A Hierarchical Identity Based Key Management Scheme in Tactical ...

258

IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 7, NO. 4, DECEMBER 2010

A Hierarchical Identity Based Key Management Scheme in Tactical Mobile Ad Hoc Networks F. Richard Yu, Helen Tang, Peter C. Mason, and Fei Wang

Abstract—Hierarchical key management schemes would serve well for military applications where the organization of the network is already hierarchical in nature. Most of the existing key management schemes concentrate only on network structures and key allocation algorithms, ignoring attributes of the nodes themselves. Due to the distributed and dynamic nature of MANETs, it is possible to show that there is a security benefit to be attained when the node states are considered in the process of constructing a private key generator (PKG). In this paper, we propose a distributed hierarchical key management scheme in which nodes can get their keys updated either from their parent nodes or a threshold of sibling nodes. The dynamic node selection process is formulated as a stochastic problem and the proposed scheme can select the best nodes to be used as PKGs from all available ones considering their security conditions and energy states. Simulation results show that the proposed scheme can decrease network compromising probability and increase network lifetime in tactical MANETs. Index Terms—Hierarchical ID-based encryption, private key generator, compromising probability, network lifetime.

I. I NTRODUCTION

M

OBILE Ad hoc Networks (MANETs) have been identified as having tremendous potential for military communications, but securing these networks remains an on-going challenge. In particular, the application of cryptographic protocols, which are fairly mature for wired networks, continues to prove troublesome for distributed, dynamic environments without access to centralized services. Progress, however, is being made with technologies such as Identity (ID)-based cryptography which has a number of properties that make it attractive for building security services in mobile ad hoc networks (MANETs) [1]. ID-based cryptography typically involves a global trusted authority (TA) that has a master secret key and is responsible for generating private keys for other nodes based on their IDs. A user ID is usually composed of a unique identity such as an email address or a telephone number and a preset expiration time indicating the lifetime of the key. Upon expiration, a user must facilitate key update by contacting the TA to get a new private key. As a result, the security of the TA becomes integral to the security of the network. Since maintaining a secure central server for key distribution

Manuscript received October 25, 2009; revised July 7, 2010. The associate editor coordinating the review of this letter and approving it for publication was M. Sloman. F. R. Yu and F. Wang are with the Department of Systems and Computer Engineering, Carleton University, Ottawa, ON, Canada (e-mail: [email protected], [email protected]). H. Tang and P. C. Mason are with Defense R&D Canada - Ottawa, ON, Canada (e-mail: {helen.tang, peter.mason}@drdc-rddc.gc.ca). Digital Object Identifier 10.1109/TNSM.2010.1012.0362

is, generally speaking, inherently incompatible with MANET design due to its distributed and dynamic nature, threshold cryptography [2] has been proposed to allow multiple network nodes to share a network master key and collaboratively issue private keys for other nodes. If in a MANET with 𝑛 nodes, any 𝑘 nodes in the group are capable of generating private keys using their shares of the master key, this is then called (𝑘, 𝑛) threshold cryptography. In this case, the security of the network is maintained except when more than 𝑘 node secrets are compromised. In homogeneous MANETs, all nodes have the same communication capabilities. A recent theory study in [3] presents the throughput bounds of homogeneous MANETs. The limitation is fundamentally due to the spatial concurrency constraints on nearby nodes sharing the same channel. These results strongly suggest that we should consider a heterogeneous hierarchical structure to solve the MANETs problem [4]. For example, an Unmanned Aerial Vehicle (UAV) added to the ground embedded mobile backbone can naturally form a multi-level physical heterogeneous multi-hop network, which is a good infrastructure for multi-area military environments. Moreover, in tactical MANETs, the organization of the network may already be hierarchical in nature so a hierarchical key management structure could serve well for military applications. In hierarchical key management, an upper level TA needs only distribute keys to the layer below it, and the distribution process continues until all the end-nodes get their secret keys from the layer above them. Several hierarchical key management schemes have been proposed. In [5] the authors give a hierarchical and ID-based key management scheme with low memory requirements and high resistance to collusion attacks. In [6] the authors present a hierarchical key management scheme based on a subset in which a node distributes subsets of its keys to its children. The scheme proposed in [7] is an ID-based threshold system which is fully resilient against compromise of any numbers of leaves in the hierarchy and a threshold of nodes in each of the upper levels of the hierarchy. This scheme has non-interactive key management which combines the advantages of the schemes proposed in [5, 8]. While these works do take advantage of the network hierarchy, there are aspects of the key management that merit further investigation. In particular, methods for selecting which are likely to be the optimal nodes to act as private key generators (PKGs) are not currently dealt with. In hierarchical tactical MANETs, users can update their keys by having either their parents or a threshold of siblings acting as the PKG [7]. Due to the distributed nature of MANETs, a node’s security state can change dynamically;

c 2010 IEEE 1932-4537/10/$25.00 ⃝

WANG et al.: A HIERARCHICAL IDENTITY BASED KEY MANAGEMENT SCHEME IN TACTICAL MOBILE AD HOC NETWORKS

some nodes may be in a safe state while others may be under attack or even compromised by adversaries. Obviously, selecting a compromised node or a node under attack to function in the PKG process would pose a risk to the network security [9]. Therefore, when constructing the PKG, it would be prudent to consider the security state of the nodes. Note that this state may be treated as probabilistic in nature. In addition, since most mobile devices are powered by batteries with limited energy, a key management scheme should also take into account the energy levels of the nodes in order to improve overall network lifetime and functionality. With this in mind, we propose a distributed hierarchical key management scheme to select the best nodes to function as the PKG taking into account the nodes’ security conditions and energy states. The objectives of the scheme are to simultaneously improve the network security and maximizing the network lifetime. The proposed scheme can select the best nodes for constructing the PKG by formulating the problem as a stochastic system. Since the stochastic problem is known to be PSPACEHard, a primal dual index heuristic [10] is used to solve the problem. The priority indices can be computed offline and kept as an index table which ranks the nodes based on certain constraints, here the security and energy states. In online part of our scheme, the priority indices table can be easily used for node selection. Therefore, the computation and implementation complexity of the proposed scheme are reduced dramatically. The scheme is very suitable for military environment involving collaboration between forces from different countries and different agencies. Extensive simulation results are presented. It is illustrated that the proposed scheme can decrease network compromising probability and increase network lifetime in tactical MANETs. The rest of the paper is organized as follows. Section 2 describes the hierarchical key management and the system models. The stochastic formulation and the solution are given in Section 3. The key update process and related remarks are described in Section 4. Section 5 provides the simulation results and discussions. We conclude this study in Section 6. II. H IERARCHICAL K EY M ANAGEMENT IN TACTICAL MANET S In this section, we first introduce hierarchical key management in MANETs. We then present key update in our scheme and give the system models. A. ID-based Threshold Key Management in Hierarchical MANETs Here we describe a typical implementation that is based on multiple variables polynomial with ID-based threshold cryptography [7]. Each node has a secret polynomial (in the role of a secret key), and the shared key between two leaf nodes is computed by evaluating the polynomial held by one node at a point that corresponds to the identity of the other node. Let 𝐿 be the depth of the hierarchy, i.e., the nodes are arranged in a tree with 𝐿 levels. Each node identity corresponds to the path from the root to the node (thus a node at level 𝑖

