a survey on secure multipath routing protocols in wsns · 2011-09-21 · a survey on secure...

Computer Networks 54 (2010) 2215–2238

Contents lists available at ScienceDirect

Computer Networks

journal homepage: www.elsevier .com/ locate/comnet

A survey on secure multipath routing protocols in WSNs

Eliana Stavrou *, Andreas PitsillidesUniversity of Cyprus, Department of Computer Science, P.O. Box 20537, Nicosia CY 1678, Cyprus

a r t i c l e i n f o

Article history:Received 4 June 2009Received in revised form 23 February 2010Accepted 25 February 2010Available online 3 March 2010Responsible Editor: A. Kamal

Keywords:Secure multipath routingWireless sensor networksMultipath routingSecurity

1389-1286/$ - see front matter � 2010 Elsevier B.Vdoi:10.1016/j.comnet.2010.02.015

* Corresponding author. Tel.: +357 22325240; faxE-mail addresses: [email protected] (E. Stav

[email protected] (A. Pitsillides).

a b s t r a c t

Routing protocols in wireless sensor networks (WSN) have been substantially investigatedby researches. Most state-of-the-art surveys have focused on reviewing the different rout-ing schemes that have been proposed for WSN and classifying them based on the network’stype and protocol’s operation. Security aspects in routing protocols have not been givenenough attention, since most of the routing protocols in WSNs have not been designed withsecurity requirements in mind. However, taking into consideration that WSN applicationsneed to support critical infrastructures (i.e., military, healthcare, environmental, etc.), secu-rity becomes an issue. And since these infrastructures are highly depended on the availabil-ity of resources, focus has especially been given to support a secure, resilient and reliableenvironment, with multipath routing being one of the added functionalities. The need forsecurity in sensitive WSN application has lead researchers to design secure multipath rout-ing protocols from the beginning or design security extensions for existing protocols. Thispaper surveys the current state-of-the-art of secure multipath routing protocols in WSNs,classifies the protocols in categories according to their security-related operational objec-tives, defines a new threat model in the routing procedure and identifies open researchissues in the area.

� 2010 Elsevier B.V. All rights reserved.

1. Introduction

Wireless sensor networks (WSN) have been developingrapidly in the last years and they promise to be one of thebasic infrastructures to support ambient intelligence. Cur-rently, sensor nodes are promoted to be used in a widespectrum of applications such as in military, healthcareand environmental applications [37,38], where theymanage highly sensitive information. This means thatcompromization of data is unacceptable in these mission-critical environments since they are depended on timelyand reliable information to provide their services. In WSNs,there are many risks [31] that can compromise the net-work and its data. Therefore, security in critical WSNsinfrastructures becomes essential and must be addressedin order to protect the network and its data.

. All rights reserved.

: +357 22325241.rou), andreas.pitsilli-

Security should be supported by fundamental opera-tions in WSNs in order to promote a stable security infra-structure that will be able to handle effectively andefficiently malicious activity that targets to compromisethe WSN. Such an operation is the routing that establishescommunication paths between sensor nodes and forwardsdata from a source to a destination node. The commonpractice in WSNs, where resources are limited, is to estab-lish single-path routing between the source and destina-tion nodes. However, failure of nodes along the pathwould mean failure of the path and loss of data. Further-more, if routing is compromised then the entire WSN isendangered. In the context of sensitive applications, estab-lishing reliability and availability is considered vital for anapplication to serve its objectives successfully. Approacheshave been designed to offer multiple paths in order toenhance the availability, resilience and reliability of thenetwork. However, the use of multiple paths introducesadditional security concerns since it makes data availableat multiple locations, giving more opportunities to

http://dx.doi.org/10.1016/j.comnet.2010.02.015

mailto:[email protected]



http://www.sciencedirect.com/science/journal/13891286

http://www.elsevier.com/locate/comnet

2216 E. Stavrou, A. Pitsillides / Computer Networks 54 (2010) 2215–2238

adversaries to compromise the data. Therefore, in sensitiveenvironments it is important to safeguard the networkfrom malicious activity in order to enhance and maintainthe availability and reliability of the network.

Currently, security issues in multipath routing have notbeen given enough attention, since most of the routingprotocols in WSNs have not been designed with securityrequirements in mind [1–8]. This research work focuseson reviewing security issues in the area of multipath rout-ing in WSNs. This paper provides a comprehensive reviewon secure multipath WSN routing protocols and contrib-utes in two areas:

– Human resources. A new threat model is defined that canbe used by an adversary to compromise the routing pro-cess. Know your enemies and what they can do is a valu-able knowledge to have. The threat model reveals thefactors that influence the design of secure multipathrouting protocols in WSNs. The insecurities identifiedon the core operation of any routing protocol will helpresearchers to address them in an efficient and effectiveway.

– WSN infrastructure. Existing solutions and open researchissues related to security issues are discussed, providinga better understanding of the area and its needs. Fur-thermore, a classification of representative multipathrouting protocols, based on their security-related opera-tional objective, is provided.

The remainder of the paper is structured as follows. Sec-tion 2 discusses related work. Section 3 provides an over-view of the security requirements needed in sensitiveapplications that use WSNs. Section 4 briefly describesthe need for security in multipath routing. Section 5 de-fines the threat model based on adversary’s objectivesand activities. Section 6 presents a representative numberof secure multipath routing protocols and discusses thetradeoff between secure multipath routing and energy effi-ciency. Section 7 discusses future directions and Section 8constitutes conclusions.

2. Related work

A number of state-of-the-art reviews exist today inWSNs, covering from broad to specific areas of interest.However, a comprehensive review on secure multipathrouting issues in WSNs appears to be missing.

In [9,10], the authors have performed a review of thedesign issues that affect the routing process in WSN andan extensive survey of WSN routing protocols; their classi-fication is based on the network’s structure and the proto-cols’ operation. Al-Obaisat and Braun [14] have reviewedwell-known WSN routing protocols, describing their de-sign goals, characteristics and challenges. The work in[12] classifies existing WSN routing protocols based on aset of criteria and selects routing protocols for differentapplication types. Akyildiz et al. [17,19] have provided abroad survey of WSN-related issues, focusing on an analy-sis of the protocols developed for each layer of the WSN’sprotocol stack. For the network layer, they discuss how

an energy-efficient route can be selected and also differentrouting schemes that have been proposed for the WSNs.

Although quite a number of WSN routing protocols areanalyzed in the aforementioned papers, extensive reviewof security issues has not been performed since most ofthe protocols have not been designed with securityrequirements in mind. However, the need for secure rout-ing in WSN applications has lead researchers to design se-cure routing protocols. Currently, some efforts forreviewing WSN secure routing protocols can be found inthe literature. However, these reviews neither focus on se-cure multipath routing issues nor cover a broad investiga-tion and classification of existing WSN secure multipathrouting protocols. For example, a comprehensive review[18] of the broader state-of-the-art in WSNs briefly dis-cusses a few representative routing approaches along twosecure routing protocols [20,21]. Wang et al. [11] overviewrouting protocols according to the network’s structure andalso discuss, to some extend, the broadcast authenticationproblem and provide a short reference to a few securerouting schemes [23,25,26]. The work in [13] also reviewsdifferent routing techniques and three security schemes[22–24]. Djenouri et al. [16], survey security issues in mo-bile ad hoc and sensor networks with a brief reference toWSN secure routing schemes [22,25]. Walters et al. [15]have conducted another survey on WSN-related securityissues and presented a few techniques for securing therouting protocols [22,27].

3. Security requirements in sensitive WSN applicationsand multipath routing support

Security requirements support the need to know whatwe are trying to protect. In the context of multipath rout-ing, all the classical security requirements needed in sin-gle-path routing still apply, but multipath routing alsocontributes to the establishment of these requirements,providing additional benefits and risks. Throughout the lit-erature, researchers analyze in their work the securityrequirements in WSNs and establish appropriate securitymechanisms to address these requirements. Usually, thesesecurity requirements are studied in the same sequence:confidentiality, integrity, authentication and availability[11,15,28–30]. A first thought is that the order in whichthese security requirements are studied is not important.However, the order that these requirements are addressedshould reflect the significance that researchers place onthem in achieving and supporting security. The securityrequirements specification should not be considered a triv-ial process, especially since every application has its ownsecurity needs and requirements and therefore may giveemphasis on different security aspects. Studying the secu-rity requirements based on their importance will permitresearchers to gain a better understanding of the securityaspects that they should focus on.

In this section, we do not just provide another overviewof security requirements. We argue that sensitive applica-tions that use WSNs place importance differently thanwhat constitutes the traditional security requirementschain. Furthermore, we discuss how multipath routing

E. Stavrou, A. Pitsillides / Computer Networks 54 (2010) 2215–2238 2217

contributes to the establishment of these securityrequirements.

Mission critical applications, such as healthcare andmilitary applications, must provide their services continu-ously to aid in critical decision making and support theiroperational objectives. If the services and flow of informa-tion is interrupted in any way, then observation and iden-tification of critical events, i.e., enemy tracking, heartattack incidents, etc., could not be possible and can evenjeopardize human lives. Furthermore, since these applica-tions use sensitive information, it is essential to protectthe information from unauthorized parties.

3.1. Availability–reliability–resiliency–self-healing

The most important security requirements in criticalWSNs applications are the availability–reliability–resil-iency–self-healing. Availability ensures that the servicesand information can be accessed at the time that theyare required. This means that the network has to providea reliable service, guaranteeing that data will be deliveredto the destination, even in the face of threats. Availability isalso interrelated to resiliency and self-healing require-ments. The network has to be resilient in order to tolerateattacks and continue offering its services uninterruptedly.In addition, if the network has a self-healing capability, itcan further promote the resiliency and availability of thenetwork. By self-healing, we mean the ability to recoverfrom security problems and even isolate the source ofthreat so that it stops jeopardizing the availability of thenetwork in future communications. These requirementsare placed at the higher rank of the security requirementschain because if sensor nodes get disabled or cannot ex-change packets, it does not matter what other securityrequirements have been established.

The use of single-path routing is highly susceptible tosecurity attacks that target to compromise the availability,reliability and resilience of the network. The adversary canbreak the communication by just compromising one ormore nodes along the utilized path. Since packets are sentover a single path, the destination may not receive themor use incorrect information to feed critical decision mak-ing. To recover from path failure, the route maintenancephase must be initiated to find new routes to the destina-tion that it does not include the problematic nodes (notethat the same logic applies for failing nodes). This is a timeconsuming and probably risky operation since a new routehas to be established to support a new communication pathbetween sensor nodes. This is unacceptable in mission-crit-ical applications that require continuous monitoring of theenvironment to support timely critical decision making.

The use of multipath routing can diminish the effect ofsecurity attacks that target the availability, reliability andresilience of the network. By transmitting data redun-dantly through multiple paths, the packets have a higherprobability to reach destination, even if some of the pathshave been compromised. In this way, packet reliability ispromoted. Furthermore, the existence of multiple routeswhen some of the paths fail to deliver packets ensures thatthe operation of the network is uninterrupted and decisionmaking can still be achieved based on the received infor-

mation. Therefore, the network supports a resilient opera-tion, even in the presence of adversaries. In addition to this,the discovery and use of multiple routes contributes to thetimely recovery of path failures. Having multiple or stand-by alternative routes allows a node to reroute packets to-wards the destination using other paths in case a pathfailure/compromization has been detected. Furthermore,the route error control packets can be forwarded overalternate paths increasing the packet delivery at the desti-nation and the timely initiation of the route maintenancephase, if required. Multipath promotes a self-healingbehavior that targets to maintain the operation of the net-work services by achieving timely path recovery. All thesesupport and maintain the availability of the network andthe provided services. The use of multiple paths can alsosupport the network’s availability by distributing the en-ergy consumption over different paths and achieving amore balanced network energy depletion. It can even pro-vide defense against denial of service attacks that try toachieve energy depletion by flooding malicious requestsin the network and turning communication links unavail-able. Therefore, multipath routing promotes the network’ssurvivability, and helps in prolonging its lifetime.

3.2. Authentication

Assuming that the data are available and travelling todestination, the next assurance we need is that thereceived data were really sent by a trusted node. Authenti-cation verifies the identity of the participants in a commu-nication, distinguishing in this way legitimate nodes fromintruders. We place authentication as the second mostimportant security requirement because even if the dataseem to retain their confidentiality and integrity, we needto be sure that a trusted node has sent the packet and not amalicious node that injected false data in the network.

In single-path routing, if authentication between twocommunicating nodes cannot be established or verifieddue to malicious activity or network problems, then theutilized path cannot be used to route packets from sourceto destination. The route maintenance phase must be ini-tialized in order to establish a new route and support pack-et exchange. However, in multipath routing this issue canbe easily overcomed. The adversary does not have knowl-edge of the way alterative paths are established and usedand therefore does not know which nodes to compromisein order to influence all available routes. If the authentica-tion fails in a specific path, alternative paths exist to per-form authentication between other nodes and establishcommunication.

3.3. Integrity – freshness

Having received the data and verified that the sender isa trusted node, focus should now be placed on verifyingthat the data have not been altered maliciously and areup-to-date. Sensitive applications such as pollution andhealthcare monitoring rely on the integrity of the informa-tion to function properly. If the received data are notaccurate, this will affect decision making and result inerroneous and even harmful decisions.


In single-path routing the packet integrity verification isperformed between neighboring nodes included in thespecified route or at the destination. If a modification hasbeen detected, the node acts according to the protocol inuse, e.g. it drops the packet and informs sender to resendthe packet. This causes delay to packet delivery that can af-fect the decision making process in case of an emergency.Multipath routing can overcome these problems and allowfor accurate and timely decision making. The use of alter-native paths allows to some extend the original packet toreach the destination, even though some of the pathsmay be affected and packets may be illegally modified.Furthermore, although the sink may receive old packets,it can receive the most recent packets through some otherpaths and therefore decide which data to use. In this way,multipath promotes the integrity and freshness of the re-ceived information.

3.4. Confidentiality

Confidentiality is required to ensure that sensitiveinformation is well protected and not revealed to unautho-rized third parties. At first, it may seem that protecting theconfidentiality is the most significant security require-ment. However, if we do not know if we can trust the sen-der or if we cannot verify that the data have not beenmaliciously altered, protection from eavesdropping be-comes less significant.

Usually, compromization of confidentiality means thatthe adversary has in his possession cryptographic materialthat allows him to intercept the communication. Multi-path routing is often combined with secret sharingcryptography [61,62] in order to reduce the likelihood ofeavesdropping attacks. In a ðT;NÞ threshold secret sharingscheme, a packet is split into N pieces, called shares, whichare sent to the destination over the alternative paths. Thedestination has to receive any of the T shares to recon-struct the original packet, otherwise it will not be able toderive the packet. With this scheme it is more difficultfor the adversary to compromise communication becausehe has to steal the appropriate shares over the differentpaths that are forwarded, in order to reproduce the origi-nal packets.

