Citation
Modeling and monitoring the impact of cyber exploits on computer communications networks

Material Information

Title:
Modeling and monitoring the impact of cyber exploits on computer communications networks
Creator:
Mohamed, Ali
Publication Date:
Language:
English
Physical Description:
xi, 90 leaves : ; 28 cm

Subjects

Subjects / Keywords:
Computer networks -- Security measures ( lcsh )
Hackers ( lcsh )
Computer crimes -- Mathematical models ( lcsh )
Genre:
bibliography ( marcgt )
theses ( marcgt )
non-fiction ( marcgt )

Notes

Bibliography:
Includes bibliographical references (leaves 86-90).
General Note:
Department of Electrical Engineering
Statement of Responsibility:
by Ali Mohamed.

Record Information

Source Institution:
|University of Colorado Denver
Holding Location:
|Auraria Library
Rights Management:
All applicable rights reserved by the source institution and holding location.
Resource Identifier:
747818646 ( OCLC )
ocn747818646
Classification:
LD1193.E54 2011m M63 ( lcc )

Full Text
H
MODELING AND MONITORING THE IMPACT OF CYBER EXPLOITS ON
COMPUTER COMMUNICATION NETWORKS
By
Ali Mohamed
B.S., Sebha University, 1999
A thesis submitted to the
University of Colorado Denver
in partial fulfillment
of the requirements for the degree of
Master of Science
Electrical Engineering
2011


This thesis for the Master of Science
degree by
Ali Mohamed
has been approved
By
Hamid Fardi
Jan Bialasiewicz
Date


Mohamed, Ali (M.S, Electrical Engineering)
Modeling and Monitoring the Impact of Cyber Exploits on Computer Communication
Networks
Thesis directed by professor Titsa Papantoni
ABSTRACT
Network routers play a key role in data transports and consequently become attractive
targets to adversary attacks. By manipulating, diverting or dropping data packets
arriving at a compromised router, an adversary can mount denial-of-service,
surveillance or man-in-the-middle attacks.
In this thesis, we are focusing on the forms of malicious data forwarding attacks on
compromised routers and their impact on the network performance, as well as on the
development of techniques for detecting their presence. Our search is implemented
via the following constructive steps:
-We identify, categorize and model the various forms of malicious forwarding threats
on routers.
-We identify the operational performance metrics for networks, as evolving in time
and set their boundaries associated with satisfactory operation.
-We study the effect of each router attack on the network operational performance
metrics.
-Finally, we develop techniques for monitoring and detecting changes in the network
operational performance metrics, as affected by the adopted adversary models.
This abstract accurately represents the content of the candidates thesis. I recommend
its publication
signed.
Titsa Papantoni


DEDICATION
I dedicate this thesis to my parents, who gave me an appreciation of learning and
taught me the value of perseverance and resolve. I also dedicate this to my wife, for
her unfaltering support and understanding while I was completing this thesis.


ACKNOWLEDGEMENTS
This thesis was partially supported by U.S. Air Force Office of Scientific Research,
via a subcontract to UC Denver from the contract AFOSR FA9550-05-1-0388 to
George Mason University.
Special thanks to my advisor, Dr. Titsa Papantoni, for her guidance that kept me on
track and for her patience with me during this past year. An additional thanks goes
out to Dr. Hamid Fardi and Dr. Jan Bialasiewicz my thesis committee at the
University of Colorado at Denver.


TABLE OF CONTENTS
Figures........................................................................viii
Tables.......................................................................xi
Chapter
1 .Introduction...............................................................1
1.1 Network and System Model..................................................4
1.2 Simulation and Study of the System Model.................................7
1.2.1 Simulation and Study Regarding the Effect of Changing Buffer Size on the
Rejection Rate and the Expected Message Delay................................8
1.2.2 Simulation and Study the effect of Change the Admission Delay Constraint
on the Rejection rate and the Expected Message Delay.........................11
2. Threats Categorization and Modeling.......................................14
2.1 Threats Categorization..................................................14
2.1.1 Packet Loss............................................................14
2.1.2 Packet Fabrication.....................................................14
2.1.3 Packet Modification....................................................15
2.1.4 Packet Reordering......................................................15
2.1.5 Time Behavior..........................................................15
2.2 Threats Modeling........................................................15
2.2.1 Modeling the Packet Fabrication........................................15
2.2.2 Modeling the Packet Modification.......................................16
2.2.3 Modeling the Packet Reordering.........................................18
2.2.4 Modeling the Time Behavior Exploits....................................18
VI


2.3 Simulation and Study the Threats Model...................................19
2.3.1 Simulation and Study the Effect of Packet Fabrication..................19
2.3.2 Simulation and Study the Effect of Packet Modification.................26
2.3.3 Simulation and Study the Effect of Time behavior exploits..............28
3. Threats Monitoring and Detection...........................................33
3.1 Sequential Algorithms for the Detection of Changes in
Data Generating Processes.....................................................33
3.2 Sequential Algorithms between Poisson Processes..........................37
3.3 Sequential Algorithms to Detect the Change in
the Distribution of the Delay................................................39
3.4 Threshold Selection......................................................41
3.5 Simulation and Study of the Sequential Algorithms
between Poisson Processes.....................................................43
3.6 Simulation and Study for the Detection of Change in
Delay Distribution the packet Fabrication Model (a).........................56
3.7 Simulation and Study for Detection of Change in
the Delay Distribution the Time Behavior Exploits...........................60
4. Conclusions...............................................................67
Appendix
A.Matlab programs.............................................................70
References....................................................................86
vii


FIGURES
Figure
1.1- Illustration of the transmission for n-th message.............................7
1.2 - The rejection rates for different buffer sizes...............................9
1.3- Expected message delay for different buffers...................................10
1.4 - Expected message delay versus buffer size....................................10
1.5 - The rejection rate for different admission delays constraint.................12
1.6- The expected message delay for different admission delay constraints...........13
2.1 - The change on the rejection rate for packet fabrication model (a)............20
2.2 - The delay distribution before cyber attacks..................................21
2.3 - The delay distribution after adding additional attack messages with
average length 1....................................................................22
2.4 - The delay distribution after adding additional attack messages with
average length 2....................................................................23
2.5 - The effect of packet fabrication model (b) on the rejection rate.............24
2.6 - The delay distribution after inject Poisson stream of packets with rate 0.06.25
2.7 - The delay distribution after inject Poisson stream of packets with rate 0.1..26
2.8 - The change in the rejection rate after the modification packets..............27
2.9 The rejection rate before and after the time behavior exploits................29
2.10 The delay distribution before the time behavior exploits.....................30
2.11 - The delay distribution after the time behavior exploits average delay (100)....31
2.12 - The delay distribution after the time behavior exploits average delay (200)...32
3.1- False alarm and power curves for the m to / monitoring algorithm
threshold values 8 <8..................................................42
viii


3.2- False alarm and power probability values against n for the thresholds
values 105 and 110.......................................................44
3.3- Expected stopping time, A0 = .06, a0 = 2 , v0 = .02...............44
3.4- Expected stopping time, A0 = .06, a0 = 2 , vx = .025..............45
3.5- Expected stopping time, A0 = .06 , a0 = 2 , v2 = .03...............45
3.6- Expected stopping time, A1 = 0.1, a0 = 2 , v0 = .02...............46
3.7- Expected stopping time, 0.1, a0 = 2 , vx = .025..............46
3.8- Expected stopping time, Aj = 0.1, a0 = 2 ,v2 = .03..................47
3.9- Expected stopping time, A0 = .06 ax = 3 v0 = .02................47
3.10- Expected stopping time, A0 = .06 ax = 3 Vj = .025..............48
3.11- Expected stopping time, A0 = .06, ax = 3 ,v2 = .03.................48
3.12- Expected stopping time, Ax = 0.1, = 3 v0 = .02...................49
3.13- Expected stopping time, Ax = 0.1, = 3 ,vx = .025..................49
3.14- Expected stopping time, Ax = 0.1, = 3 v2 = .03..................50
3.15- The expected stopping time versus the attacker rate for algorithm 1.50
3.16- False alarm and power probability values against n for the thresholds
Values 65 and 75....................................................52
3.17- Expected stopping time, A0 = .09 , a = 2 v0 = .02 ...............52
3.18- Expected stopping time, A0 = .09 , a = 2 vx = .025 ..............53
3.19- Expected stopping time, A0 = .09, a = 2 v2 = .03.................53
3.20- Expected stopping time, Aj = 0.2 a = 2 ,vo = .02.................54
3.21- Expected stopping time, Ax = 0.2 , a = 2 vx = .025...............54
3.22- Expected stopping time, Ax = 0.2 , a = 2 v2 = .03................55
3.23- Expected stopping time versus the attacker rate for algorithm 2.....55
3.24- False alarm and power probability values against n for different
thresholds values 1600 and 2000.....................................58
IX


3.25- Expected stopping time when the attacker adds messages with
average length 1 Packet................................................58
3.26- Expected stopping time when the attacker adds messages with
average length 2 packets...............................................59
3.27- Expected stopping time when the attacker adds messages with
average length 3 Packets...............................................59
3.28- False alarm and power probability values against n for different
thresholds values 2500 and 2800........................................61
3.29- Expected stopping time for the average attacker delay 50 slots........61
3.30- Expected stopping time for the average attacker delay 100 slots.......62
3.31- Expected stopping time for the average attacker delay 150 slots.......62
3.32- False alarm and power probability values against n for different thresholds
values 1600 and 1800...................................................63
3.33- Expected stopping time for the average attacker delay 50 slots........64
3.34- Expected stopping time for the average attacker delay 100 slots.......64
3.35- Expected stopping time for the average attacker delay 150 slots.......65
3.36- The expected stopping time versus the average attacker delay..........65


TABLES
Table
1.1 - The rejection rates for different buffers...................................8
1.2- The rejection rate for different admission delays constraint..................11
2.1 - The effect of packet fabrication model (a) on the rejection rate.............19
2.2 - The effect of packet fabrication model (b) on the rejection rate.............24
2.3 - The change in the rejection rate after the modification packets..............27
2.4 - The change in the rejection rate after the time behavior exploits............28
XI


1. Introduction
Routers play a key role in modem packet switched network. To a first
approximation, networks can be modeled as a series of point-to-point links
connecting pairs of routers to form a directed graph. Since few endpoints are directly
connected, data must be forwarded hop-by-hop from router to router, towards its
ultimate destination. Therefore, if a router is compromised, it stands to reason that an
attacker may drop, delay, reorder, corrupt, modify or divert any of the packets passing
through. Such a capability can then be used to deny service to legitimate hosts, to
implement ongoing network surveillance or to provide an efficient man-in-the-middle
functionality for attacking end systems. Moreover, such attacks are not mere
theoretical curiosities, but they are actively employed in practice. Attackers have
repeatedly demonstrated their ability to compromise routers, through combinations of
social engineering and exploitation of weak passwords or latent software
vulnerabilities [2,21,27]. Once a router is compromised an attacker need not modify
the routers code base to exploit its capabilities. Current standard command line
interfaces from vendors such as Cisco and Juniper are sufficiently powerful to drop
and delay packets, send copies of packets to a third party, or divert packets through
a third party and back. In fact, several widely published documents provide a standard
cookbook for transparently tunneling packets from a compromised router through
an arbitrary third-party host and back again effectively amplifying the attackers
abilities, including arbitrary packet sniffing, injection or modification [18, 45]. Such
attacks can be extremely difficult to detect manually, and it can be even harder to
isolate which particular router or group of routers has been compromised. The
problem of detecting and removing compromised routers can be thought of as an
instance of anomalous behavior-based intrusion detection. That is, a compromised
1


router can potentially be identified by correct routers when it deviates from
exhibiting expected behavior. This problem can be broken into three distinct sub
problems:
1. Traffic validation.
Traffic information is the basis of detecting anomalous behavior: given traffic
entering a part of the network, and an expected behavior for the routers in the network
(i.e. a known routing configuration), anomalous behavior is detected when the
monitored traffic leaving one part of the network differs significantly from what is
expected. However, implementing such validation practically can be quite tricky and
requires tradeoffs between the overhead of monitoring, communication and accuracy.
2. Distributed detection.
It is impossible for a single router to establish that its neighbor is anomalous. Any
such detection requires synchronizing a collection of traffic information and
distributing the results so that anomalous behavior can be detected by sets of correct
routers.
3. Response.
Once a router, or set of routers, is thought to be faulty, the forwarding tables of
correct routers must be changed to avoid using those compromised nodes. In
addition, over longer time scales an appropriate alert must be raised so human
forensic experts can respond appropriately.
There are two threats posed by a compromised router: the attacker may attack by
means of the routing protocol (for example, by sending false advertisements) or by
having the router violate the forwarding decisions it should make based on its routing
tables. The first situation is often referred to as an attack on the control plane, while
the second is termed an attack on the data plane. The first threat has received, by far,
the lions share of the attention in the research community, perhaps due its potential
for catastrophic effects. By issuing false routing advertisements, a compromised
2


