FESICM

8/13/2019 FESICM

1/37

Downloaded from engine.lib.uwaterloo.caon 7 January 2014

FESCIM: Fair, Efficient, and SecureCooperation Incentive Mechanism forHybrid Ad Hoc NetworksMohamed Mohamed Elsalih Abdelsalam Mahmoud, Sherman

ShenDate Submitted: 23 November 2009

Date Revised: 23 December 2009

Date Published: 18 July 2011

Updated information and services can be found at:http://engine.lib.uwaterloo.ca/ojs-

2.2/index.php/pptvt/article/view/594

These include:

Subject Classification Vehicular Technology

Keywords Network-level security and protection, Payment schemes,Wireless communication, Hybrid systems.;

Submitting Author sComments

IEEE TMC

Comments You can respond to this article at:http://engine.lib.uwaterloo.ca/ojs-

2.2/index.php/pptvt/comment/add/594/0

Copyright 2009 IEEE. Personal use of this material is permitted.However, permission to reprint/republish this material for

advertising or promotional purposes or for creating new

collective works for resale or redistribution to servers or lists, or

to reuse any copyrighted component of this work in other works

must be obtained from the IEEE.

8/13/2019 FESICM

2/37

ForP

eerRev

iewOnly

FESCIM: Fair, Efficient, and Secure Cooperation Incentive

Mechanism for Hybrid Ad Hoc Networks

Journal: Transactions on Mobile Computing

Manuscript ID: Draft

Manuscript Type: Regular

Keywords:Network-level security and protection, Payment schemes, Wirelesscommunication, Hybrid systems

http://mc.manuscriptcentral.com/tmc-cs

Transactions on Mobile Computing

Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 1 of

8/13/2019 FESICM

3/37

ForP

eerRev

iewOnly

FESCIM: Fair, Efficient, and Secure Cooperation

Incentive Mechanism for Hybrid Ad Hoc Networks

Mohamed Elsalih Mahmoud, Xuemin (Sherman) Shen, IEEE Fellow

AbstractIn hybrid ad hoc wireless networks, the mobile nodes usually act as routers to relay packets

from other nodes. However, selfish nodes may not cooperate but make use of the honest ones to relay

their packets, which has negative effect on fairness, security, and performance of the network. In this

paper, a fair, efficient, and secure cooperation incentive mechanism is proposed to stimulate the nodes

cooperation in hybrid ad hoc networks. Fair payment can be achieved by rewarding and charging credits to

balance between a nodes contributions and benefits. In order to reduce the overhead cost, a payment

aggregation technique is applied to reduce the number of generated receipts. A hash chain is used to

efficiently integrate the incentive mechanism in the routing protocol. Secure techniques are proposed to

protect the receipt submission from collusion attacks and to reduce the number of transmitted receipts.

Extensive evaluation shows that the proposed mechanism is robust against rational and colluding attacks,

and the nodes can be rewarded proportionally to their contributions. Simulation results demonstrate that

the proposed mechanism can be implemented efficiently.

Index Terms Network-level security and protection, Payment schemes, Wireless communication, Hybrid systems.

1 INTRODUCTION

Hybrid ad hoc network (also called multi-hop cellular network (MCN)) [1], [2], [3], [4] is anetwork architecture which incorporates the ad hoc characteristics into the cellular system. The

packets originated from a node are relayed through the mobile nodes to the receiver or to a base

station which delivers them to the receiver. The network nodes commit bandwidth, data storage,

CPU cycles, battery power, etc, forming a pool of resources which can be shared by all of them.

The utility which nodes can obtain from the pooled resources is much higher than they can obtain

on their own. Multi-hop relaying improves the network performance and deployment [5], [6], [7],

[8]. It can extend the communication range using limited transmit power, improve area spectralefficiency, reduce the dead areas, reduce power consumption because the transmission distances

are shorter, and enhance the network throughput and capacity. In addition, the network can be de-

ployed more readily and at lower costs. It is shown in [8] that the path loss per hop can be reduced

by 12dB, and the data rate can be increased by a factor of ten if the relaying distance is halved.

ge 1 of 35




8/13/2019 FESICM

4/37

ForP

eerRev

iewOnly

2 IEEE TRANSACTIONS ON MOBILE COMPUTI

However, due to involving autonomous devices in the routing process, it suffers from new security

challenges which endanger the practical implementation of the network.

The proper operation of the hybrid ad hoc network requires the intermediate nodes to collabo-

rate to enhance the network performance. It is shown in [9] that if 10% to 40% of the nodes behave

selfishly, the average throughput degrades by 16% to 32%. It is also shown in [10] that the delay

increases linearly with the percentage of selfish nodes. Therefore, the selfish behavior significantly

degrades the overall network performance which may result in failure of multi-hop data communi-

cation, and thus selfish nodes pose real threats to the operation of the hybrid ad hoc network. How-

ever, most existing works assume that all the mobile nodes of a hybrid ad hoc network are coop-

erative, i.e., they are willing to relay data generated from other nodes. While this assumption is

reasonable in disaster recovery or military applications since the nodes belong to a single authority

and have a common goal, it may not hold for civilian applications where each node tries to maxi-

mize its benefits from the network. Moreover, the nodes may not benefit from their cooperation

since it consumes their scarce resources (such as radio spectrum, battery power, and CPU cycles),

and does not provide any immediate advantages because serving others does not guarantee that the

user will be served as well. Consequently, in civilian applications, selfish nodes are not voluntarily

interested in cooperation without sufficient incentive, and they make use of the honest nodes to

relay their packets without any contribution to the network, which has negative impact on fairness,

security, and performance of the network. Several mechanisms have been proposed to mitigate the

problems caused by the selfish nodes [11], [12]. The mechanisms fall into one of two categories,

namely, reactive (or enforcement) and preventive (or incentive). In reactive mechanisms [13], [14],

[15], and [16], a network node monitors the transmission of a neighbor to make sure that the

neighbor forwards others traffic. A reputation system is used to identify and punish the selfish

nodes. The system should be able to differentiate between a nodes unwillingness and inability to

cooperate, and to suppress the false accusations against the honest nodes. In preventive (also called

credit-based or incentive) mechanisms, forwarding packets generated from other nodes is a service

(not an obligation) because the mobile nodes are autonomous devices which are owned by the

Page 2




8/13/2019 FESICM

5/37

ForP

eerRev

iewOnly

M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS

network users. The mechanisms do not enforce the nodes to cooperate nor punish them when they

decide not to cooperate. An incentive (virtual currency or credits) is used to motivate the nodes to

collaborate, and to prove that it is more beneficial for them to cooperate than behaving selfishly.

The transmission of self-generated packets is charged and the forwarding of other nodes packets is

rewarded.

However, reactive mechanisms suffer from unreliable detection to the selfish nodes because dif-

ferent nodes may evaluate the behavior of the same node differently, and it is difficult to differenti-

ate between a nodes unwillingness and inability to cooperate due to low resources such as low

battery or full buffer. Another challenge is to prevent the propagation of incorrect reputations (ei-

ther good or bad) because malicious nodes can work together to boost their reputations or to de-

fame innocent nodes. In addition, reactive mechanisms may not guarantee fairness because the

nodes with higher contributions are not compensated. For instance, although the nodes situated in

the center contribute more to the network than those in the periphery, they are not compensated.

Moreover, to monitor their neighbors, the nodes work in the inefficient promiscuous mode [17].

Therefore, preventive mechanisms are more appropriate to commercial networks where individual

nodes do not have pre-existing links to each other and they can periodically contact a centralized

entity which manages their credit accounts.

