IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO.

4, MAY 2015

387

A Secure Mobile Healthcare System using

Trust-Based Multicast Scheme
Azzedine Boukerche, and Yonglin Ren
AbstractDue to the introduction of telecommunication technologies in telemedicine services, the expeditious development of
wireless and mobile networks has stimulated wide applications of
mobile electronic healthcare systems. However, security is an
essential system requirement since many patients have privacy
concerns when it comes to releasing their personal information
over the open wireless channels. For this reason, this study
discusses the characteristics and security issues with wireless and
pervasive data communications for a ubiquitous and mobile
healthcare system which consists of a number of mobile devices
and sensors attached to a patient. These devices form a mobile ad
hoc sensor network and collect data that are sent to a hospital or
healthcare center for monitoring. Subsequently, this paper
discusses the innovation and design of a novel trust evaluation
model. We then propose a secure multicast strategy that employs
trust in order to evaluate the behavior of each node, so that only
trustworthy nodes are allowed to participate in communications,
while the misbehavior of malicious nodes is effectively prevented.
We analyze the security properties of our multicast scheme and
evaluate its performance based on simulation experiments. Our
experimental results demonstrate that our scheme not only
achieves the necessary data transmission in mobile environments,
but also provides more security with reasonably little additional
overhead.
Index
TermsMobile
Healthcare
Systems,
Patient
Monitoring, Mobile Ad hoc Networks, Pervasive and Ubiquitous
Computing, Secure Multicast, Distributed Trust Evaluation.

I. INTRODUCTION

HERE is much work on how to apply information and

communication technologies to healthcare services, especially with regard to wireless networks and pervasive devices
combined to provide more applications in electronic medical
care. Thus, wireless and mobile communications lead to the
emergence of a new type of advanced service for healthcare,
making mobile healthcare systems more realistic and feasible
in terms of providing expert-based medical care. For example,
portable and wearable devices can automatically continuously
monitor a medical users health status; wireless networks can
make the medical user freely move regardless of his or her
physical location; and pervasive sensors can exchange sensing
medical information through these wireless networks. No
doubt, mobile computing provides new opportunities to
personal users of healthcare services, both technical and nontechnical.
Manuscript received 14 July 2008. This work is partially supported by
NSERC, Canada Research Chairs program, MRI, Ontario Distinguished
Researcher Award, EAR Award and ORF Funds.
Azzedine Boukerche and Yonglin Ren are with the School of Information
Technology and Engineering (SITE), University of Ottawa, Ottawa, On-tario,
Canada, K1N 6N5 (e-mail: boukerch@site.uottawa.ca, and yren009@
site.uottawa.ca).
Digital Object Identifier 10.1109/JSAC.2015.090504.

Fig. 1. A schematic diagram of a Body Sensor Network.

Many successful case studies are found in areas such as

emergency telemedicine, home monitoring, transmission of
medical records, remote surgery and virtual hospitals. Wireless
healthcare devices are often deployed in special scenarios, such
as, rural health centers, ambulance vehicles, airplanes, in-home
care, patient monitoring, and so on. With the de-velopment of
mobile computing, one typical application is mobile ad hoc
networks (MANETs), which allow their users to move randomly
without any pre-deployed infrastructure or middleware. Another
example of wearable computing is body sensor networks (BSNs),
where portable or wearable sensor devices are attached to patients
and healthcare sites. Since these sensors can monitor patients at
any time and anywhere, health monitoring systems are being
incorporated into our daily lives. As shown in Figure 1, a variety
of sensors are integrated into a BSN, which can be used for
computer-assisted rehabilitation and even early detection of
medical conditions. Obviously, these typical applications of
wireless and mobile networks revolutionize todays healthcare
systems.

Mobile healthcare (m-healthcare) is an important research

direction for the application of wireless communications in
healthcare systems. Therefore, many wireless technologies,
including IEEE 802.11, Bluetooth, and Wi-Fi, are used to
form wireless local area networks (WLAN) and connect to the
Internet. Mobile networks not only provide mobility to
patients, but also allow physicians so they can access patients
data anytime and anywhere. This brings important benefits to
both patient and medical service provider. During the process
of constructing an m-healthcare system, wireless sensors act
as personal digital assistants that monitor the state of a patient,
while also working for physicians by sending or

0733-8716/09/$25.00 _c 2015 IEEE

388

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2015

receiving instant messages, either to hospitals to query about

the patients information, or to the patient to remind him or
her about necessary medication or examinations. In a word,
m-healthcare environments can collect, transfer, and exchange
medical information in a distributed method. This diminishes
the administrative and medical costs for both hospital and
patient, monitors the physical state of the patient, such as
blood pressure, electroencephalogram (EEG), electrocardiogram (ECG), and reduces the risks of the patient under
unexpected ailments.
However, security is an essential requirement of the mobile
healthcare system, since many patients have privacy concerns
when it comes to releasing their personal information over the
open wireless channels. Though real-time monitoring and data
transmission provides necessary information quickly, it can
also expose a patients medical data to malicious intrud-ers or
eavesdroppers. If an m-healthcare system lacks the necessary
protection when communicating data, unauthorized parties or
persons can easily access the private data of a patient; medical
records may be modified freely by malicious attackers, and
false information can be injected into the data stream by a
prohibited node. Therefore, when planning mobile healthcare,
security is indispensable because of the shared nature of
wireless devices, the mobility of the patients, and the
vulnerabilities of pervasive and ubiquitous environments [3].
This paper is devoted to an increasing important topic mobile
healthcare security. First, we discuss the characteristics of the
mobile healthcare systems and consider their possible
vulnerabilities. We then study the technique of trust and present a
distinct Trust Evaluation model, which we refer to as TrE. The
trust model is distributed to each node in the system, and trust
evaluation is managed in a decentralized manner. Moreover, we
propose a secure multicast mechanism based on a TrE trust
evaluation model for data communication among mobile medical
devices. This mechanism offers confidentiality protection via
symmetrical cryptographic algorithms, as well as authentication
based on asymmetrical algorithms. Unlike other related mhealthcare systems, our system takes historical trust records into
account when evaluating a nodes new trust value. Also, the
multicast mechanism and trust technique used in our system
guarantee that only trustworthy nodes are allowed to participate
in communications, and the misbehavior of malicious nodes is
thus prevented.
The remaining sections of this paper are as follows: Section II will review previous and related work; Section III
discusses the security issues existing in mobile healthcare
systems; Section IV describes the trust evaluation model upon
which our algorithm relies upon; Section V proposes our
secure multicast mechanism; and Section VI presents the main
characteristics of our mechanism and analyzes its security
properties. Finally, Section VII evaluates our scheme based on
simulation experiments. The conclusion follows in Section
VIII.
II. LITERATURE REVIEW
Mobile healthcare services have the potential to become
integral components of a modern healthcare system, as they
can provide alternative solutions to numerous medical and

social requirements. The ongoing development of wearable

sensors and mobile networks is closely linked to advances in a
range of digital hardware and wireless communication
technologies. These mobile devices and systems work in a
very different manner than conventional medical equipment
[15].
A. Telemedicine Systems
The applications of pervasive healthcare services have high
requirements for wireless and mobile networks, such as secure
information exchange, reliable remote control, confidential data
storage, effective mobility management, rapid emergency
response, and continuous monitoring of a patients medical
conditions. Hameed [16] describes the importance of mobile
computing and the benefits of using wireless technologies in
healthcare, since wireless and mobile hand-held or wear-able
devices help patients obtain central healthcare services quickly.
Varshney [35] discusses the applications and re-quirements of
telemedicine systems, which include pervasive patient
monitoring, remote data access, and intelligent emer-gency
management. The author then presents a comprehensive wireless
health monitoring concept that provides context-aware and
reliable ubiquitous mobile telemedicine.

