performance security tradeoff in robotic mobile wireless ad hoc networks

Performance versus Security Trade-off in RANETs

Muhammad Jawad Ikram

School of Computing, Informatics and Media, University of Bradford, UK.

2012

MSc Networks and Performance Engineering

Project Supervisor: Prof. Demetres D. Kouvatsos

Upload: muhammad-jawad-ikram

Post on 25-Jun-2015


DESCRIPTION

Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks using Stochastic Petri Nets


Page 2: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Project Objectives

• To gain deep insights into the workings of MANETs and RANETs and to understand the fundamental concepts.

• To understand the trade-off between Performance and Security in computer networks in general and in RANETs in particular.

• To understand the concepts of various performance-security analysis tools that include Petri Nets and their extensions, and gated queueing network model (G-QNM).

• To learn how to apply them to evaluate the performance and security in RANETs.

Page 3: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Motivation

• A robotic mobile wireless ad hoc network (RANET), with low operational cost, mobility and decentralized control, seems to be a most suitable architectural platform to support the dynamic nature of their applications.

• Security mechanisms, such as encryption or security protocols, come at a cost of extra computing resources and therefore have an adverse effect on a RANET's performance.

• Thus, it is vital to develop quantitative models and techniques, based on both performance and security metrics, for the analysis of RANETs.

Page 4: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Related Work

• Most of the relevant work is based on the papers of Wolter and Cho et al.

• Wolter has carried out a detailed literature review, mainly based on the combined study of performance and security.

• Wolter also proposes that Stochastic Petri Nets are the best tools to study the trade-off between performance and security.

• Cho et al. propose an SPN model with which they study group communication in MANETs.

• They obtained optimal settings for the system that satisfy both performance and security requirements.

Page 5: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

MANETs

• Characteristics, limitations and routing protocols of MANETs

• Advantages and applications of MANETs

Page 6: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

MANETs

• Characteristics of MANETs
▫ Communication via wireless means
▫ Nodes can perform the roles of both hosts and routers
▫ No centralized controller and infrastructure
▫ Dynamic network topology
▫ Frequent routing updates
▫ Autonomous, no infrastructure needed
▫ Can be set up anywhere

• Limitations of MANETs
▫ Limited resources
▫ Limited physical security
▫ Intrinsic mutual trust vulnerable to attacks
▫ Lack of authorization facilities
▫ Volatile network topology makes it hard to detect malicious nodes
▫ Route changes due to mobility
▫ Battery constraints

• Routing protocols of MANETs
▫ Proactive protocols (DSDV, OLSR, WRP, CRSR)
▫ Reactive protocols (DSR, LMR, AODV, ABR)
▫ Hybrid protocols (ZRP)

Page 7: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

MANETs - Advantages and Applications

Advantages

• Cost-effective

• Less setup time

• Network is formed on the fly and adapts to changes

• Easy to deploy

• Speed of deployment

• Less dependency on infrastructure

Applications

• Military or police exercises

• Disaster relief operations

• Mine site operations

• Urgent business meetings

• Robot data acquisition

Page 8: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

RANETs and Robotic Communications

• Why MANETs for RANETs?

• Basic modes of robot communications

• Mobile robot applications

• Challenges of RANETs

Page 9: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

RANETs and Robotic Communications

• Using low-cost solutions for wireless communication, robots should be developed to perform cooperative work successfully and to have the capability to construct a network.

• Why MANETs for RANETs?
▫ Low-powered transceivers allow only direct communication
▫ A centralized scheme is known to be susceptible as a single point of failure
▫ Using base stations increases the total cost of networks
▫ MANETs are suitable for unpredictable environments

Page 10: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

RANETs and Robotic Communications

• Basic modes of robot communication
▫ Communication between mobile robots and a fixed base station
▫ Communication between mobile robots without a base station
▫ Communication between individual components of the robot itself

• Mobile robot applications
▫ Robot soccer games
▫ Explosive ordnance or hazardous materials disposal
▫ Rescue and recovery operations
▫ Unmanned vehicles
▫ Planetary and volcano exploration

Page 11: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Challenges of RANETs

• Problems in control, perception and the intersection of communication that arise from the coordination of multiple autonomous robots have to be overcome.

• Fault localisation in RANETs
▫ The dynamically changing topology of MANETs, and thus of RANETs, requires an efficient fault management system to perform rapid intrusion detection and fault localisation (i.e., the process of deducing the exact source of a failure from a set of observed failure indications) and to provide suitable self-healing to mission-critical applications in a timely and efficient manner.

Page 12: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Analysis Tools

• Petri Nets

• Stochastic Petri Nets (SPNs)

• Generalised Stochastic Petri Nets (GSPNs)

• Gated Queueing Network Models (G-QNMs)

Page 13: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Petri Nets

• Formal notation

• Models concurrency, causality and conflict

• Gives the formalism an easier intuitive interpretation than the Markov process, at least for small or moderately sized models

• Introduced in 1960 for modelling a variety of concurrent systems

• Use for performance modelling originates from the 1980s

Page 14: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Petri Nets

• A Petri net is a four-tuple, i.e. PN = <P, T, I, O>

• P: a finite set of places, {P1, P2, ..., Pn}

• T: a finite set of transitions, {T1, T2, ..., Tn}

• I: an input function, (T x P) --> {0, 1}

• O: an output function, (T x P) --> {0, 1}

• M0: an initial marking, P --> N

• <P, T, I, O, M0> -- a marked Petri net

Page 15: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Petri net Marking

• The state of the Petri net system at any time is characterised by the distribution of tokens over the places, generally termed a marking: M : P --> N, where M(p) = n means that there are n tokens on place p.

Page 16: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

The Firing Rule

• A transition t is enabled in a marking M if all the pre-places of t (those connected by an input arc) have a marking that is greater than or equal to the multiplicity of that input arc.

•Otherwise t is said to be disabled.

•A transition which is enabled in M may fire.

•When t fires, a new marking is reached.

Page 17: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Reachability Graph

• Starting from an initial marking and following the firing rule we can progress through all the possible states/markings of the model.

• Continuing in this way, the reachability set is obtained that gives all the possible states of the model.

• Also called playing the token game.

• Initial marking is important.

• Different initial markings might lead to different reachability sets.

• While playing the token game, we come across all the possible states of the system; the reachability graph is obtained by recording the transitions between those states.

Page 18: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Example: Reachability Graph

[Figure, built up step by step over slides 18 to 27: a Petri net with places P1, P2, P3 and transitions T1, T2, together with its reachability graph, whose arcs are labelled T1 and T2.]

Markings of the reachability graph, in the order they are added:

M0 = (3, 2, 0)

M1 = (2, 2, 1)

M2 = (1, 2, 2)

M3 = (2, 2, 0)

M4 = (0, 2, 3)

M5 = (1, 2, 1)

M6 = (0, 2, 2)

M7 = (1, 2, 0)

M8 = (0, 2, 1)

M9 = (0, 2, 0)
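The token game from the slides above, as an added Python example (not part of the original presentation): it applies the firing rule breadth-first from M0 and reproduces the markings M0 to M9 in the order the slides list them. The arc structure is an assumption inferred from those markings, because the slide's figure did not survive: T1 moves one token from P1 to P3, T2 removes one token from P3, and P2 is left untouched.

```python
from collections import deque

PLACES = ("P1", "P2", "P3")

# Assumed arcs (inferred from the listed markings, not taken from the figure):
# transition -> (input arc multiplicities, output arc multiplicities)
TRANSITIONS = {
    "T1": ({"P1": 1}, {"P3": 1}),
    "T2": ({"P3": 1}, {}),
}


def enabled(marking, inputs):
    """Firing rule: every pre-place holds at least the input arc's multiplicity."""
    return all(marking[PLACES.index(p)] >= n for p, n in inputs.items())


def fire(marking, inputs, outputs):
    """Marking reached after consuming the input tokens and producing the outputs."""
    m = list(marking)
    for p, n in inputs.items():
        m[PLACES.index(p)] -= n
    for p, n in outputs.items():
        m[PLACES.index(p)] += n
    return tuple(m)


def reachability_graph(m0, transitions=TRANSITIONS, limit=10_000):
    """Breadth-first token game. Returns (markings in discovery order, edges)."""
    seen, order, edges = {m0}, [m0], []
    queue = deque([m0])
    while queue:
        m = queue.popleft()
        for name, (ins, outs) in transitions.items():
            if not enabled(m, ins):
                continue
            nxt = fire(m, ins, outs)
            edges.append((m, name, nxt))
            if nxt not in seen:
                if len(seen) >= limit:
                    # An unbounded net has an infinite reachability set.
                    raise RuntimeError("state space exceeds limit")
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order, edges


def dead_markings(order, edges):
    """Markings in which no transition is enabled."""
    with_successor = {src for src, _, _ in edges}
    return [m for m in order if m not in with_successor]


if __name__ == "__main__":
    order, edges = reachability_graph((3, 2, 0))
    for i, m in enumerate(order):
        print(f"M{i} = {m}")
    for src, t, dst in edges:
        print(f"{src} --{t}--> {dst}")
    print("dead:", dead_markings(order, edges))
```

Starting from a different initial marking, for instance (1, 2, 0), yields a smaller reachability set, which is the point the slides make about the initial marking.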

Page 28: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Stochastic Petri Nets

• Emerged as a modelling formalism for performance analysis in the early 1980s.

• An exponentially distributed delay is associated with the firing of each transition.

• The delay occurs between when the transition becomes enabled and when it fires.

• The reachability graph of an SPN forms the state transition diagram of an underlying Markov process.

Page 29: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Generalised Stochastic Petri Nets

• Generalised Stochastic Petri Nets (GSPNs) represent an extension of the SPN formalism.

• Two new primitives are added to the notation:
▫ immediate transitions
▫ inhibitor arcs

Page 30: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Immediate Transitions

• Immediate transitions describe events that are assumed to take no time.

• They have priority over any enabled timed transitions.

• Two or more immediate transitions can be enabled at the same time.

• The probability that each of them is the one to fire must be declared in the model.

Page 31: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Immediate Transitions

• Immediate transitions usually represent control and logical actions.

• The control actions ensure the correct behaviour of the model and are executed in negligible time.

• Logical actions happen when there are two or more alternatives and the system makes a choice amongst them.

• Immediate actions give an additional tool for abstraction within the model.

Page 32: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Inhibitor Arcs

• An inhibitor disables a transition, rather than enables it.

• An inhibitor arc from a place to a transition means the transition cannot fire if there is a token in the place.

• It can fire when there is no token in the place.

• The inhibitor arcs impose an additional constraint to the usual firing rule.

Page 33: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Gated QNMs

• A RANET node with a gated queue, in two equivalent ways.

Page 34: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Gated QNMs

RANET node with Intermittent Link (i) and Intermittent Server (ii)

Page 35: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Performance-Security Trade-off

• Motivation

• Performance Models

• Performance Metrics

• Security Measurements and Metrics

• Modeling Security with GSPN

• Combined Performance-Security Model

• Performance-Security Trade-off in RANETs

• Security Attacks in RANETs

• Rekeying and IDS Techniques

• System Model

• Results and Analysis

Page 36: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Motivation

• What does the Performance-Security trade-off mean?

• How to measure Performance?

• How to measure Security?

• What are the costs of Performance?

• What are the costs of Security?

• Can we trade one against the other?

Page 37: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Performance-Security Trade-off

•A situation in which one quality or feature of something is lost in return for gaining another quality or feature is called trade-off.

•The performance-security trade-off means that both performance and security can be measured together and if we want to improve one, we have to pay in terms of the other.

Page 38: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Performance Measurement - Motivation

• To know the cost of an activity.

• To identify the connection between parts of the system.

• To identify the number of operations.

• To study the effects of growing traffic on the system.

• To determine the think time of the system.

Page 39: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Performance Models

• Markov Chains

• Queueing Network Models

• Petri Net Models

Page 40: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Performance Metrics

Typical performance metrics for RANETs include:

• Throughput

• Packet Loss Probability

• End-to-End Delay

• Average Number of Hops

• Optimal Number of hops

• Routing Overhead

• Channel Utilization

• Energy/Power consumption

Page 41: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Security Measurement - Motivation

• To minimize security costs.

• According to a Forrester Research survey of 28 companies held in 2007, security breaches cost $90 to $305 per lost record, and 25% of respondents do not know how to quantify that loss.

Page 42: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Security Engineering

• Prevention
▫ Protection of data and communication is needed to avoid security breaches.

• Diagnosis/Detection
▫ It is important to identify whether and when a security incident has occurred.

• Response
▫ Security attacks should be stopped immediately to avoid further damage.

• Recovery
▫ Recovery from a security breach should be performed. A new key should be assigned for encryption.

Page 43: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Measuring Security

• Using the approach of reliability, the system may be assumed to be in one of the following states:
▫ Secure state,
▫ Insecure state, or
▫ Recovery state between insecure and secure.

The state of the system may change from secure to insecure, from insecure to recovery and from recovery back to secure.

Page 44: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Measuring Security

[Figure: timeline along the time axis t, marking the instants t1, td1, tr1, t2, td2, tr2 and the intervals TBI, TTID, TTIR and TBDR.]

Security incidents occur at times t1, t2, t3, ..., tn. Incident i occurs at time ti and is followed by its detection at time tdi and by recovery from the incident at time tri.

Page 45: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Security Metrics 

Page 46: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Modeling Security with GSPN

[Figure: GSPN security model. Labels in the figure: secure, fail, insecure, detect, restoring, recover.]
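The three-state security model above, solved as the Markov process underlying the SPN, as an added Python example (not part of the original presentation). It assumes the cycle secure -fail-> insecure -detect-> restoring -recover-> secure with exponentially distributed firing delays; the rates are constructed for illustration and are not results from the project.

```python
from fractions import Fraction

STATES = ("secure", "insecure", "restoring")


def generator(fail, detect, recover):
    """Generator matrix Q of the assumed cycle
    secure -fail-> insecure -detect-> restoring -recover-> secure.
    Each argument is the rate of one exponentially timed transition."""
    f, d, r = (Fraction(x) for x in (fail, detect, recover))
    return [
        [-f, f, 0],
        [0, -d, d],
        [r, 0, -r],
    ]


def steady_state(q):
    """Solve pi * Q = 0 with sum(pi) = 1 exactly by Gauss-Jordan elimination."""
    n = len(q)
    # Rows of the augmented system are the balance equations (Q transposed);
    # the last one is redundant and is replaced by the normalisation condition.
    a = [[Fraction(q[j][i]) for j in range(n)] + [Fraction(0)] for i in range(n)]
    a[-1] = [Fraction(1)] * n + [Fraction(1)]
    for col in range(n):
        pivot = next(row for row in range(col, n) if a[row][col] != 0)
        a[col], a[pivot] = a[pivot], a[col]
        a[col] = [x / a[col][col] for x in a[col]]
        for row in range(n):
            if row != col and a[row][col] != 0:
                factor = a[row][col]
                a[row] = [x - factor * y for x, y in zip(a[row], a[col])]
    return [a[i][n] for i in range(n)]


def secure_fraction(fail, detect, recover):
    """Long-run fraction of time the system spends in the secure state."""
    return steady_state(generator(fail, detect, recover))[0]


if __name__ == "__main__":
    # Constructed rates per hour: one incident per 100 h, recovery takes 4 h.
    fail, recover = Fraction(1, 100), Fraction(1, 4)
    for mean_detect in (Fraction(2), Fraction(1, 2)):
        pi = steady_state(generator(fail, 1 / mean_detect, recover))
        row = ", ".join(f"{s}={float(p):.4f}" for s, p in zip(STATES, pi))
        print(f"mean time to detect {float(mean_detect)} h: {row}")
```

Detecting faster raises the secure fraction, but in the models discussed here each detection run also consumes resources, which is where the trade-off against response time comes from.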

Page 47: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Combined Performance-Security Model

Page 48: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Performance-Security Trade-off in RANETs

• Two metrics are taken into account:
▫ Security is measured in terms of mean time to security failure (MTTSF).
▫ Performance is measured in terms of service response time (R).

• The main objective is to find optimal settings, which include the best intrusion detection interval and the best batch rekey interval, under which MTTSF is maximized while satisfying the performance requirement in terms of R.

Page 49: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Security Attacks in RANETs

• Outsider attacks
▫ come from outside of the network,
▫ for example, if an external intruder attempts to gain unauthorized access to the group communication in the system;
▫ can be controlled by prevention methods like authentication and encryption.

• Insider attacks
▫ come from trusted members who become compromised for some reason.
▫ They can share the group key with outsider attackers to break the security of the system.
▫ Intrusion detection system (IDS) methods are developed to detect compromised nodes and evict them from group formation to achieve better security.

Page 50: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Rekeying Techniques

• Individual rekeying
▫ Rekeying is performed each time a robot joins or leaves the system, or if a compromised node is removed from the system.

• Trusted And Untrusted Double Threshold-based rekeying (TAUDT)
▫ Rekeying is performed when the thresholds (k1, k2) are reached:
   k1 = rekey limit on (trusted) join and leave requests.
   k2 = rekey limit on detected and falsely detected compromised nodes.

• Join And Leave Double Threshold-based rekeying (JALDT)
▫ Rekeying is performed when the thresholds (k1, k2) are reached:
   k1 = rekey limit on join requests.
   k2 = rekey limit on leave requests and evicted nodes.

Page 51: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

IDS Techniques

• Host-based IDS
▫ A local detection is performed by each node (robot) to determine whether a neighbouring node is compromised.
▫ Characterized by false negative and false positive probabilities p1 and p2.

• Voting-based IDS
▫ Voting is performed by m vote participants against a periodically selected node, called the target node.
▫ If the majority of votes go against the target, then the target node is evicted from the system.
▫ Characterized by false negative and false positive probabilities Pfn and Pfp.

Page 52: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Security of RANETs

[Built up step by step over slides 52 to 58.]

• Group communication amongst robots in RANETs using group key

• IDS checks for compromised nodes

• IDS may not detect (false negative)

• IDS may erroneously detect (false positive)

• IDS may correctly detect and remove

• Node is excluded

• To maintain secure group communication, key change is necessary

Performance analysis of dynamic group communication systems with intrusion detection integrated with batch rekeying in mobile ad hoc networks. J.-H. Cho, I.-R. Chen, and P.-G. Feng. AINAW '08: Proceedings of the 22nd International Conference on Advanced Information Networking and Applications - Workshops, pp. 644-649, Washington, DC, USA, 2008.

Page 59: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Rekeying in RANETs

• Rekeying frequency
▫ rekeying increases security
▫ rekeying increases load (cost)
▫ batch rekeying after n membership changes

• Optimisation problem
▫ how often to change the key for optimal performance and security?

Page 60: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

SPN Model

Page 61: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Optimal Double Thresholds (k1 and k2)

[Plots: Mean Time to Security Failure; System Performance Metrics]

Parameters

• k1: rekey limit on (trusted) join and leave requests

• k2: rekey limit on detected and falsely detected compromised nodes

Page 62: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Intrusion Detection Interval

• Rekeying strategies
▫ individual rekeying (after each join, leave, evict event)
▫ threshold-based rekeying
   TAUDT: k1, k2 as above
   JALDT: k1 = limit on join requests, k2 = limit on leave requests and evicted nodes.

• Parameters
▫ Investigate optimal IDS interval (firing time)
▫ Set TAUDT: (k1, k2) = (4,1), JALDT: (k1, k2) = (5,2) (enabling condition)

Page 63: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Optimal Intrusion Detection Interval

[Plots: Mean Time to Security Failure; System Response Time]

• TIDS = 480 optimises MTTSF for individual rekeying

• TIDS = 600 optimises MTTSF for threshold-based rekeying

• TIDS = 600 optimises response time for all rekeying strategies

Page 64: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Conclusions

• Security and performance of wireless group communication system in RANETs

• Security is measured in terms of MTTSF

• Performance is measured in terms of response time

• Intrusion detection threshold and intrusion detection interval are chosen so as to optimise those measures

Page 65: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Future Work

• Future work

• Proposed SPN Model

Page 66: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Future Work

After providing a comprehensive review and detailed analysis of the performance-security trade-off in RANETs,

• The SPN model can be simulated in Java or any other object-oriented language to study the effect of changing system parameters.

• A combination of SPNs, QPNs and QNMs can be used to study various aspects of RANETs more efficiently.

Page 67: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Proposed SPN Model with Gated Queue

Page 68: Performance security tradeoff in Robotic Mobile Wireless Ad hoc Networks

Questions