Several preventive mechanisms have been proposed in the literatures [11]. The main concern is

that the practicability and performance remain unclear because the packet-by-packet paying im-

plies a significant communication overhead and implementation complexity due to generating and

transmitting a large number of receipts (payment proofs) for clearance, which consumes the net-

work storage area, bandwidth, and energy. Heavyweight mechanism degrades the performance of

the network, and stimulates the nodes to behave selfishly to save their resources to serve their us-

ers. Although the cooperation incentive mechanisms are implemented to protect the network from

rational attacks, insecure mechanisms encourage the nodes to attack the payment to pay less and/or

gain undeserved credits. Two techniques have been adopted in the existing mechanisms to submit

the receipts for clerarance: (1) one node (e.g. the last intermediate node) sends all the receipts; this

ge 3 of 35




8/13/2019 FESICM

6/37

ForP

eerRev

iewOnly


technique is vulnerable to collusion attack to prevent clearing the receipts, (2) all the intermediate

nodes send all the receipts; this technique is not efficient because multiple copies of the same re-

ceipt (which has payment data for all the relaying nodes) are submitted. Fairness issues arise when

a node gains more benefits than its contributions, or when some nodes take advantage from the

honest ones which are more overloaded because the network traffic is concentrated through them.

Although achieving fairness is an important requirement to stimulate the nodes to participate in the

routing process, the existing mechanisms have been paid little attention to adopt fair payment.

In this paper, a fair, efficient, and secure cooperation incentive mechanism is proposed to stimu-

late the nodes to cooperate in hybrid ad hoc network. Our mechanism can enforce fairness by re-

warding or chargingcredits to balance between the nodes contributions and benefits. In order to

reduce the number of the submitted receipts, each receipt contains complete payment data to all the

session nodes. Therefore, instead of transmitting all the receipts by all the nodes, they can be

transmitted by some. A payment aggregation technique is proposed to generate a receipt for multi-

ple packets instead of generating a receipt per packet. A hash chain is applied to integrate the in-

centive mechanism in the routing protocol efficiently. Secure techniques are proposed to protect

the receipt submission from collusion attacks and to reduce the number of transmitted receipts. It

will be shown that the mechanism can reward the network nodes proportionally to their contribu-

tions. Extensive security and overhead evaluations demonstrate that the mechanism is secure

against rational and colluding attacks, and can be implemented efficiently. The remainder of this

paper is organized as follows. A brief description and evaluation to some existing mechanisms are

presented in Section 2. Section 3 gives the network model. The proposed cooperation incentive

mechanism is presented in Sections 4. Extensive security analysis is given in Sections 5. In Section

6, fairness and implementation overhead are evaluated. Finally, we conclude the paper and discuss

some future work in Section 7.

2 RELATED WORK

In Nuglets mechanism [18], [19], and [20], a tamper proof device (TPD) is installed in each de-

Page 4




8/13/2019 FESICM

7/37

ForP

eerRev

iewOnly


vice to store its credits and to secure its operation. The self-generated and forwarding packets are

passed to the TPD to decrease and increase the credit account, respectively. A node can not trans-

mit its generated packets if it does not have sufficient credits. Two models, called the packet purse

model (PPM) and the packet trade model (PTM), have been proposed. In the PPM, the source node

pays for relaying its packets by loading some credits in each packet before sending it. Each for-

warding node acquires the amount of credits that covers its forwarding cost. A packet is discarded

if it does not have enough credits to be forwarded. In the PTM, each intermediate node buys a

packet and sells it to the following node in the route until the destination node pays the total cost.

Using tamper-proof devices can reduce the complexity of the incentive mechanism but the as-

sumption that they can not be tampered is neither secure nor realistic for networks with autono-

mous nodes. Tamper-proof devices with high security level may be expensive, and if they are

compromised, attackers can attack the mechanism brutally in undetectable way. In a subtle attack,

two tamper proof devices can be installed in one device, and a packet is passed through them for

double rewarding. Fairness issue arises when a node loses its credits without any benefits. It is dif-

ficult to estimate the required amount of loaded credits so the surplus credits are lost in over-

estimation and all the loaded credits are lost in underestimation. In addition, the source node pays a

complete payment for every generated packet even if it does not reach its destination. The PTM

suffers from high bandwidth and latency overhead because an auction occurs at each node. Drop-

ping the packets with insufficient credits degrades the network throughput. It is shown in [21] that

the long-term operation of the mechanism is questionable because the amount of credits in the

network decreases over time due to employing unbalanced payment, i.e., the paid credits are not

necessarily equal to the earned ones. Unbalanced payment may lead to credit inflation if the re-

wards are greater, or credit depletion if the charges are greater. In credit inflation, the nodes are

rich and their stimulation to cooperation becomes less, whereas, in credit depletion, the nodes are

poor and they can not initiate communications.

In CASHnet mechanism [22] and [23], users regularly visit service points to buy traffic credits

(which are used to forward self-generated packets) and/or to transfer helper credits (which are

ge 5 of 35




8/13/2019 FESICM

8/37

ForP

eerRev

iewOnly


gained from relaying other nodes packets) to traffic credits. Before transmitting a packet, the

originators traffic credit account (stored in the node) is charged. Upon receiving the packet, the

destination nodes traffic credit account is also charged and a digitally signed acknowledgement

packet (ACK) is sent. Upon receiving the ACK, the forwarding nodes increase their helper credit

account. The source node pays for relaying its packets to a gateway, and the destination node pays

for receiving them. It is shown in [21] and [24] that the performance of the network depends on the

availability of service points, i.e., although the nodes have helper credits, they starve because they

can not find a service point to convert. Fairness issues arise when a node is not rewarded when it

does not receive an ACK packet, and the sender pays full payment whether the packet reaches the

gateway or not. Moreover, the payment ratio between the source and destination nodes is propor-

tional to the distance to the gateway not to their interest from the communication.

In SIP (Secure Incentive Protocol) [25] and [26], after receiving a packet, the destination node

sends a payment RECEIPT packet to the transmitter to issue a REWARD packet which increments

the accounts (stored in the nodes) of the intermediate nodes. The mechanism encourages the com-

municating nodes to issue REWARD packets by overcharging them for full payment, and they get

the overcharged credits (half of the payment) back after issuing them. The mechanism incurs high

overhead because each packet needs three trips between the source and destination nodes. A fair-

ness concern is that the intermediate nodes are not rewarded, and the payers pay more than the de-

served credits when REWARD or RECEIPT packets are dropped, or when a data packet does not

reach the destination node due to malicious or non-malicious action.

In [27] and [28], a probabilistic payment technique is applied to avoid generating a large number

of receipts in the network. The sender (the payer) appends payment tokens to its transmitted pack-

ets. The forwarding nodes check whether a token corresponds to a winning ticket. Winning tickets

are sent to the accounting center (AC) to reward the winning nodes. Payers are charged per packet

and forwarding nodes are paid per winning ticket. The mechanism encourages the nodes to relay

the packets with losing tickets by rewarding not only the winning node but also its neighbors. The

mechanism suffers from a security flaw that colluders can intercept and exchange collected tokens

Page 6




8/13/2019 FESICM

9/37

ForP

eerRev

iewOnly


to be checked locally in each node to gain credits without contributing to the network. In [29], it is

shown an attack which enables two attackers to communicate for free without being detected by

the operator. Fairness issue arises when a node is not compensated for consuming its resources to

relay a packet.

In Sprite mechanism [30], an intermediate node stores a receipt for each relayed packet and

submits the receipts when it has a connection to the accounting center to clear them. The mecha-

nism incurs significant communication overhead because the number of submitted receipts is large

due to generating a receipt for each packet and due to sending all the receipts by all the nodes. The

size of the receipts is large, which consumes the network resources. Fairness issue arises when the

amount of rewards is greatly reduced (to thwart cheating actions) if a packet is not reported to be

received by the destination node due to malicious or non-malicious actions. In [31], the sender ap-

pends a signature to the full path identities and an initialization of a keyed hash chain. Each inter-

mediate node verifies the signature and computes a new hash value. The recipient generates a re-

ceipt of the received amount of data and sends it to the last intermediate node to transmit to the

AC. A security flaw is that two colluders can communicate freely by exchanging packets with in-

valid hash values because the intermediate nodes can not verify the received hash chain. The last

intermediate node may collude with the payers, and it does not send the receipts to the AC to de-

prive the relaying nodes from their payments. In addition, the last intermediate node may not have

the sufficient resources to submit the receipts, or this extra load may degrade its efficiency.

