G.Chen et al. Computer Networks 190(2021)107952 environment and hence saves storage and computing resources evaluated by the trustor.If the trustor is satisfied with the service of IoT objects.Although in some previous work [4-7]and [8], provided by the trustee,it will give the trustee a high trust rating. the authors proposed hybrid architectures which are similar to However,the trustor cannot interact with all trustees directly all the ours,they did not specify what components are included in their time.In this situation,the trustor needs recommendations from other proposed architecture and they did not explain how to apply their objects that have interaction histories with trustees.Those objects who trust models to the architectures they proposed.Instead,we clar- give recommendations to the trustor are called recommenders. ify the components included in our architecture and the functions According to the above descriptions,we know that there are two of these components.Meanwhile,we explain the process of trust types of trust relationships including direct trust and recommendation evaluation and the interaction process of these components in the trust between a trustor and a trustee.The type of a given trust relation- architecture we proposed. ship depends on the way the trustor communicates with the trustee.If Considering that the impact of past feedback will decrease over the trustor communicates with the trustee directly,this trust relation- time,we introduce a sliding window to store feedback and use ship is considered direct trust.Otherwise,we call the trust relationship a time decay function to reduce the weight of the previous recommendation trust.In our trust model,the trustor evaluates the feedback.The differences from [5]and [6]are that we not only trustee's trust value by synthesis trust that combines direct trust and use the decay function to reduce the impact of previous feedback, recommendation trust by adaptive weight. we also propose a sliding window to save the feedback of the most recent period of time.The use of the sliding window can reflect 2.2.Attack model the changes in the trust value of the IoT objects more quickly because of the fact that recent behaviors can better reflect the A malicious object is dishonest and can perform malicious attacks current trust status of IoT objects. such as providing bad service or recommending adverse trust informa- We design a recommendation filtering algorithm based on k- tion about trustees to the trustor.We call these attacks trust related means to filter out bad recommendations provided by malicious attacks.The trust related attacks are summarized as follows: recommenders.Although a similar filtering algorithm was pro- On-off attacks:A malicious object behaves well for a period of posed in [5],we also introduce three important factors on the time and badly at other times.For example,a trustee can provide basis of our filtering algorithm.Even if the filtering algorithm a trustor with good service that does not need many resources and cannot completely filter out the bad recommendations,the use prefers not to serve the trustor when the trustor needs too many of these three important factors can reduce the negative impact resources. of the bad recommendations on the calculation of the recommen- Self promoting attacks:A malicious object can promote its dation trust as much as possible. reputation by offering good recommendations about itself so We introduce an adaptive weight that can adjust automatically ac- that it can be selected as a service provider and then provides cording to the dynamic environment to combine direct trust and poor service.A service requester can hardly select good service recommendation trust.The experimental results indicate that our providers under these attacks if the trust model does not ignore adaptive trust model enables fast and accurate trust evaluation bad recommendations about the malicious object itself. and resists malicious attacks in the dynamically hostile environ- Bad mouthing attacks:A malicious recommender can slander ment.Compared with the fixed weight used in [9]and [10],our the reputation of a well-behaved trustee by providing the trustor adaptive weight enables fast and accurate trust evaluation and with bad recommendations about that trustee.As a result,the resists malicious attacks in the dynamically hostile environment. trustee that is evaluated by the trustor with a low trust rating cannot be selected as a service provider. The remainder of this paper is organized as follows.In Section 2,we introduce the concept of trust and attack model in loT.In Section 3,we Ballot stuffing attacks:These attacks are similar to bad survey the related work of IoT trust models.In Section 4,we propose mouthing attacks.A badly-behaved trustee that cannot offer the system architecture and the process of trust evaluation.In Section 5, satisfying service will be highly rated by malicious recommenders we elaborate on our adaptive trust model and we give the experimental that give opposite recommendations to the trustor.When multi- results and relevant analysis in Section 6.Finally,we summarize the ple recommenders collaborate with each other to perform these paper and outline the future work in Section 7. attacks at the same time,they can boost the reputation of a bad trustee quickly. 2.Background Selective misbehavior attacks:A malicious recommender pro vides the trustor with bad recommendations about some trustees In this section,we first introduce the concept of trust in IoT,the and gives correct recommendations about others.In such a case, the trustor can hardly judge if the recommender is malicious main participants in the trust model and the types of trust.Then,we because of its intermittent malicious behavior. list some trust related attacks that can break the trust management system.Finally,we introduce some common outlier detection methods From the above description of trust related attacks,we know that which can be used to detect bad recommendations caused by those trust models are under many security threats that can break the func- trust related attacks and filter out them from all the recommendations tionality of trust management systems.Therefore,trust models should received by the trustor. consider multiple trust factors in order to evaluate trustees accurately. They should also take more defensive measures to avoid the negative 2.1.Trust in internet of things effect of bad recommendations so as to improve the stability of trust evaluation in the dynamically hostile environment. In human society,trust usually indicates the degree of subjective belief between people.People are more likely to communicate with 2.3.Outlier detection methods people they trust.Similarly,IoT objects are more willing to use services provided by trusted objects.Objects can evaluate the trust value of In Section 2.2,we have already introduced that malicious rec- others through trust models before using their service. ommenders which perform some trust related attacks such as bad There are three main participants in a trust model:trustor,trustee mouthing attacks and ballot stuffing attacks will provide bad recom- and recommender.A trustor is an object who wants to evaluate the mendations to the trustor.If the trustor uses these bad recommen- trust value of others.Correspondingly,a trustee is an object who is dations,the accuracy of the recommendation trust evaluation will be 2Computer Networks 190 (2021) 107952 2 G. Chen