H

MODELING AND MONITORING THE IMPACT OF CYBER EXPLOITS ON

COMPUTER COMMUNICATION NETWORKS

By

Ali Mohamed

B.S., Sebha University, 1999

A thesis submitted to the

University of Colorado Denver

in partial fulfillment

of the requirements for the degree of

Master of Science

Electrical Engineering

2011

This thesis for the Master of Science

degree by

Ali Mohamed

has been approved

By

Hamid Fardi

Jan Bialasiewicz

Date

Mohamed, Ali (M.S, Electrical Engineering)

Modeling and Monitoring the Impact of Cyber Exploits on Computer Communication

Networks

Thesis directed by professor Titsa Papantoni

ABSTRACT

Network routers play a key role in data transports and consequently become attractive

targets to adversary attacks. By manipulating, diverting or dropping data packets

arriving at a compromised router, an adversary can mount denial-of-service,

surveillance or man-in-the-middle attacks.

In this thesis, we are focusing on the forms of malicious data forwarding attacks on

compromised routers and their impact on the network performance, as well as on the

development of techniques for detecting their presence. Our search is implemented

via the following constructive steps:

-We identify, categorize and model the various forms of malicious forwarding threats

on routers.

-We identify the operational performance metrics for networks, as evolving in time

and set their boundaries associated with satisfactory operation.

-We study the effect of each router attack on the network operational performance

metrics.

-Finally, we develop techniques for monitoring and detecting changes in the network

operational performance metrics, as affected by the adopted adversary models.

This abstract accurately represents the content of the candidates thesis. I recommend

its publication

signed.

Titsa Papantoni

DEDICATION

I dedicate this thesis to my parents, who gave me an appreciation of learning and

taught me the value of perseverance and resolve. I also dedicate this to my wife, for

her unfaltering support and understanding while I was completing this thesis.

ACKNOWLEDGEMENTS

This thesis was partially supported by U.S. Air Force Office of Scientific Research,

via a subcontract to UC Denver from the contract AFOSR FA9550-05-1-0388 to

George Mason University.

Special thanks to my advisor, Dr. Titsa Papantoni, for her guidance that kept me on

track and for her patience with me during this past year. An additional thanks goes

out to Dr. Hamid Fardi and Dr. Jan Bialasiewicz my thesis committee at the

University of Colorado at Denver.

TABLE OF CONTENTS

Figures........................................................................viii

Tables.......................................................................xi

Chapter

1 .Introduction...............................................................1

1.1 Network and System Model..................................................4

1.2 Simulation and Study of the System Model.................................7

1.2.1 Simulation and Study Regarding the Effect of Changing Buffer Size on the

Rejection Rate and the Expected Message Delay................................8

1.2.2 Simulation and Study the effect of Change the Admission Delay Constraint

on the Rejection rate and the Expected Message Delay.........................11

2. Threats Categorization and Modeling.......................................14

2.1 Threats Categorization..................................................14

2.1.1 Packet Loss............................................................14

2.1.2 Packet Fabrication.....................................................14

2.1.3 Packet Modification....................................................15

2.1.4 Packet Reordering......................................................15

2.1.5 Time Behavior..........................................................15

2.2 Threats Modeling........................................................15

2.2.1 Modeling the Packet Fabrication........................................15

2.2.2 Modeling the Packet Modification.......................................16

2.2.3 Modeling the Packet Reordering.........................................18

2.2.4 Modeling the Time Behavior Exploits....................................18

VI

2.3 Simulation and Study the Threats Model...................................19

2.3.1 Simulation and Study the Effect of Packet Fabrication..................19

2.3.2 Simulation and Study the Effect of Packet Modification.................26

2.3.3 Simulation and Study the Effect of Time behavior exploits..............28

3. Threats Monitoring and Detection...........................................33

3.1 Sequential Algorithms for the Detection of Changes in

Data Generating Processes.....................................................33

3.2 Sequential Algorithms between Poisson Processes..........................37

3.3 Sequential Algorithms to Detect the Change in

the Distribution of the Delay................................................39

3.4 Threshold Selection......................................................41

3.5 Simulation and Study of the Sequential Algorithms

between Poisson Processes.....................................................43

3.6 Simulation and Study for the Detection of Change in

Delay Distribution the packet Fabrication Model (a).........................56

3.7 Simulation and Study for Detection of Change in

the Delay Distribution the Time Behavior Exploits...........................60

4. Conclusions...............................................................67

Appendix

A.Matlab programs.............................................................70

References....................................................................86

vii

FIGURES

Figure

1.1- Illustration of the transmission for n-th message.............................7

1.2 - The rejection rates for different buffer sizes...............................9

1.3- Expected message delay for different buffers...................................10

1.4 - Expected message delay versus buffer size....................................10

1.5 - The rejection rate for different admission delays constraint.................12

1.6- The expected message delay for different admission delay constraints...........13

2.1 - The change on the rejection rate for packet fabrication model (a)............20

2.2 - The delay distribution before cyber attacks..................................21

2.3 - The delay distribution after adding additional attack messages with

average length 1....................................................................22

2.4 - The delay distribution after adding additional attack messages with

average length 2....................................................................23

2.5 - The effect of packet fabrication model (b) on the rejection rate.............24

2.6 - The delay distribution after inject Poisson stream of packets with rate 0.06.25

2.7 - The delay distribution after inject Poisson stream of packets with rate 0.1..26

2.8 - The change in the rejection rate after the modification packets..............27

2.9 The rejection rate before and after the time behavior exploits................29

2.10 The delay distribution before the time behavior exploits.....................30

2.11 - The delay distribution after the time behavior exploits average delay (100)....31

2.12 - The delay distribution after the time behavior exploits average delay (200)...32

3.1- False alarm and power curves for the m to / monitoring algorithm

threshold values 8 <8..................................................42

viii

3.2- False alarm and power probability values against n for the thresholds

values 105 and 110.......................................................44

3.3- Expected stopping time, A0 = .06, a0 = 2 , v0 = .02...............44

3.4- Expected stopping time, A0 = .06, a0 = 2 , vx = .025..............45

3.5- Expected stopping time, A0 = .06 , a0 = 2 , v2 = .03...............45

3.6- Expected stopping time, A1 = 0.1, a0 = 2 , v0 = .02...............46

3.7- Expected stopping time, 0.1, a0 = 2 , vx = .025..............46

3.8- Expected stopping time, Aj = 0.1, a0 = 2 ,v2 = .03..................47

3.9- Expected stopping time, A0 = .06 ax = 3 v0 = .02................47

3.10- Expected stopping time, A0 = .06 ax = 3 Vj = .025..............48

3.11- Expected stopping time, A0 = .06, ax = 3 ,v2 = .03.................48

3.12- Expected stopping time, Ax = 0.1, = 3 v0 = .02...................49

3.13- Expected stopping time, Ax = 0.1, = 3 ,vx = .025..................49

3.14- Expected stopping time, Ax = 0.1, = 3 v2 = .03..................50

3.15- The expected stopping time versus the attacker rate for algorithm 1.50

3.16- False alarm and power probability values against n for the thresholds

Values 65 and 75....................................................52

3.17- Expected stopping time, A0 = .09 , a = 2 v0 = .02 ...............52

3.18- Expected stopping time, A0 = .09 , a = 2 vx = .025 ..............53

3.19- Expected stopping time, A0 = .09, a = 2 v2 = .03.................53

3.20- Expected stopping time, Aj = 0.2 a = 2 ,vo = .02.................54

3.21- Expected stopping time, Ax = 0.2 , a = 2 vx = .025...............54

3.22- Expected stopping time, Ax = 0.2 , a = 2 v2 = .03................55

3.23- Expected stopping time versus the attacker rate for algorithm 2.....55

3.24- False alarm and power probability values against n for different

thresholds values 1600 and 2000.....................................58

IX

3.25- Expected stopping time when the attacker adds messages with

average length 1 Packet................................................58

3.26- Expected stopping time when the attacker adds messages with

average length 2 packets...............................................59

3.27- Expected stopping time when the attacker adds messages with

average length 3 Packets...............................................59

3.28- False alarm and power probability values against n for different

thresholds values 2500 and 2800........................................61

3.29- Expected stopping time for the average attacker delay 50 slots........61

3.30- Expected stopping time for the average attacker delay 100 slots.......62

3.31- Expected stopping time for the average attacker delay 150 slots.......62

3.32- False alarm and power probability values against n for different thresholds

values 1600 and 1800...................................................63

3.33- Expected stopping time for the average attacker delay 50 slots........64

3.34- Expected stopping time for the average attacker delay 100 slots.......64

3.35- Expected stopping time for the average attacker delay 150 slots.......65

3.36- The expected stopping time versus the average attacker delay..........65

TABLES

Table

1.1 - The rejection rates for different buffers...................................8

1.2- The rejection rate for different admission delays constraint..................11

2.1 - The effect of packet fabrication model (a) on the rejection rate.............19

2.2 - The effect of packet fabrication model (b) on the rejection rate.............24

2.3 - The change in the rejection rate after the modification packets..............27

2.4 - The change in the rejection rate after the time behavior exploits............28

XI

1. Introduction

Routers play a key role in modem packet switched network. To a first

approximation, networks can be modeled as a series of point-to-point links

connecting pairs of routers to form a directed graph. Since few endpoints are directly

connected, data must be forwarded hop-by-hop from router to router, towards its

ultimate destination. Therefore, if a router is compromised, it stands to reason that an

attacker may drop, delay, reorder, corrupt, modify or divert any of the packets passing

through. Such a capability can then be used to deny service to legitimate hosts, to

implement ongoing network surveillance or to provide an efficient man-in-the-middle

functionality for attacking end systems. Moreover, such attacks are not mere

theoretical curiosities, but they are actively employed in practice. Attackers have

repeatedly demonstrated their ability to compromise routers, through combinations of

social engineering and exploitation of weak passwords or latent software

vulnerabilities [2,21,27]. Once a router is compromised an attacker need not modify

the routers code base to exploit its capabilities. Current standard command line

interfaces from vendors such as Cisco and Juniper are sufficiently powerful to drop

and delay packets, send copies of packets to a third party, or divert packets through

a third party and back. In fact, several widely published documents provide a standard

cookbook for transparently tunneling packets from a compromised router through

an arbitrary third-party host and back again effectively amplifying the attackers

abilities, including arbitrary packet sniffing, injection or modification [18, 45]. Such

attacks can be extremely difficult to detect manually, and it can be even harder to

isolate which particular router or group of routers has been compromised. The

problem of detecting and removing compromised routers can be thought of as an

instance of anomalous behavior-based intrusion detection. That is, a compromised

1

router can potentially be identified by correct routers when it deviates from

exhibiting expected behavior. This problem can be broken into three distinct sub

problems:

1. Traffic validation.

Traffic information is the basis of detecting anomalous behavior: given traffic

entering a part of the network, and an expected behavior for the routers in the network

(i.e. a known routing configuration), anomalous behavior is detected when the

monitored traffic leaving one part of the network differs significantly from what is

expected. However, implementing such validation practically can be quite tricky and

requires tradeoffs between the overhead of monitoring, communication and accuracy.

2. Distributed detection.

It is impossible for a single router to establish that its neighbor is anomalous. Any

such detection requires synchronizing a collection of traffic information and

distributing the results so that anomalous behavior can be detected by sets of correct

routers.

3. Response.

Once a router, or set of routers, is thought to be faulty, the forwarding tables of

correct routers must be changed to avoid using those compromised nodes. In

addition, over longer time scales an appropriate alert must be raised so human

forensic experts can respond appropriately.

There are two threats posed by a compromised router: the attacker may attack by

means of the routing protocol (for example, by sending false advertisements) or by

having the router violate the forwarding decisions it should make based on its routing

tables. The first situation is often referred to as an attack on the control plane, while

the second is termed an attack on the data plane. The first threat has received, by far,

the lions share of the attention in the research community, perhaps due its potential

for catastrophic effects. By issuing false routing advertisements, a compromised

2

router may manipulate how other routers view the network topology, and thereby

disrupt service globally. For example, if a router claims that it is directly connected to

all possible destinations, it may become a black hole for most traffic in the network.

While this problem is by no means solved in practice, there has been significant

progress towards this end in the research community, beginning with the work of

Perlman. In her PhD thesis [36], Perlman described robust flooding algorithms for

delivering the key state across any connected network and a means for explicitly

signing route advertisements. There have subsequently been a variety of efforts to

impart similar guarantees to existing routing protocols with varying levels of cost and

protection based on ensuring the authenticity of route updates and detecting

inconsistency between route updates [12, 15, 19, 22, 24, 26, 42,44]. By contrast, the

threat posed by subverting the forwarding process has received comparatively little

attention. This is surprising since, in many ways this kind of attack presents a wider

set of opportunities to the attacker not only denial-of-service, but also packet

sniffing, modification and insertion- and is both trivial to implement (a few lines

typed into a command shell) and difficult to detect. Here, we focus entirely on the

problem of malicious forwarding. The earliest work on fault-tolerant forwarding is

also due to Perlman [36, 37]. Perlman developed a novel method for robust routing

based on source routing, digitally signed route-setup packets, reserved buffers.