In [32] and [33], the sender encrypts the payload and appends a receipt. Each uplink node re-

encrypts the payload and stores the receipt. The base station removes the encryption layers and it-

eratively encrypts the payload with the keys shared with the downlink nodes. Each downlink node

decrypts one layer, computes and stores the receipt. The iterative encryption and decryption opera-

tions protect the mechanism from free riding attack. The sender is charged and the uplink nodes

are rewarded when the packet reaches the base station. The downlink nodes are rewarded when the

base station receives an ACK from the receiver. In order to motivate the destination node to send

ACK, it is charged a fee which is returned when the ACK is received. If a packet does not reach

ge 7 of 35




8/13/2019 FESICM

10/37

ForP

eerRev

iewOnly


the base station, the intermediate nodes submit the receipts to claim the payments but they are re-

warded only for the minimum packet length. It is shown in [34] that the mechanism suffers from

the early duplicate attack to deny the service from the legitimate nodes. Two colluders can com-

municate for free because the intermediate nodes can not verify the payment data. A large number

of receipts are claimed because they are individually issued and claimed. If an ACK packet does

not reach the base station due to malicious or non-malicious action, the destination node is over-

charged.

In [35], the mechanism is a series of per-hop transactions. Nodes pay in advance to get coins be-

fore engaging in communication sessions. The intermediate nodes trade the forwarded packets. A

packet buyer contacts the AC to get deposited coins which are used for a limited time, specific

seller, and one session. The seller claims the coins by submitting them to the AC. The mechanism

is complicated because the buyers and sellers frequently and interactively contact the AC. The coin

format is inflexible because it is used for a specific user, one session, and limited time. The

mechanism can be used in limited applications because only the destination node can initiate the

session. In [36], an AODV-based incentive routing protocol for ad-hoc networks has been pro-

posed. The protocol employs three new types of control packets, which imposes much overhead.

In [37], an incentive-based mechanism has been proposed to encourage Transit Access Points

(TAPs) to forward data for other TAPs, and thus it eliminates the location-dependent unfairness

problem in the backhaul networks. The mechanism in [38] improves Sprite by using hash chains

instead of digital signatures but a large number of receipts are generated and payment non-

repudiation can not be guaranteed.

3THE NETWORK ARCHITECTURE

3.1 The Network Model

As shown in Fig. (1), the hybrid ad hoc network includes a trusted party (TP), a set of base sta-

tions (BSs) and mobile nodes (MNs). The trusted party is responsible for the security and financial

issues in the network. It generates and revokes (whenever it is necessary) the required crypto-

Page 8




8/13/2019 FESICM

11/37

ForP

eerRev

iewOnly


graphic credentials for a node to join the network. It also contains the accounting center (AC) that

stores and manages the credit accounts of the network entities. Once the AC receives a proof of

packet forwarding (transaction cheque), it updates the accounts of the participating entities. The

nodes can gain credits from forwarding other nodes packets or from buying additional credits

from the accounting center for real money. Credits can be converted to real money and reverse to

make the network operation flexible and to give incentive to the rich nodes to keep cooperating.

Some of the relays may be fixed as parts of the network infrastructure to improve the network

connectivity especially in low density case. The base stations are powerful parties that are distrib-

uted in large geographic area.

Fig. (1): The hybrid ad hoc network architecture

The mobile nodes have limited storage, computing, and energy resources. Each node is regis-

tered with a legitimate operator and stores a unique global identifier, public/private key pair with a

certificate, and the public key of the trusted party. As opposite to [39], the nodes anonymity and

privacy preserving is outside the scope of this work, so each node has one identity during its life-

time. Each node is loaded with a local account counter to estimate its latest credit account stored in

the AC. The local counters alleviate the load of periodically requesting the latest account from the

AC. A node uses its counter to make some local decisions such as its state (cooperative or un-

ge 9 of 35



Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 10 o

8/13/2019 FESICM

12/37

ForP

eerRev

iewOnly


cooperative).

3.2 The Communication Model

The base stations are connected with each other and with the trusted party by a fast backbone

network which may be wired or wireless. The exchanged messages between the mobile nodes and

the trusted party are relayed by the base stations. The nodes can communicate in one of two

modes: pure ad hoc or hybrid. In pure ad hoc mode, the data packets are sent by the source node

and relayed in several hops through the intermediate nodes to the destination node without involv-

ing any infrastructure. In hybrid mode, at least one base station is involved in the communication,

i.e., the packets are relayed from an originator to the base station through multi-hops, then to the

destination base station over the backbone network (if the communicating parties are in different

domains), and finally to the destination node. In order to submit the payment proofs (cheques), the

network nodes are able to communicate with the trusted party at least once during a time interval

which can be in the range of few days.

3.3 Threat and Trust Models

An attacker has a full control on his mobile node, and he can change the nodes operation. At-

tackers can work individually or collude with each other to share information to launch more so-

phisticated attacks. Attackers are rational in the sense that they cheat if the benefit of doing so is

greater than that of honestly following the protocol. These strong assumptions do not exaggerate

the attackers capabilities because the nodes are autonomous and strongly motivated to cheating.

For the base stations, we consider them rational attackers because they are owned by different pro-

viders who are motivated to cheat to increase their accounts and their subscribers accounts. The

trusted party is fully secure; several security measures can be taken to guarantee its security such

as using threshold cryptosystems [40] which do not allow an individual person to perform an op-

eration. For the trust models, all the network nodes fully trust the trusted party to correctly perform

billing and auditing. The trusted party does not trust any entity in the network. The base stations

and users do not trust each other.

Page 10




8/13/2019 FESICM

13/37

8/13/2019 FESICM

14/37

8/13/2019 FESICM

15/37

ForP

eerRev

iewOnly


packets) by attaching its signature to the payment data (PD), session establishment time stamp

(TS), counter to the number of transmitted packets (X), and the hash value of the message. The

signature is an approval from one payer to pay for X packets. It also ensures the message authen-

ticity and integrity, and thwarts free riding, packet replay, packet and payment repudiation, and

impersonation attacks. The source node initiates a new packet series (with a new cheque) when the

route is broken, or N packets have already been transmitted. After transmitting a packet, the sender

turns on a timer waiting for ACK, NACK, or Timeout.

(a) The data packet format

(b) The ACK packet format

Fig. (3): The formats of data and ACK packets

4.1.3 Packet Relaying Phase

Before relaying a packet, an intermediate node verifies the signature to ensure the messages in-

tegrity and authenticity, and to ensure that the payment data and the number of relayed packets are

correct. In case of the first packet in a series (X=1), an intermediate node composes the single ap-

proval cheque (SAC) (which contains payment approval from one payer) as a proof of receiving

the packet. The format of SAC is shown in Fig. (4-a). Storing the hash of the signatures signifi-

cantly reduces the cheque size but with extra overhead on the AC which is powerful party. The

nodes claim the SAC if the packet does not reach the destination node. For the successive packets

in a series (X>1), each node composes aggregated double approval cheque with a single approved

packet (ADAC_S(X)) which contains payment data for (X-1) successfully delivered packets and

one received packet. As shown in Figs. (4-c), the payment approval of the destination node in

ge 13 of 35




8/13/2019 FESICM

16/37

ForP

eerRev

iewOnly


ADAC_S(X) lags that of the source node by one packet. The evolution of the payment cheques is

shown in Fig. (5).

(a) The SAC format

(b) The DAC format

(c) The ADAC_S format

(d) The ADAC format

Fig. (4): The formats of the payment cheques

4.1.4 Packet Receiving Phase

Upon receiving a packet in a series, the destination node attaches a new hash value from the

hash chain to its acknowledgement (ACK) packet (if it pays for the session). The hash value is an

approval from the second payer to pay for the received packet. The format of the ACK packet is

shwon in Fig. (3-b).