4. The need for security in multipath routing

Routing is the fundamental operation in WSNs thatfacilitates the establishment of communication links be-tween sensor nodes and the packet delivery. Most of thesecurity key areas such as secure data aggregation, securelocalization, intrusion detection, key management, etc.,rely on routing schemes to exchange data and supporttheir operation. Routing paths are usually establishedusing a single path between the source and destinationnodes. Although this scheme is well suited in WSNswhere resources are limited, failure of nodes along thepath would mean failure of the path and loss of data. Fur-thermore, compromizing the routing procedure can affectall other operations that rely on routing to provide theirservices. However, as discussed in the previous section,

loss of data is unacceptable in sensitive areas such as inmilitary and healthcare environments, where their mis-sion is highly depended on information. Therefore, avail-ability of data and reliability of communication are anecessity. Different approaches have been designed to of-fer multiple paths in order to enhance the availability,resilience and reliability of the network and aid in atimely critical decision making. Multiple paths face thesame vulnerabilities as in single-path routing. However,the use of multiple paths introduces additional securityconcerns that must be taken into consideration. For sensi-tive environments, it is equally important to safeguarddata from malicious activity as well as maintaining theavailability and reliability of the network. Therefore,securing the multipath routing process is a vital task toensure the successful operation of the routing tasks.However, prior to designing secure routing protocols,one has to understand the reasons that lead to the needfor security in the multipath routing process. Only thenresearchers will be able to address the appropriatesecurity requirements in their design. Below, we list anumber of the reasons:

– Data redundancy: Multipath routing introduces dataredundancy in the network when a redundant routingstrategy is adopted by forwarding the same packet overa number of alternative paths. With redundant routing,data are available at multiple locations giving moreopportunities to adversaries to intercept the informa-tion. Since many occurrences of a packet are traversingthe network, the adversary has a higher probability ofcompromising packets when attacking different nodes.This is unacceptable in sensitive applications, since ifcritical data is intercepted or modified it can potentiallycause damage to the application’s operation and evenendanger human lives.

– Routing attacks: Most routing protocols proposed inWSNs have not been designed with security require-ments in mind. A number of multipath schemes havebeen proposed to offer reliability of the communicationestablished in a WSN [1–8]. However, in a security con-text, this is not enough since an adversary may still com-promise any, or all, of the paths and access theinformation exchanged. A number of attacks have beenextensively analyzed in the literature [11,31–36] thatcan be launched against routing. In multipath routing,attacks can greatly affect the route discovery procedure[65] and give the opportunity to the adversary to controlthe alternative path establishment. Attacks can affectthe route discovery phase in different ways. A selectiveforward or a denial of service attack may prohibit thediscovery of all available paths and therefore controlthe network’s connectivity. A hello or sybil attack mayallow the adversary to participate in different routingpaths and in this way compromise data travelling overthe alternative paths. Even worse, the adversary canoverhear the communication between nodes and modifyrouting control packets affecting the discovery of alter-native paths and creating routing loops and dead ends.By having control over the routing operation, the adver-sary can bring down the entire network.


– Survivability: Since batteries are the main source ofenergy in WSNs [17], one of the main objectives isfor the network to function in an efficient way in orderto extend its lifetime as much as possible. This is evenmore important especially since WSNs can be imple-mented in remote or hostile locations, making infeasi-ble the monitoring and replacement of the batteries.Multipath itself incurs more energy consumption thansingle-path routing. An adversary can launch securityattacks in multipath routing protocols with the objec-tive of taking advantage of the path/packet recoverymechanisms implemented by the protocol in order toachieve a higher energy consumption. By attacking dif-ferent nodes and compromising integrity, droppingpackets, etc., the adversary forces recovery mechanismsto be initialized on the node/network in order to over-come the problem. When redundant routing is used,recovery can lead to increased energy consumption,for example, by resending the packet to all alternativepaths and increasing the communication between sen-sor nodes. By repeatedly launching the attacks, theadversary can succeed in draining the batteries of someof the sensors at a fast rate; this could lead to thedegradation of the routing process and the network’sperformance, and eventually result in the network’spartition, prohibiting the application from operatingsuccessfully.

All the aforementioned reasons lead to the conclusionthat securing the multipath routing process is of greatimportance. Prevention and recovery mechanisms shouldbe used to facilitate in the network’s fault tolerance andfurther support of its survivability. It is also essential to en-sure that all alternative paths have trusted nodes to for-ward packets, that an integrity violation is determined asearly as possible to avoid unnecessary communicationand that a security association scheme is adopted to con-fine damage to a local area in case cryptographic materialis compromised. Otherwise, potential modifications orother kind of misuse of the routing data could cause thenodes to become unavailable, the network to behave unex-pectedly and even cause the application to operate in aharmful way.

5. Threat model

The main approach in the literature towards the rout-ing threat model is focused in specifying the adversary’scapabilities according to the resources he has in his pos-session and whether he is an insider or outsider threat[11,16,31]. So far, no work has been performed in analyz-ing the adversary’s malicious activities towards each stepof the routing procedure. This analysis aims to define thethreat model that can be used to compromise the routingprotocol. The aim of the threat model is to specify theobjectives of the adversary and the strategies he mayuse to cause damage. Throughout this model, the insecu-rities of the actual routing process are identified so thatresearchers will be able to address them in an efficientand effective way.

5.1. Adversary’s objectives

One of the reasons, discussed in the previous section,that make security a need is the existence of attacks thatsomeone can launch against a WSN, and specificallyagainst routing [31]. Such an attack is usually launchedby an adversary for a reason. Therefore, it is very importantto investigate an adversary’s malicious objectives[28,32,39] towards the routing process in order to gain abetter understanding of his motives and what he is actu-ally trying to achieve. In this way, we can design an appro-priate security solution that will contain mechanisms tolimit potential damage or even prevent a security incidentfrom the early beginning. Below, we list some of the affectsof an attack:

– Network congestion: An adversary who steers traffictowards a specific area may overflow that part of thenetwork causing congestion at nodes. If nodes are notable to handle the extra traffic, they may drop packets.This situation may cause great loss and even delay indelivering packets, or even total network disruptiondue to node energy depletion. Dropping packets con-taining sensitive data, e.g. crypto keys, observation data,etc., at highly congested nodes may affect critical appli-cations that depend on the timely and reliable deliveryof the data. Furthermore, delays in the network canaffect protocols that use synchronization to function,disrupting the communication between nodes that arerequired to be synchronized.

– Route compromization: WSNs can be implemented inremote and even hostile environments, where theyoperate unattended for a long period of time. Sincephysical security cannot be established, an adversarycan capture a node and turn it into a malicious nodeor even introduce his own nodes into the network. Themalicious node can affect the routing process by modify-ing the routing paths. Compromising the routing pathscan also be done when the adversary eavesdrops onthe communication, and captures and modifies thepackets exchanged between nodes. These actions canlead to routing loops, construction of non-optimizedroutes, dead-end routes, inclusion of malicious nodeswithin routing paths, etc.

– Energy exhaustion: Energy is the main limitation inWSNs. Assuming that the batteries are the main sourceof energy, their replacement or recharging is often notpractical since sensors can be deployed in remote andunreachable locations. Energy consumption occurs dur-ing the communication and processing at a node. Theadversary targets to increase energy’s consumption, ata considerable rate, in order to drain the batteries anddisable the node from participating in the network. Inthe meantime, the adversary may have stolen the node’sidentity and sensitive data, e.g. crypto keys, impersonat-ing it and acting maliciously against the network.

– Network partitioning: The adversary tries to partition thenetwork mainly by jamming a certain area or by deplet-ing nodes’ energy, whose location is considered critical,e.g. they link different areas that otherwise would nothave been able to establish communication. By having


areas that are not monitored by sensor nodes, the adver-sary can act maliciously without been caught. The lattercan happen even if these areas are been monitored butobservations never arrive at the sink due to communica-tion problems.

– Routing database divergence: The adversary tries to pre-vent the routing protocol from converging to a stablestate. Having a malicious mobile node that movesaround the network and establishing communicationwith nodes, or having an adversary flooding the networkwith route discovery requests, will trigger the routingprocedure over and over again, creating more traffic,delays, instability of the routing tables, etc. All thesecould lead the network to collapse.

5.2. Attack strategies

Investigating the adversary’s objectives towards therouting process is not enough. One has to determine thestrategy an adversary may use to attack the routing proce-dure in a WSN. By doing so, we can gain knowledge on theinsights of an attack and also identify the components thatneed protection. Currently, no work has been performed inanalyzing the attack strategy that can be adopted by anadversary and used against the routing procedure. The ap-proach taken by Karlof and Wagner [31], where they pro-vide a detailed analysis of the insecurities found in themajor sensor network routing protocols, could be consid-ered the most representative security analysis. However,their work was in the context of the specific routing proto-cols they have studied. Our security analysis is more gen-eral, focused on the core operation of the routing process.The aim is to gain a better understanding of the dangersthat exist and motivate a fresh approach towards securingthe routing process.

We consider that an adversary that targets to disrupt therouting functionality has a clear view of what he is trying toachieve. To do so, he has to manipulate the actual function-ality of the routing protocol for his own benefit. His strategyis to attack any phase of the routing process in a way that hecan create an opportunity to act maliciously.

Following, we briefly state the attack strategies theadversary uses against each routing phase. Table 1 givesa more detailed analysis on the insecurities found in therouting process, listing the adversary’s activity and the rel-evant outcome.

Routing has three phases. Each phase has its own objec-tive and this is what the adversary tries to manipulate:

(1) Route discovery: At the beginning, when sensor nodesare deployed, the sink broadcasts a request to all thenodes. The nodes advertise their identity by sendingHELLO messages. Each node that receives a HELLOmessage, adds the node’s identity in its neighborhoodlist. After a specified time interval, the node sends aresponse packet to its neighboring nodes or/and thesink containing its neighborhood list. Depending onthe routing protocol, (a) various forwarding schemesmay be used, i.e., flooding, gossiping, etc. and (b)routing tables can be either computed locally at sen-

sor nodes or computed by the sink and sent to theappropriate sensor node. The objective is to discoverall the neighboring nodes in the network and con-struct the necessary routing tables to aid in the com-munication between sensor nodes. The adversary’sstrategy towards the route discovery phase is toaffect the construction of routing tables in a way thatthese tables are using incorrect information and per-mit the adversary to act maliciously. To do so, theadversary tries to add his own nodes in the network,and/or modifies or drops packets that contain neigh-borhood data in order to affect the path creation. Thismeans that the adversary can achieve a number ofoutcomes: he can be added in the routing tables,legitimate nodes do not get discovered or are consid-ered unavailable, constructed paths are not optimum,packets are sent to oblivion, etc.

(2) Data forwarding: We consider the data forwardingphase to be based on the application’s objectives.After the route discovery phase, we consider thatthe routing tables are established and the sensornodes can forward the actual observation data pack-ets from the source to the destination, using thepaths contained in the routing tables. The adver-sary’s strategy towards the data forwarding phaseis twofold; he wants to gain knowledge regardingthe environment status from the observation data,and he wants to compromise the observation datain a way that he can affect the application from ful-filling its objectives, i.e., enemy tracking, fire detec-tion, etc. Also, by compromizing the data packetsthe adversary can cover his own malicious activities.This can be achieved by sending data packets toshow that the environment’s status is normal, whilecompromizing the packets that indicate a criticalstatus change. His strategy can be further supportedif he succeeds in excluding functional nodes or add-ing unavailable nodes in the routing tables that areconstructed in the previous phase. In this way, a por-tion of the network is not been monitored by thesensor network, giving the opportunity to the adver-sary to act maliciously and not get caught.

(3) Route maintenance: A sensor node may be unavail-able for a number of reasons, e.g. battery exhaustion,sleep mode, denial of service (DoS) attack, etc. Whena node detects a change in one of its neighbors it canact using two approaches. One option is to take alocal decision and decide on a recovery action, e.g.bypass node. The second option is to propagate anupdate packet through the network to notify the restof the nodes and the sink of the change, indicating apotential problem on a specific area. When the sinkreceives the update packet, it will decide on a recov-ery action and inform sensors what actions should betaken. Furthermore, the sink can initiate the routediscovery phase to find a new path in order to reroutepackets around the problematic nodes. The sink itselfcan also initiate the route maintenance phase, at spe-cific time intervals, by broadcasting an appropriaterequest packet. The nodes respond to the sink withan appropriate respond update packet. An adversary

Table 1Threat model and its effect on the network.

Routing process Adversary’s activity Type of packets affected Outcome

Route discovery (i) Masquerade as the BS and broadcastroute discovery requests at a frequentrate

Route discovery request/responsepackets, HELLO packets, routingtables packets

(i) Initiate the route discovery phaseunnecessarily

(ii) Convince sensors that he is theirneighbor

(ii) More traffic travelling the network

(iii) Advertise that he is at multiplelocations at the same time

(iii) Energy consumption

(iv) Eavesdrop when nodes exchangetheir neighbor lists

(iv) Congestion at links

(v) Modify and then forward receivedneighboring lists (remove, add, changeentries)

(v) Addition of adversary in neighboringlists

(vi) Replay old route discovery repliesfrom sensor nodes

(vi) Addition of phantom nodes inneighboring lists

(vii) Masquerade as sensor nodes thatcurrently are not available to the network

(vii) Addition of unavailable sensor nodesin neighboring lists

(viii) Jam sensor nodes whenbroadcasting HELLO messages

(viii) Neighboring nodes are notdiscovered

(ix) Masquerade as the BS and sendmodified routing tables to sensor nodes

(ix) Neighboring nodes are not added inneighboring lists

(x) Change routing tables in a way thatspecific nodes are used at a frequent rate

(x) Construction of inaccurate routingtables(xi) Incomplete view of network topology(xii) Packets are lost(xiii) Sensor nodes do not monitor theentire environment(xiv) Functional nodes are excluded fromthe network

Data forwarding (i) Eavesdrop the observations committedby sensor nodes

Data/observation packets (i) Flooding of unnecessary packets

(ii) Modify and forward observations (ii) Energy consumption(iii) Replay old observations (iii) Packets are sent to oblivious(iv) Replay old routing tables (iv) Network congestion

(v) Malicious activity at the environmentis not identified(vi) False alarms are triggered,unnecessarily consuming resources(vii) Deplete the energy of sensor nodesthat participate at links with a frequentrate(viii) Unequal depletion of energy(ix) Partitioning of the network(x) Erroneous decisions taken based onobservations(xi) Application does not fulfill itsobjectives

Routemaintenance

(i) Masquerade as the BS and send routemaintenance requests at a frequent rate

Route maintenance requests/response packets, update packets

(i) Initiate the route maintenance phaseunnecessarily

(ii) Eavesdrop on the communication (ii) More traffic travelling the network(iii) Modify route maintenance requestand response packets

(iii) Energy consumption

(iv) Deceive nodes in accepting andforwarding malicious update packets

(iv) Congestion at links

(v) Replay old route maintenancerequests

(v) Unstable routing tables

(vi) Replay old route maintenanceresponses

(vi) Mark legitimate nodes as malicious

(vii) Jam sensors, prohibiting them fromcommunicating with other sensors

(vii) Functional nodes are excluded fromthe network(viii) Partitioning of the network(ix) Force recalculation of routing tables(x) Addition of unavailable nodes inrouting tables(xi) Route maintenance requests are notreceived



can use a strategy that will further support his activ-ities in the previous phases, that is to affect the cor-rect construction of the updated routing tables. Todo so, the adversary tries to stop the request/respondpackets from propagating in the network or modifiesthe update packets to indicate that functional nodesare problematic. This means that the constructedrouting tables do not represent the correct topologi-cal status of the network and that critical changesmay not get delivered to the intended destinations.For example, functional nodes are excluded fromthe construction of the communication paths,unavailable nodes are still considered in the newrouting tables, etc. All these leave the network in avulnerable position and create an opportunity forthe adversary to succeed with his malicious plan.

