DTSW: A data transmission scheme based on weighted security partition model in industrial Internet of Things environment

Abstract

With the rapid development of industrial Internet of Things, the secure transmission of nodes in Internet of Things is easily attacked by malicious nodes at all times, thereby causing a great threat to network performance and security of industrial Internet of Things. To improve the security and success rate of data transmission in industrial Internet of Things environment, this work proposes a data transmission scheme based on the weighted security partition model by considering the requirements of a hostile industrial environment. The weighted security partition of the nodes determines the secret distribution model. On this basis, a secure authentication scheme for network transmission is proposed for industrial Internet of Things to prevent the data from being tampered by malicious industrial nodes. Authority access control is added to the authentication scheme. The network access authority of users is used to eliminate the access of malicious users. Finally, the simulation experiments and performance evaluation are conducted and compared with other secure transmission algorithms. Results show that, by comparing to low-energy adaptive clustering hierarchy and distributed data secure transmission, the transmission rate of the proposed algorithm has increased by 35% and 25%, and the lifetime has increased by 34.3% and 37.3%, respectively.

Keywords

Industrial Internet of Things weighted partition transfer rate secure transmission authentication

Introduction

With the rapid development of industrial Internet of Things (IoT), the security of data transmission in industrial networks becomes increasingly important. IoT is a double-edged sword; it either provides convenience or causes numerous potential security risks. For example, the first case of malicious IoT attack occurred in 2014. The hacker was able to control more than 100,000 intelligent home appliances under IoT and construct a malicious botnet. About 750,000 phishing emails are sent to victims without precaution. IoT is an expansion of the Internet; thus, it faces the same security problems as the Internet. Although few IoT security events with large-scale and serious influence exist, the security situation of IoT has fundamental changes. The computational capability of embedded terminals is greatly improved, and the operating system is increasingly open. Hence, the security problems have worsened. The users are the service objects of IoT. If the security of user privacy cannot be ensured, then the practical application of IoT will be suspected. The foundation to ensure the security of user privacy should guarantee the completeness, correctness, and confidentiality of data and data transmission. IoT originates from the Internet. Hence, it faces many security problems. With its own features and limitation, security becomes increasingly intractable.¹

The expansion of IoT size has resulted in additional security risks. To avoid this issue, scholars^2–6 have deeply analyzed the security problems in industrial IoT and proposed solutions to ensure the practical application of industrial IoT. The traditional mobile ad hoc network (MANET)^7–9 depends on the infrastructure. However, the nodes in IoT use the store-carry-forward routing in communication. The issues of network division and time delay in traditional networks can be addressed in IoT. Therefore, IoT is suitable in hostile industrial environment without infrastructure.^10,11 IoT only requires the calculation of the local information and selects the suitable next-hop node for forwarding the data to the destination node. Consequently, the industrial IoT is superior in a hostile environment.¹²

As shown in Figure 1, the industrial network environment is vulnerable to network attacks and threats from selfish and malicious nodes. Data forwarding in IoT depends on the mobility of nodes, and the identity of the nodes is not authenticated by any management institution. In the industrial environment without any security mechanism, the industrial nodes cannot judge the security of the next-hop node. Such a condition easily causes privacy leakage among industrial users. Moreover, the resource abuse of industrial nodes will cause IoT system crash. On this basis, researchers have introduced the encryption mechanism in IoT to ensure secure data transmission to the destination node. To guarantee the identity and legality of the industrial nodes and the authenticity and reliability of the message source, legal users can decrypt the message only with a key. Therefore, identifying the manner in which the encryption mechanism is used to avoid the influence of malicious node in industrial networks should be deeply researched in secure data transmission techniques.

Figure 1.

The secure transmission flow in the industrial IoT.

In this work, we propose a data transmission method on the basis of the weighted security partition model to improve the security and success rate of data transmission in industrial IoT environment. The main contributions are listed as follows: (1) the weighted security partition of the nodes determines the secret distribution model; (2) a secure data transmission scheme is proposed to prevent the data from being tampered by malicious industrial nodes; (3) authority access control and network access authority of users are utilized to eliminate the access of malicious users.

Related work

In recent years, IoT techniques have been used extensively in the industry. Secure data transmission in industrial IoT has been attracting increasing attention. The secure protocol in the traditional network is not suitable in industrial IoT due to its differences. Therefore, routing protocols for industrial IoT must be designed. Substantial private user information exists in the routing protocols in industrial IoT. Once attacked, the attackers can pretend to be normal users and receive the transmitted data. This situation will cause considerable damage to the industrial network environment. Hence, researchers are also concerned with privacy protection in industrial IoT.

In industrial IoT, the source node should obtain the context attribute of the destination node before transmitting data. Substantial privacy information exists in the context, which should also be protected (e.g. the information of a node is sent to the next-hop sensor node after encryption). Mai and Azer¹³ proposed the privacy leak problem based on the node context and infect forwarding. Identity encryption was used to solve this problem. The context of the nodes was substituted by a group of attribute values. The principle was that the relay node compared its context attribute with that in the destination node. The data were transmitted if both attribute values exceed a threshold. The relay node could not obtain other attribute information, thereby ensuring the privacy of the destination node. In Ramanathan et al.,¹⁴ a public encryption algorithm was proposed based on keyword search. The encryption algorithm could be used to set a threshold for the attribute of the node. The relay node could obtain the data when its context attributes satisfy the context attribute threshold of the destination node. The relay node could not obtain the attributes of the destination node when forwarding the data.

A content-based privacy protection algorithm was proposed in Burgess et al.¹⁵ The routing table of a relay node was created based on the receiver. The relay node in the industrial network should encrypt the data, create the routing table, and query the encrypted routing information. The authors in Yao et al.¹⁶ analyzed the privacy threats in the industrial network and proposed a solution to confuse the friend list of the sender. In this case, the attacker could not obtain the list and the original data.

Industrial IoT is different from the traditional wireless network. The industrial nodes are randomly distributed. Hence, no complete path exists between the source and destination nodes.¹⁷ IoT has some features of a delay-tolerant network (DTN) because it originates from the DTN and the MANET. However, when the network is interrupted, the DTN regards it as a network fault, while IoT considers it normal and reconnects them using the node mobility. As a new self-organized network, the industrial IoT has a good prospect; however, many problems remain to be addressed.

