1

QoS2: A Framework for Integrating Quality ofSecurity with Quality of Service

Tarik TalebSenior Member, IEEEand Yassine Hadjadj-Aoul

Abstract—Different security measures have emerged to en-counter various Internet security threats, ensuring a certain levelof protection against them. However, this does not come withouta price. Indeed, there is a general agreement that high securitymeasures involve high amount of resources, ultimately impactingthe perceived Quality of Service (QoS).

The objective of this paper is to define a framework, dubbedQoS2, that provides means to find a tradeoff between securityrequirements and their QoS counterparts. TheQoS2 frameworkis based on the multi-attribute decision making theory. Theper-formance of theQoS2 framework is evaluated through computersimulations. A use-case considering worm email detection is usedin the performance evaluation.

I. I NTRODUCTION

Providing services with high perceived QoS is known tobe frequently antagonistic with the provision of highly secureservices. Indeed, security mechanisms clearly involve extraresources [3], which may impact the perceived QoS or evendegrade the overall system performance.

This observation has been also confirmed by some of ourprevious research work, pertaining to detection of Internetworms in large scale networks [4], and detection and traceback of sophisticated attacks using encrypted protocols [5].The work in [4] indicates that the longer the generatedsignature is, the more accurate the detection is. However, thisalso increases the end-to-end delay and impacts the overallQuality of Experience (QoE) of users. In [5], an IntrusionDetection System (IDS) capable of detecting attacks usingcryptographic protocols was devised. The devised IDS usesstrategically distributed Monitoring Stubs (MSs) that sniff theencrypted traffic, extract features for detecting these attacksand construct normal usage behavior profiles. Upon detectingsuspicious activities, the MSs notify the victim servers, whichmay then take necessary actions. Depending on the detectedattack, such actions may introduce additional delays to theend-to-end delay to disable attackers from making accurateestimates of the processing time required for the decryptionof a particular key (e.g., remote time attack [6]). Such actionsmay also involve a random discarding of packets (e.g., pass-word attack). All in all, existing network security measuresmay have a side effect on the overall QoS of the system. Itis thus imperative to deploy security requirements along withtheir QoS counterparts.

T. Taleb is with NEC Europe LTD, Heidelberg, Germany. Email:taleb-tarik@ieee.org.

Yassine Hadjadj-Aoul is with the University of Rennes, France. Email:yassine.hadjadj-aoul@irisa.fr

Many researchers have, recently, started using the terms“Quality of Protection”, when addressing the issue of in-tegrating QoS with security, whereby sensitive informationis protected using adequate authentication and cryptographicalgorithms to ultimately ensure QoS [7]. For example, thework in [8] introduces a middleware adaptation scheme thatdynamically tunes the encryption key length of the underlyingencryption algorithm to the actual end-to-end delay. Themajor drawback of this work consists in its vulnerability toattacks such as man-in-the-middle [9]; in other words the workensures a level of QoS but this comes at the price of somesecurity flaws.

In this paper, our main concern is to design a novel frame-work, entitledQoS2 (i.e., Quality of Service and Security),that enables network protection from malicious usage andattacks.However, in the absence of a potential threat, theQoS2 framework, in an autonomic way, relaxes the system’soverall security requirements in case the required QoS arenot met under the current security settings. The frameworkprovides an adjustable level of security to ensure acceptableQoS employing a Multi Attribute Decision Model (MADM)approach. An abridged version of this work has appeared in[1].

The remainder of this paper is organized as follows. SectionII provides an overview of the state of the art. Section IIIdescribe inn details the envisioned QoS2 framework. SectionIV portrays the simulation setup and discusses the obtainedresults. The paper concludes in Section V with a summaryrecapping the main advantages and achievements of the pro-posed frameworks.

II. RELATED WORK

In [2], Shenet. al. claimed that little work has been doneon the interaction between QoS and Security in networks.They noticed that while QoS and Security used to be treatedas separated entities, they strongly impact each other andthus should be considered together when designing protocolsfor Mobile Ad-Hoc Networks (MANETs). For this reason,they proposed a distributed dynamic management system thatshould keep QoS and Security as good as possible in MANETseven if the available network resources change.In [3], Irvineet. al.suggest a Quality of Security Service (QoSS) theory thathandles security as a dimension of QoS. A brief description ofthe proposed framework is given illustrating the use of variantsecurity mechanisms and policies that should allow distributedResource Management Systems (RMSs) to support the userrequirements for both performance and security.

