ieee transactions on mobile computing, vol. 5, no. 6,...

Performance Comparison of Trust-BasedReactive Routing Protocols

Asad Amir Pirzada, Chris McDonald, and Amitava Datta, Member, IEEE

Abstract—Ad hoc networks, due to their improvised nature, are frequently established in insecure environments and hence become

susceptible to attacks. These attacks are launched by participating malicious nodes against different network services. Routing

protocols, which act as the binding force in these networks, are a common target of these nodes. A number of secure routing protocols

have recently been proposed, which make use of cryptographic algorithms to secure the routes. However, in doing so, these protocols

entail a number of prerequisites during both the network establishment and operation phases. In contrast, trust-based routing protocols

locate trusted rather than secure routes in the network by observing the sincerity in participation by other nodes. These protocols thus

permit rapid deployment along with a dynamically adaptive operation, which conforms with the current network situation. In this paper,

we evaluate the performance of three trust-based reactive routing protocols in a network with varying number of malicious nodes. With

the help of exhaustive simulations, we demonstrate that the performance of the three protocols varies significantly even under similar

attack, traffic, and mobility conditions. However, each trust-based routing protocol has its own peculiar advantage making it suitable for

application in a particular extemporized environment.

Index Terms—Trust, security, ad hoc, network, protocol.

�

1 INTRODUCTION

MOBILE ad hoc wireless networks hold the promise ofthe future, with the capability to establish networks at

anytime, anywhere. These networks don’t rely on extra-neous hardware, which makes them an ideal candidate forrescue and emergency operations. These networks are built,operated, and maintained by their constituent wirelessnodes. These nodes generally have a limited transmissionrange and, so, each node seeks the assistance of itsneighboring nodes in forwarding packets. In order toestablish routes between nodes which are further than asingle hop, specially configured routing protocols areengaged. The unique feature of these protocols is theirability to trace routes in spite of a dynamic topology. Theseprotocols can be categorized into two main types: reactiveand proactive [1]. The nodes in an ad hoc network generallyhave limited battery power and, so, reactive routingprotocols endeavor to save power by discovering routesonly when they are essentially required. In contrast,proactive routing protocols establish and maintain routesat all instants of time so as to avoid the latency that occursduring new route discoveries.

Both types of routing protocols require persistent co-

operative behavior from the intermediate nodes that primar-

ily contribute to the route development. Similarly, all nodes

which practically act like mobile routers [2] have absolute

control over the data that passes through them. In essence,

the membership of any ad hoc networks indisputably calls

for sustained benevolent behavior from all participatingnodes. However, such selfless behavior is often difficult tosustain and, so, the execution of the routing protocols, by theselfish nodes, frequently deviates from defined specifica-tions. Similarly, ad hoc networks, which are generallyestablished in open and physically insecure environments,may be attacked in a number of other ways. These attacks ingeneral can be divided into two major types: passive andactive [3]. In passive attacks, a node only eavesdrops uponthe network traffic in order to extract vital information fromthe data and control packets. In active attacks, however, amalicious node expends its own energy to launch fabrication,modification, or impersonation attacks [4].

In order to protect ad hoc networks against selfish andmalicious behavior, a number of secure routing protocolshave been developed. These protocols employ a variety ofcryptographic tools to protect the core routing protocol,which in turn secures the routes, thereby protecting the datathat flows through them. More emphasis is laid upon theprecise establishment of the routes as there is no advantageto protecting the data if it never reaches its requisitedestination. A review of these secure routing protocols formobile ad hoc wireless networks [5] indicates that most ofthe protocols presume the existence of a centralized ordistributed trusted third party in the network. Thisassumption is also coupled with preconfiguration of nodeswith encryption keys prior to joining the network. As thename suggests, ad hoc wireless networks are rarelyestablished in a planned manner. They have the diversenature of being impromptu and, so, inherently oppose thedependence upon prerequisites. Based upon their establish-ment techniques, they can be roughly divided intotwo types: managed and pure [6].

Managed ad hoc networks are those which have theprovision of sustaining a trusted third party in the network.

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 5, NO. 6, JUNE 2006 695

. The authors are with the School of Computer Science and SoftwareEngineering, The University of Western Australia, 35 Stirling Highway,Crawley, W.A. 6009, Australia.E-mail: {pirzada, chris, datta}@csse.uwa.edu.au.

Manuscript received 26 Apr. 2005; revised 23 Aug. 2005; accepted 24 Aug.2005; published online 17 Apr. 2005.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TMC-0120-0405.

1536-1233/06/$20.00 � 2006 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS

These networks thus require some a priori knowledgeconcerning the volume and setting of the network. This inturn restricts the size and mode of application of thesenetworks. Managed ad hoc networks are thus deemedsuitable for law enforcement and military set-ups thatgenerally have prior knowledge of forthcoming require-ments. In contrast, pure ad hoc networks are not basedupon any such assumptions and, hence, permit rapidestablishment of the network without any extraneousrequirements. These networks are formed in a spontaneousand self-organized manner without necessitating a physicalor virtual infrastructure. Any wireless node can gain or losethe membership of the network at any time, without theneed for prior registration [7].

Establishing trust in managed networks is relativelysimple to realize as the absolute trust is placed in thecryptographic algorithms and their mode of implementa-tion. However, this is achieved at the cost of deviating fromthe unplanned nature of ad hoc networks to a semi-organized one. In order to sustain the improvised nature ofad hoc networks, we deviate from the customary strategy ofusing cryptography and, as an alternative, use a trust-basedsystem that is influenced by the human behavioral model.According to Denning [8], “Trust cannot be treated as aproperty of trusted systems but rather it is an assessmentbased on experience that is shared through networks ofpeople.” As in real life, two entities with no previousmutual experience put confidence in each other’s compe-tence so as to realize their respective goals. These sharedexperiences lead to trust development that augments anddecays with time and frequency of interactions.

AODV, DSR, and TORA are three well-known reactiverouting protocols which are undergoing wide rangingactive research. These protocols have been developed fornetworks where all nodes can faithfully execute them in amunificent manner. However, in real life, such an altruisticstance is difficult to achieve and, so, these protocols aremore often executed by nodes that divert from the basicrequirements of participation. In order to maintain theimpromptu nature of ad hoc networks without making anyextraneous assumptions, a trust-based scheme is usuallyapplied to protect these routing protocols. In a trust-basedscheme, all nodes in the network independently execute atrust model and maintain their own assessment concerningother nodes in the network. Each node, based upon itspersonal experiences, rewards collaborating nodes for theirbenevolent behavior and penalizes malicious nodes for theirmalevolent conduct. Most of the events that are experiencedby a node occur within the vicinity of its immediateneighbors. This helps to establish direct trust relationshipsbetween the neighbors. In contrast, very few events aredirectly experienced between nodes that are more than onehop away. The direct trust values can also be shared amongneighbors using a higher layer Reputation ExchangeProtocol [9] or as an integral component of the underlyingrouting protocol [10].

A source routing protocol like DSR can benefit the mostfrom reputations, where each source node has the option ofselecting trustworthy nodes at the start of the connection.However, in case the sending node has incomplete trust

information about all the nodes in the path, malicious nodesmay still be included in the routing process. Reputation canthus help in such situations by providing trust informationbeyond a single hop. On the contrary, in hop-to-hop routingprotocols like TORA and AODV, the sending and forward-ing nodes can only make the next-hop routing decision forwhich direct trust is considered more accurate overreceived reputations. The sharing of trust reputations isalso vulnerable to deception where a malicious node mayupgrade its own reputation or degrade the reputation of anexisting trustworthy node. Cryptographic message digestsare frequently employed to ensure the integrity of reputa-tion messages. However, such mechanisms depend uponcertain certifying authorities that are considered trust-worthy both by the message sender and the recipient.Hence, we consider direct trust as the most effectivemechanism for incorporating trust-based routing in mobilead hoc wireless networks.

This paper is the first to provide a realistic comparativeanalysis of three trust-based reactive routing protocols in anattacked pure ad hoc network. We have endeavored toavoid a centralized or distributed trust entity which,although beneficial, conflicts with the improvised natureof ad hoc networks. Additionally, in order to evaluate theprecise impact of an identical trust-based scheme on allthree routing protocols, we don’t employ any reputation-based mechanism and only exploit the direct trust toinfluence the routing process. We evaluate the performanceof the protocols under active attacks and monitor theirinherent robustness against them. With the help ofextensive simulations, we present results showing theperformance of each protocol in a network under varyingtraffic loads, mobility conditions, and attack patterns.

