Maximizing Availability of Content in Disruptive ... · Maximizing Availability of Content in Disruptive Environments by Cross-Layer Optimization ... solution to be part of a distributed

Maximizing Availability of Content in DisruptiveEnvironments by Cross-Layer Optimization

Minyoung KimComputer Science Laboratory

SRI InternationalMenlo Park, CA 94025, USA

[email protected]

Je-Min KimComputer Systems Laboratory

Sungkyunkwan UniversitySuwon 440-746, South Korea

[email protected]

Mark-Oliver StehrComputer Science Laboratory

SRI InternationalMenlo Park, CA 94025, USA

[email protected] Gehani

Computer Science LaboratorySRI International

Menlo Park, CA 94025, [email protected]

Dawood TariqComputer Science Laboratory

SRI InternationalMenlo Park, CA 94025, [email protected]

Jin-soo KimComputer Systems Laboratory

Sungkyunkwan UniversitySuwon 440-746, South Korea

[email protected]

ABSTRACTEmerging applications such as search-and-rescue operations,CNS (communication, navigation, surveillance), smart spaces,vehicular networks, mission-critical infrastructure, and dis-aster control require reliable content distribution under harshnetwork conditions and all kinds of component failures. Insuch scenarios, potentially heterogeneous networked compo-nents — where the networks lack reliable connections —need to be managed to improve scalability, performance,and availability of the overall system. Inspired by delay-and disruption-tolerant networking, this paper presents adistributed cross-layer monitoring and optimization methodfor secure content delivery as a first step toward decentral-ized content-based mobile ad hoc networking. In particu-lar, we address the availability maximization problem byembedding monitoring and optimization within an existingcontent-distribution framework. The implications of poli-cies at security, caching, and hardware layers that controlin-network storage and hop-by-hop dissemination of con-tent then are analyzed to maximize the content availabilityin disruptive environments. Additional benefits can be ob-tained by optimizing the control based on continuously ob-serving the response to anomalies caused by cyber-attacks.For example, if excessive (potentially fraudulent) content isinjected, the content distribution system can adapt withoutsignificantly compromising the availability.

Categories and Subject DescriptorsC.2.3 [Computer-communication Networks]: NetworkOperations—Network Management

General TermsDesign, Performance, Reliability, Security

Permission to make digital or hard copies of all or part of this work for

personal or classroom use is granted without fee provided that copies are

not made or distributed for profit or commercial advantage and that copies

bear this notice and the full citation on the first page. To copy otherwise, to

republish, to post on servers or to redistribute to lists, requires prior specific

permission and/or a fee.

SAC’13 March 18–22, 2013, Coimbra, Portugal

Copyright 2013 ACM X-XXXXX-XX-X/XX/XX ...$10.00.

KeywordsContent-based networking, distributed cross-layer monitor-ing and optimization, MANETs

1. INTRODUCTIONContent dissemination and service delivery in a disruptive

environment requires adaptive decentralized control to avoidslowing down the network and making critical services un-available when they are needed. Information access withina MANET (Mobile Ad-hoc Network) for search-and-rescueoperations by first responders who carry mobile devices canbe an operational demonstration scenario of content-basedmobile ad hoc networking where short latency and highavailability are crucial for a successful mission. In this situ-ation, wireless networks have severe bandwidth constraints,unreliable point-to-point communications, and very limitedbackhaul capability. Energy-constrained devices require ef-ficient utilization of resources. Under such circumstances,the naive flooding or gossiping of content delivery limitsscalability due to its high overhead. Strategies for activemanagement of content and resources require a decentral-ized content-based networking solution.

Content inserted into the network is stored and forwardedby cooperating nodes. Metadata and queries are also in-serted to represent essential attributes of content and to re-trieve appropriate content from the network. Routing andcaching perform in-network matching between metadata andqueries. Content and metadata/queries must be protectedby a decentralized security framework to enable access con-trol of content. Optimization of the content managementstrategy under constraints can be seen like many other prob-lems in networking as a utility maximization problem. Gen-erally, optimizations at each layer require situation- andresource-aware cross-layer adaptation that is cognizant offeatures, limitations, and dynamicity at each layer to main-tain content accessibility with reasonable tradeo↵s betweenavailability and bandwidth/energy e�ciency. For instance,the degree of redundancy for caching of content in a clusterof nodes should take into account the cluster density andstability (lower layer), and at the same time the type andimportance of the content (higher layer).

We propose a lightweight monitoring and optimization

framework to maximize the availability of content in a cross-layer manner. We extend an existing content-based net-working framework, Haggle [18], which is a suitable basisfor rapid prototyping and testing. Distributed monitoring isa core service to enable caching algorithms to make informedcontext-aware decisions about the state of the network with-out requiring a global view. Cross-layer optimization usesa notion of fitness or utility maintained for all nodes in adistributed fashion. Reactive and proactive caching policiesshould be guided by a measure of their utility to the nodes,which among other factors depends on the spatial distribu-tion of content over di↵erent storage sites.

