A Security and Efficient Routing Scheme with Misbehavior Detection in Delay-Tolerant Networks

. Due to the unique network characteristics, the security and efficient routing in DTNs are considered as two great challenges. In this paper, we design a security and efficient routing scheme, called SER, which integrates the routing decision and the attacks detection mechanisms. In SERscheme, each DTNs nodelocally maintains a one-dimensional vector table to record thesummary information about the contact with other nodes and the trust degree of other nodes. To obtain the global status and the contact relationship among all nodes, the trusted routing table consisting of vectors of all nodes is built in each DTNs node. The method for detecting malicious nodes and selfish nodes is proposed, which exploits the global summary information to analyze the history forwarding behavior of node and judge whether it is a malicious node or selfish node. The routing decision method is proposed based on trust degree of forwarding messages between nodes, which adopts trust degree as relay node selection strategy. Simulation results show that compared with existing schemes SER scheme could detect the attacks behavior of malicious nodes and selfish nodes, at the same time, with higher delivery rate and lower average delivery delay.


Introduction
Delay-tolerant networks (DTNs) refer to a new form of selforganizing networks that is envisioned to support communication in case of failure or no preexisting infrastructure, such as interplanetary communication networks in space areas, high-speed vehicular networks that disseminate the city traffic information, and sensor networks in extreme environment [1,2].Different from the traditional wireless networks, DTNs are the challenging networks characterized by open medium, long delay and frequent disruption, and lack of fixed and guaranteed end-to-end communication links [3].DTNs make use of the store-carry-and-forward strategy to forward the message packets (also named bundle) when two nodes appear with contact opportunity.This routing strategy requires that each node in DTNs can cooperate with other nodes and is willing to help with forwarding.
However, DTNs are threatened by various attacks, because some nodes will behave selfishly and may not be willing to help others forward messages in order to conserve their limited resources (e.g., power and buffer), and even some nodes controlled by adversary will behave maliciously and may launch black hole, grey hole, or DoS attacks against the networks by dropping all or part of the received message packets, maliciously tampering message packets, or producing an enormous number of fake message packets [4][5][6][7].The recent researches show that these selfish or malicious nodes would significantly degrade the routing performance of DTNs, resulting in low delivery rate and poor forwarding efficiency of messages and high average delivery delay.Due to the lack of continuous path and centralized management in DTNs, the detection of these attacks is more difficult.Therefore, how to effectively resolve the selfishness problem and defense against attacks of malicious nodes, improving the routing performance, has become a very challenging issue to design security and efficient routing protocol that combines defense technique.

Security and Communication Networks
The purpose of routing in DTNs is to select the proper relay nodes to forward messages and improve the routing performance.Most of the existing routing protocols use historical encounter information or social relations as the decision of predicting relay nodes, which can effectively forward the message to the destination node.However, these routing schemes are inefficient in the DTNs environment with malicious or selfish nodes.To mitigate the impact of selfish or malicious nodes on DTNs, some detection attacks schemes are proposed in [3,6,7], which make use of the history forwarding evidences and encounter records of each node to analyze its forwarding behavior.However, these detection schemes are independent of specific routing protocols and require more computing capability, network bandwidth, and storage resources to work well.Due to the limited resources (e.g., power, buffer, and bandwidth) and intermittent connectivity in DTNs, we need an efficient routing scheme with misbehavior detection, which could not only improve the routing performance, but also detect malicious nodes and selfish nodes effectively.
In this paper, we propose a security and efficient routing scheme (SER) to improve message forwarding performance and detect malicious attacks.Different from existing routing schemes and malicious attacks detection schemes that work independently, respectively, we integrate the routing decision and attacks detection mechanisms into the trusted routing table.In SER scheme, each DTNs node maintains a onedimensional vector to record the summary information about the contact with other nodes.The summary information includes the encounter history evidences with other nodes, the evidences of messages of sending to or receiving from other nodes, and trust degree that represents the ability of other nodes to forward messages to it.To form a global view and obtain the contact relationship among all nodes, SER introduces the trusted routing table that consists of vector of each node.In the initial phase, the trusted routing table of each node has only its own vector; when the two nodes meet, they would exchange the trusted routing table with each other and update it by comparing with the received trusted routing table.Therefore, each node could obtain a global view of the previous network connectivity from its trusted routing table.Based on the trusted routing table, we design the routing decision method and malicious attacks detection mechanisms.The main contributions of this paper include the following three parts.
First, we introduce in detail the method of generating and updating the trusted routing table.The proposed method could not only ensure the security and reliability of trusted routing table, but also make the trusted routing table converge quickly to global consistency.
Second, to accurately evaluate the trust degree of the node, we propose a method of forwarding evidence collection based on layered coin model and digital signature mechanism.The forwarding evidences signed by nodes are bound dynamically on message during the relay processes, and the message carries evidences chain to the destination node.The proposed forwarding evidences collection method greatly improves the timeliness and reliability of the evidences collection and effectively reduces the network overhead.
Third, we propose a routing decision method based on trust degree, which could deliver messages to the destination node along the direction of trust gradient increment and improve effectively routing performance of DTNs.Moreover, the malicious attacks detection method is proposed based on the history evidences of trusted routing table, which could detect selfish nodes and malicious nodes effectively.
The remainder of this paper is organized as follows: In Section 2, we present the system model and design goals and some attacker models.In Section 3, we explained in detail the implementation of SER scheme.In Section 4, simulation results and analysis of SER are introduced.Section 5 highlights related work.Finally, we summarize the conclusions of our works in Section 6.