In the rest of the paper, we first discuss some relevantprevious work in Section 2. In Section 3, we describe theapplication of a trust-based scheme to three native reactiverouting protocols. In Section 4, we evaluate the efficacy ofthe protocols through exhaustive simulations. Analysis ofthe results is carried out in Section 5, with concludingremarks in Section 6.

2 PREVIOUS WORK

2.1 Watchdog and Pathrater

The Watchdog and Pathrater mechanism [11] has beenspecifically designed to optimize the forwarding mechan-ism in the Dynamic Source Routing protocol [12]. Themechanism basically consists of two components: Watch-dog and Pathrater. The Watchdog is responsible fordetecting selfish nodes that do not forward packets. To doso, each node in the network buffers every transmittedpacket for some time. During this interval, the node placesits wireless interface into the promiscuous mode in order tooverhear whether the next node has forwarded the packetor not. The Pathrater assigns different rating to the nodesbased upon the feedback that it receives from the Watch-dog. These ratings are then used to select routes consistingof nodes with the highest forwarding rate. The range of theratings varies from 0.0 to 0.8, where 0.5 signifies a node asneutral. These values are updated periodically by 0.01 each

696 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 5, NO. 6, JUNE 2006

200 ms. During route selection, these ratings are averagedover all nodes present in a particular path and the routewith the maximum rating is selected.

2.2 CONFIDANT

CONFIDANT (Cooperation Of Nodes, Fairness In Dynamicad hoc NeTworks) [13] adds a trust manager and areputation system to the Watchdog and Pathrater scheme.The trust manager evaluates the events reported by theWatchdog (monitor in this case) and issues alarms to warnother nodes regarding malicious nodes. The alarm recipi-ents are maintained in a friends-list, which is configuredthrough a user-to-user authentication mechanism [14]. Toverify the source of alarms, a mechanism similar to PrettyGood Privacy [15] is employed. The reputation systemmaintains a black-list of nodes at each node and sharesthem with nodes in the friends-list. The CONFIDANTprotocol implements a punishment-based scheme by notforwarding packets of nodes whose trust level drops belowa certain threshold.

2.3 CORE

CORE (COllaborative REputation) [16] is similar to CON-FIDANT, however, it employs a complicated reputationexchange mechanism. CORE divides the reputation of anode into three distinct components: Subjective Reputation,which is observed through own observations, IndirectReputation, which is a positive report by another node,and Functional Reputation, which is based upon behaviormonitored during a specific task. These reputations areweighted for a combined reputation value. This combinedreputation value is used to make decisions regarding theinclusion or isolation of another node. CORE makes use oftwo types of entities, a requestor and one or moreproviders, to support a collaborative reputation mechanism.The requestor asks the providers for reputation values andvalidates the obtained results with the expected results thathave been derived using the Watchdog. Positive trustratings are exchanged, while the negative ratings are locallyderived using the Watchdog.

2.4 Terminodes

The TermiNodes project [17], [18] makes use of a virtualcurrency called nuglets, which serves as a payment perforwarded packet. The nuglets are maintained by each nodein a tamper-resistant security module. The project uses acryptographic infrastructure to ensure accuracy in transac-tions and avoid misuse of nuglets. The number of nugletsheld by a node increase with every forwarded packet anddecrease with each originated packet. The project endeavorsto encourage forwarding by introducing two chargingmodels: Packet trade model (Recipient to pay) and Packetpurse model (Sender to pay). In the first model, eachintermediate node has to purchase the packet from thesender of the packet. This increases the overall price of apacket, which has to be paid by the destination. Theadvantage of this model is that the originator of a packetdoes not need to know in advance the exact amount ofnuglets required to reach a particular destination and can,so, send the packet for free. The obvious disadvantage hereis that it doesn’t stop malicious nodes from superfluous

flooding. In the Packet Purse Model, the sending node hasto load each packet with sufficient nuglets so that it reachesthe destination. During transit of the packet, each inter-mediate node supposedly takes one nuglet out of the packetas its forwarding fee. The advantage of this model is that itis resilient to flooding as the number of nuglets is limited ineach packet. The disadvantage of this scheme is that thesender has to know precisely the number of nuglets that arerequired to be loaded into each transmitted packet and toensure that the intermediate nodes don’t overcharge duringthe forwarding mechanism.

3 TRUST-BASED REACTIVE ROUTING PROTOCOLS

The aforementioned schemes implement various mechan-isms to improve upon the routing mechanism in an ad hocnetwork. Although the use of a cryptographic infrastructureand special hardware devices help to protect againstmalicious nodes, they are considered an extraneousrequirement that contradicts the spontaneous nature ofad hoc networks. Some schemes have certain pre andpostestablishment conditions which restrict their applica-tion only to managed ad hoc wireless networks. In addition,most of the previous work only takes into account themeasure of the forwarding mechanism by network nodes.However, we accentuate that such a measure is not onlyinadequate for trust computation, but is also vulnerable todeception. For example, any malicious node may falla-ciously modify the packet contents during forwarding andstill get a positive rating by the trust model. In the followingsections, we present a pragmatic trust model that takes intoaccount not only the packet forwarding events, but alsoverifies a number of other parameters, including theintegrity of forwarded traffic and sincerity in execution ofthe routing protocol. The trust model has been integratedwith the reactive routing protocols in a manner whichfacilitates trust derivation and its subsequent application tothe routing process.

3.1 Reactive Routing Protocols

3.1.1 AODV

Ad hoc On-Demand Distance Vector Routing Protocol(AODV) [19] is inherently a distance vector routing protocolthat has been optimized for ad hoc wireless networks.AODV makes extensive use of sequence numbers in controlpackets to avoid routing loops. When a source node intendscommunicating with a destination node whose route is notknown, it broadcasts a ROUTE REQUEST packet. EachROUTE REQUEST packet contains an ID, source anddestination node IP addresses and sequence numbers,together with a hop count and control flags. The ID fielduniquely identifies the ROUTE REQUEST packet; thesequence numbers indicate the freshness of control packetsand the hop-count maintains the number of nodes betweenthe source and the destination. Each recipient of the ROUTEREQUEST packet that has not seen the Source IP and ID pairor doesn’t maintain a fresher (with a larger sequencenumber) route to the destination rebroadcasts the samepacket after incrementing the hop-count. Such intermediatenodes also create and preserve a REVERSE ROUTE to the

PIRZADA ET AL.: PERFORMANCE COMPARISON OF TRUST-BASED REACTIVE ROUTING PROTOCOLS 697

source node for a certain interval of time. When the ROUTEREQUEST packet reaches the destination node or any nodethat has a fresher route to the destination, a ROUTE REPLY

packet is generated and unicast back to the source of theROUTE REQUEST packet. Each ROUTE REPLY packetcontains the destination sequence number, the source anddestination IP addresses, and route lifetime, together with ahop count and control flags. Each intermediate node thatreceives the ROUTE REPLY packet increments the hop-count, establishes a FORWARD ROUTE to the source of thepacket and transmits the packet on the REVERSE ROUTE. Inorder to facilitate multipath support in AODV, a number ofextensions have been proposed [20]. AOMDV [21] is onesuch extension that provides loop-free and disjoint alternatepaths. In AOMDV, each recipient node creates multipleREVERSE ROUTES while processing the ROUTE REQUEST

packets that are received from multiple neighbors. Simi-larly, one or more ROUTE REPLY packets are generated via aloop free path by the destination or any node having a routeto the destination in response to each received ROUTE

REQUEST packet. These ROUTE REPLY packets, whenreceived by the source or intermediate nodes, result increation of multiple FORWARD ROUTES leading to the samedestination.

