You are on page 1of 36

Self-healing networks

When the going gets tough, the tough get going


L.Spaanenburg. Groningen University, Department of
Computing Science. P.O. Box 800, 9700 AV, Groningen.
Mail: ben@cs.rug.nl, http://www.cs.rug.nl/~ben
2001 IPA Spring Days
on
Security
April 2001 IPA Spring Days - Security 2
Motivation
Security involves the guaranteed access
to all resources at all times with top quality

Threats: - from outside
- from inside

Here: internal diseases only
What is security?
April 2001 IPA Spring Days - Security 3
Agenda
The nature of the net
Disasters with central control
The nature of self-healing
In-line monitoring
A hardware / software perspective
Research view
What we need and what we cant
April 2001 IPA Spring Days - Security 4
The weak spot
A network is billions of tightly connected
distributed heterogeneous components
Things happen on a wide time/spatial scale with
massive interaction
A local disturbance can spread widely in zero
time
Relationships and interdependencies are too
complex for mathematical theories
It is the small dog that bites!
April 2001 IPA Spring Days - Security 5
Users perspective on networks
An integrated Power Information
Communication technology
April 2001 IPA Spring Days - Security 6
Telephone network
A network can be a tree with central control
connection
local
exchange
2nd-order
exchange
1st-order
exchange
short distance
medium distance
long distance
April 2001 IPA Spring Days - Security 7
Data Network
Connectionless communication by broadcast
Subnet
LAN
Host Router
April 2001 IPA Spring Days - Security 8
Means of Communication
Synchronous
PDH: Plesiochronous Digital Hierarchy
SDH: Synchronous Digital Hierarchy
ISDN: Integrated Services Digital Network

Asynchronous
FDDI: Fiber Distributed Data Interface
FR: Frame Relay
ATM: Asynchronous Transfer Mode

Sigh, there are some many ways to communicate
April 2001 IPA Spring Days - Security 9
Sources of Abnormality
Attacks from the outside world
(service attack)
Hick-ups in the network communication
Failures on the network nodes

Its a detection problem!
What goes wrong, will go wrong
April 2001 IPA Spring Days - Security 10
The Keeler-Allston disaster
On 10 August 1996, the Keeler-Allston 500 kV
power line tripped creating voltage depression
and the McNary Dam went to maximum
The Ross-Lexington 230 kV line also tripped
and pushed the McNary Dam over the edge
The McNary Dam sets off oscillations that went
to 500 MW within 1.5 minutes
The North-South Pacific INTER-tie isolated 11
US states and 2 Canadian provinces
The network is vulnerable for local abnormalities
April 2001 IPA Spring Days - Security 11
The 1998 Galactic page out
In May 1998, the Galaxy-IV satellite was
disabled by unknown causes
US National Public Radio and 40M pagers
went out, airline flights delayed and data
networks had to be manually reconfigured
Many geo-stationary satellites are 800 1400
km; 13 (60-), 35 (70-), 69 (80-) and 250 (90-)
10 million pieces of debris > 1 mm
The weak belly of the Earth
April 2001 IPA Spring Days - Security 12
Other fault cascades
Finagles Law
Anything that can go wrong, will

Antibiotics cause resistance (DDT)
Code replication also works for errors
Cause/effect relations occur frequently
April 2001 IPA Spring Days - Security 13
Self-healing in history
1993 AT&T announced the self-healing
wireless network
1998 SUN bought the RedCape Policy
Framework for self-healing software
1998 HP released the sefl-healing version
of OpenView Network Node Manager
2001 Concord Com. Announced
self-healing for the home
The name has been used before
April 2001 IPA Spring Days - Security 14
Self-Healing ingredients
Application handling the communication
Presentation message formatting
Session controls traffic between parties
Transport converts packets into frames v.v.
Network controls frame routing
Data Link frames of bit sequences
Physical relays physical quantities
Self-healing = Detection + Diagnosis + Self-Repair
Network
Test
Node
Test
Recon-
figure
April 2001 IPA Spring Days - Security 15
An Initiative in Self-Healing
The CIN/SI is funded by the Electronic Power
Research Institute and the US Dept. of Defense
as part of the Government-Industry
Collaborative University Research program
28 universities in 6 consortia started Spring
1999 to spent $30 M in 5 years
The approach is multi-agent technology
The Complex Interactive Networks/Systems Initiative
April 2001 IPA Spring Days - Security 16
CIN/SI consortia
[CalTech] CIN Mathematical Foundation
[CMU] Context-dependent Agents
[Cornell] Failure Minimization
[Harvard] Modeling and Diagnosis
[Purdue] Intelligent Management
[Washington] Defense to Attacks
The different aspects of self-healing
April 2001 IPA Spring Days - Security 17
Key issues
Pre-programming misses the target by lack of
context dependence
No damage would have occurred if the load on
the McNary Dam would have decreased by
0.4% during the next 30 minutes

