1

Survivable Networks

Sundeep Selvaraj Pundamale

Department of Computer Science
University of Helsinki

Abstract -The term survivability is defined as the capacity of a As the global Internet started to evolve maintaining survivable
system or network in a working state to provide the essential networks efficiently proved to be more difficult. Because,
services under the deterministic set of values. Most of the there is a lack of central administration and the maintaining
networks are unbounded, meaning that they do not have a security is more complex in an unbounded network [1].
central administrative control and a unified security policy. Though there is lack of central administration in these kind of
The discipline of survivability can help such unbounded networks, autonomous administration is effective when done
systems to deliver essential services and maintain essential carefully.
properties such as integrity, confidentiality and performance
despite the presence of failures. Self-aware management This paper describes the importance of boundaries in a
allows the network to react and adapt to the changes inside the survivable network. The key characteristics are described with
network system. This paper describes the survivability appropriate examples. It is followed by self-aware
approach to a system that functions in a unbounded network management which helps to reduce the human intervention in
and lays emphasis on how the self-aware architecture manages handling a network . A policy based QoS management helps
IP QoS guarantees. It also includes the challenges faced by a an operator to establish service objectives and policies in order
survivable wireless networks and the techniques used for self- to implement the network resources in future. An agent
healing in wireless network. approach allows one to build a complex and sophisticated
system using modular components. .A self-aware system has
I. Introduction the ability to manage the processes itself. The architecture of
self-aware management describes different levels which
During the last two decades network systems started gaining include the access mediator, service mediator, resource
its significance drastically. Most of the educational institutes, mediator and network elements.. A survivable wireless
financial services, health sectors, transportation, network has different set of challenges due to the fact that
telecommunication companies etc now operate on a domestic, wireless communication travels through unpredictable
national and international level. They rely heavily upon these medium unlike the error free transmission provided by cables.
network systems to carry out their mission on a wide scale or a Security is an essential feature of survivable networks.
global level. Security has its own definition in survivable systems. It is
further explained in this paper with an example how security
As the demand for network systems started to raise people and efficiency of a system is maintained.
realized the consequences of a failure in network system.
Therefore some proactive measures are taken so as to increase II. The Domain of Survivability
the availability of these critical network systems. The
availability of a system can be increased by acquiring the While designing a survivable system it is important to
system services precisely and recover those services in a understand the computing environment with in which the
timely manner when there is a failure, attack or an accident. survivable system operates. The computing environment can
be classified into two broad categories namely bounded and
Automating the supervision of these network systems become unbounded network infrastructures.
very crucial due to various factors..The demand for quality of
service by the users increased and there is a cost involved to In a bounded system all the system parts are controlled by the
hire experts to maintain the network systems as per the users a single administrative body and can be fully controlled. In an
demands. Therefore it is important to reduce the human unbounded system there is no unified administrative control
intervention in the network management and increase the over the parts of the system. Here administrative control
automation of network process. This is often referred to as a means having the authority to implement certain actions in the
control plan. And increasing the automation in Network network rather than just being a member who recommends
Management is referred to as Management plan [2].While different solutions. In an unbounded system each participant
designing these plans it is very important to evaluate the has an incomplete view about the whole system so one has to
operational objectives of the network system. It should also be depend and trust on its neighbors. Also a participant cannot
enabled with respective monitoring and adaptation techniques. have control outside its own local domain. A single unbounded


 2

system can contain a collection of bounded and unbounded III. Characteristics of Survivable Network
systems connected together in a network. Figure 1 shows the
unbounded domain consisting of a collection of bounded One of the important characteristic feature of survivable
systems which has its own administrative control. There are network is their capability to survive and provide the most
three boxes representing different unbounded networks having essential services even in case of a failure [2]. While
their own local policies. These policies are exchanged to the delivering the services the system should also maintain some
other trusted systems ans these unbounded systems are viewed essential properties like specified levels of integrity,
as a single bounded network. confidentiality, performance and other important quality
attributes [1].For example a missile launcher is no more
effective if the target is out of the range of the missile before it
can be launched. These quality attributes play an important
role.

