<%BANNER%>

Discrete Optimization for Network Security and Reliability

Permanent Link: http://ufdc.ufl.edu/UFE0043687/00001

Material Information

Title: Discrete Optimization for Network Security and Reliability
Physical Description: 1 online resource (147 p.)
Language: english
Creator: Xuan, Ying
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2011

Subjects

Subjects / Keywords: discrete -- network -- optimization -- reliability -- security
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre: Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: Any network problems in essence equal to some principle questions in Discrete Mathematics, since all network elements can be abstracted as basic discrete structures, such as graphs, trees and permutations. One branch of discrete math, Graph Theory, serves as abundant sources of theoretical support for network researches, from which people have been exploring since the last decade. However, the potential of another branch, Combinatorial Math, has been overlooked, because of the intrinsic differences between its classic model and the practical network problems. In this thesis, we attempt to fill this gap between Combinatorial Math and Network Optimization problems. Specifically, we first perform a theoretical study over Combinatorial Group Testing, which is a kernel optimization technique in Combinatorial Math, provide a new size-constraint model for it, and propose an improvement over its traditional optimization solution. Then, we propose several novel solution frameworks based on Group Testing, Set Theory, Combinatorial Geometry and Graph Theory, towards a series of network security/reliablity problems, i.e., Defending Application-Layer and Wireless Jamming Denial-of-Service Attacks, Localizing All-Optical Network Link Failures and Assessing Network Topological Vulnerabilities. For each of these problems, we present a corresponding mathematical model, show the theoretical hardness, provide efficient algorithms with performance analysis, describe the implementation details and feasibility/scalability, and discuss over potential improvements and future directions.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Ying Xuan.
Thesis: Thesis (Ph.D.)--University of Florida, 2011.
Local: Adviser: Thai, My Tra.
Electronic Access: RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2013-06-30

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2011
System ID: UFE0043687:00001

Permanent Link: http://ufdc.ufl.edu/UFE0043687/00001

Material Information

Title: Discrete Optimization for Network Security and Reliability
Physical Description: 1 online resource (147 p.)
Language: english
Creator: Xuan, Ying
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2011

Subjects

Subjects / Keywords: discrete -- network -- optimization -- reliability -- security
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre: Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: Any network problems in essence equal to some principle questions in Discrete Mathematics, since all network elements can be abstracted as basic discrete structures, such as graphs, trees and permutations. One branch of discrete math, Graph Theory, serves as abundant sources of theoretical support for network researches, from which people have been exploring since the last decade. However, the potential of another branch, Combinatorial Math, has been overlooked, because of the intrinsic differences between its classic model and the practical network problems. In this thesis, we attempt to fill this gap between Combinatorial Math and Network Optimization problems. Specifically, we first perform a theoretical study over Combinatorial Group Testing, which is a kernel optimization technique in Combinatorial Math, provide a new size-constraint model for it, and propose an improvement over its traditional optimization solution. Then, we propose several novel solution frameworks based on Group Testing, Set Theory, Combinatorial Geometry and Graph Theory, towards a series of network security/reliablity problems, i.e., Defending Application-Layer and Wireless Jamming Denial-of-Service Attacks, Localizing All-Optical Network Link Failures and Assessing Network Topological Vulnerabilities. For each of these problems, we present a corresponding mathematical model, show the theoretical hardness, provide efficient algorithms with performance analysis, describe the implementation details and feasibility/scalability, and discuss over potential improvements and future directions.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Ying Xuan.
Thesis: Thesis (Ph.D.)--University of Florida, 2011.
Local: Adviser: Thai, My Tra.
Electronic Access: RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2013-06-30

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2011
System ID: UFE0043687:00001


This item has the following downloads:


Full Text

PAGE 1

DISCRETEOPTIMIZATIONFORNETWORKSECURITYANDRELIABILITYByYINGXUANADISSERTATIONPRESENTEDTOTHEGRADUATESCHOOLOFTHEUNIVERSITYOFFLORIDAINPARTIALFULFILLMENTOFTHEREQUIREMENTSFORTHEDEGREEOFDOCTOROFPHILOSOPHYUNIVERSITYOFFLORIDA2011

PAGE 2

c2011YingXuan 2

PAGE 3

IdedicatethistomywifeTingandmydaughterEva. 3

PAGE 4

ACKNOWLEDGMENTS IwouldliketotakethisopportunitytothankmycommitteechairDr.Thaiforherpricelesshelpformydoctorateprogram.NotonlythechancethatsheofferedmetocometoUnitedStatestofurthermystudyandresearchoncomputernetworking,butalsoherpreciousguidanceovermy5-yeardoctoratestudyandresearch,areindispensabletothisthesis.Herstrongpassion,precisenessandprofoundknowledgeforresearchhavebeenenlighteningme.ThenancialsupportfromherevadesmefromthenancialproblemsforinternationalstudentsandsothatIcanconcentrateovertheresearches.Iwouldalsoliketothankalltheprofessorsinmycommitteefortheirtimefordiscussingovermyresearchtopicsandprovidingnumerousconstructiveopinions.Iwouldliketothankmygroupmembers,Ravi,Incheol,Yilin,Thang,Nam,Dungfortheirhelpinmystudyandwork. 4

PAGE 5

TABLEOFCONTENTS page ACKNOWLEDGMENTS .................................. 4 LISTOFTABLES ...................................... 8 LISTOFFIGURES ..................................... 9 ABSTRACT ......................................... 11 CHAPTER 1INTRODUCTION ................................... 13 1.1CombinatorialGroupTesting ......................... 13 1.2ExtendingandImprovingGTforModelingNetworkProblems ....... 14 1.3CombinatorialOptimizationsforNetworkSecurity .............. 15 1.4CombinatorialOptimizationsforNetworkReliability ............. 16 1.5ThesisOrganization .............................. 17 2ANEWCONSTRUCTIONOFERROR-TOLERANTDISJUNCTMATRIX .... 19 3AGROUPTESTINGBASEDDETECTIONOFAPPLICATIONDENIAL-OF-SERVICEATTACKERS ..................................... 22 3.1RelatedWorks ................................. 25 3.2ProblemModels ................................ 26 3.2.1AttackerModel ............................. 26 3.2.2Victim/DetectionModel ......................... 27 3.3StrategyandDetectionSystem ........................ 29 3.3.1SizeConstraintGroupTesting ..................... 29 3.3.2DetectionSystem ............................ 30 3.3.2.1Systemoverview ....................... 30 3.3.2.2Congurationdetails ..................... 32 3.4DetectionAlgorithmsandLatencyAnalyses ................. 37 3.4.1SequentialDetectionwithPacking .................. 38 3.4.2SequentialDetectionwithoutPacking ................. 41 3.4.3PartialNon-adaptiveDetection .................... 44 3.5SimulationCongurationsandResults .................... 52 3.5.1Congurations ............................. 52 3.5.2Results ................................. 54 3.6ConclusionsandDiscussions ......................... 58 3.6.1Conclusions ............................... 58 3.6.2DiscussionsoverFalseRate ...................... 59 5

PAGE 6

4ATRIGGERIDENTIFICATIONSERVICEFORDEFENDINGREACTIVEJAMMERSINWIRELESSSENSORNETWORKS ....................... 61 4.1RelatedWorks ................................. 63 4.2ProblemModelsandNotations ........................ 64 4.2.1NetworkModel ............................. 64 4.2.2AttackerModel ............................. 65 4.2.2.1Basicattackermodel .................... 65 4.2.2.2Advancedattackermodel .................. 66 4.2.3SensorModel .............................. 67 4.3ThreeKernelTechniques ........................... 68 4.3.1MinimumDiskCoverinaSimplePolygon .............. 68 4.3.2Clique-IndependentSet ........................ 69 4.4TriggerIdenticationProcedure ........................ 71 4.4.1AnomalyDetection ........................... 71 4.4.2JammerPropertyEstimation ..................... 73 4.4.3TriggerDetection ............................ 74 4.4.3.1Discoveryofinterference-freetestingteams ........ 77 4.4.3.2Estimationoftriggerupperbound .............. 80 4.4.4AnalysisofTimeandMessageComplexity .............. 81 4.5AdvancedSolutionsTowardSophisticatedAttackModels ......... 83 4.5.1UpperboundontheExpectedValueofz ............... 84 4.5.1.1Probabilisticjammingresponse ............... 85 4.5.1.2Variantreactiontime ..................... 85 4.5.2Error-tolerantAsynchronousTestingwithinEachTestingTeam .. 88 4.6ExperimentalEvaluation ............................ 88 4.6.1Overview ................................ 88 4.6.2BenetsforJamming-resistentRouting ................ 89 4.6.3ImprovementsonTimeComplexity .................. 91 4.6.4AccuracyinEstimatingJammerProperties .............. 94 4.6.5RobustnesstoVariousJammerModels ............... 95 4.7DiscussionandConclusions .......................... 96 5ANEFFICIENTMULTI-LINKFAILURELOCALIZATIONSCHEMEINALL-OPTICALNETWORKS ..................................... 97 5.1RelatedWorks ................................. 99 5.2BackgroundandProblemBranches ..................... 100 5.3Acentralizedalgorithmformoderatesizednetworks ............ 102 5.3.1Tree-decomposition ........................... 103 5.3.2Single-LinkFailureLocalizationonTree-subgraphs ......... 105 5.3.3RedundantTree-Subgraphs ...................... 106 5.4Alocalizedalgorithmforlarge-scalenetworks ................ 107 5.4.1RandomWalkbasedAlgorithm .................... 108 5.4.2CorrectnessandComplexity ...................... 109 5.4.3LocalRarestFirst ............................ 110 6

PAGE 7

5.5SimulationResults ............................... 111 5.5.1TheCentralizedAlgorithm ....................... 111 5.5.2TheLocalizedAlgorithm ........................ 112 5.6AdaptationtoAdditionalConstraints ..................... 116 5.6.1Case1:k-par .............................. 116 5.6.2Case2:q-fail .............................. 117 5.6.3Case3:d-unknown ........................... 119 5.7Summary .................................... 120 6AGRAPH-THEORETICQUALITY-OF-SERVICEAWAREVULNERABILITYASSESSMENTFORNETWORKTOPOLOGIES ................. 122 6.1ProblemModel ................................. 124 6.2Hardness .................................... 127 6.3ExactAlgorithm ................................. 127 6.4HeuristicSolutions ............................... 131 6.4.1AHeuristicSolutionforSmallm .................... 131 6.4.2AHeuristicSolutionforLargemandLargeNetworks ........ 132 6.5PerformanceEvaluations ........................... 133 6.5.1DatasetandSetup ........................... 133 6.5.2EfciencyofHeuristicSolutions .................... 134 6.6Summary .................................... 138 7CONCLUSION .................................... 139 REFERENCES ....................................... 140 BIOGRAPHICALSKETCH ................................ 147 7

PAGE 8

LISTOFTABLES Table page 3-1MainNotations .................................... 30 4-1MessageContainingTriggerDetectionSchedule ................. 75 4-2Notations ....................................... 84 5-1MainNotations .................................... 102 6-1ThetimecostofMFMCSP(MaxFlowMulti-ConstraintShortestPath) ..... 135 6-2ThetimecostofSDOP(SingleDimensionOptimalPath)forlargenetworks .. 138 6-3ThetimecostofSDOPforlargeconstraintamount ................ 138 8

PAGE 9

LISTOFFIGURES Figure page 1-1TheMathematicalPrincipleofGroupTesting ................... 14 3-1Victim/Detectionmodel ............................... 28 3-22-modediagramofthesystem ........................... 31 3-3Onetestingroundindangermode ......................... 32 3-4AdetectionexampleofhowSDP(SequentialDetectionwithPacking)andS-DoP(SequentialDetectionwithoutPacking)work. ................. 39 3-5Statusoftheback-endserver ............................ 55 3-6Robustnessbydifferentnumberofback-endservermachinesk ........ 56 3-7Robustnessbydifferentnumberofattackersd .................. 57 3-8Robustnessbydifferenttotalnumberofclientsn ................. 58 4-1PolynomialTimeReduction ............................. 70 4-2ReactiveJammingAttackModel .......................... 72 4-3EstimatedRandJammedArea ........................... 74 4-4InterferenceTeams .................................. 76 4-5IterativeLocalRenement .............................. 78 4-6Maximum#InterferingCliques ........................... 80 4-7Maximum#Jammersinvokedbyoneteam .................... 80 4-8Benetsforrouting .................................. 90 4-9TimeandMessagecomplexity ........................... 93 4-10EstimationerrorofR ................................. 94 4-11SolutionRobustness ................................. 96 5-1AnexampleofPath-trial ............................... 101 5-2MultiplebranchesoftheM-LFL(Multi-Linkfailurelocalization)problem ..... 101 5-3SingleLinkFailureLocalizationonTrees ...................... 107 5-4PerformanceofTDD(Tree-DecompositionDetection)centralizedalgorithm .. 113 5-5ScalabilityofR-WalklocalizedalgorithmtoNetworkSize ............ 114 9

PAGE 10

5-6RobustnessofR-WalklocalizedalgorithmtoLinkFailureRate ......... 115 5-7Performanceofadaptationtovariousconstraints ................. 118 6-1ConversionfromQoSCV(QualityofServiceCriticalVertex)toQoSCE(QualityofServiceCriticalEdge) ............................... 126 6-2IntegerProgrammingFormulation ......................... 126 6-3CombinedMethodofBranch-and-BoundandParetoOptimality ......... 130 6-4NSFNET(NationalScienceFoundationNetworks)T11991 ........... 134 6-5AccuracyofMFMCSP(MaxFlowMulti-ConstraintShortestPath) ........ 135 10

PAGE 11

AbstractofDissertationPresentedtotheGraduateSchooloftheUniversityofFloridainPartialFulllmentoftheRequirementsfortheDegreeofDoctorofPhilosophyDISCRETEOPTIMIZATIONFORNETWORKSECURITYANDRELIABILITYByYingXuanDecember2011Chair:MyT.ThaiMajor:ComputerandInformationScienceandEngineering AnynetworkproblemsinessenceequaltosomeprinciplequestionsinDiscreteMathematics,sinceallnetworkelementscanbeabstractedasbasicdiscretestructures,suchasgraphs,treesandpermutations.Onebranchofdiscretemath,GraphTheoryservesasabundantsourcesoftheoreticalsupportfornetworkresearches,fromwhichpeoplehavebeenexploringsincethelastdecade.However,thepotentialofanotherbranch,CombinatorialGroupTesting,hasbeenoverlooked,becauseoftheintrinsicdifferencesbetweenitsclassicmodelandthepracticalnetworkproblems. Inthisthesis,weattempttollthegapbetweenGroupTestingTheoryandNetworkOptimizationProblems,andthenprovidenoveltheoreticalframeworksandefcientsolutionsthroughdiscreteoptimizationsforfournetworksecurityandreliabilityproblems.Specically,werstprovideanewsize-constraintmodelforGroupTesting,whichthuscanndmanymatchestopracticalnetworkproblems,andthenproposeanimprovementoveritstraditionaloptimizationsolution.Then,westudytwonetworksecurityproblems:DefendingApplication-LayerandWirelessJammingDenial-of-ServiceAttacksandtworeliabilityproblems:LocalizingAll-OpticalNetworkLinkFailuresandAssessingNetworkTopologicalVulnerabilities.Foreachoftheseproblems,wepresentanoveloptimizationframework,showitstheoreticalhardness,provideefcientalgorithmswithperformanceanalysis,describetheimplementation 11

PAGE 12

detailsandfeasibility/scalability,anddiscussoverpotentialimprovementsandfuturedirections. 12

PAGE 13

CHAPTER1INTRODUCTION DiscreteOptimization,whichistoaddressoptimizationproblemsassociatedwithanitesetofobjects,haswideapplicationsinNetworkScience.Bymappingnetworknodesasverticesandlinksasedges,mostnetworkproblemsnaturallyfallintothecategoriesofGraphTheory,ComputationalGeometryandetc.Amainstreamofnetworktheoryresearchesfocusesonapplyingthesetechniquestopracticalnetworkproblems,wherenetworksecurityandreliabilityaretwoimportantelds.However,anotherbranchofcombinatorialoptimization,whichiscalledGroupTesting,hasbeenneglectedbythenetworkresearchers,duetothedifcultiesinapplyingitsclassicmodeltopracticalproblems. Inthisthesis,ononehand,wepresentatheoreticalimprovementovertheGroupTestingtheoryalongwithanextendedmodel,whichthencanndmanymatcheswithpracticalnetworkproblems;ontheotherhand,weprovidenoveltheoreticalframeworksandsolutionsforfournetworksecurityandreliabilityproblemsusingacombinationofGroupTestingtheory,GraphTheory,SetTheoryandComputationalGeometry. 1.1CombinatorialGroupTesting CombinatorialGroupTesting(CGT),akerneloptimizationtechniqueinCombinatorics,wasproposedinWWIItospeedupthedetectionofaffectedbloodsampleswithinalargesamplepopulation.Itskeyideaistotestitemsinmultipledesignatedgroups,insteadoftestingthemindividually.Thetraditionalmethodofgroupingitemscanbeillustratedbya0-1matrixMtnwherethematrixrowsrepresentthetestinggroupandeachcolumnreferstoanitem.AsFig. 1-1 shows,givenabinarytestingmatrixMandatestingoutcomevectorV.Assumedthatitem1(1stcolumn)anditem2(2ndcolumn)arepositive,thenonlythersttwogroupsreturnnegativeoutcomes,becausetheydonotcontainthesetwopositiveitems.Onthecontrary,alltheotherfourgroupsreturnpositiveoutcomes.M[i,j]=1impliesthatthejthitemappearsintheithtestinggroup,and0 13

PAGE 14

M=2666666400001111001100110101010111110000110011001010101037777775testing=)V=2666666400111137777775 Figure1-1. TheMathematicalPrincipleofGroupTesting otherwise.Therefore,thenumberofrowsofthematrixdenotesthenumberofgroupstestedinparallelandeachentryoftheresultvectorVreferstothetestoutcomeofthecorrespondinggroup(row),where1denotespositiveoutcomeand0denotesnegativeoutcome. Giventhatthereareatmostd
PAGE 15

Ontheotherhand,thistechniquehasrarelybeenusedfornetworksecurityandreliabilityproblemsduetothelimitationsinitsconventionalmodelsandalgorithms.Forexample,selectingnetworkingelementsintopoolshastofollowmuchmoreconstraints(connection/location/power)thanbiologicalsamples,whichbringsupthedifcultiesofapplyingthetraditionaltechniquemodels. Inthisthesis,weextendthetraditionalGTmodelsfornetworkproblemsandprovideanimprovedefcientconstructionofd-disjunctmatrix,whicheliminatesthetwoshacklespreventingtheuseofGTinnetworkoptimizations. 1.3CombinatorialOptimizationsforNetworkSecurity SeveralvariantsofDenial-of-Serviceattacksaretakenintoconsideration.ThedefenseframeworksweprovideuseGTmodelsasabackbone,butalsoinvolveGraphOptimizationandComputationGeometry. DetectingApplication-LayerDoSAttacks.Application-LayerDoSaimsatdisruptingapplicationserviceratherthandepletingthenetworkresource,hasemergedasalargerthreattonetworkservices,comparedtotheclassicDoSattack.OwingtoitshighsimilaritytolegitimatetrafcandmuchlowerlaunchingoverheadthanclassicDDoSattack,thisnewassaulttypecannotbeefcientlydetectedorpreventedbyexistingdetectionsolutions.ToidentifyapplicationDoSattack,weproposeaGTbasedapproachdeployedonback-endservers,whichnotonlyoffersatheoreticalmethodtoobtainshortdetectiondelayandlowfalsepositive/negativerate,butalsoprovidesanunderlyingframeworkagainstgeneralnetworkattacks.Morespecically,werstextendclassicGTmodelwithsizeconstraintsforpracticepurposes,thenre-distributetheclientservicerequeststomultiplevirtualserversembeddedwithineachback-endservermachine,accordingtospecictestingmatrices.Baseonthisframework,weproposea2-modedetectionmechanismusingsomedynamicthresholdstoefcientlyidentifytheattackers.Thefocusofthisworkliesinthedetectionalgorithmsproposedandthecorrespondingtheoreticalcomplexityanalysis. 15

PAGE 16

DefendingReactiveWirelessJammingAttacks.Duringthelastdecade,Re-activeJammingAttackhasemergedasagreatestsecuritythreattowirelesssensornetworks,duetoitsmassdestructiontolegitimatesensorcommunicationsanddifcultytobedisclosedanddefended.Consideringthespeciccharacteristicsofreactivejammernodes,anewschemetodeactivatethembyefcientlyidentifyingalltrig-gernodes,whosetransmissionsinvokethejammernodes,hasbeenproposedanddeveloped.Suchatrigger-identicationprocedurecanworkasanapplication-layerserviceandbenetmanyexistingreactive-jammingdefendingschemes.Inoursolution,ontheonehand,weleverageseveraloptimizationproblemstoprovideacompletetrigger-identicationserviceframeworkforunreliablewirelesssensornetworks.Ontheotherhand,weprovideanimprovedalgorithmwithregardtotwosophisticatedjammingmodels,inordertoenhanceitsrobustnessforvariousnetworkscenarios. 1.4CombinatorialOptimizationsforNetworkReliability Networkreliabilityproblemsnormallyinvolvewithfaulttoleranceofthenetworks.ManyofthemcanalsobeabstractedasadiscreteoptimizationproblemandthenaddressedusingGT,GraphTheoryandotherdiscretemathsolutions.Inthisthesis,westudytwoclassicreliabilityproblems:faultylocalizationandvulnerabilityassessment,whoseproblemcontextarehoweverquitenovel. FailureLocalizationinOpticalNetworks.Linkfailurelocalizationhasbeenanimportantandchallengingproblemforall-opticalnetworks.Themostgeneralmonitoringstructure,calledpath-trial,isalight-pathintowhichopticalsignalsarelaunchedandmonitored.Howtominimizethenumberofrequiredpath-trialsiscriticaltotheexpenseofthistechnique.Existingsolutionsarelimitedtolocalizingsinglelinkfailureorhandlingonlysmallnetworks.Moreover,somepracticalconstraints,likelackingofknowledgeofthefailurequantity,areignored.Toovercometheselimitationsisprospectivebutquitechallenging.Tothisend,weaddressthemulti-linkfailurelocalizationproblem.Ononehand,formoderate-sizenetworks,weprovideatree-decompositionbasedcentralized 16

PAGE 17

algorithm;ontheotherhand,arandomwalkbasedlocalizedalgorithmforlarge-scalenetworksisproposed.Inaddition,wefurtheradaptthesetwoalgorithmstocopewiththreepracticalconstraints. QoS-awareNetworkTopologicalVulnerabilityAssessment.Howtoassessthetopologyvulnerabilityofanetworkhasattractedmoreandmoreattentionsrecently.Duetotherapidgrowingnumberofreal-timeinternetapplicationsdevelopedsincethelastdecade,thediscoveryoftopologyweaknessrelatedtoitsqualityofservice(QoS)isofmoreinterest.WeprovideanovelQoS-awaremeasurementforassessingthevulnerabilityofgeneralnetworktopologies.Specically,weevaluatethevulnerabilitybydetectingtheminimumnumberoflinkfailuresthatdecreasethesatisfactoryleveloftheQoS-Optimalsource-destinationpathtoagivenvalue,whichmeansatopologywithasmalleramountofsuchlinkfailuresismorevulnerable.WeformulatethisprocessasagraphoptimizationproblemcalledQoSCE,studyitstheoreticalhardness/inapproximabilityandprovideseveralexactandefcientheuristicalgorithmsforvariousQoSconstraintamounts.Toourbestknowledge,thisistherstgraph-theoreticalframeworktoevaluateQoS-awaretopologyvulnerability. 1.5ThesisOrganization Theorganizationofthisthesisisasfollowing. Chapter 2 presentsanewrandomizedconstructionoferror-tolerantd-disjunctmatrix,whichachievesasmallermatrixsizethantheexistingsolutionsandcontributestothegoodperformancesofthefollowinggrouptestingapplications. Chapter 3 targetsattheapplicationdenial-of-serviceattacks,proposesasize-constraintgrouptestingmodelanda2-modedetectionmechanism,whichefcientlyidentiestheattackersbyregulatingthedistributionofservicerequeststocorrespondingservers,accordingtothreesequential/parrallelalgorithmsfordifferentnetworksettings. Chapter 4 illustratesatrigger-identicationservicewhichcanbeusedtofreezeandcatchthesophisticatedreactivejammingattackers.Besidesanadaptedgroup 17

PAGE 18

testingmodel,thisserviceleveragesseveraloptimizationproblemmodelsandachievestheoreticalperformanceguaranteeintermsoftheidenticationprecision. InChapter 5 ,anotherapplicationinlocalizingmultiplelinkfailuresinAll-OpticalNetworksisinvestigated.Agraph-constrainedgrouptestingmodelisintroducedtotacklethisproblem.Thischaptershowsatree-decompositioncentralizedalgorithmaswellasarandomwalkbasedlocalizedalgorithm,whosetheoreticalcorrectnessandefciencyisprovedthroughtheoreticalandexperimentalevaluations. AtheoreticalQoSvulnerabilityassessmentframeworkisproposedinChapter 6 ,whereefcientalgorithmsareprovidedtoinvestigatetherobustnessofanygivennetworktopologies. Asthelastcomponent,Chapter 7 sumsupthewholethesis. 18

PAGE 19

CHAPTER2ANEWCONSTRUCTIONOFERROR-TOLERANTDISJUNCTMATRIX Inordertohandleerrorsinthetestingoutcomes,theerror-tolerantnon-adaptivegrouptestinghasbeendevelopedusing(d,z)-disjunctmatrix,whereinanyd+1columns,eachcolumnhasa1inatleastzrowswherealltheotherdcolumnsare0.Therefore,a(d,1)-disjunctmatrixisexactlyd-disjunct.Straightforwardly,thedpositiveitemscanstillbecorrectlyidentied,inthepresenceofatmostz)]TJ /F6 11.955 Tf 12.25 0 Td[(1testerrors.Intheliterature,numerousdeterministicdesignsfor(d,z)-disjunctmatrixhavebeenprovided(summarizedin[ 16 ]),however,theseconstructionsoftensufferfromhighcomputationalcomplexity,thusarenotefcientforpracticaluseanddistributedimplementation. Ontheotherhand,toourbestknowledge,theonlyrandomizedconstructionfor(d,z)-disjunctmatrixduestoCheng'sworkviaq-narymatrix[ 11 ],whichresultsina(d,z)-disjunctmatrixofsizet1nwithprobabilityp0,wheret1is4.28d2log2 1)]TJ /F3 11.955 Tf 11.95 0 Td[(p0+4.28d2logn+9.84dz+3.92z2ln2n)]TJ /F6 11.955 Tf 11.95 0 Td[(1 1)]TJ /F3 11.955 Tf 11.95 0 Td[(p0withtimecomplexityO(n2logn).Comparedwiththiswork,weadvanceaclassicrandomizedconstructionford-disjunctmatrix,namely,randomincidenceconstruction[ 16 ][ 25 ],togenerate(d,z)-disjunctmatrixwhichcannotonlygeneratecomparablysmallertnmatrix,butalsohandlethecasewherezisnotknownbeforehand,instead,onlytheerrorprobabilityofeachtestisboundedbysomeconstant.Althoughzcanbequitelooselyupperboundedbyt,yettisnotaninput.Themotivationofthisconstructionliesintherealtestscenarios,theerrorprobabilityofeachtestisunknownandasymmetric,henceitisimpossibletoevaluatezbeforeknowingthenumberofpools. Theorem2.0.1. Mis(d,z)-disjunctmatrixwitht=2(d+1)d+1 dd(z)]TJ /F6 11.955 Tf 11.95 0 Td[(1+lns+(d+1)lnn)rowswithprobability(1)]TJ /F12 7.97 Tf 13.15 4.71 Td[(1 s)foraconstantswherescanbearbitrarilylarge. 19

PAGE 20

Algorithm1ETGconstruction 1: Input:n,d,z,s; 2: Output:(d,z)-disjunctmatrixwithprobability(1)]TJ /F12 7.97 Tf 13.15 4.7 Td[(1 s) 3: Setp=1 d+1, 4: Sett=2(d+1)d+1 dd(z)]TJ /F6 11.955 Tf 11.96 0 Td[(1+lns+(d+1)lnn) 5: ConstructatnmatrixMbylettingeachentrytobe1withprobabilityp. 6: returnM Proof. Misnot(d,z)-disjunctmatrixifforanysinglecolumnc0andanyotherdcolumnsc1,cd,thereareatmostz)]TJ /F6 11.955 Tf 13.07 0 Td[(1rowswherec0has1andallc1,cdhave0.Bydenotingp=(1 2)l,consideringaparticularcolumnanddothercolumnsinthematrix,theprobabilityofsuchfailurepatternis:z)]TJ /F12 7.97 Tf 6.59 0 Td[(1Xi=0ti[p(1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d]i[1)]TJ /F3 11.955 Tf 11.96 0 Td[(p(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d]t)]TJ /F7 7.97 Tf 6.59 0 Td[(i Sousetheunionboundforallpossiblecombinationsandpermutationsof(d+1)columns,wehavethefailurepossibilityboundedbyP1(d+1)nd+1z)]TJ /F12 7.97 Tf 6.59 0 Td[(1Xi=0ti[p(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d]i[1)]TJ /F3 11.955 Tf 11.95 0 Td[(p(1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d]t)]TJ /F7 7.97 Tf 6.59 0 Td[(i HereconsidertheCDFofbinomialseriesandassumethatz)]TJ /F6 11.955 Tf 11.96 0 Td[(1tp(1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d(assert1),wethenhaveP1nd+1exp()]TJ /F6 11.955 Tf 10.49 8.08 Td[((tp(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)]TJ /F3 11.955 Tf 11.95 0 Td[(z+1)2 2tp(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d) byChernoffbound.Toboundthisby1 s,i.e.,P1nd+1exp()]TJ /F6 11.955 Tf 10.5 8.09 Td[((tp(1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)]TJ /F3 11.955 Tf 11.96 0 Td[(z+1)2 2tp(1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)1 s wecanderivethat(assert2) p(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)dz)]TJ /F6 11.955 Tf 11.95 0 Td[(1+lns+(d+1)lnn t)]TJ /F9 11.955 Tf 10.5 19.18 Td[(p ln2(snd+1)+2(z)]TJ /F6 11.955 Tf 11.96 0 Td[(1)lnsnd+1 t 20

PAGE 21

(infeasiblebyassert1)orp(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)dz)]TJ /F6 11.955 Tf 11.95 0 Td[(1+lns+(d+1)lnn t+p ln2(snd+1)+2(z)]TJ /F6 11.955 Tf 11.96 0 Td[(1)lnsnd+1 t Therefore,wecanderivedthelowerboundt2(d+1)d+1 dd(z)]TJ /F6 11.955 Tf 11.95 0 Td[(1+lns+(d+1)lnn) Corollary2.0.1. Giventhateachtesthasanindependenterrorprobability,Mis(d,z)-disjunctmatrixwitht=lnn(d+1)2)]TJ /F12 7.97 Tf 6.58 0 Td[(2(d+1)ln1 s ()]TJ /F16 7.97 Tf 6.59 0 Td[((d+1))2withprobability(1)]TJ /F12 7.97 Tf 13.15 4.71 Td[(1 s)forarbitrarys. Proof. Substitutingzbytintheproofabovecompletesthisproof. Theorem2.0.2. TheETGalgorithmproducesa(d,z)-disjunctmatrixwithprobabilityp0wherep0canbearbitrarilyapproaching1. Theworst-casenumberofrowsofthismatrixisboundedby3.78(d+1)2logn+3.78(d+1)log(2 1)]TJ /F3 11.955 Tf 11.96 0 Td[(p0))]TJ /F6 11.955 Tf 11.96 0 Td[(3.78(d+1)+5.44(d+1)(z)]TJ /F6 11.955 Tf 11.95 0 Td[(1),muchsmallerthan4.28d2log2 1)]TJ /F7 7.97 Tf 6.58 0 Td[(p0+4.28d2logn+9.84dz+3.92z2ln2n)]TJ /F12 7.97 Tf 6.59 0 Td[(1 1)]TJ /F7 7.97 Tf 6.59 0 Td[(p0. Assumezt,theworst-casenumberofrowsbecomest=lnn(d+1)2)]TJ /F12 7.97 Tf 6.59 0 Td[(2(d+1)ln(1)]TJ /F7 7.97 Tf 6.59 0 Td[(p0) ()]TJ /F16 7.97 Tf 6.58 0 Td[((d+1))2where=(d=(d+1))dandasymptoticallyt=O(d2logn). Theorem2.0.3. ThetimecomplexityoftheETGalgorithmisO(d2nlogn),smallerthanO(n2logn),providedthatd


