Date post: 16-Mar-2018

An Iterative Algorithm for Trust Management and Adversary Detection for Delay Tolerant Networks

Erman Ayday, Student Member, IEEE and Faramarz Fekri, Senior Member, IEEE

Abstract—Delay/Disruption Tolerant Networks (DTNs) have been identified as one of the key areas in the field of wireless communication, wherein sparseness and delay are particularly high. They are emerging as a promising technology in vehicular, planetary/interplanetary, military/tactical, disaster response, underwater and satellite networks. DTNs are characterized by large end-to-end communication latency and the lack of end-to-end path from a source to its destination. These characteristics pose several challenges to the security of DTNs. Especially, Byzantine attacks in which one or more legitimate nodes have been compromised and fully controlled by the adversary can give serious damages to the network in terms of latency and data availability. Using reputation-based trust management systems is shown to be an effective way to handle the adversarial behavior in Mobile Ad-hoc Networks (MANETs). However, because of the unique characteristics of DTNs, those traditional techniques do not apply to DTNs. Our main objective in this paper is to develop a robust trust mechanism and an efficient and low cost malicious node detection technique for DTNs. Inspired by our recent results on reputation management for online systems and e-commerce, we develop an iterative malicious node detection mechanism for DTNs referred as ITRM. The proposed scheme is a graph based iterative algorithm motivated by the prior success of message passing techniques for decoding low-density parity-check codes over bipartite graphs. Applying ITRM to DTNs for various mobility models, we observed that the proposed iterative reputation management scheme is far more effective than well-known reputation management techniques such as the Bayesian framework and EigenTrust. Further, we concluded that the proposed scheme provides high data availability and packet-delivery ratio with low latency in DTNs under various adversary attacks which attempt to both undermine the trust and detection scheme and the packet delivery protocol.

Index Terms—Security, trust and reputation management, iterative algorithms, malicious node detection, delay tolerant networks


1 INTRODUCTION

Delay Tolerant Networks (henceforth referred to as DTNs) are a relatively new class of networks [1], wherein sparseness and delay are particularly high. In conventional Mobile Ad-hoc Networks (MANETs), the existence of end-to-end paths via contemporaneous links is assumed in spite of node mobility. It is also assumed that if a path is disrupted due to mobility, the disruption is temporary and either the same path or an alternative one is restored very quickly. In contrast, DTNs are characterized by intermittent contacts between nodes, leading to space-time evolution of multihop paths (routes) for transmitting packets to the destination. In other words, DTNs’ links on an end-to-end path do not exist contemporaneously, and hence intermediate nodes may need to store, carry, and wait for opportunities to transfer data packets towards their destinations. Hence, DTNs are much more general than MANETs in the mobile network space (i.e., MANETs are special types of DTNs). Applications of DTNs include emergency response, wildlife surveying, vehicular-to-vehicular communications, healthcare, military, and tactical sensing.

Compared to traditional MANETs, common problems in packet communication such as routing, unicasting, broadcasting and multicasting become sufficiently harder in DTNs even with lossless links (i.e., no packet erasures due to communication link). This increase in difficulty can be directly attributed to the lack of knowledge on the network topology, and the lack of end-to-end path. Hence, the schemes for routing packets have to be primitive such as forwarding to the next available node, injecting multiple copies into available nodes and employing erasure block codes [2]. On the other hand, depending upon the model for mobility, efficient communication schemes for stationary ad-hoc networks can be extended partially or wholly to DTNs.

As in MANETs, adversary may mount several threats against DTNs to reduce the performance of the network. The most serious attacks are due to the Byzantine (insider) adversary in which one or more legitimate nodes have been compromised and fully controlled by the adversary. A Byzantine-malicious node may mount the following attacks in order to give serious damage to the network: 1. Packet drop, in which the malicious node drops legitimate packets to disrupt data availability, 2. Bogus packet injection, in which the Byzantine node injects bogus packets to consume the limited resources of the network, 3. Noise injection, in which the malicious node changes the integrity of legitimate packets, 4. Routing attacks, in which the adversary tampers with the routing by misleading the nodes, 5. Flooding attacks, in which the adversary keeps the communication channel busy to prevent legitimate traffic from reaching its destination, and 6. Impersonation attacks, in which the adversary impersonates the legitimate nodes to mislead the network. We note that because of the lack of end-to-end path from a source to its destination in DTNs, routing attacks are not significant threats for such networks. Attacks on packet integrity may be prevented using a robust authentication mechanism in both MANETs and DTNs. However, packet drop is harder to contain because nodes’ cooperation is fundamental for the operation of these networks (i.e., a group of nodes cooperate in routing each others’ packets using multi-hop wireless links without any centralized control). This cooperation can be undermined by Byzantine attackers, selfish nodes, or even innocent but faulty nodes. Therefore, in this work, we focus on packet drop attack which gives serious damages to the network in terms of data availability, latency, and throughput. Finally, Byzantine nodes may individually or in collaboration attack the security mechanism (e.g., the trust management and malicious node detection schemes) as will be discussed later.

In MANETs, reputation-based trust management systems are shown to be an effective way to cope with adversary. By establishing trust with the nodes it has or has not directly interacted, a node in the network diagnoses other nodes and predicts their future behavior in the network. Hence, trust plays a pivotal role for a node in choosing with which nodes it should cooperate, improving data availability in the network. Further, examining trust values has been shown to lead to the detection of malicious nodes in MANETs. Despite all the progress for securing MANETs, achieving the same for DTNs leads to additional challenges. The special constraints posed by DTNs make existing security protocols inefficient or impractical in such networks as will be discussed in Section 1.1.

This material is based upon work supported partially by the National Science Foundation under Grant No. IIS-1115199, and a gift from the Cisco University Research Program Fund, an advised fund of Silicon Valley Community Foundation.

• E. Ayday and F. Fekri are with the Department of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA, 30332. E-mail: [email protected], [email protected]


Our main objective in this paper is to develop a security mechanism for DTNs which enables us to evaluate the nodes based on their behavior during their past interactions and to detect misbehavior due to Byzantine adversaries, selfish nodes and faulty nodes. The resulting scheme would effectively provide high data availability and packet delivery ratio with low latency in DTNs in the presence of Byzantine attackers. To achieve this goal, we aim at obtaining a reputation-based trust management system and an iterative malicious node detection mechanism for DTNs. Our work on reputation systems stems from the prior success of iterative algorithms, such as message passing techniques [3] in the decoding of Low-Density Parity-Check (LDPC) codes in erasure channels [4]. We believe the significant benefits offered by iterative algorithms can be tapped in to benefit the field of reputation systems. To achieve this, we develop the Iterative Trust and Reputation Mechanism (ITRM) [5], and explore its application on DTNs. We propose a distributed malicious node detection mechanism for DTNs using ITRM which enables every node to evaluate other nodes based on their past behavior, without requiring a central authority. We will show that the resulting scheme effectively provides high data availability and low latency in the presence of Byzantine attackers. We will also show that the proposed iterative mechanism is far more effective than the voting-based techniques in detecting Byzantine nodes.

The main contributions of our work are summarized in the following.

1) We introduced a novel iterative method for trust and reputation management referred as ITRM which is inspired by the iterative decoding of low-density parity-check codes over bipartite graphs.

2) We introduce the application of ITRM into DTNs as an iterative trust management and malicious node detection scheme. The scheme provides high data availability and packet delivery ratio with low latency in the presence of Byzantine attackers.

3) The proposed algorithm computes the reputations of the network nodes accurately in a short amount of time in the presence of attackers without any central authority.

4) The proposed algorithm mitigates the impacts of Byzantine attackers proportional to their attack degrees. That is, the ones that are attacking with the highest strength are detected with higher probability.

5) Comparison of ITRM with some well-known reputation management techniques (e.g., Bayesian framework and EigenTrust) indicates the superiority of ITRM in terms of robustness against attacks in a realistic DTN environment. Further, the proposed algorithm is very efficient in terms of its computational complexity. Specifically, the complexity of ITRM is linear in the number of nodes. Hence, it is scalable and suitable for large scale implementations.

The rest of this paper is organized as follows. In the rest of this section, we summarize the related work. In Section 2, we describe ITRM and its security evaluation as a general trust and reputation framework (i.e., in a general setting). Next, in Section 3, we present the application of ITRM to DTNs and the proposed security mechanism in detail. Moreover, we evaluate the proposed scheme by analysis and simulations in a realistic DTN environment. Finally, in Section 4, we conclude the paper.

1.1 Related Work

The main goal for building a reputation system in MANETs is to protect the reactive routing protocol from attackers and increase the performance of the network. A recent review of these secure routing protocols for MANETs [6] indicates that these protocols either use the watchdog mechanism or ACK messages to build trust values between the nodes. In MANETs, a node evaluates another by using either direct or indirect measurements. Building reputation values by direct measurement is either achieved by using the watchdog mechanism or by using the ACK from the destination. Building reputation values by just relying on the direct measurements and using the watchdog mechanism is proposed in [7], [8]. In [9], [10], the use of indirect measurements to build reputation values is also allowed while the watchdog mechanism is used to obtain direct measurements. In [11]–[15], reputation values are constructed using the ACK messages sent by the destination node. We note that these techniques are not applicable to DTNs due to the following reasons. In DTNs, a node cannot use the watchdog mechanism and monitor another intermediate node after forwarding its packets to it. This is because links on an end-to-end path do not exist contemporaneously, and hence an intermediate node needs to store, carry and wait for opportunities to transfer those packets. As a result, the node loses connection with the intermediate node which it desires to monitor. This implies that a Byzantine node in DTNs can get packets from a legitimate node, then move away and drop the packets. Similarly, relying on the ACK packets from the destination to establish reputation values would fail in DTNs because of the lack of a fixed common multihop path from the source to the destination. Even if we assume an ACK from destination to the source (which incurs large latency), this feedback packet travels to the source via intermediate nodes that are different from the set of nodes that delivered the data packet to the destination. More specifically, the source node, upon receiving a negative ACK, cannot decide which node on the forwarding path is to be blamed. Lastly, using indirect measurements is possible in DTNs. However, it is unclear as to how these measurements can be obtained in the first place.

Reputation systems for P2P networks and online systems also received a lot of attention [10], [16]–[22]. In [16] and [17], authors cover most of the work on the use of reputation systems for P2P networks. However, reputation systems for P2P networks are either not applicable for DTNs or they require excessive time to build the reputation values of the peers. Most proposed P2P reputation management mechanisms utilize the idea that a peer can monitor others and obtain direct observations [18] or a peer can enquire about the reputation value of another peer (and hence, obtain indirect observations) before using the service provided by that peer [19], [20]. However, neither of these techniques is practical for DTNs. In DTNs direct observations are not possible as we discussed above. Further, enquiring about the reputation value of a peer is not practical in DTNs due to opportunistic communications during contact times and intermittent connectivity of the peers. Assuming a peer enquires about the reputation values of the other peers from its contacts, it can calculate the reputation values of the other peers when it collects sufficient indirect measurements. However, considering the opportunistic and intermittent connectivity in DTNs, this method requires excessive time to build the reputation values of all peers in the network. EigenTrust [21] is one of the most popular reputation management algorithms for P2P networks. However, the EigenTrust algorithm is constrained by the fact that trustworthiness of a peer (on its feedback) is equivalent to its reputation value. In EigenTrust, the trust relationships between the nodes are established based on the service qualities of the peers during a P2P file transfer. However, trusting a peer’s feedback and trusting a peer’s service quality are two different concepts. As we will discuss in Section 3.1, a malicious peer can attack the network protocol or the reputation management system independently. Therefore, the EigenTrust algorithm is not practical for applications in which the trustworthiness and reputation are two separate concepts (as in our work). Use of the Bayesian framework is also proposed in [9]. In schemes utilizing the Bayesian framework, each reputation value is computed independent of the other nodes’ reputation values. However, the ratings provided by the nodes induce a probability distribution on the reputation values. These distributions are correlated because they are induced by the overlapping set of nodes. The strength of ITRM stems from the fact that it tries to capture this correlation in analyzing the ratings and computing the reputation values. Finally, [22] proposed to use the Cluster Filtering method [23] for reputation management. However, it can be shown that Cluster Filtering introduces quadratic complexity while the computational complexity of ITRM is linear with the number of users in the network. As a result, our proposed scheme is more scalable and suitable for large scale reputation systems. Different from the existing schemes, ITRM algorithm [5] is a graph based iterative algorithm motivated by the previous success on message passing techniques and belief propagation algorithms. We compared the performance of ITRM with EigenTrust [21] and the Bayesian reputation management framework [10] (which is also proposed as the reputation management system of the well-known CONFIDANT protocol [9]) in a realistic DTN environment in Section 3.5 and showed the effectiveness of our proposed scheme.

Several works in the literature have focused on securing DTNs. In [24], the challenges of providing secure communication in DTNs are discussed and the use of Identity-Based Cryptography (IBC) [25] is suggested. In [26], source authentication and anonymous communication as well as message confidentiality are provided using IBC. In [27], the use of packet replication is proposed to improve message delivery rate instead of using cryptographic techniques. We note that the existing techniques to secure DTNs are aimed to provide data confidentiality and authentication only. On the other hand, our proposed trust based scheme provides malicious node detection and high data availability with low packet latency in the presence of Byzantine attacks.

2 ITERATIVE TRUST AND REPUTATION MANAGEMENT MECHANISM (ITRM)

In this section, we describe ITRM and its security evaluation in a broader context (i.e., in a general setting). Then, we will modify and utilize it for DTNs in Section 3. Further, we will evaluate ITRM and compare its performance with some well-known reputation management techniques (e.g., Bayesian framework and EigenTrust) in a realistic DTN setting in Section 3.5. As in every trust and reputation management mechanism, we have two main goals: 1. Computing the service quality (reputation) of the peers who provide a service (henceforth referred to as Service Providers or SPs) by using the feedbacks from the peers who used the service (referred to as the raters), and 2. Determining the trustworthiness of the raters by analyzing their feedback about SPs. We consider the following major attacks that are common for any trust and reputation management mechanisms: i) Bad-mouthing, in which malicious raters collude and attack the SPs with the highest reputation by giving low ratings in order to undermine them, and ii) Ballot-stuffing, in which malicious raters collude to increase the reputation values of peers with low reputations. Further, we evaluated ITRM against some sophisticated attacks (which utilize bad-mouthing or ballot-stuffing with a strategy) such as RepTrap [28] or the one in which malicious raters provide both reliable and malicious ratings to mislead the algorithm.

Our proposed iterative algorithm is inspired by the earlier work on the improved iterative decoding algorithm of LDPC codes in the presence of stopping sets [4], [29]. In iterative decoding of LDPC, every check-vertex (in the graph representation of the code) has some opinion of what the value of each bit-vertex should be. The iterative decoding algorithm would then analyze the collection of these opinions to decide, at each iteration, what value to assign for the bit-vertex under examination. Once the values of the bit-vertices are estimated, in the next iteration, those values are used to determine the satisfaction probability of the check-vertices values. The novelty of ITRM stems from the observation that a similar approach can be adapted to determine SPs’ reputation values as well as the trustworthiness of the raters.

We let $TR_j$ be the global reputation of the $j$th SP. Further, $TR_{ij}$ represents the rating that the peer $i$ reports about the SP $j$, whenever a transaction is completed between the two peers. Moreover, $R_i$ denotes the (report/rating) trustworthiness of the $i$th peer as a rater$^1$. The first step in developing ITRM is to interpret the collection of the raters and the SPs together with their associated relations as a bipartite graph, as in Fig. 1(a). In this representation, each rater corresponds to a check vertex in the graph, shown as a square and each SP is represented by a bit vertex shown as a hexagon in the graph. If a rater $i$ has a rating about the $j$th SP, we place an edge with value $TR_{ij}$ from the $i$th check-vertex to the $j$th bit-vertex. As time passes, we use the age-factored values as the edge values instead. To each edge $\{ij\}$, a value $WR_{ij} = w_{ij} TR_{ij}$ is assigned, where $WR_{ij}$ is the age-factored $TR_{ij}$ value. The factor $w_{ij}(t)$ is used to incorporate the time-varying aspect of the reputation of the SPs (i.e., time-varying service quality). We use a known factor $w_{ij}(t) = \hat{\lambda}^{t - t_{ij}}$ where $\hat{\lambda}$ and $t_{ij}$ are the fading parameter and the time when the last transaction between the rater $i$ and the SP $j$ occurred, respectively. If a new rating arrives from the $i$th rater about the $j$th SP, our scheme updates the new value of the edge $\{ij\}$ by averaging the new rating and the old value of the edge multiplied with the fading factor.

We consider slotted time throughout this discussion. At each time-slot, ITRM will be executed using the input parameters $R_i$ and $WR_{ij}$ to obtain the reputation parameters (e.g., $TR_j$) and the list of malicious raters (referred to as the blacklist). Initially, the blacklist is set empty. Details of ITRM may be described by the following procedure at the $L$th time-slot. Let $R_i$ and $TR_{ij}$ be the parameter values prior to the present execution (the $L$th execution) of ITRM algorithm. Let also $TR_j^{\nu}$ and $TR_{ij}^{\nu}$ be the values of the bit-vertex and the $\{ij\}$th edge at the iteration $\nu$ of the ITRM algorithm. Prior to the start of the iteration ($\nu = 0$), we set $TR_{ij}^{\nu=0} = TR_{ij}$ and compute the initial value of each bit-vertex (referred to as the initial guess $TR_j^{\nu=0}$) based on the weighted average of the age-factored edge values ($WR_{ij}^{\nu}$) of all the edges incident to the bit-vertex $j$. Equivalently, we compute

$$TR_j^{\nu} = \frac{\sum_{i \in A_j} R_i \times WR_{ij}^{\nu}}{\sum_{i \in A_j} R_i \times w_{ij}(t)}, \qquad (1)$$

where $A_j$ is the set of all check-vertices connected to the bit-vertex $j$. It is interesting to note that the initial guess-values resemble the received information from the channel in the channel coding problem. Then, the first iteration starts (i.e., $\nu = 1$). We first compute the average inconsistency factor $C_i^{\nu}$ of each check-vertex $i$ using the values of the bit-vertices (i.e., $TR_j^{\nu-1}$) for which it is connected to. That is, we compute

$$C_i^{\nu} = \left[ 1 \Big/ \sum_{j \in B} \hat{\lambda}^{t - t_{ij}} \right] \sum_{j \in B} d(TR_{ij}^{\nu-1}, TR_j^{\nu-1}), \qquad (2)$$

where $B$ is the set of bit vertices connected to the check-vertex $i$ and $d(\cdot, \cdot)$ is a distance metric used to measure the inconsistency. We use the $L_1$ norm (absolute value) as the distance metric, and hence,

$$d(TR_{ij}^{\nu-1}, TR_j^{\nu-1}) = |TR_{ij}^{\nu-1} - TR_j^{\nu-1}| \, \hat{\lambda}^{t - t_{ij}}. \qquad (3)$$

After computing the inconsistency factor for every check-vertex, we list them in ascending order. Then, the check-vertex $i$ with the highest inconsistency is selected and placed in the blacklist if its inconsistency is greater than or equal to a definite threshold $\tau$ (whose choice will be discussed later). If there is no check-vertex with inconsistency greater than or equal to $\tau$, the algorithm stops its iterations. Once the check-vertex $i$ is blacklisted, we delete its rating $TR_{ij}^{\nu}$ for all the bit-vertices $j$ it is connected to. Then, we update the values of all the bit-vertices using (1). This completes the first iteration of ITRM. The iterative algorithm proceeds to other iterations exactly in the same way as the first iteration, updating the values of the bit-vertices and blacklisting some other check-vertices as a result. However, once a check-vertex is placed in the blacklist, for the remaining iterations it is neither used for the evaluation of $TR_j$s nor for the inconsistency measure of the check-vertices. We stop the iterations when the inconsistencies of all the check-vertices (excluding the ones already placed in the blacklist) fall below $\tau$.

1. All of these parameters ($TR_j$, $TR_{ij}$ and $R_i$) may evolve with time. However, for simplicity, we omitted time dependencies from the notation.

Fig. 1: Illustrative example of ITRM. [Figure not reproduced: panels (a) and (b) show the bipartite graph of raters R1–R7 and service providers S1–S3, with legend entries for rater peer, blacklisted rater and service provider and line styles for $TR_{ij}$ = 1 to 5; panel (c) tabulates the inconsistencies C1–C7 and the values TR1–TR3 per iteration.]

As an example, ITRM is illustrated in Fig. 1 for 7 raters, 3 SPs, and τ = 0.7. It is assumed that the ratings are integer values from {1, . . . , 5} and the actual reputations, T̂Rj, are equal to 5. For simplicity, we assumed wi's to be equal to 1 and Ri's to be equal for all raters. Furthermore, we assumed that the peers 1, 2, 3, 4, and 5 are honest but 6 and 7 are malicious raters. The malicious raters (6 and 7) mount the bad-mouthing attack in this example. Fig. 1(a) shows the TRij values (illustrated by different line-styles) prior to the execution of ITRM. The TRj values and the individual inconsistencies of the raters after each iteration are also illustrated in Fig. 1(c). We note that the algorithm stops at the third iteration when all the raters have inconsistencies less than τ. Fig. 1(c) indicates how ITRM gives better estimates of TRj's compared to the weighted averaging method (which corresponds to the zero iteration). Fig. 1(b) illustrates the edges after the final iteration of ITRM. It is worth noting that the malicious raters 6 and 7 are blacklisted and their ratings are accordingly deleted. Moreover, rater 3, although honest, is also blacklisted at the third iteration. We note that this situation is possible when an honest but faulty rater's ratings have a large deviation from the other honest raters.

2.1 Raters’ Trustworthiness

We update the Ri values using the set of all past blacklists together in a Beta distribution. Initially, prior to the first time-slot, for each rater-peer i, the Ri value is set to 0.5 (φi = 1 and ϕi = 1). Then, if the rater-peer i is blacklisted, Ri is decreased by setting

ϕi(t+ 1) = λ̄ϕi(t) + (Ci + 1− τ)δ, (4)

otherwise, Ri is increased by setting

φi(t+ 1) = λ̄φi(t) + 1, (5)

where λ̄ is the fading parameter and δ denotes the penalty factor for the blacklisted raters. We note that updating Ri values via the Beta distribution has one major disadvantage. An existing malicious rater with low Ri could cancel its account and sign in with a new ID (whitewashing). This problem may be prevented by updating Ri's using the method proposed in [30].
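The iterative blacklisting of Section 2 and the Beta update of Section 2.1, as an added Python example (not the authors' code). It assumes that update (1), which is not reproduced in this part of the paper, is the Ri-weighted mean of the remaining ratings with wi = 1 and a fading factor of 1, that Ri is the Beta mean φ/(φ + ϕ), and that the Ci used in (4) is the inconsistency at the moment of blacklisting; the ratings are constructed and are not the values of Fig. 1.

```python
"""ITRM sketch: iterative blacklisting (Section 2) and the Beta update of R_i (Section 2.1)."""

# Constructed ratings: rater -> {service provider: rating}. Every SP has a true
# reputation of 5; R6 and R7 are bad-mouthing raters that always rate 1.
RATINGS = {
    "R1": {"S1": 5, "S2": 5},
    "R2": {"S1": 5, "S3": 5},
    "R3": {"S2": 4, "S3": 5},
    "R4": {"S1": 5, "S2": 5, "S3": 5},
    "R5": {"S2": 5, "S3": 4},
    "R6": {"S1": 1, "S2": 1, "S3": 1},
    "R7": {"S1": 1, "S2": 1},
}


def reputations(ratings, trust, blacklist):
    """Assumed form of update (1): R_i-weighted mean over raters that are not blacklisted."""
    sums, weights = {}, {}
    for rater, given in ratings.items():
        if rater in blacklist:
            continue
        for sp, value in given.items():
            sums[sp] = sums.get(sp, 0.0) + trust[rater] * value
            weights[sp] = weights.get(sp, 0.0) + trust[rater]
    return {sp: sums[sp] / weights[sp] for sp in sums}


def inconsistency(given, tr):
    """C_i: mean L1 distance between a rater's ratings and the previous TR_j values."""
    return sum(abs(value - tr[sp]) for sp, value in given.items()) / len(given)


def itrm(ratings, trust, tau):
    """Blacklist the most inconsistent rater per iteration until all C_i fall below tau."""
    blacklist, worst = [], {}
    tr = reputations(ratings, trust, blacklist)      # iteration 0: plain weighted average
    history = [dict(tr)]
    while True:
        scores = {r: inconsistency(g, tr) for r, g in ratings.items() if r not in blacklist}
        if not scores:
            break
        rater = max(scores, key=scores.get)
        if scores[rater] < tau:
            break
        blacklist.append(rater)
        worst[rater] = scores[rater]                 # C_i at the time of blacklisting
        tr = reputations(ratings, trust, blacklist)  # ratings of blacklisted raters are dropped
        history.append(dict(tr))
    return tr, blacklist, worst, history


def update_trust(beta, worst, tau, fade=0.9, penalty=10.0):
    """Apply (4) to blacklisted raters and (5) to the others; beta maps rater -> [phi, varphi]."""
    for rater, (good, bad) in beta.items():
        if rater in worst:
            bad = fade * bad + (worst[rater] + 1 - tau) * penalty   # eq. (4)
        else:
            good = fade * good + 1                                  # eq. (5)
        beta[rater] = [good, bad]
    return {rater: good / (good + bad) for rater, (good, bad) in beta.items()}


def run_example():
    trust = {rater: 0.5 for rater in RATINGS}        # initial R_i (phi = varphi = 1)
    final, blacklist, worst, history = itrm(RATINGS, trust, tau=0.7)
    beta = {rater: [1.0, 1.0] for rater in RATINGS}
    new_trust = update_trust(beta, worst, tau=0.7)
    return final, blacklist, history, new_trust


if __name__ == "__main__":
    final, blacklist, history, new_trust = run_example()
    print("weighted average (iteration 0):", history[0])
    print("after ITRM:", final, "blacklisted:", blacklist)
    print("updated R_i:", {r: round(v, 3) for r, v in new_trust.items()})
```

At iteration 0 the honest raters also exceed τ, because the bad-mouthed averages are far from their ratings; only the single most inconsistent rater is removed per iteration, which is what keeps them off the blacklist here.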

2.2 Security Evaluation of ITRM

To prove that the general ITRM framework is a robust trust and reputation management mechanism, we briefly evaluate its security both analytically and via computer simulations. Then, in Section 3.5, we will evaluate the security of ITRM in a realistic DTN environment. In order to facilitate future references, frequently used notations are listed below.

D: Number of malicious raters

H: Number of honest raters

N: Number of service providers

m: Rating given by an honest rater

n: Rating given by a malicious rater

X: Total number of malicious ratings TRij per a victim SP

d: Total number of newly generated ratings, per time-slot, by an honest rater

b: Total number of newly generated ratings, per time-slot, by a malicious rater

b̂: Total number of newly generated attacking/malicious ratings, per time-slot, by a malicious rater

∆: b̂/b (i.e., fraction of attacking ratings per time-slot)

µ: Total number of un-attacked SPs rated by an honest rater

2.2.1 Analytic Evaluation

We adopted the following models for various peers involved in the reputation system. We assumed that the quality of SPs remains unchanged during time-slots. We provided the evaluation for the bad-mouthing attack only, as similar results hold for ballot-stuffing and combinations of bad-mouthing and ballot-stuffing. We let T̂Rj be the actual reputation value of the jth SP. Ratings (i.e., TRij) generated by the non-malicious raters are distributed uniformly among the SPs. We further assumed that m is a random variable with folded normal distribution (mean T̂Rj and variance 0.5), however, it takes only discrete values from 1 to 5. Furthermore, the values of Ri for all the raters are set to the highest value (i.e., Ri = 1) for simplicity (which reflects the worst case). Finally, we assumed that d is a random variable with Yule-Simon distribution, which resembles the power-law distribution used in modeling online systems, with the probability mass function fd(d; ρ) = ρB(d, ρ + 1), where B(·, ·) is the Beta function. For modeling the adversary, we made the following assumptions. We assumed that the malicious raters initiate bad-mouthing and collude while attacking the SPs. Further, the malicious raters attack the same set Γ of SPs at each time-slot. In other words, Γ represents a set of size b̂ in which each SP has an incoming edge from all malicious raters. The following discussions are developed for the time-slot t.

τ-eliminate-optimal Scheme: We declare a reputation scheme to be τ-eliminate-optimal if it can eliminate all the malicious raters whose inconsistency (measured from actual reputation values T̂Rj of SPs) exceeds the threshold τ. Hence, such a scheme would compute the reputations of the SPs by just using the honest raters. Naturally, we need to answer the following question: For a fixed τ, what are the conditions to have a τ-eliminate-optimal scheme? The conditions for ITRM to be a τ-eliminate-optimal scheme are given by the following lemma:

Lemma 1: Let Θj and dt be the number of unique raters for the jth SP and the total number of outgoing edges from an honest rater in t elapsed time-slots, respectively. Let also Q be a random variable denoting the exponent of the fading parameter λ̂ at the tth time-slot. Then ITRM would be a τ-eliminate-optimal scheme if the conditions

$$\sum_{r \in \Lambda} \Psi_r \geq (\hat{b}m + b\tau) \tag{6a}$$

and

$$\frac{\mu}{d_t} > 1 - \frac{\Theta\hat{\lambda}^{Q}\Delta}{D} \tag{6b}$$

are satisfied at the tth time-slot, where

$$\Psi_r = \frac{mX + n\Theta_r\hat{\lambda}^{Q}}{X + \Theta_r\hat{\lambda}^{Q}} \quad \text{for } r \in \Lambda, \tag{7}$$

and Λ is the index set of the set Γ.

Proof: At each iteration, ITRM blacklists the rater i with the highest inconsistency Ci if Ci ≥ τ. Each malicious rater has b̂ attacking ratings at each time slot. Moreover, the inconsistency of a malicious rater due to each of its attacking edge j is $\left(\frac{mX + n\Theta_j\hat{\lambda}^{Q}}{X + \Theta_j\hat{\lambda}^{Q}} - m\right)$, where j ∈ Γ. Therefore, the total inconsistency of a malicious rater (which is calculated considering both its attacking and non-attacking ratings) should be greater than or equal to τ to be blacklisted. This results in the condition in (6a). Further, given Ci ≥ τ for a malicious rater i, to have a τ-eliminate-optimal scheme, we require that the inconsistency of the malicious rater with the highest inconsistency exceeds the inconsistencies of all the reliable raters so that the blacklisted rater can be a malicious one in all iterations. To make sure ITRM blacklists all malicious raters, the inconsistency of a malicious rater must be greater than the inconsistency of a reliable rater at the 0th iteration with a high probability. The inconsistency of a malicious rater at the tth time slot is given by

$$\left(\left|\frac{mX + nc\lambda^{Q}}{X + c\lambda^{Q}} - m\right|\right)\Delta. \tag{8}$$

Similarly, the inconsistency of a reliable rater at the tth time slot is

$$\left(\left|\frac{mX + nc\lambda^{Q}}{X + c\lambda^{Q}} - n\right|\right)\frac{d_t - \mu}{d_t}. \tag{9}$$

Hence, to blacklist a malicious rater, we require the term in (8) be greater than that of (9) which leads to (6b).

The design parameter τ should be selected based on the highest fraction of malicious raters to be tolerated. To determine the optimal value of τ, we start with Lemma 1. We use a waiting time t such that (6a) and (6b) are satisfied with high probability (given the highest fraction of malicious raters to be tolerated). Then, among all τ values that satisfy (6a) and (6b) with high probability, we select the highest τ value. The intention for selecting the highest τ value is to minimize the probability of blacklisting a reliable rater. In the following example, we designed the scheme to tolerate up to W = 0.30 (i.e., 30% malicious raters). For the given parameters D + H = 200, N = 100, ∆ = 1, ρ = 1 and λ̂ = 0.9, we obtained the optimal τ = 0.4. As shown in Fig. 2, for W lower than 0.30, the waiting time becomes shorter to have a τ-eliminate-optimal scheme for τ = 0.4. However, the scheme may also blacklist a few non-malicious raters in addition to the malicious ones when W is actually less than 0.30. This is because the optimal value of τ is higher for a τ-eliminate-optimal scheme when W is actually less than 0.30.

2.2.2 Simulations

We evaluated the performance of ITRM via computer simulations. We assumed that there were already 200 raters (all of which are honest and provide reliable ratings) and 50 SPs in the system. Moreover, a total of 50 time-slots have passed since the launch of the system. Further, ratings generated during previous time-slots were distributed among the SPs in proportion to their reputation values. After this initialization process, we introduced 50 more SPs as newcomers. Further, we assumed that a fraction of the existing raters changed behavior and became malicious after the initialization process. Hence, by providing reliable ratings during the initialization period (for 50 time-slots) the malicious raters increased their trustworthiness values before they attack. Eventually, we had D + H = 200 raters and N = 100 SPs in total. We further assumed that d is a random variable with Yule-Simon distribution as discussed in the analysis. At each time-slot, the newly generated ratings from honest raters are assigned to the SPs in proportion to the present estimate of their reputation values, TRj. We obtained the performance of ITRM, for each time-slot, as the mean absolute error (MAE) |TRj − T̂Rj|, averaged over all the SPs that are under attack (where T̂Rj is the actual value of the reputation). We used the following parameters throughout our simulations: b = 5, ρ = 1, λ̂ = λ̄ = 0.9, the penalty factor δ = 10, and τ = 0.4 (the choice of τ is based on the analytical results discussed in Section 2.2.1).

We have evaluated the performance of ITRM in the presence of bad-mouthing and ballot-stuffing. Here, we provide an evaluation of the bad-mouthing attack only, as similar results hold for ballot-stuffing. In all simulations, we considered the worst-case scenario in which the victims are chosen among the newcomer SPs with an actual reputation value of T̂Rj = 5 in order to have the most adverse effect. The malicious raters do not deviate very much from the actual T̂Rj = 5 values to remain under cover as many time-slots as possible (while still attacking). Hence, at each time-slot, the malicious raters apply a low intensity attack by choosing the same set of SPs from Γ and rate them as n = 4. We had also tried higher deviations from the T̂Rj value and observed that the malicious raters were easily detected by ITRM in fewer time-slots. Therefore, we identified the low intensity attack scenario as the most adverse one against the reputation management mechanism. We note that this attack scenario also resembles the RepTrap attack in [28] which is proved to be a strong and destructive attack that can undermine the reputation system. Further, by assuming that the ratings of the reliable raters deviate from the actual reputation values, our attack scenario becomes even harder to detect when compared to the RepTrap. Figure 3 illustrates the MAE performance of ITRM for this attack scenario after the newcomer SPs joined the system and varying fractions of existing raters (W) changed behavior and became malicious. Thus, the plots in Fig. 3 are shown from the time-slot the newcomers are introduced and existing raters changed behavior. We note that for this simulation we set ∆ = b̂/b = 1. The lags in the plots of ITRM in Fig. 3 correspond to waiting times to include the newcomer SPs into the execution of ITRM, computed based on our analytical results presented in Fig. 2. We also observed that the average number of iterations for ITRM is around 5 and it decreases with time and with decreasing fraction of malicious raters.

We also evaluated the performance of ITRM when the malicious raters provide both reliable and malicious ratings to mislead the algorithm. In Fig. 4, we illustrate the performance of ITRM for this attack for W = 0.10 and different ∆ = b̂/b values. We observed that as the malicious raters attack with fewer edges (for low values of b̂), it requires more time slots to undo their impact using ITRM. Further, when the b̂ values become very small (b̂ = 1, 2), it is hard to detect the malicious peers. On the other hand, although the malicious raters stay under cover when they attack with very few edges, this type of attack limits the malicious raters' ability to make a serious impact (they can only attack a small number of SPs). It is worth noting that Fig. 4 only considers the MAE on the SPs that are under attack. Thus, if the MAE is normalized over all SPs, it becomes clear that the impact of the malicious raters is reduced as they attack using smaller b̂ values. We note that for small values of b̂, other reputation management mechanisms also fail to detect the malicious raters. From these simulation results, we conclude that the ITRM framework provides robust trust and reputation management in the presence of attacks.

3 TRUST MANAGEMENT AND ADVERSARY DETECTION IN DTNS

3.1 Adversary Models and Security Threats

As discussed in Section 1, we consider the challenging problem of countering Byzantine (insider) attacks (that give serious damage to the network in terms of data availability, latency and throughput). We note that the security issues such as source authentication and data authentication have been considered for disconnected networks in [24], [26]. Hence, they are not explicitly considered in this paper. Instead, broadly we consider two types of attack: 1. Attack on the network communication protocol, 2. Attack on the security mechanism.

Packet drop and packet injection (attack on the network communication protocol): An insider adversary drops legitimate packets it has received. This behavior of the malicious nodes has a serious impact on the data availability and the total latency of the network. Moreover, a malicious node may also generate its own flow to deliver to another (malicious) node via the legitimate nodes. As a result, bogus flows compete with legitimate traffic for the scarce network resources.

Bad-mouthing (ballot-stuffing) on the trust management (attack on the security mechanism): As it will be discussed, a legitimate node needs feedbacks from a subset of nodes to determine its trust on a specific node. When a malicious node is an element of this subset, it gives incorrect feedback in order to undermine the trust management system. Bad-mouthing and ballot-stuffing attacks attempt to reduce the trust on a victim node and boost the trust value of a malicious ally, respectively. A successful attack may result in an incorrect edge value (rating) from a non-malicious check-vertex in the graph representation in Fig. 1(a).

Random attack on trust management (attack on the security mechanism): A Byzantine node may adjust its packet drop rate (on the scale of zero-to-one) to stay under cover, making it harder to detect.

Bad-mouthing (ballot-stuffing) on the detection scheme (attack on the security mechanism): As it will be discussed, every legitimate node, in order to detect the nature of every network node, creates its own trust entries in a table (referred to as the node's rating table) for a subset of network nodes for which the node has collected sufficient feedbacks. Further, each node also collects rating tables from other nodes. When the Byzantine nodes transfer their tables to a legitimate node, they may victimize the legitimate nodes (in the case of bad-mouthing) or help their malicious allies (in the case of ballot-stuffing) in their rating table entries. This effectively reduces the detection performance of the system. Furthermore, malicious nodes can provide both reliable and malicious ratings to mislead the algorithm as discussed in Section 2.2.2. A successful attack adds a malicious check-vertex providing malicious edges (ratings) in the graph representation in Fig. 1(a).

During the evaluation of the proposed scheme, we assumed that malicious nodes may mount attacks on both the network communication protocol and the underlying security mechanism (trust and reputation management mechanism, ITRM) simultaneously. In the attack on the network communication protocol, we assumed that malicious nodes both drop the legitimate packets they have received from reliable nodes and generate their own flows to deliver to other (malicious) nodes via the legitimate nodes in order to degrade the network performance (i.e., data availability and packet delivery ratio) directly. In the attack on the security mechanism, we assumed that malicious nodes simultaneously execute “bad-mouthing (ballot-stuffing) on the trust management”, “random attack on trust management”, and “bad-mouthing (ballot-stuffing) on the detection scheme” (which are described above) to cheat the underlying trust and reputation management scheme (i.e., ITRM) and degrade the network performance indirectly. We study the impact of these attacks and evaluate our proposed scheme in the presence of these attacks (on the network communication protocol and the security mechanism) in Section 3.5. First, we study the impact of the attacks to cheat the underlying trust and reputation management mechanism alone and obtain the time required to detect all the malicious nodes in the network. Next, we study the impact of the “packet drop and packet injection attack” to the network performance (in terms of data availability and packet delivery ratio) while the malicious nodes also mount attacks on the underlying reputation mechanism.

As a result of our studies, we concluded that ITRM provides a very efficient trust management and malicious node detection mechanism for DTNs under the threat model discussed above. The most significant advantage of ITRM under the above threat model, in addition to resiliency to a high fraction of malicious nodes, is to let each network node accurately compute the reputation values of the other network nodes in a short time. Computing the reputation values in a short time is a very crucial issue in DTNs because of their unique characteristics (such as the intermittent contacts between the nodes). As a result of this advantage, each legitimate node detects and isolates the malicious nodes from the network to minimize their impact to the network performance (as will be illustrated in Section 3.5).

We note that since we did not assume pre-existing trust relationships among the nodes, we did not study some particular attacks such as RepTrap [28] (which is studied in Section 2.2.2 to evaluate the performance of ITRM) particularly for DTNs.

3.2 Network/Communication Model and Technical Background in Context

Before giving a high level description of our scheme, we will introduce the network/communication model and the main tools that we use for the system to operate.

Mobility model: We use both Random Waypoint (RWP) and Levy-walk (LW) mobility models for our study which are widely used for simulating DTNs. RWP model produces exponentially decaying inter-contact time distributions for the network nodes making the mobility analysis tractable. On the other hand, LW is shown to produce power-law distributions that have been studied extensively for animal patterns and recently has been shown to be a promising model for human mobility [31]. In the RWP mobility model [32], each node is assigned an initial location in the field and travels at a constant speed to a randomly chosen destination. The speed is randomly chosen from [vmin, vmax] independently of the initial location and destination. After reaching the destination, the node may pause for a random amount of time before the new destination and speed are chosen randomly for the next movement. In LW mobility model [31], [33], [34], on the other hand, each movement length and pause time distributions closely match truncated power-law distributions. Further, angles of movement are pulled from a uniform distribution. Our implementation of the LW mobility model is based on the model in [31]. A step is represented by four variables, movement length (ℓ), direction (θ), movement time (Υtf), and pause time (Υtp). The model selects movement lengths and pause times randomly from their Levy distributions p(ℓ) and ψ(Υtp) with coefficients α and β, respectively. Finally, regardless of the mobility model used, we assume a finite rate of packet transfer which forces the number of packets transmitted per contact to be directly proportional to the contact time.

Packet format: We require that each packet contains its two hop history in its header. In other words, when node B receives a packet from node A, it learns from which node A received that packet. This mechanism is useful for the feedback mechanism as discussed in Section 3.4.

Routing and packet exchange protocol: We assume that messages at the source are packetized. Further, the source node never transmits multiple copies of the same packet. Hence, at any given time, there is at most a single copy of each packet in the network. We assume only single-copy routing since reliable single-copy routing with packetization is achieved by encoding the data packets using rateless codes [35], [36] at the source node. The use of rateless coding improves reliability and latency in DTNs even when there is no adversary [37]. Furthermore, exchange of packets between two nodes follows a back-pressure policy. To illustrate this, assume node A and B have x and y packets belonging to the same flow f, respectively (where x > y). Then if the contact duration permits, node A transfers (x−y)/2 packets to node B belonging to flow f. As a result of the mobility model, each node has the same probability to meet with the destination of a specific flow. Hence, by using the back-pressure policy we equally share the resources (e.g., contact time) among the flows.

[Fig. 2: Waiting time for τ-eliminate-optimal. Pr(ITRM being τ-eliminate-optimal) versus time slot, for W = 0.10, 0.15, 0.20, 0.25 and 0.30.]

[Fig. 3: MAE performance of ITRM for bad-mouthing and for varying W. MAE versus time slot, for W = 0.10, 0.15, 0.20, 0.25 and 0.30.]

[Fig. 4: MAE performance of ITRM for bad-mouthing when W = 0.10 and for varying ∆. MAE versus time slot, for ∆ = 1, 0.8, 0.6, 0.4 and 0.2.]

The packet exchange protocol also enforces fairness among multiple nodes that forwarded the same flow to a node. To clarify, let us assume that node A has some packets from a flow f (which were forwarded to it by χ different nodes) and based on the back-pressure policy, it needs to transfer some of them to node B. In this situation, node A must fairly select the packets based on their previous hops (which is available via the packet format discussed before). In other words, each packet that is received from a different node has the same probability to be selected for transfer. This mechanism is useful for the feedback mechanism as discussed later. Finally, when a node forwards a packet, it deletes it from its buffer.

Bloom filter: A Bloom filter is a simple space-efficient randomized data structure for representing a set in order to support membership queries [38]. A Bloom filter for representing a set U of G elements is described by an array of κ bits, initially all set to 0. It employs γ independent hash functions H1, . . . , Hγ with range { 1, . . . , κ }. For every element x ∈ U, the bits H1(x), . . . , Hγ(x) in the array are set to 1. A location can be set to 1 multiple times, but only the first change has an effect. To check if y belongs to U, we check whether all H1(y), . . . , Hγ(y) are set to 1. If not, y definitely does not belong to U. Otherwise, we assume y ∈ U although this may be wrong with some probability. Hence, a Bloom filter may yield a false positive where it suggests that y is in U even though it is not. The network designer can arbitrarily decrease this probability at the expense of increasing communication overhead. Further, the false positive probability can be significantly reduced by using recently proposed techniques such as [39].
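The Bloom filter described above, applied to the packets of one flow so that a relay can reject injected packets, as an added Python example (not the authors' code). The γ hash functions are derived from SHA-256 with an index prefix, which is an assumption, positions are 0-based, the packet contents are constructed, and the signature over the filter is left out.

```python
import hashlib


class FlowBloomFilter:
    """kappa-bit array with gamma hash functions, built over the packets of one flow."""

    def __init__(self, kappa, gamma):
        self.kappa, self.gamma = kappa, gamma
        self.bits = bytearray(kappa)          # one byte per bit keeps the sketch short

    def _positions(self, packet):
        # H_1 ... H_gamma: SHA-256 over (index || packet), reduced modulo kappa (assumed construction).
        for index in range(self.gamma):
            digest = hashlib.sha256(bytes([index]) + packet).digest()
            yield int.from_bytes(digest[:8], "big") % self.kappa

    def add(self, packet):
        for pos in self._positions(packet):
            self.bits[pos] = 1                # setting an already-set bit has no effect

    def __contains__(self, packet):
        return all(self.bits[pos] for pos in self._positions(packet))


def false_positive_probability(kappa, gamma, elements):
    """Standard estimate of the probability that a non-member has all gamma bits set."""
    return (1.0 - (1.0 - 1.0 / kappa) ** (gamma * elements)) ** gamma


def relay_check(flow_filter, packets):
    """Split the packets a relay received into those matching the flow's filter and the rest."""
    accepted = [p for p in packets if p in flow_filter]
    rejected = [p for p in packets if p not in flow_filter]
    return accepted, rejected


def demo():
    # Constructed packets: eight from the source's flow, 200 injected by another node.
    flow = [b"flow-f|seq=%d|payload-%d" % (i, i) for i in range(8)]
    injected = [b"bogus|seq=%d" % i for i in range(200)]
    flow_filter = FlowBloomFilter(kappa=1024, gamma=4)
    for packet in flow:
        flow_filter.add(packet)
    accepted, rejected = relay_check(flow_filter, flow + injected)
    return flow, accepted, rejected


if __name__ == "__main__":
    flow, accepted, rejected = demo()
    print("accepted:", len(accepted), "rejected:", len(rejected))
    for kappa in (64, 128, 256, 1024):        # overhead in bits versus false positive probability
        print(kappa, "bits ->", false_positive_probability(kappa, 4, len(flow)))
```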

3.3 Iterative Detection for DTNs

In this section, we will describe how ITRM is adapted in DTNs as an iterative malicious node detection mechanism. We will pick an arbitrary node in the network and present the algorithm from its point of view throughout the rest of this paper. We denote this node as a judge for clarification of our presentation. Further, the counterpart to the quality of a SP in the discussion of ITRM is the reliability of the node in DTN in faithfully following the network (routing) protocols to deliver the packets.

Since direct monitoring is not an option in DTNs (as explained in Section 1.1), a judge node creates its own rating about another network node by collecting feedbacks about the node and aggregating them. Each judge node has a table (referred to as a Rating Table) whose entries (which are obtained using the feedback mechanism described in Section 3.4) are used for storing the ratings of the network nodes. In DTNs, due to intermittent contacts, a judge node has to wait for a very long time to issue its own ratings for all the nodes in the network. However, it is desirable for a judge node to have a fresh estimate of the reputation of all the nodes in the network in a timely manner, mitigating the effects of malicious nodes immediately. To achieve this goal, we propose an iterative detection mechanism which operates by using the rating tables formed by other nodes (acting as judges themselves). The rating table of a judge node can be represented by a bipartite graph consisting of one check-vertex (the judge node) and some bit-vertices (i.e., a subset of all the nodes in the network for which the judge node has received sufficient number of feedbacks to form a rating with high confidence). Besides, by collecting sufficient number of rating tables from other nodes, a judge node can generate a bipartite graph as in Section 2, which includes all the network nodes as bit-vertices. We illustrate this process at judge node M in Fig. 5 in which node M collects rating tables from other judge nodes (including K and V) and generates a bipartite graph including all network nodes as bit-vertices. Assuming N nodes in the network, a judge node may create a bipartite graph with N bit-vertices by collecting rating tables from k−1 nodes each with at least s non-empty entries. Hence, the resulting graph would have k check-vertices (the kth check vertex belongs to the judge node). The parameters s and k are to be determined for high probability of detection while minimizing detection latency. Clearly, higher s and k reduce the detection error but increase the delay. We will discuss this issue in Section 3.5. Hence, when two nodes establish a contact in a DTN, they exchange their rating tables. Once a judge node collects sufficient number of tables each with sufficient number of non-empty entries, it can then proceed with the iterative algorithm to specify the reputation values for all the nodes.

[Fig. 5: Collecting and combining the rating tables at the judge node M. The figure shows the rating tables (Node, Rating) of nodes K and V for nodes i, . . . , i+5 and the bipartite graph that M builds from the collected tables.]

To adapt the ITRM scheme for DTNs, we will present (feedback) ratings as “0” or “1”, which results in binary reputation values. In this special case, the iterative reputation scheme becomes a detection scheme. That is, a node with a reputation value of zero would be interpreted as a malicious node. Therefore, the proposed scheme detects and isolates the malicious nodes from the network to minimize their impact. We note that we used binary rating values for simplicity of the setup. Alternatively, one may consider a setup where ratings are non-binary. In this scenario, when two nodes establish a contact, they may exchange packets with some probability associated with their reputation values (i.e., they may exchange packets proportional to their reputation values). Moreover, we did not incorporate Ri values for simplicity of simulations, and hence, we set all Ri values to one for the application of ITRM in DTNs. In other words, we assume that the judge node does not have any previous knowledge about the witness nodes and it trusts each witness node equally.

3.4 Trust management scheme for DTNs

In the proposed scheme, the authentication mechanism for the packets generated by a specific source is provided by a Bloom filter [38] and ID-based signature (IBS) [25]. Whenever a source node sends some packets belonging to the flow that is initiated by itself, it creates a Bloom filter output from those packets, signs it using IBS and sends it to its contacts. The Bloom filter output provides an authentication mechanism for the packets generated by a specific source. It is worth noting that whenever an intermediate node forwards packets belonging to a specific flow to its contact, it also forwards the signed Bloom filter output belonging to those packets for the packet level authentication at each intermediate node. We do not give further details of the authentication mechanism as source and data authentication for DTNs have been considered before [24], [26] and they are out of the scope of this paper.

Our proposed feedback mechanism to determine the entries in the rating table is based on a 3-hop loop (referred to as Indirect type I feedback). We will describe this scheme by using a toy example between 3 nodes A, B, and C as follows. Let us denote the node that is evaluating as the judge (node A), the node that is being evaluated as the suspect (node B), and the node that was the direct contact of the suspect as the witness (node C). The basic working principle of the mechanism is that after the judge node has a transaction (in the form of passing some packets) with a suspect, the judge node waits to make contacts and receive feedback about the suspect from every node (i.e., witnesses) that has been in direct contact with the suspect. It is worth noting that this feedback mechanism is only used for constructing the entries in the judge node's rating table for a few network nodes. Overall, rating tables are collected from the contacts of the judge node and ITRM is applied to find the reputations of all network nodes (as described in Section 3.3).

[Fig. 6: Indirect type I feedback between nodes A (judge), B (suspect) and C (witness). Contacts: A–B at t0 (packets from A's buffer); B–C at t1 (time stamp signed by B, receipts to prove its deliveries); C–A at t2 (contact history, request feedback for B, feedback for B).]

Let us assume that node A meets B, B meets C and C meets A at times t0, t1 and t2, respectively, where t0 < t1 < t2. Indirect type I feedback between nodes A, B and C is illustrated in Fig. 6. At time t0, A and B execute mutual packet exchange as described in Section 3.2. When B and C meet at t1, they first exchange signed time-stamps. Hence, when C establishes a contact with A, it can prove that it indeed met B. Then B sends the packets in its buffer executing the fairness protocol discussed in Section 3.2. Moreover, (suspect) node B transfers the receipts it received thus far to the (witness) C. Those receipts include the proofs of node B's deliveries (including deliveries of the packets belonging to node A) thus far and are signed by the nodes to which its packets were delivered. We note that the receipts expire in time and are deleted from the buffers of the witnesses. Hence, they are not accumulated in the buffers of the nodes. The lifetime of the receipts is determined based on the detection performance of the scheme (required time for the scheme to have a high malicious node detection accuracy) as will be described in Section 3.5. At the end of the contact, node C also gives a signed receipt to node B including the IDs of the packets it received from B during the contact. Finally, when the judge node A and the witness C meet, they initially exchange their contact histories. Hence, A learns that C has met B and requests the feedback. The feedback consists of 2 parts: i) Those receipts of B that are useful for A's evaluation (i.e., receipts which include the delivery proofs of the packets belonging to node A), and ii) If node C received node A's packets from node B, it sends the hashes of those packets to A for the latter's evaluation. We note that C can easily find out A's packets by just examining the headers as explained in Section 3.2. From B's receipts, node A can determine if B followed the packet delivery procedure (which is described in Section 3.2) properly while delivering the packets forwarded by node A at time t0 (B's receipts will reveal the packet deliveries of B after time t0). Further, from the hashes of its own packets (if there is any received by node C), node A can determine if node B had modified any of the packets before delivery.

If both parts of the feedback are verified by node A (if node B followed the packet delivery procedure for A’s packets and delivered the packets properly), then the judge A makes a “positive evaluation” as 1. Otherwise, if either part of the feedback is not verified, the evaluation will be “negative” as 0. We note that if node C did not receive any packets belonging to node A, then node A’s evaluation will be based only on the receipts of B which are provided by node C at time $t_2$ (i.e., node A will evaluate node B based on the receipts it received from node C, which is the first part of the feedback explained before). We note that the feedbacks from the witnesses are not trustable. Because of the bad-mouthing (ballot-stuffing) and random attacks (discussed in Section 3.1), a judge node waits for a definite number of feedbacks to give its verdict about a suspect node with a high confidence. We will discuss this waiting time, the number of required feedbacks, and their interplay for different adversarial models in Section 3.5. Hence, each judge node uses the Beta distribution to aggregate multiple evaluations it has made about a suspect using the associated feedbacks to form its rating (verdict) for a suspect node. That is, if the aggregation of multiple feedbacks for a suspect node is greater than 0.5, the suspect node is rated as “1” in the judge node’s rating table (i.e., the node’s verdict is “1”). Otherwise, if the aggregation value is smaller than or equal to 0.5, the suspect node is rated as “0” (see footnote 2).

In the high level description of ITRM, it was implicitly assumed that the judge has a priori knowledge about the packet drop rate of the Byzantine node. This is unrealistic as the nodes may apply random attacks as in Section 3.1. To remove this assumption, we propose detection at different levels. We observed that the sufficient number of feedbacks that is required to give a verdict with high confidence depends on the packet drop rate of the Byzantine nodes. In other words, for a node with a higher drop rate, we would require fewer feedbacks than for a node with a lower drop rate. Assume that we desire to perform detection at level $p_1 = 0.8$. This implies that after applying ITRM, each judge node would identify and isolate all the Byzantine nodes whose packet drop rates are $p_1$ or higher. Further, assume that the detection at level $p_1$ requires at least $\hat{M}_1$ feedbacks about a suspect node. The number of feedbacks depends on the confidence we seek in the accuracy of a verdict (before detection). The level of confidence is determined by the detection strategy. For instance, for ITRM, a confidence value on the order of 0.95 (out of 1) would be sufficient. Clearly, the number of feedbacks also depends on the detection level. The lower the detection level, the higher is the number of required feedbacks to maintain the same detection confidence. Hence, every judge stores together with its verdict the lowest level of detection at which the verdict can be used. Obviously, an entry verdict with lower detection level (e.g., p = 0.6) is also good for use in a high detection level (e.g., p = 0.8), but the inverse is not true. An entry is left empty if the judge does not have the sufficient number of feedbacks to give any verdict even at the highest detection level. We note that there is no pre-determined detection level for the proposed scheme. The judge node applies the ITRM for the lowest possible detection level (to minimize the impacts of malicious nodes) depending on the entries (number of feedbacks used to construct each entry verdict) in both its own rating table and the rating tables it collected from other nodes. The judge checks the detection level of each table entry (from both its own table and the collected tables) and performs the ITRM at the detection level of the entry verdict which is the largest. To clarify this, assume a judge node M collected rating tables from other nodes K and V as in Fig. 5. For this toy example, we assume that the judge node M performs the ITRM by using only 3 rating tables (its own rating table and the ones collected from nodes K and V). We further assume that the rating table entries with the largest detection levels have a detection level of m, k and v for nodes M, K and V’s rating tables, respectively. Then, the judge node M performs the ITRM at the detection level of max(m, k, v). As a result of this mechanism, the malicious nodes may try to survive the detection mechanism by setting their packet drop rates to lower values. However, the proposed detection mechanism eventually detects all the malicious nodes (even the ones with lower packet drop rates) when the judge node waits longer to apply the ITRM at a lower detection level. Further, as the drop rate of the malicious nodes gets lower, the negative impact of the malicious nodes gets less significant in terms of data availability and packet delivery ratio.

Footnote 2: ITRM then takes the rating tables, whose entries are associated verdicts, as inputs to process and determines the final fate of a node. Hence, the verdicts will be further examined by ITRM.
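The rating-table bookkeeping described in this section, as an added example that is not the authors' code: one evaluation per witness feedback, Beta aggregation with the 0.5 threshold, the detection level stored with each verdict, and the level at which ITRM is run. Assumptions: the Beta aggregate is the posterior mean under a uniform prior, receipt verification (Section 3.2) arrives as a boolean, SHA-256 stands in for the unnamed packet hash, and the feedback counts in `REQUIRED_FEEDBACKS` and all function names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed values: minimum feedback count (M-hat) per detection level p.
# The text only states that a lower detection level needs more feedbacks.
REQUIRED_FEEDBACKS = {0.8: 20, 0.6: 40, 0.4: 80}


def packet_hash(payload: bytes) -> str:
    """SHA-256 is an assumption; the text does not name the hash function."""
    return hashlib.sha256(payload).hexdigest()


def evaluate_feedback(receipts_verified: bool,
                      own_packets: Iterable[bytes],
                      witness_hashes: Iterable[str]) -> int:
    """One evaluation (1 or 0) of a suspect from a single witness's feedback."""
    if not receipts_verified:              # part i: the suspect's receipts
        return 0
    known = {packet_hash(p) for p in own_packets}
    # Part ii applies only if the witness received the judge's packets; an
    # empty list leaves the evaluation to the receipts alone.
    if any(h not in known for h in witness_hashes):
        return 0                           # a packet was modified in transit
    return 1


def beta_aggregate(evaluations: List[int]) -> float:
    """Mean of Beta(1 + positives, 1 + negatives), i.e. a uniform prior."""
    positives = sum(evaluations)
    return (positives + 1) / (len(evaluations) + 2)


@dataclass(frozen=True)
class Entry:
    verdict: int    # 1 = rated reliable, 0 = rated malicious
    level: float    # lowest detection level at which the verdict may be used


def rating_entry(evaluations: List[int],
                 required: Dict[float, int] = REQUIRED_FEEDBACKS
                 ) -> Optional[Entry]:
    """Rating-table entry for one suspect, or None if it must stay empty."""
    usable = [p for p, m_hat in required.items() if len(evaluations) >= m_hat]
    if not usable:
        return None                        # too few feedbacks at every level
    verdict = 1 if beta_aggregate(evaluations) > 0.5 else 0
    return Entry(verdict, min(usable))


def itrm_detection_level(tables: Iterable[Dict[str, Optional[Entry]]]
                         ) -> Optional[float]:
    """Largest entry level over all tables, the max(m, k, v) of the toy case."""
    levels = [e.level for t in tables for e in t.values() if e is not None]
    return max(levels) if levels else None


if __name__ == "__main__":
    # Constructed sample: judge A sent two packets through suspect B.
    sent = [b"A-pkt-1", b"A-pkt-2"]
    clean = evaluate_feedback(True, sent, [packet_hash(b"A-pkt-1")])
    tampered = evaluate_feedback(True, sent, [packet_hash(b"A-pkt-1 altered")])
    print("evaluations:", clean, tampered)
    own = {"B": rating_entry([1] * 45)}                   # usable down to 0.6
    from_k = {"B": rating_entry([1] * 10 + [0] * 10),     # tie of 0.5 rates 0
              "C": rating_entry([1] * 5)}                 # stays empty
    print(own, from_k, itrm_detection_level([own, from_k]))
```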

3.5 Security Evaluation

In this section, we give an analysis of the metrics of interest and illustrate our simulation results. Further, we compare the performance of ITRM with the well-known reputation management schemes (Bayesian framework [10] and EigenTrust [21]) in a realistic DTN environment. Finally, we show the performance of the proposed scheme for the malicious node detection, availability and packet delivery ratio via simulations (conducted using MATLAB). We assumed the mobility models (RWP and LW) of Section 3.2 with N nodes in the network. It is shown that the inter-contact time distributions of the LW can be modeled by a truncated Pareto distribution [34]. On the other hand, as we mentioned in Section 3.2, the fact that the inter-contact times of the RWP mobility model can be modeled as a Poisson process [40] makes the mobility analysis tractable. Therefore, for our analytical conclusions (in Lemmas 2 and 3), we assumed the RWP mobility model (see footnote 3). However, for the simulations, we used both RWP and LW mobility models to evaluate the performance of the proposed scheme under different mobility models.

In all simulations, we fixed the simulation area to 4.5 km by 4.5 km (with reflecting boundaries), which includes N = 100 nodes each with a transmission range of 250 m (which is the typical value for IEEE 802.11b). For the RWP model, we used $[v_{\min}, v_{\max}] = [10, 30]$ m/s and ignored the pause time for the nodes. For the LW model, we set the speed of every node to 10 m/s. Further, we set the scale factors of movement lengths and pause times to 10 and 1, respectively. We used the Levy distribution coefficients of α = 1 and β = 1. Finally, we set the maximum movement length and pause time to 4 km and 2 hours, respectively.

Confidence on a Verdict: We let $\lambda_i$ be the inter-contact time between two particular nodes. We analytically illustrated the waiting time of a judge node to collect a sufficient number of feedbacks about a suspect (to give its verdict with high confidence) and evaluated the effect of random attack on the required number of feedbacks in the following. Let the random variables x, y and z represent the number of feedbacks received at a specific judge node A (about a suspect node B), the total number of contacts that the suspect node B established after meeting A, and the number of distinct contacts of B after meeting A, respectively. The following lemma characterizes the time needed to receive M distinct feedbacks about a particular suspect node B at a particular judge node A for the RWP mobility model.

Lemma 2: Let $t_0$ be the time that a transaction occurred between a particular judge-suspect pair. Further, let $N_T$ be the number of feedbacks received by the judge for that particular suspect node since $t = t_0$. Then, the probability that the judge node has at least $M$ feedbacks about the suspect node from $M$ distinct witnesses at time $T + t_0$ is given by

$$\Pr(N_T \geq M) = \int_{M}^{+\infty} \int_{-\infty}^{+\infty} f(x|z, T)\, f(z, T)\, dz\, dx. \tag{10}$$

Here, the distribution $f(x|z, t)$ is Poisson with rate $\lambda_i z/2$ and

$$f(z, t) = \int_{-\infty}^{+\infty} f(z|y, t)\, f(y, t)\, dy, \tag{11}$$

where $f(y, t)$ and $f(z|y, t)$ are both Poisson distributions with rates $(N-2)\lambda_i$ and $(N-2)\lambda_i - \lambda_i y/2$, respectively.

Footnote 3: Similar results can be obtained for the LW mobility model using a truncated Pareto distribution for the inter-contact times.

Proof: The probability that a particular judge node receives at least $M$ feedbacks (from distinct witnesses) about a particular suspect node between time $t_0$ and $t_0 + T$ is given by

$$\Pr(N_T \geq M) = \int_{M}^{+\infty} f(x, T)\, dx, \tag{12}$$

where $f(x, t) = \int_{-\infty}^{+\infty} f(x|z, t)\, f(z, t)\, dz$. As a result of the RWP mobility model, it can be shown that $f(x|z, t)$ is Poisson with rate $\lambda_i z/2$, where $z$ represents the number of distinct contacts of the suspect between time $t_0$ and $t_0 + T$ and $x$ is the number of feedbacks received by the judge node (about the suspect) from a subset of those $z$ contacts. Further, since there are $N$ nodes in the network, it can be shown that the number of contacts established by any node has a Poisson distribution with rate $(N-1)\lambda_i$ (excluding itself). Therefore, the number of contacts the suspect established after the transaction with the judge, $y$, has a Poisson distribution with rate $(N-2)\lambda_i$ (excluding the judge node and the suspect node itself), and given $y$, the number of distinct contacts of the suspect $z$ has a Poisson distribution with rate $(N-2)\lambda_i - \lambda_i y/2$.
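Equations (10) to (12) can be evaluated numerically to see how long a judge must wait for M feedbacks; the following is an added example, not the authors' code. It treats $\lambda_i$ as a per-pair contact rate, reads each stated Poisson rate as a rate per unit time (so the mean over an interval T is rate × T), replaces the integrals with sums because x, y and z are counts, and clamps a negative rate at zero. Those readings, the value of 0.01 contacts per minute, and the function names are assumptions.

```python
import math


def poisson_pmf(k, mean):
    """Pr(X = k) for X ~ Poisson(mean), computed in log space for stability."""
    if mean <= 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(mean) - mean - math.lgamma(k + 1))


def poisson_tail(m, mean):
    """Pr(X >= m) for X ~ Poisson(mean)."""
    if m <= 0:
        return 1.0
    return max(0.0, 1.0 - sum(poisson_pmf(k, mean) for k in range(m)))


def _support(mean):
    """Integer range holding all but a negligible part of Poisson(mean)."""
    return range(int(mean + 10.0 * math.sqrt(mean) + 20.0) + 1)


def prob_at_least(M, T, lam, N):
    """Pr(N_T >= M) as the sum over y and z of Pr(y) Pr(z|y) Pr(x >= M | z),
    the discrete form of equations (10) and (11)."""
    mean_y = (N - 2) * lam * T             # contacts of the suspect after t0
    tail_cache = {}
    total = 0.0
    for y in _support(mean_y):
        p_y = poisson_pmf(y, mean_y)
        if p_y < 1e-15:
            continue
        # Distinct contacts given y; assumption: clamp a negative rate at 0.
        mean_z = max(0.0, ((N - 2) * lam - lam * y / 2.0) * T)
        for z in _support(mean_z):
            p_z = poisson_pmf(z, mean_z)
            if p_z < 1e-15:
                continue
            if z not in tail_cache:
                # Feedbacks reaching the judge from z witnesses: rate lam*z/2.
                tail_cache[z] = poisson_tail(M, lam * z / 2.0 * T)
            total += p_y * p_z * tail_cache[z]
    return min(1.0, total)


def waiting_time(M, target, lam, N, step=1.0, t_max=100.0):
    """Smallest T on the grid with Pr(N_T >= M) >= target, else None."""
    t = 0.0
    while t <= t_max:
        if prob_at_least(M, t, lam, N) >= target:
            return t
        t += step
    return None


if __name__ == "__main__":
    LAM = 0.01   # constructed contact rate per node pair, per minute
    N = 100      # network size used in the simulations
    for m in (5, 10, 20):
        # None means the target is not reached within t_max minutes.
        print("M =", m, "wait (min):", waiting_time(m, 0.95, LAM, N, step=5.0))
```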

We studied the effect of random attack on the required number of feedbacks for a network with N = 100 (see footnote 4). We denote the fraction of the Byzantine nodes in the network as W. As we discussed in Section 3.4, a judge node waits for a definite number of feedbacks to give its verdict about a suspect node with a high confidence. Figure 7 illustrates the variation of a (judge) node’s confidence Σ on its verdict for a suspect versus different levels of detection p. This is given for different numbers of feedbacks (M) when W = 0.10. As expected, a node has more confidence at higher detection levels and for high M values. Due to the bad-mouthing, ballot-stuffing and random attacks, a judge node must wait for a definite number of feedbacks to give its verdict about a suspect node with a high confidence. Let $\hat{M}$ be the minimum number of feedbacks required about a specific suspect node for an acceptable confidence level on a verdict. In Fig. 8, the variation of $\hat{M}$ for different detection levels (p) and different W values is illustrated for a judge node to have Σ = 0.95 confidence on its verdict (i.e., $\hat{M} = M$ for Σ ≃ 0.95). Using Fig. 8, we conclude that a judge node needs more feedbacks about a suspect when there are more malicious nodes mounting bad-mouthing (or ballot-stuffing) on the trust management.

Detection Performance: We analytically obtained the waiting time of a judge node before executing ITRM and evaluated the effects of attacks on the detection scheme for a network of size N in which the inter-contact time between two particular nodes is $\lambda_i$. Let $\hat{M}$ be the minimum number of feedbacks required about a specific suspect node for an acceptable confidence level on a verdict. Further, let $\hat{T}$ be the time required to receive $\hat{M}$ feedbacks for a specific suspect. The following lemma along with the simulation results illustrated in Figs. 9, 10, 11 and 12 (which will be presented next) provide a good insight for a judge node about the instant at which it should apply ITRM (the proof is similar to that of Lemma 2).

Lemma 3: Let a particular judge node start collecting feedbacks and generating its rating table at time $t = t_0$. Further, let $\hat{N}_T$ be the number of entries in the rating table of the judge node. Then, the probability that the judge node has at least $s$ entries at time $t_0 + T$ is given by

$$\Pr(\hat{N}_T \geq s) = \int_{s}^{+\infty} \int_{-\infty}^{+\infty} f(z|x, T - \hat{T})\, f(x, T - \hat{T})\, dx\, dz, \tag{13}$$

where $f(x, t)$ and $f(z|x, t)$ are Poisson distributions with the rates $(N-1)\lambda_i$ and $(N-1)\lambda_i - \lambda_i x/2$ for the RWP mobility model, respectively.

Footnote 4: The results illustrated (in Figs. 7 and 8) are independent of the mobility model used.

We evaluated the performance of ITRM for different (k, s) pairs (where k is the number of rating tables collected at the judge node and s is the number of non-empty entries in each table). Moreover, we compared ITRM with the well-known Voting Technique in which a judge node decides on the type of a suspect based on the majority of the votes for that node. For the Voting Technique, we used the Indirect type I feedback as described in Section 3.4 (since direct monitoring is not possible in DTNs, we believe that this feedback mechanism is the only option for the nodes). However, in the Voting Technique, instead of utilizing the ITRM, a judge node decides on the type of a suspect node based on the majority of feedbacks it received (i.e., a suspect node is identified as a malicious node if it received more negative feedbacks than the positive ones).

We defined the success of a scheme as its capability of detecting all malicious nodes in the network (without tagging any reliable node as malicious by mistake). We illustrated the probability of success S of ITRM and the Voting Technique for different (k, s) pairs versus the required time. We used both RWP and LW mobility models (with the parameters described previously) in our simulations. In both mobility models, whenever two nodes establish a contact, a transaction occurs between them in the form of the packet exchange. Further, it is assumed that the judge and malicious nodes start generating their rating tables and mounting their attacks at time t = 0, respectively.

We provide the evaluation only for the bad-mouthing on the detection scheme and bad-mouthing on the trust management, as similar results hold for ballot-stuffing and combinations of bad-mouthing and ballot-stuffing. In particular, malicious nodes provide incorrect feedbacks to the judge nodes about their reliable contacts in order to cause the judge nodes to misjudge the types of reliable nodes (in their verdicts). As a result of the malicious feedback, a judge node may make a “negative evaluation” (as described in Section 3.4) on a reliable node. Second, the malicious nodes collaboratively victimize the reliable nodes (i.e., attack the same set of reliable nodes) in their own rating tables by rating them as “0” and forward these rating tables whenever they contact reliable nodes to mislead the detection mechanism.

In Fig. 9, we illustrated S versus time for fixed values of k and varying s for the RWP mobility model. In Fig. 10, the s values are fixed and the parameter k is varied with increments of 5 for the RWP model. Similarly in Figs. 11 and 12, we illustrated S for ITRM and the Voting Technique with the LW mobility model. In all figures, time is measured starting from t = 0. Our results support the fact that RWP shows a more optimistic routing performance compared to LW since its high occurrences of long movements intensify the chance of meeting destinations [31]. Further, these results also give some indication of the false positive (tagging a reliable node as malicious) and false negative (labeling a malicious node as reliable) probabilities of the proposed scheme. As S increases, the probability that the scheme detects all malicious nodes gets higher along with the probability that the scheme identifies all reliable nodes as reliable. Similarly, as S decreases, the probability that the scheme labels a malicious node as reliable gets higher along with the probability that the scheme marks a reliable node as a malicious one. In other words, false positive and false negative probabilities are high when the probability of success is low as in Figs. 9, 10, 11 and 12. Furthermore, these results can also be used to determine the lifetimes of the receipts at the witness nodes. Knowing how long it takes to have a high success probability at a judge node for a given detection level, the witnesses can delete from their buffers the receipts which have been stored for more than the sufficient time required for a high success probability. Based on our simulation results, we concluded that ITRM significantly outperforms the Voting Technique by providing higher success rates in shorter time (regardless of the mobility model), which is a very crucial issue in DTNs. We obtained these results for a fraction of malicious nodes W of 0.10 and for a detection level of p = 0.8. However, we note that the required (k, s) pairs to obtain a high success probability do not change with the detection level, which only has an effect on $\hat{M}$. It is worth noting that even though the time required to get the high success probability increases with increasing W, the performance gap between ITRM and the Voting Technique remains similar for different values of W.

In the rest of this section, we will present our simulation results for different network parameters and show the performance of the proposed scheme for mean absolute error (MAE) in the computed reputation values, data availability, and packet delivery ratio. We note that we did not compare the proposed scheme with existing DTN security schemes such as [26] since none of the existing schemes aims to provide data availability and malicious node detection as in our work. Further, it is worth noting that there is no existing trust and reputation management mechanism for DTNs. In spite of this, we compared the proposed scheme with the Bayesian reputation management framework in [10] (which is also proposed as the reputation management system of the well-known CONFIDANT protocol [9]) and the EigenTrust algorithm [21] in a DTN environment. For the Bayesian framework [10], we used the parameters from the original work [10] (deviation threshold d = 0.5 and trustworthiness threshold t = 0.75). Further, we set the fading parameter to 0.9 (for details refer to [10]). It is worth noting that neither the original Bayesian reputation framework in [10] nor EigenTrust [21] is directly applicable to DTNs since both protocols rely on direct measurements (e.g., watchdog mechanism), which are not practical for DTNs as discussed in Section 1.1. Therefore, we implemented [10] and [21] by letting the judge nodes collect indirect measurements (feedbacks) from the witnesses using Indirect type I feedback as described in Section 3.4. Since direct monitoring is not possible in DTNs, we believe that this feedback mechanism is the only option for the nodes. Thus we assumed that, as in our scheme, each judge node collects feedbacks and forms its rating table. Further, each judge node exchanges its rating table with the other nodes upon a contact and then executes the reputation management protocol in [10] or EigenTrust [21]. We note that in principle, ITRM performs better than the Bayesian reputation management framework in [10] since the Bayesian approaches of [10] and [41] assume that the reputation values of the nodes are independent. Hence, in these schemes, each reputation value is computed independent of the other nodes’ reputation values using the ratings given to each node. However, this assumption is not valid because the ratings provided by the nodes induce a probability distribution on the reputation values of the nodes. These distributions are correlated because they are induced by the overlapping set of (rater) nodes. The strength of ITRM stems from the fact that it tries to capture this correlation in analyzing the ratings and computing the reputations. On the other hand, as we discussed in Section 1.1, the EigenTrust algorithm is constrained by the fact that trustworthiness of a peer (on its feedback) is equivalent to its reputation value. However, trusting a peer’s feedback and trusting a peer’s service quality are two different concepts since a malicious peer can attack the network protocol or the reputation management system independently. Therefore, in principle, ITRM also performs better than the EigenTrust algorithm. Indeed, our simulation results (presented next) also support these arguments.

We used the simulation settings described before with the LW mobility model. We assumed that a definite amount of time (4 hours) has elapsed since the launch of the system as the initialization period, during which new messages are generated by a Poisson distribution at rate $\lambda_m = 1/3000$ at the source nodes and transmitted to their respective destinations. Further, during this initialization period, rating tables were being created at the judge nodes. Then, at time t = 0 (after the initialization period; see footnote 5), we assumed legitimate nodes simultaneously start new flows to their destinations (while the previous flows may still exist) and attackers start mounting their attacks (both on the network communication protocol and the security system). Therefore, at time t = 0, we assumed each legitimate source node has 1000 information packets which are encoded via a rateless code for single-copy routing transmission. Hence, the number of encoded packets required by each destination to recover a message is roughly 1000 (see footnote 6). We assumed packets with 128-byte payloads and a data rate of 250 kbps for each link. We note that we used the same routing and packet exchange protocol for ITRM, Bayesian framework and EigenTrust algorithm (which is described in Section 3.2). We evaluated the data availability and packet delivery ratio for these new flows since time t = 0. Moreover, we let each judge node execute ITRM, Bayesian framework, or EigenTrust algorithm starting from time t = 0, and hence, we also evaluated the MAE since time t = 0. Thus, for all simulations, the plots are shown from time t = 0. The percentage of the Byzantine nodes in the network is denoted as W. For ITRM, the Bayesian framework in [10], and EigenTrust [21], we assumed that each judge node randomly picks 10 entries from each rating table it received in order to prevent the malicious users from flooding the mechanism with incorrect entries. We ran each simulation 100 times to get an average. We executed the experiment with different parameters in the LW mobility model (e.g., different Levy distribution coefficients, node speeds, etc.) and obtained similar trends. We further simulated the proposed scheme with the RWP mobility model with $[v_{\min}, v_{\max}] = [10, 30]$ m/s and ignoring the pause times. The RWP model resulted in similar trends as the LW model, and hence, we do not report its results due to the space limit.

As before, we present the evaluation only for the bad-mouthing on the detection scheme and bad-mouthing on the trust management (as described in Section 3.1), as similar results hold for ballot-stuffing and combinations of bad-mouthing and ballot-stuffing. Malicious nodes provide incorrect feedbacks to the judge nodes about their reliable contacts in order to cause the judge nodes to misjudge the types of reliable nodes (in their verdicts). Further, malicious nodes collaboratively victimize the reliable nodes in their rating tables by rating them as “0” and forward their rating tables whenever they contact a reliable node to mislead the detection mechanism. In addition to the attacks on the security mechanism (i.e., the trust management and the detection algorithms), malicious nodes mount attacks on the network communication protocol by both dropping the legitimate packets they have received from reliable nodes (with different packet drop rates) and generating their own flows to deliver to other (malicious) nodes via the legitimate nodes. The ultimate goal of the adversary is to degrade the network performance (i.e., data availability and packet delivery ratio).

Footnote 5: Once the initialization period is elapsed, we set the time as t = 0.

Footnote 6: It can be shown that when the decoder receives $1000(1 + \zeta_{1000})$ packets, where $\zeta_{1000}$ is a positive number very close to zero, it can successfully decode all 1000 input packets with high probability [35], [36].

Fig. 7: Confidence of a judge node on its verdict vs. the detection level for W = 0.10. [Plot: confidence (Σ) versus detection level (p), with curves for M = 20, 40, 60, 80 and 100.]

Fig. 8: $\hat{M}$ versus the detection level when Σ = 0.95 for different values of W. [Plot: horizontal axis is the detection level (p), with curves for W = 0.05, 0.10, 0.15, 0.20, 0.25 and 0.30.]

Fig. 9: Probability of detection success for fixed k and varying s values with the RWP mobility model. [Plot: success probability versus time (minutes); ITRM and Voting curves for k = 10, 15 and 20, annotated with s = 10, 15, 20, 25, 30, 35 and 40.]

Fig. 10: Probability of detection success for fixed s and varying k values with the RWP mobility model. [Plot: success probability versus time (minutes); ITRM and Voting curves for s = 10, 20, 30 and 40, annotated with k = 10, 15 and 20.]

Fig. 11: Probability of detection success for fixed k and varying s values with the LW mobility model. [Plot: success probability versus time (minutes); ITRM and Voting curves for k = 10, 15 and 20, annotated with s = 10, 15, 20, 25, 30, 35 and 40.]

Fig. 12: Probability of detection success for fixed s and varying k values with the LW mobility model. [Plot: success probability versus time (minutes); ITRM and Voting curves for s = 10, 20, 30 and 40, annotated with k = 10, 15 and 20.]

Mean Absolute Error (MAE): In Fig. 13, we compared the performance of ITRM with the Bayesian reputation management framework in [10] and the EigenTrust algorithm [21] (in the DTN environment presented before) in terms of MAE when the fraction of the malicious raters (W) is 0.30. In other words, for each legitimate judge, we computed the average MAE (between the actual reputation value and the computed reputation value) based on the reputation values computed at that judge node. Further, since each legitimate judge node computes the reputation values (of the other nodes) itself using ITRM, Bayesian framework or EigenTrust, we computed the average MAE over all legitimate nodes.

Fig. 13: MAE performance of various schemes for bad-mouthing when W = 0.30. [Plot: MAE versus time (minutes), with curves for ITRM, Bayesian framework [11] and Eigentrust.]

From these simulation results, we conclude that ITRM significantly outperforms the Bayesian framework and the EigenTrust algorithm in the presence of attacks. Further, for different values of W and for different parameters in the LW mobility model, we still observed the superiority of ITRM over the other schemes. We note that since the Bayesian framework shows a better performance than the EigenTrust in terms of MAE, we compare the performance of ITRM with the Bayesian framework for data availability and packet delivery ratio in the rest of this section.

Availability: We define the availability as the percentage of recovered messages (by their final destinations) in the network at a given time. In Figs. 14 and 15, we showed the percentage of recovered messages versus time for the following scenarios: i) when there is no defense against the malicious nodes and each malicious node has a packet drop rate of 1, ii) when a detection level of 0.8 is used by ITRM (in which each judge node is supposed to identify and isolate all the Byzantine nodes whose packet drop rates are 0.8 or higher), iii) when a complete detection is used by ITRM (in which all malicious nodes are supposed to be detected and isolated regardless of their packet drop rate), and iv) when the Bayesian reputation management framework in [10] is used to detect the malicious nodes. We note that in the second, third, and fourth scenarios, the packet drop rates by the malicious nodes are uniformly distributed between 0 and 1 in order to make the detection harder. Further, in the second, third, and fourth scenarios, we assume the attack on the security mechanism as described before.

The plots show that the percentage of recovered messages at a given time significantly decreases with increasing W for the defenseless scheme. On the other hand, we observed a considerable improvement in the percentage of recovered messages even after a high level detection (p = 0.8) using the proposed scheme. We further observed that the Bayesian reputation management framework in [10] fails to provide high data availability with low latency. This is due to the fact that when the malicious nodes collaboratively attack the reputation management scheme, reputation systems which rely on the Bayesian Approach (such as [10]) result in high MAE in the reputation values of the nodes (as illustrated in Fig. 13). Therefore, the reputation mechanism in [10] not only fails to detect all malicious nodes in the network, but it also labels some reliable nodes (which are victimized by the malicious nodes using the bad-mouthing attack) as malicious. Moreover, we considered the reliable message delivery as the probability of the delivery of a single specific message to its destination at any given time. Thus, the probability of recovery (of a specific message) at the destination node at any given time is plotted (while other flows still exist) in Figs. 16 and 17. These figures also illustrate the improvement in reliable message delivery as a result of the proposed scheme even after a high level detection. We again observed that the reputation mechanism in [10] fails to provide fast reliable message delivery due to the vulnerability of the Bayesian reputation management framework in detecting malicious nodes.

Fig. 14: Fraction of the recovered messages versus time for W = 0.10 with the LW mobility model. [Plot: % recovered messages versus time (minutes), with curves for defenseless, detection level of 0.8, complete detection and Bayesian framework [11].]

Fig. 15: Fraction of the recovered messages versus time for W = 0.40 with the LW mobility model. [Plot: % recovered messages versus time (minutes), with curves for defenseless, detection level of 0.8, complete detection and Bayesian framework [11].]

Fig. 16: Probability of message recovery for a single flow versus time for W = 10% with the LW mobility model. [Plot: probability of message recovery versus time (minutes), with curves for defenseless, detection level of 0.8, complete detection and Bayesian framework [11].]

Fig. 17: Probability of message recovery for a single flow versus time for W = 40% with the LW mobility model. [Plot: probability of message recovery versus time (minutes), with curves for defenseless, detection level of 0.8, complete detection and Bayesian framework [11].]

Fig. 18: Packet delivery ratio versus time for W = 10% with the LW mobility model. [Plot: packet delivery ratio versus time (minutes), with curves for defenseless, detection level of 0.8, complete detection and Bayesian framework [11].]

Fig. 19: Packet delivery ratio versus time for W = 40% with the LW mobility model. [Plot: packet delivery ratio versus time (minutes), with curves for defenseless, detection level of 0.8, complete detection and Bayesian framework [11].]

Comparing the time required for a high success probability (for detection) in Figs. 11 and 12 and the time required to have high data availability at the receivers, we observed that the ITRM enables the judge nodes to calculate the reputations of all the network nodes in a relatively short amount of time. In other words, the time required to calculate the reputation values of all the network nodes at a judge node is significantly less than the time required for the transmission of a single message, which is a significant result for DTNs. Further, the overhead caused by the extra messages between the nodes due to the security protocol is negligible when compared with the data packets. This is because the overhead due to the security mechanism is dominated by the signed receipts from the suspect nodes to prove the deliveries by the suspect nodes. As we mentioned before, knowing how long it takes to have a high success probability at a judge node for a given detection level (from the results in Figs. 11 and 12), the witnesses can determine the lifetimes of the signed receipts. For example, in the LW mobility model used, the scheme provides a high probability of success (S) in approximately 70 minutes. Therefore, the lifetime of a signed receipt is estimated as 70 minutes, on the average. Moreover, for the chosen mobility model, each node establishes (on the average) 30 contacts in 70 minutes. This means that a suspect node transfers approximately 30 signed receipts to a witness node upon its contact. Since the length of the signature is about 20 bytes [42] and the size of a data packet is 128 bytes, 30 signed receipts can be delivered via 5 data packets. Considering the data rates of 250 kbps, the overhead of 5 data packets becomes negligible when compared to the entire message exchange between two nodes during the contact. This also shows that the proposed algorithm does not introduce a significant overhead burden on the network.

Packet Delivery Ratio: We define the packet delivery ratio as the ratio of the number of legitimate packets received by their destinations to the number of legitimate packets transmitted by their sources. Therefore, we observed the impact of malicious nodes on the packet delivery ratio and the progress achieved as a result of our scheme in Figs. 18 and 19. As before, we consider i) the defenseless scheme, ii) a detection level of 0.8, iii) a complete detection, and iv) the Bayesian reputation management framework in [10]. We observed a notable improvement in the packet delivery ratio as a result of the proposed scheme. As W increases, the packet delivery ratio of the defenseless scheme decreases significantly while our proposed scheme still provides a high packet delivery ratio even at the detection level of 0.8, which illustrates the robustness of the proposed scheme. Finally, we observed that the scheme in [10] fails to provide a high packet delivery ratio due to its vulnerability against colluding malicious nodes as discussed before.

4 CONCLUSION

In this paper, we introduced a robust and efficient security mechanism for delay tolerant networks. The proposed security mechanism consists of a trust management mechanism and an iterative reputation management scheme (ITRM). The trust management mechanism enables each network node to determine the trustworthiness of the nodes with which it had direct transactions. On the other hand, ITRM takes advantage of an iterative mechanism to detect and isolate the malicious nodes from the network in a short time. We studied the performance of the proposed scheme and showed that it effectively detects the malicious nodes even in the presence of the attacks on the trust and detection mechanisms. We also illustrated that the proposed scheme is far more effective than the Bayesian framework and EigenTrust in computing the reputation values in a DTN environment. Moreover, using computer simulations we showed that the proposed mechanism provides high data availability with low information latency by detecting and isolating the malicious nodes in a short time.

REFERENCES

[1] K. Fall, “A delay-tolerant network architecture for challenged internets,” ACM SIGCOMM, pp. 27–34, 2003.

[2] Y. Wang, S. Jain, M. Martonosi, and K. Fall, “Erasure-coding based routing for opportunistic networks,” in WDTN ’05: Proceeding of the 2005 ACM SIGCOMM workshop on Delay-tolerant networking. New York, NY, USA: ACM Press, 2005, pp. 229–236.

[3] Y. Zhu, D. Guo, and M. L. Honig, “A message-passing approach for joint channel estimation, interference mitigation and decoding,” IEEE Transactions on Wireless Communications, vol. 8, no. 12, pp. 6008–6018, Dec. 2009.

[4] H. Pishro-Nik and F. Fekri, “Results on punctured low-density parity-check codes and improved iterative decoding techniques,” IEEE Transactions on Information Theory, vol. 53, no. 2, pp. 599–614, Feb. 2007.

[5] E. Ayday, H. Lee, and F. Fekri, “An iterative algorithm for trust and reputation management,” ISIT ’09: Proceedings of IEEE International Symposium on Information Theory, 2009.

[6] A. A. Pirzada, C. McDonald, and A. Datta, “Performance comparison of trust-based reactive routing protocols,” IEEE Transactions on Mobile Computing, vol. 5, no. 6, pp. 695–710, Jun. 2006.

[7] S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad-hoc networks,” Proceedings of ACM International Conference on International Conference on Mobile Computing and Networking (MobiCom00), pp. 255–265, 2000.

[8] K. Paul and D. Westhoff, “Context aware detection of selfish nodes in dsr based ad-hoc networks,” Proceedings of IEEE Global Telecommunications Conference (GLOBECOM02), pp. 178–182, 2002.

[9] S. Buchegger and J. Boudec, “Performance analysis of CONFIDANT protocol (cooperation of nodes: Fairness in dynamic ad-hoc networks),” Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHOC), Jun. 2002.

[10] ——, “A robust reputation system for p2p and mobile ad-hoc networks,” Proceedings of the Second Workshop on the Economics of Peer-to-Peer Systems, 2004.

[11] E. Ayday and F. Fekri, “Using node accountability in credential based routing for mobile ad-hoc networks,” Proceedings of the Fifth IEEE International Conference on Mobile Ad-hoc and Sensor Systems, 2008.

[12] ——, “A protocol for data availability in mobile ad-hoc networks in the presence of insider attacks,” Elsevier Ad Hoc Networks, vol. 8, no. 2, pp. 181–192, Mar. 2010.

[13] P. Dewan, P. Dasgupta, and A. Bhattacharya, “On using reputations in ad-hoc networks to counter malicious nodes,” Proceedings of the Tenth International Conference on Parallel and Distributed Systems (ICPADS04), 2004.

[14] K. Liu, J. Deng, P. K. Varshney, and K. Balakrishnan, “An acknowledgment-based approach for the detection of routing misbehavior in MANETs,” IEEE Transactions on Mobile Computing, vol. 6, no. 5, pp. 536–550, May 2007.

[15] W. Yu and K. R. Liu, “Game theoretic analysis of cooperation stimulation and security in autonomous mobile ad-hoc networks,” IEEE Transactions on Mobile Computing, vol. 6, no. 5, pp. 507–521, May 2007.

[16] P. Resnick, R. Zeckhauser, E. Friedman, and K. Kuwabara, “Reputation systems: facilitating trust in internet interactions,” Communications of the ACM, vol. 43, no. 12, pp. 45–48, 2000.

[17] A. Jøsang, R. Ismail, and C. Boyd, “A survey of trust and reputation systems for online service provision,” Decision Support Systems, vol. 43, no. 2, pp. 618–644, 2007.

[18] K. Aberer and Z. Despotovic, “Managing trust in a peer-2-peer information system,” CIKM ’01: Proceedings of the 10th International Conference on Information and knowledge management, pp. 310–317, 2001.

[19] F. Cornelli, E. Damiani, S. D. C. di Vimercati, S. Paraboschi, and P. Samarati, “Choosing reputable servents in a P2P network,” WWW ’02: Proceedings of the 11th International Conference on World Wide Web, pp. 376–386, 2002.

[20] E. Damiani, D. C. di Vimercati, S. Paraboschi, P. Samarati, and F. Violante, “A reputation-based approach for choosing reliable resources in peer-to-peer networks,” CCS ’02: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 207–216, 2002.

[21] S. D. Kamvar, M. T. Schlosser, and H. Garcia-Molina, “The eigentrust algorithm for reputation management in P2P networks,” WWW ’03: Proceedings of the 12th International Conference on World Wide Web, pp. 640–651, 2003.

[22] C. Dellarocas, “Immunizing online reputation reporting systems against unfair ratings and discriminatory behavior,” EC ’00: Proceedings of the 2nd ACM conference on Electronic commerce, pp. 150–157, 2000.

[23] P. Macnaughton-Smith, W. T. Williams, M. B. Dale, and L. G. Mockett, “Dissimilarity analysis: A new technique of hierarchical sub-division,” Nature (202), pp. 1034–1035, 1964.

[24] A. Seth and S. Keshav, “Practical security for disconnected nodes,” Proceedings of the 1st IEEE ICNP Workshop on Secure Network Protocols (NPSec), pp. 31–36, 2005.

[25] S. Cui, P. Duan, and C. Chan, “An efficient identity-based signature scheme with batch verifications,” Proceedings of the 1st International Conference on Scalable Information Systems (InfoScale ’06), p. 22, 2006.

[26] A. Kate, G. Zaverucha, and U. Hengartner, “Anonymity and security in delay tolerant networks,” Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks (SecureComm07), 2007.

[27] J. Burgess, G. Bissias, M. Corner, and B. Levine, “Surviving attacks on disruption-tolerant networks without authentication,” Proceedings of the 8th ACM International Symposium on Mobile Ad Hoc Networking and Computing, pp. 61–70, 2007.

[28] Y. Yang, Q. Feng, Y. L. Sun, and Y. Dai, “RepTrap: a novel attack on feedback-based reputation systems,” SecureComm ’08: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, pp. 1–11, 2008.

[29] B. N. Vellambi and F. Fekri, “Results on the improved decoding algorithm for low-density parity-check codes over the binary erasure channel,” IEEE Transactions on Information Theory, vol. 53, no. 4, pp. 1510–1520, April 2007.

[30] G. Zacharia, A. Moukas, and P. Maes, “Collaborative reputation mechanisms in electronic marketplaces,” HICSS ’99: Proceedings of the Thirty-second Annual Hawaii International Conference on System Sciences-Volume 8, 1999.

[31] I. Rhee, M. Shin, S. Hong, K. Lee, and S. Chong, “On the levy walk nature of human mobility,” INFOCOM ’08: Proceedings of the IEEE International Conference on Computer Communications, 2008.

[32] J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and J. Jetcheva, “A performance comparison of multi-hop wireless ad hoc network routing protocols,” MobiCom ’98: Proceedings of the 4th Annual ACM/IEEE International Conference on Mobile Computing and Networking, pp. 85–97, 1998.

[33] A. Petz, J. Enderle, and C. Julien, “A framework for evaluating DTN mobility models,” Proceedings of the 2nd International Conference on Simulation Tools and Techniques, pp. 94:1–94:8, 2009.

[34] S. Hong, I. Rhee, S. J. Kim, K. Lee, and S. Chong, “Routing performance analysis of human-driven delay tolerant networks using the truncated levy walk model,” Proceeding of the 1st ACM SIGMOBILE workshop on Mobility models, pp. 25–32, 2008.

[35] M. Luby, “LT codes,” FOCS ’02: Proceedings of the 43rd Symposium on Foundations of Computer Science, pp. 271–280, 2002.

[36] A. Shokrollahi, “Raptor codes,” IEEE Transactions on Information Theory, vol. 52, no. 6, pp. 2551–2567, June 2006.

[37] B. N. Vellambi, R. Subramanian, F. Fekri, and M. Ammar, “Reliable and efficient message delivery in delay tolerant networks using rateless codes,” MobiOpp ’07: Proceedings of the 1st international MobiSys workshop on Mobile opportunistic networking, pp. 91–98, 2007.

[38] B. H. Bloom, “Space/time trade-offs in hash coding with allowable errors,” ACM Communications, vol. 13, no. 7, pp. 422–426, Jul. 1970.

[39] F. Hao, M. Kodialam, and T. V. Lakshman, “Building high accuracy Bloom filters using partitioned hashing,” Proceedings of ACM International Conference on Measurement and Modeling of Computer Systems, pp. 277–288, 2007.

[40] R. Groenevelt, P. Nain, and G. Koole, “The message delay in mobile ad hoc networks,” Performance Evaluation, vol. 62, no. 1-4, pp. 210–228, 2005.

[41] A. Whitby, A. Josang, and J. Indulska, “Filtering out unfair ratings in bayesian reputation systems,” AAMAS ’04: Proceedings of the 7th International Workshop on Trust in Agent Societies, 2004.

[42] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An efficient identity based batch verification scheme for vehicular sensor networks,” INFOCOM ’08: Proceedings of the IEEE International Conference on Computer Communications, 2008.

Erman Ayday received his B.S. degree in Electrical and Electronics Engineering from the Middle East Technical University, Ankara, Turkey, in 2005. He received his M.S. degree from the School of Electrical and Computer Engineering (ECE), Georgia Institute of Technology, Atlanta, GA, in 2007. He is currently a Research Assistant in the Information Processing, Communications and Security Research Laboratory and pursuing his Ph.D. degree at the School of ECE, Georgia Institute of Technology, Atlanta, GA. His current research interests include wireless network security, game theory for wireless networks, trust and reputation management, and recommender systems. Erman Ayday is the recipient of 2010 Outstanding Research Award from the Center of Signal and Image Processing (CSIP) at Georgia Tech and 2011 ECE Graduate Research Assistant (GRA) Excellence Award from Georgia Tech.

Faramarz Fekri received Ph.D. degree from the Georgia Institute of Technology in 2000. Since 2000, Dr. Fekri has been with the faculty of the School of Electrical and Computer Engineering at the Georgia Institute of Technology where he currently holds a full Professor position. He serves on the editorial board of the IEEE Transactions on Communications, and on the Technical Program Committees of several IEEE conferences.

Dr. Fekri’s current research interests are in the area of communications and signal processing, in particular coding and information theory, information processing for wireless and sensor networks, and communication security. Dr. Fekri received the National Science Foundation CAREER Award (2001), and Southern Center for Electrical Engineering Education (SCEEE) Research Initiation Award (2003), Outstanding Young faculty Award of the School of ECE (2006). He is a Senior Member of the IEEE.