The definition of survivability is often expressed in terms of

maintaining a balance among multiple quality attributes such
as performance, security, reliability, availability, fault-
tolerance and modifiability. The ability of a system to deliver
essential services, while maintaining its essential properties is
to sustain even if a significant portion of the system is not
functional. Also the capability of a system should not be
dependent on the survival of a specific information resource,
computation or communication link..The next important factor
of survivability is to identify the essential services and the
Figure 1 : An Unbounded Domain Viewed as a Collection essential properties that support them within a particular
of bounded systems operational system. Essential service can be defined as the
functions of the system that can be maintained in case of a
When an application is implemented in an environment which failure or hostile environment. For example in a military
has multiple administrative domains the system is said to have environment the essential services might be to maintain the
an unbounded environment. For example the Internet can be technical superiority and essential properties might be to
viewed as an unbounded environment. The Internet is a maintain integrity and confidentiality [1].
collection of many client-server and network applications .In
the case of a public web server its clients may lie within many In a public sector a survivable financial sector is the one that
different administrative domains on the Internet. There is no maintains integrity, confidentiality and availability of essential
central authority that that configures all the clients in a similar information such as account information and loan data
fashion. Therefore a web server can never rely on the way a information and financial services like transaction validation
particular client is configured . In this example the web server and processing, even if a particular node or communication
and the its client form the system. The multiple administrative link fails due to some attack or an accident. It must have the
domains are the the variety of site domains on the Internet. ability to recover this compromised information and services
Many of those domains have legitimate users. Other sites are in a timely manner. The important functionality of the system
used for intrusions in an anonymous setting. These latter sites is to adapt itself to the environment and deliver the essential
cannot be distinguished by their administrative domain, but services. The ultimate idea is to fulfill the mission of the
only client behavior. The interoperability between the server system just not making a portion of a system functional at all
and its client is defined by a hyper text transport protocol times. For example the essential services of a power delivery
which is a convention agreed upon between server and clients plant might be to distribute both electricity and natural gas. In
[2]. The system which composes of web servers and clients is this case the system is said to meet its mission if both the
geographically distributed widely through out the Internet. services are delivered in a timely manner. If either of the
Both the legitimate users and attackers are part of the same essential service is lost due to some reason it should be
environment and it is difficult to isolate these legitimate users replaced by another service that supports the systems mission
from the the attackers. In other words it is quite difficult to fulfillment in a different but equivalent way.
bound a environment only for these legitimate users under a
common administrative policy. Therefore security is IV. Policy-based Qos Management
considered to be a key factor in todays survivable network.
The Policy-Based Management (PBM) separates information
 3

related to control of resources and information related to their The agent based approach is mainly concerned with the
states. It allows an operator to establish service objectives and introduction of mobile agents that are responsible to handle
policies that are implemented by the network resources in the dynamic nature of the network system. A mobile agent is
future. Thus the decision on resource allocation and generally an independent program which acts on behalf of the
configuration can be taken locally in an autonomous way. user and is capable of moving from one network node to the
other. The important aspect of this approach is to negotiate
The Policy-Based management defined by the Internet with other processes and delegates work to other intelligent
Engineering Task Force (IETF) proposes an infrastructure to agents in order to reduce the load of communication in the
manage IP networks offering service guarantees [2].The network. The agent normally transports a business policy so
infrastructure proposed in the reference manage IP networks that the negotiations and the decisions can can be carried out
offering service guarantees. This infrastructure also allows a locally. The significant properties of the agent lies in its
flexible behavior of the network. In other words it reacts to mobility and the capacity to negotiate [2].
various events in the network based on the policy defined.
These policies are nothing but a set of rules that are applied to VI. Architecture for Self-aware management
the management and control of access to the network
resources. They also allow the network administrators or the Self-aware management can be described as the ability of the
service providers to manage the networks behavior based on management processes and the respective network
certain criteria like user identity or the type of application. infrastructure to maintain themselves with out the intervention
Policies can also be defined at different levels. For example of some external assistance. The role of the administration is
the highest level policy can be a business level policy that is just to layout the network operational structure. In order to
translated further to a network level policy and then into a low offer this self aware management it is important to consider
level policy which is understandable by the network element. the dynamic nature of the underlying network infrastructure
that should be managed [2]. The following four structures are
The Internet Engineering Task Force (IETF) in collaboration the basic elements of a self-aware management system :
with Distributed Management Task Force (DMTF) came up
with a new model called as Policy Core Information Model ● self-configuration: The ability of the system to
(PCIM) [2].In this model the network is considered as a state configure automatically with some high level
machine where the policies are used to control the state policies.
transitions. It is capable of identifying the states and monitor ● Self-optimization: The ability of a system to
their progress. This model also defines the role priorities and improve the performance and effectiveness of system
execution order. and system components automatically.
● Self Healing: The ability of a system to detect,
V. Agent Approach diagnose and repair the software and hardware
components automatically.
An agent approach is one of the promising feature in the ● Self Protection: The ability of the system to protect
survivable network. The agent approach allows one to build a itself from attacks and rollback from failures. The
complex or sophisticated system using modular components. system failures are captured and alarms are
The intelligent components are often referred as agents and the generated.
interaction among these agents is considered as the heart of
the multi-agent system. An agent can be a simple software An autonomic system known as a self managed system
which is responsible for the execution of a process within the consists of autonomic elements known as self managed
network. It might also have intelligence to automate some elements. These elements provide services to the end users and
task. other autonomic elements. Also they are responsible to
manage the state/behavior and controls the interaction of the
In general intelligent agent is responsible to maintain a elements with the environment. The self managed elements
cooperation between the user interfaces and the intelligent are referred to as Agents in this paper.
processes to carry out some common task. Thus the agents are
responsible to detect and solve the faults and maintain the The architecture of self-aware management is built by using
infrastructure as they are expected to be. These properties are the concepts of policy based management and multi-agent
autonomous but also responsible for adaptation and systems [2]. This kind of architecture allows the dynamic
distribution of the network. They allow automatic control and Quality of service management within the framework. It is
offers the services as per the users need. The presence of also in conformance with the architecture of the IST
agents makes the network smart i.e it makes the network CADENUS (Creation And Deployment of End User services
adaptable to some new situation and manage the services as in premium network) project[2]. This standard came up with a
per the conditions of the network system. Service Level Agreement (SLA) based on a frame work for
 4