4.1.5 ACK/NACK Relaying Phase

In case of the first ACK in a series, an intermediate node verifies the hash value and upgrades

the single approval cheque (SAC) to double approval cheque (DAC) which is a proof of success-

fully delivering the packet. As shown in Fig. (4-b), the DAC contains payment approval from the

two payers. For ACK for successive packets in the series, the intermediate nodes ensure that the

ADAC-S(X)

PD|TS|X|HS(MX)|HDN(Nonce)|HD

N-X+1(Nonce)|

H( SigS(PD|TS|X|HS(MX)) | SigD(PD|TS| HDN(Nonce)))

DAC

PD |TS|1|HS(M1)| HDN(Nonce)|HD

N-1(Nonce)|

H( SigS(PD|TS|1|HS(M1)) | SigD(PD|TS| HDN(Nonce)))

SAC

PD|TS|1|HS(M1)|HDN(Nonce)|

H( SigS(PD|TS|1|HS(M1)) | SigD(PD|TS|HDN(Nonce)))

ADAC(X)

PD|TS|X|HS(MX)|HDN(Nonce)|HD

N-X(Nonce)|

H( SigS(PD|TS|X|HS(MX)) | SigD(PD|TS| HDN(Nonce)))

Page 14




8/13/2019 FESICM

17/37

ForP

eerRev

iewOnly


hash value HDN-X+1(Nonce) is generated from hashing HD

N-X(Nonce), then they aggregate the pay-

ment by composing the aggregated double approval cheque (ADAC(X)) which contains the latest

hash value (HDN-X

(Nonce)) as a proof to pay for (X) delivered packets. If an intermediate node de-

cides to transit to uncooperative state, it piggybacks a notice in the ACK packet. The source node

re-establishes the route when it receives NACK, the Timeout expires without receiving ACK, or

some intermediate node(s) decided to transit to uncooperative state.

Fig. (5): The evolution of the payment cheques

4.1.6 Cheque Clearing Phase

Since the base stations are involved in the sessions, they submit the cheques to the AC for re-

demption. If a session was broken and the BS does not have the latest cheque, the nodes claim it.

Once the AC receives a cheque, it checks that it has not been deposited before using its unique

identifier (the identities of the payers and payees, and the time stamp), then it verifies the payers

payment approvals (the signatures of the payers, and X hashing operations to get HDN(Nonce) from

HDN-X(Nonce)). The AC clears the cheque by crediting the source and destination nodes with the

listed ratios, and rewarding the relaying nodes. The AC periodically sends clearance confirmation

messages to the nodes, showing the identifiers of the cleared cheques and their updated accounts.

After receiving the messages, the nodes delete the cleared cheques and adjust their local account

counters. If a cheque is not cleared in a certain time, the node can claim it.

ge 15 of 35




8/13/2019 FESICM

18/37

ForP

eerRev

iewOnly


4.2 FESCIM for Pure Ad Hoc Mode Communication

For pure ad hoc mode, the proposed mechanism for hybrid mode can be used but because the

base stations are not involved in the communication, the intermediate nodes submit the cheques to

the AC. In this section, we discuss and evaluate different techniques to send the cheques to the AC.

In evaluating the performance of the techniques, we consider two metrics: the total number of

transmitted cheques (T), and the required storage space in each node to store the cheques (j). In the

security evaluation, the effect of collusion attack on the number of submitted cheques is consid-

ered. It is obvious as these metrics decrease, as it is better.

4.2.1 One-Trust-Level Cheque Submssion Technique

Every cheque contains complete payment data for all the session nodes, so it is sufficient to sub-

mit it once. For instance, the last intermediate node is responsible to submit all the session cheques

in [31]. This technique is efficient because the cheques are transmitted and stored once. However,

the entire cheque submission load is on one node that may not have the sufficient resources, or this

load may degrade its efficiency. The technique is not secure against collusion attack because if just

one node colludes with the payers, all the cheques are not transmitted. In addition, the cheques that

are stored in one node may be deleted or corrupted accidentally due to a malfunction.

4.2.2 Uncooperative Cheque Submssion Technique

All the intermediate nodes store and transmit the session cheques independently and uncoopera-

tively [30], [33]. The technique is secure against collusion attack because it guarantees that all the

cheques are submitted if at least one node does not collude with the payers. However, the tech-

nique is inefficient because each cheque is stored and transmitted (n-C) times, which exhausts the

network resources. In addition, each node has to store and transmit all the cheques, which con-

sumes its resources. In the following subsections, we propose two novel techniques to submit the

cheques to the AC aiming to balance between the performance and the security.

4.2.3 Deterministic Cheque Submssion Technique

Each intermediate node sends a unique and pre-defined set of cheques (around (i/n)). Node

Page 16




8/13/2019 FESICM

19/37

ForP

eerRev

iewOnly


number (x) on the route sends a set of cheques starting from cheque number [S(x)] to [S(x)+j(x)-

1], where j(x) is the share size (the number of cheques to be sent by node number (x) on the ses-

sion route), and S(x) is the starting cheque number. Equations (1) and (2) can be used to calculate

j(x) and S(x). The used notations in the equations are defined in Table (1). The technique is effi-

cient because each cheque is stored and transmitted once and the cheque submission load is dis-

tributed evenly among the nodes. However, it has two security concerns: (1) colluders know their

profits in advance because each cheque is supposed to be sent by one node, which may be an in-

centive to cheating, and (2) the number of submitted cheques is sensitive to the number of collud-

ers especially at small number of relaying nodes because a nodes share is large.

(1)

Otherwise1x)V(R,]ni

Int[*1)-(x

1xIf1S(x) (2)

where:- R= i % n (% is the remainder),

otherwise0

0yif1I(y)

Rx,0RifR

Rx,0Rif1-xxofRegardless0Rif0

x)V(R,

4.2.4 Probabilistic Cheque Submssion Technique

Each node stores and submits a randomly chosen share (j) of the session cheques. One cheque

may be submitted by more than one node. The technique guarantees with a certain probability that

a minimum number of unrepeated cheques will be submitted. Q denotes an integer random vari-

able (0

8/13/2019 FESICM

20/37

ForP

eerRev

iewOnly


submitted cheques by the other nodes, and (2) the honest nodes can take preventive measures (by

increasing (j)) to protect the technique up to a certain number of probable colluders, which is

called adaptive security.

ix

qxx)Pr(Qq)Pr(Q (3)

PR1 Cn

xiPR1 Cn1

x

x

ixQPr (4)

Fig. (6): The effect of PR on the probability of submitting the cheques

Fig. (6) gives the relation between the ratio of transmitted cheques by each node (PR=j/i) and

the probability of submitting at least (q) unrepeated cheques. We assume the number of intermedi-

ate nodes (n) is six, the number of the cheques (i) is 30, and all the nodes do not collude (C=0).

The nodes choose (j) to achieve a certain probability of submitting a minimum number of cheques.

As shown in the figure, it is not worth to choose the operating point at the first region (0%-10%) or

the last region (90%-100%) because the effect of changing PR on the probability is very little.

Therefore, the nodes calculate (j) to guarantee that the probability of sending at least 90% of the

cheques is at least 90%. The figure shows that at least 90% of the cheques can be submitted when

each node sends only 35.2% of the cheques. In addition, when each node submits 40% of the

cheques, at least 95% of the cheques can be submitted. For the un-sent cheques, the nodes can

Page 18




8/13/2019 FESICM

21/37

ForP

eerRev

iewOnly


claim them, or the AC can compensate the nodes, i.e., it can add compensation credits to each

transaction.

In order to investigate the effect of the collusion attack on the number of submitted cheques and

to show how the honest nodes can take preventive measures to protect the technique in advance

(adaptive security), Fig. (7) shows the relation between PR and the probability of submitting at

least 90% of the cheques at different numbers of colluders (C). The relation shows that at PR=0.5,

the technique is immuned up to two colluders because it is guaranteed that the probability of sub-

mitting at least 90% of the cheques is 90%. The security against collusion attack is adaptive be-

cause increasing PR improves the immunity of the technique.

