A M OBILE A GENT - BASED M ETHOD TO C OUNTER S INKHOLE A TTACKS IN W IRELESS S ENSOR N ETWORKS

Wireless sensor networks (WSNs) are an applied technology widely used in various areas. According to the WSN limitations, they usually face many types of attacks. The sinkhole attack is the most popular and dangerous attack in the routing of WSNs. There are many approaches to counter sinkhole attacks in the literature. The mobile agent methods generate better results in facing sinkhole attacks and overcoming the WSN limitations. In this paper, we present a new mobile agent-based method that applies the trust value of each sensor to detect and prevent sinkhole attacks. We compute the trust values to inform the sensor nodes about their neighbors' reputations. As shown in the experiments, the proposed method generates better results in packet loss ratio. It also fixes the security flaws of previous works and reduces the agents' overhead in the network compared to previous methods.

that area [6]. Now, it can launch other attacks, such as selective forwarding, packet drops and packet modifications [15]. Thus, the sinkhole attack decreases the network's lifetime and increases the network overhead [14]. Figure 1. The sinkhole attack in a WSN [9].
There are many methods in the literature to address sinkhole attacks [1]- [2]. Here, we focus on the agentbased methods that apply mobile agents as a self-controlling program to transfer code and data between the sensor nodes [11], [16], [4]. With the aid of agents, we can reduce the communication costs by moving the processing code to the sensors instead of transferring data to a central processor node.
In this paper, we propose a new mobile agent-based method that applies the trust value of each sensor to detect and prevent sinkhole attacks. We use the trust value of each sensor to inform the sensor nodes about their neighbors' reputations. Hence, the main contributions of this paper are as follows:  We compute the trust value of each node to inform the sensor nodes about their neighbor's reputations.  We apply mobile agents to reduce the communication costs in WSNs by eliminating unnecessary data transfer.
The rest of this paper is organized as follows. We investigate the related work in Section 2. The proposed method is described in Section 3. In Section 4, we compare our proposed method with two related works regarding packet loss, energy consumption, throughput and agent overhead. Finally, the conclusion and the future direction are mentioned in Section 5.

