Design and implementation of tarfa trust aware routing framework for ws ns.bak

Design and Implementation of TARF:A Trust-Aware Routing Framework for WSNs

Guoxing Zhan, Weisong Shi, Senior Member, IEEE, and Julia Deng

Abstract—The multihop routing in wireless sensor networks (WSNs) offers little protection against identity deception through replaying

routing information. An adversary can exploit this defect to launch various harmful or even devastating attacks against the routing

protocols, including sinkhole attacks, wormhole attacks, and Sybil attacks. The situation is further aggravated by mobile and harsh

network conditions. Traditional cryptographic techniques or efforts at developing trust-aware routing protocols do not effectively

address this severe problem. To secure the WSNs against adversaries misdirecting the multihop routing, we have designed and

implemented TARF, a robust trust-aware routing framework for dynamic WSNs. Without tight time synchronization or known

geographic information, TARF provides trustworthy and energy-efficient route. Most importantly, TARF proves effective against those

harmful attacks developed out of identity deception; the resilience of TARF is verified through extensive evaluation with both simulation

and empirical experiments on large-scale WSNs under various scenarios including mobile and RF-shielding network conditions.

Further, we have implemented a low-overhead TARF module in TinyOS; as demonstrated, this implementation can be incorporated

into existing routing protocols with the least effort. Based on TARF, we also demonstrated a proof-of-concept mobile target detection

application that functions well against an antidetection mechanism.

Index Terms—Wireless sensor networks, routing protocols, security.

Ç

1 INTRODUCTION

WIRELESSSENSOR networks (WSNs) [2] are ideal candi-dates for applications to report detected events of

interest, such as military surveillance and forest firemonitoring. A WSN comprises battery-powered sensornodes with extremely limited processing capabilities. Witha narrow radio communication range, a sensor nodewirelessly sends messages to a base station via a multihoppath. However, the multihop routing of WSNs oftenbecomes the target of malicious attacks. An attacker maytamper nodes physically, create traffic collision withseemingly valid transmission, drop or misdirect messagesin routes, or jam the communication channel by creatingradio interference [3]. This paper focuses on the kind ofattacks in which adversaries misdirect network traffic byidentity deception through replaying routing information.Based on identity deception, the adversary is capable oflaunching harmful and hard-to-detect attacks againstrouting, such as selective forwarding, wormhole attacks,sinkhole attacks and Sybil attacks [4].

As a harmful and easy-to-implement type of attack, amalicious node simply replays all the outgoing routingpackets from a valid node to forge the latter node’s identity;the malicious node then uses this forged identity toparticipate in the network routing, thus disrupting thenetwork traffic. Those routing packets, including their

original headers, are replayed without any modification.Even if this malicious node cannot directly overhear thevalid node’s wireless transmission, it can collude with othermalicious nodes to receive those routing packets and replaythem somewhere far away from the original valid node,which is known as a wormhole attack [5]. Since a node in aWSN usually relies solely on the packets received to knowabout the sender’s identity, replaying routing packets allowsthe malicious node to forge the identity of this valid node.After “stealing” that valid identity, this malicious node isable to misdirect the network traffic. For instance, it maydrop packets received, forward packets to another nodenot supposed to be in the routing path, or even form atransmission loop through which packets are passed amonga few malicious nodes infinitely. It is often difficult to knowwhether a node forwards received packets correctly evenwith overhearing techniques [4]. Sinkhole attacks are anotherkind of attacks that can be launched after stealing a valididentity. In a sinkhole attack, a malicious node may claimitself to be a base station through replaying all the packetsfrom a real base station [6]. Such a fake base station couldlure more than half the traffic, creating a “black hole.” Thissame technique can be employed to conduct another strongform of attack—Sybil attack [7]: through replaying therouting information of multiple legitimate nodes, an attackermay present multiple identities to the network. A valid node,if compromised, can also launch all these attacks.

The harm of such malicious attacks based on thetechnique of replaying routing information is furtheraggravated by the introduction of mobility into WSNs andthe hostile network condition. Though mobility is intro-duced into WSNs for efficient data collection and variousapplications [8], [9], [10], [11], it greatly increases the chanceof interaction between the honest nodes and the attackers.Additionally, a poor network connection causes muchdifficulty in distinguishing between an attacker and a

184 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012

. G. Zhan and W. Shi are with the Department of Computer Science, WayneState University, 5057 Woodward Avenue, Detroit, MI 48202.E-mail: {gxzhan, weisong}@wayne.edu.

. J. Deng is with the Intelligent Automation, Inc., 15400 Calhoun Drive,Suite 400, Rockville, MD 20855. E-mail: [email protected].

Manuscript received 16 Nov. 2010; revised 3 Sept. 2011; accepted 12 Sept.2011; published online 10 Nov. 2011.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TDSC-2010-11-0216.Digital Object Identifier no. 10.1109/TDSC.2011.58.

1545-5971/12/$31.00 � 2012 IEEE Published by the IEEE Computer Society

http://ieeexploreprojects.blogspot.com

honest node with transient failure. Without proper protec-tion, WSNs with existing routing protocols can be com-pletely devastated under certain circumstances. In anemergent sensing application through WSNs, saving thenetwork from being devastated becomes crucial to thesuccess of the application.

Unfortunately, most existing routing protocols for WSNseither assume the honesty of nodes and focus on energyefficiency [12], or attempt to exclude unauthorized partici-pation by encrypting data and authenticating packets.Examples of these encryption and authentication schemesfor WSNs include TinySec [13], Spins [14], TinyPK [15], andTinyECC [16]. Admittedly, it is important to considerefficient energy use for battery-powered sensor nodes andthe robustness of routing under topological changes as wellas common faults in a wild environment. However, it is alsocritical to incorporate security as one of the most importantgoals; meanwhile, even with perfect encryption and authen-tication, by replaying routing information, a malicious nodecan still participate in the network using another validnode’s identity. The gossiping-based routing protocols offercertain protection against attackers by selecting randomneighbors to forward packets [17], but at a price ofconsiderable overhead in propagation time and energy use.

In addition to the cryptographic methods, trust andreputation management has been employed in generic adhoc networks and WSNs to secure routing protocols.Basically, a system of trust and reputation managementassigns each node a trust value according to its pastperformance in routing. Then, such trust values are used tohelp decide a secure and efficient route. However, theproposed trust and reputation management systems forgeneric ad hoc networks target only relatively powerfulhardware platforms such as laptops and smartphones [18],[19], [20], [21]. Those systems cannot be applied to WSNsdue to the excessive overhead for resource-constrainedsensor nodes powered by batteries. As far as WSNs areconcerned, secure routing solutions based on trust andreputation management rarely address the identity decep-tion through replaying routing information [22], [23]. Thecountermeasures proposed so far strongly depends oneither tight time synchronization or known geographicinformation while their effectiveness against attacks ex-ploiting the replay of routing information has not beenexamined yet [4].

At this point, to protect WSNs from the harmful attacksexploiting the replay of routing information, we havedesigned and implemented a robust trust-aware routingframework, TARF, to secure routing solutions in wirelesssensor networks. Based on the unique characteristics ofresource-constrained WSNs, the design of TARF centers ontrustworthiness and energy efficiency. Though TARF can bedeveloped into a complete and independent routing proto-col, the purpose is to allow existing routing protocols toincorporate our implementation of TARF with the least effortand thus producing a secure and efficient fully functionalprotocol. Unlike other security measures, TARF requiresneither tight time synchronization nor known geographicinformation. Most importantly, TARF proves resilient undervarious attacks exploiting the replay of routing information,

which is not achieved by previous security protocols. Evenunder strong attacks such as sinkhole attacks, wormholeattacks as well as Sybil attacks, and hostile mobile networkcondition, TARF demonstrates steady improvement innetwork performance. The effectiveness of TARF is verifiedthrough extensive evaluation with simulation and empiricalexperiments on large-scale WSNs. Finally, we have imple-mented a ready-to-use TARF module with low overhead,which as demonstrated can be integrated into existingrouting protocols with ease; the demonstration of a proof-of-concept mobile target detection program indicates thepotential of TARF in WSN applications.

