1 Introduction

Underwater Wireless Sensor Network (UWSN) is a network of self-governing sensor nodes which are distributed underwater to sense pressure, temperature etc. This sensed data can be utilized by the arrays of applications like in military surveillance, disaster avoidance, offshore exploration, pollution level examining, etc. that can be used for the benefit of humans [1]. UWSN face several issues like restricted bandwidth, greater propagation delay, random node mobility etc. which are yet to be handled appropriately. These issues give rise to new issues in each layer of the network protocol model [2]. One of the common issues faced in UWSN is the clock synchronization issue. For the appropriate functioning of the network, it is important to achieve a similar notion regarding time along with distributed aggregation of data, localization, time stamping of events, MAC, etc. UWSN is widely used for exploration of aquatic organisms, enemy tracing, discovery of possible resources, disaster prevention, underwater surveillance etc. [3]. A very important contribution of UWSN is automation of Water Quality Surveillance (WQS), since water is the fundamental need of a human being [4]. UWSN has enhanced the monitoring techniques to a great level and it also provides regular and promising surveillance. Since it is possible for an attacker to infuse false data into the network, it is critical to ensure the trustworthiness of the data being utilized for taking decisions.

Also, capability of the UWSN to handle issues and attacks in the real time environment remains an important field of exploration [5,6,7,8]. During the development of network protocols and techniques, security is considered as one of the critical aspects in UWSN. Here, sensors are prone to various attacks because of its cost factors, and also, it can be easily accessed since it is usually situated close to the event source. Moreover, it is possible for any random device to gain access to the information exchanged due to unrestricted nature of communication channel. Thus, attacking sensor nodes or channels in UWSN is an easy task. The security needs in UWSN are devised on the basis of factors are confidentiality, integrity, authentication, and re-authentication for secure acoustic communication. To ensure security in network, authentication is an important factor. For the conventional WSN which is designed for the land topology, several authentication protocols are developed like Blom’s symmetric matrix multiplication algorithm, RSA algorithm, etc. However, these protocols are not suitable for the UWSN because of the increased computation sophistication, low chances of correction, irreversible nature of network processes, etc. Hence, it is important to develop specialized authentication mechanisms for the UWSN.

To the best of author’s knowledge, very limited techniques have been suggested for security during data aggregation in UWSN. The advantages of our contribution in this paper of Secure Authentication and Protected Data Aggregation (SAPDA) are as follows:

  • SAPDA is based on real-time parameters and the same are taken in experiments also.

  • Multiple uses of sink nodes reduce delay, packet drop, and enhances packet delivery ratio.

  • SAPDA proves to be reliable and secure by using trusted encryption schemes.

  • Use of cluster based approach enhances network life time.

Here, the manuscript is abridged into six different sections; out of which, related work on existing security methods is described in Sect. 2. Further, the proposed scheme SAPDA is elaborated in Sect. 3. An analytical model for the proposed scheme is also shown in Sect. 4. The projected method is analyzed and compared with various techniques, whose outcomes are explicitly embodied in Sect. 5. The concluding remarks of the proposed scheme are described in Sect. 6.

2 Related Work

The use of encryption schemes improves the reliability of the system. Existing schemes were proposed to achieve forward or backward security by using hash function only but most of the techniques are not applicable to UWSN. Various existing schemes on reliability are as follows:

Karimi et al. [9] have utilized the techniques of machine learning for a fault tolerant, reliable, and secure framework. This technique suggests collection of information from the environment and passes its inconsistencies from events to actuators in the deployed network. A node has to follow specific rules in a network. This helps in building trust among the nodes. The trust is qualitative and asymmetric in nature [10]. If the rules are not followed by a node then it is identified as an errant node i.e. to be eliminated from the network to restrict further communication. CSLT is developed by Geetha et al. [11] for ensuring location security on the basis of trust model. The model divides the localization into five processes based on selection, localization and trust evaluation of a node. In this article a trust management system for WSNs is proposed that identified different parameters and trust based factors to influence trust variation. STKF a trust based framework is introduced by Kaur et al. [12] that relies on the past and present interaction between the nodes. In this framework the faulty node is isolated from the network route and a link is developed within remaining nodes.