RELATED WORK
So far, many methods have been presented to detect and prevent sinkhole attacks. In this section, we examine some of them and the related work in this area. Sheela et al. detected the sinkhole attacks in WSNs by a mobile agent-based method. The mobile agents collect information from all sensor nodes to make each node aware of the network in terms of the malicious nodes. Normal nodes do not accept the fake information of the compromised nodes. This method has agent navigation and data routing algorithms which the first algorithm describes how to visit all nodes and to give the network information to nodes by the mobile agent. Also, the second algorithm describes how to use a node of this global network information for routing data packets. An essential feature of this method is that it detects the sinkhole attack without any encryption or decryption mechanism. However, if the number of nodes increases, the overhead of this method will be very high [22].
Sharmila and Umamaheswari have presented a solution to detect sinkhole attacks using message digest.
In this method, a control scheme can be built for each packet in the network by using hash functions. The digest message is calculated by the source node using a combination of MD5 and SHA1 hash algorithms and is sent through a trustable path to the base station. Then, the message is sent through a node that claims to have the shortest route to the sink. If an adversary modifies the message, it can be detected by checking the modified message and the message digest. Due to the use of SHA1 and MD5 algorithms, overhead caused by the encryption and decryption operations is high and transfer the message is transferred in the two paths causing loss of energy and traffic overhead that are disadvantages of this method. Also, having a trustable path in this type of network is often not possible due to their nature [21].
Bahekmat et al. have presented an efficient algorithm to detect sinkhole attacks in WSNs. In their proposed algorithm, it is assumed that all nodes in the network are similar, randomly distributed and aware of their locations in the network. Each node sends a control packet to the base station directly before sending the data packet through hop-by-hop routing. If any change is made on the control fields, it indicates that there are malicious nodes in the path. The advantage of this method is the reduction of packet loss rate and energy consumption. The main disadvantage of this algorithm is that each sensor needs to use localization algorithms or have a Global Position System (GPS) in order to know its geographical location, which requires additional costs [5].
Hamedheidari and Rafeh have presented a defensive mechanism by mobile agents to counter sinkhole attacks. Each node is aware of its trusted neighbors using mobile agents with a three-step negotiation.
The main purpose of the three-step trusting procedure between the node and the agent is an authentication mechanism that uses unique codes and hash algorithms. In this method, it has been assumed that all nodes are physically protected. This assumption is not very logical due to the nature of this type of network that is placed in remote areas. Now, by omitting this assumption, the attacker can gain access to the node physically. As a result, this method suffers from tampering attacks [9].
Naderi et al. detected the sinkhole area according to the energy consumption model in the network and the energy deviation of each node from other nodes. Also, nodes' energy information is collected and analyzed by the sink. Then, a trust evaluation mechanism is used, so that each node calculates the trust value of its neighbors. The trust mechanism starts after observing a contradiction in energy consumption in a limited area of the network and then a trust value is assigned to each node based on security requirements by the sensed event. The advantage of this method is to achieve considerable performance in factors that have higher risk. For example, a network that has more nodes and compromised nodes has a short distance to the sink and delivers more packets to the sink under challenging conditions. The major disadvantage of this method is that it acts only based on energy criteria. In other words, if a node has a higher energy consumption due to more telecommunication capabilities, it is incorrectly detected as a malicious node, which is referred to as a false positive [17].
Jahandoust and Ghassemi proposed an adaptive framework with a combination of subjective logic and an extension of timed automata to counter sinkhole attacks in WSNs. For this reason, they utilized a stochastic extension of the AODV routing algorithm. A subjective logic model is applied to detect the sinkhole nodes and find the most reliable path. Also, a probabilistic model monitors the network behavior to adaptively adjust the algorithm parameters [10].
In recent research, Nwankwo and Abdulhamid applied the ant colony method to detect sinkhole areas [18]. Although they claim that their method can improve the detection rate and false alerts, it applies ant colony as a time-consuming method which is not proper for WSN applications. Wang presented a threelayer detection scheme to monitor the heterogeneous Industrial WSN (IWSN). Unlike the previous method, their scheme does not utilize information and location information from the neighbors. At the first layer, the normal and Sybil nodes are found by a quadratic difference based on the received signal strength indicator (RSSI). The second layer continues the search for nodes detected in the first layer using a method based on residual energy. Finally, the base station detects the first and second highenergy nodes [24]. Jatti and Sonti presented an agent-based algorithm to detect and prevent sinkhole attacks in WSNs [11]. Their work is very similar to Hamedheidari and Rafeh's method [9]. They just apply their presented method to a different routing algorithm and evaluate it through network simulator NS 2.35.
In this paper, we present a new mobile agent-based method to counter sinkhole attacks. Therefore, we focus on the agent-based literature and exceed it to fix the security flaws of previous works and reduce the overhead caused by the presence of the agents in the network. We compare our proposed method with two agent-based related works to show its performance in facing sinkhole attacks.

PROPOSED METHOD
Here, we explain our proposed method to apply mobile agents and trust management. In our method, each node computes the trust value of its neighbors. Furthermore, it uses mobile agents to make each node aware of the reputation values of its neighbors. Consequently, each node identifies its compromised neighbors and does not interact with them.

Agent Designing
Such as other methods, the mobile agent is an executable script that migrates from one node to another in the format of an agent packet. In the proposed method, we use a simplified type of agent code to detect the sinkhole nodes. As a result, it produces less computational overhead and decreases energy consumption in the nodes as well. Furthermore, agents do not communicate with each other and only interact with the nodes placed on them. So, no traffic overhead will exist due to the agents' communication with each other. It reduces the energy consumption in the nodes significantly [9].

Agent Migration
The migration allows an agent to move from an agent node (the node that contains the agent) to a neighbor node and back to the original node. Therefore, the agent only moves to a one-hop neighbor and does not need to maintain the agent migration path to return to the original node. As a result, the source and destination storage will suffice. We define here another action that is the agent cycling. Agent cycling is done when a mobile agent migrates to all one-hop nodes around an agent node.