However, many implementation details are left open and the protocol requires higher

network level participation to detect anomalies. Several researchers have

subsequently proposed lighter-weight protocols for actively probing the forwarding

path to test for consistency with advertised routes. Subramanian et als Listen

protocol [44] does this by comparing TCP Data and Acknowledgment packets to

provide evidence that a path is part of end-to-end connectivity. This approach only

tests for gross connectivity and cannot reveal whether packets have been diverted,

modified, created, reordered or selectively dropped. Padmanabhan and Simons

Secure Traceroute [35] achieves a similar goalmonitoring the traffic to the

3

intermediate routers. Recently, Avramopoulos et al. [3, 4] presents a secure routing a

combination of source routing, hop by hop authentication, end-to-end reliability

mechanisms and timeouts. But still it has a high overhead to be deployable in modem

networks. The WATCHERS [9,13] protocol detects disruptive routers based on a

distributed network monitoring approach and a traffic invariant called conservation of

flow. However, the WATCHERS protocol had many limitations in both its traffic

validation mechanism and in its control protocol, many of which were documented by

Hughes et al. [23]. Many of these weaknesses arose from the absence of a formal

specification, a weak threat model and an excessive requirement for per-router state

(bounded only by the total size of the network). Herzberg and Kutten [20] present an

abstract model for Byzantine detection of compromised routers based on timeouts and

acknowledgments from the destination and possibly from some of the intermediate

routers to the source. The requirement of information from intermediate routers offers

a trade-off between fault detection time and message communication overhead.

1.1 Network and System Model

We consider a network that consists of individual homogeneous routers

interconnected via directional point-to-point links. This model is an intentional

simplification of real networks (e.g., it does not include broadcast channels or

independently failing network interfaces) but is sufficiently general to encompass

such details if necessary. Within a network, we presume that packets are forwarded

in a hop-by-hop fashion each router following the directions of a local forwarding

table. As well, we assume that these forwarding tables are updated via a distributed

link-state routing protocol such as OSPF or IS-IS. This is critical, as we depend on

the routing protocol to provide each node with a global view of the current network

topology. Finally, we also assume the administrative ability to assign and distribute

shared keys to sets of nearby routers. This overall model is consistent with the typical

construction of large enterprise IP networks or the internal structure of single ISP

4

backbone networks, but is not well-suited for networks that are composed of multiple

administrative domains using BGP. At this level of abstraction, we can assume a

synchronous network model of synchronized clocks and bounded message delays. If

the network behaves asynchronously for too long, then the routing tables will be

updated, thereby changing the network topology. This assumption is common to all

protocols we know of that have addressed the problem of detecting compromised

routers.

For our system model we assume that the arrivals are a Poisson stream of messages

generated as follows: Given an arrival at time t0, the time tx of the next arrivals is

found from the equation (1.1) below.

k = -A_1ln (1 y) (1.1)

Where X is the transmission rate and y is a random number between 0 and 1.

The messages in the arrival stream have lengths geometrically distributed in packet

units. The length of the message in packet units is the integer part of the equation

(1.2).

-loga(l-y)-l (1.2)

Where, for a in (0,1), 1/(1-a) is the average message length and y is a random

number between 0 and 1.

We consider a single transmission channel whose time is divided into

identical frames, where each frame is divided into slots and each slot corresponds to

the transmission of a single information packet.

We consider that the message will be successfully transmitted, if it can be

stored in the buffer; that is, if there is enough space in the buffer to store the whole

message.

5

A message may be unsuccessful, namely rejected, if within A time units from its

arrival, it does not find sufficient space in the buffer, to be stored in its totality. The

time limit A is termed admission delay constraint. We measure time in slot units,

where slot t occupies the time arrival [t, t + 1).

The head packets of the messages that are stored in the buffer are transmitted

on the first-come first-served basis, while successive packets in a single message are

transmitted within the same slot number of successive frames. The delay of a

massage is defined as the time spent by the message within the system, from its

arrival instant to the time its last packet has been successfully transmitted.. Hence,

delay encompasses the waiting time plus the total time required for transmission.

Then, given that the nth message arrival contains m packets, its delay Dn will be the

sum of the waiting- time and the time needed to transmit the last packet m (see Figure

1.1).

6

fl

/

Ft

A

S /

\

FnM

Fm

.a__

\

MESSAGE ARRIVES

jn: TRANSMISSION TIME OF i-th PACKET OF

n-th MESSAGE

MESSAGE DEPARTURES

Wjft WAITING-TIME OF j-th PACKET FOR THE

n-th MESSAGE

Figure 1.1: Illustration of the transmission for n-th message

Finally, we assume that the transmission channel is noiseless, and that the buffer

where data messages are stored has finite capacity. The messages arriving at the

buffer between clock times have to wait to begin transmission at the beginning of the

next clock instant.

1.2 Simulation and Study of the System Model

The system was studied by generating Poisson traffic of messages whose lengths are

geometrically distributed. The objective is to study the effect of different buffer sizes

and various admission delays constraints on the expected message delay and the

rejection rate. So, the rejection rate and the expected message delay were computed

for different buffer sizes and different admission delays constraints.

7

1.2.1 Simulation and Study Regarding the Effect of Changing Buffer Size on the

Rejection Rate and the Expected Message Delay.

Table 1.1 shows the rejection rates for buffer sizes 5, 10, 20 and 30 slots. It can be

noticed that, for different buffer sizes, as the transmission rate increases, the rejection

rate increases. Also, it is apparent from Figure 1.2 that increase in the buffer size,

decreases the rejection rate. For example, at transmission rate 0.06, the rejection rate

is 0.5; when the buffer size is 5slots, while the latter rate decreases to 0.0001; when

the buffer size is 30 slots.

Table 1.1: The rejection rates for different buffer sizes

A 0.06 0.09 0.1 0.2

RmS 0.5131 0.6964 0.7361 0.9395

^mlO 0.1295 0.3054 0.3511 0.7821

^m20 0.0025 0.0222 0.0334 0.3178

^m30 0.0001 .0003 .0001 0.0630

Number of arrival =10000 slots. Average length of the message 2 packets

Admission delay constraint 40 Slots

A : Transmission rate, In number of messages per slot

Rmi : Rejection rate for buffer size i.

8

Transmission rate

Figure 1.2: The rejection rates for different buffer sizes M=5,10,20,30,40

packets

Changing the buffer size, not only affects the rejection rate; it also affects message

delays. Figure 1.3 shows that, increase in the buffer size increases the expected

message delay. However, when the transmission rate is low, changes in the buffer

sizes have reduced effect on the expected message delays. From Figure 1.4 we

observe that, for a given transmission rate (A = 0.1), the expected message delay

increases as the buffer size increases. When the rejection rate is less than 10-4 (the

rejection rate corresponds to a buffer size of 40 packets), the expected message delay

increment with varying buffer length becomes negligible and can be approximated as

being a constant.

9

EXPECTED DELAY IN PACKET

Figure 1.3: Expected message delay for different buffers, M=20,25,30 slots

Figure 1.4: Expected message delay versus buffer size (transmission rate =0.1)

10

1.2.2 Simulation and Study the effect of Change the Admission Delay Constraint

on the Rejection rate and the Expected Message Delay

Table 1.2 shows the rejection rates for admission delays 5,10,20,40 slots. From the

table, we notice that, for fixed admission delay constraint, as the transmission rate

increases, the rejection rate increases as well. Also, from Figure 1.5 we observe that

as the admission delay constraint increases, the rejection rate decreases. For example,

at transmission rate 0.09 and admission delay constraint 5 slots, the rejection rate is

0.0307, while the latter rate decreases to 0.0151, for admission delay constraint 40

slots.

Table 1.2: The rejection rate for admission delays different admission delays

A 0.06 0.09 0.1 0.2 0.3

Ra5 0.0065 0.0307 0.0431 0.3369 0.6611

Raw 0.0057 0.0211 0.0349 0.3260 0.6595

Razo 0.0035 0.0177 0.0287 0.3210 0.6358

Raw 0.0023 0.0151 0.0268 0.2836 0.6284

Number of arrival =10000 slots. Average length of the message 2 packets

Buffer size 20 Slots

A : Transmission rate, In number of messages per slot

Rai : Rejection rate for admission delay constraint i.

11

Figure 1.5: The rejection rate for admission delays constraint 5,10,40 slots

Figure (1.6) shows that increased admission delay constraint increases the expected

message delay. The admission delay constraint of 10 slots induces the minimum

expected message delay, while, as the admission delay constraint increases to 20 and

40 slots, the expected message delay increases uniformly as a function of the input

rate.

12

Transmission rate

Figure 1.6: The expected message delay for different admission delay constraints

A=10,20, and 40 slots

13

2. Threats Categorization and Modeling

2.1 Threats Categorization

We assume that attackers can compromise one or more routers in a network and may

even compromise sets of adjacent routers as well. In general, we parameterize the

strength of the adversary in terms of the maximum number of adjacent routers along a

given path that can be compromised. However, we assume that between any two un-

compromised routers, there is sufficient path diversity so that the malicious routers do

not partition the network. In some sense, this assumption is pedantic, since it is

impossible to guarantee any network communication across such a partition. Another

way to view this constraint is that path diversity between two points in the network is

a necessary, but insufficient, condition for tolerating compromised routers.

The threats listed below completely cover the set of bad behaviors a router can exhibit

in forwarding data. When all of these metrics are zero, then no router is forwarding

traffic in a faulty manner.

2.1.1 Packet Loss.

A compromised router can drop any subset of the packets. As per Aimes et al. [1] loss

can be measured as the amount of data arriving at the sink of path segment subtracted

from the amount of data sent from its source.

2.1.2 Packet Fabrication.

A compromised router can generate packets and inject them into the traffic stream.

This can be measured as the number of packets which are reported at the sink of a

packet segment but not monitored as being sent by its source. Misrouting packets can

be considered an instance of both packet loss and packet fabrication

14

2.1.3 Packet Modification.

One can consider this threat as a combination of packet loss and fabrication, but it

may not be detectable by simply comparing the number of packets arriving at the sink

with the number sent from the source. Instead, some summary of the content needs to

be maintained, and one measures the number of modified packets.

2.1.4 Packet Reordering

A compromised router can reorder packets. Doing this can lead to performance

problems or, in the extreme, denial of service. There are many reasonable and

incompatible methods of measuring the amount of reordering, e.g. [5, 6, 31, 38].

2.1.5 Time Behavior

A compromised router can delay traffic. Like reordering, doing this can lead to

performance problems or, in the extreme, denial of service. There are simple metrics

one can use, such as the first n moments of the inter-packet delay distribution.

However, such metrics are notoriously sensitive in packet networks.

2.2 Threats Modeling

In this section, we present models for the four categories of data forwarding threats

listed in Section 2.1. We define by slot, the time occupied by a packet transmission.

2.2.1 Modeling the Packet Fabrication

a) The first model of the fabricated packets corresponds to adding geometrically

distributed of messages to the message arrivals. The effect on the network

performance is increased data rejection rates and delays.

b) The second model of packet fabrication corresponds to the injection of a Poisson

stream of packets, since Poisson traffic is a worst case scenario for a significant class

of transmission protocols. Specifically, we assume that per slot, the attacker inserts k

additional packets with probability PK as shown in equation (2.1), where X is the rate

of the contaminating injected traffic.

15

PK = e~xXk/ k\

(2.1)

The injecting of the above Poisson stream of packets increases the traffic flow in

the network, resulting in queues overflows and denial of service. The effected

network performance metrics are: traffic rate, data rejection rates and delays. In view

of the Poisson packet fabrication model, we define the following metrics:

mn : New average message length, after generation of fabrication packets.

m0 : Average message length, before generation of fabrication packets.

Dn : Average message delay, after generation of fabrication packets.

D0 : Average message delay, before generation of fabrication packets.

Pn(k)\ Probability of k-capacity buffer overflows, after generation of fabrication

packets.

P0(/c): Probability of k-capacity buffer overflows, before generation of fabrication

packets.

Pb(r) : Probability that there are r non-fabricated packets in the buffer.

Where we have,

2.2.2 Modeling the Packet Modification

We model the packet modification as packets being transmitted through a

memoryless binary symmetric channel with probability of correct transmission p,

where p may be less than 0.5. This model also represents a worst case scenario, where

the less than 0.5 correct transmission conflicts with the well-established minimum

distance decoding scheme. The modified packets increase the error probabilities

induced by the deployed error correcting codes in the network. The affected network

mn = m0(l + X)

Dn = D0(l + A)

Pn(k) = P0(k) + 2*b0(1 2Â£ore'xXv/v\) Pb(k)

(2.2)

(2.3)

(2.4)

16

performance metrics is error detection and error correction performance. In view of

the packet modification model, we define,

p: probability of a bit not being modified by the aggregate effect of attack and

communication channel errors.

Pc : Probability of correct decoding by the network decoders.

Pe : Probability of incorrect decoding by the network decoders.

Let us assume a (2d+l) distance code (any two codewords are in 2d+l Hamming

distance from each other). Let us assume Minimum distance decoding, as employed by all

decoding schemes .Let all codewords be equally probable. Then, the probability of

correct decoding and probability of incorrect decoding are:

Pe = 1 Pc = 1 xj=0 Q (1 Py vm-i =Z5= Q (1 qy (2.6)

; Where m =2d+l and q= 1-p.

