E-Health Sensitive Data Dissemination Exploiting Trust and Mobility of Users
IIEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 1
E-Health Sensitive Data DisseminationExploiting Trust and Mobility of Users
Agnaldo de Souza Batista , Michele Nogueira , Aldri Santos
Abstract —E-health services handle a massive amount of sensitive data, requiring reliability and privacy. The advent of newtechnologies drives e-health services into their continuous provision outside traditional care institutions. This creates uncertain andunreliable conditions, resulting in the challenge of controlling sensitive user data dissemination. Then, there is a gap in sensitive datadissemination under situations requiring fast response (e.g., cardiac arrest). This obligates networks to provide reliable sensitive datadissemination under user mobility, dynamic network topology, and occasional interactions between the devices. In this article, wepropose STEALTH, a system that employs social trust and communities of interest to address these challenges. STEALTH follows twosteps: clustering and dissemination. In the first, STEALTH groups devices based on the interests of their users, forming communities ofinterest. A healthcare urgency launches the second, in which STEALTH disseminates user sensitive data to devices belonging tospecific communities, subjected to the level of trust between devices. Simulation results demonstrate that STEALTH ensures datadissemination to people who can contribute toward an efficient service. STEALTH has achieved up to 97.14% of reliability in accessingsensitive data with a maximum latency of 170 ms, and up to 100% of availability during emergencies.
Index Terms —E-health,sensitive data dissemination, dynamic networks, critical events, dissemination control, safety. (cid:70)
This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version mayno longer be accessible.
NTRODUCTION T HE Internet allows us to access an increasing numberof online services, supporting the population in dif-ferent application domains like healthcare, transportation,surveillance, among other. Forecasts estimate that the sizeof digital health market can exceed USD 504.4 billion by2025 [1]. In this context, e-health services, like online patientmonitoring, continuous glucose monitoring, automated in-sulin delivery, and electronic health records, have leveragedcitizens’ quality of life streamlining care and contributingto reduce operational costs. These services collect and dis-seminate data often through opportunistic contacts betweengeographically near devices, when interactions enable thecommunication [2]. Data dissemination relies on sharing,being a demanding task, intensified by a high data dis-semination frequency, location, and content [3], [4]. Manyservices require dynamically established local or global net-works to support their operation under mobility.Mobile devices collect various types of data [5], allow-ing improvements in different domains. The interactionbetween people and smartphones has intensified, allowingthe formation of temporary local networks, where data areexchanged for different purposes and usually for a period.In general, these dynamics rely on structured wireless net-works (e.g., structured WiFi-based or cellular networks),which offer extensive coverage inside buildings and cities.These networks inhibit direct communication between de-vices, which often impacts the response time on criticalevents (e.g., traffic accident, health emergency, and environ-mental disaster). E-health services lean on well-structurednetworks in hospitals and clinics to disseminate sensitive
A.S. Batista, M. Nogueira and A. Santos are with the Federal University ofParan´a, Brazil. Email addresses: { asbatista,michel.nogueira,aldri } @ufpr.brManuscript received []; revised []. data. However, people also might need these services any-where and anytime, including exterior environments.People can be suddenly stricken by a health issue. In2011, more than 326 200 people experienced medical emer-gencies observed out-of-hospital in the United States [6].Therefore, building and maintaining urban outside environ-ments (e.g., streets and avenues) are a challenge, mainly toprovide e-health services, given the need for a reliable net-work infrastructure. The nature of sensitive health data ad-dressed by e-health services (e.g., vital data, blood pressureinformation, glucose measurements, exam results, and med-ical prescriptions) requires reliability in data disseminationand protection from unauthorized access. Furthermore, dueto their emergency nature, medical alerts must be promptlytransmitted [7] with a maximum latency of 125ms [8], oncethe consequences in the face of losses and delays can besevere to users health [9].Currently, the existing mechanisms are inadequate todeal with healthcare urgency in urban environments, suchas a cardiac arrest, change in blood pressure, or change inglucose level, because they require prompt treatment. Safetyservices deliver data to the right people and prevent leaks.Several works in the literature address data availability inunstructured networks in the contexts of Internet of Things(IoT) [10], [11], MANETs [12], and P2P [13]. But, they takeas basis previous interactions for the decision-making inhandling data. Few studies turn to situations where pre-vious interactions are unknown (zero-knowledge [14]), inwhich there is only information from current interactions.Therefore, these solutions are not suitable for dynamic andsparse urban environments, as they assume the existence ofa network infrastructure before data dissemination.The ubiquitous presence of smartphones in people’slives supports direct communication between them bymeans of technologies as bluetooth and WiFi [15]. Smart- a r X i v : . [ c s . C Y ] M a y EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 2 phones serve as gateways once they have multiple networkinterfaces, interconnecting users medical devices to the In-ternet [16] to disseminate their health data. However, datadissemination must occur under control in networks to de-liver data to the correct entities at the appropriate time [17].In this context, the social aspects of the devices owners andfrom their relationships enable grouping network devicesinto communities [11]. Furthermore, some works employtrust as a criterion to control data dissemination [10]. Al-though suitable for unstructured networks, these works usereputation and recommendation models to evaluate trust,which in general are techniques dependent on the pastinteractions between devices.This article presents the STEALTH ( S ocial T rust-Based HEALTH
Information Dissemination Control) system todisseminate personal sensitive health data in a controlledmanner to achieve a minimum level of data confidentialityin dynamic wireless local area networks. It forms commu-nities by grouping devices with common interests to createrelationships of trust with each other. As long as the devicesbelong to a community and they are in the same wirelesscoverage range, they maintain connectivity with each otherand their interactions occur between devices inside thecommunity [11]. STEALTH considers the social aspects ofdevices owners and their relationships to measure trust ofthe neighbors. Under urgent situations, the system dissemi-nates sensitive data controlling the process by choosing theappropriate device and user to receive them.We evaluate STEALTH in the NS-3 simulator [18] andwe analyze its dependability to disseminate sensitive healthdata through evaluation metrics. To the best of our knowl-edge, this is the first work aimed at disseminating healthdata in dynamic urban environments, outside conventionalenvironments (e.g., hospital or clinics). The results show thatSTEALTH reaches 97.14% in data dissemination reliabilityand a maximum latency of 170 ms, while data availabilityachieves 100% under urgencies.This article proceeds as follows. Section 2 reviews the re-lated works. Section 3 introduces trust models in networks.Section 4 details the proposed system. Section 5 describesthe evaluation methodology and results. Finally, Section 6concludes the article and presents future directions.