Local agents making real-time decision would
have eliminated the Keeler-Allson disaster.
Central control comes too late by definition
April 2001 IPA Spring Days - Security 18
Basic agent types
Agents are called cognitive or rational when
equipped with clear rules and algorithms
Agents are called reactive when their
functioning depends on the interrogation of the
environment
Both type of agents are required on the decision-
making layers handling respectively reaction,
coordination and deliberation
What are agents?
April 2001 IPA Spring Days - Security 19
CIN/SI architecture (1)
Operational control of the power plant
Power System
Protection
Agents
Generation
Agents
Controls
Faults Isolation
Agents
Frequency Stability
Agents
Events/alarm
Filtering Agents
Model update
Agents
Command
Agents
Events/
alarms
Triggering events Plans/Decisions
April 2001 IPA Spring Days - Security 20
CIN/SI architecture (2)
Strategic management of the power grid
Events/alarm
Filtering Agents
Model update
Agents
Command
Agents
Triggering events Plans/Decisions
Events Identification
Agents
Planning
Agents
Restoration
Agents
Vulnerability Assessment
Agents
Hidden Failure
Monitoring Agents
Reconfiguration
Agents
April 2001 IPA Spring Days - Security 21
Monitoring the process
Strategic decisions on tactic control
Monitor
Process Control
Sensor
Actuator
April 2001 IPA Spring Days - Security 22
The network emphasis
The network glues the agents together
Network
Agent
Agent Agent
Agent Agent
Agent
April 2001 IPA Spring Days - Security 23
Defect looses all
But what we need is:
Mutual observation between nodes
Group decision of testing agents
Implied reconfiguration of the network

How can we facilitate
testing with agent properties?
Majority voting is a centralized consensus scheme
April 2001 IPA Spring Days - Security 24
Agent characteristics
What is security?
sen
sors
effec
tors
Behaviour
mouse
messages
...
other agents
messages
move
change appearance
speak
Independent, Reactive,Proactive, Social
April 2001 IPA Spring Days - Security 25
Built-in Block Observation
Testing complex systems requires autonomy
generator
process
verifier
April 2001 IPA Spring Days - Security 26
Linear Feedback Shift-register
When data flows over identical nodes,
the typical function can be characterized
by the feedback polynomial
Generation of ordered bit strings by EXORs
0 1 6
x x x +
April 2001 IPA Spring Days - Security 27
Friedmann model
The aim is for a locally compacted set of patterns


Process


I O
Q
April 2001 IPA Spring Days - Security 28
A basic function
A simple low-pass filter



Takes a data sampling routine,
multiplying adder and final function 1/N.
Proto-typical software on a small PIC controller

=

=
1
0
) (
1
N
i
i t i
x c
N
z
April 2001 IPA Spring Days - Security 29
A neuron
A simple neuron



Is similar to the low-pass filter except for
the incoming data. Operates from the
same input data ring-buffer.
Intelligence can be built from filtering
|
|
.
|

\
|
=

=
1
0
) (
N
i
ij i
x w f z
April 2001 IPA Spring Days - Security 30
A neural network
A feed-forward network




Differs only in the layer-by-layer
switching of the I/O-blocks
Where there is one neuron, there can be more
|
|
.
|

\
|
|
|
.
|

\
|
|
|
.
|

\
|
=

=
1
0
1
0
) (
M
j
N
i
ij i j
x w f w f z
April 2001 IPA Spring Days - Security 31
Non-Linear Feedback SR
When data flows over identical nodes,
the typical function can be characterized
by the globally recurrent neural network
Generation of ordered patterns by Correlators


t
x w
April 2001 IPA Spring Days - Security 32
Neural Observation
Analog correlation is about finding the
functional similarity
Digital correlation is the same except for the
effect of crisping
Random access storage is always larger than
storage of an ordered function
The neurally approximated function allowes
for a dense salvage of ordered I/O-pairs
Analog correlation looks like digital EXOR
April 2001 IPA Spring Days - Security 33
Data-Flow Architecture
When data flows over identical nodes,
the typical function can be characterized
Built-In Logic Block Observation
The BIFBO can also be shared with
neighboring nodes
Built-In Function Block Observation
The local test does not differentiate between
hardware and software
Data discrepancy is low-level abnormal behavior
April 2001 IPA Spring Days - Security 34
Question 1
If you can not test it, then its not worth
to design it.
Hierarchical design needs a hierarchical
test.
Abstraction gives a condensed view on
reality.
Abstraction provides for scalability.
Is there an abstractional test?
April 2001 IPA Spring Days - Security 35
Question 2
Interaction is good, conflicts are less
If resources have a state, access should be
bounded by state
Conflicting services pose basically a
scheduling problem
Its hard to schedule over an arbitrary
network
Is feature interaction really a static problem?
April 2001 IPA Spring Days - Security 36
Question 3
Design should be scalable; test is no exception.
Detection can do without diagnosis;
Diagnosis can not go without detection.
Testing can be based on area (coverage) or on
frontier (sensitivity)
The boundary between software and hardware
is still moving
Do neural networks provide for a built-in test?

You might also like