* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Trust management in wireless sensor networks
Wireless security wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
IEEE 802.1aq wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Distributed operating system wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Airborne Networking wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
EUROPEAN TRANSACTIONS ON TELECOMMUNICATIONS Eur. Trans. Telecomms. 2010; 21:386–395 Published online 8 April 2010 in Wiley InterScience (www.interscience.wiley.com) DOI: 10.1002/ett.1413 Mobile Networks Trust management in wireless sensor networks Theodore Zahariadis1 , Helen C. Leligou1 ∗ , Panagiotis Trakadas2 and Stamatis Voliotis1 1 Department 2 Hellenic of Electrical Engineering, Technological Educational Institute of Chalkida, Psahna, 34400 Evia, Greece Authority for Communications Security and Privacy (ADAE), Ierou Lochou 3, Maroussi, 15124, Athens, Greece SUMMARY The range of applications of wireless sensor networks is so wide that it tends to invade our every day life. In the future, a sensor network will survey our health, our home, the roads we follow, the office or the industry we work in or even the aircrafts we use, in an attempt to enhance our safety. However, the wireless sensor networks themselves are prone to security attacks. The list of security attacks, although already very long, continues to augment impeding the expansion of these networks. The trust management schemes consist of a powerful tool for the detection of unexpected node behaviours (either faulty or malicious). Once misbehaving nodes are detected, their neighbours can use this information to avoid cooperating with them, either for data forwarding, data aggregation or any other cooperative function. A variety of trust models which follow different directions regarding the distribution of measurement functionality, the monitored behaviours and the way measurements are used to calculate/define the node’s trustworthiness has been presented in the literature. In this paper, we survey trust models in an attempt to explore the interplay among the implementation requirements, the resource consumption and the achieved security. Our goal is to draw guidelines for the design of deployable trust model designs with respect to the available node and network capabilities and application peculiarities. Copyright © 2010 John Wiley & Sons, Ltd. 1. INTRODUCTION Wireless Sensor Networks (WSN) offer efficient solutions in a great variety of application domains such as military fields, healthcare, homeland security, industry control, intelligent green aircrafts and smart roads. Security plays a vital role in all of them and foremost for military and surveillance cases. It can be interpreted in a list of security requirements which include node verification, user authorisation, data confidentiality, data integrity and freshness, privacy, secure localisation and trusted resource allocation. Although security requirements in WSN are quite similar with those of conventional networks, the applicability of already existing solutions designed for legacy networks is arguable, if possible at all, due to their specific characteristics. First, sensor networks are highly application oriented and as such, various applications bring diverse security needs. Second and more important, the sensor nodes have limited communication bandwidth, processing resources, memory space and battery capacity. So, the realisation cost of security functions executed on every single node should be well considered and carefully traded off with the possible achievements. Third, as WSNs can be established without any existing infrastructure, which is a major feature exploited in most applications, they rely on the mutual cooperation among nodes to route traffic towards the sink. (Typical sensor network architecture is shown in Figure 1, where it is also shown that multiple sensory networks may be connected through an IP network.) Each node is expected to act as a router in order to forward traffic generated by its neighbours, exactly as they will do in their turn. However, this operation can be falsified by an adversary. Several widely known attacks target the routing operation, since destroying it can lead to the network’s collapse. * Correspondence to: Helen C. Leligou, Department of Electrical Engineering, Technological Educational Institute of Chalkida, Psahna, 34400 Evia, Greece. E-mail: [email protected] Copyright © 2010 John Wiley & Sons, Ltd. Received 23 September 2008 Revised 9 January 2010 Accepted 27 January 2010 TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS The security threats that a large wireless network faces form a long list [1–3], since the wireless media allows for easy eavesdropping of information and false data injection in the network. Most proposals available in the literature try to secure these networks using traditional security techniques, to achieve confidentiality, integrity and authentication. For example, encryption is a powerful technique against data privacy attack while authentication is a well-established solution to the Sybil attack. However, the implementation of such security measures comes at a high cost since it requires significant memory and processing resources increasing at the same time the power consumption [4]. Focusing on routing attacks, a malicious node may refuse to forward all or part of the received traffic towards the destination (issuing a black-hole or grey-hole attack) exhibiting selfish behaviour. This attack may be combined with modification/falsification of the routing message in an attempt to allure traffic and then drop it. To combat such behaviours, an approach borrowed from human societies has been proposed: nodes establish trust relationships between each other and base their routing decisions not only on geographical or pure routing information, but also on their expectation (trust) that their neighbours will sincerely cooperate. Trust