IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO.

7, JULY 2014 1409

A Novel Approach to Trust Management in

Unattended Wireless Sensor Networks
Yi Ren, Member, IEEE, Vladimir I. Zadorozhny, Senior Member, IEEE,
Vladimir A. Oleshchuk, Senior Member, IEEE, and Frank Y. Li, Senior Member, IEEE

Abstract—Unattended Wireless Sensor Networks (UWSNs) are characterized by long periods of disconnected operation and fixed or
irregular intervals between sink visits. The absence of an online trusted third party implies that existing WSN trust management schemes
are not applicable to UWSNs. In this paper, we propose a trust management scheme for UWSNs to provide efficient and robust trust data
storage and trust generation. For trust data storage, we employ a geographic hash table to identify storage nodes and to significantly
decrease storage cost. We use subjective logic based consensus techniques to mitigate trust fluctuations caused by environmental factors.
We exploit a set of trust similarity functions to detect trust outliers and to sustain trust pollution attacks. We demonstrate, through extensive
analyses and simulations, that the proposed scheme is efficient, robust and scalable.

Index Terms—Unattended wireless sensor network (UWSN), distributed trust management, subjective logic

1 INTRODUCTION
W IRELESS Sensor Networks (WSNs) have been used in
challenging, hostile environments for various applications
such as forest fire detection, battlefield surveillance, habitat
management system is required to handle trust related
information in a secure and reliable way. It should deal with
uncertainty caused by noisy communication channels and
monitoring, traffic management, etc. One common assumption unstable sensor behavior.
in traditional WSNs is that a trusted third party, e.g., a sink, is We propose a trust management scheme for efficient trust
always available to collect sensed data in a near-to-real-time generation as well as scalable and robust trust data storage in
fashion. UWSNs. A central issue for trust management in UWSNs is
Although many WSNs operate in such a mode, there are how to store trust data without relying on a trusted third party.
WSN applications that do not fit into the real time data Initially, we consider two simple trust management schemes as
collection model. Consider an example of a monitoring system a first-step attempt to address the existing trust storage
deployed in a natural park to detect poaching activities. The problems in UWSNs. After analyzing the shortcomings of these
lack of regular access routes and the size of the surveillance simple schemes, we propose an advanced scheme based on a
area would require a mobile sink to collect data periodically [1]. Geographic Hash Table (GHT) [10]. Our advanced scheme
Another example is an underwater mobile sensor network for allows sensor nodes to put and get trust data to and from
submarine tracking and harbor monitoring. The inaccessibility designated storage nodes based on node IDs. Sensor nodes do
of the protected area and other technical problems make it not need to know the IDs of storage nodes. They use a hash
difficult to maintain continuous connections between sink and function to find locations of the storage nodes, which
sensors [2]. Fig. 1 shows an example of Unattended WSNs significantly reduce the storage cost. We also propose a set of
(UWSNs) [1], [3]-[5] with a mobile sink visiting the network at similarity threshold functions to remove outliers from trust
either fixed or irregular intervals to collect data. opinions. This prevents attackers from generating false trust
Trust management becomes very important for detecting opinions and from polluting trustworthiness. Furthermore, we
malicious nodes in unattended hostile environments. provide a detailed analysis of the proposed scheme and
conduct a comprehensive simulation-based study to
demonstrate that our scheme is efficient, robust, and scalable.
The rest of the paper is organized as follows. Related work
• Y. Ren is with the Department of Information and Communication
Technology, University of Ager, Grimstad 4898, Norway, and also with the
is reviewed in Section 2. Section 3 defines the network scenario,
Department of Computer Science, National Chiao Tung University, security model and design goals. Section 4 presents some
Hsinchu, Taiwan. E-mail: [email protected]. background material on trust management in sensor networks
• V. Oleshchuk and F. Li are with the Department of Information and and on subjective logic. Section 5 introduces our solutions for
Communication Technology, University of Ager, Grimstad 4898, Norway. efficient trust data storage. Section 6 reports a simulation-based
E-mail: {vladimir.oleshchuk, frank.li}@uia.no.
• V. Zadorozhny is with the School of Information Sciences, University of study conducted to evaluate the efficiency and the robustness
Pittsburgh, Pittsburgh, PA 15260 USA. E-mail: [email protected]. of the proposed schemes. Section 7 considers advanced
Manuscript received 30 Mar. 2012; revised 23 Dec. 2012; accepted 24 Jan. approaches to reliable trust generation. Section 8 offers
2013. Date of publication 14 Feb. 2013; date of current version 2 July 2014. conclusions.
For information on obtaining reprints of this article, please send e-mail to:
[email protected], and reference the Digital Object Identifier below.
Digital Object Identifier 10.1109/TMC.2013.22

It can also assist in secure routing [6], [7], secure data dis-
tribution [8], and trusted key exchange [9]. An efficient trust
1536-1233 © 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1410 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 7, JULY 2014

exception that proposed a distributed scheme establishing

reputation-based trust among sensor nodes. The authors
anyhow did not consider significant trust attacks (as defined in
Section 3.2) against the generated trust. The work in [10], [25]
addressed data centric storage in WSNs, but trust management
and security attacks are not considered.
To summarize, most schemes, e.g., [14]-[20], proposed for
P2P and ad hoc networks are not suitable for UWSNs for the
following reasons. First, UWSNs are more constrained with
Fig. 1. Example of UWSN. respect to computation, communication and power capabilities
than P2P and ad hoc networks (although today’s wireless
sensors provide more options for storage capacity and
2 RELATED WORK computational capabilities, cheap hardware cost and light
In this section, we review the existing trust management weight security solutions which lead to longer network lifetime
schemes in WSNs, ad hoc and P2P networks. are critical for UWSNs). Those schemes designed for P2P and
ad hoc networks based on public key cryptography are
therefore not suitable for UWSNs. Second, the number of nodes
2.1 Trust Management in WSNs
in ad hoc networks with typical applications like on-campus
Several solutions have been recently proposed for trust
peer-to-peer communication among lap-tops/smart-phones is
management in WSNs. In [11] the authors designed a protocol
usually lower than in UWSNs which are more often targeted at
to diagnose and mask arbitrary node failures in an event-driven
environment monitoring applications. An UWSN is likely to
WSN. In [12], the authors proposed a Bayesian trust
have thousands of sensors. P2P networks may have more nodes
management framework where each node maintains reputation
than UWSNs, but the nodes in P2P networks do not have the
metrics to assess past behavior of other nodes and to predict
same computational and energy constraints as in UWSNs.
their future behavior. The authors in [13] proposed iTrust, an
Finally, sensor nodes provide services throughout their whole
integrated trust framework for WSNs. A trust aware routing
lifetime, until their energy is depleted, while P2P nodes enter
protocol for WSNs was proposed in [7]. The protocol exploits
and exit the networks randomly.
prior routing patterns and link quality to determine efficient
routes. In [6], the authors proposed a trust-based routing 3 NETWORK SCENARIO, SECURITY MODEL AND DESIGN
scheme that selects a forwarding path based on the trust
requirement of a packet and the trust level of neighbor nodes. GOALS
3.1 Network Scenario
2.2 Trust Management in Ad Hoc Networks We consider an UWSN that consists of N sensor nodes, denoted
More trust management studies were conducted in the field of as Sj e S, where S = {Sj}N^. Each sensor Sj is located at point pj
ad hoc networks [14]-[17]. The authors in [14] proposed a and has a transmission range 0. Thus sj at point pj can
reputation system based on Bayesian estimation of misbehavior communicate with Sm at point pm if D(pj, pm) — 0, (j, m e{1,...,N}),
in mobile ad hoc networks. The work in [15] introduced an where D(pj, pm) is the distance between pj and pm . Each sensor Sj
information theoretic framework to measure trust and to model e S has nj neighbors. We say that Sm is one of Sj’s neighbors if
trust evolution. A data-centric framework for trust D(pj, pm) — 0. The yellow (light shadow) points in the circle in
establishment was proposed in [16]. In [17], the authors Fig. 2 form a set of neighbors of Sj, B(Sj) = {S|S e S and D(pj, p)
proposed a distributed trust scheme based on distributed — 0}. We assume that Sj’s neighbors, bi e B(Sj), i e{1,...,nj}, have
public key certificate management for mobile ad hoc networks. their own trust opinions Tij regarding the trustworthiness Yj1 of
Sj, and are referred as trust producers of Sj. The nodes storing
2.3 Trust Management in P2P Networks trust data are truSt managerS TMjr , r e {1,... ,a} of Sj. Here a is the
The authors in [18] proposed a Peer-Trust model based on number of trust managers in the network. Those sensors that
public key infrastructure and trust propagation. PowerTrust would like to know
[19], a robust and scalable P2P reputation scheme, was
1. In the context of this paper, trust opinion T is one sensor’s conclusion
proposed to leverage the power-law feedback factors. In [20],
about the trust level of another sensor; and trustworthiness Y is a combination
the authors developed Credence, a decentralized object of trust opinions over time and across all involved sensors.
reputation and ranking system for P2P networks.
UWSNs are an emerging class of wireless networks [3]. The
authors in [3] also defined a mobile adversary and proposed a
set of schemes to neutralize attacks focusing on erasing data.
Techniques providing forward secrecy and backward secrecy of
data stored in sensors are explored in [8], [21], [22]. To the best
of our knowledge, our earlier work [23] is the first study which
proposed trust data storage and trustworthiness calculation to
facilitate trust management in UWSNs. In this paper, we
further proposed a set of schemes to mitigate trust pollution
attacks based on subjective logic and various trust similarity Fig. 2. Example of network topology.
measures.
Most of the trust management solutions developed for
traditional WSNs, however, rely on the presence of an online
trusted third party, e.g., to store and distribute trust data [6],
[7], [11]-[13]. They cannot be applied directly to UWSNs due to Fig. 3. Relationship between trust producer, trust manager and trust
the absence of the sink (or the base station). [24] is one consumer.
REN ET AL.: NOVEL APPROACH TO TRUST MANAGEMENT 1411