2

To enable service providers to advertise Security of Service(SoS) to their clients, researchers investigated the incorpo-ration of security parameters into the Service Level Speci-fications (SLS) [10], [11]. The selected security parametersare integrated to enhance SLA-based management of QoSwith the generation of network policies that guarantee thereservation of adequate resources for meeting both securityand QoS needs. In [11], it is found that the integrated securityprotocol impacts the resources during the initialization phasein which the security context is established (i.e., during keygeneration, negotiation of the used algorithms, and so forth).This consumes the processing power of the end hosts, memory,and also adds to the end-to-end delay. The specific protocoldata (IPSEC/TLS header) also consumes higher bandwidth. Inorder to determine the precise impact of the security protocolon the network bandwidth, different security levels applied onIPSec revealed the bandwidth costs for a MPEG video and aDVD sequence. It is found that while the multimedia sequencequality, the confidentiality level, and the authenticationandintegrity level do not impact much the bandwidth cost, thechoice of the security services and the protocol do.

To ensure both QoS and security requirements, some re-searchers addressed the problem using an adequate adaptivetheory. For instance, the work in [12] exploits the co-operativegame theory-based strategies to model the interaction betweenintruders and IDSs in MANETs and wired networks. On theother hand, Bayesian Nash algorithm is employed in [13] toanalyze the interaction between an intruder and a defenderin both static and dynamic network settings with the aid ofmonitoring systems. Nash equilibrium-based game theoreticstudies have also been conducted towards solving QoS prob-lems (i.e., without any security incorporation) involvingpowerand rate control problem where network users compete witheach other to obtain maximum throughput with minimumenergy consumption [14]. While these work, based on gametheory and probabilistic models, may be able to formulate theproblem of intrusion detection in a general case, they are notrealistic for addressing the intricate interaction of multi-levelQoS and security requirements. In order to formulate the QoS-security problem, we resort to the use of a distributed andelegant algorithm obtained from the Multi Attribute DecisionMaking (MADM) theory. As defined in [18], MADM means”making preference decisions (e.g., evaluation, prioritization,selection) over the available alternatives that are characterizedby multiple, usually conflicting attributes”.MADM approachcan be applied using different algorithms. Some of the com-monly used ones are the Simple Additive Weighting (SAW)and Minimal Distance to Utopia Point (MDUP) algorithms.Authors in [17] conclude their performance evaluation thattheTechnique for Order Preference by Similarity to Ideal Solution(TOPSIS) algorithm outperforms both the SAW and MDUPalgorithms. The advantages offered by MADM approach aremore evident with the implementation of TOPSIS which weuse in this paper.

III. E NVISIONED SOLUTION

Before delving into details about possible security-QoSintegration, it is important to investigate the security challenges

and their counter-measures. To this end,in the Europeanresearch group ResumeNet [15]1, a taxonomy is developedto systematically document and assess the impact of variouschallenges, which pose a threat to the system. This taxonomyfirst identifies the challenge categories that reflect the nature ofthe challenge. A second-level classification is then formulatedbased on the specific scenario to which this challenge applies.The work then addresses the need to formulate defensivemechanisms for each of the challenges in different scenarios,and to also find the appropriate defensive measures. Byperforming rigorous system analysis and understanding thechallenges that lead to the high likelihood of systems failures,in addition to learning from past events, in the ResumeNetproject a library of the best possible defensive mechanismsspecific to the given challenge and the prevailing scenario orset-up is built. Whilst the purpose of our current work is notto explicitly deal with these defensive mechanisms, we intendemploying feedback from them in our QoS2 framework forintegrating security with QoS attributes.

In this paper, we envision a “network security advisorysystem” with a number of threat levels ranging from lowto severe. The security advisory system defines the threatlevel of the network based on events reported by entitiessuch as firewalls and IDSs. It analyzes the events in specifictimeslots and constantly updates the threat level. For eachthreat level and each associated security level, a particulardefensive measure can be applied, following the taxonomydeveloped in [15].

