Upload
archana-akila
View
217
Download
0
Embed Size (px)
Citation preview
8/13/2019 FESICM
1/37
Downloaded from engine.lib.uwaterloo.caon 7 January 2014
FESCIM: Fair, Efficient, and SecureCooperation Incentive Mechanism forHybrid Ad Hoc NetworksMohamed Mohamed Elsalih Abdelsalam Mahmoud, Sherman
ShenDate Submitted: 23 November 2009
Date Revised: 23 December 2009
Date Published: 18 July 2011
Updated information and services can be found at:http://engine.lib.uwaterloo.ca/ojs-
2.2/index.php/pptvt/article/view/594
These include:
Subject Classification Vehicular Technology
Keywords Network-level security and protection, Payment schemes,Wireless communication, Hybrid systems.;
Submitting Author sComments
IEEE TMC
Comments You can respond to this article at:http://engine.lib.uwaterloo.ca/ojs-
2.2/index.php/pptvt/comment/add/594/0
Copyright 2009 IEEE. Personal use of this material is permitted.However, permission to reprint/republish this material for
advertising or promotional purposes or for creating new
collective works for resale or redistribution to servers or lists, or
to reuse any copyrighted component of this work in other works
must be obtained from the IEEE.
8/13/2019 FESICM
2/37
ForP
eerRev
iewOnly
FESCIM: Fair, Efficient, and Secure Cooperation Incentive
Mechanism for Hybrid Ad Hoc Networks
Journal: Transactions on Mobile Computing
Manuscript ID: Draft
Manuscript Type: Regular
Keywords:Network-level security and protection, Payment schemes, Wirelesscommunication, Hybrid systems
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 1 of
8/13/2019 FESICM
3/37
ForP
eerRev
iewOnly
FESCIM: Fair, Efficient, and Secure Cooperation
Incentive Mechanism for Hybrid Ad Hoc Networks
Mohamed Elsalih Mahmoud, Xuemin (Sherman) Shen, IEEE Fellow
AbstractIn hybrid ad hoc wireless networks, the mobile nodes usually act as routers to relay packets
from other nodes. However, selfish nodes may not cooperate but make use of the honest ones to relay
their packets, which has negative effect on fairness, security, and performance of the network. In this
paper, a fair, efficient, and secure cooperation incentive mechanism is proposed to stimulate the nodes
cooperation in hybrid ad hoc networks. Fair payment can be achieved by rewarding and charging credits to
balance between a nodes contributions and benefits. In order to reduce the overhead cost, a payment
aggregation technique is applied to reduce the number of generated receipts. A hash chain is used to
efficiently integrate the incentive mechanism in the routing protocol. Secure techniques are proposed to
protect the receipt submission from collusion attacks and to reduce the number of transmitted receipts.
Extensive evaluation shows that the proposed mechanism is robust against rational and colluding attacks,
and the nodes can be rewarded proportionally to their contributions. Simulation results demonstrate that
the proposed mechanism can be implemented efficiently.
Index Terms Network-level security and protection, Payment schemes, Wireless communication, Hybrid systems.
1 INTRODUCTION
Hybrid ad hoc network (also called multi-hop cellular network (MCN)) [1], [2], [3], [4] is anetwork architecture which incorporates the ad hoc characteristics into the cellular system. The
packets originated from a node are relayed through the mobile nodes to the receiver or to a base
station which delivers them to the receiver. The network nodes commit bandwidth, data storage,
CPU cycles, battery power, etc, forming a pool of resources which can be shared by all of them.
The utility which nodes can obtain from the pooled resources is much higher than they can obtain
on their own. Multi-hop relaying improves the network performance and deployment [5], [6], [7],
[8]. It can extend the communication range using limited transmit power, improve area spectralefficiency, reduce the dead areas, reduce power consumption because the transmission distances
are shorter, and enhance the network throughput and capacity. In addition, the network can be de-
ployed more readily and at lower costs. It is shown in [8] that the path loss per hop can be reduced
by 12dB, and the data rate can be increased by a factor of ten if the relaying distance is halved.
ge 1 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 2 of
8/13/2019 FESICM
4/37
ForP
eerRev
iewOnly
2 IEEE TRANSACTIONS ON MOBILE COMPUTI
However, due to involving autonomous devices in the routing process, it suffers from new security
challenges which endanger the practical implementation of the network.
The proper operation of the hybrid ad hoc network requires the intermediate nodes to collabo-
rate to enhance the network performance. It is shown in [9] that if 10% to 40% of the nodes behave
selfishly, the average throughput degrades by 16% to 32%. It is also shown in [10] that the delay
increases linearly with the percentage of selfish nodes. Therefore, the selfish behavior significantly
degrades the overall network performance which may result in failure of multi-hop data communi-
cation, and thus selfish nodes pose real threats to the operation of the hybrid ad hoc network. How-
ever, most existing works assume that all the mobile nodes of a hybrid ad hoc network are coop-
erative, i.e., they are willing to relay data generated from other nodes. While this assumption is
reasonable in disaster recovery or military applications since the nodes belong to a single authority
and have a common goal, it may not hold for civilian applications where each node tries to maxi-
mize its benefits from the network. Moreover, the nodes may not benefit from their cooperation
since it consumes their scarce resources (such as radio spectrum, battery power, and CPU cycles),
and does not provide any immediate advantages because serving others does not guarantee that the
user will be served as well. Consequently, in civilian applications, selfish nodes are not voluntarily
interested in cooperation without sufficient incentive, and they make use of the honest nodes to
relay their packets without any contribution to the network, which has negative impact on fairness,
security, and performance of the network. Several mechanisms have been proposed to mitigate the
problems caused by the selfish nodes [11], [12]. The mechanisms fall into one of two categories,
namely, reactive (or enforcement) and preventive (or incentive). In reactive mechanisms [13], [14],
[15], and [16], a network node monitors the transmission of a neighbor to make sure that the
neighbor forwards others traffic. A reputation system is used to identify and punish the selfish
nodes. The system should be able to differentiate between a nodes unwillingness and inability to
cooperate, and to suppress the false accusations against the honest nodes. In preventive (also called
credit-based or incentive) mechanisms, forwarding packets generated from other nodes is a service
(not an obligation) because the mobile nodes are autonomous devices which are owned by the
Page 2
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 3 of
8/13/2019 FESICM
5/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
network users. The mechanisms do not enforce the nodes to cooperate nor punish them when they
decide not to cooperate. An incentive (virtual currency or credits) is used to motivate the nodes to
collaborate, and to prove that it is more beneficial for them to cooperate than behaving selfishly.
The transmission of self-generated packets is charged and the forwarding of other nodes packets is
rewarded.
However, reactive mechanisms suffer from unreliable detection to the selfish nodes because dif-
ferent nodes may evaluate the behavior of the same node differently, and it is difficult to differenti-
ate between a nodes unwillingness and inability to cooperate due to low resources such as low
battery or full buffer. Another challenge is to prevent the propagation of incorrect reputations (ei-
ther good or bad) because malicious nodes can work together to boost their reputations or to de-
fame innocent nodes. In addition, reactive mechanisms may not guarantee fairness because the
nodes with higher contributions are not compensated. For instance, although the nodes situated in
the center contribute more to the network than those in the periphery, they are not compensated.
Moreover, to monitor their neighbors, the nodes work in the inefficient promiscuous mode [17].
Therefore, preventive mechanisms are more appropriate to commercial networks where individual
nodes do not have pre-existing links to each other and they can periodically contact a centralized
entity which manages their credit accounts.
Several preventive mechanisms have been proposed in the literatures [11]. The main concern is
that the practicability and performance remain unclear because the packet-by-packet paying im-
plies a significant communication overhead and implementation complexity due to generating and
transmitting a large number of receipts (payment proofs) for clearance, which consumes the net-
work storage area, bandwidth, and energy. Heavyweight mechanism degrades the performance of
the network, and stimulates the nodes to behave selfishly to save their resources to serve their us-
ers. Although the cooperation incentive mechanisms are implemented to protect the network from
rational attacks, insecure mechanisms encourage the nodes to attack the payment to pay less and/or
gain undeserved credits. Two techniques have been adopted in the existing mechanisms to submit
the receipts for clerarance: (1) one node (e.g. the last intermediate node) sends all the receipts; this
ge 3 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 4 of
8/13/2019 FESICM
6/37
ForP
eerRev
iewOnly
4 IEEE TRANSACTIONS ON MOBILE COMPUTI
technique is vulnerable to collusion attack to prevent clearing the receipts, (2) all the intermediate
nodes send all the receipts; this technique is not efficient because multiple copies of the same re-
ceipt (which has payment data for all the relaying nodes) are submitted. Fairness issues arise when
a node gains more benefits than its contributions, or when some nodes take advantage from the
honest ones which are more overloaded because the network traffic is concentrated through them.