about other sensors’ trustworthiness are referred as trust unattended physical area with a high density of sensor nodes.
consumers. The relationship between trust producer, trust 4) Efficiency. The designed trust management scheme
manager and trust consumer is illustrated in Fig. 3. should be efficient in terms of both communication cost and
We assume further that time is split into equal time intervals storage cost.
and that sensors maintain loosely synchronized clocks. At time 5) ConSiStency. Trust opinions generated by trust producers
interval t, sj’s neighbor bi generates a trust opinion Tij,t and trust queries sent from trust consumers should be routed
regarding sj . Note that trust consumers can be anywhere in the correctly to trust managers where the trust data are stored.
network but trust producers are only within the transmission
range of the corresponding sensor. Furthermore, there is a 3.4 Performance Metrics
mobile sink visiting the network at either fixed or irregular time The following metrics are defined to evaluate the performance
intervals to collect data from sensors. of our scheme.
• Pr[Survival] t is defined as the probability that at least one
j

trust manager of Sj survives during time interval t.

3.2 Security Model • Communication CoSt (denoted as C): The communication
The UWSNs can be attacked in many ways. In this study, we cost consists of two parts: the cost of sending trust
focus on an adversary ADV launching attacks against trust opinions to trust managers; and the cost of querying and
data2. We divide the attacks into two categories: trust eraser and retrieving trustworthiness stored in trust managers. Cj is
trust pollution attacks. defined as a communication cost of Sj . Since trust value
The effect of the trust eraser attack (denoted as ADV _Del) is queries and answers are short messages, we assume that
that the trust data stored in sensors are lost and cannot be sending and receiving a trust value message across each
retrieved by trust consumers. For instance, ADV could try to hop have the same cost, and that an approximate
compromise sensors and to erase the trust data stored in them. communication cost is O(N) for message broadcast and
Moreover, when sensors are nonfunctional (e.g., due to energy O(VN) for point-to-point routing.
depletion, natural disasters, etc.) their stored trust data are lost • Storage CoSt (denoted as S): Sj is the storage cost of
and are considered as non-recoverable in this study. storing the trust opinions and trustworthiness of Sj.
In case of trust pollution attack, ADV does not delete the
trust data but rather pollute them. We consider the following
pollution strategies: 4 PRELIMINARIES
• Environmental effect (ADV _Noise). Since sensors’ trust 4.1 Information Collection on Sensor Behavior
opinions are generated based on sensors’ previous The information on a sensor ’s prior behavior is one of the most
important aspects of trust management solutions [26]. This
behavior, they may generate some noise due to
information varies from application to application. For
environmental effects.
• Homogeneous attack (AD V _Homo). Given a sensor Sj,
ADV tries to increase Sj trustworthiness Yj mono-
tonically or, it tries to decrease Yj monotonically. To do
so, at each time interval ADV can compromise a subset
of sensors to generate false trust opinions.

• Hybrid attack, denoted as ADV _Hbd. This attack is more

severe since ADV aims to manipulate the trust-
worthiness, i.e., it is able to increase or decrease
trustworthiness in any way.
For clarity, we assume that the number k of compromised
sensors in each time interval is fixed. We refer to this number as
the compromiSing capability. The compromised sensor can occur
anywhere in the network.

3.3 Design Goals

Our trust management scheme is designed with the following
goals in mind:
1) RobuStneSS. The scheme remains functional even after
certain amount of sensor nodes lose battery power or are
physically damaged. Moreover, the trust data stored in the
system should remain available to queries even if some sensor
nodes fail due to the ADV _Del attack.
2) ReSilience. The generated trustworthiness Y should be as
close as possible to its real value even though ADV tries to inject
false trust opinions in order to pollute it. In other words, the
system should be resilient to ADV _NoiSe, ADV _Homo and ADV
_Hbd.
3) Scalability. The scheme should work for a very large

2 In this paper trust data means trust related data, such as opin ions, trust measurement, etc., which are used by trust management scheme to make trust
aware decisions.
 1412 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 7, JULY 2014

example, it can be a watchdog A trust level can be naturally defined using the SL opinions,
mechanism that monitors the e.g., T1 = {0.0, 0.93, 0.07} for low trust value and T2 = {0.88, 0.0,
0.12} for higher one.
behavior of neighboring nodes. The
Definition 2. Let SX, SY and SZ be three SenSorS. Then T YX = {BYX ,
work in [12] uses the Bayesian DYX, UYX} and TZX = {BZX, DZX, UZX} denote the opinionS of
approach for assessing node SY and SZ about the truStworthineSS of SX. Their com- bind (3)
reputation and trust evolution. consensus opinion is defined as TY Z = Ty ® TX = {BYX Z , DYX Z ,
Node capture attacks [27], where UYX Z} where BYX Z = (BYXUZX + BZX UYX)/(UYX + UX , UXU, X) D,X
nodes are removed from the network (DXUX, +DXUX)(UX+UX UXUX)
for an indefinite amount of time, UZ -UY UZ ), DY,Z = (DY UZ + DZ UY)/(UY + UZ -UY UZ ) and
UYX,Z = (UYXU, ZX)/(UYX + UZX - UYXUZX).
can be detected by their neighbors.
One-shot probing is proposed in The trust value expressed as subjective opinions instead of
one simple trust level provides a more flexible trust model of
[28] to identify misbehaving nodes. the real world. Therefore, according to Def. 2, the nj consensus
The authors in [29] consider the of trust opinions generated by sensors {bi}i=1 in time interval t
about sensor sj is
trust inference problem as a
shortest path calculation in a T
I t e...e j e...e j = Ti-,i, ,n . (1)
weighted directed graph. They
utilize the theory of semirings for Definition 3. Let sX and sY be two sensors. Then {TYX-t1 -...-TYX-tn}
trust evaluation. denotes the opinion of sY about the trustworthiness of sX for time
In this study, we assume that sensor nodes may use the intervals {t1 -...tn} respectively, where TYX-tn = {BYX-tn - DYX-tn - UYX-tn
analyses and scoring sensor trust approaches (e.g., [12], [27]- }. Then sY’s opinion about the trustworthiness of sx on 11 U • • • U
[29]) to generate trust opinions. That is, in a time interval t, sj’s tn is defined as
neighbors, {bi}in=j 1, can generate trust opinions Tj’t (i e {1, ..., nj})
regarding Sj, by monitoring Sj's prior behavior. TX,t 1u-utn = {BX,I 1u-utn DX,I 1u-utn uX,t 1u-utn} (2)

4.2 Subjective Logic ( )

where B^t 1
tn = 1 (DX 1 + ••• +
• tn = n BX- 1 + ••• + B^tn , D^t
Monitoring sensor behavior in UWSNs based on previous
communication patterns involves considerable uncertainty. DX’tn), Uy’t tn = n(Uy' 1 +••• + Uytn)•
Communication channels between sensors are unstable and
According to Def. 2 and Def. 3, we define trustworthiness Yj
noisy. To deal with this uncertainty, we adopt a Subjective in terms of sensor consensus to combine trust nj
Logic (SL) framework [30], and use SL opinionS to assess opinions generated by sensors {sj-i}i=1 in time interval {t}ttn=t1 as
trustworthiness. SL has two advantages: 1) it is lightweight;
Yj____Tj,t। "' tn
and 2) it takes both uncertainty and belief ownership into = J1, ••• ,i, ••• ,nj
account. The definition of SL opinion is as follows.
Definition 1. An opinion iS a triplet, T ={B, D, U}, where B,D, U e The Y can be calculated with respect to sensor consensus or
j