259

will have as identity a vector with 𝑖 components (𝐼1 , ..., 𝐼𝑙 ) where each 𝐼𝑖 is an integer). For desired threshold parameters 𝑡𝑖 , the root authority chooses a random polynomial 𝐹 (𝑥1 , 𝑦1 , . . . , 𝑥𝐿 , 𝑦𝐿 ), where the degree of 𝑥𝑖 , 𝑦𝑖 is 𝑡𝑖 . 𝐹 is chosen such that 𝐹 (𝑥1 , 𝑦1 , . . . , 𝑥𝐿 , 𝑦𝐿 ) ≡ 𝐹 (𝑦1 , 𝑥1 , . . . , 𝑦𝐿 , 𝑥𝐿 ), i.e. 𝐹 is symmetric between the 𝑥’s and 𝑦’s. A simple implementation to choose such polynomial is to choose a random polynomial 𝑓 on the same variables, and then set 𝐹 (𝑥1 , 𝑦1 , . . . , 𝑥𝐿 , 𝑦𝐿 ) = 𝑓 (𝑥1 , 𝑦1 , . . . , 𝑥𝐿 , 𝑦𝐿 ) + 𝑓 (𝑦1 , 𝑥1 , . . . , 𝑦𝐿 , 𝑥𝐿 ). The master secret key of the system is the polynomial 𝐹 itself. The secret key of node with identity 𝐼 in the first level of the hierarchy is the polynomial 𝐹𝐼 = 𝐹 (𝐼, 𝑦1 , 𝑥2 , 𝑦2 , . . .) that has 2𝐿−1 variables. Similarly, the secret key of a node at level i with identity 𝐼⃗ = ⟨𝐼1 , . . . , 𝐼𝑖 ⟩ is the polynomial: 𝐹𝐼⃗ = 𝐹 (𝐼1 , 𝑦1 , . . . , 𝐼𝑖 , 𝑦𝑖 , 𝑥𝑖+1 , 𝑦𝑖+1 , . . .) that has 2𝐿 − 𝑖 variables, and the secret key of the leaf with identity ⟨𝐼1 , . . . , 𝐼𝐿 ⟩ is the polynomial in L variables 𝐹 (𝐼1 , 𝑦1 , . . . , 𝐼𝐿 , 𝑦𝐿 ). The shared key between the two leaf nodes ⟨𝐼1 , . . . , 𝐼𝐿 ⟩ and ⟨𝐽1 , . . . , 𝐽𝐿 ⟩ is the value of the polynomial 𝐹 (𝐼1 , 𝐽1 , . . . , 𝐼𝐿 , 𝐽𝐿 ) = 𝐹 (𝐽1 , 𝐼1 , . . . , 𝐽𝐿 , 𝐼𝐿 ), that each node can compute by evaluating its secret polynomial on the points that correspond to its peer’s identity. An alternative approach to building a hierarchical scheme is to use subset-based key pre-distribution schemes as in [11], and extend it to a hierarchical scheme as in [6]. B. Key Update Schemes in Tactical Hierarchical MANETs Key management consists of initial key distribution and key updates. In a tactical MANET environment, there may be many instances or events that require a key update process, some examples among them include: ∙ The identifier in ID based systems may be a shortterm one, with an expiration time encoded as part of the identifier. If the operation will extend beyond the expiration time, key update is necessary. ∙ The node holding the private key may need to change its TA. For example, it may be temporarily assigned in the field to a coalition force and require an appropriate private key from the TA of that force in order to maintain communications with its new group of peers. This could be a form of role-based access control. ∙ The TA may decide to update its public parameters, necessitating an update to all private keys. This could be done in response to a perceived vulnerability or attack, or as a result of a change in the deployment – e.g. two TAs from different coalition forces may wish to generate a common set of public parameters and a common master secret, and to issue new private keys to all entities under their joint command. For these reasons, it is important to have a key management system in process that can act dynamically, flexibly, and with as little overhead as possible given the bandwidth and energy constraints of the system. We propose a scheme, with this philosophy in mind, that combines and extends some of the results in the field discussed below. Unlike hierarchical key management schemes that rely on parent nodes to act as the TA who supplies the private key,

260


the method introduced in [7] distributes the role of the PKG amongst a threshold of siblings, that is, nodes with the same parent. This method makes use of identity-based encryption (IBE) in which the identifier of a node acts as its public key. In [7], the master secret takes the form of a polynomial 𝐹 with degree 2𝐿 where 𝐿 is the depth of the hierarchy. Each node 𝐼 in the network is then assigned its own derivative of 𝐹 corresponding to its place in the hierarchy. If node 𝐼 is at level 𝑗 in the hierarchy, it will possess as its secret key the polynomial 𝐹𝐼 of degree 2𝐿 − 𝑗 constructed in such a way that it has the necessary symmetry to facilitate the bilinear mapping property of IBE [7]. An important advantage of the method in [7] is that it enables MANET security services to move away from a centralized model, but the method stops short of discussing a systematic way of choosing the threshold of nodes to act as the PKG. Our proposed scheme focuses on dynamically deciding which node(s) should work as PKG by taking into account the security and energy states. The PKG can be a parent node or a threshold of 𝑘 nodes among siblings with secret key shares and as such can be easily combined with any existing hierarchical key management schemes. It is also important to keep in mind that key updates in hierarchical networks could be processed differently at different levels since multiple PKGs could exist. If it is possible for nodes to get private keys from either its parent or a threshold of sibling nodes, the security risks of the hierarchical network is then distributable to different levels. For example, compromise of a subtree will not affect the security of another subtree if they do not have the same ancestors. Through optimal node selection, we can improve MANET security and extend the network lifetime. We give the system model below. A complete key update example of the proposed scheme is described in Section 4. C. System Models The experience in security of wireline networks indicates the importance of multi-level protections because there are always some weak points in the system, no matter what is used for prevention [12]. Therefore, intrusion detection systems (IDSs), serving as the second wall of protection, can effectively help to identify malicious activities by monitoring the current subject activities of network nodes [13]. We will assume there is an IDS in the network acting as a second line of defense [13]. This IDS can be distributed in nature and periodically monitors each node’s activities, comparing them with stored normal profiles in order to detect intrusions. In our proposed system, the IDS takes on the additional role of selecting the best node(s) to act as a PKG based on the reported security and energy conditions. In order to keep the security and energy information current, the system time can be divided into slots that correspond to the time intervals as described in [14]. The length of time slot depends on the security requirements and system environment. If the system is used in an extremely unsafe environment, the time interval can be reduced. 1) Security Model: Assume each node 𝑛(𝑛 ∈ {1, . . . , 𝑁 }) has a finite number of 𝐼𝑛 states representing the security conditions. For example, the security state space 𝒮 can be defined