The communication channels normally induce probability of correct transmission

per bit that is quite higher than 0.5, denoted r. if the attacker changes this probability

to a value less than 0.5, say to 1-r, then the probability of correct decoding as

induced by the deployed minimum distance decoding scheme, becomes equal to the

probability of error induced by the same scheme before the attacker acted. We note

that if the attacker changes each bit independently with probability 0.5, then the

resulting probability of correct per bit transmission will be 0.5, regardless of the value

of the probability of the per bit correct transmission induced by the transmission

channel.

(2.5)

17

2.2.3 Modeling the Packet Reordering.

There are two possibilities here:

a) The attacker changes the overhead encoding of packets, to induce altered packet

ordering. This case may be absorbed within the packet modification model.

b) The attacker reshuffles the packets without changing their overhead encoding.

Then, correct reordering induces some process complexity and delay which may be

absorbed within the time behavior model.

2.2.4 Modeling the Time Behavior Exploits.

We model adversary time behavior by delaying each packet independently by a

random time T, measured in slot units. One choice for the distribution of the random

variable T is geometric, where:

Added random delay per packet may cause violations of admission and intra -packet

(jittering) delay constraints, resulting in increasing message rejection rate. The

affected network performance metrics are transmission delay and message/data

rejection rate .We may simplify the analysis by not distinguishing between message

admission delay constraints and jittering; thus, assuming that any packet is rejected

due to adversary time behavior if additional delay of at least k time units is imposed

on it by the attacker. In view of the delay model, the probability pk of rejection per

packet due to adversary time behavior is given by the expression,

The average of the additional delay due to adversary injection, Dk per packet is

given by the following expression:

P(T = n) = (1 a)an; n=0,l,....; 0

(2.7)

Pr = 1 (1 a) Sn=o aU = ak

(2.8)

Dk = (1 ak) 1 Xn=i n(l a)an

(2.9)

18

2.3 Simulation and Study of the Threats Models

2.3.1 Simulation and study for the Effect of Packet Fabrication

a) The first model of packet fabrication was simulated by generating geometrically

distributed messages with different lengths and adding them to the message arrivals.

The rejection rate and the distribution of the delays were computed before and after

the adversary injection. Table 2.1 shows the effect of the adversary injection on the

rejection rate. Figure 2.1 shows the change of the rejection rate for deferent average

length adversary messages, where the adversary was modeled as adding

geometrically disturbed messages with average lengths 1 versus 2 packets.

Table 2.1: The effect of packet the fabrication model (a) on the rejection rate

X 0.06 0.09 0.1 0.2

Ro 0.0023 0.0151 0.0268 0.2836

Ri 0.0044 0.1006 0.1634 0.5471

Rz 0.1561 0.3761 0.4415 0.8497

Number of arrival slots =10000. Average length o 'the original message 2 packets

Admission delay constraint 40 Slots. Buffer size 20 Slots.

X : Transmission rate, In number of messages per slot

R0 : Rejection rate before the adversary

R1 : Rejection rate after the adversary added messages with average length 1 packet

R2 : Rejection rate after the adversary added messages with average length 2 packets.

19

Figure 2.1: The change on the rejection rate for packet fabrication model (a)

Table and Figure 2.1 show how the increasing of the message lengths due to attack

injections affects rejection rates. Figures 2.2, 2.3 and 2.4 show the effect of

increased due to attacks message lengths on the induced message delays. The

expected delay increases then from 62.94 slots to 103.9 and 139.2 slots, respectively.

20

6000 r

The delay

Figure 2.2: The delay distribution before cyber attacks

Transmission rate=0.1. Mean=62.94. Standard devotion =54,776

21

5000 r

The delay

Figure 2.3: The delay distribution after adding additional attack messages with

average length 1 .Transmission rate=0.1. Mean=103.9142 .Standard devotion

=55.008

22

The delay

Figure 2.4: The delay distribution after adding additional attack messages with

average length 2. Mean=139.281. Standard devotion =73.4045

b) The second model of packet fabrication was simulated by generating a Poisson

traffic of fabricated packets. This fabricated traffic expanded each message packet by

a random number of packets and caused rejection of legitimate messages due to

violation of the admission delay constraint. Table 2.2 shows the effect of this

adversary model in the rejection rate, where traffic with different packet rates was

injected. From Figure 2.5, we observe how the rejection rate increases, as the

attacker increases the injection rates. The good traffic was injected with rates .06 and

0.1 of additional attack traffic, while its rate varied from 0.0023 to 0.6284.

23

Table 2.2: The effect of packet fabrication model (b) on the rejection rate

A 0.06 0.09 0.1 0.2 0.3

R0 0.0023 0.0151 0.0268 0.2836 0.6284

Ri 0.0086 0.0340 0.0456 0.3416 0.6904

r2 0.0118 0.0366 0.0510 0.3669 0.7091

Number of arrivals =10000 Slots. Average message 2 packets

Admission delay constraint 40 Slots. Buffer size 20 Slots.

A : Transmission rate,In number of messages per slot

R0 : Rejection rate before the adversary

Ri : Rejection rate after the adversary injection rate 0.06

R2 : Rejection rate after the adversary injection rate 0.1.

Transmission rate

Figure 2.5: The effect of packet fabrication model (b) on the rejection rate

24

Figures 2.6 and 2.7 show the delay distribution after the attacker injected the traffic

with a Poisson stream of packets whose rate is 0.06 or 0.1. The Figures show how the

expected message delay increases as the attacker increases the injection rate. Injecting

the traffic with rate 0.06, increased the expected delay from 62.94 to 63.96 slots.

Injecting the traffic with rate 0.1, instead, increased the expected delay to 64.79 slots.

a>

O)

CO

t/i

a>

E

a>

a>

JD

E

3

400

500 600

700

The delay

Figure 2.6: The delay distribution after inject Poisson stream of packets with

rate 0.06.Transmission rate=0.1. Mean=63.9638. Standard devotion =55.6163

25

6000 r

The delay

Figure 2.7: The delay distribution after inject Poisson stream of packets with

rate 0.1.Transmission rate=0.1. Mean=64.7943. Standard devotion =55.8791

2.3.2 Simulation and Study of the Effect of Packet Modification

The packet modification exploits were simulated when each legitimate packet was

correctly received by the second router with probability 0.5. The number of modified

packets were computed per message. If the total number of modified packets per

message exceeded a specific percentage, then the entire message was considered

rejected, in view of the deployed error correcting code Table 2.3 shows the

rejection rate increase after the transmission of each packet through a Memoryless

Binary Symmetric Channel (MBSC) with probability of correct transmission p=0.5.

Figure 2.8 shows the change in the rejection rate before and after the attack.

26

Table 2.3: The change in the rejection rate after the modification packets

X 0.06 0.09 0.1 0.2

Ro 0.0023 0.0151 0.0268 0.2836

Ri 0.4170 0.4305 0.4461 0.6001

Number of arrivals =10000 Slots. Average message length 2 packets

Admission delay constraint 40 Slots. Buffer size 20 Slots.

X : Transmission rate,In number of messages per slot

R0 : Rejection rate before the adversary

Rx : Rejection rate after the modification packets (percentage 50%)

Figure 2.8: The change in the rejection rate after the modification packets

27

2.3.3 Simulation and Study of the Effect of the Time Behavior Exploits.

The time behavior exploits were simulated by delaying each legitimate packet with a

random amount of time. If this amount exceeded a given fixed limit, the packet was

considered rejected. A rejected packet caused subsequent rejection of the message

which it belongs to. The performance metrics were computed (message rejection rates

and messages average delays for the successfully transmitted messages). These two

metrics were computed in both the presence and the absence of the exploits and the

results were compared. Table 2.4 and Figure 2.9 show the quantitative effect of the

exploits where each packet was delayed independently via a geometrically distributed

variable whose average delay is 20 slots.

Table 2.4: The change in the rejection rate after the time behavior exploits.

X 0.06 0.09 0.1 0.2

Ro 0.0023 0.0151 0.0268 0.2836

Ri 0.1292 0.1423 0.1515 0.4033

Number of arrivals =10000 Slots. Average message length 2 packets

Admission delay constraint 40 Slots. Buffer size 20 Slots.

X : Transmission rate,In number of messages per slot

Rq : Rejection rate before the adversary

R1 : Rejection rate after time behavior exploits. Average delay per packet 20 Slots.

28

0.8

0.7

0.6

0.5

a>

2

I 0.4

o

a>

aT

^ 0.3

0.2

0.1

-B Rejection rate before the attack

Rejection rate after the time behavior exploits

0.05

0.1

/ . y /

/ / / / X X

X

3

^ S y ,X''

0.15 0.2

Transmission rate

0.25

0.3

Figure 2.9: The rejection rate before and after the time behavior exploits

As shown in Figures 2.10, 2.11 and 2.12 below, in the presence of time behavior

exploits, the attacker increases the expected message delay. As the attacker increases

the average delay per packet, the expected message delay increases. When the

average per packet imposed attacker delay increases from 100 to 200, the expected

message delay increases from 92 to 99 slots.

29

6000

0 100 200 300 400 500 600

The delay

Figure 2.10: The delay distribution before time behavior exploits

The transmission rate 0.1. Mean=62.94 .Standard deviation=54.776

30

Number of the messages

The delay

Figure 2.11: The delay distribution after time behavior exploits .The

transmission rate=0.1.The average delay (100).Mean=92.148. Standard

deviation=70

31

6000

The delay

Figure 2.12: The delay distribution after time behavior exploits

The transmission rate=0.1. The average delay (200).

Mean=99.481. Standard deviation=84.645

32

3. Threats Monitoring and Detection

3.1 Sequential Algorithms for the Detection of Changes in Data Generating

Processes

In many robotic and computer vision applications, the stochastic process

which generates the observed data may be changing in time, and the single important

issue is then the development of algorithms, which effectively detect such changes.

Such applications include traffic in data networks, automated robotic industrial

control, detection of edges in images via computer vision and robotic fault detection

in devices[48].

Let f0(xn) and fi(xn) denote the n-dimensional density of two well

known, distinct, discrete-time, and mutually independent stochastic processes at the

vector point xn. Let it be known that the data sequence is initially generated by the

density function /0 Let it then be possible that, instead, at some point in time the

density function fx may become active and remain so from the point on. Then,

given an infinite data sequence x = {x;; i > 1} the possibilities are:

i. The /0 to fx change never occurs. Thus, the total sequence jc is generated by the

density function/0.

ii. The /0 to /j change occurs before the sequence x starts being observed: Thus, the

total sequence x is then generated by the density function /j .

iii. The fQ to fx change occurs just after the datum xm; m > 1. Thus, the subsequence x

is then generated by the density function /0 and the remaining sequence x^+1 =

[xk] k > m + 1} is then generated by the density function /j.

Given the infinite sequence x = {jCj; i > 1} and the density function /0(xn) and

/i(xn) V n > 1 and V xn, the objective is to detect a possible /0 to /j change as

reliably and quickly as possible. Since the very occurrence of the change is uncertain,

it is clear that only a sequential approach to the problem is meaningful. That is, to

33

detect the possible occurrence of an f0 to fx change, we must devise a sequential

detection scheme. To gain insight, we first formalize a preliminary, non-sequential,

optimal Bayesian detection scheme. In particular, we initially fix the size n of the

observation sequence x and we test the occurrence of the change at all the possible

points in the sequence x, assuming that those occurrences are equally probable. We

observe that, preliminary formalization, we conclude that, the f0 to change occurs

just after the datum Xj; 0 < j < n (hypothesis Hj), iff

From the studying of the Bayesian rule in (3.1), we observe that its test function

T'(xn) dose not possess characteristics for convenient sequential transformation. We

thus consider a variation of the test in (3.1) by replacing the conditional density

function j by V i Then the following variation of the test in

(3.1) arises.

Given the data block xn decide in favor of the hypothesis Hj, iff

Where

/oOi I *i ) =/oOi)

ZZ=j+i9i{xi) = 0rk?n(?.U+i9i(xi))

(3.2)

34

Given the data lock xn decide in favor of the hypothesis//;, iff

Ei=l 9i(.Xl) = osfcsn (S=i3i(.x1))

(3.3)

Let us consider a sequential generalization of test (3.3). When data are observed

sequentially, it seems natural to conclude that as the deference,

Â£?=i/7i(*1) ~ osks (Zf=i5i(*l))> increases, the odds that the f0 to /x change has

occurred increase as well. Thus, the following sequential test naturally evolves.

Select some positive threshold 8. Observe data sequentially, and decide that the f0 to

/i change has occurred at the first time n such that

n*") = - osK (If=iSiW) > 6 (3.4)

It is easy to see that the sequential test in (3.4) can be expressed in the following

equivalent form.

Select some positive threshold 5. Observe data sequentially, and decide that

the /0 to /} change has occurred at the first time n such that T(xn) > 8 ,where

7(0) = 0

T(xn) = max {0, r(xn_1) + gn(xn); g: gi(xl)as in (3.3)} (3.5)

Clearly, the test in (3.5) is sequential, with updating step gn(xn).Also, it operates via

the use of two thresholds, 0 and 8, where 0 represents a reflecting barrier and 8

represents an absorbing barrier. When the two stochastic processes represented by

the densities f0 and /j are not memoryless, the memory xf-1 in the updating step

gn(xn) generally increases with increasing n. When the processes are instead

memoryless, the memory in the updating step is zero for all n. The test in (3.5) was

originally proposed by Page (1954, 1955) for memoryless processes. Its asymptotic

35

properties for such processes were studied by Lorden (1971). In its general from, the

test in (3.5) was proposed by Bansal (1983) and Bansal et al (1986), who also studied

its asymptotic properties for stationary and ergodic processes that also satisfy some

general regularity conditions. The test generally consists of repeated Wald test and is

asymptotically optimal in the sense that it requires the minimum possible expected

sample size for decision, subject to a false alarm constraint [49].