We start by stating the design considerations of TARF inSection 2. Then, we elaborate the design of TARF in Section3, including the routing procedure as well as the Energy-Watcher and TrustManager components. In Section 4, wepresent the simulation results of TARF against variousattacks through replaying routing information in static,mobile and RF-shielding conditions. Section 5 furtherpresents the implementation of TARF, empirical evaluationat a large sensor network and a resilient proof-of-conceptmobile target detection application based on TARF. Finally,we discuss the related work in Section 6 and conclude thispaper in Section 7.

2 DESIGN CONSIDERATIONS

Before elaborating the detailed design of TARF, we wouldlike to clarify a few design considerations first, includingcertain assumptions in Section 2.1 and the goals in Section 2.3.

2.1 Assumptions

We target secure routing for data collection tasks, which areone of the most fundamental functions of WSNs. In a datacollection task, a sensor node sends its sampled data to aremote base station with the aid of other intermediate nodes,as shown in Fig. 1. Though there could be more than one basestation, our routing approach is not affected by the numberof base stations; to simplify our discussion, we assume thatthere is only one base station. An adversary may forge theidentity of any legal node through replaying that node’soutgoing routing packets and spoofing the acknowledgmentpackets, even remotely through a wormhole.

Additionally, to merely simplify the introduction ofTARF, we assume no data aggregation is involved. None-theless, our approach can still be applied to cluster-basedWSNs with static clusters, where data are aggregated byclusters before being relayed [24]. Cluster-based WSNsallows for the great savings of energy and bandwidth

ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 185

Fig. 1. Multihop routing for data collection of a WSN.


through aggregating data from children nodes and per-forming routing and transmission for children nodes. In acluster-based WSN, the cluster headers themselves form asubnetwork; after certain data reach a cluster header, theaggregated data will be routed to a base station onlythrough such a subnetwork consisting of the clusterheaders. Our framework can then be applied to thissubnetwork to achieve secure routing for cluster-basedWSNs. TARF may run on cluster headers only and thecluster headers communicate with their children nodesdirectly since a static cluster has known relationshipbetween a cluster header and its children nodes, thoughany link-level security features may be further employed.

Finally, we assume a data packet has at least thefollowing fields: the sender id, the sender sequence number,the next-hop node id (the receiver in this one-hop transmis-sion), the source id (the node that initiates the data), and thesource’s sequence number. We insist that the source node’sinformation should be included for the following reasonsbecause that allows the base station to track whether a datapacket is delivered. It would cause too much overhead totransmit all the one-hop information to the base station.Also, we assume the routing packet is sequenced.

2.2 Authentication Requirements

Though a specific application may determine whether dataencryption is needed, TARF requires that the packets areproperly authenticated, especially the broadcast packetsfrom the base station. The broadcast from the base station isasymmetrically authenticated so as to guarantee that anadversary is not able to manipulate or forge a broadcastmessage from the base station at will. Importantly, withauthenticated broadcast, even with the existence of attack-ers, TARF may use TrustManager (Section 3.4) and thereceived broadcast packets about delivery information(Section 3.2.1) to choose trustworthy path by circumventingcompromised nodes. Without being able to physicallycapturing the base station, it is generally very difficult forthe adversary to manipulate the base station broadcastpackets which are asymmetrically authenticated. Theasymmetric authentication of those broadcast packets fromthe base station is crucial to any successful secure routingprotocol. It can be achieved through existing asymmetri-cally authenticated broadcast schemes that may requireloose time synchronization. As an example, �TESLA [14]achieves asymmetric authenticated broadcast through asymmetric cryptographic algorithm and a loose delayschedule to disclose the keys from a key chain. Otherexamples of asymmetric authenticated broadcast schemesrequiring either loose or no time synchronization are foundin [25], [26].

Considering the great computation cost incurred by astrong asymmetric authentication scheme and the difficultyin key management, a regular packet other than a basestation broadcast packet may only be moderately authenti-cated through existing symmetric schemes with a limitedset of keys, such as the message authentication codeprovided by TinySec [13]. It is possible that an adversaryphysically captures a nonbase legal node and reveals its keyfor the symmetric authentication [27]. With that key, theadversary can forge the identity of that nonbase legal node

and joins the network “legally.” However, when theadversary uses its fake identity to falsely attract a greatamount of traffic, after receiving broadcast packets aboutdelivery information, other legal nodes that directly orindirectly forwards packets through it will start to select amore trustworthy path through TrustManager (Section 3.4).

2.3 Goals

TARF mainly guards a WSN against the attacks misdirect-ing the multihop routing, especially those based on identitytheft through replaying the routing information. This paperdoes not address the denial-of-service (DoS) [3] attacks,where an attacker intends to damage the network byexhausting its resource. For instance, we do not address theDoS attack of congesting the network by replayingnumerous packets or physically jamming the network.TARF aims to achieve the following desirable properties:

High throughput. Throughput is defined as the ratio ofthe number of all data packets delivered to the base stationto the number of all sampled data packets. In ourevaluation, throughput at a moment is computed over theperiod from the beginning time (0) until that particularmoment. Note that single-hop retransmission may happen,and that duplicate packets are considered as one packet asfar as throughput is concerned. Throughput reflects howefficiently the network is collecting and delivering data.Here, we regard high throughput as one of our mostimportant goals.

Energy efficiency. Data transmission accounts for amajor portion of the energy consumption. We evaluateenergy efficiency by the average energy cost to successfullydeliver a unit-sized data packet from a source node to thebase station. Note that link-level retransmission should begiven enough attention when considering energy cost sinceeach retransmission causes a noticeable increase in energyconsumption. If every node in a WSN consumes approxi-mately the same energy to transmit a unit-sized data packet,we can use another metric hop-per-delivery to evaluateenergy efficiency. Under that assumption, the energyconsumption depends on the number of hops, i.e., thenumber of one-hop transmissions occurring. To evaluatehow efficiently energy is used, we can measure the averagehops that each delivery of a data packet takes, abbreviatedas hop-per-delivery.

Scalability and adaptability. TARF should work wellwith WSNs of large magnitude under highly dynamiccontexts. We will evaluate the scalability and adaptability ofTARF through experiments with large-scale WSNs andunder mobile and hash network conditions.

Here, we do not include other aspects such as latency,load balance, or fairness. Low latency, balanced networkload, and good fairness requirements can be enforced inspecific routing protocols incorporating TARF.

3 DESIGN OF TARF

TARF secures the multihop routing in WSNs againstintruders misdirecting the multihop routing by evaluatingthe trustworthiness of neighboring nodes. It identifies suchintruders by their low trustworthiness and routes datathrough paths circumventing those intruders to achieve



satisfactory throughput. TARF is also energy efficient, highlyscalable, and well adaptable. Before introducing the detaileddesign, we first introduce several necessary notions here.

Neighbor. For a node N , a neighbor (neighboring node)of N is a node that is reachable from N with one-hopwireless transmission.

Trust level. For a node N , the trust level of a neighbor isa decimal number in [0, 1], representing N’s opinion of thatneighbor’s level of trustworthiness. Specifically, the trustlevel of the neighbor is N’s estimation of the probability thatthis neighbor correctly delivers data received to the basestation. That trust level is denoted as T in this paper.

Energy cost. For a node N , the energy cost of a neighboris the average energy cost to successfully deliver a unit-sized data packet with this neighbor as its next-hop node,from N to the base station. That energy cost is denoted as Ein this paper.

3.1 Overview

For a TARF-enabled node N to route a data packet to thebase station, N only needs to decide to which neighboringnode it should forward the data packet considering both thetrustworthiness and the energy efficiency. Once the datapacket is forwarded to that next-hop node, the remainingtask to deliver the data to the base station is fully delegatedto it, and N is totally unaware of what routing decision itsnext-hop node makes. N maintains a neighborhood tablewith trust level values and energy cost values for certainknown neighbors. It is sometimes necessary to delete someneighbors’ entries to keep the table size acceptable. Thetechnique of maintaining a neighborhood table of amoderate size is demonstrated by Woo et al. [28]; TARFmay employ the same technique.

In TARF, in addition to data packet transmission, thereare two types of routing information that need to beexchanged: broadcast messages from the base station aboutdata delivery and energy cost report messages from eachnode. Neither message needs acknowledgment. A broad-cast message from the base station is flooded to the wholenetwork. The freshness of a broadcast message is checkedthrough its field of source sequence number. The other typeof exchanged routing information is the energy cost reportmessage from each node, which is broadcast to only itsneighbors once. Any node receiving such an energy costreport message will not forward it.