[0, 1] and B+D+ U = 1, and that B, D, and U correSpond to belief, time asj, follows: 1) with respect to sensor consensus: Yj _
T t 1uyutn _ Tj’t 1 ' tn ^ • • • ^ Tj,ti ' tn ^ • • • ^
diSbelief and uncertainty reSpectively.
,n
1, ••• ,i ••• j 1 i
; and u2)u with urespect
Tn. 1u utn to time: Yj _ Tj, 1u^ utn _u nu! 1, ••• ,i, ••• ,nj
{Bt 1u7u tn D,t 1 7 tn Uji 1 ?u tn where j 1 y tn _
1,••• ,i,••• ,nj’ 1,••• ,i,••• ,nj’ 1,••• ,i,••• ,nj1,••• ,i,••• ,nj
1 (B,t 1 +_ B,tn ), D,t 1 u?utn _ 1 (D,t 1 +
n\ 1, ••• ,i, ••• ,nj 1, ••• ,i, ••• ,nfi’ 1, ••• ,i, ••• ,nj n\ 1, ••• ,i, ••• ,nj

••• + D.: . tn
), and U^ 1 V tn _ (U’
u u 1 1
1. +••• +
1, ••• ,i, ••• -nj ’ 1, ••• ,i, ••• ,nj n\ 1, ••• ,i, ••• ,nj
U^t-n )
^1, ••• ^i, ••• ,nj'' (0.99x0.88+0.8), 1 (0.99x0.03+0.38), 1-2 (0.99*0.88+ 0.8) - 2 (0.99
Remark. According to Def. 3, each trust opinion has the same x 0.03 + 0.38)} _ {0.8712, 0.0297, 0.0991}.
impact over time. Meanwhile, it is more realistic to design However, we will consider this extension in our future
the scheme to be time-aware such that the newer trust work. The reasons are because that specifying a suitable value
opinions have higher impact on the trustworthiness, while of f is not a trivial task and it needs to be further investigated.
prior trust opinions should be also taken into account. A For example, given f _ 0.99 or f _ 0.88, it is not clear which one is
straightforward solution is to use a time factor (e.g., f e [0- more reasonable and how f varies over time. Due to page limit,
we are not able to include any results on time-aware solutions
1]) adding time impact into prior trust opinions, where
in this paper. Indeed, this aspect is the focus in our more recent
greater f indicates newer opinion. More specifically, the work on subjective logic based machine learning (Bayesian
time-aware trust opinion can be computed as Tj’t 1u^utn _ {B’ network) techniques for time-aware trustworthiness estab-
1u^utn, D’ 1u^utn, U^ 1u^utn}, where Bi 1u^utn _ 1 (f -1 Bi, 1 + ••• j-1 + B^t1), D’ 1
- n
lishment. We refer interested readers to [30] for more details on
^ t _ (f -1 D, 1 + ...fj-1 + D ), and Ui 1 ^ t _ 1 - Bj 1u^utn - Di’ 1u^utn. For
n 1 n tn - u u n -
subjective logic and to [31]—[33] for examples of the
example, given Ti _ {0.88- 0.3- 0.09}, Ti _ {0.8- 0.38- 0.09},
j-t-1 j- t application of subjective logic in WSNs and social networks.
and f _ 0.99, Tij-t-1ut can be computed as Tij-t-1ut _ {1
REN ET AL.: NOVEL APPROACH TO TRUST MANAGEMENT 1413

5 EFFICIENT AND ROBUST STORAGE OF TRUST DATA 5.1.1 Communication Cost

Queries ASK(T*j ) are broadcast to all nodes at the cost of O(N).
In traditional WSNs, a trusted third party, e.g., base station, is
Responses ANS(T*j ) are sent back to the trust consumer at the
used to keep and calculate received trust opinions. The queries
of sensors’ trustworthiness are also sent to and answered by the cost of O(VN) each. For t time intervals, the cost becomes Cj =
base station. However, since UWSNs do not have a base station, O(tN) + O(tnjVN) = O(t(N + njVN)), where N is the number of
trust opinions of sensors need to be stored in sensors instead. sensors in the network.
Therefore, once sensor bi generates an opinion Tij,t at time
interval t, it either stores Tij,t locally or sends Tij,t to other nodes. 5.1.2 Storage Cost
Next we consider three trust data storage schemes without For a sensor sj, each neighbor in its transmission range gen-
involving the base station. First, we introduce two basic erates one trust opinion per time interval. As the generated
schemes and discuss their shortcomings. Then we propose an trust opinions are combined over time, the storage cost for each
advanced scheme to improve the basic schemes. neighbor is very low (i.e., O(1)). There are nj neighbors that
need to store the trust opinions regarding sj at the cost of O(nj).
5.1 Basic Scheme I (SI) - Trust Data Local Storage That is, Sj = O(nj).
The main idea of the SI is to keep generated trust opinions Discussion. According to Proposition 4, ADV _Del can
nj
locally, i.e., bi generates Ti and then stores Ti in its own compromise all the trust managers in a short time (> -£■). After
j,t j,t

memory. In other words, bi is not only one of sj’s trust that, both pre-compromised and post-compromised trust data
producers but also one of sj ’s trust managers.
can be deleted by ADV _Del. Therefore, we need to hide trust
The SI includes local storage of trust opinion, and trust
managers from ADV_Del. Next we propose Basic Scheme II that
opinion querying and calculation:
supports distributed trust data storage.
(1) Local storage of trust opinion. At every time interval, each
sensor generates trust opinions about its neighbor nodes,
5.2 Basic Scheme II (SII) - Distributed Trust Data
combines it with previous trust opinions according to Eq. (2)
Storage
and stores it locally. Note that the generated trust opinions are In order to address the shortcomings of the SI, we should
combined as a combined trust opinion resulting in very low ensure that: (1) a sensor sj’s trust producer and trust manager
storage cost. For instance, bi generates Tij,t1 , jt jt are not the same node; (2) ADV cannot easily find trust manager
Ti 2 and Ti 3 at t1, t2 and t3, respectively, and stores the combined nodes; and (3) the scheme is resilient against node failures.
trust opinion in its memory as Tj = Tj’t0Ut 1Ut2Ut3. A straightforward solution would be to specify for each
(2) Trust opinion querying and calculation. Consider the node a designated trust manager node that stores its trust data.
The trust manager should not be one of the node’s direct
example in Fig. 2. Assume that sensor sa wants to estimate the
neighbors. The components of the SII scheme are defined as
trustworthiness Yj of another sensor, sj. It broadcasts a trust
follows:
opinion request, ASK(T*), to ask sensors to collect opinions of (1) System initialization. To provide trust data redundancy,
other sensors about Sj. Here, we assume a suitable broadcast at the beginning, each sensor sj is associated with a randomly
authentication protocol, e.g., multilevel pTESLA [34], for secure selected trust managers {TMr}0=1. The IDs of those trust
and reliable transmission of such broadcast values. If there is no managers, {TMr}0=1, are stored in the trust producers before
direct relationship between two sensors (e.g., Sh and Sj), they deployment since the trust producers need to send the
have highest uncertain opinion score about each other’s generated trust opinions to those trust managers, {TMj }r =1. In
r a

trustworthiness, i.e., Th = Tj ={0, 0, 1}. Upon receiving ASK(T ),

j h j addition, trust consumers store { sj, { TM j
r a
} r =1 } in their local

each sensor sends feedback messages, ANS(T*), to sa if they memory so that trust consumers are able to retrieve sj’s trust
data from {TMjr}ra=1.
have a direct relationship with Sj. Otherwise they just drop
(2) Trust opinion distributed storage. After generating trust
ASK(Tj). Next, sa combines received sensors’ opinions using a
opinions about sj, the trust producers of sj send them to
consensus operator (Eq. (1)) to compute sj’s trustworthiness Yj,
{TMjr}ra=1. Note that, in every time interval, TMjr receives j,t nj
and stores the results.
nj trust opinions {Ti }i=1 from bi e B(sj) (i e [1, nj]). After receiving
Proposition 4. In the Basic Scheme I, the probability that at least one {T j,t} n j , TM r first removes outlier trust opinions as noise (we
i i = 1 j
trust manager node remains uncompromised within t time
will further discuss this in Section 7). Then it combines the
intervals is
trustworthiness of previous time intervals with the received
Pr[survival]t = 1, k * t < nj (4) trust opinions according to Def. 3 and j j j, 1 ^•••U t
Pr[survival]t = 0, k * t > nj , j, 1 ^•••U t — 1 j,t
Def. 2 as follows: Yr = Yr = Yr U Yr =
where nj is the number of neighbor nodes and k is the Yr1U Ut 1U(T1’t®---®Tnt), where Yr’t is the trustworthiness of sj
compromising capability of ADV as defined in Section 3.2. stored in TMjr during the time interval t.
Proof. In SI, each sensor sj has nj trust managers and nj trust (3) Trustworthiness query and calculation. Trust consumers
producers in its transmission range. It is easy for ADV to send ASK(Tj*) to {TMjr}ra=1 to retrieve trustworthiness {Yrj}ra=1 from
find the trust managers in the transmission range of sj. sj’s trust manager nodes. Upon receiving a trustworthiness,
Within each time interval ADV compromises k sensors (trust trust consumers remove outliers using the similarity threshold
managers) in sj’s transmission range. By the end of t-th time functions defined in Section 7
interval, k * t sensors (trust managers) are compromised.
Therefore, k * t > nj implies that all the trust managers are
compromised, i.e., Pr[survival]jt = 0; otherwise Pr[survival]t =
1. □
1414 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 7, JULY 2014