A typical content dissemination framework consists of ap-plication, security, routing/caching, and hardware layers.For instance, the application aims to share content (e.g.,pictures) that matches interests (e.g., location) of users andnodes. In the security layer, parameterized control [6] canprovide a tradeo↵ space for information access control whilevarying its characteristics (e.g., reliability of access grantand revoke) at the granularity of individual content. In therouting/caching layer, utility-based dissemination [24, 2, 19]can move content closer to its destination by employing aresource allocation approach to determine the optimal con-tent to replicate or discard. Resources need to be managedto prolong the lifetime of devices and to maximize the de-livery of useful content within the given budget. In [10], wepresented preliminary results on a cross-layer security mech-anism in the context of group communication where eaves-dropping risk and data confidentiality were traded againstenergy consumption. In this paper, we extend the cross-layersolution to be part of a distributed content-based network-ing architecture and focus our e↵ort on the optimization ofavailability.

We present ideas for distributed monitoring and cross-layer optimization with dynamic adaptation in a layerless ar-chitecture.1 We embedded a monitoring/optimization man-ager into the Haggle framework, since it allows us to in-corporate existing algorithms, instead of mandating a spe-cific algorithm for each component. Parameterized security,utility-based replication, and energy policy are implementedas part of the security, forwarding, and resource managers,respectively. Our monitoring and optimization algorithmcollects and aggregates security, performance, and resource-related information and improves network performance andcontent availability by localized but coordinated distributedcross-layer control. We explore di↵erent policies and eval-uate their compositions on the CORE network simulator[1] with individual nodes represented by lightweight Linuxcontainers. The results indicate that lightweight monitoringand cross-layer optimization can improve content availabil-ity in disruptive environments.

2. CONTENT AVAILABILITY IN DISRUP-TIVE ENVIRONMENTS

In disruptive environments, the probability of a sourcebeing able to establish a simultaneous end-to-end path to adestination is very low. The use of opportunistic and possi-bly delayed contacts between the source and the destinationenables multihop communication with intermediate nodes

1Haggle is layerless architecture with its event-basedparadigm. The layers in this paper are logical conceptsrather than the implementation perspective.

acting as forwarders. The forwarding needs to be delay- anddisruption-tolerant in the sense that the intermediate nodesstore the messages (i.e., content) until forwarding opportu-nities will occur. This “store, carry, and forward” paradigmin opportunistic networks does not necessarily require any apriori knowledge on the network topology or link status at aglobal scale. Routing protocols and caching strategies noware very closely intertwined, because routes must be discov-ered hop by hop as each piece of content is being deliveredtoward its destination while the intermediate nodes evaluatethe utility of local caching and forwarding decisions.

To avoid causing congestion for other critical communica-tions, content is cached only opportunistically rather thanbeing flooded. However, there are situations or types ofcontent for which proactive replication is more e�cient andcan increase the availability of content. A replication algo-rithm should be not ad hoc, but inherently content-based,and intuitive concepts such as utility of replication need tobe expressed for e�cient and timely content delivery. Theutility should also take into account the probability of con-tent delivery to the destination (or a set of destinations).Security and resource provision are also important facets ofcontent availability. To make best use of resources, contentneeds to be protected by adaptive decentralized encryptionwith parameterized control for the key sharing and revoca-tion. Resources such as energy, bandwidth, and storage forcaching need to be traded o↵ against each other to optimizetheir usage.

2.1 Motivating ScenarioIn a search-and-rescue operation under challenging situa-

tions, participating nodes carried by the search-and-rescueteam are typically resource-constrained and often highly mo-bile (e.g., VANETs). Team members are interested in partic-ular types of content such as maps of the area and photos ofthe person to be rescued. Content is dynamically inserted tothe network and tagged with appropriate metadata such astimestamp and location. The success of a mission dependson reliable and e�cient content delivery to the interestednodes in a secure and timely manner with no assumptionon stable connectivities and resources. Consider situationswhere mobile nodes may pretend to be valid entities and,therefore, fraudulent information can be injected to severelycompromise the availability of content. Nodes generatingunnecessarily high volumes of content (due to all kinds ofreasons such as transient failures) impose excess load on thesystem, which can slow down the information flow.

This threat model requires dynamic configuration of indi-vidual (seemingly independent) techniques to compose ap-propriate protections against attack situations while alsomaking optimal use of resources. A content-sharing systemmust have mechanisms for resource management that opti-mize collective utility gained from the sharing system suchas content availability. For example, it is not recommendedto use nodes that su↵er from resource depletion (e.g., lowbattery, memory, bandwidth) to cache contents for futureforwarding. Strategies for securing content rather than hostsare parameterized to dynamically control the access of con-tent.

2.2 Rapid Prototyping in Haggle FrameworkHaggle [18] leverages the idea of in-network resolution to

o↵er content dissemination by matching content to interest.

Both metadata and interest are uniformly represented as at-tribute/value pairs. With weighted attributes and ranking,Haggle can limit the scope of local matching and prioritizeresults according to relative relevance. Applications registertheir interest for a certain content and also add content tothe network with metadata. The core system is an event-based framework consisting of a single event queue to co-ordinate the interactions among a set of managers with theHaggle kernel. Managers in Haggle are responsible for spe-cific tasks such as managing communication interfaces, en-capsulating a set of protocols, signing/verifying content, andsending content, etc. Managers use modules to implementspecific algorithms such as di↵erent forwarding algorithmsor protocols. The Haggle kernel and managers access a cen-tral repository, the Datastore, for content and informationabout nodes and their interfaces.

