Sage Journals: Discover world-class research

Abstract

Verifiable top-k query processing in tiered sensor networks, which refers to verifying the authenticity and the completeness of top-k query results received by the network owner in tiered sensor networks, has received attention in very recent years. However, the existing solutions of this problem are only fit for static sensor network. In this paper, we try to solve the problem in a tiered mobile sensor network model, where not only static sensor nodes but also mobile sensor nodes existed. Based on the tiered mobile sensor network model, we propose a novel verifiable scheme named VTMSN for fine-grained top-k queries. The main idea of VTMSN is as follows: it maps each of the positions where sensor nodes are in a static state to a virtual node and then establishes relationships among data items of each virtual node with their score orders, which are encrypted along with the scores of the data items and the time epochs using the distinct symmetric keys kept by each sensor node and the network owner. Both theory analysis and simulation results show the efficiency and the security of VTMSN.

1. Introduction

More and more attention has been paid to two-tiered sensor networks in recent years [1–3]. A two-tiered sensor network, which is shown in Figure 1, consists of a lot of resource constrained sensor nodes at the lower level and some master nodes with relatively abundant resource at the upper level. The main tasks of the sensor nodes are to monitor the surroundings and generate sensing data, while the main tasks of the master nodes are to collect the sensing data from the sensor nodes and answer queries from the network owner. This two-tiered architecture is known to improve the scalability and capacity of the sensor networks. Besides, it is also able to reduce system complexity and prolong the network lifetime [3].

Figure 1

A traditional tiered sensor network model.

In this paper, we present a new sensor network model named TMSN (tired mobile sensor network) based on the two-tiered network architecture, which is shown in Figure 2. The difference between TMSN and the traditional two-tiered sensor network model is that mobile sensor nodes existed at the lower level of TMSN while all sensor nodes are static in the latter case. There are many advantages when mobile sensor nodes are introduced into the two-tiered network architecture. As an example, moving some of the mobile sensor nodes to heavy traffic regions can help balance the energy consumption of the sensor nodes at the lower level of TMSN. Another example is target coverage [4]. Some of targets in a tiered sensor network may lose coverage because of the early death of some sensor nodes or bad initial deployment of the sensor nodes. If some mobile sensor nodes exist, they can move to the position where dead nodes are located or to some other places by well designing [5].

Figure 2

A tired mobile sensor network (TMSN) model.

Top-k query is an important kind of queries in sensor networks. To obtain the top k data items from all the data items generated by the sensor nodes in the interested region, the network owner first sends a top-k query to each of the master nodes whose cells are intersected with the interested region. Each of the master nodes processes the top-k query locally and finds out the top-k query result in the intersected region in its own cell. Then the master nodes send their own query results to the network owner. Finally, the network owner finds out the final top-k query result according to the data received from the master nodes.

Nowadays, the security of top-k queries in tired sensor networks is under threat. If the master nodes are compromised, they may tamper the query results and return incomplete and/or false top-k query results to the network owner. Moreover, although introducing mobile sensor nodes into tiered sensor network architecture can bring many advantages, it also brings some challenges. One of the challenges is that the data items generated by the same sensor node may be generated at different locations, and the compromised master node may take place the data items generated in the query region with the data items generated by the same sensor node in other places. This is hard to be detected using the existing security verification method in tired sensor networks.

To verify the authentication and the completeness of the top-k query results received by the network owner in TMSN, we propose a novel verification scheme, which is called VTMSN. We assume that each sensor node in TMSN has two states: a mobile state and a static state, and they only generate sensing data when they are in a static state. The main technique of VTMSN is that it maps each of the positions where mobile sensor nodes are in a static state to a virtual static node. Thus, a mobile sensor node becomes one or many static sensor node/nodes for a given time interval. Then, with some modifications, schemes used in static tired sensor networks to verify the authentication and the completeness of the top-k query results received by the network owner can be used in TMSN.

In summary, the main contributions of this paper are listed as follows: (i)

We present a new sensor network model named TMSN based on the two-tiered network architecture, where mobile sensor nodes are introduced into the lower tier of the architecture.

(ii)

We investigate the problem of verifiable fine-grained top-k queries in TMSN for the first time and propose an effective verification scheme called VTMSN to verify the authentication and the completeness of the top-k query results.

(iii)

Theory analysis and extensive experiment have been conducted to show the efficiency and feasibility of our scheme VTMSN.

The rest of this paper is organized as follows. Section 2 presents the related work; Section 3 presents the network and attack models; Section 4 presents the notations, some definitions, and the problem statement; in Section 5, we provide the novel verification scheme VTMSN as well as the analysis of its detection probability and energy efficiency; the simulation results and their analysis are given in Section 6; Section 7 makes a conclusion.

2. Related Work

Many schemes and protocols are developed to secure query processing in two-tiered sensor networks. Some of them are proposed for range queries [6]. Range queries ask for data within one or multiple attributes falling into specified ranges, and they are different from top-k queries, which aim at finding k data items with peak values among all the data items generated in the query region. Some other papers focus on the problem of securing top-k queries [3, 7–10]. Zhang et al. [3] proposed three schemes, which are the closest work to ours, to solve the problem of verifiable fine-grained top-k queries in two-tiered sensor networks. All of them are only fit for static tiered sensor networks, because it is assumed that the network owner knows the mapping between sensor node IDs and their respective geographic locations. This assumption can not hold in TMSN because of the mobile sensor nodes.

There are also some works for mobile sensor networks or for mobile target detection in sensor networks [11]. Good schemes [4, 12, 13] are proposed to solve many kinds of coverage problems in mobile sensor networks; [14–17] are dedicated in localization in mobile sensor networks; routing protocols are studied in mobile sensor networks in [18–20]; an efficient framework for in-network data replication and acquisition in mobile sensor networks are proposed in [21]. In [22], mobility management of mobile sensors was discussed for the purposes of forming a better wireless sensor network. In [23], low cost data gathering using mobile hybrid sensor networks is achieved. In [24], a group-based discovery mechanism was proposed to reduce the discovery delay in low-duty-cycle mobile sensor networks. To the best of our knowledge, no work has been done considering mobile sensor nodes in tiered sensor networks at present.

3. Network and Attack Models

3.1. TMSN Model

Similar to the traditional tiered sensor networks, TMSN also contains two levels. At the lower level, there are a lot of resource-constrained sensor nodes, which are deployed into many cells. At the upper level, there are some master nodes with relatively abundant resource, each of which is responsible for one cell of sensor nodes at the lower level. We assume that time is divided into epochs, which is the same with [3]. At the end of each epoch, each sensor node sends all of its data generated during the epoch to its corresponding master node. After collecting the data from sensor nodes, master nodes can answer top-k queries from the external network owner. The network owner can communicate with some of the master nodes via an on-demand wireless (e.g., satellite) link, which is relatively low-rate. We assume that each sensor node communicates with its neighboring sensor nodes with short-range radios while master nodes can communicate with their neighboring master nodes through relatively high-rate, long-range radios.

The significant difference between TMSN and the traditional tiered sensor networks is that mobile sensor nodes existed in TMSN while all sensor nodes are static in the latter case. The manner of mobility for a sensor node can be divided into two kinds: controllable mobility and uncontrollable mobility. In this paper, we assume the mobility behaviors of sensor nodes are controllable. Specifically, we assume that each sensor node only moves in its own cell. The sensor nodes do not always move because their energy is limited. They will stop moving and monitor the surroundings to meet the demand of applications. When a sensor node stops at some place, the first thing it does is to estimate its position. We assume that some localization techniques in mobile sensor networks such as [14–17] are adopted to help the sensor nodes estimate their current locations. Thus, each sensor node in TMSN has two states: a mobile state and a static state. We assume that all sensor nodes generate sensing data only when they are in a static state, and we consider it a reasonable assumption because data items often need to be bound up with the locations where they are generated. Besides, we assume that all mobile sensor nodes will stop moving at the end of each epoch and assist other sensor nodes to route their data to the corresponding master nodes in the cell.