is the confidence of a node si that a node sj will perform as expected, i.e. on the node’s sj cooperation. To evaluate the trustworthiness of its neighbours, a node not only monitors their behaviour (direct observations) but may also communicate with other nodes to exchange their opinions. The methods for obtaining trust information and defining each node’s trustworthiness are referred to as trust models. A trust model is mostly used not only for higher layer decisions such as routing [5, 6] and data aggregation [7], but also cluster head election [8] and, more surprisingly, for key distribution [9]. Its aim is to improve security and thus increase the throughput, the lifetime and the resilience of a sensor network. Although a lot of research work has been spent in the design of trust models, their implementation has attracted nearly no attention. In most cases this is due to the fact that the relevant implementation requirements are not met by current sensor nodes specifications. In this paper, we investigate already proposed trust models and analyse their advantages and disadvantages. Our target is to draw useful guidelines for the design of trust models that can be implemented in real-life applications. The rest of the paper is organised as follows. In Section 2 we concentrate on the trust information collection and we categorise trust models based on certain design criteria Copyright © 2010 John Wiley & Sons, Ltd. 387 while in Section 3 we focus on the trust metrics, i.e. the behaviours each node monitors in order to quantify trust. Next, in Section 4, we explore the implications of the presented trust model design options while conclusions are finally drawn in Section 5. 2. TRUST MODELS According to Reference [10], a trust model is a definition of entities, trust values, trust subject-matter, direct trust, indirect trust and trust roots. Entities are the subject objects of trust relationships, a trust value is some measure or quantification assigned by a local entity to its belief in the trustworthiness of another entity and trust is subject-matter specific, i.e. related to a specific function. Direct trust is some entity’s independent belief in the trustworthiness of another entity and is in general, not symmetric, while a recommendation (also called reputation in some works) is a statement of direct trust about a remote entity made by an intermediate entity. Trust roots, also called seeds of trust, are the positive assumptions about specific entities made by all entities in some community. A set of options arise during the design of a trust model, which also allow for different classifications [11]. Depending on the distribution of the trust establishment functionality in the network, i.e. on the node that decides–calculates the trust value of every network node, the trust models can be distinguished in centralised, hierarchical and distributed. In the centralised case, (an example of which can be found in Reference [12]), a (head) node undertakes the responsibility to decide the nodes’ trustworthiness, based either on trust data it has collected on its own, or on trust data received by all or specific nodes in the network. This head node is considered to be trusted and announces the calculated trust values back to the network nodes, so that they use it to make their decisions. The advantage is that there is no need to implement on every node the trust evaluation functionality. However, this comes at the cost of extra energy consumption since the trust information has to be disseminated in the network. Another important drawback of this approach is that the single trusted node represents a single point of failure. Once this is compromised, the routing operation in the whole network can be ruined. To enhance performance and economise resources such as transmission power and bandwidth, dense sensor networks are divided in groups/clusters [7] and one Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett 388 T. ZAHARIADIS ET AL. Figure 1. Aggregator nodes (ANs) collect data from the sensor nodes (si ) and communicate with application nodes (AP) which provide the desired services. In hierarchically structured sensory network, sensors are organised in clusters and one sensor in each cluster plays the role of cluster head. (or more) node(s) in each cluster undertakes special responsibilities, such as data aggregation, forwarding and trust calculation forming this way a hierarchical architecture [13]. Although algorithms to split the network in clusters based either on location or application criteria exist (e.g. LEACH), since the cluster heads play a more important role they have to be elected taking also into account their trustworthiness. In Reference [8], a trustaware scheme for cluster head election is proposed: the current cluster head undertakes the responsibility to gather trust information from the nodes of the cluster and decides the next cluster head after having authenticated it. An alternative approach for building trust in hierarchically structured dense sensor networks suggests that every node (including the aggregator and cluster head) is under surveillance of all its neighbours and all nodes evaluate the trustworthiness of their neighbours, forming a distributed trust architecture. The aggregator nodes in each cluster evaluate the trustworthiness of their source nodes; the cluster head evaluates the trustworthiness of each aggregator; and the source nodes overhear the aggregator’s transmission to evaluate the trustworthiness of the aggregator. When this falls below a certain threshold, a new aggregator can be chosen/elected [14]. This way the network will survive even if the aggregator nodes are compromised at the penalty of functionality implemented and running in all network nodes. Thus, all network nodes Copyright © 2010 John Wiley & Sons, Ltd. participate in the trust evaluation process playing a different role. This approach is also followed in References [15] and [16] where a three-tier