Proceedings of the 2010 14th International Conference on Computer Supported Cooperative Work in Design
Game Theoretic Approach in Multipath Routing for
Tradeoff between Routing Security and Performance
Siguang Chen
Meng Wu
College of Computer
College of Telecommunications & Information Eng.
Nanjing University of Posts and Telecommunications
Nanjing University of Posts and Telecommunications
Nanjing, China
Nanjing, China
[email protected]
[email protected]
Abstract—This paper minimizes the routing security risk while
limiting the delivery ratio under an ideal value by 1) finding
multiple paths between source and destination node; 2)
employing the game theory to obtain the most reliability paths
and further optimize shares allocation on these paths; 3)
integrating secret sharing scheme, and achieving tradeoff
between security risk and delivery ratio according to the tradeoff
coefficient. Besides improving fault tolerance, it also improves
security. In particular, it makes the eavesdropping attacks
maximally difficult as the attackers would have to eavesdrop on
all possible paths. Simulation evaluations validate our theoretical
results and demonstrate how the routing protocol performs in
terms of both security risk and performance.
Keywords-Game theory; multipath routing; secret sharing;
optimization; cryptography; security.
In game theory routing optimization field, the purpose of
traffic allocation optimization can be divided into two
categories. One is for performance, currently, most work
application of game theory focus on improve the performance
of networks, such as: [7] proposed a game theoretic method,
called forwarding dilemma game, which provides the
probability of forwarding the flooding messages by
controlling routing overhead in ad hoc networks; [8] proposed
a new RG specifically designed for elastic traffic, where they
maximize the total utility through load-balancing only; In [9],
through calculating the delay utility function, the protocol
uses the link capacity difference among different paths to
obtain the optimal arrival rate for each selected path.
I.
INTRODUCTION
In conventional, protocols such as DSR [1] and AODV [2]
select single path to route data from source to destination
node, this mechanism is vulnerable to link failures and
compromising attack. Adversaries only need attack one path
can compromise the data and the packet delivery ratio is low
for unreliable link.
A multipath approach is used to protect transmission data.
This approach increases the network fault tolerance and
decreases the security risk of compromising. But it is
challenge to choose the best paths and how to allocate the
flows on these paths.
Other is for security, but few work attention it. [10]
proposed game theoretic stochastic routing to minimize the
impact of link, routing failure and improve security; in [11],
game theory is employed to solve and analyze the formulated
multipath routing problem for maximizing the delivery ratio,
minimizing
the
security
risk
and
achieving
security-performance tradeoff. The intuition behind these two
schemes is that the constraints on security risk is too stringent,
no redundant traffics transmit on paths, so it can not control
the security freely and further decrease the security risk and
improve fault tolerance of link failure.
We first propose a multipath routing finding algorithm for
building the node-disjoint multipath links between source and
destination node. Next, we formulate our multipath routing
security problem as a minimax problem and employ game
theory to find the optimal solution. The obtained solutions
provide the most reliability paths and optimal shares
allocation on these paths. Finally, we integrate the secret
sharing into our traffic allocation which achieves tradeoff
between security risk and delivery ratio and maximally
difficult as the attacker would have to attack all possible paths.
This mechanism provides flexible control of routing security
and can further decrease the security risk and improve fault
tolerance. Simulation evaluation shows our solutions make
the most security routing and improve the fault tolerance.
Many common routing optimization approaches have been
proposed for traffic allocation problems, such as: [3] proposed
a mathematical optimal routing algorithm with routing metric
combining both requirements on a node’s trustworthiness and
performance; [4] proposed a dynamic routing algorithm that
aims at the randomization of delivery paths for data
transmission to provide considerably small path similarity of
two consecutive transmitted packets to enhance security; [5]
devised two algorithms termed the Bound-Control algorithm
and the Lex-Control algorithm to optimize the data allocation
across multiple paths; In [6], It applies secret sharing to
spread data over multiple paths and proposes a security
optimized share allocation method.
