184                                         IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,                         ...
186                                   IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,      VOL. 9,   NO. 2,   MARCH/...
188                                 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,     VOL. 9,   NO. 2,   MARCH/APR...
190                                       IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,   VOL. 9,   NO. 2,   MARCH...
192                                     IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,            VOL. 9,   NO. 2, ...
194                                        IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,               VOL. 9,   N...
196                                          IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,                VOL. 9, ...
Upcoming SlideShare
Loading in …5

Design and implementation of tarf trust aware routing framework for ws ns.bak


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Design and implementation of tarf trust aware routing framework for ws ns.bak

  1. 1. 184 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012 Design and Implementation of TARF: A Trust-Aware Routing Framework for WSNs Guoxing Zhan, Weisong Shi, Senior Member, IEEE, and Julia Deng Abstract—The multihop routing in wireless sensor networks (WSNs) offers little protection against identity deception through replaying routing information. An adversary can exploit this defect to launch various harmful or even devastating attacks against the routing protocols, including sinkhole attacks, wormhole attacks, and Sybil attacks. The situation is further aggravated by mobile and harsh network conditions. Traditional cryptographic techniques or efforts at developing trust-aware routing protocols do not effectively address this severe problem. To secure the WSNs against adversaries misdirecting the multihop routing, we have designed and implemented TARF, a robust trust-aware routing framework for dynamic WSNs. Without tight time synchronization or known geographic information, TARF provides trustworthy and energy-efficient route. Most importantly, TARF proves effective against those harmful attacks developed out of identity deception; the resilience of TARF is verified through extensive evaluation with both simulation and empirical experiments on large-scale WSNs under various scenarios including mobile and RF-shielding network conditions. Further, we have implemented a low-overhead TARF module in TinyOS; as demonstrated, this implementation can be incorporated into existing routing protocols with the least effort. Based on TARF, we also demonstrated a proof-of-concept mobile target detection application that functions well against an antidetection mechanism. Index Terms—Wireless sensor networks, routing protocols, security. Ç1 INTRODUCTIONW IRELESSSENSOR networks (WSNs) [2] are ideal candi- original headers, are replayed without any modification. dates for applications to report detected events of Even if this malicious node cannot directly overhear theinterest, such as military surveillance and forest fire valid node’s wireless transmission, it can collude with othermonitoring. A WSN comprises battery-powered sensor malicious nodes to receive those routing packets and replay http://ieeexploreprojects.blogspot.comnodes with extremely limited processing capabilities. With them somewhere far away from the original valid node,a narrow radio communication range, a sensor node which is known as a wormhole attack [5]. Since a node in awirelessly sends messages to a base station via a multihop WSN usually relies solely on the packets received to knowpath. However, the multihop routing of WSNs often about the sender’s identity, replaying routing packets allowsbecomes the target of malicious attacks. An attacker may the malicious node to forge the identity of this valid node.tamper nodes physically, create traffic collision with After “stealing” that valid identity, this malicious node is able to misdirect the network traffic. For instance, it mayseemingly valid transmission, drop or misdirect messages drop packets received, forward packets to another nodein routes, or jam the communication channel by creating not supposed to be in the routing path, or even form aradio interference [3]. This paper focuses on the kind of transmission loop through which packets are passed amongattacks in which adversaries misdirect network traffic by a few malicious nodes infinitely. It is often difficult to knowidentity deception through replaying routing information. whether a node forwards received packets correctly evenBased on identity deception, the adversary is capable of with overhearing techniques [4]. Sinkhole attacks are anotherlaunching harmful and hard-to-detect attacks against kind of attacks that can be launched after stealing a validrouting, such as selective forwarding, wormhole attacks, identity. In a sinkhole attack, a malicious node may claimsinkhole attacks and Sybil attacks [4]. itself to be a base station through replaying all the packets As a harmful and easy-to-implement type of attack, a from a real base station [6]. Such a fake base station couldmalicious node simply replays all the outgoing routing lure more than half the traffic, creating a “black hole.” Thispackets from a valid node to forge the latter node’s identity; same technique can be employed to conduct another strongthe malicious node then uses this forged identity to form of attack—Sybil attack [7]: through replaying theparticipate in the network routing, thus disrupting the routing information of multiple legitimate nodes, an attackernetwork traffic. Those routing packets, including their may present multiple identities to the network. A valid node, if compromised, can also launch all these attacks. The harm of such malicious attacks based on the. G. Zhan and W. Shi are with the Department of Computer Science, Wayne State University, 5057 Woodward Avenue, Detroit, MI 48202. technique of replaying routing information is further E-mail: {gxzhan, weisong}@wayne.edu. aggravated by the introduction of mobility into WSNs and. J. Deng is with the Intelligent Automation, Inc., 15400 Calhoun Drive, the hostile network condition. Though mobility is intro- Suite 400, Rockville, MD 20855. E-mail: hdeng@i-a-i.com. duced into WSNs for efficient data collection and variousManuscript received 16 Nov. 2010; revised 3 Sept. 2011; accepted 12 Sept. applications [8], [9], [10], [11], it greatly increases the chance2011; published online 10 Nov. 2011. of interaction between the honest nodes and the attackers.For information on obtaining reprints of this article, please send e-mail to:tdsc@computer.org, and reference IEEECS Log Number TDSC-2010-11-0216. Additionally, a poor network connection causes muchDigital Object Identifier no. 10.1109/TDSC.2011.58. difficulty in distinguishing between an attacker and a 1545-5971/12/$31.00 ß 2012 IEEE Published by the IEEE Computer Society
  2. 2. ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 185honest node with transient failure. Without proper protec-tion, WSNs with existing routing protocols can be com-pletely devastated under certain circumstances. In anemergent sensing application through WSNs, saving thenetwork from being devastated becomes crucial to thesuccess of the application. Unfortunately, most existing routing protocols for WSNseither assume the honesty of nodes and focus on energyefficiency [12], or attempt to exclude unauthorized partici-pation by encrypting data and authenticating packets.Examples of these encryption and authentication schemes Fig. 1. Multihop routing for data collection of a WSN.for WSNs include TinySec [13], Spins [14], TinyPK [15], andTinyECC [16]. Admittedly, it is important to consider which is not achieved by previous security protocols. Evenefficient energy use for battery-powered sensor nodes and under strong attacks such as sinkhole attacks, wormholethe robustness of routing under topological changes as well attacks as well as Sybil attacks, and hostile mobile networkas common faults in a wild environment. However, it is also condition, TARF demonstrates steady improvement incritical to incorporate security as one of the most important network performance. The effectiveness of TARF is verifiedgoals; meanwhile, even with perfect encryption and authen- through extensive evaluation with simulation and empiricaltication, by replaying routing information, a malicious node experiments on large-scale WSNs. Finally, we have imple-can still participate in the network using another valid mented a ready-to-use TARF module with low overhead,node’s identity. The gossiping-based routing protocols offer which as demonstrated can be integrated into existingcertain protection against attackers by selecting random routing protocols with ease; the demonstration of a proof-neighbors to forward packets [17], but at a price of of-concept mobile target detection program indicates theconsiderable overhead in propagation time and energy use. potential of TARF in WSN applications. In addition to the cryptographic methods, trust and We start by stating the design considerations of TARF inreputation management has been employed in generic ad Section 2. Then, we elaborate the design of TARF in Sectionhoc networks and WSNs to secure routing protocols. 