Optimal Secure Multi-Layer IoT Network Design

4 downloads 187 Views 2MB Size Report
Jul 21, 2017 - IoT networks are naturally multi-layer with the cloud and cellular ... bound on the number of links a secure network requires for a given budget ...
RSU

I2I communication Cyber attacks

Optimal Secure Multi-Layer IoT Network Design

arXiv:1707.07046v1 [cs.GT] 21 Jul 2017

Juntao Chen, Corinne Touati, and Quanyan Zhu

Abstract— With the remarkable growth of the Internet and communication technologies over the past few decades, Internet of Things (IoTs) is enabling the ubiquitous connectivity of heterogeneous physical devices with software, sensors, and actuators. IoT networks are naturally multi-layer with the cloud and cellular networks coexisting with the underlaid device-todevice (D2D) communications. The connectivity of IoTs plays an important role in information dissemination for missioncritical and civilian applications. However, IoT communication networks are vulnerable to cyber attacks including the denialof-service (DoS) and jamming attacks, resulting in link removals in IoT network. Therefore, it is important to maintain the connectivity of IoT networks and make them secure and resistant to malicious attacks. In this work, we present a heterogeneous IoT network design problem in which a network designer can add links to provide additional communication paths between two nodes or secure links against failures by investing resources. We characterize the optimal strategy of the secure network design problem by first providing a lower bound on the number of links a secure network requires for a given budget of protected links, and then developing a method to construct networks that satisfy the heterogeneous network design specifications. Case studies on the Internet of Battlefield Things (IoBT) are used to corroborate our results.

I. I NTRODUCTION Driven by the advances in sensing, processing, storage and cloud technologies, Internet of Things (IoT) have witnessed a tremendous development with a variety of applications, such as virtual reality [1], intelligent supply chain [2] and smart home [3]. In this Internet world, IoT devices are massively deployed and connected to cellular or cloud networks. For example, in smart grids, wireless sensors are adopted to collect the data of buses and power transmission lines. The collected data can then be sent to a supervisory control and data acquisition (SCADA) center through cellular networks for grid monitoring and decision planning purposes. Smart home is another example of IoT application. Various devices and appliances in a smart home including air conditioner, lights, TV, tablets, refrigerator and smart meter are interconnected through the cloud, improving the quality of the living. IoT networks can be viewed as multi-layer networks with the existing infrastructure networks (e.g., cloud and cellular networks) and the underlaid device networks. The connections between different objects in the IoT network can be divided into two types. Specifically, the communications between devices themselves are called interlinks, while the J. Chen and Q. Zhu are with the Department of Electrical and Computer Engineering, Tandon School of Engineering, New York University, Brooklyn, NY 11201, USA. email: {jc6412,qz494}@nyu.edu C. Touati is with INRIA, F38330 Montbonnot Saint-Martin, France. email: [email protected]

UAV network

UGV/Soldier network

Fig. 1: In IoBT networks, a team of UAVs and a group of soldiers and ground vehicles execute missions cooperatively. The agents in the battlefield share critical information through device-to-device communications. The UAV network and the ground network form a two-layer network which faces cyber threats, e.g., jamming attacks which can cause link removals.

devices communicate with the infrastructure through intralinks. The connectivity of IoT networks plays an important role in information dissemination. On one hand, devices can communicate directly with other devices in the underlaid network for local information. On the other hand, devices can also communicate with the infrastructure networks to maintain a global situational awareness. In addition, for some IoT devices which are scarce of on-board computational resources such as wearables and drones, they can outsource heavy computations to the data centers through cloud networks, and hence extend the use of battery [4]. Vehicular networks is an illustrative example for understanding the multi-tier feature of IoT networks. In an intelligent transportation network, vehicle-to-vehicle (V2V) communications enable two vehicles to communicate and exchange information, e.g., accidents, speed alerts, notifications. In addition, vehicles can also communicate with roadside infrastructures or units (RSU) that belong to one or several service providers for exchanging various types of data related to different applications including GPS navigation, parking and highway tolls inquiry. In this case, the vehicles form one network while the infrastructure nodes form another network. Due to the interconnections between two networks, vehicles can share information through infrastructure nodes or by direct V2V communications. IoT communication networks are vulnerable to cyber attacks including the denial-of-service (DoS) and jamming attacks. These adversarial behaviors disrupt the communications between different devices which lead to link removals in IoT network. Therefore, to maintain the connectivity of devices, IoT networks need to be made secure and resistant