The rest of this paper is organized as follows. The
preliminaries and notations are presented in SectionĊ. In
978-1-4244-6763-1/10/$26.00 ©2010 IEEE
717
Section ċ we describe the proposed scheme. Simulation
results are showed and analyzed in Section Č . Some
concluding remarks are given in Sectionč.
II.
same asymmetric key ( pk , sk ) and the path set is computable
by attacker using traffic analysis and estimation [12].
B. Multiple Routes Discovery
PRELIMINARIES AND NOTATIONS
1) Route request phase
Source node: node will initiate the route discovery
procedure to dynamically find new routes to this destination
node by assembling a RREQ packet and locally broadcasting
it.
A. Nash Equilibrium
Nash equilibrium (named after John Forbes Nash, who
proposed it) is a solution concept of a game involving two or
more players, in which each player is assumed to know the
equilibrium strategies of the other players, and no player has
anything to gain by changing only his or her own strategy
unilaterally. If each player has chosen a strategy and no player
can benefit by changing his or her strategy while the other
players keep theirs unchanged, then the current set of strategy
choices and the corresponding payoffs constitute a Nash
equilibrium.
< RREQ,Re q _ ID, E pk (Re q _ ID ), pre _ add ,
hop _ count , Sou _ add , Des _ add , E pkd ( K sd ),{} >
Intermediate node: firstly, node decrypts E pk (Re q _ ID) by
secret key sk , if the value unequal the Re q _ ID ,discard this
packet, otherwise, insert intermediate node address to the
route request list and update the previous hop address and hop
count in route packet; then, insert the route into the route
cache; lastly, if this route request has the same request
identification and previous hop address from which the first
RREQ is received; or if this route request has the same
request identification, different previous hop address and hop
count is larger than the first RREQ is received; or if node own
address is already listed in the route list in the local route
request table, node discards this request packet. Otherwise,
node adds an entry for the route request in the local route
request table. Then propagate the updated packet as a local
broadcast packet.
B. Notations
For convenience and readability, all the notations of our
proposed protocol are summarized below.
Re q _ ID
Identification of route request
Sou _ add
Address of source node
Address of destination node
Des _ add
Address of intermediate node x
nx _ add
Previous hop address of route request
pre _ add
Sou _ add , Des _ add , E pkd ( K sd ),{n0 _ add } >
Asymmetric key of destination node
( pkd , skd )
Destination node: if this node is the destination of the
route discovery, it returns a RREP to the source node of the
route discovery; after the first RREQ received, the destination
node waits certain duration of time to receive more RREQs
and sends other RREPs to the source node. Where the route
request packet is like this.
Asymmetric key of legal nodes
( pk , sk )
Encryption with secret key z
E z ()
Hash function
H ()
{... || ...}
Nodes list
(... || ...)
Shares list
K sd
< RREQ,Re q _ ID, E pk (Re q _ ID), pre _ add , hop _ count ,
Count of pass nodes
hop _ count
< RREQ,Re q _ ID, Epk (Re q _ ID), pre _ add , hop _ count , Sou _ add ,
Shared symmetric secret key between source
Des _ add , Epkd (Ksd ),{n0 _ add || n1 _ add || ...|| Des _ add} >
and destination nodes
III.
2) Route reply phase
Destination node: firstly, insert this node address into the
route request list and update the previous hop address and hop
count in route packet; then, insert the route into the route
cache. Destination node stores K sd as session key. Later,
destination node sends RREP to the source node of route
request, the format of RREP is following:
THE PROPOSED PROTOCOL
A. Network Model
In this paper, the topology of the wireless network is
represented by the directed graph G = ( N , L) , where N is the
set of nodes and L is the set of directed links. Our analysis is
based on a data session between source node S and
destination node D. We define P as the set of paths between S
and D. Let f i denotes the number of shares from S to D that
traverses along path i ∈ P . We denote the rl as the reliability
probability of link l ∈ L . Let pi denotes the compromised
probability of path i ∈ P . The d denotes the packet delivery
ratio and θ denotes tradeoff coefficient between security and
performance. We assume that source node knows the public
key of destination node, every legal nodes is distributed a
< RREP, Des _ add, Epk (Des _ add),{nx _ add || nx−1 _ add ||...|| Sou _ add} >
Where nx _ add is the next hop address of RREP and also
the previous hop address of route request destination node,
Sou _ add is the destination node of RREP and Des _ add is the
source node of RREP.
