Trust-Based and Energy-Aware Incentive Routing Protocol for Multi-hop Wireless Networks

Transcription

1 Trust-Based and Energy-Aware Incentive Routing Protocol for Multi-hop Wireless Networks Mohamed Elsalih Mahmoud and Xuemin (Sherman) Shen Department of Electrical and Computer Engineering, University of Waterloo, Canada s: {mmabdels, Abstract Node cooperation in relaying others packets and route stability are essential for high-performance multi-hop wireless networks and reliable data transmission. In this paper, we propose a protocol called TETO for stimulating the nodes cooperation and establishing stable routes. TETO uses credits (or micropayment) to stimulate the nodes cooperation and processes the payment receipts to evaluate the nodes packet relay probabilities in terms of trust values. Stable routes are established through the highly trusted nodes having sufficient energy. Extensive analysis and simulations demonstrate that TETO can secure the payment and trust calculation and significantly improve route stability and thus the packet delivery ratio. Index Terms Security; selfish nodes; trust-based routing protocol. I. INTRODUCTION The mobile nodes of the multi-hop wireless networks (MWNs) usually relay others packets for enhancing the network deployment and performance [1]. However, due to involving autonomous devices in packet relay, the routing process suffers from new security challenges that endanger the practical implementation of the MWNs. The selfish nodes will not relay others packets without benefits, and the misbehaving nodes involve themselves in routes and drop the packets, which jeopardizes the routes stability and the network availability. For example, some nodes may drop the packets because they do not have sufficient energy; the malfunctioned nodes drop the packets due to faulty hardware or software; and in hostile environments, the attackers launch denial-of-service attacks by dropping the packets. Moreover, the nodes may possess different hardware capabilities in terms of CPU cycles and buffer size, and mobility level, and thus the high-hardware-resource nodes with low mobility level are more capable of performing packet relay. Route stability and node cooperation are essential for highperformance MWNs and reliable data transmission. Frequent route failures adversely affect the network performance in terms of throughput and delay [2]. The presence of even a small number of misbehaving nodes could result in repeatedly broken routes. Hence, in order to enhance the route stability, it is essential to establish the routes through the nodes having sufficient energy and high packet-relay probability. Reputation and credit based mechanisms [2-7] have been proposed to force and stimulate the nodes cooperation, respectively. For reputation-based mechanisms [2-4], each node usually monitors the transmissions of its neighbors to measure how frequency they drop the packets in terms of reputation values. A node s reputation is increased when it relays a packet, but the reputation is decreased when the node drops a packet. Once a node s reputation degrades to a threshold, the node is identified as uncooperative and punished. However, the reputation-based mechanisms force the nodes to relay others packets without any benefits and cannot achieve fairness, e.g., although the nodes situated at the network center relay much more packets than those at the periphery, they are not compensated. For credit-based mechanisms [5-7], packet relay is a service not an obligation. The source and destination nodes pay credits (or micropayment) to the intermediate nodes to relay their packets. In addition to cooperation stimulation, these mechanisms can achieve fairness by rewarding credits to the nodes that relay more packets. However, cooperation stimulation alone is not sufficient for route stability that requires selecting the trusted nodes having sufficient energy. In this paper, we propose TETO, a Trust-based and Energy-aware routing and incentive protocol, for MWNs. TETO uses credits to stimulate the nodes cooperation and processes the payment receipts to evaluate the probability of packet relay in terms of trust value. A node s trust value is decreased whenever it is accused of packet drop, and increased whenever it relays a packet. TETO establishes routes through the highly trusted nodes having sufficient energy, which can minimize the probability of packet drop and session breakage. In this way, TETO stimulates the nodes not only to cooperate but also to provide high packet-relay quality and tell the truth about their residual energy to raise their chances to be selected in future routes. Our analysis and simulations demonstrate that TETO can secure the payment and trust calculation and significantly improve the packet delivery ratio due to making informed decisions