Library

Volume 10, Number 3, November 2007

Metrics For Networked Systems Design In A Network-Centric Warfare Context

  1. 1 Finnish Defence Forces, CIS Centre Development Division, Kutojankulma 2, PL 210, 02631 Espoo, Finland.

Abstract

This paper presents modelling techniques for networked systems. A network metric is suggested for evaluation and comparison of different networked systems in a network-centric warfare context with random or targeted attacks against the network structure. A method is also presented to calculate the threshold values of link failure probabilities where it is optimal for an attacker to shift targeted attacks against links of lower degree nodes. This information is vital for the defender in planning and constructing more robust networks against targeted attacks.

Introduction

This paper discusses modelling networked systems of services and users. Expressions for robustness are derived for realistic military situations. The methods are not limited to low failure probabilities so they are suitable for vulnerable and robust systems.

The goal of this paper is to develop a general framework for studying and comparing different networked systems when network links (edges) and nodes (vertices) become non-functional. The models presented here have a common viewpoint that one connection is enough for two parties to communicate, two connections are enough for three parties and so on. Here we use the term connection when there is a path between nodes—that is, connectivity is maintained. When all the nodes break down during the same time period, the system is down for the next time period. It is possible that during the repair period the nodes are destroyed again.

In the basic model, all the functional nodes in the system can do the same job. This is crucial when network metrics are calculated and makes a big difference to another definition of network metrics used in [6], where all the possible connections and nodes have been summed and weighted with values of links and nodes.

A networked system comprises three different elements: network links, functional network nodes, and technical network nodes. Functional network nodes are computer centres, command centres, users of networked services, and so on. Technical nodes are, for example, network routers and there are no applications for end users. Destroying a functional network node is usually more serious than destroying a technical network node. [7]

The framework consists of the following four steps:

  • Evaluate the failure probability p for a general target, a node or a link.
  • Evaluate the failure probability for a system of several nodes (Section 3).
  • Evaluate the failure probability for a network connection (several links) (Sections 4 and 5).
  • Evaluate the failure probability for a combined system of nodes and connections (Section 6).

In the first step the failure probability is evaluated for one target where firing theory is the tool if weapons are used against infrastructure [15]. Computer viruses and technical errors have to be taken into account by different methods. At the end of this step failure probabilities for functional nodes and links have been evaluated.

In step two, scenarios for one or several nodes are studied where, in the case of a node breakdown, a task transfer to another node can occur. The receiving node can be a standby node or a non-standby node. Task transfer to a standby node happens automatically and immediately after the failure. Task transfer to a non-standby node can occur after manual operations or rebuilding of the system. The main difference is that a transition to a standby node happens directly without delays and a transition to a non-standby node requires a preparation phase.

The goal in Section 3 is to construct a model sufficiently general to allow different modifications. The theory behind is discrete or continuous time Markov processes [5]. For Markov processes future states of the system are not influenced by the past of the system, only the current state is important. The limiting distribution is calculated as a first model but given the initial state, time dependence can be studied easily. Markov matrices serve also as a visualization tool for understanding the system’s behaviour.

Step three is analogous to step two but the system is composed of network links. The probability for a connection between functional nodes is evaluated and a method is presented for the computation. Section 4 introduces some basic concepts of network connectivity. Section 5 presents a method to compute a measure of robustness for military networks or civilian networks under the threat of terrorist attacks. In the model attacks are not random but targeted so as to cause maximum damage to a network and unequal failure probabilities for network links are considered. Markov matrices or limiting processes are not used in Section 5 but the results can be utilized in Section 6 for limiting distributions. Alternatively, time-dependent solutions can be calculated by iterating waves of attacks with the methods of Section 5 alone.

In step four the system is regarded as a collection of functional nodes and links. The total failure probability for the system can be calculated. This is also a measure for comparing networks and networked systems. The survival probability of the system or the entire network is suggested as a new network metric (Equation (6.4)).

In the long run, if no repair takes place, the system will eventually break down. But if the number of spare parts or nodes is sufficiently large, compared to the time of hostile activity, the networked system can still operate until the end of the war. In this case the probability is fairly easy to compute. The probability distribution for the system in operation is given by the binomial distribution.

Models 1 and 2, in Section 3, give the limiting distributions π0 and π for the probabilities for the system not in operation and in operation respectively. In the models Q is the ratio of uptime to downtime of the system and it is a function of the number of replaceable nodes of the system. If in the system planning phase, a requirement for Q is given, a lower bound for the number of nodes can be solved.