Intermediate node: if the intermediate node received the
RREP, firstly, node decrypts E pk ( Des _ add ) by secret key sk ,
if the value unequal the Des _ add ,discard this packet,
718
otherwise, node can determine the next hop to where this
route reply needs to be sent by the node address list. Node
forwards the following format packet to the next hop.
attackers, denotes as G1 . The strategy sets of source node and
attackers are { f i , i ∈ P} and { pi , i ∈ P} , respectively. The
source node is to minimize its utility function U s = r by f i and
attackers aim to maximize its utility function U A = r by pi . A
set of strategies is a Nash Equilibrium (NE) if no player can
do better by unilaterally changing his or her strategy, thus,
each strategy in a Nash equilibrium is a best response to all
other strategies in that equilibrium. John Forbes Nash in his
article Non-Cooperative Games was to define a mixed
strategy Nash Equilibrium.
< RREP, Des _ add, Epk (Des _ add),{nx _ add || nx−1 _ add ||...|| Sou _ add} >
Source node: source node caches this route in its route
cache and waits certain duration of time to receive more
RREPs. Finally, the source node builds the multiple paths
between source and destination node. Meanwhile, source node
takes the node disjoint paths as candidate paths for shares
allocation.
Theorem 1. In game G = {S1 , S 2 ,..., Sn ; u1 , u2 ,..., un } , there are
n players, Si and ui denote strategy set and utility function of
player i respectively, if n is finite and Si is a finite set of
strategies of every player i, then prove that at least one
(mixed strategy) Nash Equilibrium must exist in G.
C. Optimal Share Allocation and threshold value
In this subsection, we assume that there are totally
| P | node-disjoint paths, path 1, path 2 … path| P | , available
from the source to the destination node.
Definition 1. We define our routing protocol as the dependent
path routing protocol [13] which uses multiple node disjoint
paths in which data traversing separate paths are jointly
coded and secured.
Because players can choose strategy from finitely many
strategies and only two players in G1 , we can derive a (mixed
strategy) Nash Equilibrium is exist in our game model.
From definition 1, which means in our protocol, a set of
coded packets must be jointly decoded in order to recover the
original message.
Thus, we can transform our minimax optimization
problem to following form:
min max r = U s [ f i* (i ∈ P), pi * (i ∈ P )]
fi , i∈P pi ,i∈P
We formalize the share allocation in path set to minimize
the routing security risk while limiting the delivery ratio under
an ideal value. Nevertheless, the attackers make efforts to
maximize this risk and unreachable ratio. These can be
viewed as a following minimax optimization problem:
r * = min max ¦ f i (0.5 + 0.5∏ rl ) pi
fi , i∈P pi ,i∈P
i∈P
Where ( fi * , pi * ) is a mixed strategy NE of G1 .
Definition 5. In our protocol, every choice path has at most
one attacker.
(1)
From Ref. [12], we can know that the path set is
computable by attacker using traffic analysis and estimation,
in addition, the choice paths are node disjoint paths, the
intelligent choice of collusion attackers is attack one path at
most one attacker.
l ∈i
rl > 0.7, ∀l ∈ L
Subject to
¦p
i
≤ t , 0 ≤ pi ≤ 1, ∀i ∈ P
¦f
i
= n, fi ≥ 0, ∀i ∈ P
(2)
i∈P
Obviously, solve the minimax optimization problem equal
to find the NE in G1 . We cite the following lemma of mixed
strategy NE to compute the optimal solution.
i∈P
Where n equals the total shares of packet, t equals number
of attackers, r = ¦ f i (0.5 + 0.5∏ rl ) pi .