For each node N in a WSN, to maintain such aneighborhood table with trust level values and energy costvalues for certain known neighbors, two components,EnergyWatcher and TrustManager, run on the node (Fig. 2).EnergyWatcher is responsible for recording the energy costfor each known neighbor, based on N’s observation of one-hop transmission to reach its neighbors and the energy costreport from those neighbors. A compromised node mayfalsely report an extremely low energy cost to lure itsneighbors into selecting this compromised node as theirnext-hop node; however, these TARF-enabled neighborseventually abandon that compromised next-hop node basedon its low trustworthiness as tracked by TrustManager.TrustManager is responsible for tracking trust level values ofneighbors based on network loop discovery and broadcastmessages from the base station about data delivery. Once N

is able to decide its next-hop neighbor according to itsneighborhood table, it sends out its energy report message: itbroadcasts to all its neighbors its energy cost to deliver apacket from the node to the base station. The energy cost iscomputed as in Section 3.3 by EnergyWatcher. Such anenergy cost report also serves as the input of its receivers’EnergyWatcher.

3.2 Routing Procedure

TARF, as with many other routing protocols, runs as aperiodic service. The length of that period determines howfrequently routing information is exchanged and updated.At the beginning of each period, the base station broadcasts amessage about data delivery during last period to the wholenetwork consisting of a few contiguous packets (one packetmay not hold all the information). Each such packet has afield to indicate how many packets are remaining tocomplete the broadcast of the current message. The comple-tion of the base station broadcast triggers the exchange ofenergy report in this new period. Whenever a node receivessuch a broadcast message from the base station, it knowsthat the most recent period has ended and a new period hasjust started. No tight time synchronization is required for anode to keep track of the beginning or ending of a period.During each period, the EnergyWatcher on a node monitorsenergy consumption of one-hop transmission to its neigh-bors and processes energy cost reports from those neighborsto maintain energy cost entries in its neighborhood table; itsTrustManager also keeps track of network loops andprocesses broadcast messages from the base station aboutdata delivery to maintain trust level entries in its neighbor-hood table.

To maintain the stability of its routing path, a node mayretain the same next-hop node until the next fresh broadcastmessage from the base station occurs. Meanwhile, to reducetraffic, its energy cost report could be configured to notoccur again until the next fresh broadcast message from thebase station. If a node does not change its next-hop nodeselection until the next broadcast message from the basestation, that guarantees all paths to be loop-free, as can bededucted from the procedure of next-hop node selection.However, as noted in our experiments, that would lead toslow improvement in routing paths. Therefore, we allow anode to change its next-hop selection in a period when itscurrent next-hop node performs the task of receiving anddelivering data poorly.


Fig. 2. Each node selects a next-hop node based on its neighborhoodtable, and broadcast its energy cost within its neighborhood. To maintainthis neighborhood table, EnergyWatcher and TrustManager on the nodekeep track of related events (on the left) to record the energy cost andthe trust level values of its neighbors.


Next, we introduce the structure and exchange ofrouting information as well as how nodes make routingdecisions in TARF.

3.2.1 Structure and Exchange of Routing Information

A broadcast message from the base station fits into at most afixed small number of packets. Such a message consists ofsome pairs of <node id of a source node, an undeliveredsequence interval [a, b] with a significant length>, <node idof a source node, minimal sequence number received in lastperiod, maximum sequence number received in lastperiod>, as well as several node id intervals of thosewithout any delivery record in last period. To reduceoverhead to an acceptable amount, our implementationselects only a limited number of such pairs to broadcast(Section 5.1) and proved effective (Sections 5.3, 5.4).Roughly, the effectiveness can be explained as follows: thefact that an attacker attracts a great deal of traffic frommany nodes often gets revealed by at least several of thosenodes being deceived with a high likelihood. The undeliv-ered sequence interval [a, b] is explained as follows: thebase station searches the source sequence numbers receivedin last period, identifies which source sequence numbers forthe source node with this id are missing, and choosescertain significant interval [a, b] of missing source sequencenumbers as an undelivered sequence interval. For example,the base station may have all the source sequence numbersfor the source node 2 as {109, 110, 111, 150, 151} in lastperiod. Then, [112, 149] is an undelivered sequence interval;[109, 151] is also recorded as the sequence boundary ofdelivered packets. Since the base station is usuallyconnected to a powerful platform such as a desktop, aprogram can be developed on that powerful platform toassist in recording all the source sequence numbers andfinding undelivered sequence intervals.

Accordingly, each node in the network stores a table of<node id of a source node, a forwarded sequence interval[a, b] with a significant length> about last period. The datapackets with the source node and the sequence numbersfalling in this forwarded sequence interval [a, b] havealready been forwarded by this node. When the nodereceives a broadcast message about data delivery, itsTrustManager will be able to identify which data packetsforwarded by this node are not delivered to the base station.Considering the overhead to store such a table, old entrieswill be deleted once the table is full.

Once a fresh broadcast message from the base station isreceived, a node immediately invalidates all the existingenergy cost entries: it is ready to receive a new energyreport from its neighbors and choose its new next-hop nodeafterward. Also, it is going to select a node either after atimeout is reached or after it has received an energy costreport from some highly trusted candidates with acceptableenergy cost. A node immediately broadcasts its energy costto its neighbors only after it has selected a new next-hopnode. That energy cost is computed by its EnergyWatcher(see Section 3.3). A natural question is which node startsreporting its energy cost first. For that, note that when thebase station is sending a broadcast message, a side effect isthat its neighbors receiving that message will also regardthis as an energy report: the base station needs 0 amount ofenergy to reach itself. As long as the original base station is

faithful, it will be viewed as a trustworthy candidate byTrustManager on the neighbors of the base station. There-fore, those neighbors will be the first nodes to decide theirnext-hop node, which is the base station; they will startreporting their energy cost once that decision is made.

3.2.2 Route Selection

Now, we introduce how TARF decides routes in a WSN.Each node N relies on its neighborhood table to select anoptimal route, considering both energy consumption andreliability. TARF makes good efforts in excluding thosenodes that misdirect traffic by exploiting the replay ofrouting information.

For a node N to select a route for delivering data to the

base station, N will select an optimal next-hop node from

its neighbors based on trust level and energy cost and

forward the data to the chosen next-hop node immediately.

The neighbors with trust levels below a certain threshold

will be excluded from being considered as candidates.

Among the remaining known neighbors, N will select its

next-hop node through evaluating each neighbor b based on

a tradeoff between TNb and ENbTNb

, with ENb and TNb being b’s

energy cost and trust level value in the neighborhood table,

respectively, (see Sections 3.3, 3.4). Basically, ENb reflects

the energy cost of delivering a packet to the base station

from N assuming that all the nodes in the route are honest;1TNb

approximately reflects the number of the needed

attempts to send a packet from N to the base station via

multiple hops before such an attempt succeeds, considering

the trust level of b. Thus, ENbTNbcombines the trustworthiness

and energy cost. However, the metric ENbTNb

suffers from the

fact that an adversary may falsely reports extremely low

energy cost to attract traffic and thus resulting in a low

value of ENbTNb

even with a low TNb. Therefore, TARF prefers

nodes with significantly higher trust values; this preference

of trustworthiness effectively protects the network from an

adversary who forges the identity of an attractive node

such as a base station. For deciding the next-hop node, a

specific tradeoff between TNb and ENbTNb

is demonstrated in

Fig. 5 (see Section 5.2).Observe that in an ideal misbehavior-free environment,

all nodes are absolutely faithful, and each node will choosea neighbor through which the routing path is optimized interms of energy; thus, an energy-driven route is achieved.

