*2.9.17. LARS - Locally aware reputation system*

254 Wireless Sensor Networks – Technology and Protocols

built up adequate state of the nodes.

compromised.

sink.

The main contributions of this paper are the following:

demonstrated the effectiveness of the protocol in each case.

generating that identity.

*networks* 

mandate that a new identity will be accepted only if the owner shows reasonable effort in

In [76], authors propose a protocol called TIBFIT to diagnose and mask arbitrary node failures in an event-driven wireless sensor network. An event driven model of behaviour for sensing finds many applications in civilian, military as well as industrial scenarios. The goal of the proposed TIBFIT protocol involves event detection and location determination in the presence of faulty sensor nodes, coupled with diagnosis and isolation of faulty or malicious nodes. In this system model, sensor nodes are organized into clusters with rotating cluster heads. The nodes, including the cluster head, can fail in an arbitrary manner generating missed event reports, false reports, or wrong location reports. Correct nodes are also allowed to make occasional natural errors. The accuracy of the system is defined in terms of fraction of instances when an event occurrence is correctly detected, and its location determined within the given error bound. The approach followed by the protocol is to maintain state of the sensing nodes in terms of the fidelity of their previous sensing actions, and use this information in making decisions involving those sensing nodes. Sensor nodes report the occurrence and location of events to a data sink (cluster head), and remain silent otherwise. The data sink then decides on whether the event occurred and were based on the aggregated data. To determine the location of the event, the data sink must aggregate all reports from nodes within the detection radius. In this approach, a new parameter called *trust index* for this aggregation is introduced. Each node is assigned a trust index to indicate its track record in reporting past events correctly. The cluster head analyzes the event reports using the trust index and makes event decisions. The *Trust Index(TI)* of a node is a quantitative measure of the fidelity of previous event reports of that node as seen by the data sink. In a system comprised of sensing nodes, the data sink assigns and maintains a TI for each node in its domain, and does voting in a state-full manner. As the system runs over a longer time, more state is built up concerning the performance of the associated sensing nodes, and hence tolerance for faults also goes up accordingly. Authors claim that TIBFIT can tolerate faults in a network with more than 50% of its nodes compromised *after* it has

i. TIBFIT tolerates nodes that fail both naturally and maliciously, and makes decisions on event occurrence as well as location**.** Under several scenarios, accurate event determination and localization can be done even with more than 50% of the network

ii. No nodes are considered immune to failure, whether they are sensing nodes or the data

iii. An adversary model is proposed with increasing levels of sophistication and

*2.9.15. TIBFIT - Trust index based fault tolerance for arbitrary data faults in sensor* 

In [78], the authors propose LARS to mitigate misbehavior and enforce cooperation. Each node only keeps the reputation values of all its one-hop neighbours. The reputation values are updated on the basis of direct observations of the node's neighbours. If the reputation value of a node drops below an untrustworthy threshold, then it is considered misbehaving by the specific evaluator node. In such a case, the evaluator node will notify its neighbours about misbehaviour, by initiating a WARNING message. An uncooperative node is identified in the neighbourhood region, in case a WARNING message issued by a node is co-signed by *m*  different one hop-neighbours, where *m-1* is an upper bound on the number of nodes considered in the one-hop neighbourhood, in order to prevent false accusations and problems caused with inconsistent reputation values. Additionally, a fade factor has been introduced to give less weight to evidence received in the past. The misbehaving node is not excluded from the network for ever. After a time-out period, it is accepted, but with the reputation value unchanged so it would have to built its reputation by good cooperation.

## *2.9.18. TARF - A trust-aware routing framework for wireless sensor networks*

In [79] authors propose a trust aware routing framework for WSNs called TARF to secure multi-hop routing in WSNs against intruders exploiting the replay of routing information. This approach identifies malicious nodes that misuse "stolen" identities to misdirect packets by their low trustworthiness, thus helping nodes circumvent those attackers in their routing paths. It incorporates the trustworthiness of nodes into routing decisions and allows a node to circumvent an adversary misdirecting considerable traffic with a forged identity attained through replaying. It significantly reduces negative impacts from these attackers. TARF is also energy efficient, highly scalable, and well adaptable.