Lemma 1. Every action in the support of any player’s NE
mixed strategy yields the same payoff [14].
With respect to the above optimization and following
model, we define these concepts as follows:
If ¦ pi = t , then we apply the lemma 1, we can derive the
i∈P
l∈i
i∈P
following equation:
Definition 2. If link l ∈ L is compromised by attacker, then any
message traverse the link l will be eavesdropped or modified.
r * = min* nt / ¦ [1/(0.5 + 0.5∏ rl )]
i∈P
Definition 3. The path i ∈ P is compromised if and only if
there is at least one link l ∈ i for which is compromised.
i∈P*
Subject to ∏ rl ≥ 2t /
l∈i
Under the definition 2 and 3, we further define the
compromise of integrated message.
(3)
l∈i
¦ [1 /(0.5 + 0.5∏ r )] − 1
l
j∈P*
(4)
l∈ j
We denote the packet delivery ratio as follows:
d = [ ¦ f i ∏ rl (1 − pi )] / k
Definition 4. The entire message transmission along path
set P is compromised if and only if the compromised shares
equal or bigger than k.
i∈P*
l∈i
Afterward, NE ( fi * , pi * ) can be figured out as follows:
We employ game theory to model our optimization
problem as a noncooperative game between source node and
719
(5)
f i* = n / [(0.5 + 0.5∏ rl ) ¦ 1 /(0.5 + 0.5∏ rl )]
(6)
pi * = t / [(0.5 + 0.5∏ rl ) ¦ 1 /(0.5 + 0.5∏ rl )]
(7)
l ∈i
l ∈i
a1 , a2 ,..., ak −1 and define
l∈ j
j∈P*
Meanwhile, we define the k’s value of secret sharing
scheme (k, n) [15] as follows:
k = n | P* | / ¦ 1 /(0.5 + θ ∏ rl )
j∈P*
l∈ j
i∈P
shares
Where No denotes the identification number of data M, k
is the threshold.
The structure of transmission packet on path i is following:
< DFWD, Sou _ add, Epk (Sou _ add), EKsd (Fi ),
1: Input: path set P which was established by our
multipath routing finding algorithm.
{n0 _ add || n1 _ add || ...|| Des _ add} >
Intermediate node: firstly, node decrypts E pk ( Sou _ add )
2: For each path i ∈ P do
by secret key sk , if the value unequal the Sou _ add , discard
this packet, otherwise, transmits data packet to next hop.
3: If path i ∈ P satisfies the constraints (4), hold this
path in P .
Destination node: Destination node can obtain the S I by
decrypting with K sd . After node has received k random
shares ( S1 , S2 ,..., Sk ) , then can reconstruct the original data M
and A by Lagrange interpolation.
4: Else: delete this path from P .
5: End for
6: Return new P which P* = P
Algorithm 1: Optimal path set computation algorithm
k
f ( x ) M = h( x ) M = ¦ f ( I I ) M
*
If path set P is found, then, minimize our security risk
through the NE. From equations (3) and (8) we can deduce
that if the t ( t ≥| P* | ) attackers collusion and attackers select
the optimal attack strategy (mean that every path has at most
one attacker (intelligent choice) and select pi ∗ ), which can
nearly compromise our data.
I =1
k
f ( x ) A = h( x ) A = ¦ f ( I I ) A
I =1
( x − Il )
mod Q (14)
l =1, l ≠ I ( I I − I l )
k
∏
( x − Il )
mod Q
l =1, l ≠ I ( I I − I l )
k
∏
(15)
Where I I denote the value of I in S I = ( I , f ( I ) M , f ( I ) A ) .
Then we can compute the f (0) M = M , f (0) A = A . Next,
verify the A = H ( M ) , if the equation is right, destination
node send the data M to high layer since there are no modified
shares in reconstruction process.
D. Data Transmission
The idea of Shamir’s (k, n) threshold system is to share a
secret key between n parties [15]. Each group of any k
participants (share holders), can cooperate to reconstruct the
shares and recover the secret. On the other hand, no group of
k-1 participants can get any information about the secret. Our
data transmission based on (k, n) secret sharing is presented as
follows.