ELATED W ORK
Effective and fast data dissemination is a challenge [19]. Itcomes from issues like dissemination frequency, dissemina-tion location, and the nature of the content to be dissem-inated [3], [4]. Data dissemination also suffers from linklosses, eavesdropping, and devices mobility [20]. Consid-ering these issues, one may define an appropriate strategyfor data dissemination at the right time and to the rightperson [17]. Hence, there are different strategies in the litera-ture to address these issues. The applied strategies comprisesending data in either an occasional or periodic fashion.Also, they send data from a source to a specific destination,or from a source to multiple destinations simultaneously.Data dissemination raises security and safety concerns,particularly, if the information is sensitive and vulnera-ble to privacy attacks. The commonly applied techniquesto data dissemination are broadcasting data [21], multi-hopping transmission [22], and data replication [23]. In dynamic scenarios (when there is a intense device mobility) ,broadcasting data is an adequate solution [17]. The authorsin [21] proposed a protocol to disseminate data in mobileIoT networks. This protocol combines the neighborhoodknowledge from nodes and adapts the connectivity factorto calculate the probability to determine whether a packetshould be broadcast to other nodes or discarded, to preventredundant packet broadcast. Although it is an effective strat-egy to data dissemination, it can cause channel collisionsand compromise sensitive data privacy, as nodes do notcontrol whom effective is receiving the disseminated data.Multi-hopping data transmission can be applied in dy-namic and infrastructure-free environments. In [22], theauthors presented a general-purpose IoT platform based ona combination of Low-power Wireless Personal Area Net-work (LoWPAN) and multi-hop Wireless Sensor Network(WSN) technology. This platform provides multi-hop long-range connectivity between sensors and data sinks for real-time sensor data dissemination and analytics. This solutiondisseminates data in real-time, but it relies on the supportof known devices to implement a multi-hop operation.Another strategy employed in data dissemination is datareplication. In [23], the authors proposed a mechanism todeploy large scale observation systems in remote areas,when there is not a permanent connection with the Internet.The mechanism employs replication and distributed storagetechniques to increase the amount of data stored withinwireless sensor networks and to reduce the probability ofdata loss. This strategy addresses the infrastructure issue,but it does not meet the low latency requirements forsensitive data dissemination.Trust techniques contribute to ensure safety and securityin data dissemination, but there are challenges investigatedby several works from the literature [24]. Reputation [25]and recommendation [10] models are techniques commonlyapplied, as well as communities of interest (CoI) [11], toevaluate the trust level of devices in networks. In general,recommendation and reputation techniques lean on previ-ous interactions of the devices, hence their behavior can becharacterized over time. Few works focus on zero-knowledge environments, where maintaining interaction records is notalways feasible due to the dynamic of environments, devicesmobility and, sometimes, the constrained computationalresources for processing and storing information, like in IoT.Dynamic interactions of devices over time are briefly useful.In [10], the authors presented a protocol based on rec-ommendation techniques and sharing information betweenhealth devices in IoT for decision-making on access tospecific sites. The protocol evaluates environments in whichdevices owners have been at a particular time and place, andit builds a database for the future decision-making process.The recommendation techniques incorporate characteristicsof social relationships from device owners to manage theaccess to environments. However, they require many in-teractions between devices, what is not always possiblein dynamic network environments. Therefore, those tech-niques can inhibit the construction of database, making thedecision-making process unfeasible.In [25], the authors presented the Reputation, Experienceand Knowledge (REK) approach, whose goal is to assesstrust based on multi-dimensional aspects: reputation , expe- EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 3 rience and knowledge . Reputation consists in a public opin-ion about who is evaluated.
Experience takes into accountprevious interactions with who is evaluated.
Knowledge cor-responds to the understandings about who is evaluated.Although reputation allows choosing specific devices toperform critical tasks, it demands knowledge of devicesinteractions over time. Recommendations and experienceface the same issue. Also, measuring subjective indicators,such as knowledge and experience, is a challenging [24].In [11], the authors proposed a protocol to manage trustin social IoT environments, where conditions are dynam-ically changing (e.g., increasing misbehaving node pop-ulation/activity, changeable behavior, rapid membershipchanges, and interaction pattern changes). The protocolestablishes communities clustering devices based on rec-ommendations and the relational trust attributes from thesocial relationships of device owners, such as honesty andcooperation. Network devices can participate in a clusteror leave it any time. However, as recommendations relyon past interactions, the protocol is unsuitable to dynamicenvironments with eventual interactions.Although all the above works offer important contribu-tions, they do not make it possible to disseminate sensi-tive data outside traditional care institutions. Existing solu-tions employ techniques (e.g., reputation [25], recommen-dation [10], experience, and knowledge [25]) that dependon past interactions of the network devices. Hence, thosetechniques inhibit to work under
Zero-Knowledge condi-tions [14]. Most importantly, data dissemination by broad-casting data [21], multi-hopping transmission [22], and datareplication [23] faces issues like devices mobility and sparseenvironments. These issues demand controlled data dissem-ination, avoiding unauthorized access to data. STEALTHovercomes these shortcomings.
ACKGROUND AND O VERVIEW
Ensuring robustness in the dissemination of sensitive dataon IoT requires a level of trust among the existing de-vices [26], that can be obtained from social aspects of theirowners (i.e., characteristics of people and social relation-ships). The application domain defines the social aspects tobe employed (e.g., emotional, logical, and relational trust).In dynamic environments, where there is no history of previ-ous device interactions (i.e.,
Zero-Knowledge conditions [14]),proposals for evaluating trust are still incipient.A range of trust techniques has supported solutionsin different networks, like Mobile Ad Hoc Networks(MANETs) [12]; Peer-to-Peer (P2P) [13], [27]; and, recently,the Internet of Things (IoT). In IoT, one observes trust tech-niques through centralized [10], [28], [29], and distributedapproaches [11], [25], [30], [31], [32], [33]. A set of tech-niques stands out in the trust composition, such as messageexchange, communities of interest, and recommendation.Among the attributes for trust evaluation, there is thenumber of messages received and forwarded, interactions,and activities. Communities group devices based on somecriteria (i.e., common characteristics or interests).The trust assessment of network devices follows dif-ferent approaches. The number of data writing and for-wards within predicted limits may indicate a trustworthydevice. By exchanging specific messages, the authors have demonstrated the correct functioning of a system or mecha-nism [13]. Few evaluation techniques take as basis social re-lationships among devices owners, observing information,such as user profiles, location, or interests. Information fromsocial networks, like Facebook, Linkedin, and Foursquare,for example, improves the evaluation of the relationshipsbetween network devices; meanwhile, they restrict access toinformation to only trusted ones [27].Reputation techniques are commonly part of a trust as-sessment process of IoT devices. This may happen throughcentralized [10], [28], [29], or distributed approaches [11],[25], [30], [31], [32], [33]. Although centralized approachesfor IoT are not commonly found in the literature, there areany works available. These solutions usually assess trustthrough reputation techniques and the number of messagesreceived and forwarded. These approaches do not meet allIoT configurations, mainly in dynamic environments (i.e.,where devices are highly mobile and eventually partici-pate in the network). Distributed approaches suit better toIoT, and, generally, the solutions associate reputation withother trust techniques, like recommendation. This processimproves efficiency and effectiveness. Intrusion detectionsystems employ reputation techniques [28]. They combinereputation with watchdog strategies and trust to groupdevices and handle their density and mobility. Therefore,they can detect attacks in routing, and prevent, identify, andisolate their effects on the network [28]. In such cases, theycalculate the reputation of a network device from the rela-tion between the number of receiving and transmitting data.They classify the device behavior based on that relation.Devices propagate their reputation to others in the network,allowing them to also calculate trust.Recommendations are indirect observations and allowdevices to share information, for instance, about particularenvironments (e.g., temperature, humidity, and time) [10].This procedure helps in decision making, such as decidingwhether people can access some locations. Recommenda-tions make feasible to compute the reputation of networkdevices, taking into account direct observations that othernodes make about it. Besides that, the choice of recommen-dations to the detriment of older information contributesto the increasing convergence speed of trust [31]. The re-lationship between device owners at IoT enables groupingdevices to establish clusters or communities, given socialaspects such as honesty and cooperation [11], [30], [31].Device interactions inside communities are more intensethan between distinct communities, where data traffic re-duces to some extent. In this context, devices perform trustassessment within the cluster they belong to. Besides, CoIsallow coping with network scalability.