3.1.2 DSR

The Dynamic Source Routing (DSR) protocol [12] is areactive routing protocol. As the name suggests, it usesIP source routing. All data packets that are sent using theDSR protocol contain the complete list of nodes that thepacket has to traverse. During route discovery, the sourcenode broadcasts a ROUTE REQUEST packet with a uniqueidentification number. The ROUTE REQUEST packet con-tains the address of the target node to which a route isdesired. All nodes that have no information regarding thetarget node or have not seen the same ROUTE REQUEST

packet append their IP addresses to the ROUTE REQUEST

packet and rebroadcast it. In order to control the spread ofthe ROUTE REQUEST packets, the broadcast is done in anonpropagating manner, with the IP TTL field beingincremented in each route discovery. The ROUTE REQUEST

packets keep on spreading until they reach the target nodeor any other node that has a route to the target node. Therecipient node creates a ROUTE REPLY packet whichcontains the complete list of nodes that the ROUTE REQUESTpacket has traversed. Based upon implementation, thetarget node may respond to one or more incoming ROUTE

REQUEST packets. Similarly, the source node may acceptone or more ROUTE REPLY packets for a single target node.The selection of the ROUTE REPLY can be made both onminimal hop count or latency. In this paper, we have used amultipath version [22] of the DSR protocol in which eachROUTE REQUEST packet received by the destination isresponded to by an independent ROUTE REPLY packet. Foroptimization reasons, nodes maintain a PATH CACHE or aLINK CACHE scheme [23]. All nodes either forwarding oroverhearing data and control packets add all usefulinformation to their respective route cache. This informa-tion is used to limit the spread of control packets forsubsequent route discoveries.

3.1.3 TORA

The Temporally Ordered Routing Algorithm (TORA) [24] isa distributed routing protocol for multihop networks. Theunique feature of this protocol is that it endeavors tolocalize the spread of routing control packets. The protocolis basically an optimized hybrid of the Gafni Bertsekas (GB)protocol [25] and the Lightweight Mobile Routing (LMR)protocol [26]. It guarantees loop freedom, multiple routes,and minimal communication overhead, even in highlydynamic environments. The protocol attempts to minimizerouting discovery overhead and, in doing so, prefers instantroutes over optimal routes. The protocol supports source-initiated on-demand routing for networks with a high rateof mobility as well as destination-oriented proactive routingfor networks with lesser mobility. TORA maintains state ona per-destination basis and runs a logically separateinstance of the algorithm for each destination. TORAassigns directional heights to links so as to direct the flowof traffic from a higher source node to a lower destination.The significance of these heights, which are assigned basedon the direction of a link toward the destination, is that anode may only forward packets downstream, but notupstream, i.e., to another node that has a higher, undefinedor unknown height.

In the on-demand mode, the TORA algorithm performsthree routing functions: Route Creation, Route Maintenanceand Route Erasure. To accomplish these functions, it usesthree distinct control packets: Query (QRY), Update (UPD),and Clear (CLR). During route discovery, a source noderequiring a route to a destination broadcasts a QRY packetcontaining the destination address. The QRY packet ispropagated through the network until it reaches thedestination or any intermediate node possessing a route tothe intended destination. The recipient of the QRY packetbroadcasts a UPD packet that lists its height with respect tothe destination. If the destination itself replies to aQRY packet, it sets the height to zero in the UPD packet.Each node that receives the UPD packet sets its own heightgreater than that in the UPD packet. This results in thecreation of a directed acyclic graph (DAG) with all linkspointing in the direction of the destination as the root.TORA is not a standalone routing protocol, but requires theservices of the Internet MANET Encapsulation Protocol(IMEP) [27]. IMEP uses periodic BEACON packets toascertain the connection status between adjacent nodesand declares a link “broken” if no BEACONs are exchangedwithin the maximum beacon interval [28].

3.2 The Trust Model

We have applied an effort-return-based trust model [6] tothe above three reactive routing protocols. The trust modelessentially performs the function of trust derivation,computation, and application. During trust derivation, eachnode derives trust levels from directly experienced events.During trust computation, the monitored events arenormalized and assigned weights so as to compute thedirect trust in other nodes. These computed trust levels arethen associated with the routing process during trustapplication.


3.2.1 Trust Derivation

During trust derivation, the accuracy and sincerity of theimmediate neighboring nodes is measured by observingtheir contribution to the packet forwarding mechanism.Every time a node transmits a data or control packet, itimmediately brings its receiver into the promiscuous modeso as to overhear its immediate neighbor forwarding thepacket. The sending node verifies the different fields in theforwarded IP packet for requisite modifications through asequence of integrity checks. If the integrity checks succeed,it confirms that the node has acted in a benevolent mannerand, so, its direct trust counter is incremented. Similarly, ifthe integrity check fails or the forwarding node does nottransmit the packet at all, its corresponding direct trustmeasure is decremented.

For accurate derivation of trust, the participating nodesneed to support the following features:

. promiscuous mode operation,

. omnidirectional transceivers, and

. comparable transmission and reception ranges oftransceivers.

Each node in the network maintains a direct trust value

for its immediate neighbors. This rating is based upon a

node’s experience with another node over a period of time.

The following two categories can be derived from the DSR,

AOMDV, and TORA protocols, respectively, which can

subsequently be used to compute the direct trust in other

nodes:Acknowledgments (PA). In the “Acknowledgments”

category, the sender node places itself in promiscuousmode after the transmission of any packet so as to overhearthe retransmission by the recipient node. The acknowl-edgment method also provides us with the followinginformation about the next hop, including: It is not actinglike a black hole, it is not carrying out a modification attack,it is not carrying out fabrication attacks, it is not carryingout an impersonation attack, it is not showing selfishbehavior, and it is not inducing latency delays.

Packet Precision (PP). The category “Packet Precision”

ensures the integrity of the data and control packets that are

forwarded by other nodes in the network. The accuracy of

control packets plays a vital role in the establishment of

accurate routes through the network. The precision of these

control packets along with data packets is verified during

the forwarding stage. For instance, if an immediate

neighboring node forwards the control or data packet after

making requisite modifications, its corresponding trust

levels are elevated.To implement the trust derivation mechanism, a node

buffers each forwarded packet for the Trust Update Interval(TUI). The TUI is a very critical component of such a trustmodel and determines the time a node should wait beforeassigning a trust or distrust level to a node based upon theresults of particular event. After transmission, each nodepromiscuously listens for the neighboring node to forwardthe packet. If the neighbor forwards the packet in the propermanner (correct modification if required) within the TUI, itscorresponding trust level is incremented. However, if theneighboring node modifies the packet in an unexpected

manner or does not forward the packet at all, its trust levelis decremented.

3.2.2 Trust Computation

Each trust category is represented by one or more types ofevents. The successful and failed events for all thecategories are maintained in tables. All events are thennormalized to produce useable information having statis-tical properties. If Cs represents the cumulative sum ofsuccessful events of a category and Cf signifies thecumulative sum of failed events of a category, then thenormalized value Ci is equal to:

Ci ¼Cs � Cf

Cs þ Cffor Cs þ Cf 6¼ 0 else Ci ¼ 0;

where Ci represents one of the events being considered forthe computation of a category. Similarly, all eventsrepresenting a single category are recorded and normalized.By normalizing the values of events recorded, we limit thetrust values between -1 to +1. Negative values for trust canoccur as a result of more failures than successes for anevent. Hence, a trust value of -1 represents completedistrust, a value of 0 implies a noncontributing event, anda value of +1 means absolute trust in a particular event.These normalized events are then assigned weightsdepending upon their utility and importance. The Situa-tional Trust TxyðnÞ in node y by node x for trust category nis computed using the following equation:

TxyðnÞ ¼Xm

i¼1

½Ci �WðiÞ�;

where n 2 fPA;PPg and i is the number of events that arebeing monitored for a single category. WðiÞ represents theweight assigned to the ith event by node x. The SituationalTrust values from the two trust categories are then assignedweights, according to their priority, in order to determinethe direct trust level for a particular node. The direct trust innode y by node x is represented as Txy and is given by thefollowing equation:

Txy ¼WðPAÞ � TxyðPAÞ þWðPPÞ � TxyðPPÞ;

where PA represents the category Packet Acknowledgmentsthat preserves a count of the number of packets that havebeen forwarded by a node. PP represents the categoryPacket Precision, which maintains a count of the number ofpackets forwarded correctly. W reflects the weight orpriority assigned to that particular category. The optimalsituational weights that are assigned to different situationaltrust categories have been evaluated in preceding simula-tions [29]. The category PP and PA are employed incombination to protect the routing protocols againstdeceptive alteration of vital protocol fields and foridentifying selfish node behavior, respectively.