Based on the alert level indicated by the security advisorysystem, we are interested in devising a security/QoS policycontrol that indicates the security level that should correspondto a desired QoS level. When under the indicated threat level,the security advisory system recommends a range of secu-rity levels (e.g., range of encryption/decryption key lengths,anomaly detection score, worm signature lengths, etc), weare interested in finding out the highest security level thatshould be selected in a way that the QoS requirements of usersare not compromised. If for a particular security level, fromwithin the recommended range, the QoS requirements of userscannot be satisfied (i.e., this can be inferred from a learningphase), the security/QoS policy control unit asks for securityrelaxation. In contrast, if the network is under potential attackand the security advisory system recommends the highestsecurity level, the system has to stick to the recommended levelalthough this decision may compromise the required QoS. QoSrelaxation (e.g., transmission rate adaptation), thus, becomesmandatory in such a case.

Note that the proposed framework can be integrated intoService-Oriented Architectures (SOA), as either: (i) a module,which helps to decide the best suited quality, into the SOAlayer, or (ii) a web service into the implementation layer.Particularly, it can clearly enriches the framework, providedin [23], which allows to integrate dependability and securityconcepts in service-oriented architectures. Indeed, thiscanpermits to find-out the tradeoff existing between securityrequirements and their QoS counterparts provided by the users,

1The present research work is part of the ResumeNet project.

3

as it is not provided by the framework proposed in [23].

A. Envisioned architecture

Fig. 1 depicts an example deployment scenario, portray-ing a carrier transport network administrated by a particularNetwork Operator (NO) and connecting a number of con-tent/service providers (i.e., clients of the network operator)to their customers, located in different local networks. Thecorresponding network architecture along with the envisionedinterfaces between the different network components is illus-trated in Fig. 2. The architecture is divided into two levels,namely the network and the service levels, which are in turnsplit into the control and data planes. The overall networktopology comprises a number of Monitoring Stubs (MSs),which are intelligently deployed over the core network nexttostrategic routers. These MSs form a hierarchical threat detec-tion system, consisting of two layers, namely Local SecurityMonitors (LSMs) and Metropolitan Security Monitors (MSM).The LSMs gather information about behavioral anomaly of aparticular local network and deliver them to the respectiveMSMs (i.e., using interfaceF1 in Fig. 2). Upon receivinginformation about a suspicious event from one of its LSMs, aMSM filters through its database of past attacks and evaluatesif the threat is real. If the suspicious event is matched withone of the previous threats, the MSM notifies the securityadvisory (i.e., via interfaceA2). The security advisory containsa library of existing attacks and their counter-measures (i.e.,following the taxonomy developed in [15]). The securityadvisory verifies if a similar threat originated from any otherlocal networks administrated by another MSM (e.g., in case ofrapid worm spread or DDoS traffic). The security advisory alsoconsults its library of counter-measures (i.e., built followingthe taxonomy developed in [15]) to find the most appropriatemechanism to combat against the arising challenge. Then,the security advisory defines the threat level and relays theinformation pertaining to the threat detection and countermechanism to all MSMs (i.e., viaA2 interface), which inturn, forward the information to all collaborating LSMs (i.e.,via F1 interface). When security measures are to be partiallyor fully enforced at the network elements (e.g. routers), thesecurity advisory instructions are communicated by LSMsand MSMs to the respective network elements via theI1and I2 interfaces. The security advisory also notifies theservice managers of the different service providers (i.e.,viaA1interface) of details on the on-going threat and triggers them totake adequate measures to adapt their QoS demands to the newnetwork dynamics. Instructions on QoS adaptation/relaxationis communicated either to servers usingSM2 interface, to endusers usingSM1 interface, or to both when required.

B. MADM-based QoS-security level decision model

The QoS2 system aims to apply a security level under acertain attack while maintaining a good level of QoS. QoS andsecurity requirements are known to be conflicting in general,hence the merits behind employing a multi-attribute decisionmaking (MADM) algorithm for the determination of securitylevel vs. QoS level. QoS2 relies on the advisory system that

Fig. 1. An example deployment scenario.

Fig. 2. Network architecture of the envisionedQoS2 framework.

recommends for a given threat level, a range of security levelsthat could counter the attack. Then the system tries to choosethe highest security level that keeps QoS requirements as goodas possible.