Use of clustering improves the lifetime of the system [13,14,15]. Xu et al. [16] proposed a CLUster-based Secure Synchronization (CLUSS) protocol that guarantees synchronization security even under harsh underwater environments w.r.t. numerous malicious attacks such as sybil attack, delay attack, replay attack, and message manipulation attack. In the CLUSS protocol, the procedure of time synchronization is classified into 3 classes: authentication, inter-cluster synchronization, and intra-cluster synchronization phase. Proposed protocol enhances the accuracy involved in time synchronization. Verma [17] have proposed a Cluster based Key management Protocol (CKP), for hierarchical networks. This protocol is proposed based on the analysis made around the security and mobility issues in UWSN. CKP also presents a communication model to manage mobility effectively and also to reduce the node compromise effect on itself. CKP offers authentication, freshness, confidentiality and also integrity to the network. Based on the performance study, it is proven that CKP is energy efficient as well as storage efficient. Yuan et al. [18] presented a low computational complexity authentication mechanism on the basis of the vandermonde matrix. Matrix multiplication has been replaced by the matrix addition in order to minimize the overhead involved with computation. Also, the proposed mechanism is self-sustaining and irreversible. This improves the UWSN security to a greater extent. Yun et al. [19] developed an appropriate ticket based authentication mechanism for UWSN after analysing the type of tickets selected in the authentication protocol for WSN.

Yavuz et al. [20] have proposed a set of signature mechanism called as Hash-Based Sequential Aggregate and Forward Secure Signature (HaSAFSS). It permits the signer to create a fixed size and compact signature which can be verified publicly with minimum computation expense. Elliptic curve cryptography based HaSAFSS and symmetric HaSAFSS are the 2 HaSAFSS mechanisms proposed there. The proposed scheme combines the proficiency of MAC-based signatures as well as public verifiability signatures along with the preservation of forwards security through Timed-Release Encryption (TRE). Ren et al. [21] have presented a secure as well as reliable data distribution mechanism, capable of facilitating forward secrecy. In this scheme, an optimized data distribution technique was presented to enhance the probabilistic backward secrecy as well as data reliability. Du et al. [22] and Dargahi et al. [23] have provided solutions for routing attacks. Du et al. provided a secure and anonymous routing technique in which short signature algorithm is used in route structure for validation between source–destination node pair. Anonymity is achieved using trap-door system in routing the messages. Dargahi et al. presented a distributed detection and mitigation technique to mitigate routing attacks. The behavior of neighbors is monitored by storing their ongoing traffic details. Dini et al. [24] proposed a security suite that bears a protected routing protocol and a set of cryptographic primitives. It assures privacy and reliability in underwater communication.

In past, very few schemes were suggested for reliable communication in UWSN and there created a space for further enhancement in attaining energy efficient technique having decreased delay and packet drop [25,26,27,28,29,30,31,32,33,34,35,36,37,38,39]. In recent past investigators have proposed the work in WSN and have designed numerous techniques for secure data aggregation. The situation has also created the need to implement the existing techniques in underwater network to explore the consequences in a diverse environment.

3 Secure Authentication and Protected Data Aggregation (SAPDA)

In this paper, a secured authentication and protected data aggregation scheme for UWSN is proposed in cluster based environment. The proposed technique consists of two modules: Secure authentication of cluster heads (CHs) and protected data aggregation. In first module, CHs are authenticated to gateways (GWs). The authentication is required to ensure that the CH serving each cluster is a valid node and is not compromised. This confirms that the cluster is under safe operation. In second module, each sensor protects the data using symmetric encryption, before sending to the CH. The data is then aggregated in a secure manner and transmitted to the base station. Any compromised data, if detected through time stamp values, is handled to ensure secure network operation. Figure 1 shows this model of SAPDA through the block diagram.

