35% malicious nodes the best performance is measured for Wd=0.3 or 0.4. This observation guides us to investigate, in future work, whether these weights can be dynamically adjusted, i.e. each node could set its own pair of values, depending on whether it detects a small or large number of attack nodes around it in the network. However, if we need to reach a recommendation for fixed Wd and Wt values, we would set them equal to 0.4 and 0.6 respectively, which represents a good balance between the trust and geographic metrics. (Extreme values either in favour of trust or in favour of distance lead to high latency and high packet loss, respectively.)

B. Efficiency in attack detection and the impact of the trust metrics weights

In this section, our aim is to evaluate the efficiency of our trust-aware routing protocol in detecting different types of attacks and to provide further insight on the impact of the weights assigned to the different trust metrics when defining the direct trust. To evaluate the improvement that ATSR brings, we have run two different scenario sets using Wd = 0.4 and Wt = 0.6 as previously recommended. In both scenarios, we varied the number of malicious nodes in the network from 0 to 50%, with a step of 5%. The malicious nodes were uniformly spread in the network.

In the first scenario set, different numbers of malicious nodes issuing only grey-hole attacks (i.e. randomly dropping half of the received traffic on average) were used. We did not choose black-hole attacks, since it is easier for our protocol to detect and avoid them, while grey-hole attacks allow a minimum connectivity even when non trust-aware protocols, like GPSR, are used, favouring them. Three different trust metrics weight combinations were tested: in scenario ATSR-1 W1=0.7, W2=0.3, in scenario ATSR-2 W1=0.5, W2=0.5, and in ATSR-3 W1=0.3 and W2=0.7.

The second scenario set employs four different types of attack: nodes that perform grey-hole attacks, nodes that perform integrity attacks, nodes that do not perform authentication and nodes that do not support encryption. Three different weight combinations were used: in scenario ATSR-1 W1=0.3, W2=0.1, W3=0.2, W4=0.2, W5=0.2, in scenario ATSR-2 W1=0.25, W2=0, W3=0.25, W4=0.25, W5=0.25, and in scenario ATSR-3 W1=0.2, W2=0.1, W3=0.2, W4=0.2, W5=0.2 and W8=0.1.

The performance results in terms of packet loss are included in Figure 5. As expected, our trust-aware routing protocol outperforms GPSR in the presence of malicious nodes, since it is capable of detecting and avoiding attacks by finding alternative paths to the destination. Focusing on scenarios including only grey-hole attackers, the proposed ATSR achieves a packet loss ratio of 15% when half of the network nodes are acting as grey-holes, as shown at the left hand side of Figure 5. In the same figure, the different weight combinations tested present different performance only when the malicious nodes exceed 35%, with better results observed for ATSR-1, where W1=0.7 and W2=0.3. It is worth stressing that when all malicious nodes perform grey-hole attacks, we can only use the forwarding and net-ack trust metrics to detect the adversaries. Thus, in this scenario set (with only grey-hole attackers) all trust weights apart from W1 and W2 are set equal to zero.

Equally excellent performance is achieved when malicious nodes performing different types of attacks are used in the second scenario set. As shown at the right hand side of Figure 5, again less than 10% of packet loss is achieved when 50% of malicious nodes exist. The performance difference for different weight factors is now reduced, since more trust metrics have to be taken into account, contending for the weight factor. So, when the number of trust metrics upon which a node is evaluated increases, the weight factor is shared, and thus different weight combinations bring negligible performance difference.

[Figure 5 panels: packet loss ratio (%) plotted against malicious nodes (%) for GPSR, ATSR-1, ATSR-2 and ATSR-3.]

Figure 5 : Packet loss results for different number of malicious nodes in the network.

Left: grey-hole attacks only, Right: various attacks

Looking at Figure 6, one can observe that ATSR achieves a significantly smaller total number of attacks in both scenarios, while at the same time it is obvious that higher efficiency is observed in the first scenario, since it focuses only on the mitigation of the grey-hole attacks. So, when 50% of grey-hole attackers exist, only 100 attacks are observed (for ATSR-1) while for 50% of mixed type attackers 450 attacks are experienced, which is however much lower than the GPSR case (1600 attacks).

