Sage Journals: Discover world-class research

Abstract

In ad hoc and sensor networks, reputation-based trust management schemes have been widely used to identify the malicious nodes. These schemes leverage each node's behaviors for malicious node detection and thus require a certain amount of time to observe the behaviors of nodes. In mobile sensor networks, however, malicious nodes frequently move to different locations, and thus it is likely difficult to collect enough evidence for them. Moreover, when reputation-based schemes are employed, it is not easy to revoke the malicious nodes due to the risk of false positives. To mitigate these limitations of reputation-based schemes, we propose mobile malicious node detection schemes based on software attestation technique, which virtually fulfills zero false positives. In particular, we propose a probabilistic detection scheme in which each node attests its neighboring node with a certain probability. In order to reduce the attestation overhead of the probabilistic detection scheme, we also propose the SPRT (Sequential Probability Ratio Test) based detection scheme that uses the SPRT to determine when to perform the attestations. Through analysis and simulation, we show that our proposed schemes detect mobile malicious nodes through software attestations in robust and efficient manner.

1. Introduction

In mobile sensor networks, the attacker may capture sensor nodes and subvert them to be malicious. With these mobile malicious nodes, he can distort the various operations of the mobile sensor networks. For instance, in order to disrupt data collection operation of the base station, the attacker can launch false data injection attacks by having mobile malicious nodes send false data into the base station. He can also make mobile malicious nodes ruin the local operations such as routing, localization, and clustering by contacting many benign nodes. To diminish this damage incurred by mobile malicious nodes, it is imperative to detect and revoke them as quickly as possible. To meet this need, many researchers have proposed a variety of malicious node detection schemes in the context of ad hoc and sensor networks [1–10].

Reputation-based trust management schemes have been proposed to deal with an individual nodes trust in accordance with its behaviors [2, 4, 8]. Although malicious nodes can be identified in these schemes, they are not easily revoked due to the risk of false positives. Moreover, mobile malicious nodes can control their movements in such a way to make it difficult for their malicious behaviors to be observed. Another approach to deal with the malicious node detection in sensor networks is software attestation [1, 3, 5–7, 9, 10]. In this approach, attester (the base station or a node) performs attestations against the software running on attestee (a node) to verify whether it matches the expected software image; subverted image codes can then be detected. From perspective that this approach achieves virtually zero false positives and does not require any node behavior knowledge, it is more suitable than reputation approach for mobile malicious node detection. However, the previous works on software attestation did not describe how frequently each node needs to be attested even though they proposed several attestation methodologies.

To efficiently and effectively perform software attestations against mobile nodes, we first devise a probabilistic attestation scheme in which each mobile node is probabilistically attested. We then improve the performance of the probabilistic scheme by developing a scheme based on the SPRT (Sequential Probability Ratio Test) [11]. We apply the SPRT to determine the frequency of attestations per mobile node in such a way that highly mobile nodes are more frequently attested than lowly mobile nodes, leading to fast detection of highly mobile malicious nodes. Our analytical results show that both schemes achieves high mobile malicious node detection capability at the reasonable attestation overhead. We also evaluate the proposed schemes by using ns-2 simulator. Our simulation results demonstrate that the SPRT-based scheme outperforms the probabilistic scheme in terms of the attestation overhead while incurring reasonable malicious node detection time. Moreover, our proposed schemes catch out the malicious nodes with at least 99.74% detection rate. This indicates that almost all malicious nodes are detected by our proposed schemes (a preliminary version of this paper was presented in [12]).

The rest of paper is organized as follows. Section 2 presents the relevant work of malicious node detection. Section 3 describes the network assumptions and attacker models for our proposed schemes. Section 4 proposes mobile malicious node detection schemes and analyzes the proposed schemes. Section 5 presents the evaluation results of our proposed schemes. Finally, Section 6 concludes the paper.

2. Related Work

In this section, we present the related work for malicious node detection in wireless sensor networks.

