ATAW-TM: An Adaptive, Threshold-Free, and Automatically Weighted Trust Model for Mitigating Multiple Types of Denial-of-Service Attacks in Software-Defined Wireless Sensor Networks

1. Introduction

A wireless sensor network (WSN) comprises spatially distributed sensor nodes which include sensing, data processing, and communication components [1]. These nodes self-organize to create a multi-hop wireless network. The sensors can be used to detect and collect environmental or physical data, such as humidity, sound, and temperature. These data is transmitted through the network to a centralized hub (a base station or a sink node) and subsequently forwarded to an Internet-based server for analysis and processing. WSNs are widely used in a large variety of applications including military, environmental monitoring, smart homes, agriculture, animal husbandry, and health monitoring.

With Internet of Things (IoT) technology continuously to evolving, WSNs have become more widely used. At the same time their various limitations have become more and more obvious, such as when applications that require the WSNs to be tailored to meet unique functional and performance requirements, and the nodes are self-configuring distributed management. These limitations create challenges in terms of dynamic network management, scalability and node recycling. Incorporating the concept of Software-Defined Networking (SDN) (which facilitates more dynamic and manageable network operations through the functional separation of the control and the forwarding planes) into WSNs has helped meet these challenges and given g rise to a new type of WSNs: Software-Defined Wireless Sensor Networks (SDWSNs) [2]. Figure 1 presents the basic structure of an SDWSN, which includes a data plane and an application plane, and a central controller [3].

SDWSNs combine the flexibility of SDNs with the specific features of WSNs , which makes SDWSNs suitable for a broad range of applications. Compared to WSNs, SDWSNs have the following advantages [3,4]:

• Flexibility and Programmability

SDWSNs provide increased flexibility and programmability through segregating control plane activities from the data plane. The decoupling supports network adjustments and optimization in response to on real-time requirements.

2.

Centralized Management

SDWSNs enable centralized management including network configuration. The behavior and data flow of sensor nodes is coordinated by SDN controllers which improves network management efficiency.

3.

Dynamic Optimization

The control layer enables SDWSNs to optimize dynamically the se of network resources and to adjust data routing strategies. This improves network performance and reliability.

4.

Enhanced scalability

The entire set of sensor nodes across the data plane is visible to the central controller which facilitates efficient network management. This is especially beneficial in the case of large-scale network expansion.

As the IoT technology continues to advance, WSNs and SDWSNs are becoming widespread across the globe. However, they remain susceptible to denial-of-service (DoS) attacks. This is especially important in scenarios where WSNs are utilized for mission-critical applications. Despite extensive research on DoS attacks affecting the Internet and the development of various countermeasures, conventional security controls are often inadequate for WSNs and WSDWSNs. This inadequacy is due to some of their specific characteristics such as resource limitations, energy constraints, open wireless communications, and dynamic topology [1,5,6].

Trust models, which establishes a network of trust among entities by evaluating and predicting their behavior based on observed interactions [7], can provide effective defense against DoS attacks under uncertain conditions. These models consider node behavior and reputation when making decisions about trustworthiness (similar to how trust and reputation are established in the context of human behavior, through continuous interaction and observation . .

Trust models in WSNs have gained increasing recognition and have been widely studied. Numerous trust models have been proposed, with some specifically addressing the challenges of DoS attacks. However, trust models in WSNs are still new and haven’t set any standards yet [8,9]. There has been extensive research on mechanisms leveraging trust evaluation to defend against DoS threats in traditional WSN environments [7,10], especially in in addressing threshold limitations in trust evaluation [11,12], the assignment of weights to trust metrics [13,14,15,16], and the loss of trust information [12,17,18,19,20].

This study addresses the research gaps above in the context of SDWSNs. It explores the design of innovative trust mechanism applicable to SDWSNs and proposes a solution that advances WSN security and facilitates their integration of SDWSNs into IoT and other applications. This s study makes the following research contributions:

• A combined method of outlier detection and the Bayesian Beta approach to calculate direct trust values within the layered architecture of SDWSNs trust model. This approach eliminates the dependency on threshold-setting algorithms that rely on network administrators’ prior knowledge of specific SDWSNs.
• A method for integrating reciprocal weighting and entropy-based weighting to automatically assign adaptive weights to various trust metrics across the control and data planes of SDWSNs. This approach eliminates the inaccuracies in combined trust value calculations caused by fixed weights and the difficulties users face in assigning weights.
• A method for referencing the logistic function that converts the difference between historical combined trust values and current combined trust values into an aging factor. Within the centralized control framework of SDWSNs, this allows for dynamic automatic adjustment of the aging factor. Consequently, when a node exhibits malicious behavior, its trust value decreases rapidly, and when it returns to normal behavior, its trust value increases slowly.
• A trust information retrieval mechanism tailored for SDWSNs’ hierarchical structure that enables both member nodes and cluster head (CH) nodes to quickly recover lost trust information from the controller or cluster level. This feature leverages the centralized control and global visibility of SDWSNs to ensure the robustness and resilience of the trust management system after information loss.

The structure of the remainder of this paper is as follows: Section 2 provides an overview of related work. Section 3 presents the proposed trust model (ATAW-TM). Section 4 analyses ATAW-TM within the context of existing literature, highlighting its contributions. Section 5 discusses the results and concludes the paper; directions for future research are also outlines.

2. Related Work

There has been extensive research on mechanisms leveraging trust evaluation to defend against DoS threats in traditional WSN environments, including the identification of trust evidence necessary for trust models to effectively detect DoS attacks [13,17,21,22], developing methods for trust evidence extraction [23,24,25], and the trust computing techniques that facilitate the design of robust and reliable trust mechanisms to defend against DoS attacks [18,26,27]. In our extensive literature review [10] we identified existing approaches and challenges in developing adaptive trust mechanisms for detecting and defending WSNs against diverse DoS threats. However, research on using trust-driven approaches to address DoS vulnerabilities in SDWSNs remains limited, with only four studies available to date, including [12,28,29,30].

2.1. ETMRM: Trus-Based Routing and Management

In 2018, Wang et al. [12] developed a trust-based routing and management scheme (ETMRM) that was designed to enhance energy efficiency in SDWSNs, aimed at mitigating new flow attacks and selective forwarding attacks. This study leverages trust management methodologies initially designed for conventional WSNs. These techniques are combined with SDN flow tables and reporting mechanisms. The integration is carried out within the SDN-WISE model [31,32], an SDN-based framework for wireless sensor networks. Through this approach, the study establishes an initial trust model specifically designed for SDWSNs. This model has seven steps: recording trust, evaluating local trust, reporting trust, combining trust value, evaluating global trust, finding and isolating malicious nodes, and calculating routes based on trust.

To collect trust evidence, the trust record leverages an enhanced flow table to monitor successful and unsuccessful transmissions, encompassing both data and control packets, as well as new flow packets that do not align with existing rules. During the local trust evaluation phase, forwarding trust is determined using a Bayesian Beta approach, while new flow trust is assessed through a threshold-limiting technique. Nodes compile their local trust values for all neighbors into SDN-WISE messages, which are subsequently sent to an aggregation node. This node consolidates the data and relays it to the controller. The controller evaluates network-wide trust scores, identifies nodes exhibiting malicious behavior, and issues packet drop policies to neighboring nodes impacted by the threat. When a new flow packet arrives, handling of the relevant rule request is delegated to the controller. It determines the routing path by referencing trust values, Taking into account the node’s network-wide trust score and remaining energy level.