regarding route selection. The main contribution of the paper is three-fold: (1) This is the first incentive protocol that can evaluate the nodes packet-relay probability and proposes a trust system to quantify this probability; (2) TETO is the first protocol that can stimulate the nodes cooperation and make informed routing decisions based on the nodes past behavior and residual energy; and (3) The proposed protocol stimulates the nodes not only to cooperate but also to provide high packetrelay ratio and tell the truth about their energy. The remainder of this paper is organized as follows. Section II reviews the related work. Section III gives the network and threat models. Section IV proposes TETO. Security and performance evaluations are given in Sections V and VI, respectively, followed by conclusion in Section VII. II. RELATED WORK A. Reputation-Based Mechanisms The proposed mechanism in [2] establishes routes that avoid the uncooperative nodes without punishing them, which /11/$ IEEE

2 imposes extra load on the cooperative nodes without any benefits. In [3], each node counts the packets relayed both by and for a neighboring node and the ratio of these counts is combined with reports from other nodes to calculate the node s reputation. However, the nodes that are less frequently selected, such as those at the network perimeter, have falsely bad reputation. DRIPO [4] identifies the broken links from the payment receipts, and the nodes that are frequently involved in broken links are identified as malicious and evicted. Nevertheless, determining a good threshold to differentiate between the malicious and the honest nodes is not easy. B. Credit-Based Mechanisms In credit-based mechanisms, the nodes usually submit receipts (proofs of packet relay) to a central unit called trusted party (TP) to claim the payment. In [5], the source node signs the identities of the route s nodes and appends the signature to each message. Unlike Sprite that charges only the source node, PIS [6] charges both the source and destination nodes when both of them benefit from the communication. In [7], each node submits a report containing its alleged charges and rewards. The truthful reports are cleared with almost no processing overhead, and lightweight statistical methods are used to identify the cheating nodes that submit incorrect reports. destination, and the nodes in the route compose payment receipts. In Credit-Account and Trust Update phases, the TP updates the nodes credit account and trust values, respectively. Finally, in Route Establishment phase, TETO establishes routes through the highly trusted nodes having sufficient energy. Certificates with updated trust values The network nodes Route Establishment The trusted party Trust Update Data Transmission Credit-Account Update Fig. 1: The architecture of TETO. Payment receipts III. SYSTEM MODELS A. Network Model The considered MWN has mobile nodes, the TP, and base stations in some networks. The source nodes messages may be relayed in several hops by the intermediate nodes to the destination nodes. The TP generates public/private key pair and certificate for each node to participate in the network. Each node contacts the TP periodically to submit the receipts and renew its certificate. This connection can occur via the base stations, Wi-Fi hotspots, or the Internet. Once the TP receives the receipts, it updates the nodes credit accounts and trust values. A node s certificate has short lifetime, e.g., two weeks, and contains the node s trust value. For the payment model, the source and destination nodes are charged for every transmitted message even if it does not reach the destination, but the intermediate nodes are rewarded only for the delivered messages. B. Threat and Trust Models The mobile nodes and the base stations are probable attackers, but the TP is fully secure. The attackers aim to communicate freely and steal credits. They also may launch trust-boost attacks to augment their trust illegally and false-accusation attacks to defame the honest nodes trust. The attackers may also launch denial-of-service attacks by dropping the packets. Our objective is to protect the payment against singular and colluding attackers, and protect the trust calculation against singular attackers and make collusion attacks difficult, expensive, and less effective. Thwarting collusion attacks has been extensively studied in Web-related trust systems [8]. These solutions can be implemented more effectively in TETO because it is difficult to obtain multiple identities compared to Web applications. For the trust models, the nodes fully trust the TP to perform billing and trust calculation, but the TP does not trust any node. IV. THE PROPOSED TETO Fig. 1 shows that TETO has four main phases. In Data Transmission phase, the source node transmits messages