and compute the expected value

(4) managers improves Pr[survival]t as well as trust data
redundancy. However, as discussed above, the storage cost of
of the rest of Yj as Sj’s SII is proportional to a(N + nj), causing huge storage costs
trustworthiness. especially in large-scale UWSNs (see Fig. 8(a) and (b)). This
limitation motivates us to design a more scalable scheme that
Proposition 5. In the BaSic Scheme II, the probability that at leaSt can reduce storage cost caused by distributed storage while
one truSt manager node iS not keeping the same Pr[survival]t as in SII.
compromiSed within t time intervalS iS k
N — (t — 1 . (5)
Pr[survival] t = 1 — M — ri (1 — )k 5.3 Advanced Scheme (AS)
t=1 Our Advanced Scheme (AS) utilizes a hash-table-like interface
of GHT [10] where nodes can put and get data based on their
Proof. Let Er, = 1 denote the event of r-th trust manager data type, i.e., Put(DataType, DataValue) and Get(DataType).
compromised by ADV_Del at time interval t', and Er, = 0 Since a sensor ID is unique in the network, trust producers are
denote the event of r-th trust manager survival within the able to put trust opinions to trust managers based on the ID, i.e.,
time interval t'. The probability of no trust manager nodes Put(sj, Tij,t). Trust consumers are able to get trustworthiness
surviving up to t is from trust managers using the same sensor ID, i.e., Get(sj). In
Pr [ E1 = 1 n • • • n Er = 1 n • • • n E ? = 1]
1 other words, trust opinions are pushed by, and stored at the
same trust manager node. Meanwhile it enables trust
=Pr [E1 = 1] * • • • * Pr [Er = 1] * • • • * Pr [E ? = 1]
1
consumers to pull trustworthiness from the trust manager
=Pr [ Er = 1]a. nodes consistently. Neither trust producers nor trust consumers
Thus the probability of at least one trust manager node need to store the IDs of trust manager nodes, reducing storage
surviving up to t is Pr[survival] t = 1 — Pr[Er = 1]a. cost significantly. Furthermore, the scheme should not be
The probability that r-th trust manager survives up to t is sensitive to node failures. That is, the scheme should be
resilient to ADV _Del. Thus, trust opinions are pushed to a (a>1)
Pr [ Er = 0] = (1 — N) (1 — N^k) (1 — N—2k) ■
trust manager nodes, whereas trust consumers pull
trustworthiness from a trust managers. To do so, we modify the
N— (t— 1)k
original basic operations of GHT from
t
Put(DataType, DataValue) t Put(Sj, Tj,tl, r) ^ [1 ] Get(DataType)
,.
t=1 Get(sj , r)
Thus, we have
Put(sj, Tij,t,a) is the function in which trust producer bi is able
Pr [ survival ] t = 1 — Pr [ Er = 1]a = 1 — (1 — Pr [ Er = 0] )a to put its trust opinion Tij,t regarding sj to the r-th trust manager
5.2.1 Communication Cost node of sj, where a is the number of trust manager nodes
specified by the mobile sink when the network is deployed.
Once a trust opinion is generated, it is sent to and stored at the
Using the Get(sj , r) function, trust consumers are able to get sj’s
(1—ri (1—N—(— 1 )k trustworthiness Yj from the r-th trust manager node of sj. That
=1—
is, each node has a trust manager nodes to store its trust
opinions from its neighbors for data redundancy. Trust
opinions regarding a sensor sj are hashed by the sensor ID sj to
corresponding trust managers. The communication cost to store a geographical location. The node closest to the hashed
the trust opinion is O(\/N). Since nj trust producers need to geographical location is referred to as the trust manager node
send trust opinions to a trust managers at each round, the total where data is sent to and retrieved from. Fig. 5 shows an
cost is O(tnjaVN). Queries are sent to the designated node (trust example of a sensor ID sj hashed to a = 3 random geographical
manager), which also returns a response, causing a locations in the sensor network by using a secure hash function
communication cost of O(VN). That is, Cj = O(tnja VN) + O( 2 ta Ljr = hr(sj) = h(hr—1 (sj))3 (Vr e {1,..., a}); trust producers (e.g., b and
VN) = O(tnja VN). bm) and trust consumers (e.g., sa) can send trust opinions and
trust query requests to Ljr using Greedy Perimeter Stateless
5.2.2 Storage Cost Routing (GPSR) [35]. The closest node to the location Ljr,
For a sensor sj, all its trust producers (its neighbors) have to namely
know that a designated sensor TMj is a corresponding trust
manager node, i.e., for all sensors bi e B(Sj) (i e [1, nj]), they have 3. Note that Ljr is not the location of sj but the location closest to the r-th
to store the ID of TMj at the cost of O(anj). In addition, any node trust manager node of sj .
in the network could be sj ’s trust consumer, consequently
every node has to know which node is sj’s trust manager. That
is, every node in the network has to store the ID of sj and the ID
of its corresponding trust manager TMj, which causes O(N) of
storage cost. Thus, Sj = O(a(N+ nj)).
Discussion. Once attacked by an ADV _Del, the trust data
stored in sensors are deleted rather than polluted, so that a
survived trust manager is able to report trust data. In order to
compare SII with SI, we obtain numerical results of Eq. (4) and
Eq. (5) using MATLAB, as illustrated in Fig. 4. We observe that
SII is more robust than SI for all values of N, k, t and a, upon
attacking by ADV _Del. Increasing the number of trust
REN ET AL.: NOVEL APPROACH TO TRUST MANAGEMENT 1415

Fig. 4. Comparison of SI, SII and AS using Eq. (4) and Eq. (5) with default setting: N = 10000, k = 5 and t = 150. (a) Pr [survival]t vs. N. (b) Pr
[survival]t vs. k. (c) Pr[survival]t vs. t.

trust manager (see {TMjr}r3=1 in Fig. 5), can receive the trust Proof. The same as for Proposition 5. The numerical results are
opinions and trust query requests. The AS includes the shown in Fig. 4. □
following phases:
(1) System initialization. Each node is preloaded with a
secure hash function, denoted as h(•), and the redundancy 6 EFFICIENCY AND ROBUSTNESS k
factor a specified by the mobile sink depending on application EVALUATION N — (t — 1
scenarios. All nodes know their own locations, and the )k
In this section we conduct a set of
locations of the nodes which are one hop away. simulations in MATLAB to show that AS has the strongest
(2) Trust opinion storage based on GHT. During the time performance among these three schemes in terms of both
interval t, and after Tij,t is generated, bi uses the function Put(sj, efficiency and robustness. We consider an UWSN where 10000
Tij,t, r) to put Tij,t to a trust managers. In other words, bi performs nodes are randomly distributed in a 3000 x3000 units area. The
other parameters are set as follows. Each sensor has
hr(sj) to obtain Lj1 ,...,Lja, and then sends Tij,t to locations Lj1 ,...,Lja
transmission range 0 = 150 units. ADV _Del has compromising
using GPSR, respectively. The closest node to location Ljr, capability k = 25. The number of trust managers nodes a = 3.
denoted as TMjr, finally receives the trust opinion Tij,t and is The simulation results are averaged over 20 randomly
called the r-th trust manager node of sj. deployed networks and are explained below.
Fig. 6(a)-(c) show the performance of t in terms of how
(3) Trust opinion querying and calculation. A trust consumer
many intervals the network can survive, given different a, k and
node, e.g., sh, wants to know the trustworthiness of sj. It uses 0. It demonstrates that SII and AS have better performance than
the function Get(sj, r) Vr e [1, a] to get trustworthiness {Yr}a=1 SI does with respect to t for all values of a, k and 0. We observe
from Sjzs a trust manager nodes. Similar as the put process, Sh in Fig. 6(a) that increasing a improves the performance of t.
performs hr (sj) to obtain Lj, • • • , La, and sends ASK(Tj) to Meanwhile, increasing k decreases the performance of t. Fig.
6(c) shows that 0 has no impact on SII and AS in terms of t but
locations Lj, ••• , La using GPSR. The closest nodes to Lj, ••• , L®,
slightly increases the performance of t in SI.
i.e., trust manager nodes {TMr} £=1, finally receive ASK(Tj) and Fig. 7(a)-(c) display the performance in terms of com-
then send {Yr)a=j to Sh. munication cost C for different a, k and 0 . Distributed trust