IV.
SIMULATION RESULTS
In the simulation, the network coverage area is a
1000m*1000m square with 100 mobile nodes. Each node has
radio power range of 200m. The channel capacity is 2 Mbps.
The IEEE 802.11 wireless LAN standard is used as the MAC
layer protocol. The interval time to send packets is 0.25
second. The size of all data packets is set to 64 bytes. We
compare our proposed protocol with algorithm in [16] to
evaluate performance and security by security risk and packet
delivery ratio.
Source node: node splits the transmission data into n
shares according to the optimal solution, and regulates only
receiving k shares can recover the data. We input data M and
public hash function H () , compute A = H ( M ) . The source
node obtains Ith share by evaluating a polynomial of degree
(k-1).
f ( x) A = (a0 + a1 x + ... + ak −1 x k −1 ) mod Q
n
i
l∈i
f ( x) M = (a0 + a1 x + ... + ak −1 x k −1 ) mod Q
(12)
Fi = [ No, ( S I +1 & S I + 2 & ... & S I + f * ), k ], I ∈ 1, 2,..., n (13)
We introduce an algorithm to find our path set P* such
that r * = min* nt / ¦ [1 / (0.5 + 0.5∏ rl )] .
*
SI = ( I , f ( I )M , f ( I ) A )
As a result, source node generates
( S1 , S2 ,..., Sn ) and assigns fi * shares on path i .
(8)
Where | P* | denotes the number of paths which select to
transmit shares.
i∈P
(11)
The Ith share is
l∈ j
j∈P*
f (0) M = M , f (0) A = A
The reliability of Link l ∈ L is generated through a normal
distribution N ( μ = 0.7, σ 2 = 0.2) . The simulation performs in
a multiple attackers’ case. The simulation assume that our
transmission exist in the worst case in which the attackers
know the path set and every path allocate at most one attacker.
(9)
(10)
Where x = I , Q is a prime number greater than any of
coefficients. To select randomly k − 1 coefficients
DPSP denote the algorithm in [16]. Our scheme denotes
720
reliability path and maximum the paths can avoid or reduce
the compromising probability and increase the delivery ratio.
the protocol proposed in this paper. We observe the fact that
the number of maximum paths in this experiment is around 6
and the maximum routing overhead is around 8 (routing
overhead: the ratio of the total hop count from source to
destination node in our multipath routing to the minimum hop
count in single-path routing).
In conclusion, the simulation results show that the design
of the scheme further improve the routing security and fault
tolerance ability, and can flexibly achieve tradeoff between
security risk and delivery ratio via θ .
1
0.9
V.
DPSP
Our scheme =0.65
0.8
In this paper, we focus the problem of how to select best
paths and how to allocate the message shares on these paths in
wireless multihop networks. Firstly, we establish the node
disjoint multipath between source and destination node by our
routing finding algorithm; next, we employ game theory to
choice paths and optimize shares allocation on paths; finally,
the secret sharing scheme is used to further improve fault
tolerance and security. Simulation results show that the
protocol improves the routing security and fault tolerance.
Our scheme =0.75
Security risk
0.7
0.6
0.5
0.4
0.3
0.2
0.1
0
1
2
3
4
Number of attackers
CONCLUSIONS
5
ACKNOWLEDGMENT
This research is supported by the National High
Technology Research and Development Program of China
(863 Program) under Grant No. 2006AA01Z208, Natural
Science Foundation of Jiangsu province under Grant No.
BK2007236 and Six Talented Eminence Foundation of
Jiangsu Province under Grant No. SJ207001.
6
Fig.1 Security risk
Delivery ratio
REFERENCES
[1]
[2]
[3]
[4]
[5]
Fig.1 depicts the security risk at different number of
attackers. Figure shows that the security risk rises
significantly with the increase of the number of attackers, and
the risk decreases with the θ rises from 0.65 to 0.75.