The model has undergone prototyping, with experimental results demonstrating its capability to mitigate the effects of new flow and selective forwarding attacks while ensuring more balanced energy consumption. Nevertheless, the model evaluates trust solely within a single cycle during the local calculation phase, disregarding historical trust data. Incorporating past behaviors could enhance the robustness of trust assessments. Furthermore, the model’s defense is limited to control plane DoS attacks (new flow attacks) and does not address data plane DoS attacks, as it lacks mechanisms to log and analyze non-new flow data packets.

2.2. Hierarchical Trust Managemewnrt for Secure Communication

Bin-Yahya et al. [28,29] proposed a hierarchical trust management scheme (HTM) for secure communications in SDWSNs. This model calculates and records the trustworthiness of each node at various levels (node, CH, and controller) to promptly detect malicious nodes. In this approach, distinct trust values are maintained for control traffic and data traffic, where the trust evidence is derived from metrics including successful versus unsuccessful forwarding of control and data messages, together with their associated transmission rates.

Forwarding trust is assessed using a Bayesian method, while sending trust is evaluated through a threshold-limiting technique. Each node computes trust values for its neighbors and initiates trust update messages. The cluster head aggregates these updates, forwards them to the sink node, and finally transmits them to the controller. Trust aggregation is performed at both the cluster head and controller levels, with lower weights assigned to outliers based on score reliability during the aggregation process. To enhance responsiveness to malicious activities, the scheme integrates reward and penalty factors into the Bayesian model. It also capitalizes on specific characteristics of SDWSNs, such as leveraging flow table statistics collected by the controller and using designated control messages to evaluate intermediate nodes’ behavior. This scheme demonstrates high effectiveness in detecting a range of attacks and shows superior performance compared to ETMRM [12] in detecting DoS attacks.

2.3. Trust Managemenbt Framework with an Intrusion Detections System

Isong et al. [30] introduced an innovative Trust Management Framework (TMF) tailored for SDWSNs. This scheme incorporates two levels of trust evaluation: sensor-to-sensor (S2S) and controller-to-sensor (C2S) trust. It is structured into three key components: the information tracking component, the trust evaluation component, and the control logic component. The information tracking component gathers data from two sources: packet forwarding information collected via the sink node and network statistics obtained from the controller. This information is retained by both the controller and the sink node for further analysis. The trust evaluation component calculates trust score through both observed and inferred methods. The observed trust relies on the quantity of packets individual node successfully forwards and receives, while inferred trust is derived through traffic data analyzed by an Intrusion Detection System (IDS) model. To ensure continuous monitoring, the controller periodically retrieves statistical data from all network nodes. Finally, the decision-making unit utilizes the computed trust values to determine appropriate actions, such as isolating or monitoring nodes identified as malicious. This systematic approach allows the framework to enhance security by effectively detecting and addressing potential threats.

2.4. Research Gaps

A major limitation of the models reviewed above is the lack of focus on the integrity of the trust evidence. Moreover, the impact of variations in communication channel conditions on the reliability and precision of trust assessment is overlooked by all above existing approaches. Additionally, the first two models implemented and evaluated models have three research gaps we previously identified: setting threshold in trust evaluation, assigning weights to trust metrics, and addressing the loss of trust information. In the last model, the responsibility for trust evaluation is delegated to the IDS module, but the specific evaluation methods within the IDS module are not discussed in depth. Furthermore, this model has not yet been implemented or evaluated.

3. Materials and Methods

The proposed Adaptive, Threshold-Free, and Automatically Weighted Trust Model (ATAW-TM) is a trust model specifically designed for SDWSNs to detect DoS attacks within these networks. It eliminates the reliance on human prior knowledge during application, enhancing its usability, and incorporates trust information backup and rapid recovery mechanisms to improve stability. The model is implemented using SDN-WISE as the underlying architecture, with the SDN controller embedded within the sink node to simplify network design and reduce overhead.

ATAW-TM adopts a three-tier hierarchical architecture, comprising the node level, cluster head (CH) level, and controller level. Each level contributes to a layered and cooperative trust evaluation and decision-making process. An overview of the ATAW-TM is presented in Figure 2.

At the node level, each sensor node performs its own node-level evaluation process. First, start a timer for trust evaluation to perform periodic trust assessments. Second, nodes are tasked with extracting trust evidence and performing direct trust computation locally. At the beginning of each trust evaluation, assess the link quality between the node and its neighboring nodes. If the link quality is good, continue with the evaluation process; if the communication link becomes unstable or weak, wait for the next evaluation round. During the evaluation, nodes extract trust evidence and compute the direct trust value locally. Trust evidence encompasses communication, energy, and data indicators. Communication-related trust indicators include metrics such as the transmission and reception rates of both data and control packets, as well as their respective forwarding rates. These indicators were identified in [10] as the eight types of trust evidence, including data packets sending rate (DSR), control packets sending rate (CSR), data packets receiving rate (DRR), control packets receiving rate (CRR), data packets forwarding rate (DFR), control packets forwarding rate (CFR), energy consumption rate (ECR) and data accuracy (DA).

Next, each direct trust value corresponding to these metrics is then employed to calculate the combined trust value through an automatic weighting algorithm that integrates the direct trust values derived from individual metrics. The historical and current trust metrics are weighed using an aging factor to reflect temporal relevance, resulting in the local trust value. Finally, nodes periodically send their local trust value to the CH of its respective cluster.

The CH is responsible for collecting the local trust value reported by each node and forwarding the report message to the controller. It calculates the aggregated trust value by weighted averaging of the local trust values received from each node using its s own calculated local trust value, and relays l trust values to the controller to the controller. The CH uses the aggregated trust value to recognize node maliciousness. Subsequently, it halts forwarding any messages to and from malicious nodes., thus segregating detected malicious nodes .

The controller, positioned within the sink node, gathers trust values from all nodes and computes their aggregated trust values from a global perspective. It identifies malicious nodes according to their aggregated trust scores. It then adjusts the flow rules to isolate the identified malicious nodes.

3.1. Node Level Operations: Extracting Trust Evidence

3.1.1. Assessing the Link Quality

Before each trust evaluation, it assesses the quality of connections linking the node with its neighboring nodes to avoid low link quality affecting the trustworthiness scores of legitimate nodes. Because of the openness of WSNs’ wireless communication, the links between sensor nodes are unstable and can be influenced by the environment. With low-quality link, the communication capability decreases causing reductions in the rates of packet transmission, reception, and forwarding, resulting in a lower calculated trust value.

In ATAW-TM , we use the method proposed in [14] to evaluate link quality, which relies on the Link Quality Indicator (LQI). In the widely adopted CC2420 radio, the LQI is calculated from the first eight symbols of a received packet, ranging between 0 and 255. The proposed method involves the evaluation node collecting LQI data over a specific period of time, followed by the calculation of the mean value. If the calculated mean surpasses the threshold, such as 220, the link is considered normal and the evaluation process continues. If the mean value is below the threshold, the link is considered unstable and the assessment is temporarily halted and resumed in the next cycle to re-evaluate the link quality.

3.1.2. Extracting Trust Evidence

Figure 3 below illustrates the trust evidence included in our trust model, along with the corresponding extraction methods.

The rates at which data and control packets are sent and received are extracted using the sensor node’s promiscuous receiving mode. When this mode is enabled, any packet within the node’s receiving range (whether intended for it or another node) is processed. The packet count for a given node is incremented by one whenever a data or control packet from that node is identified. Additionally, by examining each incoming packet’s destination address and type, the system determines the target node and updates its associated count.

