Download Trust management in wireless sensor networks

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Wireless security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

IEEE 802.1aq wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Distributed operating system wikipedia , lookup

CAN bus wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Airborne Networking wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Kademlia wikipedia , lookup

Routing in delay-tolerant networking wikipedia , lookup

Transcript
EUROPEAN TRANSACTIONS ON TELECOMMUNICATIONS
Eur. Trans. Telecomms. 2010; 21:386–395
Published online 8 April 2010 in Wiley InterScience
(www.interscience.wiley.com) DOI: 10.1002/ett.1413
Mobile Networks
Trust management in wireless sensor networks
Theodore Zahariadis1 , Helen C. Leligou1 ∗ , Panagiotis Trakadas2 and Stamatis Voliotis1
1 Department
2 Hellenic
of Electrical Engineering, Technological Educational Institute of Chalkida, Psahna, 34400 Evia, Greece
Authority for Communications Security and Privacy (ADAE), Ierou Lochou 3, Maroussi, 15124, Athens, Greece
SUMMARY
The range of applications of wireless sensor networks is so wide that it tends to invade our every day life.
In the future, a sensor network will survey our health, our home, the roads we follow, the office or the
industry we work in or even the aircrafts we use, in an attempt to enhance our safety. However, the wireless
sensor networks themselves are prone to security attacks. The list of security attacks, although already very
long, continues to augment impeding the expansion of these networks. The trust management schemes
consist of a powerful tool for the detection of unexpected node behaviours (either faulty or malicious). Once
misbehaving nodes are detected, their neighbours can use this information to avoid cooperating with them,
either for data forwarding, data aggregation or any other cooperative function. A variety of trust models
which follow different directions regarding the distribution of measurement functionality, the monitored
behaviours and the way measurements are used to calculate/define the node’s trustworthiness has been
presented in the literature. In this paper, we survey trust models in an attempt to explore the interplay among
the implementation requirements, the resource consumption and the achieved security. Our goal is to draw
guidelines for the design of deployable trust model designs with respect to the available node and network
capabilities and application peculiarities. Copyright © 2010 John Wiley & Sons, Ltd.
1. INTRODUCTION
Wireless Sensor Networks (WSN) offer efficient solutions
in a great variety of application domains such as military
fields, healthcare, homeland security, industry control, intelligent green aircrafts and smart roads. Security plays a vital
role in all of them and foremost for military and surveillance
cases. It can be interpreted in a list of security requirements
which include node verification, user authorisation, data
confidentiality, data integrity and freshness, privacy, secure
localisation and trusted resource allocation. Although
security requirements in WSN are quite similar with those of
conventional networks, the applicability of already existing
solutions designed for legacy networks is arguable, if
possible at all, due to their specific characteristics. First,
sensor networks are highly application oriented and as
such, various applications bring diverse security needs.
Second and more important, the sensor nodes have limited
communication bandwidth, processing resources, memory
space and battery capacity. So, the realisation cost of
security functions executed on every single node should
be well considered and carefully traded off with the
possible achievements. Third, as WSNs can be established
without any existing infrastructure, which is a major feature
exploited in most applications, they rely on the mutual
cooperation among nodes to route traffic towards the sink.
(Typical sensor network architecture is shown in Figure 1,
where it is also shown that multiple sensory networks may
be connected through an IP network.) Each node is expected
to act as a router in order to forward traffic generated by its
neighbours, exactly as they will do in their turn. However,
this operation can be falsified by an adversary. Several
widely known attacks target the routing operation, since
destroying it can lead to the network’s collapse.
* Correspondence to: Helen C. Leligou, Department of Electrical Engineering, Technological Educational Institute of Chalkida, Psahna, 34400 Evia,
Greece. E-mail: [email protected]
Copyright © 2010 John Wiley & Sons, Ltd.
Received 23 September 2008
Revised 9 January 2010
Accepted 27 January 2010
TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS
The security threats that a large wireless network faces
form a long list [1–3], since the wireless media allows
for easy eavesdropping of information and false data
injection in the network. Most proposals available in the
literature try to secure these networks using traditional
security techniques, to achieve confidentiality, integrity
and authentication. For example, encryption is a powerful
technique against data privacy attack while authentication
is a well-established solution to the Sybil attack. However,
the implementation of such security measures comes at
a high cost since it requires significant memory and
processing resources increasing at the same time the power
consumption [4]. Focusing on routing attacks, a malicious
node may refuse to forward all or part of the received
traffic towards the destination (issuing a black-hole or
grey-hole attack) exhibiting selfish behaviour. This attack
may be combined with modification/falsification of the
routing message in an attempt to allure traffic and then
drop it.