Research on secure data transmission of IoT can be classified into several aspects. Conti et al.¹⁸ proposed a common power control algorithm. All the nodes send data with the same power. COMPOW uses an agency at the network layer and compares the disperse power provided by the hardware. In this case, the minimum power to ensure the network connectivity will be found. Each node starts with the optimal power control and determines its own decision of transmission power. In this algorithm, the node degree is the number of neighboring nodes with a hop to the current node. The protocol based on the node degree initially sets the upper and floor requirement. The power of a node is dynamically adjusted to make its degree within the range of the requirement. In Song and Kotz,¹⁹ all the nodes in the network used the maximum power to send data and form a topology graph G. The proximity graph G′ is calculated using rule q. Each node in G′ determines the transmission power by the distance to the farthest neighboring node. Solving the power allocation problem is an approximate solution. In an industrial IoT environment, the proximity graph–based protocol makes the node determine the collection of its neighbors and adjust the transmission power. It can create a connective network and save the energy of the nodes. Figure 2 shows the flow of data forwarding in IoT. The industrial sensor system uses the intrusion protection measures in the data center. Traditional data encryption cannot ensure network security. An intruder can access the network via intrusion attack. In this case, all the stored keys will lose efficacy. Moreover, the intruder can damage the network running. For example, the intruder can capture the network node and use it to send useless data to other nodes. This action will cause network block or crash. In addition, the captured nodes sending false or malicious information to other nodes is also a common intrusion means.²⁰ Although the normal wireless network has many protocols, they are not suitable for IoT. The protocol in IoT should consider networking, energy saving, and reliability, among others. However, less work is required in security.²¹ At the physical level, some researchers have proposed a dynamic frequency hopping communication mechanism, which has improved the network security to some degree. The frequency hopping communication can realize interlace communication in multiple frequency bands, which can function against interference and avoid the intruder from capturing the signal. In a building with a complex structure, the frequency hopping communication possibly works on the frequency with serious interference. The communication performance will be dramatically degraded.^22–25 At the medium access control (MAC) layer, the cognitive radio-based IEEE 802.22 standard uses a safe sublayer to enhance the security of the MAC layer. The safe sublayer uses the keys of the sender and the receiver for authentication, thereby preventing the intruder from altering the data.^26–29 This scheme is centralized and requires a credible base station to transmit the key, which is unsuitable for IoT. The protocols at the network layer focus on routing security. However, with the limitation of the hardware, the routing protocols in the wireless sensor network are relatively simple, which decrease the capability of the routing protocols against one another. Security capacity is proposed to address the issues of eavesdropping. On this basis, a linear and nonlinear security capacity optimization algorithm is proposed. The access control algorithm can be designed to avoid security issues, including eavesdropped attack. The fragility of an open wireless network includes limited resources. If the network attacks are not prevented, then the network will face crash threat.

Figure 2.

Data forwarding flow in IoT.

Region partition control scheme

Data transmission model

In order to verify the relationship between region partition and efficiency of data transmission in industrial IoT, a region classification of the nodes is the protocol. It can ensure the dynamic connectivity of the IoT topology structure.³⁰ To make the data transmission in industrial IoT reliable and stable, we assume that there are lots of industrial nodes, which can be covered by a circle in the factory. The industrial network is a static network with a high density. The base station is usually at a fixed position. So, it will not consider the fast mobility of the industrial nodes. In the initial state, we can divide the data transmission region.^31–33

In the network transmission model of IoT, the coevolution is divided into three stages: subspace partition, selection of subspace adaption function, and subspace mutual collaboration. The neighboring region partition model is much important to keep the variety of population in coevolution. In this section, we assume that the industrial node selects the next-hop node in the forward neighboring region. A new secure transmission model based on neighboring region partition is proposed. The data transmission between regions is shown in Figure 3.

Given a security coefficient k for polynomial time calculation, a large prime number p and two p-order cyclic groups $G_{1}$ and $G_{2}$ are randomly selected by the system. $G_{1}$ is an additive cyclic group and $G_{2}$ is a multiplication cyclic group. g is the generating element of $G_{1}$ , satisfying bilinear mapping $e : G_{1} \times G_{1} \to G_{2}$ .

The key generation center PKG randomly selects $α$ as the main key, $α \in Z_{p}$ . The public key $g_{1} = g^{α}$ is calculated.

$g_{2} \in G_{2}$ is randomly selected to calculate the main key $g_{2}^{α}$ . $u' \in G_{1}$ and the vector $U = (u_{i}) = (u_{1}, u_{2}, \dots, u_{n})$ , $u_{i} \in G_{1}$ , with the length of n is randomly selected to generate the public parameter PK, $PK = (g, g_{1}, g_{2}, u', U)$ .

Figure 3.

Data transmission between regions.

The security coefficient k is used for polynomial time calculation. PKG is used to generate the necessary parameters. The system outputs the main private key (master key) s and the parameter PK. s is stored by the system and PK can be used by all users. The algorithm to generate the main private key is as follows: (1) a large prime number p and two p-order cyclic groups $G_{1}$ and $G_{2}$ are randomly selected by the system. $G_{1}$ is an additive cyclic group and $G_{2}$ is a multiplication cyclic group. g is the generating element of $G_{1}$ , satisfying bilinear mapping $e : G_{1} \times G_{1} \to G_{2}$ . (2) g is the generating element of $G_{1}$ . A main private key s, $s \in Z_{p}^{*}$ , is selected to generate the public key $P_{pub} = sP$ . (3) The plain text M, cryptogram space, and the hash function are defined. The hash function $H_{1} : {0, 1}^{*} \to G_{1}^{*}$ is used to map the user’s identity ID to an element in $G_{1}$ . $H_{2} : G_{2} \to {0, 1}^{n}$ is defined as the cryptogram space. The public parameter $PK = (p, G_{1}, G_{2}, \hat{e}, H_{1}, H_{2}, P, P_{pub})$ of the system is generated.