The forwarding rates for data and control packets are determined using listening methods as follows. Promiscuous receiving mode is activated on the sensor node to allow the capture of all surrounding traffic. Once the node is ready to monitor forwarding behavior, it transmits a packet and starts a watchdog timer. During this monitoring window, the node observes the actions of the intended recipient. A successful forwarding is recorded if the target recipient relays the packet prior to the expiration of the timer; otherwise, a failed relaying is logged. Furthermore, to assess the control packet forwarding rate, the ACK-based mechanism can be employed as a supplementary technique alongside the listening method. Forwarding is considered successful if the forwarded packet or its corresponding ACK message is detected.

Using remaining energy information embedded in beacon messages, the ECR of a node is calculated. This rate is then compared to the ECR of other nodes to identify any differences.

For data trust evidence, the sensor node collects readings from all its neighboring nodes using promiscuous receiving mode. It then determines data deviation by comparing these readings with the neighborhood data references.

3.2. Node Level Operations: Calculating, Updating and Reporting Trust Values

3.2.1. The Process of Direct Trust Value Calculation

To overcome the obstacle of threshold setting in the threshold limitation approach that relies on the network administrator’s a priori knowledge of the particular network, we assign an cooperation probability to each value through the outlier detection method when calculating the direct trust values for DSR, CSR, DRR, CRR, ECR and DA, and then use the Bayesian beta method to derive the direct trust values.

By contrast, the forwarding-related metrics, DFR and CFR, represent fundamentally different types of evidence. Forwarding is not a continuous measure but a discrete binary event: a packet is either forwarded successfully, or it is not. Consequently, it is neither meaningful nor necessary to compute a probabilistic cooperation value based on distributional assumptions. Instead, forwarding trust is modeled using a binary assignment, where successful forwarding (observed through listening or ACK mechanisms) is assigned a cooperation value of 1, and unsuccessful forwarding is assigned a value of 0. These binary outcomes are then directly incorporated into the Bayesian Beta method. The processes of direct trust value calculation are shown in Figure 4.

The evaluation is conducted over a defined period of time using the following framework for each metric. At the start of an evaluation period, we initialize the Beta distribution parameters for each metric: the count of cooperative interactions ($\mathsf{\alpha }$) and the count of non-cooperative interactions ($\beta$). These two parameters form the basis for calculating trust values. The initial state for all nodes and all metrics is set to zero ($\alpha$ = 0, $\beta$ = 0), indicating no prior history.

Next, the node collects trust metric datasets for each metric. The cooperation probability ($p$) is calculated using a Gaussian distribution model based on the collected trust metric datasets. This allows the node to determine the likelihood that its neighbours are behaving cooperatively. It is used to update the $\alpha$ and $\beta$ parameters. The direct trust value ($T$) is computed from $\alpha$ and $\beta$ as the expected value of the Beta distribution at the end of the period, representing the trustworthiness of a node in a specific metric.

3.2.2. The Method of Cooperation Probability Calculation

Multiple studies, through experiments or simulations, have verified that in WSNs where node behavior is independent, homogeneous, and static, the traffic of nodes and the collected sample data approximately follow a Gaussian distribution when the number of nodes is large enough [33,34,35]. Therefore, we adopt a cooperation probability calculation method based on Gaussian distribution.

Let’s assume the evaluation node is node $i$, and the set of all $n$ neighboring nodes being evaluated is represented as $j = \{1, 2, 3, \dots , n\}$. In an evaluation period, node $i$ monitors its neighbours to build datasets for calculating the cooperation probabilities. The specific data collected for each metric is outlined in the Table 1.

This method assumes that the data follows a Gaussian distribution, meaning most data points are concentrated around the mean, and the probability of data points appearing decreases as they deviate further from the mean. Assume the data sample set collected by the sensor node is $X=\left\{x_1, x_2, \dots , x_n\right\}$. First, it is necessary to calculate the mean $\mu$ and standard deviation $\mathsf{\sigma }$ of the dataset as shown in Equation 1 and Equation 2,

$$\mu ={\displaystyle \frac{1}{n}}\sum _{i=1}^n{x}_i$$

(1)

$$\mathsf{\sigma }=\sqrt{{\displaystyle \frac{1}{n}}\sum _{i=1}^n{\left(x_i-\mu \right)}^2}$$

(2)

which are the basic parameters required for calculating the Gaussian distribution. For each data point $x$, the probability density value $P\left(x\right)$ can be calculated using the Gaussian distribution probability density function as shown in Equation 3:

$$P\left(x\right)={\displaystyle \frac{1}{\sigma \sqrt{2\pi }}}\exp \left(-{\displaystyle \frac{{\left(x-\mu \right)}^2}{2{\sigma }^2}}\right)$$

(3)

where ${\displaystyle \frac{1}{\sigma \sqrt{2\pi }}}$is the normalization constant of the Gaussian distribution, ensuring the total probability is 1, $\exp \left(-{\displaystyle \frac{{\left(x-\mu \right)}^2}{2{\sigma }^2}}\right)$is the probability density value for each data point, reflecting the degree of deviation of the data point from the mean. $P\left(x\right)$ is not the actual probability but the probability density value, indicating the relative frequency of occurrence near that point. The higher the density, the closer the data point is to the center (mean), and the higher the probability of occurrence; the lower the density, the further it is from the mean, possibly indicating an outlier. The curve of a Gaussian distribution probability density function is shown in Figure 5. In this figure, the mean (μ) is 50 and the standard deviation (σ) is 10.

Then, we define the cooperation probability of a data point as the ratio between its probability density and that of the mean, as shown in Equation 4,

$$P_{Co}\left(x\right)={\displaystyle \frac{P\left(x\right)}{P\left(\mu \right)}}=\exp \left(-{\displaystyle \frac{{\left(x-\mu \right)}^2}{2{\sigma }^2}}\right)$$

(4)

where $P_{Co}\left(x\right)$represents the cooperation probability of $x$. The function curve of our cooperation probability is shown in Figure 6. In this figure, the value of paraments μ and σ are the same as Figure 5.

From this figure, we can see the range of the cooperation probability is from 0 to 1. The closer the value is to the mean, the closer its cooperation probability is to 1; the further away from the mean, the closer its cooperation probability is to 0.

Since a single node $j$ sends multiple data packets ($m$ packets, where $m$ varies per node), a unique method is used to compute its overall DA cooperation probability. The final $P_{Co\_ij}^{da}$ for a node is the arithmetic mean of the cooperation probabilities calculated for each individual data packet it sent during the period as shown in Equation 5,

$$P_{Co\_ij}^{da}={\displaystyle \frac{\sum _{k=1}^m{P}_{Co\_ij\_k}^{da}}{m}}$$

(5)

where $P_{Co\_ij}^{da}$ represent the DA cooperation probability of node $j$, $P_{Co\_ij\_k}^{da}$ represent the cooperation probability of the DA for the $k^{th}$ data transmitted by node $j$, $m$ represents the total number of items sent by node $j$ during the evaluation period.

