A Novel Trust-Aware Geographical Routing Scheme for Wireless Sensor Networks

Transcription

1 A Novel Trust-Aware Geographical Routing Scheme for Wireless Sensor Networks Theodore Zahariadis, Panagiotis Trakadas, Helen C. Leligou, Sotiris Maniatis & Panagiotis Karkazis Wireless Personal Communications An International Journal ISSN Wireless Pers Commun DOI 1.17/s

2 Your article is protected by copyright and all rights are held exclusively by Springer Science+Business Media, LLC.. This e-offprint is for personal use only and shall not be selfarchived in electronic repositories. If you wish to self-archive your work, please use the accepted author s version for posting to your own website or your institution s repository. You may further deposit the accepted author s version on a funder s repository at a funder s request, provided it is not made publicly available until 12 months after publication. 1 23

3 Wireless Pers Commun DOI 1.17/s A Novel Trust-Aware Geographical Routing Scheme for Wireless Sensor Networks Theodore Zahariadis Panagiotis Trakadas Helen C. Leligou Sotiris Maniatis Panagiotis Karkazis Springer Science+Business Media, LLC. 212 Abstract Wireless sensor networks are vulnerable to a wide set of security attacks, including those targeting the routing protocol functionality. The applicability of legacy security solutions is disputable (if not infeasible), due to severe restrictions in node and network resources. Although confidentiality, integrity and authentication measures assist in preventing specific types of attacks, they come at high cost and, in most cases, cannot shield against routing attacks. To face this problem, we propose a secure routing protocol which adopts the geographical routing principle to cope with the network dimensions, and relies on a distributed trust model for the detection and avoidance of malicious neighbours. A novel function which adaptively weights location, trust and energy information drives the routing decisions, allowing for shifting emphasis from security to path optimality. The proposed trust model relies on both direct and indirect observations to derive the trustworthiness of each neighboring node, while it is capable of defending against an increased set of routing attacks including attacks targeting the indirect trust management scheme. Extensive simulation results reveal the advantages of the proposed model. T. Zahariadis H. C. Leligou (B) Department of Electrical Engineering, Technological Educational Institute of Chalkis, Psahna 344, Greece leligou@teihal.gr T. Zahariadis zahariad@teihal.gr P. Trakadas S. Maniatis Hellenic Authority for Communications Security and Privacy (ADAE), Ierou Lochou 3, Amaroussio, Athens, Greece trakadasp@adae.gr S. Maniatis s.maniatis@adae.gr P. Karkazis Department of Electronic & Computer Engineering, Technical University of Crete, Chania, Greece pkarkazis@isc.tuc.gr

4 T. Zahariadis et al. Keywords Wireless sensor networks Security Routing attacks Secure routing Trust model 1 Introduction Wireless sensor networks (WSNs) offer efficient, low-cost solutions for a great variety of application domains including military fields, healthcare, homeland security, industry control, intelligent green aircrafts and traffic control in smart roads [1]. Although networking and security technologies are in a mature stage, the limited sensor node resources in terms of memory space, processing power and energy availability, constrain the complexity of the security mechanisms that can be implemented, dictating the need for new protocol approaches design. Due to their distributed nature, WSNs are vulnerable to various attacks [2], including attacks targeting the disruption of the routing procedure [3 5] which is accomplished in a cooperative way. Malicious nodes may attack confidentiality, integrity and availability measures of their neighbors realizing routing attacks, a list of which is presented in Table 1. To detect and combat malicious behaviours, a trust-management approach borrowed from human societies has been proposed in the literature: nodes monitor the behavior of their neigh- Table 1 Routing attacks Attack type Selfish behaviour (black-hole, grey-hole) Sinkhole attack Replay attack Link spoofing attack Modification attack Sybil attack Colluding nodes attack Traffic analysis Flooding attack Bad mouthing attack On-off attack Conflicting behavior attack Attacker behaviour A malicious node denies to perform benign routing and drops part or all the received packets A malicious node tries to attract traffic advertising fake routing information, and then it does not forward it The original routing messages are repeated at a later time, thus deceiving the routing functionality An adversary can spoof link layer acknowledgement for overheard packets to convince the sender that the packet has been forwarded successfully An adversary modifies the data and/or routing packets it forwards An attacker presents multiple identities Many powerful attackers work in collusion to modify or drop routing packets A malicious node monitors the traffic flows in order to identify, locate and attack the critical nodes (typically the base station) The attacker overwhelms a victim s limited resources, (e.g. memory) flooding the network with packets, which could be either data or routing packets. As long as recommendations are taken into consideration, malicious parties provide dishonest recommendations to frame up good parties and/or boost trust values of malicious peers Malicious entities behave well and badly alternatively, hoping that they can remain undetected while causing damage An attacker behaves inconsistently in the user domain and impair good nodes recommendation trust by performing differently to different peers