Before data transmission, the identity of user ID, $ID \in {0, 1}^{*}$ , is the input of the system. PKG executes the algorithm by inputting the main private key s, the public parameter PK, and the user identity ID. $Q_{ID} = H_{1} (ID) \in G_{1}^{*}$ is calculated to generate a unique secret key $S_{ID}$ , $S_{ID} = s Q_{ID}$ , which matches with ID. It will be sent to the user via a secure channel. In network transmission, the transmitted message M is encrypted. The user calculates $Q_{ID}$ with the public parameter. r, $r \in Z_{p}^{*}$ , is used to calculate $g_{ID} = e (Q_{ID}, P_{pub}) \in G_{2}^{*}$ (g is the generating element of the disperse group). $U = rP$ . $V = M \oplus H_{2} (g_{ID}^{r})$ . The ciphertext $E = (U, V) = < rP, M \oplus H_{2} (g_{ID}^{r}) >$ is generated. When the industrial user receives a message, the private key $S_{ID} = s Q_{ID}$ can be used to decrypt $E = < U, V >$ and calculate the following

M = H_{2} (e (S_{ID}, U)) \oplus V

(1)

\begin{matrix} e (S_{ID}, U) & = e (s Q_{ID}, rP) = e (Q_{ID}, P)^{sr} \\ = e (Q_{ID}, sP)^{r} = e (Q_{ID}, P_{pub})^{r} = {g_{ID}}^{r} \end{matrix}

(2)

\begin{matrix} H_{2} (e (S_{ID}, U)) \oplus V = H_{2} (g_{ID}^{r}) \oplus V \\ = H_{2} (g_{ID}^{r}) \oplus H_{2} (g_{ID}^{r}) \oplus M = M \end{matrix}

(3)

The private key generation model

Assume that the identity of a user is a bitstring with the length of n. V is the identity, $V_{i}$ is the ith bit of the bitstring. $V \subseteq (1, 2, \dots, n)$ is the collection of i with $V_{i} = 1$ . $r (r \in Z_{p})$ is randomly selected to generate the private key $d_{V}$ of the identity V

d_{V} = (d_{1}, d_{2}) = (g_{2}^{α} {(u' \underset{i \in V}{Π} u_{i})}^{r}, g^{r})

(4)

The encryption model

The message $M (M \in G_{1})$ is encrypted. $t \in Z_{p}$ and the public parameter and the identity V of the receiver are used to calculate $E = (E_{1}, E_{2}, E_{3}) = (\hat{e} (g_{1}, g_{2})^{t} M, g^{t}, (u' \underset{i \in V}{Π} u_{i})^{t})$ .

The decryption model

The receiver uses the private key $d_{V}$ to decrypt the ciphertext $E = (E_{1}, E_{2}, E_{3})$ by calculating

M = E_{1} \frac{\hat{e} (d_{2}, E_{3})}{\hat{e} (d_{1}, E_{2})}

(5)

Identity authentication protocol

This section will present a two-way anonymous identity authentication protocol. This protocol includes the initialization phase, registration phase, and the authentication and key update phase. All clients have unique identity.

Initialization phase

In this agreement, P is a generator of $G_{1}$ , TC (trust center) chooses a master key s, public key $P_{pub} = sP$ , $G_{3}$ is a multiplicative group with order q, generator is g, $m \in Z_{p}^{*}$ , $g^{m} mod (2 q + 1)$ is the element in $G_{3}$ , and in the following we use $g^{m}$ to represent $g^{m} mod (2 q + 1)$ .

Registration phase

Client registration

During client registration in TC, the client chooses a random key $b_{i}$ and an identity $I D_{i}$ , computes $A_{1} = g^{ID} b_{i}$ , $A_{2} = I D_{i} \oplus h (s) \oplus b_{i}$ , and $A_{3} = h (g^{I D_{i}} ∥ s) \oplus b_{i}$ , and stores $A_{1}, A_{2}, A_{3}$ in the memory.

Server registration

During server registration in TC, the server computes $K_{i} = 1 / (g_{b_{i}}^{I D_{i}} + s)$ , $C_{i} = h (I D_{i}) \oplus h (s ∥ b_{i}) \oplus g^{I D_{i}}$ , and $D = h (g^{I D_{i}} ∥ s)$ , and stores $K_{i}, C, D$ in the memory.

Authentication and key update phase

At this stage, the client and server will authenticate the identity by using a bidirectional anonymous way, as illustrated in Figure 4.

Figure 4.

Authentication and key update phase.

The implementation process is as follows:

Step 1. Client generates a random number $a_{i}$ , computes $A_{4} = e (P, P)^{a_{i}}$ , $A_{5} = a_{i} \oplus h (A_{4})$ , and $A_{6} = a_{i} (g_{b_{i}}^{I D_{i}} P + sP)$ , and sends $M_{1} = {A_{1}, A_{2}, A_{3}, A_{4}, A_{5}, A_{6}}$ to the server via a public channel.

Step 2. After obtaining the authentication information $M_{1}$ , the server begins to compute $A'_{4} = e (A_{6}, K_{i})$ , extracts message $a'_{i}$ by $a'_{i} = h (A'_{4}) \oplus A_{5}$ , then computes $B_{1} = h (A_{1} ∥ s)$ , extracts information $b'_{i}$ through $b'_{i} = B_{1} \oplus A_{3}$ , computes $B_{2} = h (s) \oplus b'_{i}$ , extracts message $I D'_{i}$ by $I D'_{i} = B_{2} \oplus A_{2}$ , calculates $B_{3} = h (I D'_{i}) \oplus h (s ∥ b'_{i})$ , extracts $g^{I {D'}_{i}}$ through $g^{I {D'}_{i}} = C \oplus B_{3}$ , checks $h (g^{I {D'}_{i}} ∥ s) \overset{?}{=} h (g^{I D_{i}} ∥ s)$ , and if so then finally authenticates the client successfully.