3.2.3. The Method of Direct Trust Value Calculation

The direct trust value is then computed using the classical Bayesian Beta approach. Ganeriwal et al. [7,36] provided a detailed investigation into how Bayesian formulations and Beta distributions can be applied to trust modelling within WSNs. They extended the cooperation metric from a binary rating to an interval rating, meaning it is no longer simply cooperative or non-cooperative but is a probability. They applied the Dirichlet process and derived that the parameter update formulas for binary ratings are similarly applicable to interval ratings. After a single transaction, if the assigned cooperation probability is $P_{Co\_j}$, the Beta parameters are updated as shown as Equation 6.

$${\alpha }_{ij}^{new}={\alpha }_{ij}+P_{Co\_ij}{\beta }_{ij}^{new}={\beta }_{ij}+1-P_{Co\_ij}$$

(6)

From the viewpoint of node $i$. The parameters ${\alpha }_{ij}$ and ${\beta }_{ij}$ characterize the cooperative and non-cooperative behaviours observed between nodes $i$ and $j$ at the initiation of a transaction. Similarly, ${\alpha }_{ij}^{new}$ and ${\beta }_{ij}^{new}$ characterize the cooperative and non-cooperative behaviours of nodes $i$ and $j$ as observed by node $i$ upon the completion of a single transaction. The trust score of the node $j$ computed from node $i$‘s perspective is the expected value of the beta distributions, which can be easily computed as shown in Equation 7.

$$T_{ij}=E\left(Beta\left\{{\alpha }_{ij},{\beta }_{ij}\right\}\right)={\displaystyle \frac{{\alpha }_{ij}}{{\alpha }_{ij}+{\beta }_{ij}}}$$

(7)

We consider the behaviour of sending or receiving packets within an evaluation period as a single transaction. By substituting Equation 6 into Equation 7, we can derive the method for calculating the direct trust values for DSR, CSR, DRR, CRR, ECR, and DA at the end of an evaluation period, as shown in Equations 8,

$$\begin{gathered} T_{ij}^{ds}={\displaystyle \frac{\left({\alpha }_{ij}^{ds}+P_{Co\_ij}^{ds}\right)}{\left({\alpha }_{ij}^{ds}+{\beta }_{ij}^{ds}+1\right)}} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} T_{ij}^{cs}={\displaystyle \frac{\left({\alpha }_{ij}^{cs}+P_{Co\_ij}^{cs}\right)}{\left({\alpha }_{ij}^{cs}+{\beta }_{ij}^{cs}+1\right)}} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} T_{ij}^{dr}={\displaystyle \frac{\left({\alpha }_{ij}^{dr}+P_{Co\_ij}^{dr}\right)}{\left({\alpha }_{ij}^{dr}+{\beta }_{ij}^{dr}+1\right)}} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} T_{ij}^{cr}={\displaystyle \frac{\left({\alpha }_{ij}^{cr}+P_{Co\_ij}^{cr}\right)}{\left({\alpha }_{ij}^{cr}+{\beta }_{ij}^{cr}+1\right)}} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} T_{ij}^{ec}={\displaystyle \frac{\left({\alpha }_{ij}^{ec}+P_{C{o}_{ij}}^{ec}\right)}{\left({\alpha }_{ij}^{ec}+{\beta }_{ij}^{ec}+1\right)}} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} T_{ij}^{da}={\displaystyle \frac{\left({\alpha }_{ij}^{da}+P_{Co\_ij}^{da}\right)}{\left({\alpha }_{ij}^{da}+{\beta }_{ij}^{da}+1\right)}} \end{gathered}$$

(8)

for each metric $X$, where $X$ represents six behavioural metrics (DSR, CSR, DRR, CRR, ECR, and DA) respectively. ${\alpha }_{ij}^X$ and ${\beta }_{ij}^X$ represent the count of cooperative interactions and the count of noncooperative interactions of metric $X$ of nodes $j$. $P_{Co\_ij}^X$ represents the assigned cooperation probability for node $j$ with metric $X$. This probability is calculated based on observed behaviours. It is used to update the ${\alpha }_{ij}^X$ and ${\beta }_{ij}^X$ parameters $T_{ij}^X$ represents the direct trust value of node $j$ in metric $X$. This value is computed from ${\alpha }_{ij}^X$ and ${\beta }_{ij}^X$ at the end of the period. The relationship between these parameters for all six metrics is summarized in the Table 2:

3.2.4. The Specific Case of DFR and CFR

The direct trust values for DFR and CFR are also calculated using the classical Bayesian Beta method, as shown in Equation 5. However, unlike other trust metrics, there is no need to calculate the cooperation probability of the dataset. Instead, the cooperation probability is defined as a binary number, either 1 or 0, as in Equation 4, where $P_{Co\_ij}$ is 1 or 0. When it is confirmed through monitoring or ACK methods that node $j$ has successfully forwarded a packet, $P_{Co\_ij}$ is assigned a value of 1; otherwise, it is assigned a value of 0. At the end of the evaluation period, the Beta parameters are updated as shown in Equation 9,

$${\alpha }_{ij}^{new}={\alpha }_{ij}+m\overline{P_{Co\_ij}}{\beta }_{ij}^{new}={\beta }_{ij}+\mathrm{m}-m\overline{P_{Co\_ij}}$$

(9)

where $m$ represents the total number of data or control packets that node $j$ either successfully forwarded or failed to forward during the evaluation period. For each forwarding action, a cooperation rating is assigned: $1$ if the packet was forwarded successfully, and$0$ otherwise. These ratings form the set: $P_{Co\_ij}$ = {$P_{Co\_ij\_1}$, $P_{Co\_ij\_2}$, $P_{Co\_ij\_3}$, …, $P_{Co\_ij\_m}$} ∈ {0, 1}. By substituting Equation 9 into Equation 5, the formula for the direct trust values of DFR and CFR at the end of an evaluation period is obtained, as in Equations 10,

$$T_{ij}^{df}={\displaystyle \frac{\left({\alpha }_{ij}^{df}+m\overline{P_{Co\_ij}^{df}}\right)}{\left({\alpha }_{ij}^{df}+{\beta }_{ij}^{df}+m\right)}}\mathrm{br}-\mathrm{to}-\mathrm{break} T_{ij}^{cf}={\displaystyle \frac{\left({\alpha }_{ij}^{cf}+m\overline{P_{Co\_ij}^{cf}}\right)}{\left({\alpha }_{ij}^{cf}+{\beta }_{ij}^{cf}+m\right)}}$$

(10)

where $T_{ij}^{df}$ and $T_{ij}^{cf}$ represent the direct trust value of DFR, CFR for nodes $j,$ respectively. The parameters ${\alpha }_{ij}^{df}$, ${\beta }_{ij}^{df},$ ${\alpha }_{ij}^{cf}$, and ${\beta }_{ij}^{cf}$represent the counts of cooperative and non-cooperative forwarding actions for data and control packets, respectively at the begin of an evaluation period. For initialization, all Beta parameters are set to zero.

3.2.5. Calculating the Combined Trust Value

When calculating the combined trust value, we use a method that combines the reciprocal method and entropy-based method [37] to assign weights to the direct trust values of each trust metric.

By taking the reciprocal of the direct trust values, we assign higher weights to lower trust values, accelerating the decline of combined trust for anomalous nodes. This helps achieve the goal of quickly identifying malicious nodes. We form a dataset of all direct trust values , organized according to the trust metrics in the sequence: $T_{ij}^{ds}$, $T_{ij}^{cs}$, $T_{ij}^{dr}$, $T_{ij}^{cr}$, $T_{ij}^{ec}$, $T_{ij}^{da}$, $T_{ij}^{df}$, $T_{ij}^{cf}$ represented as: $\{T_{ij}^1, T_{ij}^2, T_{ij}^3, T_{ij}^4, T_{ij}^5, T_{ij}^6, T_{ij}^7, T_{ij}^8\}$. The weighting scheme for each trust metric, illustrated in Equation 11,

$${\rho }_{ij}^r={\displaystyle \frac{1}{T_{ij}^r+ϵ}}$$

(11)

is derived by applying the reciprocal function to each trust value. Where ${\rho }_{ij}^r$ represents the weighting factor assigned to the direct trust value from node $i$ to node $j$ for the $r^{th}$ trust metric. The values of $r$ ranges from 1 to 8. $ϵ$ is a very small number to prevent division by zero.