3.2.3 Trust Application

Trust-based routing schemes generally segregate nodes intotwo possible states, i.e., either benevolent or malevolent.With our proposed trust model, there is no such discretesegregation and all nodes in the network are considered


potential routing candidates based upon their contempor-ary trust levels. In essence, our scheme facilitates best-effortdelivery even in the presence of malicious and selfishnodes. Thus, all available nodes, based upon their respec-tive trust levels, are selected for the routing process. In casehigher trust nodes are not available in the neighborhood,then nodes with lower trust levels are engaged and given asubsequent chance to improve upon their past performance.

All participating nodes in the network initially consider

every other unknown1 node in the network as trustworthy

and set its direct trust value equal to the initial trust value

(TI). The TI can be set in two different ways: neutral or

trustworthy. In the neutral category the TI of the node is set

to 50 percent. This implies that all nodes are initially

considered neutral until the time they have interactions

with other nodes in the network. Based upon these

interactions, the trust values can either improve or dimin-

ish. However, this approach causes problems when dealing

with nodes portraying gray holes. As these nodes vary their

packet drop pattern, it is possible that the trust level of such

nodes may increase that of a neutral node. Such an

occurrence would prevent neutral nodes from getting

analyzed by the trust model, in the presence of a gray hole

node x in their near vicinity with Txy > TI. The other

mechanism that we have used is to set the TI of each node

as 100 percent trustworthy or TI ¼ 1. This ensures that all

nodes are judged in due time regarding their capability and

past performance. The model then explicitly identifies

malicious or trustworthy nodes based upon their current

trust levels. These trust levels can be dynamically adjusted

depending upon the current environment and conditions.

Nodes that execute the protocol in a benevolent manner

thus maintain a higher trust level than those which are

detected as selfish or malicious by the trust model. This

mechanism is resilient to the gray hole attack since any

malicious activity by a node drops its trust level further

down in comparison to that of the neighboring nodes.

In AOMDV, before initiating a new route discovery, the

routing table is first scanned for a working route to the

destination. In the event of unavailability of a route from

the routing table, the ROUTE REQUEST packet is propa-

gated. So, when the search is made for a route in the table,

the least cost path in terms of number of hops is always

returned. Similarly, each forwarding node scans its local

routing table to find a least hop path leading to the packet’s

destination. We modify this rule and associate the direct

trust values as the cost of nodes. So, each time a packet is

sent or forwarded, the sending or forwarding node first

scans the routing tables for all alternate paths leading to the

same destination. It then compares the direct trust levels of

all next hops in these paths and selects the one with the

highest trust level. In case the next hop nodes are not

previously known to the sender or forwarder, then the path

with the least distance to the destination is selected.In DSR, before initiating a new route discovery, the

sending node scans its LINK CACHE for a working route to

the destination. In case a route is not found from the LINKCACHE, the ROUTE REQUEST packet is propagated. In theLINK CACHE scheme, the default cost of each link is one. So,when the search is made for a route in the LINK CACHE, theshortest path in terms of number of hops is alwaysreturned. We have modified this rule and associate thedirect trust level of link end nodes as the cost of every link.So, each time a new route is required, a modified variant ofthe Dijkstra algorithm [30] is executed to find the route withthe maximum trust level.

In TORA, the height structure is modified by adding Txyas a sixth tuple to the existing height information. Theheight of node y determined by node x is represented as(�y, oidy, ry, Txy, �y, y), where now the first four valuesrepresent the reference level and the last two represent thechange with respect to the reference level. The linkagebetween the node heights and their corresponding directtrust values enable a sending or forwarding node toretrieve a route with a higher trust level rather than aroute with the least height. In case of similar trust levelsbetween any two nodes, the other height components aretaken into consideration.

The association of direct trust levels to the nodes either inthe routing tables or cache ensures that, if alternatetrustworthy routes are available, then the malicious nodeswith lower trust levels are avoided and bypassed in allongoing and subsequent data connections. In contrast toAOMDV and TORA, the trust-based route selection in DSRcan only be carried out at the connection originating stageand not at the forwarding stage. This is due to the fact thatthe intermediary nodes, participating in any active dataconnection, are able to derive trust in other nodes, butcannot make trust-based routing decisions for that parti-cular connection. However, these nodes can subsequentlyuse the derived trust information when they act as sourcenodes and initiate new data connections.

4 SIMULATION

4.1 Setup

The NS-2 [31] simulator was used to evaluate the

performance of the three trust-based routing protocols

under attack conditions. To avoid confusion, we henceforth

refer to the trust-based AOMDV, DSR, and TORA protocols

as the AODV, DSR, and TORA protocols, respectively. The

simulation parameters are listed in Table 1.

4.2 Mobility Model

We implement the random way point movement model forthe simulation in which a node first waits for the pauseinterval and then moves to a randomly chosen positionwith a velocity chosen between 0 m/s to the maximumspeed, waits there for the pause time, and then moves on toanother random position. A pause time of 0 seconds impliescontinuous mobility whereas a pause time of 1,000 secondsmeans a static network. Similarly, a maximum speed of0 m/s also correlates to a static network.

4.3 Communications Model

The IEEE standard 802.11 Distributed Coordination Func-tion (DCF) [32] is used as the MAC layer for the three routing


1. A node remains unknown to another node until the time it is involvedin a predetermined number of mutual interactions.

protocols. All ROUTE REQUEST and QRY packets are broad-

cast using the unslotted Carrier Sense Multiple Access

protocol with Collision Avoidance (CSMA/CA). In CSMA/

CA, each broadcasting node waits for a vacant channel by

sensing the medium. If the channel is vacant, it makes the

transmission. In case of a collision, the colliding stations wait

using the Ethernet binary exponential back off algorithm. To

unicast packets, the node first reserves the channel by

transmitting a short Ready-to-Send (RTS) frame. The

intended recipient node, in response, sends a Clear-to-Send

(CTS) frame to the RTS sender. All nodes overhearing the

RTS or CTS frames desist from transmitting for the Network

Allocation Vector (NAV) interval. Upon receipt of the CTS,

the packet is transmitted which is acknowledged by the

recipient [33].

4.4 Attack Pattern

Malicious nodes simulate the following types of active

attacks:

1. Modification Attack. These attacks are carried out by

adding, altering, or deleting IP addresses from the

ROUTE REQUEST, QRY, ROUTE REPLY, UPD, ROUTE

ERROR, CLR, and Data packets, which pass through

the malicious nodes.2. Black Hole Attack. In this attack, the malicious node

dumps all data packets, which it is supposed toforward. However, it participates devotedly in theroute discovery process, which is initiated by other

nodes so as to remain on the path of the dataconnections.

3. Gray Hole Attack. The gray hole attack is similar tothe black hole attack, however, the malicious nodealso selectively forwards data packets at randomintervals.

4.5 Legitimate Packet Loss

In addition to malicious packet dump, data packets can alsobe lost by any node due to the following reasons:

1. MAC Layer Collisions. All three protocols do notguarantee packet delivery and, so, data packets arenot buffered for retransmission. In the event of acollision involving a data packet, the packet issimply considered lost. The responsibility of retrans-mission of the packet is left to the higher layers in theprotocol stack.

2. Saturation of Interface Queues. TORA, AODV, andDSR implement Network Interface Queues (IFQ) tobuffer packets, which are ready to be transmittedand are received by the network protocol stack.These IFQ generally limit the maximum number ofpackets that can be held in them and may alsoimplement a maximum timeout policy for packets inthe IFQ. As a result, any packet awaiting a route inthe IFQ for an extended period may simply bediscarded without any notification.

The legitimate packet drops are influenced by the mobilitypattern of the network and accordingly influence the differentperformance metrics of the network. This is confirmed by thefact that the throughput of the three protocols always remainslower than 100 percent even when no malicious nodes arepresent in the network. However, the ratio of legitimatepacket drop to deliberate drop is negligible, as will beconfirmed by the results.

4.6 Assumptions

It is possible that a node may spoof its IP or MAC address inorder to steal a data connection or to deceive the trustmodel. Such an activity, which may not be directlyperceivable to the neighboring nodes, is still detectable ifa MAC to IP address binding is maintained at each node.Each time an IP address corresponding to a MAC address ischanged, it is considered as a modification attack and, so,the spoofing node can be graded untrustworthy by itsadjacent nodes. However, for the simulation, we haveassumed that the malicious nodes do not carry out spoofingattacks and that the MAC to IP bindings remain consistent.All malicious nodes work in a noncolluding manner suchthat each malicious node sporadically alters its attackprofile by randomly switching between the three types ofattacks.

