1-s2.0-s1570870515000943-main

Ad Hoc Networks 33 (2015) 154–167

Contents lists available at ScienceDirect

Ad Hoc Networks

journal homepage: www.elsevier .com/locate /adhoc

Hierarchical trust management of community of interest groupsin mobile ad hoc networks

http://dx.doi.org/10.1016/j.adhoc.2015.05.0041570-8705/� 2015 Elsevier B.V. All rights reserved.

⇑ Corresponding author.E-mail addresses: [email protected] (I.-R. Chen), [email protected] (J. Guo).

Ing-Ray Chen ⇑, Jia GuoDepartment of Computer Science, Virginia Tech, United States

a r t i c l e i n f o

Article history:Received 26 March 2014Received in revised form 2 January 2015Accepted 5 May 2015Available online 14 May 2015

Keywords:Hierarchical trust managementCommunity of interest groupsIntrusion detection

a b s t r a c t

In mission-critical applications deployed in mobile ad hoc networks, very frequently acommander will need to assemble and dynamically manage Community of Interest (COI)mobile groups to achieve the mission assigned despite failure, disconnection or compro-mise of COI members. In this paper, we present a dynamic hierarchical trust managementprotocol that can learn from past experiences and adapt to changing environment condi-tions (e.g., increasing misbehaving node population, evolving hostility and node density,etc.) to enhance agility and maximize application performance. With trust-based misbe-having node detection as an application, we demonstrate how our proposed COI trust man-agement protocol is resilient to node failure, disconnection and capture events, and canhelp maximize application performance in terms of minimizing false negatives and posi-tives in the presence of mobile nodes exhibiting vastly distinct QoS and social behaviors.

� 2015 Elsevier B.V. All rights reserved.

1. Introduction

In military operation or emergency response situations,very frequently a commander will need to assemble anddynamically manage Community of Interest (COI) mobilegroups to achieve a critical mission assigned despite fail-ure, disconnection or compromise of COI members.COI-HM [8,12] was proposed to achieve scalability andreconfigurability following the command chain ofcommander ? leader ? COI members. Under COI-HM, aCOI is divided into multiple subtask groups to accomplisha mission. Each subtask group would be governed by a sub-task group leader (SGL) dynamically appointed by the COIcommander responsible for relaying commands from thecommander to the COI group members in the subtaskgroup, and filtering messages sent by COI members inthe same subtask group to COI members located in other

subtask groups. COI members in one subtask group maybe reassigned to another subtask group for tactical reasons,thus triggering registration/deregistration actions to thesubtask group leaders to maintain the hierarchicalstructure.

This hierarchical management structure is generic andcan be applied to various mission scenarios. Subtask groupsmay be physically co-located or separated. A node may beassigned to one or more subtasks, depending on node prop-erties (e.g., manned or unmanned) and subtask group char-acteristics (functionality, difficulty, urgency, importance,risk, size, and composition). Thus, a node’s mobility modelreflects its assignment, de-assignment or reassignment tosubtask groups, as well as its mobility pattern movingaround the subtask groups it is assigned to. In militaryapplications, very frequently a COI consists of heteroge-neous nodes with vastly different levels of functionality,capacity and resources. A SGL is presumably ahigher-capacity node and would be assigned, de-assigned,or reassigned dynamically by the COI-commander to leada subtask group.

http://crossmark.crossref.org/dialog/?doi=10.1016/j.adhoc.2015.05.004&domain=pdf

http://dx.doi.org/10.1016/j.adhoc.2015.05.004

mailto:[email protected]

mailto:[email protected]

http://dx.doi.org/10.1016/j.adhoc.2015.05.004

http://www.sciencedirect.com/science/journal/15708705

http://www.elsevier.com/locate/adhoc

I.-R. Chen, J. Guo / Ad Hoc Networks 33 (2015) 154–167 155

Despite providing scalability and reconfigurability,COI-HM does not provide tolerance against node compro-mises and collusion as there is no mechanism to defendagainst inside attackers or malicious nodes. Existing intru-sion detection system (IDS) techniques based on anomalyor pattern-based detection are either centralized (espe-cially for wired networks) which creates a single point offailure, or too complex for distributed execution in hetero-geneous mobile networks at runtime.

In this paper, we propose COI dynamic hierarchical trustmanagement (COI-HiTrust) for intrusion tolerance and sur-vivability. COI-HiTrust runs on top of COI-HM, so it canachieve scalability and reconfigurability since nodes willonly interact with peers in the same subtask group anddo not assess trust about every node in the network. Inaddition as we will demonstrate later, it also achieves trustresiliency and accuracy against inside attackers or mali-cious nodes.

In the literature there is a large body of trust manage-ment protocols for MANETs [1,9,10,11,16,17,20,23,27,36–40]. However, there is very little research on hierarchicallystructured trust management protocol design for MANETs.Verma et al. [16] and Davis [17] considered hierarchicaltrust management for MANETs. However, their schemesheavily rely on the certificates issued off-line or by trustedthird parties which typically are not available in MANETenvironments. Bao et al. [14,24] and Li et al. [19] consid-ered hierarchical trust management in wireless sensor net-works without considering node mobility. Zhang et al. [25]proposed a hierarchical trust architecture for wireless sen-sor networks and considered the dynamic aspect of trustby introducing a trust varying function. However, theirwork is theoretical in nature without addressing what trustattributes should be used (a trust composition issue), howtrust is aggregated accurately (a trust aggregation issue), orwhat weights should be put on trust attributes to formtrust (a trust formation issue). On the contrary, our workaddresses all three aspects of trust management.Moreover, we propose the concept of dynamic hierarchicaltrust management by which trust protocol parameter set-tings can be dynamically adjusted in response to changingenvironments to minimize trust bias and maximize appli-cation performance.

We envision the following original contributions fromthis work:

1. Unlike most existing reputation and trust managementschemes for mobile ad hoc networks in the literature[10], we consider not only traditional ‘‘QoS trust’’derived from communication networks, but also ‘‘socialtrust’’ derived from social networks [2,3] to obtain acomposite trust metric as a basis for evaluating trustof mobile nodes in COI applications. Moreover, we arethe first to propose the new design notion ofmission-dependent trust formation with the goal toenhance mission agility and maximize mission surviv-ability despite the presence of malicious, erroneous,partly trusted, uncertain and incomplete information.

2. We design and validate COI-HiTrust as a dynamic hierar-chical trust management protocol that can learn frompast experiences and adapt to changing environment

conditions (e.g., increasing or decreasing hostility,increasing misbehaving node population, etc.) to maxi-mize application performance and enhance operationagility. This is achieved by addressing critical issues ofhierarchical trust management for COI applications,namely, trust composition, aggregation, propagation,and formation. The learning process and adaptivedesigns of COI-HiTrust are reflected in trust aggrega-tion, trust propagation and trust formulation. For trustcomposition, aggregation and propagation, we firstexplore novel social and QoS trust components andthen devise trust aggregation and propagation proto-cols (for trust data collection, quality-of-informationdissemination and analysis) for peer-to-peer subjectivetrust evaluation of individual social and QoS trust com-ponents, and prove the accuracy by means of theoreti-cal analysis with simulation validation. The weights todirect trust and indirect trust are dynamically adjustedbased on environment conditions to minimize trustbias. For trust formation, we explore a new design con-cept of mission-dependent trust formation allowing trustbeing formed out of social and QoS trust components tomaximize application performance. We use a misbehav-ing node detection application as an example to illus-trate the design concept. Dynamic trust management(to be discussed in more detail in Section 7) is achievedby first determining the best trust formation modelgiven a set of model parameters specifying the environ-ment conditions (e.g., percentage of malicious nodes),and then at runtime COI-HiTrust learns and adapts tochanging environment conditions by using the besttrust formation model identified from static analysis.

3. To achieve the goals of identifying the best trust com-position and trust formation for mission-oriented COImobile group applications, we develop a novelmodel-based analysis methodology for analyzing andvalidating COI-HiTrust. The novelty lies in the newdesign notion of objective trust derived from globalknowledge or ground truth derived from the mathemat-ical model describing a COI against which subjectivetrust obtained as a result of executing COI-HiTrustmay be compared and validated.

This paper substantially extends from [41] by addingsimulation validation using ns-3 (Section 5) as well asnew materials, including a theoretical analysis of the pro-tocol’s convergence, accuracy and resiliency properties(Section 4), a sensitivity analysis of the effect of trust for-mation on application performance (Section 6), and a dis-cussion on applicability (Section 7). The rest of the paperis organized as follows. Section 2 describes the systemmodel and COI Architecture. Section 3 describesCOI-HiTrust and explains the hierarchical trust protocoldesign for managing COI groups in MANETs. Section 4 con-ducts a theoretical analysis of the convergence, accuracyand resiliency properties of COI-HiTrust. Section 5 devel-ops a novel model-based approach to describe dynamicbehaviors of nodes in MANETs in the presence of misbe-having nodes with the objective to yield objective trustagainst which subjective trust from executingCOI-HiTrust may be compared for trust bias minimization.

