Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks
1. Performance versus Security
Trade-off in RANETs
Muhammad Jawad Ikram
School of Computing, Informatics and Media, University of Bradford, UK.
2012
MSc Networks and Performance Engineering
Project Supervisor: Prof. Demetres D. Kouvatsos
2. Project Objectives
• To gain deep insights into the workings of MANETs and
RANETs and to understand the fundamental concepts.
• To understand the trade-off between Performance and
Security in computer networks in general and in RANETs in
particular.
• To understand the concepts of various performance-security
analysis tools that include Petri Nets and their extensions, and
gated queueing network model (G-QNM).
• To learn how to apply them to evaluate the performance and
security in RANETs.
3. Motivation
• A robotic mobile wireless ad hoc network (RANET) with
low operational cost, mobility and decentralized control
seems to be a most suitable architectural platform to
support the dynamic nature of their applications.
• Security mechanisms, such as encryption or security
protocols, come at a cost of extra computing resources
and therefore have an adverse effect on a RANET's
performance.
• Thus, it is vital to develop quantitative models and
techniques, based on both performance and security
metrics, for the analysis of RANETs.
4. Related Work
• Most of the relevant work is based on the papers of Wolter
and Cho et al.
• Wolter has carried out a detailed literature review, mainly
based on the combined study of performance and security.
• Wolter also proposes that Stochastic Petri Nets are the best
tools to study the trade-off between performance and security.
• Cho et al. propose an SPN model in which they study group
communication in MANETs.
• They obtained optimal settings for the system that satisfy both
performance and security requirements.
6. MANETs
• Characteristics of MANETs
▫ Communication via wireless means
▫ Nodes can perform the roles of both hosts and routers
▫ No centralized controller and infrastructure
▫ Dynamic network topology
▫ Frequent routing updates
▫ Autonomous, no infrastructure needed
▫ Can be set up anywhere.
• Limitations of MANETs
▫ Limited resources
▫ Limited physical security
▫ Intrinsic mutual trust vulnerable to attacks
▫ Lack of authorization facilities
▫ Volatile network topology makes it hard to detect malicious nodes
▫ Route changes due to mobility
▫ Battery constraints
• Routing protocols of MANETs
▫ Proactive protocols (DSDV, OLSR, WRP, CRSR)
▫ Reactive protocols (DSR, LMR, AODV, ABR)
▫ Hybrid protocols (ZRP)
7. MANETs - Advantages and Applications
• Advantages
▫ Cost-effective
▫ Less setup time
▫ Network is formed on the fly and adapts to changes
▫ Ease of deployment
▫ Speed of deployment
▫ Less dependency on infrastructure
• Applications
▫ Military or police exercises
▫ Disaster relief operations
▫ Mine site operations
▫ Urgent business meetings
▫ Robot data acquisition
8. • Why MANETs for RANETs?
• Basic modes of Robot communications
• Mobile Robot Applications
• Challenges of RANETs
9. RANETs and Robotic Communications
• Robots should be developed with low-cost wireless
communication solutions so that they can successfully
perform cooperative work and have the capability to
construct a network.
• Why MANETs for RANETs?
▫ Low-powered transceivers allow only direct
communication
▫ Centralized scheme is known to be susceptible as a single
point of failure
▫ Using base stations increases total cost of networks
▫ MANETs are suitable for unpredictable environments
10. RANETs and Robotic Communications
• Basic Modes of Robot Communication
▫ Communication between mobile robots and a fixed
base station
▫ Communication between mobile robots without a base
station
▫ Communication between individual components of the
robot itself
• Mobile robots applications
▫ Robot soccer games
▫ Explosive ordnance or hazardous materials disposal
▫ Rescue and recovery operations
▫ Unmanned vehicles
▫ Planetary and volcano exploration
11. Challenges of RANETs
• Problems at the intersection of control, perception and
communication that arise from the coordination of
multiple autonomous robots must be overcome.
• Fault Localisation in RANETs
▫ The dynamically changing topology of MANETs, and thus of
RANETs, requires an efficient fault management system to
perform rapid intrusion detection and fault localisation (i.e., the
process of deducing the exact source of a failure from a set
of observed failure indications) and to provide suitable
self-healing to mission-critical applications in a timely and
efficient manner.
12. •Petri Nets
•Stochastic Petri Nets (SPNs)
•Generalised Stochastic Petri Nets (GSPNs)
•Gated Queueing Network Models (G-QNMs)
13. Petri Nets
• Formal notation
• Models concurrency, causality and conflict
• Gives the formalism an easier intuitive
interpretation than the Markov process, at least
for small or moderately sized models
• Introduced in 1960 for modelling a variety of
concurrent systems
• Use for performance modelling originates from
the 1980s
14. Petri Nets
• A Petri net is a four-tuple, i.e.
PN = <P, T, I, O>
• P: a finite set of places, {P1, P2, ..., Pn}
• T: a finite set of transitions, {T1, T2, ..., Tn}
• I: an input function, (T x P) --> {0, 1}
• O: an output function, (T x P) --> {0, 1}
• M0: an initial marking, P --> N
• <P, T, I, O, M0>: a marked Petri net
15. Petri net Marking
• The state of the Petri net system at any time is
characterised by the distribution of tokens over
the places, generally termed a marking: M : P -->
N, where M(p) = n means that there are n tokens
on place p.
16. The Firing Rule
• A transition t is enabled in a marking M, if all
the pre-places of t (those connected by an input
arc) have a marking that is greater than or equal
to the multiplicity of that input arc.
• Otherwise t is said to be disabled.
• A transition which is enabled in M may fire.
• When t fires, a new marking is reached.
17. Reachability Graph
• Starting from an initial marking and following the firing rule we can
progress through all the possible states/markings of the model.
• Continuing in this way, the reachability set is obtained that gives all
the possible states of the model.
• Also called playing the token game.
• Initial marking is important.
• Different initial markings might lead to different reachability sets.
• While playing the token game, we come across all the possible states
of the system; the reachability graph is obtained by recording the
transitions between those states.
28. Stochastic Petri Nets
• Emerged as a modelling formalism for performance
analysis in the early 1980s.
• An exponentially distributed delay is associated with
the firing of each transition.
• The delay occurs between when the transition
becomes enabled and when it fires.
• The reachability graph of an SPN forms the state
transition diagram of an underlying Markov process.
29. Generalised Stochastic Petri Nets
• Generalised Stochastic Petri Nets (GSPN)
represent an extension of the SPN formalism.
• Two new primitives are added to the notation:
▫ immediate transitions
▫ inhibitor arcs
30. Immediate Transitions
• Immediate transitions describe events
that are assumed to take no time.
• They have priority over any enabled
timed transitions.
• Two or more immediate transitions can
be enabled at the same time.
• The probability that each of them is the
one to fire must be declared in the
model.
31. Immediate Transitions
• Immediate transitions usually represent control and
logical actions.
• The control actions ensure the correct behaviour of
the model and are executed in negligible time.
• Logical actions happen when there are two or more
alternatives and the system makes a choice amongst
them.
• Immediate actions give an additional tool for
abstraction within the model.
32. Inhibitor Arcs
• An inhibitor disables a transition, rather
than enables it.
• An inhibitor arc from a place to a
transition means the transition cannot fire
if there is a token in the place.
• It can fire when there is no token in the
place.
• The inhibitor arcs impose an additional
constraint to the usual firing rule.
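The firing rule, the token game that yields the reachability graph, and the inhibitor-arc constraint can be exercised together on a small net. This is an added example, not code from the slides; the net (a robot with two queued packets, one radio channel and a rekey cycle) and all place and transition names are constructed for illustration, and the net is assumed to be bounded so that the search terminates.

```python
from collections import deque

# Constructed net (not from the slides): a robot with two queued packets and one
# radio channel; the inhibitor arc stops it from sending while a rekey is running.
PLACES = ("queue", "channel_free", "sending", "key_ok", "rekeying")
TRANSITIONS = {  # name: (input arcs, output arcs, inhibitor places)
    "start_send": ({"queue": 1, "channel_free": 1}, {"sending": 1}, {"rekeying"}),
    "end_send": ({"sending": 1}, {"channel_free": 1}, set()),
    "start_rekey": ({"key_ok": 1}, {"rekeying": 1}, set()),
    "end_rekey": ({"rekeying": 1}, {"key_ok": 1}, set()),
}
M0 = {"queue": 2, "channel_free": 1, "sending": 0, "key_ok": 1, "rekeying": 0}

def enabled(marking, name):
    """Firing rule: each pre-place holds at least the arc multiplicity and,
    for the GSPN extension, each inhibitor place is empty."""
    inputs, _, inhibitors = TRANSITIONS[name]
    return (all(marking[p] >= n for p, n in inputs.items())
            and all(marking[p] == 0 for p in inhibitors))

def fire(marking, name):
    """Return the new marking reached when an enabled transition fires."""
    if not enabled(marking, name):
        raise ValueError(f"{name} is disabled")
    inputs, outputs, _ = TRANSITIONS[name]
    new = dict(marking)
    for p, n in inputs.items():
        new[p] -= n
    for p, n in outputs.items():
        new[p] += n
    return new

def reachability_graph(m0):
    """Play the token game breadth-first; return (markings, labelled edges)."""
    key = lambda m: tuple(m[p] for p in PLACES)
    seen, edges, todo = {key(m0)}, [], deque([m0])
    while todo:
        m = todo.popleft()
        for t in TRANSITIONS:
            if enabled(m, t):
                nxt = fire(m, t)
                edges.append((key(m), t, key(nxt)))
                if key(nxt) not in seen:
                    seen.add(key(nxt))
                    todo.append(nxt)
    return seen, edges

if __name__ == "__main__":
    markings, edges = reachability_graph(M0)
    print(len(markings), "markings,", len(edges), "arcs")
```

Removing "rekeying" from the inhibitor set of start_send leaves the reachability set unchanged but adds the arcs in which a packet is sent during a rekey, which is exactly the behaviour the inhibitor arc forbids.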
33. Gated QNMs
• A RANET node with a gated queue, shown in two
equivalent ways.
35. •Motivation
•Performance Models
•Performance Metrics
•Security Measurements and Metrics
•Modeling Security with GSPN
•Combined Performance-Security Model
•Performance-Security Tradeoff in RANETs
•Security Attacks in RANETs
•Rekeying and IDS Techniques
•System Model
•Results and Analysis
36. Motivation
• What does the Performance-Security tradeoff mean?
• How to measure Performance?
• How to measure Security?
• What are the costs of Performance?
• What are the costs of Security?
• Can we trade one against the other?
37. Performance-Security Trade-off
• A situation in which one quality or feature of
something is lost in return for gaining another
quality or feature is called trade-off.
• The performance-security trade-off means that
both performance and security can be measured
together and if we want to improve one, we have
to pay in terms of the other.
38. Performance Measurement- Motivation
• To know the cost of an activity.
• To identify the connection between parts of the
system.
• To identify the number of operations.
• To study the effects of growing traffic on the system.
• To determine the think time of the system.
40. Performance Metrics
Typical performance metrics for RANETs include:
• Throughput
• Packet Loss Probability
• End-to-End Delay
• Average Number of Hops
• Optimal Number of hops
• Routing Overhead
• Channel Utilization
• Energy/Power consumption
41. Security Measurement - Motivation
• To minimize security costs.
• According to a Forrester Research survey of 28
companies held in 2007, security breaches cost
$90 to $305 per lost record, and 25% of
respondents do not know how to quantify that
loss.
42. Security Engineering
• Prevention
▫ Protection of data and communication is needed to avoid security
breaches.
• Diagnosis/Detection
▫ It is important to identify whether and when a security incident has
occurred.
• Response
▫ Security attacks should be stopped immediately to avoid further
damage.
• Recovery
▫ Recovery from a security breach should be performed. A new key
should be assigned for encryption.
43. Measuring Security
• Using the approach of reliability, the system may be
assumed to be in one of three states:
▫ Secure state,
▫ Insecure state, or
▫ Recovery state, between insecure and secure.
• The state of the system may change from secure to
insecure, from insecure to recovery and from recovery
back to secure.
44. Measuring Security
[Figure: time axis t marked with t1, td1, tr1, t2, td2, tr2 and the intervals TBI, TTID, TTIR and TBDR]
Security incidents occur at times t1, t2, t3, ..., tn. Incident i
occurs at time ti and is followed by its detection at time tdi
and recovery from the incident at time tri.
48. Performance-Security Trade-off in
RANETs
• Two metrics are taken into account;
▫ Security is measured in terms of mean time to security
failure (MTTSF).
▫ Performance is measured in terms of service response
time (R).
• The main objective is to find optimal settings, including
the best intrusion detection interval and the
best batch rekey interval, under which MTTSF is
maximized while satisfying the performance
requirement in terms of R.
49. Security Attacks in RANETs
• Outsider attacks
▫ come from outside of the network,
▫ for example if an external intruder attempts to gain unauthorized
access to the group communication in the system.
▫ can be controlled by prevention methods like authentication and
encryption.
• Insider Attacks
▫ come from trusted members who become compromised for
some reason
▫ They can share the group key with outsider attackers to
break the security of the system.
▫ Intrusion detection system (IDS) methods are developed to detect
compromised nodes and evict them from group formation to
achieve better security.
50. Rekeying Techniques
• Individual Rekeying
▫ Rekeying is performed each time a robot joins or leaves the
system, or if a compromised node is removed from the system.
• Trusted And Untrusted Double Threshold-based
rekeying (TAUDT)
▫ Rekeying is performed when the thresholds (k1, k2) are reached
▫ k1 = rekey limit on (trusted) join and leave requests.
▫ k2 = rekey limit on detected and falsely detected compromised
nodes.
• Join And Leave Double Threshold-based
rekeying
▫ Rekeying is performed when the thresholds (k1, k2) are reached
▫ k1 = rekey limit on join requests.
▫ k2 = rekey limit on leave requests and evicted nodes.
51. IDS Techniques
• Host-based IDS
▫ Local detection is performed by each node (robot) to determine
whether a neighbouring node is compromised.
▫ Characterized by false negative and false positive probabilities p1
and p2.
• Voting-based IDS
▫ Voting is performed by m vote participants against a periodically
selected node, called the target node.
▫ If the majority of votes go against the target, the target node
is evicted from the system.
▫ Characterized by false negative and false positive probabilities Pfn and
Pfp.
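How the per-node probabilities p1 and p2 combine into the group-level Pfn and Pfp can be worked out with a binomial model. This is an added example, not the model from the slides or from Cho et al.; it assumes honest voters vote independently according to their host-based IDS, eviction needs a strict majority of the m votes, and any compromised voters collude (they shield a compromised target and vote against a good one). The function names are hypothetical.

```python
from math import comb


def binom_tail(n, p, k):
    """P(X >= k) for X ~ Binomial(n, p); k <= 0 gives 1, k > n gives 0."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i)
               for i in range(max(k, 0), n + 1))


def voting_ids(m, p1, p2, colluders=0):
    """Return (Pfn, Pfp) for a vote among m participants.

    p1, p2    -- host-based IDS false negative / false positive probabilities
    colluders -- assumed number of compromised voters among the m
    """
    honest = m - colluders
    majority = m // 2 + 1
    # Compromised target: honest voters flag it with probability 1 - p1,
    # colluders never do. A false negative is a vote that misses the majority.
    pfn = 1 - binom_tail(honest, 1 - p1, majority)
    # Good target: honest voters flag it with probability p2,
    # colluders always do, so fewer honest mistakes are needed.
    pfp = binom_tail(honest, p2, majority - colluders)
    return pfn, pfp


if __name__ == "__main__":
    # Constructed parameters, for illustration only.
    for m, bad in [(1, 0), (5, 0), (5, 1), (5, 2), (7, 2)]:
        pfn, pfp = voting_ids(m, p1=0.1, p2=0.1, colluders=bad)
        print(f"m={m} colluders={bad}  Pfn={pfn:.5f}  Pfp={pfp:.5f}")
```

With no colluders the vote drives both error rates well below p1 and p2; each undetected compromised voter moves them back up, which is why the detection interval matters for MTTSF.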
58. Security of RANETs
• Group communication amongst Robots
in RANETs using group key
• IDS checks for compromised nodes
• IDS may not detect (false negative)
• IDS may erroneously detect (false
positive)
• IDS may correctly detect and remove
• Node is excluded
• To maintain secure group
communication, key change is
necessary
J.-H. Cho, I.-R. Chen, and P.-G. Feng. Performance analysis of dynamic group communication
systems with intrusion detection integrated with batch rekeying in mobile ad hoc networks.
AINAW '08: Proceedings of the 22nd International Conference on Advanced Information
Networking and Applications - Workshops, pp. 644–649, Washington, DC, USA, 2008.
59. Rekeying in RANETs
• Rekeying frequency
▫ rekeying increases security
▫ rekeying increases load (cost)
▫ batch rekeying after n membership changes
• optimisation problem
▫ how often to change key for optimal performance
and security?
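The three rekeying strategies from the Rekeying Techniques slide and the frequency trade-off stated above can be compared by replaying one event trace through each. This is an added example, not code from the slides; the trace is constructed, and it assumes a batch rekey fires as soon as either counter reaches its threshold, that both counters then reset, and that "stale" (events after which an evicted node still holds the current group key) is a usable stand-in for the security cost.

```python
# Constructed membership trace: "evict" covers detected and falsely
# detected compromised nodes that the IDS removes from the group.
EVENTS = ["join", "join", "leave", "evict", "join", "leave",
          "leave", "evict", "join", "join", "leave", "join"]


def classify(policy, event):
    """Map an event to the counter it increments: 0 -> k1, 1 -> k2."""
    if policy == "TAUDT":   # k1: trusted join/leave, k2: evicted nodes
        return 0 if event in ("join", "leave") else 1
    if policy == "JALDT":   # k1: joins, k2: leaves and evicted nodes
        return 0 if event == "join" else 1
    raise ValueError(policy)


def simulate(policy, events, k1=1, k2=1):
    """Return (rekeys, stale) for one policy over a trace of events."""
    counts, pending_evicts, rekeys, stale = [0, 0], 0, 0, 0
    for ev in events:
        if policy == "individual":      # rekey on every membership change
            rekeys += 1
            continue
        counts[classify(policy, ev)] += 1
        pending_evicts += ev == "evict"
        if counts[0] >= k1 or counts[1] >= k2:
            rekeys += 1                 # batch rekey, counters start over
            counts, pending_evicts = [0, 0], 0
        elif pending_evicts:
            stale += 1                  # old key still known to an evicted node
    return rekeys, stale


if __name__ == "__main__":
    print("individual    ", simulate("individual", EVENTS))
    print("TAUDT k=(3,2) ", simulate("TAUDT", EVENTS, 3, 2))
    print("TAUDT k=(3,1) ", simulate("TAUDT", EVENTS, 3, 1))
    print("JALDT k=(3,2) ", simulate("JALDT", EVENTS, 3, 2))
```

Setting k2 = 1 in TAUDT removes the stale window at the price of two extra rekeys on this trace, which is the cost and security tension the optimisation problem has to resolve.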
61. Optimal Double Thresholds (k1 and k2)
[Figure panels: Mean Time to Security Failure; System Performance Metrics]
Parameters
• k1 rekey limit on (trusted) join and leave requests
• k2 rekey limit on detected and falsely detected compromised nodes
63. Optimal Intrusion Detection Interval
[Figure panels: Mean Time to Security Failure; System Response Time]
• TIDS = 480 optimises MTTSF for individual rekeying
• TIDS = 600 optimises MTTSF for threshold-based rekeying
• TIDS = 600 optimises response time for all rekeying strategies
64. Conclusions
• Security and performance of wireless group
communication system in RANETs
• Security is measured in terms of MTTSF
• Performance is measured in terms of response time
• The intrusion detection threshold and intrusion
detection interval are chosen so as to optimise those
measures
66. Future Work
After providing a comprehensive review and detailed
analysis of the performance-security trade-off in RANETs:
• The SPN model can be simulated in Java or any
other object-oriented language to study the effect of
changing system parameters.
• Combination of SPNs, QPNs and QNMs can be used
to study various aspects of RANETs more efficiently.