4.7 Metrics

To evaluate the performance of the protocols, we use thefollowing metrics:

1. Packet Loss. The packet loss indicates the totalnumber of data packets lost legitimately or throughmalicious action without any notification.


TABLE 1Simulation Parameters

2. Packets Forwarded. The metric represents the number

of data packets that were successfully forwarded by

the intermediary nodes.

3. Throughput. It is the ratio between the number of

data packets received by the application layer of

destination nodes to the number of packets sent by

the application layer of source nodes.

4. Routing Packet Overhead. This is the ratio between

the total number of control packets generated

(excluding HELLO and BEACON packets) to the total

number of data packets received during the

simulation time.

5. Average Latency. Gives the mean time in seconds

taken by the data packets to reach their respective

destinations.

6. Path Optimality. It is the ratio between the number of

hops in the optimal path to the number of hops in

the path taken by the data packets.

7. Probability of Detection. It is the ratio between the

number of nodes whose behavior (malicious or

benevolent) is identified correctly to the actual

number of such nodes present in the network.

4.8 Results and Discussions

The following tests were conducted to evaluate theperformance of the three protocols under varying attackand mobility conditions:

. Test 1: Comparison between Trusted and StandardProtocols.

. Test 2: Varying the number of malicious nodes.

. Test 3: Varying the node pause times.

. Test 4: Varying the node maximum speeds.

. Test 5: Varying the trust update interval.

. Test 6: Comparison between Trusted and PathratedDSR Protocol.

Each test was carried out under multiple traffic loads

with the number of connections set to 10 or 30. Accordingly,

AODV, DSR, and TORA, each with 10 sources, is

represented as AODV-10, DSR-10, and TORA-10, respec-

tively. Similarly, AODV-30, DSR-30, and TORA-30 repre-

sent each protocol with the number of sources set to 30. To

get an accurate picture, each protocol is tested against

exactly the same scenario and connection pattern. The

performance metrics are obtained through ensemble aver-

aging [34] over 100 simulations, each with a different

mobility and connection pattern.

4.9 Test 1 (Comparison between Trusted andStandard Protocols)

In Test 1, we have used the parameters as listed in Table 2.

The results of Test 1 (shown in Fig. 1) highlight the

effectiveness of the trusted AODV, DSR, and TORA routing

protocols in comparison with their standard counterparts.

The results indicate that the packet loss in the standard

protocols is up to 20 percent higher than that in the trusted

routing protocols. Nodes which execute the standard

routing protocols cannot differentiate between malevolent

and benevolent nodes and, hence, select shortest possible


TABLE 2Test 1 Specific Simulation Parameters

Fig. 1. Test 1: Simulation of trusted and standard routing protocols.

routes. These routes, if containing malevolent nodes, induce

higher packet loss in the network. However, nodes

executing the trust model, which have been successful in

detecting malicious node behavior, bypass the malevolent

nodes in the routing process, and, hence, lower the packet

loss. The total number of packets forwarded using the

standard routing protocols also remains lower than that of

the trusted protocols.Nodes executing the Trusted TORA depict the highest

forwarding rate, followed by Trusted AODV and DSR pro-

tocols, respectively. The higher forwarding rate of the

trusted protocols has a positive effect on the throughput of

the network. Trusted AODV augments the throughput of

the Standard AODV by up to 20 percent, Trusted TORA up

to 18.5 percent, and Trusted DSR up to 11.8 percent in the

presence of 40 percent malicious nodes. The higher packet

delivery rate of the trusted protocols also keeps the routing

overhead lower, which is computed per received data

packet. However, as the trusted protocols endeavor to find

the most trusted paths in the network, the selected paths

may sometimes sway considerably from the optimal paths.

This increases the length of the paths, thereby increasing the

latency of the network.

4.10 Test 2 (Varying Number of Malicious Nodes)

The parameters listed in Table 3 were used in Test 2. Fig. 2depicts the performance results for the trusted AODV, DSR,and TORA protocols in the presence of malicious nodes.The results of Test 2 indicate that, in the absence ofmalicious nodes, the legitimate packet loss is about 1percent for AODV and TORA protocols and about 3 percentfor DSR. The higher packet loss for DSR is primarily due toits specific working in which multipath selection can onlybe made at the source node. So, in case a ROUTE ERROR ispropagated, all intermediary nodes drop the packetspresent in their IFQ. However, intermediary nodes usingAODV and TORA are able to reroute data packets and areso able to minimize the packet loss. TORA makes effectiveuse of its inherent multipath feature and is hence able toforward a large number of packets at all traffic loads withminimal loss.

The throughput of all three protocols rapidly drops withthe increase in the number of malicious nodes. The rate ofthis drop is the highest for DSR-10 which degrades from96 percent with no malicious nodes to about 42 percent with40 percent malicious nodes. The throughput of AODVdrops from 97 percent to 53 percent for a similar increase inthe number of malicious nodes. The TORA-10 protocoldegrades from an 85 percent throughput to about 58 per-cent. However, the increase in the number of sources causesTORA-30 to undergo a congestive collapse [28]. This isessentially due to the positive feedback loop created inTORA/IMEP due to the increased number of MAC layercollisions. These collisions incorrectly make IMEP believethat the links to adjacent nodes are severed. In response,TORA generates more UPD packets, which closes a service-able link that is temporarily congested. This leads togeneration of further QRY packets to find alternate routesdespite the availability of working routes. This increased



Fig. 2. Test 2: Simulation with a varying number of malicious nodes.

control packet overhead essentially closes the feedback loopcausing further congestion. On the other hand, the mal-icious nodes in the network, which drop the network traffic,aid TORA in recovering from this phenomenon by reducingthe traffic load and, thereby, the number of MAC layercollisions. This indirectly improves the performance of theTORA-30 from 10 percent with no malicious nodes to about20 percent with 40 percent malicious nodes.

The routing overhead of all three protocols remainssignificantly constant with the increase in the number ofmalicious nodes. AODV, on the average, generates onecontrol packet for each received data packet, DSR generatesone for every 12 received data packets while TORA-10generates one control packet for every five received datapackets. The increased control packet overhead in AODV andTORA is primarily due to their route discovery mechanismthat requires the ROUTE REQUEST or UPD packet to bebroadcast over the network, whereas the DSR protocol makeseffective use of its inherent caching strategy to limit thisrouting overhead. The control packet overhead of TORA-30remains exponentially high when no malicious nodes arepresent and drops when the malicious nodes in the networkinadvertently support the protocol by lowering the amount oftraffic in the network.

The latency of the network remains minimal for theDSR protocol, where trust-based routing decisions areonly made once upon the initiation of the data connection.The trust-based AODV and TORA protocols on the otherhand have to make such decisions at the source as well asall intermediary nodes. This indirectly increases the delayin the packet traversal time. The latency of TORA-30remains higher due to the data packets going intoextended routing loops.

The path optimality of the network with all three pro-tocols remains uniform with the increase in the number ofmalicious nodes. The data packets, which finally do reachtheir intended destinations in the presence of maliciousnodes, have traversed the path that contains no black holebut may or may not contain a gray hole. The path optimalityof the DSR protocol remains higher due to the optimal pathselection at the source node with the intermediary nodesrigidly following the selected path, whereas nodes execut-ing the trusted AODV and TORA protocols make routingdecisions for each forwarded data packet and, so, the pathdiverts from the available shortest possible path. TORA,due to its link reversal mechanism, prefers local routefixation over discovery of alternate optimal routes in thenetwork. In doing so, TORA lowers the routing overheaddue to extraneous route discoveries, but loses upon the pathoptimality of the network.

The energy consumption of the nodes is primarilyaffected by the throughput and control packet overheadof the network. The results, not shown here, indicate thatthe energy consumption of the nodes decreases with theincrease in the number of malicious nodes. This is primarilydue to the low throughput of the network, which indirectlyreduces the number of transmissions and receptions. Nodesexecuting the trusted AODV, DSR, and TORA protocolsrequire sustained promiscuous mode receive operation forthe TUI and receive all MAC frames whether or not they are

destined for that node [35]. However, this increase in theenergy consumption affects all three protocols in a some-what similar manner. AODV and TORA protocols consumemore energy than the DSR protocol due to their effectivethroughput and higher routing overheads. The energyconsumption by the nodes is directly proportional to themobility of the network. At lower speeds, the routes in thetable or cache remain comparatively stable, minimizing thenumber of additional route discoveries. This helps to lowerthe routing overhead which in turns improves the energyconsumption.