3.3 EnergyWatcher

Here, we describe how a node N ’s EnergyWatcher computesthe energy cost ENb for its neighbor b in N’s neighborhoodtable and how N decides its own energy cost EN . Beforegoing further, we will clarify some notations. ENb men-tioned is the average energy cost of successfully delivering aunit-sized data packet from N to the base station, with b asN’s next-hop node being responsible for the remainingroute. Here, one-hop retransmission may occur until theacknowledgment is received or the number of retransmis-sions reaches a certain threshold. The cost caused by one-hop retransmissions should be included when computingENb. Suppose N decides that A should be its next-hop nodeafter comparing energy cost and trust level. Then, N ’s



energy cost is EN ¼ ENA. Denote EN!b as the averageenergy cost of successfully delivering a data packet from Nto its neighbor b with one hop. Note that the retransmissioncost needs to be considered. With the above notations, it isstraightforward to establish the following relation:

ENb ¼ EN!b þ Eb:

Since each known neighbor b of N is supposed to broadcastits own energy cost Eb to N , to compute ENb, N still needsto know the value EN!b, i.e., the average energy cost ofsuccessfully delivering a data packet from N to its neighborb with one hop. For that, assuming that the endings (beingacknowledged or not) of one-hop transmissions from N to bare independent with the same probability psucc of beingacknowledged, we first compute the average number ofone-hop sendings needed before the acknowledgment isreceived as follows:

X1i¼1

i � psucc � ð1� psuccÞi�1 ¼ 1

psucc:

Denote Eunit as the energy cost for node N to send a unit-sized data packet once regardless of whether it is receivedor not. Then, we have

ENb ¼Eunit

psuccþ Eb:

The remaining job for computingENb is to get the probabilitypsucc that a one-hop transmission is acknowledged. Con-sidering the variable wireless connection among wirelesssensor nodes, we do not use the simplistic averaging methodto compute psucc. Instead, after each transmission from N tob, N’s EnergyWatcher will update psucc based on whether thattransmission is acknowledged or not with a weightedaveraging technique. We use a binary variable Ack to recordthe result of current transmission: 1 if an acknowledgment isreceived; otherwise, 0. Given Ack and the last probabilityvalue of an acknowledged transmission pold succ, an intuitiveway is to use a simply weighted average of Ack and pold succ

as the value of pnew succ. That is what is essentially adopted inthe aging mechanism [29]. However, that method usedagainst sleeper attacks still suffers periodic attacks [30]. Tosolve this problem, we update the psucc value using twodifferent weights as in our previous work [30], a relativelybig wdegrade 2 ð0; 1Þ and a relatively small wupgrade 2 ð0; 1Þ asfollows:

pnew succ ¼

ð1� wdegradeÞ � pold succ þ wdegrade �Ack;if Ack ¼ 0:ð1� wupgradeÞ � pold succ þ wupgrade �Ack;if Ack ¼ :1:

8>><>>:

The two parameters wdegrade and wupgrade allow flexibleapplication requirements. wdegrade and wupgrade represent theextent to which upgraded and degraded performance arerewarded and penalized, respectively. If any fault andcompromise is very likely to be associated with a high risk,wdegrade should be assigned a relatively high value topenalize fault and compromise relatively heavily; if a fewpositive transactions can’t constitute evidence of goodconnectivity which requires many more positive transac-tions, then wupgrade should be assigned a relatively low value.

3.4 TrustManager

A node N ’s TrustManager decides the trust level of eachneighbor based on the following events: discovery ofnetwork loops, and broadcast from the base station aboutdata delivery. For each neighbor b of N , TNb denotes thetrust level of b in N’s neighborhood table. At the beginning,each neighbor is given a neutral trust level 0.5. After any ofthose events occurs, the relevant neighbors’ trust levels areupdated.

Note that many existing routing protocols have theirown mechanisms to detect routing loops and to reactaccordingly [31], [32], [28]. In that case, when integratingTARF into those protocols with antiloop mechanisms,TrustManager may solely depend on the broadcast fromthe base station to decide the trust level; we adopted such apolicy when implementing TARF later (see Section 5). Ifantiloop mechanisms are both enforced in the TARFcomponent and the routing protocol that integrates TARF,then the resulting hybrid protocol may overly react towardthe discovery of loops. Though sophisticated loop-discov-ery methods exist in the currently developed protocols, theyoften rely on the comparison of specific routing cost to rejectroutes likely leading to loops [32]. To minimize the effort tointegrate TARF and the existing protocol and to reduce theoverhead, when an existing routing protocol does notprovide any antiloop mechanism, we adopt the followingmechanism to detect routing loops. To detect loops, theTrustManager on N reuses the table of <node id of a sourcenode, a forwarded sequence interval [a, b] with a significantlength> (see Section 3.2) in last period. If N finds that areceived data packet is already in that record table, not onlywill the packet be discarded, but the TrustManager on N

also degrades its next-hop node’s trust level. If that next-hop node is b, then Told Nb is the latest trust level value of b.We use a binary variable Loop to record the result of loopdiscovery: 0 if a loop is received; 1 otherwise. As in theupdate of energy cost, the new trust level of b is

Tnew Nb ¼

ð1� wdegradeÞ � Told Nb þ wdegrade � Loop;if Loop ¼ 0:ð1� wupgradeÞ � Told Nb þ wupgrade � Loop;if Loop ¼ 1:

8>><>>:

Once a loop has been detected by N for a few times sothat the trust level of the next-hop node is too low, N willchange its next-hop selection, thus that loop is broken.Though N cannot tell which node should be heldresponsible for the occurrence of a loop, degrading itsnext-hop node’s trust level gradually leads to the breakingof the loop. On the other hand, to detect the trafficmisdirection by nodes exploiting the replay of routinginformation, TrustManager on N compares N’s stored tableof <node id of a source node, forwarded sequence interval[a, b] with a significant length> recorded in last period withthe broadcast messages from the base station about datadelivery. It computes the ratio of the number of successfullydelivered packets which are forwarded by this node to thenumber of those forwarded data packets, denoted asDeliveryRatio. Then, N’s TrustManager updates its next-hop node b’s trust level as follows:



Tnew Nb ¼

ð1� wdegradeÞ � Told Nb

þ wdegrade �DeliveryRatio;if DeliveryRatio < Told Nb:

ð1� wupgradeÞ � Told Nb

þ wupgrade �DeliveryRatio;if DeliveryRatio >¼ Told Nb:

8>>>>>>>><>>>>>>>>:

3.5 Analysis on EnergyWatcher and TrustManager

Now that a node N relies on its EnergyWatcher andTrustManager to select an optimal neighbor as its next-hopnode, we would like to clarify a few important points on thedesign of EnergyWatcher and TrustManager.

First, as described in Section 3.1, the energy cost reportis the only information that a node is to passively receiveand take as “fact.” It appears that such acceptance ofenergy cost report could be a pitfall when an attacker or acompromised node forges false report of its energy cost.Note that the main interest of an attacker is to prevent datadelivery rather than to trick a data packet into a lessefficient route, considering the effort it takes to launch anattack. As far as an attack aiming at preventing datadelivery is concerned, TARF well mitigates the effect of thispitfall through the operation of TrustManager. Note that theTrustManager on one node does not take any recommenda-tion from the TrustManager on another node. If an attackerforges false energy report to form a false route, suchintention will be defeated by TrustManager: when theTrustManager on one node finds out the many deliveryfailures from the broadcast messages of the base station, itdegrades the trust level of its current next-hop node; whenthat trust level goes below certain threshold, it causes thenode to switch to a more promising next-hop node.

Second, TrustManager identities the low trustworthinessof various attackers misdirecting the multihop routing,especially those exploiting the replay of routing informa-tion. It is noteworthy that TrustManager does not distin-guish whether an error or an attack occurs to the next-hopnode or other succeeding nodes in the route. It seems unfairthat TrustManager downgrades the trust level of an honestnext-hop node while the attack occurs somewhere after thatnext-hop node in the route. Contrary to that belief,TrustManager significantly improves data delivery ratio inthe existence of attack attempts of preventing data delivery.First of all, it is often difficult to identify an attacker whoparticipates in the network using an id “stolen” fromanother legal node. For example, it is extremely difficult todetect a few attackers colluding to launch a combinedwormhole and sinkhole attack [4]. Additionally, despite thecertain inevitable unfairness involved, TrustManager en-courages a node to choose another route when its currentroute frequently fails to deliver data to the base station.Though only those legal neighboring nodes of an attackermight have correctly identified the adversary, our evalua-tion results indicate that the strategy of switching to a newroute without identifying the attacker actually significantlyimproves the network performance, even with the existenceof wormhole and sinkhole attacks. Fig. 3 gives an example toillustrate this point. In this example, nodes A, B, C, and Dare all honest nodes and not compromised. Node A hasnode B as its current next-hop node while node B has an

attacker node as its next-hop node. The attacker drops everypacket received and thus any data packet passing node Awill not arrive at the base station. After a while, node Adiscovers that the data packets it forwarded did not getdelivered. The TrustManager on node A starts to degradethe trust level of its current next-hop node B although nodeB is absolutely honest. Once that trust level becomes toolow, node A decides to select node C as its new next-hopnode. In this way, node A identifies a better and successfulroute (A - C - D - base). In spite of the sacrifice of node B’strust level, the network performs better. Further, concerningthe stability of routing path, once a valid node identifies atrustworthy honest neighbor as its next-hop node, it tendsto keep that next-hop selection without considering otherseemingly attractive nodes such as a fake base station. Thattendency is caused by both the preference to maintain stableroutes and the preference to highly trustable nodes.

