An active and verifiable trust evaluation approach for edge computing

Billions of Internet of Thing (IoT) devices are deployed in edge network. They are used to monitor specific event, process and to collect huge data to control center with smart decision based on the collected data. However, some malicious IoT devices may interrupt and interfere with normal nodes in data collection, causing damage to edge network. Due to the open character of the edge network, how to identify the credibility of these nodes, thereby identifying malicious IoT devices, and ensure reliable data collection in the edge network is a great challenge. In this paper, an Active and Verifiable Trust Evaluation (AVTE) approach is proposed to identify the credibility of IoT devices, so to ensure reliable data collection for Edge Computing with low cost. The main innovations of the AVTE approach compared with the existing work are as follows: (1) In AVTE approach, the trust of the device is obtained by an actively initiated trusted detection routing method. It is fast, accurate and targeted. (2) The acquisition of trust in the AVTE approach is based on a verifiable method and it ensures that the trust degree has higher reliability. (3) The trust acquisition method proposed in this paper is low-cost. An encoding returned verification method is applied to obtain verification messages at a very low cost. This paper proposes an encoding returned verification method, which can obtain verification messages at a very low cost. In addition, the strategy of this paper adopts initiation and verification of adaptive active trust detection according to the different energy consumption of IoT devices, so as to reliably obtain the trust of device under the premise of ensuring network lifetime. Theoretical analysis shows that AVTE approach can improve the data collection rate by 0.5 ~ 23.16% while ensuring long network lifetime compared with the existing scheme.