As the test was carried out at a relatively higher speed of20 m/s, the nodes frequently had interactions with eachother. This enabled the trust levels of nodes to be evaluatedby their neighboring nodes. The probability of detectionimproves with the traffic loads and we see that most of themalicious nodes were successfully detected by one or morenodes executing the trusted protocols. The higher prob-ability of detection in AODV and TORA protocols isattributable to their specific working in which intermediarynodes make trust-based routing decisions at the forwardingstage to create reliable but longer routes. This, though,lowers the path optimality, but permits increased interac-tions with unknown nodes in the network. DSR, on theother hand, selects optimal paths only at the source node.The source node may continue to do so till the time itencounters direct interactions with an intermediary mal-icious node present on the path to the destination. Similarly,during the simulation, there were few nodes whose trustlevel was not evaluated till the end of the simulation period.These nodes were not involved in any of the dataconnections and, hence, their behavior was not evaluatedby other nodes in the network.

4.11 Test 3 (Varying Node Pause Times)

In Test 3, we have used the parameters as listed in Table 4.

The results of Test 3 (shown in Fig. 3) indicate that the

throughput of all protocols degrades with the increase in

pause time. Higher pause times essentially limit the number

of interactions with other network nodes. This in turn

reduces the detection probability, permitting selection of

malicious nodes for routing purposes. The malicious nodes

are thus able to increase the packet loss, thereby reducing

the throughput of the network. The maximum throughput

of the protocols is achieved at 0 pause time (incessant

mobility) with 40 percent malicious nodes in the network.

AODV and DSR maintain an unvarying throughput under

different pause times with dissimilar traffic loads. The

TORA-10 protocol has the highest throughput under



varying pause times; however, TORA-30 portrays degraded

performance at lower pause times due to the creation of

positive feedback loops.At higher pause times, the frequency of link creation and

breakage reduces significantly. This ensure that the datapackets make it to their destinations without being queuedfor a long time at the source or intermediary2 nodes,awaiting route discoveries. Thus, the routing packet over-head for all three protocols shows a gradual downwardtrend with increasing pause times. At lower pause times,TORA-10 limits its routes discoveries to the local region[36], which in turn limits the overall routing packetoverhead. AODV and DSR also generate less overheadwith increasing pause times due to the stabilization oftopology, which makes the routes to last longer. Thispermits nodes to send or forward data packets withoutinitiating new route discoveries. Thus, the data packets canbe directly transmitted on previously known routes withoutany noticeable delay. This helps to lower the overall latencyof the network. All three trusted routing protocols aim toincrease the aggregate trust level and decrease the numberof hops of the path between the source and destination. So,when the nodes pause for large intervals, the least costpaths are selected which are comparable with the shortestpossible paths. Thus, we observe an improvement in thepath optimality with the increase in node pause times.

The probability of detection of all three protocolsincreases at lower pause times primarily due to theincreased number of interactions. TORA depicts the highestdetection probability even when the network is virtuallystatic. This is due to the fact that TORA retains multiplepaths to a single destination and is thus able to evaluate the

trust of different neighboring nodes more effectively.AODV also works in a similar manner but has limitedavailable paths to a destination due to certain optimizationsthat avoid routing loops. DSR has the least detectioncapability due to the limited perspective of the sourcenodes. Each source node, using DSR, selects the mosttrusted nodes in the path based upon the available currentinformation. Generally, this information is restricted to onlya few nodes in the neighborhood. So, when it creates asource route, the route may contain one or more maliciousnodes. As the immediate nodes cannot make the routingdecisions, so the data connections continue to traverse onthe fixed set of nodes, which were initially selected by thesource node. This essentially limits the number of nodesthat interact with each other, thus lowering the probabilityof detection. The lower detection probability also suggestsselection of optimal paths in terms of number of hops (fallback to original DSR).

4.12 Test 4 (Varying Node Maximum Speed)

The parameters listed in Table 5 were used in Test 4. Theresults of Test 4 (shown in Fig. 4) indicate that thethroughput of all three protocols improves with the increasein node speeds. This improvement can be attributed to theimproved probability of detection of node behavior due tothe higher number of internode interactions. TORA-10


Fig. 3. Test 3: Simulation with varying node pause times.

2. AODV supports local link repairing at the intermediate nodes. Anyreceived data packet with a broken next hop is buffered for a certaininterval in the IFQ so as to facilitate the discovery of an alternate suitablelink leading to the same destination.


makes use of its inherent multipath feature, which supportsmultiple link-disjoint paths to every known destination. InTORA, the established destination-oriented DAGs can besevered due to a link failure. However, TORA doesn’t reactto such scenarios till the time it has at least one outgoinglink pointing to the same destination. So, each data packetbeing forwarded by the intermediary nodes is supported bythis multipath feature, which elevates the probability ofsuccessful delivery to a trusted node under varyingnetwork speeds. In contrast, nodes executing AODV onlymaintain limited routes to a destination and are thus unableto aid in packet delivery in case of the unavailability of atrusted next hop link leading to a destination. DSR also hasno option for an enroute fixation for ongoing dataconnections; however, single data packets may be sal-vaged.3 The LINK CACHE scheme of the DSR permits pathcreation between any two nodes in the cache based uponthe available link connectivity information. This informa-tion is used by the source nodes to limit the number of routediscoveries in search of previously known nodes.

The routing packet overhead for AODV and TORAincreases with the network speed. At higher speeds, thelinks are frequently disconnected and thus the nodesinitiate additional route discoveries to sustain ongoing dataconnections. However, the routing overhead of TORA-10remains comparatively lower than that of AODV due to itsmultipath feature. On the other hand, DSR makes use of itscaching strategy to lower the routing packet overhead withthe increase in node speeds.

The path optimality of AODV and TORA protocolsdegrades with the increase in speed. This is observed due to

the fact that routing decisions are made by intermediatenodes based upon trust levels and, so, the actual path maysway notably from the best available path. These longerroutes also increase the latency of the network with theincrease in node speeds. In contrast, source nodes executingthe DSR protocol make the routing decisions before the startof a data connection and thus the data packets make it to thedestination without any deviation from the originallyfabricated optimal path. This ensures that the latency ofthe network is not substantially raised with the increase inthe network speed.

The probability of detection of all three protocolsimproves with the increase in node speeds. This iscontributable to the increased number of interactionsbetween unfamiliar nodes leading to better trust evaluation.At high speeds, AODV and TORA depict better detectionprobability than DSR primarily due to their dissimilarmodus operandi. Intermediate nodes executing AODV orTORA, redirect the traffic in real time as per the con-temporary trust levels of adjacent nodes. However, DSRsupports no such intermediary redirection facility and,hence, the number of nodes whose behavior can beevaluated is limited to the actual number of nodes presenton a particular data connection.


3. In DSR, if an intermediate node receives a packet for which the nexthop is not available, it may scan its route cache to find an alternate route tothe final recipient. If it can locally find such a route, it salvages the packet toform a new source header and sends the packet across. It also informs theoriginal sender of the packet about the failed link through a ROUTE ERROR

packet such as to minimize subsequent salvage operations.

Fig. 4. Test 4: Simulation with varying node maximum speeds.


4.13 Test 5 : Simulation with varying Trust UpdateInterval

In Test 5, we have used the parameters as listed in Table 6.The results of Test 5 (shown in Fig. 5), indicate that theaverage packet loss slightly increases with the increase inTrust Update Interval (TUI). It has also been observed thatminimal packet loss, minimal packet overhead, and max-imum throughput are achieved when the TUI approacheszero. At lower TUI values, congestion and efficiency ofnodes is also evaluated along with malicious and legitimatepacket drops. Thus, we can see an improvement inthroughput at reduced TUI. However, at lower TUI, asluggish or committed benevolent node may be wronglyconsidered malicious due to its inability to forward packetsduring the TUI (observable in the probability of detection ofTORA-30). The average latency reduces as the pathoptimality improves with the increase in TUI. The increasein the TUI gradually reduces the probability of detectionbecause, by increasing the interval, an adjacent node isgiven a larger window to forward the packet. However,depending on the mobility and movement pattern, itgenerates a number of false positives when nodes go outof range of each other within that window interval. Thesefalse positives lead to a lower probability of detection ofmalicious behavior with increasing TUI. This occurrencecauses usage of malicious nodes in the routing of the data.Thus, the packets which make it to their final destinationstraverse shorter paths and have lower latency.