5 A Novel Trust-Aware Geographical Routing Scheme bors in order to evaluate their trustworthiness, which is then taken into account during routing decision making [6]. The trust evaluation can be based on direct interactions as well as on reputations provided by other neighbors. Reputation exchange can be beneficial for newly activated or mobile nodes, which can thus obtain (indirect) trust information for their neighbors, before they attempt direct interactions. Although ways to attack the reputation protocol have been described in the literature, countermeasures have also been specified in [5]. The trust knowledge can be exploited by benevolent nodes to avoid cooperation with malicious nodes to accomplish higher layer functionality such as routing (see e.g. [6]), data aggregation [7], cluster head election [8] and, more surprisingly, key distribution [9]. Although efficient trust models (e.g. [1 12]) as well as secure routing solutions (e.g. [13 16]) have been proposed in the literature, an easy-to-implement secure routing solution is missing. To facilitate cheap network deployment and maintenance, the algorithmic complexity needs to be of prime consideration during the design phase of such a routing scheme. In this paper, we present a novel, readily deployable trust- and energy-aware routing protocol. First, a geographical routing approach is adopted to efficiently cope with large network dimensions. Second, a distributed trust management system incorporating direct and indirect trust information is used to detect and avoid malicious nodes performing routing attacks as well as attacks threatening the reputation exchange process (e.g. bad-mouthing and conflicting behaviour attacks). Last but not least, energy-awareness is relied upon to extend the network lifetime. In the proposed scheme, routing decisions are based on a weighted routing cost function which incorporates trust, energy and location attributes. This novel ambient trust sensor routing (ATSR) solution has been carefully designed to limit the overhead introduced by the adoption of a reputation mechanism while it has been kept as simple as possible to allow for low cost implementation in resource constrained sensor nodes. In the rest of the paper, we first discuss the related work in Sect. 2, while in Sect. 3 our innovative secure routing protocol is detailed. Its performance is thoroughly evaluated in Sect. 4, while in Sect. 5 the implementation-related issues and experience from the real test-bed experiments are discussed. Finally, conclusions are drawn in Sect Related Work-Trusted Routing Solutions for Sensor Networks To shield a WSN against routing attacks, the realisation of a trust management system has been pursued. In this paper, trust is defined as the confidence of a node i that node j will perform as expected, i.e. on the node s j cooperation for the accomplishment of a specific action. The architecture under consideration is shown in Fig. 1, where multiple sensor nodes exist and send the sensed values to the Aggregator Nodes. Fig. 1 Aggregator Node collects data from the sensor nodes i Aggregator Node l j k m

6 T. Zahariadis et al. The methods for obtaining trust information and defining each node s trustworthiness are referred to as trust models, and can be classified according to a number of design options [1]. Depending on the distribution of the trust establishment functionality, the trust models can be distinguished in centralized [17], hierarchical [7] or fully distributed [6]. Trust is evaluated upon a number of event types that can be recorded and analyzed. Each event type (corresponding to a trust metric) allows the assessment of a specific node behavior aspect and consequently the detection of a specific attack type. For example, each node i can assess the forwarding behavior of its neighbor j by comparing the successfully forwarded packets to the total number of packets that i sent to j. A systematic failure reveals a malicious node, denying its routing tasks. The monitored behavior aspects proposed in the literature range from the sincere cooperation in forwarding [6] to location verification [16] and monitoring of the application level consistency of the reported data [7]. Analyzing the collected measurements, either a trust value can be derived (in many cases a ratio of successful over failed events), or distinct trust levels can be distinguished. To improve the reliability of the trust information and efficiently support mobility, reputation exchange schemes have been proposed (e.g. [11,14]). These schemes however increase the resource consumption while attacks targeting the reputation protocol itself have already been identified: for example, by spreading wrong information or behaving differently towards different neighbors, the reputation exchange protocol can be deceived [5]. Although equally interesting theoretical trust models based on the observation that trust evidence may be uncertain are provided in [17,1] and [14], their practical implementation in current sensor nodes is doubtful. An interesting solution which integrates location identification functionality with a trust building system based on both direct and indirect trust information has been proposed in [18], where the trust and reputation are modeled in a probabilistic way. Focusing on location-based routing protocols, interesting trust-based enhancements have been proposed in [15,16] and[19]. In all these approaches, a trust management system based on direct evidence is implemented while a reputation exchange mechanism has been introduced in [16] as an optional choice (without any rigorous specification of the relevant protocol). In this work, multipath routing is suggested, sacrificing node and network resources for the transmission of multiple copies of each packet, to increase the probability of reaching the destination. The implementation of location verification techniques is recommended for the detection of Sybil attacks. In [19], an interesting approach for extending the network lifetime is proposed, which however consumes significant node resources, since it requires the derivation of the coverage area of each neighbor based on Beacon messages and on exchanging the neighbor lists. In the same work, the packets travel through nodes exceeding a trust threshold. This choice introduces the need for selecting an application-dependent trust threshold and can result in limited connectivity in case nodes fulfilling this condition do not exist. Finally, the authors of [16] have investigated and proposed measures for detecting and defending against flooding attacks at the cost of implementing a rate-shaper on each sensor node which is a costly solution. The security features of these three approaches are summarized in Table 2 where the features of the proposed ATSR solution are also included. ATSR protocol is the first to incorporate a reputation scheme in a location-based algorithm, taking at the same time security measures to defend against the trust model vulnerabilities. Targeting a lightweight protocol that can be implemented in current motes (MICAz, IRIS), in ATSR, energy awareness is built based on information directly obtained from the neighbours while no tool for flooding attack protection is currently implemented. As regards location verification, distance measurement algorithms based either on the Received Signal Strength or the time of arrival (ToA) can be implemented at low cost. Alternatively, geographical routing based on virtual node coordi-