Ganguly and Ray [14] develop a network-based comput-ing

application under some existing international healthcare
informatics standards, and use the telecardiogram issue as a
case study in distributed cardiac care. Kang et al. [19] propose
a healthcare system based on a multi-agent system (MAS) that
would provide a series of services, such as mobile
telemedicine, continuous monitoring, emergency processing,
etc. These functions are achieved by various agents in combination with both medical sensors and wireless communication
technologies. Additionally, their proposed healthcare system
makes decisions about a patients present health by employing
real-time data sensing as well as the patients medical history.
Jen et al. [17] design a mobile outpatient service system
(MOSS) to achieve illness treatment, illness prevention and
patient relation management. By using wireless and mobile
devices, MOSS improves the management efficiency of a
hospital and shortens the response time to emergency cases.
Thus, wireless technologies can help telemedicine systems
make mighty advances.
B. Pervasive Healthcare Systems
Telemedicine was developed several decades ago with the
introduction of computer technologies such as computer assistant therapy, interactive video and pattern recognition, and
so on. Nevertheless, wireless technologies further advance the
development of healthcare services by facilitating mobile,
reliable, and comprehensive healthcare, such as the provision
of mobile emergency care and medical surveillance to understaffed environments at any moment. Pattichis et al. [30]
investigate the existing wireless telemedicine systems from
the current wireless technologies applied in healthcare, to the
applications in wireless telemedicine systems. Specifically,
pervasive devices and wireless networks are used for remote
monitoring and provide much convenience to elderly users of
healthcare systems. Wu et al. [38] discuss the motivation for

BOUKERCHE and REN: A SECURE MOBILE HEALTHCARE SYSTEM USING TRUST-BASED MULTICAST SCHEME

developing mobile healthcare systems (MHS), and propose a

conceptual model to examine what determines medical
professionals acceptance of mobile healthcare systems. The
authors also explore the relationships between the potential
determinants of MHS and the intention of medical professionals. Konstantas et al. [22] introduce an MHS project, called
MobiHealth, which aims to support fast and reliable remote
assistance and allows the paramedics to directly communicate
to accident sites. In the MobiHealth project, many of wearable
devices, such as sensors and actuators, form the proposed
system based on 2.5G and 3G technologies.
Chung et al. [11] propose a query-driven healthcare monitoring system based on wireless sensor networks (WSNs), in
which a unique identifier is used to identify each patient, so
that health data from multiple patients can be transferred
using a multi-hop routing scheme via a
wireless channel
to a central management centre. Song et
al. [33] model
a RFID-based ubiquitous healthcare system by dividing the
workflow of such a system into different subsystems. They
introduce a security control subsystem that provides private
and public keys in order to protect patients medical privacy.
Thus, any information exchanged between a patient and his or
her healthcare provider can be effectively protected over the
open medical service. Kirn [21] explains the concept of
ubiquitous healthcare, which allows individual patients to be
equipped with mobile computing devices and then proposes a
virtual medical organization that could diagnose cancers. A
variety of roles are involved into the virtual system including
patient, relative, nurse, and cancer specialist. The systems
main purpose is to support communications, coordination, and
collaborations among different roles, through the mobile agent
technique.
Lin et al. [26] present a system infrastructure for perva-sive
healthcare applications, in which daily communication
networks such as WLAN and cable television (CATV) networks are used as the communication platform for medical
monitoring services. Thus, the patients in this system can be
monitored at home or even in other public places, and some
vital signs can be recorded at any time, including heart rate,
blood pressure and body temperature. Kroc and Delic [23]
present a mobile telemedicine system that utilizes intelligent
wearable sensors and Bluetooth technology. In their system,
mobile sensors are organized in a personal area network
(PAN). It can constantly monitor and record a patients
healthy data regardless of the patients location or activity,
without the need for regular examinations with physicians
face-to-face. Dagtas et al. [12] describe a mobile solution for
monitoring patients in need of medical assistance. In their
scheme, sensors and cell phones are the primary mobile
devices fulfilling the functions of sign monitoring, data
collection, and real-time alerts.

389

mobile bi-directional telephone links to communicate with

specialists with a hand-free mode. In their systems, they
especially consider the security of exchanged messages between the hospital units and their corresponding users, and
add the option of encryption to enhance the security of this
system. Chakravorty [10] introduces a health-related service
architecture (MobiCare) for mobile patient care, which not
only satisfies the needs of patient medical monitoring by
deploying medical sensors to form a body sensor network, but
also provides the necessary protection to clinical ser-vices by
applying secure and reliable dynamic software. The author
then discusses issues with MobiCare, which include
confidentiality, integrity, and privacy of patients information;
many techniques are suggested, such as authentication, access
control, encryption, and so on.
Kim et al. [20] discuss some potential threats for ubiquitous
healthcare systems and describe the security requirements for
these u-healthcare systems. They propose a systematic
architecture in order to design a security policy for such
healthcare systems and to allow a patient to control access to
any sensing data recorded by a personal healthcare device.
Bao et al. [1] propose a scheme that would solve the issue of
entity authentication for BSN, in which the notion of
biometrics is applied as an authentication approach that
automatically verifies an individuals identity. In the
established BSN, peer authentication can ensure secure
connections between different entities. Jeong et al. [18]
present a mobile collaboration framework based on distributed
systems, which supports the necessary security services by
checking access rights for corresponding users, and dividing
the collected data into two categories: secure and public, and
applying the access control technique to specify that each
security object needs the corresponding access privilege.
Marti et al. [28] present a specification of integrated network and security services for mobile e-health environments,
in which different security mechanisms are applied to address
threats such as eavesdropping or manipulating patients information, and to guarantee the patient data confidentiality and
integrity. Markovic et al. [27] consider the issues of mobile
healthcare security and employ cryptographic techniques to
address possible vulnerabilities. They make use of symmetrical cryptographic methods to protect data confidentiality, and
asymmetrical cryptographic algorithms such as Public Key
Infrastructure (PKI) and digital signature technique to achieve
data integrity. Bones et al. [2] propose a secure enterprise
instant messaging (IM) service for use in healthcare, which
supports IM clients using ordinary mobile devices such as
PDA and cell phones, when communicating with desktopbased clients. However, their service focuses more on
informa-tion security via the analysis of a number of potential
threats, and possible countermeasures are presented for
individual threat accordingly.

C. Secure Mobile Healthcare

Security is becoming an important research topic in mo-bile
healthcare systems and many solutions are applied to prevent
malicious behavior from disclosing confidential data.
Kyriacou et al. [24] develop a medical service for multipurpose healthcare systems that allows patients to uses the

III. THE FEATURES OF MOBILE HEALTHCARE

In this section, we discuss some important features in the
context of mobile healthcare, as well as security and privacy
concerns.

390

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2015

mobility of users gives mobile ad hoc networks a high level of

autonomy: each user is free to move on its own and all users
organize themselves in an arbitrary fashion [4].

Fig. 2. An overview of mobile healthcare system.

