ETARP : An Energy Efficient Trust-Aware Routing Protocol for Wireless Sensor Networks

Copyright & reuse City University London has developed City Research Online so that its users may access the research outputs of City University London's staff. Copyright © and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders. All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages.


Introduction
Ad hoc networks are self-configuring wireless networks of mobile devices without a fixed infrastructure, and wireless sensor networks (WSNs) are a type of ad hoc networks consisting of wirelessly interconnected sensor nodes.Sensor nodes may have functions including sensing, data relaying, and data exchanging with other networks outside the WSN [1].WSNs may range in size from a few to hundreds of thousands of nodes.
While WSNs are useful for a wide variety of applications, this paper is focused on applications operating in extreme environments such as the battlefield where the risk of harm prohibits any manual engineering work.Various WSN applications can be deployed in the battlefield.For soldier detection and tracking (SDT), unattended acoustic and seismic sensors are deployed at specific points to detect the approach of enemy soldiers in order to protect military sites or buildings [2].Sensors can detect typical sounds made by soldier activities, for example, walking, crawling, weapon handling, and talking, at a distance.Another example of interest here is littoral antisubmarine warfare (ASW) that utilizes small and low cost sensors equipped with passive or active sonar, which can be deployed in large numbers (hundreds or thousands) to provide a high density sensor field to detect enemy submarines [3].These sensors have a short detection range and are far less susceptible to multipath reverberations and other acoustic artifacts.
There are many other WSN applications that share certain features with these two examples.First, nodes are usually deployed without careful preplanning (e.g., airdrop deployment) since the battlefield is a dangerous zone, and sending engineers to carry out precise deployment is not preferable.Thus network topology is not known a priori and will likely change over time due to exterior forces (e.g., explosions and movements).The networks are ad hoc by necessity in these environments.
Second, the nodes in the applications of interest are often physically unreachable after deployment.Consequently, replacement of the energy source (typically battery) is difficult or impossible.In order for the network to operate as long as possible, nodes may be capable of harvesting energy, and network routing protocols should select routes to minimize energy cost.
Third, the network faces the risk of attacks to interfere with operations, such as selective forwarding, wormhole 2 Journal of Sensors attacks, sinkhole attacks, and Sybil attacks [4].Nodes may become compromised which could be very difficult to detect.It is commonly assumed that compromised nodes may exhibit suspicious behavior, which is monitored and factored into a reputation system that calculates a reputation for every node and adapts route selections to avoid nodes with low reputations.Moreover, suspected nodes are prevented from participating in the routing protocol.
While routing protocols have been proposed for energy efficiency or security separately, the new routing protocol proposed here balances the two objectives simultaneously by means of utility theory.To the best of our knowledge, this is an original approach for WSN routing protocols.An essential component of the routing protocol is a new method to estimate energy consumption for packet forwarding.Another essential element is a Bayesian network to judge the probability of each node being compromised (or introduce a reputation or trust).
The contributions of this paper are as follows.First, a novel energy efficient routing protocol is proposed which aims to minimize energy consumption for data transmission.The second contribution is the novel use of utility theory to simultaneously consider two factors: energy efficiency and trustworthiness of nodes.Third, a Bayesian network is used to estimate the trustworthiness of nodes which is a different approach from previous literature.
Section 2 is a review of related work.In Section 3, the central concepts in the new Energy Efficient Trust-Aware Routing Protocol (ETARP) are presented.The methods to estimate energy consumption and risk of node compromise are explained.Performance evaluation in terms of simulation results is presented in Section 4. Section 5 concludes the paper.