Reputation-based trust management schemes have been proposed to evaluate each node's trust based on its activities [2, 4, 8]. In particular, Ganeriwal and Srivastava [2] used a Bayesian formulation for trust management. Sun et al. [8] applied information theoretic frameworks for trust evaluation. Li and Wu [4] utilized node mobility to reduce an uncertainty in trust computation and facilitate trust convergence. However, the mobile malicious nodes are not easily revoked because of the risk of false positives when these trust management schemes are used. Furthermore, mobile malicious nodes can evade these schemes by adopting high mobility strategy for their malicious actions not to be observed.

Software-attestation based schemes have been proposed to discern the subverted software images of sensor nodes [1, 3, 5–7, 9, 10]. In particular, the base station checks whether the flash image codes have been maliciously corrupted by performing attestations against randomly chosen parts of image codes or the entire codes [5–7]. Yang et al. [9] propose a localized attestation process in which each node collaborates with its neighbors for node attestations. Tamer et al. [1] propose a group-based software attestation scheme in wireless sensor networks. In this scheme, the attestation process is localized and performed without the aid of the base station. Jin et al. [3] use dynamic node attestation chains to reduce checksum computation time required for node attestation in mobile sensor networks. Zhang and Liu [10] propose a dynamic software attestation scheme in sensor networks. The proposed scheme employs software attestation technique to detect the corrupted program data in run time.

3. Models

In this section, we first state the network assumptions and then present an adversary models.

We assume a mobile sensor network where sensor nodes freely roam throughout the network. Since every sensor node is mobile, for simplicity, sensor node or node will be used to indicate mobile sensor node in the rest of the paper. We also assume that the sensor nodes could directly or indirectly communicate with the base station. The base station is assumed to be a trusted entity. This is a reasonable assumption in the sense that the entire network operations are controlled by the base station, and thus the network operator will fail to correctly run the networks if the base station is compromised.

Attacker is able to capture a certain amount of sensor nodes and make them malicious. He then exerts the malicious nodes to mount a variety of attacks while keeping moving them to different locations. For example, they can launch denial of service attacks such as jamming and flooding to damage various services provided in mobile sensor networks. They can also inject fake data into the network, and thus the network operator will gather the false information from the network. Moreover, the attacker could make malicious nodes contact many benign nodes and undermine the normal operations such as routing, clustering, and localization executed by these benign nodes.

4. Robust Detection of Mobile Malicious Nodes through the Software Attestation

This section presents the details of our schemes to detect and revoke the malicious nodes using software attestation. We start with a probabilistic approach and then show how to reduce the attestation overhead with the SPRT.

4.1. Scheme I: The Probabilistic Approach

A straightforward attestation approach is that a node attests its neighboring nodes whenever it meets them. Although this approach quickly detects malicious nodes, it will incur a large amount of attestation overheads, leading to the delay in processing the network operations. To reduce this attestation overhead, we propose a probabilistic attestation scheme (Scheme I) in which node attestation is probabilistically performed. We first describe the details of Scheme I and present an analysis of it.

4.1.1. Protocol Description

(a) Phase I: Predeployment. Before deployment, the network operator generates a secret key shared between a sensor node and the base station and installs it into each node.

(b) Phase II: Attestation. After deployment, each time every attester u meets every attestee v within its communication vicinity while moving in the network, and it performs software attestation against v with probability $p_{a}$ . This probabilistic attestation is attempted only once while v is in the vicinity of u. Any techniques in [5–7, 10] can be used for software attestation on v. By leveraging the fact that the sensor nodes typically run homogeneous flash image codes, these techniques examine whether the images codes executing on a node coincide with the original image codes and identify the subverted image codes.

(c) Phase III: Postdetection. Once u determines v as malicious node, it generates a malicious node alert message on v, MNA $= {u ∥ v ∥ t_{m} ∥ {MAC}_{K_{u}} [u ∥ v ∥ t_{m}]}$ , where MAC stands for message authentication code, $K_{u}$ is the shared secret key between u and the base station, and $t_{m}$ is a timestamp representing the generation time of MNA. The timestamp $t_{m}$ is used to prevent the replay attacks. Attester u then sends MNA message to the base station. After receiving MNA from u, the base station performs software attestation against v to verify whether v is really malicious. If MNA is valid, the base station revokes v from the network.