network architecture (sensor nodes, cluster head, base station/command node) is considered. All nodes evaluate the trust of the cluster head and the relevant value is reported in the base station. Finally, in a fully distributed trust model, like the one presented in Reference [17], each node monitors the behaviour of its neighbours and based on the collected measurements, it calculates their trustworthiness, which is then taken into account when routing decisions are made. In this case, the trust establishment functionality is uniformly distributed all over the network, and so does the implementation cost. The advantage is that there are no ‘single points of failure’ in the network which comes at the expense of trust evaluation logic implemented in all network nodes. The detection of an unexpected behaviour based only on direct measurements and in a reliable way takes some time since an important number of evidence (measurements) are required. This effect becomes more important when considering mobile sensor nodes: each time they move to another neighbourhood, they need to perform a number of interactions with their (new) neighbours in order to evaluate their trustworthiness. This procedure can be accelerated taking advantage of the neighbours’ experience, and this represents an important Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS design option. In other words, each node (say s1 in Figure 1) may calculate its neighbour’s (for example, node s3 ) trust value based on its own observations (direct evidence) combining it with information obtained from other nodes (for example nodes s2 , s5 ). The information provided by s2 and s5 is called reputation and represents indirect evidence [18]. The reputation of a node regarding a specific function (e.g. forwarding) can be expressed as follows: Reputation = {NodeId, Function, Trust Value} where the ‘function’ is the trust subject-matter. In this concept, every node can build a relation with its neighbours, based on the collection of actions (events) performed by other nodes in the neighbourhood. The trust value that each node calculates can thus be based both on direct observations and on indirect trust information collected from its neighbours. The exchange of indirect trust information introduces the need for implementing a new protocol causing an overhead increase which can reach 60% [18]. To limit the cost of implementing a reputation scheme, different approaches have been pursued, increasing the design options portfolio: • The reputations are not flooded but instead limited or directed flooding is used [19]. In limited flooding, the reputation reaches nodes up to a fixed number (say 2) of hops far from the reputation source, while in directed flooding the reputation is announced to the nodes appearing in the path used by the reputation requestor. In Reference [20], the reputation messages reach only the one-hop neighbours. It is worth pointing out that this design option is coupled with the adopted routing protocol. For example, if source routing is adopted, then the trust of the whole path should be evaluated. In this case, the routing messages can be used for the dissemination of trust information. In contrast, in location-based routing protocols, where each node defines only the next hop, there is no reason to disseminate the trust information further than one-hop neighbours. • Only positive (or negative) information is shared. When only positive information is shared, since nodes learn only from their own experience about a malicious node, colluding malicious nodes can extend each other’s survival time through false praise reports. CORE—Collaborative Reputation Mechanism (presented in Reference [21]) is an example of a trust Copyright © 2010 John Wiley & Sons, Ltd. 389 management scheme using only positive information. Similarly, sharing only negative information prevents the false praise attack mentioned above, but in this case malicious nodes can launch a bad-mouth attack on benign nodes (see Reference [22]). To avoid the risks introduced by sharing only positive (or only negative) trust information, sharing all types of trust information presents an attractive solution. • Exactly as happens with proactive versus reactive routing protocols, trust computation can be done in a proactive or reactive fashion. In reactive trust models, each node computes the trust value of a neighbouring node or of the entire path, only when explicitly needed. On the other hand, in proactive trust establishment, the node maintains a table containing already computed trusted routes. Applying this technique, the trust-aware decision can be made without delay, but resources are consumed for the trust table maintenance, even when there is no data to route. When the trust information is exchanged only upon request, then transmission power is economised at the cost of additional delay. The design option that best fits the application should be chosen each time, i.e. in case the application generates heavy data streams or periodically senses the environment, proactive trust evaluation leads to better results in terms of delay and energy consumption. It is worth stressing that the trust information exchange can be exploited by adversaries to ruin the routing functionality of the network. Attacks addressing exactly the trust models have appeared in the literature [23]. For example, a malicious node s5 can spread bad rumours for certain nodes (say s3 and s2 ) so that their neighbours do not use them for routing, forcing thus the traffic generated in s1 pass through s5 . Another way to mislead the neighbours is the so-called on–off attack: a node performs well for a time period so that its neighbours consider it as trusted while it starts malfunctioning later on. Another attack is the conflicting behaviour where a node behaves differently towards different neighbours, in an attempt to cheat the trust model. Summing up, the trust model design options include the distribution of the functionality, the use of direct and/or indirect trust values, the reputation exchange protocol (reactive, proactive, periodic), the type of trust values exchanged (positive vs. negative). It should be noted that once the trust of each neighbour has been evaluated, the way this is taken into account when a neighbour has to be selected for cooperation (e.g. routing) falls outside the definition of the trust scheme itself. Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett 390 T. ZAHARIADIS ET AL. 3. TRUST EVALUATION To evaluate the trustworthiness of a node, its behaviour is monitored and then quantified. In the sequence, we first discuss the behaviour aspects that can be monitored and then we discuss how a trust value can be reached. 3.1. Trust metrics To evaluate the trustworthiness of a sensor node, multiple aspects of its behaviour can be monitored. Each of them aims at detecting a specific type of attack. For example, each time node s1 selects node s3 for forwarding its packet it enters the promiscuous mode in order to check whether node s3 successfully forwarded it. After a number of cooperations, comparing the successfully forwarded packets to the number of packet s1 sent to s3 , the source node (node s1 ) can assess the sincere execution of the routing protocol while a systematic failure reveals a selfish and/or malicious node acting as a black hole. Similarly, measuring the packets correctly forwarded without being modified, nodes issuing modification attacks can be detected. A list of behaviours that can be monitored is provided in Table 1 and is associated with the attack it can reveal. Both the direct and indirect measurements may address more than one node behaviours (e.g. forwarding and availability). Examining the above behaviour list, it is obvious that the required processing to decide whether a data message has been actually forwarded is less than the processing required to check the message precision and significantly less than the processing required to decide on the consistency of the reported data. Furthermore, the monitoring of neighbours’ behaviour apart from processing resources consumes power and thus shortens the nodes’ lifetime. While this drawback is of minor importance for devices such as PDAs, it becomes more significant for tiny sensor nodes with limited resources. For this reason, in most research efforts a subset of the above trust metrics are adopted. The choice depends on the target application environment as well as on the sensor node capabilities. 3.2. Trust evaluation For each monitored behaviour, a trust value can be derived based on the collected measurements: each interaction is marked either as a success or as a failure. The measurements are then used to decide the trustworthiness of a node which can be expressed either • As a trust level among a limited set of supported levels (e.g. medium, high, low) as proposed in Reference [18], or • As the success ratio (successful interactions divided by the total number of interactions) ranging from [0,1] (see Reference [12]) or • As a trust value reflecting the difference between the successfully accomplished and failed interactions, ranging from [−1, 1], (as proposed in Reference [17]). Table 1. Monitoring the behaviour of the neighbours, a wide set of attacks can be detected. Trust metric Monitored behaviour Attack addressed 1 Data packets forwarded Data message/packet forwarding 2 3 4 Control packets forwarded Data packet precision Control packet precision Control message forwarding Data integrity Control packet integrity 5 Availability based on beacon/hello messages Packet address modified Cryptography Routing protocol execution Battery/lifetime Consistency of reported values/data Sensing communication Reputation Timely transmission of periodic routing information reporting link/node availability Address of forwarded packets Capability to perform encryption Routing protocol specific actions (reaction to specific routing messages) Remaining power resources Consistency of sensing results, reported values (e.g. energy, humidity) Reporting of events (application specific) Trust value observed by third parties Black-hole, sinkhole, selective forwarding, denial of service, selfish behaviour Control/routing message dropping Data message modification Sybil, and any attack based on routing protocol message modification Passive eavesdropping, selfish node 6 7 8 9 10 11 12 Copyright © 2010 John Wiley & Sons, Ltd. Sybil, wormhole Authentication attacks Misbehaviours related to specific routing protocol actions Node availability Compromised nodes Selfish node behaviour at application level Bad mouthing attack Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS A generalised approach is to use the following equation for the calculation of trust. TiA,B = ai SiA,B − bi FiA,B ci SiA,B + di FiA,B where TiA,B is node’s A Trust value regarding node B,SiA,B is the number of successful type i events that A has measured for B,FiA,B is the number of failed type i events that A has measured for B and ai , bi , ci and di , represent the weight/significance of a successful versus the weight/significance of the failed events. Based on this equation, a trust value TiA,B is calculated for each monitored behaviour. These behaviour-related trust values are then multiplied by a weight factor (Wi ) reflecting their importance in security hierarchy and then summed up to form the overall node trustworthiness, as in the following equation. DT A,B = k Wi ∗ TiA,B i=1 In general, direct observations are considered more important than indirect trust information, while indirect information becomes important for newly activated nodes which have limited experience on the cooperation willingness of their neighbours. Special care is paid to the handling of old versus recent observation values in some works. For example, in Reference [18], it is proposed to keep the outcome of the n latest interactions in a vector instead of summing up the successful and failed co-operations. Each