3, including the routing procedure as well as the Energy-Basically, a system of trust and reputation management Watcher and TrustManager components. In Section 4, weassigns each node a trust value according to its past present the simulation results of TARF against variousperformance in routing. Then, such trust values are used to attacks through replaying routing information in static, http://ieeexploreprojects.blogspot.comhelp decide a secure and efficient route. However, the mobile and RF-shielding conditions. Section 5 furtherproposed trust and reputation management systems for presents the implementation of TARF, empirical evaluationgeneric ad hoc networks target only relatively powerful at a large sensor network and a resilient proof-of-concept mobile target detection application based on TARF. Finally,hardware platforms such as laptops and smartphones [18], we discuss the related work in Section 6 and conclude this[19], [20], [21]. Those systems cannot be applied to WSNs paper in Section 7.due to the excessive overhead for resource-constrainedsensor nodes powered by batteries. As far as WSNs areconcerned, secure routing solutions based on trust and 2 DESIGN CONSIDERATIONSreputation management rarely address the identity decep- Before elaborating the detailed design of TARF, we wouldtion through replaying routing information [22], [23]. The like to clarify a few design considerations first, includingcountermeasures proposed so far strongly depends on certain assumptions in Section 2.1 and the goals in Section 2.3.either tight time synchronization or known geographicinformation while their effectiveness against attacks ex- 2.1 Assumptionsploiting the replay of routing information has not been We target secure routing for data collection tasks, which areexamined yet [4]. one of the most fundamental functions of WSNs. In a data At this point, to protect WSNs from the harmful attacks collection task, a sensor node sends its sampled data to aexploiting the replay of routing information, we have remote base station with the aid of other intermediate nodes,designed and implemented a robust trust-aware routing as shown in Fig. 1. Though there could be more than one baseframework, TARF, to secure routing solutions in wireless station, our routing approach is not affected by the numbersensor networks. Based on the unique characteristics of of base stations; to simplify our discussion, we assume thatresource-constrained WSNs, the design of TARF centers on there is only one base station. An adversary may forge thetrustworthiness and energy efficiency. Though TARF can be identity of any legal node through replaying that node’sdeveloped into a complete and independent routing proto- outgoing routing packets and spoofing the acknowledgmentcol, the purpose is to allow existing routing protocols to packets, even remotely through a wormhole.incorporate our implementation of TARF with the least effort Additionally, to merely simplify the introduction ofand thus producing a secure and efficient fully functional TARF, we assume no data aggregation is involved. None-protocol. Unlike other security measures, TARF requires theless, our approach can still be applied to cluster-basedneither tight time synchronization nor known geographic WSNs with static clusters, where data are aggregated byinformation. Most importantly, TARF proves resilient under clusters before being relayed [24]. Cluster-based WSNsvarious attacks exploiting the replay of routing information, allows for the great savings of energy and bandwidth
  3. 3. 186 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012through aggregating data from children nodes and per- and joins the network “legally.” However, when theforming routing and transmission for children nodes. In a adversary uses its fake identity to falsely attract a greatcluster-based WSN, the cluster headers themselves form a amount of traffic, after receiving broadcast packets aboutsubnetwork; after certain data reach a cluster header, the delivery information, other legal nodes that directly oraggregated data will be routed to a base station only indirectly forwards packets through it will start to select athrough such a subnetwork consisting of the cluster more trustworthy path through TrustManager (Section 3.4).headers. Our framework can then be applied to thissubnetwork to achieve secure routing for cluster-based 2.3 GoalsWSNs. TARF may run on cluster headers only and the TARF mainly guards a WSN against the attacks misdirect-cluster headers communicate with their children nodes ing the multihop routing, especially those based on identitydirectly since a static cluster has known relationship theft through replaying the routing information. This paperbetween a cluster header and its children nodes, though does not address the denial-of-service (DoS) [3] attacks,any link-level security features may be further employed. where an attacker intends to damage the network by Finally, we assume a data packet has at least the exhausting its resource. For instance, we do not address thefollowing fields: the sender id, the sender sequence number, DoS attack of congesting the network by replayingthe next-hop node id (the receiver in this one-hop transmis- numerous packets or physically jamming the network. TARF aims to achieve the following desirable properties:sion), the source id (the node that initiates the data), and thesource’s sequence number. We insist that the source node’s High throughput. Throughput is defined as the ratio ofinformation should be included for the following reasons the number of all data packets delivered to the base stationbecause that allows the base station to track whether a data to the number of all sampled data packets. In ourpacket is delivered. It would cause too much overhead to evaluation, throughput at a moment is computed over thetransmit all the one-hop information to the base station. period from the beginning time (0) until that particularAlso, we assume the routing packet is sequenced. moment. Note that single-hop retransmission may happen, and that duplicate packets are considered as one packet as2.2 Authentication Requirements far as throughput is concerned. Throughput reflects howThough a specific application may determine whether data efficiently the network is collecting and delivering data.encryption is needed, TARF requires that the packets are Here, we regard high throughput as one of our mostproperly authenticated, especially the broadcast packets important goals.from the base station. The broadcast from the base station is Energy efficiency. Data transmission accounts for aasymmetrically authenticated so as to guarantee that an major portion of the energy consumption. We evaluate http://ieeexploreprojects.blogspot.comadversary is not able to manipulate or forge a broadcast energy efficiency by the average energy cost to successfullymessage from the base station at will. Importantly, with deliver a unit-sized data packet from a source node to theauthenticated broadcast, even with the existence of attack- base station. Note that link-level retransmission should beers, TARF may use TrustManager (Section 3.4) and the given enough attention when considering energy cost sincereceived broadcast packets about delivery information each retransmission causes a noticeable increase in energy(Section 3.2.1) to choose trustworthy path by circumventing consumption. If every node in a WSN consumes approxi-compromised nodes. Without being able to physically mately the same energy to transmit a unit-sized data packet,capturing the base station, it is generally very difficult for we can use another metric hop-per-delivery to evaluatethe adversary to manipulate the base station broadcast energy efficiency. Under that assumption, the energypackets which are asymmetrically authenticated. The consumption depends on the number of hops, i.e., theasymmetric authentication of those broadcast packets from number of one-hop transmissions occurring. To evaluatethe base station is crucial to any successful secure routing how efficiently energy is used, we can measure the averageprotocol. It can be achieved through existing asymmetri- hops that each delivery of a data packet takes, abbreviatedcally authenticated broadcast schemes that may require as hop-per-delivery.loose time synchronization. As an example, TESLA [14] Scalability and adaptability. TARF should work wellachieves asymmetric authenticated broadcast through a with WSNs of large magnitude under highly dynamicsymmetric cryptographic algorithm and a loose delay contexts. We will evaluate the scalability and adaptability ofschedule to disclose the keys from a key chain. Other TARF through experiments with large-scale WSNs andexamples of asymmetric authenticated broadcast schemes under mobile and hash network conditions.requiring either loose or no time synchronization are found Here, we do not include other aspects such as latency,in [25], [26]. load balance, or fairness. Low latency, balanced network Considering the great computation cost incurred by a load, and good fairness requirements can be enforced instrong asymmetric authentication scheme and the difficulty specific routing protocols incorporating TARF.in key management, a regular packet other than a basestation broadcast packet may only be moderately authenti-cated through existing symmetric schemes with a limited 3 DESIGN OF TARFset of keys, such as the message authentication code TARF secures the multihop routing in WSNs againstprovided by TinySec [13]. It is possible that an adversary intruders misdirecting the multihop routing by evaluatingphysically captures a nonbase legal node and reveals its key the trustworthiness of neighboring nodes. It identifies suchfor the symmetric authentication [27]. With that key, the intruders by their low trustworthiness and routes dataadversary can forge the identity of that nonbase legal node through paths circumventing those intruders to achieve