Step 3. The server chooses a random key $b_{i + 1}$ , computes $Z_{1} = h (A'_{4} ∥ g^{I {D'}_{i}} b'_{i} ∥ a'_{i})$ and $Z_{2} = h (a'_{i}) \oplus b_{i + 1}$ , updates stored key information $K_{i + 1} = 1 / (g^{I {D'}_{i}} b_{i + 1})$ and $C_{i + 1} = h (I D_{i}) \oplus h (s ∥ b_{i + 1}) \oplus g^{I {D'}_{i}}$ , and then sends $M_{2} = {Z_{1}, Z_{2}}$ to the client via a public channel.

Step 4. After receiving the message $M_{2}$ from the server, the client computes $Z'_{1} = h (A_{4} ∥ A_{1} ∥ a_{i})$ and verifies $Z'_{1} =^{?} Z_{1}$ ; if the values are equal, it means that the server has passed the client authentication. Then the client computes $b'_{i + 1} = h (a_{i}) \oplus Z$ , then extracts the message $b'_{i + 1}$ , and updates the $A_{1}, A_{2}, A_{3}$ messages, $A_{1} = g^{I D_{i}} b_{i + 1}$ , $A_{2} = I D_{i} \oplus h (s) \oplus b_{i + 1}$ , and $A_{3} = h (g^{I D_{i}} b_{i + 1} ∥ s) \oplus b_{i + 1}$ . This completes the entire authentication and key update process.

The node partitioning algorithm in IoT

Weighted partition

After the industrial network is created, each sensor node in the factory will construct a reasonable communication region. As shown in Figure 5, the cluster head C and the common industrial nodes $C_{1}, C_{2}, C_{3}$ , and $C_{4}$ are partitioned by the weight value. The destination cluster head $C_{2}$ can be further partitioned to determine the cluster head with a higher weight value. The whole network has a hierarchical structure. All the nodes will be partitioned by the weight values. Given the range of the weight value, it can be used to determine the communication region. If the activity frequency of the nodes is low, then the communication weight value will also be low. Otherwise, the communication range will be extended. In this case, the communication weight value of the nodes in industrial IoT can be used to partition the region of the nodes. It can prolong the network lifetime and ensure the connectivity for communication of the nodes.^34–36

Figure 5.

The region partition of the nodes.

In this section, we use the concept of forward region and propose a new weight partition model based on the unit circle communication. As shown in Figure 6, the model divides the one-hop neighboring region of node i into four regions, C₁, C₂, C₃, and C₄. The coordinates of node i and the sink node are (x_i, y_i) and (x₀, y₀), respectively. O_i is a circle with the center of node i and radius R. The partition algorithm is as follows:

Two tangents are constructed from the sink node to the circle O_i, and two radiuses across the points of tangency a and b are constructed. The ordinates of a and b are, respectively, (x_a, y_a) and (x_b, y_b).

Two line segments L₁ and L₂ are constructed based on the ordinates of node i, a and b.

O_s is a circle with the center of the sink node and radius R. Two tangents are constructed from node i to O_s. The reverse extension cords cross the circle O_i. The segments are, respectively, L₃ and L₄.

The regions of C₁, C₂, C₃, and C₄ are denoted in O_i

{\begin{matrix} θ_{1} = 2 \arccos [\frac{R}{\sqrt{{(x_{i} - x_{0})}^{2} + {(y_{i} - y_{0})}^{2}}}] \\ θ_{2} = θ_{3} = \frac{π}{2} \\ θ_{4} = π - θ_{1} \end{matrix}

(6)

Figure 6.

The region partition for industrial nodes.

According to the spatial distribution of node i, the region O₁ is the forward neighboring region. O₂ and O₃ are, respectively, the left and right neighboring regions. O₄ is the backward neighboring region. Based on the geometric principle, the intersection angles of O₁, O₂, O₃, and O₄ are, respectively, $θ_{1}$ , $θ_{2}$ , $θ_{3}$ , and $θ_{4}$ , which satisfy equation (6).

After that, the region of the one-hop neighboring node j can be determined by equation (7). $d_{ja}, d_{jb}, d_{ij}, and d_{js}$ are, respectively, the distance from node j to the points a, b, node i, and the sink node. $d_{is}$ is the distance between node i and the sink node

{\begin{matrix} θ_{jis} = \arccos [\frac{d_{is}^{2} + d_{ij}^{2} - d_{js}^{2}}{2 \times d_{is} \times d_{ij}}] \\ C_{1} = {j | θ_{jis} \leq \frac{1}{2} θ_{1}} \\ C_{2} = {j | θ_{jis} > \frac{1}{2} θ_{1}, θ_{jis} \leq \frac{1}{2} θ_{1} + θ_{2}, d_{ja} \leq d_{jb}} \\ C_{3} = {j | θ_{jis} > \frac{1}{2} θ_{1}, θ_{jis} \leq \frac{1}{2} θ_{1} + θ_{2}, d_{ja} > d_{jb}} \\ C_{4} = {j | θ_{jis} > \frac{1}{2} θ_{1} + θ_{2}, θ_{jis} < π} \end{matrix}

(7)

To find the optimal next hop of node i, the nodes, respectively, in O₁, O₂, and O₃ are optimized in their own regions. The nodes in region O₄ are far away from the sink node, which will be added to the tabu table and not participate in the evolution.

Node frequency control

When the number of nodes d_(ai) after the weight partition is less than the minimum threshold of the node weight, the transmission frequency in the current round will increase by less than B_max times, as in equation (8). Similarly, if d_(ai) is greater than the maximum threshold Max, the transmission frequency will be decreased as in equation (9). Here, B_max, B_min, A_inc, and A_dec are adjustable parameters, which will affect the frequency range in the whole IoT

P = min {B_{max} \times P, A_{inc} \times (Min - Num) \times P}

(8)

P = max {B_{min} \times P, A_{dec} \times (Num - Max) \times P}

(9)

The node weight is the number of nodes with the distance to a node U_i less than a threshold. The algorithm is described as follows:

Step 1. The collection of the nodes in the industrial IoT is denoted by u = {u₁, u₂, …, u_n}. The cluster head is determined by the communication protocol. Assuming that all the nodes have the same transmission frequency P, the nodes within the same region will broadcast a message Msg including its own ID periodically.

Step 2. The number of industrial nodes in a cluster is selected based on a threshold. The degree d_(ui) for each node in the cluster is calculated. After that, the nodes within a cluster will be ordered as {d_(u1), d_(u2), …, d_(un)} if the weight values are greater than W_(ai).

