An efficient secure and energy resilient trust-based system for detection and mitigation of sybil attack detection (SAN)

Energy

A crucial component of quality of service is the energy of the node. Node x trusts node y to have enough energy to keep working. The Remaining Energy (EG) percentage of node j estimated by node i and vice versa is the definition of the energy trust between node x and node y. It is represented by the notation EG_xy and EG_yx, respectively. In the IoT, the nodes’ primary source of energy consumption is during the receiving and sending packets. Many distinct methods may be used to compute the energy. According to the energy model presented in Heinzelman, Chandrakasan & Balakrishnan (2002), the equation used to determine the energy that node x expends to transport k bits of data to node y is the one designated as Excm_i. The term “electronics energy” (also known as “the energy required for the transmitter as well as the receiver circuitry”) is abbreviated as Eeeg, “energy dissipation for transmitting amplifiers” (abbreviated as Eam) and d refers to the distance between nodes x and y. According to Eq. (1), one may determine the energy the node j used to process the k (constant representing the energy consumption per unit distance) bits of data, symbolized by the symbol Excm_j. Every node in an RPL topology network connects with its neighbours. It transmits data using a power level proportional to the communication distance between the node and its neighbours. Therefore, the communication range equals the value of r. (1)${\displaystyle Exc{m}_i=k\cdot \left(Eeeg+Eamf\cdot r^2\right)}$ (2)${\displaystyle Exc{m}_j=k\cdot Eeeg.}$

Initially, the initial entropy EG_x(t) is equivalent to the maximum energy Emax; more specifically, when time equals zero, EG_x(0) equals Emax. The total energy used by node x may be calculated by adding the energy needed for message transmission to the amount required for message receipt. Therefore, the energy still available to the node x is computed using Eq. (3). (3)${\displaystyle E{G}_x\left(t\right)=E{G}_x\left(t-\Delta t\right)-\left(Exc{m}_i\left(t\right)+Exc{m}_j\left(t\right)\right).}$

Periodically, each node will communicate its leftover energy to the other nodes in the network. As stated in Eq. (4), the ratio of EG_xy(t) to Emax determines the energy trust value, which is denoted by the notation TEG_xy ∈ [0, 1], where EG_xy(t) = min(EG_reportedxy(t), EG_estimatedxy(t)) and EG_estimatedxy(t) = EG_j(t). (4)${\displaystyle TE{G}_{xy}\left(t\right)=\frac{E{G}_{xy}\left(t\right)}{Emax}.}$

However, EG_reportedxy(t) is the remaining Energy assessment of node y received by node x at time t, and EG_estimatedxy(t) is the remaining Energy estimation of node x toward node y at time t.

Authenticity

The honesty parameter indicates whether or not a node is trying to harm other nodes. As a result, node x analyzes node’s activity to determine whether or not node j has been hacked. Several strategies use IDS based on a collection of anomaly detection rules (Raza, Wallgren & Voigt, 2013; Pongle & Chavan, 2015). Each node x in SF-MRTS has its implementation of an IDS, which allows it to monitor and identify suspicious actions. The monitoring node x will consider node j dishonest and assign it an honesty-trust value of 0 if the intrusion detection system (IDS) causes an alert against the node.

The act of being selfish

A node is said to be selfish if it seeks to minimize the amount of resources it expends while simultaneously aiming to absorb the resources of other nodes. It is possible to determine a node’s level of selfishness using a distributed and collaborative score. During a specific time, P, node i examines node j using methods such as overhearing and snooping (Marti S), and from this assessment, it determines whether or not node j is self-centered. Assume that a particular application needs just the lowest amount of energy, which Emin will indicate. If ERx(t) is more significant than Emin, then the behaviour of the node x is correct; however, if ERx(t) is less than or equal to Emin, then the node x does not participate in the forwarding of packets any longer and instead spends its resources, such as its energy, for the transmission of its packets, which indicates that it is more likely to become self-centred. As a result, during the phase in which trust is calculated, SF-MRTS permits some degree of selfishness on the part of the nodes so that they may save their resources.