to malicious attacks. For example, V2V communication links of a car can be jammed, and hence the car loses the real-time traffic information of the road which may further cause traffic delays and accidents especially in the futuristic self-driving applications. Hence, IoT networks should be constructed in a tactic way by anticipating the cyber attacks. Internet of Battlefield Things (IoBT) is another example of missioncritical IoT systems [5]. As depicted in Fig. 1, in IoBT networks, a team of unmanned ground vehicles (UAVs) serves as one layer of wireless relay nodes for a team of soldiers equipped with wearable devices to communicate between themselves or exchange critical information with the command-and-control nodes. The UAV network and the soldier network naturally form a two-layer network in a battlefield which can be susceptible to jamming attacks. It is essential to design communication networks that can allow the IoBT networks robust to natural failures and secure to cyber attacks in order to keep a high-level situational awareness of agents in a battlefield. Due to heterogeneous and multi-tier features of the IoT networks, the required security levels can vary for different networks. For example, in IoBT networks, the connectivity of UAV networks requires a higher security level when they are more likely to be targeted by the adversary. Similarly, in vehicular networks, the communication links between RSUs need a high-level protection when they anticipate more attacks than the vehicles do. Therefore, it is imperative to design secure IoT networks robust to link attacks and maintain the multi-layer network connectivity with heterogeneous security requirements. To this end, we present a heterogeneous IoT network design problem in which network links are vulnerable to malicious attacks or random failures. To enhance the security and the robustness of the network, an IoT network designer can add extra links to provide additional communication paths between two nodes or secure links against failures by investing resources to protect the links. The goal of the multi-tier network design is to make the network connectivity resistant to link removal attacks by anticipating the worst attack behaviors. Different from previous works [7], [8] which have focused on the secure design of single-layer networks, in our work, the network designer needs to take into account the heterogeneous features of the IoT networks by imposing different security requirements on each layer which presents a new set of challenges for network design. In this paper, we focus on a two-layer IoT network and aim to design each network resistant to different number of link failures with minimum resources. We characterize the optimal strategy of the secure network design problem by first developing a lower bound on the number of links a secure network requires for a given budget of protected links. Then, we provide necessary and sufficient conditions under which the bounds are achieved and present a method to construct an optimal network that satisfies the heterogeneous network design specifications with minimum cost. Finally, we use IoBT as a case study to illustrate the analytical results and obtain insights in designing secure bat-

tlefield networks. We consider a common battlefield scenario in which the UAV network anticipates higher cyber threats than the soldier network, and the number of UAVs is less than the number of soldiers. We observe that as the cost of forming a protected communication link becomes smaller, more secure connections are formed in the optimal IoBT. In addition, the designed network is resilient to the change of agents in the battlefield. For example, when a group of soldiers joining in the battle, they only need to connect to a set of neighboring companions which is convenient to implement. For the scenario in which soldiers leave the battlefield, the optimal network can be designed in a similar fashion, i.e., those who lose some degree of communications should build up new connections with other neighbors to stay resistant to attacks. We also study in Section IV the reconfiguration of the UAV network as nodes leave and join the network. Related works: A number of works have focused on the emerging critical issue on IoT security [4], [5], [9], [10]. Our work addresses the secure design of IoT networks by considering the connectivity measure through the lens of graph theory [7], [8]. Specifically, we model the IoT as a multi-layer network [11], [12] and design each layer of network with heterogeneous security requirements. Organization of the paper: Section II formulates the heterogeneous two-layer IoT network design problem. Analytical results including the optimal network design strategies are presented in Section III. Case studies of IoBT networks are provided in Section IV, and Section V concludes the paper. II. H ETEROGENEOUS T WO -L AYER N ETWORK D ESIGN P ROBLEM Consider a two-layer IoT network with two sets of devices or nodes S1 and S2 . Each set of nodes is of a different type. Let n1 = |S1 | and n2 = |S2 | be the number of nodes of type 1 and 2 respectively. We identify them to n = n1 + n2 vertices that are numbered from 1 to n. Thus, a node labeled i is of type 1 if and only if i ≤ n1 . Each set of nodes forms a subnetwork. Together with the interconnection between the two set of nodes, the subnetworks form a two-layer network. In standard graph theory, an edge (or link) is an unordered pair of vertices: (i, j) ∈ J1, nK2 . We recall that two vertices (nodes) i0 and iL are said connected in a graph of nodes S1 ∪ S2 and set of edges E if there exists a path between them, i.e., a finite alternating sequence of nodes and distinct links: i0 , i0 i1 , i1 , i1 i2 , i2 , ..., iL−1 iL , iL , where il ∈ S1 ∪ S2 and il−1 il ∈ E for all 1 ≤ l ≤ L. We consider in our framework that edges are vulnerable, either to malicious attacks or to random failures. To keep its network robust, a designer can thus invest (i) in redundancy in the path, i.e., using extra links so that two nodes can communicate through different paths, or (ii) in securing its links against failures. We refer to these special edges as protected links, or (iii) in any combination of (i) and (ii). More precisely, we consider that for the designer the cost per link created is cN P and the cost per protected link created is