to the Fig. 2: The exchanged security tags in a session. Fig. 3: The format of a session receipt. A. Data Transmission As shown in Fig. 2, the source node (S) sends its signature Sig S (R, TS, C, H(M C )) in the Cth data packet in the session. The signature contains the identities of the nodes in the route (e.g., R = ID S, ID W, ID X, ID Y, ID Z, ID D in Fig. 2), the message s hash value (H(M C )), the message s number (C), and time stamp (TS). This signature can ensure the message s authenticity and integrity. Signing H(M C ) instead of M C can reduce the receipt size because the smaller-size H(M C ) is attached to the receipt. Each intermediate node verifies the source node s signature. The destination node (D) generates a hash chain by iteratively hashing a random value h S S times to produce the hash chain root or h 0, where h i-1 = H(h i ) and 1 i S. From Fig. 2, after receiving the Cth data packet, the destination node sends back ACK packet containing the pre-image of the last hash value (h C ) as a proof for receiving C messages. The nodes save the last hash value and signature for the receipt composition. Each node in the session composes and submits a receipt to the TP. From Fig. 3, a session receipt contains the identities of the payers and payees (R), TS, C, H(M C ), h 0, h C, the messages number that the intermediate nodes committed to relay (C m ), and undeniable security token for preventing payment manipulation. The security token contains the hash value of the last source node s signature and the authentication code (Auth_Code) that authenticates the hash chain and the intermediate nodes to hold them accountable for packet drop. Attach-

3 ing the hash value instead of the signatures reduces the receipt size significantly. In Route Establishment phase, we will discuss how the Auth_Code and C m are computed. B. Credit-Account Update Once the TP receives a receipt, it first checks if the receipt has been deposited before using its unique identifier (R, TS). Then, the TP verifies the receipt s credibility by generating the nodes signatures and hashing them. A receipt is credible if the resultant hash value is identical to the receipt s security token. The TP verifies the destination node s hash chain by hashing h C C times to produce h 0. Finally, the TP clears the receipt according to the payment model discussed in Section III-A. C. Trust Update The TP considers that a node relayed a message if there is a successor in the route reports receiving the message, i.e., the possession of Sig S (R, TS, C, H(M C )) by node W entails that all the nodes before W in the route indeed relayed C messages. For example, in Fig. 4(a), node W received C messages because its receipt contains a signature for C messages, and it relayed all of them because the receipt of X is for C messages. The link between X and Y is broken because X and Y submit receipts for C and C-1 messages. The TP cannot accuse only X of dropping the packet because Y may drop the packet and submit Sig S (R, TS, C-1, H(M C-1 )) instead of Sig S (R, TS, C, H(M C )) to circumvent the TP. The rationale here is that the nodes that drop the packets more frequently will be accused more and thus suffer from more trust degradation. Moreover, an honest node can protect its trust value by not involving itself in sessions with a neighbor that frequently drops the packets. The neighbors of the malicious nodes change due to the nodes mobility and thus the accusations are distributed instead of focusing them on few nodes. Fig. 4(a) shows that Z received C-1 messages and relayed all of them because the receipt of D is for C-1 messages. The ACK packets are also analyzed by the same way, e.g., in Fig, 4(b), the session was broken by Y or X during relaying the Cth ACK packet because they submit h C and h C-1, respectively. T A a. A broken session during relaying the Cth data packet. b. A broken session during relaying the Cth ACK packet. Fig. 4: Evaluating the nodes trust values. of relayed messages in the last ω sessions of received messages in the last ω sessions The notion of trust used in this paper is defined as the probability that a node relays a packet. T(A) refers to the trust value of node A, which is represented with a number in the range [0, +1] signifying a continuous range from complete distrust (0) to complete trust (+1). From Eq. 1, T(A) is the number of relayed messages to the number of received messages by A in the last ω sessions. If A drops a large ratio of the packets, e.g., due to malicious action or high mobility, T (A) will be very low. The trust value is calculated only for the last ω sessions, e.g., 100 to sessions, because recent steady behavior is a better predictor for future behavior than behavior observed a long time ago. Route reliability can be computed using the nodes trust values to get