For our experiments, we modified three managers:

1. Resource manager — Nodes need to adjust their be-havior when resources are scarce. The resource man-ager issues resource policies, based on measurementsof residual battery, disk space, bandwidth, and so on.Under resource constraints, this may include limitingthe scope of dissemination, managing the level of secu-rity, and controlling power consumption in transmit-ting data. For distributed monitoring and optimiza-tion, the resource manager may also disseminate itspolicy to neighbors. Cross-layer optimization withineach node decides local resource policies based on dis-tributed monitoring and guides corresponding man-agers. The details of monitoring and optimization areexplained in Section 4.3.

2. Forwarding manager — When nodes are connected toothers, the forwarding manager is determined how con-tent is disseminated to its neighbors. A forwardingmodule that is plugged into the forwarding managerimplements a specific forwarding algorithm. An im-portant aspect of the forwarding architecture in Hag-gle are delegates, i.e., nodes that can relay and carrycontent in which they have no interest. We extendedthe existing forwarding manager to work with a newmodule for proactive replication of the content. Theforwarding manager tunes the dissemination to fit theresource policy (e.g., degree of replication).

3. Security manager — Providing primitives for signingand verifying content, authenticating neighbors, en-crypting/decrypting the content, and performing in-tegrity checks on content would be responsibilities of asecurity manager in Haggle. To make current practicedecentralized and content-specific, access control withmultiple consumers of content needs to be a policy-based operation. Dynamic policy on access requestand revocation needs to be controlled by parameterselection to allow applications to trade o↵ between se-curity characteristics and performance. We added asimple analytic model in Section 3.1 to the originalsecurity manager of Haggle to measure the impact ofdi↵erent access controls.

3. UTILITY-BASED OPTIMIZATIONWith heterogeneous nodes that are severely limited in

terms of their capabilities and resources in disruptive en-vironments, secure delivery of the content requires careful

0

50

100

a

0

50

100

b

0.000

0.005

0.010

r

(a)

0

50

100

a

0

50

100

b

0.000

0.005

0.010

r

(b)

Figure 1: Reliability of both request and revocationoperations as ↵ and � are varied from 0 to 100 each,with ⇢

c

= 0.9 and (a) µ = 0.3, (b) µ = 0.4.

investigation of the utility of both content and nodes. Tomaximize the availability of content, content with highercontent utility may have to be prioritized by using relayswith higher node utility. The content utility should be de-fined by the nature/amount of interest and the degree ofmatching. Access control for the content also plays a rolein content utility, as we explain in Section 3.1. In subse-quent subsections, our definition of the node utility will beintroduced.

3.1 Security Layer — Parameterized AccessControl

We use parameterized access control (PAC) operations bysplitting each permission into � fragments, of which ↵ arerequired for access to an object proposed in [6]. As long as(� � ↵+ 1) can be removed, revocation succeeds. Reducing↵ or increasing � improves the rate of finding su�cient frag-ments for an access request to complete. Decreasing (��↵)increases the probability of successfully revoking a right. Bytuning ↵ and �, the e�ciency of granting, revoking, and re-questing a right can be traded. Nodes may be unreachablebecause of a network partition, simply be powered o↵ ordisconnected, or actively refusing to cooperate. We modelthe collected behavior by assuming that each node operatescorrectly with probability 1 � µ. Selecting ↵ and � so thatthe ratio ↵

�

exceeds µ ensures that access control operationsare e↵ected with high reliability [6].

We define the utility of PAC in terms of the benefit ofthe reliability of the request and revocation operations, andthe cost of the computational, storage, and networking re-sources used by the PAC subsystem. Once we set param-eters ↵ and �, the reliability with which an access controlrequest will complete can be modeled with ⇢

request

(↵,�) =P��↵

i=0

��

i

�(1�µ)��i

µ

i

. Similarly, the reliability of revoca-

tion can be modeled with ⇢

revoke

(↵,�) =P

↵�1i=0

��

i

�(1�

µ)��i

µ

i

. Therefore, we examined the combined benefit of

(⇢request

� ⇢

c

)⇥ (⇢revoke

� ⇢

c

)

with reliability constraint ⇢c

, as shown in Figure 1.A capability can be split into � fragments, of which ↵

are needed to reconstruct it, using Shamir’s secret sharingscheme [21] or a derivative. Such schemes are implementedby evaluating an (↵ � 1)-degree polynomial at � points,which requires computing a total of (↵ � 1)� terms. How-ever, the latency introduced by this operation is negligiblein comparison to the storage and networking costs. Sincecopies of � fragments must be retained at nodes in the sys-tem, the storage cost is proportional to �. The networkingcost comprises components for transmitting � fragments to

remote nodes during a grant operation, retrieving fragmentsfrom at least ↵ remote nodes during a permission request,and contacting at least (��↵) remote nodes during a revo-cation operation.

If the insertion and retrieval of each fragment was carriedout serially, the complexity would be lower bounded belowby ↵ for fragment retrieval, and by (� � ↵) for e↵ecting arevocation. In practice, all three networking operations havecomplexity � since all fragments are inserted or requestedin parallel to minimize latency. From these observations,we simplify the cost factor to be proportional to �. Theutility consists of the reliability benefit normalized by thissimplified operational cost (i.e., �).