Lower bound on number of non-protected links n1 (k1 +1)+n2 (k2 +1) 2

A Slope

k2 +1 2

B

n1 (k1 +1)+2(k2 +1) 2

Slope

(k2 +1)+(k2 −k1 ) 2

C

(n1 +1)(k1 +1) 2

Slope

k1 +1 2

D

k1 +1 2

Slope k1 + 1 E

0

n2 − 2

n2 − 1

n1 + n2 − 2 n1 + n2 − 1

p

Fig. 2: Lower bound on the number of non protected links as a function on the number of protected links in the network.

cP . It is natural to have cN P ≤ cP . Let ENP ⊆ E be the set of non-protected links and EP ⊆ E be the set of protected links. In this work, we assume the protection is perfect, i.e., links will not fail under attacks if they are protected. Therefore, an adversary does not have an incentive to attack protected links. Hence it is sufficient to consider attacks on a set of links EA ⊆ ENP . Consider that the nodes have different criticality levels (respectively k1 and k2 for nodes of type 1 and 2 with k1 , k2 ∈ J0, |ENP |K). It means that the nodes should remain connected or attainable through the failure of k1 and k2 links respectively. More precisely, consider a network of vertices S1 ∪S2 and edges EP ∪ENP . The designer needs to guarantee that: (a) if |EA | ≤ k1 , then all nodes remain attainable, that is: ∀i, j ∈ S1 ∪ S2 , there exists a path in the graph ((S1 ∪ S2 ), (EP ∪ ENP \EA )) between i and j. (b) if |EA | ≤ k2 , nodes of type 2 remain attainable, that is: ∀i, j ∈ S2 , there exists a path in the graph ((S1 ∪ S2 ), (EP ∪ ENP \EA )) between i and j. We call such networks (k1 , k2 )-resistant (with k1 < k2 ). Then, given the system’s parameters S1 , S2 , k1 , k2 , an optimal strategy for the designer is the choice of a set of links EP ∪ ENP and protected links EP : sD = (S1 ∪ S2 , EP ∪ ENP ), s.t. EP ⊆ J1, nK2 , ENP ⊆ J1, nK2 , EP ∩ ENP = ∅. such that: (i) sD is (k1 , k2 )-resistant. (ii) sD is of minimal cost cp |EP | + cN P |ENP |. Without loss of generality, we make the following assumptions: (A1) k1 ≤ k2 . (A2) n1 ≥ 1, n2 ≥ 1.

III. O PTIMAL S TRATEGIES In this section, we provide an analytical study of the designer’s optimal strategy, that is to say to the optimal network design. To that end, we first develop, for given system’s parameters S1 , S2 , k1 , k2 , cP and cN P , and for each possible number of protected links p a lower bound on the number of links that have any (k1 , k2 )-resistant network with p protected links (Section III-A). Then, we study 3 important cases, namely when p takes values 0, n2 −1 and n1 +n2 −1, and give for each of them sufficient conditions under which the bounds are attained as well as a construction for an optimal network (Section III-B). Based on this study, we can obtain the main theoretical result of this paper, which is the optimal strategy for the designer, i.e. a (k1 , k2 )-resistant network with minimal cost (Section III-C). We finally end this section with an illustrative example (Section III-D). A. A Lower Bound on the Number of (Non-protected) links Recall that the system parameters are S1 , S2 , k1 , k2 , cP and cN P (resp. the set of nodes of criticality level 1 and 2, the values of criticality and the unitary cost of creating protected and non-protected links). We first address the question of a lower bound on the cost for the designer with an additional constraint, which is the number of protected links of the network p. Since the cost is linear with the number of non-protected links, it amounts to find a lower bound on the number of non protected links that are required in any (k1 , k2 )-resistant network with p protected links. Proposition 1 (Lower bound on |ENP |) Let sD be a p (k1 , k2 )-resistant graph containing p protected links. Then, the number of non-protected links of sD p is at least of •



n1 (k1 + 1) + (n2 − p)(k2 + 1) if p ≤ n2 − 2, 2 (n − p)(k1 + 1) if n2 − 1 ≤ p ≤ n1 + n2 − 2, 2



0

p = n1 + n2 − 1.