Let SM andPM denote the group of QoS metrics (e.g.,bandwidth, delay, packet loss rate, etc) and the group of secu-rity metrics (e.g., encryption/decryption key length, timeliness,etc)2, respectively. LetNs andNp denote the number of theQoS and security metrics, respectively. We assume that a user’sService Level Agreement (SLA) hasS levels of QoS andP

2The work in [16] provides an extensive list of important security and QoSmetrics.

4

levels of security. When a user3 connects to the network, thesystem advisory of QoS2 must serve the user with a securitylevel in such a manner to maintain good QoS requirements(i.e., QoS level). The suggested procedure is as follows.

1) Step 1: Defining all possible QoS level and securitylevel combinations: For each QoS level, there are somerequirements related to the values of its metrics that should berespected. These values should not be beyond (resp., below)a predefined threshold for cost metrics (resp., for benefitmetrics). For example, for a given QoS level, the bandwidth(BW) should exceed a threshold (e.g.,BWth ≤ BW ) and thedelay should be less than a threshold (i.e.,D ≤ Dth).

On the other hand, when we apply a security level, thevalues of the QoS metrics get negatively influenced in general.This means that these values cannot exceed some thresholdsthat we can measure by experiments. Consequently, somecombinations will be impossible. Indeed, letQoSsup denotesthe highest QoS level andSecsup denotes the highest securitylevel. Let’s suppose that forQoSsup, the bandwidth (BW)is (BWhigh ≤ BW ) and that forSecsup, the bandwidthwill be such asBW < BWhigh. Thus, the combination(Secsup, QoSsup) is impossible. Hence, the possible combi-nations (alternatives) of a QoS level and a security level willbe limited. Let J denote the number of these alternatives(J < Ns · Np). For each QoS levels ∈ {1, ..., S}, thevalue of the QoS metricsm (sm ∈ SM ) would be suchas sms ∈ [(sms)min, (sms)max] (i.e., sms: the value of themetric sm as defined in the QoS levels). On the other hand,for a security levelp ∈ {1, ..., P}, the value of the QoS metricsm (smp) will be such assmp ∈ [(smp)min, (smp)max].

As for the values of security metrics, they may have exactvalues (e.g., encryption key length) or may belong to aninterval (e.g., timeliness) like all QoS metrics. The valuesof security metrics do not intervene in the definition of thealternatives. Now the selection of a combination of a QoSlevel (s ∈ {1, ..., S}) and a QoP level(p ∈ {1, ..., P}) willnot be possible unless the following condition is satisfied:

{[(sms)min, (sms)max] ∩ [(smp)min, (smp)max] 6= Φ} (1)

In the remainder of this paper, an alternative (a combination)is denoted asj (i.e., j ∈ {1, ..., J}).

2) Step 2: Defining the Decision Matrix (DM) for a user’sconnectionc: Let Xc

jk(t) be the value of metrick measuredat time instantt for a connectionc when the QoS-securitycombinationj is used (i.e.,k ∈ {1, ...,K} being the index ofthe QoS-security metric). As we deal with different kinds ofmetrics (e.g., some expressed in kbps, others in seconds, etc),we normalize their values to be able to compare among them.This is done as follows:

X̂cjk(t) =

Xcjk(t)

max(Xcjk(t))

(2)

3In this paper, the term ”user” has a wider scope as it refers toa client of thenetwork operator (e.g., content/service provider). Additionally, a connectiondoes not necessarily refer to an end-to-end connection between a serverand a client, but it does rather refer to the communication path between acontent/service provider and a local network where some of its subscribersreside (Fig. 1).

Using the following notation(K = Ns+Np), the normalizedvector for a given QoS-QoP levelj at a time instantt is:

(

X̂cj1, ...X̂

cjk, ...X̂

cjK

)

(3)

Depending on the provided service and the user requirements,the QoS-Security metrics may not have the same importance.Thus, we assign each attribute a weight such as the sum ofall the weights is equal to one. LetY c

jk(t) be the normalizedvalue of the metrick multiplied by its relative weightwc.k.We obtain the Decision Matrix for a given user’s connectionc at a time instantt as follows:

DM c =

Y c11

... Y c1k ... Y c

1K

... ... ... ... ...Y 1

j1 ... Y cjk ... Y c

jK

... ... ... ... ...Y 1

J1 ... Y cJk ... Y c

JK

(4)

It should be noted that a decisionD taken at a time instanttremains valid for a period∆T c

D during which the system gath-ers information from monitoring stubs and the collaboratingnetworks.