Step 3. If a node is within the weight range in a cluster, it will send an Ack message after receiving Msg. The Ack message includes the weight degree of node ID. In this case, the path between the current node and the destination node will be rapidly determined. If a node is out of the weight range, it will give up competing the cluster head and exit the cluster. In this case, other nodes will judge the weight range. The time period is T₁.

Step 4. The selection of cluster head in a cluster can be determined by the communication weight and the frequency in unit time. As shown in Figure 6, the node with the highest frequency in a cluster and within the weight range will be selected as the cluster head, while the node with the lowest frequency in a cluster will be regarded as the sleeping node despite whether it falls in the weight range.

Step 5. Other nodes in the cluster will be the active nodes. The hierarchical structure can be determined based on the weight range and the frequency. The cluster node with the highest transmission frequency can determine the communication distance in the next round according to the communication weight of the node. The cluster head in the next round will be selected as the candidate cluster head until the cluster head is determined. The sleeping nodes with low frequency will be aroused according to the dynamic neighbor table. The arousing time is T₂.

Step 6. The algorithm terminates the judgment. If there is no optimal solution until the circulation enters specific code, the circulation exits and outputs the result. Otherwise, it jumps to Step 3.

Secure partition of the weight region

The industrial IoT constitutes a reliable server and the industrial users. The reliable server is the center for key generation and does not have to be on-line all the time. The reliable server selects an attribute set for the users and generates a private key about the user identity for the user. The key will be sent to the user via a secure channel. The public key is generated by the initial module and exposed to all users. The reliable server is the only part trusted by all entities. All the weight partition nodes in the system are users including the sender and the receiver. Since malicious users may exist in IoT, the sender will encrypt the plain message before transmission. The message will be decrypted by the receiver. A large prime number p and two p-order cyclic groups $G_{1}$ and $G_{2}$ are randomly selected by the system. $G_{1}$ is an additive cyclic group and $G_{2}$ is a multiplication cyclic group. g is the generating element of $G_{1}$ , satisfying bilinear mapping $e : G_{1} \times G_{1} \to G_{2}$ . g is the generating element of $G_{1}$ . With Lagrange’s interpolation, we have $Δ_{i, U} (x) = \underset{j \in U, j \neq i}{Π} \frac{x - j}{i - j}$ , $i \in Z_{p}$ . In the weight partition, a selection space u for attributes of the normal users is defined. n independent elements $| U | = t_{1}, t_{2}, \dots, t_{n} \in Z_{p}$ will be selected in space u. The weight attribute set of the malicious users is denoted by $u'$ . Each element is unique. The system generates the parameters $α, β \in Z_{p}$ and the public parameter PK. $α$ is the main key and $β$ is a key responsible for access control. An attribute i for a user x is selected. TA selects $t_{i} \in Z_{p}$ for the attribute i and a polynomial $h (\cdot)$ for $β_{i}$ , $h (0) = β$ . Besides, TA selects polynomial $f (\cdot)$ satisfying $f (0) = α$ for each user x. PKG generates a public key $PK = (t_{i} P, β_{i} P, Y = \hat{e} (P, P)^{α})$ , $i = 1, 2, \dots, n$ . The key generation center selects a weight partition attribute set $ω (ω \in u)$ for the receiver. With $ω, α, β$ , the private key can be generated using equation (10)

\begin{matrix} SK = D = \\ (D_{1 i} = \frac{f (i)}{t_{i}} P, D_{2 i} = (f (i) + \frac{β}{t_{i}}) P, D_{3 i} = \frac{1}{t_{i}} P, D_{4 i} = \frac{β_{i}}{t_{i}} P) \end{matrix}

(10)

Here, $i \in ω$ . The generated private key will be sent to the user via a secure channel. $M, PK$ , and the set of negative access structure $Θ (Θ \in u')$ are the inputs. $Θ$ is the negative attribute. The randomly selected $s \in Z_{p}$ will be used to encrypt M and calculate the cipher text using equation (11)

E = (Θ, E_{1} = M Y^{s}, E_{2 i} = s t_{i} P, E_{3 i} = s β_{i} P, E_{4} = sP)

(11)

Here, $E_{1} = M Y^{s} = M [\hat{e} (P, P)^{α}]^{s}$ , $E_{2 i} = s t_{i} P$ , $i \in u$ , and $E_{3 i} = s β_{i} P$ , $i \in Θ$ .

In this algorithm, the working time of the nodes in the wireless region is m time units. So, the computational complexity of each node from Step 3 to Step 5 is O(m). Assume that the mean forwarding time in a period is T. The overall computational complexity of the algorithm is O(m × n × T). The receiver uses the private key generated by $ω'$ to decrypt the cipher text. After receiving the cipher text E, the receiver first determines whether some attributes in $Θ$ exist in its attribute set $ω$ . If $| ω \cap Θ | \neq φ$ , there are attributes of malicious user in the attribute set of the receiver. The user cannot decrypt the message. Otherwise, the received message can be decrypted. The Lagrange coefficient ${δ_{i}}_{i \in ω \cup u'}$ is calculated, which satisfies $\sum_{i \in ω \cup u'} δ_{i} h (i) = h (0) = β$ . The decryption procedure is as follows

E = \frac{E_{1}}{\underset{k \in u}{Π} {F_{i}}^{Δ_{i, u} (x)}}

(12)

F_{i} = {\begin{matrix} \frac{\hat{e} (D_{2 i}, E_{4})}{\hat{e} (D_{3 i}, \underset{x \in u'}{Π} {(E_{3 x})}^{δ_{x}}), \hat{e} {(D_{4 i}, E_{4})}^{δ_{i}}}, i \in ω \\ \hat{e} (D_{1 i}, E_{2 i}), i \in u \end{matrix}

(13)

In the data transmission scheme based on weighted partition, PKG is the private parameter of industrial nodes. The transmitted data between nodes should be encrypted to realize the security. The secret key generator defines a fault-tolerant degree d and makes it public to all the users. PKG defines a selection space u for the attributes. n independent elements $t_{1}, t_{2}, \dots, t_{n} \in Z_{p}$ and s are selected from the selection space. $s \in Z_{p}$ is the main private key. PKG calculates the public parameter by equation (14)

PK = (T_{i} = t_{i} P, Y = \hat{e} (P, P)^{s})

(14)

Here, $i = 1, 2, \dots, n$ . PK is public to all the users.