In this approach, to route a data packet to the base station, a node only needs to decide to which neighbouring node it should forward the data packet considering both the trustworthiness and the energy efficiency. It maintains a neighbourhood table with trust level values and energy cost values for certain known neighbours. Two types of routing information that need to be exchanged in addition to data packet transmission are – (i) Broadcast messages from the base station about data delivery and (ii) Energy cost report messages from each node. Neither message needs acknowledgement. A broadcast message from the base station is flooded to the whole network. The other type of exchanged routing information is the energy cost report message from each node, which is broadcast to only its neighbours once. Any node receiving such an energy cost report message will not forward it. Each node has two modules – *Energy Watcher* and *Trust Manager* running on it in order to maintain a neighbourhood table with trust level values and energy cost values for certain known neighbours. *Energy Watcher* is responsible for recording the energy cost for each known neighbour, based on nodes observation of one-hop transmission to reach its neighbours and the energy cost report from those neighbours. A compromised node may falsely report an extremely low energy cost to lure its neighbours into selecting this compromised node as their next-hop node; however, these TARF-enabled neighbours eventually abandon that compromised next hop node based on its low trustworthiness as tracked by *Trust Manager*. *Trust Manager* is responsible for tracking trust level values of neighbours based on network loop discovery and broadcast messages from the base station about data delivery. At the beginning, each neighbour is given a neutral trust level. After any of those events occurs, the relevant neighbours' trust levels are updated. Occurrence of a loop degrades that node's next-hop node's trust level thereby gradually taking the trust level to a low value leading to the breaking of the loop by changing its next-hop selection. On the other hand, to detect the traffic misdirection by nodes exploiting the replay of routing information, *Trust Manager* computes the ratio of the number of successfully delivered packets which are forwarded by this node to the number of those forwarded data packets, denoted as Delivery Ratio. Once a node is able to decide its next hop neighbour according to its neighbourhood table, it sends out its energy report message - it broadcasts to all its neighbours its energy cost to deliver a packet from the node to the base station.

### *2.9.19. SensorTrust - A resilient trust model for wireless sensing systems*

In[80], authors propose a resilient trust model, SensorTrust with a focus on data integrity for hierarchical WSNs. In this model, the aggregator maintains trust estimations for children nodes by integrating their long-term reputation and short-term risk and taking into consideration both communication robustness and data integrity. Long-term reputation, also called conventional reputation, refers to its average performance level in its whole past history, and short-term risk identifies to which degree its future behaviour is associated with its recent performance. Neither long-term reputation nor short-term risk alone could fully reflect current trustworthiness. On the one hand, a single fault could occasionally happen to even a trustworthy sensor node, but that doesn't necessarily mean the node is unreliable. That suggests the one-sidedness of short-term risk. On the other hand, long-term reputation treats the node's behaviour in each transaction equally. But in the real world, a node with good average performance level might begin to behave negatively during recent transactions. That could suggest that the sensor starts to malfunction. Since a node can behave maliciously regarding either wireless communication or data management, trustworthiness is evaluated from two aspects: communication robustness and data integrity. This model employs the Gaussian model to rate data integrity in a fine-grained style, and a flexible update protocol to adapt to different applications. In this model, to accurately identify the current trust level, past history and recent risk are synthesized in a real-time way. This model uses a SensorTrust value, which is a decimal number in [0,1], to represent trustworthiness level. The higher some node's SensorTrust value is, the more trustworthy that node is. Specifically, the SensorTrust value in terms of communication robustness is the estimated probability of a positive communication transaction; the SensorTrust value in terms of data integrity is the estimated probability of integrity of data. At the beginning, the aggregator assigns a SensorTrust value of 0 to its children nodes, since no evidence of trustworthiness is available. Each time a sensor node interacts with its associated aggregator, the aggregator evaluates the node's behavior by giving a rating number in [0,1] for this transaction in terms of communication robustness and data integrity respectively. This rating number reflects the aggregator's opinion of the current transaction: the higher the rating numbering is, the more positive the aggregator views the sensor node to be. The rating number together with its latest SensorTrust value will be used by the aggregator to update the node's SensorTrust value. With acceptable overhead, SensorTrust proves resilient against varied faults and attacks.