Although achieving fairness is an important requirement to stimulate the nodes to participate in the
routing process, the existing mechanisms have been paid little attention to adopt fair payment.
In this paper, a fair, efficient, and secure cooperation incentive mechanism is proposed to stimu-
late the nodes to cooperate in hybrid ad hoc network. Our mechanism can enforce fairness by re-
warding or chargingcredits to balance between the nodes contributions and benefits. In order to
reduce the number of the submitted receipts, each receipt contains complete payment data to all the
session nodes. Therefore, instead of transmitting all the receipts by all the nodes, they can be
transmitted by some. A payment aggregation technique is proposed to generate a receipt for multi-
ple packets instead of generating a receipt per packet. A hash chain is applied to integrate the in-
centive mechanism in the routing protocol efficiently. Secure techniques are proposed to protect
the receipt submission from collusion attacks and to reduce the number of transmitted receipts. It
will be shown that the mechanism can reward the network nodes proportionally to their contribu-
tions. Extensive security and overhead evaluations demonstrate that the mechanism is secure
against rational and colluding attacks, and can be implemented efficiently. The remainder of this
paper is organized as follows. A brief description and evaluation to some existing mechanisms are
presented in Section 2. Section 3 gives the network model. The proposed cooperation incentive
mechanism is presented in Sections 4. Extensive security analysis is given in Sections 5. In Section
6, fairness and implementation overhead are evaluated. Finally, we conclude the paper and discuss
some future work in Section 7.
2 RELATED WORK
In Nuglets mechanism [18], [19], and [20], a tamper proof device (TPD) is installed in each de-
Page 4
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 5 of
8/13/2019 FESICM
7/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
vice to store its credits and to secure its operation. The self-generated and forwarding packets are
passed to the TPD to decrease and increase the credit account, respectively. A node can not trans-
mit its generated packets if it does not have sufficient credits. Two models, called the packet purse
model (PPM) and the packet trade model (PTM), have been proposed. In the PPM, the source node
pays for relaying its packets by loading some credits in each packet before sending it. Each for-
warding node acquires the amount of credits that covers its forwarding cost. A packet is discarded
if it does not have enough credits to be forwarded. In the PTM, each intermediate node buys a
packet and sells it to the following node in the route until the destination node pays the total cost.
Using tamper-proof devices can reduce the complexity of the incentive mechanism but the as-
sumption that they can not be tampered is neither secure nor realistic for networks with autono-
mous nodes. Tamper-proof devices with high security level may be expensive, and if they are
compromised, attackers can attack the mechanism brutally in undetectable way. In a subtle attack,
two tamper proof devices can be installed in one device, and a packet is passed through them for
double rewarding. Fairness issue arises when a node loses its credits without any benefits. It is dif-
ficult to estimate the required amount of loaded credits so the surplus credits are lost in over-
estimation and all the loaded credits are lost in underestimation. In addition, the source node pays a
complete payment for every generated packet even if it does not reach its destination. The PTM
suffers from high bandwidth and latency overhead because an auction occurs at each node. Drop-
ping the packets with insufficient credits degrades the network throughput. It is shown in [21] that
the long-term operation of the mechanism is questionable because the amount of credits in the
network decreases over time due to employing unbalanced payment, i.e., the paid credits are not
necessarily equal to the earned ones. Unbalanced payment may lead to credit inflation if the re-
wards are greater, or credit depletion if the charges are greater. In credit inflation, the nodes are
rich and their stimulation to cooperation becomes less, whereas, in credit depletion, the nodes are
poor and they can not initiate communications.
In CASHnet mechanism [22] and [23], users regularly visit service points to buy traffic credits
(which are used to forward self-generated packets) and/or to transfer helper credits (which are
ge 5 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 6 of
8/13/2019 FESICM
8/37
ForP
eerRev
iewOnly
6 IEEE TRANSACTIONS ON MOBILE COMPUTI
gained from relaying other nodes packets) to traffic credits. Before transmitting a packet, the
originators traffic credit account (stored in the node) is charged. Upon receiving the packet, the
destination nodes traffic credit account is also charged and a digitally signed acknowledgement
packet (ACK) is sent. Upon receiving the ACK, the forwarding nodes increase their helper credit
account. The source node pays for relaying its packets to a gateway, and the destination node pays
for receiving them. It is shown in [21] and [24] that the performance of the network depends on the
availability of service points, i.e., although the nodes have helper credits, they starve because they
can not find a service point to convert. Fairness issues arise when a node is not rewarded when it
does not receive an ACK packet, and the sender pays full payment whether the packet reaches the
gateway or not. Moreover, the payment ratio between the source and destination nodes is propor-
tional to the distance to the gateway not to their interest from the communication.
In SIP (Secure Incentive Protocol) [25] and [26], after receiving a packet, the destination node
sends a payment RECEIPT packet to the transmitter to issue a REWARD packet which increments
the accounts (stored in the nodes) of the intermediate nodes. The mechanism encourages the com-
municating nodes to issue REWARD packets by overcharging them for full payment, and they get
the overcharged credits (half of the payment) back after issuing them. The mechanism incurs high
overhead because each packet needs three trips between the source and destination nodes. A fair-
ness concern is that the intermediate nodes are not rewarded, and the payers pay more than the de-
served credits when REWARD or RECEIPT packets are dropped, or when a data packet does not
reach the destination node due to malicious or non-malicious action.
In [27] and [28], a probabilistic payment technique is applied to avoid generating a large number
of receipts in the network. The sender (the payer) appends payment tokens to its transmitted pack-
ets. The forwarding nodes check whether a token corresponds to a winning ticket. Winning tickets
are sent to the accounting center (AC) to reward the winning nodes. Payers are charged per packet
and forwarding nodes are paid per winning ticket. The mechanism encourages the nodes to relay
the packets with losing tickets by rewarding not only the winning node but also its neighbors. The
mechanism suffers from a security flaw that colluders can intercept and exchange collected tokens
Page 6
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 7 of
8/13/2019 FESICM
9/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
to be checked locally in each node to gain credits without contributing to the network. In [29], it is
shown an attack which enables two attackers to communicate for free without being detected by
the operator. Fairness issue arises when a node is not compensated for consuming its resources to
relay a packet.
In Sprite mechanism [30], an intermediate node stores a receipt for each relayed packet and
submits the receipts when it has a connection to the accounting center to clear them. The mecha-
nism incurs significant communication overhead because the number of submitted receipts is large
due to generating a receipt for each packet and due to sending all the receipts by all the nodes. The
size of the receipts is large, which consumes the network resources. Fairness issue arises when the
amount of rewards is greatly reduced (to thwart cheating actions) if a packet is not reported to be
received by the destination node due to malicious or non-malicious actions. In [31], the sender ap-
pends a signature to the full path identities and an initialization of a keyed hash chain. Each inter-
mediate node verifies the signature and computes a new hash value. The recipient generates a re-
ceipt of the received amount of data and sends it to the last intermediate node to transmit to the
AC. A security flaw is that two colluders can communicate freely by exchanging packets with in-
valid hash values because the intermediate nodes can not verify the received hash chain. The last
intermediate node may collude with the payers, and it does not send the receipts to the AC to de-
prive the relaying nodes from their payments. In addition, the last intermediate node may not have
the sufficient resources to submit the receipts, or this extra load may degrade its efficiency.