Fig. 1
figure 1

Block diagram of SAPDA

Full size image

3.1 System Model

The system model of UWSN is considered as made up of sensor nodes, CH, GW and base station (BS). Figure 2 shows the proposed system model of UWSN. Each sensor node is a part of minimum one cluster that itself is managed by a CH. The base station links CH with the GW through acoustic links. This GW has unlimited energy resources and perfect timing information. If there are 2 or more than 2 GWs, then they transfer information with each other through radio frequency (RF) links.

Fig. 2
figure 2

System model

Full size image

3.2 Module 1: Secure Authentication of Cluster Head

After route establishment among the clusters, all the CHs are authenticated to the GW. Here, every CH in the network initially generates secret key and registration request with GW. CH further creates hash value and signs it using secret key for sending the request to GW. The request is decrypted at GW using public key of CH and retrieves the time stamp. GW generates registration confirmation by using hash value received and time stamp. Both hash values are compared by ignoring small variation to authenticate CH. GW sends registration response to CH after signing hash value using secret key of GW. CH determines that it has been authenticated by decrypting the registration response received using public key of GW. The process of CH authentication is also described in Algorithm 1.

Notations

Meaning

\(SK_{CH}\)

Secret key generated by CH

\(PK_{CH}\)

Public key of CH

\(CH_{id}\)

ID of the CH

\(GW_{id}\)

ID of the gateway

\(CH\_RR\)

CH registration request

\(CH\_RC\)

CH registration confirmation

\(M_{RREQ}\)

Registration request message

\(M_{RRES}\)

Registration response message

\(H\)

Hash function

\(T_{s1}\)

Time stamp at which the request was generated at CH

\(T_{s2}\)

Time stamp at which the reply was generated at GW

\(SK_{GW}\)

Secret key of gateway

\(PK_{GW}\)

Public key of gateway

figure d

In this way, every CH is individually and securely authenticated by the GW to ensure that any malicious node is not controlling the cluster operation leads to safeguarding the cluster from being compromised.

3.3 Module 2: Protected Data Aggregation

After ensuring that the selected CH is authentic, the sensor nodes transfer data to its CH. Each sensor protects the data using symmetric encryption, before sending to the CH. The data at CH is aggregated securely and further transmitted to Base station where compromised data, if any detected, is handled accordingly. This process is described in Algorithm 2.

Notations

Meaning

\(S_{i}\)

Sensors

\(S_{id}\)

ID of \(S_{i}\)

\(T_{s3}\)

Time stamp at which the data is sensed at \(S_{i}\)

\(K_{m}\)

Master key

\(K_{i}\)

Encryption key

\(K_{d}\)

Decryption key

\(Enc_{K}\)

Encryption using \(K_{i}\)

\(D\)

Sensed data

\(D_{Enc\left( i \right)}\)

Encrypted data at \(S_{i}\)

\(D_{{Enc\left( {col} \right)}}\)

Collection of encrypted data from all \(S_{i}\) at CH

\(D_{{Enc\left( {CH} \right)}}\)

CH’s encrypted data

\(D_{{Enc\left( {agg} \right)}}\)

Aggregation of encrypted data

figure e

In this way, the data transmission is performed with high security and securely aggregated by the CH. The aggregated data is checked for its authenticity by the base station through its time stamp and detected compromised data is discarded to ensure the safety of the remaining aggregated data. The detected compromised/malicious node is then isolated from the cluster to maintain network security.

To show overall processing of information through process flow diagram of SAPDA Fig. 3 is depicted here. In this diagram, the process flows 1 and 2 indicate the CH authentication with its GW. Process flow 3 indicates the symmetric encryption of data by the sensor nodes and process flow 4 indicates decryption of received data by the BS.

Fig. 3
figure 3

Process flow of SAPDA

Full size image

4 Analytical Model

Due to packet drop of some control packets, signature mismatch may occur, leading to the false detection and isolation of honest node. The probability of false detection and isolation becomes necessary and can be derived as follows:

Let,\(P_{r} =\) probability, \(P_{D} =\) probability of packet drop, \(R =\) packet generation rate, \(t =\) time interval, \(SM_{i} =\) number of signature mismatches of node \(N_{i}\) among its neighbours.