[Figure 6 panels: performed attacks plotted against malicious nodes (%) for GPSR, ATSR-1, ATSR-2 and ATSR-3.]

Figure 6 : Total number of attacks for different number of malicious nodes in the network.

Left: grey-hole attacks only, Right: various attacks

Finally, the mean packet latency for the two scenario sets is included in Figure 7. It is observed that ATSR results in greater mean packet latency times, since packets follow longer paths (i.e. they traverse a higher number of transient nodes) trying to avoid the malicious nodes. This becomes more evident as the number of malicious nodes increases, when either one or more types of attack are issued by malicious nodes. It is worth pointing out that while the number of malicious nodes seems to have no impact on the mean packet latency when the original GPSR protocol is used, this is due to the fact that the small percentage of packets that succeed in reaching their destination follow the optimal path.

[Figure 7 panels: mean packet latency (ms) plotted against malicious nodes (%) for GPSR, ATSR-1, ATSR-2 and ATSR-3.]

Figure 7 : Mean packet latency in ms for different number of malicious nodes in the network.

Left: grey-hole attacks only, Right: various attacks

C. Indirect trust evaluation results

Since the implementation of the reputation exchange scheme assists mainly newcomers in obtaining trust knowledge, to evaluate the introduced benefits, we have run a scenario set where 6 connections are active from the beginning of the simulation runs while node 22 is turned on at T1=700s and initiates a seventh connection at time T2=800s. The interval between the node switch-on time and the connection initiation leaves enough time (100s) for node 22 to collect indirect trust information. To make the situation more difficult, node 22 is surrounded by 23 grey-hole nodes as shown in Figure 8, while four bad-mouthers will be activated in certain scenario runs. The weight factors used were Wd=0.6, Wt=0.4, while W1=0.55, W2=0.15, W6=0.15, W7=0.15 for this simulation set.

[Figure 8 content: 10x10 grid of nodes n0 to n99; the legend marks nodes that participate in sessions, black holes, gray holes, integrity holes and bad-mouth nodes.]

Figure 8: WSN Topology for indirect trust scenarios

To investigate different design alternatives related to the reputation exchange protocol, we have run seven simulation scenarios as shown in Table 4, for different reputation exchange frequencies, with and without bad-mouthing malicious nodes around node 22, while scenarios based only on direct trust information were also included for comparison reasons. Each node triggers the reputation exchange procedure (transmitting four Reputation Request messages) periodically, with this period denoted as RRP in the table. Focusing on the results for the flow initiated by the "newcomer" node 22 (shown in the 3rd column), the number of successfully received packets increases when indirect trust information is exchanged. Namely, the 93.3% achieved when only direct trust is relied upon (DT scenario) is outperformed, reaching 99.6% in the IT3 scenario, when reputation information is exchanged every 3s, demonstrating that the adoption of the indirect trust exchange protocol enables node 22 to perform trust-wise decisions from the very beginning of the flow lifetime. This is also proved by the number of issued attacks from time T2, when node 22 is activated, to the end of the simulations, also included in the table (4th column). These attacks are experienced by node 22 before it detects its malicious neighbors. All other nodes have already completed an adequate number of interactions with their neighbors and experienced the number of attacks shown in the 5th column, and thus have already calculated a reliable direct trust value. If trust is derived based only on direct evidence, node 22 attempts cooperation with all its neighbors and hence, 20 grey-hole attacks take place before node 22 discovers the malicious ones. A significantly lower number is experienced for all cases where indirect trust is involved. In IT3 and IT5 scenarios, less than 10 grey-hole attacks are measured even in the existence of bad-mouthing nodes which provide wrong trust information.