PAGE 22

CHAPTER3AGROUPTESTINGBASEDDETECTIONOFAPPLICATIONDENIAL-OF-SERVICEATTACKERS Denial-of-Service(DoS)attack,whichaimstomakeaserviceunavailabletolegitimateclients,hasbecomeaseverethreattotheInternetsecurity[ 24 ].TraditionalDoSattacksmainlyabusethenetworkbandwidtharoundtheInternetsubsystemsanddegradethequalityofservicebygeneratingcongestionsatthenetwork[ 66 ][ 24 ].Consequently,severalnetworkbaseddefensemethodshavetriedtodetecttheseattacksbycontrollingtrafcvolumeordifferentiatingtrafcpatternsattheintermediaterouters[ 69 ][ 54 ].However,withtheboostinnetworkbandwidthandapplicationservicetypesrecently,thetargetofDoSattackshaveshiftedfromnetworktoserverresourcesandapplicationproceduresthemselves,forminganewapplicationDoSattack[ 52 ][ 66 ]. Asstatedin[ 66 ],byexploitingawsinapplicationdesignandimplementation,applicationDoSattacksexhibitthreeadvantagesovertraditionalDoSattackswhichhelpevadenormaldetections:malicioustrafcisalwaysindistinguishablefromnormaltrafc,adoptingautomatedscripttoavoidtheneedforalargeamountofzombiemachinesorbandwidthtolaunchtheattack,muchhardertobetracedduetomultiplere-directionsatproxies.Accordingtothesecharacteristics,themalicioustrafccanbeclassiedintolegitimate-likerequestsoftwocases:(i)atahighinter-arrivalrate,(ii)consumingmoreserviceresources.Werefertothesetwocasesashigh-rateandhigh-workloadattacksrespectivelythroughoutthischapter. Sincetheseattacksusuallydonotcausecongestionatthenetworklevel,thusbypassthenetwork-basedmonitoringsystem[ 24 ],detectionandmitigationattheend-systemofthevictimservershavebeenproposed[ 52 ][ 30 ][ 48 ].AmongthemtheDDoSshield[ 52 ]andCAPTCHA-baseddefenses[ 30 ]aretherepresentativesofthetwomajortechniquesofsystem-basedapproaches:sessionvalidationbasedonlegitimatebehaviorproleandauthenticationusinghuman-solvablepuzzles.Byenhancingtheaccuracyofthesuspicionassignmentforeachclientsession,DDoSshieldcan 22

PAGE 23

provideefcientsessionschedulersfordefendingpossibleDDoSattacks.However,theoverheadforper-sessionvalidationisnotnegligible,especiallyforserviceswithdensetrafc.CAPTCHA-baseddefensesintroduceadditionalservicedelaysforlegitimateclientsandarealsorestrictedtohuman-interactionservices. Akernelobservationandbriefsummaryofourmethodis:theidenticationofattackerscanbemuchfasterifwecanndthemoutbytestingtheclientsingroupinsteadofone-by-one.Thusthekeyproblemishowtogroupclientsandassignthemtodifferentservermachinesinasophisticatedway,sothatifanyserverisfoundunderattack,wecanimmediatelyidentifyandltertheattackersoutofitsclientset.Apparently,thisproblemresemblesthegroup-testing(GT)theory[ 16 ]whichaimstodiscoverdefectiveitemsinalargepopulationwiththeminimumnumberoftestswhereeachtestisappliedtoasubsetofitems,calledpools,insteadoftestingthemonebyone.ThereforeweapplyGTtheorytothisnetworksecurityissueandproposespecicalgorithmsandprotocolstoachievehighdetectionperformanceintermsofshortdetec-tionlatencyandlowfalsepositive/negativerate.Sincethedetectionsaremerelybasedontheapplicationservicestatusofthevictimservers,noindividuallysignature-basedauthenticationsordataclassicationsarerequired,thusitmayovercomethelimitationsofthecurrentsolutions. Toourbestknowledge,therstattemptstoapplyGTtonetworkingattackdefenseareproposedinparallelbyThaiet.al[ 63 ](whichisthepreliminaryworkofthisjournal)andKhattabetal[ 34 ].ThelatterproposedadetectionsystembasedonReduced-RandomnessNonadaptiveCombinatorialGroupTesting[ 25 ].However,sincethismethodonlycountsthenumberofincomingrequestsratherthenmonitoringtheserverstatus,itisrestrictedtodefendinghigh-rateDoSattacksandcannothandlehigh-workloadones). Inasystemviewpoint,ourdefenseschemeistoembedmultiplevirtualserverswithineachphysicalback-endserver,andmapthesevirtualserverstothetesting 23

PAGE 24

poolsinGT,thenassignclientsintothesepoolsbydistributingtheirservicerequeststodifferentvirtualservers.Byperiodicallymonitoringsomeindicators(e.g.,averagerespondingtime)forresourceusageineachserver,andcomparingthemwithsomedynamicthresholds,allthevirtualserverscanbejudgedassafeorunderattack.BymeansofthedecodingalgorithmofGT,alltheattackercanbeidentied.Therefore,thebiggestchallengesofthismethodarethree-fold:(1)Howtoconstructatestingmatrixtoenablepromptandaccuratedetection.(2)Howtoregulatetheservicerequeststomatchthematrix,inpracticalsystem.(3)Howtoestablishproperthresholdsforserversourceusageindicator,togenerateaccuratetestoutcomes. SimilartoalltheearlierapplicationsofGT,thisnewapplicationtonetworksecurityrequiresmodicationsoftheclassicalGTmodelandalgorithms,soastoovercometheobstacleofapplyingthetheoreticalmodelstopracticalscenarios.Specically,theclassicalGTtheoryassumesthateachpoolcanhaveasmanyitemsasneededandthenumberofpoolsfortestingisunrestricted.However,inordertoproviderealapplicationservices,virtualserverscannothaveinnitequantityorcapacity,i.e.,constraintsonthesetwoparametersarerequiredtocompleteourtestingmodel. Ourmaincontributionsinthischapterareasfollows: Proposeanewsize-constrainedGTmodelforpracticalDoSdetectionscenarios. Provideanend-to-endunderlyingsystemforGT-basedschemes,withoutintroducingcomplexityatthenetworkcore. Providemultipledynamicthresholdsforresourceusageindicators,whichhelpavoiderrortestfromlegitimateburstsanddiagnoseservershandlingvariousamountofclients. Presentthreenoveldetectionalgorithmsbasedontheproposedsystem,andshowtheirhighefcienciesintermsofdetectiondelayandfalsepositive/negativerateviatheoreticalanalysisandsimulations. BesidesapplicationDoSattacks,ourdefensesystemisapplicabletoDoSattacksonotherlayers,e.g.protocol-layerattackSYNood[ 54 ]wherevictimserversareexhaustedbymassivehalf-openconnections.Althoughtheseattacksoccurindifferent 24

PAGE 25

layersandofdifferentstyles,thevictimmachineswillgraduallyrunoutofserviceresourceandindicateanomaly.Sinceourmechanismonlyreliesonthefeedbackofthevictims,insteadofmonitoringtheclientbehaviorsorproperties,itispromisingtotackletheseattacktypes. Thechapterisorganizedasfollows.Section 3.2 presentstheattackermodelandvictim/detectionmodelofoursystem.InSection 3.3 ,weproposethedetectionstrategyderivedfromtheadjustedGTmodel,andillustratethedetailedcomponentsinthepresentedsystem.DescriptionandlatencyanalysisofthreeconcretedetectionalgorithmsareincludedinSection 3.4 ,whileSection 3.5 providestheresultsofoursimulationintermsofthedetectiondelayandfalsepositiverate.Wereachourconclusionbysummatingourcontributionsandprovidingfurtherdiscussionsoverfalsepositive/negativerateinSection 3.6 3.1RelatedWorks NumerousdefenseschemesagainstDoShavebeenproposedanddeveloped[ 46 ].Bytakingeffectatdifferentlevels,thesedefensescanbecategorizedintonetwork-basedmechanismsandsystem-basedones. Existingnetwork-basedmechanismsaimtoidentifythemaliciouspacketsattheintermediateroutersorhosts[ 69 ][ 32 ],byeithercheckingthetrafcvolumesorthetrafcdistributions.However,theapplicationDoSattackshavenonecessarydeviationintermsofthesemetricsfromthelegitimatetrafcstatistics,therefore,network-basedmechanismscannotefcientlyhandlethisattacktype. Ontheotherhand,plentyofproposedsystem-basedmechanismstriedtocaptureattackersattheendserverbyauthentications[ 35 ][ 30 ]orclassications[ 52 ][ 32 ].Honeypots[ 35 ]areusedtotrapattackerswhoattempttoevadeauthentications,andcanefcientlymitigateoodattacks.However,thismechanismkindreliesontheaccuracyofauthentication.Oncetheattackerpassestheauthentication,alltheproductiveserversareexposedandtargeted.Classication-basedmethodsstudyon 25

PAGE 26

thetrafcbehaviormodel,forexample,theinter-arrivaltimedistribution[ 52 ]andthebandwidthconsumptionpattern[ 32 ].Witharigorousclassicationcriteria,abnormalpacketscanbelteredout,butthisrequiresindividuallycheckingeachsessionandcansignicantlyincreasetheoverheadofthesystem.Besidesthesetwodefensetypes,Kandulaetal.augmentstheprotectedservicewithCAPTCHApuzzleswhicharesolvablebyhumanclientsbutzombiemachines.Thistechniquecaneliminatetheservicerequestsfrombonnets,butitalsobringsinadditionaloperationsattheclientends,whichdelaystheconsumerfromreceivingservices. Inparallelwithus,Khattabetal.proposedanothersystem-basedlive-baitingdefenseschemebyapplyinggrouptestingtheorytoapplicationDoSdetection.Basedonahighprobabilityd-disjunct[ 25 ]matrix,theirsystemavoidedlargemodicationstothenetworktopologybyspanningtheincomingrequeststomultiplevirtualservesfortesting,usingencryptedtoken,whichwillalsobenetourdetectionsystem.However,thelive-baitingmechanismneedstobeimprovedinseveralfacets:Firstly,thenumberofstates(poolsfortesting)isnotassmallasO(d),asstated.ThereforethenumberofstatestomaintainisstillapproachingO(n).Secondly,thestaticthresholdHigh-Water-Mark(HWM),whichisthearrivingrequestaggregateateachserverperiodically,isnotaccurateforthepossibleasymmetricrequestdistributionontheassignedserverstooneclientinround-robin.Moreover,thisthresholdcannotbeusedtoserverswithdynamicclientset.Thirdly,thevirtualserversaremerelyrequestcounters,andcannottacklethehigh-workloadrequests.Inoursystem,virtualserverswithlimitedserviceresourcesaremappedtotestingpoolsandtestedwithdynamicthresholds,thuscanovercometheselimitations. 3.2ProblemModels 3.2.1AttackerModel Themaximumdestructioncausedbytheattacksincludesthedepletionoftheapplicationserviceresourceattheserverside,theunavailabilityofserviceaccessto 26

PAGE 27

legitimateuser,andpossiblefatalsystemerrorswhichrequirerebootingtheserverforrecovery.Weassumethatanymaliciousbehaviorscanbediscoveredbymonitoringtheserviceresourceusage,basedondynamicvaluethresholdsoverthemonitoredobjects.Datamanipulationandsystemintrusionareoutofthisscope. Similarto[ 52 ],weassumethatapplicationinterfacepresentedbytheserverscanbereadilydiscoveredandclientscommunicatewiththeserversusingHTTP/1.1sessionsonTCPconnections.Weconsideracasethateachclientprovidesanon-spoofID(e.g.SYN-cookie[ 38 ]),whichisutilizedtoidentifytheclientduringourdetectionperiod.DespitethattheapplicationDoSattackisdifculttobetraced,byidentifyingtheIDsofattackers,therewallcanblockthesubsequentmaliciousrequests. Asmentionedabove,theattackersareassumedtolaunchapplicationservicerequestseitherathighinter-arrivalrateorhighworkload,orevenboth.ThetermrequestreferstoeithermainrequestorembeddedrequestforHTTPpage.Sincethedetectionschemeproposedwillbeorthogonaltothesessionafnity,wedonotconsidertherepeatedone-shotattackmentionedin[ 52 ]. Wefurtherassumethatthenumberofattackersdnwherenisthetotalclientamount.Thisarisesfromthecharacteristicsofthisattack.Duetothebenetsofvirtualserversweemploy,thisconstraintcanberelaxed,butwekeepitforthetheoreticalanalysisinthecurrentwork. 3.2.2Victim/DetectionModel Thevictimmodelinourgeneralframeworkconsistsofmultipleback-endservers,whichcanbeweb/applicationservers,databaseserversanddistributedlesystems.Wedonottakeclassicmulti-tierwebserversasthemodel,sinceourdetectionschemeisdeployeddirectlyonthevictimtierandidentiestheattackstargetingatthesamevictimtier,thusmulti-tierattacksshouldbeseparatedintoseveralclassestoutilizethisdetectionscheme.Thevictimmodelalongwithfront-endproxiesareshowninFig. 3-1 27

PAGE 28

Figure3-1. Victim/Detectionmodel Weassumethatalltheback-endserversprovidemultipletypesofapplicationservicestoclientsusingHTTP/1.1protocolonTCPconnections.Eachback-endserverisassumedtohavethesameamountofresourcewiththeothers.Moreover,theapplicationservicestoclientsareprovidedbyKvirtualprivateservers(Kisaninputparameter),whichareembeddedinthephysicalback-endservermachineandoperatinginparallel.Eachvirtualserverisassignedwithequalamountofstaticserviceresources,e.g.,CPU,storage,memoryandnetworkbandwidth.Theoperationofanyvirtualserverwillnotaffectothervirtualserversinthesamephysicalmachine.Thereasonsforutilizingvirtualserversaretwo-fold:rst,eachvirtualservercanrebootindependently,thusisfeasibleforrecoveryfrompossiblehugedestruction;second,thestatetransferoverheadformovingclientsamongdifferentvirtualserversismuchsmallerthanthetransferamongphysicalservermachines. Aslongastheclientrequestsarriveatthefront-endproxy,theywillbedistributedtomultipleback-endserversforload-balancing,whethersessionstickornot.Noticethatourdetectionschemeisbehindthisfront-endtier,sotheload-balancingmechanism 28

PAGE 29

isorthogonaltooursetting.Onbeingacceptedbyonephysicalserver,onerequestwillbesimplyvalidatedaccordingtothelistofallidentiedattackerIDs(black-list).Ifitpassestheauthentication,itwillbedistributedtoonevirtualserverswithinthismachinebymeansofvirtualswitch.Thisdistributiondependsonthetestingmatrixgeneratedbythedetectionalgorithm.Byperiodicallymonitoringtheaverageresponsetimetoservicerequestsandcomparingitwithspecicthresholdsfetchedfromalegitimateprole,eachvirtualserverisassociatedwithanegativeorpositiveoutcome.Thereout,adecisionovertheidentitiesofallclientscanbemadeamongallphysicalservers,asdiscussedfurtherinthefollowingSection 3.3 3.3StrategyandDetectionSystem 3.3.1SizeConstraintGroupTesting Asmentionedinthedetectionmodel,eachtestingpoolismappedtoavirtualserverwithinaback-endservermachine.Althoughthemaximumnumberofvirtualserverscanbeextremelyhuge,sinceeachvirtualserverrequiresenoughserviceresourcestomanageclientrequests,itispracticaltohavethevirtualserverquantity(maximumnumberofservers)andcapacity(maximumnumberofclientsthatcanbehandledinparallel)constrainedbytwoinputparametersKandwrespectively.Therefore,thetraditionalGTmodelisextendedwiththeseconstraintstomatchoursystemsetting. Denition3.3.1. SizeConstraintGroupTesting(SCGT):Forany01-matrixM,letwi=Pnj=1M[i,j]betheweightoftheithpool,andtbethenumberofpools.Themodelisforidentifyingddefecteditemsintheminimumperiodoftime,byconstructingmatrixMtnandconductinggrouptestingproceduresbasedonthat,wherewiwforgivenwandtKforgivenserverquantityK. Themaximumnumberofattackersdisassumedknownbeforehand.Scenarioswithnon-deterministicdareoutofthescopeofthischapter.Infactthesescenarioscanbereadilyhandledbyrsttestingwithanestimatedd,thenincreasingdifexactlydpositiveitemsarefound. 29

PAGE 30

Table3-1. MainNotations n numberofclients K numberofservermachines d maximumnumberofattacks, 1dn(practically,dn) w maximumnumberofclientsthatcanbehandled byavirtualserverinparallel rleg themaximuminter-arrivalrate oflegitimaterequestsfromoneclient P lengthoftimeofeachtestinground A thesetofserversusedfortesting S thesetofsuspectclients I thesetofserverswhichareunderattack L thesetofclientsconnectingtonegativeservers G thenumberofnon-testingmachines 3.3.2DetectionSystem Theimplementationdifcultiesofourdetectionschemearethree-fold:howtoconstructpropertestingmatrixM,howtodistributeclientrequestsbasedonMwithlowoverheadandhowtogeneratetestoutcomewithhighaccuracy.Wewilladdressthelasttwointhissectionandleavetherstonetothenextsection. Table 3-1 includesthenotationsusedthroughoutthechapter. 3.3.2.1Systemoverview Asmentionedinthedetectionmodel,eachback-endserverworksasanindependenttestingdomains,whereallvirtualserverswithinitserveastestingpools.Inthefollowingsections,weonlydiscusstheoperationswithinoneback-endserver,anditissimilarinanyotherservers.Thedetectionconsistsofmultipletestingrounds,andeachroundcanbesketchedinfourstages(Fig. 3-3 ): First,generateandupdatematrixMfortesting. Second,assignclientstovirtualserversbasedonM.Theback-endservermapseachclientintoonedistinctcolumninManddistributesanencryptedtokenqueuetoit.Eachtokeninthetokenqueuecorrespondstoan1-entryinthemappedcolumn.i.e.,clientjreceivesatokenwithdestinationvirtualserveriiffM[i,j]=1.Bypiggybacked 30

PAGE 31

Figure3-2. 2-modediagramofthesystem withonetoken,eachrequestisforwardedtoavirtualserverbythevirtualswitch.Inaddition,requestsarevalidatedonarrivingatthephysicalserversforfakedtokensoridentiedmaliceID.ThisprocedureensuresthatalltheclientrequestsaredistributedexactlyashowthematrixMregulates,andpreventsanyattackersfromaccessingthevirtualserversotherthantheonesassignedtothem. Third,alltheserversaremonitoredfortheirserviceresourceusageperiodically,specically,arrivingrequestaggregateandaverageresponsetimearerecordedandcomparedwithsomedynamicthresholdstobeshownlater.Allvirtualserversareassociatedwithpositiveornegativeoutcomesaccordingly. Fourth,decodetheseoutcomesandidentifylegitimateormaliciousIDs.Byfollowingthedetectionalgorithms(presentedinthenextsection),alltheattackerscanbeidentiedwithinseveraltestingrounds. Tolowertheoverheadanddelayintroducedbythemappingandpiggybackingforeachrequest,thesystemisexemptedfromthisprocedureinnormalservicestate.AsshowninFig. 3-2 ,theback-endservercyclesbetweentwostates,whichwereferasNORMALmodeandDANGERmode.Oncetheestimatedresponsetime(ERT)ofanyvirtualserverexceedssomeprole-basedthreshold,thewholeback-endserverwilltransfertotheDANGERmodeandexecutethedetectionscheme.Whenevertheaverageresponsetime(ART)ofeachvirtualserverfallsbelowthethreshold,thephysicalserverreturnstoNORMALmode. 31

PAGE 32

Figure3-3. Onetestingroundindangermode 3.3.2.2Congurationdetails Severalcriticalissuesregardingtheimplementationareasfollows. SessionStateTransfer.Bydeployingthedetectionserviceontheback-endservertier,ourschemeisorthogonalwiththesessionstatetransferproblemcausedbytheload-balancingatthereverseproxies(front-endtier).Tosimplifythediscussionofimplementationdetails,weassumethatthefront-endproxiesdistributeclientrequestsstrictlyeventotheback-endservers,i.e.,withoutconsideringsessionstickissues.Thewayofdistributingtokenqueuestobementionedlateristightlyrelatedtothisassumption.However,eveniftheproxiesconductmoresophisticatedforwarding,thetokenqueuedistributioncanbereadilyadaptedbymanipulatingthetokenpiggybackingmechanismattheclientsideaccordingly. Sincethetestingprocedurerequiresdistributingintra-sessionrequeststodifferentvirtualservers,theoverheadformaintainingconsistentsessionstateisincurred.Ourmotivationofutilizingvirtualserversistodecreasesuchoverheadtotheminimum,sincemultiplevirtualserverscanretrievethelatestclientstatethoughthesharedmemory,whichresemblestheprincipleofNetworkFileSystem(NFS).Analternativewayoutistoforwardintra-sessionrequeststothesamevirtualserver,whichcallsforlongertestingperiodforeachround(tobefurtherdiscussedinthePsection),butwepreferfasterdetectioninthischapterandthusadopttheformermethod. 32

PAGE 33

MatrixGenerations.ThetestingmatrixM,whichregulatesdistributingwhichclientrequesttowhichserver,posesasthekernelpartofthischapter.AllthethreealgorithmsproposedinthenextsectionareconcerningwiththedesignofMforthepurposeofshorteningthetestingperiodanddecreasingthefalsepositve/negativerate.Sincethedetectionphaseusuallyundergoesmultipletestingrounds,Misrequiredtobere-generatedattheendofeachroundandusedforthenextround.ThetimeoverheadforcalculatingthisMisquitelowandwillbeshownviaanalyticalproofsinSection 3.4 DistributingTokens.Twomainpurposesofutilizingtokensareassociatingeachclientwithaunique,non-spoofedIDandassigningthemtoasetofvirtualserversbasedonthetestingmatrix.Onreceivingtheconnectionrequestfromaclient,eachback-endserverresponseswithatokenqueuewhereeachtokenisof4-tuple:(clientID,virtualserverID,matrixversion,encryptedkey).clientIDreferstotheuniquenon-spoofedindexforeachclient,whichweassumeunchangedduringourtestingperiod(DANGERmode).virtualserverIDistheindexofeachvirtualserverwithintheback-endserver.Thiscanbeimplementedasasimplyindexvalue,orthroughamappingfromtheIPaddressesofallvirtualservers.Theback-endserverblocksout-of-datetokensbycheckingtheirmatrixversionvalue,toavoidmessinguptherequestdistributionwithnon-uniformmatrices.Withregardtotheencryptedkey,itisanencryptedvaluegeneratedbyhashingtheformerthreevaluesandasecuredservicekey.Thishelpsruleoutanyfakedtokensgeneratedbyattackers. Assumethattheload-balancingattheproxiesisstrictlyevenforallback-endservers,theclienthastoagreeonpiggybackingeachrequestwithatokenattheheadofonetokenqueue,andthenthenextrequestwiththetokenattheheadofthenexttokenqueue,whenreceivingthisapplicationservice.Noticethattherearemultipletokenqueuesreleasedbymultipleback-endservers,itisnon-trivialtoimplementthecorrectrequestdistribution. 33

PAGE 34

LengthofTestingRoundP.SinceweneedtodistributetherequestsexactlythewayMregulates,itispossiblethat:ifPistooshort,someclientsmaynothavedistributedtheirrequeststoalltheirassignedservers,i.e.,notallthe1-entriesinMarematchingwithatleastonerequest.Foranattackerwholaunchesalow-ratehigh-workloadattack,itshigh-workloadrequestsmayonlyenterapartofitsassignedservers,sofalsenegativeoccursinthiscase.However,ifPistoolong,thedetectionlatencywillbesignicantlyincreased.Inthischapter,wepredeneapropervalueforP,whichislongenoughforeachclienttospreadtheirrequeststoalltheassignedservers,i.e.,eachcolumnneedstobemappedwithatleastPti=1M[i,j]requests.Therefore,P=nmaxj=1tXi=1M[i,j]=rmin wherermindenotestheminimuminter-arrivalrequestrate,providesatheoreticallowerboundofP. LegitimateProle.Thelegitimateproledoesnotrefertothesessionbehaviorproleforlegitimateclients,butinsteadrecordsthedistributionoftheARTonavirtualserverreceivingonlylegitimatetrafc.Maliciousrequestsarecertainlytogeneratedestructionstothevictimservermachines,whoseARTwillusuallybemuchhigherthanthatofnormalcases.Therefore,ARTcanworkasanindicatoroftheapplicationresourceusage.However,theresourceusagevariesfordifferenttimeintervals(peak/non-peaktime)duetothechangeofclientquantity,sowealsoinvestigatetheARTdistributionsregardingeachpossiblenumberofclients,assumingthatthereareatmostnclients. Asampleconstructionofthisproleis:ThedistributionsofARTinlegitimatetrafcatdifferenttimeintervalsforseveralweeksareobtainedafterthesystemisestablished.Legitimatetrafccanbeachievedbyde-noisingmeasuresandrulingouttheinuencesofpotentialattacks[ 55 ].TheithentryoftheprolerecordsthedistributionofARTonavirtualserverwithi2[1,n]clients.Specically,weassigniclientstoavirtualserver, 34

PAGE 35

andevenlydividetheroundlengthPinto100sub-intervals(whichwereferasPsubthroughoutthechapter),andmonitortheserverARTwithineachsub-intervalPsub. NORMALmodeandTransferThreshold.Todecreasethelengthofdetectionperiod,whereadditionalstatemaintenanceoverheadandservicedelaycannotbeavoided,theback-endserverclusterprovidesnormalservicetoclients,withoutanyspecialregulations.ThisisreferredasNORMALmode,whichtakesERT(estimatedresponsetime)asamonitoringobject.NoticethatERTisanexpectedvalueforARTinthenearfuture,andcanbecomputedviaERT=(1)]TJ /F11 11.955 Tf 11.96 0 Td[()ERT+ART whereisdecayweightforsmoothinguctuations.Sincetheinter-arrivalrateandworkloadofclientrequestcanberandomizeddistributed,itisdifculttoperfectlyttheARTdistributionusingclassicdistributionfunctions.ConsideringthatNormalDistribution[ 13 ]canprovideanapproximatettingtoART,weadoptasimpliedthresholdbasedonEmpiricalRule:IfanyvirtualserverhasanERT>+4(anddenotetheexpectedvalueandstandarddeviationofthettedARTdistribution),theback-endserverisprobablyundergoinganattack,andthustransferstoDANGERmodefordetection.Toenhancetheaccuracyofthisthreshold,moresophisticateddistributionscanbeemployedforttingthesamples,however,highercomputationoverheadwillbeintroducedforthethreshold. DANGERmodeandAttackThreshold.InDANGERmode,besidestheARTvalues,theback-endserversimultaneouslycountsthearrivingrequestaggregatewithineachPsubforeachvirtualserver.Themotivationofthisstrategyarisesfromthefactthat,high-rateDoSattacksalwayssaturatetheserverbufferwithalargeamountofmaliciousrequests.Bycountingthenumberofarrivingrequestsperiodically,possiblehigh-rateattackscanbedetectedevenbeforedepletingtheserviceresources. 35

PAGE 36

Wepre-deneRasamaximumlegitimateinter-arrivalrate,andderiveaupperboundofthearrivingrequestaggregateCjforvirtualserverjwithinperiodPsubas:Cj=XM[j,i]bPts=j+1M[s,i]+RPsub Ptk=1M[k,i]c Oncethisthresholdisviolatedinavirtualserver,itisforsureundergoinghigh-rateattacksorash-crowdtrafc.Apositiveoutcomecanbegeneratedforthistestinground. TheoutcomegenerationbymonitoringtheARTvalueforavirtualserverconsistsofthefollowingdetailedsteps: 1. checktheARTdistributionproleforthevaluesofparametersand,asmentionedintheNORMALmodesection; 2. amongallthe100sub-intervalsPsub(eachisP=100)withinthecurrenttestingperiodP,ifnoviolation:ART+4occursinanyPsub,thevirtualservergetsnegativeoutcomeforthistestinground; 3. ifforsomesub-intervalPsubs,ART+4occurs,thisvirtualserverisindanger,eitherunderattack,orundergoingash-crowdtrafc.Inthiscase,wewaittilltheendofthisroundtogetthedistributionofARTvaluesforallPsubsforfurtherdecision; 4. iftheratioofdangersub-intervalsPsubswithART+4,overthetotalsub-intervalamount(100inthiscase),exceedssomequantileregulatedbytheEmpiricalRule,e.g.,quantile4%forcondenceinterval[+2,1),thisvirtualserverwillbelabeledaspositive; 5. fortheothercases,thevirtualserverwillhaveanegativeoutcome. Afteridentifyinguptodattackers,thesystemremainsintheDANGERmodeandcontinuesmonitoringtheARTforeachvirtualserverforonemoreround.Ifallthevirtualservershavenegativeoutcomes,thisback-endserverisdiagnosedashealthyandreturntototheNORMALmode,otherwisefurtherdetectionswillbeexecuted(becauseoferrortests). Withregardtothetwoobjectsmonitored,Cjprovidesdifferentcountingthresholdsfordifferentvirtualservers,whileARTprolesuppliesdynamicthresholdsforvirtual 36

PAGE 37

servercontainingdifferentamountsofclient.Thecombinationofthesetwodynamicthresholdsarehelpsdecreasethetestinglatencyandfalserate. MultipleTestingDomains.Withrespecttothewholeback-endservercluster,multipletestingdomainsoperateduringtheDANGERmode.Testsoverthesameclientwithindifferenttestingdomainsprovideabenetfordecreasingthefalsepositiverate.Inanotherwords,duetotheexistenceoferrortests,somelegitimateclientsmightbeidentiedasmaliceinsomedomains,whilenotintheothers.Byanalyzingtheratioofeventsthatitisidentiedasmalice,thesystemcanprovideamorereliableidenticationresult.Ontheotherhand,itisoftenthecasethatattackersaimtoattackamajorityofservers,sotheycanstillbecaughtevenifsomedomainsfailtodetectthem.Therefore,bothfalsepositiveandnegativecasescanbefurtheralleviated. 3.4DetectionAlgorithmsandLatencyAnalyses Basedonthesystemframeworkabove,weproposethreedetectionalgorithmsSDP,SDoPandPNDinthissection.Notethatthelengthofeachtestingroundisapre-denedconstantP,henceweanalyzethealgorithmcomplexityintermsofthenumberoftestingroundsforsimplicity.Sinceallthesealgorithmsaredeterministicandintroducenofalsepositive/negativerate(comparedtothenon-deterministicconstructionin[ 34 ]),allthetesterrorsresultfromtheinaccuracyofthedynamicthreshold.WewilldiscussonthisinSection 3.6 Basedonourassumption,thereisauniqueIDforeachclient,thusthetwoitemsIDandclientareinterchangeableinthissection.Inaddition,allthefollowingalgo-rithmsareexecutedineachphysicalback-endserver,whichisanindependenttestingdomainasmentioned.Therefore,thetermserversdenotetheKvirtualserversinthissection. Forsimplicity,weassumethatn0(modK),n>wd1andjAjd+1.NoticethatthelastinequalityholdsinpracticebecauseofthepropertiesofapplicationDoSattacksindicatedabove. 37

PAGE 38

3.4.1SequentialDetectionwithPacking Thisalgorithminvestigatesthebenetofclassicsequentialgrouptesting,i.e.,optimizingthegroupingofthesubsequenttestsbyanalyzingexistingoutcomes.Similartotraditionalsequentialtesting,eachclient(column)onlyappearsinonetestingpool(server)atatime.However,tomakefulluseoftheavailableKservers,wehaveallserversconducttestinparallel.DetailscanbefoundinAlgorithm 2 Algorithm2SequentialDetectionwithPacking(SDP) 1: whilejSj6=0do 2: forallserveriinAdo 3: wi djSj jAje//Assignevennumberofdistinctclientstoeachserver. 4: endfor 5: G dn)]TJ /F12 7.97 Tf 6.59 0 Td[((jSj)]TJ /F12 7.97 Tf 8.94 0 Td[((jAnIj)wi) we//IdentiedlegitimateIDsexemptfromthefollowingtests.TheirsubsequentrequestsaredirectedtoandhandledbyGnon-testingservers,whichareselectedfromtheKserversandonlyprovidenormalservices(notesting).Wecallthisprocessaspackingtheclientsintonon-testingservers. 6: forallserveriunderattackdo 7: Q setofIDsoni 8: ifjQj=1then 9: S SnQ//ThisIDbelongstoanattacker.Additintotheblack-list. 10: endif 11: endfor 12: S SnL//AllIDsonsafe(withnegativetestoutcome)serversareidentiedaslegitimate. 13: A fserver1,...,server(K)]TJ /F3 11.955 Tf 16.6 0 Td[(G)g//SelecttherstGserversasnon-testingmachines. 14: endwhile AlgorithmDescription.ThebasicideaofSDPalgorithmcanbesketchedasfollows.GivenasetSofsuspectIDs,werstrandomlyconnectthemtotheavailabletestingserversinsetA,whereeachserverwillreceiverequestsfromapproximatelythesamenumberofclients,roughlywi=djSj jAje.Foreachtestround,weidentifytheIDsonthenegativeserversaslegitimateclients,andpackthemintoanumberGofnon-testingmachines.Sincetheyneednomoretests,onlynormalserviceswillbeprovidedforthefollowingrounds.Asmoretestingserverswillspeedupthetests,givenatmostK 38

