The benefits of indirect trust information exchange for supporting
mobility in Wireless Sensor Networks
H.C. Leligou, P. Trakadas, T. Zahariadis, P. Karkazis, S. Voliotis
Dept. of Electrical Engineering, TEI of Chalkis, Psahna, Greece
E-mail: {Leligou, trakadasp, zahariad, karpa, svoliotis}@teihal.gr
Abstract
Security is an inherent vulnerability of wireless communications which is further aggravated in Wireless Sensor
Networks due to the low computational and memory resources of the involved nodes. Moreover, the routing
procedure is accomplished in a cooperative manner in these systems assigning the role of router in all active
nodes. To protect against malicious behaviour, trust management systems have been proposed. Each node
monitors the behaviour of its neighbours before it decides which node to use for forwarding its packets. This
requires a number of interactions before each node decides about the trust-worthiness of its neighbours.
However, when nodes are moving, before they complete a sufficient number of interactions, they are found in a
different neighbours and any trust information built becomes obsolete and useless. In this case, the exchange of
trust information between nodes accelerates the process of trust build-up at the expense of node and network
resource consumption. In this paper, we present a novel trust –aware routing solution, which incorporates an
indirect trust exchange model to support mobility. The performance of the proposed solution for mobile WSNs is
investigated at the aid of computer simulations.
Keywords
Sensor networks, security attack, secure routing, trust model
1. Introduction
Wireless Sensor Networks (WSN) support a wide set of solutions in a great variety of
application domains such as military fields, urban surveillance, healthcare, homeland security,
industry control, intelligent green aircrafts, smart roads and others. As the number of installed
devices proliferates, their integration with other communication systems and applications is
currently pursued. However, before their successful integration, security issues have to be
efficiently addressed. Although security requirements in WSN are quite similar with those of
conventional networks (Giruka et al. 2008) (Karlof et al. 2007), the applicability of already
existing solutions designed for legacy networks is arguable, if possible at all, due to their
limited memory and computational resources as well as the limited available processing power.
A wide set of attacks address the routing procedure. For example, in the blackhole attack, a
node exhibits selfish behaviour and refuses to forward its neighbours traffic. The situation can
be further aggravated if it additionally advertises routes passing through it, alluring traffic. To
combat such behaviours, (Kannhavong et al. 2007) an approach borrowed from human
societies has been proposed: nodes establish trust relationships between each other and base
their routing decisions not only on geographical or pure routing information, but also on their
expectation (trust) that their neighbours will sincerely cooperate. In other words, a trust
management system is implemented. Trust is the confidence of a node ni that a node nj will
perform as expected i.e. on the node’s nj cooperation. To evaluate the trustworthiness of its
neighbours, a node monitors their behaviour (direct observations) but may also communicate
with other nodes to exchange their opinions. Depending on the distribution of the trust
establishment functionality in the network, the trust models can be distringuished in
centralized, hierarchical and distributed. The detection of an unexpected behaviour based only
on direct measurements and in a reliable way takes some time since an important number of
evidences are required. This procedure can be accelerated taking advantage of the neighbours’
experiences. In other words, each node (say node 1) may calculate its neighbour’s (for
example, node 3) trust value either based on its own observations (direct evidence) (Pirzada et
al. 2006) or combine it with information obtained from other nodes (for example nodes 2 and
5). The information provided by nodes 2 and 5 is called reputation or indirect evidence (Marias
et al. 2005). In this concept, every node can build a relation with its neighbours, based on the
collection of actions (events) performed by other nodes in the neighbourhood. Although the
indirect measurements could be simply considered as a component of the trust value, actually
they play a more significant role than that since the communication of this information
introduces the need for a specific protocol (new types of messages are exchanged, the
interaction protocol has to be defined, e.t.c.). It is worth stressing that the trust information
exchange can be exploited by adversaries to ruin the routing functionality of the network (Sun
et al. 2008). For example, a malicious node 5 can spread bad rumours for certain nodes (say 2
and 3) so that their neighbours do not use them for routing, forcing thus the traffic generated in
node 1 pass through 5.
In this paper, we present a trust-aware routing solution based on a geographical approach (to
support large WSNs) in section 2. Trust is built up in a distributed manner based on both direct
and indirect trust evidence. Our focus is on the performance for mobile WSNs which is
evaluated based on computer simulations. The results are presented in section 3 while final
conclusions are drawn in section 4.