The secret key generation center selects an attribute set $ω$ , $ω \in u$ . PKG randomly selects a d – 1-order polynomial $q (x)$ (d is the number of $ω$ ), satisfying $q (0) = s$ . The private key $P_{r} K_{i} = D_{i} = (q (i) / t_{i}) P$ is generated. Here, $i \in ω$ .

In the data transmission, the weighted partition function has the inputs of a message M, public parameter PK, and the attribute set $ω$ . The sender selects $r \in Z_{p}$ randomly and encrypts the message M. The cipher text $E = (ω, E' = M Y^{r}, E_{i} = r T_{i})$ . Here, $E' = M Y^{r} = M [\hat{e} (P, P)^{s}]^{r}$ , $E_{i} = r T_{i} = r (t_{i} P)$ , $i \in ω$ . If the industrial users need to decrypt the cipher text, the decryption condition is $| ω \cap ω' | \geq d$ . With Lagrange’s interpolation formula, the plain text is generated. U is a subset of $ω \cap ω'$

M = \frac{E'}{\underset{i \in U}{Π} \hat{e} {(D_{i}, E_{i})}^{Δ_{i, U} (0)}}

(15)

In the secure data transmission scheme, the key generation center allocates a private key to the newly added user after the weight partition. The users can interact with each other without the participation of the third party. The secure authentication based on weight partition substitutes the password authentication in traditional encryption and prevents the malicious nodes from forwarding data. The security of data transmission is greatly enhanced.

In order to verify security, some regular attacks are simulated. The identity of attackers should be determined before attacks. An attacker A selects a target with the identity of $ω$ . The challenger C declares a public parameter PK. The attacker A requests to C for generating a private key with the identity $ω_{i}$ . C calculates a private key for $ω_{i}$ which is sent to A via a secure channel. The identity $ω_{i}$ satisfies $| ω \cap ω_{i} | < d$ . After that, the attacker A sends plain messages $m_{0}$ and $m_{1}$ with the same length and an attribute set $ω_{i}$ to C. C randomly selects and encrypts a plain message $m_{b}$ , which will be then transmitted to A. The attacker A outputs the guess $m'_{b}$ of $m_{b}$ . If $m_{b} = m'_{b}$ , the attacker A is successful in this attack; otherwise, it fails.

The experiments and performance comparison

Simulation parameters

In this experiment, the ONE simulator is used for simulation. The results are then shown by figures in MATLAB. The selfish node and malicious node will affect the normal operation of IoT. To verify the ability of the proposed DTSW against the malicious nodes, we conduct a series of experiments. Suppose that all the sensors are deployed within a square area of 4.5 km × 3.4 km. The ordinate of the sink node is (450M, 450M). The sink node is assumed to be inexhaustible. The detailed parameters are listed in Table 1.

Table 1.

Network simulation parameters.

Parameter	Value
Number of nodes	200
Number of base stations	1
Simulation area	4.5 km × 3.4 km
Speed of mobile nodes	0.5–1.2 m/s
Communication speed rate	250 kb/s
Node cache	5 MB
Message size	200–800 kb
Frequency of message generation	Generate a new message every 25–35 s
Communication radius of normal nodes	15 m
Communication radius of the sink node	The communication area covers all the area

Network lifetime

The performance evaluation metrics in industrial IoT include lifetime, network delay, and throughput. This work focuses on low energy consumption and prolonging the network lifetime. In this work, we select the following algorithms for comparison: low-energy adaptive clustering hierarchy (LEACH)² and distributed data secure transmission (DDST).⁶ We adjust the parameters to make each algorithm run for the same period. In this case, the running rounds of the algorithm can be used to evaluate the running time and the overhead.

The number of surviving nodes can reflect the overall performance of the network. If the number of surviving nodes is less than a threshold, the network will be broken down.

The energy consumption is another metric to evaluate performance. Since the energy of the industrial sensor nodes is limited, it is important to prolong the network lifetime by saving the energy.

In this experiment, we evaluate the three algorithms under the same conditions. The external factors are the same except the algorithm principle. The experiments are conducted when the numbers of nodes in the network are 200, 400, 800, and 1600. The results are compared to those of DDST and LEACH, as shown in Figure 7.

Figure 7.

The comparison of surviving nodes: (a) 200 nodes, (b) 400 nodes, (c) 800 nodes, and (d) 1600 nodes.

Figure 7 shows the surviving node in each round. The experiments are conducted under the same conditions. X is the cycle number and Y is the number of surviving nodes. In this figure, the number of surviving nodes in the DTSW algorithm is more than that of LEACH. Four groups of experiments can eliminate some occasional factors, making the results reliable.

Figure 7(a) shows the result when the number of sensor nodes is 200. In the 80th round, the surviving nodes of LEACH, DDST, and DTSW are, respectively, 162, 174, and 179. The DTSW algorithm increases the surviving nodes, respectively, by 10.5% and 2.9% in comparison with LEACH and DDST, respectively. In the 392nd round, the nodes in LEACH will be dead. In Figure 7(b), in the 200th round, the numbers of surviving nodes of LEACH, DDST, and DTSW are, respectively, 372, 355, and 392. The DTSW algorithm increases the surviving nodes, respectively, by 5.37% and 10.4% in comparison with LEACH and DDST. In the 992nd round, all the nodes of LEACH are dead but the there are some surviving nodes in DTSW. In Figure 7(c), in the 400th round, the surviving nodes of LEACH, DDST, and DTSW are, respectively, 684, 167, and 791. The DTSW algorithm increases the surviving nodes, respectively, by 15.6% and 78.9% in comparison with LEACH and DDST. In Figure 7(d), in the 1000-th round, the number of surviving nodes of LEACH is 984 and that of DTSW is 1322. The DTSW algorithm increases the surviving nodes, respectively, by 34.3% and 37.3% in comparison with LEACH and DDST.