3) Step 3: Applying a MADM algorithm to find the bestalternatives among the available ones:In order to find theideal alternatives or utopia points, we need to account fortwo types of QoS2 parameters, namely “cost” metrics (e.g.,bandwidth, delay, security level) and “benefit” metrics (e.g.,throughput and fairness). The objective of formulating anutopian vector is to maximize the benefit while minimizingthe cost as much as possible. In other words, the utopia vectorshould permit selection of the best value for each single QoS2

attribute amongst all the alternatives. This is characterized bythe utopia vector of attributes at timet, defined in Eq. 5.

(

utopiaY c1, ...utopiaY c

k , ...utopiaY c

K

)

(5)

where each component of the utopia vector may be obtainedusing the following expression.

utopiaY cjk =

Y cjk : j = argmin

j∈{1,J}

Y cjk, for cost metrics

Y cjk : j = argmax

j∈{1,J}

Y cjk, for benefit metrics

(6)In a reverse way, it is also possible to obtain the knowledgepertaining to the worst alternatives or nadir points inDM c.The nadir point may be computed as follows.

(

nadirY c1, ...nadirY c

k , ...nadirY c

K

)

(7)

In this case, each component of the nadir vector holds similarconsiderations as those for Eq. 6 and is given by:

nadirY cjk =

Y cjk : j = argmax

j∈{1,J}

Y cjk, for cost metrics

Y cjk : j = argmin

j∈{1,J}

Y cjk, for benefit metrics

(8)The TOPSIS selection algorithm [17] is derived from the

MADM theory to extend these two contrasting utopia and

5

nadir points to exploit the knowledge of both. We employthe TOPSIS selection algorithm for choosing the appropriatesecurity level for ensuring the appropriate QoS requirements.To this end, the TOPSIS algorithm selects the optimum TOP-SIS vector fromJ alternatives, by minimizing the similarityto positive-ideal solution as follows.

jc,optimumTOPSIS (t) = argmax

j∈{1,J}

(

Sngj

Spsj + Sng

j

)

(9)

whereSpsj andSng

j denote the Positive and Negative separa-tions, respectively. The former implies the Euclidean distancebetween the alternatives and the utopia point while the latterdenotes that between the alternatives and the nadir point.Sps

j

andSngj are expressed by Eqs. 10 and 11, respectively.

Spsj =

√

√

√

√

K∑

k=1

(Y cjk − utopiaY c

k )2 (10)

Sngj =

√

√

√

√

K∑

k=1

(Y cjk − nadirY c

k )2 (11)

IV. PERFORMANCEEVALUATION

Having described details on our MADM-basedQoS2 ap-proach, we now direct our focus to its performance evaluationusing the Network Simulator (NS3) [19]. Given their strictQoS requirements, we consider IPTV streaming services. Asa network threat, we envision the spread of Internet worms ina number of local networks whereby a number of subscribersto the IPTV service are located. As a counter measure, weadopt a signature-based worm detection approach as in ourprevious research work [4]. Along with a vast spread of theInternet worm, the security advisory recommends to MSMsand LSMs the filtering of inbound and outbound traffic usinga generated signature with a particular length. The longer thesignature length is, the longer the filtering-due delay becomes[4]. This intuitively impacts the end-to-end delay betweenthecontent servers and the end-clients (Fig. 1). At the securityadvisory, six threat levels are defined to the above mentionedsecurity counter measure; each threat level is characterizedby i) a range of worm signature substring lengthLworm

(i.e., principally responsible for additional delays at routerscollocated with LSMs and MSMs) andii) a minimum numberof signature substringsSmin that should exist in a traffic flowto generate an alarm (Table I).

TABLE IWORM SPREAD THREAT LEVELS AND CORRESPONDING WORM SIGNATURE

GENERATION/DETECTION PARAMETERS.

Threat level Lworm range (Bytes) Smin

1 0 - 40 112 40 - 73 93 73 - 115 74 115 - 166 55 166 - 226 36 226 - 295 1

Fig. 3. Reordering delay for different threat levels.