if

This result is illustrated in Figure 2. Proof: Using the similar methodology of [8], we introduce the notion of contraction of network as follows. Let g = (S1 ∪ S2 , EP ∪ ENP ) be a network. Given a link (i, j) ∈ EP , the network denoted by g (i, j) refers to the one obtained by contracting the link (i, j); that is, by merging the two nodes i and j into a single node {i, j} (sometimes called supernode), and making any node a adjacent to the (new) node {i, j} in g (i, j) if and only if a is adjacent to i or j in the network g. In other words, all links, other than those incident to neither i nor j, are links of g (i, j) if and only if they are links of g. Then gˆ, the contraction of network g is the (uniquely defined) network obtained from g by sequences of link contractions for all links in EP . We illustrate the contraction of a network g in Figure 3. This example consists of 5 nodes and 2 protected links (represented in bold lines between nodes 1 and 2 and between nodes 3 and 4). The link 1, 2 is contracted and thus both nodes 1 and 2 in g are merged into a single node denoted by {1, 2} in gˆ. Similarly the link 3, 4 is contracted. The resulting network thus consists of node 5 and supernodes {1, 2} and {3, 4}. Since g contains a link between nodes 5 and 1 in g then nodes 5 and {1, 2} are connected through a link in network gˆ. Similarly, since nodes 1 and 3 are adjacent in g then supernodes {1, 2} and {3, 4} are adjacent in network gˆ.

Thus, a lower bound on the number of non-protected links in sD p is    ν1 (k1 + 1) + (ν0 + ν2 )(k2 + 1) if ν2 + ν0 > 1   2 if ν1 + ν2 + ν0 = 1 A= 0   (ν + 1)(k + 1) 1 1   if ν1 ≥ 1 and ν2 + ν0 = 1. 2 Let us finally comment on the values of ν0 , ν1 and ν2 . If no protected link is used (that is p = 0), then ν1 = n1 , ν2 = n2 and ν0 = 0 and ν0 + ν1 + ν2 = n1 + n2 = n. Adding any protection allows to decrease the total number of elements ν1 + ν2 + ν0 by 1. (Or to remain constant if the link induce a loop in a protected component of g). Thus ν0 + ν1 + ν2 ≥ n − p. Further, the number of elements of ν1 is upper bounded by n1 the number of nodes of type 1. Similarly, ν2 ≤ n2 . Finally, since n1 ≥ 1 then ν1 + ν0 ≥ 1 and since n2 ≥ 1 then ν2 + ν0 ≥ 1. Thus, for any p, a lower bound on the number of nonprotected links in sD p is given by min

ν1 ,ν2 ,ν0 , ν0 +ν1 +ν2 ≥n−p ν1 ≤n1 , ν2 ≤n2 , ν1 +ν0 ≥1, ν2 +ν0 ≥1

2

5

{1, 2} 5

3

4

(a) Network g = (N, EP ∪ ENP )

{3, 4} (b) Network gˆEP

Fig. 3: Illustration of network contraction: the links (1, 2) and (3, 4) are contracted.

Consider a network g having p protected links, and gˆ its contraction. Let • • •

ν1 be the set of nodes of type 1 of gˆ (and supernodes containing only nodes of type 1), ν2 be the set of nodes of type 2 of gˆ (and supernodes containing only nodes of type 2), ν0 be the set of supernodes of gˆ that contains nodes of both type 1 and 2.

Note that if ν1 + ν2 + ν0 = 1, (that is, if there is a unique supernode containing all nodes of the network), then no non-protected link is needed to ensure any level of (k1 , k2 )resistancy. Otherwise, for the network to be (k1 , k2 )-resistant, each element of ν1 , ν2 and ν0 must have a degree of (at least) k1 + 1. Further, if there exist more than 1 element not in ν1 , that is if ν0 + ν2 ≥ 2, then each of them should have a degree of (at least) k2 + 1.

(LP)

To solve this optimization problem, we consider 3 cases. Case 1: First, assume that p < n2 −1. From ν0 +ν1 +ν2 ≥ n − p, we get that ν0 + ν2 > 1. Thus, (LP) reduces to min

1

A.

ν1 ,ν2 ,ν0 , ν0 +ν1 +ν2 ≥n−p ν1 ≤n1 ,ν2 ≤n2 ν1 +ν0 ≥1, ν2 +ν0 ≥1

ν1 (k1 + 1) + (ν0 + ν2 )(k2 + 1) . 2

Since k2 ≥ k1 then the minimum is obtained when ν0 +ν2 is minimized, that is when all protections involve nodes of type 2. Thus, the lower bound is n1 (k1 +1)+(n2 2 −p)(k2 +1) . This observation is illustrated by the blue line in Figure 2 joining points A and B. Case 2: Now, assume that n2 − 1 ≤ p ≤ n1 + n2 − 2. Then n − p ≤ n1 + 1. Therefore, for a given p that is for a given minimal value of ν0 + ν1 + ν2 we can have either ν0 + ν2 > 1 or ν0 + ν2 = 1. Again, since k2 ≥ k1 , the lower 1 +1) bound is (n−p)(k . It is illustrated by the brown line in 2 Figure 2 joining points C and D. Case 3: Finally, when p = n2 − 1, ν0 + ν1 + ν2 = 1, and thus no non-protected link is needed, which is represented by point E in Figure 2. B. Special Values of p We have studied in the previous subsection for each potential number of protected links p a lower bound on m(p) the minimum number of non protected links for a network with sets S1 and S2 to be (k1 , k2 )-resistant. The cost associated with such network is pcP + m(p)cN P . Since the goal of the designer is to minimize its cost, we need to investigate the value of p minimizing such function. Looking at Figure 2, we note that the plot of a graph of equal cost P (iso-cost) K is a line of equation K−pc cN P . It is thus a line