3.2. Adversary Model

Our attack model is similar as [3]. Specifically, we assume that both master nodes and sensor nodes can be compromised, and the sensor nodes that are not compromised are the majority. Adversaries may insert forged data to query results and/or return incomplete query results to the network owner through the compromised master nodes. We do not require the confidentiality of the top-k query results as in [3], but we do require the authenticity and completeness of top-k results. Because each master node in TMSN is in charge of one cell and each sensor node corresponds to one master node, an attacker who wants to break the authenticity and/or completeness of top-k query results in one cell can not get help from the compromised nodes in other cells. Thus we only focus on a cell C consisting of N sensor nodes, which are denoted by ${S_{i}}_{i = 1}^{N}$ , and one compromised master node $M$ in this paper.

4. Definitions, Notations, and Problem Statement

In this section, we present some definitions and important notations used throughout the paper as well as the problem investigated in this paper.

4.1. Definitions and Notations

We first list some definitions used in this paper as follows.

Definition 1 (virtual node).

A virtual node is a position where a real sensor node is in a static state, and it only exists in the epoch/epochs when the sensor node is in a static state at the position.

Definition 2 (mother node and child node).

A mother node is a real sensor node, and the child nodes of the mother node are virtual nodes generated by the same mother node.

Definition 3 (queried sensor node).

If at least one child node of a sensor node is in the query region of a top-k query during the interested time epoch, the sensor node is called queried sensor node for the query.

Definition 4 (qualified and unqualified data item).

If a data item is among the top k data items generated in the query region of a top-k query during the interested time epoch, the data item is qualified for the query. Otherwise it is unqualified for the query.

Definition 5 (qualified and unqualified virtual node).

If at least one qualified data item is generated on a virtual node for a top-k query, the virtual node is called a qualified virtual node for the query. Otherwise it is called an unqualified virtual node for the query.

Now we present the notations used in this paper. Assume that, during epoch t, each node $S_{i} \in {S_{i}}_{i = 1}^{N}$ generates $λ_{i}^{t}$ virtual nodes, which are denoted by $V N D_{i} = {v n d_{i}^{j}}_{j = 1}^{λ_{i}^{t}}$ , and $μ_{i}^{j}$ data items denoted by $D_{i}^{j} = {D_{i, h}^{j}}_{h = 1}^{μ_{i}^{j}}$ are generated on each virtual node $v n d_{i}^{j} \in V N D_{i}$ . Each data item $D_{i, h}^{j} \in D_{i}^{j}$ can be scored by some public scoring functions, such as the one in [25]. Let $f (\cdot)$ denote a good public scoring function and let $d_{i, h}^{j}$ denote the score of $D_{i, h}^{j}$ . Then we have $d_{i, h}^{j} = f (D_{i, h}^{j})$ . In [3], if a data item is smaller than or equal to another data item, the score of the former data item is also smaller than or equal to the score of the latter data item. In this paper, we release this assumption and just assume that different data items have different data scores. $W$ in this paper denotes the network owner. $I_{t} = {i}_{i = 1}^{N}$ is used to denote the ID set of all the sensor nodes in cell C, and $V I_{t}^{i} = {(i, j)}_{j = 1}^{λ_{i}^{t}}$ denotes the ID set of the child nodes of sensor node $S_{i}$ ( $\forall i \in I_{t}$ ).

We use $Q_{t} = 〈C, t, k, Q R〉$ to denote a primitive top-k query in TMSN, where C denotes a cell ID, t is the epoch number, k is the desired number of data items with peak values, and $Q R$ is the query region. We use $R_{Q t}$ to denote the query result of $Q_{t}$ . In this paper, we only pay attention to the primitive queries, because more complicated queries can be decomposed into multiple primitive ones easily.

4.2. Problem Statement

In this subsection, we present the problem and some metrics that we use to evaluate the performance of the verification scheme proposed in this paper.

Given a query $Q_{t} = 〈C, t, k, Q R〉$ , the problem we are interested in this paper is how to verify the authenticity and completeness of $R_{Q t}$ in TMSN, where the authenticity of $R_{Q t}$ means that all data items in $R_{Q t}$ are indeed generated on virtual nodes in $Q R$ during epoch t, and the completeness of $R_{Q t}$ means that $R_{Q t}$ indeed contains the top k data items among all the candidates.

One of the performance metrics used in this paper is $P_{d e t}$ , which denotes the probability that an incomplete and/or forged top-k query result is detected [3]. Maximizing the lifetime of sensor networks is an important target for many protocols in sensor networks [26, 27]. Generally speaking, communication consumes most of the energy. If the communication cost is decreased, the lifetime of the sensor networks can increase significantly. Thus, the performance metrics used in this paper also include the following.

(i) $C_{v - s m}$ : In-Cell Communication Cost. It is the energy consumption in bits incurred by transmitting and receiving the verification information generated by the sensor nodes in cell C per epoch. We also assume that the energy consumption of transmitting and receiving every bit across each hop is the same as [3].

(ii) $C_{v - m w}$ : Query Communication Cost. It is the energy consumption in bits incurred by sending and receiving the verification information between $M$ and $W$ to reply to a top-k query. It may need to travel multiple master nodes and the on-demand wireless link for $M$ to connect $W$ . For simplicity, we consider the route connecting $M$ to $W$ a virtual hop. The energy consumption of transmitting one bit across a virtual hop is different from that between neighboring sensor nodes.

(iii) $R_{v s}$ : Ratio of Cost. It is the ratio of the cost of transmitting and receiving verification information to that of transmitting and receiving data items, which are not verification information.

5. Verifiable Top-k Queries in TMSN

In this section, we first propose a novel scheme named VTMSN for verifiable top-k queries in TMSN. For clarity, we ignore compromised sensor nodes temporarily in Section 5.1. Then $P_{d e t}$ , $C_{v - s m}$ , and $C_{v - m w}$ are analyzed in Section 5.2. Finally, the impact of compromised sensor nodes is discussed in Section 5.3.

5.1. VTMSN: A Novel Verification Scheme in TMSN

VTMSN enables completeness verification by establishing relationships between every two ordered neighboring data items of each virtual node with their orders, which are encrypted along with the time epoch numbers and the virtual node IDs by the symmetric keys shared by sensor nodes and the network owner $W$ . For each sensor node $S_{i}$ ( $\forall i \in I_{t}$ ), we assume that a distinct symmetric key $K_{i}$ between $S_{i}$ and $W$ is preloaded on it. To achieve forward-secure authenticity, $K_{i}$ can be epoch-based as in [7–9]. VTMSN enables authenticity verification by taking the scores of data items encrypted with the distinct keys as the verification information. Recall that different data items have different data scores, each of which is very short in length. Thus, if we create verification information by encrypting the scores, it can not only make the authenticity of top-k query results verifiable but also shrink the amount of verification information. Specifically, VTMSN includes the following four stages.

5.1.1. Data Preparation

At the end of each epoch, each sensor node $S_{i}$ ( $\forall i \in I_{t}$ ) prepares the data generated during the epoch and some necessary verification information, which will be sent to the master node $M$ . Let ${I N F O}_{i}^{j}$ denote the information that $S_{i}$ prepares for its child node $v n d_{i}^{j}$ , let $l o c_{i}^{j}$ denote the location of virtual node $v n d_{i}^{j}$ , and let $E_{K i} {*}$ denote the encryption operation with key $K_{i}$ . Then, according to different values of $μ_{i}^{j}$ , the content of ${I N F O}_{i}^{j}$ is also different, and it is shown as follows: (i)

if $μ_{i}^{j} = 0$ ,

\begin{matrix} {I N F O}_{i}^{j} = 〈l o c_{i}^{j}, E_{K i} \{t ∥ j\}〉; \end{matrix}

(1)

(ii)

if $μ_{i}^{j} \neq 0$ ,

\begin{matrix} {I N F O}_{i}^{j} = 〈l o c_{i}^{j}, E_{K i} \{μ_{i}^{j} ∥ t ∥ j\}, D_{i, 1}^{j}, E_{K i} \{1 ∥ t ∥ d_{i, 1}^{j} ∥ j\}, D_{i, 2}^{j}, E_{K i} \{2 ∥ t ∥ d_{i, 2}^{j} ∥ j\}, \dots, D_{i, μ_{i}^{j} - 1}^{j}, E_{K i} \{(μ_{i}^{j} - 1) ∥ t ∥ d_{i, μ_{i}^{j} - 1}^{j} ∥ j\}, D_{i, μ_{i}^{j}}^{j}, E_{K i} \{μ_{i}^{j} ∥ t ∥ d_{i, μ_{i}^{j}}^{j} ∥ j\}〉, \end{matrix}

(2)

where term

E_{K i} {μ_{i}^{j} ∥ t ∥ l o c_{i}^{j}}

is needed for verification when

μ_{i}^{j} < k

and all data items of

S_{i}

are qualified data items. It is used to determine whether the data are dropped by the master node

M

or not in such a case.

