Security and quality of service (QoS) co-design in cooperative mobile ad hoc networks

Cooperative communication has been considered as a promising technique to improve communication quality of service (QoS) in wireless networks, including mobile ad hoc networks (MANETs). Due to their unorganized and decentralized infrastructure, cooperative MANETs (CO-MANETs) are vulnerable to attacks initiated on relays. Although encryption and authentication protocols may prevent compromised data transmission when a selected relay is attacked, their cost is high. In this paper, we propose a game-theoretic approach to quantitatively analyze the attack strategies of the attacker so as to make a rational decision on relay selection and the authentication parameter adaptation to reach a trade-off between security and QoS in CO-MANETs. Simulation results show the effectiveness of the proposed approach for security and QoS co-design in CO-MANETs.


Introduction
Cooperative communication has been considered as a promising technique to improve quality of service (QoS) in wireless networks through the cooperation of users. The idea behind cooperative communication is that single-antenna mobile nodes in a multiuser scenario can share their antennas in a manner that creates a virtual multiple-input and multiple-output (MIMO) system [1]. Transmitting independent copies of the signal generates diversity and can effectively combat the deleterious effects of fading. Particularly, selecting the most suitable relay among available relays can achieve selection diversity in cooperative communications [2][3][4]. This promising technique has been considered in the IEEE 802.16j standard and is expected to be integrated into future 3GPP cellular networks [5].
While cooperative communication brings significant benefits, it also raises serious security issues. Particularly, mobile ad hoc networks (MANETs) with cooperative communications (CO-MANETs) [6] present significant challenges to secure routing, key exchange, key distribution and management, as well as intrusion detection and protection. For example, it is possible for malicious nodes to join the network and relay unsolicited information to a rogue destination, thereby compromising the network. It is also possible for some nodes to act in a selfish manner to conserve their own energy and not cooperate and relay information from other nodes, thereby discouraging cooperation.
*Correspondence: richard_yu@carleton.ca; Department of Systems and Computer Engineering, Carleton University, Ottawa, ON K1S 5B6, Canada. Full list of author information is available at the end of the article.
Although encryption and authentication protocols can prevent compromised data transmission when the selected relay is attacked, these measures consume scarce bandwidth and reduce system throughput. It would be desirable to choose only trustworthy nodes as relays and only authenticate the packets through the nodes that are prone to attack. To achieve this goal, we would need to design a quantitative approach to analyze the actions of the attackers so as to make appropriate decisions on relay selection and the extent that encryption and authentication protocols are required.
Game-theoretic approaches have been proposed to improve network security [7]. Game theory addresses problems in which multiple players with contradictory incentives or goals compete with each other; thus, it can provide a mathematical framework for modeling and analyzing decision problems. In game theory, one player's outcome depends not only on her/his decisions, but also on her/his opponents' decisions. Similarly, the success of a security scheme depends not only on the actual defense strategies, but also on the actions taken by the attackers.
http://jwcn.eurasipjournals.com/content/2013/1/188
In this paper, we propose a quantitative decision-making approach that is based on game theory and takes both security and QoS in terms of throughput into consideration. To the best of our knowledge, using a game theoretical approach to jointly study security and QoS issues for MANETs with cooperative communications has not been considered in existing works. We propose a dynamic Bayesian game-theoretic approach to enable a node to make strategic decisions on relay selection and authentication parameter adaptation. A Bayesian game is a game in which the information about the characteristics of other players is incomplete [8]. A node in the network can update its beliefs in the maliciousness of relays according to the record of attack history. It does not need to authenticate all packets because there exists a possibility that the selected relay will not be attacked by the attacker. Compared with the approach proposed in [9] that authenticates all the packets without considering the possibility that the selected relay is cooperative, the proposed game-theoretic approach only authenticates the packets through the nodes prone to attack. Therefore, the proposed scheme can avoid unnecessary consumption of system resources and leads to a better system performance in terms of system throughput, which is shown in the simulation results.
We use an adaptive and lightweight protocol for both hop-by-hop and end-to-end authentications (ALPHA) [10], which is based on hash chains and Merkle trees, i.e., a tree of hashes. We take an integrated design approach to optimize the number of messages (or leaves) in the Merkle tree (an important parameter in the authentication scheme) and relay selection (an important process for QoS provisioning in cooperative communication networks). We will show that security schemes have significant impacts on the QoS in terms of throughput of MANETs, and our proposed scheme can improve the system throughput of MANETs with cooperative communications compared to the existing approach [7] that authenticates all packets.
The rest of the paper is organized as follows. Section 2 presents the related work. The proposed game-theoretic approach is presented in Section 3. Simulation results and discussions are given in Section 4. Finally, we conclude this paper in Section 5.

Cooperative communication
Cooperative communication allows single-antenna mobiles to reap some of the benefits of MIMO systems. The fundamental idea behind cooperative communication is that single-antenna mobiles in a multiuser scenario can share their antennas in a manner that creates a virtual MIMO system. It is well-known that the mobile wireless channel suffers from fading; in other words, signal attenuation can vary significantly over the course of a given transmission. Transmitting independent copies of the signal generates diversity and can effectively combat the deleterious effects of fading. Particularly, spatial diversity is generated by transmitting signals from different locations, thus allowing independently faded versions of the signal to arrive at the receiver [11,12]. Cooperative communication generates spatial diversity in a new and interesting way. As illustrated in Figure 1, in which a node represents a mobile device with one antenna, two nodes are communicating with the same destination. Each node has one antenna and cannot individually realize spatial diversity. However, it is possible for one node to receive the information sent from the other, in which case, it could forward received information along with its own information to the destination. Since the fading paths from the two nodes are statistically independent, spatial diversity is achieved [13].
In this study, we consider mobile ad hoc networks, in which users may increase their effective quality of service through cooperation. Each wireless user is assumed to transmit data as well as function as a cooperative relay to forward received data from its partners.

Opportunistic relaying
The proposed game-theoretic approach in this paper adopts a proactive opportunistic relaying process. As the name implies, opportunistic relaying selects the best relay according to different relay selection criteria among all candidate relays to forward the signal between the source and the destination [14]. An opportunistic relaying process consists of two time slots. In the first time slot, the source broadcasts the signal which could be heard by all relay nodes in its radio coverage and the destination; in the second time slot, if the signal received by the selected relay node could be decoded successfully, it would be forwarded to the destination; the destination then combines the received signal from the source and selected relay to recover the information sent from the source. The source selects the best relay before transmitting the data from the source to the destination [15]. There is no requirement on all intermediate relays to listen to the source's broadcasting except for the selected relay; thus, power or energy spent by unselected relays on listening to the channel and receiving the message sent by the source is saved. There are three proactive diversity schemes: fixed selective decode-and-forward (FSDF) with direct link combining, FSDF without direct link combining, and smart selective decode-and-forward [16].

Security in cooperative wireless communication networks
It is evident that cooperative communication brings significant benefit in improving the communication quality of wireless communication networks. Cooperative wireless communication was originally designed with the assumption that all the nodes involved always help each other and cooperate in a socially efficient manner. However, the assumption of complete cooperation is broken by the fact that some relays are attacked by network attackers and misbehave with selfish or malicious intent. Thus, it is acknowledged that security is one of the main concerns for cooperative communication. Various security issues show the importance of data integrity checking and the need for a recognized, reliable relationship amongst the different nodes in cooperative wireless communication networks. Authentication is a communication process between an authenticator and a supplicant that establishes the identity of the supplicant [17][18][19]. Sometimes a trusted third party might be involved in an authentication process. Therefore, authentication is important, with the consequent need to know exactly who we are talking to and make sure that the message received from a node is exactly the message that had been sent by that node. Authentication, therefore, supports privacy, confidentiality, and access control by verifying and validating the received message. All nodes in the cooperative wireless communication networks should be able to carry out the authentication and act as authenticator and supplicant from time to time.
The authors of [20] survey node-to-node authentication for wireless communication networks and classify authentication schemes by the type of credentials. Credentials can be classified into two classes: identity-based and context-based.
Identity-based credentials can be further classified into encryption-based and non-encryption-based.
For non-encryption-based identity credentials, information is hashed using a one-way hash function and the key possessed by the supplicant. Thus, this method is computationally efficient. To verify the supplicant's identity, the authenticator must own the key used by the supplicant and know the one-way hash function used by the supplicant to regenerate the results that were disclosed by the supplicant as identity. Another form of hash-based non-encryption identity credential uses a delayed key disclosure as in timed efficient stream loss-tolerant authentication (TESLA) [21], lightweight hop-by-hop authentication protocol (LHAP) [22], hop-by-hop efficient authentication protocol (HEAP) [23], and adaptive and lightweight protocol for hop-by-hop authentication (ALPHA) [10]. TESLA is a broadcast authentication protocol based on loose time synchronization. However, hop-by-hop authentication is not supported by TESLA. What is more, the computational overhead of TESLA is also high due to the existence of network latencies and redundant hash elements. LHAP builds on the principles of TESLA to carry out both packet authentication and hop-by-hop authentication, wherein intermediate nodes authenticate all the packets received prior to forwarding them. However, LHAP also suffers from long latency and poor throughput and is not designed to prevent inside attacks. HEAP authenticates packets at every hop using a modified hash message authentication code-based algorithm along with two keys, dropping any packet that originates from outsiders. However, HEAP is still vulnerable to inside attacks and cannot provide end-to-end authentication. ALPHA, which makes use of interaction-based hash chains and Merkle trees, provides both end-to-end and hop-by-hop authentication and integrity protection and overcomes the shortcomings of the above-proposed protocols.
Therefore, ALPHA is adopted as the authentication protocol in the proposed game-theoretic approach for security and QoS co-design in cooperative wireless communication networks.
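The Merkle-tree mechanism that ALPHA builds on can be sketched as follows. This is an added example, not code from the paper or from the ALPHA authors: SHA-256, the leaf/node prefixes and all function names are assumptions, the root stands in for the value a pre-signature would cover, and ALPHA's hash chains and packet formats are not modelled.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes; SHA-256 is an assumed choice


def _leaf(block: bytes) -> bytes:
    # The 0x00/0x01 prefixes keep a leaf from being reinterpreted as an inner node.
    return hashlib.sha256(b"\x00" + block).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(blocks):
    """Return all tree levels: levels[0] holds the leaf hashes, levels[-1] the root."""
    n = len(blocks)
    if n == 0 or n & (n - 1):
        raise ValueError("number of blocks must be a power of two")
    levels = [[_leaf(b) for b in blocks]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([_node(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def verify_block(block, index, path, trusted_root):
    """Recompute the root from one block and its path, as a relay or destination would."""
    digest = _leaf(block)
    for sibling in path:
        digest = _node(sibling, digest) if index & 1 else _node(digest, sibling)
        index >>= 1
    # index must be exhausted, otherwise an out-of-range position would be accepted.
    return index == 0 and hmac.compare_digest(digest, trusted_root)


def path_overhead_bytes(n):
    """Bytes of sibling hashes each packet carries for a tree with n leaves."""
    return (n.bit_length() - 1) * HASH_LEN


# Constructed sample data: eight 64-byte payload blocks.
BLOCKS = [bytes([i]) * 64 for i in range(8)]

if __name__ == "__main__":
    levels = build_tree(BLOCKS)
    root = levels[-1][0]
    path = auth_path(levels, 5)
    print("block 5 verifies:", verify_block(BLOCKS[5], 5, path, root))
    print("forged block verifies:", verify_block(b"forged", 5, path, root))
    for n in (2, 8, 64, 1024):
        print(f"n={n:5d} leaves -> {path_overhead_bytes(n)} bytes of hashes per packet")
```

Each doubling of the number of leaves adds one hash to every packet's path, which is why the number of leaves is a tunable cost in the authentication scheme.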

Proposed game-theoretic approach
In this section, the proposed game-theoretic approach for security and QoS co-design in cooperative wireless communication networks is described in detail by setting up the system model and presenting the utility of the attacker brought by attacking target selection and the utility of the source brought by relay selection, Nash equilibrium of the proposed game-theoretic approach, and equations of system performance analysis.

Model description
The proposed game-theoretic approach focuses on two-hop cooperative wireless communication networks, as illustrated in Figure 2, consisting of source, destination, four intermediate relays, and a slow-fading channel that follows a Rayleigh distribution. All of the relays are originally assumed to be cooperative, and the selected relay forwards the received information from the source to the destination. However, in reality, some relays are compromised by the attacker and do not do what they are supposed to do or do what they are not supposed to do.
In this paper, we represent the set of relays as $R$. Attacks on relays initiated by the attacker are independent of each other. The interactions between the attacker and the source are modeled as a non-cooperative game since both the attacker and the source tend to maximize their total utility through the strategic selection of attacking target and relay. The attacker selects the attacking probability distribution $P = \{p_1, p_2, \ldots, p_K\}$ over all relays in $R$, where $p_i$ is the probability of selecting $R_i$ as attacking target and $K$ is the number of candidate relays in the radio coverage of the source. In each play of the game, the attacker chooses one relay to attack; thus, we have $\sum_{i=1}^{K} p_i = 1$. The source selects among all candidate relays with a probability distribution $Q = \{q_1, q_2, \ldots, q_K\}$, where $q_i$ is the probability of selecting $R_i$ as relay. In each play of the game, the source chooses one relay from all candidate relays; thus, we have $\sum_{i=1}^{K} q_i = 1$. We assume that each relay possesses a combination of information and security assets denoted by $\alpha_I I_i + \alpha_S S_i$, $i \in \{1, 2, \ldots, K\}$, which represents the loss of information and security assets when the attacker's attacking target selection coincides with the source's relay selection. $\alpha_I$ and $\alpha_S$ represent the weights of information and security assets in the asset combination. The information asset of a relay depends on the mutual information, while the security asset of a relay depends on its role in the network. In practice, the information asset is evaluated by the mutual information which affects the system throughput of cooperative wireless communication networks, and the security asset is evaluated in the risk analysis using formal analysis before system deployment.

Dynamic Bayesian game-theoretic approach
The proposed dynamic Bayesian game-theoretic approach also consists of two players, the source which selects the best relay from all candidate relays that brings maximum utility and the attacker which selects a relay as attacking target. The set of strategies of the source contains 'Select' and 'Not select'. 'Attack' and 'Not attack' constitute the attacker's strategies on relay $R_i$ when the attacker may choose relay $R_i$ to attack; otherwise, there is only one strategy when the attacker does not choose relay $R_i$ as attacking target, i.e., Not attack. Since the source is uncertain about the type of each relay, it holds an a priori belief μ We assume that the game in the proposed dynamic game-theoretic approach is played repeatedly every period $t_k$, where $k = 0, 1, \ldots$. We assume that the utility of players in each stage remains the same. We assume that each relay node possesses a combination of information and security assets denoted by $\alpha_I I_i + \alpha_S S_i$. $\alpha_I$ and $\alpha_S$ represent the weights of information and security assets in the asset combination and vary in various networks. If the selection of relay of the source and the selection of attacking target of the attacker coincide, the attacker will obtain utility $\alpha_I I_i + \alpha_S S_i$, while the source will lose the same amount of utility. Otherwise, the utility for the attacker and the source is $-(\alpha_I I_i + \alpha_S S_i)$ and $\alpha_I I_i + \alpha_S S_i$, respectively. Substituting $A_i$ for $\alpha_I I_i + \alpha_S S_i$, Table 1 illustrates the utility matrix of attacker and source on relay $R_i$ with probability $\mu_i^{t_k}$ being malicious at stage $t_k$. In the matrix, $a$ denotes the detection rate of the source, $b$ denotes the false alarm rate, and $0 \le a, b \le 1$. The costs of attacking for a malicious node and of monitoring for the source, $C_a$ and $C_m$, are taken into consideration in our model and assumed proportional to the value set of relay $R_i$, denoted by C a (α denotes the loss of the source caused by false alarm.
Table 2 illustrates the utility matrix of attacker and source on relay $R_i$ with probability $1 - \mu_i^{t_k}$ being cooperative at stage $t_k$.

Bayesian updating rule on beliefs in the maliciousness of relays
In this section, we define a Bayesian updating rule on beliefs in the maliciousness of relays, which is based on the source's initial beliefs and the source's record of attacker's attacking histories on relays [24,25]. For a given relay $R_i$, we define a sequence of random is called the likelihood function and defined as follows:

It can be shown that the posterior probability density function $f_i^{t_k}(m, n, t)$ follows a Beta distribution. The Beta distribution with parameters $a$ and $b$ is defined as follows: then given that M , which are defined recursively as follows: Therefore, belief in the maliciousness of relay $R_i$ at stage $t_k$ is which could be calculated recursively through the record of $a_i$ and $b_i$ [26].
At the system initial stage $t_0$, there is no information for the cooperative wireless communication networks. Therefore, we assume that $T_i^{t_0}$ has the uniform distribution over the interval [0, 1], i.e., which indicates the source's indifference to the selected relay's behavior at stage $t_0$.
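A recursive belief update of the kind described above, starting from the uniform prior, can be sketched as follows. This is an added example, not the paper's code: it assumes the standard Beta-Bernoulli conjugate update with the posterior mean taken as the belief, since the paper's own formulas are not reproduced on this page; the class, function names and attack record are constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class RelayBelief:
    """Beta(a, b) belief that a relay is malicious; Beta(1, 1) is the uniform prior."""
    a: int = 1
    b: int = 1

    def update(self, attacks: int, observations: int) -> None:
        """Fold in one stage's record: `attacks` detected in `observations` uses."""
        if not 0 <= attacks <= observations:
            raise ValueError("need 0 <= attacks <= observations")
        self.a += attacks
        self.b += observations - attacks

    @property
    def mu(self) -> Fraction:
        """Posterior mean, taken here (assumption) as the belief in maliciousness."""
        return Fraction(self.a, self.a + self.b)

    @property
    def variance(self) -> Fraction:
        """Posterior variance; it shrinks as the record grows."""
        s = self.a + self.b
        return Fraction(self.a * self.b, s * s * (s + 1))


def track(history):
    """history: {relay: [(attacks, observations), ...]} -> {relay: [mu per stage]}."""
    out = {}
    for relay, stages in history.items():
        belief = RelayBelief()
        trace = [belief.mu]          # stage t_0: uniform prior, mu = 1/2
        for attacks, observations in stages:
            belief.update(attacks, observations)
            trace.append(belief.mu)
        out[relay] = trace
    return out


# Constructed attack record for four relays over three stages.
HISTORY = {
    "R1": [(1, 1), (1, 1), (0, 1)],   # attacked twice, then clean
    "R2": [(0, 1), (0, 1), (0, 1)],   # never attacked when used
    "R3": [(2, 4), (1, 4), (3, 4)],   # used heavily, attacked half the time
    "R4": [(0, 0), (0, 0), (0, 0)],   # never selected: belief stays at the prior
}

if __name__ == "__main__":
    for relay, trace in track(HISTORY).items():
        print(relay, " -> ".join(str(m) for m in trace))
```

R3 and R4 end with the same belief of 1/2, but R3's posterior variance is far smaller, so the source's indifference toward R4 reflects missing evidence and not observed behaviour.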

Finding Nash equilibrium of the proposed game-theoretic approach
In cooperative wireless communication networks, both the attacker and the source have limited system resources, such as limited battery life and limited computational capacity; it is natural for the attacker to focus on attacking the targets that are more beneficial than others. We sort the targets according to their combination of information and security assets and divide the whole target set into three subsets: sensible, quasi-sensible, and non-sensible target sets according to the weight of each relay's asset over the overall assets composed by all relays that belong to $R$. The sensible target set $R_S$, the quasi-sensible target set $R_Q$, and non-sensible target set $R_N$ are defined as follows: The cardinality of $R_S$ could be calculated as follows: determined by the following formulas: Quasi-sensible target set $R_Q$ consists of relay nodes whose assets are equal to
The first step in finding the Nash equilibrium of the proposed dynamic Bayesian game-theoretic approach used for modeling the interactions between the source and the attacker is to apply the Harsanyi transformation, which converts the incomplete information game into a normal form game. Given that the Harsanyi transformation is a standard concept in game theory, we describe it in words without giving a mathematical formula for it [27]. For each relay, there are two possible types, malicious with probability $\mu_i^{t_k}$ and cooperative with probability $1 - \mu_i^{t_k}$. We combine the utility matrix of Table 1 and the utility matrix of Table 2 to obtain Table 3, whose components are expected utilities of malicious type relay and cooperative type relay. There are two combined attacking strategies for the attacker: (Attack, Not attack*) and (Not attack, Not attack*), in which Not attack* is the pure strategy of the attacker on a cooperative relay.
Denote the total utility for the attacker and the source by $U_A^{t_k}(P, Q)$ and $U_S^{t_k}(P, Q)$ at stage $t_k$ as: The attacker and the source select their strategies $P^*$ and $Q^*$ to maximize $U_A^{t_k}(P, Q)$ and $U_S^{t_k}(P, Q)$. Similar to the Nash equilibrium obtained from the proposed static game-theoretic approach, it holds that which can be shown by noticing the attacker's total utility function U , then the attacker is inclined to decrease $p_i^*$ and increase $p_j^*$; and if k , then the attacker obtains more utility by adding $p_i^*$ to $p_k^*$ and setting $p_i^*$ equal to 0. Similarly, noticing the source's total utility function $U_S^{t_k}(P, Q)$, it holds that To find the Nash equilibrium $(P^*, Q^*)$ of the proposed dynamic Bayesian game-theoretic approach, we need to reclaim that we have For the proposed dynamic Bayesian game-theoretic approach, Nash equilibrium $(P^*, Q^*)$ at stage $t_k$ is given as follows: where $\sum_{i \in R} p_i^* = \sum_{i \in R} q_i^* = 1$.
Nash equilibrium $(P^*, Q^*)$ of the proposed static game-theoretic approach is the special case of the Nash equilibrium of the proposed dynamic Bayesian game-theoretic approach by setting $\mu_i$ equal to 1, which assumes that all candidate relay nodes are completely malicious.

System performance analysis
In our model, the system security requirement is defined as the maximum percentage of packets forwarded to the destination through the selected relay that are compromised by the attacker if the attacker's attacking target selection coincides with the source's relay selection. Denote the utility brought by a successful attack on targeted relay $R_i$ as $u_A(p_i, q_i)$. We assume that the attacker prefers selecting relay $R_i$ with the attacking probability $p_i^*$ that maximizes $u_A(p_i, q_i)$ as its attacking target; the attacker's attacking target selection may coincide with the source's relay selection. If the attacker's selection coincides with the relay selection of the source, then both identity-authentication and packet-integration checking processes are needed to guarantee a secured communication. However, when a decision on relay selection is made, the source cannot know which relay is the attacker's target, only each relay's probability of being attacked, but the source can detect the attack initiated by the attacker on relays. Therefore, while still satisfying the system security requirement, the source need not authenticate all packets, because packets forwarded by the selected relay may not be compromised when the source's relay selection differs from the attacker's attacking target selection. Since not all the packets sent by the source need to be authenticated, compared with the stringent authentication relay selection method [28], which authenticates all transmitted packets, the proposed game-theoretic approach provides a quantitative approach to calculate the authentication probability based on the attacker's attacking probabilities on relays and system security requirement and to avoid the unnecessary consumption of system resources.
Denote the probability of message authentication as $p_a$. To satisfy system security requirement $p_s$, we have $0 \le (1 - p_a) \cdot p_i^* \le p_s$ when relay $R_i$, which is attacked by the attacker with probability $p_i^*$, is selected as relay.
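The constraint above fixes the smallest authentication probability for each relay, and a short simulation shows the bound holding while fewer packets are authenticated. This is an added example, not the paper's code: the per-packet independence of attack and authentication decisions, the assumption that every authenticated compromised packet is caught, the attack probabilities and all names are constructed for illustration.

```python
import random


def min_auth_probability(p_attack: float, p_s: float) -> float:
    """Smallest p_a satisfying (1 - p_a) * p_attack <= p_s."""
    if not (0.0 <= p_attack <= 1.0 and 0.0 <= p_s <= 1.0):
        raise ValueError("probabilities must lie in [0, 1]")
    if p_attack <= p_s:
        return 0.0  # the requirement already holds with no authentication at all
    return 1.0 - p_s / p_attack


def simulate(p_attack, p_a, packets=100_000, seed=1):
    """Return (fraction of compromised packets accepted unchecked, fraction authenticated).

    Model (assumption): each packet is attacked with probability p_attack and
    authenticated with probability p_a, independently; an authenticated
    compromised packet is detected and never accepted.
    """
    rng = random.Random(seed)
    accepted_bad = authenticated = 0
    for _ in range(packets):
        attacked = rng.random() < p_attack
        checked = rng.random() < p_a
        authenticated += checked
        accepted_bad += attacked and not checked
    return accepted_bad / packets, authenticated / packets


# Constructed values: attack probabilities on four relays and a 5% security requirement.
ATTACK_PROB = {"R1": 0.4, "R2": 0.3, "R3": 0.2, "R4": 0.1}
P_S = 0.05


def plan(attack_prob=ATTACK_PROB, p_s=P_S):
    """Minimum authentication probability per relay."""
    return {relay: min_auth_probability(p, p_s) for relay, p in attack_prob.items()}


if __name__ == "__main__":
    for relay, p_a in plan().items():
        bad, auth = simulate(ATTACK_PROB[relay], p_a)
        print(f"{relay}: p*={ATTACK_PROB[relay]:.2f} p_a={p_a:.3f} "
              f"compromised-and-accepted={bad:.4f} authenticated={auth:.4f}")
```

A relay attacked with probability 0.1 needs only half of its packets authenticated to meet the 5% requirement, whereas authenticating nothing on the relay attacked with probability 0.4 would exceed it eightfold.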

Outage probability and capacity
In the proposed game-theoretic approach, denote $I_i$ as the maximum of the mutual information of direct communication $I_{DC}$ and the minimum of $I_{SR_i}$, the mutual information between the source and the selected relay $R_i$, and $I_{MRC}$, the mutual information sum of source-destination and relay $R_i$-destination [29]. We define SNR as the average signal-to-noise ratio from the source node to the destination node [16]. $I_{DC}$ is given by: and $I_{SR_i}$ is given by: where $|h_{SR_i}|$ is the channel between the source and relay $R_i$. Given the half-duplex constraint in cooperative wireless communication networks, which means a relay cannot transmit and receive signals simultaneously, the factor $\frac{1}{2}$ mirrors the two time slots for relaying. $I_{MRC}$ is given by: where $|h_{SD}|$ is the channel between the source and the destination and $|h_{R_i D}|$ is the channel between the selected relay $R_i$ and the destination. Suppose the data transmission rate between the source and the destination is $r$; the outage probability $P_{\mathrm{out}}^{I_i}$ is defined as the probability that the mutual information $I_i$ between the source and the destination through relay $R_i$ is lower than the transmission data rate $r$, i.e., $P_{\mathrm{out}}^{I_i} = P\{I_i < r\}$, which characterizes the probability of transmission data loss.
In the case of the proposed game-theoretic approach, the outage probability is defined as follows: from which we can obtain, where ω equals exp(2 ln v − (ln v) 2 γ ) and $v$ equals $\exp\left(-\frac{2^r - 1}{\gamma}\right)$. $d_{SR_i}$ denotes the distance between the source and selected relay $R_i$, $d_{R_i D}$ denotes the distance between selected relay $R_i$ and the destination, and $\gamma$ denotes the average transmitted SNR between any nodes.
The outage capacity $C_I$ is defined as the largest data transmission rate $r$ that can be supported if the outages are allowed to occur with a certain probability , which is the probability that the transmission cannot be decoded with negligible error probability. Solving $P_{\mathrm{out}}^{I_i}$ = , we have v . Thus, we have Outage capacity is used instead of Shannon capacity in a slow-fading channel because, unlike the additive white Gaussian noise channel, the slow-fading channel has delay constraints on the order of the channel coherence time.

Bit error rate
Bit error rate (BER) is the percentage of bits that have errors relative to the total number of bits sent in a transmission. The end-to-end BER, is given by: where $P_{\mathrm{out}}^{SR_i}$ is the outage probability of the link from the source to the selected relay $R_i$ [30], $P_e^{DC}$ is the probability of error in direct communication from the source to the destination over a Rayleigh channel, and $P_e^{\mathrm{div},i}$ is the probability that an error occurs in combined transmission from the source to the destination through the selected relay $R_i$. $P_{\mathrm{out}}^{SR_i}$ is given as follows: $P_e^{DC}$ is given by: $P_e^{\mathrm{div},i}$ is given as follows: where $\gamma_{DC}$ denotes the SNR between the source and the destination and $\gamma_{R_i D}$ denotes the SNR between the selected relay $R_i$ and the destination.

System throughput
We derive the throughput for partial authentication process with ALPHA-M protocol [10] and modify it to cover both direct communication and source-relay-destination communication. Furthermore, we formulate the throughput equations for both selective repeat [31] and Go-Back-N [32] automatic repeat request retransmission schemes by taking the error rate into consideration.
The payload for packets with authentication is given as follows: (34) where $S_{\mathrm{payload}}$ is the amount of payload that can be transmitted with a single pre-signature, $n$ is the number of data blocks at the bottom of the Merkle tree, $S_{\mathrm{packet}}$ is the size of packet, and $S_h$ is the hash output [10].
The payload for packets without authentication is
Generally, throughput is defined as the payload divided by the total time used for processing and transmitting the payload. In our case, the total time spent on payload processing and transmitting consists of two parts: $T_1$, the time for the initial pre-signature process between the source and the destination, and $T_2$, the time for the actual authenticated and non-authenticated message transmission and delivery. The general throughput $T$ could then be defined as: The values for the time parameters in $T_1$ and $T_2$ vary according to two communication paths, direct communication and source-relay-destination, which are presented in Tables 4 and 5.
The message sequence charts that show the transmission of message from the source to the destination and acknowledgment between the destination and the source with and without the use of relay are shown in Figure 3.
The parameters presented in Tables 4 and 5 are explained as follows:
• $t_{\mathrm{prop1}}$ is the propagation time for the $S_1$ packet from the source to the destination or the propagation time for the $A_1$ packet sent from the destination to the source. In the case of direct communication, $t_{\mathrm{prop1}}$ is given by $\frac{d_{SD}}{c}$, where $d_{SD}$ is the distance between the source and the destination and $c$ is the speed of light. In the case of source-relay-destination, this consists of the time for the $S_1$ packet sent from the source to the selected relay $R_i$ and from the selected relay $R_i$ to the destination or for the $A_1$ packet sent from the destination to the selected relay $R_i$ and from the selected relay $R_i$ to the source, which is given by the sum of
• $t_{\mathrm{prop2}}$ is the propagation time for the $S_2$ packet from the source to the destination or for the $A_2$ packet from the destination to the source. In the case of direct communication, this is given by $\frac{d_{SD}}{c}$. In case of source-relay-destination, this consists of the propagation time for the $S_2$ packet from the source to the selected relay $R_i$ and from the selected relay $R_i$ to the destination or for the $A_2$ packet from the destination to the selected relay $R_i$ and from the
• $t_{f1}$ is the packet transmission time for the $S_1$ packet, which is given by $\frac{u_{f1}}{r}$. $u_{f1}$ is the number of bits in the $S_1$ packet, and $r$ is the data transmission rate.
• $t_{f2}$ is the packet transmission time for the $S_2$ packet, which is given by $\frac{u_{f2}}{r}$. $u_{f2}$ is the number of bits in the $S_2$ packet, and $r$ is the data transmission rate.
• $t_{\mathrm{ack1}}$ is the packet transmission time for the $A_1$ packet, which is given by $\frac{u_{\mathrm{ack1}}}{r}$. $u_{\mathrm{ack1}}$ is the number of bits in the $A_1$ packet, and $r$ is the data transmission rate.
• $t_{\mathrm{ack2}}$ is the packet transmission time for the $A_2$ packet, which is given by $\frac{u_{\mathrm{ack2}}}{r}$. $u_{\mathrm{ack2}}$ is the number of bits in the $A_2$ packet, and $r$ is the data transmission rate.
• $t_{\mathrm{proc1}}$ is the processing time at the source and the destination for $S_1$ and $A_1$ packets in direct communication, which includes the Merkle tree generating time for the $S_1$ packet at the source and the acknowledgment Merkle tree for the $A_1$ packet at the destination along with processing at the selected relay $R_i$ in source-relay-destination.
• $t_{\mathrm{proc2}}$ is the processing time at the source and the destination for $S_2$ and $A_2$ packets in direct communication, along with processing time at the selected relay $R_i$ in source-relay-destination.
Wireless channels have high error rates due to multipath fading which characterizes mobile radio channels. However, many networks require that the error rates should be significantly small. In addition to the poor channel quality, the design of wireless communication systems is complicated by the rapidly changing quality of the radio channel [33]. To increase the apparent quality of a communication channel, two distinct approaches are used:
• Forward error correction, which employs error-correcting codes to combat bit errors due to channel imperfections by adding redundancy, such as parity bits, to information packets before they are transmitted. This redundancy is used by the receiver to detect and correct errors that are introduced in the transmission process.
• Automatic repeat request (ARQ), wherein only error detection capability is provided and no attempt to correct any packets received in error is made. Packets received in error are retransmitted by the sender.
In the throughput analysis, ARQ retransmission is incorporated, and the following is a brief review of three typical ARQ retransmission schemes [34].
• Stop and wait (SW) ARQ. When using the SW ARQ scheme, the sender transmits a packet only when all previously transmitted packets have been successfully acknowledged by the receiver. Hence, after transmitting a packet, the sender waits for its acknowledgment. Once the acknowledgment has been received, the next packet is transmitted. However, if an acknowledgment does not arrive before a timeout timer expires, the packet is retransmitted by the sender. Therefore, in SW ARQ, there is never more than a single packet that is unacknowledged at any given instant of time. Since the sender does not use the available channel during the time intervals in which it waits for an acknowledgment, the maximum data transfer rate that can be supported is limited. This limits cases where the SW ARQ protocol can be employed. A huge buffer is needed to buffer unacknowledged packets.
• Selective repeat (SR) ARQ. Unlike SW ARQ, when using SR ARQ, packets are transmitted continuously by the sender. As before, the receiver acknowledges each successfully received packet by transmitting an ACK bearing the sequence number of the packet being acknowledged. If an acknowledgment is not received for a packet before the expiration of the timeout, the packet is retransmitted. Once a packet has been retransmitted, the sender resumes transmission of packets from where it left off, i.e., if $a$ is the packet with the largest sequence number that has been transmitted, the packet with sequence number $a + 1$ is transmitted next. Here, we assume that no other timers have expired in the meantime. Since packets are continuously being transmitted when the SR ARQ protocol is employed, the inefficiency associated with SW ARQ is eliminated. Observe that when SR ARQ is employed, packets can be accepted out of sequence. Hence, packets received out of sequence have to be buffered and sequenced before they can be delivered.
• Go-Back-N (GBN) ARQ. When GBN ARQ is employed, packets are transmitted continuously as in SR ARQ. However, the receiver accepts packets only in the order in which they were transmitted. Packets received out of sequence are discarded and not acknowledged. Since the receiver accepts packets only in sequence, after a timeout, the sender retransmits the packet that timed out and all packets with sequence numbers that follow the one that was retransmitted. Hence, each time a timeout occurs, all packets that are yet to be acknowledged are retransmitted. It is important to observe that GBN ARQ attempts to combine the desirable features of SR and SW ARQs, i.e., packets are transmitted continuously, as in SR ARQ, without the need to buffer out-of-sequence packets and there is no re-sequencing overhead.
To incorporate the error control schemes into our throughput equation, we expand the general throughput equation by including the error rate. Define the packet error rate $P_c$ as the probability that the received packet with the length of $S_{packet}$ bits contains no error as $P_c = (1 - P_e^{I_i})^{S_{packet}}$. Let $T_{SR}$ denote the modified throughput with SR ARQ, which is given as follows:
Concerning the GBN ARQ, the throughput equation is further modified to allow the retransmission of an error frame along with all frames that have been transmitted until the time a negative acknowledgment is received from the destination. Thus, the modified throughput with GBN ARQ, denoted by $T_{GBN}$, is given as:
where $W_s$ is the window size which is calculated by dividing the product of the data rate of the transmission channel and the reaction time by the packet size.
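How $P_c$ and the window size $W_s$ separate SR ARQ from GBN ARQ, as an added example that is not from the paper: a Monte Carlo count of transmission slots per delivered packet under the standard textbook slot model, checked against that model's closed-form efficiencies rather than the paper's own throughput expressions. The function names and the bit error rate, packet size and window values are constructed for illustration.

```python
import random

def packet_success_prob(bit_error_rate, packet_bits):
    """P_c = (1 - P_e)^S_packet: every bit of the packet arrives intact."""
    return (1.0 - bit_error_rate) ** packet_bits

def simulate_efficiency(scheme, p_c, window, packets=20000, seed=1):
    """Delivered packets per transmission slot, estimated by simulation.

    SR:  a failed packet costs one wasted slot (only that packet is resent).
    GBN: a failed packet costs `window` wasted slots (it and every packet
         sent after it inside the window are resent).
    """
    if not 0.0 < p_c <= 1.0:
        raise ValueError("p_c must lie in (0, 1]")
    cost = {"SR": 1, "GBN": window}[scheme]
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    slots = 0
    for _ in range(packets):
        while rng.random() >= p_c:     # transmission failed, with prob. 1 - p_c
            slots += cost
        slots += 1                     # the attempt that finally succeeds
    return packets / slots

def closed_form(scheme, p_c, window):
    """Textbook efficiencies for the same slot model."""
    if scheme == "SR":
        return p_c
    return p_c / (p_c + window * (1.0 - p_c))

if __name__ == "__main__":
    p_c = packet_success_prob(1e-4, 1000)   # constructed values
    for scheme in ("SR", "GBN"):
        print(scheme, round(simulate_efficiency(scheme, p_c, 8), 3),
              round(closed_form(scheme, p_c, 8), 3))
```

With a window of one packet the GBN penalty collapses to the SR penalty, which is why larger windows make GBN progressively more sensitive to the per-packet success probability.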

Optimizing the number of messages
Besides strategically selecting a relay, the source also needs to determine the optimal number of messages once its relay is selected. For various packet sizes $S_{packet}$ and authentication probability $p_a$, the optimal value of the number of messages $n$ that results in the highest throughput is denoted as $n^*$. The optimal number of messages for selected relay $R_i$ is derived from: where $n \in \{1, 2, \ldots\}$ for the selected relay $R_i$.

Simulation results and discussions
In this section, we evaluate the performance of the proposed game-theoretic approach for security and QoS co-design in cooperative wireless communication networks. As shown in Figure 4, we set up a network topology with the source and the destination located 1,000 m apart in two separate corners and four relays randomly located between the source and the destination in an area of 1,000 × 300 m². We set the transmission data rate equal to 1 Mbps, path loss exponent equal to 3.5, and fixed outage probability equal to 0.01. Similar to [35], we first consider a network with emphasis on system security, e.g., a military network, where there are tight confidentiality requirements. In this network, the security asset weighs more heavily than the information asset and the combined asset is much higher than the attack monitoring cost, e.g., $\alpha_I < \alpha_S$ and $C_a, C_m, C_f \ll 1$. We set $C_a = C_m = 0.01$ and $C_f = 0.01$. Terminals in a military network usually have high-performance attack monitoring equipment and powerful processing capability; thus, we set $a = 0.9$ and $b = 0.05$.
Secondly, a network with loose emphasis on system security is considered, e.g., a commercial WLAN. In this network, the information asset weighs more heavily than the security asset and the related attacking and attack monitoring cost is relatively high, i.e., $\alpha_I > \alpha_S$, and we set $C_a = C_m = 0.1$ and $C_f = 0.3$. The terminals in the commercial network are not as efficient as those in the military network; thus, we set $a = 0.6$ and $b = 0.2$.
In both networks, there are four relays with normalized information and security assets:
Tables 6 and 7 show the NE $(P^*, Q^*)$ of the proposed static game-theoretic approach obtained using analytical results.

[Table 7: Nash equilibrium and players' utility in the commercial network. Columns: Nash equilibrium; Players' utility.]

As shown in Tables 6 and 7, both the attacker and the source focus only on the relays in the sensible target set, which bring them more utility. The setup of the parameters is a non-trivial task for the proposed scheme. In constructing these parameters, we assume that most network properties can be made known, which should be realistic in practical networks, where initial planning and network management is an a priori requirement.
The attacker would choose the relay that brings maximum attacking utility as its attacking target. According to the obtained Nash equilibrium, the attacker in the military network is prone to select relay 3 as its attacking target. However, in the real network, the attacking target is selected randomly by the attacker. To simulate the randomness of the attacker's selection of an attacking target, we generate random numbers $r$ that follow a uniform distribution between 0 and 1 and set the following attacking target selection standard, e.g., if $(i-1) \times 0.25 \le r < i \times 0.25$, $i \in \{1, 2, 3, 4\}$, relay $i$ is selected as the attacking target.
In this section, we discuss dynamic beliefs in the maliciousness of relays according to the attacker's attacking histories on relays, and the dynamic total utility of the source brought by its dynamic beliefs in the maliciousness of relays. At each stage, the source updates its belief in the maliciousness of the selected relay according to its record of the attacker's attacks on the selected relay. At each stage, if the relay selected by the source is also selected by the attacker as the attacking target, packets sent to the destination through the selected relay are considered compromised and cannot be used by the destination to recover the original information sent by the source; otherwise, packets sent through the selected relay arrive at the destination without being compromised and can be used by the destination to recover the original information.

Figure 5 shows the simulation results of the dynamic change of the attacking target of the attacker and the dynamic change of the selected relay of the source for the first 20 consecutive stages of the proposed dynamic game-theoretic approach. Figures 6 and 7 show the dynamic belief change of the source in the maliciousness of relays 1 and 4, respectively. The source updates its beliefs in the maliciousness of relays according to its record of the attacker's attacks on relays. At the start of the simulations, the source's beliefs in the maliciousness of all relays are unbiased; in other words, belief in the maliciousness and cooperativeness is 50:50. Between every two consecutive stages, the source monitors the attacking target selection of the attacker. If the relay selected by the source is not the attacking target, then the source increases its belief in the cooperativeness of the selected relay; if the selected relay is selected as the attacking target, then the source increases its belief in the maliciousness of the selected relay; otherwise, other relays are neither selected as relay by the source nor selected as attacking target by the attacker, and the source's beliefs in the maliciousness or cooperativeness of other relays stay unchanged.
As shown in Figure 5, at stage 1, the observed attacking target is relay 4, and the relay selected by the source is relay 1. At this stage, the attacking target does not coincide with the selected relay. Therefore, the source's belief in the maliciousness of relay 1 decreases, the source's belief in the maliciousness of relay 4 increases, and the source's beliefs in the maliciousness of relays 2 and 3 stay unchanged. The simulation results in Figures 6 and 7 are consistent with the above analysis. Figure 8 shows the comparison of the total utility of the source in the military and commercial networks in the first 20 stages. The source in the military network has lower monitoring cost $C_m$ and false alarming cost $C_f$; thus, when each relay is assigned the same amount of combined information and security assets, the total utility obtained by the source in the military network is higher than the total utility obtained by the source in the commercial network.
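The staged target selection and belief update described above, as an added sketch that is not the paper's own simulation code. It assumes a Bayesian update in which $a$ is the probability of observing an attack on a malicious relay and $b$ the probability of observing one on a cooperative relay (this section gives only their values), and it assumes the source picks the least-suspected relay; all function names are hypothetical.

```python
import random

N_RELAYS = 4

def pick_target(r, n=N_RELAYS):
    """Section's rule: relay i is attacked when (i-1)/n <= r < i/n, r in [0, 1)."""
    if not 0.0 <= r < 1.0:
        raise ValueError("r must lie in [0, 1)")
    return min(int(r * n), n - 1) + 1  # clamp guards against float rounding near 1

def bayes(mu, attacked, a, b):
    """Posterior P(malicious) from prior mu after one observation.
    Assumed: a = P(attack seen | malicious), b = P(attack seen | cooperative)."""
    like_mal, like_coop = (a, b) if attacked else (1 - a, 1 - b)
    return like_mal * mu / (like_mal * mu + like_coop * (1 - mu))

def update_beliefs(beliefs, selected, target, a, b):
    """Attacked relay: belief in maliciousness rises. Selected relay that was
    not attacked: belief falls. Every other relay: unchanged."""
    new = dict(beliefs)
    new[target] = bayes(beliefs[target], True, a, b)
    if selected != target:
        new[selected] = bayes(beliefs[selected], False, a, b)
    return new

def simulate(stages, a, b, seed=0):
    """Return one (selected, target, compromised, beliefs) tuple per stage."""
    rng = random.Random(seed)
    beliefs = {i: 0.5 for i in range(1, N_RELAYS + 1)}  # unbiased 50:50 start
    history = []
    for _ in range(stages):
        # Assumed policy: use the least-suspected relay (lowest index on ties).
        selected = min(beliefs, key=lambda i: (beliefs[i], i))
        target = pick_target(rng.random())
        beliefs = update_beliefs(beliefs, selected, target, a, b)
        history.append((selected, target, selected == target, dict(beliefs)))
    return history

if __name__ == "__main__":
    for stage, (sel, tgt, hit, bel) in enumerate(simulate(20, a=0.9, b=0.05), 1):
        print(stage, sel, tgt, hit, {i: round(m, 3) for i, m in bel.items()})
```

Calling `update_beliefs` with relay 1 selected and relay 4 attacked reproduces the stage-1 case walked through above: belief in relay 1 falls, belief in relay 4 rises, and relays 2 and 3 stay at 0.5.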
In this section, we discuss the impact of dynamic belief update in the maliciousness of relays on system throughput and compromising probability of the proposed dynamic game-theoretic approach, which enables the source to update its beliefs in the maliciousness of relays based on the attacker's attacking histories on selected relays. Numerous simulations are executed to draw reliable results concerning the impact of dynamic beliefs in the maliciousness of relays on throughput and compromising probability. The compromising probability comparison between the military and commercial networks is shown in Figure 9. From Figure 9, we can see that the compromising probability of the military network is smaller than that of the commercial network. Since the security requirement of the military network is more stringent than the security requirement of the commercial network, the authentication probability of the military network is higher than the authentication probability of the commercial network. Figure 10 shows the throughput comparison between the military and commercial networks. From Figure 10, we can see that the system throughput of the commercial network is higher than that of the military network due to the higher authentication probability of the military network.

Conclusions
In this paper, we have proposed a game theoretical approach for security and QoS co-design in MANETs with cooperative communications. With the consideration of system throughput and system security requirement, the proposed game theoretical approach enables the system to strategically select its relay by dynamically updating its belief in the maliciousness of relays according to its record of attacks. Simulation results have been presented to show the effectiveness of the proposed dynamic game-theoretic approach. Future work is in progress to consider multihop/multirelay cooperative communications in MANETs.