To combat such behaviours, an approach borrowed
from human societies has been proposed: nodes establish
trust relationships between each other and base their
routing decisions not only on geographical or pure routing
information, but also on their expectation (trust) that their
neighbours will sincerely cooperate. Trust is the confidence
of a node si that a node sj will perform as expected, i.e. on the
node’s sj cooperation. To evaluate the trustworthiness of its
neighbours, a node not only monitors their behaviour (direct
observations) but may also communicate with other nodes
to exchange their opinions. The methods for obtaining
trust information and defining each node’s trustworthiness
are referred to as trust models. A trust model is mostly
used not only for higher layer decisions such as routing
[5, 6] and data aggregation [7], but also cluster head
election [8] and, more surprisingly, for key distribution
[9]. Its aim is to improve security and thus increase the
throughput, the lifetime and the resilience of a sensor
network.
Although a lot of research work has been spent in the
design of trust models, their implementation has attracted
nearly no attention. In most cases this is due to the fact
that the relevant implementation requirements are not met
by current sensor nodes specifications. In this paper, we
investigate already proposed trust models and analyse their
advantages and disadvantages. Our target is to draw useful
guidelines for the design of trust models that can be
implemented in real-life applications.
The rest of the paper is organised as follows. In Section 2
we concentrate on the trust information collection and we
categorise trust models based on certain design criteria
Copyright © 2010 John Wiley & Sons, Ltd.
387
while in Section 3 we focus on the trust metrics, i.e. the
behaviours each node monitors in order to quantify trust.
Next, in Section 4, we explore the implications of the
presented trust model design options while conclusions are
finally drawn in Section 5.
2. TRUST MODELS
According to Reference [10], a trust model is a definition
of entities, trust values, trust subject-matter, direct trust,
indirect trust and trust roots. Entities are the subject objects
of trust relationships, a trust value is some measure or
quantification assigned by a local entity to its belief in the
trustworthiness of another entity and trust is subject-matter
specific, i.e. related to a specific function. Direct trust is
some entity’s independent belief in the trustworthiness of
another entity and is in general, not symmetric, while a
recommendation (also called reputation in some works) is
a statement of direct trust about a remote entity made by an
intermediate entity. Trust roots, also called seeds of trust,
are the positive assumptions about specific entities made by
all entities in some community.
A set of options arise during the design of a trust
model, which also allow for different classifications [11].
Depending on the distribution of the trust establishment
functionality in the network, i.e. on the node that
decides–calculates the trust value of every network node,
the trust models can be distinguished in centralised,
hierarchical and distributed.
In the centralised case, (an example of which can be
found in Reference [12]), a (head) node undertakes the
responsibility to decide the nodes’ trustworthiness, based
either on trust data it has collected on its own, or on
trust data received by all or specific nodes in the network.
This head node is considered to be trusted and announces
the calculated trust values back to the network nodes, so
that they use it to make their decisions. The advantage
is that there is no need to implement on every node
the trust evaluation functionality. However, this comes
at the cost of extra energy consumption since the trust
information has to be disseminated in the network. Another
important drawback of this approach is that the single
trusted node represents a single point of failure. Once this is
compromised, the routing operation in the whole network
can be ruined.
To enhance performance and economise resources
such as transmission power and bandwidth, dense sensor
networks are divided in groups/clusters [7] and one
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
388
T. ZAHARIADIS ET AL.
Figure 1. Aggregator nodes (ANs) collect data from the sensor nodes (si ) and communicate with application nodes (AP) which provide
the desired services. In hierarchically structured sensory network, sensors are organised in clusters and one sensor in each cluster plays
the role of cluster head.
(or more) node(s) in each cluster undertakes special
responsibilities, such as data aggregation, forwarding
and trust calculation forming this way a hierarchical
architecture [13]. Although algorithms to split the network
in clusters based either on location or application criteria
exist (e.g. LEACH), since the cluster heads play a more
important role they have to be elected taking also into
account their trustworthiness. In Reference [8], a trustaware scheme for cluster head election is proposed: the
current cluster head undertakes the responsibility to gather
trust information from the nodes of the cluster and decides
the next cluster head after having authenticated it. An
alternative approach for building trust in hierarchically
structured dense sensor networks suggests that every
node (including the aggregator and cluster head) is
under surveillance of all its neighbours and all nodes
evaluate the trustworthiness of their neighbours, forming
a distributed trust architecture. The aggregator nodes in
each cluster evaluate the trustworthiness of their source
nodes; the cluster head evaluates the trustworthiness
of each aggregator; and the source nodes overhear the
aggregator’s transmission to evaluate the trustworthiness of
the aggregator. When this falls below a certain threshold,
a new aggregator can be chosen/elected [14]. This way
the network will survive even if the aggregator nodes are
compromised at the penalty of functionality implemented
and running in all network nodes. Thus, all network nodes
Copyright © 2010 John Wiley & Sons, Ltd.
participate in the trust evaluation process playing a different
role. This approach is also followed in References [15] and
[16] where a three-tier network architecture (sensor nodes,
cluster head, base station/command node) is considered. All
nodes evaluate the trust of the cluster head and the relevant
value is reported in the base station.
Finally, in a fully distributed trust model, like the
one presented in Reference [17], each node monitors the
behaviour of its neighbours and based on the collected
measurements, it calculates their trustworthiness, which
is then taken into account when routing decisions are
made. In this case, the trust establishment functionality is
uniformly distributed all over the network, and so does the
implementation cost. The advantage is that there are no
‘single points of failure’ in the network which comes at
the expense of trust evaluation logic implemented in all
network nodes.