Fig. (7): The effect of collusion attack on cheque submission

4.2.5 Case Study

In order to demonstrate the difference among the cheque submission techniques, we run a case

study to analyze their security and performance. We assume that i=100 and n=10. As shown in Ta-

ble (2), we consider different security levels in the probabilistic technique. A security level (or

immunity level) is defined by the maximum number of colluders that the probability of transmit-

ting at least 90% of the cheques is at least 90%. As shown in the table, one-trust-level technique

achieves the worst protection against collusion attack because for one colluder (at C=1), all the

cheques are not submitted. However, its performance is high because the cheques are stored and

ge 19 of 35




8/13/2019 FESICM

22/37

ForP

eerRev

iewOnly


transmitted once (T=100) but the submission load is on one node. The uncooperative technique

can provide the highest protection against colluders since up to nine colluders, all the cheques are

submitted but with high overhead cost because the cheques are supposed to be stored and transmit-

ted ten times (T=1000). Deterministic technique has low overhead because the cheques are stored

and transmitted once (j=10). The number of submitted cheques decreases by 10% for each col-

luder. Probabilistic technique can balance between the protection against colluders and the over-

head. Increasing PR enhances the security but with more overhead. For instance, increasing PR

from 0.23 to 0.36 increases the number of submitted cheques from 75 to 90 assuming four collud-

ers but with increasing the storage space per node from 23 to 36 and the total transmitted cheques

from 230 to 360. The results also emphasize that the probabilistic technique is less sensitive to the

colluders. For instance, when the number of colluders increases from 2 to 8 at PR=0.28, the num-

ber of submitted cheques drops from 80 to 20 in the deterministic technique and from 90 to 46 in

the probabilistic technique.

TABLE (2):THE RESULTS OF THE CASE STUDY

5SECURITY ANALYSIS

In this Section, we study the robustness of the proposed mechanism against some common at-

tacks.

Page 20




8/13/2019 FESICM

23/37

ForP

eerRev

iewOnly


5.1 Free Calling (or Riding) Attacks

Attackers launch this kind of attacks to communicate for free or with reduced payment. Two col-

luding intermediate nodes on a legitimate session can manipulate the packets to add their ex-

changed data. If the payers pay only for successfully delivered packets, colluders can claim that

the packet is dropped and then they deliver it secretly. In another scenario, if the intermediate

nodes are unable to verify the payment data, payers can exchange packets which will not be re-

warded for. Attackers may record legitimate packets and reply them in different place and/or time

claiming that they are fresh to establish a session without paying. Our mechanism is secure against

these attacks since the intermediate nodes can detect any addition or modification to the packets

and verify the payment data because of having the hash of the message and the payment data in the

payers signatures. The intermediate nodes can claim the payment if a packet does not reach the

destination node, and attaching time stamp can prevent packet replaying attack. In a subtle attack,

attackers may exploit that the AC clears the cheques with the same identifier once and attempt to

issue cheques with the same identifier for different sessions to pay once for multiple sessions. This

attack can not be launched in our mechanism because a cheques identifier includes the identities

of the nodes on the route and the session establishemnet time. Therefore, even if an attacker estab-

lishes two different sessions at the same time, the cheques identifiers are different because at least

one intermediate node is different. In another attack, since the AC clears only the first received

cheque when multiple copies of the same cheque are submitted, the payers may collude with some

intermediate nodes to reduce their payments. The colluders may submit cheques with less pay-

ments so when the AC receives other copies with the same identifier (but with correct payment), it

discards them. In order to thwart the attack and identify the attackers, the AC should compare the

amount of payment in the cleared cheque with each received copy of the same cheque.

For other collusion attack, the colluding intermediate nodes do not send the cheques to the AC.

In order to evaluate the effectiveness of this attack, we run a simulation to evaluate the effect of the

nodes collusion on the ratio of un-sent cheques in a cell with 100 network nodes. The probability

that a node is honest or colluder has uniformly random distribution. As shown in Fig. (8), the effect

ge 21 of 35




8/13/2019 FESICM

24/37

ForP

eerRev

iewOnly


of collusion is nearly linear with a weight of 0.01% for each colluding node in the deterministic

technique. The probabilistic technique can improve the ratio of un-sent cheques. For instance,

when 60% of the network nodes collude, colluders can prevent sending 60% of the cheques in the

deterministic technique but they prevent only 41% of the cheques in probabilistic technique with

PR=0.33. In order to prevent submitting a significant ratio of the cheques in probabilistic tech-

nique, an attacker has to collude with a large number of nodes, which may not be reasonable in

civilian applications and scalable network. For example, to prevent sending at least 50% of the

cheques, an attacker has to collude with at least 55 and 68 nodes at PR of 0.23 and 0.33, respec-

tively. Even if an attacker could prevent sending a group of cheques, the nodes can claim them,

and the trusted party can identify the attackers by applying some statistical analysis.

Fig. (8): The effect of the nodes collusion on the ratio of un-sent cheques

5.2 Modification of Payment Data Attacks

A misbehaving node may attempt to compromise the payment data to gain more credits or pay

less. It may try to add its identity and/ora friends identity claiming that they participated in packet

relaying. In a severe attack, an attacker may fabricate a forged cheque to reward himself and his

friends for a session which did not happen. In the proposed mechanism, modifying the payment

data is difficult because it is hard to forge or modify the payers signatures and to compute H DN-

Page 22




8/13/2019 FESICM

25/37

8/13/2019 FESICM

26/37

ForP

eerRev

iewOnly


the destination node due to malicious or non-malicious actions. In our mechanism, the trusted

party can detect the attack by applying statistical analysis to infer that some nodes are always

neighbors, and they claim SACs more than the normal rate.

5.7 Dropping Control Packets Attack

Although control packets (such as ACK and NACK) are short, some rational attackers may drop

them to save their resources. In our mechanism, the nodes are fully motivated to forward them to

gain more credits by triggering the source node to generate more packets, and to get their credits

by enabling the base stations to compose and redeem the cheques. By applying statistical analysis,

the trusted party can identify the attackers because the routes are frequently broken at them.

5.8 Credit Depletion Attack

Malicious nodes may launch attacks to deplete the destination nodes credits by sending useless

data or inserting dummy data to increase the payment. The attack may lead to denial of service

(DOS) because the victims having fewer credits do not initiate communication. In our mechanism,

a rational node does not launch this attack because both the sender and receiver pay. The interme-

diate nodes can detect and drop modified packets, and the payers agree on the ratio of payment in

route discovering phase. Colluders can not generate fake cheques to steal credits from a destination

node because its payment approval is needed for each packet. However, colluders can establish a

session and generate SACs (without sending data) to steal credits from the receiver. The destina-

tion node can thwart the attack by denying creating sessions with the nodes that frequently create

incomplete sessions. In addition, statistical tools can be applied to identify the colluders because

they claim SACs more than the normal rate.

5.9 Irrational Attacks

Although the main objective of the mechanism is to protect the network from rational attacks, it

can also thwart some irrational ones. In sleep deprivation attack, attackers send bogus information

to exhaust the resources of the nodes. Attackers can not launch this attack successfully by replay-

ing valid packets due to signing time stamps. External attackers can not launch the attack by send-

Page 24




8/13/2019 FESICM

27/37

ForP

eerRev

iewOnly


ing bogus data because they have to sign their transmitted messgaes. The senders are discouraged

to launch sleep deprivation attack because they pay. In packet dropping attack, an attacker partici-

pates in route discovering phase but it drops the data packets aiming to degrade the network per-

formance. The trusted party can identify the attackers by noticing that their preceding nodes on the

routes claim SACs more than the normal rate. An attacker may compromise mobile nodes to infer

their secret keys to launch irrational attacks under their names. By statistical analysis, the trusted

party can notice that a user has appeared in different locations at the same time.

6EVALUATIONS

In this section, fairness is analyzed and simulation results are discussed to evaluate the feasibil-

ity of the proposed mechanism.

6.1 Fairness Analysis

Fairness is defined as a nodes benefits from the network are proportional to its contributions

[41]. A nodes contribution can be relaying packets generated from other nodes or paying credits,

whereas a nodes benefit can be relaying its packets or gaining credits. Fairness is an important

requirement to stimulate the users to participate in the routing process. Our mechanism can enforce

fairness by rewarding or charging credits to balance between the nodes contributions and benefits.