PAGE 39

ASDPalgorithm BSDoPalgorithm Figure3-4. AdetectionexampleofhowSDP(SequentialDetectionwithPacking)andSDoP(SequentialDetectionwithoutPacking)work. servermachinesintotal,Gisthensupposedtobeminimizedtotheleast,aslongasallidentiedlegitimateclientscanbehandledbythenon-testingw-capacityservers.HenceG=dn)]TJ /F12 7.97 Tf 6.59 0 Td[((jSj)]TJ /F12 7.97 Tf 8.94 0 Td[((jAnIj)wi) we. WiththeassumptionjAj>d+1,wehaveatleastjAj)]TJ /F3 11.955 Tf 19.14 0 Td[(dserverswithnegativeoutcomesineachtestinground,henceatleast(jAj)]TJ /F3 11.955 Tf 18.41 0 Td[(d)wilegitimateIDsareidentied.IfanyservercontainingonlyoneactiveIDisfoundunderattack,theonlyIDissurelyanattacker.ThenitsIDisaddedintotheblack-listandallitsrequestsaredropped.IteratethealgorithmuntilallIDsareidentied,maliciousorlegitimate.Viathepackingstrategy,legitimateclientscanexemptfromtheinuenceofpotentialattacksassoonastheyareidentied. Example.A3-rounddetectionexampleinFig. 3-4A illustratestheexecutionofthisalgorithm.Matricesfromuptobottomarecorrespondingtothreedetectionsrespectively.Column1and3(incircle)arecorrespondingtotwomaliciousclients,whiletheothersarelegitimateones. 39

PAGE 40

Givenn=10,d=2,K=5,andw=4.LetjSj=10,jAj=5,andID1,3betheattackers.Intherstround,wi=2yieldstwoIDsoneachserver.Accordingtoourconguration,server1andserver2(containingID1and3respectively)willindicatebeingunderattack,i.e.,jIj=2andjAnIj=3,packlegitimateIDsontheotherthreeserversintoG=2servers.UpdatejSj=4andjAj=3.Inthesecondround,wi=2yieldsatmosttwoIDsoneachserver,assumethatserver1andserver3areunderattack,thenagainpackthelegitimateID4inserver2toserver4(server5isalreadyfull).Inthethirdround,server1and3onlycontainanattackerID1and3,respectively.Therefore,thetwoattackersareidentiedattheendofthisround. PerformanceAnalysis.WithregardtothecomputationaloverheadofthematrixMinthiscontext,itisare-mappingofthesuspectclientstothetestingserversbasedonquitetrivialstrategiesandprevioustestingoutcomes,thusisnegligibleanduptoO(1).ThetimecostofeachtestingroundisexactlyP,includingthere-computationtimeofthetestingmatrix. Besidesthis,theoveralltimecomplexityofthisalgorithmintermsofthenumberoftestingroundsaredepictedinthefollowingtheorems. Lemma3.4.1. Thenumberofavailabletestingservermachines:jAj2[K)-222(dn)]TJ /F7 7.97 Tf 6.59 0 Td[(d we,K]. Proof. Ineachround,thetotalnumberoflegitimateIDsn)]TJ /F6 11.955 Tf 13.11 0 Td[((jSj)]TJ /F6 11.955 Tf 20.25 0 Td[((jAnIj)wi)isnon-decreasing.Hence,thenumberofserversusedforservingidentiedlegitimateIDs,G=dn)]TJ /F12 7.97 Tf 6.59 0 Td[((jSj)]TJ /F12 7.97 Tf 8.94 0 Td[((jAnIj)wi) weisnon-decreasing.ThereforejAj=K)]TJ /F3 11.955 Tf 12.32 0 Td[(GwillnallyconvergetoK)-222(dn)]TJ /F7 7.97 Tf 6.59 0 Td[(d we. Theorem3.4.1. TheSDPalgorithmcanidentifyallthedattackerswithinatmostO(logK0 dn d)testingrounds,whereK0=K)-222(dn)]TJ /F7 7.97 Tf 6.59 0 Td[(d we. Proof. Ineachround,atmostdserversareunderattack,i.e.,atmostdjSj jAjIDsremainsuspect.Sinceattheendoftheprogram,alllegitimateIDsareidentied,atmostd 40

PAGE 41

maliciousIDsremainsuspect.Iftheyhappentobehandledbyddifferentservers,i.e.,eachpositiveservercontainsexactlyoneattacker,thenthedetectioniscompleted.Ifnot,onemoretestingroundisneeded.Assumeweneedatmostjtestingroundsintotal,thennd jAjj)]TJ /F12 7.97 Tf 6.59 0 Td[(1=dwhereK)-226(dn)]TJ /F7 7.97 Tf 6.58 0 Td[(d wejAjK.Therefore,jlog(K0 d)n d+1,whereK0=K)-222(dn)]TJ /F7 7.97 Tf 6.58 0 Td[(d we. 3.4.2SequentialDetectionwithoutPacking Algorithm3SequentialDetectionwithoutPacking(SDoP) 1: wi numberofIDsonserveri; 2: forallserverido 3: wi dS Ae//EvenlyassignclientstoserversasSDPdid. 4: endfor 5: 6: whilejSj6=0do 7: RandomlyreassignjSjsuspectIDstoKservers,andkeeplegitimateIDsunmoved. 8: L setofIDsonsafeservers 9: S Sn(S\L)//jS\LjIDsareidentiedaslegitimate. 10: forallserveriunderattackdo 11: Q setofIDsoni 12: ifjQ\Sj=1then 13: S SnQ//TheclientsinQ\Sareattackerandaddedintotheblack-list. 14: endif 15: endfor 16: forallserversido 17: ifwi=w//Thevolumeapproachesthecapacity.then 18: Reassignalln)-174(jSjlegitimateIDstoKservers,andgoto6//Loadbalancing. 19: endif 20: endfor 21: endwhile ConsideringthepotentialoverloadproblemarisesfromthepackingschemeadoptedinSDP,weproposeanotheralgorithmwherelegitimateclientsdonotshifttootherserversaftertheyareidentied.Thisemergesfromtheobservationthatlegitimateclientscannoteffectthetestoutcomessincetheyarenegative.Algorithm 3 includes 41

PAGE 42

theabstractpseudocodeofthisSDoPscheme.NoticethatinthisalgorithmfortheDANGERmode,requestsfromoneclientarestillhandledbyoneserver,asSDPdid. AlgorithmDescription.ThebasicideaoftheSDoPalgorithmcanbesketchedbelow.GivenasuspectIDssetSwithinitialsizen,evenlyconnectthemtotheKservermachines,similartoSDPintherstround.Afterwards,stillconnectsuspectIDstotheKserversinsteadofjAjavailableones.FortheidentiedlegitimateIDs,nevermovethemuntiltheirserversaretobeoverloaded.Inthiscase,reassignalllegitimateIDsovertheKmachinestobalancetheload.Forserverwithpositiveoutcome,theIDsactiveonthisserverbutnotincludedbythesetofidentiedlegitimateones,i.e.,suspectIDs,willbestillidentiedassuspect.However,ifthereisonlyonesuspectIDsofthiskindinapositiveserver,thisIDiscertainlyanattacker. Example.Fig. 3-4B containsa2-rounddetectionexampletoillustratetheexecutionofthisalgorithm.Assumen=10,d=2,K=5andtheclient1,3aretheattackers.Inthersttestinground,wi=2yieldstwoIDsoneachserver,thenonlyserver1and2willhavepositiveoutcomes.UpdatesuspectIDsetS=f1,2,3,4g.Inthesecondtestinground,sincenoattackershavebeenidentiedandnoserversareoverloaded,were-assignallsuspectIDstoKserverswhiledonotmovethelegitimateclients,andserver1and4turnouttobeunderattack.HencethelegitimateIDsetisL=f2,4,5,6,7,8,9,10gandthetwoattackersarecapturedwithintwotestingrounds. PerformanceAnalysis.ItistrivialtoseethatthecomputationoverheadofthetestingmatrixMissimilartothatoftheSDPalgorithm,thereforecanbeignored.Thefollowingtheoremsexhibitstheoveralldetectiondelayofthealgorithm,intermsofthenumberoftestingrounds. Lemma3.4.2. ThenumberofIDswionserveridoesnotexceedservercapacitywtillroundjwherej=logK dn n)]TJ /F7 7.97 Tf 6.59 0 Td[(w(K)]TJ /F7 7.97 Tf 6.59 0 Td[(d). Proof. Atmostdserversgetpositiveoutcomesineachround.Ifweassumeroundjisthelastroundthathasnooverloadedservers,thenthemaximumnumberofIDsonone 42

PAGE 43

serveratroundjis:wjmax=Pji=1(n K)(d K)i)]TJ /F12 7.97 Tf 6.59 0 Td[(1.Sinceroundj+1willhaveatleastoneoverloadedserver,wehavewjmax=w,thenj=logK dn n)]TJ /F7 7.97 Tf 6.58 0 Td[(w(K)]TJ /F7 7.97 Tf 6.59 0 Td[(d). Lemma3.4.3. AllmaliciousIDsareidentiedwithinatmostO(logK dn d)testingroundsifwn)]TJ /F7 7.97 Tf 6.59 0 Td[(d K)]TJ /F7 7.97 Tf 6.59 0 Td[(d. Proof. Ineachroundwithnooverloadedservers,atmostd KjSjlegitimateIDsremainsuspect.Afteri=logK dn KroundsatmostKsuspectIDsareleft,SOweneedonlyonemoreroundtonishthetesting.Hence,weneedi+1=logK dn drounds.Sinceitrequiresthatnoserversareoverloadedwithintheserounds,wehavei+1
PAGE 44

Theorem3.4.2. TheSDoPalgorithmcanidentifyallattackerswithinatmostO(logK dn d)testingrounds. Proof. DirectlyfromLemma 3.4.3 and 3.4.4 3.4.3PartialNon-adaptiveDetection Consideringthatinthetwosequentialalgorithmsmentioned,wecannotidentifyanyattackersuntilweisolateeachofthemtoavirtualserverwithnegativeoutcome.Itwillnotonlyleadtoahugenumberoftestingrounds,butalsotooluxurytoletonevirtualservertohandleonlyoneclient.Therefore,weproposeahybridofsequentialandnon-adaptivemethodinthissection.Inthisscenario,therequestsfromthesameclientwillbereceivedandrespondedbydifferentserversinaround-robinmanner.DifferentfromSDPandSDoP,ad-disjunctmatrixisusedasthetestingmatrixinthisschemeandattackerscanbeidentiedwithouttheneedofisolatingthemintoservers. AmatrixMiscalledd-disjunctifnosinglecolumniscontainedinthebooleansumofanyotherdcolumns,andallpositiveitemscanbeidentiedwithinoneround.Numerousconstructionmethodsford-disjunctmatrixhavebeenproposedin[ 17 20 ].AmongthemDu'smethod[ 17 ]hasabetterperformanceintermsofthesizecomplexity(numberofrows).ThereforeweadoptthismethodtogenerateMforeachtestinground. Lemma3.4.5. LetT(n)bethesmallestnumberofrowsintheobtainedd-disjunctmatrixbyAlgorithm3,thenT(n)=minf(2+o(1))d2log22n=log22(dlog2n),ng NextweintroduceourPNDdetectionmethodusingd-disjunctmatrix,fornowweassumethattherowweightoftheconstructedmatrixdoesnotexceedtheservercapacityw.Algorithmswithrespecttotheweight-constraintwillbeinvestigatedinthefuture.DuetothedynamicvalueofT(n)andmaximummachineamountK,thealgorithmdiffersintwocases. 44

PAGE 45

Algorithm4Constructad-disjunctmatrixbasedonaniteeldGF(q) 1: functiondDisjunct(n) 2: ConsideraniteeldGF(q),chooses,q,ksatisfying: 3: kdsq,nqk 4: ifqsnthen 5: Returnannnidentitymatrix 6: else 7: ConstructmatrixAsn 8: forx2[0,s)]TJ /F6 11.955 Tf 11.96 0 Td[(1]do 9: forallpolynomialspjofdegreekdo 10: A[x,pj] pj(x) 11: endfor 12: endfor 13: ConstructmatrixMtn 14: forx2[0,s)]TJ /F6 11.955 Tf 11.96 0 Td[(1]do 15: fory2[0,q)]TJ /F6 11.955 Tf 11.95 0 Td[(1]do 16: forallpolynomialpjofdegreekdo 17: ifA[x,pj]==ythen 18: M[(x,y),pj] 1 19: else 20: M[(x,y),pj] 0 21: endif 22: endfor 23: endfor 24: endfor 25: ReturnM 26: endif Case1:KT(n).AllnsuspectIDscanbeassignedtoT(n)serversaccordingtoaMT(n)nd-disjunctmatrix,andthusidentiedwithonetestinground. Case2:K
PAGE 46

Nevertheless,ifjAj
PAGE 47

Proof. Letusconsidertheworstcase.Ineachround,assumenoattackersareidentiedandlteredoutpreviously,wehaveT(n0)+dn)]TJ /F7 7.97 Tf 6.58 0 Td[(n0 we=K.SinceT(n0)n0thenn0Kw)]TJ /F7 7.97 Tf 6.58 0 Td[(w)]TJ /F7 7.97 Tf 6.58 0 Td[(n w)]TJ /F12 7.97 Tf 6.59 0 Td[(1.Thereforethemaximumnumberoftestingroundsneededis:dn K=Kw)]TJ /F7 7.97 Tf 6.58 0 Td[(w)]TJ /F7 7.97 Tf 6.58 0 Td[(n w)]TJ /F12 7.97 Tf 6.59 0 Td[(1dw2=(Kw)]TJ /F3 11.955 Tf 11.96 0 Td[(w)]TJ /F3 11.955 Tf 11.95 0 Td[(n)=O(dw2=(Kw)]TJ /F3 11.955 Tf 11.96 0 Td[(w)]TJ /F3 11.955 Tf 11.95 0 Td[(n)). ThiscomplexityforPNDisnotasgoodasthatoftheprevioustwoalgorithms.How-everwearestillinterestedinndingouthowitworksifwehavethed-disjunctmatrixconstructionmethodimproved.SincesomelowerboundsforT(n)havebeenproposed,wethenuseoneofthem[ 18 ]tocomputeT(n)andinvestigatethecorrespondingperformanceofPNDnext. Lemma3.4.7. (D'yachkov-Rykovlowerbound)[ 18 ]Letn>wd2andt>1beintegers.Foranysuperimposed(d)]TJ /F6 11.955 Tf 12.46 0 Td[(1,n,w)-code((d,n,w)-design)Xoflengtht(Xiscalleda(d)]TJ /F6 11.955 Tf 12.49 0 Td[(1)-disjunctmatrixwithtrowsandncolumns),thefollowinginequalityholds:tddn we ThefollowingaretherelatedperformanceanalysisbasedonthislowerboundofT(n). Corollary3.4.1. InthePNDalgorithm,givenwd1,wehave:n0=minfjAjw d+1,n)]TJ /F3 11.955 Tf -444.15 -23.91 Td[(Kw+w+jAjwg Proof. AccordingtoLemma 3.4.7 ,withnumberofcolumnsn002[1,jSj],wehavejAjd(d+1)n00 we(d+1)n00 w)n0=maxn00jAjw d+1 MeanwhileinthePNDalgorithm,foreachroundi,wehave:jAijK)-221(dn)]TJ /F3 11.955 Tf 11.95 0 Td[(n0 we)n0n)]TJ /F3 11.955 Tf 11.96 0 Td[(Kw+w+jAjw Lemma3.4.8. Inanytestingroundi: 47

PAGE 48

1. n0=jAijw d+1whenK2(d,dw+n+w w]; 2. n0=n)]TJ /F3 11.955 Tf 11.95 0 Td[(Kw+w+jAijwwhenK2[k1,dn+n+w w)withk1=dw+w+n+p (dw+w+n)2+4wnd2 2w Proof. AccordingtoCorollary 3.4.1 1. wehaveKdw+n+w w,wKdw+n+wjAjd+1,jAjwd d+1wd hencen+w)]TJ /F3 11.955 Tf 11.96 0 Td[(Kw+jAjwjAjw d+1 2. InordertogetjAjw d+1n)]TJ /F3 11.955 Tf 11.96 0 Td[(Kw+w+jAjw weneedjAj((K)]TJ /F6 11.955 Tf 11.95 0 Td[(1)m)]TJ /F3 11.955 Tf 11.95 0 Td[(n)(d+1) wdwhichrequiresK)]TJ /F6 11.955 Tf 13.15 8.08 Td[((K)]TJ /F3 11.955 Tf 11.96 0 Td[(d)n Kw((K)]TJ /F6 11.955 Tf 11.96 0 Td[(1)m)]TJ /F3 11.955 Tf 11.95 0 Td[(n)(d+1) wd henceweneedwK2)]TJ /F6 11.955 Tf 11.95 0 Td[((dw+w+n)K)]TJ /F3 11.955 Tf 11.96 0 Td[(nd20 Solvingthisinequality,wehaveK2[k1,+1).NoteifKddn+n we,weneednotdopartitionsinPNDalgorithmandsincek1dn+n+w w wehaveK2[k1,dn+n+w w) Moreoverk1>dw+w+n wd2+w+n wtherearethusnooverlapsbetweenthesetwointervals. 48

PAGE 49

Therefore,wesplitK2(d,+1)intofourdisjointintervalsandstudywhichintervalofvalueKyieldsO(1)testingroundsinworstcasebesidestheintervalK2[dn+n+w w,+1)shownabove,aswellascomplexityforotherintervals. I:K2(d,dw+n+w w]yieldsn0=jAjw d+1; II:K2(dw+n+w w,k1)yieldsn0=minfjAjw d+1,n)]TJ /F3 11.955 Tf 11.95 0 Td[(Kw+w+jAjwg; III:K2[k1,dn+n+w w)yieldsn0=n)]TJ /F3 11.955 Tf 11.95 0 Td[(Kw+w+jAjw; IV:K2[dn+n+w w,+1)yieldsONEtestingroundintotal. Lemma3.4.9. ThePNDalgorithmneedsatmostO(1)testingroundswithK2[k2,dw+n+w w],wheredw+p w2)]TJ /F6 11.955 Tf 11.96 0 Td[(4n2(n)]TJ /F3 11.955 Tf 11.95 0 Td[(w) 2(n)]TJ /F3 11.955 Tf 11.96 0 Td[(w) andk2=n+w+p n2+w2+2nw)]TJ /F6 11.955 Tf 11.95 0 Td[(4n2w+4d2wn+4dwn 2w Proof. Sinceatleastoneservergetspositiveoutcomeatthersttestinground,wehavejA0jK)-222(d(K)]TJ /F6 11.955 Tf 11.96 0 Td[(1)n Kwe Withsimplealgebraiccomputations,wecanreachtheinterval[k2,dw+n+w w]ontheconditionthatdw+p w2)]TJ /F6 11.955 Tf 11.96 0 Td[(4n2(n)]TJ /F3 11.955 Tf 11.95 0 Td[(w) 2(n)]TJ /F3 11.955 Tf 11.96 0 Td[(w) withinintervalI;however,forintervalIIandIII,nosuchdetailedsubintervalsofKyieldingO(1)testingroundscanbeobtained. Lemma3.4.10. WithinintervalI,PNDalgorithmcanidentifyallIDswithO(d+K p n)testingrounds. Proof. Wederivethetimecomplexityfromthefollowingrecurrence: Startinground0:jS0jdn K,andK)-222(d(K)]TJ /F12 7.97 Tf 6.59 0 Td[(1)n KwejA0jK)-222(d(K)]TJ /F7 7.97 Tf 6.58 0 Td[(d)n Kwe 49

PAGE 50

EndingroundT:0><>>:jAi+1jK)]TJ /F3 11.955 Tf 14.73 8.09 Td[(n w+jSij w)]TJ 18.31 8.09 Td[(jAij d+1)]TJ /F6 11.955 Tf 11.96 0 Td[(1S0PTi=0jAijw d+1 Inordertoestimatethemaximumtimecost,usejS0j=dn Ktoinitiatetheworststartingcase.Solvingthisrecurrence,wegetthefollowinginequality: Kw 2(d+1)T2)]TJ /F6 11.955 Tf 11.95 0 Td[((Kw 2(d+1)+dn K)]TJ /F3 11.955 Tf 11.95 0 Td[(K+n w+w)T)]TJ /F6 11.955 Tf 11.96 0 Td[((K)]TJ /F12 7.97 Tf 13.15 5.48 Td[((K)]TJ /F12 7.97 Tf 6.58 0 Td[(1)n w)]TJ /F7 7.97 Tf 13.15 5.48 Td[(dn(d+2) K+w)]TJ /F6 11.955 Tf 11.95 0 Td[(1)0, thereforeTd+1 Kw(+r d+1+2) where=Kw 2(d+1)+dn K+n w)]TJ /F3 11.955 Tf 11.96 0 Td[(K+w and=2K2w)]TJ /F6 11.955 Tf 11.96 0 Td[(2K2n+2Kn)]TJ /F6 11.955 Tf 11.96 0 Td[(2Kw+2Kw2)]TJ /F6 11.955 Tf 11.96 0 Td[(2d(d+2)nw Sincen wK,wKdw+n+wandn>w,wehave>0and>0.SowithtrivialcomputationwecangetT2(d+1) Kw+r d+1<1+2(d+1)2 K+r (4K)]TJ /F6 11.955 Tf 11.95 0 Td[(2)(d+1) n+2(d+1) d+1<1+2(d+1)+r 4K(d+1) n+2<3+p 2+2d+2K p n 50

PAGE 51

Therefore,PNDwillcompletetheidenticationwithinatmostO(d+K p n)testingrounds. NotethatsinceKisalwaysmuchsmallerthann,thecomplexitywillapproachO(d)infact. Lemma3.4.11. WithinintervalIII,PNDcanidentifyallIDswithatmostO(d)testingrounds. Proof. Similarlywederivethetimecomplexityfromthefollowingrecurrence: Startinground0:jS0j=dn KandK)-222(d(K)]TJ /F12 7.97 Tf 6.59 0 Td[(1)n KwejA0jK)-221(d(K)]TJ /F7 7.97 Tf 6.59 0 Td[(d)n Kwe EndingroundT:0
PAGE 52

atmostO(1)testingroundswhenK2[dn+n+w w,+1);where k1=dw+w+n+p (dw+w+n)2+4wnd2 2wandk2=n+w+p n2+w2+2nw)]TJ /F12 7.97 Tf 6.59 0 Td[(4n2w+4d2wn+4dwn 2w. Despitethenumberofneededtestingroundsdiffersforthesethreealgorithmsabove,thetimecomplexityofcalculatingeachtestingroundforthesealgorithmareapproximateinpractice.ItistrivialtoseethatthiscostsforSDPandSDoParenegligible,butnotforPNDalgorithmwhichinvolvespolynomialcomputationonGaloisField.However,consideringthattheupperboundofboththenumberofclientsnandattackersdareestimated,thedetectionsystemcanpre-computethed-disjunctmatricesforallpossible(n,d)pairsofine,andfetchtheresultsinreal-time.Therefore,theoverheadcanbedecreasedtoO(1)andtheclientrequestscanbesmoothlydistributedattheturnoftestingroundswithoutsufferingfromlongdelaysofmatrixupdate. 3.5SimulationCongurationsandResults Todemonstratethetheoreticalcomplexityresultsshownintheprevioussection,weconductasimulationstudyontheproposedsystem,intermsoffourmetrics:averagetestingdelayTwhichreferstothelengthofthetimeintervalfromattackersstartingsendingrequeststillthesystemrecoveringtoNORMALmode;averagefalsepositiveratefpandfalsenegativeratefn;aswellastheaveragenumberoftestingroundsRtestwhichstandsforthenumberoftestingroundsneededforidentifyingalltheclientsbyeachalgorithm. 3.5.1Congurations Thepurposeofthissimulationisnottofullyimplementadetectionsystemforuse,butinsteadtovalidateallthetheoreticalresultswederived.Althoughwemakeseveralassumptionsbelowtosimplytheimplementationofthesimulationenvironments,aswewillshowlater,theseissuesareorthogonaltotheperformanceofourscheme.Therefore,thesimulationresultscouldprovideareliableoverviewoftheapplicabilityandpracticalperformanceofourframeworkforgeneralnetworktypes. 52

PAGE 53

Tothisend,weimplementasimulatorinJavabymodelingboththenclientsandKvirtualserversasindependentthreads.Considerthatallback-endserversareindependenttestingdomains,weonlysimulateoneback-endserveraswedidforthealgorithms,andthusdoesnottesttheashcrowdscenariowhichwasmentionedandsettledinSection 3.3 usingmultipleback-endservers. Inordertomimictherealclient(includingattacker)behavioranddynamicnetworkenvironment,weimplementtheclient/serversystemasfollows: eachlegitimateclientjoinsinandleavesthesystematrandomtimeswhichareuniformlydistributed,whiletheattackerthreadsarriveattimet=30sandkeepliveuntilbeinglteredout(Morecomplicatedclientbehaviorsmightbemorefavored,butsinceourschemecontainsalearningphaseovervariousclientbehaviorandadjuststhethresholdaccordingly,theperformanceofthissystemwillnotsignicantlydecaybyapplyingittoadifferentnetworktype,i.e.,thenetworktypeisorthogonalwiththescheme.) bothlegitimateandmaliciousclientssendrequestswhicharewitharandominter-arrivalrateandCPUprocessingtime(workload)tothevirtualservers,however,legitimateonehaveamuchsmallerrandomrangethanthatoftheattackers. eachvirtualserverisequippedwithaninniterequestbufferandalltheclientrequestsarriveatthebufferswith0transmissionanddistributiondelays,aswellas1msaccesstimeforretrievingstatesfromthesharedmemory;eachserverhandlestheincomingrequestsinitsownbufferinFCFSmannerandrespondstotheclientoncompletingthecorrespondingrequest;theaverageresponsetimeandincomingrequestaggregatearerecordedperiodicallytogeneratethetestoutcomesbycomparingthemtothedynamicthresholdsfetchedfromestablishedlegitimateproles. Thepurposeofassumingbothtransmissionanddistributiondelaystobe0istoquantifythelengthofthewholedetectionphase(testinglatency).Withregardtothetransmissiondelay,itcanbelargeduetothegeographicaldistancesinlarge-scaledistributedsystemandpossiblycanbringupthetestinglatencyiftheclientsendsrequestinastop-and-waitmanner(itdoesnotsendarequestuntilthepreviousrequestsareallresponded,thereforetherequestrateisquitelowandthelengthofeachtestingroundisrequiredtobelonger),yetsincethedetectionwillbecompleted 53

PAGE 54

justinseveralrounds,suchincreasesinthedetectionlengthisnotsignicant.Theassumptionof0distributiondelayisalsopractical,sincethecomputationaloverheadsforthetestingmatrixanddynamicthresholdscanbenegligiblebypre-computingandfetchingtheresultsfromtheproles.Forthe1msstatemaintenancetime,sincealltheclientsareresidinginonephysicalservers,andallthevirtualserverscanquicklyretrievetheclientstatesfromthesharedmemory,thisisalsoapracticalassumption. Withregardtothedetailsofclientbehavior,thelegitimaterequestinter-arrivalrateisrandomizedfrom1to3requestperms,andthelegitimateworkloadisrandomizedfrom1to3msCPUprocessingtime.Onthecontrary,themaliciousrequestinter-arrivalratesrangefrom5to20perms,andmaliciousworkloadrangefrom5to20msCPUtime.Althoughrequestswitharbitrarilylargerateorworkloadarefavoredbyattackers,theyareinfacteasiertobediscovered,soweconsidermaliciousrequestswithsmallmarginfromlegitimateones. 3.5.2Results BysettingK=50,n=1000,w=100,d=40,P=1second,werstshowtheefciencyofourdetectionsystemusingPNDalgorithm,intermsofreducingtheserviceresourceusageratio(SRUR)andtheaverageresponsetime(ART),asshowninFig. 3-5A and 3-5B .ThevaluesofSRURandARTclimbupsharplyatt=30swhentheattackstarts,andthengraduallyfallstonormalbeforet=100s.Therefore,ittakesonly70sforthesystemtolteroutattackersandrecovertonormalstatus.Noticethatthelengthofactualdetectionperiodshouldbeshorterthanthis,becausethethresholdofARTforthesystemtoconvertfromDANGERmodebacktoNORMALmodeisslightlyhigherthannormalART.Therefore,thesystemSRURandARTwillrecovertonormalshortlyafterthedetectionperiodends. Inthefollowingweshowtherobustnessoftheperformancetowarddifferentenvironmentsetting:anincreasingnumberof1)givenvirtualserversK,2)maliciousclientsd,3)allclientsn. 54

PAGE 55

AServiceResourceUsageRatio BAverageResponseTime Figure3-5. Statusoftheback-endserver InFig. 3-6 ,wesimulatedtoidentifyd=10attackersoutofn=1000clientswiththenumberofvirtualserversrangingin[25,200].Itcanbeseen,oneonehand,thatallthefalsenegative(Fig. 3-6 (a))andpositive(Fig. 3-6 (b))ratesareupper-boundedby5%anddecreasingasKgoesupforallthethreealgorithms.Thismakessensesincethemostpossiblecaseforanattackertosucceedhidingitselfisthatitisaccompaniedbymanyclientswithlowrequestrateandworkloadsinatestingpool.Inthiscase,itisquitepossiblethattheaggregateinter-arrivalratesandworkloadsinthisserverisstilllessthanthatofaserverwithasamenumberoflegitimateclients.Therefore,thelessclientsservicedbyeachserver,thelesspossiblythisfalsenegativecasehappens.Ontheotherhand,thetestinglatenciesandnumberoftestingroundskeepdecliningfromlessthan11sand4roundsrespectively,whichisbecausetheidenticationwillbespeededupwithmoreavailablevirtualservers.Withrespecttothethreedifferentalgorithms,theyobtainedapproximateperformancesexceptthatSDoPincursslightlyhigherfalsenegativeratethantheothertwo.Thisisbecauseofthoselegitimateclientswhoareidentiedatearlierstagesandstayingintheserverstilltheendofthedetection.Sincetheirrequestratesandworkloadsarelikelytobesmallerthannormal(thatiswhytheyareidentiedearlier),theymaycamouageattackersinthefollowingrounds. 55

PAGE 56

Afalsenegativerate Bfalsepositiverate Cdetectionlatency D#testingrounds Figure3-6. Robustnessbydifferentnumberofback-endservermachinesk Duetothespacelimitation,webrieysummarizedtheresultsforthefollowingtwoexperiments.InFig. 3-7 ,wesimulatedtheidenticationsforn=1000,K=50,w=100,P=1swith[1,15]attackers,andfoundthatallthevaluesofthefourmeasuresslowlyincreaseasdgoesup.Overall,thefalsenegative/positiveratesarelimitedtolessthan5%andthetestinglatenciesaresmallerthan6secondswith5testingrounds.Similarasthepreviousexperiments,PNDandSDPexhibitsbetterperformancesthanSDoPintermsoffalsenegativerate,butfortheothermeasures,theyareapproximatelythesame. Fig. 3-8 showsitsrobustnessforthecasesd=10,K=50,w=100,P=1swith[1000,2000]clients.Apparently,boththefalseratesandnumberoftestingroundskeepstablybelow5%and4roundsrespectively,towardincreasingclientamount.The 56

PAGE 57

Afalsenegativerate Bfalsepositiverate Cdetectionlatency D#testingrounds Figure3-7. Robustnessbydifferentnumberofattackersd testinglatenciesgrowupfrom10secondsto20secondsforallthreealgorithms,duetotheincreasingtimecostsforstatemaintenancetowardadoublenumberofclients(from1000to2000).However,thissmalllatencyisstilltolerableinreal-timeapplicationsandcanbefurtherreducedbydecreasingthestatemaintenancetimecostwithinthesamephysicalmachine. Overall,thesimulationresultscanbeconcludedasfollows: ingeneral,thesystemcanefcientlydetecttheattacks,lteroutthemaliciousclients,andrecovertoNORMALmodeinashortperiodoftime,inreal-timenetworkscenarios; allthethreedetectionalgorithmscancompletethedetectionwithshortlatency(lessthan30s)andlowfalsenegative/positiverate(bothlessthan5%)forupto2000clients.Thustheyareapplicabletolargescaletime/error-sensitiveservices; 57

PAGE 58

Afalsenegativerate Bfalsepositiverate Cdetectionlatency D#testingrounds Figure3-8. Robustnessbydifferenttotalnumberofclientsn thePNDandSDPalgorithmsachieveslightlybetterperformancethantheSDoPalgorithm.Furthermore,theefciencyofthePNDalgorithmcanbefurtherenhancedbyoptimizingthed-disjunctmatrixemployed; thedetectiondelaycanbefurtherreducedbydecreasingthestatemaintenancetimecost. 3.6ConclusionsandDiscussions 3.6.1Conclusions WeproposedanoveltechniquefordetectingapplicationDoSattackbymeansofanewconstraint-basedgrouptestingmodel.MotivatedbyclassicGTmethods,threedetectionalgorithmswereproposedandasystembasedonthesealgorithmswasimplemented.Theoreticalanalysisandpreliminarysimulationresultsdemonstrated 58