as {𝑠𝑎𝑓 𝑒, 𝑎𝑡𝑡𝑎𝑐𝑘𝑒𝑑, 𝑐𝑜𝑚𝑝𝑟𝑜𝑚𝑖𝑠𝑒𝑑}. The security state of a potential PKG node 𝑛 at the time instant 𝑡(𝑡 ∈ {1, . . . , 𝑇 }) can be defined as 𝑑𝑡𝑛 , and its state evolves according to an 𝐼𝑛 -state Markov chain with one-step transition probability matrix: 𝐴𝑎𝑛 = (𝜙𝑖𝑗 )𝑖,𝑗∈𝐼𝑛 = 𝑃 𝑟(𝑑𝑡+1 = 𝑗∣𝑑𝑡𝑛 = 𝑖), (1) 𝑛 where 𝑎 stands for an action. In our system there are two actions {0, 1}; action 1 means the node is selected or active (as a PKG), and 0 means the node is not selected or passive. So 𝐴1𝑛 is the transition probability matrix when the node is active and 𝐴0𝑛 is the transition probability matrix when the node is passive. The security condition 𝑑𝑡𝑛 is observed by IDS and we assume the state observation by the IDS is accurate. 2) Energy Model: Since mobile devices are powered by batteries with limited energy, the energy should be used carefully to maximize the network life. The residual battery energy can be detected locally and represented as 𝑒𝑡𝑛 . For simplification, the continuous battery residual energy can be divided into discrete levels, denoted by ℰ = (𝑒1 , 𝑒2 , . . . , 𝑒ℎ ), where ℎ is the number of available energy state levels. Inspired by [15], we model the transition of energy levels of nodes in MANETs as a Markov chain with one-step transition probability matrix: = 𝑗∣𝑒𝑡𝑛 = 𝑖). (2) 𝐵𝑛𝑎 = (𝜓𝑖𝑗 )𝑖,𝑗∈ℰ = 𝑃 𝑟(𝑒𝑡+1 𝑛 The residual energy model used in some other papers, such as [16], assumes the energy is reduced by a fixed amount after every data transmission action. This model can be considered a special case { of the Markov model, where 1, if 𝑗 is the lower state next to 𝑖, (3) 𝜓𝑖𝑗 = 0, otherwise. 3) Network Lifetime: The definition of lifetime ℒ depends on the underlying network application. A commonly used definition of lifetime is determined by the moment that the number of dead nodes reaches a threshold 𝐷𝑡ℎ beyond which the network can no longer achieve the targeted performance [16]. In our scheme, the network lifetime also terminates when there are 𝑁𝑡ℎ nodes compromised since we use threshold cryptography in our scheme. 4) Cost Model: A cost model can be defined according to the application. In this paper we consider breaches of security and usage of energy as the costs to be constrained when selecting node(s) to be work as PKG. At time 𝑡, the costs associated with the node selection are defined as security cost 𝑐𝑙 (𝑑𝑡𝑛 , 𝑎𝑡𝑛 ), from a potential compromise of the node, and the energy cost 𝑐𝑒 (𝑒𝑡𝑛 , 𝑎𝑡𝑛 ). 𝑎𝑡𝑛 ∈ {0, 1} stands for the action adopted by node 𝑛 at time 𝑡 where 1 means the node is selected and 0 means the node is passive. Finally, the instantaneous cost incurred due to the selection of node 𝑛 as a PKG is: (4) 𝑐𝑡𝑛 (𝑑𝑡𝑛 , 𝑒𝑡𝑛 , 𝑎𝑡𝑛 ) = (1 − 𝛾)𝑐𝑙 (𝑑𝑡𝑛 , 𝑎𝑡𝑛 ) + 𝛾𝑐𝑒 (𝑒𝑡𝑛 , 𝑎𝑡𝑛 ), where 𝛾 ∈ (0, 1) is the weight factor for the two kinds of costs and could be adjusted according to circumstances. If there are 𝑀 active nodes at time 𝑡 (𝑀 can be the threshold ∑𝑀 𝑁𝑡ℎ ), the cost of all the nodes for key update is 𝑞(𝑡) = 𝑖=1 𝑐𝑡𝑛 , where 𝑖 ∈ [1, . . . , 𝑀 ] means all active nodes at time 𝑡. The total expected discounted cost of over infinite time horizon is given


by:

[ 𝑍(𝑢) = 𝐸

∞ ∑

B. System Formulation

] 𝛽 𝑡 𝑞(𝑡) ,

261

(5)

𝑡=0

where 𝑢 denotes policy which is the history of all actions. 𝐸 denotes mathematical expectation; 𝛽 ∈ (0, 1) is the discount factor to ensure the expectation is bounded. The optimization objective is to find the optimal policy 𝑢 to minimize the cost in (5). In our system, the policy represents the method of selecting nodes to act as PKGs. III. S TOCHASTIC F ORMULATION AND S OLUTION In this section, we formulate the node selection problem as a stochastic problem, a well studied framework where a decision-maker must dynamically schedule multiple projects to get the maximum reward [17]. A. The Stochastic Problem The classical multiarmed bandit problem, originally described by Robbins in 1952 [18], is an analogy with a traditional slot machine (one-armed bandit) but with more than one lever. When pulled, each lever provides a reward drawn from a distribution associated to that specific lever. A multiarmed bandit is a special type of stochastic control problem. Although a relatively simple solution can be found in the multiarmed bandit problem, the assumptions in the formulation, such as only one active project and the unchanging state of inactive projects, may be unrealistic in our dynamic node selection problem in tactical mobile ad hoc networks. The restless bandit formulation is an extension of the classical multiarmed bandit problems where multiple projects can be active and all projects evolve at each time instant. The restless bandit problem can be simply described as: There are 𝑁 projects, of which 𝑀 can be worked on at any time period. Project 𝑛 is characterized at (discrete) time 𝑡 by its state 𝑠𝑡𝑛 , which belongs to a finite state space. If project 𝑛 is worked on at time 𝑡, one receives a reward 𝑟(𝑠𝑡𝑛 ). The state 𝑠𝑡𝑛 then evolves to a new state according to given transition probabilities. The states of all idle projects are also evolved, possibly using different transition probabilities. The goal is to find a policy which decides at each time period which projects to work on in order to maximize the expected sum of the discounted rewards over an infinite horizon. The restless bandit problem can be solved according to the indices of the projects, which is calculated by the linear programming (LP) relaxation [10]. Recent advances in solving the restless bandit problem make it a powerful modeling framework. It has been successfully used to solve clinical trial [17], project selection [10] and aircraft surveillance [19] problems, among others. In this paper, we use the restless bandit approach to solve the multiple sender selection problem in wireless mobile P2P networks. In our scheme, we use cost instead of reward, and the optimization objective is to minimize the cost. The detailed definition of the state, cost and policy will be discussed in the following.