router may manipulate how other routers view the network topology, and thereby
disrupt service globally. For example, if a router claims that it is directly connected to
all possible destinations, it may become a black hole for most traffic in the network.
While this problem is by no means solved in practice, there has been significant
progress towards this end in the research community, beginning with the work of
Perlman. In her PhD thesis [36], Perlman described robust flooding algorithms for
delivering the key state across any connected network and a means for explicitly
signing route advertisements. There have subsequently been a variety of efforts to
impart similar guarantees to existing routing protocols with varying levels of cost and
protection based on ensuring the authenticity of route updates and detecting
inconsistency between route updates [12, 15, 19, 22, 24, 26, 42,44]. By contrast, the
threat posed by subverting the forwarding process has received comparatively little
attention. This is surprising since, in many ways this kind of attack presents a wider
set of opportunities to the attacker not only denial-of-service, but also packet
sniffing, modification and insertion- and is both trivial to implement (a few lines
typed into a command shell) and difficult to detect. Here, we focus entirely on the
problem of malicious forwarding. The earliest work on fault-tolerant forwarding is
also due to Perlman [36, 37]. Perlman developed a novel method for robust routing
based on source routing, digitally signed route-setup packets, reserved buffers.
However, many implementation details are left open and the protocol requires higher
network level participation to detect anomalies. Several researchers have
subsequently proposed lighter-weight protocols for actively probing the forwarding
path to test for consistency with advertised routes. Subramanian et als Listen
protocol [44] does this by comparing TCP Data and Acknowledgment packets to
provide evidence that a path is part of end-to-end connectivity. This approach only
tests for gross connectivity and cannot reveal whether packets have been diverted,
modified, created, reordered or selectively dropped. Padmanabhan and Simons
Secure Traceroute [35] achieves a similar goalmonitoring the traffic to the
3


intermediate routers. Recently, Avramopoulos et al. [3, 4] presents a secure routing a
combination of source routing, hop by hop authentication, end-to-end reliability
mechanisms and timeouts. But still it has a high overhead to be deployable in modem
networks. The WATCHERS [9,13] protocol detects disruptive routers based on a
distributed network monitoring approach and a traffic invariant called conservation of
flow. However, the WATCHERS protocol had many limitations in both its traffic
validation mechanism and in its control protocol, many of which were documented by
Hughes et al. [23]. Many of these weaknesses arose from the absence of a formal
specification, a weak threat model and an excessive requirement for per-router state
(bounded only by the total size of the network). Herzberg and Kutten [20] present an
abstract model for Byzantine detection of compromised routers based on timeouts and
acknowledgments from the destination and possibly from some of the intermediate
routers to the source. The requirement of information from intermediate routers offers
a trade-off between fault detection time and message communication overhead.
1.1 Network and System Model
We consider a network that consists of individual homogeneous routers
interconnected via directional point-to-point links. This model is an intentional
simplification of real networks (e.g., it does not include broadcast channels or
independently failing network interfaces) but is sufficiently general to encompass
such details if necessary. Within a network, we presume that packets are forwarded
in a hop-by-hop fashion each router following the directions of a local forwarding
table. As well, we assume that these forwarding tables are updated via a distributed
link-state routing protocol such as OSPF or IS-IS. This is critical, as we depend on
the routing protocol to provide each node with a global view of the current network
topology. Finally, we also assume the administrative ability to assign and distribute
shared keys to sets of nearby routers. This overall model is consistent with the typical
construction of large enterprise IP networks or the internal structure of single ISP
4


backbone networks, but is not well-suited for networks that are composed of multiple
administrative domains using BGP. At this level of abstraction, we can assume a
synchronous network model of synchronized clocks and bounded message delays. If
the network behaves asynchronously for too long, then the routing tables will be
updated, thereby changing the network topology. This assumption is common to all
protocols we know of that have addressed the problem of detecting compromised
routers.
For our system model we assume that the arrivals are a Poisson stream of messages
generated as follows: Given an arrival at time t0, the time tx of the next arrivals is
found from the equation (1.1) below.
k = -A_1ln (1 y) (1.1)
Where X is the transmission rate and y is a random number between 0 and 1.
The messages in the arrival stream have lengths geometrically distributed in packet
units. The length of the message in packet units is the integer part of the equation
(1.2).
-loga(l-y)-l (1.2)
Where, for a in (0,1), 1/(1-a) is the average message length and y is a random
number between 0 and 1.
We consider a single transmission channel whose time is divided into
identical frames, where each frame is divided into slots and each slot corresponds to
the transmission of a single information packet.
We consider that the message will be successfully transmitted, if it can be
stored in the buffer; that is, if there is enough space in the buffer to store the whole
message.
5


A message may be unsuccessful, namely rejected, if within A time units from its
arrival, it does not find sufficient space in the buffer, to be stored in its totality. The
time limit A is termed admission delay constraint. We measure time in slot units,
where slot t occupies the time arrival [t, t + 1).
The head packets of the messages that are stored in the buffer are transmitted
on the first-come first-served basis, while successive packets in a single message are
transmitted within the same slot number of successive frames. The delay of a
massage is defined as the time spent by the message within the system, from its
arrival instant to the time its last packet has been successfully transmitted.. Hence,
delay encompasses the waiting time plus the total time required for transmission.
Then, given that the nth message arrival contains m packets, its delay Dn will be the
sum of the waiting- time and the time needed to transmit the last packet m (see Figure
1.1).
6


fl
/
Ft
A
S /

\

FnM

Fm
.a__
\
MESSAGE ARRIVES
jn: TRANSMISSION TIME OF i-th PACKET OF
n-th MESSAGE
MESSAGE DEPARTURES
Wjft WAITING-TIME OF j-th PACKET FOR THE
n-th MESSAGE
Figure 1.1: Illustration of the transmission for n-th message
Finally, we assume that the transmission channel is noiseless, and that the buffer
where data messages are stored has finite capacity. The messages arriving at the
buffer between clock times have to wait to begin transmission at the beginning of the
next clock instant.
1.2 Simulation and Study of the System Model
The system was studied by generating Poisson traffic of messages whose lengths are
geometrically distributed. The objective is to study the effect of different buffer sizes
and various admission delays constraints on the expected message delay and the
rejection rate. So, the rejection rate and the expected message delay were computed
for different buffer sizes and different admission delays constraints.
7


1.2.1 Simulation and Study Regarding the Effect of Changing Buffer Size on the
Rejection Rate and the Expected Message Delay.
Table 1.1 shows the rejection rates for buffer sizes 5, 10, 20 and 30 slots. It can be
noticed that, for different buffer sizes, as the transmission rate increases, the rejection
rate increases. Also, it is apparent from Figure 1.2 that increase in the buffer size,
decreases the rejection rate. For example, at transmission rate 0.06, the rejection rate
is 0.5; when the buffer size is 5slots, while the latter rate decreases to 0.0001; when
the buffer size is 30 slots.
Table 1.1: The rejection rates for different buffer sizes
A 0.06 0.09 0.1 0.2
RmS 0.5131 0.6964 0.7361 0.9395
^mlO 0.1295 0.3054 0.3511 0.7821
^m20 0.0025 0.0222 0.0334 0.3178
^m30 0.0001 .0003 .0001 0.0630
Number of arrival =10000 slots. Average length of the message 2 packets
Admission delay constraint 40 Slots
A : Transmission rate, In number of messages per slot
Rmi : Rejection rate for buffer size i.
8


Transmission rate
Figure 1.2: The rejection rates for different buffer sizes M=5,10,20,30,40
packets
Changing the buffer size, not only affects the rejection rate; it also affects message
delays. Figure 1.3 shows that, increase in the buffer size increases the expected
message delay. However, when the transmission rate is low, changes in the buffer
sizes have reduced effect on the expected message delays. From Figure 1.4 we
observe that, for a given transmission rate (A = 0.1), the expected message delay
increases as the buffer size increases. When the rejection rate is less than 10-4 (the
rejection rate corresponds to a buffer size of 40 packets), the expected message delay
increment with varying buffer length becomes negligible and can be approximated as
being a constant.
9


EXPECTED DELAY IN PACKET
Figure 1.3: Expected message delay for different buffers, M=20,25,30 slots
Figure 1.4: Expected message delay versus buffer size (transmission rate =0.1)
10


1.2.2 Simulation and Study the effect of Change the Admission Delay Constraint
on the Rejection rate and the Expected Message Delay
Table 1.2 shows the rejection rates for admission delays 5,10,20,40 slots. From the
table, we notice that, for fixed admission delay constraint, as the transmission rate
increases, the rejection rate increases as well. Also, from Figure 1.5 we observe that
as the admission delay constraint increases, the rejection rate decreases. For example,
at transmission rate 0.09 and admission delay constraint 5 slots, the rejection rate is
0.0307, while the latter rate decreases to 0.0151, for admission delay constraint 40
slots.
Table 1.2: The rejection rate for admission delays different admission delays
A 0.06 0.09 0.1 0.2 0.3
Ra5 0.0065 0.0307 0.0431 0.3369 0.6611
Raw 0.0057 0.0211 0.0349 0.3260 0.6595
Razo 0.0035 0.0177 0.0287 0.3210 0.6358
Raw 0.0023 0.0151 0.0268 0.2836 0.6284
Number of arrival =10000 slots. Average length of the message 2 packets
Buffer size 20 Slots
A : Transmission rate, In number of messages per slot
Rai : Rejection rate for admission delay constraint i.
11


Figure 1.5: The rejection rate for admission delays constraint 5,10,40 slots
Figure (1.6) shows that increased admission delay constraint increases the expected
message delay. The admission delay constraint of 10 slots induces the minimum
expected message delay, while, as the admission delay constraint increases to 20 and
40 slots, the expected message delay increases uniformly as a function of the input
rate.
12


Transmission rate
Figure 1.6: The expected message delay for different admission delay constraints
A=10,20, and 40 slots
13


2. Threats Categorization and Modeling
2.1 Threats Categorization
We assume that attackers can compromise one or more routers in a network and may
even compromise sets of adjacent routers as well. In general, we parameterize the
strength of the adversary in terms of the maximum number of adjacent routers along a
given path that can be compromised. However, we assume that between any two un-
compromised routers, there is sufficient path diversity so that the malicious routers do
not partition the network. In some sense, this assumption is pedantic, since it is
impossible to guarantee any network communication across such a partition. Another
way to view this constraint is that path diversity between two points in the network is
a necessary, but insufficient, condition for tolerating compromised routers.
The threats listed below completely cover the set of bad behaviors a router can exhibit
in forwarding data. When all of these metrics are zero, then no router is forwarding
traffic in a faulty manner.
2.1.1 Packet Loss.
A compromised router can drop any subset of the packets. As per Aimes et al. [1] loss
can be measured as the amount of data arriving at the sink of path segment subtracted
from the amount of data sent from its source.
2.1.2 Packet Fabrication.
A compromised router can generate packets and inject them into the traffic stream.
This can be measured as the number of packets which are reported at the sink of a
packet segment but not monitored as being sent by its source. Misrouting packets can
be considered an instance of both packet loss and packet fabrication
14


2.1.3 Packet Modification.
One can consider this threat as a combination of packet loss and fabrication, but it
may not be detectable by simply comparing the number of packets arriving at the sink
with the number sent from the source. Instead, some summary of the content needs to
be maintained, and one measures the number of modified packets.
2.1.4 Packet Reordering
A compromised router can reorder packets. Doing this can lead to performance
problems or, in the extreme, denial of service. There are many reasonable and
incompatible methods of measuring the amount of reordering, e.g. [5, 6, 31, 38].
2.1.5 Time Behavior
A compromised router can delay traffic. Like reordering, doing this can lead to
performance problems or, in the extreme, denial of service. There are simple metrics
one can use, such as the first n moments of the inter-packet delay distribution.
However, such metrics are notoriously sensitive in packet networks.
2.2 Threats Modeling
In this section, we present models for the four categories of data forwarding threats
listed in Section 2.1. We define by slot, the time occupied by a packet transmission.
2.2.1 Modeling the Packet Fabrication
a) The first model of the fabricated packets corresponds to adding geometrically
distributed of messages to the message arrivals. The effect on the network
performance is increased data rejection rates and delays.
b) The second model of packet fabrication corresponds to the injection of a Poisson
stream of packets, since Poisson traffic is a worst case scenario for a significant class
of transmission protocols. Specifically, we assume that per slot, the attacker inserts k
additional packets with probability PK as shown in equation (2.1), where X is the rate
of the contaminating injected traffic.
15