providing the appropriate services to the end users. The SLA

defines the standards that a customer is expected to get when
he subscribes with a service provider. This customer can be a
user or another provider offering the same level o f service
some times also called as a horizontal SLA. The customer
might also be a service provider whose offer is at a different
level which is referred to as a vertical SLA. The major part of
the SLA specifies the services that must be delivered. The
Service Level Specification is the technical part of SLA. It
also contains the services description in technical terms.

The CADENUS project recommends the use of three levels

for telecommunication services, the Access mediator, Service
Mediator and Resource Mediator. The Architecture described
in this paper includes the above mentioned three mediators. Figure 3. Access Mediator [2]
Also some new monitoring functions are introduced to allow
each policy level to adapt its behavior with respect to the An agent called User Overseer (UO) is located on the users
network that it is controlling. Each level is a self managed terminal. It sends the mobile agent called User Negotiator
(UN) to the Access Mediators in order to negotiate the
entity .Therefore it has the ability to provision services on its
services according to the users needs. They now send the User
own with out much human intervention. The level of
Overseer about the results of their negotiation as well as the
autonomy required is reached by introducing the operational
new offers that may interest the user. The User Overseer now
objectives and the parameters to be followed in the selects the best offer among the services it received. An agent
infrastructure, as well as by providing respective monitoring called as an Access Negotiator (AN) negotiates services and
and adaptation means. The necessity to use management provides the classification based on on behalf of the Access
system decreases and the operator does not need to apply Mediators.
corrections and adaptations so much any more. Thus the The Access Mediator contains a multi agent platform and two
management system is simplified and is more oriented access modules namely :
towards the definition of policies and operational parameters.
Each level implements their own method of monitoring and ● SLA Subscription: The SLA subscription is an
have a meta-control level which allows to adapt its agreement between the customer and the service
behavior to the dynamic nature of environment. The meta- provider upon certain QOS parameters. It also helps
control level contains two categories of agents : the service provider to precisely identify the needs ot
the customer from this document.
● The Monitoring Agent: It controls the adherence of ● SLA Translation: It translates the new service
networks or the network elements behavior with the request into an XML format and sends it to the
policies that were applied earlier. Service Mediator Concerned.
● Adaptation Agent: It modifies the mediator/network.
Element behavior in order to improve its operation B. The Service Mediator
performance and to optimize the service
configuration. The Service Mediator is responsible for informing the acces-
mediators of all the new service offers. It is also responsible
Each level is explained in detail in the following sub-sections: for the management of the physical access to the services
through the appropriate underlying network using the resource
mediators concerned. The Service Mediators do not have a
A . The Access Mediator:
direct contact with the end users for SLA. It deals with other
service providers to compose its services and with network
The Access Mediator is mainly responsible for the cooperation
providers to support its services.
between the end-user and several service providers. It has
knowledge about the end-users,access link,terminal type and C. The Resource Mediator
gives them access to particular service provider. The Access
Mediator provides a user with a wider selection of services at The resource mediator manages the underlying network. It is
the lowest cost. It also simplifies the process of service responsible to maintain the network performance as per the
selection. It can also immediately notify the user when a new demand of the the service providers. In a policy based
service becomes available. A mobile agent is used for dynamic management environment it plays the role of a Policy
negotiation of SLA between customer and several other -
Access Mediators.
 5