7 A Novel Trust-Aware Geographical Routing Scheme Table 2 The security features of trust-aware location-based routing solutions Trusted routing approach Trusted GPSR (Pirzada [15]) Resilient GR (Kang [16]) Trust-based GR (Hung [19]) ATSR Forwarding attack detection Integrity attacks detection Trust model attacks detection Lifetime consideration Location verification Detection of flooding attack nates calculated by the nodes themselves is also possible [2] obviating the need for further verifications. We also believe that the defense against flooding attacks should be charged to a set of (selected) more powerful nodes in the network, to avoid exhausting the scarce sensor resources. 3 The ATSR Protocol Design Designing a routing protocol which is capable of defending against the attacks identified in the literature is a really challenging task. The reason is that despite the scientists effort to define countermeasures for each attack and build resilient trust-aware routing schemes, their implementation seems unaffordable due to the severely constrained node resources. In this work, our main objective is to design a scalable routing protocol of low-complexity, suitable for large wireless sensor nodes, which makes use of a distributed trust model to avoid malicious nodes issuing routing and trust model related attacks. To efficiently deal with the network dimensions and support node mobility, we adopt a geographical routing approach following which routing is performed on a hop-by-hop basis relying on localized interactions for obtaining routing information, avoiding both the complexity introduced by path calculations and the energy consumption required for topology information distribution brought by other routing protocols. 3.1 The Distributed Trust Model For the detection of routing attacks in a large WSN, we have designed a fully distributed trust model which mandates that each node combines direct trust information and indirect trust information to define the trustworthiness of all its one-hop distance neighbours. In the following design, we have assumed that the participating nodes support promiscuous mode operation, are equipped with bidirectional transceivers with comparable transmission and reception ranges. In the sequel, we first describe the direct trust value derivation and then we describe the reputation protocol in detail Direct Trust One of the most important issues during the trust model design is to define the set of behaviour aspects/metrics against which each node is evaluated. Table 3 lists the selected trust metrics and the attack(s) each one assists on detecting. On each sensor node, a trust repository is used to store trust information per neighbor and trust metric. The monitored trust metrics include:

8 T. Zahariadis et al. Table 3 The trust metrics of the proposed trust model based on which routing attacks can be detected Trust metric Detected attack 1 Forwarding All types of dropping (black hole, grey hole, selective forwarding, etc.) 2 Network-ACK All types of dropping for the whole path 3 Packet precision All types of modification 4 Authentication Authentication-related attacks 5 Confidentiality To prefer nodes that offer cryptography 6 Reputation responses Sincerity in reputation protocol execution 7 Reputation validation Bad mouthing attack 8 Remaining energy Traffic analysis attack and load balancing Packet forwarding: To detect nodes that deny to or selectively forward packets, each time a source node transmits a packet for forwarding, it enters the promiscuous mode and overhears the wireless medium to check whether the packet was actually forwarded by the selected neighbor. If positive, this is accounted as a successful interaction; otherwise, it is considered a failure. Network layer Acknowledgements (ACK): To detect nodes that collude with other adversaries (which possibly drop packets) disrupting the network operation, we suggest that each source node waits for a network-layer ACK to check whether its message has successfully reached a higher layer node (i.e. the base station). Packet precision: Each time a source node transmits a packet for forwarding and then overhears the wireless medium to ensure that the packet was forwarded, it additionally processes it to check the packet s integrity i.e. that no unexpected modification has occurred. It thus detects modification attacks. Node authentication message encryption: In case there is an option for a node to select between a neighbor supporting encryption or authentication and another which doesn t, this metric allows for this discrimination. (If the node supports cryptography-authentication, the respective value is equal to 1;, otherwise.) Reputation response: To check the sincere execution of the reputation protocol, each time a node transmits a reputation request message to a neighbor, the reputation requests number stored in the trust table for this neighbor increases while the reputation response number increases only if the neighbor replies (i.e. the reputation response message is received). This way, nodes that do not cooperate in the execution of the reputation protocol are assigned lower trust values. Reputation Validation: To protect against bad-mouthing attacks and wrong reputations being spread around, each time a node i receives a reputation response message from node k regarding node j, if node i is confident about the direct trust value it has calculated for node j, it compares the received value (i.e. the reputation provided from node k) with its own direct trust on node j. If the difference exceeds a predefined threshold, then the provided reputation is considered as wrong reputation ; otherwise it is a correct reputation. Node i is confident for the trust value it has calculated for node j only if it has performed an adequate number of interactions (noi). For this reason, this information is also kept in the trust repository of the sensor node. Remaining energy: Systematically selecting a highly trusted node for forwarding the packets may lead to the exhaustion of its energy. Additionally, fixed traffic flows are