Table 4: Performance results for scenarios using direct or both direct and indirect trust information for different reputation exchange frequencies in the presence of bad-mouthing nodes.

| Scenario | Description | Delivery ratio for session 22 -> 29 (%) | Attacks experienced from node 22 | Mean packet latency (ms) | Delivery ratio for connections established before T1 (%) | Attacks observed before T1 |
| DT | direct trust only | 93.3 | 20 | 12.700 | 96.8 | 90 |
| IT3 | indirect trust, RRP=3s | 99.6 | 1 | 12.657 | 96.1 | 94 |
| IT3-BM | IT3 and 4 bad-mouthers | 99 | 6 | 13.881 | 96.2 | 100 |
| IT5 | indirect trust, RRP=5s | 97.6 | 8 | 12.683 | 96.4 | 113 |
| IT5-BM | IT5 and 4 bad-mouthers | 98.3 | 9 | 20.383 | 96.7 | 114 |
| IT7 | indirect trust, RRP=7s | 93.6 | 16 | 15.143 | 94.3 | 129 |
| IT7-BM | IT7 with 4 bad-mouthers | 99.3 | 6 | 12.671 | 88.2 | 252 |

Comparing scenarios IT3, IT5 and IT7, it is evident that the best performance in all measured metrics (delivery ratio, attacks, latency) is achieved in the IT3 scenario, i.e. when the reputation exchange process is triggered more frequently, because, in this way, node 22 collects more indirect trust information in the available timespan of 100s (before the flow is initiated). In the IT3 scenario, even in the presence of bad-mouthers (IT3-BM), higher performance than IT5 and IT7 is achieved. However, this performance improvement comes at the cost of extra overhead and energy consumption. It is worth stressing that further performance improvements cannot be achieved by choosing shorter RRP values, because message congestion becomes the dominant performance factor, canceling the benefits of frequent reputation exchange. For RRP=2s, the delivery ratio of the flow initiated by node 22 decreases to 82.3% while for the other connections it reduces to 77.1%.

As mentioned earlier, the shortcoming of introducing a reputation exchange scheme is the additional processing and storage required on each sensor node and, more significantly, the energy consumption caused by the transmission and reception of the reputation request and response messages. The additional energy consumption mainly depends on the number and frequency of exchanged messages, which implies that the IT3 scenario leads to higher energy consumption than IT5 and IT7. Although this could be easily compared with the DT case, to provide valuable information, an energy consumption profile should be first outlined: energy is spent for the transmission, reception and processing of data messages, Beacon messages and reputation related messages. The percentage spent on each type of message mainly depends on the relevant exchange frequency. The data message exchange frequency depends on the application while the Beacon exchange frequency depends on the mobility level that has to be supported. In light of these observations, we consider that the value of providing any absolute percentages based on assumptions for the relevant frequencies is disputable. Instead, in our future work, we intend to investigate the case where the reputation message exchange frequency changes (namely, decreases) when a node has already collected enough direct trust evidence (to economise energy) and compare this new approach with the one currently presented.

D. Energy consumption improvements

In the presented ATSR solution, the neighbours' remaining energy is taken into account when the next hop node is decided. Assuming that at the beginning all nodes have the same energy resources and at T0 a session is initiated, each source node (say i) selects the next hop node (say node j) based on distance and trust criteria. If the number and positions of the malicious nodes do not change, continuously using the same (benevolent) nodes for forwarding would result in the exhaustion of their energy. Adopting the ATSR protocol and based on the energy metric, each node in the path will select a different neighbour (say k) for forwarding after node j has forwarded a certain number of packets, causing a reduction in its remaining energy level (due to packet reception and transmission), so that the routing cost function value of node k, which is a neighbour slightly closer to the source, becomes greater than that of node j. The simulation results have shown that the proposed ATSR brings no energy-related benefit for nodes not participating in forwarding, since these nodes only transmit and receive the regularly exchanged routing messages. The benefits concern the nodes participating in forwarding, which is more important.

The achieved advantages depend on the value of W8, i.e. the weight factor of the energy metric, which will be denoted in this section as We, since this affects the sensitivity of the algorithm to the remaining energy levels, while the absolute values depend on the scenario parameter values. To quantify the energy savings, we have run a simulation scenario set for different values of the energy weight factor We, with the reputation protocol activated (Indirect Trust ON – IT ON) or not (IT OFF). During the simulation runs, the number and positions of the malicious nodes are assumed fixed. We have measured the energy consumption rate for two nodes: one forwarding packets generated from 7 sessions and another not participating in forwarding. Each session periodically generates packets. It is important to note that the absolute values of the energy consumption and the improvements brought by the proposed ATSR depend on the relation among the periods of the beacon, reputation request and data generation processes. In the scenarios presented here, the beacon period is assumed 2s, the reputation request 3s and the data generation 2s.

