TSRF: A Trust-Aware Secure Routing Framework in Wireless Sensor Networks

In recent years, trust-aware routing protocol plays a vital role in security of wireless sensor networks (WSNs), which is one of the most popular network technologies for smart city. However, several key issues in conventional trust-aware routing protocols still remain to be solved, such as the compatibility of trust metric with QoS metrics and the control of overhead produced by trust evaluation procedure. This paper proposes a trust-aware secure routing framework (TSRF) with the characteristics of lightweight and high ability to resist various attacks. To meet the security requirements of routing protocols in WSNs, we first analyze features of common attacks on trust-aware routing schemes. Then, specific trust computation and trust derivation schemes are proposed based on analysis results. Finally, our design uses the combination of trust metric and QoS metrics as routing metrics to present an optimized routing algorithm. We show with the help of simulations that TSRF can achieve both intended security and high efficiency suitable for WSN-based networks.


Introduction
With the rapid advancements in Internet of Things (IoT), cloud computing, and social networks, smart city has attracted more and more attention in modern society.Smart city that relies on the different kinds of distributed smart devices can offer a wide range of applications for urban residents, such as environmental monitoring, traffic management, and social entertainments.These applications cannot only improve the living quality of city inhabitants, but also promote the realization of the low-carbon society.
Due to the characteristics of low cost, rapid deployment, and self-organized, wireless sensor networks (WSNs) play a crucial role in constructing the network and facilitate various services for smart city.The ubiquitous sensor nodes can both collect physical information of urban environments and control the public or private facilities in the context of smart city environments.Consequently, many studies of smart city have been made on the basis of WSNs technologies [1,2].
With a limited radio communication range, wireless sensor nodes typically communicate with each other via a multihop path.In this case, the design of routing protocol that determines the data forwarding and transmission path is a key process to consider as it will directly affect the performance of WSNs, such as the network lifetime, packet delivery rates and end-to-end packet delay [3][4][5][6].In this paper, we focus on security aspects of routing protocols in WSNs.Due to the open, distributed, and dynamic nature of WSNs, the routing protocols are highly vulnerable to various attacks [7,8].These attacks can be divided into two types: internal and external.The internal attacks are launched by compromised or malicious nodes in the network.The external attacks are launched by malicious nodes that have not access to the network [9,10].
In order to protect WSNs against malicious and selfish behavior, different secure routing protocols have been developed over the years [11][12][13].However, these routing protocols mainly rely on cryptographic primitives and authentication mechanisms which are not suitable for WSNs.The specific reasons can be summarized as follows: firstly, most cryptographic algorithms, especially the asymmetric encryption process, require high computational capabilities and power consumption [14,15].However, the low-cost sensor nodes are usually resource constrained in memory size, energy capacity, and computational capabilities.Secondly, many encryption and authentication mechanisms in routing protocols require a central authority or centralized administration to operate [16,17], which is usually impractical in WSNs.Finally, the sensor nodes deployed in a unattended area may be compromised by adversaries through physical means.Once the keys are leaked, all the security mechanisms may become ineffective.In other words, conventional secure routing protocols based on cryptographic primitives can resist some types of external attacks, but they cannot provide protection against malicious behavior of internal nodes.
Trust management is an effective solution to the above issues and could be a suitable component for the security architecture of WSNs [7,18].The notion of trust derives from social sciences, which is defined as the degree of beliefs about the behavior of other ones.As the trust management schemes have strong capabilities to identify the malicious entities and offer a prediction of one's future behavior, they can be used as a measure of security for securing routing.In order to find a secure route, the results of trust evaluation help to select the trustworthy next-hop node through which the source node will forward data to the sink node.As a result, a number of trust-based routing protocols have been proposed [19][20][21][22].
However, the traditional trust-based routing protocols still exist several key problems, which can be summarized as follows.Firstly, although the trust-based schemes can deal with the inherent attacks in wireless networks, they will also induce some new risks to which special consideration shall be given.Secondly, trust metric is significantly different from normal routing metrics such as the number of hops, delay, or other QoS requirements [7], but most trust models do not consider the particularity of trust metrics when designing routing protocols.Thirdly, the existing trust-based routing protocols have some limitations such as dependence on specific routing scheme or platform.In other words, security mechanisms may be invalid if the routing protocol of the network is changed.In addition, trust evaluation can be divided into two parts: trust computation and trust derivation [23].Previous trust models mainly focus on the process of trust computation.In fact, the trust information is frequently exchanged in trust derivation to ensure the accuracy of trust evaluation, which dominates the overhead of routing procedure.Therefore, designing an efficient trust derivation scheme is a critical issue in the development of WSN-based networks.
In this paper, we propose a trust-aware secure routing framework (TSRF) in WSNs that aims to address the challenges mentioned above.We first analyze the attacks on trust-aware routing protocols especially the common ones to trust management systems.According to the analysis results, we propose specific trust computation and trust derivation schemes to deal with these attacks, which will be used in our routing framework design.Furthermore, an optimized routing algorithm is designed by utilizing mathematical methods.In our scheme, the routing algorithm consider not only the features of trust metric, but also other QoS requirements in path selection.Finally, we introduce the details of our routing strategies which are not confined to specific routing protocols.By conducting extensive simulations, we show that TSRF cannot only maintain the desirable security of the network, but also significantly reduce the routing overhead.
The rest of this paper is organized as follows.Section 2 provides a brief overview of related work.The common attacks on trust-based routing protocols in WSNs and their solutions are discussed in Section 3. Section 4 proposes a lightweight trust computation method and also designs an optimized routing algorithm by utilizing the theory of semirings.We provide detailed operation of our proposed routing strategies in Section 5, with simulation results and performance evaluation given in Section 6.Finally, important conclusions and potential future works are given in Section 7.

