Cost-Aware SEcure Routing (CASER) Protocol

Embed Size (px)

DESCRIPTION

Abstract—Lifetime optimization and security are two conflicting design issues for multi-hop wireless sensor networks (WSNs) withnon-replenishable energy resources. In this paper, we first propose a novel secure and efficient Cost-Aware SEcure Routing (CASER)protocol to address these two conflicting issues through two adjustable parameters: energy balance control (EBC) and probabilisticbasedrandom walking. We then discover that the energy consumption is severely disproportional to the uniform energy deployment forthe given network topology, which greatly reduces the lifetime of the sensor networks. To solve this problem, we propose an efficientnon-uniform energy deployment strategy to optimize the lifetime and message delivery ratio under the same energy resource andsecurity requirement. We also provide a quantitative security analysis on the proposed routing protocol. Our theoretical analysis andOPNET simulation results demonstrate that the proposed CASER protocol can provide an excellent tradeoff between routing efficiencyand energy balance, and can significantly extend the lifetime of the sensor networks in all scenarios. For the non-uniform energydeployment, our analysis shows that we can increase the lifetime and the total number of messages that can be delivered by more thanfour times under the same assumption. We also demonstrate that the proposed CASER protocol can achieve a high message deliveryratio while preventing routing traceback attacks.

Citation preview

  • Cost-Aware SEcure Routing (CASER) ProtocolDesign for Wireless Sensor NetworksDi Tang, Tongtong Li, Jian Ren, Senior Member, IEEE, and Jie Wu, Fellow, IEEE

    AbstractLifetime optimization and security are two conflicting design issues for multi-hop wireless sensor networks (WSNs) with

    non-replenishable energy resources. In this paper, we first propose a novel secure and efficient Cost-Aware SEcure Routing (CASER)

    protocol to address these two conflicting issues through two adjustable parameters: energy balance control (EBC) and probabilistic-

    based random walking. We then discover that the energy consumption is severely disproportional to the uniform energy deployment for

    the given network topology, which greatly reduces the lifetime of the sensor networks. To solve this problem, we propose an efficient

    non-uniform energy deployment strategy to optimize the lifetime and message delivery ratio under the same energy resource and

    security requirement. We also provide a quantitative security analysis on the proposed routing protocol. Our theoretical analysis and

    OPNET simulation results demonstrate that the proposed CASER protocol can provide an excellent tradeoff between routing efficiency

    and energy balance, and can significantly extend the lifetime of the sensor networks in all scenarios. For the non-uniform energy

    deployment, our analysis shows that we can increase the lifetime and the total number of messages that can be delivered by more than

    four times under the same assumption. We also demonstrate that the proposed CASER protocol can achieve a high message delivery

    ratio while preventing routing traceback attacks.

    Index TermsRouting, security, energy efficiency, energy balance, delivery ratio, deployment, simulation

    1 INTRODUCTION

    THE recent technological advances make wireless sensornetworks (WSNs) technically and economically feasibleto be widely used in both military and civilian applications,such as monitoring of ambient conditions related to theenvironment, precious species and critical infrastructures.A key feature of such networks is that each network consistsof a large number of untethered and unattended sensornodes. These nodes often have very limited and non-replen-ishable energy resources, which makes energy an importantdesign issue for these networks.

    Routing is another very challenging design issue forWSNs. A properly designed routing protocol should notonly ensure a high message delivery ratio and low energyconsumption for message delivery, but also balance theentire sensor network energy consumption, and therebyextend the sensor network lifetime.

    In addition to the aforementioned issues, WSNs rely onwireless communications, which is by nature a broadcastmedium. It is more vulnerable to security attacks than itswired counterpart due to lack of a physical boundary. Inparticular, in the wireless sensor domain, anybody with anappropriate wireless receiver can monitor and intercept thesensor network communications. The adversaries may useexpensive radio transceivers, powerful workstations and

    interact with the network from a distance since they are notrestricted to using sensor network hardware. It is possiblefor the adversaries to perform jamming and routing trace-back attacks.

    Motivated by the fact that WSNs routing is often geogra-phy-based, we propose a geography-based secure and effi-cient Cost-Aware SEcure routing (CASER) protocol forWSNswithout relying on flooding. CASER allows messages to betransmitted using two routing strategies, random walkingand deterministic routing, in the same framework. The distri-bution of these two strategies is determined by the specificsecurity requirements. This scenario is analogous to deliver-ingUSMail throughUSPS: expressmails costmore than regu-larmails; however, mails can be delivered faster. The protocolalso provides a secure message delivery option to maximizethe message delivery ratio under adversarial attacks. In addi-tion, we also give quantitative secure analysis on the pro-posed routing protocol based on the criteria proposed in [1].

    CASER protocol has two major advantages: (i) Itensures balanced energy consumption of the entire sensornetwork so that the lifetime of the WSNs can be maxi-mized. (ii) CASER protocol supports multiple routingstrategies based on the routing requirements, includingfast/slow message delivery and secure message deliveryto prevent routing traceback attacks and malicious trafficjamming attacks in WSNs.

    Our contributions of this paper can be summarizedas follows:

    1) We propose a secure and efficient Cost-Aware SEcureRouting (CASER) protocol forWSNs. In this protocol,cost-aware based routing strategies can be applied toaddress the message delivery requirements.

    2) We devise a quantitative scheme to balance theenergy consumption so that both the sensor network

    D. Tang, T. Li, and J. Ren are with the Department of Electrical and Com-puter Engineering, Michigan State University, East Lansing, MI 48824-1226. E-mail: {ditony, tongli, renjian}@egr.msu.edu.

    J. Wu is with the Department of Computer and Information Sciences,Temple University, Philadelphia, PA 19122. E-mail: [email protected].

    Manuscript received 10 Dec. 2013; revised 25 Feb. 2014; accepted 5 Apr. 2014.Date of publication 16 Apr. 2014; date of current version 6 Mar. 2015.Recommended for acceptance by X. Cheng.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TPDS.2014.2318296

    960 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 4, APRIL 2015

    1045-9219 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

  • lifetime and the total number of messages that can bedelivered are maximized under the same energydeployment (ED).

    3) We develop theoretical formulas to estimate thenumber of routing hops in CASER under varyingrouting energy balance control (EBC) and securityrequirements.

    4) We quantitatively analyze security of the proposedrouting algorithm.

    5) We provide an optimal non-uniform energy deploy-ment (noED) strategy for the given sensor networksbased on the energy consumption ratio. Our theoreti-cal and simulation results both show that under thesame total energy deployment, we can increase thelifetime and the number of messages that can bedelivered more than four times in the non-uniformenergy deployment scenario.

    The remainder of this paper is organized as follows.In Section 2, the related work is reviewed. The systemmodel is presented in Section 3. The proposed scheme isdescribed in Section 4. In Section 6, security analysis ofthe proposed scheme is conducted. Section 7 providesperformance analysis of the proposed scheme. We pres-ent the optimal, non-uniform energy deployment strat-egy for CASER in Section 8. We conclude in Section 9.

    2 RELATED WORK

    Routing is a challenging task in WSNs due to the limitedresources. Geographic routing has been widely viewed asone of the most promising approaches for WSNs. Geo-graphic routing protocols utilize the geographic locationinformation to route data packets hop-by-hop from thesource to the destination [2]. The source chooses the imme-diate neighboring node to forward the message based oneither the direction or the distance [3], [4], [5], [6]. The dis-tance between the neighboring nodes can be estimated oracquired by signal strengths or using GPS equipments [7],[8]. The relative location information of neighbor nodes canbe exchanged between neighboring nodes.

