Trust Based Security Mechanisms for Resource-Constrained Internet of Things-A Review

The Internet of Things (IoT) is defined as the assembly of real-world objects that are connected over the Internet to improve human well-being. The implementation and success of an IoT system depend on how well it is secured. Providing security is a critical task, however, because of the nature of IoT devices: a shared and open environment, a wide range of communication protocols and standards, self-organization, lack of central control, heterogeneity of devices, etc. To provide security, key management, cryptographic mechanisms such as private- and public-key cryptography, Intrusion Detection Systems (IDS), and hash functions have been used. Though these work well, they are not suitable for lightweight IoT devices, because such mechanisms demand high computational, memory, and processing resources. To overcome these issues, researchers have chosen trust management for providing security. In this article, some of the trust-based solutions are presented. In addition, security issues, security loopholes/attacks in the various layers of IoT, security requirements, trust management in IoT, properties of trust, trust management building blocks, the role of trust management in IoT, and basic trust calculation methods are presented.


Introduction
The term Internet of Things was first coined by Kevin Ashton in 1999. Initially, it was called pervasive computing. It was introduced to promote Radio Frequency Identification (RFID) technology. The Internet of Things is all about connected devices or objects. The objects are categorized into two kinds: physical objects, and logical (information-world or virtual) objects. Physical objects exist in the real world and can sense, be actuated, and be connected. Logical objects can store, process, and access real-world information. Therefore, the Internet of Things (IoT) is defined as a "collection of real-world objects that may be living things or non-living things that are connected through the Internet to provide services to human beings" [1]. Things are embedded with both software and hardware parts such as sensors, integrated chips, system-specific components, and applications. Besides, cloud platforms have become one of the essential elements for deploying any IoT-related application. The connectivity among the objects or devices may be Person to Person (P2P), Machine to Person (M2P), or Machine to Machine (M2M). Some highlighted applications are transport, military, telemedicine, agriculture, logistics, etc. [2]. The IoT also involves some essential core elements such as heterogeneous access, detection, processing, applications, and administration. The essential technologies involved in the IoT are shown in Figure 3.

IoT has the following characteristics: open medium, shared wireless medium, self limited resources, and heterogeneous devices [3]. The unique features of IoT face numerous challenges such as computational and energy management, memory management, standardization, system architecture, integration, data storage and processing, scalability, environmental issues, privacy, and security [4]. Among these challenges, security is one of the main problems, because the success of any application depends on how well it can be secured, but in this unique environment achieving such security is always a critical task. Based on the survey conducted, s all about connected devices and services must have trusted Identities. Owing to this, the security of IoT is concerned with data, applications, architecture, and communications. All the above factors are affected by threats in the form of various security attacks.
Achieving security in IoT is a complicated task for various reasons. The first is the constrained nature of the devices involved in the IoT. Those devices are limited in their processing, memory, computation and speed compared with other devices. For instance, a wristwatch with an embedded electronic IoT sensor is used to monitor patients in the healthcare sector. Typically, those devices are small in size. To provide security, applying complex possible. So, addressing security in those devices becomes difficult. Besides, the manufacturers of IoT devices have been concentrating on the application part of the devices and not on their security. Then, the dynamic nature of the IoT environment also leads to security violations, because devices roam and can join and leave the network at any time. In this situation, a proper security mechanism is needed to handle the dynamic nature. Also, IoT devices are located in an open and shared environment. Therefore, there is a possibility of physical damage that leads to security violations. Information is transferred among the devices through the wireless medium. By default, wireless mediums are susceptible to various kinds of attacks, and this open and shared environment leads to more
To enhance security, various security mechanisms have been proposed. Cryptographic techniques, key management, digital signatures, hash functions, Intrusion Detection Systems (IDS), Zero Knowledge Proofs, artificial intelligence, and most recently blockchain technologies have been used. The above techniques are effective, but they cannot be applied to lightweight devices in the IoT environment, as they demand high processing, memory, and computational capabilities. To address these issues, trust management is playing a major role at present. Researchers have witnessed the impact of trust management in the IoT environment.
Trust management deals with all kinds of security, such as information security, device security, and network security. Because of such popularity, in this article, we are focusing on trust-related security mechanisms for resource-
The remainder of the article is organized as follows: Section 2 deals with security in IoT, covering security issues, security issues at the various layers, and security requirements. Section 3 deals with an introduction to IoT, properties of trust, trust-building blocks, trust level, and trust computational methods. Section 4 deals with the trust-based security mechanisms, and the final section concludes.

Security in IoT
The following sections discuss the security issues in IoT, security requirements of IoT, security attacks at various layers of IoT, the importance of security in the IoT environment, and the architecture of IoT with respect to security concerns.

Security issues in IoT
As discussed earlier, the main security issues in IoT arise from its resource-constrained, heterogeneous environment and from the interconnection of networks through an open environment. These two factors lead to the conventional security issues. The constrained nature means limited resources in memory, processing, and computational capabilities [4]. Granja et al., 2015 [5] recently surveyed security issues that arise in terms of data, application, communication, and architecture. Granja et al., 2015 [5] also observed security issues in IoT protocols. Cloud computing also plays a major role and is incorporated with IoT; hence security issues also arise in cloud platforms, as observed by [6]. Unique identification of objects, software used in IoT applications, and malware are also identified as platforms for security violations [7]. The Open Web Application Security Project (OWASP) elaborates on the vulnerabilities involved in the IoT environment. The vulnerabilities are devices deployed in an insecure environment, insecure software and malware, and unsuitable security configuration.

Security issues at various layers of IoT
The layers in IoT are divided into three major categories: the perception or sensing layer, the middleware layer, and the application layer. The layering concept of IoT is depicted in Figure 1. Security issues arise in all of the above layers. The issues should be addressed at the initial stage of IoT application design or at regular intervals. Though the designers of IoT take care of all aspects of security, security violations still exist and all the layers of IoT are affected.

Security problems at Perception/Sensing Layer
This layer interacts with the outside environment through sensors, Radio Frequency Identification (RFID), Wireless Sensor Networks (WSN), and other devices. The most common threats are discussed here.

Denial of Service Attack (DoS) [8]
This is one of the most commonly faced attacks in the network environment. The aim is to make network resources unavailable to legitimate users and to exhaust the resources of legitimate users by sending wrong network information to other legitimate devices and getting their attention.

[8] This attack is executed by sending former messages again and again to the destination node; in this way it tries to compromise the network and authenticated services.

Node Capture Attack [8]
An attacker captures a node/device in the network environment and steals confidential information from it. Besides, those devices may be compromised so that they disclose the confidential information of other nodes and of themselves.

[8] Due to the nature of the open environment, a fake node may be injected by an attacker. The fake node may then act as a legitimate node and circulate wrong code or information over the network. The result is that the entire network is damaged.

Jamming attack [9][10]
In this attack, an attacker emits radio-frequency signals to other devices in the network without following the protocol specification. Such interference affects network operations, that is, the sending and receiving of information. The result is unpredictable behaviour of the IoT system.

[11][12] Insecure installation also leads to improper functioning of IoT systems. Therefore, care must be taken while installing and configuring security mechanisms. Insecure communication also needs to be addressed to ensure secure communication.

[13] This attack is executed by keeping sensor nodes awake while they are not functioning; in this way their battery power is drained and they cannot take part in subsequent processing.

Sybil attack [14]
An attacker uses fake identities to get into the network environment and degrades the functionality of the entire system.

Insecure physical [15]
The poor security of the IoT environment leads to security loopholes and becomes a threat to the functionality of the IoT environment. Software access can be gained through the insecure wireless environment, and the testing and debugging functions of legitimate devices may be exploited.

Security problems at Middleware Layer
Heterogeneity means that the network and application devices involved here vary in their resources. Different protocols and technologies are used here. So, maintaining coordination among them is always a difficult task, and hence it leads to security violations. Another issue in this layer is scalability. Depending on the nature of the application, the number of devices involved in IoT may increase. In addition, new devices may join and leave at any time. Therefore, this dynamic nature leads to security violations. Most importantly, an attacker may use social engineering to collect sensitive information from the IoT environment, so the security of IoT comes into question. Thus, middleware security issues mainly concern routing, communication, and session management of IoT. The following attacks mostly affect the middleware layer of IoT.

[16] In IoT, the route discovery process executes before the actual data transmission happens. This is done to find a secure route to the destination. Here, an attacker may use the route discovery process to inject false routing information, which misguides legitimate users.

[17] In this attack, an attacker responds to the route request more quickly than ordinary nodes and gets attention. Thereafter, the nodes that want to transmit packets to other nodes use this sinkhole route, so all incoming packets routed via this route may be dropped.

[18] This attack is executed by creating a tunnel between two nodes. The packets transferred via this tunnel are dropped.

[19] Usually, nodes in the network use buffer space to re-assemble incoming packets. Here, an attacker sends incomplete packets to the victim node and increases the buffer usage by sending unwanted packets. The result may be denial of service to legitimate users due to the space occupied by the spoofed packets.

Sybil attack [20][21]
In a Sybil attack, an attacker uses fake identities to communicate with other nodes. These attacks may lead to various security violations such as disseminating malware, spamming, and phishing attacks.

Blackhole attack [22]
In this attack, an attacker advertises itself as having the shortest path to the destination. By advertising this, it gets attention from other nodes. Hence, the packets transmitted via this node may be dropped.

DDoS attack [8]
An attacker sends too many empty/spoofed messages to the target node. By processing those packets, the target node may drain its energy and become unavailable to legitimate users. This is called a denial-of-service attack. If the attack is launched by more than one attacker, it is called a distributed denial-of-service attack.

[23] Cloud services act as a service provider between two nodes. In this case, a malicious cloud provider may act as a genuine provider and steal confidential information being transmitted to others.

Session Hijacking attack [24][25]
An attacker may impersonate the victim node and insert itself between two legitimate nodes. The conversation between these two legitimate nodes is then hijacked by the attacker. This attack normally happens in the transport layer.

RPL attack [26]
The Routing Protocol for Low-Power and Lossy Networks (RPL) is currently the most widely used protocol in IoT applications. Due to a lack of security mechanisms in the design of the protocol itself, it may be affected by various security threats. The result is denial-of-service attacks and eavesdropping.

Security problems at Application Layer
This layer deals with end-user applications. IoT is used in various applications, and each application has a variety of end-users. Each user has different access privileges; to ensure the right access privilege, a proper authentication mechanism is needed. Along with users, data privacy also needs to be taken care of. Complex, large-scale data processing algorithms are needed to handle the huge volume of data. Besides, there are application-specific vulnerabilities, because a security mechanism that is suitable for one application may not be suitable for another. Some of the notable attacks are discussed here.

Uncertain interface [25]
To effectively access IoT services, platforms such as web, mobile, cloud, and other services are used. Those platforms must be protected from unauthorized access to ensure data privacy.

Insecure software [26]
The code used for developing an IoT platform needs to be tested and executed carefully. The codes are HTML, XML, XSS, MQTT, and others. Malicious code may be injected into this code.

Device heterogeneous [27][28]
The IoT environment incorporates various devices, and those devices are heterogeneous in nature. So, to provide collaborative IoT services, those devices need to cooperate without introducing any security loopholes.

CoAP security violations [28][29]
CoAP, the Constrained Application Protocol, was developed especially for constrained devices in the IoT environment. It supports web transfer, so a proper encryption mechanism is needed to safeguard this protocol. The open and shared architecture of IoT leads to security violations on this protocol.

Security requirements of IoT
In IoT, data is shared from devices to devices, devices to users, and vice versa. Shared data must be transferred securely without any loss or modification. To secure the IoT environment, various security requirements are needed, and these requirements must be met by any application. Only then can we say that the IoT environment is secured. The security requirements are described below [30][31]. Figure 5 shows the security requirements of IoT.

Authentication
Due to the heterogeneous nature of IoT, every device in the environment must trust other devices through a proper authentication mechanism. It is defined as "a device ensures the identity of other devices with which it is communicating". It ensures the initial level of security and can be achieved in two ways: pre-authentication and post-authentication.

Authorization
Due to the open and shared environment of IoT, a proper authorization mechanism is needed to ensure the right access to the devices as well as information. Simply, only authorized users are allowed to access.

Accounting
To maintain consistency, accountability is needed. It monitors the usage of available network resources, as IoT has resource-constrained devices. Besides, it also deals with auditing, reporting, and monitoring the utilization of resources and devices.

Data Privacy
It ensures that the data shared in the IoT environment is used for the intended purpose. Alternatively, it ensures the rights of individual users regarding how their information is collected and used by users.

Confidentiality
IoT involves a diverse range of services and devices. Data travels through multiple hops; hence there is a possibility that data will be disclosed to unauthorized parties. This should not happen, since the data contains sensitive information.

Integrity
While data travels from one place to another, it should not be altered/modified by unauthorized users. Integrity ensures the reliability of the data which is stored.

Availability of Services
There is a possibility of denial of service by IoT participating devices as they drain their resources due to the nature of the environment. Availability ensures all-time availability of resources even though denial of service occurs.

Energy efficient
IoT devices should be energy efficient at all times. Processing forged services and requests for redundant services leads to energy consumption. Due to the heterogeneous and dynamic nature of IoT devices, failure of hardware and software may happen at any time in the network. To address such issues, alternative solutions are needed with a tamper-proof and fault-tolerant environment.

Trust Management in the Internet of Things
Blaze et al., 1996 [32] introduced trust management. It is derived from social science. The definition is "the trustor is ready to depend on another trustee" [32]. The concept of trust has been used in various fields, as shown in Figure 6. In the networks and communication field, trust is defined as "a combination of relationships among devices that take part in the protocol constructed on the earlier communication of devices within the protocol" [33][34][35]. Trust has been used as a core concept for decisions in the network and communication field, including authentication, Intrusion Detection Systems (IDS), key management, access control, identifying malicious behavior, and more [36].

Properties of Trust
The following section discusses the properties of trust. There are five essential properties, which are shown in Figure 7.

Dynamic
Because of the dynamic nature of the IoT environment, trust relationships among the participating devices change often. Hence, it is harder to predict the trust value of one device with respect to another device. Besides, as IoT supports scalability, new devices can join or old devices can leave the IoT environment at any time [37].

Subjectivity
IoT has different types of devices and offers different services to different users. Because of this heterogeneous nature, devices in IoT might have the same level of trust with respect to other devices. Every device has different communication experiences with other devices [38].

Transitive
For instance, if device d1 trusts device d2 and device d2 trusts device d3, device d1 is not required to trust device d3. In this case, either there is transitivity between device d1 and device d3, or device d1 trusts third parties' references to device d3 [39].

Asymmetric
Due to the heterogeneous nature of IoT, the devices vary in terms of their resources such as memory, bandwidth, battery, processing, and computation. Therefore, a device with high capacity may not trust a device with the lowest capacity, and vice versa [39].

Context-dependent
A device with high computational power is considered a trusted device, and a device with low computational power is untrusted but is not malicious [40].

The role of Trust in IoT
The main motivation for using trust in IoT is that conventional cryptographic methods always involve computational overhead in executing and processing the algorithms. Moreover, they always need a trusted third party and are based on key management, which again increases computational overhead and decreases the performance of the IoT environment. As a result, achieving performance metrics such as throughput, robustness and availability is in question [Wei Gong et al., 2009]. Most importantly, the IoT environment comprises various smart devices, and these devices are human-related or human-carried devices; hence social relationships among the humans are also considered, in terms of ownership, friendship, and community. Ownership denotes the devices a human owns. Friendship denotes the cooperation or friendship among them, and community denotes that the devices involved in IoT belong to some communities. To handle these types of social relationships between the communicating devices, conventional cryptographic methods are not suitable. To solve these problems, trust management has been introduced.

Trust Management building blocks
The following section discusses the trust management building blocks. It consists of various entities such as trust computation, trust propagation, trust aggregation, trust prediction, and trust applications [41]. Figure 8 depicts the trust management building blocks.

Figure 8. Trust management building blocks

Trust level
The trust level is defined by the trust possibility of the trustor regarding the trustee, i.e., whether or not the trustee performs in a predictable way in the opinion of the trustor. The trust level varies from 0 (complete distrust) to 1 (complete trust). Figure 9 depicts the trust level.

Figure 9. Trust Level

Basic methods of Trust Computation
Two basic methods are used to compute trust: direct trust and indirect trust. Both are calculated in either a centralized or a decentralized manner. Sometimes a hybrid approach, meaning the combination of both direct and indirect trust, is used [41]. If the trust metrics are calculated from the immediate devices, that trust is named direct trust. If the trust metrics are calculated based on recommendations from others, that is, not by direct evaluation, that trust is called indirect trust. If direct and indirect trust are combined, that metric is called hybrid trust. Any one of these trust metrics is followed during the trust computation. The following figure depicts the trust evaluation.
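
The direct, indirect and hybrid trust calculations described above, as an added example that is not part of the article. The formulas (a Laplace-smoothed success ratio, a recommendation average weighted by the trustor's own trust in each recommender, a weighted sum with ALPHA), the threshold, and all node names and counts are assumptions made for illustration.

```python
"""Added example: direct, indirect and hybrid trust on the 0..1 trust-level scale.

Assumptions (not from the article): direct trust is a Laplace-smoothed success
ratio, indirect trust is a recommendation average weighted by the trustor's own
direct trust in each recommender, and hybrid trust is a weighted sum.
All node names, counts and constants below are constructed for illustration.
"""

ALPHA = 0.7                  # assumed weight of direct trust in the hybrid value
TRUST_THRESHOLD = 0.5        # assumed cut-off; below it a node is isolated
MIN_RECOMMENDER_TRUST = 0.5  # assumed floor; weaker recommenders are ignored


class TrustTable:
    """Trust state kept by one evaluating device (the trustor)."""

    def __init__(self):
        self.observations = {}  # node id -> [successes, failures]

    def record(self, node, successes, failures):
        counts = self.observations.setdefault(node, [0, 0])
        counts[0] += successes
        counts[1] += failures

    def direct_trust(self, node):
        """Own experience only; a node never seen before gets 0.5."""
        good, bad = self.observations.get(node, (0, 0))
        return (good + 1) / (good + bad + 2)

    def indirect_trust(self, node, recommendations):
        """Recommendations from others, or None if no usable one exists."""
        weighted_sum = total_weight = 0.0
        for recommender, value in recommendations.items():
            if recommender == node:
                continue  # a node may not vouch for itself
            weight = self.direct_trust(recommender)
            if weight < MIN_RECOMMENDER_TRUST:
                continue  # limits the effect of dishonest recommenders
            weighted_sum += weight * min(1.0, max(0.0, value))
            total_weight += weight
        return weighted_sum / total_weight if total_weight else None

    def hybrid_trust(self, node, recommendations):
        direct = self.direct_trust(node)
        indirect = self.indirect_trust(node, recommendations)
        if indirect is None:
            return direct  # fall back to own experience
        return ALPHA * direct + (1 - ALPHA) * indirect

    def isolated(self, node, recommendations):
        return self.hybrid_trust(node, recommendations) < TRUST_THRESHOLD


def build_scenario():
    """Constructed data: a gateway's view of four neighbours."""
    table = TrustTable()
    table.record("n1", 18, 2)   # forwards most packets
    table.record("n2", 2, 18)   # drops most packets (blackhole-like behaviour)
    table.record("n3", 9, 1)    # reliable recommender
    table.record("n4", 1, 9)    # unreliable recommender
    recommendations = {
        "n1": {"n3": 0.9, "n4": 0.0},             # n4 speaks badly of n1
        "n2": {"n3": 0.2, "n4": 1.0, "n2": 1.0},  # n4 and n2 itself praise n2
    }
    return table, recommendations


if __name__ == "__main__":
    table, recs = build_scenario()
    for node in ("n1", "n2"):
        print(node, round(table.hybrid_trust(node, recs[node]), 3),
              "isolated" if table.isolated(node, recs[node]) else "trusted")
```

In the constructed scenario the packet-dropping node stays below the threshold even though two recommendations rate it 1.0, because the evaluator discounts recommenders it has little direct trust in.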

Trust Based Security Schemes
The following section discusses the trust-based security schemes for the IoT environment.

S.No
Authors Security issues/Objectives Malicious components are exposed and in the end isolated

Malicious behavior
Feedback based

Conclusions and Future Direction
As the IoT environment comprises heterogeneous devices, proper security mechanisms are needed to ensure the security of the environment. The security mechanisms proposed by various researchers are not suitable for all applications, because each application varies in terms of its processing, computation, nature of work, utilization of memory, and other capabilities. With this idea in mind, this review article focused on trust-based security mechanisms that are suitable for lightweight applications, where the devices involved are always resource-constrained. This paper discussed some of the substantial works on trust-based security mechanisms in the IoT environment. Before this, security-related topics such as security issues in the various layers of IoT, attacks that affect the layers of IoT, security requirements, and finally the core concepts of trust management and its role in the IoT environment were discussed. In the future, the research work will focus on the Distributed Denial of Service (DDoS) attack in Internet of Things based military environments. A trust-based solution will be implemented to address the DDoS attack, so that the security of military-based IoT will be ensured.