System Model and Design Goals
2.1.System Model.In this paper, we adopt the system model similar to the literature [13,14].We consider DTN with no trusted authorization center, which is different from [7] in that it exists with a periodically available TA (trusted authority).Each node is equipped with a wireless communication device to communicate with its one-hop neighbor node when the two nodes contact with each other.Each node has a unique ID identifier   and the corresponding public/private key pair   /  that is allocated when it first joins the DTNs.When two nodes first encounter, they would exchange their public key certificate.After a period of time, each node in DTNs may obtain public key certificates of the other nodes.We assume that each node is equipped with an independent capacity-limited buffer   to store message packets to be forwarded.Each message consists of message header and message content; message header contains a unique message ID   , source node ID, destination node ID, and timestamp  that indicates the time of message generation, finite time to live (TTL), maximum number of copies nc, and the signature information to verify the validity of the message, and message content is encrypted by the public key of the destination node.We assume that all nodes in DTNs are loosely synchronized on the local clock.
We adopt the multicopy message forwarding strategy that allows a message to be copied many times; each time only a copy of the message is forwarded to the next relay node, the max number of messages allowed to be copied is set in the header field of the message.The source node sends a message to the destination node via a sequence of intermediate nodes in a multihop manner.When two nodes contact each other, we would detect the behavior of the encounter node and select the most proper next-hop node as a relay node for each message according to the process of Figure 1.If any one copy of the message is delivered to the destination node, the destination node sends an ACK message packet to the network to indicate that the message has been received.The relay node automatically deletes the message from the buffer when the time to live (TTL) of message is in the end or when it received an ACK message from the destination node.When the node generates a new message or receives a message copy from last hop nodes, it first detects whether the remaining buffer space meets the storage requirements.If the remaining Figure 1: A flowchart for SER scheme execution.
buffer space is too small, it will sort the messages according to their TTL and delete the message that its TTL is longest.

Attacker Model.
According to the damage degree of the malicious nodes to the networks, we define two types of attackers as follows.
Definition 1 (selfish attacker).A selfish attacker is a node that often arbitrarily refuses the forwarding message request of the well-behaving nodes, to save the energy, buffer, or computing resources.But selfish attackers may decide to forward the message if they have a good relationship with the source node, the destination node, or last hop relay node.This type of attack is launched by selfish users that only want to profit from network and are not willing to help other users to forward messages.
Definition 2 (malicious attacker).A malicious attacker is a node that often uses the vulnerability of routing scheme to disguise as a relay node to receive a large number of messages from its encounter nodes, then maliciously drops these messages from its buffer, and does not forward these messages to the next-hop node.This type of attack is launched by adversary that wants to degrade or destroy the routing of DTNs.

Design Goals.
Our goals are to design a secure and reliable opportunistic routing protocol that can not only improve the performance of the network, but also effectively restrain the malicious behavior of selfish or malicious node.The specific objectives are as follows.
(1) Improving the Routing Performance of DTNs.The proposed routing scheme should be able to improve the network performance effectively compared with the existing message forwarding methods, that is, higher delivery rate and lower average delivery delay.
(2) Resistance to Malicious and Selfish Attacks.The proposed detection scheme should be able to resist the attacks of malicious and selfish nodes in DTNs.In the process of message delivery, the relay nodes using this scheme could distinguish the malicious nodes and well-behaving nodes and select well-behaving node as the next-hop relay node.
(3) Robustness.The proposed routing scheme should be secure and robust.The formation and evaluation method of node trust degree should be able to resist the attack of malicious nodes.The trusted routing table should not be deleted and modified by malicious nodes.