  4. 4. ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 187satisfactory throughput. TARF is also energy efficient, highlyscalable, and well adaptable. Before introducing the detaileddesign, we first introduce several necessary notions here. Neighbor. For a node N, a neighbor (neighboring node)of N is a node that is reachable from N with one-hopwireless transmission. Trust level. For a node N, the trust level of a neighbor isa decimal number in [0, 1], representing N’s opinion of thatneighbor’s level of trustworthiness. Specifically, the trustlevel of the neighbor is N’s estimation of the probability that Fig. 2. Each node selects a next-hop node based on its neighborhoodthis neighbor correctly delivers data received to the base table, and broadcast its energy cost within its neighborhood. To maintainstation. That trust level is denoted as T in this paper. this neighborhood table, EnergyWatcher and TrustManager on the node keep track of related events (on the left) to record the energy cost and Energy cost. For a node N, the energy cost of a neighbor the trust level values of its neighbors.is the average energy cost to successfully deliver a unit-sized data packet with this neighbor as its next-hop node, is able to decide its next-hop neighbor according to itsfrom N to the base station. That energy cost is denoted as E neighborhood table, it sends out its energy report message: itin this paper. broadcasts to all its neighbors its energy cost to deliver a3.1 Overview packet from the node to the base station. The energy cost isFor a TARF-enabled node N to route a data packet to the computed as in Section 3.3 by EnergyWatcher. Such anbase station, N only needs to decide to which neighboring energy cost report also serves as the input of its receivers’node it should forward the data packet considering both the EnergyWatcher.trustworthiness and the energy efficiency. Once the data 3.2 Routing Procedurepacket is forwarded to that next-hop node, the remaining TARF, as with many other routing protocols, runs as atask to deliver the data to the base station is fully delegated periodic service. The length of that period determines howto it, and N is totally unaware of what routing decision its frequently routing information is exchanged and updated.next-hop node makes. N maintains a neighborhood table At the beginning of each period, the base station broadcasts awith trust level values and energy cost values for certain message about data delivery during last period to the wholeknown neighbors. It is sometimes necessary to delete someneighbors’ entries to keep the table size acceptable. The network consisting of a few contiguous packets (one packet http://ieeexploreprojects.blogspot.comtechnique of maintaining a neighborhood table of a may not hold all the information). Each such packet has amoderate size is demonstrated by Woo et al. [28]; TARF field to indicate how many packets are remaining tomay employ the same technique. complete the broadcast of the current message. The comple- In TARF, in addition to data packet transmission, there tion of the base station broadcast triggers the exchange ofare two types of routing information that need to be energy report in this new period. Whenever a node receivesexchanged: broadcast messages from the base station about such a broadcast message from the base station, it knowsdata delivery and energy cost report messages from each that the most recent period has ended and a new period hasnode. Neither message needs acknowledgment. A broad- just started. No tight time synchronization is required for acast message from the base station is flooded to the whole node to keep track of the beginning or ending of a period.network. The freshness of a broadcast message is checked During each period, the EnergyWatcher on a node monitorsthrough its field of source sequence number. The other type energy consumption of one-hop transmission to its neigh-of exchanged routing information is the energy cost report bors and processes energy cost reports from those neighborsmessage from each node, which is broadcast to only its to maintain energy cost entries in its neighborhood table; itsneighbors once. Any node receiving such an energy cost TrustManager also keeps track of network loops andreport message will not forward it. processes broadcast messages from the base station about For each node N in a WSN, to maintain such a data delivery to maintain trust level entries in its neighbor-neighborhood table with trust level values and energy cost hood table.values for certain known neighbors, two components, To maintain the stability of its routing path, a node mayEnergyWatcher and TrustManager, run on the node (Fig. 2). retain the same next-hop node until the next fresh broadcastEnergyWatcher is responsible for recording the energy cost message from the base station occurs. Meanwhile, to reducefor each known neighbor, based on N’s observation of one- traffic, its energy cost report could be configured to nothop transmission to reach its neighbors and the energy cost occur again until the next fresh broadcast message from thereport from those neighbors. A compromised node may base station. If a node does not change its next-hop nodefalsely report an extremely low energy cost to lure its selection until the next broadcast message from the baseneighbors into selecting this compromised node as their station, that guarantees all paths to be loop-free, as can benext-hop node; however, these TARF-enabled neighbors deducted from the procedure of next-hop node selection.eventually abandon that compromised next-hop node based However, as noted in our experiments, that would lead toon its low trustworthiness as tracked by TrustManager. slow improvement in routing paths. Therefore, we allow aTrustManager is responsible for tracking trust level values of node to change its next-hop selection in a period when itsneighbors based on network loop discovery and broadcast current next-hop node performs the task of receiving andmessages from the base station about data delivery. Once N delivering data poorly.
  5. 5. 188 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012 Next, we introduce the structure and exchange of faithful, it will be viewed as a trustworthy candidate byrouting information as well as how nodes make routing TrustManager on the neighbors of the base station. There-decisions in TARF. fore, those neighbors will be the first nodes to decide their next-hop node, which is the base station; they will start3.2.1 Structure and Exchange of Routing Information reporting their energy cost once that decision is made.A broadcast message from the base station fits into at most afixed small number of packets. Such a message consists of 3.2.2 Route Selectionsome pairs of node id of a source node, an undelivered Now, we introduce how TARF decides routes in a WSN.sequence interval [a, b] with a significant length, node id Each node N relies on its neighborhood table to select anof a source node, minimal sequence number received in last optimal route, considering both energy consumption andperiod, maximum sequence number received in last reliability. TARF makes good efforts in excluding thoseperiod, as well as several node id intervals of those nodes that misdirect traffic by exploiting the replay ofwithout any delivery record in last period. To reduce routing information.overhead to an acceptable amount, our implementation For a node N to select a route for delivering data to theselects only a limited number of such pairs to broadcast(Section 5.1) and proved effective (Sections 5.3, 5.4). base station, N will select an optimal next-hop node fromRoughly, the effectiveness can be explained as follows: the its neighbors based on trust level and energy cost andfact that an attacker attracts a great deal of traffic from forward the data to the chosen next-hop node immediately.many nodes often gets revealed by at least several of those The neighbors with trust levels below a certain thresholdnodes being deceived with a high likelihood. The undeliv- will be excluded from being considered as candidates.ered sequence interval [a, b] is explained as follows: the Among the remaining known neighbors, N will select itsbase station searches the source sequence numbers received next-hop node through evaluating each neighbor b based onin last period, identifies which source sequence numbers for a tradeoff between T and ENb , with E and T being b’s Nb TNb Nb Nbthe source node with this id are missing, and chooses energy cost and trust level value in the neighborhood table,certain significant interval [a, b] of missing source sequencenumbers as an undelivered sequence interval. For example, respectively, (see Sections 3.3, 3.4). Basically, ENb reflectsthe base station may have all the source sequence numbers the energy cost of delivering a packet to the base stationfor the source node 2 as {109, 110, 111, 150, 151} in last from N assuming that all the nodes in the route are honest;period. Then, [112, 149] is an undelivered sequence interval; T1 approximately reflects the number of the needed Nb[109, 151] is also recorded as the sequence boundary of attempts to send a packet from N to the base station viadelivered packets. Since the base station is usually multiple hops before such an attempt succeeds, considering http://ieeexploreprojects.blogspot.comconnected to a powerful platform such as a desktop, a the trust level of b. Thus, ENb combines the trustworthiness Tprogram can be developed on that powerful platform to and energy cost. However,Nbthe metric ENb suffers from theassist in recording all the source sequence numbers and TNb fact that an adversary may falsely reports extremely lowfinding undelivered sequence intervals. Accordingly, each node in the network stores a table of energy cost to attract traffic and thus resulting in a low ENbnode id of a source node, a forwarded sequence interval value