    In [5], a geographic adaptive fidelity (GAF) routingscheme was proposed for sensor networks equipped withlow power GPS receivers. In GAF, the network area isdivided into fixed size virtual grids. In each grid, onlyone node is selected as the active node, while the otherswill sleep for a period to save energy. The sensor for-wards the messages based on greedy geographic routingstrategy. A query based geographic and energy awarerouting (GEAR) was proposed in [6]. In GEAR, the sinknode disseminates requests with geographic attributes tothe target region instead of using flooding. Each node for-wards messages to its neighboring nodes based on esti-mated cost and learning cost. The estimated costconsiders both the distance to the destination and theremaining energy of the sensor nodes. While the learningcost provides the updating information to deal with thelocal minimum problem.

    While geographic routing algorithms have the advan-tages that each node only needs to maintain its neighboringinformation, and provides a higher efficiency and a betterscalability for large scale WSNs, these algorithms may reach

    their local minimum, which can result in dead end or loops.To solve the local minimum problem, some variationsof these basic routing algorithms were proposed in [9],including GEDIR, MFR and compass routing algorithm.The delivery ratio can be improved if each node is aware ofits two-hop neighbors. There are a few papers [3], [10], [11],[12] discussed combining greedy and face routing to solvethe local minimum problem. The basic idea is to set the localtopology of the network as a planar graph, and then therelay nodes try to forward messages along one or possibly asequence of adjacent faces toward the destination.

    Lifetime is another area that has been extensively stud-ied in WSNs. In [13], a routing scheme was proposed tofind the sub-optimal path that can extend the lifetime ofthe WSNs instead of always selecting the lowest energypath. In the proposed scheme, multiple routing paths is setahead by a reactive protocol such as AODV or directed dif-fusion. Then, the routing scheme will choose a path basedon a probabilistic method according to the remainingenergy. In [14], Chang and Tassiulas assumed that thetransmitter power level can be adjusted according to thedistance between the transmitter and the receiver. Routingwas formulated as a linear programming problem ofneighboring node selection to maximize the network life-time. Then Zhang and Shen [15] investigated the unbal-anced energy consumption for uniformly deployed data-gathering sensor networks. In this paper, the network isdivided into multiple corona zones and each node can per-form data aggregation. A localized zone-based routingscheme was proposed to balance energy consumptionamong nodes within each corona. Liu et al. in [16] formu-lated the integrated design of route selection, traffic loadallocation, and sleep scheduling to maximize the networklifetime. Based on the concept of opportunistic routing,[17] developed a routing metric to address both link reli-ability and node residual energy. The sensor node com-putes the optimal metric value in a localized area toachieve both reliability and lifetime maximization.

    In addition, exposure of routing information presentssignificant security threats to sensor networks. By acquisi-tion of the location and routing information, the adversariesmay be able to traceback to the source node easily. To solvethis problem, several schemes have been proposed to pro-vide source-location privacy through secure routing proto-col design [18], [19], [20].

    In [21], source-location privacy is provided throughbroadcasting that mixes valid messages with dummy mes-sages. The main idea is that each node needs to transmitmessages consistently. Whenever there is no valid messageto transmit, the node transmits dummy messages. Thetransmission of dummymessages not only consumes signif-icant amount of sensor energy, but also increases the net-work collisions and decreases the packet delivery ratio. Inphantom routing protocol [22], each message is routed fromthe actual source to a phantom source along a designeddirected walk through either sector-based approach or hop-based approach. The direction/sector information is storedin the header of the message. Then every forwarder on therandom walk path forwards this message to a randomneighbor based on the direction/sector determined by thesource node. In this way, the phantom source can be away

    TANG ET AL.: COST-AWARE SECURE ROUTING (CASER) PROTOCOL DESIGN FORWIRELESS SENSOR NETWORKS 961

  • from the actual source. Unfortunately, once the message iscaptured on the random walk path, the adversaries is ableto get the direction/sector information stored in the headerof the message. Therefore, exposure of the directiondecreases the complexity for adversaries to trace back to theactual message source in the magnitude of 2h.

    In [19], [20], we developed a two-phase routing algo-rithm to provide both content confidentiality and source-location privacy. The message is first transmitted to a ran-domly selected intermediate node in the sensor domainbefore the message is being forwarded to a network mixingring where the messages from different directions aremixed. Then the message is forwarded from the ring to thesink node. In [1], we developed criteria to quantitativelymeasure source-location information leakage for routing-based schemes through source-location disclosure index(SDI) and source-location space index (SSI). To the best ofour knowledge, none of these schemes have considered pri-vacy from a cost-aware perspective.

    In this paper, for the first time, we propose a secure andefficient Cost-Aware SEcure Routing (CASER) protocol thatcan address energy balance and routing security concur-rently in WSNs. In CASER protocol, each sensor node needsto maintain the energy levels of its immediate adjacentneighboring grids in addition to their relative locations.Using this information, each sensor node can create varyingfilters based on the expected design tradeoff between secu-rity and efficiency. The quantitative security analysis dem-onstrates the proposed algorithm can protect the sourcelocation information from the adversaries. Our extensiveOPNET simulation results show that CASER can provideexcellent energy balance and routing security. It is also dem-onstrated that the proposed secure routing can increase themessage delivery ratio due to reduced dead ends and loopsin message forward.

    3 MODELS AND ASSUMPTIONS

    3.1 The System Model

    We assume that the WSNs are composed of a large numberof sensor nodes and a sink node. The sensor nodes are ran-domly deployed throughout the sensor domain. Each sensornode has a very limited and non-replenishable energyresource. The sink node is the only destination for all sensornodes to sendmessages to through amulti-hop routing strat-egy. The information of the sink node is made public. Forsecurity purposes, each message may also be assigned anode ID corresponding to the location where this message isinitiated. To prevent adversaries from recovering the sourcelocation from the node ID, a dynamic ID can be used. Thecontent of each message can also be encrypted using thesecret key shared between the node/grid and the sink node.

    We also assume that each sensor node knows its relativelocation in the sensor domain and has knowledge of itsimmediate adjacent neighboring grids and their energy lev-els of the grid. The information about the relative location ofthe sensor domain may be broadcasted in the network forrouting information update.

    In this paper, we will not deal with key management,including key generation, key distribution and key updating.

    3.2 The Adversarial Model and Assumptions

    In WSNs, the adversary may try to recover the messagesource or jam the message from being delivered to the sinknode. The adversaries would try their best to equip them-selves with advanced equipments, which means they wouldhave some technical advantages over the sensor nodes. Inthis paper, the adversaries are assumed to have the follow-ing characteristics:

    The adversaries will have sufficient energy resour-ces, adequate computational capability and enoughmemory for data storage. On detecting an event,they could determine the immediate sender by ana-lyzing the strength and direction of the signal theyreceived. They can move to this senders locationwithout too much delay. They may also compromisesome sensor nodes in the network.

    The adversaries will not interfere with the properfunctioning of the network, such as modifyingmessages, altering the routing path, or destroyingsensor devices, since such activities can be easilyidentified. However, the adversaries may carry outpassive attacks, such as eavesdropping on thecommunications.

    The adversaries are able to monitor the traffic inany specific area that is important for them andget all of the transmitted messages in that area.However, we assume that the adversaries areunable to monitor the entire network. In fact, if theadversaries could monitor the entire WSN, theycan monitor the events directly without relying onother peoples sensor network.

    3.3 Design Goals

    Our design goal can be summarized as follows:

    To maximize the sensor network lifetime, weensure that the energy consumption of all sensorgrids are balanced.