Security and Efficient Routing Scheme
Based on Trusted Routing Table   0 ,  1 ,  2 ,  3 often forward messages to node   , those nodes would be the best relay nodes when a node delivers a message to node   .Moreover, due to the intermittent connectivity of DTNs, only the destination node could know which nodes have successfully participated in delivering message to it.Therefore, the destination node could reward and evaluate these nodes by using trust mechanisms.This means that the more trusted nodes have higher probability of delivering the message to the destination node.Based on the above observation, we design a security and efficient routing scheme based on trust mechanism.In our scheme, each DTNs node maintains a trusted routing table (TRT), TRT is  ×  two-dimensional matrix, as shown in (1), and  denotes the number of nodes in DTNs.The tuple   = ⟨ *  ,   ⟩ generated by node   records the summary information about node   based on the encounter histories and message forwarding histories, where  *  =   ,   ,   , sig  , sig  refers to the encounter evidences, receiving and sending messages evidences between node   and node   ,   denotes the number of encounters between node   and node   ,   and   denote the number of messages that node   receives from and sends to node   respectively, and sig  , sig  refer to the signature generated by node   and node   respectively.We will use   ,   ,   to detect malicious nodes and selfish nodes.  denotes the trust value of node   evaluated by node   based on history message forwarding evidences, which is a real number in the range of [0, 1]; the value of   denotes the ability of node   to deliver the message to node   .The larger the trust value   , the stronger the ability to deliver message to node   .We will use   as routing strategy to determine the proper nexthop relay node.
The row vector of matrix   = ( 1 ,  2 ,  3 , . . .,   ) represents the summary information that the node   reports about other nodes.The node   is responsible for maintaining and updating the vector   and periodically updates the latest   in trusted routing table.The column vector  *  = ( 1 ,  2 ,  3 , . . .,   )  represents the summary information that the other nodes report about node   .We can obtain the belief of whether the node   is malicious or selfish from the column vector Therefore, in the routing scheme based on TRT, the relay nodes can determine whether the encountered node is the proper next-hop relay node of the message by using row vector of destination node in the trusted routing table (TRT).The node can determine whether the encounter node is a malicious node or selfish node by using the column vector of encounter node in the trusted routing table.
In Figure 3, we illustrate the message forwarding process based on TRT.Suppose that the node  1 carries the message  to the destination node  6 , when node  1 meets node  2 , it first looks up the row vector of node  2 from TRT to get  61 ,  62 ; if  62 >  61 indicates that the ability of node  2 to carry messages  to destination node  6 is greater than that of node  1 , node  2 is more proper nexthop relay node; therefore node  1 forwards message  to node  2 .Otherwise, node  1 continues to carry message  until the destination node is encountered or the next-hop is more reliable.In our scheme, the trust degree of node that it meets is greater than itself as the next-hop relay node.So, the message can be delivered to the destination along the direction of trust gradient increment.

Collecting Forwarding Evidences.
To obtain timely and reliably the forwarding evidences of intermediate nodes, we adopt Captive-Carry mechanism to collect forwarding evidence information.In the message forwarding process, some forwarding evidences information that can prove which nodes have participated in forwarding message is bound dynamically into message body, carried to the destination node together with the message.After receiving the message, the destination node can obtain a list of intermediate nodes from the forwarding evidence information of message body and validate their authenticity and then reward these intermediate nodes according to the defined evaluation strategy.
To guarantee the security and authenticity of the forwarding evidences and prevent malicious nodes from tampering message and adding fake forwarding evidences, in the implementation, we adopt the layered coin model in the literature [15] to achieve Captive-Carry mechanism and message packet format.A typical layered coin model usually consists of a base layer formed by the source node and multiple endorsed layers formed by the intermediate nodes.If an intermediate node forwards the message to the next-hop relay node, it fists forms an endorsed layer on message and then adds signature information as evidence to the endorsed layer.Figure 3 shows an example of message architecture based on layered coin model; the base layer of message is composed of message header, message content, and endorsed layer 0 formed by the source node, and message header contains six fields: mid,  0 ,   , , TTL, nc refer to the identifier of the message, the identifier of the source node, the identifier of the destination node, the timestamp of message created, the time to live, and the max copy number of message, respectively.The message content is only composed of encrypted data; when the source node  0 wants to send a message to the destination node   with the public key pk  , node  0 uses the public key pk  to encrypt the real network data into to achieve confidentiality, where  denotes real network data and ( * ) is a hash function of message properties  0 , ,   and network data  to validate message content.
The endorsed layer is formed dynamically by the intermediate node when it wants to forward the message to the next-hop relay node.In Figure 4, for example, when the source node  0 encounters node  1 at timestamp ts 0 and has determined that node  1 is a proper next-hop relay node, node  0 creates an endorsed layer 0 that contains four fields: sig 0 ,  1 , ts 0 , sig 1 , where sig 0 = SIG sk 0 ( 0 | mid) is its signature over the message identifier mid and node identifier  0 using its corresponding private key sk 0 ,  1 is the identifier of the next-hop relay node, ts 0 is a timestamp indicating the time of message forwarding, sig ) is the signature of node  1 over the content   ( 0 | ts 0 |  1 ) using its corresponding private key sk 1 , and   ( * ) is a hash function for generating summary of  0 | ts 0 |  1 .These four fields used as the forwarding evidence proved that node  0 has forwarded a message to node  1 at timestamp ts 0 , and the signature sig 1 can prove that node  1 is willing to receive the message from node  0 at timestamp ts 0 .Other endorsed layers created by relay nodes only include the identifier of the forwarding nodes, timestamp of message forwarding, the identifier of the receiving node, and the signature of the receiving node; for example, in Figure 4, endorsed layer 1 contains  1 , ts 1 ,  2 , sig 2 .The above information is used as forwarding evidence which proved that  the message is forwarded to the next-hop relay node.The signature sig 1 , sig 2 , . . .can witness these nodes that are willing to receive the message.Overhead of the message is based on layered coin mode.Because the message is added multilayer of evidences information in the forwarding process, the message length is slightly larger than the basic message.Except the signature fields, we assume each field is 2-byte length; then the message header with six fields is 12 bytes, the length of endorsed layer 0 is around 4 + 2 ⋅ |sig| bytes, another each endorsed layer is around 6 + |sig| bytes, and then the overhead of a  layered message Length  () is calculated as follows.
Length  () = where | denotes the length of encrypted message content; |sig| denotes the length of signature.Thus, the overhead of a message is mainly composed of message content and additional evidence information.
We assume the |sig| is 20-byte length; then the length of additional evidence is around  = 26 + 18 bytes, when  = 10,  ≈ 0.25 kb.Therefore, the additional evidence information is very small, relative to the message content; the overhead of bandwidth and storage is only a little more than the traditional methods.

