MAC-AODV Based Mutual Authentication Scheme for Constraint Oriented Networks

A wireless sensor network (WSN) is an infrastructure-free organization of various operational devices. Owing to their characteristics, these networks are used in many different applications. WSNs must collect real-time and precise data, because critical decisions are based on these readings in different application scenarios. Authentication of the operational devices is one of the challenging issues for the research community, as these networks are dynamic and self-organizing in nature. Moreover, due to the constraint oriented nature of these devices, a generalized light-weight authentication scheme needs to be developed. In this paper, a light-weight anonymous authentication technique is presented to resolve the black-hole attack issue associated with WSNs. In this scheme, the Medium Access Control (MAC) address is used to register every node in the WSN with its nearest cluster head (CH) or base station module(s). The registration process is performed in an off-line phase to ensure the authenticity of both legitimate nodes and base stations in an operational network. The proposed technique resolves the black-hole attack issue because an intruder node would need to be registered with both the gateway and the neighbouring nodes, which is not possible. Moreover, a hybrid data encryption scheme, combining the elliptic curve integrated encryption standard (ECIES) and the elliptic curve Diffie-Hellman problem (ECDDHP), is used to improve the authenticity, confidentiality and integrity of the collected data. Simulation results show the exceptional performance of the proposed scheme against field-proven techniques in terms of minimum possible end-to-end delay and communication cost, and maximum average packet delivery ratio and throughput, in the presence of malicious node(s).


I. INTRODUCTION
Wireless sensor networks (WSNs) play a vital role in automating and upgrading different parts of our daily life, such as patient diagnosis, smart homes or offices, parking, and safety and security measures. Sensor-embedded devices, i.e., sensor boards, are deployed to collect real-time data, such as detection of movable objects in smart home applications, pulse count in health care, or intruder detection in military applications [1], [2]. Generally in WSNs, data collected by sensor boards, which consists of confidential and sensitive information, is transmitted to a central location, i.e., a gateway or server, through either a direct or a multi-hop communication mechanism [3]. This sensitive data needs to be collected and accessed solely by authenticated device(s) in an operational network. Authentication of operational devices in WSNs is a primitive process which is used to verify the identity of both sender and receiver modules. Before the actual communication process is initiated, any board or device interested in sharing information must prove its identity, i.e., that it is an authentic node, to the receiving device and vice versa [4]. Usually in WSNs, sensor boards or devices are limited in terms of processing, communication, power and sensing capabilities. Therefore, for these networks, the authentication process needs to be light-weight and efficient, particularly in terms of processing and power consumption, to avoid or prevent various attacks such as black-hole, man-in-the-middle and replay [5].
The associate editor coordinating the review of this manuscript and approving it for publication was Kaiping Xue.
VOLUME 8, 2020
In the literature, various authentication schemes have been proposed to secure the collected data by ensuring device authenticity prior to the initialization of the transmission process, i.e., actual data transmission [6]-[8]. Although these techniques have resolved the security problem associated with constraint oriented networks, they incur a comparatively higher computational and communication cost. The complexity of an authentication scheme has a direct correlation with the performance of an operational network in general and a WSN in particular. Usually, existing techniques have utilized various cryptosystems, i.e., symmetric, asymmetric and hybrid systems, to guarantee authenticity, integrity and confidentiality of both data and devices [9]. Point-to-point authentication among nodes of an operational constraint oriented network is achieved through extensible authentication protocols, P2P, IPsec and the host identity mechanism [10]-[13]. Likewise, trust based authentication and extended ad-hoc on demand distance vector (EAODV) were presented to address the black-hole attack issue associated with constraint oriented networks [14]. Moreover, a two tier approach is proposed in the literature to address this issue, particularly the black-hole attack problem [15]. Although these techniques perform exceptionally well in resolving the authenticity and confidentiality issues, they have compromised either on the complexity of the schemes or on the authenticity of the operational devices, or both. These compromises lead to the black-hole attack in constraint oriented networks. For example, in both the AODV and EAODV authentication schemes, a malicious node is able to deceive a neighbouring node or gateway or both.
In this paper, a light-weight mutual authentication scheme for WSNs is presented to address the authenticity and confidentiality issues associated with an operational network, particularly WSNs and IoTs. The proposed scheme is not only reliable in terms of the operational devices' authenticity, but it is also computationally efficient, as described in the results section. A detailed description of the proposed MAC based registration process is depicted in Figure 1, where both scenarios are presented, i.e., the request and response process of a legitimate node C i and of an intruder node A k with the concerned base station S j . In Figure 1, green lines represent the communication between legitimate nodes and the BS, whereas red lines describe the request initiation process of the malicious node(s) with the nearest BS.
The main contributions of this research work, particularly from WSNs' perspective, are described below.
1) A hybrid device authentication and communication algorithm.
2) A node C i is authentic iff its MAC address is registered with the concerned BS.
3) Avoidance measures for the black-hole attack through a MAC address registration scheme in the off-line phase.
4) A hybrid data encryption scheme for resource limited devices to improve the integrity and reliability of the collected or transmitted data.
5) The proposed approach uses the minimum (possible) number of XOR operations and hash functions.
6) The various claims of the proposed approach are justified with appropriate simulation measures.
The remainder of the paper is organized as follows. In Section II, an overview of the literature, preferably closely linked to the problem addressed, such as black-hole attacks, is presented. In Section III, a detailed description of the proposed methodology with mathematical modelling is presented. In the subsequent section, an informal security analysis of the proposed scheme is presented. In Section V, various simulation parameters and results are discussed in detail. Finally, concluding remarks are given.

II. LITERATURE REVIEW
Authentication of devices in an operational network is a challenging issue for the research community in general and for networks of resource limited devices in particular [16]. These networks, i.e., WSNs and the Internet of things (IoTs), have limited processing and transmission power, subject to the devices' infrastructure, i.e., processors and Xbee modules [17]. Hence, authentication scheme(s) for these constraint oriented networks must be light-weight, avoiding excessive processing and communication overheads. Moreover, authentication scheme(s) need to resolve or prevent the majority of the possible threats or attacks, such as black-hole, jamming, tampering and Sybil.
To address the authentication issue, various techniques have been presented in the literature. A complete review of those mechanisms is beyond the scope of this paper; therefore, a review of the existing methodologies which are closely linked to the proposed approach is presented. Initially, AODV based methods were used to secure constraint oriented networks against the aforementioned attacks, particularly black-hole [18], [19]. These protocols have ensured the loop free structure of the operational networks, i.e., WSNs and IoTs, with a proper route management system through a sequence of RREQ and RREP messages. However, these techniques rely solely on the reliability of the neighbouring node, which cannot always be guaranteed in resource limited networks. A trusted model based authentication scheme was proposed by Liu et al. [20] to address the black-hole issue in WSNs. This model generates various routing paths with prior information about the attacker behaviours and the compromised regions, which are susceptible to the malicious node(s), in WSNs. A node interested in transmission finds trusted neighbour(s) by searching its own trust database. This process not only secures the communication, but also improves the success ratio of packets. A chaotic feature based technique known as BP-AODV is presented by El-Semary and Diab [21] to resolve the black-hole issue in mobile ad hoc networks (MANETs). Although this scheme is very effective against routing attacks, the authentication is an energy consuming process. A forged packet based routing infrastructure, which is an enhanced version of the ad hoc on demand vector routing (AODV) scheme [22], [23], is presented to address the black-hole issue [24]. Fake route request (RREQ) messages, which are strongly correlated to the original messages, are transmitted to identify malicious nodes in WSNs. As these messages are known to the legitimate nodes, only malicious nodes will reply.
A sensor node behaviour based routing infrastructure is presented by Shahabi et al. [25] to address the black-hole issue. Usually, a malicious node replies (route reply, RREP) to each and every route request (RREQ) message received from neighbouring nodes. Moreover, the malicious node advertises a lower hop count than legitimate nodes, which is embedded in its RREP message(s). A malicious node has the maximum number of RREP and the minimum number of RREQ messages in the network, whereas a legitimate node frequently initiates route request (RREQ) messages in the network. A neighbouring node activity based mechanism was presented to address the black-hole issue associated with networks of point-to-point (P2P) devices [13]. For example, if a device, i.e., Node-A, sends a packet to another device, i.e., Node-B, then a digital signature is used by Node-A to sign the packet, which is verified by Node-B or other neighbouring devices via information maintained in their activity tables. Legitimate neighbouring nodes simply ignore this packet, whereas a malicious or intruder node sends a PREPs message that is unsigned. Similarly, a timer based baited technique which consists of two phases was presented to resolve the black-hole issue [15]. A legitimate node uses a bait timer, i.e., 5 usec, to generate and broadcast a message embedded with a fake ID, which is used to identify malicious nodes in its close proximity. A trust value based routing mechanism is presented which binds a node interested in communication to prefer a trusted path over the shortest path in an operational network [26]. The trust value of every intermediate node is computed, preferably after 0.07 sec, using its packet and PREQs forwarding abilities. This scheme is embedded in the AODV based routing mechanism to prevent the black-hole attack. Likewise, in an alternative approach, cross-checking of nodes, i.e., the sender and the neighbour that forwards the packet further, is thoroughly performed to safeguard the network from black-hole attacks.
To achieve this, every node has to maintain additional information in its routing table in the form of zeros and ones, where 1 and 0 represent true and false values. Similarly, an AODV based scheme was presented by Hassan et al. [27] which is specifically designed for smart meter networks. It uses two functions, i.e., function-I updates the sequence number at the destination if any RREQ is received, whereas function-II denies DRREP acknowledgements from intruder node(s). Although these techniques provide different ways to resolve the black-hole issue, they are either application specific or complex. Moreover, the probability of a black-hole attack still exists and needs to be addressed. A three-phase registration and authentication scheme was presented by He et al. [28] to address the device authenticity issue associated with resource limited networks. Although this scheme was convincing as far as device authenticity is concerned, it was overly complex (due to the three phases of authentication). Moreover, this scheme creates various overheads and compromises on the lifetime of both individual devices and the network. Similarly, a distributed query based authentication scheme was proposed by Ma et al. [29]. However, this scheme compromises on the lifetime of individual nodes, as these devices are bound to use a complex encryption and decryption scheme.

III. PROPOSED METHODOLOGY: A HYBRID APPROACH
To resolve the aforementioned issue, i.e., the black-hole attack specifically in resource limited networks, a hybrid approach consisting of medium access control (MAC) and an AODV based protocol (MAC-AODV) is presented. Every device C i ∈ WSNs must have a valid MAC address that is shared with the concerned or nearest base station module S j , particularly in the off-line phase, using appropriate cryptographic measures. The base station S j decrypts this information and stores the device C i in a repository or data dictionary, i.e., the MAC table. When a device, i.e., either a legitimate node C i or an intruder node A k , requests to initiate the communication process with base station S j , its authenticity is confirmed using the MAC table information. Moreover, various encryption algorithms are incorporated in the proposed technique to achieve integrity and confidentiality of the collected data in constraint oriented networks, i.e., WSNs. The proposed hybrid scheme consists of two phases: 1) the registration phase and 2) the operational phase.

A. DEVICE REGISTRATION PHASE
In this phase, which is off-line, every node or device C i in the WSN generates a request message which includes its MAC address information and encrypts it using well-known encryption methods, i.e., the elliptic curve Diffie-Hellman problem (ECDDHP) and the elliptic curve integrated encryption scheme (ECIES). In addition to the 48-bit MAC address, source and destination address information is included in the message generated by C i . The encrypted message is sent to the concerned or nearest base station S j , which decrypts it using the aforementioned methods to collect the MAC address of the sending device C i . S j adds C i 's MAC address to the data dictionary, i.e., the MAC table in this case. When the MAC address has been added to the MAC table, S j sends a confirmation message to the concerned C i in cipher text form. The concerned device or node C i decrypts this message and updates its routing table entries. A detailed description of the off-line phase is presented in Figure 2. Moreover, the registration (off-line phase) process is completed before the deployed network becomes operational, i.e., starts its main function to achieve its target or goals. Therefore, the entrance probability of an intruder device A k is almost negligible, particularly in the registration (off-line) phase. Entry of an intruder device A k , specifically in the off-line phase, is possible only if there is an adversary in the deployment team.

B. OPERATIONAL PHASE: LEGITIMATE DEVICE IDENTIFICATION
Every node C i ∈ WSNs needs to be registered with the nearest base station S j as described in subsection III-A, preferably after the deployment phase, through the MAC addressing scheme, where i = 1, 2, 3, . . . n and j = 1, 2, 3 . . . m such that m < n. Note that the parameters m and n are adjusted according to the application requirements. Moreover, every S j maintains a registration table, i.e., MACTable, where member node information is stored, i.e., C i ∈ S j . A device/node C i is allowed to trigger the communication process with a particular S j iff C i is registered with S j , i.e., C i ∈ member(S j ) or C i ∈ MACTable(S j ). For example, when a device C i ∈ member(S j ) initiates the communication process with its concerned base station, C i sends an encrypted request message to the base station S j . The concerned S j module decrypts this message, which contains the requesting device's information such as its 48-bit MAC address and the source and destination addresses. The concerned base station S j ensures the authenticity of the requesting device C i through a cross-checking mechanism, i.e., it searches for the requesting device's MAC address in its MAC table. If a match is encountered, that is MAC(C i ) ∈ Registered(MAC), then the requesting device C i is allowed to start the communication activity, that is, transmission of its collected data. A complete description of this activity is depicted in Figure 3.

C. OPERATIONAL PHASE: MALICIOUS DEVICE IDENTIFICATION
Conversely, if the requesting device A k is a malicious or adversary node, then its MAC address will not be registered with any base station S j in an operational network, and registration is a mandatory step in the proposed mechanism for initiating a communication process with any S j ∈ WSNs. Hence, its request is denied by the concerned S j , as MAC(A k ) ∉ MACTable(S j ) where k = 1, 2, 3, . . . Additionally, every neighbouring node residing in close proximity, i.e., C i ∈ S j , is informed about this malicious activity. The requesting process of A k to initiate a communication session with a base station is depicted in Figure 4.
The MAC based registration process of every C i with its nearest S j minimizes the probability of A k in the operational WSN. Moreover, the registration process of nodes C i with a particular S j is performed in an off-line phase as described above, and the S j are prohibited from registering further MAC addresses once the network becomes operational. Hence, an intruder node A k cannot find a way to mimic a legitimate node C i ∈ S j and start communication. Additionally, in the proposed scheme, every device C i is assumed to have the ability to communicate directly with the concerned S j in an operational network.
Moreover, every device C i in an operational network has a defined waiting time, i.e., back-off time which is the time needed for a particular C i to receive confirmation response from the concerned S j module.
where T i represents the time needed for a request message generated by C i to reach its destination, i.e., S j , and T r is the registration confirmation response time from S j . T p is used to differentiate the responses of malicious nodes/devices A k from legitimate ones. Every legitimate device C i waits for the confirmation response from S j until T p has expired, which means that either the request or the response is lost. In that case the process is repeated, i.e., C i resends the request packet to the concerned S j to initiate a communication process.
Theorem-1: A device C i generates an authentication or data processing request with the concerned S j iff C i ∈ member(S j ).
Proof: Let us assume that an intruder node A k initiates an authentication request to the nearest sink S j by sending its MAC address. S j will authenticate the requesting device A k by triggering a lookup operation in which the MAC of A k is searched for in the table of registered MAC addresses T j . Since no match is available for the MAC of A k , S j denies the request of A k or simply ignores it. Conversely, if a legitimate node C i initiates an authentication request to the concerned S j , then it will be verified successfully, as the MAC of C i ∈ member(S j ). Hence, only a legitimate node C i , C i ∈ member(S j ), initiates a request to process the collected data.
Theorem-2: An authentication request is processed by a legitimate sink node S j only.
Proof: Assume that an intruder node A k intercepts an authentication request destined for a particular S j . A k needs to process this request within the stipulated time, i.e., the waiting time of a legitimate device C i , represented by T p , to receive an authentication process confirmation from the intended S j . Every device stores this information in the off-line phase, where the registration activity is performed. An intruder node A k lacks this information and is unable to respond within the stipulated time frame, i.e., T p . Additionally, consider scenarios where a response from a particular S j is intercepted by an intruder A k , which forwards it with malicious information to the concerned C i . A legitimate C i has the capacity to differentiate this malicious packet from the original via its T p , i.e., C i will observe an unusual delay. Hence, it will discard that packet.
Conversely, if C i 's authentication request is processed by a legitimate S j , then C i will receive the response within the stipulated time, i.e., T p .
Hence, an authentication request is processed by a legitimate sink S j only not an intruder device A k .
Additionally, the proposed approach uses a 48-bit MAC addressing scheme where 24 bits represent the manufacturer ID and the remaining bits are used for the identification of an individual sensor node in an operational network. This scheme is quite effective in differentiating legitimate nodes from adversary node(s), specifically in the deployment phase, i.e., C i or A k ∈ (Legitimate-node-Class). Moreover, if an adversary node A k attempts to initiate a data processing request, it is denied by the intended base station S j as described above in Theorem-1, and the concerned BS adds the MAC address of this A k node to its blacklist. The blacklist mechanism is adopted to avoid or prevent further disturbance or process initiation requests generated by A k , as presented in Algorithm 1 below. Class-Authenticate is used to store the MAC addresses of the legitimate nodes in an operational network, whereas the Black-list class stores the information of the blacklisted devices, which are represented by A k in the proposed system. The variable i is used to represent the actual sensor nodes deployed in a particular infrastructure.

Algorithm 1 Proposed Light-Weight Authentication
6: if MAC address (C i ∈ Class-Authen) then
7:    C i is allowed to initiate info processing req
8: else if MAC address (C i ∉ Class-Authen) then
9:    C i is not allowed to initiate info processing req
10:   C i is added to class Black-list k
11: end if
12: end for
13: return Class-Authen and BlackList

The proposed scheme uses access control list (ACL) based gateways to prohibit unauthentic devices A k from communicating with either an S j or a C i in an operational network, specifically a resource limited one. The ACL allows the administrator, S j in this case, to control the scalability of the underlying network, i.e., node deaths or the deployment and management of new nodes.
Well-known encryption schemes, i.e., the elliptic curve Diffie-Hellman problem (ECDDHP) and the elliptic curve integrated encryption scheme (ECIES), are adopted in the proposed algorithm to achieve the desired level of data authenticity and confidentiality, specifically in constraint oriented network environments. These schemes are selected based on their connection with the MAC addressing scheme and their complexity.
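The admission logic of Section III (MAC table frozen after the off-line phase, the Class-Authen / Black-list decision of Algorithm 1, and the T p response window) can be sketched as follows. This is an added example, not the authors' code: the encryption layer is omitted, and the class and function names, the sample MAC addresses, the response delays and the T p value are all constructed for illustration.

```python
"""Added illustration: MAC-table admission check, blacklist and T_p window.

Not the paper's code. The ECIES/ECDDHP layer is left out; every name, sample
MAC address, delay and the T_p value used here is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(text: str) -> int:
    """Validate a 48-bit MAC address string and return it as an integer."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(re.sub(r"[:-]", "", text), 16)


def split_mac(mac: int) -> tuple[int, int]:
    """Split a 48-bit MAC into (24-bit manufacturer ID, 24-bit node ID)."""
    return mac >> 24, mac & 0xFFFFFF


@dataclass
class BaseStation:
    """Base station S_j holding the MAC table (Class-Authen) and the blacklist."""
    name: str
    mac_table: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    operational: bool = False
    alerts: list = field(default_factory=list)  # (offender MAC, notified members)

    def register(self, mac_text: str) -> None:
        """Off-line phase only: add a node's MAC address to the MAC table."""
        if self.operational:
            raise PermissionError("registration is closed in the operational phase")
        self.mac_table.add(parse_mac(mac_text))

    def go_operational(self) -> None:
        self.operational = True

    def handle_request(self, mac_text: str) -> bool:
        """Return True iff the requester's MAC is in the MAC table."""
        try:
            mac = parse_mac(mac_text)
        except ValueError:
            return False                 # malformed identity: deny
        if mac in self.blacklist:
            return False                 # already blacklisted: deny silently
        if mac in self.mac_table:
            return True                  # MAC(C_i) is registered: allow
        self.blacklist.add(mac)          # unregistered: deny and blacklist
        self.alerts.append((mac, tuple(sorted(self.mac_table))))  # inform members
        return False


def authenticate(mac_text, station, t_p, response_delays, max_attempts=3):
    """Node-side loop: send a request, accept only a reply that arrives within T_p.

    response_delays holds one constructed delay (seconds) per attempt;
    None models a lost request or response.
    """
    attempts = 0
    for delay in response_delays[:max_attempts]:
        attempts += 1
        if not station.handle_request(mac_text):
            return ("denied", attempts)
        if delay is not None and 0 <= delay <= t_p:
            return ("accepted", attempts)
        # Lost or late reply: discard it and resend the request.
    return ("timeout", attempts)


def demo():
    """Constructed scenario: two registered nodes, one unregistered requester."""
    station = BaseStation("S1")
    for mac in ("00:1A:2B:00:00:01", "00:1A:2B:00:00:02"):
        station.register(mac)
    station.go_operational()
    legit = authenticate("00:1A:2B:00:00:01", station, 0.5, [None, 0.9, 0.2])
    intruder = authenticate("DE:AD:BE:EF:00:01", station, 0.5, [0.1])
    return legit, intruder, station


if __name__ == "__main__":
    print(demo()[:2])
```

In the constructed run, the registered node is accepted on its third attempt because the first reply is lost and the second arrives after T p, while the unregistered requester is denied on its first attempt and blacklisted.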

IV. INFORMAL SECURITY ANALYSIS OF THE PROPOSED SCHEME
In this section, the resilience of the proposed scheme against well-known security breaches or attacks is described in detail, particularly in operational WSNs. Some of these attacks and the prevention measures adopted by the proposed scheme are described below.

A. CLIENT IMPERSONATES ATTACKS
Suppose that an intruder node A k tries to send a login information request, that is, a request to trigger the communication process, to the concerned base station S j in an operational WSN. A k needs to use an encrypted version of its MAC address information, 48 bits in this case, and share it with S j . The MAC address information of a client device C i is not shared with its neighbouring nodes, as we have assumed that every device C i has the capacity to communicate directly with its concerned base station S j . Moreover, breaking a 48-bit MAC address will require 2^48 iterations to decipher a particular client device C i 's message, and this is beyond the processing capabilities of an ordinary node. Therefore, it is difficult for an intruder device A k to mimic the behaviour of a legitimate node C i in an operational network, which is possible in existing schemes such as [18], [21]. Moreover, every C i and S j have a pre-defined turn around time T r , the time in which a sender device expects a response from the concerned receiver. If a response message arrives after T r has expired, it is considered a malicious response and is ignored.

B. SENSING DEVICE IMPERSONATION ATTACKS
Assume that an intruder A k interrupts an ongoing communication process between a client device C i and base station S j by intercepting the transmitted messages. A k tries to modify a captured message and re-transmit it to convince either a legitimate node C i or a base station S j that the message contents came from an authentic source. However, due to the limited computational capabilities of an ordinary node, we believe that it is impossible to break a 48-bit encrypted message within the stipulated time frame, i.e., the turn around time T r as described above. Hence, in the proposed communication and authentication infrastructure, the probability of a device impersonation attack in operational networks is negligible, whereas it is possible in existing approaches such as [18], [21].

C. BASE STATION/GATEWAY IMPERSONATION ATTACK
The proposed scheme is immune to the base station/gateway S j impersonation attack, as every device C i has a defined time frame in which it expects to receive a response from the concerned S j . For example, an intruder node A k tries to impersonate a base station S j in the operational WSN by intercepting messages from various client devices C i destined for that particular S j . However, it is computationally expensive and beyond the processing capacities of sensor nodes to decipher the original message and re-broadcast an updated version within the defined time frame T r . Moreover, the intruder device A k needs to generate its own MAC table, which is generated in the off-line phase in the proposed scheme. As opposed to the existing schemes [19], [20], this attack is not feasible in the proposed infrastructure, specifically in operational mode.

D. EAVESDROPPING ATTACK
Suppose that an intruder node A k collects each and every message which is transmitted in an operational WSN. These messages are re-transmitted in modified form on insecure channel(s). However, eavesdropping is not feasible in the proposed authentication and communication infrastructure, as every node C i needs to transmit data in cipher form, which is produced through the well-known encryption methods described above. Moreover, both the sensor C i and the base station S j modules create their data dictionaries in the off-line phase, where the deployment probability of an intruder device A k is negligible.

E. PERFECT FORWARD AND BACKWARD SECRECY
Suppose that an intruder node A k hijacks an ongoing transmission session between a legitimate node C i and base station S j . Although the messages are transmitted in cipher form, assume that A k has deciphered one and forwards an updated version of the original message. This processing needs to be completed within a specified time frame, which is fixed in the off-line phase. In the proposed infrastructure, both node C i and base station S j use the message arrival time to differentiate an original message from a malicious one. Hence, the proposed scheme is immune to the perfect forward and backward attack, while existing schemes [27] are sensitive to this attack, particularly in operational mode.
A comparative analysis of the security features of the proposed scheme against well-known and field-proven schemes is presented in Table 1. In this table, an entry with Yes means that the scheme is immune, i.e., not vulnerable, to those attacks.

V. RESULTS AND PERFORMANCE EVALUATION
In this section, a detailed description of the simulation results is presented to elaborate and verify the performance of the proposed scheme against field-proven algorithms over different evaluation metrics, such as throughput, packet delivery ratio and end-to-end delay, and by launching various intruder attacks in an operational WSN. These algorithms were implemented in OMNeT++, which is an open source simulation environment specifically designed for constraint oriented networks (WSNs), using similar deployment and performance metrics. Initially, a random topological infrastructure with embedded propagation delay is adopted to mimic the real deployment process of constraint oriented networks, i.e., WSNs. Moreover, the path loss ratio and interference parameters were kept constant for the whole network, as these parameters are beyond the scope of our proposed authentication and communication infrastructure. The various parameters used in the simulation setup of the proposed infrastructure are presented in Table 2. To comply with real node deployment and lifetime issues, standard battery powers, available on different development platforms such as Libelium, are used.
The proposed scheme is compared with Ad hoc on demand distance vector (AODV) and enhanced Ad hoc on demand distance vector (EAODV) based mechanisms, specifically from the black-hole attack and routing perspective. The malicious node(s) A k were deployed in operational networks of the AODV-based, EAODV-based and proposed MAC-AODV based schemes, preferably after the deployment phase. We have observed that a malicious node is easily adjusted, i.e., becomes a legitimate node, in an operational network (a WSN in this case), particularly in the AODV and EAODV-based authentication schemes. However, the MAC address binding mechanism in the concerned base station S j minimizes the adjustment probability of an intruder node A k in an operational WSN.

A. COMPUTATIONAL COST
Due to the resource limited nature of WSNs, a security scheme with the lowest possible computational cost is preferred over computationally expensive scheme(s), provided it does not compromise on the security measures. Table 3 provides a detailed comparative analysis of the proposed scheme and field-proven schemes in terms of computational cost. In Table 3, T h represents the time required to compute a hash function and T XOR describes the exclusive OR operation. T ran represents the random nonce used in the communication infrastructure; however, as opposed to the hash function(s), its computational cost is negligible. A blank entry is used to describe situations where a security scheme does not use that measure, i.e., in Vaidya et al. sensor side authentication is not needed, hence it is represented with "-". It is evident from the analysis in Table 3 that the proposed scheme is more suitable for WSNs, as it has a lower computational cost than its rival schemes.

B. COMMUNICATION COST
In order to compare the communication cost of the proposed scheme with existing schemes, we have counted only those messages which are necessary, including both the off-line (if any) and on-line phases, to establish a proper communication session between legitimate nodes in an operational network. It is evident from Table 4 that the proposed scheme has a lower communication overhead than existing approaches except [3], [19]. However, both of these mechanisms are computationally more complex, i.e., they need more processing time, than the proposed scheme, as shown in Table 3.

C. END-TO-END DELAY
Generally in networking and particularly in WSNs, a communication or routing scheme with the lowest possible end-to-end delay ratio is considered an ideal solution in different realistic environments. Therefore, the performance of the proposed hybrid scheme in terms of the end-to-end delay metric is compared with well-known techniques. Simulation results show that the proposed scheme performs better than its rival schemes, as shown in Figure 5. Moreover, this parameter is highly affected (its value is decreased) if a technique is vulnerable to black-hole attack(s). These results were obtained by introducing various malicious nodes in operational networks of the proposed and existing approaches.

D. AVERAGE THROUGHPUT
If the deployment process is random, then WSNs with relatively higher throughput, particularly with the available resources, are preferred in various real scenarios or applications. Figure 6 presents the throughput comparison of the proposed and existing schemes, which clearly depicts the exceptional performance of the proposed scheme. These measures were computed in the presence of various malicious nodes in the operational networks, i.e., WSNs. As the proposed scheme is not susceptible to black-hole attacks, it achieves better throughput than the rival schemes. Moreover, diverse scalability does not affect the proposed scheme's performance, specifically its average throughput.

E. AVERAGE PACKET DELIVERY RATIO
Packet delivery ratio describes the ratio of successfully received packets, particularly at the intended destination node(s), to the transmitted ones, and it is directly proportional to the average throughput of an operational network. The proposed scheme has a better performance ratio than the field proven schemes, as shown in Figure 7. Moreover, the possibility of malicious node activities, preferably the black-hole attack, is thoroughly considered in the simulation environment, and it is evident from Figure 7 that the proposed scheme's performance is not affected by these activities. This is because the proposed scheme is not vulnerable to the black-hole attack.
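The following added example (not the paper's protocol or simulation code) shows how MAC address binding at the base station S_j changes the packet delivery ratio when a traffic-dropping relay is present. The registry contents, the `Relay` type, the function names and the round-robin traffic split are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Relay:
    mac: str
    drops_traffic: bool = False  # True models a black-hole relay

# Constructed sample data (not from the paper): registry held by base station
# S_j after the off-line phase, and the relays answering a route request.
REGISTRY = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}
RELAYS = [Relay("02:00:00:00:00:01"), Relay("02-00-00-00-00-02"),
          Relay("02:00:00:00:00:03"),
          Relay("02:00:00:00:00:99", drops_traffic=True)]

def normalize_mac(mac):
    """Canonical form: 12 lowercase hex digits, or None if malformed."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return digits

def admit(relays, registry, mac_binding):
    """Relays accepted for routing; without binding every responder is accepted."""
    if not mac_binding:
        return list(relays)
    allowed = {normalize_mac(m) for m in registry}
    allowed.discard(None)  # a malformed registry entry must never match anything
    return [r for r in relays if normalize_mac(r.mac) in allowed]

def packet_delivery_ratio(relays, registry, mac_binding, packets=1000):
    """PDR = packets received at the destination / packets transmitted."""
    admitted = admit(relays, registry, mac_binding)
    if not admitted:
        return 0.0
    delivered = 0
    for i in range(packets):
        relay = admitted[i % len(admitted)]  # assumed even traffic split
        if not relay.drops_traffic:
            delivered += 1
    return delivered / packets

if __name__ == "__main__":
    for binding in (False, True):
        pdr = packet_delivery_ratio(RELAYS, REGISTRY, binding)
        print(f"MAC binding={binding}: PDR={pdr:.2f}")
```

Adding the dropping relay's address to the registry models a node enrolled during the off-line phase; the binding check then admits it and the ratio falls back to the unprotected value.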

VI. CONCLUSION AND FUTURE WORK
A tightly coupled issue with resource limited networks, specifically WSNs, is the authentication process of various operational devices, which becomes more complex if both sensor nodes and base station modules are mobile. Therefore, an authentication scheme for these networks must be light-weight and should be smart enough, i.e., adapt easily to the changing topological infrastructures of WSNs. In this paper, a light-weight anonymous authentication technique, MAC based AODV, for constraint oriented networks was presented to resolve the aforementioned issue, particularly the black-hole attack. Every node needed to be registered with its concerned (or nearest) base station, which was carried out in an off-line phase. Intruder nodes were introduced in operational networks and it was observed that the proposed authentication scheme performed remarkably well, as entry of malicious nodes was almost impossible except in scenarios where malicious nodes were deployed in the off-line phase. Moreover, a hybrid data encryption scheme, elliptic curve integrated encryption standard (ECIES) and elliptic curve Diffie-Hellman problem (ECDDHP), was used to further strengthen the authenticity, confidentiality and integrity of both data and nodes. Simulation results verified the proposed scheme's exceptional performance against its rival techniques, particularly in achieving minimum end-to-end delay and communication cost, and maximum average packet delivery ratio and throughput.
In the future, we are eager to extend the proposed authentication scheme to make it applicable to multi-hop communication infrastructure as well. Moreover, device-to-device or node-to-node authentication needs to be incorporated in the proposed scheme, as direct communication of sensor node(s) with the base station is not always possible and realistic.
MOHAMMED AL-ZAHRANI is currently a Faculty Member with the College of Computer Science and Information Technology, King Faisal University, Saudi Arabia, where he is also the Dean of the Information Technology Unit. He has several international publications to his credit and has vast consultancy experience in networks. His research interests include wireless sensor networks and the Internet of Things.
MUHAMMAD ZAKARYA received the Ph.D. degree in computer science from the University of Surrey, Guildford, U.K. He is currently a Lecturer with the Department of Computer Science, Abdul Wali Khan University Mardan, Pakistan. His research interests include cloud computing, mobile edge clouds, performance, energy efficiency, algorithms, and resource management. He has a deep understanding of theoretical computer science and data analysis. Furthermore, he has a deep understanding of various statistical techniques which are, largely, used in applied research.
MUHAMMAD SAEED AMJAD received the M.S. degree in computer science from NCBA & E, Lahore, and the master's degree in information technology from the University of the Punjab, Pakistan. After completing his master's degree, he joined the Army Public College of Management Sciences (APCOMS), Gujranwala, as a Computer Lecturer and taught various subjects related to computer science and information technology for one and a half years. He also has to his credit the experience of serving Pakistan Army Aviation for one and a half years as a Network Supervisor. He has been a member of the Faculty of Computer Science and Information Technology, Virtual University of Pakistan, since November 2010. His major area of interest is computer networks.
REHAN AHMED received the B.E. degree in computer systems from the Quaid-e-Awam University of Engineering Sciences and Technology, Nawabshah, Pakistan, and the M.Phil. degree in computer science. He has been serving as an Instructor with the Department of Computer Science, Virtual University of Pakistan, since September 2007. His main area of interest is computer networks. He has to his credit the experience of teaching at the Nawab Shah Institute of Information Technology, for one year, as a Computer Lecturer. He also has experience in the Policy Planning Cell, Ministry of (L&M) Islamabad, for one and a half years, as a Data Manager.
VOLUME 8, 2020