    To achieve a high message delivery ratio, our routingprotocol should try to avoid message dropping whenan alternative routing path exists.

    The adversaries should not be able to get the sourcelocation information by analyzing the traffic pattern.

    The adversaries should not be able to get the sourcelocation information if he is only able to monitor acertain area of the WSN and compromise a few sen-sor nodes.

    Only the sink node is able to identify the source loca-tion through the message received. The recovery ofthe source location from the received messageshould be very efficient.

    The routing protocol should maximize the probabil-ity that the message is being delivered to the sinknode when adversaries are only able to jam a fewsensor nodes.

    3.4 Overview of the Proposed Scheme

    In our scheme, the network is evenly divided into smallgrids. Each grid has a relative location based on the gridinformation. The node in each grid with the highest

    962 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 4, APRIL 2015

  • energy level is selected as the head node for message for-warding. In addition, each node in the grid will maintainits own attributes, including location information, remain-ing energy level of its grid, as well as the attributes of itsadjacent neighboring grids. The information maintainedby each sensor node will be updated periodically. Weassume that the sensor nodes in its direct neighboringgrids are all within its direct communication range. Wealso assume that the whole network is fully connectedthrough multi-hop communications.

    While maximizing message source location privacy andminimizing traffic jamming for communications betweenthe source and the destination nodes, we can optimize thesensor network lifetime through a balanced energy con-sumption throughout the sensor network.

    In addition, the maintained energy levels of its adjacentneighboring grids can be used to detect and filter out thecompromised nodes for active routing selection.

    4 THE PROPOSED CASER ROUTING PROTOCOL

    We now describe the proposed CASER protocol. Under theCASER protocol, routing decisions can vary to emphasizedifferent routing strategies. In this paper, we will focus ontwo routing strategies for message forwarding: shortestpath message forwarding, and secure message forwardingthrough random walking to create routing path unpredict-ability for source privacy and jamming prevention. Asdescribed before, we are interested in routing schemes thatcan balance energy consumption.

    4.1 Assumptions and Energy Balance Routing

    In the CASER protocol, we assume that each node maintainsits relative location and the remaining energy levels of itsimmediate adjacent neighboring grids. For node A, denotethe set of its immediate adjacent neighboring grids as N Aand the remaining energy of grid i as Eri; i 2 N A. With thisinformation, the node A can compute the average remainingenergy of the grids inN A as EaA 1jNAj

    Pi2NA Eri.

    In the multi-hop routing protocol, node A selects its nexthop grid only from the set N A according to the predeter-mined routing strategy. To achieve energy balance amongall the grids in the sensor network, we carefully monitorand control the energy consumption for the nodes with rela-tively low energy levels by configuring A to only select thegrids with relatively higher remaining energy levels formessage forwarding.

    For this purpose, we introduce a parameter a 2 0; 1 toenforce the degree of the energy balance control. We definethe candidate set for the next hop node as N aA fi 2 N A jEri aEaAg based on the EBC a. It can be easily seen thata larger a corresponds to a better EBC. It is also clear thatincreasing of a may also increase the routing length. How-ever, it can effectively control energy consumption from thenodes with energy levels lower than aEaA.

    We summarize the CASER routing protocol inAlgorithm 1. It should be pointed out that the EBC param-eter a can be configured in the message level, or in thenode level based on the application scenario and the pref-erence. When a increases from 0 to 1, more and more sen-sor nodes with relatively low energy levels will be

    excluded from the active routing selection. Therefore, theN aA shrinks as a increases. In other words, as a increases,the routing flexibility may reduce. As a result, the overallrouting hops may increase. But since EaA is defined asthe average energy level of the nodes in N A, this subset isdynamic and will never be empty. Therefore, the next hopgrid can always be selected from N aA.

    4.1.1 Probability Analysis

    The parameter EBC enforces the route to bypass the gridswith lower remaining energy levels to extend the lifetime ofnetwork. To analyze the effect, the network is divided intosections, as shown in Fig. 1. When the source node has amessage to forward to the sink node, the source node selectsa relay grid from its neighbor grids based on both hop dis-tance and the remaining energy level. We divide the entiresensor domain into four p2 sections i (i 1; 2; 3; 4) corre-sponding to F (orward), U(pper), D(own) and B(ackward).The distance from the section Gi to the sink node is denotedas di. We also denote the remaining energy level of section ias Ei (i 1; 2; 3; 4). Since the initial energy distribution eachgrids and the events distribution are both random variables,the remaining energy level Ei can also be viewed as a ran-dom and independent and identically distributed (iid) vari-able. Let fei be the probability distribution function (PDF)of Ei. Based on Algorithm 1 and remaining energy distribu-tion, the probability that section i is not selected as a candi-date direction can be derived as follows:

    P Zi PEi < a S

    4i1Ei4

    P

    4 Eia S4i1Ei < 0

    ; i 1; . . . ; 4;

    (1)

    where Zi is the event that grid Gi is not selected as thecandidate grid due to its relatively low remainingenergy level.

    Denote Pi as the probability that grid Gi is selected as therelay grid for message forwarding. Suppose d1 d4,then we have

    Fig. 1. Routing path and length estimation.

    TANG ET AL.: COST-AWARE SECURE ROUTING (CASER) PROTOCOL DESIGN FORWIRELESS SENSOR NETWORKS 963

  • Pi Yi1j1

    P Zj 1 P Zi; i 1; . . . ; 4; (2)

    where P Zi R 01 fzi dzi, and fzi is the PDF of ran-

    dom variable Zi.

    4.1.2 Analysis on Energy Distribution

    Assume that each sensor node is initially deployed withequal initial energy. The energy level decreases when thesensor node forwards message. The remaining energylevel of each node is based on the events distribution.Since the event is a random variable in the network, weassume the remaining energy levels of the sensor nodesare iid random variables.

    Since the network is randomly deployed, the numberof sensor nodes in each grid is determined by the size ofthe grid. So the number of sensor nodes in each grid alsofollows iid. We assume that the number of sensor nodesin each grid is large enough so that the initial energy ofeach gird follows the normal distribution according to thecentral limit theorem. For each layer, the energy con-sumption for sensing and forwarding also follow the nor-mal distribution. So the remaining energy level Ei shallfollow the normal distribution, that is Ei Nmi; s2i ,where mi is the mean of the remaining energy level ofeach grid, si is the standard derivation of energy distribu-tion. Then

    Zi Nm0i; s

    0i2; (3)

    fZi 12pp

    s0ie12zim0i

    2

    s0i2; (4)

    P Zi Z 01

    12pp

    s0ie12zim0i

    2

    s0i2dzi; (5)

    wherem0i 4a mi S4j1mj and s0i2 4a 12s2i S4j1;j 6is2j .

    4.1.3 The Hop distance Estimation

    As shown in Fig. 1, we divide the whole sensor domain intofour equal size sections F , B, U and D. Let PF , PB, PU andPD be the probabilities that the message is forwarded to thesections F , B, U and D, respectively. Then we have the fol-lowing theorem.

    Theorem 1. Assume that the network is randomly deployed andeach sensor node is initially deployed with equal initialenergy. We also assume that data generation in each sensornode is a random variable. Then the number of routing hopsin the dynamic routing protocol can be estimated by thefollowing Equation

    h

    1 PUPLPFPB

    2rPF PB ; (6)

    where h is the shortest hop distance between the source andthe sink.

    Proof. Since the network is randomly deployed, the numberof sensor nodes in each grid is determined by the size ofthe grid. So the number of sensor nodes in each grid fol-lows iid. When the number of sensor nodes in each gridis large enough, the sum of the energy in each gridshould follow the normal distribution according to thecentral limit theorem. Therefore, the energy consumptionfor each grid is also the iid and follows the normaldistribution.