2. The AWISSENET trust model
In the framework of the AWISSENET project, we have developed the Ambient Trust
Sensor Routing (ATSR) solution which is a location based routing approach that incorporates a
trust model suitable for large and mobile Wireless Sensor Networks (WSN). Our trust model is
flexible and thus applicable to a variety of sensor network architectures while it protects
against a wide set of attacks including those threatening the trust model itself as has been
supported by (Zahariadis et.al. 2009). The concept is to create on each sensor a trust repository
(Trust Table), which will maintain and handle trust and reputation information about each
neighbouring node. In the Trust Table values regarding a number of events is stored; based on
these values, an overall cost function is calculated and drives the selection of the forwarding
node.
The proposed trust model is a decentralized trust scheme, i.e. the trust management
functionality is distributed over the network nodes. Each node is responsible for computing its
own trust value per relation in the network, collecting events from direct relations, and
collecting trust values from other nodes in the network (in other words, reputations). This
means that both direct and indirect trust values are used to evaluate each node’s
trustworthiness. The indirect (second-hand) information is particularly useful when no or
limited direct interaction has been experienced. There is an inherent trade-off between
efficiency in using second-hand information and robustness against false ratings. Sharing
information makes the system vulnerable to false reports (bad-mouthing attack), but this
vulnerability can be alleviated by an intelligent reputation protocol, which rates the neighbours
providing also depending on the correctness of the provided reputations.
One of the most important aspects of trust management schemes is the process of data
collection. The direct trust value of a neighboring node can be determined by its multiattribute, time-varying trust value depending on a set of events. Therefore, it is essential to
point out, what type of data will be more relevant for these systems, and which are the events
that can provide a useful feedback to the system, towards the proper decision. Trading-off
security and implementation cost, we have selected a set of metrics which includes metrics that
reveal the cooperation willingness of the nodes both as regards routing and reputation
exchange. In more detail, the behaviour aspects to monitor are:
Packet forwarding: Since black-hole and grey-hole security attacks are very easy to
implement, to protect against these attacks a node should be evaluated regarding its willingness
and sincerity in the routing procedure cooperation. This can be checked either through
overhearing, or based on link layer acknowledgements. In the first case the power required for
the link layer acknowledgement transmission is saved, while the trust value of the node is
evaluated based on more important information, such as the actual forwarding of the message.
Network layer ACK. We also suggest that each node should check whether it receives the
network layer ACK from the Base Station, in order to make sure that the next hop node is not
colluding with another adversary in order to disrupt the network operation. This implies that
for every transmitted packet, the source node waits for a network ACK to check whether its
message has reached a higher layer node in the proposed architecture. If this checks completes
successfully, the trust of the node selected for forwarding the packet increases.
Authentication – Confidentiality – Integrity. A node can collect trust information about
neighbouring nodes during interactions regarding the proper use of the security measures
applied. For example, a node might use a mechanism to authenticate the message of a
neighbouring node or the base station. Furthermore, data integrity measures and confidentiality
measures (symmetric, public key or elliptic curve cryptography) can be applied for the
communication between neighbouring nodes. Consequently, the proper use of these security
mechanisms can be proved quite useful input events for trust value computation.
Reputation Scheme. To protect against attacks addressing the trust model (namely
badmouthing and conflicting behaviour attacks), the willingness and sincerity in the reputation
exchange protocol execution is monitored. In more detail, each node measures the ratio of
reputation responses received (within a predefined time interval) from each neighbour
triggered by a reputation request message. Hence, nodes replying to reputation request
messages are rated high due to their willingness to participate in the procedure. When a node
replies to messages outside the predefined time interval or does not reply at all, then this is a
reason of possible mistrust.
Reputation Validation: A second check regards the validity of the provided reputation and
targets the detection of conflicting behaviours, i.e. when a node behaves differently to different
neighbours or in different time spans. When node 1 that issued the reputation request is
confident about a neighbour 2 (this is decided based on a confidence factor that will be detailed
later on), then the received values (e.g. from nodes 3 and 4 regarding node 2) are compared
with the direct trust value of node 1. If the difference is below a certain threshold, then nodes 3
and 4 are considered benign. Otherwise, they are considered bad-mouthers.
Remaining energy. To avoid the node with high trust value die out early, the node’s energy
can be regarded as a restrictive factor and decrease its trust value. The relevant value can travel
piggybacked in periodically exchanged beacon message and/or in every interaction (exchanged
packet). This way energy awareness becomes an inherent feature of the trust model and saves
the node from complex calculations which have been proposed in the literature in order to
deduce the remaining energy of the node.