In [32] and [33], the sender encrypts the payload and appends a receipt. Each uplink node re-
encrypts the payload and stores the receipt. The base station removes the encryption layers and it-
eratively encrypts the payload with the keys shared with the downlink nodes. Each downlink node
decrypts one layer, computes and stores the receipt. The iterative encryption and decryption opera-
tions protect the mechanism from free riding attack. The sender is charged and the uplink nodes
are rewarded when the packet reaches the base station. The downlink nodes are rewarded when the
base station receives an ACK from the receiver. In order to motivate the destination node to send
ACK, it is charged a fee which is returned when the ACK is received. If a packet does not reach
ge 7 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 8 of
8/13/2019 FESICM
10/37
ForP
eerRev
iewOnly
8 IEEE TRANSACTIONS ON MOBILE COMPUTI
the base station, the intermediate nodes submit the receipts to claim the payments but they are re-
warded only for the minimum packet length. It is shown in [34] that the mechanism suffers from
the early duplicate attack to deny the service from the legitimate nodes. Two colluders can com-
municate for free because the intermediate nodes can not verify the payment data. A large number
of receipts are claimed because they are individually issued and claimed. If an ACK packet does
not reach the base station due to malicious or non-malicious action, the destination node is over-
charged.
In [35], the mechanism is a series of per-hop transactions. Nodes pay in advance to get coins be-
fore engaging in communication sessions. The intermediate nodes trade the forwarded packets. A
packet buyer contacts the AC to get deposited coins which are used for a limited time, specific
seller, and one session. The seller claims the coins by submitting them to the AC. The mechanism
is complicated because the buyers and sellers frequently and interactively contact the AC. The coin
format is inflexible because it is used for a specific user, one session, and limited time. The
mechanism can be used in limited applications because only the destination node can initiate the
session. In [36], an AODV-based incentive routing protocol for ad-hoc networks has been pro-
posed. The protocol employs three new types of control packets, which imposes much overhead.
In [37], an incentive-based mechanism has been proposed to encourage Transit Access Points
(TAPs) to forward data for other TAPs, and thus it eliminates the location-dependent unfairness
problem in the backhaul networks. The mechanism in [38] improves Sprite by using hash chains
instead of digital signatures but a large number of receipts are generated and payment non-
repudiation can not be guaranteed.
3THE NETWORK ARCHITECTURE
3.1 The Network Model
As shown in Fig. (1), the hybrid ad hoc network includes a trusted party (TP), a set of base sta-
tions (BSs) and mobile nodes (MNs). The trusted party is responsible for the security and financial
issues in the network. It generates and revokes (whenever it is necessary) the required crypto-
Page 8
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 9 of
8/13/2019 FESICM
11/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
graphic credentials for a node to join the network. It also contains the accounting center (AC) that
stores and manages the credit accounts of the network entities. Once the AC receives a proof of
packet forwarding (transaction cheque), it updates the accounts of the participating entities. The
nodes can gain credits from forwarding other nodes packets or from buying additional credits
from the accounting center for real money. Credits can be converted to real money and reverse to
make the network operation flexible and to give incentive to the rich nodes to keep cooperating.
Some of the relays may be fixed as parts of the network infrastructure to improve the network
connectivity especially in low density case. The base stations are powerful parties that are distrib-
uted in large geographic area.
Fig. (1): The hybrid ad hoc network architecture
The mobile nodes have limited storage, computing, and energy resources. Each node is regis-
tered with a legitimate operator and stores a unique global identifier, public/private key pair with a
certificate, and the public key of the trusted party. As opposite to [39], the nodes anonymity and
privacy preserving is outside the scope of this work, so each node has one identity during its life-
time. Each node is loaded with a local account counter to estimate its latest credit account stored in
the AC. The local counters alleviate the load of periodically requesting the latest account from the
AC. A node uses its counter to make some local decisions such as its state (cooperative or un-
ge 9 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 10 o
8/13/2019 FESICM
12/37
ForP
eerRev
iewOnly
10 IEEE TRANSACTIONS ON MOBILE COMPUTI
cooperative).
3.2 The Communication Model
The base stations are connected with each other and with the trusted party by a fast backbone
network which may be wired or wireless. The exchanged messages between the mobile nodes and
the trusted party are relayed by the base stations. The nodes can communicate in one of two
modes: pure ad hoc or hybrid. In pure ad hoc mode, the data packets are sent by the source node
and relayed in several hops through the intermediate nodes to the destination node without involv-
ing any infrastructure. In hybrid mode, at least one base station is involved in the communication,
i.e., the packets are relayed from an originator to the base station through multi-hops, then to the
destination base station over the backbone network (if the communicating parties are in different
domains), and finally to the destination node. In order to submit the payment proofs (cheques), the
network nodes are able to communicate with the trusted party at least once during a time interval
which can be in the range of few days.
3.3 Threat and Trust Models
An attacker has a full control on his mobile node, and he can change the nodes operation. At-
tackers can work individually or collude with each other to share information to launch more so-
phisticated attacks. Attackers are rational in the sense that they cheat if the benefit of doing so is
greater than that of honestly following the protocol. These strong assumptions do not exaggerate
the attackers capabilities because the nodes are autonomous and strongly motivated to cheating.
For the base stations, we consider them rational attackers because they are owned by different pro-
viders who are motivated to cheat to increase their accounts and their subscribers accounts. The
trusted party is fully secure; several security measures can be taken to guarantee its security such
as using threshold cryptosystems [40] which do not allow an individual person to perform an op-
eration. For the trust models, all the network nodes fully trust the trusted party to correctly perform
billing and auditing. The trusted party does not trust any entity in the network. The base stations
and users do not trust each other.
Page 10
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 11 o
8/13/2019 FESICM
13/37
8/13/2019 FESICM
14/37
8/13/2019 FESICM
15/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
packets) by attaching its signature to the payment data (PD), session establishment time stamp
(TS), counter to the number of transmitted packets (X), and the hash value of the message. The
signature is an approval from one payer to pay for X packets. It also ensures the message authen-
ticity and integrity, and thwarts free riding, packet replay, packet and payment repudiation, and
impersonation attacks. The source node initiates a new packet series (with a new cheque) when the
route is broken, or N packets have already been transmitted. After transmitting a packet, the sender
turns on a timer waiting for ACK, NACK, or Timeout.
(a) The data packet format
(b) The ACK packet format
Fig. (3): The formats of data and ACK packets
4.1.3 Packet Relaying Phase
Before relaying a packet, an intermediate node verifies the signature to ensure the messages in-
tegrity and authenticity, and to ensure that the payment data and the number of relayed packets are
correct. In case of the first packet in a series (X=1), an intermediate node composes the single ap-
proval cheque (SAC) (which contains payment approval from one payer) as a proof of receiving
the packet. The format of SAC is shown in Fig. (4-a). Storing the hash of the signatures signifi-
cantly reduces the cheque size but with extra overhead on the AC which is powerful party. The
nodes claim the SAC if the packet does not reach the destination node. For the successive packets
in a series (X>1), each node composes aggregated double approval cheque with a single approved
packet (ADAC_S(X)) which contains payment data for (X-1) successfully delivered packets and
one received packet. As shown in Figs. (4-c), the payment approval of the destination node in
ge 13 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 14 o
8/13/2019 FESICM
16/37
ForP
eerRev
iewOnly
14 IEEE TRANSACTIONS ON MOBILE COMPUTI
ADAC_S(X) lags that of the source node by one packet. The evolution of the payment cheques is
shown in Fig. (5).
(a) The SAC format
(b) The DAC format
(c) The ADAC_S format
(d) The ADAC format
Fig. (4): The formats of the payment cheques
4.1.4 Packet Receiving Phase
Upon receiving a packet in a series, the destination node attaches a new hash value from the
hash chain to its acknowledgement (ACK) packet (if it pays for the session). The hash value is an
approval from the second payer to pay for the received packet. The format of the ACK packet is
shwon in Fig. (3-b).