PAGE 59

theoutstandingperformanceofthissystemintermsoflowdetectionlatencyandfalsepositive/negativerate. OurfocusofthischapteristoapplygrouptestingprinciplestoapplicationDoSattacks,andprovideanunderlyingframeworkforthedetectionagainstageneralcaseofnetworkassaults,wheremaliciousrequestsarein-distinguishablefromnormalones.Wepresentedseveralpromisingdetectionalgorithmstoshortenthetestinglatencyforreal-timeimplementation,whileourfutureworkwillbearoundseverallimitations,whichinclude:(1)inSDPandSDoP,theidenticationofanysingleattackercanonlybecompletedbyisolatingitinavirtualserverwithpositiveoutcome.Thiswouldprobablybringuptestingoverhead,andwewouldimprovethesequentialalgorithmstoovercomethislimitation.(2)moreefcientd-disjunctmatrix(withlessrows)isrequiredtoenhancetheperformanceofthePNDalgorithm.Whatismore,theconstraintintherowweight(w)isnecessarytobeconsideredinthematrixconstruction.Hencewewillproposenewconstructionmethodforthematrix,butitisnon-trivialandcanbeamajortheoreticalworkforanotherpaper.(3)therearestillsomeimplementationdetailslefttobehandled,e.g.,theoverheadofmaintainingthestatetransferamongvirtualservers,whichcanbefurtherdecreasedbymoresophisticatedtechniques.(4)Noticethatboththefalsepositiveandnegativeratesofthissystemhavebeenshowntobequitelowinthesimulation,however,westillcanfurtherdecreasethemviafalse-tolerantgrouptestingmethods,asdiscussednext. 3.6.2DiscussionsoverFalseRate Thefalsepositive/negativerateofthisdetectionsystemcanpossiblyoriginatefromeitherinaccuracyofmatrixMorthephaseofoutcomegeneration. (1)Theaccuracyoftestingmatricesreferstowhetherthesematricesareexactlyd-disjunct.Notethatin[ 34 ],thematricesweregeneratedusingrandomizedconstructionmethod[ 25 ],thuswered-disjunctwithhighprobabilitybutnotdeterministic.Hence,falsepositive/negativeratesareinevitable.Onthecontrary,Du'smatrixconstructionalgorithm 59

PAGE 60

hasnosuchindeterminacies,andthusguaranteestheaccuracyofourd-disjunctmatricesfortesting. (2)Inoursystem,notonlythetriggeringofdetections(DANGERmode),butalsothegenerationofoutcomesfortests,aredependentuponpredenedthresholds.Sincethesethresholdsareobtainedbystudyinglegitimatetrafcs,constructinglegitimateproleforARTdistributionsandapproximatelyttingthembyNormalDistribution,inaccuraciesarethusbroughtin.Althoughsincerelyreectingthedynamictrafcinrealnetworks,theproactivelearningonlegitimatetrafccannotcompletelyavoidtheinuenceofthetrafcburstsfromlegitimateusers,moreover,notallhostilebehaviorsorbandwidthabusescanberuledout.Therefore,theARTsamplesobtainedpossiblytowerabovethatoflegitimatetrafc. WithrespecttothettingfortheARTdistributions,previousstudieshaveconcludedthatnoneexistingdistributionscanperfectlytthem[ 13 ][ 78 ][ 8 ],yetdifferentdistributionscanprovidebestttingsfordifferentscenarios.Consideringthecomputationaltimecomplexityforttingwithseveralclassicdistributions,likeNormalDistributionandDiffusion,ex-Gaussian,Gamma,Weibull[ 78 ],weadoptNormalDistributionwiththeshortesttimecost.However,withrelativelylargebiasfromtherealdistribution,NormalDistributionpossiblyincursinaccuracies.Wewillsearchforbetterdistributiontoenhanceoursystemperformanceinthefuturework. 60

PAGE 61

CHAPTER4ATRIGGERIDENTIFICATIONSERVICEFORDEFENDINGREACTIVEJAMMERSINWIRELESSSENSORNETWORKS Sincethelastdecade,thesecurityofwirelesssensornetworks(WSNs)hasattractednumerousattentions,duetoitswideapplicationsinvariousmonitoringsystemsandinvulnerabilitytowardsophisticatedwirelessattacks.Amongtheseattacks,jammingattackwhereajammernodedisruptsthemessagedeliveryofitsneighboringsensornodeswithinterferencesignals,hasbecomethemostcriticalthreattoWSNs.Thankstotheeffortsofresearcherstowardthisissue,assummarizedin[ 73 ],variousefcientdefensestrategieshavebeenproposedanddeveloped.However,areactivevariantofthisattack,wherejammernodesstayquiteuntilanongoinglegitimatetransmission(evenhasasinglebit)issensedoverthechannel,emergedrecentlyandcalledforstrongerdefendingsystemandmoreefcientdetectionschemes. ExistingcountermeasuresagainstReactiveJammingattacksconsistofjamming(signal)detectionandjammingmitigation. Ontheonehand,detectionofinterferencesignalsfromjammernodesisnon-trivialduetothediscriminationbetweennormalnoisesandadversarialsignalsoverunstablewirelesschannels.Numerousattemptstothisendmonitoredcriticalcommunicationrelatedobjects,suchasReceiverSignalStrength(RSS),CarrierSensingTime(CST),PacketDeliveryRatio(PDR),comparedtheresultswithspecicthresholds,whichwereestablishedfrombasicstatisticalmethodsandmulti-modalstrategies[ 59 ][ 73 ].Bysuchschemes,jammingsignalscouldbediscovered,however,howtolocateandcatchthejammernodesbasedonthesesignalsismuchmorecomplicatedandhasnotbeensettled. Ontheotherhand,variousnetworkdiversitiesareinvestigatedtoprovidemitigationsolutions[ 60 ].Spreadingspectrum[ 73 ][ 28 ][ 57 ]makinguseofmultiplefrequencybandsandMACchannels,Multi-pathroutingbenetingfrommultiplepre-selectedroutingpaths[ 60 ]aretwogoodexamplesofthem.However,inthismethod,thecapabilityof 61

PAGE 62

jammersareassumedtobelimitedandpowerlesstocatchthelegitimatetrafcfromthecamouageofthesediversities.However,duetothesilentbehaviorofreactivejammers,theyhavemorepowerstodestructthesemitigationmethods.Tothisend,othersolutionsareingreatneed.Amappingserviceofjammedareahasbeenpresentedin[ 70 ],whichdetectsthejammedareasandsuggeststhatroutingpathsevadetheseareas.Thisworksforproactivejamming,sinceallthejammednodesarehavinglowPDRandthusincapableforreliablemessagedelay.However,inthecaseofreactivejamming,aswewillshowlater,thisisnotalwaysthecase.Onlyaproportionofthesejammednodes,namedastriggernodes,whosetransmissionswakeupthereactivejammers,arerequiredtobeblockedtoavoidthejammingeffects. Inthischapter,wepresentanapplication-layerreal-timetrigger-identicationserviceforreactive-jamminginwirelesssensornetworks,whichpromptlyprovidesthelistoftrigger-nodesusingalightweightdecentralizedalgorithm,withoutintroducingneithernewhardwaredevices,norsignicantmessageoverheadateachsensornode. Thisserviceexhibitsgreatpotentialstobedevelopedasreactivejammingdefendingschemes.Asanexample,byexcludingthesetoftriggernodesfromtheroutingpaths,thereactivejammerswillhavetostayidlesincetransmissionscanbesensed.Eventhoughthejammersmovearoundanddetectnewsensorsignals,thelistoftriggernodeswillbequicklyupdated,soaretheroutingtables.Asanotherexample,withoutpriorknowledgeofthenumberofjammers,theradiusofjammingsignalsandspecicjammingbehaviortypes,itisquitehardtolocatethereactivejammerseventhejammedareasaredetected(e.g.by[ 70 ]).However,withthetriggernodeslocalized,thepossiblelocationsofreactivejammersaresignicantlynarroweddown. Althoughthebenetsofthistrigger-identicationserviceareexciting,itshardnessisalsoobvious,whichduestotheefciencyrequirementsofidentifyingthesetoftriggernodesoutofamuchlargesetofvictimnodes,thatareaffectedjammingsignalsfromreactivejammerswithpossiblyvarioussophisticatedbehaviors.Toaddressthese 62

PAGE 63

problem,anovelrandomizederror-tolerantgrouptestingschemeaswellasminimumdiskcoverforpolygonsareproposedandleveraged. Thebasicideaofoursolutionistorstidentifythesetofvictimnodesbyinvestigatingcorrespondinglinks'PDRandRSS,thenthesevictimnodesaregroupedintomultipletestingteams.Oncethegrouptestingscheduleismadeatthebasestationandroutedtoallthevictimnodes,theythenlocallyconductsthetesttoidentifyeachofthemasatriggerornon-trigger.Theidenticationresultscanbestoredlocallyforreactiveroutingschemesordeliveredtothebasestationforjamminglocalizationprocess. Intheremainderofthischapter,werstpresenttheproblemdenitioninSection 4.2 ,wherethenetworkmodel,victimmodelandattackermodelsareincluded.Thenweintroducethreekerneltechniquesforourscheme,RandomizedError-TolerantNon-adaptiveGroupTesting,Clique-independentSetandMinimumDiskCoverinaSimplePolygoninSection 4.3 .Thecoreofthischapter:triggeridenticationprocedureanditserror-tolerantextensiontowardsophisticatedjammerbehaviorsarepresentedrespectivelyinSection 4.4 and 4.5 .AseriesofsimulationresultsforevaluatingthesystemperformanceandvalidatingthetheoreticalresultsareincludedinSection 6.5 .WealsopresentsomerelatedworksinSection 5.1 andsummarizethewholechapterinSection 6.6 4.1RelatedWorks ExistingcountermeasuresagainstjammingattacksinWSNcanbecategorizedintotwofacets:signaldetectionandmitigation,bothofwhichhavebeenwellstudiedanddevelopedwithvariousdefenseschemes.Ontheonehand,amajorityofdetectionmethodsfocusonanalyzingspecicobjectvaluestodiscoverabnormalevents,e.g.,Xuet.al[ 75 ]studiedamulti-model(PDR,RSS)toconsistentlymonitorjammingsignals.Workbasedonsimilarideas[ 10 ][ 51 ][ 39 ]improvedthedetectionaccuracybyinvestigatingsophisticateddecisioncriteriaandthresholds.However,reactivejammingattacks,wherethejammernodearenotcontinuouslyactiveandthusunnecessaryto 63

PAGE 64

causehugedeviationsofthesevariablesfromnormallegitimateproles,cannotbeefcientlytackledbythesemethods.Inaddition,somerecentworksproposedmethodsfordetectingjammedareas[ 70 ]anddirectingnormalcommunicationsbypasspossiblejammedareausingwormhole[ 9 ].Thesesolutionscaneffectivelymitigatejammingattacks,buttheirperformancesrelyontheaccuracyofdetectiononjammedareas,i.e.thetransmissionoverheadwouldbeunnecessarilybroughtupifthejammedareaismuchlargerthanitsactualsize.Ontheotherhand,mitigationschemeswhichbenetfromchannelsurng[ 74 ],frequencyhoppingandspatialretreats[ 73 ],reactivelyhelplegitimatenodesescapefromthejammedareaorfrequency.Unfortunately,beinglackofpre-knowledgeoverpossiblepositionsofhiddenreactivejammernodes,legitimatenodescannotefcientlyevadejammingsignals,especiallyindensesensornetworkwhenmultiplemobilenodescaneasilyactivatereactivejammernodesandcausetheinterference.Forthesakeofovercomingtheselimitationsabove,in[ 56 ]westudiedontheproblemofidenticationtriggernodeswithashortperiodoftime,whoseresultscanbeemployedbyjamming-resistentroutingschemes,toavoidthetransmissionsofthesetriggernodesanddeactivatethereactivejammernodes.Inthischapter,wecompletethistriggeridenticationprocedureasalightweightservice,whichispromptandreliabletovariousnetworkscenarios. 4.2ProblemModelsandNotations 4.2.1NetworkModel Weconsiderawirelesssensornetworkconsistingofnsensornodesandonebasestation(largernetworkswithmultiplebasestationscanbesplitintosmallonestosatisfythemodel).Eachsensornodeisequippedwithomnidirectionalantennas,mradiosforintotalkchannelsthroughoutthenetwork,wherek>m.Forsimplicity,thepowerstrengthineachdirectionisassumedtobeuniform,sothetransmissionrangeofeachsensorcanbeabstractedasaconstantrsandthewholenetworkasaunitdiskgraph(UDG)G=(V,E),whereanynodepairi,jisconnectedifftheEuclideandistancebetweeni,j: 64

PAGE 65

(i,j)rs.Weleaveasymmetricpowersandpolygonaltransmissionareaforfurtherstudy. 4.2.2AttackerModel Weconsiderbothabasicattackermodelandseveraladvancedattackermodelsinthischapter.Inthenextsections,wewillrstillustrateourframeworksolutiontowardthebasicattackermodel,andthenvalidateitsperformancetowardmultipleadvancedattackermodelstheoreticallyandexperimentally. 4.2.2.1Basicattackermodel Conventionalreactivejammers[ 73 ]aredenedasmaliciousdevices,whichkeepidleuntiltheysenseanyongoinglegitimatetransmissionsandthenemitjammingsignals(packetorbit)todisruptthesensedsignal(calledjammerwake-upperiod),insteadofthewholechannel,whichmeansoncethesensortransmissionnishes,thejammingattackswillbestopped(calledjammersleepperiod).Threeconceptsareintroducedtocompletethismodel. JammingrangeR.Similartothesensors,thejammersareequippedwithomnidirectionalantennaswithuniformpowerstrengthoneachdirection.Thejammedareacanberegardedasacirclecenteredatthejammernode,witharadiusR,whereRisassumedgreaterthanrs,forsimulatingapowerfulandefcientjammernode.Allthesensorswithinthisrangewillbejammedduringthejammerwake-upperiod.ThevalueofRcanbeapproximatedbasedonthepositionsoftheboundarysensors(whoseneighborsarejammedbutthemselvesnot),andthenfurtherrened. Triggeringranger.Onsensinganongoingtransmission,thedecisionwhetherornottolaunchajammingsignaldependsonthepowerofthesensorsignalPs,thearrivedsignalpoweratthejammerPawithdistancerfromthesensor,andthepowerofthebackgroundnoisePn. Accordingtothetraditionalsignalpropagationmodel,thejammerwillregardthearrivedsignalasasensortransmissionaslongastheSignal-Noise-Ratioishigherthan 65

PAGE 66

somethreshold,i.e.,SNR=Pa Pn>wherePa=Ps rYwithandcalledjammingdecisionthresholdandpath-lossfactor,Yasalog-normallyrandomvariable.Therefore,r(Pn PsY)1 isarangewithinwhichthesensortransmissionwilldenitelytriggerthejammingattack,namedastriggeringrange.Aswillbeshownlater,thisrangerisboundedbyRfromabove,andrsfrombelow,wherethedistancesfromeitherboundsaredecidedbythejammingdecisionthreshold.Forsimplicity,weassumetriggeringrangeisthesameforeachsensor. Jammerdistance.Anytwojammernodesareassumednottobetooclosetoeachother,i.e.,thedistancebetweenjammerJ1andJ2is(J1,J2)>R.Themotivationsbehindthisassumptionsarethree-fold:1)thedeploymentofjammersshouldmaximizethejammedareaswithalimitednumberofjammers,thereforelargeoverlappingbetweenjammedareasofdifferentjammerslowersdowntheattackefciency;2)(J1,J2)shouldbegreaterthanR,sincethetransmissionsignalsfromonejammershouldnotinterferethesignalreceptionattheotherjammer,otherwise,thesensedsensorsignalsmixedwiththejammingsignalsfromtheotherjammerwillnotinvokethisjammer;3)thecommunicationsbetweenjammersareimpractical,whichwillexposethejammerstoanomalydetectionsatthenetworkauthority. 4.2.2.2Advancedattackermodel Althoughthebasicreactivejammingmodelisquiteenergy-efcient,theattackersmayaltertheirbehaviorstoevadethedetection,forwhichtwoadvancedreactivejammingmodels:probabilisticattackandasymmetricresponsetimedelayareconsideredinthischapter.Intherstone,thejammerrespondseachsensedtransmissionwithaprobabilityindependently.Inthesecondone,thejammerdelayseachofitsjammingsignalswithanindependentlyrandomizedtimeinterval. WedonotspecifythepossiblechangesofjammingrangeRasanadvancedmodel,sincethetriggersetinthiscasewillnotchange,thoughthevictimsetvaries.Further,wedonottheoreticallyanalyzetheeffectsofvariousjammingdecisionthresholdin 66

PAGE 67

thispaperversion,butweevaluatealltheseabovefactorsinthesimulationsection.Jammermobilitiesareoutofthescopeofthischapter,whichassumesthatthejammersarestaticduringourtrigger-identicationphase.Thisisquitereasonable,sincethetimelengthofthisphaseisshort,astobeshownlater. 4.2.3SensorModel Besidesmonitoringtheassignednetworkeldandgeneratingalarmsincaseofspecialevents(e.g.,re,hightemperature),eachsensorperiodicallysendsastatusreportmessagetothebasestation,whichincludesaheaderandamainmessagebodycontainingthemonitoredresults,batteryusage,andotherrelatedcontent.Theheaderisdesignatedforanti-jammingpurpose,whichis4-tuple:Sensor IDastheIDofthesensornode,Time Stampasthesendingouttimeindicatingthesequencenumber,aswellasaLabelreferringtothenode'scurrentjammingstatusandTTLasthetime-to-liveeldwhichisinitializedasthe2DwhereDisthediameterofthisnetwork. Accordingtothejammingstatus,allthesensornodescanbecategorizedintofourclasses:triggernodesTN,victimnodesVN,boundarynodesBNandunaffectednodeUN.Triggernodesrefertothesensornodeswhosesignalsawakethejammers,i.e.withinadistancelessthanrfromajammer.VictimnodesarethosewithinadistanceRfromanactivatedjammeranddisturbedbythejammingsignals.SinceR>r,TNVN.Otherthanthesedisturbedsensors,UNandBNaretheunaffectedsensorswhilethelatteroneshaveatleastoneneighborinVN,henceBNUN,andVN\UN=;.TheLabeleldofeachsensorindicatesthesmallestclassitbelongsto.TherelationshipsamongtheseclassesareshowninFig. 4-2 ,wherenodesingreyandbluearevictimnodesaroundjammernodes,andbluenodesarealsotriggernodes,whichinvokethejammernodes.Nodessurroundingthejammedareareboundarynodes,whiletheothersareunaffectednodes. 67

PAGE 68

Weassumethatthedetectionofjammedsignalscanbe100%correctlycompletedviacomparingtheSNR,PDRandRSS,asshownin[ 59 ]inthiswork.Althoughthisdetectionproblemisalsoquitechallenging,itisorthogonaltotheserviceframeworkproposedinthischapter.Wewilldigintothisprobleminourfuturework,wherevariousreal-timeapplicationsembeddedwiththisserviceframeworkwillbedeveloped. 4.3ThreeKernelTechniques Inthissection,wementionthreekerneltechniquesthatweresorttointheproposedprotocol.Mostexistinganti-jammingworksconsideronlyproactivejammers,whilereactivejammerscanbringuplargerdamageduetoefcientattackandhardnesstodetect.Tothisend,weembedagrouptestingprocess,i.e.,therandomizederror-tolerantgrouptestingbymeansofourdesignedrandomized(d,z)-disjunctmatrix,totheroutingupdatescheme,whichavoidsunnecessarilylargeisolatedareasas[ 70 ]does.Moreover,mostexistingtopology-basedsolutions[ 41 ][ 42 ]canonlyhandlethesingle-jammercase,sincelackingofknowledgeoverthejammingrangeandinevitableoverlappingofthejammedareasbringupstheanalyticaldifculties.Regardingtheseissues,weresorttoaminimumdiskcoverprobleminwithinsimplepolygonproblemandaclique-independentsetproblem. 4.3.1MinimumDiskCoverinaSimplePolygon Givenasimplepolygonwithasetofverticesinside,theproblemofndingaminimumnumberofvariable-radiidisksthatnotonlycoverallthegivenvertices,butalsoareallwithinthepolygon,canbeefcientlysolved. Thelatestresultsduetothenear-linearalgorithmproposedrecentlyby[ 31 ],whichinvestigatesthemedialaxisandvoronoidiagramofthegivenpolygon,andprovidestheoptimalsolutionusingO($+(log$+log6))timeandO($+loglog)space,wherethenumberofedgesofthepolygonis$andnodeswithinitas.WeemploythisalgorithmtoestimatethejammingrangeR. 68

PAGE 69

4.3.2Clique-IndependentSet Cliques-IndependentSetistheproblemtondasetofmaximumnumberofpairwisevertex-disjointmaximalcliques,whichisreferredtoasamaximumclique-independentset(MCIS)[ 27 ].Sincethisproblemservesastheabstractedmodelofthegroupingphaseofouridentication,itshardnessisofgreatinterestinthisscope.Toourbestknowledge,ithasalreadybeenprovedtobeNP-hardforcocomparability,planar,lineandtotalgraphs,howeveritshardnessonUDGisstillanopenissue.WeprovetheNP-hardnessofthisproblemonUDGviaapolynomial-timereductionfromtheMaximumIndependentSetproblemonplanargraphwithmaximumnodedegree3toit. From[ 23 ],theMaximumIndependentSetproblemisNP-hardonplanargraphwithmaximumdegree3,andfrom[ 65 ],anyplanargraphGwithmaximumdegree4canbeembeddedintheplaneusingO(jVj2)areaunitssuchthatitsverticesareatintegercoordinatesanditsedgesconsistoflinesegmentsoftheformx=iory=j,foranyintegersiandj. Theorem4.1. Clique-IndependentSetproblemisNP-hardonUnitDiskGraph. Proof. GivenaninstanceG0=(V0,E0)ofsuchaMISproblem,whoseoptimalvalueisdenotedasMIS(G0),weconstructaninstanceG=(V,E)oftheCISproblemasfollows: EmbedG0intheplaneinthewaymentionedabove[ 65 ]. Foreachnodevi2V0,attachtwonewnodesvi1andvi2toitandformatriangleNi=fvi1,vi2,vi3g,whereeachedgeofthistriangleNiisofaunitlengthr=p 3 3. Sinceeachnodesviisincidenttoatmostthreeedges,foralledges(vi,u),,(vi,v),movetheirendpointfromvitodifferentvijs,e.g.,(v1,u)changesto(v11,u)and(v1,v)to(v12,v).Afterwards,foreachofsuchedgese=(u,v),assumethatitisoflengtht,wedivideitintotpiecesandreplaceeachpiecewithaconcatenationof2triangles(notnecessarilyequilateral),asshowninFig. 4-1B .Therefore,anyedgeeij=(vi,vj)2E0oflengthjeijjbecomesaconcatenationof2jeijj3-cliques,denotedasfc1,1ij,c1,2ij,c2,1ij,cjeijj,1ij,cjeijj,2ijg.BecauseofthetrianglesNis,thetwotrianglesateachcornerofFig. 4-1B mayneedslightstenches,whichcanbedoneinpolynomialtime. 69

PAGE 70

TheresultinggraphGisthenaunitdiskgraphwithradiusr=p 3 3. AG0=(V0,E0) BG=(V,E) Figure4-1. PolynomialTimeReduction Thereductionisasfollows: ()):ifG0hasamaximumindependentsetM,foreachui2M,wechoosecliquesoftwokindsinthecorrespondinginstanceG:(1)thecliqueNiatui;(2)foreachincidentedgeeij=(ui,uj),choosecliquesfc1,2ij,c2,2ij,c3,2ij,,cjeijj,2ijg.SincethecliqueNjatujsharesavertexwithcjeijj,2ij,itcannotbeselected.Foranyedgeejk=(uj,uk)whereuj=2Manduk=2M,choosecliquesfc1,2jk,c2,2jk,cjejkj,2jkg.Itiseasytoverifythatallthecliquesselectedarevertex-disjointfromeachother. AssumethatafterembeddingG0intotheplane,eachnodevi2V0hascoordinate(xi,yi),thenedgelengthjeijj=kvi,vjk1=jxi)]TJ /F3 11.955 Tf 12.4 0 Td[(xjj+jyi)]TJ /F3 11.955 Tf 12.4 0 Td[(yjj.ThereforeifwehaveanindependentsetofsizejMj=kforG0,wethenhaveacliqueindependentsetofsizek0=k+P(i,j)2E0jeijj. (():ifGhasacliqueindependentsetofsizek0,sincethelengthsoftheembeddededgesareconstant,thenG0hasexactlyanindependentsetofsizek=k0)]TJ /F9 11.955 Tf 11.5 8.97 Td[(P(i,j)2E0jeijj.Theproofiscomplete. Therehavebeennumerouspolynomialexactalgorithmsforsolvingthisproblemongraphswithspecictopology,e.g.,Hellycircular-arcgraphandstronglychordalgraph[ 27 ],butnoneofthesealgorithmsgivesthesolutiononUDG.Inthischapter, 70

PAGE 71

weemploythescanningdiskapproachin[ 26 ]tondallmaximalcliquesonUDG,andthenndalltheMCISusingagreedyalgorithm.Infact,byabstractingthisproblemasaSetPackingproblem,wecanobtainap n-approximationalgorithm,however,itexhibitsworseperformancethanthegreedyalgorithmproposedinourtriggeridenticationprocedure. 4.4TriggerIdenticationProcedure Weproposeadecentralizedtrigger-identicationprocedure.Itislightweightinthatallthecalculationsoccuratthebasestation,andthetransmissionoverheadaswellasthetimecomplexityislowandtheoreticallyguaranteed.Noextrahardwareisintroducedintothescheme,exceptforthesimplestatusreportmessagessentbyeachsensor,andthegeographiclocationsofallsensorsmaintainedatthebasestation.Threemainstepsofthisprocedureareasfollows: 1. AnomalyDetectionthebasestationdetectspotentialreactivejammingattacks,eachboundarynodetriestoreporttheiridentitiestothebasestation. 2. JammerPropertyEstimationThebasestationcalculatestheestimatedjammedareaandjammingrangeRbasedonthelocationsofboundarynodes. 3. TriggerDetection thebasestationmakesashorttestingschedulemessageZwhichwillbebroadcastedtoalltheboundarynodes. boundarynodeskeepbroadcastingZtoallthevictimnodeswithintheestimatedjammedareaforaperiodQ. allthevictimnodeslocallyexecutethetestingprocedurebasedonZandaglobaluniformclock,identifythemselvesastriggerornon-trigger. 4.4.1AnomalyDetection Eachsensorperiodicallysendsastatusreportmessagetothebasestation.However,oncethejammersareactivatedbymessagetransmissions,thebasestationwillnotreceivethesereportsfromsomesensors.Bycomparingtheratioofreceivedreportstoapredenedthreshold ,thebasestationcanthusdecideifajammingattackishappeninginthenetworks.Whengeneratingthestatusreportmessage, 71

PAGE 72

Figure4-2. ReactiveJammingAttackModel eachsensorcanlocallyobtainitsjamming-statusanddecidethevalueoftheLabeleld(InitiallytriggerTN).Indetail,ifanodevhearsjammingsignals,itwillnottrytosendoutmessagesbutkeepitslabelasvictim.Ifvcannotsensejammingsignals,itsreportwillberoutedtothebasestationasusual,however,ifitdoesnotreceiveACKfromitsneighboronthenexthopoftheroutewithinatimeoutperiod,ittriesfor2moreretransmissions.IfnoACKsarereceived,itisquitepossiblethatthatneighborisavictimnode,thenvupdatesLabeltupleasboundaryBNinitsstatusreport.Anotheroutgoinglinkfromvwiththemostavailablecapacityistakentoforwardthismessage.IfthestatusreportissuccessfullydeliveredtothebasestationwithLabel=TN,thecorrespondingnodeisregardedasunaffected.AllthemessagesarequeuedinthebufferoftheintermediatenodesandforwardedinanFCFSmanner.TheTTLvalueisreducedby1perhopforeachmessage,andthemessagewillbedroppedonceitsTTL=0,toavoidself-loops. 72

PAGE 73

ThebasestationwaitsforthestatusreportfromeachnodeineachperiodoflengthP.Ifnoreportshavebeenreceivedfromanodevwithamaximumdelaytime,thenvwillberegardedasvictim.Themaximumdelaytimeisrelatedwithgraphdiameterandwillbespeciedlater.Iftheaggregatereportamountislessthan ,thebasestationstartstocreatethetestingscheduleforthetriggernodes,basedonwhichtheroutingtableswillbeupdatedlocally. 4.4.2JammerPropertyEstimation WeestimatethejammingrangeasRandthejammedareasassimplepolygons,basedonthelocationsoftheboundaryandvictimnodes. Inthesparse-jammercasewherethedistributionofjammersisrelativelysparseandthereisatleastonejammerwhosejammedareadoesnotoverlapwiththeothers,likeJ2inFig. 4-2 .BydenotingthesetofboundarynodesfortheithjammedareaasBNi,thecoordinateofthisjammercanbeestimatedas(XJ,YJ)=(PBNik=1Xk jBNij,PBNik=1Yk jBNkj) where(Xk,Yk)isthecoordinateofanodekisthejammedareaBNiandthenfurtherthejammingrangeRcanbeestimatedasR=min8BNifmaxk2BNi(p (Xk)]TJ /F3 11.955 Tf 11.95 0 Td[(XJ)2+(Yk)]TJ /F3 11.955 Tf 11.96 0 Td[(XJ)2)g sinceweassumeallthejammershavethesamerange. Otherwiseinthedense-jammercase,asshowninFig. 4-3 ,weneedtorstestimatethejammedareas,whicharesimplepolygons(unnecessarilyconvex)containingalltheboundaryandvictimnodes.Thisprocessconsistsofthreesteps:(1)discoveryofconvexhullsoftheboundaryandvictimnodes,wherenounaffectednodesareincludedinthegenerateconvexpolygons.(2)foreachboundarynodevnotonthehull,choosetwonodesonthehullandconnectvtotheminsuchawaythattheinternalangleatthisreexvertexisthesmallest,hencethepolygonismodiedby 73

PAGE 74

Figure4-3. EstimatedRandJammedArea replacinganedge(dottedoneinFig. 4-3 )bythetwonewones.Theresultedpolygonistheestimatedjammedarea.(3)executethenear-linearalgorithm[ 31 ]tondtheoptimalvariable-radiidiskcoverofallthevictimnodes,butconstrainedinthepolygon,andreturnthelargestdiskradiusasR. 4.4.3TriggerDetection Sincethejammerbehaviorisreactive,inordertondallthetriggernodes,astraightforwardwayisthateachsensorbroadcastsonebyone,andmonitorsifthejammersareinvokedbysensingthejammingsignals.However,thisindividualdetectionisquitetime-consumingandallthevictimnodesthushavetobeisolatedforalongdetectionperiod,orevenreturnswrongdetectionresultinthepresenceofmobilejammers.Inthiscase,thenetworkthroughputwouldbedramaticallydecreased.Therefore,topromptlyandaccuratelyndoutthesetriggersfromalargepoolofvictimnodes,emergesasthemostchallengingpartoftheproposedprotocol,forwhichtheideaofgrouptestingisapplied. Inthissection,weonlyconsiderabasicattackmodelwherethejammersdetermin-isticallyandimmediatelybroadcastsjammingsignalsonceitsensesthesensorsignal.Thereforeaslongasatleastoneofthebroadcastingvictimnodesisatrigger,somejammingsignalswillbesensed,andviceversa.Theperformanceofthisprotocoltoward 74

PAGE 75

Table4-1. MessageContainingTriggerDetectionSchedule TimeSlot Channel NodeList 0 f1 v1,v3,,vn 0 f2 v1,v2,v4,,vn)]TJ /F12 7.97 Tf 6.59 0 Td[(1 0 ... 0 fm v2,v5,,vn 1 f1 v2,v4,,vn)]TJ /F12 7.97 Tf 6.58 0 Td[(2 ... ... sophisticatedattackermodelswithprobabilisticattackstrategieswillbevalidatedinthenextsection. Allthefollowingisthetestingscheduleoverallthevictimnodes,whichisdesignedatthebasestationbasedonthesetofboundarynodesandtheglobaltopology,storedasamessage(illustratedinTable 4-1 )andbroadcastedtoalltheboundarynodes.Afterreceivingthismessage,eachboundarynodebroadcaststhismessageonetimeusingsimpleoodingmethodtoitsnearbyjammedarea.Allthevictimnodesexecutethetestingscheduleandindicatethemselvesasnon-triggersortriggers.Sinceallthesensornodesareequippedwithaglobaluniformclock,andnomessagetransmissionstothebasestationarerequiredduringthedetection,themechanismiseasytoimplementandpracticalforapplications. AsshowninTable 4-1 ,foreachtimeslot,msetsofvictimsensorswillbetested.Theselectionofthesesetsinvolvesatwo-levelgroupingprocedure. First-level,thewholesetofvictimsaredividedintoseveralinterference-freetestingteams.Herebyinterference-freewemeanthatifthetransmissionsfromthevictimnodesinonetestingteaminvokesajammernode,itsjammingareawillnotreachthevictimnodesinanothertestingteam.Therefore,bytryingbroadcastingfromvictimnodesineachtestingteamandmonitoringthejammingsignals,wecanconcludeifanymembersinthisteamaretriggers.Inaddition,allthetestsindifferenttestingteamscanbeexecutedsimultaneouslysincetheywillnotinterfereeachother.Fig. 4-4 providesanexampleforthis.3maximalcliquesC1=fv1,v2,v3,v4g,C2=fv3,v4,v5,v6g, 75