3.2 Routing/Caching Layer — Replicationwith Opportunistic Forwarding

In [24], the authors investigated the notion of fitness orutility in opportunistic networking. Rather than storing andforwarding a copy of content to the first nodes encountered,they maintain utility function at all nodes in a distributedfashion and replicate portions of available copies accordingto utility. In particular, the authors of [24] control param-eter L, the number of copies to be replicated with an epi-demic forwarding mechanism. A node with L replicas mayforward its copy L more times. Discovering the better re-lays is based on the utility function. Utility can be definedin several forms: destination-dependent (e.g., last-seen-first)or independent (e.g., most-mobile-first, most-social-first).We combine the utility-based replication approach with

Haggle’s delegation forwarding that allows replication sincethe delegators may not be interested in the content. TheProphet [16] forwarding module implements a probabilisticrouting protocol to delegate forwarding based on the statis-tics of node encounters and transitivity. The so-called pre-dictability in the Prophet routing metric tries to approxi-mate the idea that the relay will more likely deliver a mes-sage to the destination. Therefore, more replicas are appro-priate, and the definition of utility needs to incorporate thisaspect.Here we simply define the replication utility u

r of node i

for destination j as

u

r(i, j) = p(i, j)

where the probabilistic metric p(i, j) is computed as deliverypredictability from every node i for each known destinationj in Prophet [16]. For our experiments, we use the followingsample utility-based replication policy. If a node i1 carryingcontent for a destination j encounters node i2, it forwards

u

r(i2,j)u

r(i1,j)+u

r(i2,j)of its copies of that content to node i2 ac-

cording to the delivery predictability to node j.

3.3 Hardware Layer — Resource ProvisionTransmission power control can be an e↵ective way to

minimize the eavesdropping risk in an ad hoc wireless net-work as proposed in [8], where the w-th eavesdropping risk isdefined as the maximum probability of packets being eaves-dropped with w adversarial nodes. Using a simple model,the first order eavesdropping risk is bounded below by 1

3r,where r is the normalized transmission radius with nodes inan arbitrary random network. We define the destination-independent utility of node i as

u

p(i) =e(i)r(i)

Distributed M

onitoring &

Cross-Layer O

ptimization

Content Security Layer

Applications

Hardware Layer

Parameterized Access Control

Resource Provision

�, �

�c

µ, e

Control' Observable'

System

Constraint'

CORE Network Simulator Real Deployment

r, th

Content Routing/Caching Layer

LReplication with Opportunistic Forwarding'

Figure 2: Distributed monitoring and cross-layer op-timization framework.

where e(i) and r(i) represent residual energy and eaves-dropping risk of node i, respectively. When node i1 en-counters node i2, it avoids using i2 as a delegator node ifu

p(i1) ⇥ th > u

p(i2), where th indicates the threshold thatcontrols the load balancing based on energy resources.

4. CROSS-LAYER OPTIMIZATIONFigure 2 illustrates our system architecture for distributed

monitoring and cross-layer optimization. We adapt individ-ual layers’ utility-based optimization techniques as in Sec-tion 3. We aim to maximize the content availability byoptimizing an objective function based on observables suchas latency, energy, reliability, and user-defined soft and hardrequirements.2 The situation that the system behavior re-sides within the soft requirements is most desirable. Whenthe system is observed in between soft and hard require-ments, however, the optimizer needs to tune parameters suchas ↵,�. A hard requirement indicates an upper limit, abovewhich a user cannot tolerate the quality degradation. We de-fine the cost function of the observables X = (x

l

, x

e

, x

b

, x

r

)as

cost(x) =

8<

:

1 if x � h

1h�x

� 1h�s

if h > x � s

0 otherwise

where h and s represent user-defined hard and soft require-ments, respectively. The observables x

l

, x

e

, x

b

, x

r

concernlatency, energy consumption, bandwidth, and (un-)reliabilityin PAC, respectively. The objective function is defined as

obj(X) =1P

i

(weight

i

⇥ cost(xi

))

4.1 Optimization ProceduresGiven the objective function above, we adapt a simulated

annealing (SA) approach with a neighborhood operation [17]as optimization procedure. In [17], the authors implementedthe concept of exploitation and exploration in SA for con-tinuous parameter optimization from the observation that2We are not deriving content availability from u

s

, u

r

, u

p.Our focus is to use existing techniques at di↵erent layersrather to devise a new utility-based optimization. Moregeneric approaches that can take utility as an optimizationcriterion in a uniform way will be future work.

Neighborhood*Center*of*Solu2on*Region*

i0

i1

i2

i�0

i�1

in

Possible*Solu2on*Regions*at***i0( ), i1( ), i2( )

Solu2on*Space*

(b)(a)

Figure 3: Optimization procedures: (a) exploitationvs. exploration with neighborhood, (b) solution re-gion refinement by sampling.

with a vast search space it is impractical to choose directneighbors of the current solution as new candidate solutions.Instead, new candidate solutions can be chosen from somedistance of the current solution (i.e., neighborhood). Thereexists a tradeo↵ between exploitation (related to accuracy)and exploration (related to completeness) in selecting anappropriate size of the neighborhood. If the neighborhoodis too small, SA presents good exploitation capabilities butthe probability of reaching the global optimum is reduced.If the neighborhood is too large, SA has good explorationcapabilities to find the region of the search space containingthe global optimum but is less likely to exploit the optimumwithin the given region.

