1200 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED …people.cs.vt.edu/~irchen/ps/Chen-TPDS14.pdfIndex Terms—Delay tolerant networks, dynamic trust management, secure routing, performance

Dynamic Trust Management for Delay TolerantNetworks and Its Application to Secure Routing

Ing-Ray Chen, Member, IEEE , Fenye Bao, MoonJeong Chang, and Jin-Hee Cho, Member, IEEE

Abstract—Delay tolerant networks (DTNs) are characterized by high end-to-end latency, frequent disconnection, and opportunistic

communication over unreliable wireless links. In this paper, we design and validate a dynamic trust management protocol for secure

routing optimization in DTN environments in the presence of well-behaved, selfish and malicious nodes. We develop a novel model-

based methodology for the analysis of our trust protocol and validate it via extensive simulation. Moreover, we address dynamic trust

management, i.e., determining and applying the best operational settings at runtime in response to dynamically changing network

conditions to minimize trust bias and to maximize the routing application performance. We perform a comparative analysis of our

proposed routing protocol against Bayesian trust-based and non-trust based (PROPHET and epidemic) routing protocols. The results

demonstrate that our protocol is able to deal with selfish behaviors and is resilient against trust-related attacks. Furthermore, our trust-

based routing protocol can effectively trade off message overhead and message delay for a significant gain in delivery ratio. Our trust-

based routing protocol operating under identified best settings outperforms Bayesian trust-based routing and PROPHET, and

approaches the ideal performance of epidemic routing in delivery ratio and message delay without incurring high message or protocol

maintenance overhead.

Index Terms—Delay tolerant networks, dynamic trust management, secure routing, performance analysis, design and validation

Ç

1 INTRODUCTION

A delay tolerant network (DTN) comprises mobilenodes (e.g., humans in a social DTN) experiencing

sparse connection, opportunistic communication, and fre-quently changing network topology. Because of lackof end-to-end connectivity, routing in DTN adopts a store-carry-and-forward scheme by which messages are for-warded through a number of intermediate nodes leverag-ing opportunistic encountering, hence resulting in highend-to-end latency.

In this paper, we propose dynamic trust management forDTNs to deal with both malicious and selfish misbehavingnodes. Our notion of selfishness is social selfishness [18],[21] as very often humans carrying communication devices(smart phones, GPSs, etc.) in a DTN are socially selfish tooutsiders but unselfish to friends. Our notion of malicious-ness refers to malicious nodes performing trust-relatedattacks to disrupt DTN operations built on trust (e.g., trust-based DTN routing considered in this paper). We aim todesign and validate a dynamic trust management protocolfor DTN routing performance optimization in response todynamically changing conditions such as the population ofmisbehaving nodes.

The contributions of the paper relative to existing workin trust/reputation management for DTNs are summarizedas follows.

1. We propose to combine social trust deriving fromsocial networks [25] and traditional quality of service(QoS) trust deriving from communication networksinto a composite trust metric to assess the trust of anode in a DTN. To cope with both malicious andsocially selfish nodes, we consider “healthiness” and“unselfishness” as two social trust metrics.

2. We propose the notions of “subjective trust” ver-sus “objective trust” based on ground truth for pro-tocol validation. For example, the healthiness trustof a good node should converge to 1 (groundtruth) minus a false positive probability caused bynoise, while the healthiness of a bad node shouldconverge to 0 (ground truth) plus a false negativeprobability caused by noise and the random attackprobability with which this bad node performstrust-related attacks.

3. We address the issue of application performancemaximization (trust-based DTN routing in thispaper) through dynamic trust management by adjust-ing trust aggregation/formation protocol settingsdynamically in response to changing conditions tomaximize DTN routing performance. Essentially weaddress the importance of integration of trust andsecurity metrics into routing and replication deci-sions in DTNs.

4. We develop a novel model-based methodologyutilizing stochastic petri net (SPN) techniques [26]for the analysis of our trust protocol and validateit via extensive simulation. The model validatedwith simulation yields actual ground truth node

� I.-R. Chen, F. Bao, and M. Chang are with the Department of ComputerScience, Virginia Polytechnic Institute and State University, 7054Haycock Rd, Falls Church, VA 22043.E-mail: {irchen, baofenye, mjchang}@vt.edu.

� J.-H. Cho is with Computational and Information Sciences Directorate, USArmy Research Laboratory, Powder Mill Rd. Adelphi, MD 20783.E-mail: [email protected].

Manuscript received 20 Oct. 2012; revised 29 Jan. 2013; accepted 20 Mar.2013; date of publication 11 Apr. 2013; date of current version 21 Mar. 2014.Recommended for acceptance D. Turgut.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TPDS.2013.116

1200 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 5, MAY 2014

1045-9219 � 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

status against which “subjective” trust obtainedfrom executing the trust protocol is verified, andhelps identify the best protocol settings inresponse to dynamically changing network condi-tions to minimize trust bias and to maximize therouting application performance.

5. We perform a comparative analysis of our trust-based DTN routing protocol built on top of dynamictrust management with simulation validationagainst routing based on Bayesian trust management[12], [14] (called Bayesian trust-based routing forshort) and non-trust based (PROPHET [19] and epi-demic [27]) protocols. Our trust-based routing proto-col outperforms Bayesian trust-based routing andPROPHET. Further, it approaches the ideal perfor-mance of epidemic routing in delivery ratio and mes-sage delay without incurring high message orprotocol maintenance overhead.

The rest of the paper is organized as follows. In Section 2,we survey existing trust management protocols andapproaches to deal with misbehaving nodes in DTNs. InSection 3, we describe the system model. In Section 4, wedescribe our dynamic trust management protocol. In Sec-tion 5, we develop a performance model for the analysis ofour trust protocol. In Section 6, we first identify the best pro-tocol settings to minimize trust bias and to maximize therouting application performance, when given a set ofparameters characterizing the operational and environmen-tal conditions. Then we perform a comparative analysis ofour proposed routing protocol against Bayesian trust-basedrouting and PROPHET. In Section 7, we validate our trustmanagement protocol design through extensive simulationusing both synthetic and real mobility data. In Section 8, wedemonstrate the effectiveness of dynamic trust managementin response to changing network conditions to maximizeDTN routing performance. Finally in Section 9, we concludethe paper and discuss future research areas.

2 RELATED WORK

We refer the readers to Appendix A of the supplemental file[6] for a comprehensive survey on the state of the art of trustmanagement for DTNs.