256 Wireless Sensor Networks – Technology and Protocols

In this approach, to route a data packet to the base station, a node only needs to decide to which neighbouring node it should forward the data packet considering both the trustworthiness and the energy efficiency. It maintains a neighbourhood table with trust level values and energy cost values for certain known neighbours. Two types of routing information that need to be exchanged in addition to data packet transmission are – (i) Broadcast messages from the base station about data delivery and (ii) Energy cost report messages from each node. Neither message needs acknowledgement. A broadcast message from the base station is flooded to the whole network. The other type of exchanged routing information is the energy cost report message from each node, which is broadcast to only its neighbours once. Any node receiving such an energy cost report message will not forward it. Each node has two modules – *Energy Watcher* and *Trust Manager* running on it in order to maintain a neighbourhood table with trust level values and energy cost values for certain known neighbours. *Energy Watcher* is responsible for recording the energy cost for each known neighbour, based on nodes observation of one-hop transmission to reach its neighbours and the energy cost report from those neighbours. A compromised node may falsely report an extremely low energy cost to lure its neighbours into selecting this compromised node as their next-hop node; however, these TARF-enabled neighbours eventually abandon that compromised next hop node based on its low trustworthiness as tracked by *Trust Manager*. *Trust Manager* is responsible for tracking trust level values of neighbours based on network loop discovery and broadcast messages from the base station about data delivery. At the beginning, each neighbour is given a neutral trust level. After any of those events occurs, the relevant neighbours' trust levels are updated. Occurrence of a loop degrades that node's next-hop node's trust level thereby gradually taking the trust level to a low value leading to the breaking of the loop by changing its next-hop selection. On the other hand, to detect the traffic misdirection by nodes exploiting the replay of routing information, *Trust Manager* computes the ratio of the number of successfully delivered packets which are forwarded by this node to the number of those forwarded data packets, denoted as Delivery Ratio. Once a node is able to decide its next hop neighbour according to its neighbourhood table, it sends out its energy report message - it broadcasts to all its neighbours its energy cost to deliver a packet from the node to the base station.

*2.9.19. SensorTrust - A resilient trust model for wireless sensing systems* 

In[80], authors propose a resilient trust model, SensorTrust with a focus on data integrity for hierarchical WSNs. In this model, the aggregator maintains trust estimations for children nodes by integrating their long-term reputation and short-term risk and taking into consideration both communication robustness and data integrity. Long-term reputation, also called conventional reputation, refers to its average performance level in its whole past history, and short-term risk identifies to which degree its future behaviour is associated with its recent performance. Neither long-term reputation nor short-term risk alone could fully reflect current trustworthiness. On the one hand, a single fault could occasionally happen to even a trustworthy sensor node, but that doesn't necessarily mean the node is unreliable. That suggests the one-sidedness of short-term risk. On the other hand, long-term *Considering the related work reported in the literature, it can be stated that there is a lack of standardization orientations when designing a trust and/or reputation model for distributed systems[46,47,55]. It has been found that approaches/schemes proposed in related research literature are based on quite different assumptions, while the trust/reputation framework considered varies significantly in many aspects. Some of the aspects in which these reported approaches differ can be listed as - Computation of trust/reputation considering only first hand information or both firsthand and second-hand information, Propagation of second-hand information considering only positive, negative or both types of recommendation, Degree of propagation, Adopted model for reputation value computation, Dishonest second-hand information provisioning, Identification of misbehaving nodes, Actions taken, Node re-integration in the system, etc. The proposed reputation systems use several debatable heuristics for the key steps of reputation updates and integration. Some systems maintain a statistical representation of the reputation by borrowing tools from the realms of game theory. These systems try to counter selfish routing misbehaviour of nodes by enforcing nodes to cooperate with each other. More recent reputation systems proposed in the domain of ad-hoc and sensor networks, formulate the problem in the realm of Bayesian analytics rather than game theory. Furthermore, most of the trust research focuses on communication behaviors without clearly indicating data integrity importance. Some reported recent approaches employ communication trust and data trust separately in their suggested trust models considering the fact that one of the main tasks of WSNs is data collection and moreover, different applications have their own specific requirements regarding communication trustworthiness and data trustworthiness.* 