of TNb even with a low TNb . Therefore, TARF prefers[a, b] with a significant length about last period. The data nodes with significantly higher trust values; this preferencepackets with the source node and the sequence numbers of trustworthiness effectively protects the network from anfalling in this forwarded sequence interval [a, b] have adversary who forges the identity of an attractive nodealready been forwarded by this node. When the node such as a base station. For deciding the next-hop node, areceives a broadcast message about data delivery, its specific tradeoff between TNb and ENb is demonstrated in T NbTrustManager will be able to identify which data packets Fig. 5 (see Section 5.2).forwarded by this node are not delivered to the base station. Observe that in an ideal misbehavior-free environment,Considering the overhead to store such a table, old entries all nodes are absolutely faithful, and each node will choosewill be deleted once the table is full. a neighbor through which the routing path is optimized in Once a fresh broadcast message from the base station is terms of energy; thus, an energy-driven route is achieved.received, a node immediately invalidates all the existingenergy cost entries: it is ready to receive a new energy 3.3 EnergyWatcherreport from its neighbors and choose its new next-hop node Here, we describe how a node N’s EnergyWatcher computesafterward. Also, it is going to select a node either after a the energy cost ENb for its neighbor b in N’s neighborhoodtimeout is reached or after it has received an energy cost table and how N decides its own energy cost EN . Beforereport from some highly trusted candidates with acceptable going further, we will clarify some notations. ENb men-energy cost. A node immediately broadcasts its energy cost tioned is the average energy cost of successfully delivering ato its neighbors only after it has selected a new next-hop unit-sized data packet from N to the base station, with b asnode. That energy cost is computed by its EnergyWatcher N’s next-hop node being responsible for the remaining(see Section 3.3). A natural question is which node starts route. Here, one-hop retransmission may occur until thereporting its energy cost first. For that, note that when the acknowledgment is received or the number of retransmis-base station is sending a broadcast message, a side effect is sions reaches a certain threshold. The cost caused by one-that its neighbors receiving that message will also regard hop retransmissions should be included when computingthis as an energy report: the base station needs 0 amount of ENb . Suppose N decides that A should be its next-hop nodeenergy to reach itself. As long as the original base station is after comparing energy cost and trust level. Then, N’s
  6. 6. ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 189energy cost is EN ¼ ENA . Denote EN!b as the average 3.4 TrustManagerenergy cost of successfully delivering a data packet from N A node N’s TrustManager decides the trust level of eachto its neighbor b with one hop. Note that the retransmission neighbor based on the following events: discovery ofcost needs to be considered. With the above notations, it is network loops, and broadcast from the base station aboutstraightforward to establish the following relation: data delivery. For each neighbor b of N, TNb denotes the ENb ¼ EN!b þ Eb : trust level of b in N’s neighborhood table. At the beginning, each neighbor is given a neutral trust level 0.5. After any ofSince each known neighbor b of N is supposed to broadcast those events occurs, the relevant neighbors’ trust levels areits own energy cost Eb to N, to compute ENb , N still needs updated.to know the value EN!b , i.e., the average energy cost of Note that many existing routing protocols have theirsuccessfully delivering a data packet from N to its neighbor own mechanisms to detect routing loops and to reactb with one hop. For that, assuming that the endings (being accordingly [31], [32], [28]. In that case, when integratingacknowledged or not) of one-hop transmissions from N to b TARF into those protocols with antiloop mechanisms,are independent with the same probability psucc of being TrustManager may solely depend on the broadcast fromacknowledged, we first compute the average number of the base station to decide the trust level; we adopted such aone-hop sendings needed before the acknowledgment is policy when implementing TARF later (see Section 5). Ifreceived as follows: antiloop mechanisms are both enforced in the TARF X1 1 component and the routing protocol that integrates TARF, i Á psucc Á ð1 À psucc ÞiÀ1 ¼ : then the resulting hybrid protocol may overly react toward i¼1 psucc the discovery of loops. Though sophisticated loop-discov-Denote Eunit as the energy cost for node N to send a unit- ery methods exist in the currently developed protocols, theysized data packet once regardless of whether it is received often rely on the comparison of specific routing cost to rejector not. Then, we have routes likely leading to loops [32]. To minimize the effort to integrate TARF and the existing protocol and to reduce the Eunit overhead, when an existing routing protocol does not ENb ¼ þ Eb : psucc provide any antiloop mechanism, we adopt the followingThe remaining job for computing ENb is to get the probability mechanism to detect routing loops. To detect loops, thepsucc that a one-hop transmission is acknowledged. Con- TrustManager on N reuses the table of node id of a sourcesidering the variable wireless connection among wireless node, a forwarded sequence interval [a, b] with a significant http://ieeexploreprojects.blogspot.comsensor nodes, we do not use the simplistic averaging method length (see Section 3.2) in last period. If N finds that ato compute psucc . Instead, after each transmission from N to received data packet is already in that record table, not onlyb, N’s EnergyWatcher will update psucc based on whether that will the packet be discarded, but the TrustManager on Ntransmission is acknowledged or not with a weighted also degrades its next-hop node’s trust level. If that next-averaging technique. We use a binary variable Ack to record hop node is b, then Told Nb is the latest trust level value of b.the result of current transmission: 1 if an acknowledgment is We use a binary variable Loop to record the result of loopreceived; otherwise, 0. Given Ack and the last probability discovery: 0 if a loop is received; 1 otherwise. As in thevalue of an acknowledged transmission pold succ , an intuitive update of energy cost, the new trust level of b isway is to use a simply weighted average of Ack and pold succ 8as the value of pnew succ . That is what is essentially adopted in ð1 À wdegrade Þ Â Told Nb þ wdegrade  Loop; the aging mechanism [29]. However, that method used if Loop ¼ 0: Tnew Nb ¼against sleeper attacks still suffers periodic attacks [30]. To ð1 À wupgrade Þ Â Told Nb þ wupgrade  Loop; :solve this problem, we update the psucc value using two if Loop ¼ 1:different weights as in our previous work [30], a relatively Once a loop has been detected by N for a few times sobig wdegrade 2 ð0; 1Þ and a relatively small wupgrade 2 ð0; 1Þ as that the trust level of the next-hop node is too low, N willfollows: change its next-hop selection, thus that loop is broken. 8 ð1 À wdegrade Þ Â pold succ þ wdegrade  Ack; Though N cannot tell which node should be held if Ack ¼ 0: responsible for the occurrence of a loop, degrading its pnew succ ¼ next-hop node’s trust level gradually leads to the breaking ð1 À wupgrade Þ Â pold succ þ wupgrade  Ack; : of the loop. On the other hand, to detect the traffic if Ack ¼ :1: misdirection by nodes exploiting the replay of routingThe two parameters wdegrade and wupgrade allow flexible information, TrustManager on N compares N’s stored tableapplication requirements. wdegrade and wupgrade represent the of node id of a source node, forwarded sequence intervalextent to which upgraded and degraded performance are [a, b] with a significant length recorded in last period withrewarded and penalized, respectively. If any fault andcompromise is very likely to be associated with a high risk, the broadcast messages from the base station about datawdegrade should be assigned a relatively high value to delivery. It computes the ratio of the number of successfullypenalize fault and compromise relatively heavily; if a few delivered packets which are forwarded by this node to thepositive transactions can’t constitute evidence of good number of those forwarded data packets, denoted asconnectivity which requires many more positive transac- DeliveryRatio. Then, N’s TrustManager updates its next-tions, then wupgrade should be assigned a relatively low value. hop node b’s trust level as follows:
  7. 7. 190 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012 8 ð1 À wdegrade Þ Â Told Nb þw degrade  DeliveryRatio; if DeliveryRatio Told Nb : Tnew Nb ¼ ð1 À wupgrade Þ Â Told Nb þ wupgrade  DeliveryRatio; : if DeliveryRatio ¼ Told Nb :3.5 Analysis on EnergyWatcher and TrustManager Fig. 3. An example to illustrate how TrustManager works.Now that a node N relies on its EnergyWatcher andTrustManager to select an optimal neighbor as its next-hop attacker node as its next-hop node. The attacker drops everynode, we would like to clarify a few important points on the packet received and thus any data packet passing node Adesign of EnergyWatcher and TrustManager. will not arrive at the base station. After a while, node A First, as described in Section 3.1, the energy cost report discovers that the data packets it forwarded did not getis the only information that a node is to passively receive delivered. The TrustManager on node A starts to degradeand take as “fact.” It appears that such acceptance of the trust level of its current next-hop node B although nodeenergy cost report could be a pitfall when an attacker or a B is absolutely honest. Once that trust level becomes toocompromised node forges false report of its energy cost. low, node A decides to select node C as its new next-hopNote that the main interest of an attacker is to prevent data node. In this way, node A identifies a better and successfuldelivery rather than to trick a data packet into a less route (A - C - D - base). In spite of the sacrifice of node B’sefficient route, considering the effort it takes to launch an trust level, the network performs better. Further, concerningattack. As far as an attack aiming at preventing data the stability of routing path, once a valid node identifies adelivery is concerned, TARF well mitigates the effect of this trustworthy honest neighbor as its next-hop node, it tendspitfall through the operation of TrustManager. Note that the to keep that next-hop selection without considering otherTrustManager on one node does not take any recommenda- seemingly attractive nodes such as a fake base station. Thattion from the TrustManager on another node. If an attacker tendency is caused by both the preference to maintain stableforges false energy report to form a false route, such routes and the preference to highly trustable nodes.intention will be defeated by TrustManager: when the Finally, we would like to stress that TARF is designed to guard a WSN against the attacks misdirecting the multihopTrustManager on one node finds out the many delivery routing, especially those based on identity theft throughfailures from the broadcast messages of the base station, it http://ieeexploreprojects.blogspot.com information. Other types of attacks replaying the routingdegrades the trust level of its current next-hop node; when such as the denial-of-service [3] attacks are out of thethat trust level goes below certain threshold, it causes the discussion of this paper. For instance, we do not address thenode to switch to a more promising next-hop node. attacks of injecting into the network a number of data packets Second, TrustManager identities the low trustworthiness containing false sensing data but authenticated (possiblyof various attackers misdirecting the multihop routing, through hacking). That type of attacks aim to exhaust theespecially those exploiting the replay of routing informa- network resource instead of misdirecting the routing.tion. It is noteworthy that TrustManager does not distin- However, if the attacker intends to periodically inject a fewguish whether an error or an attack occurs to the next-hop routing packets to cause wrong route, such attacks can stillnode or other succeeding nodes in the route. It seems unfair be defended by TARF through TrustManager.that TrustManager downgrades the trust level of an honestnext-hop node while the attack occurs somewhere after thatnext-hop node in the route. Contrary to that belief, 4 SIMULATIONTrustManager significantly improves data delivery ratio in We have developed a reconfigurable emulator of wirelessthe existence of attack attempts of preventing data delivery. sensor networks on a 2D plane with Matlab to test TARF.First of all, it is often difficult to identify an attacker who We have conducted extensive simulation experiments;participates in the network using an id “stolen” from however, due to the page limit, interested readers mayanother legal node. For example, it is extremely difficult to refer to our technical report [33] and the conference versiondetect a few attackers colluding to launch a combined of paper [1] for detailed simulation settings and experi-wormhole and sinkhole attack [4]. Additionally, despite the mental results. In our experiments, initially, 35 nodes arecertain inevitable unfairness involved, TrustManager en- randomly distributed within a 300à 300 rectangular area,courages a node to choose another route when its current with unreliable wireless transmission. All the nodes haveroute frequently fails to deliver data to the base station. the same power level and the same maximal transmissionThough only those legal neighboring nodes of an attacker range of 100 m. Each node samples six times in everymight have correctly identified the adversary, our evalua- period; the timing gap between every two consecutivetion results indicate that the strategy of switching to a new samplings of the same node is equivalent. We simulate theroute without identifying the attacker actually significantly sensor network in 1,440 consecutive periods.improves the network performance, even with the existence Regarding the network topology, we set up three typesof wormhole and sinkhole attacks. Fig. 3 gives an example to of network topologies. The first type is the static-locationillustrate this point. In this example, nodes A, B, C, and D case under which all nodes stand still. The second type is aare all honest nodes and not compromised. Node A has customized group-motion-with-noise case based on Refer-node B as its current next-hop node while node B has an ence Point Group Mobility (RPGM) model that mimics the
  8. 8. ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 191behavior of a set of nodes moving in one or more groups[34], [35]. The last type of dynamic network incorporated inthe experiments is the addition of scattered RF-shieldedareas to the aforementioned group-motion-with-noise case. The performance of TARF is compared to that of a linkconnectivity-based routing protocol adapted from whatis proposed by Woo et al. [28]. We denote the linkconnectivity-based routing protocol as Link connectivity.With the Link-connectivity protocol, each node selects itsnext-hop node among its neighborhood table according toan link estimator based on exponentially weighted movingaverage (EWMA). The simulation results show, in thepresence of misbehaviors, the throughput in TARF is oftenmuch higher than that in Link connectivity; the hop-per-delivery in the Link-connectivity protocol is generally at leastcomparable to that in TARF. Under a misbehavior-free environment, the simulation Fig. 4. TrustManager component.results show that TARF and Link connectivity have compar-able performance when there is no adversary. Both feature. As we worked on the first implementation, weprotocols are also evaluated under three common types of noted that the existing protocols provide many niceattacks: 1) a certain node forges the identity of the based features, such as the analysis of link quality, the loopstation by replaying broadcast messages, also known as detection and the routing decision mainly considering thethe sinkhole attack; 2) a set of nodes colludes to form a communication cost. Instead of providing those features,forwarding loop; and 3) a set of nodes drops received data our implementation focuses on the trust evaluation basedpackets. These experiments were conducted in the static on the base broadcast of the data delivery, and such trustcase, the group-motion-with-noise case, and the addition of information can be easily reused by other protocols. Finally,RF-shielded areas to the group-motion-with-noise case instead of using TinySec [13] exclusively for encryption andseparately. Generally, under these common attacks, TARF authentication as in the first implementation on TinyOS 1.x,produces a substantial improvement over Link connectivity this re-implementation let the developers decide whichin terms of data collection and energy efficiency. Further, encryption or authentication techniques to employ; the more severe attacks: encryption and authentication techniques of TARF may bewe have evaluated TARF under http://ieeexploreprojects.blogspot.commultiple moving fake bases and multiple Sybil attackers. different than that of the existing protocol.As before, the experiments are conducted under all thethree types of network topology. Under these two types of 5.1 TrustManager Implementation Detailsmost severe attacks which almost devastates the Link- The TrustManager component in TARF is wrapped into anconnectivity protocol, TARF succeeds in achieving a steady independent TinyOS configuration named TrustMana-improvement over the Link-connectivity protocol. Finally, we gerC. TrustManagerC uses a dedicated logic channel forhave conducted certain experiments to explore the choice of communication and runs as a periodic service with athe period length and the trust updating scheme. Our configurable period, thus not interfering with the applica-experiments reveal that a shorter period or a faster trust tion code. Though it is possible to implement TARF with aupdating scheme may not necessarily benefit TARF. period always synchronized with the routing protocol’s period, that would cause much intrusion into the source code of the routing protocol. The current TrustManagerC5 IMPLEMENTATION AND EMPIRICAL EVALUATION uses a period of 30 seconds; for specific applications, byIn order to evaluate TARF in a real-world setting, we modifying a certain header file, the period length may beimplemented the TrustManager component on TinyOS 2.x, reconfigured to reflect the sensing frequency, the energywhich can be integrated into the existing routing protocols efficiency, and trustworthiness requirement. TrustMana-for WSNs with the least effort. Originally, we had gerC provides two interfaces (see Fig. 4), TrustControlimplemented TARF as a self-contained routing protocol and Record, which are implemented in other modules. The[1] on TinyOS 1.x before this second implementation. TrustControl interface provides the commands to enableHowever, we decided to redesign the implementation and disable the trust evaluation, while the Record interfaceconsidering the following factors. First, the first implemen- provides the commands for a root, i.e., a base station, to addtation only supports TinyOS 1.x, which was replaced byTinyOS 2.x; the porting procedure from TinyOS 1.x to delivered message record, for a nonroot node to addTinyOS 2.x tends to frustrate the developers. Second, rather forwarded message record, and for a node to retrieve thethan developing a self-contained routing protocol, the trust level of any neighboring node. The implementation onsecond implementation only provides a TrustManager a root node differs from that on a nonroot node: a root nodecomponent that can be easily incorporated into the existing stores the information of messages received (delivered)protocols for routing decisions. The detection of routing during the current period into a record table and broadcastloops and the corresponding reaction are excluded from the delivery failure record; a nonroot node stores the informa-implementation of TrustManager since many existing pro- tion of forwarded messages during the current period alsotocols, such as Collection Tree Protocol [32] and the link in a record table and compute the trust of its neighborsconnectivity-based protocol [28], already provide that based on that and the broadcast information. Noting that