The simulation results are included in Figure 9, which shows the energy consumption rate expressed as the percentage of the initial energy value consumed per 1000s of operation. It is clear that the energy consumption for the node not participating in forwarding is independent of the value of We, for both the cases of indirect trust ON and OFF. A clear impact is observed for the node participating in forwarding, showing the advantages of the presented scheme for the suffering nodes. As expected, as We increases, greater reduction in the energy consumption rate is achieved, with direct consequences on the network lifetime. Although the maximum improvement is achieved for We=1, such a choice would cancel the attack detection functionality, since the weight factors of the remaining trust metrics would have to be set equal to 0. Choosing We values equal to 0.3 or 0.4, energy reduction of 4% is possible, allowing enough space for the remaining trust metrics. In the case of de-activating the indirect trust, the trust metrics 6 and 7 (reputation responses and reputation validation) are no longer useful, leaving more room for increasing the We weight value.

[Figure 9 plot: energy consumption rate plotted against We for four curves: node not forwarding with IT OFF, node not forwarding with IT ON, forwarding node with IT OFF and forwarding node with IT ON.]

Figure 9: Energy consumption rate expressed as percentage of the initial energy value consumed per 1000s of operation for different values of energy weight factor We

From the presented results, it is also clear that the activation of the indirect trust (IT) exchange mechanism (marked as the IT ON case on the figure) dramatically increases the energy consumption. For example, the node not participating in forwarding consumes 7% more energy when the IT information is exchanged, driving the designer to consider that the implementation of such schemes should be well justified by the benefits it brings (e.g. in case of mobility).

V. IMPLEMENTATION COST AND TEST-BED EXPERIMENTS

After the fine-tuning and evaluation process, the presented ATSR protocol was implemented in IRIS motes [23] in the framework of the FP7-ICT AWISSENET project. The implementation of the proposed trust model occupies 1795 bytes of RAM and 3752 bytes of ROM, while the complete ATSR block occupies 35 kbytes of ROM and about 4 kbytes of RAM. The ATSR block was successfully integrated with other security-related modules realizing location identification, intrusion detection and secure service discovery schemes.

The tests carried out in the real test-bed have shown that the forwarding metric (even when it is associated with a low weight factor) enables the detection of nodes denying forwarding, and the detection time is significantly lower than that observed for the network acknowledgment metric. As regards the remaining energy metric, its efficiency was also verified during the test-bed experiments. Even though the energy benefits may not be impressive (4-5% when the indirect trust mechanism is ON), they very well justify the associated implementation requirements, which are 146 bytes of RAM and 514 bytes of ROM. Coming to the indirect trust mechanism, the main conclusion is that it helps mobile nodes to find a trusted path to the destination in less time compared to relying only on the direct trust calculation (resulting in a slightly increased number of successfully delivered packets to destination), but the main drawback of the solution is the increase in energy consumption which is caused by the exchange and processing of the reputation and request messages. The trade-off between performance gain and energy consumption is a very important factor that should be considered before enabling the indirect trust mechanism.

Apart from the efficiency of the trust metrics, we also verified our simulation-based findings regarding the impact of the trust and distance weight factors, coming to the conclusion that neither a greedy geographic protocol nor a pure trust-aware management mechanism leads to high performance. To maintain the benefits stemming from the geographical routing (e.g. scalability) and those stemming from the implementation of a trust model (i.e. resilience to specific routing attacks), the trust-aware routing solution needs to carefully balance trust with location information.