YSTEM M ODEL
This section provides an overview of the network model andthe STEALTH architecture. Next, we illustrate an example ofthe operating STEALTH.
STEALTH relies on social aspects and relationships fromthe device owners to create local networks over time andto maintain communities of interest, as depicted in Fig. 1.Under a critical event leading to an emergency, STEALTH
EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 4 disseminates sensitive data to appropriate receivers who arephysically close, taking as basis the receiver competence.Hence, STEALTH supports emergency care to a person.Fig. 1: Network model and sensitive data disseminationSTEALTH carries out on a set of portable devices(nodes), denoted by D = { d , d , d , ..., d j } , where d j ∈ D ,interconnected in a wireless communication network. Thesenodes have processing and communication resources togroup nodes and disseminate data. Each node possesses aunique identifier ( Id ) to identify it over time. Each deviceleverages the competence (skill) and interests from its owneror user, as attributes for trust calculation in STEALTH.Hence, in a skill set S = { s , s , s , ..., s k } , | S | (cid:54) = 0 , acompetence level s m , such that s m ∈ S , is a value in therange 0 to 1, represents a skill or knowledge from the owneror user of a device d w , where d w ∈ D , in a particular fieldof activity (e.g., doctor, police officer, other). Each node alsoholds a set of interests I n = { i , i , i , ..., i z } , where | I n | (cid:54) = 0 and I n ⊂ I , and I is the set of all interests. An interest is ahobby, taste or preference (e.g., music, health, other).Nodes are grouped by common interests and form com-munities over a given period of time. A community C is a set of distinct tuples (cid:104) node, period, interest (cid:105) , where C = {(cid:104) d , P l , i z (cid:105) , (cid:104) d , P l , i z (cid:105) , ..., (cid:104) d n , P l , i z (cid:105)} and P l =(( t s , t e ) , ( t s , t e ) , ..., ( t sl , t el )) , with t s ∗ ≤ t e ∗ . The effi-ciency of applying node interests as a criterion for formingcommunities is associated with their closeness, while com-petence are effective inside each community. By simplicity,we assume that disconnected or intermittent failing nodesdo not act on the network. Also, connected nodes behave inan honest manner, disregarding attacks on system health.
Fig. 2 illustrates the STEALTH ( S ocial T rust-Based HEALTH
Information Dissemination Control system) architecturethat comprises two main modules: the
Community Man-agement module (CMM) and the
Critical Event Manage-ment module (CEM). The first module is responsible for cre-ating and updating the communities of interest establishedover time from the interaction among people. The secondmodule is responsible for verifying and disseminating thesensitive data of a person in an emergency, The next subsec-tions describe each module.
This module measures the trust level of nearby devicesand includes them in a community. A device joins a com-
1. Definition adapted from the concept of dynamic communitiesproposed by [34] and revised by [35]
Fig. 2: STEALTH Architecturemunity depending on its health interest and upon receiv-ing the node identification message with its Id , interests,and competence. CMM is also responsible for identify-ing the node to a neighbor that is searching for neigh-boring nodes to form their communities. It comprisesfive components: Neighborhood , Interests , Competence , Trust and
Community Maintenance . The
Neighborhood componentsearches for neighboring nodes. It sends an identificationmessage to other nodes that are searching for neighborsto identify its neighborhood. The
Interests component an-alyzes the interests of neighboring nodes when receivingthem, it identifies common interests to group nodes andform communities of interest. The
Competence componentdeals with the competence of the neighboring nodes whenreceiving it to know their health competence level. Basedon their interests, the
Trust component measures the trustlevel of neighboring nodes when receiving their interestsand competence. It verifies on their health community theneighbor with the highest health competence level. Finally,the
Community Maintenance component coordinates the cre-ation, extinction, and modification of CoIs, from nodesinteractions. It ensures the communities of interest followingthe evolution of local networks established over time.Network nodes start operating in an isolated way and, asthey move, find other nodes, and establish communities ofinterest with those that are health-interested. As described inAlgorithm 1, each node periodically initializes its neighborlist ( l .3), announces its presence by broadcasting messages( l .4) searching for neighboring nodes and wait for a timeinterval to a new announcement ( l .5). When a neighbornode takes notice that a node announces its presence ( l .8),it forwards to this announcing node an identification message ( l .11). Upon receiving this message, the announcing nodeverifies whether they are both health-interested ( l .14). If theyare, the announcing node measures the trust level of theneighboring node through EvaluateNeighborTrust ( l .15) andit includes the neighboring node into its neighbor list ( l .16)inside its health community. This takes into account the trustlevel of the neighboring node, its competence ( l .20) and thecommon interests with the announcing node ( l .21-23). Competence Classification
Every device user possesses certain abilities to perform thedaily activities, which are competences obtained from pro-fessions, skills, or hobbies, for example. STEALTH takes into
EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 5
Algorithm 1:
Community Management for each node d ∈ D do procedure S EARCH N EIGHBORS while (true) do NL ← SendAnnounce ( ) W aitInterval ( ) end while end procedure procedure R ECEIVE A NNOUNCE ( ) nskill ← GetSkill ( ) ninterest ← GetInterests ( ) AnswerAnnounce ( id, nskill, ninterest ) end procedure procedure R ECEIVE A NSWER ( id, nskill, ninterests ) if ( CommonInterests ( ninterests ) AND HealthInterest ( ninterests ) ) ntrust ← EvaluateNeighborT rust ( nskill, ninterests ) NL ← RegNeighbor ( id, nskill, ninterests, ntrust ) end if end procedure procedure E VALUATE N EIGHBOR T RUST ( nskill, ninterests ) skilltrust ← GetSkillT rust ( skill, SkillsT axonomy ) ncinterests ← GetNCInterests ( interests ) nninterests ← GetNNInterests ( ) itrust ← ncinterests / nninterests return ( skilltrust + intereststrust ) / end procedure account competences to disseminate sensitive data to theright person (i.e., who is health-skilled). Therefore, a set ofhealth competences is hierarchically organized employingthe level of each profession knowledge as a criterion. Thisorganization gives rise to a skill taxonomy ( S T ), depictedin Fig. 3, which distributes health competences of eachprofession in levels, as proposed by [36].STEALTH follows an extension of this taxonomy withother competences, according to the current need. It classi-fies nodes based on the health knowledge of the device own-ers. It organises devices related to people with healthcareknowledge into two distinct areas - medicine and nursing.In the branch of medicine, there are doctors. In the field ofnursing, there are nurses and several other professionals,as well as a class of professionals with reduced healthskills, here called practitioners. This group encompassescaregivers, police officers, firefighters, and other profession-als trained to provide first aid.Fig. 3: Healthcare skill taxonomySTEALTH evaluates the similarity of people competenceemploying a skill taxonomy based on [37], [38] and depictedin Fig. 3. Fig. 4 illustrates the verification of the similarity ofa competence. In this work, the reference competence ( s ref )is a doctor, because this professional has the highest health-care knowledge. STEALTH calculates Sim s through (1),where N corresponds to the number of levels from the Fig. 4: Measure of similarity between skillscommon level ( l common ) closest to the neighbor competenceand the reference competence, to the root of the taxonomy( Root ). The N is the number of levels from the neighborcompetence ( s Neigh ) to the root of the taxonomy (
Root ),and N is equal to the number of levels from the referencecompetence ( doctor ) to the root of the taxonomy ( Root ). Thevalues of