Fig. 6. Simulation results: a/k /0 vs. t.

trust query and pull path ■■■> trust push path o sensor node
Fig. 5. Simple example of GHT techniques on UWSNs with a = 3.
Proposition 6. The BaSic Scheme II and the Advanced Scheme have
the Same Pr[Survival]t. That iS

Pr[survival] t = 1 — M — ^ (1 — Fig. 7. Simulation results: t/a/0 vs. C.

t=1
1416 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 7, JULY 2014

location, or role of the nodes. For example, a node, sj, buried

under the ground has higher {Tij,0}in=j 1 than the exposed ones.
After the trust opinions are generated, a trust producer bi is able
to update Tij using a conjunction operation (Eq. (2)), and trust
consumers can calculate the trustworthiness Yj using consensus
operation (Eq. (1)).
In the following, we conduct a simulation-based study of
the trust resilience of the proposed schemes against pollution
attacks. We assume that uncompromised sensor nodes generate
correct trust opinions cTj = {cBj , cDj , cUj }, while compromised
sensors generate false trust opinions fTj = {fBj , fDj , fUj }, where
Fig. 8. Simulation results: a/0 vs. S. cB and fB denote correct belief and false belief. Similarly, cD, cU,
fD, and fU denote correct disbelief, correct uncertainty, false
data storage is resilient to ADV _Del and provides higher t. disbelief, and false uncertainty, respectively. We adopt normal
However, it causes higher communication costs. As shown in distribution to generate trust opinions, i.e., B ~ N(E(B), a2),
Fig. 7(b) and (c), the communication cost is acceptable if a < 3 where E(B) is the expected value of B and a is the standard
and 0 < 120. deviation of B. In order to compare the impact of false trust
As our simulation results in Fig. 8(a) and (b) indicate, SII has opinions fT, in the simulations, fT values are generated after the
higher storage costs than SI and AS do in terms of a and 0. 20th time interval so that we can observe whether there are any
Meanwhile, 0 has no impact on SII in terms of S but slightly differences before and after the 20th time interval on the
increases S of SI and AS. a does not have any influence on SI trustworthiness of a node. ___________________
and AS with respect to S but significantly increases S for SII. We will use d(Bi, E(Bjm)) = ((Bj — E(Bjm))2 to denote the
Discussions. Euclidean distance between Bij and its expected value E(Bjm)
(1) Robustness. Trust opinions {Tij,t}i=j 1 generated for each where j e {1,..., N} and i, m e {1,..., nj}.
time interval are routed to and stored in a trust managers.
Therefore, the trustworthiness can be retrieved even if up to a -
1 trust managers are lost. That is, the SII and AS are resilient to 7.1 Trust Consensus only Approach (TC-ONLY)
ADV_Del, as shown in Fig. 6(a)-(c). In addition, those figures In this subsection, we consider the TC-ONLY approach, which
also show that SII and AS have the same probability of at least we used in Section 5, as our baseline. This approach generates
one trust manager survival, which is coincident with the trustworthiness based on trust consensus only as in Eq.
analysis of Proposition 6. (2)andEq.(3). Through simulation results, we first demonstrate
(2) Efficiency. SII and AS have the same communication that it is resilient to ADV_Noise, and then reveal its
cost. In addition, AS has a much lower storage cost compared shortcomings with respect to ADV _Homo and ADV_Hbd.
with SII. Unlike in SII, trust producers do not need to store the
IDs of the trust managers of a sensor sj due to the nature of put
and get function of GHT. For a trust managers, the total storage 7.1.1 Trust Resilience against ADV _Noise
cost is O(a(N + nj)) for SII and O(a) for AS. Thus, AS is more To evaluate the performance of the proposed scheme with
efficient than SII. respect to environmental effect (ADV _Noise), i.e., d(ai, E(ajm)) ^ 0
(3) Scalability. As discussed above, the storage cost of AS (a e {B, D, U}), we set the correct trust
does not depend on the number of sensors, N. Increasing N
does not increase storage costs in AS. Moreover, Section 5.2.1
demonstrates that the communication cost of AS is proportional
to NN. For example, when the number of sensors N increases 10
times from 1000 to 10000, we observe only a 3 times increase in
communication costs.
(4) Consistency. For a given sensor, sj, all generated trust
opinions {Tij,t}in=j 1 are routed to {Ljr}ra=1, respectively. The j,t nj
nodes closest to {Ljrr}ra=1 receive {Ti }i=1 and store them in their local
memory, where Lj = hr(sj). Since sensor ID is unique in the
network for a given sensor sj , the generated hash values {Ljr}ra=1
are also unique in the network due to the one-way property of
the hash function. As a consequence, all the trust producers and
trust consumers are able to find the correct trust managers to
store and query trust data.

7 TRUSTWORTHINESS GENERATION
Through the simulations and discussions in the previous
section, we have demonstrated that AS significantly reduces
storage cost caused by distributed data storage and provides
resilience to ADV _Del. In this section, we continue to
investigate the performance of the proposed schemes against
trustworthiness pollution attacks (i.e., ADV _Noise, ADV _Homo
and ADV _Hbd) defined in Section 3.2.
Initially, for each sensor sj, trust opinion Tij,0 could be set by
a mobile sink based on such information as physical protection,
REN ET AL.: NOVEL APPROACH TO TRUST MANAGEMENT 1417

Fig. 9. Consensus is enough, cT = {0.3, 0.3, 0.4}, ac = 0.01, fT = {0.3, 0.3, 0.4}, af = 0.1.

Fig. 10. Example of when ADV tries to increase Tj, cT = {0.1,0.3, 0.6}, fT = {0.4, 0.1,0.5}, ac = af = 0.01.

opinions as cT = {0.3, 0.3, 0.4}3 and ac = 0.01, where cB, cD ~ decrease T in the second simulation.
N(0.3, 0.001), and cU = 1 - cB - cD. In order to monitor Simulation one. In order to increase T, ADV _Homo increases
environmental effect, we set a certain percentage PrC of sensors B and decreases D simultaneously. That is, generate fT that
to generate trust opinions with larger af = 0.1. satisfies E(cB) < E(fB) and E(cD) > E(fD). We select a special case
Fig. 9 shows the simulation results of SI, SII and AS when when cT = {0.1, 0.3, 0.6}, fT = {0.4, 0.1, 0.5} and ac = af = 0.01. The
different values of PrC (from 10% to 40%) are specified. These simulation results are shown in Fig. 10. The same as in the other
figures display three elements B, D and U in white, green (light figures, the results for SI are plotted in the first row, while the
shadow), and red (black) respectively. The first row of Fig. 9 is SII and AS results are shown in the second row. It is interesting
the simulation results of SI. As one can observe that, after the to see that the results of SI experience sharp steps and jitters
20th time interval, the obtained trustworthiness T starts to after the 20th time interval. Those sharp steps and jitters
become unstable. In addition, increasing the percentage PrC of indicate that SI is not resilient to ADV _Homo attacks. In con-
anomalous sensors makes T more unstable. The second row of trast, the results of SII and AS are smoother compared with that
Fig. 9 shows the results for the SII and AS schemes. It is of SI. The smoother result means that trust consensus does
interesting to emphasize that T is very smooth for all values of effectively mitigate the effect of AD V _Homo. In addition, when
PrC. The anomalous trust opinions have almost no influence on PrC increases, T starts to increase. The reason is that more
T. We observe a slight increase T when PrC = 40% in Fig. 9(h). sensors generate false trust opinions, increasing the impact of
This is because that the consensus operation reduces trust false trust opinion fT on trustworthiness T.
uncertainty. Comparing the first row of Fig. 9 and the second Simulation two. To decrease T as much as possible, ADV
row of Fig. 9, it is easy to see that SII and AS are more resilient _Homo decreases B and increases D simultaneously.
against ADV _Noise than SI is. Therefore, trust consensus
improves resilience against ADV_Noise, i.e., d^j, E(ajm)) ^ 0 (a e
{B, D, U}).

