0 Introduction

The sensors，due to their small size，and strong networking performance，are easy to maintain and deploy［1，2］.Sensor networks are widely used in some sensitive environments such as the battlefield，and some wild animal reserve areas.For instance，in a wireless sensor network（WSN）for monitoring wild endangered animals，an electric sensor carried by apanda can send its own information to the sensors nearby，and then the event is transmitted through the WSN to the monitor center（sink）.The first sensor that receives the signals from the monitoring asset such as the panda，is called the source node，as shown in Fig.1.An attacker in the vicinity of V1，carrying apiece of signal detection equipment to eavesdrop，moves to V2according to the context infor－mation of the network such as the packet′s sending time and the location of the sending node，and he will repeat this process until he approaches the source node，namely the location of the panda.In the end，the privacy of the source location is disclosed.

Fig.1 Attack based on context

In practice，the object sensed by the source node normally demands for key protection，so the source location should not be revealed in the process of data transmission，in order to avoid severe loss of economy or resources.As a kind of privacy information，the source location can only be visited by the authorized person.The privacy can be classified into the content－based and the context－based［3］.The content－based privacy refers to the integrity and confidentiality of the content，that is，the content cannot be tampered.The privacy discussed in this paper is based on the context，which can be obtained by attackers to infer the source location.

The prior technologies for preserving the source privacy are implemented mainly by changing or increasing the current routing paths，such as phantom routing，multi－path routing，dummy sources injection and other security routing mechanisms.These technologies may achieve a certain safety at high expense of delay or energy cost，so they are not feasible for the wireless sensor networks（WSNs）application which have high requirements of efficient energy or real－time response.For instance，the main idea of multipath［4］is that packets are sent firstly to the pseudo source，and then to the sink by single path routing or flooding.Because the attacker is not visible in WSNs，in order to choose the pseudo node［5］，we need to know the entire network topology.Hence，the methods for choosing pseudo sources are normally very complex，leading to great energy cost and packet delay［6］.Furthermore，the routing with topology information is vulnerable to traffic analysis of global attackers［7］.

In an event－driven WSN，the routing is normally on－demand.For a specific event，it will choose the corresponding routing strategy.For example，in a wildlife reserve，for the requirement of privacy，a security routing is applied to transmit animal information through the monitoring WSN.In addition，the sensors will work as soon as an emergency is detected，when a shortest－path routing or flooding is usually applied due to the shortest delay.However，these schemes are vulnerable for revealing the location privacy［4］easily.In order to deal with these problems，it is urgent to find a kind of secure mechanism that not only has little impact on the original routing，but also can resist the attacker′s traffic analysis［8］.

With the development of hardware technologies and reduction of the cost，some monitoring sensors which are applied in critical applications，such as border surveillance and endangered animal reservation，are equipped with the sensor modules for detection of moving objects［9］and electric signals.These sensors can automatically recognize one moving attacker［10，11］，and then broadcast the location of the attacker to its neighbors by beacon signals.Rios et al.proposed a greedy routing algorithm of context－aware location privacy（CALP）［12］and silent zone（SZ）scheme based on such attacker－recognition technology.However，according to the Kerckhoffs′principle，the attacker will know the whole design of the secure system.We assume that the attacker knows the routing protocol and can decrypt the security protocol.Although CALP is also based on the shortest path，the packet would have great delay，because the privacy preserving function depends on the beacon scheduling to update the routing table every time，when the period of beacon increases.The application of beacons has brought new challenges to the network performance［13］.Despite the high privacy of SZ by isolating attackers from the whole network，the packet fails to be delivered successfully when a patient attacker stays near the sink.

The scheme presented in this study is independent from beacon frequency and can subtly entice adversaries far away from the real routing path.Therefore，as our scheme causes the least impact on the original routing，the packet can be delivered efficiently to the sink with no more delay.In this process，the location privacy is also preserved by stopping attackers from receiving any information.The main contributions of this paper are summarized as follows：

（1）We propose an intelligent silent zone（ISZ）mechanism to preserve the source location privacy，by enticing the attackers away from real packet routing path in a silent zone.

（2）ISZ can preserve the source location privacy even when the attacker knows the routing protocol.Besides，this scheme is applied in a universal scenario regardless of the routing policy.

（3）The path bias is introduced to measure the impact of secure policies on the current routing.ISZ mechanism can maintain the original path to the great extent.

①水资源量减少，产业用水、产业发展受到影响。农业方面，调水后，水位下降对农业灌溉产生不利影响，加大了农业灌溉成本；水量减少、流速减缓对汉江水生物物种资源带来不利影响，给渔业带来损失。工业方面，汉江中游地区以汽车、石化、机械电子、建材等耗水产业为主导产业，调水后大耗水工业的取水成本和治污成本显著增加，影响到沿江城镇主导产业的规模和效益，甚至可能导致部分企业重新选址或者搬迁。第三产业方面，中线工程将推动服务业的提升和发展，但会增加水资源依赖型的第三产业如生态旅游业的成本。

1 Related Work

The research on the source location privacy（SLP）［2，14］in WSNs has been drawing significant attention.According to their abilities，attackers come in two varieties，local and global.The global［7，15］one can know the whole network traffic.In order to resist the attacker′s global traffic analysis，dummy packets are usually injected in the real packet transmission interval，resulting in considerable energy cost.And the multi－path routing［6］can enhance the load balance and quality of service（QOS），which makes the global attacker difficult to track the packets［5］.The local attacker［16］can receive the information in the vicinity of him，while multiple local attackers can cooperate with one each other to get a wider range of network information［17］.As a local attacker，whose location is still invisible like a ghost to the entire network，he can analyze the network traffic to infer the source location.Previous studies have shown that there are mainly three techniques to hide the traffic.One is the phantom routing［4］proposed by kamat et al.in their panda－hunter model for the first time，which includes the first step of having random walk to a phantom source，followed by the shortest path or flooding to the sink in the end.However，as random walk increases，the packet gradually approaches the source node［4，18］，indicating the revelation of the source location in turn for a random walk phase.Shortly afterwards，some improved algorithms such as greedy random walk （GROW）［19］are proposed，which are associated with more energy cost to reduce the transmission delay and improve the security.The other two schemes are dummy packets mechanism［3，20］and pseudo source node mechanism［7，21］.These two methods can resist more powerful attackers，but because the number and the location of pseudo nodes are randomly distributed，some unnecessary energy cost is unavoidable.