Obviously, the security risk of our scheme is less than DPSP,
and these results are not the best of our algorithm since the
value of k is less than n. We can obtain a better value of
security risk by adjusting tradeoff coefficient θ . The
simulation results demonstrate that our scheme further
enhances the security of the network subject to the worst case.
It also confirm that the message will nearly be compromised
if the number of attackers t ≥| P* | .
[6]
[7]
[8]
[9]
[10]
We consider the attack which not only compromise our
packets, but also can disrupt the communication. Fig.2 shows
that the delivery ratio reduces saliently with the increase of
the number of attackers, and also decreases with the increase
of θ . The delivery ratio of our scheme is still higher than
DPSP, although in order to keep the low security risk, we
sacrifice the part of the delivery ratio. Combination the Fig.1
and Fig.2 we can deduce that our scheme is more robustness
and flexibility than DPSP’s; we also can derive that choice the
[11]
[12]
[13]
721
D. Johnson et al., “The dynamic source routing protocol for mobile Ad
Hoc networks (DSR),” draft-ietf-manet-dsr-09.txt, Apr. 2003.
C. Perkins et al., “Ad hoc on demand distance (AODV) vector routing,”
RFC 3561, Jul. 2003
M. Yu et al., “A secure routing protocol against byzantine attacks for
MANETs in adversarial environments,” IEEE transactions on vehicular
technology, vol. 58, no. 1, pp. 449-460, Jan. 2009.
C. F. Kuo et al., “Dynamic routing with security considerations,” IEEE
transactions on parallel and distributed systems, vol. 20, no. 1, pp. 48-58,
Jan. 2009.
P. P. C. Lee et al., “Distributed algorithms for secure multipath routing
in attack-resistant networks,” IEEE/ACM transactions on network,
vol.15, no.6, pp. 1490-1501, Dec. 2007.
W. Lou et al., “SPREAD: Improving network security by multipath
routing in mobile ad hoc networks,” Wireless Networks, vol. 15, no. 3,
pp. 279-294, Apr. 2009.
M. Naserian et al., “Game theoretic approach in routing protocol for
wireless ad hoc networks,” Ad Hoc Networks, vol.7, no. 3, pp. 569-578,
May. 2009.
F. Larroca et al., “Routing games for traffic engineering,” in Proc. the
IEEE ICC 2009, 2009, pp. 1-6.
T. Hui et al., “A game theory based load-balancing routing with
cooperation stimulation for wireless ad hoc networks,” in Proc. the 11th
IEEE international conference on high performance computing and
communications, 2009, pp. 266-272.
S. Bohacek et al., “Game theoretic stochastic routing for fault tolerance
and security in computer networks,” IEEE transactions on parallel and
distributed systems, vol. 18, no. 9, pp. 1227-1240, Sep. 2007.
L. Chen et al., “On multipath routing in multihop wireless networks:
security, performance, and their tradeoff,” Eurasip journal on wireless
communications and networking, vol. 2009, pp. 1-13, 2009
G. Danezis and R. Clayton, “Introducing Traffic Analysis,” Digital
Privacy: Theory, Technologies, and Practices, A. Acquisti, S. Gritzalis,
C. Lambrinoudakis, and S. di Vimercati, eds., Auerbach, Dec. 2007.
P. Tague et al., “Evaluating the vulnerability of network traffic using
joint security and routing analysis,” IEEE transactions on dependable
and secure computing, vol. 6, no. 2, pp. 111-123, Apr-Jun. 2009.
[14] M. J. Osborne and A. Rubinstein, A Course in Game Theory, MIT Press,
Cambridge, Mass, USA.
[15] A. Shamir, “How to Share a Secret,” Communications of the ACM, vol.
22, no. 11, pp. 612-613, Nov. 1979.
[16] P. Papadimitratos et al., “Path set selection in mobile ad hoc networks,”
in Proc. the International Symposium on Mobile Ad Hoc Networking
and Computing (MobiHoc ’02), 2002, pp. 1–11.
722