ETX

ETX is a quality of service trust component. According to one source, the ETX of a path is the estimated entire amount of packet transmissions required for the successful transmission of a packet along that path (Bao Yang & Wang, 2008). It is a dependability statistic that allows routing protocols to locate high-throughput routes and, as a result, minimize the amount of energy used. To compute TETXxy(t), ETX(t) must first be normalized to the range [0,1] via the Min-Max-Normalization technique, with ETXmin equal to 0 and ETXmax equal to 255.

Trust established directly

At time t, the trust value, T_xy(t), of each node’s immediate neighbour is calculated and analyzed. The trustworthiness of an entity (in this example, a node) may be determined using different approaches, such as belief theory, Bayesian systems, fuzzy logic, and weighted sums, among others. It has been decided that the weighted sum approach will be utilized to determine whether or not a node can be trusted because RPL’s objects have restricted processing and storage capacity. To determine direct trust, we build upon the foundation Bao & Chen (2012) laid in their work on trust-based solutions for Sybil attacks. In Eq. (4), w₁, w₂, w₃, and w₄ are weights related to honesty, selfishness, energy, and ETX characteristics, respectively. To determine the value of each behavioural parameter, X “Authenticity; Selfish”, Eq. (5) is used (Bao Yang & Wang, 2008), in which t denotes the time interval between trust update attempts, TX_xy(t − Δt) represents the previous observation and falls between the range [0, 1]. When it approaches 1, confidence is placed more heavily on recent experiences. In any other case, if it goes to 0, trust is increasingly dependent on previous findings. The trust computation for remaining energy and ETX relies only on fresh observations, each described in ‘SF-MRTS factors’ and ‘ETX’, respectively. This is because the remaining energy shows a node’s capacity to carry out its capabilities, while ETX reflects the state of the connection. ${\displaystyle w_1+w_2+w_3+w_4=1}$ (5)${\displaystyle T_{ij}^{Direct}\left(t\right)=w_1{T}_{ij}^{Honesty}\left(t\right)+w_2{T}_{ij}^{Selfish}\left(t\right)+w_3{T}_{ij}^{ER}\left(t\right)+w_4{T}_{ij}^{ETX}\left(t\right)}$ (6)${\displaystyle T_{ij}^X\left(t\right)=\alpha T_{ij}^{X.new}\left(t\right)+\left(1-\alpha \right)T_{ij}^X\left(t-\Delta t\right).}$

Trust established indirectly

The node x calculates the direct trust for each neighbour y before utilizing the trust values in the DIO messages from the other nodes k at time t to get its final trust value. This is done because SF-MRTS is a collaborative framework that finds the safest root path. The final trust value is the mean of the direct trust value and all ERNT object suggestions for neighbour x. If it gets non-local suggestions, node x will disregard them.

The dissemination of trust

The nodes in SF-MRTS employ the quantitative and dynamic RPL Node Trustworthiness metric, ERNT, to exchange, store, and propagate trustworthiness data. The DAG Metric Container of the DIO message carries and sends the object known as the ERNT metric. The ERNT object is composed of many ERNT sub-objects. SF-MRTS uses the ERNT object as a restriction and a recorded measure. The BR specifies the trust level (T_Trust) as a restriction imposed as an ERNT sub-object that nodes must employ to include or prevent unreliable nodes. The BR uses ERNT as a recorded statistic in addition to route cost, as do all nodes engaged in developing RPL and, subsequently, SF-MRTS. To do this, an ERNT sub is added for each computed (final) trust value. The route cost value accurately reflects the parent’s reliability.