Let us denote by NS(X) the stopping variable induced by the test in (3.5) and let

EfQ{Ng(X)} and E^ {NS(X)} denote the expected value of the stopping variable when

the density function /0 and fx respectively, are active. Then

NS(X) = inf{T(xn) > 5} (3.6)

Let the density functions /0 and fx represent two ergodic and stationary stochastic

processes satisfying certain mixing conditions. Consider the stopping variable Ng(X)

induced by the sequential test in (3.5). Then for 8 -* oo, we have

Â£/{*(*)) Â£ S/2 (3.7)

WM) si logs I fy.-'fto} (3.8)

where /10 is the information number equal to /10 = lim^o, Ln

f (*n)

where, Ln = n~1log -j -. if N'(x) is the stopping variable of some arbitrary test,

JO\XnJ

then, subject to Ef0{N'(pc)} > 8/2 and for S - oo we have

Efl{NXx)} >1 logS I E^I10} .

This states that the test in (3.5) is optimal in an asymptotic sense. Specifically when

the threshold 5 is asymptotically large, then the test requires the minimum possible

expected time to cross that threshold, when the /0 to /^change has occurred before

36

the collection of the data,subject to the constraint that when the /0 to change never

occurs, then the expected time for threshold crossing is larger than 5/2. Therefore,

the test in (3.5) is asymptotically the fastest among all tests. In fact, due to the

relationship between 5/2 and 1 log 51 ,we conclude that the speed of the test

increases exponentially with 5. We note that this includes Lordens (1971) results, for

memoryless processes. In the latter case, the information number

/10equal / du fi(u)log [fi(u)/f0(u)].

Although, the asymptotic optimality of the test in (3.5) is a significant virtue, its

non-asymptotic properties are most important. Indeed, the very objective of the test

is fast detection change ,which imposes the selection of a relatively small 5, whose

selection is performed via the study of the false alarm and power curves.

3.2 Sequential Algorithms between Poisson Processes

As mention in 2.1.1(b), the injecting of a Poisson stream of packets affects

the overall data rate. As a result, to detect this Poisson adversary model, we monitor

the rate at the receiver and detect the change from the original unaffected

transmission rate rk to the resulting rate r;- after the adversary injection ;where r;- is

assumed to reflect the minimum data rate change caused by the adversary.

Let us assume that, given transmission rate rk ,the arrival process is stationary,

and let then fk(nlt... nq) denote its q-dimensional distribution in frame lengths; that

is,fk(nx,... nq) is the probability that, in a sequence of q consecutive frames, nt

packets arrivals occur in the first frame, and so on, with nq packets arrivals finally

occurring in the qth frame, given that the transmission rate is rk throughout. Let us

assume that the distributions {fk(nv ... nq) } are well known.

37

Our objective is to devise a monitoring system that will detect a possible shift from

the good traffic rate rk to the higher adversary-contaminated traffic rate ry. The

monitoring algorithm deployed is described below.

Let vkj (0) denote the value of the algorithm monitoring a { rk -* rj} shift at time

when the transmission starts; let vkj(r) donate its operating value at its rthadaptation

step. Then, the operating values of the algorithm are sequentially updates as follows:

vky( 0) = 0;

v*/(r + 1) = max {0,v*,(r) + !og(g^^)} (3.9)

si+1 is then the first time after st that the algorithm in (3.9) first crosses the given

positive threshold 6, at which time it is declared that the change from rkto rj has

occurred.

When the involved processes are Poisson [50], and when then {rk -> 7)} shifts

are monitored, the algorithm in (3.9) takes the form below, after some modifications:

vfc;(0) = 0;

vkj(r + 1) = max {0 ,vkj(r) + l[rk- r} + nr+1 log (^)]} (3.10)

where nr+1 denotes the number of packets that are transmitted within the (r +

l)th frame from the beginning of the [rk - r; } monitoring algorithm, and where / is

the length of the frame.

Let us define

(3.11)

: Where, min (rk, rj)< fa, Tj)< max (rk, rj). We approximate %(rk, r;) by a rational

number, as shown below, where tkj < skj:

38

(3.12)

As also stated in [51], the algorithmic threshold can be then selected as a positive

integer, without lack in generality, and the algorithmic adaptation in (3.10) takes the

form:

vfey(r + 1) = max {0,vfc;(r) + [skjnr+1 ltkj]} (3.13)

Let N denote the stopping variable induced by the algorithm in (3.13)

Let us define:

Ijk hmn_00 n 1log ljk E{ljk \rk}

Ikj lim^oo n log ^xny Ikj ~ E{Ikj\vj} (3.14)

The pertinent Kullback-Leibler numbers {Ikj} are as follows:

(3.15)

Subject to the satisfaction of the conditions in (3.14):

E{n\ rj}~77rri as 5-

1 1 J} E{Ikj\rj1

E{N\rk}>^ as 6 -oo (3.16)

3.3 Sequential Algorithms to Detect the Change of the Delay

As mentioned in sections 2.2.4 and 2.2.1.(a), fabricated by an adversary packets

increase the transmission delays of messages and modify their distributions. As a

result, we monitor the distribution of message delays at the receiver. We have

previously used the notations /0(xn) and fx(xn) to denote the n-dimensional

densities of two well known, distinct, discrete-time, and mutually independent

stochastic processes at the vector point xn. Here, /0(xn) is the density function of

the delay distribution in the absence adversary disturbance, and fx (xn) is the density

of same distribution when affected by an adversary attack. Let nk denote the measure

39

of a parametrically defined process [48], Let the process which initially generates the

unaffected information data be known to be the process Ho- Let it be possible that a

shift to Hi may occur, where the latter process reflects the presence of the adversary.

The objective is to detect the occurrence of a

Ho * Hi shift as accurately and as timely as possible. From equation (3.5) and

assuming exponential distributions representing both the po and pi processes, we

obtain the following form of the monitoring algorithm:

T(0)=0

TOO = max (O.TOt"-1) + (* 1) + Sj2/log (^)) (3.17)

(3.18)

Where oc0, oq between 0 and 1. Define then the integers t, s; t > s and

approximate ^(ao, ai) as follows:

5(o.i) = -; (319)

The algorithmic threshold can be then selected as a positive integer, and the

algorithmic adaptation in (3.18) takes the form below:

T(xn) = max (0,r(xn_1) + s(xn 1) t)) (3.20)

Let N denote the stopping variable induced by the algorithm in (3.20)

Let us define:

710 = limn_oo n~Hogfj^, 710 = E{I10\u0}

hi = limn^oo n~Hogfj^, I01 = E{J0i|ui} (3-21)

Subject to the satisfaction of the conditions in (3.21):

l0-f - , as 5-> oo

1 1 1J E{/01|ul}

40

8 - 00

(3.22)

Â£{N|ti0} > ^ , as

3.4 Threshold Selection

The objective in this section is to determine performance metrics and to subsequently

utilize these metrics to select the values of the decision threshold 8 After the

selection of the latter threshold is complete, the overall performance of the system

will be predictably known, with respect to the determined performance metrics [52].

To detect a change from the operational mode m to another / operational mode ;

where l^m Given threshold 8 > 0 the mode m to mode / change monitoring

algorithm is basically characterized by two time curves: the power and false alarm

curves, denoted respectively /?mi and ami where n denotes the time instant tn and

where,

: The probability that the m to / mode change monitoring algorithm crosses its

threshold before or at time tn, given that the operation mode is l throughout.

ami: The probability that the m to / mode monitoring algorithm crosses its threshold

before or at time tn, given that the operational mode is m throughout.

In Figure 3.1, we depict the pml and aml curves, to observe and discuss qualitative

behavior. We plot these curves for two different threshold values.

41

1

fiml

/

f y

/ /"

/ /

I,

I

I

i

a

mi

Figure 3.1: False alarm and power curves for the mtol monitoring algorithm.

Threshold values 8 < 8

From Figure 3.1, we note that as the value of the decision threshold increases, the

false alarm curve decreases, but so does the power curve. The threshold selection for

the m to / change monitoring algorithm may be based on a required lower bound for

the power and a required upper bound for the false alarm, at a given time instant tn ,

When the algorithm that monitor change from mode m are considered, the threshold

8 may be selected based on the following principle:

At given time tn have the power induced by the algorithm be above a predetermined

lower bound, while the false alarm induced by the algorithm remains below a

predetermined upper bound.

42

3.5 Simulation and study of the Sequential Algorithm between Poisson processes

For a robust design, the algorithm was designed at a minimum information-message

transmission rate A0 and a minimum cyber attack rate v0,where the minimum

average length of each information message was a0.The objective is then to detect

the change from the rate a0A0 to the rate a0A0 + v0 .To test robustness, the

algorithm was tested for higher cyber attack rates vx v2 ,.vn ; where Also, the

algorithm was tested for a different higher information-message transmission rate Ax

,where Ax > A0.

3.5.1 For numerical evaluations in this section, the minimum information-message

transmission rate was selected as Ao=0.06 the minimum average length was a0 = 2

and the minimum cyber attack rate was v0 = .02. The algorithm was designed to

detect the change from 0.12 (A0a0) to 0.14 (a0A0 + v0) .

From equations (3.11) and (3.12), we found = ~ = t/s To select the

decision threshold experimentally, we computed the false alarm and power

probability curves. In Figure 3.2, we plot the latter curves for threshold values 105

and 110 and we select the value of the operational threshold as r| = 105. In Figure

3.3 we plot crossing times for the latter threshold selection and compute from it the

expected stopping time as E{N}= 829.

43

B- "Pm power curve 105

B- false alarm curve 105

Ar- ~tfr. power curve 110

At- false alarm 110

n

Figure 3.2: False alarm and power probability values versus n for the threshold

values 105 and 110

700,

600

500 r H

S

> 400 H

0 200 400 600 800 1000 1200 1400

The frame number

Figure 3.3: Expected stopping time, A0 = 0.06, a0 2 v0 = 0.02

Below, we present cases a) to k), where the threshold 105 algorithm is tested for

various different values of information-message rates, average message lengths and

cyber attack Poisson packet rates.

44

a) Test the algorithm for information-message rate A0 = 0.06, average message

length a0 = 2 and cyber attack rate v1 = 0.025 .Expected stopping time

E{N}=737.

Figure 3.4: Expected stopping time, A0 = 0.06, a0 = 2 v* = 0.025

b) Test the algorithm for information-message rate A0 = 0.06, average message

length a0 = 2 and cyber attack rate v2 = 0.03 Expected stopping time

E{N}=688.

700 |---,----.--------------i------------------.-----1

I I

6001 -|

* \

500

O 200 400 600 800 1000 1200 1400 1600 1800 2000

The frame number

Figure 3.5: Expected stopping time, A0 = 0.06, a0 = 2 v2 = 0.03

45

c) Test the algorithm for information-message rate = 0.1, average message length

a0 = 2 and cyber attack rate v0 = 0.02 Expected stopping time E{N}= 131.

700 r----:-----,------,-----r-----,------,-----,------

600 r -1

500 H

Figure 3.6: Expected stopping time, = 0.1, a0 = 2 v0 = 0.02

d) Test the algorithm for information-message rate = 0.1, average message length

a0 = 2 and cyber attack rate Vi = 0.025. Expected stopping time E {N}= 122.

Figure 3.7: Expected stopping time, = 0.1, a0 = 2 Vj = 0.025

46

e) Test the algorithm for information-message rate Xx = 0.1, average message length

a0 = 2 and cyber attack rate v2 = 0.03 Expected stopping time E {N} =105.

Figure 3.8: Expected stopping time, Aj = 0.1, a0 = 2 v2 = 0.03

f) Test the algorithm for information-message rate A0 = 0.06, average message

length ax = 3 and cyber attack rate v0 = 0.02 Expected stopping time

E{N}=200.

700 ,---:----,----r----,-----r----,----------1---------

600

500 r H

S

1

| 400

I1 300

Â£

200 -

The frame number

Figure 3.9: Expected stopping time, A0 = 0.06, = 3 v0 = 0.02

47

g) Test the algorithm for information-message rate A0 = 0.06, average message

length ax = 3 and cyber attack rate vx = 0.025 .Expected stopping time

E{N}=185.

700 ,---.---,-----,----,---n----,----,----,----,-----1

600

Figure 3.10: Expected stopping time, A0 = 0.06, = 3 Vj = 0.025

h) Test the algorithm for information-message rate X0 = 0.06, average message

length at = 3 and cyber attack rate v2 = 0.03 Expected stopping time

E{N}=175.

400 |-------,---------------,-------.-------,-------

350 j-

300 l

I

Figure 3.11: Expected stopping time, A0 = 0.06, at = 3 v2 = 0.03

48

i) Test the algorithm for information-message rate X1 = 0.1, average message length

dj = 3 and cyber attack rate v0 = 0.02 Expected stopping time E{N}=126.