Sim s vary in the range [0 , , as showed in (2). Sim s = 2 × N N + N (1) Sim s = , if s ∈ { other } ]0 , , if s / ∈ { other, doctor } , if s ∈ { doctor } (2) Assuming the necessity to evaluate the similarity be-tween life-saving ( Sim s ) and doctor competences, we followthe taxonomy in Fig. 3. The competence of a doctor is threelevels up to the root of the taxonomy and corresponds to N . The life-saving competence is four levels up to the root ofthe taxonomy and equals to N . Finally, STEALTH obtainsthe distance of the common level from the assessed andreference competences ( health ) to the root of the taxonomy, N = 1 . By means of (1), STEALTH obtains Sim s = 0 . ,which is the similarity of the life-saving to doctor competence. Trust Measurement
STEALTH measures trust level for the nodes based on socialaspects of their devices owners: an individual -
Competence - and a relational one -
Similarity . Competence is a skillperceived in a node, inherited from the device owner toperform a task [24] (e.g., a profession, a hobby). Trust isa variable value, and it increases as the healthcare compe-tence of the assessed node resembles the doctor competence.Similarity is related to common interests that the evaluatingnode and the evaluated one possess. Therefore, trust valueincreases as the number of common interests increases. Anode evaluates the trust of other nodes only if they arehealth-interested. Hence, the measurement occurs wheneverthe evaluated node possesses at least health interest, whichimplies a minimum trust value always greater than 0.One consider a node x encounters a node y and mea-sures its trust level about the common interests betweenthem, T Ixy . It is a ratio between their common interests, I x ∩ I y , and the interests of the evaluating node itself, I x . T Ixy is obtained through (3), which is based on [31]. The valuesof T Ixy vary in the range [0 , , as showed in (4). This trustmeasurement occurs whether node y is health-interested. T Ixy = | I x ∩ I y || I x | (3) EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 6 T Ixy = , if I y (cid:54)⊃ { health } ]0 , , if I x ∩ I y (cid:54) = 0 , I x (cid:54) = I y and { health } ⊂ I x ∩ I y , if I x = I y and { health } ⊂ I x ∩ I y (4) Checking the similarity of node y competence withthat of a doctor enables computing trust about node y competence, T Skillxy . STEALTH deems the competence ofa doctor as the highest in health and the calculation of T Skillxy is done on a skills taxonomy ( S T ) presented in Fig. 3,based on [36], [38]. Therefore, T Skillxy equals the distance( D ST ) from node y competence ( s y ) relative to the healthcompetence within that taxonomy, and is obtained by (5).In this work, we assume a distance function D ST ( S ) thatreceives as input a competence S from a evaluated node andreturns a value in the range of [0 , . This value indicates thecloseness of informed competence to doctor competence inthe taxonomy S T . The distance function D ST is based onthe measure established by [37] and revised by [39]. Thepossible values of T Skillxy vary in the range [0 , , as in (6). T Skillxy = Sim y (5) T Skillxy = , if s y ∈ { other } ]0 , , if s y / ∈ { other, doctor } , if s y ∈ { doctor } (6) Finally, the trust level of node x over node y ( T xy ) is , whether they are not both health-interested. Otherwise, T xy corresponds to the sum of trust related to their commoninterests, T Ixy , with that derived from node y competence( T Skillxy ), as in (7). When T Ixy > , the values of T xy vary inthe range ]0 , , depending on the values of T Ixy and T Skillxy ,as showed in (4) and (6), respectively. T xy = T Ixy + T Skillxy (7) For example, considering a node x that assesses the trustlevel of a node y , whose competence is caregiver , and bothhold a single interest, health . Employing the skills taxon-omy ( S T ) presented in Fig. 3 and the interest described, Sim s ( caregiver ) will hold a value of 0.28 (i.e., T Skillxy = T Ixy holds value 1, as it’s calculated by (3), since nodesare health-interested only. Hence, through (7), T xy = 0 . . In this module, the
Monitoring component verifies a personhealth condition upon receiving her health status from hersensing system. The medical device, carried by a person,is responsible for identifying a critical event and report-ing to STEALTH. The
Sensitive Data component obtainsthe person sensitive data in an emergency and ensures itsdissemination only under these conditions. The
Availability component verifies the appropriate device to disseminatedata, ensuring that it is the one with the highest healthcompetence. The
Dissemination component coordinates thesensitive data dissemination upon receiving them and theidentification of the appropriate person. This disseminationoccurs through alert messages sent only to people whobelong to the health community of the node and allowingfor its health competence.
Algorithm 2:
Critical Event Management for each node d ∈ D do procedure H ANDLE E MERGENCY E VENT ( ) neighid ← GetHigherScoreNeighbor ( ) neighskill ← GetNeighborSkill ( neighid ) criticaldata ← GetCriticalData ( neighskill ) SendAlert ( neighid, criticaldata ) SendStopAnnounce ( ) end procedure procedure R ECEIVE A LERT ( id, criticaldata ) SendAckAlert ( ) end procedure procedure R ECEIVE S TOP A NNOUCE ( Id ) NL ← RemoveNeighbor ( Id ) end procedure Nodes belonging to a health community support thenodes that represent a person in an emergency, as describedin Algorithm 2. When a critical event occurs with a par-ticular node (i.e., a person entered in an emergency), itverifies the neighbor node with the highest trust level ( l .2)and obtains the appropriate sensitive data from the personin an emergency ( l .3-4). Next, it sends an alert message tothe selected node ( l .5) with its sensitive data. Besides, it an-nounces by broadcast the interruption of its operation ( l .6).Upon receiving an alert message, the node acknowledgesit ( l .9). When a node notices that another node announcesthat is interrupting the operation, it removes the announcernode from its neighbor list ( l .11). Therefore, this reactionprevents a node in an emergency from being selected toreceive sensitive data from other nodes. This section illustrates the operation of the STEALTH sys-tem in an urban environment and demonstrates its con-tribution to the controlled dissemination of sensitive datain an emergency, hence the user can receive a first aid.The illustrative scenario lies in a metropolitan area wheresix people walk down the streets: a nurse, a patient, anexecutive, a police officer, a fireman, and a doctor. Each onehas a profession or ability to perform specific tasks daily.While the doctor is the most health-skilled, the police officer,for instance, has some health knowledge to provide first aid.The patient eventually needs emergency care.All these people are health-interested and do not main-tain relationships with each other. The nurse, the policeofficer, the fireman, and the doctor are health-interestedbecause of their profession. The executive, for example,is health-interested to help people in need. However, thepatient is health-interested to receive some aid. All thosepeople carry mobile devices (i.e., smartphones) to connectto networks. STEALTH runs on these smartphones and it isset to operate. The patient carries a medical device close oron the body to analyze the blood pressure, for instance, andreport to an application installed on the smartphone. Theapplication reports the measured blood pressure values andtheir normality for the patient.People interactions change over time ( t = { , , ..., } )due to their mobility, as illustrated in Fig. 5 left. Theirdevices establish ad hoc networks for data exchange. At t , the device of the patient and his smartphone interactwith other users, as represented by graph G (Fig. 5 right) EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 7
Fig. 5: Interactions over timeTABLE 1: Trust Measurement
Trust Competence doctor Nurse Police Officer T Skill T CoI
T rust
TABLE 2: Simulation settings
Parameters Values and each device forms its health community. The device ofthe patient measures the trust level of neighboring nodesand inserts them into its neighbor list with trust valuesdisplayed in Table 1. On the assumption that the patiententers an emergency at t (i.e., a critical event occurs at t ),STEALTH running on the smartphone of the patient verifiesin his health community that the doctor is the person withthe highest trust, and disseminates the sensitive data to him. ERFORMANCE E VALUATION
This section presents the performance evaluation for avail-ability and reliability in the dissemination of people sensi-tive data in an emergency. The next subsections describe thesimulation settings, scenarios and results.
