
This is the final post of a two-part series. Guest post by Navin Rustagi.

If a faulty detector node misfires, it will end up propagating a false alert through the whole network, unnecessarily congesting it. In our recent paper we address this issue to some extent by implementing a Time To Live (ttl) field in the alert messages and the nodes. A system parameter called **τ** is used to initialize the ttl field of the detector nodes when they get alerted for the first time. After that, each alerted node decrements its ttl field by one in each successive time step and sends out its alert messages with that value. Newly alerted nodes are initialized with the value of the ttl field in the alert message that alerts them. If a node receives an alert message with a higher ttl value than its existing one, it updates its ttl to the new value. Once the ttl value reaches zero, an alerted node stops propagating but remains alerted throughout. Observe that this ttl mechanism ensures that if τ = O(log log n), the influence of false alerts is limited to at most a polylogarithmic number of nodes.
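The ttl rule above as an added Python sketch; it is not the authors' simulator or code from the paper. It assumes every alerted node with a positive ttl forwards to all of its overlay neighbors (the α, β, γ parameters are ignored), that a message carrying ttl 0 still alerts its recipient, and that the overlay is a constructed circulant graph; `circulant`, `step`, `spread` and `ball_bound` are hypothetical names.

```python
# Added illustration, not the authors' simulator. Assumptions: alerts go to
# every overlay neighbor (no alpha/beta/gamma probabilities), a message with
# ttl 0 still alerts its recipient, and the overlay graph is constructed.

def circulant(n, offsets):
    """Constructed overlay: node i is linked to i +/- each offset (mod n)."""
    return {i: sorted({(i + s * o) % n for o in offsets for s in (1, -1)})
            for i in range(n)}

def step(graph, ttl):
    """One synchronous round of the ttl rule; returns the new ttl table."""
    new_ttl = dict(ttl)
    inbox = {}                                  # node -> highest ttl received
    for node, t in ttl.items():
        if t > 0:                               # expired nodes stay silent
            new_ttl[node] = t - 1               # decrement, then send that value
            for nb in graph[node]:
                inbox[nb] = max(inbox.get(nb, -1), t - 1)
    for node, t in inbox.items():
        # New nodes adopt the message ttl; alerted nodes keep the higher value.
        if node not in new_ttl or t > new_ttl[node]:
            new_ttl[node] = t
    return new_ttl

def spread(graph, detectors, tau, rounds):
    """Fire `detectors` with ttl = tau, run `rounds` rounds, return ttl table."""
    ttl = {d: tau for d in detectors}           # a key in ttl means "alerted"
    for _ in range(rounds):
        ttl = step(graph, ttl)
    return ttl

def ball_bound(degree, tau):
    """Upper bound on nodes within tau hops of one node at the given degree."""
    return sum(degree ** k for k in range(tau + 1))

if __name__ == "__main__":
    g = circulant(500, (1, 22))                 # 500 nodes, degree 4
    for tau in (1, 2, 3):
        final = spread(g, [0], tau, rounds=50)  # one false alert at node 0
        print(f"tau={tau}: {len(final)} alerted, bound {ball_bound(4, tau)}")
```

A single false alert never travels more than τ hops, so the number of nodes it reaches is bounded by the size of the τ-hop neighborhood regardless of how long the system runs.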

In the paper which we have submitted to SSS, we show that for worms which are designed to last for at most O(log n) time steps, there are certain conditions on the parameters which ensure that with the alert strategy adapted slightly from our paper in OPODIS, all but o(n) nodes in the network will be alerted w.h.p.

We call the lower bound on the expected rate of growth of alerts **p** and the upper bound on the expected rate of growth of worms **q**. We choose the values of α, β and γ such that p ≥ 2q². For these values of the parameters, we show that w.h.p. all but o(n) nodes would be alerted if the worms are constrained to spread in at most O(log n) time steps. In this paper, we assume that the overlay network has degree O(log n) (as opposed to a constant degree in the previous paper) so that we can make use of the resulting high vertex and edge expansion in our analysis. The rate of growth of alerts characterized by p only provably holds until O(n/log n) nodes are alerted. After that, the lower bound on the expected rate of growth of alerts, until the number of alerted nodes exceeds n/3, is called p_{1} = (1 + e^{-α}/4).

In our paper in OPODIS, as long as p was greater than q we gained a significant advantage over the worms in terms of the number of nodes alerted. Since an alerted node continues to send alert messages throughout the game, the worm does not gain any ground by slowing down the infection process. But in this paper, due to the constraints imposed by the ttl mechanism, alerted nodes have to stop propagating once their ttl field expires. So the worms can wait for the ttl to expire before starting the infection again. We show in our analysis that we can avoid worrying about the number of nodes which stop propagating alerts by alerting, in one round, enough detector nodes that in τ more rounds they would alert all but o(n) nodes in the network. To do that, we define a *small step round* to be a round in which the number of virgin (neither infected nor alerted) nodes that receive worm messages is no more than 1/(log_{p_1} n) times the number of infected nodes at the end of the previous round. A round which is not a small step round is called a *large step round*.

We observe that for a worm to take over the network in O(log n) rounds, there has to be a large step round after n/(log_{p_1}^{2r+1} n) nodes have been infected and before κ_{0} n/(log_{p_1}^{2r+1} n) nodes have been infected, where κ_{0} is a fixed constant. We make use of the high edge and vertex expansion of the underlying network, coupled with the fact that p ≥ 2q², to show that the detector nodes alerted at the end of this large step round are good enough to alert all but o(n) nodes in τ more rounds.

A simulation implementing our algorithm on a network of 500 nodes with degree 10 and α=4, γ=0.15, β=1 and τ=3 is given here.