700--------,--------,-------,--------,-------,--------j

i

600 -

500 L

9

The frame number

Figure 3.12: Expected stopping time, Aj = 0.1, = 3 v0 = 0.02

j) Test the algorithm for information-message rate X1 = 0.1, average message length

ax = 3 and cyber attack rate vx = 0.025 Expected stopping time E{N}=120.

700 ,---------------,----------------,----------------[

600

Figure 3.13: Expected stopping time, Xx = 0.1, = 3 Vj = 0.025

49

k) Test the algorithm for information-message rate = 0.1, average message length

<*! = 3 and cyber attack rate v2 = 0.03 .Expected stopping time E{N}=37.

Figure 3.14: Expected stopping time, = 0.1, a* = 3 v2 = 0.03

Attacker rate

Figure 3.15: The expected stopping time versus the attacker rate

for algorithm 1

50

From Figure 3.15 we notice that if we design the algorithm at a minimum

transmission rate of 0.06 and a minimum attacker rate 0.02, then, as the attacker

increases the cyber rate, the probability of detection increases, while, alternatively,

the decision stopping time decreases.

As exhibited from the preceding results, for fixed information-message rate 0.06,

when the cyber rate is 0.02, the expected stopping time is 829, while for cyber rate

0.03, the expected stopping time decreases to 688.

In addition, as can be seeing from Figure 3.15, as the information-message rate

increases, the probability of detection increases as well. For cyber attack rate 0.02

and information-message rate 0.06, the expected stopping time is 823, while the latter

time decreases to 131, when the information-message rate is instead 0.1 and the cyber

attack rate remains 0.02.

3.5.2 For performance evaluation purposes of the algorithm presented above,

another algorithm was designed by assuming that the minimum information-message

rate is 0.09, the minimum cyber attack rate is 0.02 and the average message length is

2 packets. This algorithm was designed to detect the change from aggregate rate 0.18

to aggregate rate 0.2.

From equations (3.11) and (3.12), we found ^(rk,r;) = ~ = t/s .

To select the decision threshold experimentally, we computed the false alarm and

power probability curves and via them the threshold value q = 65 was selected. From

the Figure 3.17, we observe that the computed expected stopping time is then

E{N}=370.

51

Figure 3.16: False alarm and power probability values versus n for the

thresholdsValues 65 and 75

250

200

s

5 150

I

I

| 100-

Q

0 50 100 150 200 250 300 350 400 450 500

The frame number

Figure 3.17: Expected stopping time, A0 = 0.09, a = 2 v0 = 0.02

52

In the cases a) to e) below, we evaluate the present algorithm for various different

values of the information-message rate, cyber attack rate and average message length,

a) Test the algorithm for information-message rate A0 = 0.09, average message

length a = 2 and cyber attack rate vx = 0.025 .The expected stopping time

E{N}=367.

250-----,----t----,-----,----,----,---------,-----,----1

200 l

S

150 J-

I

I

^ 100

0 50 100 150 200 250 300 350 400 450 500

The frame number

Figure 3.18: Expected stopping time, A0 = 0.09, a = 2 v* = 0.025

b) Test the algorithm for information-message rate A0 = 0.09 average message

length a = 2 and cyber attack rate v2 = 0.03. The expected stopping time E{N}=

326.

250 [---,----,----;----,----,----t----,----,----1----;

200 l

S

5 150

The frame number

Figure 3.19: Expected stopping time, A0 = 0.09, a = 2 v2 = 0.03.

53

c) Test the algorithm for information-message A1 = 0.2, average message length

a=2 and cyber attack rate v2 = 0.02 The expected stopping time E{N}=147.

250 |------,-------,--------,-------,-------,-------

200 r

8

150 -

I

I

^ 100 r

Â¥

The frame number

Figure 3.20: Expected stopping time, Aj = 0.2, a = 2 v0 = 0.02

d) Test the algorithm for information-message rate A1 = 0.2, average message length

a = 2 and cyber attack rate v2 = 0.025 The expected stopping time E{N}= 134.

250

200

8

I

I

] 150

100

50

OiL-L

0

50

5)^ i

4ii.

100 150 200

The frame number

250 300

Figure 3.21: Expected stopping time, = 0.2 a = 2 v1 =. 025

54

e) Test the algorithm for information-message rate = 0.2, average message length

a = 2 and cyber attack rate v2 = .03 The expected stopping time E{N}=124.

250 r

200

The frame number

Figure 3.22: Expected stopping time, =. 2, a = 2 v2 =. 03

Attacker rate

Figure 3.23 : Expected stopping time versus the attacker rate

for algorithm 2

55

Figure 3.23 shows the results of applying the current alternate algorithm, designed at

the minimum information-message rate 0.09 and the minimum cyber attack rate 0.02.

Similarly with the first algorithm, designed at the minimum information message rate

0.06 and the minimum cyber attack rate 0.02, as the cyber attack rate increases, the

probability of detection increases manifested by decreased stopping time. Also, as

the information-message transmission rate increases, the algorithmic probability of

correct detection increases. The expected stopping time is 370, when the information-

message transmission rate is 0.09 and the cyber attack rate is 0.02. When the cyber

attack rate increases to 0.03, the expected stopping time decreases to 326.

In addition, increase of the information-message transmission rate to 0.2 results in

reduced expected stopping time. When the cyber attack rate is 0.02 and the

information-message transmission rate is 0.09, the expected stopping time is 370; the

expected stopping time decreases to 134, for information-message transmission rate

0.2 and cyber attack rate remaining fixed at 0.02.

3.5.3 The two algorithms, presented in sections 3.5.1 and 3.5.2 and respectively

named algorithm 1 and algorithm 2, are designed at information-message

transmission rates 0.06 and 0.09, respectively, while the design cyber attack rate for

both is 0.02. From the results presented in sections 3.5.1 and 3.5.2, we conclude that

algorithm 2 detects faster increases in cyber attack rates, while algorithm 1 detects

faster increases of information-message transmission rates.

3.6 Simulation and Study for the Detection of Change in Delay Distribution -

the Packet Fabrication Model (a)

As discussed earlier, packet fabrication results in increased delays of the information-

message arrivals. Such fabrication may be manifested by the injection of a Poisson

traffic of cyber exploit messages whose lengths are geometrically distributed, while

the effect is change in the induced expected delays of the transmitted message traffic.

We designed a monitoring algorithm which monitors message delays, to detect the

56

presence of such cyber exploit injected traffic. The algorithmic design is based on the

detection of change among two geometric distributions with different expected

delays, where the expected message delay in the absence of cyber exploits was

selected equal to n0 = 62.24 (corresponding to Poisson information-message rate

0.06 and average information-message length equal to two packets), and where the

added cyber exploit traffic was modeled by geometrically distributed messages with

average length a single packet; the resulting average message delay in the presence of

cyber exploits is then \xx = 102.91. The algorithm was then tested for the cases

where the average length of the cyber exploit messages is also 2 and 3 packets,

instead regarding the design of the monitoring algorithm at the geometric delay

distributions with averages /r0 = 62.24 and ixx = 102.91, from equation (3.18) we

find:

Kao.aJ = -78.17 = -t/s = -156/2 .

To select the algorithmic decision threshold experimentally, we first computed the

false alarm and power probability curves for various thresholds. Finally, the

threshold value r| = 1600 was selected. As concluded from Figure 3.25, the expected

stopping time of the selected algorithm is E{N}=39.

57

B- ~&m Power curve 1600

B- False alarm curve 1600

A- $ Power curve 2000

A- eti False alarm curve 2000

n

Figure3.24: False alarm and power probability values versus n for different

threshold values 1600 and 2000.

2500 |----,------,-------,-----t-------,------,------,---

2000 -

Steps

Figure 3.25: Expected stopping time when the attacker adds messages with

average length 1 packet

58

In the cases a) and b) below, we evaluate the present algorithm for average

additional messages 2 and 3 packets.

a)-Test the algorithm when the attacker adds geometrically distributed messages with

average length 2.The expected stopping time is then E{N}=20.

2500

Figure 3.26: Expected stopping time when the attacker adds messages with

average length 2 packets

b)-Test the algorithm when the attacker adds geometrically distributed messages with

average length 3. The expected stopping time is then E{N}=10

2500

100

120

140

60 80

steps

Figure 3.27: Expected stopping time when the attacker adds messages with

average length 3 packets

59

From the figures above, we can see that, as the attacker increases the average length

of the cyber exploit injected traffic, the expected stopping time decreases. The

expected stopping time is 39, when the attacker adds messages with average length 1

packet, while the expected stropping time is respectively 20 and 10, when the average

message length of the injected traffic is 2 and 3, instead.

3.7 Simulation and Study for Detection of Change in the Delay Distribution -

the Time Behavior Exploits.

As discussed earlier, when each message packet is delayed independently due to

cyber exploits, the expected message delay increases. To detect such time-behavior

cyber exploits, we designed a monitoring algorithm that monitors changes in message

delay distributions. Towards a robust design, the algorithm was designed at a

minimum expected information-message delay that corresponds to a minimum

information-message transmission rate. The algorithm was also designed at a

minimum expected message delay caused by the injected cyber exploit traffic that

corresponds to a minimum average per packet forced additional delay lmin.

3.7.1 For numerical evaluations in this section, the minimum expected message delay

of the induced traffic in the absence of cyber exploits is fJ.Q = 62.24 (information- rate

A=0.06 and average message length = 2 packets). In the presence of cyber exploits,

the minimum expected message delay is instead pLx = 75.93 (lmin = 50 slots).

Regarding the design of the monitoring algorithm, from the equation (3.18) we then

find:

S(a0la1) = -67.62 = -t/s = -134/2 .

To select the decision threshold experimentally, we computed the false alarm and

power probability curves for various threshold selections. We subsequently selected

the threshold value T| = 2500. From Figure 3.29, we observe that the expected stopping

time of the resulting algorithm is E{N}=142.

60

Figure 3.28: False alarm and power probability values versus n for different

thresholds values 2500 and 2800

Figure 3.29: Expected stopping time for the average attacker delay 50 slots

61

In the cases a) and b) below, we evaluate the present algorithm for two different

average cyber attack delays corresponding to 100 and 150 slots.

a)Test the algorithm when the attacker delays each packet independently with average

delay 100 slots per packet. The expected stopping time is then E{N}=61.

Figure 3.30: Expected stopping time for average attacker delay 100 slots

b) Test the algorithm when the attacker delays each packet independently with

average delay 150 slots. The expected stopping time is then E{N}=36

Figure 3.31: Expected stopping time for average attacker delay 150 slots

62

3.7.2 For performance evaluation purposes of the algorithm presented above, another

algorithm was designed, based on the assumptions that the expected information-

message delay is fi0 = 67.31 (traffic rate A=0.3 and average message length = 2), and

that the minimum expected message delay after the cyber attack is fxt = 80.97

(l-min = 50 slots) .Then, from equation (3.18) we find:

<(a0,ai)= -72.72 = \

To select the decision threshold experimentally, we computed the false alarm and

power probability curves for various thresholds and finally selected the threshold

value r| = 1600 (see Figure 3.33). The expected stopping time is E{N}=78.

-a- Power curve 1600

B- False alarm curve 1600

A - Power curve 1800

A- - False alarm curve 1800

0 500 1000 1500 2000 2500

n

Figure 3.32: False alarm and power probability values against n for different

thresholds values 1600 and 1800

63

3000

Figure 3.33: The expected stopping time for the average attacker delay

50 slots

In the cases a) and b) below, we evaluated the present algorithm for two values of

the average cyber attack delay; 100 and 150 slots.

a)Test the algorithm when the attacker delays each packet independently with

average delay 100 slots .The expected stopping time is then E{N}=39

3000,----- ------------------.---------------.----.----

2500

a>

3

ra

>

E 2000

20 40 60 80 100 120 140 160 180 200

steps

Figure 3.34: Expected stopping time for average attacker delay 100 slots

64

b)-Test algorithm when the attacker delays each packet independently with average

delay 150 slots. The expected stopping time is then E{N}=29

3000 -

2500

E 2000

1500

1000

$

P

500

1

steps

Figure 3.35: Expected stopping time for average attacker delay 150 slots

Figure 3.36: The expected stopping time versus the average attacker delay

65

Figure 3.36 shows the expected stopping time induced by the two different algorithms

discussed above. Both algorithms induce decreased expected stopping times, as the

cyber average delay per packet increases. As induced by the first algorithm, the

expected stopping time for average cyber delay 50 slots is 140; as the average cyber

delay increases to 100 and 150 slots, the expected stopping time decreases to 61 and

36, respectively. As induced by the second algorithm, when the average cyber delay

per packet increases from 50 to 100 to 150 slots, the expected stopping time decreases

from 78 to 39 to 29.

3.7.3 The two algorithms, presented in sections 3.7.1 and 3.7.2, respectively named

algorithm 1 and algorithm 2, are designed at expected information-message delays

HQ = 62.24 and n0 = 67.31 (information-message transmission rates 0.06 and 0.3),

respectively, while the design average per packet cyber attack delay for both is

Imin = 50 slots. From the results presented in sections 3.7.1 and 3.7.2, we conclude

that algorithm 2 detects faster increases in cyber attack delays, while the detection

effectiveness of algorithm 1 approaches that of algorithm 2, as average cyber attack

delays increase.