4.1.2. Analysis

In this section, we will first discuss the possible attack strategies on Scheme I and the corresponding countermeasures. We will then explore the malicious node detection capability of Scheme I. Finally, we will compute the attestation overhead.

We consider false alert injection attack in which malicious nodes inject false malicious node alert (MNA) messages into the base station. In particular, a malicious node $w$ could create false MNA message on benign node z and send it to the base station. However, the base station will see that $z$ is not malicious through attesting on z, and thus there will be no harm on z. Rather, malicious node $w$ will be revoked due to fake alert injection. Hence, although the base station needs to perform attestations against on benign nodes, there will be little benefit for malicious nodes from launching false alert injection attack.

Next, we consider more severe attack, denial of attestation attack in which malicious nodes deny participating in attestation process and thus evade being detected. More specifically, an attestee v rejects the attestation attempts performed by an attester $u$ and flees to other regions. By maintaining this attack strategy whenever meeting other nodes, $v$ will avoid being detected. A straightforward countermeasure against this attack is to let the base station know that v escapes from being attested, to have the base station perform the attestation against v and revoke it from the network. More specifically, when v refuses $u$ 's attestation attempts, $u$ generates denial of attestation notification message on $v$ , DAN $= {u ∥ v ∥ t_{d} ∥ {MAC}_{K_{u}} [u ∥ v ∥ t_{d}]}$ , where $t_{d}$ is a timestamp indicating the generation time of DAN. $u$ then sends DAN message to the base station. Upon receiving DAN message, the base station makes an attempt to attest v. If $v$ accepts to be attested, the base station will revoke v in case that it is malicious. Otherwise, the base station will isolate $v$ from the network; thus, $v$ will not be allowed to participate in any network operations. Even though malicious nodes could send the base station fake DAN messages on benign nodes, the base station will discern that they are actually benign nodes through attestations, but rather the malicious nodes will be revoked from the network. As a result, the attacker will take little merit from mounting denial of attestation attack.

Next, we compute an average number of attestations that are performed by $N_{a}$ attesters. Since each attester independently performs attestation with probability $p_{a}$ , $N_{a}$ attesters performing $p_{a} \times N_{a}$ attestations on an average.

Finally, we investigate the probability that malicious nodes are detected.

Lemma 1.

Let one denote $N$ as the total number of nodes in the network. Let one also denote $N_{m}$ as the total number of malicious nodes in the network ( $N_{m} < N$ ). Moreover, one denotes $N_{a}$ by the total number of attesters that are encountered by $N_{m}$ malicious nodes. One defines $p_{d}$ as the probability that at least one malicious node is detected by $N_{a}$ attesters. The probability $p_{d}$ is bounded from below by $1 - e^{- ((p_{a} \times N_{m} \times N_{a}) / N)}$ .

Proof.

Let us define $p_{n d}$ as the probability that any of $N_{m}$ malicious nodes are not detected by $N_{a}$ attesters. $N_{m} / N$ is the probability that a node is malicious in the network, and the attestation probability is $p_{a}$ . Also, the malicious node is detected once it is attested. Thus, $1 - ((p_{a} \times N_{m}) / N)$ is calculated as the probability that a malicious node is not detected by one attester. As a consequence, $p_{n d}$ is computed as ${(1 - ((p_{a} \times N_{m}) / N))}^{N_{a}}$ . By using the property that $(1 + x) \leq e^{x}$ , we compute the lower bound of $p_{d}$ as follows:

\begin{array}{l} p_{d} = 1 - p_{n d} \\ = 1 - {(1 - \frac{p_{a} \times N_{m}}{N})}^{N_{a}} \\ \geq 1 - e^{- ((p_{a} \times N_{m} \times N_{a}) / N)} . \end{array}

(1)

We now investigate how the lower bound of $p_{d}$ is affected by $N_{m}$ and $p_{a} \times N_{a}$ . For this study, we set $N = 100$ . Note that $p_{a} \times N_{a}$ is an average number of attestations performed in the network. As shown in Figure 1, the lower bound of $p_{d}$ exceeds 0.99 when $N_{m}$ is above 4. This means that our proposed scheme achieves very high detection capability even when there are a small number of malicious nodes in the network. Moreover, as an average number of attestations increases under $N_{m} \leq 4$ , the lower bound of $p_{d}$ tends to increase. This indicates that an increase in the number of attestations results in the enhancement of malicious node detection capability.