7.1.2 Trust Resilience against ADV _Homo

Since ADV _Homo tries to either increase T or decrease T
monotonously, we conduct two simulations. In the first
simulation, ADV _Homo is assumed to generate false trust
opinions fT to increase T. In contrast, ADV _Homo is set to

3 Our simulations are conducted using random trust values and distribution paremeters. To exhibit the impact of ADV’s attacks as clear as possible, we
select suitable values (e.g., cT={0.3,0.3,0.4}, ac = 0.01, etc.) to plot simulation results (figures). The same simulation parameter configuration applies to the rest
of the paper.
1418 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 7, JULY 2014

Fig. 11. Example of when ADV tries to decrease Tj, cT = {0.4, 0.1,0.5}, fT = {0.1,0.3, 0.6}, ac = af = 0.01.

That is, E(cB) > E(fB) and E(cD) < E(fD). We set cT = {0.4, 0.1, negatives. However, since the threshold function is based on
0.5}, fT = {0.1, 0.3, 0.6}, ac = af = 0.01 in the simulation. We how far Bij is from its expected value E(Bjm), and E(Bjm) is the
observe, in Fig. 11, that trust consensus does not mitigate ADV average value of both cB and fB, the selection of e may be
_Homo. After the 20th time interval, T starts to decrease sharply.problematic.
Similar to simulation one, increasing PrC has heavier influence As shown in Fig. 12, decreasing e increases true positives.
on T, and SII and AS have better performance than SI does. However, it also increases false positives. Fig. 12(a) shows that
Through the simulation results shown above, we conclude a major part of fB and a small part of cB are considered to be
that TC-ONLY is not resilient against ADV _Homo attack. outliers. A small part of false trust opinions are considered to
be correct trust opinions (false negative), if a suitable similarity
7.1.3 Trust Resilience against ADV _Hbd threshold factor e is specified. When e is too small, as shown in
Recall that ADV _Hbd aims to manipulate trustworthiness T, it Fig. 12(b), all false trust opinions are considered to be outliers.
is able to increase or decrease T in any way. However, as shown However, more than half of the correct trust opinions are also
in Figs. 10 and 11, trust consensus does not perform well in considered to be outliers. In contrast, when e is too large, more
either increasing T or decreasing T attacks. than half of the false
Discussion. From the simulation results shown above, it is
easy to conclude that TC-ONLY is not enough for trustwor-
thiness calculation. It can only sustain ADV _Noise caused by
environmental effects. The reason is that using trust consensus
for trust calculation decreases uncertainty U and makes T
stable. However, it does not performance well against ADV
_Homo and ADV _Hbd. The reason is that both correct trust
opinions cT and false trust opinions fT are taken into account in
trustworthiness calculation as input, resulting in polluted T .
One way to solve this problem is to reduce the effect of fT as
much as possible. Thus we propose the next scheme capable of
removing false trust opinions.

7.2 Trust Consensus with One Parameter Similarity

Threshold Function (ONE-PARA)
As compromised trust producers may send false trust opinions
to trust managers to pollute trustworthiness, we use ONE-
PARA to remove outliers. A one parameter similarity threshold
function is defined as
( J(B- - EBm))
2 Fig. 12. Example of similarity threshold factor selection in terms of false
ST(T ) =
lj
, (6) positive (FP), true positive (TP) and false negative (FN). (a) Suitable
i
BjiE(Bjm) similarity threshold factor e. (b) Similarity threshold factor e is too small.
(c) Similarity threshold factor e is too large.
where B i and B m are the belief values regarding sj generated by
j j

its neighbors si and sm respectively. As a consequence, any Tj is

considered as a outlier if ST(Tj) > e where e is a similarity
threshold factor (e.g., e = 0.1). The similarity threshold function
is expected to neutralize false trust opinions as much as
possible. It is also desirable to reduce false positives (when trust
opinions are considered as false trust opinions even though
they are correct), as well as false negatives (when trust opinions
are considered as correct trust opinions even though they are
false). Therefore, we aim to increase true positives as much as
possible while keeping very few false positives and false
REN ET AL.: NOVEL APPROACH TO TRUST MANAGEMENT 1419

treats both false and correct trust opinions as outliers.

When e is too small, as illustrated in Fig. 12(b), more
than half of the correct trust opinions are considered as
outliers, causing the bizarre behavior in the second
column of Fig. 14.
• e is too large. As shown in Fig. 12(c), false negatives
increase with a larger e. That is, more false trust opinions are
considered as correct trust opinions, resulting in higher values
in disbelief D and lower values in belief B, as shown in Fig.
15(e) and (j). Discussion. As shown in Figs. 14 and 15, ONE-
PARA works well in some special cases (see Table 1). However,
when d(Bj, E(Bm)) ~ 0 and d(Di, E(Dm)) are high, ONE-PARA
cannot identify the difference between disbelief D, such as
correct trust opinion cT = {0.1, 0.1, 0.8} and false trust opinion fT
= {0.1, 0.8, 0.1}, or cT = {0.1, 0.8, 0.1} and fT = {0.1, 0.1, 0.8}. As
Fig. 13. ROC curve with cT = {0.1,0.3, 0.6}, fT = {0.4, 0. 1,0.5}, oc = of = shown in Fig. 16, when cB = fB = 0.1, cD = 0.1 and fD = 0.8, the
0.01 where similarity threshold factor e are specified as 0.2, 0.4, 0.6 differences in disbelief D cannot be detected by ONE-PARA,
and 0.8, respectively.
which may cause severe consequences. ADV’s attack pollutes
the trustworthiness for all schemes. We observe in Fig. 17 that
trust opinions are considered to be correct trust opinions. In ADV’s attack is mitigated by the consensus when d(B, E(Bm)) ^ 0
addition, the larger the number of false trust opinions and E(cB) > E(fB). Furthermore, ONE-PARA can only specify
considered to be correct trust opinions, the closer E(Bjm) is to one parameter among the three elements B, D and U so that it
E(fB). cannot sustain AD V _Hbd. The reason is that the most efficient
Fig. 13 shows the Receiver Operating Characteristic (ROC) way for ADV to increase Y is to increase B and to decrease D
curve with cT = {0.1, 0.3, 0.6}, fT = {0.4, 0.1, 0.5}, oc = of = 0.01 simultaneously. The threshold functions based on one
where similarity threshold factor e is specified as 0.2, 0.4, 0.6 parameter cannot control these two parameters, i.e., B and D.
and 0.8 respectively. We observe that true positives increase as To mitigate the pollution caused by ADV _Hbd for the case
when d(Bj, E(Bjn)) ~ 0 and E(cB) < E(fB), we propose our next
false positives increase, and that the ROC curves are the same
scheme.
when e = 0.6 and 0.8. That is the reason why Fig. 14(d), (i), (e),
and (j) indicate the same level of performance.
7.3 Trust Consensus with Three Parameter
Similarity Threshold Function (T-PARA)
1.1.1 Trust Resilience against ADV _Noise Since ONE-PARA cannot recognize the difference between cT =
Since ONE-PARA is an improved version of TC-ONLY, it {0.1, 0.1, 0.8} and false trust opinion fT = {0.1, 0.8, 0.1}, we
works well against ADV _Noise and can further filter outliers. formulate a three-parameter similarity threshold function as
follows,
1.1.2 Trust Resilience against ADV _Homo j (B(Bi - E(Bm))2 + (Di - E(Dm))2 + (U - E(Um))2
As demonstrated above, TC-ONLY cannot sustain ADV _Homo. STT) = i
i
We conduct two more sets of simulations and compare it with BiiE(Bin)+DiiE(Din)+UiiE(Uni)
ONE-PARA. We use the parameters of the last two simulations
of TC-ONLY with a fixed percentage of compromised sensors
PrC = 20%4. 7.3.1 Trust Resilience against ADV _Noise
The results are as shown in Figs. 14 and 15. The first rows As an improved version of TC-ONLY, T-PARA exhibits better
and the second rows are the simulation results of SI and that of performance. Here, we do not show the simulation results with
SII and AS, respectively. We observe that, due to trust respect to ADV _Noise due to page limit.
consensus, the generated Y in SII and AS is more stable than Y
in SI. The first column of Figs. 14 and 15 shows the results when 7.3.2 Trust Resilience against ADV _Homo and
the threshold function is not applied (TC-ONLY). The rest of ADV_Hbd
the columns of those figures are the results when the threshold We use the same simulation parameters as in ONE-PARA
function (ONE- PARA) is applied. Here similarity threshold experiments. Figs. 18 and 19 show the simulation results.
factor e varies from 0.2 to 0.8. We notice that TC-ONLY (the first
column of Figs. 14 and 15) do not sustain ADV _Homo and ADV (7)
_Hbd as expected. Consider now the simulation results of SII
and AS (columns 2,3,4,5 in Figs. 14 and 15):

• Proper e. We find that ONE-PARA works well (see Fig.