9 A Novel Trust-Aware Geographical Routing Scheme vulnerable to traffic analysis attacks. In this view, we have enriched our trust model with energy information. In our novel routing protocol, the basic routing message indicating the node availability and position (the Beacon message defined in all location-based routing protocols) is extended to include the remaining energy field of the source node based on which the energy-knowledge is built. Although it is possible to infer the remaining energy of a neighboring node counting the interactions it has been involved in [21], the implementation of such an approach consumes significant processing power Direct Trust Quantification Coming to the quantification of trust, it is worth stressing that trust is inherently probabilistic in the sense that it reflects the expectation of a node that a specific neighbour will cooperate honestly given the past experience. Based on this rationale, the probability theory has been adopted to evaluate the trustworthiness in many articles. For example in [18] and[22], the Beta distribution has been used to model the trust. However, when a node needs to choose from a neighbour set the most trusted neighbour for cooperation, the comparison can be based on the expected (mean) values. To achieve low cost implementation, we have chosen a rather simple equation to quantify trust which reflects the average value of the Beta distribution: for each trust metric m associated with successful/failed interactions, two counters (2-byte wide) are used to store the number of successful/failed interactions respectively. Based on their content, each node i calculates the trust value for each metric m regarding node j (denoted as Tm i, j ) using the following equation: T i, j m = S i, j m S i, j m + F i, j m where Sm i, j and Fm i, j stand for the number of successful and failed co-operations of type m between i and j. The eight trust values are then combined in a weighted sum to produce the total Direct Trust value: DT i, j = 8 1 (1) (W m T i, j m ) (2) where W m stands for the weight of trust metric m. All weights sum up to 1 so that the total direct trust value ranges from to Indirect Trust Model The indirect trust (IT) value is important mainly for newly initialized nodes or recently arrived nodes (in case of mobility). To trigger the indirect trust exchange process, each node periodically issues a reputation request message. A crucial design issue affecting the produced network load and the consumed node resources is to decide which nodes should be queried for indirect trust evidence. Given that the trust model will be incorporated in a locationbased routing solution, the candidate nodes are all one-hop neighbors (this may change if another type of routing protocol was selected). If all N one-hop neighbors are asked triggering the generation of N reputation response (RepRes) messages, the network load would be significantly burdened (increasing collision probability) and the node resource (memory, processing and energy) consumption would also increase significantly. In ATSR, we opted for requesting reputation information from a limited number (four) of neighbors, as a first

10 T. Zahariadis et al. action towards limiting the introduced overhead. In more detail, the source node randomly selects one node per quadrant so that only four unicast reputation request (RepReq) and four unicast reputation response (RepRes) messages are generated (instead of N + 1, in case all neighbors were requested using one broadcast message and N replies). Although the selection of the four nodes could be performed based on direct trust information (i.e. ask the most trusted nodes) or on the remaining energy information, this would reveal to an adversary (performing traffic analysis) certain attributes of the selected (requested) nodes. Moreover, the source node needs to obtain indirect trust information for all its one-hop neighbours and this can be achieved only by asking uniformly geographically distributed nodes. Since the reputation exchange is mainly implemented to assist nodes with no or limited (direct) trust knowledge to reach a more reliable conclusion for the trustworthiness of nodes they are interested in, a requested node provides its opinion for its neighbors only if it is confident about the direct trust value it has calculated. This is decided upon the so-called confidence factor C i, j of node i considering node j, which is calculated based on the following equation: C i, j = noi noi + m (3) where noi stands for the number of interactions (noi) between node i and node j (kept in the trust repository of the sensor node) and m a fixed integer. The confidence factor ranges from (for interactions) to values very close to 1 when a large number of interactions have been completed. The parameter m determines how fast the confidence factor approaches 1 as the number of interactions increases. For higher values of m, more interactions are needed for the confidence factor to approach 1, i.e. each node needs to perform a higher number of interactions to feel confident about the trust value it has calculated. The confidence factor will also be used to balance the direct with the indirect trust to reach the total trust value, as will be detailed later on. So, following this novel scheme, the requested node scans its trust table and includes in its reputation response message, the direct trust value it has calculated for all neighbors corresponding to confidence factor exceeding a predefined threshold (e.g. above.85). To avoid the disadvantages of reporting only positive/negative trust information, we have chosen to report only confident trust information, limiting this way the amount of communicated data (overhead) and economizing resources. (This confidence factor is also used in the reputation validation process mentioned earlier). Once node i that transmitted the reputation request message receives the reputation responses from its neighbours (say k 1, k 2, k 3, k 4 ), containing their trust info DT k l, j for each neighboring node j, nodei calculates the Indirect Trust value for node j using the following equation: IT i, j = ( DT i,k l DT k l, j ) l=4 l=1 l=4 l=1 DTi,k l The received values are summed up adopting the relevant direct trust as weight factors, so that a reputation provided by a highly trusted node counts more. (If a neighbour has not provided reputation information then the relevant product is omitted and its direct trust is not included in the sum appearing in the denominator.) Finally, the total trust (TT) value for a neighbor j is produced combining direct and indirect trust values in the following formula: TT i, j = C i, j DT i, j + (1 C i, j ) IT i, j (5) (4)

