Wireless communication technologies are the fastest growing segment of the telecommunications industry and their rapid developments have been promoting the evolution into the fifth generation (5G) communication . However, due to the broadcast nature of wireless mediums, communication over wireless networks is susceptible to the interception attacks of unintended recipients (i.e., eavesdroppers). Therefore, guaranteeing the security of wireless communication networks is becoming an increasingly urgent demand .
Traditionally, data is secured by applying the key-based enciphering (cryptographic) techniques in the upper layers of the network protocol stack . Although these cryptographic methods have shown their effectiveness in wired networks, the inherent difficulty of secret key distribution/management without centralized control and complex encryption algorithms may significantly limit their applications in decentralized wireless networks . This motivates the introduction of physical layer (PHY) security technology recently as the complementary approach to further enhancing the secrecy in wireless communications . The philosophy behind PHY security is to exploit the natural randomness of noise and the physical characteristics of wireless channels (like fading) to provide information-theoretic security, which has been regarded as the strongest form of security irrespective of the computing capabilities of eavesdroppers [6, 7, 8]. Thus, PHY security techniques are highly promising to guarantee everlasting secure communication for wireless networks [9, 10, 11].
The seminal work  by Wyner introduced the wiretap channel model as a basic framework for the PHY security which was laid down by Shannon’s definition of perfect secrecy in . Subsequently, many research activities have been devoted to the study of PHY security under other channel models, such as non-degrade channel , Gaussian channel , multi-antenna channel  and relay channel . Motivated by these early studies, diverse approaches for improving PHY security have been proposed in the literature, which mainly include channel precoding/beamforming [18, 19, 20], cooperative jamming [21, 22], channel coding [23, 24] and link/relay selection [25, 26, 27].
This paper focuses on the link/relay selection for securing the communication in wireless cooperative networks. The main advantage of link/relay selection is the implementation simplicity, as the sophisticated transmission techniques or explicit synchronization process is not required. Inspired by the pioneering work  which analyzes the fundamental benefits can be achieved by link/relay selection, extensive studies have been conducted to design efficient relay/link selection schemes under various network scenarios, such as max-min-ratio scheme , AFbORS and DFbORS schemes . Recently, the adoption of buffer-aided relaying has been proved that it can improve the cooperative communication performance in terms of throughput and diversity gains [28, 29]. Different from the conventional relaying scheduling, buffer-aided relaying exploits the flexibility offered by the buffer and enables the data transmission to be executed under favorable channel conditions.
Following this line, some initial selection schemes with buffer-aided relaying have been proposed for the secure communication in wireless cooperative networks [30, 31, 32, 33, 34]. Specifically, Chen et al.  put forward the max-ratio (MR) selection scheme for half-duplex decode-and-forward (DF) relaying networks. MR scheme activates the link with the largest channel gain ratio based on the knowledge of both legitimate and wiretap channel state information (CSI), such that it can achieve a better secrecy performance than the conventional max-min-ratio scheme . Taking into account the transmission efficiency and security constraint, Huang et al.  designed a link selection scheme in a two-hop DF relay network to achieve tradeoff between secrecy throughput and secrecy outage probability. The network scenario with multiple antennas and multiple eavesdroppers was further explored in , where a maximum likelihood (ML) criterion-based algorithm is proposed to select sets of relays for secure transmission. More recently, an artificial noise injection scheme and a hybrid half-/full-duplex scheme were investigated in  and , respectively, to enhance the physical layer security in cooperative networks with buffer-aided relaying.