The route discovery and maintenance phases are costlyoperations in terms of resource consumption and shouldbe initiated only when required. The challenge in the routediscovery/maintenance phase is to manage to constructnew alternative paths in order to maintain the network’sconnectivity and operation. However, such result is notguaranteed given that a WSN is a dynamic environmentand therefore it would be very useful if a node had an indi-cation of the existence of new paths before initiating acostly operation. Cheng et al. [81] have proposed a frame-work for multipath maintenance where they identify theconditions needed for alternative paths to be recoveredwhen the provided node-disjoint paths are broken. Theirresearch work is useful for route recovery, allows nodesto verify if a new route exists or not and guides for noderelocation or indicates the need for new sensors deploy-ment in order to reconstruct new alternative paths.

Table 1 indicates the adversary’s actions that can be ta-ken at each routing phase, identifies the packets that canbe affected, and the relevant outcome. Researchers canuse the table to gain a better understanding of the risksthat exist in the routing process so they can appropriatelyaddress them in their protocol design.

6. Secure multipath routing protocols in WSNs

In this section, we survey the state-of-the-art of securemultipath routing protocols in WSNs and propose a taxon-omy based on the protocols security operational objective(Fig. 1). To the best of our knowledge, this is the first at-tempt to categorize the state-of-the-art protocols in thearea of secure multipath routing in WSNs. Furthermore,we present the evaluation approach taken by researchersto assess their protocols and discuss the tradeoff betweensecure multipath routing and energy efficiency. Note thatonly a representative sample of multipath routing paperscould be included in the review.

6.1. Taxonomy

Secure multipath routing protocols in WSNs can be di-vided into three categories based on the security-relatedoperational objective they serve: the multipath routing

protection only, the attack-specific, and the security opera-tions support categories. In multipath routing protectiononly protocols, the objective is to support a secure and reli-able communication in WSNs. The protocols just imple-ment mechanisms to protect the multipath procedure andthe data forwarding phase. In the attack-specific category,the protocols use security mechanisms to detect and re-cover from specific attacks. The alternative paths can beeither used to support attack identification or enhance theoverall security and reliability of the network. In the secu-rity operations support category, the protocols use securitymechanisms and alternative paths to support the function-ality of other security areas in WSNs. Each of the aforemen-tioned categories implements an appropriate securityapproach to support the objectives of its protocols. We haveidentified three security implementation approaches usedby the protocols, the prevention, the intrusion detectionand the hybrid approach. The prevention approach imple-ments mechanisms to safeguard the authentication, integ-rity, confidentiality and freshness of the communicationestablished between sensor nodes. The protocols that adoptintrusion detection techniques aim in detecting, bypassingor isolating malicious nodes before they affect the entirenetwork and in this way maintain the network’s availabil-ity, reliability and resilience. The hybrid approach inte-grates both prevention and intrusion detection techniquesin order to prevent adversaries from launching attacksand also to detect and isolate malicious nodes so they willstop threatening the network. Fig. 1 presents the classifica-tion of secure multipath routing protocols in WSNs basedon their purpose and also lists the underlying security tech-nique they use. Researchers that are interested in designingtheir own security protocol or using an existing one canconsult the figure to guide them in choosing the set of pro-tocols that could be referenced for further study and inves-tigation. To do so, researchers need to answer twoquestions. Answering the question ‘‘what is the purposeof using/designing a secure multipath routing protocol?”will indicate which category to follow (multipath routingprotection only, attack-specific or security operations sup-port). Then, by answering ‘‘what security objectives mustbe supported by the protocol?” one can choose the securitytechnique (prevention, intrusion detection or hybrid) thatshould be adopted to support the protocols purpose. Table2 provides a comparison of the protocols based on the secu-rity requirements they support. Tables 3 and 4 compare theprotocols according to the attacks they address. We shouldtake into consideration that although a protocol may ad-dress specific security requirements and attacks, that doesnot mean that it entirely defeats these attacks. For theseprotocols, we can consider that they address attacks in away that their impact is minimized. The tables also showthe trends on the approach followed by each routing proto-col related to the security requirements and attack aspects.This will be further discussed in Section 7 that constitutesopen issues and future directions.

6.1.1. Multipath routing protection onlySEIF [40] is a secure and efficient intrusion-fault toler-

ant routing protocol for WSNs. The protocol constructsnode-disjoint paths using a variation of the branch-aware

Fig. 1. Taxonomy of secure multipath routing protocols in WSNs.

Table 2Protocols comparison based on security requirements.

Security requirements addressedby the protocol

Authentication Integrity Confidentiality Freshness Accountability Reliability Self-healing

SEIF [40]p p p p

GoodMVMP [41]

p p pGood

p

INSENS [43]p p p p

LimitedDeng et al. [44]

p p p pMedium

JERT [56]p p

Goodp

Ling and Znati [57]p p p

Goodp

Chan et al. [59]p

GoodSEER [45,76]

pMedium

H-SPREAD [46]p p p

Goodp

PRSA [60]p

Mediump

SeRINS [47]p p p p p

Mediump

Lee and Choi [49]p p p

Mediump

Abu-Ghazaleh et al. [50]p p p p

Mediump

Zhang et al. [51]p p p p

Mediump

Ramaswami and Upadhyaya [53]p

Mediump

Song et al. [54]p

Goodp

Zhao and Delgado-Frias [68] Limitedp

ESRS [71]p p p p

N/Ap

Lu et al. [73]p

LimitedSAODV-MAP [77]

p p p p pMedium

SecMR [65]p p p p

VariableLee et al. [82,83]

p pGood

Chen and Leneutre [88]p p

GoodSELDA [97]

p pMedium


flooding. The scheme allows the construction of additionalalternative paths starting at the 2-hops neighbors of thesink node instead of the actual sink neighbors’ level. Eachnode considers new disjoint paths that come from nodesin different sub-branches. The routing tables are con-structed locally by each sensor, without the need to de-pend on the sink. A node chooses randomly a pathamong the discovered alternative paths to forward data.In this way, it avoids to use the same path, if the path iscompromised. Regarding security features, a set of one-way hash chains is used to authenticate messages fromthe sink and communication within a sub-branch. Further-more, each node establishes a broadcasting key to commu-

nicate securely with its neighboring nodes. The protocoldoes not address a number of attacks. If an adversary cap-tures a sensor he can find out about the cryptographic datathat are stored on the sensor and use it to compromise thenetwork’s confidentiality. Furthermore, he can launch theselective forward attack to affect the topology construc-tion. Path construction can also be compromised by a pow-erful adversary that combines a DoS and wormhole/sinkhole attacks, making distant sensors believe that theyare neighbors by just relaying packets between them. Bylaunching a rushing attack during the tree constructionphase, a node can consider its parent to be a far-reachingsensor. When the sensor will send packets though this

Table 3Protocols comparison based on security attacks, considering mostly outside adversaries.

Security attacks addressed by the protocol Eavesdrop Altering Rushing Replayed DoS Node capturing

SEIF [40]p p p

MVMP [41]p p

N/AINSENS [43]

p p p p

Deng et al. [44]p p p p

JERT [56]p p

N/ALing and Znati [57]

p pN/A

Chan et al. [59]p

N/ASEER [45,76]

p

H-SPREAD [46]p p p

PRSA [60]SeRINS [47]

p p p

Lee and Choi [49]p p p

Abu-Ghazaleh et al. [50]p p p

Zhang et al. [51]p p p

Ramaswami and Upadhyaya [53]Song et al. [54]Zhao and Delgado-Frias [68]ESRS [71]

p p p p

Lu et al. [73]p

SAODV-MAP [77]p p p p p

SecMR [65]p p p

Lee et al. [82,83]p p

Chen and Leneutre [88]p p

SELDA [97]p

Note: N/A means that there is not enough information to decide if the attack is addressed by the protocol.

Table 4Protocols comparison based on security attacks, considering mostly inside adversaries.

Security attacks addressed by the protocol Selective forward Sinkhole Sybil Wormhole Hello

SEIF [40]p p

MVMP [41] N/A N/A N/A N/AINSENS [43]

p p

Deng et al. [44]JERT [56] N/A N/A N/A N/ALing and Znati [57] N/A N/A N/A N/AChan et al. [59] N/A N/A N/A N/ASEER [45,76]

p p

H-SPREAD [46]PRSA [60]SeRINS [47]

p p

Lee and Choi [49]p p p p

Abu-Ghazaleh et al. [50]p p p p p

Zhang et al. [51] N/A N/A N/A N/ARamaswami and Upadhyaya [53]

p

Song et al. [54]p p

Zhao and Delgado-Frias [68]p

ESRS [71]p p

Lu et al. [73]SAODV-MAP [77]

p p p

SecMR [65]p p

Lee et al. [82,83]Chen and Leneutre [88]SELDA [97]

p

Note: N/A means that there is not enough information to decide if the attack is addressed by the protocol.


parent, the communication will be broken since theycannot actually hear each other.

Ma et al. [41] proposed a secure, multiversion, multi-path protocol called MVMP. The protocol’s objective is tooffer a secure and reliable data communication in WSNs.The protocol consists of four phases. First, the data packetsare divided into groups. Then, each group is encrypted

using different symmetric and asymmetric cryptographicalgorithms. The encrypted packets are reorganized into k-packet blocks and the RS ðn; kÞ coding [42] is applied, pro-ducing an n-packet RS codeword for each k-packet block.Each codeword is transmitted to the destination usingmultiple disjoint paths. Packets from the same codewordare transmitted though different paths in order to enhance


the security of the protocol. The authors assumed that themultiple paths have been established before the datatransmission. At the receiver, the encrypted block will bereconstructed if, at least, k packets are received. Theauthentication and integrity checks are applied basedagain on different algorithms, and if successful, the recei-ver can decrypt the original packet. The protocol does notaddress resource consumption attacks, i.e., DoS, replayedattack, and physical node capture attacks. An adversarythat captures a sensor can launch the selective forward at-tack or even steal cryptographic material that is stored onthe node and inject spurious packets in the network. Theadversary can compromise the communication if he inter-cepts k out of n packets in the codeword over the differentpaths and he is aware of all the encryption algorithms sup-ported by the specific transmission. Assuming that theadversary does not have any knowledge of the routingstrategy used by the protocol, he will not know whichpackets he needs to compromise over the different pathsto reconstruct the original message. To be able to recon-struct the original message he has to be able to make allpossible packet combinations which is a resource demand-ing task and therefore he has to have the means to be suc-cessful, e.g. be a powerful adversary.

INSENS [43] is an intrusion-tolerant routing protocol forWSNs. Its philosophy is that although a malicious node cancompromise a small number of nodes in its vicinity, it can-not cause widespread damage in the network. To achievethis objective, the authors have defined a set of high-leveldesign principles. They address the DoS flooding attacks byallowing only the base station (BS) to broadcast in the net-work and by having sensor nodes dropping duplicate mes-sages. Taking into consideration the resource-constrainednature of nodes, INSENS uses symmetric cryptography toprovide confidentiality, integrity and authentication, lever-aging the approach used in SPINS [25]. Each node shares asecret key only with the BS and not with any other nodes.Furthermore, the routing tables are calculated by the sinkand disseminated to the sensors. The protocol constructstwo alternative disjoint paths between each sensor nodeand the sink. Each message sent from a source to a destina-tion is sent multiple times through each alternative path.The one-way hash chain proposed in mTesla [25] is usedto authenticate messages sent by the BS and appropriateMAC mechanisms are implemented to verify the integrityof the packets. The protocol consists of three phases. First,the BS broadcasts a request message. Then, it collects thetopology information from the sensors. Third, it computesand forwards the routing tables to each node. During theroute discovery phase, an adversary can launch a rushingattack with a modified request message or can selectivelydrop packets. The damage of these attacks is confined toa localized portion of the network. The second phase ofthe protocol is subject to a number of attacks such as theDoS, selectively forwarding feedback messages, and modi-fying the neighborhood information of nodes. Again, theseattacks can only affect a local area but cannot compromisethe entire network. However, although INSENS localizesthe damage caused by an adversary, it still suffers fromdrawbacks. Since the topology implemented is not prede-fined, there are cases, i.e., random topologies where only

one path can be computed from a node to the sink, con-tradicting the philosophy of the protocol to build multi-path routing to address the problem of compromisednodes.

Deng et al. [44] have investigated how to use a securemultipath routing scheme in order to enhance the intru-sion tolerance capabilities of a WSN against attacks thattarget the isolation of the base station. The protocol con-siders a number of base stations and constructs a path toeach destination BS from each sensor node using a floodingapproach. To avoid having an adversary masquerading as aBS, the authors use a different one-way hash chain toauthenticate requests made by each BS. Furthermore, toaddress the rushing attack, the sensors use an echo-backscheme to establish communication only with neighboringnodes that are within their transmitting range. However,the echo-back scheme does not entirely prevent the rush-ing attack from happening. The adversary is assumed toonly have a certain transmission range, thus he can affectsensors in its vicinity and the damage is localized. Ofcourse, the damage can be greater if a number of adversar-ies move around the network launching the rushing attackand breaking connectivity between sensor nodes. Commu-nication is secured by establishing pair-wise keys betweenneighboring nodes. The pair-wise key setup is performedusing a global key. Authors also propose that each sensornode uses the pair-wise keys established with its neigh-bors to set up a cluster key and encrypt the data packets.However, if the adversary captures a node and gets the glo-bal key before the key setup is finished, he can obtain thepair-wise keys within its vicinity. Furthermore, the adver-sary can launch a selective forward attack and drop REQpackets, prohibiting nodes from discovering their parentnode and therefore breaking the communication. In addi-tion, the maintenance phase suffers from a significantdrawback. If a new node is added in the network, it willuse the echo-back scheme to identify its verified neighbors.However, if the adversary gets the global key he can launchthe HELLO and sybil attacks, establishing pair-wise andcluster keys with the sensors in his vicinity.

