Secure Multi-hop Routing Protocols in Wireless Sensor Networks:

Requirements, Challenges and Solutions

Nouman M Durrani1

Nadeem Kafi1

Jawwad Shamsi1

Waleej Haider

Systems Research Laboratory, Department of Computer Science, Department of Computer Science,

FAST NUCES, Karachi.
SSUET, Karachi
{muhammad.nouman,nadeem.kafi, jawwad.shamsi}@nu.edu.pk
directlyproportional2u@yahoo.com

Abstract Wireless Sensor Networks (WSNs) have been a

subject of extensive research and have undergone explosive
growth in the last few years. WSNs utilize collaborative
measures such as data gathering, aggregation, processing, and
management of sensing activities for enhanced performance. In
order to communicate with the sink node, node having low
power may have to traverse multi-hops. This requires
neighbors nodes to be used as relays. However, if the relay
nodes are compromised or malicious, they may leak
confidential information to unauthorized nodes in the WSN.
Moreover, in many WSN applications, the deployment of sensor
nodes is carried out in an ad-hoc fashion without careful
examination. In such networks it is desirable to ensure the
source to sink privacy and maximize the lifetime of the
network, by finding secure energy-efficient route discovery and
forwarding mechanisms. Careful management is also
necessary, as processing required for secure routing is
distributed over multiple nodes. An important consideration in
this regard is energy-aware secure routing, which is significant
in ensuring smooth operation of WSNs. As, these networks deal
in sensitive data and are vulnerable to attack, it is important to
make them secure against various types of threats. However,
resource constraints could make the design, deployment and
management of large WSNs a challenging proposition. The
purpose of this paper is to highlight routing based security
threats, provide a detailed assessment of existing solutions and
present a Trust-based Energy Efficient Secure Routing Protocol
(TEESR). The paper also highlights future research directions
in of secure routing in multi-hop WSNs.

the lifetime of the network, by finding energy-efficient secure

routes. Careful management is also required, as processing
required for secure routing and communication is distributed
over multiple nodes. Providing security in such networks is
extremely important and challenging. An important
consideration in this regard is energy-aware secure routing,
which is significant in ensuring smooth operation of WSNs
[1].
Opponents in WSN can easily paralyze the whole operation
of the entire network simply by capturing the node or by
attacking the routing protocol. Even few resources are
sufficient to inject fabricated messages, manipulate routing
messages, attack the routing protocols and subvert the
normal operation of the network. Even more, arbitrary
behavior may be induced by corrupting the intermediate
nodes or the network internal node's involvement in
suspicious activities. Considering all these realities, the
deployment of a secure routing protocol becomes a primary
task. However, resource constraints could make the design,
deployment and management of large WSNs a challenging
proposition [1, 2]. The paper highlights requirements and
challenges of secure routing in WSN. The paper also
provides a detailed assessment of routing based security
threats and existing solutions. At the end, an energy efficient
secure routing protocol for multi-hop WSNs has been
presented. The paper also explores future research directions
of the proposed routing protocol. The paper is organized as
follow: Section II-IV discusses the overall security
requirements, challenges and solutions. Section VI describes
the proposed protocol known as Trust-based Energy Efficient
Secure Routing Protocol and Section VII shows performance
and evaluation of our proposed protocol.

Keywords: WSN, Multi Trust, Secure Routing, INSENS, SEER, TEESR

I.

INTRODUCTION:

Wireless Sensor Networks (WSNs) has rapidly become a

pioneer network of small and smart computing nodes for
establishing reliable, scalable and resilient network. WSNs
are an important type of multi-hop wireless networks with
enormous utilization and limited resources. They are capable
of incorporating sensitive data and have been utilized in many
critical applications such as monitoring, decision-making,
and time-critical systems. The sensor nodes in WSNs have
limited energy, network bandwidth, transmission range,
processing power, and storage. In order to monitor and
accomplish real-time data, thousands of nodes are deployed
for a specific set of application. Establishing efficient
multipath communication among huge number of sensor
nodes is important securely transmit data in many sensitive
wireless-based applications. However, resource constraints
could make the design, deployment and management of large
WSNs a challenging proposition.
WSNs utilize collaborative measures such as data gathering,
aggregation, processing, and management of sensing
activities for enhanced performance. In order to
communicate with the sink node, node having low power
may have to traverse multi-hops. This requires neighbors
nodes to be used as relays. However, relaying packets
through malicious nodes may disrupt the communication and
hence the limited resources of WSNs. In such networks it is
desirable to ensure the source to sink privacy and maximize
978-1-4799-0615-4/13/$31.00 2013 IEEE

Asad M Abbsi
Department of Computer Science,
Iqra University, Karachi
m.asadabbasi@yahoo.com





 



 

 