This paper considers a more practical wireless cooperative system which composes one source-destination pair, one trusted relay with infinite buffer and one passive eavesdropper. Taking into account the fact that the eavesdropper intercepts data transmission in a passive way which can be hardly monitored, we adopt the assumption that the exact instantaneous/statistical CSI of the eavesdropping channel is unavailable, reflecting the more realistic scenario than those assumed in the aforementioned works. Moreover, in contrast to  where only the relay-to-destination channel is wiretapped, we consider a more hazardous and more practical eavesdropping scenario that the eavesdropper overhears data transmission from both the source-to-relay and relay-to-destination links in order to intercept the confidential information with a higher probability. Therefore, to ensure the end-to-end secure communication in wireless cooperative networks, novel link selection schemes should be redesigned, which motivates the conducting of this study. The main contributions of this paper are summarized as follows:
Depending on the availability of instantaneous channel state information at the source, two cases of transmission mechanisms, i.e., adaptive-rate transmission and fixed-rate transmission are considered. We design link selection policies to ensure the communication security for both cases. Particularly, according to the qualities of legitimate channels, the policies fully utilize the flexibility provided by buffer-aided relaying to select source-to-relay, relay-to-destination, or no link transmission, which are different from the conventional on-off schemes.
For the proposed link selection policies, closed-form expressions of end-to-end secrecy outage probability (SOP), secrecy outage capacity (SOC) and exact secrecy throughput (EST) are derived, respectively. We further prove the condition that EST reaches its maximum, and explore how to minimize the SOP and maximize the SOC by optimizing the link selection parameters.
We conduct simulations to demonstrate the validity of theoretical performance evaluation, and provide extensive numerical results to illustrate the efficiency of the proposed link selection polices for the secure communication in wireless cooperative networks.
The remainder of this paper is outlined as follows. Section II introduces the system models and necessary definitions. Section III elaborates the design of link selection policies under the adaptive-rate and fixed-rate transmission mechanisms, respectively. The general problem formulations are presented in Section IV Section V conducts the performance evaluation and explores the performance optimization issues We provide simulation and numerical results in Section VI and finally concludes this paper in Section VII.
Ii System Models and Definitions
In this section, we introduce the system models and some definitions involved in this study.
Ii-a Network Model
As shown in Fig. 1, we consider a two-hop wireless cooperative network which consists of a source (Alice), a destination (Bob), a relay (Relay) and a passive eavesdropper (Eve). We assume that there is no direct link from Alice to Bob so that the messages from Alice can be delivered to Bob only via Relay. Relay is equipped with infinite buffer to temporarily store the messages from Alice and operates in the half-duplex mode, thus it can not transmit and receive simultaneously. Moreover, we apply the randomize-and-forward (RF) strategy , with which Relay decodes the original signal from Alice and store the message in its buffer, later it forwards the message to Bob by transmitting independent randomization signal. We assume that Alice and Relay transmit messages with fixed power and , respectively. Eve attempts to intercept signals from both Alice and Relay, but it cannot combine signals of the two hops with combining techniques such as MRC [36, 37] due to the RF strategy.
Ii-B Wireless Channel Model
We consider a time-slotted system where the time is divided into successive slots with equal duration. All wireless links are characterized by the quasi-static Rayleigh block fading such that the channel fading coefficient of each link remains constant during one time slot, but changes independently and randomly from one time slot to the next. We use to denote the fading coefficient from node to node at time slot , where and (here , , ,
are short for Alice, Relay, Bob and Eve, respectively). With the quasi-static Rayleigh block fading model, the channel gain of a link is independently and exponentially distributed with mean, where
is the expectation operator. In addition, complex additive white Gaussian noise (AWGN) is imposed on each link and its variance at Relay, Bob and Eve are, and , respectively. Therefore, the instantaneous signal-to-noise ratio (SNR) of a link at time slot is determined as
is also exponentially distributed with the probability density function (p.d.f) given by
where . Considering the fact that Eve is a passive eavesdropper, the instantaneous CSIs from Alice and Relay to Eve, i.e., and , are unavailable. Moreover, in this study we assume that Relay always knows the instantaneous CSI at Bob while Alice may or may not know the instantaneous CSI at Relay, as explained later.