另外，各高职院校在办学规模、硬件条件、软件设施、专业设置等方面存在较大差异，师资水平、学生基础方面也不尽相同。整体实力较强的院校在课程互开、学风互认、教师互聘等软件资源共享方面缺乏内在动力，条件优越的高职院校会对本校优质教育资源进行某种程度的保护。

With the development of the hardware，the attacker will be in visible for the wireless sensor network.By using the characteristics of attacker perceiving［12］，nodes relatively far from the attacker are chosen as the shortest path to the sink，which brings a new idea for solving this kind of problem.Moving object recognition technology［9－11］in resisting the attacker，enhances the certainty of the strategy，instead of randomness.However，the authorized moving objects can be allowed to enter the WSN，such as scientists detecting data in the field.Merely a simple authentication mechanism［22，23］can exclude the unauthorized migration of mobile objects.Between the external moving objects and sensors，the establishment of session key based on elliptic curve cryptography（ECC）is more simplified with smaller public key，compared with non－ECC mechanisms.

To further reduce the overhead of data transmission，according to the characteristics of the IEEE 802.15.4MAC layer，Shao et al.［24］made use of the payload of beacons to transmit data，which will be extracted through programs in the application layer.In addition，the Mac layer for maintaining a reliable communication link，can also be used to broadcast information by beacons.The MAC mentioned here is beacon－enabled，and the influence of varied MAC protocols on the network performance is different.According to Ref.［25］，a short interval between beacons will cause too much synchronization overhead，while a long interval will result in a longer guardian time for the time drift.The beacon interval can be adjusted adaptively according to the network traffic，such as changing the duty ratio to increase the throughput for tunable media access control（TMAC）and sync－MAC（S－MAC）［26］.The frequency can also be changed by the software depending on the specific application.There are two advantages of using beacons to transmit the data，the first is energy saving，and the second is to hide the path.

2 Problem Description

2.1 Network model

In a homogeneous wireless sensor network，there are Nnodes｛ni｜1≤i≤N｝，and each sensor has the same computing and storage capacity，with every node of niknown their location（xi，yi）and the sink（xs，ys）.

Assuming that the sensors are deployed in a free plane space，the distance between sensors is the Euclidean distance.If the location of node v1 and v2are located respectively in （x1，y1）and（x2，y2），the distance between v1and v2is

If there are a few neighbors in a sparse network，an attacker is easier to locate the sender near him.So the nodes of network are densely connected.

In the view of the external attacker，the format and the size of each packet is the same，and the node′s identity information is encrypted to prevent an attacker from decrypting the contents of packets，therefore he cannot distinguish between true packets and pseudo ones.

When the attacker is near the original routing path，the longer the minimum safety distance is，the more deviation of the routing path will be.It will lead to great energy consumption.Worst of all，it will result in the instability of the network.In order to make privacy protection mechanisms to be more widely used，it is necessary to let the attacker far from the source，and at the same time to remain the original routing path unbiased.The routing path bias is defined in the next section.The smaller routing path bias，the higher quality of network service.

2.2 Attack model

Due to the limited communication range of each sensor node in WSNs，the packets are transmitted hop by hop.The attacker locates the base station or the data source by using the time dependence of the packets and the traffic patterns.According to the attacker＇s reaction when he receives a packet，attackers come into two types［27］：（1）The patient attacker，he will not move until he receives a new packet，and then moves to the direct direction of the packet sending；（2）The cautious attacker，if he has been waiting at a node for a new packet for a fixed time，he will return back to the last location.No standards can be used to distinguish the ability of these two type attackers，for the perceptive attacker has the path analysis ability.While in some cases，the patient attacker can provide much more safety，which will be elaborated in Section 4.Therefore，when designing privacy schemes，we should take these two types of attackers into account.

上课伊始，教者提问：“你从哪里看出武松是个什么样的人？”学生互相启发补充，从“闪、抡、劈、丢、揪、按、踢”等一连串的动作看出武松智勇双全。这是全面捕捉课文信息，培养学生思维全面性的第一步。正当所有同学把目光都集中到描写武松的语句时，我轻轻发问：“难道表现武松只有从武松身上下手？”学生一下子有了发现：“哦！还可以从老虎‘一扑、一掀、一剪、咆哮、扒坑’等词语看出老虎的凶猛，老虎越是凶猛，越能反衬出武松的智勇双全。”

We assume that the attacker is local and passive.Local means that the attacker′s observing scope is only the sensors in his vicinity，and passive indicates that the attacker does not have any functional impact on the sensor network.The attacker knows the location of the sink node.As an external attacker，he can only eavesdrop on the packets in WSNs，but not control any internal sensor nodes.