Algorithm
First, nodes are randomly distributed with a uniform distribution in the network. After that, the base station selects several sensor nodes based on the expected number of agents in the network and sends agent packets to them. After receiving agents, each node sends a HELLO packet to neighbor nodes and creates a neighboring matrix. Figure 2 shows a WSN with nine nodes. In this network, node A consists of an agent and H is the malicious node. Table 1 shows the neighboring matrix of node B after sending HELLO packets. As can be seen, in this step, detected are only neighbors of a node which may be malicious.  Each node increases the number of sent packets variable by one after transmitting a packet to its onehop neighbor. Next, each sender node (x) monitors its neighbor (y) for a limited time to investigate its forwarding behaviors. If node x detects the correct retransmission, it will increase the number of correct packets variable by one [8]. Before forwarding a new packet, each node checks to know whether the number of sent packets variable has reached a predefined threshold of forwarding, 100 for example, or not. Then, the direct trust from node x to node y can be calculated by the formula and variable value 'number of sent packets' proposed in [20] as in Equation (1)  where , is the trust from node x to node y, , is the number of correct packets forwarded by node y and , is the number of packets dropped by node y. Also, to reduce the forwarded data and computational overhead, trust values are stored as unsigned integers in the range of 0 to 100 instead of decimal values that represent the lowest and the highest level of trust, respectively. To update the trust for node y at node x (i.e., trust value variable), we apply formula (1) to calculate the trust average. The trust value in node x is calculated and stored in node x as well. Moreover, to get a more accurate trust value, the reputation value is calculated by using mobile agents. For this reason, the trust values of all one-hop neighbors of an agent node are collected by the agent. The reputation values are calculated at the agent node and then new reputation values are submitted to the neighbor nodes with the help of mobile agents.
The update state variable is binary. 0 means that the last update of variable 'trust value' has been done by direct calculation of trust value by the node and one means that it has been updated by the average of provided reputation value by the agent and stored trust value in the trust value variable. At first, the agent checks the value of the update state variable. If it is 0, it submits the reputation value of the node's neighbors to it and receives the values of variables 'trust value' and 'number of sent packets 2' of the node's neighbors and delivers them to the agent node during its migration. But, if the update state variable is set to 1, the mobile agent returns to the agent node without doing any extra operation. The purpose of using the update state variable is that if a node has not been done, the adequate number of interactions (i.e., 100), it can solely update the trust value variable. So, it is better to ignore these trust values, which can prevent the computational overhead imposed by these processes.
Furthermore, this simple binary variable prevents the impact of a fake agent on a node. According to our mechanism of updating the trust value variable, if a node updates the trust value based on the reputation, the new trust value cannot update until it is already updated based on the direct trust value which is calculated by the node. As a result, if an agent hands over incorrect reputation information to a node, the impact of this fake information can be reduced by calculating the trust value based on the direct trust calculated by the node. Initialization and updating of the variable 'update state' are done only by the node. At the first step of updating the trust value variable, the direct trust value is calculated as described earlier by the node. Then, the average of this value and the one stored in the trust value will be held as the new trust value and also the value of the two variables 'number of sent packets' and 'number of correct packets' will be changed to zero. This procedure could be done if the number of interactions reaches 100. On the other hand, if the value of the update state variable is zero, it means that the agent has not read the trust value yet. Hence, the number of interactions is stored in another variable named 'number of sent packets 2' in the node in which values will be multiples of 100 (except the default value). We use this variable to weigh the collected trust values of the nodes for calculations of reputation that are done within the agent node. Three tables are stored in the agent node; table 1 (which is also stored in all other nodes), table 2 and table 3. The data used to calculate the reputation value which has been transmitted to an agent node by the mobile agent is stored in Table 2. For each neighboring node, one dedicated table 2 is stored in an agent node. The reputation value of all nodes is stored in Table 3 as well.  After agent cycling, the reputation of each node is calculated by using the information gathered by the mobile agent as follows: 1 = , × , + , × , + , × , + ℎ, × ℎ, , + , + , + ℎ, 2 = × , + × , + × , + ℎ × ℎ, + + + ℎ where , is the number of sent packets from node a to node b, , is the trust value of node a to node b or the trust value variable and is the reputation value of node a.
Since a malicious node may try to show the number of its interactions (i.e., the 'number of sent packets 2' variable) extraordinary high to increase the impact of its comment in a weighted mean formula, we apply the following condition with a reasonable threshold of 400, for instance, to prevent this possible disorder.
IF number of sent packets 2 >= threshold, THEN number of sent packets 2 = threshold