Introduction
With the development of Internet of Things (IoT), there will be more than 20 billion IoT devices by 2020 [1][2][3]. Most of these IoT devices are deployed at the edge of the network [4][5][6]. Due to the huge number of these IoT devices and the development of micro-processing technology, their computing and storage capabilities have greatly improved. For example, the computing and storage capacity of mobile phones now exceeds that of personal computers more than 10 years ago [7][8][9]. These huge changes have led to extremely huge computing and storage capacity of the edge network, so the current network computing center is transferred from the network center to the edge of the network, forming an emerging computing model such as Edge Computing (EC) or Fog Computing [1,[10][11][12]. Because most applications are based on the data sensed and acquired by IoT devices [13,14], many emerging applications sensitive to latency and bandwidth, such as virtual reality, augmented reality and infrastructure for smart cities, benefit from edge computing. In the past, data needs to be sent to the cloud over a long distance, and the results of the cloud center are returned to the user through a long path. The edge computing is closer to the data source, which can reduce long delay, packet loss and large energy consumption [15][16][17][18].
However, the Edge network is an open network with various IoT devices in various forms connected [19][20][21]. For example, Luo et al. [4] gave a typical application of smart city as shown in Fig. 1. In smart city, a large number of IoT devices, most of which are wireless sensing devices, are deployed in various applications in the city to realize the perception of the surrounding environment [4,9,22,23]. These sensing devices are relatively simple and do not have the ability to communicate directly with the Internet [4,9,24]. They are often selforganized into networks [25][26][27]. Sensing devices on the roadside act as gateway to collect the data of the entire network [4], and then send the collected data to the passing mobile vehicles [28][29][30]. Due to the advanced hardware of mobile vehicles, they can communicate directly with the Internet. Thus, the low-cost opportunistic routing method can establish data communication with the edge network [4,9,31,32]. Such a data collection method has been widely applied in the current edge network due to its low cost [4,9].
In such a network, many IoT devices are generally selforganized into a network [4,33]. One or more nodes are selected as data collection nodes. The data collection nodes have different names in different networks [4]. In wireless sensor networks (WSNs), the data collection node is called sink [34,35], and the data collection node is gateway in the application shown in Fig. 1 [4]. A common feature of these networks is that the data collection node is the center. All other nodes transmit their data to the data collection node through multi-hop routing [36,37]. However, an important issue is the security of data collection [36][37][38][39]. Because of the network openness, many IoT devices can be added to the network autonomously [40,41]. Thus, the malicious IoT devices will maliciously prevent the normal data collection. The most common is an attack called black hole [36,42]. In such an attack, malicious nodes drop all packets forwarded by themselves to destroy the data collection [42]. The other is called selective forwarding attack (SFA), which is a smart attack [43]. In SFA attacks, malicious nodes are not as simple as black hole dropping data packets, but selectively dropping packets of some nodes [43]. Therefore, there is a certain packet loss rate in the wireless network. The malicious nodes can selectively drop some packets to effectively protect themselves from being discovered, so that they can initiate attacks at a critical time to cause longer-term and worse damage [43]. The data-based applications rely heavily on obtaining data consistency. The insecure behaviors such as the interception of data by malicious nodes can cause the loss of packets, which can cause the control center to make wrong decision in case of lack of data [43], further causing serious losses. Therefore, it is an important issue in the edge network to identify malicious nodes so as to clear them from the network or do not forward the data through them to avoid packet loss.
There are currently some related studies on protecting data collection. The studies are divided into two categories. The first type is targeted strategies to resist attacks. The main idea of the strategy is to take corresponding actions against attacks based on the characteristics of malicious nodes attacks, thereby invalidating the attack. For example, Liu et al. [42] proposed a Security and Energy-efficient Disjoint route (SEDR) strategy against black attack. In the SEDR scheme, data packets are divided into T shares through (T, M) -threshold secretsharing algorithm, which use the same hop routing method to route to as far apart as possible, and then to the sink. As long as the M shares in the T shares can reach the sink safely, the packet can be successfully recovered. In this way, SEDR uses multiple separate routes to reduce the probability of being attacked by malicious nodes and to increase the probability of data successfully transmitted to the sink. The method is designed for a specific attack, so it is highly targeted and effective. However, the disadvantage is that the adaptability is narrow and it is generally ineffective for other attacks. Another shortcoming is the high cost of the strategy. There are two reasons for the high cost. First, the implementation cost of the strategy is high with the packet divided into T shares. Due to the redundancy among the T shares, the sink only needs to receive the M shares to recover the entire data packet. Obviously, there is at least T-M shares of redundancy. Because the main energy consumption of wireless nodes is caused by the data transmission. The strategy pays for additional energy consumption, which affects its lifetime. The other is that the data will be lost after the network attacked. Then, t the network will pay a huge price for wrong decisions. The other type is a generally applicable method of defending against attacks. The most important method of defending against attacks is a strategy based on trust [5,6,11,14,30,34,36]. This type of strategy is not designed for a specific attack behavior, but adopts the corresponding data routing strategy to obtain the trust status of the node. If the behavior of the node conforms to the expected behavior, the node is considered to be trustworthy, and its trust is increased. Otherwise, its trust is reduced [36]. After obtaining the node's trust status, a node with high trust is selected as relay node to avoid the selection of malicious nodes when nodes transmit data, which can increase the probability of successfully data transmission to the sink [36]. Obviously, the behavior of trusted nodes is in line with expectations, and the behavior of dropping packets is not in line with expectations, thus the trust level is reduced. The strategy of using trust-based defense against attacks is not aimed at a specific attack, and it is effective for most network attacks. Therefore, it is a generally applicable method to resist attacks [36]. Relatively speaking, the cost of the method of obtaining trust is low.
The premise of trust-based attack defense methods is to obtain the trust of the node. However, how to effectively obtain the trust of the node is a challenge issue [36]. The main difficulties are as follows: (1) Observing the behavior of nodes is actually very difficult in the edge network. Because IoT devices have limited energy and hardware, their communication radius is small. Besides, they are deployed in some specific areas. It is difficult to observe the behavior of nodes forwarding data. Obviously, it is difficult to judge the trust degree of a node without observing the behavior of the node; (2) The node energy is very limited and the low lost trust system is needed to be designed.
Some strategies based on trust to resist attacks have been proposed. These studies are divided into two categories according to the way they gain trust: (1) Strategies for passive trust acquisition methods [6,11,30]. In this trust-based strategy, the system only observes the interaction behavior of nodes, but the system itself does not take action. These studies obtain the trust degree of nodes by observing the behavior of nodes, trust reasoning and evolution methods, and then take appropriate data collection strategies to avoid attacks according to the trust degree of nodes; (2) The other is the strategy of active trust acquisition [5,34,36]. Liu et al. first proposed an active trust acquisition method called Active-Trust for WSN [36]. In the proposed method, the node actively initiates a detection route and the data packet of the detection route is empty. However, the attacker does not know that it is a detection route. When the attacker initiates an attack, it will be exposed, thereby reducing trust degree. Obviously, this method can be initiated actively according to the needs of the application, which accelerates the speed and accuracy of trust acquisition, and thus has higher efficiency [36].
Although active trust acquisition has some advantages, there is still room for further research. In this paper, an Active and Verifiable Trust Evaluation (AVTE) approach is proposed to identify the credibility of IoT devices, so to ensure reliable data collection for edge computing with low cost. The main innovations of the AVTE approach compared with the existing work are as follows: (1) The AVTE method proposes an active trust detection strategy with active detection and feedback. The existing active trust detection strategy only initiates active detection without feedback. Thus, most of the trust acquisition occurs between neighboring nodes, which seriously affects the effectiveness of the strategy. The AVTE approach proposed in this paper requires the receiving node to return the information of the transmitted packet to confirm whether the packet received or not. Therefore, the trust acquisition of the AVTE approach is a verifiable method with higher reliability of trust acquisition ensured. It is different from the previous trust acquisition method which are not verifiable. (2) The AVTE method proposes a method to return verification information of multiple data packets at one time to reduce the node energy cost of returning feedback. Previous methods do not return a verification message or the cost of returning verification is high. In the method proposed in this paper, the node returns the encoding of the verification. We can know which packets successfully received by explaining the encoding. At the same time, the length of the encoding is the same as the information length of a packet, so the feedback information can obtain the verification message at a very low cost. In addition, the strategy of this article also uses initiation and verification of adaptive active trust detection according to the different energy consumption of IoT devices, so as to reliably obtain the trust of devices under the premise of ensuring network lifetime.
The rest of the paper is organized as follows. Related works are reviewed in Section 2. In Section 3, we describe the system model and formulate the problem of AVTE scheme. Sections 4 presents the detailed design of AVTE scheme. The proposed AVTE scheme is evaluated in Section 5. We conclude in Section 6.

Related works
Due to the rapid improvement of the computing, storage, and perception capabilities of IoT devices, IoT devices are widely deployed in various applications [44][45][46]. Although the storage and computing power of a single IoT device is relatively small [47], the massive amount of IoT devices deployed to the edge of the network have huge computing and storage capabilities. With more and more services are deployed to the network edge, current network is transferred from the cloud of the network to the edge of the network. Many applications are calculated on the edge of the network. Because the edge of the network is close to the data source, and the calculated result is also close to the user, so the data and results returned to the user do not need to go through a long transmission path like cloud computing, which brings users a higher Quality of Experiment (QoE) [48,49]. Due to the current development of artificial intelligence technology [12,31,38,39], the development of edge networks and edge computing is in the ascendant [48,50]. Secure data collection is an important guarantee for the applications development [27,34,37,51,52]. Therefore, how to ensure the safety of data collection is an important research issue and there have been quite a lot of researchers focusing on it [53][54][55]. Some related research results are given below in this section.
This article divides the studies into two categories according to the targets of defending security attacks in data collection. One is the security strategies for specific attack behaviors [36,37,41,43]. The other is the trustbased security data collection strategies [5,6,11,14,30,34,36]. Trust-based strategies are divided into active trust acquisition strategies and passive trust acquisition strategies.