66

4. Conclusion

In this thesis, we modeled various data forward cyber exploits on the routers of a data

computer-communication network. We then studied the effects of such exploits on

the information carrying network traffic of a point-to-point link that includes two

routers and a buffer. The studied affected performance metrics of the information

carrying traffic were traffic rejection rates and delay distributions, where admission

delay constraints on the information carrying traffic were imposed as well. We

finally adopted performance monitoring algorithms on these metrics, to detect the

various types of cyber exploits.

In Chapter 1, we discussed the network model used in our study and discussed its

variable parameters. We also introduced the system model used throughout the thesis

comprised of synchronous data transmissions, a Poisson information-message arrival

stream, geometrically distributed message lengths in packet units, a limited capacity

buffer and a first-come-first serve Time Division Multiple Access (TDMA)

transmission policy. We simulated the system in the absence of cyber exploits using

various different traffic rates, various buffer sizes and various delay constraints. We

computed traffic rejection rates and delay distributions of the successfully transmitted

messages. The obtained results are exhibited in Figures 1.2 to 1.6. From the results,

we observe that for a fixed-size buffer, the rejection rate increases with increasing

traffic rate. With increase in the traffic rate, the expected message delay increases, as

expected. For selected traffic rates and varying buffer sizes, the rejection rate

decreases as the buffer size increases. The expected message delay increases as the

buffer size increases, where the increment of the delay increase becomes negligible at

certain buffer sizes.

67

In Chapter 2, we presented the various types of data forward cyber exploits. We then

presented models for four cyber exploit categories: packet fabrication, packet

modification, packet reordering and time behavior exploits. Subsequently, we

simulated the presence of such exploits in network model of Chapter 1, where packet

reordering was incorporated into either the packet modification or the time behavior

model. Rejection rates and the expected message delays were computed and

compared to those induced when cyber exploits are absent. Figures 2.1 to 2.12

exhibit the results. We observed that packet fabrication increases both the traffic rate

and the expected messages delay. Time behavior exploits increase expected message

delays. Also, all the considered cyber exploits (packet fabrication, packet

modification, time behavior exploits) increase the rejection rate.

In the last major chapter, Chapter 3, we introduced a class of sequential algorithms

designed for the detection of changes in data generating processes. We derived

special forms of these algorithms, as induced when the change among different

Poisson processes and change among different geometric distributions are to be

detected. Subsequently, we deployed the latter algorithms for the detection of the

various cyber exploit categories considered in this thesis. In our deployment, we

considered various information-message transmission and cyber exploit rates, as well

as the injection of various cyber delays per information packet, and we studied the

performance of the cyber-exploit detection algorithms. The results of our simulations

are presented in Figures 3.2 to 3.36. We observed that the deployed algorithms were

very effective, where their effectiveness increases as the severity of the cyber exploits

does.

For future research, the models of cyber exploits may be extended to include

additional distributions of injected traffics and packet delays. In addition, different

information traffic models may also be considered subsequently inducing different

forms of the cyber-exploit detection sequential algorithms. The models induced by

68

the extensions discussed above should then be studied in terms of their performance,

and possible appropriate pertinent modifications should be subsequently deployed.

69

Appendix

A, Matlab Programs

1-The following program was used to calculate the transmission delay and the

rejection rate before the adversary model.

%transmission with average length=2

close all

clear all

alpha=0.5;

lambda=0.3;

n=10000;

intevral=-log(rand( 1 ,n))./lambda;

intevrall=intevral;

for i=2:n;

intevral 1 (i)=intevral 1 (i)+intevral 1 (i-1);

end

arrival_time=intevral 1;

maximum_arrivals_time=max(arrival_time);

fram=40;

d=0

l=ceil(maximum_arrivals_time/40);

count=0

for i=l:l;

c=arrival_time(fmd((arrival_time<=d+fram)&(arrival_time>=d)));

numbr_of_arrivals_in_each_ffam(i)=length(c);

if d>maximum_arrivals_time,break,end

k=['F',num2str(i),' = c'];

eval(k);

d=d+fram ;

count=count+l

end

max_ffam_length=max(numbr_of_arrivals_in_each_ffam);

mean_ffarn_arrivals=mean(numbr_of_arrivals_in_each_ffam);

d=0;

A=zeros(count,max_ffam_length);

for j=l:l;

c 1 =arrival_time(find((arrival_time<=d+ff am)&(arrival_time>=d)));

ffam_equal=[c 1 ,zeros( 1 ,max_ffam_length-length(c 1))];

A(j, :)=A(j, :)+fr am_equal;

if d>maximum_arrivals_time, break, end

70

t=['z')num2str(j),'=fTam_equal];

eval(t)

d=d+fram ;

end

mstart=floor(-log(rand(count,max_ffam_length))./(-log( 1 -alpha)))+1;

for i=l :count

for j=l :max_fram_length

if A(ij)~=0

masseg_matrix(i,j)=mstart(ij);

else if A(i j)==0

masseg_matrix(ij)=0;

end

end

end

end

[I,J]=size(A);

% Delay infinite buffer................................................

for i=l:2:I;

for j=l:J;

if A(ij)~=0

delay(ij)=i*fram-A(i,j)+( masseg_matrix(i,j)-l)*fram+(j-l);

delay_first(ij)=i*ffam-A(ij)+(j-l);

else if A(ij)==0 ,dday(ij)=0;delay_first(i,j)=0;

end

end

end

for i=2:2:I

for j=l:J;

if A(ij)~=0

delay(i j)=i*ffam-A(i j)+numbr_of_arrivals_in_each_ffam(i-1)+(masseg_matrix(i j)-1 )*fram+(j-l);

delay _first(ij)=i*fram-A(ij)+(j-l)+ numbr_of_arrivals_in_each_ffam(i-1);

else if A(i j)==0

delay(ij)=0;delay_first(ij)=0;

end

end

end

end

end

delay l=delay';

delay 2=delay 1 (find(delay 1 ~=0));

delay2=delay2;

%hist(delay2);

%The buffer simulation and the delay and the rejection rate

BUFFER=20;

number_of_the_packets_in_each_fram = sum(masseg_matrix');

for i=l:I

71

TFIE TRANSMITTED ?ACKET_PER FRAM(i)=length(find(masseg_matrix(i,:)>0));

end

THETRAN SMITTED_PACKET_PER_FRAM=THE_TRAN SMITTEDPACKETPERFRAM;

number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam;

THE PACKET THAT OCCPIED_THE_BUFFER( 1 )=number_of_the_packets_in_each_fram( 1);

for i=2:I

THE_PACKET_THAT_OCCPIED_THE_BUFFER(i)= numberofjhe jacketsJnj?ach_fram(i-1 )-

THE_TRANSMITTED_PACKET_PER_FRAM(i-])+number_of_the_packets_in_each_fram(i);

end

number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam

THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM

THE PACKET THAT OCCPIED THE BUFFER=THE PACKET THAT OCCPIED THE BUFF

ER

[l,k]=find(THE_PACKET_THAT_OCCPIED_THE_BUFFER>BUFFER)

lk=k+l;

ASS=(lk)

% the number of packet in the rejected frams

numer_of_packets_in_rejected_ffam=THE_PACKET_THAT_OCCPIED_THE_BUFFER(k)

numer_of_messges_we_consider_rejected_per_ffam=ceil((numer_of_packets_in_rejected_fram-

BUFFER)/(1 /alpha))

the_real_number_of_the_messagest_in_the_rejected_fram= numbr_of_arrivals_in_each_ffam(k)

for i=l:length(the_real_number_of_the_messagest_in_the_rejected_ffam)

if numer of_messges_we_consider_rejected_per_fram(i)<=

the_real_number_of_the_messagest_in_the_rejected_ffam(i)

the_rejection_messages(i)=numer_of_messges_we_consider_rejected_per_ffam(i)

else if numer_of_messges_we_consider_rejected_per_fram(i)>

the_real_number_of_the_messagest_in_the_rejected_ffam(i)

the_rejection_messages(i)=the_real_number_of_the_messagest_in_the_rejected_fram(i)

end

end

end

delay_after_rejection=delay;

for l=l:length(k)

delay_after_rejection(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-

the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))=0;

end

delay_after_rejection 1 = delay_after_rejection';

delay_after_rejection2=delay_after_rejectionl(fmd(delay_after_rejectionl~=0));

delay_after_rejection2=delay_after_rejection2';

%figure

%hist(delay_after_rejection2);

yl=zeros(size(A));

count 1=0;

for l=l:length(k)

y= A(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-

the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))

72

kx=['Fx,,num2str(i),' = y'];

eval(kx);

numbr_of_ejected_ffam(l)=length(y);

countl=countl+l;

end

max_rejected_fram=max(numbr_of_ejected_ffam)

Ar=zeros(countl,max_rejected_fram);% create the matrix that will enclode the rarrivals that will be

rejected with 0 admission delay

Arl =zeros(countl ,max_rejected_fram);

for 1= 1: length(k)

%k(l)*ffam-

z=A(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-

the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l));

y=k(l)*ffam-A(k(l),the_real_number_of_the_messagest_in_the_rejected_fram(l)-

the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))

ffamequal 1=[y,zeros( 1 ,max_rejected_fram-length(y))];

ffam_equal2=[z,zeros(l,max_rejected_ffam-length(z))];

Ar(l,:)=Ar(l,:)+fram_equall;

Arl(l,:)=Arl(l,:)+fram_equal2;

end

the_rjection_rate 1 =sum(the_rejection_messages)/n

%-------------Create the admission delay

admission_delay=40;

delay_diffemc=delay-delay_after_rejection;

for i=l:I

for j=l:J

if delay_diffemc(i,j)~=0;

arrivals_buff_rj(ij)=A(ij);

else if delay_diffemc(ij)==0;

arrivals_buflf_rj(ij)=0;

end

end

end

end

for i=l:I

for j=l:J

if arrivals_buff_rj(ij)~=0;

arrivals_buff_rj 1 (i j)=i*fram-arrivals_buff_rj(i j);

else if arrivals_buff_rj(i j)==0;

arrivalsbuffrj l(ij)=0;

end

end

end

end

THE_PACKET_THAT_OCCPIED_THE_BUFFERl=THE_PACKET_THAT_OCCPIED_THE_BUF

FER';

arrivals_buff_rj l_with_buffer=[arrivals_buff_rj 1 ,THE_PACKET_THAT_OCCPIED_THE_BUFFER

l;zeros(l,J+l)];

73

for i=l:I

for j=l:J+l

if arrivals_buff_rjl_with_buffer(i+l,end)> BUFFER;

A_adm(ij)=0;

else if arrivals_buff_rjl_with_buffer(i+l,end)<

BUFFER&arrivals_buff_rj 1 _with_buffer(i j)
A_adm(i j)=arri valsbuffrj 1 withbuffer(ij);

end

end

end

end

A_adm=A_adm( 1 :end, 1 :end-1);

the_rjection_rate=(sum(the_rejection_messages)-length(find(A_adm)))/n

for i=l:I

for j=l :J

if A_adm(ij)~=0;

delay_admin(i,j)=delay(ij);

else if A_adm(ij)==0;

delay_admin(ij)=0;

end

end

end

end

delay_fmal_admin=delay_admin+delay_after_rejection;

delay fmal admin 1 = delay final admin';

delay_final_admin2=delay_final_admin 1 (find(delay_final_admin 1 ~=0));

delay_fmal_admin2=delay_fmal_admin2';

figure

hist(delay_final_admin2);xlabel('The delay') ;ylabel('number of the messages')

for i=l:I;

for j=l:J

if delay_fmal_admin(i j)=0;

masseg_mattrix_after_rej(ij)=masseg_matrix(ij);

else if delay_final_admin(ij)==0;

masseg_mattrix_after_rej (i,j )=0;

end

end

end

end

masseg_mattrix_after_rej 1= masseg_mattrix_after_rej';

masseg_mattrix_after_rej2=masseg_mattrix_after_rej 1 (find(masseg_mattrix_after_rej 1 ~=0));

masseg_mattrix_after_rej2= masseg_mattrix_after_rej2';

74

2- The following two programs were used to calculate the delay and the rejection

rate after packet fabrication model

Program 1

ll=length(fmd (masseg_matrix~=0))

alphal=0.5;

y=floor(-log(rand( 1,11))./(-log( 1 -alpha 1)));

[iijj,massges]=find(masseg_matrix);

massges=massges;

massege_after_ad=massges+y;

massege_after_ad=massege_after_ad';

massges_after_ad=sparse(iijj,massege_after_ad);

masses_af_ad_ready=full(massges_after_ad);

[I,J]=size(A);

for i=l:3:I;

for j=l:J;

if A(i j)~=0

delay_ad(ij)=i*ffam-A(ij)+(masses_af_ad_ready(i,j)-l)*fram+(j-l);

else if A(i j)=0 ,delay_ad(ij)=0;

end

end

end

for i=2:3:I

for j=l:J;

if A(ij)~=0

delay_ad(ij)=i*ffam-A(i,j)+numbr_of_arrivals_in_each_ffam(i-1)+( masses_af_ad_ready(ij)-

l)*fram+(j-l);

else if A(i j)=0

delay _ad(ij)=0;

end

end

end

end

end

for i=3:3:I

for j=l:J;

if A(i j)=0

delay_ad(ij)=i*ffam-A(ij)+numbr_of_arrivals_in_each_fram(i-

1 )+numbr_of_arrivals_in_each_ffam(i-2)+(masses_af_ad_ready(i,j)-1 )*fram+(j-1);

else if A(i j)==0

delay_ad(i,j)=0;

