Distributed Algorithms for Secure Multipath Routing
Patrick P. C. Lee, Vishal Misra, Dan Rubenstein
Distributed Network Analysis (DNA) Lab, Columbia University
March 17, 2005
Outline
Motivation: Why do we use multipath routing to achieve security?
Security objectives
Distributed algorithms:
  Bound-Control algorithm
  Lex-Control algorithm
Simulation results
Motivation
Problem of single-path routing:
[Figure: network diagram with source and sink]
An attack/failure shuts down the entire session.
Motivation
Protection with multipath routing:
[Figure: network diagram with source and sink]
An attack/failure causes less damage.
Goals
Determine the multipath routes that achieve the “best” security:
  Minimize the worst-case data loss with/without bandwidth constraints
  Minimize “severe” data loss with/without bandwidth constraints based on lexicographic optimization
Implement a distributed solution:
  No need to know the global network topology
  Allow nodes to locally decide link costs
  Suitable for independently administered networks (e.g., RON)
Previous Work
Lexicographic optimization:
  Minimize a non-increasing link-cost sequence a = (a_1, a_2, …, a_n)
  Find a*, where a* = (a_1*, a_2*, …, a_n*) ≤ a = (a_1, a_2, …, a_n) for every link-cost sequence a
Georgiadis et al.’s solution [ToN ’02]:
  Recursively solve minimax problems on subgraphs
  Limitations:
    Centralized solution
    Does not consider varied bandwidth constraints
Our Work
Develop two distributed algorithms, Bound-Control and Lex-Control:
  Support fixed-rate model and maximal-rate model
    Fixed rate: a data session sends data at a fixed rate
    Maximal rate: a data session sends data at the maximal rate across all network links (i.e., equiv. to min-cut)
  Suitable for overlay networks and ad hoc networks
Prove their optimality in response to single-link attacks.
Evaluate the algorithms via simulations in response to single-link and multi-link attacks.
Model Assumptions
Static network topology
Single source-sink pair
  Easily generalized to networks with multiple customers/providers
Infrequent link attacks/failures
  Optimize solutions for single-link attacks
  Evaluate performance for both single-link and multi-link attacks
How to Quantify the Cost of a Single-link Attack?
Attack cost of link l: a_l = x_l * c_l
  x_l – proportion of session data allocated to link l
  c_l – security constant
    Measure the vulnerability of link l to an attack
    Possible physical interpretations:
      Attack success probability
      Proportion of x_l lost during an attack
In practice, security constants can be obtained from security monitoring systems or statistical measurements
Example of Setting Security Constants
In subsequent discussion of objectives, assume c_l = 1 for all links, i.e., attack cost = data loss.
[Figure: source-to-sink network with a wireless link and a wired link]
Wireless link: more vulnerable to attacks (e.g., c_l = 0.9)
Wired link: less vulnerable to attacks (e.g., c_l = 0.1)
Objective 1
Minimize the worst-case data loss under the single-link attack
[Figure: source-to-sink network, fixed data rate 10 Mb/s, labelled links each carrying 5 Mb/s. One possible data allocation.]
Objective 1
[Figure: source-to-sink network, fixed data rate 10 Mb/s, labelled links each carrying 5 Mb/s. Another possible data allocation.]
Objective 1
Worst-case data loss cannot be less than 50%
[Figure: source-to-sink network, fixed data rate 10 Mb/s, labelled links each carrying 5 Mb/s. Another possible data allocation.]
Objective 2
Minimize the worst-case data loss subject to bandwidth constraints
[Figure: source-to-sink network, fixed data rate 10 Mb/s, with a bandwidth-limited link (only 4 Mb/s allowed); labelled links carry 6 or 4 Mb/s]
[Figures: two further data allocations on the same network, with link values between 2 and 6 Mb/s]
Objective 3
Minimize the ith worst-case data loss subject to bandwidth constraints, given already minimized attack costs for the worst-case, 2nd worst-case, …, (i-1)th worst-case.
Lexicographic Optimization
[Figure: two data allocations with fixed data rate 10 Mb/s and a bandwidth-limited link (only 4 Mb/s allowed)]
(6, 6, 6, 4, 4, 4, 0, 0, 0, 0)
(6, 4, 3, 3, 3, 3, 2, 2, 2, 2)
Solving Objective 1: Preflow-Push
Map minimax problem to max-flow problem
Preflow-push algorithm [Goldberg & Tarjan, 89]:
  Nodes find the maximum flow from source to sink in a distributed fashion.
Basic idea of solving Objective 1 [Ahuja, 86]:
  Each node sets capacity constraints of its outgoing links: cap(l) = 1/c_l.
  Nodes solve max-flow problem under capacity constraints in a distributed fashion.
  Each node allocates data for its outgoing links: (link flow) / (max flow).
Solving Objective 2: Bound-Control
Bandwidth constraint: fraction bound b_l
  b_l = (bandwidth of link l) / (session data rate)
Capacity constraint: cap(l) = min(1/c_l, b_l * f)
  f = flow reaching the sink
  Upper bound in max-flow problem
Basic idea of solving Objective 2:
  Repeat
    Distributed execution of Preflow-Push
    Each node adjusts capacity constraints for its outgoing links
  Until capacity constraints satisfied
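An added sketch, not the authors' code, of the Objective 1 and Objective 2 procedures above, run centrally: Edmonds-Karp stands in for distributed Preflow-Push, and the Bound-Control loop is one reading of the repeat/until step on the slide. The function names and sample topology are assumptions, as are the requirements that every c_l > 0 and that the bounds b_l admit some allocation of the full session.

```python
from collections import deque

def max_flow(caps, s, t):
    """Edmonds-Karp on {(u, v): capacity}; assumes no anti-parallel links."""
    res = {}
    for (u, v), c in caps.items():
        res.setdefault(u, {})[v] = c
        res.setdefault(v, {}).setdefault(u, 0.0)
    total = 0.0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:      # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, r in res[u].items():
                if r > 1e-12 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:                   # no path left: return value and link flows
            return total, {(u, v): c - res[u][v] for (u, v), c in caps.items()}
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= push
            res[v][u] += push
        total += push

def objective1(links, s, t):
    """links: {(u, v): (c_l, b_l)}. cap(l) = 1/c_l; x_l = link flow / max flow."""
    f, flow = max_flow({l: 1.0 / c for l, (c, _) in links.items()}, s, t)
    return {l: flow[l] / f for l in links}

def bound_control(links, s, t, tol=1e-9):
    """Re-run max-flow with cap(l) = min(1/c_l, b_l*f) until f stops shrinking."""
    f, _ = max_flow({l: 1.0 / c for l, (c, _) in links.items()}, s, t)  # upper bound
    while True:
        caps = {l: min(1.0 / c, b * f) for l, (c, b) in links.items()}
        f_new, flow = max_flow(caps, s, t)
        if f - f_new < tol:   # flow[l] <= b_l * f_new within tol: bounds satisfied
            return {l: flow[l] / f_new for l in links}
        f = f_new

def worst_case(links, x):
    return max(x[l] * links[l][0] for l in links)   # max attack cost a_l = x_l * c_l

# Constructed sample: two disjoint paths, c_l = 1; link (s, b) may carry only
# 4 Mb/s of a 10 Mb/s session, so b_l = 0.4 (b_l = 1.0 means unconstrained).
LINKS = {("s", "a"): (1.0, 1.0), ("a", "t"): (1.0, 1.0),
         ("s", "b"): (1.0, 0.4), ("b", "t"): (1.0, 1.0)}
```

On this sample `objective1` splits the session evenly across the two paths, while `bound_control` shifts it to 0.6 and 0.4, matching the 6/4 Mb/s allocation in the Objective 2 figure.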
Solving Objective 3: Lex-Control
Basic idea – solve lexicographic optimization:
  Repeat
    Distributed execution of Bound-Control
    Each node identifies critical links among its outgoing links
  Until all critical links spotted
Critical Links
  Links whose data allocation has to be fixed to preserve the optimal attack cost
In practice, Lex-Control provides the necessary resilience in 3 or 4 lexicographic iterations.
Recap of Algorithms
[Figure: Lex-Control algorithm (lexicographic iteration), Bound-Control algorithm, Preflow-Push algorithm]
Hierarchical solution to the three security objectives
Experimental Setup
Consider three random networks generated by BRITE:
  200 nodes, 600 links
  200 nodes, 800 links
  200 nodes, 1000 links
Randomly assign security constants (0 to 1) and bandwidths (1 to 5 Mb/s) for all links
Metrics:
  Attack cost
  Number of executions of Preflow-push
  Routing overhead
Experiment 1 – Bound-Control
[Figure: minimized worst-case attack cost vs. different session throughputs]
Experiment 1 – Bound-Control
Single shortest path approach
Network setting           Attack cost
200 nodes, 600 links      0.73
200 nodes, 800 links      0.72
200 nodes, 1000 links     0.78
Bound-Control (for maximal-rate model)
Network setting           Attack cost
200 nodes, 600 links      0.34
200 nodes, 800 links      0.19
200 nodes, 1000 links     0.16
Bound-Control reduces the worst-case attack cost by 50-70%.
Experiment 2 – Lex-Control
[Figure: number of links with severe attack cost vs. number of lexicographic iterations]
Attack cost is severe if it’s at least 25% of the worst-case attack cost.
E.g., for the attack-cost sequence (1, 0.5, 0.25, 0.1, 0.1), number of links with severe attack cost is 3.
Summary of Experiments
Bound-Control vs. Single-Path Routing:
  Reduce the worst-case attack cost by 50-70%
Lex-Control vs. Bound-Control:
  Reduce # of links with severe attack costs by ~50%
  Reduce aggregate attack cost in multi-link attacks:
    by ~40% in the uniform 50-link attack
    by ~23% in the proportional 5-link attack
    by ~12% in the worst-case 5-link attack
3 or 4 lexicographic iterations are enough
Conclusions
In this talk:
  Proposed two distributed algorithms, Bound-Control and Lex-Control, that optimize respective security objectives.
  Illustrated performance of Bound-Control and Lex-Control via simulation analysis.
More details in the paper:
  Optimality proof
  Simulation results for multi-link attacks