PAGE 76

Figure4-4. InterferenceTeams C3=fv5,v7,v8,v9gcanbefoundwithin3jammedareas.Assumethesethreecliquesarerespectivelythethreeteamswetestatthesametime.Ifv4inthemiddleteamkeepsbroadcastingallthetimeandJ2isawakenfrequently,nomatterthetriggerv2intheleftmostteamisbroadcastingornot,v3willalwayshearthejammingsignals,sothesetwoteamsinterfereeachother.Inaddition,node-disjointgroupsdonotnecessarilyinterference-free,astheleftmostandrightmostteamsshow. Second-level,withineachtestingteam,victimsarefurtherdividedintomultipletestinggroups.Thisiscompletedbyconstructingarandomized(d,1)-disjunctmatrix,mappingeachsensornodetoamatrixcolumn,andmakeeachmatrixrowasatest-inggroup(sensorscorrespondingtothecolumnswith1sinthisrowarechosen).Apparentlytestswithinonegroupwillpossiblyinterferethatofanother,soeachgroupwillbeassignedwithadifferentfrequencychannel. Thedurationoftheoveralltestingprocessisttimeslots,wherethelengthofeachslotisL.BothtandLarepredened,yettheformerdependsonthetotalnumberofvictimsandestimatednumberoftriggernodes,andthelatterdependsonthetransmissionrateofthechannel.Specically,atthebeginningofeachtimeslot,allthesensorsdesignatedtotestinthisslotbroadcasta-bittestpacketontheassignedchanneltotheir1-hopneighbors.Tilltheendofthisslot,thesesensorskeepsdetectingpossiblejammingsignals.Eachsensorswilllabelitselfasatrigger 76

PAGE 77

unlessinatleastoneslotofitstesting,nojammingsignalissensed,inwhichcase,thelabelisconvertedtoanon-trigger. Thecorrectnessofthistriggertestprocedureistheoreticallystraightforward.Giventhatallthetestingteamsareinterference-free,thenthetestingwithdifferentteamscanbeexecutedsimultaneously.Giventhatwehaveanupperbounddonthenumberoftriggernodesandeachtestinggroupfollowthe(d,1)-disjunctmatrix,whichguaranteesthateachnon-triggernodewillbeincludedinatleastonegroup,whichdoesnotcontainanytriggernode,soeachnon-triggernodewillnothearjammingsignalsinatleastonetimeslot,butthetriggernodeswillsincethejammersareactivatedoncetheybroadcastthetestpackets.Therefore,twocriticalissuesneedtobeaddressedtoensurethiscorrectness:howtopartitionthevictimsetintomaximalinterference-freetestingteamsandestimatethenumberoftriggernodesd,asfollows.Thoughthesetwoinvolvegeometricanalysisovertheglobaltopology,sinceitonlytakestheinformationofboundaryandvictimnodesasinputs,andiscalculatedatthebasestation,nomessagecomplexityisintroduced. 4.4.3.1Discoveryofinterference-freetestingteams Asstatedabove,twodisjointsetsofvictimnodesareinterference-freetest-ingteamsiffthetransmissionwithinonesetwillnotinvokeajammernode,whosejammingsignalswillinterferethecommunicationswithintheotherset.AlthoughwehaveestimatedthejammingrangeR,itisstillquitechallengingtondtheseinterference-freeteamswithoutknowingtheaccuratelocationsofthejammers.Noticethatitispossibletodiscoverthesetofvictimnodeswithinthesamejammedarea,i.e.withadistanceRfromthesamejammernode.Anytwonodeswithinthesamejammedareashouldbeatmost2Rfarfromeachother,i.e.ifweinduceanewgraphG0=(V0,E0)withallthesevictimnodesasthevertexsetV0andE0=f(u,v)j(u,v)2Rg,thenodesjammedbythesamejammershouldformaclique.Themaximumnumberofvertex-disjointmaximalcliques(i.e.clique-independentset(CIS))ofthiskindprovidesanupperbound 77

PAGE 78

Figure4-5. IterativeLocalRenement ofpossiblejammerswithintheestimatedjammedarea,whereeachmaximalcliqueislikelytocorrespondtothenodesjammedbythesamejammer. Thesolutionconsistsofthreesteps:CISdiscoveryontheinducedgraphfromtheremainingvictimwithouttestschedules,boundary-basedlocalrenementandinterference-freeteamdetection.Weiteratethreestepstodecidethescheduleforeveryvictimnode. CISdiscovery.WerstemployGupta'sMCEalgorithm[ 26 ]tondallthemaximalcliques,thenuseagreedyalgorithm,asshowninAlg. 4.4.3.1 togettheCIS. Algorithm6FindingClique-IndependentSet(FCIS) 1: Input:InducedSubgraphG0=(W,E0). 2: Output:ThesetCofmaximumnumberofdisjointmaximalcliques. 3: FindoutthesetSofallmaximal(notdisjoint)cliquesbyusingGupta'sMCEalgorithm[ 26 ]. 4: whileS6=;do 5: ChoosecliqueC2SwhichintersectswiththeminimumnumberofothercliquesinS; 6: C C[fCg 7: RemoveallthemaximalcliquesintersectingwithC; 8: S SnfCg 9: endwhile 10: returnC LocalRenement.Eachcliqueweselectisexpectedtorepresentthejammedareapoisonedbythesamejammer,andthisareashouldnotcovertheboundarynodes. 78

PAGE 79

However,wedidnottakethisintoaccountwhendiscoveringtheCIS,andneedtolocallyupdateit.Specially,foreachclique,wenditscircumscribedcircleCCandtheconcentriccircleCC0withradiusRofCC.InthecasethatCC0coversanyboundarynodes,welocallyselectanothercliquebyadding/removingnodesfromthisclique,toseeiftheproblemcanbesolve.Ifnot,wekeepthiscliqueasitis,otherwise,weupdateit.ThisisshowninFig. 4-5 ,wherecliqueC1=V1V2V3V4ischosenbyCIS,butitsCC0coversboundarynodeV0,thencliqueC2=V4V5V6V7replacesC1inthetestingteamfortherstround.CliqueV1V2V3areleftforthenextround. TeamDetection.ThecliquesinCIScanalsointerfereeachother,e.g.thecliqueV1V2V3V4andV5V7V8V9inFig. 4-4 .ThisisbecausethesignalsfromV4willwakeJ2,whowilltrytoblockthesesignalswithnoisesandaffectV5bytheway.ButifanytwocliquesC1andC2arenotconnectedbyanysingleedge,thentheyarestraightforwardlyinterference-free,sincetheshortestdistancebetweenanynodeinC1andC2islargerthan2R.ButthefarthestjammerwakenbyandfromC1isr
PAGE 80

Figure4-6. Maximum#InterferingCliques Figure4-7. Maximum#Jammersinvokedbyoneteam 4.4.3.2Estimationoftriggerupperbound Beforeboundingthetriggerquantityfromabove,thetriggeringrangershouldbeestimated.Asmentionedintheattackermodel,rdependsnotonlyonthepowerofbothsensorsandjammers,butalsothejammingthresholdandpath-lossfactor:r(Pn PsY)1 sincetherealtimePnandPsarenotgiven,weestimaterbasedontheSNRcutoff0ofthenetworksetting.Infact,thetransmissionrangeofeachsensorrsisamaximumradiustoguaranteeSNR=Pa Pn=PsY Pnrs0Therefore,wecanestimaterasrrs( 0)1 where0andarepartsofthenetworkinput,whileisassumedasaconstant,whichindicatestheaggressivenessofthejammer.Forthisestimation,canberstsetas10db,whichisthenormallylowerboundofSNRinwirelesstransmission,andthenadaptivelyadjustedtopolishtheservicequality. 80

PAGE 81

Withestimatedr,sinceallthetriggernodesinthesameteamshouldbewithina2rdistancefromeachother,byndinganotherinducedgraphG00=(Wi,E00)fromthevictimnodesWiinteami,withE00=f(u,v)2E00if(u,v)2rg,thesizeofthemaximalcliqueindicatestheupperboundofthetriggernodes,thuscanbeanestimateoverd. Asmentionedabove,alltheparalleltestingteamsselectedareinterference-free,thereforeweroughlyregardeachteamtobethejammedareaofonejammer.Asadeeperinvestigation,thenumberofjammersthatcanbeinvokedbythenodesinthesameteam(six3-cliquewithintheredcircles)canbeupto6,sincetheminimumdistancebetweentwojammersisgreaterthanRandrR,asshowninFig. 4-7 .Thereforeontheinducedgraph,thelargest6cliquesformthepossibletriggerset.However,sincethejammerdistributioncannotbethatdenseforthesakeofenergy-conserving,theformerestimateoverdislargeenough. 4.4.4AnalysisofTimeandMessageComplexity Timecomplexity:Bytimecomplexitywemeantheidenticationdelaycountedsincetheattackhappenstillallthenodessuccessfullyidentifythemselvesastriggerornon-trigger.Therefore,thecomplexitybreakdownsintofourparts:(1)thedetectionofjammingsignalsatlocallinksTd;(2)theroutingofsensorreporttothebasestationfromeachsensornode,andthetestingscheduletoeachvictimnodefromthebasestation,aggregatedasTr;(3)thecalculationofCISandRatthebasestationTc;(4)thetestingateachjammedareaTt. ThelocaljammingsignaldetectioninvolvesthestatisticalpropertiesofPDR,RSSandSNR,whichisorthogonaltoourwork.WeregardTdasO(1)sinceitisanentirelylocaloperationandindependentwiththenetworkscale. Theroutingtimeoverheadisquitecomplicated,sincecongestionsneedtobeconsidered.Forsimplicity,weconsiderthatallthe1-hoptransmissiontakesO(1)timeandboundTrusingthediameterDofthegraph.Asmentionedearlier,thebase 81

PAGE 82

stationwaitsatmostO(2D)forthereports,sothatistheupperboundoftheone-wayrouting.Astotheotherway,wealsobounditusingO(2D)tomatchanycollisionandretransmissioncases. ThecalculationofCISresortstothealgorithmin[ 26 ],whichndsO(l)maximalcliquesonUDGwithinO(l2)time,wherel=jEjandreferstothemaximumdegree.WeusedagreedyalgorithmtondaMCISfromtheseO(l)cliqueswithO(l33Q)time:O(l)-timeforeachcliquetochecktheoverlappingwithothercliques,O(l)-timetondacliqueoverlappingwithminimumothercliques,andQdenotesthenumberoftestingteams.Noticethatinpractice,sensornetworksarenotquitedense,sothenumberofedgeslandmaximumdegreeareactuallylimitedtosmallvalues.Ontheotherhand,thetimecomplexityofestimatingRisuptoO(n 2+n(logn 2+log6n)usingtheminimumdiskcoveralgorithmasmentioned. ThetestingdelayTtdependsonthenumberoftestingroundsandthelengthofeachround.Sincethereactivejammingsignaldisappearsassoonasthesesensed1-hoptransmissionnishes,eachroundlengthisthenO(1).ThenumberoftestingroundsishowevercomplicatedandboundedbyTheorem 4.2 Lemma1. BasedontheETGalgorithm,thenumberofteststoidentifydtriggernodesfromjWjvictimnodesisupperboundedbyt(jWj,d)=O(d2idlnjWje)w.h.p. Theorem4.2. (Main)ThetotalnumberoftestingroundsisupperboundedbyO(Qmaxi=1f13minfd2idlnjWije,jWijg mg)w.h.p,withdi=minfP6s=1jcs(Gi)j,jWijgandcs(Gi)isthesthlargestcliqueoveraninducedunitdisksubgraphGi=(Wi,Ei,2r)inthetestingteami. Proof. First,fromLemma 1 ,atmostt(jWj,d) m=d2idlnjWje mtestingroundsareneededtoidentifyallnodesintestingteami.Second,thesetoftestingteamsthatcanbetestedinparallelis13,asmentionedearlier.Combiningwiththeworst-caseupperboundoftriggersineachteam,theupperboundonroundisderived. 82

PAGE 83

IfthejammingrangeRisassumedknownbeforehand,similarto[ 56 ],thewholetimecomplexityisthusO(Qmaxi=1f13d2idlnjWije,jWijg m) andasymptoticallyboundedbyO(n2logn).Itisasymptoticallysmallerthanthatof[ 56 ]:O((H)Xi=1maxjd(2+o(1))d2jlog22jWjj log22(djlog2jWjj),=me) where(H)referstothemaximumdegreeoftheinducedgraphH(inthisnewsolution,maximumdegreeisnotinvolved).BytakingthecalculationoverheadforRintoaccount,theoveralltimecomplexityisasymptoticallyO(n2logn+nlog6n),whichisO(nlog6n)forn4. MessageComplexity:Ontheonehand,thebroadcastingoftestingscheduleZfromthebasestationtoallthevictimnodescostsO(n)messagesintheworstcase.Ontheotherhand,theoverheadofroutingreportstowardthebasestationdependsontheroutingschemeusedandthenetworktopologyaswellascapacity.Theupperboundisstraightforwardobtainedinalinegraphwiththebasestationatoneend,whosemessagecomplexityisO(n(n)]TJ /F12 7.97 Tf 6.58 0 Td[(1) 2). Withregardtothemessageoverheadofthetestingprocess.ConsideringthatthereareapproximatelyjWij d+1victimnodesineachtestinggroupofteamWi(mentionedintheconstructionofrandomized(d,z)-disjunctmatrixinAppendix),theoverheadofeachtestinggroupinatestingroundisjWij d+11-hoptestingmessagebroadcastedbyallvictimnodesineachgroupofteamWi.Therefore,theovermessagecomplexityisO(n2+QXi=1jWijQmaxi=1fdidlnjWije,jWijgm)whichisO(n2logn). 4.5AdvancedSolutionsTowardSophisticatedAttackModels Inthissection,weconsidertwosophisticatedattackermodels:probabilisticattackandvariantresponsetimedelay,wherethejammersrelyeachsensedtransmission 83

PAGE 84

Table4-2. Notations Notation Content T+ Thenumberoffalsepositiveoutcomes T)]TJ ET q .398 w 147.84 -62.96 m 147.84 -48.52 l S Q BT /F1 11.955 Tf 157.95 -58.63 Td[(Thenumberoffalsenegativeoutcomes u(i) Thenumberoftriggernodesintesti x(i) Thereactiontimeofjammertowardtesti g(i) Theoutcomeoftesti withdifferentprobabilities,insteadofdeterministically,ordelaythejammingsignalswitharandomtimeinterval,insteadofimmediately.Thismaymismatchwiththeoriginaldenitionofreactivejamming,whichtargetsattransmissionsignals,insteadofnodesorchannels.However,cleverjammerscanpossiblychangetheirstrategiestoevadepossiblesenseddetections.Also,acommonsenseindicatesthataslongasanactivityissensedbythejammer,itisquitepossiblethatsomeotheractivitiesarefollowingthis.Sodelayingtheresponsetimestillguaranteestheattackefciency,butminimizetheriskofbeingcaughtbyreactivedetections. Sinceourschemeisrobustandaccurateinthestepsofgrouping,generatingdisjunctmatrixanddecodingthetestingresults,theonlypossibletesterrorsarisefromthegenerationoftestingoutcomes.Nevertheless,byusingtheerror-tolerantdisjunctmatrixandrelaxingtheidenticationprocedurestoasynchronousmanner,ourschemewillprovidesmallfalseratesinthesecases.SomenotationscanbefoundinTable 4-2 .Inthissection,thetermstestandgroup,thetermscolumnandnodesareinterchangeable. 4.5.1UpperboundontheExpectedValueofz First,weinvestigatethepropertiesofbothjammingbehaviorsandobtaintheexpectednumberoferrortestsinbothcasesthroughthefollowinganalysis.Sinceinpractice,itisnottrivialtoestablishaccuratejammingmodels,wederiveanupperboundoftheerrorprobabilitywhichdoesnotrequirethebeforehandknowledgeoftheobjectivejammingmodels,whichisthereforefeasibleforreal-timeidentications.Sinceitisarelaxedbound,itcouldbefurtherstrengthenedvialearningthejamminghistory. 84

PAGE 85

4.5.1.1Probabilisticjammingresponse Acleverjammercanchoosenottorespondtosomesensedongoingtransmissions,inordertoevadethedetection.Assumethateachongoingtransmissionhasanindependentprobabilitytoberesponded.InourconstructionalgorithmETG,whereeachmatrixentryisIIDandhasaprobabilityptobe1,thereforeforanysingletestiwithi2[1,t]: Pr[u(i)=x]=dxpx(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)]TJ /F7 7.97 Tf 6.59 0 Td[(x(4) Henceforeachtesti,theeventthatitcontainsnotriggernodesbutreturnsapositiveresult,hasaprobabilityatmost:Pr[g(i)=0&u(i)1]=dXx=1(1)]TJ /F11 11.955 Tf 11.95 0 Td[()xdxpx(1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)]TJ /F7 7.97 Tf 6.58 0 Td[(x=[(1)]TJ /F11 11.955 Tf 11.95 0 Td[()p+1)]TJ /F3 11.955 Tf 11.96 0 Td[(p]d)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d=(1)]TJ /F11 11.955 Tf 11.95 0 Td[(p)d)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d<(1)]TJ /F11 11.955 Tf 11.96 0 Td[()p Meanwhile,theeventthatitcontainsatleastonetriggerbutreturnsanegativeresult,hasaprobability: Pr[g(i)=1&u(i)=0]=0(4) Sinceinpractical1 2,wethereforehavetheexpectednumberoffalsepositiveandnegativetestsisrespectivelyatmostpt=2and0. 4.5.1.2Variantreactiontime Theintroductionofgrouptestingtechniquesaimstodecreasetheidenticationlatencytotheminimum,therefore,ifthejammerwouldnotrespondintermediatelyaftersensingtheongoingtransmissions,butinsteadwaitforarandomizedtimedelay,thetestoutcomeswouldbemessedup.Sinceitisexpensivetosynchronizethetestsamongsensors,weuseapredenedtestinglengthasL,thusthetestoutcomeoftesti2[1,t] 85

PAGE 86

isgeneratedwithintimeinterval[(di me)]TJ /F6 11.955 Tf 20.09 0 Td[(1)L,di meL].Therearetwopossibleerroreventsregardinganytesti. Fp(i):testiisnegative,butsomejammingsignalsaredelayedfromprevioustestsandinterferethistest,wherewehaveafalsepositiveevent; Fn(i):testiispositive,butthejammeractivatedinthistestdelayeditsjammingsignalstosomesubsequenttests,meanwhile,nodelayedjammingsignalsfromprevioustestsexists,wherewehaveafalsenegativeevent. Sincethejammersinthischapterareassumedtoblockcommunicationsonlyonthechannelswheretransmissionsaresensed,forthefollowinganalysis,weclaimthattheinterferencescanonlyhappenbetweenanytwotestsi,jwithij(modm).DenotethedelayofjammingsignalsasarandomvariableX=fx(1),x(2),x(3),x(t)gwherex(i)isthedelayforpossiblejammingsignalsarisenfromtesti.(1)ForeventFp(i),considerthetesti)]TJ /F3 11.955 Tf 12.27 0 Td[(m,inordertohaveitsjammingsignalsdelayedtotesti,wehaveaboundonx(i)]TJ /F3 11.955 Tf 12.46 0 Td[(m)2(0,2L).Similarly,inordertohavethesignalsofanytestjdelayedtoi,wehavex(j)2[(i)]TJ /F7 7.97 Tf 6.59 0 Td[(j m)]TJ /F6 11.955 Tf 12.42 0 Td[(1)L,(i)]TJ /F7 7.97 Tf 6.59 0 Td[(j m+1)L].FurtherassumetheprobabilitydensityfunctionofXisP(i)=Pr[X=x(i)].Considerallthetestspriortoi,whicharei%m,1+i%m,,i)]TJ /F3 11.955 Tf 11.96 0 Td[(m,wethenhavetheprobabilityforFp(i): (1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)di)]TJ /F7 7.97 Tf 6.58 0 Td[(mXj=i%mZ(i)]TJ /F13 5.978 Tf 5.76 0 Td[(j m+1)L(i)]TJ /F13 5.978 Tf 5.76 0 Td[(j m)]TJ /F12 7.97 Tf 6.58 0 Td[(1)LP(w)dw(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)(4) Tosimplifythisexpression,weassumethatX=Lfollowsauniformdistributionwithintherange[0,]withasmall,whichisreasonableandefcientforattackersinpractice.Sincethenatureofjammingattacksliesinadaptingtheattackfrequencyduetothesensedtransmissions,toolargedelaydoesnotmakesensetotackletheongoingtransmissions.Underauniformdistribution,theprobabilityofFp(i)becomes:(1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)di)]TJ /F7 7.97 Tf 6.59 0 Td[(mXj=maxi%m,i)]TJ /F7 7.97 Tf 6.59 0 Td[(m)]TJ /F16 7.97 Tf 6.58 0 Td[()]TJ /F12 7.97 Tf 6.58 0 Td[(12 =(1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d(di me)]TJ /F6 11.955 Tf 19.93 0 Td[(1)2 86

PAGE 87

Therefore,theexpectednumberoffalsepositivetestsisatmostT+tXi=1(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d()2 2tXi=1(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d2(1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)dt (2)ForeventFn(i),followingthesimilarargumentsabove,wehaveanupperboundoftheprobabilityforFn(i)(assumethatanydelayslargerthanlattestiwillinterferethetestsjfollowingiwherej2[max(i%m,i)]TJ /F3 11.955 Tf 11.96 0 Td[(m)]TJ /F11 11.955 Tf 11.96 0 Td[()]TJ /F6 11.955 Tf 11.95 0 Td[(1),i)]TJ /F3 11.955 Tf 11.95 0 Td[(m]):(1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)Z+1lP(w)dw 1)]TJ /F9 11.955 Tf 11.96 11.36 Td[(XjZ(i)]TJ /F13 5.978 Tf 5.75 0 Td[(j m+1)L(i)]TJ /F13 5.978 Tf 5.76 0 Td[(j m)]TJ /F12 7.97 Tf 6.59 0 Td[(1)LP(w)dw(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)!(1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)(1)]TJ /F6 11.955 Tf 11.96 0 Td[(2(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d))()]TJ /F3 11.955 Tf 11.96 0 Td[(l)=(1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)(1)]TJ /F6 11.955 Tf 11.96 0 Td[(2(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)) Sotheexpectednumberoffalsenegativetestsisatmost T)]TJ /F2 11.955 Tf 10.4 -4.94 Td[((1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d)(1)]TJ /F6 11.955 Tf 11.95 0 Td[(2(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d))t(4) Therefore,wecoulduseaunionboundandobtainaworst-caseerrorrateofeachtest:=p 2+2(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)(1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d+(1)]TJ /F6 11.955 Tf 11.96 0 Td[((1)]TJ /F3 11.955 Tf 11.96 0 Td[(p)d)(1)]TJ /F6 11.955 Tf 11.96 0 Td[(2(1)]TJ /F6 11.955 Tf 11.95 0 Td[((1)]TJ /F3 11.955 Tf 11.95 0 Td[(p)d))=(10)]TJ /F6 11.955 Tf 11.96 0 Td[(82)]TJ /F11 11.955 Tf 11.96 0 Td[()]TJ /F7 7.97 Tf 6.59 0 Td[(d)]TJ /F6 11.955 Tf 11.95 0 Td[(1)=2 where=(d=(d+1))d.Intuitively,wecanhaveanupperboundonthenumberoferrortestsasz=t=(10)]TJ /F6 11.955 Tf 12.68 0 Td[(82)]TJ /F11 11.955 Tf 12.68 0 Td[()]TJ /F7 7.97 Tf 6.58 0 Td[(d)]TJ /F6 11.955 Tf 12.68 0 Td[(1)=2,andtakeitasaninputtoconstructthe(d,z)-disjunctmatrix.However,noticethatzdependsont,i.e.,thenumberofrowsof 87

PAGE 88

theconstructedmatrix,wethereforederiveanotherboundoftrelatedto,asshownbyCorollary 2.0.1 intheappendix. 4.5.2Error-tolerantAsynchronousTestingwithinEachTestingTeam Byapplyingthederivedworst-castnumberoferrortestsintotheETGconstruction,wecanobtainthefollowingalgorithmwheretestsareconductedinanasynchronousmannertoenhancetheefciency. AsshowninAlgorithm 7 ,afterallthegroupsaredecided,conductgrouptestingontheminmpipelines,whereineachpipelineanydetectedjammingsignalswillendthecurrenttestandtriggerthenexttestswhilegroupsreceivingnojammingsignalswillberequiredtoresendtriggeringmessagesandwaittillthepredenedroundtimehaspassed.Thesechangesovertheoriginalalgorithm,especiallytheasynchronoustestingarelocatedineachtestingteam,thuswillnotintroducesignicantoverheads,however,theresultederrorratesarelimitedtoaquitelowlevel. 4.6ExperimentalEvaluation 4.6.1Overview Asalightweightdistributetrigger-identicationservice,oursolutionwillbeexperimentallyevaluatedfromfourfacets: inordertoshowthebenetofthisservice,wecompareitwithJAM[ 70 ]intermsoftheend-to-enddelayanddeliveryratioofthedetourroutesfromthebasestationtoallthesensornodes,asthenumberofsensorsn,sensorrangers,andnumberofjammersJvarywithinpracticalintervals. inordertoshowtheaccelerationeffectoftheclique-independentsetinthissolution,wecomparethecomplexityofthissolutiontoourpreviouscentralizedone[ 56 ],withvaryingtheabovefourparameters,wherebothjammingandtriggeringrangeRandrareassumedtobeknownbeforehand. inordertoshowtheaccuracyofestimatingthejammingrangebyusingthepolygondiskcoveralgorithm,weprovidetheestimatedjammingrangesaswellastheerrorratetotheactualvalues. 88

PAGE 89

Algorithm7AsynchronousTesting 1: Input:nvictimnodesinatestingteam. 2: Output:alltriggernodeswithinthesevictimnodes. 3: Estimatedasmentioned. 4: Set=(10)]TJ /F6 11.955 Tf 11.96 0 Td[(82)]TJ /F11 11.955 Tf 11.96 0 Td[()]TJ /F7 7.97 Tf 6.58 0 Td[(d)]TJ /F6 11.955 Tf 11.95 0 Td[(1)=2.//upperboundoferrorprobabilityforeachtest. 5: Sett=lnn(d+1)2 ()]TJ /F16 7.97 Tf 6.58 0 Td[((d+1))2.//numberofrows. 6: Constructa(d,z)-disjunctmatrixusingETGalgorithmwithtrows,anddivideallthenvictimnodesintotgroupsaccordinglyfg1,g2,,gtg. 7: 8: /*Foreachround,conductgrouptestingonmgroupsusingmdifferentchannels(radios).Thetestingisasynchronousinthat,themgroupstestedinparalleldonotwaitforeachothertonishthetesting,instead,anynishedtestjwilltriggerthetestj+m,i.e.,thetestsareconductedinmpipelines.*/ 9: fori=1todt=medo 10: Conductgrouptestingingroupsgim+1,gim+2,gim+minparallel; 11: Ifanynodesingroupgjwithj2[im+1,im+m]detectsjammingnoises,thetestinginthisgroupnishesandstarttestingongj+m. 12: Ifnonodesingroupgjdetectjammingnoises,whileatleastoneothertestinparalleldetectsjammingnoises,letallthenodesingroupgjresend3moremessagestoactivatepossiblehiddenjammers.Ifnojammingsignalsaredetectedtilltheendofthepredenedroundlength(L),returnanegativeoutcomeforthisgroupandstarttestingongj+m. 13: endfor inordertoshowitsperformanceandrobustnesstowardstrickyattackers,weprovideitsfalsepositive/negativerate,whentakingintoaccountthosetwoadvancedjammermodels,aswellastheestimationofR. ThesimulationisdevelopedusingC++onaLinuxWorkstationwith8GBRAM.A10001000squaresensoreldiscreatedwithuniformlydistributednsensornodes,onebasestationandJrandomlydistributedjammernodes.Allthesimulationresultsarederivedbyaveraging20randominstances. 4.6.2BenetsforJamming-resistentRouting JAM[ 70 ]proposedajamming-resistentroutingscheme,whereallthedetectedjammedareaswillbeevadedandpacketswillnotpassthroughthejammednodes.Thismethodisdedicatedforproactivejammingattacks,whichsacricessignicantpacketdeliveryratioduetotheunnecessarilylongroutesselected,thoughtheeffectsofjammingsignalsareavoided.Wecomparetheend-to-enddelaybetweeneach 89

PAGE 90

AAverageend-to-enddelaybyJ BAverageend-to-enddelaybyR CAverageend-to-enddelayby Figure4-8. Benetsforrouting sensornodeandthebasestation,oftheselectedroutesbyevadingthejammedareasdetectedbyJAM,withthatoftheonesevadingonlytriggernodes.Althoughtherearemanyexistingroutingprotocolsforunreliablenetworkenvironments,theaimofthisexperimentistoshowthepotentialofthisservicetovariousapplications,insteadofbeingadedicatedroutingprotocol. ThreekeyparametersforroutingcouldbethenumberofJammersJ,jammingrangeR,jammingthreshold.Asmentionedearlier,indicatestheaggressivenessoftheattackerandthetriggeringrangerrs( 0)1 .Therefore,withrs,0andasxednetworkinputs,theeffectofcanbeexactlyindicatedbystudyingtheeffectofrinstead. 90

PAGE 91

Thewholenetworkhasn=1500nodesandsensortransmissionrangers=50.TheresultswithrespecttothethreeparametersJ2[1,20],R2[100,200],r2[50,150]areincludedinFig. 4-8A 4-8B and 4-8C respectively.Noticethatforeachexperiments,theothertwoparametersaresetasthemedianvalueoftheircorrespondingintervals.Therefore,R=150forFig. 4-8C ,whichmatchestheextremecaseR=r.Furthermore,forthenodesthatareinjammedareasforJAMandthataretriggersforourmethod,inanotherword,unabletodeliverpacketstoorfromthebasestation,wecountthedelayasn+1,whichisanupperboundoftheroutelength. AsshowninFig. 4-8A and 4-8B ,whenjandRincreases,theroutingdelaygoesup,whichisquitereasonablesincethejammingareasgetlargerandmoredetourshavetobetaken.ThelengthofroutesbasedonJAMquicklyclimbsuptotheupperbound,whilethatofourtriggermethodismuchlowerandmorestable,specicallykeepslessthan900seconds.Whentriggeringrangerissmall,asinFig. 4-8C ,theend-to-enddelayofTrigger-basedroutingismuchsmallerthantheother,whileasrincreasesthetwoapproacheseachother,sincemorevictimnodesaretriggersnow. 4.6.3ImprovementsonTimeComplexity Inourpreviouswork[ 56 ],weproposedapreliminaryideaofthistriggerdetection,andprovidedadisk-basedsolution.However,itshightimecomplexitylimitsitsusageinreal-timenetworks.Asmentionedabove,thetimecomplexityofournewclique-baseddetectionisprovedtobeasymptoticallylowerthantheprevious,whilethemessagecomplexitiesareapproachingeachother. AlthoughthecomputationaloverheadforestimatingRisasymptoticallyhuge,thephaseisnotthekeypartofourscheme,andcanbeeasilyimprovedbymachinelearningtechniques.Therefore,inthissection,weassumethatbothRandrareknownbeforehand,andvalidatethetheoreticalresultsthroughsimulationsonnetworkinstanceswithvarioussettings.Specically,thenetworksizenrangingfrom450to550withstep2,transmissionrsfrom50to60withstep0.2andnumberofjammersJfrom3 91

PAGE 92

to10withstep1.Parametervalueslowerthantheseintervalswouldmakethesensornetworklessconnectedandjammingattacklesssevere,whilehighervalueswouldleadtoimpracticaldensescenariosandunnecessaryenergywaste. Sincethelengthofeachreactiveattackisequaltothetransmissiondelayoftheobjectsensorsignal,notethatinourtriggerdetection,onlyonemessageisbroadcastbyeachsensorinthetestinggroups.Therefore,itisreasonabletopredenethelengthofeachtestingroundasaconstant.Wesetthisas1second,whichisfarmoreenoughforanysinglepackettobetransmittedfromonenodetoitsneighboringnodes.Henceforth,thetimecostshowninFig. 4.6.3 onlyindicatesthenumberofnecessaryroundstondoutallthetriggers,andcanbefurtherreduced.Themessagecomplexityismeasuredviatheaveragemessagecostoneachsensornode. AsshowninFig. 4-9A and 4-9B ,thisclique-basedschemecompletestheidenticationwithsteadilylessthan10seconds,comparedtotheincreasingtimeoverheadwithmorethan15secondsofthedisk-basedsolution,asthenetworkgrowsdenserwithmoresensornodes.Meanwhile,itsamortizedcommunicationoverheadsareonlyslightlyhigherthanthatoftheothersolution,whereasbotharebelow10messagespervictimnode.Therefore,thenewschemeisevenmoreefcientandrobusttolarge-scalenetworkscenarios. Withthesensortransmissionradiusgrowingup,thetimecomplexityofthedisk-basedsolutiongraduallyascends(Fig. 4-9D and 4-9C )duetotheincreasedmaximumdegree(H)mentionedintheaboveanalysis.Comparatively,thetimecostofclique-basedsolutionremainsbelow10seconds,whilethemessagecomplexitystillapproximatestheotherone. Sincesensornodesareuniformlydistributed,themorejammernodesplacedinthenetworks,themorevictimnodesareexpectedtobetested,theidenticationcomplexitywilltherewithraises,astheperformanceofdisk-basedschemeshowsinFig. 4-9F and 4-9E .Encouragingly,theproposedschemecanstillnishtheidenticationpromptly 92