Defense strategies for specific attacks
This type of data collection strategy for specific attack behavior based on the characteristics of the attack adopts corresponding defense strategies. The following gives several important types of security strategies proposed for specific security attacks.
(1) Strategies to resist dropping packet attacks Black hole attack and SFA are the most widespread of these types of attacks [36,42,43]. Black hole attack is such an attack that malicious nodes drop all received data packets, which is similar to all data packets sent to malicious nodes as if entering black hole, so it is called black hole attack [36,42]. SFA is a more difficult attack to resist. If all data packets are dropped, it is easy to find, so the survival time of malicious nodes is not long. In SFA, malicious nodes only drop a part of the packets selectively, even are the same as the normal node for a long period of time, but they drop important data in critical periods. In this way, malicious nodes not only protect themselves, but also bring harm to the network. It is also known as gray hole attack [43]. For the black hole attack, the SEDR strategy proposed by Liu et al. [42] is mentioned earlier. In fact, the strategy is to send packets to the sink through multi-hop routing at the same time. Even if some routes are attacked, as long as a route successfully reaches the sink, it can guarantee the packets collection. In short, the basic principle of this type of method is to send redundant packets. Whether it is the method of sending multiple slices or the method of multi-routes, the key idea is exploiting multiple routes. Even if one or more routes are blocked, it is still possible to guarantee the security collection of packets. Relatively speaking, SFA is more difficult to resist. Xiao et al. [43] proposed a more classic strategy named CHEMAS (checkpoint-based multi-hop acknowledgement scheme) to resist selective forwarding attacks. The method of the CHEMAS mechanism is to select a certain number of nodes as checkpoint nodes in the routing path from the source node to the sink. Once the checkpoint node receives the data packet, it returns an ACK packet to the upstream of the data source. The ACK packet contains a time to live (TTL) that the ACK can survive. Each time the ACK packet passes a detection node, its TTL number is reduced by 1. If the TTL is 0, ACK packet is discarded. After the node forwards the data, it waits for the arrival of ACK packets. If the node does not receive the expected number of ACK packets, it sends a warning message to the source node [43].
(2) Defend against Sinkhole attack [37] Mo et al. Journal of Cloud Computing: Advances, Systems and Applications (2020) 9:51 Sinkhole attack is such an attack behavior. In WSNs, most data routing strategies rely on hop-based routing. Each node selects a node with a smaller hop count as the next hop node for data routing. In response to this, malicious nodes claim that they have a smaller number of hops to the sink, and broadcast their own hops to the sink. Therefore, neighbor nodes will choose malicious nodes as the next hop. Neighbor nodes then spread routing messages outward, so that the data of nodes within the scope of Sinkhole will be routed to malicious nodes, then malicious nodes drop the data collected by these nodes [37]. This causes the data of nodes within a certain range cannot be collected by sink. Liu et al. [37] proposed a better strategy for detecting and avoiding sinkholes. The main idea is to send a detection packet to sink every other detection cycle with a certain probability while the node normally sends data, and ask sink to return a confirmation packet. The confirmation packet must contain the sink's digital signature, confirming that its identity is true. If the node does not receive the return message of the true sink, it indicates that there is a sinkhole. Then take the far-sink routing method to avoid the influence of the sinkhole and to find the true sink. Then, notify the true sink to take measures to clear the sinkhole.
There are many security strategies for specific attack behaviors, such as how to resist clone attacks [48], and injection attacks [49], etc. Due to space limitations, they are not discussed one by one.

Trust-based security strategy
The main idea of this type of research is to evaluate the trust of nodes. The nodes that faithfully fulfill their commitments have a higher trust, while the nodes that behave badly are given a low trust evaluation, thereby avoiding the participation of low-trust nodes in the data collection process.
The total trust degree of a node is based on the integration of trust degree in the recent period. The simplest method used for the synthesis of trust degree is the average value of trust degree evaluation [36]. In practice, most studies use the principle of prioritization of recent information. The trust value closest to the current time is more important, and the further away from the current time the trust value becomes less important. Therefore, the trust value closer to the current time is given greater weight, and the trust value further away from the current time is given less weight. Integrating the trust degree weighting for a period of time forms a comprehensive trust degree evaluation [36].
Expanding the trust relationship is a method to enrich the trust relationship. The most commonly used mechanism is the reasoning and evolution of trust [5,11,14,30]. Infer the unknown trust relationship through the existing direct trust relationship, which can enrich the trust relationship and make the trust evaluation scope wider. The main idea of this type of research is that trust is divided into two types. One type is direct trust [36], that is, there is direct interaction between nodes, and the trust evaluation of the other party is obtained according to the result of direct interaction. The other type is indirect trust [36]. Although there is no direct interaction between the two nodes, there are indirectly interacted nodes, so an indirect trust relationship can be established. The calculation of indirect trust generally adopts the principle of trust multiplication. The product of the trust of the nodes on the transfer path is the indirect trust. In this way, indirect trust is actually a way of decay. Nodes can evaluate the trust of many nodes in the network according to the reasoning and evolution mechanism of trust. Finally, select the collaborators based on the nodes of the trust evaluation. But the biggest disadvantage of this kind of method is that the accuracy of indirect trust is difficult to verify. In addition, in such a trust inference mechanism, the number of nodes that a node directly interacts with is small, and the reliability of trust reasoning decreases sharply as the level of reasoning increases, making the results unreliable. Therefore, nodes often only get few the trust status of some nodes, while the trust status of most nodes may not be obtained.
In traditional research, the acquisition of trust is a passive acquisition method [6,11,30]. This is because the trusted evaluator does not take any special actions to gain trust, but only observe the interaction behavior of the evaluated object [6,11,30]. Then, the trust evaluation value is given based on the interaction behavior of the evaluated object. The disadvantage of this passive trust evaluation method is that the obtained trust relationship is relatively small, it takes a long time to obtain the trust value, and it cannot be applied to the network with strong dynamic change. Moreover, if the acquisition speed of the trust value is less than the speed of the dynamic change of the network, the acquisition of the trust value becomes very limited. At the same time, this method cannot perform on-demand and timely trust evaluation of key evaluated objects.
At present, there are not many studies on active trust acquisition. Liu et al. [36] are the first researchers to propose active trust. The main idea of the proposed strategy is that the node actively initiates some probe routes with no data content, and if a node launches an attack on it, its trust is reduced, so that it can obtain the trust status of more nodes in a shorter time. However, in the strategy proposed by Liu et al. [36], data routing does not return information. Therefore, non-neighbor nodes do not know which node the data route has reached and the forwarding situation of other nodes, which leads to certain difficulties in its accurate and rapid determination of the trust value. Based on the above analysis, this paper proposes an active trust acquisition strategy based on encoded return data routing information, which has better meaning.