Coming to the quantification of trust, for each trust metric except the remaining energy,
node A calculates a trust value regarding node B based on the following equation:
Ti A, B 
SiA, B
SiA, B  Fi A, B
(1)
where Si and Fi stand for the number of successful and failed co-operations respectively. As
regards the remaining energy, this is calculated as
TRE 
Vnow
(2)
V
initial
where Vnow and Vinitial stand for the remaining energy levels reported at the last and initial
message received.
To calculate the total direct trust value, all the trust values are summed up in a weighted
manner (Wi represents the significant of i-th trust metric) based on the following equation:
DT A, B  C A, B  ( Wi * Ti A, B )
(3)
Where C A, B is the confidence factor calculated as a function of the collected direct
measurements, which ranges between (0, 1) and increases with the number of interactions
towards 1.
The indirect trust (IT) information is important mainly for newly initialized nodes or recently
arrived nodes (in case of mobility). To trigger the indirect trust exchange process, each node
periodically issues a reputation request message. Since the reputation exchange is mainly
implemented to assist nodes with no or limited (direct) trust knowledge to reach a more
reliable conclusion for the trustworthiness of nodes they are interested in, a requested node
provides its opinion for its neighbors only if it is confident about the direct trust value it has
calculated. This is decided upon the so-called confidence factor C A, B of node A considering
node B.
As regards the indirect trust information, the received reputation values are used to calculate
an indirect trust value based on the following equation where we use as weighting factors the
relative direct trust value the current node has calculated for its neighbours.
IT A, B 
n
W ( DT
A, N j
) * DT
N j ,B
j 1
(4)
Where n is the number of neighbouring nodes that provided reputation responses to A, Nj
are the neighbouring nodes to A, DT
N j ,B
is node’s Nj reputation value of node B and
is a weighting factor reflecting node’s A direct trust value of node Nj. Finally, the
total trust value is the outcome of a weighted sum of the direct and indirect trust information.
W ( DT
A, N j
)
TT A, B  C A, B *DT A, B  (1  C A, B ) *IT A, B
(5)
Where DT A, B is node’s A direct trust value of node B, C A, B is the confidence factor
reflecting node’s A confidence for node B, IT A, B is node’s A indirect trust value of node B.
Finally to decide the node that will be selected for forwarding, a distance metric is defined
and taken into account in the final routing cost function. The distance metric is quantified as
follows:
d
TdA, B  1  A
D
(6)
N
where dA is the Euclidean distance of neighbor A to the base station and D =  d l stands for
l
the sum of the distance of all its N neighbors to the base station, which can be calculated
based on their coordinates and the coordinates of the base station.
The distance metric and the total trust value (which has already incorporated the remaining
energy value) are summed up in a weighted manner and are used to calculate the Routing
Function ( RF i , j ):
RF i , j  Wd * Tdi , j  Wt * TT i , j
(7)
where W d , and Wt represent the significance of distance and trust criterion respectively with
W d + Wt =1. Based on this equation, a routing value for each neighbor is calculated and the
node that corresponds to the maximum value is selected for forwarding the packet as it
represents a good candidate satisfying an integrated set of requirements: trust, energy and
proximity to the destination.
3. Performance Results
The performance of the proposed trust management system has been evaluated through
computer simulations. The JSim platform (Hou 2005) has been used to model our approach
excluding the reputation scheme which allows us to focus on the energy and trust aware
routing approach.
In the first scenario set, our target is to investigate the impact of the indirect trust
information exchange protocol parameters on performance. This scenario is based on the
topology depicted in the following figure. It is a demanding scenario, in the sense that a node
will have to bypass a relatively large number of malicious nodes placed around the node
towards the destination. In the presented case this is node 22 which is started later than the
other nodes (thus acting as a “newcomer”) and attempts to communicate with node 99. In the
sequence we refer to phase 1 to the time span during which node 22 is inactive and phase 2,
after node’s 22 activation. Before node 22 is started, there are seven (7) data sessions, which
allows node’s 22 neighbours gather trust information about their neighbours. (All nodes are
placed in fixed positions). The seven data sessions pairs are: (1, 99), (2, 99), (10, 99), (20, 26),
(30, 36), (40, 46) and (22, 99). Apart from gray-hole malicious nodes, this scenario further
involves integrity malicious nodes.