EXPERIMENTAL RESULTS
In this section, we express the security benefits of our proposed method compared with the Hamedheidari and Rafeh [9] and Jatti and Sonti [11] methods. We describe the security weaknesses of the previous methods and their incapability of detecting and resisting some sorts of attack. Moreover, we explain the advantages of our proposed method and the way in which we resolve these weaknesses. Then, we compare the proposed method with the mentioned two methods in terms of various standard evaluation parameters in normal conditions to see whether the proposed method, which brings superior safety, imposes more overhead than the previous methods or not.
In Hamedheidari and Rafeh's method, they assume that all nodes are physically protected. This assumption is not logical due to the nature of WSNs that are placed in risky areas. By removing this assumption, an attacker (i.e., human attacker) can take the node physically. In fact, it will gain access to code 1, code 2 and the NodeHashFunc(); so by having this information, it can create a fake node and place it in the network. In Hamedheidari and Rafeh's method, a fake node is treated as a normal node; and all actions of it are allowed, even hostile acts. By knowing this information, accessing code 3 and creating a fake agent is not so hard; so the detection way of the base paper fails in this situation. Furthermore, the agent node multicasts the trust packet and its neighbors only check the sender ID of the packet to ensure transmitting by the agent node. Hence, an attacker can easily create a fake trust packet and pretend that the packet is sent by it via changing the ID of the trust packet to an agent node. Therefore, this can easily disrupt the network's ordinary workflow.
As described in detail in the proposed method section, unlike Hamedheidari and Rafeh's method, our proposed method has a reasonable performance in all the above conditions. Also, another positive point of the proposed method is that the value of the threshold to detect an attacker can be set according to the sensitivity of WSN's type. The more security is essential, the higher the threshold should be and vice versa.

Simulation
In this sub-section, we evaluate the performance of the proposed method within a simulation environment. For this purpose, we developed an agent-based simulator and then compared the results of our proposed method with two related works [9], [11].

Simulation Environment
Simulation environment has been considered to be 200 × 200 meters in simulations and we assume N sensor nodes with a uniform distribution that are randomly distributed in the environment and are mobile as well. Simulations have been done for N sensor nodes from 100 to 400 with the step of 100. Simulation time is 20 minutes and the results are recorded one time every 30 seconds. Also, each experiment has been repeated for any number of sensor nodes five times and corresponding diagrams are the average of 5-time runs. In each experiment, between 10-20% of nodes are malicious. Simulations were done for each number of nodes with various percents of agents (10%, 15%, 20% and 25%) in each experiment. In table 4, the simulation conditions are shown, so that Eelect is consumed energy to activation electronic circuits of transmitter and Efs is the activation energy amplifier of the transmitter.

Network Model
Base station: It is static and located in coordinates (100,100). In simulations, we found that this place has more efficiency. The base station is entirely safe and has infinite energy.
Sensor nodes: All nodes in the simulation are homogeneous and are not better than another. Nodes are distributed with a uniform distribution in the environment. They are mobile and move with a speed of 10 m/s by a random waypoint algorithm in all experiments.
Mobile agent: Only one type of agent is used in this method. The agents are randomly placed on nodes done by the base station at the beginning of the network creation. The agents perform agent cycling every 5 to 10 seconds.
Malicious node: Malicious nodes are the regular nodes in the network that generate sinkhole attacks.
In each experiment, 10% to 20% of total nodes are malicious and distributed randomly around the network environment.