    In our proposed dynamic routing algorithm, the nextforwarding node is selected based on the routing proto-col. As shown in Fig. 1, since the probability of PU andPD have similar effect, while the PF PB needs to movethe message forward h hops, therefore we have estima-tion PF PB : PU PD h : x, where x is the rout-ing hops that the message is routed in theperpendicular direction, which can be calculated as

    x hPU PDPF PB :

    Therefore, the entire routing path length can be esti-mated as

    h

    1 PU PD

    PF PB

    2s; (7)

    and the total number of routing hops can be esti-mated by

    h

    1 PUPDPFPB

    2rPF PB :

    tuAccording to Section 4.1.1, in our case P1, P2, P3 and P4

    correspond to the sections F , B, U and D, respectively.Therefore, we have PF P1; PU P2; PD P3; PB P4.Based on Theorem 1, the total number of routing hops canbe estimated according to the following corollary.

    Corollary 1. Assume that the network is randomly deployed andeach sensor node is initially deployed with equal initial energy.We also assume that data generation in each sensor node is arandom variable. Then for a given EBC parameter a and thehop distance h for a = 0, the number of routing hops can beestimated from the following Equation:

    h

    1 P2P3P1P4

    2rP 1 P 4 : (8)

    Our simulation results conducted using OPNET networkperformance analysis tool demonstrate that Corollary 1 pro-vides a very good approximation on the actual number ofrouting hops, as shown in Table 1.

    4.2 Secure Routing Strategy

    In the previous section, we only described the shortestpath routing grid selection strategy. However, in CASERprotocol, we can support other routing strategies. In thissection, we propose a routing strategy that can providerouting path unpredictability and security. The routing

    964 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 4, APRIL 2015

  • protocol contains two options for message forwarding:one is a deterministic shortest path routing grid selectionalgorithm, and the other is a secure routing grid selec-tion algorithm through random walking.

    In the deterministic routing approach, the next hop grid isselected fromN aA based on the relative locations of the grids.The grid that is closest to the sink node is selected for mes-sage forwarding. In the secure routing case, the next hopgrid is randomly selected from N aA for message forwarding.The distribution of these two algorithms is controlled by asecurity level called b 2 0; 1, carried in each message.

    When a node needs to forward a message, the node firstselects a random number g 2 0; 1. If g > b, then the nodeselects the next hop grid based on the shortest routing algo-rithm; otherwise, the next hop grid is selected using randomwalking. The security level b is an adjustable parameter. Asmaller b results in a shorter routing path and is moreenergy efficient in message forwarding. On the other hand,a larger b provides more routing diversity and security.

    4.3 CASER Algorithm

    Based on the previous description, the CASER algorithmcan be described in Algorithm 2. While providing routingpath security, security routing will add extra routing over-head due to the extended routing path.

    When b increases, the probability for the next hop grid tobe selected through random walking also increases. Accord-ingly, the routing path becomes more random. In particular,when b 1, then randomwalking becomes the only routingstrategy for the next hop grid to be selected. The existingresearch [19], [20] has demonstrated that the message maynever be delivered from the source node to the destinationnode in this case.

    When b < 1, since CASER mixes random walking withdeterministic shortest path routing, the deterministic short-est path routing guarantees that the messages are sent fromthe source node to the sink node. However, the routing pathbecomes more dynamic and unpredictable. In this way, it ismore difficult for the adversary to capture the message or tojam the traffic. Therefore, the delivery ratio can be increasedin a hostile environment. While providing routing security,routing hop distance increases with the security level b.Corollary 2 provides a quantitative estimation of the routinghops in this scenario.

    Corollary 2. Assume that the network is randomly deployed andeach sensor node is initially deployed with equal initial energy.We also assume that data generation in each sensor node is arandom variable. Then the average number of routing hops fora message to be transmitted from the source to the sink nodescan be estimated as follows:

    h

    1 b21b

    2r1 b ; (9)

    where h is the required number of hops when the securitylevel b 0 (i.e., when no security is enforced).

    Proof. For a security level b, the probability that the mes-sage is routed forward using the deterministic shortestpath routing strategy is 1 b. For probability b, the mes-sage is forwarded using random walking. At eachsource, similar to Theorem 1, we can divide the entiredomain into four p2 sections, correspond to F;U;D;Bwithprobability PF 1 3b4 ; PU PD PB b4. The rest partof the proof is straight according to Theorem 1. tuTable 2 compares the average number of routing hops

    between simulation results and the estimation based onCorollary 2 for various security parameters.

    Remark 1. Corollary 1 and Corollary 2 are derived based onthe assumption that the sensor nodes are randomlydeployed. However, in our case, the remaining energylevels for the sensor nodes decrease exponentially whenmessage are being transmitted based on distancebetween the sensor nodes and the sink node. Therefore,the actual number of routing hops should be slightly lon-ger than this estimation.

    5 DETERMINE SECURITY LEVEL BASED ON COSTFACTOR

    Based on Corollary 2, for a given routing budget, we canalso find the maximum routing security level. This result isgiven in the following theorem.

    TABLE 1Routing Hops for Different EBC Parameters

    (m0 200, s0 50 2p )TABLE 2

    Routing Hops for Various Security Parameters (The SimulationWas Performed Using OPNET)

    TANG ET AL.: COST-AWARE SECURE ROUTING (CASER) PROTOCOL DESIGN FORWIRELESS SENSOR NETWORKS 965

  • Theorem 2. Assume that the network is randomly deployed andeach sensor node is initially deployed with equal initial energy.We also assume that data generation in each sensor node is arandom variable. Then for a given routing cost factor f , theoptimal security level can be estimated from the followingquartic equation:

    4fx4 5x2 2x 1 0; (10)where x 1 b.

    Proof. According to Corollary 2, we have1 b21b

    2r1 b f:

    Multiply both sides with 1 b, we have1 b

    21 b 2s

    f1 b:

    Square of both sides, we get

    1 b21 b 2

    f21 b2:

    Equivalently, we have

    41 b2 b2 4f21 b4:Let 1 b x, we can derive

    b2 1 x2 x2 2x 1;reorganize the above Equation, we get

    4f2x4 5x2 2x 1 0: (11)tu

    Equation (11) can be solved using Ferraris method[23] following Algorithm 3 to recover s 1 b. Thesecurity level b can be recovered as: b 1 s.

    Example 1. Suppose we want to deliver a message with costfactor f 1:5. To find the maximum routing securitylevel, we need to find the security parameter b. We cancompute s 1 b as follows:1: a 9; c 5; d 2; e 1;2: A 0:556;B 0:222;C 0:111;3: p 0:0854; q 0:016;

    4: r 0:001;5: u 0:110;6: y 0:314;w 0:270;7: s 0:684.

    Therefore, we have b 1 s 0:316, which means31.6% of the routing strategies should be based on ran-dom walking for message forwarding.

    6 SECURITY ANALYSIS

    In CASER, the next hop grid is selected based on one of thetwo routing strategies: shortest path routing or randomwalking. The selection of these two routing strategies isprobabilistically controlled by the security level b. The secu-rity level of each message can be determined by the messagesource according to the message priority or delivery prefer-ence. As b increases, the routing path becomes more ran-dom, unpredictable, robust to hostile detection, immune tointerception and interference attacks.

    While random walking can provide good routing pathunpredictability, it has poor routing performance [19], [20],[22]. CASER provides an excellent balance between routingsecurity and efficiency.