The detection of an unexpected behaviour based only
on direct measurements and in a reliable way takes
some time since an important number of evidence
(measurements) are required. This effect becomes more
important when considering mobile sensor nodes: each
time they move to another neighbourhood, they need
to perform a number of interactions with their (new)
neighbours in order to evaluate their trustworthiness. This
procedure can be accelerated taking advantage of the
neighbours’ experience, and this represents an important
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS
design option. In other words, each node (say s1 in
Figure 1) may calculate its neighbour’s (for example,
node s3 ) trust value based on its own observations (direct
evidence) combining it with information obtained from
other nodes (for example nodes s2 , s5 ). The information
provided by s2 and s5 is called reputation and represents
indirect evidence [18]. The reputation of a node regarding
a specific function (e.g. forwarding) can be expressed as
follows:
Reputation = {NodeId, Function, Trust Value}
where the ‘function’ is the trust subject-matter. In this
concept, every node can build a relation with its neighbours,
based on the collection of actions (events) performed by
other nodes in the neighbourhood. The trust value that
each node calculates can thus be based both on direct
observations and on indirect trust information collected
from its neighbours. The exchange of indirect trust
information introduces the need for implementing a new
protocol causing an overhead increase which can reach
60% [18].
To limit the cost of implementing a reputation scheme,
different approaches have been pursued, increasing the
design options portfolio:
• The reputations are not flooded but instead limited or
directed flooding is used [19]. In limited flooding, the
reputation reaches nodes up to a fixed number (say
2) of hops far from the reputation source, while in
directed flooding the reputation is announced to the
nodes appearing in the path used by the reputation
requestor. In Reference [20], the reputation messages
reach only the one-hop neighbours. It is worth pointing
out that this design option is coupled with the adopted
routing protocol. For example, if source routing is
adopted, then the trust of the whole path should be
evaluated. In this case, the routing messages can be
used for the dissemination of trust information. In
contrast, in location-based routing protocols, where each
node defines only the next hop, there is no reason to
disseminate the trust information further than one-hop
neighbours.
• Only positive (or negative) information is shared.
When only positive information is shared, since
nodes learn only from their own experience about
a malicious node, colluding malicious nodes can
extend each other’s survival time through false praise
reports. CORE—Collaborative Reputation Mechanism
(presented in Reference [21]) is an example of a trust
Copyright © 2010 John Wiley & Sons, Ltd.
389
management scheme using only positive information.
Similarly, sharing only negative information prevents
the false praise attack mentioned above, but in this
case malicious nodes can launch a bad-mouth attack on
benign nodes (see Reference [22]). To avoid the risks
introduced by sharing only positive (or only negative)
trust information, sharing all types of trust information
presents an attractive solution.
• Exactly as happens with proactive versus reactive routing
protocols, trust computation can be done in a proactive
or reactive fashion. In reactive trust models, each node
computes the trust value of a neighbouring node or of
the entire path, only when explicitly needed. On the
other hand, in proactive trust establishment, the node
maintains a table containing already computed trusted
routes. Applying this technique, the trust-aware decision
can be made without delay, but resources are consumed
for the trust table maintenance, even when there is no data
to route. When the trust information is exchanged only
upon request, then transmission power is economised at
the cost of additional delay. The design option that best fits
the application should be chosen each time, i.e. in case the
application generates heavy data streams or periodically
senses the environment, proactive trust evaluation
leads to better results in terms of delay and energy
consumption.
It is worth stressing that the trust information exchange
can be exploited by adversaries to ruin the routing
functionality of the network. Attacks addressing exactly
the trust models have appeared in the literature [23]. For
example, a malicious node s5 can spread bad rumours for
certain nodes (say s3 and s2 ) so that their neighbours do not
use them for routing, forcing thus the traffic generated in s1
pass through s5 . Another way to mislead the neighbours
is the so-called on–off attack: a node performs well for
a time period so that its neighbours consider it as trusted
while it starts malfunctioning later on. Another attack is
the conflicting behaviour where a node behaves differently
towards different neighbours, in an attempt to cheat the trust
model.
Summing up, the trust model design options include the
distribution of the functionality, the use of direct and/or
indirect trust values, the reputation exchange protocol
(reactive, proactive, periodic), the type of trust values
exchanged (positive vs. negative). It should be noted that
once the trust of each neighbour has been evaluated, the
way this is taken into account when a neighbour has to
be selected for cooperation (e.g. routing) falls outside the
definition of the trust scheme itself.
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
390
T. ZAHARIADIS ET AL.
3. TRUST EVALUATION
To evaluate the trustworthiness of a node, its behaviour is
monitored and then quantified. In the sequence, we first
discuss the behaviour aspects that can be monitored and
then we discuss how a trust value can be reached.