In the proposed mechanism, the nodes are rewarded for every relayed packet regardless whether it

reaches the destination node or not because the relaying nodes can claim the payment. The nodes

are able to validate the payment data before relaying the packets to make sure that they will be re-

warded. They do not delete the cheques before receiving a clearance confirmation from the ac-

counting center. The payers pay only the deserved credits (not full payment) when a route is bro-

ken. In addition, in route discovering phase, the communicating nodes agree on the payment ratio

which is proportional to their interest from the communication.

6.2 Overhead

Several performance measures have been taken to reduce the overhead cost and to improve the

ge 25 of 35




8/13/2019 FESICM

28/37

ForP

eerRev

iewOnly


scalability of the proposed mechanism. Our mechanism is scalable because it does not require in-

stantaneous contacting to the AC in each session. Reducing the number and size of the cheques

lessens the required storage, energy, and bandwidth to submit them. A cheque contains complete

payment information for all the session nodes. Therefore, instead of transmitting all the receipts by

all the nodes, they can be transmitted by some. A payment aggregation technique is applied to gen-

erate a cheque for multiple packets instead of generating a cheque per packet. In order to reduce

the ACK packet overhead, the destination nodes signature is replaced with a hash value because

hashing operations are more efficient than signing or verifying operations. The cheque size is very

compact due to storing the hash of the signatures but more overhead is required by the AC to ver-

ify it. This is acceptable because online clearance is not required, and the AC is a powerful party.

Composing a cheque is efficient because it needs only one lightweight hashing operation. The

payment does not suffer from credit depletion or inflation due to adopting balanced payment and

converting credits to real money and reverse.

The proposed mechanism avoids using impractical techniques such as e-coins (which require an

online party to check the coins and permanent storage), and tamper proof devices (which may be

insecure and expensive). Our mechanism does not need extra control packets or executing an auc-

tion in each node to avoid causing bandwidth and latency overheads. With using local credit

counters, the nodes make their decisions locally without frequently contacting the accounting cen-

ter. Converting the credits into real money motivate the rich nodes to continue in cooperative state.

Although symmetric key cryptography is faster and requires less resource, in our application, pub-

lic key cryptography is more appropriate to prevent payers from denying the payment, and to en-

able the relaying nodes to verify the payment data.

6.2.1 Simulation Setup

In the simulation, we consider two popular digital signature algorithms: RSA and DSA. Accord-

ing to NIST guidelines [42], the secure private keys should have at least 1024 bits. For the mes-

sage digest function, we use MD5 [40] with digest length of 16 bytes. In our mechanism, the major

online processing overhead is due to signing and verifying operations to the security and incentive

Page 26




8/13/2019 FESICM

29/37

ForP

eerRev

iewOnly


data. Therefore, in order to estimate the computational processing delays of applying our mecha-

nism, we have implemented a prototype of the mechanism using the Crypto++ library [43]. The

mobile node is a laptop with an Intel processor at 1.6 GHZ and 1 GB Ram. The operating system

of the mobile node is Windows XP. Table (3) gives the CPU processing times of sending (signing)

and forwarding (verifying or hashing) a message. As it is shown, the processing time of the hash

function is much shorter than the signing or verifying times, i.e., replacing the signatures with

hash values in the ACK packets is efficient. A concern in using DSA in multi-hops networks is that

the verifying operations performed by the intermediate and destination nodes need more delays

than the signing operations performed by the sender. The RSA signature generation is computa-

tionally intensive but the signature verification time is shorter. DSA and RSA generate signature

tags of 320 and 1024 bits, respectively. A concern in using RSA is its longer signature size. The

resources of the real mobile nodes may be less than a laptop, so in the simulations (in next subsec-

tions), the results in Table (3) are scaled by factor of five to estimate a limited-resource node.

TABLE (3):PROCESSING TIMES FOR CRYPTOGRAPHIC PRIMITIVES

Network simulator NS2 (version 2.27) is used to implement a version from the proposed

mechanism and Sprite [30] as an example to a mechanism which generates a cheque per packet.

We simulate a hybrid ad hoc network in a square cell of 800800 square meters. 35 mobile nodes

are randomly deployed, and a fixed base station is located at the center of the cell. We use the Dis-

tributed Coordination Function (DCF) of IEEE 802.11 as the medium access control (MAC) layer

protocol, and dynamic source routing (DSR) as the routing protocol. The radio transmission ranges

for a node and the base station are 250 meters, and the transmission data rate is 2 Mbits/s. To

stimulate the node movements, the random waypoint model is used with speed and pause time uni-

formly distributed in the ranges [0-10] m/s and [0-100] sec, respectively. Constant bit rate (CBR)

traffic source is implemented in each node as an application layer. The source and destination pairs

ge 27 of 35




8/13/2019 FESICM

30/37

ForP

eerRev

iewOnly


are randomly selected. All data packets are 512 bytes and sent at speed of 2 packets/sec. For sim-

plicity, we assume that all the nodes are cooperative, and the relaying price is one credit per

packet. Each simulation is executed for 15 simulated minutes, and each data point represents an

average of twenty runs with identical traffic models but differently generated mobility scenarios. A

summary for the simulation scenario is given in Table (4).

TABLE (4):SIMULATION PARAMETERS

6.2.2 Simulation Results

A. Average Storage Area

For networks with limited-resource nodes, the mechanism should require small storage area. In

FESCIM, each node stores cryptographic information and the payment cheques. The concern issue

is the required area to store the cheques because each node has to store them until it receives a con-

firmation of clearance. Table (5) gives the expected cheque size in Sprite and FESCIM using dif-

ferent cryptosystems. In FESCIM, a cheque size does not depend on the used cryptosystem, and it

needs less storage area due to hashing the signature. The aggregated cheques (ADAC(X) and

ADAC-S(X)) have fixed sizes regardless of the number of relayed packets (X), but each packet

requires a receipt in Sprite. In FESCIM, 1MB can store up to 9,157 aggregated cheques, but in

Sprite, the same area can store up to 4,628 and 7,569 receipts using RSA and DSA, respectively.

In order to evaluate the effectiveness of the payment aggregation technique, Table (6) gives the

Page 28




8/13/2019 FESICM

31/37

ForP

eerRev

iewOnly


expected number of generated cheques in all the intermediate nodes in Sprite and FESCIM for a

session at different packet transmission rates. The source and detination pair is uniformaly chosen

and the session is held for 300 seconds. The table shows that in Sprite, the number of cheques is

much larger, and it significantly increases with the increase of the packet transmission rate. The

FESCIM can significantly reduce the number of generated cheques. More cheques are generated at

higher mobility because the routes are more frequently broken. Fewer cheques can be generated

with the increase of the size of the hash chain (N) because a cheque can aggregate payment for

more packets but more memory space and CPU cycles are needed to store and calculate the chain.

In the optimal case, one cheque is generated for a session. However, because it is difficult to esti-

mate the number of packets in a session in advance, the unused hash values in a chain are lost be-

cause it is insecure to use them in other sessions. The table shows that increasing N above 30 can

not reduce the number of the cheques significantly. Consequently, properly choosing the size of the

hash chain can optimize the number of cheques and also save the nodes resources. The FESCIM

does not suffer from storage problem because the cheques are compact, temporarily stored, and

few.

TABLE (5):AVERAGE CHEQUE SIZE

TABLE (6):THE AVERAGE NUMBER OF GENERATED CHEQUES

B. Packet End-to-End Delay

It is the average time interval between the data packet generation and the time when the last bit

ge 29 of 35




8/13/2019 FESICM

32/37

ForP

eerRev

iewOnly


arrives at the destination. Fig. (9) shows the average end to end delay as a function of the number

of connections in Sprite and FESCIM. Up to 20 connections, the delay is mainly due to the signing

and verifying operations but for larger number of connections, the delay dramatically increases

(with or without implementing the cooperation incentive mechanism) because the channel conten-

tion and queuing delays dominate. There is no sensible delay difference between Sprite and

FESCIM because the additional hashing operation needed in each ACK packet in FESCIM is free

computationally (50s per operation), i.e., using the hash chain to aggregate the payment almost

does not have effect on the delay. Although DSA has much shorter signature tag than RSA, it

causes more delay because the verifying time (in the intermediate nodes) is longer. The end to end

delay can be significantly improved by using a delayed verification, i.e., a node forwards the

packet first then it verifies the payment.