3 SYSTEM MODEL

We consider a DTN environment with no centralizedtrusted authority. Nodes communicate through multiplehops. When a node encounters another node, they exchangeencounter histories certified by encounter tickets [16] so asto prevent black hole attacks to DTN routing. We differenti-ate socially selfish nodes from malicious nodes. A selfishnode acts for its own interests including interests to itsfriends, groups, or communities. So it may drop packetsarbitrarily just to save energy but it may decide to forward apacket if it has good social ties with the source, current car-rier or destination node. We consider a friendship matrix[18] to represent the social ties among nodes. Each nodekeeps a friend list in its local storage. A similar concept tothe friendship relationship is proposed in [20], where famil-iar strangers are identified based on colocation information

in urban transport environments for media sharing. Ourwork is different from [20] in that rather than by frequentcolocation instances, friendship is established by the exis-tence of common friends. Energy spent for maintainingfriend lists and executing matching operations is negligiblebecause energy spent for computation is very small com-pared with that for DTN communication and matchingoperations are performed only when there is a change to thefriend lists. When a node becomes selfish, it will only for-ward messages when it is a friend of the source, current car-rier, or the destination node, while a well-behaved nodeperforms altruistically regardless of the social ties. A mali-cious node aims to break the basic DTN routing functional-ity. In addition to dropping packets, a malicious node canperform the following trust-related attacks:

1. Self-promoting attacks: it can promote its impor-tance (by providing good recommendations foritself) so as to attract packets routing through it(and being dropped).

2. Bad-mouthing attacks: it can ruin the reputation ofwell-behaved nodes (by providing bad recommen-dations against good nodes) so as to decrease thechance of packets routing through good nodes.

3. Ballot stuffing: it can boost the reputation of badnodes (by providing good recommendations forthem) so as to increase the chance of packets routingthrough malicious nodes (and being dropped).

A malicious attacker can perform random attacks toevade detection. We introduce a random attack probabilityPrand to reflect random attack behavior. When Prand ¼ 1, themalicious attacker is a reckless attacker; when Prand < 1 itis a random attacker.

A collaborative attack means that the malicious nodes inthe system boost their allies and focus on particular victimsin the system to victimize. Ballot stuffing and bad-mouthingattacks are a form of collaborative attacks to the trust systemto boost the reputation of malicious nodes and to ruin thereputation of (and thus to victimize) good nodes. We miti-gate collaborative attacks with an application-level trustoptimization design by setting a trust recommender thresh-old Trec to filter out less trustworthy recommenders, and atrust carrier threshold Tf to select trustworthy carriers formessage forwarding. These two thresholds are dynamicallychanged in response to environment changes.

A node’s trust value is assessed based on direct trustevaluation and indirect trust information like recommenda-tions. The trust of one node toward another node is updatedupon encounter events. Each node will execute the trustprotocol independently and will perform its direct trustassessment toward an encountered node based on specificdetection mechanisms designed for assessing a trustproperty X. Later in Section 4 we will discuss these specificdetection mechanisms employed in our protocol for trustaggregation.

4 TRUST MANAGEMENT PROTOCOL

Our trust protocol considers trust composition, trustaggregation, trust formation and application-level trustoptimization designs. Fig. 1 shows a flowchart of our

CHEN ET AL.: DYNAMIC TRUST MANAGEMENT FOR DELAY TOLERANT NETWORKS AND ITS APPLICATION TO SECURE ROUTING 1201

trust management protocol execution. For trust composi-tion design (described in the top part of Fig. 1), we con-sider two types of trust properties:

� QoS trust: QoS trust [10] is evaluated through thecommunication network by the capability of a nodeto deliver messages to the destination node. We con-sider “connectivity” and “energy” to measure theQoS trust level of a node. The connectivity QoS trustis about the ability of a node to encounter othernodes due to its movement patterns. The energy QoStrust is about the battery energy of a node to performthe basic routing function.

� Social trust: Social trust [10], [25] is based on honestyor integrity in social relationships and friendship insocial ties. We consider “healthiness” and social“unselfishness” to measure the social trust level of anode. The healthiness social trust is the belief ofwhether a node is malicious. The unselfishnesssocial trust is the belief of whether a node is sociallyselfish. While social ties cover more than just friend-ship, we consider friendship as a major factor fordetermining a node’s socially selfish behavior.

The selection of trust properties is application driven. InDTN routing, message delivery ratio and message delay aretwo important factors. We consider “healthiness”,“unselfishness”, and “energy” in order to achieve high mes-sage delivery ratio, and we consider “connectivity” toachieve low message delay.

We define a node’s trust level as a real number inthe range of [0, 1], with 1 indicating complete trust,0.5 ignorance, and 0 complete distrust. We consider atrust formation design (described in the middle part ofFig. 1) by which the trust value of node j evaluated bynode i at time t, denoted as Ti;jðtÞ, is computed by a

weighted average of healthiness, unselfishness, connectiv-ity, and energy as follows:

Ti;j tð Þ ¼Xall

X

wX � TXi;j tð Þ; (1)

where X represents a trust property explored ðX ¼ healthi-ness, unselfishness, connectivity or energy), TXi;j tð Þ is nodei’s trust in trust property X toward node j, and wX is theweight associated with trust property X with the sum equalto 1. wX is application-dependent. However, it is not relatedto the application priority [23] but dependent on the opera-tional profile of an application [22].

In this paper, we aim to identify the best weight ratiounder which the application performance (secure rout-ing) is maximized, given an operational profile [22] asinput. Before this can be achieved, however, one mustaddress the accuracy issue of trust aggregation. That is,for each QoS or social trust property X, we must deviseand validate the trust aggregation protocol executed by atrustor node to assess X of a trustee node such that thetrust value computed is accurate with respect to actualstatus of the trustee node in X. This is achieved bydevising a trust propagation protocol (described in themiddle part of Fig. 1) with tunable parameters whichcan be adjusted based on each trust property.

When evaluating Ti;jðtÞ, we adopt the following nota-tions: node i is the trustor, node j is the trustee, node m is anewly encountered node, and node k is a recommender.Node i (trustor) updates its trust toward node j (trustee) intrust property X upon encountering a node at time t overan encounter interval ½t; tþ Dt� as follows:

TXi;j tþ Dtð Þ ¼ bTdirect;Xi;j tþ Dtð Þ þ ð1� bÞT indirect;Xi;j tþ Dtð Þ:ð2Þ

In (2), Tdirect;Xi;j tþ Dtð Þ and T indirect;Xi;j tþ Dtð Þ are “directtrust” (based on direct observations) and “indirect trust”(based on recommendations) of node i toward node j inX at time tþ Dt, respectively, and b in the range of [0, 1]is a parameter to weigh node i’s own direct trust assess-ment toward node j. Every trust property X has its ownspecific b value under which subjective TXi;j tð Þ obtained isaccurate, i.e., close to actual status of node j in X at timet. Trust update is triggered by encounter events. Uponeach encounter event, node i obtains either direct obser-vations toward j (if node i encounters node jÞ or indirectrecommendations towards node j (if node i encountersnode m;m 6¼ j). This is indicated in the yes/no decisionbox in Fig. 1.