System model and problem statement
The network model The network model used in this article is similar to the network model of Ref. [36]. A certain number of wireless sensor nodes are deployed in a certain area, and there is a special node called sink to collect data of the entire network. The data of other nodes is transmitted to sink through multi-hop routing. But the network model in this paper is not only applicable to the typical planar wireless sensor network of active trust scheme, but also applicable to the network sites in many edge networks such as the linear network formed by many wireless sensor nodes deployed along oil pipelines in industrial applications, and the strip network deployed along river channels. At the same time, it is also suitable for the network formed by many IoT devices. For example, in the smart city proposed by Luo et al. [4], many IoT devices are deployed in various communities, and these IoT devices are self-organized into a network. As shown in Fig. 2, the nodes located on the side of the road act as gateways or sinks and are responsible for data collection for the entire network. Other IoT devices route their perceived data to the gateway node through multi-hop routing. When the mobile vehicles pass through the gateway communication range, the gateway node sends the collected data to the mobile vehicles, and the mobile vehicles send the received data to the edge network server to complete the data collection (Fig. 2). The energy consumption model and related definitions use a typical energy consumption model. Eq. (1) represents the transmission energy consumption, Eq. (2) represents the reception energy consumption. E elec represents the transmission circuit loss. The model uses free space and multipath fading (d 4 power loss) according to the distance between the transmitter and the receiver (d 2 power loss). ε f s and ε amp are respectively the energy required for power amplification in the two models. The energy consumption for receiving l-bit packets is shown in Eq. (2). The above parameters are shown in Table 1.
The problem statements The main objective of this paper is to design a feedback strategy based on data routing to improve the data collection rate. The purpose of returning the data routing information is to verify the correctness of the received data, thereby identifying malicious nodes, ensuring the safety of data collection. There are three main problems to be solved: (1) Maximize the data collection rate The data collection rate refers to the ratio of the number of data packets received to the total number of data packets sent. Malicious nodes in the network will drop the data packets, thus affecting the data collection. Considering that the number of data packets sent is M, and the number of data packets that successfully reach the sink is N, the formula for maximizing the data collection rate μ can be expressed as: (2) Trust acquisition The AVTE strategy can accurately and quickly obtain the trust value of a node. The given trust value depends on the behavior of the node. For the trusted node, the trust value is high, while for the untrusted node, the trust value is low. When the trusted nodes generally show high trust, it means that the AVTE strategy can effectively identify the trust of the nodes. The average trust degree of trusted nodes is defined as ξ, which is used to reflect the ability of AVTE method to identify the trust degree of nodes. The average trust value is higher, the ability to obtain the trust value is stronger.

(3) Network lifetime is maximized
Network lifetime is related to energy. Reducing the energy consumption of nodes can extend the lifetime of the network. We define the death time of the first node in the network as the network lifetime. If the energy consumption of node i is E i , the longest lifetime is expressed as In summary, the research goal of this paper is as follows: The design of AVTE scheme

Research motivation
ActiveTrust scheme is one of the methods to effectively detect black hole attacks and obtain node trust.
Nodes actively initiate detection routes and the data packets in the routes are empty. Empty packets routing will cause black hole attacks to expose the location of damaged nodes without causing loss or damage to data packets. However, there is room for improvement in this active trust scheme. This paper has improvements mainly in the following three aspects: (1) Add a feedback mechanism between the source node and the routing nodes to detect the reliability of the data received by the node. By verifying whether the two packets are consistent, determine whether there are data packets loss, so as to evaluate whether the trust value is increased or decreased. (2) The source node broadcasts an inquiry signal and sends it to all routing nodes, requiring the routing node to return feedback information after receiving all the data, instead of feeding back every time a packet received. Thus, the system pays a low price. (3) Using the k data packets as feedback signals consumes more energy, we consider encoding k data packets to a packet as a feedback signal after k data encoding and XOR, thereby reducing energy consumption. Figure 3 shows an overview of the AVTE scheme that includes detection routing, data routing, and feedback signals.