    6.1 Quantitative Security Analysis of CASER

    In [1], we introduced criteria to quantitatively measuresource-location privacy for WSNs.

    Definition 1 ([1] Source-location Disclosure Index). SDImeasures, from an information entropy point of view, theamount of source-location information that one message canleak to the adversaries.For a routing scheme, to achieve good source-location

    privacy, SDI value for the scheme should be as close to zeropossible.

    Definition 2 ([1] Source-location Space Index). SSI is definedas the set of possible network nodes, or area of the possible net-work domain, that a message can be transmitted from.For a source-location privacy scheme, SSI should be as

    large as possible so that the complexity for an adversary toperform an exhaustive search of the message source ismaximized.

    Definition 3 ([1] Normalized Source-location Space Index(NSSI)). NSSI is defined as the ratio of the SSI area over thetotal area of the network domain. Therefore, NSSI 2 0; 1,and we always have NSSI 1 d for some d 2 0; 1. The d iscalled the local degree.Based on these criteria, we can evaluate security of the

    CASER routing protocol.

    Theorem 3. Assume that the network is randomly deployed andeach sensor node is initially deployed with equal initial energy.We also assume that data generation in each sensor node is arandom variable. Then the CASER routing protocol canachieve perfect source node location information protectionwhen b > 0, that is

    SDI 0:Proof. First, in CASER, according to our assumption, a

    dynamic ID is used for each message, which prevents theadversary from linking multiple messages from the same

    966 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 4, APRIL 2015

  • source or linking the message to the source directionusing correlation based techniques.

    Second, for b > 0, due to probabilistic distribution ofrandom walking and deterministic routing, at each inter-mediate node, neither the original packet source direc-tion, nor the hop distance can be determined throughrouting traceback analysis. In fact, the adversary is infea-sible to determine the previous hop source node throughrouting traceback analysis. Moreover, the probability forthe adversary to receive multiple messages from thesame source node continuously is negligible for largesensor networks. Therefore, we have

    SDI 0: tuTheorem 4. Assume that the network is randomly deployed and

    each sensor node is initially deployed with equal initial energy.We also assume that data generation in each sensor node is arandom variable. Then the source location that can be providedby the CASER routing protocol is probabilistically propor-tional to the distribution of the random walking. That is

    NSSI 1:Proof.When an adversary intercepts a messagem while the

    message is being transmitted from node A to node B,there are two possible scenarios: (i) the message is trans-mitted using random walking, or (ii) the message istransmitted using deterministic routing.

    For scenario (i), suppose message m is transmittedfrom Si to Di, the previous source node is located inshaded area, as shown in Fig. 2a, based on the routingscheme and routing hop distance, where the angle of theshaded circular sector with horizontal lines is p2 and sym-metric to the SiDi.

    Since each node routes the message forward withprobability 1 b using deterministic routing and withprobability b using random walking. It can be derivedthat the probability for the immediate previous hop nodeto be located in the shaded sector is 1 b b4 1 34b,and to be located in the rest of the shaded area is 34b.

    The probability advantage for the immediate previ-ous hop node to be in the shared sector area with hor-izontal lines is

    1 34b 1

    4 3

    41 b:

    However, when the traceback analysis continues, wewill not be able to get any probability advantage for thenext previous hop routing source node, except that thenode will be located in the shaded area, given in Fig. 2b,based on the hop distance.

    Since the hop distance between the actual source nodeand the current intercepted node is unknown, this makesit impossible for the actual source node to be located inthe sensor domain, with an negligible exception of asmall area around the nodeDi. Therefore, we have

    NSSI 1:tu

    Remark 2. From the proof of Theorem 4, we can see that theadversary can only get probability advantage 34 1 b ofone hop source node. In particular, when b 1, that isthe case of random walking, the adversary is unable toget any probability advantage.

    6.2 Dynamic Routing and Jamming Attacks

    For security level b, the distribution between random walk-ing and the shortest path routing for the next routing hop isb and 1 b. b can vary for each message from the samesource. In this way, the routing path becomes dynamic andunpredictable. In addition, when an adversary receives amessage, he is, at most based on our assumption, able totrace back to the immediate source node that the messagewas transmitted. Since the message can be sent to the previ-ous node by either of the routing strategies, it is infeasiblefor the adversary to determine the routing strategy and findout the previous nodes in the routing path.

    Fig. 3 gives the routing path distribution for four differ-ent security levels using OPNET. The messages are trans-mitted from a single source located at 332; 259 to the fixedsink node located at 1;250; 1;250. The source node and thedestination node are 10 hops away in direct distance. In thefigures, each line represents a routing path used by at leastone message. This figure demonstrates that the routing pathdistribution width increases with the energy balance controla and the security parameter b.

    In fact, if we assume that the minimum number of rout-ing hops between the source node and the sink node is h forb 0, then for b > 0, the total number of random walkingis about hb1b hops. The routing path can be spread largely inthe area of width hb1b centered around the path for securitylevel b 0. Therefore, for a larger security level, more effortis required to intercept a message since it triggers more ran-dom walking, which will create a wider routing path distri-bution and a higher routing robustness under hostileattacks. As a result, the adversary has to monitor a largerarea in order to intercept/jam a message. As an example,when b 0:5, the width of the routing path is about thesame as the length of the routing path, as shown in Fig. 3d.

    Jamming attacks have been extensively studied [24],[25]. The main idea is that the jammers try to interferewith normal communications between the legitimatecommunication parties in the link layer and/or physicallayer. However, a jammer can perform attacks onlywhen the jammer is on the message forwarding path. Asdiscussed in [25], dynamic routing is an effective method

    Fig. 2. Routing source traceback analysis.

    TANG ET AL.: COST-AWARE SECURE ROUTING (CASER) PROTOCOL DESIGN FORWIRELESS SENSOR NETWORKS 967

  • to minimize the probability of jamming. The CASERrouting algorithm distribute the routing paths in a largearea based on our above analysis due to the random andindependent routing selection strategy in each forward-ing node. This makes the likelihood for multiple mes-sages to be routed to the sink node through the samerouting path very low even for the smart jammers thathave knowledge of the routing algorithm.

    6.3 Energy Level and Compromised Node Detection

    Since we assume that each node has knowledge of energylevels of its adjacent neighboring grids, each sensor nodecan update the energy levels based on the detected energyusage. The actual energy is updated periodically. For WSNswith non-replenishable energy resources, the energy level isa monotonically decreasing function. The updated energylevel should never be higher than the predicated energylevel since the predicted energy level is calculated based ononly the actually detected usage. If the updated energy levelis higher than the predicted level, the node must have beencompromised and should be excluded from its list of theadjacent neighboring grids.

    We also compared the CASER algorithm with the RSINalgorithm in [20] on path distribution under the similarenergy consumption. The results show that the CASER canachieve better and more uniform path distribution, asshown in Fig. 4. Our simulation results show that the aver-age number of routing hops for the two schemes are 14.51and 15.27, respectively.

    In addition, for a node with a low energy level that iscaused by excessive usage due to security attacks, accordingto our design, these nodes will be filtered out of the pool foractive routing selection. Therefore, the CASER design canminimize the possibility for denial-of-service (DoS) attacks.

    7 PERFORMANCE EVALUATION AND SIMULATIONRESULTS

    In this section, we will analyze the routing performance ofthe proposed CASER protocol from four different areas:routing path length, energy balance, the number of mes-sages that can be delivered and the delivery ratio under thesame energy consumption. Our simulations were con-ducted in a targeted sensor area of size 1;500 1;500 metersdivided into grids of 15 15.