Nasser and Chen have proposed a secure and energy-efficient multipath routing protocol [45,76] where the sinkcomputes the alternative paths to reach each node andperiodically selects a new path (among the set of multi-paths) which consumes the minimum sum of energy toroute the packet from the source to destination node. Theprotocol constructs both disjoint and braided paths usinga modification of the Breadth First Search algorithm. Theauthors state that its security features comes from the pro-tocol’s ability to protect the network from attacks that at-tract traffic by advertising high quality routes to the sinknode. Since the sink is the one that decides on the routeselection, attacks such as the sinkhole and wormhole areno longer applicable. Furthermore, the authors argue thatthe effect of a selective forward attack is minimized be-cause (1) this attack is most effective when the attackeris explicitly included on the routing path, (2) the sink deci-des on the selection of the routing path and (3) each packetincludes a sequence number that allows a sensor to iden-tify if a node is dropping packets. However, the securityfeatures implemented are not adequate. Although the


authors mention that simple link layer encryption andauthentication can be used to protect against a numberof attacks, the protocol does not implement any. Thismeans that an adversary is able to eavesdrop and alterpackets, affecting the routing path construction, even addbogus nodes in the network. In addition, if an adversarycaptures a set of nodes he increases the chance to be inthe path selected by the sink and drop packets. And evenif a sequence number is used to identify the maliciousnodes that selectively drop packets, the protocol does nottake any further actions, for example to isolate the mali-cious nodes. Furthermore, although the scheme addressesthe replayed attack by having each packet identified by aunique sequence number to be transmitted only once, italso creates a vulnerability. The adversary can effectivelylaunch a combined rushing and wormhole attack duringthe neighbor discovery phase and convince remote sensorsthat are neighbors and add each other in their list. Whenthe sink decides on the routing paths, packets will be for-warded to oblivion.

H-SPREAD [46] protocol is proposed in order to improvethe security and reliability of the communication in a WSN.The protocol extends a previous work of the authors [72]called SPREAD that was proposed to enhance the data con-fidentiality in mobile ad hoc networks by using an end-to-end multipath traffic dispersion. In SPREAD, authors haveconsidered the multipath discovery procedure between asingle source–destination pair. In H-SPREAD they considerthe multiple-to-one communication pattern of WSNs. H-SPREAD protocol uses the threshold secret sharing schemeðT;NÞ to split a message into N pieces, called shares. Eachshare is then forwarded by a source node to a differentpath towards the sink, where the original packet is recon-structed if at least T shares are received. H-SPREAD discov-ers multiple disjoint paths in two phases. During phaseone, the branch-aware flooding protocol is used to find aset of node-disjoint paths. Nodes tag their neighbors as achild, sibling or cousin, based on the branch that the nodeis located. Sensors found on a different tree branch form analternative disjoint path. Phase one is achieved without theneed to introduce any extra routing messages. In phasetwo, authors use an extension of flooding in order to over-come the limitation of the branch-aware flooding that dis-covers extra paths at nodes that only have cousinneighbors. In order to maximize the number of disjointpaths, each node propagates its paths discovered in phaseone to its parent, siblings and cousins. This is establishedwith additional routing messages. Authors also use an ac-tive per-hop packet salvaging strategy to improve the reli-ability of each path so that a packet will have a greaterchance to be delivered to the sink. If a node detects thata packet is not successfully transmitted to the next hop,the sender forwards the packet through another path in-stead of dropping it. Authors address security in terms ofresilience against node capture, meaning that the compr-omization of a small number of paths will not result inthe message compromization when malicious nodes arepresent. However, this is not enough to provide a high-le-vel of protection to the network. A number of attacks canbe launched disabling the sensor nodes. An adversary canlaunch a DoS attack to prohibit nodes from discovering

the alternative paths. He can even introduce his own mali-cious nodes or capture legitimate nodes launching theselective forwarding attack or a combination of the worm-hole/sinkhole/rushing attacks with the objective of affect-ing the construction of the routing paths. Furthermore,without any authentication mechanisms, the adversarycan masquerade as the sink node and become the destina-tion of all traffic in the network.

Lu et al. [73] have proposed a secure multipath routingprotocol in sensor networks using random network codingin directed diffusion routing [74] to protect data fromeavesdropping attacks. They construct alternative routesbetween a source node and the sink to forward codedpackets and identify the maximum data flow that can beestablished per time unit. Although network coding canprohibit eavesdropping the protocol is still vulnerable[75] since the adversaries can launch a number of attacksto compromise the routing protocol and the packet codingoperation. Attacks such as the selective forward, the sybil,hello, insertion of bogus routing information and worm-hole/sinkhole attacks can affect the operation of the direc-ted diffusion and the construction of the alternative paths.Furthermore, by dropping or altering transmitted codedpackets the adversary can affect the coding and decodingoperation, prohibiting the reconstruction of the originaldata flows.

Lee et al. [82,83] have proposed a secure multipathrouting solution to address the problem of how to choosesecure and reliable paths in order to minimize the maxi-mum damage that can be caused by a single-link attack,e.g. minimize data compromization. Furthermore, authorsinvestigate how to achieve a desired throughput rate withthe provisioned network bandwidth and therefore main-tain the network’s performance. The proposed protocol as-sumes that an appropriate mechanism exists to reliablydeliver data such as a threshold secret sharing scheme[72] and defines two algorithms, the Bound-control andthe Lex-control, to identify the alternative paths that canmaximize the packet security and reliability. The Bound-control algorithm formulates the solution as a maximum-flow problem using the Preflow-Push algorithm [84] tosolve it. Its objective is to minimize the maximumthroughput loss when a link is attacked. Authors extendthe Bound-control algorithm to the Lex-control algorithmto provide resilience against link attacks that are severebut do not cause the worst damage. Authors define as‘‘severe” an attack with at least 25% cost of the worst case.The Lex-control algorithm achieves its objectives by for-mulating its solution as a lexicographic-optimization prob-lem [85] and distributing the link attack cost evenly amongthe network links. The protocol works well to diminish thedamage brought by single or multiple link attacks. How-ever, the protocol focuses on proactive protection basedon attack history. This means that new attack patternsare not taken into consideration and the adversary cancause damage to the network. Depending on the networkconditions and attack frequencies, the alternative pathsshould be updated accordingly to maintain packet reliabil-ity. Authors state that a possible solution is to restart thealgorithms or adopt the self-stabilizing solutions in[86,87]. Furthermore, although a data recovery mechanism


is assumed [72], the reliability level achieved by the proto-col is highly depended on the implemented mechanism,e.g. the defined threshold of received packets. Furtherinvestigation and implementation considerations are leftas a future work.

Chen and Leneutre [88] have also investigated how toselect secure and reliable node-disjoint paths in order tominimize the worst-case security risk which they defineas the percentage of packets captured by the adversary.Authors formulate the problem as a minimaximizationproblem and employ game theory to solve and analyze it.The solution assumes link reliability history in its computa-tions. Furthermore, the authors extend the proposed solu-tion in order to maximize the worst-case packet deliveryratio while limiting the worst-case security risk in orderto achieve a trade-off between security and performance.The protocol focuses on the worst-case attack scenariosassuming powerful attackers. The evaluation shows thatthe proposed solutions achieve the design objective of pro-viding the best security and/or performance in the worst-case scenarios. As discussed previously in [82,83], it isimportant to update the utilized multiple paths frequently,in order to take into consideration new attack patterns andrecompute the most reliable and secure routes.

SecMR [65] is an on-demand secure multipath routingprotocol that provides resilience against collaboratingmalicious nodes. The security of the protocol is mainlybased on neighborhood node authentication using an Ellip-tic Curve Cryptosystem (ECC) [89]. Although public keycryptography is costly in terms of the WSNs, studies haveshown that ECC is viable in WSNs [79,80,90,91]. Nodes dig-itally sign messages during the neighborhood authentica-tion phase to allow neighbor nodes to verify theiridentity. In the route discovery phase, a node will processa route request query if the sending node (a) is listed inthe next hop list that contains possible next hop nodes ofa particular route query, (b) it does not already belong tothe route list which is the list of intermediate nodes thatparticipate in the routing path and (c) it is not includedin the exclude list that contains the nodes that are not al-lowed to participate in the current route request query.These lists are included in the route request query andare updated accordingly by each node. Furthermore, thesource node that initiated the query includes in the packetan encrypted symmetric key to be shared with the sink anda keyed hash value in order to allow the sink to verify thepackets integrity. The sink computes the maximum set ofnode-disjoint paths up to a given number of hops andbroadcasts a route reply message with the paths and theassociated hash value to the source node. The source nodeuses a number of multipath routing strategies. It can usethe shortest path and if the path is broken then use analternative route. Or it can use all discovered routing pathstowards the destination. Another option is to use a hybridapproach. In the maintenance phase the error messages aresigned by the sending node in order to prohibit adversariesfrom flooding the network with fake error messages.Although the protocol defends against a number of attacks,such as spoofing, eavesdropping, altering, and helloattacks, it is vulnerable to the selective forward attack thatcan prohibit the discovery of all neighbor nodes.

Furthermore, if the adversary compromises nodes he canlaunch a combination of the wormhole and sinkhole at-tacks in order to manipulate the use of the routing lists in-cluded in the route request query and trick the sink tocompute erroneous paths. In addition to this, an adversarycan manipulate the end-to-end integrity control by modi-fying a number of messages which will have to travel totheir destination to discover that they have been altered.This means that energy is wasted due to the fact that integ-rity violations are not detected as soon as possible and themaliciously modified packet is still forwarded todestination.

6.1.2. Attack-specificLee and Choi have proposed a secure alternate path

routing protocol for WSNs, called SeRINS[47]. The protocoladdresses the selective forwarding attack and detects andisolates the malicious nodes that advertise inconsistentrouting information by having a neighbor report system.When a node advertises inconsistent information, itsneighbor nodes report its identity to the base station. Then,the base station informs the entire network so that sensornodes will revoke the associated keys and exclude themalicious node from the network. The protocol considersa tree-based connectivity, where each node maintainsmultiple parent nodes in the routing tree and forwardspackets through alternative paths to one of its parentnodes in a round-robin manner. In this way, packets fromdescendent nodes of a compromised node have an oppor-tunity to bypass the node that selectively drops them.The network establishes a new routing topology at everyround. In SERINS, the communication is established usingsymmetric cryptography; the base station shares a uniquesecret key with every node in the network and also eachpair of neighboring nodes establishes a unique secret keyin order to establish a secure communication. Further-more, a one-way hash chain is used in order for the sensornodes to authenticate that the route discovery requests areindeed initiated from the base station. Sensor nodes com-munication is authenticated using the ARMS [48].Although the protocol addresses the selective forward at-tack through the usage of alternative paths, it does not en-tirely defeat the attack. The proposed alternate pathscheme does not detect malicious nodes that launch selec-tive forwards attacks. It just implements a round-robinrouting strategy considering that it provides an opportu-nity to nodes to bypass the (undetected) malicious nodesthat drop packets. However, since a malicious node is notdetected and isolated from the network, it still has theopportunity to participate in the communication when se-lected by the routing strategy. Furthermore, a maliciousnode can launch a combination of attacks including DoS,sybil, wormhole and rushing attacks and affect the pathconstruction.

Lee and Choi have also designed another scheme [49]using the concept of a neighbor watch system (NWS) to de-tect maliciously packet dropping nodes in sensor networks.The idea of the NWS is to check if the neighbor of a nodehas really forwarded the relaying packet to its neighbor.This means that decisions are taken locally by sensor nodeswithout referring to the sink. The protocol starts by


considering single-path routing and converts into multi-path at the location where a misbehavior is detected. Toprotect the communication LEAP [34] is used. Furthermore,authors extend the neighbor discovery in LEAP in order toidentify both neighboring nodes and also their respectiveneighbors. Neighboring nodes certify their relationship bygenerating an appropriate MAC that acts as a certificatewhere node u certifies node v to be its direct neighborand vice versa. This procedure is established within thetime limit Tmin. If node u transmits its neighbor list withinTmin, each receiving node accepts the list as valid. Eachnode stores the certificates of its neighbors and the associ-ated verified neighbor list in a neighbor table. Nodes thatare added in the network after the Tmin follow a similarapproach to verify their neighbor list. A relaying packet isencrypted with the cluster key of the forwarding node toavoid eavesdropping and also each node uses a one-waykey chain to establish broadcast authentication. Althoughthe paper addresses maliciously packet dropping activity,it does not prohibit adversaries from launching DoS at-tacks. A DoS attack can enforce packet dropping at differ-ent nodes so that it manipulates the proposed NWS andmultipath is established over single path, consuming nodesresources and decreasing the network’s lifetime. Further-more, replaying old packets at a frequent rate can also re-sult in great energy consumption, affecting network’sconnectivity and survivability. Although the scheme canidentify a misbehaving node, it bypasses the node by turn-ing into multipath. However, it does not take any other ac-tion to prohibit future communication with other nodes.Authors also proposed a neighbor list verification schemethat can be manipulated by an adversary. If the adversarycompromises sensor nodes, he can perform malicious ac-tions. He can steal all information stored on sensor, e.g.encryption keys, certificates, neighbor lists, etc. However,damage is localized because each node has establishedpairwise keys with its neighbors and thus cannot cause awidespread damage. Furthermore, the adversary can usethe compromised nodes to launch a man-in-the-middle at-tack and deceive newly-added nodes to consider nodes asits direct neighbors and create an opportunity to deceivethe NWS. In addition to that, the adversary can trick exist-ing nodes to believe that the newly-added node is a directneighbor of a compromised node, although this is not valid.However, the adversary has to discover newly-addednodes in order to be able to launch the man-in-the-middleattack. Since the adversary does not know their location apriori, this can make it difficult for him to manipulate thenodes.

Abu-Ghazaleh et al. [50] have considered the security ofgeographic routing through the design of a resilient schemebased on probabilistic multipath routing and trust manage-ment in order to overcome the selective forwarding attack.The protocol uses public key cryptography to prevent anadversary from impersonating a legitimate node or access-ing the packet’s content. Once a route from the source to thedestination node is established, the two ends agree on asession key in order to avoid extra resource consumptiondue to asymmetric cryptography. Furthermore, authorspropose a location verification scheme to address attackssuch as the sybil and sinkhole attacks. The proposed proto-

col uses multipath to increase the packet delivery ratio incase of attacks and trust management to identify maliciousnodes and exclude them from the network. Each node holdsa routing table with its neighboring nodes and an associ-ated trust value for each of these nodes. Each time a neigh-boring node forwards the relaying packet towards thedestination, its trust level is increased otherwise it is de-creased. If a node falls under a trust level threshold, it is ex-cluded from its neighbors’ routing tables. A nodeprobabilistically selects k neighbors, verifying that theirtrust level is greater than or equal to the specified thresh-old, to which it will forward the packet. Although the pro-tocol can bypass malicious nodes, it does not address anumber of attacks. If adversary frequently launches a DoSattack prohibiting the ACK packet exchange or the datapacket delivery, the legitimate nodes trustworthiness levelcan be affected and decreased below the threshold. Thismeans that these nodes will be excluded from thenetwork and can break the network’s connectivity.Furthermore, an adversary can replay packets creating con-gestion in the network and depleting nodes’ batteries. Also,if the adversary captures sensor nodes, he can steal crypto-graphic material and eavesdrop on the communication.