1) Node States: The state of nodes 𝑛 ∈ {1, 2, . . . , 𝑁 } in time slot 𝑡 ∈ {0, 1, . . . , 𝑇 − 1} is modeled as: (6) 𝑠𝑡𝑛 = [𝑑𝑡𝑛 , 𝑒𝑡𝑛 ], 𝑡 𝑡 where 𝑑𝑛 is the security state and 𝑒𝑛 is the energy state which are defined in system model. Note that the security state is independent of energy state. The state set of 𝑠𝑡𝑛 is represented as S𝑛 and 𝑠𝑡𝑛 ∈ S𝑛 . The state 𝑠𝑡𝑛 evolves with one-step transition probability matrix: 𝑃𝑛𝑎 = [𝐴𝑎𝑛 ⊗ 𝐵𝑛𝑎 ], (7) 𝑎 where 𝐴𝑛 is security state transition probability matrix and 𝐵𝑛𝑎 is energy states transition probability matrix. ⊗ denotes the Kronecker product. 2) Costs: The total expected discounted cost over the time horizon is defined in (5), and the optimization objective is: (8) 𝑍 ∗ = min 𝑍(𝑢). 𝑢∈U

3) Policies: The policy is the history of all the actions taken. We denote by U the class of all admissible policies. The admissible policy 𝑢 ∈ U is a 𝑇 × 𝑁 matrix, whose element of the 𝑡th row and the 𝑛th column is 𝑎𝑡𝑛 , representing the action taken by node 𝑛 in time slot 𝑡. The optimal policy 𝑢∗ is the policy that achieves the minimal cost. According to (8) the optimal policy is (9) 𝑢∗ = arg min 𝑍(𝑢). 𝑢∈U

4) Priority Index: The priority index for potential node 𝑛 with state 𝑠𝑡𝑛 at time 𝑡 is represented as 𝛿𝑘𝑛 . The optimal policy has an index rule: The 𝑀 nodes with the smallest indices in a given time slot 𝑡 act as the active nodes. That is, assuming {𝛿𝑘1 , 𝛿𝑘2 , . . . , 𝛿𝑘𝑀 } to be the set of indices arranged from the smallest value to the largest value in time slot 𝑡, node 𝑛’s action should be { 1, if 𝑛 ∈ {𝑘1 , 𝑘2 , . . . , 𝑘𝑀 }, 𝑎𝑡𝑛 = (10) 0, otherwise. Thus, to solve the PKG node selection problem, computing the priority indices is the key step. C. Solving the Restless Bandit Problem by Linear Programming Relaxation In this subsection, to solve the restless bandit problem, a hierarchy of increasingly stronger linear programming (LP) relaxations [10] is developed based on the result of LP formulations of Markov decision chains (MDCs). The restless bandit problem can be formulated as the following linear program: ∑ ∑ ∑ 𝑐𝑎𝑖𝑛𝑛 𝑥𝑎𝑖𝑛𝑛 , (11) 𝑍 ∗ = min 𝒙∈𝑋

𝑛∈N 𝑖𝑛 ∈S𝑛 𝑎𝑛 ∈{0,1}

where 𝑋 = {𝒙 = (𝑥𝑎𝑖𝑛𝑛 (𝑢))𝑖𝑛 ∈S𝑛 ,𝑎𝑛 ∈{0,1},𝑛∈N ∣𝑢 ∈ U }, S𝑛 denotes the state of node 𝑛 in state space S and 𝑐𝑎𝑖𝑛𝑛 is the cost for node 𝑛 in state 𝑖 and take action 𝑎. The first-order relaxation can be formulated as the linear program: ∑ ∑ ∑ 𝑐𝑎𝑖𝑛𝑛 𝑥𝑎𝑖𝑛𝑛 , 𝑍 1 = min 𝑛∈N 𝑖𝑛 ∈S𝑛 𝑎𝑛 ∈{0,1}

subject to 𝒙𝑛 ∈ 𝑄1𝑛 , 𝑛 ∈ N ,

262


∑ ∑ 𝑄1𝑛

𝑥1𝑖𝑛 =

𝑛∈N 𝑖𝑛 ∈S𝑛

𝑀 , 1−𝛽

(12)

where is the performance region of the first-order MDC corresponding to project 𝑛 and ∣Smax ∣ = max𝑛∈N ∣S𝑛 ∣, with the size polynomial in the problem dimensions [10].

1

Network 1

Network 2

IDS

2 IDS

Į2

Į1

3 Į1ȕ1

Į1ȕ3

Į2ȕ1

3

Į2ȕ2 4

ȝ1

2 Į2ȕ3

4

1

ȝ1Ȟ1

ȝ1Ȟ2

ȝ1Ȟ3

5 PKG

D. Primal-Dual Priority-Index Heuristic In this subsection, a heuristic for the restless bandit problem that uses the information contained in the optimal primal and dual solutions to the first-order relaxation (12) is used. The primal-dual heuristic is interpreted as a priority-index heuristic as well. The dual of (12) is ∑ ∑ 𝑀 𝜆, 𝛼𝑗𝑛 𝜆𝑗𝑛 + 𝐷1 = min 1−𝛽 𝑛∈N 𝑗𝑛 ∈S𝑛

subject to ∑ 𝜆𝑖𝑛 − 𝛽 𝑝0𝑖𝑛 𝑗𝑛 𝜆𝑗𝑛 ≥ 𝑐0𝑖𝑛 , 𝑖𝑛 ∈ S𝑛 , 𝑛 ∈ N , 𝑗𝑛 ∈S𝑛

∑

𝜆𝑖𝑛 − 𝛽

𝑝1𝑖𝑛 𝑗𝑛 𝜆𝑗𝑛 ≥ 𝑐1𝑖𝑛 , 𝑖𝑛 ∈ S𝑛 , 𝑛 ∈ N ,

𝑗𝑛 ∈S𝑛

𝜆 ≥ 0. (13) We denote by {𝑥𝑎𝑖𝑛𝑛 } and {𝜆𝑖𝑛 , 𝜆} the optimal primal and dual solution pair to the first-order relaxation (12) and its dual (13). Let {𝛾 𝑎𝑖𝑛𝑛 } represent the corresponding optimal reduced cost coefficients: ∑ 𝛾 0𝑖𝑛 = 𝜆𝑖𝑛 − 𝛽 𝑝0𝑖𝑛 𝑗𝑛 𝜆𝑗𝑛 − 𝑐0𝑖𝑛 , 𝑗𝑛 ∈S𝑛