3.1. Trust metrics
To evaluate the trustworthiness of a sensor node, multiple
aspects of its behaviour can be monitored. Each of them
aims at detecting a specific type of attack. For example,
each time node s1 selects node s3 for forwarding its packet
it enters the promiscuous mode in order to check whether
node s3 successfully forwarded it. After a number of cooperations, comparing the successfully forwarded packets
to the number of packet s1 sent to s3 , the source node
(node s1 ) can assess the sincere execution of the routing
protocol while a systematic failure reveals a selfish and/or
malicious node acting as a black hole. Similarly, measuring
the packets correctly forwarded without being modified,
nodes issuing modification attacks can be detected. A
list of behaviours that can be monitored is provided in
Table 1 and is associated with the attack it can reveal.
Both the direct and indirect measurements may address
more than one node behaviours (e.g. forwarding and
availability).
Examining the above behaviour list, it is obvious
that the required processing to decide whether a data
message has been actually forwarded is less than the
processing required to check the message precision and
significantly less than the processing required to decide
on the consistency of the reported data. Furthermore, the
monitoring of neighbours’ behaviour apart from processing
resources consumes power and thus shortens the nodes’
lifetime. While this drawback is of minor importance
for devices such as PDAs, it becomes more significant
for tiny sensor nodes with limited resources. For this
reason, in most research efforts a subset of the above trust
metrics are adopted. The choice depends on the target
application environment as well as on the sensor node
capabilities.
3.2. Trust evaluation
For each monitored behaviour, a trust value can be derived
based on the collected measurements: each interaction is
marked either as a success or as a failure. The measurements
are then used to decide the trustworthiness of a node which
can be expressed either
• As a trust level among a limited set of supported levels
(e.g. medium, high, low) as proposed in Reference [18],
or
• As the success ratio (successful interactions divided by
the total number of interactions) ranging from [0,1] (see
Reference [12]) or
• As a trust value reflecting the difference between
the successfully accomplished and failed interactions,
ranging from [−1, 1], (as proposed in Reference [17]).
Table 1. Monitoring the behaviour of the neighbours, a wide set of attacks can be detected.
Trust metric
Monitored behaviour
Attack addressed
1
Data packets forwarded
Data message/packet forwarding
2
3
4
Control packets forwarded
Data packet precision
Control packet precision
Control message forwarding
Data integrity
Control packet integrity
5
Availability based on
beacon/hello messages
Packet address modified
Cryptography
Routing protocol
execution
Battery/lifetime
Consistency of reported
values/data
Sensing communication
Reputation
Timely transmission of periodic routing
information reporting link/node availability
Address of forwarded packets
Capability to perform encryption
Routing protocol specific actions (reaction
to specific routing messages)
Remaining power resources
Consistency of sensing results, reported
values (e.g. energy, humidity)
Reporting of events (application specific)
Trust value observed by third parties
Black-hole, sinkhole, selective forwarding,
denial of service, selfish behaviour
Control/routing message dropping
Data message modification
Sybil, and any attack based on routing
protocol message modification
Passive eavesdropping, selfish node
6
7
8
9
10
11
12
Copyright © 2010 John Wiley & Sons, Ltd.
Sybil, wormhole
Authentication attacks
Misbehaviours related to specific routing
protocol actions
Node availability
Compromised nodes
Selfish node behaviour at application level
Bad mouthing attack
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS
A generalised approach is to use the following equation
for the calculation of trust.
TiA,B
=
ai SiA,B − bi FiA,B
ci SiA,B + di FiA,B
where TiA,B is node’s A Trust value regarding node B,SiA,B
is the number of successful type i events that A has
measured for B,FiA,B is the number of failed type i
events that A has measured for B and ai , bi , ci and di ,
represent the weight/significance of a successful versus
the weight/significance of the failed events. Based on
this equation, a trust value TiA,B is calculated for each
monitored behaviour. These behaviour-related trust values
are then multiplied by a weight factor (Wi ) reflecting their
importance in security hierarchy and then summed up to
form the overall node trustworthiness, as in the following
equation.
DT A,B =
k
Wi ∗ TiA,B
i=1
In general, direct observations are considered more
important than indirect trust information, while indirect
information becomes important for newly activated
nodes which have limited experience on the cooperation
willingness of their neighbours.
Special care is paid to the handling of old versus
recent observation values in some works. For example,
in Reference [18], it is proposed to keep the outcome of
the n latest interactions in a vector instead of summing
up the successful and failed co-operations. Each of the
n bits of the vector is equal to ‘1’ (for successfully
completed interactions) or ‘0’ for failed ones. Each time
a new cooperation has been completed, the new outcome
is appended to the vector and the oldest value is shifted
out. Then, a new trust value is calculated based on the
newly formed vector. The width of the vector is directly
related to the observation window. To reduce the influence
of sporadic misbehaviour in the evaluation of the trust value,
the authors in Reference [21] provide more relevance to past
observations through a time dependent function based on
which the direct trust value is defined. Assigning higher
weight factor to old measurements allows for smoother
evolution of trust values [21] while lower weights allow for
faster detection of misbehaviours [18]. In Reference [24],
the notion of the ‘aging factor’ is introduced and the trust
Copyright © 2010 John Wiley & Sons, Ltd.