AVTE design
The source node sends m packets at time t, and the data is sent in binary encoding. Assuming that m data are respectively encoded as n-bit binary data, the node in the network receives the data. At time t + a, the source node broadcasts an inquiry signal, requiring all routing nodes to return a feedback signal to the source node to confirm whether the node has received the packet sent by the source node. Nodes encode and XOR the received k (k ≤ m) packets, and the obtained result is fed back to the source node. The source node compares the feedback data routing information with the source data to determine whether they are consistent. If they are consistent, it means that the behavior of transmitting data is credible, which improves the trust of nodes, and vice versa. Through feedback routing, the trust of the nodes can be further improved. Select nodes with high trust for data transmission, thus ensuring the security of data collection and at the same time feeding back the results of k data XOR, which can reduce energy cost. a. Encoding rules for source data: After receiving the XOR result, we must determine the unique composition of the target data and ensure that the result of the XOR is unique after taking any k of the m data. b. The composition form of the feedback signal: the feedback signal includes not only k data encoding and XOR results, but also binary encoding of the received data by the routing node, which is then fed back to the source node as the prefix of XOR results This can increase the uniqueness of the target data determination.

Encoding method of feedback signal
Assuming that ε data is uniformly encoded as a ζ bit binary number b 1 b 2 b 3 …b ζ , b ζ takes the value 0 or 1. Each data is uniquely determined after encoding, and the data sent is Node receives k data. After the operation of XOR, we get a n a n − 1 a 0 b ζ b 1 b 3 …b 2 , where a n = 0 or 1. a n a n − 1 a 0 is the binary encoding of the amount of data received. Assuming that it means that the node is reliable. If it does not exist, the following two reasons are discussed. Case 1: If a n 2 n + a n − 1 2 n − 1 + …a 0 2 0 < k, it shows that the received data is less than k, there is data lost during the data transmission, and the trust value needs to be reduced.
Case 2: If a n 2 n + a n − 1 2 n − 1 + …a 0 2 0 = k, the node may indeed receive k data or may not. If a node receives k data, but the feedback signal or the code bit of the received data is lost when it is returned to the source node, this will cause the source node to make an error in the judgment of the amount of data received. Therefore, it cannot be verified successfully and the trust value also is reduced. If not, it is similar to case 1.
Theorem 1: Assuming that ε source data is represented by a binary digit of ζ, there is the most suitable value for ζ Proof: ζ bits are needed to be able to represent ε data completely. And ζ bits can represent 2 0 + 2 1 + 2 2 + … + 2 ζ = 2 ζ + 1 − 1 numbers, so 2 ζ + 1 − 1 ≥ ε. Considering energy consumption, the length of ζ is not as long as possible, because the more digits the more energy is consumed. Therefore, ζ is rounded up and ζ = ⌈log 2 (ε + 1) − 1⌉.
It should be noted that if the result is not unique when x data of ζ-bit XOR, the length of the code needs to be increased.
Theorem 2: Assuming that m data is sent, n bits represent the amount of data received. The amount of data received by each node is different, and the value of n is also different. The range of n is: Proof: n bits can represent 2 0 + 2 1 + 2 2 + … + 2 n = 2 n + 1 − 1 data, and a node can receive up to m data. 2 n + 1 − 1 ≤ m, that is n ≤ log 2 (m + 1) − 1, and n is an integer, so the maximum value of n is: Therefore, the feedback signal is n +ζ bit. Once ζ is determined, each source data is ζ bits and ζ-bit data XOR is still ζ bits. Thus, the feedback signal of each node is fixed with ζ bits. By observing the previous n bits, we can know the amount of data received by the node. If all the sent data are lost, there is no XOR result, then n = 0.
We assume that the source node sends such a set of data: 001001,010111,011100,101011,111000, any k from the 5 data to form a group for XOR, the results are listed in Table 2.
Taking the verification node n 1 as an example, the signal 10010101 indicates that n 1 receives two data, and the result of the XOR of the two data is 010101. As shown in Table 3, we can know that 001001⊕011100 = 010101, from which we can know that node n 1 does not lose data, improving its trust. The verification status of the remaining 3 nodes is also shown in Table 3.
For node n 3 , we can see that the feedback signal is abnormal, which shows that node receives 3 data, but there is no set of data that matches it. This is contradictory. Since 010111⊕011100=001011, we can conclude that node n 3 is likely to lose a data. Here we will not discuss the exact reason, but we can conclude that the n 3 node drops the data and the trust value will be reduced. Algorithm 1 is the detailed description of AVTE strategy.

Calculation of trust value
When receiving a feedback signal, we can know whether the data received by the node is consistent with the data sent, so as to obtain the trust of the node. If the trust value is lower than the threshold, it is regarded as a malicious node, and this node will not be selected in the future routing. The neighbor node with high reliability will be selected to participate in the data routing to improve the security of data collection for the entire route. Algorithm 2 gives the data routing scheme.
Theorem 3 (change of trust value of a single node): the initial trust value of the node is Φ, and the change degree of the trust value is φ, then the trust value after transmitting data is: Proof: 1-Φ represents the gap with full reliability, and multiplied by φ indicates the change of this gap. "+" means that the gap is reduced and the trust value is increased; "-" means that the gap is enlarged and the trust value is reduced. Therefore, "+" is taken when the verification is successful, and "-" is taken when the verification fails. We can know whether the verification is successful based on the feedback data, and then use Eq. (9) to calculate the change of node trust. Assign an initial value to the initial trust value Φ of node A and the degree of change φ of the trust value 3: If node A is trusted then 4: = + (1 -) × 5:

7:
If <Θ then 8: node A is no longer selected as a routing node 9 End if 10: End if 11 End for Theorem 4 (trust value of sink): Assuming that there are l nodes on routing path, the trust value of the first node can be calculated by Eq. (9) and use the trust value of the first node as the initial value of the next node. So, the trust value of the second node can be calculated. By analogy, the trust value of the third, the l-1th, and the lth nodes, that is, the trust value of sink can be calculated.
Γ n refers to the trust value of the node, Φ 1 is the initial trust value of the first node, and φ is the degree of change of the trust value of each node. Algorithm 3 shows calculation of the trust value.
The following is a specific example. Considering a routing path, the model is simplified as shown in Fig. 5. We discuss the calculation of trust in three situations: successful data verification, failed data verification and random data verification. Finally, the trust value of the node to the sink is discussed. Case 1 (data verification is successful): Assuming that the initial trust value of node 1 is Φ 1 = 0.5, the degree of change of trust value is φ = 10%. First feedback signal shows that the data received by the node and the data sent by the source node are normal, then the trust value of node 1 becomes 0.5+ (1-0.5) × 10% = 0.55, and the trust value increases by 0.05. If the data verification is successful in the second time, the trust value of node 1 becomes 0.55+ (1-0.55) × 10% = 0.595, and the trust value increases by 0.045 on the original basis.
If each feedback signal indicates that the data received by node 1 is consistent with that of the source node, its trust value will continue to increase, and the trust value is close to 80% after 10 verifications. After multiple verifications, the trust value will be close to 1, and the reliability of the node is very high. When φ is changed, the trust value changes accordingly. When φ = 15% or φ = 20%, the change of node 1 trust value is shown in Table 4. Figure 6 demonstrates the results of change of node trust value when the initial value is the same and the φ is variable.
Case 2 (data verification is failed): Assuming that the initial trust value of node 2 is 0.5 and φ = 10%. The first feedback signal shows that the data received by the node and the data sent by the source node are inconsistent, then the trust value of node 1 becomes 0.5-(1-0.5) × 10% = 0.45, the trust value is reduced by 0.05. If the second feedback signal still cannot find the source data corresponding to the received data, the trust value will be reduced again to (1-0.45) × 10% = 0.055, the trust value will drop to 0.0256 after 7 times, which is very close to 0. At this point, the node is already very unreliable. If we set the threshold Θ = 0.2, the trust value has fallen below 0.2 after 5 rounds of data transmission, and node will not be selected in the future routing process. Considering its neighbor node, calculate the trust value of node 2 to decide whether it can be selected as the next hop node.
It can be seen from Table 5 and Fig. 7 that changing the initial value and φ, trust value is different. When φ = 15%, the trust value of node 2 is reduced from 0.8 to 0.1909(< 0.2). If the 11th data verification fails, the trust value will be reduced to 0.0695, so we can get the trust value of the node through 10 rounds of data transmission, providing a basis for the selection of routing nodes. By comparing with the threshold, we can also know that the node can participate in several rounds of data transmission at most. For example, when φ = 15%, the trust value of the first four rounds of data transmission is greater than 0.7, so node 2 can still participate in data transmission with high reliability.
Case 3 (data verification is random): Assuming the initial trust value of node 3 is Φ 1 = 0.2, φ = 10%. The first   feedback signal shows that the data received by the node and the data sent by the source node are normal, then the trust value of node 1 becomes 0.5+ (1-0.5) × 10% = 0.55, and the trust value increases by 0.05. When the second data transmission fails verification, the trust value of node 3 becomes 0.55-(1-0.55) × 10% = 0.505, the probability of successful verification each time is random, and the trust value after 10 rounds of data transmission is shown in Table 6. Figure 8 presents the change in node trust value after different rounds of data transmission and if verification is random. Case 4 (consider all the nodes on the routing path in Fig. 5 and calculate the trust value of the sink after a round of data transmission): Assuming that the initial value of node 1 is 0.5 and φ = 90%. The probability of each data verification success is random, we assume that the data received by node 1 during the first data transmission is correct and passes to the neighbor node, the initial trust value of node 2 becomes 0.5+ (1-0.5) × 90% = 0.95. If node 2 data verification fails and the data continues to be passed to node 3, it will affect the trust value of node 3, and so on. We can get the reliability of the data when it reaches the sink. The trust value of sink is shown in Table 7.
Therefore, the trust value of the data transmitted through this routing path to the sink becomes 0.9123. This is the result of a round of data transmission. After each round of data transmission is completed, the trust of the data that reaches the sink will change. We calculate the results after ten rounds of data transmission as shown in Table 8, and the trust of the data arriving at the sink is shown in Fig. 9.

Trust acquisition
The AVTE method can not only identify malicious nodes, but also accurately obtain the node trust degree. In the active trust scheme, the node that does not attack the detection route is evaluated as a good node, and the trust state of the node is qualitatively obtained. However, Fig. 6 Change of trust value if verification is successful Table 5 Change of node 2 trust value in Case 2  Table 6 Change of node 3 trust value in Case 3 the AVTE method gives the trust degree of the node quantitatively, which provides a more accurate standard for selecting the next hop.
According to the criterion of high trust given by trusted nodes and low trust given by untrusted nodes, the average trust degree of trusted nodes is used to evaluate the ability of AVTE scheme to identify trusted nodes. The trust degree of these trusted nodes is generally high, so the average trust degree is also high. Based on the calculation of the trust degree in Section 4.5, we consider that there are n 1 , n 2 , …, n m nodes in total, among which h nodes of n 2 , n 5 , …, n d , n q are not malicious nodes. The given trust degrees are T 2 , T 5 , …, T d , T q , then the average trust degree is: If the average trust level is below 0.5, it means that the AVTE strategy has an error in identifying the trusted node. The higher the average trust degree, the higher the security of trusted nodes, and the stronger the ability of AVTE to identify the credibility of nodes.
With the number of detections increases, the trust value of good nodes will continue to increase, the average trust value will also increase, and the trust value of bad nodes will decline. Figure 10 shows that after 11 data verifications, the average trust degree of trusted nodes is continuously rising and higher than 0.5, indicating that the trust value obtained by the AVTE method is effective.