156 I.-R. Chen, J. Guo / Ad Hoc Networks 33 (2015) 154–167

A performance evaluation is performed to demonstratetrust resiliency, convergence and accuracy properties withns-3 simulation validation. In Section 6, we apply the hier-archical trust management protocol to trust-based intrusiondetection to illustrate the design concept of application per-formance optimization with results and physical interpreta-tions given. Section 7 discusses how the results obtainedcan be applied for dynamic hierarchical trust management.Finally in Section 8 we conclude the paper and outlinesome future research areas.

2. System model

2.1. COI Architecture

We assume that COI members move from one subtaskto another due to task assignment, de-assignment, or reas-signment, as dictated by the needs which arise during mis-sion execution. A node can move around multiple subtaskgroups if it is assigned to multiple subtask groups. Thenode mobility model is therefore application-dependentand is given as input. A special case is that subtask groupseach occupy a region in an operational area for militaryoperation purposes. In this scenario, a mobility eventoccurs when a node moves across a regional boundary.One can reduce the regional size to the radio range toensure that mobility and instability of radio environmentswill not be a major factor to prevent members of a sub-group from communicating directly with the SGL. Eachsubtask group would be governed by a SGL dynamicallyappointed by the COI commander. When a COI memberin one subtask group moves to another subtask group, ittriggers registration and deregistration actions to the twoinvolving SGLs.

We assume that for security reasons, each node has aunique public/private key pair using Public KeyInfrastructure (PKI) and the public key must remain validthroughout its lifetime as a member in the COI. PKI caneffectively detect identity attacks [22] and derivativesextending from identity attacks such as Sybil attacks, andoutside attackers (i.e., attackers who are not members ofthe COI). However, it does not provide tolerance againstcompromised nodes (or inside attackers).

Our solution is COI-HiTrust (to be described in detail inSection 3) with intrusion detection as an application.During mission execution, each COI member performsCOI-HiTrust to evaluate trust of its peers within the samesubtask group. Each SGL performs COI-HiTrust to evaluatetrust of other SGLs in the COI group. A SGL collects trustevaluation results from the COI members within the sub-task group and performs a summarized trust evaluationfor each COI member in its subtask group. The commandercollects trust evaluation results from the SGLs within theCOI group and performs a summarized trust evaluationfor each SGL. A SGL may be assigned, de-assigned, or reas-signed depending on the evaluation result.

COI-HiTrust evaluates nodes based on both social trustand QoS trust for successful mission execution [10]. Socialtrust derives from the concept of social networks [2–4],including honesty, intimacy, selfishness, betweenness

centrality, and social reputation. A COI would consist ofheterogeneous mobile entities such as device-carry sol-diers, robotic vehicles, or ground vehicles operated byhumans. Therefore, unlike traditional network research,social trust must be considered between these mobileagents. For example, honesty is about integrity and maybe considered as important as, if not more important than,competence (which is not a social trust metric) for a COImission that concerns mission security. We use social net-works to evaluate the social trust value of a node in termsof the degree of personal or social trends, rather than thecapability of executing a mission based on past collabora-tive interactions. The latter belongs to QoS trust by whicha node is judged if it is capable of completing an assignedmission as evaluated by communication networks. Morespecifically, QoS trust represents competence, dependabil-ity, reliability, successful experiences, and reputation orpositive recommendations on task performance forwardedfrom direct or indirect interactions with others.

2.2. Attack model

We assume that a bad node can be selfish or malicious.A malicious node is necessarily selfish. A selfish node mayact uncooperatively, the degree of which depends onwhom it works with (e.g., a friend or not) and whether itgains its utility. A malicious node is essentially an insideattacker who performs various attacks to disrupt the oper-ation of a mission. A bad node can perform the followingtrust-related attacks to disrupt the trust system:

1. Self-promoting attacks: a malicious node can promoteits importance (by providing good recommendationsfor itself) so as to improve its trust status. Our trust pro-tocol deals with self-promoting attacks by consideringhonesty as a trust property to detect self-promotingattacks.

2. Discriminatory attacks: a socially selfish node can dis-criminatively attack non-friends or nodes withoutstrong social ties because of human nature or propen-sity towards friends. Our trust protocol deals with dis-criminatory attacks by considering intimacy as a trustproperty.

3. Bad-mouthing attacks: a malicious node can ruin thereputation of a well-behaved node by providing badrecommendations against the good node. This is a formof collusion attacks, i.e., it can collaborate with otherbad nodes to ruin the reputation of a good node. Ourtrust protocol deals with bad-mouthing attacks by con-sidering honesty as a trust property.

4. Ballot-stuffing attacks: a malicious node can boost thereputation of another bad node by providing good rec-ommendations for it. This is also a form of collusionattacks, i.e., it can collaborate with other bad nodes toboost the reputation of each other. Our trust protocoldeals with ballot-stuffing attacks by considering hon-esty as a trust property.

A malicious node can perform Sybil and identityattacks. We assume such attacks are detected by PKI tech-niques [22] and the offenders will be evicted from the


system. More specifically, each node has a private key andits certified public key available. A node’s identity isauthenticated based on the node’s public/private key pairby applying the challenge/response mechanism.Consequently, every node in our COI architecture has aunique identity. A cooperative attack means that maliciousnodes in the system boost their allies and focus on partic-ular victims in the system to victimize. Bad-mouthing andballot-stuffing attacks are a form of cooperative attacks toruin the reputation of (and thus to victimize) good nodesand to boost the reputation of bad nodes. COI-HiTrust issaid to be resilient to the above trust-related attacks whenthe ‘‘subjective trust’’ as a result of COI-HiTrust execution,is close to the ‘‘objective trust’’ despite the presence of mali-cious nodes performing these attacks.

3. COI-HiTrust protocol for COI dynamic hierarchicaltrust management

Our protocol design starts by applying COI-HM [8,12]by which we divide a COI into subtask groups. A node onlyneeds to do trust evaluation of other nodes in the samesubtask group. A node can send/receive messages to/fromanother node directly if they are in the same subtaskgroup, or indirectly through the two nodes’ SGLs if theyare not in the same subtask group provided they are con-sidered trustworthy by the SGLs, i.e., passing the runtimetrust test. Similarly each SGL must pass the runtime trusttest to stay in the system. Mobility management is aninherent part of COI-HM as the node mobility model repre-sents how and when a node moves from one subtask groupto another due to task assignment, de-assignment, or reas-signment, as well as how and when a node moves aroundsubtask groups if it is assigned to multiple subtask groups.For the special case in which each subtask group occupies aregion in an operational area, a mobility event occurs whena node moves across a regional boundary.

3.1. Two levels of subjective trust evaluation

COI-HiTrust maintains two peer-to-peer levels of trustin the COI-HM framework: node-level trust and SGL-leveltrust. Each node evaluates other nodes in the same subtaskgroup (node-to-node) while each SGL evaluates other SGLs(SGL-to-SGL) and nodes (SGL-to-node) in its subtask group.The peer-to-peer trust evaluation is periodically updatedbased on either direct observations or indirect observa-tions. When two nodes are neighbors within radio range,they evaluate each other based on direct observations viasnooping or overhearing. Each node sends its trust evalua-tion results toward other nodes in the same subtask groupto its SGL. Each SGL performs trust evaluation toward allnodes within its subtask group. Similarly, each SGL sendsits trust evaluation results toward other SGLs in the COIsystem to the commander. The commander performs trustevaluation toward all SGLs (commander-to-SGL) in thesystem. A SGL is responsible for misbehaving node detec-tion for nodes in its subtask group, while the commanderis responsible for misbehaving SGL detection for all SGLnodes in the system. The commander node is one of the

SGLs and is reelected periodically to remove a single pointof failure. We follow the election protocol in [8] to period-ically reelect the commander node from among the SGLs.The event can be triggered by other non-commander SGLnodes during the SGL-to-SGL trust evaluation process.

Our hierarchical trust management protocol dynami-cally performs trust evaluation and is inherently robustto mobility and instability of radio environments.Specifically, a SGL collects trust evaluation reports towarda particular member from all other members within itssubtask group in each trust update interval. So a SGL willbe able to perform SGL-to-node trust evaluation as longas it receives a majority of all reports. In case it does notreceive enough reports in a trust interval, it can alwaysdo so in the next trust interval as soon as the radio commu-nication is resumed.

3.2. Trust aggregation and propagation for peer-to-peer trustevaluation

We advocate that both social trust components such asconnectivity, intimacy, honesty and unselfishness, and QoStrust components such as competence, reliability anddelivery ratio be considered. Let X denote a trust compo-nent selected and let T X

ij ðtÞ denote node i’s assessmenttoward node j in trust property X at time t. Below wedescribe how trust aggregation and trust propagation forpeer-to-peer trust evaluation are conducted between twoCOI members in the same subtask group (i.e.,node-to-node trust evaluation) or two SGLs in a COI (i.e.,SGL-to-SGL trust evaluation).