4.14 Test 6: Comparison of Trusted and PathratedDSR Protocol

The parameters listed in Table 7 were used in Test 6. In thistest, we compare the performance of the Trusted DSRprotocol with that of the Watchdog/Pathrated DSR [11]. Asthe watchdog can only detect malicious packet drop usingthe DSR protocol, so we only evaluate DSR in Test 6 and

restrict to black and gray hole attacks. The Pathrated DSR

initially assigns a low trust value to each encountered

malicious node. This, although advantageous in avoiding

malicious nodes, causes certain problems when dealing

with gray holes, as discussed in Section 3.2.3. The Pathrater

scheme also assigns an extremely low trust value (-100) to adetected malicious node, which cuts off the malicious node

from the network. This essentially segregates nodes into

two possible states, i.e., either benevolent or malevolent.

With our proposed trust model, there is no cut-off state and,

so, trust values transpire in an incessant range. Thus, all

nodes, either benevolent or malevolent, are involved in the

routing process based upon their contemporary trust levels.

This in effect facilitates engagement of nodes portrayed as

gray holes or partial forwarders into the routing process in

case alternate trusted nodes are not available. This also

prevents benevolent nodes, undergoing legitimate packet

loss, from being graded as malicious and, consequently,

being isolated from the network. These nodes are simply

bypassed in the routing process until the time other trusted

nodes are available in the network.The results (shown in Fig. 6) highlight the effectiveness

of the Trusted DSR in comparison to the Pathrated DSR.


Fig. 5. Test 5: Simulation with varying trust update intervals.


Both protocols are successfully able to detect gray holes.However, the Pathrated DSR immediately absolves suchnodes from the routing process and, in the worst case, whenno alternate route is available, the packet is dropped at thesource. This essentially increases the packet loss and lowersthe throughput of the network. On the other hand, theTrusted DSR endeavors to sustain a best-effort delivery and,in case no alternate routes are available, selects the grayholes for the routing process. Thus, we see an improvementof up to 8 percent in the throughput of the network. Due tothe improved trust computation and its subsequentapplication, the Trusted DSR makes effective routingdecisions by circumventing malicious nodes, therebyelongating optimal possible paths and increasing thelatency of the network. The routing overhead of the TrustedDSR, however, remains consistent with that of the PathratedDSR due to no extraneous route discoveries.

5 ANALYSIS

The simulation results indicate that the trusted TORAprotocol performs exceptionally well in the presence ofmalicious nodes under low traffic and diverse mobilityconditions. However, due to the inherent feedback loopproblem of the TORA protocol, it fails to sustain the sameperformance at higher traffic loads. The multipath featureof the TORA protocol permits intermediary nodes to makelocalized routing decisions based upon trust levels. Thesedecisions help to improve the overall throughput of thenetwork by avoiding malicious nodes. TORA has relativelyhigher packet overhead due to its IMEP reliable deliverymechanism and thus induces higher energy consumptionfor both benevolent and malicious nodes. The pathoptimality of TORA remains significantly constant evenwith an increased number of malicious nodes due to itslocalized route fixation mechanism. However, the pathoptimality is lower than the other two protocols as TORAendeavors to fix routes locally rather than finding theoptimal path to a destination. This feature, though it lowersthe packet overhead, increases the latency due to sub-optimal paths. The behavior detection probability of TORAimproves with the increase in node speeds at lower pausetimes.

Nodes executing the trusted DSR protocol consume theleast energy due to the minimal routing overhead generatedby the protocol. The DSR protocol makes maximum use ofits caching scheme to limit the number of search requestsfor known nodes. This scheme helps to minimize the

latency of the network under varying speeds and nodepause times. However, the overall throughput of the DSRprotocol in the presence of malicious nodes remains lowerthan that of the TORA and AODV protocols under varyingmobility conditions. This is attributed to the fact that amalicious node, present on a link in the LINK CACHE

scheme of the DSR protocol, will be used till the time itstrust is evaluated by the source node. Thus, a source nodewill keep on sending packets on the path containing amalicious node until the time the path between the sourceand destination is severed. Only upon the breakage of thepath can an alternate route can be found to the samedestination either from the cache or through a new routediscovery, whereas in TORA and AODV, the point-to-pointrouting process inadvertently helps to avoid maliciousnodes in the data connections. The behavior detectionprobability of DSR remains the least of the three protocols,primarily due to its source driven working principle.

AODV exhibits consistent throughput under differenttraffic loads with varying number of malicious nodes. Thethroughput improves with the decrease in node pause timesand with the increase in mobility. The routing packetoverhead of AODV increases with the node speeds. AODVand TORA functionally operate in a similar manner wherethe intermediary nodes pass the data packets to the nexttrusted hop on the path to the destination. However, AODVdoes not suffer from routing loops at higher traffic loads asTORA and is thus able to maintain a stable throughput.AODV at lower traffic loads depicts improved latency andpath optimality over TORA due to its unabridged routefixation till the destination rather than localized routerecovery. However, in doing so, it generates more overheadas compared to that of TORA. The behavior detectionprobability of AODV improves with the increase in nodespeeds at lower pause times.

A smaller TUI value helps to evaluate trust accurately innetworks with high mobility, i.e., high rate of link creationand breakages. The results indicate that a network having amaximum speed of 20 m/s has an optimal TUI value closeto 5 seconds. When the TUI is kept extremely small, thepossibility exists that a number of committed benevolentnodes may be incorrectly graded as being inefficient.Similarly, a large TUI value may lead to false detectionwhen nodes go out of range of each other within theTUI. Packet overhead generally remains constant withdifferent TUI values, ensuring even energy consumption.The probability of detection of malicious or benevolent


Fig. 6. Test 6: Simulation of trusted and pathrated DSR protocol

behavior remains higher at lower TUI values and graduallydecreases with the increase in TUI.

6 CONCLUSION

Ad hoc networks are formed with the help of a largenumber of wireless nodes, generally with limited energy,computation, and transmission powers. The prime advan-tage of such networks is their capability to operate withoutany fixed or virtual infrastructure. Each node helps everyother node in the network by forwarding their packets inreturn of a similar favor from them. All is well if such analtruistic attitude is upheld by all participating nodes.However, as these nodes often operate in a physicallyinsecure environment, they are vulnerable to capture andcompromise. In addition, the communication mediumbeing wireless restricts enforcement of rigorous nodememberships and, so, a number of malicious nodes alsoparticipate in the network. These nodes, in order to snoopor sabotage, can carry out a variety of attacks against thenetwork. To counter such nodes in an ad hoc network,cryptographic or trust-based schemes are generally used.Cryptographic schemes, although considerably secure,impose a number of prerequisites upon the networkestablishment and operation phase. This in turn impedestheir application to pure ad hoc networks, which areestablished in a spontaneous and impromptu manner. Incontrast, trust-based schemes are devoid of such require-ments and, hence, permit rapid on-the-fly deployment. Inthis paper, we have examined the performance of threesuch trust-based reactive routing protocols in an attackednetwork. We simulated up to 40 percent malicious nodes inthe network and monitored the routing protocols undervarying traffic conditions. The results from the simulationsindicate that the performance of these protocols variessignificantly under similar attack conditions. TORA, atlower traffic loads, performs better than the other twoprotocols in the presence of malicious nodes. AODVperforms second best, but surpasses TORA at higher trafficloads. DSR, though, provides lower throughput as com-pared to either TORA or AODV, generates the least routingoverhead, has the lowest latency, and consumes minimalenergy.

ACKNOWLEDGMENTS

This work was supported by the Australian InternationalPostgraduate Research Scholarship and the University ofWestern Australia Postgraduate Award. The authors wouldlike to thank Mahesh K. Marina (Stony Brook University,New York) and Diana Senn (ETH Information SecurityGroup, Zurich, Switzerland) for contributing NS-2 code insupport of the simulations.

REFERENCES

[1] E.M. Royer and C.K. Toh, “A Review of Current Routing Protocolsfor Ad Hoc Mobile Wireless Networks,” IEEE Personal Comm.Magazine, vol. 6, no. 2, pp. 46-55, 1999.

[2] S. Corson and J. Macker, “Mobile Ad Hoc Networking (MANET):Routing Protocol Performance Issues and Evaluation Considera-tions,” IETF MANET, RFC 2501, 1999.