PK = e~xXk/ k\
(2.1)
The injecting of the above Poisson stream of packets increases the traffic flow in
the network, resulting in queues overflows and denial of service. The effected
network performance metrics are: traffic rate, data rejection rates and delays. In view
of the Poisson packet fabrication model, we define the following metrics:
mn : New average message length, after generation of fabrication packets.
m0 : Average message length, before generation of fabrication packets.
Dn : Average message delay, after generation of fabrication packets.
D0 : Average message delay, before generation of fabrication packets.
Pn(k)\ Probability of k-capacity buffer overflows, after generation of fabrication
packets.
P0(/c): Probability of k-capacity buffer overflows, before generation of fabrication
packets.
Pb(r) : Probability that there are r non-fabricated packets in the buffer.
Where we have,
2.2.2 Modeling the Packet Modification
We model the packet modification as packets being transmitted through a
memoryless binary symmetric channel with probability of correct transmission p,
where p may be less than 0.5. This model also represents a worst case scenario, where
the less than 0.5 correct transmission conflicts with the well-established minimum
distance decoding scheme. The modified packets increase the error probabilities
induced by the deployed error correcting codes in the network. The affected network
mn = m0(l + X)
Dn = D0(l + A)
Pn(k) = P0(k) + 2*b0(1 2£ore'xXv/v\) Pb(k)
(2.2)
(2.3)
(2.4)
16


performance metrics is error detection and error correction performance. In view of
the packet modification model, we define,
p: probability of a bit not being modified by the aggregate effect of attack and
communication channel errors.
Pc : Probability of correct decoding by the network decoders.
Pe : Probability of incorrect decoding by the network decoders.
Let us assume a (2d+l) distance code (any two codewords are in 2d+l Hamming
distance from each other). Let us assume Minimum distance decoding, as employed by all
decoding schemes .Let all codewords be equally probable. Then, the probability of
correct decoding and probability of incorrect decoding are:
Pe = 1 Pc = 1 xj=0 Q (1 Py vm-i =Z5= Q (1 qy (2.6)
; Where m =2d+l and q= 1-p.
The communication channels normally induce probability of correct transmission
per bit that is quite higher than 0.5, denoted r. if the attacker changes this probability
to a value less than 0.5, say to 1-r, then the probability of correct decoding as
induced by the deployed minimum distance decoding scheme, becomes equal to the
probability of error induced by the same scheme before the attacker acted. We note
that if the attacker changes each bit independently with probability 0.5, then the
resulting probability of correct per bit transmission will be 0.5, regardless of the value
of the probability of the per bit correct transmission induced by the transmission
channel.
(2.5)
17


2.2.3 Modeling the Packet Reordering.
There are two possibilities here:
a) The attacker changes the overhead encoding of packets, to induce altered packet
ordering. This case may be absorbed within the packet modification model.
b) The attacker reshuffles the packets without changing their overhead encoding.
Then, correct reordering induces some process complexity and delay which may be
absorbed within the time behavior model.
2.2.4 Modeling the Time Behavior Exploits.
We model adversary time behavior by delaying each packet independently by a
random time T, measured in slot units. One choice for the distribution of the random
variable T is geometric, where:
Added random delay per packet may cause violations of admission and intra -packet
(jittering) delay constraints, resulting in increasing message rejection rate. The
affected network performance metrics are transmission delay and message/data
rejection rate .We may simplify the analysis by not distinguishing between message
admission delay constraints and jittering; thus, assuming that any packet is rejected
due to adversary time behavior if additional delay of at least k time units is imposed
on it by the attacker. In view of the delay model, the probability pk of rejection per
packet due to adversary time behavior is given by the expression,
The average of the additional delay due to adversary injection, Dk per packet is
given by the following expression:
P(T = n) = (1 a)an; n=0,l,....; 0 (2.7)
Pr = 1 (1 a) Sn=o aU = ak
(2.8)
Dk = (1 ak) 1 Xn=i n(l a)an
(2.9)
18


2.3 Simulation and Study of the Threats Models
2.3.1 Simulation and study for the Effect of Packet Fabrication
a) The first model of packet fabrication was simulated by generating geometrically
distributed messages with different lengths and adding them to the message arrivals.
The rejection rate and the distribution of the delays were computed before and after
the adversary injection. Table 2.1 shows the effect of the adversary injection on the
rejection rate. Figure 2.1 shows the change of the rejection rate for deferent average
length adversary messages, where the adversary was modeled as adding
geometrically disturbed messages with average lengths 1 versus 2 packets.
Table 2.1: The effect of packet the fabrication model (a) on the rejection rate
X 0.06 0.09 0.1 0.2
Ro 0.0023 0.0151 0.0268 0.2836
Ri 0.0044 0.1006 0.1634 0.5471
Rz 0.1561 0.3761 0.4415 0.8497
Number of arrival slots =10000. Average length o 'the original message 2 packets
Admission delay constraint 40 Slots. Buffer size 20 Slots.
X : Transmission rate, In number of messages per slot
R0 : Rejection rate before the adversary
R1 : Rejection rate after the adversary added messages with average length 1 packet
R2 : Rejection rate after the adversary added messages with average length 2 packets.
19


Figure 2.1: The change on the rejection rate for packet fabrication model (a)
Table and Figure 2.1 show how the increasing of the message lengths due to attack
injections affects rejection rates. Figures 2.2, 2.3 and 2.4 show the effect of
increased due to attacks message lengths on the induced message delays. The
expected delay increases then from 62.94 slots to 103.9 and 139.2 slots, respectively.
20


6000 r
The delay
Figure 2.2: The delay distribution before cyber attacks
Transmission rate=0.1. Mean=62.94. Standard devotion =54,776
21


5000 r
The delay
Figure 2.3: The delay distribution after adding additional attack messages with
average length 1 .Transmission rate=0.1. Mean=103.9142 .Standard devotion
=55.008
22


The delay
Figure 2.4: The delay distribution after adding additional attack messages with
average length 2. Mean=139.281. Standard devotion =73.4045
b) The second model of packet fabrication was simulated by generating a Poisson
traffic of fabricated packets. This fabricated traffic expanded each message packet by
a random number of packets and caused rejection of legitimate messages due to
violation of the admission delay constraint. Table 2.2 shows the effect of this
adversary model in the rejection rate, where traffic with different packet rates was
injected. From Figure 2.5, we observe how the rejection rate increases, as the
attacker increases the injection rates. The good traffic was injected with rates .06 and
0.1 of additional attack traffic, while its rate varied from 0.0023 to 0.6284.
23


Table 2.2: The effect of packet fabrication model (b) on the rejection rate
A 0.06 0.09 0.1 0.2 0.3
R0 0.0023 0.0151 0.0268 0.2836 0.6284
Ri 0.0086 0.0340 0.0456 0.3416 0.6904
r2 0.0118 0.0366 0.0510 0.3669 0.7091
Number of arrivals =10000 Slots. Average message 2 packets
Admission delay constraint 40 Slots. Buffer size 20 Slots.
A : Transmission rate,In number of messages per slot
R0 : Rejection rate before the adversary
Ri : Rejection rate after the adversary injection rate 0.06
R2 : Rejection rate after the adversary injection rate 0.1.
Transmission rate
Figure 2.5: The effect of packet fabrication model (b) on the rejection rate
24


Figures 2.6 and 2.7 show the delay distribution after the attacker injected the traffic
with a Poisson stream of packets whose rate is 0.06 or 0.1. The Figures show how the
expected message delay increases as the attacker increases the injection rate. Injecting
the traffic with rate 0.06, increased the expected delay from 62.94 to 63.96 slots.
Injecting the traffic with rate 0.1, instead, increased the expected delay to 64.79 slots.
a>
O)
CO
t/i

a>
E
a>
a>
JD
E
3
400
500 600
700
The delay
Figure 2.6: The delay distribution after inject Poisson stream of packets with
rate 0.06.Transmission rate=0.1. Mean=63.9638. Standard devotion =55.6163
25


6000 r
The delay
Figure 2.7: The delay distribution after inject Poisson stream of packets with
rate 0.1.Transmission rate=0.1. Mean=64.7943. Standard devotion =55.8791
2.3.2 Simulation and Study of the Effect of Packet Modification
The packet modification exploits were simulated when each legitimate packet was
correctly received by the second router with probability 0.5. The number of modified
packets were computed per message. If the total number of modified packets per
message exceeded a specific percentage, then the entire message was considered
rejected, in view of the deployed error correcting code Table 2.3 shows the
rejection rate increase after the transmission of each packet through a Memoryless
Binary Symmetric Channel (MBSC) with probability of correct transmission p=0.5.
Figure 2.8 shows the change in the rejection rate before and after the attack.
26


Table 2.3: The change in the rejection rate after the modification packets
X 0.06 0.09 0.1 0.2
Ro 0.0023 0.0151 0.0268 0.2836
Ri 0.4170 0.4305 0.4461 0.6001
Number of arrivals =10000 Slots. Average message length 2 packets
Admission delay constraint 40 Slots. Buffer size 20 Slots.
X : Transmission rate,In number of messages per slot
R0 : Rejection rate before the adversary
Rx : Rejection rate after the modification packets (percentage 50%)
Figure 2.8: The change in the rejection rate after the modification packets
27


2.3.3 Simulation and Study of the Effect of the Time Behavior Exploits.
The time behavior exploits were simulated by delaying each legitimate packet with a
random amount of time. If this amount exceeded a given fixed limit, the packet was
considered rejected. A rejected packet caused subsequent rejection of the message
which it belongs to. The performance metrics were computed (message rejection rates
and messages average delays for the successfully transmitted messages). These two
metrics were computed in both the presence and the absence of the exploits and the
results were compared. Table 2.4 and Figure 2.9 show the quantitative effect of the
exploits where each packet was delayed independently via a geometrically distributed
variable whose average delay is 20 slots.
Table 2.4: The change in the rejection rate after the time behavior exploits.
X 0.06 0.09 0.1 0.2
Ro 0.0023 0.0151 0.0268 0.2836
Ri 0.1292 0.1423 0.1515 0.4033
Number of arrivals =10000 Slots. Average message length 2 packets
Admission delay constraint 40 Slots. Buffer size 20 Slots.
X : Transmission rate,In number of messages per slot
Rq : Rejection rate before the adversary
R1 : Rejection rate after time behavior exploits. Average delay per packet 20 Slots.
28


0.8
0.7
0.6
0.5
a>
2
I 0.4
o
a>
aT
^ 0.3
0.2
0.1
-B Rejection rate before the attack
Rejection rate after the time behavior exploits
0.05
0.1

/ . y /
/ / / / X X
X
3
^ S y ,X''
0.15 0.2
Transmission rate
0.25
0.3
Figure 2.9: The rejection rate before and after the time behavior exploits
As shown in Figures 2.10, 2.11 and 2.12 below, in the presence of time behavior
exploits, the attacker increases the expected message delay. As the attacker increases
the average delay per packet, the expected message delay increases. When the
average per packet imposed attacker delay increases from 100 to 200, the expected
message delay increases from 92 to 99 slots.
29


6000
0 100 200 300 400 500 600
The delay
Figure 2.10: The delay distribution before time behavior exploits
The transmission rate 0.1. Mean=62.94 .Standard deviation=54.776
30


Number of the messages
The delay
Figure 2.11: The delay distribution after time behavior exploits .The
transmission rate=0.1.The average delay (100).Mean=92.148. Standard
deviation=70
31


6000
The delay
Figure 2.12: The delay distribution after time behavior exploits
The transmission rate=0.1. The average delay (200).
Mean=99.481. Standard deviation=84.645
32


3. Threats Monitoring and Detection
3.1 Sequential Algorithms for the Detection of Changes in Data Generating
Processes
In many robotic and computer vision applications, the stochastic process
which generates the observed data may be changing in time, and the single important
issue is then the development of algorithms, which effectively detect such changes.
Such applications include traffic in data networks, automated robotic industrial
control, detection of edges in images via computer vision and robotic fault detection
in devices[48].
Let f0(xn) and fi(xn) denote the n-dimensional density of two well
known, distinct, discrete-time, and mutually independent stochastic processes at the
vector point xn. Let it be known that the data sequence is initially generated by the
density function /0 Let it then be possible that, instead, at some point in time the
density function fx may become active and remain so from the point on. Then,
given an infinite data sequence x = {x;; i > 1} the possibilities are:
i. The /0 to fx change never occurs. Thus, the total sequence jc is generated by the
density function/0.
ii. The /0 to /j change occurs before the sequence x starts being observed: Thus, the
total sequence x is then generated by the density function /j .
iii. The fQ to fx change occurs just after the datum xm; m > 1. Thus, the subsequence x
is then generated by the density function /0 and the remaining sequence x^+1 =
[xk] k > m + 1} is then generated by the density function /j.
Given the infinite sequence x = {jCj; i > 1} and the density function /0(xn) and
/i(xn) V n > 1 and V xn, the objective is to detect a possible /0 to /j change as
reliably and quickly as possible. Since the very occurrence of the change is uncertain,
it is clear that only a sequential approach to the problem is meaningful. That is, to
33


detect the possible occurrence of an f0 to fx change, we must devise a sequential
detection scheme. To gain insight, we first formalize a preliminary, non-sequential,
optimal Bayesian detection scheme. In particular, we initially fix the size n of the
observation sequence x and we test the occurrence of the change at all the possible
points in the sequence x, assuming that those occurrences are equally probable. We
observe that, preliminary formalization, we conclude that, the f0 to change occurs
just after the datum Xj; 0 < j < n (hypothesis Hj), iff
From the studying of the Bayesian rule in (3.1), we observe that its test function
T'(xn) dose not possess characteristics for convenient sequential transformation. We
thus consider a variation of the test in (3.1) by replacing the conditional density
function j by V i Then the following variation of the test in
(3.1) arises.
Given the data block xn decide in favor of the hypothesis Hj, iff
Where
/oOi I *i ) =/oOi)
ZZ=j+i9i{xi) = 0rk?n(?.U+i9i(xi))
(3.2)
34