  9. 9. 192 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012much implementation overhead for a root can always betransferred to a more powerful device connected to the root,it is reasonable to assume that the root would have greatcapability of processing and storage. A root broadcasts two types of delivery failure record: atmost three packets of significant undelivered intervals forindividual origins and at most two packets of the id’s of theorigins without any record in the current period. For eachorigin, at most three significant undelivered intervals arebroadcast. For a nonroot node, considering the processingand memory usage overhead, the record table keeps theforwarded message intervals for up to 20 source nodes,with up to five nonoverlapped intervals for each individualorigin. Our later experiments verify that such size limit ofthe table on a nonroot node produces a resilient TARF withmoderate overhead. The record table on a node keepsadding entries for new origins until it is full. With our current implementation, a valid trust value is aninteger between 0 and 100, and any node is assigned an initialtrust value of 50. The weigh parameters are: wupgrade ¼ 0:1,wdegrade ¼ 0:3. The trust table of a nonroot node keeps thetrust level for up to 10 neighbors. Considering that anattacker may present multiple fake id’s, the implementationevicts entries with a trust level close to the initial trust of anynode. Such eviction policy is to ensure that the trust table Fig. 5. Routing decision incorporating trust management.remembers those neighbors with high trust and low trust;any other neighbor not in this table is deemed to have the for an adversary to misguide other nodes into a wronginitial trust value of 50. routing path by forging the identity of an attractive node such as a root; on the other hand, forwarding data packets to5.2 Incorporation of TARF into Existing Protocols a candidate with a low trust level would result in manyTo demonstrate how this TARF implementation can be unsuccessful link-level transmission attempts, thus leading http://ieeexploreprojects.blogspot.comintegrated into the exiting protocols with the least effort, we to much retransmission and a potential waste of energy.incorporated TARF into a collection tree routing protocol When the network throughput becomes low and a node has a(CTP) [32]. The CTP protocol is efficient, robust, and reliable list of low-trust neighbors, the node will exclusively use thein a network with highly dynamic link topology. It quantifies trust as the criterion to evaluate those neighbors for routinglink quality estimation in order to choose a next-hop node. decisions. As shown in Fig. 5, it uses trust/cost as a criteriaThe software platform is TinyOS 2.x. To perform the only when the candidate has a trust level above certainintegration, after proper interface wiring, invoke the Trust- threshold. The reason is, the sole trust/cost criteria could beControl.start command to enable the trust evaluation; exploited by an adversary replaying the routing informationcall the Record.addForwarded command for a nonroot from a base station and thus pretending to be an extremelynode to add forwarded record once a data packet has been attractive node. As for Step 2, compared to the CTPforwarded; call the Record.addDelivered command for a implementation, we add two more circumstances when aroot to add delivered record once a data packet has been node decides to switch to the optimal candidate found atreceived by the root. Finally, inside the CTP’s task to update Step 1: that candidate has a higher trust level, or the currentthe routing path, call the Record.getTrust command to next-hop neighbor has a too low trust level.retrieve the trust level of each next-hop candidate; an This new implementation integrating TARF requiresalgorithm taking trust into routing consideration is executed moderate program storage and memory usage. We im-to decide the new next-hop neighbor (see Fig. 5). plemented a typical TinyOS data collection application, Similar to the original CTP’s implementation, the im- MultihopOscilloscope, based on this new protocol. Theplementation of this new protocol decides the next-hop MultihopOscilloscope application, with certain modifiedneighbor for a node with two steps (see Fig. 5): Step 1 sensing parameters for our later evaluation purpose,traverses the neighborhood table for an optimal candidate periodically makes sensing samples and sends out thefor the next hop; Step 2 decides whether to switch from the sensed data to a root via multiple routing hops. Originally,current next-hop node to the optimal candidate found. For MultihopOscilloscope uses CTP as its routing protocol.Step 1, as in the CTP implementation, a node would not Now, we list the ROM and RAM sizes requirement of bothconsider those links congested, likely to cause a loop, or implementation of MultihopOscilloscope on nonroot Telosbhaving a poor quality lower than a certain threshold. This motes in Table 1. The enabling of TARF in MultihopOscillo-new implementation prefers those candidates with higher scope increases the size of ROM by around 1.3 KB and thetrust levels; in certain circumstances, regardless of the link size of memory by around 1.2 KB.quality, the rules deems a neighbor with a much higher trustlevel to be a better candidate (see Fig. 5). The preference of 5.3 Empirical Evaluation on Motelabhighly trustable candidates is based on the following We evaluated the performance of TARF against a combinedconsideration: on the one hand, it creates the least chance sinkhole and wormhole attack on Motelab [36] at Harvard
  10. 10. ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 193 TABLE 1 Size Comparison of MultihopOscilloscope ImplementationUniversity. One-hundred eighty-four TMote Sky sensormotes were deployed across many rooms at three floors inthe department building (see Fig. 6), with two to four motesin most rooms. Around 97 nodes functioned properly whilethe rest were either removed or disabled. Each mote has a2.4 GHz Chipcon CC2420 radio with an indoor range ofapproximately 100 meters. In Fig. 6, the thin green linesindicate the direct (one-hop) wireless connection between Fig. 6. Connectivity map Motelab [Motelab].including the inter-floor connectivity), adapted from of Motelab (notmotes. Certain wireless connection also exists betweennodes from different floors. 7c separately. On each floor, without any adversary, at least We developed a simple data collection application in 24 CTP nodes were able to find a successful route in each sixTinyOS 2.x that sends a data packet every five seconds to a minute. However, with the five fake base stations in thebase station node (root) via multihop. This application was wormhole, the number of CTP nodes that could find aexecuted on 91 functioning nonroot nodes on Motelab. For successful route goes down to nine for the first floor; itcomparison, we used CTP and the TARF-enabled CTP decreases to no more than four for the second floor; as theimplementation as the routing protocols for the data worst impact, none of the nodes on the third floor evercollection program separately. The TARF-enabled CTP found a successful route. A further look at the data showedhas a TARF period of 30 seconds. We conducted an attack that all the nine nodes from the first floor with successfulwith five fake base stations that formed a wormhole. As in delivery record were all close to the real base station. TheFig. 