Documente Academic
Documente Profesional
Documente Cultură
io
is
c
e
D
Where OA represents the index of the situational operation
Monitoring Misbehavior Trust Evaluation and j represents the node ID of the neighbor concerned to
Module Report Module
the report. Nm and No represent the number of misbehavior
and normal-behaviors of the situational operation OA in the
ation
form
l
nd In
o
tr
o
n
Ha trust update period separately.
nd
Seco
C
g
head
n
it
o
ri
ster-
3.2.2. Trust Evaluation Module The trust evaluation mod-
o
n
t: Clu
t Slo ule is responsible for evaluating neighbors’ situational trust
M
Trus
for situational operations and decision trust for making de-
Steady State Confirmation
cisions by the situational misbehavior reports.
Each node maintains a data structure, called NSTT
Figure 1. System architecture of TLEACH. (Neighbor Situational Trust Table), in which each table en-
try contains neighbor’s ID and situational trust for situa-
tional operations, TS .
Our proposed system consists of two main modules: 1)Direct Trust When the trust evaluation module receives a
trust management module and trust-based routing module. situational misbehavior report from its monitoring module,
Figure 1 illustrates the overall system architecture of pro- it evaluates the new direct trust of concerned node.
posed TLEACH protocol and the inter-modules’ relation- We employ the beta distribution[4] to model the node’s
ships. The trust management module is responsible for situational behaviors as in[9] because of its simplicity and
providing infrastructural trust support for routing decisions, strong foundation on statistical theory.
203
For situational operation OA , upon receiving a situa- behaviors to regain its trust. If the value of w is large, then
tional misbehavior report, < Nm , No , OA , j >, the direct the malicious node can regain its trust by performing nor-
trust of node i on node j, DT (i, j, OA ), is defined as fol- mal behaviors for a while after doing much misbehavior; on
lows according to the beta distribution: the other hand, if the value of w is small, the attacker can do
vandalism without being detected after acquiring high trust.
No + 1
DT (i, j, OA ) = (1) To address this problem, the value of w should be chosen
No + N m + 2 carefully. A phenomenon should be noticed that the trust
Without any direct observations, Nm = No = 0, and should not be reduced in an idealized system. As the realis-
DT (i, j, OA ) is equal to 0.5, so the initial value of neigh- tic system may have system failure because of environment
bor’s situational trust is 0.5, which stands for neutral trust. changes or emergent events, it is reasonable to assume that
2)Indirect Trust If a node only evaluates trust by the di- the trust should not be reduced sharply under normal cir-
rect observations, it keeps monitoring module working to cumstances, and if a node wants to regain its trust after some
get more precise values, and then the energy consumption misbehavior, it needs to do more normal behaviors, after all
will be too large for WSNs. The sensor nodes may exchange bad behaviors are always remembered easily in trust sys-
trust values between them to make use of the neighbors’ tem. So we do not choose fixed w, and set w as a function
observations as SHT(Second Hand Trust), however, over of the difference between Tnew and Told . For example, we
depending on SHT will lead to high communication over- can choose:
head, thus our scheme only gets SHT from cluster-heads as w = wo f or Told − Tnew ≥ β;
a trade-off, which play a crucial role in LEACH and are usu- (4)
w = w1 f or Told − Tnew < β
ally more trustworthy. Upon receiving SHT, ST (k, j, OA ),
the trust value from node k to node i on node j, node i com- Where 0 < w1 ≤ w0 ≤ 1, 0 < β < 1. w0 can choose
putes indirect trust on node j, IDT (i, j, OA ) , according to a bigger value, then the trust drops rapidly after an excep-
the following formula: tional trust reduction, and w1 can choose a smaller value,
then the trust grows slowly for normal behaviors. β is the
IDT (i, j, OA ) = T S(i, k, OA ) × ST (k, j, OA ) predefined threshold which indicates the max permissible
(2)
+(1 − T S(i, k, OA )) × T S(i, j, OA ) trust decrement depending on the system circumstances and
requirements.