Current state of trust

The SF-MRTS may alter the trust values in a planned or unanticipated manner. The time-driven, periodic trust update is managed by the trickle timer, which SF-MRTS utilizes to deliver DIO (DODAG Information Object) messages. On the other hand, the recurrent trust update uses local and global repair events as triggers and is event-driven. In our approach, either the T_Selfish is reached before the local or international repair is initiated, or the IDS produces an alert (i.e., it detects an attack). Or whenever one of these events occurs. If not, the trickle timer will control how often the update happens. Every time a node x receives a DIO message from one of its neighbours, it updates its routing table using the data included in the DIO message. It determines the trust levels of its neighbours in line with ‘An assessment of trust’ using the direct evaluations and suggestions contained in DIO messages that it has received. Then, it chooses a group of dependable parents who will ultimately help it get to the BR. It computes the route cost via each prospective parent. As the preferred parent, it desires the one with the most significant value for the path cost (in line with ‘The selection of parent’) to offer the BR the safest and most dependable traffic routing. After calculating each neighbour’s trustworthiness, the process creates and broadcasts a new DIO message with those parameters. Each neighbouring node repeats the procedure until the DODAG is correctly rebuilt. When the building is finished, the Trickle timer will tell you when to start doing maintenance. The timer controls how quickly the control messages are sent. The transmission rate will drop during a steady situation while the trickling timer’s trust update interval rises. Due to reduced calculation and control of message volumes, the network will use less energy, memory, and processing power. Alternatively, suppose anomalies (such as attack detection, selfish behaviour detection, and a new node entering the DODAG) include changes in the topology. In that case, the Trickle duration will be reset to a lower value, and the transmission rate will increase. This suggests additional computation and control messages. If there are errors, the Trickle timer will be adjusted to a lower value, and the transmission rate quickened. SF-MRTS will smooth out a tiny route cost (trust) rise or drop to cut down on the energy consumption caused by the trust update overheads. This will help minimize the cost of calculation. The suggested approach considers a hysteresis threshold of 0.15 to prevent frequent parsing errors.

The selection of parent

The SF-MRTS Trust Objective Function (TOF) isolates nodes and selects parents. The TOF consists of the processes of topology initialization (sometimes called neighbour discovery) and context-aware adaptive security execution. Since the nodes have no basis for determining the truthfulness and selflessness of their neighbours, the first step takes place during deployment. Since all nodes have the same beginning energy at the time of deployment, the only variable that has to be applied to design the RPL architecture is the ETX along the route. We may choose which parent is favoured by adding the ETX values at each node along the route (from the BR to the parent node). After initialization, all nodes may see and communicate with their neighbours. As in the first stage, ETX is the only metric to consider. If secure mode is off (the T flag is set to 0 in the ERNT sub-object), the nodes should utilize TOF to find the optimal paths by picking parents with the lowest ETX values. When secure mode is on, each node calculates the total cost of its routes, narrows the list of potential parents to those with trust values higher than or equal to the threshold T_Trust, and finally picks a favourite. There are several approaches to the trust inference issue to consider, as there are different methods to calculate the route cost using a trust measure. Following TOF, each node x determines its path cost, denoted by PC_x (calculates the node’s route cost). This is the set of nodes from node x to BR with the lowest trust rating relative to all possible parents y. Each node’s characteristics are condensed into a singular scalar value denoted as PC_x throughout the entire network traversal. This scalar, PC_x, encapsulates the attributes of the nodes and adheres to the SF-MRTS routing criteria, ensuring consistency, optimality, and loop-freeness. In the context of TOF (your specific term), the path cost PC_x is defined as the minimal trust value among on-route nodes from the source node x to the destination BR. Specific conditions must be met for acceptance. Consequently, node x selects its preferred parent based on the highest path cost along the route, as the lowest path cost signifies the optimal path. For simplicity, we denote PC_x as the value between the hypothetical PC_y and the theoretical T_xy(t) for parent y. Node x, guided by a recurrence threshold of 0.15, replaces its current preferred parent only if the route cost via the new parent exceeds the path cost through the currently selected parent. In cases of identical path costs among multiple pathways, node x prioritizes the parent with the maximum available energy, in contrast to our earlier findings (Djedjig et al., 2017). If the cost of travelling to the new parent from node x is at least 0.15 more than the cost of travelling to the currently chosen parent, node x will switch to using the new parent as its preferred parent. In contrast to our previous work (Djedjig et al., 2017), the node with the highest remaining energy will be the preferred parent if two possible pathways have similar path costs.