5.1.2. Data Submission

After preparing the information for each virtual node $v n d_{i}^{j}$ , each sensor node $S_{i}$ ( $\forall i \in I_{t}$ ) sends a message, which includes the information prepared for each child node $v n d_{i}^{j}$ ( $\forall v n d_{i}^{j} \in V N D_{i}$ ) of node $S_{i}$ , to master $M$ . Specifically, the message is as follows:

\begin{matrix} S_{i} ⟶ M : 〈i, E_{K i} \{t ∥ 1 ∥ l o c_{i}^{1} ∥ 2 ∥ l o c_{i}^{2} ∥ \dots ∥ λ_{i}^{t} ∥ l o c_{i}^{λ_{i}^{t}}\}, I N F O_{i}^{1}, I N F O_{i}^{2}, \dots, I N F O_{i}^{λ_{i}^{t}}〉 . \end{matrix}

(3)

When the message is received by $M$ , the data items and verification information included in the message will be stored on $M$ .

5.1.3. Query Processing

When a top-k query primitive $Q_{t} = 〈C, t, k, {Q R}_{t}〉$ is received by the master node $M$ in cell C, $M$ first locates the top k data items among all data items generated in $Q R_{t}$ during epoch t and then sends them along with some verification information to $W$ . Suppose that there are totally m queried sensor nodes which are denoted as $Q S N_{t} = {S_{x_{a}}}_{a = 1}^{m}$ for $Q_{t}$ , and each sensor node $S_{i} \in Q S N_{t}$ has $ω_{i}^{t}$ child nodes which are denoted as $Q V N_{i}^{t} = {v n d_{i}^{y_{b}}}_{b = 1}^{ω_{i}^{t}}$ in $Q R_{t}$ during epoch t, where the combination $(i, y_{b})$ is the ID of the virtual node $v n d_{i}^{y_{b}}$ . Let $R S T_{i}^{j}$ denote the information included in the query result for child node $v n d_{i}^{j} \in Q V N_{i}^{t}$ of sensor node $S_{i} \in Q S N_{t}$ and let $n_{i}^{j}$ denote the number of qualified data items generated by $S_{i}$ on virtual node $v n d_{i}^{j} \in Q V N_{i}^{t}$ during epoch t. Then, the content of $R S T_{i}^{j}$ is as follows: (i)

If $n_{i}^{j} = μ_{i}^{j} = 0$ ,

\begin{matrix} R S T_{i}^{j} = 〈E_{K i} \{t ∥ j\}〉 . \end{matrix}

(4)

(ii)

If $n_{i}^{j} = 0$ , $μ_{i}^{j} > 0$ ,

\begin{matrix} R S T_{i}^{j} = 〈E_{K i} \{1 ∥ t ∥ d_{i, 1}^{j} ∥ j\}〉 . \end{matrix}

(5)

(iii)

If $0 < n_{i}^{j} = μ_{i}^{j} < k$ ,

\begin{matrix} R S T_{i}^{j} = 〈E_{K i} \{μ_{i}^{j} ∥ t ∥ j\}, D_{i, 1}^{j}, E_{K i} \{1 ∥ t ∥ d_{i, 1}^{j} ∥ j\}, D_{i, 2}^{j}, E_{K i} \{2 ∥ t ∥ d_{i, 2}^{j} ∥ j\}, \dots, D_{i, μ_{i}^{j} - 1}^{j}, E_{K i} \{(μ_{i}^{j} - 1) ∥ t ∥ d_{i, μ_{i}^{j} - 1}^{j} ∥ j\}, D_{i, μ_{i}^{j}}^{j}, E_{K i} \{μ_{i}^{j} ∥ t ∥ d_{i, μ_{i}^{j}}^{j} ∥ j\}〉 . \end{matrix}

(6)

(iv)

If $n_{i}^{j} = k$ and $μ_{i}^{j} \geq k$ ,

\begin{matrix} R S T_{i}^{j} = 〈D_{i, 1}^{j}, E_{K i} \{1 ∥ t ∥ d_{i, 1}^{j} ∥ j\}, D_{i, 2}^{j}, E_{K i} \{2 ∥ t ∥ d_{i, 2}^{j} ∥ j\}, \dots, D_{i, k - 1}^{j}, E_{K i} \{(k - 1) ∥ t ∥ d_{i, k - 1}^{j} ∥ j\}, D_{i, k}^{j}, E_{K i} \{k ∥ t ∥ d_{i, k}^{j} ∥ j\}〉 . \end{matrix}

(7)

(v)

If $0 < n_{i}^{j} < k$ and $μ_{i}^{j} > n_{i}^{j}$ ,

\begin{matrix} R S T_{i}^{j} = 〈D_{i, 1}^{j}, E_{K i} \{1 ∥ t ∥ d_{i, 1}^{j} ∥ j\}, D_{i, 2}^{j}, E_{K i} \{2 ∥ t ∥ d_{i, 2}^{j} ∥ j\}, \dots, D_{i, n_{i}^{j} - 1}^{j}, E_{K i} \{(n_{i}^{j} - 1) ∥ t ∥ d_{i, n_{i}^{j} - 1}^{j} ∥ j\}, D_{i, n_{i}^{j}}^{j}, E_{K i} \{n_{i}^{j} ∥ t ∥ d_{i, n_{i}^{j}}^{j} ∥ j\}, E_{K i} \{(n_{i}^{j} + 1) ∥ t ∥ d_{i, n_{i}^{j} + 1}^{j} ∥ j\}〉 . \end{matrix}

(8)

After

M

prepares

R S T_{i}^{j}

for each child node

v n d_{i}^{j} \in Q V N_{i}^{t}

of each sensor node

S_{i} \in Q S N_{t}

M

checks whether it has answered a query whose interested time epoch is the same as that of

Q_{t}

. If

M

has not answered such a query, it returns the following information for each

S_{i}

\forall i \in I_{t}

(i)

If $S_{i} \in Q S N_{t}$ , the information is

\begin{matrix} M ⟶ W : 〈i, E_{K i} \{t ∥ 1 ∥ l o c_{i}^{1} ∥ 2 ∥ l o c_{i}^{2} ∥ \dots ∥ λ_{i}^{t} ∥ l o c_{i}^{λ_{i}^{t}}\}, {\{R S T_{i}^{y_{b}}\}}_{b = 1}^{ω_{i}^{t}}〉, \end{matrix}

(9)

where $R S T_{i}^{y_{b}}$ denotes the information included in the query result for child node $v n d_{i}^{y_{b}} \in Q V N_{i}^{t}$ of sensor node $S_{i} \in Q S N_{t}$ .