According to the angle and the strength of the received transmission signal，the attacker strarts from the sink node and follows the direction of the direct sender to capture him.If the attacker does not receive any packets within a certain period of time T，he will have random walk to find a node sending apacket，and continue to eavesdrop.Here：

（1）If the time of Tis short，it is a curious attacker；

（2）If Tis infinite，it is a patient attacker.

A simulator Castalia based on OMnet＋ ＋is applied to verify the efficiency of our methods.We deploy a squared field of 100×100m，where all sensors are distributed uniformly.The sink is arranged randomly in the central.Assuming that there is only an attacker，we let the monitored source asset be located in different distance from the sink.The MAC protocol is based on IEEE 802.15.4，including information load part as mentioned above.Once an attacker is detected，an alarm beacon is sent.Although ISZ does not reply on the routing protocol，in this comparative evaluation，we use ISZ based on shortest－path routing（SP），which is also applied as a baseline to reflect the impact of other approaches along with phantom routing（PR）and CALP［12］.The phantom algorithm has been discussed in the second chapter，and the process of attacker－detection in CALP is also based on the beacon technique.The main process of CALP is that each node maintains a routing table containing all its neighbors.When an attacker is found，a beacon is broadcast to update the routing table，in which the node closet to the shortest path and furthest to the attacker is chosen as the next hop node.Here we will analysis not only the curious but also the patient attacker.The beacon does not cost additional energy，but dummy packets does.The simulation is carried out for 50times，and a total of 500new packets are sent from the source node for each time.

3 Method

3.1 Attack－preserving technology

Traditional intrusion detection system is unable to detect the attacker since the passive attacker has no affection on the whole network.While because of the inherent character of the attacker as a moving object with electromagnetic signal，sensor nodes equipped with special models can monitor and track unauthorized moving objects［28］.

上述各种FPGA的布局算法中，均以矩形模型作为待布局逻辑功能的描述模型，其具有易于表达，建模简单的优点.但是在真实的开发过程中，逻辑功能的客观形状一般均不是矩形[11]，如图2(a)所示为基于Xilinx ISE14.6开发环境下的部分逻辑功能布局图，其中红色实线框为实际占用的可重构资源.采用矩形模型容易产生过多的内部碎片而导致资源利用率降低，图2(b)为矩形模型示意图，可见因内部碎片而造成的资源浪费达25%.

The sensor node applied here includes two functional models：M－DS and control mode，as shown in Fig.2.

左小龙的体温瞬间回到了三十七度，但突然间想到自己钱还没凑齐，又回到了三十九度。他问：这么快，不是说差不多一个月么。

Fig.2 Functional models

The module is used to detect whether an attacker is nearby，relying on the existing technology.If an attacker approaches，an alarm is sent by the M－DS module to the control module.The control module then transmits beacon signals to inform sensors nearby.

3.2 Silent zone scheme

SZ scheme is introduced by Rios in Ref.［12］.The main idea is that as soon as the mobile attacker is detected by the sensor nearby，the senor will notify all other neighbours of the attacker′s location，and the neighbours that receive the warning message will be set silent.All silent nodes fail to forward packets any more，even if they receive these packets and then discard them.We call these nodes as SILENT，which can be achieved by the software.

Delivery time in ISZ，similar to that in SP，only depends on the path length （i.e.，the source to the sink distance is s－d），regardless of beacon intervals，which have affection on network traffic.In fact，the curious attacker will have random walk for he can not receive any packets near the sink.In ISZ，it is less likely to get close to silent zones in the vicinity of source routing，so it will not cause much bias to the original path as pure SZ method does，and the increased traffic is very limited.An attacker starts from the sink and the initial data approaches to the sink when ISZ mechanism plays a role，especially for a patient attacker who will be enticed away from the original path，causing no more additional delay.

Once an attacker appears，all nodes within the security boundary are notified by the aforementioned beacons.If the node H ＿node is the first one that detects the attacker，it can determine the location of the attacker，and then send a beacon.Taking H＿node as the center of a disk，all the sensors within communication radius R will receive the Rsignal and set their states to be silent.

Each node knows the location of the sink and its own，and can send information by beacon signals.Intuitively，the SZ mechanism significantly decreases the number of real packets captured by an attacker.According to the attack model in Section 2.2，the attacker will walk randomly until he captures a packet in the network.When the attacker is close to the real data transmission path，the next delivery will deviate from the original route.Such deviation will lead to an increase in the path length and the energy consumption of the network.With the increasing number of walk steps，the walk area is increasing accordingly.If the source node is close to the sink node，the attacker can find the source node in a short time by completely random walking.

In order to prevent attackers from receiving new packets by SZ mechanism，there are two disadvantages when an attacker is near the sink node：（1）It would make packets not arrive at the destination，resulting in a very low delivery rate.The corresponding solution is that when the attacker is in the vicinity of the sink，the minimum safety distance is set small，and when the attack－er is far away，the minimum safety distance is changed back to the communication radius.（2）It would make the attacker easier to find the source node nearby，because no packer is captured by the attacker，and then he will have a random walk，as discussed before.

The advantages of completely isolating the attacker from real packets is obvious.The attacker can not receive any context information any more，meanwhile he has random walk.Given the current node position as CN0 （x0，y0）after h step，the coordinate can be followed as

X＝CNi－CNi－1（i＞0），where Xis an independent distribution of random variables，namely｛（1，0），（－1，0），（0，1），（0，－1）｝.

k·hwalkis distance from CN0to the location after hwalkstep，where｛k｜0＜k＜1｝，the asymptotic probability of k·hwalkis as follows

When the number of hwalkcontinues to increase，the probability of going back to the original location for the attacker tends to 1.The attacker can only walk around for ensuring the location privacy of the source node.When the distance between the source node and the sink is relatively small，the source node is within this small range.As the hwalkincreases，the source node could be found only in a limited time.However，it has been proved that when the source node is far away from the attacker，the probability of finding the sink node is very small.Therefore，one of the design goals in this paper is to let the attacker move away from the source node，which can be achieved as long as the moving direction of packets captured by the attacker is opposite to that of the source.