Figure 1

Affects of the number of malicious nodes ( $N_{m}$ ) and an average number of attestations ( $p_{a} \times N_{a}$ ) on the lower bound of $p_{d}$ .

4.2. Scheme II: The SPRT-Based Approach

Although the attestation overhead of Scheme I is reasonable, it could be reduced by using the attestation probability configured in line with nodes’ mobility rates, rather than using the same attestation probability. To do this, we propose the SPRT-based attestation approach (Scheme II) which adapts the SPRT to determine the attestation probability in accordance with nodes’ mobility rates. Note that SPRT [11] is a statistical decision process that reaches a decision with a few number of samples while maintaining low error rates. We start with the detailed description of Scheme II and then provide an analysis of it.

4.2.1. Protocol Description

The predeployment phase is the same as the one in Scheme I, and the attestation phase is described as follows.

Let us first consider the scenario that every node $u$ meets every other node v more than once within its communication vicinity while roaming in the network. In this scenario, we denote a series of meeting time between u and $v$ by $T_{1}, T_{2}, \dots$ . We also define $T_{i + 1} - T_{i}$ ( $i \geq 1$ ) as intermeeting time between u and v. Let δ be an intermeeting time threshold that is used to determine whether intermeeting time is short or not. Putting it in differently, δ is regarded as a mobility threshold to decide whether node u frequently encounters node v or not. Let $M_{i}$ denote a Bernoulli random variable that is defined as

\begin{matrix} M_{i} = {\begin{cases} 0, & if T_{i + 1} - T_{i} > δ, \\ 1, & if T_{i + 1} - T_{i} \leq δ . \end{cases} \end{matrix}

(2)

The success probability $Ψ$ of Bernoulli distribution is defined as $Pr (M_{i} = 1) = 1 - Pr (M_{i} = 0) = Ψ$ .

If $Ψ$ is not larger than a predefined threshold $Ψ^{'}$ , it is likely that node u infrequently contacts node v. Otherwise, it is likely that node u frequently contacts node v. The problem of deciding whether u frequently contacts v or not can be formulated as a hypothesis testing problem with null and alternate hypotheses of $Ψ \leq Ψ_{0}$ and $Ψ \geq Ψ_{1}$ , respectively, such that $Ψ_{0} < Ψ_{1}$ .

Under this formulation, we present how node u performs the SPRT to make a decision on node v from the observed n samples, $M_{1}, M_{2}, \dots, M_{n}$ . We define null hypothesis $H_{0}$ and alternate one $H_{1}$ as follows: $H_{0}$ is the hypothesis that u infrequently encounters v and $H_{1}$ is the hypothesis that u frequently encounters v. We then define $L_{n}$ as the log-probability ratio on n samples, given as

\begin{matrix} L_{n} = \ln \frac{Pr  (M_{1}, \dots, M_{n} ∣ H_{1})}{Pr  (M_{1}, \dots, M_{n} ∣ H_{0})} . \end{matrix}

(3)

Assume that $M_{i}$ is independent and identically distributed. This assumption is reasonable in the sense that both u and v independently move in the network and accordingly the intermeeting time between u and v is also independent. Then, $L_{n}$ can be rewritten as

\begin{matrix} L_{n} = \ln \frac{\prod_{i = 1}^{n} Pr  (M_{i} ∣ H_{1})}{\prod_{i = 1}^{n} Pr  (M_{i} ∣ H_{0})} = \sum_{i = 1}^{n} ‍ \ln \frac{Pr  (M_{i} ∣ H_{1})}{Pr  (M_{i} ∣ H_{0})} . \end{matrix}

(4)

Let $τ_{n}$ denote the number of times that $M_{i} = 1$ in the n samples. Thus, we have

\begin{matrix} L_{n} = τ_{n} \ln \frac{Ψ_{1}}{Ψ_{0}} + (n - τ_{n}) \ln \frac{1 - Ψ_{1}}{1 - Ψ_{0}}, \end{matrix}

(5)

where $Ψ_{0} = Pr (M_{i} = 1 ∣ H_{0})$ , $Ψ_{1} = Pr (M_{i} = 1 ∣ H_{1})$ .