4.1.5 ACK/NACK Relaying Phase
In case of the first ACK in a series, an intermediate node verifies the hash value and upgrades
the single approval cheque (SAC) to double approval cheque (DAC) which is a proof of success-
fully delivering the packet. As shown in Fig. (4-b), the DAC contains payment approval from the
two payers. For ACK for successive packets in the series, the intermediate nodes ensure that the
ADAC-S(X)
PD|TS|X|HS(MX)|HDN(Nonce)|HD
N-X+1(Nonce)|
H( SigS(PD|TS|X|HS(MX)) | SigD(PD|TS| HDN(Nonce)))
DAC
PD |TS|1|HS(M1)| HDN(Nonce)|HD
N-1(Nonce)|
H( SigS(PD|TS|1|HS(M1)) | SigD(PD|TS| HDN(Nonce)))
SAC
PD|TS|1|HS(M1)|HDN(Nonce)|
H( SigS(PD|TS|1|HS(M1)) | SigD(PD|TS|HDN(Nonce)))
ADAC(X)
PD|TS|X|HS(MX)|HDN(Nonce)|HD
N-X(Nonce)|
H( SigS(PD|TS|X|HS(MX)) | SigD(PD|TS| HDN(Nonce)))
Page 14
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 15 o
8/13/2019 FESICM
17/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
hash value HDN-X+1(Nonce) is generated from hashing HD
N-X(Nonce), then they aggregate the pay-
ment by composing the aggregated double approval cheque (ADAC(X)) which contains the latest
hash value (HDN-X
(Nonce)) as a proof to pay for (X) delivered packets. If an intermediate node de-
cides to transit to uncooperative state, it piggybacks a notice in the ACK packet. The source node
re-establishes the route when it receives NACK, the Timeout expires without receiving ACK, or
some intermediate node(s) decided to transit to uncooperative state.
Fig. (5): The evolution of the payment cheques
4.1.6 Cheque Clearing Phase
Since the base stations are involved in the sessions, they submit the cheques to the AC for re-
demption. If a session was broken and the BS does not have the latest cheque, the nodes claim it.
Once the AC receives a cheque, it checks that it has not been deposited before using its unique
identifier (the identities of the payers and payees, and the time stamp), then it verifies the payers
payment approvals (the signatures of the payers, and X hashing operations to get HDN(Nonce) from
HDN-X(Nonce)). The AC clears the cheque by crediting the source and destination nodes with the
listed ratios, and rewarding the relaying nodes. The AC periodically sends clearance confirmation
messages to the nodes, showing the identifiers of the cleared cheques and their updated accounts.
After receiving the messages, the nodes delete the cleared cheques and adjust their local account
counters. If a cheque is not cleared in a certain time, the node can claim it.
ge 15 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 16 o
8/13/2019 FESICM
18/37
ForP
eerRev
iewOnly
16 IEEE TRANSACTIONS ON MOBILE COMPUTI
4.2 FESCIM for Pure Ad Hoc Mode Communication
For pure ad hoc mode, the proposed mechanism for hybrid mode can be used but because the
base stations are not involved in the communication, the intermediate nodes submit the cheques to
the AC. In this section, we discuss and evaluate different techniques to send the cheques to the AC.
In evaluating the performance of the techniques, we consider two metrics: the total number of
transmitted cheques (T), and the required storage space in each node to store the cheques (j). In the
security evaluation, the effect of collusion attack on the number of submitted cheques is consid-
ered. It is obvious as these metrics decrease, as it is better.
4.2.1 One-Trust-Level Cheque Submssion Technique
Every cheque contains complete payment data for all the session nodes, so it is sufficient to sub-
mit it once. For instance, the last intermediate node is responsible to submit all the session cheques
in [31]. This technique is efficient because the cheques are transmitted and stored once. However,
the entire cheque submission load is on one node that may not have the sufficient resources, or this
load may degrade its efficiency. The technique is not secure against collusion attack because if just
one node colludes with the payers, all the cheques are not transmitted. In addition, the cheques that
are stored in one node may be deleted or corrupted accidentally due to a malfunction.
4.2.2 Uncooperative Cheque Submssion Technique
All the intermediate nodes store and transmit the session cheques independently and uncoopera-
tively [30], [33]. The technique is secure against collusion attack because it guarantees that all the
cheques are submitted if at least one node does not collude with the payers. However, the tech-
nique is inefficient because each cheque is stored and transmitted (n-C) times, which exhausts the
network resources. In addition, each node has to store and transmit all the cheques, which con-
sumes its resources. In the following subsections, we propose two novel techniques to submit the
cheques to the AC aiming to balance between the performance and the security.
4.2.3 Deterministic Cheque Submssion Technique
Each intermediate node sends a unique and pre-defined set of cheques (around (i/n)). Node
Page 16
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 17 o
8/13/2019 FESICM
19/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
number (x) on the route sends a set of cheques starting from cheque number [S(x)] to [S(x)+j(x)-
1], where j(x) is the share size (the number of cheques to be sent by node number (x) on the ses-
sion route), and S(x) is the starting cheque number. Equations (1) and (2) can be used to calculate
j(x) and S(x). The used notations in the equations are defined in Table (1). The technique is effi-
cient because each cheque is stored and transmitted once and the cheque submission load is dis-
tributed evenly among the nodes. However, it has two security concerns: (1) colluders know their
profits in advance because each cheque is supposed to be sent by one node, which may be an in-
centive to cheating, and (2) the number of submitted cheques is sensitive to the number of collud-
ers especially at small number of relaying nodes because a nodes share is large.
(1)
Otherwise1x)V(R,]ni
Int[*1)-(x
1xIf1S(x) (2)
where:- R= i % n (% is the remainder),
otherwise0
0yif1I(y)
Rx,0RifR
Rx,0Rif1-xxofRegardless0Rif0
x)V(R,
4.2.4 Probabilistic Cheque Submssion Technique
Each node stores and submits a randomly chosen share (j) of the session cheques. One cheque
may be submitted by more than one node. The technique guarantees with a certain probability that
a minimum number of unrepeated cheques will be submitted. Q denotes an integer random vari-
able (0
8/13/2019 FESICM
20/37
ForP
eerRev
iewOnly
18 IEEE TRANSACTIONS ON MOBILE COMPUTI
submitted cheques by the other nodes, and (2) the honest nodes can take preventive measures (by
increasing (j)) to protect the technique up to a certain number of probable colluders, which is
called adaptive security.
ix
qxx)Pr(Qq)Pr(Q (3)
PR1 Cn
xiPR1 Cn1
x
x
ixQPr (4)
Fig. (6): The effect of PR on the probability of submitting the cheques
Fig. (6) gives the relation between the ratio of transmitted cheques by each node (PR=j/i) and
the probability of submitting at least (q) unrepeated cheques. We assume the number of intermedi-
ate nodes (n) is six, the number of the cheques (i) is 30, and all the nodes do not collude (C=0).
The nodes choose (j) to achieve a certain probability of submitting a minimum number of cheques.
As shown in the figure, it is not worth to choose the operating point at the first region (0%-10%) or
the last region (90%-100%) because the effect of changing PR on the probability is very little.
Therefore, the nodes calculate (j) to guarantee that the probability of sending at least 90% of the
cheques is at least 90%. The figure shows that at least 90% of the cheques can be submitted when
each node sends only 35.2% of the cheques. In addition, when each node submits 40% of the
cheques, at least 95% of the cheques can be submitted. For the un-sent cheques, the nodes can
Page 18
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 19 o
8/13/2019 FESICM
21/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
claim them, or the AC can compensate the nodes, i.e., it can add compensation credits to each
transaction.
In order to investigate the effect of the collusion attack on the number of submitted cheques and
to show how the honest nodes can take preventive measures to protect the technique in advance
(adaptive security), Fig. (7) shows the relation between PR and the probability of submitting at
least 90% of the cheques at different numbers of colluders (C). The relation shows that at PR=0.5,
the technique is immuned up to two colluders because it is guaranteed that the probability of sub-
mitting at least 90% of the cheques is 90%. The security against collusion attack is adaptive be-
cause increasing PR improves the immunity of the technique.