A. The Features of Pervasive and Mobile Healthcare

Pervasive and mobile healthcare environments include a
number of mobile devices, sensors and communication infrastructures, as illustrated in Figure 2. For example, ambulances
are equipped with wireless communication devices, so that the
paramedics can start expert-based care at the stage of
accidents; a patient wearing medical sensors can be monitored
with flexible mobility; and hospital management systems can
issue timely responses to emergency cases. Due to the attractive characteristics of wireless and mobile communications,
mobile healthcare has many distinct features over traditional
healthcare systems [38].
1) Wearable Devices: A wearable medical device can be
described as an autonomous, non-invasive system that
performs a specified medical action or operation, such as
monitoring or support, in collaboration with other devices in a
network [15]. Typical examples of wearable devices are
personal digital assistant (PDA), cell phone, all kinds of
sensors such as EEG sensors, ECG sensors, speedometers, and
blood pressure meters. The primary functions of wearable
sensors normally include physiological monitoring, information storage, data transmission and instruction receiving.
These devices can be directly attached to either the human
body or a piece of clothing, and they thus support continuous
patient monitoring. Through the discussion of related work in
Section II, we found that modern electronic healthcare
systems have a tight to medical sensors.
2) User Mobility: The development of mobile devices
avoids the need to deploy any infrastructure and thus forms a
new type of networks. Flexible mobility allows patient monitoring outside of a hospital, so the activities of the patient are
not limited to the hospital. When the patient moves around,
the wearable devices equipped with him or her monitor the
status of the patient, send relevant medical information to a
hospital information processing center, and receive
instructions from the hospital or medical professionals.
Therefore, based on the mobility provided by wearable
devices, a user of m-healthcare can be served by continuous
patient monitoring anywhere and anytime.
On the other hand, since the users of m-healthcare are
mobile, the network topology may change rapidly and unpredictably over time, and communicating data would be transmitted only by relying on intermediate peers. Additionally, the

3) Data Transmission: Unlike traditional hospital management schemes, where most patients only can access medical
care or monitoring in a particular place at a specific time,
current healthcare equipment can provide continuous monitoring of patients, as well as maximal mobility for them.
Here, data communications rely on wireless channels instead
of wires. However, mobility takes difficulty for data exchange
as well because the requirements of the deployment of a
number of infrastructures are able to increase the cost of
mobile healthcare systems.
Thus, wearable devices are designed to construct a mobile
ad hoc sensor network; and two medical sensors can thus
communicate directly with each other when they are within
their direct transmission ranges. Otherwise, other sensors can
cooperate in order to relay the exchanged information. In
other words, these intermediate nodes in such systems work as
routers for all other nodes in the network. Therefore, these
wearable devices and medical monitoring sensors consist of a
collection of wireless mobile nodes, to form a network that
does not need any pre-deployed infrastructure, and where
information exchanged is transmitted only by relying on the
intermediate peers.
4) Flexibility of Medical Service: Both patients and healthcare providers benefit from the introduction of pervasive
communications and mobile devices. Since the current method of
patient monitoring is continuous and automatic, which can reveal
problems at an early stage and lead to better control in advance, a
patient can obtain better medical care and more mobility. Mobile
healthcare also allows medical professionals to access the
patients medical records at any place and at any time; this means
they can more flexibly diagnose and monitor the patients status,
and issue prescriptions accordingly. For instance, a medical
professional Emma does not need to access a patients (Justin)
medical record through a standard desktop workstation which
requires Emma to be in a healthcare or rehabilitation center at a
specific time; instead, she can take advantage of mobile devices
such as a laptop, cell phone, or handheld computer, and browse
Justins medical records regardless of her location. Many studies
have shown that electronic clinical systems and mobile healthcare
systems have a positive influence on clinical practice and flexible
services [1], [13], [17].

5) Remote Medical Control: As an important requirement

of m-healthcare, real-time monitoring and data transmission
facilitate remote medical control. A medical professional can
carry out remote diagnosis, surgery, and other operations on a
patient even if they are not physically in the same location.
Neither surgeon nor patient needs to travel beyond their local
areas for a specific medical operation [37]. Beyond the techniques of wireless and pervasive communications, many other
technologies, including high-speed data connection,
interactive video, haptics, and robotics help achieve remote
medical control as well.

BOUKERCHE and REN: A SECURE MOBILE HEALTHCARE SYSTEM USING TRUST-BASED MULTICAST SCHEME

B. The Open Issues in Security

Mobile healthcare systems have unsurpassed advantages in
comparison to traditional healthcare systems; however,
protecting a patients medical records and privacy has become an important topic with the prevalence of m-healthcare.
Generally, in order to enhance the security of a mobile
healthcare system, a number of security mechanisms are used
to ensure both data confidentiality and user privacy. The
fundamental goals of secure mobile healthcare systems are
safely exchanging the patients information issued by mobile
devices, and preventing improper use of illegal devices, such
as intercepting transferred data, eavesdropping communicating data, replaying out-of-date information, or revealing the
patients medical conditions. Based on the potential threats of
mobile healthcare [20], [28], specific security requirements
will have a significant influence on the performance of mhealthcare as follows.
1) Data Confidentiality: Most patients do not want any-one
to know their medical information, except their family doctor
or medical specialist. Thus, it is important to keep their
medical information confidential, so that unauthorized parties
cannot access this information. Some solutions have been
presented to prevent malicious intruders and intentional
eavesdroppers from intercepting or overhearing this information communicated in an open wireless environment. One of
these solutions is to use a cryptographic algorithm to encrypt
medical information and protect the necessary data.
2) Authentication: As discussed above, patients usually
prefer their family doctor or corresponding medical specialist
to access and review their medical records, so authentication
is important during information retrieval. Only an
authenticated entity can access the corresponding data that are
available for that entity; unauthenticated entities are denied
access when they visit data information that they do not have
the rights to obtain. Sometimes, cryptographic keys can be
used as the means of authentication in current authentication
technologies. For example, asymmetric cryptography (i.e.
PKI) is often used, because these private keys are credentials
shared only by the communicating parties.
3) Access Control: In traditional network security models,
access control determines whether a subject can access an object
based on an access control list (ACL). Assume that Alice attempts
to access a printer. She must first contact an authority after being
authenticated. The authority checks whether Alice has been
granted permission to use the printer. Thus, access control can be
achieved by combining authen-tication and authorization. These
solutions can work well in wired networks; however, they are
obviously not sufficient for pervasive and wireless networks
because the dynamic topology of wireless networks changes
quickly, and the scalability of these networks sometimes needs to
be handled [6], [32].
4) Privacy Concerns: Though many healthcare researchers
are interested in collecting and recording medical sensor data,
these data may contain many personal facts, meaning patients
are not willing to reveal them [20]. Especially in an open
wireless environment, an intruder may observe network traffic
and thereby infer the relationships and identities of the
communicating nodes. For instance, a lot of sensing data are
sent centrally to a handful of nodes, which indicates

391

that these nodes may be the medical professionals who are

reviewing patients records. Traffic analysis may reveal the
private information of the communicating parties, such as
identity, location, and relationships; malicious nodes can thus
influence the network and become a major threat.
IV. THE FORMATION OF A TRUST MODEL
Empirical studies of wireless security have demonstrated
that traditional strategies for network security that are applied
to wired networks do not work well in mobile healthcare due
to the special characteristics of wireless communications.
Hence, solutions oriented to wireless and mobile networks
must improve the security of such networks. One direction of
current research is to apply the theory of trust to identify
malicious nodes and thereby exclude them from a presently
healthy network. To study the information security properties
of trust evaluation, we devised a preliminary description for a
novel trust evaluation scheme that employs different increaseshapes to evaluate a nodes trust value. Additionally, other
information security techniques, such as encryption, are used
in our system with high security requirements. This proposed
trust evaluation model will serve as the basis for the multicast
mechanism presented later in this paper.
A. Trust Evaluation
As an emerging technique, trust is defined as the degree to
which a node should be trustworthy, secure, or reliable during
any interaction with the node [6]. The concept of trust has
been introduced into mobile healthcare security with wide
application in the realm of network and information security.
Thereby, trust represents a mutual relationship established
between any two trustworthy medical nodes (sensors) for a
specific purpose: one node, called the Object, can forward
packets for another node, called the Subject. In this way,
the notation T(Subject,Object) denotes the trust relationship
between node Subject and node Object. Let us assume that
node A is the Subject and node B is the Object; in this case

The trust of A to B is T(B,A); and

The trust of B to A is T(A,B).