6, whenever the base station sent out any packet, three CTP nodes relatively far away from the base station, such asfake base stations which overheard that packet replayed the those on the second and the third floor, had little luck incomplete packet without changing any content including making good routing decisions. When TARF was enabled http://ieeexploreprojects.blogspot.comthe node id. Other fake base stations overhearing that on each node, most nodes made correct routing decisionsreplayed packet would also replay the same packet. Each circumventing the attackers. That improvement can befake base station essentially launched a sinkhole attack. Note verified by the fact that the number of the TARF-enabledthat there is a distinction between such malicious replay nodes with successful delivery record under the threat ofand the forwarding when a well-behaved node receives a the wormhole is close to that of CTP nodes with no attackers,broadcast from the base station. When a well-behaved node as shown in Figs. 7a, 7b, and 7c.forwards a broadcast packet from the base station, it will 5.4 Application: Mobile Target Detection in theinclude its own id in the packet so that its receivers will not Presence of an Antidetection Mechanismrecognize the forwarder as a base station. We conducted To demonstrate how TARF can be applied in networkedthe first experiment by uploading the program with the sensing systems, we developed a proof-of-concept resilientCTP protocol onto 91 motes (not including those five application of target detection. This application relies on aselected motes as fake bases in later experiments), and no deployed wireless sensor network to detect a target that couldattack was involved here. Then, in another experiment, in move, and to deliver the detection events to a base station viaaddition to programming those 91 motes with CTP, we also multiple hops with the TARF-enabled CTP protocol. Forprogrammed the five fake base stations so that they stole simplification, the target is a LEGO MINDSTORM NXT 2.0the id the base station through replaying. In the last vehicle robot equipped with a TelosB mote that sends out anexperiment, we programmed those 91 motes with the Active Message AM packet every three seconds. A sensorTARF-enabled CTP, and programmed the five fake base node receiving such a packet from the target issues a detectionstations as in the second experiment. Each of our programs report, which will be sent to the base station with therun for 30 minutes. aforementioned TARF-enabled CTP protocol. As illustrated in Fig. 7a, the existence of the five wormhole The experiment is set up within a clear floor space of 90attackers greatly degraded the performance of CTP: the by 40 inches with 15 TelosB motes (see Fig. 8a). To make thenumber of the delivered data packets in the case of CTP multihop delivery necessary, the transmission power of allwith the five-node wormhole is no more than 14 percent that the Telosb motes except two fake base stations in thein the case of CTP without adversaries. The TARF-enabled network is reduced through both software reduction andCTP succeeded in bringing an immense improvement over attenuator devices to within 30 inches. The target uses anCTP in the presence of the five-node wormhole, almost antidetection mechanism utilizing a fake base station closedoubling the throughput. That improvement did not show to the real base station, and another remote base stationany sign of slowing down as time elapsed. The number of close to the target and mounted on another LEGO vehiclenodes from each floor that delivered at least one data packet robot. The two fake base stations, with a transmission rangein each six-minute subperiod is plotted in Figs. 7a, 7b, and of at least 100 feet, collude to form a wormhole: the fake base
  11. 11. 194 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012 Fig. 8. Deployment of a TARF-enabled wireless sensor network to detect a moving target under the umbrella of two fake base stations in a wormhole. http://ieeexploreprojects.blogspot.com close to the real base station is capable of cheating the whole network alone by itself with its powerful radio for a certain amount of time, it can be easily recognized by remote nodes as a poor next-hop candidate soon by most routing protocols based on link quality: that fake base station does not acknowledge the packets “sent” to it from remote nodes with a weak radio via a single hop since it cannot really receive them. Thus, the antidetection mechanism needs to create such a wormhole to replay the packets from the base station remotely. The target node 14 and the fake base station 13 close to it move across the network along two parallel tracks of 22 inches back and forth (see Fig. 8b); they travel on each forward or backward path of 22 inches in around 10 minutes. The experiment lasts 30 minutes. For comparison, three nodes 9, 10, and 11 programmed with the CTP protocol are paired with another three nodes 6, 7, and 8 programmed with the TARF-enabled CTP (see Fig. 8b); each pair of nodes are physically placed close enough. All the other nodes, except for the fake base stations and the target node, are pro-Fig. 7. Empirical comparison of CTP and TARF-enabled CTP on grammed with the TARF-enabled CTP. To fairly compare theMotelab: (a) number of all delivered data packets since the beginning; performance between CTP and the TARF-enabled CTP, wenumber of nodes on (b) the first floor, (c) the second floor and (d) thethird floor that delivered at least one data packet in subperiods. now focus on the delivered detection reports originating from these three pairs of nodes: pair (9, 6), (10, 7), and (11, 8).station close to the base station replays all the packets from For the time stamp of each detection report from these sixthe base station immediately; the remote fake base station, nodes, we plot a corresponding symbol: a purple circle for theafter receiving those packets, immediately replays it again. nodes with the TARF-enabled CTP; a black cross for the CTPThis antidetection mechanism tricks some network nodes nodes. The resulting detection report is visualized in Fig. 9a.into sending their event reports into these fake base stations Roughly, the TARF nodes report the existence of the targetinstead of the real base station. Though the fake base station seven times as often as the CTP nodes do. More specifically,
  12. 12. ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 195 on trust-aware secure routing that is evaluated only through computer simulation, such as [38]. There are certain existing secure routing solutions for WSNs based on trust and reputation management; how- ever, they rarely address the “identity theft” exploiting the replay of routing information. Two such representative solutions are ATSR [22] and TARP [23]. Neither ATSR nor TARP offers protection against the identity deception through replaying routing information. ATSR [22] is a location-based trust-aware routing solution for large WSNs. ATSR incorporates a distributed trust model utilizing both direct and indirect trust, geographical information as well as authentication to protect the WSNs from packet mis- forwarding, packet manipulation, and acknowledgments spoofing. Another trust-aware routing protocol for WSNs is TARP [23], which exploits nodes’ past routing behavior and link quality to determine efficient paths. 7 CONCLUSIONS We have designed and implemented TARF, a robust trust- aware routing framework for WSNs, to secure multihop routing in dynamic WSNs against harmful attackers exploit- ing the replay of routing information. TARF focuses on trustworthiness and energy efficiency, which are vital to the survival of a WSN in a hostile environment. With the idea of trust management, TARF enables a node to keep track of theFig. 9. Comparison of CTP and the TARF-enabled CTP in detecting the trustworthiness of its neighbors and thus to select a reliablemoving target. route. Our main contributions are listed as follows: http://ieeexploreprojects.blogspot.comas shown in Fig. 9b, in the pair (9, 6), no report from CTP 1. Unlike previous efforts at secure routing for WSNs,node 9 is delivered while 46 reports from TARF node 6 is TARF effectively protects WSNs from severe attacksdelivered; in the pair (10, 7), no report from CTP node 10 is through replaying routing information; it requiresdelivered while 80 reports from TARF node 7 is delivered; in neither tight time synchronization nor known geo-the pair (11, 8), 40 reports from CTP node 11 is delivered graphic information.while 167 reports from TARF node 8 is delivered. Taking into 2. The resilience and scalability of TARF are provedaccount the spatial proximity between each pair of nodes, the through both extensive simulation and empiricalTARF-enabled CTP achieves an enormous improvement in evaluation with large-scale WSNs; the evaluation involves both static and mobile settings, hostiletarget detection over the original CTP. network conditions, as well as strong attacks such as The demonstration of our TARF-based target detection wormhole attacks and Sybil attacks.application implies the significance of adopting a secure 3. We have implemented a ready-to-use TinyOSrouting protocol in certain critical applications. The experi- module of TARF with low overhead; as demon-mental results indicate that TARF greatly enhances the strated in the paper, this TARF module can besecurity of applications involving multihop data delivery. integrated into existing routing protocols with the least effort, thus producing secure and efficient fully6 RELATED WORK functional protocols. 4. Finally, we demonstrate a proof-of-concept mobileWe discuss more related work here in addition to the target detection application that is built on top ofintroduction in Section 1. It is generally hard to protect TARF and is resilient in the presence of anWSNs from wormhole attacks, sinkhole attacks, and Sybil antidetection mechanism that indicates the potentialattacks based on identity deception. The countermeasures of TARF in WSN applications.often requires either tight time synchronization or knowngeographic information [4]. FBSR [37], as a feedback-based ACKNOWLEDGMENTSsecure routing protocol for WSNs, uses a statistics-based This work is in part supported by AFRL contract FA8650-detection on a base station to discover potentially compro- 10-C-1740 and US National Science Foundation (NSF)mised nodes. But the claim that FBSR is resilient against Career Award CCF-0643521. The authors also would likewormhole and Sybil attacks is never evaluated or examined; to thank the program manager Mr. John Woods for his greatthe Keyed-OWHC-based authentication used by FBSR also support as well as the anonymous reviewers for theircauses considerable overhead. There also exists other work constructive comments and suggestions.