Experimental setup

Experiments involved applying different attack scenarios (black hole, Rank, Sybil) to the network. For comparison, the MRTS algorithm was simulated alongside two other algorithms (MRHOF-RPL and SecTrust). Trust thresholds and weights were empirically set based on prior research and expert knowledge. Each experiment consisted of 100 iterations to ensure statistical robustness.

Parameters

• Number of Nodes: 20

• Number of Edges: 30 (initial RPL network topology)

• Number of Iterations: 100

• Simulation Time: 30 min

Simulation scale

Several key factors drove the chosen simulation scale of 20 nodes:

• Initial experimental constraints: The initial use of 20 nodes is driven by resource limitations and the need to establish a controlled environment to observe and measure specific behaviours and trends. This smaller scale allowed for precise control and detailed analysis of each node’s interactions and the overall network performance.

• Fundamental behaviors and trends: The primary objective of our study was to identify and analyze fundamental behaviours and trends within the network under various attack scenarios. A smaller network facilitated a more straightforward identification of these patterns, providing clear insights without the complexity and noise that more extensive networks might introduce.

• Relevance to scenario: Our specific research scenario, which focuses on the impact of various attacks on RPL networks, is effectively modelled with 20 nodes to represent minor to medium-sized networks commonly found in practical deployments, such as smart homes, small industrial environments, or localized sensor networks. This scale sufficiently illustrates our proposed algorithms’ critical vulnerabilities and efficacy.

• Scalability considerations: While our initial experiments utilized a 20-node network, we fully recognize the importance of demonstrating scalability to more extensive networks. To this end, we are conducting additional experiments with larger network sizes to validate our findings further. These larger-scale experiments will provide a comprehensive view of the algorithms’ performance and robustness in more extensive and varied network environments.

• Preliminary results from larger-scale simulations: Preliminary results from ongoing experiments with more extensive networks have been promising, indicating that the behaviours and trends observed in the 20-node network scale appropriately with increased network size. We plan to incorporate these findings into future iterations of our research, thereby providing a more robust validation of our proposed methods.

Data generation

Synthetic data was generated for simulations. The network topology resembled a tree structure using the generate_network_graph_with_parent_child function, ensuring each node had a parent except for the root node. Random parameters like node rank changes, packet delivery ratio, energy consumption, and throughput were generated for each node in every iteration.

Attack scenarios

Three attack scenarios were considered:

• Black hole attack: Nodes maliciously drop packets, decrease their Rank, increase energy consumption, and reduce throughput.

• Rank attack: Nodes maliciously decrease their Rank, decrease packet delivery ratio, increase energy consumption, and reduce throughput.

• Sybil attack: Nodes impersonate multiple identities to gain influence, with similar effects to the Rank Attack but with additional complexities.

Evaluation metrics

The following metrics were used for evaluation:

• Average node rank changes: This measure considers the average change in the nodes ranking within the network within a specific time as the main element. Within Routing Protocol (RPL), nodes get to maintain a score to determine their position in the network. A significant change in the average node degree, on the other hand, can reveal network instability or the fact that the nodes are often reconfigured, and this could be a result of node failures, attacks, or changes in the network conditions.

• Average packet delivery ratio: The ratio of checked packets to sent ones shows how a network transmits information. Protocols help deliver packets, revealing the extent of congestion and delays in the network. The ratio of the higher average package delivery rate to the network that is better indicates the network performance, which is where more packets successfully reach their intended targets.

• Average energy consumption: This parameter assesses the average power ripped from a set of nodes in the network for a particular period. Energy consumption is an essential factor for creating energy-constrained networks such as the IoT, as the direct result is the diminution of the battery life and network viability. Lower average energy utilization can be declared as the wish orientation; the lesser it is, the more appropriate and long-living the energy system will be.

• Average throughput: Throughput is a data rate measurement that describes the amount of data successfully transmitted over the network. The throughput of an average node determines the data transfer rate for all network nodes. A higher average throughput means the quality of network performance in delivering data instantly and on time, which is very important for multiple applications in this era that require prompt or real-time response.