Fig. (7): The effect of collusion attack on cheque submission
4.2.5 Case Study
In order to demonstrate the difference among the cheque submission techniques, we run a case
study to analyze their security and performance. We assume that i=100 and n=10. As shown in Ta-
ble (2), we consider different security levels in the probabilistic technique. A security level (or
immunity level) is defined by the maximum number of colluders that the probability of transmit-
ting at least 90% of the cheques is at least 90%. As shown in the table, one-trust-level technique
achieves the worst protection against collusion attack because for one colluder (at C=1), all the
cheques are not submitted. However, its performance is high because the cheques are stored and
ge 19 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 20 o
8/13/2019 FESICM
22/37
ForP
eerRev
iewOnly
20 IEEE TRANSACTIONS ON MOBILE COMPUTI
transmitted once (T=100) but the submission load is on one node. The uncooperative technique
can provide the highest protection against colluders since up to nine colluders, all the cheques are
submitted but with high overhead cost because the cheques are supposed to be stored and transmit-
ted ten times (T=1000). Deterministic technique has low overhead because the cheques are stored
and transmitted once (j=10). The number of submitted cheques decreases by 10% for each col-
luder. Probabilistic technique can balance between the protection against colluders and the over-
head. Increasing PR enhances the security but with more overhead. For instance, increasing PR
from 0.23 to 0.36 increases the number of submitted cheques from 75 to 90 assuming four collud-
ers but with increasing the storage space per node from 23 to 36 and the total transmitted cheques
from 230 to 360. The results also emphasize that the probabilistic technique is less sensitive to the
colluders. For instance, when the number of colluders increases from 2 to 8 at PR=0.28, the num-
ber of submitted cheques drops from 80 to 20 in the deterministic technique and from 90 to 46 in
the probabilistic technique.
TABLE (2):THE RESULTS OF THE CASE STUDY
5SECURITY ANALYSIS
In this Section, we study the robustness of the proposed mechanism against some common at-
tacks.
Page 20
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 21 o
8/13/2019 FESICM
23/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
5.1 Free Calling (or Riding) Attacks
Attackers launch this kind of attacks to communicate for free or with reduced payment. Two col-
luding intermediate nodes on a legitimate session can manipulate the packets to add their ex-
changed data. If the payers pay only for successfully delivered packets, colluders can claim that
the packet is dropped and then they deliver it secretly. In another scenario, if the intermediate
nodes are unable to verify the payment data, payers can exchange packets which will not be re-
warded for. Attackers may record legitimate packets and reply them in different place and/or time
claiming that they are fresh to establish a session without paying. Our mechanism is secure against
these attacks since the intermediate nodes can detect any addition or modification to the packets
and verify the payment data because of having the hash of the message and the payment data in the
payers signatures. The intermediate nodes can claim the payment if a packet does not reach the
destination node, and attaching time stamp can prevent packet replaying attack. In a subtle attack,
attackers may exploit that the AC clears the cheques with the same identifier once and attempt to
issue cheques with the same identifier for different sessions to pay once for multiple sessions. This
attack can not be launched in our mechanism because a cheques identifier includes the identities
of the nodes on the route and the session establishemnet time. Therefore, even if an attacker estab-
lishes two different sessions at the same time, the cheques identifiers are different because at least
one intermediate node is different. In another attack, since the AC clears only the first received
cheque when multiple copies of the same cheque are submitted, the payers may collude with some
intermediate nodes to reduce their payments. The colluders may submit cheques with less pay-
ments so when the AC receives other copies with the same identifier (but with correct payment), it
discards them. In order to thwart the attack and identify the attackers, the AC should compare the
amount of payment in the cleared cheque with each received copy of the same cheque.
For other collusion attack, the colluding intermediate nodes do not send the cheques to the AC.
In order to evaluate the effectiveness of this attack, we run a simulation to evaluate the effect of the
nodes collusion on the ratio of un-sent cheques in a cell with 100 network nodes. The probability
that a node is honest or colluder has uniformly random distribution. As shown in Fig. (8), the effect
ge 21 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 22 o
8/13/2019 FESICM
24/37
ForP
eerRev
iewOnly
22 IEEE TRANSACTIONS ON MOBILE COMPUTI
of collusion is nearly linear with a weight of 0.01% for each colluding node in the deterministic
technique. The probabilistic technique can improve the ratio of un-sent cheques. For instance,
when 60% of the network nodes collude, colluders can prevent sending 60% of the cheques in the
deterministic technique but they prevent only 41% of the cheques in probabilistic technique with
PR=0.33. In order to prevent submitting a significant ratio of the cheques in probabilistic tech-
nique, an attacker has to collude with a large number of nodes, which may not be reasonable in
civilian applications and scalable network. For example, to prevent sending at least 50% of the
cheques, an attacker has to collude with at least 55 and 68 nodes at PR of 0.23 and 0.33, respec-
tively. Even if an attacker could prevent sending a group of cheques, the nodes can claim them,
and the trusted party can identify the attackers by applying some statistical analysis.
Fig. (8): The effect of the nodes collusion on the ratio of un-sent cheques
5.2 Modification of Payment Data Attacks
A misbehaving node may attempt to compromise the payment data to gain more credits or pay
less. It may try to add its identity and/ora friends identity claiming that they participated in packet
relaying. In a severe attack, an attacker may fabricate a forged cheque to reward himself and his
friends for a session which did not happen. In the proposed mechanism, modifying the payment
data is difficult because it is hard to forge or modify the payers signatures and to compute H DN-
Page 22
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 23 o
8/13/2019 FESICM
25/37
8/13/2019 FESICM
26/37
ForP
eerRev
iewOnly
24 IEEE TRANSACTIONS ON MOBILE COMPUTI
the destination node due to malicious or non-malicious actions. In our mechanism, the trusted
party can detect the attack by applying statistical analysis to infer that some nodes are always
neighbors, and they claim SACs more than the normal rate.
5.7 Dropping Control Packets Attack
Although control packets (such as ACK and NACK) are short, some rational attackers may drop
them to save their resources. In our mechanism, the nodes are fully motivated to forward them to
gain more credits by triggering the source node to generate more packets, and to get their credits
by enabling the base stations to compose and redeem the cheques. By applying statistical analysis,
the trusted party can identify the attackers because the routes are frequently broken at them.
5.8 Credit Depletion Attack
Malicious nodes may launch attacks to deplete the destination nodes credits by sending useless
data or inserting dummy data to increase the payment. The attack may lead to denial of service
(DOS) because the victims having fewer credits do not initiate communication. In our mechanism,
a rational node does not launch this attack because both the sender and receiver pay. The interme-
diate nodes can detect and drop modified packets, and the payers agree on the ratio of payment in
route discovering phase. Colluders can not generate fake cheques to steal credits from a destination
node because its payment approval is needed for each packet. However, colluders can establish a
session and generate SACs (without sending data) to steal credits from the receiver. The destina-
tion node can thwart the attack by denying creating sessions with the nodes that frequently create
incomplete sessions. In addition, statistical tools can be applied to identify the colluders because
they claim SACs more than the normal rate.
5.9 Irrational Attacks
Although the main objective of the mechanism is to protect the network from rational attacks, it
can also thwart some irrational ones. In sleep deprivation attack, attackers send bogus information
to exhaust the resources of the nodes. Attackers can not launch this attack successfully by replay-
ing valid packets due to signing time stamps. External attackers can not launch the attack by send-
Page 24
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 25 o
8/13/2019 FESICM
27/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
ing bogus data because they have to sign their transmitted messgaes. The senders are discouraged
to launch sleep deprivation attack because they pay. In packet dropping attack, an attacker partici-
pates in route discovering phase but it drops the data packets aiming to degrade the network per-
formance. The trusted party can identify the attackers by noticing that their preceding nodes on the
routes claim SACs more than the normal rate. An attacker may compromise mobile nodes to infer
their secret keys to launch irrational attacks under their names. By statistical analysis, the trusted
party can notice that a user has appeared in different locations at the same time.
6EVALUATIONS
In this section, fairness is analyzed and simulation results are discussed to evaluate the feasibil-
ity of the proposed mechanism.
6.1 Fairness Analysis
Fairness is defined as a nodes benefits from the network are proportional to its contributions
[41]. A nodes contribution can be relaying packets generated from other nodes or paying credits,
whereas a nodes benefit can be relaying its packets or gaining credits. Fairness is an important
requirement to stimulate the users to participate in the routing process. Our mechanism can enforce
fairness by rewarding or charging credits to balance between the nodes contributions and benefits.
In the proposed mechanism, the nodes are rewarded for every relayed packet regardless whether it
reaches the destination node or not because the relaying nodes can claim the payment. The nodes
are able to validate the payment data before relaying the packets to make sure that they will be re-
warded. They do not delete the cheques before receiving a clearance confirmation from the ac-
counting center. The payers pay only the deserved credits (not full payment) when a route is bro-
ken. In addition, in route discovering phase, the communicating nodes agree on the payment ratio
which is proportional to their interest from the communication.