Zhang et al. [51] proposed the interleaved authentica-tion scheme in braided multipath networks that filtersfalse reports injected by malicious nodes. By identifyingthe false reports early in the communication, sensor re-sources such as energy are not wasted, promoting net-work’s survivability. Authors extend the IHA scheme [52]to associate nodes in a multipath network by having eachnode authenticating the MAC generated by its associatedpair. The main idea is to have each node establishingMAC keys with its upstream and downstream associatednodes that are (t + 1) hops away towards the sink and thesource node, respectively. The scheme uses multiple pathsin each routing direction. A packet contains a sliding t + 1MACs computed by t + 1 associated nodes. If any t nodesin this path are compromised, the scheme is still secure be-cause the last association is still hidden and can be used todetect a false report. Authentication is performed betweenassociated nodes and if it fails the packet is dropped.Otherwise, it is forwarded using multiple paths. Althougha false report is detected and dropped en-route, thescheme does not isolate the malicious nodes that producedthe report. To reduce the authentication overhead causedby the overlapped routing paths, each node establishesone authentication key for all of its upstream (t + 1) hop-away nodes and another key for all of its downstream(t + 1) hop-away nodes. Furthermore, the authors addressthe node association attack by keeping (t + 1) authentica-tion chains disjoint. However, an adversary is able tolaunch a DoS attack and prohibit packets from reachingtheir destination and affecting the node association pro-cess. Also, a replayed attack can consume nodes resourcesand affect the network survivability. Furthermore, theadversary can capture sensor nodes and selectively droppackets, compromising the network’s operation.

Ramaswami and Upadhyaya [53] addressed the prob-lem of colluding and coordinated black hole attacks andproposed a technique that can be integrated in the AODVand SAODV protocols. Their scheme identifies the


malicious nodes and isolates them from the network byadopting a lightweight acknowledgment scheme that usesmultipath routing for securing the protocol. The protocoladopts the route discovery process of the AODV protocolto forward packets from the source to the destination node.When data are to be forwarded, the source sends a burst ofspecial packets along the data packet. Having received thespecial packets, the destination forwards acknowledgmentpackets for the specific packet burst to the source usingmultiple paths. If the number of ACK packets received atthe source over periodic cycles of data transmission is lessthan a threshold, then the source notifies the other nodesof possible intruders and initiates a black hole discoveryprocess. Authors do not provide details regarding the blackhole discovery process. When black holes are detected, thesource broadcasts the id of the malicious nodes so that theother nodes will exclude them from their routing tables.The proposed protocol provides a defense mechanism to-wards the black hole attacks and overlooks any other secu-rity consideration. Therefore, the protocol is vulnerableagainst a number of attacks, including a DoS, Hello, sybil,selective forward and node capturing attacks.

Song et al. [54] have proposed a statistical analysis mul-tipath scheme, called SAM, to detect wormhole attacks inad hoc networks which is also applicable in the case ofWSNs. The scheme does not have any special requirementsbut rather it works entirely based on the information col-lected by the multipath routing. The protocol can be usedas a stand alone module or it can be integrated into anintrusion detection system. Authors consider an on de-mand multipath routing protocol for the route discoveryprocess such as the SMR [55]. The main idea of the SAMis based on the observation that certain statistics of thediscovered routes will change dramatically under a worm-hole attack. The authors consider the frequency of eachlink that appears in the routing paths to identify a worm-hole attack. Since the attack works by attracting othernodes to use the tunneled link, for example by advertisingthe link as the optimal, then most of the established pathswill contain that link. If there is a suspicion that such an at-tack is underway, the source sends test data packets andwaits for ACK. If the attack is verified, the malicious nodeswill be reported in order to isolate them from the network.Although the authors consider the wormhole attack, theydo not provide any other countermeasures for any otherattacks. This creates a great vulnerability since the adver-sary can launch a number of attacks, including a DoS, re-played, selective forward, altering and sybil attacks.

Zhao and Delgado-Frias [68] have proposed a multipathrouting protocol to protect the data transmission frommisbehaving nodes in an ad hoc network. Their schemeis also applicable in WSNs. The authors have integratedmultipath routing with a feedback mechanism to detectnodes that drop packets and select a new path to send dataand therefore avoid misbehaving nodes. Each source nodediscovers two node-disjoint paths, one to send data pack-ets and the other one to send control packets. The protocoluses [69,70] to obtain the alternative paths but it can alsooperate with any other multipath routing protocol. Thesource node constructs two packets, the first packet con-tains information about the control-based path and is sent

over the data-based path while the second packet containsinformation about the data-based path and is sent over thecontrol-based path. If the destination does not receive datapackets at a specific time interval, it considers that misbe-havior nodes have dropped packets and uses the control-based path to notify the source node. The source node findstwo new disjoint paths to continue forwarding packets todestination, bypassing the misbehaving nodes. The pro-posed protocol is concerned with achieving a reliable datatransmission and does not implement any security mecha-nisms. Therefore, the adversary can launch a number of at-tacks, such as eavesdrop, sybil, wormhole, etc., andcompromise the communication. Furthermore, a denial ofservice attack on the control-based path can diminish theeffectiveness of the protocol to increase the packet reliabil-ity. If the source node does not receive the notificationpacket it will not switch to new alternative paths and willcontinue to use the compromised paths.

Liao et al. [71] have proposed an efficient secure relayscheme (ESRS) for ad hoc based embedded networks whichcan also be applied to WSN communication. The protocolconsists of two phases. The first phase establishes anend-to-end secure path in order to protect the forwardeddata. Each node shares a pre-shared key with the sink nodewhich is used for authentication and to encrypt packets.During the route discovery phase a trusted and power-aware routing path is discovered by avoiding nodes in anuntrusted node list and by using a power-aware algorithm.When a path between the source and destination is estab-lished, the end-to-end nodes invoke a session key con-struction procedure to derive their session key using theDiffie-Hellman key exchange protected with the pre-shared key. The second phase of the protocol monitorsthe nodes relay behavior during data transmission. Nodesmonitor their neighbors if they have forwarded data tothe destination and decide if an attack has been launched.If an attack is confirmed, nodes are alerted to add the sus-pect node in an untrusted node list and the data transmis-sion is terminated. Then, nodes have to find otheralternative paths to forward packets to the destination.The protocol defends against a number of attacks such asreplayed, denial of service, selective forward, etc., and triesto reduce their impact. However, the routing discoveryprocedure is vulnerable to attacks since it does not encryptpackets but only authenticates communicating partiesusing the untrusted node list. An adversary can launch ahello, wormhole/sinkhole attacks and convince nodes thatare far away that they are neighbors. Furthermore, themalicious node can lie about its remaining battery andinfluence the power-aware algorithm or even worse canlaunch a man-in-the-middle attack and change the costfield of the packets sent between nodes and therefore con-trol path selection. Although the protocol can detect a de-nial of service attack that results in dropping packets andreact by changing the routes, an adversary can greatlyinfluence the protocol by executing a denial of service at-tack at different nodes forcing the protocol to perceivelegitimate nodes as malicious and add them in the untrust-ed node list. This can as a consequence affect the connec-tivity of the network, since a number of nodes will not beconsidered for communication.


Vaidya et al. [77] have proposed a secure and robustmultipath routing protocol (SAODV-MAP) for mobile adhoc networks. The objective of the protocol is to minimizethe use of the costly route discovery procedure when com-munication failures are detected and also to protect themultipath routing operation and detect node misbehavior.The proposed protocol is a modification of the AODV proto-col [78] and discovers both disjoint and braided paths. Theneighbor discovery phase is protected with public keycryptography. Each node verifies the certificate of itsneighbor node in order to authenticate its identity and ifthe verification is successful then both nodes add eachother in their corresponding neighbor node table. Theroute discovery phase is protected by an HMAC sharedkey between a source node and the sink in order to verifypacket integrity. Packet integrity is verified only at a sourceor the sink node. The protocol implements another securitymechanism to detect misbehaving nodes that launch aselective forward or alteration attack. Each node checks ifthe sending node is in its neighbor node table and alsothe packet’s route path field for routing loops. If misbehav-ior is detected the packet is dropped. Furthermore, eachnode overhears its neighbor’s transmission and verifies ifthe packet is forwarded with the proper route path infor-mation to ensure that the packet is routed only to the in-tended nodes. If the transmission is verified the nodeadds its neighbor in a forwarded node list. When a routerequest reply is received by a node, it forwards it to thenext hop only if the sending node is in the forwarded nodelist. Authors also use a timestamp along with a digital sig-nature to authenticate a route request error packet and en-sure its freshness. The use of public key cryptography isconsidered by many researchers inappropriate solution tobe used in WSNs due to the intensive computations re-quired and the increased energy consumption. However,studies have shown that public key cryptography is feasi-ble when using the right selection of algorithms and asso-ciated parameters along with optimization techniques[79,80]. SAODV-MAP does not specify the details of theimplemented public key cryptography. However, themechanisms proposed can be applied in a WSN when usedwith an appropriate asymmetric cryptographic scheme.The protocol addresses a number of attacks, such as eaves-dropping, alteration, rushing, sybil and hello attacks. At-tacks such as sinkhole and wormhole attacks can affectthe route path establishment when a new route requestis initiated. Furthermore, the existence of colluding mali-cious neighbor nodes can diminish the value of the for-warded node list since it can trick an intermediate nodethat its neighbor has indeed forwarded its packet usingthe intended route path.

6.1.3. Security operations supportMultipath can be used in random key pre-distribution

schemes to establish a secret key between neighboringnodes that do not share any common keys. However, thisapproach is vulnerable if a path is compromised and thesecret key is revealed to the adversary. The JERT scheme[56] addresses this issue using the powerful Maximum-Distance Separable (MDS) codes. After the key pre-distri-bution process is finished, the secret key is encoded in

ðn; kÞ MDS code by the source node and is forwardedthrough multiple multihop paths to the destination. To re-duce the communication overhead, the redundant symbolsof the MDS codes are transmitted only if the destinationfails to decode the secret. Furthermore, different amountsof symbols are sent through paths of different lengths inorder to enhance the security of the scheme. JERT workswith braided or disjoint paths and with different pathlength. The protocol can use any pre-existing scheme tocompute the alternative paths. In general, the idea is thatwhen one round of transmission of the JERT scheme fails,the next round provides the receiver with just-enoughsymbols so that it can correct the errors. The scheme doesnot address node capturing attacks. If an adversary com-promises sensor nodes he can use their key pool to en-crypt/decrypt/modify messages or even launch a selectiveforward attack. By doing so, he can decode the secret keyand compromise the communication between the sourceand destination nodes. He can also launch a DoS attackby forcing the destination node to request retransmissionof packets due to errors or by replaying packets, causingcongestion in the network and depleting sensors energy.

Ling and Znati [57] have also proposed an end-to-endpairwise key establishment scheme using multiple disjointpaths. The scheme negotiates symmetric keys betweensensor nodes in key pre-distribution schemes that do notshare any common cryptographic keys. The proposed pro-tocol addresses the shortcoming of existing key pre-distri-bution schemes that negotiate a shared key over a securepath that is established between nodes that share a com-mon key. This means that the negotiated key is revealedto each node along the path since different symmetric keysare used for different links in the path. In this way, theadversary that captures sensor nodes along the path willbe able to compromise the shared key. Authors proposeto split the negotiated key into multiple fragments in orderto secure the establishment of the common key. Each frag-ment is then encrypted/decrypted between each set ofnodes that transmit it through one of the established paths.The destination node must have all fragments to rebuildthe key. The scheme uses a node-disjoint routing protocol,such as the [58] to compute the disjoint paths. Althoughthe key fragments are transmitted over a secure path pro-hibiting eavesdropping, there are a number of attacks thatare not addressed in the paper. An adversary can launch aDoS attack by replaying old packets consuming sensor re-sources and depleting their batteries, thus making themunavailable and compromizing the network’s connectivity.Furthermore, if sensor nodes are captured, the adversarycan launch a selective forward attack prohibiting nodesto establish a common key. Node capturing is very effec-tive if the adversary captures the destination or its neigh-boring nodes since he will access all key fragments, thushe can reproduce the key.

Chan et al. [59] have proposed a multipath key rein-forcement scheme to increase the security of the key setupin random key pre-distribution schemes. The protocol con-siders networks with a very large size. Their objective is tostrengthen security so that an adversary will have to com-promise many sensors to be able to compromise any givencommunication. The authors consider that the initial key


set up is established and that sensor nodes that share com-mon keys have established a secure link. The scheme ad-dresses the situation where the security of a linkbetween A and B nodes is at risk if the adversary has com-promised some other nodes that have in their key pool thekey that is used by A and B. Authors propose to update thekey between A and B nodes after the initial key setup using2-hop multiple disjoint paths to overcome the aforemen-tioned problem. To compute the new key, node A generatesj random values and each value is transmitted to B using adifferent path. All j values have to be received in order for Bto be able to compute the new key. The protocol is veryscalable and support networks with a very large size(>1000 nodes). Evaluation shows that the communicationoverhead for the key reinforcement and the neighbor dis-covery is quite expensive but authors consider it to be anacceptable trade-off because the risk of compromizingthe communication is greatly minimized. A very largenumber of nodes have to be compromised in order to com-promise a small fraction of the communication. However,the protocol suffers from a number of attacks that can dis-turb its operation. An adversary can capture a node andsteal its key pool which can use later on to eavesdrop onthe communication. Eavesdropping will be very effectiveif the adversary is close to a destination node, receivingall random values that form the new key and also hasthe appropriate encryption keys to decrypt the packets.The selective forward or the DoS attacks can disable thefunctionality of the protocol since all random values sentthrough the alternative paths have to be received at thedestination node to compute the key. The adversary canalso replay old packets forcing nodes to compute wrongkeys and prohibiting them to establish a secure communi-cation based on a new key.