Secure Routing Protocols Based on Cryptographic Primitives.
With the growing trend in the field of security, there has been an increased effort in the research on routing protocols in recent years [24][25][26].SAODV [24] is a security extension of the AODV protocol to resist against some routing attacks.In order to guarantee the data integrity and authenticity, all the routing messages in SAODV are digitally signed.In this case, intermediate nodes cannot send RREP as the RREP message must be signed by the destination node.Although a mechanism called double signature is introduced in SAODV to solve this issue, it will definitely increase the load of intermediate nodes.Cerri and Ghioni developed A-SAODV protocol [25] to mitigate the negative effects of SAODV.In A-SAODV, intermediate nodes reply to RREQs only if they are not overloaded and the source node can determine whether to use single signature or double signature according to the threshold of the current load state.However, the above proposals are security extensions of existing ad hoc routing protocols which are not suitable for resource constrained WSNs.
SAR is a secure routing protocol in WSNs that can discover the shortest path with desired security attributes [26].The source node sets the desired security level for the route.Only the nodes with the same security level, which share encryption keys, can decrypt routing packets.Although SAR can ensure the data confidentiality to a certain extent, cryptographic primitives on which it mainly based will involve significant encryption overhead and limit its attractiveness for WSN applications [27,28].In addition, as the solution mainly utilizes encryption mechanisms, it is unable to prevent an internal attack launched by a compromised sensor node.

Secure Routing Protocols Based on Trust Evaluation.
Driven by the demand for security and efficiency considerations, the trust-based routing protocols have been proposed for WSNs [11,29,30].Paris et al. designed a new crosslayer metric called expected forwarding counter (EFW) for reliable routing in wireless networks.The EFW can motivate the cooperation between nodes and cope with the problem of selfish behavior.In [31], a bayesian game approach for preventing DoS attacks is presented in WSNs.Then, a secure routing protocol is also proposed by combining the bayesian approach with LEACH protocol.These routing protocols only aim at dealing with a particular attack, which is not sufficient to ensure the network security.Karlof and Wagner described the attacks against sensor networks and suggest countermeasures for secure routing [32], but they did not consider the effect of attacks on trust management systems.In other words, some new attacks against trust evaluation such as selfish and colluding attacks and their solutions were not included in the discussion.Yu et al. analyzed various attacks and countermeasures related to trust schemes in WSNs [33].However, they simply categorized the different types of existing attacks and did not design secure routing protocols according to the analysis results.
The fundamental purpose of trust-based routing protocol is to establish a trustworthy and efficient route between two nodes that can send data from the source to the destination.Routing algorithms determine the results of routing selection, which will directly affect the performance of trustbased routing, such as network security, routing delay, and computational overhead.Consequently, routing algorithm is one of the most important components in trust-aware routing protocols.Theodorakopoulos and Baras analyzed the effect of trust metric from the perspective of mathematical methods [18].By utilizing the theory of semirings, they proved that the indirect trust relation can be set up without previous direct interaction.To further study the features of trust metric in routing algorithms, a formal study of trust-based routing was proposed in [7].In this paper, four unique features of trust metric are identified compared with QoS-based routing metrics.The authors also analyzed the compatibility of trust metrics and routing protocols.However, they did not consider the situation that both trust metric and QoSbased metrics are required for designing routing algorithms in practical applications.The applications in WSNs may have different QoS requirements in terms of end-to-end packet delay, packet delivery rates, and network lifetime.Generally speaking, the QoS-based routing metrics should be optimized under the premise of security assurance.
In order to build well-established trust relationships without relying on any predefined assumption, Ren et al. proposed a probabilistic solution based on distributed trust model [34].In the proposal, a secret dealer was introduced in the system bootstrapping phase and provides the sensor nodes with sufficient trust evidences.Although these designs can simplify the process of trust initialization, the need for a centralized secret dealer limits its application to WSNs.Because WSNs inherit the properties of a wireless ad hoc network, where fixed infrastructure is not a necessary component.A novel on-demand unicast routing protocol (TSR) was presented in [23].TSR help the network build a simple trust prediction model based on evaluated node's historical behavior.According to assessment results, the nodes can select the shortest trusted route to transmit required packets.But indirect trust is not considered in TSR, which may affect the accuracy of trust computation.Zahariadis et al. proposed a distributed trust model that relies on both direct and indirect trust observations to evaluate the trust of nodes [35].By applying the trust model to geographical routing scheme, the proposal cannot only reduce the routing overhead but also resist some common attacks.However, this trust-aware scheme depends on the specific routing scheme, which restricts the scope of applications.