PAGE 93

A#Roundsbyn B#Messagesbyn C#Roundsbyr D#Messagesbyr E#RoundsbyJ F#MessagesbyJ Figure4-9. TimeandMessagecomplexity 93

PAGE 94

Figure4-10. EstimationerrorofR withlessthan10seconds,whichgrowsupmuchslowerthantheother.Ithasslightlymorecommunicationoverheads(10messagespervictimnodes)butisstillaffordabletopower-limitedsensornodes. 4.6.4AccuracyinEstimatingJammerProperties ThoughtheestimateofjammingrangeRisonlytoprovideanupperboundforR,suchthatthetestingteamsobtainedaccordinglyareinterference-free,wearealsointerestedintheaccuracyofthisestimation.AsshowninFig. 4-10 ,weinvestigatetheerrorrateRforR=[50,100]whentherearerespectivelyJ=5,10,15jammers. Twoobservationsarestraightforwardfromtheseresults:(1)alltheestimatedvaluesareabovetheactualones,however,lessthan10%difference.ThismeetsourrequirementforatightupperboundofR.(2)theerrorratesincaseoffewerjammersarerelativelylowerthanthosewithmorejammers.Thisisbecausejammerscouldhavelargeoverlapsintheirjammingareas,whichintroducesestimateinaccuracies.ThankstotheaccurateestimationofR,theoverallfalsepositive/negativerateisquitesmall,astobeshownnext. 94

PAGE 95

4.6.5RobustnesstoVariousJammerModels Inordertoshowtheprecisionofourproposedsolutionunderdifferentjammingenvironments,wevarythetwoparametersofthejammerbehaviorsabove:JammerResponseProbabilityandTestingRoundLength/MaximumJammingDelayL=XandillustratetheresultedfalseratesinFig. 4-11A and 4-11B .Tosimulatethemostdangerouscase,weassumeahybridbehaviorforallthejammers,forexample,thejammersinthesimulationofFig. 4-11A notonlylaunchthejammingsignalsprobabilistically,butalsodelaythejammingmessageswitharandomperiodoftimeupto2L.Ontheotherhand,thejammersinthesimulationofFig. 4-11B respondeachsensedtransmissionwithprobability0.5aswell.Allthesimulationresultsarederivedbyaveraging10instancesforeachparameterteam. Asshowninbothgures,weconsidertheextremecaseswherejammersrespondtransmissionsignalswithaprobabilityassmallas0.1,ordelaythesignalstoupto10testingroundslater.Thisactuallycontradictswiththenatureofreactivejammingattacks,whichaimatdisruptingthenetworkcommunicationassoonasanylegitimatetransmissionstarts.Themotivationofsuchparametersettingistoshowtherobustnessofthisschemeeveniftheattackerssensethedetectionandintentionallyslowdowntheattacks.Theoverallfalseratesarebelow20%foranyparametervalues. InFig. 4-11A ,when>1=2whichcorrespondstopracticalcases,wendthatthefalsenegativeratesgenerallydecreasefrom10%to5%asincreases.Meanwhilethefalsepositiverategrowsgently,butisstillbelow14%,thisisbecauseasmoreandmorejammingsignalsaresent,duetotheirrandomizedtimedelays,moreandmorefollowingtestswillbeinuencedandbecomefalsepositive.InFig. 4-11B ,consideringthepracticalcaseswhereL=X>1=2,bothratesaregoingdownfromaround10%to1%,sincethemaximumjammingdelaybecomesshorterandshortercomparedtothetestingroundlengthL,inwhichcase,thenumberofinterferencesbetweenconsecutivetestsisdecreasing. 95

PAGE 96

AProbabilisticJammerResponse BRandomJammingDelay Figure4-11. SolutionRobustness 4.7DiscussionandConclusions Oneleftoverproblemtothisserviceframeworkisthejammermobility.Althoughtheidenticationlatencyhasbeenshownsmall,itwouldnotbeefcienttowardjammersthataremovingatahighspeed.Thiswouldbecomeaninterestingdirectionofthisresearch. Anotherleftoverproblemistheapplicationofthisservice.Jamming-resistentroutingandjammerlocalizationsarebothquitepromising,yettheserviceoverheadhastobefurtherreducedtoforreal-timerequirements. Asasummary,inordertoprovideanefcienttrigger-identicationserviceframework,weleverageseveraloptimizationproblemmodelsandprovidecorrespondingalgorithmstothem,whichincludestheclique-independentproblem,randomizederror-tolerantgrouptesting,andminimumdiskcoverforsimplepolygon.Theefciencyofthisframeworkisprovedthroughboththeoreticallyanalysistowardvarioussophisticatedattackmodelsandsimulationsunderdifferentnetworksettings.Withabundantpossibleapplications,thisframeworkexhibitshugepotentialsanddeservesfurtherstudies. 96

PAGE 97

CHAPTER5ANEFFICIENTMULTI-LINKFAILURELOCALIZATIONSCHEMEINALL-OPTICALNETWORKS Duetothesidebenetofelectronicswitchinginopticalnetworks[ 43 ],theproblemoflinkfailurelocalization,namelyefcientlyndingcriticalerrorslikebercutsandopticalamplierbreakdowns,hasseizedanincreasingattentions[ 3 ][ 58 ][ 68 ]. Besidestheconventionalmonitoringschemeswhereeachlinkisequippedwithamonitor,majorrecentsolutions[ 44 ][ 79 ][ 72 ][ 71 ][ 29 ][ 61 ][ 1 ]employspecicsetoflight-pathseachwithapairoftransmitterandreceiver.Wavelengthsignalsarelaunchedatthetransmitterandmonitoredatthereceiverforanysyndromeslikesignaldisruption,anomalyhighsignal-to-noiseratio(SNR)orbit-error-rate(BER).Thefailedlinksexistinthelight-pathswithsuchsyndromesandarelocalizedviacombinatorialanalysis. Mostsolutionsbasedonthisstrategytargetatsinglelinkfailureinasmallnetwork,andtrytominimizethenumberoflight-paths(wecallitpath-trial).However,toourbestknowledge,fewofthemprovideanefcientsolutiontomultiplelinkfailurelocalization.Itisobviousthatasthenumberoflinkfailuresincreases,thehardnessofthisproblemalsogoesup.Inaddition,existingsolutionsrelyoncentralizedcalculationsandthuscannotbeappliedtolarge-scalenetworks,wherethequantityoflinkfailuresisalsorelativelylargerasmorelinksareinvolved.Specically,amongthelatestworks,Harveyetal.in[ 29 ]provideacompletetheoreticalreviewovertheapplicationofnon-adaptivegrouptestingtotheprobeselectionforthefailurelocalizationovervariousgraphtopologies,however,onlypreliminarycentralizedsolutionsaresketchedalongwiththeoreticalcomplexitybounds.In[ 61 ],Tapolcaiet.alproposeanefcientrandomcodeassignmentbasedsolution,however,onlysingle-linkfailurecanbehandled.Ahujaetal.in[ 1 ]proveseveralinterestingnecessaryandsufcientconditionsonthegraphconnectivityforthelinkfailurestobeunambiguouslylocalized.Butthecentralizedsolutiontheyproposeisbasedonthediscoveryof(k+2)-edge-connectedsubgraph 97

PAGE 98

forklinkfailures.Thesolutionislimitedtosmallnetworksduetoitsexpensivesubgraphsearch. Besidestheselimitationsoftheexistingsolutions,somepracticalconstraintshavenotbeeninvestigated.Therstandthemostimportantoneisthatthenumberoffailedlinkscannotbeknownbeforehand,ortightlyupper-bounded.Weformulatetheproblemofestimatingthisfailurequantityasagraphoptimizationproblem,avg--disruptor,whichiswithinthescopeofnetworktopologyvulnerabilityassessment[ 15 ][ 76 ].Basedonthisestimatedvalue,ourproposedschemesgothrough.ThesecondconcernisthelimitedcapacityoftheWDM(wavelength-divisionmultiplexing)techniqueassummarizedin[ 7 ].Dense-WDM(DWDM)providesupto128channelsinasingleber,whichrequiresmorepower,higheraccuratelasersandwavelters,aswellasmoreexpensiveEDFA'sforampliersthanCoarse-WDM(CWDM)whichhasonly18channels.Sotakingthesetupexpenseintoaccount,somenetworksmayadoptCWDMandthecapacityofeachlinkislimited.Third,somelinksmaycausetransmissionfailuresonlytoaproportionofwavelengths[ 1 ],andsomeperformancemetrics,likeSNRmaynotalwayscorrectlyreecttheresultsofthepath-trials. Toourbestknowledge,thisistherstattempttominimizethenumberofpath-trialsformultiplelinkfailurelocalizationinvariousnetworkscenarios.Ourcontributionsare: Forsmallnetworkswithcentralcontrolandmultiplemonitoringlocations,weprovideacentralizedtree-decompositionbasedmethod,tolocalizedmultiplelinkfailureswhosequantityisproportionaltothenetworksize,insteadofaconstant. Forlarge-scalenetworkswithoutcentralcontrolandonlyonemonitoringlocation,weprovidealocalizedrandom-walkbasedalgorithm. Forvariousnetworkscenarioswithspecicconstraints,weeliminateunrealisticassumptionsandprovideefcientadaptationstotheproposedschemes. Besidestheoreticalsupportsfortheperformancecomplexity,wepresentextensivesimulationresultsfornetworkswithdifferenttopologiesandsizes. Therestofthischapterisorganizedasfollows:Section 5.2 providesareviewovertheconceptofthepath-trialsolutionandtheformaldenitionsofthelocalization 98

PAGE 99

problem,aswellasthebreakdownofouralgorithms.Section 5.3 presentsourcentralizedlocalizationmethodandSection 5.4 showsthelocalizedsolution.InSection 6.5 ,simulationresultsareexhibitedwhiletherelatedworksareincludedinSection 5.1 .InSection 5.6 ,weprovideadaptedversionsofthetwoschemeswithrespecttopracticalconstraints.Section 6.6 summarizesthiswholechapter. 5.1RelatedWorks Fortheexistingworksusingthetrialoflight-paths[ 44 ][ 79 ][ 72 ][ 71 ][ 29 ][ 61 ][ 1 ],therearetwomeasuresovertheexpenseofthisscheme,thenumberofpath-trialstakenandthemonitoringlocationsrequired.Theyaredifferentsincemultiplelight-pathscansharethesamereceiverthereforemonitorsarealwayslessthanthelight-paths.Amongthelatestworks,[ 29 ]and[ 61 ]focusonminimizingtheformermeasure,while[ 1 ]thelatter.Thesethreepapersrepresentthreedirectionsofsolvingthisproblem.Ahujaetal.in[ 1 ]employmonitoringcyclesandpathsandaimtominimizethemonitoringlocations.Theirsolutionrevealstherelationshipbetweenthegraphconnectivityandtheexpenseofsingle-linkfailuredetection,whichisquiteinteresting.However,limitedbythehighcomputationaloverheadinndingthehighly-edge-connectedsubgraph,thistechniqueishardtobeengraftedtolarge-scalenetworkswithmultiplelinkfailures.In[ 61 ],Tapolcaiet.alproposearandomcodeassignmentbasedsolution,whichusesthebinaryrepresentationofeachlinkastheiralarmcodes,thereforeeachsinglelinkcanbeunambiguouslydiagnosed,combinedwiththedetectionsyndromes.Thealgorithmissimpleandthelocalswappingoptimizationcanbecompletedattheoff-linestage,however,howtohandlemultiplelinkfailureshasnotbeendiscussed.Harveyetal.in[ 29 ]providetherstapplicationofgrouptestingtheoryintothislocalizationtopicandpresentaseriesoftheoreticalboundoverthepreliminarysolutiononvarioustopologies.Nevertheless,thebiggestdifferencebetweenthesetwoeldsiswhetherthetestingpool(path-trial)isrequiredtobeconnectedonthegraph.Byresortingtoarandomwalkbasedscheme,weovercomethisgapandpresentanefcientsolution.Amongexisting 99

PAGE 100

works,manyassumptionslikethepre-knowledgeofthefailurequantityhavebeenmade,whichbringdowntheefciencywhenappliedtoindustrialapplications.Moreover,asthescaleofall-opticalnetworkskeepsgrowing,simplebutefcientsolutionsthatcanhandlelargenetworksisbecomingagreatdemand.Tothisend,weincludeourschemesinthischapter. 5.2BackgroundandProblemBranches Asstatedin[ 1 ][ 61 ],apath-trialisalightpathwhichconsistsofmultiplelinks.Thetwoendsofthepath-trialarecalledtransmitterandreceiverrespectively.Eachpath-trialwillbeequippedwithamonitoratthereceiverend,whichmonitorsthereceivedwavelengthsignalafteritisinjectedatthetransmitterandtraversesthroughthepath,tocatchanyabnormalsignslikehighSNRorBER(whichwecallpositive)toindicateifanyofthelinkswithinthepatharefailed.Notethateachlinkcanbeincludedbymultiplepath-trials,andafailedlinkwillpoisonallthetrialscontainingit,thereforebycarefullydesigningthepath-trialsandobservingthemonitoredresultofeachone,itispossibletocatchthefailurelinksviacombinatorialmethods. WeincludeanexampleofthissolutioninFig. 5-1 :Giventwographs,bothofwhichcontain5verticesand8edges.Blacknodesrefertomonitoringlocations.Theredarrowsindicatethepath-trialsconsistingofmultipleedges,e.g.thearrowintheleft-handgraphs!v!w!sisapath-trialwhereawavelengthsignalisinjectedintos,goesthroughthistrial,andmonitoredatsforabnormalsigns.Ifsfailstoreceivethesignal,thenatleastoneof(s,v),(v,w),(s,w)isfailed,otherwiseallaregoodlinks.Theleft-handandright-handgraphrefertothetwoproblembranchesstudiedinthischapter:Multi-LOCandst-LOC,i.e.,multiplemonitoringlocations(s,t,v,)andsingle-pairlocations(s,tonly).Thelatterproblemishardersinceeachtrialisrestrictedtobestartingfroms,endingatt. Therefore,giventhatanypath-trialcontainingatleastonelinkfailurewillreturnapositivemonitoringresult,andthoseconsistingofoperativelinkswillreturnnegative 100

PAGE 101

Figure5-1. AnexampleofPath-trial Figure5-2. MultiplebranchesoftheM-LFL(Multi-Linkfailurelocalization)problem results,theproblemoflocalizingmulti-linkfailuresisthusconvertedtoatrial-selectionproblem,whichcanbeabstractedasthefollowinggraphoptimizationproblemM-LFL(Multi-Linkfailurelocalization): Denition5.2.1(M-LFL). GivenanundirectedconnectedgraphG=(V,E),whereVreferstothevertexsetandEedgeset.WedenotethecardinalityofthevertexsetbyjVjandedgesetbyjEj,wherejVj=nandjEj=maretwogivenconstants.Giventhatd>1edgesarefailed,theproblemasksustominimizethenumberofpath-trialsrequiredtolocalizethem. 101

PAGE 102

Table5-1. MainNotations V(g) vertexsetofgraphg E(g) edgesetofgraphg D(g) diameterofgraphg n,m thenumberofnodesandlinksinthenetwork deg(v) thenode-degreeofv d upperboundofthenumberoflinkfailures (v) v-Spangraphrootedatvertexv R upperboundofthenumberofrandomwalkstaken T thenumberofpath-trialsused Westudybasicallytwobranchesofthisproblem,i.e.,Multi-LOCandst-LOC,whichrespectivelyrefertothecasewithunlimitednumberofmonitoringlocationsandonlyanodepair(s,t)asthetransmitterandreceiver,i.e.,asinglemonitoratt.Thesetwobranchesinfactmatchdifferentapplicationscenarios:fornetworkswithrelativesmallersizeandsimplertopology,itispracticaltofreelyplacemonitorsatarbitrarynodes.Sincecentralizedalgorithmsareeasytoexecuteonthisunderlyingstructure,weprovideacentralizedtree-decompositionalgorithmforit.Ontheotherhand,forlarge-scalenetworkswithcomplicatedtopologies,itisexpensivetoequipmonitorsandtransmitresultsattheintermediatenodesbutonlyafewterminalnodes,sowepresentalocalizedrandomwalkbasedalgorithmreturningthesetofpath-trialsstartingandendingatasinglenode-pair.Beyondthis,weconsiderthreepracticalconstraints,i.e.,k-par,d-unknownandq-failasmentioned.Fig. 5-2 showsthechapterow. ThemainnotationsforthischapterareincludedinTable 5-1 .Thetermsnodeandvertex,linkandedge,networkandgraphareinterchangeable. 5.3Acentralizedalgorithmformoderatesizednetworks Inthisbranch,wecanplaceamonitoratanynodewithinthegraphandwanttominimizethenumberofpath-trialsused.Sincethereexistmanysingle-linkfailurelocalizationschemes,itisstraightforwardtoconsiderpartitioningthegraphintosmallpieceswhereeachisexpectedtocontainasingle-linkfailure,andlocatingthemonebyone.However,lotsofchallengingproblemsarehiddenbehindthisidea:(1)howtodo 102

PAGE 103

thepartitionsuchthateachsubgraphcontainsonlyonefailure?(2)eventhepartitionisfeasible,howtominimizethecostofthelocalizationineachsubgraph?(3)giventhatthelocalizationineachsubgraphisefcientlyhandled,isthetotalcostalsolowenough? WedesignacentralizedalgorithmTDD(Alg. 8 ),whichusesatree-decompositionprocesstopartitionthegraphintoedge-disjointtree-subgraphs,andemploysanefcientsingle-linkfailurelocalizationalgorithmwiththeoreticalcostboundoneachtree.Tohandlethesechallengingproblemsandoptimizethesolution,weembedseveraltechniques,likecycle-breakoperation,L-degreebasedgreedyaswellaslocalprioritystrategy,intothealgorithm.Inaddition,aredundanttree-subgraphschemeisintroducedtofurtherimprovethealgorithmperformance.Allthesewillbeillustratedindetailsinthefollowingthreesubsections. 5.3.1Tree-decomposition ItisreasonabletoassumethatthelinkfailuresfallintoaBernoullidistribution[ 68 ],whereeachedgeehasauniformprobabilityfe=ptobefailedforsomeconstantp2(0,1).ThenLemma 5.3.1 follows. Lemma5.3.1. Giventhatatmostdoutofmlinksinfailed,andthelinkfailureratefollowsani.i.dBernoullidistribution,theexpectedsizeofsubgraphswithatmost1linkfailureism d. Knowingthissizeupperboundforeachsubgraph,weaimtoaddressthelefttwoquestion.Wedeneav-SpangraphandL-degreeforeachvertexv,andadoptagreedystrategy. Denition5.3.1. (v-Spangraph)GivengraphG=(V,E)andconstantd<
PAGE 104

Algorithm8TDD(tree-decompositionbaseddetection) 1: Input:GraphG=(V,E)andconstantd. 2: Output:ThesetFoffailedlinkset. 3: 4: F ;; 5: /*Decomposethegraphintoasetofedge-disjointtree-subgraphsT=fT1,T2,,Td,,Trg*/ 6: T ;; 7: Vs V;.localpriority. 8: whileE6=;do 9: Findthev-Spangraphofeachvertexvas(v)(theymayoverlap). 10: ifVs==;then 11: Vs V;.ifnoabandonedverticesleft,thegreedyselectionscopeisthewholegraph,otherwiseonlywithinthesetofabandonvertices. 12: endif 13: 14: ForalltheverticesinVs,sortthembytheirL-degreeinanon-decreasingorderasv1,v2,;.greedyonL-degree 15: T T[(v1);.usethev-Spangraphoftherstvertexinthisorder 16: E EnE((v1));.edge-disjoint 17: Vs Vsnfv1g;.updatethesetofabandonedvertices 18: Vs Vs[newabandonedverticesinndingv-Spanforv1. 19: endwhile 20: 21: /*Localizesingle-linkfailureoneachtree-subgraph*/ 22: Runasingle-linkfailurelocalizationalgorithmHA(Ti)oneachtree-subgraphTiwithi=1,rinparallel. 23: ifHA(Ti)returnsonefailedlinkethen 24: F F[feg; 25: endif 26: 27: returnFailedlinksetF iteratethisprocesstillthenumberofedgesin(v):E((v))=m d. Denition5.3.2. Foranyvertexv,theL-degreeofvisD((v))+logjE((v))j jE((v))j ThisL-degreeservesasthemeasureinourgreedystrategyfordecomposingthegraph.Specically,weiterativelychooseavertexwiththeminimumL-degree,andtakingitscorrespondingv-Spangraphasatree-subgraphtillthateachedgeintheoriginalgraphiscoveredinexactonetree-subgraph. 104

PAGE 105

Therearethreedetailstobenoticedinthisscheme.First,thethirdstepinformingv-Spangraph(Denition 5.3.1 )isacycle-breakoperation,whichisusedtoavoidisolatededge.Anisolatededgereferstotheoneallofwhoseneighboringedges(thosesharingendpointswiththisedge)havebeenincludedinsometree-subgraphalreadyinthedecomposingprocess,inwhichcasewewillhavetouseanothertree-subgraphtocoverthissingletonedgeandapath-trialonlyconsistingofit,whichisquiteluxury.Second,Vsatline7inTDD(Alg. 8 )isintroducedtoprovidelocalpriorityandavoidabandonedvertex.Abandonedverticesrefertothosewhichhavebeenvisitedbythespanningprocessofpreviouslychosentrees,butnotincluded.Inotherwords,theyareinvolvedwithcyclesandruledoutbythecycle-breakoperation.Itiseasytoseethatnormallyvertexwithsmallnode-degreehasalargeL-degree,thereforetheseabandonedverticesgetlesslikelytobechosenforspanningatree-subgraphasmoreandmoreedgesareremovedfromthegraph.Theywillbecomesmallleftoverfragmentsifweonlyspanthetree-subgraphfromverticeswithglobalsmallestL-degree.Similartothecaseofisolatededge,thisdecompositioncanbequiteinefcient.Therefore,theseabandonedverticeswhichareclosedtothepreviouslyselectedsubgraphareincludedinasetVsandgivenhigherprioritiestobeselected.Third,thedenitionofL-degreereectsthecostofthesingle-linkfailurelocalizationalgorithmineachtree,astobeexplainedlater. Althoughthedetectionofv-Spantree-subgraphsisaniterativeprocess.Fornetworkswithxedtopology,thisisanoff-linealgorithmwhichmeansallthepath-trialscanbepre-calculatedfortheneedofreal-timefailurelocalization. 5.3.2Single-LinkFailureLocalizationonTree-subgraphs Thereareplentyofexistingalgorithmsforsingle-linkfailurelocalization,e.g.depth-basedmethodin[ 29 ]andRCAmethodin[ 61 ].Generally,theyallcanbeusedassubroutineforthesecondstepofourTDDalgorithmframework.Inthischapter,we 105

PAGE 106

employthedepth-basedalgorithmproposedbyHarvey[ 29 ](denotedasHA(G)ongraphG)fortreegraph. Thealgorithmcanbesketchedintwosteps:rstrandomlypickarootfromthetree,andtestlevelbyleveltolocalizethelevellwherethefailurehappens;secondusethealltheedgesinlevel0,,l)]TJ /F6 11.955 Tf 12.15 0 Td[(1ashubstolocatethesinglefailureinlevell.Therearetwodepthsdenedforeachedge,tohandletheheavilyunbalancedtrees:depthreferstothenumberofnodesinthepathfrometotheroot;light-depthreferstothenumberoflightedgesonthatpath.Bydeningtheweightofnodeasitsnumberofchildren,apathfromanodetoitsheaviestchildisaheavyedge,otherwiselightedge.Alltheedgesofthesamedepthorlight-depthisincludedinasubtreetraversedbyatrial.WithregardtothetreeinFig. 5-3 ,where(1,0)meansadepth1andlight-depth0.Assumeedge(b,f)fails,itcanbelocalizedbytheabove3trialsalongwiththedepthinformation.Itscomplexityisstraightforward. Lemma5.3.2. ForanytreeG,whenthenumberoffailureedgesd=1,wehavetheminimumnumberoftrialsL(G)asL(G,1)=O(D+logm) wherem=D(G)andm=jE(G)j. Proof. IttakesatmostDtrialstolocatetherstlevelwithfailures,andthebinarysearchwithinthislevelwilltakeatmostO(logm)trials. ItcanbenoticedthatthedenitionofL-degreereectsthecostineachtree-subgraph,accordingtoLemma 5.3.2 .Withdifferentsinglefailurelocalizationsubroutineused,thisdenitioncanbeadaptedaccordingly. 5.3.3RedundantTree-Subgraphs Asisshown,ifeachofthetree-subgraphcontainsatmostonefailedlink,thelocalizationcanbecompletedwithinasingleiteration.Otherwise,themultiple-linkfailurescontainedbyasinglesubgraphbecomefalsenegativeones(positiveitems 106

PAGE 107

Figure5-3. SingleLinkFailureLocalizationonTrees diagnosedasnegative).Itisnaturaltofurtherdiagnosisthesesubgraphsaftertherstiterationoflocalization.However,fornetworkswithlonggeographicdistancesbetweennodepair,andthuslargetransmissionlatency,thetradeoffintimecomplexityofmulti-iterationlocalizationisnotworthwhile. Weresorttoredundanttree-subgraphstoaddressthisproblem.Theredundantsubgraphsshareedgeswiththoseselectededge-disjointtree-subgraphs.Inanotherword,wegeneratemorev-Spangraphstoprovideredundantpath-trials.Sincethemostinefcientpartofthetree-decompositionschemeliesinthoseisolatededgesorsmalltreeswithfewedges,weselectanothersetoftree-subgraphstocoveralltheedges,whicharespannedfromverticeswithsmallnode-degree. 5.4Alocalizedalgorithmforlarge-scalenetworks Sincemostofexistingfailurelocalizationschemesarecentralizedorrequiringexcessivelocalmessageexchange,theyareinefcientforindustrialimplementationandmaintenanceinlarge-scalenetworks.Withoutanycentralcontrolsandarbitrarymonitoringlocations,thelocalizationproblembecomesmorechallengingandisbeyondthecapabilityofourcentralizedtree-decompositionmethod.Moreover,duetothe 107

PAGE 108

transparencyrequirementoftheberdata-connections,monitorsmayonlybeplacedatspeciclocations,soeverypath-trialwillberestrictedatbothends,andevenO(jEj)trialscannotprovidereliableresults. Inordertosolvethisproblem,weprovidealocalizedrandomwalkbasedalgorithm,whichrequiresnegligibleimplementationexpenseandresultsingreatperformance.Thekernelofthisschemeisaconceptofd-disjuntmatrix[ 16 ],whichoriginatesfromgrouptestingtheoryandperfectlymatchesthelocalizationproblem.Furthermore,weembedalocalrarestrststrategytoenhancetheperformanceofthescheme. 5.4.1RandomWalkbasedAlgorithm Ad-disjunctmatrixisabinarymatrixMwherewithinanycombinationofd+1columns,foreachsinglecolumnc0andtheotherdcolumnsc1,,cd,thereisatleastonerowrwithM[r,c0]=1andM[r,ci]=0foralli=1,d.Duetothesimpledecodingmethodofthismatrixkind,ithasbeenwidelyappliedtotheanomalylocalizationoutofvariouslarge-scaleinstances.Inthecontextoflinkfailurelocalization,assumethenumberoflinkfailuresisupperboundedbyd,weleteachcolumnofthematrixrepresentalink,andeachrowrepresentasetoflinks.Ifeachrowformsapath-trial,sinceanygoodlinkwillexistinatleastonepath-trialwithnegativemonitoringresults(noanomalydetected),guaranteedbythepropertyofMmentionedabove,byeliminatingallthelinkscontainedbynegativepath-trials,wecanidentifyalltheleftoverlinksasfaultyones. Theimplementationofthisideaisnon-trivial,sincerstlytheconstructionofd-disjunctmatrixitselfisquitechallenging[ 16 ],yetrestrictingalltherowsaspathsonthegivengraphmakesitevenmoredifcult.Inthischapter,weprovidearandomwalkbasedschemewhichreturnsafeasibled-disjunctmatrixonthegraph,andthusasolutiontolocalizethefailures.WereferitasR-walk,asshowninAlg. 9 108

PAGE 109

Algorithm9R-walk(RandomWalk) 1: Input:NetworkG=(V,E),atransmitters,receivert. 2: Output:ThelistFoffailedlinks. 3: 4: Eachlinkcontainsauniqueidentierwithin[1,,jEj]. 5: Thesetoffailedlinksismaintainedatt,initializedasF E,i.e.allthelinks. 6: LaunchapredenedR0numberofwavelengthsignalsfromsatthesametimeC0,whichisknownbyt./*ThevalueofR0iscritical.*/ 7: Eachnodeforwardsitsreceivedsignalsrandomlytoanincidentlink,andattachesthelinkidentierinaheaderofthesignal. 8: twaitsforapredenedlengthoftime,retrievesfromeachsuccessfullyreceivedsignaltheidentierofeachtraversedlink,andexemptsthemfromF. 5.4.2CorrectnessandComplexity Fromthefollowinglemmas,wecanseethatwithregardingtheseR0path-trialsasrows,theywillformad-disjunctmatrixwithahighprobability.Basedonthedenitionofd-disjunctmatrix,eachgoodlinkwillbetraversedbyatleastonepath-trial,whichdoesnotgothroughanyofthedfailedlinks.Therefore,allgoodlinkswillbeexemptedfromthefailedlinklist.Thefollowinglemmasrevealthatwithahighprobability,thepath-trialstakenbyAlg, 9 formad-disjunctmatrix. Lemma5.4.1. GiventhatGisnotbipartite,thestationarydistributionoftheedgerandomwalkis(y,z)=1 2jEjforany(y,z)2E. Proof. DenotethetransitionmatrixasP,itisstraightforwardthatP((x,y),(y,z))=1 deg(y)forthetransitionprobabilityfromedge(x,y)toedge(y,z).Thereforethedistributiononanyedge(y,z)is(PT)(y,z)=Xx:(x,y)2E1 deg(y)1 2jEj=1 2jEj Basedonthisstationarydistribution,wefurtherinvestigatetheprobabilityofawalktraversingaspecicvertexbutnotanydothers.Duetothespacelimit,weonlyprovidetheconclusionandomittheproof,whichissimilartothatin[ 12 ]. 109

PAGE 110

Lemma5.4.2. AnyrandomwalkWwithlengthtpassesanysingleedgee2Ewithprobability(t jEjT(jEj))whereT(jEj)isa(1 4jEj)2-mixingtimeofG,i.e.,thesmallestlengtht0ofrandomwalkswhichendsupwithadistribution0ask0)]TJ /F11 11.955 Tf 11.96 0 Td[(k1(1 4jEj)2. Lemma5.4.3. Givenanyanedgee,anedgesetSEwithe=2SandjSjd,theprobabilitythatanyedgerandomwalkinR-walkpassesebutnotanyedgesinSis(1 d2T4(n)). Theorem5.4.1. BychoosinguptoR=O(d3T4(jEj)log(jEj=d))randomwalks,theconstructedmatrixMisd-disjunctwithprobability1)]TJ /F3 11.955 Tf 11.95 0 Td[(o(1). Remark:Sincesocialnetworkswithpower-lawtopologyareclaimedtobefastmixing,i.e.,O(logn)-mixingtime,R=O(d3log4(jEj)log(jEj=d))isenoughtoapproachthed-disjunctness. 5.4.3LocalRarestFirst Theorem 5.4.1 providesacomplexityupper-boundofthisalgorithm.WecanfurthermoreimprovethisalgorithmbyaLocalRarestFirststrategyusuallywhichisfavoredbyBit-torrenttechniques.Theideaistosetupacounter(e)foreachedgee,whichstandsforthenumberofdifferentwalksthathavetraversedit.Insteadofrandomlychoosingoneincidentedgeforthenextstep,eachwalkchoosestheonewiththeminimumcounter,calledraresttoproceed.Theimplementationforthisisquitesimple,sinceeachnodeisonlyrequiredtomaintainthecountersofallofitsincidentlinks,andforwardthesignalstotherarestlink. Thepurposeofthisschemeistospanthewalksoverthewholenetworksinaminimumlatency.Infact,thisadaptationtothealgorithmR-walkstillkeepstheupperboundinTheorem 5.4.1 ,thoughunnecessarilytight.Itiseasytoseethatifthecountervaluesofalltheedgessharingthesameendpointcometothesame,theneach 110