𝛾 1𝑖𝑛

= 𝜆𝑖𝑛 − 𝛽

∑

𝑝1𝑖𝑛 𝑗𝑛 𝜆𝑗𝑛 − 𝑐1𝑖𝑛 ,

(14)

𝑗𝑛 ∈S𝑛

which must be non-negative. Furthermore, 𝛾 0𝑖𝑛 and 𝛾 1𝑖𝑛 can be interpreted as the rates of decrease in the objective-value of linear program (12) per unit increase in the value of the variable 𝑥0𝑖𝑛 and 𝑥1𝑖𝑛 , respectively. Based on the cost coefficients computed in (14), the index of the sender 𝑛 in state 𝑖𝑛 is defined as: (15) 𝛿𝑖𝑛 = 𝛾 1𝑖𝑛 − 𝛾 0𝑖𝑛 . The priority-index rule is to select the 𝑀 nodes that have the smallest indices to be active. In case of ties, select active node with 𝑥1𝑖𝑛 > 0. IV. K EY U PDATE P ROCESS OF T HE P ROPOSED S CHEME In order to decrease the computational complexity, the node selection and key update processes can be divided into offline and on-line components. We will show in Section V that the benefits achieved by our scheme merit the effort of the computations, especially considering when the majority of them can be done off-line. A. Off-line Priority Index Computation During the off-line process, priority indices are computed from (15). The input are nodes states, transition matrix and corresponding cost matrix of all available nodes. The priority indices are computed and saved as an index table. In the online part of our scheme, the priority index table will be used to select the best nodes based on nodes’ instantaneous states.

Fig. 1.

Key update process of the proposed scheme.

B. Online Key Update Process Fig. 1 illustrates the key update scenario of the proposed scheme. We assume our proposed scheme is used in network 1, which is combined with the existing hierarchical key management scheme we mentioned in Subsection 2.1. At the initialization of network 1, the root node in network 1 will publish a series of public parameters such as the depth of the network, threshold 𝑁𝑡ℎ at each level etc., and setup a secret polynomial. The coefficients of the polynomial play the role of the system secret and 𝑁𝑡ℎ = 2 at each level. The root node 1 then generates secret keys for its children 𝛼1 and 𝛼2 , which then further generate secret keys for their children respectively. When a node 𝜇1 𝜈1 in network 2 wants to join network 1, the key update process proceeds as follows: 1) Node 𝜇1 𝜈1 in network 2 at level 𝐿 wants to join network 1, it first sends a message to node 𝛼2 𝛽3 in network 1. 2) Node 𝛼2 𝛽3 in network 1 relays the message to the IDS. 3) The IDS performs a priority index table lookup to find the best nodes based on current states of all available nodes. In Fig. 1 we assume node 𝛼2 𝛽1 and 𝛼2 𝛽2 are selected. The IDS then sends messages to the selected nodes to request for construction of the PKG. 4) The selected nodes 𝛼2 𝛽1 and 𝛼2 𝛽2 construct a temporary PKG, which is done through computing the coefficients of the polynomial based on the coefficients held by 𝛼2 𝛽1 and 𝛼2 𝛽2 . With the polynomial and the ID of 𝜇1 𝜈1 (most probably 𝜇1 𝜈1 will be given a new ID for operating in network 1), the private key can be generated for node 𝜇1 𝜈1 . 5) The private key is transmitted to node 𝜇1 𝜈1 , and node 𝜇1 𝜈1 joins the network successfully. When a node leaves the network, the private key will expire, since an expiration time is encoded as part of the identifier in ID-based threshold key management scheme, and the key update process is not performed. C. Remarks on the Proposed Scheme In the online part of the proposed scheme, the IDS is responsible for storage of the priority indices and making node selection decisions, which may involve significant computation and traffic when there are many users in the network. Hierarchical intrusion detection systems (HIDE) [20, 21] could be used in the system to mitigate computation and traffic loads. One may also consider a network without an IDS where nodes make decisions locally. However this architecture would necessitate a great deal of network traffic (𝑂(𝑁 2 )) to accomplish the same goals since nodes need to communicate


with each other in order to learn their respective states. Moreover, compromised nodes may deliberately relay bogus information in order to become selected as a member of the PKG. Therefore, leaving the node selection to be processed in an IDS would be more secure and reliable. One might argue that the IDS, since it performs a monitoring function for the network, presents risk as a single-point of failure similar to a centralized trust authority. However, a significant discriminator between the two is that the IDS does not hold any keys. In addition, this IDS could be distributed in nature and periodically monitors each node’s activities, comparing them with stored normal profiles in order to detect intrusions. The IDS performs a priority index table lookup to find the best nodes based on current states of all available nodes. The index table is derived based on the stochastic restless bandit formulation, which is a well studied framework where multiple projects can be scheduled in a distributed manner with a maximum reward objective. The setup of the nodes’ transition matrices and cost matrices is a non-trivial task for the proposed scheme. In constructing these matrices, we assume that most node properties can be made known to the IDS, which should be realistic particularly for tactical MANETs where initial planning and device management is an a priori requirement. By “node properties” we mean the states and information that are used as input to the transition and cost matrices. In a dynamic environment, however, where heterogeneous nodes may join the network it may not be as realistic to know all the node properties. In that circumstance, we should be able to use the IDS to learn and predict the node properties from the history of actions and observations. This case can be modeled as a partially-observed Markov decision process (POMDP), an area that is left for future research. Clearly, the further the system evolves in real-time, the greater the likelihood that the information contained within the on-line accessible index table has become dated and the less optimal the node selection process becomes. A mitigating strategy could be to feed updated system information back to an off-line system for recalculation and redistribution. It is worth noting that a completely outdated index table means the decision-making process is no better than random, which is no worse than existing schemes. D. Security Analysis A briefly security analysis of the proposed scheme is given as follows. Our scheme has at least the same level of security as that in the existing node selection schemes (e.g., [22]) for ID-based (𝑘, 𝑛)-threshold key management in MANETs, since all of them use the same ID-based public/private keys and threshold cryptography. However, most of existing schemes do not consider how to dynamically select 𝑘 nodes among the 𝑛 nodes with master key shares at each time instant taking into account the nodes’ security conditions and energy states. Due to the distributed nature of MANETs, a node’s security state can change dynamically; some nodes may be in a safe state while others may be under attack by adversaries. Since adversaries can do cryptanalysis on the nodes with master key shares, these nodes would be compromised, and the security