As illustrated in Fig. 1, when a trustor node (node i)evaluates a trustee node (node j) in the same level at timet, it updates T X

ij ðtÞ as follows:

T Xij ðtÞ¼

1�aX� �

T Xij t�Dtð ÞþaXTX;direct

ij ðtÞif i and j are 1-hop neighbors

avgk2Ni

ð1�cXÞT Xij t�Dtð ÞþcXTX;recom

kj ðtÞn o

otherwise

8>>><>>>:

ð1Þ

In Eq. (1) if node i is a 1-hop neighbor of node j at time t,

node i will use its direct observations ðTX;directij ðtÞÞ and past

experiences (T Xij t � Dtð Þwhere Dt is a trust update interval)

toward node j to update T Xij ðtÞ. This is illustrated in

Fig. 1(a). We use a design parameter aX with 0 6 aX6 1

to weight these two contributions and to consider trustdecay over time for trust property X. A larger aX meansthat trust evaluation will rely more on direct observations.

Here TX;directij ðtÞ indicates node i’s trust value toward node j

based on direct observations accumulated over the timeperiod ½0; t� possibly with a higher priority given to morerecent interaction experiences.

On the other hand, if node i is not a 1-hop neighbor ofnode j, node i will use its past experiences (T X

ij t � Dtð ÞÞand recommendations (TX;recom

kj ðtÞ0s where k is a recom-

mender) to update T Xij ðtÞ. This is illustrated in Fig. 1(b).

Here TX;recomkj ðtÞ is the recommendation from node k toward

j ipast experiences

direct observations

new trust value

k2

ji

k1

k3

past experiences

new trust value

recommendations

t)(tT Xji

Xα−1 Xγ−1Xα

Xγ

)(T Xji

(a) (b)Fig. 1. (a) Node i evaluates node j with direct observations and past experiences in trust property X. (b) Node i evaluates node j with recommendations andpast experiences in trust property X.


node j in component X and can be just T XkjðtÞ: A parameter

cX is used here to weigh these two contributions and toconsider trust decay over time as follows:

cX ¼ bXTikðtÞ1þ bXTikðtÞ

ð2Þ

For ease of disposition, here we introduce anotherparameter bX P 0 to specify the impact of ‘‘indirect recom-mendations’’ on T X

ij ðtÞ such that the weight assigned to

indirect recommendations is normalized to bXTikðtÞ rela-tive to 1 assigned to past experiences. Essentially, the con-tribution of recommended trust increases proportionallyas either TikðtÞ or bX increases. Instead of having a fixedweight ratio TikðtÞ to 1 for the special case in whichbX ¼ 1, we allow the weight ratio to be adjusted by adjust-ing the value of bX and test its effect on protocol resiliencyagainst good-mouthing and bad-mouthing attacks. Here,TikðtÞ is node i’s trust toward node k as a recommender(for node i to judge if node k provides correct information).Furthermore, to enhance QoI trust propagation, node i willonly use its 1-hop neighbors ðNiÞwho are considered trust-worthy (i.e., passing the RTT trust threshold) as recom-menders. The new trust value T X

ij ðtÞ in this case would bethe average of the combined trust values of past trustinformation and recommendations collected at time t.

Our assertion is that, because different trust propertieshave their own intrinsic trust nature and react differentlyto trust decay with time, each trust property X has itsown best (aX ; bXÞ set under which subjective assessmentof T X

ij ðtÞ from Eq. (1) would be the most accurate againstactual status of node j in trust property X. To discover thebest (aX ; bXÞ set for trust property X, we resort to thedevelopment of a mathematical model describing thedynamic behavior to yield actual status of node j.

3.3. Mechanisms for evaluating direct trust TX;directij ðtÞ

In Eq. (1) there is a direct trust term TX;directij ðtÞ computed

by node i toward node j based on evidences observed by

node i. For each trust property X, this work will developand validate evidence-based trust aggregation protocol s

executed by node i such that TX;directij ðtÞ thus obtained is

accurate against actual status of node j at time t. Belowwe describe trust aggregation protocols by which node i

can collect evidences to assess TX;directi;j ðtÞ for the case in

which i and j are 1-hop neighbors at time t forX = intimacy, honesty, unselfishness (social components)and competence (a QoS component) below.

� Tintimacy;directi;j ðtÞ: This measures intimacy or closeness of

node i toward node j. It follows the maturity model pro-posed in [1] in that the more interaction experiences Ahad with B, the more trust and confidence A will havetoward B. The mechanism for node i to compute

Tintimacy;directi;j ðtÞ is as follows: If node j is a friend to node

i as deriving from a ‘‘friendship’’ matrix [6], then

Tintimacy;directi;j ðtÞ ¼ 1. Otherwise node i computes

Tintimacy;directi;j ðtÞ by the ratio of the number of interactions

it has with node j during ½t � dDt; t� to the maximumnumber of interactions with any other node. Here d isthe window size giving recent interaction experienceshigher priority over ancient experiences. Note that forencounter-based COI applications, encountering experi-ences are interaction experiences. In this case,

Tintimacy;directi;j ðtÞ is computed by the ratio of the amount

of time nodes i and j are 1-hop neighbors during½t � dDt; t�.� Thonesty;direct

i;j ðtÞ: This refers to the belief of node i that nodej is honest based on node i’s direct observations during½t � dDt; t�. The mechanism for node i to estimate

Thonesty;directi;j ðtÞ is beta distribution as commonly used in

Bayesian Inference [26]. Specifically, node i uses a setof anomaly detection rules such as interval, retransmis-sion, jamming and delay rules [13,21] to keep a count ofcompliant experiences of node j (called A) and a countof suspicious experiences of node j (called B) during

½t � dDt; t�. Node i then computes Thonesty;directi;j ðtÞ by

A/(A + B). If A + B = 0, meaning there are neither


compliant nor suspicious experiences observed over

½t � dDt; t�, then Thonesty;directi;j ðtÞ is set to 0.5 meaning no

new knowledge is available. This will result in trustdecay over time based on Eq. (1).

� Tunselfishness;directi;j ðtÞ : This provides the belief of node i that

node j is unselfishness based on direct observationsduring ½t � dDt; t�. The mechanism for node i to estimate

Tunselfishness;directij ðtÞ is also Bayesian Inference [26].

Specifically, node i estimates Tunselfishness;directij ðtÞ by the

ratio of the number of cooperative interaction experi-ences to the total number of protocol interaction expe-riences. Note that both counts are related to protocolexecution except that the former count is for positiveexperiences when node j, as observed by node i, cooper-atively follows the prescribed protocol execution.

� Tcompetence;directi;j ðtÞ: This refers to the belief of node i that

node j is competent at time t. The mechanism for node

i to estimates Tcompetence;directi;j ðtÞ is also Bayesian Inference

[26]. Specifically, node i overhears node j’s packet trans-mission activities during ½t � dDt; t� and measures thetransmission delay experienced each time. If the delaymeasured is within the normal range, it is recorded asa positive experience in competence; otherwise it is anegative experience. Node i then estimates

Tcompetence;directij ðtÞ by the ratio of the number of positive

packet transmission experiences to the total numberof packet transmission experiences. In practice, as longas node j is alive (energy is not depleted and there is nohardware/software failure), node j is competent.

The above trust aggregation protocols will be tested fortheir validity. An important task is to assess the accuracy of

TX;directij ðtÞ obtained. We compare TX;direct

ij ðtÞ with T Xj ðtÞ; i.e.,

the actual status of node j at time t in trust property X.The latter quantity can be obtained by defining acontinuous-time semi-Markov process describing thedynamic behavior of node j and thus yielding actual statusof node j at time t. This provides a basis for validating trust

aggregation designs such that TX;directij ðtÞ computed is as

close to actual status of j as possible. The difference

between TX;directij ðtÞ and T X

j ðtÞ is the direct trust assessment

error, TEX;directij ðtÞ; defined as follows:

TEX;directij ðtÞ ¼ TX;direct

ij ðtÞ � T Xj ðtÞ ð3Þ

TEX;directij ðtÞ above is one source of trust inaccuracy. Another

source of trust inaccuracy is due to compromised nodesproviding incorrect trust recommendations throughbad-mouthing and ballot-stuffing attacks. The differencebetween T X

ij ðtÞ (from Eq. (1)) and T Xj ðtÞ is the trust bias in

component X; TB Xij ðtÞ; defined as follows:

TB Xij ðtÞ ¼ T X

ij ðtÞ � T Xj ðtÞ ð4Þ

TB Xij ðtÞ is the end result of a trust aggregation protocol

execution. The goal of trust propagation protocol designis to minimize TB X

ij ðtÞ. We minimize TB Xij ðtÞ by dynamically

selecting the best set of ðaX ; bXÞ set under which subjectiveassessment of T X

ij ðtÞ from Eq. (1) would be the most accu-rate against actual status of node j in trust property X,i.e., TB X

ij ðtÞ is minimized.

