118 IEEE TRANSACTIONS ON INFORMATION … · 2016-01-04 · 118 IEEE TRANSACTIONS ON INFORMATION...

118 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 1, JANUARY 2015

An Authenticated Trust and Reputation Calculationand Management System for Cloud and

Sensor Networks IntegrationChunsheng Zhu, Student Member, IEEE, Hasen Nicanfar, Student Member, IEEE,

Victor C. M. Leung, Fellow, IEEE, and Laurence T. Yang, Member, IEEE

Abstract— Induced by incorporating the powerful data storageand data processing abilities of cloud computing (CC) as well asubiquitous data gathering capability of wireless sensor networks(WSNs), CC-WSN integration received a lot of attention fromboth academia and industry. However, authentication as well astrust and reputation calculation and management of cloud serviceproviders (CSPs) and sensor network providers (SNPs) are twovery critical and barely explored issues for this new paradigm.To fill the gap, this paper proposes a novel authenticatedtrust and reputation calculation and management (ATRCM)system for CC-WSN integration. Considering the authenticityof CSP and SNP, the attribute requirement of cloud service user(CSU) and CSP, the cost, trust, and reputation of the serviceof CSP and SNP, the proposed ATRCM system achieves thefollowing three functions: 1) authenticating CSP and SNP to avoidmalicious impersonation attacks; 2) calculating and managingtrust and reputation regarding the service of CSP and SNP;and 3) helping CSU choose desirable CSP and assisting CSPin selecting appropriate SNP. Detailed analysis and design aswell as further functionality evaluation results are presented todemonstrate the effectiveness of ATRCM, followed with systemsecurity analysis.

Index Terms— Cloud, sensor networks, integration,authentication, trust, reputation.

I. INTRODUCTION

A. Cloud Computing (CC)

CLOUD computing (CC) is a model to enable convenient,on-demand network access for a shared pool of config-

urable computing resources (e.g., servers, networks, storage,applications, and services) that could be rapidly provisionedand released with minimal management effort or service

Manuscript received February 11, 2014; revised July 8, 2014; acceptedOctober 8, 2014. Date of publication October 27, 2014; date of currentversion December 17, 2014. This work was supported in part by a Four-YearDoctoral Fellowship through The University of British Columbia, Vancouver,BC, Canada, in part by the Natural Sciences and Engineering ResearchCouncil of Canada, and in part by the Institute for Computing, Information,and Cognitive Systems/TELUS People and Planet Friendly Home Initiativethrough The University of British Columbia, Vancouver, BC, Canada, TELUS,and other industry partners. The associate editor coordinating the review ofthis manuscript and approving it for publication was Prof. Nitesh Saxena.

C. Zhu, H. Nicanfar, and V. C. M. Leung are with the Department ofElectrical and Computer Engineering, The University of British Columbia,Vancouver, BC V6T 1Z4, Canada (e-mail: [email protected]; [email protected]; [email protected]).

L. T. Yang is with the Department of Computer Science, St. Francis XavierUniversity, Antigonish, NS B2G 2W5, Canada (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2014.2364679

provider interaction [1]–[4]. CC is featured by that users canelastically utilize the infrastructure (e.g., networks, servers,and storages), platforms (e.g., operating systems and mid-dleware services), and softwares (e.g., application programs)offered by cloud providers in an on-demand manner. Not onlythe operating cost and business risks as well as maintenanceexpenses of service providers can be substantially loweredwith CC, but also the service scale can be expanded on demandand web-based easy access for clients could be providedbenefiting from CC.

B. Wireless Sensor Networks (WSNs)

Furthermore, wireless sensor networks (WSNs) arenetworks consisting of spatially distributed autonomoussensors, which are capable of sensing the physical or envi-ronmental conditions (e.g., temperature, sound, vibration,pressure, motion, etc.) [5]–[7]. WSNs are widely focusedbecause of their great potential in areas of civilian, industryand military (e.g., forest fire detection, industrial processmonitoring, traffic monitoring, battlefield surveillance, etc.),which could change the traditional way for people to interactwith the physical world. For instance, regarding forest firedetection, since sensor nodes can be strategically, randomly,and densely deployed in a forest, the exact origin of a forestfire can be relayed to the end users before the forest fire turnsuncontrollable without the vision of physical fire. In addition,with respect to battlefield surveillance, as sensors are able tobe deployed to continuously monitor the condition of criticalterrains, approach routes, paths and straits in a battlefield, theactivities of the opposing forces can be closely watched bysurveillance center without the involvement of physical scouts.

C. CC-WSN Integration

Induced by incorporating the powerful data storage anddata processing abilities of CC as well as the ubiquitous datagathering capability of WSNs, CC-WSN integration receivedmuch attention from both academic and industrial communi-ties (e.g., [8]–[14]). This integration paradigm is driven by thepotential application scenarios shown in Fig. 1. Specifically,sensor network providers (SNPs) provide the sensory data(e.g., traffic, video, weather, humidity, temperature) collectedby the deployed WSNs to the cloud service providers (CSPs).CSPs utilize the powerful cloud to store and process the

1556-6013 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

ZHU et al.: ATRCM SYSTEM FOR CLOUD AND SENSOR NETWORKS INTEGRATION 119

Fig. 1. Example of application scenarios of CC-WSN integration.

sensory data and then further on demand offer the processedsensory data to the cloud service users (CSUs). Thus CSUs canhave access to their required sensory data with just a simpleclient to access the cloud. In this new paradigm, SNPs are thedata sources for CSPs, and CSUs act as the data requestersfor CSPs.

D. Research Motivation

However, during the CC-WSN integration, the followingtwo very critical and barely explored issues should be takeninto consideration. These two issues not only seriously impedethe CSU from obtaining the desirable service they want fromthe authentic CSP, but also prevent the CSP from obtainingthe satisfied service from the genuine SNP.

I. Authentication of CSPs and SNPs: Malicious attackersmay impersonate authentic CSPs to communicate withCSUs, or fake to be authentic SNPs to communicate withCSPs. Then CSUs and CSPs cannot eventually achieveany service from the fake CSPs and SNPs respectively.In the meantime, the trust and reputation of the genuineCSPs and SNPs are also impaired by these fake CSPsand SNPs.

II. Trust and Reputation Calculation and Management ofCSPs and SNPs: Without trust and reputation calculationand management of CSPs and SNPs, it is easy for CSUto choose a CSP with low trust and reputation. Thenthe service from CSP to CSU fails to be successfullydelivered quite often. Moreover, CSP may easily select anuntrustworthy SNP that delivers the service that the CSP

requests with an unacceptable large latency. Moreover,the untrustworthy SNP probably may only be able toprovide the requested service for a very short time periodunexpectedly.

To the best of our knowledge, there is no research discussingand analyzing the authentication as well as trust and reputationof CSPs and SNPs for CC-WSN integration. Filling this gap,this paper analyzes the authentication of CSPs and SNPs aswell as the trust and reputation about the services of CSPs andSNPs. Further, this paper proposes a novel authenticated trustand reputation calculation and management (ATRCM) sys-tem for CC-WSN integration. Particularly, considering (i) theauthenticity of CSP and SNP; (ii) the attribute requirement ofCSU and CSP; (iii) the cost, trust and reputation of the serviceof CSP and SNP, the proposed ATRCM system achieves thefollowing three functions:

1) Authenticating CSP and SNP to avoid malicious imper-sonation attacks;

2) Calculating and managing trust and reputation regardingthe service of CSP and SNP;

3) Helping CSU choose desirable CSP and assisting CSP inselecting appropriate SNP.

E. Research Contribution and Organization

The main contributions of this paper are summarized asfollows.

• This paper is the first research work exploring the trustand reputation calculation and management system withauthentication for the CC-WSN integration, which clearly


distinguishes the novelty of our work and its scientificimpact on current schemes integrating CC and WSNs.

• This paper further proposes an ATRCM system for theCC-WSN integration. It incorporates authenticating CSPand SNP, and then considers the attribute requirement ofCSU and CSP as well as cost, trust and reputation ofthe service of CSP and SNP, to enable CSU to chooseauthentic and desirable CSP and assists CSP in selectinggenuine and appropriate SNP.

For the rest parts of this paper, Section II introduces therelated work and Section III presents the system model.Authentication about CSP and SNP as well as trust andreputation with respect to the service of CSP and SNP are dis-cussed and analyzed in Section IV. Details about the proposedATRCM system for CC-WSN integration are illustrated inSection V. Evaluation about the ATRCM system functionalityis performed in Section VI and the analysis about the ATRCMsystem security is presented in Section VII. Finally, this paperis concluded in Section VIII.