(ii)

If $S_{i} \notin Q S N_{t}$ , the information is

\begin{matrix} M ⟶ W : 〈i, E_{K i} \{t ∥ 1 ∥ l o c_{i}^{1} ∥ 2 ∥ l o c_{i}^{2} ∥ \dots ∥ λ_{i}^{t} ∥ l o c_{i}^{λ_{i}^{t}}\}〉 . \end{matrix}

(10)

If $M$ has answered a top-k query whose interested time epoch is the same as that of $Q_{t}$ , it does not need to return the location information for virtual nodes formed during epoch t, because the network owner can find this information from the history query records. Thus, $M$ only needs to return the following information to $W$ for each $S_{i} \in Q S N_{t}$ in this case:

\begin{matrix} M ⟶ W : 〈i, {\{R S T_{i}^{y_{b}}\}}_{b = 1}^{ω_{i}^{t}}〉 . \end{matrix}

(11)

In fact, the amount of information in $R_{Q t}$ can be further shrunk when $Q_{t}$ is not the first top-k query whose interested time epoch is t. As an example, if $v n d_{i}^{j}$ is in $Q R_{t}$ and it has no qualified data item for query $Q_{t}$ , $R_{Q t}$ should include term $E_{K i} {t ∥ j}$ . However, if the same case has appeared for a former query whose interested time epoch is also t, term $E_{K i} {t ∥ j}$ does not need to be included in $R_{Q t}$ because it has been sent to the network owner before.

5.1.4. Verification

When receiving a top-k query result $R_{Q t}$ , the network owner checks the authenticity of $R_{Q t}$ in the following way. For each data item $D_{i, h}^{j}$ in $R_{Q t}$ , the network owner decrypts term $E_{K i} {h ∥ t ∥ d_{i, h}^{j} ∥ j}$ following $D_{i, h}^{j}$ in $R_{Q t}$ and checks whether $d_{i, h}^{j}$ got from term $E_{K i} {h ∥ t ∥ d_{i, h}^{j} ∥ j}$ is equal to $f (D_{i, h}^{j})$ , where $f (*)$ is a public scoring function [4]. If they are equal, data items in $R_{Q t}$ are authentic; otherwise they are not. The principle is that different data items have different scores [3], and if a compromised master node modifies $D_{i, h}^{j}$ , it should also modify $d_{i, h}^{j}$ in term $E_{K i} {h ∥ t ∥ d_{i, h}^{j} ∥ j}$ . However, it can not do this because it does not know the key $K_{i}$ .

Completeness verification of $R_{Q t}$ is a little complicated. The first step to verify the completeness of $R_{Q t}$ is to check whether each sensor node $S_{i}$ in cell C has sent term $E_{K i} {t ∥ 1 ∥ l o c_{i}^{1} ∥ 2 ∥ l o c_{i}^{2} ∥ \dots ∥ λ_{i}^{t} ∥ l o c_{i}^{λ_{i}^{t}}}$ to the network owner. If any sensor node has not sent it, $R_{Q t}$ is considered incomplete. The second step is to check whether term $R S T_{i}^{j}$ for each child node $v n d_{i}^{j} \in Q V N_{i}^{j}$ of each sensor node $S_{i} \in Q S N_{t}$ has been sent to the network owner. If at least one of them has not been sent to the network owner, $R_{Q t}$ is considered incomplete. The last step is to verify the completeness of each $R S T_{i}^{j}$ in $R_{Q t}$ . If they are all verified to be complete, $R_{Q t}$ is considered complete; otherwise it is not. Details of completeness verification of each $R S T_{i}^{j}$ are given in Algorithm 1, where $d_{s m a l l e s t}$ is the smallest data score in $R_{Q t}$ .

Algorithm 1: Completeness verification of ${R S T_{i}}^{j}$ .

Input: top-k query $Q_{t} = 〈C, t, k, {Q R}_{t}〉$ , ${R S T_{i}}^{j}$ , $d_{s m a l l e s t}$

Output: completeness

(1) completeness = true

(2) if ${R S T_{i}}^{j}$ includes $γ_{i}^{j}$ ( $γ_{i}^{j}$ ≠ 0) data items denoted by ${\{D}_{i, h}^{j} \}_{h = 1}^{γ_{i}^{j}} \{$

(3) Decrypt each term $E_{K i} \{h ∥ t ∥ d_{i, h}^{j} ∥ j \}$ following each data item $D_{i, h}^{j} \in {\{D}_{i, h}^{j} \}_{h = 1}^{γ_{i}^{j}}$ with $K_{i}$

(4) if (the orders got from each term $E_{K i} \{h ∥ t ∥ d_{i, h}^{j} ∥ j \}$ are not consecutive from 1 to $γ_{i}^{j}$ )

(5) $\{c o m p l e t e n e s s = f a l s e\}$

(6) if term $E_{K i} \{μ_{i}^{j} ∥ t ∥ j \}$ is in ${R S T_{i}}^{j} \{$

(7) if $μ_{i}^{j}$ ≠ $γ_{i}^{j} \{c o m p l e t e n e s s = f a l s e\}$

(8) }else{

if term $E_{K i} \{(γ_{i}^{j} + 1) ∥ t ∥ d_{i, γ_{i}^{j} + 1}^{j} ∥ j \}$ is in ${R S T_{i}}^{j} \{$

(9) if $d_{i, γ_{i}^{j} + 1}^{j} \geq d_{s m a l l e s t} \{c o m p l e t e n e s s = f a l s e\}$

(10) }else{ if $γ_{i}^{j} \neq k \{c o m p l e t e n e s s = f a l s e\}$

(11) }

(12) }

(13) }else if no data item is in ${R S T_{i}}^{j} \{$

(14) if (both term $E_{K i} \{t ∥ j \}$ and $E_{K i} \{1 ∥ t ∥ d_{i, 1}^{j} ∥ j \}$ are not in ${R S T_{i}}^{j}$ ) or

(( $E_{K i} \{1 ∥ t ∥ d_{i, 1}^{j} ∥ j \}$ is in ${R S T_{i}}^{j}$ ) and ( $d_{i, 1}^{j} \geq d_{s m a l l e s t}$ ))

(15) {completeness = false}

(16) }

(17) if (not all the encrypted terms in ${R S T_{i}}^{j}$ can be decrypted by the same symmetric key) or

(not all the values of j in the encrypted terms in ${R S T_{i}}^{j}$ are the same) or (at least one time epoch

number in the encrypted terms in ${R S T_{i}}^{j}$ is not equal to t)

(18) $\{c o m p l e e n e s s = f a l s e\}$

(19) return completeness.

In Algorithm 1, lines (1)–(16) can verify the completeness of $R S T_{i}^{j}$ under the condition that the data items and their corresponding verification information in $R S T_{i}^{j}$ are not replaced by those of other virtual nodes. Lines (17)-(18) are added to tear off this constraint condition.

5.2. Performance Analysis of VTMSN

Theorem 6.

As long as none of the queried sensor nodes is compromised, a compromised master node can not insert forged data into query results without being detected by VTMSN.

Proof.

This theorem is actually proved in the verification stage in Section 4.1.

Theorem 7.

As long as none of the queried sensor nodes is compromised, a compromised master node can not replace data items generated during the interested time epoch with data items generated in some other time epochs without being detected by VTMSN.

Proof.

Each encrypted term in top-k query results contains an epoch number t in VTMSN. Thus, it is easy to detect such behaviors by checking the time epoch numbers in the encrypted terms.

Theorem 8.

As long as none of the queried sensor nodes is compromised, a compromised master node can not replace qualified data items with unqualified data items generated during the same epoch without being detected by VTMSN.

Proof.

It is clear that the corresponding verification information should also be replaced if some data items are replaced. Then, the following two propositions prove that Theorem 8 holds. (1)

The compromised master node can not replace qualified data items with unqualified data items of the same virtual node without being detected by VTMSN. This is because the orders in the encrypted terms following the data items will not be consecutive if such behavior is made.

(2)

The compromised master node can not replace qualified data items with unqualified data items of some other virtual nodes without being detected by VTMSN. The verification information of a virtual node in the query region can not be totally replaced with those of another virtual node because each virtual node in the query region is asked to include its verification information in the query result. Besides, if some qualified data items of a virtual node are replaced with unqualified data items of some other virtual nodes, either the encrypted terms for the same virtual node in the query result can not be decrypted by the same key or the values of j got from each encrypted term following each data item of the same virtual node in the query result are not the same. According to Algorithm 1, both cases can be detected by VTMSN.