Recovery of command centres

Because military systems may be targets for hostile attacks special actions are necessary to increase robustness of systems. One obvious way is to replicate application servers. If one copy of the system is destroyed another takes the task and so on. In this section we study robustness of the replicated system and in later sections networking is included in the model.

Next we present a mathematical model based on Markov chains for a system of nodes which are destroyed or where a technical error occurs at random times. The actions to get the system operational again are to repair or to replace the node. There are many scenarios that can be described with this model.

Our model is based on Markov chains [5]. The limiting distribution is:

πj=k=0,NπkPkj,j=0,1,...,N (3.1)

The distribution is unique for regular transition probability matrices (Pkj) [5, Theorem IV.1.1]. The number of states is N+1. The convergence means that, in the long run, the probability of finding the Markov chain in state j, is approximately πj, no matter in which state the chain began at time 0. The system has reached the stationary state.

Imagine a situation that one command centre is completely destroyed but with the help of advanced technology another command centre takes over in almost real time and users of the system are completely unaware of what has happened. In addition, it is assumed that the nodes not in operation are repaired in the background during the same time period. This is why the number of nodes n is kept constant. In state 0 nodes are still vulnerable and can be destroyed again during the repair period. This assumption may be unrealistic in practice and a more accurate model could be constructed. Later in this paper more refined Models 2 and 2B will be presented where more states of the system will be introduced.

The parameters of the model are p, pr and pt where p is the failure probability during the specified time interval, pr is the conditional probability to repair or replace the system during the time period and pt is the conditional probability of task transfer of a node.

The model is a simplification of the real world system in several respects. We assume that the process is a Markov process with constant parameters p, pt, and pr. The model for repairing the system is approximate because the distribution for the duration of the repair time is usually not known. An effect of discrete time is that the system always stays one time step or period in the state where it arrives, before it makes another transition

Fast task transfer to another node is studied in Model 1. States 1 and 2 are defined as a combination of several nodes: one or more of the n nodes are not destroyed. The only difference between states 1 and 2 is that they have different history. Transition to state 0 occurs when the last of the n nodes is destroyed. The Markov matrix becomes:

P=|1(1p)pr(1pn1)pt(1p)pr(1pn1)ptpn1pn0pn01pn| (3.2)

The ratio of uptime to downtime of the system Q(n) can be solved from the limiting distribution of (3.1)

Q(n)=ππ0=(1p)pr+(1pn1)ptpn (3.3)

The variables π0 and π = π1 + π2 =1–π0 give the probabilities for the system not operating and operating:

π0=11+Q(n) and π=Q(n)1+Q(n).

The values with parameters pr = pt = 0.01 of Q(n), n=2, 3, 4, 5 have been shown as a function of the failure probability p in Figure 1.

(Model 1, parameters pr = pt = 0.1). Ratio Q as a function of the failure probability p for one node, with 2, 3, 4 and 5 nodes in the system. The examples given in the text have been marked with dots.
Figure 1. (Model 1, parameters pr = pt = 0.1). Ratio Q as a function of the failure probability p for one node, with 2, 3, 4 and 5 nodes in the system. The examples given in the text have been marked with dots.

In [8] a network penalty factor has been introduced to account for negative effects of information overload. Heuristic logistic shape equation g(C) with parameters a and b has been introduced to account for additional network connectivity:

g(C)=(ea+bC)(1+ea+bC)

C is the total number of network links accessed by nodes on the critical path. The approach is opposite to this presentation where vulnerability is considered as a central phenomenon in networked systems. In our model no heuristic penalty functions are necessary because additional nodes and links are redundant and the only effect is to improve reliability of the network. (3.3) can be compared to the logistic penalty function of [8]. (3.4) gives n as a function of Q(n)

n=ln(pr+ptpprpQ+pt)lnp+1 (3.4)

For an example Q=50 (2% not in operation) and p=0.2, pr=pt=0.1, the result from (3.4) is n3.5—that is, four nodes are needed to maintain the system at 98% capacity. For a low value of Q=5 (20% not in operation) two nodes are almost enough to maintain the system at 80% level. In Figure 1 these examples have been marked with dots.