Fig. (9): The end to end delay in Sprite and FESCIM

C. Network Throughput

The average network throughput gives the fraction of the channel capacity used for useful

transmission. It is computed by dividing the size of the received data by all the nodes over the

simulation time. Fig. (10) shows the average throughput as a function of the number of connec-

tions. Increasing the number of connections increases the network throughput but the increasing

rate starts to decrease above 20 connections because the network starts to enter its maximum ca-

pacity. There is little improvement by using RSA over DSA because congestions occur more likely

in longer processing delays in the intermediate nodes, and no difference between Sprite and

Page 30




8/13/2019 FESICM

33/37

ForP

eerRev

iewOnly


FESCIM because the extra hashing operation in FESCIM has little effect on the processing delay.

Fig. (10): The throughput in Sprite and FESCIM

D. Data Packet Delivery Ratio (PDR)

It is the average ratio of the data packets successfully delivered to the destination nodes with re-

spect to those generated by the sources. Fig. (11) shows the average packet delivery ratio (PDR) as

a function of the number of connections. The percentage of packets correctly delivered is quite

high (above 99%) for up to 20 connections. Over 20 connections, the PDR decreases because the

congestions are more likely to occur. We can observe little improvement by using RSA over DSA

because congestions are more likely to take place in DSA due to its longer processing delay. The

extra lightweight hashing operation needed in FESCEM does not have effect on the PDR.

Fig. (11): The Packet Delivery Ratio in Sprite and FESCIM

ge 31 of 35




8/13/2019 FESICM

34/37

8/13/2019 FESICM

35/37

ForP

eerRev

iewOnly


cheque size is reduced with storing the hash of the payers signatures. A hash chain is used to effi-

ciently integrate the incentive mechanism in the routing protocol. In order to protect the payment

from collusion attacks, secure and efficient techniques have been proposed to submit the cheques

to the accounting center for redemption. Extensive evaluation demonstrates that the mechanism is

robust against rational and colluding attacks, and it can reward the nodes proportionally to their

contributions. Overhead evaluation shows that the mechanism can significantly reduce the number

of cheques, and can be implemented efficiently. In this work, on-demand routing protocol has been

used to enable the payers (the source and destination nodes) to know the identities of the payees

(the intermediate nodes) to issue the payment cheques. In some wireless networks, such as Delay

Tolerant Networks (DTN), the source node may not be able to know the identities of the relaying

nodes before sending a packet. Therefore, in our future work, we are going to extend this work to

consider these networks.

REFERENCES[1] Y. Lin and Y. Hsu, Multihop Cellular: A New Architecture for Wireless Communications, Proc. of IEEE IN-

FOCOM00, Vol. 3, pp. 1273---1282, March 26-30, 2000.[2] X. Li, B. Seet, and P. Chong, Multihop Cellular Networks: Technology and Economics, Computer Networks,

Vol. 52, No. 9, pp. 1825---1837, June 2008.

[3] C. Gomes and J. Galtier, Optimal and Fair Transmission Rate Allocation Problem in Multi-hop Cellular Net-works, Lecture Notes in Computer Science, Springer Berlin/Heidelberg, Vol. 5793, pp. 327-340, August 29,2009.

[4] Y. Tam, S. Akl, and H. Hassanein, Resource Managemnet in Multi-hop Cellular Networks, PhD Thesis,Queens University, Kingston, Ontario, Canada, January 2009.

[5] G. Shen, J. Liu, D. Wang, J. Wang, and S. Jin,Multi-Hop Relay for Next-Generation Wireless Access Net-works, Bell Labs Technical Journal, Vol. 13, No. 4, pp. 175-193, 2009.

[6] F. Hossain and H. Chowdhury, Impact of Mobile Relays on Throughput and Delays in Multihop Cellular Net-work, Proc. of IEEE International Conference on Wireless and Mobile Communications (ICWMC08), pp. 304-308, Athens, Greece, July 27-August 1, 2008.

[7] R. Schoenen, R. Halfmann, and B. Walke, MAC Performance of a 3GPP-LTE Multihop Cellular Network,Proc. of IEEE International Conference on Communications (ICC08), pp. 4819---4824, Beijing, China, May 19-23, 2008.

[8] 3rd Generation Partnership Project, Technical Specification Group Radio Access Network, Opportunity Driven

Multiple Access, 3G Technical Reort 25.924, version 1.0.0, December 1999.[9] S. Marti, T. Giuli, K. Lai, and M. Baker, Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, Proc.

of ACM International Conference on Mobile Computing and Networking (MobiCom00), pp. 255---265, Boston,Massachusetts, USA, August 6-11, 2000.

[10]P. Michiardi and R. Molva, Simulation-Based Analysis of Security Exposures in Mobile Ad Hoc Networks,Proc. of European Wireless Conference, Florence, Italy, February 25---28, 2002.

[11]J. Hu, Cooperation in Mobile Ad Hoc Networks, Technical report (TR-050111), Computer Science Depart-ment, Florida State University, Tallahassee, January 2005.

ge 33 of 35




8/13/2019 FESICM

36/37

ForP

eerRev

iewOnly


[12]G. Marias, P. Georgiadis, D. Flitzanis, and K. Mandalas, Cooperation Enforcement Schemes for MANETs: ASurvey, Wiley's Journal of Wireless Communications and Mobile Computing, Vol. 6, Issue 3, pp. 319---332,2006.

[13]C. Song and Q. Zhang, OMH-----Suppressing Selfish Behavior in Ad hoc Networks with One More Hop,Mobile Networks and Applications, Springer Netherlands, Vol. 14, No. 2, pp. 178-187, February 2009.

[14]Y. Ho, A. Ho, K. Hua, and F. Xie, Cooperation Enforcement in a Highly Dynamic Mobile Ad Hoc Network,Journal of Universal Computer Science, Vol. 15, No. 5, pp. 1090-1118, 2009.

[15]D. Djenouri and N. Badache, On Eliminating Packet Droppers in MANET: A Modular Solution, Elsevier AdHoc Networks, Vol. 7, Issue 6, pp. 1243-1258, August 2009.

[16]G. Bella, G Costantino, and S. Riccobene, Evaluating the Device Reputation Through Full Observation inMANETs, Journal of Information Assurance and Security, Vol. 4, Issue 5, pp. 458-465, March 2009.

[17]L. Feeney, An Energy-Consumption Model for Performance Analysis of Routing Protocols for Mobile Ad HocNetworks, Mobile Networks and Applications, Vol. 3, No. 6, pp. 239---249, 2001.

[18]L. Buttyan and J. Hubaux, Nuglets: A Virtual Currency to Stimulate Cooperation in Self Organized Ad HocNetworks, Technical Report DSC/2001/001, Swiss Federal Institute of Technology, Lausanne, January 2001.

[19]L. Buttyan and J. Hubaux, Enforcing Service Availability in Mobile Ad-hoc WANs, Proc. of the 1stIEEE/ACM international symposium on Mobile Ad Hoc Networking and Computing (MobiHOC00), pp. 87-96,Boston, Massachusetts, August 11, 2000.

[20]L. Buttyan and J. Hubaux, Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks, MobileNetworks and Applications, Vol. 8, No. 5, pp. 579-592, October, 2004.

[21]A. Weyland, T. Staub, and T. Braun, Comparison of Motivation-Based Cooperation Mechanisms for Hybrid

Wireless Networks, Journal of Computer Communications, Vol. 29, pp. 2661---2670, 2006.[22]A. Weyland and T. Braun, Cooperation and Accounting Strategy for Multi-Hop Cellular Networks, Proc. of

IEEE Local and Metropolitan Area Networks (LANMAN04), pp. 193-198, Mill Valley, CA, USA, April 25-28,2004.

[23]A. Weyland and T. Braun, Cashnet - Cooperation and Accounting Strategy for Hybrid Networks, Proc. ofIEEE International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks(WiOpt04), Cambrigde, UK, March 24-26, 2004.