Figure 3(a) shows a sample execution of SA based on anempirically designed scaling function defining a neighbor-hood reduction phase i0 ! i1 ! i2 ! ... ! i

n

. Our on-line adaptive SA repeats the process of exploration and ex-ploitation to balance between accuracy and completeness.For continuous optimization, sometimes the neighborhoodneeds to be expanded between phases (e.g., i

n

! i

00) to

explore further possibilities or to take into account signif-icant changes in operational conditions (e.g., perturbationin environment or anomaly has been detected). However,we have not implemented neighborhood expansion in thisstudy. For exploitation, we use a fixed number of iterations(i.e., constant n) to perform experiments in Section 5.

We extend SA to improve robustness and composabilityby representing the current solution as a region [13], in-stead of a single best parameter setting that gives a max-imum objective value. As shown in Figure 3(b), we ob-tain observables by iterative sampling over the current re-gion represented by the Cartesian product of intervals foreach of the parameters. Given the parameter space P, aregion P 2 R(P) is a closed convex set P ✓ P, i.e., ifx, z 2 P and x < y < z, then y 2 P and P is finitelyrepresentable (e.g., interval-based). Each layer’s region hasthe form P

layer

= [pmin

1

, pmax

1

] ⇥ ... ⇥ [pmin

k

, pmax

k

], where[pmin

k

, p

max

k

] represents the interval for parameter pk

.We subsequently refine the region to achieve a given goal

(e.g., maximizing the average objective values for perfor-mance, maximizing the minimum objective values for ro-bustness). SA generates new candidate solutions within aneighborhood (i.e., current region). Based on the samplesavailable and the given refinement ratio ⌧ (0.0 < ⌧ < 1.0),P

0 is a possible refinement of P if size(P 0) = size(P ) ·⌧ andP

0 has an available sample in the center (see Figure 3(a)).The refinement that maximizes the objective based on itsenclosed samples becomes the new region for the next iter-

Parameter''Parameter'' pxpx

Parameter''Parameter'' pxpxParameter''p

y

Parameter''p

y

Parameter''p

y

Parameter''p

y

(a)Parameter''Parameter'' pxpx

Parameter''Parameter'' pxpx

Parameter''p

y

Parameter''p

y

Parameter''p

y

Parameter''p

y

(b)Parameter''Parameter'' pxpx

Parameter''Parameter'' pxpx

Parameter''p

y

Parameter''p

y

Parameter''p

y

Parameter''p

y

(c)

Parameter''Parameter'' pxpx

Parameter''Parameter'' pxpx

Parameter''p

y

Parameter''p

y

Parameter''p

y

Parameter''p

y

(d)

Figure 4: Solution refinement of (a) local vs. (b)global vs. (c)(d) compositional optimization.

ation. We define our compositional optimization based onthis representation in the following section.

4.2 Cross-Layer CompositionTo support online cross-layer optimization that computes

the refined parameter settings, a constraint refinement ap-proach [13] allows encapsulation of detailed system optimiza-tion information. In Figure 2, the key idea underlying thecompositional optimization is to exchange the local optimiz-ers’ solutions for a more informed parameter selection. Morespecifically, each local optimizer uses the other optimizer’srefinement results as its constraints. As an example, if thesecurity layer optimizer refines the PAC parameter ↵ to [20,60] and � to [15, 45], then the caching layer optimizer re-fines its parameter L to [5, 10], taking the security layer pa-rameter ranges as constraints. The caching layer results aretransmitted to the other layers’ optimizers for further refine-ment. Thus, constraints can be used as the generic interfaceamong di↵erent local optimizers, leading to improvement ofsolution quality at low complexity.

Figure 4 shows a simple example of solution refinementof local vs. global vs. compositional optimization, whereeach layer optimizes p

x

and p

y

, respectively. Solution refine-ment is a sequence of exploited sub-regions (of the parame-ter space) that satisfy a given goal using the interval-basedrepresentation. The input (P ) and output (P 0) of each re-finement step are regions. With local optimization, depictedin Figure 4(a), the refinement proceeds without consideringother layers, as illustrated with dashed boxes. The inter-section of refined regions is the set of admissible parametersettings at termination. Global optimization, depicted inFigure 4(b), samples over the entire parameter space to findan optimal solution. Our compositional approach lifts thelevel of abstraction by treating P as constraints when we re-strict the resampling space to find P

0. With the same num-ber of samples generated by SA, compositional optimizationshown in Figure 4(c) optimizes p

x

and restricts the samplingspace of other layers as shown in Figure 4(d).

Note that compositional optimization through constraintrefinement enables a controller to coordinate existing opti-

0

5

10

15

20

25

30

35

40

0 10 20 30 40 50 60 70 80 90 100

Ob

ject

ive

(M

in-A

vg-M

ax)

n-th Run

Objective Statistics

Average of Avg. Objective = 2.197Objective (Min-Avg-Max) Maximazing Avg

(a)

0

5

10

15

20

25

30

35

40

0 10 20 30 40 50 60 70 80 90 100

Ob

ject

ive

(M

in-A

vg-M

ax)

n-th Run

Objective Statistics

Average of Avg. Objective = 10.133Objective (Min-Avg-Max) Maximizing Avg

(b)

0

5

10

15

20

25

30

35

40

0 10 20 30 40 50 60 70 80 90 100

Ob

ject

ive

(M

in-A

vg-M

ax)

n-th Run

Objective Statistics

Average of Avg. Objective = 9.550Objective (Min-Avg-Max) Maximizing Avg

(c)