3.4. Trust formation

We advocate trustee-dependent trust formation by whichthe best way to form trust from social trust and QoS trust isidentified and applied to each individual node, properlyreflecting trustee properties given as input. We also advo-cate mission-dependent trust formation by which the bestway to form trust from social trust and QoS trust is identi-fied and applied to each individual subtask group to max-imize application performance, properly reflecting subtaskgroup mission characteristics given as input.

Let TijðtÞ denote node i’s trust toward node j at time t. To

form trust from social trust and QoS trust, let Tsocialij ðtÞ and

TQoSij ðtÞ denote node i’s social trust and QoS trust toward

node j at time t, respectively, derived from T Xij ðtÞ in Eq.

(1). We will explore the importance-weighted-sum trust for-mation with which trust is an importance-weighted sum ofsocial trust and QoS trust. It encompassesmore-social-trust, more-QoS-trust, social-trust-only, andQoS-trust-only in trust formation. It is particularly applica-ble to missions where context information is availableabout the importance of social or QoS trust properties forsuccessful mission execution. For example, for a subtaskgroup consisting of unmanned nodes, the more-QoS-trustor QoS-trust-only trust formation model will be appropri-ate. Specifically,

TijðtÞ ¼ wsocialTsocialij ðtÞ þwQoSTQoS

ij ðtÞ ð5Þ

where wsocial and wQoS are ‘‘importance’’ weights associatedwith social trust and QoS trust, respectively, withwsocial þwQoS ¼ 1.

Note that in the above formulation, Tsocialij ðtÞ and TQoS

ij ðtÞare aggregate trust derived from Eq. (1) with X = social trustcomponents and X = QoS trust components, respectively.We explore the weighted-sum-form model to aggregate

Tsocialij ðtÞ and TQoS

ij ðtÞ to allow the relative importanceof each trust property in its category (social or QoS) to bespecified. As an example, suppose that a mission dictatesintimacy and honesty be picked as two social trustproperties and both are considered equally important.

Then, Tsocialij ðtÞ would be computed by Tsocial

ij ðtÞ ¼0:5Tintimacy

ij ðtÞ þ 0:5Thonestyi;j ðtÞ.

3.5. Hierarchical trust evaluation

Fig. 2 illustrates the information flow of hierarchicaltrust evaluation in COI-HiTrust with node-to-node,SGL-to-node, SGL-to-SGL and commander-to-SGL trustevaluation. Leveraging the COI-HM structure, each nodereports its trust evaluation toward other nodes in the samesubtask group to its SGL, possibly through trust-basedrouting to counter black-hole attacks. The SGL then applies

Fig. 2. Information flow of hierarchical trust evaluation in COI-HiTrust.


statistical analysis principles to TijðtÞ values received toperform SGL-to-node trust evaluation towards node j to

yield TCOI�HiTrustj ðtÞ: One application-level trust setting

design is to set a drop-dead minimum trust threshold Tth:

A SGL, say node c, takes TijðtÞ from node i only if it consid-

ers node i is trustworthy, i.e., TciðtÞ > Tth. Then it can com-

pute TCOI�HiTrustj ðtÞ for node j as the average of TijðtÞ0s from

trustworthy nodes in its subtask group, i.e., be appropriate.Specifically,

TCOI�HiTrustj ðtÞ ¼ avg

i2NR^TciðtÞPTth

TijðtÞ� �

ð6Þ

where NR is the set of COI members in the subtask group.The SGL (node cÞ if certified to be trustworthy by the com-

mander could announce j as compromised if TCOI�HiTrustj ðtÞ is

less than Tth; otherwise, node j is not compromised. This isdiscussed more in Section 4 Misbehaving Node Detectionbelow. Also the SGL may leverage TijðtÞ values received todetect if there is any outlier as an evidence ofgood-mouthing or bad-mouthing attacks.

4. Theoretical analysis

In this section we formally prove the convergence,accuracy, and resiliency properties of our trust manage-ment protocol against trust attacks. We first provide proofsfor the case in which the environment is stationary, i.e., thenode status (good vs. malicious) is stationary. Then weextend the proof to the case in which the environment isnon-stationary. Later in Section 5, we present ns-3 simula-tion results to validate the convergence, accuracy, and resi-liency properties of our protocol design in non-stationaryenvironments.

For ease of disposition, we simplify the notations

TX;directij ðtÞ to D X

ij ðtÞ (with D standing for direct trust), and

TX;recomkj ðtÞ to R X

kjðtÞ (with R standing for recommendationtrust). Also for ease of disposition, we omit the superscriptX in T X

ij ðtÞ;DXij ðtÞ, and R X

kjðtÞ, since the analysis is generic andapplicable to all trust properties.

We consider the instantaneous trust (reflecting theactual behavior) of a node j as a stochastic processGj ¼ fGjðnÞ : n ¼ 1;2; . . .g where n is the nth trust updateinterval, i.e., t ¼ Dt1 þ Dt2 þ � � � þ Dtn. We define objectivetrust (or ground truth trust) at step n as the expected valueof GjðnÞ, i.e., E GjðnÞ

� �. The goal of trust management is to

estimate objective trust using direct observations on anode’s instantaneous behaviors and recommendations.The direct trust of node i towards node j (also a stochasticprocess Dij ¼ fDijðnÞ : n ¼ 1;2; . . .g might be different fromGj due to noises. We assume the noise process eij is a whitenoise with eijðnÞ : n ¼ 1;2; . . . being independent and iden-tically distributed and drawn from a zero-mean distribu-tion. Then,

DijðnÞ ¼ GjðnÞ þ eijðnÞ ð7Þ

Assume that Gj and Dij are random variables in thespace of [0, 1], so eij is in the space of [�1, 1]. That is, ifGj = 1 but Dij ¼ 0, then eij ¼ �1: if Gj ¼ 0 but Dij ¼ 1, theneij ¼ 1: Our proof does not rely on the specific distributionsof these random processes. For example, for the honestytrust property, a node might behave honest or dishonest,i.e., Gj follows Bernoulli distribution; for the cooperative-ness trust property, Gj could be a random variable in thespace of [0, 1] following a Beta distribution.

According to our trust aggregation and propagation pro-tocol described in Section 3.2, the subjective trust evalua-tion of node i towards node ðTij ¼ fTijðnÞ : n ¼ 1;2; . . .gÞ isupdated by either direct observations Dij or recommenda-tions from another node k (Rkj ¼ fRkjðnÞ : n ¼ 1;2; . . .gÞ.

When node i directly interacts with node j, we have:


TijðnÞ ¼ ð1� aÞTijðn� 1Þ þ aDijðnÞ ð8Þ

Otherwise, if node i interacts with another node k, wehave:

TijðnÞ ¼ ð1� cÞTijðn� 1Þ þ cRkjðnÞ ð9Þ

where c ¼ bDikðnÞ1þbDikðnÞ

. We analyze the trust accuracy, conver-

gence and resiliency properties of our protocol based ontrust bias, i.e., bijðnÞ ¼ TijðnÞ � GjðnÞ. We define trust accu-racy, convergence and resiliency by limn!1E bijðnÞ

� �; i.e.,

how much the subjective trust deviates from the objectivetrust when it converges in the presence of maliciousattacks. Note that as limn!1E bijðnÞ

� �converges, the vari-

ance will be stabilized, leading to an upper bound of trustbias that defines trust accuracy achieved.

We first consider a stationary environment in which Gj

and Dij are stationary random processes. We also first con-sider a simple case in which there is no trust-relatedattack, i.e., RkjðnÞ ¼ DkjðnÞ or the recommended trust ofnode k toward node j is equal to the direct trust of nodek toward node j. Later on we will relax these assumptions.