Trust Derivation.
The trust evaluation systems normally include two parts: trust computation and trust derivation.Most previous trust-based schemes only focused on the trust computation process by adopting mathematical analysis and modeling tools.In fact, the trust derivation that collects trust information for evaluation dominates the overhead of routing establishment.Consequently, the trust derivation is a major subject of study for trust-aware routing protocols.In [36], a trust-aware routing protocol (TARP) was proposed.Two steps are used to find a trusted neighbor node.The first step is called the "One Hop Check" and will only be initiated by the source node that has some data to send.The source node will send a Neighbor Request to all its neighbors asking them for their trust attributes.Once it receives the trust attributes, the source node will choose the most trusted node.In step two, the source node will make a credit check on the preselection node by communicating directly with its neighbors.For this purpose, the source node will use a different channel and a temporarily higher energy than the one used in step one.The source node will send a far neighbor request to nodes.In this case, more neighbor nodes of preselection node will receive the request and response with a far neighbor reply.However, to implement this approach, frequency-hopping and time synchronization technologies are needed.These complex MAC scheduling mechanisms may limit the applications making it unattractive to WSNs.
Reputation broadcast (also called flooding mechanism) is another common method for receiving recommendations from neighbors [37].The source or the evaluating node broadcast the trust request that carries the identification of the evaluated node.If a receiving node is a neighbor of the evaluated node, it will reply the corresponding trust information.Otherwise, it only forwards the trust request packets.Since flooding is involved in the process, this approach may produce a high overhead and incur lengthy latency.It is obvious that a robust trust derivation procedure relies on adequate collection of trust information from the network for computation.To overcome drawbacks of flooding, the common method is the use of a certain control mechanism in flooding (e.g., setting a small value to the hop limit of broadcast packets).But the performance of these methods is still easily affected by many factors such as network size and node density.

The Analysis of Attacks and Countermeasures
3.1.Network Model.In this paper, we consider a WSN consisting of a few sink nodes and a number of sensor nodes that are randomly distributed in a designated area.Each sensor node is in charge of both detecting events and acting as a router in order to forward packets.All the sensor nodes are resource constrained and have the same limited radio coverage.Consequently, end-to-end communication in We also assume that all the sensor nodes are compromisable if there are no security mechanisms protecting them.In addition, WSNs may consist of sensor nodes from different manufacturers or service providers.In this case, the selfish nodes may not completely cooperate with each other.

The Analysis of Attacks on Routing Protocols.
Routing protocols are the most critical component of the network as they address the problem of how to realize data transmission services.However, many classic routing protocols assume that the operating environment is trustworthy and do not consider security issues.However, this assumption is not realistic in many cases.With the open and remote deployment environment, WSNs are generally susceptible to various attacks, including blackhole attack, wormhole attack, sybil attack, and so on [33,38].Consequently, secure routing is very important to guarantee the network functionality in the face of malicious or selfish attacks.In this paper, we first analyze attacks on routing protocols in WSNs.The common attacks can be illustrated as follows.
(i) Blackhole attack: a malicious node discards all the packets it should forward.(ii) Greyhole attack: an attacker drops certain type of packets (routing packets, data packets from a designated node, etc.) and only forwards part of them.(iii) Sinkhole attack: a compromised node attracts nearly all the traffic from a particular area and disguises itself as a sink node.(iv) Wormhole attack: a pair of adversaries tunnel packets that received in one part of the network and replay them in another part through a low-latency link.(v) Sybil attack: a single node illegitimately presents multiple identities to other nodes in the network.(vii) Sniffing attack: an attacker can intercept and eavesdrop the data of interest.
(viii) Message Tampering: a malicious node tampers the receiving message before forwarding it to other nodes.
(ix) Replay Attack: an attacker may not acquire the data information but can simply replay earlier packets received from other nodes.
As described in Section 1, the attacks can be divided into two types according to their origin: internal and external.In addition, the various attacks can also be categorized into two classes on the basis of their nature [10]: passive and active.In passive attacks, malicious nodes may gather sensitive information or behave selfishly in collaborative operations, such as routing, to passively affect the proper operation of WSNs.In active attacks, malicious nodes may actively request sensitive information, influence the behavior of surrounding nodes, or affect the normal operation of WSNs using attacks such as Denial of Service (DoS).
Table 1 summarizes the different types of attacks, effectiveness of countermeasures, and instances of attack behavior.We can find that trust-based mechanisms can resist the majority of various attacks, while cryptography and authentication mechanisms cannot provide protection against most of the attacks launched by internal malicious nodes.The reason is that the internal sensor nodes in WSNs may have a probability to be compromised by external attackers due to the lack of physical protection.Then the attacker can easily use compromised nodes to obtain the key, which may cause encryption schemes invalid.On the contrary, the security features of trust-based schemes are mainly implemented via distributed intrusion detection mechanisms such as watchdog and pathrater [39].In this case, the malicious or selfish behavior can be seized no matter where the attacks come from (inside or outside of the network).Consequently, trust management can provide a better resistance capability for the internal attacks on routing protocols.In addition, sybil attack and sniffing attack are difficult to detect by trust-based mechanisms, they can be avoided by adopting location verification [35] and frequency-hopping techniques, respectively, which is not in the scope of this paper.