The rationale behind the configuration of $Ψ_{0}$ and $Ψ_{1}$ is as follows. On the one hand, $Ψ_{0}$ should be configured in accordance with the likelihood that node with insufficient mobility is determined to be frequently encountered. On the other hand, $Ψ_{1}$ should be configured to consider the likelihood that node with sufficient mobility is determined to be frequently encountered. Since the former likelihood is smaller than the latter one, $Ψ_{0}$ should be set to smaller than $Ψ_{1}$ .

The SPRT for $H_{0}$ against $H_{1}$ is given as follows.

(i)

$τ_{n} \leq γ_{0} (n)$ : accept $H_{0}$ and terminate the test.

(ii)

$τ_{n} \geq γ_{1} (n)$ : accept $H_{1}$ and terminate the test.

(iii)

$γ_{0} (n) < τ_{n} < γ_{1} (n)$ : continue the test process with another observation,

where

\begin{matrix} γ_{0} (n) = \frac{\ln (β^{'} / (1 - α^{'})) + n \ln ((1 - Ψ_{0}) / (1 - Ψ_{1}))}{\ln (Ψ_{1} / Ψ_{0}) - \ln ((1 - Ψ_{1}) / (1 - Ψ_{0}))}, \\ γ_{1} (n) = \frac{\ln ((1 - β^{'}) / α^{'}) + n \ln ((1 - Ψ_{0}) / (1 - Ψ_{1}))}{\ln (Ψ_{1} / Ψ_{0}) - \ln ((1 - Ψ_{1}) / (1 - Ψ_{0}))}, \end{matrix}

(6)

$α^{'}$ (resp., $β^{'}$ ) is a user-configured false positive (resp., negative) error probability that a user desires to achieve in terms of the SPRT's decision.

When the SPRT terminates in the acceptance of $H_{0}$ (resp., $H_{1}$ ), u attests the software images of v with probability of $τ_{n} / n$ (resp., 1). u then restarts the SPRT on v with newly incoming samples. If u decides that the software images of v are maliciously modified, u performs the same postdetection phase as in Scheme I.

4.2.2. Analysis

In order to defend against the false alert injection and denial of attestation attacks, the same countermeasures are used as in Scheme I.

In this section, we first compute an average number of the attestations that an attester u performs against an attestee v. We then calculate the probability that u detects v when v is malicious.

Assume that u makes $k$ decisions on v while meeting with v in its vicinity. Moreover, assume that $(1 - ω) k$ and $ω k$ decisions are made in the acceptance of $H_{0}$ and $H_{1}$ , respectively. Let us denote the number of samples required to make the ith $H_{0}$ decision by $n_{i}$ . Note that the attestation probability for the $i$ th $H_{0}$ (resp., $H_{1}$ ) decision is $τ_{n_{i}} / n_{i}$ (resp., 1). An average number of attestations performed by u is calculated as $\sum_{i = 1}^{(1 - ω) k} ‍ (τ_{n_{i}} / n_{i}) + ω k$ . If $ω > 0$ holds, the detection probability will be 1 because u attests v with probability 1 in case of $H_{1}$ decision. If $ω = 0$ holds, the SPRT in u always accepts $H_{0}$ per decision. Thus, $\prod_{i = 1}^{k} ‍ (1 - (τ_{n_{i}} / n_{i}))$ is the probability that u fails to detect a malicious v after making k consecutive $H_{0}$ decisions. As a consequence, $1 - \prod_{i = 1}^{k} ‍ (1 - (τ_{n_{i}} / n_{i}))$ is the probability that a malicious v is detected after k consecutive $H_{0}$ decisions.