Building on the reciprocal method, we further use the entropy-based method to adjust the final weights. By calculating the “volatility” (entropy) of each metric, we automatically identify which metrics are more important in the network scenario and accordingly increase the weights of these trust values. This allows the trust evaluation to automatically adapt to different network or attack scenarios. For example, in scenarios where the attack affects transmission rates, such as alarm systems, the trust value weights of communication metrics are automatically strengthened. In scenarios where the attack aims to affect DA, such as medical monitoring systems, the impact of DA metrics is automatically amplified.

Shannon’s information theory defines entropy as a fundamental metric for quantifying uncertainty in a system [37]. If a random variable $X$ has a set of possible values $\{x_1,x_2,...,x_n\}$ with a corresponding probability distribution $\left\{p\right(x_1),p(x_2),...,p(x_n\left)\right\}$, then the entropy $\left(H\right)$ is defined as shown in Equation 12:

$$H\left(X\right)=-\sum _{i=1}^{n}p\left(x_i\right){\log }_{b}p\left(x_i\right)$$

(12)

where $H(X$) represents entropy of the random variable $X$; $p\left(x_i\right)$ represents probability of the event $x_i$; $b$ represents the base of the logarithm, typically $2$ (for bits), $e$ (for natural entropy, in nats), or $10$. The more uniform the probability distribution, the greater the entropy, and the higher the uncertainty of the system. The choice of the logarithmic base in entropy calculation significantly affects the sensitivity and discrimination of the resulting weights. In this study, we choose base $b=2$ for the entropy function, as it offers higher sensitivity to ‘probability imbalance’. To illustrate the effect of logarithm base, consider a simple probability distribution: Let $P=\left[\mathrm{0.8,0.2}\right]$. Then, entropy values computed with different bases are show in the Table 3:

It can be seen that among these three entropy values, the binary entropy value is the largest, indicating that it is more sensitive to the degree of value fluctuation. Furthermore, we calculate the information entropy with bases $2$, $e$, and $10$ for the probability distributions (0.8, 0.2), (0.6, 0.4), and (0.5, 0.5) respectively, and perform a comparative analysis as shown in Table 4.

From Table 4, we can see that the difference in entropy values for different probability distributions is the largest when the base is $2$. Therefore, in our trust model, using base $2$ for the entropy function can more clearly distinguish which trust metrics are more important. For normalization, we use the factor $k=1/{\log }_{2}n$, which ensures that the entropy values are scaled into the [0,1] interval.

First, we ‘normalize’ each trust metric to form a pseudo-probability distribution, so that it can be used as an input for information entropy to measure the fluctuation of each metric. Suppose the dataset of the $r^{th}$ trust metric collected by node $i$ from all its neighboring nodes is $X_i^r=\left\{x_{i1}^r,x_{i2}^r,\dots ,x_{in}^r\right\}$. Normalize this trust metric as shown in Equation 13,

$$p\left(x_{ij}^r\right)={\displaystyle \frac{x_{ij}^r}{\sum _{j=1}^n{x}_{ij}^r}}$$

(13)

where $n$ denotes the count of immediate neighbours of node $i$. $P\left(X_i^r\right)=\left\{p\left(x_{i1}^r\right), p\left(x_{i2}^r\right), \dots , p\left(x_{in}^r\right)\right\}$ is the pseudo-probability distribution corresponding to $X_i^r=\left\{x_{i1}^r,x_{i2}^r,\dots ,x_{in}^r\right\}$, $\sum _{j=1}^{n}p\left(x_{ij}^r\right)=1$.

To quantify uncertainty in the$r^{th}$ trust metric, we employ Equation 12 to compute its entropy and normalize it as shown in Equation 14,

$${\theta }_i^r=-{\displaystyle \frac{1}{{\log }_{2}n}}\sum _{j=1}^{n}p\left(x_{ij}^r\right){\log }_{2}p\left(x_{ij}^r\right)$$

(14)

where ${\theta }_i^r$ represents the normalized entropy of the $r^{th}$ metric calculated by node $i$ within its neighborhood. The smaller ${\theta }_i^r$, the greater the variation, and the more important the metric, which should be given a higher weight. The entropy weight factor calculation method is shown in Equation 15,

$${\lambda }_i^r={\displaystyle \frac{1-{\theta }_i^r}{\sum _{r=1}^8(1-{\theta }_i^r)}}$$

(15)

where ${\lambda }_i^r$ represents the entropy weight factor for the $r^{th}$ metric calculated by node $i$ within its neighborhood.

Combining of The Reciprocal Weighting and The Entropy-based Weighting

Following the reciprocal computation, the weights are modified using the adjustment factor ${\lambda }_i^r$, and normalized to produce the final set of weights, as illustrated in Equation 16,

$$w_{ij}^r={\displaystyle \frac{{\rho }_{ij}^r{\lambda }_i^r}{\sum _{\mathrm{r}=1}^8{\rho }_{ij}^r{\lambda }_i^r}}$$

(16)

where $w_{ij}^r$ represents the weight of the $r^{th}$ trust metric.

Finally, to derive the combined trust score, we compute the weighted average of all trust metrics, as specified in Equation 17,

$${CT}_{ij}=\sum _{\mathrm{r}=1}^8{w}_{ij}^r{T}_{ij}^r$$

(17)

where ${CT}_{ij}$ denotes the combined trust score assigned by node $i$ to node $j$.

3.2.6. Updating the Local Trust Value

By weighing the historical and current combined trust values with an aging factor, we derive the local trust value. To achieve a rapid decline in trust value when a node exhibits malicious behavior and a slow recovery of trust value after the node returns to normal behavior, we use a dynamically and automatically adjusted aging factor. Based on the logistic function [38], we perform a nonlinear transformation to convert the change from the historical to the current combined trust value into an aging factor between 0 and 1, as shown in Equation 18,

$$w_{ij}^{age}={\displaystyle \frac{1}{1+\exp \left({CT}_{ij}(t-∆t)-{CT}_{ij}\left(t\right)\right)}}$$

(18)

where $t$ denotes the current moment, ∆t denotes the evaluation period. ${CT}_{ij}(t-∆t)$ and ${CT}_{ij}\left(t\right)$ denote the combined trust values from the previous and current evaluation periods, respectively. $w_{ij}^{age}$ denotes the aging factor.

As indicated by the formula, a higher current combined trust value relative to the historical value results in an aging factor close to 1, while a lower value leads it closer to 0. The range of $\left({CT}_{ij}(t-∆t)-{CT}_{ij}\left(t\right)\right)$ is (-1, 1), so the range of the aging factor is $\left({\displaystyle \frac{1}{1+\mathit{exp}\left(1\right)}},{\displaystyle \frac{1}{1+\mathit{exp}\left(-1\right)}}\right)$ approximately (0.27, 0.73).

Then, the combined trust value updated through the aging factor is used as the local trust value, as shown in Equation 19,

$${LT}_{ij}=w_{ij}^{age}{CT}_{ij}(t-∆t)+\left(1-w_{ij}^{age}\right){CT}_{ij}\left(t\right)$$

(19)

where ${LT}_{ij}$ represents the value of local trust. When a node exhibits malicious behavior, the current combined trust value decreases, the aging factor becomes smaller, and the weight of the current combined trust value increases, causing the local trust value to decline rapidly. Conversely, when the node returns to normal behavior, the current combined trust value increases, the aging factor becomes larger, and the weight of the historical combined trust value increases, causing the local trust value to rise slowly.

3.2.7. Reporting the Local Trust Value

Each node needs to periodically send its local trust values for all its neighbors to the CH and the controller for trust aggregation. To avoid introducing additional transmission overhead, we use the method from ETMRM [12] for reporting local trust values. This method involves inserting the local trust values into the SDN-WISE report messages that nodes send to the controller. The SDN-WISE report messages from all nodes within the cluster are forwarded to the controller by the cluster head. The format of the SDN-WISE report message is shown in Figure 7.