6.2 Overhead
Several performance measures have been taken to reduce the overhead cost and to improve the
ge 25 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 26 o
8/13/2019 FESICM
28/37
ForP
eerRev
iewOnly
26 IEEE TRANSACTIONS ON MOBILE COMPUTI
scalability of the proposed mechanism. Our mechanism is scalable because it does not require in-
stantaneous contacting to the AC in each session. Reducing the number and size of the cheques
lessens the required storage, energy, and bandwidth to submit them. A cheque contains complete
payment information for all the session nodes. Therefore, instead of transmitting all the receipts by
all the nodes, they can be transmitted by some. A payment aggregation technique is applied to gen-
erate a cheque for multiple packets instead of generating a cheque per packet. In order to reduce
the ACK packet overhead, the destination nodes signature is replaced with a hash value because
hashing operations are more efficient than signing or verifying operations. The cheque size is very
compact due to storing the hash of the signatures but more overhead is required by the AC to ver-
ify it. This is acceptable because online clearance is not required, and the AC is a powerful party.
Composing a cheque is efficient because it needs only one lightweight hashing operation. The
payment does not suffer from credit depletion or inflation due to adopting balanced payment and
converting credits to real money and reverse.
The proposed mechanism avoids using impractical techniques such as e-coins (which require an
online party to check the coins and permanent storage), and tamper proof devices (which may be
insecure and expensive). Our mechanism does not need extra control packets or executing an auc-
tion in each node to avoid causing bandwidth and latency overheads. With using local credit
counters, the nodes make their decisions locally without frequently contacting the accounting cen-
ter. Converting the credits into real money motivate the rich nodes to continue in cooperative state.
Although symmetric key cryptography is faster and requires less resource, in our application, pub-
lic key cryptography is more appropriate to prevent payers from denying the payment, and to en-
able the relaying nodes to verify the payment data.
6.2.1 Simulation Setup
In the simulation, we consider two popular digital signature algorithms: RSA and DSA. Accord-
ing to NIST guidelines [42], the secure private keys should have at least 1024 bits. For the mes-
sage digest function, we use MD5 [40] with digest length of 16 bytes. In our mechanism, the major
online processing overhead is due to signing and verifying operations to the security and incentive
Page 26
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 27 o
8/13/2019 FESICM
29/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
data. Therefore, in order to estimate the computational processing delays of applying our mecha-
nism, we have implemented a prototype of the mechanism using the Crypto++ library [43]. The
mobile node is a laptop with an Intel processor at 1.6 GHZ and 1 GB Ram. The operating system
of the mobile node is Windows XP. Table (3) gives the CPU processing times of sending (signing)
and forwarding (verifying or hashing) a message. As it is shown, the processing time of the hash
function is much shorter than the signing or verifying times, i.e., replacing the signatures with
hash values in the ACK packets is efficient. A concern in using DSA in multi-hops networks is that
the verifying operations performed by the intermediate and destination nodes need more delays
than the signing operations performed by the sender. The RSA signature generation is computa-
tionally intensive but the signature verification time is shorter. DSA and RSA generate signature
tags of 320 and 1024 bits, respectively. A concern in using RSA is its longer signature size. The
resources of the real mobile nodes may be less than a laptop, so in the simulations (in next subsec-
tions), the results in Table (3) are scaled by factor of five to estimate a limited-resource node.
TABLE (3):PROCESSING TIMES FOR CRYPTOGRAPHIC PRIMITIVES
Network simulator NS2 (version 2.27) is used to implement a version from the proposed
mechanism and Sprite [30] as an example to a mechanism which generates a cheque per packet.
We simulate a hybrid ad hoc network in a square cell of 800800 square meters. 35 mobile nodes
are randomly deployed, and a fixed base station is located at the center of the cell. We use the Dis-
tributed Coordination Function (DCF) of IEEE 802.11 as the medium access control (MAC) layer
protocol, and dynamic source routing (DSR) as the routing protocol. The radio transmission ranges
for a node and the base station are 250 meters, and the transmission data rate is 2 Mbits/s. To
stimulate the node movements, the random waypoint model is used with speed and pause time uni-
formly distributed in the ranges [0-10] m/s and [0-100] sec, respectively. Constant bit rate (CBR)
traffic source is implemented in each node as an application layer. The source and destination pairs
ge 27 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 28 o
8/13/2019 FESICM
30/37
ForP
eerRev
iewOnly
28 IEEE TRANSACTIONS ON MOBILE COMPUTI
are randomly selected. All data packets are 512 bytes and sent at speed of 2 packets/sec. For sim-
plicity, we assume that all the nodes are cooperative, and the relaying price is one credit per
packet. Each simulation is executed for 15 simulated minutes, and each data point represents an
average of twenty runs with identical traffic models but differently generated mobility scenarios. A
summary for the simulation scenario is given in Table (4).
TABLE (4):SIMULATION PARAMETERS
6.2.2 Simulation Results
A. Average Storage Area
For networks with limited-resource nodes, the mechanism should require small storage area. In
FESCIM, each node stores cryptographic information and the payment cheques. The concern issue
is the required area to store the cheques because each node has to store them until it receives a con-
firmation of clearance. Table (5) gives the expected cheque size in Sprite and FESCIM using dif-
ferent cryptosystems. In FESCIM, a cheque size does not depend on the used cryptosystem, and it
needs less storage area due to hashing the signature. The aggregated cheques (ADAC(X) and
ADAC-S(X)) have fixed sizes regardless of the number of relayed packets (X), but each packet
requires a receipt in Sprite. In FESCIM, 1MB can store up to 9,157 aggregated cheques, but in
Sprite, the same area can store up to 4,628 and 7,569 receipts using RSA and DSA, respectively.
In order to evaluate the effectiveness of the payment aggregation technique, Table (6) gives the
Page 28
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 29 o
8/13/2019 FESICM
31/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
expected number of generated cheques in all the intermediate nodes in Sprite and FESCIM for a
session at different packet transmission rates. The source and detination pair is uniformaly chosen
and the session is held for 300 seconds. The table shows that in Sprite, the number of cheques is
much larger, and it significantly increases with the increase of the packet transmission rate. The
FESCIM can significantly reduce the number of generated cheques. More cheques are generated at
higher mobility because the routes are more frequently broken. Fewer cheques can be generated
with the increase of the size of the hash chain (N) because a cheque can aggregate payment for
more packets but more memory space and CPU cycles are needed to store and calculate the chain.
In the optimal case, one cheque is generated for a session. However, because it is difficult to esti-
mate the number of packets in a session in advance, the unused hash values in a chain are lost be-
cause it is insecure to use them in other sessions. The table shows that increasing N above 30 can
not reduce the number of the cheques significantly. Consequently, properly choosing the size of the
hash chain can optimize the number of cheques and also save the nodes resources. The FESCIM
does not suffer from storage problem because the cheques are compact, temporarily stored, and
few.
TABLE (5):AVERAGE CHEQUE SIZE
TABLE (6):THE AVERAGE NUMBER OF GENERATED CHEQUES
B. Packet End-to-End Delay
It is the average time interval between the data packet generation and the time when the last bit
ge 29 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 30 o
8/13/2019 FESICM
32/37
ForP
eerRev
iewOnly
30 IEEE TRANSACTIONS ON MOBILE COMPUTI
arrives at the destination. Fig. (9) shows the average end to end delay as a function of the number
of connections in Sprite and FESCIM. Up to 20 connections, the delay is mainly due to the signing
and verifying operations but for larger number of connections, the delay dramatically increases
(with or without implementing the cooperation incentive mechanism) because the channel conten-
tion and queuing delays dominate. There is no sensible delay difference between Sprite and
FESCIM because the additional hashing operation needed in each ACK packet in FESCIM is free
computationally (50s per operation), i.e., using the hash chain to aggregate the payment almost
does not have effect on the delay. Although DSA has much shorter signature tag than RSA, it
causes more delay because the verifying time (in the intermediate nodes) is longer. The end to end
delay can be significantly improved by using a delayed verification, i.e., a node forwards the
packet first then it verifies the payment.