of (negative) slope cP /cN P that crosses the y-axis at point K/cN P . Recall also that the graph that shows m(p) as a function of p is on the upper-right quadrant of its lower bound. Thus the optimal value of p corresponds to the point where an iso-cost line meets the graph m(p) for the minimal value K. From the shape of the lower bound drawn in Figure 2, the points A, C and E are good candidates. We thus investigate in this subsection the condition under which the lower bounds are reached in these points and what are some corresponding optimal graphs. Proposition 2 For any value of p, denote by sD p a (k1 , k2 )network with p protected links and the minimum number of non-protected links. • •



Each sD link n−1 contains exactly 0 non-protected m l (n1 +1)(k+1) D nonEach sn2 −1 contains exactly 2 protected links if and only if k1 + 1 ≤ n1 . If we have the following asumptions: (i) k1 mod 2 = 1, (ii) n2 > k2 − k1 andthat (iii) n2 k12+1 ≤ n1 , then  each n (k + 1) + n (k + 1) 1 1 2 2 . sD 0 contains exactly 2

Proof: We successively show the 3 items of the proposition: (i) sD n−1 contain exactly n − 1 protected links. It is thus possible to construct a tree network among the nodes of S1 ∪ S2 that consists only of protected nodes. Thus no non-protected node is required and the lower bound can be reached. (ii) Now, suppose that p = n2 − 1. If k1 + 1 ≤ n1 , construct any tree protected network on the nodes of S2 . Further, construct a (k1 + 1)-Harary network (the definition of such networks as well as a constructive method is given in [6]) on the nodes of S1 ∪ {n1 + 1}, that is the nodes of the first type and one node of the second type. Such construction is possible since k1 + 2 ≤ n1 +l 1. The totalmnumber of non protected links is then exactly (n1 +1)(k+1) . 2 Now if k1 +1 > n1 then suppose that a network g achieves the lower bound. Consider its associated contracted network gˆ. Since g contains n2 −1 protected links, then gˆ is such that ν0 + ν1 + ν2 ≥ n1 + 1. From the shape of the lower bound function A, then necessarily ν0 + ν2 = 1 and ν1 = n1 . Thus all nodes of S2 needs to be connected together by protected links. Since there are n2 such nodes, then this requires at least n2 − 1 protected links, which equals p. Thus, there cannot be any protected link involving nodes of set S1 . In addition, each of the n1 nodes of S1 needs to be connected to at least k1 + 1 other nodes. Since k1 + 1 > n1 , then (k1 + 1) − (n1 − 1) ≥ 2 represents the number of nodes of S2 that needs to be connected to any node of S1 . (Indeed, recall that in a complete graph of m nodes, each node has a degree of m−1). Thus the network admits at least n1 (n21 −1) + n1 ((k1 + 1) − (n1 − 1)) = n1 (k1 + 1) − n1 (n21 −1) . Thus the extra number of links (compared to the lower bound)

required is: n1 (n1 − 1) n1 − 1 = (k1 + 1 − n) > 0 2 2 (iii) Finally, suppose that p = 0. Renumber the nodes according to the following sequence: k1 + 1 k1 + 1 , n2 , + 1, ..., k1 + 1, n2 + 1, 1, 2, ..., 2 2 k1 + 1 k1 + 2, ..., 3 , n2 + 2, ... 2 Then, we build a (k1 + 1)-Harary network. Note that since n2 k22+1 ≤ n1 , then the last k12+1 indices of the sequence only contain nodes of type 1. Thus, by construction, note that there are no links between any two nodes of S2 . Then, construct a k2 − k1 -Harary network on the nodes of S2 . This is possible since n2 > k2 − k1 . n1 (k1 + 1) −