Finally, we would like to stress that TARF is designed toguard a WSN against the attacks misdirecting the multihoprouting, especially those based on identity theft throughreplaying the routing information. Other types of attackssuch as the denial-of-service [3] attacks are out of thediscussion of this paper. For instance, we do not address theattacks of injecting into the network a number of data packetscontaining false sensing data but authenticated (possiblythrough hacking). That type of attacks aim to exhaust thenetwork resource instead of misdirecting the routing.However, if the attacker intends to periodically inject a fewrouting packets to cause wrong route, such attacks can stillbe defended by TARF through TrustManager.

4 SIMULATION

We have developed a reconfigurable emulator of wirelesssensor networks on a 2D plane with Matlab to test TARF.We have conducted extensive simulation experiments;however, due to the page limit, interested readers mayrefer to our technical report [33] and the conference versionof paper [1] for detailed simulation settings and experi-mental results. In our experiments, initially, 35 nodes arerandomly distributed within a 300�300 rectangular area,with unreliable wireless transmission. All the nodes havethe same power level and the same maximal transmissionrange of 100 m. Each node samples six times in everyperiod; the timing gap between every two consecutivesamplings of the same node is equivalent. We simulate thesensor network in 1,440 consecutive periods.

Regarding the network topology, we set up three typesof network topologies. The first type is the static-locationcase under which all nodes stand still. The second type is acustomized group-motion-with-noise case based on Refer-ence Point Group Mobility (RPGM) model that mimics the


Fig. 3. An example to illustrate how TrustManager works.


behavior of a set of nodes moving in one or more groups[34], [35]. The last type of dynamic network incorporated inthe experiments is the addition of scattered RF-shieldedareas to the aforementioned group-motion-with-noise case.

The performance of TARF is compared to that of a linkconnectivity-based routing protocol adapted from whatis proposed by Woo et al. [28]. We denote the linkconnectivity-based routing protocol as Link connectivity.With the Link-connectivity protocol, each node selects itsnext-hop node among its neighborhood table according toan link estimator based on exponentially weighted movingaverage (EWMA). The simulation results show, in thepresence of misbehaviors, the throughput in TARF is oftenmuch higher than that in Link connectivity; the hop-per-delivery in the Link-connectivity protocol is generally at leastcomparable to that in TARF.

Under a misbehavior-free environment, the simulationresults show that TARF and Link connectivity have compar-able performance when there is no adversary. Bothprotocols are also evaluated under three common types ofattacks: 1) a certain node forges the identity of the basedstation by replaying broadcast messages, also known asthe sinkhole attack; 2) a set of nodes colludes to form aforwarding loop; and 3) a set of nodes drops received datapackets. These experiments were conducted in the staticcase, the group-motion-with-noise case, and the addition ofRF-shielded areas to the group-motion-with-noise caseseparately. Generally, under these common attacks, TARFproduces a substantial improvement over Link connectivityin terms of data collection and energy efficiency. Further,we have evaluated TARF under more severe attacks:multiple moving fake bases and multiple Sybil attackers.As before, the experiments are conducted under all thethree types of network topology. Under these two types ofmost severe attacks which almost devastates the Link-connectivity protocol, TARF succeeds in achieving a steadyimprovement over the Link-connectivity protocol. Finally, wehave conducted certain experiments to explore the choice ofthe period length and the trust updating scheme. Ourexperiments reveal that a shorter period or a faster trustupdating scheme may not necessarily benefit TARF.

5 IMPLEMENTATION AND EMPIRICAL EVALUATION

In order to evaluate TARF in a real-world setting, weimplemented the TrustManager component on TinyOS 2.x,which can be integrated into the existing routing protocolsfor WSNs with the least effort. Originally, we hadimplemented TARF as a self-contained routing protocol[1] on TinyOS 1.x before this second implementation.However, we decided to redesign the implementationconsidering the following factors. First, the first implemen-tation only supports TinyOS 1.x, which was replaced byTinyOS 2.x; the porting procedure from TinyOS 1.x toTinyOS 2.x tends to frustrate the developers. Second, ratherthan developing a self-contained routing protocol, thesecond implementation only provides a TrustManagercomponent that can be easily incorporated into the existingprotocols for routing decisions. The detection of routingloops and the corresponding reaction are excluded from theimplementation of TrustManager since many existing pro-tocols, such as Collection Tree Protocol [32] and the linkconnectivity-based protocol [28], already provide that

feature. As we worked on the first implementation, wenoted that the existing protocols provide many nicefeatures, such as the analysis of link quality, the loopdetection and the routing decision mainly considering thecommunication cost. Instead of providing those features,our implementation focuses on the trust evaluation basedon the base broadcast of the data delivery, and such trustinformation can be easily reused by other protocols. Finally,instead of using TinySec [13] exclusively for encryption andauthentication as in the first implementation on TinyOS 1.x,this re-implementation let the developers decide whichencryption or authentication techniques to employ; theencryption and authentication techniques of TARF may bedifferent than that of the existing protocol.

5.1 TrustManager Implementation Details

The TrustManager component in TARF is wrapped into anindependent TinyOS configuration named TrustMana-

gerC. TrustManagerC uses a dedicated logic channel forcommunication and runs as a periodic service with aconfigurable period, thus not interfering with the applica-tion code. Though it is possible to implement TARF with aperiod always synchronized with the routing protocol’speriod, that would cause much intrusion into the sourcecode of the routing protocol. The current TrustManagerCuses a period of 30 seconds; for specific applications, bymodifying a certain header file, the period length may bereconfigured to reflect the sensing frequency, the energyefficiency, and trustworthiness requirement. TrustMana-gerC provides two interfaces (see Fig. 4), TrustControland Record, which are implemented in other modules. TheTrustControl interface provides the commands to enableand disable the trust evaluation, while the Record interfaceprovides the commands for a root, i.e., a base station, to adddelivered message record, for a nonroot node to addforwarded message record, and for a node to retrieve thetrust level of any neighboring node. The implementation ona root node differs from that on a nonroot node: a root nodestores the information of messages received (delivered)during the current period into a record table and broadcastdelivery failure record; a nonroot node stores the informa-tion of forwarded messages during the current period alsoin a record table and compute the trust of its neighborsbased on that and the broadcast information. Noting that


Fig. 4. TrustManager component.


much implementation overhead for a root can always betransferred to a more powerful device connected to the root,it is reasonable to assume that the root would have greatcapability of processing and storage.

A root broadcasts two types of delivery failure record: atmost three packets of significant undelivered intervals forindividual origins and at most two packets of the id’s of theorigins without any record in the current period. For eachorigin, at most three significant undelivered intervals arebroadcast. For a nonroot node, considering the processingand memory usage overhead, the record table keeps theforwarded message intervals for up to 20 source nodes,with up to five nonoverlapped intervals for each individualorigin. Our later experiments verify that such size limit ofthe table on a nonroot node produces a resilient TARF withmoderate overhead. The record table on a node keepsadding entries for new origins until it is full.

With our current implementation, a valid trust value is aninteger between 0 and 100, and any node is assigned an initialtrust value of 50. The weigh parameters are: wupgrade ¼ 0:1,wdegrade ¼ 0:3. The trust table of a nonroot node keeps thetrust level for up to 10 neighbors. Considering that anattacker may present multiple fake id’s, the implementationevicts entries with a trust level close to the initial trust of anynode. Such eviction policy is to ensure that the trust tableremembers those neighbors with high trust and low trust;any other neighbor not in this table is deemed to have theinitial trust value of 50.