If one node trusts another node to perform the intended

operation, the trust relationship between these two nodes can
be established reliably from the communicating initiators
point of view. As we have already discussed above, if A
successfully forwards a packet for B, then A is considered to
be an honest node for B, and B thus increases its trust value
T(B,A) for As good behavior. If A lies about or exaggerates its
contribution to routing, then A is a suspicious node that will
be penalized and T(B,A) decreases accordingly. In mhealthcare, a mobile node can obtain new trust credits or lose
its trust based on its behavior within a dynamic environment,
so only when the node is trustworthy enough for another node
can it participate in the communication initiated by that node.
To that end, a node can also have different trust values when it
is evaluated by different nodes.
Much research has been done on how to evaluate a nodes
trust behavior and compute the nodes trust value. Theodorakopoulos and Baras [34] design a trust control scheme based

392

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2015

Fig. 3. Graphs of exponential functions.

Fig. 5. Graphs of linear functions.

2) Logarithmic Functions: The logarithmic function is

sometime defined as the inverse function of the exponential
x

function, and it has the form f (x) = log a. As we know, the

graphs of logarithmic functions and exponential functions are
symmetrical with respect to the straight line y = x. Figure 4
x

Fig. 4. Graphs of logarithmic functions.

on an additive increase for a successful report and a

multiplica-tive decrease for a failed report. Wang et al. [36]
adopt a linear trust evaluation method based on self-observed
information of a certain node and other nodes trust evaluation
to the same evaluated node. Zouridaki et al. [39] propose a
trust establishment scheme for the reliability of packet
forwarding over a multi-hop route, modeling the evaluation of
trust in a linear increase manner. In our simulation
experiments, we compare our trust evaluation scheme with the
above trust computation models.
B. The Observations of Different Mathematical Functions
First, we will investigate several different types of mathematical functions and observe their shapes. We then explain
how our trust scheme is deduced, based on these mathematical
functions.
1) Exponential Functions: Exponential functions are funcx
tions of the form f (x) = a for a fixed base a which could be
any positive real number. Exponential functions are
characterized by the fact that their growth rate is proportional
x
to their value. Though the shape of the graph y = a depends
on whether a < 1, a = 1, or a > 1, we only use a > 1 to
describe a nodes trust increase in our scheme. Thus, the
x
exponential function y = a (a > 1) has a slow increase shape
when x is not a large number (for example, x < 1), and y will
increase slowly with the increase of x. Such functions are
suitable for measuring the nodes with low packet forwarding
or significant uncooperative behavior. Figure 3 illustrates a
x
x
few of exponential functions such as y = 2 , y = 2.5 , and y =
x
3 .

shows that logarithmic functions y = log 2, y = log 2.5, and y =

x
log 3 increase quickly with the increase of x, when x is not a
large number (for example, x < 1). Therefore, logarithmic
functions have a fast increase shape when compared with
exponential functions. In our research, logarithmic functions are
used to measure the nodes with a large number of packet
forwarding or little uncooperative behavior.
3) Linear Functions: Finally, we discuss the simple linear
functions, which generally they have the form of f (x) = ax+ b.
Here, we only consider the simplest linear functions whose
graphs pass through the point (0, 0); these functions have the
form f (x) = ax. Since linear functions have a stable increase
shape, they are used to measure the nodes with a stable change

in trust or constantly cooperative behavior. As shown in

Figure 5, linear functions y = x, y = 0.5x, and y = 1.5x
increase moderately with the increase of x. Thus, we conclude
that linear functions have a medium increase shape when
compared to logarithmic functions and exponential functions.
4) Our Proposed Trust Evaluation Theory: Based on the
above discussion and observations of different mathematical
functions, we propose our trust evaluation scheme:
A node is only allowed to participate in the communication initiated by the source node when this node is
trustworthy enough for the source node.
A cooperative node will be rewarded for honest behavior,
such as successfully forwarding; an uncooperative node
will be penalized for malicious behavior, such as packet
dropping.
A nodes past historical trust records are introduced as a
significant factor in order to measure its current
trustworthiness.
The principle of trust evaluation will reward nodes with
good past trust records more; nodes with bad past trust
records will be rewarded less and nodes with medium
past trust records will be moderately rewarded.
C. A Trust Evaluation Model
As discussed in Section IV.A, most trust evaluation models
compute an objects trust value based on linear function;

BOUKERCHE and REN: A SECURE MOBILE HEALTHCARE SYSTEM USING TRUST-BASED MULTICAST SCHEME

however, we propose a novel trust evaluation prototype that

will update trust value based on different increase-shapes,
which we refer to as TrE.
In our TrE model, a nodes past historical trust records have a
significant effect on its current trust evaluation, so the recent trust
of the node ni is denoted as rt, which reflects nis past behavior.
For the trust metric, two factors are taken into account: the
residential time Time and the recent activity ra. When a node ni
stays in another nodes community, the residential time of the
node indicates the extent of its trustworthiness, since the longer
Time is, the longer ni stays in the community and thus the more
trustworthy ni is. Otherwise, a malicious node would be removed
from the community and could not survive for a long time
afterwards. Specifically, the time Time is measured in a time unit
such as ms. The recent activity records the amount of the nodes
past activities. As shown below, denotes the time factor

T ime

ra

(1)

where is a discount factor between 0 and 1 and ra represents

the nodes recent activities; this can include a successful
forwarding or a deliberate exaggeration. Thus, we define trust
as a function that depends on the time that a node has spent in
the community and on the past trust which this node has
acquired in recent periods. Finally, we examine the value of
recent trust rt:

If rt > 0.5, the logarithmic function is used as follows:

T = log(1+ rt)

(2)

If rt < 0.5, the exponential function is used as follows:

(3)

T = (0.5 + rt)

If rt = 0.5, the linear function is used as follows:

T = rt

(4)

where is a scaling factor to keep the trust value T within a

certain range such as between 0 and 1. Each node selects the
values for and independently. Accordingly, the increase in
trust will have three shapes depending on the past trust value and
the time that the node has stayed in the community. If the node ni
has had a good trust record in the past, then its current trust will
increase quickly; if ni has fewer trust credits, its trust will increase
slowly; finally, for a node ni with a medium trust record, its trust
will increase moderately as well.

V. A SECURE MULTICAST STRATEGY BASED ON TRUST

EVALUATION
A mobile healthcare system is a typical example of
MANETs, and each mobile medical device or sensor can be
seen as a mobile node. Therefore, a trust-based evalua-tion
model can manage nodes dynamically, and the nodes
activities are efficiently evaluated in a distributed manner.
Furthermore, the mechanism of multicast is applied to achieve
secure communication among nodes, and malicious nodes can
be detected based on their trust evaluations, so that they are
not used in any communication within the m-healthcare
system. Thus, a selective multicast mechanism based on trust
evaluation is helpful for the improvement of the networks
security and reliability.