Given the data lock xn decide in favor of the hypothesis//;, iff
Ei=l 9i(.Xl) = osfcsn (S=i3i(.x1))
(3.3)
Let us consider a sequential generalization of test (3.3). When data are observed
sequentially, it seems natural to conclude that as the deference,
£?=i/7i(*1) ~ osks (Zf=i5i(*l))> increases, the odds that the f0 to /x change has
occurred increase as well. Thus, the following sequential test naturally evolves.
Select some positive threshold 8. Observe data sequentially, and decide that the f0 to
/i change has occurred at the first time n such that
n*") = - osK (If=iSiW) > 6 (3.4)
It is easy to see that the sequential test in (3.4) can be expressed in the following
equivalent form.
Select some positive threshold 5. Observe data sequentially, and decide that
the /0 to /} change has occurred at the first time n such that T(xn) > 8 ,where
7(0) = 0
T(xn) = max {0, r(xn_1) + gn(xn); g: gi(xl)as in (3.3)} (3.5)
Clearly, the test in (3.5) is sequential, with updating step gn(xn).Also, it operates via
the use of two thresholds, 0 and 8, where 0 represents a reflecting barrier and 8
represents an absorbing barrier. When the two stochastic processes represented by
the densities f0 and /j are not memoryless, the memory xf-1 in the updating step
gn(xn) generally increases with increasing n. When the processes are instead
memoryless, the memory in the updating step is zero for all n. The test in (3.5) was
originally proposed by Page (1954, 1955) for memoryless processes. Its asymptotic
35


properties for such processes were studied by Lorden (1971). In its general from, the
test in (3.5) was proposed by Bansal (1983) and Bansal et al (1986), who also studied
its asymptotic properties for stationary and ergodic processes that also satisfy some
general regularity conditions. The test generally consists of repeated Wald test and is
asymptotically optimal in the sense that it requires the minimum possible expected
sample size for decision, subject to a false alarm constraint [49].
Let us denote by NS(X) the stopping variable induced by the test in (3.5) and let
EfQ{Ng(X)} and E^ {NS(X)} denote the expected value of the stopping variable when
the density function /0 and fx respectively, are active. Then
NS(X) = inf{T(xn) > 5} (3.6)
Let the density functions /0 and fx represent two ergodic and stationary stochastic
processes satisfying certain mixing conditions. Consider the stopping variable Ng(X)
induced by the sequential test in (3.5). Then for 8 -* oo, we have
£/{*(*)) £ S/2 (3.7)
WM) si logs I fy.-'fto} (3.8)
where /10 is the information number equal to /10 = lim^o, Ln
f (*n)
where, Ln = n~1log -j -. if N'(x) is the stopping variable of some arbitrary test,
JO\XnJ
then, subject to Ef0{N'(pc)} > 8/2 and for S - oo we have
Efl{NXx)} >1 logS I E^I10} .
This states that the test in (3.5) is optimal in an asymptotic sense. Specifically when
the threshold 5 is asymptotically large, then the test requires the minimum possible
expected time to cross that threshold, when the /0 to /^change has occurred before
36


the collection of the data,subject to the constraint that when the /0 to change never
occurs, then the expected time for threshold crossing is larger than 5/2. Therefore,
the test in (3.5) is asymptotically the fastest among all tests. In fact, due to the
relationship between 5/2 and 1 log 51 ,we conclude that the speed of the test
increases exponentially with 5. We note that this includes Lordens (1971) results, for
memoryless processes. In the latter case, the information number
/10equal / du fi(u)log [fi(u)/f0(u)].
Although, the asymptotic optimality of the test in (3.5) is a significant virtue, its
non-asymptotic properties are most important. Indeed, the very objective of the test
is fast detection change ,which imposes the selection of a relatively small 5, whose
selection is performed via the study of the false alarm and power curves.
3.2 Sequential Algorithms between Poisson Processes
As mention in 2.1.1(b), the injecting of a Poisson stream of packets affects
the overall data rate. As a result, to detect this Poisson adversary model, we monitor
the rate at the receiver and detect the change from the original unaffected
transmission rate rk to the resulting rate r;- after the adversary injection ;where r;- is
assumed to reflect the minimum data rate change caused by the adversary.
Let us assume that, given transmission rate rk ,the arrival process is stationary,
and let then fk(nlt... nq) denote its q-dimensional distribution in frame lengths; that
is,fk(nx,... nq) is the probability that, in a sequence of q consecutive frames, nt
packets arrivals occur in the first frame, and so on, with nq packets arrivals finally
occurring in the qth frame, given that the transmission rate is rk throughout. Let us
assume that the distributions {fk(nv ... nq) } are well known.
37


Our objective is to devise a monitoring system that will detect a possible shift from
the good traffic rate rk to the higher adversary-contaminated traffic rate ry. The
monitoring algorithm deployed is described below.
Let vkj (0) denote the value of the algorithm monitoring a { rk -* rj} shift at time
when the transmission starts; let vkj(r) donate its operating value at its rthadaptation
step. Then, the operating values of the algorithm are sequentially updates as follows:
vky( 0) = 0;
v*/(r + 1) = max {0,v*,(r) + !og(g^^)} (3.9)
si+1 is then the first time after st that the algorithm in (3.9) first crosses the given
positive threshold 6, at which time it is declared that the change from rkto rj has
occurred.
When the involved processes are Poisson [50], and when then {rk -> 7)} shifts
are monitored, the algorithm in (3.9) takes the form below, after some modifications:
vfc;(0) = 0;
vkj(r + 1) = max {0 ,vkj(r) + l[rk- r} + nr+1 log (^)]} (3.10)
where nr+1 denotes the number of packets that are transmitted within the (r +
l)th frame from the beginning of the [rk - r; } monitoring algorithm, and where / is
the length of the frame.
Let us define
(3.11)
: Where, min (rk, rj)< fa, Tj)< max (rk, rj). We approximate %(rk, r;) by a rational
number, as shown below, where tkj < skj:
38


(3.12)
As also stated in [51], the algorithmic threshold can be then selected as a positive
integer, without lack in generality, and the algorithmic adaptation in (3.10) takes the
form:
vfey(r + 1) = max {0,vfc;(r) + [skjnr+1 ltkj]} (3.13)
Let N denote the stopping variable induced by the algorithm in (3.13)
Let us define:
Ijk hmn_00 n 1log ljk E{ljk \rk}
Ikj lim^oo n log ^xny Ikj ~ E{Ikj\vj} (3.14)
The pertinent Kullback-Leibler numbers {Ikj} are as follows:
(3.15)
Subject to the satisfaction of the conditions in (3.14):
E{n\ rj}~77rri as 5-
1 1 J} E{Ikj\rj1
E{N\rk}>^ as 6 -oo (3.16)
3.3 Sequential Algorithms to Detect the Change of the Delay
As mentioned in sections 2.2.4 and 2.2.1.(a), fabricated by an adversary packets
increase the transmission delays of messages and modify their distributions. As a
result, we monitor the distribution of message delays at the receiver. We have
previously used the notations /0(xn) and fx(xn) to denote the n-dimensional
densities of two well known, distinct, discrete-time, and mutually independent
stochastic processes at the vector point xn. Here, /0(xn) is the density function of
the delay distribution in the absence adversary disturbance, and fx (xn) is the density
of same distribution when affected by an adversary attack. Let nk denote the measure
39


of a parametrically defined process [48], Let the process which initially generates the
unaffected information data be known to be the process Ho- Let it be possible that a
shift to Hi may occur, where the latter process reflects the presence of the adversary.
The objective is to detect the occurrence of a
Ho * Hi shift as accurately and as timely as possible. From equation (3.5) and
assuming exponential distributions representing both the po and pi processes, we
obtain the following form of the monitoring algorithm:
T(0)=0
TOO = max (O.TOt"-1) + (* 1) + Sj2/log (^)) (3.17)
(3.18)
Where oc0, oq between 0 and 1. Define then the integers t, s; t > s and
approximate ^(ao, ai) as follows:
5(o.i) = -; (319)
The algorithmic threshold can be then selected as a positive integer, and the
algorithmic adaptation in (3.18) takes the form below:
T(xn) = max (0,r(xn_1) + s(xn 1) t)) (3.20)
Let N denote the stopping variable induced by the algorithm in (3.20)
Let us define:
710 = limn_oo n~Hogfj^, 710 = E{I10\u0}
hi = limn^oo n~Hogfj^, I01 = E{J0i|ui} (3-21)
Subject to the satisfaction of the conditions in (3.21):
l0-f - , as 5-> oo
1 1 1J E{/01|ul}
40


8 - 00
(3.22)
£{N|ti0} > ^ , as
3.4 Threshold Selection
The objective in this section is to determine performance metrics and to subsequently
utilize these metrics to select the values of the decision threshold 8 After the
selection of the latter threshold is complete, the overall performance of the system
will be predictably known, with respect to the determined performance metrics [52].
To detect a change from the operational mode m to another / operational mode ;
where l^m Given threshold 8 > 0 the mode m to mode / change monitoring
algorithm is basically characterized by two time curves: the power and false alarm
curves, denoted respectively /?mi and ami where n denotes the time instant tn and
where,
: The probability that the m to / mode change monitoring algorithm crosses its
threshold before or at time tn, given that the operation mode is l throughout.
ami: The probability that the m to / mode monitoring algorithm crosses its threshold
before or at time tn, given that the operational mode is m throughout.
In Figure 3.1, we depict the pml and aml curves, to observe and discuss qualitative
behavior. We plot these curves for two different threshold values.
41


1
fiml
/
f y
/ /"
/ /
I,
I
I
i
a
mi
Figure 3.1: False alarm and power curves for the mtol monitoring algorithm.
Threshold values 8 < 8
From Figure 3.1, we note that as the value of the decision threshold increases, the
false alarm curve decreases, but so does the power curve. The threshold selection for
the m to / change monitoring algorithm may be based on a required lower bound for
the power and a required upper bound for the false alarm, at a given time instant tn ,
When the algorithm that monitor change from mode m are considered, the threshold
8 may be selected based on the following principle:
At given time tn have the power induced by the algorithm be above a predetermined
lower bound, while the false alarm induced by the algorithm remains below a
predetermined upper bound.
42


3.5 Simulation and study of the Sequential Algorithm between Poisson processes
For a robust design, the algorithm was designed at a minimum information-message
transmission rate A0 and a minimum cyber attack rate v0,where the minimum
average length of each information message was a0.The objective is then to detect
the change from the rate a0A0 to the rate a0A0 + v0 .To test robustness, the
algorithm was tested for higher cyber attack rates vx v2 ,.vn ; where Also, the
algorithm was tested for a different higher information-message transmission rate Ax
,where Ax > A0.
3.5.1 For numerical evaluations in this section, the minimum information-message
transmission rate was selected as Ao=0.06 the minimum average length was a0 = 2
and the minimum cyber attack rate was v0 = .02. The algorithm was designed to
detect the change from 0.12 (A0a0) to 0.14 (a0A0 + v0) .
From equations (3.11) and (3.12), we found = ~ = t/s To select the
decision threshold experimentally, we computed the false alarm and power
probability curves. In Figure 3.2, we plot the latter curves for threshold values 105
and 110 and we select the value of the operational threshold as r| = 105. In Figure
3.3 we plot crossing times for the latter threshold selection and compute from it the
expected stopping time as E{N}= 829.
43


B- "Pm power curve 105
B- false alarm curve 105
Ar- ~tfr. power curve 110
At- false alarm 110
n
Figure 3.2: False alarm and power probability values versus n for the threshold
values 105 and 110
700,
600
500 r H
S
> 400 H
0 200 400 600 800 1000 1200 1400
The frame number
Figure 3.3: Expected stopping time, A0 = 0.06, a0 2 v0 = 0.02
Below, we present cases a) to k), where the threshold 105 algorithm is tested for
various different values of information-message rates, average message lengths and
cyber attack Poisson packet rates.
44


a) Test the algorithm for information-message rate A0 = 0.06, average message
length a0 = 2 and cyber attack rate v1 = 0.025 .Expected stopping time
E{N}=737.
Figure 3.4: Expected stopping time, A0 = 0.06, a0 = 2 v* = 0.025
b) Test the algorithm for information-message rate A0 = 0.06, average message
length a0 = 2 and cyber attack rate v2 = 0.03 Expected stopping time
E{N}=688.
700 |---,----.--------------i------------------.-----1
I I
6001 -|
* \
500
O 200 400 600 800 1000 1200 1400 1600 1800 2000
The frame number
Figure 3.5: Expected stopping time, A0 = 0.06, a0 = 2 v2 = 0.03
45


c) Test the algorithm for information-message rate = 0.1, average message length
a0 = 2 and cyber attack rate v0 = 0.02 Expected stopping time E{N}= 131.
700 r----:-----,------,-----r-----,------,-----,------
600 r -1
500 H
Figure 3.6: Expected stopping time, = 0.1, a0 = 2 v0 = 0.02
d) Test the algorithm for information-message rate = 0.1, average message length
a0 = 2 and cyber attack rate Vi = 0.025. Expected stopping time E {N}= 122.
Figure 3.7: Expected stopping time, = 0.1, a0 = 2 Vj = 0.025
46


e) Test the algorithm for information-message rate Xx = 0.1, average message length
a0 = 2 and cyber attack rate v2 = 0.03 Expected stopping time E {N} =105.
Figure 3.8: Expected stopping time, Aj = 0.1, a0 = 2 v2 = 0.03
f) Test the algorithm for information-message rate A0 = 0.06, average message
length ax = 3 and cyber attack rate v0 = 0.02 Expected stopping time
E{N}=200.
700 ,---:----,----r----,-----r----,----------1---------
600
500 r H
S
1
| 400
I1 300
£
200 -
The frame number
Figure 3.9: Expected stopping time, A0 = 0.06, = 3 v0 = 0.02
47


g) Test the algorithm for information-message rate A0 = 0.06, average message
length ax = 3 and cyber attack rate vx = 0.025 .Expected stopping time
E{N}=185.
700 ,---.---,-----,----,---n----,----,----,----,-----1
600
Figure 3.10: Expected stopping time, A0 = 0.06, = 3 Vj = 0.025
h) Test the algorithm for information-message rate X0 = 0.06, average message
length at = 3 and cyber attack rate v2 = 0.03 Expected stopping time
E{N}=175.
400 |-------,---------------,-------.-------,-------
350 j-
300 l
I
Figure 3.11: Expected stopping time, A0 = 0.06, at = 3 v2 = 0.03
48


i) Test the algorithm for information-message rate X1 = 0.1, average message length
dj = 3 and cyber attack rate v0 = 0.02 Expected stopping time E{N}=126.
700--------,--------,-------,--------,-------,--------j
i
600 -
500 L
9
The frame number
Figure 3.12: Expected stopping time, Aj = 0.1, = 3 v0 = 0.02
j) Test the algorithm for information-message rate X1 = 0.1, average message length
ax = 3 and cyber attack rate vx = 0.025 Expected stopping time E{N}=120.
700 ,---------------,----------------,----------------[
600
Figure 3.13: Expected stopping time, Xx = 0.1, = 3 Vj = 0.025
49


k) Test the algorithm for information-message rate = 0.1, average message length
<*! = 3 and cyber attack rate v2 = 0.03 .Expected stopping time E{N}=37.
Figure 3.14: Expected stopping time, = 0.1, a* = 3 v2 = 0.03
Attacker rate
Figure 3.15: The expected stopping time versus the attacker rate
for algorithm 1
50