PAGE 111

ofthisedgehasbeentraversedbythesameamountofpath-trials,whichcoincidestheexpectedoutcomeoftherandomwalk. 5.5SimulationResults Asmentionedabove,ourworkistherstattempttosolvethemulti-linkfailurelocalizationproblemongeneralgraphs,withminimizingthenumberofpath-trials.Therefore,inthiscurrentversion,wedonotcomparetheperformanceofthetwoschemeswiththeexistingsolutions,i.e.,(k+2)-edge-connectedsubgraphbasedMP/MCalgorithmin[ 1 ]withadifferentobjectivefunction(minimizingthenumberofmonitoringlocations);ILPandRCA-basedsolutionsaddressingasubproblem(onlysingle-linkfailure)in[ 71 ]and[ 61 ]respectively.Instead,wepresenttheexperimentalevaluationsovertheperformanceofoursolutionsfordifferentnetworkscenariosintermsofnetworksizes,topologiesandlinkfailurerate.ThesimulationisimplementedbyC++ontheVisualC++2005platform,andexecutedonaWindowsPCwith4GBRAM.Alltheresultsareaveragedvaluesfrom100instances. 5.5.1TheCentralizedAlgorithm TDDisdesignedfornetworkswithmoderatesize,thereforeweadoptonerealnetworkARPANETwithn=20vertices,m=32edges,aswellasthreegeneratednetworkswithn0=100vertices,m0=1000edges,whichfollowErdos-Renyi,Power-Law[ 47 ]andWaxman[ 67 ]modelsrespectively.TheresultsareincludedinFig. 5-4 wheretwomeasures:theratio=T mi.e.,numberofpath-trialsovernumberofedgesandtheratioofcorrectlylocalizedfailedlinksareinvestigated,asthelinkfailurerated=m2[1%,9%]. EffectofRedundantTree-subgraphs.Theintroductionofredundanttree-subgraphsdramaticallyenhancesthelocalizationefciency.Asisshown,withoutredundancy,ARPANETrequireslessthan0.4m=12path-trialstolocateupto3failureswithsuccessprobabilitygreaterthan90%,whilefortheserandomnetworks,TDDrequiresaround0.3m0=300path-trialstolocateupto90failureswithsuccessprobabilitygreater 111

PAGE 112

than60%.Ontheotherhand,withredundanttree-subgraphs,ARPANETcostsaround10%morepath-trialsandthesuccessprobabilityisslightlybetter.ThisisbecausethenumberoflinkfailuresinARPANETisnotlargerthan3,sotheprobabilityofeachtree-subgraphfromT-divcontainsnomorethanonefailedlinkisquitehigh.SotheredundancyhelpslittleforARPANET.However,fortherandomnetworks,withatrade-offofaround25%m0=250morepath-trials,thesuccessratestaysabove90%forupto90failures.Thenumberofpath-trialsusedonlyaccountsisupto0.6m0,whichisO(jEj),butitismuchmoreefcientthanconvectionalschemeswhereeachlinkisamonitor.Sincemultiplepath-trialssharevertices,whichcanbeusedasmonitoringlocations.ThenumberofmonitoringlocationsisfarlessthanjVj.Howtooptimizethenumberofmonitoringlocations,fortheseselectedpath-trialswillbeourfuturework. EffectofLinkFailureRate.Anincreasingnumberoflinkfailuresbringsupthedifcultyofthelocalization,however,weconcludethatthelocalizationcomplexityisalmoststableasd=mincreasesfromtheexperimentalresults.AsshowninFig. 5-4C andFig. 5-4D ,thenumberofpath-trialskeepsbelow0.6m0=600withthegreaterthan90%,asthefailurerateincreasesfrom0.01to0.09. EffectofTopologyVariation.Resultsforthethreetopologymodelsaredifferentduetotheirvariationofthenode-degreedistribution.ComparedtoErdos-RenyiandWaxmanmodel,Power-Lawmodelhasalargerdegreevariation,whichresultsinmanylow-degreenodesandisolatededgesinthetree-decompositionprocess.Therefore,withoutredundanttree-subgraphs,thepower-lawnetworkhasrelativelylowersuccessprobabilitythanothers,whilebyincludingredundantsubgraphsspannedfromlow-degreenodes,thenumberofisolatededgesisdecreased,anditssuccessprobabilityincreasestothesamelevelwiththeothers. 5.5.2TheLocalizedAlgorithm Toinvestigatetheperformanceofthelocalizedalgorithm,wetestitonlarge-scalerandomsparsenetworks,whicharegeneratedfollowingthePower-lawmodelwith 112

PAGE 113

ATDDwithoutredundancy BTDDwithoutredundancy CTDDwithredundancy DTDDwithredundancy Figure5-4. PerformanceofTDD(Tree-DecompositionDetection)centralizedalgorithm averagenode-degree2and3.Ononehand,wegraduallyincreasethesizeofR0andstopwhentheaveragefalsepositiverateis5%orlower(Accordingtothedecodingalgorithmofd-disjunctmatrix,allintactlinksareidentiedandallleftoveronesarediagnosedasfailures,sofalsenegativeratiois0,thisisdifferentfromTDD).Ontheotherhand,forthesetofrandomwalkspassingnofailedlinksamongtheseR0ones,wealsochecktheiraveragelength,whichhelpsthereceivertodecidehowlongitshouldwaitforasignaltoarrive,orregarditasafailure.Therefore,itreectstheonlinetimecomplexityofthisalgorithm.Weinvestigatetherobustnessofthealgorithmtoincreasingnetworksizeintermsofthenumberoflinksmandlinkfailureratedenedasd=masabove.Foreachnetworkinstance,wextwoverticeswiththelargestnode-degreeasthetransmitterandreceiver. 113

PAGE 114

Anumberofpath-trialsbynetworksizem Bupperboundd2logm Croughupperbounddlogm Daveragetriallengthbynetworksizem Figure5-5. ScalabilityofR-WalklocalizedalgorithmtoNetworkSize Upperboundonthenumberofpath-trials.Wegeneratenetworkswitharangeof500to2500nodes,respectively1000to5000links.Thefailurerated=missetto5%whichislargerthannormalcases.R-WalkisdifferentfromTDDinthatthenumberofpath-trialsispre-dened,sowevarythisvalueandchecktheresultedlocalizationsuccessrate.AsshowninFig. 5-5A and 5-6A ,asthenetworksizeorthefailurerateincreases,therequirednumberofpath-trialstolocalizethelinkfailuresisincreasingaswell.Thisisinevitable,sincethemorelinkfailureswehave,theharderthelocalizationis.However,fromFig. 5-5B and 5-6B ,wecanseethattheexpenseismuchsmallerthand2logm,whichisthetheoreticalupperbound[ 16 ]ofthenumberofrowsofthed-disjunctmatrix,i.e.thenumberoftrialstolocatedfailureswithoutthegraphconstraint,letalonethetheoreticalboundd3log5masinLemma 5.4.1 .Furthermore,fromFig. 5-5C and 114

PAGE 115

Anumberofpath-trialsbyfailurerated=m Bupperboundd2logm Croughupperbounddlogm Daveragetriallengthbyfailurerated=m Figure5-6. RobustnessofR-WalklocalizedalgorithmtoLinkFailureRate 5-6C ,wecanobtainaroughupperboundas#path-trialsfordfailuresinmlinks=cdlogm wheretheconstantfactorcislessthan5foranetworkwithupto5000linksand250failedones. Averagelengthofeachnegativepath-trial.Ononehand,asshowninFig. 5-5D ,theaveragenegativetriallengthincreasesfromaround30to100asthenetworksizeincreasesfrom1200to5000links.Sinceweonlyhaveapairoftransmitterandreceiver,theirdiametercanbeaslargeasthediameterofthegraph,whichincreasesasthegraphgetslarger.Basedonthis,thetransmittercanusethemaximumtransmissiontimeof100hopsasthedeadlinefortheWDMsignals.Ontheotherhand,Fig. 5-6D 115

PAGE 116

showsasmorelinkswithinthesamenetworkfail,theaveragetriallengthalmostkeepsthesameatround35foranetworkwith1000links. EffectofTopologyDensity.AsshowninFig. 5-5A ,fromaveragenode-degreefrom2to3,theexpenseofthelocalizationincreases.Withadensertopology,alargeamountofrandomwalkswilltraversethesamesetoflinksorcycles,whichbringsdowntheefciencyofthepath-trials.However,itisstillboundedbyO(dlogm)andinthecaseofsmalld,thealgorithmcanalsohandledensenetworks. 5.6AdaptationtoAdditionalConstraints Inthissection,weconsiderthreescenariotypes,k-par,q-failandd-unknown,wherethersttwoarerelativelyeasieryetthelastoneisquitechallenging.Thecasesinrealnetworkscouldbeamixtureofthesethreetypes.Forsimplicity,weonlyconsiderthemindividuallyandleavethecomplicatedcaseforfurtherwork.Duetothespacelimit,weonlyprovidethesimulationresultsoftheseadaptationtotherandomwalkalgorithmforlarge-scalenetworks,yetforTDDonmoderatesizednetworks,weonlysketchtheadaptationidea. 5.6.1Case1:k-par k-parreferstothecasethateachWDMlink(notincludingout-edgesofsandin-edgesoft)canonlybetraversedbyinatotalofkpath-trials.AlthoughthecapacityofWDMlinkreferstothemaximumnumberofsignalsitcansimultaneouslysupport,sinceunexpectedtransmissiondelaysalwayshappen,wecanpreciselypre-determineneitherthetime-lineofeachsignal,northesetofsignalstraversingthesamelinkatanytime-point.Sinceanoverloadatanysinglelinkmayruintheoveralllocalizationresult,westrengthentheconstraintonthelinkcapacityandupperboundthetotaltrialquantitytraversingeachlink,insteadofsimultaneousones. Itiseasytoadaptouralgorithmstothiscase.ForTDD,afterlocatingthev-Spangraphforeachvertexv,sincethepath-trialsoneachtreearedeterministic,theloadofeachlink(thenumberoftrialstraversingit)isalsoknown,andwecanlabelthelinks 116

PAGE 117

withheavyload(>k).Byavoidingselectingthesetree-subgraphswithheavyloadlinks,thealgorithmisfeasible.Ontheotherhand,forR-Walk,sincethesoletransmitterandreceiverhaveinevitabletransmissionload,wedonotconsiderthisconstraintontheedgesoutgoingfromthetransmitterorenteringthereceiver,butitappliestoalltheotheredges.Straightforwardly,thresholdonthetrialcounterusedforourlocalrarestrststrategyaddressesthisproblem.Fig. 5-7A showsthatinaPower-Lawnetworkwithaveragedegree2,asthelinkfailureraterangesfrom1%to4.5%whenrestrictingthemaximumnumberpath-trialstraversingeachlinkask=18(accordingtothestandardofCWDM),therequirednumberofpath-trialskeepsalmostthesamewiththecaseofun-restrictedk.Whenthefailurerategrowsbiggerthan4.5%,werequiremorepath-trialssincetheconstraintonkstartstodisqualifysomerandomwalks.Asthefailurerategrows,thegapcouldbebigger,butsincemostrealnetworkshaveasmallerfailureratethan5%,thesolutionisgenerallyfeasible. 5.6.2Case2:q-fail Inthecasethatthewavelengthsignalsofsomepath-trialscanstillpasssomefailedlinks,falsenegativerateincreases.Assumethateachfailedlinkcanneversupportmorethanqwavelengths,thenthecerticateofagoodlinkistoappearinatleastq+1negativepath-trials.Therefore,forTDD,byduplicatingeachpath-trialby(q+1)differentwavelengthsignals,i.e.with(q+1)min((D(G)logm),(D(G)+log2m))path-trials,allthefailurescanbeunambiguouslylocalized. Ontheotherhand,forR-Walk,theerror-tolerant(d,q)-disjunctmatrixwhichcanbeusedtolocalizedpositiveitemsinthepresenceofqerrortests,comesintopicture.Moreformally,itisrequiredthateachcolumnCihasatleastq+1differentrowsrjwhereM[rj,ci]=1andM[rj,ck]=0foranyotherdcolumnsckwithk6=i. 117

PAGE 118

Aperformancefork-par Bperformanceforq-fail Clocalizationerrorrateford-unknown Dnumberofpath-trialsusedford-unknown Figure5-7. Performanceofadaptationtovariousconstraints ThroughthesameinductionasinSection 5.4 and[ 12 ],theR-walkalgorithmforhandlingthisscenariorequires2q2d3log4(m) 1)]TJ /F6 11.955 Tf 11.95 0 Td[(2q 4q log(m=d)+1+2q i.e.,O(qd3log4m),path-trialsintheworst-case.AsshowninFig. 5-7B ,whenqincreasesfrom1to5,thecostincreasesatmostby4times(whend=m=7%),whichmatchesthederivedbound.However,thecurveforq=10almostcoincideswiththatforq=5,sowhenqisbiggerenough,itsinuenceoverthenumberoftrialsisnegligible.Therefore,R-walkisfeasibleforvariousvaluesofq. 118

PAGE 119

5.6.3Case3:d-unknown Whenthenumberoffaultylinksisunknown,alltheexistingsolutionsfailattherststep.Therefore,howtoestimatethisvaluehastosolvedbeforehand.Trial-and-errormethodsareinapplicablesincethelonglocalizationlatencyisnotaffordable,whilesimpleguessoverdmayresultinanunnecessarylargevalue,whichdrawstoomanypath-trials. Sincethefailurelocalizationprocedurewillnotkeeprunningallthetime,theeventthattriggersitcouldbesomeanomaliesdetectedatthenetwork,forexample,thethroughputorPDR(packetdeliveryratio)betweenspecicnode-pairsharplydecreases.WesimplydenotethismeasurefortheglobalnetworkGasM(G),andassumethatthelocalizationprocedureistriggeredwhenM(G)fallsbelowspecicthreshold.Apparently,M(G)isrelatedwithsomefunctionregardingwiththegraphtopology.Therefore,itispossibletoinvestigatethegraphtopologyintheoff-linesteptoprovideanestimationoverdcorrespondingtotheM(G)value.Sinceourworkisorthogonalwiththisdetectionphase,butfocusesonthelocalizationstep,forsimplicity,weformulateafunctionpairwiseroutingconnectivityCONN(G)=Xs,t2V(s,t)wheretheroutingconnectivity(s,t)betweenanynodepair(s,t)isdenedasfollows: Denition5.6.1. Anypathswithoutafailedlinkarecalledoperationalpaths.Givenanodepair(s,t)andasetofroutingpathsQ(s,t)predeterminedintheroutingtable,theroutingconnectivity(s,t)is:(s,t)=8>><>>:1,ifatleastonepathinQ(s,t)isoperational0,otherwise Therefore,CONN(G)referstothecommunicationabilitybetweenanynodepairinthepresenceofthelinkfailures. 119

PAGE 120

Basedonthisobservation,weresorttoanavg--disruptorproblem,whichndsanaveragesizeofedgesetwhosedeletionfromthegraphmakesCONN(G),toapproachthesizeofthereallinkfailures.Specically,foranetworkwithCONN(G),werstguessavaluedxasthenumberoffailures,randomlychoosedxlinksasfailuresandcheckifthecorrespondingCONN(G),ifnot,increasedxtillthisissatised.Foreachnetworkinstance,weobtainanestimateddxbyaveragingtheresultsof100executions.WeinvestigateitsperformanceonaPower-Lawnetworkwithm=1000linksandanincreasingfailureratiofrom1%to9%,usingtheR-Walkalgorithm.AccordingtothesimulationresultsinFig. 5-6C ,5dlogmpath-trialsisenoughforthenetworkswiththesamesize,topologydensityandfailurerate,soweuset=5dxlogmpath-trialstocheckthelocalizationerrorrate(Fig. 5-7C )andthecostratiooverthetheoreticalbound(Fig. 5-7D ).Therefore,atleast90%failedlinkscanbecorrectlylocalizedandthenumberofpath-trialsalmostapproachestheoneinthecasewithknownd. NoticethatweintroduceCONN(G)toillustratetheframeworkforestimatingd,butitisnotlimitedtothisandcanbeappliedtovariousM(G). 5.7Summary Inthischapter,wepresenttwoefcientpath-trialalgorithmstotacklethemultiplelinkfailurelocalizationprobleminall-opticalnetworks.Thecentralizedtree-decompositionmethodcatchesallthelinkfailureswithhighprobabilityformoderatesizednetworkswithun-restrictedmonitoringlocations,andthelocalizedrandom-walkbasedalgorithmhandleslarge-scalenetworkswithsingle-pairmonitoringlocation.Forimplementationpurpose,wealsoconsidervariouspracticalconstraintsandincludeadaptationstoourschemecorrespondingly.Theseadaptations,especiallytheoneforunknownfailurequantity,provideageneralsolutionframeworkassociatedwithnetworkvulnerabilityassessment,whichcouldenlightenthefurtherresearchesanddevelopments.Sincetheprincipleoftheprovidedsolutionsmatchesthegrouptestingtheory,theyarealso 120

PAGE 121

capableforanomalydetectionprobleminvariousnetworktypes,notlimitedinall-opticalnetworks. 121

PAGE 122

CHAPTER6AGRAPH-THEORETICQUALITY-OF-SERVICEAWAREVULNERABILITYASSESSMENTFORNETWORKTOPOLOGIES Networktopologyvulnerabilityattractsmoreandmoreattentionssincethelastdecade.Assummarizedin[ 15 ],numerousevaluationmetricshavebeenproposedforthispurpose,mostofwhicharerelatedwiththenetworkconnectivity,specically,howfragmentedthenetworkitisinthepresenceoffailures.However,toourbestknowledge,noneofthemtakethenetworkqualityofservice(QoS)intoconsideration.Inthischapter,weobservethatevenbeforethenetworkbeingfragmentedintopieces,itsQoSmayalreadydroptoanintolerantlowlevel,andthenetworkcannolongerprovideservices.Tothisend,wepresentanovelQoS-awarevulnerabilityassessmentframework. QoS-awaretopologyvulnerabilityiscriticalfortheInternet.AstheInternetservesasthemaincarrierofmoreandmorereal-timeapplications,ithastosatisfyseveralQoSmeasureswithpredenedthresholds,whichincludejitter,delay,bandwidth,packetlossandetc.PlentyofQoSroutingprotocols,e.g.,Q-OSPFandPNNI[ 5 ],havebeendevelopedtomeettheserequirements.Inpracticalnetworks,malfunctionsoftentakeplaceatintermediatenetworknodes/linksforrouting,consequently,eventheoptimalroutingpathfromsourcetodestinationcansatisfyfewoftheQoSconstraints.Inthiscases,onlyimprovementsoverroutingprotocolscannotenhancetherobustnessinunreliablenetworkenvironments.Therefore,weareinterestedinstudyhowmanynode/linkfailuresarerequiredtobreakdownthenetworktosuchanextent.Noticethateventhesubproblemofthisstudy,detectinganoptimalroutingpathsatisfyingasetofQoSconstraints,isnontrivial. Inpracticalapplications,theconstraintsthataresatisedbytheQoSoptimalroutingpathcanbecategorizedintoadditiveandnon-additiveones.Specically,jitter,delayandpacketlossofaroutingpatharethesumofeachmetricoverallthelinksbelongingtothispath.However,constraintslikebandwidtharenotadditivefromedgetoedge,butmin/maxormultiplicativefunctions.Inprinciple,multiplicative 122

PAGE 123

measurescanbeconvertedintoadditiveonesinalogarithmicmannerandmin/maxnon-additivemeasurescanbesatisedbyrulingoutalltheunsatisedsinglelinks.Therefore,classictheoreticalstudiesovertheQoSroutingarenormallyformulatedasamulti-additive-constraintpath(MCP)problem[ 36 ][ 37 ][ 53 ]:ConsideranetworkG(V,E,s,t)withdesignatedsourcenodes,destinationnodet,andmadditiveconstraint(c1,,cm),whereeachedge(u,v)2Ehasmadditiveweightswi(u,v)0,i2[1,..,m].FindapathPfromstotwithwi(P),X(u,v)2Pwi(u,v)Ciforalli2[1,m],ifitexists. MCPhasbeenshowntobeNP-completebutnotstronglyNP-complete[ 37 ],thusitistractableforpracticalnetworksizes.Xueet.al[ 77 ]proposedapproximationalgorithmstowardsthisproblemandseveralothervariants,howeversinceMCPismerelyasubproblemofourassessment,todecideifagivensetofnode/linkisafeasiblesolutiontoourproblem,theapproximationratiotoMCPcannotbegrafted.AssummarizedbyKhadivietal.in[ 33 ],plentyofmixed-metricbasedheuristicshavebeenproposedtotackleMCP,however,anyinaccuraciesbroughtbytheheuristicswillpossibleprovideasolutionsetthatisfarfromoptimaltoourproblem.In[ 40 ],Lietal.modiedclassicdynamicprogrammingalgorithmforMCPandprovidedafastexactsolutionbyeffectivelycompactingthesearchspace.However,astobefurtherdenedlater,thepathsstudiedinourproblemarenotlimitedtothosesatisfyingallgivenconstraints,butmaysatisfyonlyasubsetofthem.Therefore,itismuchmorechallengingthanMCP. Thepurposeofvulnerabilityassessmentistodiscovertheweaknessoftheobjectnetworktopology,whoseresultcanbeappliedtooptimizingnetworktopologydesign,enhancingnetworkrobustnessordestroyingterroristnetworks.Werefertotheseweaknodes/linksascriticalnodes/links,specically,theminimumsetofnodes/linkswhose 123

PAGE 124

failurecanbringdownthenetworkQoStoacertainlowlevelarecalledQoScriticalnode/linkset.Therefore,giventwonetworksofthesamesize,theonewhichhasasmallerQoScriticalnode/linksetisofcoursemorevulnerable.Inthischapter,wemeasurethenetworkQoSbytheoptimalQoSsource-destinationroutingpath,whichsatisfythemostQoSconstraintsoverallroutingpaths.ByrequiringhowmuchsuchanoptimalpathsatisesthemultipleQoSconstraints,weputathresholdonthenetworkQoSanddiscovertheQoScriticalnode/linksetcorrespondingly. Ourcontributionsinthischapterare:(1)providetherstgraph-theoreticQoS-warevulnerabilityassessmentmethod;(2)abstracttheassessmentproblemasagraphoptimizationproblemandstudyitshardness;(3)presentoneexactsolutionandtwoefcientheuristicalgorithmsforgeneralnetworkcases. Therestofthischapterisorganizedasfollows.NotationsandtheproblemmodelareincludedinSection 6.1 ,whereanintegerprogramandpreliminaryhardnessdiscussionsarealsopresented.Weincludeanexactalgorithmusingbranch-and-boundandparetooptimalityinSection 6.3 .Anear-optimalsolutionforanetworkwithsmallconstraintquantityandanefcientbetweenness-basedheuristicforgeneralnetworksareintroducedinSection 6.4 .ExtensivesimulationstudiesovertheperformanceoftheproposedassessmentalgorithmsarepresentedinSection 6.5 .Section 6.6 summariesthewholechapter. 6.1ProblemModel Thesystemdenitionofthisproblemis:givenanetworkwithseveraladditiveQoSmeasuresandadesignatedsource-destinationpair,thereexistsasetofsource-destination(s)]TJ /F3 11.955 Tf 13.13 0 Td[(t)paths,eachofwhichsatisestheconstraintsofsomeofthesemeasures.Eachmeasureisassumedwithdifferentcredits(forexample,delayismuchmoreimportantthanothersinreal-timeapplications),thensatisfyingtheconstraintonthemostsignicantmeasurewillearnagreatestcreditforthesource-destinationpath.Therefore,thelevelofsatisfyingmultipleconstraintsbyeachpathisquantiedasa 124

PAGE 125

credit,whichwecallsatisfactoryscoreofthespecicpath.Withathresholdonthissatisfactoryscore,ans)]TJ /F3 11.955 Tf 12.24 0 Td[(tpathiscalledQoSoperational.AnetworkfailsifQoSoper-ationals)]TJ /F3 11.955 Tf 12.18 0 Td[(tpathcanbefound.Henceforth,bycheckinghowmanynode/linkfailuresagivennetworktopologycantolerantbeforeitfails. ThisevaluationprocesscanbeabstractedintoagraphoptimizationproblemcalledQoS-CriticalVertices(QoSCV)/QoS-CriticalEdges(QoSCE)asfollowing. GivenadirectedgraphG(V,E,s,t)withm-dimedgeweightvector(u,v)2E:(w1(u,v),w2(u,v),,wm(u,v)).Theweightvectorforeachs)]TJ /F3 11.955 Tf 12.2 0 Td[(tpathPisdenedasW=(w1(P),w2(P),,wm(P))wherewi(P)=P(u,v)2Pwi(u,v)foralli2[1,,m].GivenaconstraintthresholdvectorC=(c1,c2,,cm)withcorrespondingcreditvector=(1,2,,m),wedeneaSATscorefunctionFforpathPasF(P,C,)=g(W,C) where gi(W,C)=8>><>>:1ifwi(P)ci0otherwise(6) TheproblemQoSCEasksfortheaminimumsubsetSofE(eachedgehasauniformcostas1),whereF(P,C,)foranys-tpathPinG(V,EnS).ThedenitionofQoSCVissimilar. Thesolutionedges/verticesarereferredasQoScriticaledges/verticesrespectively.NoticethatQoSCVcanbereadilyconvertedintoanon-uniformcostversionofQoSCEthroughthefollowingconstruction:foreachvertexu2V,replaceuwithtwonewverticesu1andu2,thenaddanedges(v,u1)foreveryedge(v,u)2Eandanedge(u2,w)foreveryedge(u,w)2E.Setcost(v,u1)=+1,cost(u2,w)=+1,cost(u1,u2)=1,asshowninFig. 6-1 .Therefore,weonlyconsiderQoSCEproblemintheremainingofthispaper. 125

PAGE 126

Figure6-1. ConversionfromQoSCV(QualityofServiceCriticalVertex)toQoSCE(QualityofServiceCriticalEdge) minXe2E(1)]TJ /F3 11.955 Tf 11.96 0 Td[(Xe)s.t.Pmi=1YPii,8s)]TJ /F3 11.955 Tf 11.96 0 Td[(tpathPPe2Pwi(e))]TJ /F3 11.955 Tf 11.96 0 Td[(YPi+Pe2P(1)]TJ /F3 11.955 Tf 11.95 0 Td[(Xe)+ci,8i,PPe2Pwi(e)>1)]TJ /F3 11.955 Tf 11.95 0 Td[(YPi)]TJ /F9 11.955 Tf 11.96 8.97 Td[(Pe2p(1)]TJ /F3 11.955 Tf 11.96 0 Td[(Xe)+ci,8i,PXe2[0,1]YPi2[0,1] Figure6-2. IntegerProgrammingFormulation Wecanformulatetheproblemasanintegerprogram.Byintroducingseveralvariables:Xe=1ifedgeeisNOTremovedintheoptimalsolution,0otherwise;YPi=1ifas)]TJ /F3 11.955 Tf 12.02 0 Td[(tpathPhaswi(P)ci,0otherwise;alargeconstant=maxifPe2Ewi(e)g,wecandescribeQoSCEbythefollowingintegerprograminFig. 6-2 TherstconstraintdemandsthattheremaininggraphsatisestheSATscorethreshold.Thesecondconstraintdemandsthatw.r.tanyconstraint,foranypathP,ifnoedgeofPisremoved(Pe2P(1)]TJ /F3 11.955 Tf 9.64 0 Td[(Xe)=0)andPsatisestheithconstraint(YPi=1),thenwerequirewi(P)ci.Otherwise,wi(P)isunrestricted.ThethirdconstraintdemandsthatifnoedgeofPisremoved,andPdoesnotsatisfyconstrainti,thenwi(P)>ci.Itcanbeseenthatthenumberofconstraintsofthisprogramcanbeexponential,andthushardtobesolvedbystandardLPmethods.Furthermore,theproblemisNP-hardandcannotbeapproximatedwithafactor2evenwhenm=1,asshownnext. 126

PAGE 127

6.2Hardness QoSCEproblemisquitechallenginganditscomplexityclassisstillanopenissue.WendthatitdoesnotbelongtoNPclassanditcannotbeapproximatedwithafactorof2. Lemma6.2.1. QoSCEisnotinNP. Proof. GivenanedgesubsetSasacerticatetoQoSCEproblemongraphG,theprocessofverifyingthiscerticateequalstoanotherdecisionproblemQoS-SPontheremaininggraphGnS:doesthereexistapathP2GnSsatisfying(P)?ThisproblemisNP-CompletebyreductionfromMCP[ 37 ]problemwithletting=Pmi=1i.ThenifthereexistsasolutionfortheQoS-SPproblem,thenthepathisafeasiblepathtoMCP,otherwise,MCPhasnosolution. Therefore,thecerticateofQoSCEisnotveriableinpolynomialtime,thusnotintheclassofNP. Lemma6.2.2. QoSCEisNP-hardandithasno2-approximationalgorithmunlessP=NP. Proof. ConsideraspecialcaseofQoSCEwherem=1andtheproblembecomesanedgeblockerproblem:ndaminimumsetofedgestoremove,suchthats-tshortestpathislongerthanathreshold.ThisproblemhasbeenprovedasNP-hardin[ 4 ]andnotabletobeapproximatedby2byreducingfromvertexcover[ 6 ]. 6.3ExactAlgorithm Despitethenegativeresultsmentionedabove,forsparsenetworksofasmallsizewecanstillapproachtheexactsolutionusingabruteforcesearch,acceleratedbyacombinedmethodofbranch-and-boundandparetooptimality. Firstofall,aconceptofParetoOptimalPath(PO),whichistightlyrelatedtheproblemsofmulticonstraintshortestpath[ 36 ][ 37 ][ 33 ][ 53 ],issketchedasfollows. Denition6.3.1. ApathpisParetoOptimaliffpisnotdominatedbyanyotherpaths,i.e.theredoesnotexistsapathqwithwi(q)
PAGE 128

Algorithm10ParetoSearch 1: Input:directgraphG=(V,E),constant. 2: Output:aminimumsetofedgesSE. 3: 4: !sizeofmins-tcutofG;BupperboundofS 5: 6: foreveryedgee2Edo 7: ~(e) 0;B#ofPOs)]TJ /F28 10.909 Tf 10.91 0 Td[(tpathscontaininge,updatedbytheFindFeasiblePathfunction. 8: endfor 9: Sortalledgesase1,e2,ejEjwith~(ei)~(ei+1); 10: 11: r 1;BlowerboundforjSjinthebinarysearch 12: whilerdo 13: r+()]TJ /F28 10.909 Tf 10.91 0 Td[(r)=2; 14: nd[] false;set[] ;; 15: 16: L all-combinationofedges;B)]TJ /F8 7.97 Tf 5 -4 Td[(jEj 17: SortLasl1,,ljLjwithPe2li~(e)Pe2li+1~(e) 18: 19: forj 1tojLjdo 20: T Lj; 21: ifFindFeasiblePath(G,,T)=truethen 22: continue;Btrynextcombination 23: else 24: nd[] true;set[] T;break; 25: endif 26: endfor 27: ifnd[]=truethen 28: )]TJ /F27 10.909 Tf 10.91 0 Td[(1; 29: else 30: ifnd[+1]=truethen 31: returnset[+1]; 32: else 33: r +1; 34: endif 35: endif 36: endwhile 128

PAGE 129

Algorithm11FindFeasiblePath 1: Input:directedgraphG=(V,E),constant,at-subsetofedgesT. 2: Output:trueifsatisablepathsexist,falseotherwise.Update~(e)foreachedgee2E. 3: G G(V,EnT); 4: Bndtheweightlower-boundforanypathfromsANDfromeachvertexvtothedestinationt. 5: ConstructreversegraphG0=(V,E0)whereedge(u,v)2E0iffedge(v,u)2E. 6: forallverticesv2Vdo 7: useDijkstra'salgorithmonGandG0tond[LB1(s,v),LB2(s,v),,LBm(s,v)]and[LB1(v,t),LB2(v,t),,LBm(v,t)]whereLBiistheweightoftheshortestpathonithmetric. 8: V VnfvgifthesetofmconcatenatedshortestpathsthroughvstillhaslowerSATs-corethan;BrulingoutimpossibleverticesforPOpaths. 9: endfor 10: 11: BLv,[(W1(P1),W2(P1),,Wm(P1),prev(P1)),...,(W1(Pk),W2(Pk),,Wm(Pk),prev(Pk))]whereP1,...,PkrefertoallkPOpathsfromstov,andprev(Pk)referstothepredecessorofvonpathPk. 12: 13: Lv ;foreachv2Vnfsg; 14: S fsg;Ls [(0,...,0,s)]; 15: whileS6=;do 16: extractanyufromS; 17: Bcheckusingweightlowerboundfromutot 18: foreachPOpathPifromstoudo 19: upperboundofSATscore0(Pi) Pj:Wj(Pi)+LBj(u,t)
PAGE 130