We employ simulations to evaluate STEALTH using theNS-3 simulator, version 3.28. The environment has in-cluded a Dell Inspiron with Intel(R) Core(TM) [email protected] 64 bits, 8GB RAM. A VM VirtualBox, version5.2.18, r124319, supports a Debian operating system, version9.1, to execute NS-3. Table 2 shows the main simulationsettings. We have conducted analysis in a scenario of 100mobile devices (nodes), following a user mobility modelin an urban environment. These users carry a portableequipment (i.e., smartphone). They had been deployed ina 400 m x 430 m area. Users have walked in this area withspeeds ranging from 0.5 m/s to 2.0 m/s.Users have followed the mobility model introduced in[40], [41]. This is a realistic model implemented in LegionStudio, a pedestrian simulator used for designing large TABLE 3: Distribution of social aspects assigned to nodes
Competence
Doctor 10 Health 20Nurse 15 Music 30Caregiver 20 Tourism 45Other 25 Movies 60Books 15 public spaces. The mobility is based on analytical models,which allow mimic aspects of an individual movement in-cluding personal preferences, surrounding awareness, andperception of behaviors [42]. The mobility patterns followthe least effort principle, where, just like in reality, each entitytries to minimize the dissatisfaction before choosing its nextmove. The employed scenario models the ¨Ostermalm areaof central Stockholm and consists of a grid of interconnectedstreets, where each street is 2 m wide and lengths varybetween 20 m and 200 m. There are 12 passages that connectthe area to the outside world and one assumes that allstreets have equal node arrival rates. Upon arriving at anintersection, nodes continue to move on the same street (ifpossible) with probability of 50% or turn to other adjoiningstreets with equal probability. The mobility trace file con-tains a snapshot of the positions of all nodes every 0.6 sec.The model considers a Poisson arrival process due to theuniform and the truncated normal distributions resemblereality to a higher extent [41].Nodes have established ad hoc networks through trans-mission applying the IEEE 802.11a standard and the UDPtransport protocol. A 50 m radius transmission allows nodescreating communities to the extent that they move. Besides,we configure nodes randomly with social aspects at eachsimulation repetition. They keep a single competence and aset of interests, with a minimum of one and a maximumof five interests. Table 3 presents the distribution of theassigned social aspects to the nodes. We have extendedNS-3 class node to incorporate social attributes to nodes.The guidelines for running the application and its codes,which include STEALTH, the modified NS-3 node class, andmobility traces can be found at GitHub. We label nodes in simulation from 1 to 100. As definedin each scenario, we have performed system behavior eval-uation through four of them: 37, 52, 69, and 70. These nodeskeep the same configuration in all carried-out simulationrepetitions, while the other 97 nodes are randomly config-ured in each simulation repetition. The total simulation timeis 900 s, and the selected nodes come into an emergency at300 sec and 485 sec of a simulation repetition, according tothe evaluated scenario. We assume that all nodes exhibithonest behavior, and there are security mechanisms forvalidating their identities and protecting data transmission.We also consider that people carry a device close to the bodyresponsible for the identification of a critical event and toinform STEALTH. Results correspond to an average of 35repetitions with a 95% confidence interval.
We employ three distinct evaluation scenarios in STEALTHanalysis, as detailed next.
2. https://github.com/agnaldosb/stealth
EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 8
SENACK: Single event, access to sensitive data, nonacknowledgement . Three nodes (i.e., 37, 52, and 70) alwaysbehave in the same way at every repetition. They had beenselected because they move throughout the total simulationtime and travel the longest paths in the selected urbanenvironment. We assign to those nodes the same compe-tence in all repetitions - other - and all possible interests - health, tourism, music, movies, and books . The critical eventsoccur at the simulation time 300 sec, which represents themoment a person enters in an emergency. At this time,nodes have moved intensively and often interact to eachother. Therefore, there was always a neighborhood around.
SEACK: Single event, access to sensitive data, ac-knowledgement . It is similar to SENACK, but the nodethat receives sensitive data must acknowledge it. Whilethis confirmation is not received, nodes in an emergencycontinue to look for neighboring nodes and keep theirhealth community up to date. Nodes stop searching fornew neighboring nodes and receiving new messages whenit receives the acknowledgement or when there is no otherneighboring node in its health community. Critical eventshave occured at 300 sec of the simulation time.
MEACK: Multiple events, access to sensitive data, ac-knowledgement . MEACK is similar to SEACK, except for thenodes in an emergency disseminate their sensitive data anda service priority indicator. This indicator makes it possibledecision-making process about the attending order thatmust be followed by the appropriate entity when receivingsimultaneously sensitive data from multiples persons. Itsan integer value varying from 1 to 4, where 1 indicatesthat a person needs the highest priority in health attending,while 4 is the lowest one. Thus, when multiple nodes arein an emergency and disseminate their sensitive data to asingle node, this node verifies the service priority indicatorsreceived in order to acknowledges in the correct order. Ifthe received indicators holds distinct priorities, the acknowl-edgement occurs in descending order of priority (i.e., fromthe highest to the lowest). Otherwise, the acknowledgementfollow the sensitive data reception order. The nodes selectedto meet this are 52, 69, and 70. A fourth node, 63, isresponsible for receiving data from those nodes. We havechosen these nodes because they were close enough at theinstant 485 sec of the simulation to exchange data. We haveassigned to nodes 52, 69, and 70 the same competence in allrepetitions - other - and all possible interests - health, tourism,music, movies, and books . Node 63 has also received all thesame interests, but a different competence - doctor . Hence,it has achieved the highest trust level within the healthcommunities of the neighboring nodes, increasing its chanceof being selected to receive sensitive data.
We employ specific evaluation metrics aiming to verifythe network behavior and its performance. Therefore, wediscuss the results about the urban pedestrian mobility be-havior through the metric
Average Number of Neighbors ( N N ).The evaluation of data availability provided by STEALTHtakes into account the evolution of health communitiesover time and the Average Number of Health Communities ( N C ). The assessment of data reliability in the disseminationservice follows the metrics: Hit Rate ( HR ), Fault Rate ( F R ), Average Time to Access Sensitive Data ( AT ), and Hit Rate byCompetence ( HR Skill ). Next, all these metrics are described.