263

of the whole network is breached when a threshold number of shareholders are compromised. Selecting a node under attack or a compromised node to function in the PKG process would pose a risk to the network security. By contrast, the proposed scheme takes into account the security conditions derived from intrusion detection systems to select the best nodes for reconstructing the full secret. In our scheme, the nodes with low security levels will be eliminated from reconstructing the full secret. Therefore, our scheme will have better performance than the existing scheme. In addition, the proposed scheme also takes into account the energy levels of the nodes in order to improve overall network lifetime and functionality. V. S IMULATION R ESULTS AND D ISCUSSIONS In this section, we illustrate some of the performance benefits of our proposed scheme. An initial simulation scenario has one parent node and five heterogeneous child nodes, each with different transition probabilities, states, and cost matrices. We increase the number of nodes up to 30 in different simulation scenarios. We compare the performance of the proposed scheme with an existing scheme [22], in which PKG nodes are selected randomly without consideration of the security context. The performance of our scheme without a parent node is also compared with an existing scheme. We further show the decrease of network compromising probability and the improvement of network lifetime. A. Performance Improvement over the Existing Scheme For simplicity, we use two security states: 𝑠𝑎𝑓 𝑒(𝑠) and 𝑐𝑜𝑚𝑝𝑟𝑜𝑚𝑖𝑠𝑒𝑑(𝑐) and three energy states: ℎ𝑖𝑔ℎ(𝑏1), 𝑚𝑖𝑑𝑑𝑙𝑒(𝑏2), 𝑙𝑜𝑤(𝑏3). There are a total of six states: 𝑠𝑏1, 𝑠𝑏2, 𝑠𝑏3, 𝑐𝑏1, 𝑐𝑏2, 𝑐𝑏3. The threshold 𝑁𝑡ℎ is set to 2. The security state transition probability matrices, which are defined in (1), of these nodes when they are active are set as follows: 𝐴11 = (0.94, 0.06; 0.05, 0.95), 𝐴12 = (0.97, 0.03; 0.05, 0.95), 𝐴13 = (0.92, 0.08; 0.03, 0.97), 𝐴14 = (0.91, 0.09; 0.03, 0.97), 𝐴15 = (0.94, 0.06; 0.02, 0.98), 𝐴16 = (0.999, 0.001; 0.001, 0.999). Transition probability matrix stands for the probability changes from one state to another state. For example node 1 could be compromised with probability 0.06, and it could be snatched back from the compromised state to the safe state with probability 0.05. Node 6 is a parent node and has high transition probability 0.999 that means it is more stable than lower level nodes. We also assume that when a node is not selected, the transition probability is lower than when the node is selected. Therefore, the passive transition probability matrices are defined as follows, using the assumption that parent nodes are less likely to be compromised: 𝐴0𝑖 = (0.99, 0.01; 0.01, 0.99), for 𝑖 = (1, . . . , 5), and 𝐴06 = (0.999, 0.001; 0.001, 0.999) for node 6. Node 6 is a parent node and has a lower safe-state to compromised-state transition probability of 0.001. In the simulations, we change the transition probability matrix to check the impacts of these transition probabilities. Fig. 3 shows the cost comparison over the existing scheme when the first component in the state transition probability matrix changes from 0.85 to 0.98.

264


28 Existing Schme Proposed Scheme without Parent Node Proposed Scheme with Parent Node

26 24

24

22 Existing Scheme Proposed Scheme without Parent Node Proposed Scheme with Parent Node

Average Cost

Average Cost

22 20 18 16

20

18

16

14 14

12 10

0

20

40

60

80

12 0.84

100

Step

Fig. 2.

Cost with different steps.

Fig. 3.

0.86

0.88

0.9 0.92 0.94 Transition Probability

0.96

0.98

Cost with different security transition probabilities. 40

35 Existing Scheme Proposed Scheme without Parent Node Proposed Scheme with Parent Node

30 Average Cost

The energy transition probability matrices, which are defined in (2), of nodes 𝐵𝑖1 in the simulation are: (0.98, 0.02, 0; 0, 0.97, 0.03; 0, 0, 1) for 𝑖 = (1, . . . , 5), and 𝐵61 = (0.99, 0.01; 0; 0, 0.99, 0.01; 0, 0, 1). When the node is passive, we set 𝐵𝑖0 = (0.99, 0.01, 0; 0, 0.99, 0.01; 0, 0, 1) for 𝑖 = (1, . . . , 6). Since the risk of damage to the network would be further increased if a compromised node were chosen to act as a PKG, we set the cost of selecting a safe node to lower values than those associated with compromised node selection. The cost matrices for the simulation are defined as follows: 𝐶1 = (5.5, 7.5, 15, 60, 62, 100), 𝐶2 = (8, 10, 15, 55, 58, 95), 𝐶3 = (4.5, 6.5, 15, 47, 50, 90), 𝐶4 = (6, 8, 15, 50, 55, 110), 𝐶5 = (9, 10, 15, 55, 57, 110), 𝐶6 = (15, 21, 25, 150, 150, 200), which are corresponding to the system state matrix (𝑠𝑏1, 𝑠𝑏2, 𝑠𝑏3, 𝑐𝑏1, 𝑐𝑏2, 𝑐𝑏3). The parameters are chosen based on the assumption that nodes further up in the hierarchy, if compromised, could have higher security impact on the network than would be the case for lower level nodes, which is likely in a military environment. Therefore, in our model, the cost of selecting upper level nodes as a PKG is higher than selecting the lower level nodes which have only parts of the secret shares. We compare the cost in different schemes along simulation steps. The step can be regarded as a fixed time slot such as one hour or one day etc. The proposed scheme shows distinct cost reduction over the existing scheme as shown in Fig. 2. For direct comparison with the scheme presented in [7], we constrain our proposed scheme to avoid selection of parent nodes. In this case, also presented in Fig. 2, we also demonstrate better performance than the existing scheme. Thus through optimal node selection, the cost is kept low and the system security is improved. We also perform parameter-sensitivity analysis on the proposed scheme by considering different transition probabilities. We perform simulations with 400 steps for 20 times and calculate the average cost of each time slot. Fig. 3 shows the cost comparison over the existing scheme when the first component in the state transition probability matrix changes from 0.85 to 0.98. With the increase of the transition probabilities (which

25

20

15

10

Fig. 4.

5

10

15 20 Total Number of Nodes

25

30

Cost with different numbers of nodes.

is the probability that the node remains in its current state), the system becomes more secure and the proposed scheme always has lower cost than the existing scheme. Fig. 4 shows the cost comparison when there are more nodes in the network. With the number of available nodes in the network increases from 6 to 30, the cost of all schemes becomes lower since there are more nodes that can be selected. The cost of the proposed scheme is shown to be lower than existing scheme in all circumstances. B. Network Compromising Probability Improvement In these simulations, we investigate the probability of the network being compromised by an attacker who is attempting to assemble enough key information to deduce the master key. We will assume the attacker knows all public parameters of the system. The network is deemed compromised when the root node is compromised or a threshold 𝑁𝑡ℎ of children are compromised. To make the simulations more realistic, we use three security states: 𝑠𝑎𝑓 𝑒(𝑠), 𝑎𝑡𝑡𝑎𝑐𝑘𝑒𝑑(𝑎) and 𝑐𝑜𝑚𝑝𝑟𝑜𝑚𝑖𝑠𝑒𝑑(𝑐), and two energy states: ℎ𝑖𝑔ℎ(𝑏1), 𝑙𝑜𝑤(𝑏2), so in total there are six states: 𝑠𝑏1, 𝑠𝑏2, 𝑎𝑏1, 𝑎𝑏2, 𝑐𝑏1, 𝑐𝑏2. Since our proposed scheme tends to select nodes of higher security levels, the


0.035

265

0.025

Existing Scheme Proposed Scheme without Parent Node Proposed Scheme with Parent Node

0.03

Compromising Probability

Compromising Probability

0.02

0.025

0.02

0.015

0.01


0.015

0.01

0.005

0.005

0 0.9

0.92

0.94 0.96 Transition Probability

0.98

0

1

Fig. 5. Network compromising probabilities with different security transition probabilities.