We also evaluate the rate of energy consumption of the three algorithms, and the comparison results are shown in Figure 8. By comparing to DDST and LEACH, the proposed DTSW algorithm achieves the lowest energy consumption rate. Namely, DTSW has more remaining energy in each round than those of LEACH and DDST. So, DTSW is the most energy efficient.

Figure 8.

The comparison of remaining energy.

Network throughput

Network throughput is also evaluated and compared to those of DDST and LEACH. The results are shown in Figure 9. As shown in Figure 9, with the increase of the industrial nodes, the DTSW algorithm has better network throughput than the other algorithms. The weight partition model is used to control data transmission in the network. The above experimental results show that DTSW has good performance in terms of network lifetime and network throughput.

Figure 9.

The comparison of network throughput.

Transmission rate

IoT uses the single-copy transmission. In the next hop selection, some selfish or malicious nodes are eliminated. In this case, the data transmission overhead is greatly reduced. In this evaluation, we set the number of selfish and malicious nodes at 40 and that of normal nodes is 160. With the increase of threats, the overall performance of the network decreases. The evaluation of the transmission success rate is shown in Figure 10. With the increase of simulation time, the network resources are gradually consumed. The transmission success rates of all the comparative algorithms show a downward trend. DDST has the highest transmission success rate when the network starts running. However, it has a sharp downward trend. DTSW shows a gentle curve. With the increase of simulation time, the transmission rate of DTSW is higher than those of the other comparative algorithms.

Figure 10.

Comparison chart of data transmission rate when the number of selfish/malicious nodes is 40.

The evaluation of the average delay time is shown in Figure 11. DTSW is also compared to DDST and LEACH. In this figure, DTSW shows a short delay than DDST and LEACH. It demonstrates that the proposed DTSW also has good efficiency when there are some selfish and malicious nodes in the network.

Figure 11.

Comparison chart of the average delay when the number of selfish/malicious nodes is 40.

Analysis

DTSW is a secure data transmission scheme for IoT that can solve the issue of slow extension speed of the nodes. It determines the transmission authority using the attributes of users. The attributes in the DTSW model can be divided into subjective (e.g. identity, role, age, and position), objective (e.g. accessed resource), and environmental (e.g. context environment) attributes. With the attributes of the users and the authority, the administrator only requires determining whether a user can access the network. The core factor of DTSW is attributes. The subject provides the IoT attributes and determines whether it can access the network. The authority is controlled by the attributes of the system. Hence, this condition is more suitable for a complex IoT environment and can improve the security of the network. Furthermore, DTSW has a good expression capability. The attributes of the users can be described from many aspects to satisfy the dynamic authority of access control. Table 2 presents the performance of data transmission and access control.

Table 2.

Advantages and disadvantages of different access control models.

Access control model	Advantage	Disadvantage
LEACH	Controls the direction of data flow and ensures confidentiality	Low flexibility and not suitable for large-scale networks
DDST	Simple and highly efficient	Multiple checks and complex
DTSW	High granularity of access control	High requirements on the users and without attribute interaction

LEACH: low-energy adaptive clustering hierarchy; DDST: distributed data secure transmission.

Conclusion

IoT has been extensively used in the industry due to its good features. This work analyzes the network feature of IoT and proposes data transmission based on weight partition. In this scheme, the region partition divides the uneven anisotropic network into several even isotropic networks. The proposed scheme can ensure communication quality and secure data transmission. The nodes with less communication time have a larger energy consumption weight than the ones with more communication time. In this case, the times to adjust the frequency will be less, thereby making the frequency close to the target value. It can reduce the response time, enhance the stability, and prolong the network lifetime. The experiments show that the proposed scheme has increased the network lifetime, communication traffic, and network capacity.

Although the proposed algorithm provides an effective solution for addressing the security issues in an anisotropic network, some aspects must be improved, such as optimizing network protocol to save energy consumption and designing a good routing protocol. The design of a secure transmission protocol in industrial IoT should be researched further in the future. In recent years, information privacy has become increasingly important in many fields, including IoT. In our future research, we will pay further attention to the protection of information privacy and avoiding data leakage. In this work, we realize initial studies on models with existing selfish and malicious nodes. In our future works, we will consider identity authentication between nodes and realize secure data transmission on the basis of the identity of the nodes.

Footnotes

Handling Editor: Fei Yu

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Science Foundation of China (Grant No. 61572188), Xiamen Science and Technology Foundation (Grant No. 3502Z20173035), Scientific Research Program of New Century Excellent Talents in Fujian Province University, Fujian Provincial Natural Science Foundation of China (Grant No. 2018J01570), the Young Teachers’ Education Scientific Research Project of Fujian Province (Grant No. JT180455), in part by the CERNET Innovation Project (Grant No. NGII20170411), the National Nature Science Foundation of Fujian Province (Grant No. 2018J01544), the Scientific Research Program of Outstanding Young Talents in Universities of Fujian Province, the Key Project of Natural Foundation for Young in Colleges of Fujian Province (Grant No. JZ160466), the National Nature Science Foundation of China (Grant No. 61871204), and the Natural Science Foundation of Fujian Province (Grant No. 2018J01544).

ORCID iD

Wei Zhu

References

Liang

Ruan

Xie

et al . A novel digital certificate based remote data access control scheme in WSN. J Sensor 2015; 2015: 928174.

Long

An improved LEACH multi-hop routing protocol based on intelligent ant colony algorithm for wireless sensor networks. J Inform Comput Sci 2014; 11: 2747–2757.

Liang

Long

Weng

et al . TBRS: A trust based recommendation scheme for vehicular CPS network. Future Generation Computer Systems 2018; 92: 383–398.

Niu

Bhuiyan

MZA

et al . A robust ECC based provable secure authentication protocol with privacy protection for industrial Internet of Things. IEEE Trans Indus Inform 2018; 14: 3599–3609.

Liang

Xie

Xiao

et al . A two-step MF signal acquisition method for wireless underground sensor networks. Comput Sci Inform Syst 2016; 13: 623–638.