The Analysis of Attacks on Trust Models.
Although trust management systems can deal with most of the existing attacks on routing protocol and help improve the security of the network, they may become a new attractive target for attacks [38,40].For example, due to the cost and resources constraints, the intrusion detection system is difficult to guarantee 100% accuracy of detecting.Consequently, it is possible that some malicious or misbehaved nodes are wrongly included in the trusted set of nodes that provide recommendations at some point.In this case, the misbehaved nodes may launch passive or active attacks on routing protocols and impair the performance of the network.
In this subsection, we identify some possible attacks on trust models for WSNs and discuss their countermeasures.Some of the most common attacks to a trust management system are summarized as follows.
(i) On-off attack: a malicious entity behaves well and badly alternatively in order to remain in the trusted set of nodes.
(ii) Conflicting behavior attack: a malicious node behaves differently to nodes in different groups.
(iii) Selfish attack: a selfish attacker does not reply to recommendation information when receiving a trust request.
(iv) Bad mouthing attack: a misbehaved node provides dishonest recommendations and propagates negative/positive recommendation information about well-behaved/malicious nodes, which might affect the accuracy of trust evaluation.
(v) Collusion attack: more than one malicious node colludes with one another to disrupt the network operation (e.g., providing dishonest recommendations about other nodes).
In order to design a secure framework for trust-aware routing protocols in WSNs, it is necessary to develop corresponding countermeasures against the above attacks, which do not require complex calculation process and much additional overhead.We first introduce an adaptive decay time factor into our trust computation model, which can solve the problems caused by on-off attacks.In our trust evaluation system, the behavior of sensor nodes should be monitored by their neighbors.Both the direct trust and the recommendations provided by other nodes should be considered.In this case, if a conflicting behavior attacker behaves differently to different nodes, it can be quickly detected and expelled from the network.Furthermore, we propose a lightweight trust derivation scheme to resist selfish attacks.By introducing the inconsistency check mechanism, our trust evaluation scheme can also reduce or even eliminate the effects of bad mouth attacks and collusion attacks.The specifications of these countermeasures will be described in Sections 4 and 5.

Routing Algorithm
4.1.System Model.We utilize graph model to analyze routing issues in WSNs.For a weighted directed graph (, , ), the set of vertices  stands for the sensor nodes in the network. ⊆  ×  is the edge set which represents the relations of nodes.The weighted label  stands for metrics used for measuring links or paths.For each (, ) ∈ , we consider that node  is the issuer and node  represents the target.A path Trust model essentially performs trust derivation, computation, and application [20].In this paper, we adopt watchdog [39] as the foundation of detection mechanisms.Each sensor node is responsible for monitoring the behavior of its neighbors and evaluating their trust level.More specifically, the detection results are utilized for the evidence of trust computation.(, ) represents the trust value of node  for node .In our model, node  is the evaluating device and node  is the evaluated one.The trust  of an arbitrary node includes direct trust  and indirect trust .Direct trust is based on direct observations of each node that participates in data communication, while indirect trust, which is also called recommendation trust, stands for the trust relations between distributed nodes without direct interactions.
In order to further construct the routing model and study the optimality of routing protcols, we view   (,   , ℎ) as the physical graph where   stands for the set of directed wireless physical links.Similarly,   (,   , ) denotes the routing graph on which path selection and packet forwarding are performed.Consequently, the routing problems can be considered as the selection of the optimal path on a weighted physical graph   (,   , ℎ) by utilizing the routing metric .In our model, the routing metric  is the combination of the trust metric and other QoS metrics such as delay and packet loss rate, which is constrained by trust graph   (,   , ) and corresponding QoS Graph   (,   , ).All the optimal paths  * can ultimately form the optimal routing graph  *  (,   , ).In this paper, we define the optimal route as the maximizing of the desired service quality under the premise of security assurance.