Related Work
Many routing protocols have been proposed for WSNs; for instance, see a good survey by Royer and Toh [5].These traditional routing options for WSNs include the data centric approach such as Directed Diffusion and reactive approach such as Dynamic Source Routing (DSR).Particularly, a reactive approach called Ad Hoc On-Demand Distance Vector (AODV) routing has been a popular candidate due to advantages in coping with the ad hoc nature of some WSNs as AODV does not require knowledge of the global network topology.
Some efforts have been made to improve the energy efficiency of the routing protocol itself.For example, the routing method described in [6] attempted to minimize the energy consumed for routing data packets, but the drawback is that location information is required.In [7], the author provides a simple, scalable, and efficient solution for minimum cost routing in WSNs.In fact, the term "minimum cost" refers to maximum network lifetime, achieved by choosing the route with maximum energy reserve which is not exactly the same as a route with minimum energy cost.Another approach of minimum cost message delivery was studied in [8].This approach sought the minimum cost path from any given source to a specific sink in sensor networks.This approach may not be suitable for some WSN applications because the sink (or destination node) is assumed to be fixed.

Energy Harvesting Aware Routing Protocols.
Another research direction considers renewable energy from an external energy source.Renewable energy can be harvested from the surrounding environment by various means such as solar, wind, thermal, or motion [9].Solar power is well suited to WSNs because not only sunlight is easy to access but also solar panels can be made small enough to be mounted on wireless sensor nodes.
A notable routing algorithm that is energy harvesting aware is the Distributed Energy Harvesting Aware Routing Algorithm (DEHAR) [10], which defines a new metric of "energy distance" (including energy harvesting) for selecting the best route.By this metric, DEHAR aims to find the route with minimum total energy distance rather than spatial distance.But DEHAR calculates the shortest energy distance by using a method such as directed diffusion, a flooding mechanism incurring extra routing overhead.In contrast, ETARP proposed here avoids extra overhead in route discovery (compared to AODV).OR-AHaD (Opportunistic Routing algorithm with Adaptive Harvesting-aware Duty Cycling) proposed in [11] is designed with energy management capabilities that consider variations in the availability of the environmental energy.OR-AHaD can adjust the duty cycle of each node adaptively in order to exploit the available energy resources efficiently in comparison to other opportunistic routing protocols.But geographical information is required, which is not well suited to the applications of interest here.

Secure Routing Protocols.
Security challenges in WSNs are similar to those in mobile ad hoc networks identified in [12,13], and some existing routing protocols such as TinySec [14], Spins [15], TinyPK [16], and TinyECC [17] attempt to eliminate unauthorized behavior of malicious sensor nodes with the help of encryption or authentication on data packets.However, these solutions may be difficult for WSNs.For instance, data encryption is applicable for mobile ad hoc networks but generally not practical for WSNs because sensors have limited data processing capabilities and energy storage.
In addition to cryptographic solutions, routing algorithms that employ notions of trust and reputation have been proposed, such as trust-based on-demand multipath routing (AOTDV) [18] and light-weight trust-based routing protocol (LTB-AODV) [19].They passively observe forwarded data traffic and then calculate the risk level of different routes in terms of "trust values." The routing algorithm then chooses the most trusted route.Compared to ETARP, the reputation system used in AOTDV or LTB-AODV watches for a single specific behavior only, not like the Bayesian network adopted in ETARP.ETARP monitors multiple node behaviors and makes comprehensive judgments on node status.Furthermore, AOTDV or LTB-AODV focuses only on security with no special attention given to energy efficiency concerns.

Routing Protocols including Energy Harvesting and Security.
There are a few papers starting to consider security and energy efficiency at the same time.For instance, Ferng and Rachmarini [20] proposed a secure routing protocol for WSNs considering energy efficiency, but compared to ETARP, it has a disadvantage requiring information about node locations to improve energy efficiency.Furthermore, it depends on encryption which can be a heavy computation cost for sensor nodes.LS-LEACH [21] is another energy aware routing protocol, based on the LEACH (Low-Energy Adaptive Clustering Hierarchy) protocol, that depends on cryptographic authentication.The scheme generates extra overhead compared to ETARP.