From Figure 3.15 we notice that if we design the algorithm at a minimum
transmission rate of 0.06 and a minimum attacker rate 0.02, then, as the attacker
increases the cyber rate, the probability of detection increases, while, alternatively,
the decision stopping time decreases.
As exhibited from the preceding results, for fixed information-message rate 0.06,
when the cyber rate is 0.02, the expected stopping time is 829, while for cyber rate
0.03, the expected stopping time decreases to 688.
In addition, as can be seeing from Figure 3.15, as the information-message rate
increases, the probability of detection increases as well. For cyber attack rate 0.02
and information-message rate 0.06, the expected stopping time is 823, while the latter
time decreases to 131, when the information-message rate is instead 0.1 and the cyber
attack rate remains 0.02.
3.5.2 For performance evaluation purposes of the algorithm presented above,
another algorithm was designed by assuming that the minimum information-message
rate is 0.09, the minimum cyber attack rate is 0.02 and the average message length is
2 packets. This algorithm was designed to detect the change from aggregate rate 0.18
to aggregate rate 0.2.
From equations (3.11) and (3.12), we found ^(rk,r;) = ~ = t/s .
To select the decision threshold experimentally, we computed the false alarm and
power probability curves and via them the threshold value q = 65 was selected. From
the Figure 3.17, we observe that the computed expected stopping time is then
E{N}=370.
51


Figure 3.16: False alarm and power probability values versus n for the
thresholdsValues 65 and 75
250
200
s
5 150
I
I
| 100-
Q
0 50 100 150 200 250 300 350 400 450 500
The frame number
Figure 3.17: Expected stopping time, A0 = 0.09, a = 2 v0 = 0.02
52


In the cases a) to e) below, we evaluate the present algorithm for various different
values of the information-message rate, cyber attack rate and average message length,
a) Test the algorithm for information-message rate A0 = 0.09, average message
length a = 2 and cyber attack rate vx = 0.025 .The expected stopping time
E{N}=367.
250-----,----t----,-----,----,----,---------,-----,----1
200 l
S
150 J-
I
I
^ 100
0 50 100 150 200 250 300 350 400 450 500
The frame number
Figure 3.18: Expected stopping time, A0 = 0.09, a = 2 v* = 0.025
b) Test the algorithm for information-message rate A0 = 0.09 average message
length a = 2 and cyber attack rate v2 = 0.03. The expected stopping time E{N}=
326.
250 [---,----,----;----,----,----t----,----,----1----;
200 l
S
5 150
The frame number
Figure 3.19: Expected stopping time, A0 = 0.09, a = 2 v2 = 0.03.
53


c) Test the algorithm for information-message A1 = 0.2, average message length
a=2 and cyber attack rate v2 = 0.02 The expected stopping time E{N}=147.
250 |------,-------,--------,-------,-------,-------
200 r
8
150 -
I
I
^ 100 r
Â¥
The frame number
Figure 3.20: Expected stopping time, Aj = 0.2, a = 2 v0 = 0.02
d) Test the algorithm for information-message rate A1 = 0.2, average message length
a = 2 and cyber attack rate v2 = 0.025 The expected stopping time E{N}= 134.
250
200
8
I
I
] 150
100
50
OiL-L
0

50
5)^ i
4ii.
100 150 200
The frame number
250 300
Figure 3.21: Expected stopping time, = 0.2 a = 2 v1 =. 025
54


e) Test the algorithm for information-message rate = 0.2, average message length
a = 2 and cyber attack rate v2 = .03 The expected stopping time E{N}=124.
250 r
200
The frame number
Figure 3.22: Expected stopping time, =. 2, a = 2 v2 =. 03
Attacker rate
Figure 3.23 : Expected stopping time versus the attacker rate
for algorithm 2
55


Figure 3.23 shows the results of applying the current alternate algorithm, designed at
the minimum information-message rate 0.09 and the minimum cyber attack rate 0.02.
Similarly with the first algorithm, designed at the minimum information message rate
0.06 and the minimum cyber attack rate 0.02, as the cyber attack rate increases, the
probability of detection increases manifested by decreased stopping time. Also, as
the information-message transmission rate increases, the algorithmic probability of
correct detection increases. The expected stopping time is 370, when the information-
message transmission rate is 0.09 and the cyber attack rate is 0.02. When the cyber
attack rate increases to 0.03, the expected stopping time decreases to 326.
In addition, increase of the information-message transmission rate to 0.2 results in
reduced expected stopping time. When the cyber attack rate is 0.02 and the
information-message transmission rate is 0.09, the expected stopping time is 370; the
expected stopping time decreases to 134, for information-message transmission rate
0.2 and cyber attack rate remaining fixed at 0.02.
3.5.3 The two algorithms, presented in sections 3.5.1 and 3.5.2 and respectively
named algorithm 1 and algorithm 2, are designed at information-message
transmission rates 0.06 and 0.09, respectively, while the design cyber attack rate for
both is 0.02. From the results presented in sections 3.5.1 and 3.5.2, we conclude that
algorithm 2 detects faster increases in cyber attack rates, while algorithm 1 detects
faster increases of information-message transmission rates.
3.6 Simulation and Study for the Detection of Change in Delay Distribution -
the Packet Fabrication Model (a)
As discussed earlier, packet fabrication results in increased delays of the information-
message arrivals. Such fabrication may be manifested by the injection of a Poisson
traffic of cyber exploit messages whose lengths are geometrically distributed, while
the effect is change in the induced expected delays of the transmitted message traffic.
We designed a monitoring algorithm which monitors message delays, to detect the
56


presence of such cyber exploit injected traffic. The algorithmic design is based on the
detection of change among two geometric distributions with different expected
delays, where the expected message delay in the absence of cyber exploits was
selected equal to n0 = 62.24 (corresponding to Poisson information-message rate
0.06 and average information-message length equal to two packets), and where the
added cyber exploit traffic was modeled by geometrically distributed messages with
average length a single packet; the resulting average message delay in the presence of
cyber exploits is then \xx = 102.91. The algorithm was then tested for the cases
where the average length of the cyber exploit messages is also 2 and 3 packets,
instead regarding the design of the monitoring algorithm at the geometric delay
distributions with averages /r0 = 62.24 and ixx = 102.91, from equation (3.18) we
find:
Kao.aJ = -78.17 = -t/s = -156/2 .
To select the algorithmic decision threshold experimentally, we first computed the
false alarm and power probability curves for various thresholds. Finally, the
threshold value r| = 1600 was selected. As concluded from Figure 3.25, the expected
stopping time of the selected algorithm is E{N}=39.
57


B- ~&m Power curve 1600
B- False alarm curve 1600
A- $ Power curve 2000
A- eti False alarm curve 2000
n
Figure3.24: False alarm and power probability values versus n for different
threshold values 1600 and 2000.
2500 |----,------,-------,-----t-------,------,------,---
2000 -
Steps
Figure 3.25: Expected stopping time when the attacker adds messages with
average length 1 packet
58


In the cases a) and b) below, we evaluate the present algorithm for average
additional messages 2 and 3 packets.
a)-Test the algorithm when the attacker adds geometrically distributed messages with
average length 2.The expected stopping time is then E{N}=20.
2500
Figure 3.26: Expected stopping time when the attacker adds messages with
average length 2 packets
b)-Test the algorithm when the attacker adds geometrically distributed messages with
average length 3. The expected stopping time is then E{N}=10
2500
100
120
140
60 80
steps
Figure 3.27: Expected stopping time when the attacker adds messages with
average length 3 packets
59


From the figures above, we can see that, as the attacker increases the average length
of the cyber exploit injected traffic, the expected stopping time decreases. The
expected stopping time is 39, when the attacker adds messages with average length 1
packet, while the expected stropping time is respectively 20 and 10, when the average
message length of the injected traffic is 2 and 3, instead.
3.7 Simulation and Study for Detection of Change in the Delay Distribution -
the Time Behavior Exploits.
As discussed earlier, when each message packet is delayed independently due to
cyber exploits, the expected message delay increases. To detect such time-behavior
cyber exploits, we designed a monitoring algorithm that monitors changes in message
delay distributions. Towards a robust design, the algorithm was designed at a
minimum expected information-message delay that corresponds to a minimum
information-message transmission rate. The algorithm was also designed at a
minimum expected message delay caused by the injected cyber exploit traffic that
corresponds to a minimum average per packet forced additional delay lmin.
3.7.1 For numerical evaluations in this section, the minimum expected message delay
of the induced traffic in the absence of cyber exploits is fJ.Q = 62.24 (information- rate
A=0.06 and average message length = 2 packets). In the presence of cyber exploits,
the minimum expected message delay is instead pLx = 75.93 (lmin = 50 slots).
Regarding the design of the monitoring algorithm, from the equation (3.18) we then
find:
S(a0la1) = -67.62 = -t/s = -134/2 .
To select the decision threshold experimentally, we computed the false alarm and
power probability curves for various threshold selections. We subsequently selected
the threshold value T| = 2500. From Figure 3.29, we observe that the expected stopping
time of the resulting algorithm is E{N}=142.
60


Figure 3.28: False alarm and power probability values versus n for different
thresholds values 2500 and 2800
Figure 3.29: Expected stopping time for the average attacker delay 50 slots
61


In the cases a) and b) below, we evaluate the present algorithm for two different
average cyber attack delays corresponding to 100 and 150 slots.
a)Test the algorithm when the attacker delays each packet independently with average
delay 100 slots per packet. The expected stopping time is then E{N}=61.
Figure 3.30: Expected stopping time for average attacker delay 100 slots
b) Test the algorithm when the attacker delays each packet independently with
average delay 150 slots. The expected stopping time is then E{N}=36
Figure 3.31: Expected stopping time for average attacker delay 150 slots
62


3.7.2 For performance evaluation purposes of the algorithm presented above, another
algorithm was designed, based on the assumptions that the expected information-
message delay is fi0 = 67.31 (traffic rate A=0.3 and average message length = 2), and
that the minimum expected message delay after the cyber attack is fxt = 80.97
(l-min = 50 slots) .Then, from equation (3.18) we find:
<(a0,ai)= -72.72 = \
To select the decision threshold experimentally, we computed the false alarm and
power probability curves for various thresholds and finally selected the threshold
value r| = 1600 (see Figure 3.33). The expected stopping time is E{N}=78.
-a- Power curve 1600
B- False alarm curve 1600
A - Power curve 1800
A- - False alarm curve 1800
0 500 1000 1500 2000 2500
n
Figure 3.32: False alarm and power probability values against n for different
thresholds values 1600 and 1800
63


3000
Figure 3.33: The expected stopping time for the average attacker delay
50 slots
In the cases a) and b) below, we evaluated the present algorithm for two values of
the average cyber attack delay; 100 and 150 slots.
a)Test the algorithm when the attacker delays each packet independently with
average delay 100 slots .The expected stopping time is then E{N}=39
3000,----- ------------------.---------------.----.----
2500
a>
3
ra
>
E 2000
20 40 60 80 100 120 140 160 180 200
steps
Figure 3.34: Expected stopping time for average attacker delay 100 slots
64


b)-Test algorithm when the attacker delays each packet independently with average
delay 150 slots. The expected stopping time is then E{N}=29
3000 -
2500
E 2000
1500
1000
$
P
500
1
steps
Figure 3.35: Expected stopping time for average attacker delay 150 slots
Figure 3.36: The expected stopping time versus the average attacker delay
65