Building and Updating Trusted Routing Table.
The tuple   = ⟨ *  ,   ⟩ is generated and updated by two processes: encounter process and message receiving process.In encounter process, suppose that node   and node   meet each other at time   ; the number of encounters between the two nodes   ,   will be incremented by 1, respectively.Without loss of generality, we assume that node   is carrying message that needs to be forwarded to the next-hop nodes.If node   is chosen as the next-hop relay of message, node   will follow SER routing protocol to forward a message copy to node   .After the message copy is successfully forwarded,   will be incremented by 1 to record the number of messages that have been sent to node   .In addition, after the node   received a message from the node   ,   will also be incremented by 1 to record the number of messages received from node   .Similarly, if the node   received a message from the node   ,   will be incremented by 1 to record the number of messages received from node   , and   will also be incremented by 1 to record the number of messages that have been sent to node   .The initial value of   ,   ,   ,   ,   ,   is set to 0. In message receiving process, if node   has received a message  and is the destination node of , node   extracts the forwarding evidences from the multiple endorsed layer of the message  and obtains the intermediate nodes and the message forwarding path as an evidence chain path:  0 →   .For each node in the evidence chain, the destination node   verifies the validity of their signature sig 0 , sig 1 , sig 2 , . . ., sig  , . .., and if signature verification for all nodes is correct and valid, those that successfully helped forwarding will be rewarded and trusted.The design of trust reward calculation is the pivot of an efficient routing scheme, which should reflect the ability of the intermediate nodes to forward message to the destination node and the fairness and incentive of trust evaluation.Therefore, we will calculate the trust reward of intermediate nodes based on the principles of reliability and delay.
(1) Reliability Principle.The position of intermediate node in the evidence chain path(  ) is closer to the destination node   , and the trust reward of this intermediate node should be higher.This is because the larger path(  ), the higher the reliability of node   to carry a message to the destination node   .
(2) Delay Principle.For the message of same link length, if the message delay time Δ =   −  is smaller, the intermediate node should get the higher trust reward from the destination node   .This is because the smaller Δ is, the quicker those intermediate nodes can deliver the message to the destination node   .
Assume that  ()  is the trust reward of node   evaluated by the destination node   based on the received message .Based on the above principle, we define  ()   as where |path()| denotes the length of message  forwarding path in evidence chain; () =  − , 0 <  ≤ 1, is the delay reward function of evidence chain, which has monotonic decreasing character with delay time Δ of the message.The value range of function is  − ≤ () < 1,  > 0 is regulatory factor for the minimum value of the delayed reward, and the larger the parameter , the smaller the minimum value of the delayed reward.path(  ) denotes the position of intermediate node   in the evidence chain, the range is 1 ≤ path(  ) ≤ |path()|, and () =  + (1 + ) 2 , 0 <  ≤ 1, is a reliability reward function for intermediate node, which has monotone increasing character with the parameter value path(  ).The value range of function is () ∈ (, 1], 0 ≤  < 1 is a regulatory factor for the minimum value of the reliability reward, and the larger the parameter , the larger the minimum value of the reliability reward.Therefore, the range of  ()  is ( − + )/2 <  ()  < 1.The trust degree   of node   toward node   is calculated based on all the messages forwarding evidences in history.The following trust degree calculation is exercised: if no new trust reward is gained in time window Tw, then   will decrease with the time; otherwise,   will increase based on trust reward  ()   ; that is, where    denotes the old trust degree of node   toward node   , Tw represents the length of trust update window, and  is the set of nodes that deliver successfully messages to node   within the current window, that is, the collection of nodes in the evidence chain received in the current time window. ∈ (1 − , 1) is a time decay function, where   ,  0 denote the current time and the latest trust update time, respectively; as  Robustness Analysis.In the building and updating process of the trusted routing table, the malicious node may modify the trusted routing table to forge high trust value and message forwarding ratio.However, this attack can be thwarted in our scheme, since the number of encounters and forwarding message number of malicious node can be verified by wellbehaving nodes that encountered malicious node in the past, so the malicious node cannot forge message forwarding ratio.Because each row vector in the trusted routing table has the signature of the corresponding node, if the malicious node forged high trust value in row vector, then this forged row vector cannot be updated to the trusted routing table of other nodes, because the signature of the node in this forged row vector is incorrect.As a result, the proposed trusted routing table has robustness and nonrepudiation.