In the simulations, we consider a network topology similarto that of Fig. 1 with video data streamed from a singlecontent provider (i.e., Service Provider 1) toNu subscriberslocated in local networkLN3. To avoid multicast scenarios,each subscriber is receiving a different video content overadedicated session. At the content provider side, differentvideotraces, encoded in MPEG-4, are used [20] and servers useUser Datagram Protocol (UDP) to provision IPTV service fol-lowing the framework described in [21]. To simulate networkdynamics, we input some worm-affected background trafficalong the path between Customer Edge Routers (CERs) 1 and2 simulating different Variable Bit Rate (VBR) UDP flows.The sending rate of each UDP flow is varying during thecourse of the simulation and is randomly chosen every1s ina way that Core Network Edge routers (i.e., thebrownroutersin Fig. 1) are operating at loads exceeding70% their fullcapacity. In the simulations, a noticeable increase or decreasein the background traffic rate triggers the security advisory toincrease or decrease the threat level. With no specific purposein mind, the aggregate propagation delays of links betweenProvider Edge Router (PER1) and CER3 is set to15ms.Without any loss of generality, all links are given a capacityequal to50Mbps (i.e., customer/provider edge links as wellas core network links). In order to remove limitations due tosmall buffer sizes on the network congestion, buffers equaltothe bandwidth-delay product of the end-to-end link are used[22]. Due mostly to its simplicity and its wide usage in today’sswitches and routers, all simulated routers use Drop-Tail astheir packet-discarding policy. The data packet size is fixed to1336B. The client side has a limited playback buffer lengthB, set to100pkts. The IPTV streams are characterized by anaverage streaming rate denoted asRp and equal to100pkts/s(i.e., 0.8Mbps). Simulations were all run for 900s; a durationlong enough to ensure that the system has reached a consistentbehavior. The presented results are averaged over the simulatedNu (= 15) subscribers, averaged again on the total simulationruns (i.e.,36 times).

6

As shown in Table I, for each threat level the securityadvisory recommends a range of parameters for signaturegeneration, subsequent traffic filtering and worm detection.In the envisionedQoS2 approach, the TOPSIS algorithm isrun to select the best set of parameters (i.e., from withinthe recommended range) to meet both the QoS and securityrequirements. As comparison terms, we compare the perfor-mance of theQoS2 approach against that of two conventionalmethods whereby the highest (i.e., longest) and the lowest(i.e., shortest) security levels (i.e., signature substring length)are selected. As parameters to quantify the users’ perceivedQoS, we consider the following metrics:

• Packet reordering delay: Difference between the arrivaltime of a packet and the arrival time of its precedingone. This metric is important for real time multimediastreaming services (e.g., IPTV) as if it exceeds the end-user’s playback delay (i.e.,B

Rp

), the corresponding packetwill be simply discarded before being transmitted to theapplication layer. The user shall then notice ruptures inthe streaming service, a fact that impacts the perceivedvideo quality.

• Playback ratio: Defined as ratio of the playback rate to theaverage streaming rateRp. The playback rate is computedas the number of packets that were transmitted to theapplication layer every monitoring period of time (e.g.,playback buffer delayB

Rp

) and were indeed displayedover the monitoring period of time.

• Queue occupancy: The number of packets residing in theclient’s buffer and awaitingreordering before theirtrans-mission to the application layer.This metric ismeasuredevery monitoring period of time (i.e.,B

Rp

). To achieveacceptable perceived QoS, this metric should not exceedthe client’s buffer size (i.e., overflow) and should not bein the vicinity of zero (i.e., underflow). Indeed, keepinga moderate value of this metric is highly important asit ensures for the application layer that there are alwaysenough packets to display without having to discard themat the queue due to overflow.

Fig. 3 plots the average reordering delay experienced bythe end-terminals for different threat levels and that is whenthe three security approaches (i.e.,QoS2 approach, and thesecurity approaches applying the highest and the lowest se-curity levels) are in use. Whilst the average reordering delayremains largely lower than the playback delay (i.e.,B

Rp

) forthe three simulated approaches, in the simulations there weresome instants when the value of this reordering delay exceededthe playback delay, and that is particularly when the highestsecurity level is adopted in the event of high threat levels.The corresponding packet got intuitively discarded and thisobviously would have been noticeable at the terminal’s display.This will be manifested in poor playback ratio as indicatedin Fig. 5. It should be noted that whilst the envisionedQoS2 approach and the lowest security level exhibit relativelysimilar performance in Fig. 3, their main differentiator consistsintuitively in their adopted security levels.