PRSA [60] is another path redundancy based securityalgorithm. The algorithm computes least cost disjoint andbraided multipaths, using Dijkstra’s algorithm, betweenthe source and destination nodes and uses a combinationof transmission techniques to deliver the packets includinground-robin, redundant and selective modes. The securityaspect of the algorithm comes from the support of itsintrusion detection design. A set of parameters is definedsuch as node power, node HELLO messages, number ofhops to destination, etc., that can identify the presence ofmalicious nodes. If a node is identified as malicious, thenthe algorithm excludes the node and its links from the pathcalculation procedure. The protocol does not offer any pre-venting mechanisms, therefore it is subject to a number ofattacks, including the DoS, sybil, wormhole, sinkhole andreplayed attacks. Furthermore, the communication can beintercepted since transmission is established in clear modeand the adversary has the opportunity to read, alter datapackets or affect the construction of the routing paths ina way that he is included in the communication paths.The paper does not provide many details on its intrusiondetection capabilities, therefore we cannot assess its effec-tiveness towards identifying and isolating malicious nodes.

Multipath routing can also be used to secure andsupport the data aggregation functionality in WSNs. Theaggregators combine data coming from different nodes inthe network, eliminating data redundancy, minimizing

the number of transmissions and therefore saving energy.In data aggregation, what values the most is for the aggre-gator to receive correct information in order for the aggre-gated data to be accurate and provide a correctrepresentation of the environment’s status. SELDA [97] isa data aggregation protocol that integrates reputation-based trust management and secure multipath routing toensure the security and reliability of aggregated data inthe presence of malicious nodes. The proposed protocolestablishes reputation ratings for each node using Beta dis-tribution function [98]. Aggregators compute a reputationvalue for each of their neighbor nodes while a simple nodecomputes only a single reputation value for its neighbor-hood in order to reduce the computational overhead. Sen-sor nodes exchange their reputation ratings withneighboring nodes to form a web of trust and determinesecure and reliable paths to data aggregators. Aggregatorsuse the reputation rating of a neighbor node to weightthe received data prior to performing the data aggregation.The trust scheme monitors nodes based on their sensing,routing and availability behavior. A sensor node uses thereputation value of its neighborhood to determine thenumber of alternative paths that will be used to transmitdata to the aggregator. The alternative paths are used onlywhen the neighborhood reputation value falls under athreshold, indicating that malicious nodes may exist inthe neighborhood. By combining reputation-based trustmanagement and multipath routing, the protocol increasesthe reliability of the aggregated data. With reputation-based trust management the nodes select to send theirpackets over paths that have a higher reputation, indicat-ing that the path contains honest nodes. With multipathrouting the data aggregator is able to detect false data bycomparing the multiple instances of the same data re-ceived over the multiple paths. Furthermore, to protectthe communication from eavesdropping and maliciousmodifications, symmetric encryption is used. Authors pro-pose a scheme to keep the number of the utilized alterna-tive paths and the relevant node identities secret using aspecial packet header encrypted with a secret key sharedbetween each pair of neighboring nodes. Although themultipath data transmission is secured with a sharedencryption key between neighboring nodes, the path dis-covery algorithm is applied without cryptographic protec-tion and therefore is vulnerable against a number ofattacks, e.g. eavesdropping, altering, rushing, sybil and hel-lo attacks, that can compromise the path establishment bycreating routing loops, dead-ends, including the adversaryin the routing paths, etc. Furthermore, the adversary canmanipulate the reputation scheme by performing a denialof service attack at different links and negatively affect thenodes’ reputation values that are computed by their neigh-boring nodes. Nevertheless, the protocol defines someinteresting features to enhance the reliability of dataaggregation that are worth investigating them further.

6.2. Performance evaluation

This section discusses the importance of a performanceevaluation, highlighting that an evaluation comparison is acomplicated process, made more difficult by different


researchers taking different approaches to evaluating theirproposed protocols. We consider a basic set of fundamen-tal aspects and assess if these are included in the evalua-tions of proposed protocols. Also, in this section wediscuss further an important aspect of the performance,that of the tradeoff between secure multipath routingand energy efficiency.

6.2.1. Protocol evaluation challenges and recommendationsSecure multipath routing protocols in WSNs are devel-

oped to protect the communication between sensor nodesand also promote the availability, reliability and resilienceof the network. To decide whether a protocol has achievedits objectives, researchers need to evaluate it towards itsrouting capabilities, the security level that is achieved andalso assess if the associated cost is acceptable. The evalua-tion process will reveal if the security and routing strategiesare effective and if the cost of implementing them is justi-fied. The cost can take many forms, e.g. it can be the energyconsumption, the communication overhead, the packet lossratio, the compromization probability, the resilience level,etc. The challenge here is to balance the tradeoff betweensecurity, routing, compromization and cost to reflect the le-vel of protection that is really needed by the application.The state-of-the-art shows that researchers use differentsets of criteria to evaluate the performance of their protocolin terms of security and routing that makes it difficult tocompare protocols. Furthermore, the fact that protocolsare developed under different deployment configurationscomplicates even more a potential protocol comparison.Some effort have been made [66,67] to evaluate securemultipath routing protocols in mobile ad hoc networks bydefining some common evaluation metrics based on whichprotocols are compared. However, such efforts need to beexpanded to provide a comprehensive evaluation and com-parison of the state-of-the-art of secure multipath routingprotocols in WSNs.

In order to compare different evaluation approaches, wehave used the broad set of evaluation criteria listed below.Table 5 presents the evaluation criteria that are consideredfor evaluation by each protocol. Note that this section isnot meant to be an exhaustive evaluation comparison ofthe state-of-the-art protocols. This is left as a future work.

� Energy consumption: Energy is a critical resource of thenetwork since it is one of the main elements that definethe survivability of the network. Deciding if a protocol issuitable for a specific application highly depends on theenergy consumption that occurs due to the protocol’sfunctionality.

� Communication overhead: Each protocol follows its ownrouting and security approach based on the application’sobjectives and requirements. These procedures createcommunication overhead with the messages that needto be exchanged between nodes during the setup estab-lishment, data forwarding and maintenance phases ofeach procedure. Therefore, the protocols that evaluatehow many messages are transmitted are consideredunder this criterion. This may concern routing-relatedpackets, e.g. control and data packets, and security-related packets, e.g. key setup packets.

� Storage overhead: The routing and security approachtaken by each protocol creates a storage overheadrelated to the size of the routing tables and the numberand size of cryptographic keys stored on each node.These are aspects that are evaluated by protocols thatassess the storage overhead of their approach.

� Reliability: It is also important to compare protocols andobserve how reliable they are in delivering the packetsto the intended destination. The protocols consider anumber of metrics to evaluate the reliability level, e.g.the packet delivery ratio, the quality of the establishedpaths in terms of a set of path characteristics, e.g. num-ber of discovered braided or disjoint paths, path length.

As we can observe from Table 5, the protocols’ evalua-tion is mostly inadequate, as certain important aspectsare not evaluated. For example, most of the protocols arenot evaluated in terms of energy consumption. We advo-cate that an appropriate evaluation framework be de-signed, and this will be part of our future work, based onwhich a spherical protocol comparison can be established.

6.2.2. Security and energy efficiency tradeoff in multipathrouting

Energy is a valuable asset in sensor networks due to theresource-limited environment. Communication betweensensor nodes is the major reason that leads to energy con-sumption. Therefore, communication must be kept at min-imum levels but still allow for the network’s operation tobe established and function. In multipath routing, morethan one paths are established to forward a packet fromsource to destination. This means that communication isincreased in comparison to single-path routing. Also, secu-rity itself further contributes to the energy consumptiondue to the extra communication and processing requiredat sensor nodes. Even worse, energy is greatly affectedwhen a protocol combines security mechanisms with mul-tipath routing.

In terms of reliability, availability and resilience, the en-ergy consumption is affected by the routing strategy. Therouting strategy defines the number and length of alterna-tives paths, the type of paths (braided or disjoint) and thetransmission mode (redundant, round-robin, selective).Depending on the level of reliability, availability and resil-ience we want to achieve, we configure the routing strat-egy appropriately. However, a tradeoff exists between therequired level of reliability, availability and resilience andthe energy consumption. As the number of alternativepaths increases so does the data packets that are travellingin the network. The same applies for the path length be-cause as it increases packets traverse more hops to reachthe destination. The increased communication results inmore energy consumption. The energy consumption ateach node varies depending on the type of alternativepaths. In braided paths the common nodes are used moreoften than the other nodes and therefore they consumemore energy. This puts at risk the network connectivityas more nodes get disabled due to battery depletion. In dis-joint paths, the energy consumption is more evenly spreadbut still consumes more energy that single-path routing.Furthermore, the energy is affected by the multipath

Table 5Evaluation of protocols based on four fundamental aspects.

Security protocols Energy consumption Communication overhead Storage overhead Reliability

SEIF [40]p

MVMP [41]INSENS [43]

p

Deng et al. [44]p

JERT [56]p p

Ling and Znati [57]p p

Chan et al. [59]p p

SEER [45,76]p p

H-SPREAD [46]p p

PRSA [60]p p p

SERINS [47]Lee and Choi [49]

p

Abu-Ghazaleh et al. [50]Zhang et al. [51]Ramaswami and Upadhyaya [53]

p

Song et al. [54]Zhao and Delgado-Frias [68]

p

ESRS [71]p

Lu et al. [73]SAODV-MAP [77]

p p

SecMR [65]p p

Lee et al. [82,83]p p

Chen and Leneutre [88]p

SELDA [97]p


routing transmission mode. The most severe mode interms of energy consumption is the redundant modewhere all alternative paths are used to forward packets.The selective mode, which selects specific paths amongthe set of alternative paths to send the packets, consumesless energy. However, if a path is selected more frequentlythan others it has a higher risk in depleting the energy ofits utilized nodes and jeopardizing the availability of thenetwork. The round-robin mode, which uses all pathsone at a time, consumes the minimum energy in compari-son to the other modes.

In terms of authentication, integrity and confidentiality,each node must establish appropriate security associationswith more than one neighboring nodes in order to sup-port the use of alternative paths. This incurs more commu-nication overhead that affects the consumed energy.Furthermore, processing is performed at more nodes incomparison to single-path routing that adds to the energyconsumption. The energy consumption that occurs due toauthentication, integrity and confidentiality mechanismsdepends on the level of reliability, availability and resil-ience implemented by the protocol. In addition, the energyconsumption is further affected by the security attackslaunched against the network. By attacking at differentpaths, the security and routing recovery mechanisms areapplied on more nodes, increasing the communicationand processing and therefore causing extra energy con-sumption. Having the adversary repeatedly attacking thenetwork, the recovery mechanisms can drain the energyin a fast rate affecting the operation of the network.

A tradeoff between security and energy efficiency inmultipath routing can only be achieved if we have a clearunderstanding of the environment, the associated threatsand the application’s objectives. In this way, the appropri-ate security and routing mechanisms can be used toprotect the network and its resources. The challenge is to

define the security and routing strategies in a way that re-flect the level of security and reliability that is reallyneeded by the application and in this way consume theminimum required amount of energy.

7. Future directions – open issues

Although the work carried out so far in the area of se-cure multipath routing in WSNs addresses a number ofsecurity problems, there are still open areas that need tobe further investigated. This section discusses the trends(ref. Tables 2–4) and open issues in the area and providesdirections to researchers, promoting future contributionsin the area.

From the literature survey, we can observe that thereare multipath routing protocols that claim to be secure justbecause they implement multipath routing. They considerthat security is achieved because they can address theselective forwarding attack through the alternative paths.However, such approaches can only address this attack tosome level but cannot entirely defeat it. Furthermore,these protocols are very vulnerable since they do notimplement any security mechanisms and therefore providethe opportunity to the adversary to launch any attack fromthe most naïve to the most sophisticated. In a multipathrouting protocol, security is affected by two issues: the cri-teria based on which the multiple paths are establishedand used, and the security measures that are actuallyimplemented. These two issues define the security andreliability levels of these protocols. Although multipath it-self cannot be claimed to provide security, it can enhancesecurity if combined with other mechanisms. This combi-nation has to be carefully designed, because multipathcan also degrade security if it is not used in an efficientand effective way. When designing secure multipath


routing protocols we have to consider that a WSN is a dy-namic environment where adversaries’ activities cannot al-ways be predicted in order to provide proactive protection.Furthermore, the problem gets even worse as adversariescan manipulate the multipath routing operation to furthercompromise and degrade the network’s performance.Therefore, the challenge is to define the way the alterna-tive paths are used in such protocols in order to aid in max-imizing the security and reliability of packet delivery. Apromising approach is to use reputation-based trustschemes in multipath routing, e.g. [50,97]. Such schemesadd another layer of security that goes beyond the capabil-ities of the utilized cryptographic mechanisms. The idea isto evaluate the possible paths using reputation metricsthat reflect the behavior of nodes over time in order to de-cide which paths to use based on the reputation ratings.Reputation metrics may involve the capability of correctpacket forwarding of sensors, intrusion detection results,recommendations from neighbor nodes, etc. A number ofreputation-based trust schemes have been proposed thatcan be utilized in multipath routing protocols. For exam-ple, Marti et al. [92] proposed a reputation-based schemecomposed of a watchdog and a pathrater module in orderto determine if intermediate nodes are indeed forwardingthe received packets. The watchdog node overhears thecommunication to verify if its neighbor node has for-warded the packet or not. Based on the result, the pathr-ater rates each path and chooses a path to avoidmisbehaving nodes. The concepts of monitoring and ratingform the basic functionality of a reputation trust-basedframework that is applied according to the aspects thatneed to be evaluated. In [93,96], authors define reputationmetrics related to cryptographic operation and nodesbehavior that can indicate malicious activity. In [94],authors follow a similar trust evaluation approach to aidthe election of trustworthy cluster heads. Another ap-proach is taken by Liu et al. [95] where they not only favorwell behaving nodes for each successful packet forwardingbut also penalize suspicious nodes that lie about their con-tribution to routing. Reputation-based trust managementschemes can be very useful in multipath routing to balancethe tradeoff between reliability, compromization risk andperformance. Combining such schemes with other securitysolutions, e.g. cryptographic operations, can lead to an effi-cient and effective security strategy.

