
The Proposed Reputation-based Secure Data Aggregation Scheme (RSDA)

RSDA focuses on aggregating physical phenomena in heterogeneous environments and follows the multiple-aggregator model, in which aggregation is performed at each non-leaf cell. Taking advantage of the temporal and spatial correlation in WSNs, each node monitors the behavior of the other sensor nodes within the same cell and calculates their reputation values. These calculations are based on how those sensor nodes participate in cell operations such as sensing, forwarding, and aggregation.

In each cell, one sensor node is selected to be the cell representative $C^{rep}$. Initially, $C^{rep}$ is chosen randomly, since all nodes start with the same reputation value, such as 0.90. Later on, the selection of a new $C^{rep}$ is based on the highest reputation score among the cell members. $C^{rep}$ is responsible for confirming its cell reading $C^{read}$ (reported by other cell members), aggregating it with other readings (if the cell is an intermediate cell), and forwarding the aggregation result to an upstream cell. Each node in the cell has a monitoring mechanism similar to the watchdog mechanism (WDM) discussed in Section 3.1.1, which it uses to monitor the behavior of neighboring nodes within the same cell.

RSDA belongs to the class of Bayesian trust and reputation models because of their flexibility and strong statistical foundation [64, 121], their simplicity in meeting the resource constraints of sensor nodes, and their success in detecting misbehaving sensor nodes [47, 91, 92]. The reputation value is defined as the expectation value of the beta probability density function (PDF) with parameters $(\alpha, \beta)$ [64, 121]. A node's behavior in the Bayesian trust and reputation model is represented in the form $(\alpha, \beta)$, where $\alpha$ and $\beta$ represent the amount of positive and negative ratings, respectively. These ratings are calculated by a cell member for its fellow cell members and stored in its reputation table. The beta PDF, denoted by $beta(p \mid \alpha, \beta)$, can be expressed using the gamma function as follows:

\[ beta(p \mid \alpha, \beta) = \frac{\Gamma(\alpha + \beta)}{\Gamma(\alpha)\,\Gamma(\beta)}\; p^{\alpha - 1} (1 - p)^{\beta - 1} \]

where $0 \leqslant p \leqslant 1$ and $\alpha, \beta \geqslant 0$, with the restriction that $p \neq 0$ if $\alpha < 1$ and $p \neq 1$ if $\beta < 1$. The probability expectation value of the beta distribution is given by:

\[ E(p) = \frac{\alpha}{\alpha + \beta} \]

When nothing is known, the a priori distribution is the uniform beta PDF with $\alpha = 1$ and $\beta = 1$. After observing $r$ positive and $s$ negative outcomes, the a posteriori distribution is the beta PDF with $\alpha = r + 1$ and $\beta = s + 1$.

Algorithm 4.1: Bootstrap Phase
/* code for sensor node x in cell i. */
/* cells j, k, l are adjacent cells of cell i. */
/* x is preloaded with two network-wide shared keys K1, K2 */
1 x computes its intra-cell key as in Equation 4.2;
2 x computes its inter-cell keys as in Equation 4.3;
3 x deletes K1 and K2;
4 return $K_{C_i}, K_{C_{ij}}, K_{C_{ik}}$, and $K_{C_{il}}$;

This approach provides a sound mathematical foundation for the calculation of the reputation values. The nodes' behaviors are examined for three functions: data sensing, data forwarding, and data aggregation (if $x$ is the $C^{rep}$ of an intermediate cell). Each node therefore maintains a reputation table for its cell members and records $r$ and $s$ separately for each of these functions (sensing, forwarding, and aggregation), as in Table 4.2. If a packet is forwarded to its intended destination, the forwarding behavior of the overheard node is considered correct; it is considered incorrect if the packet is dropped or forwarded along an incorrect path. The aggregation behavior is considered normal if the cell members find that the difference between their own calculation of the aggregation result and the $C^{rep}$'s calculation is bounded by a predefined threshold. Finally, if the reported sensor reading is within the accepted range of readings implied by the temporal correlation feature, the sensing behavior of the overheard node is correct.

Thus, the reputation value for sensing, aggregation, or forwarding, $R_{S/A/F}$, can be expressed as follows:

\[ R_{S/A/F} = \frac{\alpha_{S/A/F}}{\alpha_{S/A/F} + \beta_{S/A/F}} \tag{4.1} \]

The essential operations that precede running RSDA are performed in a short period of time during which the network is genuine. This period is called the "bootstrap phase".

Figure 4.3: A simplified deployment area for RSDA. [Figure omitted; its legend distinguishes an intermediate cell, a leaf cell, a cell member, a cell representative, a single cell reading, and aggregated readings, and the cells shown are $C_i$, $C_j$, $C_k$, $C_m$, $C_b$, and $C_z$.]

Bootstrap Phase. This phase consists of a short period of time immediately following the network deployment. It is short enough to assume that no attacks are possible during it. The required operations in this phase are summarized in Algorithm 4.1. The node $x$ computes the intra-cell key $K_{C_i}$, which is used to authenticate any communication between itself and any node in the same cell, in a similar way to Ren et al. [101], as follows:

\[ K_{C_i} = H(K_1 \,||\, C_i) \tag{4.2} \]

where $||$ represents bit-string concatenation. $K_{C_i}$ is used to prevent non-cell members from participating in the cell operations and affecting the accuracy of $C_i^{read}$. After that, each sensor node computes inter-cell keys with adjacent cells, such as $C_j$, as follows:

\[ K_{C_{ij}} = H(K_2 \,||\, C_i \,||\, C_j) \tag{4.3} \]

At the end of this phase, each sensor node deletes $K_1$ and $K_2$. This prevents an adversary from obtaining these keys and then participating in network activities. If only one network-wide shared key is used, then an intra-cell key compromise leads to the compromise of all inter-cell keys. In this case, where $K_1 = K_2$, an adversary can calculate the inter-cell key between cells $i$ and $j$ as follows:

\[ K_{C_{ij}} = H(H(K_1 \,||\, C_i) \,||\, C_j) \]

The advantage of using two network-wide shared keys is that a compromise of an intra-cell key does not lead to the compromise of an inter-cell key.
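The key derivation of the bootstrap phase (Algorithm 4.1, Equations 4.2 and 4.3), as an added example that is not the thesis's own code. It assumes that H is SHA-256, that cell identifiers are short byte strings, and that both sides of an inter-cell key sort the two cell identifiers before concatenation so that a node in $C_i$ and a node in $C_j$ derive the same $K_{C_{ij}}$ (the text fixes only the $i$-then-$j$ form).

```python
import hashlib

def H(data: bytes) -> bytes:
    """Hash used by the scheme; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()

def intra_cell_key(k1: bytes, cell: bytes) -> bytes:
    """K_Ci = H(K1 || Ci)  (Eq. 4.2)"""
    return H(k1 + cell)

def inter_cell_key(k2: bytes, cell_a: bytes, cell_b: bytes) -> bytes:
    """K_Cij = H(K2 || Ci || Cj)  (Eq. 4.3); the two identifiers are sorted first
    (assumed) so that a node in Ci and a node in Cj derive the same key."""
    first, second = sorted((cell_a, cell_b))
    return H(k2 + first + second)

class SensorNode:
    """Key material of one node; K1 and K2 are only passed in, never stored."""
    def __init__(self, cell: bytes, neighbours) -> None:
        self.cell = cell
        self.neighbours = tuple(neighbours)   # adjacent cells j, k, l of Algorithm 4.1
        self.intra_key = b""
        self.inter_keys = {}

    def bootstrap(self, k1: bytes, k2: bytes) -> None:
        """Algorithm 4.1: derive the intra-cell and inter-cell keys, then forget K1, K2."""
        self.intra_key = intra_cell_key(k1, self.cell)
        self.inter_keys = {n: inter_cell_key(k2, self.cell, n) for n in self.neighbours}

    def key_for(self, other_cell: bytes) -> bytes:
        """Key that authenticates traffic with a node of other_cell (own cell included)."""
        if other_cell == self.cell:
            return self.intra_key
        return self.inter_keys[other_cell]   # KeyError: not an adjacent cell

def share_key(a: SensorNode, b: SensorNode) -> bool:
    """True when a and b ended the bootstrap phase with the same key for their cells."""
    return a.key_for(b.cell) == b.key_for(a.cell)
```

A node that was bootstrapped with a different $K_2$ (or that never saw the network-wide keys) ends up without the cell's keys, which is what excludes non-members from cell operations.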

Data Aggregation. Before describing how the aggregation procedure works, the packet format used within the network is introduced. Each packet has the following format:

$\{ C_i^{rep}, C_j^{rep}, Q_n, Payload \}$

where $C_i^{rep}$ represents the sending cell representative, $C_j^{rep}$ the receiving cell representative, $Q_n$ a query number, and $Payload$ the packet content. An aggregation process begins when the base station $B$ propagates a query to all cells as follows:

$\{ B, \text{all cells}, Q_n, Payload \}$

The query and its response are relayed to their destinations via intermediate cells. The data flow further relies on the routing algorithm, which is not the focus of this thesis. The actions taken at each cell to answer the query depend on whether the cell is an intermediate cell or a leaf cell.

At Leaf Cells. Algorithm 4.2 summarizes the important activities performed at leaf cells. When a leaf cell $C_i$ receives the query $Q_n$, $C_i^{rep}$ randomly selects a sensor node $x$ from its cell to send back the required sensing information, $p_x$, as follows:

$\{ C_i^{rep}, x, Q_n, Payload \}$

In response, $x$ senses the requested physical phenomenon and sends the reading back to $C_i^{rep}$ as follows:

$\{ x, C_i^{rep}, Q_n, Payload \}$, where

\[ Payload \equiv p_x \,||\, MAC_{K_{C_i}}(x \,||\, Q_n \,||\, p_x) \tag{4.4} \]

Since the other nodes in $C_i$ are within radio coverage and share the same intra-cell key with $C_i^{rep}$, they overhear the on-going traffic between the elected node and $C_i^{rep}$. These nodes then compare their local readings with $p_x$. If the cell members agree on $p_x$ and on the response sent to $C_i^{rep}$, they update $\alpha_S^x$ and $\alpha_F^x$ of node $x$ and consider $p_x$ as the $C_i^{read}$. They also update $\alpha_S$ for all other nodes because of their implicit agreement on the $C_i^{read}$, expressed by remaining silent and not sending complaints about $p_x$. A cell node $y$ does not agree on the reading $p_x$ if $|p_y - p_x| > Thr_S$. If the reported $p_x$ is not correlated closely enough with the local sensing information of the other nodes in the cell, the disagreeing nodes perform the following actions:

- Update $\beta_S^x$ if the reading was unacceptable, and update $\beta_F^x$ if the destination was not the cell representative or no reply was sent.
- Provide $C_i^{rep}$ with the correct $C_i^{read}$.

Each disagreeing node, say node $y$, sends its reading to $C_i^{rep}$; as a consequence, the other nodes in the cell are able to verify this disagreement and then update $\alpha_S^y$ or $\beta_S^y$. $C_i^{rep}$ computes the cell reading using the Exogenous Discounting of Unfair Ratings proposed by Whitby et al. [132], after receiving $n$ complaints (where $n \geq t$) about the reported reading $p_x$. These complaints must come from nodes located in the same cell where the disagreement occurred and having $R > Thr_R$. This is based on the assumption that sensors with low reputation are likely to give unfair information, and vice versa. The reputation values of these $n$ nodes determine the weight given to their readings as follows:

\[ C_i^{read} = \frac{\sum_{i=1}^{n} p_i R_i^S R_i^F}{\sum_{i=1}^{n} R_i^S R_i^F} \tag{4.5} \]

Then, $C_i^{rep}$ forwards this reading to the next cell $C_j$ in the upstream path as follows:

$\{ C_i^{rep}, C_j^{rep}, Q_n, Payload \}$, where

\[ Payload \equiv C_i^{read} \,||\, C_i^{\#} \,||\, MAC_{K_{C_{ij}}}(C_i^{rep} \,||\, Q_n \,||\, C_i^{read} \,||\, C_i^{\#}) \tag{4.6} \]

where $C^{\#}$ is the number of inputs to the aggregation function; it is set to 1 here because $C_i$ is a leaf cell. $C^{\#}$ lets an intermediate cell representative compute the average aggregation function (AVE) by counting the participants in the aggregation. The other nodes in $C_i$ monitor this transmission in order to evaluate the behavior of $C_i^{rep}$, since they also know the inter-cell keys shared between $C_i$ and its adjacent cells. If the cell reading is altered by more than $Thr_S$, then $\beta_A^{C_i^{rep}}$ is updated; otherwise, $\alpha_A^{C_i^{rep}}$ is updated. Whenever the cell reading is routed along an incorrect path or is not routed at all, $\beta_F^{C_i^{rep}}$ is updated; otherwise, $\alpha_F^{C_i^{rep}}$ is updated.

Algorithm 4.2: At Leaf Cells
/* code for sensor nodes x and y in cell i */
/* cell representative $C_i^{rep}$ has received a recent query $Q_n$ from B */
1 $C_i^{rep}$ selects normally a cell member x to answer $Q_n$;
2 x sends $p_x$ back to $C_i$ as in Equation 4.4;
3 other cell member (i.e. y) compares $p_x$ with $p_y$;
4 if $|p_y - p_x| > Thr_S$ then
5   y updates $\beta_S^x$;
6   y sends correct information $p_y$ to $C_i^{rep}$ (as a complaint);
7 else
8   $C_i^{read} = p_x$;
9 end if;
10 if $p_x$ is routed in an incorrect path then
11   y updates $\beta_F^x$;
12 else
13   y updates $\alpha_F^x$;
14 end if;
15 if No-of-Complaints $\geq t$ then
16   $C_i^{rep}$ calculates $C_i^{read}$ as in Equation 4.5;
17 end if;
18 $C_i^{rep}$ forwards $C_i^{read}$ to an upper $C^{rep}$ as in Equation 4.6;
19 other cell member (i.e. y) recomputes step 16;
20 if $|C_y^{read} - C_{rep}^{read}| > Thr_S$ then
21   y updates $\beta_A^{C_i^{rep}}$;
22 else
23   y updates $\alpha_A^{C_i^{rep}}$;
24 end if;
25 if $C_i^{read}$ routed in an incorrect path then
26   y updates $\beta_F^{C_i^{rep}}$;
27 otherwise
28   y updates $\alpha_F^{C_i^{rep}}$;
29 end if;
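The leaf-cell handling of one response as described above, as an added example that is not the thesis's own code: the authenticated reading of Equation 4.4, the overhearing member's check against $Thr_S$, and the complaint-weighted cell reading of Equation 4.5. It assumes HMAC-SHA256 as the MAC under a constructed intra-cell key, readings encoded as text, and assumed values for $Thr_S$, $Thr_R$, $t$ and the weight $\mu_1$ of Equation 4.7.

```python
import hmac
import hashlib

K_CI = b"constructed K_Ci from the bootstrap phase"   # constructed intra-cell key
THR_S, THR_R, T, MU1 = 1.0, 0.6, 2, 0.5                # assumed thresholds and weight

def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC over the concatenated fields; '||' is used as a field separator here."""
    return hmac.new(key, b"||".join(fields), hashlib.sha256).digest()

def response(x: bytes, qn: bytes, px: float) -> dict:
    """Elected node x answers Q_n: Payload = p_x || MAC_KCi(x || Q_n || p_x)  (Eq. 4.4)."""
    p = repr(px).encode()
    return {"src": x, "dst": b"C_i^rep", "qn": qn, "p": p, "mac": mac(K_CI, x, qn, p)}

def overhear(msg: dict, py: float) -> str:
    """Member y overhears x's response and decides how to rate x's sensing."""
    expected = mac(K_CI, msg["src"], msg["qn"], msg["p"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return "ignore"          # not keyed with K_Ci: not a cell member, or altered in transit
    px = float(msg["p"])
    return "complain" if abs(py - px) > THR_S else "agree"   # beta_S^x or alpha_S^x

def cell_reading(px: float, complaints: list) -> float:
    """C_i^read as chosen by C_i^rep.

    complaints: (p_y, R_S^y, R_F^y) from members that disagreed with p_x.
    Only complainers whose overall R (Eq. 4.7) exceeds Thr_R count; with fewer
    than t of them p_x stands, otherwise Eq. 4.5 weights each p_y by R_S * R_F.
    """
    trusted = [(p, rs * rf) for p, rs, rf in complaints
               if MU1 * rs + (1 - MU1) * rf > THR_R]
    if len(trusted) < T:
        return px
    return sum(p * w for p, w in trusted) / sum(w for _, w in trusted)
```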

Generally speaking, each cell member calculates the overall reputation value $R$ of its cell members, except the cell representative, from their sensing and forwarding behaviors as follows:

\[ R = \mu_1 R_S + (1 - \mu_1) R_F, \qquad 0 < \mu_1 < 1 \tag{4.7} \]

As soon as a cell member has become the cell representative, $R_A$ is set to $R_S$, and the overall reputation value of the cell representative is calculated for subsequent transactions as follows:

\[ R_{C^{rep}} = \mu_2 R_A^{C^{rep}} + (1 - \mu_2) R_F^{C^{rep}}, \qquad 0 < \mu_2 < 1 \tag{4.8} \]
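A reputation table in the Bayesian form introduced earlier in this section and combined by Equations 4.7 and 4.8, as an added example that is not the thesis's own code: it keeps the $r$ and $s$ counters of Table 4.2 per function, evaluates Equation 4.1 for $R_S$, $R_A$ and $R_F$, and applies Equation 4.7 to ordinary members and Equation 4.8 to the representative. It uses the uniform prior $\alpha = \beta = 1$ from the text, so an unobserved node starts at 0.5; $\mu_1$ and $\mu_2$ are assumed weights.

```python
from typing import Dict, Optional

FUNCTIONS = ("S", "A", "F")  # sensing, aggregation, forwarding

class Counters:
    def __init__(self) -> None:
        self.r = 0  # positive observations (Table 4.2)
        self.s = 0  # negative observations

    def reputation(self) -> float:
        # E(p) = alpha / (alpha + beta) with alpha = r + 1, beta = s + 1  (Eq. 4.1)
        alpha, beta = self.r + 1, self.s + 1
        return alpha / (alpha + beta)

class ReputationTable:
    """What one cell member records about the other members of its cell."""
    def __init__(self, mu1: float = 0.5, mu2: float = 0.5) -> None:
        self.mu1, self.mu2 = mu1, mu2        # assumed weights of Eq. 4.7 / 4.8
        self.table: Dict[str, Dict[str, Counters]] = {}
        self.representative: Optional[str] = None

    def _entry(self, node: str, func: str) -> Counters:
        return self.table.setdefault(node, {f: Counters() for f in FUNCTIONS})[func]

    def observe(self, node: str, func: str, correct: bool) -> None:
        """Record one overheard sensing (S), aggregation (A) or forwarding (F) outcome."""
        c = self._entry(node, func)
        if correct:
            c.r += 1
        else:
            c.s += 1

    def R(self, node: str, func: str) -> float:
        return self._entry(node, func).reputation()

    def elect(self, node: str) -> None:
        """On election the new representative's R_A starts from its R_S (text before Eq. 4.8)."""
        self.representative = node
        s, a = self._entry(node, "S"), self._entry(node, "A")
        a.r, a.s = s.r, s.s

    def overall(self, node: str) -> float:
        if node == self.representative:   # Eq. 4.8: aggregation and forwarding behaviour
            return self.mu2 * self.R(node, "A") + (1 - self.mu2) * self.R(node, "F")
        return self.mu1 * self.R(node, "S") + (1 - self.mu1) * self.R(node, "F")  # Eq. 4.7

    def candidates(self, blacklist) -> list:
        """Members ranked by overall R, skipping blacklisted nodes and the current representative."""
        nodes = [n for n in self.table if n not in blacklist and n != self.representative]
        return sorted(nodes, key=self.overall, reverse=True)
```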

At Intermediate Cells. In order to ensure that the message is received from the claimed entity (data-origin authentication), $C_j^{rep}$ recomputes the MAC over the data received from the downstream cell and compares it with the attached one. If they do not match, the message received from $C_i^{rep}$ is ignored and $\beta_F^{C_i}$ is updated by increasing $s_F^{C_i}$ by one. Otherwise, $C_j^{rep}$ removes the attached MAC, takes the reported data as an input to the aggregation function, and updates $\alpha_F^{C_i}$ by increasing $r_F^{C_i}$ by one. Since $C_j^{rep}$ has no access to the inter-cell keys shared between $C_i^{rep}$ and $C_i$'s adjacent cell representatives, $C_j^{rep}$ cannot evaluate the aggregation and sensing behavior of $C_i^{rep}$. Thus, $C_j^{rep}$ calculates the reputation value of $C_i^{rep}$ from the available information about its forwarding activities as follows:

\[ R_{C_i} = \frac{\alpha_F}{\alpha_F + \beta_F} \tag{4.9} \]

The aggregation behavior of $C_i^{rep}$ is monitored only by the nodes in cell $i$. To perform in-network processing, $C_j^{rep}$ waits until it has received the readings from its own cell and from the other children cells. The reading of $C_j$ is obtained in the same way as at a leaf cell. Then, $C_j^{rep}$ applies, for example, the average aggregation function to the readings in order to answer $Q_n$ as follows:

\[ AR_{C_j}^{Q_n} = F(C_1^{read}, C_2^{read}, \ldots, C_i^{read}, \ldots, C_j^{read}) \tag{4.10} \]

\[ = \frac{R_{C_1^{rep}} C_1^{read} + R_{C_2^{rep}} C_2^{read} + \cdots + R_{C_i^{rep}} C_i^{read} + \cdots + R_{C_j^{rep}} C_j^{read}}{C_1^{\#} + C_2^{\#} + \cdots + C_i^{\#} + \cdots + C_j^{\#}} \tag{4.11} \]

After that, $C_j^{rep}$ sets $C_j^{\#}$ to the sum of the received counters $C_1^{\#}, C_2^{\#}, \ldots, C_i^{\#}, \ldots, C_j^{\#}$ and forwards $AR_{C_j}^{Q_n}$ to the upper cell representative $C_k^{rep}$ (see Figure 4.3) in the following packet format:

$\{ C_j^{rep}, C_k^{rep}, Q_n, Payload \}$, where

\[ Payload \equiv AR_{C_j}^{Q_n} \,||\, C_j^{\#} \,||\, MAC_{K_{C_{jk}}}(C_j^{rep} \,||\, Q_n \,||\, AR_{C_j}^{Q_n} \,||\, C_j^{\#}) \tag{4.12} \]

The other nodes in cell $C_j$ are able to keep an eye on the aggregation and forwarding behavior of $C_j^{rep}$. They recalculate the aggregation function, $AR^{*}_{C_j}$, and match the result against $AR_{C_j}$. If the two differ by no more than a small bound, $|AR_{C_j} - AR^{*}_{C_j}| < Thr_A$, then $r_A^{C_j^{rep}}$ is increased by one; otherwise, $s_A^{C_j^{rep}}$ is increased by one. Moreover, $\alpha_F^{C_j^{rep}}$ is increased by one if $C_j^{rep}$ forwards the packet to the right $C^{rep}$, i.e., one that is not in the blacklist and is one cell closer to the base station; otherwise, $\beta_F^{C_j^{rep}}$ is updated.

Once $R_{C_j^{rep}}$ falls below $Thr_R$, the current $C^{rep}$ should be blacklisted and a new $C^{rep}$ elected. This is done through the cell representative revocation mechanism discussed in the next paragraph. Algorithm 4.3 summarizes the discussion above and highlights the important activities performed at intermediate cells.

Algorithm 4.3: At Intermediate Cells
/* code for sensor nodes f in cell j */
/* cell representative $C_j^{rep}$ has received an answer for a recent $Q_n$ from a downstream representative $C_i^{rep}$ */
/* cell representative $C_j^{rep}$ checks the legitimacy of the received message */
1 if the message has been altered then
2   $C_j^{rep}$ updates $\beta_F^{C_i^{rep}}$;
3 else
4   $C_j^{rep}$ updates $\alpha_F^{C_i^{rep}}$;
5 $C_j^{rep}$ collects readings from its cell and children cells;
6 $C_j^{rep}$ performs aggregation as in Equation 4.10;
7 $C_j^{rep}$ forwards $AR_{C_j}$ to $C_k^{rep}$ as in Equation 4.12;
8 other cell members (i.e. f) recompute step 6;
9 if $|AR_f - AR_{C_j}| > Thr_A$ then
10   f updates $\beta_A^{C_j^{rep}}$;
11 else
12   f updates $\alpha_A^{C_j^{rep}}$;
13 end if;
14 if $C_j^{read}$ routed in an incorrect path then
15   f updates $\beta_F^{C_j^{rep}}$;
16 else
17   f updates $\alpha_F^{C_j^{rep}}$;
18 end if;
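The averaging step of an intermediate representative and the two checks its cell members run on it, as an added example that is not the thesis's own code: Equation 4.11 with the counter summation that follows it, the aggregation check $|AR^{*} - AR| < Thr_A$, and the next-hop check (not blacklisted, one cell closer to the base station). The inputs, $Thr_A$ and the hop distances are constructed values.

```python
from typing import Iterable, Tuple

THR_A = 0.5   # assumed aggregation threshold

Input = Tuple[float, float, int]   # (R of the sending representative, C^read, C#)

def aggregate(inputs: Iterable[Input]) -> Tuple[float, int]:
    """Returns (AR_Cj, Cj#): reputation-weighted readings over the total input count (Eq. 4.11)."""
    inputs = list(inputs)
    if not inputs:
        raise ValueError("no readings collected for this query")
    weighted_sum = sum(r * reading for r, reading, _ in inputs)
    count = sum(c for _, _, c in inputs)      # Cj# = C1# + ... + Cj#
    if count <= 0:
        raise ValueError("every input must carry a positive counter C#")
    return weighted_sum / count, count

def rate_aggregation(inputs: Iterable[Input], reported_ar: float) -> str:
    """Member f recomputes AR* from the same inputs and rates C_j^rep's aggregation."""
    ar_star, _ = aggregate(inputs)
    return "alpha_A" if abs(ar_star - reported_ar) < THR_A else "beta_A"

def rate_forwarding(current: str, next_hop: str, blacklist: set, hops: dict) -> str:
    """Member f rates the next hop chosen by C_j^rep.

    hops maps a cell to its distance in cells from the base station; the right
    C^rep is one that is not blacklisted and is exactly one cell closer than cell j.
    """
    ok = next_hop not in blacklist and hops.get(next_hop) == hops[current] - 1
    return "alpha_F" if ok else "beta_F"
```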

Table 4.3: Datasets used in the experimental evaluation section

| Scenario   | Dataset   | Description           | Duration | Frequency | # Attacks |
|------------|-----------|-----------------------|----------|-----------|-----------|
| Scenario 1 | Dataset-1 | No Attacks            | -        | -         | -         |
| Scenario 2 | Dataset-2 | Abrupt Change         | 28       | 1         | 1         |
| Scenario 3 | Dataset-3 | 1-per-2 OO - F. Block | 1        | 2         | 7         |
|            | Dataset-4 | 1-per-2 OO - L. Block | 1        | 2         | 7         |

Cell Representative Replacement Mechanism. The main aim of this mechanism is to inform the representatives of adjacent cells that a low reputation value has been detected for the current cell representative $C^{rep}$, to blacklist $C^{rep}$, and then to select a new cell representative that has the highest reputation value among the remaining cell members. The revocation process starts when $n$ nodes ($n \geq t$) in a cell $C_i$ send revoke messages to the representatives of adjacent cells in order to inform them about the low reputation value that $C_i^{rep}$ has recently reached. Each cell member, say $x$, selects one node (i.e. $y$) that has the highest $R_y$ among the remaining cell members and has never been on the blacklist as a good candidate for the new $C_i^{rep}$. This revoke message is sent as follows:

$\{ x, C_j^{rep}, Q_n, Payload \}$, where

\[ Payload \equiv C_i^{rep} \,||\, R_{C_i^{rep}} \,||\, y \,||\, MAC_{K_{C_{ij}}}(x \,||\, Q_n \,||\, C_i^{rep} \,||\, R_{C_i^{rep}} \,||\, y) \tag{4.13} \]

Each adjacent cell representative, say $C_j^{rep}$, should receive at least $n$ valid requests to participate in the replacement process. A valid request is a request that is received from a cell member that is located in the same cell as the revoked $C^{rep}$, has an acceptable reputation