Adaptation of Reputation Management Systems to Dynamic Network Conditions in Ad Hoc Networks
IEEE TRANSACTIONS ON COMPUTERS, VOL. 59, NO. 5, MAY 2010

Mohamed Tamer Refaei, Luiz A. DaSilva, Senior Member, IEEE, Mohamed Eltoweissy, Senior Member, IEEE, and Tamer Nadeem, Member, IEEE

Abstract—Reputation management systems have been proposed as a cooperation enforcement solution in ad hoc networks. Typically, the functions of reputation management (evaluation, detection, and reaction) are carried out homogeneously across time and space. However, the dynamic nature of ad hoc networks causes node behavior to vary both spatially and temporally due to changes in local and network-wide conditions. When reputation management functions do not adapt to such changes, their effectiveness, measured in terms of accuracy (correct identification of node behavior) and promptness (timely identification of node misbehavior), may be compromised. We propose an adaptive reputation management system that realizes that changes in node behavior may be driven by changes in network conditions and that accommodates such changes by adapting its operating parameters. We introduce a time-slotted approach to allow the evaluation function to quickly and accurately capture changes in node behavior. We show how the duration of an evaluation slot can adapt according to the network's activity to enhance the system accuracy and promptness. We then show how the detection function can utilize a Sequential Probability Ratio Test (SPRT) to distinguish between cooperative and misbehaving neighbors. The SPRT adapts to changes in neighbors' behavior that are a by-product of changing network conditions, by using the node's own behavior as a benchmark. We compare our proposed solution to a nonadaptive system, showing the ability of our system to achieve high accuracy and promptness in dynamic environments.
To the best of our knowledge, this is the first work to explore the adaptation of the reputation management functions to changes in network conditions.

Index Terms—Reputation management, ad hoc networks, cooperation, adaptation, node misbehavior.

- M.T. Refaei is with the MITRE Corporation, 7515 Colshire Drive, McLean, VA 22102-7539. E-mail: email@example.com.
- L.A. DaSilva is with the Department of Electrical and Computer Engineering, Virginia Polytechnic Institute and State University, Arlington, VA 22203, and the CTVR, Trinity College Dublin, Dublin 2, Ireland. E-mail: firstname.lastname@example.org.
- M. Eltoweissy is with the Bradley Department of Electrical and Computer Engineering, Virginia Tech, 4300 Wilson Blvd., Suite 750, Arlington, VA 22203. E-mail: email@example.com.
- T. Nadeem is with Siemens Corporate Research, Inc., 755 College Road, Princeton, NJ 08540. E-mail: firstname.lastname@example.org.

Manuscript received 25 Apr. 2008; revised 13 Feb. 2009; accepted 5 Oct. 2009; published online 29 Jan. 2010. Recommended for acceptance by Y. Yang. For information on obtaining reprints of this article, please send e-mail to: email@example.com, and reference IEEECS Log Number TC-2008-04-0177. Digital Object Identifier no. 10.1109/TC.2010.34. 0018-9340/10/$26.00 © 2010 IEEE. Published by the IEEE Computer Society.

1 INTRODUCTION

Cooperation among nodes is essential to the survival of an ad hoc network, as it forms the basis for key network functions such as packet forwarding. In particular, nodes are expected to cooperate by forwarding packets on behalf of one another, enabling the delivery of packets over a multihop route. If nodes refuse to cooperate in packet forwarding, end-to-end packet delivery may not be possible. Such uncooperative behavior can greatly degrade network performance and may even result in total communication breakdown. It is important to detect and isolate uncooperative nodes to limit their negative impact on the network performance.

Reputation management systems (RMSs) have been proposed in the literature to promote cooperation and discourage nodes in an ad hoc network from misbehaving with respect to packet forwarding. The goals of a reputation management system are to: evaluate nodes' behavior based on packet forwarding (evaluation), distinguish between cooperative and misbehaving nodes (detection), and appropriately react to nodes according to their behavior (reaction) . It is commonly assumed that reputation management systems at different nodes carry out these functions (evaluation, detection, and reaction) homogeneously across time and space. In other words, the evaluation criteria, detection decision factors, and reactive measures are the same at all nodes at all times. The homogeneous application of reputation decisions does not take into account the dynamics of the environment in which ad hoc networks operate, where local and network-wide conditions change frequently, impacting node behavior. Such behavior may be perceived differently from one node to another. At times, the network conditions are such that a node i that chooses to act cooperatively can successfully do so by forwarding all traffic routed through it (due to moderate traffic activity, favorable channel conditions, etc.). At other times, network conditions are such that node i may not be able to successfully forward traffic routed through it due to adverse conditions (such as high congestion, channel impairments, etc.). Therefore, node behavior may vary from one node to another and from time to time due to changes in local and network-wide conditions, affecting the ability of the reputation management mechanism to distinguish between a node's willful not to forward packets (misbehavior) and its inability to do so due to adverse network conditions.
The effectiveness of a reputation management system, which is usually measured in terms of its ability to accurately and promptly distinguish between cooperative and misbehaving nodes, may deteriorate if it does not adapt to network conditions. If the perception of cooperative behavior remains the same under both adequate and adverse network conditions, a node may be incorrectly identified as misbehaving during unfavorable network conditions and inappropriate reaction may be taken against it (e.g., isolation from the network). Hence, in a reputation management system, the evaluation criteria, detection decision factors, and reactive measures should be adaptive across time and space to changes in network conditions. We, herein, refer to such a system as an adaptive reputation management system.

In this paper, we focus on enhancing the system's effectiveness through adaptability of the evaluation and detection functions. We rely on two simple premises to guide this adaptation: 1) a sound evaluation of reputation requires the observation of other nodes' behavior for longer periods of time when there is less traffic in the network; and 2) the assessment of other nodes' behavior should be in comparison to one's own behavior. We propose a time-slotted approach for node behavior evaluation. We illustrate how this mechanism can effectively recognize fluctuations in node behavior and how the slot duration impacts the accuracy and promptness of the system in recognizing misbehavior. A slot duration that is too short reduces the system's accuracy, while one that is too long reduces its promptness. We propose a localized approach whereby the slot duration adapts to the traffic activity each node is witnessing.

We, then, introduce an adaptive detection function whereby a cooperative node uses its self-assessed behavior as a benchmark for judging the behavior of other nodes within its local neighborhood. This function takes advantage of the observation that in some environments cooperative nodes within close proximity experience similar network conditions , . The detection function devises an SPRT to distinguish between cooperative and misbehaving nodes within each evaluation slot. The SPRT uses packet receiving and packet forwarding events noted for each node within each slot to evaluate node behavior. The SPRT infers network conditions using the node's self-assessed behavior and takes that inference into consideration when evaluating other nodes. A merit of the SPRT is that the number of observations required to accurately evaluate node behavior depends on the local network conditions perceived by the evaluator (hence, localized adaptive detection is possible). Further, the number of observations used in SPRTs is greatly reduced (by 50 percent or more in many cases) when compared to other methods that use a fixed number of observations . This allows for prompt decision making, which limits the scope of damage to the network that can be caused by a misbehaving node. Our goal is to build an effective reputation management system for dynamically changing ad hoc network environments. Such a system must adapt to changes in the network conditions.

Our contribution in this paper is twofold. First, we show that a slotted evaluation function can properly recognize fluctuations in node behavior. We also show that adapting the slot duration is key to maintaining good system accuracy and promptness and illustrate how traffic activity can be used as a point of reference for setting the evaluation slot duration. Second, we show that by using a node's own behavior as a benchmark for judging others' behavior, the detection function can effectively adapt to changes in network conditions. Additionally, we show that an SPRT can accurately and adaptively distinguish between cooperative and misbehaving nodes under different network conditions.

1.1 Scope

In this paper, we are concerned with node behavior with respect to packet forwarding at the network layer. A node can be classified as cooperative or misbehaving. Cooperative nodes do not deliberately drop traffic forwarded through them. We only consider selfish misbehavior in this work, although the concept introduced applies to some types of malicious misbehavior as well, such as black hole and gray hole attacks . Selfishness is intentional misbehavior, where a node chooses not to fully participate in packet forwarding to conserve its own resources. A selfish node may drop some or all packets forwarded through it. A selfish node $i$ is characterized by a selfishness rate, which we denote as $s_i$, representing the proportion of packets a selfish node will drop among all packets forwarded through it. Selfish nodes typically do not collude with each other or exert additional effort to camouflage their behavior, such as slander attacks . Other classes of outsider attacks or insider node misbehavior at layers other than the network layer are outside the scope of this paper.

We focus on network factors that have a long term effect on a node's ability to successfully forward packets routed through it, which we categorize into two classes: 1) node misbehavior and 2) network environment factors such as congestion at the network layer, contention at the data link layer, and physical communication impairments such as shadowing and path loss. We consider a network environment where detection and isolation of misbehaving nodes is crucial to the survival of the network. Typically, this is the case when the negative impact of node misbehavior on the network performance is dominant compared to deteriorating channel and/or network conditions.

In the next section, we briefly describe the functions of reputation management. In Sections 3 and 4, we discuss adaptability of the evaluation and detection functions. We demonstrate the effectiveness of our system in Section 5. Finally, we discuss related work in Section 6 and conclude in Section 7.

2 FUNCTIONS OF A REPUTATION MANAGEMENT SYSTEM

Behavior evaluation, behavior detection, and reaction are the three main functions of reputation management (Fig. 1). The behavior evaluation function adopts an evaluation metric and monitors it for nodes whose behavior it is evaluating. The evaluation metric is used to assign each node a score, which is a quantification of the node's behavior with respect to packet forwarding. In this paper, we use packet forwarding ratio (the ratio of the number of packets forwarded by a node
to the number of packets routed through it) as the evaluation metric (other metrics have been analyzed in ). Hence, each node will monitor packet forwarding request events (which we denote as RCV events) and packet forwarding events (which we denote as FWD events) for all its neighbors as suggested in . A node's assigned score (i.e., the estimated packet forwarding ratio) ranges from 0 to 1.

Fig. 1. Functions of reputation management.

The detection function uses the nodes' scores assigned by the evaluation function (and possibly the sequence of events that led to each score) to distinguish between cooperative and misbehaving nodes. A common approach is to compare a node's score to a threshold score $TH$. For example, in the case of packet forwarding ratio, if the threshold score is 0.8, a node whose score is higher than or equal to 0.8 (i.e., it forwards at least 80 percent of data packets routed through it) is considered cooperative. Nodes with lower scores are considered misbehaving.

Finally, the reaction function takes action against nodes according to their behavior. The reaction taken toward nodes identified by the detection function as misbehaving can be informative, by notifying other nodes about the misbehaving nodes, and/or disciplinary, by penalizing the misbehaving nodes. On the other hand, the reaction taken toward nodes identified as cooperative can reward cooperation by offering these nodes differentiated levels of service according to their level of cooperation.

Table 1 provides a list of notation used throughout the paper.

TABLE 1. Notation Used throughout the Paper

Fig. 2. Flowchart showing the operation of the adaptive evaluation and detection functions.

3 ADAPTIVE EVALUATION FUNCTION

An adaptive evaluation function must quickly capture changes in node behavior. Node behavior may be impacted by changes in the local and network-wide conditions. An adaptive evaluation function should assign each node a score that reflects its recent behavior. Our approach (illustrated in Fig. 2) is to perform node behavior evaluation in a time-slotted manner, with slot duration varying according to observed volume of traffic. In
this approach, a node's behavior is evaluated and assigned a score (equal to its estimated packet forwarding ratio) by each of its neighbors based on its behavior within each time slot. Given a slot duration , a node $i \in N$ is assigned a score $a_{j,i,k}$ by each of its neighbors $j \in G_i$ that reflects its behavior within slot $k$ 0 (between times $(k-1)$ and $k$) as perceived by $j$. The evaluation function also self-assesses node $i$'s own behavior by noting its own RCV and FWD events and assigns itself a score $a_{i,i,k}$ accordingly; this score will be used later by the adaptive detection function.

In a time-slotted behavior evaluation function, the value of the slot duration affects the accuracy and the promptness of the reputation management system. This is intuitive since, statistically, determines the number of samples that will be considered to estimate a process parameter in a population. In our case, we are trying to estimate the packet forwarding ratio of a node. It is well known that as the sample size increases the accuracy increases. However, collecting too many samples may waste time. We illustrate this point in the example that follows, which is intended as a case study and is followed in the next section by the theoretical foundation of this work (based on an SPRT) and a more comprehensive simulation study.

Consider a network with low traffic activity. Selecting a small for such a network reduces the system's accuracy. A short slot may not comprise enough packet forwarding activity to be representative of node behavior, which may result in false positives (cooperative nodes incorrectly identified as misbehaving) or false negatives (misbehaving nodes incorrectly identified as cooperative). On the other hand, consider a network with high traffic activity. Since node behavior evaluation is triggered at the end of each slot, selecting a value of that is too high may impact the system's promptness (i.e., timely identification of node behavior). Accordingly, the slot duration must adapt according to the traffic activity in the network. As the traffic activity increases, the slot duration should decrease. There is also a trade-off between slot duration and overhead. Decreasing the slot duration in a network with high traffic achieves better promptness but may also result in increased computational overhead.

TABLE 2. Simulation Configuration

We illustrate the relationship between traffic activity and the value of through a sensitivity analysis conducted using ns-2 simulations (the simulation parameters are shown in Table 2). We consider a network of $|N| = 64$ nodes and $|M| = 5$ misbehaving nodes. We evaluated the accuracy and promptness of node behavior evaluation using different values of in $D = \{1, 2, 4, 8, 18, 36, 75, 150, 300, 600\}$ seconds. We measure accuracy based on the difference between the average score assigned to misbehaving nodes by their cooperative neighbors and that assigned to cooperative nodes by their cooperative neighbors. We denote the difference as $A_{diff}$, which we calculate as $A_{diff} = \mathrm{abs}(A_{coop} - A_{misb})$, where

$$A_{coop} = \begin{cases} \dfrac{1}{|N| - |M|} \sum_{i \in N \setminus M} A_i, & \text{if } |M| \;\; |N|, \\ 0, & \text{otherwise;} \end{cases}$$

$$A_{misb} = \begin{cases} \dfrac{1}{|M|} \sum_{i \in M} A_i, & \text{if } |M| \;\; 0, \\ 0, & \text{otherwise;} \end{cases}$$

$A_i = \frac{1}{|G_i|} \sum_{j \in G_i} A_{j,i}$, $A_{j,i} = \frac{1}{s} \sum_{k=1}^{s} a_{j,i,k}$, and $s$ is the total number of evaluation slots ($s$ = Simulation Duration/ ).

For each $\in D$, we calculate $A_{diff}$, which we denote as $A_{diff,}$. Note that 0 $A_{diff,}$ 1 and that as the value of $A_{diff,}$ decreases it becomes more difficult for the detection function to distinguish between cooperative and misbehaving nodes, which increases false positives as well as false negatives (i.e., decreases accuracy). We use two different levels of traffic activity: high (200 short-lived flows with randomly selected sources and destinations) and low (20 short-lived flows with randomly selected sources and destinations). Fig. 3 indicates that as the value of increases, the value of $A_{diff,}$ also increases. Increasing the value of allows for more packet forwarding activity to take place within a slot so as to be representative of node behavior. Note the clear difference between low and high traffic activities. For the high traffic activity, high values of $A_{diff,}$ occur even with small slot durations, as the number of interactions within a slot is higher. If the system, for instance, requires $A_{diff,} \geq 0.25$ to achieve a target accuracy level, this corresponds to slot duration $\geq 2$ seconds for the high traffic activity case and $\geq 75$ seconds for the low traffic activity case.

Fig. 3. System accuracy: comparing $A_{diff,}$ for high and low traffic activities as a function of evaluation slot duration. The values in the y-axis are expressed as percentages (i.e., the ratio is multiplied by 100).

The trade-off to the increase in accuracy as a result of increasing the value of is the decrease in promptness. Here, we define promptness as the earliest time $A_{diff}$ can achieve a target accuracy level. Fig. 4 plots the promptness of the system with the accuracy level used earlier ($A_{diff,} \geq 0.25$)
denoting promptness of a particular value of $\in D$ as the earliest time when $A_{diff,} \geq 0.25$. The figure shows that unnecessarily increasing the value of may decrease promptness (noting that behavior evaluation is triggered at the end of each evaluation slot, followed by triggering of the detection function as shown in Fig. 1). It also shows that there is a particular value of where the required accuracy level is reached fastest. This is the ideal slot duration where enough packet forwarding activity is present at the earliest time to distinguish between the behavior of cooperative nodes and that of misbehaving nodes at the required accuracy level. Shorter slot durations do not take into consideration enough packet forwarding activity, while longer slot durations unnecessarily delay node evaluation, both resulting in lower promptness. From the figure, the slot duration in which misbehaving nodes are detected fastest at the required accuracy level is = 8 seconds for the high traffic activity case and = 150 seconds for the low traffic activity case.

Fig. 4. System promptness: misbehavior detection time for high and low traffic activities as a function of evaluation slot duration.

We propose an adaptive approach whereby the value of adapts automatically to the traffic activity. We consider route activity as a measure of traffic activity. The frequency of route establishment, route update, and route expiration events (what we mean by route activity) increases as traffic activity increases (otherwise, routes cannot be established, end-to-end packet delivery is hindered, and the network becomes unstable). Whenever a route establishment, route update, or a route expiration event occurs, each node that becomes aware of the update (the route event affects one or more fields in the node's routing table) triggers the behavior evaluation function to evaluate its neighbors by assigning each a score based on the FWD and RCV events noted for each since the last evaluation. For a given node $i$, we consider routing activities to be indexed by $r$, where $r = 0$ corresponds to the first routing activity noted by the node. If we consider $t_{i,r}$ to be the time of arrival of the route request, update, or expiration message, then the value of noted by node $i$ at time $t$ (which we denote as ${}_{i,t}$) can be represented as

$${}_{i,t} = \begin{cases} t_{i,r} - t_{i,r-1}, & \text{if } r \;\; 0, \\ t_{i,r}, & \text{otherwise.} \end{cases}$$

The distribution of the interarrival time of routing messages at a given node will induce the distribution for at that node. Hence, the value of differs from one node to another and from time to time according to the traffic activity each node is witnessing (e.g., a node located in the center of the network will typically experience higher traffic activity compared to nodes located close to the network boundaries).

We demonstrate our approach for the adaptation of using ns-2 simulations. In Fig. 5, we show the average slot duration for periods of high and low traffic compared to the ideal values obtained from Fig. 4. Fig. 6 shows, for 10 different traffic activity levels, how the increase in traffic activity decreases the value of .

Fig. 5. Comparing the ideal value of to the average value of assessed based on route activity.

Fig. 6. Average value of assessed based on route activity for 10 different traffic activity levels.

4 ADAPTIVE DETECTION FUNCTION

An adaptive detection function is able to distinguish between cooperative and misbehaving nodes under different network conditions. Consider first a nonadaptive detection function. Such a detection function uses a fixed threshold $TH$ whose value is identical for all nodes in the network (as described in Section 2). $TH$ is usually assigned to reflect acceptable node behavior under normal network conditions. However, if network conditions change (e.g., due to a sudden deterioration of the channel), the selected value of $TH$ may no longer be appropriate, resulting in inaccuracies in the detection function. An adaptive detection function, on the other hand, adapts its criteria for cooperative behavior according to the state of the network.

Our adaptive detection function (described in Fig. 2) makes a decision about node behavior within each behavior evaluation slot based on an SPRT. We consider each node's self-assigned score as well as the FWD and RCV observation events it noted for each of its neighbors in the SPRT. In the next sections, we provide an overview
of SPRT, introduce the SPRT for judging node behavior, and then illustrate how the test adapts to changes in network conditions.

4.1 Overview of SPRT

Consider two hypotheses $H_1$ and $H_0$, where either $H_1$ or $H_0$ is true but not both. In traditional hypothesis testing, one of the decisions ($H_1$ or $H_0$) is made after a random sample is observed. In some cases, the evidence in the random sample observed may be enough to make the decision while in other cases it may not. Traditional hypothesis testing mechanisms make a decision either way. Sequential probability ratio testing defers the decision if the evidence in the random sample observed is not sufficient to make an accurate decision and requests more observations. The test continues until the evidence is strong enough to make a decision .

SPRTs consider two conditional probabilities, $P[x \mid H_1]$ and $P[x \mid H_0]$. To decide whether $H_1$ or $H_0$ is true we make a sequence of observations $x_1, x_2, \ldots$. For each observation $x_n$, $n \geq 1$, if $P[x_n \mid H_0] \neq 0$ we calculate the ratio $\frac{P[x_n \mid H_1]}{P[x_n \mid H_0]}$ and accumulate the value $T_n = T_{n-1} \times \frac{P[x_n \mid H_1]}{P[x_n \mid H_0]}$, where $T_0 = 1$. We then examine the value of $T_n$. If $T_n$ is large, it implies that the sequence of observations $x_1, \ldots, x_n$ made so far are more likely to have been generated under $H_1$ than under $H_0$. If $T_n$ is small, the converse is true. If $T_n$ is not sufficiently small or large to choose between $H_1$ and $H_0$, we make another observation $x_{n+1}$.

In selecting between $H_1$ and $H_0$, it is possible to erroneously decide that $H_1$ is true while in reality $H_0$ is true (a false positive), or that $H_0$ is true while in reality $H_1$ is true (a false negative). To limit the probability of false positives to and that of false negatives to , we select two threshold values $A$ and $B$, with $B$ $A$. After making a sequence of observations $x_1, \ldots, x_n$, a decision is made that $H_1$ is true if $T_n \geq A$, or that $H_0$ is true if $T_n$ $B$ and the test terminates. We make an additional observation $x_{n+1}$ if $B$ $T_n$ $A$. It was shown in that the values of $A$ and $B$ are bounded by $A$ 1− 1− values of $A$ = and $B$ = 1− the test provides adequate level of precision.

4.2 SPRT for Judging Node Behavior

At the end of each evaluation slot $k$, the behavior evaluation function of node $j \in N \setminus M$ passes to the detection function the list of scores assigned to each neighbor and the sequence of events that led to each score (RCV and FWD observation events noted for each neighbor $i \in G_j$ during time slot $k$). The behavior evaluation function also passes the node's self-assigned score $a_{j,j,k}$ to the detection function. The detection function analyzes the list of RCV and FWD events and infers observations DRP for each packet routed through the node but not forwarded, denoting that the packet was most likely dropped.¹

¹ Node $j$ assigns a time-out for each RCV event of a packet routed through node during which an FWD event of the same packet must be noted. Otherwise, the packet is judged to have been dropped by node $i$.

The SPRT considers two hypotheses $H_1$ and $H_0$. $H_1$ is the hypothesis that a given node is misbehaving while $H_0$ is the hypothesis that it is cooperative. Let $T(j,i)_n$ be an evaluation of node $i$'s behavior by node $j \in G_i$ within the current time slot. $T(j,i)_n$ considers all FWD and DRP observation events noted for node $i$ within the current evaluation slot. Upon encountering an event $x_n$ that is noted for node $i$ by node $j$, node $j$ then evaluates

$$T(j,i)_n = \begin{cases} T(j,i)_{n-1} \times \dfrac{P[FWD \mid H_1]}{P[FWD \mid H_0]}, & \text{if } x_n = FWD, \\[2ex] T(j,i)_{n-1} \times \dfrac{P[DRP \mid H_1]}{P[DRP \mid H_0]}, & \text{if } x_n = DRP, \end{cases}$$

where $T(j,i)_0 = 1$. If $T(j,i)_n \geq A$, the test concludes that $H_1$ is true and that node $i$ has been misbehaving during the last $n$ events. If $T(j,i)_n$ $B$, the test concludes that $H_0$ is true and that node $i$ has been acting cooperatively during the last $n$ events. The outcome of the test is recorded and the test is restarted for another evaluation round starting at event $x_{n+1}$. At the end of the evaluation slot, all events have been considered and a number of outcomes have been recorded. All recorded test outcomes are considered to decide upon node $i$'s behavior. We consider node $i$ misbehaving if most test outcomes concluded $H_1$. We consider node $i$ cooperative otherwise.

The SPRT considers and to be configurable system parameters that represent the level of false positives and false negatives that are tolerable by the system. From the configured values of and , the threshold values of $A$ and $B$ are set (as suggested ) to $A$ = 1− that the use of $TH$ in nonadaptive reputation management systems can be related to the use of $A$ in our adaptive system since both are considered the boundary toward misbehavior. Their values, however, cannot be equated since $A$ is a probability ratio (calculated based on the false positives and false negatives the system can tolerate) and $TH$ is a score.

The values of $P[FWD \mid H_1]$, $P[FWD \mid H_0]$, $P[DRP \mid H_1]$, and $P[DRP \mid H_0]$ depend on the probability of packet drops in the network due to misbehavior and due to network environment factors (such as congestion at the network layer, contention at the data link layer, physical communication impairments such as fading, etc.), which we denote as $P_{misbehavior}$ and $P_{drop}$, respectively. The conditional probabilities can then be obtained as shown in :

- $P[FWD \mid H_1] = (1 - P_{drop}) \times (1 - P_{misbehavior})$.
- $P[FWD \mid H_0] = (1 - P_{drop})$.
- $P[DRP \mid H_1] = 1 - (1 - P_{drop}) \times (1 - P_{misbehavior})$.
- $P[DRP \mid H_0] = P_{drop}$.

Note that according to the definition of $P[FWD \mid H_1]$ and $P[FWD \mid H_0]$, the probability ratio will only depend on $P_{misbehavior}$ when a FWD event is witnessed (since $\frac{P[FWD \mid H_1]}{P[FWD \mid H_0]} = 1 - P_{misbehavior}$).

The value of $P_{misbehavior}$ can be viewed as a network parameter that is set according to the network objective. For example, setting the value of $P_{misbehavior}$ to 50 percent indicates that the network aims to detect all misbehaving nodes $i \in M$ where $s_i \geq 50$ percent. This also implies that the network can tolerate some false negatives when it comes to detecting misbehaving nodes whose $s_i$ 50 percent. Setting the value of $P_{misbehavior}$ is analogous to setting the security mode of an Intrusion Detection System (IDS). Setting the security mode of an IDS too high is likely to expose the network to fewer threats (i.e., low false
negatives) but may also trigger a large number of false positives. Setting the security mode of an IDS too low may expose the network to a lot of threats (i.e., high false negatives) but reduces the number of false positives. The ideal setting may vary depending on the level of the threat that the network is likely to be exposed to and the likely outcome if any such threats prevail. Much like the security mode of an intrusion detection system, the value of $P_{misbehavior}$ should be set according to the perception of the level of misbehavior that is likely to exist in the network and its impact on each node. We will discuss setting the value of $P_{drop}$ in the next section.

4.3 Adaptation of the SPRT

The goal of our adaptive reputation management system is to adapt node behavior evaluation and detection to dynamic changes in network conditions. Our goal is not to adapt the system to changes in the threat level that the network is exposed to. Hence, the values of , , and $P_{misbehavior}$ need not be adaptive but the value of $P_{drop}$ needs to adapt to reflect current network conditions.

Consider a cooperative node $j \in N \setminus M$ that is evaluating the behavior of its neighbor $i \in G_j$. The time-slotted evaluation function of node $j$ has evaluated node $j$'s own behavior at the current evaluation slot $k$ based on the ratio between the number of its own RCV and FWD events (i.e., the ratio of the number of packets node $j$ forwarded to the number of packets routed through it) and assigned itself a score $a_{j,j,k}$. The evaluation function then passes the score to the detection function.

Our detection function makes use of the observation that cooperative nodes within close proximity may experience similar network conditions , . If node $j$'s cooperative behavior under the current network conditions granted it a score of $a_{j,j,k}$ then the value of $a_{j,j,k}$ can be used to estimate the expected behavior of other cooperative nodes within node $j$'s local neighborhood, which operate under similar local network conditions. Additionally, $1 - a_{j,j,k}$ can be used to estimate the probability of packet drop due to network environment factors in the node's local neighborhood (i.e., packets dropped despite the node's intention to act cooperatively). Note that both estimates continuously adapt to changes in the node's local network conditions. In our detection function, we use $P_{drop} = 1 - a_{j,j,k}$. The adaptation of the detection function is realized as follows:

- The SPRT at node $j$ will move faster toward threshold $A$ for any DRP event observed for node $i$ if node $j$ experienced a low value of $P_{drop}$ during slot $k$. Hence, the number of observations needed to make an $H_1$ decision will be small in case of a low value of $P_{drop}$.
- The SPRT at node $j$ will move more slowly toward threshold $B$ for any FWD event observed for node $i$ if node $j$ experienced a low value of $P_{drop}$ during slot $k$. Hence, the number of observations needed to make an $H_0$ decision will be large for a low value of $P_{drop}$.
- The SPRT at node $j$ will move more slowly toward threshold $A$ for any packet drop event observed at node $i$ if node $j$ experienced a high value of $P_{drop}$ during slot $k$. Hence, the number of observations needed to make an $H_1$ decision will be large in case of a high value of $P_{drop}$.
- The SPRT at node $j$ will move faster toward threshold $B$ for any FWD event observed for node $i$ if node $j$ experienced a high value of $P_{drop}$ during slot $k$. Hence, the number of observations needed to make an $H_0$ decision will be small in case of a high value of $P_{drop}$.

The SPRT offers a systematic approach to select the thresholds and adapt node evaluation to network conditions. As indicated above, adaptation is accomplished by weighing events (i.e., DRP or FWD) differently depending on the network conditions. We envision that it is also possible to devise a heuristic approach (as opposed to the systematic approach offered by SPRTs) that varies $TH$ according to the network conditions.

Let us briefly consider what happens if a selfish node adopts the same reputation management mechanisms proposed here. If a selfish node considers packets dropped due to its selfish nature as DRP events during self-assessment, its self-assigned score will most likely be lower than that of its cooperative neighbors. Hence, the self-assigned score will not accurately reflect the behavior of a cooperative node within the selfish node's locality, which may increase false negatives. On the other hand, a selfish node may choose to ignore the effect of its selfish behavior during self-assessment by assuming DRP events due to the node's selfishness as FWD events. This results in a self-assigned score that reflects more closely the behavior of a cooperative node within the selfish node's locality.

TABLE 3. Summarizing the Parameters of the Adaptive Reputation Management System

Table 3 summarizes the parameters used in our adaptive reputation management system and how the value of each is set. We also summarize the advantages of using SPRTs in node behavior evaluation in the following points:

1. Ease of implementation.
2. Sequential evaluation: The number of observations (i.e., FWD and DRP events) required to evaluate node behavior need not be determined in advance.
   This property of SPRTs suits well the dynamic nature of ad hoc networks where the rate and the significance of such observations may change spatially and temporally.
3. Configurable accuracy: The specified degree of accuracy can be set by configuring and .
4. Prompt decision making: The number of observations used to evaluate node behavior (at the configured accuracy level) using an SPRT is greatly reduced when compared to other methods that use a fixed number of observations . This allows for prompt decision making, which limits the scope of damage to the network that can be caused by misbehaving nodes.

5 DEMONSTRATION OF EFFECTIVENESS

In this section, we demonstrate the effectiveness of our adaptive system under different network conditions. We also aim to show the shortcomings of nonadaptive approaches. We consider network environments with varying rates of change in network conditions as well as varying levels of misbehavior in the network.

We consider two types of network environments in our evaluation: static and dynamic. An environment is static if the network conditions in that environment do not change throughout one run of the simulation. A dynamic environment is one where the network conditions change frequently. Further, our simulations account for the impact of different levels of misbehavior in the network. Two parameters control the level of misbehavior in the network: 1) the number of misbehaving nodes, and 2) the selfishness rate of each misbehaving node. By devising network scenarios that use different ratios of misbehaving to well-behaved nodes and different selfishness rates, we can model varying levels of misbehavior in the network.

We consider three sets of network scenarios denoted as SC-1, SC-2, and SC-3. All three scenarios share the simulation parameters shown in Table 4. In SC-1, we consider all nodes to be cooperative (i.e., |M| = 0). In SC-2, we consider 20 percent of the nodes in the network to be selfish (i.e., |M| = 5). In SC-3, we consider 40 percent of all nodes in the network to be selfish (i.e., |M| = 10). The value of s_i for a misbehaving node in SC-2 and SC-3 is randomly selected from the set {50 percent, 75 percent, 100 percent}.

[TABLE 4. Simulation Configuration]

We consider a configuration of our adaptive reputation management system that uses Pmisbehavior = 50 percent. As mentioned before, this indicates that the network is keen to detect all misbehaving nodes whose selfishness rate is greater than or equal to 50 percent (which also implies that the network can tolerate some false negatives when it comes to detecting misbehaving nodes whose selfishness rate is less than 50 percent). We consider = 10 percent and = 10 percent to be the target accuracy level of the system. For the nonadaptive system, we consider a range of values for TH. All our results are averaged over 20 runs. Each run considers a different randomly generated topology.

5.1 Static Environment

We show in this section that the adaptive reputation management system can operate effectively under different network conditions, while the settings of the nonadaptive reputation management system must be customized for a given network condition for the system to be effective. We consider three scenarios with respect to the network conditions:

- SE-1: The network conditions are such that a cooperative node can forward almost all packets forwarded through it.
- SE-2: The network conditions are such that a cooperative node can forward at most 80 percent of all packets forwarded through it.
- SE-3: The network conditions are such that a cooperative node can forward at most 60 percent of all packets forwarded through it.

Since the environment is static, we let the adaptive approach evaluate node behavior using a fixed value of . We compare against a nonadaptive approach by assessing the false positives and false negatives. Our comparison considers different values of TH for the nonadaptive approach.

The results in Figs. 7, 8, 9, 10, 11, 12, 13, 14, and 15 show that the adaptive system can operate under all conditions considered with low false positives and false negatives. The maximum false positives over all scenarios was 11.60 percent (within reasonable range of ), and the maximum false positives was at 3.12 percent (bounded by ). This indicates that the adaptive approach self-adapts its criteria for identifying cooperative and misbehaving behaviors according to the network condition it is operating in.

Fig. 7. SC-1—SE-1: All nodes are cooperative. Cooperative nodes can forward almost all data packets routed through them.
Fig. 8. SC-1—SE-2: All nodes are cooperative. Cooperative nodes can forward at most 80 percent of data packets routed through them.
Fig. 9. SC-1—SE-3: All nodes are cooperative. Cooperative nodes can forward at most 60 percent of data packets routed through them.
Fig. 10. SC-2—SE-1: 20 percent of all nodes are selfish. Cooperative nodes can forward almost all data packets routed through them.
Fig. 11. SC-2—SE-2: 20 percent of all nodes are selfish. Cooperative nodes can forward at most 80 percent of data packets routed through them.
Fig. 12. SC-2—SE-3: 20 percent of all nodes are selfish. Cooperative nodes can forward at most 60 percent of data packets routed through them.
Fig. 13. SC-3—SE-1: 40 percent of all nodes are selfish. Cooperative nodes can forward almost all data packets routed through them.
Fig. 14. SC-3—SE-2: 40 percent of all nodes are selfish. Cooperative nodes can forward at most 80 percent of data packets routed through them.
Fig. 15. SC-3—SE-3: 40 percent of all nodes are selfish. Cooperative nodes can forward at most 60 percent of data packets routed through them.
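How the detection criteria shift between an SE-1-like and an SE-3-like condition under the Section 4.3 rule Pdrop = 1 − a_{j,j,k}, as an added sketch that is not the authors' implementation. It assumes Wald's approximate thresholds, a per-packet drop probability of Pdrop under H0 and Pdrop + Pmisbehavior under H1, and calls the two 10 percent accuracy targets alpha and beta; the slot counters and the event trace are constructed.

```python
import math


def self_score(fwd_events, rcv_events):
    """a_{j,j,k}: share of the packets routed through node j in slot k that it forwarded."""
    return fwd_events / rcv_events if rcv_events else 1.0


def wald_log_thresholds(alpha, beta):
    """Wald's approximations: decide H1 at or above log A, H0 at or below log B."""
    return math.log((1 - beta) / alpha), math.log(beta / (1 - alpha))


def step_sizes(p_drop, p_misbehavior, eps=1e-3):
    """Log-likelihood-ratio increments for one DRP and one FWD observation.

    ASSUMPTION (not taken from the paper): a cooperative neighbour drops with
    probability p_drop (H0), a misbehaving one with p_drop + p_misbehavior (H1).
    Both are clamped to [eps, 1 - eps] so a slot without any drop avoids log(0).
    """
    p0 = min(max(p_drop, eps), 1 - eps)
    p1 = min(max(p_drop + p_misbehavior, eps), 1 - eps)
    if p1 <= p0:
        raise ValueError("H1 must imply a higher drop probability than H0")
    return math.log(p1 / p0), math.log((1 - p1) / (1 - p0))


def sprt(events, p_drop, p_misbehavior=0.5, alpha=0.10, beta=0.10):
    """Run the test over a neighbour's events; return (decision, observations used)."""
    log_a, log_b = wald_log_thresholds(alpha, beta)
    drp_step, fwd_step = step_sizes(p_drop, p_misbehavior)
    llr = 0.0
    for n, event in enumerate(events, start=1):
        if event == "DRP":
            llr += drp_step      # positive: moves toward threshold A (H1)
        elif event == "FWD":
            llr += fwd_step      # negative: moves toward threshold B (H0)
        else:
            raise ValueError(f"unknown event {event!r}")
        if llr >= log_a:
            return "H1", n       # neighbour judged misbehaving
        if llr <= log_b:
            return "H0", n       # neighbour judged cooperative
    return "undecided", len(events)


# Constructed self-observations of node j for one slot: (FWD count, RCV count).
GOOD_SLOT = (98, 100)   # SE-1-like: almost everything is forwarded
POOR_SLOT = (60, 100)   # SE-3-like: only 60 percent can be forwarded
P_DROP_LOW = 1 - self_score(*GOOD_SLOT)
P_DROP_HIGH = 1 - self_score(*POOR_SLOT)

# Constructed observations of neighbour i, judged under both conditions.
TRACE = ["DRP", "FWD", "FWD", "DRP", "FWD"]

if __name__ == "__main__":
    for label, p_drop in (("low Pdrop", P_DROP_LOW), ("high Pdrop", P_DROP_HIGH)):
        drp_step, fwd_step = step_sizes(p_drop, 0.5)
        print(f"{label}: DRP step {drp_step:+.3f}, FWD step {fwd_step:+.3f}, "
              f"trace verdict {sprt(TRACE, p_drop)}")
```

With these assumptions the same trace is flagged after one observation when node j itself loses almost nothing, and is accepted as cooperative after three when node j itself can forward only 60 percent.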
On the other hand, the nonadaptive approach requires the value of TH to be customized to reflect the network conditions where it operates. If the value of TH is not set correctly the system will yield high false positives and/or false negatives. For example, if TH is set to 0.90 in SC-1—SE-3, the system will yield close to 90 percent false positives. Table 5 lists the ideal values of TH for the nonadaptive approach in all considered scenarios. We consider the ideal value as the one that yields the lowest average false positives and false negatives. Note how the ideal value of TH changes as the network conditions, as well as the level of misbehavior in the network, vary.

[TABLE 5. Ideal TH for the Nonadaptive Approach]

5.2 Dynamic Environment

This section presents results regarding the resilience of the adaptive reputation management system to variable network conditions. We show that the adaptive reputation management system can operate effectively under changing network conditions, achieving false positives and false negatives that are close to the values of and , respectively.

We let adapt according to the traffic activity as explained in Section 3. We modified the ns-2 simulator to create simulation scenarios where network conditions fluctuate consistently. We consider the shadowing propagation model, which consists of two parts: the path loss model and the shadowing deviation model . The path loss model predicts the received power of a signal as it propagates through space from a transmitter to a receiver. The received signal strength depends on the euclidean distance d between the transmitter and the receiver and the characteristic of the environment the signal propagates in (e.g., indoor line of sight, indoor obstructed, outdoor free space, outdoor urban, etc.). The path loss model defines a parameter known as the path loss exponent, which is used to reflect the signal propagation characteristic of different environments. The power loss in the environment (expressed in dB) is predicted as Loss = −10 ∗ log10(d). Some typical values for the path loss exponent in ns-2 are listed in .

The shadowing deviation model considers variations in the received signal strength for a given distance d. Power loss is calculated as Loss = −10 ∗ log10(d) + sh dev, where sh dev is a Gaussian random variable with zero mean and standard deviation . Hence, increasing the value of means that the variation in the received signal strength will be higher for any given distance d.

In ns-2, a single value for each and is used in the network and a different value of sh dev is generated for each packet that is received anywhere in the network. In reality, however, network conditions may be different at different locations and may fluctuate in epochs of time rather than with every packet. We modified the shadowing propagation model in ns-2 so that the value of sh dev changes every t seconds (rather than with every packet), where t is generated according to an exponential distribution with mean of 5 seconds. When a node receives a packet, the received signal strength will depend on the value of and the current value of sh dev. Hence, network conditions remain stable for a period of time. In our simulation, we used path loss exponent = 2.5 (which can model communication in outdoor urban environments and some indoor office environments , ). We increase from 0 to 10 to model different levels of fluctuation in network conditions, where = 10 indicates high variation in the received signal strength for a given distance d. This causes node behavior to vary by up to 20 percent (i.e., the packet forwarding ratio of a node may vary by up to 20 percent depending on the network condition).

Figs. 16 and 17 show the false positives and false negatives of our adaptive system. The total number of SPRT decisions made ranged between 3,000 and 7,000 (for the values of between 0 and 10). The highest false positives reported is 13.32 percent for SC-1, 14.81 percent for SC-2, and 16.86 percent for SC-3. All values are close to as noted in Section 4.1. The highest false negatives reported are 8.4 percent for SC-2 and 9.1 percent for SC-3. SC-1 has no false negatives since no misbehavior exists in that case. All false negative values are bounded by .

Fig. 16. False positives of the three simulation scenarios.
Fig. 17. False negatives of the three simulation scenarios.

The results from both the static and the dynamic environments show the shortcomings of the nonadaptive reputation management systems. A nonadaptive reputation management system requires the value of TH to be carefully set and constantly updated to reflect the network
conditions where it operates (otherwise, the system accuracy will be compromised). In contrast, results show that our adaptive reputation management system works well under both static and dynamic environments. It automatically self-adapts its criteria for identifying cooperative and misbehaving behaviors according to the network condition it is operating in.

5.3 System Overhead

In this section, we discuss the computation, communication, and storage overhead of our adaptive reputation management system on nodes in an ad hoc network.

Our adaptive reputation management system relies on localized observations to assess node behavior. Our system has no communication overhead since we do not rely on the exchange of observations between nodes. Exchange of observations may increase the system promptness but it also increases communication overhead and exposes the system to misreporting and collusion-based attacks (such as the slander attack ), which decreases system accuracy. In addition, network conditions may vary spatially. Hence, reflecting on observations about the behavior of distant nodes without knowing the network conditions under which these observations were made may reduce the accuracy of node behavior evaluation.

Our mechanism requires nodes to gather localized observations (RCV, FWD, and DRP events) that reflect their neighbors' behavior. This requires each node to act in promiscuous mode (capturing packets that may not be destined to it) and distinguish data packets that reflect RCV or FWD events related to its neighbors. Each node then stores packet traces for data packets that reflect an RCV event in a lookup table in order to identify any subsequent FWD events. Each RCV event in the lookup table will have a time-out associated with it. If an FWD event is not noted within the duration of that time-out, a DRP event is triggered and the corresponding RCV event entry in the lookup table is purged. This process results in computation and storage overhead.

In , we considered a number of approaches to reduce the types of computation and storage overheads that our adaptive reputation management system may induce. One approach we considered is hashing of packet trace entries. We evaluated this approach and showed that it reduces the size of the lookup table significantly and has almost no effect on the system effectiveness. A second technique that we considered is to set an upper bound on the size of the lookup table. We evaluated this approach as well and showed that it can reduce overhead.

While computation and storage overhead result from nodes acting in promiscuous mode (processing and storing traces of packets), we believe that this overhead is low but most importantly warranted especially when considering the impact of misbehavior on the network if a reputation management system is not implemented .

While mobility was not explicitly considered in this work, it is known that reputation-based mechanisms are most reliable when mobility is limited. Buchegger et al. concluded that reputation mechanisms are most effective when based on direct observation. In , Buttyan and Hubaux note that node mobility can have a negative effect on such systems and suggest that mobility should be low enough to allow efforts carried during the evaluation and detection phases to be recouped in the reaction phase. An investigation of the performance of our adaptive reputation management system under varying levels of mobility is left for future work. We expect our system, similar to other systems, to perform better at lower levels of mobility. However, our adaptation capability should give our system the edge over others.

6 RELATED WORK

Reputation management systems have been proposed to address insider misbehavior security concerns (i.e., selfish as well as malicious misbehavior) in self-organized communication systems such as ad hoc networks , , , , , , , , , , , , , peer-to-peer systems , and in systems utilizing artificial intelligence . Reputation management systems for ad hoc networks can be classified based on the source of the observations used by the evaluation function to assign reputation scores. The first class uses only observations that are collected locally by a node. These local observations can be collected either passively or actively. Passively collected observations are usually acquired by promiscuously monitoring neighbors' actions. Actively collected observations are based on the receipt of evidence, such as an acknowledgment, which could be used as an indication of node behavior. An example of a system that uses passively collected observations is the watchdog mechanism introduced in . For each packet that a node forwards, it monitors its next hop neighbor through which the packet was forwarded to ensure that it further forwards the packet to the next hop node toward the packet's destination. The drawbacks of the watchdog mechanism are analyzed in . In , a testbed is used to evaluate the watchdog mechanisms under a number of misbehavior attacks. In contrast, reputation management systems proposed in , , , rely on actively collected observations. These systems use acknowledgments received for each packet sent as indications of good behavior. The lack of acknowledgments or the presence of retransmissions is used as an indication of misbehavior.

The second class of reputation mechanisms collects observations based on hearsay (the sharing of observations that are indicative of node behavior among nodes in the network) , , . In , Yau and Mitchell qualitatively analyze the drawbacks and attacks against systems where observations are shared and indicate that the most reliable evaluations are those which a node makes based on local observations. Sharing observations has potential drawbacks, mainly related to overhead, misreporting, and collusion . The overhead of sharing escalates as the size of the network increases. However, He et al. succeed in limiting sharing to local neighbors, thus, reducing communication overhead. Moreover, nodes may falsely report observations that are indicative of bad behavior (to damage the reputation of others). In , the robustness of a reputation management system that employs sharing was increased against false accusations by introducing a Bayesian-based estimation mechanism. Additionally, Buchegger and Boudec introduced a node redemption technique that readmits
misbehaved nodes to the network for reevaluation, and a reputation fading technique that mitigates against sudden exploitation of built-up reputation. On the other hand, systems that employ sharing of observations can detect node misbehavior more quickly compared to systems that rely on local observations , . This is due to the increased amount of information regarding a particular node's behavior.

In , a sequential probability ratio test based algorithm was introduced to detect misbehavior at the MAC layer in ad hoc networks. In , we introduced a sequential probability ratio test based algorithm to detect selfish misbehavior with respect to packet forwarding in ad hoc networks. The algorithm relied on actively collected localized observations (while the work in this paper relies on passively collected localized observations) by requiring destination-based acknowledgments for each packet sent by the source.

EigenTrust is a reputation management system for peer-to-peer networks. The EigenTrust algorithm is based on the notion of transitive trust. It suggests that if a peer i trusts another peer j, it can also trust all the peers that peer trusts. It also assumes a set of pretrusted peers, which are the ones a new peer joining the P2P network would trust. Trust relationships are built, thereafter, based on interactions between peers. EigenTrust addresses mostly the issues of collusion among malicious users but does not explicitly consider adaptation to varying peer behavior.

PeerTrust is another reputation management system for peer-to-peer networks. It considers five trust parameters in evaluating trustworthiness of a peer. Two of these parameters are adaptive. One of the adaptive parameters considers the context of a transaction. This takes into consideration factors such as the time and size of a transaction in an attempt to profile the behavior of a peer as a function of these factors (e.g., does the peer act cooperatively when the size of a transaction is small but maliciously otherwise?). The notion of adaptation in PeerTrust is different from the notion of adaptation we consider in this work. PeerTrust adapts to varying peer behavior while our system adapts to dynamically changing network conditions. PeerTrust also uses the notion of personalized similarities to rate the credibility of peers. Credibility of peers is needed to assess the credibility of feedback given by a peer to another (this is not needed in our system since we rely solely on localized observations and do not share any trust/reputation information). To rate the credibility of a peer P2, a given peer P1 will use the similarities between itself and P2 to weight the feedback by P2 on other peers. Table 6 summarizes the similarities and differences between EigenTrust, PeerTrust, and this work.

[TABLE 6. Illustrating Differences between EigenTrust, PeerTrust, and Our Adaptive RMS]

To the best of our knowledge, no work prior to ours has proposed adaptation of the reputation management functions to dynamically changing network conditions in ad hoc networks.

7 CONCLUSION

In this paper, we have demonstrated the importance of adaptation in reputation management systems in dynamic network environments such as ad hoc networks. We introduced adaptive evaluation and detection functions, demonstrated their effectiveness in a dynamic ad hoc network, and compared the results against a nonadaptive system. The results obtained show that our adaptive system can operate under a wide range of network conditions and yields low false positives and false negatives with fast detection, thus, reducing the impact of misbehaving nodes on the network.

In our future work, we will assess the effectiveness of our adaptive reputation management system under more complex network environments where network conditions, network structure (e.g., topology, node density, etc.), and nodes' intent (i.e., to act cooperatively versus to misbehave) may change rapidly.

ACKNOWLEDGMENTS

Part of this work was done while M.T. Refaei was at NIST, Gaithersburg, MD 20899.

REFERENCES

M.T. Refaei, “Adaptation in Reputation Management Systems for Ad hoc Networks,” PhD dissertation, Virginia Polytechnic Inst. and State Univ., 2007.
X. Yingqi and L. Wang-Chien, “Exploring Spatial Correlation for Link Quality Estimation in Wireless Sensor Networks,” Proc. Fourth Ann. IEEE Int’l Conf. Pervasive Computing and Comm., 2006.
T.K. Forde, L.E. Doyle, and D. O’Mahony, “Ad Hoc Innovation: Distributed Decision Making in Ad Hoc Networks,” IEEE Comm. Magazine, vol. 44, no. 4, pp. 131-137, Apr. 2006.
A. Wald, Sequential Analysis. J. Wiley & Sons, 1947.
Y.-C. Hu, A. Perrig, and D.B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” Proc. MobiCom ’02, pp. 12-23, 2002.
W. Yu and K.J.R. Liu, “Attack-Resistant Cooperation Stimulation in Autonomous Ad Hoc Networks,” IEEE J. Selected Areas in Comm., vol. 23, no. 12, pp. 2260-2271, Dec. 2005.
S. Buchegger, C. Tissieres, and J.-Y.L. Boudec, “A Test-Bed for Misbehavior Detection in Mobile Ad-Hoc Networks—How Much Can Watchdogs Really Do?” Proc. Sixth IEEE Workshop Mobile Computing Systems and Applications (WMCSA), pp. 102-111, 2004.
M.T. Refaei, Y. Rong, L. DaSilva, and H.-A. Choi, “Detecting Node Misbehavior in Ad Hoc Networks,” Proc. IEEE Int’l Conf. Comm. (ICC ’07), pp. 3425-3430, 2007.
J. Liu and V. Issarny, “Enhanced Reputation Mechanism for Mobile Ad Hoc Networks,” Proc. Second Int’l Conf. Trust Management (iTrust), 2004.
K. Pahlavan, Wireless Information Networks. J. Wiley & Sons, 2005.
S. Buchegger, J. Mundinger, and J.-Y.L. Boudec, “Reputation Systems for Self-Organized Networks: Lessons Learned,” IEEE Technology and Soc. Magazine, vol. 27, no. 1, pp. 41-47, Mar. 2008.
L. Buttyan and J.-P. Hubaux, Security and Cooperation in Wireless Networks. Cambridge Univ. Press, 2007.
K. Balakrishnan, J. Deng, and P. Varshney, “TWOACK: Preventing Selfishness in Mobile Ad Hoc Networks,” Proc. IEEE Wireless Comm. and Networking Conf. (WCNC), vol. 4, pp. 2137-2142, 2005.
S. Buchegger and J.-Y.L. Boudec, “A Robust Reputation System for Mobile Ad Hoc Networks,” EPFL Technical Report No. IC/2003/50, July 2003.
S. Buchegger and J.-Y.L. Boudec, “The Effect of Rumor Spreading in Reputation Systems for Mobile Ad-Hoc Networks,” Proc. Modeling and Optimization in Mobile Ad Hoc and Wireless Networks (WiOpt), Mar. 2003.
S. Buchegger and J.Y. LeBoudec, “Performance Analysis of the CONFIDANT Protocol (Cooperation Of Nodes—Fairness In Dynamic Ad-hoc NeTworks),” Proc. ACM MobiHoc, pp. 226-236, June 2002.
M. Conti, E. Gregori, and G. Maselli, “Towards Reliable Forwarding for Ad Hoc Networks,” Proc. Personal Wireless Comm. (PWC), pp. 790-804, 2003.
P. Dewan, P. Dasgupta, and A. Bhattacharya, “On Using Reputations in Ad Hoc Networks to Counter Malicious Nodes,” Proc. 10th Int’l Conf. Parallel and Distributed Systems (ICPADS), pp. 665-672, July 2004.
Q. He, D. Wu, and P. Khosla, “SORI: A Secure and Objective Reputation-Based Incentive Scheme for Ad Hoc Networks,” Proc. IEEE Wireless Comm. and Networking Conf. (WCNC), vol. 2, pp. 825-830, 2004.
S. Marti, T.J. Giuli, K. Lai, and M. Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” Proc. MobiCom, pp. 255-265, Apr. 2000.
M.T. Refaei, V. Srivastava, L. DaSilva, and M. Eltoweissy, “A Reputation-Based Mechanism for Isolating Selfish Nodes in Ad Hoc Networks,” Proc. Second Int’l Conf. Mobile and Ubiquitous Systems: Networking and Services (Mobiquitous), pp. 3-11, July 2005.
P. Michiardi and R. Molva, “CORE: A Collaborative Reputation Mechanism to Enforce Node Cooperation in Mobile Ad Hoc Networks,” Proc. IFIP TC6/TC11 Sixth Joint Working Conf. Comm. and Multimedia Security, pp. 107-121, 2002.
P.-W. Yau and C.J. Mitchell, “Reputation Methods for Routing Security for Mobile Ad Hoc Networks,” Proc. Joint First Workshop Mobile Future and Symp. Trends in Comm. (SympoTIC), pp. 130-137, Oct. 2003.
K. Aberer, Z. Despotovic, W. Galuba, and W. Kellerer, “The Complex Facets of Reputation and Trust,” Computational Intelligence, Theory and Application, Springer, 2006.
J. Sabater and C. Sierra, “Review on Computational Trust and Reputation Models,” Artificial Intelligence Rev., vol. 24, pp. 33-60, 2005.
Y. Rong, S.K. Lee, and H.-A. Choi, “Detecting Stations Cheating on Backoff Rules in 802.11 Networks Using Sequential Analysis,” Proc. 25th Joint Conf. IEEE Computer and Comm. Soc., 2006.

Mohamed Tamer Refaei received the PhD degree from Virginia Tech’s Bradley Department of Electrical and Computer Engineering in 2007. He is currently a senior information security engineer/scientist at the MITRE Corporation in McLean, Virginia. Prior to working at the MITRE Corporation, he worked at the National Institute of Standard and Technologies. His research interests include reputation management systems for ad hoc networks, cognitive radio networks, and delay-tolerant networks.

Luiz A. DaSilva joined Trinity College Dublin in 2009, where he currently holds the Stokes Professorship in telecommunications in the Department of Electronic and Electrical Engineering. He has also been a faculty member at Virginia Tech’s Bradley Department of Electrical and Computer Engineering since 1998. His research focuses on distributed and adaptive resource management in wireless networks, and in particular cognitive radio networks. He is a senior member of the IEEE and a member of the ASEE and of the ACM. In 2006, he was named a college of engineering faculty fellow at Virginia Tech.

Mohamed Eltoweissy received the MS and BS degrees in computer science and automatic control from Alexandria University, Egypt, in 1989 and 1986, respectively, and the PhD degree in computer science from Old Dominion University in 1993. He is an associate professor in the Bradley Department of Electrical and Computer Engineering at Virginia Tech. He also holds a courtesy appointment in the Department of Computer Science. His research interests are in the areas of information assurance and trust, networking and security in large-scale, ubiquitous cyber-physical systems, and group communications. His contributions include concern-oriented architecture and cell-based network model, dynamic key management in sensor networks, and elastic sensor-actuator networks. He has more than 130 publications in archival journals and respected books and conference proceedings. He is a senior member of the IEEE and a senior member of the ACM, the ACM SIGBED, and the ACM SIGSAC. He received the nomination for the Virginia SCHEV outstanding faculty awards, the highest honor for faculty in Virginia.

Tamer Nadeem received the PhD degree from the University of Maryland, College Park, in 2006. He is currently a research scientist at Siemens Corporate Research in Princeton. His research interest includes radio management for wireless networks, vehicular networking, pervasive computing, sensor networks, and peer-to-peer systems. He has published more than 40 technical papers in refereed conferences and journals including the Journal on Selected Areas of Communication (JSAC), the IEEE Transaction on Mobile Computing, the IEEE Infocom, and the ACM IMC. He is a member of the ACM, the IEEE, the IEEE Computer Society, and the IEEE Communication Society.