5.2 Incorporation of TARF into Existing Protocols

To demonstrate how this TARF implementation can beintegrated into the exiting protocols with the least effort, weincorporated TARF into a collection tree routing protocol(CTP) [32]. The CTP protocol is efficient, robust, and reliablein a network with highly dynamic link topology. It quantifieslink quality estimation in order to choose a next-hop node.The software platform is TinyOS 2.x. To perform theintegration, after proper interface wiring, invoke the Trust-Control.start command to enable the trust evaluation;call the Record.addForwarded command for a nonrootnode to add forwarded record once a data packet has beenforwarded; call theRecord.addDelivered command for aroot to add delivered record once a data packet has beenreceived by the root. Finally, inside the CTP’s task to updatethe routing path, call the Record.getTrust command toretrieve the trust level of each next-hop candidate; analgorithm taking trust into routing consideration is executedto decide the new next-hop neighbor (see Fig. 5).

Similar to the original CTP’s implementation, the im-plementation of this new protocol decides the next-hopneighbor for a node with two steps (see Fig. 5): Step 1traverses the neighborhood table for an optimal candidatefor the next hop; Step 2 decides whether to switch from thecurrent next-hop node to the optimal candidate found. ForStep 1, as in the CTP implementation, a node would notconsider those links congested, likely to cause a loop, orhaving a poor quality lower than a certain threshold. Thisnew implementation prefers those candidates with highertrust levels; in certain circumstances, regardless of the linkquality, the rules deems a neighbor with a much higher trustlevel to be a better candidate (see Fig. 5). The preference ofhighly trustable candidates is based on the followingconsideration: on the one hand, it creates the least chance

for an adversary to misguide other nodes into a wrongrouting path by forging the identity of an attractive nodesuch as a root; on the other hand, forwarding data packets toa candidate with a low trust level would result in manyunsuccessful link-level transmission attempts, thus leadingto much retransmission and a potential waste of energy.When the network throughput becomes low and a node has alist of low-trust neighbors, the node will exclusively use thetrust as the criterion to evaluate those neighbors for routingdecisions. As shown in Fig. 5, it uses trust/cost as a criteriaonly when the candidate has a trust level above certainthreshold. The reason is, the sole trust/cost criteria could beexploited by an adversary replaying the routing informationfrom a base station and thus pretending to be an extremelyattractive node. As for Step 2, compared to the CTPimplementation, we add two more circumstances when anode decides to switch to the optimal candidate found atStep 1: that candidate has a higher trust level, or the currentnext-hop neighbor has a too low trust level.

This new implementation integrating TARF requiresmoderate program storage and memory usage. We im-plemented a typical TinyOS data collection application,MultihopOscilloscope, based on this new protocol. TheMultihopOscilloscope application, with certain modifiedsensing parameters for our later evaluation purpose,periodically makes sensing samples and sends out thesensed data to a root via multiple routing hops. Originally,MultihopOscilloscope uses CTP as its routing protocol.Now, we list the ROM and RAM sizes requirement of bothimplementation of MultihopOscilloscope on nonroot Telosbmotes in Table 1. The enabling of TARF in MultihopOscillo-scope increases the size of ROM by around 1.3 KB and thesize of memory by around 1.2 KB.

5.3 Empirical Evaluation on Motelab

We evaluated the performance of TARF against a combinedsinkhole and wormhole attack on Motelab [36] at Harvard


Fig. 5. Routing decision incorporating trust management.


University. One-hundred eighty-four TMote Sky sensormotes were deployed across many rooms at three floors inthe department building (see Fig. 6), with two to four motesin most rooms. Around 97 nodes functioned properly whilethe rest were either removed or disabled. Each mote has a2.4 GHz Chipcon CC2420 radio with an indoor range ofapproximately 100 meters. In Fig. 6, the thin green linesindicate the direct (one-hop) wireless connection betweenmotes. Certain wireless connection also exists betweennodes from different floors.

We developed a simple data collection application inTinyOS 2.x that sends a data packet every five seconds to abase station node (root) via multihop. This application wasexecuted on 91 functioning nonroot nodes on Motelab. Forcomparison, we used CTP and the TARF-enabled CTPimplementation as the routing protocols for the datacollection program separately. The TARF-enabled CTPhas a TARF period of 30 seconds. We conducted an attackwith five fake base stations that formed a wormhole. As inFig. 6, whenever the base station sent out any packet, threefake base stations which overheard that packet replayed thecomplete packet without changing any content includingthe node id. Other fake base stations overhearing thatreplayed packet would also replay the same packet. Eachfake base station essentially launched a sinkhole attack. Notethat there is a distinction between such malicious replayand the forwarding when a well-behaved node receives abroadcast from the base station. When a well-behaved nodeforwards a broadcast packet from the base station, it willinclude its own id in the packet so that its receivers will notrecognize the forwarder as a base station. We conductedthe first experiment by uploading the program with theCTP protocol onto 91 motes (not including those fiveselected motes as fake bases in later experiments), and noattack was involved here. Then, in another experiment, inaddition to programming those 91 motes with CTP, we alsoprogrammed the five fake base stations so that they stolethe id the base station through replaying. In the lastexperiment, we programmed those 91 motes with theTARF-enabled CTP, and programmed the five fake basestations as in the second experiment. Each of our programsrun for 30 minutes.

As illustrated in Fig. 7a, the existence of the five wormholeattackers greatly degraded the performance of CTP: thenumber of the delivered data packets in the case of CTPwith the five-node wormhole is no more than 14 percent thatin the case of CTP without adversaries. The TARF-enabledCTP succeeded in bringing an immense improvement overCTP in the presence of the five-node wormhole, almostdoubling the throughput. That improvement did not showany sign of slowing down as time elapsed. The number ofnodes from each floor that delivered at least one data packetin each six-minute subperiod is plotted in Figs. 7a, 7b, and

7c separately. On each floor, without any adversary, at least24 CTP nodes were able to find a successful route in each sixminute. However, with the five fake base stations in thewormhole, the number of CTP nodes that could find asuccessful route goes down to nine for the first floor; itdecreases to no more than four for the second floor; as theworst impact, none of the nodes on the third floor everfound a successful route. A further look at the data showedthat all the nine nodes from the first floor with successfuldelivery record were all close to the real base station. TheCTP nodes relatively far away from the base station, such asthose on the second and the third floor, had little luck inmaking good routing decisions. When TARF was enabledon each node, most nodes made correct routing decisionscircumventing the attackers. That improvement can beverified by the fact that the number of the TARF-enablednodes with successful delivery record under the threat ofthe wormhole is close to that of CTP nodes with no attackers,as shown in Figs. 7a, 7b, and 7c.

5.4 Application: Mobile Target Detection in thePresence of an Antidetection Mechanism

To demonstrate how TARF can be applied in networkedsensing systems, we developed a proof-of-concept resilientapplication of target detection. This application relies on adeployed wireless sensor network to detect a target that couldmove, and to deliver the detection events to a base station viamultiple hops with the TARF-enabled CTP protocol. Forsimplification, the target is a LEGO MINDSTORM NXT 2.0vehicle robot equipped with a TelosB mote that sends out anActive Message AM packet every three seconds. A sensornode receiving such a packet from the target issues a detectionreport, which will be sent to the base station with theaforementioned TARF-enabled CTP protocol.

The experiment is set up within a clear floor space of 90by 40 inches with 15 TelosB motes (see Fig. 8a). To make themultihop delivery necessary, the transmission power of allthe Telosb motes except two fake base stations in thenetwork is reduced through both software reduction andattenuator devices to within 30 inches. The target uses anantidetection mechanism utilizing a fake base station closeto the real base station, and another remote base stationclose to the target and mounted on another LEGO vehiclerobot. The two fake base stations, with a transmission rangeof at least 100 feet, collude to form a wormhole: the fake base


TABLE 1Size Comparison of MultihopOscilloscope

Implementation

Fig. 6. Connectivity map of Motelab (not including the inter-floorconnectivity), adapted from Motelab [Motelab].


station close to the base station replays all the packets fromthe base station immediately; the remote fake base station,after receiving those packets, immediately replays it again.This antidetection mechanism tricks some network nodesinto sending their event reports into these fake base stationsinstead of the real base station. Though the fake base station

close to the real base station is capable of cheating the wholenetwork alone by itself with its powerful radio for a certainamount of time, it can be easily recognized by remote nodesas a poor next-hop candidate soon by most routingprotocols based on link quality: that fake base station doesnot acknowledge the packets “sent” to it from remote nodeswith a weak radio via a single hop since it cannot reallyreceive them. Thus, the antidetection mechanism needs tocreate such a wormhole to replay the packets from the basestation remotely.