Figure6-3. CombinedMethodofBranch-and-BoundandParetoOptimality Straightforwardly,afterremovingasetofedges,themaxSATscoreislessthenifandonlyifF(P,C,)
PAGE 131

heuristichavesomegapsfromtheoptimalsolution,itisstillaccurateinthesenseofvulnerabilityassessment,asshowninthesimulationresultslater. 6.4HeuristicSolutions Inthissection,weprovidetwoheuristicsolutionsMFMCSPandSDOPwheretheformeroneisnear-optimaltonetworkswithasmallsetofconstraintsandthelatteroneisefcientforgeneralnetworkswitharbitrarilylargeconstraintsets. Algorithm12MFMCSP 1: Input:directedgraphG=(V,E),constraintsetM=fc1,,cmg,creditvector(1,2,,m),satisfactoryscorethreshold; 2: Output:solutionsetofedgeofQoSCE. 3: S alltheminimalcombinationsssofMwithPci2ssi>; 4: foreachedge(i,j)2Edo 5: f(i,j) 0;f(j,i) 0; 6: cf(i,j) 1andcf(j,i) 0. 7: endfor 8: whileS6=;do 9: ss extractedfromS; 10: while9q theshortestpathsatisfyingalltheconstraintsinssdo 11: foreachedge(u,v)2qdo 12: cf(q) minfcf(u,v):(u,v)2qg; 13: f(u,v) f(u,v)+cf(q);f(v,u) )]TJ /F3 11.955 Tf 24.58 0 Td[(f(u,v); 14: cf(u,v) c(u,v))]TJ /F3 11.955 Tf 11.95 0 Td[(f(u,v);cf(v,u) c(v,u))]TJ /F3 11.955 Tf 11.96 0 Td[(f(v,u); 15: endfor 16: endwhile 17: endwhile 18: alltheverticesreachablefromsontheresidualnetworkinducesacutT. 19: returnT. 6.4.1AHeuristicSolutionforSmallm Inrealapplicationscenarios,thesetofconstraintsthataretakenintoaccountisverylimited,whichmayonlyconsistjitter,packetloss,delayandsomeothers.Therefore,itisquitepracticaltoconsidermasanotquitelargevalue,whichgivesrisetoanexactsolutioncalledMFMCSP. Thebasicideaistorstenumerateallthepossiblesatisablecombinationsofconstraints,forexample(c1,c3,c5)if1+3+5.Therefores)]TJ /F3 11.955 Tf 12.09 0 Td[(tpathsthatsatisfy 131

PAGE 132

alltheconstraintswithinsuchacombinationisasatisablepath.Weonlyconsiderthesetofminimalconstraintcombinations,sincethesetofpathssatisfyingasetofconstraintsissurelythesupersetofthosesatisfyingasupersetoftheseconstraints.(setofpathssatisfying(c1,c3)ofcoursecontainsthosesatisfying(c1,c3,c5).)Withthissetofminimalcombinations,werevisetheclassicEdmondsKarpalgorithm[ 19 ]tondtheminimumsizeofedgecuttocutalltheaugmentings)]TJ /F3 11.955 Tf 12.27 0 Td[(tpathswhichatthesametimesatisfyanyofthesecombinations. Thepesudo-codeofthisalgorithmisincludedinAlgorithm 12 6.4.2AHeuristicSolutionforLargemandLargeNetworks TohandlegeneralnetworkscenarioswitharbitrarynumberofQoSconstraints,weprovideanefcientheuristicalgorithminthissection. Alg. 11 checksiftheremaininggraphhasasatisablepath.However,whenitcomestolarge-scalenetworks,thelocalsearchprocessforPOpathsmaytaketoolong.Therefore,wedenearelaxedmetric'(e)foreachedgee,andproposeanalgorithmcalledSAT TEST(Algorithm 13 )toapproximatelydecideifthereexistasatisfactorypathintheremaininggraph. Algorithm13SAT TEST 1: Input:directedgraphG=(V,E),constant; 2: Output:trueifasatisfactorypathprobablyexists,falseotherwise. 3: foreveryedgee2Edo 4: '(e) Pmi=1wei cii; 5: endfor 6: p shortests-tpathonmetric'; 7: if'(p)>then 8: returnfalse; 9: else 10: returntrue; 11: endif Basedonthistest,consideringthattheshortestpathw.r.teachmeasure(singlemetricshortestpath)ismorelikelytobeasatisablepath,wecountabetweennessmetric,i.e.,numberofappearancesofeachedgeinsuchpathkind,andremovethe 132

PAGE 133

edgewiththegreatestnumberofappearancesonebyoneuntiltherelaxedtestreturnsfalse.ThegreedyheuristiciscalledSDOPandincludedinAlgorithm 14 Algorithm14SDOP 1: Input:directedgraphG=(V,E),constant; 2: Output:asetDofedgestoberemoved. 3: SetT ;; 4: whileSAT TEST(G)=falsedo 5: ndallmsinglemetricshortestpathsfp1,,pmg 6: foralledgese2Edo 7: ndtheoneappearsinthemaximumnumberofsuchpath.; 8: endfor 9: T T[feg;E Enfeg; 10: endwhile 11: returnT. 6.5PerformanceEvaluations Inprinciple,thesimulationsareofthree-fold:(1)toshowthenear-optimalityofMFMCSP,wecompareitsresultforQoSCEwiththeoptimalsolutionreturnedbytheexactsolutiononasmallnetwork;(2)toshowtheefciencyandaccuracyoftheheuristicSDOP,wecompareitsassessmentresultsandtimecomplexitywithMFMCSPoverrandomgeneratednetworksfollowingvarioustopologies;(3)toshowthescalabilityofSDOP,wetestitonaseriesofpower-lawnetworkswithincreasingsizeandconstraintquantity. 6.5.1DatasetandSetup Withregardtothetopologiesadopted,for(1)weuseaclassicbackbonenetwork:NSFNETT11991networkwith14nodesand21bidirectionaledges[ 50 ];for(2)and(3)weuseawell-knownInternettopologygeneratorBRITE[ 45 ]togeneratetopologiesatthreedifferentinternetlevels:FlatRouter-Levelonly,FlatAS-Levelonly,HierarchicalTop-downthatfollowtwomodels:Power-lawandWaxman. Regardingtheedgeweights,similarto[ 2 ][ 77 ],alledgeweightsaregeneratedfollowingUniformDistributionwithintherange[1,10]andtheeachdimensionoftheconstraintpriorityvector(1,,m)obeysthesamedistribution.WecallPmiiasthe 133

PAGE 134

Figure6-4. NSFNET(NationalScienceFoundationNetworks)T11991 fullscoreofthegiventopology,andinordertoguaranteethattheQoS-optimalpathofthetopologycanachievesuchafullscorebeforeanyedgesareremoved,weusetheweightvectorofashortestpath(w.r.thop)countinthegiventopologyastheconstraintvector.Thesatisfactoryrateisdenedastheratioofthethresholdoverfullscore,i.e.=Pmii.AllthetestsareimplementedinC++andperformedona2.33GHzLinuxWorkstationwith8GBRAM. 6.5.2EfciencyofHeuristicSolutions WeruntheexactalgorithmParetoSearchandheuristicMFMCSPontheNSFNETbackbonewithm=5and30teamsofrandomassignededgeweights,thresholdandcreditvectors. FirstweinvestigatehowfastMFMCSPiscomparedtoParetoSearch.AsshowninTable 6-1 ,thetimecostofMFMCSPismuchlowerthanthatofParetoSearch,wherethelatteronecanbeupto65timesoftheformerone. 134

PAGE 135

Figure6-5. AccuracyofMFMCSP(MaxFlowMulti-ConstraintShortestPath) Table6-1. ThetimecostofMFMCSP(MaxFlowMulti-ConstraintShortestPath) 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 MFMCSP(sec) 3.872 3.459 2.998 2.746 2.653 2.694 2.189 2.447 2.102 ParetoSearch(sec) 196.629 191.563 168.187 149.720 144.053 141.992 138.214 139.327 140.806 ThenourinterestistoseehowlikelyMFMCSPwillreturntheexactsolution,whichinoursimulationisquantiedastheratiooftheinstanceswhereMFMCSPcatchestheoptimal(wecallitsuccessprobability). AsshowninFig. 6-5 ,when0.6,withatleastprobability0.7,MFMCSPcancatchtheexactsolution.Sincefromtheattackerpointofview,targetingatalargerthan0.6makeslittlesense,theslightlylowersuccessprobabilityfor2[0.7,0.9]doesnotruinthealgorithm.Generally,thissuccessprobabilitygoesdownastheincreases.Thisisnaturalsincethesmallis,thenearerthesolutionistothemins-tcut.Whenislarge,itisharderforthemaxowalgorithmtocatchtheminimumsolution. Furthermore,wewouldliketoseehowfaristheresultofMFMCSPfromtheexactsolution.AlsoshowninFig. 6-5 ,atleast83%MFMCSPresultsarelessthan1.5timesoftheexactsolution. 135

PAGE 136

AThevulnerabilityassessedbyMFMCSPford-ifferentnetworktopologies BThetimecostofMFMCSPforevaluatingdifferentnetworktopologies CThevulnerabilityassessedbySDOPfordifferentnetworktopologies DThetimecostofSDOP(SingleDimensionOptimalPath)forevaluatingdifferentnetworktopologies Asstatedabove,MFMCSPcanserveasanearoptimalsolutionfornetworksmallnumberofconstraints.However,itsscalabilityisstilllimitedbyitsconstraintenumerationandowaugmentationphase.Therefore,wewouldliketoseeifSDOPcanacceleratethiscalculationprocess,aswellasretainthecorrectnessoftheassessment. Fig. 6-6A reportsthesolutionsizesofQoSCEdetectedbyMFMCSPonsix500-node1500-edgenetworkswithmoderatem=5,asshown.Foreachmodel,thesolutionsizeofQoSCEw.r.tsatisfactoryratesrangingwith[0.05,0.95]withastep0.05arepresented.SincelargerQoSsolutionsizesindicatesahighervulnerability,wecanderivethefollowingroughsequencewiththeQoSvulnerability,whichstartswiththemostrobusttopology:Router-PowerLaw>AS-Waxman>Hierarchical-Waxman> 136

PAGE 137

Router-Waxman>Hierarchical-Powerlaw>AS-Powerlaw.Basedonthisevaluation,forRouter-onlylevelQoS-sensitivenetworks,PowerLawmodelismorerobust,whileforAS-onlylevelnetworks,Waxmanmodelisabetterchoice.AnotherobservationisthattheQoSCEsolutionsizesofmostnetworktopologiesarequitestabledespitethechangesofsatisfactoryrate.Thisduestotheuniformlydistributededgeweightsassumed,wherealargeamountofs)]TJ /F3 11.955 Tf 13.06 0 Td[(tpathsexistandhavesimilarsatisfactoryscores,therefore,allthesepathsarerequiredtobecutandtheminimums)]TJ /F3 11.955 Tf 12.54 0 Td[(tcutofthegraphbecomestheoptimalsolutionofQoSCE,whichremainsunchangedasthesatisfactoryratedecreases.ThetimecostofMFMCSPonthesetopologiesareboundedbyaround15seconds,asshowninFig. 6-6B .Asthesatisfactoryratedecreases,thetimecomplexityincreasesbecausemoresatisfactorypathsarediscoveredandow-augmented.Thoughthisnetworkhasonly1500edges,sincetheow-augmentingprocessinMFMCSPonlyvisitseachedgeonce,thissolutioncanalsobeappliedtoalarge-scalenetwork.However,theproposedheuristicSDOPisshowntoachievethesimilarperformancevulnerabilityassessmentwithmuchlesstimeexpense,sowedonottestMFMCSPonlargenetwork. Fig. 6-6C presentstheQoSCEsolutionsizesderivedbySDOPforthesamesixtopologiesasabove.AlthoughthesolutionsizesarelargerthantheoptimalvaluesreturnedbyMFMCSP,itprovidesthesamerobustnesssequence.Therefore,theSAT TESTdoesprovideagoodestimationoverthenetwork.Furthermore,thetimeexpenseoftheassessmentisreducedfrom15secondsto2secondsbyuseofthisalgorithm.Thereforeforreal-timenetworkswithdynamiclinksandQoSmeasurerequirements,thisalgorithmcanbeappliedbypromptlyrecalculatetheQoSCEproblemforeachtimeslotswithdifferentinputs. ToshowthescalabilityoftheSDOPalgorithmandthisassessmentframework,wetestthetimeexpenseonrandomnetworksgeneratedfromthePower-Lawmodelwithsizeincreasingfrom1000-nodeto10000-node,aswellasthedensityincreasingto6 137

PAGE 138

Table6-2. ThetimecostofSDOP(SingleDimensionOptimalPath)forlargenetworks n 1000 2000 3000 5000 7000 9000 10000 TimeCost(sec) 6.624 7.533 8.522 17.996 28.205 37.184 41.553 Table6-3. ThetimecostofSDOPforlargeconstraintamount m 5 15 20 30 50 75 100 TimeCost(sec) 6.343 18.769 23.809 38.321 64.811 99.320 134.576 edgespernode.TheresultsareincludedinTable 6-2 .Asthenetworksizeincreases,thetimecostgoesupfromaround6secondsto41seconds,whichissurelyaffordablebyreal-timeapplications.Amajorityofthetimeexpensearisesfromthecalculationofshortestpathsw.r.teachconstraint,therefore,SDOPcanbefurtheracceleratedthroughsamplingtechniques,insteadofenumeratealltheshortestpaths.Furthermore,wetestitsefciencyforaPower-Lawnetworkwith5000-nodeupto100constraints,bytakingintoaccountpossibleextremelymanyconstraintsinthenext-generationInternet.AsshowninTable 6-3 ,SDOPcanterminatewithin135secondsinthisextremecase. 6.6Summary WeproposetherstQoS-awareassessmentframeworkfornetworktopologyvulnerabilities,whichisformulatedasagraphoptimizationproblemwhosetheoreticalintractabilityisshown.Byprovidingonenear-optimalsolutionandoneefcientheuristic,thescalabilityofthisframeworkisvalidatedthroughextensivesimulationstudiesoverseveralpopularnetworkmodels. 138

PAGE 139

CHAPTER7CONCLUSION Inthisthesis,weinvestigatetheapplicationofdiscreteoptimizationtechniques,inparticularGroupTestingandGraphOptimizations,infournetworksecurityandreliabilityproblems.Theresultswederivedinclude a2-modereal-timemalicedetectionframeworkagainstapplicationDoSattacks; atriggerdetectionserviceforfreezingandlocatingwirelessreactivejammingattacks; agraph-constrainedgrouptestingbasedmulti-linkfailuredetectionalgorithmforall-opticalnetworks; aQoS-waretheoreticalvulnerabilityassessmentframeworkforgeneralnetworks. Mostoftheseworksprovideabrandnewperspectiveovertheprobleminthecorrespondingeld,byovercomingthedifcultyofapplyingtheclassicmathematicalmodelstopracticalproblemscenarios.Thankstothelongresearchhistoryofdiscreteoptimizations,moreandmorenetworkproblemscouldndsufcienttheoreticalsupportsinthere,whichwillbethefocusofmyfuturework,besidesimprovingthesolutionsofthelistedproblems. 139

PAGE 140

REFERENCES [1] Ahuja,S.S.,Ramasubramanian,S.,andKrunz,M.SRLGFailureLocalizationinOpticalNetworks.Networking,IEEE/ACMTransactionson19(2011).4:989. [2] Andersen,R.,Chung,F.,Sen,A.,andXue,G.OndisjointpathpairswithwavelengthcontinuityconstraintinWDMnetworks.INFOCOM2004.Twenty-thirdAnnualJointConferenceoftheIEEEComputerandCommunicationsSocieties.vol.1.2004,4. [3] Assi,C.,Ye,Y.,Shami,A.,Dixit,S.,andAli,M.Ahybriddistributedfault-managementprotocolforcombatingsingle-berfailuresinmesh-basedDWDMopticalnetworks.GlobalTelecommunicationsConference,2002.GLOBE-COM'02.IEEE.vol.3.2002,26762680vol.3. [4] Bar-noy,Amotz,Khuller,Samir,andSchieber,Baruch.TheComplexityofFindingMostVitalArcsandNodes.Tech.rep.,TRCS-TR-3539,InstituteforAdvancedStudies,UniversityofMaryland,CollegePark,1995. [5] Black,U.IProutingprotocols:RIP,OSPF,BGP,PNNIandCiscoroutingprotocols.PrenticeHall(2000). [6] Boros,Endre,Borys,Konrad,Gurvich,Vladimir,andRudolf,Gabor.InapproximabilityBoundsforShortest-PathNetworkInterdictionProblems.Tech.rep.,TR:2006-13,Rutgers,2006. [7] Brackett,C.A.Densewavelengthdivisionmultiplexingnetworks:principlesandapplications.SelectedAreasinCommunications,IEEEJournalon8(1990).6:948. [8] Brownlee,N.andZiedins,I.Responsetimedistributionsforglobalnameservers.PassiveandActiveMeasurementworkshop(PAM)(2002). [9] Cagalj,M.,Capkun,S.,andHubaux,J.-P.Wormhole-BasedAntijammingTechniquesinSensorNetworks.MobileComputing,IEEETransactionson6(2007).1:100. [10] Cakiroglu,MuratandOzcerit,AhmetTuran.Jammingdetectionmechanismsforwirelesssensornetworks.Proceedingsofthe3rdinternationalconferenceonScalableinformationsystems.InfoScale'08.ICST,Brussels,Belgium,Belgium:ICST(InstituteforComputerSciences,Social-InformaticsandTelecommunicationsEngineering),2008,4:1:8. [11] Chen,Y.-X.andDu,D.-Z.NewConstructionsofOne-andTwo-StagePoolingDesigns.JournalofComputationalBiology15(2008).2:195. [12] Cheraghchi,M.,Karbasi,A.,Mohajer,S.,andSaligrama,V.Graph-constrainedgrouptesting.InformationTheoryProceedings(ISIT),2010IEEEInternationalSymposiumon.2010,1913. 140

PAGE 141

[13] Chu,Yunn-KuangandKe,Jau-Chuan.MeanresponsetimeforaG/G/1queueingsystem:Simulatedcomputation.AppliedMathematicsandComputation186(2007).1:772779. [14] Deng,Ping,Thai,MyT.,andWu,Weili.ANon-UniqueProbesSelectionAlgorithmUsingd-DisjunctMatrix.BIOCOMP.2007,574. [15] Dinh,T.N.,Xuan,Ying,Thai,M.T.,Park,E.K.,andZnati,T.OnApproximationofNewOptimizationMethodsforAssessingNetworkVulnerability.INFOCOM,2010ProceedingsIEEE.2010,1. [16] Du,D.Z.andHwang,F.K.PoolingDesigns:GroupTestinginMolecularBiology.Singapore:WorldScientic,2006. [17] Du,D.Z.,Hwang,F.K.,Wu,W.,andZnati,T.NewConstructionforTransversalDesign.Journalofcomputertationalbiology13(2006).4:990. [18] Dyachkov,A.G.,Macula,A.J.,Torney,D.C.,andVilenkin,P.A.TwoModelsofNonadaptiveGroupTestingforDesigningScreeningExperiments.mODa6-AdvancesinModel-OrientedDesignandAnalysis.eds.AnthonyC.Atkinson,PeterHackl,andWernerG.Mller,ContributionstoStatistics.Physica-VerlagHD,2001.63. [19] Edmonds,JackandKarp,RichardM.TheoreticalImprovementsinAlgorithmicEfciencyforNetworkFlowProblems.J.ACM19(1972):248. [20] Eppstein,David,Goodrich,MichaelT.,andHirschberg,DanielS.ImprovedCombinatorialGroupTestingAlgorithmsforReal-WorldProblemSizes.SIAMJ.Comput.36(2006):1360. [21] Farach,M.,Kannan,S.,Knill,E.,andMuthukrishnan,S.Grouptestingproblemswithsequencesinexperimentalmolecularbiology.CompressionandComplexityofSequences1997.Proceedings.1997,357. [22] Gao,H.,Hwang,F.K.,Thai,M.T.,Wu,W.,andZnati,T.Constructionofd(H)-DisjuntMatrixforGroupTestinginHypergraphs.JournalofCombinatori-alOptimization12(2006).3:297. [23] Garey,M.G.,Johnson,andD.S.TheRectilinearSteinerTreeProblemisNP-Complete.32(1977).4:826834. [24] Gligor,VirgilD.GuaranteeingAccessinSpiteofDistributedService-FloodingAttacks.InProceedingsoftheSecurityProtocolsWorkshop.2003. [25] Goodrich,MichaelT.,Atallah,MikhailJ.,andTamassia,Roberto.Indexinginformationfordataforensics.In3rdAppliedCryptographyandNetworkSecurityConference(ACNS),volume3531ofLectureNotesinComputerScience.Springer,2005,206. 141

PAGE 142

[26] Gupta,R.,Walrand,J.,,andGoldschmidt,O.Maximalcliquesinunitdiskgraphs:Polynomialapproximation.INOC(2005). [27] Guruswami,VenkatesanandRangan,C.Pandu.Algorithmicaspectsofclique-transversalandclique-independentsets.DiscreteAppliedMathematics100(2000).3:183202. [28] Hang,Wang,Zanji,Wang,andJingbo,Guo.PerformanceofDSSSagainstRepeaterJamming.Electronics,CircuitsandSystems,2006.ICECS'06.13thIEEEInternationalConferenceon.2006,858. [29] Harvey,N.J.A.,Patrascu,M.,Wen,Yonggang,Yekhanin,S.,andChan,V.W.S.Non-AdaptiveFaultDiagnosisforAll-OpticalNetworksviaCombinatorialGroupTestingonGraphs.INFOCOM2007.26thIEEEInternationalConferenceonComputerCommunications.IEEE.2007,697. [30] Kandula,Srikanth,Katabi,Dina,Jacob,Matthias,andBerger,Arthur.Botz-4-sale:Survivingorganizedddosattacksthatmimicashcrowds.In2ndSymposiumonNetworkedSystemsDesignandImplementation(NSDI.2005. [31] Kaplan,Haim,Katz,MatthewJ.,Morgenstern,Gila,andSharir,Micha.Optimalcoverofpointsbydisksinasimplepolygon.Proceedingsofthe18than-nualEuropeanconferenceonAlgorithms:PartI.ESA'10.Berlin,Heidelberg:Springer-Verlag,2010,475. [32] Kargl,Frank,Maier,Joern,andWeber,Michael.Protectingwebserversfromdistributeddenialofserviceattacks.Proceedingsofthe10thinternationalconferenceonWorldWideWeb.WWW'01.NewYork,NY,USA:ACM,2001,514. [33] Khadivi,P.,Samavi,S.,Todd,T.D.,andSaidi,H.Multi-constraintQoSroutingusinganewsinglemixedmetric.Communications,2004IEEEInternationalConferenceon.vol.4.2004,20422046Vol.4. [34] Khattab,S.,Gobriel,S.,Melhem,R.,andMoss,D.LiveBaitingforService-levelDoSAttackers.2008. [35] Khattab,S.M.,Sangpachatanaruk,C.,Mosse,D.,Melhem,R.,andZnati,T.Roaminghoneypotsformitigatingservice-leveldenial-of-serviceattacks.Dis-tributedComputingSystems,2004.Proceedings.24thInternationalConferenceon.2004,328337. [36] Korkmaz,T.andKrunz,M.Multi-constrainedoptimalpathselection.INFOCOM2001.TwentiethAnnualJointConferenceoftheIEEEComputerandCommunica-tionsSocieties.Proceedings.IEEE.vol.2.2001,834. [37] Kuipers,F.A.andVanMieghem,P.F.A.ConditionsThatImpacttheComplexityofQoSRouting.Networking,IEEE/ACMTransactionson13(2005).4:717730. 142

PAGE 143

[38] Lemon,Jonathan.ResistingSYNoodDoSattackswithaSYNcache.Proceed-ingsoftheBSDConference2002onBSDConference.BSDC'02.Berkeley,CA,USA:USENIXAssociation,2002,10. [39] Li,Mingyan,Koutsopoulos,I.,andPoovendran,R.OptimalJammingAttacksandNetworkDefensePoliciesinWirelessSensorNetworks.INFOCOM2007.26thIEEEInternationalConferenceonComputerCommunications.IEEE.2007,1307. [40] Li,Yuxi,Harms,J.,andHolte,R.FastExactMultiConstraintShortestPathAlgorithms.Communications,2007.ICC'07.IEEEInternationalConferenceon.2007,123. [41] Liu,Hongbo,X,Wenyuan,Chen,Yingying,andLiu,Zhenhua.Localizingjammersinwirelessnetworks.Proceedingsofthe2009IEEEInternationalConferenceonPervasiveComputingandCommunications.Washington,DC,USA:IEEEComputerSociety,2009,1. [42] Liu,Zhenhua,Liu,Hongbo,Xu,Wenyuan,andChen,Yingying.WirelessJammingLocalizationbyExploitingNodes'HearingRanges.DCOSS'10.2010,348. [43] Maeda,M.W.Managementandcontroloftransparentopticalnetworks.SelectedAreasinCommunications,IEEEJournalon16(1998).7:1008. [44] Mas,C.,Tomkos,I.,andTonguz,O.K.FailureLocationAlgorithmforTransparentOpticalNetworks.SelectedAreasinCommunications,IEEEJournalon23(2005).8:15081519. [45] Medina,A.,Lakhina,A.,Matta,I.,andByers,John.BRITE:UniversalTopologyGenerationfromaUser'sPerspective.(UserManual)BU-CS-TR-2001-003(2001). [46] Mirkovic,JelenaandReiher,Peter.AtaxonomyofDDoSattackandDDoSdefensemechanisms.SIGCOMMComput.Commun.Rev.34(2004):39. [47] Mitzenmacher,M.Abriefhistoryofgenerativemodelsforpowerlawandlognormaldistributions.InternetMathematics1(2003).2:226251. [48] Mori,G.andMalik,J.Recognizingobjectsinadversarialclutter:breakingavisualCAPTCHA.ComputerVisionandPatternRecognition,2003.Proceedings.2003IEEEComputerSocietyConferenceon.vol.1.2003,IIvol.1. [49] Muller-Hannemann,MatthiasandWeihe,Karsten.ParetoShortestPathsisOftenFeasibleinPractice.Proceedingsofthe5thInternationalWorkshoponAlgorithmEngineering.WAE'01.2001. [50] NSFNET.ftp://ftp.uu.net/inet/maps/nsfnet/.1991. [51] Poisel,R.A.ModernCommunicationsJammingPrinciplesandTechniques.ArtechHouse(2004). 143

PAGE 144

[52] Ranjan,Supranamaya.DDoSresilientschedulingtocounterapplicationlayerattacksunderimperfectdetection.inProceedingsofIEEEINFOCOM.2006,23. [53] Reinhardt,LineBlanderandPisinger,David.Multi-objectiveandmulti-constrainednon-additiveshortestpathproblems.Comput.Oper.Res.38(2011):605. [54] Ricciulli,Livio,Lincoln,Patrick,andKakkar,Pankaj.TCPSYNFloodingDefense.InProceedingsofCNDS.1999. [55] Sekar,VyasandMerwe,JacobusVanDer.LADS:Large-scaleAutomatedDDoSDetectionSystem.InProc.ofUSENIXATC.2006,171. [56] Shin,Incheol,Shen,Yilin,Xuan,Ying,Thai,MyTra,andZnati,Taieb.Reactivejammingattacksinmulti-radiowirelesssensornetworks:anefcientmitigatingmeasurebyidentifyingtriggernodes.Proceedingsofthe2ndACMinternationalworkshoponFoundationsofwirelessadhocandsensornetworkingandcomput-ing.FOWANC'09.NewYork,NY,USA:ACM,2009,87. [57] Sidek,O.andYahya,A.Reedsolomoncodingforfrequencyhoppingspreadspectruminjammingenvironment.AmericanJournalofAppliedSciences5(2008).10:12811284. [58] Stanic,S.,Subramaniam,S.,Choi,H.,Sahin,G.,andChoi,Hyeong-Ah.Onmonitoringtransparentopticalnetworks.ParallelProcessingWorkshops,2002.Proceedings.InternationalConferenceon.2002,217223. [59] Strasser,Mario,Danev,Boris,andCapkun,Srdjan.Detectionofreactivejamminginsensornetworks.ACMTrans.Sen.Netw.7(2010):16:1:29. [60] Tague,P.,Nabar,S.,Ritcey,J.A.,andPoovendran,R.Jamming-AwareTrafcAllocationforMultiple-PathRoutingUsingPortfolioSelection.Networking,IEEE/ACMTransactionson19(2011).1:184. [61] Tapolcai,J.,Wu,Bin,andHo,Pin-Han.OnMonitoringandFailureLocalizationinMeshAll-OpticalNetworks.INFOCOM2009,IEEE.2009,1008. [62] Thai,M.T.,MacCallum,D.,Deng,P.,andWu,W.DecodingAlgorithmsinPoolingDesignswithInhibitorsandFaultTolerance.InternationalJournalofBioinformaticsResearchandApplications(IJBRA)(2007). [63] Thai,M.T.,Xuan,Ying,Shin,Incheol,andZnati,Taieb.OnDetectionofMaliciousUsersUsingGroupTestingTechniques.DistributedComputingSystems,2008.ICDCS'08.The28thInternationalConferenceon.2008,206. [64] Thai,MyT.,Deng,Ping,Wu,Weili,andZnati,Taieb.Approximationalgorithmsofnon-uniqueprobesselectionforbiologicaltargetidentication.AIPConferenceProceedings953(2007).1:174. 144

PAGE 145

[65] Valiant,LeslieG.UniversalityconsiderationsinVLSIcircuits.IEEETrans.Comput.30(1981):135. [66] Vries,S.ACorsaireWhitePaper:ApplicationDenialofService(DoS)Attacks.http://research.corsaire.com/whitepapers/040405-application-level-dos-attacks.pdf(2004). [67] Waxman,BernardM.Routingofmultipointconnections.LosAlamitos,CA,USA:IEEEComputerSocietyPress,1991,347. [68] Wen,Yonggang,Chan,V.W.S.,andZheng,Lizhong.Efcientfault-diagnosisalgorithmsforall-opticalWDMnetworkswithprobabilisticlinkfailures.LightwaveTechnology,Journalof23(2005).10:33583371. [69] Whitepaper.Serviceproviderinfrastructuresecurity:detecting,tracing,andmitigatingnetwork-wideanomalies.http://www.arbornetworks.com(2005). [70] Wood,A.D.,Stankovic,J.A.,andSon,S.H.JAM:ajammed-areamappingserviceforsensornetworks.Real-TimeSystemsSymposium,2003.RTSS2003.24thIEEE.2003,286297. [71] Wu,Bin,Ho,Pin-Han,andYeung,K.L.MonitoringTrail:ANewParadigmforFastLinkFailureLocalizationinWDMMeshNetworks.GlobalTelecommunicationsConference,2008.IEEEGLOBECOM2008.IEEE.2008,1. [72] Wu,BinandYeung,K.L.OPN07-5:M2-CYCLE:anOpticalLayerAlgorithmforFastLinkFailureDetectioninAll-OpticalMeshNetworks.GlobalTelecommunica-tionsConference,2006.GLOBECOM'06.IEEE.2006,1. [73] Xu,Wenyuan,Ma,Ke,Trappe,W.,andZhang,Yanyong.Jammingsensornetworks:attackanddefensestrategies.Network,IEEE20(2006).3:4147. [74] Xu,Wenyuan,Wood,Timothy,andZhang,Yanyong.Channelsurngandspatialretreats:defensesagainstwirelessdenialofservice.inProceedingsofthe2004ACMworkshoponWirelesssecurity,2004.ACMPress,2004,80. [75] Xu,Wenyuan,Zhang,Yanyong,andWood,Timothy.Thefeasibilityoflaunchinganddetectingjammingattacksinwirelessnetworks.InACMMOBIHOC.2005,46. [76] Xuan,Ying,Shen,Yilin,Nguyen,N.P.,andThai,M.T.AGraph-TheoreticQoS-AwareVulnerabilityAssessmentforNetworkTopologies.GLOBECOM2010,2010IEEEGlobalTelecommunicationsConference.2010,1. [77] Xue,Guoliang,Sen,Arunabha,Zhang,Weiyi,Tang,Jian,andThulasiraman,Krishnaiya.FindingaPathSubjecttoManyAdditiveQoSConstraints.Networking,IEEE/ACMTransactionson15(2007).1:201. 145

PAGE 146

[78] Zandt,T.V.Howtotaresponsetimedistribution.PsychonomicBulletinandReview(2000). [79] Zeng,Hongqing,Huang,Changcheng,andVukovic,Alex.ANovelFaultDetectionandLocalizationSchemeforMeshAll-opticalNetworksBasedonMonitoring-cycles.PhotonicNetworkCommunications11(2006):277. 146

PAGE 147

BIOGRAPHICALSKETCH YingXuanreceivedhisDoctorofPhilosophyincomputerinformationscienceandengineeringfromtheUniversityofFloridainthefallof2011.HeobtainedhisBachelorofEngineeringincomputerscienceandengineeringfromtheUniversityofScienceandTechnologyofChinainthesummerof2006.Hisresearchtopicsincludegrouptestingtheory,networksecurity,networkreliabilityandsocialnetworks. 147