Selective Authentication Based Geographic Opportunistic Routing in Wireless Sensor Networks for Internet of Things Against DoS Attacks

Article in IEEE Access · March 2019

DOI: 10.1109/ACCESS.2019.2902843


All content following this page was uploaded by Chen Lyu on 28 March 2019.



This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2019.2902843, IEEE Access


Selective Authentication based Geographic Opportunistic Routing in Wireless Sensor Networks for Internet of Things against DoS Attacks

CHEN LYU¹ (Member, IEEE), XIAOMEI ZHANG², ZHIQIANG LIU³ AND CHI-HUNG CHI⁴

¹ Department of Computer Science and Technology, Shanghai University of Finance and Economics, Shanghai, China
² School of Electronic and Electrical Engineering, Shanghai University of Engineering Science, Shanghai, China
³ Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
⁴ Data61, CSIRO, Australia

Corresponding author: Xiaomei Zhang

This work was supported in part by the National Natural Science Foundation of China under Grant No. 61702319, Grant No. 61802252 and Grant No. 61672347, and in part by Shanghai Sailing Program under Grant No. 17YF1405500.

ABSTRACT Wireless Sensor Networks (WSNs) have been widely used as the communication system in
the Internet of Things (IoT). In addition to the services provided by WSNs, many IoT-based applications
require reliable data delivery over unstable wireless links. To guarantee reliable data delivery, existing
works exploit geographic opportunistic routing with multiple candidate forwarders in WSNs. However,
these approaches suffer from serious Denial of Service (DoS) attacks, where a large number of invalid
data are deliberately delivered to receivers to disrupt the normal operations of WSNs. In this paper, we
propose a selective authentication based geographic opportunistic routing (SelGOR) to defend against the
DoS attacks, meeting the requirements of authenticity and reliability in WSNs. By analyzing statistic
state information (SSI) of wireless links, SelGOR leverages an SSI-based trust model to improve the
efficiency of data delivery. Unlike previous opportunistic routing protocols, SelGOR ensures data integrity
by developing an entropy-based selective authentication algorithm, and is able to isolate DoS attackers
and reduce the computational cost. Specifically, we design a distributed cooperative verification scheme to
accelerate the isolation of attackers. This scheme also makes SelGOR avoid duplicate data transmission
and redundant signature verification resulting from opportunistic routing. Extensive simulations show that
SelGOR provides reliable and authentic data delivery, while it only consumes 50% of the computational
cost compared to other related solutions.

INDEX TERMS Internet of Things, opportunistic routing, DoS attacks, selective authentication

I. INTRODUCTION

Wireless sensor networks (WSNs) have been developed in the Internet of Things (IoT) and play an important role to provide a wide range of applications through sensors, such as smart home, traffic management, smart grids and environment monitoring [1], [2]. A wireless sensor network contains some receivers/sinks and a number of distributed sensor nodes which collaboratively collect and transmit data to perform a variety of missions. Built upon WSNs, providing reliable data delivery is usually expected for IoT-based applications. One example of such applications is smart healthcare, which is used for the purpose of monitoring, tracking or treating patients [3]. In this application, sensor nodes collect the patient’s physical data and then deliver them to the doctor. Based on the collected data, the doctor is aware of the physiological status of the patient, and is able to make a suitable diagnosis.

The above application requires WSNs to provide reliable data delivery, which is regarded as the critical factor for the success of diagnosis. However, based on the varying and shared wireless mediums, WSNs are susceptible to link failures due to signal interference or signal fading, which may significantly decrease the quality of service [4], [5]. Therefore, supporting reliable data delivery becomes a challenging problem in WSNs. To address this issue, many multi-path routing strategies [6]–[8] have been proposed to improve the


2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

C. Lyu et al.: Selective Authentication based Geographic Opportunistic Routing in WSNs for IoT against DoS Attacks

reliability of data delivery in WSNs. However, maintaining a multi-path route for a data flow has a high communication cost for the instability of wireless channels. Moreover, since data packets are transmitted over multiple paths to receivers, more transmission contentions and signal interferences are introduced leading to additional transmission failures in the network.

Recently, an efficient approach to meet the requirement of data reliability is exploiting (geographic) opportunistic routing which does not determine the routing path before data transmission [9]–[12]. With the broadcast and shared nature of the wireless channel, it allows packet transmission to be overheard by multiple sensor nodes. Instead of one single forwarder in traditional routing, multiple candidate forwarders are selected in the opportunistic routing, which are ordered based on the priorities defined by the sender of the packet. Therefore, the packet transmission is not disrupted as long as one candidate in the forwarder set successfully relays it. Compared with multi-path routing, opportunistic routing has better performance because no additional transmission contentions or signal interferences exist between candidates.

As one of the traditional routing protocols, geographic routing is an attractive choice with regard to dynamic wireless links, since it does not need to establish and maintain paths from source nodes to sinks [13]. Therefore, the combination of geographic routing and opportunistic routing has been referred to as geographic opportunistic routing [14]–[16]. Existing geographic opportunistic routing approaches can achieve high reliability over wireless links (e.g., [16]). However, they suffer from serious Denial of Service (DoS) attacks. Malicious attackers may deliberately send a large number of invalid data with illegitimate signatures to sinks, aiming to waste the network resources and disrupt the normal operations of WSNs [17]. In particular, opportunistic routing aggravates DoS attacks in that invalid data can be reliably delivered to receivers with multiple candidate forwarders, which will be validated by our theoretical analysis and experiment results in the latter part of this paper. To defend against such attacks, we need a security authentication scheme, which can guarantee that data packets are sent from legitimate sensor nodes, and they are not sourced or modified by attackers during transmissions. However, this opens plenty of new issues.

First, involving an existing digital signature scheme for authentication may tremendously increase the computational cost of a sensor node and extend the delay of data delivery. Sensor nodes are typically computationally and energy constrained. Prior work has shown that verifying one ECDSA signature needs about 1.62 seconds on MICA2 and MICAz motes [18]. Verifying the digital signature of every incoming data packet on a sensor node would quickly exhaust its resources. Therefore, a new lightweight authentication mechanism to isolate DoS attackers is mandatory for WSNs. Second, verification of data packets may break down the priorities of candidate forwarders defined by the opportunistic routing, since the verification delay is generally much greater than the transmission time of data packets. Hence, restoring the priorities of candidate forwarders to achieve the integrity and reliability of data should be our main design goal. Third, duplicate transmission of invalid data or redundant verification may be incurred by the opportunistic routing. For example, if the first candidate drops one invalid packet after the process of verification, the second candidate cannot be certain whether the data packet is dropped for being invalid or because of link failure. It may skip the process of verification and then proceed to deliver the invalid data packet. Alternatively, it may perform the same process of verification and then drop it. Therefore, a scheme of sharing the verification information between candidates should be designed to minimize the incurred overhead.

In this paper, we propose a selective authentication based geographic opportunistic routing (SelGOR) to defend against the DoS attacks in WSNs. SelGOR aims at ensuring the authenticity and reliability of data packets for IoT-based applications. To improve the efficiency of data delivery, SelGOR analyzes statistic state information (SSI) of wireless links, and builds an SSI-based trust model for the construction of a trust-based geographic opportunistic routing. In addition, in contrast to existing opportunistic routing, SelGOR leverages an entropy-based selective authentication algorithm to ensure data integrity. Our selective authentication algorithm is performed based on the signatures with high entropy (unknown state) or low entropy (certain state), and is able to reduce the computational cost of the sensor node. Especially, we design a cooperative verification scheme to combine the opportunistic routing with the selective authentication algorithm, which includes “verification notice” and “warning push”. The mechanism of verification notice is utilized to restore the priorities of candidate forwarders in opportunistic routing. The mechanism of warning push is employed to share the verification information of invalid signatures between candidates, which could also accelerate the isolation of attackers. According to warning push, candidate forwarders are allowed to cancel duplicate data transmission or redundant signature verification. The extensive comparative evaluation shows that our SelGOR could block 80% of invalid data with a low communication overhead, while it saves 50% of computational resources and 50%-70% of bandwidth resources compared to other schemes.

To the best of our knowledge, our work is the first attempt at an efficient and reliable data delivery protocol that explicitly maintains the desired authentic data in WSNs. The main contributions of this work are summarized as follows:

• We design an SSI-based trust model which is exploited as the basis of constructing a trust-based geographic opportunistic routing to improve the reliability of data delivery.
• We identify that DoS attacks pose serious security threats to the opportunistic routing in WSNs. Subsequently, an entropy-based selective authentication algorithm is introduced to isolate the DoS attackers with low computational cost.

• A distributed cooperative verification scheme is exclusively proposed to coordinate the selective authentication algorithm with the opportunistic routing, while it also significantly reduces the number of transmissions of invalid data and the number of signature verifications incurred by the opportunistic routing.
• Theoretical analysis and empirical validations are done to show our SelGOR effectively defends against the DoS attacks. It is fairly reliable even over unstable wireless links, and low-cost in terms of computational and communication resources.

The rest of this paper is organized as follows. Section II describes the related work. Section III discusses our network and security model. The protocol SelGOR is presented in Section IV. The effectiveness analysis of SelGOR against DoS attacks is shown in Section V. The performance evaluation is provided in Section VI. At last, we conclude our paper and outline the future work in Section VII.

II. RELATED WORK

There has been much research on opportunistic routing exploiting the spatial diversity of wireless transmissions for data delivery in wireless ad hoc networks [9]–[12], [19]–[21]. As one branch of opportunistic routing, geographic opportunistic routing which makes use of the geographic location to choose the candidate forwarders in the neighbor list is also widely studied in the literature [14]–[16], [22].

Sanchez-Iborra et al. [10] propose the opportunistic routing named JOKER in order to balance the tradeoff between multi-media service and energy consumption for mobile devices. Their JOKER uses the routing metric combining the reliability of wireless links with the distances to receivers for candidate selection. To minimize the energy consumption and maximize the lifetime of WSNs, Luo et al. [11] optimize the candidate forwarder set based on the distances to receivers and the remaining energies of sensor nodes, and then use opportunistic routing for data delivery in the model of one-dimensional queue network. So et al. [12] design an opportunistic routing for load balance in the duty-cycled wireless sensor networks. In their scheme, the number of candidate forwarders is controlled based on the estimation of forwarder cost in order to reduce redundant data forwarding caused by the opportunistic routing. Zeng et al. [14] propose a geographic opportunistic routing in the multi-rate wireless networks. They study the strategies of candidate selection and candidate coordination, and then design an effective metric for the opportunistic routing to achieve high network throughput. Cheng et al. [16] address the problem of Quality of Service (QoS) provisioning with the constraints of reliability and end-to-end delay in WSNs. They formulate it as an optimization problem, and then design an efficient geographic opportunistic routing to provide QoS with low communication cost.

Although these works are on the basis of opportunistic routing, they mostly address the issues of QoS, load balance or energy efficiency. In terms of security, Salehi et al. [23] address black hole attacks on opportunistic routing in the wireless mesh networks, where nodes deliberately drop the data packet that they are supposed to transmit. To defend against such attacks, they make use of a Markov chain to establish a packet salvaging model for the opportunistic routing. Zhang et al. [24] propose a framework for the opportunistic routing to provide both privacy preserving and security protection for delay/disruption-tolerant networks. The security and privacy are realized according to anonymous routing, the confidentiality of the routing metric and key agreement for data communication. SGOR [25] is a geographic opportunistic routing which is proposed to cope with a wide range of attacks in WSNs. Thus, a location verification algorithm is designed on received signal strength [26] to address the location spoofing attack. To respond to black hole attacks in the routing, SGOR utilizes an ambient-sensitive trust model to construct the routing metric for the opportunistic routing. These discussed solutions provide a range of improvements to the security of the opportunistic routing. However, none of them could defend against any DoS attacks, which pose serious threats to the opportunistic routing over wireless links.

As to the DoS attacks, many security mechanisms have been investigated in the field of Internet [27], Vehicular Ad Hoc Networks [28], Cyber-Physical Systems [29], cloud computing [30] and Wireless Sensor Networks [18], [31]–[34]. Due to the different objectives of attackers, there are a variety of DoS attacks in WSNs. Ning et al. [18] address the DoS attacks with respect to broadcast authentication. They propose a weak authentication scheme by exploiting the mechanism of message-specific puzzles to mitigate the DoS attacks on both digital signature schemes and TESLA-based broadcast authentication scheme [35] in WSNs. The limitation of this scheme is that it requires relatively high computational cost for the packet sender. Moreover, the end-to-end delay of data packets is largely extended for solving the puzzles. To isolate the DoS attackers, Agah et al. [31] divide the DoS attacks into passive attacks and active attacks, and then exploit game theory to categorize nodes according to their behaviors. However, their scheme requires a centralized base station to monitor the behaviors of all the sensor nodes. Deng et al. [32] address the path-based DoS attacks, and propose a scheme based on one-way hash chains to defend against such attacks. However, since the routing paths need to be determined before data transmission, their solution cannot apply to the opportunistic routing. In WSNs, there are some other secure schemes [33], [34] proposed to resist the DoS attacks on code dissemination protocols, which spread a new program image to all of the sensor nodes. Nevertheless, all the above schemes do not deal with the DoS attacks on the opportunistic routing. In this work, we attempt to address this issue, and introduce the selective authentication algorithm with low computational cost to isolate the DoS attackers in WSNs. In order to efficiently combine the selective authentication algorithm with the geographic opportunistic routing, we design a distributed cooperative verification scheme by

minimizing the negative impact caused by the opportunistic routing. In addition, our work is the first to identify that opportunistic routing aggravates the impact of DoS attacks on data delivery based on theoretical analysis and evaluation results.

III. NETWORK AND SECURITY MODEL

A. NETWORK MODEL

We assume a multi-hop WSN which consists of a number of sensor nodes and some sinks/receivers is deployed for one application of IoT. Sensor nodes within the wireless transmission range $R$ could directly send data to each other. The multi-hop communication is enabled when their Euclidean distance is greater than the transmission range. We assume that the sensor network is a dense network, where each sensor node has plenty of neighbor nodes. Thus, this network can be defined by a graph $G(V, L)$, where $V$ depicts the set of sensor nodes and $L$ depicts the set of direct links between sensor nodes. We denote a link $l_{i,j} \in L$ if the Euclidean distance between the sender node $i \in V$ and the receiver node $j \in V$ is less than the wireless transmission range $R$.

We assume sensor nodes are stationary, and know their location information and the position information of sinks. Besides, nodes are aware of the location information of their neighbor nodes through beacon messages in the general geographic routing, i.e., a sensor node periodically broadcasts its identity, location information and residual energy in beacon messages [13]. As the energy issue is a major challenge in the WSN, we assume that sinks are equipped with powerful devices and other sensor nodes operate on limited batteries. Based on beacon messages, it is feasible for nodes to obtain the energy information of their neighbor nodes.

In this work, we mainly concentrate on the performance of data delivery in the network layer. To achieve the coordination of candidate forwarders in our protocol, we exploit a modified MAC protocol which is proposed for opportunistic routing based on RTS/CTS/ACK mechanism in the IEEE 802.11b [15]. However, other MAC layer problems such as hidden terminal or collision avoidance are not considered in this paper.

For security protection, a Public Key Infrastructure (PKI) is required for key management in the WSN [36]. We assume each sensor node has a pair of ECDSA keys: a public key for verification and a private key for signing data packets. A trusted Certificate Authority (CA) would endorse the public keys as legal identities of sensor nodes. In the real deployment, sink nodes or developers of applications could act in the role of CA. We assume each sensor node knows the public keys of all nodes, and never releases its private key to another party.

B. SECURITY MODEL

In this paper, our goal is to design an efficient and reliable data delivery protocol which technically maintains the desired authentic data in WSNs. Therefore, we should provide these important properties for data packets.

1) Data Integrity

Before transmitting a data packet, a sensor node is supposed to ensure the authenticity of data relayed by its neighbor nodes. Otherwise, sinks would receive plenty of invalid data from the DoS attackers, which disrupts the normal operations of applications. To provide the property of data integrity, an authentication scheme is indispensable for WSNs.

2) Non-repudiation

The property of non-repudiation usually involves authentication. It permits a sink to prove to third parties that the sender node is responsible for the data packet. According to this property, sinks can ascertain the sender of any invalid data packet and report attackers to trusted CAs.

3) Data Reliability

Because of the broadcast and shared nature of the wireless medium, data packets are susceptible to loss due to link failures. Even though the effect of data loss is inevitable in WSNs, it should not disable the operations of applications based on IoT. Therefore, it is essential to guarantee high reliability for any data delivery protocol.

4) DoS Attack Resistance

Without any authentication scheme, the DoS attackers may send a lot of invalid data packets in the network to waste communication resources of networks or disrupt the normal data delivery. Moreover, sensor nodes normally have limited computational and energy resources. To defend against DoS attackers, the authentication scheme should have low computational cost for energy efficiency in WSNs.

We consider each sensor node registers with the CA by preloading a public/private key pair: $PK$ and $SK$. The private key $SK_i$ is exploited by the sender node $i$ to sign the data packet. A receiver node/sink can ensure the authenticity of the data packet by the public key $PK_i$ of the sender. We consider DoS attacks are caused by one or more attackers sending a number of illegitimate signature packets to sinks. To avoid being detected, attackers may sometimes send valid data with legitimate signatures in the network. If someone reports the DoS attackers to the CA or any trusted legal authority, they will seek to repudiate data packets that have been created by them. In this work, we do not consider the location spoofing attacks and black hole attacks, which can be addressed by the existing security schemes [23], [25]. The issues of eavesdropping and data privacy are out of the scope of this paper.

IV. SELECTIVE AUTHENTICATION BASED GEOGRAPHIC OPPORTUNISTIC ROUTING

In this section, we first give an overview of our selective authentication based geographic opportunistic routing, and then describe its primary components.

[Figure 1 diagram: SelGOR at the top; below it Trust-based Geographic Opportunistic Routing, Selective Authentication Algorithm and Cooperative Verification Scheme; at the bottom An SSI-based Trust Model, Candidate Selection, Opportunistic Routing, Node Verification Probability, Verification Notice and Warning Push.]

FIGURE 1. The overview of SelGOR.

A. PROTOCOL OVERVIEW

Our SelGOR protocol mainly contains three major components: trust-based geographic opportunistic routing, selective authentication algorithm and cooperative verification scheme. As shown in Figure 1, we first give the overview of the three components as follows:

• Trust-based geographic opportunistic routing: By collecting and analyzing historical data transmission of wireless links, a sensor node establishes an SSI-based trust model and dynamically updates it in WSNs. When a data packet arrives at a sensor node, the sensor node needs to determine the candidate forwarder set from its neighbors in order to achieve reliable data delivery in opportunistic routing. To do so, the sensor node assigns the priority to each candidate forwarder based on the routing metric, which is defined on the SSI-based trust model. Therefore, trust-based geographic opportunistic routing includes an SSI-based trust model, candidate selection and opportunistic routing. We will present its construction in Section IV-B.
• Selective authentication algorithm: Before sending any data packet, a sensor node needs to ensure the authenticity of the packet to defend against DoS attacks. We present an entropy-based selective authentication algorithm that can quickly block the invalid data packets without checking all signatures on every hop. If the sensor node knows more/less information about a received signature, it could be checked with a lower/higher probability. In addition, we leverage node verification probability, which could be actively adjusted based on the received invalid signatures, to achieve isolation of attackers. We will present this algorithm in Section IV-C.
• Cooperative verification scheme: When a sensor node begins to verify a data packet before transmission, it undermines the priorities of candidate forwarders defined by the opportunistic routing. Hence, we design the mechanism of verification notice to address this issue. After verification, we could exploit the mechanism of warning push to share the verification result between candidate forwarders for efficient and fast isolation. Cooperative verification scheme, including the mechanism of verification notice and warning push, is presented in Section IV-D.

In SelGOR, a data packet $M$ is opportunistically routed from the source to the sink. As illustrated in Figure 2, each route segment consists of a set of candidate forwarders (e.g., node $R_1$, $R_2$ and $R_3$). Our SelGOR works as follows.

When $M$ arrives at node $A$, the relay node $A$ would determine the priorities of candidate nodes based on the routing metric, which is constructed based on the SSI-based trust model. In our example, we assume that the decided order is $\{R_1, R_2, R_3\}$, which indicates nodes would forward $M$ with the priority rule ($R_1 > R_2 > R_3$). The priority rule is usually realized by the distinctive timer run on each candidate node [10], [15]. Accordingly, node $R_1$ becomes the first candidate node to relay the data packet. If the link quality is poor, it cannot receive $M$ and the transmission is interrupted. However, due to the shared wireless channel, node $A$ and other candidate nodes do not hear any packet transmission from node $R_1$ at this moment, and then detect the failure of the wireless link. Node $A$ adjusts the trust of link $l_{A,R_1}$ in the SSI-based trust model. Meanwhile, node $R_2$ is activated to transmit $M$. When its timer expires, node $R_2$ becomes the relay node of $M$ with the principle of opportunistic routing.

Provided that node $R_1$ receives the packet $M$ correctly, it performs the selective authentication algorithm to decide whether to check $M$ or not. If it skips the verification process based on the node verification probability of node $A$, the data packet is promptly transmitted to the next relay node. Based on the scheme of opportunistic routing, node $R_2$ and $R_3$ cancel the transmissions of $M$ by disabling their own timers. However, if it decides to verify $M$, a packet of verification notice should be multicast to the other candidates with low priorities in order to reset their timers. After finishing verification, node $R_1$ sends out $M$ to the next relay node if it is valid. Concurrently, node $R_2$ and $R_3$ disable their timers to cancel the transmissions of $M$. In case $M$ does not pass the verification, node $R_1$ drops $M$ and increases the node verification probability of node $A$. To share the verification result, a packet of warning push is then sent to the other candidates with low priorities. Once receiving the warning push, node $R_2$ and $R_3$ cancel the transmissions of $M$ and simultaneously increase the node verification probability of node $A$.

It is possible to consider that node $R_1$ would deliberately drop $M$ and send warning push after successful verification of $M$. In this work, we do not exclusively deal with this issue to simplify our model. However, this attack is likely to be addressed by designing a new reputation model for sensor nodes.

B. TRUST-BASED GEOGRAPHIC OPPORTUNISTIC ROUTING

Our trust-based geographic opportunistic routing consists of an SSI-based trust model, candidate selection and opportunistic routing to provide reliable data delivery. First, we design an SSI-based trust model by characterizing unreliable wireless links in WSNs. Second, we integrate the SSI-based trust model into our routing metric to select multiple candi-
VOLUME x, 2019 5

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2019.2902843, IEEE Access

C. Lyu et al.: Selective Authentication based Geographic Opportunistic Routing in WSNs for IoT against DoS Attacks

Node R1 N Dki (n) is updated by αN Dki (n) + 1, where α (0 < α ≤ 1)


is the parameter of adjustment rate in the system. Once node
k hears a successful transmission by node i, N Ski (n) turns
Node A Node B
M
Node R2
into αN Ski (n)+1 so that the trust of the link lk,i is positively
changed. Otherwise, N Ski (n) becomes αN Ski (n) in terms
of a failed transmission, and the trust degree is negatively
Node R3
changed.
In order to achieve the stability of the trust for candidate
selection in opportunistic routing, the trust of link lk,i at time
t is updated through iterations in node k’s neighbor list:
(a) The network topology
Tki (t) = ωTki (t − n) + (1 − ω)Tki (n), (2)
An SSI-based Candidate Selection Opportunistic
Trust Model (R1, R2, R3) Routing where ω (0 ≤ ω ≤ 1) is the weight to balance the preference
between current and historic state information. As there is no
Cancel transmissions of ambiguity with respect to the time, we use Tki for brevity.
R2 and R3
Node R1
M Selective 2) Candidate Selection
No
Authentication Send M
Algorithm In opportunistic routing, plenty of routing metrics have been
developed in the literature to select candidates for load bal-
Yes ance, energy saving or QoS provisioning in WSNs. By jointly
Verification
Notice considering the proposed techniques and unreliable wireless
Reset the timers for
R1, R2 and R3
links, we mainly exploit three factors to design our routing
Cooperative
M is valid metric, including the single-hop distance progress [14], [16],
Verification the trust degree and the remaining energy of the neighbor
Scheme
Cancel transmissions of node.
M is invalid
R2 and R3 Supposing that a node k is sending a data packet to the
Warning sink/receiver (denoted as s), and node i is one of its neighbor
Drop M
Push node which is set closer to the sink than node k. When a data
(b) The work flow of node R1 packet is transmitted from node k to node i, we define single-
hop distance progress as SPki :
FIGURE 2. The illustration of SelGOR.
SPki = D(k, s) − D(i, s), (3)
dates from neighbor nodes. At last, we describe the scheme
where D(k, s) is the Euclidian distance between node k and
of opportunistic routing.
node s. We define Qk as the available candidate forwarder set
for node k, where all nodes have positive single-hop distance
1) SSI-based Trust Model
progresses.
By collecting and analyzing historical data transmission of In the traditional geographic routing, node k selects a
neighbors, we exploit the ratio of the number of packets single candidate with the highest SPki in Qk for data delivery.
successfully delivered to the number of packets sent to char- However, more thought must be given to improving data
acterize the trust of a link. At a high level, a sensor node delivery. On the one hand, we should integrate the trust
k divides the timeline into a chain of observation intervals, degree of the wireless link in our routing metric. Based on
which has the same length of n. During each observation the SSI-based trust model, node k is able to obtain the trust
interval, it is possible for node k to hear the wireless channel Tki of link lk,i in the neighbor list. Inspired by the prior
and check whether a data packet is truly forwarded by the research [16], we take Tki times SPki in our routing metric
selected neighbor node. For one of the observation intervals, to improve the QoS of data delivery. On the other hand,
the number of data packets transmitted by a neighbor node some links may become expired due to energy shortage of
i is denoted as N Ski (n), and the number of data packets sensor nodes. Hence, the remaining energy (denoted as RE)
sent to it is denoted as N Dki (n). Therefore, node k could should be also taken into account. In the WSN, node k is
evaluate the trust of the link lk,i , which is defined as Tki (n) aware of the remaining energy RE i of node i according to
(0 ≤ Tki (n) ≤ 1). the scheme of periodic beacon messages in the geographic
N Ski (n) routing. Therefore, the routing metric RMki of node i is
Tki (n) = . (1) defined as follows:
N Dki (n)
RMki = γ(SPki × Tki ) + (1 − γ)RE i , (4)
At the start of an observation interval, N Ski (n) is initial-
ized to zero and N Dki (n) is initialized to one. When a data where γ (0 < γ < 1) is the parameter to balance the energy,
packet is relayed by node k to node i as the next hop node, trust and positive progress to the sink.
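The trust update of Equations (1) and (2) and the routing metric of Equations (3) and (4), worked through in Python as an added example that is not the authors' implementation. The class and function names, the starting trust of 1.0, the normalisation of SP by the 80 m transmission range and of RE to a 0..1 fraction, and the constructed neighbor observations are assumptions; the scheme from [16] that keeps candidates within range of each other is left out.

```python
import math
from dataclasses import dataclass, field

ALPHA, OMEGA, GAMMA = 0.9, 0.7, 0.7   # weight values listed in Table 1


@dataclass
class LinkTrust:
    """State node k keeps for the link to one neighbor i."""
    trust: float = 1.0   # T_ki from earlier intervals (starting value is an assumption)
    ns: float = 0.0      # NS_ki(n), initialised to zero
    nd: float = 1.0      # ND_ki(n), initialised to one

    def record(self, forwarded: bool) -> None:
        """Node k relayed a packet to i and listened for i forwarding it."""
        self.nd = ALPHA * self.nd + 1
        self.ns = ALPHA * self.ns + (1.0 if forwarded else 0.0)

    def close_interval(self) -> float:
        """End of an observation interval: Eq. (1), then Eq. (2)."""
        interval_trust = self.ns / self.nd
        self.trust = OMEGA * self.trust + (1 - OMEGA) * interval_trust
        self.ns, self.nd = 0.0, 1.0
        return self.trust


@dataclass
class Neighbor:
    name: str
    pos: tuple
    energy: float                      # remaining energy as a fraction (assumption)
    link: LinkTrust = field(default_factory=LinkTrust)


def routing_metric(k_pos, sink_pos, nb, tx_range=80.0):
    """Eq. (4); returns None when the neighbor makes no progress (not in Q_k)."""
    sp = math.dist(k_pos, sink_pos) - math.dist(nb.pos, sink_pos)   # Eq. (3)
    if sp <= 0:
        return None
    return GAMMA * (sp / tx_range) * nb.link.trust + (1 - GAMMA) * nb.energy


def select_candidates(k_pos, sink_pos, neighbors, n=3):
    """Sort Q_k by RM in descending order and keep the first n as C_k."""
    scored = [(routing_metric(k_pos, sink_pos, nb), nb.name) for nb in neighbors]
    ranked = sorted(((rm, name) for rm, name in scored if rm is not None), reverse=True)
    return [name for _, name in ranked[:n]]


def demo():
    """Constructed scenario: node k at (0, 0), sink at (300, 0)."""
    lossy = [True, False, False, True, False, False, False, True, False, False]
    reliable = [True] * 10
    neighbors = [
        Neighbor("far", (75, 0), 0.9),     # most progress, but lossy link
        Neighbor("mid", (55, 10), 0.8),
        Neighbor("near", (30, -5), 1.0),
        Neighbor("weak", (60, -20), 0.1),  # good link, nearly out of energy
        Neighbor("back", (-20, 0), 1.0),   # farther from the sink than k
    ]
    for _ in range(3):                     # three observation intervals
        for nb in neighbors:
            for forwarded in (lossy if nb.name == "far" else reliable):
                nb.link.record(forwarded)
            nb.link.close_interval()
    trust = {nb.name: nb.link.trust for nb in neighbors}
    return select_candidates((0, 0), (300, 0), neighbors), trust


if __name__ == "__main__":
    candidates, trust = demo()
    print(candidates, {k: round(v, 3) for k, v in trust.items()})
```

Plain geographic routing would pick "far" because it has the largest SP; with the trust term its lossy link drops it to second place behind "mid".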
Based on the routing metric, candidates in $Q_k$ are sorted in descending order. The first N candidates could be selected into the candidate forwarder set, which is denoted as $C_k$ ($C_k \subseteq Q_k$). We further optimize $C_k$ with the scheme in [16] so that all the candidates in $C_k$ are neighbors. We validate the effectiveness of the new routing metric based on our SSI-based trust model in Section VI-B.

3) Opportunistic Routing

After candidate selection, the source/intermediate node k is ready to send a data packet to the sink. It first performs the selective authentication algorithm (see Section IV-C) to decide whether to check the data packet or not. When it skips the verification process or the verification result is true, it broadcasts the data packet, which includes the list of candidates and their priorities according to $C_k$. In the opportunistic routing, each candidate forwarder follows the assigned priority to forward the data packet, as shown in Algorithm 1.

Algorithm 1 Procedure of Opportunistic Routing Run by Candidate Nodes.
Input: a data packet broadcast to N candidate nodes with their priorities defined by the sender k
Output: successful and coordinated data delivery

    if Node i ∈ Ck then
        Receive the data packet;
        Start a timer and time(i) = τ ∗ Order(i), where τ is a constant and Order(i) is the priority of node i defined in the data packet; // Order(i) = 0, 1, ..., N − 1
    end if
    // Node i is selected as the first candidate node;
    if time(i) == 0 then
        Node i becomes the next-hop sender, which is ready for data transmission;
        return
    end if
    // Node i is not selected as the first candidate node;
    while time(i) != 0 do
        if Node i overhears that the data packet is being transmitted by another candidate node then
            Cancel the timer time(i) and drop the data packet;
            return
        end if
    end while
    // The timer of node i expires
    Node i becomes the next-hop sender, which is ready for data transmission;
    return

After receiving the data packet correctly, a candidate node i starts a timer time(i) = τ ∗ Order(i), where τ is a constant and Order(i) is its priority defined in the data packet. Therefore, the higher-priority node has a shorter timer. As a result, the first candidate node instantly turns into the next-hop sender. It would establish its own forwarder set, and prepare for the data transmission.

According to the timers, each other low-priority candidate node caches the received data packet and waits for transmission. If it hears that the data packet is being transmitted by another high-priority node, it would cancel the timer and drop the data packet. Once the timer expires, the candidate node becomes the next-hop sender, and prepares for the data transmission. Subsequent sensor nodes carry out the same process until the data packet reaches the sink.

C. SELECTIVE AUTHENTICATION ALGORITHM

Before sending a data packet, each sender node signs the data packet with its ECDSA private key in order to provide the security properties of data integrity and non-repudiation in WSNs. To preserve the computational and energy resources, relay nodes often forward data packets without verification until the sink node checks the signatures of data packets. However, such a forwarding scheme is vulnerable to DoS attacks, where attackers send a large number of bogus data packets with illegal signatures to waste the network resources and disrupt the normal operations of WSNs. In particular, opportunistic routing makes DoS attacks more serious, because invalid data packets are reliably delivered with multiple candidate forwarders. The scheme of checking signatures on every node can block the invalid data packets, but it immensely extends the delivery delay and is computationally expensive.

To respond to the challenge of designing a lightweight authentication scheme for opportunistic routing, we leverage a selective authentication algorithm that can quickly block bogus signatures without checking all the signatures at every sensor node. We observe that a received signature can be verified with a lower probability when the sensor node knows more information about the forwarder. Hence, forwarder or neighbor identification should be supported in our algorithm. There are many efficient schemes for neighbor identification (e.g., TESLA [35]), and our algorithm works with all of them. As the measurement of uncertainty, node verification probability is exploited to achieve isolation of attackers, which could be adjusted dynamically according to received invalid signatures.

We denote $v_{yx}$ as the probability that node y verifies a data packet forwarded by a neighbor node x. Our goal is to update $v_{yx}$, leading to $v_{yx} \to 0$ for benign x, and $v_{yx} \to 1$ for malicious x. After a period of time, we want to make neighbor nodes of a DoS attacker verify every data packet and neighbor nodes of a benign node verify nothing.

In the neighbor list of a sensor node, each neighbor node is assigned a node verification probability. For example, if node y receives the packet $M_x$ sent by node x and the packet $M_z$ sent by node z, y would check $M_x$ with the probability $v_{yx}$, and $M_z$ with the probability $v_{yz}$. These node verification probabilities should be updated over time.

To initialize the node verification probability, the sensor node could set an initial value for every new neighbor node. After the initial allocation, the value of node verification probability is able to be adjusted in many ways, such as a
linear function and a step function. As suggested in [37], we employ the step function, which maintains $v_0$ and jumps to one when receiving the threshold number of invalid signatures, to achieve the isolation of DoS attackers. The node verification probability is also affected by receiving warning push, which will be discussed later.

In our implementation, our selective authentication algorithm verifies the first data packet from a new neighbor, and then sets the initial node verification probability to $v_0$ for later data packets. The links associated with attackers have a high probability of verification over time, and attackers that have sent numerous invalid signatures are blocked from communication. We evaluate the performance of our selective authentication algorithm in Section VI-C and VI-D.

D. COOPERATIVE VERIFICATION SCHEME

Our cooperative verification scheme is proposed to optimally integrate the selective authentication algorithm into trust-based geographic opportunistic routing. When a sensor node decides to verify a data packet, it breaks down the priorities of candidate forwarders defined by the opportunistic routing. This is because the verification time of a signature is much greater than the transmission time [18]. Therefore, we design the mechanism of verification notice to restore the priorities of candidate forwarders in opportunistic routing. After verification, we use the mechanism of warning push to share the verification information of invalid signatures between candidates for efficiency. This enables SelGOR to accelerate the isolation of attackers, and avoid duplicate invalid data transmission or redundant signature verification. Algorithm 2 describes our cooperative verification scheme, which mainly consists of the mechanism of verification notice and the mechanism of warning push.

Algorithm 2 Procedure of Cooperative Verification Run by Candidate Nodes.

    if Node i ∈ Ck becomes the next-hop sender then
        Perform selective authentication algorithm with the output of a flag;
        if The flag indicates verification then
            Broadcast a packet of Verification Notice;
            Verify the data packet;
            if The data packet is invalid then
                Increase node verification probability;
                Broadcast a packet of Warning Push;
                Drop the data packet;
            else
                Send the data packet with opportunistic routing;
            end if
        else
            Send the data packet with opportunistic routing;
        end if
    else
        if Node i receives Verification Notice then
            Increase its timer;
        end if
        if Node i receives Warning Push then
            Increase node verification probability;
            Stop its timer and drop the data packet;
        end if
    end if

FIGURE 3. A line model of relay nodes with the transmission range R. (Nodes at 0, d, 2d, ..., (L-1)d, Ld, from the origin to the sink.)

1) Verification Notice

Based on node verification probability, if a sender or a relay node decides to verify a data packet before transmission, it will broadcast a packet of verification notice, which includes its identity, the data packet's identifier (i.e., the identity of source node and the sequence number), the identities of candidate nodes with low priorities and the estimation of the verification time.

After receiving the verification notice, a candidate node specified in the packet will increase its timer by the verification time. Therefore, candidate nodes with low priorities need to wait for transmission until the signature is verified by the high-priority sensor node. With the reset timers, candidate nodes are reordered according to the priorities assigned in opportunistic routing.

2) Warning Push

If a data packet's signature agrees with the public key of the source node, it would be considered to be a valid data packet, and then forwarded by the relay node with opportunistic routing. Otherwise, it fails the verification and is dropped by the relay node. If an invalid signature is detected, the relay node adjusts the node verification probability of its preceding forwarder. As illustrated in Figure 2, the relay node R1 increases the node verification probability of node A if M is invalid. Besides, a packet of warning push, which contains the relay node's identity, the data packet's identifier, the identity of the preceding forwarder node and the identities of candidate nodes with low priorities, is broadcast by the relay node.

Upon receiving the warning push, a candidate node specified in the packet performs two operations. On the one hand, it increases the node verification probability of the preceding forwarder as well. In our example, nodes R2 and R3 increase the node verification probability of A if they receive the warning push from node R1. On the other hand, the candidate node stops its timer and then drops the data packet.

In contrast to most of the authentication schemes, which make each node verify the data packet independently, SelGOR exploits the shared verification information between
neighbors to assist the adjustment of node verification probability for fast isolation. By receiving the shared verification information, other candidate nodes become aware of the invalid data packet. Ultimately, they directly stop the opportunistic transmission and drop the data packet without extra verification, which significantly reduces the cost of bandwidth resources.

TABLE 1. Default Parameters for Simulation

Parameter | Value
Network size | 300m × 300m
Number of nodes | 60, 120 or 180
MAC protocol | IEEE 802.11b with 1 Mbps
Transmission range | 80m
Link quality | 0.8
Probability of attack rate | 0.5
Number of flows | 10 CBR
Packet size | 512 Bytes
Initial power of sensor node | 36 mW
Power for signature verification | 24 mW
ECDSA verification time | 1.62s
Initial node verification probability | v0 = 0.1 or 0.3
Number of candidate nodes | N = 3
Time slot | τ = 0.01s
Weight values | α = 0.9, ω = 0.7, γ = 0.7

V. PRELIMINARY ANALYSIS OF AUTHENTICATION

Since each sender signs every data packet with its private key, the signature of the data packet ensures the properties of data integrity and non-repudiation. Instead of checking every signature on the sensor node, we exploit the selective authentication algorithm to reduce the computational cost in SelGOR. Here, we study the effect of the selective authentication algorithm, and consider a simple line model for ease of modeling.

As shown in Figure 3, we assume sensor nodes are placed at locations 0, d, 2d, ..., Ld. The transmission range R is set to Nd. Therefore, each node has N candidate nodes for data forwarding. The DoS attacker is located at the origin location, and sends an invalid signature at intervals. We consider the attacker sends a valid signature to avoid being detected at the beginning (i.e., g = 0), and then sends invalid signatures after the first time interval (i.e., g = 1).

When a candidate node $i \in C_s$ receives a data packet from the sender s, it verifies the signature with the verification probability of $v_{is}$. We denote $F(g, h)$ as the expected number of invalid signatures forwarded h hops from the attacker at time g, where $0 \le h \le g$.

First, we analyze the impact of the selective authentication algorithm on the primary opportunistic routing. To isolate the DoS attacker, each sensor node independently verifies the signature based on the node verification probability. However, according to the rule of opportunistic routing, the data packet can be successfully forwarded to the next hop node as long as one of the candidates skips the process of verification. Hence, $F(g, h)$ of the primary opportunistic routing is calculated as:

$$F_{OR}(g, h) = g \ast \prod_{s=0}^{h-1} \Big(1 - \prod_{i=0}^{N-1} v_{is}\Big), \tag{5}$$

where $1 - \prod_{i=0}^{N-1} v_{is}$ indicates the probability that verification is skipped by at least one candidate.

Our protocol exploits the cooperative verification scheme to share the verification information between candidates. Therefore, if the first candidate finds an invalid signature, it instantly sends warning push to notify other candidates. Therefore, $F(g, h)$ of our SelGOR is expressed as:

$$F_{SelGOR}(g, h) = g \ast \prod_{s=0}^{h-1} (1 - v_{0s}), \tag{6}$$

where $v_{0s}$ indicates the node verification probability of the first candidate node.

FIGURE 4. The effect of authentication with g = 100. (a) F varies with h, when v0 is set to 0.3. (b) F varies with v0, when h is set to 3. Curves: Our SelGOR, OR with N=2, OR with N=4.

Considering that the initial node verification probability is set to $v_0$ for all nodes, we compare the impact of authentication on our SelGOR with that on primary opportunistic routing in Figure 4. The analysis result shows that SelGOR can converge more rapidly than the primary opportunistic routing with the selective authentication algorithm. As h increases, the number of invalid signatures in Equation (6) decreases much faster than that in Equation (5), since the mechanism of warning push accelerates the isolation process. When $v_0$ increases, more invalid signatures are dropped at one hop as expected. It is also observed that sinks receive more invalid signatures in primary opportunistic routing with a higher N, which theoretically confirms that DoS attacks pose serious threats to the primary opportunistic routing.
VI. PERFORMANCE EVALUATION

In this section, we perform simulation experiments to evaluate the performance of SelGOR under the DoS attacks in the OPNET network simulator. We first describe the simulation setup. Second, we show the reliability of SelGOR, and compare it with three other routing protocols under different link qualities. Third, we study the performance of SelGOR with different parameters. Finally, we provide the simulation results to demonstrate the effectiveness of authentication achieved by SelGOR.

A. SIMULATION SETUP

In our implementation, sensor nodes are placed randomly in the network of 300m×300m. The quality of the wireless link is varied from 0.5 to 1 for our test. Sensor nodes use ECDSA key pairs for signing and verification operations. To avoid being detected, the DoS attacker would sometimes send valid data with legitimate signatures. Hence, we consider the probability of attack rate is varied from 0.1 to 1 in different scenarios.

We use the Nakagami model in the physical layer and the modified version of IEEE 802.11b in the MAC layer to support opportunistic routing. In our test, we only consider the energy cost of signature verification, since it consumes orders of magnitude more energy than transmitting or receiving data packets [18]. Each simulation result is based on 20 iterations. Table 1 lists the default simulation parameters and the sample values commonly used by wireless sensor networks [11], [15], [16], [18].

We exploit the following metrics to evaluate SelGOR's performance in WSNs:

1) Packet Delivery Ratio (PDR): defined as the ratio of the number of packets received at the sinks to the number of packets sent by the source nodes.
2) Number of Verification: the total number of verification performed by the sensor nodes in the network during the simulation time, which is the indicator of computational cost as well as energy consumption.
3) Hop Count of Invalid Packets: measured as the average hop count of invalid data packets transmitted in the network.
4) Transmission Overhead of Invalid Packets: defined as the total number of invalid packets transmitted in the network (bits).
5) End-to-End Delay: the average time for the data packets delivered from source nodes to sinks, including both the valid and invalid data packets (seconds).
6) Proportion of Invalid Packets: the ratio of the number of invalid data packets received at the sinks to the total number of data packets received at the sinks.
7) Control Packet Overhead: the number of extra packets for data delivery in unit time (bits/s), including the beacon messages, the packet of verification notice and the packet of warning push.

FIGURE 5. The impact of link quality. (a) Packet Delivery Ratio. (b) End-to-End Delay. (c) Transmission Overhead of Invalid Packets. (d) Control Packet Overhead. Curves: SelGOR, GPSR, EQGOR, GOR-Sel; x-axis: Link Quality.
B. THE IMPACT OF LINK QUALITY

We first evaluate the performance of SelGOR with different link qualities in the 60-node network, and compare it with three other schemes: the single-path routing (i.e., GPSR [13]), the opportunistic routing (i.e., EQGOR [16]) and the opportunistic routing with authentication (i.e., GOR-Sel). For comparison, we introduce GOR-Sel, which is constructed by the trust-based geographic opportunistic routing and selective authentication algorithm, but lacks the cooperative verification scheme. The node verification probability is set to 0.1. The link quality, which indicates the packet reception ratio of the wireless link, ranges from 0.5 to 1.

Figure 5(a) shows the packet delivery ratio under different link qualities. As the link quality decreases, many data packets are dropped in the paths and the PDRs of all the schemes decline. Compared with GPSR, opportunistic routing schemes have much higher PDRs since multiple candidates are deployed at each hop for data delivery instead of one forwarder. It is also shown that SelGOR and GOR-Sel perform better than EQGOR, which indicates that integrating our SSI-based trust model into the routing metric could effectively improve the reliability of data delivery.

Figure 5(b) indicates the performance of end-to-end delay under different link qualities. We could see that using authentication in WSNs inevitably increases the delay of data delivery. When there are more packets lost due to poor link quality, it is shown that the delay of GOR-Sel sharply increases. This is because redundant verification has been incurred by opportunistic routing. In this case, GOR-Sel cannot be certain whether the data packet is dropped for being invalid or for link failure. With the scheme of warning push, SelGOR could reduce the number of verification, and the delay performance is not affected much by the link quality.

Figure 5(c) reports the transmission overhead of invalid packets under different link qualities. It is shown that our SelGOR has the lowest transmission overhead, and significantly preserves the computational resources. With multiple candidate forwarders, EQGOR introduces more than twice the transmission overhead of GPSR, which experimentally confirms that the DoS attacks are more serious for opportunistic routing.

Figure 5(d) plots the control packet overhead under different link qualities. It is seen that all the opportunistic routing schemes have higher control overhead than GPSR. Since we use the packets of verification notice and warning push to achieve the cooperative verification scheme, the overhead of SelGOR is slightly higher than the other two opportunistic routing schemes. To examine the scalability of SelGOR, we also evaluate the control packet overhead under different numbers of sensor nodes, as shown in Figure 6. We find that the overhead of the cooperative verification scheme only occupies a tiny proportion of overall control overhead. It means that our SelGOR scheme is scalable with little communication overhead.

FIGURE 6. Control packet overhead with different number of nodes. Curves: SelGOR, GPSR, EQGOR, GOR-Sel; x-axis: Number of Nodes; y-axis: Control Packet Overhead (bits/s).

Based on these results, SelGOR performs best, which has the highest packet delivery rate with an acceptable delay even over the poor wireless links. When there are DoS attackers in the network, it could effectively stop at least 70% invalid data packets spreading with a relatively low communication overhead compared to the EQGOR scheme.

C. THE IMPACT OF PARAMETER

We examine how the number of candidate nodes N and the initial node verification probability $v_0$ affect our scheme in the 120-node network. As a significant parameter in the opportunistic routing, the number of candidate nodes ranges from 1 to 4 for the evaluation of SelGOR.

FIGURE 7. The proportion of invalid packets under different number of candidate nodes. Series: v0 = 0.1, v0 = 0.3; x-axis: Number of Candidate Nodes; y-axis: Proportion of Invalid Packets.

FIGURE 8. The end-to-end delay under different number of candidate nodes. Series: v0 = 0.1, v0 = 0.3; x-axis: Number of Candidate Nodes; y-axis: ETE Delay (s).

The proportion of invalid packets is shown in Figure 7. With a higher $v_0$, the relay nodes increase the number of verification and then filter more invalid data packets. Hence, fewer invalid packets arrive at the sinks leading to the decrease
of the ratio of the number of invalid packets to all the received packets. Therefore, the initial node verification probability plays an important role in the proportion of invalid packets. We also find that the proportion of invalid packets does not change much with the number of candidate nodes. These simulation results correspond to our analysis of Equation (6) in Section V.

Figure 8 illustrates the end-to-end delay under different numbers of candidate nodes. As the initial node verification probability increases, the delay of data packets apparently increases from 0.6 to 1. Although prior work has shown that an increase in the number of candidate nodes could extend the end-to-end delay of data packets in opportunistic routing [15], the end-to-end delay of our SelGOR does not rise as N increases in our simulation. The reason is mainly that the verification delay of the data packet dominates the end-to-end delay, so that such an increase becomes negligible for data delivery. It is observed that the end-to-end delay is significantly influenced by the initial node verification probability.

From the above results, the proportion of invalid packets would decrease with a high v0. However, such a setting could critically increase the end-to-end delay. Hence, the choice of the initial node verification probability should be determined by the specific requirement of IoT-based applications.

D. THE PERFORMANCE OF AUTHENTICATION

We analyze the performance of authentication under the scenarios of lossless wireless links. In the scenarios, we compare SelGOR with the other four solutions under the topologies with different attack rates of the DoS attackers. These five solutions are now summarized in Table 2: 1) No-Verify is the primary geographic opportunistic routing without an authentication scheme. 2) Verify-All is the approach where every sensor node verifies each incoming data packet. 3) GPSR-Sel is the common unicast routing GPSR where every sensor node selectively verifies data packets. 4) GOR-Sel makes use of the selective authentication algorithm without the cooperative verification scheme.

TABLE 2. Comparison of five schemes

Scheme      Geographic  Opportunistic  No              All             Selective       Cooperative
            Routing     Routing        Authentication  Authentication  Authentication  Verification
SelGOR      X           X              -               -               X               X
No-Verify   X           X              X               -               -               -
Verify-All  X           X              -               X               -               -
GPSR-Sel    X           -              -               -               X               -
GOR-Sel     X           X              -               -               X               -

Figure 9 shows the effectiveness of authentication in each of the schemes by examining how far the invalid data packets can transfer. In this test, the attacker sends invalid packets with the data rate of 1Hz, and the attack rate is 0.5. The node verification probability for the selective authentication algorithm is set to 0.3. It can be observed that Verify-All > Our SelGOR > GPSR-Sel > GOR-Sel > No-Verify in terms of the ability to prevent invalid data packets. We also find that GOR-Sel, which only uses the selective authentication algorithm, does not perform well. With the cooperative verification scheme, SelGOR stops more invalid packets in the network and accelerates the isolation of attackers as we expected. Verify-All perfectly blocks all invalid data packets, but it has a very high computational overhead that we will show shortly.

FIGURE 9. Hop count of invalid packets. (Five panels: No-Verify, Verify-All, GPSR-Sel, GOR-Sel, SelGOR; x axis: time (second); y axis: hop count.)

We study the effectiveness of authentication under different scenarios by changing the attack rate from 0.1 to 1. The performance of the proportion of invalid data packets is indicated in Figure 10. Our SelGOR could block more than 80% of invalid data packets, which is better than both GPSR-Sel and GOR-Sel. It is observed that GPSR-Sel which
uses one path for data delivery is sensitive to the attack rate. In terms of the proportion of invalid data packets, both our SelGOR and GOR-Sel do not vary much as the attack rate increases, since opportunistic routing exploits multiple candidate forwarders, leading to more stable data delivery.

FIGURE 10. Authentication: the proportion of invalid packets under different attack rates. (Plot; x axis: attack rate, 0.1 to 1.0; y axis: proportion of invalid packets; series: SelGOR, No-Verify, Verify-All, GPSR-Sel, GOR-Sel.)

Figure 11 shows the number of verifications during the simulation time. Since every node verifies the incoming data packet, the computational cost of Verify-All is the highest among the five schemes. By using the selective authentication algorithm, GPSR-Sel has a low number of verifications. However, because of the rule of opportunistic routing, GOR-Sel introduces more than twice the number of verifications of GPSR-Sel. Compared with GOR-Sel, our SelGOR apparently reduces the number of verifications by 50%, which validates that the cooperative verification scheme could effectively decrease the number of verifications caused by opportunistic routing. It is clearly seen that SelGOR reaches performance close to GOR-Sel, which indicates the high efficiency of our SelGOR.

Figure 12 plots the transmission overhead of invalid packets. We find that GOR-Sel has more transmission overhead of invalid packets than GPSR-Sel. The reason is that the transmission of the invalid data packets is continued although these packets are dropped by some high-priority candidate after verification. Since our SelGOR employs the mechanism of warning push to share the verification result between candidates, it is able to maintain a low transmission overhead of invalid data packets.

FIGURE 12. Authentication: the transmission overhead of invalid data packets under different attack rates. (Plot; x axis: attack rate, 0.1 to 1.0; y axis: transmission overhead (bits); series: SelGOR, No-Verify, Verify-All, GPSR-Sel, GOR-Sel.)

Figure 13 depicts the hop count of invalid packets among the five schemes. The hop count of invalid packets of GOR-Sel is very high and does not vary with the attack rate. This is because there are duplicate transmissions of invalid data as illustrated in Figure 12. From the simulation result, the hop count of invalid data of SelGOR is much lower than that of GOR-Sel and GPSR-Sel. It is worth noting that SelGOR efficiently blocks invalid data packets at the first two hops.

FIGURE 13. Authentication: the hop count of invalid data packets under different attack rates. (Plot; x axis: attack rate, 0.1 to 1.0; y axis: hop count of invalid packets; series: SelGOR, No-Verify, Verify-All, GPSR-Sel, GOR-Sel.)

As a summary, SelGOR prevents more than 80% of invalid data packets, while it consumes less than 50% of the number of verifications compared to the solution of Verify-All, and 50% of transmission overhead compared to the solution of No-Verify. The simulation results also highlight that our cooperative verification scheme could significantly decrease the number of verifications and the transmission overhead raised by the opportunistic routing.
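The section above attributes GOR-Sel's extra verifications and transmissions to invalid packets that keep moving after a high-priority candidate has verified and dropped them, and credits warning push with stopping this; it also notes that the initial verification probability drives how many invalid packets get through. The following Python sketch is an added illustration, not the paper's simulator or the SelGOR implementation: it is a simplified analytic model that assumes lossless links, one fixed verification probability v at every relay, a five-hop path, and lower-priority candidates that take over after a silent drop.

```python
# Added illustration, not the paper's simulator or the SelGOR implementation.
# Assumptions: lossless links, one fixed verification probability v per relay,
# n candidates tried in priority order, and verification always detects an
# invalid packet. The 5-hop default path length is a constructed value.
from dataclasses import dataclass


@dataclass
class HopOutcome:
    p_forward: float      # probability the invalid packet leaves this hop
    verifications: float  # expected signature verifications at this hop


@dataclass
class PathMetrics:
    p_reach_sink: float   # share of invalid packets that reach the sink
    forwards: float       # expected relay transmissions per invalid packet
    verifications: float  # expected verifications per invalid packet


def hop_outcome(v: float, n: int, warning_push: bool) -> HopOutcome:
    """Walk one hop's candidate list, in priority order, for an invalid packet."""
    if not 0.0 <= v <= 1.0 or n < 1:
        raise ValueError("need 0 <= v <= 1 and n >= 1")
    p_pending = 1.0  # probability that no candidate has settled the packet yet
    p_forward = verifications = 0.0
    for _ in range(n):
        verifications += p_pending * v      # this candidate verifies and drops
        p_forward += p_pending * (1.0 - v)  # or relays the packet unverified
        if warning_push:
            # The verifier warns the other candidates, so the hop is settled.
            break
        # Silent drop: the next candidate cannot tell it from a lost packet
        # and takes over when its forwarding timer expires.
        p_pending *= v
    return HopOutcome(p_forward, verifications)


def path_metrics(v: float, n: int, hops: int, warning_push: bool) -> PathMetrics:
    """Accumulate the per-hop outcome over a path of `hops` relay stages."""
    hop = hop_outcome(v, n, warning_push)
    p_alive = 1.0
    forwards = verifications = 0.0
    for _ in range(hops):
        verifications += p_alive * hop.verifications
        p_alive *= hop.p_forward
        forwards += p_alive
    return PathMetrics(p_alive, forwards, verifications)


def sweep(hops: int = 5):
    """Rows of (v, n, silent-drop metrics, warning-push metrics)."""
    return [(v, n, path_metrics(v, n, hops, False), path_metrics(v, n, hops, True))
            for v in (0.1, 0.3) for n in range(1, 5)]


if __name__ == "__main__":
    print(" v   n | silent drop: reach  verif   fwd | warning push: reach  verif   fwd")
    for v, n, silent, push in sweep():
        print(f"{v:.1f}  {n} | {silent.p_reach_sink:18.3f} {silent.verifications:6.3f} "
              f"{silent.forwards:5.2f} | {push.p_reach_sink:19.3f} "
              f"{push.verifications:6.3f} {push.forwards:5.2f}")
```

In this model the share of invalid packets reaching the sink under warning push depends on v but not on the number of candidates, while silent drops let more candidates raise both the verification count and the number of forwards.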
FIGURE 11. Authentication: the number of verifications under different attack rates. (Plot; x axis: attack rate, 0.1 to 1.0; y axis: number of verifications; series: SelGOR, No-Verify, Verify-All, GPSR-Sel, GOR-Sel.)

VII. CONCLUSION

In this paper, we designed an efficient scheme SelGOR aiming to provide the properties of authenticity and reliability of data delivery for IoT-based applications. As a trust-based geographic opportunistic routing, SelGOR exploits the SSI-based trust model to improve the reliability of data delivery in WSNs. To defend against DoS attacks, we studied the existing authentication schemes and found that they failed to operate for opportunistic routing due to either being unserviceable or high computational cost in WSNs. Hence, we
developed a lightweight selective authentication algorithm to isolate DoS attackers with low computational cost. To combine the selective authentication algorithm with opportunistic routing, we designed a distributed cooperative verification scheme, which could block the spread of invalid data packets and reduce the number of signature verifications raised by the opportunistic routing. Extensive evaluations indicate that our SelGOR holds a high packet delivery rate even over poor wireless links. With low communication cost, our SelGOR effectively blocks the DoS attackers while significantly reducing the computational cost compared to other schemes.

From our evaluation results, our protocol runs efficiently with respect to the computational and communication resources. However, the end-to-end delay could become quite long when a high node verification probability is chosen. In future work, we will formulate the problem, and study how to adjust the node verification probability to achieve the optimal performance of delay. Another extension of our work is to establish the behavior model of DoS attackers and investigate the improvement of the selective authentication algorithm.

REFERENCES

[1] L. Atzori, A. Iera, and G. Morabito, “The Internet of Things: A survey,” Computer Networks, vol. 54, no. 15, pp. 2787-2805, Oct. 2010.
[2] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645-1660, 2013.
[3] L. D. Xu, W. He, and S. Li, “Internet of Things in industries: A survey,” IEEE Transactions on Industrial Informatics, vol. 10, no. 4, pp. 2233-2243, Nov. 2014.
[4] R. H. Weber, “Internet of Things-New security and privacy challenges,” Computer Law & Security Review, vol. 26, no. 1, pp. 23-30, Jan. 2010.
[5] J. N. Al-Karaki and A. E. Kamal, “Routing techniques in wireless sensor networks: A survey,” IEEE Wireless Communications, vol. 11, no. 6, pp. 6-28, Dec. 2004.
[6] E. Felemban, C. G. Lee, and E. Ekici, “MMSPEED: Multipath multi-speed protocol for qos guarantee of reliability and timeliness in wireless sensor networks,” IEEE Transactions on Mobile Computing, vol. 5, no. 6, pp. 738-754, Jun. 2006.
[7] S. Li, R. K. Neelisetti, C. Liu, and A. Lim, “Efficient multi-path protocol for wireless sensor networks,” International Journal of Wireless and Mobile Networks, vol. 2, no. 1, pp. 110-130, 2010.
[8] X. Huang and Y. Fang, “Multiconstrained qos multipath routing in wireless sensor networks,” Wireless Networks, vol. 14, no. 4, pp. 465-478, 2008.
[9] G. Schaefer, F. Ingelrest, M. Vetterli, “Potentials of opportunistic routing in energy-constrained wireless sensor networks,” in Proceedings of the 6th European Conference on Wireless Sensor Networks, February 11-13, 2009, Cork, Ireland.
[10] R. Sanchez-Iborra and M. Cano, “JOKER: A novel opportunistic routing protocol,” IEEE Journal on Selected Areas in Communications, vol. 34, no. 5, pp. 1690-1703, May 2016.
[11] J. Luo, J. Hu, D. Wu, and R. Li, “Opportunistic routing algorithm for relay node selection in wireless sensor networks,” IEEE Trans. Ind. Informat., vol. 11, no. 1, pp. 112-121, Feb. 2015.
[12] J. So and H. Byun, “Load-balanced opportunistic routing for duty-cycled wireless sensor networks,” IEEE Transactions on Mobile Computing, vol. 16, no. 7, pp. 1940-1955, Jul. 2017.
[13] B. Karp and H. T. Kung, “GPSR: greedy perimeter stateless routing for wireless networks,” in Proceedings of the Annual International Conference on Mobile Computing and Networking (MobiCom’00), pp. 243-254, Boston, Mass, USA, August 2000.
[14] K. Zeng, Z. Yang, and W. Lou, “Location-aided opportunistic forwarding in multirate and multihop wireless networks,” IEEE Trans. Vehicular Technology, vol. 58, no. 6, pp. 3032-3040, Jul. 2009.
[15] S. Yang, C. Yeo, and B. Lee, “Towards reliable data delivery for highly dynamic mobile ad hoc networks,” IEEE Transactions on Mobile Computing, vol. 11, no. 1, pp. 111-124, Jan. 2012.
[16] L. Cheng, J. Niu, J. Cao, S. K. Das, and Y. Gu, “QoS aware geographic opportunistic routing in wireless sensor networks,” IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 7, pp. 1864-1875, Jul. 2014.
[17] D. R. Raymond and S. F. Midkiff, “Denial-of-service in wireless sensor networks: Attacks and defenses,” IEEE Pervasive Computing, no. 1, pp. 74-81, 2008.
[18] P. Ning, A. Liu, and W. Du, “Mitigating DoS attacks against broadcast authentication in wireless sensor networks,” ACM Transactions on Sensor Networks, vol. 4, no. 1, pp. 1-35, Jan. 2008.
[19] M. Naghshvar and T. Javidi, “Opportunistic routing with congestion diversity in wireless multi-hop networks,” in Proceedings of IEEE INFOCOM, 2010.
[20] S. Biswas and R. Morris, “ExOR: Opportunistic multi-hop routing for wireless networks,” ACM SIGCOMM Computer Communication Review, vol. 35, no. 4, pp. 133-144, 2005.
[21] L. Cheng, J. Niu, Y. Gu, T. He and Q. Zhang, “Energy-efficient statistical delay guarantee for duty-cycled wireless sensor networks,” in 12th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON), pp. 46-54, 2015.
[22] X. Tang, J. Zhou, S. Xiong, J. Wang, and K. Zhou, “Geographic segmented opportunistic routing in cognitive radio ad hoc networks using network coding,” IEEE Access, vol. 6, pp. 62766-62783, 2018.
[23] M. Salehi and A. Boukerche, “A novel packet salvaging model to improve the security of opportunistic routing protocols,” Computer Networks, vol. 122, pp. 163-178, 2017.
[24] L. Zhang, J. Song, and J. Pan, “A Privacy-preserving and secure framework for opportunistic routing in DTNs,” IEEE Transactions on Vehicular Technology, vol. 65, no. 9, pp. 7684-7697, Sept. 2016.
[25] C. Lyu, D. Gu, X. Zhang, S. Sun, Y. Zhang, and A. Pande, “SGOR: Secure and scalable geographic opportunistic routing with received signal strength in WSNs,” Computer Communications, vol. 59, pp. 37-51, Mar. 2015.
[26] Y. Sheng, K. Tan, G. Chen, D. Kotz, and A. Campbell, “Detecting 802.11 mac layer spoofing using received signal strength,” in Proceedings of IEEE INFOCOM, pp. 1768-1776, 2008.
[27] S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter, “Adaptive selective verification,” in IEEE INFOCOM 2008 - The 27th Conference on Computer Communications, Phoenix, AZ, pp. 529-537, 2008.
[28] C. Sun, J. Liu, X. Xu, and J. Ma, “A privacy-preserving mutual authentication resisting DoS attacks in vanets,” IEEE Access, vol. 5, pp. 24012-24022, 2017.
[29] M. Krotofil, A. A. Cárdenas, B. Manning, and J. Larsen, “CPS: driving cyber-physical systems to unsafe operating conditions by timing DoS attacks on sensor signals,” in Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC ’14), ACM, New York, NY, USA, pp. 146-155, 2014.
[30] A. Chonka, Y. Xiang, W. Zhou, and A. Bonti, “Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks,” Journal of Network and Computer Applications, vol. 34, no. 4, pp. 1097-1107, 2011.
[31] A. Agah and Sajal K. Das, “Preventing DoS attacks in wireless sensor networks: A repeated game theory approach,” International Journal of Network Security, vol. 5, no. 2, pp. 145-153, Sep. 2007.
[32] J. Deng, R. Han, and S. Mishra, “Defending against path-based DoS attacks in wireless sensor networks,” in Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks, pp. 89-96, 2005.
[33] S. Hyun, P. Ning, A. Liu, and W. Du, “Seluge: Secure and DoS-resistant code dissemination in wireless sensor networks,” in Proceedings of IEEE IPSN, pp. 445-456, 2008.
[34] D. He, C. Chen, S. Chan, and J. Bu, “DiCode: DoS-resistant and distributed code dissemination in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 11, no. 5, pp. 1946-1956, May 2012.
[35] A. Perrig, R. Canetti, D. Song, and J. D. Tygar, “Efficient and secure source authentication for multicast,” in Proceedings of NDSS, pp. 35-46, 2001.
[36] A. Perrig, J. Stankovic, and D. Wagner, “Security in wireless sensor networks,” Commun. ACM, vol. 47, no. 6, pp. 53-57, Jun. 2004.
[37] N. Ristanovic, P. Papadimitratos, G. Theodorakopoulos, J. Hubaux, and J. Le Boudec, “Adaptive message authentication for multi-hop networks,” in 2011 Eighth International Conference on Wireless On-Demand Network Systems and Services, Bardonecchia, pp. 96-103, 2011.

CHEN LYU received the BS and MS degrees in Telecommunications Engineering from Xidian University of China, Xian, China, in 2007 and 2010, and the PhD degree in the Department of Computer Science and Engineering from Shanghai Jiao Tong University, Shanghai, China, in 2016. She is currently a lecturer in the Department of Computer Science and Technology at Shanghai University of Finance and Economics, Shanghai, China. Her research interests include wireless security, applied cryptography, and security and privacy in online social networks.

XIAOMEI ZHANG is currently a lecturer in the School of Electronic and Electrical Engineering at Shanghai University of Engineering Science, Shanghai, China. She received the PhD degree in the Department of Computer Science and Engineering from Shanghai Jiao Tong University, Shanghai, China, in 2018. Her current research interests include wireless network security and distributed system security. Her publications include over 30 papers in scholarly journals and conference proceedings. She is a member of the Shanghai Computer Security (SCS).

ZHIQIANG LIU is currently an Associate Professor in the Department of Computer Science and Engineering at Shanghai Jiao Tong University, Shanghai, China. He got his Ph.D degree in the Department of Computer Science and Engineering from Shanghai Jiao Tong University. His research interests include cryptocurrency and blockchain technology, privacy preserving, design and analysis of symmetric-key cryptography, side-channel attacks, and white-box cryptography.

CHI-HUNG CHI is currently a Senior Principal Research Scientist of Data61 in CSIRO (Commonwealth Scientific and Industrial Research Organization), Australia. He got his Ph.D degree from Purdue University (West Lafayette). Before he joined CSIRO, Dr. Chi worked in industry (Philips Research Laboratory in the U.S.A., IBM at Poughkeepsie) and universities (Chinese University of Hong Kong, National University of Singapore, and Tsinghua University) for more than 20 years. He has published more than 260 international journal and conference papers and edited ten books; he also holds six U.S.A. patents. His research areas include cybersecurity, behavior modeling, knowledge graph, data engineering and analytics, cloud and service computing, social computing, Internet-of-Things, and distributed computing.