In Model 2, the state space is larger than before, also the limiting probabilities for n, n–1, n–2, …, 1 nodes in operation will be calculated. In the basic model, constant repair time is assumed. For example, if there are three nodes in the system the Markov matrix is:

P=|000100p1p0p22p(1p)(1p)2p33p2(1p)3p(1p)2(1p)3| (3.5)

The elements of the matrix are the probabilities P{X=k}=(n|) of binomial distribution with parameters n and p. The states of the system are labelled according to the number of nodes in operation i=0, 1, 2, 3. The limiting distribution is:

π0=p3(1+p)3,π1=3p2(1+p)3,π2=3p(1+p)3,π3=1(1+p)3

The general equations for n nodes for the limiting distribution are:

πk=i=nk,ni!(nk)!(in+k)!pnk(1p)in+kπi (3.6)

and the normalization equation is i=0,nπi=1. By Theorem [5, IV.1.1] the solution is unique for 0<p<1 and we get:

πi=(n|) (3.7)

where: (n|)

Equation (3.7) can be verified by substitution into (3.6). The factor 1/(1+p)n is for normalization. When p<1 and n the probability of no operation π00 for Models 1 and 2. The striking difference is that π01, in Model 1, and π01/2n, in Model 2, when p1. As the number of nodes increases the probability for a system not in operation goes to zero in Model 2. The difference is due to the higher repair activity of Model 2 compared to Model 1. In Figures (2a) and (2b) Models 1 and 2 are compared for the parameter values pr = pt = 0.1. The probabilities of no operation have been shown as a function of the failure probability p with n=1,..,15 replaceable nodes in the system.

For realistic applications more accurate models may be necessary. In Model 2B, the repair time of nodes will be taken into account. The 4×4-matrix corresponding to (3.5) is:

P=|(1pr)33pr(1pr)2......(1pr)2p(1pr)2(1p)+2pr(1pr)p......(1pr)p22(1pr)p(1p)+prp2......p33p2(1p)......|
|......3pr2(1pr)pr3......2(1pr)pr(1p)+pr2ppr2(1p)......(1pr)(1p)2+2prp(1p)pr(1p)2......3p(1p)2(1p)3| (3.8)

The limiting distribution for n nodes in the system is:

πi=(n|) (3.9)

The theory can be generalized in many ways. For example combined states of nodes and links can be considered or history of the system can be included in the model. Also different failure or repair rates can be incorporated for different number of broken nodes resulting in different values of p and pr on matrix lines in (3.8).

Probability for an operative connection

Our next step is to connect the command centres in a wide area network. The same model can be applied for connecting computers in a local area network or people with telephone lines and so on. We assume that there is a connection between two sites if there is at least one connection, or path, in operation. Figure 3a shows two simple networks which we take as examples. A general method to calculate the failure probability will be presented based on the first example. [10] In Section 5 the second test network is studied in more detail.

We assume that the failure probability for every link in the graph is pl during the specified time period and the probability is independent of the length of the link. We investigate the first test network of Figure 3a. To make the situation practical we can list all the combinations of broken links. There are 32 all together, when the case with no broken links, is also counted. The probability that one link is broken is pl(1pl)4, the probability that two links are broken is pl2(1pl)3 and finally the probability that all the links are broken is pl5. There are one, five, ten, ten, five and one combinations for zero, one, two, three, four and five broken links. This is the familiar Pascal triangle rule. The normalization is:

s=0,5(5|)

In our example if only one link fails there is a connection between all the nodes. For two link failures two there are two possibilities of no connection, and so on. The link connectivity is two for the network. We calculate the probability of no connection between the marked nodes one and four of the first test network of Figure 3a as:

pL=1[(1pl)5+5pl(1pl)4+10pl2(1pl)3
+10pl3(1pl)2+5pl4(1pl)+pl52pl2(1pl)3
8pl3(1pl)25pl4(1pl)pl5)]
=2pl2+2pl35pl4+2pl5 (4.1)

where, in the parenthesis, the probabilities of no connection have been subtracted. If we think that the failure probability for one link is small, it is a good approximation, to take only the first powers of pl. In the example pL2pl2 if pl is small. Generally, for low values of pl we have pLACplCwhere C is the link connectivity and AC is given later in (5.3). In Figure 3b the probability of no connection between nodes one and four for the first test network and nodes four and nine for the second test network are shown as a function of the link failure probability. The connection in the first network is more robust than the connection in the second network.

Note that the theory presented in Section 3 applies also for links in the network. For example from (3.9) the probability of operation is:

π=1pn(pr+p)n12npl2n(pr+2pl2)n (4.2)

and the ratio:

Q=ππ0=(prpL+1)n1(pr2pl2+2pl35pl4+2pl5+1)n1(pr2pl2+1)n1 (4.3)

In system design, the lower bound for links n, can be solved from (4.3) when the value of required Q is given.