[3] Y.C. Hu, A. Perrig, and D.B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” Proc. EighthAnn. Int’l Conf. Mobile Computing and Networking (MobiCom),pp. 12-23, 2002.

[4] B. Dahill, B.N. Levine, E. Royer, and C. Shields, “A Secure RoutingProtocol for Ad Hoc Networks,” Proc. Int’l Conf. Network Protocols(ICNP), pp. 78-87, 2002.

[5] A.A. Pirzada and C. McDonald, “Secure Routing Protocols forMobile Ad Hoc Wireless Networks,” Advanced Wired and WirelessNetworks, 2004.

[6] A.A. Pirzada and C. McDonald, “Establishing Trust in PureAd Hoc Networks,” Proc. 27th Australasian Computer Science Conf.(ACSC), vol. 26, pp. 47-54, 2004.

[7] A.A. Pirzada and C. McDonald, “Kerberos Assisted Authentica-tion in Mobile Ad Hoc Networks,” Proc. 27th AustralasianComputer Science Conf. (ACSC), vol. 26, pp. 41-46, 2004.

[8] D. Denning, “A New Paradigm for Trusted Systems,” Proc. ACMNew Security Paradigms Workshop, pp. 36-41, 1993.

[9] A.A. Pirzada, A. Datta, and C. McDonald, “Propagating Trust inAd Hoc Networks for Reliable Routing,” Proc. Int’l WorkshopWireless Ad Hoc Networks (IWWAN), 2004.

[10] A.A. Pirzada, A. Datta, and C. McDonald, “Trust Based Routingfor Ad Hoc Wireless Networks,” Proc. IEEE Int’l Conf. Networks(ICON ’04), pp. 326-330 2004.

[11] S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating RoutingMisbehavior in Mobile Ad Hoc Networks,” Proc. Sixth Ann. Int’lConf. Mobile Computing and Networking (MobiCom), pp. 255-265,2000.

[12] D.B. Johnson, D.A. Maltz, and Y. Hu, “The Dynamic SourceRouting Protocol for Mobile Ad Hoc Networks (DSR),” IETFMANET, Internet Draft, 2003.

[13] S. Buchegger and J. Boudec, “Performance Analysis of theCONFIDANT Protocol: Cooperation of Nodes—Fairness in Dis-tributed Ad Hoc NeTworks,” Proc. IEEE/ACM Workshop MobileAd Hoc Networking and Computing (MobiHOC), pp. 226-236, 2002.

[14] F. Stajano and R. Anderson, “The Resurrecting Duckling: SecurityIssues for Ad Hoc Wireless Networks,” Proc. Seventh Int’lWorkshop Security Protocols, pp. 172-194, 1999.

[15] S. Garfinkel, PGP: Pretty Good Privacy. O’Reilly and Assoc., 1995.[16] P. Michiardi and R. Molva, “CORE: A Collaborative Reputation

Mechanism to Enforce Node Cooperation in Mobile Ad HocNetworks,” Proc. IFIP TC6/TC11 Sixth Joint Working Conf. Comm.and Multimedia Security, pp. 107-121, 2002.

[17] L. Buttyan and J. Hubaux, “Enforcing Service Availability inMobile Ad Hoc WANs,” Proc. IEEE/ACM Workshop Mobile Ad HocNetworking and Computing (MobiHOC), pp. 87-96, 2000.

[18] L. Buttyan and J. Hubaux, “Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks,” Proc. ACM/Kluwer MobileNetworks and Applications (MONET), vol. 8, pp. 579-592, 2003.

[19] C. Perkins, E. Belding-Royer, and S. Das, “Ad Hoc On-DemandDistance Vector (AODV) Routing,” IETF RFC 3591, 2003.

[20] S.J. Lee and M. Gerla, “AODV-BR: Backup Routing in Ad HocNetworks,” Proc. IEEE Wireless Comm. and Networking Conf.(WCNC), pp. 1311-1316, 2000.

[21] M.K. Marina and S.R. Das, “On-Demand Multi Path DistanceVector Routing in Ad Hoc Networks,” Proc. Ninth Int’l Conf.Network Protocols (ICNP), pp. 14-23, 2001.

[22] A. Nasipuri and S. Das, “On-Demand Multipath Routing forMobile Ad Hoc Networks,” Proc. Eight Int’l Conf. Computer Comm.and Networks, pp. 64-70, 1999.

[23] Y.C. Hu and D.B. Johnson, “Caching Strategies in On-DemandRouting Protocols for Wireless Ad Hoc Networks,” Proc. SixthAnn. Int’l Conf. Mobile Computing and Networking (MobiCom),pp. 231-242, 2000.

[24] V. Park and S. Corson, “Temporally Ordered Routing Algorithm(TORA) Version 1 Functional Specification,” IETF MANET,Internet Draft, 2001.

[25] E. Gafni and D. Bertsekas, “Distributed Algorithms for GeneratingLoop-Free Routes in Networks with Frequently ChangingTopology,” IEEE Trans. Comm., vol. 29, no. 1, pp. 11-18, 1981.

[26] M.S. Corson and A. Ephremides, “Lightweight Mobile RoutingProtocol (LMR), A Distributed Routing Algorithm for MobileWireless Networks,” Wireless Networks, 1995.

[27] S. Corson, S. Papademetriou, P. Papadopoulos, V. Park, and A.Qayyum, “Internet MANET Encapsulation Protocol (IMEP) speci-fication,” IETF MANET, Internet Draft, 1999.


[28] J. Broch, D.A. Maltz, D.B. Johnson, Y.C. Hu, and J. Jetcheva, “APerformance Comparison of Multi-Hop Wireless Ad Hoc Net-work Routing Protocols,” Proc. Fourth Ann. Int’l Conf. MobileComputing and Networking (MobiCom), pp. 85-97, 1998.

[29] A.A. Pirzada and C. McDonald, “Reliable Routing in Ad HocNetworks Using Direct Trust Mechanisms,” Advances in Ad Hocand Sensor Networks, Springer, 2006.

[30] E.W. Dijkstra, “A Note on Two Problems in Connection withGraphs,” Numerische Mathematik, pp. 83-89, 1959.

[31] NS “The Network Simulator,” http://www.isi.edu/nsnam/ns/,1989.

[32] IEEE-Standard, “Wireless LAN Medium Access Control (MAC)and Physical Layer (PHY) Specifications 802.11,” 1997.

[33] A.S. Tanenbaum, Computer Networks, fourth ed. Prentice Hall,2002.

[34] W.H. Yuen and R.D. Yates, “Inter-Relationships of PerformanceMetrics and System Parameters in Mobile Ad Hoc Networks,”Proc. IEEE Military Comm. Conf. (MILCOM), vol. 1, pp. 519-524,2002.

[35] L. Feeney, “An Energy Consumption Model for PerformanceAnalysis of Routing Protocols for Mobile Ad Hoc Networks,”Mobile Networks and Applications, vol. 6, no. 3, pp. 239-249, 2001.

[36] Y.-B. Ko and N. Vaidya, “GeoTORA: A Protocol for Geocasting inMobile Ad Hoc Networks,” Proc. Int’l Conf. Network Protocols(ICNP), pp. 240-250, 2000.

Asad Amir Pirzada received the BE degree inavionics from NED University Pakistan, theMSc degree in computer science from PrestonUniversity, and the MS degree in informationsecurity from the National University of Sciencesand Technology, Pakistan. He is presentlyworking on the PhD degree on trust and securityissues in ad hoc wireless networks at theUniversity of Western Australia.

Chris McDonald received the BSc (Hons) andPhD degrees in computer science from theUniversity of Western Australia. He currentlyholds the appointments of senior lecturer in theSchool of Computer Science and SoftwareEngineering at the Univeristy of Western Aus-tralia and adjunct professor in the Department ofComputer Science at Dartmouth College, NewHampshire.

Amitava Datta received the MTech and PhDdegrees in computer science from the IndianInstitute of Technology, Madras. He did hispostdoctoral research at the Max Planck Insti-tute for Computer Science, University of Frei-burg, and University of Hagen, all in Germany.He joined the University of New England,Australia, in 1995 and, subsequently, the Schoolof Computer Science and Software Engineering

at the University of Western Australia in 1998, where he is currently anassociate professor. He is a member of the IEEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


ieee transactions on mobile computing, vol. 5, no. 6,...

Documents