VI. CONCLUSIONS

A novel trust-aware routing solution which supports large wireless sensor networks and efficiently reveals malicious node behaviors has been presented. The proposed ATSR adopts a location-based approach to reduce the routing protocol storage and processing requirements, while it realises a distributed trust model incorporating both direct and indirect trust information. Routing is performed on a hop-by-hop basis and the next hop selection is decided upon a novel routing function which allows for balancing between pure routing and security criteria. The weights introduced in the calculation of the total trust value as well as those introduced in the routing function allow for flexible configuration, trade-offs and fine tuning of the algorithm, as has been shown through computer simulations. The simulation results prove that ATSR successfully reveals malicious nodes even when they represent 50% of the network nodes and even if they perform different attack types, and defines alternative trusted routes to the destination. The adopted reputation exchange protocol assists nodes in discovering adversaries existing in their neighborhood, reaching a delivery ratio of more than 99%. Last but not least, an important advantage of the presented ATSR protocol is that it represents a readily deployable solution.

ACKNOWLEDGEMENT

The work presented in this paper was partially supported by the EU-funded FP7 211998 AWISSENET project.

REFERENCES

[1] Ian F. Akyildiz, Tommaso Melodia, Kaushik R. Chowdhury, “Wireless Multimedia Sensor Networks: A Survey”, IEEE Wireless Communications, December 2007, pp. 32-39.
[2] V. C. Giruka, M. Singhal, J. Royalty, S. Varanasi, “Security in wireless sensor networks”, Wireless Communications Mob. Comput. 2008; 8:1–24.
[3] Chris Karlof, David Wagner, “Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures”, Ad Hoc Networks, Elsevier ed., Vol. 1 (2003), pp. 293–315.
[4] Bounpadith Kannhavong, Hidehisa Nakayama, Yoshiaki Nemoto, Nei Kato, Abbas Jamalipour, “A survey of routing attacks in mobile ad hoc networks”, IEEE Wireless Communications, October 2007, pp. 85-91.
[5] Yan (Lindsay) Sun, Zhu Han, K. J. Ray Liu, “Defense of Trust Management Vulnerabilities in Distributed Networks”, IEEE Communications Magazine, Vol. 25, No. 2, February 2008, pp. 112-119.
[6] A. A. Pirzada and C. McDonald, “Trust Establishment In Pure Ad-hoc Networks”, Wireless Personal Communications, Vol. 37, 2006, pp. 139–163.
[7] Junbeom Hur, Younho Lee, Hyunsoo Yoon, Daeseon Choi, Seunghun Jin, “Trust evaluation model for wireless sensor networks”, Advanced Communication Technology Conference, 2005, ICACT 2005, pp. 491–496.
[8] Garth V. Crosby and Niki Pissinou, “Cluster-based Reputation and Trust for Wireless Sensor Networks”, Consumer Communications and Networking Conference, 2007, CCNC 2007, Las Vegas, NV, USA, Jan. 2007.
[9] Nathan Lewis, Noria Foukia, “Using Trust for Key Distribution and Route Selection in Wireless Sensor Networks”, IEEE Globecom 2007, 26-30 Nov. 2007.
[10] Yan Sun, Wei Yu, Zhu Han, and K. J. Ray Liu, “Information Theoretic Framework of Trust Modeling and Evaluation for Ad Hoc Networks”, IEEE JSAC special issue on security in wireless ad hoc networks, Vol. 24, No. 2, February 2006.
[11] G. Theodorakopoulos and J. S. Baras, “On Trust Models and Trust Evaluation Metrics for Ad Hoc Networks”, IEEE Journal on Selected Areas in Communications (JSAC), Vol. 24, No. 2, Feb. 2006, pp. 318-328.
[12] Saurabh Ganeriwal, Laura K. Balzano, Mani B. Srivastava, “Reputation-Based Framework for High Integrity Sensor Networks”, ACM Transactions on Sensor Networks, November 2007.
[13] Guangjie Han, Deokjai Choi and Wontaek Lim, “A Reliable Approach of Establishing Trust for Wireless Sensor Networks”, 2007 IFIP International Conference on Network and Parallel Computing.
[14] Sapon Tanachaiwiwat, Pinalkumar Dave, Rohan Bhindwale, Ahmed Helmy, “Location-centric Isolation of Misbehavior and Trust Routing in Energy-constrained Sensor Networks”, IEEE International Conference on Performance, Computing, and Communications, 2004.
[15] H. Li, M. Singhal, “A Secure Routing Protocol for Wireless ad hoc Networks”, Proceedings of the 39th Hawaii International Conference on System Sciences, 2006.
[16] Asad Amir Pirzada and Chris McDonald, “Trusted Greedy Perimeter Stateless Routing”, IEEE ICON 2007.
[17] K. D. Kang, K. Liu, and N. Abu-Ghazaleh, “Securing Geographic Routing in Wireless Sensor Networks”, 9th Annual NYS Cyber Security Conference: Symposium on Information Assurance, Albany, New York, June 14-15, 2006.
[18] Ka-Shun Hung, King-Shan Lui, and Yu-Kwong Kwok, “A Trust-Based Geographical Routing Scheme in Sensor Networks”, IEEE WCNC 2007, 11-15 March 2007, Hong Kong.
[19] T. Watteyne, I. Augé-Blum, M. Dohler, S. Ubéda, D. Barthel, “Centroid Virtual Coordinates A Novel Near-Shortest Path Routing Paradigm”, Elsevier Computer Networks Journal, Special Issue on Autonomic and Self-Organising Systems, October 2008.
[20] Steven Lanzisera, David T. Lin, Kristofer S. J. Pister, “RF Time of Flight Ranging for Wireless Sensor Network Localization”, 4th Workshop on Intelligent Solutions in Embedded Systems (WISES'06), Austria, June 30, 2006.
[21] Y. Yu, D. Estrin, and R. Govindan, “Geographical and Energy-Aware Routing: A Recursive Data Dissemination Protocol for Wireless Sensor Networks”, UCLA Computer Science Department Technical Report, UCLA-CSD TR-01-0023, May 2001.
[22] Ananth Rao, Sylvia Ratnasamy, Christos Papadimitriou, Scott Shenker, Ion Stoica, “Geographic Routing without Location Information”, MobiCom 2003, September 14-19, 2003, San Diego, California.
[23] http://www.xbow.com
[24] http://www.j-sim.org/
[25] Brad Karp, H. T. Kung, “GPSR: Greedy Perimeter Stateless Routing for Wireless Networks”, MobiCom 2000.
[26] Garth Crosby, Niki Pissinou and Kia Makki, “Location-aware, Trust-based Detection and Isolation of Compromised Nodes in Wireless Sensor Networks”, International Journal of Network Security, 2006, pp.
[27] A. Jøsang and R. Ismail, “The Beta Reputation System”, presented at the 15th Bled Electronic Commerce Conference, Bled, Slovenia, 2002.


