Ad Hoc Networks xxx (2008) xxx–xxx (article in press). Journal homepage: www.elsevier.com/locate/adhoc

E-Hermes: A robust cooperative trust establishment scheme for mobile ad hoc networks

Charikleia Zouridaki a, Brian L. Mark a,*, Marek Hejmo a, Roshan K. Thomas b

a Department of Electrical and Computer Engineering, George Mason University, Fairfax, VA 22030, USA
b SPARTA, Inc., 5875 Trinity Parkway, Suite 300, Centreville, VA 20120, USA

* Corresponding author. Tel.: +1 703 993 4069; fax: +1 703 993 1601.
E-mail addresses: [email protected] (C. Zouridaki), bmark@gmu.edu (B.L. Mark), [email protected] (M. Hejmo), roshan.thomas@sparta.com (R.K. Thomas).

Article history: Received 29 December 2006; received in revised form 6 October 2008; accepted 8 October 2008; available online xxxx.

Keywords: Security; Trust establishment; Reliability; Performance; Routing

1570-8705/$ - see front matter © 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.adhoc.2008.10.003

Please cite this article in press as: C. Zouridaki et al., E-Hermes: A robust cooperative trust establishment scheme ..., Ad Hoc Netw. (2008), doi:10.1016/j.adhoc.2008.10.003

Abstract

In a mobile ad hoc network (MANET), a source node must rely on intermediate nodes to forward its packets along multi-hop routes to the destination node. Due to the lack of infrastructure in such networks, secure and reliable packet delivery is challenging. We propose a robust cooperative trust establishment scheme to improve the reliability of packet delivery in MANETs, particularly in the presence of malicious nodes. In the proposed scheme, each node determines the trustworthiness of the other nodes with respect to reliable packet forwarding by combining first-hand trust information obtained independently of other nodes and second-hand trust information obtained via recommendations from other nodes. First-hand trust information for neighbor nodes is obtained via direct observations at the MAC layer whereas first-hand information for non-neighbor nodes is obtained via feedback from acknowledgements sent in response to data packets. The proposed scheme exploits information sharing among nodes to accelerate the convergence of trust establishment procedures, yet is robust against the propagation of false trust information by malicious nodes. We present simulation results which demonstrate the effectiveness of the proposed scheme in a variety of scenarios involving nodes that are malicious with respect to both packet forwarding and trust propagation.

1. Introduction

In recent years, there has been considerable interest in the topic of trust establishment for ad hoc networks. Trust establishment is an important and challenging issue in the security of ad hoc networks [1]. The lack of infrastructure in a mobile ad hoc network (MANET) makes it difficult to ensure the reliability of packet delivery over multi-hop routes in the presence of malicious nodes acting as intermediate hops. In this paper, we present a robust, cooperative trust establishment scheme, called E-Hermes (Extended-Hermes), which enables a given node to identify other nodes in terms of how "trustworthy" they are with respect to reliable packet delivery. The proposed scheme is cooperative in that nodes exchange information in the process of computing trust metrics with respect to other nodes. At the same time, the scheme is robust in the presence of malicious nodes that propagate false trust information.

The proposed scheme extends our earlier work on Hermes [2], a trust establishment framework that incorporates a Bayesian approach for trust computation as well as the notion of confidence, based on first-hand observations of packet forwarding behavior obtained by neighbor nodes. In Hermes, trust establishment of non-neighbor nodes relies on the second-hand trust information obtained from the propagation of recommendations. This approach is vulnerable to attacks by nodes that propagate erroneous trust information in the network. The trust establishment scheme proposed in the present paper avoids such attacks by extending the notion of first-hand evidence among
neighbor nodes to non-neighbor nodes by employing a secure acknowledgement protocol.

The main contribution of the present paper¹ is a trust establishment scheme for MANETs, which addresses the propagation of false trust information with respect to packet forwarding behavior. The proposed E-Hermes scheme obtains first-hand trust information with respect to non-neighbor nodes and combines this information with second-hand trust information to accelerate the establishment of trust in an ad hoc network. The key novel components of the proposed trust establishment scheme are an acknowledgement scheme for first-hand trust information with respect to non-neighbor nodes and a recommendation scheme that is robust against the propagation of false trust information by malicious nodes. The proposed scheme, in conjunction with a routing protocol based on the computed trust metrics, should lead to improved packet delivery in the presence of misbehaving nodes.

The remainder of the paper is organized as follows: Section 2 reviews related work on trust establishment in ad hoc networks and sets the context for the present paper. Sections 3 and 4 discuss the core concepts and advances of the paper. Section 5 addresses the security properties of the proposed trust establishment scheme. Section 6 presents results from simulation experiments that demonstrate the robustness and key properties of the proposed scheme. Finally, the paper is concluded in Section 7.

2. Background and scope of work

2.1. Related work

In recent years, there has been considerable interest in the topic of trust establishment for ad hoc networks. The authors of [1] present a high-level framework for generation, revocation and distribution of trust evidence and demonstrate the significance of estimation metrics in trust establishment. A mechanism for trust evidence dissemination based on a model of ant behavior is proposed in [4] along the lines suggested in [1]. Others have approached trust establishment based on the use of a Bayesian framework [5,2]. In this framework, a random variable that follows the beta distribution is associated with the trust value of a node. Also, the posterior distribution that represents a notion of trust is derived from a prior distribution. The Bayesian approach was initially explored in [5]. The Hermes scheme presented in [2] builds on the Bayesian approach by incorporating the notion of statistical confidence associated with a trust value.

In [6], a trust model is presented that allows the evaluation of the reliability of the routes, using only first-hand information. The notion of confidence as it relates to trust management was explored in [7] and a semi-ring approach was suggested to evaluate trust and confidence along network paths. In [8], a framework for stimulating cooperation in MANETs is proposed. The approach is based on a credit system for packet forwarding while trusted hardware is assumed. The goal of collaboration is also pursued in [9], which proposes a trust management model, whereby each node carries a portfolio of credentials, which it uses to prove its trustworthiness. An autonomous trust establishment framework is proposed in [10,11], which relies on the introduction of pre-trusted agents and a public key infrastructure.

¹ A preliminary version of this work was presented in [3].

2.2. Hermes framework

The Hermes framework for trust management introduced in [2] maps trust and confidence into a new composite metric, called "trustworthiness", which can be more easily used for making network decisions such as route selections. Furthermore, Hermes deals directly with the issue of how evidence can be collected from the network to establish and update trust. The work in [6] uses only first-hand information, while Hermes incorporates third-party information to derive the notion of an opinion that a given node has for any other node. While many of the works deal with qualitative or abstract notions of trust, the Hermes framework provides metrics and mechanisms for establishing trust quantitatively with respect to the objective of reliable packet delivery.

The majority of papers related to MANET security focus on securing the route discovery phase of an ad hoc routing protocol. By contrast, the Hermes framework is intended to provide the means to thwart a class of attacks on packet delivery in MANETs during the data transmission phase rather than the route discovery phase. Most of the well-known MANET routing attacks discussed in the literature, such as the wormhole and Sybil attacks, are attacks on the route discovery phase of a routing protocol. Various authors have proposed schemes for avoiding such attacks [12,13] in the route discovery phase.

The Hermes scheme is needed because even if routes are discovered correctly by means of a secure routing protocol, nodes can misbehave during the data transmission phase even if the route is a valid one. Most of the secure routing protocols in the recent literature do not deal with such attacks that occur during the data transmission phase, i.e., packet dropping and packet misforwarding. Moreover, an insider node may behave correctly during the route discovery phase, but then begin misbehaving during the data transmission phase. Secure routing protocols generally do not provide any defense against such attacks.

2.3. Overview of Hermes trust establishment

The notion of trust and trust relationships have been studied extensively in the literature [14]. Associated with the notion of trust is confidence, which is a measure of the level of assurance in the trust relationship. It is helpful to combine trust and confidence into a composite notion called trustworthiness [2] as it makes trust-related computations more straightforward. We apply all these notions to the problem of reliable packet delivery in MANETs. First-hand information on packet delivery is what can be directly observed by the sender in a path, whereas second-hand information is obtained via third parties. The literature discusses the conveyance of second-hand information through a variety of schemes such as recommendations [6,15–18]. In Hermes [2], opinions represent a combination of first-hand and second-hand information, the latter being gathered through recommendations.

We briefly review the notions of trust, confidence, and trustworthiness introduced in the original Hermes scheme. For further details, the reader is referred to [2]. Consider a given node that is observed over time with respect to its packet forwarding behavior. Let $A$ denote the cumulative number of packets forwarded correctly and let $M$ denote the cumulative number of packets sent for forwarding by the node up to the current time. Then the trust value, $t$, assigned to a node is defined as follows:

$$ t \triangleq \frac{A}{M}, \tag{1} $$

where $0 \le t \le 1$. A value of $t$ equal to one indicates absolute trust, whereas a value close to zero indicates low trust. This definition of trust is based on Bayesian statistics [5].

The confidence value, $c$, associated with the trust value $t$ is defined as follows:

$$ c = 1 - \sqrt{\frac{12A(M - A)}{M^2(M + 1)}}, \tag{2} $$

where $0 \le c \le 1$. A value of $c$ close to one indicates high confidence in the accuracy of the computed trust value $t$, whereas a value close to zero indicates low confidence. The confidence metric is important because a sufficient number of observations must be collected before the empirical trust value $t$ can be considered statistically meaningful. Due to the time-varying, unreliable, and asymmetric characteristics of wireless links and also node mobility, a node X may observe that its downstream neighbor node Y received a packet sent to it by node X, but fail to observe that node Y subsequently forwarded the packet on to node Z, the downstream neighbor of node Y. Such errors will incorrectly bias the value of the counter $A$, but can be treated as random noise which will be averaged out when the counter $M$ is sufficiently large, i.e., when $c$ is sufficiently close to 1.

At a given time instant a node can be characterized by a pair $(t, c)$. In particular, node $i$ characterizes its trust in node $j$ by the pair $(t_{i,j}, c_{i,j})$. The trustworthiness metric characterizes a pair $(t, c)$ of trust and confidence values into a single value to facilitate trust-based decisions. The trustworthiness associated with a pair $(t, c)$ is defined as [2]

$$ T(t, c) \triangleq 1 - \frac{\sqrt{(t - 1)^2 + r^2 (c - 1)^2}}{\sqrt{1 + r^2}}, \tag{3} $$

where $r$ is a parameter that determines the relative importance of the trust value $t$ vs. the confidence value $c$. The "default" value of trustworthiness is defined as

$$ T_{\mathrm{def}} \triangleq T(0.5, 0), \tag{4} $$

which represents the trustworthiness value assigned to a node when its assigned trust and confidence values are $t = 0.5$ and $c = 0$, respectively. Thus, the value $T_{\mathrm{def}}$ represents ignorance about the trustworthiness of a node. The value $T_{\mathrm{def}}$ can be interpreted as an initial threshold for trustworthiness. If the trustworthiness of a node exceeds $T_{\mathrm{def}}$, then the node is considered trustworthy or good. Otherwise, the node is viewed as untrustworthy or bad.

In addition to $T_{\mathrm{def}}$ we also define $c_{\mathrm{acc}}$ as an acceptability threshold with respect to the confidence level. The concept of acceptability is used in calculating second-hand trust information (see Section 4.1). The pair $(t, c)$ is acceptable if a sufficient amount of observation data has been accumulated such that $c > c_{\mathrm{acc}}$. We remark that each node may choose a different value of $c_{\mathrm{acc}}$ to implement its own policy in determining the acceptability of trustworthiness values. The choice of $c_{\mathrm{acc}}$ is a tradeoff between accuracy and convergence time. If $c_{\mathrm{acc}}$ is large (i.e., close to one), the trustworthiness values obtained will be more accurate, but the convergence time will be longer.

2.4. Scope of E-Hermes

The E-Hermes scheme proposed in the present paper addresses one of the major limitations of the original Hermes scheme in its attack model and further provides additional improvements. Even when the routing protocol is not secure, the E-Hermes scheme can mitigate the effects of routing attacks such as the wormhole and Sybil attacks, as discussed in Section 5. Hermes assumes that when a node forwards packets correctly, it also propagates trustworthiness values honestly and vice versa. However, these sets of behaviors can be independent. The focus of this paper is to extend the Hermes scheme to address an attacker model where nodes can exhibit these malicious behaviors independently, i.e., failure to forward packets is independent of the honesty with which trustworthiness values are propagated about other nodes.

Another extension over Hermes is a novel mechanism for deriving trustworthiness values for non-neighbor nodes based on first-hand information from acknowledgements, as opposed to relying on second-hand recommendations alone. These extensions to Hermes were introduced in an earlier paper [3]. The present paper goes beyond [3] by including the following: (1) a more complete formulation of the E-Hermes scheme; (2) a more detailed analysis of security properties; (3) a discussion of the behavior of E-Hermes under various attack scenarios; (4) a discussion of the communication and computational overhead; (5) a simpler formulation of the acknowledgement scheme; and (6) additional simulation results. The key security properties provided by the E-Hermes scheme, beyond what is provided in the original Hermes scheme [2], are summarized as follows:

(i) Ability to capture independent packet forwarding and trust propagation misbehaviors.

(ii) Resilience to the presence of bad nodes and bad recommenders.

(iii) Resilience to attacker placement.

In addition, the E-Hermes scheme provides faster convergence and more robustness than the original Hermes scheme due to the gathering of first-hand trust information for non-neighbor nodes via the proposed acknowledgement scheme.


2.5. Attacker model

In this paper, we assume an attacker model in which a node may drop, misroute or replay data packets that it is supposed to forward under a given routing protocol. A node that performs this type of attack with a certain statistical regularity is referred to as a bad node. A node that forwards the majority of its packets correctly, with statistical regularity, is referred to as a good node. Analogously, we define a bad recommender as a node that incorrectly propagates recommendations with a certain statistical regularity. Conversely, a node that propagates recommendations correctly, with high statistical regularity, is a good recommender.

The above notions can be made more precise by modeling the frequency with which a node causes a fault in terms of probabilities. More specifically, for each node $i \in \mathcal{N}$, let $B_f^i$ denote the probability that node $i$ incorrectly forwards a data packet and let $B_t^i$ denote the probability that it incorrectly propagates a recommendation.

Definition 1. Node $i$ is defined to be bad if $B_f^i < T_{\mathrm{def}}$. Conversely, node $i$ is good if $B_f^i > T_{\mathrm{def}}$.

Definition 2. Node $i$ is defined to be a bad recommender if $B_t^i < T_{\mathrm{def}}$. Conversely, node $i$ is a good recommender if $B_t^i > T_{\mathrm{def}}$.

We shall assume that every node, whether good or bad, forwards ACK or NACK packets corresponding to packets that it has forwarded earlier. This assumption simplifies the security discussion in Section 5, but does not represent any limitation in the E-Hermes scheme itself. In the E-Hermes framework, a given node X has nothing to gain by failing to forward an ACK or NACK packet associated with a packet that it has forwarded previously. If node X fails to forward an ACK/NACK packet, node X will be penalized by all of the upstream nodes on the associated route as though it had not forwarded the original packet.

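[Figure 1: two panels, (a) and (b), each showing a path through the nodes labelled s, x, y1, y2, y3, yn-i and d, with a NACK travelling upstream; the label FIN marks the first intermediate node.]

Fig. 1. Processing of NACKs.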

3. First-hand trust evaluation

In this section, we present a new scheme for gathering first-hand trust information from non-neighbor nodes using acknowledgements.

3.1. Wireless channel snooping nodes

In the Hermes scheme, nodes evaluate the trustworthiness of their neighbors by snooping the wireless channel. It is assumed that the nodes are equipped with omnidirectional antennas and that they do not employ dynamic power control. We use the term fault to denote an event in which a node fails to forward a packet correctly to its next hop. A fault may occur due to malicious or non-malicious misbehavior of a node. Non-malicious packet forwarding misbehavior may be due to such phenomena as network congestion, node mobility, or node malfunction.

Consider a very simple route $\{x, y, z\}$. In this scheme, a given node $x$ in the network maintains counters $M_y$ and $A_y$ for a neighbor node such as $y$. We refer to the sets of counters $\{M_y\}$ and $\{A_y\}$ as M-counters and A-counters, respectively. The counter $M_y$ records the total number of packets sent from node $x$ to node $y$ for forwarding to $z$ over an observation window. The counter $A_y$ records the total number of packets forwarded correctly (not dropped or misrouted) from node $y$ to node $z$.

The counters $M_y$ and $A_y$ are updated as follows. Whenever a packet $p$ is forwarded from node $x$ to node $y$, $M_y$ is incremented by one and a timer is initiated. The timeout interval is set to a value greater than the maximum round-trip time (RTT) between two neighbor nodes in the network. If node $x$ observes a copy of packet $p$ forwarded from node $y$ correctly to the next hop (say node $z$) before the timer expires, the counter $A_y$ is incremented by one. Otherwise, the counter $A_y$ is not updated.

Definition 3. The expiry of the timer indicates that an incorrect packet forwarding event has occurred. We refer to this event as a fault. When a fault attributed to node $y$ occurs, the counter $M_y$ is incremented by one and $A_y$ is not updated. In this case, we say that node $x$ penalizes node $y$.

3.2. Acknowledgement scheme

We now propose an acknowledgement scheme to evaluate first-hand trust when the underlying routing protocol is based on source routing, such as DSR [19]. To incorporate trust into source routing, nodes must establish trust for non-neighbor nodes. We remark that for distance vector routing protocols, such as AODV [20], it is sufficient to establish trust only for neighbor nodes.

To obtain first-hand information from non-neighbor nodes, we propose an acknowledgement scheme. Consider the topology given in Fig. 1. When node $x$ forwards packet $p$ to node $y_1$, it initiates an acknowledgement timer with timeout interval $t_{\mathrm{ack}}$ and updates the M-counters for the downstream intermediate nodes as follows:

$$ M_{y_i} \leftarrow M_{y_i} + 1, \quad 1 \le i \le n - 1. \tag{5} $$

The value of timeout interval $t_{\mathrm{ack}}$ should be larger than the maximum round-trip propagation time along the given path in the network.

If node $x$ receives an acknowledgement (ACK) packet from node $y_1$ within the timeout interval, it forwards the ACK to its upstream neighbor and updates the A-counters for all of the downstream intermediate nodes as follows:

$$ A_{y_i} \leftarrow A_{y_i} + 1, \quad 2 \le i \le n - 1, \tag{6} $$

which indicates that all of the downstream nodes had correctly forwarded the packet $p$. Since node $y_1$ is a direct neighbor of node $x$, the counter $A_{y_1}$ is updated based on observation of the packet forwarding behavior at the MAC layer as discussed earlier in Section 3.1.

In the case when an ACK is not received within the timeout interval, the node creates a negative acknowledgement (NACK) packet and sends the NACK to its upstream neighbor on the path. This situation is illustrated in Fig. 1, where the dashed arrow from node $x$ to node $y$ indicates that $x$ penalizes $y$ for the fault and the solid arrow indicates the transmission of a NACK. Fig. 1a illustrates the subcase where node $x$ receives a NACK from node $y_2$ and Fig. 1b illustrates the subcase when node $x$ receives a NACK from node $y_1$. The distinction between the two subcases is that $y_1$ is a first intermediate node (FIN), i.e., the first node downstream from the recipient of the NACK.

Consider the subcase in which the NACK originates from node $y_i$, $2 \le i \le n - 1$. Here, node $x$ infers that a fault occurred on the link $(y_i, y_{i+1})$, but cannot identify which of the two nodes $y_i$ and $y_{i+1}$ caused the fault ($y_2$ or $y_3$ in Fig. 1a). Therefore, node $x$ penalizes both nodes of the link. To avoid penalizing the nodes downstream from $y_{i+1}$, the M-counters for these nodes are decremented by one:

$$ M_{y_j} \leftarrow M_{y_j} - 1, \quad i + 2 \le j \le n - 1. \tag{7} $$

On the other hand, the intermediate nodes $y_1, \ldots, y_{i-1}$ should receive credit for correctly forwarding the packet. This is done by incrementing the corresponding A-counters by one:

$$ A_{y_j} \leftarrow A_{y_j} + 1, \quad 1 \le j \le i - 1. \tag{8} $$

In the subcase where the NACK originates from FIN node $y_1$, if node $x$ had previously observed at the MAC layer that node $y_1$ correctly forwarded packet $p$, then node $x$ assumes that node $y_2$ failed to forward the packet correctly. In other words, since $y_1$ is the FIN, $x$ can monitor the forwarding behavior of $y_1$ at the MAC layer, allowing it to isolate the fault to $y_2$. To avoid penalizing the nodes downstream from $y_2$, the M-counters for the nodes $y_3, \ldots, y_{n-1}$ are decremented by one:

$$ M_{y_i} \leftarrow M_{y_i} - 1, \quad 3 \le i \le n - 1. \tag{9} $$

On the other hand, if node $x$ had observed at the MAC layer that node $y_1$ incorrectly forwarded the packet $p$ (see Fig. 1b), then the nodes downstream from $y_1$ should not be penalized. Therefore, node $x$ decrements the M-counters for these nodes by one:

$$ M_{y_i} \leftarrow M_{y_i} - 1, \quad 2 \le i \le n - 1. \tag{10} $$

In both subcases, node $x$ forwards the NACK to its upstream neighbor. In subcase (b), node $x$ verifies whether or not node $y_1$ correctly forwarded packet $p$ based on snooping the wireless channel. However, in some networks, channel snooping may be vulnerable to certain types of attack (cf. Section 5.6). In such networks, subcase (b) should be handled similarly to subcase (a), i.e., both nodes $y_1$ and $y_2$ are penalized upon receipt of a NACK originating from $y_1$. Note that the A and M counters are maintained only for downstream nodes. Upon receipt of a NACK, both ends of the associated link are penalized (except in subcase (b), with channel snooping) even if only one of the nodes may be responsible for the fault. However, this effect diminishes as more observation data involving the two nodes with respect to different flows is accumulated over time.

3.3. Computing trustworthiness

Given the counters $M_y$ and $A_y$, maintained for both neighbor and non-neighbor nodes with which a source node interacts, the number of packets forwarded incorrectly by node $y$ is given by $B_y \triangleq M_y - A_y$. Then the trust and confidence that $x$ attributes to $y$ over an observation window are given by (cf. (1) and (2))

$$ t_y = t(A_y, B_y) \quad \text{and} \quad c_y = c(A_y, B_y), $$

from which the trustworthiness value $T_y$ can be computed via (3).
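The counter rules of Sections 3.1 to 3.3 (Eqs. (1) to (10)), worked through as an added Python example that is not code from the paper. The `Observer` class, the weight r = 0.5, the two constructed routes and the use of the default pair (0.5, 0) for a node with no observations are assumptions of this example.

```python
import math
from collections import defaultdict

# Weight r of Eq. (3); the value is assumed for this example. With Eq. (3) as
# given, a node with t = 0, c = 1 scores below T_def only if r^2 < 0.75.
R = 0.5

def trust_conf(A, M):
    """Eqs. (1) and (2); with no observations use the default pair (0.5, 0)."""
    if M == 0:
        return 0.5, 0.0
    return A / M, 1.0 - math.sqrt(12.0 * A * (M - A) / (M * M * (M + 1)))

def trustworthiness(t, c, r=R):
    """Eq. (3)."""
    return 1.0 - math.sqrt((t - 1) ** 2 + (r * (c - 1)) ** 2) / math.sqrt(1 + r * r)

T_DEF = trustworthiness(0.5, 0.0)  # Eq. (4)

class Observer:
    """A- and M-counters kept by node x for its downstream intermediate nodes.

    A path is the list [y_1, ..., y_{n-1}]; the destination y_n = d is omitted.
    """
    def __init__(self, trust_snooping=True):
        self.M = defaultdict(int)
        self.A = defaultdict(int)
        self.trust_snooping = trust_snooping  # False: snooping is not relied on

    def on_send(self, path):
        for y in path:                        # Eq. (5)
            self.M[y] += 1

    def on_ack(self, path, y1_seen_forwarding=True):
        for y in path[1:]:                    # Eq. (6): y_2 .. y_{n-1}
            self.A[y] += 1
        if y1_seen_forwarding:                # y_1: MAC-layer observation (3.1)
            self.A[path[0]] += 1

    def on_nack(self, path, i, y1_seen_forwarding=True):
        """Process a NACK that originates from y_i (i is 1-based)."""
        if i >= 2:                            # subcase (a): link (y_i, y_{i+1})
            first_spared = i + 2              # Eq. (7)
            credited = path[:i - 1]           # Eq. (8): y_1 .. y_{i-1}
        elif not self.trust_snooping:         # FIN handled like subcase (a)
            first_spared, credited = 3, []    # y_1 and y_2 both penalized
        elif y1_seen_forwarding:              # FIN forwarded: fault is at y_2
            first_spared, credited = 3, path[:1]   # Eq. (9), y_1 credited
        else:                                 # FIN itself faulted
            first_spared, credited = 2, []    # Eq. (10)
        for y in path[first_spared - 1:]:     # undo the Eq. (5) increment
            self.M[y] -= 1
        for y in credited:
            self.A[y] += 1

    def T(self, y):
        return trustworthiness(*trust_conf(self.A[y], self.M[y]))

    def is_good(self, y):
        return self.T(y) > T_DEF

def run_scenario():
    """Constructed flows: y3 drops every packet on route A, route B avoids y3."""
    x = Observer()
    route_a = ["y1", "y2", "y3", "y4"]
    route_b = ["y1", "y2", "y4"]
    for _ in range(20):                       # each NACK originates from y2
        x.on_send(route_a)
        x.on_nack(route_a, i=2)
    after_a = {y: x.is_good(y) for y in route_a}
    for _ in range(30):                       # every packet is ACKed
        x.on_send(route_b)
        x.on_ack(route_b)
    after_b = {y: x.is_good(y) for y in route_a}
    return x, after_a, after_b

if __name__ == "__main__":
    x, after_a, after_b = run_scenario()
    print("T_def = %.4f" % T_DEF)
    for y in ("y1", "y2", "y3", "y4"):
        print(y, "M=%d A=%d T=%.4f" % (x.M[y], x.A[y], x.T(y)),
              "good after A:", after_a[y], "good after B:", after_b[y])
```

After route A alone, y2 and y3 carry identical counters because both ends of the faulty link are penalized; the ACKed flow on route B lifts y2 above T_def while y3 stays below it.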

3.4. Authentication of packets

Authentication of every data, recommendation, ACK,and NACK packet is required to protect the networkagainst modification and impersonation attacks. We adopta variation of the scheme proposed in [21] for hop-by-hopauthentication, based on hash chains. We assume that thenodes have already established a set of pairwise keys usinga key management protocol [22,23]. If a secure routingprotocol is in place, the keys established for secure routingcan be used to secure the E-Hermes scheme. Let Ki;j denotethe shared key between node i and node j. Consider a pathR ¼ fs; a1; a2; . . . ; an�1; an ¼ dg, where n P 2, from sourcenode s to destination node d. Let k denote the sequencenumber of a given data packet that is forwarded alongthe path R.

3.4.1. Data and recommendation packets

As in [21], the authentication field, A, of a data packet with data field D sent along route R, consists of a sequence of message authentication codes (MACs):

$$A = [M_n, M_{n-1}, \ldots, M_1].$$

The MACs are defined as follows:

$$M_n = f(K_{s,a_n}, D),$$

and for $i = 1, \ldots, n-1$:

$$M_i = f(K_{s,a_i}, [D, M_n, \ldots, M_{i+1}]),$$

where $f(K, X)$ denotes the function that produces a MAC from the key K and data X. The authentication field allows each intermediate node to authenticate the packet and protects against malicious intermediate nodes that try to tamper with the MAC field of a downstream node. In the E-Hermes scheme, the intermediate nodes along the route need to be able to authenticate data packets in order to collect packet statistics to derive first-hand trust information.
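The nested authentication field described above can be exercised as follows; this is an added example, not code from the paper or from [21]. It assumes HMAC-SHA256 for $f$, a length-prefixed byte encoding of $[D, M_n, \ldots, M_{i+1}]$, and constructed keys and payload; the helper names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac


def f(key: bytes, data: bytes) -> bytes:
    """MAC function f(K, X); HMAC-SHA256 is this example's choice."""
    return hmac.new(key, data, hashlib.sha256).digest()


def covered(data: bytes, downstream: list[bytes]) -> bytes:
    """Encode [D, M_n, ..., M_{i+1}] as bytes. The 4-byte length prefix is an
    assumption of this example; it keeps the D / MAC boundary unambiguous."""
    return len(data).to_bytes(4, "big") + data + b"".join(downstream)


def build_auth_field(keys: list[bytes], data: bytes) -> list[bytes]:
    """Source s: return A = [M_n, M_{n-1}, ..., M_1]; keys[i-1] is K_{s,a_i}."""
    field: list[bytes] = []
    for i in range(len(keys), 0, -1):          # i = n, n-1, ..., 1
        # Here field == [M_n, ..., M_{i+1}] (empty when i == n).
        field.append(f(keys[i - 1], covered(data, field)))
    return field


def verify_at_node(i: int, key: bytes, data: bytes, field: list[bytes]) -> bool:
    """Node a_i recomputes M_i from D and the downstream MACs M_n..M_{i+1}."""
    n = len(field)
    if not 1 <= i <= n:
        return False
    expected = f(key, covered(data, field[: n - i]))
    return hmac.compare_digest(expected, field[n - i])   # field[n-i] is M_i


# Constructed sample: route s -> a1 -> a2 -> a3 = d (n = 3) with made-up keys.
KEYS = [b"constructed-K_s_a1", b"constructed-K_s_a2", b"constructed-K_s_a3"]
DATA = b"constructed payload, sequence number 7"


def check_route(data: bytes, field: list[bytes]) -> list[bool]:
    """Verification outcome at a_1, ..., a_n for the packet (data, field)."""
    return [verify_at_node(i, KEYS[i - 1], data, field)
            for i in range(1, len(KEYS) + 1)]


def tampered(field: list[bytes], i: int) -> list[bytes]:
    """Copy of the field with one bit of M_i altered in transit."""
    n = len(field)
    out = list(field)
    out[n - i] = bytes([out[n - i][0] ^ 0x80]) + out[n - i][1:]
    return out


if __name__ == "__main__":
    A = build_auth_field(KEYS, DATA)
    print("clean packet :", check_route(DATA, A))
    print("data modified:", check_route(DATA + b"!", A))
    for i in (3, 2, 1):
        print("M_%d altered  :" % i, check_route(DATA, tampered(A, i)))
```

Because each $M_i$ covers every MAC with a higher index, altering the MAC of a downstream node is rejected at the very next hop, whereas altering $M_1$ goes unnoticed by $a_2$ and $a_3$, whose MACs do not cover it.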

Recommendation request and reply packets are not used to collect first-hand trust information. Therefore, for recommendation packets, it suffices for the authentication field to consist only of a single MAC computed using the shared key between the recommender and the source of the recommendation request.

3.4.2. Control packets

In [21], the authentication fields of each ACK or NACK control packet are designed to satisfy three properties: (i) forging is impractical, (ii) an ACK or NACK verified at one non-faulty node on a path, also verifies at all non-faulty nodes on the path, (iii) authentication of node identities. We extend the scheme of [21] to provide a fourth property: (iv) authentication of whether the packet is an ACK or a NACK.

A one-way hash function $h(\cdot)$ and hash chains of length three, associated with each control packet, are used to guarantee these properties. For packet k and intermediate node $a_i$, a hash chain is used to authenticate ACK packets traveling upstream on route R. Let $a_i^0(k)$ denote the initial element of the "ACK" hash chain for node $a_i$ for $i = 1, \ldots, n$. The hash chain element $a_i^0(k)$ is constructed by concatenating the key $K_s^{a_i}$, the sequence number k, and the element 0. The second and third elements in the ACK hash chain associated with packet k and node $a_i$ are

$$a_i^1(k) \triangleq h[a_i^0(k)] \quad \text{and} \quad a_i^2(k) \triangleq h[a_i^1(k)],$$

respectively.

We extend the scheme of [21] by defining a three-element hash chain, associated with packet k and node $a_i$, for the authentication of NACK packets for $i = 1, \ldots, n-1$. Note that a "NACK" hash chain element is not required for the destination node $a_n$, since it never transmits NACK packets. Let $g_i^0(k)$ denote the initial element of the NACK hash chain for node $a_i$. The hash chain element $g_i^0(k)$ is constructed by concatenating the key $K_s^{a_i}$, the sequence number k, and the element 1. The second and third elements in the NACK hash chain associated with packet k and node $a_i$ are

$$g_i^1(k) \triangleq h[g_i^0(k)] \quad \text{and} \quad g_i^2(k) \triangleq h[g_i^1(k)],$$

respectively. When node s transmits data packet k along route R, it concatenates the third elements of the ACK and NACK hash chains associated with the intermediate nodes, i.e.,

$$a_1^2(k), a_2^2(k), \ldots, a_n^2(k), \quad g_1^2(k), g_2^2(k), \ldots, g_{n-1}^2(k).$$

As packet k is forwarded along the path R, each intermediate node $a_i$ ($1 \le i \le n-1$) extracts and stores the hash chain elements corresponding to the downstream nodes.

The scheme of [21] is vulnerable to a certain attack because only a single hash chain, for both ACKs and NACKs, is used. Consider the path $R = \{s, a_1, a_2, a_3, a_4 = d\}$. Since only a single hash chain is used to represent both ACKs and NACKs, node $a_1$ can create a NACK and forward it to the source such that the source will believe that node $a_2$ constructed a NACK for link $(a_2, a_3)$. Consequently, nodes $a_2$ and $a_3$ will be penalized erroneously. With our proposed extension, node $a_1$ cannot launch the aforementioned attack because it cannot create a valid NACK packet attributed to node $a_2$.
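The separate ACK and NACK chains can be checked at an upstream node as in the following added example, which is not code from the paper or from [21]. It assumes SHA-256 for $h$, and assumes that a control packet reveals the second chain element, which the verifier hashes once and compares with the stored third element; the page does not spell out this release rule. Keys, sequence numbers and function names are constructed.

```python
from __future__ import annotations

import hashlib
import hmac

ACK, NACK = 0, 1          # the "element 0" / "element 1" that ends each seed
NAMES = {ACK: "ACK", NACK: "NACK"}


def h(x: bytes) -> bytes:
    """One-way hash h(.); SHA-256 is this example's choice."""
    return hashlib.sha256(x).digest()


def chain(key: bytes, k: int, kind: int) -> tuple[bytes, bytes, bytes]:
    """Three-element chain for packet k: seed = key || k || kind, then h, h."""
    e0 = key + k.to_bytes(4, "big") + bytes([kind])
    e1 = h(e0)
    return e0, e1, h(e1)


def commitments(keys: list[bytes], k: int) -> dict[tuple[int, int], bytes]:
    """Third elements that s attaches to data packet k, keyed by (i, kind).
    ACK chains exist for a_1..a_n, NACK chains only for a_1..a_{n-1}."""
    n = len(keys)
    out: dict[tuple[int, int], bytes] = {}
    for i in range(1, n + 1):
        out[(i, ACK)] = chain(keys[i - 1], k, ACK)[2]
        if i < n:                       # the destination a_n never sends NACKs
            out[(i, NACK)] = chain(keys[i - 1], k, NACK)[2]
    return out


def stored_by(i: int, attached: dict[tuple[int, int], bytes]):
    """Node a_i keeps only the elements of its downstream nodes."""
    return {(j, kind): v for (j, kind), v in attached.items() if j > i}


def classify(store, origin: int, revealed: bytes) -> str | None:
    """Return "ACK", "NACK" or None for a control packet that claims to come
    from a_origin and carries `revealed` (assumed: the second chain element)."""
    digest = h(revealed)
    for kind in (ACK, NACK):
        expected = store.get((origin, kind))
        if expected is not None and hmac.compare_digest(digest, expected):
            return NAMES[kind]
    return None


# Constructed sample: path s, a1, a2, a3, a4 = d (n = 4) with made-up keys.
KEYS = [b"constructed-key-a1-s", b"constructed-key-a2-s",
        b"constructed-key-a3-s", b"constructed-key-a4-s"]
K_SEQ = 7
A1_STORE = stored_by(1, commitments(KEYS, K_SEQ))   # what a_1 holds for packet 7


def second_element(i: int, k: int, kind: int) -> bytes:
    """Element that a_i, which knows its own key, can release for packet k."""
    return chain(KEYS[i - 1], k, kind)[1]


if __name__ == "__main__":
    print(classify(A1_STORE, 2, second_element(2, K_SEQ, ACK)))       # ACK
    print(classify(A1_STORE, 2, second_element(2, K_SEQ, NACK)))      # NACK
    print(classify(A1_STORE, 3, second_element(2, K_SEQ, NACK)))      # None
    print(classify(A1_STORE, 2, second_element(2, K_SEQ + 1, NACK)))  # None
```

The type of a control packet is decided by which stored element the revealed value hashes to, so a value released for an ACK cannot be relabelled as a NACK, and a value from another node or another sequence number verifies as neither.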


4. Formulation of opinions

Node i may need to make routing or other network-related decisions that involve nodes, for example, a node m for which confidence value $c_{i,m}$ is below $c_{acc}$. In this case, second-hand trustworthiness values from third-party nodes are incorporated to form an opinion about node m. The propagation of trustworthiness information to form opinions is accomplished through recommendations.

4.1. Processing recommendations

Definition 4. A recommendation by node j on node m is an assertion by j of the trustworthiness, which it has for node m (denoted as $T_{j,m}$). Node j is called the recommender.

Node i seeks recommendations on a node m when the confidence it has computed for m is below $c_{acc}$ (see Section 2.3). Node i discriminates among multiple recommenders by evaluating a metric called recommender trustworthiness.

Definition 5. Recommender trustworthiness $T^R_{i,j}$ is the trustworthiness that node i places on recommender node j as a measure of how reliably node j propagates trustworthiness information.

Definition 6. A node j is considered a good recommender by node i when the recommender trustworthiness $T^R_{i,j}$ that i places on recommender j exceeds $T_{def}$.

Definition 7. A node j is considered a bad recommender by node i when the recommender trustworthiness $T^R_{i,j}$ that i places on recommender j is smaller than $T_{def}$.

Consider a scenario where node i asks a set of nodes D for their recommendations for node m. Recommendations are sought when a node wishes to establish a route in which some of the nodes have a confidence value smaller than $c_{acc}$. The recommender set D is chosen from among all nodes in the network in the following order of priority: (i) good recommenders, (ii) nodes for which the recommender confidence value $c^R < c_{acc}$, and (iii) all other bad recommenders. We remark that bad recommenders may be chosen as part of the recommender set in order to update their recommender trustworthiness values. The recommender set D is limited to a size d to limit the communication overhead. No mechanisms are in place to obligate nodes to respond to recommendation requests. We assume that node i will receive $f \le d$ recommendations due to network conditions or lack of willingness to respond to the request. Additionally, when node j has a confidence value for node m smaller than $c_{acc}$, j does not reply to node i's recommendation request. Recommendations are authenticated with a message authentication code (MAC) computed using the shared keys between the source s and the destination d of the request or the reply.

After receiving a set $R_m = \{T_{j,m} : j \in D\}$ of recommendations for node m, node i performs the following steps. If the confidence value $c_{i,m}$ is smaller than $c_{acc}$, node i calculates a "temporary" trustworthiness value $\tilde{T}_{i,m}$, which is taken as the maximum trustworthiness value $T_{j,m}$ among the recommenders $j \in D$, i.e.,

$$\tilde{T}_{i,m} = \max\{T_{j,m} : j \in D\}. \qquad (11)$$

The value $\tilde{T}_{i,m}$ is used for routing or any other network-related decisions until subsequent updates result in the value of $c_{i,m}$ exceeding $c_{acc}$.

Fig. 2. Single attacker node.

When $c_{i,m} > c_{acc}$, the trustworthiness of the recommenders $j \in D$ can be evaluated. This is done by performing the following recommender's test or RC-test:

$$\text{RC-test}: \quad |T_{i,m} - T_{j,m}| \le g,$$

where $g \in (0, 1)$ is a threshold value. The RC-test succeeds when the recommended trustworthiness value is close to the first-hand trustworthiness value as defined by the set threshold. Otherwise, the test fails. The outcome of each RC-test for recommender j is used to update counters $A^R$ and $M^R$, where $A^R$ counts the number of times for which the RC-test succeeds and $M^R$ counts the total number of times that the RC-test is applied. The $A^R$ and $M^R$ counters are then used to calculate the recommender trustworthiness $T^R_{i,j}$ according to the trustworthiness formulas (1)–(3).

A node j declines to submit a recommendation for node m to node i when m is the FIN node of j and $g \times 100\%$ of the control packets sent from m to j for a given flow are NACKs. As discussed in Section 3.2, when node m sends a NACK upstream, the source node i attributes the fault both to m and its downstream neighbor. On the other hand, since j is a neighbor of m, it can isolate the fault either to node m or its downstream neighbor. In this case, the trustworthiness that i calculates for m, $T_{i,m}$, and the trustworthiness that j calculates for m, $T_{j,m}$, could be significantly different when m is actually a good node. Thus, the RC-test would fail for node j even though it may in fact be a good recommender.

4.2. Calculation of opinion

We generalize the notion of trustworthiness to the concept of opinion, which incorporates second-hand trustworthiness values from third-party nodes. We denote the opinion that node i has for node m by $P_{i,m}$. The definition for the opinion that any node i has for another node m is given as follows:

$$P_{i,m} \triangleq \max_{j \in C} \{x_{i,j} T_{j,m}\}, \quad \text{for } P_{j,m} \ne T_{def}, \qquad (12)$$

where

$$x_{i,j} = \begin{cases} T^R_{i,j}, & i \ne j, \\ 1, & i = j, \end{cases} \qquad (13)$$

and C is the set of recommenders in D that have passed the RC-test.

Nodes are judged to be good or bad on the basis of the opinion value.

Definition 8. A node j is considered good by node i when the opinion $P_{i,j} > T_{def}$.

Definition 9. A node j is considered bad by node i when the opinion $P_{i,j} < T_{def}$.
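The recommendation handling of Section 4.1 and the opinion of (12)–(13) can be traced with the following added example, which is not the authors' code. It assumes that C is the set of recommenders passing the RC-test on m in the current round, that recommendations equal to $T_{def}$ are skipped, and that $T^R_{i,j}$ is supplied as input because formulas (1)–(3) are not reproduced here; all numeric values except the threshold 0.1 are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class RcCounters:
    a_r: int = 0   # A^R: number of RC-tests the recommender passed
    m_r: int = 0   # M^R: number of RC-tests applied to the recommender


def process_recommendations(t_im: float, c_im: float, recs: dict[int, float],
                            c_acc: float, g: float,
                            counters: dict[int, RcCounters]):
    """Handle recommendations recs = {j: T_{j,m}} received by node i.

    Returns (temporary value per (11) or None, set C of recommenders that
    passed the RC-test). The RC-test only runs once c_{i,m} exceeds c_acc."""
    if not recs:
        return None, set()
    if c_im <= c_acc:
        # Not enough first-hand evidence: take the maximum, touch no counters.
        return max(recs.values()), set()
    passed = set()
    for j, t_jm in recs.items():
        ctr = counters.setdefault(j, RcCounters())
        ctr.m_r += 1
        if abs(t_im - t_jm) <= g:          # RC-test
            ctr.a_r += 1
            passed.add(j)
    return None, passed


def opinion(t_im: float, recs: dict[int, float], passed: set[int],
            t_rec: dict[int, float], t_def: float) -> float:
    """P_{i,m} = max over C of x_{i,j} * T_{j,m}, with x_{i,i} = 1 for node
    i's own first-hand value and x_{i,j} = T^R_{i,j} otherwise."""
    candidates = [t_im]                    # j = i, weight 1
    for j in passed:
        if recs[j] != t_def:               # skip "no information" replies
            candidates.append(t_rec[j] * recs[j])
    return max(candidates)


# Constructed scenario: node i evaluates a node m that forwards few packets.
G = 0.1                                    # RC-test threshold used in Section 6
C_ACC, T_DEF = 0.8, 0.5                    # constructed parameter values
RECS = {3: 0.25, 6: 0.5, 8: 0.18, 9: 0.9}  # node 9 inflates, node 6 sends 0.5
T_REC = {3: 0.95, 8: 0.9}                  # constructed T^R_{i,j} values
T_IM = 0.22                                # node i's first-hand T_{i,m}


def run(c_im: float):
    """Return (temporary value, C, counters, opinion or None) for one round."""
    counters: dict[int, RcCounters] = {}
    temp, passed = process_recommendations(T_IM, c_im, RECS, C_ACC, G, counters)
    p = None if temp is not None else opinion(T_IM, RECS, passed, T_REC, T_DEF)
    return temp, passed, counters, p


if __name__ == "__main__":
    print("confident   :", run(0.9))
    print("unconfident :", run(0.3))
```

With sufficient confidence the inflated value 0.9 fails the RC-test and never enters the opinion, while below $c_{acc}$ the same value is what (11) selects until first-hand evidence accumulates.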

5. Security evaluation

We analyze the resistance of E-Hermes to (1) incorrect data packet forwarding, and (2) incorrect propagation of trust information attacks. As discussed in Section 1, during the data transmission phase authorized or insider nodes may consistently drop, misroute, or replay data packets. The Hermes scheme identifies such misbehaviors in terms of the trustworthiness and opinion metrics, but does not purport to distinguish between malicious or non-malicious misbehaviors. Non-malicious packet forwarding misbehavior may be due to such phenomena as network congestion, node mobility, or node malfunction. Note that we do not distinguish among the various types of data packet forwarding misbehaviors, i.e., packet dropping, misrouting, and replay attacks.

We consider the response of the E-Hermes scheme in various attack scenarios, with respect to a single flow. As we shall see, in each case, the E-Hermes scheme successfully penalizes the bad nodes and bad recommenders. The upstream neighbor of the bad node will also be penalized even if it happens to be a good node, since the ACK scheme penalizes bad links along the route. In general, however, the upstream neighbor will be credited as a good node with respect to other flows. Routing diversity ensures that a good node will be recognized as bad only with low probability.

5.1. Bad nodes

Fig. 2 illustrates the response of Hermes to packet forwarding misbehavior from a single bad node, labelled X, on a route $R_1 = \{Y_2, Y_1, o, X, Z_2, \ldots\}$ corresponding to flow $f_1$. The case of multiple bad nodes along a given path is similar. In Fig. 2, node X incorrectly forwards data packets on flow $f_1$ with probability $B_f^X$, where $0 < B_f^X \le 1$. Since node o is a neighbor of X, it obtains first-hand information about the packet-forwarding behavior of node X at the MAC layer. The nodes upstream of node o, i.e., nodes $Y_1$-$Y_3$, infer first-hand trust information from the NACKs initiated by node o. Since node o is a neighbor of node $Y_1$, node $Y_1$ is able to verify the correct forwarding behavior of node o. Thus, upon receiving a NACK from node o, node $Y_1$ penalizes node X. On the other hand, upon receiving a NACK initiated by node o, nodes $Y_1$ and $Y_2$ penalize both nodes o and X. In this case, node o can be recognized as a good node only through other flows in which node o is not penalized.

In our attacker model, we have assumed that when a node forwards packets correctly, it also propagates ACK and NACK packets correctly, whereas when a node incorrectly forwards data packets, it does not initiate NACK packets. Consider a scenario in which an attacker node X drops or misroutes data packets, and initiates NACK packets in an attempt to accuse its downstream neighbor of incorrect data packet forwarding. Such an attack does not benefit the attacker, since the E-Hermes scheme penalizes both ends of the link at fault. As a result, all non-neighbor upstream nodes of attacker X on the route will penalize node X.

Fig. 4. Attacker node and colluding bad recommender.

5.2. Bad recommenders

The E-Hermes scheme makes use of trustworthiness information exchanged among nodes through recommendations. An obvious attack on the E-Hermes scheme would be for a given node to propagate false trustworthiness information, i.e., the node propagates a trustworthiness value that is different from the value that it would compute if it were following the Hermes scheme. The RC-test (see Section 4.1) ensures that recommendations are accepted only when the recommended trustworthiness value is sufficiently close to the first-hand trustworthiness value computed by the node that asked for the recommendations, provided that $c > c_{acc}$ for this node. If $c \le c_{acc}$, the node only temporarily accepts the maximum value from among all the recommenders. Because of this, bad recommender nodes can be identified by the scheme.

Next, consider the case when a node is falsely categorized as a bad recommender. Due to the RC-test, this categorization does not affect the trust establishment process for a node, since "bad" recommendations are discarded. Fig. 3 illustrates an example of this type of scenario. Source node $Y_2$ establishes route $R_1 = \{Y_2, Y_1, o, X, Z_2, \ldots\}$ for its flow $f_1$. Node X forwards data packets incorrectly with probability $0 < B_f^X \le 1$. X's upstream neighbor node o will initialize NACKs for all packets that are not acknowledged by node X. Node $Y_2$ will penalize both nodes o and X. Now suppose that node $Y_3$ establishes route $R_2 = \{Y_3, Y_1, o, Z_1, \ldots\}$ for its flow $f_2$. Node $Y_3$ sees node o as a good node. If nodes $Y_2$ and $Y_3$ exchange recommendations about node o at this point in time, they will consider each other as bad recommenders. However, this will not affect their trust establishment processes. Moreover, if $Y_2$ collects more observations of node o from flows that do not traverse node X, eventually node $Y_2$ will compute a high trustworthiness value for node o.

5.3. Collusion of bad node and recommender

Fig. 4 illustrates a colluding attack involving a bad node and a bad recommender (yet good node) on a route. Source node $Y_2$ establishes route $R = \{Y_2, Y_1, w, X, Z_1, \ldots\}$ for its flow f. Node X forwards data packets incorrectly with probability $B_f^X$, while node w propagates trustworthiness values for node X higher than the value that a Hermes-compliant node would compute. In doing this, node w is attempting to persuade the upstream nodes on the route that node X is a good node. Node w does not initiate NACKs for the unacknowledged packets that node X incorrectly forwards; otherwise, it would be contradicting itself. Instead, node X would send NACKs itself, while dropping or misrouting packets. In this case, all non-neighbor upstream nodes of the attacker X on the route would correctly penalize the attacker node X.

Fig. 3. Bad recommender false positive.

5.4. Wormhole attack

If a wormhole attack occurs and no mechanism is in place to prevent this attack during the route discovery phase (cf. [12]), the E-Hermes scheme will still be able to identify the misbehaving nodes involved in the wormhole. For example, suppose that two colluding nodes X and Y form a wormhole. They may be connected by a wired link or a wireless link formed using a directional antenna. Thus, nodes X and Y could form part of a route even though they are not neighbors. Now suppose packets are sent on a route which includes node X and Y. If the packets are not forwarded correctly by nodes X and Y through the wormhole, the ACK scheme of E-Hermes will penalize both nodes X and Y.

5.5. Sybil attack

In the Sybil attack, a node impersonates one or more of the other nodes in the network. This is an attack on the authentication scheme and can really only be addressed using cryptographic techniques (cf. [13]). Suppose a given node X launches a Sybil attack by impersonating another node Z on a given route. Under the E-Hermes scheme, if node X drops packets sent along this route, then node Z will be penalized. On the other hand, node X is also penalized with respect to this route, since it claims to be node Z.

5.6. Attackers with directional antennas

Thus far, we have implicitly assumed that the nodes are equipped with omnidirectional antennas and that they do not employ dynamic power control. However, an outside adversary could use a directional antenna to launch an attack. E-Hermes can deal with this type of attack as follows. Suppose nodes X and Y are neighbors along a route and node Y is an attacker equipped with a directional antenna. Now suppose node Y forwards packets in the direction of node X such that node X believes that node Y forwarded these packets correctly, when in actual fact, node Y does not forward these packets to the next node on the path.

In this case, the first-hand trust evaluation based on neighbor observations (i.e., channel snooping) in E-Hermes will be foiled. However, first-hand trust evaluation for non-neighbor nodes in E-Hermes, which is based on acknowledgments, will identify node Y correctly as the culprit. To see this, note that Y can attempt to deceive node X in one of three possible ways: (i) send a forged ACK to X; (ii) create a NACK and then send it to X; or (iii) send neither an ACK nor a NACK to X. The hash-chain scheme discussed in Section 3.4.2 precludes action (i) from being successful. In case (ii), both node Y and its downstream neighbor will be penalized. In case (iii), the acknowledgement timer of node X will expire, causing node X to penalize node Y and its downstream neighbor. Thus, node Y cannot avoid being penalized for the attack. Hence, to deal with directional antenna attacks, the E-Hermes scheme should place more weight on the second form of first-hand trust or avoid making use of neighbor observations altogether.

6. Performance evaluation

In this section, we present some representative performance results of E-Hermes obtained from simulation experiments.

6.1. Simulation methodology

The simulation experiments were implemented using MATLAB and are intended to evaluate the performance of E-Hermes under various network and attack scenarios. In the simulation scenarios, nodes exhibit four types of behavior:

– Type I: Good nodes and good recommenders.
– Type II: Bad nodes and good recommenders.
– Type III: Good nodes and bad recommenders.
– Type IV: Bad nodes and bad recommenders.

A predefined number of flows is generated for each simulation scenario. The route corresponding to a flow is not derived based on a given topology, but is chosen randomly to reflect the network topology at a given point in time. Thus, the effect of a dynamically changing network topology is captured in the simulation. In particular, traffic flows are generated as a function of the number of network nodes and the minimum and maximum number of nodes allowed on a route with no routing loops. The nodes in the network collect empirical evidence and build their trustworthiness and opinion values for all other network nodes based on traffic generated by the traffic flows.

The bad nodes may be neighbors or non-neighbors. The number of traffic flows generated in the simulation scenarios presented in this section is relatively small. However, when the number of generated flows is small, some nodes may not participate in any flows and as a result, no opinion is formed for them. Given a sufficiently large and diverse set of traffic flows, all nodes should be able to form valid opinions for every other node in the network.

6.2. Static node behavior

We consider a simulation scenario consisting of 10 nodes in which 8 random traffic flows are established along different paths. The minimum and maximum number of nodes allowed on a route are four and seven respectively. Nodes 1, 3, 4, 5, 8, 9, 10 are randomly assigned to be of Type I. They forward 100% of the packets that they should be forwarding and propagate correct opinions P. Node 7 is randomly assigned to be of Type II. Node 7 forwards 20% of the packets received for forwarding, but propagates correct opinions. Node 6 is randomly assigned to be of Type III. Node 6 forwards 100% of the packets received for forwarding, but propagates recommendations of fixed opinion $P = 0.5$. Node 2 is randomly chosen to be of Type IV. Node 2 forwards 20% of the packets received for forwarding, and propagates recommendations of fixed opinion $P = 0.5$. Although in this case 30% of the nodes exhibit malicious behavior of one or another type, increasing this percentage does not affect the ability of the E-Hermes scheme to form accurate opinions. The source nodes send 100 data packets during each observation window W (also called "round"). The trustworthiness parameter r in (3) is set as $r = \sqrt{2/9}$. Finally, the RC-test threshold g is set to 0.1.

Fig. 5 illustrates the opinion value that node i places on node j with a gray-scale representation. A black color implies an opinion value of 0, white represents an opinion value of 1, while intermediate values are represented by different shades of gray. Fig. 5a illustrates the opinion values, $P_{i,j}$, obtained by the scheme without the use of recommendations. Nodes that interacted with nodes 2 and 7 correctly identified them as bad nodes. Nodes that interacted with the remaining nodes identified them as good, with two exceptions. The two false positives are attributed to the fact that upon receipt of a NACK both ends of the faulty link are penalized. This effect would be attenuated by the establishment of a more diverse set of flows.

Fig. 5b illustrates the opinion values, $P_{i,j}$, when recommendations are used. Nodes 2 and 7 are correctly identified as bad nodes by all other nodes, except node 6, which is ignorant of their behaviors ($T_{6,2} = T_{6,7} = T_{def}$). Node 7 has not identified node 2 as a bad node for the same reason. The good nodes are also correctly identified. Comparing (a) and (b) we see that when recommendations are used, nodes form the correct network view much more quickly. We have evaluated the E-Hermes scheme under various attack scenarios by varying the number of bad recommenders and bad nodes, and found that the scheme computes accurate opinions in all cases.

Fig. 5c shows the recommender trustworthiness values, $T^R_{i,j}$, which are the opinions formed in terms of trust propagation. Nodes 2 and 6 are correctly identified as bad recommenders by all other nodes that were able to compute acceptable recommender trustworthiness values $T^R$ for them. The remaining nodes are correctly identified as good recommenders with one exception. There is a false positive recommender trustworthiness $T^R$, because only eight flows are active. As the diversity of flows in the network increases, the accuracy of the opinions computed improves. However, note that the existence of false positives $T^R$ is acceptable, as long as the correct opinions P are formed, which is the case here.

Fig. 5. Network view (a) opinion $P_{i,j}$, without recommendations, (b) opinion $P_{i,j}$, with recommendations, (c) Recommender trustworthiness $T^R_{i,j}$. (Axes of each panel: Node i versus Node j, nodes 1 to 10.)

Fig. 6. Opinion that node 10 computes for nodes 2, 3, 7, 8 from round 1 to 50. Nodes 2, 7 change their forwarding behaviors in rounds 5 and 10, respectively. (Axes: Opinion P versus Round (W); curves $P_{10,2}$, $P_{10,3}$, $P_{10,7}$, $P_{10,8}$.)

6.3. Dynamic node behavior

Next, we consider a simulation scenario in which the behavior of a node changes dynamically. Eight flows are generated and the source nodes send 100 data packets during each round. The simulation runs for 50 rounds. However, now nodes 1, 4, 5, 8, 9, 10 are of Type I. Nodes 2, 6 are bad recommenders, propagating opinions with value $P = 0.5$. Node 3 is of Type II. Node 2 is good for rounds 1–5 and then becomes bad, thus switching from Type III to Type IV. Node 7 is bad for rounds 1–10 and then becomes good, thus switching from Type II to Type I. Node 6 is of Type III. Good nodes forward 100% of the packets that they should be forwarding. Bad nodes forward 20% of the packets received for forwarding. As before, the RC-test threshold g is set to 0.1.

The opinions P that node 10 places on nodes 2, 3, 7, 8 over 50 rounds are shown in Fig. 6. E-Hermes accurately evaluates trust and adapts to changes in the nodes' behaviors. Note that the past behavior of a node influences the value of the current opinion P. For example, at round 50 $P_{10,8} \approx 1$, whereas $P_{10,7} = 0.86$.

6.3.1. Misbehavior recognition

A useful measure of the performance of the proposed trust establishment scheme is given as follows.

Definition 10. The misbehavior ($\epsilon$) recognition percentage or MB($\epsilon$)-recognition is the percentage of the nodes in the network that have identified all the misbehaving nodes in the network by computing the opinions $P_{i,m}$ that are within a precision of $\epsilon$ from the true node behavior characterized by $B_f^i$, i.e., $|P_{i,m} - (1 - B_f^i)| < \epsilon$.

We present some performance results of E-Hermes with respect to MB(0.1)-recognition when the percentage of bad nodes and $B_f$ are varied. In particular, the percentage of misbehaving network nodes ranges from 4% to 95%, while $B_f$ ranges from 20% to 100%. The number of bad recommenders is set to 25% of the network nodes. Our simulation runs are intended to evaluate the MB(0.1)-recognition metric and the convergence rate of E-Hermes when the percentage of bad recommenders and $B_f$ are varied. In particular, the percentage of bad recommenders ranges from 4% to 100%, while $B_f$ ranges from 20% to 100%. The proportion of bad nodes is set to 25% of the network nodes.

The bad nodes and the bad recommenders are chosen randomly from the set of the network nodes. Thus, a node may exhibit any of the four types of behavior introduced in Section 6.1. The simulated network consists of 30 nodes. Initially one flow is generated and then one flow is added per round. The flows are randomly generated. The number of nodes on a route is set to 7. The non-misbehaving nodes forward all the packets that they receive for forwarding. The good recommenders propagate correct opinions P. The bad recommenders propagate fixed opinion $P = 0.5$ when $B_f \ne 0.5$ and they propagate fixed opinion $P = 0.2$ when $B_f = 0.5$. The source nodes send 100 data packets during each round. The other simulation parameters are set as before. The results are obtained from executing 10 simulation trials for each network scenario.

Fig. 7a illustrates the number of rounds required for E-Hermes to reach a steady state. As expected, the convergence rate depends on the percentage of misbehaving network nodes; the more misbehaving nodes in the network, the longer it takes for E-Hermes to reach a steady state. The value of $B_f$ slightly influences the convergence rate of the proposed trust establishment framework. For example, when 4% of the nodes are misbehaving, E-Hermes requires 50, 47, 48, and 54 rounds to reach steady state when $B_f$ is set to 0.25, 0.5, 0.75 and 1, respectively. When 95% of the network nodes are misbehaving, E-Hermes requires 89, 90, 86, and 76 rounds to reach steady state when $B_f$ is set to 0.25, 0.5, 0.75, and 1 respectively.

Fig. 7b shows the steady-state MB(0.1)-recognition values for E-Hermes. As expected, the MB(0.1)-recognition of E-Hermes is in the range 93–98%, with one exception: When 95% of the nodes are misbehaving and $B_f = 1$, the MB(0.1)-recognition of E-Hermes is 85%. Nonetheless, it should be noted that steady state is reached only after 76 rounds.

Fig. 7. E-Hermes performance when the percentage of misbehaving nodes and $B_f$ are varied.

Fig. 8. E-Hermes performance when (1) 100% of nodes are bad recommenders, and (2) recommendations are not exchanged. (Panels: Round (W) and MB(0.1)-recognition, each plotted against Case and 100*Bf; legend: 100% bad recommenders, No recommenders.)


Fig. 8a compares the number of rounds required for E-Hermes to reach a steady state when (1) 100% of the nodes in the network are bad recommenders, and (2) recommendations are not exchanged in the network. Fig. 8b shows the MB(0.1)-recognition of E-Hermes in steady state when (1) 100% of the nodes are bad recommenders, and (2) recommendations are not exchanged in the network. Thus, the figures show that the exchange of bad recommendations does not undermine the performance of E-Hermes. However, the availability of good recommendations does accelerate the convergence of the trust establishment procedures. If all the nodes in the network are bad recommenders, E-Hermes performs as if no recommenders are present in the network.

7. Conclusion

We presented a robust cooperative trust establishment scheme for MANETs, which is designed to improve the reliability of packet forwarding over multi-hop routes, particularly in the presence of malicious nodes. The proposed scheme extends the Hermes framework introduced in [2] in several important ways. In the E-Hermes scheme, first-hand information for non-neighbor nodes is obtained via feedback from acknowledgements sent in response to data packets. The E-Hermes scheme exploits information sharing among nodes to accelerate the convergence of trust establishment procedures. Second-hand trust information is obtained via recommendations from cooperative nodes. The trustworthiness of the recommendations and recommenders is evaluated. The concept of trustworthiness is then extended to the notion of an opinion that a given node has about the forwarding behavior of any arbitrary node by combining first-hand and second-hand trust information.

A potential problem arises when a node behaves well with respect to some flows, but behaves badly with respect to other flows. The E-Hermes scheme may not be able to compute accurate trustworthiness values in this case. However, such Byzantine behavior can be addressed by extending the Hermes framework in a different way, as discussed in [24].

Acknowledgement

This work was supported in part by the National Science Foundation under Grants Nos. CCR-0209049 and CCF-0133390.

References

[1] L. Eschenauer, V.D. Gligor, J. Baras, On trust establishment in mobile ad-hoc networks, in: Proceedings of the Security Protocols Workshop, vol. 2845, LNCS, 2002, pp. 47–66.

[2] C. Zouridaki, B.L. Mark, M. Hejmo, R.K. Thomas, Hermes: a quantitative trust establishment framework for reliable data packet delivery in MANETs, Journal of Computer Security 15 (1) (2007) 3–38.

[3] C. Zouridaki, B.L. Mark, M. Hejmo, R.K. Thomas, Robust cooperative trust establishment for MANETs, in: Proceedings of the Third ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN’06), 2006, pp. 23–34.

[4] T. Jiang, J.S. Baras, Ant-based adaptive trust evidence distribution in MANET, in: Proceedings of the Second International Workshop on Mobile Distributed Computing (MDC), 2004.

[5] S. Buchegger, J.-Y.L. Boudec, A robust reputation system for P2P and mobile ad-hoc networks, in: Proceedings of the Second Workshop on Economics of Peer-to-Peer Systems, 2004.

[6] A.A. Pirzada, C. McDonald, Establishing trust in pure ad-hoc networks, in: Proceedings of the 27th Australasian Computer Science Conf. (ACSC’04), 2004, pp. 47–54.

[7] G. Theodorakopoulos, J.S. Baras, Trust evaluation in ad-hoc networks, in: Proceedings of the ACM Workshop on Wireless Security (WiSe’04), 2004, pp. 1–10.

[8] L. Buttyan, J.-P. Hubaux, Stimulating cooperation in self-organizing mobile ad hoc networks, Mobile Networks and Applications 8 (5) (2003) 579–592.

[9] L. Capra, Engineering human trust in mobile system collaborations, in: Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2004, pp. 107–116.

[10] T. Jiang, J.S. Baras, Autonomous trust establishment, in: Proceedings of the Second International Network Optimization Conference, 2005.

[11] J. Baras, T. Jiang, Cooperative games, phase transition on graphs and distributed trust in MANET, in: Proceedings of the 43rd IEEE Conference on Decision and Control (CDC’04), 2004.

[12] Y.C. Hu, A. Perrig, D.B. Johnson, Wormhole Attacks in Wireless Networks, IEEE Journal of Selected Areas in Communications 24 (2) (2006) 370–380.

[13] D. Glynos, P. Kotzanikolaou, C. Douligeris, Preventing impersonation attacks in MANET with multi-factor authentication, in: Proceedings of the International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WIOPT), 2005, pp. 59–64.

[14] S. Marsh, Formalizing trust as a computational concept, Ph.D. Thesis, University of Stirling, 1994.

[15] A. Abdul-Rahman, S. Hailes, Supporting trust in virtual communities, in: Proceedings of the IEEE Hawaii International Conference on System Sciences, 2000.

[16] B. Yu, M.P. Singh, A social mechanism of reputation management in electronic communities, in: Proceedings of the Fourth International Workshop on Cooperative Information Agents, vol. 1860, LNCS, 2000, pp. 154–165.

[17] P. Resnick, K. Kuwabara, R. Zeckhauser, E. Friedman, Reputation systems, Communications of the ACM 43 (12) (2000) 45–48.

[18] J.P. Hubaux, L. Buttyan, S. Capkun, The quest for security in mobile ad hoc networks, in: Proceedings of the ACM MobiHoc, 2001.

[19] D. Johnson, D. Maltz, Dynamic source routing in ad hoc wireless networks, in: T. Imielinski, H. Korth (Eds.), Mobile Computing, Kluwer Academic Publishers, 1996, pp. 153–181 (Chapter 5).

[20] C. Perkins, E. Belding-Royer, S. Das, Ad-hoc on-demand distance vector (AODV) routing, in: IETF RFC 3561.

[21] I. Avramopoulos, H. Kobayashi, R. Wang, A. Krishnamurthy, Highly secure and efficient routing, in: Proceedings of the IEEE Infocom 2004, 2004.

[22] L. Zhou, Z.J. Haas, Securing Ad Hoc Networks, IEEE Networks Special Issue on Network Security 13 (6) (1999) 24–33.

[23] N. Asokan, P. Ginzboorg, Key agreement in ad-hoc networks, Computer Communications Journal 23 (17) (2000) 1627–1637.

[24] C. Zouridaki, B.L. Mark, M. Hejmo, Byzantine robust trust establishment for mobile ad hoc networks, Telecommunications Systems 35 (2007) 189–206.

Charikleia Zouridaki received the B.S. degree in Physics from Aristotle’s University of Thessalonica, Greece in 2000 and the M.S. degree in Computer Engineering from George Mason University, Fairfax, VA in 2002. Currently, she is a Ph.D. Candidate in Information Technology at George Mason University, Fairfax, VA. Her research interests include network security, systems security, and communication networks. Her research focuses on security of wireless networks. Ms. Zouridaki is a Student Member of IEEE Women in Engineering (WIE). She is also a Member of Phi Beta Delta, an honor society for international scholars.

Brian L. Mark received the B.A.Sc. degree in Computer Engineering with an option in Mathematics from the University of Waterloo, Canada, in 1991 and the Ph.D. in Electrical Engineering from Princeton University, Princeton, NJ in 1995. He was a research staff member at the C&C Research Laboratories, NEC USA, Princeton, NJ from 1995 to 1999. In 1999, he was on part-time leave from NEC as a visiting researcher at Ecole Nationale Supérieure des Télécommunications in Paris, France. In 2000, he joined the Dept. of Electrical and Computer Engineering at George Mason University, where he is currently an Associate Professor. His main research interests lie broadly in the design, modeling, and analysis of communication systems, communication networks, and computer systems. He was co-recipient of the best conference paper award for IEEE Infocom’97. He received a National Science Foundation CAREER Award in 2002.

Marek Hejmo received the B.S. degree in Electrical Engineering in 1999 and the M.S. degree in Computer Engineering in 2000, both from AGH University of Science and Technology, Krakow, Poland. He completed the Ph.D. in Information Technology at George Mason University, Fairfax, VA in July 2006. Currently, he is a network security engineer with Cvent in McLean, VA. His research involves security and quality-of-service aspects of mobile ad hoc networks. Other research interests include mobile and wireless communication, ad hoc networking, performance analysis and analytical modeling.

Roshan K. Thomas received the B.Sc. degree from the University of Lagos, Nigeria and the M.S. degree in Computer Science from the University of Houston, Texas. He received the Ph.D. in Information Technology with a specialization in computer security from George Mason University, Fairfax, VA in May 1994. He is currently a Senior Principal Scientist at Sparta, Inc., and prior to that worked as Senior Scientist at McAfee Research Laboratories. He has over ten years of experience as a researcher at the Principal Investigator level in various aspects of computer security including access control models, network security, secure distributed database management and multilevel-secure object-oriented distributed computing. He is currently a co-PI on a National Science Foundation (NSF) sponsored project called SEQUOIA that is investigating the integration of security-aware quality-of-service (QoS) mechanisms into ad-hoc wireless routing protocols. Dr. Thomas served as the co-founder of the First IEEE International Workshop on Pervasive Computing and Communication Security (PerSec 2004) and served as the PC co-chair for the second workshop (PerSec 2005).