Liang

Huang

et al . A distributed data secure transmission scheme in wireless sensor network. Int J Distribut Sensor Net 2017; 12, https://journals.sagepub.com/doi/abs/10.1177/1550147717705552

Liang

Ruan

Wang

et al . RESH: a secure authentication algorithm based on regeneration encoding self-healing technology in WSN. J Sensors 2016; 2016: 2098680.

Singh

Juyal

Saggar

Trust based intelligent routing algorithm for delay tolerant network using artificial neural network. Wirel Netw 2017; 23: 693–702.

Kumari

Karuppiah

Das

et al . A secure authentication scheme based on elliptic curve cryptography for IoT and cloud servers. Journal Supercomput 2018; 74: 6428–6453.

10.

Karati

Islam

Biswas

et al . Provably secure identity-based signcryption scheme for crowd sourced industrial internet of things environments. IEEE Internet Things 2018; 5: 2904–2914.

11.

Shabut

Dahal

Bista

et al . Recommendation based trust model with an effective defence scheme for MANETs. IEEE Trans Mob Comput 2015; 14: 2101–2115.

12.

Karati

Islam

Karuppiah

Provably secure and lightweight certificateless signature scheme for IIoT environments. IEEE Trans Indus Inform 2018; 14: 3701–3711.

13.

Mai

Azer

. A novel proximity based trust model for opportunistic networks. In: Proceedings of the 8th international conference on availability, reliability and security, Regensburg, 2–6 September 2013, pp.281–284. New York: IEEE.

14.

Ramanathan

Hansen

Basu

et al . Prioritized epidemic routing for opportunistic networks. In: Proceedings of the 1st international MobiSys workshop on mobile opportunistic networking, San Juan, Puerto Rico, 11 June 2007, pp.62–66. New York: IEEE.

15.

Burgess

Gallagher

Jensen

et al . MaxProp: routing for vehicle-based disruption-tolerant networks. In: Proceedings of the IEEE INFOCOM 2006: 25tH IEEE international conference on computer communications, Barcelona, 23–29 April 2006. New York: IEEE.

16.

Yao

Man

Huang

et al . Secure routing based on social similarity in opportunistic networks. IEEE Trans Wirel Commun 2016; 15: 594–605.

17.

Wong

GKW

Chang

Jia

et al . Performance evaluation of social relation opportunistic routing in dynamic social networks. In: Proceedings of the international conference on computing, networking and communications 2015, Anaheim, CA, 16–19 February 2015, pp.874–878. New York: IEEE.

18.

Conti

Giordano

May

et al . From opportunistic networks to opportunistic computing. IEEE Commun Mag 2010; 48: 126–139.

19.

Song

Kotz

DF.

Evaluating opportunistic routing protocols with large realistic contact traces. In: Proceedings of the ACM workshop on challenged networks, Montreal, QC, Canada, 14 September 2007, pp.35–42. New York: ACM.

20.

Zhao

Tang

et al . COUPON: a cooperative framework for building sensing maps in mobile opportunistic networks. IEEE Trans Parall Distr Syst 2015; 26: 392–402.

21.

Liu

Yao

et al . A trust routing for multimedia social networks. Comput J 2014; 58: 688–699.

22.

Geeta

Moin

Arvinder

Grey relational effort analysis technique using regression methods for software estimation. Int Arab J Inform Technol 2014; 11: 40–73.

23.

Khuman

Yang

Liu

Grey relational analysis and natural language processing. In: Proceedings of the IEEE international conference on grey systems and intelligent services, Leicester, 18–20 August 2016. New York: IEEE.

24.

Hashemi

Karimi

Tavana

An integrated green supplier selection approach with analytic network process and improved grey relational analysis. Int J Product Econom 2015; 159: 178–191.

25.

Wang

Qian

Wang

Gray correlation degree analysis of the impact of social capital on the income and income gap of farmer households. Guangdong Agr Sci 2012; 39: 200–202.

26.

Girginer

Kun

Efficiency analysis of surgical services by combined use of data envelopment analysis and gray relational analysis. J Med Syst 2015; 39: 56.

27.

Shou

. A trust model based on grey relational analysis and cooperative computing in opportunity networks. In: Proceedings of the international conference on wireless communication and sensor network, 2017, pp.122–128, https://www.atlantis-press.com/proceedings/icwcsn-16/25870935

28.

English

Wagealla

Nixon

et al . Trusting collaboration in global computing systems. In: Proceedings of the trust management, first international conference, Itrust 2003, Crete, 28–30 May 2002, pp.136–149. New York: Springer.

29.

Silva

Santos

ALD

Albini

LCP

et al . Quantifying misbehaviour attacks against the self-organized public key management on MANETs. In: Proceedings of the international conference on security and cryptography, Porto, 26–29 July 2008, pp.128–135, http://www.scitepress.org/Papers/2008/19227/19227.pdf

30.

Sayantani

Marimuthu

Selvakumar

et al . An intelligent/cognitive model of task scheduling for IoT applications in cloud computing environment. Future Generat Comput Syst 2018; 88: 254–261.

31.

Saedon

Jaafar

Yahaya

et al . Multi-objective optimization of titanium alloy through orthogonal array and grey relational analysis in WEDM. Proc Technol 2015; 15: 832–840.

32.

Trifunovic

Kurant

Hummel

et al . Preventing spam in opportunistic networks. Comput Commun 2014; 41: 31–42.

33.

Jayachitra

Geetha

Aishwarya

Multi-constrained QoS opportunistic routing by optimal power tuning in low duty-cycle WSNs. Circuit Syst 2016; 7: 2928–2939.

34.

Zhu

Zheng

et al . Location based hierarchical matrix factorization for web service recommendation. In: Proceedings of the 21st IEEE international conference on web services, Anchorage, AK, 27 June–2 July 2014, pp.297–304. New York: IEEE.

35.

Zhou

Wang

Zheng

et al . On cloud service reliability enhancement with optimal resource usage. IEEE Trans Cloud Comput 2014; 4: 452–466.

36.

Fan

Wang

Zheng

et al . Topology-aware deployment of scientific applications in cloud computing. In: Proceedings of the 5th IEEE international conference on cloud computing, Honolulu, HI, 24–29 June 2012, pp.319–326. New York: IEEE.