75

end

end

end

end

BUFFER=20;

number_of_the_packets_in_each_firam = sum(masses_af_ad_ready');

for i=l:I

THE TRANSMITTED PACKET_PER_FRAM(i)=length(find(masses_af_ad_ready(i,:)>0));

end

THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM;

number_of_the_packets_in_each_ffam=number_of_the_packets_in_each_fram;

THE PACKET THAT OCCPIED THE BUFFER( 1 )=number_of_the jacketsineach _ffam( 1);

for i2:1

THE_PACKET_THAT_OCCPIED_THE_BUFFER(i)= number_of_the_packets_in_each_fram(i-1 )-

THE_TRANSMITTED_PACKET_PER_FRAM(i-1 )+number_of_the_packets_in_each_ffam(i);

end

number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam

THE TRANSMITTED PACKET PER FRAM^THE TRAN SMITTED PACKET PER FRAM

THE PACKET THAT OCCPIED THE_BUFFER=THE_PACKET_THAT_OCCPIED_THE_BUFF

ER

[l,k]=find(THE_PACKET_THAT_OCCPIED_THE_BUFFER >BUFFER)

% the number of packet in the rejected trams

numer_of_packets_in_rejected_fram=THE_PACKET_THAT_OCCPIED_THE_BUFFER(k)

numer_of_messges_we_consider_rejected_per_ffam=ceil((numer_of_packets_in_rejected_fram-

BUFFER)/(l/0.33))

the real number of the messagest in the rejected_fram= numbr of arrivals in each fram(k)

for i= 1 :length(the_real_number_of_the_messagest_in_the_rejected_ffam)

if numer_of_messges_we_consider_rejected_per_ffam(i)<=

the_real_number_of_the_messagest_in_the_rejected_ffam(i)

the_rejection_messages(i)=numer_of_messges_we_consider_rejected_per_ffam(i)

else if numer_of_messges_we_consider_rejected_per_ffam(i)>

the_real_number_of_the_messagest_in_the_rejected_ffam(i)

the_rejection_messages(i)=the_real_number_of_the_messagest_in_the_rejected_ffam(i)

end

end

end

delay _after_rejection_ad=delay_ad;

for 1= 1: length(k)

delay_after_rejection_ad(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-

the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))=0;

end

delay_after_rejection_adl= delayafterrejectionad';

delay_after_rejection_ad2=delay_after_rejection_adl(find(delay_after_rejection_adl~=0));

delay_afterrejection2=delayafterrejection2';

%figure

%hist(delay_after_rejection_ad2);

%the_rjection_rate_ad=sum(the_rejection_messages)/n

76

admission_delay=40;

delay_diffemc_ad=delay_ad-delay_after_rejection_ad;

for i=l:I

for j=l:J

if delay_diffemc_ad(i j)~=0;

arrivals_buff_rj_ad(ij)=A(ij);

else if delay_diffemc_ad(ij)==0;

arrivals_buff_rj_ad(ij)=0;

end

end

end

end

for i=l:I

for j=l:J

if arrivals_buff_rj_ad(ij)~=0;

arrivals_buff_rjl_ad(ij)=i*ffam-arrivals_buff_rj_ad(ij);

else if arrivals_buff_rj_ad(ij)==0;

arrivalsbuffrj l_ad(ij)=0;

end

end

end

end

THE_PACKET_THAT_OCCPIED_THE_BUFFERl=THE_PACKET_THAT_OCCPIED_THE_BUF

FER';

arrivals buff rj 1 _with_buffer_ad=[arrivals_buff_rj 1 _ad,THE_PACKET THAT OCCPIED THE B

UFFER1 ;zeros( 1, J+1)];

for i=l:I

for j=l:J+l

if arrivals_buff_rjl_with_buffer_ad(i+l,end)> BUFFER;

A_adm(ij)=0;

else if arrivals_buff_rjl_with_buffer_ad(i+l,end)<

BUFFER&arrivals_buff_rj 1 _with_buffer_ad(i j)
A_adm_ad(ij)=arrivals_buff_rjl_with_buffer_ad(i,j);

end

end

end

end

A_adm_ad=A_adm_ad( 1 :end, 1 :end-1);

the_rjection_rate=(sum(the_rejection_messages)-length(find(A_adm_ad)))/n

for i=l:I

for j=l:J

if A_adm_ad(i j)=0;

delay_admin_ad(ij)=delay_ad(ij);

else if A_adm_ad(ij)=0;

delay_admin_ad(i,j)=0;

end

end

end

77

end

delay_final_admin_ad=delay_admin_ad+delay_after_rejection_ad;

delayfinaladminad 1 = delay_final_admin_ad';

delay_final_admin_ad2=delay_final_admin_ad 1 (find(delay_fmal_admin_ad 1 ~=0));

delay_final_admin_ad2=delay_fmal_admin_ad2';

figure

hist(delay_final_admin_ad2);xlabel('The delay') ;ylabel('number of the messages')

programm2

close all

clear all

alpha=0.5;

lambda=0.06;

n=10000;

intevral=-log(rand( 1 ,n))./lambda;

intevral 1=intevral;

for i=2:n;

intevral 1 (i)=intevral 1 (i)+intevral 1 (i-1);

end

n_ad=5000;

lambda_ad=0.1;

intevral_ad=-log(rand( 1 ,n_ad))./lambda_ad;

intevral l_ad=intevral_ad;

for i=2:n_ad;

intevral 1 _ad(i)=intevral l_ad(i)+intevral l_ad(i-1);

end

final_inveral=[intevral l_ad,intevral 1 ];

final_inveral=sort(fmal_inveral);

arrival_time=fmal_inveral;

maximum_arrivals_time=max(arrival_time);

ffam=40;

d=0

l=ceil(maximum_arrivals_time/40);

count=0

for i=l:l;

c=arrival_time(fmd((arrival_time<=d+ffam)&(arrival_time>=d)));

numbr_of_arrivals_in_each_ffam(i)=length(c);

if d>maximum_arrivals_time,break,end

k=['F',num2str(i),' = c'];

eval(k);

d=d+fram ;

count=count+l;

end

max_fram_length=max(numbr_of_arrivals_in_each_fram);

78

mean_ffam_arrivals=rnean(nurnbr_of_arrivals_in_each_ffam);

d=0;

A=zeros(count,max_fram_length);

for j= 1:1;

c 1 =arrival_time(find((arrival_time<=d+ffam)&(arrival_time>=d)));

fram_equal=[c 1 ,zeros( 1 ,max_ff am_length-length(c 1))];

A (j,: )=A(j,: )+fram_equal;

if d>maximum_arrivals_time,break,end

t=['z',num2str(j),=ffam_equar];

eval(t)

d=d+fram ;

end

mstart=floor(-log(rand(count,max_ffam_length))./(-log(l-alpha)))+l;

for 1=1 :count

for j=1 :max_fram_length

if A(ij)~=0

masseg_matrix(i,j)=mstart(i,j);

else if A(i,j)==0

masseg_matrix(ij)=0;

end

end

end

end

[I,J]=size(A);

for i=l:2:I;

for j=l:J;

if A(i,j)~=0

delay(i ,j)=i*fram-A(i,j)+( masseg_matrix(ij)-l)*fram+(j-l);

delay_first(i j)=i*ffam-A(i ,j)+(j-1);

else if A(ij)==0 ,delay(ij)=0;delay_first(i,j)=0;

end

end

end

for i=2:2:I

for j=l:J;

if A(ij)~=0

delay(ij)=i*fram-A(ij)+numbr_of_arrivals_in_each_ffam(i-l)+( masseg_matrix(ij)-l)*fram+(j-l);

delay_first(ij)=i*fram-A(i,j)+(j-l)+masseg_matrix(ij)*nunibr_of_arrivals_in_each_fram(i-l);

else if A(i,j)==0

delay(ij)=0;delay_first(i,j)=0;

end

end

end

end

end

79

number_of_the_packets_in_each_fram = sum(massegmatrix');

for i=l:I

THE TRANSMITTED ?ACKET_PER_FRAM(i)=length(find(masseg_matrix(i,:)>0));

end

THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM;

number_of_the_packets_in_each_fram=number_of_the_packets_in_each_ffam;

THE_PACKET_THAT_OCCPIED THE_BUFFER( 1 )=number_of_the_packets_in_each_fram( 1);

for i=2:I

THE PACKET_THAT_OCCPIED_THE_BUFFER(i)= numberofjhe jackets Jn_each_fram(i-1 )-

THE_TRANSMITTED_PACKET_PER_FRAM(i-l)+number_of_the_packets_in_each_ffam(i);

end

number_of_the_packets_in_each_ffam=number_of_the_packets_in_each_fram

THE_TRANSMITTED_PACKET_PER_FRAM=THE_TRANSMITTED_PACKET_PER_FRAM

THE_PACKET_THAT_OCCPIED_THE BUFFER=THE_PACKET_THAT_OCCPIED_THE_BUFF

ER

[l,k]=find(THE_PACKET_THAT_OCCPIED THE BUFFER >BUFFER)

lk=k+l;

ASS=(lk)

numer_of_packets_in_rejected_ffam=THE_PACKET_THAT_OCCPIED_THE_BUFFER(k)

numer_of_messges_we_consider_rejected_per_fram=ceil((numer_of_packets_in_rejectedfram-

BUFFER)/(1/alpha))

the_real_number_of_the_messagest_in_the_rejected_ffam= numbr_of_arrivals_in_each_fram(k)

for i=1: length(the_real_number_of_the_messagest_in_the_rejected_ffam)

if numer_of_messges_we_consider_rej ected_per_ff am(i)<=

the_real_number_of_the_messagest_in_the_rejected_ffam(i)

the_rejection_messages(i)=numer_of_messges_we_consider_rejected_per_ffam(i)

else if numer_of_messges_we_consider_rejected_per_fFam(i)>

the_real_number_of_the_messagest_in_the_rejected_ffam(i)

the_rejection_messages(i)=the_real_number_of_the_messagest_in_the_rejected_ffam(i)

end

end

end

de layafterrej ection=delay;

for l=l:length(k)

delay_after_rejection(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-

the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_ffam(l))=0;

end

delayafterrejection 1= delay_after_rejection';

delay_after_rejection2=delay_after_rejectionl(find(delay_after_rejectionl~=0));

delay _after_rejection2=delay_after_rejection2';

%figure

%hist(delay_afler_rejection2);

for i=l:I;

for j=l:J

if delay_after_rejection(ij)~=0;

masseg_mattrix_after_rej(ij)=masseg_matrix(ij);

else if delay_after_rejection(ij)==0;

masseg_mattrix_after_rej(ij)=0;

80

end

end

end

end

masseg_mattrix_after_rej 1= masseg_mattrix_after_rej';

masseg_mattrix_after_rej2=masseg_mattrix_after_rej 1 (find(masseg_mattrix_after_rej 1 ~=0));

masseg_mattrix_after_rej2= masseg_mattrix_after_rej2';

yl=zeros(size(A));

count 1=0;

for 1=1 :length(k)

y= A(k(l),the_real_number_of_the_messagest_in_the_rejected_ffam(l)-

the rejection messages(l)+l:the real number of the messagest in the rejected ffam(l))

kx=[Fx',num2str(i), = y];

eval(kx);

numbr_of_ejected_fram(l)=length(y);

count l=count 1+1;

end

max_rejected_fram=max(numbr_of_ejected_fram)

Ar=zeros(countl,max_rejected_fram);% create the matrix that will enclode the rarrivals that will be

rejected with 0 admission delay

Ar 1 =zeros(count 1 ,max_rejected_fram);

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

for l=l:length(k)

z=A(k(l),the_real_number_of_the_messagest_in_the_rejected_fram(l)-

the_rejection_messages(l)+1 :the_real_number of_the_messagest_in_the_rejected_ffam(l));

y=k(l)*fram-A(k(l),the_real_number_of_thejnessagest_in_the_rejected_ffam(l)-

the_rejection_messages(l)+l:the_real_number_of_the_messagest_in_the_rejected_fram(l))

ffam_equal 1=[y,zeros( 1 ,max_rejected_ffam-length(y))];

ffam_equal2=[z,zeros( 1 ,max_rejected_ffam-length(z))];

Ar(l, :)=Ar(l, :)+ffam_equal 1;