4.1 Trust Update upon Node ii Encountering Node jj

Upon encountering node j at time t, node i updates “directtrust” Tdirect;Xi;j tþ Dtð Þ in (2) based on “direct” observationsor interaction experiences with node j over the encounterinterval ½t; tþ Dt�. When a monitoring node (node i) cannotproperly monitor a trustee node (node j) upon encounterbecause of a short contact time, it adapts to this situation bydiscarding the current monitoring result and instead updat-ing direct trust by its past direct trust toward j decayed

Fig. 1. A flowchart for trust protocol execution.


over the time interval Dt to model trust decay over time.Specifically, let Cdirect;X

i;j ðtÞ be a boolean variable indicating ifthe needed data (discussed below) for assessing X is obtain-able within Dt. Then, Tdirect;Xi;j tþ Dtð Þ, node i’s trust in Xtoward node j at time tþ Dt upon encounter at time t, is cal-culated by:

Tdirect;Xi;j tþ Dtð Þ

¼Tencounter;Xi;j tþ Dtð Þ; if Cdirect;X

i;j tð Þ ¼ truee��dDt � Tdirect;Xi;j tð Þ; if Cdirect;X

i;j tð Þ ¼ false:

((3)

In other words, node i will update Tdirect;Xi;j tþ Dtð Þwith its new direct trust toward node j in property Xonly if node i directly encounters node j at time t andthe data needed for assessing X is obtainable withinthe encounter interval Dt; otherwise, node i willsimply update Tdirect;Xi;j tþ Dtð Þ with its past experienceTdirect;Xi;j tð Þ decayed overDt. We adopt an exponential timedecay factor, e�� dDt (with 0 < �d � 0:1 to limit the decayto at most 50 percent).

Node i assesses Tencounter;Xi;j tþ Dtð Þ based on data col-lected from direct observations toward node j over theencounter interval ½t; tþ Dt� as follows:

� Tencounter;healthinessi;j tþ Dtð Þ: Node i assesses node j’sunhealthiness based on evidences manifested due tomalicious attacks including self-promoting, bad-mouthing and ballot stuffing attacks. Evidences ofself-promoting attacks may be detected through theencounter history exchanged from node j. If theencounter history is not certified (e.g., using encoun-ter tickets as in [4], [16]), or is certified but inconsis-tent with node i’s encounter history matrix [11]accumulated, it is considered as a negative experi-ence. A matrix element ðj; kÞ records the number oftimes node j encountered node k, with each encoun-ter being certified with an encounter ticket [4], [16]by both nodes j and k with time stamp information.Because of the encounter ticket mechanism, it isimpossible that node i’s cumulative encounter historymatrix element ðj; kÞ is inconsistent with the encoun-ter history provided by node j with node k if eithernode j or k is a good node, but it is possible that ele-ment ðj; kÞ is inconsistent with the encounter historyprovided by node j with node k if both node j andnode k are malicious, colluding and performing self-promoting attacks to attract packets to them. This isparticularly the case when either node j or node kwas good but later compromised and became mali-cious in between two encounters with node i. Thisinconsistency would be detected by node i andcounted as one negative experience. Evidences ofbad-mouthing/ballot stuffing attacks may bedetected by comparing node j’s recommendationtoward another, say, node q, with the trust value ofnode i toward node q itself. If the percentage differ-ence is higher than a threshold, it is considered sus-picious and thus a negative experience. Thesepositive/negative experiences are collected over

the new encounter period ½t; tþ Dt� to assessTencounter;healthinessi;j tþ Dtð Þ. It is computed by the num-ber of positive experiences over the total experiencesin healthiness-related behavior.

� Tencounter;unselfishnessi;j tþ Dtð Þ: Our notion of social self-ishness is that friends will be cooperative towardeach other even if they are selfish. Every node keepsa friend list and also adds itself as a member. Whennode i and node j encounter and directly interactwith each other, if there is a change to either friendlist, they can exchange their friend lists. To preserveprivacy, node i and node j can agree on a one-wayhash function (with a session key) upon encounter-ing while exchanging the friend lists to hide the iden-tities of their friends. This way, only common friends(the source node, node i, node j, or the destinationnode) will be identified while the identities ofuncommon friends will not be revealed. From nodei’s perspective if node j is a friend of the sourcenode, node i, or node d (the destination) thenTencounter;unselfishnessi;j tþ Dtð Þ is 1. Otherwise, node iwill hope that node j is altruistic by examining theprotocol compliance degree of node j. Specifically,node i applies monitoring techniques to detect altru-istic behaviors, e.g., whether or not node j followsthe prescribed protocol over ½t; tþ Dt�. Evidence ofaltruism is manifested by the behavior for executingbeacon, encounter history exchange, packet receiptacknowledgement, and trust evaluation protocolsexpected out of node j. Tencounter;unselfishnessi;j tþ Dtð Þ isthen computed by the number of positive experien-ces over the total experiences in unselfishness-related behavior. Here we note that node i will notmonitor if node j has forwarded a packet since it isimpractical to monitor packet forwarding in DTNs.

� Tencounter;connectivityi;j tþ Dtð Þ: While there is no pre-determined connectivity pattern in DTNs, the con-nectivity of one node ðjÞ to another node ðdÞ is inher-ently associated with its mobility pattern and itssocial activities. This trust property represents theconnectivity of node j to the destination node d. Ifthe connectivity trust is high, then node j would be agood candidate for packet delivery to node d. Node ideduces node j’s connectivity with node d based onits encounter matrix [11] collected over 0; tþ Dt½ �,including the new encounter history received fromnode j. Specifically, node i uses its encounter historymatrix accumulated over 0; tþ Dt½ � to computeTencounter;connectivityi;j tþ Dtð Þ as the ratio of the numberof encounters between node j and node d to the max-imum number of encounters between any node andnode d. Note that node i should only accept a certi-fied encounter history (as in [4], [16]) to avoid blackhole attacks.

� Tencounter;energyi;j tþ Dtð Þ: This trust property representsthe capability or competence of node j to do the basicrouting function. Node i counts the ratio of thenumber of acknowledgement packets receivedfrom node j (at the MAC layer) over transmittedpackets to node j, over ½t; tþ Dt�, to estimate energystatus in node j.