Figure 3.36 shows the expected stopping time induced by the two different algorithms
discussed above. Both algorithms induce decreased expected stopping times, as the
cyber average delay per packet increases. As induced by the first algorithm, the
expected stopping time for average cyber delay 50 slots is 140; as the average cyber
delay increases to 100 and 150 slots, the expected stopping time decreases to 61 and
36, respectively. As induced by the second algorithm, when the average cyber delay
per packet increases from 50 to 100 to 150 slots, the expected stopping time decreases
from 78 to 39 to 29.
3.7.3 The two algorithms, presented in sections 3.7.1 and 3.7.2, respectively named
algorithm 1 and algorithm 2, are designed at expected information-message delays
HQ = 62.24 and n0 = 67.31 (information-message transmission rates 0.06 and 0.3),
respectively, while the design average per packet cyber attack delay for both is
Imin = 50 slots. From the results presented in sections 3.7.1 and 3.7.2, we conclude
that algorithm 2 detects faster increases in cyber attack delays, while the detection
effectiveness of algorithm 1 approaches that of algorithm 2, as average cyber attack
delays increase.
66


4. Conclusion
In this thesis, we modeled various data forward cyber exploits on the routers of a data
computer-communication network. We then studied the effects of such exploits on
the information carrying network traffic of a point-to-point link that includes two
routers and a buffer. The studied affected performance metrics of the information
carrying traffic were traffic rejection rates and delay distributions, where admission
delay constraints on the information carrying traffic were imposed as well. We
finally adopted performance monitoring algorithms on these metrics, to detect the
various types of cyber exploits.
In Chapter 1, we discussed the network model used in our study and discussed its
variable parameters. We also introduced the system model used throughout the thesis
comprised of synchronous data transmissions, a Poisson information-message arrival
stream, geometrically distributed message lengths in packet units, a limited capacity
buffer and a first-come-first serve Time Division Multiple Access (TDMA)
transmission policy. We simulated the system in the absence of cyber exploits using
various different traffic rates, various buffer sizes and various delay constraints. We
computed traffic rejection rates and delay distributions of the successfully transmitted
messages. The obtained results are exhibited in Figures 1.2 to 1.6. From the results,
we observe that for a fixed-size buffer, the rejection rate increases with increasing
traffic rate. With increase in the traffic rate, the expected message delay increases, as
expected. For selected traffic rates and varying buffer sizes, the rejection rate
decreases as the buffer size increases. The expected message delay increases as the
buffer size increases, where the increment of the delay increase becomes negligible at
certain buffer sizes.
67


In Chapter 2, we presented the various types of data forward cyber exploits. We then
presented models for four cyber exploit categories: packet fabrication, packet
modification, packet reordering and time behavior exploits. Subsequently, we
simulated the presence of such exploits in network model of Chapter 1, where packet
reordering was incorporated into either the packet modification or the time behavior
model. Rejection rates and the expected message delays were computed and
compared to those induced when cyber exploits are absent. Figures 2.1 to 2.12
exhibit the results. We observed that packet fabrication increases both the traffic rate
and the expected messages delay. Time behavior exploits increase expected message
delays. Also, all the considered cyber exploits (packet fabrication, packet
modification, time behavior exploits) increase the rejection rate.
In the last major chapter, Chapter 3, we introduced a class of sequential algorithms
designed for the detection of changes in data generating processes. We derived
special forms of these algorithms, as induced when the change among different
Poisson processes and change among different geometric distributions are to be
detected. Subsequently, we deployed the latter algorithms for the detection of the
various cyber exploit categories considered in this thesis. In our deployment, we
considered various information-message transmission and cyber exploit rates, as well
as the injection of various cyber delays per information packet, and we studied the
performance of the cyber-exploit detection algorithms. The results of our simulations
are presented in Figures 3.2 to 3.36. We observed that the deployed algorithms were
very effective, where their effectiveness increases as the severity of the cyber exploits
does.
For future research, the models of cyber exploits may be extended to include
additional distributions of injected traffics and packet delays. In addition, different
information traffic models may also be considered subsequently inducing different
forms of the cyber-exploit detection sequential algorithms. The models induced by
68


the extensions discussed above should then be studied in terms of their performance,
and possible appropriate pertinent modifications should be subsequently deployed.
69


Appendix
A, Matlab Programs
1-The following program was used to calculate the transmission delay and the
rejection rate before the adversary model.
%transmission with average length=2
close all
clear all
alpha=0.5;
lambda=0.3;
n=10000;
intevral=-log(rand( 1 ,n))./lambda;
intevrall=intevral;
for i=2:n;
intevral 1 (i)=intevral 1 (i)+intevral 1 (i-1);
end
arrival_time=intevral 1;
maximum_arrivals_time=max(arrival_time);
fram=40;
d=0
l=ceil(maximum_arrivals_time/40);
count=0
for i=l:l;
c=arrival_time(fmd((arrival_time<=d+fram)&(arrival_time>=d)));
numbr_of_arrivals_in_each_ffam(i)=length(c);
if d>maximum_arrivals_time,break,end
k=['F',num2str(i),' = c'];
eval(k);
d=d+fram ;
count=count+l
end
max_ffam_length=max(numbr_of_arrivals_in_each_ffam);
mean_ffarn_arrivals=mean(numbr_of_arrivals_in_each_ffam);
d=0;
A=zeros(count,max_ffam_length);
for j=l:l;
c 1 =arrival_time(find((arrival_time<=d+ff am)&(arrival_time>=d)));
ffam_equal=[c 1 ,zeros( 1 ,max_ffam_length-length(c 1))];
A(j, :)=A(j, :)+fr am_equal;
if d>maximum_arrivals_time, break, end
70


t=['z')num2str(j),'=fTam_equal];
eval(t)
d=d+fram ;
end
mstart=floor(-log(rand(count,max_ffam_length))./(-log( 1 -alpha)))+1;
for i=l :count
for j=l :max_fram_length
if A(ij)~=0
masseg_matrix(i,j)=mstart(ij);
else if A(i j)==0
masseg_matrix(ij)=0;
end
end
end
end
[I,J]=size(A);
% Delay infinite buffer................................................
for i=l:2:I;
for j=l:J;
if A(ij)~=0
delay(ij)=i*fram-A(i,j)+( masseg_matrix(i,j)-l)*fram+(j-l);
delay_first(ij)=i*ffam-A(ij)+(j-l);
else if A(ij)==0 ,dday(ij)=0;delay_first(i,j)=0;
end
end
end
for i=2:2:I
for j=l:J;
if A(ij)~=0
delay(i j)=i*ffam-A(i j)+numbr_of_arrivals_in_each_ffam(i-1)+(masseg_matrix(i j)-1 )*fram+(j-l);
delay _first(ij)=i*fram-A(ij)+(j-l)+ numbr_of_arrivals_in_each_ffam(i-1);
else if A(i j)==0
delay(ij)=0;delay_first(ij)=0;
end
end
end
end
end
delay l=delay';
delay 2=delay 1 (find(delay 1 ~=0));
delay2=delay2;
%hist(delay2);
%The buffer simulation and the delay and the rejection rate
BUFFER=20;
number_of_the_packets_in_each_fram = sum(masseg_matrix');
for i=l:I
71


TFIE TRANSMITTED ?ACKET_PER FRAM(i)=length(find(masseg_matrix(i,:)>0));
end
THETRAN SMITTED_PACKET_PER_FRAM=THE_TRAN SMITTEDPACKETPERFRAM;
number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam;
THE PACKET THAT OCCPIED_THE_BUFFER( 1 )=number_of_the_packets_in_each_fram( 1);
for i=2:I
THE_PACKET_THAT_OCCPIED_THE_BUFFER(i)= numberofjhe jacketsJnj?ach_fram(i-1 )-
THE_TRANSMITTED_PACKET_PER_FRAM(i-])+number_of_the_packets_in_each_fram(i);
end
number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam
THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM
THE PACKET THAT OCCPIED THE BUFFER=THE PACKET THAT OCCPIED THE BUFF
ER
[l,k]=find(THE_PACKET_THAT_OCCPIED_THE_BUFFER>BUFFER)
lk=k+l;
ASS=(lk)
% the number of packet in the rejected frams
numer_of_packets_in_rejected_ffam=THE_PACKET_THAT_OCCPIED_THE_BUFFER(k)
numer_of_messges_we_consider_rejected_per_ffam=ceil((numer_of_packets_in_rejected_fram-
BUFFER)/(1 /alpha))
the_real_number_of_the_messagest_in_the_rejected_fram= numbr_of_arrivals_in_each_ffam(k)
for i=l:length(the_real_number_of_the_messagest_in_the_rejected_ffam)
if numer of_messges_we_consider_rejected_per_fram(i)<=
the_real_number_of_the_messagest_in_the_rejected_ffam(i)
the_rejection_messages(i)=numer_of_messges_we_consider_rejected_per_ffam(i)
else if numer_of_messges_we_consider_rejected_per_fram(i)>
the_real_number_of_the_messagest_in_the_rejected_ffam(i)
the_rejection_messages(i)=the_real_number_of_the_messagest_in_the_rejected_fram(i)
end
end
end
delay_after_rejection=delay;
for l=l:length(k)
delay_after_rejection(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-
the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))=0;
end
delay_after_rejection 1 = delay_after_rejection';
delay_after_rejection2=delay_after_rejectionl(fmd(delay_after_rejectionl~=0));
delay_after_rejection2=delay_after_rejection2';
%figure
%hist(delay_after_rejection2);
yl=zeros(size(A));
count 1=0;
for l=l:length(k)
y= A(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-
the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))
72


kx=['Fx,,num2str(i),' = y'];
eval(kx);
numbr_of_ejected_ffam(l)=length(y);
countl=countl+l;
end
max_rejected_fram=max(numbr_of_ejected_ffam)
Ar=zeros(countl,max_rejected_fram);% create the matrix that will enclode the rarrivals that will be
rejected with 0 admission delay
Arl =zeros(countl ,max_rejected_fram);
for 1= 1: length(k)
%k(l)*ffam-
z=A(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-
the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l));
y=k(l)*ffam-A(k(l),the_real_number_of_the_messagest_in_the_rejected_fram(l)-
the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))
ffamequal 1=[y,zeros( 1 ,max_rejected_fram-length(y))];
ffam_equal2=[z,zeros(l,max_rejected_ffam-length(z))];
Ar(l,:)=Ar(l,:)+fram_equall;
Arl(l,:)=Arl(l,:)+fram_equal2;
end
the_rjection_rate 1 =sum(the_rejection_messages)/n
%-------------Create the admission delay
admission_delay=40;
delay_diffemc=delay-delay_after_rejection;
for i=l:I
for j=l:J
if delay_diffemc(i,j)~=0;
arrivals_buff_rj(ij)=A(ij);
else if delay_diffemc(ij)==0;
arrivals_buflf_rj(ij)=0;
end
end
end
end
for i=l:I
for j=l:J
if arrivals_buff_rj(ij)~=0;
arrivals_buff_rj 1 (i j)=i*fram-arrivals_buff_rj(i j);
else if arrivals_buff_rj(i j)==0;
arrivalsbuffrj l(ij)=0;
end
end
end
end
THE_PACKET_THAT_OCCPIED_THE_BUFFERl=THE_PACKET_THAT_OCCPIED_THE_BUF
FER';
arrivals_buff_rj l_with_buffer=[arrivals_buff_rj 1 ,THE_PACKET_THAT_OCCPIED_THE_BUFFER
l;zeros(l,J+l)];
73


for i=l:I
for j=l:J+l
if arrivals_buff_rjl_with_buffer(i+l,end)> BUFFER;
A_adm(ij)=0;
else if arrivals_buff_rjl_with_buffer(i+l,end)<
BUFFER&arrivals_buff_rj 1 _with_buffer(i j) A_adm(i j)=arri valsbuffrj 1 withbuffer(ij);
end
end
end
end
A_adm=A_adm( 1 :end, 1 :end-1);
the_rjection_rate=(sum(the_rejection_messages)-length(find(A_adm)))/n
for i=l:I
for j=l :J
if A_adm(ij)~=0;
delay_admin(i,j)=delay(ij);
else if A_adm(ij)==0;
delay_admin(ij)=0;
end
end
end
end
delay_fmal_admin=delay_admin+delay_after_rejection;
delay fmal admin 1 = delay final admin';
delay_final_admin2=delay_final_admin 1 (find(delay_final_admin 1 ~=0));
delay_fmal_admin2=delay_fmal_admin2';
figure
hist(delay_final_admin2);xlabel('The delay') ;ylabel('number of the messages')
for i=l:I;
for j=l:J
if delay_fmal_admin(i j)=0;
masseg_mattrix_after_rej(ij)=masseg_matrix(ij);
else if delay_final_admin(ij)==0;
masseg_mattrix_after_rej (i,j )=0;
end
end
end
end
masseg_mattrix_after_rej 1= masseg_mattrix_after_rej';
masseg_mattrix_after_rej2=masseg_mattrix_after_rej 1 (find(masseg_mattrix_after_rej 1 ~=0));
masseg_mattrix_after_rej2= masseg_mattrix_after_rej2';
74