If node i interacts with a node at stage n, there are twoways to update trust:

(1) If node i directly interacts with node j, it uses directobservations to update its trust toward node jaccording to Eq. (1). So the trust bias of node itowards node j at stage n is:

bijðnÞ ¼ TijðnÞ � GjðnÞ¼ 1� að ÞTijðn� 1Þ þ aDijðnÞ � GjðnÞ ð10Þ

Since DijðnÞ ¼ GjðnÞ þ eijðnÞ, we have

bijðnÞ ¼ 1� að ÞTijðn� 1Þ þ a GijðnÞ þ eijðnÞ� �

� GjðnÞ ð11Þ

Reformatting the equation above by subtracting andadding ð1� aÞGjðn� 1Þ in the right side, we have:

bijðnÞ ¼ 1� að Þ Tijðn� 1Þ � Gjðn� 1Þ� �

þ 1� að ÞGjðn� 1Þ þ a GjðnÞ þ eijðnÞ� �

� GjðnÞð12Þ

Since bijðn� 1Þ ¼ Tijðn� 1Þ � Gjðn� 1Þ, we have:

bijðnÞ ¼ 1� að Þbijðn� 1Þ þ 1� að ÞGjðn� 1Þ� 1� að ÞGjðnÞ þ aeijðnÞ ð13Þ

If node i interacts with another node k, rather than j
(2)at stage n, it uses the recommendation from node kto update its trust toward node j according to Eq. (1).Using a similar derivation as above, we have the trustbias of node i towards node j at stage n as follows:
bijðnÞ ¼ 1� cð Þbijðn� 1Þ þ 1� cð ÞGjðn� 1Þ� 1� cð ÞGjðnÞ þ cekjðnÞ ð14Þ

Note that in this derivation above, we assume thereis no trust-related attack, so RkjðnÞ ¼ DkjðnÞ ¼GjðnÞ þ ekjðnÞ.Since we assume a stationary environment and azero mean noise, we have E Gjðn� 1Þ � GjðnÞ

� �¼

0; E eijðnÞ� �

¼ 0, and E ekjðnÞ� �

¼ 0. Let p (0 6 p 6 1Þdenote the probability that node i interacts withnode j at stage n. Then, with the independenceassumption, we have:

E bijðnÞ� �

¼ p 1� að Þ þ 1� pð Þ 1� E c½ �ð Þf gE bijðn� 1Þ� �

¼ HE bijðn� 1Þ� �

ð15Þ

Since DikðnÞ ¼ GkðnÞ þ eikðnÞ is independent ofbijðn� 1Þ; c ¼ bDikðnÞ

1þbDikðnÞis independent of bijðn� 1Þ.

Consequently, as long as 0 6 H < 1;limn!1E eijðnÞ

� �¼ 0, i.e., the trust evaluation con-

verges. To make sure 0 6 H < 1, we need 0 < a 6 1and 0 < E c½ � 6 1. Notice that 0 < E½c� ¼E bDikðnÞ

1þbDikðnÞ

h i6 1 if b > 0. Hence, we have Lemma 1 as

follows:

Lemma 1. In a stationary environment, if there is notrust-related attacks, the trust evaluation in our trust man-agement protocol converges as long as 0 < a 6 1 and b > 0.

From Eq. (15), we note that the trust evaluation con-verges exponentially when 0 6 H < 1. Thus, the conver-gence speed increases as H decreases. This leads toLemma 2.

Lemma 2. In a stationary environment, if there is notrust-related attacks, the trust convergence speed of our trustmanagement protocol increases as a or b increases (0 < a 6 1and b > 0).

We measure trust fluctuation by the variance of trustbias, i.e., Var TijðnÞ � E GjðnÞ

� �� . Consider a stationary envi-

ronment, we have Var TijðnÞ � E GjðnÞ� ��

¼ Var TijðnÞ� �

.Below we analyze the effects of trust parameters on trustfluctuation. Again, we consider two cases based on thenode with which node i interacts:

(1) If node i interacts with node j, it uses direct observa-tions to update trust according to Eq. (1). Then, wehave,

TijðnÞ ¼ 1� að ÞTijðn� 1Þ þ a GjðnÞ þ eijðnÞ� �

ð16Þ

Tijðn� 1Þ is obtained based on past direct observa-tions and trust bias at step n� 1, so it is independentof GjðnÞ and eijðnÞ, which are also independent ofeach other. Therefore:

Var TijðnÞ� �

¼ 1� að Þ2Var Tijðn� 1Þ� �

þ a2 Var GjðnÞ� �

þ Var eijðnÞ� ��

ð17Þ

Since GjðnÞ and eijðnÞ are stationary random pro-cesses, Var GjðnÞ

� �þ Var eijðnÞ

� �is constant.

Therefore, after trust convergence (0 < a 6 1 andn!1Þ, the variance of trust evaluation will stabi-lize to a constant value, i.e., Var TijðnÞ

� �¼

Var Tijðn� 1Þ� �

, that is,


Var TijðnÞ� �

¼ 1� að Þ2Var TijðnÞ� �

þ a2 Var GjðnÞ� �


ð18Þ

This simplifies to:

Var TijðnÞ� �

¼ a2� a

Var GjðnÞ� �


ð19Þ

From Eq. (19), we can see that in this case, after trustconvergence, the trust fluctuation increases as aincreases.

(2) If node i interacts with another node k, rather than jat stage n, it uses the recommendation from node kto update trust in accordance with Eq. (1). Using asimilar derivation as in case (1), we have

Var TijðnÞ� �

¼ c2� c

Var GjðnÞ� �


ð20Þ

Since c ¼ bDikðnÞ1þbDikðnÞ

in this case, after trust convergence,

the trust fluctuation increases as b increases.Because the trust update falls into either case (1) orcase (2) above, we have Lemma 3 as follows:

Lemma 3. In a stationary environment, if there is notrust-related attacks, the variance or trust fluctuation of thetrust value after convergence in our trust management proto-col increases as a or b increases (0 < a 6 1; b > 0Þ.

Now we extend the analysis to the more generalcase when there are malicious nodes performing trustrelated attacks. Because of attacks, the trust evaluationmay not converge to objective trust. However, we canselect appropriate trust parameters such that the trustevaluation converges and the trust bias is minimized.Suppose that the percentage of malicious nodes inthe network is k and the probability that node i inter-acts with node j at stage n is p. Again, there are twocases:

(1) If node i interacts with node j, it uses direct observa-tions to update trust. Then following the samederivation for Eq. (13), the trust bias of node itowards node j at stage n is:

bijðnÞ ¼ 1� að Þbijðn� 1Þ þ 1� að ÞGjðn� 1Þ� 1� að ÞGjðnÞ þ aeijðnÞ ð21Þ

(2) If node i interacts with another node k (who hadprior interaction experience with node jÞ rather thanwith node j itself at stage n, it uses the recommenda-tion from node k to update trust. Following the samederivation for Eq. (14), we have the trust bias of nodei towards node j at stage n as follows:

bijðnÞ ¼ 1� cð Þbijðn� 1Þ þ 1� cð ÞGjðn� 1Þ� 1� cð ÞGjðnÞ þ ce0kjðnÞ ð22Þ

Eq. (22) is similar to Eq. (14) except that we haveused e0kjðnÞ instead of ekjðnÞ to account for possiblerecommendation attacks from node k. Let k be thepercentage of malicious nodes. With probability1-k, node k is a good node in which case

E e0kjðnÞh i

¼ E eijðnÞ� �

¼ 0 as before. With probability

k, node k is a malicious node in which case there isa non-zero-mean trust-related recommendation

attack noise and E e0kjðnÞh i

– 0. Meanwhile we still

have E Gjðn� 1Þ � GjðnÞ� �

¼ 0 since we assume a sta-tionary environment. Summarizing above, theexpected value of bijðnÞ in Eq. (22) is given by:

E bijðnÞ� �

¼ p 1� að Þ þ 1� pð Þ 1� E c½ �ð Þf gE bijðn� 1Þ� �

þ kð1� pÞE c½ �E e0kjðnÞh i

ð23Þ

We can see from Eq. (23) that as long as 0 6 H ¼p 1� að Þ þ 1� pð Þ 1� E c½ �ð Þ < 1; E bijðnÞ

� �will eventu-

ally converge. Therefore, E bijðnÞ� �

¼ E bijðn� 1Þ� �

eventually at which point we will have:

E bijðnÞ� �

¼ kð1� pÞE c½ �1� p 1� að Þ þ 1� pð Þ 1� E c½ �ð Þð Þ E e0kjðnÞ

h ið24Þ

Reformatting the equation above, we have:

E bijðnÞ� �� ¼ k 1� pð ÞE c½ �

apþ 1� pð ÞE c½ � E½e0kjðnÞ��

< k E e0kjðnÞh i�� ð25Þ

Here E c½ � ¼ E bDikðnÞ1þbDikðnÞ

h i< 1 and �1 < E½e0kjðnÞ� < 1

since in our protocol, a trust value is in the rangeof [0, 1]. Therefore, E bijðnÞ

� �� < k. Eq. (25) leads toLemma 4 as follows:

Lemma 4. In a stationary environment, if there are maliciousnodes performing trust related attacks, the trust evaluation inour trust management protocol stabilizes as long as 0 < a 6 1and b > 0. The trust bias is less that k after trust stabilizes anddecreases as a increases or as b decreases.

Now we extend the proof to non-stationary environ-ments in which Gj and Dij are non-stationary randomprocesses. We note that the objective trust status maychange before trust converges since trust convergenceand stabilization take time. However, from Eqs. (15)and (23), subjective trust obtained as a result of execut-ing our trust management protocol will approach objec-tive trust even if objective trust changes dynamically,and will converge to objective trust if objective truststabilizes after each change. Hence, as long as we selecthigh a and b to shorten trust convergence time at theexpense of high trust fluctuation, the system operatingunder our protocol will quickly adapt to environmentchanges.

