475  Sensor Node Behaviors: Selfish and Malicious Nodes

475.1 Learning Objectives

By the end of this chapter, you will be able to:

  • Detect Selfish Behavior: Implement reputation systems to identify nodes prioritizing self-interest over network cooperation
  • Calculate Reputation Scores: Apply exponentially weighted moving average (EWMA) formulas for node reputation tracking
  • Identify Malicious Attacks: Recognize black hole, sinkhole, wormhole, and Sybil attacks in sensor networks
  • Design Mitigation Strategies: Apply appropriate defenses for different attack types

475.2 Prerequisites

Before diving into this chapter, you should be familiar with:

475.3 Introduction: Intentional Misbehavior

Note: Key Concepts

  • Selfish Node: A node that prioritizes self-interest (energy conservation) over network cooperation
  • Malicious Node: A node deliberately disrupting network operation through active attacks
  • Reputation System: Mechanism for tracking and scoring node cooperation behavior over time
  • Black Hole Attack: Malicious node drops all packets after attracting traffic
  • Sybil Attack: Single node presents multiple fake identities to control consensus

Selfish nodes are like classmates who do their own homework but refuse to help others during group projects. They are not trying to hurt the team - they are just lazy or trying to save effort for themselves.

Malicious nodes are like bullies who offer to deliver your homework to the teacher, then throw it in the trash. They are actively trying to hurt the team.

| Behavior | Selfish Node | Malicious Node |
| --- | --- | --- |
| Goal | Save battery, live longer | Disrupt network, cause harm |
| Forwards own data | Yes (needs network) | Maybe not (does not care) |
| Forwards others’ data | Only when watched | Never or selectively |
| Response to monitoring | Improves behavior | No change |
| Recovery possible | Yes (with incentives) | No (requires exclusion) |

Detection strategy: If a node forwards more packets when neighbors are watching, it is probably selfish (responding to social pressure). If it drops packets regardless of monitoring, it is probably malicious (deliberately attacking).

Misconception: Students often assume selfish nodes and malicious nodes are the same - both drop packets, so they must be equally harmful.

Reality: Selfish and malicious nodes have fundamentally different motivations and behaviors:

| Behavior | Selfish Node | Malicious Node |
| --- | --- | --- |
| Motivation | Extend own lifetime (rational self-interest) | Disrupt network (active attack) |
| Forwarding rate | 40-60% (drops when unmonitored) | 0-20% (drops always or selectively) |
| Response to monitoring | Forwards 95%+ when neighbors watch | Continues dropping even when monitored |
| Own packets | Always forwards own data | May drop own data |
| Recovery | Behavior improves when reputation is low | Never improves |
| Network impact | Gradual degradation | Catastrophic failure |

Key insight: Selfish nodes respond to incentives (reputation, exclusion threat). Malicious nodes require cryptographic defenses (authentication, encryption). Different mitigation strategies are needed.
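
The detection strategy above as a check (an added example, not code from the original chapter): it compares a node's forwarding rate while it knows it is watched with its rate under observation it cannot detect, and applies a two-proportion z-test so that a handful of packets does not produce a label. The covert measurement, the 0.90 cooperative cut-off and the z threshold are assumptions; the 95% and 20% figures come from the table above.

```python
import math
from dataclasses import dataclass

SELFISH_WATCHED_MIN = 0.95  # page: selfish nodes forward 95%+ when watched
MALICIOUS_MAX = 0.20        # page: malicious nodes forward 0-20%
COOPERATIVE_MIN = 0.90      # assumption: both rates this high means cooperative
Z_CRITICAL = 2.33           # assumption: one-sided test at roughly the 1% level


@dataclass(frozen=True)
class Window:
    """Relay requests sent to a node and how many of them it forwarded."""
    requested: int
    forwarded: int

    @property
    def rate(self) -> float:
        return self.forwarded / self.requested


def z_statistic(watched: Window, covert: Window) -> float:
    """Two-proportion z statistic for 'forwards more when watched'."""
    total = watched.requested + covert.requested
    pooled = (watched.forwarded + covert.forwarded) / total
    variance = pooled * (1 - pooled) * (1 / watched.requested + 1 / covert.requested)
    if variance == 0:
        return 0.0  # identical all-or-nothing behaviour in both windows
    return (watched.rate - covert.rate) / math.sqrt(variance)


def classify(watched: Window, covert: Window) -> str:
    """Label a node from its watched and covertly observed forwarding."""
    if min(watched.requested, covert.requested) == 0:
        return "inconclusive"
    if watched.rate <= MALICIOUS_MAX:
        return "malicious"    # keeps dropping although it knows it is observed
    if min(watched.rate, covert.rate) >= COOPERATIVE_MIN:
        return "cooperative"
    if (watched.rate >= SELFISH_WATCHED_MIN
            and z_statistic(watched, covert) >= Z_CRITICAL):
        return "selfish"      # behaviour depends on being watched
    return "inconclusive"     # too few packets or a mixed pattern: keep monitoring


if __name__ == "__main__":
    # Constructed observation windows: (watched, covert)
    samples = {
        "95% watched / 50% covert": (Window(100, 95), Window(100, 50)),
        "drops regardless":         (Window(100, 10), Window(100, 12)),
        "forwards regardless":      (Window(100, 98), Window(100, 97)),
        "only 5 packets each":      (Window(5, 5), Window(5, 3)),
    }
    for name, (watched, covert) in samples.items():
        print(f"{name:26s} -> {classify(watched, covert)}")
```

The five-packet sample stays "inconclusive" even though its rates look selfish, which is the point of the significance test: exclusion decisions should not rest on windows that small.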

475.4 Selfish Nodes

Time: ~12 min | Difficulty: Intermediate | Unit: P05.C14.U04

Definition:
Nodes that prioritize self-interest (energy conservation, resource preservation) over network cooperation

%% fig-alt: "Selfish node packet forwarding decision tree: checks if own packet (forward), checks battery level below 20% (drop to save energy), checks if neighbors monitoring (forward to avoid detection), otherwise drops packet selfishly"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TB
    Packet["Relay Request<br/>Received"]

    CheckBattery{Battery<br/>< 20%?}
    CheckMonitored{Neighbors<br/>Watching?}
    CheckOwn{My Own<br/>Packet?}

    Forward["Forward<br/>Packet"]
    Drop["Drop Packet<br/>(Save Energy)"]

    Packet --> CheckOwn
    CheckOwn --> |Yes| Forward
    CheckOwn --> |No| CheckBattery
    CheckBattery --> |Yes| Drop
    CheckBattery --> |No| CheckMonitored
    CheckMonitored --> |Yes| Forward
    CheckMonitored --> |No| Drop

    style Forward fill:#16A085,stroke:#2C3E50,color:#fff
    style Drop fill:#E67E22,stroke:#2C3E50,color:#fff

Figure 475.1: Selfish node packet forwarding decision tree

475.4.1 Selfish Behaviors

  1. Packet dropping: Refuse to forward others’ packets
  2. Route advertisement refusal: Do not participate in route discovery
  3. Lazy sensing: Skip sensing cycles to save power
  4. False battery reports: Claim low battery to avoid relay duty
  5. Opportunistic sleep: Sleep longer than protocol requires

This timeline shows how selfish behavior evolves over time as battery depletes:

%% fig-alt: "Timeline showing sensor node behavior evolution as battery depletes: at 100% battery node is fully cooperative, at 50% battery node starts monitoring-aware behavior, at 30% battery node enters selfish mode, at 10% battery survival mode, at 0% battery node fails"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
timeline
    title Selfish Behavior Evolution with Battery Depletion
    section Cooperative Phase
        100% Battery : Full cooperation : Forward all requests : Reputation 1.0
        80% Battery : Full cooperation : Forward all requests : Reputation 1.0
    section Transition Phase
        50% Battery : Monitoring-aware : Forward when watched : Reputation 0.85
    section Selfish Phase
        30% Battery : Selfish mode : Drop most relay requests : Reputation 0.60
        10% Battery : Survival mode : Own packets only : Reputation 0.30
    section Failed
        0% Battery : Complete failure : No communication : Excluded from network

Key Insight: Selfish behavior is often gradual, not sudden. Reputation systems can detect the transition phase before full selfishness occurs.

475.4.2 Economic Rationality of Selfishness

Warning: Why Selfishness Makes Sense (For the Node)

From the selfish node’s perspective, cooperation has costs:

Energy Budget:

E_total = E_own_sensing + E_own_TX + E_relay_RX + E_relay_TX

Selfish strategy: Minimize E_relay to maximize lifetime
Cooperative strategy: Accept E_relay as network duty

Lifetime Calculation:

def calculate_lifetime(battery_mah, cooperative=True):
    """Calculate node lifetime with/without cooperation"""

    # Energy consumption per hour
    E_sense_TX = 50  # mAh (own data)
    E_relay = 30     # mAh (forwarding for others)

    if cooperative:
        hourly_consumption = E_sense_TX + E_relay
    else:
        hourly_consumption = E_sense_TX  # Selfish: no relay

    lifetime_hours = battery_mah / hourly_consumption
    return lifetime_hours

battery = 5000  # mAh

coop_lifetime = calculate_lifetime(battery, cooperative=True)
selfish_lifetime = calculate_lifetime(battery, cooperative=False)

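# Report hours and days so the printed lines match the output shown below
print(f"Cooperative node lifetime: {coop_lifetime:.1f} hours ({coop_lifetime / 24:.1f} days)")
print(f"Selfish node lifetime: {selfish_lifetime:.1f} hours ({selfish_lifetime / 24:.1f} days)")
print(f"Selfish benefit: +{(selfish_lifetime/coop_lifetime - 1)*100:.1f}% lifetime")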

Output:

Cooperative node lifetime: 62.5 hours (2.6 days)
Selfish node lifetime: 100.0 hours (4.2 days)
Selfish benefit: +60.0% lifetime

The Tragedy of the Commons: If all nodes act selfishly, the network collapses (no one forwards packets). But individual selfish nodes benefit at the expense of cooperative nodes.

475.4.3 Detection and Mitigation

%% fig-alt: "Reputation-based selfish node detection: neighbor monitoring tracks forwarding behavior calculating reputation as weighted average, flagging nodes below 0.5 threshold for exclusion"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TB
    Monitor["Neighbor Monitoring<br/>System"]

    Track["Track Node X<br/>Forwarding Behavior"]

    Monitor --> Track

    Track --> Stats["Statistics:<br/>Requested: 100 packets<br/>Forwarded: 60 packets<br/>Drop rate: 40%"]

    Stats --> Calc["Calculate Reputation:<br/>R = 60/100 x 0.3 + 0.8 x 0.7<br/>R = 0.18 + 0.56 = 0.74"]

    Calc --> Decision{Reputation<br/>< 0.5?}

    Decision -->|"No (0.74)"| Monitor2["Flag for monitoring<br/>Continue routing (reduced)"]
    Decision -->|"Yes"| Exclude["Exclude from routing<br/>No packets to X"]

    Monitor2 --> Improve{Behavior<br/>improves?}

    Improve -->|"Yes: R > 0.8"| Restore["Restore full routing"]
    Improve -->|"No: R < 0.5"| Exclude

    style Monitor fill:#16A085,stroke:#2C3E50,color:#fff
    style Track fill:#16A085,stroke:#2C3E50,color:#fff
    style Stats fill:#3498DB,stroke:#2C3E50,color:#fff
    style Calc fill:#3498DB,stroke:#2C3E50,color:#fff
    style Decision fill:#E67E22,stroke:#2C3E50,color:#fff
    style Monitor2 fill:#E67E22,stroke:#2C3E50,color:#fff
    style Exclude fill:#C0392B,stroke:#2C3E50,color:#fff
    style Restore fill:#16A085,stroke:#2C3E50,color:#fff

Figure 475.2: Reputation-based selfish node detection system

Reputation Calculation:

\[ Reputation_i(t) = \frac{Packets_{forwarded}}{Packets_{requested}} \cdot \alpha + Reputation_i(t-1) \cdot (1 - \alpha) \]

Where:

  • \(\alpha\) = learning rate (e.g., 0.3)
  • Reputation is in range [0, 1]
  • Low reputation leads to the node being avoided by routing protocols

Note: Worked Example: Detecting a Selfish Node Through Reputation Monitoring

Scenario: An agricultural WSN has 50 nodes monitoring soil moisture. Node 17 has been operating for 8 months and its battery dropped to 25%. Network administrators notice packet delivery rates decreasing in the region around Node 17.

Given:

  • Node 17’s previous reputation: R(t-1) = 0.85
  • Learning rate: alpha = 0.3
  • In the last monitoring interval, Node 17 was asked to forward 80 packets
  • Node 17 actually forwarded only 48 packets
  • Exclusion threshold: R < 0.50

Steps:

  1. Calculate current forwarding ratio:
    • Forwarding ratio = 48/80 = 0.60 (60%)
  2. Apply EWMA reputation formula:
    • R(t) = (Packets_forwarded / Packets_requested) x alpha + R(t-1) x (1-alpha)
    • R(t) = 0.60 x 0.3 + 0.85 x 0.7
    • R(t) = 0.18 + 0.595 = 0.775
  3. Evaluate against thresholds:
    • New reputation: 0.775 (above 0.50 threshold)
    • Node remains in network but is flagged for monitoring
    • If this pattern continues for 3 more intervals:
      • Interval 2: R = 0.60 x 0.3 + 0.775 x 0.7 = 0.72
      • Interval 3: R = 0.60 x 0.3 + 0.72 x 0.7 = 0.68
      • Interval 4: R = 0.60 x 0.3 + 0.68 x 0.7 = 0.66

Result: Node 17’s reputation dropped from 0.85 to 0.775 in one interval. Continued monitoring will either force improved behavior or eventual exclusion.

Key Insight: The EWMA formula provides graceful degradation - a single bad interval does not cause immediate exclusion, but persistent selfish behavior accumulates penalties.
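
The reputation update and the flag/exclude/restore decisions of Figure 475.2 as a small tracker, run on Node 17's numbers (an added example, not code from the original chapter). Treating the band between 0.50 and 0.80 as "flagged" and exclusion as terminal are assumptions read off the figure. The helper also shows a property of the formula itself: with a constant forwarding ratio the EWMA converges to that ratio, so a node crosses the 0.50 threshold only if its sustained ratio is below 0.50.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

ALPHA = 0.3           # learning rate used on the page
EXCLUDE_BELOW = 0.50  # exclusion threshold from the worked example
RESTORE_ABOVE = 0.80  # "restore full routing" threshold from Figure 475.2


class State(Enum):
    TRUSTED = "trusted"
    FLAGGED = "flagged"    # still used for routing, at reduced priority
    EXCLUDED = "excluded"  # terminal, as in Figure 475.2


@dataclass
class NodeReputation:
    reputation: float = 1.0
    state: State = State.TRUSTED

    def update(self, forwarded: int, requested: int) -> float:
        """Fold one monitoring interval into the EWMA and update the state."""
        if not 0 <= forwarded <= requested:
            raise ValueError("need 0 <= forwarded <= requested")
        if self.state is State.EXCLUDED or requested == 0:
            return self.reputation  # no traffic routed to it, nothing observed
        ratio = forwarded / requested
        self.reputation = ratio * ALPHA + self.reputation * (1 - ALPHA)
        if self.reputation < EXCLUDE_BELOW:
            self.state = State.EXCLUDED
        elif self.reputation > RESTORE_ABOVE:
            self.state = State.TRUSTED
        else:
            self.state = State.FLAGGED  # assumption: the band in between is flagged
        return self.reputation


def intervals_until_exclusion(start: float, ratio: float,
                              max_intervals: int = 1000) -> Optional[int]:
    """Intervals a node can sustain `ratio` before exclusion; None if never.

    For a constant ratio r, R_n = r + (R_0 - r) * (1 - ALPHA) ** n, so the
    reputation converges to r and only crosses the threshold if r is below it.
    """
    node = NodeReputation(reputation=start)
    for n in range(1, max_intervals + 1):
        node.update(forwarded=round(ratio * 1000), requested=1000)
        if node.state is State.EXCLUDED:
            return n
    return None


if __name__ == "__main__":
    node17 = NodeReputation(reputation=0.85)  # Node 17 from the worked example
    for interval in range(1, 5):
        r = node17.update(forwarded=48, requested=80)
        print(f"interval {interval}: R = {r:.3f} ({node17.state.value})")
    for label, ratio in (("60% forwarder", 0.60), ("40% forwarder", 0.40),
                         ("black hole", 0.0)):
        print(label, "->", intervals_until_exclusion(0.85, ratio))
```

Starting from 0.85, a node that keeps forwarding 60% settles at 0.60 and stays flagged, one that sustains 40% is excluded after five intervals, and one that drops everything is excluded after two.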

475.4.4 Incentive Mechanisms

  1. Tit-for-tat: “I forward for you only if you forward for me”
  2. Virtual currency: Nodes earn credits by forwarding, spend credits to send
  3. Reciprocity: Track bilateral cooperation ratios
  4. Exclusion threat: Selfish nodes lose network access for their own traffic

475.5 Malicious Nodes

Time: ~15 min | Difficulty: Intermediate | Unit: P05.C14.U05

Definition:
Nodes deliberately disrupting network operation through active attacks

%% fig-alt: "Malicious node attack taxonomy showing five attack types: black hole, selective forwarding, sinkhole, wormhole, and Sybil attacks"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TB
    Malicious["Malicious Node<br/>(Compromised)"]

    BlackHole["Black Hole Attack<br/>Drop ALL packets"]
    Selective["Selective Forwarding<br/>Drop specific packets"]
    Sinkhole["Sinkhole Attack<br/>Attract traffic, then drop"]
    Wormhole["Wormhole Attack<br/>Tunnel packets via colluding nodes"]
    Sybil["Sybil Attack<br/>Present multiple fake identities"]

    Malicious --> BlackHole
    Malicious --> Selective
    Malicious --> Sinkhole
    Malicious --> Wormhole
    Malicious --> Sybil

    BlackHole --> Impact["Network Impact:<br/>Data loss<br/>Routing failures<br/>False information<br/>System compromise"]
    Selective --> Impact
    Sinkhole --> Impact
    Wormhole --> Impact
    Sybil --> Impact

    style Malicious fill:#C0392B,stroke:#2C3E50,color:#fff
    style BlackHole fill:#E67E22,stroke:#2C3E50,color:#fff
    style Selective fill:#E67E22,stroke:#2C3E50,color:#fff
    style Sinkhole fill:#E67E22,stroke:#2C3E50,color:#fff
    style Wormhole fill:#E67E22,stroke:#2C3E50,color:#fff
    style Sybil fill:#E67E22,stroke:#2C3E50,color:#fff
    style Impact fill:#C0392B,stroke:#2C3E50,color:#fff

Figure 475.3: Malicious node attack taxonomy

This variant maps attack types to the network layer they target and the defense mechanisms required:

%% fig-alt: "Layered security diagram showing malicious attacks mapped to OSI layers and defenses"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
flowchart TB
    subgraph AppLayer["Application Layer Attacks"]
        Sybil["Sybil Attack<br/>Fake Identities"]
        DataFalsify["Data Falsification<br/>Corrupt Readings"]
    end

    subgraph NetworkLayer["Network Layer Attacks"]
        BlackHole["Black Hole<br/>Drop All"]
        Sinkhole["Sinkhole<br/>Attract + Drop"]
        Wormhole["Wormhole<br/>Tunnel Packets"]
    end

    subgraph LinkLayer["Link Layer Attacks"]
        Collision["Collision<br/>Manipulation"]
    end

    subgraph PhysLayer["Physical Layer Attacks"]
        Jamming["RF Jamming<br/>Deny Service"]
    end

    subgraph Defenses["Defense Mechanisms"]
        D1["Identity Verification<br/>PKI, Resource Testing"]
        D2["Anomaly Detection<br/>Statistical Filtering"]
        D3["Secure Routing<br/>Authenticated Updates"]
        D4["Geographic Verification<br/>Timing Analysis"]
        D5["Secure MAC<br/>Authentication"]
        D6["Spread Spectrum<br/>Frequency Hopping"]
    end

    Sybil -.-> D1
    DataFalsify -.-> D2
    BlackHole -.-> D3
    Sinkhole -.-> D3
    Wormhole -.-> D4
    Collision -.-> D5
    Jamming -.-> D6

    style AppLayer fill:#C0392B,stroke:#2C3E50,color:#fff
    style NetworkLayer fill:#E67E22,stroke:#2C3E50,color:#fff
    style LinkLayer fill:#F39C12,stroke:#2C3E50,color:#fff
    style PhysLayer fill:#7F8C8D,stroke:#2C3E50,color:#fff
    style Defenses fill:#16A085,stroke:#2C3E50,color:#fff

Security Implementation Priority: Network layer attacks (black hole, sinkhole, wormhole) are most common in WSNs. Implement secure routing with authenticated updates as the first line of defense.

475.5.1 Black Hole Attack

%% fig-alt: "Black hole attack: malicious node advertises optimal route attracting packets from nodes A, B, and C, then drops all packets"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph LR
    NodeA["Node A<br/>(Source)"] --> |"Packet sent"| BlackHole["Black Hole<br/>(Advertises best route)"]
    NodeB["Node B"] --> |"Packet sent"| BlackHole
    NodeC["Node C"] --> |"Packet sent"| BlackHole

    BlackHole -.->|"ALL packets<br/>DROPPED"| Void["Void<br/>(No forwarding)"]

    Gateway["Gateway<br/>(Should receive)"]

    BlackHole -.->|"Should forward but does not"| Gateway

    style NodeA fill:#16A085,stroke:#2C3E50,color:#fff
    style NodeB fill:#16A085,stroke:#2C3E50,color:#fff
    style NodeC fill:#16A085,stroke:#2C3E50,color:#fff
    style BlackHole fill:#C0392B,stroke:#2C3E50,color:#fff
    style Void fill:#7F8C8D,stroke:#2C3E50,color:#fff
    style Gateway fill:#16A085,stroke:#2C3E50,color:#fff

Figure 475.4: Black hole attack illustration

Characteristics:

  • Advertises false “best routes” to attract traffic
  • Drops all received packets silently
  • Creates routing black hole (packets disappear)

Impact:

  • Denial of service (communications fail)
  • Energy waste (sources keep retransmitting)
  • Possible data theft (attacker sees packet contents before dropping)

475.5.2 Sinkhole Attack

The attacker makes itself appear attractive as a routing parent:

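// Example: Malicious node advertising false routing metrics
// Declarations below are assumed so the snippet compiles; field widths are illustrative.
#include <stdint.h>

typedef struct {
    uint16_t node_id;
    uint8_t  distance_to_gateway;  // hops
    uint8_t  link_quality;         // 0-255
    uint8_t  battery;              // percent
} RoutingPacket;

extern uint16_t attacker_id;                            // defined elsewhere
void broadcastRoutingUpdate(const RoutingPacket *pkt);  // provided by the routing stack
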
void maliciousSinkholeAdvertisement() {
    RoutingPacket fake_ad;

    fake_ad.node_id = attacker_id;
    fake_ad.distance_to_gateway = 1;  // LIE: Claim 1-hop to gateway
    fake_ad.link_quality = 255;       // LIE: Perfect link
    fake_ad.battery = 100;            // LIE: Full battery

    // Broadcast fake advertisement
    broadcastRoutingUpdate(&fake_ad);

    // Result: Many nodes will choose attacker as parent
    // Attacker can now eavesdrop, drop, or modify their traffic
}

475.5.3 Wormhole Attack

Two colluding attackers create a “tunnel” to confuse routing:

%% fig-alt: "Wormhole attack: two colluding malicious nodes in distant areas connected via private link appearing as single hop"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TB
    subgraph Area1["Area 1 (Left side)"]
        N1["Node 1"]
        N2["Node 2"]
        M1["Malicious M1<br/>(Wormhole endpoint)"]
    end

    subgraph Area2["Area 2 (Right side)"]
        M2["Malicious M2<br/>(Wormhole endpoint)"]
        N3["Node 3"]
        Gateway["Gateway"]
    end

    N1 --> M1
    N2 --> M1

    M1 ===|"Private Link<br/>(Ethernet/Wi-Fi/LTE)<br/>Appears as 1 hop"| M2

    M2 --> Gateway
    N3 --> Gateway

    style N1 fill:#16A085,stroke:#2C3E50,color:#fff
    style N2 fill:#16A085,stroke:#2C3E50,color:#fff
    style N3 fill:#16A085,stroke:#2C3E50,color:#fff
    style M1 fill:#C0392B,stroke:#2C3E50,color:#fff
    style M2 fill:#C0392B,stroke:#2C3E50,color:#fff
    style Gateway fill:#16A085,stroke:#2C3E50,color:#fff

Figure 475.5: Wormhole attack with colluding nodes

How it works:

  1. M1 and M2 collude (connected via out-of-band link: Ethernet, Wi-Fi, etc.)
  2. M1 captures packets in Area 1
  3. M1 tunnels packets to M2 via private link (appears to be 1 hop)
  4. M2 re-broadcasts in Area 2
  5. Result: Nodes think Areas 1 and 2 are adjacent (1-2 hops apart)
  6. Routing protocols converge on wormhole as “optimal” path
  7. Attackers can monitor, drop, or modify all tunneled traffic

475.5.4 Sybil Attack

A single malicious node presents multiple identities:

%% fig-alt: "Sybil attack: single physical malicious node creates five fake identities to control 71% of votes in consensus protocol"
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TB
    Physical["Physical Malicious Node<br/>(1 hardware device)"]

    ID1["Fake ID: Node-001<br/>Vote: YES"]
    ID2["Fake ID: Node-002<br/>Vote: YES"]
    ID3["Fake ID: Node-003<br/>Vote: YES"]
    ID4["Fake ID: Node-004<br/>Vote: YES"]
    ID5["Fake ID: Node-005<br/>Vote: YES"]

    Physical --> ID1
    Physical --> ID2
    Physical --> ID3
    Physical --> ID4
    Physical --> ID5

    Normal1["Normal Node<br/>Vote: NO"]
    Normal2["Normal Node<br/>Vote: NO"]

    Vote["Voting Result:<br/>YES: 5 votes (71%)<br/>NO: 2 votes (29%)<br/>Attacker controls majority!"]

    ID1 --> Vote
    ID2 --> Vote
    ID3 --> Vote
    ID4 --> Vote
    ID5 --> Vote
    Normal1 --> Vote
    Normal2 --> Vote

    style Physical fill:#C0392B,stroke:#2C3E50,color:#fff
    style ID1 fill:#E67E22,stroke:#2C3E50,color:#fff
    style ID2 fill:#E67E22,stroke:#2C3E50,color:#fff
    style ID3 fill:#E67E22,stroke:#2C3E50,color:#fff
    style ID4 fill:#E67E22,stroke:#2C3E50,color:#fff
    style ID5 fill:#E67E22,stroke:#2C3E50,color:#fff
    style Normal1 fill:#16A085,stroke:#2C3E50,color:#fff
    style Normal2 fill:#16A085,stroke:#2C3E50,color:#fff
    style Vote fill:#C0392B,stroke:#2C3E50,color:#fff

Figure 475.6: Sybil attack controlling voting through fake identities

Example:

  • Voting-based protocol: “90% of neighbors agree”
  • Attacker presents 9 fake identities
  • Attacker controls majority vote with single physical node

475.5.5 Mitigation Strategies

Table 475.1: Malicious Node Defenses
| Attack | Detection | Mitigation |
| --- | --- | --- |
| Black Hole | Monitor forwarding rates, consistency checks | Multi-path routing, reputation systems |
| Sinkhole | Verify routing metrics independently | Authenticated routing updates |
| Wormhole | Timing analysis (tunneled packets arrive too fast) | Geographic/timing constraints |
| Sybil | Identity verification, resource testing | PKI, physical verification |
| Jamming | Detect high collision rates | Frequency hopping, spread spectrum |
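
A receiver-side check for the sinkhole row, combining authenticated routing updates with an independent plausibility test of the advertised metric (an added example, not code from the original chapter). The frame layout, per-node pre-shared keys, the sequence number and the "median minus two hops" rule are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from statistics import median

# Assumed wire format: node_id, distance_to_gateway, link_quality, battery, seq
ADV_FORMAT = ">HBBBI"
ADV_LEN = struct.calcsize(ADV_FORMAT)
TAG_LEN = hashlib.sha256().digest_size


def pack_advert(key: bytes, node_id: int, distance: int, link_quality: int,
                battery: int, seq: int) -> bytes:
    """Serialize a routing advertisement and append its HMAC-SHA256 tag."""
    body = struct.pack(ADV_FORMAT, node_id, distance, link_quality, battery, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AdvertVerifier:
    def __init__(self, node_keys: dict, hop_slack: int = 2):
        self.node_keys = node_keys  # node_id -> key, assumed provisioned at deployment
        self.hop_slack = hop_slack
        self.last_seq = {}          # highest sequence number seen per node
        self.distances = {}         # last accepted hop count per neighbor

    def check(self, frame: bytes) -> str:
        if len(frame) != ADV_LEN + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:ADV_LEN], frame[ADV_LEN:]
        node_id, distance, _lq, _battery, seq = struct.unpack(ADV_FORMAT, body)
        key = self.node_keys.get(node_id)
        if key is None:
            return "reject: unknown node"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"
        if seq <= self.last_seq.get(node_id, -1):
            return "reject: replay"
        self.last_seq[node_id] = seq
        # A valid MAC proves who sent the metric, not that it is true.
        # Two neighbors of this receiver are at most two hops apart, so with
        # bidirectional links their true hop counts differ by at most 2.
        others = [d for n, d in self.distances.items() if n != node_id]
        if others and distance < median(others) - self.hop_slack:
            return "reject: implausible distance"
        self.distances[node_id] = distance
        return "accept"


def run_constructed_exchange() -> list:
    """Constructed frames: honest neighbors, a forgery, a replay, a lying insider."""
    keys = {1: b"k1-constructed", 2: b"k2-constructed",
            3: b"k3-constructed", 66: b"k66-constructed"}
    verifier = AdvertVerifier(keys)
    honest = [pack_advert(keys[1], 1, 5, 180, 70, seq=1),
              pack_advert(keys[2], 2, 6, 150, 55, seq=1),
              pack_advert(keys[3], 3, 5, 200, 80, seq=1)]
    frames = honest + [
        pack_advert(b"not-node-1-key", 1, 1, 255, 100, seq=2),  # forged sender
        honest[1],                                              # replayed frame
        pack_advert(keys[66], 66, 1, 255, 100, seq=1),  # valid key, false metric
        pack_advert(keys[66], 66, 4, 160, 90, seq=2),   # same node, plausible claim
    ]
    return [verifier.check(f) for f in frames]


if __name__ == "__main__":
    for result in run_constructed_exchange():
        print(result)
```

The sixth frame carries the same values as the advertisement in Section 475.5.2 under a valid key, so only the plausibility check catches it; authentication alone stops outsiders, not a compromised node.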

475.6 Knowledge Check

Question 1: A reputation system monitors nodes and calculates: Reputation = (Packets_forwarded / Packets_requested) x 0.3 + Previous_reputation x 0.7. Node A was asked to forward 100 packets, forwarded 60, and had previous reputation 0.8. What happens?

Calculate: Current_ratio = 60/100 = 0.6. New_reputation = 0.6 x 0.3 + 0.8 x 0.7 = 0.18 + 0.56 = 0.74. The reputation dropped from 0.8 to 0.74 due to poor forwarding (only 60%). This is not catastrophic yet (threshold for exclusion is typically less than 0.5), but the node is now flagged for monitoring.

Question 2: A node forwards 95% of packets when neighbors monitor it, but drops to 50% when unmonitored, while still reliably transmitting its own sensor data. What is the most likely classification?

Selfish nodes are conditionally cooperative (they forward more when monitored) to preserve their own lifetime. Malicious nodes tend to drop regardless of monitoring, and failed nodes typically cannot forward or transmit reliably.

Question 3: A node with a 5000 mAh battery consumes 50 mAh/hour for its own sensing and transmission. If it forwards packets for neighbors, it consumes an additional 30 mAh/hour. What is the lifetime difference between cooperative and selfish behavior?

Cooperative node: Total consumption = 50 + 30 = 80 mAh/hour. Lifetime = 5000 / 80 = 62.5 hours. Selfish node: Consumption = 50 mAh/hour (refuses to relay). Lifetime = 5000 / 50 = 100 hours. The selfish node gains 60% more lifetime by refusing to forward packets. This demonstrates the tragedy of the commons.

Question 4: Which attack involves two colluding nodes that create a “shortcut” tunnel through an out-of-band connection, making distant network areas appear adjacent?

A wormhole attack uses two colluding nodes connected via a private link (Ethernet, Wi-Fi, or cellular). Packets captured by one node are tunneled to the other and re-broadcast, making the wormhole appear as the shortest path. This confuses routing protocols into sending traffic through the malicious tunnel.

Scenario: In a WSN, Node X forwards only 40% of packets it is asked to relay. Neighbor nodes calculate X’s reputation = 0.40 (below 0.50 threshold). Node X claims its battery is at 15% and it is conserving energy for its own critical sensing tasks.

Think about:

  1. Is Node X selfish (rational energy conservation) or malicious (active attack)?
  2. How can the network verify X’s battery claim?
  3. What is the appropriate response: exclusion, reduced trust, or full cooperation?

Key Insight: Node X is likely selfish, not malicious, but verification is crucial.

Distinguishing selfish vs malicious:

  1. Selfish nodes preserve energy for self-interest but respond predictably - forward when monitored, drop when unmonitored
  2. Malicious nodes actively attack regardless of monitoring - may forward 0% or selectively drop critical packets

Verification strategies:

  1. Cross-check battery reports: Monitor X’s transmission power. Strong signal with claimed low battery = lying (malicious)
  2. Monitor duty cycle: Selfish nodes extend sleep periods. Malicious nodes maintain normal activity but drop packets
  3. Behavioral consistency: Offer cooperation incentives. Selfish nodes accept; malicious nodes refuse

Appropriate response:

  • If selfish: Gradual exclusion - route less traffic through X, reserve X’s energy for its own sensing
  • If malicious: Immediate exclusion - broadcast warning to all neighbors

475.7 Summary

This chapter covered intentional misbehavior in wireless sensor networks:

  • Selfish Nodes: Nodes that prioritize energy conservation over network cooperation, with 40-60% forwarding rates and conditional cooperation when monitored
  • Economic Rationality: Selfish behavior can extend node lifetime by 60% or more, creating a tragedy of the commons
  • Reputation Systems: EWMA-based reputation tracking with gradual degradation preventing false positives while catching persistent selfishness
  • Incentive Mechanisms: Tit-for-tat, virtual currency, reciprocity, and exclusion threats to encourage cooperation
  • Malicious Attacks: Black hole, sinkhole, wormhole, and Sybil attacks with their characteristics and impacts
  • Defense Strategies: Multi-path routing, authenticated updates, timing analysis, and PKI for identity verification

The key distinction is that selfish nodes respond to incentives while malicious nodes require cryptographic defenses.

475.8 What’s Next

The next chapter explores Dumb Nodes and Connectivity Recovery, covering temporary communication failures caused by environmental factors and the CoRD/CoRAD schemes for recovering data from isolated nodes using mobile relays and drones.