Correspondingly, we also need to convert the local trust values calculated in the previous section from real numbers between 0 and 1 (4 bytes) to unsigned integers between 0 and 100 (1 byte) [12], as shown in Equation 20.

$${LT}_{ij}=⌈{100\bullet LT}_{ij}⌉$$

(20)

3.3. CH Level Operations

3.3.1. Collecting the Local Trust Values of Cluster Member Nodes

The CH node also calculates local trust values for its neighbors. After receiving the SDN-WISE report message from its cluster member nodes, the CH node reads the reported local trust values from these messages. These secondhand trust values, along with the local trust values calculated by the CH node itself, are stored in the global array of the CH in the form of a matrix, as shown in Equation 21,

$$\left[{LT}_{ij}\right]=\left[\begin{array}{cccc}{LT}_{11}& {LT}_{12}& \dots & {LT}_{1n}\\ {LT}_{21}& {LT}_{22}& \dots & {LT}_{2n}\\ ⋮& ⋮& \ddots & ⋮\\ {LT}_{n1}& {LT}_{n2}& \dots & {LT}_{nn}\end{array}\right]$$

(21)

where ${LT}_{ij}$ denotes the local trust value that node $i$ assigns to node $j$, its neighbour. $n$ is the total number of nodes within the cluster, $i, j \in [1, n]$. If node $j$ is not within the neighbourhood of node $i$, then node $i$ cannot perform a trust evaluation on node $j$. In this case, ${LT}_{ij}$ equals 0. Node $i$ is not allowed to evaluate itself, so its self-trust value is set to 0.

3.3.2. Trust Aggregation at CH level

In the trust aggregation process, we adopt the approach proposed by Bin-Yahya et al [28], which incorporates two key metrics: score reliability and node reliability. To compute score reliability, we measure how much a local trust value deviates from the average of all local trust values assigned to the evaluated node by its neighbors. We then use this metric to calculate node reliability and to assign weights to each trust value during aggregation.

To determine node reliability, we take the arithmetic mean of the score reliability values corresponding to a node’s trust evaluations of all its neighbors. This metric enables us to identify nodes that may be engaging in trust manipulation behaviors, such as good-mouthing or bad-mouthing attacks.

To calculate the score reliability metric, we first need to compute the arithmetic mean of the local trust values of node $j$ given by all its neighbor nodes within the cluster. We take all elements greater than 0 in the $j^{th}$ column of the matrix and calculate their arithmetic mean, as shown in Equation 22,

$${AT}_{avg,j}={\displaystyle \frac{{\sum }_{i\in X}{LT}_{ij}}{N_X}}$$

(22)

where $X$ represents the group of neighboring nodes associated with node $j$, $N_X$ represents the total count of node $j$’s neighbors. Then we calculate the score reliability of the local trust value assigned by node $i$ to node $j$ using Equation 23.

$${SR}_{ij}=100-\left|{LT}_{ij}-{AT}_{avg,j}\right|$$

(23)

Then, to compute the node reliability, metric, we use the score reliability metrics as input, as shown in Equation 24,

$${NR}_i={\displaystyle \frac{\sum _{j\in Y}{SR}_{ij}}{N_Y}}$$

(24)

where ${NR}_i$ represents the node reliability metric of node $i$, $Y$ represents the set of neighbor nodes of node $i$, $N_Y$ represents the total count of node $i$’s neighbors. The node reliability metric is iteratively updated using the historical and current values according to the method in Equation 19.

To aggregate local trust values ion based on the score reliability metric and the node reliability metric, we set a lower threshold ${NR}_{th}$ for the node reliability metric, and we only aggregate the local trust values given by nodes whose node reliability metric exceeds this threshold. We derive the aggregated trust value using the method outlined in Equation 25,

$${AT}_{C,j}={\displaystyle \frac{\sum _{i\in C}{LT}_{ij}\bullet {SR}_{ij}}{\sum _{i\in C}{SR}_{ij}}}$$

(25)

where C represents the group of node $j$’s neighbor nodes within the cluster whose node reliability metric exceeds the threshold. ${LT}_{ij}$ is the local trust value given by node $i$ of node $j$, and ${SR}_{ij}$ is the score reliability metric of that local trust value. ${AT}_{C,j}$ is the aggregated trust value of node $j$ at the CH level.

3.3.3. Forwarding the Local Trust Values

CH periodically sends its local trust values for all its neighbors to the controller through the SDN-WISE report message. Additionally, it forwards the SDN-WISE report messages from the cluster member nodes to the controller. These messages contain the local trust values computed by each node for its immediate neighbors.

3.3.4. Identifying and Isolating Malicious Nodes at CH Evel

The CH detects malicious nodes by analyzing the aggregated trust values of cluster members. It then stops forwarding any messages to the malicious nodes and stops forwarding any messages from the malicious nodes.

3.4. Controller Level Operations

3.4.1. Collecting the Local Trust Values of All Nodes in the Network

Upon receiving an SDN-WISE message from a network node, the controller extracts the local trust values of neighboring nodes embedded in the message. These values are then organized into a matrix and stored in the controller’s global array, following the method outlined in Equation 21. This trust matrix offers a comprehensive global view of the network’s trust landscape.

3.4.2. Trust Aggregation at Controller ;Evel

In conducting trust aggregation at the controller level, we apply the same approach as that used at the CH level. The computation is grounded in the trust matrix that provides a global perspective, as previously introduced.

3.4.3. Identifying and Isolating Malicious Nodes at Controller Level

The controller detects malicious nodes by evaluating the aggregated trust values within the network. It then adjusts flow rules. If the detected malicious node is the CH, a new CH needs to be selected, and the network topology needs to be re-established. When a malicious node $j$ is identified as a regular node, a control message with a drop rule is sent by the controller to the CH of the corresponding cluster. The CH then propagates the control message throughout its cluster by forwarding it to each member node. Upon receiving this control message, the member nodes modify the flow table stored locally. This modification includes inserting a drop rule <src_addr =‘j’, action =‘Drop’> into the flow table and removing the rule with <next_hop =‘j’> from the flow table to avoid forwarding packets to the malicious node. In SDN-WISE, the flow table includes three parts: Matching Rules, Actions, and Statistics. Figure 8 is an example of a flow table in SDN-WISE. For specific explanations of each field, please refer to SDN-WISE [31,32].

3.5. Retrieval of Trust Information

We assume that the controller has unlimited storage resources, allowing for full backup of trust information, and the single point of failure problem of the controller is not addressed in our work. Therefore, only ordinary sensor nodes and CH nodes need to retrieve trust information after it is lost. Since the controller acts as a global repository of trust information for the entire network and each CH manages the trust data of its respective cluster, both cluster heads and ordinary nodes have the ability to recover missing trust records by accessing the controller or the CH. Therefore, we define a pair of new messages based on the existing SDN-WISE messages to request and return trust information. These messages are only exchanged when trust information is lost and do not burden normal communication. The trust information request message does not carry any payload, while the trust reply conveys either cluster-wide trust information or the trust record of the requesting node. The message structures are shown in Figure 9.

The “No. Node” field in the trust information reply message indicates the number of nodes whose trust information is included in the message. If a node requests trust information from the CH, the value of this field in the CH’s reply message is 1. When a cluster head (CH) requests trust data from the controller, the reply message contains a field specifying the number of nodes that belong to the CH’s cluster. Within the message format, “Node1 Address” identifies the address of Node 1, while “No. Neighbor” indicates how many neighboring nodes are associated with Node 1. Following this, the reply provides the detailed addresses and trust values of each neighboring node. Node 2’s trust information is added sequentially after Node 1’s in the same structure, and this continues until the trust records of all cluster nodes are included.