ETARP Routing
This section describes the ETARP routing protocol designed for the WSN applications mentioned in Section 1.The routing protocol aims to simultaneously consider energy efficiency and security to avoid routes that are inefficient and risky.In order to simplify the description, we assume for the moment a "normal" condition absent of attacks in the network.In this case, ETARP works to discover and select the most energy efficient routes.In the next section, attacks on the network will be taken into account to show how ETARP factors trustworthiness of nodes into the route selection.Because energy efficiency and security are two different problems, ETARP takes a novel approach of factoring both using the notion of expected utility.
A basic example to demonstrate the idea of ETARP is shown in Figure 1.After the enemy appears in the WSN covered region, their activity can be detected by a nearby sensor node (e.g., acoustic or seismic sensor) which will send warning information back to the data collection point.Usually this process cannot be accomplished in a single hop transmission; ETARP serves to find the most energy efficient multihop route while simultaneously avoiding any (perceived) compromised nodes.The status of nodes is estimated by a Bayesian network that collects data about observed node behaviors and calculates the probability that each node is compromised or not.

Energy Efficiency Routing in Absence of Attacks.
For the moment, attacks on the network are ignored to present how ETARP operates to discover and select energy efficient routes.Previous studies have found that the ad hoc nature of the network dictates an on-demand routing protocol such as AODV.However, AODV aims to minimize hop count without consideration of energy costs.ETARP is based on AODV but adds awareness of transmission energy costs.
The route discovery by ETARP operates similarly to AODV except for a different format of the routing messages: route requests (RREQs), route replies (RREPs), and so on.The format of the RREQ message in the original AODV is shown in Table 1 [22].In ETARP, the field "hop count" is replaced with "energy count." "Energy count" here implies the prediction of average transmission energy to successfully deliver a data packet from the originator node to the node  handling the request.The predictions are defined in (1)- (5) later in this section.
The same change applies to the RREP message as well.The field "hop count" in the original AODV RREP message is replaced with "energy count" in the ETARP RREP message.Again "energy count" refers to the predicted average transmission cost to successfully deliver a data packet from the originator node to the destination node.
Since ETARP uses the same basic messages (RREQ, RREP, etc.) as AODV, it does not incur more overhead compared to the original AODV.The next question is how to define energy consumption.
On any chosen th route with total number of   nodes, the expected total transmission cost   in terms of energy can be calculated as where   is the estimated transmission cost from the th node on this route to its next hop (1 ≤  ≤   − 1).
Transmission cost depends on successful delivery of a packet possibly after a number of reattempts.To be more specific, transmission cost has the form where   is the predicted average number of retries after a packet is successfully transmitted from node  to its next hop node  + 1;   is the minimum required radio transmission power level at node  to successfully deliver a data packet to the next hop;   is the processing power at node  (consumed by circuits for the preparation of radio transmission including coding and modulation);   is the receiving power at next hop  + 1 (consumed for receiving data including demodulation and decoding); and  is the transmission time needed for each transmission attempt.At least some of the nodes are assumed to be capable of harvesting solar energy.The harvested energy is considered free and accounted in   as where  is the maximum output power of the photovoltaic power generator and   is a random number in the range [0, 1] if node  is capable of energy harvesting or   = 0 if node  is not capable of energy harvesting.As mentioned in Section 1, solar cells are more suitable to be mounted on sensor nodes considering the size (e.g., wind driven generator is too bulky) or energy source accessibility (e.g., motion power is hard to access since nodes operate in severe environment where human activity is rare).
For nodes with energy harvesting,   =   / where   is the active power level of the photovoltaic power generator.For a photovoltaic power generator [23], its active power is assumed to follow a -distribution given by the probability density function: where  and  are the shape parameters of the distribution and Γ is the gamma function.Beta distributions are fit to the past record of sunlight data using the algorithm that minimizes the KS statistic [24], and its shape parameters  and  depend on the specific geographic location where sunlight data are recorded.This assumption is also based on the past recorded sunlight data and statistical correlation analysis of solar radiance and consumer load.
In order to successfully transmit a packet from node  to the next node, the expected average number of retries   can be calculated as where   is the probability of the packet not being delivered (or outage probability) from node  to node  + 1 on any attempt [25].Previous studies have shown that   can be expressed as a function of   [26].
After ETARP discovers a number of possible routes, say with energy costs { 1 ,  2 , . . .,   }, it selects the route with the minimum energy cost.