Data collection rate
There are detection routes, data routes, and feedback routes in the edge network at the same time. The detection routes are responsible for identifying malicious IoT devices, the data routes are responsible for sending data to the sink, and the feedback routes are responsible for returning data routing information to the source node. When the data route transfers the data of node n i to node n j , the detection route detects two nodes are not black nodes. The trust of node n i to node n j is called direction trust. Direction trust refers to the trust relationship established by two nodes directly transmitting data. At the same time, there is also indirect communication between nodes in the network. Data is transmitted to another node through an intermediate node. The trust relationship established at this time is called indirect trust. In the edge network, nodes mostly establish direct    trust through direct interaction, and the direct trust obtained is more accurate and reliable. Therefore, the network relationship is simplified in our manuscript, and Fig. 3 only shows the relationship between nodes directly transmitting data to nodes. Therefore, Theorem 5 and Theorem 6 in our manuscript only consider direction trust, which has no effect on the result of data collection rate.
After receiving the data, the node will choose the neighbor node closer to the sink as the next-hop node. Therefore, detection routes need to detect whether the neighbor node is a black node. When all its neighbor nodes are black nodes, it means that the transmission fails.
Theorem 5: Considering the number of hops from the source node n i to sink is ω, the number of nodes is α, and the ratio of malicious nodes is λ. If only direction trust is considered, the number of nodes with direction trust is β, then the data collection rate of the sink is Proof: First, calculate the success rate of single hop transmission of any node A. The failed transmission means that node A finds that all of the detected nodes whose hop number smaller than its own are black holes. The detected nodes cannot be selected, and A must select from the undetected nodes. If the selected undetected node is a black hole, the transmission fails.
Therefore, the failure probability is as follows. There are three states for node A, that is, more than, less than, and equal to the hop count of node A. For the number of nodes α, the number of nodes whose hops are smaller than A's is α/3. If the number of nodes with direction trust is β, there are β detections in total. For nodes with hop count less than node A, the total detections is β/3.
If β ≥ α, all neighbors of node A can be detected. The proportion of malicious nodes is λ, and the probability that all detected nodes are malicious nodes is λ α/3 , so the probability of transmission failure is λ α/3 .
If β<α, all neighbor nodes cannot be detected. The probability that the detected nodes are malicious nodes is λ β/3 . The probability of being a malicious node at the next hop node is λ, so the failure probability is λλ β/3 = λ β/3 + 1 .
The source node n i has ω hops to sink. Considering that the last hop is not a malicious node, the probability that the sink successfully collects data is Theorem 6: The number of hops from source node n i to sink is ω, the number of nodes is α, and the ratio of malicious nodes is λ. Only the direction trust is considered, the number of nodes with direction trust is β, and the ratio of malicious nodes changes to γ, then the probability that the sink successfully collects the data packet is Proof: The feedback mechanism verifies the data received and the data sent. If the packets are inconsistent, the trust value is reduced. If the trust value drops below the threshold, the node is a malicious node. The active trust scheme can detect whether neighbor node is a malicious node, our scheme can further detect malicious nodes on the data route, so our scheme makes the ratio of malicious nodes change from the previous λ to λ (1γ). The rest of the proofs are as in Theorem 5.
Theorem 7: The source node sends the data to the sink through ω hops. When using the shortest path protocol, the data collection rate is Proof: When using the shortest path protocol, the nodes are randomly selected, and the probability that these selected nodes are black nodes is λ. The last hop is not a black node, so the probability of choosing a nonblack node after ω hop η = (1 − λ) ω − 1 . Figure 11 shows the data collection rate when the ratio of malicious nodes is different in the AVTE scheme and the ActiveTrust scheme, where α =6, β =8, ω =15. Figure 12 is the data collection rate comparison of the AVTE scheme and the ActiveTrust scheme under different hop counts, where γ = 0.2, α =6, β =8, λ =0.2. Figure 13 presents the data collection rate of the two schemes when the number of nodes with direction trust is less than the number of nodes, where γ = 0.2, α =9, β =6, ω =10. From the above three figures, we can see that the data collection rate of the AVTE scheme is higher than that of the ActiveTrust scheme. The performance of the AVTE scheme is improved comparing with the active trust scheme. Figure 14 shows the probability of successful data collection of ActiveTrust scheme, AVTE scheme and the shortest path. The shortest path has the lowest data collection rate. When ω =15, λ =0.2, the total data collection rate drops below 0.1. The ActiveTrust scheme and the AVTE scheme have maintained a high success rate (> 60%). And the AVTE scheme is superior to the Acti-veTrust scheme, because the active trust can identify all black nodes. The next hop only needs to select a good non-black node for routing, but the reliability of all nonblack nodes is different. Adding a feedback mechanism can compare the reliability of neighbor nodes that are not black nodes, so as to provide non-black next-hop routing nodes with higher trust for data routing. Therefore, the AVTE scheme has higher data collection rate than the ActiveTrust scheme. Figure 15 shows the ratio of the data collection rate of AVTE, the ActiveTrust scheme and the shortest route scheme when the number of malicious nodes is different. It can be seen that the AVTE scheme and the Acti-veTrust scheme have a significant improvement over the shortest route. With the increase of malicious nodes, the AVTE scheme has improved the performance by more than 8 times and the ActiveTrust scheme has improved by more than 6 times.
Compared with the ActiveTrust scheme, the ratio of data collection rate of AVTE scheme remains above 1 and increases slightly. This is because the greater the ratio of malicious nodes, the ActiveTrust scheme can effectively detect the location of malicious nodes and avoid their application in data routing, so that the success rate of data packets to sink is greatly increased. On the basis of ActiveTrust scheme, the AVTE scheme detects black nodes that have been used as routing nodes in data routing and selects nodes with higher trust as next hop routing nodes, once again increasing the data collection rate.