of the n bits of the vector is equal to ‘1’ (for successfully completed interactions) or ‘0’ for failed ones. Each time a new cooperation has been completed, the new outcome is appended to the vector and the oldest value is shifted out. Then, a new trust value is calculated based on the newly formed vector. The width of the vector is directly related to the observation window. To reduce the influence of sporadic misbehaviour in the evaluation of the trust value, the authors in Reference [21] provide more relevance to past observations through a time dependent function based on which the direct trust value is defined. Assigning higher weight factor to old measurements allows for smoother evolution of trust values [21] while lower weights allow for faster detection of misbehaviours [18]. In Reference [24], the notion of the ‘aging factor’ is introduced and the trust Copyright © 2010 John Wiley & Sons, Ltd. 391 values are calculated as T = γTnew + (1 − γ)Told where γ stands for the weight assigned to the recently calculated trust value Tnew , and Told is the previously defined trust value. In Reference [25], the weight factor γ changes dynamically depending on the relation between Tnew , and Told . In more detail, it increases when the difference Tnew − Told increases. The main drawback of these approaches is that they introduce complexity in the calculation of trust. Another approach also explored in the literature adopts a probabilistic model for the trust evaluation. In Reference [24], the trust is calculated as the expectation that a new cooperation will be successfully completed given that the past observations are as recorded applying the Bayes theorem and the Beta distribution on the obtained measurements. In Reference [26], the output of the trust mechanism is a trust value and a confidence interval around this value based on direct and indirect experiences of sensor node behaviour. Statistical values are used both in initial evaluation of experience records as well as the collected experiences by third parties. 4. ASSESSMENT To efficiently address security in wireless sensor networks, the use of a suitably designed trust management system is required. In Reference [17], the throughput is shown to increase by 20% for 40% of nodes acting maliciously due to the realisation of a trust establishment scheme. Unfortunately, a direct quantitative comparison of the effectiveness of the trust models is not possible because it depends on a variety of design options including the adopted routing protocol. It also depends on how the trust value is used during the routing decisions, which is outside the scope of the trust model design. Namely, once the node trust value has been defined, the possible responses to this information vary. ‘Positive response’ represents the preference for a node to cooperate with the neighbour with the highest trust value [17]. The disadvantage of this choice is poor load balancing which leads to the exhaustion of highly trusted nodes. To overcome this drawback, in Reference [27], it is proposed to mark every packet with a trust threshold and route it along paths traversing nodes exceeding this threshold. In Reference [25], a trust threshold is defined to characterise malicious nodes and either stop any interaction Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett 392 T. ZAHARIADIS ET AL. with them or just stop using them for forwarding. However, this introduces the need for defining a trust threshold which depends on the application run over the WSN and may also result in poor connectivity when nodes exceeding this threshold do not exist in the network. So, to decide the trust threshold the desired/required security level has to be balanced to possible blocking of nodes in the network. For all these reasons, a qualitative assessment of trust model design options follows in an attempt to provide useful guidelines for designing an efficient and deployable trust model. 4.1. Distribution of monitoring functionality The distribution of monitoring functionality affects the resource consumption in terms of energy and communication bandwidth as well as the node requirements in terms of processing and memory. The implementation of a fully distributed trust model implies that all nodes have similar capabilities and resource consumption. In an attempt to reduce the node requirements, the monitoring of neighbours’ behaviour can be assigned to selected nodes, which can be the cluster heads or (preferably) nodes with higher battery capacity or even constant power supply (as suggested in Reference [25]). Although this approach elongates the network lifetime, the monitoring nodes represent ‘single points of failure’, i.e. if such a node is compromised, the impact on the overall network operation will be more evident. Additionally, the communication of the trust information to nodes which do not possess the monitoring functionality increases the bandwidth requirements and the energy consumption. In contrast, if all nodes calculate the trust values of their neighbours then they all have identical processing requirements and the trust management functionality is uniformly distributed. The case where all nodes calculate the trust value and also exchange trust related information (i.e. a reputation scheme is realised) is the most resource demanding case, both for the node and the network. This approach can be justified only when node mobility has to be supported or the robustness in trust calculation offered by the reputation scheme is considered mandatory. This can be the case in applications with very high security requirements. In any case, the choice of direct measurements is the absolute minimum to perform trust evaluation. 