Average Number of Neighbors ( N N ): computes the num-ber of nodes belonging to the local area network of a specificnode over time, which represents its neighborhood. N R corresponds to the average of the sum of all node neigh-bors at each time interval, j = t s , when we compute thisneighborhood, and the total number of time intervals, t s ,throughout all repetitions ( N R ). We obtain N N through (8). N N = N R (cid:88) i = 1 t s (cid:88) j = 1 N ij t s × N R (8) Average Number of Health Communities ( N C ) accountsthe average number of communities established by a nodeacross time. N C corresponds to the average of the sum ofall health communities formed by a node throughout allrepetitions ( N R ), as presented in (9). N C = N R (cid:88) i = 1 t s (cid:88) j = 1 C ij t s × N R (9) Hit Rate ( HR ) indicates the rate of success for deliveringdata to the appropriate person. HR corresponds to theratio of the total hits to sensitive data ( A Sucess ) to the totalnumber of times sensitive data available to be accessed( A Disp ), and it’s obtained through (10). HR = A Success A Disp × (10) Fault Rate ( F R ) accounts data disseminated and not ac-cessed by other nodes. It’s the percentage of data protectedin an emergency and calculated by (11).
F R = 100 − HR (11) Hit Rate by Competence ( HR Skill ) is equivalent to HR ,but it evaluates hit rate for each competence individually, ac-cording to competences seen in Table 3. HR Skill is the ratiobetween the hit rate of a single competence, A Skill , and totalhits to sensitive data ( A Sucess ). It’s obtained through (12). HR Skill = A Skill A Success × (12) Average Time to Access Sensitive Data ( AT ) computesthe time to access sensitive data in an emergency. AT corresponds to the sum of the ratio from the time differenceof ( t r ) and the time of their dissemination ( t d ), and the totalof repetitions ( N R ). It’s calculated by (13). AT = N R (cid:88) i = 1 t r ( i ) − t d ( i ) N R (13) This subsection presents the results obtained during the sim-ulations performed for each evaluated scenario. We analyzethem in terms of STEALTH dependability (availability andreliability) and safety (availability). The STEALTH transientstate ended at 25 sec of each repetition. This was the momentthat the system has reached its steady-state performance(i.e., when all nodes were able to send and receive mes-sages). Hence, the transient removal has encompassed thedeletion of results obtained until 25s of each repetition.
EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 9
Fig. 6: Dynamics and size of local networks over time
The applied mobility model comprises pedestrians, andeach node always takes the same path in all simulationrepetitions [43]. The average number of neighboring nodes( N N ) characterizes the model by the nodes previously se-lected in each scenario and Fig. 6 presents their neighbor-hood behavior. We verify the neighborhood evolution alongeach repetition until a determined chosen time until themoment nodes enter in an emergency. Fig. 6 top comparesthe behaviors of the neighborhoods of nodes 37, 52 and 70.While nodes 37 and 52 keep a similar N N in the SENACKand SEACK scenarios, node 70 neighborhood stands out forthe number of nodes. MEACK scenario brings out differentresults, as demonstrates Fig. 6 top right, where Node 69presents a very small neighborhood ( N N = 0 ).The average number of neighbors ( N N ) shows the mo-bility model and indicates the presence of a node neighbor-hood. But, it does not demonstrate neighborhood evolutionacross time. Fig. 6 down show the evolution of the neighbor-hood for nodes 37, 52, 69 and 70 in the evaluated scenarioand in a given simulation repetition. The presence of thenode 70 neighborhood in SENACK scenario, for example,indicates that STEALTH has created local networks aroundthat node for 100% of the time it was active in the simulationrepetition (Fig. 6 down left). The opposite has happenedwith node 69 in scenario MEACK (Fig. 6 down right). Thisnode starts creating local networks around it at 393 sec fromthe beginning of the simulation until 485 sec (i.e., during14.6% of its running simulation time), when it entered inan emergency. In both cases, this behavior results from theemployed mobility model.The moment chosen to an emergency to happeninfluences the node neighborhood size. For instance,Fig. 6 down left shows the node 70 neighborhood composedof 22 nodes at 300 sec of the SENACK scenario. Hence, node70 could disseminate its sensitive data to several neighborsduring an emergency. The MEACK scenario presents a distinct behavior. Fig. 6 down right shows the neighborhoodevolution around nodes 52, 69 and 70. Node 69 establishedlocal networks only at time 393s from the simulation, over . of its uptime until it stops the operation at time485 sec. Hence, it has maintained a tiny neighborhood( N N = 0 ), and at that time, it had only 2 neighbors. In themajority of the simulation time, its mobility takes it awayfrom the other nodes. We evaluate STEALTH availability (i.e., how successfulSTEALTH is in efficiently disseminating people sensitivedata in an emergency.) Fig. 7 top presents system behaviorby synthesizing the average number of health communities( N C ) created over time in each scenario. Although SENACKand SEACK behave similarly, we observe a distinct be-havior in each evaluated scenario. Node 37, for instance,establishes N C = 4 in all simulations in SENACK. Thebest performance in all scenarios was achieved by node70, but in MEACK it stands out for establishing almost 20communities on average in each simulation. This behaviorimproves the system availability for the dissemination ofsensitive data in emergencies. N C characterizes the dynam-ics of established local networks, mainly their topology.As expected, nodes mobility through distinct paths andtheir social aspects - interests - significantly impacts onthe creation of health communities. The dynamics of theevaluated health communities and their size over time in aspecific simulation repetition is depicted in Fig. 7 down. Themobility model made it possible interactions between nodesuntil the moment they entered in an emergency. Resultsshow that STEALTH follows the dynamics of the establishedlocal networks, mainly owing to nodes mobility. STEALTHhas verified changes in the node neighborhood and keepits health communities up to date. In the SENACK andSEACK scenarios, nodes 37, 52, and 70 have maintainedhealth communities for 100% of the time they were active.Over this time, STEALTH was always ready to disseminate EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 10
Fig. 7: Availability of health communities over timenode sensitive data, because there were other nodes assist-ing them. In the MEACK scenario, one observes a distinctbehavior, as shown in Fig. 7 right. Node 52 keeps healthcommunities over 93.39% of the time it was active. Uponentering an emergency, it has created a community witha couple of its neighbors, and successfully disseminatedits sensitive data. Node 69 maintains a distinct behaviorand keeps communities only over 11.30% of the time untilit enters an emergency, Finally, we observe that node 70has maintained health communities the longest, 98.26%. Inall scenarios, STEALTH has identified node neighborhoodsacross the time. It successfully creates health communitiesand keeps them available to support a sensitive data dis-semination in an emergency.The size of communities is smaller than or equal tothe size of the neighborhood at the same instant of time.Health communities contemplate nodes around who arehealth-interested. Node 69 had been in a critical condition inMEACK scenario. It has created its first health communityonly at the time 393s, (Fig. 7 – right). Until that moment,node 69 could not disseminate its sensitive data.