5. Simulation Study

We use the ns-2 network simulator to evaluate the proposed schemes in a mobile sensor network. In our simulation, 100 mobile sensor nodes are placed within a square area of 500 m × 500 m. Moreover, we use the Random Waypoint Mobility (RWM) model to set up node movement patterns. In particular, we use the RWM model with the steady-state distribution provided by the Random Trip Mobility (RTM) model [13] for accurate performance evaluation. In the RWM model, each node moves to a randomly selected location with a randomly chosen speed between predefined minimum and maximum speeds. After coming to that location, it pauses there for a predefined time. After the pause time, each node then randomly chooses another location and moves to the selected location. This random movement process is repeated throughout the simulation period. We create a steady-state version of RWM model with the program codes of [14].

All simulations were performed for 1000 simulation seconds. We fixed a pause time of 10 simulation seconds and a minimum moving speed of 1 m/s of each node. Each node uses IEEE 802.11 as the medium access control protocol in which the transmission range is 50 m. We set $α^{'} = β^{'} = 0.01$ . We also configure $Ψ_{0} = 0.1$ and $Ψ_{1} = 0.9$ . The rationale behind the general configurations of $Ψ_{0}$ and $Ψ_{1}$ is discussed in Section 4.2.

To study how node mobility affects the proposed schemes, we vary each node's maximum speed ( $V_{\max}$ ) in the range of 10, 20, 40, 60, and 80 m/s. We also configure the attestation probability $p_{a} = 0.1$ and set a mobility threshold δ in accordance with node mobility. In low node mobility ( $V_{\max}$ = 10, 20 m/s), we configure $δ = 40$ simulation seconds. In high node mobility ( $V_{\max}$ = 40, 60, 80 m/s), we configure $δ = 20$ simulation seconds. The rational behind these settings is that the higher node mobility leads to the shorter intermeeting time, and accordingly, the smaller value of δ needs to be configured. In order to investigate how the fraction of malicious nodes ( $f_{m}$ ) affects the proposed schemes, we consider low fraction of malicious nodes ( $f_{m} = 0.1$ ) and high fraction of malicious nodes ( $f_{m} = 0.5$ ).

5.1. Simulation Results

We use the following metrics to evaluate the performance of our scheme.

(i)

Malicious Node Detection Time is an average time required to detect all malicious nodes in the network. Note that this time is represented in simulation seconds.

(ii)

Number of Attestations is the number of attestations that are performed in the network.

(iii)

False Negative is the error probability that a malicious node is not detected.

For each execution, we obtain each metric as the average of the results of the SPRTs that are repeated. The average of the results of 100 executions is presented as follows.

First, we found no false negatives except the case that $f_{m} = 0.5$ and $V_{\max}$ = 10 m/s in Scheme II. In this case, the false negative is measured as 0.0026. This means that Scheme I always detects malicious nodes and Scheme II performs malicious node detection with probability 0.9974. Hence, our proposed schemes catch out almost all malicious nodes.

Second, as shown in Figures 2 and 3, Scheme I requires less malicious node detection time than Scheme II irrespective of the values of $V_{\max}$ and $f_{m}$ . This indicates that Scheme I performs attestations more frequently than Scheme II and thus identifies malicious nodes more quickly than Scheme II. We observe that malicious node detection time tends to decrease as $V_{\max}$ increases. This is because sufficient node mobility increases the chance that malicious nodes are attested and detected, leading to diminishing malicious node detection time. In both Schemes I and II, we also see that malicious node detection time when $f_{m} = 0.1$ is less than the one when $f_{m} = 0.5$ . This indicates that it does not take substantial time to catch out all malicious nodes when a small number of malicious nodes are in the network.

Figure 2

Malicious node detection time versus $V_{\max}$ when the fraction of malicious nodes is 0.1.

Figure 3

Malicious node detection time versus $V_{\max}$ when the fraction of malicious nodes is 0.5.

Finally, as shown in Figures 4 and 5, the number of attestations tends to increase as $V_{\max}$ rises in both Schemes I and II. This indicates that sufficient node mobility expedites to node-to-node contacts, and thus nodes are more often attested. We also see that the number of attestations performed in Scheme I is larger than the one in Scheme II regardless of the values of $V_{\max}$ and $f_{m}$ . This means that Scheme II performs attestations less frequently than Scheme I. Furthermore, we notice that the number of attestations when $f_{m} = 0.1$ is more than the one when $f_{m} = 0.5$ in both Schemes I and II. This indicates that substantial numbers of attestations are required to detect all malicious nodes when a small number of malicious nodes are in the network. By comparing Figures 2 and 3 to Figures 4 and 5, we see that the more number of attestations leads to the less malicious node detection time.