II. RELATED WORK

In this section, current works about the CC-WSN integrationare reviewed from the following two aspects: (A) Authentica-tion; (B) Trust and reputation.

A. Authentication

There are substantial works regarding authentication incloud (e.g., [15]–[17]). For instance, a user authenticationframework for CC is proposed in [18], aiming at providinguser friendliness, identity management, mutual authenticationand session key agreement between the users and the cloudserver. Paying particular attention to the lightweight of authen-tication since the cloud handles large amounts of data inreal-time, [19] shows a lightweight multi-user authenticationscheme based on cellular automata in cloud environment.Certificate authority based one-time password authenticationis utilized to perform authentication. Supporting anonymousauthentication, a decentralized access control scheme forsecure data storage in clouds is presented in [20]. The pro-posed scheme provides user revocation, prevents replay attacksas well as supports creation, modification and reading datastored in the cloud. Observing the demerits of losing richinformation easily as well as the poor performances resultingfrom the complex inputs of traditional fingerprint recognitionapproaches during user authentication by [21], it introducesa new fingerprint recognition scheme based on a set ofassembled geometric moment and Zernike moment featuresto authenticate users in cloud computing communications.

About authentication in CC-WSN integration, an extensibleand secure cloud architecture model for sensor informationsystem is proposed in [22]. It first describes the compositionand mechanism of the proposed architecture model. Thenit puts forward security mechanism for authenticating legalusers to access sensor data and information services inside thearchitecture, based on a certificate authority based Kerberosprotocol. Finally the prototype deployment and simulationexperiment of the proposed architecture model are introduced.

Focusing also on securing sensor data for sensor-cloud inte-gration systems by [23], a user authentication scheme isproposed by employing the multi-level authentication tech-nique. It authenticates the password in multiple levels forusers to access cloud services so as to improve authenticationlevel by order of magnitude. Concerning the authenticationof the data generated by body sensor networks in [24],it presents, analyzes and validates a practical, lightweightrobust data authentication scheme suitable for cloud-basedhealth-monitoring. The main idea is to utilize a Merkle hashtree to amortise digital signature costs and use network codingto recover strategic nodes within the tree. Experimental tracesof typical operating conditions show that over 99% of themedical data can be authenticated at very low overheads andcost.

To the best of our knowledge, current authenticationschemes in CC-WSN integration only focus on authenticatingusers or data. Different from these schemes, our work concernsthe authentication of CSPs and SNPs, which is an ignored butimportant issue in CC-WSN integration.

B. Trust and Reputation

There are a number of research works with respect to trust orreputation of cloud (e.g., [25]–[27]). For example, focusing onthe trustworthiness of the cloud resources in [28], a frameworkis proposed to evaluate the cloud resources trustworthiness, byutilizing an amor to constantly monitor and assess the cloudenvironment as well as checking the resources the armor pro-tects. For efficient reconfiguration and allocation of cloud com-puting resources to meet various user requests, a trust modelwhich collects and analyzes the reliability of cloud resourcesbased on the historical information of servers is proposedin [29], so that the best available cloud resources to fulfillthe user requests can be prepared in advance. To determinethe credibility of trust feedbacks as well as managing trustfeedbacks in cloud environments, [30] presents a frameworknamed trust as service to improve current trust managements,by introducing an adaptive credibility model to distinguishthe credible and malicious feedbacks. Discussing the cloudaccountability issue in [31], it first uses detective controls toanalyze the key issues to establish a trusted cloud and thengives a trustcloud framework consisted of five abstraction lay-ers, where technical and policy-based approaches are appliedto address accountability.

With respect to trust in the CC-WSN integration, the onlyrelated work is [32] focusing on how trust managementcould be effectively used to enhance the security of a cloud-integrated WSN. Particularly, the security breaches regardingdata generation, data transmission and in-network processingin the WSN integrated with cloud are observed in [32] first.Then it shows some examples that trust can be employed toperform trust-aware data transmission and trust-aware dataprocessing in the integrated WSN as well as trust-awareservices in the cloud.

For the state of the art, there is no trust and reputationcalculation and management system discussing CC-WSNintegration. Our work is the first system calculating and


TABLE I

MAIN NOTATION DEFINITIONS

managing the trust and reputation in the scenario of integratingCC and WSNs and also takes authenticating CSPs and SNPsinto account.

III. SYSTEM MODEL

In this section, our system model is presented as follows,while the main used notations in this paper are summarizedin Table I.

• There are multiple CSUs, CSPs and SNPs. The num-ber of CSU, CSP and SNP are Nu , Nc and Nk ,respectively. C SUSet = {C SU1, C SU2, . . . , C SUNu }.C S PSet = {C S P1, C S P2, . . . , C S PNc }. SN PSet ={SN P1, SN P2, . . . , SN PNk }.

• Each CSU, CSP and SNP have several attributes.Particularly, the data service requested and required by

the CSU owns the following attributes: data servicepay (DSP); data type (DT); data size (DS); data requestspeed (DRS); data service time (DST). The cloud serviceprovided and managed by each CSP has the followingcharacteristics: cloud service charge (CSC); cloud oper-ation cost (COC); sensor network service pay (SNSP);cloud service type (CST); cloud server number (CSN);cloud storage size (CSS); cloud processing speed (CPS);cloud operation time (COT); cloud response time (CRT).The sensor network offered and managed by each SNPis with the following properties: sensor network servicecharge (SNSC); sensor network operation cost (SNOC);sensor type (ST); sensor node number (SNN); sensor net-work coverage (SNC); sensor network throughput (SNT);sensor network lifetime (SNL); sensor network responsetime (SNRT).

• There is a trust value (i.e., Tcu) of each service from eachCSP to each CSU and there is a trust value (i.e., Tkc) ofeach service from each SNP to each CSP. In addition,there is a reputation value (i.e., Rc) of each serviceprovided by each CSP and there is a reputation value(i.e., Rk) of each service provided by each SNP.

• Each CSU owns a minimum acceptable trust value(i.e., Tscu) of each service from each CSP to the CSU.Moreover, each CSP has a minimum acceptable trustvalue (i.e., Tskc) of each service from each SNP to theCSP. Similarly, each CSU owns a minimum acceptablereputation value (i.e., Rsc) with respect to each serviceof each CSP. And each CSP has a minimum acceptablereputation value (i.e., Rsk) in terms of each service ofeach SNP.

• There is a cost difference (i.e., Cc) between the CSCof CSP and DSP of CSU for each service, i.e.,Cc = CSC − DSP.

• There is a cost difference (i.e., Ck) between the SNSCof SNP and SNSP of CSP for each service, i.e.,Ck = SNSC − SNSP.

• Each CSU owns an acceptable range (i.e., Cbc) about Cc.In addition, each CSP owns an acceptable range (i.e., Cbk)about Ck . The interval of Cbc and Cbk are |Cbc| and |Cbk|,respectively.

• Each CSU has three weights (i.e., αc, βc and γc) in termsof the importance of Cc, Tcu and Rc, while αc + βc +γc = 1. Similarly, each CSP owns three weights(i.e., αk , βk , γk) about the importance of Ck , Tkc andRk , while αk + βk + γk = 1.

IV. AUTHENTICATION OF CSP AND SNP AS WELL AS

TRUST AND REPUTATION OF SERVICE OF CSP AND SNP

In this section, we first discuss the authentication of CSPand SNP. With that, we give some preliminaries about servicelevel agreement (SLA) and privacy level agreement (PLA),followed with the preliminaries of trust and reputation andthe preliminaries of trusted center entity (TCE). Finally, wediscuss and analyze the trust and reputation with respect tothe service of CSP and SNP respectively.


A. Authentication of CSP and SNP

In this paper, as the key of our work is to enableCSU to choose the authentic and desirable CSP as wellas assist CSP in selecting genuine and appropriate SNP,we focus on the authentication of CSP and SNP ratherthan the authentication of CSU. Specifically, the CSPneeds to prove its authenticity to CSU and SNP hasto show its authenticity to CSP. Here, ISO/IEC 27001certification [33], [34] is applied to authenticate CSP andSNP, as it is an internationally recognized information securitymanagement system (ISMS) standard by the InternationalOrganization for Standardization (ISO) and the InternationalElectrotechnical Commission (IEC). It requires that theinformation management of an organization (e.g., CSP orSNP) meets (i) the organization’s information security risks aresystematically examined; (ii) a coherent and comprehensivesuite of information security controls is designed andimplemented to solve those risks that are deemedunacceptable; (iii) an overarching management processis adopted to ensure that the information security controlscontinue to satisfy the organization’s information securityneeds on an ongoing basis. Particularly, it provides confidenceand assurance to trading clients of the organization, as thesecurity status of the organization is audited to be qualified,by issuing a certificate with the ISO/IEC 27001 certification.After CSP and SNP are certificated with ISO/IEC 27001,they obtain the certificates (i.e., ctc and ctk) respectively.