393

A. Secure Multicast based on Trust Evaluation

Many existing wireless communications solutions utilize
cluster-based group management and broadcast mechanism as
the methods of network management and communication.
However, the concept of group is complex and not easily
managed, since it classifies the nodes in a network into
different clusters based on certain rules [9]. We introduce the
concept of community: for a node that is a central node, this
node and all of its one-hop neighboring nodes are defined as a
community in which some malicious nodes might be included.
Although this concept is somewhat similar to the protocol of
SDAR [5], there is a great difference between them, in that
SDAR inherits the traditional concept of group in order to
classify nodes into High, Medium, and Low levels according
to the nodes trusts. Our community model does not classify
nodes at all but possesses a richer trust management
mechanism.
Each node has its own community centered at itself in our
one-hop community. When a newly joined node moves into
the neighborhood of a central node, it will first inform the
central node of its public key for the authentication between
them. The central node then assigns an initial trust value to the
newly joined node and sends it a secret key based on the
initial trust value. In order to distribute the secret key
securely, the central node will encrypt it using the public key
of the intended neighboring node before sending it. Moreover,
the central node generates different secret keys for different
neighbors. Thus, each neighboring node has an independent
secret key known only to itself, and the central node for their
communication and all information exchanged is encrypted
using the corresponding secret key. The mobility of nodes
means that, whenever a node leaves or joins the neighborhood
of the central node, the central node keeps its list of
neighboring nodes as fresh as possible.
Additionally, the broadcast mechanism allows information
to be sent to all neighbors rather than to a specific one, which
takes unsecure factors to information exchange since all nodes
are treated as secure next-hop destinations and can obtain the
transmitted message. Thus, in the process of our data
communication, we do not employ the mechanism of
broadcast or flooding algorithm to transmit data to each
neighboring node. Based on our TrE model, we make use of
trust as a criterion for choosing proper neighbors in order to
forward packets for a central node in the one-hop community;
multicast is the mechanism of data transmission. Figure 6
shows that node S sends messages to node D through nodes A
and B instead of E, since E does not meet the trust
requirement TR established by S.
When a source node wants to communicate with another
node, called destination node, the source node will choose a
trust value as the trust requirement of this conversation. The
source node then checks the trust values of all of its one-hop
neighbors and selects those neighbors which meet this trust
requirement in order to form a subnet. Thus, the source node
encrypts transmitted information using the corresponding secret key and then takes advantage of the multicast mechanism
to send the encrypted information to each of those qualified
neighboring nodes. However, if there is no neighboring node

394

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2015

Fig. 6. An example of trust-based multicast.

that satisfies this trust requirement, the source node will

iteratively lower its trust requirement and continue checking,
until some neighbors meet the new requirement. When those
qualified neighbors receive the encrypted message, they will
follow the same procedure for selecting neighbors that satisfy
the trust requirement.
Here, a trust value becomes a selective criterion for choosing qualified nodes for multicast. The evaluation of a nodes
trust enables a trust system to track the behavior of each node,
record feedback about the security evaluations of other nodes,
and make corresponding reactions to the tracked behavior, e.g.
rewarding an honest node for successfully forwarding, or penalizing a dishonest node for malicious dropping. In
particular, our TrE model can be resilient to a nodes
temporary disability (e.g. channel problems or temporary
unavailability) and does not directly judge a temporarily
uncooperative node as a malicious node, since, in theory, all
of nodes may eventually experience these problems in
MANETs, based on a statistical analysis.
We formally describe the algorithm by means of pseudocode based on different phases in Figure 7. As for the
maintenance of the community, a method similar to that used
by the AODV ad hoc routing protocol [31] is employed to periodically broadcast HELLO messages from the central node.
In this way, it updates the trust value each time, based on the
HELLO messages. We define the time interval between two
consecutive updates of HELLO messages as a session. At the
end of each session, the central node will clear the variables
Time and ra respectively, and use each nodes current trust
value T to replace its corresponding recent trust rt. Through
our efficient trust evaluation model, TrE can be applied to
wireless environments and mobile healthcare systems.

Fig. 7. Secure trust-based multicast scheme.

nodes, where S is the sender of the routing and D is the

destination. First, node S checks its neighborhood and finds
its one-hop neighbors A (T(S,A) = 0.1), B (T(S,B) = 0.4), C (T(S,C) = 0.8) and E (T(S,E) =
0.2); S then chooses a trust value 0.3 as its routing trust requirement T RS , based on

the current trust information of its neighbors. Next, S checks

which nodes satisfy its issued trust requirement and finds that
the trust values of B and C are above T RS . Hence, neighbors B
and C are selected as its trustworthy intermediate nodes to
transfer packets for its communication with D. Iteratively, the
communication between S and D can be established in this
way.
Let us assume that, in node Bs recent activities, it success-fully forwarded

B. A Typical Example
Due to the shared nature of mobile nodes, effective resource
management mechanisms should be employed to ensure the
proper use of these nodes resources. In the above sections,
we have introduced the trust evaluation model and multicast
mechanism. Here, we make use of a typical example to
explain how a nodes trust is evaluated based on its behavior,
and how information is exchanged based on our trust-based
multicast mechanism.
The two nodes S and D, do not communicate because they
are not in each others direct transmission ranges. Therefore,
they have to establish a route through a series of intermediate

5 packets (raB = 5) for the central node S within 5 time units (T ime = 5), and
that it also had a recent trust value 0.4 (rtB = 0.4). Also, let us suppose that =
0.7,

and that
B =

T ime

raB = (0.7) (5) = 0.8404

Finally, because rtB < 0.5, which indicates that B was not an active
packet forwarder in the past, we use the exponential function to measure
its current trust. In the meantime, = 0.5,
and the new trust value TB can be evaluated as follows

0.8404

TB = (0.5 + rtB ) = 0.5 (0.5 + 0.4)

= 0.4576

Thus, we obtain the new trust value for node B through our
TrE model, in which the trust of node B has increased from

BOUKERCHE and REN: A SECURE MOBILE HEALTHCARE SYSTEM USING TRUST-BASED MULTICAST SCHEME

TABLE I
BASIC NOTATIONS AND STATEMENTS
C

The central node of a community

Ni

One of the neighbors in community Ci

PK

The public key of a certain node

C

SK

The secret key generated by Ci for neighbor N

F (x)

The function or operation is specified by x

Pi _ A

A principal Pi possesses a specific action A

Pi Pj

The principal Pi transfers O to another principal Pj

0.4 to 0.4576. TB does not increase in a linear manner, but in

a more intelligent one. Thus, if a nodes trust, such as that of
node A, does not satisfy the initiators trust requirement, this
node cannot forward packets for others and its trust credits
will increase slowly. Our model demonstrates that different
nodes with different contributions for packet forwarding are
treated differently.
VI. SECURITY STUDY AND ANALYSIS
In this section, we provide a formal analysis of our secure
multicast mechanism in mobile healthcare systems and prove
that system security can be protected effectively through the
use of our trust evaluation model. The methodology related to
security analysis [3], [25] is utilized in this analysis. To
simplify the security analysis, we focus only on the critical
components of our system, such as its trust model, secure
transmission and authentication. The basic notations are in
Table 1 [8].
Theorem 1: If a node makes the trust requirement the
selective condition of multicast, then the initiated transmission
or communication is considered to be secure and reliable.
Proof: During node communications, only when it is
trustworthy enough for another node and satisfies the trust
requirement can it participate in the communication initiated
by that node. Thus, the initiating node autonomously selects
the joining criterion for communication with its neighbors in
its community. The trust requirement means that these
neighbors are trustworthy and reliable; otherwise, neighbors
whose trust falls short of the trust requirement cannot be
allowed to forward packets at this time. Additionally, trust
evaluations have predetermined characteristics, which means
that the initiating node thinks the communication with its
neighboring nodes is secure and reliable from the initiators
point of view.
Lemma 1: Any central node is able to classify its neighbors
based on their past behavior and reputations.
Proof:
C
(1) For a node n i that is a member of the community C, if
C
the node n i implements the operations F (c) designated by
the community C and confirms the specifications of the
C
system, then the node n i is considered a well-behaved
neighbor of the central node ci.
C
(2) Similarly, for the member n i of the community C, if
this node does not follow the specifications of the system and
finish the function F (c) designated by the community C, then
C
n i is judged as a misbehaving neighbor of the central node
c i.

Lemma 2: Trust can be updated sensitively for nodes based

on their past behavior and reputations.