4.2. Trust value components Focusing on the node requirements for trust model implementation, these depend on the number of monitored Copyright © 2010 John Wiley & Sons, Ltd. behaviours (from the list appearing in Table 1), on the way the trust value is calculated as well as on the adoption (or not) of any reputation scheme. Starting from the memory requirements, the measurements (success and failures) for each monitored behaviour are maintained in two counters. As the set of employed metrics becomes larger, the required memory space increases linearly. As regards the processing requirements, these depend on the type of the monitored behaviour and the realisation or not of any reputation scheme. For example, monitoring the ‘data packet forwarded’ behaviour is less demanding than the ‘data integrity’ check since the latter requires more complex packet processing. More demanding than both is the monitoring of the ‘reported data consistency’ which requires the execution of application-specific logic. Once the measurements related to the monitored behaviours have been collected, the way trust value is calculated also affects the processing cost. Multiplications and divisions come at higher implementation cost than classification to fixed trust levels. In this respect, calculating the trust as the success ratio relaxes the processing task compared to the case where the aging factor is adopted. The handling of older values (denoted as history in the table) increases both the memory and the processing requirements since the relevant equation is more complex than a simple division [10]. Finally, the implementation of a reputation scheme significantly impacts the processing requirements since it mandates the implementation of an additional protocol state machine and the generation, transmission, reception and processing of the corresponding messages, strongly increasing processing, memory and energy requirements. 4.3. Implementation of reputation-based schemes Systems based only on direct interactions, although completely robust against rumour spreading, have some serious drawbacks: the time required by the network nodes to build reputation is high, and it takes longer for reputation to decrease, allowing malicious nodes to stay in the system longer. On the contrary, the use of second-hand (reputation) information has many benefits: the reputation of nodes builds up more quickly, due to the ability of nodes to learn from each others’ experience and trust value will be more stable over time. However, the use of recommendations to evaluate a node’s trust value necessitates the implementation of a reputation exchange protocol. This exchange severely burdens the processing load of each sensor and leads to bandwidth and transmission energy consumption. The introduced overhead depends on the implemented reputation protocol Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS and more precisely it depends on the re-active or proactive way of reputation exchange as well as on the set of nodes this information is communicated to. In case sensed data are rarely exchanged, the reactive approach results in lower overhead per generated data unit; otherwise, proactively establishing and updating trust information is more efficient. An approach which can reduce the consumed energy and bandwidth is to piggyback this information in routing messages, thus reducing the frequency of reputation exchange using dedicated messages. For these reasons, the introduced overhead varies, for example an overhead of 20% is reported in Reference [10], while 60% is reported in Reference [18]. To conclude, there is an interplay among the node capabilities (processing, memory and communication bandwidth), the resource consumption (node energy and network bandwidth) and the achieved security. To evaluate the implementation requirements of a trust model, we have designed the trust model (presented in Reference [28]) which calculates the direct trust based on four monitored behaviours (forwarding, network acknowledgment, integrity and authentication) and also incorporates a reputation exchange scheme under which nodes periodically exchange reputation information with their one hop neighbours. The results for its implementation in MicaZ, IRIS [29] sensor nodes showed that 35 kb of ROM and about 4 kb of RAM were occupied. 5. CONCLUSIONS In the unmanaged environment of WSNs, trusting the neighbour for forwarding the traffic, for aggregating the sensed values or for performing any other function is not a wise option. Cryptography and strong authentication schemes are not a panacea since they do not detect a large set of routing attacks such as selfish behaviours and black-holes while at the same time their implementation at low cost is not feasible. The establishment of trust relationships among nodes based on behaviour monitoring, exactly as in human societies, is a useful and effective tool. Although a wealth of intelligent and efficient trust models has been presented in the literature, if a trust model needs to be implemented, the algorithmic complexity, memory allocation and power consumption become the prime requirements. The choice of the behaviours to monitor is associated with the attacks against which protection is aimed and it affects the introduced complexity. As the number of monitored behaviours increases, the achieved security Copyright © 2010 John Wiley & Sons, Ltd. 393 becomes higher, but the implementation feasibility has to be checked with respect to the node capabilities. For each monitored behaviour, at least two counters to keep the successful/failed interactions are required per neighbour, while the processing required for deciding whether an interaction was successful or not depends on the monitored behaviour and increases for behaviours related to layer 2 functions towards the application layer. In any case, the set of the behaviours to be monitored should at least include forwarding and then move further in the provided table. As regards the implementation of the trust evaluation and measurement functionality, the appropriate choice each time depends on the actual network and application set up. In more detail, in case of a homogeneous WSN, the implementation of a fully distributed trust model is more suitable since it