B. Preliminaries of SLA and PLA

An SLA [35], [36] is a negotiated agreement betweentwo or more parties, in which one is the customer and theothers are service providers. In short, it is a part of a servicecontract, in which a service is formally defined. SLA specifiesthe levels of availability, serviceability, performance, operationand other attributes of the service. Usually, an SLA addressesthe following segments about a service: definition, perfor-mance measurement, problem management, duties, warranties,termination. The subject of SLA is the result of the servicereceived by the customer.

An PLA [37] is an agreement to describe the level of privacyprotection that the CSP will maintain. Thus it is an appendix tothe SLA between CSU and CSP. The SLA between CSU andCSP provides specific parameters and minimum levels on otherperformance (e.g., cloud processing speed, cloud operationtime) of the cloud service, while PLA addresses informationprivacy and personal data protection issues about the cloudservice.

C. Preliminaries of Trust and Reputation

Defined by Merriam Webster’s Dictionary, trust is “assuredreliance on the character, ability, strength or truth of someoneor something” and reputation is “overall quality or char-acter as seen or judged by people in general”. However,trust and reputation are multidisciplinary concepts withdifferent definitions and evaluations in various fields(e.g., psychology, sociology, economics, philosophy, wireless

networks) [38]–[40]. For example, in the scenario of wirelesscommunications, “Trust of a node A in a node B is thesubjective expectation of node A receiving positive outcomesfrom the interaction with node B in a specific context”.Also, “Reputation is the global perception of a node’strustworthiness in a network”.

Generally, to evaluate trust from an entity (e.g., A or trustor)to another entity (e.g., B or trustee), A needs to gather evi-dence (e.g., honest, selfish, malicious behaviors), representingthe satisfaction, about B either through direct interaction orinformation provided by third-parties [38]–[40]. With that,trustor (A) maps the gathered information from the evidencespace to the trust space through a predefined mapping functionand an aggregation function to obtain the trustworthiness valueof trustee (B). Specifically, the trustworthiness obtained bymapping evidences from direct interaction is known as directtrust, while the trustworthiness achieved through mappingevidences from third-parties is indirect trust. Furthermore,a trustor can bring into account recent trust, which reflects onlythe recent behaviors, as well as historical trust, which is builtfrom the past experiences and it reflects long-term behavioralpattern. For instance, using indirect trust and historical trusthelps trustor to protect trust evaluation (and trust systemin general) from attacks such as good mouthing and badmouthing, or sudden selfishness of a trustee. More discussionabout these terms and definitions can be found in ourreferences, for instance in [41]. In addition, to evaluate reputa-tion about a trustee (e.g., B), the aggregated trust opinion of agroup of entities are usually taken to represent the reputationvalue [42], [43].

A widely used way to map the observed informationfrom the evidence space to the trust space is the betadistribution [44]–[46] illustrated as follows. Let s and frepresent the (collective) amount of positive and negativefeedbacks in the evidence space about target entity, thenthe trustworthiness t of a subject node is then computedas t = s+1

f +s+2 .

D. Preliminaries of TCE

In this paper, based on the five main roles (e.g., cloudcustomer, cloud provider, cloud broker, cloud auditor andcloud carrier) in CC [47], we assume that the role of the cloudauditor is assigned to TCE. Furthermore, we assume that TCEconsists of multiple entities in various locations with a sharedand secured database, e.g., in a data center. Specifically, theduties of TCE are introduced as follows.

Duty 1) Receiving the copies of signed SLAs and PLAs fromCSUs, CSPs and SNPs.

Duty 2) Receiving the feedbacks from CSUs about the ser-vices of CSPs and receiving the feedbacks from CSPsabout the services of SNPs, based on signed SLAsand PLAs.

Duty 3) Auditing whether received copies are genuine as wellas auditing whether received feedbacks that are tobe utilized to calculate Tcu , Tkc, Rc and Rk aregenuine, by security audit, privacy impact audit andperformance audit, and etc. [48].


Duty 4) Calculating and managing (i.e. storing and updating)Tcu , Tkc , Rc and Rk , with the genuine historicalfeedbacks received from CSUs about the services ofCSPs and the genuine historical feedbacks from CSPsabout the services of SNPs based on genuinely signedSLAs and PLAs.

Duty 5) Replying Tcu , Tkc, Rc and Rk values if these valuesare requested by CSUs or CSPs.

Duty 6) Auditing whether the Tcu , Tkc, Rc and Rk valuesreceived by CSUs and CSPs are genuine, by securityauditing, privacy impact auditing and performanceauditing, and etc. [48].

Duty 7) Monitoring the process of the proposed ATRCMsystem to detect misbehaviors of CSUs, CSPs orSNPs that affect the process of ATRCM.

E. Trust of Service of CSP

From Fig. 1, we can obtain that the fulfillment of ser-vice of CSP needs to receive and store the raw sensorydata from SNP first. Then CSP processes the raw sensorydata and stores the processed sensory data. Finally, CSPtransmits the processed sensory data to CSU on demand.In this process, there are various types of trust (e.g., clouddata storage trust, cloud data processing trust, cloud dataprivacy trust, cloud data transmission trust) which mightconcern the CSU to choose the service of CSP. Furthermore,for various CSUs, the types of trust that they concern aredifferent.

In this paper, we assume that the following three types oftrust about CSP concern the CSU to choose the service of CSPand we further show how they are calculated.

i) Cloud Data Processing Trust: This trust is related towhether cloud processes the raw sensory data with error.TCE has a database which dynamically stores thenon-error number (i.e., Sc1) and error number (i.e., Fc1)of data processing of each service from CSP to the CSUin the history, with the feedbacks about the historicalSLAs regarding the service. The trust value of clouddata processing trust (i.e., Tc1) is calculated by TCE viaequation (1).

Tc1 = Sc1 + 1

Fc1 + Sc1 + 2(1)

ii) Cloud Data Privacy Trust: This trust is about whether thesensory data stored on cloud can be accessed by others.Based on the feedbacks about previous PLAs regardingthe service, assume the number that the sensory dataaccessed by others with respect to each service from CSPto CSU in the history stored on TCE database is Fc2.As CSU is generally sensitive about the data privacy,the trust value of cloud data privacy trust (i.e., Tc2) ispresented by TCE through equation (2).

Tc2 ={

1, Fc2 = 0

0, Fc2 > 0(2)

iii) Cloud Data Transmission Trust: This trust is with respectto whether the data transmission from CSP to CSU

is successful. Using the feedbacks of previous SLAsregarding the service, with the success number (i.e., Sc3)and failure number (i.e., Fc3) of data transmission of eachservice from CSP to the CSU in the history on TCEdatabase, the cloud data transmission trust (i.e., Tc3) isshown by TCE as per equation (3).

Tc3 = Sc3 + 1

Fc3 + Sc3 + 2(3)

In summary, with respect to Tcu value calculation, thetrust value Tcu of each service from CSP to CSU is cal-culated by TCE with a combination function (i.e. C F) ofthree-dimensional trust (i.e., cloud data processing trust, clouddata privacy trust and cloud data transmission trust), as perequation (4).

Tcu = C F(Tc1, Tc2, Tc3) (4)

Specifically, about C F , there are many different ways tocombine multi-dimensional trust. For example, a probabilistictrust model based on the Dirichlet distribution to combinemulti-dimensional trust is shown in [49], by estimating theprobability that each contract dimension will be successfullyfulfilled as well as the correlations between these estimates.In addition, an MeTrust model is presented in [50], enablingeach user to choose a dimension as a primary dimensionand put different weights on different dimensions for trustcalculation.

In this paper, we assume that these three types of trust(i.e., cloud data processing trust, cloud data privacy trust andcloud data transmission trust) are considered with equal weightand then the minimum trust value in these three trust valuesis taken as Tcu , through equation (5).

Tcu = Minimum{Tc1, Tc2, Tc3} (5)

F. Reputation of Service of CSP

In this paper, based on the feedbacks of previous SLAsabout the service, we assume that if the CSU chose the serviceof the CSP, then it means that the CSU somehow trusted thatCSP and decided to use the service of the CSP. Let us assumethat the number of CSUs that chose the service of the CSPis C Nc and the number of CSUs that needed the service toreceive from a CSP is N ′

u (N ′u ≤ Nu ). Then the reputation

value (i.e., Rc) of the service of the CSU is calculated byTCE following [42], [43] via equation (6).