Fig. (9): The end to end delay in Sprite and FESCIM
C. Network Throughput
The average network throughput gives the fraction of the channel capacity used for useful
transmission. It is computed by dividing the size of the received data by all the nodes over the
simulation time. Fig. (10) shows the average throughput as a function of the number of connec-
tions. Increasing the number of connections increases the network throughput but the increasing
rate starts to decrease above 20 connections because the network starts to enter its maximum ca-
pacity. There is little improvement by using RSA over DSA because congestions occur more likely
in longer processing delays in the intermediate nodes, and no difference between Sprite and
Page 30
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 31 o
8/13/2019 FESICM
33/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
FESCIM because the extra hashing operation in FESCIM has little effect on the processing delay.
Fig. (10): The throughput in Sprite and FESCIM
D. Data Packet Delivery Ratio (PDR)
It is the average ratio of the data packets successfully delivered to the destination nodes with re-
spect to those generated by the sources. Fig. (11) shows the average packet delivery ratio (PDR) as
a function of the number of connections. The percentage of packets correctly delivered is quite
high (above 99%) for up to 20 connections. Over 20 connections, the PDR decreases because the
congestions are more likely to occur. We can observe little improvement by using RSA over DSA
because congestions are more likely to take place in DSA due to its longer processing delay. The
extra lightweight hashing operation needed in FESCEM does not have effect on the PDR.
Fig. (11): The Packet Delivery Ratio in Sprite and FESCIM
ge 31 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 32 o
8/13/2019 FESICM
34/37
8/13/2019 FESICM
35/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
cheque size is reduced with storing the hash of the payers signatures. A hash chain is used to effi-
ciently integrate the incentive mechanism in the routing protocol. In order to protect the payment
from collusion attacks, secure and efficient techniques have been proposed to submit the cheques
to the accounting center for redemption. Extensive evaluation demonstrates that the mechanism is
robust against rational and colluding attacks, and it can reward the nodes proportionally to their
contributions. Overhead evaluation shows that the mechanism can significantly reduce the number
of cheques, and can be implemented efficiently. In this work, on-demand routing protocol has been
used to enable the payers (the source and destination nodes) to know the identities of the payees
(the intermediate nodes) to issue the payment cheques. In some wireless networks, such as Delay
Tolerant Networks (DTN), the source node may not be able to know the identities of the relaying
nodes before sending a packet. Therefore, in our future work, we are going to extend this work to
consider these networks.
REFERENCES[1] Y. Lin and Y. Hsu, Multihop Cellular: A New Architecture for Wireless Communications, Proc. of IEEE IN-
FOCOM00, Vol. 3, pp. 1273---1282, March 26-30, 2000.[2] X. Li, B. Seet, and P. Chong, Multihop Cellular Networks: Technology and Economics, Computer Networks,
Vol. 52, No. 9, pp. 1825---1837, June 2008.
[3] C. Gomes and J. Galtier, Optimal and Fair Transmission Rate Allocation Problem in Multi-hop Cellular Net-works, Lecture Notes in Computer Science, Springer Berlin/Heidelberg, Vol. 5793, pp. 327-340, August 29,2009.
[4] Y. Tam, S. Akl, and H. Hassanein, Resource Managemnet in Multi-hop Cellular Networks, PhD Thesis,Queens University, Kingston, Ontario, Canada, January 2009.
[5] G. Shen, J. Liu, D. Wang, J. Wang, and S. Jin,Multi-Hop Relay for Next-Generation Wireless Access Net-works, Bell Labs Technical Journal, Vol. 13, No. 4, pp. 175-193, 2009.
[6] F. Hossain and H. Chowdhury, Impact of Mobile Relays on Throughput and Delays in Multihop Cellular Net-work, Proc. of IEEE International Conference on Wireless and Mobile Communications (ICWMC08), pp. 304-308, Athens, Greece, July 27-August 1, 2008.
[7] R. Schoenen, R. Halfmann, and B. Walke, MAC Performance of a 3GPP-LTE Multihop Cellular Network,Proc. of IEEE International Conference on Communications (ICC08), pp. 4819---4824, Beijing, China, May 19-23, 2008.
[8] 3rd Generation Partnership Project, Technical Specification Group Radio Access Network, Opportunity Driven
Multiple Access, 3G Technical Reort 25.924, version 1.0.0, December 1999.[9] S. Marti, T. Giuli, K. Lai, and M. Baker, Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, Proc.
of ACM International Conference on Mobile Computing and Networking (MobiCom00), pp. 255---265, Boston,Massachusetts, USA, August 6-11, 2000.
[10]P. Michiardi and R. Molva, Simulation-Based Analysis of Security Exposures in Mobile Ad Hoc Networks,Proc. of European Wireless Conference, Florence, Italy, February 25---28, 2002.
[11]J. Hu, Cooperation in Mobile Ad Hoc Networks, Technical report (TR-050111), Computer Science Depart-ment, Florida State University, Tallahassee, January 2005.
ge 33 of 35
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 34 o
8/13/2019 FESICM
36/37
ForP
eerRev
iewOnly
34 IEEE TRANSACTIONS ON MOBILE COMPUTI
[12]G. Marias, P. Georgiadis, D. Flitzanis, and K. Mandalas, Cooperation Enforcement Schemes for MANETs: ASurvey, Wiley's Journal of Wireless Communications and Mobile Computing, Vol. 6, Issue 3, pp. 319---332,2006.
[13]C. Song and Q. Zhang, OMH-----Suppressing Selfish Behavior in Ad hoc Networks with One More Hop,Mobile Networks and Applications, Springer Netherlands, Vol. 14, No. 2, pp. 178-187, February 2009.
[14]Y. Ho, A. Ho, K. Hua, and F. Xie, Cooperation Enforcement in a Highly Dynamic Mobile Ad Hoc Network,Journal of Universal Computer Science, Vol. 15, No. 5, pp. 1090-1118, 2009.
[15]D. Djenouri and N. Badache, On Eliminating Packet Droppers in MANET: A Modular Solution, Elsevier AdHoc Networks, Vol. 7, Issue 6, pp. 1243-1258, August 2009.
[16]G. Bella, G Costantino, and S. Riccobene, Evaluating the Device Reputation Through Full Observation inMANETs, Journal of Information Assurance and Security, Vol. 4, Issue 5, pp. 458-465, March 2009.
[17]L. Feeney, An Energy-Consumption Model for Performance Analysis of Routing Protocols for Mobile Ad HocNetworks, Mobile Networks and Applications, Vol. 3, No. 6, pp. 239---249, 2001.
[18]L. Buttyan and J. Hubaux, Nuglets: A Virtual Currency to Stimulate Cooperation in Self Organized Ad HocNetworks, Technical Report DSC/2001/001, Swiss Federal Institute of Technology, Lausanne, January 2001.
[19]L. Buttyan and J. Hubaux, Enforcing Service Availability in Mobile Ad-hoc WANs, Proc. of the 1stIEEE/ACM international symposium on Mobile Ad Hoc Networking and Computing (MobiHOC00), pp. 87-96,Boston, Massachusetts, August 11, 2000.
[20]L. Buttyan and J. Hubaux, Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks, MobileNetworks and Applications, Vol. 8, No. 5, pp. 579-592, October, 2004.
[21]A. Weyland, T. Staub, and T. Braun, Comparison of Motivation-Based Cooperation Mechanisms for Hybrid
Wireless Networks, Journal of Computer Communications, Vol. 29, pp. 2661---2670, 2006.[22]A. Weyland and T. Braun, Cooperation and Accounting Strategy for Multi-Hop Cellular Networks, Proc. of
IEEE Local and Metropolitan Area Networks (LANMAN04), pp. 193-198, Mill Valley, CA, USA, April 25-28,2004.
[23]A. Weyland and T. Braun, Cashnet - Cooperation and Accounting Strategy for Hybrid Networks, Proc. ofIEEE International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks(WiOpt04), Cambrigde, UK, March 24-26, 2004.
[24]A. Weyland, T. Staub, and T. Braun, Liveliness Evaluation of a Cooperation and Accounting Strategy in HybridNetwork, Proc. of Workshop on Applications and Services in Wireless Networks (ASWN04), Boston, Massa-chusetts, USA, August, 2004.