Then the probability of \(SM\) exceeding the maximum threshold \(SM_{th}\) is given by

$$P_{r} \left( {SM > SM_{th} } \right) = 1 - \mathop \sum \limits_{i = 1}^{{SM_{th} }} \left( {\begin{array}{*{20}c} {Rt} \\ i \\ \end{array} } \right)P_{D}^{i} \left( {1 - P_{D} } \right)^{Rt - i}$$

Let,\(W =\) number of warnings received by node \(N_{i}\) when any of its neighbour turns to be malicious.

The probability of \(W\) exceeding the maximum threshold \(W_{th}\) is given by

$$P_{r} \left( {W\left( {N_{j} } \right) > W_{th} } \right) = 1 - \mathop \sum \limits_{i = 1}^{{W_{th} }} \left( {\begin{array}{*{20}c} {NH} \\ i \\ \end{array} } \right)P_{FD} \left( {N_{j} } \right)^{i} \left( {1 - P_{FD} \left( {N_{j} } \right)} \right)^{NH - i}$$

where,\(NH\) is the number of neighbours of node \(N_{i}\), \(P_{FD} \left( {N_{j} } \right)\) is the probability of False Detection of node \(N_{j}\) which is given by

$$P_{FD} \left( {N_{j} } \right) = 1 - exp\left[ { - 2 \cdot \frac{{\left( {R \cdot t \cdot P_{D} - SM_{th} } \right)^{2} }}{R \cdot t}} \right]$$

Then the probability of False Isolation \(P_{FI}\) is given by

$$P_{FI} \left( {N_{j} } \right) = 1 - exp\left[ { - 2 \cdot \frac{{\left( {NH \cdot P_{FD} \left( {N_{j} } \right) - W_{th} } \right)^{2} }}{NH}} \right]$$

5 Results and Analysis

The AquaSim tool of NS2 is used. To simulate the proposed scheme in UWSN, the UnderwaterChannel and UnderwaterPropagation model are used. We have used UnderwaterMac as the MAC layer protocol and considered area size as 1000 × 1000 m2 region for a span of 100 s. Here, 200 sensor nodes are randomly deployed that remain static. The numbers of attackers varied from 1 to 10. The other parameters used are given in Table 1.

Table 1 Parameters used
Full size table

The proposed SAPDA is compared with HaSAFSS [20], ES [21], FDRT [25] and IDACB [27] schemes. Although HaSAFSS allows signer to produce a fixed-size and freely verifiable signature in sequence but, it requires asymmetry between the (distinguish characterised) senders and receivers. ES scheme applies RS code so that the encrypted data is encoded into \(n\) shares where the BS collects data, say \(m\), shared by nodes and reconstructs data using \(\left( {m,n} \right)\) RS codes. Although this scheme ensures reliability of data but, it involves high computational cost and delay. FDRT uses scheduling (TDMA based) for collision free data transmission but it doesn’t ensure secure data aggregation because when number of attackers is more it takes time to confront them. IDACB uses receiver oriented sleep scheduling mechanism with data fusion at cluster head but did not implement encryption during data transfer for secure communication.

The malicious nodes or numbers of attackers are taken randomly and varied from 1 to 10. The results so obtained of the proposed SAPDA and existing HaSAFSS, ES and IDACB named schemes are compared graphically below. The performance metrics considered for comparison are:

Average End-to-End Delay It is the total time consumed by data packet to arrive BS which includes encryption time at sensors, aggregation time at CH, transmission time from CH to BS, and decryption time at BS. Figure 4 displays the results of end-to-end average delay for the proposed and existing techniques.

Fig. 4
figure 4

Average end-to-end delay varying according to number of attacker nodes

Full size image

When the attackers are increased from 1 to 10 the delay of proposed technique SAPDA increases from 0.0020 to 0.0034 whereas the delay incurred in existing ES scheme increases from 0.0053 to 0.023, the delay in existing HaSAFSS increases from 0.024 to 0.031, the delay in existing FDRT increases from 0.01209 to 0.030902 and the delay of existing IDACB increases from 0.002055 to 0.00743. Hence the delay of SAPDA is 91% lesser when compared to HaSAFSS, 72% less when compared to ES, 84% less when compared to FDRT and 41% less than IDACB. This is due to the fact that HaSAFSS necessitates an ExpOp to set each time and ES scheme requires RS encoding and decoding.