5. Trust protocol performance

We develop a mathematical model based oncontinuous-time semi-Markov stochastic processes eachmodeling a mobile node in the COI mission-oriented group.Specifically, we leverage the stochastic Petri net techniques

0 50 100 150 200 250 300 350 4000

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

Time (min)

TBijho

nest

y(t)

com=1/(10hrs) simulation





com=1/(10hrs) analytical





Fig. 3. TBhonestyij ðtÞ over time.


[7,31–35] to define a continuous-time semi-Markov pro-cess describing the status of a node as time progresses,including the subtask group the node resides, compromisestatus, selfishness status, hardware/software failure status,and energy status, thus providing global informationregarding the probability that the node is in a particularsubtask group, whether it is compromised or not, whetherit is selfish or not, and whether it is still alive and thuscompetent to perform the mission assigned at time t. Anode is considered incompetent when its energy isdepleted or it suffers from a hardware/software failure.Each node is characterized by its specific mobility model(representing movements between subtask groups), com-promise rate, selfish rate, hardware/software failure rate,initial energy (a SGL has more resources and more energythan a regular nodes), and role-based energy consumptionrate. Thus, a node’s semi-Markov stochastic process mustreflect the node’s specific characteristics in addition tothe COI’s operational and environmental characteristics.Moreover, a node with its own stochastic process will gofrom one state to another, depending on its interactionswith other nodes, each having its own continuous-timesemi-Markov process. We develop an iterative computa-tional procedure so that all semi-Markov stochastic pro-cesses converge, thus properly reflecting node interactionexperiences with each other. The output of the mathemat-ical model is the objective trust function for each trustproperty X for node j at time t, i.e., TX;OBJ

j ðtÞ from which

we obtain objective trust TOBJj ðtÞ based on a trust formation

model (e.g., Eq. (5)) to be compared with subjective trust

TCOI�HiTrustj ðtÞ obtained in Eq. (6) for accuracy assessment.

Table 1 lists the default parameter values. We consideran environment with N = 400 heterogeneous mobileobjects/devices, each with energy E drawn from uniformdistribution U[12,24] hours. Devices are connected in asocial network represented by a friendship matrix [6].Physically, nodes move according to the SWIM mobilitymodel [5] modeling human social behaviors in 16 � 16regions with the length of each region equal to radio rangeR, so that two nodes are neighbors is they are in the sameregion or in the neighbor regions. We consider the case inwhich a 4 � 4 area is a subtask group area. Each node issubject to dishonesty and selfishness behavior attacks withrates kcom and kselfish respectively. Initially All nodes arehonest and unselfish, but may turn into dishonest and self-ish as time progresses depending on the attack rates. A dis-honest node performs self-promoting, bad-mouthing andballot-stuffing attacks as described in Section 2. A selfishnode performs discriminatory attacks. All nodes runsCOI-HiTrust to perform peer-to-peer trust evaluation with

Table 1Parameters and default values/ranges used.

Parameter Value Parameter Value

E U [12,24] h R 250 mspeed 1.45 N 400pause 2 h d 2kcom 1/18 h Dt 0.2 hkselfish 1/36 h TEX;direct

ijU[0, 0.2]

the update interval Dt ¼ 0:2 h with the observation win-dow size d = 2.

In the following we report analytical results based onEqs. (1)–(6). We further experimentally validate analyticalresults with extensive simulation using ns-3 [18,28].

5.1. P2P trust accuracy and convergence behavior

We examine peer-to-peer trust convergence behavior of

our trust protocol design. Fig. 3 plots TBhonestyij ðtÞ defined by

Eq. (4), i.e., the difference between subjective Thonestyij ðtÞ

(from Eq. (1)) and objective Thonestyj ðtÞ (ground truth) over

time for a trustor node (i.e., node iÞ and a trustee node(i.e., node j) randomly picked. The solid lines are analyticalresults and the dashed lines are ns-3 simulation results.

The subjective trust is obtained from COIHiTrust oper-ating at the identified optimal ðahonesty; bhonestyÞ settings asshown in Table 2. We observe that a very distinct set of(ahonesty; bhonestyÞ is being used by the trustor node inresponse to the attacker strength detected at runtime.Specifically, when the attacker strength is strong, the trus-tor node would rather trust its own assessment and henceit uses a high ahonesty (in the range of [0, 1]) and a low bhonesty

(in the range of [1,10]) at the expense of slow trust conver-gence. Conversely, when the environment condition isbenign, the trustor node would rather take in more trustrecommendations and hence it uses a low ahonesty and a

Table 2(ahonesty , bhonesty) setting to minimize trust bias.

kcom (ahonesty; bhonestyÞ MSE of trust bias

1/(10 h) (0.9, 1) 0.01231/(14 h) (0.9, 1) 0.01311/(18 h) (0.7, 2) 0.00831/(22 h) (0.6, 4) 0.00761/(26 h) (0.65, 5) 0.00053

0 50 100 150 200 250 300 350 4000

0.05

0.1

0.15

0.2

Time (min)

TBijho

nest

y(t)











Fig. 5. TBhonestyij ðtÞ vs. t with noise in U[0, 0.2].


high bhonesty so it can quickly achieve trust convergencewithout risking trust inaccuracy. There are several curvesin Fig. 3, each with a different compromise rate kcom repre-senting the attacker strength. We see that trust bias

TBhonestyij ðtÞ is higher as the compromise rate kcom increases

because there are more compromised nodes in the systemperforming trust-related attacks to disrupt the trust sys-tem. Nevertheless, we see a stable convergence behaviorof our trust protocol with trust bias limited to 0.07 evenfor a high compromise rate. The mean square error (MSE)

between Thonestyij ðtÞ and Thonesty

j ðtÞ is small as shown inTable 2.

We observe a remarkable match between the analyticalresults (solid lines) and the simulation results (dashedlines). The close match validates our analytical modeland verifies the validity of our trust protocol design againsttrust-related attacks (self-promoting, bad-mouthing, andballot-stuffing attacks) by malicious nodes.

5.2. COI-HiTrust accuracy and convergence behavior

In this section, we examine the trust convergence andaccuracy behavior of COIHiTrust by ns-3 simulation.Recall that COIHiTrust is built on P2P trust assessment

results. Specifically, TCOI�HiTrustj ðtÞ is obtained from Eq. (6)

after collecting TijðtÞ0s from nodes in the same subtaskgroups at time t, assuming wsocial=wQoS ¼ 0:5=0:5. Fig. 4plots trust bias (the difference between TOBJ

j ðtÞ and

TCOI�HiTrustj ðtÞÞ over time for a trustee node (node jÞ ran-

domly picked. There are several curves in Fig. 4, each cor-responding to a different compromise rate kcom. Again thesolid lines are analytical results and the dashed lines arens-3 simulation results. Fig. 4 confirms trust accuracyand convergence behavior of COIHiTrust. We observe thatthe trust bias is well under control, i.e., it is less than0.02 for low compromise rates and less than 0.08 for highcompromise rates.

0 50 100 150 200 250 300 350 4000

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09

Time (min)

T jCO

I-HiT

rust

(t)-T

jOB

J(t)











Fig. 4. Trust bias of COIHiTrust over time.

5.3. Effect of uncertainty and noise

Noise and uncertainty is modeled by TEX;directij ðtÞ defined

by Eq. (3). Fig. 5 plots TBhonestyij ðtÞ over time for a node ran-

domly picked. However, instead of setting

TEhonesty;directij ðtÞ ¼ 0; TEhonesty;direct

ij ðtÞ is a random variable fol-lowing uniform distribution U[0, 0.2] so that the trust errorof direct honesty trust assessment to go as high as 0.2. Wesee that the trend exhibited in Fig. 5 is remarkably similar

to that of Fig. 3. TBhonestyij ðtÞ in Fig. 5 is about 0.1 higher than

its counterpart in Fig. 3 because the average value of

TEhonesty;directij ðtÞ is 0.1, given that it follows U[0, 0.2] distribu-

tion. This verifies that our trust propagation and aggrega-tion protocol design (Eqs. (1) and (2)) is resilient to

TEX;directij ðtÞ since there is no extra trust error being intro-

duced during trust propagation and aggregation. Our pro-tocol’s resiliency is attributed to its ability to adjust thebest set of (ahonesty; bhonestyÞ values dynamically in responseto noise detected at runtime.