4. Results and Analysis

In this section, we present the theoretical analysis of the key algorithm in ATAW-TM. We implemented these algorithms in Python and applied them to representative datasets to analyze and evaluate their performance.

4.1. Theoretical Analysis Using Cooperation Probability and Bayesian Inference

We begin by analyzing the calculation of direct trust values of eight trust metrics using cooperation probabilities and Bayesian inference. We take DSR metric as an example. Cooperation probabilities are computed using a Gaussian distribution-based formula, and trust values are subsequently calculated through Bayesian inference.

4.1.1. Arithmetic Mean and Standard Deviation Calculation

The dataset consists of data packet sending counts from 20 neighboring nodes in one evaluation period. The values are:

$\mathrm{Data}\text{:} x_i= \left\{\mathrm{100,110,105,99,101,98,103,102,97,150,104,99,107,97,103,99,104,106,96,98}\right\}$The mean ($\mu$) and standard deviation ($\sigma$) of the dataset are calculated using equation 1 and equation 2. The result is $\mu ={\displaystyle \frac{1}{20}}\sum _{i=1}^{20}{x}_i=103.9$，$\sigma =\sqrt{{\displaystyle \frac{1}{20}}\sum _{i=1}^{20}{\left(x_i-103.9\right)}^2}=11.1933$.

4.1.2. Cooperation Probability Calculation

The cooperation probability for each node is computed using equation 4

$P_{Co}\left(x\right)=\exp \left(-{\displaystyle \frac{{\left(x-103.9\right)}^2}{2\mathrm{*}{11.1933}^2}}\right)$.

4.1.3. Using Bayesian Inference to Calculate Direct Trust Values

The Bayesian inference process is used to calculate the trust values of each node. Initially, the parameters of the Beta distribution are set to ${\alpha }_0=0$ and ${\beta }_0=0$. We use equation 6 to update the parameters of the Beta distribution, and use equation 8 to calculate the direct trust values. The calculated direct trust values for each node are as shown in Table 5.

4.1.4. Analysis

The calculated direct trust values indicate the level of trust each node has within the network based on their observed cooperation behavior. The number of data packets sent by Node 10 is 150, much higher than the average of 103.9, which is inconsistent with the behavior of other nodes. The calculated direct trust value of Node 10’s DSR is close to 0. This effectively identifies Node 10 as a potential malicious node exhibiting flooding attack. For clarity, we have plotted the data from Table 5 in Figure 10.

To demonstrate the model’s adaptability, we applied it to a second scenario with a higher baseline data rate

$\mathrm{Data}\text{:} x_i= \left\{1110,1000,1020,995,1010,980,1040,1020,970,\mathrm{1600,1040},980,1060,970,1040,990,1050,960,970,1030\right\}.$In this scenario, the model similarly identified the outlier (Node 10 with a count of 1600), as shown in Figure 11.

These results demonstrate ATAW-TM’s ability to function effectively across different network conditions without manual threshold reconfiguration.

4.2. Theoretical Analysis of the Hybrid Reciprocal and Entropy-based Weighting Strategy

This subsection analyzes the hybrid weighting strategy that dynamically assigns importance to the eight trust metrics, enabling ATAW-TM to adapt to various network conditions and attack patterns.

4.2.1. Direct Trust Value Calculations

Assume we have calculated the direct trust values for eight trust metrics (DSR, CSR, DRR, CRR, ECR, DA, DFR, CFR) for a specific node $j$ from the perspective of node $i$. The trust values are as follows:

$\mathrm{Direct} \mathrm{Trust} \mathrm{Values}\text{:} T_{ij}^r=\{0.9411, 0.8952, 0.9086, 0.9670, 0.3269, 0.5350, 0.8703, 0.9857\}$where $r = 1 to 8$ represents the eight trust metrics respectively. The low ECR (0.3269) and moderate DA (0.5350) trust values suggest potential malicious activity in energy consumption and data accuracy. Other metrics’ trust values are very high.

4.2.2. Reciprocal Weighting Calculation

The reciprocal weighting factors are computed using Equation 11, where $ϵ=0.0001$ to prevent division by zero. The calculated reciprocal weights are:

${\rho }_{ij}^r=\left\{\mathrm{1.062,1.117,1.100,1.034,3.058,1.869,1.149,1.014}\right\}$

4.2.3. Entropy-Based Weight Calculation

To compute entropy weights, we first collect trust metric datasets from all neighboring nodes. Assume node $i$ has 5 neighbors with the following trust values for each metric, among them, the volatility of ECR and DA is relatively high, as shown in bold:

$$\begin{gathered} X_i^1=\{0.9411, 0.8620, 0.9952, 0.8002, 0.9099\}\mathrm{DSR} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} X_i^2=\{0.8952, 0.9780, 0.8870, 0.9920, 0.9030\}\mathrm{CSR} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} X_i^3=\{0.9086, 0.8950, 0.9120, 0.9510, 0.8880\}\mathrm{DRR} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} X_i^4=\{0.9670, 0.9540, 0.9020, 0.8610, 0.8580\}\mathrm{CRR} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} X_i^5=\{0.3269,0.8950,0.9120,0.9010,0.8880\}\mathrm{ECR} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} X_i^6=\{0.5350,0.7150,0.8980,0.6560,0.8740\}\mathrm{DA} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} X_i^7=\{0.8703, 0.8560, 0.9820, 0.8410, 0.9670\}\mathrm{DFR} \\ \mathrm{br}-\mathrm{to}-\mathrm{break} X_i^8=\{0.9857, 0.9720, 0.8910, 0.9780, 0.8040\}\mathrm{CFR} \end{gathered}$$

We normalize these values using Equation 13 to form pseudo-probability distributions. The normalized entropy is calculated using Equation 14. The entropy weight factors are computed using Equation 15:

$${\lambda }_i^r={\displaystyle \frac{1-{\theta }_i^r}{{\sum }_{r=1}^8(1-{\theta }_i^r)}}=\left\{\mathrm{0.034,0.014,0.004,0.016,0.650,0.218,0.027,0.037}\right\}$$

4.2.4. Combined Wight Calculation

The final weights are computed by combining reciprocal and entropy weights using Equation 16:

$$w_{ij}^r={\displaystyle \frac{{\rho }_{ij}^r{\lambda }_i^r}{{\sum }_{r=1}^8{\rho }_{ij}^r{\lambda }_i^r}}=\left\{\mathrm{0.014,0.006,0.002,0.006,0.784,0.161,0.012,0.015}\right\}$$

4.2.5. Combined Trust Value Calculation

The combined trust score is calculated using Equation 17:

$${CT}_{ij}=\sum _{\mathrm{r}=1}^8{w}_{ij}^r{T}_{ij}^r=0.3940$$

The weighting analysis results are consolidated in Table 6 and Figure 12.

4.2.6. Analysis

The results demonstrate the effectiveness of the hybrid weighting strategy. The ECR metric, despite having the lowest direct trust value (0.3269), receives the highest final weight (0.784) due to the combined effect of reciprocal weighting (emphasizing low values) and entropy weighting (reflecting its importance in energy-constrained scenarios). The ECR metric and DA metric have higher entropy weighting due to their higher volatility. Although the direct trust values of most metrics are very high, the combined trust value (0.3940) calculated using our weighting method accurately reflects the node’s overall malicious behavior. This represents a 51.0% increase in detection sensitivity compared to a simple average (which would be 0.8037).

4.3. Theoretical Analysis the Dynamically Adjusted Aging Factor

Finally, we analyze the aging factor mechanism, which enables the trust model to respond rapidly to malicious behavior while allowing for slow, stable recovery.