Detecting Malicious
Nodes and Selfish Nodes.By analyzing and observing the characteristics of the attacker in Section 2.2, we have the strong belief that can distinguish between well-behaving nodes and malicious nodes through their historical forwarding behavior and trust value, because if a well-behaving node has a high number of encounters with other nodes, it might receive a lot of messages and forward a larger portion of them or all of them; that is, it has higher ratio between forwarded messages and received messages.However, malicious nodes often have high number of encounters and receive a lot of messages from other nodes but only forward a small portion of them or even do not forward any of them, so malicious nodes have lower ratio of forwarded messages over received messages.Different from malicious nodes, selfish nodes receive only a few of messages even if they have high number of encounters with other nodes, but they forward a lot of messages generated by themselves, so selfish nodes have abnormal high ratio between forwarded messages and received messages.Based on the above analysis, we use the column vector in the trusted routing table to define the metrics named malicious behavior ratio, MBR, and selfish behavior ratio, SBR, that can effectively detect malicious nodes and selfish nodes.Suppose the column vector of node   is  *  = ( 1 ,  2 ,  3 , . . .,   )  , malicious behavior ratio MBR of node   can be formulated as where ∑  =1   ⋅   is the total number of messages that all DTNs nodes received from node   , that is, the total number of messages forwarded by node   .∑  =1   ⋅   is the total number of messages that all DTNs nodes send to node   , that is, the total number of messages received by node   .∑  =1   ⋅  is the total number of encounters where all DTNs nodes meet node   .MBR can potentially reveal malicious behavior of malicious nodes dropping packets frequently, because ∑  =1   ⋅   is far less than ∑  =1   ⋅   and ∑  =1    ⋅   , so malicious nodes have lower MBR than the well-behaving nodes.
To effectively detect selfish nodes, selfish behavior ratio SBR can be formulated as where the meaning of each value and expression is the same as (6), and SBR can potentially reveal behavior of selfish nodes that frequently refuse the request of forwarding message packets, because ∑  =1   ⋅   and ∑  =1   ⋅   are greater than ∑  =1   ⋅  , so selfish nodes have abnormal higher SBR than the well-behaving nodes.using Eq. ( 6); (3) calculate selfish behavior ratio SBR of node   using Eq. ( 7); (4) if MBR < Th MBR then (5) return node   is a malicious node; ( 6) else (7) if SBR > Th SBR then (8) return node   is a selfish node; ( 9) else (10) return node   is a well-behaving node; ( 11) end (12) end Algorithm 2: Detecting malicious and selfish nodes.
Therefore, after obtaining MBR and SBR of node   , we compare them with predefined thresholds to judge whether the node   is malicious node or not.Th MBR and Th SBR denote threshold of malicious behavior ratio and selfish behavior ratio, respectively, and their value is chosen empirically using simulation.The detailed detection process of malicious and selfish nodes is shown in Algorithm 2.

Security and Efficient Routing Based on TRT.
When node   meets node   , it triggers Algorithm 3 to perform the following routing steps.Step (1): node   first uses Algorithm 2 to judge whether node   is a well-behaving node or not; if node   is a well-behaving node, it runs to next step.Step (2): node   queries messages in its buffer   ; if there are messages that need to be forwarded, it stores the messages in a temporary set  and then goes to next step.
Step (3): for each message  ∈ , node   gets the identity   of the destination node from head field of message  and obtains row vector   = ( 1 ,  2 ,  3 , . . .,   ) of node   in trusted routing table TRT, then queries the trust value   ⋅   ,   ⋅   , of node   and node   evaluated by node   , and goes to next step.Step (4): node   forwards the message  to node   according to the following strategies.
(1) If   ⋅   >   ⋅   , node   will forward a copy of message  with copy number nc  to node   and then updates copy number nc  ← nc  − nc  ; otherwise node   continues to carry message  until it meets a node with greater trust degree.The copy number of message is divided according to the proportion of trust value, as shown in (8).If the node has higher trust value, it has larger copy number of message.
(1) if node   meets node   then (2) node   triggers Algorithm 2 and detects behavior of node   ; (3) get detection result of node   from Algorithm 2; (4) end (5) if node   is a well-behavior node and   ̸ =  then (6) sorts messages by the remaining TTL; (7) for each message  ∈   do (8) get destination node   from head field of ; (9) get   ⋅   ,   ⋅   of node   and node   from   = ( 1 ,  2 ,  3 , . . .,   ); (10) if   ⋅   >   ⋅   then (11) get copy number nc  from head field of ; (12) calculate nc  using Eq. ( 8 (2) In the initial phase, if   ⋅  and   ⋅  are null values, we use average trust values   ,   of node   and node   as the decision for message forwarding, , it shows that the network is in the cold start phase.Therefore, node   adopts epidemic algorithm to forward the copy of message  to node   and does not divide the copy number of message .
(3) If   >   , node   will forward a copy of message  with copy number nc  to node   and then updates copy number nc  ← nc  −nc  ; otherwise node   continues to carry message  until it meets a node with greater trust degree.In this case, the copy number of message is divided as shown in

Security and Communication Networks
The proposed routing algorithm only uses the row vectors and column vectors in the local trusted routing table to judge the behavior of encountered node and make forwarding decision.The overhead of the algorithm is low; the maximum time complexity is equal to (|| × ).The algorithm of detecting malicious nodes and selfish nodes can detect the behavior of the encountered node and effectively resist the attacks of malicious and selfish nodes in DTNs.Therefore, the proposed scheme improves the security and reliability of DTNs effectively and achieves the design goal 2 in Section 2.3.In the proposed scheme, a message is delivered to the destination node along the direction of trust gradient increment; only when the condition   ⋅   >   ⋅   is met, the relay nodes forward the message to the next-hop relay nodes.This scheme makes the probability of the message reaching the destination node get higher and higher and significantly improves the network routing performance, that is, higher delivery ratio and lower average delivery delay and achieves design goal 1 in Section 2.3.