Average Data Delivery/Reliability Ratio It is said to be the ratio of data packages successfully received w.r.t. the entire sum of packages transmitted from source. It totally reflects the reliability and efficiency of the network. Figure 5 demonstrates the results of data reliability for the proposed and existing methods.

Fig. 5
figure 5

Average data delivery ratio variation according to number of attacker nodes

Full size image

As attackers are increased from 1 to 10 the average delivery ratio of SAPDA decreases interestingly from 0.7186 to 0.5322 while the average delivery ratio of HaSAFSS decreases from 0.4274 to 0.3056, the delivery ratio of ES decreases from 0.5874 to 0.3542, the average delivery ratio of FDRT decreases from 0.4272 to 0.31205 and the average delivery ratio of IDACB decreases from 0.6186 to 0.4322. Hence the average delivery ratio of technique SAPDA is 12% greater than HaSAFSS, 20% higher than ES, 36% higher than FDRT and 14% higher than IDACB schemes.

Average Packet Drop It is counted as the number of packets dropped due to attacks. Figure 6 depicts the simulation results of average packet drop for the techniques under consideration.

Fig. 6
figure 6

Average packets dropped comparison with varying to number of attacker nodes

Full size image

As shown in the above graph, when the attackers are increased from 1 to 10, the packet drop of SAPDA increases from 15 to 23 however the packet drop of ES scheme increases from 16 to 57, the packet drop of HaSAFSS increases from 47 to 88, the packet drop of FDRT increases from 26 to 71 whereas the average packet drop of IDACB increases from 16 to 40. Hence the packet drop of SAPDA is 71% less when compared to HaSAFSS, 19% less when compared to ES, 57% less when compared to FDRT and 21% less in comparison to IDACB schemes. This is due to the fact that HaSAFSS, ES, FDRT and IDACB schemes did not possess strong authentication before the data reaches to BS. Hence data drop occurs at intermediate nodes along the path.

Average Energy Consumption It is analysed as the total amount of energy consumed by all the nodes during data packets transmission in the network. Figure 7 shows the effects of energy consumption for the proposed and existing techniques.

Fig. 7
figure 7

Average energy consumed variation according to number of attacker nodes

Full size image

The graph in Fig. 7 represents that with the increase in attackers from 1 to 10, the average energy consumption of SAPDA increases from 392 to 1222 joules, the average energy consumption of ES increases from 1429 to 5266 joules, the average energy consumption of HaSAFSS increases from 671 to 2820 joules, the average energy consumption of FDRT increases from 576 to 1449 joules and of IDACB increases from 492 to 1522 joules. Hence the delay of SAPDA is 43% lesser when compared to HaSAFSS, 67% lesser when compared to ES, 19% less when compared to FDRT and 17% less in comparison to IDACB schemes. This is due to the fact that HaSAFSS, ES and IDACB schemes involve high computational overhead as opposed by the proposed SAPDA technique.

6 Conclusion

A secured authentication and protected data aggregation mechanism is proposed for improving QoS in scalable and survivable cluster based underwater network. It works in two modules: authentication and data aggregation. In first module, the cluster head of each cluster is authenticated by the gateway. In the second module, the sensor node within the cluster secures its data through encryption. The base station analyses the data and detects compromised data using timestamp value. The compromised data thus detected is discarded. Its associated node referred as malicious node gets isolated from the network. In this way, the proposed scheme ensures data security and node authentication. Presented scheme is having application in marine and underwater vehicle communication security where energy efficiency is crucial requirement with lower packet drop. The performance of the proposed scheme is analysed in terms of data reliability ratio, packet drop, average energy consumption and end-to-end delay in UWSN and compared with existence techniques. The graphical representation of results states the outstanding performance of proposed scheme SAPDA in comparison to existing schemes.