As mentioned, most of the protocols consider that theyaddress the selective forward attack by implementing mul-tipath in order to bypass malicious nodes. However, onlyfew protocols truly address this attack by implementingschemes that can actually detect it and take recovery mea-sures such as excluding malicious nodes from the routingtables. Furthermore, the protocols that detect and recoverfrom attacks against the sensor network follow a commonapproach where they address specific attacks. The attacksthat are least addressed when considering external adver-saries are the node capturing and DoS attacks. Since sensornodes are often deployed in open areas, physical security isa critical issue. If the adversary can capture a node, he canextract any data, e.g. cryptographic material, that arestored on the node and use them to compromise the net-work communication. Using tamper-resistant nodes may

be one defense, however, such solution is more expensiveand currently most of the researchers do not consider itin their implementations. Therefore, it is important to pro-vide solutions that can overcome node capturing and itsoutcomes. Future protocols should also address DoS at-tacks. DoS attacks can come into many forms [32,33] anddamage the network. We also consider it important to fo-cus on defeating attacks that target the battery depletionof nodes. Energy defines the survivability of the network,therefore is one of the most valuable assets of the networkand must be well protected. To address node capturing andDoS attacks, there is the need to design schemes that willconfine damage to a local area in order to avoid wide-spread compromization of the network. To support suchactivities, solutions should detect the attack and isolatethe malicious node from the network. Such schemes willpermit the network to continue its operation even in thepresence of malicious nodes. A promising approach is touse a decentralized system, using cooperation betweenspecific nodes to gather information about other nodesbehavior and activities and check for inconsistencies incomparison to the expected operations. Furthermore, mostof the protocols do not consider the situation where coop-erating adversaries attack the network. Such a scenario isnot unrealistic since WSNs are currently used in a numberof mission-critical applications that have to be protectedfrom competitors, terrorists, etc, that launch large-scale at-tacks to compromise the application. Therefore, it is impor-tant to study how these attacks can be launched andidentify patterns that can be used to detect such coopera-tive attacks.

Future research also has to take into consideration theattacks that can greatly influence the network whenlaunched from inside adversaries, e.g. wormhole, sinkhole,hello attacks. These attacks are usually more difficult to de-feat because the adversary has already gained access andhe is considered part of the network. Researchers shouldinvestigate the security aspects of multipathing and howit can aid in detecting these attacks, rather than using mul-tipath only as a transmission method. Furthermore, obser-vations towards the security operations support category,show that most of the researches focus their work on usingmultipath in key management schemes in order to en-hance the security of the key establishment procedure. Fu-ture research has to promote more solutions that usemultipath to support the operations of other security areas,e.g. secure aggregation, secure localization, etc.

Regarding the security requirements addressed in theexisting protocols, we can observe a number of trends. Anumber of protocols do not consider mechanisms forauthentication, freshness and/or accountability. However,sensitive applications are dependent on accurate and up-to-date data and need to operate uninterruptedly in orderto provide their services and support their objectives.Therefore, we cannot overlook fundamental securityrequirements in future protocol designs. It is importantto provide a spherical protection, e.g. by prohibiting adver-saries from joining the network, protecting the informationexchanged between sensor nodes and support the robust-ness of the network against security attacks. Furthermore,reliability is another security requirement that needs to be


taken into consideration when designing secure multipathrouting protocols in WSNs. One way to measure the levelof reliability is to consider the path type (braided or dis-joint) that is used by each routing protocol. Braided pathshave common nodes between the different paths. Compro-mising a common node can lead to compromization of anumber of paths, therefore jeopardizing the data deliveryto the intended destination. On the other hand, disjointpaths do not include any common nodes, so compromizinga single node can only affect the path that contains thatnode and the data have a greater probability of deliveryto the destination. Therefore, routing protocols that usebraided paths have a lower reliability level that those thatuse disjoint paths. Research should focus on designingrouting protocols that can guarantee the discovery of dis-joint paths, supporting the reliability and availability ofthe network.

The availability of the network is also supported by theself-healing capabilities of routing protocols. The review onthe state-of-the-art shows that most of the routing proto-cols implement a self-healing behavior. Self-healing isachieved through packet splitting [61–64] or by identifyingand recovering from security attacks. Packet splitting algo-rithms support this requirement by tolerating comprom-ization of fragments up to a threshold and permitting thereconstruction of the original packet, even if not all frag-ments have been received. Furthermore, self-healing issupported by protocols that implement intrusion detectionand provide response mechanisms to eliminate the threat.For example, when a malicious node is identified, nodesexclude the malicious node from the routing table andrevoke its cryptographic key to prevent future communica-tion with the network. Both approaches look very promis-ing and should be further investigated in future protocoldesigns.

A critical issue when designing security protocols forWSNs is the limited resources of sensor nodes, in termsof available storage, processing capabilities and mostimportantly energy. Usually, sensor nodes use batteriesas their main energy source. As already mentioned, energydetermines the lifetime of the nodes and also the surviv-ability of the network. There are several sources of energyconsumption in sensor networks, such as when communi-cating, sensing and processing information. The establish-ment and use of alternative paths in combination withthe security operations obviously requires more communi-cation and processing, leading to increased energyconsumption. Therefore, there is the need to balance theenergy consumption and the implemented security opera-tions according to the level of security and reliability that isreally needed by the application. Furthermore, dependingon the security requirements and deployment conditionsof the application, different architectures should beconsidered using nodes with heterogeneous resources.The objective will be to investigate how heterogeneitycan influence the establishment of alternative paths andpermit the implementation of resource-demanding secu-rity mechanisms.

Another major open issue in the area is the lack of anevaluation framework that can measure the robustnessand security of these protocols and can be used to compare

similar protocols. Furthermore, existing protocols are eval-uated under certain performance criteria that most of thetimes are not adequate to evaluate the effectiveness andefficiency of the protocols. In addition to that, the fact thateach researcher uses its own set of evaluation criteriamakes it even more difficult to compare protocols.

8. Conclusions

In this paper, we have surveyed the state-of-the-art ofsecure multipath routing protocols in WSNs and discusseda number of security issues related to multipath routing it-self. The protocols have been categorized based on theirsecurity purpose and the security implementation ap-proach they adopt. There are protocols that aim in securingthe multipath routing procedure itself. Other protocols aredesigned to detect and recover from specific attacks whileothers support the operation of other security areas inWSNs. We have also overviewed the security requirementsof sensitive applications that use WSNs and argue that mis-sion-critical applications place importance differently thanwhat constitutes the traditional security requirementschain. We have listed the reasons that drive the need forsecurity in multipath routing promoting a better under-standing of the risks that exist and also we have defineda new threat model that can be used to compromise rout-ing in WSNs. Furthermore, we discuss performance evalu-ation issues and propose a basic set of performance criteriathat should be considered. Finally, we discuss future direc-tions and open issues. As future work, we plan to design anappropriate evaluation framework, based on which aspherical protocol evaluation and comparison can beestablished.

Acknowledgments

This research work is supported by ASPIDA project(KINHT/0506/03), funded by Cyprus Research PromotionFoundation. Partial support (for professor A. Pitsillides) isprovided by the GINSENG project (FP7 ICT-224282).

References

[1] S. De, C. Qiao, H. Wu, Meshed multipath routing: an efficient strategyin sensor networks, in: Proceedings of the IEEE WirelessCommunications and Networking Conference (WCNC), NewOrleans, LA, March 2003.

[2] K. Sohrabi, J. Gao, V. Ailawadhi, G.J. Pottie, Protocols for self-organization of a wireless sensor network, IEEE PersonalCommunications 7 (5) (2000) 16–27.

[3] D. Ganesan, R. Govindan, S. Shenker, D. Estrin, Highly-resilientenergy-efficient multipath routing in wireless sensor networks, in:ACM Mobile Computing and Communication Review (MC2R), vol. 1(2), 2002.

[4] C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: ascalable and robust communication in wireless sensor networks, in:Proceedings of the Fifth IEEE/ACM Mobicom, 1999, pp. 174–185.

[5] F. Ye, G. Zhong, S. Lu, L. Zhang, GRAdient broadcast: a robust datadelivery protocol for large scale sensor networks, in: ACM WirelessNetw. (WINET), vol. 11 (2), 2005.

[6] C. Rahul, J. Rabaey, Energy aware routing for low energy ad hocsensor networks, in: IEEE Wireless Communications and NetworkingConference (WCNC), vol. 1, Orlando, FL, March 17–21, 2002, pp. 350–355.


[7] R. Vidhyapriya, P.T. Vanathi, Energy efficient adaptive multipathrouting for wireless sensor networks, IAENG International Journal ofComputer Science 34 (1) (2007).

[8] X. Huang, Y. Fang, Multiconstrained QoS multipath routing inwireless sensor networks, ACM Wireless Networks 14 (4) (2008)465–478.

[9] K. Akkaya, M. Younis, A survey of routing protocols in wirelesssensor networks, Ad hoc Network, Elsevier Journal 3 (3) (2005) 325–349.

[10] J.N. Al-Karaki, A.E. Kamal, Routing techniques in wireless sensornetworks: a survey, IEEE Wireless Communications 11 (6) (2004) 6–28.

[11] Y. Wang, G. Attebury, B. Ramamurthy, A survey of security issues inwireless sensor networks, IEEE Communications Surveys & Tutorials8 (2) (2006) 2–23.

[12] Y. Li, T. Newe, Wireless sensor networks – selection of routingprotocols for applications, in: Australian TelecommunicationNetworks and Applications Conference (ATNAC), 2006.

[13] M.I. Abd-El-Barr, M.M. Al-Otaibi, M.A. Youssef, Wireless sensornetworks. Part II: Routing protocols and security issues, in: CanadianConference on Electrical and Computer Engineering, May 1–4, 2005,pp. 69–72.

[14] Y. Al-Obaisat, R. Braun, On wireless sensor networks: architectures,protocols, applications, and management, in: InternationalConference on Wireless Broadband and Ultra WidebandCommunication (AusWireless), 2006.

[15] J.P. Walters, Z. Liang, W. Shi, V. Chaudhary, Wireless sensor networkssecurity: a survey, in: Yang Xiao (Ed.), Book Chapter of Security inDistributed, Grid and Pervasive Computing, Auerbach Publications,CRC Press, 2006, ISBN: 0-849-37921-0.

[16] D. Djenouri, L. Khelladi, . A.N. Badache, A survey of security issues inmobile ad hoc and sensor networks, IEEE Communications Surveys &Tutorials 7 (4) (2005) 2–28.

[17] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci, A survey onsensor networks, IEEE Communications Magazine 40 (8) (2002)102–114.

[18] J. Yick, B. Mukherjee, D. Ghosal, Wireless sensor networksurvey, Computer Networks, Elsevier Journal 52 (12) (2008)2292–2330.

[19] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci, wirelesssensor networks: a survey, Computer Networks, Elsevier Journal 38(4) (2002) 393–422.

[20] J. Yin, S. Madria, SecRout: a secure routing protocol for sensornetworks, in: Proceedings of the 20th International Conference onAdvanced Information Networking and Applications (AINA06),Vienna, Austria, 2006.

[21] X. Du, Y. Xiao, H.H. Chen, Q. Wu, Secure cell relay routing protocol forsensor networks, Wireless Communications and Mobile Computing6 (2006) 375–391.

[22] J. Deng, R. Hang, S. Mishra, INSENS: intrusion-tolerant routing inwireless sensor networks, Computer Communications, ElsevierJournal 29 (2) (2006) 216–230.

[23] R. Pietro, L. Mancini, Y. Law, S. Etalee, P. Havinga, LKHW: a directdiffusion-based secure multicast scheme for wireless sensornetworks, in: ICPPW ’03: Proceedings of the 32nd InternationalConference on Parallel Processing Wksps, IEEE Computer SocietyPress, 2003.

[24] C. Karlof, Y. Li, J. Polastre, ARRIVE: algorithm for robustrouting in volatile environments, Report UCBCSD-02-1233,Computer Science Department, University of California atBerkeley, May 2002.

[25] A. Perrig, R. Szewczyk, V. Wen, D. Cullar, J.D. Tygar, SPINS: securityprotocols for sensor networks, in: Proceedings of the Seventh AnnualACM International Conference on Mobile Computing and Networks(MOBICOM), Rome, Italy, July 2001.

[26] W. Du, R. Wang, P. Ning, An efficient scheme forauthenticating public keys sensor networks, in: MobiHoc ’05:Proceedings of the Sixth ACM International Symposium onMobile Ad hoc Networks and Computers, ACM Press, NewYork, 2005.

[27] S. Tanachaiwiwat, P. Dave, R. Bhindwale, A. Helmy, Location-centricisolation of misbehavior and trust routing in energy-constrainedsensor networks, in: The Workshop on Energy-Efficient WirelessCommunications and Networks (EWCN 04) in Conjunction with IEEEInternational Performance, Computing, and CommunicationsConference (IPCCC), 2004.

[28] D.W. Carman, P.S. Kruus, B.J. Matt, Constraints and approaches fordistributed sensor network security, NAI Labs Technical Report #00-010, 2000.

[29] S. Seys, B. Preneel, Security issues for distributed sensor networks,Ph.D. Symposium, 2003.

[30] K. Jamshaid, A framework for implementing security in wirelesssensor networks, Master Thesis, Graduate School of Wayne StateUniversity, Detroit, MI, 2002.

[31] C. Karlof, D. Wagner, Secure routing in wireless sensor networks:attacks and countermeasures, in: IEEE International Workshop onSensor Network Protocols and Applications, May 2003, pp. 113–127.

[32] A.D. Wood, J.A. Stankovic, Denial of service in sensor networks, IEEEComputer 35 (10) (2002) 54–62.

[33] A.D. Wood, J.A. Stankovic, A taxonomy for denial-of-service attacksin wireless sensor networks, Handbook of Sensor Networks:Compact Wireless and Wired Sensing Systems, CRC Press, 2004.

[34] S. Zhu, S. Setia, S. Jajodia, LEAP: efficient security mechanisms forlarge-scale distributed sensor networks, in: Proceedings of the 10thACM Conference on Computer and Communications Security(CCS’03), 2003, pp. 62–72.

[35] T. Zia, A. Zomaya, Security issues in wireless sensor networks, in:International Conference on Systems and Networks Communication(ICSNC 2006), 2006.

[36] H. Chan, A. Perrig, Security and privacy in sensor networks, IEEEComputer Magazine (2003) 103–105.

[37] K. Romer, F. Mattern, The design space of wireless sensor networks,IEEE Wireless Communications 11 (6) (2004) 54–61.

[38] C.F. Garcia-Hernandez, P.H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, J.A. Perez-Diaz, Wireless sensor networks andapplication: a survey, International Journal of Computer Scienceand Network Security (IJCSNS) 7 (3) (2007).

[39] H. Karl, A. Willig, Advanced application support, Protocols andArchitectures for Wireless Sensor Networks, John Wiley & Sons,2005 (Chapter 14).

[40] A. Ouadjaout, Y. Challal, N. Lasla, M. Bagaa, SEIF: secure and efficientintrusion-fault tolerant routing protocol for wireless sensornetworks, in: Proceedings of the Third International Conference onAvailability, Reliability and Security (ARES) 2008, March 4–7, 2008,pp. 503–508.

[41] R. Ma, L. Xing, H.E. Michel, A new mechanism for achieving secureand reliable data transmission in wireless sensor networks, in:Proceedings of the 2007 IEEE Conference on Technologies forHomeland Security, Woburn, MA, May 16–17, 2007, pp. 274–279.

[42] P. Djukic, S. Valaee, Minimum energy fault tolerant sensor networks,in: IEEE Globecom Workshops Proceedings, 2004.