In this case, since there is no new “indirect trust,” node i

simply updates T indirect;Xi;j tþ Dtð Þ with its past experience

T indirect;Xi;j tð Þ decayed over Dt, i.e.,

T indirect;Xi;j tþ Dtð Þ ¼ e��dDt � T indirect;Xi;j tð Þ: (4)

4.2 Trust Update upon Node ii Encountering Nodem;m 6¼ jm;m 6¼ j

When node i encounters node m;m 6¼ j, node i uses its1-hop neighbors (including node m) as recommendersto update “indirect trust” T indirect;Xi;j tþ Dtð Þ in (2). Anapplication-level optimization parameter is the recom-mender trust threshold Trec for the selection of recommen-ders. Using Trec provides robustness against bad-mouthingor ballot stuffing attacks since only recommendations frommore trustworthy nodes are considered. The indirect trustevaluation toward node j is given in (5) below where Ri isthe set containing node i’s 1-hop neighbors withTi;k tð Þ � Trec and jRij indicates the cardinality of Ri. Ifnode i considers node k as a trustworthy recommender, i.e.,Ti;k tð Þ � Trec, then node k is allowed to provide its recom-mendation to node i for evaluating node j. In this case,node i weighs node k’s recommendation, TXk;jðtÞ, withnode i’s referral trust, TXi;kðtÞ, toward node k.

T indirect;Xi;j tþ Dtð Þ ¼e��dDt � T indirect;Xi;j tð Þ; if jRij ¼ 0;P

k2Ri

�TXi;kðtÞ�TX

k;jðtÞ�

Pk2Ri

TXi;k

tð Þ ; if jRij > 0:

8><

>:

(5)

In this case, since there is no new “direct trust,” node isimply updates Tdirect;Xi;j tþ Dtð Þ with its past experienceTdirect;Xi;j tð Þ decayed over Dt, i.e.,

Tdirect; Xi;j tþ Dtð Þ ¼ e��dDt � Tdirect;Xi;j tð Þ: (6)

4.3 Application-Level Trust Optimization forEncounter-Based DTN Routing

When node i encounters node j, it uses Ti;j tð Þ from Eq. (1) todecide whether or not node m can be the next message car-rier to shorten message delay or improve message deliveryratio. We use two application-level optimization parametersfor encounter-based DTN routing performance maximiza-tion. One parameter described earlier in Section 4.2 is theminimum trust threshold Trec for the selection of recommen-ders. A high Trec blocks bad-mouthing or ballot stuffingattacks but discourages recommendations, so “indirecttrust” may be decayed unnecessarily because of lack of rec-ommendations. A low Trec on the other hand encouragesrecommendations but opens door to malicious attacks.Another application-level optimization parameter is theminimum trust threshold Tf for the selection of the nextmessage carrier. Node i will forward the message to node jonly if Ti;j tð Þ � Tf and Ti;j tð Þ is in the top V percentileamong all Ti;m tð Þ ‘s. This helps the chance of selecting atrustworthy next message carrier. We aim to identify the

best application-level trust optimization parameter settingsin terms of Trec and Tf to maximize the performance of theDTN routing application. This application-level trust opti-mization design is described in the bottom part of Fig. 1.

5 PERFORMANCE MODELING

We validate our trust management designs by a novelmodel-based analysis methodology via extensive simula-tion. Specifically we develop a mathematical model basedon continuous-time semi-Markov stochastic processes (forwhich the event time may follow any general distribution)to define a DTN consisting of a large number of mobilenodes exhibiting heterogeneous social and QoS behaviors.

We take the concept of “operational profiles” in softwarereliability engineering [22] as we build the mathematicalmodel. An operational profile is what the system expects tosee during its operational phase. During the testing anddebugging phase, a system would be tested with its antici-pated operational profile to reveal design faults. Failuresare detected and design faults causing system failures areremoved to improve the system reliability. The operationalprofile of a DTN system specifies the operational and envi-ronmental conditions. Typically this would include knowl-edge regarding (a) hostility such as the expected percent ofmisbehaving nodes and if it is evolving the expected rate atwhich nodes become malicious or selfish or even theexpected percent of misbehaving nodes as a function oftime; (b) mobility traces providing information of how oftennodes meet and interact with each other; (c) behavior speci-fications defining good behavior and misbehavior duringprotocol execution; and (d) resource information such ashow fast energy is consumed.

We develop a probability model based on stochastic petrinet techniques [26] to describe a DTN, given an operationalprofile as input. The SPN model for a DTN node is shownin Fig. 2 consisting of four places, namely, energy, location,maliciousness and selfishness. The underlying state machineis a semi-Markov model with 4-component states, i.e.,(energy, location, maliciousness, selfishness), where energy isan integer holding the amount of energy left in the node,location is an integer holding the location of the node,maliciousness is a binary variable with 1 indicating the nodeis malicious and 0 otherwise, and selfishness is a binary vari-able with 1 indicating the node is socially selfish and 0 oth-erwise. A selfish node will forward a packet only if thesource, current carrier or the destination is in its friend list.Here we note that a node’s trust value actually is a realnumber in [0, 1]; it is calculated by a state-probabilityweighed sum of trust values assigned to the states of the

Fig. 2. SPN Model for a Node in the DTN.


underlying semi-Markov model of the SPN performancemodel, i.e., trust value ¼

Pi (state probability of state i �

trust value in state i). In some states, the trust value isbinary. For example in a state in which a node is compro-mised, the trust value for property “healthiness” in thisstate is 0. Note that each node has its own SPN model. Sothere are as many SPN models as they are nodes in theDTN. The operational profile specifies the percent of mali-cious nodes and the percent of socially selfish nodes. Thus,some nodes will be malicious in accordance with this speci-fication. Similarly some nodes will be selfish based on thepercent of selfish nodes.

The purpose of the SPN model is to yield ground truthstatus of a node in terms of its healthiness, unselfishness,connectivity, and energy status. Then we can check subjec-tive trust against ground truth status for validation of trustprotocol designs. Below we explain how we leverage theSPN model to determine a node’s ground truth status.

Location (Connectivity): The connectivity trust of node mtoward node d is measured by the probability that bothnode m and node d are in the same location at time t. Weuse the location subnet to describe the location status of anode. Transition T_LOCATION is triggered when the nodemoves to a new area from its current location according toits mobility pattern. We consider both synthetic mobilitymodels based on SWIM [15] and real mobility traces. Thisinformation along with the location information of othernodes at time t provides us the probability of two nodesencountering with each other at any time t.

Energy: We use the energy subnet to describe theenergy status of a node. Place energy represents the cur-rent energy level of a node. An initial energy level ðE0Þof each node represented by a number of tokens isassigned according to node heterogeneity information. Atoken is taken out when transition T_ENERGY fires rep-resenting the energy consumed during protocol execu-tion, packet forwarding and/or performing attacks in thecase of a malicious node. The rate of transitionT_ENERGY indicates the energy consumption rate whichvaries depending on the ground truth status of the node(i.e., malicious or selfish). The operational profile speci-fies the energy consumption rate of a malicious nodeversus a selfish node versus a well-behaved node.