Trust Computation of Nodes.
Normally, the sensor nodes are highly constrained in terms of computational power, energy, memory, and bandwidth, so the design of security mechanisms for WSNs is significantly challenging.We first propose a lightweight computation method to evaluate the trust value of sensor nodes in WSNs, which is an extension to our previous work [41]: where  () (, ) −1 represents the direct trust value of node  for node  based on node 's past well-behaved behavior, while  () (, ) −1 is the direct trust value of node  for node  based on node 's past malicious behavior. 1 and  2 correspond to the exponential decay time factor of the positive and negative assessment, respectively.The (, )  denotes the assessment for current behavior of device  by utilizing intrusion detection systems.The (, ) is given by where () and () represent the positive and negative assessment for device 's behavior, respectively.These parameters should follow the rule that good reputation is more difficult to gain than the bad one.The value of ( * ) should be set to zero if the judgment for nodes' behavior is not absolutely sure.
In order to deal with on-off attacks, we introduce an adaptive exponential decay time factor , which can be shown as below: where   stands for the current time and  −1 represents the time when the last interaction happens.According to the above equations, the trust value will decrease with the elapse of the time.When  → 0, it means that the results of recent interactions are much more important than those of older ones.The weight factors should depend on the context.An on-off attacker can behave well and badly alternatively to gain a relatively high reputation.In this case, we can set a low value of  for well-behaved records of nodes and set a high value for malicious records.This mechanism implies that the malicious behavior will be remembered for a longer time than the well-behaved behavior.As a result, the on-off attacker is difficult to build a good reputation which requires a long-time interaction and consistent well-behaved behavior of nodes.
Then the following represents the indirect trust evaluation process: In this model, we employ the trust chain to evaluate the indirect trust of sensor nodes.(, ) stands for the direct trust value of node  for node .(, ) represents the direct trust value of node  for node  that provides the recommendation data.To deal with the bad mouthing attack and collusion attack, we propose an inconsistency check scheme, which is given by As previously mentioned, the collected recommendations may include false data provided by bad mouthing attackers and collusion attackers.For each recommendation, our trust computation model uses a threshold  to determine whether the data is suspicious.If |(, )  − (, )  | > , the recommendation data will be discarded.In this case, if a malicious node that is incorrectly included in the trusted set of devices provides false data, it can be quickly detected as its false recommendation may have a significant difference (higher or lower) from true ones.

Trust Computation of Paths.
When a source node prepares to transmit packets to a destination node via multihop communication, it must evaluate the trust value of the route.Different methods based on the results of nodes' trust assessment can be applied to the process of path trust computation.Generally, the design of trust computation of paths should comply with the following rules.Firstly, the trust information cannot be increased via propagation [42].In other words, the trust value of a path should not be greater than the trust value of any intermediate node in the path.Secondly, the destination node is considered to be a trusted entity in trust management systems and its trust value for any other node in the path should be set to 1.
If we choose the most trusted path determined by the highest product of all trust values along the path, the trust of a path  can be computed by where node  and node  are neighbors.node  is the next hop of node .As shown in Figure 1, V 0 is the source node and V 5 is the destination node.There are three paths from the source to the destination.Among them, (V 0 , V 3 , V 4 , V 5 ) is the most We can also choose the most trusted path determined by the highest minimum trust values of intermediate nodes in the path.The trust of a path  can be represented as follows: The function min( * ) returns the minimum value from the input set.In this case,

Routing Metrics.
In practical applications, routing metrics may include both trust metric that can ensure the security of the network and QoS metrics which are used for improving the service quality.So the routing metrics of a path  can be denoted by () ≜ ((),  1 (),  2 () ⋅ ⋅ ⋅   ()), where  1 (),  2 () ⋅ ⋅ ⋅   () are different QoS metrics of the path .As described above, the different calculation method of routing metrics, such as trust metrics, may effect the results of routing selection.In order to avoid interfering with the design of routing algorithms, we introduce a mathematical theory called semiring in this paper.The rigorous mathematical proof and mathematical properties of semiring were proposed in [7,18].Definition 1.A semiring is an algebraic structure (, ⊕, ⊗, 0, 1, ⪯), where  is a set.⊕, ⊗, and ⪯ are operators with the following properties.
(i) ⊕ is commutative and associative.For ⊕, 0 is a neutral element: (ii) ⊗ is associative.For ⊗, 1 is a neutral element and 0 is an absorbing element:

Routing Selection.
By utilizing the theory of semirings, we can conveniently describe the selection of the optimal route.For example, if we want to choose the most trusted path (V 1 , V  ) in the network, the optimal route is given by where  ∈ (V 1 , V  ).We assume that the trust of the path is computed by (7).Therefore, the operator ⊗  stands for "×" and the operator ⊕  represents "max( * )".Similarly, if we want to find the path with minimum delay, the optimal route can be described as below: where  ∈ (V 1 , V  ). is the delay time of a path.⊗  and ⊕  represent "+" and "min( * )", respectively.Then, we can propose the routing algorithm which considers diverse routing metrics.We assume that  is the set of all the nodes in the network and  * is the set of nodes that have optimal routes to the destination node.When a source node V  ∈  −  * wants to find its optimal route to the destination node V  , it should first sort the routing metrics based on their priorities.We define the priority assignment of routing metrics as ⃗ ((V  , V  )) ≜ ( 0 ,  1 , . . .,   ). 0 has the highest priority ( 0 ⪰  1 ⪰ ⋅ ⋅ ⋅   ).In our model, we think that the QoS of networks should be improved under the premise of security assurance.Consequently, we set  0 = ().Then the source node V  traverses its forwarding set Γ(V  ) which is the set of candidate nodes chosen to forward packets in order to evaluate the trust of path (V  , V  ).We define a threshold of path trust as ((V  , V  )) th .If any path trust value (V  , (V  , V  ), V  ∈ Γ(V  )) is greater than the threshold, it will be added into the candidate set of the optimal paths  *  0 (V  , V  ).If no one can satisfy the security requirements of paths, node V  cannot find the optimal route to node V  and will be disconnected from the network.Similarly, node V  should traverse the route selection process measured by other QoS metrics.Finally, the optimal route from node V  to node V  can be selected, which is denoted by  *  (V  , V  ).The specifics of our routing algorithm are shown in Algorithm 1.

The Scheme of TSRF
5.1.Routing Strategy.Generally, the routing protocols in WSNs have to meet strict energy saving and security requirements.In this section, we propose a lightweight and secure routing scheme which does not rely on specific routing protocols.Figure 2 shows an example on how a source node (V 0 ) finds the optimal route to the destination node (V 11 ).The detailed procedure of our trust-ware routing protocol works as follows.
Step 1.When the source node V 0 prepares to send packets to the destination node V 11 , node V 0 initializes the trust derivation process and sends a trust request packet to its neighbor nodes (e.g., node V 2 ).The trust request is a 6ary tuple, and is denoted as TR = ⟨  ,   , () th , , , ℎ⟩, where   is the evaluating node's ID and   is the evaluated nodes' ID. () th represents the threshold of path trust. is the timestamp and  stands for the sequence number of trust request packet.hl denotes the hop limit of trust request packet.To reduce the overhead of trust derivation procedure, the hop limit value of the trust request packet should be set to one.This value should be decremented by one every time the trust request packet is forwarded if it is not zero.In this example,   is equal to node V 0 's ID and   is equal to node V 2 's ID.Node V 2 that receives the trust request packet should first check if it has already received the same request.If it has, the request should be immediately discarded.If not, the node should broadcast this trust request to all its neighbors.
Step 2. When receiving the trust request packet, the nodes except the evaluating one should check whether the evaluated node is its neighbor (node V 0 will simply discard this request as it is the source of the trust request).If not, it remains silent.Otherwise, the nodes (V 1 , V 3 and V 6 ) may unicast a trust reply to the evaluating node (V 0 ) through the existing reverse routes.Then, these nodes will drop the broadcast trust request packets if the hop limit value is equal to zero.
Step 3.After obtaining the recommendations provided by the neighbors of the evaluated node, the evaluating node V 0 computes the trust value by combining direct trust with indirect trust.Then, node V 0 can determine whether the evaluated node V 2 should be trusted according to the required path trust constraint.The method of trust computation is described in Section 4. Similarly, node V 0 can find a trusted International Journal of Distributed Sensor Networks

Wireless link
Tust request Step 1

Wireless link Tust reply
Step 2 Wireless link Route request Step 3

Wireless link Route request Route reply Data packet Wireless link
Wireless link Step 4 Step 5 Step 6 Untrusted nodes Trusted nodes forwarding set (V 2 , V 3 ) and send the route request to these nodes in the forwarding set.
Step 4. If an intermediate trusted node that receives the route request has the optimal route to the destination node, it will send a route reply to the source node.Then, the source node V 0 can find the optimal route to the destination node V 11 .Go to Step 6.If not, the intermediate trusted node will repeat Steps 1-3 to find the next trusted one.
Step 5. Once the route request hits the destination, the destination node V 11 will send a route reply to the source node V 0 via the selected reverse route.The routing algorithm is described in Algorithm 1.
Step 6.Finally, node V 0 can send data packets to node V 11 through the optimal route.
From the previously mentioned descriptions, we can see that the direct trust derivation process which is based on the direct observations of evaluating node will not produce much communication cost, because it mainly relies on its own detection system.By contrast, the recommendation mechanism is closely related to the communication overhead due to the packet interactions.In this paper, we only choose the recommendations provided by the neighbor nodes of the evaluated one.Because most malicious behaviors can be detected by the neighbors and this mechanism can obviously reduce the overhead of trust derivation.In addition, the whole trust derivation procedure can be monitored by the evaluating node in our scheme.In this case, if a selfish node does not participate in recommendation mechanism for its battery saving, its trust value will be degraded in our trust model and finally be evicted from the network.