In this section, security requirements of WSNs have been

briefly discussed. A sensor node in WSN should be able to
authenticate the identity of all the network entities, receive
all the messages intended for it, ensures that the information
are not altered during the communication, and the sender is
sending fresh data. Moreover, the sensor nodes may also be
authenticated and identified before any service is granted
[1, 3].
Formally, a secure WSN should offer the following security
services: (i) Data Confidentiality: In most applications,
sensor nodes communicate sensitive information about
industrial secretes, medical instrumentation and surveillance
system information. In order to prevent eavesdropping
attacks, sensor nodes must communicate securely and
privately over the wireless communication channels. Data,
cryptographic keys information must be protected by
sending them in an encrypted form to the intended receiver
only. (ii) Data Integrity: Data Integrity ensures that
information sent by sensor nodes are not altered or modified
during the communication. (iii) Data Freshness: In WSNs,
data freshness ensures that the data is current and fresh. It
41

also ensures that neither messages are hold for malicious

activities (to disturb the sequence of communication) nor
stale messages have been replayed during the
communication. The adversary may also disrupt the network
operation by regularly broadcasting same data.
(iv)
Availability: Nodes are equipped with limited power source,
and are strongly dependent on their battery lifetime. Nodes
may lose their availability due to computation and
communication. Further, they may also rapidly lose their
energy requirements due to insecure routing protocols. (v)
Self-Organization: Distributed WSN must self-organize to
support fault-tolerance in the network. The network must
also support multipath routing for dynamic nodes. Secure
self-organization is hard to be implemented in WSNs. (vi)
Authentication: Before giving access to information or other
services, sensor nodes in a WSN must confirm the identities
of all network participants. Nodes must also be assured that
identified sources are sanding and routing the information.
(vii) Secure Localization: The effectiveness of a WSN
depends on its ability to accurately and automatically trace
each sensor in the network. However, an opponent may
report replaying signal or false signal strength and can easily
manipulate non secured location. (viii) Access control:
Sensors trying to connect to the network must first be
authenticated before any access to services and data.
However, due to limited constraints of WSNs, a security
model that the above mentioned services is difficult to
implement. The security model should prevent the network
being subjected to malicious attacks. It should also detect
malicious attacks and isolate (new topology resulting route
flooding and convergence) malicious nodes. Furthermore,
the WSN should also provide recovery solutions and
corrective measures for the successful operations of the
network.
III.

due to failures of sensor nodes. In the fault tolerance

domain, whenever a sensor node cannot forward its data
packets towards the sink, it can benefit from the availability
of alternative paths to salvage its data packets from node or
link failures. Through this mechanism, as long as an
alternative path is available, data forwarding can be
continued without any interruption even in the case of path
failure. Multiple paths also can be used simultaneously to
elevate data transmission reliability. (iii) Scalability:
Organization of few nodes in WSNs is an easy practice.
However, if the number of nodes will increase, complexities
in management of time-varying characteristics of large
number of nodes will increase, which may further leads to
disturbance in the communication system. (iv) Operating
Environment & Node Deployment: In WSNs, topological
deployment of nodes affects the performance of the routing
protocol and is mainly dependent upon the type of
application. Wireless sensors nodes are deployed either as
deterministic or self-organizing. Deterministic deployment is
mainly used for static set of nodes. In self-organizing
deployment, the sensor nodes are dispersed arbitrarily
forming an infrastructure. Improper distribution of nodes
will disturb the system communication.
(v) Data Delivery Models: This model controls the flow of
data that how the data collected by the sensor nodes has to
be delivered to respective sink nodes. Depending upon the
type of WSNs application of the, the data delivery model
may be Continuous, Event-driven, Query-driven or Hybrid.
(vi) Data Aggregation/Fusion: Data aggregation is the
combination of data from different sources. Substantial data
transfer optimization and energy can be saved through data
aggregation, as less energy will be consumed in computation
than communication. In some WSNs, redundant data
aggregations are assigned to powerful specialized nodes.
(vii) Quality Of Service (QoS ): Quality of Service (QoS) is
a set of technologies for managing WSN environment in a
cost effective manner.
It allows to measure energy
considerations of sensor nodes, length of their lifetime,
bandwidth, detect changing network conditions (such as
congestion or availability of bandwidth), reliability
location-awareness,
collaborative-processing
and
to
prioritize or throttle traffic. For example, QoS technologies
can be applied to prioritize traffic for latency-sensitive
applications and to control the impact of latency-insensitive
traffic. In WSNs, these factors greatly affect the selection of
the type of routing protocols for different applications. In
some applications (e.g. military, weather forecast
applications etc.) the sensed data should be transmitted
within a certain time frame from the moment it is sensed. In
some applications, WSNs may be focused on the length of
nodes lifetime and not on the quality of results. (viii) Data
Latency and Overhead: Latency is a measure of time delay
experienced in a WSN. Multi-hop data relays and
aggregation can cause this delay in the network. Moreover,
some routing protocols generate too many overheads to
implement their algorithms, which are not appropriate for
serious energy consideration networks. These factors may
greatly influence the design of routing protocol. (ix) Network
Dynamics: Most of the WSN architectures assume that
network components such as sensor nodes, sink nodes and
event monitoring are stationary. However, it is deemed
important that the WSN models should also support the
mobility of sinks, cluster-heads (gateways), sensor nodes,
event monitoring, or the type of data model being used.
Routing messages and other cryptographic information from
one movable node to other moving nodes is more

CHALLENGES OF SECURE ROUTING IN WSN

This section describes challenges related to WS. The Section

starts with the general constraints related to WSN, followed
by a detailed study of challenges in the form of attacks on
secure routing in WSN.
(1) General Constraints
Initially, WSNs were mainly inspired by military
applications. Later on the civilian application domain of
wireless sensor networks have been considered, such as
environmental and species monitoring, production and
healthcare, smart home etc. These WSNs may consist of
heterogeneous and mobile sensor nodes, the network
topology may be as simple as a star topology; the scale and
density of a network varies depending on the application.
To meet the general trend towards diversification, the
following important design issues of the sensor network
have to be considered [1, 2, 3, 8]. (i) Energy Consideration:
In WSN, nodes are limited in computational capabilities,
memory and power. Nodes are equipped with limited power
source, and are strongly dependent on their battery lifetime.
They use their limited power for computations and data
transmission. The malfunctioning of some sensor nodes due
to power failure can cause significant topological changes
and might require rerouting of packets and reorganization of
the network. Hence, energy efficient communication and
computation are important in WSNs. (ii) Reliability and
Fault-Tolerance: Reliable data transmission is a challenging
task due to sporadic nature of low-powered sensor nodes and
dynamic network topology. Fault tolerance is the ability of a
system to tolerate its functionalities without any stoppage
42

challenging since route stability, energy and network

bandwidth becomes important optimization factors. Sensing
static events in forest, biological species, or fire prevention
work in a reactive fashion, generates traffic upon reporting.