14(i) and (j) as well as Fig. 15(h) and (i)) when a suitable
e is selected.
• e is too small. It is interesting to observe that uncer-
tainty U becomes higher while belief B and disbelief D
decrease in the second column of Figs. 14 and 15. This is
because that a very small similarity threshold factor

4 Please note that the percentage of compromised sensors can be configured randomly in the range of [0,50%). Due to page limit, we only illustrate the
results with 20% compromised nodes.
1420 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 7, JULY 2014

Fig. 14. Example of when ADV tries to increase Tj, cT = {0.1,0.3, 0.6}, fT = {0.4, 0.1,0.5}, ac = af = 0.01.

(A) SI: PrC=20% (B) SI: P1C=2O%, e=0.2 (C) SI: PrC=20%, e=0.4 (D) SI: PrC=20%, e=0.6 (E) SI: PrC=20%, e=0.S

Fig. 15. Example of when ADV tries to decrease Tj, cT = {0.4, 0.1, 0.5}, fT = {0.1, 0.3, 0.6}, ac = af = 0.01.

The results based on TC-ONLY are plotted in the first column. 7.4 Three Parameters with Weighted Factors (T-
As one can observe, the performance of T-PARA is much PARA-WF)
better in comparison with TC-ONLY when a suitable similarity In order to provide a more flexible threshold function to
threshold factor e is specified (see Fig. 18(h)-(j) as well as Fig. prevent ADV from pollution attacks, we further develop an
19(h)-(j)). In addition, we observe that T-PARA works well improved version of Eq. (7):
when e = 0.4, 0.6 and 0.8 (see Fig. 18(h)-(j)), while the
performance of ONE-PARA is not good (Fig. 16). Moreover, j X(2(Bj - E(Bm))2 + y2(Di - E(Dm))2 + z2(Ui - E(Um))2
Fig. 18(b) and (g) as well as Fig. 19(b) and (g) show the impact ST(T,j) = 1--------i--------:----'-.-------------:----------:-----4---------------,
of e when it is too small. Furthermore, it is worth mentioning xBiE(Bm) + yDiE(Um) + zUi E(Um)
that T-PARA performs well (see Fig. 18(h)-(j) as well as Fig. (8)
19(h)-(j)) in terms of both ADV _Homo increasing T attack and
ADV _Homo decreasing T attack. Therefore, it is resilient to where xB + yD + zU = 1.
ADV_Hbd. We introduce three weighted factors x, y and z into Eq. (7),
enabling a T-PARA-WF method that can be adjusted depending
on different scenarios. For example, to prevent ADV from
increasing trustworthiness, we can define a

TABLE 1
Impacts of Consensus and Threshold Functions with Respect to d(Bij, E (Bmj )), d(Dij,E(Dmj )) and d(Uij, E(Umj ))

Threshold Function
d(B^,B(B^)) dtD^Etp^Y) d(Ul,E(U^) TC-ONLY ONE-PARA T-PARA T-PARA-WF
(Eq. (6)) (Eq. (7)) (Eq. (8))
«0 «0 RS 0 good good good good
«0 E(cD) > E(fD) good good good good
high -
S3 0 E(cD) C E(fD) - not enough not enough good good
E(cB) ; > E(fB) - - not enough good good good
high
E(cB) ; E(fB) - - not enough good good good
REN ET AL.: NOVEL APPROACH TO TRUST MANAGEMENT 1421

Fig. 16. Example of ONE-PARA does not work, when cT = {0.1,0.1,0.8}, fT = {0. 1,0.8, 0.1}, oc = of = 0.01.

Fig. 17. Example of ONE-PARA works even it cannot identity the difference between cT = {0.1,0.8, 0. 1} and fT = {0. 1,0.1,0.8}, oc = of = 0.01.

Fig. 18. Example of T-PARA works while TC-ONLY and ONE-PARA does not work well where cT = {0.1,0.1,0.8}, fT = {0.1,0.8, 0.1}, oc = of = 0.01.

higher value of B in Eq. (8), i.e., increase x. In contrast, we • In contrast, if ADV _Homo wants to decrease Y, ONE-
define a lower value for y to prevent ADV from decreasing PARA in terms of D is better than T-PARA since D is the
trustworthiness. To prevent ADV _Hbd (i.e., ADV generates false only weight factor in it.
trust opinions in any way to manipulate sensor trust- • T-PARA is resilient to ADV _Noise, ADV _Homo and
worthiness), a larger value of z can be defined to put more ADV_Hbd.
weight on uncertainty U. • T-PARA-WF is a more flexible way to prevent ADV
Note that Eq. (6)andEq.(7) are special cases of Eq. (8) when x from various attacks. The selection of x, y and z is
= 1, y = z = 0andx = y = z = 1, respectively. Finally, we have the scenario dependent.
following observations. The countermeasures against ADV’s pollution attack strategies
are summarized in Table 2. Here, Fair and Good indicate
• If ADV_Homo intends to increase Y, ONE-PARA in
terms of B is better than T-PARA since B is the only
weight factor in it. That is, x = 1, y = z = 0, meaning that
D and U are not taken into consideration.
1422 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 13, NO. 7, JULY 2014

Fig. 19. Example of TC-ONLY works well while T-PARA slightly compromised the result when e is selected too small. cT = {0. 1,0.8, 0.1}, fT =
{0.1,0.1,0.8}, oc = of = 0.01.

how the countermeasures are resilient to ADV’s pollution attack supported in part by the Aiming for the Top University and
strategies. Good means that a countermeasure (e.g., ONE- Elite Research Center Development Plan by Taiwan, and this
PARA) is more resilient than TC-ONLY (i.e., Fair), once work was partially done while Y. Ren was visiting the School of
attacked by ADV _Noise. Information Sciences, University of Pittsburgh. Part of this
paper was presented at the IEEE MDM conference, July 2012.
8 CONCLUSION
In this paper, we have proposed a family of efficient and robust REFERENCES
trust management schemes for UWSNs based on Subjective [1] D. Ma, C. Soriente, and G. Tsudik, “New adversary and new threats:
Logic. Our advanced trust storage scheme, AS, facilitates Security in unattended sensor networks,” IEEE Netw., vol. 23, no. 2, pp.
distributed trust data storage to ensure high reliability of trust 43-48, Mar. 2009.
[2] Y. Ren, V. Oleshchuk, F. Y. Li, and S. Sulistyo, “SCARKER: A sensor
data. It takes the advantage of both GHT and GPSR routing to capture resistance and key refreshing scheme for mobile WSNs,” in
find storage nodes and to route trust data. We have also Proc. IEEE LCN, Bonn, Germany, 2011.
proposed several methods to mitigate trust pollution attacks [3] R. Di Pietro, L. V. Mancini, C. Soriente, A. Spognardi, and G. Tsudik,
based on various trust similarity measures. We demonstrated “Catch me (if you can): Data survival in unattended sensor networks,” in
Proc. IEEE PERCOM, Hong Kong, 2008.
that our trust management schemes are resilient to major attack
[4] R. Di Pietro, G. Oligeri, C. Soriente, and G. Tsudik, “United we stand:
categories including ADV _Del, ADV _Noise, ADV_Homo, and Intrusion-resilience in mobile unattended WSNs,” IEEE Trans. Mobile
ADV _Hbd. Moreover, our simulation results demonstrated that Comput., vol. 12, no. 7, pp. 1456-1468, Jul. 2013.
AS has much lower storage costs compared with the less [5] R. Di Pietro and N. Verde, “Epidemic data survivability in unattended
sophisticated approaches. Combining AS with similarity wireless sensor networks,” in Proc. ACM WiSec, Hamburg, Germany,
2011.
threshold measures, we are able to significantly reduce trust [6] K.-S. Hung, K.-S. Lui, and Y.-K. Kwok, “A trust-based geographical
storage costs and perform efficient node invalidation and routing scheme in sensor networks,” in Proc. IEEE WCNC, Kowloon,
mitigation of ADV’s pollution attacks. Hong Kong, 2007.
[7] A. Rezgui and M. Eltoweissy, “TARP: A trust-aware routing protocol for
sensor-actuator networks,” in Proc. IEEE MASS, Pisa, Italy, 2007.
ACKNOWLEDGMENTS [8] Y. Ren, V. Oleshchuk, and F. Li, “Optimized secure and reliable
The research leading to these results has received funding from distributed data storage scheme and performance evaluation in
unattended WSNs,” Comput. Commun., vol. 36, no. 9, pp. 1067-1077,
the EU FP7-PEOPLE-IRSES program under grant agreement May 2013.
247083, project acronym S2EuNet. V. Zadorozhny’s research [9] N. Lewis and N. Foukia, “Using trust in key distribution in wireless sensor
was supported in part by the Research Council of Norway networks,” in Proc. GLOBECOM Workshops, Washington, DC, USA,
through the L. Eiriksson mobility program, project 209237. Y. 2007.
[10] S. Ratnasamy et al., “GHT: A geographic hash table for data- centric
Ren’s research was
storage,” in Proc. ACM WSNA, 2002.
[11] M. Krasniewski, P. Varadharajan, B. Rabeler, S. Bagchi, and Y. Hu,
“TIBFIT: Trust index based fault tolerance for arbitrary data faults in
TABLE 2 sensor networks,” in Proc. DSN, 2005.
ADV’s Pollution Attack Strategies and Their Countermeasures [12] S. Ganeriwal, L. Balzano, and M. Srivastava, “Reputation-based
Countermeasures framework for high integrity sensor networks,” ACM Trans. Sen. Netw.,
yWV's strategy TC-ONLY ONE-PARA T-PARA T-PARA-WF vol. 4, no. 3, pp. 1-37, May 2008.
AT>V_Noise Fair Good Good Good [13] K. Yadav and A. Srinivasan, “iTrust: An integrated trust framework for
ADV_Homo: wireless sensor networks,” in Proc. ACM SAC, New York, NY, USA,
increase T No Good Fair Good 2010.
ADV_Homo: [14] S. Buchegger and J. Le Boudec, “A robust reputation system for mobile
decrease T No Good Fair Good ad-hoc networks,” in Proc. P2PEcon, 2004.
AT>V_Hbd No No Good Good
[15] Y. L. Sun, W. Yu, Z. Han, and K. Liu, “Information theoretic framework
of trust modeling and evaluation for ad hoc networks,” IEEE J. Sel.
Areas Commun., vol. 24, no. 2, pp. 305-317, Feb. 2006.
REN ET AL.: NOVEL APPROACH TO TRUST MANAGEMENT 1423