Figure 4 Network Element

decision Point (PDP). It now has the responsibility to identify ● Monitoring PEP : It is used for configuration of
which policy rules are applicable to the network elements that monitoring tools.
satisfy the service mediators. The main role of PDP in this
architecture is to send the network level policies that Also each network element includes a Meta-Control level
cannot be directly executed by the network elements. Policy consisting of two agents, the Provisioning agent and the
rules are generally of the following type : monitoring agent. The major role of the provisioning agent is
to push the new configuration rules to PEP depending on the
Policy : Service Configuration network state and the policy rules sent by the RM.
For: Edge Router 1
On : Source IP Address VII. Survivable Wireless Networks
Do : PHB type
Unlike the error free transmission provided by cables the
D. The Network Elements : environment the that wireless communication travels through
is unpredictable. To name a few environmental radio-
Each network element has a local Policy Decision point (PDP) frequency (RF), noise produced by powerful motors, other
and Policy Enforcement point ( PEP ). The PEP has the wireless devices, micro waves and moisture content in the
application point of policies. It is also responsible for packet air can make the wireless communication unreliable.
filtering,bandwidth reservation,traffic priority etc. The local
PDP receives the decisions and the policy rules from the Generally the wireless networks follow the traditional wired
Resource Mediators (RM) and translates these policy rules models and are manually configurable. This means that to
into policy rules or commands which is understandable by the join a particular node or a transceiver enabled device it
PEP. To do that it has an information database that contains must be programmed to direct its communication to another
the different policy rules to be executed according to the particular node which is generally a central base station [5].
decisions received from the RM and its perception about its The biggest challenge here is that if the node looses contact
environment. Figure 4 mentioned represents the network with its designated peer the communication ends. In order to
element. A network element consists of 2 modules to compensate this drawback these nodes where placed in the
implement the policy rules : optimal space. However even this decision also could not
guarantee reliability as the environment can change from
● Provisioning PEP : It is used for enforcement of day to day.
provisioning for policy rules.
 6

The most promising developments in the area of self-healing

wireless networks is Ad hoc network. They are decentralized, VIII. Survivability and Security
self-organizing and automatically reconfigure without with
out human intervention when there is some degradation in Computer security is often treated as binary. Which means at
communication or broken communication links between the any given time a system is either safe or compromised. But
transceiver. These networks may have bridges or gateways to this definition of security does not hold good in survivable
other networks such as wired Ethernet or 802.11.The major networks. As per the definition of a survivable system the
strength of this kind of architecture is that they do not require systems component must collectively accomplish their
a base station or central point of control [5].

In the decentralized network each node acts as both a end

point and router for other nodes. This naturally increases the
redundancy of the network and increases the scalability of the
network. Automated network analysis through link and route
discovery and evaluation are the most prominent features of
the self healing network algorithms. Through discovery netw-
orks establish one or more routes between the originator and
recipient of a message. Through evaluation networks detect
route failures,triggers renewed discovery and select the best
route available for the message.