(2) Attacks on Secure Routing Protocols
In this section we briefly discuss the possible attacks against
secure routing protocols. Disrupting secure routing in WSN
would be classified as an active insider attack. The attacker
must compromise an existing node or physically add a new
malicious node, with similar characteristics and identity, in
the target multi-hop WSN. This node may be called as
attacker node. The adversary can select attacker node
computational and communication characteristics (e.g. mote
or laptop) based on the type and scale of the attack to be
launched including identity mechanism and compatibility at
physical, data link and network layers. The attackers node
must be able to inject new packets, modify existing packets
and be able to use cryptographic primitive and security code
at the node.
In WSN, attacks against secure routing can be classified
based on the attacker profile. For example in basic attacks,
the attacker does not have any deciphering capability and
simply want to either monitor activities for future attacks or
disrupt the network temporarily by delaying operations or
disabling a small portion of the network. Attacks in this
category neither permanently disrupt nor target the data
confidentiality. Moreover, sophisticated attack is significant
where the attacker possesses the capability to decipher, have
the keys and signatures.
On the basis of the attackers capabilities, following attacks
are identified in the literature [7, 9, 23, 24, 25]: (i) Spoofed
or Bogus routing information: Spoofed routing information
is the most direct attack to influence routing and change the
routing information in the network. In this attack, an
adversary targets, alters, spoofs, or replays routing
information to disturb traffic in the network. Moreover, an
adversary can create routing loops, attract or repel traffic to
selected nodes, increase latency, and may generate forged
error messages to disrupt the overall communication. (ii)
Selective forwarding: In this type of attack, a malicious node
selectively forward chosen messages and drop rest of them.
In order to launch this attack, an adversary compromises or
insert a malicious node in the path of the data flow. (iii)
Sinkhole: In the sinkhole attack, an adversary tries to make a
malicious node looks more attractive to its neighbors by
spoofing the route advertisement, forging the routing
information. As the neighbor nodes select the malicious node
as the next hop node to forward packets, it makes selective
forwarding simple to flow the data packets through the
compromised nodes in the network. (iv) Sybil attack: In this
attack an adversary simulates multiple nodes and advertises
multiple identities in the network. The Sybil attack can
disrupt routing algorithms, distributed storage, data
aggregation, voting, fair resource allocation, and foiling
misbehavior detection. For example, the Sybil attack might
use multiple identities to generate additional votes and can
cripple even the robust multi-path routing algorithms by
routing multiple paths through a single malicious node. (v)
Wormhole: A wormhole is a low latency out-of-band channel
used to connect sub-parts of a network through which an
adversary replays network message. In wormhole attack, the
adversary receives the packets at one location and tunnels
the received packets at some other location, and replays the
packets into the network. This tunneling between the
planning adversaries is called the wormhole. In some
wormhole attacks, an adversary claims a one-hop link

instead of multi-hops to the BS and becomes a sinkhole for

his neighbors providing low-latency route to the BS. (vi)
Blackhole and Grayhole: In Blackhole attack, a malicious
node in the route-finding process falsely advertises a route to
the destination node. The route advertised may be the most
stable or shortest path to deter the route finding process or
interrupt all data packets sent to the destination. In some
situations, known as grayhole attack, the adversary makes its
detection even more problematic by intermittently dropping
data packets. (vii) Hello flood: In the neighbor detection
phase of some routing protocols, adversaries broadcast a
HELLO message announcing to be the neighbor of receiving
nodes. An adversary may use a high-powered transmitter to
send a HELLO message to large number of distinct nodes,
and fool a large number of nodes. In some cases, an
adversary falsely broadcast the shortest path to the BS, and
all nodes try to transmit their packets to the out-of-range
attacker. (vii) Byzantine attack: In byzantine attack,
malicious nodes work in collusion and attack the network in
such a manner that it does not exhibit any abnormal
behavior. Byzantine attacks may include selective packet
dropping, packet forwarding on non-optimal paths, creating
routing loops. (viii) Information disclosure: In this type of
attack, a compromised node may leak confidential
information to unauthorized nodes in the WSN. Important
information may include geographic position of nodes,
network topology, routing information to un-authorized
nodes in the network. (ix) Resource depletion attack: In
resource depletion attack, a malicious node attempts to drain
out the limited resources of wireless sensor nodes. Possible
attacks may include repeatedly sending of unnecessary route
requests, frequent generation of beacon packets or
forwarding of stale packets to specific nodes. The targeted
resources may include the battery power, bandwidth,
memory and computational power. (x) Acknowledgment
spoofing: In acknowledge spoofing, an attacker spoofs the
acknowledgements to persuade the node. In this way an
attacker disseminate false information about the status of
nodes. Furthermore, an adversary may encourage a node that
its dead neighbor is alive, or it may claim that a weak link is
reliable. (xi) Routing table overflow: In this attack, an
adversary advertises fabricated routes of non-existing nodes
to its neighbors in the WSN. The main purpose of this attack
is to overflow the routing tables and prevent further entries
corresponding to new paths to authorized nodes. Proactive
routing protocols are more vulnerable to this attack, as
source to destination routes are relatively static in this
routing. (xii) Routing table poisoning: In routing poising
attack, compromised nodes send fabricated or modified
routing update packets to authentic nodes in the network.
This attack may result congestion in some sub networks,
inefficient routing, or even arise a situation where parts of
the network are unreachable. (xiii) Packet replication: In this
type of attack, an adversary replicates stale packets to waste
the valuable resources of WSN. For example, due to
replicate packets this attack may cause confusion in the
routing process and may drain-out the battery power,
bandwidth of nodes in the network. (xiv) Route cache
poisoning: In reactive routing protocols, each node keeps
information about previous known routes in the route cache.
Using this cache, an adversary poisons the route cache to
disrupt the communication. (xv) Rushing attack: In route
discovery phase of some routing protocols, duplicate
suppression is used. In this attack, an adversary node who
receive a legitimate route request packet, floods the received
packet quickly enough before other nodes in the network and
43