We analyze the STEALTH reliability in disseminating sensi-tive data from people in an emergency, We have conductedthis analysis by evaluating the behavior of nodes 37, 52, 69,and 70 in each evaluated scenario. In the SENACK scenario,Table 4 shows that node 70 successfully disseminates ( HR )its sensitive data in 100% of the emergencies throughout allrepetitions. Nodes 37 and 52 have achieved a slighter differ-ence in results than node 70, when they have disseminatedtheir sensitive data in 97.14% and 94.29% of emergencies,respectively. In the SEACK scenario, node 70 was successfulin 85.71% of emergencies. Although all nodes in the MEACKscenario were 100% successful in disseminating their data,this result was expected given the chosen emergency time.Grouping nodes in CoIs impacts on hit rate ( HR ), becauseclusters ensure the dissemination of sensitive data to specificnodes inside the community. We observe the importance TABLE 4: Data dissemination Scenario SENACK SEACK MEACKMetric HR (%) F R (%) HR (%) F R (%) HR (%) F R (%)
Node
37 97.14 2.86 74.29 - -52 94.29 5.71 77.14 22.86
069 - - - - TABLE 5: Latency in access to disseminated data
Average Time to Access Sensitive Data (ms)
Scenario SENACK SEACK MEACKNode < < -52 2.5 3
69 - - <
70 17 of CoI in controlling data dissemination through the faultrate ( F R ) metric. In the SEACK scenario, the sensitive datafrom node 37 was successfully accessed by other nodes in25.71% of emergencies. This behavior is due to the lack of ahealth community at these moments, or the disruption of itsconnection to other nodes due to their mobility.The cost to access the sensitive data, disseminated overtime, is represented by the average time to access it ( AT ),which is influenced by the dynamics of the established localarea networks. Table 5 shows that the results mostly meetthe IEEE maximum latency for medical alert delivery - 125ms [8]. In the SENACK and SEACK scenarios, nodes havepromptly accessed sensitive data from node 37 ( AT < interests and competences ) in associa-tion with CoIs allow to assess the trust level of nodes andenable controlling their sensitive data dissemination. This
EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 11
TABLE 6: Dissemination control
Scenario SENACK SEACK MEACKNode
37 52 70 37 52 70 52 69 70 HR Skill
Doctor 44.12 81.82
100 100 100
Nurse 32.35 18.18 8.57 7.69 30 13.63 0 0 0Caregiver 23.53 0 0 7.69 16.67 36.36 0 0 0Other 0 0 0 dissemination occurs only to nodes belonging to a healthcommunity and in light of the node competence (Table 3).This process succeeds under a zero-knowledge condition (i.e.,regardless node previous interactions). The relevance ofthe node competence is evaluated by the metric successfulaccess to data by competence ( HR Skill ), as shown in Table 6.In the SEACK scenario, 76.92% of the total sensitive datadissemination went to nodes with other competences. In50% of sensitive data dissemination from node 52, therewas a node with doctor competence to access its data. Thisbehavior indicates that in 50% of emergencies, STEALTHfound out the presence of at least one doctor in the availablehealth community. The success observed in the MEACKscenario (100% of data disseminated to nodes with doctorcompetence) is expected since both competences and emer-gency time contribute to this.The network topology of the SENACK scenario in onespecific simulation is depicted in Fig. 8. We observe theneighborhood of the evaluated nodes and their health com-munity. There was only one neighbor inside node 37 healthcommunity (i.e., node 50) who held the nurse competence(Fig. 8 left). As nodes 3, 35, and 56 were not health-interested, node 37 has disseminated its sensitive data tonode 50. The node 52 neighborhood was more significantand impacted in its health community size. This conditionhas increased the likelihood of node 52 health commu-nity having members with different skills, as shown inFig. 8 middle. There are two nodes with doctor competence(i.e., nodes 60 and 62), the first one was the appropriate toaccess sensitive data from node 52. Although both possessthe same competence, their interests were distinct. Thenumber of interests in common between nodes 60 and 52is greater than between 60 and 62. Hence, node 60 achievesa higher trust level and it is selected. Something similarhappens to node 70, which its neighborhood is the biggest(Fig. 8 right). However, its health community comprisesonly two neighboring nodes (i.e., nodes 13 and 89), and theyboth possess the other competence. Hence, the selection ofthe node to disseminate the sensitive data occurs based onthe number of common interests they had each other. In thiscase, node 13 is selected. Sensitive data is disseminated ina controlled manner, with no exposure of the data to unau-thorized people. The decision-making process for choosingnodes to disseminate data is similar in the other scenarios.
ONCLUSION AND FUTURE WORK
This article presented STEALTH, a system for disseminatingsensitive health data in a controlled manner in dynamicwireless local area networks. It builds virtual clusters takinginto account communities of interest and it employs socialtrust to enable the devices to decide on data disseminationunder an emergency. Simulation results from realistic sce-nario have shown STEALTH ability to ensure the dissemina- tion of sensitive data. STEALTH has achieved a reliability ofup to 97.14% in the access to disseminated data, a maximumlatency of 170 ms, and up to 100% of availability. As futurework, the reliability in decision-making will be contrastedunder security threats and simultaneous severe events tocomplement the safety vision presented in this work. R EFERENCES
IEEE Transactions on Mobile Computing , vol. 7, no. 6, pp. 792–804,2008.[3] R. B. Vivekavardhana and K. R. Sudhindra, “Survey of Trust Mod-els in Wireless Sensor Networks,”
International Journal of AdvancedInformation Science and Technology (IJAIST) , vol. 31, no. 31, 2014.[4] V. Umarani and K. S. Sundaram, “Survey of various trust modelsand their behavior in wireless sensor networks,”
InternationalJournal of Emerging Technology and Advanced Engineering , vol. 3,no. 10, pp. 180–188, 2013.[5] A. J. Ruiz-Ruiz, H. Blunck, T. S. Prentow, A. Stisen, and M. B.Kjærgaard, “Analysis methods for extracting knowledge fromlarge-scale wifi monitoring to inform building facility planning,”in
PerCom 2014 . IEEE, 2014, pp. 130–138.[6] D. Mozaffarian, E. J. Benjamin, A. S. Go, D. K. Arnett, M. J.Blaha, M. Cushman, S. De Ferranti, J.-P. Despr´es, H. J. Fullerton,V. J. Howard et al. , “Executive summary: heart disease and strokestatistics—2015 update: a report from the american heart associa-tion,” circulation , vol. 131, no. 4, pp. 434–441, 2015.[7] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Ja-malipour, “Wireless body area networks: A survey,”
IEEE Commu-nications surveys & tutorials , vol. 16, no. 3, pp. 1658–1686, 2014.[8] I. S. Association et al. , “802.15. 6-2012 IEEE Standards for Localand Metropolitan Area Networks–Part 15.6: Wireless Body AreaNetworks,” pp. 1–271, 2012.[9] B. Latr´e, B. Braem, I. Moerman, C. Blondia, and P. Demeester, “Asurvey on wireless body area networks,”
Wireless Networks , vol. 17,no. 1, pp. 1–18, 2011.[10] H. Al-Hamadi and R. Chen, “Trust-based decision making forhealth IoT systems,”
IEEE Internet of Things Journal , vol. 4, no. 5,pp. 1408–1419, 2017.[11] F. Bao, R. Chen, and J. Guo, “Scalable, adaptive and survivabletrust management for community of interest based Internet ofThings systems,” in
ISADS 2013 , 2013, pp. 1–7.[12] Y. Wang, R. Chen, J.-H. Cho, and J. J. Tsai, “Trust-based task assign-ment with multiobjective optimization in service-oriented ad hocnetworks,”
IEEE Transactions on Network and Service Management ,vol. 14, no. 1, pp. 217–232, 2017.[13] E. Vasilomanolakis, J. H. Wolf, L. B¨ock, S. Karuppayah, andM. M ¨uhlh¨auser, “I Trust my Zombies: A Trust-enabled Botnet,”
CoRR , vol. abs/1712.03713, 2017.[14] U. Feige, A. Fiat, and A. Shamir, “Zero-knowledge proofs ofidentity,”
Journal of cryptology , vol. 1, no. 2, pp. 77–94, 1988.[15] L. Zamora, N. Suzuki, and S. Kashihara,
SOS Message Distributionfor Searching Disaster Victims . BoD–Books on Demand, 11 2017.[16] D. Wood, N. Apthorpe, and N. Feamster, “Cleartext data transmis-sions in consumer iot medical devices,” in
Proceedings of the 2017Workshop on Internet of Things Security and Privacy . ACM, 2017,pp. 7–12.[17] A. Bujari, “A survey of opportunistic data gathering and dis-semination techniques,” in . IEEE, 2014, pp.2420–2425.[20] L. Wallgren, S. Raza, and T. Voigt, “Routing attacks and counter-measures in the rpl-based internet of things,”
International Journalof Distributed Sensor Networks , vol. 9, no. 8, p. 794326, 2013.