Route Maintenance.
When a newly node joins the network, its behavior will be evaluated by its neighbors.As shown in Figure 2, the established route is (V 0 , V 2 , V 6 , V 11 ).In our model, only the upstream node can launch the route maintenance procedure of the downstream node (e.g., V 2 is the upstream node of V 6 ).Each time a transaction takes place, the direct trust of node V 6 for node V 2 will be immediately updated.If the variation of direct trust value of node V 6 for node V 2 is greater than the trust update threshold  (Δ(V 2 , V 6 ) > ), node V 2 will launch the trust evaluation process for node V 6 .The trust evaluation process is similar to the procedure of our trust-ware routing scheme (from Step 1 to Step 3).If the trust value of node V 6 for node V 2 cannot meet the required path trust constraint, node V 2 will send a routing update packet to the source node V 0 via the reverse route.When receiving this routing update packet, node V 0 starts the process of finding the new optimal route.

Simulation Results and Performance Evaluation
In this section, the NS-2 simulator [44] is used to evaluate the performance of TSRF.Our simulations model a network consisting of 100 sensor nodes placed randomly within a 200 m × 200 m area.We define two types of sensor nodes in the simulations: well-behaved nodes and malicious nodes.The malicious nodes can launch greyhole, tampering, onoff, and bad mouth attacks in the simulated scenarios.We first consider the impact on the network caused by each attack; then the case that all the four attacks are launched simultaneously is also be analyzed.All the default simulation parameters that we have chosen are summarized in Table 2.
The simulations can be divided into two parts.First, we analyze the effect of attacks on our scheme by introducing several common attacks into the network.Then, we further discuss the effectiveness and security of our proposed scheme by comparing the performance of TSRF with other trustbased mechanisms in routing protocols.

The Effect of Attacks on TSRF.
We first assume that the malicious nodes launch greyhole attacks (drop 50% packets) and then analyze their impact on the average packet delivery ratio of the network.As shown in Figure 3, the average packet delivery ratio is close to 100% when there are no attacks in the network.However, if there are some malicious nodes launching greyhole attacks (from 10 s), the average packet delivery ratio will suffer a degradation.By introducing TSRF into the classic routing protocol in WSNs (GPSR), the average packet delivery ratio significantly increases as the elapse of simulation time.Because our scheme can help source nodes find trusted routes that exclude the influence of greyhole attackers to the destination node.Furthermore, the threshold of path trust is a critical factor for the trust evaluation process in our design.The higher threshold of path trust (0.4) will lead to a higher packet delivery ratio as it can promote the trust evaluation systems to detect the malicious nodes more quickly.If the network can seize all the behavior of the node correctly, the higher the threshold of path trust we choose, the higher packet delivery ratio can be obtained.However, it is almost impossible to realize it in actual conditions as an error probability of detection may exist in the detection mechanisms.In this case, an unreasonably high value of path trust constraint may cause error trust evaluation events.Consequently, the threshold of path trust should be reasonably selected in the context of different applications.We can get a similar conclusion when the malicious nodes launch message tampering attacks (prevent the valid packets from reaching the destination by modifying the content of packets) in the simulation, which is illustrated in Figure 4.
As shown in Figure 5, the trust value typically grows over time if no abnormal behavior occurs (from 30 s to 70 s).However, the trust value decreases significantly when the malicious nodes launch on-off attacks (from 75 s to 95 s).Generally, we can find that the lower proportion of on-off behavior (20%) makes the malicious node gain a relatively  higher reputation.As an adaptive exponential decay time factor is introduced into our trust evaluation model, the negative assessment will decay more slowly than the positive one.Compared with the trust evaluation process without considering the decay time factor, our proposed scheme can provide better resistance capability against on-off attacks.By utilizing TSRF, the on-off attacker is difficult to build a good reputation or get rid of bad reputation, which requires a long-time interaction and consistent well-behaved behavior of nodes.For example, the trust value of malicious nodes that launch on-off attacks is 0.51 without introducing the adaptive decay time factor, while the trust value of them is equal to 0.29 measured by TSRF (the proportion of malicious behavior = 0.5, at 90 s).
We also proposed an inconsistency check scheme to provide protection against bad mouth attacks, which is illustrated in Figure 6.In the simulation, the bad mouth attackers provide negative/positive recommendation information about well-behaved/malicious behavior.Consequently, the trust value is relatively low when assessing well-behaved behavior (from 30 s to 70 s) under bad mouth attacks, and vice versa.More bad mouth attackers (the proportion of bad mouth attackers = 0.5) may cause a greater impact on trust evaluation process than less ones do (the proportion of bad mouth attackers = 0.25).In this case, our inconsistency check scheme can filter out most of false recommendations as they normally have a significant difference (higher or lower) from the ones provided by well-behaved nodes.Finally, the accuracy of trust evaluation can be improved by adopting the proposed inconsistency check scheme.