Rc = C Nc

N ′u

(6)

G. Trust of Service of SNP

Based on Fig. 1, we can also observe that the service of SNPrequires the sensor nodes to be deployed first and then sense,store and process data to achieve data collection. At last, thecollected sensory data are transmitted from SNP to the CSP.

Similarly, in this paper, we assume that the following fourkinds of trust about SNP consist of the trust of service of SNPin the above process.


TABLE II

AUTHENTICATION FLOWCHART OF CSP AND SNP

i) Sensor Data Collection Trust: This trust concerns whetherthe sensor network collects the required sensory data witherror. Utilizing the feedbacks of previous SLAs regardingeach service, given that the non-error number and errornumber of data collection of each service from SNP toCSP in the history on the TCE database are Sk1 and Fk1,respectively. The trust value of sensor data collection trust(i.e., Tk1) is calculated by TCE as follows.

Tk1 = Sk1 + 1

Fk1 + Sk1 + 2(7)

ii) Sensor Network Lifetime Trust: This trust aims to analyzewhether the lifetime of the real deployed sensor networkmatches the sensor network lifetime the SNP demon-strates, as energy consumption is the primary concern ofsensor network. Assume that the matching number andnon-matching number of the sensor network lifetime ofeach service from SNP to CSP in the history recorded byTCE are Sk2 and Fk2 respectively, with the feedbacks ofhistorial SLAs regarding each service. The sensor networklifetime trust (i.e., Tk2) is shown by TCE as follows.

Tk2 = Sk2 + 1

Fk2 + Sk2 + 2(8)

iii) Sensor Network Response Time Trust: This trustresearches whether the response time of the real deployedsensor network matches the sensor network response timethe SNP demonstrates, since the response time of sensornetwork is with quite uncertainty due to various factors(e.g., sensor dies, bad weather). TCE records the matchingnumber (i.e., Sk3) and non-matching number (i.e., Fk2)of the sensor network response time of each service fromSNP to CSP in the history with feedbacks about previousSLAs. The sensor network response time trust (i.e., Tk3)is obtained by TCE as follows.

Tk3 = Sk3 + 1

Fk3 + Sk3 + 2(9)

iv) Sensor Data Transmission Trust: This trust cares whetherthe data transmission from SNP to CSP is success-ful or not. TCE owns a database which dynamicallystores the success number (i.e., Sk4) and failure number(i.e., Fk4) of data transmission of each service from SNPto the CSP in the history, based on the feedbacks ofprevious SLAs regarding each service. The sensor datatransmission trust value (i.e., Tk4) is presented by TCE asfollows.

Tk4 = Sk4 + 1

Fk4 + Sk4 + 2(10)

In summary, concerning Tkc value calculation, we alsoassume that these four types of trust (i.e., sensor data collectiontrust, sensor network lifetime trust, sensor network responsetime trust and sensor data transmission trust) are consideredequally and the minimum value of these four trust values istaken as the trust value Tkc of the service from SNP to CSP,calculated by TCE as follows:

Tkc = Minimum{Tk1, Tk2, Tk3, Tk4} (11)

H. Reputation of Service of SNP

About Rk value calculation, with the feedbacks of previousSLAs about the service, given that if the CSP chose theservice of an SNP, then it also means that the CSP somehowtrusted the SNP and decided to use the service of the SNP.Further, denote that the number of CSPs that chose the serviceof the SNP is C Nc and the number of CSPs that requiredthe service to receive from a SNP is N ′

c (N ′c ≤ Nc), the

reputation value of the service of the SNP is calculated byTCE following [42], [43] as follows.

Rk = C Nk

N ′c

. (12)

V. PROPOSED AUTHENTICATED TRUST AND

REPUTATION CALCULATION AND

MANAGEMENT (ATRCM) SYSTEM

A. System Overview

The proposed authenticated trust and reputation calculationand management (ATRCM) system is introduced from thefollowing three parts:

Part 1) Authentication flowchart of CSP and SNP;Part 2) Trust and reputation calculation and management

flowchart between CSU and CSPs;Part 3) Trust and reputation calculation and management

flowchart between CSP and SNPs.

Specifically, Part 1) shown in Table II aims at identityauthentication of CSP and SNP to avoid malicious imper-sonation attacks, based on the certificate of ISO/IEC 27001certification [33], [34] illustrated in Section IV. In addition,Part 2) and Part 3) are presented in Table III and Table IV focuson (i) calculation and management of trust and reputationwith respect to the service of CSP and SNP as well as(ii) helping the CSU choose desirable CSP and assisting theCSP in selecting appropriate SNP, considering the attributerequirement of CSU and CSP as well as cost, trust andreputation of the service of CSP and SNP.


TABLE III

TRUST AND REPUTATION CALCULATION AND MANAGEMENT FLOWCHART BETWEEN CSU AND CSPS

TABLE IV

TRUST AND REPUTATION CALCULATION AND MANAGEMENT FLOWCHART BETWEEN CSP AND SNPS

B. Authentication Flowchart of CSP and SNP

Step 1: CSPs provide the certificate ctc to CSU and CSUchecks whether the signature of the certificate is validand whether the certificate is revoked. CSU filters theCSPs that are not qualified.

Step 2: SNPs offer the certificate ctk to CSP and CSP checkswhether the signature of the certificate is valid andwhether the certificate is revoked. CSP filters theSNPs that are not qualified.

C. Trust and Reputation Calculation and ManagementFlowchart Between CSU and CSPs

Step 1: CSU checks whether the characteristics of CSPssatisfy the attribute requirement of CSU. Filter theCSPs that are not satisfied.⎧⎪⎪⎪⎨

⎪⎪⎪⎩C ST ⊇ DT

C SS ≥ DS

C PS ≥ DRS

C OT ≥ DST

(13)

Step 2: CSU issues requests to TCE and achieves theTcu value of the service from CSP to the CSU. CSUchecks whether the Tcu value is greater than or equalto the Tscu value. Filter the CSPs that are not satisfied.

Tcu ≥ Tscu (14)

Step 3: CSU issues requests to TCE and achieves the Rc valueof the service offered by the CSP. CSU checkswhether the Rc value is greater than or equal to theRsc value. Filter the CSPs that are not satisfied.

Rc ≥ Rsc (15)

Step 4: CSU calculates the Cc value between CSC of CSPand DSP of CSU and checks whether the Cc value

is within the Cbc range. Filter the CSPs that are notsatisfied.

Cc ∈ Cbc (16)

Step 5: CSU checks whether ctc is revoked and chooses theservice offered by the CSP with the maximum Mc

and informs TCE about signed SLA or PLA.

Mc = −αc · Cc

|Cbc| + βc · Tcu + γc · Rc (17)

Step 6: CSU checks whether ctc is revoked before using theservice from the CSP. CSU sends feedbacks aboutthe service of the CSP to TCE based on PLA andSLA after the termination of service. TCE stores andupdates the Tcu value as well as the Rc value with theequations illustrated in Section IV.

D. Trust and Reputation Calculation and ManagementFlowchart Between CSP and SNPs

Step 1: CSP checks whether the characteristics of SNPssatisfy the attribute requirement of CSP. CSP alsochecks whether the characteristics of SNP satisfy theattribute requirement of CSU. Filter the SNPs that arenot satisfied. ⎧⎪⎪⎪⎨

⎪⎪⎪⎩ST ⊇ DT

SNC ⊇ DS

SNT ≥ DRS

SN L ≥ DST

(18)

⎧⎪⎪⎪⎨⎪⎪⎪⎩

C ST ⊇ ST

C SS ≥ SNC

C PS ≥ SNT

C OT ≥ SN L

(19)

Step 2: CSP issues requests to TCE and receives the Tkc valueof the service from SNP to the CSP. CSP checks


whether the Tkc value is more than or equal to theTskc value. Filter the SNPs that are not satisfied.

Tkc ≥ Tskc (20)

Step 3: CSP issues requests to TCE and receives the Rk valueof the service offered by the SNP. CSP checks whetherthe Rk value is more than or equal to the Rsk value.Filter the SNPs that are not satisfied.

Rk ≥ Rsk (21)

Step 4: CSP calculates the Ck value between SNSC of SNPand SNSP of CSP and checks whether the Ck valueis within the Cbk range. Filter the SNPs that are notsatisfied.

Ck ∈ Cbk (22)

Step 5: CSP checks whether ctk is revoked and choosesthe service offered by the SNP with the maximumMk and informs TCE about signed SLA or PLA.