uniformly distributes node requirements and power consumption. If further the WSN is dense enough and node capabilities allow, an algorithm that assigns the trust functionality to selected nodes in different time periods, can result in power consumption savings. In case of a heterogeneous WSN, the extra node capabilities and/or power availability may be exploited to increase the overall network performance, if the bandwidth required for the exchange of trust information is available. Security-wise, the implementation of trust functionality in all network nodes represents the best choice. In this view, even in a heterogeneous WSN, nodes can implement a distributed trust model with some of them monitoring more behaviours than others. The exchange of trust information based on a specific reputation protocol enables faster detection of unexpected (either faulty or malicious) behaviours. As the application domains of sensor networks expand, security threats proliferate and new attacks targeting the reputation protocol have appeared. Although a trust model designer can define an intelligent and effective way for secure reputation exchange, the implementation cost in terms of node processing and memory resources as well as bandwidth resources and more importantly in terms of power consumption is very high. For this reason, it is recommended, to incorporate reputation exchange schemes in the trust models only when mobility needs to be supported; otherwise, the benefits brought by the reputation mechanism do not justify the introduced power consumption. Furthermore, in case a reputation protocol has to be implemented to support mobility, it is suggested first, that each node interrogates its neighbours only for other one-hop neighbours, to avoid the flooding of the reputation messages in the network and second, the reputation exchange should occur less frequently when the neighbourhood changes slowly or does not change at all. Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett 394 T. ZAHARIADIS ET AL. To sum up, to design and implement a trust model for enhancing security in a WSN, the capabilities of the nodes, the targeted application, and the network restrictions (in terms of bandwidth and lifetime) have to be traded-off with the risks that need to be mitigated. ACKNOWLEDGEMENTS The work presented in this paper was partially funded by the EU FP7 211998 AWISSENET project. REFERENCES 1. Giruka VC, Singhal M, Royalty J, Varanasi S. Security in wireless sensor networks. Wireless Communications and Mobile Computing 2008; 8: 1–24. 2. Kannhavong B, Nakayama H, Nemoto Y, Kato AN, Jamalipour A. A survey of routing attacks in mobile ad hoc networks. IEEE Wireless Communications 2007; 14(5): 85–91. 3. Karlof C, Wagner D. Secure routing in wireless sensor networks: attacks and countermeasures. IEEE International Workshop on Sensor Network Protocols and Applications, Anchorage, AK, USA, 2003; 113–127. 4. Atakli IM, Hu H, Chen Y, Ku WS, Su Z. Malicious node detection in wireless sensor networks using weighted trust evaluation. Spring Simulation Multiconference, Ottawa, Canada, 2008. 5. Li H, Singhal M. A Secure routing protocol for wireless ad hoc networks. 39th Hawaii International Conference on system Sciences, Kauai, 2006. 6. Rezgui A, Eltoweissy M, TARP: a trust-aware routing protocol for sensor-actuator networks. IEEE International Conference on Mobile Ad Hoc and Sensor Systems, Pisa, Italy, 2007. 7. Hur J, Lee Y, Yoon H, Choi D, Jin S. Trust evaluation model for wireless sensor networks. Advanced Communication Technology Conference, Phoenix Park, Korea, 2005; 491–496. 8. Crosby GV, Pissinou N. Cluster-based reputation and trust for wireless sensor networks. Consumer Communications and Networking Conference, Las Vegas, NV, USA, 2007. 9. Lewis N, Foukia N., Using trust for key distribution and route selection in wireless sensor networks. IEEE Globecom, Washington DC, USA, 2007. 10. Mahoney G, Myrvold W, Shoja GC. Generic Reliability Trust Model. 3rd Annual Conference on Privacy, Security and Trust, St. Andrews, New Brunswick, Canada, 2005. 11. Theodorakopoulos G, Baras J. On trust models and trust evaluation metrics for ad-hoc networks. IEEE Journal on Selected Areas in Communications (JSAC) 2006; 24: 318–328. 12. Tanachaiwiwat S, Dave P, Bhindwale R, Helmy A. Location-centric isolation of misbehavior and trust routing in energy-constrained sensor networks. IEEE International Conference on Performance, Computing, and Communications, Phoenix, AZ, USA, 2004. 13. Ghazaleh NB, Kang KD, Liu K. Towards resilient geographic routing in wireless sensor networks. 1st ACM Workshop on QoS and Security for Wireless and Mobile Networks, Montreal, Canada, 2005. 14. Zhang W, Das SK, Liu Y. A trust based framework for secure data aggregation in wireless sensor networks. 3rd Annual IEEE Communications Society on Sensor and Ad Hoc Communications and Networks, Reston, VA, USA, 2006. 15. Meidanis D, Papaefstathiou I. On the power consumption of security algorithms employed in wireless networks. IEEE CCNC09, Consumer Communications and Networking Conference, Las Vegas, NV, USA 2009. 16. Xu M, Du R, Zhang H, Zhan J. A Trust chain build scheme for enhancing wireless network security. IEEE Conference on Wireless Communications, Networking and Mobile Computing, 2007. 17. Pirzada AA, McDonald C. Trust establishment in pure ad hoc networks. Wireless Personal Communications 2006; 37: 139– 163. 18. Marias G, Tsetsos V, Sekkas O, Georgiadis P. Performance evaluation of a self-evolving trust building framework. 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece, 2005. 19. Liu Z, Joy A, Robert A. Thompson a dynamic trust model for mobile ad hoc networks. 10th IEEE International Workshop on Future Trends of Distributed Computing Systems, 2004. 20. Sun Y, Yu W, Han Z, Liu KJR. Information theoretic framework of trust modeling and evaluation for ad hoc networks. IEEE JSAC (Special Issue on Security in Wireless Ad Hoc Networks) 2006; 24: 305–317. 