Arl(l,:)=Arl(l,:)+ffam_equal2;

end

the_rjection_ratel=sum(the_rejection_messages)/n %compute the rjection from the buffer 0

admission delay

admission_delay=40;

delay_diffemc=delay-delay_after_rejection;

for i=l:I

for j=l:J

if delay_diffemc(i,j)~=0;

arrivals Jmff_rj(i,j)=A(ij);

else if delay_diffemc(ij)==0;

arrivals_buff_rj(ij)=0;

end

end

end

end

for i=l:I

81

for j=l:J

if arrivals_buff_rj(ij)~=0;

arrivals_buff_rj 1 (i j)=i*ffam-arrivals_buff_rj(i j);

else if arrivals_buff_rj(ij)==0;

arrivalsbuffrj 1 (i j)=0;

end

end

end

end

THE_PACKET_THAT_OCCPIED_THE_BUFFERl=THE_PACKET_THAT_OCCPIED_THE_BUF

FER';

arrivalsbuffrj l_with_buffer=[arrivals_buff_rj 1 ,THE_PACKET_THAT_OCCPIED_THE_BUFFER

l;zeros(2,J+l)];

for i=l:I

for j=l:J+l

if arrivals buff rj l_with_buffer(i+1 ,end)<

BUFFER|arrivals_buff_rjl_with_buffer(i+2,end)
A_adm(i ,j)=arrivals_buff_rj 1 _with_buffer(i j);

end

end

end

A_adm=A_adm(l :end,l :end-l);

the_rjection_rate=(sum(the_rejection_messages)-length(find(A_adm)))/n

for i=l:I

for j=l: J

if A_adm(i,j)~=0;

delay_admin(ij)=delay(ij);

else if A_adm(ij)==0;

delay_admin(i,j)=0;

end

end

end

end

delay _final_admin=delay_admin+delay_after_rejection;

delayfmaladmin 1 = delay_final_admin';

delay_final_admin2=delay_final_admin 1 (fmd(delay_fmal_admin 1 ~=0));

delay_fmal_admin2=delay_fmal_admm2';

figure

hist(delay_fmal_admin2);

3-The following program was used to compute the rejection rate after packet

modification model

zl = masseg_matrix(find(masseg_matrix~=0));

k=l;

1=1;

for i=l: d ;

for j=l:zl(i);

82

if rand < .5;

z0=i;

else

zG)=0;

end

xl(k)=z(j);

fl2(l,k)=xl(k);

k=k+l;

end

1=1+1;

end

ftr2=fl2';

sum_ftr2=sum(flr2);

nonzero_elment2=(sum_ftr2~= 0);

themessages_rejected2=sum(nonzero_elment2);

ldx 1 = d-themessages_rejected2

the_regection_rate_with_expilots=(n-ldx 1 )/n

4-The following program was used to calculate the delay and the rejection rate

after time behavior exploits

ALFA=.02;

alfa_l=ALFAA-l;

delay_aversary3=zeros(I,J);

11 =length(find(masseg mattrix_after_rej~=0));

max_matrixm=max(max(masseg_mattrix_after_rej));

for i=l:I;

for j=l:J;

if m asseg_mattri xafterrej (i ,j )~=0;

yl=geornd(ALFA,[l masseg_mattrix_after_rej(i,j)]);

if max(yl)>alfa_l;

delay_aversary3(ij)=0;

else if max(yl)
delay_aversary3(ij)= delay_aversary3(i,j)+sum(yl);

end

end

end

end

end

z 1 = masseg_mattrix_after_rej(find(masseg_mattrix_after_rej~=0));

yl=max(zl);

for i=l:length(zl);

ml=geomd(ALFA,[l zl(i)])+l;

for j= 1 :y 1

for k=l:zl(i);

if j<=k

fdl(ij)=ml(k);

else if j>k

83

fdl(ij)=0;

end

end

end

end

end

adversary_rejection=(length(find(fdl(:, 1 )>alfa 1 ))+the_rjectionrate* n )/n

final_delay_adverary3=delay_aversary3+ delay_final_admin;%delay maybe change after the buffer

and admission delay

final_delay_adverary3=final_delay_adverary3';

final_delay_adverary3=final_delay_adverary3(find(final_delay_adveraiy3~=0));

final_delay_adverary3=final_delay_adverary3';

figure

hist(fmal_delay_adverary3)

5- The following program was used to monitor the change in Poisson rates

t=4;

s=10;

gamma=75;

[I,J]=size(A);

number_of_the_packets_in_each_ffam_after_rejection = sum(masseg_mattrix_after_rej');

TX(1)=0;

for i=l:I

TX(i+1 )= max(0,TX(i)+s*number of_the_packets_in_each_fram_after_rejection(i)-40*t);

end

for i=l:l

T(i)=TX(i);

end

for i=l:I

if (T(i))>=gamma

for k=i+l:I

T(k)=0;

end

end

sl=zeros(l,I);

sl=sl+gamma;

end

[kk,ll,mm]=fmd(TX>gamma);

if 11(1)==0;

corssing_time_with_adversary=0;

else if 11(1)~=0

corssing_time_with_adversary=l 1( 1)

end

end

figure

plot(T,'-rs')

84

hold on

plot(sl)

axis([0 800 0 400]);

xlabel('The frame number');ylabel('The Algorithm value ')

6-The following program was used to monitor the change in the delay

distribution

t=145;

s=2;

gamma=1600;

il=length(fmal_delay_adverary3);

TX(1)=0;

for i=l: il

TX(i+l)= max(0,TX(i)+s*(final_delay_adverary3(i)-l)-t);

end

for i=l:I

T(i)=TX(i);

end

for i=l:I

if (T(i))>=gamma

for k=i+l:I

T(k)=0;

end

end

sl=zeros(l,I);

sl=sl+gamma;

end

[kk,ll,mm]=find(TX>gamma);

if 11(1)==0;

corssing_time_with_adversary22=0;

else if 11(1 )~=0

corssing_timewith_adversary22=ll( 1)

end

end

figure

plot(T,'~rs')

hold on

plot(sl)

axis([l 200 0 3000]),xlabel('The frame number');ylabel('The Algorithm value ')

6-The following program was used to find the average of the expected stopping

time as function in the previous program

1=1000;

for i=l:l;

y(i)=stoptime

end

averag_stop_time=sum(y)/l

85

REFERENCES

[1] G. Aimes, S. Kalidindi, and M. Zekauskas. A one-way packet loss metric for

IPPM. RFC 2680, Sept. 1999.

[2] X. Ao. Report on DIMACS Workshop on Large-Scale Internet Attacks, Sept.

2003.

[3] I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy. Amendment

to: Highly secure and efficient routing, Feb. 2004. Amendment.

[4] I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy. Highly secure

and efficient routing. In Proceedings of INFOCOM 2004 Conference, March 2004.

[5] J. Bellardo and S. Savage. Measuring packet reordering. In ACMSIGCOMM

Internet Measurement Workshop(IMW02).

[6] J. C. R. Bennett, C. Partridge, andN. Shectman. Packet reordering is not

pathological network behavior. IEEE/ACM Transactions on Networking (TON),

7(6):789-798, 1999.

[7] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway. UMAC: Fast

and secure message authentication. Lee. Notes in CS, 1666:216-233, 1999.

[8] B. H. Bloom. Space/time trade-offs in hash coding with allowable errors.

Comm. Of the ACM, 13(7):422^126, July 70.

[9] K. A. Bradley, S. Cheung, N. Puketza, B. Mukheijee, and R. A. Olsson.

Detecting disruptive routers: A distributed network monitoring approach. In Proc.

of the IEEE Symposium on Security and Privacy, pages 115-124, May 1998.

[10] T. D. Chandra and S. Toueg. Unreliable failure detectors for reliable distributed

systems. Journal of the ACM, 43(2):225-267, 1996.

[11] K. M. Chandy and L. Lamport. Distributed snapshots: determining global states

of distributed systems. ACM Transactions on Computer Systems, 3(1 ):6375, 1985.

86

[12] S. Cheung. An efficient message authentication scheme for link state routing.

In ACSAC, pages 90-98, 1997.

[13] S. Cheung and K. Levitt. Protecting routing infrastructuresfrom denial of

service using cooperative intrusion detection. In New Security Paradigms

Workshop, 1997.

[14] Cisco Systems. Load balancing with cisco express forwarding

http//www.cisco.com/warp/public/cc/pd/ifaa/pa/much/prodlit/loadb an.pdf.

[15] Y. Cosendai, M. Dacier, and P. Scotton. Intrusion detection mechanism to

detect reachability attacks in PNNI networks. In Recent Advances in Intrusion

Detection, 1999.

[16] N. G. Duffield and M. Grossglauser. Trajectory sampling for direct traffic

reservation in COMMOO, pages 271-282.

[17] W. Feghali, B. Burres, G.Wolrich, and D. Carrigan. Security:Adding protection

to the network via the network processor. Intel Technology Journal, 06:40-49, Aug.

2002.

[18] Gauis. Things to do in Ciscoland when youre dead.. Jan. 00.

[19] M. T. Goodrich. Efficient and secure network routing algorithms.Jan 2001.

Provisional patent filing.

[20] A. Herzberg and S. Kutten. Early detection of message forwardingfaults.

SIAMJ. Comput, 30(4):1169-1196, 2000.

[21] K. J. Houle, G. M. Weaver, N. Long, and R. Thomas. Trends indenial of service

attack technology. Technical report,CERT Coordination Center, Oct. 2001.

[22] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secureon-demand routing

protocol for ad hoc networks. In The 8thACMInt. Conf. on MobiCom, Sep 2002.

[23] J. R. Hughes, T. Aura, and M. Bishop. Using conservation offlow as a security

mechanism in network protocols. In IEEESymp. on Security and Privacy, pages

132-131,2000.

87

[24] Y. Jou, F. Gong, C. Sargor, X. Wu, S. Wu, H. Chang, andF. Wang. Design and

implementation of a scalable intrusiondetection system for the protection of network

infrastructure. In DISCEXOO Proceedings, volume 2, pages 69-83, 2000.

[25] Juniper Networks. JUNOS 6.4 Routing ProtocolsConfiguration Guide.

http://www.iuniper.net/techpubs/software/iunos/iunos64/swconfig64-routing/html/.

[26] S. Kent, C. Lynn, J. Mikkelson, and K. Seo. Secure BorderGateway Protocol

(Secure-BGP). IEEE Journal on SelectedAreas in Communications, 18(4):582592,

Apr. 2000.

[27] C. Labovitz, A. Ahuja, and M. Bailey. Shining light on darkaddress space.

Technical report, Arbor Networks, Nov. 2001.

[28] L. Lamport, R. Shostak, and M. Pease. The Byzantine generalsproblem.MCM

Trans, on Programming Languages andSystems, 4(3):382-401, 1982.

[29] Y. Minsky, A. Trachtenberg, and R. Zippel. Set reconciliationwith nearly

optimal communication complexity. In Int.Symp. on Information Theory, page 232,

June 2001.

[30] A. T. Mizrak, K. Marzullo, and S. Savage. Detecting maliciousrouters.

Technical Report CS2004-0789, UCSD, 2004.

[31] A. Morton, L. Ciavattone, G. Ramachandran, S. Shalunov,and J. Perser. Packet

reordering metric for IPPM. Mar. 2003.

[32] J. T. Moy. Multicast extensions to OSPF. RFC 1584, IETF,Mai. 1994.

[33] National Institute of Standards and Technology. Data encryptionstandard.

FIPS PUBS 46-3, Oct. 1999.

[34] National Institute of Standards and Technology. Advancedencryption

standard. FIPS PUBS 197, Nov. 2001.

[35] V. N. Padmanabhan and D. Simon. Secure trace route to detect faulty or

malicious routing. SIGCOMMComp. Comm.Review, 33(1):7782, 2003.

[36] R. Perlman. Network Layer Protocols with Byzantine Robustness.'PhD thesis,

MIT LCS TR-429, Oct. 1988.

88

[37] R. Perlman. Interconnections: Bridges and Routers. Addison Wesley

Longman Publishing Co. Inc., 1992.

[38] D. Pullin, A. Corlett, B.Mandeville, and S. Critchley. Packet reordering: The

minimal longest ascending subsequence metric, Feb. 2002.

[39] P. Rogaway. UMAC Performance (more).www.cs.ucdavis.edu/

rogaway/umac/2000/perf00bis.html.

[40] N. Shah. Understanding network processors. Masters thesis,University of

California, Berkeley, September 2001.

[41] C. Shannon, D. Moore, and K. C. Claffy. Beyond folklore: observations on

fragmented traffic. IEEE/ACM Trans. Netw., 10(6):709-720, 2002.

[42] B. R. Smith and J. Garcia-Luna-Aceves. Securing the border gateway routing

protocol. In Proc. Global Internet96.

[43] N. Spring, R. Mahajan, and D. Wetherall. Measuring ISP topologies with

Rocket fuel. In Proc. ofACM/SIG COMM, pages 133-145, 2002.

[44] L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. Katz. Listen and

Whisper: Security Mechanisms for BGP. In Proc. ofNSDI, Mar. 2004.

[45] D. Taylor. Using a compromised router to capture network traffic, July 2002.

Unpublished Technical Report.

[46] R. Teixeira, K. Marzullo, S. Savage, and G. M. Voelker. In search of path

diversity in ISP networks. In Proc. of the ACM/SIGCOMMIMC, pages 313-318,

2003.

[47] R. Thomas. ISP Security BOF, NANOG 28, June 2003.

[48] P. Papantoni-Kazakos and Anthony Burrell. Robust Sequential Algorithms

for the Detection of Changes in Data Generating Processes. IEEE Trans. J Intell

Robot Syst (2010) 60:3-17.

[49] D. Kazakos and P. Papantoni-Kazakos. Detection and Estimation .New York:

Computer Science Press, 1990.

89