On the Practical Feasibility of Secure Multipath Communication


I. INTRODUCTION
Private communication is traditionally achieved by means of encryption based on pre-shared secrets or public-key cryptography. The latter is known to never ultimately resist cryptanalysis because of its intractability-based foundation, and any symmetric scheme is perfectly secure if and only if it is somehow isomorphic to the one-time pad. For this reason, secure communication services usually require the user to properly manage certificates and cryptographic keys, which is an intricate and error-prone process. Multipath transmission (MPT) offers an elegant yet somewhat expensive alternative, by exploiting network path redundancy to achieve security, besides increased reliability. In particular, MPT does not rely on shared secrets, but assumes the network to be sufficiently meshed to prevent an attacker from sniffing on the entirety of a transmission (for the same reason, failure of network components may not cause a complete breakdown, thus increasing reliability of the system at the same time). Under this hypothesis and suitable channel coding schemes, the portion of the information that escapes the adversary's eyes acts in the very same way as a secret key protects information through encryption. Throughout this work, we consider end-to-end communication between two (fixed) nodes in the network by means of MPT.
Communication by MPT, whenever applicable, offers some neat advantages: first, its security can be shown and retained under the assumption that whole parts of the network are fully under the attacker's control, including knowledge of all cryptographic keys and identity credentials. This threat model in particular covers situations in which software vulnerability exploits (e.g., buffer overflows, SQL-injections, etc.) give remote administrative permissions to an external attacker. Exploiting such vulnerabilities (possibly even zero-day attacks) in a whole set of components in the system is covered by the attacker model used in the sequel.
Second, MPT does not rest on any unproven mathematical conjectures or empirical indications, as public-key and symmetric cryptography do. While both are considered highly trustworthy, insecurity due to human failure in the operation of the system remains a non-negligible threat. MPT naturally achieves risk diversion by removing duties of key management, and thus somewhat limiting vulnerabilities by human error.
Network reference architectures (topologies) often have some redundancy for robustness against node failures, whose potential for secure communication, however, often remains hidden. Most theoretical treatments of MPT are explicitly devoted to perfectly secure transmission, which leads to very strong criteria on the network connectivity (cf. [1]). Whereas perfect privacy demands zero probability for an attacker to learn any of the communicated bits, the slightly weaker notion of arbitrarily secure transmission (introduced in III.E) asks for a way to communicate such that the attacker's chance to learn something from the transmission is bounded by some fixed (acceptably low) value .
Besides MPT's suitability for risk management and to gain some security against social engineering, there are also good reasons (cf. [2]) to theoretically study MPT, such as fault-tolerant distributed computing, verifiable secret sharing, secure multiparty computation (SMC) or simply the interest in information-theoretic security (like in quantum cryptography [3]). All of these areas at some stage rely on perfectly secure channels, which MPT can create. The need for high-security communication primitives is also motivated by the advent of new computing models like quantum- or DNA-computing. The whole field of post-quantum cryptography [4] accounts for such future security demands, and MPT is another theoretical yet hardly practical alternative. This work shall be a step towards making MPT more practical. To this end, we derive theoretical results on how MPT can be carried out over networks to get secure and reliable pairwise communication channels. We validate our results using a prototype implementation of the described methods, which works on hierarchically structured networks. That is, we consider communication not only within an enterprise network, but also across different administrative domains. The resulting network models are graphs that model wide area networks, connecting "black-box nodes" that are themselves local area networks (LANs). A security analysis towards secure communication across such a hierarchically structured infrastructure can be based on conventional graph-theoretic algorithms (shortest path and max-flow), which will be at the core of this work.

II. RELATED WORK
The authors of [5] and [6] discovered MPT as a necessity for perfectly confidential communication, and the work of [7] and [8] complemented this structural result with sharp lower bounds on the necessary communication overhead for such a transmission. Common to all these references are their strong hypotheses on the underlying network graph topology, which gave rise to the game-theoretic treatment in [9] attempting to apply these ideas in general rather than only strongly connected networks. Ever since then, the picture has been extended in various ways, such as by looking for lower bounds on the graph connectivity [8], [10]-[14], implications of synchrony and asynchrony in the transmission [15], [16], impossibility results [17], [18], or applications of MPT in ad hoc and wireless networks [19]-[23].
Multipath transmission is currently under standardization in the course of the Transmission Control Protocol (TCP), see [24]. Experimental simulations have been done towards resource pooling and multipath transmission with a focus on other protocols such as the Stream Control Transmission Protocol (SCTP) and the Multipath RTP (MPTP) with concurrent multipath transmission; see [25] and [26], respectively. Furthermore, [27] introduced an improvement to multipath TCP (MPTCP) where the idea is to introduce fountain code to MPTCP to reduce the impact of paths with lower transmission quality on the overall throughput. Especially in the light of these latest developments, looking at the theoretical possibility of MPT under a more practical environment seems more demanding than ever.

III. PRELIMINARIES
Let a network be modeled as an undirected graph with node set comprising all network devices (computers, routers, switches, etc.), and the edge set giving the (physical or logical) connections between them. Let the nodes be weighted by a security measure defined as The value can be set to either exclude a node from any attack (say, by organisational assumptions, non-cryptographic protections or contractual regulations if models the subnet of a transmission service provider), or to express the (pessimistic) assumption that zero-day exploits or other intrusions on the device may be expected. In that case, we may put , which can also be done if the "probabilistic security" of a node is difficult or impossible to obtain reliably. In other cases, assigning appropriate resilience to each node is left to probabilistic security models or general statistical approaches (e.g., beta-reputation [28], [29]). Note that it is not necessary to weight edges, as an edge with weight can be replaced by two unweighted edges to an artificial node with weight in between: .
We write to denote the vertex- and edge-sets of a graph . Moreover, given subsets , we write for the induced subgraph. The symbol denotes the power-set of .
The degree of a node is the number of edges that is part of. For two distinct nodes , hereafter representing the sender and receiver of a transmission, an --path or wire in is a subgraph of nodes and edges, where and the degree of all nodes is two, and only and have degree one. That is, a path is a subgraph that forms a connection from to as a sequence of nodes and edges. The set of all --paths is called the set of wires, and denoted by . This set again constitutes a subgraph of . Two -paths are called (node-)disjoint, if .
Random variables are as well denoted by uppercase letters, as those will exclusively be set-valued (thus justifying the overloaded notation here). We write whenever the distribution of is . The symbol denotes a random draw from a set , according to the probability distribution (supported on ).

A. Adversary Model
Assuming that nodes in a network have common or similar security properties, say by running on the same firmware or residing in the same physical location, our attacker model is a family of subsets of that share common vulnerabilities. This models situations in which exploits on several machines create a path through the network towards the valuable data (an attack path). Formally, we model the attacker as a subset , where a set describes an attack scenario in which the adversary has gained full access and control over all nodes in (elsewhere called an adversary structure [30], [8]). As the attacker's behavior is unknown, let be a random variable supported on , whose realization corresponds to the mounting of an attack. We will need this later for our formalization in section III.C.

B. Abstract MPT and its Prerequisites
We write to denote a general MPT protocol that transmits a message over a network, taking random coins to make internal decisions. In particular, the random variable is assumed to steer the choices of transmission paths, besides other protocol-specific actions that use randomness. As our upcoming treatment of security will heavily rely on what paths are chosen for transmission, and what nodes have been attacked successfully (random variable ), let us write for the random variable that selects transmission paths. A particular transmission of a secret message from a sender to a receiver then works by selecting transmission paths by sampling from and running the MPT protocol over the chosen set of paths. This captures most of the theoretical work on MPT cited in section II, where the set of paths is always assumed to be fixed prior to the transmission, when some additional assumptions are adopted, which commonly appear implicitly throughout the MPT literature (e.g., [6]-[8] and others):
1) The network topology is reliably known, so that paths can be selected. Here, we can allow only for partial knowledge of the topology, treating all parts of the network with unknown topologies as black boxes (and taking advantage of the hierarchical graph modeling mentioned above and detailed later).
2) Packets can be routed over fixed chosen paths. Although such source routing is an existing yet mostly disabled feature of the internet protocol (IP), such routing can be over virtual LANs resembling the paths (network layer 2), or using port routing on layer 3 (transport).
3) The routing is reliable in the sense that a packet does not deviate from its designated transportation route. Although we explicitly assume this here, one can relax this assumption to a limited extent, while still retaining the possibility of secure communication [31]. We do not explore this any further here.
4) An exhaustive set of scenarios can be identified under which an adversary can attack. This is usually the result of topological vulnerability analysis (searching for attack paths and attack graphs), the results of which make up the abstract family of component sets that are vulnerable to a specific attack. In section IV.B, we show how to derive an approximation of from the anyway required computation of node-disjoint paths.
We stress that these assumptions exclude adversaries being able to mimic a certain number of virtual nodes (Sybil attacks), which would mean that the network topology information is itself unreliable. It is subject of future work, yet outside the scope of this article, to consider adversaries with such power.

C. Simple MPT - An Example
To motivate the general treatment and show how secure MPT may work, we use an inefficient yet simple example protocol. Suppose that the network permits node-disjoint --paths , where . Let the message be a bitstring , which the sender writes as , where is the bitwise XOR. This representation is immediately found by choosing random strings , and putting We call each a share to . From a cryptographic viewpoint, this is an -out-of--sharing, as no subset of less than of the shares reveals any information on . This is easy to see, as any unknown share, say , acts as a one-time pad encryption of .
For the same reason, an attacker is required to get all shares in order to correctly recover . So, if each share travels over a distinct path , then no set with cardinality will suffice to disclose . Consequently, any attack on less than nodes will necessarily fail, and only those attack scenarios will be successful (for the adversary), in which all paths are intercepted.

Recall that were random variables describing the (random) path choices and (unknown) compromised node sets. Let us introduce an (efficiently decidable) predicate that equals 1 if and only if attack fails under transmission scenario . Then is also a binary random variable, which measures the success rate of the (generic) protocol where is under the sender's control, and is coming from the adversary and thus unknown. The next section will define security in terms of the predicate , more precisely, its expectation.
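The XOR sharing and the attack predicate of this section, as an added Python example that is not code from the paper or its prototype. The function names, the three-path network and both probability distributions are constructed assumptions; path endpoints are taken to be the sender and receiver and are never counted as compromised.

```python
import secrets
from fractions import Fraction
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(message: bytes, n: int) -> list:
    """n-out-of-n XOR sharing: n-1 random strings plus one correcting share."""
    if n < 1:
        raise ValueError("need at least one share")
    shares = [secrets.token_bytes(len(message)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, message))
    return shares


def combine(shares) -> bytes:
    """XOR of all shares gives back the message."""
    return reduce(xor_bytes, shares)


def consistent_missing_share(captured, candidate: bytes) -> bytes:
    """The one share that would make `candidate` the message, given the
    captured shares. It exists for every candidate of the right length,
    which is why an incomplete set of shares reveals nothing."""
    return reduce(xor_bytes, captured, candidate)


def attack_fails(paths, compromised) -> int:
    """Predicate of the text: 1 iff at least one share-carrying path has no
    compromised intermediate node (the attacker then misses a share)."""
    return int(any(not (set(p[1:-1]) & compromised) for p in paths))


def expected_success(sender_dist, attacker_dist) -> Fraction:
    """Expectation of the predicate when path sets and attack scenarios are
    drawn independently from the two given distributions."""
    total = Fraction(0)
    for paths, p in sender_dist:
        for compromised, q in attacker_dist:
            total += p * q * attack_fails(paths, compromised)
    return total


# Constructed sample: three node-disjoint paths from "s" to "r".
P1, P2, P3 = ("s", "a", "r"), ("s", "b", "r"), ("s", "c", "r")
# Sender picks two of the three paths uniformly at random.
SENDER_DIST = [((P1, P2), Fraction(1, 3)),
               ((P2, P3), Fraction(1, 3)),
               ((P1, P3), Fraction(1, 3))]
# Adversary structure with two scenarios, equally likely (an assumption).
ATTACKER_DIST = [(frozenset({"a", "b"}), Fraction(1, 2)),
                 (frozenset({"c"}), Fraction(1, 2))]

if __name__ == "__main__":
    shares = split(b"meet at noon", 2)
    print("recovered:", combine(shares))
    ok = expected_success(SENDER_DIST, ATTACKER_DIST)
    print("success rate:", ok, "vulnerability:", 1 - ok)
```

Only the pairing of path set {P1, P2} with scenario {a, b} intercepts every share, so the sender's uniform choice succeeds with probability 5/6 against this attacker.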

D. Security Measures
It is common in cryptography to capture attack scenarios in abstract "games". Security is then defined in terms of the likelihood for the attacker to win the game.
: Let be the message to be sent over from to .
1) The (honest) sender chooses .
2) The adversary conquers a node-set .
3) The protocol is executed, resulting in either success ( ) or failure ( ).
4) Output as the game's outcome.
The security of an MPT transmission is the attacker's advantage in winning the above game, .
A widely unexploited feature of MPT is the degree of freedom to choose the paths (in particular, all prior research seems to keep the path choices fixed a priori in an attempt to guard against every scenario described by ). We take a more general direction here, by using game-theory to optimize the honest party's behavior ( ) and the attacker's behavior ( ) simultaneously. This leads to the computation of a (Nash-) equilibrium for , which satisfies for any distributions .
The appeal of imposing a zero-sum hypothesis on the competition between the sender and the attacker lies in the validity of the right of the above inequalities under any real behavior of the attacker. Put differently, if the advantage is computed as the Nash-equilibrium solution , then this value lower-bounds the success-rate of the MPT protocol regardless of what the attacker actually does (see [9] and [32] for formal proofs), conditional on the only hypothesis that no attack outside is mounted (in which case, however, any security analysis would fail). The converse probability, called the vulnerability, (2) measures how many messages are discovered by the attacker, relative to the entire lot of transmitted information. This upper bounds the likelihood for an attack, which is why we can consistently use the same symbol as for the node-weights. The important difference here is that (2) refers to a whole transmission from to , rather than a single node.

E. Definitions
Since our adversary can control his advantage via clever choices about the compromised nodes, we extend the usual model of an adversary structure towards a probability distribution supported on an adversary structure.

Definition 1.
Given a network , an adversary is described by a probability distribution supported on a family of possibly compromised nodes. Concerning semantics, we define . The attacker is computationally unconstrained regarding the processing of information in his possession.
Imposing no limit on the attacker's power is actually not unrealistic under our adversary model: by assumption, once the attacker has conquered a set of nodes, we assume full control over all nodes in , including full knowledge about the data residing in these nodes. Hence, the attacker can compute anything that the honest parties could compute too, thus precluding (and invalidating) all intractability assumptions that would otherwise establish security of conventional public-key and symmetric cryptography.
Nevertheless, to keep things practical, we need to impose bounds on the computational power of the honest parties (no transmission scheme can feasibly handle inputs of exponential size), and on the size of the adversary structure (to keep the running time of our algorithms within reasonable bounds).

Definition 2.
[5] A transmission is called -private (for ), if for any two plain text messages, the corresponding random ciphertexts have distributions that are statistically indistinguishable (distant in the 1-norm) up to a difference of . A transmission is called -reliable for , if with probability at least , the delivery is correct. A transmission is -secure, if it is both -private and -reliable, and it is called perfectly secure if . The transmission is called efficient, if its bit- and round-complexity is polynomial in the size of the network and the message, as well as and , wherever and/or .
The vulnerability definition (2) is naturally linked to the above security concepts by the following fact:

Theorem 1.
[9] Assume a Nash-equilibrium behavior for the honest parties in , and let be computed as in (2) for a predicate . If indicates a successful confidential (not necessarily correct) transmission using , then is -private. Alternatively, if indicates a successful correct (not necessarily confidential) transmission using , then is -reliable.

This is a major difference to the treatment common in cryptography. As opposed to the abstract games serving for complexity-theoretic reduction arguments towards security proofs, for multipath transmission we explicitly attempt to execute the game in reality. The optimal way of doing this is determined by techniques of game-theory, whose details are not relevant here (see [9] for a full treatment). Theorem 1 is the permission to use the following as our security definition: A protocol is called -, if there is some such that for every distribution over . The protocol is said to achieve arbitrarily secure message transmission (ASMT), if it is -secure for every . A 0-secure protocol is said to achieve perfectly secure message transmission (PSMT).
Notice that ASMT can achieve the same level of secrecy as any conventional encryption, if we set to be the likelihood of guessing the key (e.g., for a Bit AES key). However, and more generally than PSMT, the Nash-equilibrium based analysis of security is extensible towards multiple interdependent security goals in a consistent way [33]. Other concepts like Definition 2 are much more difficult to handle or extend.
Obviously, PSMT implies ASMT. The converse is not true, since ASMT allows for a strictly positive residual chance of disclosing the message, which PSMT explicitly rules out. The advantage of ASMT over PSMT, however, is that the former may be possible in cases where PSMT is ruled out by insufficient graph connectivity. The remainder of this work is dedicated to a discussion on how to set up the transmission game so that either ASMT is possible, or neither PSMT nor ASMT are achievable (provably).
Going through the literature on MPT (and also section III.C), one finds the idea of "bypassing" the attacker by virtue of using multiple paths to be a common denominator among most (if not all) MPT protocols. The next definition captures this more explicitly.

Definition 4.
Let a (directed) graph and a subset be given. For two distinct nodes , we define the (directed) residual --capacity of w.r.t., denoted as , as the number of --paths that circumvent , i.e., the number of paths that do not go through any node in .
The residual capacity is important as it characterizes the possibility or impossibility of secure transmission based on whether a person-in-the-middle attack between and is possible (or the attacker can be circumvented).
Proposition 1. ASMT from to is possible against an active adversary , if and only if the residual capacity for all .
Proof. For the necessity, suppose that PSMT is possible, then the likelihood of a message to circumvent any is 1. Then for every there exists at least one path that avoids , hence the residual capacity is . Conversely, if the residual capacity is , then the following protocol can do arbitrarily secure message transmission: put and observe that by hypothesis. Now (as described in section II.B), let us divide the message by a -out-of--sharing as , and transmit over another distinct path (exhausting the set of available paths). Let denote the probability of to bypass all compromised nodes. Furthermore, implies that (note that the distributions that control the choice of paths and compromised nodes can be omitted, since for any ). Since recovery of the message requires all shares (the predicate would thus be defined as 1 in this case only), the likelihood for all these getting caught is as . So for any given , if is chosen sufficiently large.
The rather simple transmission protocol used in the proof of Proposition 1 is clearly suboptimal in terms of communication overhead (yet its overhead is polynomial in , thus nevertheless being efficient in the sense of Definition 2). Its meaning for our investigation is merely to prove that ASMT is possible based on a certain graph connectivity. Nevertheless, the security of multipath transmission is in any case determined by the likelihood to circumvent compromised nodes. Consequently, a larger of paths to choose from will eventually maximize the chances of bypassing the adversary. Our algorithms for path enumeration given in section IV.A will therefore attempt to give a maximal number of such paths.

IV. SETTING UP THE MPT-GAME
Our main objective in the following is to practically instantiate for a given protocol , which for any MPT protocol requires two initial tasks: 1) enumerate a maximal set of paths to choose from, and 2) compute the most vulnerable points in the network (as those may be the most likely targets for an attack).
As an exhaustive enumeration of paths is infeasible (usually, there are exponentially many of them), and an exhaustive enumeration of attack strategies is also difficult, we shall "approximate" both ingredients to , and use the approximations and in place of and throughout the rest, where the goodness of this approximation will be in the center of attention now.

A. Enumerating Transmission Paths
A useful result from graph theory (Theorem 5.17 in [34]) equates the number of node-disjoint paths between any two nodes in to the cardinality of a minimal vertex cut between and , where an --cut in a graph is a set so that any --path has . For the adversary, conquering a cut is equivalent to mounting a person-in-the-middle attack, which is the only way to effectively intercept an MPT transmission. The problem of finding a minimal vertex cut is computationally simple and solvable by min-cut-max-flow techniques. The latter basically work by computing node-disjoint paths (cf. [35]), which we need anyway. So, the node-disjoint paths can be used to run MPT, while the graph cuts that are computed alongside can be used to identify neuralgic points in the network that potentially match attack strategies in (hence "approximate" ).
So far, there is no real computational difficulty, whenever the number of paths is known and constant. Here is the problem: the number of paths is determined by the power of the adversary in terms of how many nodes can be corrupted at the same time. Moreover, even if this number is known, if any logical connection within the network would use the maximal number of paths, network congestions become highly likely and congestion control may randomly cause paths to intersect. Such congestions can be even due to the adversary; a scenario that has received attention in [31], where the reliability of routing was in the focus of interest. This shows another limitation of the aforementioned references in terms of practicability. Although [8] provides a sharp limit on the minimal required amount of bandwidth for MPT, and many results assuring perfectly private communication under certain graph connectivity assumptions are known, a network whose bandwidth and connectivity undercut the theoretical minimum requirements for PSMT may rule out the latter, yet still enable ASMT.

Let denote the set of all candidate paths, from which the protocol may select a subset for transmission. This is basically an approximation to the set , whose cardinality may be exponential (and thus infeasible to handle).

To set up , we compute the maximal number of node-disjoint --paths by running a conventional edge-capacity based min-cut-max-flow algorithm on a transformed version of
The transformation is well-known and detailed in [35]. It basically substitutes each node in the graph by two connected nodes , setting the capacity of the internal (directed) edge to 1 so as to limit the flow through this node. All other undirected edges are replaced by two directed edges and , both of which have infinite capacity. The only exception to this rule are the sender's node , from which only outgoing edges are drawn, and the receiver's node , having only incoming edges.
It is easy to see that an integral maximal --flow over a network with vertex capacities all set to 1 equals the number of node-disjoint --paths. We can also permit intersections of paths in certain selected nodes, say in case that a node has zero vulnerability, and thus cannot be conquered in any scenario in . To let paths intersect at a node, we simply increase its internal edge weight from 1 to , so that any number of paths may pass this node.
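The node-splitting transformation and the resulting count of node-disjoint paths, as an added Python example that is not code from the paper or its prototype. The function names, the `uncapped` parameter (nodes allowed to carry several paths), the in/out labelling and the sample graph are constructed assumptions; augmenting paths are found by plain breadth-first search, and node names must not themselves be tuples.

```python
from collections import deque

INF = float("inf")


def split_graph(edges, s, r, uncapped=frozenset()):
    """Residual capacities of the node-split digraph: every intermediate node
    v becomes (v, "in") -> (v, "out") with capacity 1, or INF if v is in
    `uncapped`. Link edges get infinite capacity in both directions."""
    cap = {}

    def add(u, v, c):
        cap.setdefault(u, {})
        cap.setdefault(v, {})
        cap[u][v] = cap[u].get(v, 0) + c
        cap[v].setdefault(u, 0)              # reverse residual edge

    def tail(v):                             # where edges leaving v start
        return v if v in (s, r) else (v, "out")

    def head(v):                             # where edges entering v end
        return v if v in (s, r) else (v, "in")

    for v in {x for e in edges for x in e} - {s, r}:
        add((v, "in"), (v, "out"), INF if v in uncapped else 1)
    for u, v in edges:
        for a, b in ((u, v), (v, u)):
            if a == r or b == s:             # s: outgoing only, r: incoming only
                continue
            add(tail(a), head(b), INF)
    return cap


def max_flow(cap, s, r):
    """Ford-Fulkerson with BFS augmenting paths. Returns (flow, source_side),
    or (INF, None) if an augmenting path has no finite bottleneck."""
    flow = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and r not in parent:
            u = queue.popleft()
            for v, c in cap.get(u, {}).items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if r not in parent:
            return flow, set(parent)         # nodes still reachable from s
        path, v = [], r
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        if bottleneck == INF:                # path through uncapped nodes only
            return INF, None
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
        flow += bottleneck


def disjoint_paths_and_cut(edges, s, r, uncapped=frozenset()):
    """Number of s-r paths that are disjoint in all capped nodes, and the
    minimal vertex cut closest to s (None if no finite cut exists)."""
    if any({u, v} == {s, r} for u, v in edges):
        raise ValueError("s and r are adjacent: no vertex cut separates them")
    flow, side = max_flow(split_graph(edges, s, r, uncapped), s, r)
    if side is None:
        return INF, None
    cut = {n[0] for n in side
           if isinstance(n, tuple) and n[1] == "in" and (n[0], "out") not in side}
    return flow, cut


# Constructed sample network (not a figure from the paper).
EDGES = [("s", 1), ("s", 2), ("s", 3), (1, 4), (2, 4), (3, 5), (4, "r"), (5, "r")]

if __name__ == "__main__":
    print(disjoint_paths_and_cut(EDGES, "s", "r"))                  # node 4 is a bottleneck
    print(disjoint_paths_and_cut(EDGES, "s", "r", uncapped={4}))    # paths may share node 4
    print(disjoint_paths_and_cut(EDGES, "s", "r", uncapped={1, 4})) # fully protected route
```

The third call models a route made only of nodes that cannot be conquered: no finite cut exists, so the function reports an unbounded flow instead of looping.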
Taking a closer look at the internals of the Ford-Fulkerson min-cut-max-flow algorithm, we see that the algorithm in each step increases the flow by searching for another flow-augmenting path through nodes with positive remaining capacity. On this residual network, we can construct a flow-augmenting path by looking for the "most secure" --path. This is easy by virtue of a shortest-path algorithm that takes the vertex security as the length of the internal edge from , taking all other edges (connecting different nodes to each other) with zero length. Observe that we now have two different weights assigned to each node, one of which is either 1 or to limit the number of paths through this node; while the other weight serves to compute another flow-augmenting path by taking the (next) most secure --path.
Output: a set of non-intersecting --paths.
Steps:
1) Insert two artificial nodes and connect to every node in and to every node in . Call the resulting graph .
2) Compute a maximal --flow with vertex capacities and a minimal cut on .
3) If there are intermediate nodes between and , respectively and , call Algorithm 1 to compute node-disjoint paths from to , resp. from to .
4) Assemble the partial -and -paths to --paths and put them into a set .
5) Construct from the so-obtained "ground set" of paths by selecting sets of disjoint paths with the desired cardinality.
The max-flow algorithm itself remains intact by this modification, since the Ford-Fulkerson algorithm does not prescribe the method by which the flow-augmenting path is to be found (see [37]).
Observe that the so constructed set of node-disjoint paths is not maximal, as local alternative routes may be taken. In order to exhaust the set of existing --paths and to construct node-disjoint selections from these, we recursively apply the max-flow technique between and the minimal --cut , and between and . Intuitively, this is correct since the cut is such that any --path must traverse it at some stage, yet alternative routes towards the cut may exist in the network and need to be found. Algorithm 1 describes this recursive procedure to construct a set of transmission paths between and , where and at the initial invocation. The role of the constant is to limit the resulting number of paths to a polynomial number (as will be detailed in the proof of Lemma 1).
Figure 1 illustrates a single step in this algorithm using the graph from Figure 3 as an example. First, we compute the minimal --cut and a maximal flow (shown bold) in the initial graph, and then move onwards to compute a multi-source-multi-sink flow from to . For that matter, it introduces two artificial nodes with infinite capacities along incident edges, and computes a minimal cut between and as in this recursion step, where the corresponding maximal flow is shown bold again. Sparing further recursions for brevity, the assembly of the so-found partial paths between any sub-cuts gives the boldly shown paths illustrated in the right side of Figure 1. The union of all these paths makes up the ground set . The paths in may indeed intersect and form the basis from which we can select disjoint paths to create .
Based on Proposition 1, our path enumeration algorithm attempts to maximize the residual capacity subject to the polybound constraint of the honest player. More formally, it seeks the set so that the graph restricted to the paths in only, has maximal residual capacity.

Lemma 1.
Let a graph with nodes be given.Algorithm 1 outputs a set of size , with the following property: for any fixed compromised set , the residual capacity w.r.t. is maximal.Moreover, we cannot get better security by using any more paths than in already, i.e., in that sense is "maximal".
Proof .Write for the graph consisting only of the chosen --paths.Take any and assume that the residual capacity is not maximal, i.e., there is a --path bypassing that is not captured by .Take the two closest cuts that "enclose" from the left and the right (coming from and respectively).Then the --flow can be augmented by the path bit of between and , thus contradicting the maximality of the flow.Hence, there cannot be such a path unless it has already been found and included in the output at some stage of the recursion.
To see the "maximality" of , assume that we would add another path and use the set for constructing .Since , it must differ from at least one path in at least one node.So let the paths and partially coincide on , and consider the different bits , as illustrated in Figure 2. Take the bounding cuts and as constructed by Algorithm 1 between which are located.By construction, the --flow is already maximal, so cannot be more reliable than .Therefore, the route over is less secure than the route , and adding to the ground set is pointless when constructing .
It remains to investigate the cardinality of .The number of strategies that our divide-and-conquer algorithm digs up is determined by as follows: let be the number of nodes in the network, and let count the number of strategies constructed in the recursive manner as sketched in Figure 1.Algorithm 1 divides the graph with nodes into two www.ijacsa.thesai.orghalves of size , and combines the flows in each path accordingly into a set of node-disjoint paths from to .Hence, , where the remainder term counts the number of ways in which the partial paths can be connected.The recursion reaches the trivial case after no more than steps.So, if we enumerate no more than a constant number of connections in the path assembly, then the overall number of paths returned by the algorithm is no more than and thus polynomial in .
The particular choice of affects how many paths are returned by the algorithm, however, Algorithm 1 returns a limited selection of the most secure paths.Thus, choosing smaller values of may yield suboptimal network utilization as some perhaps secure routes remain unused.In that case, there may be no security achievable against the given adversary, if the paths are selected from this limited family only.In that case, one can increase to find more paths in order to ultimately bypass the attacker and gain security of MPT.
Our prototype limits the number of enumerated paths in the matching to . Moreover, the experiment showed that we can take advantage of the loose connectivity of scale-free network topologies, such as observed on large-scale networks like the Internet. For many of our experiments, the sizes of the cuts (and flows) were actually small, so that even the full enumeration gave a feasible number of path combinations.
Constructing the flows by virtue of most secure paths naturally prefers reliable routes over vulnerable ones. For example, if there is a fully protected channel available, then there is no need to use any other channel (and hence PSMT by single-path transmission is doable). Conversely, if all paths are equally vulnerable, then optimal risk diversion means equiprobable transmission of shares over all available paths. Given different and individual node vulnerabilities, the optimum lies somewhere in between, and Algorithm 1 identifies the most promising paths based on known (or computed) node vulnerabilities.

B. Approximating the Adversary
Unfortunately, we cannot use the same approach as for the path enumeration to identify the adversary's most likely targets in the same blow. It is indeed true that the adversary, knowing that only the paths are used, has no incentive to attack elsewhere than on the set , since no other node contributes to any transmission. Moreover, any hitting set for the family is a trivial cut for this path set, but hitting sets are infeasible to compute. Without question, the most valuable target for an attack is a minimal cut; however, its general ambiguity demands care.
Figure 3 displays a network in which a minimal cut derived from the information of the previous execution to get the node-disjoint paths misleads us to a belief in a suboptimal attack strategy. This minimal cut, even if it is taken as the most vulnerable one, would be along the path and is (shown gray), since it has the likelihood of to withstand an attack, as opposed to the alternative cut at node 5, whose attack resilience is . However, the adversary would surely not attack node 2 only, since this leaves the alternative (dotted) route intact.
The reason for the failure of such simple vulnerability analysis by computing cuts lies in its ignorance of local alternative routes. For instance, the route , where the local detour is shown dashed (cf. Figure 3), may be less reliable (i.e., less resilient against an attack); however, it can indeed force the adversary to attack elsewhere than in node 2, since only part of the payload is delivered over this boldly shown channel. This is yet another reason why Algorithm 1 needs to (recursively) compute local detours for each path.
If the adversary structure is partially or entirely unknown, we can approximate by a set for the game-theoretic model by seeking the most vulnerable points in the network. The adversary's most promising target is undoubtedly a minimal cut, since any such cut has the property that every --path must intersect with . So there is no point in attacking elsewhere. However, cuts are notoriously non-unique and care is needed when we attempt to take certain possible attack scenarios off the radar when constructing . In analogy to the previous section, we will again use a min-cut-max-flow technique to narrow down the action space for the attacker, however, with two modifications:
1) We restrict the graph to contain only the total set of candidate paths for transmission (since attacking elsewhere is pointless).
2) We seek a cut of maximal vulnerability. Since the node weight denotes the likelihood (risk) of a successful attack on the node , it is straightforward to replace the weights with their respective negative logarithmic values so that the weight of the minimal cut equals the smallest likelihood of repelling an attack.
To make especially the first point precise, assume that Algorithm 1 has led to a path ground set from which has been constructed. The respective ground set from which we construct is then simply the union of all nodes that are used by at least one path in , i.e., , and we restrict the graph to contain only the nodes in when we consider the adversary's attack strategies by seeking a cut whose weight (as determined by the negative logarithms of the node weights) is maximal. The goodness of the approximation of the unknown adversary structure through the set is readily established, since attack on attack on attack on attack on .
for every --cut . Hence, the adversary is best off attacking nodes in , as these form the most vulnerable points in the system. The algorithmic details are unchanged, since the max-flow algorithm directly provides us with the sought cut as the most vulnerable point in the network. This is where we can expect an attack with maximal probability, so that can be constructed as the family of subsets of . Specifically, if a set shall be compromised, then either is already a cut, in which case contains a set of larger weight, i.e., better chance to fail under an attack, or is not a cut, in which case its chances to breach the security of the transmission is less than for any cut, especially those contained in . We conclude these observations as

Proposition 2. (Approximation of the adversary) Let be a set in the unknown adversary structure . Then the likelihood to attack the nodes in is no larger than the likelihood to attack some set in .
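The two modifications above can be traced on a small network. The following is an added illustration, not the paper's C++ prototype: it restricts the graph to the nodes on the candidate paths, weights each node with the negative logarithm of its attack likelihood, and reads the most vulnerable cut off a max-flow computation (node splitting with Edmonds-Karp). It assumes node compromises are independent, so a cut's joint attack likelihood is the product of its node likelihoods; the function name, sample paths and probabilities are constructed.

```python
import math
from collections import deque

def most_vulnerable_cut(paths, p_attack, s, t):
    """Return (cut, joint attack probability) for the s-t node cut that is
    minimal under weights -log p(v), i.e. the cut most likely to fall."""
    INF, cap = float("inf"), {}
    def arc(u, v, c):                       # residual arc u->v plus reverse
        cap.setdefault(u, {})[v] = cap.get(u, {}).get(v, 0.0) + c
        cap.setdefault(v, {}).setdefault(u, 0.0)
    nodes = {v for path in paths for v in path}   # restriction to used nodes
    for v in nodes:                         # node splitting: v_in -> v_out
        secure = v in (s, t) or p_attack[v] <= 0
        arc((v, "in"), (v, "out"), INF if secure else -math.log(p_attack[v]))
    for path in paths:                      # links never limit the flow
        for u, v in zip(path, path[1:]):
            arc((u, "out"), (v, "in"), INF)
    src, dst = (s, "in"), (t, "out")
    while True:                             # Edmonds-Karp augmentation
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 1e-12 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            break                           # parent = source side of min cut
        route, v = [], dst
        while parent[v] is not None:
            route.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in route)
        if push == INF:
            raise ValueError("a candidate path has no attackable node")
        for u, v in route:
            cap[u][v] -= push
            cap[v][u] += push
    cut = {v for v in nodes if (v, "in") in parent and (v, "out") not in parent}
    return cut, math.prod(p_attack[v] for v in cut)

# Constructed sample: two routes share nodes 1 and 6, with a detour 3 around 2.
PATHS = [["s", 1, 2, 6, "t"], ["s", 1, 3, 6, "t"], ["s", 4, 5, "t"]]
P_ATTACK = {1: 0.3, 2: 0.9, 3: 0.2, 4: 0.5, 5: 0.6, 6: 0.4}  # constructed values

if __name__ == "__main__":
    print(most_vulnerable_cut(PATHS, P_ATTACK, "s", "t"))
```

In the sample, node 2 is the single most attackable node, yet it is not part of the returned cut, because the detour over node 3 keeps that route alive.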

V. HIERARCHICAL NETWORKS
Many practical networks are organized in a hierarchical manner; for example, company networks can be scattered throughout a country as local area networks (LANs) that are interconnected subnets of a larger wide area network (WAN). For instance, if the sub-networks are hosted by some provider, then we can model the provider's network topology only to the extent to which it is known. If so, then we can use the techniques here to get a risk estimate for the provider's network . Otherwise, we can (subjectively or based on service level agreements) assign a trust level to the provider's network and treat it as a black box for the overall risk analysis. As another application scenario, think of a large enterprise network, in which we divide the whole network into local subnets (e.g., designated core-switches for different departments within the company) that are part of the larger network. This is modeled as the "WAN" although it basically is a condensed view on a big LAN.

Suppose that we have a WAN , in which each subgraph node itself represents another LAN subnet , and each edge connects two "border-gateways" (these are the entry- and exit-points to the subnet). Figure 4 shows an example. The analysis of the WAN and its subnets is based on the following two intuitions:
1) From the WAN perspective, each subnet is represented as a single node, whose duty is only the delivery of payload through it. For that matter, we must assume that a subnet is a connected sub-graph, for otherwise, the WAN would contain routes that are physically impossible by the subnet topology. Depending on the particular internal structure of the subnet, we must do an individual and specific vulnerability analysis for the subnet and carry over this information as node-weight to the WAN for the higher-level vulnerability analysis within the WAN. All of these assessments are done using multipath transmission games in the way as described in the previous sections.
2) Each subnet delivers its payload using MPT, exactly as the WAN does. Let be the border-gateways within , then we set up and solve an MPT game (yielding the equilibrium ) and get a vulnerability estimate for the connection -for Within the super-graph the representation of the subnet is a single node with a weight-vector, and where the particular node-weight to set up the game-matrix is determined according to the exact entry- and exit-gateway when traversing the subnet . If the transmission game is played using the optimal choice rule , then the value upper bounds the probability for a successful attack on the "node" by the properties of the equilibrium distribution (see (1)). It can therefore be used to analyze the WAN in the final step, by treating the game as non-deterministic and taking the weights in the WAN.
To exemplify the treatment of subnets, especially the second of the above intuitions, consider a snippet of a WAN , showing a single subnet that is connected to three other nodes in . Figure 4a sketches the full network. The condensed network , shown in Figure 4b, has reduced to a single node with a vector of three weights that represent the vulnerabilities for the channels , and through the subnet . Now, consider the multipath game within , and a strategy that takes the (sub)route , then within this route, the node would receive the weight , since from , the payload enters through and leaves towards via the exit-gateway . Similarly, in the path , the "node" would have weight for the same reason. This simple trick extends our multipath transmission game setup to very large scale networks at a computationally efficient level.

VI. EXPERIMENTAL EVALUATION
For a practical evaluation, we implemented the described algorithms in a C++ prototype, and fed it a total of 210 random networks with scale-free topology (sampled under the Barabási-Albert model [38]) with node counts ranging from 20 to 150 (in steps of 10).
For outlier robustness, we computed the median running time in seconds for 15 random testcases per network size. Figure 5 displays the growth of the running time dependent on the network size. All benchmarks were carried out on an Intel Core i7 3.4 GHz with four physical cores and four virtual cores (through Hyper-Threading) with 8 GB of RAM and Windows 7 x64 installed. Since the actual running time is strongly dependent on the network topology, we give an empirically and statistically justified estimate of the time-complexity of our method. Calling the network size and the median running time, we fitted a linear model of the form with residues having a Gaussian distribution with zero mean (the exact parameters were of no interest, as the Gaussian distribution was assumed only for theoretical simplicity). The value of was obtained using standard techniques of linear regression, and the residue dataset for the -th testcase was tested for a Gaussian distribution using an Anderson-Darling test in the statistical software suite R (www.r-project.org). This null-hypothesis of Gaussian residues with zero mean was accepted by the test with a -value of 0.5069 at a significance level of . In addition, the Pearson-correlation coefficient came to , thus further substantiating the linear correlation between and empirically. This confirms the expected polynomial relationship between and , of roughly the form for the median calculation time in seconds for a network with nodes. Considering the problem and graph algorithms in charge, this growth is unfortunately not surprising. On the bright side, it turned out in the experiments that the analysis was rather fast for networks with up to nodes. Consequently, the analysis remains efficient for hierarchically structured networks. For instance, given a network with nodes, each of which is a subset with internal nodes and an average connectivity of, say , this makes independent simulations per subnet, and a total of simulations for all subsets, plus one final simulation for the WAN. Taking the median experimental running time seconds as representative, we would expect a running time of approximately hours for a network with nodes. Considering the obvious potential of parallelizing this process within a cloud (easy since all simulations, whether in the same or in different subsets, are entirely independent), the analysis of large-scale networks is feasible with the computing power available today.

VII. CONCLUSION
Our results indicate that multipath transmission is indeed doable and feasible in a network with many nodes, provided that some of the "bottleneck" nodes (cuts) can be secured by organizational or non-cryptographic means.
We showed how to practically set up the (otherwise abstract theoretical) transmission game that models the security of a multipath transmission via the attacker's advantage in breaking the security. Using analysis techniques of game theory, this gives a quantitative communication risk measure that can soundly be defined for more than just one security and adversary model. At the same time, it comes at serious computational cost, which can be relieved substantially by using heuristics and exploiting the network topology. Our proposed techniques require no change to existing implementations of max-flow or shortest-path algorithms, and therefore impose only little overhead in the implementation. As a by-product, we gain transmission reliability by choosing the most stable paths and also identify neuralgic points in the network by searching for the most vulnerable cut. All of this remains feasible even for very large networks, thanks to the efficiency of the known min-cut-max-flow algorithms. In a companion paper to this work, we will report on a practical implementation of the scheme in real networks.