21. Michiardi P, Molva R. CORE: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. IFIP TC6/TC11 Sixth Joint Working Conference on Communications and Multimedia Security, 2002; 228: 107-121. 22. Buchegger S, Boudec J. Performance analysis of the CONFIDANT protocol: cooperation of nodes: fairness in distributed ad hoc networks. 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing, 2002; 226–236. 23. Sun YL, Han Z, Liu KJR. Defense of trust management vulnerabilities in distributed networks. IEEE Communications Magazine 2008; 25: 112–119. 24. Chen H. Task-based trust management for wireless sensor networks. International Journal of Security and Its Applications 2009; 3: 21–26. 25. Maarouf IK, Naseer AR. WSNodeRater: an optimized reputation system framework for security aware energy efficient geographic routing in WSNs. IEEE/ACS International Conference on Computer Systems and Applications, 2007; 258–265. 26. Probst MJ, Kasera SK. Statistical trust establishment in wireless sensor networks. International Conference on Parallel and Distributed Systems, Hsinchu, Taiwan, 2007. 27. Hung KS, Lui KS, Kwok YK. A trust-based geographical routing scheme in sensor networks. IEEE Wireless Communications and Networking Conference, Hong-Kong, 2007. 28. Trakadas P, Maniatis S, Karkazis P, Zahariadis T, Leligou HC, Voliotis S. A novel flexible trust management system for heterogeneous wireless sensor networks. 9th International Symposium on Autonomous Decentralized Systems, Athens, Greece, 2009. 29. www.xbow.com AUTHORS’ BIOGRAPHIES Theodore Zahariadis received his Ph.D. degree in Electrical and Computer Engineering from the National Technical University of Athens, Greece, and his Dipl.-Ing. degree in Computer Engineering from the University of Patras, Greece. Currently, he is the project manager of the STREP ICT/AWISSENET-028097. In the past, he has been with Ellemedia Technologies as the Technical Director; the Copyright © 2010 John Wiley & Sons, Ltd. Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS 395 Hellenic Aerospace Industry (HAI) as chief engineer; the Lucent Technologies/Bell-Laboratories, Holmdel, NJ as a senior consultant; Intrasoft, Intracom and the Telecommunications Laboratory of NTUA as senior researcher. Since 1994, he has participated in many ACTS, ESPRIT and IST projects as senior researcher or Technical manager. His research interests are in the fields of broadband wireline/wireless/mobile communications, interactive service deployment over IP networks, management of IP networks, embedded systems and multimedia home networks. He is currently an assoc. professor at the Technological Educational Institute of Chalkida. Dr Zahariadis has published more than 90 papers in magazines, journals and conferences and he is the author of the book ‘Home Networking: Technologies and Standards’ published by Artech House. Helen C. Leligou received the Dipl.-Ing. and Ph.D. degrees, both in Electrical and Computer Engineering, from the National Technical University of Athens (NTUA), Athens, Greece, in 1995 and 2002, respectively. Her research interests lie in the area of protocol design for communication systems, access control mechanisms in broadband networks including HFC, PON, WDM metro and core networks. Currently she is working on security protocols for wireless sensor networks. Her research results have been published in more than 80 scientific journals and conferences. She has participated in several EU-funded ACTS, IST and ICT research projects in the above areas. Since 2007 she is a lecturer at Technological Educational Institute of Chalkida. Panagiotis Trakadas was born in Athens, Greece, in 1972. He received the Diploma of Electrical and Computer Engineering and the Ph.D. degree from the National Technical University of Athens (NTUA) in 1997 and 2001, respectively. From 2001 until 2004 he was with the Hellenic Aerospace Industry (HAI) as Senior Engineer. From 2005 he is working as a certified auditor at the Hellenic Authority for Communication Security and Privacy (ADAE). He has participated in many projects as Senior Researcher. He authored more than 50 papers in journals, magazines and international conferences. His main research interests include wireless communications systems and antennas propagation issues. Stamatis Voliotis honoured the degree of Computer Engineering and Informatics from University of Patras, Hellas in 1985, the M.Sc. in Electrical Computer Engineering from Syracuse University, USA in 1989 and the Ph.D. in Robotics from University of Patras, Hellas in 1990. Currently he is a Professor at Technological Educational Institute of Chalkida, head of the Communication Networks and Automation Systems Laboratory. Professor Voliotis has participated in many E.U. funded projects under the Telematics Applications Programme, the ADAPT initiative and the Leonardo Da Vinci, and has great experience in project management in E.U. and National funded projects. His research interests are in the area of computer automation architecture and network processing, mobile/wireless communications and robotics navigation and control. He has a large number of publications in international scientific journals and he is member of various scientific and technical associations. His wide range of interests also includes competitive bridge. Copyright © 2010 John Wiley & Sons, Ltd. Eur. Trans. Telecomms. 2010; 21:386–395 DOI: 10.1002/ett
 
									 
									 
									 
									 
									 
									 
									 
									 
									 
									 
                                             
                                             
                                             
                                             
                                             
                                             
                                             
                                             
                                             
                                             
                                            