    7.1 Routing Efficiency and Delay

    For routing efficiency, we conduct simulations of the pro-posed CASER protocol using OPNET to measure the aver-age number of routing hops for four different securitylevels. We randomly deployed 1,000 sensor nodes in theentire sensor domain. We also assume that the source nodeand destination node are 10 hops away in direct distance.The routing hops increase as the number of transmittedmessages increase. The routing hops also increase with thesecurity levels.

    We performed simulations with different a and b valuesas shown in Tables 1 and 2. In all cases, we derived consis-tent results showing that the average number of routinghops derived in this paper provides a very close approxima-tion to the actual number of routing hops. As expected,when the energy level goes down, the routing path spreadsfurther wider for better energy balance.

    We also provided simulation results on end-to-end trans-mission delay in Table 3.

    7.2 Energy Balance

    The CASER algorithm is designed to balance the overallsensor network energy consumption in all grids by con-trolling energy spending from sensor nodes with lowenergy levels. In this way, we can extend the lifetime ofthe sensor networks. Through the EBC a, energy con-sumption from the sensor nodes with relatively lowerenergy levels can be regulated and controlled. Therefore,we can effectively prevent any major sections of the

    Fig. 3. Routing path distribution statistics for various energy balancecontrol a and security parameters b. In all simulations, the target area is1;500 1;500. The source node is located at 332; 259 and sink islocated at 1;250; 1;250.

    Fig. 4. Routing path distribution statistics for energy balance controla 0:5 and security parameters b 0:25 and RSIN in [20] with parame-ters: dmin 100; r 3.

    TABLE 3Delay Results for Various Security Parameter from Simulation

    968 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 4, APRIL 2015

  • sensor domain from completely running out of energyand becoming unavailable.

    In the CASER scheme, the parameter a can be adjusted toachieve the expected efficiency. As a increases, betterenergy balance can be achieved. Meanwhile, the averagenumber of routing hops may also increase. Accordingly, theoverall energy consumption may go up. In other words,though the energy control can balance the network energylevels, it may increase the number of routing hops and theoverall energy consumption slightly. This is especially truewhen the sensor nodes have very unbalanced energy levels.

    In our simulations, shown in Fig. 5, the message source islocated at (332, 259) and the message destination is locatedat (1,250, 1,250). The source node and the destination nodeare 10 hops away in direct distance. There are three nodesin each grid, and each node is deployed with energy totransmit 70 messages. We show the remaining energy levelsof the sensor nodes under two different a levels. The darkergray-scale level corresponds to a lower remaining level.Fig. 5a, we set a 0 and there is only one source node. Theenergy consumption is concentrated around the shortestrouting path and moves away only until energy runs out inthat area. In Fig. 5b, we set a 0:5, then the energy con-sumption is spread over a large area between this node andthe sink. While maximizing the availability of the sensornodes, or lifetime, this design can also guarantee a highmessage delivery ratio until the energy runs out for all ofthe available sensor nodes in the area.

    We also conducted simulations to evaluate the energyconsumption for dynamic sources in Fig. 6. We assume thatthe only sink node is located in the center of the sensordomain. There are three nodes in each grid, and each nodeis deployed with energy to transmit 70 messages. In thiscase, the energy consumption is highest for the node aroundthe sink node. The consumption decreases based on the dis-tance that the node is away from the sink node. In fact, theaverage energy consumption for the node with distance i tothe sink node can be calculated as follows.

    Theorem 5. Assume that all sensor nodes transmit messages tothe sink node at the same frequency, the initial energy level ofeach grid is equal, then the average energy consumption for thegrid with distance i to the sink node is

    n2 n i i22i

    ; (12)

    where n is the distance between the sink node and the outmostgrid.

    Proof. Since all messages will be sent to the sink node, theenergy consumption for the grids with distance i to thesink node can be measured based on message forward-ing for grids with distance larger than i and messagetransmission for grids with distance i. The number ofgrids with distance j to the sink node is 8j. The totalenergy consumption of the grids with distance i to thesink can be calculated as

    Pnji 8j: The average grid

    energy consumption is therefore:

    Pnji 8j8i

    n2 n i i2

    2i:

    tuTo investigate the energy consumption in the uniform

    energy deployment, we assume each sensor node has equalprobability to generate packets and acts as a source node inFigs. 6 and 7.

    In these simulations, the sink node is located in the centerof the target area located at (750, 750), which makes the tar-get area symmetrical to show the energy consumption. Eachnode has the same probability to generate the packets. Themaximum direct distance between the source node and sinkis 7. Similar to the previous simulation, we assume there arethree nodes in each grid, and each node is deployed withenergy to transmit 70 messages.

    Fig. 6 gives the remaining energy levels close to the sinknode when the sensor nodes run out almost the entireenergy, where n 7;a 0:5;b 0:5. The color evenness in

    Fig. 5. Remaining energy distribution statistics after the source transmit-ted about 600 messages.

    Fig. 6. The remaining energy levels of the sensor nodes in the sensordomain when the innermost grid almost runs out of the energy, wherea 0:5; b 0:5.

    Fig. 7. Delivery ratio under different EBC a and security level b.

    TANG ET AL.: COST-AWARE SECURE ROUTING (CASER) PROTOCOL DESIGN FORWIRELESS SENSOR NETWORKS 969

  • each layer of the grids demonstrates the energy usage bal-ance enforced through the EBC a.

    In fact, according to Equation (12), we can calculate thetotal number of messages that can be transmitted from theoutmost grid when the innermost grid runs out of energy as210

    n2 n=2 21072 7=2 7:5. In this case, theoverall energy consumption is only 7:5Pni1 8j2 8;400;when the sensor networks become unavailable. Recall thatthe overall energy units deployed are 210 2n 121 47;040: Therefore, the energy consumption is only8;400=47;040 5=28 17:86% when the innermost gridsrun out of energy and become unavailable.

    7.3 Delivery Ratio

    One of the major differences between our proposed CASERrouting protocol and the existing routing schemes is that wetry to avoid having any sensor nodes run out of energywhile the energy levels of other sensor nodes in that areaare still high.

    We implement this by enforcing a balanced energy con-sumption for all sensor nodes so that all sensor nodes willrun out of energy at about the same time. This design guar-antees a high message delivery ratio until energy runs outfrom all available sensor nodes at about the same time.Then the delivery ratio drops sharply. This has been con-firmed through our simulations, shown in Fig. 7.

    8 CASER OPTIMAL NON-UNIFORM ENERGYDEPLOYMENT

    CASER is designed to balance the energy consumption ofsensor nodes and thereby extends the lifetime of the sensornetworks. However, as we have described in Section 7.2, theenergy consumption is uneven in sensor networks. Theenergy consumption for the sensor nodes closer to the sinknode is much higher than the nodes that are away from thesink node. In fact, the average energy consumption for thenode with distance i to the sink node can be calculatedaccording to Equation (12). Therefore, the best that we cando is to balance the energy of the grids with the same radiusto the sink node, as shown in Fig. 6.

    In this section, we will explore the optimal, non-uniforminitial energy deployment strategy that can maximize thelifetime of the sensor networks. Suppose the original energydistribution for each grid is the same, and we denote theenergy level as u. We also assume that the largest distancebetween the sink node and the outmost grid is n, then thetotal energy unit is u2n 12 1.