The routing algorithm is ATSR, with weight for trust (Wt) equal to 0.6 and weight for
distance (Wd) equal to 0.4 in the routing cost function. The weight values used for the
calculation of direct trust are Wfr=0.4 for forwarding, Wack=0.2 for network
acknowledgement, and Wint=0.4 for integrity. To assess the benefits of exchanging trust
information and evaluate the impact of the reputation exchange frequency, we have run
simulations for the following cases:
 direct trust only (DT)
 indirect trust with a frequency of one repreq every three seconds (marked is IT3 scenario)
 indirect trust with a frequency of one repreq every three seconds and 4 bad-mouth
malicious nodes (nodes 3, 10, 30, 33) around node 22 (IT3-BM)
 indirect trust with a frequency of one repreq every five seconds (IT5)
n9
n19
n29
n39
n49
n59
n69
n79
n89
n99
n8
n18
n28
n38
n48
n58
n68
n78
n88
n98
n7
n17
n27
n37
n47
n57
n67
n77
n87
n97
n6
n5
n16
n15
n26
n25
n36
n35
n46
n45
n56
n55
n66
n65
n76
n75
n86
n85
n96
nxx
Nodes that participate in sessions
nxx
Black Holes
nxx
Gray Holes
nxx
Integrity Holes
nxx
Bad - mouth nodes
n95
n4
n14
n24
n34
n44
n54
n64
n74
n84
n94
n3
n13
n23
n33
n43
n53
n63
n73
n83
n93
n2
n12
n22
n32
n42
n52
n62
n72
n82
n92
n1
n11
n21
n31
n41
n51
n61
n71
n81
n91
n0
n10
n20
n30
n40
n50
n60
n70
n80
n90
Figure 1: Topology assumed for scenario 1
The results are presented in the table 1. The delivery ratio for the session initiated by node 22
towards node 99 improves from 94% to 98% when the indirect trust exchange mechanism is
activated. A small (positive) difference is observed when bad-mouthing attacks are issued,
proving that the designed trust model efficiently mitigates bad-mouthing attacks. When the
frequency of indirect trust message exchange becomes larger (e.g. 5ms), the delivery ration is
identical to the case when no indirect trust information is exchanged. This happens because
node 22 has not gather indirect trust information before it transmits the first messages, thus it
does not gain any advantage of the already gathered trust information. This indicates that for
any newcomer to exploit the trust experience collected from its neighbours, the frequency of
trust information exchange should be shorter than or equal to the data exchange frequency. As
regards the mean packet latency, rather small differences are observed.
Scenario
DT
IT3
IT3-BM
IT5
Delivery
ratio
94
98
99.7
94
Mean packet
latency (ms)
12.478
12.586
13.201
12.553
GH
Phase 1
57
55
61
48
GH
Phase 2
10
3
2
8
beacon
msgs
82279
82009
82326
82220
repreq
msgs
0
54760
54759
32853
repres
mesgs
0
193503
192978
115830
Table 1: Results for scenario 1 (fixed nodes positions, node 22 acting as newcomer)
Comparing the greyhole (GH) attacks measured in phase 1 to the GH attacks in phase 2, it is
evident that node 22 experiences a very low number of attacks when indirect trust is
exchanged, also proving that in this case it has gather trust knowledge from its neighbours and
has thus avoided cooperation with malicious nodes. Finally, the last three columns of the table
indicate the number of exchanged messages which can be directly translated in energy
consumption. This is almost tripled for the case with indirect trust exchange activated,
prompting the researchers to other ways of exchanging this information (e.g. piggy-backing).
In a second scenario, we assume that all nodes, apart from the four nodes that participate in
data sessions, are moving. The mobility model used is the implemented by the J-Sim
simulation platform “Random Waypoint Mobility Model”, with a mobility speed of 0.5.
A grid of 100 sensor nodes (10x10) is assumed and two data sessions transferring data
packets, which are: n0n99 and n9n90 (these four nodes are placed at the four corners of the
grid). Both data sessions transfer packets of 31 bytes to their respective destination, with a
frequency of one packet every two seconds. Both sessions start at simulation time T1=10 sec,
plus a small margin in order to be desynchronized.
The scenario is run with a different number of malicious nodes, in order to investigate how
the protocol can react to an increasing number of malicious nodes existing in the network.
The scenarios employ 0, 10, 20, 30, 40, and 50 nodes acting as malicious nodes. The latter are
set randomly and include grey-hole, integrity, authentication, and confidentiality attacks.
The routing algorithms employed are the GPSR, which is a routing protocol based only in
geographical information (Karp 2000), as well as ATSR with weight for trust (Wt) equal to
0.6 and weight for distance (Wd) equal to 0.4. The weight values used for the calculation of
direct trust, in the ATSR case, Wfr=0.2, Wack=0.1, Wint=0.2, Wrepres=0.2 and
Wenergy=0.3.