Energy Efficient and Secure Routing in Presence of Attacks.
The previous section dealt with the simple case of energy efficient routing assuming normal conditions without attacks on the network.The possibility of attacks adds complications because nodes can become compromised and interfere with packet forwarding.
Our approach to add security awareness into ETARP relies on the concept of "expected utility" from utility theory.Either transmission energy or risk of untrusted nodes will diminish the expected utility of a route.ETARP seeks routes with high expected utility which will be both energy efficient and trusted.
In practical operation, ETARP requires changes in the format of control messages described earlier in Section 3.1.For instance, the "energy count" field in RREQ messages is replaced with "expected utility count" which here means the expected utility of the route from the originator node to the node handling the request.Similarly for the RREP message, the field "energy count" is replaced with "expected utility count" where expected utility count refers to the expected utility of the route from the originator node to the destination node.

Definition of Utility.
Utility is a quite general concept known from microeconomics.In economics, utility is used to reflect a level of satisfaction of consumers when they purchase goods from a market.Usually the difficulty is how to exactly measure utility.Modern definitions of utility intend it to qualitatively reflect "consumer preferences".The goal is not to determine the exact value of utility, which is problematic, but to determine whether a choice of a particular good or product has a higher utility compared to others [27].
In WSNs, the utility or preference designated for a route is related to both energy cost and security level (trustworthiness).Consider a specific route consisting of  nodes ( − 1 hops).Considering only energy on any specific hop, say the th hop, the utility function is inversely proportional to the predicted transmission cost on this hop.Less energy consumption means a longer lifetime that is more "preferable" for the sensor nodes and therefore a higher utility.Then the utility function of the th hop, denoted by   , satisfies   ∝ 1/  , where   is the estimation of transmission cost from the th node on this route to its next hop (1 ≤  ≤  − 1).
The transmission on each hop takes place successively over time, starting from the source node and ending at the destination node.The utility of all these hops is imperfect substitutes to each other, meaning that some reduction in utility of th hop might be compensated for to some extent by the addition in another hop's utility and vice versa.But this is not always the case; for example, if the th hop is a dead link, no matter how good condition the other hops are, this route is considered to be useless with zero total utility.Due to this imperfect substitutes property, the utility function of a specific route belongs to the Cobb-Douglas type with standard form of  =       ⋅ ⋅ ⋅ ⋅ ⋅ ⋅ , where   ,   ,   , . . . . . .denote the utility generated from first, second, third, . . . . . .until the last ( − 1th) hop on a route, respectively.That is, the utility of a route is the product of utility on all the −1 hops [27].On the other hand, wireless sensors deployed in a specific network typically belong to the same type with identical technical specifications; thus the sender nodes at each hop can be considered to be identical and use the same utility function to describe their "preference." In this case, the multiple  − 1 hops transmission on this route can be considered equivalent to a node repeating a single hop transmission  − 1 times.Then the total utility on this route can be written as where  is a positive constant indicating the "preference" level of each hop, which is related to the sensitivity to energy cost.Note that the numerator in the last part in (6) corresponds to the energy consumption factor on each hop, which is already explained in (3) of Section 3.1.

Calculation of Expected Utility.
At each hop, there is a certain risk that the next node is compromised.In other words, there is never certainty about the status of any node (malicious or not).Given this uncertainty, we introduce the weighted average of utilities gained from all the possible results (malicious node or not) as the "expected utility"    : where   is the probability that the destination node is safe (not compromised) and   is the possibility that the destination node is compromised but pretends to behave like normal node (a so-called "grey hole").How to determine the probability   is explained in Section 3.3.If the node is safe or pretending to be normal, the utility of this hop is   .Otherwise the node is considered compromised with zero utilities.The total expected utility on the entire route is given by   route = ∏ −1 =1    .As mentioned earlier, utility is only useful for acting as an indicator of preference between different choices of routes, and the precise utility value does not have any practical meaning.
ETARP discovers a number of possible routes, along with their expected total utility.It selects the route with the maximum total utility as the best route.