Healthiness: A malicious node is necessarily unhealthy.So we will know the ground truth status of healthinessof the node by simply inspecting if place maliciousnesscontains a token.

Unselfishness: A socially selfish node drops packets unlessthe source, current carrier or the destination node is in itsfriend list. We will know the ground truth status of unself-ishness of the node by simply inspecting if place selfishnesscontains a token.

Dynamically changing environment conditions: With thegoal to deal with malicious and selfish nodes in DTN rout-ing, in this paper we consider a dynamically changing envi-ronment in which the number of misbehaving nodes(malicious or selfish) is changing over time. A nodebecomes malicious when it is captured and turned into acompromised node, as dictated by the per-node capturerate. The SPN output provides the probability that a node iscompromised at time t. We model the capture event by a

transition T_COMPRO (in dashed line) in Fig. 2. Once thetransition T_COMPRO is triggered, a token will be movedinto the place maliciousness representing that this node iscompromised. Similarly, once the transition T_SELFISH(also in dashed line) is triggered, a token will be moved intothe place selfishness representing that this node becomes self-ish. The transition rates of T_COMPRO and T_SELFISH are�c and �s, respectively. We will use the SPN model aug-mented with the two dashed line transitions in Section 8 inwhich we treat the subject of dynamic trust management.

Objective trust evaluation: The SPN model describedabove yields actual or ground truth status of each node.The “objective” trust of node j at time t, denoted byTj tð Þ, is also obtained from Eq. (1) except that TXj tð Þ isbeing used instead of TXi;j tð Þ. Here TXj ðtÞ is simply theactual or ground truth status of node j in trust propertyX at time t obtainable from the SPN model for node j.The notion of “objective” trust evaluation is to validatesubjective trust evaluation, that is, subjective trust evalu-ation is valid if the subjective trust value obtained as aresult of executing our dynamic trust management proto-col is accurate with respect to the objective trust valueobtained from ground truth.

6 NUMERICAL RESULTS

In this section we present numerical results generatedfrom the SPN model. Our trust evaluation results havetwo parts. The first part is about the convergence andaccuracy of trust aggregation for individual trust proper-ties. The second part is about maximizing applicationperformance through trust formation (by setting the bestweights to trust properties) and application-level trustoptimization (by setting the best recommender trustthreshold Trec, and message carrier trust threshold Tf ).Because different trust properties have their own intrin-sic trust nature and react differently to trust decay overtime, each trust property X has its own best set of ðb; �dÞunder which TXi;j tð Þ obtained from (2) would be the mostaccurate, i.e., closest to actual status of node j in trustproperty X, or TXj tð Þ. Recall that a higher b value indi-cates that subjective trust evaluation relies more ondirect observations compared with indirect recommenda-tions provided by the recommenders and that a higher�d indicates a higher trust decay rate. Once we ensurethe accuracy of each trust property X, we can thenaddress the trust formation issue, i.e., identifying thebest way to form the overall trust out of QoS and socialtrust properties and the best way to set application-leveltrust parameters such that the application performance(i.e., secure routing) is maximized.

Table 1 lists a set of parameters and their values (for inputparameters) as prescribed by the operational profile of aDTN. We consider N ¼ 20 nodes moving according to theSWIM mobility model [15] modeling human social behaviorsin an m�m ¼ 16� 16 ð4 km� 4 kmÞ operational region,with each region coving R ¼ 250 m radio radius. We useSWIM in this section for numerical results. Later in Section 7we also use traces in our simulation studies. The initialenergy of each node E0 is set to 100 hours lifetime. The errorprobability of direct trust assessment of Tdirect;Xi;j tþ Dtð Þ due


to environment noise denoted by Perror is set to 5 percent. ForX ¼ healthiness, the false positive probability Pfp of misi-dentifying a healthy node as an unhealthy node is equivalentto Perror, i.e., 5 percent. For a compromised node performingrandom attacks with probability Prand (in the range of [0, 1])to evade detection, the false negative probability Pfn formissing an unhealthy node as a healthy node isPerrorPrand þ ð1� PerrorÞð1� PrandÞ. That is, Pfn is Perror withprobability Prand (if attacking) and 1� Perror with probability1� Prand (if not attacking). We set Cdirect;X

i;j (in Eq. (3)) to trueif the encounter duration is longer than 10 minutes as itwould allow sufficient data to be collected for direct trustassessment of X; we set it to false otherwise. In SWIM [15], anode has a home location and a number of popular places. Anode makes a move to one of the population places based ona prescribed pattern. The probability of a location beingselected is higher if it is closer to the node’s home location orif it has a higher popularity (visited by more nodes). Whenreaching the destination, the node pauses at the destinationlocation for a period of time following a bounded power lawdistribution. We set the slope of the SWIM mobility model to1.45 (as in [15]) and the upper-bound pause time to 4 hours.

The weight of direct trust ðbÞ, trust decay parameter(�d), trust threshold for the recommender ðTrecÞ, trustthreshold for the next carrier ðTfÞ and weight of trustproperty X ðwXÞ are design parameters whose best set-tings are to be determined as output. Here we shouldnote that a social friendship matrix [18] and the percen-tages of selfish and malicious nodes, although not speci-fied in Table 1, are also given as input, which we willvary in the analysis to test their effects on design param-eters. Lastly, the node compromise rate ð�cÞ and nodeselfishness rate ð�sÞ for characterizing changing DTNconditions are also not specified in Table 1. We will con-sider these two parameters and treat the subject ofdynamic trust management in Section 8.

6.1 Best Trust Propagation Protocol Settings toMinimize Trust Bias

Here we determine the best ðb; �dÞ values that yield subjec-tive trust evaluation closest to objective trust evaluation tominimize trust bias, given a set of parameter values as listedin Table 1 characterizing the operational and environmentalconditions. We fix the percentage of selfish nodes to 30 per-cent and vary the percentage of malicious nodes from 0 to45 percent to examine its effect. We set the recommendertrust threshold ðTrecÞ to 0.6, since the trust value of a mali-cious node is likely to be lower than ignorance (0.5), soTrec � 0:6 can effectively filter out false recommendationsfrom malicious nodes. Since there are only two input

parameters, we search the best ðb; �dÞ for each trust prop-erty through exhaustive search, i.e., we compare subjectivetrust obtained through protocol execution under a givenðb; �dÞ with objective trust. The best ðb; �dÞ combination isthe one that produces the lowest mean square error (MSE).This information determined at static time is recorded in atable to be used by dynamic trust management which wewill discuss later in Section 8.