The target node 14 and the fake base station 13 close to itmove across the network along two parallel tracks of22 inches back and forth (see Fig. 8b); they travel on eachforward or backward path of 22 inches in around 10 minutes.The experiment lasts 30 minutes. For comparison, threenodes 9, 10, and 11 programmed with the CTP protocol arepaired with another three nodes 6, 7, and 8 programmed withthe TARF-enabled CTP (see Fig. 8b); each pair of nodes arephysically placed close enough. All the other nodes, exceptfor the fake base stations and the target node, are pro-grammed with the TARF-enabled CTP. To fairly compare theperformance between CTP and the TARF-enabled CTP, wenow focus on the delivered detection reports originatingfrom these three pairs of nodes: pair (9, 6), (10, 7), and (11, 8).For the time stamp of each detection report from these sixnodes, we plot a corresponding symbol: a purple circle for thenodes with the TARF-enabled CTP; a black cross for the CTPnodes. The resulting detection report is visualized in Fig. 9a.Roughly, the TARF nodes report the existence of the targetseven times as often as the CTP nodes do. More specifically,


Fig. 8. Deployment of a TARF-enabled wireless sensor network todetect a moving target under the umbrella of two fake base stations in awormhole.

Fig. 7. Empirical comparison of CTP and TARF-enabled CTP onMotelab: (a) number of all delivered data packets since the beginning;number of nodes on (b) the first floor, (c) the second floor and (d) thethird floor that delivered at least one data packet in subperiods.


as shown in Fig. 9b, in the pair (9, 6), no report from CTP

node 9 is delivered while 46 reports from TARF node 6 is

delivered; in the pair (10, 7), no report from CTP node 10 is

delivered while 80 reports from TARF node 7 is delivered; in

the pair (11, 8), 40 reports from CTP node 11 is delivered

while 167 reports from TARF node 8 is delivered. Taking into

account the spatial proximity between each pair of nodes, the

TARF-enabled CTP achieves an enormous improvement in

target detection over the original CTP.The demonstration of our TARF-based target detection

application implies the significance of adopting a secure

routing protocol in certain critical applications. The experi-

mental results indicate that TARF greatly enhances the

security of applications involving multihop data delivery.

6 RELATED WORK

We discuss more related work here in addition to the

introduction in Section 1. It is generally hard to protect

WSNs from wormhole attacks, sinkhole attacks, and Sybil

attacks based on identity deception. The countermeasures

often requires either tight time synchronization or known

geographic information [4]. FBSR [37], as a feedback-based

secure routing protocol for WSNs, uses a statistics-based

detection on a base station to discover potentially compro-

mised nodes. But the claim that FBSR is resilient against

wormhole and Sybil attacks is never evaluated or examined;

the Keyed-OWHC-based authentication used by FBSR also

causes considerable overhead. There also exists other work

on trust-aware secure routing that is evaluated only

through computer simulation, such as [38].There are certain existing secure routing solutions for

WSNs based on trust and reputation management; how-ever, they rarely address the “identity theft” exploiting thereplay of routing information. Two such representativesolutions are ATSR [22] and TARP [23]. Neither ATSR norTARP offers protection against the identity deceptionthrough replaying routing information. ATSR [22] is alocation-based trust-aware routing solution for large WSNs.ATSR incorporates a distributed trust model utilizing bothdirect and indirect trust, geographical information as wellas authentication to protect the WSNs from packet mis-forwarding, packet manipulation, and acknowledgmentsspoofing. Another trust-aware routing protocol for WSNs isTARP [23], which exploits nodes’ past routing behavior andlink quality to determine efficient paths.

7 CONCLUSIONS

We have designed and implemented TARF, a robust trust-

aware routing framework for WSNs, to secure multihop

routing in dynamic WSNs against harmful attackers exploit-

ing the replay of routing information. TARF focuses on

trustworthiness and energy efficiency, which are vital to the

survival of a WSN in a hostile environment. With the idea of

trust management, TARF enables a node to keep track of the

trustworthiness of its neighbors and thus to select a reliable

route. Our main contributions are listed as follows:

1. Unlike previous efforts at secure routing for WSNs,TARF effectively protects WSNs from severe attacksthrough replaying routing information; it requiresneither tight time synchronization nor known geo-graphic information.

2. The resilience and scalability of TARF are provedthrough both extensive simulation and empiricalevaluation with large-scale WSNs; the evaluationinvolves both static and mobile settings, hostilenetwork conditions, as well as strong attacks such aswormhole attacks and Sybil attacks.

3. We have implemented a ready-to-use TinyOSmodule of TARF with low overhead; as demon-strated in the paper, this TARF module can beintegrated into existing routing protocols with theleast effort, thus producing secure and efficient fullyfunctional protocols.

4. Finally, we demonstrate a proof-of-concept mobiletarget detection application that is built on top ofTARF and is resilient in the presence of anantidetection mechanism that indicates the potentialof TARF in WSN applications.

ACKNOWLEDGMENTS

This work is in part supported by AFRL contract FA8650-10-C-1740 and US National Science Foundation (NSF)Career Award CCF-0643521. The authors also would liketo thank the program manager Mr. John Woods for his greatsupport as well as the anonymous reviewers for theirconstructive comments and suggestions.


Fig. 9. Comparison of CTP and the TARF-enabled CTP in detecting themoving target.


REFERENCES

[1] G. Zhan, W. Shi, and J. Deng, “Tarf: A Trust-Aware RoutingFramework for Wireless Sensor Networks,” Proc. Seventh EuropeanConf. Wireless Sensor Networks (EWSN ’10), 2010.

[2] F. Zhao and L. Guibas, Wireless Sensor Networks: An InformationProcessing Approach. Morgan Kaufmann, 2004.

[3] A. Wood and J. Stankovic, “Denial of Service in Sensor Net-works,” Computer, vol. 35, no. 10, pp. 54-62, Oct. 2002.

[4] C. Karlof and D. Wagner, “Secure Routing in Wireless SensorNetworks: Attacks and Countermeasures,” Proc. First IEEE Int’lWorkshop Sensor Network Protocols and Applications, 2003.

[5] M. Jain and H. Kandwal, “A Survey on Complex WormholeAttack in Wireless Ad Hoc Networks,” Proc. Int’l Conf. Advances inComputing, Control, and Telecomm. Technologies (ACT ’09), pp. 555-558, 2009.

[6] I. Krontiris, T. Giannetsos, and T. Dimitriou, “Launching aSinkhole Attack in Wireless Sensor Networks; The Intruder Side,”Proc. IEEE Int’l Conf. Wireless and Mobile Computing, Networking andComm. (WIMOB ’08), pp. 526-531, 2008.

[7] J. Newsome, E. Shi, D. Song, and A. Perrig, “The Sybil Attackin Sensor Networks: Analysis and Defenses,” Proc. Third Int’lConf. Information Processing in Sensor Networks (IPSN ’04), Apr.2004.

[8] L. Bai, F. Ferrese, K. Ploskina, and S. Biswas, “PerformanceAnalysis of Mobile Agent-Based Wireless Sensor Network,” Proc.Eighth Int’l Conf. Reliability, Maintainability and Safety (ICRMS ’09),pp. 16-19, 2009.

[9] L. Zhang, Q. Wang, and X. Shu, “A Mobile-Agent-BasedMiddleware for Wireless Sensor Networks Data Fusion,” Proc.Instrumentation and Measurement Technology Conf. (I2MTC ’09),pp. 378-383, 2009.

[10] W. Xue, J. Aiguo, and W. Sheng, “Mobile Agent Based MovingTarget Methods in Wireless Sensor Networks,” Proc. IEEE Int’lSymp. Comm. and Information Technology (ISCIT ’05), vol. 1, pp. 22-26, 2005.

[11] J. Hee-Jin, N. Choon-Sung, J. Yi-Seok, and S. Dong-Ryeol, “AMobile Agent Based Leach in Wireless Sensor Networks,” Proc.10th Int’l Conf. Advanced Comm. Technology (ICACT ’08), vol. 1,pp. 75-78, 2008.

[12] J. Al-Karaki and A. Kamal, “Routing Techniques in WirelessSensor Networks: A Survey,” Wireless Comm., vol. 11, no. 6, pp. 6-28, Dec. 2004.

[13] C. Karlof, N. Sastry, and D. Wagner, “Tinysec: A Link LayerSecurity Architecture for Wireless Sensor Networks,” Proc. ACMInt’l Conf. Embedded Networked Sensor Systems (SenSys ’04), Nov.2004.