[25]Y. Zhang, W. Lou, and Y. Fang, SIP: A Secure Incentive Protocol against Selfishness in Mobile Ad Hoc Net-works, Proc. of IEEE Wireless Communication and Networking Conference (WCNC04), pp. 1679-1684, At-lanta, Georgia, USA, March 21-25, 2004.
[26]Y. Zhang, W. Lou, and Y. Fang, A Secure Incentive Protocol for Mobile Ad Hoc Networks, ACM WirelessNetworks, Vol. 13, No. 5, pp. 569-582, October, 2007.[27]M. Jakobsson, J. Hubaux, and L. Buttyan, A Micro-Payment Scheme Encouraging Collaboration in Multi-hop
Cellular Networks, Proc. of the 7th Financial Cryptography (FC'03), pp. 15---33, La Guadeloupe, January 2003.[28]M. Jakobsson and L. Yang, Quantifying Security in Hybrid Cellular Networks, ACNS Springer-Verlag Ber-
lin/Heidelberg, Vol. 3531, pp. 350---363, May 2005.[29]G. Avoine, Fraud within Asymmetric Multi-Hop Cellular Networks, Proc. of Financial Cryptography (FC05),
Vol. 3570, pp. 1---15, Roseau, The Commonwealth of Dominica, February 28-March 3, 2005.[30]S. Zhong, J. Chen, and R. Yang, Sprite: A Simple, Cheat-Proof, Credit Based System for Mobile Ad-Hoc Net-
works, Proc. of Annual Joint Conference of the IEEE Computer and Communications Societies (INFO-COM03), Vol. 3, pp. 1987-1997, San Francisco, CA, March 30-April 3, 2003.
[31]B. Lamparter, K. Paul, and D. Westhoff, Charging Support for Ad Hoc Stub Networks, Journal of ComputerCommunications, Vol. 26, No. 13, pp. 1504---1514, 2003.
[32]N. Salem, L. Buttyan, J. Hubaux, and M. Jakobsson, A Charging and Rewarding Scheme for Packet Forwarding
in Multi-hop Cellular Networks, Proc. of ACM International Symposium on Mobile Ad Hoc Networking andComputing (MobiHoc03), Annapolis, USA, June 2003.
[33]N. Salem, L. Buttyan, J. Hubaux, and M. Jakobsson, Node Cooperation in Hybrid Ad Hoc Networks, IEEETransactions on Mobile Computing, Vol. 5, No. 4, April 2006.
[34]N. Salem, L. Buttyan, J. Hubaux, and M. Jakobsson, Cooperation in Multi-hop Cellular Networks with Ex-tended Security Analysis, Proc. of ACM International Symposium on Mobile Ad Hoc Networking and Comput-ing (MobiHoc03), Annapolis, MD, USA, June 1-3, 2003.
[35]J. Pan, L. Cai, X. Shen, and J. Mark, Identity-Based Secure Collaboration in Wireless Ad Hoc Networks,Computer Networks (Elsevier), Vol. 51, No. 3, pp. 853-865, 2007.
Page 34
http://mc.manuscriptcentral.com/tmc-cs
Transactions on Mobile Computing
Downloaded from engine.lib.uwaterloo.ca on 7 January 2014 Page 35 o
8/13/2019 FESICM
37/37
ForP
eerRev
iewOnly
M. MAHMOUD: FESCIM: FAIR, EFFICIENT, AND SECURE COOPERATION INCENTIVE MECHANISM FOR HYBRID AD HOC NETWORKS
[36]C. Bassem and A. Bestavros,CSR: Constrained Selfish Routing in Ad-Hoc Networks, Lecture Notes in Com-puter Science, Springer Berlin/ Heidelberg, Vol. 5682, pp. 179-189, 2009.
[37]J. Lee, W. Liao, and M. Chen, An Incentive-based Fairness Mechanism for Multi-hop Wireless Backhaul Net-works with Selfish Nodes, IEEE Transactions on Wireless Communications, Vol. 7, No. 2, pp. 697---704, Febru-ary 2008.
[38]H. Janzadeh, K. Fayazbakhsh, M. Dehghan, and M. Fallah, A Secure Credit-based Cooperation StimulatingMechanism for MANETs Using Hash Chains, Future Generation Computer Systems, Vol. 25, Issue 8, Septem-
ber 2009.[39]M. Mahmoud and X. Shen, Anonymous and Authenticated Routing in Multi-Hop Cellular Networks, Proc. of
IEEE ICC09, Dresden, Germany, June 14-18, 2009.[40]A. Menzies, P. Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press,
http://www.cacr.math.uwaterloo.ca/hac, Boca Raton, Fla., 1996.[41]A. Mok, B. Mistry, E. Chung, and B. Li, FAIR: Fee Arbitrated Incentive Architecture in Wireless Ad Hoc Net-
works, Proc. of 10th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'04), pp.38-47, Toronto, Canada, May 25-28, 2004.
[42]National Institute of Standards and Technology (NIST), Recommendation for Key Management - Part 1: Gen-eral (Revised), Special Publication 800-57 200, 2007.
[43]W. Dai, Crypto++ Library 5.6.0, http://www.cryptopp.com, 2009.[44]G. Pottie and W. Kaiser,Wireless Integrated Sensor Networks, Communications of the ACM, Vol. 43, Isuue 5,
pp. 51-58, May 2000.[45]N. Potlapally, S. Ravi, A. Raghunathan, and N. Jha, A Study of the Energy Consumption Characteristics of
Cryptographic Algorithms and Security Protocols, IEEE Transactions on Mobile Computing, Vol. 5, No. 2, pp.128-143, March-April 2006.
Mohamed Elsalih Mahmoud received the B.Sc. (1998) degree with honor degree and the M.Sc. (2003) fromBanha university (Egypt), both in electrical communications engineering. He got the best paper award inCommunication and Information Systems Security Symposium in International Conference on Communications(ICC09), Dresden, Germany, 14-18 June, 2009. He also got the University of Waterloo Graduate Scholarshipaward four times. He is currently working toward his Ph.D. degree in the Department of Electrical and ComputerEngineering at the University of Waterloo, Ontario, Canada, where he is working with the Broadband Com-
munications Research (BBCR) Group. His research interest includes wireless network security, privacy in hybridad hoc networks, and cooperation incentive mechanisms in multi-hop wireless networks.
Xuemin (Sherman) Shen received the B.Sc.(1982) degree from Dalian Maritime University (China) and theM.Sc. (1987) and Ph.D. degrees (1990) from Rutgers University, New Jersey (USA), all in electrical engineer-ing. He is a Professor and University Research Chair, Department of Electrical and Computer Engineering,University of Waterloo, Canada. Dr. Shens research focuses on mobility and resource management in inter-connected wireless/wired networks, UWB wireless communications networks, wireless network security, wire-less body area networks and vehicular ad hoc and sensor networks. He is a co-author of three books, and haspublished more than 400 papers and book chapters in wireless communications and networks, control andfiltering. Dr. Shen served as the Tutorial Chair for IEEE ICC08, the Technical Program Committee Chair forIEEE Globecom07, the General Co-Chair for Chinacom07 and QShine06, the Founding Chair for IEEE Com-munications Society Technical Committee on P2P Communications and Networking. He also serves as aFounding Area Editor for IEEE Transactions on Wireless Communications; Editor-in-Chief for Peer-to-Peer
Networking and Application; Associate Editor for IEEE Transactions on Vehicular Technology; KICS/IEEE Journal of Communications
and Networks, Computer Networks; ACM/Wireless Networks; and Wireless Communications and Mobile Computing (Wiley), etc. Hehas also served as Guest Editor for IEEE JSAC, IEEE Wireless Communications, IEEE Communications Magazine, and ACM MobileNetworks and Applications, etc. Dr. Shen received the Excellent Graduate Supervision Award in 2006, and the Outstanding Perform-ance Award in 2004 and 2008 from the University of Waterloo, the Premiers Research Excellence Award (PREA) in 2003 from theProvince of Ontario, Canada, and the Distinguished Performance Award in 2002 and 2007 from the Faculty of Engineering, Universityof Waterloo. Dr. Shen is a registered Professional Engineer of Ontario, Canada, and a Distinguished Lecturer of IEEE CommunicationsSociety.
ge 35 of 35 Transactions on Mobile Computing