[16] M. Raya, P. Papadimitratos, V. Gligor, and J.-P. Hubaux, “On data- 1993. He is an Associate Professor in the School
centric trust establishment in ephemeral ad hoc networks,” in Proc. IEEE of Information Sciences, University of Pittsburgh.
INFOCOM, Phoenix, AZ, USA, 2008. Before coming to United States, he was a
[17] M. Omar, Y. Challal, and A. Bouabdallah, “Reliable and fully distributed Principal Research Fellow in the Institute of
trust model for mobile ad hoc networks,” Comput. Secur., vol. 28, no. 3- System Programming, Russian Academy of
4, pp. 199-214, May 2009. Sciences. Since May 1998, he has been working
[18] L. Xiong and L. Liu, “PeerTrust: Supporting reputation-based trust for as a Research Associate at the Institute for
peer-to-peer electronic communities,” IEEE Trans. Knowl. Data Eng., Advanced Computer Studies, University of
vol. 16, no. 7, pp. 843-857, Jul. 2004. Maryland, College Park. He joined the University
[19] R. Zhou and K. Hwang, “PowerTrust: A robust and scalable reputation of Pittsburgh in September 2001, where he is the
system for trusted peer-to-peer computing,” IEEE Trans. Parallel head of the Network Aware Data Management
Distribut. Syst., vol. 18, no. 4, pp. 460-473, Apr. 2007. Group and a member of the Advanced Data
[20] K. Walsh and E. G. Sirer, “Experience with an object reputation system Management Technologies Laboratory. His research interests include
for peer-to-peer filesharing,” in Proc. USENIX NSDI, Berkeley, CA, networked information systems, complex adaptive systems, WSN data
USA, 2006. management, query optimization in resource constrained distributed
[21] D. Ma and G. Tsudik, “DISH: Distributed self-healing,” in Proc. Int.
environments, and scalable architectures for wide-area environments
Symp. SSS, Detroit, MI, USA, 2008.
with heterogeneous information servers. He received the Best Paper
[22] Y. Ren, V. Oleshchuk, and F. Y. Li, “Secure and efficient data storage in
Award in IEEE MDM 2012. He is a senior member of the IEEE.
unattended wireless sensor networks,” in Proc. IFIP Int. Conf. NTMS,
Cairo, Egypt, 2009.
[23] Y. Ren, V. I. Zadorozhny, V. Oleshchuk, and F. Y. Li, “An efficient,
Vladimir A. Oleshchuk is Professor of Computer Science at the
robust and scalable trust management scheme for unattended wireless
University of Agder, Norway. He received his Ph.D. degree in Computer
sensor networks,” in Proc. IEEE MDM, Bengaluru, India, 2012.
Science (1988) from the Taras Shevchenko Kiev
[24] M. Probst and S. Kasera, “Statistical trust establishment in wireless
sensor networks,” in Proc. ICPADS, Hsinchu, Taiwan, 2007. State University, Kiev, Ukraine. He is a senior
[25] S. Shenker, S. Ratnasamy, B. Karp, R. Govindan, and D. Estrin, “Data- member of the IEEE and a senior member of the
centric storage in sensornets,” ACM SIGCOMM Comput. Commun. Rev., ACM. His current research interests include
vol. 33, no. 1, pp. 137-142, 2003. formal methods and information security, privacy
[26] M. T. Refaei, L. A. DaSilva, M. Eltoweissy, and T. Nadeem, “Adaptation and trust with special focus on
of reputation management systems to dynamic network conditions in ad telecommunication systems. He received the
hoc networks,” IEEE Trans. Comput., vol. 59, no. 5, pp. 707-719, May Best Paper Award in IEEE MDM 2012.
2010.
[27] A. Becher, Z. Benenson, and M. Dornseif, “Tampering with motes: Real-
world physical attacks on wireless sensor networks,” in Proc. Int. Conf. Frank Y. Li (S’99, M’03, SM’09) holds a Ph.D.
SPC, York, U.K., 2006. degree from the Norwegian University of Science
[28] S. Tanachaiwiwat, P. Dave, R. Bhindwale, and A. Helmy, “Location- and Technology (NTNU). He worked as a Senior
centric isolation of misbehavior and trust routing in energy-constrained Researcher at UniK - University Graduate
sensor networks,” in Proc. IEEE IPCCC, 2004. Center, University of Oslo, before joining the
[29] G. Theodorakopoulos and J. Baras, “On trust models and trust evaluation Department of Information and Communication
metrics for ad hoc networks,” IEEE J. Sel. Areas Commun., vol. 24, no. Technology, University of Agder (UiA) in August
2, pp. 318-328, Feb. 2006. 2007 where he is currently a Professor. During
[30] A. Josang, “An algebra for assessing trust in certification chains,” in the past few years, he has been an active par-
Proc. NDSS, San Diego, CA, USA, 1999. ticipant in several Norwegian and EU FP6/FP7
[31] K. Pelechrinis, V. Zadorozhny, and V. Oleshchuk, “Collaborative research projects. He is listed as a Lead
assessment of information provider’s reliability and expertise using Scientist by the European Commission DG RTD
subjective logic,” in Proc. CollaborateCom, Orlando, FL, USA, 2011. Unit A.03 - Evaluation and Monitoring of
[32] V. Oleshchuk and V. Zadorozhny, “Trust-aware query processing in data Programmes in Nov. 2007. Dr. Li’s research
intensive sensor networks,” in Proc. Int. Conf. SensorComm, Valencia, interest includes 3G/4G and beyond mobile systems and wireless
Spain, 2007. networks, mesh and ad hoc networks; wireless sensor network; Device-
[33] K. Pelechrinis, V. Zadorozhny, and V. Oleshchuk, “A cognitivebased to-Device (D2D) communication; cooperative communications;
scheme for user reliability and expertise assessment in Q&A social cognitive radio networks; green wireless communications; QoS,
networks,” in Proc. IEEE Conf. IRI, Las Vegas, NV, USA, 2011. resource management and traffic engineering in wired and wireless IP-
[34] D. Liu and P. Ning, “Multilevel ^TESLA: Broadcast authentication for based networks; analysis, simulation and performance evaluation of
distributed sensor networks,” ACM Trans. Embed. Comput. Syst., vol. 3, communication protocols and networks. He received the Best Paper
no. 4, pp. 800-836, Nov. 2004. Award in IEEE MDM 2012. He is a senior member of the IEEE.
[35] B. Karp and H. T. Kung, “GPSR: Greedy perimeter stateless routing for
wireless networks,” in Proc. ACM MobiCom, 2000. ■ For more information on this or any other computing topic,
Vladimir I. Zadorozhny received the Ph.D. degree from the Institute for please visit our Digital Library at www.computer.org/publications/dlib.
Problems of Informatics, Russian Academy of Sciences, Moscow, in

Yi Ren is currently doing research as a postdoctoral researcher at National Chiao Tung University (NCTU), Taiwan. He
received his Ph.D. degree in Information Communication and Technology from the University of Agder (UiA), Norway, in
April 2012. His current research interests include security in wireless sensor networks, ad hoc, and mesh networks, LTE,
smart grid, and e-health security. He received the Best Paper Award in IEEE MDM 2012. He is a member of the IEEE.