[14] A. Perrig, R. Szewczyk, W. Wen, D. Culler, and J. Tygar, “SPINS:Security Protocols for Sensor Networks,” Wireless Networks J.,vol. 8, no. 5, pp. 521-534, Sept. 2002.

[15] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus,“Tinypk: Securing Sensor Networks with Public Key Technology,”Proc. Second ACM Workshop Security of Ad Hoc and Sensor Networks(SASN ’04), pp. 59-64, 2004.

[16] A. Liu and P. Ning, “Tinyecc: A Configurable Library forElliptic Curve Cryptography in Wireless Sensor Networks,”Proc. Seventh Int’l Conf. Information Processing in Sensor Networks(IPSN ’08), pp. 245-256, 2008.

[17] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “ASurvey on Sensor Networks,” IEEE Comm. Magazine, vol. 40, no. 8,pp. 102-114, Aug. 2002.

[18] H. Safa, H. Artail, and D. Tabet, “A Cluster-Based Trust-AwareRouting Protocol for Mobile Ad Hoc Networks,” Wireless Net-works, vol. 16, no. 4, pp. 969-984, 2010.

[19] W. Gong, Z. You, D. Chen, X. Zhao, M. Gu, and K. Lam, “TrustBased Routing for Misbehavior Detection in Ad Hoc Networks,” J.Networks, vol. 5, no. 5, pp. 551-558, May 2010.

[20] Z. Yan, P. Zhang, and T. Virtanen, “Trust Evaluation BasedSecurity Solution in Ad Hoc Networks,” Proc. Seventh NordicWorkshop Secure IT Systems, 2003.

[21] J.L.X. Li and M.R. Lyu, “Taodv: A Trusted Aodv Routing Protocolfor Mobile Ad Hoc Networks,” Proc. Aerospace Conf., 2004.

[22] T. Zahariadis, H. Leligou, P. Karkazis, P. Trakadas, I. Papaef-stathiou, C. Vangelatos, and L. Besson, “Design and Implementa-tion of a Trust-Aware Routing Protocol for Large WSNs,” Int’l J.Network Security and Its Applications, vol. 2, no. 3, pp. 52-68, July2010.

[23] A. Rezgui and M. Eltoweissy, “Tarp: A Trust-Aware RoutingProtocol for Sensor-Actuator Networks,” Proc. IEEE Int’l Conf.Mobile Adhoc and Sensor Systems (MASS ’07), 2007.

[24] A. Abbasi and M. Younis, “A Survey on Clustering Algorithms forWireless Sensor Networks,” Computer Comm., vol. 30, pp. 2826-2841, Oct. 2007.

[25] S. Chang, S. Shieh, W. Lin, and C. Hsieh, “An Efficient BroadcastAuthentication Scheme in Wireless Sensor Networks,” Proc. ACMSymp. Information, Computer and Comm. Security (ASIACCS ’06),pp. 311-320, 2006.

[26] K. Ren, W. Lou, K. Zeng, and P. Moran, “On BroadcastAuthentication in Wireless Sensor Networks,” IEEE Trans. WirelessComm., vol. 6, no. 11, pp. 4136-4144, Nov. 2007.

[27] P. De, Y. Liu, and S.K. Das, “Modeling Node CompromiseSpread in Wireless Sensor Networks Using Epidemic Theory,”Proc. Int’l Symp. World of Wireless, Mobile and Multimedia Networks(WoWMoM ’06), pp. 237-243, 2006.

[28] A. Woo, T. Tong, and D. Culler, “Taming the UnderlyingChallenges of Reliable Multihop Routing in Sensor Networks,”Proc. First ACM Int’l Conf. Embedded Networked Sensor Systems(SenSys ’03), Nov. 2003.

[29] S. Ganeriwal, L. Balzano, and M. Srivastava, “Reputation-BasedFramework for High Integrity Sensor Networks,” ACM Trans.Sensor Networks, vol. 4, pp. 1-37 2008.

[30] G. Zhan, W. Shi, and J. Deng, “Poster Abstract: Sensortrust—AResilient Trust Model for WSNs,” Proc. Seventh Int’l Conf.Embedded Networked Sensor Systems (SenSys ’09), 2009.

[31] C. Perkins and P. Bhagwat, “Highly Dynamic Destination-Sequenced Distance-Vector Routing (dsdv) for Mobile Compu-ters,” ACM SIGCOMM Computer Comm. Rev., vol. 24, no. 4,pp. 234-244, 1994.

[32] O. Gnawali, R. Fonseca, K. Jamieson, D. Moss, and P. Levis,“Collection Tree Protocol,” Proc. Seventh ACM Conf. EmbeddedNetworked Sensor Systems (SenSys ’09), pp. 1-14, 2009.

[33] G. Zhan, W. Shi, and J. Deng, “Design, Implementation andEvaluation of Tarf: A Trust-Aware Routing Framework forDynamic WSNs,” Technical Report MIST-TR-2010-003, WayneState Univ., http://mine.cs.wayne.edu/~guoxing/tarf.pdf, Oct.2010.

[34] Q. Zheng, X. Hong, and S. Ray, “Recent Advances in MobilityModeling for Mobile Ad Hoc Network Research,” Proc. 42nd Ann.Southeast Regional Conf. (ACM-SE 42), pp. 70-75, 2004.

[35] X. Hong, M. Gerla, G. Pei, and C. Chiang, “A Group MobilityModel for Ad Hoc Wireless Networks,” Proc. Second ACM Int’lWorkshop Modeling, Analysis and Simulation of Wireless and MobileSystems (MSWiM ’99), pp. 53-60, 1999.

[36] “Motelab,” http://motelab.eecs.harvard.edu, 2005.[37] Z. Cao, J. Hu, Z. Chen, M. Xu, and X. Zhou, “FBSR: Feedback-

Based Secure Routing Protocol for Wireless Sensor Networks,”Int’l J. Pervasive Computing and Comm., vol. 4, pp. 61-76, 2008.

[38] T. Ghosh, N. Pissinou, and K. Makki, “Collaborative Trust-BasedSecure Routing against Colluding Malicious Nodes in Multi-HopAd Hoc Networks,” Proc. 29th Ann. IEEE Int’l Conf. Local ComputerNetworks, pp. 224-231, Nov. 2004.

Guoxing Zhan received the MS degree inmathematics from Chinese Academy ofSciences in 2007 and another MS degree incomputer science from Wayne State Universityin 2009. He is currently working toward the PhDdegree in the Department of Computer Scienceat Wayne State University. He is interested inresearch on participatory sensing, wirelesssensor network, mobile computing, networking,and systems Security, trust Management, and

information processing. Several of his research papers have beenpresented at international conferences or published in journals.Additionally, he has instructed a few computer science laboratoriesconsisting of interactive short lectures and hands-on experience.



Weisong Shi received the BS degree fromXidian University in 1995 and the PhD degreefrom the Chinese Academy of Sciences in 2000,both in computer engineering. He is an associ-ate professor of computer science at WayneState University. His current research focuseson computer systems, mobile and cloud comput-ing. He has published more than 100 peerreviewed journal and conference papers. He isthe author of the book “Performance Optimiza-

tion of Software Distributed Shared Memory Systems” (High EducationPress, 2004). He has served the program chairs and technical programcommittee members of several international conferences. He is arecipient of the US National Science Foundation (NSF) CAREER award,one of 100 outstanding PhD dissertations (China) in 2002, CareerDevelopment Chair Award of Wayne State University in 2009, and the“Best Paper Award” of ICWE ’04 and IPDPS ’05. He is a senior memberof the IEEE.

Julia Deng received the PhD degree in theDepartment of Electrical Engineering from theUniversity of Cincinnati in 2004, majoring incommunications and computer networks. She iscurrently a principal scientist at Intelligent Auto-mation, Inc. Her primary research interestsinclude protocol design, analysis, and imple-mentation in wireless ad hoc/sensor networks,network security, information assurance, andnetwork management. At IAI, she serves as the

PI and leads many network and security-related projects, such assecure routing for airborne Networks, network service for airborneNetworks, DoS mitigation for tactical networks, trust-aware querying forsensor networks, trusted routing for sensor networks, agent-basedintrusion detection system, just to name a few.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.



Design and implementation of tarfa trust aware routing framework for ws ns.bak

Documents

Transcript of Design and implementation of tarfa trust aware routing framework for ws ns.bak