Estimation of Risk by Bayesian Network.
Generally, it is difficult to ascertain whether a node has been actually compromised or not unless it is manifested in the node's observable behavior.A practical approach assumes that a risk can be estimated by observing the node's behavior compared to its expected behavior.In order to calculate a "belief " about a node's trustworthiness, a learning Bayesian network is proposed for this purpose.As addressed in Section 2, unlike the reputation management employed by previously proposed AOTDV or LTB-AODV which only watch a specific behavior, a Bayesian network is meant to organize the entire knowledge about observed node behavior into a coherent whole and makes comprehensive judgments on node status.Perhaps the use of joint probability distribution could be another approach to deal with multiple types of nodes behaviors, but the size of a joint probability distribution would be exponential in the number of nodes behaviors of interest, increasing both modeling and computational difficulties.On Node is healthy?
(H) Symptom 1 the other hand, a Bayesian network can address all of these difficulties in principle, by acting as a graphical modeling tool for specifying probability distributions [28].
To be more specific, a Bayesian network is a probabilistic graphical model that represents a set of random variables and their conditional dependencies via a directed acyclic graph (DAG).Our Bayesian network serves to model a set of node status (comprised or not) and their behaviors.It can be used to predict the most likely status of a node based on past observed behaviors.To calculate this prediction, one method is the maximum likelihood approach.
A general Bayesian network structure employed in our case is shown in Figure 2. To determine whether a node is safe (not compromised, denoted by H), we need to observe the node's symptoms; some symptoms may require further observation on their subsymptoms.Considering a basic practical example shown in Figure 3, the purpose is to determine a node's "health" status (node is compromised or not), denoted by variable H, two symptoms are considered: "node used to drop packets" (denoted by variable D).Note that it is normal for a node to drop packet sometimes for a valid reason, for example, bad link quality, but the term "drop packet" here implies that the number of dropped packets is unusually large.Also, "node participated in routing before or not" (denoted by variable P) can help to identify attacks including selective forwarding, sink hole, and black and gray hole.These variables are binary, represented by ℎ 1 (true) or ℎ 2 (false) for variable H,  1 (true) or  2 Edges in the graph represent "direct causal influences" among these variables; for example, the node participated in routing before (P) is a direct cause of node not being compromised (H).All these causal influences are presented by conditional probabilities, an example shown in the last two subtables of Table 3 (which is also an example of initial estimates to be explained later).Given this causal structure, one would expect the dynamics of changing belief to satisfy some properties.For example, if we get a record that the sensor node dropped a packet, our belief that the node participated in routing before would probably decrease.
In practical cases, the recorded node symptoms (referred to as data sets) are usually incomplete due to some reason; for example, a node is compromised or not cannot be directly observed (in fact, the purpose of creating Bayesian network is to determine it).Table 2 shows an example of incomplete data sets D with 3 different recorded data cases: case 1 , case 2 , and case 3 .A data case is a record of a set of symptoms shown by a node, in other words, a record with certain combination of instantiation (ℎ, , ), in which the status parameters ℎ 1 ,  1 , and  1 denote that this node has not been compromised, used to drop packet, and participated in routing before, respectively.And ℎ 2 ,  2 , and  2 denote that this node has been compromised, not used to drop packet, and not participated in routing before, respectively.The symbol "?" represents the missing values of variables.
The goal is to calculate the expected empirical distribution of nodes status H based on the incomplete data set.Some initial estimates are assumed as shown in Table 3 based on common sense; a comprised node is more likely to drop data packet and not participate in previous routing.On the other hand, a compromised node is more likely to participate in routing but may still drop data packet for some reason, for example, data transmission error.
The expected empirical distribution of the incomplete data set D is defined as where  is an event with certain combination of instantiation (ℎ, , ),  is the size of the data set, and c  are variables with unrecorded values of case case  .For example, the probability of an instantiation ℎ 1 ,  2 ,  1 (which denotes the following: node is not compromised, node did not use to drop packet, and node participated in routing before) is given by Repeating this process can obtain the probability of all the other instantiations (ℎ  ,   ,   ).Then the expectation maximization estimate of a node not being compromised is written as Other parameters such as  D ( | ℎ) and  D ( | ℎ) can be calculated by All the results derived from ( 8) and (11) based on incomplete data sets D constitute the D estimates that serves as the replacement of initial estimates shown in Table 3.If we continue to observe the network and fetch new incomplete data sets D 1 , D 2 , . . ., D  , where  is a positive integer, as proved in Chapter 17 in [28], for any , D +1 estimates have a higher likelihood than that of D  estimates.Thus all the above procedures can be repeated to update the D estimates to D 1 estimates, D 2 estimates, and so on, in order to get estimates with higher likelihood.
A potential problem of the aforementioned Bayesian network based risk determination method is that certain suspicious node's (or "target node") behaviors need to be monitored by its neighboring nodes (so called "watcher") while these nodes themselves might be malicious.Whether these "watchers" are reporting honestly becomes a new issue.How to acquire correct behavior information of the target node under the existence of some dishonest "watchers" is considered a classical agreement problem called Byzantine Generals' Problem.If  is the number of dishonest watchers involved in the monitoring process, it has been proved that we can still obtain the correct information of target node if the total number of "watchers" satisfies  ≥ 3 + 1 [29].
Applying this property to our case, assume that the entire WSN network has nodes deployment density of  nodes/ 2 , the malicious fraction of the network is V, and size of neighboring area of target node is  2 ; it can be concluded that the accurate status of a target node can be obtained if the number of watchers  involved in monitoring the target node satisfies where  is clearly an integer.