2- The following two programs were used to calculate the delay and the rejection
rate after packet fabrication model
Program 1
ll=length(fmd (masseg_matrix~=0))
alphal=0.5;
y=floor(-log(rand( 1,11))./(-log( 1 -alpha 1)));
[iijj,massges]=find(masseg_matrix);
massges=massges;
massege_after_ad=massges+y;
massege_after_ad=massege_after_ad';
massges_after_ad=sparse(iijj,massege_after_ad);
masses_af_ad_ready=full(massges_after_ad);
[I,J]=size(A);
for i=l:3:I;
for j=l:J;
if A(i j)~=0
delay_ad(ij)=i*ffam-A(ij)+(masses_af_ad_ready(i,j)-l)*fram+(j-l);
else if A(i j)=0 ,delay_ad(ij)=0;
end
end
end
for i=2:3:I
for j=l:J;
if A(ij)~=0
delay_ad(ij)=i*ffam-A(i,j)+numbr_of_arrivals_in_each_ffam(i-1)+( masses_af_ad_ready(ij)-
l)*fram+(j-l);
else if A(i j)=0
delay _ad(ij)=0;
end
end
end
end
end
for i=3:3:I
for j=l:J;
if A(i j)=0
delay_ad(ij)=i*ffam-A(ij)+numbr_of_arrivals_in_each_fram(i-
1 )+numbr_of_arrivals_in_each_ffam(i-2)+(masses_af_ad_ready(i,j)-1 )*fram+(j-1);
else if A(i j)==0
delay_ad(i,j)=0;
75


end
end
end
end
BUFFER=20;
number_of_the_packets_in_each_firam = sum(masses_af_ad_ready');
for i=l:I
THE TRANSMITTED PACKET_PER_FRAM(i)=length(find(masses_af_ad_ready(i,:)>0));
end
THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM;
number_of_the_packets_in_each_ffam=number_of_the_packets_in_each_fram;
THE PACKET THAT OCCPIED THE BUFFER( 1 )=number_of_the jacketsineach _ffam( 1);
for i2:1
THE_PACKET_THAT_OCCPIED_THE_BUFFER(i)= number_of_the_packets_in_each_fram(i-1 )-
THE_TRANSMITTED_PACKET_PER_FRAM(i-1 )+number_of_the_packets_in_each_ffam(i);
end
number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam
THE TRANSMITTED PACKET PER FRAM^THE TRAN SMITTED PACKET PER FRAM
THE PACKET THAT OCCPIED THE_BUFFER=THE_PACKET_THAT_OCCPIED_THE_BUFF
ER
[l,k]=find(THE_PACKET_THAT_OCCPIED_THE_BUFFER >BUFFER)
% the number of packet in the rejected trams
numer_of_packets_in_rejected_fram=THE_PACKET_THAT_OCCPIED_THE_BUFFER(k)
numer_of_messges_we_consider_rejected_per_ffam=ceil((numer_of_packets_in_rejected_fram-
BUFFER)/(l/0.33))
the real number of the messagest in the rejected_fram= numbr of arrivals in each fram(k)
for i= 1 :length(the_real_number_of_the_messagest_in_the_rejected_ffam)
if numer_of_messges_we_consider_rejected_per_ffam(i)<=
the_real_number_of_the_messagest_in_the_rejected_ffam(i)
the_rejection_messages(i)=numer_of_messges_we_consider_rejected_per_ffam(i)
else if numer_of_messges_we_consider_rejected_per_ffam(i)>
the_real_number_of_the_messagest_in_the_rejected_ffam(i)
the_rejection_messages(i)=the_real_number_of_the_messagest_in_the_rejected_ffam(i)
end
end
end
delay _after_rejection_ad=delay_ad;
for 1= 1: length(k)
delay_after_rejection_ad(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-
the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))=0;
end
delay_after_rejection_adl= delayafterrejectionad';
delay_after_rejection_ad2=delay_after_rejection_adl(find(delay_after_rejection_adl~=0));
delay_afterrejection2=delayafterrejection2';
%figure
%hist(delay_after_rejection_ad2);
%the_rjection_rate_ad=sum(the_rejection_messages)/n
76


admission_delay=40;
delay_diffemc_ad=delay_ad-delay_after_rejection_ad;
for i=l:I
for j=l:J
if delay_diffemc_ad(i j)~=0;
arrivals_buff_rj_ad(ij)=A(ij);
else if delay_diffemc_ad(ij)==0;
arrivals_buff_rj_ad(ij)=0;
end
end
end
end
for i=l:I
for j=l:J
if arrivals_buff_rj_ad(ij)~=0;
arrivals_buff_rjl_ad(ij)=i*ffam-arrivals_buff_rj_ad(ij);
else if arrivals_buff_rj_ad(ij)==0;
arrivalsbuffrj l_ad(ij)=0;
end
end
end
end
THE_PACKET_THAT_OCCPIED_THE_BUFFERl=THE_PACKET_THAT_OCCPIED_THE_BUF
FER';
arrivals buff rj 1 _with_buffer_ad=[arrivals_buff_rj 1 _ad,THE_PACKET THAT OCCPIED THE B
UFFER1 ;zeros( 1, J+1)];
for i=l:I
for j=l:J+l
if arrivals_buff_rjl_with_buffer_ad(i+l,end)> BUFFER;
A_adm(ij)=0;
else if arrivals_buff_rjl_with_buffer_ad(i+l,end)<
BUFFER&arrivals_buff_rj 1 _with_buffer_ad(i j) A_adm_ad(ij)=arrivals_buff_rjl_with_buffer_ad(i,j);
end
end
end
end
A_adm_ad=A_adm_ad( 1 :end, 1 :end-1);
the_rjection_rate=(sum(the_rejection_messages)-length(find(A_adm_ad)))/n
for i=l:I
for j=l:J
if A_adm_ad(i j)=0;
delay_admin_ad(ij)=delay_ad(ij);
else if A_adm_ad(ij)=0;
delay_admin_ad(i,j)=0;
end
end
end
77


end
delay_final_admin_ad=delay_admin_ad+delay_after_rejection_ad;
delayfinaladminad 1 = delay_final_admin_ad';
delay_final_admin_ad2=delay_final_admin_ad 1 (find(delay_fmal_admin_ad 1 ~=0));
delay_final_admin_ad2=delay_fmal_admin_ad2';
figure
hist(delay_final_admin_ad2);xlabel('The delay') ;ylabel('number of the messages')
programm2
close all
clear all
alpha=0.5;
lambda=0.06;
n=10000;
intevral=-log(rand( 1 ,n))./lambda;
intevral 1=intevral;
for i=2:n;
intevral 1 (i)=intevral 1 (i)+intevral 1 (i-1);
end
n_ad=5000;
lambda_ad=0.1;
intevral_ad=-log(rand( 1 ,n_ad))./lambda_ad;
intevral l_ad=intevral_ad;
for i=2:n_ad;
intevral 1 _ad(i)=intevral l_ad(i)+intevral l_ad(i-1);
end
final_inveral=[intevral l_ad,intevral 1 ];
final_inveral=sort(fmal_inveral);
arrival_time=fmal_inveral;
maximum_arrivals_time=max(arrival_time);
ffam=40;
d=0
l=ceil(maximum_arrivals_time/40);
count=0
for i=l:l;
c=arrival_time(fmd((arrival_time<=d+ffam)&(arrival_time>=d)));
numbr_of_arrivals_in_each_ffam(i)=length(c);
if d>maximum_arrivals_time,break,end
k=['F',num2str(i),' = c'];
eval(k);
d=d+fram ;
count=count+l;
end
max_fram_length=max(numbr_of_arrivals_in_each_fram);
78


mean_ffam_arrivals=rnean(nurnbr_of_arrivals_in_each_ffam);
d=0;
A=zeros(count,max_fram_length);
for j= 1:1;
c 1 =arrival_time(find((arrival_time<=d+ffam)&(arrival_time>=d)));
fram_equal=[c 1 ,zeros( 1 ,max_ff am_length-length(c 1))];
A (j,: )=A(j,: )+fram_equal;
if d>maximum_arrivals_time,break,end
t=['z',num2str(j),=ffam_equar];
eval(t)
d=d+fram ;
end
mstart=floor(-log(rand(count,max_ffam_length))./(-log(l-alpha)))+l;
for 1=1 :count
for j=1 :max_fram_length
if A(ij)~=0
masseg_matrix(i,j)=mstart(i,j);
else if A(i,j)==0
masseg_matrix(ij)=0;
end
end
end
end
[I,J]=size(A);
for i=l:2:I;
for j=l:J;
if A(i,j)~=0
delay(i ,j)=i*fram-A(i,j)+( masseg_matrix(ij)-l)*fram+(j-l);
delay_first(i j)=i*ffam-A(i ,j)+(j-1);
else if A(ij)==0 ,delay(ij)=0;delay_first(i,j)=0;
end
end
end
for i=2:2:I
for j=l:J;
if A(ij)~=0
delay(ij)=i*fram-A(ij)+numbr_of_arrivals_in_each_ffam(i-l)+( masseg_matrix(ij)-l)*fram+(j-l);
delay_first(ij)=i*fram-A(i,j)+(j-l)+masseg_matrix(ij)*nunibr_of_arrivals_in_each_fram(i-l);
else if A(i,j)==0
delay(ij)=0;delay_first(i,j)=0;
end
end
end
end
end
79


number_of_the_packets_in_each_fram = sum(massegmatrix');
for i=l:I
THE TRANSMITTED ?ACKET_PER_FRAM(i)=length(find(masseg_matrix(i,:)>0));
end
THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM;
number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam;
THE_PACKET_THAT_OCCPIED THE_BUFFER( 1 )=number_of_the_packets_in_each_fram( 1);
for i=2:I
THE PACKET_THAT_OCCPIED_THE_BUFFER(i)= numberofjhe jackets Jn_each_fram(i-1 )-
THE_TRANSMITTED_PACKET_PER_FRAM(i-l)+number_of_the_packets_in_each_ffam(i);
end
number_of_the_packets_in_each_ffam=number_of_the_packets_in_each_fram
THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM
THE_PACKET_THAT_OCCPIED_THE BUFFER=THE_PACKET_THAT_OCCPIED_THE_BUFF
ER
[l,k]=find(THE_PACKET_THAT_OCCPIED THE BUFFER >BUFFER)
lk=k+l;
ASS=(lk)
numer_of_packets_in_rejected_ffam=THE_PACKET_THAT_OCCPIED_THE_BUFFER(k)
numer_of_messges_we_consider_rejected_per_fram=ceil((numer_of_packets_in_rejectedfram-
BUFFER)/(1/alpha))
the_real_number_of_the_messagest_in_the_rejected_ffam= numbr_of_arrivals_in_each_fram(k)
for i=1: length(the_real_number_of_the_messagest_in_the_rejected_ffam)
if numer_of_messges_we_consider_rej ected_per_ff am(i)<=
the_real_number_of_the_messagest_in_the_rejected_ffam(i)
the_rejection_messages(i)=numer_of_messges_we_consider_rejected_per_ffam(i)
else if numer_of_messges_we_consider_rejected_per_fFam(i)>
the_real_number_of_the_messagest_in_the_rejected_ffam(i)
the_rejection_messages(i)=the_real_number_of_the_messagest_in_the_rejected_ffam(i)
end
end
end
de layafterrej ection=delay;
for l=l:length(k)
delay_after_rejection(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-
the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))=0;
end
delayafterrejection 1= delay_after_rejection';
delay_after_rejection2=delay_after_rejectionl(find(delay_after_rejectionl~=0));
delay _after_rejection2=delay_after_rejection2';
%figure
%hist(delay_afler_rejection2);
for i=l:I;
for j=l:J
if delay_after_rejection(ij)~=0;
masseg_mattrix_after_rej(ij)=masseg_matrix(ij);
else if delay_after_rejection(ij)==0;
masseg_mattrix_after_rej(ij)=0;
80


end
end
end
end
masseg_mattrix_after_rej 1= masseg_mattrix_after_rej';
masseg_mattrix_after_rej2=masseg_mattrix_after_rej 1 (find(masseg_mattrix_after_rej 1 ~=0));
masseg_mattrix_after_rej2= masseg_mattrix_after_rej2';
yl=zeros(size(A));
count 1=0;
for 1=1 :length(k)
y= A(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-
the rejection messages(l)+l:the real number of the messagest in the rejected ffam(l))
kx=[Fx',num2str(i), = y];
eval(kx);
numbr_of_ejected_fram(l)=length(y);
count l=count 1+1;
end
max_rejected_fram=max(numbr_of_ejected_fram)
Ar=zeros(countl,max_rejected_fram);% create the matrix that will enclode the rarrivals that will be
rejected with 0 admission delay
Ar 1 =zeros(count 1 ,max_rejected_fram);
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
for l=l:length(k)
z=A(k(l),the_real_number_of_the_messagest_in_the_rejected_fram(l)-
the_rejection_messages(l)+1 :the_real_number of_the_messagest_in_the_rejected_ffam(l));
y=k(l)*fram-A(k(l),the_real_number_of_thejnessagest_in_the_rejected_ffam(l)-
the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_fram(l))
ffam_equal 1=[y,zeros( 1 ,max_rejected_ffam-length(y))];
ffam_equal2=[z,zeros( 1 ,max_rejected_ffam-length(z))];
Ar(l, :)=Ar(l, :)+ffam_equal 1;
Arl(l,:)=Arl(l,:)+ffam_equal2;
end
the_rjection_ratel=sum(the_rejection_messages)/n %compute the rjection from the buffer 0
admission delay
admission_delay=40;
delay_diffemc=delay-delay_after_rejection;
for i=l:I
for j=l:J
if delay_diffemc(i,j)~=0;
arrivals Jmff_rj(i,j)=A(ij);
else if delay_diffemc(ij)==0;
arrivals_buff_rj(ij)=0;
end
end
end
end
for i=l:I
81