Where T S(i, k, OA ) and T S(i, j, OA ) are the situational 4)Decision Trust Compute In a trust-based system, when
trust of node i on node k and node j. It is a weighted a node wants to cooperate with one neighbor for an opera-
sum which takes the trust value of node k and j into ac- tion, it makes decision based on the neighbor’s instant trust,
count. Without the weighted factor, the indirect trust may called decision trust. Different situational operations may
be computed incorrectly as the SHT may be sent by ma- perform consistently for malicious nodes, in other words,
licious nodes. If the trust on the sender is too little, the if a node misbehaves in one operation, it is very likely un-
result of the formula is approximate to the old trust value trustworthy in others, however, each situational trust should
T S(i, j, OA ), so the malicious SHT will make little impact have different weight in final decisions, so the decision trust
on the trust evaluation. about operation O of node i on node j, Tdecision (i, j, O), is
3)Trust Update After new direct misbehavior reports or defined as:
SHT is received, new direct trust or indirect trust, Tnew , is
Tdecision (i, j, O) = θOA × T S(i, j, OA ) + θOB ×
calculated, which needs to be integrated with the old value, (5)
Told , stored in the NSTT, then Told is updated to the new T S(i, j, OB ) + θOC × T S(i, j, OC ) + . . .
integrated trust value, TI . It is intuitive to assume that Tnew
Where θOx (x = A, B, C . . .) is the association factor for
and Told should carry different weights in the integrated
each situational trust, which takes values in range (0, 1),
trust, so the integrated trust value, TI , is calculated as fol-
and the total sum of θOx is 1. For decision trust calculation
lows:
on different situational operations, the values of θOx should
TI = (1 − w) × Told + w × Tnew (3)
be different, as the more interrelated situational operations
Where w is the updating factor reflecting the weight of the of the final decision should have bigger association factors.
Tnew , whose value ranges from 0 to 1. Trust update is a
periodical action, which can be exploited by sophisticated 3.3. Trust-based Routing Module
malicious nodes to do time-domain inconsistent behaviors
and break the functioning of the trust management system. Our trust-based routing module preserves the core of the
For example, a malicious node may do normal behaviors at original protocol with the same cluster-head election al-
the start in order to obtain high trust, then perform attack gorithm and working phases as shown in Figure 1, while
actions without being detected, and then go on to do normal adding trust slots and trust-based decision-making.
204
3.3.1. Set-up Phase 1) Data slots For cluster-heads, they keep their receivers on
1) Advertisement The operation is the same as the original to receive data. In the last data slot, they detect the data
protocol. After this phase is completed, each non-cluster- misbehavior, then do data aggregation based on the deci-
head node will have a list of the cluster-head candidates. sion trust about data aggregation operation, excluding the
2) Cluster Joining In this phase, the non-cluster-head untrustworthy nodes. Then they send the aggregated data to
nodes decide which cluster-head to join for this round. The the sink.
decision of the original protocol is based on the received For non-cluster-head nodes, they send data to their
signal strength of the advertisement, which can be illegally cluster-heads during their time slots, with the monitoring
used by attackers[6]. Our cluster-head selection is based on modules turned off, and when not in their time slots, they
the decision trust about cluster-head selection operation on turn on the monitoring modules to observe the neighbors’
the cluster-head candidates. The selection procedure is as behaviors. In order to reduce energy consumption, we turn
follows: on the monitoring module with a monitoring probability,
Firstly, for each cluster-head candidate, we compute the Pm , for each data slot. Notice that the cluster-heads keep
decision trust about cluster-head selection operation by the observing the cluster-members’ behaviors, while holding
formula (5), then we get a trust list of cluster-head candi- the most comprehensive information about clusters, and the
dates. non-cluster-head nodes get SHT from their cluster-heads,
Secondly, the final cluster-head is chosen by the trust so our work control of monitoring module is cluster-head-
list. The simple way is to choose the candidate whose trust assisted, with the monitoring probability determined by de-
is maximal. However, all the cluster-head candidates may cision trust about monitoring operation on the cluster-heads,
be malicious in some cases, so we define a trust threshold, for example, we set the monitoring probability of node i,
Tmin , and only choose the candidate of maximal trust be- Pm (i), as:
yond the threshold. If there are no candidates whose trust
values are beyond the threshold, the nodes reset the cluster- Pm (i) = 1 − Tdecision (i, CH, OM ) (6)
head selection procedure.