[43] J. Deng, R. Han, S. Mishra, INSENS: intrusion-tolerant routing inwireless sensor networks, Technical Report CUCS-939-02,Department of Computer Science, University of Colorado, 2002.

[44] J. Deng, R. Han, S. Mishra, Intrusion tolerance and anti-trafficanalysis strategies for wireless sensor networks, in: Proceedings ofthe 2004 IEEE International Conference on Dependable Systems andNetworks, 2004, p. 637.

[45] N. Nasser, Y. Chen, Secure multipath routing protocol for wirelesssensor networks, in: Proceedings of the 27th InternationalConference on Distributed Computing Systems Workshops(ICDCSW ’07), 2007, p. 12.

[46] W. Lou, Y. Kwon, H-SPREAD: a hybrid multipath scheme forsecure and reliable data collection in wireless sensor networks,IEEE Transactions on Vehicular Technology 55 (4) (2006) 1320–1330.

[47] S. Lee, Y. Choi, A secure alternate path routing in sensor networks,Computer Communications, Elsevier 30 (1) (2006) 153–165.

[48] S. Lee, Y. Choi, ARMS: an authenticated routing message in sensornetworks, Secure Mobile Ad-hoc Networks and Sensors Workshop(MADNES’05), Lecture Notes in Computer Science, Springer,September 2005.

[49] S. Lee, Y. Choi, A resilient packet-forwarding scheme againstmaliciously packet-dropping nodes in sensor networks, in:Proceedings of the Fourth ACM Workshop on Security of Ad hocand Sensor Networks (SASN’06), October 2006, pp. 59–70.

[50] N. Abu-Ghazaleh, K. Kang, K. Liu, Towards resilient geographicrouting in WSNs, in: Proceedings of the First ACM InternationalWorkshop on Quality of Service & Security in Wireless and MobileNetworks, Montreal, Quebec, Canada, 2005, pp. 71–78.

[51] Y. Zhang, J. Yang, H.T. Vu, The interleaved authentication for filteringfalse reports in multipath routing based sensor networks, in:Proceedings of the 20th International IEEE Parallel and DistributedProcessing Symposium (IPDPS’06), 2006.

[52] S. Zhu, S. Setia, S. Jajodia, P. Ning, An interleaved hop-by-hopauthentication scheme for filtering of injected false data in sensornetworks, in: Proceedings of IEEE Symposium on Security andPrivacy, Oakland, CA, May 2004.


[53] S.S. Ramaswami, S. Upadhyaya, Smart handling of colluding blackhole attacks in MANETs and wireless sensor networks usingmultipath routing, in: IEEE Information Assurance Workshop, June2006, pp. 253–260.

[54] N. Song, L. Qian, X. Li, Wormhole attacks detection in wireless ad hocnetworks: a statistical analysis approach, in: Proceedings of the 19thIEEE International Parallel and Distributed Processing Symposium,2005.

[55] S. Lee, M. Gerla, Split multipath routing with maximally disjointpaths in ad hoc networks, in: IEEE International Conference onCommunications (ICC ’01), vol. 10, 2001, pp. 3201–3205.

[56] J. Deng, Y.S. Han, Multipath key establishment for wireless sensornetworks using just-enough redundancy transmission, IEEETransactions on Dependable and Secure Computing 5 (3) (2008)177–190.

[57] H. Ling, T. Znati, End-to-end pairwise key establishment using multi-path in wireless sensor network, in: Proceedings of the IEEE GlobalCommunications Conference (GLOBECOM 2005), St. Louis, MO,November 2005.

[58] X. Li, L. Cuthbert, Node-disjointness-based multipath routing formobile ad hoc networks, in: Proceedings of the First ACMInternational Workshop on PE-WASUNN, October 2004, pp. 23–29.

[59] H. Chan, A. Perrig, D. Song, Random key predistribution schemes forsensor networks, in: Proceedings of the 2003 IEEE Symposium onSecurity and Privacy (SP’03), 2003, p. 197.

[60] S.S. Al-Wakeel, S.A. Al-Swailemm, PRSA: a path redundancy basedsecurity algorithm for wireless sensor networks, in: IEEE WirelessCommunications and Networking Conference (WCNC 2007), 2007.

[61] G.J. Simmons, An introduction to shared secret and/or shared controlschemes and the application, Contemporary Cryptology: The Scienceof Information Integrity, IEEE Press, 1992. pp. 441–497.

[62] A. Shamir, How to share a secret, Communications of the ACM 22(11) (1979) 612–613.

[63] I.S. Reed, X. Chen, Error-Control Coding for Data Networks, KluwerAcademic Publishers, 1999.

[64] S. Lin, D.J. Costello Jr., Error Control Coding: Fundamentals andApplications, second ed., Prentice Hall, Englewood Cliffs, NJ, 2004.

[65] R. Mavropodi, P. Kotzanikolaou, C. Douligeris, SecMR – securemultipath routing protocol for ad hoc networks, Ad Hoc Networks5 (1) (2007) 87–99.

[66] R. Mavropodi, C. Douligeris, Multipath routing protocols formobile ad hoc networks: security issues and performanceevaluation, in: WAC 2005, LNCS, vol. 3854, Springer-Verlag,2006, pp. 165–176.

[67] R. Mavropodi, P. Kotzanikolaou, C. Douligeris, Performance analysisof secure multipath routing protocols for mobile ad hoc networks,in: WWIC 2005, LNCS, vol. 3510, Springer-Verlag, 2005, pp. 269–278.

[68] L. Zhao, J.G. Delgado-Frias, Multipath routing based secure datatransmission in adhoc networks, in: IEEE International Conferenceon Wireless and Mobile Computing, Networking andCommunications (WiMob 2006), Montreal, Canada, June 19–21,2006.

[69] J. Broch, D. Johnson, D. Maltz, The dynamic source routing protocolfor mobile adhoc networks, November 2003. <http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-04.txt> (IETF Internet Draft).

[70] K. Wu, J. Harms, Performance study of a multipath routing methodfor wireless mobile adhoc networks, in: Proc. MASCOTS’ 01, 2001,pp. 99–107.

[71] Cheng-Fu Liao, Yung-Feng Lu, Ai-Chun Pang, Tei-Wei Kuo, A securerouting protocol for wireless embedded networks, in: Proceedings ofthe 14th IEEE International Conference on Embedded and Real-TimeComputing Systems and Applications, 2008.

[72] W. Lou, W. Liu, Y. Zhang, Y. Fang, SPREAD: improving networksecurity by multipath routing in mobile ad hoc networks, WirelessNetworks, Springer, 2007.

[73] F. Lu, L. Geng, L.T. Chia, Y.C. Liang, Secure multi-path in sensornetworks, in: Proceedings of the Fifth International Conference onEmbedded Networked Sensor Systems (SenSys ’07), 2007, pp. 413–414.

[74] C. Intanagonwiwat, R. Govindan, D. Estrin, J. Heidemann, F. Silva,Directed diffusion for wireless sensor networking, IEEE/ACMTransactions on Networking (TON) 11 (1) (2003) 2–16.

[75] J. Dong, R. Curtmola, C. Nita-Rotaru, Secure network coding forwireless mesh networks: threats, challenges, and directions,Computer Communications (Elsevier) 32 (17) (2009) 1790–1801.

[76] N. Nasser, Y. Chen, SEEM: secure and energy-efficient multipathrouting protocol for wireless sensor networks, ComputerCommunications, Elsevier 30 (11–12) (2007) 2401–2412.

[77] B. Vaidya, J.Y. Pyun, J.A. Park, S.J. Han, Secure multipath routingscheme for mobile ad hoc network, in: Proceedings of the Third IEEEInternational Symposium on Dependable, Autonomic and SecureComputing, 2007.

[78] C.E. Perkins, E. Belding-Royer, S.R. Das, Adhoc on-demand distancevector (AODV) routing, in: IETF RFC 3561, July 2003.

[79] A.S. Wander, N. Gura, H. Eberle, V. Gupta, S.C. Shantz, Energy analysisof public-key cryptography for wireless sensor networks, in:Proceedings of the Third IEEE International Conference onPervasive Computing and Communication, March 2005.

[80] G. Gaubatz, J.P. Kaps, B. Sunar, Public key cryptography insensor networks-revisited, in: Proceedings of First EuropeanWorkshop on Security in Ad-Hoc and Sensor Networks (ESAS’04), 2004.

[81] W. Cheng, K. Xing, X. Cheng, X. Lu, Z. Lu, Route recovery in vertex-disjoint multipath routing for many-to-one sensor networks, in:Proceedings of the Ninth ACM International Symposium on MobileAd hoc Networking and Computing, 2008.

[82] P.P.C. Lee, V. Misra, D. Rubenstein, Distributed algorithms for securemultipath routing in attack-resistant networks, IEEE/ACMTransactions on Networking 15 (6) (2007) 1490–1501.

[83] P.P.C. Lee, V. Misra, D. Rubenstein, Distributed algorithms forsecure multipath routing, in: Proc. IEEE INFOCOM, 2005, pp.1952–1963.

[84] A.V. Goldberg, R.E. Tarjan, A new approach to the maximum-flowproblem, Journal of the ACM (JACM) 35 (4) (1988) 921–940.

[85] L. Georgiadis, P. Georgatsos, K. Floros, S. Sartzetakis,Lexicographically optimal balanced networks, IEEE/ACMTransactions on Networking (TON) 10 (6) (2002) 818–829.

[86] S. Ghosh, A. Gupta, S.V. Pemmaraju, A self-stabilizing algorithm forthe maximum flow problem, Distributed Computing 10 (4) (1997)167–180.

[87] B. Hong, V.K. Prasanna, Distributed adaptive task allocation inheterogeneous computing environments to maximize throughput,in: Proceedings of the 18th International Parallel and DistributedProcessing Symposium (IPDPS 2004), April 2004, pp. 52–61.

[88] L. Chen, J. Leneutre, On multipath routing in multihop wirelessnetworks: security, performance, and their tradeoff, EURASIP Journalon Wireless Communications and Networking (2009).

[89] N. Koblitz, Elliptic curve cryptosystems, Mathematics ofComputation 48 (1987) 203–209.

[90] A. Liu, P. Ning, TinyECC: elliptic curve cryptography for sensornetworks (version 1.0), 2007. <http://discovery.csc.ncsu.edu/software/TinyECC/>.

[91] D.J. Malan, M. Welsh, M.D. Smith, A public-key infrastructure for keydistribution in TinyOS based on elliptic curve cryptography, in:Proceedings of the First IEEE International Conference on Sensor andAd Hoc Communications and Networks, Santa Clara, CA, October,2004.

[92] S. Marti, T. Giuli, K. Lai, M. Baker, Mitigating routing misbehaviorin mobile ad hoc networks, in: Proceedings of the MOBICOM,2000.

[93] Z. Yao, D. Kim, I. Lee, K. Kim, J. Jang, A security framework with trustmanagement for sensor networks, in: Workshop of the FirstInternational Conference on Security and Privacy for EmergingAreas in Communication Networks, 2005, pp. 190–198.

[94] G.V. Crosby, N. Pissinou, J. Gadze, A framework for trust-basedcluster head election in wireless sensor networks, in: Proceedings ofthe Second IEEE Workshop on Dependability and Security in SensorNetworks and Systems, 2006.

[95] K. Liu, N. Abu-Ghazaleh, K. Kang, Location verification and trustmanagement for resilient geographic routing, 67 (2) (2007) 215–228.

[96] S. Tanachaiwiwat, P. Dave, R. Bhindwale, A. Helmy, Securelocations: routing on trust and isolating compromised sensorsin location-aware sensor networks, in: Proceedings of the FirstACM Conference on Embedded Networked Sensor Systems(SenSys), November 2003.

[97] S. Ozdemir, Secure and reliable data aggregation for wireless sensornetworks, in: H. Ichikawa et al. (Eds.), LNCS, vol. 4836, 2007, pp.102–109.

[98] G. Casella, R.L. Berger, Statistical Inference, Duxbury Press, Boston,MA, 1990.

http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-04.txt

http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-04.txt

http://discovery.csc.ncsu.edu/software/TinyECC/

http://discovery.csc.ncsu.edu/software/TinyECC/

ter Networks 54 (2010) 2215–2238

Eliana Stavrou received the B.Sc. and M.Sc.degrees in Computer Science from the Uni-
versity of Cyprus in 2003 and 2006, respec-tively. From 2002 to 2005, she was a researchassociate at the Computer Science depart-ment, University of Cyprus. Between 2006 and2009, she has worked in a number of securityrelated telecommunication R&D projects, forthe private sector, as well projects funded bythe national research promotion foundationbut also FP6 and FP7 funded research projects.She now studies towards a Ph.D. degree at the
Computer Science department, University of Cyprus. Her research inter-ests include network security, security architectures, sensor networks,performance evaluation and protocol design.

2238 E. Stavrou, A. Pitsillides / Compu

Andreas Pitsillides, received his B.Sc. fromthe University of Manchester Institute of Sci-ence and Technology, UMIST (Manchester,UK) in 1980 and his Ph.D. from SwinburneUniversity of Technology (Melbourne, Aus-tralia) in 1993. Spent 6 years in industry and18 years in academia (7 with SwinburneUniversity of Technology, Melbourne, Austra-lia). He is currently a Professor of ComputerScience, University of Cyprus (UCY), serves asChairman of the Cyprus Research and Aca-demic Network (CYNET), and heads the Net-

works Research Lab (NetRL) at UCY. His research interests include fixedand mobile/wireless networks, Internet technologies and their applica-

tion in Mobile e-Services, especially e-health, and security. He has aparticular interest in adapting tools from various fields of applied math-ematics such as control theory, nature inspired techniques, and compu-tational intelligence to solve problems in computer networks. Publishedover 200 referred journal, conference papers and book chapters, he is theco-editor with Petros Ioannou of the book on Modelling and Control ofComplex Systems (CRC Press, ISBN: 978-0-8493-7985-0, 2007), partici-pated in over 30 European Commission and locally funded researchprojects with over 4 million Euro as principal or co-principal investigator,presented invited lectures at major research organisations, short coursesat international conferences and short courses to industry He serves onthe editorial board of the Journal of Computer Networks (COMNET),served on international conferences as, Vice General Chair (WiOpt’07),international co-chair (INFOCOM 2003), general chair (EuroMedNet’981998), technical program chair (MCCS05, ISYC06), and on executivecommittees (e.g. INFOCOM 2001–2003, and ICT98), technical committees,guest co-editor, invited speaker, and as a regular reviewer for conferenceand journal submissions. He is also a member of the International Fed-eration of Automatic Control (IFAC) Technical Committee (TC 1.5) onNetworked Systems, IFAC TC 7.4 on Transportation Systems and the IFIPworking group WG 6.3 (http://www.NetRL.ucy.ac.cy).

http://www.NetRL.ucy.ac.cy

a survey on secure multipath routing protocols in wsns · 2011-09-21 · a survey on secure...

Documents