Theorem 9.

As long as none of the queried sensor nodes is compromised, VTMSN can detect any incomplete top-k query result with probability $P_{d e t} = 1$ .

Proof.

There are totally two methods for $M$ to break the completeness of top-k query results. The first method is to replace the qualified data items with some unqualified data items, and the second method is to drop part or all of the qualified data items without replacing them with unqualified data items. According to Theorems 7 and 8, it can be detected with $P_{d e t} = 1$ if $M$ adopts the first method. Then we prove that it can also be detected by VTMSN with probability $P_{d e t} = 1$ if $M$ adopts the second method. For each qualified virtual node $v n d_{i}^{j}$ , if $M$ drops part of the qualified data items of $v n d_{i}^{j}$ , $M$ must drop all the last $σ_{i}^{j}$ ( $0 < σ_{i}^{j} < n_{i}^{j}$ ) qualified data items and all the unqualified data items of $v n d_{i}^{j}$ in order to make the orders of the left data items consecutive. Then term $E_{K i} {μ_{i}^{j} ∥ t ∥ j}$ or $E_{K i} {χ ∥ t ∥ d_{i, χ}^{j} ∥ j}$ must be left in the query result, where $χ = n_{i}^{j} - σ_{i}^{j} + 1$ ; otherwise $R S T_{i}^{j}$ will be considered incomplete according to Algorithm 1. If term $E_{K i} {μ_{i}^{j} ∥ t ∥ j}$ is left in the query result, $μ_{i}^{j}$ got from $E_{K i} {μ_{i}^{j} ∥ t ∥ j}$ must not be equal to the number of data items of $v n d_{i}^{j}$ left in the query result. If term $E_{K i} {χ ∥ t ∥ d_{i, χ}^{j} ∥ j}$ is left in the query result, $d_{i, χ}^{j}$ got from term $E_{K i} {χ ∥ t ∥ d_{i, χ}^{j} ∥ j}$ must be not smaller than the smallest data score of the data items in the query result. According to Algorithm 1, the query result can be considered incomplete in both cases. If $M$ drops all qualified data items of $v n d_{i}^{j}$ , the incomplete query result can also be detected because $M$ can not generate a legal term $E_{K i} {t ∥ j}$ or $E_{K i} {1 ∥ t ∥ d_{i, 1}^{j} ∥ j}$ without knowing $K_{i}$ . Thus, any incomplete query result can be detected as long as none of the queried sensor nodes is compromised.

Next, we will analyze the in-cell communication cost $C_{v - s m}$ of VTMSN. Note that all information in the message sent from each sensor node to $M$ is the verification information except data items. In this paper, we assume that the length of the data after they are encrypted is the same as that before they are encrypted. We use $ζ_{i}^{t}$ to denote the number of child nodes, which have data items in epoch t, of each sensor node $S_{i}$ ( $\forall i \in I_{t}$ ). Then the number of child nodes, which do not have data items in epoch t, of sensor node $S_{i}$ is $λ_{i}^{t} - ζ_{i}^{t}$ . The meanings of some other parameters are listed in Table 1.

Table 1

Parameters and their meanings.

Para.	Meaning
$l_{o r d e r}$	Length in bits of an order number
$l_{e p o c h}$	Length in bits of an epoch number
$l_{l o c}$	Length in bits of each location
$l_{i d}$	Length in bits of an ID number
$l_{n u m}$	Length in bits of number of data items
$l_{s c o r e}$	Length in bits of a data score

For a child node, which does not have data item in time epoch t, of sensor node $S_{i}$ , the length of verification information per epoch in bits is

\begin{matrix} L_{i}^{λ - ζ} = l_{l o c} + l_{e p o c h} + l_{i d} . \end{matrix}

(12)

Let $T_{a v g}$ denote the average time for a sensor node to be in a static state per epoch and let $f_{d}$ denote the average data generating frequency of each sensor node. The average number of data items that are generated on a child node in one epoch is

\begin{matrix} μ = f_{d} * T_{a v g} . \end{matrix}

(13)

Then, for a child node that has data items in time epoch t of sensor node $S_{i}$ , the length of verification information in bits per epoch is

\begin{matrix} L_{i}^{ζ} = l_{l o c} + l_{e p o c h} + l_{i d} + l_{n u m} + μ * (l_{e p o c h} + l_{i d} + l_{o r d e r} + l_{s c o r e}) . \end{matrix}

(14)

For each sensor node $S_{i}$ ( $\forall i \in I_{t}$ ), it also has to take some locations and IDs of its child nodes as the verification information. Thus, the length of verification information prepared by each sensor node $S_{i}$ ( $\forall i \in I_{t}$ ) in bits per epoch is

\begin{matrix} L_{S_{i}} = l_{i d} + l_{e p o c h} + λ_{i}^{t} * (l_{l o c} + l_{i d}) + (λ_{i}^{t} - ζ_{i}^{t}) * L_{i}^{λ - ζ} + ζ_{i}^{t} * L_{i}^{ζ} . \end{matrix}

(15)

Let $h_{i}$ denote the hop counts from $S_{i}$ to $M$ along the shortest path at the end of epoch t. Then the in-cell communication cost $C_{v - s m}^{S_{i}}$ in bits incurred by sending the verification information generated by $S_{i}$ to $M$ is

\begin{matrix} C_{v - s m}^{S_{i}} = L_{S_{i}} * h_{i} . \end{matrix}

(16)

Then we have

\begin{matrix} C_{v - s m} = \sum_{i = 1}^{N} 2 * C_{v - s m}^{S_{i}} . \end{matrix}

(17)

In this paper, we assume that the energy consumption incurred by sending and receiving one bit of data is the same as in [3]. So in formula (17), the total energy consumption is doubled.

Suppose that a query $Q_{t} = 〈C, t, k, Q R_{t}〉$ is received by $M$ . We then derive the query communication cost $C_{v - m w}$ incurred by VTMSN. First, the query communication cost in bits incurred by sending the verification information from $M$ to $W$ for each virtual node $v n d_{i}^{j}$ that is located in $Q R_{t}$ is

\begin{matrix} C_{v - s m}^{v n d_{i}^{j}} = \{\begin{cases} l_{i d} + l_{e p o c h} & (n_{i}^{j} = μ_{i}^{j} = 0) \\ l_{i d} + l_{o r d e r} + l_{e p o c h} + l_{s c o r e} & (n_{i}^{j} = 0, μ_{i}^{j} > 0) \\ l_{i d} + l_{n u m} + l_{e p o c h} + μ_{i}^{j} (l_{e p o c h} + l_{s c o r e} + l_{o r d e r} + l_{i d}) & (0 < n_{i}^{j} = μ_{i}^{j} < k) \\ k (l_{e p o c h} + l_{o r d e r} + l_{s c o r e} + l_{i d}) & (n_{i}^{j} = k) \\ (n_{i}^{j} + 1) (l_{e p o c h} + l_{s c o r e} + l_{o r d e r} + l_{i d}) & (1 \leq n_{i}^{j} < k, μ_{i}^{j} > n_{i}^{j}), \end{cases} \end{matrix}

(18)

where

μ_{i}^{j}

is the total number of data items generated by sensor node

S_{i}

on its child node

v n d_{i}^{j}

during time epoch t and

n_{i}^{j}

is the number of qualified data items among the

μ_{i}^{j}

data items.