In Table 2, we summarize the best ðb; �dÞ values foreach trust property for minimizing trust bias, given thepercent of malicious nodes as input, for a trustor node(i.e., node i) randomly picked toward a trustee node(i.e., node j) also randomly picked. Each ðb; �dÞ entryrepresents the best combination under which subjectivetrust TXi;j tð Þ obtained as a result of executing our trustaggregation protocol for trust property X (as prescribedby Eq. (2)) deviates the least from objective trust forproperty X (that is, TXj tð Þ). We have observed for allcases the most deviation is 3 percent MSE. This substan-tiates our claim that there exists a distinct best protocolsetting in terms of ðb; �dÞ for each trust property X,with X ¼ connectivity, energy, healthiness or unselfish-ness. Furthermore, the best ðb; �dÞ setting changes as thepercent of misbehaving nodes changes dynamically.

6.2 Best Trust Formation Protocol Settings toMaximize Application Performance

Next we turn our attention to the trust formation issue tooptimize application performance. For the secure routingapplication, two most important performance metrics aremessage delivery ratio and delay. In many situations,however, excessive long delays are not acceptable toDTN applications. We define the delivery ratio as thepercentage of messages that are delivered successfullywithin an application deadline which is the maximumdelay the application can tolerate. While our protocol isgeneric to any deadline, we set the deadline (or a time-to-live limit) to 2 hours to reveal the tradeoff betweendelay and delivery ratio in this environment setting forDTN routing. Our goal is to find the best way to assignthe weight wX to X ¼ healthiness, unselfishness, connec-tivity or energy to maximize the delivery ratio. Since thesearch space is small, we perform exhaust search toidentify the best trust formation (wX with an increment

Table 2Best ðb, �d) to Minimize Trust Bias

Table 1System Parameters


of 0.1) under which delivery ratio is maximized. Thisinformation again is recorded in a table to be used fordynamic trust management (Section 8). We assume thata malicious node drops all packets. A selfish node dropspart of packets it receives depending on if it knows thesource, current carrier or destination node socially(whether these nodes are in its friend list).

We consider two variations of secure routing protocols:single-copy forwarding (L ¼ 1Þ and multi-copy forwardingðL � 2Þ, where L is the maximum number of carriers towhich a node can forward a message. Below we discusshow we identify the best setting for double-copy forward-ing ðL ¼ 2Þ. The best setting for other cases ðL ¼ 1 orL > 2Þ can be obtained in a similar way, but is not pre-sented here due to space limitation.

Table 3 summarizes the best trust formation for maxi-mizing delivery ratio under double-copy forwarding,given the percentage of malicious nodes as input. Wefirst observe there is a distinct set of optimal weight set-tings under which delivery ratio is maximized. Second,the optimal weight of the healthiness trust propertyincreases as the percent of malicious node increases.This is because in hostile environments, using a higherweight on healthiness helps identify malicious nodes toavoid message loss.

Fig. 3 correspondingly shows the maximum deliveryratio obtainable when the system operates under the besttrust formation setting identified. We see that the deliveryratio remains high even as the percent of malicious nodesincreases to as high as 45 percent. This to some extent dem-onstrates the resiliency property of our trust-based routingprotocol against malicious attacks.

6.3 Best Application-Level Trust OptimizationDesign Settings to Maximize ApplicationPerformance

In this section, we apply the application-level trust opti-mization design in terms of the best minimum trustthreshold Trec for the selection of recommenders and thebest message carrier trust threshold Tf to maximizedelivery ratio in response to changing hostility reflectedby the percent of malicious nodes. Fig. 4 shows deliveryratio versus Tf with the percentage of malicious nodesvarying in [0-45 percent]. We set the trust recommenderthreshold, Trec, at 0.6 to isolate out its effect. We noticethat there is an optimal Tf value under which deliveryratio is maximized. With the environment setting (30 per-cent selfish nodes and 0 to 45 percent malicious nodes),the optimal value Tf value is around 0.7. The reason isthat using a higher value of Tf helps generate a highermessage delivery ratio by choosing only the most trust-worthy nodes as message carriers, but it also introducesa higher message delay. Therefore, Tf ¼ 0:7 is the bestsetting to balance the tradeoff between message deliveryratio versus message delay, except for the case whenthere are little malicious nodes for which Tf ¼ 0:5 is thebest setting.

6.4 Comparative Analysis

Lastly we conduct a comparative analysis, contrasting ourtrust-based protocol operating under the best settings iden-tified with Bayesian trust-based routing [12], [14] and non-trust based (PROPHET [19] and epidemic [27]) protocols.PROPHET [19] uses the history of encounters and transitiv-ity to calculate the probability that a node can deliver a mes-sage to a particular destination; it is considered as abenchmark “non-trust based” forwarding algorithm forDTNs in the literature. Bayesian trust-based routing on theother hand relies on the use of trust information maintainedby a Bayesian based trust management system (such as aBeta reputation system [12], [14]) to make routing decisions.In a Bayesian trust management system, the trust value isassessed using the Bayes estimator, updated by both directobservations and indirect recommendations. The directobservations are directly used to update the number of posi-tive and negative observations, whereas the recommenda-tions are discounted by the confidence [12] or belief [14] ofthe trustor toward the recommender. Under Bayesian trust-based routing, a node is chosen as the message carrier onlyif its trust value is in the top V percentile and higher thanthe message carrier trust threshold Tf . We choose Bayesian

Table 3Best Trust Formation to Maximize Delivery Ratio

Fig. 3. Delivery ratio under best trust formation.

Fig. 4. Effect of Tf on delivery ratio.


trust-based routing because of its popularity in trust/repu-tation systems. We again consider double-copy forwarding(with L ¼ 2) with nodes following the SWIM mobilitymodel. For our trust-based secure routing protocol, we usethe best settings for double-copy forwarding as identifiedearlier. There is no specific protocol parameter being usedin epidemic routing. In epidemic routing, a message carrierforwards a message to every encountering node wheneverthis node has not seen the message before. It is selected as abaseline protocol to provide a performance bound in mes-sage delivery ratio and message delay. For PROPHET, theparameter values of initialization constant, aging constant,and scaling constant are 0.75, 0.25, and 0.98, respectively assuggested in [19], and we verify that PROPHET performsthe best under these parameter settings through simulation.For the Bayesian trust model, there is no direct trust andindirect trust weight parameters because the weight to indi-rect trust is determined by confidence or belief [12], [14],[17] based on the positive and negative experiences/recom-mendations received. For fair comparison, we also use thebest application-level protocol setting (i.e., Tf ). When apply-ing the Bayesian trust model to DTN routing.