The Effectiveness and Security of TSRF.
The procedure of route establishment mainly includes trust derivation and traditional route discovery schemes.In this paper, we proposed a lightweight trust derivation scheme which does not rely on specific routing protocols.We first introduce TSRF into BAR routing protocol and compare its overhead with some conventional trust derivation schemes such as flooding and flooding with hop limit methods.Then, the time spent on routing establishment is also studied by introducing TSRF into GPSR routing protocol.
Routing overhead is an important factor we should consider when designing routing protocol for WSNs.In Figure 7,  we can see that the routing overhead of flooding is much higher than the other three schemes due to its large number of broadcast and rebroadcast packets.The overhead of BAR without security mechanisms and flooding method remains stable as the former mainly depends on network uptime, while the latter depends on the number of nodes in the network.Imposing hop limit in flooding or using our trust derivation approach in TSRF can significantly reduce the routing overhead of the network with security mechanisms.Comparing the two improved schemes, when the average number of neighbor nodes is small, these two schemes produce similar overhead.However, the routing overhead produced by the former will grow with the increasing number of neighbor nodes (node density).In contrast, the overhead produced by TSRF remains relatively stable throughout.For example, when the average number of neighbor nodes is equal to 14, our approach saves 79.4% of routing overhead than flooding with 2-hop limit.More saving can be expected for denser networks.
Figure 8 represents the different time spent to complete the routing establishment process between TSRF and other mechanisms.It is clear that latency performance exhibits similar phenomena as those in routing overhead, with more obvious advantages over other schemes.For example, compared with the flooding with 2-hop limit, our scheme can save 32.2% of time when the average number of neighbor nodes is equal to 14.
To validate the security of TSRF, we assume that malicious nodes will launch greyhole, tampering, on-off, and bad mouth attacks on the network (from 20s).The probability of each one is 25%.In the simulation, we vary the number of malicious nodes and analyze their effects on the average packet delivery ratio.As shown in Figure 9, more malicious   nodes will indeed cause greater damage to the network.TSRF can offer an effective solution to these attacks.By introducing TSRF into existing routing protocol, the average packet delivery ratio has increased constantly, because TSRF will quickly launch a route update procedure to find a trusted route when detecting malicious intermediate nodes in the previous path.TSR [23] is a trust evaluation scheme that only considers the direct trust value.We compare its performance with our proposed scheme when introducing them into the same routing protocol.The correctness of the trust evaluation is based on the accuracy of intrusion detection mechanisms.If all the behavior of nodes can be detected accurately, the indirect trust data are not necessary.However, it is almost impossible to realize it in actual conditions.Consequently, we take an error probability of detection into account and set it to 0.1.In Figure 10, we can see that the average packet delivery ratio will suffer a significant degradation when malicious nodes launch attacks on the network (from 20 s).As some error detecting events may occur in the simulated scenarios, TSRF can improve the security of the network compared with TSR.This situation is more obvious when the number of malicious nodes increases.Because TSRF both take direct trust and indirect trust into consideration, which can provide better resistance capability for error detecting events.

Conclusion and Future Work
In this paper, we first analyzed characteristics of various attacks on trust-based routing protocols.Then, we proposed a lightweight trust computation and trust derivation scheme to deal with these attacks.By utilizing the semirings theory, an optimized routing algorithm was also presented which considered the combination of trust metric and other QoS metrics.Compared with some traditional trust-ware mechanisms, the simulation results showed that TSRF had a wide applicability and could improve the performance of the network under the premise of security assurance, especially in a dense networks.
In the future, we plan to design distributed intrusion detection systems for WSNs which can both enhance the accuracy of trust evaluation and improve the security of WSNs.

(
vi) DoS attack: a DoS attacker can disrupt legitimate communication of other nodes by flooding the network with redundant or false traffic.

Figure 4 :
Figure 4: The effect of tampering attacks.

Figure 5 :
Figure 5: The effect of on-off attacks.

Figure 6 :
Figure 6: The effect of bad mouth attacks.

Figure 8 :
Figure 8: Time spent on routing establishment.

Figure 9 :
Figure 9: The effect of malicious nodes.

Table 1 :
Attacks on routing protocols in WSNs.
a WSN is normally achieved via multihop relaying where a communication path is established in a distributed manner.
International Journal of Distributed Sensor NetworksIncluding  +  = 1,  > 0,  > 0. (, ) represents the trust value of node  for node .(, ) is the direct trust value.(, ) stands for the recommendations provided by node  which belongs to the neighbor set   of node .denotes the number of neighbors and  represents the sequence number of the evaluation records.and  are weighed factors which are associated with the security policies.A larger value for  indicates that the sensor node in WSNs is more convinced about its own judgement.Similarly, a larger value for  means that the recommendations provided by other nodes are more trustworthy in trust evaluation process.In addition, the trust value is subject to 0 ≤  ≤ 1.Generally, we believe that the higher trust value the sensor node is, the more trustworthy it has.The effect of conflicting behavior attacks can be reduced by setting adequate values of  and .Because the behavior of nodes is monitored by its neighbors in the network, if a malicious node behaves differently to different nodes, it can be detected by considering the combination of direct trust and indirect trust.The computation of direct trust is given by