391
values are calculated as
T = γTnew + (1 − γ)Told
where γ stands for the weight assigned to the recently
calculated trust value Tnew , and Told is the previously
defined trust value. In Reference [25], the weight factor
γ changes dynamically depending on the relation between
Tnew , and Told . In more detail, it increases when the
difference Tnew − Told increases. The main drawback of
these approaches is that they introduce complexity in the
calculation of trust.
Another approach also explored in the literature adopts a
probabilistic model for the trust evaluation. In Reference
[24], the trust is calculated as the expectation that a
new cooperation will be successfully completed given
that the past observations are as recorded applying the
Bayes theorem and the Beta distribution on the obtained
measurements. In Reference [26], the output of the trust
mechanism is a trust value and a confidence interval around
this value based on direct and indirect experiences of sensor
node behaviour. Statistical values are used both in initial
evaluation of experience records as well as the collected
experiences by third parties.
4. ASSESSMENT
To efficiently address security in wireless sensor networks,
the use of a suitably designed trust management system
is required. In Reference [17], the throughput is shown
to increase by 20% for 40% of nodes acting maliciously
due to the realisation of a trust establishment scheme.
Unfortunately, a direct quantitative comparison of the
effectiveness of the trust models is not possible because it
depends on a variety of design options including the adopted
routing protocol. It also depends on how the trust value is
used during the routing decisions, which is outside the scope
of the trust model design. Namely, once the node trust value
has been defined, the possible responses to this information
vary. ‘Positive response’ represents the preference for a
node to cooperate with the neighbour with the highest trust
value [17]. The disadvantage of this choice is poor load
balancing which leads to the exhaustion of highly trusted
nodes. To overcome this drawback, in Reference [27], it
is proposed to mark every packet with a trust threshold
and route it along paths traversing nodes exceeding this
threshold. In Reference [25], a trust threshold is defined to
characterise malicious nodes and either stop any interaction
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
392
T. ZAHARIADIS ET AL.
with them or just stop using them for forwarding. However,
this introduces the need for defining a trust threshold which
depends on the application run over the WSN and may
also result in poor connectivity when nodes exceeding this
threshold do not exist in the network. So, to decide the
trust threshold the desired/required security level has to be
balanced to possible blocking of nodes in the network. For
all these reasons, a qualitative assessment of trust model
design options follows in an attempt to provide useful
guidelines for designing an efficient and deployable trust
model.
4.1. Distribution of monitoring functionality
The distribution of monitoring functionality affects
the resource consumption in terms of energy and
communication bandwidth as well as the node requirements
in terms of processing and memory. The implementation
of a fully distributed trust model implies that all nodes
have similar capabilities and resource consumption. In an
attempt to reduce the node requirements, the monitoring of
neighbours’ behaviour can be assigned to selected nodes,
which can be the cluster heads or (preferably) nodes with
higher battery capacity or even constant power supply
(as suggested in Reference [25]). Although this approach
elongates the network lifetime, the monitoring nodes
represent ‘single points of failure’, i.e. if such a node is
compromised, the impact on the overall network operation
will be more evident. Additionally, the communication
of the trust information to nodes which do not possess
the monitoring functionality increases the bandwidth
requirements and the energy consumption. In contrast, if
all nodes calculate the trust values of their neighbours then
they all have identical processing requirements and the
trust management functionality is uniformly distributed.
The case where all nodes calculate the trust value and also
exchange trust related information (i.e. a reputation scheme
is realised) is the most resource demanding case, both for the
node and the network. This approach can be justified only
when node mobility has to be supported or the robustness
in trust calculation offered by the reputation scheme is
considered mandatory. This can be the case in applications
with very high security requirements. In any case, the choice
of direct measurements is the absolute minimum to perform
trust evaluation.
4.2. Trust value components
Focusing on the node requirements for trust model
implementation, these depend on the number of monitored
Copyright © 2010 John Wiley & Sons, Ltd.
behaviours (from the list appearing in Table 1), on the way
the trust value is calculated as well as on the adoption
(or not) of any reputation scheme. Starting from the
memory requirements, the measurements (success and
failures) for each monitored behaviour are maintained in
two counters. As the set of employed metrics becomes
larger, the required memory space increases linearly. As
regards the processing requirements, these depend on the
type of the monitored behaviour and the realisation or
not of any reputation scheme. For example, monitoring
the ‘data packet forwarded’ behaviour is less demanding
than the ‘data integrity’ check since the latter requires
more complex packet processing. More demanding than
both is the monitoring of the ‘reported data consistency’
which requires the execution of application-specific logic.