As mentioned earilier，the attacker－recognition module can tell the location of the attacker H（xh，yh）.The authorization mechanism is introduced to eliminate the interference in the process of identifying moving objects，and the unauthorized target（with electromagnetic signal）is regarded as an attacker.The moving object authorization is ignored，for example，the scientists carry a personal device to examine the data collected in the field，so such moving object is not an attacker.

3.3 The proposed mechanism

First，we need to define the routing path bias.The smaller routing path bias will has the less impact on the original routing path.

Definition 2 Givenμas the mean length of routing paths.When the security mechanism is applied and the length of the ith routing path is counti，the routing path bias S2 is defined as follows

之所以有必要在沙盘实训课程中引入激励理论，是因为该课程在实施过程中易出现一些问题，影响了学生学习的积极性。

To minimize the routing path bias，we need to optimize SZ scheme.This article presents a novel solution called ISZ，whose main idea is that the routing for real packets is complemented outside the silent zone，and while the packet routes are near the silent zone，a false packet is sent to a bait node chosen intelligently，to entice the attacker away from the original routing path.The false packets can get through the silent zone，which will be described as shown in Table 1.Here，the greedy shortest path routing is chosen for the efficient purpose.The specific steps of ISZ will be described below.

Communication between sensors，we adopt acknowledgement mechanism to ensure the reliability of data transmission.As shown in Fig.3，when the node Aforwards a packet Mto B，A will receive an implicit confirmation when Bforwards the packet Mdownstream.If Adoes not hear B′s acknowledgement in some abnormal situations，such as interruption of link or silent state of nodes，the node A will notify its neighbors of their current states，and then select the next hop node prior to retransmitting the packet.The blue shadow section indicates the zone or area of an attacker′s eavesdropping.Fig.3illustrates an attacker walking away from the delivery path of the real packet.The dashed arrow represents the state that after the node A has delivered a packet to B successfully，B is broadcasting a packet.If B receives an acknowledgement from C，the dashed arrow will change into the solid line like that from Ato B.

Through personification and symbolization, lot of local oral literature advised us that, human being should harmoniously coexist with nature, take good care of animals and keep yourself from evil.

Fig.3 Packet transmission outside the silent zone

The number of the relaying nodes and selection strategies varies depending on the routing protocols.For the greedy shortest path routing protocol，we assume that the node Ois supposed to be the next hop of A.When Oreceives A′s signal，the state of Ois silent（in shadow warning area）.As mentioned above，Ochanges into a silent state when it receives the warning beacon signal from H＿node.Therefore，the packet will be discarded，as shown in Fig.4（a）.Provided that the node Acannot receive the acknowledgement from the node O，it will reselect a new relay for the real packet and simultaneously send a false packet M.The detailed process is carried out in two phases，an update phase and an operational phase.

Fig.4 Illustration of a packet delivery process

We assume that each sensor has a list of its neighbors.In the update phase，the node Aobtains all the information of its neighbor nodes which belongs to SET－Nei＿A，using one－hop broadcast message.According to the states information of neighbors，the currently active neighbors′information is updated as SET＿Active＿A，where SET＿Active＿A＝SET＿Nei＿ASET＿Silent＿Zone.In the operational phase，Band B′are chosen to be the successor of A.The node Bis for the real packet M，and B′is for the false packet M ，as shown in Table 1.From the perspective of an attacker，Mhas no difference from M.The node which receives M，will continue to deliver Mto the next hop Next＿Hop＿Real according to the original routing outside the silent zone.While the node chosen to forward Mwill elect the next hop Next＿Hop＿Fals according to Algorithm 1.

Table 1 Two types of packets

Packet Property 1Property 2 Property 3 Real packet M Deliver to the sink Include true data Cannot be transmitted by silent nodes False packet M Deliver to the bait node Include false data Can be transmitted by silent nods

Algorithm 1 The next hop outside the silent zone

In the update phase，the node Acan identify the silent nodes by the feedback from its neighbors.For example，the nodes which are geographically adjacent in the silent zone，such as O and O1，are concluded to be in silent states because they are unable to send acknowledgements to A.The nodes which send acknowledgements are intuitively evaluated to be active，as shown in Fig.5.Although there are some nodes that do not send signals because of other abnormal factors，such as energy depletion，one of the reasons that these nodes are not identified to be silent is that their geographical locations are not contiguous.However，such abnormal situation is beyond our scope of discussion，and there are only two states are taken into account，silent and active.After the update，as shown in Fig.4（b），the active node B，which is closest to the sink，is chosen according to the greedy shortest path routing protocol.As each node knows the location of its own and the sink according to the neighbor list as shown in Table 2，where Ddenotes the distance，we also can select the node B′to forward the false packet，and the selection principle is that the node should be close to the silent zone but away from the node O.As shown in Fig.5，B3is the best node because it is further away from Othan B1 and B2and closer to the silent zone than B4.Obviously，B′is the locally optimal relaying node，if X，B′∈SET＿Active＿A∧X≠B′，∠BOX≤∠BOB′.