6. Application: misbehaving node detection

We propose a novel scheme to utilize COI-HiTrust forIDS functionality for the misbehaving node detectionapplication. The basic idea is to have the SGL (or the com-mander) make a decision periodically whether a node (or aSGL) is considered untrustworthy or compromised basedon the peer-to-peer trust evaluation results sent to it.The IDS strategy we investigate is as follows: when anode’s trust level falls below the system minimum trust

threshold, say, Tth, the node is diagnosed as completelyuntrustworthy and thus compromised. The IDS formed ischaracterized by its false positive probability, PIDS

fp , i.e., theprobability of misdiagnosing a good node as a bad node,and false negative probability, PIDS

fn , i.e., the probability ofmisdiagnosing a bad node as a good node. With the helpof the semi-Markov stochastic processes developed, we


can fairly accurately predict PIDSfp and PIDS

fn . More specifically,we leverage the knowledge of whether a node is compro-mised or not at time t from the semi-Markov stochasticprocess model to predict PIDS

fp ðtÞ and PIDSfn ðtÞ obtainable.

Suppose that in a subtask group with n + 1 nodes, eachnode, say i (i – j), reports its peer-to-peer trust evaluationresult Ti;jðtÞ to the SGL. Based on our IDS strategy if theexpected trust value of node j at time t;ljðtÞ, is below

Tth, the SGL will consider node j as totally untrustworthyand thus compromised. Suppose that the peer-to-peertrust value toward node j is a random variable followingt-distribution and thus the SGL has nTi;jðtÞ sample valuescollected from n nodes in the same subtask group. Then,we will have a random variable XjðtÞ with n-1 degree offreedom, i.e.,

XjðtÞ ¼Ti;jðtÞ � ljðtÞ

SjðtÞ=ffiffiffinp ð26Þ

where TijðtÞ and SjðtÞ are the sample mean and samplestandard deviation of node j’s trust value, respectively.Thus, the probability that node j is judged as a compro-mised node at time t is:

HjðtÞ ¼ Pr ljðtÞ < Tth �

¼ Pr XjðtÞ >Ti;jðtÞ � Tth

SjðtÞ=ffiffiffinp

!ð27Þ

The anticipated false positive probability at time t canbe obtained by calculating HjðtÞ under the condition thatnode j is not compromised. Similarly, the false negativeprobability at time t can be obtained by calculating1�HjðtÞ under the condition that node j is compromised.That is,

PIDSfp;jðtÞ ¼ Pr XjðtÞ >

TNij ðtÞ � Tth

SNj ðtÞ=

ffiffiffinp

0@

1A ð28Þ

00.2

0.40.6

0.81

0.04

0.06

0.08

0.10

0.2

0.4

0.6

0.8

1

trust threthhold (Tth)com

max

(P fp

,Pfn

)

Fig. 6. Effect of Tth and kcom on maxðPfp; PfnÞ.

PIDSfn;jðtÞ ¼ Pr XjðtÞ 6

TCijðtÞ � Tth

SCj ðtÞ=

ffiffiffinp

0@

1A ð29Þ

Here TNij ðtÞ and SN

j ðtÞ are the mean value and standarddeviation of node j’s trust value reported by all nodes inthe same subtask group, conditioning on node j not having

been compromised at time t, while TCi;jðtÞ and SC

j ðtÞ are themean value and standard deviation of node j’s trust value,conditioning on node j having been compromised at time t.Note that only Eq. (26) will be used by a SGL (or a comman-der) based on nTi;jðtÞ values collected at time t to judge ifnode j is totally untrustworthy or compromised. Eqs. (28)and (29) are used to predict the resulting false positiveprobability PIDS

fp;jðtÞ and false negative probability PIDSfn;jðtÞ,

given the knowledge whether node j is actually compro-mised or not at time t, which we can easily find out fromthe mathematical model output.

For the intrusion detection application, theapplication-level parameters for application performanceoptimization include (a) the drop-dead minimum trust

threshold Tth and (b) the weights wsocial and wQoS associatedwith social trust and QoS trust, with wsocial þwQoS ¼ 1.

6.1. Sensitivity analysis of the drop-dead minimum trustthreshold Tth

Fig. 6 shows max(Pfp; PfnÞ vs. the compromise rate kcom

and the minimum trust threshold Tth as a result of execut-ing the trust-based intrusion detection application, wherePfp and Pfn are the time-averaged false positive and falsenegative probabilities calculated from Eqs. (28) and (29),respectively, over all nodes in the system. Herewsocial ¼ wQoS ¼ 0:5 to isolate its effect. maxðPfp; PfnÞ is usedas the performance metric because there is a tradeoffbetween Pfp and Pfn. That is, as the minimum trust thresh-

old Tth increases, the false negative probability Pfn

decreases while the false positive probability Pfp increases.We see that given a compromise rate kcom value for trust

formation, there exists an optimal trust threshold Tth atwhich max(Pfp; PfnÞ is minimized. Further, we can visuallyobserve the effect of our proposed application performancemaximization design in this intrusion detection application.

Specifically, Fig. 6 identifies that the optimal Tth value is 0.6when kcom ¼ 0:05 to minimize Pfp without penalizing Pfn

but the optimal Tth value increases to 0.7 as kcom increasesto 0.1 so as to minimize Pfn without compromising Pfp, thusminimizing max(Pfp; PfnÞ as a result.

6.2. Sensitivity analysis of trust formation ðwsocial and wQoSÞ

Fig. 7 shows maxðPfp; PfnÞ vs. the minimum trust thresh-

old Tth and the weight wsocial associated with social trust(with wQoS ¼ 1�wsocialÞ. Here kcom = 0.05 to isolate itseffect. Maximizing application performance, i.e., minimiz-ing max(Pfp; PfnÞ, is achieved by adjusting wsocial to allowtrust to be formed out of the best combination of socialtrust and QoS trust components. We see that the best

wsocial value is 0.5 when Tth is set at 0.6 to minimizemax(Pfp; PfnÞ. However, max(Pfp; PfnÞ is minimized among

all when wsocial is 0.9 and Tth is 0.5. As the environment

Fig. 7. Effect of Tth and wsocial on maxðPfp; PfnÞ.


conditions change dynamically, e.g., as kcom changes from0.05 to 0.1, there exists the best combination of wsocial

and Tth values that will maximize the application perfor-mance in terms of minimizing max(Pfp; PfnÞ.

7. Applicability

The identification of optimal protocol settings in termsof ðaX ; bXÞ to minimize trust bias, and the bestapplication-level trust optimization settings in terms of

wsocial and Tth to maximize application performance, i.e.,minimizing maxðPfp; PfnÞ for the intrusion detection appli-cation is performed at static time. One way to apply theresults for dynamic hierarchical trust management is tobuild a lookup table at static time listing the optimal pro-tocol settings discovered over a perceivable range ofparameter values. Then, at runtime, upon sensing the envi-ronment conditions matching with a set of parameter val-ues, a node can perform a simple table lookup operationaugmented with extrapolation/interpolation techniquesto determine and apply the optimal protocol setting tominimize trust bias and maximize application perfor-mance dynamically in response to environment changes.The complexity is O(1) because of the table lookup tech-nique employed.

8. Conclusion

In this paper, we designed and analyzed a dynamic hier-archical trust management protocol for managing commu-nity of interest mobile groups in heterogeneous MANETenvironments. We demonstrated desirable resiliency andaccuracy properties of our protocol design by means of anovel model-based analysis methodology with simulationvalidation. We also demonstrated its utility with a misbe-having node detection application built on top of our pro-tocol based on a new design concept of mission-dependenttrust formation for achieving application performancemaximization. We proposed an efficient table-lookupmethod for applying the analysis results at runtimedynamically in response to changing environment

conditions to maximize application performance in termsof minimizing the false alarm rate.

In the future, we plan to consider more sophisticatedattacker models such as random, opportunistic, and insid-ious attacks [15,29,30] to further test the resiliency of ourhierarchical trust management protocol design and extendthe analysis to the Internet of things systems and cyberphysical systems where hierarchical control is essentialfor achieving scalability, reconfigurability, survivabilityand intrusion tolerance.

Acknowledgment

This material is based upon work supported in part bythe U.S. Army Research Office under contract numberW911NF-12-1-0445.

References

[1] P.B. Velloso, R.P. Laufer, D. de Cunha, O.C. Duarte, G. Pujolle, Trustmanagement in mobile ad hoc networks using a maturity-basedmodel, IEEE Trans. Netw. Serv. Manage. 7 (3) (2010) 172–185.

[2] H. Yu, M. Kaminsky, P.B. Gibbons, A.D. Flaxman, SybilGuard:defending against sybil attacks via social networks, IEEE/ACMTrans. Netw. 16 (3) (2008) 576–589.

[3] M. Maheswaran, H.C. Tang, A. Ghunaim, Toward a gravity-basedtrust model for social networking systems, in: 27th Int’l Conf. onDistributed Computing Systems Workshops, 2007, pp. 24–31.

[4] E.M. Daly, M. Haahr, Social network analysis for information flow indisconnected delay-tolerant MANETs, IEEE Trans. Mob. Comput. 8(5) (2009) 606–621.