Mk = −αk · Ck

|Cbk | + βk · Tkc + γk · Rk (23)

Step 6: CSP checks whether ctk is revoked before utilizingthe service of the SNP. After the end of service, CSPsends feedbacks about the service of SNP to TCEbased on SLA and PLA. TCE stores and updatesthe Tkc value and the Rk value with the equationspresented in Section IV.

Note: In the aforementioned steps, during the utilizationof the service, the ctc of the chosen CSP or the ctk of theselected SNP may still be revoked. Furthermore, the Tcu orthe Rc of the service of the chosen CSP may be lowerthan Tscu or Rsc, respectively. Similarly, the Tkc or the Rk

of the service of the selected SNP is possible to be lowerthan Tskc or Rsk respectively. In such cases, the systemflowcharts are performed again to enable the CSU to choosea new CSP or make the CSP select a new SNP. In addition,although the check of ctc, Tcu and Rc is the duty of CSUas well as the check of ctk , Tkc and Rk is the duty of CSP,TCE can support these duties for CSU and CSP as well ifnecessary.

VI. EVALUATION OF SYSTEM FUNCTIONALITY

In this section, we evaluate whether our proposed ATRCMsystem can fulfill the predetermined functions: 1) authenticat-ing CSP and SNP to avoid malicious impersonation attacks;2) calculating and managing trust and reputation regarding theservice of CSP and SNP; 3) helping CSU choose desirableCSP and assisting CSP in selecting appropriate SNP, basedon (i) the authenticity of CSP and SNP; (ii) the attributerequirement of CSU and CSP as well as (iii) the cost, trustand reputation of the service of CSP and SNP.

A. Evaluation Setup

To perform the evaluation, all the three aimed functionsare analyzed based on the flowcharts and processes of the

corresponding functions. Particularly, the third function is eval-uated utilizing two representative case studies to demonstratethe effectiveness of ATRCM. Case study 1 involves a smallquantities of CSUs, CSPs and SNPs, while case study 2involves a large number of CSUs, CSPs and SNPs. Theevaluation processes of the third function shown in these twocase studies are universal for CSUs, CSPs and SNPs with otherattributes and parameters.

B. Evaluation Results

1) Authenticating CSP and SNP: With respect to theauthentication of CSP and SNP, Part 1) authenticationflowchart of CSP and SNP shown in Section V presents thedetailed steps.

Based on the flowchart, we can observe that if a maliciousattacker impersonates the authentic CSP or authentic SNP,then it needs to own the ctc certificate or the ctk certificatefirst. If it cannot provide a certificate, then it is not a genuineorganization. In addition, even if the malicious attacker furthera) offers a fake certificate (e.g., f ctc or f ctk) or b) providesa real but revoked certificate (e.g., rctc or rctk), it still cannotlaunch the impersonation attacks, since CSU and CSP checkwhether the signature of the certificate is valid and whetherthe certificate is revoked.

Thus, we can achieve that our proposed ATRCM system isable to prevent malicious impersonation attacks, by enforcingthe CSP or SNP providing a valid certificate. Meanwhile, asthe valid certificate of CSP and SNP are obtained throughISO/IEC 27001 certification, the CSU will start trading withCSP and CSP will begin trading with SNP, with moreconfidence and assurance.

2) Calculating and Managing Trust and Reputation ofService of CSP and SNP: For the calculation and managementof trust and reputation with respect to the service of the CSPand SNP, the detailed processes are illustrated in Section IV.

Particularly, calculation and management of trust regardingthe service of the CSP are based on cloud data processingtrust (i.e., Tc1 shown in equation (1)), cloud data privacy trust(i.e., Tc2 shown in equation (2)) and cloud data transmissiontrust (i.e., Tc3 shown in equation (3)). The minimum value ofTc1, Tc2 and Tc3 is the trust value of the service of the CSP.Moreover, the history that CSUs chose the service of the CSPand the history that CSUs needed the service to receive from aCSP are utilized to calculate and manage the reputation aboutthe service of the CSP (i.e., Rc shown in equation (6)).

Furthermore, calculating and managing the trust of theservice of the SNP take sensor data collection trust (i.e., Tk1presented in equation (7)), sensor network lifetime trust(Tk2 presented in equation (8)), sensor network response timetrust (i.e., Tk3 presented in equation (9)) as well as sensordata transmission trust (i.e., Tk4 presented in equation (10))into account. The trust value of the service of the SNP isthe minimum value of Tk1, Tk2, Tk3 and Tk4. Finally, thecalculation and management of the reputation of the serviceof the SNP (i.e., Rk presented in equation (12)) are based onthe history that CSPs selected the service of the SNP and thehistory that CSPs required the service to receive from a SNP.


TABLE V

PARAMETERS OF CSUs AND QUALIFIED CSPs

TABLE VI

PARAMETERS OF QUALIFIED CSPs AND SNPS

From the above analysis, we can obtain that the proposedARTCM system is capable of calculating and managing thetrust and reputation about the service of CSP and SNP.

3) Helping CSU Choose Desirable CSP and Assisting CSPin Selecting Appropriate SNP: Regarding helping CSU tochoose desirable CSP as well as assisting CSP in selectingappropriate SNP, Part 2) Trust and reputation calculationand management flowchart between CSU and CSPs andPart 3) Trust and reputation calculation and managementflowchart between CSP and SNPs shown in Section V, presentthe detailed mechanisms to validate our demonstration.Specifically, from equation (17) and equation (23), we can seethat the cost and trust as well as the reputation of the serviceof CSP and SNP are utilized for CSU and CSP to make thecorresponding choice.

Case Study 1: In the following sample case study, there arethree CSUs, four CSPs and five SNPs. With the filter processof the Step 1 of Part 2) and Part 3), we assume that one CSPand two SNPs are filtered out as their attributes do not satisfythe requirements. Then there are three CSUs, three CSPs andthree SNPs, in which all characteristics of CSPs satisfy theattribute requirement of CSUs and all characteristics of SNPssatisfy the attribute requirement of CSPs.

In the following, Table V shows the detailed parameterswith respect to CSUs and qualified CSPs about Cc, Tcu ,Rc, Cbc, Tscu and Rsc, which will be used from Step 2to Step 5 of Part 2). And table VI presents the detailedparameters regarding qualified CSPs and SNPs, that will beutilized from Step 2 to Step 5 of Part 3) about Ck , Tkc, Rk ,Cbk , Tskc and Rsk . Moreover, two typical weight sets aboutαc, βc, γc as well as αk , βk and γk are used to validatethe effectiveness. In weight set 1, CSUs and CSPs take Cc,Tcu and Rc all into account. For weight set 2, CSUs and CSPsonly consider one of Ck , Tkc and Rk .

TABLE VII

WEIGHT SET 1 OF CSUs AND CORRESPONDING CHOICES

TABLE VIII

WEIGHT SET 1 OF QUALIFIED CSPs AND

CORRESPONDING CHOICES

TABLE IX

WEIGHT SET 2 OF CSUs AND CORRESPONDING CHOICES

TABLE X

WEIGHT SET 2 OF QUALIFIED CSPs AND

CORRESPONDING CHOICES

Weight set 1 of CSUs and the corresponding choices withrespect to CSPs are shown in Table VII. Meanwhile, weightset 1 of qualified CSPs and the corresponding choices withrespect to SNPs are shown in Table VIII. With equation (17)and equation (23), we can get that C SU1, C SU2 and C SU3all choose C S P3 as shown in Table VII. In addition, C S P1,C S P2 and C S P3 all select SN P1 as presented in Table VIII.

Furthermore, Table IX and Table X present weight set 2 ofCSUs and the corresponding choices with respect to CSPs aswell as weight set 2 of qualified CSPs and the correspondingchoices with respect to SNPs, respectively. Similarly, based onequation (17) and equation (23), we can obtain that C SU1 andC SU2 select C S P3 while C SU3 chooses C S P1 as presentedin Table IX. Meanwhile, C S P1 chooses SN P3 while C S P2and C S P3 both select SN P1 as shown in Table X.

Case Study 2: In the following sample case study, thereare one hundred CSUs, one hundred and fifty CSPs andtwo hundred SNPs. With the filter process of the Step 1 ofPart 2) and Part 3), we suppose that fifty CSPs and one hundredSNPs are filtered out as their characteristics are not satisfied.Then there are one hundred CSUs, one hundred CSPs andone hundred SNPs, in which all characteristics of CSPs satisfythe attribute requirement of CSUs and all characteristics ofSNPs satisfy the attribute requirement of CSPs.