for j=l:J
if arrivals_buff_rj(ij)~=0;
arrivals_buff_rj 1 (i j)=i*ffam-arrivals_buff_rj(i j);
else if arrivals_buff_rj(ij)==0;
arrivalsbuffrj 1 (i j)=0;
end
end
end
end
THE_PACKET_THAT_OCCPIED_THE_BUFFERl=THE_PACKET_THAT_OCCPIED_THE_BUF
FER';
arrivalsbuffrj l_with_buffer=[arrivals_buff_rj 1 ,THE_PACKET_THAT_OCCPIED_THE_BUFFER
l;zeros(2,J+l)];
for i=l:I
for j=l:J+l
if arrivals buff rj l_with_buffer(i+1 ,end)<
BUFFER|arrivals_buff_rjl_with_buffer(i+2,end) A_adm(i ,j)=arrivals_buff_rj 1 _with_buffer(i j);
end
end
end
A_adm=A_adm(l :end,l :end-l);
the_rjection_rate=(sum(the_rejection_messages)-length(find(A_adm)))/n
for i=l:I
for j=l: J
if A_adm(i,j)~=0;
delay_admin(ij)=delay(ij);
else if A_adm(ij)==0;
delay_admin(i,j)=0;
end
end
end
end
delay _final_admin=delay_admin+delay_after_rejection;
delayfmaladmin 1 = delay_final_admin';
delay_final_admin2=delay_final_admin 1 (fmd(delay_fmal_admin 1 ~=0));
delay_fmal_admin2=delay_fmal_admm2';
figure
hist(delay_fmal_admin2);
3-The following program was used to compute the rejection rate after packet
modification model
zl = masseg_matrix(find(masseg_matrix~=0));
k=l;
1=1;
for i=l: d ;
for j=l:zl(i);
82


if rand < .5;
z0=i;
else
zG)=0;
end
xl(k)=z(j);
fl2(l,k)=xl(k);
k=k+l;
end
1=1+1;
end
ftr2=fl2';
sum_ftr2=sum(flr2);
nonzero_elment2=(sum_ftr2~= 0);
themessages_rejected2=sum(nonzero_elment2);
ldx 1 = d-themessages_rejected2
the_regection_rate_with_expilots=(n-ldx 1 )/n
4-The following program was used to calculate the delay and the rejection rate
after time behavior exploits
ALFA=.02;
alfa_l=ALFAA-l;
delay_aversary3=zeros(I,J);
11 =length(find(masseg mattrix_after_rej~=0));
max_matrixm=max(max(masseg_mattrix_after_rej));
for i=l:I;
for j=l:J;
if m asseg_mattri xafterrej (i ,j )~=0;
yl=geornd(ALFA,[l masseg_mattrix_after_rej(i,j)]);
if max(yl)>alfa_l;
delay_aversary3(ij)=0;
else if max(yl) delay_aversary3(ij)= delay_aversary3(i,j)+sum(yl);
end
end
end
end
end
z 1 = masseg_mattrix_after_rej(find(masseg_mattrix_after_rej~=0));
yl=max(zl);
for i=l:length(zl);
ml=geomd(ALFA,[l zl(i)])+l;
for j= 1 :y 1
for k=l:zl(i);
if j<=k
fdl(ij)=ml(k);
else if j>k
83


fdl(ij)=0;
end
end
end
end
end
adversary_rejection=(length(find(fdl(:, 1 )>alfa 1 ))+the_rjectionrate* n )/n
final_delay_adverary3=delay_aversary3+ delay_final_admin;%delay maybe change after the buffer
and admission delay
final_delay_adverary3=final_delay_adverary3';
final_delay_adverary3=final_delay_adverary3(find(final_delay_adveraiy3~=0));
final_delay_adverary3=final_delay_adverary3';
figure
hist(fmal_delay_adverary3)
5- The following program was used to monitor the change in Poisson rates
t=4;
s=10;
gamma=75;
[I,J]=size(A);
number_of_the_packets_in_each_ffam_after_rejection = sum(masseg_mattrix_after_rej');
TX(1)=0;
for i=l:I
TX(i+1 )= max(0,TX(i)+s*number of_the_packets_in_each_fram_after_rejection(i)-40*t);
end
for i=l:l
T(i)=TX(i);
end
for i=l:I
if (T(i))>=gamma
for k=i+l:I
T(k)=0;
end
end
sl=zeros(l,I);
sl=sl+gamma;
end
[kk,ll,mm]=fmd(TX>gamma);
if 11(1)==0;
corssing_time_with_adversary=0;
else if 11(1)~=0
corssing_time_with_adversary=l 1( 1)
end
end
figure
plot(T,'-rs')
84


hold on
plot(sl)
axis([0 800 0 400]);
xlabel('The frame number');ylabel('The Algorithm value ')
6-The following program was used to monitor the change in the delay
distribution
t=145;
s=2;
gamma=1600;
il=length(fmal_delay_adverary3);
TX(1)=0;
for i=l: il
TX(i+l)= max(0,TX(i)+s*(final_delay_adverary3(i)-l)-t);
end
for i=l:I
T(i)=TX(i);
end
for i=l:I
if (T(i))>=gamma
for k=i+l:I
T(k)=0;
end
end
sl=zeros(l,I);
sl=sl+gamma;
end
[kk,ll,mm]=find(TX>gamma);
if 11(1)==0;
corssing_time_with_adversary22=0;
else if 11(1 )~=0
corssing_timewith_adversary22=ll( 1)
end
end
figure
plot(T,'~rs')
hold on
plot(sl)
axis([l 200 0 3000]),xlabel('The frame number');ylabel('The Algorithm value ')
6-The following program was used to find the average of the expected stopping
time as function in the previous program
1=1000;
for i=l:l;
y(i)=stoptime
end
averag_stop_time=sum(y)/l
85


REFERENCES
[1] G. Aimes, S. Kalidindi, and M. Zekauskas. A one-way packet loss metric for
IPPM. RFC 2680, Sept. 1999.
[2] X. Ao. Report on DIMACS Workshop on Large-Scale Internet Attacks, Sept.
2003.
[3] I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy. Amendment
to: Highly secure and efficient routing, Feb. 2004. Amendment.
[4] I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy. Highly secure
and efficient routing. In Proceedings of INFOCOM 2004 Conference, March 2004.
[5] J. Bellardo and S. Savage. Measuring packet reordering. In ACMSIGCOMM
Internet Measurement Workshop(IMW02).
[6] J. C. R. Bennett, C. Partridge, andN. Shectman. Packet reordering is not
pathological network behavior. IEEE/ACM Transactions on Networking (TON),
7(6):789-798, 1999.
[7] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway. UMAC: Fast
and secure message authentication. Lee. Notes in CS, 1666:216-233, 1999.
[8] B. H. Bloom. Space/time trade-offs in hash coding with allowable errors.
Comm. Of the ACM, 13(7):422^126, July 70.
[9] K. A. Bradley, S. Cheung, N. Puketza, B. Mukheijee, and R. A. Olsson.
Detecting disruptive routers: A distributed network monitoring approach. In Proc.
of the IEEE Symposium on Security and Privacy, pages 115-124, May 1998.
[10] T. D. Chandra and S. Toueg. Unreliable failure detectors for reliable distributed
systems. Journal of the ACM, 43(2):225-267, 1996.
[11] K. M. Chandy and L. Lamport. Distributed snapshots: determining global states
of distributed systems. ACM Transactions on Computer Systems, 3(1 ):6375, 1985.
86


[12] S. Cheung. An efficient message authentication scheme for link state routing.
In ACSAC, pages 90-98, 1997.
[13] S. Cheung and K. Levitt. Protecting routing infrastructuresfrom denial of
service using cooperative intrusion detection. In New Security Paradigms
Workshop, 1997.
[14] Cisco Systems. Load balancing with cisco express forwarding
http//www.cisco.com/warp/public/cc/pd/ifaa/pa/much/prodlit/loadb an.pdf.
[15] Y. Cosendai, M. Dacier, and P. Scotton. Intrusion detection mechanism to
detect reachability attacks in PNNI networks. In Recent Advances in Intrusion
Detection, 1999.
[16] N. G. Duffield and M. Grossglauser. Trajectory sampling for direct traffic
reservation in COMMOO, pages 271-282.
[17] W. Feghali, B. Burres, G.Wolrich, and D. Carrigan. Security:Adding protection
to the network via the network processor. Intel Technology Journal, 06:40-49, Aug.
2002.
[18] Gauis. Things to do in Ciscoland when youre dead.. Jan. 00.
[19] M. T. Goodrich. Efficient and secure network routing algorithms.Jan 2001.
Provisional patent filing.
[20] A. Herzberg and S. Kutten. Early detection of message forwardingfaults.
SIAMJ. Comput, 30(4):1169-1196, 2000.
[21] K. J. Houle, G. M. Weaver, N. Long, and R. Thomas. Trends indenial of service
attack technology. Technical report,CERT Coordination Center, Oct. 2001.
[22] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secureon-demand routing
protocol for ad hoc networks. In The 8thACMInt. Conf. on MobiCom, Sep 2002.
[23] J. R. Hughes, T. Aura, and M. Bishop. Using conservation offlow as a security
mechanism in network protocols. In IEEESymp. on Security and Privacy, pages
132-131,2000.
87


[24] Y. Jou, F. Gong, C. Sargor, X. Wu, S. Wu, H. Chang, andF. Wang. Design and
implementation of a scalable intrusiondetection system for the protection of network
infrastructure. In DISCEXOO Proceedings, volume 2, pages 69-83, 2000.
[25] Juniper Networks. JUNOS 6.4 Routing ProtocolsConfiguration Guide.
http://www.iuniper.net/techpubs/software/iunos/iunos64/swconfig64-routing/html/.
[26] S. Kent, C. Lynn, J. Mikkelson, and K. Seo. Secure BorderGateway Protocol
(Secure-BGP). IEEE Journal on SelectedAreas in Communications, 18(4):582592,
Apr. 2000.
[27] C. Labovitz, A. Ahuja, and M. Bailey. Shining light on darkaddress space.
Technical report, Arbor Networks, Nov. 2001.
[28] L. Lamport, R. Shostak, and M. Pease. The Byzantine generalsproblem.MCM
Trans, on Programming Languages andSystems, 4(3):382-401, 1982.
[29] Y. Minsky, A. Trachtenberg, and R. Zippel. Set reconciliationwith nearly
optimal communication complexity. In Int.Symp. on Information Theory, page 232,
June 2001.
[30] A. T. Mizrak, K. Marzullo, and S. Savage. Detecting maliciousrouters.
Technical Report CS2004-0789, UCSD, 2004.
[31] A. Morton, L. Ciavattone, G. Ramachandran, S. Shalunov,and J. Perser. Packet
reordering metric for IPPM. Mar. 2003.
[32] J. T. Moy. Multicast extensions to OSPF. RFC 1584, IETF,Mai. 1994.
[33] National Institute of Standards and Technology. Data encryptionstandard.
FIPS PUBS 46-3, Oct. 1999.
[34] National Institute of Standards and Technology. Advancedencryption
standard. FIPS PUBS 197, Nov. 2001.
[35] V. N. Padmanabhan and D. Simon. Secure trace route to detect faulty or
malicious routing. SIGCOMMComp. Comm.Review, 33(1):7782, 2003.
[36] R. Perlman. Network Layer Protocols with Byzantine Robustness.'PhD thesis,
MIT LCS TR-429, Oct. 1988.
88


[37] R. Perlman. Interconnections: Bridges and Routers. Addison Wesley
Longman Publishing Co. Inc., 1992.
[38] D. Pullin, A. Corlett, B.Mandeville, and S. Critchley. Packet reordering: The
minimal longest ascending subsequence metric, Feb. 2002.
[39] P. Rogaway. UMAC Performance (more).www.cs.ucdavis.edu/
rogaway/umac/2000/perf00bis.html.
[40] N. Shah. Understanding network processors. Masters thesis,University of
California, Berkeley, September 2001.
[41] C. Shannon, D. Moore, and K. C. Claffy. Beyond folklore: observations on
fragmented traffic. IEEE/ACM Trans. Netw., 10(6):709-720, 2002.
[42] B. R. Smith and J. Garcia-Luna-Aceves. Securing the border gateway routing
protocol. In Proc. Global Internet96.
[43] N. Spring, R. Mahajan, and D. Wetherall. Measuring ISP topologies with
Rocket fuel. In Proc. ofACM/SIG COMM, pages 133-145, 2002.
[44] L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. Katz. Listen and
Whisper: Security Mechanisms for BGP. In Proc. ofNSDI, Mar. 2004.
[45] D. Taylor. Using a compromised router to capture network traffic, July 2002.
Unpublished Technical Report.
[46] R. Teixeira, K. Marzullo, S. Savage, and G. M. Voelker. In search of path
diversity in ISP networks. In Proc. of the ACM/SIGCOMMIMC, pages 313-318,
2003.
[47] R. Thomas. ISP Security BOF, NANOG 28, June 2003.
[48] P. Papantoni-Kazakos and Anthony Burrell. Robust Sequential Algorithms
for the Detection of Changes in Data Generating Processes. IEEE Trans. J Intell
Robot Syst (2010) 60:3-17.
[49] D. Kazakos and P. Papantoni-Kazakos. Detection and Estimation .New York:
Computer Science Press, 1990.
89