doi:10.1016/j.comcom.2006.08.006
Copyright © 2006 Elsevier B.V. All rights reserved.
A secure alternate path routing in sensor networks
Department of Computer Engineering, Hongik University, 121-791 Seoul, Republic of Korea
Received 10 October 2005;
revised 24 July 2006;
accepted 3 August 2006.
Available online 31 August 2006.
Abstract
This paper presents a secure alternate path routing in sensor networks. Our alternate path scheme makes the routing protocol resilient in the presence of malicious nodes that launch selective forwarding attacks. SeRINS (a Secure alternate path Routing IN Sensor networks) uses a neighbor report system to detect compromised nodes that try to inject inconsistent routing information and to isolate them from the network. In the neighbor report system, a node’s route advertisement is verified by its surrounding neighbor nodes, so that a suspect node is reported to the base station and is excluded from the network. Simulation experiments show that SeRINS is resilient in the presence of several compromised nodes that launch selective forwarding attacks, and robust in that it excludes from the network the compromised nodes that inject inconsistent routing information.
Keywords: Sensor network security; Secure routing
Fig. 1. All packets from the descendent nodes of compromised node α could be dropped by node α, since they are always forwarded via node α whose position is the root of its downstream nodes (grey ones). Each arrow indicates a node’s parent node.
Fig. 2. A solid arrow indicates a node’s first parent node, and a dashed arrow indicates its normal parent node. The number inside the circle indicates a hop count from the base station. With the alternate path scheme, packets from descendent nodes of compromised node α have an opportunity to bypass the node which arbitrarily drops them. Depending on the routing topology established in that round, there might exist some nodes (grey ones) which cannot bypass the compromised node.
Fig. 3. A dashed circle around compromised node α is a node’s transmission range of a route update. By advertising forged hop count 1 instead of hop count 3, the compromised node is able to attract network traffic so that it easily launches selective forwarding attacks. Compared with Fig. 2, many more nodes (grey ones) cannot bypass compromised node α, due to the inconsistent hop count from node α. The underlined numbers indicate the inconsistent hop count caused by the compromised node.
Fig. 4. A dashed circle around compromised node α is a node’s transmission range of a route update (1, I′, II′). Once it has re-broadcast a route update, node β performs hop count verification on every subsequently received route update. Compromised node α advertises forged hop count 1, instead of hop count 3. However, node α cannot know the legitimate hopping number-I F(R) associated with a hop count 1. The underlined numbers indicate the inconsistent hop count caused by the compromised node.
Fig. 5. During route setup, node β detects a suspicious route update from node α. Node β reports the information about the suspect node (sid, h′, I′, II′, F(K′)) to the base station repeatedly through all the currently existing next-hop nodes. The bold arrows indicate the routes along which the reports from node β are sent.
Fig. 6. A dashed circle around compromised node α is a node’s transmission range of a route update. Compromised node α is able to advertise forged hop count 2 instead of hop count 3, by duplicating the route update from node β. Compared with Fig. 3, almost the same number of nodes (grey ones) cannot bypass compromised node α, due to this same-distance fraud. The underlined numbers indicate the inconsistent hop count caused by the compromised node.
Fig. 7. A dashed circle around compromised node α is a node’s transmission range of a route update (2, I′, II′). Once it has re-broadcast a route update, node β performs hop count verification on every subsequently received route update. Compromised node α advertises forged hop count 2 instead of hop count 3, by duplicating the route update from node β. However, compromised node α cannot know its legitimate first parent node’s hopping number-I F(R). Thus, node α fails to generate its legitimate hopping number-II II′. The underlined numbers indicate the inconsistent hop count caused by the compromised node.
Fig. 8. A dashed circle around compromised node α is a node’s transmission range of a route update (3, I′, II′). Once it has re-broadcast a route update, node β performs hop count verification on every subsequently received route update. Legitimate node α advertises hop count 3, hashing the hopping number-I of node β. Node β verifies the route update from node α by seeing if F2(I) = I′ (in this case, there is nothing wrong with node α, since node α hashes the legitimate hopping number-I of its first parent node β).
Fig. 9. The grey node indicates the neighbor node of suspect node α, which has to send the report after the summon message. The bold arrows indicate the routes along which the reports from these nodes are sent. If a node’s only next-hop is the suspect node, which might be compromised, the node also forwards its own report and the relayed reports to all of its neighbor nodes. However, the node drops reports that it has already forwarded, which prevents routing loops (e.g., A → B → A, then dropped).
Fig. 10. A chain reaction of neighbor reports. An inconsistent hop count from compromised node α is first reported by node β. As the inconsistency is propagated by other legitimate nodes (grey ones), the nodes (bold circles) other than node β detect the inconsistency and report it to the base station.
Fig. 11. ARMS description: commitment pair distribution and the relation among ARMS packets. (a) Commitment pair distribution; (b) the relation among ARMS packets.
Fig. 12. Performance evaluation results (average over 20 runs). (a) With/without an alternate path scheme on a network of 300 sensor nodes, in the presence of Type-I compromised nodes; (b) with/without an alternate path scheme on a network of 600 sensor nodes, in the presence of Type-I compromised nodes; (c) with/without the neighbor report system on a network of 300 sensor nodes, in the presence of Type-II compromised nodes, using the alternate path scheme; (d) with/without the neighbor report system on a network of 600 sensor nodes, in the presence of Type-II compromised nodes, using the alternate path scheme.