  13. 13. 196 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012REFERENCES [23] A. Rezgui and M. Eltoweissy, “Tarp: A Trust-Aware Routing Protocol for Sensor-Actuator Networks,” Proc. IEEE Int’l Conf.[1] G. Zhan, W. Shi, and J. Deng, “Tarf: A Trust-Aware Routing Mobile Adhoc and Sensor Systems (MASS ’07), 2007. Framework for Wireless Sensor Networks,” Proc. Seventh European [24] A. Abbasi and M. Younis, “A Survey on Clustering Algorithms for Conf. Wireless Sensor Networks (EWSN ’10), 2010. Wireless Sensor Networks,” Computer Comm., vol. 30, pp. 2826-[2] F. Zhao and L. Guibas, Wireless Sensor Networks: An Information 2841, Oct. 2007. Processing Approach. Morgan Kaufmann, 2004. [25] S. Chang, S. Shieh, W. Lin, and C. Hsieh, “An Efficient Broadcast[3] A. Wood and J. Stankovic, “Denial of Service in Sensor Net- Authentication Scheme in Wireless Sensor Networks,” Proc. ACM works,” Computer, vol. 35, no. 10, pp. 54-62, Oct. 2002. Symp. Information, Computer and Comm. Security (ASIACCS ’06),[4] C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor pp. 311-320, 2006. Networks: Attacks and Countermeasures,” Proc. First IEEE Int’l [26] K. Ren, W. Lou, K. Zeng, and P. Moran, “On Broadcast Workshop Sensor Network Protocols and Applications, 2003. Authentication in Wireless Sensor Networks,” IEEE Trans. Wireless[5] M. Jain and H. Kandwal, “A Survey on Complex Wormhole Comm., vol. 6, no. 11, pp. 4136-4144, Nov. 2007. Attack in Wireless Ad Hoc Networks,” Proc. Int’l Conf. Advances in [27] P. De, Y. Liu, and S.K. Das, “Modeling Node Compromise Computing, Control, and Telecomm. Technologies (ACT ’09), pp. 555- Spread in Wireless Sensor Networks Using Epidemic Theory,” 558, 2009. Proc. Int’l Symp. World of Wireless, Mobile and Multimedia Networks[6] I. Krontiris, T. Giannetsos, and T. Dimitriou, “Launching a (WoWMoM ’06), pp. 237-243, 2006. Sinkhole Attack in Wireless Sensor Networks; The Intruder Side,” [28] A. Woo, T. Tong, and D. Culler, “Taming the Underlying Proc. IEEE Int’l Conf. Wireless and Mobile Computing, Networking and Challenges of Reliable Multihop Routing in Sensor Networks,” Comm. (WIMOB ’08), pp. 526-531, 2008. Proc. First ACM Int’l Conf. Embedded Networked Sensor Systems[7] J. Newsome, E. Shi, D. Song, and A. Perrig, “The Sybil Attack (SenSys ’03), Nov. 2003. in Sensor Networks: Analysis and Defenses,” Proc. Third Int’l [29] S. Ganeriwal, L. Balzano, and M. Srivastava, “Reputation-Based Conf. Information Processing in Sensor Networks (IPSN ’04), Apr. Framework for High Integrity Sensor Networks,” ACM Trans. 2004. Sensor Networks, vol. 4, pp. 1-37 2008.[8] L. Bai, F. Ferrese, K. Ploskina, and S. Biswas, “Performance [30] G. Zhan, W. Shi, and J. Deng, “Poster Abstract: Sensortrust—A Analysis of Mobile Agent-Based Wireless Sensor Network,” Proc. Resilient Trust Model for WSNs,” Proc. Seventh Int’l Conf. Eighth Int’l Conf. Reliability, Maintainability and Safety (ICRMS ’09), Embedded Networked Sensor Systems (SenSys ’09), 2009. pp. 16-19, 2009. [31] C. Perkins and P. Bhagwat, “Highly Dynamic Destination-[9] L. Zhang, Q. Wang, and X. Shu, “A Mobile-Agent-Based Sequenced Distance-Vector Routing (dsdv) for Mobile Compu- Middleware for Wireless Sensor Networks Data Fusion,” Proc. ters,” ACM SIGCOMM Computer Comm. Rev., vol. 24, no. 4, Instrumentation and Measurement Technology Conf. (I2MTC ’09), pp. 234-244, 1994. pp. 378-383, 2009. [32] O. Gnawali, R. Fonseca, K. Jamieson, D. Moss, and P. Levis,[10] W. Xue, J. Aiguo, and W. Sheng, “Mobile Agent Based Moving “Collection Tree Protocol,” Proc. Seventh ACM Conf. Embedded Target Methods in Wireless Sensor Networks,” Proc. IEEE Int’l Networked Sensor Systems (SenSys ’09), pp. 1-14, 2009. Symp. Comm. and Information Technology (ISCIT ’05), vol. 1, pp. 22- [33] G. Zhan, W. Shi, and J. Deng, “Design, Implementation and 26, 2005. Evaluation of Tarf: A Trust-Aware Routing Framework for[11] J. Hee-Jin, N. Choon-Sung, J. Yi-Seok, and S. Dong-Ryeol, “A Dynamic WSNs,” Technical Report MIST-TR-2010-003, Wayne Mobile Agent Based Leach in Wireless Sensor Networks,” Proc. State Univ., http://mine.cs.wayne.edu/~guoxing/tarf.pdf, Oct. http://ieeexploreprojects.blogspot.com 10th Int’l Conf. Advanced Comm. Technology (ICACT ’08), vol. 1, 2010. pp. 75-78, 2008. [34] Q. Zheng, X. Hong, and S. Ray, “Recent Advances in Mobility Modeling for Mobile Ad Hoc Network Research,” Proc. 42nd Ann.[12] J. Al-Karaki and A. Kamal, “Routing Techniques in Wireless Southeast Regional Conf. (ACM-SE 42), pp. 70-75, 2004. Sensor Networks: A Survey,” Wireless Comm., vol. 11, no. 6, pp. 6- [35] X. Hong, M. Gerla, G. Pei, and C. Chiang, “A Group Mobility 28, Dec. 2004. Model for Ad Hoc Wireless Networks,” Proc. Second ACM Int’l[13] C. Karlof, N. Sastry, and D. Wagner, “Tinysec: A Link Layer Workshop Modeling, Analysis and Simulation of Wireless and Mobile Security Architecture for Wireless Sensor Networks,” Proc. ACM Systems (MSWiM ’99), pp. 53-60, 1999. Int’l Conf. Embedded Networked Sensor Systems (SenSys ’04), Nov. [36] “Motelab,” http://motelab.eecs.harvard.edu, 2005. 2004. [37] Z. Cao, J. Hu, Z. Chen, M. Xu, and X. Zhou, “FBSR: Feedback-[14] A. Perrig, R. Szewczyk, W. Wen, D. Culler, and J. Tygar, “SPINS: Based Secure Routing Protocol for Wireless Sensor Networks,” Security Protocols for Sensor Networks,” Wireless Networks J., Int’l J. Pervasive Computing and Comm., vol. 4, pp. 61-76, 2008. vol. 8, no. 5, pp. 521-534, Sept. 2002. [38] T. Ghosh, N. Pissinou, and K. Makki, “Collaborative Trust-Based[15] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus, Secure Routing against Colluding Malicious Nodes in Multi-Hop “Tinypk: Securing Sensor Networks with Public Key Technology,” Ad Hoc Networks,” Proc. 29th Ann. IEEE Int’l Conf. Local Computer Proc. Second ACM Workshop Security of Ad Hoc and Sensor Networks Networks, pp. 224-231, Nov. 2004. (SASN ’04), pp. 59-64, 2004.[16] A. Liu and P. Ning, “Tinyecc: A Configurable Library for Guoxing Zhan received the MS degree in Elliptic Curve Cryptography in Wireless Sensor Networks,” mathematics from Chinese Academy of Proc. Seventh Int’l Conf. Information Processing in Sensor Networks Sciences in 2007 and another MS degree in (IPSN ’08), pp. 245-256, 2008. computer science from Wayne State University[17] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A in 2009. He is currently working toward the PhD Survey on Sensor Networks,” IEEE Comm. Magazine, vol. 40, no. 8, degree in the Department of Computer Science pp. 102-114, Aug. 2002. at Wayne State University. He is interested in[18] H. Safa, H. Artail, and D. Tabet, “A Cluster-Based Trust-Aware research on participatory sensing, wireless Routing Protocol for Mobile Ad Hoc Networks,” Wireless Net- sensor network, mobile computing, networking, works, vol. 16, no. 4, pp. 969-984, 2010. and systems Security, trust Management, and[19] W. Gong, Z. You, D. Chen, X. Zhao, M. Gu, and K. Lam, “Trust information processing. Several of his research papers have been Based Routing for Misbehavior Detection in Ad Hoc Networks,” J. presented at international conferences or published in journals. Networks, vol. 5, no. 5, pp. 551-558, May 2010. Additionally, he has instructed a few computer science laboratories[20] Z. Yan, P. Zhang, and T. Virtanen, “Trust Evaluation Based consisting of interactive short lectures and hands-on experience. Security Solution in Ad Hoc Networks,” Proc. Seventh Nordic Workshop Secure IT Systems, 2003.[21] J.L.X. Li and M.R. Lyu, “Taodv: A Trusted Aodv Routing Protocol for Mobile Ad Hoc Networks,” Proc. Aerospace Conf., 2004.[22] T. Zahariadis, H. Leligou, P. Karkazis, P. Trakadas, I. Papaef- stathiou, C. Vangelatos, and L. Besson, “Design and Implementa- tion of a Trust-Aware Routing Protocol for Large WSNs,” Int’l J. Network Security and Its Applications, vol. 2, no. 3, pp. 52-68, July 2010.
  14. 14. ZHAN ET AL.: DESIGN AND IMPLEMENTATION OF TARF: A TRUST-AWARE ROUTING FRAMEWORK FOR WSNS 197 Weisong Shi received the BS degree from Julia Deng received the PhD degree in the Xidian University in 1995 and the PhD degree Department of Electrical Engineering from the from the Chinese Academy of Sciences in 2000, University of Cincinnati in 2004, majoring in both in computer engineering. He is an associ- communications and computer networks. She is ate professor of computer science at Wayne currently a principal scientist at Intelligent Auto- State University. His current research focuses mation, Inc. Her primary research interests on computer systems, mobile and cloud comput- include protocol design, analysis, and imple- ing. He has published more than 100 peer mentation in wireless ad hoc/sensor networks, reviewed journal and conference papers. He is network security, information assurance, and the author of the book “Performance Optimiza- network management. At IAI, she serves as thetion of Software Distributed Shared Memory Systems” (High Education PI and leads many network and security-related projects, such asPress, 2004). He has served the program chairs and technical program secure routing for airborne Networks, network service for airbornecommittee members of several international conferences. He is a Networks, DoS mitigation for tactical networks, trust-aware querying forrecipient of the US National Science Foundation (NSF) CAREER award, sensor networks, trusted routing for sensor networks, agent-basedone of 100 outstanding PhD dissertations (China) in 2002, Career intrusion detection system, just to name a few.Development Chair Award of Wayne State University in 2009, and the“Best Paper Award” of ICWE ’04 and IPDPS ’05. He is a senior memberof the IEEE. . For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/publications/dlib. http://ieeexploreprojects.blogspot.com