C. Optimal Strategy Based on the following proposition, we can assess the optimal strategy for the designer, depending on the parameters’ values in a wide range of situations. Let us briefly review and comment on the scenarios they represent: • The number of nodes is relately large compared to the link failure risks (n2 ≥ k2 − k1 + 1, and n1 ≥ k1 + 1). Indeed, they represent the fact that the nodes could satisfy, alone, the necessary number of links to protect the network without protections. Indeed, even a full graph with m nodes can protect against (at most) m − 1 link failures. • The nodes of type 2, i.e. the set of critical nodes, requiring extra protection measures represent a relatively small subset of the network (n2 k12+1 ≤ n1 ). • Finally, the constraints k1 mod 2 = 1 and n2 (k2 + 1) mod 2 = 0 are present only to simplify the proofs and the presentation of the present paper. They do not, however, affect significantly the result. The different cases corresponding to k1 mod 2 = 0 or n2 (k2 + 1) mod 2 = 1 can be studied in a similar fashion as in the previous study, the only difference being for certain values of the parameters sD n2 −2 may be an optimal strategy in a similar analysis as in [8]. Proposition 3 Suppose that n1 ≥ k1 + 1, n2 ≥ k2 − k1 + 1, n2 k12+1 ≤ n1 , k1 mod 2 = 1 and n2 (k2 + 1) mod 2 = 0. Then: c D 1 • If 2 c P ≥ k2 + 1 + kn22−k −1 , then S0 are optimal NP strategies. k +1 D 1 • If k1 + 1 + 1n ≤ 2 ccNPP ≤ k2 + 1 + kn22−k −1 , then Sn2 −1 1 are optimal strategies c k +1 D • 2 c P ≤ k1 +1+ 1n , then Sn−1 are optimal strategies. 1 NP Proof: From Proposition 2, under the proposition’s D assumptions, S0D , SnD2 −1 and Sn−1 achieve the lower bounds of Proposition 2. Consider Figure  2. Note that the  slope of the line between 1 A and C is 21 k2 + 1 + kn22−k and between C and E is −1   k1 +1 1 . 2 k 1 + 1 + n1

From the proposition’s assumptions and since k2 ≥ k1 , the line between A and C has higher slope than that between C and E. Thus, if the lines of iso-costs have a slope higher than the slope of the line (AC) then the minimum cost is obtained at A. Similarly, if the slope is less than that of (CE) then the minimum cost is obtained at E. Otherwise, the minimum is obtained at C. Noting that the slope of the lines of iso-costs is cP /cN P leads to the result. D. Example We develop in this section some optimal networks sD p for all values of p between 0 and n1 + n2 − 1 in the case where: k1 = 3, k2 = 5, n1 = 7, n2 = 3. Figure 4 shows some constructions of networks. Nodes of type 1 are represented in white while nodes of type 2 are represented with black dots. Non-protected links are drawn in normal lines while protected links are represented in thick lines. The subfigures 4((a)-(j)) represent possible configurations for p growing from 0 to n−1 = 9 respectively. For each subfigure, the caption gives the number of nonprotected links needed and compares it to the lower bound computed in Proposition 1. Note that the bounds are reached in the example except for the cases where the number of nodes is too low to construct proper Harary network, that is: • When p ≤ n2 − 1 and n2 − p ≤ k2 − k1 . (case b, ν2 = k2 − k1 = 2) • When p > n2 and 1 < n − p ≤ k1 (cases g, h and i where ν1 values 4, 3 and 2 respectively). From Proposition 3, c • network depicted in Figure 4a is optimal iff c P ≥ 3.5, NP • network depicted in Figure 4c is optimal iff 16/7 ≤ cP cN P ≤ 3.5, c ≤ • network depicted in Figure 4j is optimal iff c P NP 16/7. Figure 4 also gives insight on the evolution of the graph in a potential dynamic scenario when p evolves (due to the sytem constraints or change of costs). Indeed any time when a protected network needs to be removed, the optimal strategy is to remove by order of preference: (i) (any) protected link joining two nodes of type 1, or if no such link exists (ii) a link between a node of type 1 and one of type 2, and if no such link exists (iii) one link between two nodes of type 2. Then, the protected link that has been removed is replaced by the proper number of non-protected links.