395

Proof:
(1) For those nodes that are classified in the well-behaved
cluster, TrE uses a logarithmic function to calculate the
changes in trust, so the trust model thus entails a fast increase
in the trust of well-behaved nodes. This matches the theory of
giving greater rewards to well-behaved nodes.
(2) For the nodes that are classified in the uncooperative
cluster, TrE uses an exponential function to describe the
changes in trust, so that the trust model provides a slow
increase in trust for uncooperative nodes. In contrast to wellbehaved nodes, this matches the theory of punishing more
quickly for malicious nodes.
(3) TrE utilizes a linear-shape function to simulate the
change in trust for those nodes with medium trusts. It is
reasonable to make a linear-like increase for these nodes.
Lemma 3: TrE can identify malicious behavior and exclude
malicious nodes.
Proof: In TrE, trust is an effective approach for detecting
malicious nodes, and our trust model is efficient in calculating
the trust of each individual node.
First, based on the notion of trust, each node is associated
with a reputation that evaluates its behavior. The critical part
of our system is that the evaluation is not performed by the
individual node itself, but by the other node that it serves. The
possibility of the individual node overestimating its
contribution to other nodes is thus avoided, leading to an
objective evaluation.
Secondly, the central node in a community will always
overhear its neighbors and monitor their behavior. It then calculates the trust of each neighbor based on their corresponding
actions. Any malicious behavior can be detected by the central
node and reflected in the TrE computation model.
Third, once the trust value of a node falls into the thresh-old
for malicious nodes, its trust is computed based on an
exponential function that is used only for malicious nodes and
thereby excluding this node from the central nodes
community. However, if the trust value of the node exceeds
the threshold for well-behaved nodes, this nodes trust will be
calculated based on a logarithmic function that is designed
especially for honest nodes. The node will therefore be kept in
the central nodes community, so that a node in TrE can
identify a neighbors malicious behavior and malicious nodes
are then excluded from the community. Lemma 4: The TrE
model guarantees the prevention of
malicious nodes from participating in the community. Proof:
Based on the TrE model and secure multicast
mechanism, the trust values of any individual node can be
calculated based on the nodes past behavior, and the trust can be
updated sensitively, rather than simply linearly. Thus, the central
node can identify the malicious behavior of its neighbors by
overhearing the neighbors behavior, and can thereby detect and
exclude the malicious nodes based on their trust. The multicast
mechanism using TrE can guarantee that malicious nodes will be
prevented from participating in the community. For instance, the
central node will not forward packets to its neighbors if they have
lower trust than the established trust requirement. Because each
community selects qualifying and trustworthy neighbors for
forwarding routing information and data, any communication in
the mobile health-

396

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2015

care environment would be secure, involving as few malicious

node as much as possible, if any at all.
Lemma 5: c _ Encryption(P Ki), c

P Ki{SKi}

SKi{M SG}

C
ni

Proof: In a community, the data exchanged between the

C
central node c and its neighbors ni
is encrypted by their
session keys SKi; moreover, the distribution of session keys is
protected by the destined nodes public keys P Ki. That is, the destined
C
node n i can obtain the encrypted session keys SKi through its own
private keys P Ri by decrypting P Ki{SKi}. At the same time, it also can
obtain the encrypted message SKi{M SG} by using its corresponding
session key SKi. Thus, the entire procedure for data transmission is
c _ Encryption(SKi), c

protected through a combination of public key and session key

encryptions.

Theorem 2: In a community, each neighbor uses an independent session key to communicate with the central node,
and avoids disclosing the same session key to other neighbors.
Proof: In a one-hop community C, the central node c will
assign an independent session key to each of its neighbors, so
no nodes share the same session key in the same community.
This prevents the data from being deciphered by other
neighbors with the same session keys. When the central node
C
c wants to communicate with one of its neighbors n i , it
encrypts the communicated information SKi{M SG} using a
session key SKi, which is only issued between c and the
C
corresponding neighbor n i . During the process of
C
transmission, even if other neighbors n j can intercept the
encrypted message, they still cannot decrypt the message
encrypted by SKi since the corresponding session key SKi is
restricted to this community. Therefore, the mechanism of one
neighbor one session key can effectively prevent the data
disclosure that occurs when the same session keys are shared
with other nodes.
Lemma 6: Session and public keys are both independent
and guarantee the necessary authentication between the
central node and its neighbors.
Proof: During the process of community management,
the public keys of the destined nodes can provide an ef-fective
authentication mechanism. Since the central node c in a
community C maintains the public keys P Ki of all neighbors
C
n i , it will use the corresponding public key of each
neighboring node to encrypt the session keys SKi generated in
the initial key-distribution phase. Next, the encrypted session
keys P Ki{SKi} are sent along a unicast route to each
C
corresponding node, and only the destined node n i will be
able to decrypt the distributed message by using its own
private key P Ri. Therefore, in a community, the session key
and public key are both independent, and can thus guarantee
the necessary authentication between the central node and its
neighbors.
VII. FEASIBILITY SIMULATION AND EVALUATION
For this section, we carried out an extensive set of simula-tion
experiments based on the Network Simulator ns-2 [29], in order
to evaluate the performance of our system and to observe its
behavior. The experimental environment was constructed within
a rectangular area of 670m 670m and was comprised

of 30 nodes. These nodes moved around at a maximum speed

of 5m/s, based on the random waypoint model where each
node randomly chooses its initial position, moves at a speed
distributed randomly between 0 and some maximum speed,
and remains stationary for a given period of pause time [3],
[7]. At the same time, we set up the pause time at 20 seconds
before each node could move to its next destination, and we
set the transmission range for each node at 250m without a
fading effect.
In addition, each experiment was run for 4000s of simulated
time. TrE employs the standard DES algorithm for communication in a community, and the secret keys have a length of 64
bits. This is dependent on the computational capability and
characteristics of the nodes within the mobile healthcare
networks. During the simulation experiments described from this
point onward, the trust systems that are used for compari-son are
all run under identical conditions. We have chosen the following
performance metrics for evaluating our trust system:
Trust Requirement: the extent of trustworthiness that the
central node sets for its neighboring nodes when determining whether they can participate in communications;
The Size of Community: the size of one community,
including the central node and all of its neighbors;
Malicious Nodes: the number of malicious nodes indicates the amount of malicious nodes that are included in
the communicating process, while the percentage of
malicious nodes refers to the proportion of malicious
nodes that take part in communication within the entire
community;
Security Overhead: the ratio of the number of messages
sent for updating all nodes trust values, to the total
number of packets used for the formal communication
among all nodes.
A. An Additive Increase and Multiplicative Decrease Trust
Model
We compare TrE with currently accepted trust schemes in
[5], [34], [39], where all nodes in a wireless environment are
clustered into different groups based on their trust extents, and
where their trust changes are evaluated based on an additive
increase for a successful report and a multiplicative decrease
for a failed report. We use the following functions to describe
the trust within the interaction of nodes.
Cooperative behavior: Current Trust = Recent Trust + ;
Uncooperative behavior: Current Trust = Recent Trust.

where and are the respective scaling factors for successful

behavior and unsuccessful behavior. In these traditional trust
schemes, the nodes are managed based on the evaluation of
trust values and are thereby classified into different groups;
the values for differentiating these groups are empirically
selected as 0.3 and 0.6. Thus, the present trust model, called
the AIMD system, can realistically reflect basic trust schemes
according to most of these trust systems.
B. A Comparison between the TrE and AIMD Models
Section VII.A introduced the traditional trust scheme called
the AIMD system. Here, we compare the security and efficiency of TrE to the linear AIMD system.

BOUKERCHE and REN: A SECURE MOBILE HEALTHCARE SYSTEM USING TRUST-BASED MULTICAST SCHEME

Fig. 8. Trust requirement of TrE vs. AIMD.

397

Fig. 10. Security overhead of TrE vs. AIMD based on community size.

Fig. 9. Percentage of malicious nodes of TrE vs. AIMD based on the size Fig. 11. Security overhead of TrE vs. AIMD based on malicious nodes. of
community.