Fig.5 Neighbours′state

Table 2 List of A′s neighbors

Neighbors（A） Dto sink Silent Dto A Dto B1 Dto B2 Dto B3 Dto B4 Dto B5 O（xO，yO） d（O，sink） 1 d（O，A） d（O，B1） d（O，yB2） d（O，B3） d（O，B4） d（O，B5）B1（xB1，yB1）d（B1，sink） 0 d（B1，A） 0 d（B1，B2） d（B1，B3） d（B1，B4） d（B1，B5）B2（xB2，yB2）d（B2，sink） 0 d（B2，A）d（B2，B1） 0 d（B2，B3） d（B2，B4） d（B2，B5）B3（xB3，yB3）d（B3，sink） 0 d（B3，A）d（B3，B1） d（B3，B2） 0 d（B3，B4） d（B3，B5）B4（xB4，yB4）d（B4，sink） 0 d（B4，A）d（B4，B1） d（B4，B2） d（B4，B3） 0 d（B4，B5）B5（xB5，yB5）d（B5，sink） 0 d（B5，A）d（B5，B1） d（B5，B2） d（B5，B3） d（B5，B4） 0

Algorithm 2 Choosing a bait node intelligently in silent zone

Definition 3 In order to measure the privacy performance of the network，for a single attacker with definite attack model，safety period and capture likelihood［4］are adopted.

Step 2 If there is one of the silent neighbors of the current node in SET＿Silent＿Curren，and this neighbor node′ meets the requirement，namely d（node′，O）＞ R，where Ris the attack radius，node′is the bait＿node we are looking for.Otherwise，go to step 3.

Step 3 If the node′is not in the silent zone or d（node′，O）≤R，the current node will continue to search the next hop Next＿Hop＿False（Current＿node），which is the nearest to the silent zone，as presented in Algorithm 1.Move to the next hop，and initialize this node into the Current＿node.

(2)建设护理质量管理控制体系。在日常护理工作中结合等级医院评审相关要求,建设"院控、科控、自控"的护理质量管理控制体系,科室成立护理质量管理控制小组,采取医院抽查、科室互查、自我复查的方式,从护理病案质量、临床护理质量等方面定期组织督导考核,将相关结果反馈并督促整改到位。

在裂隙网络中，线单元及其两端节点为基本单元，如果节点i为线单元j的一个端点，则称j单元衔接于i节点，节点i的度数为与其相衔接的线单元的个数。构成闭合路径的裂隙段集合称为该裂隙网络的回路，其中所含裂隙段数目为回路的维数。

Repeat the above steps until the required bait＿node is met，as shown in Fig.4（c）.The false packet continues to being forwarded prior to being broadcast by the bait node.The one－hop broadcast packet entices the attacker to move away from the original routing path.The nodes which receive this fake packet simply discards it.Besides，in order to select the optimal bait＿node，we need to ensure our network is deployed densely.

3.4 Privacy analysis

As shown in Fig.6，the network employing ISZ mechanism will have the following two states depending on the location of an attacker.The first state is cautionary when the attacker is close to the routing path.For the contextual privacy，a longer route is chosen to avoid the attacker′s eavesdropping.In the meantime，the attacker will receive false packets from a bait＿node，instead of real messages.As a consequence，the attacker will move to the bait＿node，which is far away from the original routing，and achieve the second state，that is，safe state.In the safe state，the routing bias caused by the SZ mechanism will gradually disappear and the packet will be delivered by the original routing.

根据中国政府采购网公布的政府采购严重违法失信行为，本文随机选取最近被处罚的500家单位共640次违法违规行为进行了分析(见表1)。

Step 1 First，the neighbors′states are obtained by the current node，and two sets are classified：the set of silent neighbors SET＿Silent＿Current and active neighbors SET＿Active＿Nenode.

（1）safety period§ ：The number of monitoring data sent by the source node，before the attackers capture it.

例1(第7题) 为“赏中华诗词，寻文化基因，品生活之美”，中央电视台举办了诗词知识比赛．每场比赛的第一轮为个人追逐赛，有4名选手参加．在第一轮中，每名选手在答题前随机不放回地抽取第1，2，3，4组题目中的一组题目．已知第一个出场选手在第一轮中擅长第1组和第3组题目，那么他在第一轮能抽到自己擅长题目的概率为

（2）likelihood L：In a fixed time，the probability that attackers capture the source node.

Fig.6 Two state models

Before the source node is captured，the more packets are sent，the longer the safety period is，and the higher the privacy level is.Within a fixed time and distance from the source node to the sink，s－d，the higher the capture likelihood is，the worse the privacy level is.

As mentioned before there are two states in Fig.6.We assume that the probability of the network in the cautionary state is PC.As the area of the silent zone increases to cover the attacking range，the attacker can no longer receive any real packets.Therefore，the real packet capture likelihood is 0.Meanwhile，the attacker will track the false packets.Consequently，the network changes into a safe state，whose probability is assumed to be PS，as shown in Fig.6（b），when the attacker can receive neither real nor false packets.For a patient attacker，he will stay there all the time（for a long time），and the privacy of the network is guaranteed，that is，the source capture likelihood is 0.For a curious attacker in the safe state，he will have random walk，so the source capture likelihood is L＝PS/N （Nis the number of sensor nodes in the network）.When he moves close to the routing path，he will be enticed by the bait node.As a result，the source capture likelihood for a curious attacker in the cautionary state is L＝PC×0＝0，because he will receive none of real packets and move to a false direction.So，the probability of capturing the source for a curious attacker is PS/N，where PC＋PS＝1.

As seen from Fig.6intuitively，the attacker does not interfere with the network in the safe state，while in the cautionary state，the length of real－packet path increases and false packets will generate extra energy.Therefore，we will briefly estimate the energy consumption theoretically，and in the next section，the performance of our proposed mechanism in the network will be verified experimentally.