Once the measurements related to the monitored behaviours
have been collected, the way trust value is calculated also
affects the processing cost. Multiplications and divisions
come at higher implementation cost than classification to
fixed trust levels. In this respect, calculating the trust as
the success ratio relaxes the processing task compared to
the case where the aging factor is adopted. The handling
of older values (denoted as history in the table) increases
both the memory and the processing requirements since the
relevant equation is more complex than a simple division
[10]. Finally, the implementation of a reputation scheme
significantly impacts the processing requirements since it
mandates the implementation of an additional protocol
state machine and the generation, transmission, reception
and processing of the corresponding messages, strongly
increasing processing, memory and energy requirements.
4.3. Implementation of reputation-based schemes
Systems based only on direct interactions, although
completely robust against rumour spreading, have some
serious drawbacks: the time required by the network
nodes to build reputation is high, and it takes longer
for reputation to decrease, allowing malicious nodes to
stay in the system longer. On the contrary, the use of
second-hand (reputation) information has many benefits:
the reputation of nodes builds up more quickly, due to
the ability of nodes to learn from each others’ experience
and trust value will be more stable over time. However,
the use of recommendations to evaluate a node’s trust
value necessitates the implementation of a reputation
exchange protocol. This exchange severely burdens the
processing load of each sensor and leads to bandwidth
and transmission energy consumption. The introduced
overhead depends on the implemented reputation protocol
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS
and more precisely it depends on the re-active or proactive
way of reputation exchange as well as on the set of
nodes this information is communicated to. In case sensed
data are rarely exchanged, the reactive approach results
in lower overhead per generated data unit; otherwise,
proactively establishing and updating trust information is
more efficient. An approach which can reduce the consumed
energy and bandwidth is to piggyback this information in
routing messages, thus reducing the frequency of reputation
exchange using dedicated messages. For these reasons, the
introduced overhead varies, for example an overhead of
20% is reported in Reference [10], while 60% is reported
in Reference [18].
To conclude, there is an interplay among the node
capabilities (processing, memory and communication
bandwidth), the resource consumption (node energy
and network bandwidth) and the achieved security. To
evaluate the implementation requirements of a trust
model, we have designed the trust model (presented
in Reference [28]) which calculates the direct trust
based on four monitored behaviours (forwarding, network
acknowledgment, integrity and authentication) and also
incorporates a reputation exchange scheme under which
nodes periodically exchange reputation information with
their one hop neighbours. The results for its implementation
in MicaZ, IRIS [29] sensor nodes showed that 35 kb of ROM
and about 4 kb of RAM were occupied.
5. CONCLUSIONS
In the unmanaged environment of WSNs, trusting the
neighbour for forwarding the traffic, for aggregating the
sensed values or for performing any other function is
not a wise option. Cryptography and strong authentication
schemes are not a panacea since they do not detect a large set
of routing attacks such as selfish behaviours and black-holes
while at the same time their implementation at low cost is
not feasible. The establishment of trust relationships among
nodes based on behaviour monitoring, exactly as in human
societies, is a useful and effective tool. Although a wealth
of intelligent and efficient trust models has been presented
in the literature, if a trust model needs to be implemented,
the algorithmic complexity, memory allocation and power
consumption become the prime requirements.
The choice of the behaviours to monitor is associated
with the attacks against which protection is aimed and
it affects the introduced complexity. As the number of
monitored behaviours increases, the achieved security
Copyright © 2010 John Wiley & Sons, Ltd.
393
becomes higher, but the implementation feasibility has to
be checked with respect to the node capabilities. For each
monitored behaviour, at least two counters to keep the
successful/failed interactions are required per neighbour,
while the processing required for deciding whether an
interaction was successful or not depends on the monitored
behaviour and increases for behaviours related to layer 2
functions towards the application layer. In any case, the set
of the behaviours to be monitored should at least include
forwarding and then move further in the provided table.
As regards the implementation of the trust evaluation
and measurement functionality, the appropriate choice each
time depends on the actual network and application set up.
In more detail, in case of a homogeneous WSN, the implementation of a fully distributed trust model is more suitable
since it uniformly distributes node requirements and power
consumption. If further the WSN is dense enough and
node capabilities allow, an algorithm that assigns the trust
functionality to selected nodes in different time periods,
can result in power consumption savings. In case of a heterogeneous WSN, the extra node capabilities and/or power
availability may be exploited to increase the overall network
performance, if the bandwidth required for the exchange of
trust information is available. Security-wise, the implementation of trust functionality in all network nodes represents
the best choice. In this view, even in a heterogeneous WSN,
nodes can implement a distributed trust model with some
of them monitoring more behaviours than others.
The exchange of trust information based on a specific
reputation protocol enables faster detection of unexpected
(either faulty or malicious) behaviours. As the application
domains of sensor networks expand, security threats
proliferate and new attacks targeting the reputation
protocol have appeared. Although a trust model designer
can define an intelligent and effective way for secure
reputation exchange, the implementation cost in terms
of node processing and memory resources as well as
bandwidth resources and more importantly in terms
of power consumption is very high. For this reason,
it is recommended, to incorporate reputation exchange
schemes in the trust models only when mobility needs
to be supported; otherwise, the benefits brought by the
reputation mechanism do not justify the introduced power
consumption. Furthermore, in case a reputation protocol
has to be implemented to support mobility, it is suggested
first, that each node interrogates its neighbours only
for other one-hop neighbours, to avoid the flooding of
the reputation messages in the network and second, the
reputation exchange should occur less frequently when the
neighbourhood changes slowly or does not change at all.