10

20

30

40

50

60

70

80

90

100

0 20 40 60 80 100

Be

ta

Alpha

Parameter Settings

L=1L=2L=3L=4L=5L=6L=7L=8 10

20

30

40

50

60

70

80

90

100

0 20 40 60 80 100

Be

ta

Alpha

Parameter Settings

L=1L=2L=3L=4L=5L=6L=7L=8

(d)

10

20

30

40

50

60

70

80

90

100

0 20 40 60 80 100

Be

ta

Alpha

Parameter Settings

L=2L=3L=4L=8

10

20

30

40

50

60

70

80

90

100

0 20 40 60 80 100

Be

ta

Alpha

Parameter Settings

L=2L=3L=4L=8

(e)

10

20

30

40

50

60

70

80

90

100

0 20 40 60 80 100

Be

ta

Alpha

Parameter Settings

L=2L=3L=4L=8

10

20

30

40

50

60

70

80

90

100

0 20 40 60 80 100

Be

ta

Alpha

Parameter Settings

L=2L=3L=4L=8

(f)

0

0.2

0.4

0.6

0.8

1

0 20 40 60 80 100

Th

resh

old

Communication Range (%)

Parameter Settings

0

0.2

0.4

0.6

0.8

1

0 20 40 60 80 100

Th

resh

old

Communication Range (%)

Parameter Settings

(g)

0

0.2

0.4

0.6

0.8

1

0 20 40 60 80 100

Th

resh

old

Communication Range (%)

Parameter Settings

0

0.2

0.4

0.6

0.8

1

0 20 40 60 80 100

Th

resh

old

Communication Range (%)

Parameter Settings

(h)

0

0.2

0.4

0.6

0.8

1

0 20 40 60 80 100

Th

resh

old

Communication Range (%)

Parameter Settings

0

0.2

0.4

0.6

0.8

1

0 20 40 60 80 100

Th

resh

old

Communication Range (%)

Parameter Settings

(i)

Figure 5: Objective statistics and parameter settings of (a)(d)(g) local vs. (b)(e)(h) global vs. (c)(f)(i)compositional optimization. (a)-(c) show that a local optimization leads to significantly low objective valuescompared that of global and compositional optimizations. (d)-(f) show that global and compositional opti-mizations can refine the replication parameter (L) to 4 with appropriate security layer parameter settings(alpha, beta) while a local optimization cannot find the stable parameter settings. (g)-(i) show that bothglobal and compositional optimizations find upper left corner (i.e., higher threshold and lower range) asproper settings for hardware layer parameters (threshold, range).

mizers that can potentially have conflicting objectives andbe possibly distributed. Treating local optimizers as blackboxes permits processing di↵erent objectives in parallel. Dif-ferent solutions obtained in parallel can be unified by takingthe intersection, which corresponds to the conjunction at thesymbolic level of constraints.

4.3 Implementation within HaggleDistributed monitoring involves measurements of local ob-

servables, across di↵erent layers — e.g., location of content,sources of interest, node density, degree of mobility, residualenergy, bandwidth consumption — which can be compactlydisseminated as system metadata. Among many observ-ables, we focus on latency, energy consumption, bandwidth,and reliability as a measure of availability. We add infor-mation to each Haggle node description with a particulartag (e.g., <attribute=energy, value=80>) to exchange theobservables.

Local utility-based optimizers (Section 3) are implementedin various managers of Haggle as we explained earlier. Forthe cross-layer optimization, we implemented the composi-tional method in this section within the resource managerof Haggle. In the resource manager, the monitoring modulecollects the observables in a distributed manner and keepsthem up to date with suitable aging mechanisms. The mon-itoring module maintains the mapping from the parametersettings to the observables. The optimizing module thenconsults the monitoring module to compute the e↵ect of pa-rameter settings (i.e., objective values). It specifically com-bines SA with constraint refinement to enable compositionaloptimization across layers.

5. EXPERIMENTSWe test our prototypical implementation on the CORE

network simulator [1]. We assume that 20 nodes move ac-cording to the random waypoint mobility model. An esti-

mate of the probability that a node misbehaves (µ) is com-puting the fraction of nodes to which it is connected. Sincethis value is di↵erent for each node at a particular point intime, we average it across all nodes. The value is normal-ized over the length of the simulation. The bandwidth used(x

b

) is measured by the number of bytes transferred in thesimulation. Given µ and parameter settings of ↵ and �, thereliability estimate (x

r

) is modeled in the security managerand observed by the monitoring module. The transmissionrange of a node (r) is a parameter of the simulation, and theresidual energy of a node (x

e

) is derived using a free spacemodel. We measure the average latency (x

l

) of a node at theapplication level. The fine-grained instrumentation code forcollecting the observables (e.g., per content latency) at theHaggle daemon level is ongoing work. As a first step towardonline optimization, we pre-train the monitoring module toprovide observables instantaneously.

We study the e↵ect of composition as a coordination mech-anism for cross-layer optimization. For the baseline, wecompare local optimization without interaction and globaloptimization in terms of the availability and parameter set-tings in Figure 5. Compositional cross-layer optimizationpresents reasonably close solutions to the global approachin the sense that the average objective value of the composi-tional approach resides between that of local and global op-timization. The relative execution time of the compositionalapproach is longer than the local optimization (without anycoordination) and shorter than the global approach (mostcomplex). Note that the refined parameter setting as deter-mined by local optimization is very di↵erent from that ofthe global approach while compositional optimization givessimilar results.