Ii-C Transmission Mechanism
To guarantee the secrecy transmission, we employ the well-known Wyner’s encoding scheme . When a transmission is conducted, the transmitter (Alice or Relay) chooses two rates, one is the rate of transmitted codewords, another is the rate of confidential messages. The difference between the two rates, i.e., the rate redundancy, reflects the cost of the secrecy transmission against eavesdropping. Since we consider the practical scenario that the instantaneous/statistical CSI of the wiretap channel is unknown, the transmitter cannot determine the cost needed to prevent eavesdropping. As a result, in our transmission mechanism, Alice and Relay set a fix rate for the confidential messages, denoted as .
Regarding the transmission from Alice to Relay, we consider two cases, i.e., Alice knows and does not know the corresponding instantaneous CSI (the availability of instantaneous CSI at Alice is dependent on the link selection policy adopted, as explained in Section III). For the former case, Alice adaptively adjusts the codeword rate to be arbitrarily close to the channel capacity , termed as adaptive-rate transmission. Thus, when Alice-to-Relay link is selected in time slot , the transmission rate of codewords is determined as
For the case that Alice does not know the instantaneous CSI, when Alice-to-Relay link is selected, it sets a fix rate () to transmit the codewords, termed as fixed-rate transmission.
Regarding the transmission from Relay to Bob, Relay always knows the corresponding instantaneous CSI based on the link selection policies as introduced later. Thus, when Relay-to-Bob link is selected in time slot , the transmission rate of codewords is determined as
We use to denote the amount of confidential data (in bits) stored in the buffer of Relay at the end of time slot . Then, the evolution of data stored in Relay’s buffer at the next time slot can be characterized as111It should be noted that after decoding the signal from Alice, Relay only stores the useful data, i.e., the confidential messages, in its buffer.
As introduced in the next section, our link selection polices can guarantee that the rate of codewords is always no less than the rate of confidential messages . More specifically, when Alice-to-Relay link is selected in time slot and the adaptive-rate transmission is adopted, always satisfies; when Relay-to-Bob link is selected in time slot , always satisfies.
Iii Link Selection Policies
In this section, we first present the overall scheduling in a time slot, and then detail the link selection policies.
Iii-a Overall Scheduling
Regarding the overall scheduling in a time slot, in order to ensure the transmission security and avoid channel outage 
, we first need to estimate the instantaneous CSIs of legitimate links. Then, link selection is made based on our new policies. Finally, the system conducts transmission operation orremains idle according to the selection decision. Therefore, the overall scheduling consists of the following three stages and can be illustrated in Fig. 2.
Alice and Bob transmit the pilot sequences to Relay in turn. By assuming that the reciprocity property  of antenna holds, Relay can estimate the CSIs of Alice-to-Relay and Relay-to-Bob links, respectively.
With the CSIs of two links, Relay acts as the ‘central node’ to make link selection decision based on some policies. According to whether Relay feed back the CSI to Alice, we consider the following two cases.
With CSI feedback: Relay makes link selection decision based on the policy described in Section III-B. If Alice-to-Relay link is selected, Relay sends the decision signal and feeds back the CSI to Alice.
Without CSI feedback: Relay makes link selection decision based on the policy described in Section III-C. If Alice-to-Relay link is selected, Relay sends the decision signal to Alice.
Based on the link selection decision, Alice or Relay transmits the message with the transmission mechanism introduced in Section II-C, or the system remains idle.
It is worth noting that the overall scheduling incurs at most three handshakes before the real message transmission, thus it is low-complexity for the system operation.
Iii-B Link Selection Policy with CSI Feedback
With the existing link selection policies such as , either Alice-to-Relay or Relay-to-Bob link is selected for data transmission in all time slots. However, since the eavesdropper Eve intercepts messages from both links, once in a time slot the channel qualities of both legitimate links are worse than those of corresponding wiretap links, the transmission security cannot be ensured no matter which link is selected. Therefore, a new selection policy with such a consideration should be carefully designed.