Figure 4

Number of attestations versus $V_{\max}$ when the fraction of malicious nodes is 0.1.

Figure 5

Number of attestations versus $V_{\max}$ when the fraction of malicious nodes is 0.5.

6. Conclusions

In this paper, we propose malicious node detection schemes in mobile sensor networks. In particular, we first develop a probabilistic approach in which nodes are probabilistically attested. Moreover, we devise the SPRT-based approach to enhance the performance of probabilistic approach. Our analytical results show that the proposed schemes fulfill the robust detection capability at the reasonable software attestation overhead. Furthermore, our simulation results demonstrate that the SPRT-based approach detects malicious nodes within reasonable time while reducing the attestation overhead of the probabilistic approach.

Footnotes

Acknowledgment

This work was supported by a research grant from Seoul Women's University (2011).

References

Tamer

Kang

Nyang

Lee

K. H.

A software-based group attestation for wireless sensor networks

Ad-Hoc and Sensor Wireless Networks 2011 13 1-2 121 154

2-s2.0-84855299594

Ganeriwal

Srivastava

M. B.

Reputation-based framework for high integrity sensor networks

Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ′04)

October 2004

66 77

2-s2.0-14844315770

Jin

Putthapipat

Pan

Pissinou

Makki

S. K.

Unpredictable software-based attestation solution for node compromise detection in mobile WSN

Proceedings of the IEEE Globecom Workshops (GC ′10)

December 2010

Miami, Fla, USA

2059 2064

2-s2.0-79951864122

10.1109/GLOCOMW.2010.5700307

Mobility reduces uncertainty in MANETs

Proceedings of the IEEE 26th IEEE International Conference on Computer Communications (INFOCOM ′07)

May 2007

Anchorage, Alaska, USA

1946 1954

2-s2.0-34548359282

10.1109/INFCOM.2007.226

Park

Shin

K. G.

Soft tamper-proofing via program integrity verification in wireless sensor networks

IEEE Transactions on Mobile Computing 2005 4 3 297 309

2-s2.0-19944369062

10.1109/TMC.2005.44

Seshadri

Perrig

Van Doom

Khosla

SWATT: softWare-based ATTestation for embedded devices

Proceedings of the IEEE Symposium on Security and Privacy

May 2004

272 282

2-s2.0-3042738543

10.1109/SECPRI.2004.1301329

Shaneck

Mahadevan

Kher

Kim

Remote softwarebased attestation for wireless sensors

Proceedings of the Second European conference on Security and Privacy in Ad-Hoc and Sensor Networks (ESAS ′05)

July 2005

27 41

Sun

Y. L.

Han

Liu

K. J. R.

A trust evaluation framework in distributed networks: vulnerability analysis and defense against attacks

Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM ′06)

April 2006

Barcelona, Spain

2-s2.0-39049116456

10.1109/INFOCOM.2006.154

Yang

Wang

Zhu

Cao

Distributed software-based attestation for node compromise detection in sensor networks

Proceedings of the 26th IEEE International Symposium on Reliable Distributed Systems (SRDS ′07)

October 2007

Beijing, China

219 228

2-s2.0-47249110641

10.1109/SRDS.2007.4365698

10.

Zhang

Liu

DataGuard: dynamic data attestation in wireless sensor networks

Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN ′10)

July 2010

Chicago, Ill, USA

261 270

2-s2.0-77956569613

10.1109/DSN.2010.5544307

11.

Wald

Sequential Analysis 2004

New York, NY, USA

Dover

12.

J. W.

Malicious Node Detection in Mobile Sensor Networks Using Sequential Analysis

Proceedings of the Advanced Signal Processing (ASP ′12)

March 2012

13.

Le Boudec

J.-Y.

Vojnović

Perfect simulation and stationarity of a class of mobility models

Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′05)

March 2005

2743 2754

2-s2.0-25644450392

14.

PalChaudhuri