Performance Evaluation
In this section, the safety performance and energy efficiency performance of the ETARP routing protocol are analyzed.Two competitors are chosen for comparison.The first protocol is LTB-AODV, which is dedicated to the mitigation of network attacks based on the observed past behaviors of nodes [19].The other protocol for comparison is AODV-EHA which is an energy efficient protocol aware of energy harvesting [30].
In performance evaluation, "safety performance" involves the average number of compromised nodes that are likely to be encountered in a single transmission, given a specific malicious ratio.Likewise "energy efficiency performance" here involves the estimated energy cost after successfully delivering a data packet in a single transmission along the route discovered by a specific routing protocol.

Existing Protocols for Comparison
4.1.1.Overview of LTB-AODV to Compare Safety.In LTB-AODV [19], different "trust values" are computed for all the routes to represent the risk level; then the algorithm chooses the route with the least hops among the candidates having a trust value higher than a given threshold.Let    () denote the level of trust of any specified node  on any chosen neighbor node .It is calculated as Number of packets forwarded by  Number of packets to be forwarded by  .
The values of the numerator and denominator are obtained by node  monitoring the traffic of its neighbor .For a complete route, the total trust value, denoted by   route , is given as the product   route = ∏ −1 =1    , where    is the trust value of the th node on its next hop.LTB-AODV is a modification of the AODV protocol incorporating the above trust estimation technique.Thus LTB-AODV chooses the most trusted route.

Overview of AODV-EHA to Compare Energy Efficiency.
In AODV-EHA [30], the predictions of data transmission cost (in terms of energy) are computed for all the routes while considering the energy harvesting technology.The algorithm chooses the route with the least energy cost approximation for data transmission.Let   () denote the approximation of energy cost after a data packet is successfully delivered from any specified node  to any chosen neighbor node ; then, for a complete route, the total trust energy cost denoted by  route is given as the sum  route = ∑ −1 =1   , where   is the estimation of energy cost after successfully delivering a data packet from the th node to its next hop.AODV-EHA is a modification of the AODV protocol incorporating the above energy cost estimation.Thus AODV-EHA chooses the most energy efficient route.

Simulation Setup.
The experimental evaluation is carried out by means of MATLAB simulations using the Monte-Carlo method.The two criteria considered are safety performance and energy efficiency performance.
The size of the simulated area is 500 m × 500 m.The communication range of each node is 250 m.Considering the WSN applications, this paper focuses on (as addressed in the beginning of Section 1) IEEE 802.15.4 which was chosen for the physical and data-link layer, which is suitable for low data rate but very long battery life applications [31].According to the specification mentioned in [31], the traffic type is constant bit rate (CBR) with a data rate of 20 Kbps, and the size of each packet is 127 bytes.Since the transmission cost prediction partly depends on previous works [26]; therefore, for those parameters required for the prediction process, we continue to use same values as adopted in [26].Details are listed in Table 4.
Every simulation contains a certain malicious fraction of the network.These compromised nodes are located randomly in the simulation area, and they are assigned with certain behaviors that can further affect the route discovery process.