Fig. 5 compares the message delivery ratio, delay, andoverhead generated by our trust protocol against Bayesian

trust-based, PROPHET, and epidemic routing protocols. Theresults demonstrate that our trust-based secure routing pro-tocol designed to maximize delivery ratio can effectivelytrade off message overhead for a significant gain in deliveryratio. In particular, our protocol and Bayesian trust-basedrouting have less performance degradation in message deliv-ery ratio than PROPHET when the percentage of maliciousnodes increases. The reason is that using trust to select thenext message carrier can avoid messages being forwarded tomalicious nodes and then being dropped. Further, our trust-based routing protocol outperforms Bayesian trust-basedrouting and PROPHET in delivery ratio as it applies the besttrust formation out of social and QoS trust properties. More-over, our trust-based routing protocol also outperformsBayesian trust-based and PROPHET in message delay exceptwhen there is a very high percent of malicious nodes (e.g., 40-45 percent of malicious nodes) in the system. The reason isthat when there is a high percent of malicious nodes, our pro-tocol tends to use a higher weight for healthiness and conse-quently a lower weight for connectivity, thus causing ahigher message delay. Here we note that there is a tradeoffbetween message delivery ratio and message delay. Whenthe percentage of malicious nodes in the network increases, amessage originally successfully delivered with a longer mes-sage delay is more likely to be dropped; hence, this droppedmessage would not be counted in calculating message delay.This certainly does not mean we should have more maliciousnodes in the network since the message delivery ratio willdecrease. The similar observations appear in [19] investigat-ing the performance of both message delivery ratio and mes-sage delay in DTN routing. Lastly, the message overhead ofour trust-based routing protocol is significantly lower thanepidemic routing. We conclude that our trust-based protocolapproaches the ideal performance of epidemic routing indelivery ratio and message delay without incurring highmessage overhead.

7 SIMULATION VALIDATION

In this section, we validate analytical results through exten-sive simulation using ns-3 [1]. The simulated DTN environ-ment is setup as described in Table 1. We simulate twomobility patterns: a synthetic mobility model based onSWIM [15] and real mobility traces from [24], namely Intel,Cambridge, Infocom05 and Infocom06. The simulation resultsobtained based on both SWIM mobility and mobility tracescorrelate well with analytical results in Fig. 5. We also pres-ent simulation results to demonstrate trust assessment accu-racy, convergence and resiliency properties of our protocol.We refer the readers to Appendix B of the supplemental file[6] for detail.

8 DYNAMIC TRUST MANAGEMENT

In this section, we perform a comparative analysis of ourdynamic trust management protocol for DTN routingagainst PROPHET, Bayesian trust-based routing, and epi-demic routing, all operating under best protocol settingsdynamically in response to hostility changes over time. Weconsider two mobility patterns: the SWIM mobility model[15] and the infocom06 mobility trace [24] to demonstrate the

Fig. 5. Performance comparison (analytical results based on SWIMmobility).


effectiveness of our dynamic trust management protocolregardless of the mobility pattern. We refer the readers toAppendix C of the supplemental file [6] for detail.

9 CONCLUSION

In this paper, we designed and validated a trust manage-ment protocol for DTNs and applied it to secure routing todemonstrate its utility. Our trust management protocolcombines QoS trust with social trust to obtain a compositetrust metric. Our design allows the best trust settingðb; �dÞ for trust aggregation to be identified so that subjec-tive trust is closest to objective trust for each individualtrust property for minimizing trust bias. Further, ourdesign also allows the best trust formation ðwXÞ and appli-cation-level trust settings ðTf ; TrecÞ to be identified to maxi-mize application performance. We demonstrated how theresults obtained at design time can facilitate dynamic trustmanagement for DTN routing in response to dynamicallychanging conditions at runtime. We performed a compara-tive analysis of trust-based secure routing running on topof our trust management protocol with Bayesian trust-based routing and non-trust-based routing protocols(PROPHET and epidemic) in DTNs. Our results backed bysimulation validation demonstrate that our trust-basedsecure routing protocol outperforms Bayesian trust-basedrouting and PROPHET. Further, it approaches the idealperformance of epidemic routing in delivery ratio and mes-sage delay without incurring high message or protocolmaintenance overhead.

There are several future research areas including(a) exploring other trust-based DTN applications withwhich we could further demonstrate the utility of ourdynamic trust management protocol design; (b) design-ing trust management for DTNs considering social com-munities and performing comparative analysis withmore recent works such as [2], [3]; (c) implementing ourproposed dynamic trust management protocol on top ofa real DTN architecture [5] to further validate the proto-col design, as well as to quantify the protocol overhead;(d) investigating trust-based admission control strategiesas in [7], [8], [9] used by selfish nodes to maximize theirown payoffs while contributing to DTN routing perfor-mance; and (e) developing trust and security manage-ment protocols for delay-tolerant, self-contained messageforwarding applications based on the information-centricnetworks (ICN) architecture [13].

ACKNOWLEDGMENTS

This work was supported in part by the Army ResearchOffice under Grant W911NF-12-1-0445.

REFERENCES

[1] “The ns-3 Network Simulator,” http://www.nsnam.org/, Nov.2011.

[2] E. Ayday, H. Lee, and F. Fekri, “Trust Management and Adver-sary Detection for Delay Tolerant Networks,” Proc. MilitaryComm. Conf., pp. 1788-1793, 2010.

[3] E. Ayday, H. Lee, and F. Fekri, “An Iterative Algorithm for TrustManagement and Adversary Detection for Delay TolerantNetworks,” IEEE Trans. Mobile Computing, vol. 11, no. 9, pp. 1514-1531, Sept. 2012.

[4] J. Burgess, B. Gallagher, D. Jensen, and B.N. Levine, “Maxprop:Routing for Vehicle-Based Disruption-Tolerant Networking,”Proc. IEEE INFOCOM, pp. 1-11, Apr. 2006.

[5] V. Cerf, S. Burleigh, A. Hooke, L. Torgerson, R. Durst, K. Scott,K. Fall, and H. Weiss, “Delay-Tolerant Networking Architec-ture,”RFC 4838, IETF, 2007.

[6] I.R. Chen, F. Bao, M. Chang, and J.H. Cho, “Supplemental Mate-rial for ‘Dynamic Trust Management for Delay Tolerant Networksand Its Application to Secure Routing’,” IEEE Trans. Parallel andDistributed Systems, 2013.

[7] I.R. Chen and T.H. Hsi, “Performance Analysis of AdmissionControl Algorithms Based on Reward Optimization for Real-TimeMultimedia Servers,” Performance Evaluation, vol. 33, no. 2, pp. 89-112, 1998.