5

10

15 20 Total Number of Nodes

25

30

Fig. 6. Network compromising probabilities with different numbers of nodes. 0.025

C. Network Lifetime Improvement In these simulations we investigate the network lifetime improvement of the proposed scheme. We first check the performance when different energy transition probabilities are used. We use 6 nodes in the network, and 𝐷𝑡ℎ is set to 2, so if two nodes of the 6 nodes run out of power, the network is considered to be dead. The first component of the energy transition probability matrix is in the range from 0.88 to 0.98. The energy transition probability reflects the probability that, even when that node is selected as a PKG, it will remain in its current energy state. As shown in Fig. 8, the proposed scheme always has longer network lifetime than the existing scheme

0.02 Compromising Probability

probability of compromising the keys should be decreased. In order to quantify and compare different schemes, we will use as a metric the probability of compromise that is inversely proportional to the number of steps required by the attacker to compromise the network. Compromising probability is a system security metric widely used in the literature [23]. We first compare the network compromising probability when security transition probabilities are in the range from 0.90 to 1.0, which is translated into a less than 10% chance of the selected node being compromised, and 𝑁𝑡ℎ = 2. The results in Fig. 5 indicate the proposed scheme has lower network compromising probability than the existing scheme. When the transition probabilities are closer to 1, the compromising probabilities of all schemes asymptotically approaches 0. This is because if the nodes security state remains safe, any method of key management is safe. In Fig. 6 we compare the network compromising probability when there are more nodes in the network. With an increase in the total number of nodes in the network, all the schemes show a downward trend in compromising probabilities because there are more choices for selecting the best nodes for key management. In Fig. 7 we investigate the compromising probability when different thresholds are used. It is shown that when the security threshold increases, the network compromising probabilities are decreased, while the proposed scheme always has lower compromising probabilities than the existing scheme.


0.015

0.01

0.005

0

Fig. 7.

2

2.5

3

3.5

4 Threshold

4.5

5

5.5

6

Network compromising probabilities under different threshold 𝑁𝑡ℎ .

because the proposed scheme selects nodes considering their energy states. Fig. 9 shows the simulation results when there are more nodes in the network. When the number of available nodes increases, the network lifetime increases as well. The proposed scheme shows consistent improvement over the existing scheme in network lifetime. In Fig. 10, we evaluate the network lifetime under different threshold 𝐷𝑡ℎ . There are totally 10 nodes available. We can observe that the proposed scheme always has longer network life time than the existing scheme. From the simulation results in Figs. 2-10, we can also see that the performance of the proposed scheme using the parent node is better than that without the parent node. This is because having the opportunity of selecting the parent node provides the proposed scheme with more choice to make the node selection, and also we assume, in general, that the parent node will have stronger security (less exposure to attack) and greater power resources. VI. C ONCLUSIONS AND F UTURE W ORK In this paper, we have presented a distributed hierarchical key management scheme which we believe would be well-

266


200

250 Proposed Scheme with Parent Node Optimal Scheme without Parent Node Existing Scheme

160

Average Lifetime

Average Lifetime

200

180

150

100

Proposed Scheme with Parent Node Optimal Scheme without Parent Node Existing Scheme

140 120 100 80 60

50

40 20

0 0.88

Fig. 8.

0.9

0.92 0.94 Transition Probability

0.96

0.98

Network lifetime with different energy transition probabilities.

Fig. 10.

2

2.5

3

3.5

4 Threshold

4.5

5

5.5

6

Network lifetime under different threshold 𝐷𝑡ℎ .

300

250

Average Lifetime

R EFERENCES

Proposed Scheme with Parent Node Optimal Scheme without Parent Node Existing Scheme

200

150

100

50

0

Fig. 9.

6

8

10

12

14 16 18 20 22 Total Number of Nodes

24

26

28

30

Network lifetime with different numbers of nodes.

suited for tactical MANETs. The proposed scheme can dynamically select the best nodes to work as the PKG to improve MANET security and maximize the network lifetime. The node selection is formulated as a stochastic restless bandit problem. We use a primal dual heuristic to solve the restless bandit problem, and divide the key update process into offline and on-line components, which reduce the computation complexity significantly. Simulation results show that the proposed scheme can significantly improve network security and maximize the network lifetime. Future work is in progress to consider more node states, such as wireless route and channel states, in hierarchical key management for tactical MANETs. In addition, since off-line priority index computation may not work well in dynamic environment, we are working on some structural results [24] to minimize off-line priority index computation. VII. ACKNOWLEDGMENT We thank the reviewers for their detailed reviews and constructive comments, which have helped to improve the quality of this paper.