and situational awareness of each agent in the battlefield, a secure and reliable communication network resistant to malicious attacks is inevitable. The IoBT network designer determines the optimal strategy on creating links with/without protection between agents in the battlefield. The ground layer and aerial layer in IoBT generally face different levels of cyber threats, e.g., DoS and jamming attacks, which aim to disrupt the network communications. In the following case studies, we investigate the scenario that the IoBT network designer anticipates more cyber attacks on the UAV network than the soldier and UGV networks. To create protected D2D communication links, one method is to use moving target defense (MTD) [13]. Specifically, instead of using a single communication channel between agents which is easy for attackers to compromise (unprotected link), the designer can create multiple channels and use switching strategies when one is down. Hence, the connection of two agents through multi-channel technology can be seen as a protected link. The cost ratio between c forming a protected link and a unprotected link cNpP is critical in designing the optimal IoBT network. This ratio cp cN P depends on the number of channels used in creating a safe link though MTD. We will analyze various cases in the following studies. A. Optimal IoBT Network Design Consider an IoBT network consisting of n1 = 20 soldiers and n2 = 5 UAVs. The designer aims to design the ground network and the UAV network resistant to k1 = 5 and k2 = 9 attacks, respectively. Hence the global IoBT network is (5, 9)-resistant. Based on Proposition 3, we have two critical points T1 := (k1 + 1 + k1n+1 )/2 = 3.15 and T2 := 1 k2 −k1 (k2 + 1 + n2 −1 )/2 = 5.5, at which the topology of optimal IoBT network encounters a switching. For example, when a protected link adopts 3 channels to prevent from attacks, c i.e., cNpP = 3, the optimal IoBT network is an sD 24 graph as shown in Fig. 5a. When a protected link requires 5 channels c to be perfectly secure, i.e., cNpP = 5, then the optimal IoBT network is of sD 4 configuration which is depicted in Fig. 5b. In addition, if the cyber attacks are difficult to defend against c (e.g., require 7 channels to keep a link safe, i.e., cNpP = 7), the optimal IoBT network becomes an sD 0 graph as shown in Fig. 5c. The above three types of optimal networks indicate that the smaller the cost of a protected link is, the more secure connections are formed starting from the UAV network to ground network. B. Resilience of the IoBT Network

IV. C ASE S TUDIES In this section, we use case studies of IoBT to illustrate the optimal design principals of secure networks with heterogeneous components. In a battlefield scenario, the soldiers, unmanned ground vehicles (UGV) and unmanned aerial vehicles (UAV) execute missions together. The realtime information sharing and collaboration between different agents enabled by device-to-device (D2D) communications are critical. To enhance the information transmission quality

The numbers of UAVs, UGVs and soldiers can be dynamically changing. To study the resilience of the designed network, we first investigate the scenario that a number of UGVs/soldiers join the battlefield which can be seen as army backups. As n1 increases, the threshold T1 decreases slightly while T2 remains unchanged. Therefore, the optimal IoBT network keeps with a similar topology except that the newly joined UGVs/soldiers connect to a set of their neighbors. To illustrate this scenario, we present the optimal network

(a) p = 0 (point A):

(d) p = 3:

4∗7 2

4∗7+6∗3 2

= 23 links

(b) p = 1: 21 links (instead of 20) (bound NOT reached)

(e) p = 4:

= 14 links (bound reached)

(g) p = 6: 9 links (bound NOT reached)

4∗6 2

(c) p = 2 (point C): reached)

4∗8 2

= 16 links (bound

(f) p = 5:

4∗5 2

= 10 links (bound reached)

= 12 links (bound reached)

(h) p = 7: 3 ∗ 4/2 = 6 links (bound NOT reached)

(i) p = 8: 4 links (bound NOT reached)

(j) p = 9: 0 links (bound reached)

Fig. 4: Possible optimal networks for all values of p.

c

with n1 = 22 and cNpP = 5 in Fig. 6a, and all the other parameters stay the same as those in Section IV-A. When n1 decreases, the network remains almost unchanged except those UGVs/soldiers losing communication links build up new connections with neighbors. An illustrative example with n1 = 17 is depicted in Fig. 6b. Another interesting scenario is that when the number of UAVs n2 changes due to backup aerial vehicles joining in and current vehicles leaving the battlefield for maintenance. When n2 increases, then the threshold T1 remains the same c while T2 decreases. If the cost ratio cNpP lies in the same regime with respect to T1 and T2 even though T2 decreases, c then under cNpP ≤ T2 , the newly joined UAV will connect

with another UAV with a protected link which either creates cp D or sD an Sn−1 n2 −1 graph. Otherwise, if cN P > T2 , the UAV first connects to other UAVs and then connects to a set of UGVs/soldiers both with unprotected links which yields an sD 0 graph. When a number of UAVs leaving the battlefield, i.e., n2 , decreases, then T1 stays the same and c T2 will increase under which the cost ratio cNpP previous cp belonging to regime I ( cN P ≥ T2 ) may change to regime c II ((T1 ≤ cNpP ≤ T2 )). Note that regime switching can also happen when n2 increases. Therefore, the optimal IoBT D network switches from sD 0 to sn2 −1 (for the increase of n2 case, the switching is in a backward direction). For example, c when the network contains n2 = 6 UAVs and cNpP = 5.4,

UGV/Soldier network

UAV network

Two soldiers joining in

Protected link Unprotected link

UAV network

UAV network

Protected link

UGV/Soldier network

UGV/Soldier network Rewired links

UGV/Soldier network

Zoom-in topology Benchmark 2

(a)

Two soldiers joining in

(a) sD 24 IoBT networkBenchmark 1 UAV network

UAV network

UAV network Unprotected link

Protected link Unprotected link UGV/Soldier network

UGV/Soldier network

UGV/Soldier network

(b)

Benchmark 3

(b)

sD 4

IoBT network Benchmark 2 (3,4,5,9,10,11) (15,16,17,18, 19,20)

UAV network (6,7,8,12,13,14) (1,2,5,6,7,8)

3

13

8

5

20

12

16

19

10

4 1

18

17

14

2 7

The numbers refer to the UGVs/soldiers that UAV connects to.