11 A Novel Trust-Aware Geographical Routing Scheme where C i, j is the confidence factor described previously. It is obvious that as the number of interactions (and thus the confidence factor, C) increases, the direct trust value becomes more significant than the reputation information. 3.2 Trust-Aware Routing Cost Function The combination of a fully distributed trust management scheme with a geographical routing approach renders the proposed routing solution suitable for large scale WSNs, since scalability is a dominant feature of all location-based protocols, such as the Greedy Perimeter Stateless Routing GPSR [23], which rely on local topology information only. Following this approach, each node is characterized by its coordinates and packets are forwarded to the neighboring node which is the closest to the destination (based on geographical information). Nodes only need to announce their coordinates to their one hop neighbours, through the so-called Beacon messages, which are not further propagated, hence saving node and network resource. Furthermore, the routing table maintained in each node includes only one hop neighbors and its size depends only on the network density (number of nodes in the neighborhood) and not on the overall WSN dimensions. Location knowledge can be provided by a GPS device (if the cost is considered affordable), can be preprogrammed in case of fixed sensor networks operating in an attended and controllable environment or can be calculated/defined based on some location definition and verification techniques (as discussed in [16]). However, these location identification schemes assume the existence of few anchor nodes which are aware of their physical location. This requirement does not hold in recent works on geographical routing based on virtual coordinates calculated based on local connectivity. For example, in [24] only two location-aware nodes are assumed while any location knowledge requirement is removed in [2], where no node is aware of its location and they all manage to define their virtual coordinates providing the relative to the base station position based on simple equations and data reported in the Beacon message. It is worth stressing that once the location has been verified, Sybil attack is prevented when location (either physical or virtual)-based routing is adopted. The objective of our protocol is to choose for forwarding the node that optimizes the following three factors: (1) highly trusted (2) as close to the destination as possible and (3) enough remaining energy to complete its forwarding task. As regards the distance of each neighbor to the base station, we define the distance metric which is quantified as follows: T i, j d = 1 d j D where d j is the Euclidean distance of neighbor j to the base station and D = N l d l stands for the sum of the distance of all its N neighbors to the base station, which can be calculated based on their coordinates and the coordinates of the base station. Following Eq. (6), the shortest distance to the destination maximizes the T i, j d value. The distance metric T i, j d and the total trust value (which has already incorporated the remaining energy value) are summed up in a weighted manner and are used to calculate the Routing Function (RF i, j ): RF i, j = W d T i, j d + W t TT i, j (7) where W d,andw t represent the significance of distance and trust criterion respectively with W d + W t = 1. Based on this equation, a routing value for each neighbor is calculated and the node that corresponds to the maximum value is selected for forwarding the packet as it (6)

12 T. Zahariadis et al. represents a good candidate satisfying an integrated set of requirements: trust, energy and proximity to the destination. The weight factors can play an important role as will be shown in the performance section where we will also show the flexibility and efficiency of the proposed trusted routing protocol. It is worth mentioning that throughout the design phase, one of our main concerns was to keep algorithmic complexity and memory allocation needs as low as possible (without jeopardizing the reliability of sensor communications), to achieve an efficient deployment of our trust model to sensor nodes available in the market. Results regarding the implementation cost are presented in Sect The Threat Model and the Defended Attacks Based on the above trust-aware routing protocol, it is possible to detect a set of routing attacks and avoid the malicious nodes that cause them. The considered threat model consists of malicious (or compromised) nodes that are deployed after the setup phase of the network and the ability to collude. It is stressed that we focus on the detection and defense against routing attacks leaving tamper proof techniques out of scope. The model of threats efficiently detected by our protocol include: 1. black-hole or grey-hole attacks, i.e. nodes that do not forward all or part of the received traffic 2. colluding nodes in the path can be detected based on the network acknowledgement trust metric (unless they generate false net ack messages pr a more powerful node, e.g. a laptop adversary, can issue a net ack message to mislead the source node. 3. unexpected modification of messages 4. selfish behaviour not only regarding the forwarding but also regarding the reputation exchange protocol, i.e. nodes that receive a reputation request and do not respond to this request are detected 5. bad-mouthing attack: A malicious node i that announces to node j wrong trust information for a common neighbour k. 6. conflicting behaviour: A malicious node i behaves differently to different neighbours, i.e. it forwards packets received from node j and not packets from node k. Routing attacks that are not detected by the proposed ATSR solution include Sybil attacks and traffic analysis attacks. However, we consider that Sybil attacks can be avoided realizing location verification techniques while for traffic analysis attacks more powerful nodes are required. The only measure taken by the proposed approach is that making routing decisions based on the neighbours available energy, a certain degree of load balancing it achieved. This way the identification of the nodes that handle the majority of the traffic becomes more difficult. 4 Performance Evaluation To quantify the performance of the proposed trust-aware routing protocol, we have modeled it using the JSim platform [25]. The simulated network topology includes 1 sensor nodes (n to n 99 ) placed on fixed locations (pre-set in the JSIM tool), organized on a 1 1 grid and communicating based on the IEEE standard. No key distribution was modeled as this enhances the communication security while our focus is on the routing security. The simulated application issues one packet of 31 bytes every two seconds while the Beacon