3.5 Energy analysis of ISZ

Initially，an attacker starts from the sink，and the source begins to deliver the data to the sink.Assuming that the energy caused by beacons is negligible，the delay and the energy cost in the network is mainly attributed by packet transmission and reception.Therefore，the routing path length and the number of packets sent and received are mainly calculated.

In the best case，the attacker is far away from the real transmission path，as shown in Fig.6（b）.Without false packets，the energy is simply related to the routing protocol.Generally，since the shortest path costs the least energy，assuming the shortest path length is h，the total energy consumption of transmission for each event to the sink is＝h·Esr，where Esris the energy cost of the transmission and reception of each packet for a single node.The path bias is affected by the attackering area.In the worst case，the real routing path and the false path nearly circle around the attacking range，as shown in Fig.6（a）.Let the radius of the eavesdropping area be Rhops，and assuming that the real packet length is h，the total energy consumed for each event to the sink in the worst case is a－average energy is

4 Performance Evaluation

An attacker moves at a constant speed of VA，where VA≤Vmand Vmrepresents the speed of packets between nodes.The eavesdropping range of an attacker is not greater than the communication range of a node，that is，D ≤ R，where Dand Rrepresent the eavesdropping range and the communication radius of the sensor node，respectively.

（1）Delay.Delay means the sending time of a packet from the source to the sink，which includes two aspects：one is the delay caused by the beacons，and the other is packet delay due to routing policies，such as re－transmission time，routing path and etc..Therefore，relying on the beacons to update the routing table，CALP policy have a great delay，which depends on the beacon updating frequency and the path length.The path length in CALP changes when the attack type changes.Compared with the curious attacker，the patient attacker causes much more delay in CALP，as shown in Fig.7.Because CALP needs more time for beacons to update the routing，it causes more delay than other mechanisms.

Similar to CALP，the path bias of SZ is also affected by attack types.When a curious attacker does not receive any packets，he would be likely to walk randomly around the sink.Therefore，the delivery path to the sink is unstable，and the latency in this case is slightly higher than that in PR and SP，as shown in Fig.6（a）.Nevertheless，for a patient attacker，SZ leads to significantly higher delay than that of SP，as shown in Fig.7（b）.Because when the attacker is near the sink，the path bias is great，leading to more than 97%of packets that can not be delivered to the sink.Suffering from great delay，some packets jump 157hops before reaching the sink node.The delay in phantom routing is higher than that in SP for the additional steps by random walk.The phantom routing method will not be affected by the attack types，so the packet delay has nothing to do with the patient or curious attacks.

Definition 1 There are four possible states defined by an enum.SLEEP and ACTIVE are steady states and SEND is transient，and SILENT is also a transient state that the nodes will simply discard or store the packets they receive，without forwarding it.

Fig.7 Packets delay comparison using different mechanisms for two kinds of attackers

（2）Privacy.There are two main measures of privacy：safety period and capture likelihood.We conducted 50experiments，and use the capture times to measure the source privacy in a given time.The less times to be captured are，the longer the safety period will be.The smaller the capture likelihood is，the higher the privacy will be.As shown in Fig.8，with the increase of s－d，the privacy of the shortest path do not increase.On the contrary，it is the worst，because once a packet is captured，the attacker will follow the shortest path to find the source.As our experiment shown，the capture likelihood of a curious attacker is less than that of a patient attacker.That is because the curious attacker will walk away from the sink if he waits awhile without receiving any packets.Thus，the patient attacker has a higher capture likelihood.Phantom routing in the simulation is no better than the shortest path when a patient attacker，as s－d increases，the random walk increases，the curious attacker would receive none of packets due to leaving away from the real transmission path，and lose some chances to capture sources.The essence of CALP is the greedy shortest path routing，but choosing the most furthest one from the attacker.Obviously，since CALP is related to the eavesdropping range of the attacker，in the simulation when the communication radius is set as the same as the eavesdropping range，the patient attacker can receive a few real packets in the vicinity of the sink，while the curious attacker also can catch the source after random walk if the attacker does not receive any information，when s－dis short.

Because he cannot receive any packets in SZ，the curious attacker will have random walk according to the probability distribution of random walk in Eq.（3）.When the source is close to the sink，the attacker would walk to the source and capture it，as shown in Fig.8（a）.For the patient attacker，he will not receive any packets for tracing source and stay where he is.Therefore，SZ has the better privacy for a patient attacker than that for a curious attacker.In ISZ，when the distance between the sink and the source is short，the attacker has high capture likelihood for h is small at this time.Because of the interference by dummy packets，ISZ has more privacy than SZ when facing a curious attacker，as shown in Fig.8（b）.With the increase of s－d，the corresponding routing path h will increase.Both for curious and patience，ISZ has excellent performance in preserving the privacy of the source location.

公式(1)中，Y、K、L分别表示创新产品的销售额、研发经费、研发劳动力。我们用创新产品销售额作为产业创新效益的代理变量，该值越大，表明企业新产品对企业经济效益的影响越大，创新效益也就越高。α、β分别为研发经费、研发劳动力的弹性系数，A为全要素生产率。参考俞立平等的做法，采用单位时间内某产业创新成果的数量作为产业创新速度的代理变量S。⑦考虑消除异方差的需要，对公式(1)两边同时取对数，整理后得:

Fig.8 Privacy performance comparison using different mechanisms for two kinds of attackers

（3）Path bias.According to Definition 2，the path bias shows the impact of security mechanisms on the original routing.The pure SP routing has almost no bias because the path is deterministic.Four kinds of privacy schemes are ana－lyzed here，and the shortest path is selected as the original routing path.As shown in Fig.9，PR has the biggest path bias，compared with other three mechanisms.The path bias of PR depends the number of hops of random walk，irrelevant to the types of attackers.The bias value for PR is unstable，because the direction of random walk is uncertain.If the direction is against the sink，the bias will increase.While if the some steps are canceled each other by random walk，the bias might just remain low.