et al. environment and hence saves storage and computing resources of IoT objects. Although in some previous work [4–7] and [8], the authors proposed hybrid architectures which are similar to ours, they did not specify what components are included in their proposed architecture and they did not explain how to apply their trust models to the architectures they proposed. Instead, we clar￾ify the components included in our architecture and the functions of these components. Meanwhile, we explain the process of trust evaluation and the interaction process of these components in the architecture we proposed. • Considering that the impact of past feedback will decrease over time, we introduce a sliding window to store feedback and use a time decay function to reduce the weight of the previous feedback. The differences from [5] and [6] are that we not only use the decay function to reduce the impact of previous feedback, we also propose a sliding window to save the feedback of the most recent period of time. The use of the sliding window can reflect the changes in the trust value of the IoT objects more quickly because of the fact that recent behaviors can better reflect the current trust status of IoT objects. • We design a recommendation filtering algorithm based on 𝑘- means to filter out bad recommendations provided by malicious recommenders. Although a similar filtering algorithm was pro￾posed in [5], we also introduce three important factors on the basis of our filtering algorithm. Even if the filtering algorithm cannot completely filter out the bad recommendations, the use of these three important factors can reduce the negative impact of the bad recommendations on the calculation of the recommen￾dation trust as much as possible. • We introduce an adaptive weight that can adjust automatically ac￾cording to the dynamic environment to combine direct trust and recommendation trust. The experimental results indicate that our adaptive trust model enables fast and accurate trust evaluation and resists malicious attacks in the dynamically hostile environ￾ment. Compared with the fixed weight used in [9] and [10], our adaptive weight enables fast and accurate trust evaluation and resists malicious attacks in the dynamically hostile environment. The remainder of this paper is organized as follows. In Section 2, we introduce the concept of trust and attack model in IoT. In Section 3, we survey the related work of IoT trust models. In Section 4, we propose the system architecture and the process of trust evaluation. In Section 5, we elaborate on our adaptive trust model and we give the experimental results and relevant analysis in Section 6. Finally, we summarize the paper and outline the future work in Section 7. 2. Background In this section, we first introduce the concept of trust in IoT, the main participants in the trust model and the types of trust. Then, we list some trust related attacks that can break the trust management system. Finally, we introduce some common outlier detection methods which can be used to detect bad recommendations caused by those trust related attacks and filter out them from all the recommendations received by the trustor. 2.1. Trust in internet of things In human society, trust usually indicates the degree of subjective belief between people. People are more likely to communicate with people they trust. Similarly, IoT objects are more willing to use services provided by trusted objects. Objects can evaluate the trust value of others through trust models before using their service. There are three main participants in a trust model: trustor, trustee and recommender. A trustor is an object who wants to evaluate the trust value of others. Correspondingly, a trustee is an object who is evaluated by the trustor. If the trustor is satisfied with the service provided by the trustee, it will give the trustee a high trust rating. However, the trustor cannot interact with all trustees directly all the time. In this situation, the trustor needs recommendations from other objects that have interaction histories with trustees. Those objects who give recommendations to the trustor are called recommenders. According to the above descriptions, we know that there are two types of trust relationships including direct trust and recommendation trust between a trustor and a trustee. The type of a given trust relation￾ship depends on the way the trustor communicates with the trustee. If the trustor communicates with the trustee directly, this trust relation￾ship is considered direct trust. Otherwise, we call the trust relationship recommendation trust. In our trust model, the trustor evaluates the trustee’s trust value by synthesis trust that combines direct trust and recommendation trust by adaptive weight. 2.2. Attack model A malicious object is dishonest and can perform malicious attacks such as providing bad service or recommending adverse trust informa￾tion about trustees to the trustor. We call these attacks trust related attacks. The trust related attacks are summarized as follows: • On–off attacks: A malicious object behaves well for a period of time and badly at other times. For example, a trustee can provide a trustor with good service that does not need many resources and prefers not to serve the trustor when the trustor needs too many resources. • Self promoting attacks: A malicious object can promote its reputation by offering good recommendations about itself so that it can be selected as a service provider and then provides poor service. A service requester can hardly select good service providers under these attacks if the trust model does not ignore bad recommendations about the malicious object itself. • Bad mouthing attacks: A malicious recommender can slander the reputation of a well-behaved trustee by providing the trustor with bad recommendations about that trustee. As a result, the trustee that is evaluated by the trustor with a low trust rating cannot be selected as a service provider. • Ballot stuffing attacks: These attacks are similar to bad mouthing attacks. A badly-behaved trustee that cannot offer satisfying service will be highly rated by malicious recommenders that give opposite recommendations to the trustor. When multi￾ple recommenders collaborate with each other to perform these attacks at the same time, they can boost the reputation of a bad trustee quickly. • Selective misbehavior attacks: A malicious recommender pro￾vides the trustor with bad recommendations about some trustees and gives correct recommendations about others. In such a case, the trustor can hardly judge if the recommender is malicious because of its intermittent malicious behavior. From the above description of trust related attacks, we know that trust models are under many security threats that can break the func￾tionality of trust management systems. Therefore, trust models should consider multiple trust factors in order to evaluate trustees accurately. They should also take more defensive measures to avoid the negative effect of bad recommendations so as to improve the stability of trust evaluation in the dynamically hostile environment. 2.3. Outlier detection methods In Section 2.2, we have already introduced that malicious rec￾ommenders which perform some trust related attacks such as bad mouthing attacks and ballot stuffing attacks will provide bad recom￾mendations to the trustor. If the trustor uses these bad recommen￾dations, the accuracy of the recommendation trust evaluation will be