The probabilities pL,uj should be computed for different connections between nodes u and j in the network. Usually, in real networks, the probabilities pL,uj are different for each connection, as a result of the network structure. This problem is studied for random and not random failure probabilities in Section 5. As an example, consider a system of a user u and two nodes 1 and 2 where the user needs a connection Lu1 or Lu2 to one of the nodes. Equation (3.8) for three states transforms into:

P=|(1pr)22pr(1pr)pr2(1pr)pL,u1prpL,u1+(1pr)(1pL,u1)pr(1pL,u1)pL,u222pL,u2(1pL,u2)(1pL,u2)2| (4.4)

where pL,u1 and pL,u2 are the failure probabilities for the connections Lu1 and Lu2. The analysis for the model proceeds as before and the quantities π0,π1,π2,π,Q,... can be solved.

Networked command centres

The last step is to combine the results of the previous sections. A networked system is composed of nodes and connections where failure probabilities for individual nodes and connections are denoted by pN (notation p in Section 3) and pL,ij correspondingly. Consider a combination of one node and a connection between the node and a user in the network (second node is a user). The failure probability for the networked system is:

pN,ij=pL,ij+pNpNpL,ij (6.1)

For the first example network of Figure 3a and the connection between the nodes one and four

pL,14=2pl2+2pl35pl4+2pl5

where pl is the link failure probability. Usually, the failure probabilities are different for the networked system states, because of the network structure. The values of pL,ij are different on each line of the Markov matrix, for example, from (5.2):

pL,12=pl2+2pl33pl4+pl5

between nodes one and two and:

pL,23=4pl34pl4+pl5

between nodes two and three.

As a simple example consider the Markov matrix where the time period is the approximate repair time as in Model 2 in Section 3:

|000100p11p10p201p2p1p2(1p1)p2p1(1p2)(1p1)(1p2)| (6.2)

where p1=pN=4,14 and p2=pN=2,12 from (6.1). Node one is the user of the system. The model states are described in Table 1.

The stationary distribution of the example is:

π0=p1p2π3,
π1=p2π3,
π2=p1π3 and
π3=(1+p1+p2+p1p2)1.

Generally, the metric for an entire network can be computed as:

M=1Sj=1,...,Ns=1,...,Sπjs=11Ss=1,...,Sπ0s (6.3)

where S is the number of independent systems or applications in the network, N is the number of operational states in the system and state zero is the non operational state. The metric M takes values between zero and one where values near one indicate robustness of the networked system. The limiting probabilities 1π0s, of Models 1 or 2, are used in (6.3). The failure probability p for a system of a node and a connection is given in (6.1). If users of the system connect to the network from different locations, the average over connection points should be included in (6.3).

Higher weights for critical applications may be used. Because weights for applications are difficult to evaluate, the metric M works better comparing alternate structures of a networked system. For one system s the value M=1π0s gives the metric which depends on the network topology of nodes and links.

If no repairing occurs, for example during targeted attacks, the metric can be computed for a specified time period with the methods of Section 5. From (5.4) the metric is M=1PL. Without repairing the stationary distribution gives the state where finally all the systems have failed and this is not useful information for comparing robustness of systems.

If the links are invulnerable the results of Section 3 are used and the network topology has no effect. In rare situations where the network is symmetric and symmetry is approximately maintained, pN,ijp in (6.1) for all nodes and connections and the methods of Section 3 are suitable.

Table 2. Summary of Section 3.
Model 1Model 2B
π=pr+ptpn11pn1+(pr+pt)π=1pn(pr+p)n
Q=ππ0=(1p)pr+(1pn1)ptpnQ=(prp+1)n1
n=ln(pr+ptpprpQ+pt)lnp+1n=ln(Q+1)ln(pr+p)lnp

The main results of Section 3 have been collected in Table 2. The first row is the probability for the system in operation, the second row gives the fraction Q of operation for n nodes and the third row gives the lower bound for the number of nodes if the capacity level Q has been given as a planning principle.

The steps of the method have been summarized here:

Step 1: Calculate or evaluate the failure probabilities for individual nodes and links. Firing theory or simulation can be used.

Step 2: (Section 3) Calculate the limiting distribution of failure probabilities for several replaceable nodes. Markov chains are used as a tool. (If more than one node is necessary for the system to operate then calculate the probability for the relevant combination of nodes by the same method.)

Step 3: (Sections 4 and 5) Calculate or evaluate the failure probabilities for connections of the system. One connection comprises of one or more links. (If more than one node is necessary for the system to operate then calculate the probability for the relevant combination of links by the same method.)

Step 4: (Section 6) Calculate the failure probabilities for pairs of a node and a link of the system. (If more than one node and one connection is necessary for the system to operate calculate the probability for the relevant combination of nodes and links by the same method.) In Step 4 each combination of a node and a link is considered as a ‘combined node’ and the new probability is inserted into the analysis of Step 2. Alternatively a specified time period can be investigated by the method of Section 5 if no repairing occurs or the assumption of stationary state distribution is not suitable. This may occur in targeted attacks of Section 5.

