Journal of Network and Computer Applications 35 (2012) 867–880
Trust mechanisms in wireless sensor networks: Attack analysis and countermeasures

Yanli Yu (a, b), Keqiu Li (a), Wanlei Zhou (b), Ping Li (b)

(a) School of Computer Science and Technology, Dalian University of Technology, No. 2 Ligong Road, Dalian 116023, China
(b) School of Information Technology, Deakin University, 221 Burwood Hwy, Burwood, Victoria 3125, Australia

Article history: Received 12 July 2010; Received in revised form 3 January 2011; Accepted 9 March 2011; Available online 21 March 2011

Abstract

As the trust issue in wireless sensor networks is emerging as an important factor in security schemes, it is necessary to analyze how a trust scheme can resist attacks. In this paper we categorize the various types of attacks and countermeasures related to trust schemes in WSNs. Furthermore, we trace the development of trust mechanisms, give a short summary of classical trust methodologies and emphasize the challenges of trust schemes in WSNs. An extensive literature survey is presented by summarizing state-of-the-art trust mechanisms in two categories: secure routing and secure data. Based on the analysis of attacks and the existing research, open problems and future directions for trust mechanisms in WSNs are provided. © 2011 Elsevier Ltd. All rights reserved.

Keywords: Trust; Attack; Network security; WSNs
1. Introduction

The issue of trust in WSNs (wireless sensor networks) has gradually been taken up by researchers and remains an open and challenging field. Research on security in WSNs has also advanced, yielding cryptographic mechanisms, intrusion detection systems and efficient routing protocols. However, it is difficult to eliminate insider attacks using those traditional techniques. In order to filter compromised nodes out of sensor networks, some trust-based systems have recently been modelled. The trust concept was first proposed in the realm of E-commerce to select reliable transaction partners, and was subsequently developed by many researchers in different fields. This policy can be more efficient because the evaluation of trust is usually linked directly to the past behaviors of participants or indirectly combined with reputation from other recommenders. Nevertheless, the limitation of energy, the restriction of storage space and the inherent vulnerabilities of wireless communication impose higher requirements on the design of an efficient trust framework in WSNs.

In this paper, we analyze current threats and attacks in wireless sensor networks, and derive a classification of attacks by feature and consequence. Then we survey the leading trust models in WSNs, and identify which attacks these trust models intend to resist, which attacks could be solved using the trust method, and which attacks come into being because of the trust scheme itself. Through analyzing the existing and potential threats and related methods, our objective is to gain a deeper understanding of 'trust' in WSNs, and to give a clear direction for the design and construction of trust mechanisms in WSNs. We survey state-of-the-art trust schemes in WSNs, and classify them into two aspects: secure routing and secure data. A few existing surveys on trust and security issues can be found (Fernández-Gago et al., 2007; Chapin et al., 2008; Chen et al., 2009b; Sun et al., 2006; Peng et al., 2007; Hoffman et al., 2009). Although these articles do not focus on attack analysis within trust schemes in WSNs, they are important in developing trust theory from different perspectives.

The remainder of this paper is organized as follows. In Section 2, we introduce some background on sensor network security, including an analysis of threats and attacks, an explanation of the relationship between attacks and security countermeasures using a series of diagrams, and a presentation of the security requirements and existing security techniques used in WSNs. Section 3 gives a short summary of the development of trust schemes with diverse methodologies, and emphasizes the challenges of trust mechanisms in WSNs. In Sections 4 and 5, we focus on an analysis of attacks and consider trust issues in two categories: secure routing and secure data. Section 6 concludes the paper by emphasizing our contributions and discussing future work.
Corresponding author: Keqiu Li. doi:10.1016/j.jnca.2011.03.005

2. Attacks and security
A wireless sensor network is a highly distributed network deployed as a large number of sensor nodes in harsh environments. According to the requirements of the concrete environment, networks are organized in one of two structures based on the underlying topology: flat or hierarchical. In the former architecture, all sensor nodes have the same roles: sensing data, reporting events, processing information and transferring data through multi-hop routing. In the latter, a cluster-head node manages the nodes of its cluster and aggregates data from the local non-cluster-head nodes to forward it to the sink. Whatever roles these tiny and low-cost sensor nodes perform, they are essential to security, which should be self-adaptive and self-healing to maintain the longevity of the whole network. In addition, although there are cases in which some sensor nodes need to move to carry out assigned jobs (e.g. Mobile Agent wireless sensor networks), most sensor nodes remain fixed throughout their life cycles. For this reason, we do not discuss such mobile structures in this paper.

Since security is an important issue for wireless sensor networks, many security considerations should be investigated. In this section, we analyze the diverse attacks, explain how these attacks relate to trust, and explain why traditional security techniques cannot address certain security problems. We also review the essential security requirements and security mechanisms summarized by Lopez et al. (2009). This section paves the way for the direction of trust schemes in WSNs.

2.1. Threats and attacks

The critical goal of security in any network is to protect the network against various attacks. This is especially so in wireless sensor networks, which are inherently vulnerable to external and internal attacks via a variety of methods, including eavesdropping, fabrication, modification of packets, cloning of nodes and so on.
(1) External attacks: The adversary eavesdrops on information, injects fractional data and fabricates non-existent records to disturb the normal running of the whole network. It does not fully control any legitimate sensor node.
(2) Internal attacks: The invader breaks through some traditional safeguard (e.g. cryptography and authentication) to capture sensor nodes and learn crucial information from them. These nodes are then turned into traitorous nodes.

However, it is hard to judge which type of attack a compromised sensor node suffers from. Individual nodes are widely deployed in an open and unmonitored environment, and a sensor node cannot confirm whether a compromised neighbor is completely betrayed, because both types of attack may produce similar malicious behaviors and most intruders make assaults in various ways and to different degrees. So the line dividing external from internal attacks is not always marked and clear to detect. The diverse attacks (Hoffman et al., 2009; Lopez et al., 2009; Karlof and Wagner, 2003; Xiao and Yu, 2006; Xiao et al., 2007a) that target sensor networks are summarized in Table 1.

Among the above attacks, some could be handled to a certain degree by existing state-of-the-art traditional security schemes through the use of cryptography, authentication, authorization, intrusion detection etc. Others are pending issues due to complex application environments and new derivative problems that accompany immature security technologies. For instance, a trust system is itself an attractive target for attackers, and the last five attacks in Table 1 are newcomers accompanying the rise of trust theory. Intelligent behavior attack, the last attack in Table 1, is introduced for the first time in this paper. In this attack, an intruder automatically adjusts its behavior based on intercepted data that affects trust or reputation evaluation.
Just like the on–off attack and the conflicting behavior attack, the intelligent behavior attack belongs to the same sub-category of Fig. 1, inconsistent behavior: (1) the on–off attack behaves inconsistently in the time domain; (2) the conflicting behavior attack behaves inconsistently in the user domain; while (3) the intelligent behavior attack behaves inconsistently in the content domain. An intelligent invader could detect crucial information, such as the properties of the trust ranking, and furtively make adjustments. For example, in TRANS (Tanachaiwiwat et al., 2004), one of the trust evaluation mechanisms for routing in wireless sensor networks, packet forwarding (P) and the encouragement factor (b) are two underlying parameters that directly influence how trust values are updated. If the trust value continually drops below a certain threshold, the potentially misbehaving insecure location is geocasted or embedded in the blacklist. As long as an invader keeps a forwarding rate equal to or slightly higher than the threshold, the assault is implicit but not that damaging. However, if an invader drops only large or important packets, the trust value can be held on the verge of the threshold; the attack is then difficult to detect yet vital to the whole network.

Since a new method is often accompanied by a number of new problems, what we should do is consider how to keep improving those immature technologies. The trust scheme is one of many underdeveloped but important theories for protecting sensor networks from attacks. As previously mentioned, some new attacks even aim directly at the trust or reputation system itself. Nevertheless, it can solve problems beyond the power of some traditional mechanisms, such as complicated cryptography, authentication and so on. Table 2 shows the characters of attacks related to trust: which attacks can be solved with trust schemes, which attacks aim directly at the trust system, and which attacks come into being with the appearance of the trust concept.
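The threshold-gaming behavior just described is easy to check numerically. The following is an added Python example (not code from the paper or from TRANS; the moving-average update, the threshold and b values and the watchdog log are assumptions and constructed data): a count-based evaluator never blacklists a node that relays 90% of packets but drops only the critical ones, whereas an evaluator that weights each observation by packet importance does.

```python
"""Importance-weighted trust monitoring against threshold gaming.

Added example, not code from the paper or from TRANS. The update rule is an
assumed exponential moving average: TRUST_THRESHOLD and ENCOURAGEMENT only
mirror the roles of the blacklist threshold and the "b" factor named in the
text, not TRANS's real constants.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    pkt_id: int
    critical: bool    # e.g. an event/alarm report rather than a routine reading
    forwarded: bool   # whether the watchdog neighbour saw the packet relayed


TRUST_THRESHOLD = 0.80   # assumed: a node whose trust falls below is blacklisted
ENCOURAGEMENT = 0.10     # assumed "b": how far one observation moves the score


def evaluate(log: Iterable[Packet], weight_of: Callable[[Packet], float],
             prior: float = 1.0, b: float = ENCOURAGEMENT) -> Tuple[float, float]:
    """Run a moving-average trust update over a watchdog log.

    weight_of(packet) scales the step taken for that observation; the step is
    capped at 1 so one observation can at most replace the current score.
    Returns (final_trust, lowest_trust_seen). The blacklist decision in the
    text is about dropping below the threshold, so the minimum is what matters.
    """
    trust = prior
    lowest = prior
    for p in log:
        observation = 1.0 if p.forwarded else 0.0
        step = min(1.0, b * weight_of(p))
        trust = (1.0 - step) * trust + step * observation
        lowest = min(lowest, trust)
    return trust, lowest


def count_weight(_: Packet) -> float:
    """Naive evaluator: every packet counts the same."""
    return 1.0


def importance_weight(p: Packet, critical_factor: float = 5.0) -> float:
    """Hardened evaluator: a dropped critical packet costs as much as several
    dropped routine ones (the factor is an assumed tuning knob)."""
    return critical_factor if p.critical else 1.0


def is_blacklisted(lowest_trust: float, threshold: float = TRUST_THRESHOLD) -> bool:
    return lowest_trust < threshold


def make_log(n: int = 50, every: int = 10) -> List[Packet]:
    """Constructed watchdog log: every `every`-th packet is a critical report
    and the observed node relays everything except those, so its raw
    forwarding rate is (n - n // every) / n, i.e. 90% with the defaults."""
    return [Packet(i, critical=(i % every == 0), forwarded=(i % every != 0))
            for i in range(1, n + 1)]


def forwarding_rate(log: List[Packet]) -> float:
    return sum(1 for p in log if p.forwarded) / len(log)


if __name__ == "__main__":
    log = make_log()
    print(f"raw forwarding rate: {forwarding_rate(log):.2f}")
    for name, w in (("count-based", count_weight),
                    ("importance-weighted", importance_weight)):
        final, lowest = evaluate(log, w)
        print(f"{name:>20}: final {final:.3f}, lowest {lowest:.3f}, "
              f"blacklisted={is_blacklisted(lowest)}")
```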
2.2. Security requirements and security mechanisms

As we have seen, the variety and complexity of attacks have increased, as have the security measures required to prevent attacks from influencing the functionality of the network and to minimize the negative effects of such threats. Security mechanisms are devised according to a set of security requirements. These requirements depend on some underlying security properties and some concrete security strategies within the inherent resource constraints of wireless sensor networks.

2.2.1. Security properties

Lopez et al. (2009) have exhaustively summarized the security properties and existing security mechanisms in wireless sensor networks. Based on the existing security mechanisms, Lopez et al. believe the following would typically be part of the security requirements in WSNs:
1. Confidentiality: A given message must not be understood by anyone other than the desired recipients.
2. Integrity: The data produced and consumed by the sensor network must not be maliciously altered.
3. Authentication: Data authentication allows a receiver to verify that the data was really sent by the claimed sender.
4. Authorization: Only authorized entities can perform certain operations in the network.
5. Availability: The users of a sensor network must be capable of accessing its services whenever they need them.
6. Freshness: The data produced by the sensor network must be recent.
7. Forward and backward secrecy: Forward secrecy means that a sensor should not be able to read any future messages after it leaves the network. Backward secrecy means that a joining sensor should not be able to read any previously transmitted message.
Table 1 Attacks in wireless sensor networks. (Ex: external; In: internal.)

Attack | Type | Features
Sniffing attack | Ex | Overhear valuable data from nearby nodes; eavesdrop information
HELLO flood attack | Ex | Establish the attacker as a […] the data destined for the base station through it
Spoofed, altered, replayed information | Ex & In | Fabricate non-existent information; modify partial data; replay messages
Selective forwarding attack (Greyhole attack) | Ex & In | Drop certain types of packets; forward only packets from certain users; forward only packets to certain destinations
Blackhole attack | Ex & In | Attract the entire traffic to be routed through it by advertising itself as the shortest route, and drop all received messages
Energy drain attack | Ex & In | Radiate a large amount of traffic and require other nodes to respond
DoS attack | Ex & In | Prevent any part of the WSN from functioning correctly or in a timely manner
Sybil attack (Node replication attack) | Ex & In | Clone several nodes and return replicas by capturing at least one node
Sinkhole attack | In | Attract nearby network traffic through a compromised node
Wormhole attack | In | Create a 'low-latency out-of-bound' channel to another part of the network where messages are replayed
Acknowledgement spoofing | In | Spoof acknowledgement messages to trick the sender into believing that a weak link is strong or a dead node is alive
Stealthy attack | In | Cause the querier to accept a false aggregate that is higher or lower than the true aggregate value
Bad mouthing attack (RepBad, Yang et al., 2008) | In | Propagate negative reputation information about good nodes
On–off attack | In | Behave well or badly by exploiting the dynamic properties of trust through time-domain inconsistent behaviors
Whitewashing | In | Re-enter the system with a new identity and a fresh reputation
Conflicting behavior attack | In | Impair good nodes' recommendation trust by performing differently to different nodes
Intelligent behavior attack | In | Selectively provide good or bad services, or high or low recommendation values, according to the threshold of the trust rating etc.

Consequences column (entries in reading order; the per-row boundaries did not survive extraction): Be related to military or industrial espionage; Expand crisis by easily combining with other attacks; Control the data flow; Expand crisis by easily combining with other attacks; Be an alternative to the blackhole attack; Create routing loops; Attract or repel network traffic; Extend or shorten source routes; Generate false error messages; Partition the network; Increase end-to-end latency; Drop certain data; Damage data integrity; Increase risk and cost implicitly; Block the traffic to the sink; Expand crisis by easily combining with other extra attacks; Paralyze the whole network; Split the network grid and take control of part of the network by inserting a new sink node; Jam and tamper with the network; Exhaust the energy of nodes; Eavesdrop on links between valid nodes; Misroute packets; Insert false sensing data; Confuse location-aware routing; Create false routing; Jam network traffic; Paralyze the whole network; Undermine cryptographic protection; Confuse routing and normal function; Create a sinkhole; Confuse routing and normal function; Mount a selective forwarding attack; Prevent or mislead the querier from getting any aggregation result; Block a valid path by confusing the reputation system; Remain undetected while causing damage; Increase the cost of reputation evaluation; Detour the defence of a reputation system; Cause conflicting opinions and decrease trust values indirectly; Increase the cost of reputation evaluation; Combine with the sniffing attack; Disrupt trust system order indistinguishably; Increase the cost of reputation evaluation.
8. Self-organization: Sensor nodes must be independent and flexible enough to autonomously react against problematic situations, and be able to organize and heal themselves.
9. Auditing: The elements of a sensor network must be able to store any significant events that occur inside the network.
10. Non-repudiation: A node cannot deny sending a message it has previously sent.
[Fig. 1 is not reproduced. Its top-level groups are Routing Traffic, Data, Energy, Inconsistent Behavior (Time, User, Content sub-domains), Value Propagate (Positive, Negative, Refresh branches) and Others; the attacks shown are Greyhole (selective forwarding), Blackhole, Sinkhole, Wormhole, Collude Sybil, On-Off, Conflict Behavior, Intelligent Behavior, Self-Promoting, Bad Mouthing, Whitewashing, Acknowledgement Spoofing, Spoofed/altered/replayed, Stealthy, Energy Drain and DoS.]
Fig. 1. Categories of attacks related with trust.
11. Privacy and anonymity: The location and identities of the base station and of the nodes that generated information should be hidden or protected.

2.2.2. Security mechanisms

Security mechanisms for sensor networks have been proposed by many researchers (Chen et al., 2009b; Lopez et al., 2009; Law and Havinga, 2005; Kyriazanos et al., 2008). An overview of the existing security mechanisms is:
1. Security primitives: The security primitives for sensor networks provide the confidentiality, integrity, authentication and non-repudiation properties; they include Symmetric Key Cryptography (SKC), Public Key Cryptography (PKC), hash functions and Message Authentication Codes (MAC).
2. Key management and secure channels: Key Management Systems (KMS) aim to solve the problem of creating, distributing and maintaining secret keys in order to construct secure channels. Spanning many different types of protocols, Key Management Systems can be classified into four major frameworks: the 'key-pool' framework, the mathematical framework, the negotiation framework and the public key framework.
3. Network core protocols: Network 'core' protocols refer to routing, data aggregation and time synchronization. The behavior and properties of these protocols are highly dependent on the characteristics of the sensor network application in which they run, because they must be adapted to the requirements of the 'de facto' scenario.
4. Self-healing and self-management protocols: Self-awareness mechanisms provide information (e.g. whether a certain node has disappeared from a neighborhood) to the protocols of the sensor node. Self-healing mechanisms can facilitate the creation of security services such as intrusion detection systems and trust management systems.
5. Privacy and anonymity: For certain scenarios, the privacy of the elements of the network needs to be taken into account.
Table 2 Analysis of attacks related with trust mechanisms.

Attack | Characters | Description
Sniffing attack | V | V: to overhear any data, including information related to trust. The difference is that the attacker needs to break through ID or data authentication etc.
Spoofed, altered, replayed information | V | V: to spoof, alter and replay any data, including information related to trust or reputation values
Greyhole attack (Selective forwarding) (Xiao et al., 2007b) | R & V | R: to eliminate distrusted nodes via the corresponding rules of trust ranking. V: to assault the trust system itself, just like the intelligent behavior attack
Blackhole attack | R | R: to eliminate distrusted nodes via the corresponding rules of trust ranking
Energy drain attack | R | R: to eliminate distrusted nodes as long as energy is one of the trust factors
DoS attack | R & V | R: to suspect nodes if the number of packets sent exceeds the trust threshold. V: to send a large number of recommendation requests via broadcast at the same time
Sybil attack (Node replication attack) | R & V | R: to eliminate distrusted nodes via the corresponding rules of trust ranking. V: to counterfeit corresponding nodes to boost its own reputation or reduce the reputation of others. In Yang et al. (2008) positive feedback behavior is called Self-Promoting, and negative feedback behavior is called Slandering (or RepTrap, Yang et al., 2008) in the reputation system
Sinkhole attack | R & V | R: to eliminate distrusted nodes via the corresponding rules of trust ranking. V: to attract nearby nodes via counterfeit reputation
Wormhole attack | R | R: to eliminate distrusted nodes via the corresponding rules of trust ranking
Acknowledgement spoofing | R & V | R: to eliminate distrusted nodes via the corresponding rules of trust ranking. V: to spoof recommendation values to trick the requestor
Stealthy attack | R | R: to aggregate data from trusted data or trusted nodes
Bad mouthing attack | N | N: the same as previously mentioned in Table 1
On–off attack | N | N: the same as previously mentioned in Table 1
Whitewashing | N | N: the same as previously mentioned in Table 1
Conflicting behavior attack | N | N: the same as previously mentioned in Table 1
Intelligent behavior attack | N | N: the same as previously mentioned in Table 1

R: the attack could be resolved with trust technology to some degree; V: the attack could violate the trust/reputation system itself; N: the attack is a newcomer accompanying trust technology.
The threats to privacy come mainly from content, location and identity.
6. Software-based protection and testing: Using certain software-based techniques, such as remote attestation and radio fingerprinting, subverted or replicated nodes can be distinguished from valid nodes.
7. Other protocols and mechanisms for specific WSNs: Beyond the 'core' protocols, there exist other services and protocols that can be useful to improve the functionality of the network, such as group management.

Furthermore, other aspects of security in WSNs that need further research are: the relationship between the security and the QoS requirements of the network, methodologies (such as attack trees applied to WSNs in order to quantify their risks), development of secure location algorithms, analysis of naming and addressing vulnerabilities, creation of secure architectures and middleware that use cross-layer optimizations, distributed computing, data redundancy and survivability, mechanisms for the protection of the MAC layer, and so on.

Hoffman et al. (2009) surveyed the defense mechanisms employed by existing reputation systems and suggest five defense strategies against attackers on reputation systems in common networks. These are:
1. Preventing multiple identities (Sybil attacks): Proposed solutions to deal with Sybil attacks fall into centralized and decentralized approaches. In a centralized approach, a central authority issues and verifies credentials unique to each entity, increasing the cost of obtaining multiple identities by requiring a monetary or computational payment for each entity. Decentralized approaches do not rely on a central entity; some solutions bind a 'unique' identifier or use network coordinates to detect nodes with multiple identities, while others propagate reputation originating from trusted sources along the edges of a directed graph, thereby creating a 'web of trust'.
2. Mitigating generation of false rumors: Some approaches prevent the generation of false rumors by means of digital signatures and irrefutable proofs that integrate accountability, although this is not an efficient defense against collusion attacks.
3. Mitigating spreading of false rumors: Two methods have been proposed to reduce the spreading and aggregation of false reputations. The first depends on pre-trusted identities but carries additional risk (it is more harmful if they are compromised); the other uses statistical methods (e.g. Bayesian theory) to build a precise feedback system, specifying a certain threshold for bad behaviors.
4. Preventing short-term abuse of the system: This addresses attackers who abuse the system by letting their reputation degrade quickly and then re-entering with a new identity. One approach ensures that newcomers must start with a low reputation and increase it gradually over a given amount of time. Another approach is for newcomers to 'pay their dues', that is, to provide more service than they receive in order to obtain a positive reputation.
5. Mitigating denial of service attacks: To prevent a DoS attack against dissemination, one approach uses randomization techniques to select the participants that calculate and disseminate reputation values. This divides responsibility across identities and reduces the probability of collusion among malicious nodes.

3. Overview of trust in WSNs

As we explained in Section 2.2.2, trust policy is one security mechanism that tries to prevent diverse insider attacks and construct a self-healing wireless sensor network. The development of trust has followed two directions: authorization (hard trust) and evaluation (soft trust). Blaze et al. (1996) first proposed a trust management system, called PolicyMaker, to specify and enforce security policies, credentials and relationships that allow direct authorization of critical security actions. Implicit notions of trust are handled by applications based on cryptographic techniques: a trusted third party signs a certificate to certify the identity associated with a public key. An important issue in this scenario is how the certified identity is acted upon; the answer is simply the authorization procedure of trust. The trust management system automatically determines whether access should be allowed according to the specific policy, access rights and authorization semantics. Chapin et al. (2008) have investigated the foundations and features of authorization in trust management. The question remains: how do we evaluate the extent of trust? This problem has subsequently been discussed in various literature, providing diverse trust classifications (Grandison and Sloman, 2000) and evaluation models in various domains, such as E-commerce, P2P, ad hoc networks etc.

In this section we trace the development of trust mechanisms in WSNs for the general reader. It reviews the basic properties of trust in WSNs, including trust definitions, characteristics and values. Furthermore, we summarize several methodologies for trust systems in common networks, which could be applied to WSNs after appropriate modification. In addition, due to the inherent characteristics of wireless sensor networks, we emphasize the particularity of trust mechanisms compared with other networks.

3.1. Notion of trust

It is of paramount importance to understand trust before an effective trust management system can be built.
There have already been various attempts to depict trust properties in all kinds of fields (Jøsang et al., 2007). Trust in general is interpreted as belief, subjective probability, reputation etc. As a natural consequence of combining trust with specific application environments, trust has been put forward with quite different meanings and corresponding features. Unlike other networks, the immanent properties of wireless sensor networks make them vulnerable to more attacks and require more complicated security measures under rigorous environmental limitations, trust mechanisms not excepted.

3.1.1. Trust definitions

Many authors have addressed the issue of trust definition in different scenarios of wireless sensor networks. Momani et al. (2008) introduce Data Trust and Communication Trust, while Lin and Varadharajan (2007) propose Hybrid Trust based on Soft Trust and Hard Trust. Moreover, other researchers focus on Node Trust, Path Trust and Service Trust, by monitoring the behaviors of nodes, the connectivity of paths and the availability of services. Although there is no clear consensus on the definition of trust in WSNs, most definitions can be generalized as follows: Trust is a subjective opinion of the reliability of other entities or functions, including the veracity of data, the connectivity of a path, the processing capability of a node and the availability of a service etc. Furthermore, the concept of reputation is considered a closely related measure for evaluating trust, based on the recommendations from other participants in a community. But it is clearly different from trust in definition, as illustrated by the following statements (Jøsang et al., 2007):
1. I trust you because of your good reputation.
2. I trust you despite your bad reputation.
The statements above show that reputation is just one of the methods for rating trustworthiness. The result depends on the concrete approach to trust evaluation: if reputation is weighted heavily, the first statement follows easily; conversely, when personal experience gets the upper hand, reputation is no longer so important.
3.1.2. Trust characteristics

Based on the descriptions of trust properties in the literature, trust has common attributes across different networks, as demonstrated in the following:

Subjective: It is provided by observers or recommenders, depending on certain records of past behaviors.
Dynamic: It may change over time and space.
Asymmetric: The two sides are mutually independent, that is to say, A may trust B while B distrusts A.
Incomplete transitive: The trust link exists, but depending on the structure or extent of the trust relationships among participants, if A trusts B and B trusts C, A may trust or distrust C.
Reflexive: Obviously, an entity trusts itself.
Context-sensitive: It is effective within a specific prerequisite.
In addition, there exist three special attributes of trust for WSNs, based on the above-mentioned information regarding network environments.

Low evidence: evidence of trust, including a node's own observations of behavior or recommendations from others, is seldom collected due to the intrinsic characteristics of WSNs, such as limited energy or an exposed network environment.
Ambiguous instability: the fluctuation of trustworthiness status may be large and is easily affected by the wireless environment itself; however, it may not be attributable to an adversary.
Complicated trust system structure: just like the various structures of wireless sensor networks, there are diverse architectures of trust systems: centralized, distributed and hybrid. These depend on where the scores of trust evaluations are obtained and computed.
3.1.3. Trust values Trust values provide various methods of evaluation. By and large, we conclude two types in definitions of trust value: continuous and discrete. In regards to the former, there are varying ranges of trust according to the concrete evaluation method. For example, the common range could be [1, 1]. Discrete trust value may be depicted with an integer number or discrete value with labels rather than numbers (Abdul-Rahman and Hailes, 2000). Furthermore, the preset trust values are divided into three types: (1) High starting score: when the network is safe at the beginning of building, it may be adopted in an optimistic manner; (2) low starting score: if the network is not secure at the start, it would be better to be suspected, holding a pessimistic attitude; and (3) middle starting score: all trust rankings of participants are at the same level at the initial stage, with expression of a neutral attitude. The forms of trust value may not be vital for normal networks, however, for the wireless sensor networks, the significance is completely different. In general, recording and calculating real numbers will bring much more time complexity and storage complexity. This means it spends more energy power and requires larger storage space, which, as usual, should be avoided in WSNs. Thus, this issue is significant because of questions around the form of trust value to be applied, where to store those
trust information, and how to process and estimate trust data in theoretical and practical terms.

3.2. Trust with classical methodologies

Many researchers have proposed trust or reputation systems in various fields over the past several decades, spanning from electronic commerce (Zhou et al., 2008; Tafreschi et al., 2008; Ziegler and Golbeck, 2007) to information technology. In order to understand the trust frameworks for WSNs introduced later, this subsection describes a few trust models built on classical mathematical methodologies, some of which have already been extended to WSNs.

3.2.1. Bayesian trust models

An often used methodology for trust management is Bayesian theory, which has been further developed (Sun et al., 2006; Quercia et al., 2006; Nielsen et al., 2007; Qi et al., 2005; Teacy et al., 2008; Momani et al., 2008; Momani, 2008; Lahno, 2000; Jøsang, 2001) and broadly applied for decades. It has been divided into two directions: objective and subjective. In the objective view, the statistical analysis depends solely on the data analyzed, with no subjective judgement. In the subjective view, a 'confidence level' is adopted as an argument in the decision. In general, a trust system relies on the history of an object's behaviors or on the relevant behaviors of other participants, and the trust value can be seen as a prediction, under uncertainty, of future behavior. Bayesian theory matches the procedure of trust evaluation closely: it takes the prior probability of an event and updates it in the light of new relevant evidence to make a posterior inference about that event. Hence, Bayesian theory is well suited to ranking trust values. To the best of our knowledge, it has been developed further (e.g.
Dirichlet distribution (Nielsen et al., 2007) and Beta distribution (Momani, 2008)) and combined with other fields (e.g. the Dempster–Shafer theory of evidence (Jøsang, 2001) and maximum entropy (Sun et al., 2006)).
Beta distribution system: Jøsang (2001) developed a series of trust and reputation models for electronic commerce based on the beta distribution, modelling a posterior reputation value computed from binary ratings (i.e. positive and negative) as input. The beta probability density function (PDF) is used to represent and derive the reputation score, which is defined as the expectation value of the beta PDF. The beta PDF, denoted $\mathrm{beta}(p \mid \alpha, \beta)$, can be expressed using the gamma function $\Gamma$ as

$$\mathrm{beta}(p \mid \alpha, \beta) = \frac{\Gamma(\alpha+\beta)}{\Gamma(\alpha)\,\Gamma(\beta)}\; p^{\alpha-1} (1-p)^{\beta-1}$$

where $0 \le p \le 1$ and $\alpha, \beta > 0$, with the restriction that $p \ne 0$ if $\alpha < 1$ and $p \ne 1$ if $\beta < 1$. The expectation value of the beta PDF is

$$E(p) = \frac{\alpha}{\alpha+\beta}$$

The parameters $\alpha$ and $\beta$ are derived from the numbers $r$ of positive and $s$ of negative outcomes as $\alpha = r + 1$ and $\beta = s + 1$, respectively. After observing the outcomes of past transactions, the reputation score (i.e. the expectation value of the beta PDF) can be interpreted as the expected probability of a positive outcome in future transactions.
3.2.2. Subjective logic trust model

Subjective logic (Jøsang et al., 2006) extends the Dempster–Shafer theory of evidence and is used for modelling trust networks and analyzing Bayesian networks. Subjective opinions express subjective beliefs about the truth of propositions with degrees of uncertainty. A subjective logic opinion is usually denoted $\omega^A_x$, where $A$ is the subject, also called the belief owner, and $x$ is the proposition to which the opinion applies. $\omega^A_x$ is defined as a four-tuple $\omega_x = (b, d, u, a)$ where:

b: belief, the belief that the specified proposition is true;
d: disbelief, the belief that the specified proposition is false;
u: uncertainty, the amount of uncommitted belief;
a: base rate, the a priori probability in the absence of evidence.

These components satisfy $b, d, u \in [0, 1]$ and $b + d + u = 1$. The probability expectation value of an opinion is defined as $E = b + au$. The parameter $a$, also called the relative atomicity, determines how the uncertainty contributes to the expectation value $E$. An opinion is mapped onto the beta distribution of Section 3.2.1 as

$$\alpha = \frac{2b}{u} + 2a, \qquad \beta = \frac{2d}{u} + 2(1-a), \qquad E(p) = \frac{\alpha}{\alpha+\beta}$$
3.2.3. Entropy trust model

Entropy is a concept in thermodynamics, statistical mechanics and information theory, used as a measure of 'uninformativeness', i.e. uncertainty. Caticha and Giffin (2006) state that Bayesian theory and maximum entropy are fully compatible and can both be seen as special cases of the method of maximum entropy. Sun et al. (2006) proposed a trust evaluation system for ad hoc networks along these lines, based on a Bayesian trust propagation model and an entropy-based trust value. The entropy-based value is defined as

$$T = \begin{cases} 1 - H(p) & \text{for } 0.5 \le p \le 1 \\ H(p) - 1 & \text{for } 0 \le p < 0.5 \end{cases}$$

where $T = T\{\text{subject} : \text{agent}, \text{action}\}$, $p = p\{\text{subject} : \text{agent}, \text{action}\}$ and $H(p) = -p \log_2(p) - (1-p)\log_2(1-p)$ is the entropy function. The key characteristic of this definition is that the trust value is not a linear function of the probability. The authors give a simple example: when the probability increases from 0.5 to 0.509, the trust value increases by only 0.00023, whereas when the probability increases from 0.99 to 0.999, the trust value increases by 0.07. In other words, the more uncertain the estimate (the closer the probability is to 0.5), the less the trust value fluctuates.

3.2.4. Fuzzy trust model

Trust itself is a vague relationship in most instances, so it cannot be strictly treated as a probability, even though a trust value may also range from 0 to 1. Fuzzy logic is a form of multi-valued logic derived from fuzzy set theory to deal with reasoning that is approximate rather than precise. In addition, uncertainty is one of the inherent characteristics of trust networks, because the supporting evidence may be fuzzy, or the policies to be enforced may be fuzzy. The subjective logic trust model includes an evaluation of uncertainty; however, not all uncertainty can be treated as a probability, and such uncertainty cannot be described by a probability model.
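Before turning to fuzzy rules, the following Python script, added here as an illustration and not taken from any of the surveyed papers, puts the same evidence (r positive and s negative observations of a neighbour) through the three probabilistic mappings of Sections 3.2.1 to 3.2.3: the beta expectation, the subjective logic opinion and the entropy-based trust value. The evidence-to-opinion mapping b = r/(r+s+2), d = s/(r+s+2), u = 2/(r+s+2) is Jøsang's standard one and is an assumption here, since the text above only gives the reverse direction; the observation counts are constructed.

```python
"""Added example: the same evidence through the beta, subjective-logic and entropy mappings."""
import math

W = 2.0  # prior weight of the non-informative beta prior (alpha = r + 1, beta = s + 1)


def beta_expectation(r, s):
    """Reputation score of Section 3.2.1: E(p) = alpha/(alpha+beta) with alpha = r+1, beta = s+1."""
    alpha, beta = r + 1.0, s + 1.0
    return alpha / (alpha + beta)


def beta_pdf(p, alpha, beta):
    """The beta density; used only to check that E(p) and the mode behave as expected."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    g = math.gamma
    return g(alpha + beta) / (g(alpha) * g(beta)) * p ** (alpha - 1) * (1.0 - p) ** (beta - 1)


def opinion_from_evidence(r, s, a=0.5):
    """Assumed (Josang's standard) evidence-to-opinion mapping: b = r/(r+s+W), d = s/(r+s+W), u = W/(r+s+W)."""
    n = r + s + W
    return {"b": r / n, "d": s / n, "u": W / n, "a": a}


def opinion_expectation(op):
    """E = b + a*u from Section 3.2.2."""
    return op["b"] + op["a"] * op["u"]


def beta_params_from_opinion(op):
    """The mapping given in Section 3.2.2: alpha = 2b/u + 2a, beta = 2d/u + 2(1-a)."""
    if op["u"] == 0.0:
        raise ValueError("a dogmatic opinion (u = 0) has no finite beta parameters")
    alpha = 2.0 * op["b"] / op["u"] + 2.0 * op["a"]
    beta = 2.0 * op["d"] / op["u"] + 2.0 * (1.0 - op["a"])
    return alpha, beta


def binary_entropy(p):
    """H(p) = -p log2 p - (1-p) log2 (1-p), with H(0) = H(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def entropy_trust(p):
    """Entropy-based trust value of Section 3.2.3, in [-1, 1]."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    h = binary_entropy(p)
    return 1.0 - h if p >= 0.5 else h - 1.0


def trust_increment(p_from, p_to):
    """Change in entropy trust when the probability moves from p_from to p_to."""
    return entropy_trust(p_to) - entropy_trust(p_from)


def compare_mappings(r, s):
    """Run one (r, s) evidence pair through all three mappings."""
    op = opinion_from_evidence(r, s)
    e_beta = beta_expectation(r, s)
    return {
        "beta_expectation": e_beta,
        "opinion": op,
        "opinion_expectation": opinion_expectation(op),
        "alpha_beta_from_opinion": beta_params_from_opinion(op),
        "entropy_trust": entropy_trust(e_beta),
    }


if __name__ == "__main__":
    # Constructed evidence: e.g. (9, 1) means 9 forwarded and 1 dropped packet were observed.
    for r, s in [(0, 0), (9, 1), (1, 9), (90, 10)]:
        res = compare_mappings(r, s)
        print(f"r={r:3d} s={s:3d}  E_beta={res['beta_expectation']:.3f}  "
              f"E_opinion={res['opinion_expectation']:.3f}  u={res['opinion']['u']:.3f}  "
              f"T_entropy={res['entropy_trust']:+.3f}")
    print("dT for p 0.5 -> 0.509 :", round(trust_increment(0.5, 0.509), 5))
    print("dT for p 0.99 -> 0.999:", round(trust_increment(0.99, 0.999), 3))
```

With base rate a = 0.5 the opinion's expectation coincides with the beta expectation and the round trip through alpha = 2b/u + 2a recovers r + 1 and s + 1 exactly; what subjective logic adds is the uncertainty mass u, which shrinks from 1/6 for (9, 1) to 1/51 for (90, 10) while the entropy mapping shows the flat response near p = 0.5 described above.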
Several fuzzy trust models have been proposed that provide a series of fuzzy rules to handle such uncertainty in trust management; this approach is popular in control systems, decision making and pattern recognition. Fuzzy logic incorporates a series of IF–THEN rules to solve a control problem rather than attempting to model the system mathematically. The main steps of fuzzy rule-based inference are as follows (Boukerche and Ren, 2008):

1. predefine the fuzzy sets and criteria;
2. fuzzify the input variable values fed to the fuzzy engine, by calculating the degree to which each input matches the conditions of the fuzzy rules;
3. apply the fuzzy rules to determine the output data, by calculating each rule's conclusion based on its matching degree; and
4. evaluate the results and feed them back to moderate the criteria or rules.
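As an added example of steps 1 to 3 (not code from Boukerche and Ren or from any surveyed scheme), the following Python script runs a small Mamdani-style fuzzy inference for trust. The two inputs (packet forwarding ratio and sensed-data consistency), the trapezoidal membership functions, the rule base and the centroid defuzzification are all assumptions chosen for illustration; step 4, the feedback that tunes the rules, is left out.

```python
"""Added example: Mamdani-style fuzzy inference of a trust value from two node observations."""

# Step 1: fuzzy sets (trapezoids a, b, c, d on [0, 1]) shared by both inputs and the output.
SETS = {
    "low": (0.0, 0.0, 0.2, 0.5),
    "medium": (0.2, 0.5, 0.5, 0.8),   # b == c: a triangle
    "high": (0.5, 0.8, 1.0, 1.0),
}

# Step 3 rule base (assumed): (forwarding label, consistency label or None, trust label)
RULES = [
    ("high", "high", "high"),
    ("high", "medium", "medium"),
    ("high", "low", "low"),       # forwards packets but reports outlying data: not trusted
    ("medium", None, "medium"),
    ("low", None, "low"),
]


def trapezoid(x, a, b, c, d):
    """Membership degree of x in the trapezoid with feet a, d and shoulders b, c."""
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if c < x < d:
        return (d - x) / (d - c)
    return 0.0


def fuzzify(x):
    """Step 2: degree to which x belongs to each fuzzy set."""
    if not 0.0 <= x <= 1.0:
        raise ValueError("inputs are ratios in [0, 1]")
    return {name: trapezoid(x, *params) for name, params in SETS.items()}


def fire_rules(fwd, cons):
    """Step 3: evaluate every rule (AND = min) and keep the strongest firing per consequent (OR = max)."""
    clipped = {}
    for fwd_label, cons_label, trust_label in RULES:
        strength = fwd[fwd_label]
        if cons_label is not None:
            strength = min(strength, cons[cons_label])
        clipped[trust_label] = max(clipped.get(trust_label, 0.0), strength)
    return clipped


def defuzzify(clipped, steps=1000):
    """Centroid of the aggregated (clipped, max-combined) output sets; 0.5 (neutral) if no rule fired."""
    num = den = 0.0
    for k in range(steps + 1):
        y = k / steps
        mu = max(min(strength, trapezoid(y, *SETS[label])) for label, strength in clipped.items())
        num += y * mu
        den += mu
    return num / den if den > 0.0 else 0.5


def fuzzy_trust(forwarding_ratio, data_consistency):
    """Crisp trust value in [0, 1] for a neighbour given two crisp observations."""
    clipped = fire_rules(fuzzify(forwarding_ratio), fuzzify(data_consistency))
    return defuzzify(clipped)


if __name__ == "__main__":
    # Constructed observations: (forwarding ratio, data consistency)
    for fwd, cons in [(0.95, 0.9), (0.95, 0.1), (0.65, 0.9), (0.5, 0.5), (0.2, 0.9)]:
        print(f"forwarding={fwd:.2f} consistency={cons:.2f} -> trust={fuzzy_trust(fwd, cons):.3f}")
```

The third rule is the one a probabilistic forwarding ratio alone cannot express: a node that relays every packet but reports outlying sensor readings ends up with a low trust value, and the centroid step turns the overlapping rule firings at a forwarding ratio of 0.65 into a graded value rather than a jump between two labels.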
3.2.5. Game theory trust model

Game theory attempts to capture mathematically behavior in strategic situations, in which the success of an individual's decision depends on the behavior of others. The so-called trust game (King-Casas et al., 2005) is a two-player instance of such a situation. In self-organizing networks such as ad hoc networks, selfish behavior is a distinct issue due to the lack of cooperation among large numbers of nodes. Several scholars (Jaramillo and Srikant, 2007; Komathyk and Narayanasamy, 2008; Papaioannou and Stamoulis, 2008) propose trust mechanisms based on game theory to eliminate uncooperative nodes. Based on the Prisoner's dilemma, the interactions among nodes sharing some resource (such as packet forwarding) can be formally modelled as games. However, game theory is not a predictive tool for the behavior of nodes but a prescription for how participants ought to behave. Moreover, applying game theory presupposes bidirectional interaction, whereas transmission in sensor networks is almost entirely one-way. Therefore, in our view, game theory is not an appropriate approach to resolving trust problems in WSNs.

3.3. Challenges of trust schemes in WSNs

Based on the special attributes of trust in wireless sensor networks mentioned above, unique challenges exist in establishing a trust framework for WSNs and in choosing appropriate approaches, unlike the general case.

1. Low algorithmic complexity: due to limited energy and constrained storage, the computational capability of sensor nodes is low, so the methods of a trust framework for WSNs should not be expensive to calculate.
2. Equilibrium period of trust validity: since trust evidence is rarely collected in WSNs, the validity period of a sensor node's trust status should be neither too long nor too short. A long period increases the risk of attac from malicious nodes, whereas a short period wastes the resources of sensor nodes, which are already in short supply.
So it is crucial to stipulate an appropriate time interval in WSNs.
3. Diversity of roles: given the complexity of a trust system structure, diverse roles are needed to provide flexibility in trust evaluation approaches. For example, a cluster head node, as part of the backbone, is always required to hold a high trust level in the long term, whereas the trust level of ordinary nodes is lower and may be obtained from local information.
4. Evaluation criteria for trust systems: several trust models for different application situations have been proposed with various mathematical methodologies. However, there is presently no uniform set of criteria for estimating the performance of those trust mechanisms. Most comparisons of simulation results are limited to different parameters of the trust model itself, or they fall into the two cases: with the trust mechanism or without the trust mechanism. Therefore, it is a struggle to build a series of standard evaluation methods (Mármol and Pérez, 2009; Mármol et al., 2010) for trust schemes, with which to judge which trust model is better than the others and why.

4. Existing trust models for secure routing

Wireless sensor networks have been developed for a large number of applications, and trust frameworks have been proposed as an effective security scheme to protect them. Securing wireless sensor networks is mainly divided into two aspects: securing routing and securing data. In this section, we survey state-of-the-art trust frameworks for routing in WSNs and show how those trust models eliminate adverse routing information from malicious nodes, especially captured nodes. We present a detailed consideration of the attack resistance of all the major trust frameworks in WSNs. According to the various de facto applications, routing in WSNs can be divided into flat-based, hierarchical-based and location-based routing. Most of these are restricted by resource constraints, such as limited energy supply and low computing power. Furthermore, wireless communication is by its nature vulnerable to external and internal attacks. Hence, guaranteeing the safety of routing is a crucial and complicated problem. We survey the proposed trust models for securing routing, present the types of attack they resist in Table 3, analyze the relevant countermeasures and discuss where security has been given insufficient consideration.

4.1. μRACER
μRACER (Rezgui and Eltoweissy, 2009) is a service-oriented query model for SANETs (sensor–actuator networks). μRACER assumes extended Event–Condition–Action (ECA) rules for query specification: a rule is triggered when an event occurs and a certain condition is satisfied at the same time. It consists of three protocols, the trust-aware routing protocol (TARP), the context-aware routing protocol (CARP) and the service-aware routing protocol (SARP), which together cover all communication tasks within a node. In particular, they (1) deliver incoming queries to the service-oriented query layer (SOQL); (2) send out query results from the SOQL; and (3) forward received queries and query results to neighbors. TARP is the underlying routing protocol of the three, and its goal is to avoid routing through non-cooperative nodes. It includes two concurrent sub-functions: reputation assessment and path reliability evaluation. Like most reputation mechanisms, two types of reputation contribute to the reputation value: direct reputation and indirect reputation. Direct reputation is derived from bidirectional communication between transmitter and receiver, that is, from the ratio of messages acted upon by the receiver and from overhearing the ratio of messages forwarded by the receiver. Indirect reputation is derived from the neighbor nodes' direct reputation values. The aggregated reputation is defined as

$$R_i(n_{j+1}) = \alpha\, R_i(n_j) + \beta\, Dr_i(n_j) + \gamma\, Ir_i(n_j)$$

where $\alpha + \beta + \gamma = 1$ and $Dr_i(n_j)$ and $Ir_i(n_j)$ denote the direct and indirect reputation, respectively. Not only the node's reliability but also the path's is taken into account: the path's reliability is evaluated as the product of the nodes' probabilities of cooperation and the ratios of messages forwarded among them. By choosing the most reliable path, TARP builds loop-free paths to the sink. TARP maintains a data structure called the Neighborhood Description Table (NDT) that holds details about the neighbors of a given node and the quality of the links between the local node and these neighbors. CARP is a context-aware routing protocol that adapts each node's routing behavior and service profile according to the node's current context; it selects the next task for a node based on the node's current query and routing load. CARP assumes that each message carries a priority value and considers the priority and direction of messages when deciding which message to route. The goal of SARP is to avoid aimless routing: each node determines the capability requested by a received query and forwards the query only if it determines that it is on a path to one or more nodes that provide the requested capability. With its service table and service directory, SARP focuses on quality of service.
It consists of two activity phases: path learning and query routing. Path learning takes place at bootstrapping time, when each node broadcasts a message containing the list of service classes it provides. Query routing is a distributed process across the nodes providing those services; SARP forwards the query to a node's neighbors. CARP and SARP are built on top of TARP. TARP monitors the behavior of nodes and the quality of links and provides a routing layer that supports end-to-end reliability. CARP is the center of node cooperation: it receives messages from TARP, forwards service updates to SARP and queries to the SOQL, which is responsible for query processing, and also receives service updates from SARP and query results from the SOQL.
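The following Python script is an added illustration of TARP's two sub-functions and is not μRACER's own code. It computes direct reputation as the overheard forwarding ratio, indirect reputation as the mean of the neighbours' reported direct reputations, aggregates them with the weighted update above, evaluates path reliability as the product of node reputations along the path and picks the most reliable path to the sink. The weights α, β, γ, the exclusion threshold, the averaging rule for indirect reputation and the observation counts are assumptions of this example.

```python
"""Added example: TARP-style reputation aggregation and path reliability (not muRACER's code)."""

ALPHA, BETA, GAMMA = 0.5, 0.3, 0.2   # assumed weights for history, direct and indirect reputation
EXCLUDE_BELOW = 0.4                  # assumed threshold below which a node is not used as a relay
NEUTRAL = 0.5                        # assumed starting reputation for a node with no history


def direct_reputation(sent, overheard_forwarded):
    """Direct reputation as the overheard forwarding ratio; neutral when nothing was sent yet."""
    if sent == 0:
        return NEUTRAL
    if overheard_forwarded > sent:
        raise ValueError("cannot overhear more forwards than messages sent")
    return overheard_forwarded / sent


def indirect_reputation(reported):
    """Indirect reputation: mean of the direct reputations reported by neighbours (assumed rule)."""
    return sum(reported) / len(reported) if reported else NEUTRAL


def aggregate(previous, direct, indirect, alpha=ALPHA, beta=BETA, gamma=GAMMA):
    """R_i(n_{j+1}) = alpha R_i(n_j) + beta Dr_i(n_j) + gamma Ir_i(n_j), alpha + beta + gamma = 1."""
    if abs(alpha + beta + gamma - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return alpha * previous + beta * direct + gamma * indirect


def run_round(reputation, observations, reports):
    """One reputation assessment round over all neighbours.

    observations: {node: (messages sent to node, forwards overheard from node)}
    reports: {node: [direct reputations of node reported by other neighbours]}
    """
    updated = {}
    for node, (sent, forwarded) in observations.items():
        dr = direct_reputation(sent, forwarded)
        ir = indirect_reputation(reports.get(node, []))
        updated[node] = aggregate(reputation.get(node, NEUTRAL), dr, ir)
    return updated


def path_reliability(path, reputation):
    """Path reliability = product of the cooperation probabilities (reputations) along the path."""
    rel = 1.0
    for node in path:
        rel *= reputation[node]
    return rel


def best_path(paths, reputation, exclude_below=EXCLUDE_BELOW):
    """Most reliable path to the sink among those that avoid distrusted nodes; (None, 0.0) if none."""
    usable = [p for p in paths if all(reputation[n] >= exclude_below for n in p)]
    if not usable:
        return None, 0.0
    best = max(usable, key=lambda p: path_reliability(p, reputation))
    return best, path_reliability(best, reputation)


# Constructed observations from node A: B, D, E cooperate; C acknowledges but drops (greyhole).
OBSERVATIONS = {"B": (20, 19), "C": (20, 2), "D": (20, 20), "E": (20, 17)}
REPORTS = {"B": [0.9, 1.0], "C": [0.1, 0.15], "D": [1.0], "E": [0.8]}
PATHS_TO_SINK = [["B", "D"], ["C"], ["E", "D"]]


if __name__ == "__main__":
    reputation = {}
    for rnd in range(1, 4):
        reputation = run_round(reputation, OBSERVATIONS, REPORTS)
        path, rel = best_path(PATHS_TO_SINK, reputation)
        print(f"round {rnd}: " + ", ".join(f"{n}={r:.3f}" for n, r in sorted(reputation.items()))
              + f" -> path {path} reliability {rel:.3f}")
```

The one-hop path through the greyhole C is the shortest, but after a single round its reputation (0.305) is already below the exclusion threshold, so the two-hop path B, D with reliability 0.725 × 0.75 is chosen; the history weight α makes C's reputation keep falling over subsequent rounds rather than oscillating with each observation.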
Table 3
Trust models for securing routing in WSNs.

| Trust model | Evaluation approach | Attacks resistance | Network structure | Trust objective | Source of trust | Trust factors | Storage location | Energy consumption | Platform |
|---|---|---|---|---|---|---|---|---|---|
| TARP (μRACER) | WM | Greyhole | QM | LQ | DT & Re | MP | L | Low | TinyOS |
| EMPIRE | WM | Blackhole | GM | LQ | DT & Re | MP | S, HP | Low | Monte Carlo |
| k-FTM | WM | Blackhole | TM | BC | DT | MP | L | Low | JAVA |
| TRANS | WM | Blackhole | QM | LQ | DT | MP | L | Low | – |
| RFSN (BRSN) | BM | Bad mouthing, Ballot stuffing, Whitewashing | UM | LQ | DT & Re | MP, AD | L | Low | TinyOS, SOS |
| ATRM | EF | – | CM | – | DT & Re | MP | AL | Low | NS-2 |

WM: weight method; BM: Bayesian model; EF: encrypted function; QM: query model; TM: tree model; GM: grid model; UM: universal model; CM: cluster model; LQ: link quality; BC: broadcast communication; DT: direct trust; Re: reputation; MP: message packets; AD: aggregation data; L: local; AL: agent launcher; S: sink node; and HP: head of packet.
Attack resistance: TARP is the routing protocol in μRACER with a trust mechanism that enables each node to build a local communication context, which is then used to determine the best next hop when transferring a message. Relying on routing reputation values calculated from the ratio of messages forwarded, TARP eliminates distrusted nodes from the routing path and improves end-to-end reliability.
Consideration: Although the evaluated energy consumption of TARP is low, it is questionable at scale. Each node records and updates its neighbors' behavior and information every time, and once a neighbor's direct reputation falls below a threshold, the node broadcasts a message to its neighbors. Consequently, when an inside attacker frequently alters its ratio of forwarded messages, or fabricates its own direct reputation towards others, a chain reaction occurs that can affect the energy of the whole network.
4.2. EMPIRE

The efficient monitoring procedure in a reputation system (EMPIRE (Maarouf et al., 2009)) keeps the system at a satisfactory level while trying to minimize power consumption, memory usage and communication overhead in wireless sensor networks. Monitoring is the most expensive part of resource usage in WSNs, so EMPIRE aims to reduce the frequency of monitoring, i.e. the nodal monitoring activity (NMA), thereby conserving network resources. The reputation system consists of three main components: (1) the monitoring component, EMPIRE itself, which observes packet forwarding events; (2) the rating component, which evaluates the risk an observed node poses to the routing operation based on first-hand information (direct trust) and second-hand information (reputation); and (3) the response component, here a trust-aware version of the geographical and energy aware routing (GEAR) protocol (Yu et al., 2001), which uses distance and energy information to choose the best next hop. In the monitoring phase, each node alternates between two NMA states, ON and OFF; a node in the OFF state may still send or receive messages unrelated to monitoring. The monitoring cycle has two parts, $T_1$ and $T_2$, and in each the node enters an NMA state with a certain probability $P_{ON1}$ or $P_{ON2}$. At the beginning, each node starts its monitoring cycle with $T_1$ or $T_2$ with probability 0.5. Then, at the beginning of $T_1$, the node enters the ON state with probability $P_{ON1}$ and stays there for $T_1$, or enters the OFF state with probability $1 - P_{ON1}$ and stays there for $T_1$. Similarly, at the start of $T_2$, the node is in the ON state with a different probability $P_{ON2}$ and stays there for $T_2$, or is in the OFF state with probability $1 - P_{ON2}$ and stays there for $T_2$. The transitions are not totally independent: they depend on whether the node was previously in the ON or OFF state. Furthermore, to retain the same ability to distinguish malicious from non-malicious neighbors after reducing NMA, a new metric called the average misbehavior detection metric (MDM) is defined: (1) the actual list (AL) sorts all neighbors in descending order of misbehavior (all malicious nodes occupy the top positions of the list), and $POS_{i,AL}$ is the position of neighbor $i$ in the AL; (2) the monitoring list (ML) sorts all neighbors in descending order of the number of monitored events per neighbor, and $POS_{i,ML}$ is the position of neighbor $i$ in the ML. The MDM per node is calculated as

$$MDM = \begin{cases} \dfrac{1}{m}\displaystyle\sum_{i=1}^{m} \left(POS_{i,ML} - POS_{i,AL}\right) & m > 0 \\ 0 & m = 0 \end{cases}$$

where $i$ ranges over the malicious neighbors and $m$ is the number of malicious neighbors. In the rating component, each node rates its neighbor by assigning a risk value to the corresponding monitored node, calculated by simple algebra as the ratio of the node's misbehavior frequency to the allowed misbehavior frequency. In the response component, the GEAR routing protocol is modified to add trust awareness, which is achieved through the rating function as follows:

$$t(j, R) = \beta\, r_{i,j} + (1-\beta)\left[\alpha\, d(j, R) + (1-\alpha)\, e(j)\right]$$

where $t(j,R)$ is the trust-aware cost for node $i$ of using node $j$ as a router to destination $R$; $r_{i,j}$ is the risk value that node $i$ so far knows about node $j$; $d(j,R)$ is the normalized distance from $j$ to $R$ (the distance from $j$ to $R$ divided by the distance from the furthest neighbor of $i$ to $R$); $e(j)$ is the normalized energy consumed so far at node $j$, announced periodically every $T_{update}$; $\alpha \in [0,1]$ is a tunable parameter giving more preference to distance or to energy; $[\alpha\, d(j,R) + (1-\alpha)\, e(j)]$ is the GEAR component of the routing decision; and $\beta$ is a tunable parameter giving more or less preference to trust as opposed to the other resources.
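As an added example (not EMPIRE's own code), the following Python script simulates the three components: the randomized ON/OFF nodal monitoring activity, the MDM computed from an actual list and a monitoring list, and the trust-aware GEAR cost used to pick the next hop. The node positions, misbehavior counts, the capping of the risk ratio at 1.0 and the independence of successive ON/OFF draws (the dependency between transitions is not specified above) are assumptions of this example.

```python
"""Added example: EMPIRE-style monitoring schedule, MDM metric and trust-aware GEAR cost."""
import math
import random


def nma_monitoring_fraction(p_on1, t1, p_on2, t2, cycles, seed=7):
    """Simulate the ON/OFF nodal monitoring activity and return the fraction of time spent in ON.

    Each cycle starts with T1 or T2 with probability 0.5; at the start of T1 the node is ON with
    probability p_on1, at the start of T2 with probability p_on2. Successive draws are assumed
    independent here (the dependency between transitions is not specified on the page).
    """
    rng = random.Random(seed)
    on_time = total = 0.0
    for _ in range(cycles):
        order = [(p_on1, t1), (p_on2, t2)]
        if rng.random() < 0.5:
            order.reverse()
        for p_on, length in order:
            if rng.random() < p_on:
                on_time += length
            total += length
    return on_time / total


def average_mdm(misbehaviour, monitored_events, malicious):
    """MDM = (1/m) * sum over malicious i of (POS_{i,ML} - POS_{i,AL}); 0 when m == 0.

    misbehaviour: {neighbour: observed misbehaviour count}  -> actual list (AL), worst first
    monitored_events: {neighbour: number of monitored events} -> monitoring list (ML), most watched first
    A positive MDM means malicious neighbours sit lower in ML than in AL, i.e. they are under-monitored.
    """
    if not malicious:
        return 0.0
    actual_list = sorted(misbehaviour, key=lambda n: (-misbehaviour[n], n))
    monitoring_list = sorted(monitored_events, key=lambda n: (-monitored_events[n], n))
    return sum(monitoring_list.index(n) - actual_list.index(n) for n in malicious) / len(malicious)


def risk_value(misbehaviour_frequency, allowed_frequency):
    """Rating component: ratio of observed to allowed misbehaviour frequency, capped at 1 (assumption)."""
    if allowed_frequency <= 0.0:
        raise ValueError("allowed misbehaviour frequency must be positive")
    return min(1.0, misbehaviour_frequency / allowed_frequency)


def trust_aware_cost(risk, dist_to_dest, furthest_dist, energy_used, alpha, beta):
    """t(j,R) = beta * r_ij + (1 - beta) * [alpha * d(j,R) + (1 - alpha) * e(j)]."""
    d = dist_to_dest / furthest_dist
    return beta * risk + (1.0 - beta) * (alpha * d + (1.0 - alpha) * energy_used)


def choose_next_hop(neighbours, dest, alpha=0.5, beta=0.5):
    """Response component: the neighbour with the lowest trust-aware cost towards dest.

    neighbours: {name: (x, y, risk value, normalised consumed energy)}
    """
    dists = {n: math.dist((x, y), dest) for n, (x, y, _, _) in neighbours.items()}
    furthest = max(dists.values())
    costs = {n: trust_aware_cost(neighbours[n][2], dists[n], furthest, neighbours[n][3], alpha, beta)
             for n in neighbours}
    best = min(costs, key=costs.get)
    return best, costs[best]


# Constructed data: node i at the origin, destination R on the x axis, three candidate relays.
DEST = (10.0, 0.0)
NEIGHBOURS = {
    "j1": (3.0, 0.0, risk_value(0.0, 0.1), 0.2),
    "j2": (2.0, 1.0, risk_value(0.0, 0.1), 0.1),
    "j3": (4.0, 0.0, risk_value(0.5, 0.1), 0.3),   # closest to R but drops packets
}
MISBEHAVIOUR = {"n1": 12, "n2": 0, "n3": 9, "n4": 0}
MONITORED = {"n1": 40, "n2": 35, "n3": 10, "n4": 20}
MALICIOUS = ["n1", "n3"]


if __name__ == "__main__":
    print("monitoring fraction:", round(nma_monitoring_fraction(0.3, 10, 0.6, 20, 20000), 3))
    print("MDM:", average_mdm(MISBEHAVIOUR, MONITORED, MALICIOUS))
    print("trust-aware next hop:", choose_next_hop(NEIGHBOURS, DEST))
    print("plain GEAR next hop:  ", choose_next_hop(NEIGHBOURS, DEST, beta=0.0))
```

With β = 0.5 the relay j1 wins even though j3 is closer to the destination, because j3's risk ratio dominates its cost; with β = 0 the rule degenerates to plain GEAR and picks j3. The MDM of 1.0 in the constructed lists says that, on average, each malicious neighbour is monitored one position less intensely than its misbehaviour would warrant, which is exactly the quantity EMPIRE wants to keep near zero while lowering NMA.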
Attack resistance: EMPIRE is applied to the detection of non-forwarding attacks, namely the Blackhole attack. The ON state of the monitoring phase is divided into two sub-periods, the monitoring and validation period ($T_{MV}$) and the validation-only period ($T_{VO}$). In $T_{MV}$, a node accepts to monitor the transmission of new packets as well as validating old ones; in $T_{VO}$, it only validates old packets. If no match is found in the monitoring queue, the packet is deleted in both $T_{MV}$ and $T_{VO}$; otherwise the packet is added, but only in $T_{MV}$.
Consideration: In the rating component of EMPIRE, 'good news' about nodes is regarded as a possible trick by the announcer. Therefore, the approach rejects positive information and accepts only negative information, which leaves the bad-mouthing attack unaddressed. Moreover, the collision-free attack and the selective forwarding attack cannot be resisted under the assumed attack model.
4.3. k-FTM

k-FTM (Srinivasan and Wu, 2007, 2009) (k-parent flooding tree model) is a multi-parent tree-based model which is robust against DoBM (denial-of-broadcast message) attacks. k-FTM achieves broadcast reliability close to that of blind flooding with fewer redundant rebroadcasts. In blind flooding, each node receives $n$ copies of the same message, where $n$ is the number of neighbors; in k-FTM, each node receives at most $k$ copies, and only internal nodes rebroadcast the message, on receiving it for the first time. k-FTM is the first model to employ a reputation and trust-based framework for securing broadcast communication in WSNs. Its reputation uses a simple weighting approach to weigh historical reputation against direct information.
Trust model: In k-FTM, every node maintains a reputation value for each of its parent and child nodes using the reputation monitoring system. The reputation value of a parent or child node is calculated by a simple weighting approach as follows:

$$R^{new}_{j,i} = \mu\, R_{j,i} + (1-\mu)\, t$$

where $t = 1$ if the node forwarded the message and $t = 0$ otherwise; the constant $\mu$ is a system-dependent parameter, which decides the extent to which past history is discounted in favour of the most recent behavior.
Attack resistance: The purpose of an attacker is to block each broadcast message (non-forwarding of data packets, namely a Blackhole attack) from as many nodes in the network as possible, during either the broadcast phase or the acknowledgement phase. In the broadcast phase, the attacker blocks the message from reaching the nodes, which is a serious threat since the BS cannot communicate the message to all the nodes. In the acknowledgement phase, the attacker merely increases the false alarm rate, since the message will already have been delivered to the nodes.
Consideration: During the acknowledgement phase, the attacker's effect could be described as a 'false negative'. This does not benefit the attacker, since it only increases the probability of detection; in other attacker models, however, it may cause the rebroadcast of a message and consume network resources. Furthermore, the attacker model of k-FTM assumes non-forwarding but not selective forwarding. In addition, the reputation monitoring system considers only direct trust, because the initial reputation values are set up after the initial k-FTM construction, which indicates that the network model is static.
4.4. TRANS

TRANS (Tanachaiwiwat et al., 2004; Slijepcevic et al., 2002) is a location-centric (as opposed to node-centric) trust routing protocol, which fits the data-centric model. It selects trusted paths that do not include misbehaving nodes by identifying insecure locations and routing around them efficiently via detour points, using embedded blacklists and modified geographic or trajectory routing. The protocol consists of two components: trust routing and insecure location avoidance. Trust routing uses the loosely time-synchronized asymmetric authentication scheme μTESLA (Slijepcevic et al., 2002) to authenticate all requests. The shared encryption key is carried with the message authentication code (MAC) from the sink or base station to ensure request integrity and confidentiality. Each sensor node authenticates every neighbor node, but it only monitors the availability and packet forwarding of the nodes in the forwarding path. Based on the replies a sink receives from the nodes, each node is assigned a trust value. The trust value of node $i$ is defined as

$$T_i = C_i \cdot A_i \cdot \beta P_i$$

where (1) $C_i = 1$ if node $i$ has passed cryptographic authentication, else $C_i = 0$; (2) $A_i$ is the availability of node $i$, based on beacon measurements, which accounts for node or link failures or wake-up/sleep schedules; (3) $P_i$ is the dynamic packet forwarding value for node $i$; and (4) $\beta$ is an encouraging factor for packet forwarding, chosen by simulation. If the trust value drops below a certain threshold, this indicates a potentially misbehaving insecure location, so the sink proceeds to isolate the location using probing. Once the location is found, the information about the insecure location is embedded either in the blacklist (for broadcast) or in the packet header.
The first approach does not require modification of geographic routing or the packet header, because the non-cooperative node is simply removed from the neighbor list and is not selected to participate in any routing activity. The latter approach incurs less overhead in packet delivery but requires modification of packet headers and possibly simple extensions to geographic routing to route via detour points.
Attack resistance: The sink initiates data transfer using queries and creates a message with its location, the destination location, an authentication message and detour locations. Based on the trust value of each location, the sink identifies misbehavior, probes potentially misbehaving locations and isolates insecure locations. The misbehavior is mainly related to packet forwarding. Only locations with a trust value higher than the specified trust threshold are selected to participate in data forwarding, thereby efficiently preventing a Blackhole attack.
Consideration: Adopting the direct trust value as the only source of trust evaluation keeps the energy cost under effective control in the short term. However, accepting recommended reputation information from other nodes would improve the efficiency of trust judgement and save consumption across the whole network in the long term. Furthermore, the blacklist is embedded in the message, which may enable another serious attack if some node is compromised.
4.5. RFSN

The reputation-based framework for sensor networks (RFSN (Ganeriwal and Srivastava, 2004; Ganeriwal et al., 2008)) provides a scalable, diverse and generalized approach for countering all types of misbehavior resulting from malicious and faulty nodes. The purpose of RFSN is to build a community of trustworthy sensor nodes. RFSN disseminates reputation values in a completely distributed manner based on a watchdog mechanism, which consists of three modules: (1) WMRouting monitors the data forwarding behavior of the neighbor nodes by keeping the radio active; (2) WMData performs outlier detection by observing the consistency of raw sensing data among the neighbor nodes; and (3) WMProcessing. A node builds each entry in its reputation table over time through the watchdog mechanism. The reputation of a node is made up of two sub-components, direct reputation $(R_{ij})_D$ and indirect reputation $(R_{ij})_{ID}$, with $R_{ij} = (R_{ij})_D + (R_{ij})_{ID}$. In RFSN, the trust value is obtained from the beta distribution (Section 3.2.1) and is defined as

$$T_{ij} = E(R_{ij}) = E\left(\mathrm{Beta}(\alpha_j + 1, \beta_j + 1)\right) = \frac{\alpha_j + 1}{\alpha_j + \beta_j + 2}$$

Furthermore, it employs an aging weight $w_{age}$ when updating reputation, so that old reputation information becomes stale.
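The following Python class is an added illustration of an RFSN-style reputation table and is not code from Ganeriwal and Srivastava. It stores beta evidence (α_j, β_j) per neighbour, derives T_ij = (α_j + 1)/(α_j + β_j + 2), applies the aging weight w_age, and folds in indirect reputation only when it is positive and only after discounting it by the recommender's own trust value; that is how the bad-mouthing and ballot-stuffing resistance discussed under Attack resistance below is modelled here. The trust threshold of 0.6, the aging weight of 0.9, the linear discounting of recommendations and the observation counts are assumptions of this example.

```python
"""Added example: an RFSN-style reputation table (not code from Ganeriwal and Srivastava)."""
from dataclasses import dataclass

TRUST_THRESHOLD = 0.6   # assumed: a neighbour must earn at least this trust to be treated as cooperative
W_AGE = 0.9             # assumed value of the aging weight w_age


@dataclass
class Evidence:
    alpha: float = 0.0   # cooperative observations of the neighbour
    beta: float = 0.0    # non-cooperative observations of the neighbour


class ReputationTable:
    """Per-node reputation table built from the watchdog (direct) and from recommendations (indirect)."""

    def __init__(self, threshold=TRUST_THRESHOLD, w_age=W_AGE):
        self.threshold = threshold
        self.w_age = w_age
        self.entries = {}

    def _entry(self, node):
        # Pessimistic start: no evidence gives T = 0.5 < threshold, so a fresh (or re-entered,
        # whitewashed) identity is not trusted until it has been observed cooperating.
        return self.entries.setdefault(node, Evidence())

    def trust(self, node):
        """T_ij = E(Beta(alpha_j + 1, beta_j + 1)) = (alpha_j + 1) / (alpha_j + beta_j + 2)."""
        e = self._entry(node)
        return (e.alpha + 1.0) / (e.alpha + e.beta + 2.0)

    def is_trusted(self, node):
        return self.trust(node) >= self.threshold

    def observe(self, node, cooperative, non_cooperative):
        """Direct reputation: outcomes reported by WMRouting / WMData for one neighbour."""
        if cooperative < 0 or non_cooperative < 0:
            raise ValueError("counts must be non-negative")
        e = self._entry(node)
        e.alpha += cooperative
        e.beta += non_cooperative

    def recommend(self, recommender, node, cooperative, non_cooperative):
        """Indirect reputation from a neighbour's report. Returns True if it was folded in.

        Only good news is accepted (bad-mouthing cannot lower anyone's reputation), and only from a
        recommender that is itself trusted; the report is discounted by the recommender's trust
        (linear discounting is an assumption of this example).
        """
        if non_cooperative > 0:
            return False
        if not self.is_trusted(recommender):
            return False
        self._entry(node).alpha += self.trust(recommender) * cooperative
        return True

    def age(self):
        """Apply w_age to all stored evidence so stale observations carry less weight."""
        for e in self.entries.values():
            e.alpha *= self.w_age
            e.beta *= self.w_age


def demo():
    """Constructed scenario returning the table after direct observations, recommendations and aging."""
    table = ReputationTable()
    table.observe("B", 10, 0)   # B forwarded 10 of 10 packets
    table.observe("C", 2, 8)    # C dropped 8 of 10 packets
    bad_mouthing = table.recommend("C", "B", 0, 50)     # C tries to slander B: rejected
    ballot_stuffing = table.recommend("C", "D", 50, 0)  # C vouches for colluder D: rejected
    honest = table.recommend("B", "D", 10, 0)           # B's good report on D: accepted, discounted
    whitewashed = table.is_trusted("C2")                # C re-enters under a new identity
    table.age()
    return table, bad_mouthing, ballot_stuffing, honest, whitewashed


if __name__ == "__main__":
    table, *flags = demo()
    print("accepted (bad-mouthing, ballot stuffing, honest), C2 trusted:", flags)
    for node in sorted(table.entries):
        print(f"{node}: T={table.trust(node):.3f} trusted={table.is_trusted(node)}")
```

Aging pulls every entry back towards the neutral 0.5 when no fresh observations arrive (B drops from 11/12 to 10/11 after one aging step), which is the mechanism that keeps a once-good node from living indefinitely on old evidence.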
Attack resistance: With regard to bad-mouthing attacks, RFSN nodes only propagate good reputation information about other nodes. This resilience comes at the cost of system efficiency, as nodes cannot exchange their bad experiences about malicious or faulty nodes in the network. Some attackers collude to obtain unfairly high ratings, which is called a ballot stuffing attack and belongs to the class of conflicting attacks. Because the reputation value of each recommending node is itself used as the weight of its recommendation, this attack is easily prevented in RFSN. When a malicious node somehow learns that it has been classified as a bad node, it adopts a new identity to carry out fresh attacks; this is called an identity attack or whitewashing attack. In RFSN, reputation values are initialized with a pessimistic attitude, which raises the cost for intruders.
Consideration: RFSN takes a pessimistic approach at the onset of the network, whereby no node trusts any other; reputation then builds up gradually over time. This prevents the whitewashing attack, but at the same time it increases the consumption of the whole network in the bootstrapping phase. Propagating only good reputation information amounts to a similarly pessimistic attitude, because nodes cannot share their bad experiences with each other.
4.6. ATRM

The objective of the agent-based trust and reputation management scheme (ATRM (Ganeriwal and Srivastava, 2004; Ganeriwal et al., 2008)) is to manage trust and reputation locally with minimal overhead in terms of extra messages and time delay. It is based on a clustered WSN with a backbone and on a mobile agent system, and introduces a local trust and reputation management strategy with the help of mobile agents running on each node. The architecture of ATRM consists of four key components: the agent launcher (AL), trust and reputation assessors (TRAs), trust instruments (t-instruments) and reputation certificates (r-certificates).
An AL is an authority responsible for generating and launching TRAs into the network. The AL launches one TRA at a time, in a broadcast fashion, into the backbone network. A TRA is designed to be distributed to every node and to provide its hosting node with a trust and reputation management scheme. Each node holds a replica of the current version of the TRA, which maintains four data structures: a trust evaluation table $Tab_{eval}$, a t-instrument table $Tab_{instr}$, an r-certificate buffer $Buf_{cert}$ and a LowVersion message counter $CNTER$. A t-instrument is a segment of data with a special structure, issued by the local replica TRA of one node (the issuer) to another node (the issuee). Considering any two nodes $n_i$ and $n_j$, the t-instrument issued by $TRA(n_i)$ to $n_j$ under context $C$ is defined as

$$TI(n_i, n_j, C) = E_{AK}\big(D, H(D)\big)$$

where $D = (ID(n_i), ID(n_j), C, T, t_{i,j})$, $T$ is a time-stamp giving the time at which the t-instrument is issued, and $t_{i,j}$ is the trust evaluation value made by $n_i$ on $n_j$. The data structure of an r-certificate is similar to that of a t-instrument and is calculated as

$$RC(n_i) = E_{AK}\big(R, H(R)\big)$$

where $R = (ID(n_i), T, ((r_1, C_1), (r_2, C_2), \ldots, (r_k, C_k)))$, $T$ is a time-stamp giving the time at which the r-certificate is issued, and $n_i$'s reputation is $r_1$ under context $C_1$, $r_2$ under context $C_2$, ..., and $r_k$ under context $C_k$ at time $T$. The execution of ATRM involves two phases: the network initialization phase and the service-offering phase. The first phase consists of two stages: (1) the AL launches a TRA into the backbone network in a broadcast fashion, and (2) each backbone node checks whether it is itself a cluster head; if so, the node broadcasts its replica TRA within its cluster in order to distribute the replica TRA to all its cluster members, otherwise it keeps silent. After this, nodes enter the second phase, which includes four types of sub-service: r-certificate acquisition, t-instrument issuance, r-certificate issuance and the trust management routine.
Attack resistance: The focus of this research is not on the evaluation method for trust and reputation but on managing trust and reputation locally with minimal overhead in terms of extra messages and time delay. Hence, it does not definitively identify which types of attack are resisted, as this depends on the rules of trust ranking.
Consideration: Research on the resource consumption of trust and reputation systems (Shaikh et al., 2010) is also an important issue for WSNs, in order to utilize trust mechanisms efficiently; this includes minimizing message overhead, and reducing time delay and system convergence time.

4.7. Other trust schemes for secure routing

As far as our present knowledge goes, some other trust schemes in WSNs may be classed as secure routing because they directly serve routing protocols, such as cluster head election (Pissinou and Crosby, 2007; Chen et al., 2009a; Kifayat et al., 2009) and securing location (Srinivasan and Wu, 2009). The trust evaluation methods used in cluster head election are similar to the approaches for securing routing mentioned above: the node in a cluster with the highest trust value is voted cluster head. As for securing location, less research has been conducted.
5. Existing trust models for securing data

Unlike the purpose of secure routing, the objective of protecting data focuses on the data content itself. Furthermore, the diversity of data formats and the privacy protection of data raise obstacles and provide more challenges (Lenders et al., 2008) in WSNs. In this section, we focus on two aspects of securing data: data sensing and data aggregation.

5.1. Secure data sensing

Applications are emerging that capitalize on sensed information, including pressure sensors, position sensors, temperature sensors, vibration sensors, etc. The data sensed in such sensor networks are more valuable and trustworthy if they can be related to where and when the readings originated. We introduce two approaches to securing data sensing based on a trust mechanism: one is applied to binary event reports and the other is related to sensor readings. In addition, we analyze the data accuracy and insufficiencies of these two trust models.

5.1.1. TIBFIT

TIBFIT (Krasniewski and Rabeler, 2005) is a protocol to diagnose and mask arbitrary node failures in an event-driven wireless sensor network based on a trust index. The goal of TIBFIT involves event detection and location determination in the presence of faulty sensor nodes. Event detection is divided into two categories: (1) binary event detection, in which the system recognizes the occurrence of the event with a binary decision about whether it happened, and (2) event detection with location determination, in which the coordinates of the event are also reported by the sensing nodes. The event reports are assumed to be simply binary in nature, specifying whether the event has occurred or not. All the nodes in the same cluster are event neighbors for any event detected by the cluster. The CH (cluster head) receives the event reports within a predefined interval of time. Then, the CH partitions the event neighbors into two sets, R (Report Group) and NR (Non-Report Group), based on whether or not they have reported the occurrence of the event. The trust indices of each group are summed up and the group with the higher cumulative TI (CTI) wins. The trust index values of nodes in the winning group are increased while those of nodes in the losing group are decreased according to the formula given above. The TI is calculated as $TI = e^{\lambda n}$. In addition, the CH determines the actual location of the event, which cannot be sensed by the common nodes. A correct event report sent in by a sensing node reports the location of an event to within a radius $r_{error}$ surrounding the event, and the
location determination procedure throws out the event reports from nodes that make a localization error of more than $r_{error}$. The CHs are chosen based on high TI values; furthermore, two additional SCHs (shadow cluster heads) are assigned to each cluster so that the SCHs can monitor all input and output traffic associated with the selected CH.

Data accuracy: The misbehavior of nodes includes missed event reports, false reports, or wrong location reports. Correct nodes are also allowed to make occasional natural errors. TIBFIT analyzes the event reports using the TI and makes an event decision. As opposed to simple voting, this protocol can tolerate faults in a network with more than 50% of its nodes compromised, once it has built up adequate state about the nodes.
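The CH's decision procedure described above, as an added example that is not code from the TIBFIT paper or from this survey: a cluster head partitions its event neighbours into R and NR, lets the higher cumulative TI win, adjusts the trust indices, and estimates the event location while discarding reports that miss by more than r_error. The TI update rule and the centroid-based location estimate are assumptions, since the page does not give that formula, and all node data are constructed.

```python
"""Trust-index voting and location determination at a TIBFIT cluster head.

Added illustration for this survey, not code from the TIBFIT paper. The TI
update rule (additive reward, multiplicative penalty, clamped to [0, 1]) and
the location estimate (TI-weighted centroid, dropping outliers beyond r_error)
are hypothetical; all node data below are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field

REWARD = 0.10   # hypothetical gain for a node in the winning group
PENALTY = 0.40  # hypothetical fraction lost by a node in the losing group
R_ERROR = 2.0   # tolerated localization error, the page's r_error


@dataclass
class ClusterHead:
    ti: dict[str, float] = field(default_factory=dict)  # trust index per node

    def decide(self, reports: dict[str, bool]) -> bool:
        """Split event neighbours into R (reported) and NR (silent), sum each
        group's trust indices and let the higher cumulative TI (CTI) win."""
        cti_r = sum(self.ti[n] for n, rep in reports.items() if rep)
        cti_nr = sum(self.ti[n] for n, rep in reports.items() if not rep)
        return cti_r > cti_nr

    def update(self, reports: dict[str, bool], event: bool) -> None:
        """Winning-group nodes gain trust, losing-group nodes lose it."""
        for n, rep in reports.items():
            if rep == event:
                self.ti[n] = min(1.0, self.ti[n] + REWARD * (1.0 - self.ti[n]))
            else:
                self.ti[n] = max(0.0, self.ti[n] * (1.0 - PENALTY))

    def run_round(self, reports: dict[str, bool]) -> bool:
        """One CH interval: decide from the reports, then adjust the TIs."""
        event = self.decide(reports)
        self.update(reports, event)
        return event

    def locate(self, locs: dict[str, tuple[float, float]]) -> tuple[float, float] | None:
        """TI-weighted centroid of the report group; while any report lies more
        than R_ERROR from the estimate, the worst one is thrown out."""
        accepted = dict(locs)
        while accepted:
            w = sum(self.ti[n] for n in accepted)
            if w == 0.0:
                return None
            cx = sum(self.ti[n] * x for n, (x, _) in accepted.items()) / w
            cy = sum(self.ti[n] * y for n, (_, y) in accepted.items()) / w
            err = {n: math.hypot(x - cx, y - cy) for n, (x, y) in accepted.items()}
            worst = max(err, key=err.get)
            if err[worst] <= R_ERROR:
                return cx, cy
            del accepted[worst]
        return None


def majority(reports: dict[str, bool]) -> bool:
    """Plain majority vote, for comparison with the TI-weighted decision."""
    return sum(reports.values()) * 2 > len(reports)


def simulate() -> tuple[bool, bool, dict[str, float]]:
    """Constructed scenario: five event neighbours starting at TI 0.5. In rounds
    1-4 only one node misreports at a time, so the CH builds up state; in
    round 5 three of the five nodes fabricate an event together.
    Returns (majority_says_event, tibfit_says_event, final trust indices)."""
    ch = ClusterHead(ti={n: 0.5 for n in "abcde"})
    training = [
        {"a": True, "b": True, "c": False, "d": True, "e": True},     # c misses
        {"a": True, "b": True, "c": True, "d": False, "e": True},     # d misses
        {"a": True, "b": True, "c": True, "d": True, "e": False},     # e misses
        {"a": False, "b": False, "c": True, "d": False, "e": False},  # c fabricates
    ]
    for reports in training:
        ch.run_round(reports)
    attack = {"a": False, "b": False, "c": True, "d": True, "e": True}
    return majority(attack), ch.decide(attack), dict(ch.ti)
```

In the constructed round 5, simple voting (3 of 5 reporting) accepts the phantom event while the CTI comparison rejects it, because the three colluding nodes have already lost trust.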
5.1.2. TrustVoting

TrustVoting (Xiao et al., 2007b) is an efficient in-network voting algorithm that determines faulty sensor readings based on SensorRank, computed by exploiting a Markov chain. Compared with distance-based weighted voting, which gives more weight to closer neighbors, the authors argue that the distance between two sensor nodes does not fully represent the correlation between the readings of those two sensors. More seriously, if the nearest sensor is faulty, the voting result may be contaminated by this faulty sensor. Hence, the correlation of sensor readings rather than their distance should be considered in the voting. Employing the Extended Jaccard similarity function (Strehl and Joydeep Ghosh, 2000), the correlation (similarity function) of two sensors $s_i$ and $s_j$ is defined as

$$corr_{i,j} = \frac{b_i(t) \cdot b_j(t)}{\|b_i(t)\|_2^2 + \|b_j(t)\|_2^2 - b_i(t) \cdot b_j(t)}$$

where $\|b_i(t)\|_2^2 = |x_i(t - \Delta t + 1)|^2 + \cdots + |x_i(t)|^2$, i.e. $b_i(t)$ is the window of the last $\Delta t$ readings of $s_i$. Then, a correlation network is built from the correlations among the sensor nodes in the network, and the weight of each edge is assigned as $corr_{i,j}$. Based on the correlation network, the SensorRank (i.e. trust value) of each node is computed for the TrustVoting algorithm. It consists of two phases: a self-diagnosis phase and a neighbor-diagnosis phase. In the self-diagnosis phase, each sensor verifies whether its current reading is unusual or not. Once the reading of a sensor passes the self-diagnosis phase, the sensor can directly report the reading. Otherwise, the sensor node consults its neighbors to further validate whether the current reading is faulty or not.

Data accuracy: The main contribution of TrustVoting is complementing a trust scheme with the similarity properties of sensed data. However, the consumption of the network is neglected. We argue that the cost of bootstrapping to build up a correlation network is large in WSNs due to the dynamics of data.

5.2. Secure data aggregation

In general, aggregation techniques (Alzaid et al., 2008; Özdemir and Xiao, 2009; Castelluccia et al., 2009; Yang et al., 2008) are used to reduce the amount of data transmission within a WSN for the purpose of reducing the expenditure of energy and bandwidth. The data aggregation method successfully extends the lifetime of a network at the cost of data accuracy, security and so on. Early research on data aggregation focused on improving existing routing algorithms to make data aggregation possible. Recent work on data aggregation tends to group sensor nodes into clusters so that data is aggregated in each group for improved efficiency. In this section, we survey some of the literature that pays attention to secure data aggregation based on a trust mechanism; however, we mainly focus on the article by Hur et al. (2005).

5.2.1. Trust management for resilient wireless sensor networks

Hur et al. propose a trust management scheme to secure data sensing and data aggregation. The methods for data sensing are similar to research previously mentioned in this paper: (1) distance factor: they define a reverse sense function, which outputs the expected sensing value of a node based on the distance between the node and an event, and (2) consistency of reports: the communication value contains the communication ratio information of the sensing node, $ss_i$ (sensing success count of node i) and $sf_j$ (sensing failure count of node j). Depending on the consistency level of data sensing under the battery constraints, the trust value of each node is calculated as

$$T_i = \frac{W_1 C_i + W_2 S_i + W_3 B_i}{\sum_{i=1}^{3} W_i}$$

where $W_i$ is a weight which represents the importance of a particular factor, $C_i$ is the data consistency value, $B_i$ represents the sensing communication value (consistency of reports), and $S_i$ represents the battery power. To aggregate data, sensor nodes elect one node as an aggregator per grid: the node with the highest trust value among all the nodes in the same grid, chosen by a majority of votes. Then, the aggregator obtains sensing data from the other member nodes in its grid and aggregates them into a representative value that takes the trust values of the member nodes into account, as follows:

$$SR_{GridID} = \frac{\sum_{i=1}^{m} (T_i + 1)\, sr_i}{\sum_{i=1}^{m} (T_i + 1)}$$

where $sr_i$ is the value of the reverse sense function mentioned above.

Consideration: Choosing the node with the highest trust value among the related nodes as the data aggregator seems reasonable on the surface. However, the trust value is vulnerable to an inside attack that fabricates the trust records stored in the local node. This then leads to the more serious consequence of selecting the counterfeit node as aggregator, while the other nodes know nothing about it.

5.2.2. Challenges of data aggregation with trust mechanisms

Although several researchers have paid attention to protecting data aggregation with a trust mechanism, research is still in its infancy. SELDA (Özdemir, 2007), RSDA (Alzaid et al., 2008) and DCP in Rabinovich and Simon (2007) are similar proposed protocols that ensure the reliability of aggregated data and select secure and reliable paths with different methods based on a trust mechanism. However, the concrete evaluation method of a trust value or trust factor, which is directly associated with data aggregation, is not clearly indicated. Securing data aggregation in WSNs has been an outstanding question for a long period of time under the constraints of data privacy and energy limitation. The requirements for data aggregation security include (Özdemir and Xiao, 2009): data confidentiality, data integrity, data freshness, data availability, authentication, non-repudiation and data accuracy. Furthermore, it is also important to pursue the equilibrium point between security and efficiency. Last but not least, the diversity of aggregated data increases the complexity of security.
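The TrustVoting procedure from Section 5.1.2 (correlation network from reading windows, then self-diagnosis followed by neighbor diagnosis), as an added example that is not code from Xiao et al. (2007b) or from this survey. corr_ij is the page's Extended Jaccard formula; the SensorRank computation as a random walk over the correlation network, the self-diagnosis rule, the neighbour-vote tolerance and all readings are assumptions.

```python
"""Correlation network and neighbour diagnosis in the style of TrustVoting.

Added illustration for this survey, not code from Xiao et al. (2007b).
corr_ij is the page's Extended Jaccard formula; the SensorRank computation
(stationary distribution of a random walk over the correlation network), the
self-diagnosis rule and the neighbour-vote tolerance are assumptions, and
all readings are constructed.
"""
from __future__ import annotations

import statistics

SELF_K = 3.0     # hypothetical: reading is "unusual" if > 3 sigma from own window
TOLERANCE = 2.0  # hypothetical: max gap to the neighbours' weighted reading


def ext_jaccard(bi: list[float], bj: list[float]) -> float:
    """corr_ij = bi.bj / (||bi||_2^2 + ||bj||_2^2 - bi.bj) over equal windows."""
    dot = sum(x * y for x, y in zip(bi, bj))
    den = sum(x * x for x in bi) + sum(y * y for y in bj) - dot
    return dot / den if den else 0.0


def correlation_network(windows: dict[str, list[float]]) -> dict[str, dict[str, float]]:
    """Weighted edge corr_ij between every pair of distinct sensors."""
    return {i: {j: ext_jaccard(windows[i], windows[j]) for j in windows if j != i}
            for i in windows}


def sensor_rank(net: dict[str, dict[str, float]], iters: int = 50) -> dict[str, float]:
    """Assumed SensorRank: power iteration for the stationary distribution of a
    random walk that follows an edge with probability proportional to corr_ij."""
    rank = {i: 1.0 / len(net) for i in net}
    for _ in range(iters):
        new = dict.fromkeys(net, 0.0)
        for i, edges in net.items():
            total = sum(edges.values())
            for j, w in edges.items():   # an uncorrelated node walks uniformly
                new[j] += rank[i] * (w / total if total else 1.0 / len(edges))
        rank = new
    return rank


def self_diagnosis(window: list[float], reading: float) -> bool:
    """True when the reading is unusual relative to the sensor's own window."""
    mu = statistics.mean(window)
    sigma = statistics.pstdev(window) or 1e-9
    return abs(reading - mu) > SELF_K * sigma


def neighbour_vote(i: str, current: dict[str, float], net, rank) -> float:
    """Neighbours' current readings weighted by corr_ij * SensorRank_j."""
    weights = {j: net[i][j] * rank[j] for j in net[i]}
    return sum(w * current[j] for j, w in weights.items()) / sum(weights.values())


def is_faulty(i: str, windows: dict[str, list[float]], current: dict[str, float]) -> bool:
    """Report directly when the self-diagnosis passes; otherwise the reading is
    faulty if it disagrees with the correlation-weighted neighbour vote."""
    if not self_diagnosis(windows[i], current[i]):
        return False
    net = correlation_network(windows)
    rank = sensor_rank(net)
    return abs(current[i] - neighbour_vote(i, current, net, rank)) > TOLERANCE


# Constructed history: four temperature sensors, last four readings each.
WINDOWS = {
    "s1": [20.0, 20.2, 19.9, 20.1],
    "s2": [20.1, 20.3, 20.0, 20.2],
    "s3": [19.8, 20.0, 19.7, 19.9],
    "s4": [20.2, 20.4, 20.1, 20.3],
}
QUIET = {"s1": 20.0, "s2": 20.1, "s3": 19.9, "s4": 35.0}  # only s4 jumps: fault
EVENT = {"s1": 30.5, "s2": 30.2, "s3": 29.8, "s4": 30.1}  # all jump: real event
```

With these constructed rounds, s4's isolated jump fails the neighbour vote, while s1's jump during the EVENT round is confirmed by its correlated neighbours and reported as genuine.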
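The trust value and trust-weighted aggregation of Section 5.2.1, as an added example that is not code from Hur et al. (2005) or from this survey. The two formulas are the ones quoted above; the weights, the factor values, the reverse-sense values sr_i, and the way a fabricated local trust record is modelled in the aggregator election are constructed assumptions.

```python
"""Trust value, aggregator election and trust-weighted aggregation after
Hur et al. (2005), as summarized in this survey.

Added illustration, not code from Hur et al. The formulas for T_i and
SR_GridID are the ones quoted on the page; the weights, factor values,
reverse-sense values sr_i and the modelling of a fabricated trust record
are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

W = (0.5, 0.2, 0.3)  # constructed weights W1 (consistency), W2 (battery), W3 (comms)


@dataclass(frozen=True)
class Node:
    nid: str
    c: float   # C_i: data consistency value, in [0, 1]
    s: float   # S_i: remaining battery power, in [0, 1]
    b: float   # B_i: sensing communication value ss_i / (ss_i + sf_i)
    sr: float  # sr_i: reverse-sense value the node hands to the aggregator


def trust(node: Node, w: tuple[float, float, float] = W) -> float:
    """T_i = (W1 C_i + W2 S_i + W3 B_i) / (W1 + W2 + W3)."""
    w1, w2, w3 = w
    return (w1 * node.c + w2 * node.s + w3 * node.b) / (w1 + w2 + w3)


def elect_aggregator(grid: list[Node], claimed: dict[str, float] | None = None) -> str:
    """The grid elects the member with the highest trust value. Members only
    see the value each node advertises from its locally stored record, so
    `claimed` (constructed) lets a node advertise a fabricated trust value."""
    advertised = {n.nid: trust(n) for n in grid}
    advertised.update(claimed or {})
    return max(advertised, key=advertised.get)


def aggregate(grid: list[Node]) -> float:
    """SR_GridID = sum((T_i + 1) sr_i) / sum(T_i + 1)."""
    weights = [trust(n) + 1.0 for n in grid]
    return sum(w * n.sr for w, n in zip(weights, grid)) / sum(weights)


def plain_mean(grid: list[Node]) -> float:
    """Unweighted mean of the readings, for comparison."""
    return sum(n.sr for n in grid) / len(grid)


def weight_share(grid: list[Node], nid: str) -> float:
    """Fraction of the aggregate's total weight held by one member. Because the
    weight is T_i + 1 with T_i in [0, 1], even a zero-trust node keeps at
    least half the weight of a fully trusted one: it is damped, not excluded."""
    weights = {n.nid: trust(n) + 1.0 for n in grid}
    return weights[nid] / sum(weights.values())


# Constructed grid: three consistent members and one inconsistent member (n4)
# whose reading is far from its neighbours'.
GRID = [
    Node("n1", c=0.90, s=0.8, b=0.9, sr=20.0),
    Node("n2", c=0.85, s=0.6, b=1.0, sr=20.4),
    Node("n3", c=0.95, s=0.9, b=0.8, sr=19.8),
    Node("n4", c=0.10, s=0.9, b=0.5, sr=80.0),
]

if __name__ == "__main__":
    for n in GRID:
        print(f"{n.nid}: T={trust(n):.3f} share={weight_share(GRID, n.nid):.3f}")
    print("aggregator (honest records):", elect_aggregator(GRID))
    # the survey's consideration: a forged local trust record wins the election
    print("aggregator (n4 claims 0.99):", elect_aggregator(GRID, {"n4": 0.99}))
    print(f"plain mean={plain_mean(GRID):.2f}  trust-weighted SR={aggregate(GRID):.2f}")
```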
6. Conclusions and future work

This paper provides a detailed review of trust mechanisms and the corresponding attacks and countermeasures in wireless sensor networks. To give the motivation behind the application of trust schemes, we first categorize all attacks related to trust schemes in WSNs, and use the term intelligent behavior attack to denote an inconsistent behavior attack in the content domain. Secondly, we analyze the methodologies of trust schemes and emphasize the differences and challenges of trust schemes in WSNs. Finally, an extensive literature survey is presented by summarizing the most advanced trust mechanisms in WSNs. Based on the literature, open research fields and future research directions are identified. In the future we plan to design more suitable trust evaluation models for WSNs that include, or at least consider, as many of the attacks mentioned in this paper as possible. Besides, in order to decrease the energy expenditure of trust schemes, we will develop a lightweight algorithm which effectively performs trust value transmission and evaluation. This will first be implemented and analyzed on the NS2 simulation platform.
Acknowledgments

This work is supported by NSFC under Grant nos. 90818002, 60973117, 60973116, and 60973115, New Century Excellent Talents in University (NCET) of Ministry of Education of China, and Intel-MOE Joint Research Fund.

References

Abdul-Rahman A, Hailes S. Supporting trust in virtual communities. In: Proceedings of the 33rd IEEE Hawaii international conference on system sciences, Washington, USA, 2000. p. 4–7.
Alzaid H, Foo E, Nieto J. RSDA: reputation-based secure data aggregation in wireless sensor networks. In: Proceedings of the ninth international conference on parallel and distributed computing, applications and technologies (PDCAT '08), Dunedin, New Zealand, 2008. p. 419–24.
Blaze M, Feigenbaum J, Lacy J. Decentralized trust management. In: Proceedings of the 1996 IEEE symposium on security and privacy, Washington, 1996. p. 164–73.
Boukerche A, Ren Y. A trust-based security system for ubiquitous and pervasive computing environments. Computer Communications 2008;31(18):4343–51.
Castelluccia C, Chan A, Mykletun E, Tsudik G. Efficient and provably secure aggregation of encrypted data in wireless sensor networks. ACM Transactions on Sensor Networks (TOSN) 2009;5(3).
Caticha A, Giffin A. Updating probabilities. In: The 26th international workshop on Bayesian inference and maximum entropy methods, vol. 872, Paris, France, 2006. p. 31–42.
Chapin P, Skalka C, Wang X. Authorization in trust management: features and foundations. ACM Computing Surveys 2008;40(3):1–48.
Chen R, Hsieh C, Huang Y. A new method for intrusion detection on hierarchical wireless sensor networks. In: Proceedings of the third international conference on ubiquitous information management and communication (ICUIMC), Suwon, Korea, 2009a. p. 238–45.
Chen X, Makki K, Yen K, Pissinou N. Sensor network security: a survey. IEEE Communications Surveys and Tutorials 2009b;11(2):52–73.
Fernández-Gago MC, Román R, Lopez J. A survey on the applicability of trust management systems for wireless sensor networks. In: Third international workshop on security, privacy and trust in pervasive and ubiquitous computing (SecPerU 2007), Istanbul, Turkey, 2007. p. 25–30.
Ganeriwal S, Balzano L, Srivastava M. Reputation-based framework for high integrity sensor networks. ACM Transactions on Sensor Networks 2008;4(3):1–37.
Ganeriwal S, Srivastava M. Reputation-based framework for high integrity sensor networks. In: Proceedings of the second ACM workshop on security of ad hoc and sensor networks; 2004. p. 66–77.
Grandison T, Sloman M. A survey of trust in internet applications. IEEE Communications Surveys and Tutorials 2000;3(4):2–16.
Hoffman K, Zage D, Rotaru CN. A survey of attack and defense techniques for reputation systems. ACM Computing Surveys 2009;42(1):1–31.
Hur J, Lee Y, Hong S, Yoon H. Trust management for resilient wireless sensor networks. In: Proceedings of the eighth international conference on information security and cryptology (ICISC), Seoul, Korea; 2005. p. 56–68.
Jaramillo J, Srikant R. Darwin: distributed and adaptive reputation mechanism for wireless ad hoc networks. In: Proceedings of the 13th annual ACM international conference on mobile computing and networking; 2007. p. 87–98.
Jøsang A. A logic for uncertain probabilities. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 2001;9(3):279–311.
Jøsang A, Hayward R, Pope S. Trust network analysis with subjective logic. In: Proceedings of the Australasian computer science conference (ACSC'06), Hobart, 2006. p. 139–61.
Jøsang A, Ismail R, Boyd C. A survey of trust and reputation systems for online service provision. Decision Support Systems 2007;43(2):618–44.
Karlof C, Wagner D. Secure routing in wireless sensor networks: attacks and countermeasures. Elsevier's Ad Hoc Networks Journal, Special Issue on Sensor Network Applications and Protocols 2003;1(2–3):293–315.
Kifayat K, Merabti M, Shi Q, Llewellyn-Jones D. An efficient multi-parameter group leader selection scheme for wireless sensor networks. In: IFIP international conference on network and service security, Paris, France, 2009. p. 1–9.
King-Casas B, Tomlin D, Anen C, Camerer CF, Quartz SR, Montague PR. Getting to know you: reputation and trust in a two-person economic exchange. Science 2005;308(5718):78–83.
Komathyk K, Narayanasamy P. Trust-based evolutionary game model assisting AODV routing against selfishness. Journal of Network and Computer Applications 2008;31(4):446–71.
Krasniewski M, Rabeler B. TIBFIT: trust index based fault tolerance for arbitrary data faults in sensor networks. In: Proceedings of the 2005 international conference on dependable systems and networks (DSN'05), Washington, DC, USA, 2005. p. 672–81.
Kyriazanos DM, Prasad NR, Patrikakis CZ. A security, privacy and trust architecture for wireless sensor networks. In: 50th international symposium ELMAR-2008, Zadar, Croatia, 2008. p. 523–9.
Lahno B. Is trust the result of Bayesian learning? University of Duisburg Working Paper, 2000.
Law YW, Havinga PJ. How to secure a wireless sensor network. In: Proceedings of the 2005 international conference on intelligent sensors, sensor networks and information processing; 2005. p. 89–95.
Lenders V, Koukoumidis E, Zhang P, Martonosi M. Location-based trust for mobile user-generated content: applications, challenges and implementations. In: Proceedings of the ninth IEEE workshop on mobile computing systems and applications, New York, USA, 2008. p. 60–4.
Lin C, Varadharajan V. A hybrid trust model for enhancing security in distributed systems. In: Proceedings of the second international conference on availability, reliability and security; 2007. p. 35–42.
Lopez J, Roman R, Alcaraz C. Analysis of security threats, requirements, technologies and standards in wireless sensor networks. Foundations of Security Analysis and Design V 2009;5705:289–338.
Maarouf I, Baroudi U, Naseer A. Efficient monitoring approach for reputation system-based trust-aware routing in wireless sensor networks. IET Communications 2009;3(5):846–58.
Mármol FG, Girão J, Pérez GM. TRIMS, a privacy-aware trust and reputation model for identity management systems. Computer Networks 2010;54(16):2899–912.
Mármol FG, Pérez GM. TRMSim-WSN, trust and reputation models simulator for wireless sensor networks. In: ICC IEEE; 2009. p. 1–5.
Momani M. Bayesian methods for modelling and management of trust in wireless sensor networks. Australasian digital theses program, University of Technology Sydney, 2008.
Momani M, Challa S, Alhmouz R. Can we trust trusted nodes in wireless sensor networks? In: Proceedings of the international conference on computer and communication engineering; 2008. p. 1227–32.
Nielsen M, Krukow K, Sassone V. A Bayesian model for event-based trust. Electronic Notes in Theoretical Computer Science (ENTCS) 2007;172:499–521.
Özdemir S. Secure and reliable data aggregation for wireless sensor networks, 2007. p. 102–9.
Özdemir S, Xiao Y. Secure data aggregation in wireless sensor networks: a comprehensive overview. Computer Networks 2009;53(12):2022–37.
Papaioannou T, Stamoulis G. Achieving honest ratings with reputation-based fines in electronic markets. In: IEEE INFOCOM; 2008. p. 1040–8.
Peng T, Leckie C, Ramamohanarao K. Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Computing Surveys 2007;39(1):123–8.
Pissinou N, Crosby GV. Cluster-based reputation and trust for wireless sensor networks. In: The fourth IEEE consumer communications and networking conference; 2007. p. 604–8.
Qi J-J, Li Z-Z, Wei L. A trust model based on Bayesian approach. Advances in Web Intelligence (AWIC) 2005;3528:374–9.
Quercia D, Hailes S, Capra L. B-trust: Bayesian trust framework for pervasive computing. In: Trust management: proceedings of the fourth international conference, iTrust 2006, Pisa, Italy, 2006.
Rabinovich P, Simon R. Secure aggregation in sensor networks using neighborhood watch. In: ICC; 2007. p. 1484–91.
Rezgui A, Eltoweissy M. μRACER: a reliable adaptive service-driven efficient routing protocol suite for sensor–actuator networks. IEEE Transactions on Parallel and Distributed Systems 2009;20(5):607–22.
Shaikh R, Lee Y, Lee S. An extended energy consumption analysis of reputation-based trust management schemes of wireless sensor networks. Journal of Networks 2010;5(3):283–91.
Slijepcevic S, Potkonjak M, Tsiatsis V, Zimbeck S, Srivastava M. On communication security in wireless ad-hoc sensor networks. In: 11th IEEE international workshops on enabling technologies: infrastructure for collaborative enterprises (WETICE); 2002. p. 139–44.
Srinivasan A, Wu J. A novel k-parent flooding tree for secure and reliable broadcasting in sensor networks. In: IEEE international conference on communications; 2007. p. 1497–502.
Srinivasan A, Wu J. Secure and reliable broadcasting in wireless sensor networks using multi-parent trees. Security and Communication Networks 2009;2(3):239–53.
Strehl A, Joydeep Ghosh RM. Impact of similarity measures on web-page clustering. In: Proceedings of the 17th national conference on artificial intelligence: workshop of artificial intelligence for web search (AAAI 2000), Austin, Texas, USA, 2000. p. 58–64.
Sun YL, Han Z, Yu W, Liu KJR. A trust evaluation framework in distributed networks: vulnerability analysis and defense against attacks. In: IEEE INFOCOM, Barcelona, Spain, 2006. p. 1–13.
Tafreschi O, Maler D, Fengel J, Rebstock M, Eckert C. A reputation system for electronic negotiations. Computer Standards and Interfaces 2008;30(6):351–60.
Tanachaiwiwat S, Dave P, Bhindwale R, Helmy A. Location-centric isolation of misbehavior and trust routing in energy-constrained sensor networks. In: IEEE workshop on energy-efficient wireless communications and networks (EWCN), in conjunction with IEEE international conference on performance, computing, and communications (IPCCC), Phoenix, Arizona, 2004.
Teacy W, Jennings N, Rogers A, Luck M. A hierarchical Bayesian trust model based on reputation and group behaviour. In: Proceedings of the sixth European workshop on multi-agent systems, Bath, UK, 2008.
Xiao B, Yu B. Detecting selective forwarding attacks in wireless sensor networks. In: Proceedings of the 20th international parallel and distributed processing symposium (IPDPS); 2006. p. 1–8.
Xiao B, Yu B, Gao C. CHEMAS: identify suspect nodes in selective forwarding attacks. Journal of Parallel and Distributed Computing 2007a;67(11):1218–30.
Xiao X, Peng W, Hung C, Lee W. Using SensorRanks for in-network detection of faulty readings in wireless sensor networks. In: Proceedings of the sixth ACM workshop on data engineering for wireless and mobile access (MobiDE'07), Beijing, China, 2007b.
Yang Y, Feng Q, Sun YL, Dai Y. RepTrap: a novel attack on feedback-based reputation systems. In: Proceedings of the international conference on security and privacy in communication networks (SecureComm'08), Istanbul, Turkey, 2008.
Yu Y, Govindan R, Estrin D. Geographical and energy aware routing: a recursive data dissemination protocol for wireless sensor networks. Technical Report UCLA-CSD TR-01-0023, UCLA Computer Science Department, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.21.8533; 2001.
Zhou M, Dresner M, Windle R. Online reputation systems: design and strategic practices. Decision Support Systems 2008;44(4):785–97.
Ziegler C-N, Golbeck J. Investigating interactions of trust and interest similarity. Decision Support Systems 2007;43(2):460–75.