Performance Evaluation
4.1.Simulation Setup.We set up the experiment environment with the ONE (opportunistic network environment) simulator, in which we implement our proposed routing algorithm.ONE simulator is designed for evaluating and verifying DTNs routing protocols and includes a variety of movement models, map of Helsinki city, and some typical routing algorithms such as Epidemic, Spray and Wait (SAW), Prophet, and MaxProp.In our experiment, we adopt the map of Helsinki city as the experiment environment and deploy 200 nodes on the map with size of 4500 m to 3400 m.The well-behaving nodes and selfish nodes use shortest path map based movement model to simulate the movement at speed of 0.5 m/s to 1.5 m/s, and malicious nodes move at speed of 2.7 m/s to 13.9 m/s.Messages are generated at the rate of one per 25 to 35 seconds.The simulation time is set to 24 hours, during which 2900 messages are generated.The size of message is 512 kB.Time to live (TTL) is in the range of 30 to 240 minutes.The buffer   of each node is in the range of 5 M to 60 M. Delay of reward regulation factor  is set to 10. Reliability reward regulation factor  is set to 0.3.Time decay factor  is set to 0.2.The maximum copy number of message nc is set to 10.
We evaluate our scheme in two aspects: effectiveness of malicious attack detection and routing performance.The performance metrics used in the evaluation are (i) detected accuracy, which is the percentage of malicious nodes and selfish nodes that can be detected; (ii) false positive rate, which is the percentage of well-behaving nodes that are falsely judged as malicious nodes and selfish nodes; (iii) delivery rate, which is the percentage of generated messages that are successfully delivered to destination nodes within time to live; (iv) average delivery delay, which is the average time taken for the messages to be delivered from the source nodes to the destination nodes; (v) overhead rate, which is the proportion between the number of relayed messages (excluding the successfully delivered messages) and the number of successfully delivered messages.Both detected accuracy and false positive rate are used to measure effectiveness of malicious attack detection.Delivery rate, average delivery delay, and overhead rate are used to measure routing performance.

Simulation Results and Analysis
4.2.1.The Impact of Choosing Different Threshold.First, we evaluate the impact of choosing different threshold Th MBR on malicious behavior detection of SER.The number of malicious nodes is set to 40.The dropping probability of messages is varied from 0.1 to 0.8, which indicates the level of malicious nodes.The threshold of malicious behavior ratio Th MBR is varied from 0.05 to 0.4.Time to live (TTL) of each message is fixed to 30 minutes.The buffer   of each node is fixed to 5 M.
Figure 5 presents the detected accuracy and false positive rate of SER with varying thresholds and dropping probability.Figure 5(a) shows that six curves have similar trends, which indicate that the malicious nodes are more likely to be detected when their dropping probability increases.When the dropping probability of messages increases to 0.3, the detected accuracy of SER reaches to 100 percent using four varying thresholds.Even though the dropping probability of messages is lower than 0.1, the detected accuracy of SER is still higher than 70 percent when the threshold is greater than 0.15.This shows that SER could achieve a better detected accuracy.Furthermore, Figure 5(a) also shows that the greater the threshold, the higher the detected accuracy of SER.However, from Figure 5(b), we can obviously find that the greater the threshold, the higher the false positive rate of SER.When the threshold is equal to 0.4, the false positive rate of SER exceeds 14 percent, which is obviously unacceptable even with higher detected accuracy.Therefore, we need to set a threshold tradeoff between detected accuracy and false positive rate.As seen in Figures 5(a) and 5(b), if the threshold is set to 0.1 or 0.15, SER not only has higher detection accuracy, but also has lower false positive rate.That means SER has little effect on well-behaving nodes when we choose the appropriate threshold.
Similarly, we evaluate the impact of choosing different threshold Th SBR on selfish behavior detection of SER.The total number of selfish nodes is varied from 10 to 50.The threshold Th SBR is varied from 1.3 to 3. Figure 6(a) shows that the detected accuracy of SER reaches to 100 percent under all thresholds, when the total number of selfish nodes is less than 20, which implies that the less selfish nodes are easier to be detected.When the number of selfish nodes exceeds 30, the detected accuracy of SER has the drop trends, and the greater the threshold, the more obvious the drop trends.But correspondingly, as shown in Figure 6(b), the false positive rate of SER also has more significant drop trends, when the number of selfish nodes increases.This is because the selfish nodes have more friends and receive more messages from their friends.The result is that some selfish nodes have lower SBR and do not violate the large thresholds.Even though the number of selfish nodes is increased to 50, the detected accuracy of SER is still higher than 94 percent, but the false positive rate of SER is lower than 2 percent when the threshold is equal to 1.3.This means that SER could detect selfish behavior effectively and has a little effect on wellbehaving nodes.Therefore, we conclude that if the number of selfish nodes is less than 30, we use the large threshold to detect false positive rate; on the contrary, we use a small threshold.