Lastly, the non-cluster-head nodes send cluster-join mes- Where Tdecision (i, CH, OM ) is the decision trust about
sages to their chosen cluster-heads. monitoring operation on the node’s cluster-head. If the
3) Confirmation After a cluster-head receives all the cluster-heads have high trust, the cluster-members can turn
cluster-join messages, it begins to create a TDMA sched- off their monitoring modules in most time, as they can
ule. Our scheme adjusts the original time schedule to pro- get trustworthy information about neighbors from cluster-
vide better support for trust evaluation, adding trust slots. heads; if the cluster-heads have low trust, the cluster-
As shown in Figure 2, the whole steady-state time period member need to get precise trust by direct observations with
is divided into some frames, each of which consists of data high monitoring probability, as the SHT from cluster-heads
slots for data sending and a trust slot for trust evaluation, is untrustworthy.
update and exchange, then the trust update period of our 2) Trust slot For cluster-heads, they perform trust evalua-
scheme is frame time. tion and update their NSTTs, then they share their observa-
tions, with broadcasting their situational trust values to their
Steady state phase cluster-members.
For non-cluster-head nodes, they evaluate the new direct
trust by the misbehavior reports from their monitoring mod-
Data slot Trust slot
ules with formula (1), and indirect trust by the SHT received
…
i j k … i j k … from their cluster-heads with formula (2), then update the
NSTT by the new trust calculated by formula (3).
After one frame ends, the next frame begins as the same,
Frame and when the steady-ready state ends, the next round begins
with the advertisement phase.
Figure 2. TDMA Schedule.
4. Simulations
3.3.2. Steady-state Phase In this phase, the non-cluster-
head nodes begin to send data to their cluster-heads in their In this section, we use simulations to study the perfor-
data slots and control monitoring module to observe neigh- mance of our scheme. We have implemented TLEACH and
bors’ behaviors, while the cluster-heads keep their receivers original LEACH in OMNET++[10], a discrete event sim-
on to receive the data, and all nodes perform trust evaluation ulator. The parameter settings are the same as [3] when-
during the trust slots. ever possible. We evaluate TLEACH using the following
205
metrics: trust evolution, the runtime trust value of a node; evolution of our scheme. First we consider the effectiveness
packet deliver ratio, the percentage of sent packets received of different updating factor settings under different attack
by the sink. modes. Figure 3 shows the trust evolution of a malicious
We consider a network where 100 sensor nodes are ran- node, with three updating factor settings:(I)fixed w = 0.8,
domly scattered in a rectangular space of size 1000m by (II) fixed w = 0.05, (III)tunable w, with wo = 0.95, w1 =
1000m. The sensor nodes send the sensory data and state 0.1, and β = 0.05. Figure 3(a) shows the trust evolution
packets reporting their state information to their cluster- under uninterrupted attack. The trust value falls rapidly to
heads in their data slots. The cluster-heads aggregate the range from 0.2 to 0.3 in setting (I) and (III), and then keeps
sensory data, while forwarding state packets to the sink in the range, while taking more time to fall in the range
without aggregation. In our simulation,we assume that the in setting (II). Figure 3(b) shows the trust evolution under
malicious nodes inject 70%-80% bogus data for data situa- probabilistic attack, with probability of 0.6, from which we
tional operation and drop 70%-80% state packets for rout- can see that even for more sophisticated attacks, the trust
ing situational operation. value maintains low below 0.35 in setting (III) , while keep-
ing beyond 0.5 in setting (II) and varying fiercely in set-
4.1. Trust Evolution ting (I). It is shown that the tunable updating factor of our
scheme can detect more sophisticated attacks.
Next we consider the impact of cluster-head-assisted
1
monitoring on trust evolution. For monitoring operation,
0.9
we set θOR = 0.5, association factor of routing situational
trust, θOD = 0.5, association factor of data situational trust.
Fixed w=0.8
Fixed w=0.05
0.8
Tunable w The nodes choose the candidates whose trust are maximal
0.7
Data Situational Trust
0.8
4.2. Packet Deliver Ratio
0.7
Data Situational Trust
0.6
206
1 1
0.9 0.9
0.8 0.8
0.7 0.7
Data Situational Trust
0.3 0.3
0.2 0.2
LEACH
TLEACH−0
0.1 0.1 TLEACH−0.5
0 0
0 1 2 3 4 5 6 0 10 20 30 40 50 60 70 80 90 100
Time x 10
4
Number of Malicious Nodes
Figure 4. Trust Evolution with and without Figure 5. Packet Deliver Ratio versus the
cluster-head-assisted monitoring number of malicious nodes
207