In the following, the detailed parameters with respect toCSUs and qualified CSPs about Cc, Tcu , Rc, Cbc, Tscu andRsc are randomly initialized and they will be utilized fromStep 2 to Step 5 of Part 2). Similarly, the detailed parametersabout qualified CSPs and SNPs are randomly initialized and


Fig. 2. Different weight set for a CSU and Corresponding Choice About CSP.

Fig. 3. Different weight set for a qualified CSP and corresponding choiceabout SNP.

they will be used from Step 2 to Step 5 of Part 3) about Ck ,Tkc, Rk , Cbk , Tskc and Rsk . In addition, one hundred differentweight sets about αc, βc, γc as well as αk , βk and γk arerandomly initialized to validate the effectiveness.

Different weight sets for a CSU and the correspondingchoices regarding CSPs are shown in Fig. 2. Meanwhile,different weight sets for a qualified CSP and the corre-sponding choices regarding SNPs are shown in Fig. 3. Withequation (17) and equation (23), we can get that the C SUcan choose C S P and C S P can choose SN P as shown inFig. 2 and Fig. 3, respectively.

4) Summary: From the above evaluation results, we canobserve that our proposed ATRCM system is indeed ableto assist the CSU in selecting authentic and desirable CSPas well as help CSP choose authentic and appropriate SNP,considering (i) the authenticity of CSP and SNP and (ii) theattribute requirement of CSU and CSP as well as (iii) the cost,trust and reputation of the service of CSP and SNP.

Moreover, we can deduce that different weight sets do notalways change the corresponding results for CSU to chooseCSP, by comparing the weight sets and corresponding choicesabout CSPs in Table VII with that in Table IX and observingthe corresponding choices about CSPs with different weightsets shown in Fig. 2. Similarly, the corresponding choices forCSP to select SNP are not always be affected by changingweight sets, comparing the weight sets and correspondingchoices about SNPs in Table VIII with that in Table X andobserving the corresponding choices about SNPs with differentweight sets presented in Fig. 3.

VII. ANALYSIS OF SYSTEM SECURITY

In this section, we analyze our proposed ATRCM systemfrom the view of security by providing a few adversary models,in which we follow Dolev-Yao approach [51]. Particularly,we analyze whether ATRCM is immune to the followingfour attacks [52], [53] (i.e., good mouthing attack, badmouthing attack, collusion attack and white-washing attack).

A. First Adversary Model: Good Mouthing andBad Mouthing Attacks

1) Mechanism: The adversary (e.g., a malicious CSU ora malicious CSP) provides a malicious feedback about itsexperience with another party (a CSP or a SNP). Forexample, a malicious CSU provides a malicious feedbackabout its experience with a CSP or a malicious CSP providesa malicious feedback about its experience with a SNP, even ifthe experience actually does not exist. The feedback could bewrong positive feedback (i.e., good mouthing attack) or wrongnegative feedback (i.e., bad mouthing attack).

2) Initial Capability: The adversary knows the operationalmechanism of ATRCM system and is free to produce wrongfeedbacks about any service of any CSP or any SNP.

3) Capability During the Attack: During the attack, theadversary is able to send feedbacks periodically to the TCEabout the experience via a secure communication.

4) Discussion: The good mouthing and bad mouthing attackcannot maliciously subvert the trust or reputation value as theadversary wishes, because of the following:

• False feedbacks from the adversary to the TCE will notbe utilized to calculate the trust or reputation value, aswhether the feedbacks received by TCE are genuine areaudited by TCE.

• The trust and reputation of a CSP or a SNP on providing aservice are largely dependent on the historical feedbacksof previous SLAs or PLAs about the service, meaningthat the historical trust values can effectively maintainthe trust or reputation.


B. Second Adversary Model: Collusion Attack

1) Mechanism: The adversaries (i.e., malicious CSUs ormalicious CSPs or malicious SNPs) collude other partiesmutually (e.g., a malicious CSU collude a malicious CSP ora malicious CSP collude a malicious SNP) and participate inevents that generate real positive feedbacks for the colludingparticipants.

2) Initial Capability: The adversaries know about the oper-ational mechanism of ATRCM system and they are free tocollude any CSP or any SNP mutually.

3) Capability During the Attack: During the attack, theadversaries are able to to change their colluding partiesdynamically, without noticing TCE.

4) Discussion: From [54], since the colluders are synthesiz-ing events that create verifiable feedbacks between CSUs andCSPs or between CSPs and SNPs in a collective way, they areable to improve their trust and reputation values faster than thehonest participants or counter the effects of possible negativefeedbacks. Thus, it is hard to mitigate the collusion attack,without detecting and reacting to the groups of colluders whointeract exclusively with each other, while discovering thesecolluders that are formulated as discovering a clique of acertain size within a graph is known to be NP-complete andonly heuristic-based solutions have been proposed.

On the other hand, to launch the collusion attack, sinceTCE is supposed to be informed about the signed SLAs orPLAs and TCE is capable of monitoring the process of system(i.e., TCE has the role of the cloud auditor), TCE should sensethe service delivery at the minimum. Therefore, in case ofthis attack, the colluding participants should initially reportdummy SLAs or PLAs to TCE followed by bogus feedbacks,and then do not actually deliver the service. However, if theservice delivery is not actually performed, TCE will detectthis. Thus, TCE can detect this attack and further filter out thebogus feedbacks.

Note: In case of the first and second adversary models,since in the trust and reputation management systempunishment is a normal action after finding a malicious entity,the TCE punishes the attacker. For instance, the TCE can filterout the feedbacks initiated by an adversary after finding anattack lunched by the adversary. Then, the TCE can decreasethe services provided to the adversary to punish the adversary.Therefore, these attacks are costly for the adversary and thehigh cost can prevent the adversary to perform the attacks.

C. Third Adversary Model: White-Washing Attack

1) Mechanism: The adversary (e.g., a malicious CSP or amalicious SNP) resets a poor trust or reputation, by rejoiningthe system with a new identity and a fresh trust or reputation.

2) Initial Capability: The adversary knows the operationalmechanism of ATRCM system, and is free to re-enter thesystem at any time with a new identity and a fresh trust orreputation.

3) Capability During the Attack: During the attack, theadversary is able to switch their identities dynamically, withoutinforming TCE.

4) Discussion: The white-washing attack cannot misleadthe honest customers by resetting a poor trust or reputationas the adversary wishes, because of the following:

• In case of a malicious CSU, the adversary can rejoin thesystem only to lunch other attacks such as bad mouthingattack. However, since the trust and reputation evaluationof CSU is not within our system targets, rejoining thesystem does not affect the trust or reputation value ofthe CSU. In fact, these two values are not utilized byATRCM system.

• When a malicious CSP or a malicious SNP rejoins thesystem as a new identity, it needs to be authenticatedby the CSU or the CSP based on the ISO/IEC 27001certification, then the CSU or the CSP will know itsoriginal identity and rejoining purpose.

• The trust and reputation are different in the ATRCMsystem in terms of newcomers and participants that haveshown good behaviors for a long time. Thus, it is hard tocheat the honest customers by letting them easily choosenewcomers.

• Finally, even if the adversary resets its negative trustvalue and restarts as a fresh entity, in return the adversaryloses its reputation completely (as per equation (6) andequation (12)). Furthermore, the reputation is a positivevalue all the time, and resetting it puts the adversary ina vulnerable and risky position of not being selected byany customer for a long time (as per equation (17) andequation (23)).

VIII. CONCLUSION

In this paper, we advancingly explored the authenticationas well as trust and reputation calculation and managementof CSPs and SNPs, which are two very critical and barelyexplored issues with respect to CC and WSNs integration.Further, we proposed a novel ATRCM system for CC-WSNintegration. Discussion and analysis about the authenticationof CSP and SNP as well as the trust and reputation with respectto the service provided by CSP and SNP have been presented,followed with detailed design and functionality evaluationabout the proposed ATRCM system. All these demonstratedthat the proposed ATRCM system achieves the following threefunctions for CC-WSN integration: 1) authenticating CSP andSNP to avoid malicious impersonation attacks; 2) calculat-ing and managing trust and reputation regarding the serviceof CSP and SNP; 3) helping CSU choose desirable CSP andassisting CSP in selecting appropriate SNP, based on (i) theauthenticity of CSP and SNP; (ii) the attribute requirementof CSU and CSP; (iii) the cost, trust and reputation of theservice of CSP and SNP. In addition, our system securityanalysis powered by three adversary models showed that ourproposed system is secure versus main attacks on a trust andreputation management system, such as good mouthing, badmouthing, collusion and white-washing attacks, which are themost important attacks in our case.