16
60
14
packet loss ratio
50
40
GPSR
ATSR
30
20
10
mean packet latency (msec)
70
12
10
GPSR
8
ATSR
6
4
2
0
0
0
10
20
30
# malicious nodes
40
50
0
10
20
30
40
50
# malicious nodes
Figure 2: a) Packet loss ratio for GPSR and ATSR and b) Mean packet latency in msec
for GPSR and ATSR
Packet loss for the ATSR is graphically depicted in Figure 2, where the results for the non
trust-aware GPSR algorithm are included. From this figure, we notice that ATSR outperforms
GPSR in all cases. An interesting observation is that in both cases packet loss occurs even
with no malicious node present in the network, probably due to the fact that mobility results in
frequent recalculation of the neighboring node list, or due to collisions with beacons
exchanged now more frequently. So, the relatively large number of packet loss for ATSR is
due to mobility and not because of inability to bypass malicious nodes. Moreover, the
difference between ATSR and GPSR is now less evident, since GPSR achieves to find some
good paths to the destination, depending on the random mobility patterns of the intermediate
nodes.
Mean packet latency is graphically depicted in the right hand figure of figure 2. It is expected
that ATSR results in higher mean packet latency in all cases, especially when the number of
malicious nodes increases, since it finds alternative but “longer” (i.e. involving more
intermediate nodes) paths to the destination. Additionally, the latency calculated for GPSR is
averaged over those packets that manage to reach their destination, i.e. over a significantly
lower number of packets since more than 50% of the packets never reach their destination for
50 malicious nodes when GPSR is adopted.
4. Conclusions
The main conclusion is that the indirect trust mechanism always helps newcomer nodes to
find a trusted path to the destination in less time compared to relying only on the direct trust
calculation, resulting in a larger number of successfully delivered packets to destination. This
is particularly true in the case that there are a large number of malicious nodes around the
newcomer towards the destination node. The effect on nodes that commence at the same time
is negligible, while most times direct trust calculation gives slightly better results for such
nodes, apart from very specific topologies. The main drawback of the solution is the increase
in energy consumption which is caused by the exchange and processing of the reputation and
request messages. The trade-off between performance gain and energy consumption is a very
important factor that should be considered before enabling the indirect trust mechanism. One
suggestion to decrease energy consumption is to prevent one node from sending reputation
request messages after some operational time, or after it has gained enough confidence.
ACKNOWLEDGMENT
The work presented in this paper was partially supported by the EU-funded FP7 211998
AWISSENET project.
5. References
C. Giruka, M. Singhal, J. Royalty, S. Varanasi, Security in wireless sensor networks, Wireless Communications
Mob. Comput. (2008); 8:1–24.
J-Sim official web site (2005), “J-Sim Official”, NSF DARPA/IPTO, MURI/AFOSR, Cisco Systems, Inc., Ohio
State University,University of Illinois at Urbana-Champaign, < http://sites.google.com/site/jsimofficial/>
(Accessed Sept. 2008)
B. Kannhavong, H. Nakayama, Y. Nemoto N. Kato, A. Jamalipour (2007), A survey of routing attacks in mobile
ad hoc networks, IEEE Wireless Communications, pp. 85-91.
C. Karlof. D. Wagner (2003), “Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures”,
Proceedings of the IEEE International Workshop on Sensor Network Protocols and Applications, pp. 113-127
B. Karp, H. T. Kung (2000), GPSR: “Greedy Perimeter Stateless Routing for Wireless Networks”, MobiCom.
G. Marias, V. Tsetsos, O. Sekkas, P. Georgiadis (2005) “Performance evaluation of a self-evolving trust building
framework”, Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in
Communication Networks
A.A. Pirzada and C. McDonald (2006), “Trust Establishment In Pure Ad-hoc Networks”, Wireless Personal
Communications Vol. 37, pp: 139–163
Y.Sun, Z. Han, K. Liu (2008), “Defense of Trust Management Vulnerabilities in Distributed Networks”, IEEE
Communications Magazine, Vol. 25, No.2, pp. 112-119.
T. Zahariadis, P. Trakadas, S. Maniatis, P. Karkazis, H. C. Leligou, S. Voliotis (2009), “Efficient detection of
routing attacks in Wireless Sensor Network”, 16th International Workshop on Systems, Signals and Image
Processing, Chalkida, Greece, 10.1109/IWSSIP.2009.5367775.