Energy consumption and network lifetime
The energy of nodes is mainly consumed in sending and receiving, detecting and confirming packets. The network lifetime is defined as the death time of the first node. When each node needs to send confirmation packet to the source node in the presence of data routing and detection routing, it will consume part of the energy. We need to calculate the energy consumption in the network and analyze the impact of the feedback mechanism on the network lifetime. The composition of the confirmation packet is the same as the data packet, so the energy consumed is equivalent to the energy consumption of the unit data packet. The data packet contains the m-bit binary code of k data. The feedback data packet is a binary code after k data XOR. Because the amount of data has fewer coded bits, and the energy consumption of the encoded feedback signal itself is low, the energy consumption of the coded bits of the number of received data can be ignored, which is equivalent to m-bit encoding. Therefore, the composition of the feedback data packet is the same as that of the data packet. The energy consumption per unit data packet is e p . The feedback data packet contains one piece of data so the energy consumed by the feedback signal is also e p .
We analyze whether the remaining energy in the network can establish detection routes after the data packets and confirmation packets consume some energy. The energy consumption is related to the number of packets carried by the node. Consider the network radius is R, the transmission radius of the node is r, the event occurrence rate is υ, and the distance from the node to the sink is l [36]. According to the Ref. [36], we can get the number of data packets loaded by the node is z is an integer and satisfies l + zr < R.
Eq. (17) shows that the energy consumption depends on the amount of data and the lifetime of the network depends on the node with the highest energy consumption. We consider that the maximum data load of the node is d max and the energy consumption is d max e u . The node with the data loads less than d max has residual energy. The remaining energy can be used to send feedback packets to the source node and construct detection routes. For a node with a distance l to the sink, the remaining energy is (d max − d l )e u . If the distance of the active probe route is measured by the hops and after sending a confirmation packet, the available hops of the active probe route are as follows.
Theorem 8: If the distance from the node to the sink is l, the maximum number of detection hops that the remaining energy can reach is Where k 1 is the ratio of the length of the data packet to the detection packet, and k 2 is the ratio of the body length of the data packet to the packet header of the detection packet.
Proof: According to Eq. (17), for the node with distance l from the sink, the data load is d l = ((z + 1) + (z(z + 1)r/2l))υ. Therefore, the node closest to the sink has the largest data load d max = ((z + 1) + (z(z + 1)r/ 2l min ))υ. e p represents the energy consumption for sending and receiving a unit data packet. Each node sends a confirmation packet to the source node, so the energy consumption of the node for the feedback signal is also e p . The remaining energy of the node is (d max − d l )e p − e p = (d max − d l − 1)e p .
Considering that the energy consumed by sending and receiving one bit data is e u , e p = xe u , x = x 1 + x 2 , where x  is the unit packet length, x 1 is the packet header length, and x 2 is the packet body length. The available remaining energy is (d max − d l − 1)xe u = (d max − d l − 1)e u (x 1 + x 2 ). The energy consumption of sending and receiving a detection packet is e q = ye u = e u (y 1 + y 2 ), where y is the packet length of the detection packet, y 1 is the packet header length, and y 2 is the packet body length. Considering x 1 = y 1 , x 2 = k 1 y 2 , x 2 = k 2 y 1 , the hop counts of the active detection routes that can be achieved by the remaining energy of the node are Assuming R = 500, r = 50, υ = 0.8, l min = 10, Fig. 16 shows the maximum detection hops that can be provided by the remaining energy of nodes at different distances to the sink. When k 1 and k 2 are different, the number of detection hops can reach hundreds. The closer the node is to sink, the greater the data load of the node, the less energy left, and the fewer hops available for detecting the path. The amount of data of nodes far away from the sink is small. Thus, there is more residual energy, and the number of hops available for the detection path is up to 500. In addition to the energy consumed by the node sending and receiving packets and confirming packets, the node has enough energy to build the detection route for monitoring. Figure 17 shows that the number of hops of the detection route decreases when the network radius and the transmission radius are increased, but it can still reach 200 hops.
Consider R = 500, υ = 0.8, l min =50, k 1 =5, k 2 =5, Fig. 18 shows the number of hops of the detection path at different distances from sink under different transmission radius. It can be seen that the number of hops of the detection path gradually increases. The initial growth is relatively large and detection hops grow slowly near the sink. The maximum data load is smaller with the larger transmission radius. The detection hops afforded by remaining energy of nodes decreases, but the maximum hops remain above 200. The maximum detection hops can be up to 500, which shows that the remaining energy in the network is sufficient to support the establishment of the detection path. The ActiveTrust mechanism verifies that the lifetime of the network is the same as other solutions without any security strategy. Compared with the ActiveTrust scheme, our scheme can establish up to hundreds of hops for the active detection path. Therefore, we can conclude that the network lifetime of our scheme is the same as that of the ActiveTrust scheme and the scheme without any security strategy.

Conclusion
In this paper, an Active and Verifiable Trust Evaluation (AVTE) approach is proposed to identify the credibility of IoT devices, so to ensure reliable data collection for Edge Computing with low cost. The main innovation of the AVTE approach is the use of an encoding-based feedback mechanism for data routing. This method can more accurately and directly obtain the trust status of more nodes, so that a richer trust relationship can be obtained more quickly, making evolution and reasoning of trust is more credible and richer. Our theoretical analysis proves its effectiveness. The conclusion of this article is: (1) Compared with the traditional passive trust mechanism, the AVTE approach is an active trust mechanism and it has a great advantage in obtaining trust, which can improve the data collection rate very well.