The Impact of TTL on the Routing Performance.
In this section, we compare SER with three classic routing schemes Epidemic, Prophet, and SAW in the routing performance.The buffer   of each node is fixed to 5 M. Time to live (TTL) of message is varied from 30 minutes to 240 minutes.Suppose there are no malicious nodes and selfish nodes in DTNs.
Figure 7 shows the performance of four routing schemes under varying TTL.As seen in Figures 7(a) and 7(b), our scheme SER has obvious advantages in delivery rate and average delivery delay compared with other three schemes.From the figure, TTL has little effect on SER.Even though the TTL is equal to 30 minutes, the delivery rate of SER still reached to 70 percent.When TTL is greater than 120 minutes, the delivery rate of SER reached to 88.5 percent and tends to a steady state.This is because SER adopts the following message forwarding strategy: (1) selecting the more trusted nodes as the next-hop relay nodes and (2) each message having multiple finite copies that are forwarded concurrently along different paths.However, the delivery rates of Epidemic and Prophet have the drop trends when the TTL increases.This is because these two schemes adopt the infinite message copies forwarding strategy; there are many messages that are not forwarded in time, which are deleted by nodes due to buffer capacity limitation and receiving the new messages.Although the delivery rate of SAW approaches SER when the TTL is increased to 240 minutes, SER has greater advantage in the average delivery delay; the other schemes have obvious growth trend with TTL increased.When the TTL is increased

The Impact of the Number of Malicious Nodes on the Routing Performance.
In this experiment, we assume that there are malicious nodes in DTNs.The number of malicious nodes is varied from 0 to 40.The dropping message probability of malicious nodes is fixed to 0.3.The threshold Th MBR on malicious behavior detection of SER is set to 0.15.The buffer   of each node is fixed to 10 M. Time to live (TTL) of message is fixed to 60 minutes.We evaluate the routing performance of four schemes under varying number of malicious nodes.Figure 9(a) shows that the delivery rate of SER has the slight dropping trends, but the delivery rate of other schemes has the obvious dropping trends, when the number of malicious nodes increases.Even though the number of malicious nodes is increased to 40, the delivery rate of SER still exceeds 84 percent that is obviously higher than other schemes.This result indicates that SER has better effect of resisting malicious behavior by using malicious nodes detection mechanism and the trusted forwarding strategy.However, the average delivery delay of four schemes has obvious rising trends in Figure 9(b); this is because the total number of nodes in the experiment is fixed to 200; if the number of malicious nodes increases, the number of well-behaving nodes would decrease to lead to the increase of average delivery delay.The delivery rate of SAW has the obvious linear dropping trend, which indicates that the malicious nodes have big effect on the single copy strategy.As seen in Figure 9(c), the overhead rate of SER is lower than 100 and close to SAW, which indicates that SER could not only detect the malicious nodes, but also forward the message to the most proper next-hop relay node.The overhead rate of Epidemic and Prophet has the dropping trends, when the number of malicious nodes increases; this is because the total number of copies of the message in DTNs is decreased.As a result of the two-hop routing strategy, the overhead rate of SAW is very small; this is because fewer copies of messages are generated in DTNs.

Related Work
In recent years, many research works on misbehavior detection and routing in DTNs have been proposed, which are closely related to our SER scheme.In Prophet [11], Lindgren et al. first propose a probabilistic routing protocol for DTNs, which calculates the probability of a node contacting the destination node as the next-hop relay node selection strategies.A node will forward a message to the next-hop node only when the next-hop node has a higher probability of contacting the destination node.MaxProp [8] exploits priority of the transmitted path to schedule the messages to be forwarded and the messages to be dropped and stores a list of previous intermediaries to prevent message from forwarding twice to the same node.In ERB [12], to minimize overhead in terms of both extra traffic injected into the network and control overhead, ERB adopts historical encounter-based metric for optimization of message forwarding, where each node is only responsible for maintaining the past rate of encounter average to predict future encounter rates.SMART [16], SSAR [10], Bubble Rap [9], and SGBR [17] exploit the various social metrics to select the appropriate next-hop relay node, such as history of interaction, betweenness centrality, and community.Although the routing schemes mentioned above are very effective for improving route performance, they cannot address the security problems in DTNs.
To detect colluding blackhole and greyhole attacks, Pham and Yeo [6] designs a statistical-based detection scheme (SDBG) in which each node locally maintains the encounter records and the meeting summary with other nodes.When the nodes meet each other, they are required to exchange their encounter record histories, based on which other nodes can evaluate their forwarding behaviors.Alajeely et al. [3] present the detection attack and trace back mechanisms based on the Merkle tree, where the legitimate nodes can detect attack based on the received packets and then trace back and identify the malicious nodes.Zhu et al. [7] exploit a trusted authority (TA) to judge the forwarding behavior of nodes based on the collected delegation task evidence, forwarding history evidence, and contact history evidence.Chen et al. [13], Lu et al. [15], Ayday and Fekri [18], Li and Cao [14], Zhao et al. [19], and Chen and Chan [20] adopt the incentive mechanism to motivate selfish nodes to forward messages, which use reputation or credit to represent the forwarding behavior of nodes.
Different from existing routing protocols and misbehavior detection schemes, our proposed SER scheme introduces a trusted routing table (TRT) that contains the behavior history information of each node and the trust degree of forwarding the message to other nodes.We use the trusted routing table not only to analyze the behavior of nodes, but also to make effective routing decisions.Therefore, SER can achieve both the routing performance and the misbehavior detection and only cost the extra resource overhead that maintains the trusted routing table.