REFERENCES

[1] Q. Zhang, L. Cheng, and R. Boutaba, “Cloud computing: State-of-the-art and research challenges,” J. Internet Services Appl., vol. 1, no. 1,pp. 7–18, 2010.


[2] R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, and I. Brandic, “Cloudcomputing and emerging IT platforms: Vision, hype, and reality fordelivering computing as the 5th utility,” Future Generat. Comput. Syst.,vol. 25, no. 6, pp. 599–616, Jun. 2009.

[3] J. Baliga, R. W. A. Ayre, K. Hinton, and R. S. Tucker, “Green cloudcomputing: Balancing energy in processing, storage, and transport,”Proc. IEEE, vol. 99, no. 1, pp. 149–167, Jan. 2011.

[4] K. M. Sim, “Agent-based cloud computing,” IEEE Trans. ServicesComput., vol. 5, no. 4, pp. 564–577, Fourth Quarter 2012.

[5] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wirelesssensor networks: A survey,” Comput. Netw., Int. J. Comput. Telecommun.Netw., vol. 38, no. 4, pp. 393–422, Mar. 2002.

[6] C. Zhu, L. Shu, T. Hara, L. Wang, S. Nishio, and L. T. Yang,“A survey on communication and data management issues in mobilesensor networks,” Wireless Commun. Mobile Comput., vol. 14, no. 1,pp. 19–36, Jan. 2014.

[7] M. Li and Y. Liu, “Underground coal mine monitoring with wirelesssensor networks,” ACM Trans. Sensor Netw., vol. 5, no. 2, Mar. 2009,Art. ID 10.

[8] M. Yuriyama and T. Kushida, “Sensor-cloud infrastructure—Physicalsensor management with virtualized sensors on cloud computing,” inProc. 13th Int. Conf. Netw.-Based Inf. Syst., Sep. 2010, pp. 1–8.

[9] G. Fortino, M. Pathan, and G. Di Fatta, “BodyCloud: Integration ofcloud computing and body sensor networks,” in Proc. IEEE 4th Int.Conf. Cloud Comput. Technol. Sci., Dec. 2012, pp. 851–856.

[10] Y. Takabe, K. Matsumoto, M. Yamagiwa, and M. Uehara, “Proposedsensor network for living environments using cloud computing,” in Proc.15th Int. Conf. Netw.-Based Inf. Syst., Sep. 2012, pp. 838–843.

[11] R. Hummen, M. Henze, D. Catrein, and K. Wehrle, “A cloud design foruser-controlled storage and processing of sensor data,” in Proc. IEEE4th Int. Conf. Cloud Comput. Technol. Sci., Dec. 2012, pp. 232–240.

[12] C. Zhu, V. C. M. Leung, L. T. Yang, X. Hu, and L. Shu, “Collaborativelocation-based sleep scheduling to integrate wireless sensor networkswith mobile cloud computing,” in Proc. IEEE Globecom Workshops,Dec. 2013, pp. 452–457.

[13] C. Zhu, V. C. M. Leung, H. Wang, W. Chen, and X. Liu, “Providingdesirable data to users when integrating wireless sensor networks withmobile cloud,” in Proc. IEEE 5th Int. Conf. Cloud Comput. Technol.Sci., Dec. 2013, pp. 607–614.

[14] A. Alamri, W. S. Ansari, M. M. Hassan, M. S. Hossain, A. Alelaiwi,and M. A. Hossain, “A survey on sensor-cloud: Architecture, applica-tions, and approaches,” Int. J. Distrib. Sensor Netw., vol. 2013, 2013,Art. ID 917923.

[15] S. Grzonkowski and P. Corcoran, “Sharing cloud services: User authen-tication for social enhancement of home networking,” IEEE Trans.Consum. Electron., vol. 57, no. 3, pp. 1424–1432, Aug. 2011.

[16] M.-H. Guo, H.-T. Liaw, L.-L. Hsiao, C.-Y. Huang, and C.-T. Yen,“Authentication using graphical password in cloud,” in Proc. 15th Int.Symp. Wireless Pers. Multimedia Commun., Sep. 2012, pp. 177–181.

[17] H. A. Dinesha and V. K. Agrawal, “Multi-dimensional password gen-eration technique for accessing cloud services,” Int. J. Cloud Comput.,Services Archit., vol. 2, no. 3, pp. 31–39, Jun. 2012.

[18] A. J. Choudhury, P. Kumar, M. Sain, H. Lim, and H. Jae-Lee, “A stronguser authentication framework for cloud computing,” in Proc. IEEEAsia-Pacific Services Comput. Conf., Dec. 2011, pp. 110–115.

[19] S.-H. Shin, D.-H. Kim, and K.-Y. Yoo, “A lightweight multi-userauthentication scheme based on cellular automata in cloud environment,”in Proc. IEEE 1st Int. Conf. Cloud Netw., Nov. 2012, pp. 176–178.

[20] S. Ruj, M. Stojmenovic, and A. Nayak, “Decentralized access controlwith anonymous authentication of data stored in clouds,” IEEE Trans.Parallel Distrib. Syst., vol. 25, no. 2, pp. 384–394, Feb. 2014.

[21] J. Yang et al., “A fingerprint recognition scheme based on assemblinginvariant moments for cloud computing communications,” IEEE Syst. J.,vol. 5, no. 4, pp. 574–583, Dec. 2011.

[22] P. You and Z. Huang, “Towards an extensible and secure cloud architec-ture model for sensor information system,” Int. J. Distrib. Sensor Netw.,vol. 2013, Jul. 2013, Art. ID 823418.

[23] H. A. Dinesha, R. Monica, and V. K. Agrawal, “Formal modeling formulti-level authentication in sensor-cloud integration system,” Int. J.Appl. Inf. Syst., vol. 2, no. 3, pp. 1–6, May 2012.

[24] S. T. Ali, V. Sivaraman, and D. Ostry, “Authentication of lossy data inbody-sensor networks for cloud-based healthcare monitoring,” FutureGenerat. Comput. Syst., vol. 35, pp. 80–90, Jun. 2014.

[25] K. Hwang and D. Li, “Trusted cloud computing with secure resourcesand data coloring,” IEEE Internet Comput., vol. 14, no. 5, pp. 14–22,Sep./Oct. 2010.

[26] A. Barsoum and A. Hasan, “Enabling dynamic data and indirect mutualtrust for cloud computing storage systems,” IEEE Trans. Parallel Distrib.Syst., vol. 24, no. 12, pp. 2375–2385, Dec. 2013.

[27] X. Li and J. Du, “Adaptive and attribute-based trust model for servicelevel agreement guarantee in cloud computing,” IET Inf. Secur., vol. 7,no. 1, pp. 39–50, Mar. 2013.

[28] M. Kuehnhausen, V. S. Frost, and G. J. Minden, “Framework forassessing the trustworthiness of cloud resources,” in Proc. IEEE Int.Multi-Discipl. Conf. Cognit. Methods Situation Awareness DecisionSupport, Mar. 2012, pp. 142–145.

[29] H. Kim, H. Lee, W. Kim, and Y. Kim, “A trust evaluation model forQoS guarantee in cloud systems,” Int. J. Grid Distrib. Comput., vol. 3,no. 1, pp. 1–9, 2010.

[30] T. H. Noor and Q. Z. Sheng, “Trust as a service: A framework for trustmanagement in cloud environments,” in Proc. 12th Int. Conf. Web Inf.Syst. Eng., 2011, pp. 314–321.

[31] R. K. L. Ko et al., “TrustCloud: A framework for accountability and trustin cloud computing,” in Proc. IEEE World Congr. Services, Jul. 2011,pp. 584–588.

[32] O. Savas, G. Jin, and J. Deng, “Trust management in cloud-integratedwireless sensor networks,” in Proc. Int. Conf. Collaboration Technol.Syst., May 2013, pp. 334–341.

[33] C. Pelnekar, “Planning for and implementing ISO 27001,” Inf. Syst. AuditControl Assoc. J., vol. 4, 2011.

[34] Information Technology—Security Techniques—Information SecurityManagement Systems—Requirements, ISO/IEC Standard 27001:2013,2013.

[35] N. Karten, How to Establish Service Level Agreements, 2003.[36] P. Wieder, J. M. Butler, W. Theilmann, and R. Yahyapour, Service Level

Agreements for Cloud Computing, 2011.[37] Privacy Level Agreement Outline for the Sale of Cloud Services in the

European Union, Cloud Security Alliance, 2013.[38] H. Yu, Z. Shen, C. Miao, C. Leung, and D. Niyato, “A survey of trust

and reputation management systems in wireless communications,” Proc.IEEE, vol. 98, no. 10, pp. 1755–1772, Oct. 2010.