hence, the targeted nodes receive the legitimate packets from

an adversary node. As the targeted nodes assume the
legitimate packets as duplicate of the already received
packets, they simply discard the packets. Hence, the source
node would find an adversary node as its intermediate node.
Such attacks are very difficult to detect in WSNs.

tolerate intrusions without any need for detecting the

intruders in a region and operates correctly in the presence
of (undetected) intruders. The protocol then perform
resource-intensive computations such as building routing
tables, security and intrusion tolerance issues at the BS and
minimize the computation, storage and bandwidth
requirements at the nodes. The protocol also restricts the
intrusion to limited number of nodes in its vicinity by using
appropriate authentication mechanism and limiting flooding.
During the route request phase, a malicious node can launch
rushing or selective attacks by modifying or selectively
forwarding the request message. However, the damage of
these attacks is restricted to a small portion of the network.
The second phase of the protocol is subject to many attacks,
such as the DoS, selectively forwarding feedback messages,
and modifying the neighborhood information of nodes.
Again, the damage of these attacks can only affect a local
area but cannot compromise the entire network.
In WSNs, an attacker can advertise inexistent branches to
attract the maximum number of paths and become an
important node among the forwarding nodes. This leading
position gives the attacker to control considerable traffic
flow, which is very dangerous in many sensitive
applications. The protocol Secure and Efficient
Intrusion-Fault tolerant routing protocol for WSNs (SEIF)
[12] represents a merge between the multipath topology
offered by SMRP and an efficient in-network sub-branch
authentication. In SEIF, instead of identifying sub-branches
with simple node IDs that can be manipulated by any
intruder, one-way hash chains (OHC) can be used to prevent
attackers from advertising inexistent sub-branches.
Nidal, Chen et.al [13] proposed a Secure and
Energy-Efficient Multipath Routing Protocol (SEER). In
SEER, each node does not keep consistently up-to-date
routing information to every other node in the network.
Nodes sense and forward the received data to sink nodes
using the information stored in the routing table. The BS
periodically updates the available energy of each node along
the path on the number of packets being received and sent.
In SEER the path is selected by the BS or sink node, and
hence this protocol can defend against attacks like
Wormhole, Sinkhole and Selective Forwarding attacks.
Through the compromised or attackers nodes, Wormhole and
Sinkhole attacks try to pull traffic from sensor nodes to the
BS. According to the energy level, BS sporadically re-selects
a new path; therefore, attracting traffic and advertising false
routes lasts only for a short time and hence has no impact on
the routing paths. However, this protocol has no mechanism
against internal attacks.

IV.
RELATED WORK
Detection of malicious nodes is important as malicious node
activities can cause degradation in system throughput, denial
of service, misrouting, delays and unreliable data
transmission. In this section, we present the state-of-the-art
secure routing protocols for multi-hop WSNs as under:
In ATSR (Ambient Trust Sensor Routing) [5], a fully
distributed Trust management system is used to evaluate the
reliability of nodes. In this approach, nodes in WSN
directly monitor the behaviors of their neighbors and finds
trust value of its neighbor with respect to different trust
matrices. In Trusted AODV [18] routing is performed by
taking different trust metrics into account. In Trusted GPSR
[19], the Greedy Perimeter Stateless Routing protocol is
modified to use trust values of node into account. In this
approach, when a node sends a packet to its neighbor, it
waits until its neighbor overhears about its forwarding.
Based on this forwarding information, a node maintains trust
matrices for its neighbors and it for routing decisions. In
TRANS Based on the trust information of nodes, secure
routes are selected in this protocol. For destined locations,
BS only sends a message to its trusted neighbors. Those
corresponding neighbors then forward the message to their
trusted neighbors that have the nearest location to
destination. Thus the packet reaches the destination along a
path of trusted sensors.
Directed Diffusion [4] is a data-centric and
application-aware paradigm, in which all data generated by
sensor nodes is named by attribute-value pairs. The main
idea of this approach is to combine data coming from
different sources, eliminate redundancy and minimize the
number of data transmission to save the network energy and
prolong its lifetime. In SPINS [16] when node wants to
establish a shared secret session key with another node, they
use BS. As a single secret key shared with the BS and one
unique link key for each one of its neighbors in this
distribution approach, small memory is required. The Key
establishment and distribution is efficient against
compromised nodes, as the captured node divulges no secrets
about the whole network. If the compromised node is to be
revoked, the BS broadcast the encrypted revocation message
to the network. Node replication activities are easily
controlled at the BS, as the entire key establishment takes
place at the BS.
Xiaojiang Du, Sghaier Guizani et al. [11] proposed a
Two-Tier Secure Routing protocol (TTSR) for heterogeneous
sensor networks (HSN). It offers security attributes such as
authentication, confidentiality, and integrity. Hierarchical
network architecture is formed by the Base Stations (BS),
H-sensors and L-sensors in an HSN. H-sensors have more
energy, high data rate and long transmission range and more
advantages for designing better secure routing protocols.
H-sensors serve as the cluster heads and form the backbone
network. L-sensors send data to their respective H-sensors.
H-sensors also remove redundant data, aggregate data from
multiple L-sensors and through the H-sensor backbone
network, compressed packets are sent to the BS.
INSENS [14] is INtrusion-tolerant routing protocol for
wireless SEnsor NetworkS. INSENS exploits redundancy to