When a curious attacker moves near the original routing path as shown in Fig.9（b），CALP always selects the furthest node from the attacker as long as the attacker is still nearby.Consequently，the original path shifts many times.If the attacker does not receive any packets，he will have random walk，and the shift will not disappear until the attacker moves far away from the original path.In the SZ scheme，when the source is closer to the sink，that is，s－dis small，the curious at－tacker will capture some packets and stay on the path，resulting in a great path bias.As s－dincreases，the curious attacker may walk randomly to a safe state，so the path bias declines relatively.The ISZ scheme causes the smallest path bias because every time when an attacker approaches near the original routing，false packets will entice him far away from the original routing，and the curious attacker will have random walk.As s－d increases，the probability of capturing the source becomes smaller，as well as the path bias.

When facing apatient attacker，as shown in Fig.9（a），the bias for SZ is not found.It is because when the patient attacker is near to the sink，more than 97%of packets can not reach the sink，as mentioned before that some packets jump 157hops before reaching the sink，leading to enormous bias.In addition，the path bias is related to the attacking range，which is set the same as the area of sensor communication.For CALP，when a patient attacker can not receive any packet，he will stay near the original path，so the bias will always exist，slightly larger than that for a curious one.The path bias of ISZ for a patient attacker is even smaller than that for a curious one.Once a patient attacker is enticed by false packets far away from the original routing，and can not receive any packets，he will no longer move.Thus the network will maintain a safe state for a long time and the following packets are delivered by the shortest path.

（4）Energy.The research has shown that for wireless sensors，the energy cost by executing 3 million of general program instructions is equivalent to that by transmitting data in the distance of 100m［29］.

The parameters used in this simulation are listed in Table 3.

根据调查，海外游客主要是通过旅行社的推荐介绍了解蜀冈-瘦西湖风景名胜区的情况，可见景区自身在海外的宣传促销力度不够.应针对海外旅游者的特点，充分利用国内外各种宣传媒体、海外旅行社、网络及报刊杂志等媒介，创新旅游宣传促销方式，加大旅游宣传促销的力度；制定海外重点客源市场促销计划，根据细分后的海外客源目标市场，有重点、分层次地进行旅游宣传；认真办好一年一度的“烟花三月国际经贸旅游节”，不断创新经贸旅游节的内容和方式，吸引更多的海外宣传媒体和贸易商参会，以招徕更多的海外旅游者.

It can be seen that with fixed number of packets and routing policies in the network，theenergy consumption related to the distance between nodes is O（d2）.The total amount of the energy is related to the path length squared，so the routing algorithm itself affects the energy consumption.In Fig.10（a），the abnormal case of SZ occurs when facing apatience attacker，and the packet is always around the sink but can not arrive，which consumes much more energy.Obviously，ISZ mechanism is less likely to interfere with the original routing path.We implement the shortest path，CALP，SZ and ISZ to compare with the shortest path routing，showing the effect on the energy consumption of the whole network.Beacon scheduling itself does not generate additional energy consumption，although CALP has high delay，still maintaining the energy level of the shortest path.While for ISZ，dummy packets cause additional energy，as mentioned before，dummy packets only occur when there is a silent zone near the real routing path.In the simulation，after the attacker was tempted to leave the original path，the situation is not distinct between SZ and ISZ.Therefore，when the three strategies in the face of the curious attacker，the actual difference might not be too much，as shown in Fig.10（b）.As sorted by the energy efficiency，ISZ has the best energy performance.

Table 3 Parameters setting

Parameter Value Eelec/（nJ·bit－1） 60 ξamp/（pJ·bit－1·m－2） 10 n 2

Fig.9 Path bias comparison using different mechanisms for two kinds of attackers

Fig.10 Energy cost comparison using different mechanisms for two kinds of attackers

5 Conclusions

In this article，we propose an improved solution for source location privacy in WSNs，which is vulnerable to backtracking attack by a local adversary.The proposed solution of ISZ can be suitable to many event－driven WSNs applications by preventing a local attacker from receiving contextual information.Compared with SZ，ISZ combines an isolated area as a trap for adversary and entices the adversary far away from the original routing path.As shown in the results，the ISZ method outperforms its counterparts e.g.，PR and SP in the safety period as well as in energy consumption.However，cautious local adversaries as well as beaconing influence on WSNs are rarely considered.Further researches are needed to ad－dress these issues.

Acknowledgements

This work was supported by the National Natural Science Foundation of China （Nos.61373015，61300052，41301047），the Priority Academic Program Development of Jiangsu Higher Education Institutions，and the Important National Science and Technology Specific Project（No.BA2013049）。

References：

［1］ CONTI M，WILLEMSEN J，CRISPO B.Providing source location privacy in wireless sensor networks：A survey［J］.IEEE Communications Surveys Tutorials，2013，15（3）：1238－1280.

［2］ WANG B，ZHANG X.WSNs routing protocol of airfield lighting monitoring system based on energy balance［J］.Journal of Nanjing University of Aeronautics and Astronautics，2015，47（4）：525－533.

［3］ ZHOU Qian，QIN Xiaolin，DING Youwei.Preserving source－location privacy efficiently based on attack perceiving in wireless sensor network［J］.Journal on Communications，2018，39（1）：101－116.