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
394
T. ZAHARIADIS ET AL.
To sum up, to design and implement a trust model for
enhancing security in a WSN, the capabilities of the nodes,
the targeted application, and the network restrictions (in
terms of bandwidth and lifetime) have to be traded-off with
the risks that need to be mitigated.
ACKNOWLEDGEMENTS
The work presented in this paper was partially funded by the EU
FP7 211998 AWISSENET project.
REFERENCES
1. Giruka VC, Singhal M, Royalty J, Varanasi S. Security in wireless
sensor networks. Wireless Communications and Mobile Computing
2008; 8: 1–24.
2. Kannhavong B, Nakayama H, Nemoto Y, Kato AN, Jamalipour A. A
survey of routing attacks in mobile ad hoc networks. IEEE Wireless
Communications 2007; 14(5): 85–91.
3. Karlof C, Wagner D. Secure routing in wireless sensor networks:
attacks and countermeasures. IEEE International Workshop on
Sensor Network Protocols and Applications, Anchorage, AK, USA,
2003; 113–127.
4. Atakli IM, Hu H, Chen Y, Ku WS, Su Z. Malicious node detection
in wireless sensor networks using weighted trust evaluation. Spring
Simulation Multiconference, Ottawa, Canada, 2008.
5. Li H, Singhal M. A Secure routing protocol for wireless ad hoc
networks. 39th Hawaii International Conference on system Sciences,
Kauai, 2006.
6. Rezgui A, Eltoweissy M, TARP: a trust-aware routing protocol for
sensor-actuator networks. IEEE International Conference on Mobile
Ad Hoc and Sensor Systems, Pisa, Italy, 2007.
7. Hur J, Lee Y, Yoon H, Choi D, Jin S. Trust evaluation model
for wireless sensor networks. Advanced Communication Technology
Conference, Phoenix Park, Korea, 2005; 491–496.
8. Crosby GV, Pissinou N. Cluster-based reputation and trust
for wireless sensor networks. Consumer Communications and
Networking Conference, Las Vegas, NV, USA, 2007.
9. Lewis N, Foukia N., Using trust for key distribution and route
selection in wireless sensor networks. IEEE Globecom, Washington
DC, USA, 2007.
10. Mahoney G, Myrvold W, Shoja GC. Generic Reliability Trust Model.
3rd Annual Conference on Privacy, Security and Trust, St. Andrews,
New Brunswick, Canada, 2005.
11. Theodorakopoulos G, Baras J. On trust models and trust evaluation
metrics for ad-hoc networks. IEEE Journal on Selected Areas in
Communications (JSAC) 2006; 24: 318–328.
12. Tanachaiwiwat S, Dave P, Bhindwale R, Helmy A. Location-centric
isolation of misbehavior and trust routing in energy-constrained
sensor networks. IEEE International Conference on Performance,
Computing, and Communications, Phoenix, AZ, USA, 2004.
13. Ghazaleh NB, Kang KD, Liu K. Towards resilient geographic routing
in wireless sensor networks. 1st ACM Workshop on QoS and Security
for Wireless and Mobile Networks, Montreal, Canada, 2005.
14. Zhang W, Das SK, Liu Y. A trust based framework for secure
data aggregation in wireless sensor networks. 3rd Annual IEEE
Communications Society on Sensor and Ad Hoc Communications
and Networks, Reston, VA, USA, 2006.
15. Meidanis D, Papaefstathiou I. On the power consumption of
security algorithms employed in wireless networks. IEEE CCNC09,
Consumer Communications and Networking Conference, Las Vegas,
NV, USA 2009.
16. Xu M, Du R, Zhang H, Zhan J. A Trust chain build scheme for
enhancing wireless network security. IEEE Conference on Wireless
Communications, Networking and Mobile Computing, 2007.
17. Pirzada AA, McDonald C. Trust establishment in pure ad hoc
networks. Wireless Personal Communications 2006; 37: 139–
163.
18. Marias G, Tsetsos V, Sekkas O, Georgiadis P. Performance evaluation
of a self-evolving trust building framework. 1st International
Conference on Security and Privacy for Emerging Areas in
Communication Networks, Athens, Greece, 2005.
19. Liu Z, Joy A, Robert A. Thompson a dynamic trust model for mobile
ad hoc networks. 10th IEEE International Workshop on Future Trends
of Distributed Computing Systems, 2004.
20. Sun Y, Yu W, Han Z, Liu KJR. Information theoretic framework
of trust modeling and evaluation for ad hoc networks. IEEE JSAC
(Special Issue on Security in Wireless Ad Hoc Networks) 2006; 24:
305–317.
21. Michiardi P, Molva R. CORE: a collaborative reputation mechanism
to enforce node cooperation in mobile ad hoc networks. IFIP
TC6/TC11 Sixth Joint Working Conference on Communications and
Multimedia Security, 2002; 228: 107-121.