probabilistic information about the route stability, which can be used in route selection. Eq. 2 gives the probability that a packet can be transferred through a route with nodes W, X, Y, and Z. Comparing the reliabilities of routes 1 and 2 in Table 1, the low-trust node, such as X in route 2, has very little chance to be involved in a session because it significantly degrades the route reliability. Although the nodes trust values of route 3 are the same as those of route 1, route 3 has higher reliability, which demonstrates that the shortest routes are preferable. The probability that a packet is transferred through route 4 is close to zero because the nodes have very low trust values, which demonstrates the importance of choosing good nodes. T WXYZ T W T X T Y T Z Table 1: Numerical examples for route reliability. Route T(W) T(X) T(Y) T(Z) T(WXYZ) D. Route Establishment In this section, we propose two routing protocols called the Shortest Reliable Route (SRR) and the Best Available Route (BAR). The SRR protocol establishes the shortest route that meets the source node s requirements, but the destination node selects the best route in the BAR protocol. 1) The SRR Routing Protocol RREQ Delivery: To establish a route to the destination node D, the source node S broadcasts the Route Request Packet (RREQ) that contains the identities of the source (ID S ) and the destination (ID D ) nodes, time stamp (TS), the Time-To-Live (TTL) or the maximum number of intermediate nodes, and the trust and energy requirements. The trust requirement is the minimum trust value an intermediate node can have, and the energy requirement (C m ) is the minimum number of messages an intermediate node commits to relay in the session, which is related to the node s energy. If a node breaks the route before relaying C m messages, the node s trust value is decreased. The route reliability is bounded by the minimum trust value raised to the TTL-th power. A node broadcasts the packet after attaching its identity if it can meet the source node s requirements and TS is within a proper range. Only the first RREQ is broadcasted and the subsequent requests for the same session are discarded. The source node s requirements cannot be achieved if it does not receive the Route Reply Packet (RREP) within τ S time period. The source node can send a second round of RREQ after reducing its requirements, or revert to the BAR protocol. The rationale of the SRR protocol is that the node that satisfies the requirements is trusted enough to act as a relay. Route Selection: The first received RREQ packet is the shortest route that achieves the source node s requirements. The destination node composes the RREP packet for the first received RREQ packet and sends it back to the source node. RREP Delivery: The RREP packet contains R, h 0, and the destination node s signature Sig D (R, TS, h 0, C m ) and certificate. This signature authenticates the hash chain and links it to the 2

4 session, and proves the destination node s approval to pay for the session, which is impotent to secure the payment. Each intermediate node signs the RREP packet s signature to authenticate itself and relays the packet after attaching its certificate. It also verifies the RREP packet s signatures to authenticate the nodes between itself and the destination node, and saves h 0 for the receipt composition. The source node receives the RREP packet containing the nodes authentication code (Auth_Code), e.g., Auth_Code = Sig W (Sig X (Sig Y (Sig Z (Sig D (R, TS, h 0, C m ))))) for the session shown in Fig. 2. This signature chain authenticates the nodes with less packet space than attaching separate signatures. This authentication process is important to make sure that the nodes are indeed participated in the session, and thus hold them accountable for the packet drop. The source node verifies the Auth_Code and the nodes certificates to make sure that the nodes meet its trust requirements. If a node lies in its residual energy, the route will be broken at this node and thus its trust value degrades. In the first data packet, the source node attaches the Auth_Code to enable the nodes to authenticate the previous nodes in the route. For example, in Fig. 2, node X authenticates D, Z, and Y from their signatures in the RREP packet and authenticates W from the Auth_Code. This signature verification process is necessary to make sure that the Auth_Code is correct and thus to ensure the receipt integrity to protect the payment. Fig. 5: Broadcasting the RREQ packets in the BAR routing protocol. 