Summary

The main results of this paper are the techniques of incorporating services, users, and the network topology in the same model and the calculation of targeted attacks against the network structure.

A networked system is studied in the network-centric warfare scenario. Failure probabilities for a system of several replaceable nodes have been calculated and a method for calculating failure probabilities for connections between nodes has been given.

A networked system is composed of nodes and connections where a connection has one or more links. The probabilities are for the worst case scenario, and as a baseline the networked system is assumed to be in operation, if only one node and one connection, or path, is in operation. The same model can be applied for systems of several nodes if the nodes are not replaceable. Markov chains and stationary system states have been used as a tool.

The theory presented in this paper gives the fraction of uptime 1π0s to downtime π0s of the networked system s. In system design the lower bound for the number of replaceable nodes n can be computed when a specified ratio of uptime to downtime Q is required for the system. A new network metric can be computed as the normalized average of the values of 1π0s of Section 6. The metric can be computed for a system or for the entire network. In a network-centric warfare scenario, systems and networks can be compared using metric values.

Targeted attacks against nodes and links can be taken into account as described in Section 5. We show that for hostile forces to cause maximum damage, if locations of services in the network are unknown, is to attack all the network links for high values of link failure probability. For lower failure probabilities, below a threshold value, it is optimal for the attacker to shift the attacks against lower degree nodes. Usually the optimal set of links goes through several intermediate thresholds depending on the network structure. The threshold values of link failure probabilities for different combinations of links of the network are valuable information in planning and constructing robust network structures.

References

[1] A.H. Dekker and B. Colbert, “Network Robustness and Graph Topology”, Proceedings of the 27th Australasian Computer Science Conference, Dunedin, New Zealand, 26, 359–368, 2004. Available electronically at crpit.com/confpapers/ CRPITV26Dekker.pdf.

[2] A.H. Dekker, “Network Topology and Military Performance”, MODSIM 2005 International Congress on Modelling and Simulation, Modelling and Simulation Society of Australia and New Zealand, December 2005, pp. 2174–2180, 2005. http://www.mssanz.org.au/modsim05/papers/dekker.pdf.

[3] J. Galtier, A. Laugier, and P. Pons, “Algorithms to Evaluate the Reliability of a Network” Proceedings 5th International Workshop on Design of Reliable Communication Networks, 2005.

[4] P. Holme and B.J. Kim, “Attack Vulnerability of Complex Networks”, Physical Review, E 65, 056106, 2002.

[5] S. Karlin and H. Taylor, An Introduction to Stochastic Modelling, Third Edition, Academic Press, 1998.

[6] M.L. Ling, “Proposed Network Centric Warfare Metrics: From Connectivity to the OODA Cycle”, MORS Journal, Vol. 10 No. 1, April 2005.

[7] J. Moffat, Command and Control in the Information Age Representing its Impact, The Stationery Office, 2002.

[8] J. Moffat “Quantifying the Benefit of Collaboration Across an Information Network”, Journal of Defence Science, Vol. 8, No. 3, pp. 123–129, September 2003.

[9] L.B. Page, “A Practical Implementation of the Factoring Theorem for Network Reliability”, IEEE Transactions on Reliability, Vol. 37, No. 3, August 1988.

[10] L.B. Page and J.E. Perry, “Reliability Polynomials and Link Importance in Networks”. IEEE Transactions on Reliability, Vol. 43, No. 1, March 1994.

[11] W.L. Perry and J. Moffat, Information Sharing Among Military Headquarters—The Effects on Decision Making, RAND Corporation, 2004

[12] P.S. Pulat, “Network Reliability with Arc Failures and Repairs” IEEE Transaction on Reliability, Vol. 37, No.3, 1988 August

[13] T. Tanizawa, G. Paul, R. Cohen, S. Havlin and H.E. Stanley, “Optimization of Network Robustness to Waves of Targeted and Random Attacks”, Physical Review, E 71, 047101, 2005.

[14] J. Shaio, “A Family of Algorithms for Network Reliability Problems” IEEE International Conference on Communications, 2002.

[15] A.R. Washburn, Notes on Firing Theory, Naval Postgraduate School, 2002.

Author

Vesa Kuikka works at the CIS Centre of the Finnish Defence Forces. He is a Licentiate of Philosophy (Physics) 1986 from the University of Helsinki. He also holds a Licentiate of Philosophy (Mathematics) degree from the Åbo Academy since 2004. Address Finnish Defence Forces, CIS Centre, Kutojankulma 2, PL 210, 02631 Espoo, Finland, e-mail vesa.kuikka@mil.fi.