6. RELATED WORKA variety of techniques have been developed to trade the

use of authentication, signing, and encryption, at variouslayers in network communication [22]. The techniques mayreconfigure application-layer protocols, such as SSH and SSL,Internet protocols, such as IPsec, and MAC layer protocols,such as WEP and WPA, to avoid redundant security assur-ance [5]. Some of the earlier schemes trade security withother aspects of system utility, much in the way our workdoes. However, unlike earlier schemes, our work trades thesecurity characteristics of the system using parameterizedaccess control, which is a property of the data objects, ratherthan the network links they traverse.

Content-based routing and caching solutions for disruption-tolerant networking (DTN) [7, 14, 25, 18] require resourceprovisioning to determine storing or forwarding of a particu-lar piece of content to maximize its availability. Quantifyingthe benefit and cost of such operations can be formulated asa utility maximization problem [24, 2]. Our compositionaloptimization improves content-based utility by treating in-dividual layers as modules, which makes it easier for furthergeneralization to incorporate various local optimizers, suchas di↵erent routing or caching schemes.

Cross-layer optimization under constraints has been stud-ied in networking previously. Examples include formulatingthe network resource allocation problem as a cross-layer con-trol of transmission strategies [20] and modeling the networkas a utility maximization problem by layered decomposition[3]. While other work focused on the architectural decisions,a resource allocation framework [26] aimed at tuning the sys-

tem parameters across layers for energy-QoS-security gain.However, the solution requires full awareness of the systemdynamics (i.e., global optimization), which leads to highcomplexity unlike our compositional method that trades lo-cal utilities with each other.

7. CONCLUDING REMARKSBy integrating existing policies on secure content dissemi-

nation and resource provision across all layers, we have ana-lyzed their availability implications and presented a tech-nique to facilitate information access in a situation- andresource-aware manner. The prototype version implementedin the Haggle framework has the advantage of being ag-ile and flexible, which enables our work to be extended formore complex operating scenarios and protocol optimiza-tions. Even though we mainly focus on the improvement ofsystem availability and the utilization of limited resources inthis paper, the proposed approach of distributed monitoringand cross-layer optimization is also more generally useful forsystems with significant uncertainty or failures due to unre-liable components and physical phenomena as is typical forcyber-physical systems.

The overhead of monitoring (e.g., to what extent full sys-tem information is available, and at what cost) and runtimeaspects of the approach will have to be included and tradedwithin the parameter space. We are currently extendingour composition methods to handle a variety of utility func-tions (e.g., role-based information access) with compositemetrics (e.g., rate and latency of content delivery) for moreconcrete measure of availability. For higher-level measures,light-weight information fusion and aggregation techniquesneed to be developed, as they are used in sensor networks.We plan to explore content linkage to reduce the latencyproactively (e.g., store in proximity or prefetch). Further-more, the optimization objective should be adaptive to ac-commodate the application behavior and interest.

We also plan to improve our models to include real-worldimplementations of parameterized security and energy man-agement on Android devices. Applying our compositionalmethod with routing mechanisms for e�cient content deliv-ery (e.g., potential-based routing [4], interest-driven routing[23]) and network coding for MANETs [15] is another inter-esting avenue. The declarative networking framework [11]and its logical foundation [12] for control and optimization ofcyber-physical systems can also benefit from this approach.For instance, the compositional method can leverage thepartially ordered knowledge sharing model by integratingit into the PADO (Parallel And Distributed Optimization)framework [9].

AcknowledgmentsThis material is based in part upon work supported by the U.S.Department of Homeland Security under Grant Award Number2006-CS-001-000001, under the auspices of the Institute for In-formation Infrastructure Protection (I3P) research program. TheI3P is managed by Dartmouth College. The views and conclu-sions contained in this document are those of the authors andshould not be interpreted as necessarily representing the o�cialpolicies, either expressed or implied, of the U.S. Department ofHomeland Security, the I3P, or Dartmouth College.

This material is based upon work supported by the NationalScience Foundation under Grants CPS-0932397 and IIS-1116414.Any opinions, findings, and conclusions or recommendations ex-

pressed in this material are those of the authors and do not nec-essarily reflect the views of the National Science Foundation.

Additional support from the National Research Foundation ofKorea (NRF) Grant No. 2010-0026511 funded by the KoreanGovernment (Ministry of Education, Science and Technology) isgratefully acknowledged.

8. REFERENCES[1] http://cs.itd.nrl.navy.mil/work/core.[2] A. Balasubramanian, B. Levine, and

A. Venkataramani. DTN routing as a resourceallocation problem. In Proc. Conf. on Applications,Technologies, Architectures, and Protocols forComputer Communications, SIGCOMM ’07. ACM,2007.

[3] M. Chiang, S. H. Low, A. R. Calderbank, and J. C.Doyle. Layering as optimization decomposition:amathematical theory of network architectures. InProceedings of the IEEE, volume 95, pages 255–312,Jan. 2007.

[4] S. Eum, K. Nakauchi, T. Usui, M. Murata, andN. Nishinaga. Potential based routing for ICN. InProc. 7th Asian Internet Engineering Conf., AINTEC’11, pages 116–119. ACM, 2011.

[5] F. Foukalas, V. Gazis, and N. Alonistioti. Cross-layerdesign proposals for wireless mobile networks: asurvey and taxonomy. Communications Surveys &Tutorials, IEEE, 10(1):70–85, 2008.