Helen C. Leligou received the Dipl.-Ing. and Ph.D. degrees, both in Electrical and Computer Engineering, from the National Technical University of Athens (NTUA), Athens, Greece, in 1995 and 2002, respectively. Her research interests lie in the area of protocol design for communication systems, access control mechanisms in broadband networks including HFC, PON, WDM metro and core networks. Currently she is working on security protocols for wireless sensor networks. Her research results have been published in more than 80 scientific journals and conferences. She has participated in several EU-funded ACTS, IST and ICT research projects in the above areas. Since 2007 she has been a lecturer at the Technological Educational Institute of Chalkida.

Theodore Zahariadis received his Ph.D. degree in Electrical and Computer Engineering from the National Technical University of Athens, Greece, and his Dipl.-Ing. degree in Computer Engineering from the University of Patras, Greece. Currently, he is the project manager of the STREP ICT/AWISSENET-028097. In the past, he has been with Ellemedia Technologies as the Technical Director; the Hellenic Aerospace Industry (HAI) as chief engineer; Lucent Technologies/Bell Laboratories, Holmdel, NJ as a senior consultant; and Intrasoft, Intracom and the Telecommunications Laboratory of NTUA as senior researcher. Since 1994, he has participated in many ACTS, ESPRIT and IST projects as senior researcher or technical manager. His research interests are in the fields of broadband and wireline/wireless/mobile communications, interactive service deployment over IP networks, management of IP networks, embedded systems and multimedia home networks. He is currently an associate professor at the Technological Educational Institute of Chalkida. Dr Zahariadis has published more than 90 papers in magazines, journals and conferences and he is the author of the book ‘Home Networking: Technologies and Standards’ published by Artech House.

The rest of the biographies will be provided at a later step.