Let $C_{v - m w}^{S_{i}}$ denote query communication cost in bits incurred by sending the verification information generated by $S_{i}$ from $M$ to $W$ . Then, if $M$ has not answered a top-k query whose interested time epoch is the same as that of $Q_{t}$ , the following two cases should be considered. (i)

The first case is that $S_{i}$ is not a queried sensor node; then

\begin{matrix} C_{v - m w}^{S_{i}} = l_{i d} + l_{e p o c h} + λ_{i}^{t} * (l_{l o c} + l_{i d}) . \end{matrix}

(19)

(ii)

The second case is that $S_{i}$ has $ω_{i}^{t}$ ( $ω_{i}^{t} \neq 0$ ) child nodes located in $Q R_{t}$ ; then we have

\begin{matrix} C_{v - m w}^{S_{i}} = l_{i d} + l_{e p o c h} + λ_{i}^{t} * (l_{l o c} + l_{i d}) + \sum_{a = 1}^{ω_{i}^{t}} C_{v - s m}^{v n d_{i}^{x_{a}}}, \end{matrix}

(20)

where

C_{v - s m}^{v n d_{i}^{x_{a}}}

is the query cost for

v n d_{i}^{x_{a}} \in Q V N_{i}^{t}

and

ω_{i}^{t}

is the number of child nodes of sensor node

S_{i} \in Q S N_{t}

If $M$ has answered a top-k query whose interested time epoch is the same as that of $Q_{t}$ , the location information of each virtual node does not need to be sent to the network owner any more. Moreover, we further shrink the amount of information in top-k query results by excluding the information that has been sent to the network owner. Thus, if $S_{i}$ is a queried sensor node for $Q_{t}$ , the following inequality holds:

\begin{matrix} C_{v - m w}^{S_{i}} \leq l_{i d} + \sum_{a = 1}^{ω_{i}^{t}} C_{v - s m}^{v n d_{i}^{x_{a}}} . \end{matrix}

(21)

If sensor node $S_{i}$ is not a queried sensor node for $Q_{t}$ , then

\begin{matrix} C_{v - m w}^{S_{i}} = 0 . \end{matrix}

(22)

Then we have

\begin{matrix} C_{v - m w} \leq \sum_{i = 1}^{N} 2 * C_{v - m w}^{S_{i}} . \end{matrix}

(23)

Similarly, we assume that the energy consumption incurred by sending and receiving one bit of data is the same across the on-demand wireless link. Thus, $C_{v - m w}$ is doubled in (23).

5.3. Impact of Compromising Some Sensor Nodes

In above sections, we never consider the case that some sensor nodes are compromised. Thus we now further analyze the impact of compromised sensor nodes. If some sensor nodes are compromised, the following two kinds of attack may be launched.

(1) The compromised sensor nodes may collaborate with $M$ to help it escape the detection. The impact of this behavior depends on $P_{c}$ , which is the probability that at least one queried sensor node is compromised. In [3], it is known that if sensor nodes are static and uniformly distributed, the probability that at least one compromised node is in the query region is $1 - \prod_{i = 1}^{c} (1 - \min {1, δ / (N - i + 1)})$ , where c is the number of compromised nodes in a cell and δ is the number of sensor nodes in the query region. Thus, in TMSN, if one sensor node generates b virtual nodes on average in one epoch and all virtual nodes uniformly distributed, we have

\begin{matrix} P_{c} = 1 - \prod_{i = 1}^{c * b} (1 - \min \{1, \frac{δ}{N * b - i + 1}\}), \end{matrix}

(24)

where δ denotes the number of virtual nodes in the query region in one epoch and c denotes the number of compromised sensor nodes in a cell. If a queried sensor node is compromised, its forged data can not be detected by

W

using existing methods including ours.

However, some countermeasures can be adopted to solve this problem. One countermeasure is to shrink the query region, so that $P_{c}$ can be decreased; another countermeasure is to monitor the frequency for a sensor node to generate data items with peak values. If a sensor node generates data items with extremely high values on some of its child nodes frequently, the sensor node can be suspected as being compromised, and then some tools like software attestation [28] can be used to testify its hypotheses.

(2) If $M$ is not compromised, the compromised sensor nodes may generate some verification information encrypted using the incorrect keys to make $W$ take $M$ as being compromised. One countermeasure against this attack is to digitally sign every message transmitted and received. Because of limited space, we do not describe this method in detail, and more details can be found in [3].

6. Performance Evaluation

In this section, we evaluate the efficiency of VTMSN and illustrate the impact of some factors on the metrics presented in Section 4. We use OMNET++ as our simulator. In our simulation model, we assume the size of a cell in TMSN is 400 m × 400 m. In each cell, 500 sensor nodes are deployed randomly. They switch their states between mobile state and static state periodically. Some other default parameters are listed in Table 2, where R is the communication radius of each sensor node, $T_{s}$ denotes the average time period for a sensor node to keep static, and $T_{m}$ denotes the average time period for a sensor node to keep mobile. We will make a special declaration if some parameters are changed in the simulation. We also assume collision-free and error-free packet transmissions as in [3]. For ease of presentation, when we say verification information for data items, we refer to the encrypted term following each data item in the query result, and we call the left verification information the verification information for virtual nodes in the following of this paper.

Table 2

Default evaluation parameters.

Para.	Val.
$l_{D}$	400
$f_{d}$	10
$l_{e p o c h}$	10
R	50 m
$f_{q}$	100
$l_{s c o r e}$	20
$l_{i d}$	10
$T_{m}$	10
$l_{n u m}$	10
k	10
$T_{s}$	10
$T_{e}$	50

6.1. The Results of $C_{v - s m}$ and the Corresponding $R_{v s}$

To evaluate the performance of $C_{v - s m}$ and the corresponding $R_{v s}$ objectively, we run the simulation for consecutive 100 epochs and take the average values of $C_{v - s m}$ and $R_{v s}$ in one epoch as the final results, which are illustrated as follows.

6.1.1. Impact of Parameters $T_{m}$ , $T_{s}$ , and $T_{e}$

Figure 3 shows that $C_{v - s m}$ becomes larger and larger as $T_{e}$ increases. The reason is obvious: the larger $T_{e}$ is, the more the data items are, and more verification information is needed. However, Figure 4 shows that the corresponding $R_{v s}$ does not change too much as $T_{e}$ increases. This indicates that the ratio of the increasing rate of verification information to that of data items keeps relatively stable as $T_{e}$ increases.

Figure 3

Impact of parameters $T_{m}$ , $T_{s}$ , and $T_{e}$ on $C_{v - s m}$ .

Figure 4

Impact of parameters $T_{m}$ , $T_{s}$ , and $T_{e}$ on $R_{v s}$ corresponding to $C_{v - s m}$ .

From Figure 3, we can also find that the longer the total time for sensor nodes to be in a static state in one epoch is, the larger $C_{v - s m}$ is, because sensor nodes generate data items only when they are in a static state. Moreover, when $T_{m}$ and $T_{s}$ are equal, the smaller $T_{m}$ and $T_{s}$ are, the more the verification information is needed, because more virtual nodes are formed when $T_{m}$ and $T_{s}$ are smaller and the amount of data items is almost the same when $T_{m}$ and $T_{s}$ are equal. It is also the reason why $R_{v s}$ is much larger than that in the other two cases in Figure 4 when $T_{m}$ and $T_{s}$ are set to 2 s.

Now we explain why $R_{v s}$ with $T_{m} = 2$ s and $T_{s} = 10$ s is almost equal to or sometimes a little larger than $R_{v s}$ with $T_{m} = 10$ s and $T_{s} = 10$ s in Figure 4. First, sensor nodes in the former case generate more data items than those in the latter case. If the numbers of virtual nodes are the same for the two cases, the more the data items are generated, the smaller $R_{v s}$ is. Of course, $R_{v s}$ should be bigger than the ratio of cost of transmitting the verification information for data items to the cost of transmitting data items. Thus, if the number of virtual nodes is the same, $R_{v s}$ in the former case should be much smaller than that in the latter case. However, virtual nodes formed in the former case are many more than those formed in the latter case. Thus, much more verification information for virtual nodes is needed in the former case. Taken altogether, $R_{v s}$ in the former case is almost equal to or sometimes a little larger than that in the latter case.