2) The BAR Routing Protocol RREQ Delivery: The RREQ packet contains ID S, ID D, TS, TTL, the route reliability field (R_reliability) that is initialized to one, and the expected number of transmitted messages (C m (S)). For the first received RREQ packet, an intermediate node A attaches its identity ID A and the number of messages it commits to relay (C m (A)), and updates R_reliability by multiplying it with its trust value. The route lifetime (R_lifetime or C m in Fig. 3) is the minimum number of messages the intermediate nodes commit to relay. Blind flooding generates few routes because each node broadcasts the RREQ once, which disables potential better routes. To solve this issue, BAR allows each node to broadcast the RREQ more than once if the R_reliability or the R_lifetime of the recently received packet is greater than those of the last broadcasted packet. For example, in Fig. 5, node M receives the first RREQ at time t 1 with R_reliability T(AB) of 0.3. At t 2, M broadcasts the packet after updating the R_reliability to be T(ABM), where T(ABM) = T(AB) T(M). At t 3, M receives the second RREQ packet for the same session with R_reliability of T(NFK) which is less than T(AB), so it discards the RREQ packet. At t 4, M receives RREQ packet with R_reliability of T(XYZW) which is larger than that of the last broadcasted packet, so it broadcasts the packet at t 5 after updating the R_reliability. Route Selection: After receiving the first RREQ packet, the destination node waits for τ D time window and keeps receiving other RREQ packets if there are, and then selects the best available route. First, the destination node excludes the routes with very low reliability. If there are multiple routes with lifetimes at least C m (S), the destination node selects the most reliable route, otherwise, the destination node establishes multiple routes with a total lifetime of C m (S) or more in such a way that reduces the routes number and maximizes the reliability. RREP Delivery: This phase is identical to that of the SRR routing protocol. V. SECURITY ANALYSIS The objectives of implementing trust in route selection are as follows: (1) To foster trust among the nodes by making knowledge about the nodes past behaviors available; (2) To encourage the nodes to provide high packet-relay success ratio and tell the truth about their residual energy by giving more preference to the highly trusted nodes in route selection; and (3) To punish the nodes that have low packet-relay success ratio because any loss of trust means loss of potential earnings. Unlike the reputation-based mechanisms that have to determine a good threshold to differentiate between the malicious and the honest nodes, with TETO, once a node s trust values fall behind those of the majority of the nodes, the node almost does not participate in the routing without the need for deciding good thresholds. The reputation-based mechanisms may not have sufficient time to judge a node s real behavior as the period of interaction with any node may be brief due to the node mobility, but TETO can monitor the nodes behaviors over long time and different sessions. Singular attackers cannot launch trust boost attacks in TETO. Credit clearance fee can be imposed to clear the payment to make fabricating sessions by colluding nodes to boost their trust expensive. For false accusation attack, the attacker has to neighbor the victim node and drop the packets intentionally to let the TP accuse its neighbor. First, neighboring a node is not easy due to the node mobility. Second, the attacker is also accused of dropping the packet, which may discourage the attack. Third, frequently launching the attack reduces its effectiveness because the attacker will be less frequently selected in routes due to its low trust. Finally, falsely accusing a node does not guarantee that this accusation will be effective because the node can improve its trust from other sessions. In free riding attack, two colluding intermediate nodes on a legitimate session manipulate the packets to add their data to communicate freely. Since the packets integrity is verified at each node, the intermediate nodes can thwart the attack by dropping the manipulated packets. The attackers may record valid packets and replay them to establish sessions under the names of others to communicate freely. A time stamp is used to thwart packet-replay attack. For receipt-manipulation-andforgery attack, the attackers try to manipulate valid receipts or forge receipts to steal credits. These attacks are not possible with using secure hash function and signature scheme because it is not possible to compute h i from h i-1 and forge the nodes signatures. Our payment model encourages node cooperation and discourages cheating actions. If the end nodes are charged only for the delivered messages, the destination node may claim that the route was broken in order not to pay. If the intermediate nodes are rewarded for relaying the undelivered messages, the colluding intermediate nodes can steal credits with consuming low resources by relaying only the security tag but not the message.