[8] S.T. Cheng, C.M. Chen, and I.R. Chen, “Dynamic Quota-BasedAdmission Control with Sub-Rating in Multimedia Servers,” Mul-timedia Systems, vol. 8, no. 2, pp. 83-91, 2000.

[9] S.T. Cheng, C.M. Chen, and I.R. Chen, “Performance Evalua-tion of an Admission Control Algorithm: Dynamic Thresholdwith Negotiation,” Performance Evaluation, vol. 52, no. 1, pp. 1-13, 2003.

[10] J.H. Cho, A. Swami, and I.R. Chen, “A Survey on Trust Manage-ment for Mobile Ad Hoc Networks,” IEEE Comm. Surveys & Tuto-rials, vol. 13, no. 4, pp. 562-583, Fourth Quarter 2011.

[11] E.M. Daly and M. Haahr, “Social Network Analysis for Informa-tion Flow in Disconnected Delay-Tolerant MANETs,” IEEE Trans.Mobile Computing, vol. 8, no. 5, pp. 606-621, May 2009.

[12] M.K. Denko, T. Sun, and I. Woungang, “Trust Management inUbiquitous Computing: A Bayesian Approach,” Computer Comm.,vol. 34, no. 3, pp. 398-406, 2011.

[13] V. Jacobson, D.K. Smetters, J.D. Thornton, M. Plass, N. Briggs, andR. Braynard, “Networking Named Content,” Comm. ACM, vol. 55,no. 1, pp. 117-124, 2012.

[14] A. Jøsang and R. Ismail, “The Beta Reputation System,” Proc. BledElectronic Commerce Conf., pp. 1-14, June 2002.

[15] S. Kosta, A. Mei, and J. Stefa, “Small World in Motion (SWIM):Modeling Communities in Ad-Hoc Mobile Networking,” Proc.Seventh IEEE Comm. Soc. Conf. Sensor, Mesh and Ad Hoc Comm. andNetworks, June 2010.

[16] F. Li, J. Wu, and A. Srinivasan, “Thwarting Blackhole Attacks inDisruption-Tolerant Networks Using Encounter Tickets,” Proc.IEEE INFOCOM, pp. 2428-2436, 2009.

[17] N. Li and S.K. Das, “RADON: Reputation-Assisted Data Forward-ing in Opportunistic Networks,” Proc. Second ACM Int’l WorkshopMobile Opportunistic Networking, pp. 8-14, Nov. 2010.

[18] Q. Li, S. Zhu, and G. Cao, “Routing in Socially Selfish Delay Toler-ant Networks,” Proc. IEEE INFOCOM, pp. 1-9, Mar. 2010.

[19] A. Lindgren, A. Doria, and O. Schelen, “Probabilistic Routing inIntermittently Connected Networks,” ACM SIGMOBILE MobileComputing and Comm. Rev., vol. 7, no. 3, pp. 19-20, 2003.

[20] L. McNamara, C. Mascolo, and L. Capra, “Media Sharing Basedon Colocation Prediction in Urban Transport,” Proc. 14th Ann. Int’lConf. Mobile Computing and Networking, 2008.

[21] A. Mei and J. Stefa, “Give2Get: Forwarding in Social Mobile Wire-less Networks of Selfish Individuals,” Proc. IEEE Int’l Conf. Distrib-uted Computing Systems, pp. 488-297, June 2010.

[22] J.D. Musa, “Operational Profiles in Software-Reliability Engineer-ing,” IEEE Software, vol. 10, no. 2, pp. 14-32, Mar. 1993.

[23] I. Psaras, L. Wood, and R. Tafazolli, “Delay-/Disruption-TolerantNetworking: State of the Art and Future Challenges,” technicalreport, Dept. of Electrical Eng., Univ. of Surrey, 2009.

[24] J. Scott, R. Gass, J. Crowcroft, P. Hui, C. Diot, and A. Chain-treau, “CRAWDAD Data Set Cambridge/Haggle (v. 2009-05-29),” http://crawdad.cs.dartmouth.edu/cambridge/haggle,May 2009.

[25] S. Trifunovic, F. Legendre, and C. Anastasiades, “Social Trust inOpportunistic Networks,” Proc. IEEE INFOCOM, pp. 1-6, Mar.2010.

[26] K.S. Trivedi, “Stochastic Petri Nets Package User’s Manual,” Dept.of Electrical and Computer Eng. Duke Univ., 1999.

[27] A. Vahdat and D. Becker, “Epidemic Routing for Partially Con-nected Ad Hoc Networks,” technical report, Duke Univ., 2000.


Ing-Ray Chen received the BS degree from theNational Taiwan University, Taipei, Taiwan, andthe MS and PhD degrees in computer sciencefrom the University of Houston. He is a professorin the Department of Computer Science at Vir-ginia Tech. His research interests include mobilecomputing, wireless systems, security, trust man-agement, data management, real-time intelligentsystems, and reliability and performance analy-sis. He currently serves as an editor for IEEECommunications Letters, IEEE Transactions on

Network and Service Management, Wireless Personal Communications,Wireless Communications and Mobile Computing, The Computer Jour-nal, Security and Network Communications, and International Journalon Artificial Intelligence Tools. He is a member of the IEEE and ACM.

Fenye Bao received the BS degree in computerscience from Nanjing University of Aeronauticsand Astronautics, Nanjing, China in 2006 andthe ME degree in software engineering fromTsinghua University, Beijing, China in 2009. Hereceived his PhD degree in Computer Sciencefrom Virginia Tech in 2013. Currently he is a tech-nical staff member of LinkedIn. His researchinterests include trust management, security,wireless networks, wireless sensor networks,mobile computing, and dependable computing.

MoonJeong Chang received the BS, MS, andPhD degrees in computer science from EwhaWomans University in 2001, 2003, and 2009,respectively. Her research interests includemobility management, trust management, mobilecomputing, delay tolerant computing, and secureand dependable computing. She is currently apostdoc in the Department of Computer Scienceat Virginia Tech.

Jin-Hee Cho received the BA degree from theEwha Womans University, Seoul, Korea and theMS and PhD degrees in computer science fromthe Virginia Tech. She is currently a computerscientist at the US Army Research Laboratory(USARL), Adelphi, Maryland. Her research inter-ests include wireless mobile networks, mobile adhoc networks, sensor networks, secure groupcommunications, group key management, net-work security, intrusion detection, performanceanalysis, trust management, cognitive networks,

social networks, dynamic networks, and resource allocation. She is amember of the IEEE and ACM.

" For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

1200 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED …people.cs.vt.edu/~irchen/ps/Chen-TPDS14.pdfIndex Terms—Delay tolerant networks, dynamic trust management, secure routing, performance