A multi-domain trust management model for supporting RFID applications of IoT

The use of RFID technology in complex and distributed environments often leads to a multi-domain RFID system, in which establishing trust among entities from heterogeneous domains, without past interaction or a previously agreed policy, is a challenge. The current trust management mechanisms in the literature do not meet the specific requirements of multi-domain RFID systems. Therefore, this paper analyzes the special challenges of trust management in multi-domain RFID systems, and identifies the implications and requirements these challenges place on trust management solutions for such systems. A multi-domain trust management model is proposed, which provides a hierarchical trust management framework including a diversity of trust evaluation and establishment approaches. The simulation results and analysis show that the proposed method has excellent ability to deal with the trust relationships, better security, and a higher accuracy rate.


Introduction
The term Internet of Things (IoT) arises from the need to establish heterogeneous environments where the devices with varying processing capabilities can cooperate and communicate in an intelligent environment transparently to the user [1]. In its background and current research of IoT section, Radio Frequency Identification (RFID) technology is considered as a foundational technology for IoT. RFID has been widely used in many and diverse areas, such as logistics, pharmaceutical production, retailing and supply chain management [2]. The use of RFID technology in complex and distributed environments often leads to a multi-domain RFID system in which security issues such as authentication of tags and readers, granting access to data, and revocation of readers turn into an administrative challenge. A common scenario is eEnabled airplanes scenario [3], where on-board RFID tags and readers will be connected to different ground systems across multiple management domains, for logistics and access control. The part maintenance history contained in on-board RFID tags is the airline's proprietary information and the access should be protected against random or intentional access from illegal RFID readers of other management domains.
Many cryptographic authentication and data protection techniques have been proposed to solve the security issues in the literature [4][5][6][7][8]. Although conventional cryptographic mechanisms can provide data confidentiality, data integrity and node authentication for exchanged messages and protect the system from external attacks, they fail to deal with insider attackers [9]. For example, a reader owning legitimate cryptographic keys can easily launch an internal attack inside the system by altering data or injecting bogus information without being identified. So we need to introduce trust management into IoT RFID systems.
Trust management is a mechanism that also allows identifying malicious, selfish, and compromised nodes. Trust computation models and trust management systems have been implemented successfully in commercial applications. There is also a rapidly growing literature around topics of trust and reputation management for IoT [10,11]. Devices in the IoT may be equipped with inexpensive low-performance microcontrollers that provide just enough computing power to periodically perform their intended tasks, i.e. obtain sensor readings and communicate with other nodes. The problem of trustworthiness and trust management of low-power, low-performance computing nodes has been discussed in previous research, in particular in the context of Wireless Sensor Networks (WSNs) [12]. Importantly, most techniques proposed in this field focus on building trust relationships between nodes of the same domain based on observing the communication behavior of these nodes. The current trust management mechanisms in the literature do not meet all requirements for a functional implementation in the IoT context.
In the multi-domain RFID paradigm, a mobile tag will potentially interact with numerous readers from different management domains for a coalition, as well as leverage available (foreign) infrastructure for information access while on the move. However, trust establishment among entities from heterogeneous domains without past interaction or prior agreed policy, is a challenge. We analyze the special challenges on trust management in the multi-domain RFID system, when compared to conventional RFID system in IoT environments, and identify the implications and the requirements of the challenges on the solutions to the trust management of multi-domain RFID systems.
Heterogeneity of management domains: Two different management domains, who want to establish a coalition, may carry their own policies for authentication and authorization. They need to negotiate for permitting access to each other's RFID tags. The trust management of multi-domain RFID systems is required to provide a flexible and configurable trust model, enable readers and authentication centers of different domains to negotiate and collaborate.
Diverse trust requirements: There exist multiple types of entities in multi-domain RFID systems, including RFID tags, RFID readers and authentication centers. These entities have diverse trust requirements due to differences in their number, capability and stability. The trust management of multi-domain RFID systems has to provide a diversity of trust evaluation approaches to accommodate a potential diversity of trust requirements.
Support of multiple applications: There is a wealth of potential RFID applications such as object identification, any subsequent tracking and record management. Each application has its unique requirements on implementation. However, a generic trust module underlying all the RFID applications would be ideal, as it increases reusability and scalability. A trust management solution is preferred to be adaptive to the diverse applications.
Large scale Systems: With the advances in IoT technologies, the number of nodes available in multi-domain RFID systems will be enormous. Thus, the trust management solution needs to be scalable. The trust management approaches are required to include efficient algorithms in terms of computation, communication and/or storage for trust evaluation and establishment, so to handle access requests and information exchange from a potentially large number of collaborative entities.
Based on the specific requirements in multi-domain RFID systems, this paper focuses on the critical trust management issues and proposes a multi-domain trust management model.
The proposed trust management model provides a hierarchical trust management framework. The main contributions of our system are:
1. A hierarchical trust model including an RFID reader trust layer and an authentication center trust layer is proposed, which provides a diversity of trust evaluation and establishment approaches to accommodate heterogeneous management domains and diverse trust requirements.
2. The D-S theory is introduced to compute the trustworthiness of readers. To make the D-S theory fit into multi-domain RFID systems, we creatively define three interaction events and nine event assumptions, which is adaptive to the multiple applications.
3. Another trust evaluation method for readers is proposed based on verification of interaction proof. The proposed method verifies the authorization use of a reader by saving its interaction proof in the tag. Saving only the recent interaction feedback record in the tag is suitable for tags with limited built-in memory.
4. A centralized trust evaluation scheme is proposed to evaluate the trustworthiness of authentication centers. An administration center is in charge of managing the trust of an authentication center based on the abnormal event reports of readers of its own domain. Using more abnormal event reports helps trust converge more quickly. Therefore our scheme can deal with large scale RFID applications.
This paper is organized as follows. Section 2 describes related work. In Section 3, the proposed trust management method is discussed. Section 4 describes the test scenario and simulation results. Finally, we conclude with a summary of our results and directions for new research in Section 5.

Related work

Trust management in IoT environments
There is a rapidly growing literature around topics of trust and reputation management for IoT [11]. Several trust management systems have been proposed for RFID systems in IoT environments. Basically, trust management comprises the mechanisms to evaluate, establish, maintain, and revoke the trust between devices of the same or different networks within the IoT environment. The trust computation techniques in [13] are classified on four design dimensions: trust composition, trust propagation, trust aggregation and trust update. The authors summarize advantages and drawbacks of each dimension's options, and highlight the effectiveness of defense mechanisms against malicious attacks.
The work in [14] proposes an IoT protocol framework for RFID-based devices, the Scalable RFID Security Framework and Protocol Supporting IoT (SRSFPSI). The proposal entails an effective ID procedure founded on a hybrid framework (group-based and collaborative technique) and highly adaptive security monitoring handoff for RFID IoT networks. The protocol offers adaptability and scalability while upholding secure and adaptable RFID networks. Other than preventing the introduction of malicious nodes and facilitating scalability, the protocol is integrated with a malware recognition tool.
In [15], the authors propose a lightweight and robust trust establishment scheme. The proposed trust scheme is lightweight thanks to a simple trust estimation method. The comprehensiveness and flexibility of the proposed trust estimation scheme make it robust against different types of attack and misbehavior. But evaluation results show one drawback of the proposed scheme is that it is sensitive to false-positive alarms, compared to other trust mechanisms.
The work in [16] presents a trust management scheme based on revised Dempster-Shafer (D-S) evidence theory. D-S theory has an advantage in tackling both random and subjective uncertainty in the trust mechanism. A trust propagation mechanism including conditional trust transitivity and dynamic recommendation aggregation is developed for obtaining the recommended trust values from third-party nodes. Our proposed scheme is inspired by [16], but we use different Dempster rules in our model. In addition, the shortcomings of the D-S evidence theory based trust scheme are analyzed in our paper.
The work in [17] proposes a computational model for trust management. In order to enhance the security of data sharing and access control, the trust evaluation is built into the process of transactions of the data exchange and authorization. An example shows the performance of the proposed computational trust model. In [18], the authors investigate the personalized applications and services of IoT by detecting people-object gestures with a passive RFID tag. The proposal is analyzed based on people-object gesture classification. In [19], the authors also present a hierarchical trust model for the Internet of Things, similar to our work. Though the simulation results show the benefit of the hierarchical trust model, the proposed model does not explain the details of how to calculate the trust of a reader. Our work is different from [19]. The trust relationship is divided into three classes: intra-domain trust, inter-domain trust and cross-domain trust, and a time window mechanism is introduced in our multi-domain trust management model.
In [20], the authors evaluate the existing approaches to trust management in the Internet of Things based on three parameters. The first parameter focuses on trust management protocol in IoT, the second parameter concerns scalable solutions for trust management in IoT, and the third parameter addresses context-aware assessment in IoT. The paper has given a comparative evaluation of each existing approach for trust modeling in IoT, based on these parameters. Finally, the authors consider that the further research into trust management in IoT is required to develop scalable and context-aware trust solutions in IoT networks.
All these trust management schemes do not focus on the trust issue of multi-domain RFID systems. Designing a suitable trust management model to evaluate the trust of entities from heterogeneous domains without past interaction or prior agreed policy, is a challenge. In the paper, we analyze the special challenges on trust management in multi-domain RFID systems, and identify four trust requirements for multi-domain RFID systems. Finally, a hierarchical trust management framework is proposed to build the trust relationships among entities from heterogeneous domains.

D-S evidence theory
In 1976, Shafer published a book named A Mathematical Theory of Evidence [21]. Dempster-Shafer Theory has a wide range of application on uncertainty reasoning, decision analysis and predication. Evidence theory is based on belief function and plausible reasoning [22].
First of all, we define $\Theta$ as a frame of discernment $\{T, \neg T\}$, the set of propositions under consideration, where $T$ and $\neg T$ mean that the given agent considers a given correspondent to be trustworthy or not to be trustworthy, respectively. The symbol $2^{\Theta}$ indicates the set composed of all the subsets generated by the frame of discernment. For a hypothesis set, denoted by $A$, $m(A) \to [0,1]$. $\emptyset$ is the sign of an empty set. The function $m$ is the basic belief assignment.
Dempster's rule of combination combines two independent evidences.
Dempster's rule of more than two evidences: Suppose there are m evidences that are independent.
The basic probability assignments are $m_1, m_2, \ldots, m_p$. The focal elements are $A_1, A_2, \ldots, A_p$. $m(A)$ is a basic probability assignment which describes the combined evidence.
The trust evaluation strategy of readers in section 3.2 is proposed based on the D-S evidence theory in our paper.

Proposed trust management model
Our work will focus on the authentication and a measure of trust between RFID tags and readers by using a hierarchical trust model, which regulates the authentication process based on the trustworthiness of entities. In the section, we express the details of the proposed trust management model.

System model
Our RFID system model consists of one or more domains which in turn include four types of entities: RFID tags, RFID readers, authentication centers and an administration center (see Fig 1). In addition, RFID readers are also referred to as nodes. It is similar to the model in [23]. The RFID tag located on the object to be identified is the data carrier in the RFID system. The RFID reader is able to interact with a tag, including both reading data from and writing data to a tag. Every domain has an authentication center. The authentication center authorizes a reader of its own domain or another domain to interact with a tag of its own domain, and utilizes the data obtained from the tag in some useful manner. An administration center manages and maintains the trust of authentication centers.
In particular, a tag $T_k$ and a reader $R_j$ belong to an administrative domain $A$ which is controlled by an authentication center $C_A$, which in the following is referred to as the home domain. While a tag is typically attached to an object that may roam to other administrative domains, also referred to as visited domains, a reader will always remain in its home domain only. Furthermore, we assume that a reader is always connected to its home authentication center via a secure channel. Also, an authentication center is always connected to the administration center via a secure channel, while the communication between tags and readers is insecure.
In the paper, we class the trust relationship in a multi-domain RFID system into three categories (marked with red color in Fig 1) based on trust domain boundaries: 1) Intra-domain trust refers to the trust relationship between tags and the readers of the domain. 2) Inter-domain trust is a kind of trust relationship which is set up by the authentication centers in the system levels. 3) Cross-domain trust means the trust relationship between tags and the readers of different domains.
A hierarchical trust management framework shown in Fig 2 is proposed to build the trust relationships among entities from heterogeneous domains. We assume that RFID tag is protected and trusted. Thus, we only focus on evaluating the trustworthiness of RFID reader and authentication center. We refer to two layers of trust in the framework: RFID reader trust layer and authentication center trust layer. In RFID reader trust layer: We propose two kinds of scheme to evaluate the trust of readers: D-S evidence theory based scheme (D-S scheme) and verification of interaction proof based scheme (VIP scheme). Section 3.2 and 3.3 represent the details of evaluating the trustworthiness of RFID reader.
In authentication center trust layer: An administration center is used to manage the trustworthiness of authentication centers in a centralized way. The trust of an authentication center is eventually obtained by aggregating the abnormal event reports of all readers of its own domain. The system model section describes how to manage and evaluate the trust of an authentication center.

Trust evaluation of RFID readers based on D-S evidence theory
In our trust model, the formation of an opinion about the trustworthiness of an RFID reader depends on its interaction behaviors with other entities. Every node implements a watchdog agent that detects the interaction behaviors of neighbor nodes [24]. Table 1 shows three kinds of interaction events observed by neighbor nodes.
In order to adapt easily to multiple application scenarios, nine assumptions of interaction behavior are defined. The behavior of a reader is divided into three levels: malicious reader, normal reader, malfunctioning reader. Let $R_j$ denote the neighbor node of reader $R_i$. Let $T^{lo}_{ji}(t_k)$ denote the local trust of $R_i$ that is evaluated by its neighbor node $R_j$ in time window $t_k$. Here, we introduce a time window mechanism; the main objective of the time window is to record recent records and forget previous records [25]. The time window in Fig 3 consists

In time window $t_k$, neighbor node $R_j$ records the number of interaction behaviors of $R_i$, and uses them to compute $T^{lo}_{ji}(t_k)$ as follows:

where:
$M_{ji}$: the local trust value for malicious behavior of reader $R_i$, calculated by $R_j$ in $t_k$;
$F_{ji}$: the local trust value for malfunctioning behavior of reader $R_i$, calculated by $R_j$ in $t_k$;

The proposed algorithm of computing $T^{lo}_{ji}(t_k)$ is described in the following

Every node maintains two tables: local malicious node table (LMT) and local malfunctioning node table (LFT). In Fig 4, $\vartheta_2 < N_{ji} - M_{ji} < \vartheta_1$. $\vartheta_1$, $\vartheta_2$ and $\pi_1$ are the trust threshold values. In order to prevent malicious behavior, a high value is given to $\vartheta_1$ and $\vartheta_2$. $\pi_1$ is used to evaluate the malfunctioning status of a reader. In our simulation experiments, the values of $\vartheta_1$, $\vartheta_2$ and $\pi_1$ are 0.7, 0.5, 0.3, respectively. After every $\Delta$ period, the time window slides to the right, recording recent information and forgetting information recorded earlier.
The interaction events of an RFID reader can also be observed by neighbor nodes other than $R_j$. We can get a global trust value of an RFID reader by efficiently integrating the local trust opinions calculated by all neighbor nodes in time window $t_k$. However, the local trust opinions of neighbors have strong subjectivity and uncertainty. Evidence theory proposed by Dempster and Shafer can briefly express important conceptions such as 'uncertainty' or 'not-knowing'. Based on the Dempster knowledge rule in section 2.2, the global trust value of reader $R_i$ is eventually obtained as follows:

The proposed algorithm of computing $T^{gl}_i(t_k)$ is described in the following Fig 5. The global trust of reader $R_i$ is calculated by its authentication center. In addition, the global trust value of reader $R_i$ is stored in its authentication center.
In the end, the trust computing process of reader $R_i$ based on the D-S scheme is summarized as four steps: 1) The interaction event of reader $R_i$ is detected by its neighbors; 2) The neighbor nodes of reader $R_i$ calculate the local trust of $R_i$ by using a time window mechanism and send the local trust value to the authentication center; 3) The authentication center of reader $R_i$ calculates the global trust of $R_i$ by synthesizing these local trust opinions based on the Dempster knowledge rule; 4) If the reader $R_i$ is a malicious or malfunctioning node, the authentication center sends the abnormal event report to the administration center.
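The following Python sketch is an added example, not the paper's algorithm: it applies the standard Dempster rule of combination to local opinions that neighbor watchdogs derive from a sliding time window, and rejects the total-conflict case that the rule cannot normalize. The mapping from observed events to masses, the event labels ("ok", "bad", "unclear"), and the names Watchdog, combine and global_opinion are assumptions made for illustration; the sample events are constructed.

```python
from collections import Counter, deque
from functools import reduce

# Focal elements over the frame {T, not-T}; THETA is the whole frame ("not knowing").
T, NOT_T, THETA = "T", "notT", "Theta"


def _meet(a, b):
    """Intersection of two focal elements; None stands for the empty set."""
    if a == THETA:
        return b
    if b == THETA:
        return a
    return a if a == b else None


def combine(m1, m2):
    """Dempster's rule of combination for two independent mass functions."""
    fused = {T: 0.0, NOT_T: 0.0, THETA: 0.0}
    conflict = 0.0
    for a, wa in m1.items():
        for b, wb in m2.items():
            c = _meet(a, b)
            if c is None:
                conflict += wa * wb      # mass falling on the empty set
            else:
                fused[c] += wa * wb
    if conflict >= 1.0 - 1e-12:
        # Fully contradictory opinions: the normalization would divide by zero.
        raise ValueError("total conflict: opinions cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}


def global_opinion(local_opinions):
    """Fuse the local opinions of all neighbors, as an authentication center would."""
    vacuous = {T: 0.0, NOT_T: 0.0, THETA: 1.0}   # neutral element of the rule
    return reduce(combine, local_opinions, vacuous)


class Watchdog:
    """Neighbor-side observer that forgets events older than the time window."""

    def __init__(self, window):
        self.window = window
        self.events = deque()            # (timestamp, label), appended in time order

    def record(self, t, label):
        self.events.append((t, label))

    def opinion(self, now):
        # Slide the window: drop everything recorded at or before now - window.
        while self.events and self.events[0][0] <= now - self.window:
            self.events.popleft()
        if not self.events:
            return {T: 0.0, NOT_T: 0.0, THETA: 1.0}   # nothing observed: pure uncertainty
        n = len(self.events)
        counts = Counter(label for _, label in self.events)
        # Assumed mapping: share of good, bad and inconclusive observations.
        return {T: counts["ok"] / n, NOT_T: counts["bad"] / n, THETA: counts["unclear"] / n}


def demo():
    """Two neighbors observe the same reader; constructed sample events."""
    w1, w2 = Watchdog(window=10), Watchdog(window=10)
    for t, label in [(1, "bad"), (12, "ok"), (15, "ok"), (18, "unclear")]:
        w1.record(t, label)
    for t, label in [(11, "ok"), (13, "ok"), (16, "bad"), (19, "ok")]:
        w2.record(t, label)
    return global_opinion([w1.opinion(20), w2.opinion(20)])


if __name__ == "__main__":
    print(demo())
```

The "bad" event at t=1 has slid out of the first neighbor's window by t=20, so only the second neighbor's recent observation contributes distrust to the fused value.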

Trust evaluation of reader based on verification of interaction proof
The pre-condition for using the D-S based trust evaluation scheme is that the interaction events can be monitored by neighbor nodes. However, the events sometimes may not be monitored by neighbors due to the limited communication range in RFID systems. In addition, sparsely distributed readers also lead to low monitoring efficiency. Therefore, we propose another trust evaluation method for readers based on verification of interaction proof (VIP scheme) in this section. We assume the following scenario: $R_i$ and $R_j$ are denoted as the readers. Let $C_A$ and $C_B$ denote the authentication centers of $R_i$ and $R_j$. $T_i$ is denoted as a tag and its authentication center is $C_B$. At time $t$, a reader $R_i$ wants to interact with the tag $T_i$.
The process of pre-authorizing is described in the following.
1. Reader $R_i$ finds tag $T_i$, and sends the interaction request to $T_i$; then $T_i$ responds to the request and sends the information about its number, name of its home domain, etc., to $R_i$.
2. After $R_i$ receives the response information, it sends the authorization request to the authentication center of $T_i$. The authentication center of $T_i$ makes the interaction decision based on the trust of $R_i$.
3. If the authorization is approved, the authentication center of $T_i$ sends the authorization certificate to $R_i$. Then, reader $R_i$ shows the authorization certificate to $T_i$ and finishes the interaction at time $t$. Finally, $T_i$ saves the interaction feedback record $(R_i, t, S_i)$. $S_i$ expresses the feedback score. Tag $T_i$ rates 1 if it is satisfied with the interaction and 0 otherwise.
4. At the next time $t'$, tag $T_i$ interacts with reader $R_j$. $T_i$ adds the interaction feedback record $(R_i, t, S_i)$ to the data packet $D$, and deletes the record in its own memory.
7. After the authentication center $C_B$ receives $M'$, it will check whether there is an abnormal event of misusing the authorization or not at time $t$ based on the feedback score. If the feedback score is 0, the authentication center $C_B$ of reader $R_j$ will send the abnormal event report to authentication center $C_A$ of reader $R_i$ and the administration center, respectively.

Then
Here, we also introduce the time window mechanism. Fig 6 shows the example of time window mechanism in VIP scheme.
In time window $t_k$, the authentication center of reader $R_j$ records the number of interaction behaviors of $R_i$, and uses them to compute the global trust value $T^{gl}_i(t_k)$ of reader $R_i$ as follows: where:

The trust computing process of the VIP scheme is summarized as four steps: 1) The authentication center pre-authorizes reader $R_i$ to interact with the tag $T_i$; 2) The interaction feedback record at time $t$ is saved in the tag; 3) At the time of the next interaction, the tag $T_i$ interacts with the reader $R_j$. The interaction feedback record at time $t$ is added into the data packet and transmitted to the authentication center of reader $R_j$; 4) If the feedback score is 0, the authentication center of $R_j$ will send the abnormal event report to the authentication center of $R_i$ and the administration center, respectively.
Main advantages of the proposed method based on verification of interaction proof are:
1. The authentication center tracks the authorization use of a reader by checking the interaction feedback record.
2. The tag saves the interaction feedback record at time t. At the next time t', the interaction feedback record at time t is added into the data packet, and then tag deletes the record in its own memory. Only saving the recent interaction feedback record is suitable for limited built-in memory tag.
3. Intermediate readers will verify the integrity of data packet by checking h and h'. As a result, the proposed method guarantees the route security during the process of transmitting the data packet.
4. The proposed method can effectively prevent the tampering, replaying or forging attacks by checking h, adding random number and time stamp in the data packet.
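As an added illustration (not the paper's protocol), the Python sketch below shows the receiving authentication center's checks on a feedback packet: integrity, freshness, replay, and then the feedback score that triggers an abnormal event report. The page does not give the construction of h, so HMAC-SHA256 under a key shared by the tag and its authentication center, the 30-second freshness window, the JSON encoding, and the names tag_build_packet and AuthCenter are all assumptions.

```python
import hashlib
import hmac
import json
import os

MAX_AGE = 30  # seconds a packet stays acceptable (assumed value)


def _mac(key, record, nonce, ts):
    """HMAC over a canonical encoding of record, nonce and timestamp (assumed form of h)."""
    body = json.dumps({"record": record, "nonce": nonce, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def tag_build_packet(key, record, now, nonce=None):
    """Tag side: wrap the stored feedback record (reader, t, score) for the next reader."""
    nonce = nonce or os.urandom(16).hex()
    return {"record": record, "nonce": nonce, "ts": now,
            "h": _mac(key, record, nonce, now)}


class AuthCenter:
    """Receiving authentication center: verifies the packet, then reads the score."""

    def __init__(self, key):
        self.key = key
        self.seen = {}      # nonce -> packet timestamp, kept only while still fresh
        self.reports = []   # abnormal event reports to forward

    def receive(self, packet, now):
        try:
            record, nonce = packet["record"], packet["nonce"]
            ts, h = packet["ts"], packet["h"]
            expected = _mac(self.key, record, nonce, ts)
        except (KeyError, TypeError):
            return "malformed"
        # Constant-time comparison; any change to record, nonce or ts fails here.
        if not isinstance(h, str) or not hmac.compare_digest(expected.encode(), h.encode()):
            return "tampered"
        if abs(now - ts) > MAX_AGE:
            return "stale"
        # Nonces older than the freshness window can be forgotten: a packet
        # carrying one would already be rejected as stale.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = ts
        if record.get("score") == 0:
            # Feedback score 0: the earlier reader misused its authorization.
            self.reports.append({"reader": record["reader"], "t": record["t"]})
            return "abnormal"
        return "ok"


if __name__ == "__main__":
    key = os.urandom(32)                       # constructed shared key
    center = AuthCenter(key)
    pkt = tag_build_packet(key, {"reader": "R_i", "t": 100, "score": 0}, now=160)
    print(center.receive(pkt, now=165))        # abnormal
    print(center.receive(pkt, now=166))        # replayed
    print(center.reports)
```

Checking the MAC before the timestamp and nonce means an attacker cannot fill the replay cache with unauthenticated nonces.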

Trust management of authentication centers
The number of authentication centers is small, and their status is stable in a multi-domain RFID system. Therefore, a centralized trust evaluation scheme is proposed to evaluate the trustworthiness of authentication centers. An administration center is in charge of managing the trust of an authentication center based on the abnormal event reports of readers of its own domain. The authentication center needs to collect the abnormal events of readers of its own domain periodically, and sends the abnormal event reports to the administration center. The abnormal events can be found based on the D-S scheme or the VIP scheme. The administration center receives the abnormal event reports and computes the trust of the authentication center, as shown in Fig 8.

Let $A$ and $B$ denote two different domains. $C_A$ and $C_B$ denote their authentication centers, respectively. A tag $T_i$ belongs to the domain $A$. Before a reader $R_i$ interacts with a tag $T_i$, $R_i$ needs to be authorized by the authentication center $C_A$ of tag $T_i$. $R_i$ sends the authorization request to $C_A$. If $R_i$ and $T_i$ are in the same domain $A$, $C_A$ computes the trust of $R_i$ as follows:

where $T^{intra}_i(R_i)$ is the intra-domain trust, which can be obtained with Eq(9) or Eq(8). If $R_i$ and $T_k$ are not in the same domain $A$, and $R_i$ belongs to the domain $B$, $C_A$ computes the trust of $R_i$ as follows:

where $T^{cross}(C_B)$ is computed by the administration center, as shown in Fig 8. $\beta$ is a weighting factor.
If reader $R_i$ is a malicious node or a malfunctioning node, the authorization is refused, otherwise approved. When an abnormal event of $R_i$ is found, the authentication center $C_A$ will consider the behavior status of $R_i$ as malicious reader or malfunctioning node, and send the abnormal event report to the administration center. Then, the trust of authentication center $C_B$ is changed by the administration center.

Experimental study
In this section, in order to evaluate the effectiveness of the proposed trust management, a series of test scenarios are developed. Experiments were run using the ns3 simulator [26], on which the creation of trust patterns, behaviors and the interaction model was easier than with other network simulators. Fig 9 shows the network topology, where red, green and pink points represent RFID readers, RFID tags and authentication centers respectively. We assume that 100 readers are distributed over the area of three domains ($C_A$, $C_B$ and $C_D$) whose size is 1500m x 1000m². Each reader is located at a random position. The communication ranges of a reader and a tag are 200m and 70m, respectively. Here, we simulate active tags which have a wide transmission range of more than 70m [27]. The total simulation time is 260s. Firstly, trust evaluation accuracy is examined by comparing our schemes with another scheme [28]. In addition, we also study the effect of mobility and communication range of the tag on the detection rate of malicious events. Table 2 lists the default simulation parameters.

Accuracy of trust evaluation
Trust evaluation accuracy plays an important role in evaluating the performance of the trust scheme. In this section, we examine the trust evaluation accuracy of the D-S scheme and the VIP scheme, and make comparisons with the Bayes-based scheme [28].
In the first group of experiments, 100 readers are distributed in the area of three domains ($C_A$, $C_B$ and $C_D$) whose size is 900m x 600m². Other parameters are default parameters. We vary the fraction ($P_M$) of malicious readers who discard data packets from as low as 10% to as high as 50%. A reader selected to be in this "malicious" population is benign initially, but turns malicious after a randomly generated period of time $t \in [0, 120\text{s}]$ has elapsed. The initial trust value of authentication center $C_A$ is 0.9. In the experiment, the D-S scheme is used to evaluate the trust of $C_A$. In our trust management framework, the trustworthiness of an authentication center is evaluated by the administration center. Based on the trust evaluation algorithm in the system model section, the trust of the authentication center is evaluated by collecting the abnormal event reports. The trust evaluation results are shown in Fig 10. We can see that there are four malicious events at 50s, which are found by neighbor nodes at 60s, and six malicious event reports are sent to the administration center. A malicious event may be detected by multiple neighbors, so there are multiple reports. Once the administration center receives the malicious event reports, the trust value of $C_A$ is immediately updated. As the number of malicious event reports increases, the trust value of $C_A$ drops quickly. We see that after the behavior status changes, our trust scheme quickly converges towards the new trust value. The reason is that using more malicious event reports helps trust converge more quickly. Therefore our scheme can deal with large scale RFID applications.
In the second group of experiments, we compare our schemes with the Bayes-based scheme. The trust of $C_A$ is evaluated three times each by the VIP scheme, the D-S scheme and the Bayes-based scheme. The number of readers is 50, 70 and 90, respectively. The fraction ($P_M$) of malicious readers is 20%. A reader selected to be in this "malicious" population turns malicious after a period of time $t \in [0, 120\text{s}]$. Other parameters are default parameters. The results are shown in Fig 11 and Fig 12. We can see that the trust value of $C_A$ is unchanged in the first and second experiments of the D-S scheme. But the trust value decreases in the third experiment of the D-S scheme. The reason is that sparsely distributed readers lead to a low malicious event detection rate. Because the number of readers is less than 90, the malicious events are not detected by neighbor nodes. The trust evaluation results of the D-S scheme and the VIP scheme are similar. The VIP scheme outperforms all other mechanisms; it detects node misbehavior earlier and decreases the trust level of $C_A$. Even if the number of readers is 50, the malicious events can also be detected by the VIP scheme. The D-S scheme and the Bayes-based scheme adjust the trust value of $C_A$ based on observing the communication behavior of readers. But the behaviors sometimes may not be detected due to the limited communication range in RFID systems. Fig 12 shows the results of the malicious event detection rate. In the figure, the number of readers is 90. From Fig 12, we can see that as the time increases, the malicious behavior detection rate also rises. When time = 80s, the detection rate of the VIP scheme reaches its best value. When time = 160s, the detection rate of the D-S and Bayes-based schemes reaches its best value. The detection rate of malicious events in the Bayes-based scheme is the lowest.

Effect of mobility of tag
A tag is typically attached to an object that may roam to other administrative domains. The mobility of tags plays an important role in the design of trust management mechanisms and protocols. As a tag moves from one domain to another, the network topology changes continuously. These changes affect the detection of malicious events. In this section we evaluate the effect of tag mobility on detecting malicious events.
Our experiments are divided into two groups. In the experiments, we use the D-S scheme to evaluate the trustworthiness of readers. The fraction ($P_M$) of malicious readers is 20%. The communication range of a tag is 70m. In the two groups of experiments, the tags move continuously at 15m/sec and 70m/sec, respectively. Other parameters are default parameters. Fig 13(A)-13(D) shows the simulation results. In Fig 13, the square mark, triangle mark and circle mark indicate, respectively, a malicious event, a detected malicious event and the trust value of $C_A$. From Fig 13, one can see that as the moving speed of tags increases, the occurrence rate of malicious events visibly decreases, but the detection rate of malicious events becomes higher. Faster-moving tags have a shorter interaction time with readers. Thus, the average number of malicious events decreases. One can see that the average number of malicious events is 120 and 40 in Fig 13(A) and Fig 13(C), respectively.

Effect of communication range of tag
In this section, we evaluate the effect of the communication range of a tag on the detection rate of malicious events. We denote the communication range of a tag by $d_{tag}$. The experiment is simulated three times, with the communication range of the tag set to 30m, 60m and 90m, respectively. The fraction ($P_M$) of malicious readers is varied from 10% to 50%. We use the D-S scheme to evaluate the trustworthiness of readers. Other parameters are default parameters. Fig 14 shows the trust evaluation result of the authentication center $C_A$.
We can see that the trust value of $C_A$ does not change in the first experiment ($d_{tag}$ = 30m). As the malicious events increase in the second experiment ($d_{tag}$ = 60m), the trust value of $C_A$ starts to decrease. After a while, no new malicious event is detected, and then the trust value of $C_A$ gradually increases. In the third experiment ($d_{tag}$ = 90m), the trust value of $C_A$ quickly drops to the lowest value and remains steady.
As shown in Fig 14, the trust evaluation results of $C_A$ differ across the three experiments. The main reason is analyzed as follows. The number of readers is n. The network area of readers is S. $\bar{N}$ is the average number of readers met by a tag.
When the communication range is 30m, $\bar{N} = 0.29$. Thus, in the first experiment an interaction is unlikely to be detected by other readers. As a result, the performance of the D-S scheme is far from satisfactory if the communication range of the tag is too short.
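An added example (not from the paper): a rough coverage model for the reasoning above, taking the reported $\bar{N} = 0.29$ at 30 m and assuming uniformly placed readers, so that the mean number of readers in range grows with the area of the tag's communication disc. The function names, the Poisson approximation and the 90-reader simulated field are assumptions made for this illustration.

```python
import math
import random

N_BAR_AT_30M = 0.29  # value reported on the page for d_tag = 30 m

# Assumption: readers are spread uniformly, so one density fits every range.
DENSITY = N_BAR_AT_30M / (math.pi * 30.0 ** 2)  # readers per square metre


def expected_readers(d_tag):
    """Mean number of readers inside a tag's communication disc."""
    return DENSITY * math.pi * d_tag ** 2


def witness_probability(d_tag):
    """Poisson approximation: chance that at least one reader is in range."""
    return 1.0 - math.exp(-expected_readers(d_tag))


def simulate(d_tag, n_readers=90, trials=5000, seed=1):
    """Monte Carlo check on a square field sized to match DENSITY.

    n_readers and the field are constructed; distances wrap around the
    field edges so tags near the border are not undercounted.
    Returns (mean readers in range, fraction of tags with >= 1 reader).
    """
    rng = random.Random(seed)
    side = math.sqrt(n_readers / DENSITY)
    readers = [(rng.uniform(0, side), rng.uniform(0, side))
               for _ in range(n_readers)]
    total = witnessed = 0
    for _ in range(trials):
        tx, ty = rng.uniform(0, side), rng.uniform(0, side)
        in_range = 0
        for rx, ry in readers:
            dx = min(abs(rx - tx), side - abs(rx - tx))
            dy = min(abs(ry - ty), side - abs(ry - ty))
            if dx * dx + dy * dy <= d_tag * d_tag:
                in_range += 1
        total += in_range
        witnessed += in_range > 0
    return total / trials, witnessed / trials


if __name__ == "__main__":
    for d in (30, 60, 90):
        mean, frac = simulate(d)
        print(f"d_tag={d} m: model {expected_readers(d):.2f} / "
              f"{witness_probability(d):.2f}, simulated {mean:.2f} / {frac:.2f}")
```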

Conclusions and future work
In the multi-domain RFID paradigm, a mobile tag will potentially interact with numerous readers from different management domains for a coalition, as well as leverage available (foreign) infrastructure for information access while on the move. However, trust establishment among entities from heterogeneous domains without past interaction or a prior agreed policy is a challenge. Based on the specific requirements of multi-domain RFID systems, this paper focuses on the critical trust management issues and proposes a multi-domain trust management model. The proposed model provides a hierarchical trust management framework that includes a diversity of trust evaluation and establishment approaches. We refer to two layers of trust in the framework: the RFID reader trust layer and the authentication center trust layer. In the RFID reader trust layer, we propose two schemes to evaluate the trust of readers: a D-S evidence theory based scheme (D-S scheme) and a verification of interaction proof based scheme (VIP scheme). In the authentication center trust layer, an administration center is used to manage the trustworthiness of authentication centers in a centralized way. In the experiment section, we compare our schemes with the Bayes-based scheme. The simulation results and analysis show that the VIP scheme outperforms all other mechanisms, detecting node misbehavior earlier. The detection rate of malicious events in the Bayes-based scheme is the lowest. In addition, the performance of the D-S scheme is far from satisfactory if the communication range of the tag is too short. The malicious behaviors in the D-S scheme and the Bayes-based scheme sometimes may not be detected due to the limited communication range in RFID systems.
There are a few directions for our future work. The values of $\vartheta_1$, $\vartheta_2$ and $\pi_1$ will be studied in the algorithm simulation. We plan to develop a full list of threats against the proposed hierarchical trust management framework and analyze the vulnerability of the system to these threats. Performance optimization of the trust management system is another focus of our future research work.