TRUST-BASED ENERGY EFFICIENT SECURE

ROUTING PROTOCOL
This section describes the design of our proposed routing
protocol called Trust-based Energy Efficient Secure Routing
Protocol (TEESR).
The design of this protocol is based on three principles:
First, the protocol restricts malicious nodes in its vicinity by
using appropriate authentication and flooding mechanism.
Secondly, The protocol perform resource-intensive
computations such as building routing tables, trust tables,
security and intrusion tolerance issues at the sink nodes and
BS to minimize the computation, storage and bandwidth
requirements of the WSN.
V.

44

Figure 1: Wireless Sensors Network division into clusters

with cluster heads
Thirdly, the protocols uses multipath overlay networks to
exploits redundancy and tolerates intrusions in a region and
operates correctly in the presence of (undetected) intruders.
As shown in Figure 1, hierarchical network architecture is
formed by the Base Stations (BS), CH-sensors and SF
(Sensing and Forwarding) sensors. The network is divided
into small clusters. Each cluster consists of SF-sensors and
CH-sensors. CH-sensors or sink nodes have more energy,
high data rate and long transmission range and more
advantages for designing better secure routing protocols.
CH sensors serve as the cluster heads CHs and form the
backbone network. SF-sensors send data to their respective
CH-sensors. CH-sensors also remove redundant data,
aggregate data from multiple L-sensors and through the
CH-sensor backbone network, compressed packets are sent
to the BS. The protocol applies MAC (Message
Authentication Code) for integrity of message and
Symmetric key cryptography for discovering a safe route
against black hole attack. In our protocol, first Clusters with
backbone network under the BS supervision is formed. But
for the sake of simplicity, we first discuss the neighbor
discovery phase.
Neighbor Discovery Phase: In the neighbor discovery
phase, each node broadcast a neighbor detect NBRDET
message to all nodes in its transmission range. The format of
message is as follow:
NBRDET: KX | IDx | MAC(EK, IDX | NX)
where KX is an initial preconfigured sequence number, EK is
a key , IDx is the ID and NX is a nonce of node X. To avoid
an adversary masquerading as a legitimate node
authenticates the request made by each node, one-way hash
chain [10] has been used by sensor nodes. A one-way hash
chain is a sequence of numbers Kn; Kn-1, , K0, such that
K(i+1)= F(Ki), where 0 < i n. Each sensor node is
pre-configured with the initial number of K0. Each BS
randomly selects a seed Km and computes a one-way hash
chain H= <Kn; Kn-1; K0> using one-way hash function
F. Each sensor node is pre-configured with the initial
sequence number K0. When one node sends its REQ
message to another sensor node containing a one-way hash
chain sequence number Kp, that message is verified using
one-way hash function K0 = F(Kp). The sequence number
chain is different for each cluster. As shown in Figure 2,
node transmit a neighbor detect NBRDET message with
transmission power pt (less than a threshold pt-th) to all nodes
in its transmission range. Each node calculates the receiving
power using Friis equation [17]:

Figure 2: Multipath Secure Routing between sensor nodes

and Cluster Heads
pr = ptGtGr2 / (4r)2
where r is the transmission distance, Gt and Gr are the
transmission and receiving antenna gains respectively. If the
receiving power pr is less than a certain threshold pr-th, the
receiving node considers the requesting node as far-field or
malicious node. After receiving the NBRDET message, the
receiving node also verifies the message authentication using
MAC. After successfully verifying the NBRDET message,
the receiving node sends a reply message in the following
format:
REPLAY: KY | IDX | IDY | MAC (EK, IDX | IDY | NY)
where IDY is the identity and NY is the nonce of the
receiving node Y. Node IDX verifies the reply message using
MAC, and adds its ID into its neighbor list, otherwise drops
the packet. After a specified time interval, the neighbors
information NBRDECT INFO is sent to the Cluster Head
CH in following format:
X CH: NBRDECT INFO KX | KY | IDX | IDY |MAC(EK,
NBRDECT INFO (KX | KY | IDX | IDY| NX | NY))
After receiving the neighbor information from node X, and
all other nodes in the cluster, the Cluster Head CH produces
a neighbor matrix and by applying the following Algorithm,
multiple paths are found from the CH to every other node in
the cluster. The CH also calculates the pair-wise key also
known as Secret key for each pair of neighbor nodes. A hash
function Kxy = h(secret; IDx; IDy) is used to generated the
pair-wise keys. This cost estimation has been shown in
Algorithm 1.
As shown in Figure 2, the CH and BS can find least cost (in
terms of High Trust and Low Transmission Power) multiple
disjoint paths for multicast communication. For Sensitive set
of applications, large values of the Trust parameter (in terms
of weight) may be used. However, if working in
non-sensitive applications, large values of Power
Transmission parameter (in terms of weight) may be
preferred. The CH then unicasts the pairwise key to the
respective nodes with the following considerations: in the
following format:
CH x : PAIR KEY | KCH | IDCH | IDX | IDY |
MAC(EKXCH, PAIR KEY | KCH| IDCH | IDX | IDY | NCH)
where KCH is the CH sequence number, IDCH is the ID and
NCH is the nonce of Cluster Head.
45