[39] J.-H. Cho, A. Swami, and I.-R. Chen, “A survey on trust managementfor mobile ad hoc networks,” IEEE Commun. Surv. Tuts., vol. 13, no. 4,pp. 562–583, Fourth Quarter 2011.

[40] K. Govindan and P. Mohapatra, “Trust computations and trust dynamicsin mobile adhoc networks: A survey,” IEEE Commun. Surveys Tuts.,vol. 14, no. 2, pp. 279–298, Second Quarter 2012.

[41] A. Das and M. M. Islam, “SecuredTrust: A dynamic trust computationmodel for secured communication in multiagent systems,” IEEE Trans.Depend. Secure Comput., vol. 9, no. 2, pp. 261–274,Mar./Apr. 2012.

[42] J. M. Pujol, R. Sangüesa, and J. Delgado, “Extracting reputation in multiagent systems by means of social network topology,” in Proc. 1st Int.Joint Conf. Auton. Agents Multiagent Syst., 2002, pp. 467–474.

[43] C. Zhu, H. Wang, V. C. M. Leung, L. Shu, and L. T. Yang,“An evaluation of user importance when integrating social networksand mobile cloud computing,” in Proc. IEEE Global Commun. Conf.,Dec. 2014.

[44] A. Josang and R. Ismail, “The beta reputation system,” in Proc. 15thBled Electron. Commerce Conf., 2002, pp. 324–337.

[45] S. Ganeriwal, L. K. Balzano, and M. B. Srivastava, “Reputation-basedframework for high integrity sensor networks,” ACM Trans. SensorNetw., vol. 4, no. 3, May 2008, Art. ID 15.

[46] T. Qin, H. Yu, C. Leung, Z. Shen, and C. Miao, “Towards a trustaware cognitive radio architecture,” ACM SIGMOBILE Mobile Comput.Commun. Rev., vol. 13, no. 2, pp. 86–95, Apr. 2009.

[47] W. Viriyasitavat and A. Martin, “A survey of trust in workflowsand relevant contexts,” IEEE Commun. Surv. Tuts., vol. 14, no. 3,pp. 911–940, Third Quarter 2012.

[48] US Government Cloud Computing Technology Roadmap Volume IIRelease 1.0 (Draft), Nat. Inst. Standard Technol., Gaithersburg, MD,USA, Nov. 2011.

[49] S. Reece, A. Rogers, S. Roberts, and N. R. Jennings, “Rumours andreputation: Evaluating multi-dimensional trust within a decentralisedreputation system,” in Proc. 6th Int. Joint Conf. Auton. Agents MultiagentSyst., 2007, pp. 1063–1070.

[50] G. Wang and J. Wu, “Multi-dimensional evidence-based trust manage-ment with multi-trusted paths,” Future Generat. Comput. Syst., vol. 27,no. 5, pp. 529–538, May 2011.

[51] D. Dolev and A. C. Yao, “On the security of public key protocols,”IEEE Trans. Inf. Theory, vol. 29, no. 2, pp. 198–208,Mar. 1983.


[52] Y. L. Sun, Z. Han, W. Yu, and K. J. R. Liu, “A trust evaluationframework in distributed networks: Vulnerability analysis and defenseagainst attacks,” in Proc. 25th IEEE Int. Conf. Comput. Commun.,Apr. 2006, pp. 1–13.

[53] Y. Sun and Y. Liu, “Security of online reputation systems: The evolutionof attacks and defenses,” IEEE Signal Process. Mag., vol. 29, no. 2,pp. 87–97, Mar. 2012.

[54] K. Hoffman, D. Zage, and C. Nita-Rotaru, “A survey of attack anddefense techniques for reputation systems,” ACM Comput. Surv., vol. 42,no. 1, Dec. 2009, Art. ID 1.

Chunsheng Zhu (S’12) received the B.E. degree innetwork engineering from the Dalian University ofTechnology, Dalian, China, in 2010, and theM.Sc. degree in computer science from St. FrancisXavier University, Antigonish, NS, Canada, in 2012.

He is currently pursuing the Ph.D. degree with theDepartment of Electrical and Computer Engineer-ing, The University of British Columbia, Vancouver,BC, Canada. He has authored around 40 papersby refereed international journals (e.g., the IEEETRANSACTIONS ON INDUSTRIAL ELECTRONICS,

the IEEE TRANSACTIONS ON COMPUTERS, the IEEE TRANSACTIONS ON

EMERGING TOPICS IN COMPUTING, and the IEEE SYSTEMS JOURNAL)and conferences (e.g., the IEEE Global Communications Conference andthe IEEE International Conference on Communications). His current researchinterests are mainly in the areas of wireless sensor networks and mobile cloudcomputing.

Hasen Nicanfar (S’11) received the B.A.Sc. degreein electrical engineering from the Sharif Univer-sity of Technology, Tehran, Iran, in 1993, and theM.A.Sc. degree in computer networks from RyersonUniversity, Toronto, ON, Canada, in 2011.

He is currently pursuing the Ph.D. degree with theDepartment of Electrical and Computer Engineering,The University of British Columbia, Vancouver, BC,Canada. From 1993 to 2010, he worked in differentpositions, such as the IT/ERP Manager, the ProjectManager, and a Business and System Analyst. His

research interests are in the areas of trust, security and privacy in wirelesscommunication, computer network, and cloud computing.

Victor C. M. Leung (S’75–M’89–SM’97–F’03)received the B.A.Sc. (Hons.) degree in electri-cal engineering from The University of BritishColumbia (UBC), Vancouver, BC, Canada, in 1977,and was awarded the APEBC Gold Medal as theHead of the Graduating Class from the Facultyof Applied Science. He attended graduate schoolat UBC on a Natural Sciences and Engineer-ing Research Council Postgraduate Scholarship andcompleted the Ph.D. degree in electrical engineeringin 1981.

He was a Senior Member of Technical Staff and Satellite System Specialistat MPR Teltech Ltd., Burnaby, BC, Canada, from 1981 to 1987. In 1988,he was a Lecturer with the Department of Electronics, Chinese Universityof Hong Kong, Hong Kong. He joined UBC as a faculty member in 1989,where he is currently a Professor and the TELUS Mobility Research Chair inAdvanced Telecommunications Engineering with the Department of Electricaland Computer Engineering. He has coauthored over 700 technical papersin international journals and conference proceedings, 29 book chapters, andcoedited eight book titles. Several of his papers have been selected for bestpaper awards. His research interests are in the areas of wireless networks andmobile systems.

Dr. Leung is a Registered Professional Engineer in the Province of BritishColumbia, Canada. He is a fellow of the Royal Society of Canada, theEngineering Institute of Canada, and the Canadian Academy of Engineering.He was a Distinguished Lecturer of the IEEE Communications Society. Heis an Editorial Board Member of the IEEE WIRELESS COMMUNICATIONS

LETTERS, Computer Communications, and several other journals. He hasserved on the Editorial Boards of the IEEE JOURNAL ON SELECTED

AREAS IN COMMUNICATIONS-WIRELESS COMMUNICATIONS SERIES, theIEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, the IEEE TRANS-ACTIONS ON VEHICULAR TECHNOLOGY, the IEEE TRANSACTIONS ONCOMPUTERS, and the Journal of Communications and Networks. He hasguest-edited many journal special issues, and contributed to the organizingcommittees and technical program committees of numerous conferences andworkshops. He was a recipient of the IEEE Vancouver Section CentennialAward and the 2012 UBC Killam Research Prize.

Laurence T. Yang (M’97) received the B.E. degreein computer science and technology from TsinghuaUniversity, Beijing, China, and the Ph.D. degree incomputer science from the University of Victoria,Victoria, BC, Canada.

He is currently a Professor with the Departmentof Computer Science, St. Francis Xavier Univer-sity, Antigonish, NS, Canada. His research interestsinclude parallel and distributed computing, embed-ded and ubiquitous/pervasive computing, and bigdata. He has published over 200 papers in vari-

ous refereed journals (around 1/3 on the IEEE/ACM TRANSACTIONS andJOURNALS, and others mostly on Elsevier, Springer, and Wiley journals).His research has been supported by the National Sciences and EngineeringResearch Council of Canada, and the Canada Foundation for Innovation.

118 IEEE TRANSACTIONS ON INFORMATION … · 2016-01-04 · 118 IEEE TRANSACTIONS ON INFORMATION...

Documents

Transcript of 118 IEEE TRANSACTIONS ON INFORMATION … · 2016-01-04 · 118 IEEE TRANSACTIONS ON INFORMATION...