13 A Novel Trust-Aware Geographical Routing Scheme interval is two seconds on average (following the original GPSR implementation [23]), and the reputation request interval is three seconds (unless otherwise stated). The initial trust value for all neighbors has been set equal to 1 (i.e. all nodes are considered to be trusted a priori) and the simulation run time was equal to 4, s for all scenarios (unless otherwise stated). For the calculation of the confidence factor, we have used Eq. (3) and chosen m equal to 1, so that the node relies on the direct trust value it has calculated even from the first few direct interactions, instead of relying on its neighbours indirect trust information, which introduces vulnerabilities. To enlighten various aspects of the proposed solution, we have performed different sets of simulation runs. For each scenario, the presented results were obtained after 7 replications. The performance of the proposed secure routing solution depends on a variety of factors including the topology of the sensor nodes, the quantity and location of malicious nodes in the topology (also discussed in [16]), the types of issued attacked, the weights used for the trust metrics, as well as the weights W d and W t of the routing function. As the target of the presented ATSR is the detection of malicious nodes that prevent the packets from reaching their destination, a major performance metric is packet loss. However, packet loss may occur due to physical layer collisions, controlled by the MAC layer. In the model we used for the evaluation of the ATSR, the nodes cannot distinguish between a MAC layer collision and an unsuccessful forwarding due to malicious behaviour of a neighbour. Thus, the calculated trust values are lower than the value a neighbour would deserve. However, first, it is not the absolute, but the relative trust value that drives the routing decision since the node associated with the highest value in the routing function is selected and second, in the real deployment, we consider that the trust module will interface the MAC module so as to distinguish the two reasons of unsuccessful forwarding. 4.1 The Impact of the Distance and Trust Weights on the Performance of the ATSR Routing Cost Function In our secure routing approach, by varying the weights of the geographical and trust information used in the routing cost function, importance can be shifted from distance to trust. To investigate the impact of these weights (W d and W t ), we have run a scenario set for different values of the weight factor W d and different number of grey-hole attackers (25 and 5 %) uniformly distributed in the network. These nodes randomly drop the received traffic. The weights of the trust metrics (listed in Table 3) were set equal to W 1 =.5, W 2 =.2, W 3 =.1, W 4 = W 5 = W 6 = W 7 = andw 8 =.2. The obtained results are included in Figs. 2 and 3 where the packet loss expressing the percentage of the transmitted packets that were lost, the average experienced latency and the performed attacks are shown. Starting from the packet loss, the lower values are observed when W d =.4, i.e. when distance and trust are well balanced and almost equally respected. Significant higher loss ratio values are observed when W d increases towards 1, as expected, since trust is sacrificed to distance criteria. When W d equals 1, our solution ignores trust and becomes equivalent to GPSR which suffers 57 and 66 % packet loss for 25 and 5 % grey hole attackers respectively. For high W d values, the latency decreases, since the packets that manage to reach the destination follow a near-optimal path. When W d decreases towards.1, the loss ratio slightly increases while the delay increases as well, (especially when 5 % malicious nodes exist) because, paying less attention to distance criteria, the data packets travel longer paths to the destination through highly trusted nodes sometimes failing to reach their destination. Comparing the performance achieved for 25 and 5 % malicious nodes respectively, it is clear that better performance both as regards packet loss and latency is observed for 25 % grey

14 T. Zahariadis et al. (a) Packet loss (%) Grey hole attackers 5 grey hole attackers (b) Mean packet Latency (ms) grey hole attackers 5 grey hole attackers W d W d Fig. 2 The impact of the distance and trust weight factors on packet loss and mean packet latency for 25 and 5 % grey hole attackers grey hole attacks grey hole attackers 5 grey hole attackers Fig. 3 The impact of the distance and trust weight factors on the number of the performed attacks for 25 and 5 % grey hole attackers W d hole attackers. It is also important to note that for 25 % malicious nodes, either W d =.4 or W d =.5 provide very good performance while for 5 % malicious nodes, significantly better performance is achieved when W d =.4 (instead of.5) assigning higher emphasis on trust over distance. The number of attacks (representing in this scenario dropped packets) included in Fig. 3 reflects the responsiveness of our solution, i.e. shows how fast the benevolent nodes detect their malicious neighbors and avoid them, saving energy in transmitting packets in vain, as would happen adopting any non trust-aware routing algorithm. The number of attacks observed for W d =.4 is an order of magnitude lower than the attacks measured for W d = 1, i.e. no trust awareness. Turning our attention to the latency distribution, we present here results regarding the packet latency for three W d values and for two sessions, one connecting nodes to 99 (which follows a diagonal path in the grid) and another (shorter) connection between node 86 and 99 (the node positions are shown in Fig. 9). The results obtained for 25 malicious nodes have been used to calculate the cumulative distribution function of the packet latency shown in Fig. 4. Starting from the longer connection, an average latency value of 13 ms has been observed for all the W d values reported here. For W d equal to.7, the lower variance is observed and latency values greater than 13 ms have been observed with probability equal to