EEE TRANSACTIONS ON MOBILE COMPUTING, VOL. [], NO. [], MONTH YEAR 12
Fig. 8: SENACK scenario: Nodes 37, 52 and 70 health communities on a critical event at 300 sec of Simulation [21] W. Liu, K. Nakauchi, and Y. Shoji, “A neighbor-based probabilisticbroadcast protocol for data dissemination in mobile iot networks,”
IEEE Access , vol. 6, pp. 12 260–12 268, 2018.[22] G. Daneels, E. Municio, K. Spaey, G. Vandewiele, A. Dejonghe,F. Ongenae, S. Latr´e, and J. Famaey, “Real-time data disseminationand analytics platform for challenging iot environments,” in . IEEE,2017, pp. 23–30.[23] P. Gonizzi, G. Ferrari, V. Gay, and J. Leguay, “Data disseminationscheme for distributed storage for iot observation systems at largescale,”
Information Fusion , vol. 22, pp. 16–25, 2015.[24] J.-H. Cho, K. Chan, and S. Adali, “A survey on trust modeling,”
ACM Computing Surveys , vol. 48, no. 2, p. 28, 2015.[25] N. B. Truong, H. Lee, B. Askwith, and G. M. Lee, “Toward a trustevaluation mechanism in the social internet of things,”
Sensors ,vol. 17, no. 6, p. 1346, 2017.[26] J. Guo, R. Chen, and J. J. Tsai, “A survey of trust computationmodels for service management in internet of things systems,”
Computer Communications , vol. 97, pp. 1–14, 2017.[27] X. Zuo and A. Iamnitchi, “A survey of socially aware peer-to-peersystems,”
ACM Computing Surveys , vol. 49, no. 1, p. 9, 2016.[28] C. Cervantes, D. Poplade, M. Nogueira, and A. Santos, “Detectionof sinkhole attacks for supporting secure routing on 6LoWPANfor Internet of Things,” in
IFIP/IEEE International Symposium onIntegrated Network Management , 2015, pp. 606–611.[29] H. Son, N. Kang, B. Gwak, and D. Lee, “An Adaptive IoT TrustEstimation Scheme Combining Interaction History and Stereotyp-ical Reputation,” in , 2017, pp. 349–352.[30] F. Bao and I.-R. Chen, “Dynamic trust management for internet ofthings applications,” in
ACM Proceedings of the 2012 internationalworkshop on Self-aware internet of things, 2012 , 2012, pp. 1–6.[31] F. Bao and R. Chen, “Trust management for the internet of thingsand its application to service composition,” in
WoWMoM 2012 ,2012, pp. 1–6.[32] T. Nguyen, D. Hoang, and A. Seneviratne, “Challenge-responsetrust assessment model for personal space IoT,” in
IEEE In-ternational Conference on Pervasive Computing and CommunicationWorkshops (PerCom Workshops), 2016 , 2016, pp. 1–6.[33] H.-K. Oh, J.-W. Kim, S.-W. Kim, and K. Lee, “A unified frameworkof trust prediction based on message passing,”
Cluster Computing ,pp. 1–13, 2018.[34] M. Coscia, F. Giannotti, and D. Pedreschi, “A classification forcommunity discovery methods in complex networks,”
StatisticalAnalysis and Data Mining , vol. 4, no. 5, pp. 512–546, 2011.[35] G. Rossetti and R. Cazabet, “Community discovery in dynamicnetworks: a survey,”
ACM Computing Surveys , vol. 51, no. 2, p. 35,2018.[36] B. Carminati, E. Ferrari, and M. Guglielmi, “Detection of Un-specified Emergencies for Controlled Information Sharing,”
IEEETransactions on Dependable and Secure Computing , vol. 13, no. 6, pp.630–643, 2016.[37] Z. Wu and M. Palmer, “Verbs semantics and lexical selection,”in
ACM Proceedings of the 32nd annual meeting on Association forComputational Linguistics, 1994 , 1994, pp. 133–138.[38] S. Mohammad and G. Hirst, “Distributional Measures of SemanticDistance: A Survey,”
CoRR , vol. abs/1203.1858, 2012.[39] P. Resnik, “Semantic similarity in a taxonomy: An information-based measure and its application to problems of ambiguity innatural language,”
Journal of artificial intelligence research , vol. 11,pp. 95–130, 1999. [40] ´O. Helgason, S. T. Kouyoumdjieva, and G. Karlsson, “Oppor-tunistic communication and human mobility,”
IEEE Transactionson Mobile Computing , vol. 13, no. 7, pp. 1597–1610, 2014.[41] ——, “Does mobility matter?” in
Agnaldo de Souza Batista received the B.E.degree from Catholic University of Pelotas,Brazil, and is Master M.S. in Informatics fromFederal University of Parana (UFPR). He is nowpursuing his Ph.D. degree in computer scienceat UFPR. His research interests are robust sys-tems, data security, wireless networking, Internetof Things (IoT), e-health, and management ofcritical events, Agnaldo is member of BrazilianComputer Society (SBC).
Michele Nogueira is professor of computer sci-ence at Federal University of Parana, where shehas been since 2010. She received her doc-torate in computer science from the UniversityPierre et Marie Curie – Sorbonne Universites,Laboratoire d’Informatique de Paris VI (LIP6) in2009. She was a Visiting Researcher at GeorgiaInstitute Technology (GeorgiaTech) and a Visit-ing Professor at University Paul Sabatier in 2009and 2013, respectively. Her research interestsinclude wireless networks, security and depend-ability. She has been a recipient of Academic Scholarships from Brazil-ian Government on her undergraduate and graduate years, and of inter-national grants such as from the ACM SIGCOMM Geodiversity program.She is also Associate Technical Editor for the IEEE CommunicationsMagazine and the Journal of Network and Systems Management.