Algorithm 1: Trust-based Energy Efficient Secure routing

Multipath protocol.
1 Initialization:
2
N = {A}
3
for all nodes v
4
if v adjacent to A && Trust is Maximum
5
then D(vi) = c(A,v)
6
else D(vi) = infinity
7
Loop
8
find w not in N such that D(w) is a minimum in terms
of Transmission Power and Trust (where lower values
of trust indicates HIGH Trust, for example Trust with
value equal to 1 is considered as High)
9
add w to N
10
update D(v) for all v adjacent to w and not in N:
11
D(vi) t = min( D(v), D(w) + c(w,v))
| D(vi+1) t = min( D(v), max(Disjoint D(vi))
12
/* new cost to v is either old cost to v or known
13
shortest path cost to w plus cost from w to v */
14 until all nodes in N
15 If | D(vi) t - D(vi) t-1 | threshold then
16 D(vi) t = D(vi) t-1 /*No change in the existing path*/
17 else
18
D(vi) t

Once the shared pairwise keys are calculated, nodes transmit

sensed data in an encrypted form and an authenticated
Cluster Head. Also the BS uses a unique shared key or
pairwise key with the cluster heads to decrypt and
authenticate the received data.
In neighbor detection phase, any malicious activity observed
by a source node, cluster head or BS is sent to all those
nodes with malicious neighboring nodes joining their
neighbors list to update their neighbors list. The routing
update message sent by the sink nodes to the neighboring
nodes is in the following format:
BS CHnID X: MALICIOUS NODE KBS | KCHnID | IDBS |
IDCH | IDMalicious | MAC(EKBs, IDBS | IDCH | IDMalicious |
NBS | NCHnID)
where IDMalicious is Malicious node ID.
Data Forwarding Phase: In the data forwarding phase, the
source node X sends the data to the sink through its neighbor
node Y in the following format:
: | SK IDx | MAC(EK, SK X(Data) | NX)
, ( ),()
where SK is the shared pair-wise key. The data is encrypted
with the primary key shared between the sink node and the
sending node X, so that an intermediate node cannot decrypt
it.
VI. PROTOCOL PERFORMANCE AND EVALUATION

Cluster Formation Phase: Cluster Head CH sensors or sink

nodes have more energy, high data rate and long
transmission range. They form the backbone network and
are more advantageous for designing secure multipath
routing protocols. CH-sensors also remove redundant data,
aggregate data and send compressed packets to the BS. As
discussed in the neighbor discovery phase, each CH
broadcast a neighbor detect NBRDET message to all Cluster
Heads CHs in its transmission range in the following format:
NBRDET: K1CHID | CH1ID | Mac(EK, CHID | NCH1ID)
where KX is an initial preconfigured sequence number, CHID
is the ID NCHID is a nonce of node CHID. After successful
verification, the receiving CH node sends a reply message in
the following format:
REPLAY: K2CHID | CH1ID | CH2ID | NCH2ID | MAC(EK,
CH1ID | CH2ID | NCH2ID)
where CH2ID is the identity and NCH2ID is the nonce of the
receiving node CH2ID adds its ID into the neighbor list,
otherwise it drops the packet. After a specified time interval,
the neighbors information NBRDECT INFO is sent to the
BS in the following format:
CH1ID BS: NBRDECT INFO KCH1ID | KCH2ID | CH1ID |
CH2ID | MAC(EK, NBRDECT INFO CH1ID | CH2ID | NCH1ID |
NCH2ID)
After receiving the neighbor information from Cluster Head
CH1ID, and all other Cluster Heads in the whole network, the
BS calculates multiple paths and the pair-wise key for each
pair of neighbor Cluster Heads using the algorithm discussed
in the previous phase. The BS then unicasts the pairwise key
to the respective Cluster Heads in the following format:
BS CH1ID : PAIR KEY | KBS| IDBS | CH1ID | CH2ID |
MAC(EKBS, PAIR KEY | | KBS| IDBS | CH1ID | CH2ID|NBS)
where KBS is the BS sequence number, IDBS is the ID and
NBS is the nonce of the BS.

In this section, the performance of our proposed protocol has

been evaluated using the OMNeT++ modeling framework

MiXiM. The performance of the protocol is evaluated as

under:
(1) Security: First the security of the protocol was
evaluated against attacks Wormhole, Sinkhole, Sybil,
Hello Flood, and Selective Forwarding and was found
defensive against these and many other attacks. The
protocol is resilient against Wormhole and Sinkhole
attacks, as secure routes are selected by the CH and BS
and the attacker is not able to participate in this routing.
Further, power transmitted by a node is also restricted in a
limited geographic region, as shown in Figure 2. In this
case, node is not allowed to transmit power greater than
some threshold (pt<<pt-th). Like-wise the received power
is supposed to be greater than a certain threshold
(pr>>pr-t). According to the energy level, BS sporadically
re-selects a new path; therefore, attracting traffic and
advertising false routes lasts only for a short time and hence
has no impact on the routing paths. Also, the protocol
applies MAC and symmetric cryptography to provide
confidentiality, integrity and authentication. However, this
protocol has no mechanism against internal attacks. Table 1
enlists relevant attacks against the routing protocols. It also
shows that how our proposed routing protocol is effective
against possible attacks.
(2) Energy: Due to power constraints, all the nodes are
supposed to operate in a limited geographic region
(sub-cluster). Nodes receiving power pr greater than certain
threshold pr-th will only respond to the neighbor request
message. Hence, the protocol flood neighbors information
in few numbers of messages and hence significant amount of
energy is saved. As shown in Figure 3, the protocols
flooding has been compared with the INSENS and other
non-secure routing protocols.