5 Fig. 6: The packet delivery ratio VS n L. Fig. 7: The number of broadcasts VS n L. Fig. 8: The network connectivity VS n L. VI. PERFORMANCE EVALUATION In our simulation, 70 nodes with 125 m transmission range are randomly deployed in 1000 m by 1000 m. n L is the number of nodes providing low packet-relay-success ratio with trust values uniformly distributed in [0.6, 0.995), but 70-n L is the number of nodes providing high packet-relay-success ratio with trust values of All the nodes start the simulation with initial energy that is sufficient for relaying 100 messages. The given results are averaged over 30 simulation runs. In each run, 300 communication sessions with randomly chosen source and destination pairs are established. The route is re-established if it is broken before sending 15 messages. The TTL is 10, and the source node s energy and trust requirements in the SRR protocol are 5 and 0.88, respectively. We do not simulate node mobility because it is already included in the trust values, i.e., if T(A) is 0.6, that means that node A drops the messages with the probability of 0.4. As we intend to study the effect of the node selection on the network performance but not the communication interface, our simulation is written in Matlab instead of NS2. The packet delivery ratio (PDR) is the number of messages received by the destination nodes to the number of messages sent by the source nodes. The PDR is a good measurement for route stability. From Fig. 6, TETO outperforms the dynamic source routing (DSR) protocol because unlike the DSR that randomly chooses the nodes, TETO makes informed routing decisions. Thus, TETO can establish more stable routes compared to the DSR. We can see that the increase of n L raises the chance of involving nodes with low trust values in routes in the DSR, but TETO can avoid these nodes and select the highly trusted nodes. Fig. 7 shows that the numbers of broadcasts in the DSR and the BAR do not depend on n L, but the increase of n L decreases the broadcasts number in the SRR because more nodes cannot satisfy the source nodes trust requirement. The BAR requires more broadcasts than the DSR because some nodes may broadcast the RREQ more than once in the BAR. In Fig. 8, the network connectivity is the number of connected routes to the total number of route establishment trials. We can see that the network connectivity in the DSR and BAR do not depend on the n L, but the increase of n L decreases the network connectivity in the SRR because more nodes cannot satisfy the source node s requirements and thus more routes cannot be established. The SRR protocol may not establish a route if the source node s requirements are not adequately decided. In order to increase the probability of establishing a route in SRR, the source node can periodically tune its requirements by learning from its past trials. VII. CONCLUSION In this paper, we have proposed TETO, a trust-based and energy-aware routing and incentive protocol for MWNs. Our protocol can make intelligent routing decisions based on the nodes past behavior and residual energy. It stimulates the nodes not only to cooperate but also to provide high packetrelay-success ratio. The simulation results demonstrate that our protocol can establish stable routes due to directing the traffic through the highly trusted nodes having sufficient energy, which can significantly improve the packet delivery ratio. Acknowledgement This work has been partially supported by a research grant from the Natural Science and Engineering Research Council (NSERC) of Canada. REFERENCES [1] G. Shen, J. Liu, D. Wang, J. Wang, and S. Jin, Multi-hop relay for next-generation wireless access networks, Bell Labs Technical Journal, vol. 13, no. 4, pp , [2] S. Marti, T. Giuli, K. Lai, and M. Baker, Mitigating routing misbehavior in mobile ad hoc networks, Proc. of IEEE/ACM MobiCom 00, pp , Boston, MA, August 6-11, [3] S. Bansal and M. Baker, Observation-based cooperation enforcement in ad-hoc networks, Techical Report, Computer Science Department, Stanford University, CA, USA, July [4] M. Mahmoud and X. Shen, Credit-based mechanism protecting multihop wireless networks from rational and irrational packet drop, Proc. IEEE Globecom, Miami, Florida, USA, December 6-10, [5] S. Zhong, J. Chen, and R. Yang, Sprite: A simple, cheat-proof, credit based system for mobile ad-hoc networks, Proc. of IEEE INFOCOM, vol. 3, pp , San Francisco, CA, March 30- April 3, [6] M. Mahmoud and X. Shen, PIS: A practical incentive system for multihop wireless networks, IEEE Transactions on Vehicular Technology, in press, [7] M. Mahmoud and X. Shen, Stimulating cooperation in multi-hop wireless networks using cheating detection system, Proc. of IEEE INFOCOM, pp , San Diego, CA, March 14 19, [8] A. Withby, A. Jøsang, and J. Indulska, Filtering out unfair ratings in bayesian reputation systems, The Icfain Journal of Management Research, vol. 4, no. 2, pp , 2005.