[6] A. Gehani and S. Chandra. Parameterizing accesscontrol for heterogeneous peer-to-peer applications.3rd International Conference on Security and Privacyin Communication Networks (SecureComm), 2007.

[7] V. Jacobson, D. K. Smetters, J. D. Thornton, M. F.Plass, N. H. Briggs, and R. L. Braynard. Networkingnamed content. In CoNEXT ’09: Proc. 5th Int. Conf.on Emerging Networking Experiments andTechnologies, pages 1–12. ACM, 2009.

[8] J.-C. Kao and R. Marculescu. Minimizingeavesdropping risk by transmission power control inmultihop wireless networks. IEEE Trans. Comput.,56(8):1009–1023, 2007.

[9] J. Kim, M. Kim, M.-O. Stehr, H. Oh, and S. Ha. Aparallel and distributed meta-heuristic frameworkbased on partially ordered knowledge sharing.ELSEVIER Journal of Parallel and DistributedComputing (JPDC), 72(4):564–578, 2012.

[10] M. Kim, M.-O. Stehr, A. Gehani, and C. L. Talcott.Ensuring security and availability throughmodel-based cross-layer adaptation. In UIC, volume6905 of Lecture Notes in Computer Science, pages310–325. Springer, 2011.

[11] M. Kim, M.-O. Stehr, J. Kim, and S. Ha. Anapplication framework for loosely coupled networkedcyber-physical systems. In 8th IEEE Int. Conf.Embedded and Ubiquitous Computing (EUC’10), 2010.

[12] M. Kim, M.-O. Stehr, and C. Talcott. A distributedlogic for networked cyber-physical systems. In Proc.IPM Int. Conf. on Fundamentals of SoftwareEngineering, FSEN’11. Springer-Verlag, 2011.

[13] M. Kim, M.-O. Stehr, C. Talcott, N. Dutt, andN. Venkatasubramanian. Constraint refinement foronline verifiable cross-layer system adaptation. In

DATE ’08: Proc. Design, Automation and Test inEurope Conf. and Exposition, 2008.

[14] R. Krishnan, P. Basu, J. M. Mikkelson, C. Small,R. Ramanathan, D. W. Brown, J. R. Burgess, O. L.Caro, M. Condell, N. C. Go↵ee, R. R. Hain, R. E.Hansen, C. E. Jones, V. Kawadia, D. P. Mankins, B. I.Schwartz, W. T. Strayer, J. W. Ward, D. P. Wiggins,and S. H. Polit. The SPINDLE disruption-tolerantnetworking system. In IEEE Military CommunicationsConference, 2007.

[15] U. Lee, J.-S. Park, S.-H. Lee, W. W. Ro, G. Pau, andM. Gerla. E�cient peer-to-peer file sharing usingnetwork coding in MANET. J. Communications andNetworks (JCN), Special Issue on Network Coding,10(4):422–429, Dec. 2008.

[16] A. Lindgren, A. Doria, and O. Schelen. Probabilisticrouting in intermittently connected networks.SIGMOBILE Mob. Comput. Commun. Rev.,7(3):19–20, July 2003.

[17] L. Nolle, A. Goodyear, A. A. Hopgood, P. D. Picton,and N. S. J. Braithwaite. On step width adaptation insimulated annealing for continuous parameteroptimisation. In Proc. Int. Conf. 7th Fuzzy Days onComputational Intelligence, Theory and Applications,pages 589–598, 2001.

[18] E. Nordstrom, P. Gunningberg, and C. Rohner. Asearch-based network architecture for mobile devices.Uppsala University, 2009.

[19] J. Reich and A. Chaintreau. The age of impatience:Optimal replication schemes for opportunisticnetworks. In Proc. Int. Conf. Emerging NetworkingExperiments and Technologies, CoNEXT ’09, pages85–96, New York, NY, USA, 2009. ACM.

[20] M. V. D. Schaar and S. Shankar. Cross-layer wirelessmultimedia transmission: challenges, principles, andnew paradigms. IEEE Wireless Communications,12:50–58, 2005.

[21] A. Shamir. How to share a secret. Commun. ACM,22(11):612–613, 1979.

[22] S. Sharma, R. Mishra, and K. Singh. A survey oncross layer security. In IJCA Proceedings on NationalConference on Innovative Paradigms in Engineeringand Technology (NCIPET 2012), number 5.Foundation of Computer Science (FCS), 2012.

[23] I. Solis and J. J. Garcia-Luna-Aceves. Robust contentdissemination in disrupted environments. In Proc.Third ACM Workshop on Challenged Networks,CHANTS ’08, pages 3–10. ACM, 2008.

[24] T. Spyropoulos, T. Turletti, and K. Obraczka.Utility-based message replication for intermittentlyconnected heterogeneous networks. In WOWMOM,pages 1–6. IEEE, 2007.

[25] V. Kawadia, N. Riga, J. Opper, and D. Sampath.Slinky: An adaptive protocol for content access indisruption-tolerant ad hoc networks. In ACM MobiHoc2011 International Workshop on Tactical Mobile AdHoc Networking, 2011.

[26] W. Wang. Quality-driven cross layer design formultimedia security over resource constrained wirelesssensor networks. Ph.D. dissertation, University ofNebraska, Lincoln, Dept. of Computer and ElectronicsEngineering, 2009.