Conclusions
In this paper, we proposed a security and efficient routing scheme (SER), which has the dual functions of routing decision and malicious attacks detection.Based on the layered coin model and digital signature mechanism, the proposed forwarding evidences collection mechanism can effectively guarantee the security and authenticity of the forwarding evidence.Exploiting the forwarding evidence and historical contact information, we described in detail the build and update process of trusted routing table.By adopting the trusted routing table, the proposed SER scheme can obtain the global view about the contact relationship among all nodes in DTNs.The detailed analysis has shown that the trusted routing table not only is secure and reliable, but also quickly converges to global consistency.The simulation results show that SER could accurately detect the attacks behavior of malicious nodes or selfish nodes by analyzing the history forwarding behavior of node from the global view.In addition, the simulation results also demonstrate that SER has better routing performance compared with the existing algorithms, such as higher delivery rate and lower average delivery delay.For our future work, we will design the hierarchical trusted routing table and further reduce the network resource overhead.

Figure 3 :
Figure 3: Message forwarding process based on trust.

Figure 4 :
Figure 4: Layered coin model based message format.

Figure 8 :
Figure 8: Routing performance under varying buffer capacity.

Figure 9 :
Figure 9: Routing performance under varying of the number of malicious nodes.
Node N i and node N j exchange the trusted routing table with each other Node N i analyzes the history forwarding behavior of node N j along the path  0 →  1 →  2 →  3 →   .Due to those intermediate nodes  0 ,  1 ,  2 ,  3 successfully participated in forwarding message; according to the regular pattern of periodic movement of nodes, those nodes may deliver messages to the destination node   again at some time in the future.If the nodes To prevent malicious nodes from forging   ,   ,   ,   ,   ,   and ensure   =   ,   =   ,   =   , the new evidences  *  =   ,   ,   , sig  , sig  and  *  =   ,   ,   , sig  , sig  will be generated by node   and node   respectively, where sig  = SIG sk  (  (  |   |   |   )) and sig  = SIG sk  (  (  |   |   |   )) refer to the signatures generated by node   and node   , respectively, to show that node   and node   have accepted these evidences   ,   ,   ,   ,   ,   .Node   and node   can judge whether   =   ,   =   ,   =   are established by verifying the signature of the other party.Consequently, malicious nodes have difficulty forging the encounter and forwarding evidences unilaterally.

Table 1 :
Trusted routing table TRT  of node   before update.

Table 2 :
(5)sted routing table TRT  of node   before update.shownin(5),0<  ≤ 1 is a factor of decay rate and minimum; the larger the parameter  is, the quicker the trust degree value decreases.Therefore, if a node can keep good trust degree continuously, it will have a strong ability to forward message to the node   .When the encounter process and message receiving process are performed, node   will generate or update the tuple    = ⟨ *  ,   ⟩ to record summary information about node   .Without loss of generality, node   generates the tuple  for each DTNs node after multiple cycles of the network operation.Therefore, we adopt vector table   = ( 1 ,  2 ,  3 , . . .,   ) to store the summary information that the node   reports about other nodes.The trusted routing table (TRT) consists of vector table of each node, but in initial phase, each node's trusted routing table has only its own row vector.To quickly build and update trusted routing table in each DTNs node, when the two nodes meet, they first exchange trusted routing table with each other.When a node received the encounter node's trusted routing table, it compares the received trusted routing table to itself trusted routing table.If there is a new row vector in the received trusted routing table, this node will update its trusted routing table.To prevent malicious nodes from tampering row vector of trusted routing tables, node   generates the record information of the row vector  *  =   , TwID, Sig  periodically to update and verify the trusted routing table, where Sig  = SIG sk  (  (  | TwID)) refers to the signature generated by node   on vector table   ,   ( * ) is a hash function for generating summary of   | TwID, and TwID denotes the latest update window of record information  *  .We use an example to illustrate the update process of the trusted routing table.As shown in Tables 1 and 2, the trusted routing table TRT  of node   contains three row vectors  1 ,  2 ,   , and the trusted routing table TRT  of node   contains three row vectors  1 ,  3 ,   , and when node   and node   meet, they exchange the trusted routing tables TRT  , TRT  with each other.After the update operation, as shown in Table 3, the trusted routing tables TRT  , TRT  of node   and node   contain five row vectors  1 ,  2 ,  3 ,   ,   , and  1 is the latest vector table in

Table 3 :
Trusted routing table of node   and node   after update. maintains the vector table   = ( 1 ,  2 ,  3 , ⋅ ⋅ ⋅ ,   ); The initial value of trusted routing table TRT  contains only row vectors   ; (1) if node   updated the vector table   then if node   and node   meet each other then (7) send trusted routing table TRT  to node   ; (8) receive trusted routing table TRT  from node   ; (9) end (10) while ∀  ∈ TRT  ∩ TRT  do (11) if TRT  ⋅   ⋅ TwID > TRT  ⋅   ⋅ TwID then while ∀  ∈ TRT  and   ∉ TRT  do (22) verify the validity of the signature Sig  ; (23) if Sig  is valid then   .The detailed update process of trusted routing table is shown in Algorithm 1.