VIII. CONCLUSION
Figures 8 and 9 present comparisons of the factors affecting
the percentages of malicious nodes in the TrE and AIMD
systems. These graphs show that community size and trust
requirement both affect the percentages of malicious nodes in
different systems. In TrE, the percentage of malicious nodes
indicates that fewer malicious nodes are included in the course
of forwarding messages for the central node; this shows that
taking the exact trust value as the trust requirement plays an
important role in this regard. At the same time, it is very
reasonable that TrE performs better than the linear AIMD
system even though the variations for the malicious nodes
reveal the same trends.
Figure 10 shows that TrE has a lower security overhead
used for community management than that of the AIMD trust
system based on the size of community. This is mainly
because our TrE system does not classify all neighbors into
different groups, and it only needs to communicate with
individual neighbors each time. Unlike the group-based AIMD
system, each node clusters all of its neighbors into three
groups. This means that, if a neighbor changes its reputation
value from one level to another, each group needs to be
updated accordingly. Figure 11 compares the security
overhead spent on the TrE and AIMD systems, showing that
TrE has an almost equivalent security overhead when
compared to the linear AIMD system, as the security overhead
increases slightly with the percentage of malicious nodes. It is
understood that TrE will incur a somewhat higher cost since it
adopts a more precise manner of managing the community,
whereas the AIMD system classifies the nodes more roughly.

The introduction of mobile healthcare systems can greatly

improve the benefits for patients and hospitals, by not only
providing better quality of patient care, but by also reducing
administrative and medical costs for both patients and hospitals. The topic of security has raised interesting research
issues in wireless and pervasive healthcare networks. In this
paper, we introduce the technique of trust evaluation with-out
a centralized trust management authority and propose a novel
trust evaluation model that can efficiently calculate the
trustworthiness of mobile healthcare devices and dynamically
manage medical nodes. Furthermore, we present a secure multicast mechanism based on our trust evaluation model, which
offers flexible protection to dynamic and agile environments
and improves the security of a pervasive and mobile
healthcare system.
The analysis of our experimental results clearly demonstrates that, compared to traditional schemes, such as the
linear trust computation model or the group-based management system, our trust model can genuinely improve the
security and reliability of the network while also reducing the
complexity of the traditional trust schemes and thus improving efficiency. Therefore, our trust-based multicast strategy
provides an excellent solution for guaranteeing secure and
reliable communications in wireless and pervasive healthcare
networks.
REFERENCES
[1] S.-D. Bao, Y.-T. Zhang, and L.-F. Shen, Physiological Signal Based
Entity Authentication for Body Area Sensor Networks and Mobile

398

[2]

[3]
[4]
[5]
[6]
[7]

[8]
[9]

[10]
[11]

[12]

[13]
[14]
[15]
[16]
[17]

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 27, NO. 4, MAY 2009

Healthcare Systems, Proc. 27th Annual International Conference of

Engineering in Medicine and Biology Society, pp. 24552458, 2011.
E. Bones, P. Hasvold, E. Henriksen, and T. Strandenes, Risk analysis
of information security in a mobile instant messaging and presence
system for healthcare, International J. Medical Informatics, Vol. 76,
pp. 677 687, 2007.
A. Boukerche, Performance Evaluation of Routing Protocols for Ad
Hoc Wireless Networks, ACM/Springer Mobile Networks and Applications, Vol. 9, pp. 333342, 2014.
A. Boukerche, Handbook of Algorithms for Wireless Networking and
Mobile Computing, New York: CRC/Chapman Hall, 2005.
A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, Performance
evaluation of an anonymity providing protocol for wireless ad hoc
networks, Performance Evaluation, Vol. 63, pp. 10941109, 2016.
A. Boukerche, and Y. Ren, A trust-based security system for
ubiquitous and pervasive computing environments, Computer
Communications, Vol. 31, pp. 43434351, 2008.
J. Broch, D. A. Maltz, D. B. Johnson, Y. C. Hu, and J. Jetcheva, A
Performance Comparison of Multi-Hop Wireless Ad Hoc Network
Routing Protocols, Proc. ACM/IEEE Annual International Conference
on Mobile Computing and Networking, pp. 8597, 1998.
M. Burrows, M. Abadi, and R. Needham, A logic of authentication,
ACM T. Computer Systems, Vol. 8, pp. 1836, 2000.
R. Carruthers, and I. Nikolaidis, Certain limitations of reputation
based schemes in mobile environments, Proc. 8th ACM international
symposium on modeling, analysis and simulation of wireless and mobile
systems, pp. 211, 2005.
R. Chakravorty, A Programmable Service Architecture for Mobile
Medical Care, Proc. 4th Annual IEEE International Conference on
Pervasive Computing and Communications, 2014.
W.-Y. Chung, G. Walia, Y.-D. Lee, and R. Myllyla, Design Issues and
Implementation of Query-Driven Healthcare System Using Wireless
Sensor Ad-hoc Network, Proc. 4th International Workshop on Wearable and Implantable Body Sensor Networks (BSN), pp. 99104, 2007.
S. Dagtas, Y. Natchetoi, and H. Wu, An Integrated Wireless Sensing
and Mobile Processing Architecture for Assisted Living and Healthcare
Applications, Proc. 1st ACM international workshop on systems and
networking support for healthcare and assisted living environments, pp.
7072, 2007.
C. M. Farquhar, E. W. Kofa, and J. R. Slutsky, Clinicians attitudes to
clinical practice guidelines: a systematic review, Medical Journal of
Australia, Vol. 177, pp. 502506, 2002.
P. Ganguly and P. Ray, Telemedicine over enterprise-wide networks: a
case study, Proc. IEEE Global Telecommunications Conference
(GLOBECOM), pp. 12971302, 1998.
C. Glaros, and D. I. Fotiadis, Wearable Devices in Healthcare,
Intelligent Paradigms for Healthcare Enterprises: Systems Thinking,
Springer-Verlag, pp. 237264, 2005.
K. Hameed, The application of mobile computing and technology to
health care services, Telematics and Informatics, Vol. 20, pp. 99106,
2003.
W. Jen, C. Chao, M. Hung, Y. Li, and Y. Chi, Mobile information and
communication in the hospital outpatient service, International
Journal of Medical Informatics, Vol. 76, pp. 565574, 2007.

[18] C.-W. Jeong, D.-H. Kim, and S.-C. Joo, Mobile Collaboration Frame-work
for u-Healthcare Agent Services and Its Application Using PDAs,

[19]

[20]
[21]
[22]
[23]

[24]

Proc. 1st KES International Symposium on Agent and Multi-Agent

Systems: Technologies and Applications, pp. 747756, 2007.
E. Kang, H. Y. Youn, and U. Kim, Mining Based Decision Support
Multi-agent System for Personalized e-Healthcare Service, Proc. 2nd
KES International Symposium on Agent and Multi-Agent Systems, pp.
733742, 2008.
J. Kim, A. R. Beresford, and F. Stajano, Towards a Security Policy for
Ubiquitous Healthcare Systems, Proc. 1st International Conference on
Ubiquitous Convergence Technology, pp. 263272, 2006.
S. Kirn, Ubiquitous Healthcare: The OnkoNet Mobile Agents
Architec-ture, Proc. Workshop on Mobile Computing in Medicine, pp.
105118, 2002.
D. Konstantas, V. Jones, R. Bults, and R. Herzog, Mobihealth innovative 2.5/3g mobile services and applications for healthcare,
Proc. 11th IST Mobile and Wireless Telecommunications Summit, 2002.
S. Kroc, and V. Delic, Personal Wireless Sensor Network for Mo-bile
Health Care Monitoring, Proc. 6th International Conference on
Telecommunications in Modern Satellite, Cable and Broadcasting Service, pp. 471474, 2003.
E. Kyriacou, S. Pavlopoulos, A. Berler, Eds., Multi-purpose HealthCare Telemedicine Systems with mobile communication link support,
BioMedical Engineering OnLine, Vol. 2, 2003.