［4］ KAMAT P，ZHANG Y，TRAPPE W，et al.Enhancing source－location privacy in sensor network routing［C］//25th IEEE International Conference on Distributed Computing Systems.Columbus：IEEE，2005：599－608.

［5］ ZHANG Y，WANG G，HU Q，et al.Design and

performance study of a topology－hiding multipath routing protocol for mobile ad hoc networks［C］//35th Annual IEEE International Conference on Computer Communications.Orlando：IEEE，2012：10－18.

［6］ RAHAT A，EVERSON R，FIELDSEND J，et al.Evolutionary multi－path routing for network lifetime and robustness in wireless sensor networks［J］.Ad Hoc Networks，2016，52：130－145.

［7］ MEHTA K，LIU D，WRIGHT M.Protecting location privacy in sensor networks against a global eavesdropper［J］.IEEE Transactions on Mobile Computing，2012，11（2）：320－336.

［8］ YANG Y，SHAO M，ZHU S，et al.Towards statistically strong source anonymity for sensor networks［J］.ACM Trans Sen Netw，2013，9（3）：34：1－34：23.

［9］ LOUREN O P，BATISTA P，OLIVEIRA P，et al.Simultaneous localization and mapping in sensor networks：A GES sensor－based filter with moving object tracking［C］//European Control Conference.Linz：IEEE，2015：2354－2359.

［10］NANDHINI S，RADHA S.Compressed sensing based object detection and tracking system using measurement selection process for wireless visual sensor networks［C］//International Conference on Wireless Communications，Signal Processing and Networking.Chennai：IEEE，2016：1117－1122.

［11］APICHARTTRISORN D， APICHARTTRISORN K，KASETKASEM T.A moving object tracking algorithm using support vector machines in binary sensor networks［C］//13th International Symposium on Communications and Information Technologies.Surat Thani：IEEE，2013：529－534.

［12］RIOS R，LOPEZ J.Exploiting context－awareness to enhance source－location privacy in wireless sensor networks［J］.The Computer Journal，2011，54（10）：1603－1615.

［13］BURATTI C.Performance analysis of IEEE 802.15.4 beacon－enabled mode［J］.IEEE Transactions on Vehicular Technology，2010，59（4）：2031－2045.

［14］BRADBURY M，LEEKE M，JHUMKA A.A dynamic fake source algorithm for source location privacy in wireless sensor networks［C］//IEEE Trustcom/BigDataSE/ISPA.Helsinki：IEEE，2015：531－538.

［15］OUYANG Y，LE Z，LIU D，et al.Source location privacy against laptop－class attacks in sensor networks［C］// Proceedings of the 4th International Conference on Security and Privacy in Communication Networks.New York：IEEE，2008：1－10.

［16］RAJ M，LI N，LIU D，et al.Using data mules to preserve source location privacy in wireless sensor networks［J］.Pervasive and Mobile Computing，2014，11（2）：244－260.

［17］JHUMKA A，LEEKE M，SHRESTHA S.On the use of fake sources for source location privacy：Trade－offs between energy and privacy［J］.The Computer Journal，2011，54（6）：860－874.

［18］SHI R，GOSWAMI M，GAO J，et al.Is random walk truly memoryless：Traffic analysis and source location privacy under random walks［C］//The 32nd IEEE International Conference on Computer Communications.Turin：IEEE，2013：3021－3029.

［19］XI Y，SCHWIEBERT L，SHI W.Preserving source location privacy in monitoring－based wireless sensor networks［C］//The 20th IEEE International Parallel Distributed Processing Symposium.Rhodes Island：IEEE，2006：355－355.

［20］ALOMAIR B，CLARK A，CUELLAR J，et al.Toward a statistical framework for source anonymity in sensor networks［J］.IEEE Transactions on Mobile Computing，2013，12（2）：248－260.

［21］MEHTA K，LIU D，WRIGHT M.Location privacy in sensor networks against a global eavesdropper［C］//International Conference on Network Protocols.Beijing：IEEE，2007：314－323.

［22］AMIN R，BISWAS G P.A secure light weight scheme for user authentication and key agreement in multi－gateway based wireless sensor networks［J］.Ad Hoc Networks，2016，36（1）：58－80.

［23］SRINIVAS J，MUKHOPADHYAY S，MISHRA D.Secure and efficient user authentication scheme for multi－gateway wireless sensor networks［J］.Ad Hoc Networks，2017，54：147－169.

［24］SHAO M，HU W，ZHU S，et al.Cross－layer enhanced source location privacy in sensor networks［C］//6th Annual IEEE Communications Society Conference on Sensor，Mesh and Ad Hoc Communications and Networks.Rome：IEEE，2009：1－9.

［25］XING Y，CHEN Y，YI W.Optimal beacon interval for TDMA－based MAC in wireless sensor networks［C］//11th International Conference on Innovations in Information Technology.Dubai：IEEE，2015：156－161.

［26］LIU C J，HUANG P，XIAO L.TAS－MAC：A traffic－adaptive synchronous MAC protocol for wireless sensor networks［J］.ACM Trans Sen Netw，2016，12（1）：1－30.

［27］ZHOU L，WAN C，HUANG J，et al.The location privacy of wireless sensor networks：Attacks and countermeasures［J］.Wireless Networks，2014，8（5）：521－534.

［28］BAO Y，JI C，CHEN G，et al.WSN node applied to large－scale unattended monitoring［J］.Transactions of Nanjing University of Aeronautics and Astronautics，2016，33（3）：386－395.

［29］POTTIE G，KAISER W.Wireless integrated network sensors［J］.Communications of ACM，2000，43（5）：51－58.