Generally wireless self-healing network have pro-active or on

demand discovery and single path and dynamic routing. These
characteristics affects the network latency, throughput, reso-
urce needs and power consumption in varying amounts. The
pro-active discovery networks configure and reconfigure Figure 5 Gradient Routing in ad hoc network
constantly. They assume that link breakages and performance
changes are always happening and they are structured to mission even under attack and intrusions that can damage the
continuously discover and reinforce optimal linkages. Proacti- significant portion of the system. Here is an example that
ve discovery occurs when nodes assume that all routes are assumes the survivability of a network to be yes or no under a
possible and attempt to discover every one of them. The on given scenario. Figure 2 shows a representation of N/Node
demand discovery in contrast establish only the routes that are unidirectional path switched ring. The availability, A of the
requested by higher layer software. This allows the nodes to existing system/network can be calculated based on the past
save power and bandwidth and keeps the network free from performance data. However to predict the availability of a
traffic. In case of a single path routing as the name suggests new system probabilistic approach can be used.
there exists a single route for a given source and destination. Unavailability is the complement of availability i.e
Some times even the end - to -end route is also predetermined. (Unavailability=1-Availability).A system network
With the case of a Dynamic routing messages are broad casted Unavailability is expressed in minutes per year or
to all the neighbors and forwarded according to a cost-to- U=MTTR/MTBF where MTTR is the mean time to repair
destination scheme. Although this type of routing has the from a failure and MTBF is the mean time between those
advantage of of multiple redundant routes from originator to failures. [3]
the destination it generates lot of traffic on the network.

A. Self-healing techniques in wireless networks

The Gradient routing in ad hoc networks is an example of total

dynamic routing. It is illustrated in figure 5 .GRAd's
routing emphasizes on potential availability of redundant
routes from originator to destination nodes to optimize for
lowest latencies. To reduce the network traffic once the
message has made it to the destination, GRAd suppresses
the message loops by returning an acknowledgment The
maintenance of multiple sets of routes adds memory cost and Figure 6. N-node unidirectional path switched ring
network traffic but the return is an increase in both reliability
and speed of message delivery [5].
 7

It would make sense to restrict the discussion of this example IX . Conclusion

to Unidirectional communication instead of bi-directional
circuits because the discussion for the reverse direction from In this article results were selected from the recent research
T to S (two nodes communicating with each other as including the modeling of various self-healing architectures in
represented in figure 2) is practically same as S to T . Also order to compute the service ability, QoS guarantees which
both directions of a given transport signal generally traverse allow self configuration,self provisioning and self monitoring
through the same set of links and nodes between S and T. services. The agent concept described in this paper enables
Hence the service availabilities of both the directions can be automation which is a key functionality of survivable
assumed to be mathematically identical and the bidirectional networks. Despite of the best efforts in maintaining security in
service availability can be assumed to be mathematical unbounded networks. The discipline of survivability help to
intersection of these two directions. In the Unidirectional path tighten security in unbounded networks. There are further
switched ring the transport signal is duplicated at the promising research areas in Survivable Network.
originator node S and transmitted onto both the directions of
the unidirectional path switched ring such that two copies of XII . References
the transport signal are presented to the patch selector at the
destination node T. In this model we assume the upper path as [1] R.J Ellison, D.A Fisher, R.C Linger, H.F Lipson, T
service path which traverse through h links of the N nodes in Longstaff, N.R Mead,Survivable Network systems,November
the unidirectional patch switched ring. If a link or node along 1997.
this h link path between S and T fail the path selector at the
destination node T would perform a path protection switch to [2] Francine Krief, Self-aware management of IP networks
receive the copy of the transport signal arriving via the N-h with QoS guarantees,pg 351-364,2004
link lower path and thus restore from failure. Once the failure
is repaired the path selector can be reversed such that it is [3]Mark R Wilson,“The Quantitative impact of survivable
switched back to the upper path or if the failure continues, Network Architectures on Service Availability”, IEEE
the path selector selects the lower path connection which then communication magazine may 1998.
becomes the new service path. Thus the service bearing
transport signal survives even if one or more intermediate [4] R.C.Linger, N.R.Mead and H.F.Lipson “Requirements
links or nodes along the path 'h' fails. Definition for Survivable Network Systems”, Carnegie Mellon
University.
The above example captures all the failure scenarios and
makes the model mathematically complete. Robustness under [5] Robert Poor,Cliff Bowman, Charlotte Burgess Auburn,
a attack plays a vital role here. Robustness in particular can be Ember Corporation, ACM queue vol 1,may 2003.
compared to recoverability which is also an essential
characteristic of survivable systems. In the policy based
management intelligent agents are also used to implement
security policies. The security management in a system is
divided in to three plans :

● User plan
● Intelligent plan
● Network plan

In the user plan the administrator defines the security policies

to be applied in the network. The security policy is built in
such a way so that when there is an attack , the system has to
detect and also guide the agents behavior. The intelligent plan
is the intelligent part of the system. It is formed by one or
more multi agents. The network plan represents a network. It
is responsible to collect various events related to security with
in the network, analyze it and based on it future attacks are
prevented.