15 A Novel Trust-Aware Geographical Routing Scheme CDF Wd= Wd=.4.7 Wd=.3.6 Wd=.3.6 Wd= Wd= Latency (ms) CDF Latency (ms) Fig. 4 CDF of the latency observed for packets of session a between nodes 99 on the left and b between nodes on the right performed attacks (a) malicious nodes 35 malicious nodes 2 malicious nodes 5 malicious nodes Wdi (b) mean packet latency (ms) Wdi 5 malicious nodes 35 malicious nodes 2 malicious nodes 5 malicious nodes Fig. 5 Performance results for various attacks: a Total number of attacks. b Mean packet latency.7. Slightly higher variance is observed for lower W d values (.4 and.3) as trust is left to play a more important role, although the difference is quite small. The same effects were observed for the second connection of interest where the average latency was 4.5 ms. For all the tested W d values, latency values between 2.7 and 3 ms were observed with probability higher than.94 while for W d =.7 this probability was equal to.986. Summing up the latency discussion, the obtained results show that the quality of service (in terms of packet latency) is not severely compromised when W d decreases in favor of W t to allow for efficient detection of malicious nodes. To investigate whether the observations regarding W d, hold for other types of attacks, we have also run simulations for 5, 2, 35 and 5 % malicious nodes performing four different attack types: grey-hole, integrity attacks (nodes alter the forwarded packet fields), nodes that do not perform authentication and nodes that do not support encryption. The results in terms of number of performed attacks and latency are included in Fig. 5a, b respectively. Better results (lower number of attacks and low latency) are achieved when W d ranges from.2 to.5. It is very interesting to point out that the best performance results are achieved for different W d values depending on the number of malicious nodes. For example, for 5 % malicious nodes, the best result is achieved for W d =.2, while for 35 % malicious nodes the best performance is measured for W d =.3 or.4. This observation guides us to investigate, in future work, whether these weights can be dynamically adjusted: i.e. each node could set its own pair of values, depending on the detection of a small or big number of attack nodes around it in the network. However, if we need to reach a recommendation for fixed W d and

16 T. Zahariadis et al. packet loss ratio (%) GPSR ATSR-1 ATSR-2 ATSR malicious nodes (%) packet loss ratio (%) GPSR ATSR-1 ATSR-2 ATSR-3 malicious nodes (%) Fig. 6 Packet loss results for different number of malicious nodes in the network. Left: grey-hole attacks only, Right: various attacks W t values, we would set them equal to.4 and.6, accordingly, which represents a good balance between trust and geographic metric. (Extreme values either in favour of trust or in favour of distance lead to high latency and high packet loss, respectively.) 4.2 Efficiency in Attack Detection Attacks and the Impact of the Trust Metrics Weights In this section, our aim is to evaluate the efficiency of our trust-aware routing protocol in detecting different types of attacks and to provide further insight on the impact of the weights assigned to the different trust metrics when defining the direct trust. To evaluate the improvement that ATSR brings, we have run two different scenario sets using W d =.4andW t =.6 as previously recommended. In both scenarios, we varied the number of malicious nodes in the network from to 5 %, with a step of 5 %. The malicious nodes were uniformly spread in the network. In the first scenario set, different number of malicious nodes issuing only grey-hole attacks (i.e. randomly dropping half of the received traffic on average) were used. We did not choose black-hole attacks, since it is easier for our protocol to detect and avoid them, while greyhole attacks allow a minimum connectivity, even when non trust-aware protocols, like GPSR, are used, favouring them. Three different trust metrics weight combinations were tested: in scenario ATSR-1 W 1 =.7, W 2 =.3, in scenario ATSR-2 W 1 =.5, W 2 =.5, and in ATSR-3 W 1 =.3, and W 2 =.7. The second scenario set employs four different types of attack: nodes that perform greyhole attacks, nodes that perform integrity attacks, nodes that do not perform authentication and nodes that do not support encryption. Three different weight combinations were used: in scenario ATSR-1 W 1 =.3, W 2 =.1, W 3 =.2, W 4 =.2, W 5 =.2, in scenario ATSR-2, W 1 =.25, W 2 =, W 3 =.25, W 4 =.25, W 5 =.25, in scenario ATSR-3, W 1 =.2, W 2 =.1, W 3 =.2, W 4 =.2, W 5 =.2 andw 8 =.1. The performance results in terms of packet loss are included in Fig. 6. As expected, our trust-aware routing protocol outperforms GPSR in the presence of malicious nodes, since it is capable of detecting and avoiding attacks by finding alternative paths to the destination. Focusing on scenarios including only grey-hole attackers, the proposed ATSR achieves a packet loss ratio of 15 % when half of the network nodes are acting as grey-hole as shown at the left hand side of Fig. 6. In the same figure, the different weight combinations tested present different performance only when the malicious nodes exceed 35 %, with better results observed for ATSR-1 when W 1 =.7 while W 2 =.3. It is worth stressing that when all malicious nodes perform grey-hole attacks, we can only use the forwarding and net-ack trust