6.1.2. Impact of Parameter $f_{d}$

From Figure 5, we can see that the larger $f_{d}$ is, the larger $C_{v - s m}$ is. The reason is clear: more data items need more verification information in VTMSN. Figure 6 shows the simulation results of the corresponding $R_{v s}$ . We can see that the larger $f_{d}$ is, the smaller $R_{v s}$ is. The reason is that larger $f_{d}$ leads to more data items generated in a given time period, and the more the data items are generated, the closer $R_{v s}$ is to the ratio of the amount of verification information for data items to the amount of the data items. However, because there is an encrypted term following each data item in VTMSN, $R_{v s}$ can not be smaller than the ratio of the length of each verification term following each data item to the length of each data item. That is why $R_{v s}$ decreases slower and slower as $f_{d}$ increases in Figure 6.

Figure 5

Impact of parameter $f_{d}$ on $C_{v - s m}$ .

Figure 6

Impact of parameter $f_{d}$ on $R_{v}$ corresponding to $C_{v - s m}$ .

6.2. The Results of $C_{v - m w}$ and the Corresponding $R_{v s}$

In this subsection, we evaluate the performance of our verification scheme VTMSN on $C_{v - m w}$ and its corresponding $R_{v s}$ with different parameter configurations. The results are as follows.

6.2.1. Impact of Parameters $Q R$ and k

Figure 7 shows the impact of the query region $Q R$ and parameter k on $C_{v - m w}$ in VTMSN. We can see that the larger $Q R$ and k are, the larger $C_{v - m w}$ is, because larger $Q R$ and k bring more virtual nodes and data items which need more verification information.

Figure 7

Impact of parameters $Q R$ and k on $C_{v - m w}$ .

Figure 8 shows the impact of $Q R$ and k on $R_{v s}$ corresponding to $C_{v - m w}$ of VTMSN. We can see that if parameter k does not change, the larger $Q R$ is, the larger $R_{v s}$ is. Recall that $R_{v s}$ here is the ratio of $C_{v - m w}$ to the energy consumption in bits incurred by sending and receiving the top k data items. Thus, if k does not change, the larger $C_{v - m w}$ is, the larger $R_{v s}$ is. On the other hand, we can also see from Figure 8 that, with the same $Q R$ , the larger k is, the smaller $R_{v s}$ is. This can be explained easily according to the definition of $R_{v s}$ . In Figure 8, $R_{v s}$ decreases slower and slower as k increases. The reason is that there is an encrypted term $E_{K i} {*}$ following each data item as the verification information for data items in VTMSN, and $R_{v s}$ can not be smaller than the ratio of the length of the term $E_{K i} {*}$ to the length of a data item.

Figure 8

Impact of parameters $Q R$ and k on $R_{v s}$ corresponding to $C_{v - m w}$ .

6.2.2. Impact of Parameters $T_{m}$ , $T_{s}$ , and v

Figures 9 and 10 show the impact of moving period $T_{m}$ , static period $T_{s}$ , and the moving speed v of a sensor node on $C_{v - m w}$ and its corresponding $R_{v s}$ , respectively. It is clear that both $C_{v - m w}$ and its corresponding $R_{v s}$ are not influenced by the speed of sensor nodes too much.

Figure 9

Impact of parameters $T_{m}$ , $T_{s}$ , and v on $C_{v - m w}$ .

Figure 10

Impact of parameters $T_{m}$ , $T_{s}$ , and v on $R_{v s}$ corresponding to $C_{v - m w}$ .

In theory, with the same other parameters, the more the times for sensor nodes to switch their states in one epoch are, the larger $C_{v - m w}$ is, because more virtual nodes will be generated in the query region and they need more verification information. Figure 9 illustrates this. As an example, when $T_{m} = 2$ s, $T_{s} = 2$ s, and $T_{e} = 50$ s, each sensor node switches its state for 24 times, while there are only 4 times for a sensor node to switch its state when $T_{m} = 10$ s, $T_{s} = 10$ s, and $T_{e} = 50$ s. Figure 9 shows that $C_{v - m w}$ in the former case is larger than that in the latter case. The corresponding $R_{v s}$ in Figure 10 is in conformity with $C_{v - m w}$ in Figure 9. The reason is that the value of parameter k is the same, which means the amount of data items sent from $M$ to $W$ is the same in this test, and the value of $R_{v s}$ depends on the value of $C_{v - m w}$ totally according to the meaning of $R_{v s}$ .

6.2.3. Impact of Parameter $f_{q}$

Figures 11 and 12 show the impact of query frequency $f_{q}$ on $C_{v - m w}$ and its corresponding $R_{v s}$ , respectively, where the abscissas denote the number of queries issued by the network owner in one epoch. We can see that both $C_{v - m w}$ and its corresponding $R_{v s}$ decrease as $f_{q}$ increases. The reason is that the locations of virtual nodes need to be sent to the network owner only when the data generated during the epoch when the virtual nodes existed are queried for the first time. Besides, if a virtual node does not have any qualified data for a query, it needs to send the verification information to the network owner only when it is in the query region for the first time. Thus, as the number of queries increases in one epoch, the probability that a virtual node need not have to have the verification information of itself in the query result increases. Thus, the average value of $C_{v - m w}$ for each query decreases. Besides, according to the definition of $R_{v s}$ , with the same k, $R_{v s}$ decreases as $C_{v - m w}$ decreases.

Figure 11

Impact of parameter $f_{q}$ on $C_{v - m w}$ .

Figure 12

Impact of parameter $f_{q}$ on $R_{v s}$ corresponding to $C_{v - m w}$ .

7. Conclusion

In this paper, we present a tiered mobile sensor network model named TMSN for the first time and propose an effective verification scheme called VTMSN to verify the authentication and the completeness of the top-k query results received by the network owner in TMSN. The proposed scheme achieves the goal of making the network owner verify the authenticity and completeness of top-k query results in TMSN with high probability and good efficiency via the mechanisms of virtual node mapping and data binding. Theory analysis shows that VTMSN can detect any forged and/or incomplete top-k query result with probability that $P_{d e t} = 1$ when none of the queried sensor nodes is compromised. We have conducted extensive experiments with different parameter configurations, and the simulation results show that VTMSN is effective and feasible.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China under Grant no. 61562005, the Natural Science Foundation of Guangxi Province under Grant no. 2015GXNSFAA139286, 2015 Scientific and Technological Research Projects of Universities in Guangxi Province under Grant no. KY2015YB486, and the Project of Outstanding Young Teachers' Training in Higher Education Institutions of Guangxi Province.

References

Gnawali

Jang

K.-Y.

Paek

Vieira

Govindan

Greenstein

Joki

Estrin

Kohler

The tenet architecture for tiered sensor networks

Proceedings of the 4th International Conference on Embedded Networked Sensor Systems (SenSys ′06)

November 2006

Boulder, Colo, USA

153 166

10.1145/1182807.1182823

2-s2.0-34547484870

Desnoyers

Ganesan

Shenoy

TSAR: a two tier sensor storage architecture using interval skip graphs

Proceedings of the 3rd International Conference on Embedded Networked Sensor Systems (SenSys ′05)

November 2005

San Diego, Calif, USA

ACM

39 50

10.1145/1098918.1098923

2-s2.0-84905852894

Zhang

Shi

Liu

Zhang

Verifiable fine-grained top-k queries in tiered sensor networks

Proceedings of the 29th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′10)

March 2010

San Diego, Calif, USA

IEEE

1 9

10.1109/INFCOM.2010.5461927

Liao

Z. F.

Zhang

S. G.

Cao

J. N.

Wang

W. P.

Wang

J. X.

Minimizing movement for target coverage in mobile sensor networks

Proceedings of the 32nd International Conference on Distributed Computing Systems Workshops (ICDCSW ′12)

June 2012

Macau, China

IEEE

194 200

10.1109/ICDCSW.2012.38

Wang

Cao

Porta

T. L.

Proxy-based sensor deployment for mobile sensor networks

Proceedings of the IEEE International Conference on Mobile Ad-Hoc and Sensor Systems (MAHSS ′04)

October 2004

493 502

2-s2.0-20344379672

Sheng

Verifiable privacy-preserving range query in sensor networks

Proceedings of the IEEE 27th Conference on Computer Communications (INFOCOM ′08)

April 2008

Phoenix, Ariz, USA

IEEE

46 50

10.1109/infocom.2008.18

Zhou

Lin

Y. P.

Zhang

Xiao

J. G.

Secure and verifiable top-k query in two-tiered sensor networks

Security and Privacy in Communication Networks 2013 127

Springer

19 34 Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

10.1007/978-3-319-04283-1_2

C.-M.

