1. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 1
Design and Implementation of TARF: A
Trust-Aware Routing Framework for WSNs
Guoxing Zhan, Weisong Shi, Senior Member, IEEE, and Julia Deng
Abstract—The multi-hop routing in wireless sensor networks (WSNs) offers little protection against identity deception through replaying
routing information. An adversary can exploit this defect to launch various harmful or even devastating attacks against the routing
protocols, including sinkhole attacks, wormhole attacks and Sybil attacks. The situation is further aggravated by mobile and harsh
network conditions. Traditional cryptographic techniques or efforts at developing trust-aware routing protocols do not effectively address
this severe problem. To secure the WSNs against adversaries misdirecting the multi-hop routing, we have designed and implemented
TARF, a robust trust-aware routing framework for dynamic WSNs. Without tight time synchronization or known geographic information,
TARF provides trustworthy and energy-efficient route. Most importantly, TARF proves effective against those harmful attacks developed
out of identity deception; the resilience of TARF is verified through extensive evaluation with both simulation and empirical experiments
on large-scale WSNs under various scenarios including mobile and RF-shielding network conditions. Further, we have implemented a
low-overhead TARF module in TinyOS; as demonstrated, this implementation can be incorporated into existing routing protocols with
the least effort. Based on TARF, we also demonstrated a proof-of-concept mobile target detection application that functions well against
an anti-detection mechanism.
3
1 I NTRODUCTION network traffic. Those routing packets, including their
original headers, are replayed without any modification.
Wireless sensor networks (WSNs) [2] are ideal can-
Even if this malicious node cannot directly overhear the
didates for applications to report detected events of
valid node’s wireless transmission, it can collude with
interest, such as military surveillance and forest fire
other malicious nodes to receive those routing packets
monitoring. A WSN comprises battery-powered senor
and replay them somewhere far away from the original
nodes with extremely limited processing capabilities.
valid node, which is known as a wormhole attack [5].
With a narrow radio communication range, a sensor
Since a node in a WSN usually relies solely on the
node wirelessly sends messages to a base station via
packets received to know about the sender’s identity,
a multi-hop path. However, the multi-hop routing of
replaying routing packets allows the malicious node to
WSNs often becomes the target of malicious attacks.
forge the identity of this valid node. After “stealing” that
An attacker may tamper nodes physically, create traffic
valid identity, this malicious node is able to misdirect
collision with seemingly valid transmission, drop or
the network traffic. For instance, it may drop packets
misdirect messages in routes, or jam the communication
received, forward packets to another node not supposed
channel by creating radio interference [3]. This paper
to be in the routing path, or even form a transmission
focuses on the kind of attacks in which adversaries
loop through which packets are passed among a few
misdirect network traffic by identity deception through
malicious nodes infinitely. It is often difficult to know
replaying routing information. Based on identity decep-
whether a node forwards received packets correctly even
tion, the adversary is capable of launching harmful and
with overhearing techniques [4]. Sinkhole attacks are an-
hard-to-detect attacks against routing, such as selective
other kind of attacks that can be launched after stealing
forwarding, wormhole attacks, sinkhole attacks and Sybil
a valid identity. In a sinkhole attack, a malicious node
attacks [4].
may claim itself to be a base station through replaying
As a harmful and easy-to-implement type of attack, a
all the packets from a real base station [6]. Such a fake
malicious node simply replays all the outgoing routing
base station could lure more than half the traffic, creating
packets from a valid node to forge the latter node’s iden-
a “black hole”. This same technique can be employed to
tity; the malicious node then uses this forged identity to
conduct another strong form of attack - Sybil attack [7]:
participate in the network routing, thus disrupting the
through replaying the routing information of multiple
legitimate nodes, an attacker may present multiple iden-
• G. Zhan and W. Shi are with the Department of Computer Science, Wayne
State University, Detroit, MI, 48202.
tities to the network. A valid node, if compromised, can
E-mail: gxzhan@wayne.edu, weisong@wayne.edu. also launch all these attacks.
• J. Deng is with Intelligent Automation Inc., Rockville, MD 20855. The harm of such malicious attacks based on the
Email: hdeng@i-a-i.com.
technique of replaying routing information is further
This work is in part supported by AFRL contract FA8650-10-C-1740 and aggravated by the introduction of mobility into WSNs
NSF Career Award CCF-0643521. We also would like to thank the program
manager Mr. John Woods for his great support as well as the anonymous and the hostile network condition. Though mobility is
reviewers for their constructive comments and suggestions. introduced into WSNs for efficient data collection and

2. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 2
various applications [8], [9], [10], [11], it greatly increases TARF can be developed into a complete and indepen-
the chance of interaction between the honest nodes dent routing protocol, the purpose is to allow existing
and the attackers. Additionally, a poor network connec- routing protocols to incorporate our implementation of
tion causes much difficulty in distinguishing between TARF with the least effort and thus producing a secure
an attacker and a honest node with transient failure. and efficient fully-functional protocol. Unlike other se-
Without proper protection, WSNs with existing routing curity measures, TARF requires neither tight time syn-
protocols can be completely devastated under certain cir- chronization nor known geographic information. Most
cumstances. In an emergent sensing application through importantly, TARF proves resilient under various attacks
WSNs, saving the network from being devastated be- exploiting the replay of routing information, which is
comes crucial to the success of the application. not achieved by previous security protocols. Even under
Unfortunately, most existing routing protocols for strong attacks such as sinkhole attacks, wormhole attacks
WSNs either assume the honesty of nodes and focus as well as Sybil attacks, and hostile mobile network
on energy efficiency [12], or attempt to exclude unau- condition, TARF demonstrates steady improvement in
thorized participation by encrypting data and authen- network performance. The effectiveness of TARF is ver-
ticating packets. Examples of these encryption and au- ified through extensive evaluation with simulation and
thentication schemes for WSNs include TinySec [13], empirical experiments on large-scale WSNs. Finally, we
Spins [14], TinyPK [15], and TinyECC [16]. Admittedly, it have implemented a ready-to-use TARF module with
is important to consider efficient energy use for battery- low overhead, which as demonstrated can be integrated
powered sensor nodes and the robustness of routing into existing routing protocols with ease; the demon-
under topological changes as well as common faults stration of a proof-of-concept mobile target detection
in a wild environment. However, it is also critical to program indicates the potential of TARF in WSN appli-
incorporate security as one of the most important goals; cations.
meanwhile, even with perfect encryption and authen- We start by stating the design considerations of TARF
tication, by replaying routing information, a malicious in Section 2. Then we elaborate the design of TARF
node can still participate in the network using another in Section 3, including the routing procedure as well
valid node’s identity. The gossiping-based routing proto- as the EnergyWatcher and TrustManager components. In
cols offer certain protection against attackers by selecting Section 4, we present the simulation results of TARF
random neighbors to forward packets [17], but at a against various attacks through replaying routing in-
price of considerable overhead in propagation time and formation in static, mobile and RF-shielding conditions.
energy use. Section 5 further presents the implementation of TARF,
In addition to the cryptographic methods, trust and empirical evaluation at a large sensor network and a
reputation management has been employed in generic resilient proof-of-concept mobile target detection appli-
ad hoc networks and WSNs to secure routing protocols. cation based on TARF. Finally, we discuss the related
Basically, a system of trust and reputation management work in Section 6 and conclude this paper in Section 7.
assigns each node a trust value according to its past
performance in routing. Then such trust values are used
to help decide a secure and efficient route. However, 2 D ESIGN C ONSIDERATIONS
the proposed trust and reputation management systems Before elaborating the detailed design of TARF, we
for generic ad hoc networks target only relatively pow- would like to clarify a few design considerations first,
erful hardware platforms such as laptops and smart- including certain assumptions in Section 2.1 and the
phones [18], [19], [20], [21]. Those systems can not be goals in Section 2.3.
applied to WSNs due to the excessive overhead for
resource-constrained sensor nodes powered by batteries.
As far as WSNs are concerned, secure routing solutions 2.1 Assumptions
based on trust and reputation management rarely ad- We target secure routing for data collection tasks, which
dress the identity deception through replaying routing are one of the most fundamental functions of WSNs. In
information [22], [23]. The countermeasures proposed so a data collection task, a sensor node sends its sampled
far strongly depends on either tight time synchronization data to a remote base station with the aid of other inter-
or known geographic information while their effective- mediate nodes, as shown in Figure 1. Though there could
ness against attacks exploiting the replay of routing be more than one base station, our routing approach is
information has not been examined yet [4]. not affected by the number of base stations; to simplify
At this point, to protect WSNs from the harmful our discussion, we assume that there is only one base
attacks exploiting the replay of routing information, we station. An adversary may forge the identity of any legal
have designed and implemented a robust trust-aware node through replaying that node’s outgoing routing
routing framework, TARF, to secure routing solutions in packets and spoofing the acknowledgement packets,
wireless sensor networks. Based on the unique character- even remotely through a wormhole.
istics of resource-constrained WSNs, the design of TARF Additionally, to merely simplify the introduction of
centers on trustworthiness and energy efficiency. Though TARF, we assume no data aggregation is involved.

3. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 3
Node
Base station
the base station broadcast packets which are asymmet-
rically authenticated. The asymmetric authentication of
those broadcast packets from the base station is crucial to
any successful secure routing protocol. It can be achieved
through existing asymmetrically authenticated broadcast
schemes that may require loose time synchronization. As
an example, µTESLA [14] achieves asymmetric authen-
ticated broadcast through a symmetric cryptographic
algorithm and a loose delay schedule to disclose the
keys from a key chain. Other examples of asymmetric
Fig. 1. Multi-hop routing for data collection of a WSN.
authenticated broadcast schemes requiring either loose
or no time synchronization are found in [25], [26].
Nonetheless, our approach can still be applied to cluster- Considering the great computation cost incurred by a
based WSNs with static clusters, where data are aggre- strong asymmetric authentication scheme and the diffi-
gated by clusters before being relayed [24]. Cluster-based culty in key management, a regular packet other than a
WSNs allows for the great savings of energy and band- base station broadcast packet may only be moderately
width through aggregating data from children nodes and authenticated through existing symmetric schemes with
performing routing and transmission for children nodes. a limited set of keys, such as the message authentication
In a cluster-based WSN, the cluster headers themselves code provided by TinySec [13]. It is possible that an
form a sub-network; after certain data reach a cluster adversary physically captures a non-base legal node and
header, the aggregated data will be routed to a base reveals its key for the symmetric authentication [27].
station only through such a sub-network consisting of With that key, the adversary can forge the identity of
the cluster headers. Our framework can then be applied that non-base legal node and joins the network “legally”.
to this sub-network to achieve secure routing for cluster- However, when the adversary uses its fake identity to
based WSNs. TARF may run on cluster headers only falsely attract a great amount of traffic, after receiving
and the cluster headers communicate with their children broadcast packets about delivery information, other le-
nodes directly since a static cluster has known relation- gal nodes that directly or indirectly forwards packets
ship between a cluster header and its children nodes, through it will start to select a more trustworthy path
though any link-level security features may be further through TrustManager (Section 3.4).
employed.
Finally, we assume a data packet has at least the 2.3 Goals
following fields: the sender id, the sender sequence
number, the next-hop node id (the receiver in this one- TARF mainly guards a WSN against the attacks mis-
hop transmission), the source id (the node that initiates directing the multi-hop routing, especially those based
the data), and the source’s sequence number. We insist on identity theft through replaying the routing informa-
that the source node’s information should be included tion. This paper does not address the denial-of-service
for the following reasons because that allows the base (DoS) [3] attacks, where an attacker intends to damage
station to track whether a data packet is delivered. It the network by exhausting its resource. For instance, we
would cause too much overhead to transmit all the one- do not address the DoS attack of congesting the network
hop information to the base station. Also, we assume the by replaying numerous packets or physically jamming
routing packet is sequenced. the network. TARF aims to achieve the following desir-
able properties:
High Throughput Throughput is defined as the ratio of
2.2 Authentication Requirements the number of all data packets delivered to the base
Though a specific application may determine whether station to the number of all sampled data packets. In
data encryption is needed, TARF requires that the pack- our evaluation, throughput at a moment is computed
ets are properly authenticated, especially the broadcast over the period from the beginning time (0) until that
packets from the base station. The broadcast from the particular moment. Note that single-hop re-transmission
base station is asymmetrically authenticated so as to may happen, and that duplicate packets are considered
guarantee that an adversary is not able to manipulate or as one packet as far as throughput is concerned. Through-
forge a broadcast message from the base station at will. put reflects how efficiently the network is collecting and
Importantly, with authenticated broadcast, even with delivering data. Here we regard high throughput as one
the existence of attackers, TARF may use TrustManager of our most important goals.
(Section 3.4) and the received broadcast packets about Energy Efficiency Data transmission accounts for a ma-
delivery information (Section 3.2.1) to choose trustwor- jor portion of the energy consumption. We evaluate en-
thy path by circumventing compromised nodes. Without ergy efficiency by the average energy cost to successfully
being able to physically capturing the base station, it is deliver a unit-sized data packet from a source node to the
generally very difficult for the adversary to manipulate base station. Note that link-level re-transmission should

4. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 4
be given enough attention when considering energy cost necessary to delete some neighbors’ entries to keep the
since each re-transmission causes a noticeable increase in table size acceptable. The technique of maintaining a
energy consumption. If every node in a WSN consumes neighborhood table of a moderate size is demonstrated
approximately the same energy to transmit a unit-sized by Woo, Tong and Culler [28]; TARF may employ the
data packet, we can use another metric hop-per-delivery same technique.
to evaluate energy efficiency. Under that assumption, the In TARF, in addition to data packet transmission, there
energy consumption depends on the number of hops, are two types of routing information that need to be ex-
i.e. the number of one-hop transmissions occurring. To changed: broadcast messages from the base station about
evaluate how efficiently energy is used, we can measure data delivery and energy cost report messages from
the average hops that each delivery of a data packet each node. Neither message needs acknowledgement. A
takes, abbreviated as hop-per-delivery. broadcast message from the base station is flooded to the
Scalability & Adaptability TARF should work well with whole network. The freshness of a broadcast message
WSNs of large magnitude under highly dynamic con- is checked through its field of source sequence number.
texts. We will evaluate the scalability and adaptability of The other type of exchanged routing information is the
TARF through experiments with large-scale WSNs and energy cost report message from each node, which is
under mobile and hash network conditions. broadcast to only its neighbors once. Any node receiving
Here we do not include other aspects such as latency, such an energy cost report message will not forward it.
load balance, or fairness. Low latency, balanced network For each node N in a WSN, to maintain such a neigh-
load, and good fairness requirements can be enforced in borhood table with trust level values and energy cost val-
specific routing protocols incorporating TARF. ues for certain known neighbors, two components, Ener-
gyWatcher and TrustManager, run on the node (Figure 2).
3 D ESIGN OF TARF EnergyWatcher is responsible for recording the energy
TARF secures the multi-hop routing in WSNs against in- cost for each known neighbor, based on N ’s observation
truders misdirecting the multi-hop routing by evaluating of one-hop transmission to reach its neighbors and the
the trustworthiness of neighboring nodes. It identifies energy cost report from those neighbors. A compromised
such intruders by their low trustworthiness and routes node may falsely report an extremely low energy cost to
data through paths circumventing those intruders to lure its neighbors into selecting this compromised node
achieve satisfactory throughput. TARF is also energy- as their next-hop node; however, these TARF-enabled
efficient, highly scalable, and well adaptable. Before in- neighbors eventually abandon that compromised next-
troducing the detailed design, we first introduce several hop node based on its low trustworthiness as tracked
necessary notions here. by TrustManager. TrustManager is responsible for tracking
Neighbor For a node N , a neighbor (neighboring node) trust level values of neighbors based on network loop
of N is a node that is reachable from N with one-hop discovery and broadcast messages from the base station
wireless transmission. about data delivery. Once N is able to decide its next-
Trust level For a node N , the trust level of a neighbor is a hop neighbor according to its neighborhood table, it
decimal number in [0, 1], representing N ’s opinion of that sends out its energy report message: it broadcasts to
neighbor’s level of trustworthiness. Specifically, the trust all its neighbors its energy cost to deliver a packet
level of the neighbor is N ’s estimation of the probability from the node to the base station. The energy cost is
that this neighbor correctly delivers data received to the computed as in Section 3.3 by EnergyWatcher. Such an
base station. That trust level is denoted as T in this paper. energy cost report also serves as the input of its receivers’
Energy cost For a node N , the energy cost of a neighbor EnergyWatcher.
is the average energy cost to successfully deliver a unit-
sized data packet with this neighbor as its next-hop One-hop
Delivery
node, from N to the base station. That energy cost is
Neighbor
denoted as E in this paper. Energy Cost EnergyWatcher Energy Cost
Report
Neighborhood Next-hop
Table
3.1 Overview Network Loop Selection
Discovery
For a TARF-enabled node N to route a data packet to the TrustManager Neighbor Trust
Level
Energy Cost
base station, N only needs to decide to which neighbor- Base Station
Report
Broadcast
ing node it should forward the data packet considering
both the trustworthiness and the energy efficiency. Once
Fig. 2. Each node selects a next-hop node based on its
the data packet is forwarded to that next-hop node, the neighborhood table, and broadcast its energy cost within its
remaining task to deliver the data to the base station is neighborhood. To maintain this neighborhood table, Energy-
fully delegated to it, and N is totally unaware of what Watcher and TrustManager on the node keep track of related
routing decision its next-hop node makes. N maintains events (on the left) to record the energy cost and the trust level
a neighborhood table with trust level values and energy values of its neighbors.
cost values for certain known neighbors. It is sometimes

5. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 5
3.2 Routing Procedure explained as follows: the fact that an attacker attracts a
TARF, as with many other routing protocols, runs as a great deal of traffic from many nodes often gets revealed
periodic service. The length of that period determines by at least several of those nodes being deceived with
how frequently routing information is exchanged and a high likelihood. The undelivered sequence interval [a,
updated. At the beginning of each period, the base b] is explained as follows: the base station searches the
station broadcasts a message about data delivery during source sequence numbers received in last period, identi-
last period to the whole network consisting of a few fies which source sequence numbers for the source node
contiguous packets (one packet may not hold all the with this id are missing, and chooses certain significant
information). Each such packet has a field to indicate interval [a, b] of missing source sequence numbers as
how many packets are remaining to complete the broad- an undelivered sequence interval. For example, the base
cast of the current message. The completion of the base station may have all the source sequence numbers for the
station broadcast triggers the exchange of energy report source node 2 as {109, 110, 111, 150, 151} in last period.
in this new period. Whenever a node receives such a Then [112, 149] is an undelivered sequence interval;
broadcast message from the base station, it knows that [109, 151] is also recorded as the sequence boundary
the most recent period has ended and a new period has of delivered packets. Since the base station is usually
just started. No tight time synchronization is required connected to a powerful platform such as a desktop, a
for a node to keep track of the beginning or ending of a program can be developed on that powerful platform to
period. During each period, the EnergyWatcher on a node assist in recording all the source sequence numbers and
monitors energy consumption of one-hop transmission finding undelivered sequence intervals.
to its neighbors and processes energy cost reports from Accordingly, each node in the network stores a table
those neighbors to maintain energy cost entries in its of <node id of a source node, a forwarded sequence
interval [a, b] with a significant length> about last
neighborhood table; its TrustManager also keeps track of
network loops and processes broadcast messages from period. The data packets with the source node and the
the base station about data delivery to maintain trust sequence numbers falling in this forwarded sequence
interval [a, b] have already been forwarded by this node.
level entries in its neighborhood table.
When the node receives a broadcast message about data
To maintain the stability of its routing path, a node
delivery, its TrustManager will be able to identify which
may retain the same next-hop node until the next fresh
data packets forwarded by this node are not delivered to
broadcast message from the base station occurs. Mean-
the base station. Considering the overhead to store such
while, to reduce traffic, its energy cost report could
a table, old entries will be deleted once the table is full.
be configured to not occur again until the next fresh
Once a fresh broadcast message from the base station
broadcast message from the base station. If a node does
is received, a node immediately invalidates all the ex-
not change its next-hop node selection until the next
isting energy cost entries: it is ready to receive a new
broadcast message from the base station, that guaran-
energy report from its neighbors and choose its new
tees all paths to be loop-free, as can be deducted from
next-hop node afterwards. Also, it is going to select a
the procedure of next-hop node selection. However, as
node either after a timeout is reached or after it has
noted in our experiments, that would lead to slow
received an energy cost report from some highly trusted
improvement in routing paths. Therefore, we allow a
candidates with acceptable energy cost. A node imme-
node to change its next-hop selection in a period when
diately broadcasts its energy cost to its neighbors only
its current next-hop node performs the task of receiving
after it has selected a new next-hop node. That energy
and delivering data poorly.
cost is computed by its EnergyWatcher (see Section 3.3).
Next, we introduce the structure and exchange of
A natural question is which node starts reporting its
routing information as well as how nodes make routing
energy cost first. For that, note that when the base station
decisions in TARF.
is sending a broadcast message, a side effect is that its
neighbors receiving that message will also regard this
3.2.1 Structure and Exchange of Routing Information as an energy report: the base station needs 0 amount
A broadcast message from the base station fits into at of energy to reach itself. As long as the original base
most a fixed small number of packets. Such a message station is faithful, it will be viewed as a trustworthy
consists of some pairs of <node id of a source node, an candidate by TrustManager on the neighbors of the base
undelivered sequence interval [a, b] with a significant station. Therefore, those neighbors will be the first nodes
length>, <node id of a source node, minimal sequence to decide their next-hop node, which is the base station;
number received in last period, maximum sequence they will start reporting their energy cost once that
number received in last period>, as well as several node decision is made.
id intervals of those without any delivery record in last
period. To reduce overhead to an acceptable amount, 3.2.2 Route Selection
our implementation selects only a limited number of Now, we introduce how TARF decides routes in a WSN.
such pairs to broadcast (Section 5.1) and proved effec- Each node N relies on its neighborhood table to select an
tive (Section 5.3, 5.4). Roughly, the effectiveness can be optimal route, considering both energy consumption and

6. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 6
reliability. TARF makes good efforts in excluding those relation:
nodes that misdirect traffic by exploiting the replay of
EN b = EN →b + Eb
routing information.
For a node N to select a route for delivering data Since each known neighbor b of N is supposed to
to the base station, N will select an optimal next-hop broadcast its own energy cost Eb to N , to compute EN b ,
node from its neighbors based on trust level and energy N still needs to know the value EN →b , i.e., the average
cost and forward the data to the chosen next-hop node energy cost of successfully delivering a data packet from
immediately. The neighbors with trust levels below a N to its neighbor b with one hop. For that, assuming
certain threshold will be excluded from being considered that the endings (being acknowledged or not) of one-
as candidates. Among the remaining known neighbors, hop transmissions from N to b are independent with
N will select its next-hop node through evaluating each the same probability psucc of being acknowledged, we
neighbor b based on a trade-off between TN b and EN b ,
T
Nb first compute the average number of one-hop sendings
with EN b and TN b being b’s energy cost and trust level needed before the acknowledgement is received as fol-
value in the neighborhood table respectively (see Sec- lows:
∞
tion 3.3, 3.4). Basically, EN b reflects the energy cost of 1
delivering a packet to the base station from N assuming i · psucc · (1 − psucc )i−1 =
1 i=1
psucc
that all the nodes in the route are honest; TN b approx-
imately reflects the number of the needed attempts to Denote Eunit as the energy cost for node N to send a
send a packet from N to the base station via multiple unit-sized data packet once regardless of whether it is
hops before such an attempt succeeds, considering the received or not. Then we have
trust level of b. Thus, EN b combines the trustworthiness
Nb Eunit
T EN b = + Eb
and energy cost. However, the metric EN b suffers from
T
Nb psucc
the fact that an adversary may falsely reports extremely The remaining job for computing EN b is to get the proba-
low energy cost to attract traffic and thus resulting in a bility psucc that a one-hop transmission is acknowledged.
low value of EN b even with a low TN b . Therefore, TARF
T
Nb
Considering the variable wireless connection among
prefers nodes with significantly higher trust values; this wireless sensor nodes, we do not use the simplistic
preference of trustworthiness effectively protects the net- averaging method to compute psucc . Instead, after each
work from an adversary who forges the identity of an transmission from N to b, N ’s EnergyWatcher will update
attractive node such as a base station. For deciding the psucc based on whether that transmission is acknowl-
next-hop node, a specific trade-off between TN b and EN b
T
Nb
edged or not with a weighted averaging technique. We
is demonstrated in Figure 5 (see Section 5.2). use a binary variable Ack to record the result of current
Observe that in an ideal misbehavior-free environ- transmission: 1 if an acknowledgement is received; oth-
ment, all nodes are absolutely faithful, and each node erwise, 0. Given Ack and the last probability value of an
will choose a neighbor through which the routing path acknowledged transmission pold succ , an intuitive way is
is optimized in terms of energy; thus, an energy-driven to use a simply weighted average of Ack and pold succ as
route is achieved. the value of pnew succ . That is what is essentially adopted
in the aging mechanism [29]. However, that method used
3.3 EnergyWatcher against sleeper attacks still suffers periodic attacks [30].
To solve this problem, we update the psucc value using
Here we describe how a node N ’s EnergyWatcher com- two different weights as in our previous work [30], a
putes the energy cost EN b for its neighbor b in N ’s relatively big wdegrade ∈ (0, 1) and a relatively small
neighborhood table and how N decides its own energy wupgrade ∈ (0, 1) as follows:
cost EN . Before going further, we will clarify some 
notations. EN b mentioned is the average energy cost  (1 − wdegrade ) × pold succ + wdegrade × Ack,

if Ack = 0.

of successfully delivering a unit-sized data packet from pnew succ =
N to the base station, with b as N ’s next-hop node  (1 − wupgrade ) × pold succ + wupgrade × Ack,

if Ack = .1

being responsible for the remaining route. Here, one-hop
re-transmission may occur until the acknowledgement The two parameters wdegrade and wupgrade allow flexible
is received or the number of re-transmissions reaches application requirements. wdegrade and wupgrade repre-
a certain threshold. The cost caused by one-hop re- sent the extent to which upgraded and degraded per-
transmissions should be included when computing EN b . formance are rewarded and penalized, respectively. If
Suppose N decides that A should be its next-hop node any fault and compromise is very likely to be associated
after comparing energy cost and trust level. Then N ’s with a high risk, wdegrade should be assigned a relatively
energy cost is EN = EN A . Denote EN →b as the average high value to penalize fault and compromise relatively
energy cost of successfully delivering a data packet from heavily; if a few positive transactions can’t constitute ev-
N to its neighbor b with one hop. Note that the re- idence of good connectivity which requires many more
transmission cost needs to be considered. With the above positive transactions, then wupgrade should be assigned
notations, it is straightforward to establish the following a relatively low value.

7. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 7
3.4 TrustManager are forwarded by this node to the number of those
A node N ’s TrustManager decides the trust level of forwarded data packets, denoted as DeliveryRatio. Then
each neighbor based on the following events: discovery N ’s TrustManager updates its next-hop node b’s trust
of network loops, and broadcast from the base station level as follows:

about data delivery. For each neighbor b of N , TN b  (1 − wdegrade ) × Told N b

denotes the trust level of b in N ’s neighborhood table.  +wdegrade × DeliveryRatio,



At the beginning, each neighbor is given a neutral trust  if DeliveryRatio < Told N b .


level 0.5. After any of those events occurs, the relevant Tnew N b =
neighbors’ trust levels are updated.  (1 − wupgrade ) × Told N b



Note that many existing routing protocols have their  +wupgrade × DeliveryRatio,



own mechanisms to detect routing loops and to react 
if DeliveryRatio >= Told N b .
accordingly [31], [32], [28]. In that case, when integrating
TARF into those protocols with anti-loop mechanisms,
3.5 Analysis on EnergyWatcher and TrustManager
TrustManager may solely depend on the broadcast from
the base station to decide the trust level; we adopted Now that a node N relies on its EnergyWatcher and
such a policy when implementing TARF later (see Sec- TrustManager to select an optimal neighbor as its next-
tion 5). If anti-loop mechanisms are both enforced in hop node, we would like to clarify a few important
the TARF component and the routing protocol that in- points on the design of EnergyWatcher and TrustManager.
tegrates TARF, then the resulting hybrid protocol may First, as described in Section 3.1, the energy cost report
overly react towards the discovery of loops. Though so- is the only information that a node is to passively receive
phisticated loop-discovery methods exist in the currently and take as “fact”. It appears that such acceptance of en-
developed protocols, they often rely on the comparison ergy cost report could be a pitfall when an attacker or a
of specific routing cost to reject routes likely leading to compromised node forges false report of its energy cost.
loops [32]. To minimize the effort to integrate TARF and Note that the main interest of an attacker is to prevent
the existing protocol and to reduce the overhead, when data delivery rather than to trick a data packet into a less
an existing routing protocol does not provide any anti- efficient route, considering the effort it takes to launch
loop mechanism, we adopt the following mechanism to an attack. As far as an attack aiming at preventing data
detect routing loops. To detect loops, the TrustManager delivery is concerned, TARF well mitigates the effect of
on N reuses the table of <node id of a source node, this pitfall through the operation of TrustManager. Note
a forwarded sequence interval [a, b] with a significant that the TrustManager on one node does not take any rec-
length> (see Section 3.2) in last period. If N finds that a ommendation from the TrustManager on another node.
received data packet is already in that record table, not If an attacker forges false energy report to form a false
only will the packet be discarded, but the TrustManager route, such intention will be defeated by TrustManager:
on N also degrades its next-hop node’s trust level. If when the TrustManager on one node finds out the many
that next-hop node is b, then Told N b is the latest trust delivery failures from the broadcast messages of the base
level value of b. We use a binary variable Loop to record station, it degrades the trust level of its current next-hop
the result of loop discovery: 0 if a loop is received; 1 node; when that trust level goes below certain threshold,
otherwise. As in the update of energy cost, the new trust it causes the node to switch to a more promising next-
level of b is hop node.
 Second, TrustManager identities the low trustworthi-
 (1 − wdegrade ) × Told N b + wdegrade × Loop,
 ness of various attackers misdirecting the multi-hop
if Loop = 0.

Tnew N b = routing, especially those exploiting the replay of routing
 (1 − wupgrade ) × Told N b + wupgrade × Loop,
 information. It is noteworthy that TrustManager does not
if Loop = 1.

distinguish whether an error or an attack occurs to the
Once a loop has been detected by N for a few times next-hop node or other succeeding nodes in the route.
so that the trust level of the next-hop node is too low, It seems unfair that TrustManager downgrades the trust
N will change its next-hop selection; thus, that loop is level of an honest next-hop node while the attack occurs
broken. Though N can not tell which node should be somewhere after that next-hop node in the route. Con-
held responsible for the occurrence of a loop, degrading trary to that belief, TrustManager significantly improves
its next-hop node’s trust level gradually leads to the data delivery ratio in the existence of attack attempts of
breaking of the loop. On the other hand, to detect the preventing data delivery. First of all, it is often difficult to
traffic misdirection by nodes exploiting the replay of identify an attacker who participates in the network us-
routing information, TrustManager on N compares N’s ing an id “stolen” from another legal node. For example,
stored table of <node id of a source node, forwarded se- it is extremely difficult to detect a few attackers colluding
quence interval [a, b] with a significant length> recorded to launch a combined wormhole and sinkhole attack [4].
in last period with the broadcast messages from the Additionally, despite the certain inevitable unfairness
base station about data delivery. It computes the ratio involved, TrustManager encourages a node to choose
of the number of successfully delivered packets which another route when its current route frequently fails to

8. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 8
deliver data to the base station. Though only those legal Matlab to test TARF. We have conducted extensive sim-
neighboring nodes of an attacker might have correctly ulation experiments; however, due to the page limit,
identified the adversary, our evaluation results indicate interested readers may refer to our technical report [33]
that the strategy of switching to a new route without and the conference version of paper [1] for detailed
identifying the attacker actually significantly improves simulation settings and experimental results. In our ex-
the network performance, even with the existence of periments, initially, 35 nodes are randomly distributed
wormhole and sinkhole attacks. Fig 3 gives an example to within a 300*300 rectangular area, with unreliable wire-
illustrate this point. In this example, node A, B, C and D less transmission. All the nodes have the same power
are all honest nodes and not compromised. Node A has level and the same maximal transmission range of 100m.
node B as its current next-hop node while node B has an Each node samples 6 times in every period; the timing
attacker node as its next-hop node. The attacker drops gap between every two consecutive samplings of the
every packet received and thus any data packet passing same node is equivalent. We simulate the sensor network
node A will not arrive at the base station. After a while, in 1440 consecutive periods.
node A discovers that the data packets it forwarded did Regarding the network topology, we set up three types
not get delivered. The TrustManager on node A starts to of network topologies. The first type is the static-location
degrade the trust level of its current next-hop node B case under which all nodes stand still. The second type
although node B is absolutely honest. Once that trust is a customized group-motion-with-noise case based on
level becomes too low, node A decides to select node C Reference Point Group Mobility (RPGM) model that
as its new next-hop node. In this way node A identifies a mimics the behavior of a set of nodes moving in one
better and successful route (A - C - D - base). In spite of or more groups [34], [35]. The last type of dynamic
the sacrifice of node B’s trust level, the network performs network incorporated in the experiments is the addition
better. Further, concerning the stability of routing path, of scattered RF-shielded areas to the aforementioned
group-motion-with-noise case.
The performance of TARF is compared to that of a
B link connectivity-based routing protocol adapted from
Attacker
what is proposed by Alec Woo, Terence Tong and
A David Culler [28]. We denote the link connectivity-
Base Station based routing protocol as Link-connectivity. With the
Link-connectivity protocol, each node selects its next-hop
C D
node among its neighborhood table according to an
Fig. 3. An example to illustrate how TrustManager works. link estimator based on exponentially weighted moving
average (EWMA). The simulation results show, in the
presence of misbehaviors, the throughput in TARF is often
once a valid node identifies a trustworthy honest neigh-
much higher than that in Link-connectivity; the hop-per-
bor as its next-hop node, it tends to keep that next-hop
delivery in the Link-connectivity protocol is generally at
selection without considering other seemingly attractive
least comparable to that in TARF.
nodes such as a fake base station. That tendency is
Under a misbehavior-free environment, the simula-
caused by both the preference to maintain stable routes
tion results show that TARF and Link-connectivity have
and the preference to highly trustable nodes.
comparable performance when there is no adversary.
Finally, we would like to stress that TARF is designed
Both protocols are also evaluated under three common
to guard a WSN against the attacks misdirecting the
types of attacks: (1) a certain node forges the identity of
multi-hop routing, especially those based on identity
the based station by replaying broadcast messages, also
theft through replaying the routing information. Other
known as the sinkhole attack; (2) a set of nodes colludes to
types of attacks such as the denial-of-service (DoS) [3]
form a forwarding loop; and (3) a set of nodes drops re-
attacks are out of the discussion of this paper. For
ceived data packets. These experiments were conducted
instance, we do not address the attacks of injecting
in the static case, the group-motion-with-noise case, and
into the network a number of data packets containing
the addition of RF-shielded areas to the group-motion-
false sensing data but authenticated (possibly through
with-noise case separately. Generally, under these com-
hacking). That type of attacks aim to exhaust the network
mon attacks, TARF produces a substantial improvement
resource instead of misdirecting the routing. However, if
over Link-connectivity in terms of data collection and en-
the attacker intends to periodically inject a few routing
ergy efficiency. Further, we have evaluated TARF under
packets to cause wrong route, such attacks can still be
more severe attacks: multiple moving fake bases and
defended by TARF through TrustManager.
multiple Sybil attackers. As before, the experiments are
conducted under all the three types of network topology.
Under these two types of most severe attacks which
4 S IMULATION
almost devastates the Link-connectivity protocol, TARF
We have developed a reconfigurable emulator of wire- succeeds in achieving a steady improvement over the
less sensor networks on a two-dimensional plane with Link-connectivity protocol. Finally, we have conducted

9. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 9
certain experiments to explore the choice of the period sensing frequency, the energy efficiency and trustworthi-
length and the trust updating scheme. Our experiments ness requirement. TrustManagerC provides two inter-
reveal that a shorter period or a faster trust updating faces (see Figure 4), TrustControl and Record, which
scheme may not necessarily benefit TARF. are implemented in other modules. The TrustControl
interface provides the commands to enable and disable
the trust evaluation, while the Record interface provides
5 I MPLEMENTATION AND E MPIRICAL E VALUA - the commands for a root, i.e., a base station, to add
TION delivered message record, for a non-root node to add
forwarded message record, and for a node to retrieve the
In order to evaluate TARF in a real-world setting, we trust level of any neighboring node. The implementation
implemented the TrustManager component on TinyOS on a root node differs from that on a non-root node: a
2.x, which can be integrated into the existing routing pro- root node stores the information of messages received
tocols for WSNs with the least effort. Originally, we had (delivered) during the current period into a record table
implemented TARF as a self-contained routing proto- and broadcast delivery failure record; a non-root node
col [1] on TinyOS 1.x before this second implementation. stores the information of forwarded messages during the
However, we decided to re-design the implementation current period also in a record table and compute the
considering the following factors. First, the first imple- trust of its neighbors based on that and the broadcast in-
mentation only supports TinyOS 1.x, which was replaced formation. Noting that much implementation overhead
by TinyOS 2.x; the porting procedure from TinyOS 1.x for a root can always be transferred to a more powerful
to TinyOS 2.x tends to frustrate the developers. Second, device connected to the root, it is reasonable to assume
rather than developing a self-contained routing protocol, that the root would have great capability of processing
the second implementation only provides a TrustMan- and storage.
ager component that can be easily incorporated into the
existing protocols for routing decisions. The detection configuration TrustManagerC { interface TrustControl
of routing loops and the corresponding reaction are provides { {
excluded from the implementation of TrustManager since interface TrustControl; //enable trust evaluation
interface Record; command error_t start();
many existing protocols, such as Collection Tree Proto- } //disable trust evaluation
col [32] and the link connectivity-based protocol [28], implementation { command error_t stop();
........................................... }
already provide that feature. As we worked on the first }
implementation, we noted that the existing protocols }
provide many nice features, such as the analysis of
link quality, the loop detection and the routing decision interface Record
{
mainly considering the communication cost. Instead of //for a root to add delivered record <source node id, source sequence number>
providing those features, our implementation focuses command void addDelivered(am_addr_t src, uint8_t seq);
//for a non-root node to add forwarded record <source id, source sequence, next-hop id>
on the trust evaluation based on the base broadcast command void addForwarded(am_addr_t src, uint8_t seq, am_addr_t next);
of the data delivery, and such trust information can //return the trust level of a node
command uint16_t getTrust(am_addr_t id);
be easily reused by other protocols. Finally, instead of }
using TinySec [13] exclusively for encryption and au-
thentication as in the first implementation on TinyOS 1.x,
Fig. 4. TrustManager component.
this re-implementation let the developers decide which
encryption or authentication techniques to employ; the A root broadcasts two types of delivery failure record:
encryption and authentication techniques of TARF may at most three packets of significant undelivered intervals
be different than that of the existing protocol. for individual origins and at most two packets of the id’s
of the origins without any record in the current period.
For each origin, at most three significant undelivered
5.1 TrustManager Implementation Details
intervals are broadcast. For a non-root node, considering
The TrustManager component in TARF is wrapped the processing and memory usage overhead, the record
into an independent TinyOS configuration named table keeps the forwarded message intervals for up to 20
TrustManagerC. TrustManagerC uses a dedicated source nodes, with up to 5 non-overlapped intervals for
logic channel for communication and runs as a periodic each individual origin. Our later experiments verify that
service with a configurable period, thus not interfering such size limit of the table on a non-root node produces a
with the application code. Though it is possible to im- resilient TARF with moderate overhead. The record table
plement TARF with a period always synchronized with on a node keeps adding entries for new origins until it
the routing protocol’s period, that would cause much in- is full.
trusion into the source code of the routing protocol. The With our current implementation, a valid trust value is
current TrustManagerC uses a period of 30 seconds; an integer between 0 and 100, and any node is assigned
for specific applications, by modifying a certain header an initial trust value of 50. The weigh parameters are:
file, the period length may be re-configured to reflect the wupgrade = 0.1, wdegrade = 0.3. The trust table of a

10. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 10
non-root node node keeps the trust level for up to 10 candidate has a trust level above certain threshold. The
neighbors. Considering that an attacker may present reason is, the sole trust/cost criteria could be exploited
multiple fake id’s, the implementation evicts entries with by an adversary replaying the routing information from
a trust level close to the initial trust of any node. Such a base station and thus pretending to be an extremely
eviction policy is to ensure that the trust table remembers attractive node. As for Step 2, compared to the CTP
those neighbors with high trust and low trust; any other implementation, we add two more circumstances when
neighbor not in this table is deemed to have the initial a node decides to switch to the optimal candidate found
trust value of 50. at Step 1: that candidate has a higher trust level, or the
current next-hop neighbor has a too low trust level.
5.2 Incorporation of TARF into Existing Protocols
//Step 1. traverse the neighborhood table for an optimal candidate for the next hop
To demonstrate how this TARF implementation can be optimal_candidate = NULL
//the cost of routing via the optimal candidate provided by the existing protocol, initially infinity
integrated into the exiting protocols with the least effort, optimal_cost = MAX_COST
we incorporated TARF into a collection tree routing //the trust level of the optimal candidate, initially 0
optimal_trust = MIN_TRUST
protocol (CTP) [32]. The CTP protocol is efficient, robust, for each candidate in the neighborhood table
if link is congested, or may cause a loop, or does not pass quality threshold
and reliable in a network with highly dynamic link continue
topology. It quantifies link quality estimation in order better = false
if candidate.trust >= optimal_trust && candidate.cost < optimal_cost
to choose a next-hop node. The software platform is better = true
//prefer trustworthy candidates
TinyOS 2.x. To perform the integration, after proper if candidate.trust >= TRUST_THRESHOLD && optimal_trust < TRUST_THRESHOLD
interface wiring, invoke the TrustControl.start better = true
if candidate.trust >= ESSENTIAL_DIFFERENCE_THRESHOLD + optimal_trust
command to enable the trust evaluation; call the better = true
//effective when all nodes have low trust due to network change or poor connectivity
Record.addForwarded command for a non-root node if candidate.trust >= 3 * optimal_trust / 2
to add forwarded record once a data packet has been better = true
//add restriction of trust level requirement
forwarded; call the Record.addDelivered command if candidate.trust >= TRUST_THRESHOLD && candidate.trust / candidate.cost >
optimal_trust / optimal_cost
for a root to add delivered record once a data packet has better = true
been received by the root. Finally, inside the CTP’s task if better == true
optimal_candidate = candidate
to update the routing path, call the Record.getTrust optimal_cost = candidate.cost
optimal_trust = candidate.trust
command to retrieve the trust level of each next-hop
candidate; an algorithm taking trust into routing consid- //Step 2. decide whether to switch from the current next-hop node to the optimal candidate found:
if optimal_trust >= currentNextHop.trust
eration is executed to decide the new next-hop neighbor || currentNextHop.trust <= TRUST_THRESHOLD
|| current link is congested and switching is not likely to cause loops
(see Figure 5). || optimal_cost + NEXTHOP_SWITCH_THRESHOLD < currentNextHop.cost
Similar to the original CTP’s implementation, the im- currentNextHop = optimal_candidate
plementation of this new protocol decides the next-hop
neighbor for a node with two steps (see Figure 5): Step Fig. 5. Routing decision incorporating trust management.
1 traverses the neighborhood table for an optimal candi-
date for the next hop; Step 2 decides whether to switch This new implementation integrating TARF requires
from the current next-hop node to the optimal candidate moderate program storage and memory usage. We im-
found. For Step 1, as in the CTP implementation, a plemented a typical TinyOS data collection application,
node would not consider those links congested, likely MultihopOscilloscope, based on this new protocol. The
to cause a loop, or having a poor quality lower than MultihopOscilloscope application, with certain modified
a certain threshold. This new implementation prefers sensing parameters for our later evaluation purpose,
those candidates with higher trust levels; in certain periodically makes sensing samples and sends out the
circumstances, regardless of the link quality, the rules sensed data to a root via multiple routing hops. Orig-
deems a neighbor with a much higher trust level to inally, MultihopOscilloscope uses CTP as its routing
be a better candidate (see Figure 5). The preference of protocol. Now, we list the ROM size and RAM size
highly trustable candidates is based on the following requirement of both implementation of MultihopOscillo-
consideration: on the one hand, it creates the least chance scope on non-root Telosb motes in Table 1. The enabling
for an adversary to misguide other nodes into a wrong of TARF in MultihopOscilloscope increases the size of
routing path by forging the identity of an attractive ROM by around 1.3KB and the size of memory by
node such as a root; on the other hand, forwarding data around 1.2KB.
packets to a candidate with a low trust level would result
in many unsuccessful link-level transmission attempts, TABLE 1
thus leading to much re-transmission and a potential Size comparison of MultihopOscilloscope implementation
waste of energy. When the network throughput becomes
low and a node has a list of low-trust neighbors, the Protocol ROM (bytes) RAM (bytes)
node will exclusively use the trust as the criterion to CTP 31164 3579
TARF-enabled CTP 34290 4767
evaluate those neighbors for routing decisions. As show
in Figure 5, it uses trust/cost as a criteria only when the

11. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 11
5.3 Empirical Evaluation on Motelab addition to programming those 91 motes with CTP, we
We evaluated the performance of TARF against a com- also programmed the five fake base stations so that they
bined sinkhole and wormhole attack on Motelab [36] at stole the id the base station through replaying. In the
Harvard University. 184 TMote Sky sensor motes were last experiment, we programmed those 91 motes with
deployed across many rooms at three floors in the de- the TARF-enabled CTP, and programmed the five fake
partment building (see Figure 6), with two to four motes base stations as in the second experiment. Each of our
in most rooms. Around 97 nodes functioned properly programs run for 30 minutes.
while the rest were either removed or disabled. Each As illustrated in Figure 7(a), the existence of the five
mote has a 2.4GHz Chipcon CC2420 radio with an wormhole attackers greatly degraded the performance
indoor range of approximately 100 meters. In Figure 6, of CTP: the number of the delivered data packets in
the thin green lines indicate the direct (one-hop) wireless the case of CTP with the five-node wormhole is no more
connection between motes. Certain wireless connection than 14% that in the case of CTP without adversaries.
also exists between nodes from different floors. The TARF-enabled CTP succeeded in bringing an
immense improvement over CTP in the presence of
the five-node wormhole, almost doubling the throughput.
That improvement did not show any sign of slowing
down as time elapsed. The number of nodes from each
floor that delivered at least one data packet in each
six-minute sub-period is plotted in Figure 7(a), 7(b) and
7(c) separately. On each floor, without any adversary,
at least 24 CTP nodes were able to find a successful
route in each six minute. However, with the five fake
base stations in the wormhole, the number of CTP nodes
that could find a successful route goes down to 9 for
the first floor; it decreases to no more than 4 for the
second floor; as the worst impact, none of the nodes on
the third floor ever found a successful route. A further
look at the data showed that all the nine nodes from
the first floor with successful delivery record were all
Fig. 6. Connectivity map of Motelab (not including the inter- close to the real base station. The CTP nodes relatively
floor connectivity), adapted from Motelab[Motelab]. far away from the base station, such as those on the
second and the third floor, had little luck in making
We developed a simple data collection application in good routing decisions. When TARF was enabled on
TinyOS 2.x that sends a data packet every five seconds to each node, most nodes made correct routing decisions
a base station node (root) via multi-hop. This application circumventing the attackers. That improvement can
was executed on 91 functioning non-root nodes on Mote- be verified by the fact that the number of the TARF-
lab. For comparison, we used CTP and the TARF-enabled enabled nodes with successful delivery record under
CTP implementation as the routing protocols for the data the threat of the wormhole is close to that of CTP nodes
collection program separately. The TARF-enabled CTP with no attackers, as shown in Figure 7(a), 7(b) and 7(c).
has a TARF period of 30 seconds. We conducted an attack
with five fake base stations that formed a wormhole. As
in Figure 6, whenever the base station sent out any 5.4 Application: Mobile Target Detection in the Pres-
packet, three fake base stations which overheard that ence of an Anti-Detection Mechanism
packet replayed the complete packet without changing To demonstrate how TARF can be applied in networked
any content including the node id. Other fake base sensing systems, we developed a proof-of-concept re-
stations overhearing that replayed packet would also silient application of target detection. This application
replay the same packet. Each fake base station essentially relies on a deployed wireless sensor network to detect
launched a sinkhole attack. Note that there is a distinction a target that could move, and to deliver the detection
between such malicious replay and the forwarding when events to a base station via multiple hops with the TARF-
a well-behaved node receives a broadcast from the base enabled CTP protocol. For simplification, the target is a
station. When a well-behaved node forwards a broadcast LEGO MINDSTORM NXT 2.0 vehicle robot equipped
packet from the base station, it will include its own with a TelosB mote that sends out an AM (Active
id in the packet so that its receivers will not recognize Message) packet every three seconds. A sensor node
the forwarder as a base station. We conducted the first receiving such a packet from the target issues a detection
experiment by uploading the program with the CTP report, which will be sent to the base station with the
protocol onto 91 motes (not including those 5 selected aforementioned TARF-enabled CTP protocol.
motes as fake bases in later experiments), and no attack The experiment is set up within a clear floor space of
was involved here. Then, in another experiment, in 90 by 40 inches with 15 TelosB motes (see Figure 8(a)). To

12. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 12
4
x 10
3
CTP without adversaries
power of all the Telosb motes except two fake base
Number of delivered packets
CTP with 5-node wormhole stations in the network is reduced through both software
2.5 TARF-enabled CTP with 5-node wormhole
reduction and attenuator devices to within 30 inches. The
2 target uses an anti-detection mechanism utilizing a fake
base station close to the real base station, and another
1.5 remote base station close to the target and mounted on
another LEGO vehicle robot. The two fake base stations,
1
with a transmission range of at least 100 feet, collude
0.5 to form a wormhole: the fake base station close to the
base station replays all the packets from the base station
0
0 5 10 15 20 25 30
immediately; the remote fake base station, after receiving
Time in minutes those packets, immediately replays it again. This anti-
(a) All three floors. detection mechanism tricks some network nodes into
sending their event reports into these fake base stations
26 26
instead of the real base station. Though the fake base
Number of nodes with
25 25 25 25
24 24
station close to the real base station is capable of cheating
delivery record
21
20
the whole network alone by itself with its powerful radio
for a certain amount of time, it can be easily recognized
9 9 9 9 9
by remote nodes as a poor next-hop candidate soon by
most routing protocols based on link quality: that fake
[0min, 6min] [6min, [12min, [18min, [24min,
base station does not acknowledge the packets “sent”
12min] 18min] 24min] 30min]
to it from remote nodes with a weak radio via a single
Time
CTP without adversaries hop since it can not really receive them. Thus, the anti-
CTP with 5-node wormhole
TARF-enabled CTP with 5-node wormhole detection mechanism needs to create such a wormhole to
(b) First floor. replay the packets from the base station remotely.
36 36 36 36 37 36
34
Number of nodes with
33 32
30
delivery record
4 3
2 2 2
[0min, 6min] [6min, [12min, [18min, [24min,
12min] 18min] 24min] 30min]
Time
CTP without adversaries
CTP with 5-node wormhole
TARF-enabled CTP with 5-node wormhole
(c) Second floor.
(a) A snapshot of the network.
Number of nodes with
25 25 25 25 25
24 24
23 23
22
delivery record
0 0 0 0 0
[0min, 6min] [6min, [12min, [18min, [24min,
12min] 18min] 24min] 30min]
Time
CTP without adversaries
CTP with 5-node wormhole
TARF-enabled CTP with 5-node wormhole
(d) Third floor.
Fig. 7. Empirical comparison of CTP and TARF-enabled CTP (b) A closer look.
on Motelab: (a) number of all delivered data packets since the
beginning; number of nodes on (b) the first floor, (c) the second Fig. 8. Deployment of a TARF-enabled wireless sensor network
floor and (d) the third floor that delivered at least one data packet to detect a moving target under the umbrella of two fake base
in sub-periods. stations in a wormhole.
The target node 14 and the fake base station 13 close to
it move across the network along two parallel tracks of
make the multi-hop delivery necessary, the transmission 22 inches back and forth (see Figure 8(b)); they travel