We let be an indicator variable to denote the link decision in time slot . indicates Alice-to-Relay link is selected, indicates Relay-to-Bob link is selected, and indicates the system remains idle in this time slot. We also introduce two non-negative parameters and which serve as the thresholds for the channel qualities of two legitimate links, respectively. Specifically, only if the condition (resp. ) satisfies, Alice-to-Relay (resp. Relay-to-Bob) link can be selected for message transmission, if and , no link will be selected, which ensures a high channel quality of the selected link and thus provides a good security performance. Moreover, in order to guarantee that the rate of codewords of the selected link can cover the rate of confidential messages , we set and . Finally, when both the legitimate links are in high channel quality, i.e., and , the link with a better relative quality will be selected for message transmission, i.e., if and if . Therefore, our link selection policy with CSI feedback can be summarized as Algorithm 1.
Iii-C Link Selection Policy without CSI Feedback
Regarding another case that Relay will not feed back the instantaneous CSI to Alice if Alice-to-Relay link is selected due to the system complexity concern, instead of adaptively adjusting the codeword rate to be the channel capacity, Alice uses a fixed rate to transmit the codewords. Considering that may be larger than the channel capacity which will incur the channel outage if Alice conducts the transmission, in order to avoid the channel outage, Relay should not select Alice-to-Relay link when it finds that (even if ). Therefore, our link selection policy without CSI feedback can be summarized as Algorithm 2.
In order to make a better understanding of our link selection policy, we illustrate in Fig. 3 the value of in different SNR regions. We can see from Fig. 3(a) that when we set the threshold , the value of in different SNR regions decided by the policy without CSI feedback is the same as that decided by the policy with CSI feedback. However, if we set the threshold , when , and , Relay-to-Bob link will also be selected to transmit message (i.e., ), as shown in the triangle area of Fig. 3(b).
Iv General Optimization Problem Formulation
In this section, we first derive the general expression for secrecy outage capacity, end-to-end secrecy outage probability and exact secrecy throughput, then we formulate the general optimization problems about these performance metrics.
Iv-a Performance Metrics
Iv-A1 Secrecy Outage Probability
Differing form the tradition SOP  , a better expression for SOP  is defined as the conditional probability that capacity of the wiretap channels exceeds the rate redundancy under message successful transmission (i.e., , where ). Expediently, we use and as secrecy outage variables in two hops respectively, which are expressed as
Considering there exists two wiretap channels, the system SOP can be characterized as a combination of the individual SOP of each hop, and end-to-end SOP is expressed as
where and , which are derived in Section V.
Iv-A2 Secrecy Outage Capacity
The secrecy outage constraint throughput (SOCT) is defined as the largest achievable secrecy rate under end-to-end SOP constraint at destination
where when and otherwise. Furtherly, the SOCT can be generally rewritten as
Iv-A3 Secrecy Throughput
The average rate securely and reliably delivered to the queue of Bob via Relay over multiple scheduling is defined as the end-to-end secrecy throughput. A novel formulation (called successful transmission probability in ) to characterize the reliability and security levels of transmission in both two hops oh the buffer-aided relaying system, which are defined as
Using the notation introduced above, the general expression for the average successful arriving rate in the buffer queue of Relay is derived as
where is due to always satisfies when . Similarly, the average successful accepting rate (i.e., the secrecy throughput) securely successfully delivered to Bob can be generally expressed as
Note that is valid because of the buffer-aided relaying protocol and when , the queue of buffer is said to be unstable or in the absorbing sate according to . In our system, we have following lemma:
When the secrecy throughput reached the maximum, the necessary condition for optimal link selection policy is that the buffer queue is always at the edge of non-absorbing (i.e., ) and the link selection parameters , are optimal.