Experimental Result
Here, we compare the simulation results of our method with Hamedheidari and Rafeh's method [9] and Jatti and Sonti's method [11] in terms of packet loss, energy consumption, throughput and agent overhead. As shown in the experiments, our proposed method generates better results in terms of packet loss ratio and the agents' overhead. It also leads to acceptable energy consumption and throughput.

Energy Consumption
Since energy is the most vital resource for sensor nodes, the methods and approaches proposed for sensor nodes need to be economical in terms of energy consumption. Figures 3-6 show the energy consumption of our proposed method in comparison with the previous methods. As shown in these figures, increasing the number of agents increases the consumed energy. However, the amount of increase is less with 100 nodes than with 400 nodes in the network. It is because of more scattering between nodes in the largescale networks with a few nodes. As a result, their neighbors are less and agents visit fewer nodes in every cycling. The energy consumption of the entire network is still low. But in dense networks; i.e., networks with a large number of nodes (because of having more neighbors), agent cycling is performed more, so more energy is consumed. The Hamedheidari and Jatti methods consume less energy than the proposed method because regular nodes know their trusted neighbors through trust packets that are sent by the agent node. Still, in the proposed method, a regular node calculates the trust value of its neighbors. So, in the proposed method, each node consumes more energy.

Packet Loss Rate
The most possible related problem in sinkhole attacks is packet loss. The attacker, after receiving the packets, does not transmit them. Packet loss is a vital problem in many applications. We compare the packet loss rate of our proposed method with the previous methods in Figures 7-10. The packet loss in the Hamedheidari and Jatti methods is caused by the presence of uncovered nodes for the agent. The uncovered nodes assume that all their neighbors are attackers and do not interact with them.  Therefore, by increasing the number of agents, the network is covered better and the packet loss rate gets reduced in the Hamedheidari and Jatti methods. Since the uncovered nodes can recognize their malicious neighbors, so in a network with a large number of nodes and a low percentage of agent nodes, the number of lost packets in the proposed method is less than in the compared methods, as shown in Figure 10. Another reason for packet loss is the end of energy of intermediate nodes in a data path. The energy consumption in the proposed method is more than the Hamedheidari and Jatti methods, so from this point of view, the number of packet losses in the compared methods is less than in the proposed method. Figure 9. Comparison of the packet loss rate in the compared methods with 300 nodes in the network. Figure 10. Comparison of the packet loss rate in the compared methods with 400 nodes in the network.

Throughput
Throughput is the average of successful message delivery in a communication channel. Since the sinkhole attack forwards the packets in the wrong paths or does not transmit them, throughput is reduced. We can measure the throughput by data packets per second or data packets per interval. Comparison of throughput with the two methods is depicted in Figures 11-14. In the Hamedheidari and Jatti methods, only the agents are responsible for detecting malicious nodes, whereas in our method, this process is done by agents and nodes. As shown, by increasing the number of agents, the compared methods have better performance than our method.

Mobile Agents' Overhead
The next criterion that we review in simulations is the average mobile agents' overhead in the network. A comparison of the average of mobile agents' overhead between the proposed method and the compared methods is shown in Figures 15-18. This criterion has been calculated by the rate of the number of Figure 11. Comparison of throughput in the compared methods with 100 nodes in the network.     control packets). As shown, the agent overhead increases while the number of agent migrations becomes more. In other words, agents' overhead is reduced by increasing the number of sensor nodes. Moreover, there is no trust packet in our method; so, the agent's overhead is reduced more than the Hamedheidari and Jatti methods.

CONCLUSION AND FUTURE WORK
In this research, we proposed a novel mobile agent-based technique to counter sinkhole attacks in WSNs. We carefully examined the most relevant method to the subject of this paper and issues which could challenge its security. We then presented our solution, which covered the security flaws of previous methods. The simulation results showed that our method could improve the overhead caused by the agents in the network and the packet loss ratio in comparison with the previous methods. At the same time, other criteria, such as energy consumption and throughput remained almost the same. Furthermore, our method resolved the issue of uncovered nodes in the previous methods by equipping each node to have the ability to detect adversaries on its own. In the future, we plan to apply fuzzy logic to improve the detection algorithm of the malicious nodes. Moreover, we want to extend our method to support the other routing protocols.