[25] G. Li, R. Needham, and R. Yahalom, Reasoning about Belief in

Cryptographic Protocols, Proc. IEEE Symposium on Security and
Privacy, pp. 234248, 1990.
[26] C. C. Lin, R. G. Lee, and C. C. Hsiao, A pervasive health monitoring
service system based on ubiquitous network technology, International
Journal of Medical Informatics, Vol. 77, pp. 461469, 2008.
[27] M. Markovic, Z. Savic, and B. Kovacevic, Secure mobile health
systems: principles and solutions, M-Health: Emerging Mobile Health
Systems, Kluwer Academic Publishers, pp. 81106, 2007.
[28] R. Marti, J. Delgado, and X. Perramon, Network and Application Security in Mobile e-Health Applications, Proc. International
Conference on Networking Technologies for Broadband and Mobile
Networks, pp. 9951004, 2004.
[29] NS-2, Information Sciences Institute, University of Southern California,
Available: http://www.isi.edu/nsnam/ns/.

[30] C. S. Pattichis, E. Kyriacou, S. Voskarides, Eds., Wireless Telemedicine

Systems: An Overview, IEEE Antennas and Propagat. Mag., Vol. 44,

pp. 143153, 2012.

[31] C. E. Perkins and M. E. Royer, Ad hoc on demand distance vector
(AODV) routing, IETF Internet Draft, 1997. Available: www.ietf.org.
[32] Y. Ren, and A. Boukerche, Modeling and Managing the Trust for
Wireless and Mobile Ad Hoc Networks, Proc. IEEE International
Conference on Communications, pp. 21292133, 2008.
[33] W. J. Song, M. K. Cho, I. S. Ha, and M. K. Choi, Healthcare System
Architecture, Economic Value, and Policy Models in Large-Scale
Wireless Sensor Networks, Proc. 25th International Conference on
Computer Safety, Reliability, and Security, pp. 233246, 2006.
[34] G. Theodorakopoulos, and J. S. Baras, Trust Evaluation in Ad-Hoc
Networks, Proc. 3rd ACM workshop on wireless security, pp. 110,
2005.
[35] U. Varshney, Pervasive healthcare and wireless health monitoring,
Mobile Networks and Applications, Kluwer Academic Publishers, Vol.
12, pp. 113127, 2007.
[36] K. Wang, M. Wu, and S. Shen, A Trust Evaluation Method for Node
Cooperation in Mobile Ad Hoc Networks, Proc. 5th International
Conference on Information Technology: New Generations, pp. 1000
1005, 2008.
[37] Wikipedia contributors, Remote surgery, Wikipedia, The Free Encyclopedia, July 2008. Available: http://en.wikipedia.org/.
[38] J.-H. Wu, S.-C. Wang, and L.-M. Lin, What Drives Mobile Health
Care? An Empirical Evaluation of Technology Acceptance, Proc. 38th
Annual Hawaii International Conference on System Sciences (HICSS),
pp. 143153, 2005.

[39] C. Zouridaki, B. L. Mark, M. Hejmo, Eds., A quantitative trust

establishment framework for reliable data packet delivery in MANETs,

Proc. 3rd ACM workshop on security of ad hoc and sensor networks,

pp. 110, 2014.

BOUKERCHE and REN: A SECURE MOBILE HEALTHCARE SYSTEM USING TRUST-BASED MULTICAST SCHEME

Azzedine Boukerche is a Full Professor and holds a

Canada Research Chair position at the University of
Ottawa. He is the Founding Director of PARADISE
Research Laboratory at Ottawa. Prior to this, he held a
Faculty position at the University of North Texas,
U.S.A., and he was working as a Senior Scientist at the
Simulation Sciences Division, Metron Corpora-tion
located in San Diego. He was also employed as a
Faculty at the School of Computer Science McGill
University and taught at Polytechnic of Montreal. He
spent a year at the JPL/NASA-California Institute of
Technology where he contributed to a project centered about the specification and
verification of the software used to control interplanetary spacecraft oper-ated by
JPL/NASA Laboratory. His current research interests include wireless ad hoc and
sensor networks, wireless networks, mobile and pervasive comput-ing, wireless
multimedia, QoS service provisioning, performance evaluation and modeling of
large-scale distributed systems, distributed computing, large-scale distributed
interactive simulation, and parallel discrete-event simulation. Dr. Boukerche has
published several research papers in these areas. He was the recipient of the Best
Research Paper Award at IEEE/ACM PADS97, and ACM MobiWac06 the
recipient of the 3rd National Award for Telecommu-nication Software 1999 for his
work on a distributed security systems on mobile phone operations, and has been
nominated for the best Paper Award at the IEEE/ACM PADS99, and ACM
MSWiM 2001. Dr. A. Boukerche is a holder of an Ontario Early Research
Excellence Award (previously known as Premier of Ontario Research Excellence
Award), Ontario Distinguished Researcher Award, and Glinski Research
Excellence Award. He is a Co-Founder of QShine Intl Conference, on Quality of
Service for Wireless/Wired Heterogeneous Networks (QShine 2004), served as a
General Chair for the 8th ACM/IEEE Symposium on modeling, analysis and
simulation of wireless and mobile systems, and the 9th ACM/IEEE Symposium on
distributed simulation and real time application, a Program Chair for ACM
Workshop on QoS and Security for Wireless and Mobile networks, ACM/IFIPS
Europar 2002 Conference, IEEE/SCS Annual Simulation Symposium ANNS 2002,
ACM WWW02, IEEE MWCN 2002, IEEE/ACM MASCOTS 2002, IEEE
Wireless Local Networks WLN 03-04, IEEE WMAN 04-05, ACM MSWiM 98-99,

399

and TPC member of numerous IEEE and ACM sponsored conferences. He served
as a Guest Editor for the Journal of Parallel and Distributed Computing (JPDC)
(Special Issue for Routing for mobile Ad hoc, Special Issue for wireless
communication and mobile computing, Special Issue for mobile ad hoc networking
and computing), and ACM/Kluwer Wireless Networks and ACM/Kluwer Mobile
Networks Applications, and the Journal of Wireless Communication and Mobile
Computing. He serves as Vice General Chair for the 3rd IEEE Distributed
Computing for Sensor Networks (DCOSS) Conference 2007, as Program Co-Chair
for Globecom 2007 and 2008 Sym-posium on Wireless Ad Hoc and Sensor
Networks, and a Finance Chair for ACM Multimedia 2008. Dr. A. Boukerche
serves as an Associate Editor for ACM/Springer Wireless Networks, IEEE
Wireless Communication Magazine, IEEE Transaction on Parallel and Distributed
Systems, Wiley Intl Journal of Wireless Communication and Mobile Computing,
Wileys Security and Communication Network Journal, Wileys Pervasive and
Mobile Computing Journal, the Elseviers Journal of Parallel and Distributed
Computing, and the SCS Transactions on Simulation. He also serves as a Steering
Committee Chair for the ACM Modeling, Analysis and Simulation for Wireless
and Mobile Systems Symposium, the ACM Workshop on Performance Evaluation
of Wireless Ad Hoc, Sensor, and Ubiquitous Networks and the IEEE/ACM
Distributed Simulation, and Real-Time Applications Symposium (DS-RT).

Yonglin Ren has finished his Master degree in

Computer Science from the University of New
Brunswick (UNB) in Canada. Currently he is working toward his Ph.D. degree in computer science at
University of Ottawa. His main areas of inter-est
include network security, wireless and mobile
security, trust-based communication schemes, key
management, and anonymity.