4.3.1. Trust Value Inputs

Assume that for a given node $j$, the historical combined trust value from the previous evaluation period is ${CT}_{ij}(t-\mathsf{\Delta }t)=0.850$, and the current combined trust value is ${CT}_{ij}\left(t\right)=0.394$. These values reflect a significant decline in trust, suggesting potential malicious activity during the current period.

4.3.2. Aging Factor Calculation

The aging factor $w_{ij}^{age}$ is computed using Equation 18:

$$w_{ij}^{age}={\displaystyle \frac{1}{1+\mathrm{e}\mathrm{x}\mathrm{p}(0.850-0.394)}}={\displaystyle \frac{1}{1+\mathrm{e}\mathrm{x}\mathrm{p}\left(0.456\right)}}\approx {\displaystyle \frac{1}{1+1.578}}\approx 0.388$$

4.3.3. Updating the Local Trust Value

The local trust value ${LT}_{ij}$ is then updated using Equation 19:

$${LT}_{ij}=0.388\times 0.850+(1-0.388)\times 0.394=0.329+0.241=0.570$$

To further illustrate the behavior of the aging factor under different scenarios, we consider two additional scenarios:

Scenario 1: Trust Improvement

If ${CT}_{ij}(t-\mathsf{\Delta }t)=0.400$ and ${CT}_{ij}\left(t\right)=0.800$, then:

$$w_{ij}^{age}={\displaystyle \frac{1}{1+\mathrm{e}\mathrm{x}\mathrm{p}(0.400-0.800)}}={\displaystyle \frac{1}{1+\mathrm{e}\mathrm{x}\mathrm{p}(-0.400)}}\approx {\displaystyle \frac{1}{1+0.670}}\approx 0.599{LT}_{ij}=0.599\times 0.400+0.401\times 0.800=0.240+0.321=0.561$$

Scenario 2: Stable Trust

If ${CT}_{ij}(t-\Delta t)=0.700$ and ${CT}_{ij}\left(t\right)=0.710$, then:

$$w_{ij}^{age}={\displaystyle \frac{1}{1+\mathrm{e}\mathrm{x}\mathrm{p}(0.700-0.710)}}={\displaystyle \frac{1}{1+\mathrm{e}\mathrm{x}\mathrm{p}(-0.010)}}\approx {\displaystyle \frac{1}{1+0.990}}\approx 0.502$$

The results are summarized in Table 7.

We have plotted the relationship between the trust change $\mathsf{\Delta }CT={CT}_{ij}(t-\mathsf{\Delta }t)-{CT}_{ij}\left(t\right)$ and the aging factor $w_{ij}^{age}$ in Figure 13.

4.3.4. Analysis

The results demonstrate the effectiveness of the dynamically adjusted aging factor in balancing historical and current trust values. When trust declines significantly (e.g., due to malicious behavior), the aging factor decreases, giving more weight to the current low trust value and causing a rapid decline in the local trust value. Conversely, when trust improves, the aging factor increases, emphasizing historical trust and allowing for a slower, more stable recovery. This mechanism enhances the model’s robustness in dynamic SDWSN environments.

This dynamically adjusted aging factor is a crucial defense against On-Off Attacks, where a malicious node switches between good and bad behavior to build trust and then exploit it. ATAW-TM counters this with an asymmetric response:

• During the “Off” (malicious) phase, a sharp drop in current trust leads to a small aging factor, causing the local trust value to plummet rapidly for quick detection and isolation.
• During the “On” (normal) phase, recovery is intentionally slow. A larger aging factor prioritizes the node’s poor history, preventing it from quickly regaining trust after brief good behavior.

This mechanism significantly raises the cost and reduces the effectiveness of on-off attacks, thereby mitigating the associated risk.

5. Discussion

The ATAW-TM model proposed above was designed specifically for r SDWSNs. The model addresses key limitations of existing trust models, particularly those related to threshold configurations, weight allocation, and the loss of trust information in the presence of DoS attacks. ATAW-TM enhances the detection of DoS attacks and supports dynamic, self-adjusting trust evaluations by adopting a layered architecture with components at the node, CH, and controller levels. While at the sensor nodes at the node layer evaluate their trust locally by assessing link quality, extracting trust evidence, and calculating direct trust values, at the CH layer these values are processed to calculate aggregated trust scores and to identify and isolates malicious nodes. At the controller layer, the process of global trust aggregation results in isolates malicious nodes by adjusting flow rules.

The core principle of ATAW-TM is adaptability in response to changing node network behavior ; the depictable trust evaluation mechanism removes the need for manual threshold configuration, through outlier detection and Bayesian inference. The model automatically computes trust values and assigns weights to various trust metrics using a hybrid reciprocal and entropy-based weighting strategy. This ensures that the model can dynamically adjust its focus based on the prevailing network conditions, making it highly adaptable to different attack types. Additionally, the incorporation of a logistic function-based aging factor balances the influence of historical and current trust value, allowing for more accurate evaluations of node behavior over time. The model features as well a trust information retrieval mechanism to facilitate rapid recovery when trust information is lost, ensuring the resilience and stability of the network.

5.1. Comaparisoin to Other Models s

We propose e a resilient trust model for SDWSNs, designed to effectively identify various types of DoS attacks. Compared to the previous trust models designed for SDWSNs [12,28,29,30], the proposed model has the following advantages:

First, our trust model considers and addresses the issue of wireless link qualities between sensor nodes being affected by the environment, while others didn’t consider link qualities at all. Moreover, our trust model is comprehensively designed to account for multiple types of DoS attacks, whereas other models typically consider only a subset of these attacks.

Second, our trust model does not use thresholds for evaluating packet transmission behavior, eliminating the need for network administrators to configure thresholds, making it easily applicable to various WSNs. Previous models such as the ones described in [12,28] used threshold-based algorithms, which had issues with threshold configuration. The model proposed in [30] did not use threshold-based algorithms but considered using a complex IDS module, whereas our model is more lightweight.

Furthermore, in our trust model, the weights of various trust metrics are dynamically and automatically assigned based on their values through an algorithm when calculating the combined trust value. This prevents a malicious node’s good performance in one aspect from masking its malicious behavior in another aspect. In previous trust models [28,29], researchers left the task of assigning weights to users, which was a significant obstacle to the widespread application of trust models. In [12], fixed weights were used for the metrics of data packet forwarding rate and control packet forwarding rate, resulting in poor flexibility and accuracy. The model proposed in [30] did not involve this weight assignment issue but considered using a complex IDS module.

Additionally, our trust model uses a dynamically adjusted aging factor in the iterative update process of historical and current trust values, effectively balancing historical and current trust values. The models described in [12,30] did not consider historical trust values, while the model introduced in [28] considered historical trust values but used a fixed aging factor, resulting in poor flexibility and accuracy.

Finally, we designed a trust information retrieval mechanism that allows for the quick retrieval of trust information for sensor nodes and cluster head nodes after trust information is lost, enabling rapid recovery of the trust system. Previous models did not consider the issue of trust information loss.

5.2. Limitations and Directins for Furtehr Researcxh

While the theoretical analysis of the ATAW-TM trust model provides insights into its practical application for evaluating node trustworthiness in SDWSNs, a major limitation of this work is that the ATAW-TM has not yet been implemented or evaluated experimentally. This limitation will be addressed in our future work, including the implementation and evaluate of ATAW-TM in real-world scenarios and conducting an in-depth analysis of its performance. Furthermore, we will explore the integration of the ATAW-TM trust model with SDWSN routing protocols to improve their efficiency and expedite the network’s response to DoS attacks, ensuring stable operations even during malicious disruptions.