(12,13,14,17,20)

9

UGV/Soldier network

Fig. 6: (a) and (b) show the optimal IoBT network reconfiguration 3 soldiers leavingrespecwhen two UGVs/soldiers join in and leave the battlefield, tively.

6

11

(c) sD 0 IoBT network

15

Benchmark 3

cp

Fig. 5: (a) When cN P = 3 < T1 , the optimal IoBT network is an cp sD 24 graph with all protected links. (b) When T1 < cN P = 5 < T2 , D the optimal network is an s4 graph, where the UAV network is connected with protected links and the ground network with all c unprotected links. (c) When cNpP = 7 > T3 , the optimal IoBT D network adopts an s0 configuration with all unprotected links.

the cost of using protected and unprotected links. We have shown a lower bound on the number of non-protected links of the optimal network and developed a method to construct networks that satisfy the heterogeneous network design specifications. We have demonstrated the design methodology in the IoBT networks with a team of UAVs and a team of soldiers. It has been shown that the optimal network can reconfigure itself adaptively as nodes enter or leave the system. In addition, the optimal IoBT network configuration may encounter a topological switching when the number of UAVs changes to an extent. As part of the future work, we would investigate the method of network construction under different parameter regimes and extend the two-layer network problem to a multi-layer one. R EFERENCES

and the other parameters are the same as those in Section IV-A, from Proposition 3, the optimal IoBT network is an sD 0 graph. However, Fig. 5b shows that the optimal network adopts an sD 4 topology when n2 = 5. Therefore, by adding a UAV to the aerial layer, the optimal IoBT network switches D from sD 4 to s0 in this scenario. The interpretation is that a smaller number of UAVs is easier for the aerial network to defend against attacks, and hence protected links are used between UAVs instead of redundant unprotected links. V. C ONCLUSION In this work, we have studied a multi-layer secure network formation problem for IoT networks in which the network designer aims to form a two-layer communication network with heterogeneous security requirements while minimizing

[1] Cisco. [Online]. Available: http://www.cisco.com/c/en/us/solutions/ internet-of-things/virtual-reality-demonstration.html. [2] Z. Pang, et al. ”Value-centric design of the internet-of-things solution for food supply chain: value creation, sensor portfolio and information fusion.” Information Systems Frontiers 17.2 (2015): 289-319. [3] M. Wang, et al. ”An IoT-based appliance control system for smart homes.” in Proceedings of the Fourth International Conference on Intelligent Control and Information Processing (ICICIP). IEEE, 2013. [4] Z. Xu, and Q. Zhu. ”Secure and resilient control design for cloud enabled networked control systems.” in Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or Privacy. ACM, 2015. [5] M. J. Farooq, and Q. Zhu, “Secure and Reconfigurable Network Design for Critical Information Dissemination in the Internet of Battlefield Things (IoBT),” in Proceedings of 15th International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt), Telecom ParisTech, Paris, France, 2017. [6] F. Harary. The maximum connectivity of a graph. Proceedings of the National Academy of Sciences of the United States of America, 48(7):1142, 1962.

[7] M. Dziubiski, and S. Goyal. ”Network design and defence.” Games and Economic Behavior 79 (2013): 30-43. [8] C. Bravard, L. Charroin, and C. Touati. ”Optimal design and defense of networks under link attacks.” Journal of Mathematical Economics 68 (2017): 62-79. [9] L. Zhou, and H. C. Chao. ”Multimedia traffic security architecture for the internet of things.” IEEE Network 25, no. 3 (2011). [10] R. H. Weber. ”Internet of ThingsNew security and privacy challenges.” Computer law & security review 26, no. 1 (2010): 23-30. [11] J. Chen, and Q. Zhu. ”Resilient and decentralized control of multilevel cooperative mobile networks to maintain connectivity under adversarial environment.” in Proceedings of the 55th Conference on Decision and Control (CDC), pp. 5183-5188. IEEE, 2016. [12] J. Chen, and Q. Zhu. ”Interdependent network formation games with an application to critical infrastructures.” in Proceedings of the American Control Conference (ACC), pp. 2870-2875. IEEE, 2016. [13] Q. Zhu, and T. Basar. ”Game-theoretic approach to feedback-driven multi-stage moving target defense.” in Proceedings of International Conference on Decision and Game Theory for Security, pp. 246-263. Springer International Publishing, 2013.