Statistical analysis

Statistical methods such as averaging were used to analyze results across iterations. The phrase “Delivered-to-Seen-Total Packet Ratio” is referred to by its abbreviation, “APDR”. AEC is an abbreviation for “average energy consumption across all network nodes”. The acronym ARC refers to the “average number of parent switches”. Multiplying the size of the packets by the integer 8 (used to convert bytes to bits) and taking the average number of packets delivered across all simulated topologies determines throughput. Depending on data distribution and experimental design, further analysis of differences between algorithms under different attack scenarios may involve statistical tests like t-tests or ANOVA.

Simulation configuration

For the simulation setup:

• Three attackers out of the 29 nodes were randomly located to conduct Rank, blackhole, or Sybil attacks.

• The trust threshold was raised to 0.75 from the initial 0.5.

• Equal weights (0.25) were assigned to parameters w₁, w₂, w₃, and w₄ to consider all aspects of route selection.

• An Intrusion Detection System (IDS) was used to detect malicious nodes and assign reputation scores, favouring those with higher scores as parent nodes. w₁ is set to 1, and w₂, w₃, and w₄ are set to 0 in an even distribution throughout the simulation if the normal node discovers another node is selfish. This occurs only if the normal node observes that the other node is selfish.

• IDS would set a node’s trust metric weight to 1 if identified as malicious, effectively disregarding it as a potential parent node.

• Both time-driven and event-driven updating techniques were used. The trickling timer (time-driven) and the IDS, either sounding an alert or connecting to the T_Selffish (event-driven), initiate the computing method. The performance of SF-MRTS was analyzed and compared to that of MRHOFRPL and SecTrust-RPL. Throughput, average energy usage, rank changes, and the average packet delivery ratio (APDR) in percent were determined.

• Metrics analyzed included throughput, average energy usage, rank changes, and average packet delivery ratio (APDR) in per cent.

The simulation duration was 3600 s (30 min).

Isolating the attacker

Untrusted nodes may be excluded from participating in network activities using various techniques. Each node in SF-MRTS collaborates with the IDS to maintain a blocklist. A node is added to the blacklist after it is identified as being untrusted. Normal nodes reject all data and control packets arriving from the blacklisted nodes as a consequence and no longer take them into account when making routing decisions.

Calculation of trust metrics

The method creates several trust metrics for each node in the network to assess each node’s level of trustworthiness. These metrics consist of:

• Energy: This statistic assesses a node’s energy availability or usage. Limited energy reserves may make nodes less dependable in communication and routing activities.

• Authenticity: Authenticity evaluates the reliability of the data and messages that each node exchanges. Nodes with a history of delivering counterfeit or unverified data may be viewed as less reliable.

• Selfishness: This metric determines if a node exhibits selfish behaviour by failing to forward packets as the routing protocol specifies. Selfish nodes may obstruct the network’s data flow.

• ETX: ETX is the anticipated number of transmissions required for a packet to pass through a particular node and reach its destination. A node with a high ETX value raises the possibility that communication delays or packet losses may occur.

Setting the trust threshold

The trust model uses the threshold (T_Trust) to determine if a node is trustworthy. It also suggests that the four trust factors—Energy, Authenticity, Selfishness, and ETX—are all equally significant in calculating a node’s total trust score.

Adjusting weights for malicious nodes

In the simulation, if a node is identified by the Intrusion Detection System (IDS) as malicious, other nodes take action to lessen the effects of that node’s actions on the network. The method accomplishes this by altering the weights connected to the malicious node’s trust metrics in the manner described below:

• Energy (w₁): The weight w₁ is set to 1, suggesting that the malicious node regards the energy measure as unreliable.

Trust metric evaluation

In this stage, the system compares each node’s computed trust metrics against the trust threshold. Any node whose total trust score is below the threshold is seen as untrustworthy and may indicate that the network is vulnerable to attack.

Sending DAO message for attack prevention

When the trust metric evaluation determines a node’s trust score is less than the threshold, the system sends a Defensive Awareness Object (DAO) message to the destination. The DAO message aims to avert the attack by informing the destination node of the possible threat and allowing defensive steps to be taken quickly.