Experimental Results.
The chosen scenario is analogous to the application of enemy detection on the battlefield.The data collection device (possibly a human) could be assigned to any position in the area where the WSN is deployed, rather than being tied to a fixed place.The number of nodes in the simulated area varies from 50 to 90.

Safety Performance.
Figure 4 shows the safety performance of the 3 protocols under different compromised ratios (10%-30%).It can be seen that, as the malicious ratio  increases from 10% to 30%, the difficulty of maintaining security in the network is increasing.On the other hand, under different malicious ratios, the risk level lines of ETARP and LTB-AODV wind around each other while fluctuating a little bit as the nodes number increases.Therefore we can conclude that ETARP can maintain a similar safety performance as LTB-AODV.
By comparison, there is a more notable increment of risk level for AODV-EHA, as the malicious ratio increases in the network.Under any certain malicious ratio, the risk level line for AODV-EHA keeps increasing with the number of nodes in the network.This is due to the network coverage area remaining the same while the number of compromised nodes increases.Thus we can conclude that there is no security in AODV-EHA, as expected, since its original design did not take safety into consideration.

Energy Efficiency Performance. Figures 5-7 show the average energy cost of each transmission under different compromised ratios (10%-30%).
For any certain malicious ratio, both lines of ETARP and LTB-AODV fluctuate per number of nodes in the network.ETARP consistently uses less average transmission cost compared to LTB-AODV in terms of energy.More specifically, the energy cost of ETARP is reduced by 2.4% to 20.5% in comparison to that of LTB-AODV, depending on various situations.
On the other hand, the average transmission cost of AODV-EHA under any certain malicious ratio tends to decrease as the nodes number increases.The cost appears to be less than that of ETARP or LTB-AODV; but as illustrated in Section 4.3.1, the route determined by AODV-EHA is likely to be a dead-link almost in every transmission.A deadlink makes the theoretical minimum energy cost of AODV-EHA meaningless, since the packets are probably dropped on their way without reaching destination.All the energy   already spent on the transmission is wasted, even though it is ostensibly less than that of ETARP.From all the above results gained from safety and energy efficiency performance evaluations, we can conclude that, under different compromised ratios, ETARP has advantages in terms of energy efficiency in transmission while it can still maintain almost the same safety performance as LTB-AODV at the same time (stated in Section 4.3.1).By comparison, even though AODV-EHA achieves the theoretical "lowest" transmission cost, there is no security in AODV-EHA since  its original design focused on reducing energy cost but did not give attention to security.
A large network can be considered an interconnection of many smaller ones.We believe that the current results can be generalized to larger networks for the following reasons.
Suppose we are trying to find an optimal route from a specific source to a specific destination in a large network.The whole optimal route could be further decomposed to multiple subroutes; each one traverses a smaller subnetwork.Since these subnetworks are part of the whole network, they shall keep some identical properties, for example, nodes density and malicious rate.Therefore, for the same routing protocol, the subroute of the whole optimal route also serves as the optimal route in the corresponding subnetwork.In other words, for the same routing protocol, its routing process in the whole network is equivalent to the repeat of routing process in multiple subnetworks, and this protocol will not show a different and surprising behavior in a large network compared to the behavior of smaller ones.
Figure 8 shows a simple example of the aforementioned network decomposition; the whole optimal route is divided into 2 subroutes and transverses 2 subnetworks.The number of subroutes and subnetworks could be extended to any volume.

Figure 4 :
Figure 4: Average route risk level (average number of compromised nodes encountered on the route).

10%
of the nodes in the network are compromised Number of nodes Average end to end transmission cost (J)
30% of the nodes in the network are compromised Number of nodes Average end to end transmission cost (J)

Table 1 :
RREQ message format in original AODV.

Table 2 :
Incomplete data sets D.(false) for D, and  1 (true) or  2 (false) for P. Circles in this DAG represent the aforementioned propositional variables.