46



Table 1: Possible attacks on the existing routing protocols

Routing
Relevant Attacks
Protocols
Directed
Spoofed, altered or replayed routing
diffusion
information
SPIN,
Selective forwarding, Sinkhole, Sybil,
SAR
Wormholes, HELLO flood , Internal attacks
Minimum
Spoofed, altered or replayed routing
cost
information, Selective forwarding, Sinkhole,
forwarding Sybil, Wormholes, HELLO flood , Internal
attacks
LEACH,
Selective forwarding, Sybil, HELLO flood,
TEEN,
Internal attacks
PEGASIS
GPSR,
Spoofed, altered, or replayed routing
GEAR
information Selective forwarding, Sybil,
Internal attacks
SPAN,
Spoofed, altered or replayed routing
GAF
information, Sybil, HELLO flood, Internal
attacks
Rumor
Spoofed, altered, or replayed routing
routing
information, Selective forwarding, Sinkhole,
Sybil, Wormholes, Internal attacks
TEESR
Internal attacks, Physical Capture




















Figure 3: The protocol TEESR floods neighbors information
in less numbers of messages.



















 !
!




Figure 4: Figure shows that TEESR has a lower end-to-end

delay and its stability against malicious nodes.

It has been found that the protocol floods neighbors

information in few number of messages like non-secure
routing protocols. Also, in Figure 7, it has been shown that

many of the TEESR nodes still alive in a WSN

environment even if the energy level per node drops to
1%. This is because of the low transmitting power of
nodes in their respective regions or sub-clusters.
Performance of the proposed routing protocol called
TEESR has been compared with other routing algorithms,
such as LEACH, Directed Diffusion and PEGASIS [15,
20].
Simulation results show that the percentage of forwarding
nodes decreases when the number of nodes increases. As
shown in Figure 5, in 300 nodes, only 4.65 % of the
nodes have been selected as the forwarding nodes. The
reason for this is that Cluster Heads and BS are
responsible for the selection of secure and energy
efficient nodes. Hence, much of the network energy is
saved in careful forwarding of packets.

&'

()















"
#$%

#

&

Figure 5: Percentage of forwarding nodes in EAD[21],

LEACH[20], SEERP[22] and TEESR.


(3) No of drop messages: In WSNs, when the number of

malicious nodes increases, the number of drop messages also
increases. As shown in Figure 4, only 14 % percent of
messages have been dropped in the presence of 19 %
internally malicious nodes. This shows that the protocol is
resilient against malicious nodes.
(4) End-to-End Delay: As discussed, only few forwarding
nodes are selected within the network. These results in low
end-to-end delays, as only few nodes are involved in the
packet processing and forwarding process. In Figure 6,
end-to-end delay of the proposed protocol is compared with
AODV and RTSR [6, 26]. It has been found that end-to-end
delay increases with the number of nodes. However, the
protocols end-to-end delay is less than AODV and RTSR.
The main reason behind this is that less number of
forwarding nodes are involved in the packet forwarding.

#'
+
+
,+-
.




/'/

!

#01



/'/

!

 



/'/

!









      * 

Figure 6: Actual transmission time and end-to-end delay of

AODV, RTSR and TEESR

47



4
4

'

"
#$%

&
2# 

'

"
#$%

&
2# 

3

3

3

"
#$%

3 3 3 3 3

'

&
2# 

4

4

Figure 7: This Figure shows that many of the TEESR nodes still alive in a WSN environment even if the energy level per
node drops to 1%. Performance of TEESR has been compared with other routing algorithms, such as LEACH, Directed
Diffusion and PEGASIS
[9]
Chen Jing, Zhang Huanguo, HU Junhui. An efficiency security
VII. CONCLUSION AND FUTURE DIRECTIONS
Wireless Sensor Networks deal with sensitive data and are
vulnerable to different types of attacks. Only few resources
are sufficient to inject fabricated messages, manipulate
routing messages, attack the routing protocols and subvert
the normal operation of the network. Even more, arbitrary
behavior may be induced by corrupting the intermediate
nodes. Considering all these realities, the deployment of an
energy efficient secure routing protocol becomes a primary
task. Due to the resource constraints in WSNs, the design of
such secure and energy efficient routing protocols is not an
easy task. The purpose of this paper is to highlight
requirements, challenges, routing based security threats,
provide a detailed assessment of existing solutions, and offer
an efficient solution known as TEESR to Secure Routing in
multi-hop WSN. As compared with other routing protocols,
the protocol select limited number of forwarding nodes,
floods the neighbors information in few numbers of
messages, this results low end-to-end delay and hence save
significant amount of energy. Moreover, the protocol is
stable against malicious nodes and their relevant attacks.
At different values of power transmission and trust, security
concerns of TEESR in sub-clusters are left for future work.
Handover of nodes between sub-clusters is also left for
future research.
VIII. REFERENCES
[1]

[2]

[3]
[4]

[5]

[6]
[7]