[5] S. Kosta, A. Mei, J. Stefa, Small World in Motion (SWIM): modelingcommunities in ad-hoc mobile networking, in: 7th IEEE Conferenceon Sensor, Mesh and Ad Hoc Communications and Networks, Boston,MA, USA, 2010.

[6] Q. Li, S. Zhu, G. Cao, Routing in socially selfish delay tolerantnetworks, in: IEEE Conference on Computer Communications, SanDiego, CA, 2010, pp. 1–9.

[7] G. Ciardo, R.M. Fricks, J.K. Muppala, K.S. Trivedi, Stochastic Petri NetPackage (SPNP) users manual, Department Electrical Engineering,Duke University, 1999.

[8] J.H. Cho, I.R. Chen, D.C. Wang, Performance optimization of region-based group key management in mobile ad hoc networks, Perform.Eval. 65 (5) (2008) 319–344.

[9] J.H. Cho, A. Swami, I.R. Chen, Modeling and analysis of trustmanagement for cognitive mission-driven group communicationsystems in mobile ad hoc networks, in: International Conference onComputational Science and Engineering, Vancouver, Canada, 2009.

http://refhub.elsevier.com/S1570-8705(15)00094-3/h0005













[10] J.H. Cho, A. Swami, I.R. Chen, A Survey on trust management formobile ad hoc networks, IEEE Commun. Surv. Tut. 13 (4) (2011)562–583.

[11] A. Josang, S. Pope, Semantic constraints for trust transitivity, in: Proc.2nd Asia-Pacific Conf. on Conceptual Modeling, Newcastle, Australia,2005.

[12] J.H. Cho, I.R. Chen, Performance analysis of hierarchical group keymanagement integrated with adaptive intrusion detection in mobilead hoc networks, Perform. Eval. 68 (1) (2011) 58–75.

[13] A. daSilva, M. Martins, B. Rocha, A. Loureiro, L. Ruiz, and H. Wong,Decentralized intrusion detection in wireless sensor networks, in:ACM 1st International Workshop on Quality of Service and Securityin Wireless and Mobile Networks, Montreal, Quebec, Canada, 2005.

[14] F. Bao, I.R. Chen, M. Chang, J.H. Cho, Hierarchical trust managementfor wireless sensor networks and its applications to trust-basedrouting and intrusion detection, IEEE Trans. Netw. Serv. Manage. 9(2) (2012) 161–183.

[15] R. Mitchell, I.R. Chen, Effect of intrusion detection and response onreliability of cyber physical systems, IEEE Trans. Reliab. 62 (1) (2013)199–210.

[16] R.R.S. Verma, D. O’Mahony, H. Tewari, NTM – progressive trustnegotiation in ad hoc networks, in: IEI/IEE Symposium onTelecommunications Systems Research, Dublin, Ireland, 2001, pp.1–8.

[17] C.R. Davis, A localized trust management scheme for ad hocnetworks, in: International Conference on Networking, 2004, pp.671–675.

[18] The ns-3 Network Simulator, 2011, <http://www.nsnam.org/>.[19] X. Li, F. Zhou, J. Du, LDTS: a lightweight and dependable trust system

for clustered wireless sensor networks, IEEE Trans. Inf. Foren. Secur.8 (6) (2013) 924–935.

[20] J.H. Cho, A. Swami, I.R. Chen, Modeling and analysis of trustmanagement with trust chain optimization in mobile ad hocnetworks, Netw. Comput. Appl. 35 (2012) 1001–1012.

[21] R. Mitchell, I.R. Chen, A survey of intrusion detection in wirelessnetworks, Comput. Commun. 42 (2014) 1–23.

[22] J. Huang, D. Nicol, A calculus of trust and its application to PKI andidentity management, in: ACM 8th Symposium on Identity and Truston the Internet, Gaithersburg, MD, 2009.

[23] I.R. Chen, F. Bao, M. Chang, J.H. Cho, Trust management forencounter-based routing in delay tolerant networks, in: IEEEGlobal Telecommunications Conference, Miami, FL, 2010.

[24] I.R. Chen, F. Bao, M. Chang, J.H. Cho, Trust-based intrusion detectionin wireless sensor networks, in: IEEE International Conference onCommunications, Kyoto, Japan, 2011.

[25] J. Zhang, et al., A trust management architecture for hierarchicalwireless sensor networks, in: 35th IEEE International Conference onLocal Computer Networks, Denver, Colorado, 2010, pp. 264–267.

[26] A. Jøsang, R. Ismail, The beta reputation system, in: Bled ElectronicCommerce Conference, Bled, Slovenia, 2002, pp. 1–14.

[27] E. Ayday, H. Lee, F. Fekri, An iterative algorithm for trustmanagement and adversary detection for delay tolerant networks,IEEE Trans. Mob. Comput. 11 (9) (2012) 1514–1531.

[28] I.R. Chen, N. Verma, Simulation study of a class of autonomous host-centric mobility prediction algorithms for wireless cellular and adhoc networks, in: 36th Annual Symposium on Simulation, 2003, pp.65–72.

[29] I.R. Chen, A.P. Speer, M. Eltoweissy, Adaptive fault-tolerant QoScontrol algorithms for maximizing system lifetime of query-basedwireless sensor networks, IEEE Trans. Dependable Secure Comput. 8(2) (2011) 161–176.

[30] H. Al-Hamadi, I.R. Chen, Redundancy management of multipathrouting for intrusion tolerance in heterogeneous wireless sensornetworks, IEEE Trans. Netw. Serv. Manage. 19 (2) (2013) 189–203.

[31] I.R. Chen, D.C. Wang, Analyzing dynamic voting using petri nets, in:15th IEEE Symposium on Reliable Distributed Systems, Niagara Falls,Canada, 1996, pp. 44–53.

[32] I.R. Chen, O. Yilmaz, I.L. Yen, Admission control algorithms forrevenue optimization with QoS guarantees in mobile wirelessnetworks, Wireless Pers. Commun. 38 (3) (2006) 357–376.

[33] S.T. Cheng, C.M. Chen, I.R. Chen, Dynamic quota-based admissioncontrol with sub-rating in multimedia servers, Multimedia Syst. 8(2) (2000) 83–91.

[34] I.R. Chen, T.M. Chen, C. Lee, Performance evaluation of forwardingstrategies for location management in mobile networks, Comput. J.41 (4) (1998) 243–253.

[35] B. Gu, I.R. Chen, Performance analysis of location-aware mobileservice proxies for reducing network cost in personalcommunication systems, Mob. Netw. Appl. 10 (4) (2005) 453–463.

[36] A.A. Selçuk, E. Uzun, M.R. Pariente, A reputation-based trustmanagement system for P2P networks, Netw. Secur. 6 (3) (2008)235–245.

[37] L. Xiong, L. Liu, PeerTrust: supporting reputation-based trust forpeer-to-peer electronic communities, IEEE Trans. Knowl. Data Eng.16 (2004) 843–857.

[38] S.D. Kamvar, M.T. Schlosser, H. Garcia-Molina, The EigenTrustalgorithm for reputation management in P2P networks, in: 12thInternational Conference on World Wide Web, Budapest, Hungary,2003.

[39] Z. Su, et al., ServiceTrust: trust management in service provisionnetworks, in: IEEE International Conference on Services Computing,Santa Clara, CA, 2013.

[40] I.R. Chen, F. Bao, M. Chang, J.H. Cho, Dynamic trust management fordelay tolerant networks and its application to secure routing, IEEETrans. Parallel Distrib. Syst. 25 (5) (2014) 1200–1210.

[41] I.R. Chen, J. Guo, Dynamic hierarchical trust management of mobilegroups and its application to misbehaving node detection, in: 28thIEEE International Conference on Advanced Information Networkingand Applications, Victoria, Canada, 2014.

Ing-Ray Chen received the BS degree from theNational Taiwan University, Taipei, Taiwan,and the M.S. and Ph.D. degrees in computerscience from the University of Houston. He isa professor in the Department of ComputerScience at Virginia Tech. His research interestsinclude mobile computing, wireless systems,security, trust management, data manage-ment, real-time intelligent systems, and reli-ability and performance analysis. Dr. Chencurrently serves as an editor for IEEECommunications Letters, IEEE Transactions on

Network and Service Management, Wireless Personal Communications, TheComputer Journal, and Security and Network Communications. He is amember of the IEEE and ACM.

Jia Guo received the B.S. degree in ComputerScience from Jilin University, China in 2012.Currently he is pursuing his Ph.D. degree inthe Computer Science Department at VirginiaTech. His research interests include trustmanagement, security, wireless networks,wireless sensor networks, mobile computing,dependable computing, system modeling, andperformance analysis.














http://www.nsnam.org/








































1-s2.0-s1570870515000943-main

Documents