Because the 1 only is an extension of theorem 1 in  in our network scene with Relay having three working states (i.e., accepting, transmitting and idle), we just provide a brief proof. We denote the set of indices with by and the set of by (where is the complementary set of set ). Assume that we have a link selection policy resulting in (i.e., the queue is in the absorbing state). The policy can always can be improved by moving the indices in to to to increase the secrecy throughput until (i.e., the queue is at the edge of non-absorbing), which leads to an increase of at the expense of a decrease of . From the law of the conservation of flow, we know that both and will decrease if we move the indices and further once the point is reached. Therefore, When the buffer queue switches form absorbing state to non-absorbing state, the secrecy throughput exactly reached the maximum value.
When the link selection policy is optimal, the event can be negligible and the maximum exact secrecy throughput can be generally written as
We denote the set of indices with by and the set of by . we also denote the cardinalities of and as and , respectively. Thus, if the queue is absorbing, always holds, which means . As a result, the secrecy outage capacity is
Iv-B General Optimal Formulation
Now we are ready to formulate the general optimal problem. We respectively derive the optimal link selection policy (i.e., optimal and ) and optimal secrecy rate that the encoders use for encoding to maximize secrecy outage capacity under a desired certain outage probability, and minimize SOP under the desired certain secrecy outage capacity.
The general problem for maximizing the secrecy outage capacity can be formulated as
Because the high probability that Relay keeps idle (i.e., ) leads to the higher delay, constraint C1 is required. In C2, denotes the desired SOP of the system. Note that C1 and C2 represent two QoS metrics for information security and delay in cooperative communication, respectively.
Then the optimal problem to minimum the end-to-end SOP which represents transmission security performance of the system under secrecy outage capacity constraints, is generally formulated as following
where is the desired minimum secrecy outage capacity.
Based on Lemma 1 and Lemma 2, we formulate the optimal problem about exact secrecy throughput as follow
where constraint C2 ensures that the link selection policy is optimal to make the exact secrecy throughput reach maximum value.
V Performance Analysis and Optimization
In this section, we first derive the closed-form expressions for above introduced performance parameters. Based on these closed-form expressions, we re-formulate the detail optimal problem P1 and P2 under adaptive-rate and fixed-rate transmission models, respectively.
V-a Performance Analysis For Adaptive-rate Transmission Model
According the link selection scheme (9), the transmission probability at time slot when Alice is selected to transmit message can be given by
By symmetry, we can obtain the transmission probability for Relay
So the probability that Relay is idle due to security consideration can be presented as
Remark 2: According to the link selection scheme (9), the condition is required to avoid the decoding outage, i.e., .
Then we derive the E2E secrecy outage probability. Based on IV, the SOP in the first hop can be expressed as
Similarly, the SOP in the second hop is
substituting the p.d.f.s of ,, and , the detailed expression of and can be derived as (27)(28), which are shown at the bottom of this page, respectively. Thus the E2E SOP can be obtained based on (14).
Now we are ready to reformulate the optimal problems about secrecy capacity and SOP. We denote the secrecy outage capacity maximization and SOP minimization as PA1 and PA2 in adaptive-rate transmission model, respectively.
Problem PA1 is formulated as
and for Problem PA2, we have
It is notable that (27) and (28) include the transcendental function and it’s hard to analyze the monotonicity of , thus the closed-form solutions in PA1 and PA2 are generally not possible. Inspired by the Zoutendijk Method , we apply the algorithm 3 to solve the optimal problems. before introducing the algorithm 3, we introduce the the following lemma:
where , , and is the first derivative of function with respect to .
According to , is the decline direction of 222the equivalent problem of maximizing is the one of minimizing .Thus this paper focuses on the the feasible decline direction of . if and only if at the point . Furthermore, if holds at , is called the strictly feasible direction. Thus we call as the strictly feasible descent direction, if there exists such that
The Algorithm 3 is as follows:
Because of the non-negative, ergodic and stationary process, we have the following proposition.
Proposition 1: When Alice transmits message to Relay with adaptive rate, the average accept rate