Fault Activity Aware Service Delivery in Wireless Sensor Networks for Smart Cities



Introduction
Wireless sensor networks (WSNs) have been integrated with smart cities and play an important role in them by providing versatile applications through sensors. With the demands on the living and security standards of a city, it has become necessary for WSNs to support a series of city services, such as health monitoring, electricity consumption, intelligent transportation, visual target tracking, and multicamera surveillance [1,2]. Sensors that are randomly distributed in a network cooperate with each other to deliver service data via multihop routing and rate control to the sink, which can communicate with conventional networks, for instance, the Internet.
Built upon an open wireless medium, multiple city services in WSNs are particularly vulnerable to attackers, who are attracted by sensitive information, less infrastructure, privacy, and so forth. Many service delivery protocols have been proposed and evaluated for countering different types of misbehaving nodes [3,4]; however, most studies largely ignored the uncertainties and variabilities in the city environment. It is not easy to characterize the dynamics of ongoing or unknown attacks in an intuitive way. Moreover, recent works in [5,6] have demonstrated that attackers with a fixed strategy cannot disguise themselves as members of a city and are then marked as adversaries. An intelligent misbehaving sensor may exhibit inconsistent behaviors or adapt its strategy under random attacks in smart grids [7], stealthy attacks in WSN-based IoT [8], and dynamic ongoing attacks in smart cities [9]. Hence, the impact of misbehaving sensors is probabilistic and time-varying in many cases. In order to characterize the effect of faulty behaviors on routing and throughput, we propose an impact collecting-based approach, which formulates the dynamics of faulty behaviors. A popular approach is to collect information about the direct impact of the misbehaviors, such as energy and delivery quality inside a sensor. Besides that, the delivery of city services is affected by some indirect impacts. For example, a vehicle misleads network routing and causes bandwidth consumption by announcing various fake positions simultaneously or at frequent time intervals [10]. To defend against this type of misbehavior, a sensor needs to obtain trust verification from other sensors. The aim of our method is first to identify the state of a faulty sensor by gathering, for both direct impact and indirect impact, verification information received from its neighboring nodes. Then we model the state of being faulty at each sensor as a random process. Since the effect of faulty behaviors is probabilistic, the state of being faulty will also be nondeterministic and must be studied by applying a stochastic framework. Accordingly, we make each sensor establish a novel metric, fault activity (FA), for modeling the stochastic state of being faulty in terms of statistical information about the probabilistic faulty nodes, which is also utilized to select the next forwarding candidates for each hop and to allocate resources for each service.
Geographic opportunistic routing (GOR) is considered an effective and flexible way to improve network performance with the help of WSN localization and by exploiting spatial diversity [11-14]. Moreover, GOR maintains high efficiency and scalability since each sensor only needs the local one-hop connectivity. In this paper, our FAGOR uses more candidates as backups and integrates the fault activity model into the process of forwarding candidate selection. For example, as shown in Figure 1, based on distance, energy, trust verification, and delivery quality inside a sensor, each sensor filters and prioritizes its neighbors to choose a candidate sensor set. These candidates follow the priorities to deliver the packet opportunistically. Malicious sensors (node A and node B) have very low priorities or are not even included in the candidate set according to their direct impacts and indirect impacts.
Network service performance becomes lower when inside intrusions are present since the effective flow gets thinner when misbehaving nodes are on its routes [15,16]. Therefore, it is necessary to apply rate-control design to complement secure routing and guarantee performance. A popular approach for reliable resource allocation is to design improved optimal flow control (OFC) algorithms, which solve network utility maximization (NUM) problems with constraints on fixed reliability requirements [17-19]. However, these approaches are unable to adapt their resource allocation and fairness dynamically according to the actual-receive rate of each service. We develop an FA-leaky-hop model in which each faulty sensor has potential effects on the resulting data throughput and incorporate the actual-receive rate at wireless hops into the OFC approach.
Moreover, when multiple city services, for example, camera monitoring, health surveillance, email, and smart home, are run over a network as shown in Figure 1, the existing OFC approaches usually lead to a seriously unfair resource allocation in terms of rates [20]. For example, real-time traffic which has its minimum required rate may get almost zero utility, despite nonzero rates. The utility function conditions of OFC need to be relaxed to describe different services regarding heterogeneous traffic types. Based on the FA-leaky-hop model, we formulate the problem of allocating rate among multiple services as a lossy flow optimization problem, namely, fault activity utility OFC (FA-UOFC), through maximizing the sum of relaxed utilities subject to the network constraints. Considering the existence of faulty sensors, our FA-UOFC algorithm allocates traffic to various services and achieves fairness in terms of actual-receive utility, rather than in terms of rate or utility. In particular, we define the utility fairness index, which measures the degree of fairness performance based on the achieved throughput in lossy networks, and seek to gain a considerable value of it under our service delivery strategies.
In this article, we investigate multiple city service delivery with joint routing and rate control that can minimize performance degradation in the event of misbehaving nodes. To the best of our knowledge, this is the first work to address both routing and rate control for multiple services in WSNs via a fault-dynamic model-based approach. The main contributions of this paper are outlined as follows:
(i) We design a distributed framework of fault activity information at each sensor to locally characterize the impact of the nondeterministic and dynamic faulty behaviors and to incorporate fault activity information into data delivery for multiple city services.
(ii) We propose a fault activity-based geographic opportunistic routing protocol, FAGOR, which combines the direct and indirect impacts of faulty behaviors, to protect against a wide range of attacks.
(iii) We formulate the problem of allocating resources among multiple services in the presence of misbehaving nodes as a lossy flow optimization problem along the leaky-hop model. A distributed algorithm, FA-UOFC, is developed to allocate the effective rate properly within the sensor networks and to achieve lossy utility fairness by sources with different traffic types.
(iv) We define a novel index, the index of utility fairness, that quantitatively measures the degree of utility fairness among multiple city services in distributed systems.
The rest of the paper is organized as follows. Related work is described in Section 2. We depict our system model in Section 3, and we present methods that allow sensors to establish the novel fault activity (FA) metric according to the impact of misbehaviors in Section 4. In Section 5, we introduce the formulation of a GOR protocol based on FA metrics. In Section 6, we describe the leaky-hop model and formulate the optimal rate control for multiple services in the presence of misbehaving nodes. The performance of our algorithm is evaluated in Section 7. Finally, we conclude the paper and give directions for future work in Section 8.

Related Work
Over the past few years, the literature has investigated multiple city service delivery over wireless networks. A resource management scheme is proposed in [21] to offer the delivery of various city services in the Internet of Things. Tang et al. [22] propose a cross-layer resource allocation model for guaranteeing the QoS requirements of elastic services (audio and video surveillance, habitat monitoring, and real-time traffic monitoring) based on the optimal achievable rate in a Cloud Radio Access Network. Spachos et al. [23] design an energy-aware dynamic routing scheme to improve the QoS-aware routing of multimedia traffic by optimizing the selection of the forwarding candidate set. The schemes mentioned above do not consider the existence of malicious nodes, and no policy is given to defend against the misbehaviors of wireless nodes. There exist works that study particular misbehaviors of node selfishness for multiservice delivery. Luo et al. [24] design an algorithm to select relay nodes in terms of residual energy metrics in WSN-based IoT. The "ground truth" status of each node in [25] serves as virtual credit to encourage data delivery according to its social and QoS behavior. The work in [26] presents a dynamic trust management for secure routing to deal with selfish behaviors and trust-related attacks. Our fault-aware routing and resource allocation scheme extends these solutions with consideration given to a wider range of misbehaviors on multiservice delivery in WSNs from the perspectives of both direct-impact factors and indirect-impact factors.
Due to the misbehaving nodes' effect on network performance, various defense strategies dealing with the nodes' misbehaviors have been studied for wireless networks. However, most of these works only present countermeasure analysis for different types of faulty nodes and have not considered the uncertainties and dynamics of real environments. Most of the studies assume that the faulty nodes employ a constant strategy that will not change with time. In fact, a faulty node can adopt variable misbehaviors to maximize its intrusion strength [27]. Malicious nodes can be equipped with cognitive technology and can adapt their attacking strategy according to the legitimate users' actions [28]. The attackers decrease the frequency of their attacks to disguise themselves and to avoid being detected [29]. Mitchell and Chen [30] characterize a malicious attacker by its capacity to perform random attacks. Similar to [30], our approach works against misbehaving nodes which may exhibit inconsistent behaviors; a misbehaving node acts as a good node and does not launch attacks at first, in order to gain the trust of other nodes, or it may perform on-off attacks with a random probability. Our work characterizes the impact of potential dynamic faults and incorporates statistical information into the resource allocation and routing protocols. This assumption not only provides efficient defense against stationary failures but also is suitable for mobile attacks and the uncertain losses from the various environments.
In the reliable routing of WSNs, geographic routing is an attractive approach since no end-to-end route is determined before data delivery [31]. A QoS-aware geographic opportunistic routing, QGOR, is explored in [14] for delivering packets with both time delay and reliability constraints in WSNs. Using location information, Wu et al. [32] design an efficient routing and load balancing algorithm in hybrid VANET. These studies, however, do not consider and respond to location-related attacks. Liu et al. [33] consider the use of location verification such that neighbors exchange their location information to address a series of location-related attacks. One main limitation of this scheme is that if the localization mechanism is separated from the routing protocol, the protocol will fail. FAGOR is similar to those schemes in terms of security requirements. FAGOR differs from them in that it uses RSS to detect location information and the verification from the other sensors to identify this type of misbehavior with a probability.
An optimization problem was first applied to formulate the rate-control stack design of the wireline context by Kelly et al. [34]. This pioneering work was further advanced by studies in cellular wireless networks [35], ad hoc networks [36], and wireless sensor networks [37]. The fundamental assumption of the above research is that each application attains a concave utility function and, thus, it is only suitable for elastic traffic. It cannot deal with the resource allocation of multiple services in sensor networks where both elastic and inelastic traffic are commonly engaged. Lee et al. [38] show that instability and high network congestion may be caused by the mixing of inelastic and elastic traffic in the absence of appropriate rate controllers. Hande et al. [39] have further derived the sufficient and necessary conditions of system optimality in a mixed-traffic scenario and have proposed a link provisioning method which could potentially be used during the network-planning stage. Alternatively, Wang et al. [20] have developed a new rate-control framework that is able to deal with both elastic and inelastic traffic of multiple services such that the resulting utility is proportionally fair. However, these works do not consider the existence of misbehaving nodes and assume that each wireless node is cooperative and well-behaved.
Recently, numerous protocols which maximize the sum of each application's utility by setting fixed reliability constraints have been proposed to allocate the resources of multiple services to provide reliable wireless transmissions [16]. These works, however, are unable to adapt fairness dynamically in terms of the actual-receive resource of each application. Li et al. [19] incorporate rate, in addition to delay and reliability, into the utility function to support different QoS requirements of various traffic. In our paper, we take a similar approach in which the utility is defined to be a function of the effective utility received at destination nodes. By means of embodying QoS objectives in the extended utility function, our FA-UOFC is applicable to various services addressing their real utility requirements and improves the utility performance of both inelastic sources and elastic sources.

System Model and Assumptions
This section presents the network and the misbehaving-node model handled in this article, as well as the assumptions made in order to design the proposed architecture.

Network Model.
In a smart city, a wireless sensor network involves tiny devices, called sensor nodes V = {1, 2, . . ., }, which have the ability to cater to different applications. These devices are randomly deployed in a city area with a constant size, for example, a smart community containing residential buildings, hospitals, schools, shopping malls, cafes, and banks. Two SNs within the wireless transmission range  can send data and communicate with each other, and any two nodes with a distance greater than  would require multihop communication to reach each other. A link is denoted as a pair of nodes (, ), where  ∈ V is the transmitter and  ∈ V is the receiver. The data collected by sensors is sent to sinks which process data locally or through core networks such as the Internet.
The locations of the sinks, which act as data, computation, and control centers, are known in the network. Each sensor knows its own geographic coordinates using one of the secure localization algorithms [40]. Meanwhile, a sensor can adapt its location information with the help of some trusted mobile anchor nodes in its neighbor set, for example, vehicle nodes equipped with GPS.
Due to the broadcast nature of the wireless medium, the transmitters contend for the capacity of the shared wireless channel if they are within the interference range of each other. Considering the protocol model [41] for successful transmission, the interference among the transmissions is characterized by the interference sets. Since the transmitters included in the interference set share the same common channel capacity, only one of the sensors may transmit over a channel in a time slot. Moreover, since energy is a major concern in WSNs, we assume that sinks are powerful services for collecting data and that other sensors have limited and irreplaceable batteries. We build a power dissipation model to guarantee the operational lifetime of the sensor network in Section 6.

City Services.
WSNs provide a variety of services to city users that will force networks to support heterogeneous traffic. More generally, utilities of multiple city services in a smart city can be categorized as follows in terms of performance goal perspectives [20]:
(i) Elastic utility for traditional data services such as file transfer, mail, and ftp
(ii) Inelastic utility including real-time utility, rate-adaptive utility, and stepwise utility such as video surveillance, real-time monitoring, and teleconferencing
Figure 1 illustrates an example network with five flows  1 to  5 of source rates  1 to  5 , respectively. There are different types of sensors embedded to support city services with different QoS requirements. The utility types of source nodes are given as follows: inelastic utility for the first four source nodes and elastic utility for the fifth source node. Note that, in comparison with other data delivery for elastic traffic, the assumption of mixed traffic in our rate-control model is practical for many smart city applications, such as water consumption, electricity consumption, target tracking, health surveillance, and smart home appliance.

Fault Activity Information.
In this article, we assume that the source nodes have no prior knowledge of the abnormal behaviors being performed by nodes. That is, we make no assumption about the malicious nodes' strategies, misbehaviors' goals, or mobility patterns. We assume that the types of misbehaviors, like failure of internal components or external faults, are unknown to the network. In order to characterize the effect of nodes' misbehaviors on multiservice delivery, each source must collect information on the impact of the misbehaviors in city parts of networks. However, due to the distributed characteristic of wireless sensor nodes, no central network entity collects the information on the misbehaviors' impact of all sensors, and a fully distributed solution is required. Every source/SN should have its own fault activity information (FAI) for both its neighbors' and its own faulty behavior impact. The node FAI at each SN obtains the faulty activity impact of its neighbors and of itself in terms of direct and indirect impacts recommended by the SNs around it. Meanwhile, the direct and indirect impacts are affected by SNs' factors, that is, energy, trust verification, and delivery quality inside a sensor.
When sensor node  delivers multiservices to the sink via multihop communication, there are some candidates based on node 's knowledge of available forwarding neighbors. Nevertheless, since the node misbehaviors may degrade the reliability of the routing path, each hop selects the most reliable one of these candidates in terms of their FAI. Additionally, each sensor node tries to maximize the benefit by sending a feedback signal to the source: the "resource price", which determines the cost of consuming limited resources by competing services. Accordingly, each source is charged the resource price and is then allocated a certain amount of resources for delivering its service. For various types of services or applications, each source is associated with a utility function that reflects how much QoS benefit that source obtains at the allocated transmission rate. Here, the network model of the distributed framework of the candidate selection and rate allocation of the sources is shown in Figure 2.

Characterizing the Impact of Faulty Activities
In this section, we propose techniques for sensor node estimation and characterization of the impact of faulty activities and for obtaining misbehavior information. Under the distributed framework of the fault activity information (FAI), the FAI of each sensor node consists of two parts: direct impact and indirect impact of misbehaviors on multiservice delivery. Based on FAI, we determine the node-faulty state and get the estimation of FA metric. Each relay sensor should incorporate its neighbors' estimates into its candidate selection for next-hop from its neighbor set. In order for a source node to incorporate the misbehavior impact in the rate-control problem, its own estimation of FA must be recorded in the data packets when the packets arrive at this intermediate sensor and be sent back to the source node when the packets arrive at the sinks.

Direct-Impact Model
Delivery Quality inside a Sensor.
In a smart city, sensors with heterogeneous nature support and forward a mix of elastic and inelastic traffic. With the existence of misbehaving sensors along routing paths, the data rate of a flow gets thinner and thinner and the actual-receive rate at the sink is considerably lower than that at the source. Figure 3 shows the utility obtained by elastic and inelastic applications at different actual-receive rates. If an elastic service gets a rate slightly greater or lower than their minimum required rate, inelastic applications get zero utility. Therefore, the quality of delivery inside a sensor is a significant factor for utility of multiple services. Although a faulty node may perform various behaviors, any good node exhibits the same behavior: delivering packets correctly. Similar to the approach in [42], we use the ratio of packets successfully delivered compared to those sent (packets may be corrupt even if received) in order to characterize the delivery quality inside a sensor. During a certain period [ − , ], each node (sender) enters the promiscuous mode and checks whether the packet is actually forwarded by its selected nodes. Additionally, it can record in the neighbor list the running average number   [ − , ] of packets sent to node  and the running average number   [ − , ] of valid

Energy.
If some sensors malfunction due to the lack of energy, this degrades the overall network efficiency and performance.   is denoted as the remaining energy of node . Let   ,   , and   be the energy consumed in the sensing, transmitting, and receiving for one data packet per unit time.
In order to update the direct-impact metric, the location beacon of one-hop neighbors is extended to apply an additional field of remaining energy   (). We can use   ([ − , ]) and   to update the estimate () at the end of the time interval. In order to balance the stability and the accuracy of the estimation results, we update the estimation () through iterations: where 0 <  ≤ 1 is the parameter that controls the preference between current and historic samples and 0 <  ≤ 1.

Trust Verification.
In smart environments, the network also has one or more malicious users that control a number of malicious colluders. All colluders may cooperate with each other and turn their partner into an inside faulty node. During the initial stage or under a random attack strategy, these malicious nodes do not immediately launch packet dropping behaviors, and they modify their transmission power to disguise themselves. Hence, the impact of the disguised nodes' misbehavior is indirect on packet delivery from the perspective of the network, and a validation metric can be applied to distinguish malicious nodes with the voting-based scheme.
To keep consistency, we follow the assumption and variable definitions about GOR in [43]. Each node periodically broadcasts the location beacon with the location information to its one-hop neighbors. After receiving the beacon from node A, a neighbor B verifies the location information in terms of the received signal strength. RSS is given by the following [44]: where   is the node's transmission power in dBm and  is the path loss factor. Here,  0 is the path loss at the reference distance  0 and  is a random variable. However, if the RSS is susceptible, the above approach will lead to high false negatives against location-related attacks. Based on (4), the distance is estimated as   =   (1±), where  is the measurement error. To reduce the effect of the disguised nodes, node A requires collecting more RSS values from the information of its common neighbors. We denote H =  () ∧  () = { 1 ,  2 , . . .,   } as the intersection of A's neighbor set and B's neighbor set. A neighbor node   is selected by  to find the difference of the RSS value of the sender in  (e.g., node   ). Even though the transmission power may be modified, the difference      is found to be constant [45]: An attacker can launch a spoofing attack by sending forged location beacons to attract SNs to choose one of them as the next-hop. In this paper, the FAI management makes use of the RSS to verify SNs' location and to address the location-related attacks by offering nodes the location with possibility. Based on the collected RSS values, we can compute the values (   1 ,    2 , . . .,     ) for the set H whose size is , where     = (RSS  − RSS   )/10 = lg(   /  ). Then the following inequality can be provided to decide whether node  is marked as a successful validation: where    and   are the position announced in the received location beacon. If the inequality is satisfied, it means that node A with one neighbor   ∈ H can be marked as a successful validation, and We can obtain the ratio of successful validation of node A: Furthermore, we introduce the indirect impact metric to address issues of location-related attacks. In order to gain the trust of other nodes, some malicious sensors claim themselves as legitimate nodes but transmit beacon messages containing false location information to confuse other sensors. Each network node may obtain the verification information of its candidates indirectly received from its neighboring nodes. Additionally, the impact of these disguised nodes' misbehavior which pollutes the network system with bogus information is indirect on packet delivery from the perspective of the network. We get the expression of indirect impact metric of node A: where  1 + 2 = 1 and 0 <   < 1 which is the coefficient factor. The indirect impact metric of each node's one-hop neighbors can be calculated in terms of information in the beacon.
To reduce the bandwidth consumption caused by beacon exchange, it is not necessary to contain the neighbor information in the beacon unless the information is changed.
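The RSS-difference check described above can be sketched as follows. This is an added example, not code from the paper: the function names, the sample coordinates and the acceptance tolerance lg((1+ε)/(1−ε)) derived from the measurement error ε are assumptions, and the sample RSS values are constructed from a noise-free log-distance model.

```python
import math

def dist(p, q):
    """Euclidean distance between two (x, y) positions."""
    return math.hypot(p[0] - q[0], p[1] - q[1])

def log_distance_rss(tx_dbm, pl0_db, n, d, d0=1.0):
    """Noise-free log-distance path loss; used only to construct sample data."""
    return tx_dbm - pl0_db - 10.0 * n * math.log10(d / d0)

def measured_log_ratio(rss_b, rss_h, n):
    """(RSS_B - RSS_H) / (10 n) estimates lg(d_AH / d_AB).
    Transmission power and reference loss cancel in the difference, so a
    sender that changes its power does not change this value."""
    return (rss_b - rss_h) / (10.0 * n)

def witness_validates(claimed_a, pos_b, pos_h, rss_b, rss_h, n, eps):
    """True if the RSS difference seen by verifier B and witness H agrees with
    the position announced in A's beacon.
    Assumption: distances are known to within a factor (1 +/- eps), so the
    log ratio may deviate by at most lg((1 + eps) / (1 - eps))."""
    d_ab, d_ah = dist(claimed_a, pos_b), dist(claimed_a, pos_h)
    if d_ab <= 0 or d_ah <= 0 or not 0 <= eps < 1:
        return False
    expected = math.log10(d_ah / d_ab)
    tolerance = math.log10((1 + eps) / (1 - eps))
    return abs(measured_log_ratio(rss_b, rss_h, n) - expected) <= tolerance

def validation_ratio(claimed_a, pos_b, rss_b, witnesses, n, eps):
    """Fraction of common neighbours H whose report validates the beacon."""
    if not witnesses:
        return 0.0
    ok = sum(witness_validates(claimed_a, pos_b, pos_h, rss_b, rss_h, n, eps)
             for pos_h, rss_h in witnesses)
    return ok / len(witnesses)

def build_reports(true_a, tx_dbm, pos_b, witness_positions, n, pl0_db=40.0):
    """Construct the RSS values B and each witness would measure."""
    rss_b = log_distance_rss(tx_dbm, pl0_db, n, dist(true_a, pos_b))
    witnesses = [(h, log_distance_rss(tx_dbm, pl0_db, n, dist(true_a, h)))
                 for h in witness_positions]
    return rss_b, witnesses

# Constructed sample topology (metres); all values are illustrative.
N_EXP, EPS = 3.0, 0.1
TRUE_A, POS_B = (0.0, 0.0), (10.0, 0.0)
WITNESS_POS = [(0.0, 20.0), (-15.0, 5.0), (8.0, 8.0)]
FORGED_A = (30.0, 25.0)

def demo():
    # Honest beacon: announced position equals the true position.
    rss_b, wit = build_reports(TRUE_A, 0.0, POS_B, WITNESS_POS, N_EXP)
    honest = validation_ratio(TRUE_A, POS_B, rss_b, wit, N_EXP, EPS)
    # Forged beacon with modified transmission power (+6 dBm).
    rss_b, wit = build_reports(TRUE_A, 6.0, POS_B, WITNESS_POS, N_EXP)
    forged = validation_ratio(FORGED_A, POS_B, rss_b, wit, N_EXP, EPS)
    return honest, forged

if __name__ == "__main__":
    print(demo())
```

In the constructed forged case one of the three witnesses still validates because of its geometry, which is why the decision rests on the ratio over the common neighbor set rather than on a single report.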

Fault Activity Metric Based on Determining Node State.
Due to the uncertainty in the faulty impact, we model the direct impact and the indirect impact as random processes and allow the sensor nodes to collect empirical data for characterizing the process. In order to identify the faulty state of each node, we design an impact metric which enables each node to measure faulty impact for both its own faulty impact and its neighbors' faulty impact based on its knowledge of available one-hop neighbors. The total impact value for node  can be given by where  is the factor with 0 <  ≤ 1. Then we define the novel faulty state and FA metric as follows.
To determine the node-faulty state, we can use a heuristic approach to test whether the current node is experiencing "being faulty condition" in which the impact metric drops below a certain threshold. Any node whose impact metric is below the threshold can be regarded as a faulty node since we are unable to accomplish our objectives efficiently. We suppose that each node  updates   and   after each update period of  seconds and estimates the FA metric after each update calculation period of   ≫  seconds. Next, we define the FA which is the time that faulty nodes spend in each state per unit time. To facilitate observation, we illustrate an example of converting the impact value of a sensor node A (as shown in Figure 4) into the faulty state with  0 being 0.6 in Figure 5 and the value of fault activity in Figure 6. Once we obtain the estimation of FA, we can get the fault-statistical information for routing path selection and resource allocation.

Fault Activity Geographic Opportunistic Routing Algorithm
In this section, a geographic routing protocol on fault activity metric is presented, providing methods for sensors to choose the candidates based on impact caused by faulty behaviors. FA-GOR selects more forwarding candidates based on the routing metric of available next-hop forwarders. Before presenting our routing algorithm, we first discuss an intrinsic nature of WSNs that can support our idea: network connectivity. When sensors are distributed in area  randomly, the process that there are  sensors in an arbitrary area  is modeled according to Poisson distribution [40]: where  denotes node density, |  | is the cardinality of   , and  = |  |/. In order to describe the full connection probability   , we first calculate the probability  iso that no link exists between sensor  and other nodes: In terms of the isolation probability  iso , the full connection probability is given by the following [46]: Figure 7 shows that when  and  are set as proper values, the expected full connectivity can be achieved in a WSN.
We introduce the FAGOR algorithm to select the next relay node following the assigned priority in forwarder set  to relay the packets.Algorithm 1 depicts the pseudocode of FAGOR algorithm.
Our FAGOR could defend against a wide range of misbehaviors. For example, in Figure 8, as one candidate of node 's next-hops, node  lies about its location and associates with disguisers ( 4 - 7 ) as its colluders. The mutual neighbors of  and ,  1 - 7 , need to report their RSS values related to  to  and work based on majority voting.  could choose reference nodes from  () ∧  () to verify the validity of the voters. Node  sends the estimate value    about  4 - 7 to node  by (8). Node  calculates   to incorporate it into indirect value of node . Finally, node  is found to be in the faulty state during a period and could not be selected into the routing path.

Fault Activity Utility-Based Optimal Flow Control Approach
In this section, we present a leaky-hop model which explicitly takes account of faulty activities and then present fault activity-based utility optimal flow control (FA-UOFC) based on the leaky-hop model. One underlying assumption in the utility framework of rate control is that the same flow is present at all the hops along the route. In hostile environments, however, the data rate   of a given flow  becomes thinner along its path. Due to potential faulty behaviors on each node, not all data deliveries are successful. from hop , the correctly received data rate    at hop  is presented by For path   traversing multiple hops, the end-to-end packet success ratio for path   is given by is denoted as the subpath of   between source  and the intermediate node , and    is denoted as the subpath of   between the intermediate node  and the sink node of   . For subpath    of a data flow, the data delivery probability at leaky-hop  is given by    = ∏ (,)∈   (1 −   ). It can be seen that the data rate of a given flow becomes "thinner and thinner" at each hop along its routing path, and we call the flow traversing every potential misbehaving hop a leaky-hop flow. We define goodput    of flow  as the data rate received correctly at the sink [47]. Therefore, in the presence of misbehaving nodes,    =     . An example leaky-hop model is described in Figure 9. Flow 1 traverses along four leaky-hops:  1 ,  3 ,  4 , and  6 . Flow 2 traverses along three leaky-hops:  2 ,  3 , and  5 . The goodput of flow 1 at the destination is It can be seen that the data rate of a flow becomes lower and lower along multiple hops. For example, 1  1 . There may exist different data delivery probabilities at a leaky-hop for different data flows. The leaky-hop  3 for flow 1 and flow 2 has different data delivery probabilities: We call a potential faulty node on the routing path of flow  a leaky-hop for flow .
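The path from impact samples to goodput can be worked through as below. This is an added example, not code from the paper: it assumes FA is the fraction of update periods in which a node's impact metric is below the threshold (0.6, as in the Figure 5 example) and that a hop delivers with probability 1 − FA; the impact trace, per-hop values and source rates are constructed, and the hop labels h1 to h6 stand in for the leaky-hops of Figure 9.

```python
def faulty_states(impact_trace, threshold=0.6):
    """Map each impact sample to a faulty state: 1 if below the threshold."""
    return [1 if value < threshold else 0 for value in impact_trace]

def fault_activity(impact_trace, threshold=0.6):
    """Fraction of the observation window spent in the faulty state
    (assumed reading of 'time spent in the faulty state per unit time')."""
    if not impact_trace:
        raise ValueError("empty impact trace")
    states = faulty_states(impact_trace, threshold)
    return sum(states) / len(states)

def rate_profile(source_rate, hop_fa):
    """Correctly received rate after each leaky-hop along the path.
    hop_fa is the ordered list of per-hop fault activity values seen by
    this flow; each hop passes a fraction (1 - FA) of what it receives."""
    rates, rate = [], float(source_rate)
    for fa in hop_fa:
        if not 0.0 <= fa <= 1.0:
            raise ValueError("fault activity must lie in [0, 1]")
        rate *= (1.0 - fa)
        rates.append(rate)
    return rates

def delivery_probability(hop_fa):
    """End-to-end success ratio: product of (1 - FA) over the path."""
    profile = rate_profile(1.0, hop_fa)
    return profile[-1] if profile else 1.0

def goodput(source_rate, hop_fa):
    """Rate received correctly at the sink."""
    return source_rate * delivery_probability(hop_fa)

# Constructed impact trace for the shared hop h3, one sample per update period.
IMPACT_H3 = [0.9, 0.8, 0.55, 0.5, 0.7, 0.65, 0.4, 0.58, 0.75, 0.8]

# Constructed per-flow fault activity along each path. The shared hop h3
# carries a different value for each flow, as the leaky-hop model allows.
FLOW1_FA = {"h1": 0.1, "h3": 0.2, "h4": 0.0, "h6": 0.5}
FLOW2_FA = {"h2": 0.25, "h3": fault_activity(IMPACT_H3), "h5": 0.0}

def demo():
    g1 = goodput(100.0, list(FLOW1_FA.values()))   # source rate 100
    g2 = goodput(80.0, list(FLOW2_FA.values()))    # source rate 80
    return g1, g2

if __name__ == "__main__":
    print(faulty_states(IMPACT_H3), fault_activity(IMPACT_H3))
    print(rate_profile(100.0, list(FLOW1_FA.values())))
    print(demo())
```

With these constructed values the two flows start at different source rates yet reach the sink with the same goodput, which is the gap between rate fairness and actual-receive fairness that the model is built to expose.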
The resource allocation problem in WSNs gives rise to many new challenges. Among the many unique characteristics of WSNs, we focus on two constraints in our formulation. Due to the broadcast nature of the wireless medium, not all transmissions are successful and the transmitters contend with each other in the broadcast domain. To apply the constraint of contention regions, we use the contention set concept from [48]. The contention set Ω is denoted as the subset of links belonging to a contention region such that, at most, one link in Ω can transmit successfully in each time slot. Let Ω (,) be the contention link set of link (, ). If user  transmits over link (, ), other flows in the contention set Ω (,) cannot transmit packets simultaneously. Let  (,) be the capacity of link (, ). We incorporate the node-faulty activity statistics into the link capacity constraint generation. Due to leaky-hops along the routing path, the flow rate is potentially reduced at each of the receiving hops as packets are lost. The availability metric in Definition 2 means the fraction of time for which the immediate sensor delivers packets correctly. The stochastic capacity constraint on the total flow rate traversing a link (, ) is given by Another major point in WSNs is the energy constraint caused by the energy consumption of sensing, transmitting, receiving, and relaying data. Let   denote the initial amount of battery (energy) at node ,  ∈ .
We also incorporate the FA statistics into the energy constraint, in which the power consumption of each node  should not exceed the maximum allowed power generation  max  : where   =      , if flow  starts from sensor node ; otherwise,   = 0. For a prespecified lifetime,   , the maximum node power consumption  max  =   /(  −  idle ), where  and  idle are the duty cycle and energy consumed in the idle state per unit time.

FA-UOFC for Multiple Services.
For wireless sensor networks in a smart city, many different types of sensor are emerging to present numerous applications that exhibit different utility behaviors. Similar to [20], we observe that the operations of the data gathering involve both inelastic and elastic traffic. In order to support the multiple types of traffic, the flow control strategy should have the ability to allocate traffic rates properly in order to balance the performance for different applications. We will adopt the rate-control protocol, newly developed by Wang et al. [20], for handling elastic and inelastic traffic. When each source  transmits at rate   , it attains a utility   (  ). The utility function   (⋅) is assumed to be continuous, strictly increasing, and bounded in the interval [  ,   ]. We define a "pseudoutility"   (  ) as In order to provide a good performance balance for different applications in sensor networks, the flow control can be generalized to obtain new problem formulations, namely, utility optimal flow control (UOFC), which maximizes the sum pseudoutility under the contention constraint [41] and the energy constraint.
At the sink of flow , the correctly received data rate can be represented as     . The optimization problem introduced previously can be presented as a new formulation: Since the objective function   (⋅) is nonnegative, continuous, and strictly increasing (not concave), the "pseudoutility" ∫       1/  () must be a strictly increasing concave function. Therefore, with linear, separable, convex, and compact constraints, the optimization problem in (22) has a unique optimal solution.
In the following, we use the Lagrangian dual method and develop a rate-control algorithm. First, we form the Lagrangian as follows: where  = [ We use the gradient method to solve the above dual problem. The Lagrangian multipliers for the dual can be updated as follows at each iteration : where  > 0 is a small step size, and  + = max{0, }. Here,  (,) , (, ) ∈ , can be considered the price for using the resource of contention set Ω (,) . Similarly,  () ,  ∈ , can be interpreted as the price for using energy at sensor node . Given these two prices, each flow ,  ∈ , adopts its rate according to where []   = min(max(, ), ),  −1  is the inverse of   s , and ( 27) can be replaced as follows: ) , where   () = ∑ (,)∈()  (,) () + (  +   ) ∑ ∈()   () + (  +   )  (). Hence, we propose Algorithm 2 based on the problem formulation of fault activity-based utility optimal control. Our algorithm can be carried out in a distributed manner by message exchange in the network, as shown in Figure 10. To implement our scheme, no node in the network needs to know global information or the individual variables of the algorithm. The information needs to be updated by the receiving node and to be sent via piggybacking.
First, each sensor node estimates and updates the resource price locally, the fault activity information of its neighbors, and its own fault activity information; then we apply two additional header fields, mean field and price field, to both data packets and control packets. When a new packet arrives, the updated FAI is multiplied together and the local prices are added to the price of the packets that arrive from the upstream node. When the packet arrives at the sink, values of the two fields will be fed back to the source node by the acknowledgement packet.
Second, when the packet arrives at the sink, the aggregated FAI and resource prices will be piggybacked to the source node in the acknowledgement packet.
Third, each node can construct its local contention set by exchanging information from neighbors instead of knowing the entire network topology.
Hence, the total number of additional exchange operations is within (), where  is the number of source   routing paths and  is the number of network's links. The proposed fault activity utility optimal flow control algorithm is practical and realizable in WSNs.

Utility Fairness.
The goal of our rate-control approach is to be able to maintain an acceptable level of service degradation, including effective network throughput and fairness, in the presence of misbehaving nodes. In this section, we establish the existence and uniqueness of a utility fair solution with the presence of misbehaving nodes and define a novel index, utility fairness index, which quantitatively measures the degree of utility fairness in distributed systems.
Considering the performance of different services, the utility OFC (UOFC) with the resource constraints in WSNs allocates flow rates of different applications according to their utility requirements, and, what is more, the optimization approach yields utility fairness [20]. In WSNs without faulty nodes, the set of goodput rate vector  for each flow  that satisfies the resource constraints in problem (22) with    = 1 for  ∈  is called the rate region (, , 1). In hostile environments, the set of goodput vector   that follows from problem (22) with   ̸ = 1 is denoted as (, , ). It is clear that    ≤ 1 and that (, , ) ⊆ (, , 1). When the rate-control Algorithm 2 with   = 0 leads to equilibrium ( * ,  * ,  * ) at convergence, the pseudoutility function () is maximized within the feasible solution.
Here we can employ both a utility proportional fairness as described in [20] and utility max-min fairness proposed in [48]. For any other feasible allocation is utility proportionally fair. () is the strictly concave function; the strict inequality holds and meets the utility proportional fairness definition. Therefore, the source rate allocation in Algorithm 2 with   = 1 is utility proportionally fair. To achieve utility max-min fairness, we give a new distributive flow control algorithm. If the aggregate price of Algorithm 2 is replaced with   () = max{max (,)∈()  (,) (), max ∈()   ()}, which is the maximum of the contention prices and the energy prices along the path, the updated algorithm could provide a utility max-min fair allocation among all data flows.

Utility Fairness of 𝑋(𝑐, 𝑠, 𝛾).
We relate the arguments on utility OFC based on the leaky-hop model to a case without leaky-hop by proving a continuity property of fair allocation as   approaches 1. Let the ratio of node-faulty activities drop to zero: lim →∞ min (,)∈     = 1. Then the rate regions in WSNs containing faulty nodes converge to the rate regions in the corresponding WSNs without faulty nodes, and the utility fair solution converges to the corresponding utility fair solution without faulty nodes [47].
In the homogeneous traffic context, Jain et al. [49] propose a quantitative measure called Index of Fairness to tell how far the resource allocation is from equality. Considering the QoS requirements of different applications, it may be undesirable to allocate resources simply according to conventional measurements such as Index of Fairness [49]. Hence, we define a novel index, index of utility fairness (), which measures the utility fairness of various applications and addresses their utility requirements: where    is the goodput of flows and || is the number of flows in WSNs. This index measures the "equality" of user utility allocation. If all sources get the same amount of utility, that is, if (   ) are all equal, then the utility fairness index is 1. As the disparity increases, the utility fairness decreases and is near 0 as only a selected few users will be favored. A higher value of (⋅) means a higher degree of utility fairness.
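The leaky-hop goodput model and the utility fairness index described above, as an added example (not the paper's Algorithm 2 or its simulator code). Assumptions: the index takes Jain's form applied to utilities of goodput, since the formula itself is missing from this copy; the utility shapes follow the simulation setup; the fault activity values, the single shared bottleneck, and the bisection search for a common utility level are constructed simplifications.

```python
import math

X_MAX = 10.0  # maximum source rate, matching the page's simulation setup


# Utility shapes as read from the page's simulation setup (the symbols are
# garbled in this copy, so the exact forms are assumptions).
def u_sigmoid(x):
    return 1.0 / (1.0 + math.exp(-2.0 * (x - 6.0)))  # inelastic service

def u_log(x):
    return math.log(x + 1.0) / math.log(11.0)  # elastic service

def u_linear(x):
    return 0.1 * x


def delivery_probability(fault_activity):
    """End-to-end delivery probability: product of (1 - p) over leaky hops."""
    gamma = 1.0
    for p in fault_activity:
        if not 0.0 <= p < 1.0:
            raise ValueError("fault activity must lie in [0, 1)")
        gamma *= 1.0 - p
    return gamma

def goodput(rate, fault_activity):
    """Rate received correctly at the sink after every leaky hop."""
    return rate * delivery_probability(fault_activity)

def utility_fairness_index(utilities):
    """Assumed Jain-style index over utilities: (sum u)^2 / (n * sum u^2)."""
    squares = sum(u * u for u in utilities)
    if not utilities or squares == 0.0:
        raise ValueError("need at least one non-zero utility")
    return sum(utilities) ** 2 / (len(utilities) * squares)

def inverse(utility, target, lo=0.0, hi=X_MAX, iters=60):
    """Bisection inverse of a strictly increasing utility on [lo, hi]."""
    if target <= utility(lo):
        return lo
    if target >= utility(hi):
        return hi
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if utility(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def allocate(flows, capacity, fault_aware, iters=60):
    """Largest common utility level whose source rates fit the bottleneck.

    fault_aware=True equalises the utility of goodput, so each source
    injects U^-1(level) / gamma to compensate for its leaky hops.
    fault_aware=False equalises the utility of the injected rate and
    ignores the leaks, like a flow controller unaware of faulty nodes.
    """
    def source_rates(level):
        rates = []
        for utility, faults in flows:
            x = inverse(utility, level)
            if fault_aware:
                x /= delivery_probability(faults)
            rates.append(x)
        return rates

    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        rates = source_rates(mid)
        if sum(rates) <= capacity and max(rates) <= X_MAX:
            lo = mid
        else:
            hi = mid
    return source_rates(lo)

def goodput_utilities(flows, rates):
    return [u(goodput(x, f)) for (u, f), x in zip(flows, rates)]


# Constructed sample: (utility, per-hop fault activity along the path).
FLOWS = [(u_sigmoid, [0.05, 0.10]), (u_log, [0.30, 0.20]), (u_linear, [0.10])]
CAPACITY = 12.0  # constructed shared-bottleneck capacity, same unit as rates

if __name__ == "__main__":
    for label, aware in (("fault-unaware", False), ("fault-aware", True)):
        utils = goodput_utilities(FLOWS, allocate(FLOWS, CAPACITY, aware))
        print(label, [round(u, 3) for u in utils],
              "index =", round(utility_fairness_index(utils), 3))
```

Raising the fault activity on one path shows the fault-unaware index falling while the fault-aware allocation trades a lower common utility level for an index that stays at 1.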

Performance Evaluations
In this section, we conduct simulation experiments to evaluate the performance of the proposed FAGOR protocol and FA-UOFC scheme when misbehaving nodes exist in the network. We first describe the simulation setup and then compare the simulation results with GPSR [12], DWSIGF [13], QGOR [14], and our proposed FAGOR protocol in a variety of experiments. Next, we illustrate the advantage of the FA-UOFC over the traditional OFC approach without considering misbehavior of faulty nodes. Finally, we show the effectiveness of our proposed FAGOR protocol combined with our FA-UOFC algorithm for WSNs in adversarial environments, and we simulate the fairness of our proposed scheme in terms of utility fairness index and the convergence discussed in Section 6.3.1.
The extensive simulations have been conducted in OPNET and a C++ simulator. The OPNET simulator is designed for network design and performance testing. It is further enhanced to support wireless sensor networks in city environments. In the original OPNET, the calculation of received power only considers the propagation model of free space. In the urban communication environment, the wireless channel is affected by the diffraction of signals by various buildings and trees. A Rician model is used as a channel fading model to illustrate effects due to buildings, obstacles, and trees in the city. We incorporate the Rician distribution into the receiver power module in OPNET in accordance with the radio wave propagation model in practical scenarios.
We consider static WSNs for a smart city. Therefore, mobility is not considered in experiments. As shown in Figure 11, 100 to 400 wireless sensors, which include both misbehaving sensors and well-behaved sensors, are randomly deployed in an area of 1000 m × 1000 m. The percentage of misbehaving nodes among all the nodes, which is a simulation parameter, is varied from 0 to 0.4 in different experiments. Each sensor has IEEE 802.15.4 based technology. The sources send data to 10 sinks which have sufficient power. The initial power of each sensor is set to 9 mW. The parameters for energy consumption are set to   = 150 nJ/bit,   = 158 nJ/bit, and   = 100 nJ/bit, respectively [50]. Each simulation runs 3000 iterations, and the default simulation parameters are listed in Table 1.

The Effectiveness of FAGOR.
In this section, we show how our FAGOR protocol can provide effective routing with the existence of an arbitrary number of misbehaving nodes. The proposed FAGOR protocol is benchmarked against three other routing protocols: (1) DWSIGF, (2) GPSR, and (3) QGOR (a QoS-aware GOR which provides routing service based on the end-to-end QoS metric [22]). The following two metrics are used to compare the performance of the protocols:
(i) PDR (packet delivery ratio): the ratio of the total number of data packets received by the sink to the total number of data packets sent by the source
(ii) End-to-end delay: the time interval for the data packet to be transmitted from the source node to the sink
We simulate Sybil attacks with 4 Sybil nodes which perform random attacks with a configurable probability. The Sybil nodes create more virtual locations by altering their transmission power, which is similar to location spoofing attackers. We model randomly distributed misbehaving nodes such as black holes, gray holes, and nodes in jamming regions which drop data packets with variable probability. The routing protocol is simulated under attacks with varied probabilities to evaluate performance under various misbehaviors.
First we show the effectiveness of FAGOR under a varied number of misbehaving nodes. Figure 12(a) reports the packet delivery ratio of FAGOR in comparison with the other three routing protocols. We have the following observations: (a) the PDR of FAGOR is consistently higher than GPSR and DWSIGF with the existence of a varied number of misbehaving nodes, and (b) the PDR of FAGOR declines more slowly than GPSR and DWSIGF as the percentage of misbehaving nodes increases. The reason is that the misbehaving nodes are more likely to be chosen as the next-hop nodes in GPSR and DWSIGF, while FAGOR incorporates faulty impacts for choosing more reliable candidates to set up the routing paths.
The PDR in QGOR is higher than in other routing protocols except FAGOR. This can be explained as follows. QGOR also selects more reliable relays according to the QoS priority of neighboring nodes. However, without the ability to identify location-related attacks, QGOR may select a Sybil node as the next-hop relay. Our FAGOR gives low reliability values to Sybil nodes based on majority voting and to other misbehaving nodes based on direct-impact values. In terms of the compound of reliability value by the proposed FA metric, FAGOR transmits packets with faulty hops, and the impact of misbehaviors on the network performance is stable.
As the number of misbehaving nodes increases, the end-to-end delay of GPSR and DWSIGF plotted in Figure 12(b) decreases. For hostile sensor networks, misbehaving nodes in the routing path would cause links to break. The decline of the end-to-end delay means that only the data packets from the nodes that are closer to the sink can be successfully delivered to the sink in GPSR and DWSIGF, while it is hard to successfully transmit the data packets to a distant destination with more hops. However, FAGOR and QGOR encourage suboptimal candidates to collaboratively relay data packets, which raises the delay of such packets. As the number of misbehaving nodes increases, FAGOR and QGOR spend more time maintaining uninterrupted communication, and higher end-to-end delays consequently result. Furthermore, FAGOR gets a lower end-to-end delay than QGOR because of the existence of Sybil nodes among misbehaving nodes. Since the reliability of neighbors is unknown at the beginning, FAGOR uses majority voting to decrease the probability of location attacks. Compared to QGOR, which operates without identifying location attacks, FAGOR mitigates Sybil attacks in advance and saves the network delay time.
We further study the effect of  0 on the performance of FAGOR. The packet delivery ratio under varied values of  0 is shown in Figure 13(a). In this simulation, we find that underestimating the parameter  0 will lead to imprecise next-hop choosing results and will affect the performance of FAGOR. On the other hand, overestimating  0 as shown in Figure 13(b) may make the routing algorithm yield fewer feasible next-hops, lead to repeated candidate discovery, and result in higher delay. This result illustrates that there is a tradeoff between the PDR and time delay and that choosing a proper value of  0 gives better performance of FAGOR.
Figure 14 compares the performance of four protocols for different network sizes by increasing the number of nodes from 100 to 400. Compared with GPSR and DWSIGF, our FAGOR improves the delivery ratio by approximately 40% and keeps stable with the different random topologies.
In order to evaluate the effect of the number of candidates on the performance of FAGOR, we consider network scenarios with different numbers of misbehaving nodes. From Figure 15(a), we see that PDR increases and the gap of PDR between  0 = 0.1,  0 = 0.4, and  0 = 0.7 gets smaller as the number of candidates increases. Thus more candidates in FAGOR can relieve the performance degradation under more misbehaving nodes. Figure 15(b) shows that the transmission delay decreases when  = 1. This is because, in FAGOR, when packet dropping ratio is high, there will be fewer hop counts which means that the data delivery would not last long. As the number of candidates increases, transmission time delay when  0 = 0.1 increases faster than when  0 > 0.1 due to a long one-hop delay in the presence of more misbehaving nodes. The simulation results show that there is a trade-off between the time delay and robustness in the selection of the number of candidates.
One object of FAGOR is to ensure the ability to operate effectively under dynamic misbehaving networks. In our simulation study, we set up a configurable probability of misbehaving nodes which behave well at the beginning of the experiment. They change to misbehaving nodes at random points of time. In Figure 16, we show the PDR performance of four protocols with a varied percentage of behavior-changing nodes. The following observations can be obtained from these figures. First, the packet delivery ratio of FAGOR is consistently higher than that of the other three protocols with different percentages of changing misbehaving nodes. Second, since FAGOR selects faulty nodes in the routing path, the impact of misbehaviors on the network performance is stable.

The Effectiveness of FA-UOFC.
In this subsection, we use numerical examples to illustrate the advantage of FA-UOFC algorithm over the OFC with same resource constraints. In the simulation, the sensor nodes turn to misbehaving nodes with probability 0.35. The network topology for one sink is depicted in Figure 17. We assume a link capacity of 4 kbps and a maximum node power consumption of 4 mW. In smart cities, there are various types of sensors embedded in networks to support multiple services with different QoS requirements. Therefore, we set utility functions consisting of elastic and inelastic traffic. The utility function of each source node is given as  1 ( 1 ) = 1/(1 +  −2( 1 −6) ),  2 ( 2 ) = log( 2 + 1)/ log 11,  3 ( 3 ) = 0.1 3 ,  4 ( 4 ) = 1/(1+ −2( 4 +4) ). All the sources have their maximum rates at 10 Mbps.
We compare the effectiveness of two flow control strategies: (1) NE-OFC (OFC with noneffective utility functions and constraints); (2) FA-UOFC (our improved OFC approach). The NE-OFC approach, subject to contention and energy constraints for WSNs, uses utility functions of the allocated flow rate without considering the faulty impact caused by misbehaving nodes. Figure 18 shows the comparison of the goodput for each flow at sink between our proposed FA-UOFC and NE-OFC. The proposed FA-UOFC can be seen to have achieved higher performance in terms of effective throughput compared to the conventional flow control method. Obviously this is due to the introduction of the faulty activity metric. The source adjusts its flow rate on its route adaptively to compensate for data loss in our FA-UOFC algorithm, which takes into account the effect of misbehaving nodes in utility function and constraints.
According to Section 6,  is denoted as the injection rate at the source node and   is denoted as the goodput at the sink. Figure 19 verifies that the rate-control algorithm in NE-OFC converges and is able to provide utility proportional fairness (we use the sum of contention price and energy price) among four source nodes according to the utilities of  on the source nodes. Without considering faulty nodes, the source algorithm controls the flow rates to provide a utility fair resource allocation in which  1 achieves a utility  1 ( 1 ) = 1 and  2 ,  3 , and  4 then share the remaining network resources with an equal utility of 0.52.
In fact, the goodputs of four flows cannot maintain the utility fairness at their sink nodes after traveling along the leaky-hops. The utilities of goodputs for four flows in the NE-OFC approach and FA-UOFC approach are shown in Figure 20. It can be seen that FA-UOFC yields higher utilities of goodput for four flows than NE-OFC. In Figure 19, three flows share a fair utility allocation that  2 ( 2 ) is equal to  3 ( 3 ) and  4 ( 4 ). However, the utility fairness is broken due to different faulty effects on three paths consisting of misbehaving nodes.  3 (  3 ) and  4 (  4 ) of goodputs at the sinks both from NE-OFC and FA-UOFC in Figure 20 are lower than those of rates at the source nodes in Figure 19. Meanwhile,  2 (  2 ) of goodput from FA-UOFC increases, yet  2 (  2 ) from NE-OFC decreases. We calculate two indexes of utility fairness, 0.7 and 0.86, according to (29) for NE-OFC and FA-UOFC, respectively. It demonstrates that better utility fairness is attained among flows by FA-UOFC. Our proposed algorithm effectively adjusts the resource allocation by explicitly taking into account the faulty effects in utility functions and constraints. Clearly, the network performance under misbehaving nodes is improved by our proposed FA-UOFC algorithm through both better utility fairness and higher effective throughput.

The FAGOR Protocol Combined with FA-UOFC Algorithm.
In the following, we investigate the performance of our proposed FAGOR protocol combined with FA-UOFC algorithm for WSNs in adversarial environments. The proposed FAGOR + FA-UOFC scheme is benchmarked against the scheme with only FAGOR which does not employ any optimal flow control algorithm. Figures 21 and 22 plot the goodputs and the goodputs' utilities obtained by FAGOR and FAGOR + FA-UOFC while increasing the percentage of misbehaving nodes in the network from 5% to 40%. Clearly, our proposed method significantly outperforms FAGOR in terms of the goodputs and goodputs' utilities obtainable under a varied percentage of misbehaving nodes. The benefit of our proposed method over FAGOR increases as the number of misbehaving nodes increases. The result demonstrates that the FA-UOFC complements secure routing and alleviates the performance degradation caused by the misbehaving nodes along the routing paths. We also take a closer look at Flow 2 and Flow 3 in Figure 22. As the number of the misbehaving nodes increases, the goodputs' utilities of Flow 2 and Flow 3 in our scheme increase, whereas they decrease in FAGOR. Accordingly, our scheme achieves higher goodputs' utilities for Flow 2 and Flow 3 than FAGOR. This is due to the source nodes in our scheme, which are able to compensate for faulty nodes in the allocation of traffic based on the real performance requirements of services and which can achieve utility fairness among the goodputs.
To demonstrate the fairness of FAGOR and FAGOR + FA-UOFC, we point to the variation of () in (29). With various values for the percentage of misbehaving nodes  1 and the probability of dropping packets  2 in Figure 23, our proposed scheme can be seen to achieve a higher degree of utility fairness in terms of utility fairness index () for goodput than the FAGOR scheme. This is because our proposed scheme explicitly takes into account the loss feature of faulty nodes and embodies the utility fairness objectives in the utility function that are concerned with the goodputs.
For a sequence of networks with decreasing impact with misbehaving nodes, we can see in Figure 23 that the utility fairness index converges to 0.92. As discussed in Section 6, the rate allocation and utility fairness in our scheme converge to those of the corresponding lossless networks when the ratios of nodes' faulty activities drop to zero.

Figure 2: The delivery framework for multiple services based on the fault activity information.

Figure 3: Utility of elastic and inelastic services.

Definition 2. The FA for node-faulty state denoted by   is the fraction of time during period [ −   , ] for which the node  is in the state Λ  , that is,   = (/  ) ∫  −  Λ  ().

Figure 4: Impact value of a sensor node.

Figure 9: An example network with leaky-hop flows.

Figure 12: Packet delivery ratio and end-to-end delay versus percentage of misbehaving nodes.

7.2. The Effectiveness of FA-UOFC. In this subsection, we use numerical examples to illustrate the advantage of FA-UOFC

Figure 13: Packet delivery ratio and end-to-end delay with different values of  0 .

Figure 17: The network topology for one sink.

Figure 19: Utility of flow rate at source in NE-OFC.
As either the node   or the chosen neighbor node   may use forged information of this distance value,      or Wireless Communications and Mobile Computing 7     are used to replace the value of      and     .We can get the inequality from (5): lg        ) for other nodes in set H. In this round, two disguised nodes   and   are identified with   , provided that With node 's neighbor nodes as reference nodes, each   belonging to  can be identified using this method.During the time period [ − , ], there are   ([ − , ]) disguised nodes that are faked by actually one node in a round and    ([ − , ]) rounds of the entire    ([ − , ]) rounds in the calculation.The estimate value    () of the possible disguiser   can be obtained by (15)ive the data packet;(12)check the sender ID and start a timer and time() = /metric  , where  is a constant; (13) end for(14)if node  which obtains the highest priority receives the data packet correctly then(15)reply an ACK to notify the sender as well as other candidates