[1] S. Balfe, K. D. Boklan, Z. Klagsbrun, and K. G. Paterson, “Key refreshing in identity-based cryptography and its applications in MANETs," in Proc. IEEE MILCOM 2007, Orlando, FL, USA, Oct. 2007. [2] Y. Desmedt and Y. Frankel, “Threshold cryptosystems," in Proc. CRYPTO’89, Santa Barbara, CA, USA, Aug. 1989. [3] P. Gupta and P. Kumar, “The capacity of wireless networks," IEEE Trans. Inf. Theory, vol. 46, pp. 388-404, Mar. 2000. [4] D. Gu, G. Pei, H. Ly, M. Gerla, and X. Hong, “Hierarchical routing for multi-layer ad-hoc wireless networks with UAVs," in Proc. MILCOM 2000. [5] G. Hanaoka, T. Nishioka, Y. Zheng, and H. Imai, “A hierarchical non-interactive key-sharing scheme with low memory size and high resistance against collusion attacks," Comput. J., vol. 45, no. 3, pp. 293303, 2002. [6] M. Ramkumar, N. Memon, and R. Simha, “A hierarchical key predistribution scheme," in Proc. EIT’05, Lincoln, NE, USA, May. 2005. [7] R. Gennaro, S. Halevi, H. Krawczyk, T. Rabin, S. Reidt, and S. D. Wolthusen, “Strongly-resilient and non-interactive hierarchical keyagreement in MANETs," in Proc. ESORICS’08, Berlin, Heidelberg, Springer-Verlag, 2008. [8] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectly secure key distribution for dynamic conferences," Inf. Comput., vol. 146, no. 1, pp. 1-23, 1998. [9] F. Wang, H. Tang, F. R. Yu, and P. C. Mason, “A hierarchical identity based key management scheme in tactical mobile ad hoc networks," in Proc. IEEE Milcom’09, Boston, MA, USA, Oct. 2009. [10] D. Berstimas and J. Nino-Mora, “Restless bandits, linear programming relaxations, and a primal dual index heuristic," Operations Research, vol. 48, no. 1, pp. 80-90, 2000. [11] E. Laurent and D. G. Virgil, “A key-management scheme for distributed sensor networks," in Proc. 9th ACM Conf. Comput. Commun. Security, Washington, DC, USA, 2002. [12] Y. Zhang, W. Lee, and Y. Huang, “Intrusion detection techniques for mobile wireless networks," Mobile Net. and App., vol. 9, pp. 45-56, Sep. 2003. [13] A. Mishra, K. Nadkarni, and A. Patcha, “Intrusion detection in wireless ad hoc networks," IEEE Wireless Commun., vol. 11, pp. 48-60, Feb. 2004. [14] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “URSA: ubiquitous and robust access control for mobile ad hoc networks," IEEE/ACM Trans. Networking, vol. 12, pp. 1049-1063, Dec. 2004. [15] P. Hu, Z. Zhou, Q. Liu, and F. Li, “The HMM-based modeling for the energy level prediction in wireless sensor networks," in Proc. IEEE 2nd Conf. Industrial Electron. Applications, Harbin, P.R. China, pp. 22532258, May 2007. [16] Y. Chen, Q. Zhao, and V. Krishnamurthy, “Transmission scheduling for optimizing sensor network lifetime: a stochastic shortest path approach," IEEE Trans. Signal Processing, vol. 55, no. 5, pp. 2294-2309, 2007. [17] P. Whittle, “Restless bandits: activity allocation in a changing world," A Celebration of Applied Probability, J. Gani, editor, vol. 25 of J. Appl. Probab., pp. 287-298, Applied Probability Trust, 1988.


[18] H. Robbins, “Some aspects of the sequential design of experiments," Bulletin American Mathematical Society, vol. 55, pp. 527-535, 1952. [19] J. L. Ny, M. Dahleh, and E. Feron, “Multi-agent task assignment in the bandit framework," in Proc. 45th IEEE Conf. Decision Control, San Diego, CA, pp. 5281-5286, Dec. 2006. [20] Z. Zhang, J. Li, C. Manikopoulos, J. Jorgenson, and J. Ucles, “Hide: a hierarchical network intrusion detection system using statistical preprocessing and neural network classification," in Proc. IEEE Workshop Inf. Assurance Security, pp. 85-90, 2001. [21] D. G. Marks, P. Mell, and M. Stinson, “Optimizing the scalability of network intrusion detection systems using mobile agents," J. Netw. Syst. Manage., vol. 12, no. 1, pp. 95-110, 2004. [22] H. Deng, A. Mukherjee, and D. Agrawal, “Threshold and identity-based key management and authentication for wireless ad hoc networks," in Proc. ITCC’04, Washington, DC, USA, Apr. 2004. [23] X. Du, Y. Xiao, M. Guizani, and H. H. Chen, “An effective key management scheme for heterogeneous sensor networks," Elsevier Ad Hoc Netw., vol. 5, pp. 24-34, Jan. 2007. [24] V. Krishnamurthy and B. Wahlberg, “Partially observed Markov decision process multiarmed bandits–structural results," Math. Oper. Res., vol. 34, pp. 287-302, May 2009.

F. Richard Yu (S’00-M’04-SM’08) received the PhD degree in electrical engineering from the University of British Columbia (UBC) in 2003. From 2002 to 2004, he was with Ericsson (in Lund, Sweden), where he worked on the research and development of 3G cellular networks. From 2005 to 2006, he was with a start-up in California, USA, where he worked on the research and development in the areas of advanced wireless communication technologies and new standards. He joined Carleton School of Information Technology and the Department of Systems and Computer Engineering at Carleton University in 2007, where he is currently an Assistant Professor. He received the Leadership Opportunity Fund Award from Canada Foundation of Innovation in 2009 and best paper awards at IEEE/IFIP TrustCom 2009 and Int’l Conference on Networking 2005. His research interests include crosslayer design, security and QoS provisioning in wireless networks.

267

Dr. Yu is a senior member of the IEEE. He serves on the editorial boards of several journals, including IEEE C OMMUNICATIONS S URVEYS & T UTORIALS , EURASIP Journal on Wireless Communications Networking, Ad Hoc & Sensor Wireless Networks, Wiley Journal on Security and Communication Networks, and International Journal of Wireless Communications and Networking. He has served on the Technical Program Committee (TPC) of numerous conferences and as the Publication Chair of ICST QShine 2010, Co-Chair of ICUMT-CWCN’2009, TPC Co-Chair of IEEE INFOCOMCWCN’2010, IEEE IWCMC’2009, VTC’2008F Track 4, WiN-ITS’2007. Helen Tang received her Ph.D. degree in the Department of System and Computer Engineering at Carleton University, Ottawa, Canada in 2005. From 1999 to 2005, she had worked in a few R&D organizations in Canada and USA including Alcatel-Lucent, Mentor Graphics and Communications Research Center Canada. In Oct. 2005, she joined Network Information Operations Section at Defence R&D Canada as a Defence Scientist. She is a member of IEEE. She has published more than 20 research papers in international journals and conferences including IEEE T RANSACTIONS ON W IRELESS C OMMUNICATIONS , Journal of Security and Comm. Networks, IEEE ICC, IEEE VTC, IEEE Milcom, and IEEE Globecom. She has served as reviewer, session chair and technical committee member for various conferences. Her research interests include ad hoc and sensor networks, wireless network security, communication protocols and performance analysis. Dr. Peter C. Mason is a scientist and leader of the Secure Mobile Networking Group at Defence Research and Development Canada (DRDC). He holds an undergraduate degree in mathematics and graduate degrees in experimental physics. He heads a five year research project funded by DRDC focusing on the security of mobile ad hoc networks. Peter is also an adjunct professor at the University of Ottawa and the University of Ontario Institute of Technology where he is the supervisor of several graduate students. Peter lives in Canada’s capital city of Ottawa with his young son, maniacal yellow lab, stoic wife, and murderous cat. His free time is spent either riding, repairing, racing, or embedded in the ground beneath one of his six bicycles, one of which usually accompanies him wherever he happens to be in the world.

A Hierarchical Identity Based Key Management Scheme in Tactical ...

A Hierarchical Identity Based Key Management Scheme in Tactical ...

Suggest Documents