[24]A. Weyland, T. Staub, and T. Braun, Liveliness Evaluation of a Cooperation and Accounting Strategy in HybridNetwork, Proc. of Workshop on Applications and Services in Wireless Networks (ASWN04), Boston, Massa-chusetts, USA, August, 2004.

[25]Y. Zhang, W. Lou, and Y. Fang, SIP: A Secure Incentive Protocol against Selfishness in Mobile Ad Hoc Net-works, Proc. of IEEE Wireless Communication and Networking Conference (WCNC04), pp. 1679-1684, At-lanta, Georgia, USA, March 21-25, 2004.

[26]Y. Zhang, W. Lou, and Y. Fang, A Secure Incentive Protocol for Mobile Ad Hoc Networks, ACM WirelessNetworks, Vol. 13, No. 5, pp. 569-582, October, 2007.[27]M. Jakobsson, J. Hubaux, and L. Buttyan, A Micro-Payment Scheme Encouraging Collaboration in Multi-hop

Cellular Networks, Proc. of the 7th Financial Cryptography (FC'03), pp. 15---33, La Guadeloupe, January 2003.[28]M. Jakobsson and L. Yang, Quantifying Security in Hybrid Cellular Networks, ACNS Springer-Verlag Ber-

lin/Heidelberg, Vol. 3531, pp. 350---363, May 2005.[29]G. Avoine, Fraud within Asymmetric Multi-Hop Cellular Networks, Proc. of Financial Cryptography (FC05),

Vol. 3570, pp. 1---15, Roseau, The Commonwealth of Dominica, February 28-March 3, 2005.[30]S. Zhong, J. Chen, and R. Yang, Sprite: A Simple, Cheat-Proof, Credit Based System for Mobile Ad-Hoc Net-

works, Proc. of Annual Joint Conference of the IEEE Computer and Communications Societies (INFO-COM03), Vol. 3, pp. 1987-1997, San Francisco, CA, March 30-April 3, 2003.

[31]B. Lamparter, K. Paul, and D. Westhoff, Charging Support for Ad Hoc Stub Networks, Journal of ComputerCommunications, Vol. 26, No. 13, pp. 1504---1514, 2003.

[32]N. Salem, L. Buttyan, J. Hubaux, and M. Jakobsson, A Charging and Rewarding Scheme for Packet Forwarding

in Multi-hop Cellular Networks, Proc. of ACM International Symposium on Mobile Ad Hoc Networking andComputing (MobiHoc03), Annapolis, USA, June 2003.

[33]N. Salem, L. Buttyan, J. Hubaux, and M. Jakobsson, Node Cooperation in Hybrid Ad Hoc Networks, IEEETransactions on Mobile Computing, Vol. 5, No. 4, April 2006.

[34]N. Salem, L. Buttyan, J. Hubaux, and M. Jakobsson, Cooperation in Multi-hop Cellular Networks with Ex-tended Security Analysis, Proc. of ACM International Symposium on Mobile Ad Hoc Networking and Comput-ing (MobiHoc03), Annapolis, MD, USA, June 1-3, 2003.

[35]J. Pan, L. Cai, X. Shen, and J. Mark, Identity-Based Secure Collaboration in Wireless Ad Hoc Networks,Computer Networks (Elsevier), Vol. 51, No. 3, pp. 853-865, 2007.

Page 34




8/13/2019 FESICM

37/37

ForP

eerRev

iewOnly


[36]C. Bassem and A. Bestavros,CSR: Constrained Selfish Routing in Ad-Hoc Networks, Lecture Notes in Com-puter Science, Springer Berlin/ Heidelberg, Vol. 5682, pp. 179-189, 2009.

[37]J. Lee, W. Liao, and M. Chen, An Incentive-based Fairness Mechanism for Multi-hop Wireless Backhaul Net-works with Selfish Nodes, IEEE Transactions on Wireless Communications, Vol. 7, No. 2, pp. 697---704, Febru-ary 2008.

[38]H. Janzadeh, K. Fayazbakhsh, M. Dehghan, and M. Fallah, A Secure Credit-based Cooperation StimulatingMechanism for MANETs Using Hash Chains, Future Generation Computer Systems, Vol. 25, Issue 8, Septem-

ber 2009.[39]M. Mahmoud and X. Shen, Anonymous and Authenticated Routing in Multi-Hop Cellular Networks, Proc. of

IEEE ICC09, Dresden, Germany, June 14-18, 2009.[40]A. Menzies, P. Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press,

http://www.cacr.math.uwaterloo.ca/hac, Boca Raton, Fla., 1996.[41]A. Mok, B. Mistry, E. Chung, and B. Li, FAIR: Fee Arbitrated Incentive Architecture in Wireless Ad Hoc Net-

works, Proc. of 10th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'04), pp.38-47, Toronto, Canada, May 25-28, 2004.

[42]National Institute of Standards and Technology (NIST), Recommendation for Key Management - Part 1: Gen-eral (Revised), Special Publication 800-57 200, 2007.

[43]W. Dai, Crypto++ Library 5.6.0, http://www.cryptopp.com, 2009.[44]G. Pottie and W. Kaiser,Wireless Integrated Sensor Networks, Communications of the ACM, Vol. 43, Isuue 5,

pp. 51-58, May 2000.[45]N. Potlapally, S. Ravi, A. Raghunathan, and N. Jha, A Study of the Energy Consumption Characteristics of

Cryptographic Algorithms and Security Protocols, IEEE Transactions on Mobile Computing, Vol. 5, No. 2, pp.128-143, March-April 2006.

Mohamed Elsalih Mahmoud received the B.Sc. (1998) degree with honor degree and the M.Sc. (2003) fromBanha university (Egypt), both in electrical communications engineering. He got the best paper award inCommunication and Information Systems Security Symposium in International Conference on Communications(ICC09), Dresden, Germany, 14-18 June, 2009. He also got the University of Waterloo Graduate Scholarshipaward four times. He is currently working toward his Ph.D. degree in the Department of Electrical and ComputerEngineering at the University of Waterloo, Ontario, Canada, where he is working with the Broadband Com-

munications Research (BBCR) Group. His research interest includes wireless network security, privacy in hybridad hoc networks, and cooperation incentive mechanisms in multi-hop wireless networks.

Xuemin (Sherman) Shen received the B.Sc.(1982) degree from Dalian Maritime University (China) and theM.Sc. (1987) and Ph.D. degrees (1990) from Rutgers University, New Jersey (USA), all in electrical engineer-ing. He is a Professor and University Research Chair, Department of Electrical and Computer Engineering,University of Waterloo, Canada. Dr. Shens research focuses on mobility and resource management in inter-connected wireless/wired networks, UWB wireless communications networks, wireless network security, wire-less body area networks and vehicular ad hoc and sensor networks. He is a co-author of three books, and haspublished more than 400 papers and book chapters in wireless communications and networks, control andfiltering. Dr. Shen served as the Tutorial Chair for IEEE ICC08, the Technical Program Committee Chair forIEEE Globecom07, the General Co-Chair for Chinacom07 and QShine06, the Founding Chair for IEEE Com-munications Society Technical Committee on P2P Communications and Networking. He also serves as aFounding Area Editor for IEEE Transactions on Wireless Communications; Editor-in-Chief for Peer-to-Peer

Networking and Application; Associate Editor for IEEE Transactions on Vehicular Technology; KICS/IEEE Journal of Communications

and Networks, Computer Networks; ACM/Wireless Networks; and Wireless Communications and Mobile Computing (Wiley), etc. Hehas also served as Guest Editor for IEEE JSAC, IEEE Wireless Communications, IEEE Communications Magazine, and ACM MobileNetworks and Applications, etc. Dr. Shen received the Excellent Graduate Supervision Award in 2006, and the Outstanding Perform-ance Award in 2004 and 2008 from the University of Waterloo, the Premiers Research Excellence Award (PREA) in 2003 from theProvince of Ontario, Canada, and the Distinguished Performance Award in 2002 and 2007 from the Faculty of Engineering, Universityof Waterloo. Dr. Shen is a registered Professional Engineer of Ontario, Canada, and a Distinguished Lecturer of IEEE CommunicationsSociety.

ge 35 of 35 Transactions on Mobile Computing

Documents

FESICM