22. Buchegger S, Boudec J. Performance analysis of the CONFIDANT
protocol: cooperation of nodes: fairness in distributed ad hoc
networks. 3rd ACM International Symposium on Mobile Ad Hoc
Networking and Computing, 2002; 226–236.
23. Sun YL, Han Z, Liu KJR. Defense of trust management vulnerabilities
in distributed networks. IEEE Communications Magazine 2008; 25:
112–119.
24. Chen H. Task-based trust management for wireless sensor networks.
International Journal of Security and Its Applications 2009; 3: 21–26.
25. Maarouf IK, Naseer AR. WSNodeRater: an optimized reputation
system framework for security aware energy efficient geographic
routing in WSNs. IEEE/ACS International Conference on Computer
Systems and Applications, 2007; 258–265.
26. Probst MJ, Kasera SK. Statistical trust establishment in wireless
sensor networks. International Conference on Parallel and
Distributed Systems, Hsinchu, Taiwan, 2007.
27. Hung KS, Lui KS, Kwok YK. A trust-based geographical routing
scheme in sensor networks. IEEE Wireless Communications and
Networking Conference, Hong-Kong, 2007.
28. Trakadas P, Maniatis S, Karkazis P, Zahariadis T, Leligou
HC, Voliotis S. A novel flexible trust management system
for heterogeneous wireless sensor networks. 9th International
Symposium on Autonomous Decentralized Systems, Athens, Greece,
2009.
29. www.xbow.com
AUTHORS’ BIOGRAPHIES
Theodore Zahariadis received his Ph.D. degree in Electrical and Computer Engineering from the National Technical University of
Athens, Greece, and his Dipl.-Ing. degree in Computer Engineering from the University of Patras, Greece. Currently, he is the project
manager of the STREP ICT/AWISSENET-028097. In the past, he has been with Ellemedia Technologies as the Technical Director; the
Copyright © 2010 John Wiley & Sons, Ltd.
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett
TRUST MANAGEMENT IN WIRELESS SENSOR NETWORKS
395
Hellenic Aerospace Industry (HAI) as chief engineer; the Lucent Technologies/Bell-Laboratories, Holmdel, NJ as a senior consultant;
Intrasoft, Intracom and the Telecommunications Laboratory of NTUA as senior researcher. Since 1994, he has participated in many
ACTS, ESPRIT and IST projects as senior researcher or Technical manager. His research interests are in the fields of broadband
wireline/wireless/mobile communications, interactive service deployment over IP networks, management of IP networks, embedded
systems and multimedia home networks. He is currently an assoc. professor at the Technological Educational Institute of Chalkida.
Dr Zahariadis has published more than 90 papers in magazines, journals and conferences and he is the author of the book ‘Home
Networking: Technologies and Standards’ published by Artech House.
Helen C. Leligou received the Dipl.-Ing. and Ph.D. degrees, both in Electrical and Computer Engineering, from the National Technical
University of Athens (NTUA), Athens, Greece, in 1995 and 2002, respectively. Her research interests lie in the area of protocol design
for communication systems, access control mechanisms in broadband networks including HFC, PON, WDM metro and core networks.
Currently she is working on security protocols for wireless sensor networks. Her research results have been published in more than
80 scientific journals and conferences. She has participated in several EU-funded ACTS, IST and ICT research projects in the above
areas. Since 2007 she is a lecturer at Technological Educational Institute of Chalkida.
Panagiotis Trakadas was born in Athens, Greece, in 1972. He received the Diploma of Electrical and Computer Engineering and the
Ph.D. degree from the National Technical University of Athens (NTUA) in 1997 and 2001, respectively. From 2001 until 2004 he was
with the Hellenic Aerospace Industry (HAI) as Senior Engineer. From 2005 he is working as a certified auditor at the Hellenic Authority
for Communication Security and Privacy (ADAE). He has participated in many projects as Senior Researcher. He authored more than
50 papers in journals, magazines and international conferences. His main research interests include wireless communications systems
and antennas propagation issues.
Stamatis Voliotis honoured the degree of Computer Engineering and Informatics from University of Patras, Hellas in 1985, the M.Sc.
in Electrical Computer Engineering from Syracuse University, USA in 1989 and the Ph.D. in Robotics from University of Patras, Hellas
in 1990. Currently he is a Professor at Technological Educational Institute of Chalkida, head of the Communication Networks and
Automation Systems Laboratory. Professor Voliotis has participated in many E.U. funded projects under the Telematics Applications
Programme, the ADAPT initiative and the Leonardo Da Vinci, and has great experience in project management in E.U. and National
funded projects. His research interests are in the area of computer automation architecture and network processing, mobile/wireless
communications and robotics navigation and control. He has a large number of publications in international scientific journals and he
is member of various scientific and technical associations. His wide range of interests also includes competitive bridge.
Copyright © 2010 John Wiley & Sons, Ltd.
Eur. Trans. Telecomms. 2010; 21:386–395
DOI: 10.1002/ett