IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2009


A Secure Mobile Healthcare System using Trust-Based Multicast Scheme

Azzedine Boukerche and Yonglin Ren

Abstract—Due to the introduction of telecommunication technologies in telemedicine services, the expeditious development of wireless and mobile networks has stimulated wide applications of mobile electronic healthcare systems. However, security is an essential system requirement since many patients have privacy concerns when it comes to releasing their personal information over the open wireless channels. For this reason, this study discusses the characteristics and security issues with wireless and pervasive data communications for a ubiquitous and mobile healthcare system which consists of a number of mobile devices and sensors attached to a patient. These devices form a mobile ad hoc sensor network and collect data that are sent to a hospital or healthcare center for monitoring. Subsequently, this paper discusses the innovation and design of a novel trust evaluation model. We then propose a secure multicast strategy that employs trust in order to evaluate the behavior of each node, so that only trustworthy nodes are allowed to participate in communications, while the misbehavior of malicious nodes is effectively prevented. We analyze the security properties of our multicast scheme and evaluate its performance based on simulation experiments. Our experimental results demonstrate that our scheme not only achieves the necessary data transmission in mobile environments, but also provides more security with reasonably little additional overhead.

Index Terms—Mobile Healthcare Systems, Patient Monitoring, Mobile Ad hoc Networks, Pervasive and Ubiquitous Computing, Secure Multicast, Distributed Trust Evaluation.

I. INTRODUCTION

THERE is much work on how to apply information and communication technologies to healthcare services, especially with regard to wireless networks and pervasive devices combined to provide more applications in electronic medical care. Thus, wireless and mobile communications lead to the emergence of a new type of advanced service for healthcare, making mobile healthcare systems more realistic and feasible in terms of providing expert-based medical care. For example, portable and wearable devices can automatically and continuously monitor a medical user’s health status; wireless networks let the medical user move freely regardless of his or her physical location; and pervasive sensors can exchange sensed medical information through these wireless networks. No doubt, mobile computing provides new opportunities to personal users of healthcare services, both technical and nontechnical.

Manuscript received 14 July 2008. This work is partially supported by NSERC, Canada Research Chairs program, MRI, Ontario Distinguished Researcher Award, EAR Award and ORF Funds. Azzedine Boukerche and Yonglin Ren are with the School of Information Technology and Engineering (SITE), University of Ottawa, Ottawa, Ontario, Canada, K1N 6N5 (e-mail: [email protected], and yren009@site.uottawa.ca). Digital Object Identifier 10.1109/JSAC.2009.090504.

Fig. 1. A schematic diagram of a Body Sensor Network.

0733-8716/09/$25.00 © 2009 IEEE

Many successful case studies are found in areas such as emergency telemedicine, home monitoring, transmission of medical records, remote surgery and virtual hospitals. Wireless healthcare devices are often deployed in special scenarios, such as rural health centers, ambulance vehicles, airplanes, in-home care, patient monitoring, and so on. With the development of mobile computing, one typical application is mobile ad hoc networks (MANETs), which allow their users to move randomly without any pre-deployed infrastructure or middleware. Another example of wearable computing is body sensor networks (BSNs), where portable or wearable sensor devices are attached to patients and healthcare sites. Since these sensors can monitor patients at any time and anywhere, health monitoring systems are being incorporated into our daily lives. As shown in Figure 1, a variety of sensors are integrated into a BSN, which can be used for computer-assisted rehabilitation and even early detection of medical conditions. Obviously, these typical applications of wireless and mobile networks revolutionize today’s healthcare systems.

Mobile healthcare (m-healthcare) is an important research direction for the application of wireless communications in healthcare systems. Therefore, many wireless technologies, including IEEE 802.11, Bluetooth, and Wi-Fi, are used to form wireless local area networks (WLAN) and connect to the Internet. Mobile networks not only provide mobility to patients, but also allow physicians to access patients’ data anytime and anywhere. This brings important benefits to both patient and medical service provider. During the process of constructing an m-healthcare system, wireless sensors act as personal digital assistants that monitor the state of a patient, while also working for physicians by sending or receiving instant messages, either to hospitals to query about the patient’s information, or to the patient to remind him or her about necessary medication or examinations. In a word, m-healthcare environments can collect, transfer, and exchange medical information in a distributed manner. This diminishes the administrative and medical costs for both hospital and patient, monitors the physical state of the patient, such as blood pressure, electroencephalogram (EEG), electrocardiogram (ECG), and reduces the risk to the patient from unexpected ailments.

However, security is an essential requirement of the mobile healthcare system, since many patients have privacy concerns when it comes to releasing their personal information over the open wireless channels. Though real-time monitoring and data transmission provides necessary information quickly, it can also expose a patient’s medical data to malicious intruders or eavesdroppers. If an m-healthcare system lacks the necessary protection when communicating data, unauthorized parties or persons can easily access the private data of a patient; medical records may be modified freely by malicious attackers, and false information can be injected into the data stream by a prohibited node. Therefore, when planning mobile healthcare, security is indispensable because of the shared nature of wireless devices, the mobility of the patients, and the vulnerabilities of pervasive and ubiquitous environments [3].

This paper is devoted to an increasingly important topic – mobile healthcare security. First, we discuss the characteristics of the mobile healthcare systems and consider their possible vulnerabilities. We then study the technique of trust and present a distinct Trust Evaluation model, which we refer to as TrE. The trust model is distributed to each node in the system, and trust evaluation is managed in a decentralized manner.
Moreover, we propose a secure multicast mechanism based on a TrE trust evaluation model for data communication among mobile medical devices. This mechanism offers confidentiality protection via symmetrical cryptographic algorithms, as well as authentication based on asymmetrical algorithms. Unlike other related m-healthcare systems, our system takes historical trust records into account when evaluating a node’s new trust value. Also, the multicast mechanism and trust technique used in our system guarantee that only trustworthy nodes are allowed to participate in communications, and the misbehavior of malicious nodes is thus prevented.

The remaining sections of this paper are as follows: Section II will review previous and related work; Section III discusses the security issues existing in mobile healthcare systems; Section IV describes the trust evaluation model upon which our algorithm relies; Section V proposes our secure multicast mechanism; and Section VI presents the main characteristics of our mechanism and analyzes its security properties. Finally, Section VII evaluates our scheme based on simulation experiments. The conclusion follows in Section VIII.

II. LITERATURE REVIEW

Mobile healthcare services have the potential to become integral components of a modern healthcare system, as they can provide alternative solutions to numerous medical and social requirements. The ongoing development of wearable sensors and mobile networks is closely linked to advances in a range of digital hardware and wireless communication technologies. These mobile devices and systems work in a very different manner than conventional medical equipment [15].

A. Telemedicine Systems

The applications of pervasive healthcare services have high requirements for wireless and mobile networks, such as secure information exchange, reliable remote control, confidential data storage, effective mobility management, rapid emergency response, and continuous monitoring of a patient’s medical conditions. Hameed [16] describes the importance of mobile computing and the benefits of using wireless technologies in healthcare, since wireless and mobile hand-held or wearable devices help patients obtain central healthcare services quickly. Varshney [35] discusses the applications and requirements of telemedicine systems, which include pervasive patient monitoring, remote data access, and intelligent emergency management. The author then presents a comprehensive wireless health monitoring concept that provides context-aware and reliable ubiquitous mobile telemedicine. Ganguly and Ray [14] develop a network-based computing application under some existing international healthcare informatics standards, and use the telecardiogram issue as a case study in distributed cardiac care. Kang et al. [19] propose a healthcare system based on a multi-agent system (MAS) that would provide a series of services, such as mobile telemedicine, continuous monitoring, emergency processing, etc. These functions are achieved by various agents in combination with both medical sensors and wireless communication technologies. Additionally, their proposed healthcare system makes decisions about a patient’s present health by employing real-time data sensing as well as the patient’s medical history. Jen et al. [17] design a mobile outpatient service system (MOSS) to achieve illness treatment, illness prevention and patient relation management. By using wireless and mobile devices, MOSS improves the management efficiency of a hospital and shortens the response time to emergency cases. Thus, wireless technologies can help telemedicine systems make mighty advances.

B. Pervasive Healthcare Systems

Telemedicine was developed several decades ago with the introduction of computer technologies such as computer assistant therapy, interactive video and pattern recognition, and so on. Nevertheless, wireless technologies further advance the development of healthcare services by facilitating mobile, reliable, and comprehensive healthcare, such as the provision of mobile emergency care and medical surveillance to understaffed environments at any moment. Pattichis et al. [30] investigate the existing wireless telemedicine systems from the current wireless technologies applied in healthcare, to the applications in wireless telemedicine systems. Specifically, pervasive devices and wireless networks are used for remote monitoring and provide much convenience to elderly users of healthcare systems. Wu et al. [38] discuss the motivation for developing mobile healthcare systems (MHS), and propose a conceptual model to examine what determines medical professionals’ acceptance of mobile healthcare systems. The authors also explore the relationships between the potential determinants of MHS and the intention of medical professionals. Konstantas et al. [22] introduce an MHS project, called MobiHealth, which aims to support fast and reliable remote assistance and allows the paramedics to directly communicate to accident sites. In the MobiHealth project, many wearable devices, such as sensors and actuators, form the proposed system based on 2.5G and 3G technologies. Chung et al. [11] propose a query-driven healthcare monitoring system based on wireless sensor networks (WSNs), in which a unique identifier is used to identify each patient, so that health data from multiple patients can be transferred using a multi-hop routing scheme via a wireless channel to a central management centre. Song et al. [33] model a RFID-based ubiquitous healthcare system by dividing the workflow of such a system into different subsystems. They introduce a security control subsystem that provides private and public keys in order to protect patients’ medical privacy. Thus, any information exchanged between a patient and his or her healthcare provider can be effectively protected over the open medical service. Kirn [21] explains the concept of ubiquitous healthcare, which allows individual patients to be equipped with mobile computing devices and then proposes a virtual medical organization that could diagnose cancers. A variety of roles are involved in the virtual system including patient, relative, nurse, and cancer specialist. The system’s main purpose is to support communications, coordination, and collaborations among different roles, through the mobile agent technique. Lin et al. [26] present a system infrastructure for pervasive healthcare applications, in which daily communication networks such as WLAN and cable television (CATV) networks are used as the communication platform for medical monitoring services. Thus, the patients in this system can be monitored at home or even in other public places, and some vital signs can be recorded at any time, including heart rate, blood pressure and body temperature. Kroc and Delic [23] present a mobile telemedicine system that utilizes intelligent wearable sensors and Bluetooth technology. In their system, mobile sensors are organized in a personal area network (PAN). It can constantly monitor and record a patient’s health data regardless of the patient’s location or activity, without the need for regular face-to-face examinations with physicians. Dagtas et al. [12] describe a mobile solution for monitoring patients in need of medical assistance. In their scheme, sensors and cell phones are the primary mobile devices fulfilling the functions of sign monitoring, data collection, and real-time alerts.

C. Secure Mobile Healthcare

Security is becoming an important research topic in mobile healthcare systems and many solutions are applied to prevent malicious behavior from disclosing confidential data. Kyriacou et al. [24] develop a medical service for multipurpose healthcare systems that allows patients to use the mobile bi-directional telephone links to communicate with specialists in a hands-free mode. In their systems, they especially consider the security of exchanged messages between the hospital units and their corresponding users, and add the option of encryption to enhance the security of this system. Chakravorty [10] introduces a health-related service architecture (MobiCare) for mobile patient care, which not only satisfies the needs of patient medical monitoring by deploying medical sensors to form a body sensor network, but also provides the necessary protection to clinical services by applying secure and reliable dynamic software. The author then discusses issues with MobiCare, which include confidentiality, integrity, and privacy of patient’s information; many techniques are suggested, such as authentication, access control, encryption, and so on. Kim et al. [20] discuss some potential threats for ubiquitous healthcare systems and describe the security requirements for these u-healthcare systems. They propose a systematic architecture in order to design a security policy for such healthcare systems and to allow a patient to control access to any sensing data recorded by a personal healthcare device. Bao et al. [1] propose a scheme that would solve the issue of entity authentication for BSN, in which the notion of biometrics is applied as an authentication approach that automatically verifies an individual’s identity. In the established BSN, peer authentication can ensure secure connections between different entities. Jeong et al. [18] present a mobile collaboration framework based on distributed systems, which supports the necessary security services by checking access rights for corresponding users, dividing the collected data into two categories, secure and public, and applying the access control technique to specify that each security object needs the corresponding access privilege. Marti et al. [28] present a specification of integrated network and security services for mobile e-health environments, in which different security mechanisms are applied to address threats such as eavesdropping or manipulating patients’ information, and to guarantee the patient data confidentiality and integrity. Markovic et al. [27] consider the issues of mobile healthcare security and employ cryptographic techniques to address possible vulnerabilities. They make use of symmetrical cryptographic methods to protect data confidentiality, and asymmetrical cryptographic algorithms such as Public Key Infrastructure (PKI) and digital signature technique to achieve data integrity. Bones et al. [2] propose a secure enterprise instant messaging (IM) service for use in healthcare, which supports IM clients using ordinary mobile devices such as PDA and cell phones, when communicating with desktop-based clients. However, their service focuses more on information security via the analysis of a number of potential threats, and possible countermeasures are presented for each individual threat accordingly.

III. THE FEATURES OF MOBILE HEALTHCARE

In this section, we discuss some important features in the context of mobile healthcare, as well as security and privacy concerns.


Fig. 2. An overview of mobile healthcare system.

A. The Features of Pervasive and Mobile Healthcare

Pervasive and mobile healthcare environments include a number of mobile devices, sensors and communication infrastructures, as illustrated in Figure 2. For example, ambulances are equipped with wireless communication devices, so that the paramedics can start expert-based care at the stage of accidents; a patient wearing medical sensors can be monitored with flexible mobility; and hospital management systems can issue timely responses to emergency cases. Due to the attractive characteristics of wireless and mobile communications, mobile healthcare has many distinct features over traditional healthcare systems [38].

1) Wearable Devices: A wearable medical device can be described as an autonomous, non-invasive system that performs a specified medical action or operation, such as monitoring or support, in collaboration with other devices in a network [15]. Typical examples of wearable devices are personal digital assistant (PDA), cell phone, and all kinds of sensors such as EEG sensors, ECG sensors, speedometers, and blood pressure meters. The primary functions of wearable sensors normally include physiological monitoring, information storage, data transmission and instruction receiving. These devices can be directly attached to either the human body or a piece of clothing, and they thus support continuous patient monitoring. Through the discussion of related work in Section II, we found that modern electronic healthcare systems have a tight connection to medical sensors.

2) User Mobility: The development of mobile devices avoids the need to deploy any infrastructure and thus forms a new type of network. Flexible mobility allows patient monitoring outside of a hospital, so the activities of the patient are not limited to the hospital. When the patient moves around, the wearable devices he or she is equipped with monitor the status of the patient, send relevant medical information to a hospital information processing center, and receive instructions from the hospital or medical professionals. Therefore, based on the mobility provided by wearable devices, a user of m-healthcare can be served by continuous patient monitoring anywhere and anytime. On the other hand, since the users of m-healthcare are mobile, the network topology may change rapidly and unpredictably over time, and communicating data would be transmitted only by relying on intermediate peers. Additionally, the mobility of users gives mobile ad hoc networks a high level of autonomy: each user is free to move on its own and all users organize themselves in an arbitrary fashion [4].

3) Data Transmission: Unlike traditional hospital management schemes, where most patients can only access medical care or monitoring in a particular place at a specific time, current healthcare equipment can provide continuous monitoring of patients, as well as maximal mobility for them. Here, data communications rely on wireless channels instead of wires. However, mobility also makes data exchange difficult, because the need to deploy a number of infrastructures can increase the cost of mobile healthcare systems. Thus, wearable devices are designed to construct a mobile ad hoc sensor network; two medical sensors can thus communicate directly with each other when they are within their direct transmission ranges. Otherwise, other sensors can cooperate in order to relay the exchanged information. In other words, these intermediate nodes in such systems work as routers for all other nodes in the network. Therefore, these wearable devices and medical monitoring sensors make up a collection of wireless mobile nodes that form a network which does not need any pre-deployed infrastructure, and where information exchanged is transmitted only by relying on the intermediate peers.

4) Flexibility of Medical Service: Both patients and healthcare providers benefit from the introduction of pervasive communications and mobile devices. Since the current method of patient monitoring is continuous and automatic, which can reveal problems at an early stage and lead to better control in advance, a patient can obtain better medical care and more mobility. Mobile healthcare also allows medical professionals to access the patient’s medical records at any place and at any time; this means they can more flexibly diagnose and monitor the patient’s status, and issue prescriptions accordingly. For instance, a medical professional Emma does not need to access a patient’s (Justin) medical record through a standard desktop workstation which requires Emma to be in a healthcare or rehabilitation center at a specific time; instead, she can take advantage of mobile devices such as a laptop, cell phone, or handheld computer, and browse Justin’s medical records regardless of her location. Many studies have shown that electronic clinical systems and mobile healthcare systems have a positive influence on clinical practice and flexible services [1], [13], [17].

5) Remote Medical Control: As an important requirement of m-healthcare, real-time monitoring and data transmission facilitate remote medical control. A medical professional can carry out remote diagnosis, surgery, and other operations on a patient even if they are not physically in the same location. Neither surgeon nor patient needs to travel beyond their local areas for a specific medical operation [37]. Beyond the techniques of wireless and pervasive communications, many other technologies, including high-speed data connection, interactive video, haptics, and robotics help achieve remote medical control as well.


B. The Open Issues in Security

Mobile healthcare systems have unsurpassed advantages in comparison to traditional healthcare systems; however, protecting a patient’s medical records and privacy has become an important topic with the prevalence of m-healthcare. Generally, in order to enhance the security of a mobile healthcare system, a number of security mechanisms are used to ensure both data confidentiality and user privacy. The fundamental goals of secure mobile healthcare systems are safely exchanging the patient’s information issued by mobile devices, and preventing improper use of illegal devices, such as intercepting transferred data, eavesdropping on communicated data, replaying out-of-date information, or revealing the patient’s medical conditions. Based on the potential threats of mobile healthcare [20], [28], specific security requirements will have a significant influence on the performance of m-healthcare as follows.

1) Data Confidentiality: Most patients do not want anyone to know their medical information, except their family doctor or medical specialist. Thus, it is important to keep their medical information confidential, so that unauthorized parties cannot access this information. Some solutions have been presented to prevent malicious intruders and intentional eavesdroppers from intercepting or overhearing this information communicated in an open wireless environment. One of these solutions is to use a cryptographic algorithm to encrypt medical information and protect the necessary data.

2) Authentication: As discussed above, patients usually prefer their family doctor or corresponding medical specialist to access and review their medical records, so authentication is important during information retrieval. Only an authenticated entity can access the corresponding data that are available for that entity; unauthenticated entities are denied access when they visit data information that they do not have the rights to obtain. Sometimes, cryptographic keys can be used as the means of authentication in current authentication technologies. For example, asymmetric cryptography (i.e. PKI) is often used, because these private keys are credentials shared only by the communicating parties.

3) Access Control: In traditional network security models, access control determines whether a subject can access an object based on an access control list (ACL). Assume that Alice attempts to access a printer. She must first contact an authority after being authenticated. The authority checks whether Alice has been granted permission to use the printer. Thus, access control can be achieved by combining authentication and authorization. These solutions can work well in wired networks; however, they are obviously not sufficient for pervasive and wireless networks because the dynamic topology of wireless networks changes quickly, and the scalability of these networks sometimes needs to be handled [6], [32].

4) Privacy Concerns: Though many healthcare researchers are interested in collecting and recording medical sensor data, these data may contain many personal facts, meaning patients are not willing to reveal them [20]. Especially in an open wireless environment, an intruder may observe network traffic and thereby infer the relationships and identities of the communicating nodes. For instance, a lot of sensing data are sent centrally to a handful of nodes, which indicates that these nodes may be the medical professionals who are reviewing patients’ records. Traffic analysis may reveal the private information of the communicating parties, such as identity, location, and relationships; malicious nodes can thus influence the network and become a major threat.

IV. THE FORMATION OF A TRUST MODEL

Empirical studies of wireless security have demonstrated that traditional strategies for network security that are applied to wired networks do not work well in mobile healthcare due to the special characteristics of wireless communications. Hence, solutions oriented to wireless and mobile networks must improve the security of such networks. One direction of current research is to apply the theory of trust to identify malicious nodes and thereby exclude them from a presently healthy network. To study the information security properties of trust evaluation, we devised a preliminary description for a novel trust evaluation scheme that employs different increase shapes to evaluate a node’s trust value. Additionally, other information security techniques, such as encryption, are used in our system with high security requirements. This proposed trust evaluation model will serve as the basis for the multicast mechanism presented later in this paper.

A. Trust Evaluation

As an emerging technique, trust is defined as “the degree to which a node should be trustworthy, secure, or reliable during any interaction with the node” [6]. The concept of trust has been introduced into mobile healthcare security with wide application in the realm of network and information security. Thereby, trust represents a mutual relationship established between any two trustworthy medical nodes (sensors) for a specific purpose: one node, called the Object, can forward packets for another node, called the Subject. In this way, the notation T(Subject,Object) denotes the trust relationship between node Subject and node Object.
Let us assume that node A is the Subject and node B is the Object; in this case
• The trust of A to B is T(B,A); and
• The trust of B to A is T(A,B).

If one node trusts another node to perform the intended operation, the trust relationship between these two nodes can be established reliably from the communicating initiator’s point of view. As we have already discussed above, if A successfully forwards a packet for B, then A is considered to be an honest node for B, and B thus increases its trust value T(B,A) for A’s good behavior. If A lies about or exaggerates its contribution to routing, then A is a suspicious node that will be penalized and T(B,A) decreases accordingly. In m-healthcare, a mobile node can obtain new trust credits or lose its trust based on its behavior within a dynamic environment, so only when the node is trustworthy enough for another node can it participate in the communication initiated by that node. To that end, a node can also have different trust values when it is evaluated by different nodes.

Much research has been done on how to evaluate a node’s trust behavior and compute the node’s trust value. Theodorakopoulos and Baras [34] design a trust control scheme based on an additive increase for a successful report and a multiplicative decrease for a failed report. Wang et al. [36] adopt a linear trust evaluation method based on self-observed information of a certain node and other nodes’ trust evaluation of the same evaluated node. Zouridaki et al. [39] propose a trust establishment scheme for the reliability of packet forwarding over a multi-hop route, modeling the evaluation of trust in a linear increase manner. In our simulation experiments, we compare our trust evaluation scheme with the above trust computation models.

B. The Observations of Different Mathematical Functions

First, we will investigate several different types of mathematical functions and observe their shapes. We then explain how our trust scheme is deduced, based on these mathematical functions.

1) Exponential Functions: Exponential functions are functions of the form $f(x) = a^x$ for a fixed base $a$, which could be any positive real number. Exponential functions are characterized by the fact that their growth rate is proportional to their value. Though the shape of the graph $y = a^x$ depends on whether $a < 1$, $a = 1$, or $a > 1$, we only use $a > 1$ to describe a node’s trust increase in our scheme. Thus, the exponential function $y = a^x$ ($a > 1$) has a slow increase shape when $x$ is not a large number (for example, $x < 1$), and $y$ will increase slowly with the increase of $x$. Such functions are suitable for measuring the nodes with low packet forwarding or significant uncooperative behavior. Figure 3 illustrates a few exponential functions such as $y = 2^x$, $y = 2.5^x$, and $y = 3^x$.

Fig. 3. Graphs of exponential functions.

Fig. 4. Graphs of logarithmic functions.

Fig. 5. Graphs of linear functions.

2) Logarithmic Functions: The logarithmic function is sometimes defined as the inverse function of the exponential function, and it has the form $f(x) = \log_a x$. As we know, the graphs of logarithmic functions and exponential functions are symmetrical with respect to the straight line $y = x$. Figure 4 shows that logarithmic functions $y = \log_2 x$, $y = \log_{2.5} x$, and $y = \log_3 x$ increase quickly with the increase of $x$, when $x$ is not a large number (for example, $x < 1$). Therefore, logarithmic functions have a fast increase shape when compared with exponential functions. In our research, logarithmic functions are used to measure the nodes with a large number of packet forwarding or little uncooperative behavior.

3) Linear Functions: Finally, we discuss the simple linear functions, which generally have the form $f(x) = ax + b$. Here, we only consider the simplest linear functions whose graphs pass through the point (0, 0); these functions have the form $f(x) = ax$. Since linear functions have a stable increase shape, they are used to measure the nodes with a stable change in trust or constantly cooperative behavior. As shown in Figure 5, linear functions $y = x$, $y = 0.5x$, and $y = 1.5x$ increase moderately with the increase of $x$. Thus, we conclude that linear functions have a medium increase shape when compared to logarithmic functions and exponential functions.

4) Our Proposed Trust Evaluation Theory: Based on the above discussion and observations of different mathematical functions, we propose our trust evaluation scheme:
• A node is only allowed to participate in the communication initiated by the source node when this node is trustworthy enough for the source node.
• A cooperative node will be rewarded for honest behavior, such as successfully forwarding; an uncooperative node will be penalized for malicious behavior, such as packet dropping.
• A node’s past historical trust records are introduced as a significant factor in order to measure its current trustworthiness.
• The principle of trust evaluation will reward nodes with good past trust records more; nodes with bad past trust records will be rewarded less and nodes with medium past trust records will be moderately rewarded.

C. A Trust Evaluation Model

As discussed in Section IV.A, most trust evaluation models compute an object’s trust value based on a linear function; however, we propose a novel trust evaluation prototype that will update trust value based on different increase-shapes, which we refer to as TrE. In our TrE model, a node’s past historical trust records have a significant effect on its current trust evaluation, so the recent trust of the node $n_i$ is denoted as $rt$, which reflects $n_i$’s past behavior. For the trust metric, two factors are taken into account: the residential time $Time$ and the recent activity $ra$. When a node $n_i$ stays in another node’s community, the residential time of the node indicates the extent of its trustworthiness, since the longer $Time$ is, the longer $n_i$ stays in the community and thus the more trustworthy $n_i$ is. Otherwise, a malicious node would be removed from the community and could not survive for a long time afterwards. Specifically, the time $Time$ is measured in a time unit such as ms. The recent activity records the amount of the node’s past activities. As shown below, $\omega$ denotes the time factor

$\omega = \kappa^{Time} \times ra$ (1)

where $\kappa$ is a discount factor between 0 and 1 and $ra$ represents the node’s recent activities; this can include a successful forwarding or a deliberate exaggeration. Thus, we define trust as a function that depends on the time that a node has spent in the community and on the past trust which this node has acquired in recent periods. Finally, we examine the value of recent trust $rt$:
• If $rt > 0.5$, the logarithmic function is used as follows:

$T = \lambda \times \log_{\omega}(1 + rt)$ (2)

• If $rt < 0.5$, the exponential function is used as follows:

$T = \lambda \times (0.5 + rt)^{\omega}$ (3)

• If $rt = 0.5$, the linear function is used as follows:

$T = \lambda \times rt \times \omega$ (4)

where $\lambda$ is a scaling factor to keep the trust value $T$ within a certain range such as between 0 and 1. Each node selects the values for $\kappa$ and $\lambda$ independently. Accordingly, the increase in trust will have three shapes depending on the past trust value and the time that the node has stayed in the community. If the node $n_i$ has had a good trust record in the past, then its current trust will increase quickly; if $n_i$ has fewer trust credits, its trust will increase slowly; finally, for a node $n_i$ with a medium trust record, its trust will increase moderately as well.

V. A SECURE MULTICAST STRATEGY BASED ON TRUST EVALUATION

A mobile healthcare system is a typical example of MANETs, and each mobile medical device or sensor can be seen as a mobile node. Therefore, a trust-based evaluation model can manage nodes dynamically, and the nodes’ activities are efficiently evaluated in a distributed manner. Furthermore, the mechanism of multicast is applied to achieve secure communication among nodes, and malicious nodes can be detected based on their trust evaluations, so that they are not used in any communication within the m-healthcare system. Thus, a selective multicast mechanism based on trust evaluation is helpful for the improvement of the network’s security and reliability.


A. Secure Multicast based on Trust Evaluation

Many existing wireless communications solutions utilize cluster-based group management and broadcast mechanism as the methods of network management and communication. However, the concept of “group” is complex and not easily managed, since it classifies the nodes in a network into different clusters based on certain rules [9]. We introduce the concept of community: for a node that is a central node, this node and all of its one-hop neighboring nodes are defined as a community in which some malicious nodes might be included. Although this concept is somewhat similar to the protocol of SDAR [5], there is a great difference between them, in that SDAR inherits the traditional concept of “group” in order to classify nodes into High, Medium, and Low levels according to the nodes’ trusts. Our community model does not classify nodes at all but possesses a richer trust management mechanism.

Each node has its own community centered at itself in our one-hop community. When a newly joined node moves into the neighborhood of a central node, it will first inform the central node of its public key for the authentication between them. The central node then assigns an initial trust value to the newly joined node and sends it a secret key based on the initial trust value. In order to distribute the secret key securely, the central node will encrypt it using the public key of the intended neighboring node before sending it. Moreover, the central node generates different secret keys for different neighbors. Thus, each neighboring node has an independent secret key, known only to itself and the central node, for their communication, and all information exchanged is encrypted using the corresponding secret key. The mobility of nodes means that, whenever a node leaves or joins the neighborhood of the central node, the central node keeps its list of neighboring nodes as fresh as possible.

Additionally, the broadcast mechanism allows information to be sent to all neighbors rather than to a specific one, which introduces insecure factors into information exchange, since all nodes are treated as secure next-hop destinations and can obtain the transmitted message. Thus, in the process of our data communication, we do not employ the mechanism of broadcast or flooding algorithm to transmit data to each neighboring node. Based on our TrE model, we make use of trust as a criterion for choosing proper neighbors in order to forward packets for a central node in the one-hop community; multicast is the mechanism of data transmission. Figure 6 shows that node S sends messages to node D through nodes A and B instead of E, since E does not meet the trust requirement TR established by S.

Fig. 6. An example of trust-based multicast.

When a source node wants to communicate with another node, called destination node, the source node will choose a trust value as the trust requirement of this conversation. The source node then checks the trust values of all of its one-hop neighbors and selects those neighbors which meet this trust requirement in order to form a subnet. Thus, the source node encrypts transmitted information using the corresponding secret key and then takes advantage of the multicast mechanism to send the encrypted information to each of those qualified neighboring nodes. However, if there is no neighboring node
that satisfies this trust requirement, the source node will iteratively lower its trust requirement and continue checking, until some neighbors meet the new requirement. When those qualified neighbors receive the encrypted message, they will follow the same procedure for selecting neighbors that satisfy the trust requirement. Here, a trust value becomes a selective criterion for choosing qualified nodes for multicast.

The evaluation of a node’s trust enables a trust system to track the behavior of each node, record feedback about the security evaluations of other nodes, and make corresponding reactions to the tracked behavior, e.g. rewarding an honest node for successfully forwarding, or penalizing a dishonest node for malicious dropping. In particular, our TrE model can be resilient to a node’s temporary disability (e.g. channel problems or temporary unavailability) and does not directly judge a temporarily uncooperative node as a malicious node, since, in theory, all nodes may eventually experience these problems in MANETs, based on a statistical analysis. We formally describe the algorithm by means of pseudocode based on different phases in Figure 7.

Fig. 7. Secure trust-based multicast scheme.

As for the maintenance of the community, a method similar to that used by the AODV ad hoc routing protocol [31] is employed to periodically broadcast HELLO messages from the central node. In this way, it updates the trust value each time, based on the HELLO messages. We define the time interval between two consecutive updates of HELLO messages as a session. At the end of each session, the central node will clear the variables $Time$ and $ra$ respectively, and use each node’s current trust value $T$ to replace its corresponding recent trust $rt$. Through our efficient trust evaluation model, TrE can be applied to wireless environments and mobile healthcare systems.

B. A Typical Example

Due to the shared nature of mobile nodes, effective resource management mechanisms should be employed to ensure the proper use of these nodes’ resources. In the above sections, we have introduced the trust evaluation model and multicast mechanism. Here, we make use of a typical example to explain how a node’s trust is evaluated based on its behavior, and how information is exchanged based on our trust-based multicast mechanism. The two nodes S and D do not communicate directly because they are not in each other’s direct transmission ranges. Therefore, they have to establish a route through a series of intermediate
nodes, where S is the sender of the routing and D is the destination. First, node S checks its neighborhood and finds its one-hop neighbors A (T(S,A) = 0.1), B (T(S,B) = 0.4), C (T(S,C) = 0.8) and E (T(S,E) = 0.2); S then chooses a trust value 0.3 as its routing trust requirement $TR_S$, based on the current trust information of its neighbors. Next, S checks which nodes satisfy its issued trust requirement and finds that the trust values of B and C are above $TR_S$. Hence, neighbors B and C are selected as its trustworthy intermediate nodes to transfer packets for its communication with D. Iteratively, the communication between S and D can be established in this way.

Let us assume that, in node B’s recent activities, it successfully forwarded 5 packets ($ra_B = 5$) for the central node S within 5 time units ($Time = 5$), and that it also had a recent trust value 0.4 ($rt_B = 0.4$). Also, let us suppose that $\kappa = 0.7$, and that

$\omega_B = \kappa^{Time} \times ra_B = (0.7)^5 \times (5) = 0.8404$

Finally, because $rt_B < 0.5$, which indicates that B was not an active packet forwarder in the past, we use the exponential function to measure its current trust. In the meantime, $\lambda = 0.5$, and the new trust value $T_B$ can be evaluated as follows

$T_B = \lambda \times (0.5 + rt_B)^{\omega} = 0.5 \times (0.5 + 0.4)^{0.8404} = 0.4576$

Thus, we obtain the new trust value for node B through our TrE model, in which the trust of node B has increased from 0.4 to 0.4576. $T_B$ does not increase in a linear manner, but in a more intelligent one. Thus, if a node’s trust, such as that of node A, does not satisfy the initiator’s trust requirement, this node cannot forward packets for others and its trust credits will increase slowly. Our model demonstrates that different nodes with different contributions for packet forwarding are treated differently.

VI. SECURITY STUDY AND ANALYSIS

In this section, we provide a formal analysis of our secure multicast mechanism in mobile healthcare systems and prove that system security can be protected effectively through the use of our trust evaluation model. The methodology related to security analysis [3], [25] is utilized in this analysis. To simplify the security analysis, we focus only on the critical components of our system, such as its trust model, secure transmission and authentication. The basic notations are in Table I [8].

TABLE I: BASIC NOTATIONS AND STATEMENTS

| Notation | Statement |
| --- | --- |
| $C_i$ | The central node of a community |
| $N_i^C$ | One of the neighbors in community $C_i$ |
| $PK$ | The public key of a certain node |
| $SK$ | The secret key generated by $C_i$ for neighbor $N_i^C$ |
| $F(x)$ | The function or operation is specified by $x$ |
| $P_i$  $A$ | A principal $P_i$ possesses a specific action $A$ |
| $P_i \xrightarrow{O} P_j$ | The principal $P_i$ transfers $O$ to another principal $P_j$ |

Theorem 1: If a node makes the trust requirement the selective condition of multicast, then the initiated transmission or communication is considered to be secure and reliable.

Proof: During node communications, only when a node is trustworthy enough for another node and satisfies the trust requirement can it participate in the communication initiated by that node. Thus, the initiating node autonomously selects the joining criterion for communication with its neighbors in its community. The trust requirement means that these neighbors are trustworthy and reliable; otherwise, neighbors whose trust falls short of the trust requirement cannot be allowed to forward packets at this time. Additionally, trust evaluations have predetermined characteristics, which means that the initiating node thinks the communication with its neighboring nodes is secure and reliable from the initiator’s point of view.

Lemma 1: Any central node is able to classify its neighbors based on their past behavior and reputations.
Proof: (1) For a node $n_i^C$ that is a member of the community C, if the node $n_i^C$ implements the operations $F(c)$ designated by the community C and conforms to the specifications of the system, then the node $n_i^C$ is considered a well-behaved neighbor of the central node $c_i$. (2) Similarly, for the member $n_i^C$ of the community C, if this node does not follow the specifications of the system and finish the function $F(c)$ designated by the community C, then $n_i^C$ is judged as a misbehaving neighbor of the central node $c_i$.

Lemma 2: Trust can be updated sensitively for nodes based on their past behavior and reputations.


Proof: (1) For those nodes that are classified in the well-behaved cluster, TrE uses a logarithmic function to calculate the changes in trust, so the trust model thus entails a fast increase in the trust of well-behaved nodes. This matches the theory of giving greater rewards to well-behaved nodes. (2) For the nodes that are classified in the uncooperative cluster, TrE uses an exponential function to describe the changes in trust, so that the trust model provides a slow increase in trust for uncooperative nodes. In contrast to well-behaved nodes, this matches the theory of punishing malicious nodes more quickly. (3) TrE utilizes a linear-shape function to simulate the change in trust for those nodes with medium trusts. It is reasonable to make a linear-like increase for these nodes.

Lemma 3: TrE can identify malicious behavior and exclude malicious nodes.

Proof: In TrE, trust is an effective approach for detecting malicious nodes, and our trust model is efficient in calculating the trust of each individual node. First, based on the notion of trust, each node is associated with a reputation that evaluates its behavior. The critical part of our system is that the evaluation is not performed by the individual node itself, but by the other node that it serves. The possibility of the individual node overestimating its contribution to other nodes is thus avoided, leading to an objective evaluation. Secondly, the central node in a community will always overhear its neighbors and monitor their behavior. It then calculates the trust of each neighbor based on their corresponding actions. Any malicious behavior can be detected by the central node and reflected in the TrE computation model. Third, once the trust value of a node falls into the threshold for malicious nodes, its trust is computed based on an exponential function that is used only for malicious nodes, thereby excluding this node from the central node’s community.
However, if the trust value of the node exceeds the threshold for well-behaved nodes, this node’s trust will be calculated based on a logarithmic function that is designed especially for honest nodes. The node will therefore be kept in the central node’s community, so that a node in TrE can identify a neighbor’s malicious behavior and malicious nodes are then excluded from the community.

Lemma 4: The TrE model guarantees the prevention of malicious nodes from participating in the community.

Proof: Based on the TrE model and secure multicast mechanism, the trust values of any individual node can be calculated based on the node’s past behavior, and the trust can be updated sensitively, rather than simply linearly. Thus, the central node can identify the malicious behavior of its neighbors by overhearing the neighbors’ behavior, and can thereby detect and exclude the malicious nodes based on their trust. The multicast mechanism using TrE can guarantee that malicious nodes will be prevented from participating in the community. For instance, the central node will not forward packets to its neighbors if they have lower trust than the established trust requirement. Because each community selects qualifying and trustworthy neighbors for forwarding routing information and data, any communication in the mobile healthcare environment would be secure, involving as few malicious nodes as possible, if any at all.

Lemma 5:

$c$  $\mathrm{Encryption}(PK_i)$, $c \xrightarrow{PK_i\{SK_i\}} n_i^C$;

$c$  $\mathrm{Encryption}(SK_i)$, $c \xrightarrow{SK_i\{MSG\}} n_i^C$;

Proof: In a community, the data exchanged between the central node $c$ and its neighbors $n_i^C$ is encrypted by their session keys $SK_i$; moreover, the distribution of session keys is protected by the destined nodes’ public keys $PK_i$. That is, the destined node $n_i^C$ can obtain the encrypted session keys $SK_i$ through its own private keys $PR_i$ by decrypting $PK_i\{SK_i\}$. At the same time, it also can obtain the encrypted message $SK_i\{MSG\}$ by using its corresponding session key $SK_i$. Thus, the entire procedure for data transmission is protected through a combination of public key and session key encryptions.

Theorem 2: In a community, each neighbor uses an independent session key to communicate with the central node, and avoids disclosing the same session key to other neighbors.

Proof: In a one-hop community C, the central node $c$ will assign an independent session key to each of its neighbors, so no nodes share the same session key in the same community. This prevents the data from being deciphered by other neighbors with the same session keys. When the central node $c$ wants to communicate with one of its neighbors $n_i^C$, it encrypts the communicated information $SK_i\{MSG\}$ using a session key $SK_i$, which is only issued between $c$ and the corresponding neighbor $n_i^C$. During the process of transmission, even if other neighbors $n_j^C$ can intercept the encrypted message, they still cannot decrypt the message encrypted by $SK_i$ since the corresponding session key $SK_i$ is restricted to this community. Therefore, the mechanism of one neighbor one session key can effectively prevent the data disclosure that occurs when the same session keys are shared with other nodes.

Lemma 6: Session and public keys are both independent and guarantee the necessary authentication between the central node and its neighbors.

Proof: During the process of community management, the public keys of the destined nodes can provide an effective authentication mechanism.
Since the central node $c$ in a community C maintains the public keys $PK_i$ of all neighbors $n_i^C$, it will use the corresponding public key of each neighboring node to encrypt the session keys $SK_i$ generated in the initial key-distribution phase. Next, the encrypted session keys $PK_i\{SK_i\}$ are sent along a unicast route to each corresponding node, and only the destined node $n_i^C$ will be able to decrypt the distributed message by using its own private key $PR_i$. Therefore, in a community, the session key and public key are both independent, and can thus guarantee the necessary authentication between the central node and its neighbors.

VII. FEASIBILITY SIMULATION AND EVALUATION

For this section, we carried out an extensive set of simulation experiments based on the Network Simulator ns-2 [29], in order to evaluate the performance of our system and to observe its behavior. The experimental environment was constructed within a rectangular area of 670m × 670m and was comprised of 30 nodes. These nodes moved around at a maximum speed of 5m/s, based on the random waypoint model where each node randomly chooses its initial position, moves at a speed distributed randomly between 0 and some maximum speed, and remains stationary for a given period of pause time [3], [7]. At the same time, we set up the pause time at 20 seconds before each node could move to its next destination, and we set the transmission range for each node at 250m without a fading effect. In addition, each experiment was run for 4000s of simulated time. TrE employs the standard DES algorithm for communication in a community, and the secret keys have a length of 64 bits. This is dependent on the computational capability and characteristics of the nodes within the mobile healthcare networks. During the simulation experiments described from this point onward, the trust systems that are used for comparison are all run under identical conditions. We have chosen the following performance metrics for evaluating our trust system:
• Trust Requirement: the extent of trustworthiness that the central node sets for its neighboring nodes when determining whether they can participate in communications;
• The Size of Community: the size of one community, including the central node and all of its neighbors;
• Malicious Nodes: the number of malicious nodes indicates the amount of malicious nodes that are included in the communicating process, while the percentage of malicious nodes refers to the proportion of malicious nodes that take part in communication within the entire community;
• Security Overhead: the ratio of the number of messages sent for updating all nodes’ trust values, to the total number of packets used for the formal communication among all nodes.

A. An Additive Increase and Multiplicative Decrease Trust Model

We compare TrE with currently accepted trust schemes in [5], [34], [39], where all nodes in a wireless environment are clustered into different groups based on their trust extents, and where their trust changes are evaluated based on an additive increase for a successful report and a multiplicative decrease for a failed report. We use the following functions to describe the trust within the interaction of nodes.

Cooperative behavior: Current Trust = Recent Trust + α;
Uncooperative behavior: Current Trust = β × Recent Trust,

where α and β are the respective scaling factors for successful behavior and unsuccessful behavior. In these traditional trust schemes, the nodes are managed based on the evaluation of trust values and are thereby classified into different groups; the values for differentiating these groups are empirically selected as 0.3 and 0.6. Thus, the present trust model, called the AIMD system, can realistically reflect basic trust schemes according to most of these trust systems.

B. A Comparison between the TrE and AIMD Models

Section VII.A introduced the traditional trust scheme called the AIMD system. Here, we compare the security and efficiency of TrE to the linear AIMD system.

Fig. 8. Trust requirement of TrE vs. AIMD.

Fig. 9. Percentage of malicious nodes of TrE vs. AIMD based on the size of community.

Figures 8 and 9 present comparisons of the factors affecting the percentages of malicious nodes in the TrE and AIMD systems. These graphs show that community size and trust requirement both affect the percentages of malicious nodes in different systems. In TrE, the percentage of malicious nodes indicates that fewer malicious nodes are included in the course of forwarding messages for the central node; this shows that taking the exact trust value as the trust requirement plays an important role in this regard. At the same time, it is very reasonable that TrE performs better than the linear AIMD system even though the variations for the malicious nodes reveal the same trends.

Figure 10 shows that TrE has a lower security overhead used for community management than that of the AIMD trust system based on the size of community. This is mainly because our TrE system does not classify all neighbors into different groups, and it only needs to communicate with individual neighbors each time. In the group-based AIMD system, by contrast, each node clusters all of its neighbors into three groups. This means that, if a neighbor changes its reputation value from one level to another, each group needs to be updated accordingly.

Figure 11 compares the security overhead spent on the TrE and AIMD systems, showing that TrE has an almost equivalent security overhead when compared to the linear AIMD system, as the security overhead increases slightly with the percentage of malicious nodes. It is understood that TrE will incur a somewhat higher cost since it adopts a more precise manner of managing the community, whereas the AIMD system classifies the nodes more roughly.

Fig. 10. Security overhead of TrE vs. AIMD based on community size.

Fig. 11. Security overhead of TrE vs. AIMD based on malicious nodes.
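The following added example (not code from the paper) implements the TrE update of equations (1)–(4) with the session rollover of Section V.A, the trust-gated neighbor selection with iterative lowering of the trust requirement, and the AIMD baseline of Section VII.A, using the numbers of the worked example in Section V.B. Assumptions: equation (2) is read as the logarithm of (1 + rt) to base ω; the lowering step, the α and β values and the trust tables of B, C and E are constructed; all function names are hypothetical.

```python
import math
from collections import deque

def time_factor(kappa, time_units, ra):
    """Eq. (1): omega = kappa**Time * ra, with discount factor 0 < kappa < 1."""
    if not 0.0 < kappa < 1.0:
        raise ValueError("kappa must lie strictly between 0 and 1")
    return (kappa ** time_units) * ra

def tre_update(rt, time_units, ra, kappa, lam):
    """Eqs. (2)-(4): the recent trust rt selects the shape of the update."""
    w = time_factor(kappa, time_units, ra)
    if rt > 0.5:
        # Eq. (2), read as log base omega of (1 + rt): an assumption of this
        # example. A logarithm base must be positive and different from 1.
        if w <= 0.0 or w == 1.0:
            raise ValueError("omega is not a usable logarithm base")
        return lam * math.log(1.0 + rt, w)
    if rt < 0.5:
        return lam * (0.5 + rt) ** w   # Eq. (3), exponential shape
    return lam * rt * w                # Eq. (4), linear shape (rt == 0.5)

def aimd_update(rt, cooperative, alpha, beta):
    """Section VII.A baseline: add alpha on success, multiply by beta on failure."""
    return rt + alpha if cooperative else beta * rt

def run_sessions(rt, sessions, time_units, ra, kappa, lam):
    """Session rollover: Time and ra start afresh and rt takes the last T."""
    history = [rt]
    for _ in range(sessions):
        rt = tre_update(rt, time_units, ra, kappa, lam)
        history.append(rt)
    return history

def select_neighbors(trust, requirement, step=0.1):
    """Return (qualified neighbours, requirement actually used). When nobody
    qualifies, the requirement is lowered by `step` (constructed value)."""
    if step <= 0:
        raise ValueError("step must be positive")
    tr = requirement
    while trust:
        chosen = sorted(n for n, t in trust.items() if t >= tr)
        if chosen:
            return chosen, tr
        tr = round(tr - step, 9)
    return [], requirement

def multicast(source, dest, tables, requirement):
    """Hop-by-hop delivery: each holder of the message repeats the selection
    over its own one-hop community. Returns the set of nodes that received it."""
    received, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        if node == dest:
            continue                   # the destination does not forward
        chosen, _ = select_neighbors(tables.get(node, {}), requirement)
        for nxt in chosen:
            if nxt != source and nxt not in received:
                received.add(nxt)
                queue.append(nxt)
    return received

# S's table is the one from the worked example; the others are constructed.
TABLES = {
    "S": {"A": 0.1, "B": 0.4, "C": 0.8, "E": 0.2},
    "B": {"S": 0.6, "D": 0.7, "E": 0.2},
    "C": {"S": 0.5, "D": 0.6, "E": 0.1},
    "E": {"S": 0.9, "D": 0.9},
}

if __name__ == "__main__":
    print("omega_B =", round(time_factor(0.7, 5, 5), 4))
    print("T_B     =", round(tre_update(0.4, 5, 5, 0.7, 0.5), 4))
    print("TrE, 4 sessions:", [round(t, 4) for t in run_sessions(0.4, 4, 5, 5, 0.7, 0.5)])
    print("AIMD, 1 success:", aimd_update(0.4, True, 0.05, 0.5))
    print("S selects      :", select_neighbors(TABLES["S"], 0.3))
    print("message reaches:", sorted(multicast("S", "D", TABLES, 0.3)))
```

With the worked example's parameters repeated every session, node B's trust keeps rising but stays in the exponential branch, while the low-trust neighbors A and E never receive the message.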


VIII. CONCLUSION

The introduction of mobile healthcare systems can greatly improve the benefits for patients and hospitals, by not only providing better quality of patient care, but by also reducing administrative and medical costs for both patients and hospitals. The topic of security has raised interesting research issues in wireless and pervasive healthcare networks. In this paper, we introduce the technique of trust evaluation without a centralized trust management authority and propose a novel trust evaluation model that can efficiently calculate the trustworthiness of mobile healthcare devices and dynamically manage medical nodes. Furthermore, we present a secure multicast mechanism based on our trust evaluation model, which offers flexible protection to dynamic and agile environments and improves the security of a pervasive and mobile healthcare system. The analysis of our experimental results clearly demonstrates that, compared to traditional schemes, such as the linear trust computation model or the group-based management system, our trust model can genuinely improve the security and reliability of the network while also reducing the complexity of the traditional trust schemes and thus improving efficiency. Therefore, our trust-based multicast strategy provides an excellent solution for guaranteeing secure and reliable communications in wireless and pervasive healthcare networks.

REFERENCES

[1] S.-D. Bao, Y.-T. Zhang, and L.-F. Shen, “Physiological Signal Based Entity Authentication for Body Area Sensor Networks and Mobile Healthcare Systems”, Proc. 27th Annual International Conference of Engineering in Medicine and Biology Society, pp. 2455–2458, 2005.
[2] E. Bones, P. Hasvold, E. Henriksen, and T. Strandenes, “Risk analysis of information security in a mobile instant messaging and presence system for healthcare”, International J. Medical Informatics, Vol. 76, pp. 677–687, 2007.
[3] A. Boukerche, “Performance Evaluation of Routing Protocols for Ad Hoc Wireless Networks”, ACM/Springer Mobile Networks and Applications, Vol. 9, pp. 333–342, 2004.
[4] A. Boukerche, Handbook of Algorithms for Wireless Networking and Mobile Computing, New York: CRC/Chapman Hall, 2005.
[5] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, “Performance evaluation of an anonymity providing protocol for wireless ad hoc networks”, Performance Evaluation, Vol. 63, pp. 1094–1109, 2006.
[6] A. Boukerche, and Y. Ren, “A trust-based security system for ubiquitous and pervasive computing environments”, Computer Communications, Vol. 31, pp. 4343–4351, 2008.
[7] J. Broch, D. A. Maltz, D. B. Johnson, Y. C. Hu, and J. Jetcheva, “A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols”, Proc. ACM/IEEE Annual International Conference on Mobile Computing and Networking, pp. 85–97, 1998.
[8] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication”, ACM T. Computer Systems, Vol. 8, pp. 18–36, 1990.
[9] R. Carruthers, and I. Nikolaidis, “Certain limitations of reputation-based schemes in mobile environments”, Proc. 8th ACM international symposium on modeling, analysis and simulation of wireless and mobile systems, pp. 2–11, 2005.
[10] R. Chakravorty, “A Programmable Service Architecture for Mobile Medical Care”, Proc. 4th Annual IEEE International Conference on Pervasive Computing and Communications, 2006.
[11] W.-Y. Chung, G. Walia, Y.-D. Lee, and R. Myllyla, “Design Issues and Implementation of Query-Driven Healthcare System Using Wireless Sensor Ad-hoc Network”, Proc. 4th International Workshop on Wearable and Implantable Body Sensor Networks (BSN), pp. 99–104, 2007.
[12] S. Dagtas, Y. Natchetoi, and H. Wu, “An Integrated Wireless Sensing and Mobile Processing Architecture for Assisted Living and Healthcare Applications”, Proc. 1st ACM international workshop on systems and networking support for healthcare and assisted living environments, pp. 70–72, 2007.
[13] C. M. Farquhar, E. W. Kofa, and J. R. Slutsky, “Clinicians’ attitudes to clinical practice guidelines: a systematic review”, Medical Journal of Australia, Vol. 177, pp. 502–506, 2002.
[14] P. Ganguly and P. Ray, “Telemedicine over enterprise-wide networks: a case study”, Proc. IEEE Global Telecommunications Conference (GLOBECOM), pp. 1297–1302, 1998.
[15] C. Glaros, and D. I. Fotiadis, “Wearable Devices in Healthcare”, Intelligent Paradigms for Healthcare Enterprises: Systems Thinking, Springer-Verlag, pp. 237–264, 2005.
[16] K. Hameed, “The application of mobile computing and technology to health care services”, Telematics and Informatics, Vol. 20, pp. 99–106, 2003.
[17] W. Jen, C. Chao, M. Hung, Y. Li, and Y. Chi, “Mobile information and communication in the hospital outpatient service”, International Journal of Medical Informatics, Vol. 76, pp. 565–574, 2007.
[18] C.-W. Jeong, D.-H. Kim, and S.-C. Joo, “Mobile Collaboration Framework for u-Healthcare Agent Services and Its Application Using PDAs”, Proc. 1st KES International Symposium on Agent and Multi-Agent Systems: Technologies and Applications, pp. 747–756, 2007.
[19] E. Kang, H. Y. Youn, and U. Kim, “Mining Based Decision Support Multi-agent System for Personalized e-Healthcare Service”, Proc. 2nd KES International Symposium on Agent and Multi-Agent Systems, pp. 733–742, 2008.
[20] J. Kim, A. R. Beresford, and F. Stajano, “Towards a Security Policy for Ubiquitous Healthcare Systems”, Proc. 1st International Conference on Ubiquitous Convergence Technology, pp. 263–272, 2006.
[21] S. Kirn, “Ubiquitous Healthcare: The OnkoNet Mobile Agents Architecture”, Proc. Workshop on Mobile Computing in Medicine, pp. 105–118, 2002.
[22] D. Konstantas, V. Jones, R. Bults, and R. Herzog, “Mobihealth innovative 2.5/3g mobile services and applications for healthcare”, Proc. 11th IST Mobile and Wireless Telecommunications Summit, 2002.
[23] S. Kroc, and V. Delic, “Personal Wireless Sensor Network for Mobile Health Care Monitoring”, Proc. 6th International Conference on Telecommunications in Modern Satellite, Cable and Broadcasting Service, pp. 471–474, 2003.
[24] E. Kyriacou, S. Pavlopoulos, A. Berler, Eds., “Multi-purpose HealthCare Telemedicine Systems with mobile communication link support”, BioMedical Engineering OnLine, Vol. 2, 2003.
[25] G. Li, R. Needham, and R. Yahalom, “Reasoning about Belief in Cryptographic Protocols”, Proc. IEEE Symposium on Security and Privacy, pp. 234–248, 1990.
[26] C. C. Lin, R. G. Lee, and C. C. Hsiao, “A pervasive health monitoring service system based on ubiquitous network technology”, International Journal of Medical Informatics, Vol. 77, pp. 461–469, 2008.
[27] M. Markovic, Z. Savic, and B. Kovacevic, Secure mobile health systems: principles and solutions, M-Health: Emerging Mobile Health Systems, Kluwer Academic Publishers, pp. 81–106, 2007.
[28] R. Marti, J. Delgado, and X. Perramon, “Network and Application Security in Mobile e-Health Applications”, Proc. International Conference on Networking Technologies for Broadband and Mobile Networks, pp. 995–1004, 2004.
[29] NS-2, Information Sciences Institute, University of Southern California, Available: http://www.isi.edu/nsnam/ns/.
[30] C. S. Pattichis, E. Kyriacou, S. Voskarides, Eds., “Wireless Telemedicine Systems: An Overview”, IEEE Antennas and Propagat. Mag., Vol. 44, pp. 143–153, 2002.
[31] C. E. Perkins and M. E. Royer, “Ad hoc on demand distance vector (AODV) routing”, IETF Internet Draft, 1997. Available: www.ietf.org.
[32] Y. Ren, and A. Boukerche, “Modeling and Managing the Trust for Wireless and Mobile Ad Hoc Networks”, Proc. IEEE International Conference on Communications, pp. 2129–2133, 2008.
[33] W. J. Song, M. K. Cho, I. S. Ha, and M. K. Choi, “Healthcare System Architecture, Economic Value, and Policy Models in Large-Scale Wireless Sensor Networks”, Proc. 25th International Conference on Computer Safety, Reliability, and Security, pp. 233–246, 2006.
[34] G. Theodorakopoulos, and J. S. Baras, “Trust Evaluation in Ad-Hoc Networks”, Proc. 3rd ACM workshop on wireless security, pp. 1–10, 2005.
[35] U. Varshney, Pervasive healthcare and wireless health monitoring, Mobile Networks and Applications, Kluwer Academic Publishers, Vol. 12, pp. 113–127, 2007.
[36] K. Wang, M. Wu, and S.
Shen, “A Trust Evaluation Method for Node Cooperation in Mobile Ad Hoc Networks”, Proc. 5th International Conference on Information Technology: New Generations, pp. 1000– 1005, 2008. [37] Wikipedia contributors, “Remote surgery”, Wikipedia, The Free Encyclopedia, July 2008. Available: http://en.wikipedia.org/. [38] J.-H. Wu, S.-C. Wang, and L.-M. Lin, “What Drives Mobile Health Care? An Empirical Evaluation of Technology Acceptance”, Proc. 38th Annual Hawaii International Conference on System Sciences (HICSS), pp. 143–153, 2005. [39] C. Zouridaki, B. L. Mark, M. Hejmo, Eds., “A quantitative trust establishment framework for reliable data packet delivery in MANETs”, Proc. 3rd ACM workshop on security of ad hoc and sensor networks, pp. 1–10, 2005.


Azzedine Boukerche is a Full Professor and holds a Canada Research Chair position at the University of Ottawa. He is the Founding Director of the PARADISE Research Laboratory at Ottawa. Prior to this, he held a Faculty position at the University of North Texas, U.S.A., and he worked as a Senior Scientist at the Simulation Sciences Division, Metron Corporation, located in San Diego. He was also employed as a Faculty member at the School of Computer Science, McGill University, and taught at Polytechnic of Montreal. He spent a year at the JPL/NASA-California Institute of Technology, where he contributed to a project centered on the specification and verification of the software used to control interplanetary spacecraft operated by JPL/NASA Laboratory. His current research interests include wireless ad hoc and sensor networks, wireless networks, mobile and pervasive computing, wireless multimedia, QoS service provisioning, performance evaluation and modeling of large-scale distributed systems, distributed computing, large-scale distributed interactive simulation, and parallel discrete-event simulation. Dr. Boukerche has published several research papers in these areas. He was the recipient of the Best Research Paper Award at IEEE/ACM PADS’97 and ACM MobiWac’06, the recipient of the 3rd National Award for Telecommunication Software 1999 for his work on a distributed security system on mobile phone operations, and has been nominated for the Best Paper Award at the IEEE/ACM PADS’99 and ACM MSWiM 2001. Dr. A. Boukerche is a holder of an Ontario Early Research Excellence Award (previously known as Premier of Ontario Research Excellence Award), Ontario Distinguished Researcher Award, and Glinski Research Excellence Award.
He is a Co-Founder of the QShine Int’l Conference on Quality of Service for Wireless/Wired Heterogeneous Networks (QShine 2004), served as a General Chair for the 8th ACM/IEEE Symposium on modeling, analysis and simulation of wireless and mobile systems, and the 9th ACM/IEEE Symposium on distributed simulation and real time application, a Program Chair for ACM Workshop on QoS and Security for Wireless and Mobile networks, ACM/IFIPS Europar 2002 Conference, IEEE/SCS Annual Simulation Symposium ANNS 2002, ACM WWW’02, IEEE MWCN 2002, IEEE/ACM MASCOTS 2002, IEEE Wireless Local Networks WLN 03-04, IEEE WMAN 04-05, ACM MSWiM 98-99, and TPC member of numerous IEEE and ACM sponsored conferences. He served as a Guest Editor for the Journal of Parallel and Distributed Computing (JPDC) (Special Issue for Routing for mobile Ad hoc, Special Issue for wireless communication and mobile computing, Special Issue for mobile ad hoc networking and computing), and ACM/Kluwer Wireless Networks and ACM/Kluwer Mobile Networks Applications, and the Journal of Wireless Communication and Mobile Computing. He serves as Vice General Chair for the 3rd IEEE Distributed Computing for Sensor Networks (DCOSS) Conference 2007, as Program Co-Chair for Globecom 2007 and 2008 Symposium on Wireless Ad Hoc and Sensor Networks, and a Finance Chair for ACM Multimedia 2008. Dr. A. Boukerche serves as an Associate Editor for ACM/Springer Wireless Networks, IEEE Wireless Communication Magazine, IEEE Transaction on Parallel and Distributed Systems, Wiley Int’l Journal of Wireless Communication and Mobile Computing, Wiley’s Security and Communication Network Journal, Wiley’s Pervasive and Mobile Computing Journal, the Elsevier’s Journal of Parallel and Distributed Computing, and the SCS Transactions on Simulation. He also serves as a Steering Committee Chair for the ACM Modeling, Analysis and Simulation for Wireless and Mobile Systems Symposium, the ACM Workshop on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks and the IEEE/ACM Distributed Simulation, and Real-Time Applications Symposium (DS-RT).

Yonglin Ren has finished his Master's degree in Computer Science at the University of New Brunswick (UNB) in Canada. Currently he is working toward his Ph.D. degree in computer science at the University of Ottawa. His main areas of interest include network security, wireless and mobile security, trust-based communication schemes, key management, and anonymity.