G.-K.

Chen

I.-Y.

Gelenbe

Kuo

S.-Y.

Top-k query result completeness verification in tiered sensor networks

IEEE Transactions on Information Forensics and Security 2014 9 1 109 124

10.1109/tifs.2013.2291326

2-s2.0-84891672139

Liao

X. J.

J. Z.

Secure and efficient top-k query processing in two-tier sensor network

Journal of Computer Research and Development 2013 50 3 490 497

2-s2.0-84875602895

10.

X. P.

Song

Wang

J. X.

Gao

J. L.

Min

G. Y.

A novel verification scheme for fine-grained top-k queries in two-tiered sensor networks

Wireless Personal Communications 2014 75 3 1809 1826

10.1007/s11277-013-1360-0

2-s2.0-84899431775

11.

Chen

Lai

T. H.

Trapping mobile targets in wireless sensor networks: an energy-efficient perspective

IEEE Transactions on Vehicular Technology 2013 62 7 3287 3300

10.1109/tvt.2013.2254732

2-s2.0-84884380171

12.

Chen

Shen

X. S.

Sun

Mobility and intruder prior information improving the barrier coverage of sparse sensor networks

IEEE Transactions on Mobile Computing 2014 13 6 1268 1282

10.1109/tmc.2013.129

2-s2.0-84902184986

13.

Ammari

H. M.

Das

S. K.

Mission-oriented k-coverage in mobile wireless sensor networks

Distributed Computing and Networking 2010 5935

Berlin, Germany

Springer

92 103

10.1007/978-3-642-11322-2_13

14.

Saad

Benslimane

König

J.-C.

A distributed method to localization for mobile sensor networks

Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC ′07)

March 2007

Kowloon, China

3060 3065

10.1109/wcnc.2007.566

2-s2.0-36348961440

15.

Wang

G. L.

Cao

G. H.

Porta

T. L.

Zhang

W. S.

Sensor relocation in mobile sensor networks

Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′05)

March 2005

Miami, Fla, USA

2302 2312

16.

Sheu

J.-P.

W.-K.

Lin

J.-C.

Distributed localization scheme for mobile sensor networks

IEEE Transactions on Mobile Computing 2010 9 4 516 526

10.1109/TMC.2009.149

2-s2.0-77649270849

17.

Chenji

Stoleru

Toward accurate mobile sensor network localization in noisy environments

IEEE Transactions on Mobile Computing 2013 12 6 1094 1106

10.1109/tmc.2012.82

2-s2.0-84876959543

18.

Papadopoulos

A. A.

Navarra

McCann

J. A.

Pinotti

C. M.

VIBE: an energy efficient routing protocol for dense and mobile sensor networks

Journal of Network and Computer Applications 2012 35 4 1177 1190

10.1016/j.jnca.2011.05.004

2-s2.0-84860357724

19.

Singh

Sethi

A tree based routing protocol for mobile sensor networks

International Journal on Computer Science and Engineering 2010 2 1 55 60

20.

Cugola

Migliavacca

A context and content-based routing protocol for mobile sensor networks

Wireless Sensor Networks: 6th European Conference, EWSN 2009, Cork, Ireland, February 11–13, 2009. Proceedings 2009 5432

Berlin, Germany

Springer

69 85 Lecture Notes in Computer Science

10.1007/978-3-642-00224-3_5

21.

Andreou

Zeinalipour-Yazti

Chrysanthis

P. K.

Samaras

In-network data acquisition and replication in mobile sensor networks

Distributed and Parallel Databases 2011 29 1-2 87 112

10.1007/s10619-010-7073-4

2-s2.0-78650873794

22.

Wang

Y.-C.

F.-J.

Tseng

Y.-C.

Mobility management algorithms and applications for mobile sensor networks

Wireless Communications and Mobile Computing 2012 12 1 7 21

10.1002/wcm.886

2-s2.0-84855172007

23.

Tao

Tang

S. J.

H. D.

Low cost data gathering using mobile hybrid sensor networks

Proceedings of the 10th International Conference on Ad Hoc Networks and Wireless (ADHOC-NOW ′12)

July 2012

Belgrade, Serbia

193 206

24.

Chen

L. Y.

Guo

Shu

Y. C.

Zhang

Chen

J. M.

Group-based discovery in low-duty-cycle mobile sensor networks

Proceedings of the 9th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ′12)

June 2012

Seoul, South Korea

542 550

10.1109/secon.2012.6275824

2-s2.0-84867928668

25.

Das

Gunopulos

Koudas

Tsirogiannis

Answering Top-k queries using views

Proceedings of the 32nd international conference on Very large data bases (VLDB ′06)

September 2006

451 462

2-s2.0-35448930647

26.

Liu

Jin

Cui

Chen

Deployment guidelines for achieving maximum lifetime and avoiding energy holes in sensor network

Information Sciences 2013 230 197 226

10.1016/j.ins.2012.12.037

2-s2.0-84874114967

27.

Jiang

Liu

Chen

Lifetime maximization through dynamic ring-based routing scheme for correlated data collecting in WSNs

Computers & Electrical Engineering 2015 41 191 215

10.1016/j.compeleceng.2014.04.001

2-s2.0-84899036051

28.

Seshadri

Perrig

van Doorn

Khosla

P. K.

SWATT: software-based attestation for embedded devices

Proceedings of the IEEE Symposium on Security and Privacy (SP ′04)

May 2004

Oakland, Calif, USA

IEEE

272 282

10.1109/SECPRI.2004.1301329

Verifiable Top- k Query Processing in Tiered Mobile Sensor Networks

Abstract

1. Introduction

2. Related Work

3. Network and Attack Models

3.1. TMSN Model

3.2. Adversary Model

4. Definitions, Notations, and Problem Statement

4.1. Definitions and Notations

Definition 1 (virtual node).

Definition 2 (mother node and child node).

Definition 3 (queried sensor node).

Definition 4 (qualified and unqualified data item).

Definition 5 (qualified and unqualified virtual node).

4.2. Problem Statement

5. Verifiable Top-k Queries in TMSN

5.1. VTMSN: A Novel Verification Scheme in TMSN

5.1.1. Data Preparation

5.1.2. Data Submission

5.1.3. Query Processing

5.1.4. Verification

Algorithm 1: Completeness verification of R S T i j .

5.2. Performance Analysis of VTMSN

Theorem 6.

Proof.

Theorem 7.

Proof.

Theorem 8.

Proof.

Theorem 9.

Proof.

5.3. Impact of Compromising Some Sensor Nodes

6. Performance Evaluation

6.1. The Results of C v - s m and the Corresponding R v s

6.1.1. Impact of Parameters T m , T s , and T e

6.1.2. Impact of Parameter f d

6.2. The Results of C v - m w and the Corresponding R v s

6.2.1. Impact of Parameters Q R and k

6.2.2. Impact of Parameters T m , T s , and v

6.2.3. Impact of Parameter f q

7. Conclusion

Footnotes

Conflict of Interests

Acknowledgments

References

Algorithm 1: Completeness verification of ${R S T_{i}}^{j}$ .

6.1. The Results of $C_{v - s m}$ and the Corresponding $R_{v s}$

6.1.1. Impact of Parameters $T_{m}$ , $T_{s}$ , and $T_{e}$

6.1.2. Impact of Parameter $f_{d}$

6.2. The Results of $C_{v - m w}$ and the Corresponding $R_{v s}$

6.2.1. Impact of Parameters $Q R$ and k

6.2.2. Impact of Parameters $T_{m}$ , $T_{s}$ , and v

6.2.3. Impact of Parameter $f_{q}$