[8]

[10]
[11]

[12]

[13]

[14]

[15]

[16]
[17]
[18]

[19]

Kellner, Ansgar, Omar Alfandi, and Dieter Hogrefe. "A survey on

measures for secure routing in wireless sensor networks."
International Journal of Sensor Networks and Data Communications
1 (2012): 1-17.
Sahoo, Mrs Soumyashree, Mr Pradipta Kumar Mishra, and Rabi
Narayan Satpathy. "Secure Routing in Wireless Sensor Networks."
International Journal of Computer Science 9 (2012).
Radi, Marjan, et al. "Multipath routing in wireless sensor networks:
Survey and research challenges." Sensors 12.1 (2012): 650-685.
Intanagonwiwat, Chalermek, Ramesh Govindan, and Deborah Estrin.
"Directed diffusion: a scalable and robust communication paradigm
for sensor networks." Proceedings of the 6th annual international
conference on Mobile computing and networking. ACM, 2000.
Zahariadis, Theodore, et al. "An energy and trust-aware routing
protocol for large wireless sensor networks." Proceedings of the 9th
WSEAS international conference on Applied informatics and
communications. World Scientific and Engineering Academy and
Society (WSEAS), 2009.
C.E. Perkins, E. Belding-Royer, S.R. Das, Adhoc on-demand
distance vector (AODV) routing, in: IETF RFC 3561, July 2003.
Newsome, James, et al. "The sybil attack in sensor networks: analysis
& defenses." Proceedings of the 3rd international symposium on
Information processing in sensor networks. ACM, 2004.
Maarouf I K, Naseer A R.WSNodeRater- An optimized reputation
system framework for security aware energy efficient geographic
routing in WSNs, IEEE/ACS International Conference on Computer
Systems and Applications. IEEE, 2007: 258-265.

[20]

[21]

[22]

[23]
[24]

[25]

[26]

48

model of routing protocol in wireless sensor networks, Second Asia

International Conference on Modeling & Simulation. Washington
D.C. : IEEE Computer Society .2008: 59-64.
Merkle, Ralph C. "One way hash functions and DES." Advances in
CryptologyCRYPTO89 Proceedings. Springer New York, 1990.
Du, Xiaojiang, et al. "Two tier secure routing protocol for
heterogeneous sensor networks." Wireless Communications, IEEE
Transactions on 6.9 (2007): 3395-3401.
Ouadjaout, Abdelraouf, et al. "SEIF: secure and efficient
intrusion-fault tolerant routing protocol for wireless sensor
networks." Availability, Reliability and Security, 2008. ARES 08.
Third International Conference on. IEEE, 2008.
Nasser, Nidal, and Yunfeng Chen. "Secure multipath routing
protocol for wireless sensor networks." Distributed Computing
Systems Workshops, 2007. ICDCSW'07. 27th International
Conference on. IEEE, 2007.
J. Deng, R. Han, S. Mishra, INSENS: intrusion-tolerant routing in
wireless sensor networks, Technical Report CUCS-939-02,
Department of Computer Science, University of Colorado, 2002.
Lindsey, Stephanie, and Cauligi S. Raghavendra. "PEGASIS:
Power-efficient gathering in sensor information systems."
Aerospace conference proceedings, 2002. IEEE. Vol. 3. IEEE, 2002.
Perrig A, Szwczyk R, Wen V. SPINS: Security Protocols for sensor
networks. Wireless Networks, 2002, 8(5): 521-534.
Rappaport, Theodore S. Wireless communications: principles and
practice. Vol. 2. New Jersey: Prentice Hall PTR, 1996.
Li, Xiaoqi, Michael R. Lyu, and Jiangchuan Liu. "A trust model
based routing protocol for secure ad hoc networks." Aerospace
Conference, 2004. Proceedings. 2004 IEEE. Vol. 2. IEEE, 2004.
Pirzada, Asad Amir, and Chris McDonald. "Trusted greedy perimeter
stateless routing." Networks, 2007. ICON 2007. 15th IEEE
International Conference on. IEEE, 2007.
Heinzelman, W.R., Chandrakasan, A., Balakrishnan, H.:
Energy-Efficient Communication Protocol for Wireless Microsensor
Networks. In: Proc. of HICSS, pp. 30053014 (2000)
Azzedine, B., Xiuzhen, C., Joseph, L.: Energy-aware data-centric
routing in microsensor networks. In: Proceedings of the 8th MSWiM
03, San Diego, pp. 4249 (2003)
Pathan, Al-Sakib Khan, and Choong Seon Hong. "A secure
energy-efficient routing protocol for WSN." Parallel and Distributed
Processing and Applications. Springer Berlin Heidelberg, 2007.
407-418.
Sen, Jaydip. "Routing security issues in wireless sensor networks:
attacks and defenses." arXiv preprint arXiv:1101.2759 (2011).
Karlof, Chris, and David Wagner. "Secure routing in wireless sensor
networks: Attacks and countermeasures." Ad hoc networks 1.2
(2003): 293-315.
Pathan, Al-Sakib Khan, Hyung-Woo Lee, and Choong Seon Hong.
"Security in wireless sensor networks: issues and challenges."
Advanced Communication Technology, 2006. ICACT 2006. The 8th
International Conference. Vol. 2. IEEE, 2006.
Neelavathy Pari, S., B. Narmadhadevi, and Sridharan Duraisamy.
"Requisite trust-based Secure Routing Protocol for MANETs."
Recent Trends In Information Technology (ICRTIT), 2012
International Conference on. IEEE, 2012.