    8.1 Node Energy Deployment

    For the optimal energy deployment, the energy allocation ofthe grids should be proportional to the energy usage. Westill assume that the sink node is in the center of the sensordomain. All sensor nodes transmit messages at the same fre-quency. The distance between the outmost grid and the sinknode is n according to Equation (12), the energy allocationfor the grids with hop distance i to the sink node should be

    n2 n i i22i

    v;

    where v is the basic energy unit for energy deployment.Accordingly, from the outmost to the innermost, theenergy assignment should be

    v;2n 1n 1 v;

    3n 1n 2 v; . . . ;

    n 2n 14

    v;n 1n

    2v:

    The total energy units should be

    v8

    3n3 4n2 4

    3n

    :

    To maintain the same amount of energy, we let

    u2n 12 1 v 83n3 4n2 4

    3n

    :

    Then we have

    v 3n2n 1n 1u: (13)

    Example 2. We still assume that n 7, and each grid hasu 210 energy units originally. According to Equa-tion (13), we can derive that

    v 3u2n 1 u 42:

    Therefore, the non-uniform energy deployment for allof the grids from the outmost to the innermost can becalculated as

    42; 91; 151; 231; 350; 567; 1176:

    With this energy deployment, we maintained thesame overall amount of energy deployment units, 47,040,in the non-uniform energy deployment. However, underour assumption, the energy consumption should be100% before the sensor network runs out of energy anddies. Recall that in the uniform energy deployment sce-nario, the sensor network dies when only about 17.86%of the energy is consumed. Therefore, under non-uni-form deployment, the efficiency of a sensor networksenergy usage can be roughly 100=17:86 5:6 times com-pare to the uniform energy deployment. The efficiencycan be measured by the total number of messages thatcan be delivered, or the lifetime of the sensor networkunder the same transmission frequency.

    8.2 Routing in Non-Uniform Energy Deployment

    Under the new energy deployment, we have to redefine theway we calculate the average remaining energy of the adja-cent neighboring grids since otherwise, the messages willalways be routed to the nodes that are closer to the sinknode, at least initially. In this way, the number of possiblenodes for the next hop can be greatly limited and securityrouting may become trivial.

    970 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 4, APRIL 2015

  • For the non-uniform energy deployment case, the energyassignment is proportional to the energy consumption. Inother words, the energy assignment is constant whendivided by the energy consumption factor n

    2nii22i , where

    i 1; 2; . . . ; n. Therefore, we can define the average remain-ing level as

    EaA 1jN AjXi2NA

    Erin2nii2

    2i

    : (14)

    Accordingly, we have the updated Algorithm 4.

    8.3 Simulation Results

    We conducted simulations using OPNET to compare themessage delivery ratio of uniform energy deployment andnon-uniform energy deployment for different a valueswhen b 0. The simulation settings are similar to Fig. 6.However, each node is deployed with a different energylevel according to Algorithm 4. From the simulation resultsin Fig. 8a, we can see that the delivery ratio increases witha. Comparing to uniform energy deployment, the deliveryratio for non-uniform energy deployment is much higherthan the uniform energy deployment with the same a.

    We also compared the total number of messages that canbe delivered in the two scenarios. Our statistics are basedon the message delivery ratio that is 95% or above. In uni-form energy deployment, when a 0, the number of mes-sages that can be delivered is 1,510. When a 0:25, thenumber of messages that can be delivered increases to1,624. The increase is 7.55%. We found that when we furtherincrease a, the number of messages that can be transmitted

    increases slightly. At this point, all the nodes around thesink have run out of energy and no more messages can betransmitted.

    For the non-uniform deployment, when a 0; 0:25; 0:5and 0:75, the ratio of the number of messages that can bedelivered between non-uniform and uniform is 2.37, 4.2,5.16 and 5.38, respectively. The simulation results demon-strate that the proposed CASER and non-uniform energydeployment can significantly increase the delivery ratio andthe lifetime of the WSN.

    When b 6 0, from Fig. 8b we can see that the messagedelivery ratio drops as b increases. This is because the over-all energy consumption increases as the required securitylevel increases. We also found that under the proposedCASER protocol, non-uniform energy deployment canincrease the energy efficiency and network lifetime evenwhen security is required in WSNs.

    Fig. 8c provides themessage delivery ratio in amore realis-tic scenario. Since the different messages may have differentimportance, we select both security parameters and energybalance levels randomly for non-uniform and uniform energydeployment in this simulation. The results demonstrate thatnon-uniform energy deployment can achieve a much higherdelivery ratiowhile extending the lifetime of theWSN.

    Fig. 9 shows the energy consumption of the WSN fornon-uniform energy deployment. Comparing the tworesults, we conclude that CASER can achieve excellentenergy balance. All sensor nodes run out of energy at aboutthe same time, while in uniform energy deployment, theenergy consumption is very unbalanced, as shown in Fig. 6.

    Fig. 8. Message delivery ratio: (a) b 0 and varying a, (b) a 0:5 and varying b, (c) varying a and b, where a 2 0:25; 0:75; b 2 0; 0:5.

    Fig. 9. A snapshot of energy distribution when the remaining energy isabout 10% in the sensor nodes, where a 0:5; b 0:5.

    TANG ET AL.: COST-AWARE SECURE ROUTING (CASER) PROTOCOL DESIGN FORWIRELESS SENSOR NETWORKS 971

  • 9 CONCLUSIONS

    In this paper, we presented a secure and efficient Cost-Aware SEcure Routing (CASER) protocol for WSNs to bal-ance the energy consumption and increase network lifetime.CASER has the flexibility to support multiple routing strate-gies in message forwarding to extend the lifetime whileincreasing routing security. Both theoretical analysis andsimulation results show that CASER has an excellent routingperformance in terms of energy balance and routing pathdistribution for routing path security. We also proposed anon-uniform energy deployment scheme to maximize thesensor network lifetime. Our analysis and simulation resultsshow that we can increase the lifetime and the number ofmessages that can be delivered under the non-uniformenergy deployment bymore than four times.

    ACKNOWLEDGEMENTS

    This research was supported in part by the US National Sci-ence Foundation (NSF) Grants CNS-0845812, CNS-0746811,CNS-1117831, CNS-1217206, and CCSS-1232109.

    REFERENCES[1] Y. Li, J. Ren, and J. Wu, Quantitative measurement and design of

    source-location privacy schemes for wireless sensor networks,IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 7, pp. 13021311, Jul.2012.

    [2] Y. Li, J. Li, J. Ren, and J. Wu, Providing hop-by-hop authentica-tion and source privacy in wireless sensor networks, in Proc.IEEE Conf. Comput. Commun. Mini-Conf., Orlando, FL, USA, Mar.2012, pp. 30713075.

    [3] B. Karp and H. T. Kung, GPSR: Greedy perimeter stateless rout-ing for wireless networks, in Proc. 6th Annu. Int. Conf. MobileComput. Netw., New York, NY, USA, 2000, pp. 243254.

    [4] J. Li, J. Jannotti, D. S. J. De Couto, D. R. Karger, and R. Morris, Ascalable location service for geographic ad hoc routing, in Proc.6th Annu. Int. Conf. Mobile Comput. Netw., 2000, pp. 120130.

    [5] Y. Xu, J. Heidemann, and D. Estrin, Geography-informed energyconservation for ad-hoc routing, in Proc. 7th Annu. ACM/IEEEInt. Conf. Mobile Comput. Netw., 2001, pp. 7084.

    [6] Y. Yu, R. Govindan, and D. Estrin, Geographical and energy-aware routing: A recursive data dissemination protocol for wire-less sensor networks, Comput. Sci. Dept., UCLA, TR-010023, LosAngeles, CA, USA, Tech. Rep., May 2001.

    [7] N. Bulusu, J. Heidemann, and D. Estrin, GPS-less low cost out-door localization for very small devices, Comput. Sci. Dept.,Univ. Southern California, Los Angeles, CA, USA, Tech. Rep. 00-729, Apr. 2000.