17 A Novel Trust-Aware Geographical Routing Scheme Performed attacks malicious nodes (%) GPSR ATSR-1 ATSR-2 ATSR-3 performed attacks malicious nodes (%) GPSR ATSR-1 ATSR-2 ATSR-3 Fig. 7 Total number of attacks for different number of malicious nodes in the network. Left: grey-hole attacks only, Right: various attacks mean packet latency (ms) GPSR ATSR-1 ATSR-2 ATSR-3 mean packet latency (ms) GPSR ATSR-1 ATSR-2 ATSR malicious nodes (%) malicious nodes (%) Fig. 8 Mean packet latency in ms for different number of malicious nodes in the network. Left: grey-hole attacks only, Right: various attacks metrics to detect the adversaries. Thus, in this scenario set (with only grey-hole attackers) all trust weights apart from W 1 and W 2 are set equal to zero. Equally excellent performance is achieved when malicious nodes performing different types of attacks are used in the second scenario set. As shown at the right hand side of Fig. 6, again less than 1 % of packet loss is achieved when 5 % of malicious nodes exist. The performance difference for different weight factors is now reduced, since more trust metrics have to be taken into account contending for the weight factor. So, when the number of trust metrics upon which a node is evaluated increases, the weight factor is shared, thus different weight combinations bring negligible performance difference. Looking at Fig. 7, one can observe that ATSR achieves a significantly smaller total number of attacks in both scenarios, while at the same time it is obvious that higher efficiency is observed in the first scenario, since it focuses only on the mitigation of the grey-hole attacks. So, when 5 % of grey-hole attackers exist, only 1 attacks are observed (for ATSR-1) while for 5 % of mixed type attackers 45 attacks are experienced, which is however still much lower than the GPSR case (1,6 attacks). Finally, the mean packet latency for the two scenario sets is shown in Fig. 8. It is observed that ATSR results in greater mean packet latency times, since packets follow longer paths (i.e. they traverse a higher number of transient nodes) trying to avoid the malicious nodes. This becomes more evident as the number of malicious nodes increases, when either one or

18 T. Zahariadis et al. n9 n19 n29 n39 n49 n59 n69 n79 n89 n99 n8 n18 n28 n38 n48 n58 n68 n78 n88 n98 n7 n17 n27 n37 n47 n57 n67 n77 n87 n97 nxx Nodes that participate in sessions n6 n16 n26 n36 n46 n56 n66 n76 n86 n96 nxx Black Holes nxx Gray Holes n5 n15 n25 n35 n45 n55 n65 n75 n85 n95 nxx Integrity Holes n4 n14 n24 n34 n44 n54 n64 n74 n84 n94 nxx Bad-mouth nodes n3 n13 n23 n33 n43 n53 n63 n73 n83 n93 n2 n12 n22 n32 n42 n52 n62 n72 n82 n92 n1 n11 n21 n31 n41 n51 n61 n71 n81 n91 n n1 n2 n3 n4 n5 n6 n7 n8 n9 Fig. 9 WSN topology for indirect trust scenarios more types of attack are issued by malicious nodes. It is worth pointing out that while the number of malicious nodes seems to have no impact on the mean packet latency, when the original GPSR protocol is used this is due to the fact that the small percentage of packets that succeeds in reaching their destination follow the optimal path. 4.3 Indirect Trust Evaluation Results Since the implementation of the reputation exchange scheme assists mainly new-comers in obtaining trust knowledge, to evaluate the introduced benefits, we have run a scenario set where six connections are active from the beginning of the simulation runs while node 22 is turned on at T 1 = 7 s and initiates a seventh connection at time T 2 = 8 s. The interval between the node switch on time and the connection initiation, leaves enough time (1 s) for the node 22 to collect indirect trust information. To make the situation more difficult, node 22 is surrounded by 23 grey-hole nodes as shown in Fig. 9 while four bad-mouthers will be activated in certain scenario runs. The weight factors used were: W d =.6, W t =.4, while W 1 =.55, W 2 =.15, W 6 =.15, W 7 =.15 for this simulation set. To investigate different design alternatives related to the reputation exchange protocol, we have run seven simulation scenarios as shown in Table 4, for different reputation exchange frequencies, with and without bad-mouthing malicious nodes around node 22, while scenarios based only on direct trust information were also included for comparison reasons. Each node triggers the reputation exchange procedure (transmitting four Reputation Request messages) periodically, with this period denoted as RRP in the table. Focusing on the results for the flow initiated by the newcomer node 22, (shown in the 3rd column), the number of successfully received packets increases when indirect trust information is exchanged. Namely, the 93.3 % achieved when only direct trust is relied upon (DT scenario), is outperformed