    [8] A. Savvides, C.-C. Han, and M. B. Srivastava, Dynamic fine-grained localization in ad-hoc networks of sensors, in Proc. 7thACM Annu. Int. Conf. Mobile Comput. Netw., Jul. 2001, pp. 166179.

    [9] P. Bose, P. Morin, I. Stojmenovic, and J. Urrutia, Routing withguaranteed delivery in ad hoc wireless networks, in Proc. 3rd Int.Workshop Discrete Algorithms Methods Mobile Comput. Commun.,1999, pp. 4855.

    [10] P. Bose, P. Morin, I. Stojmenovic, and J. Urrutia, Routing withguaranteed delivery in ad hoc wireless networks, in Proc. 3rdACM Int. Workshop Discrete Algorithms Methods Mobile Comput.Commun., Seattle, WA, USA, Aug. 1999, pp. 4855.

    [11] T. Melodia, D. Pompili, and I. Akyildiz, Optimal local topologyknowledge for energy efficient geographical routing in sensornetworks, in Proc. IEEE Conf. Comput. Commun., Mar. 2004, vol. 3,pp. 17051716.

    [12] Y. Li, Y. Yang, and X. Lu, Rules of designing routing metrics forgreedy, face, and combined greedy-face routing, IEEE Trans.Mobile Comput., vol. 9, no. 4, pp. 582595, Apr. 2010.

    [13] R. Shah and J. Rabaey, Energy aware routing for low energy adhoc sensor networks, in Proc. IEEE Wireless Commun. Netw. Conf.,Mar. 1721, 2002, vol. 1, pp. 350355.

    [14] J.-H. Chang and L. Tassiulas, Maximum lifetime routing in wire-less sensor networks, IEEE/ACM Trans. Netw., vol. 12, no. 4, pp.609619, Aug. 2004.

    [15] H. Zhang and H. Shen, Balancing energy consumption to maxi-mize network lifetime in data-gathering sensor networks, IEEETrans. Parallel Distrib. Syst., vol. 20, no. 10, pp. 15261539, Oct.2009.

    [16] F. Liu, C.-Y. Tsui, and Y. J. Zhang, Joint routing and sleep sched-uling for lifetime maximization of wireless sensor networks,IEEE Trans. Wireless Commun., vol. 9, no. 7, pp. 22582267, Jul.2010.

    [17] C.-C. Hung, K.-J. Lin, C.-C. Hsu, C.-F. Chou, and C.-J. Tu, Onenhancing network-lifetime using opportunistic routing in wire-less sensor networks, in Proc. 19th Int. Conf. Comput. Commun.Netw., Aug. 2010, pp. 16.

    [18] C. Ozturk, Y. Zhang, and W. Trappe, Source-location privacy inenergy-constrained sensor network routing, in Proc. 2nd ACMWorkshop Security Ad Hoc Sens. Netw., 2004, pp. 8893.

    [19] Y. Li and J. Ren, Preserving source-location privacy in wirelesssensor networks, in Proc. IEEE 6th Annu. Commun. Soc. Conf.Sens., Mesh Ad Hoc Commun. Netw., Rome, Italy, Jun. 2009, pp.493501.

    [20] Y. Li and J. Ren, Source-location privacy through dynamic rout-ing in wireless sensor networks, in Proc. IEEE INFOCOM 2010,San Diego, CA, USA., Mar. 1519, 2010. pp. 19.

    [21] M. Shao, Y. Yang, S. Zhu, and G. Cao, Towards statisticallystrong source anonymity for sensor networks, in Proc. IEEE 27thConf. Comput. Commun., Apr. 2008, pp. 5155.

    [22] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, Enhancingsource-location privacy in sensor network routing, in Proc. 25thIEEE Int. Conf. Distrib. Comput. Syst., Jun. 2005, pp. 599608.

    [23] Wikipedia. Quartic function [Online]. Available: http://en.wikipedia.org/wiki/Quartic_function, Apr. 2014.

    [24] W. Xu, K. Ma, W. Trappe, and Y. Zhang, Jamming sensor net-works: Attack and defense strategies, IEEE Netw., vol. 20, no. 3,pp. 4147, May/Jun. 2006.

    [25] A. Pathan, H.-W. Lee, and C. seon Hong, Security in wirelesssensor networks: Issues and challenges, in Proc. 8th Int. Conf.Adv. Commun. Technol., 2006, pp. 10431048.

    Di Tang received the BE degree from Xidian Uni-versity in 2005. He is currently working toward thePhD degree in electrical and computer engineer-ing at Michigan State University. His researchinterests include wireless sensor networks andnetwork security.

    Tongtong Li received the PhD degree in electricalengineering from Auburn University in 2000. From2000 to 2002, she was with Bell Labs, and hadbeen working on the design and implementation of3G and 4G systems. Since 2002, she has beenwith Michigan State University, where she is cur-rently an associate professor. Her research inter-ests include the areas of wireless and wiredcommunications, wireless security, informationtheory, and statistical signal processing. Shereceived the US National Science Foundation

    (NSF) CAREER Award (2008) for her research on efficient and reliablewireless communications. She was an associate editor for the IEEE Sig-nal Processing Letters from 2007-2009, and an editorial board memberfor EURASIP Journal Wireless Communications and Networking from2004-2011. She is currently an associate editor for the IEEE Transac-tions on Signal Processing.

    972 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 4, APRIL 2015

  • Jian Ren received the BS and MS degrees both inmathematics from Shaanxi Normal University, andthe PhD degree in electrical engineering fromXidian University, China. He is an associate pro-fessor in the Department of Electrical and Com-puter Engineering at Michigan State University.His current research interests include cryptogra-phy, cloud computing security, network security,energy-efficient sensor network security protocoldesign, privacy-preserving communications, net-work coding, distributed network storage, and cog-

    nitive networks. He received the US National Science Foundation (NSF)Faculty Early Career Development (CAREER) Award in 2009. He is asenior member of the IEEE.

    Jie Wu is the chair and a professor in the Depart-ment of Computer and Information Sciences,Temple University. Prior to joining Temple Univer-sity, he was a program director at the US NationalScience Foundation (NSF). His research interestsinclude wireless networks and mobile computing,routing protocols, fault-tolerant computing, andinterconnection networks. He is on the editorialboard of the IEEE Transactions on Computersand the Journal of Parallel and Distributed Com-puting. He is the program cochair for the IEEE

    INFOCOM 2011. He was also the general cochair for the IEEE MASS2006, IEEE IPDPS 2008, and DCOSS 2009. He is an ACM distinguishedspeaker and is the chairman of the IEEE Technical Committee on Dis-tributed Processing (TCDP). He is a fellow of the IEEE.

    " For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.

    TANG ET AL.: COST-AWARE SECURE ROUTING (CASER) PROTOCOL DESIGN FORWIRELESS SENSOR NETWORKS 973

    /ColorImageDict > /JPEG2000ColorACSImageDict > /JPEG2000ColorImageDict > /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 150 /GrayImageMinResolutionPolicy /OK /DownsampleGrayImages true /GrayImageDownsampleType /Bicubic /GrayImageResolution 300 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 1.50000 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict > /GrayImageDict > /JPEG2000GrayACSImageDict > /JPEG2000GrayImageDict > /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 1200 /MonoImageMinResolutionPolicy /OK /DownsampleMonoImages true /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict > /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName () /PDFXTrapped /False

    /CreateJDFFile false /Description >>> setdistillerparams> setpagedevice