Figs. 4 and 5 show the impact of the three security ap-proaches on QoS in terms of two correlating metrics, namely

Fig. 4. Buffer occupancy for different threat levels.

average buffer occupancy and playback rate, respectively.Thetwo figures indicate an obvious observation: the best QoS isachieved when the lowest security level is adopted.Indeed,the lowest security measures induce only few reordering,which directly impacts the queue occupation length (i.e. thelatency before transmission to the application playout buffer).However, this may not be acceptable from the security point ofview. When the security measures are tight using parameterscorresponding to the highest security level, the performancedegrades significantly as there is not sufficient data at the ter-minal’s playoutbuffer to play and consequently the playbackrate is remarkably poor. In contract to these two approaches,the proposedQoS2 approach ensures an acceptable level ofsecurity and simultaneously achieves a QoS performance moreor less similar to that obtained when the lowest security levelis adopted.

The above simulation results show how the QoS2 systemjointly addresses the conflicting QoS and security requirementsand demonstrate that adaptation of the security level accordingto QoS requirements yield satisfying results. However, itshould be recalled that for a significantly high threat level, theadvisory system may recommend significantly high securitylevels even if the QoS requirement are not met. In such events,QoS relaxation at servers and/or end-terminals becomes theonly rescue.

V. CONCLUSION

In this study, we addressed the problems of providing highperceived QoS, while provisioning security requirements.Weclearly demonstrated the need of addressing jointly theseantagonistic problems. Thus, we devised a MADM-basednetwork policy framework, namedQoS2, which provides amean to find the tradeoff between security requirements andtheir QoS counterparts. The proposed framework is intendedtobe used at the global security advisory system, which selectthemost suitable security conditions based on real-time feedbacksfrom different monitoring systems deployed over the networks.

7

Fig. 5. Playback rate for different threat levels.

Extensive simulations considering the IPTV servicesshowed that our envisioned QoS2 framework achieves itsdesign goals, as it provides simultaneously guarantees in termsof terms of perceived QoS and security. In the future, theproposed policy framework system is expected to evolve tocope with more complex network scenarios, different services,and more complex security counter measures that impact notonly the E2E delay but also the bandwidth consumption and/orpacket drops.

ACKNOWLEDGMENT

The work presented in this paper is supported by theEuropean Commission, under Grant No. FP7-224619 (theResumeNet project).

REFERENCES

[1] T. Taleb, Y.H. Aoul, and A. Benslimane, “Integrating Security with QoSin Next Generation Networks,” inProc. IEEE Globecom 2011, Miami,USA, Dec. 2010.

[2] Z. Shen, J.P. Thomas, “Security and QoS Self-Optimization in MobileAd Hoc Networks,” in IEEE Transactions on Mobile Computing, Vol.7 No. 9, September 2008, pp. 1138-1151.

[3] C. Irvine, T. Levin, E. Spyropoulou, and B. Allen, “Security as adimension of quality of service in active service environments,” in Proc.Active Middleware Services Workshop, San Francisco, CA, USA, Aug.2001.

[4] K. Simkhada, T. Taleb, Y. Waizumi, A. Jamalipour, and Y. Nemoto,“Combating against internet worms in large-scale networks: an auto-nomic signature-based solution,”J. Security and Communication Net-works, Vol. 2, No. 1, pp. 11–28, Aug. 2008.

[5] Z. M. Fadlullah, T. Taleb, A. Vasilakos, M. Guizani, and N. Kato,“DTRAB: Combating against attacks on encrypted protocols throughtraffic-feature analysis,” in IEEE/ACM Transactions of Networking(TON). (to appear)

[6] D. Brumley and D. Boneh, “Remote timing attacks are practical,” inProc. 12th USENIX Security Symposium, Washington DC, USA, Aug.2003.

[7] S. N. Foley, S. Bistaerlli, B. O’Sullivan, J. Herbert, and G. Swart,“Multilevel security and quality of protection,” in1st Workshop onQuality of Protection, Como, Italy, Sep. 2005.

[8] W. He and K. Nahrstedt, “An integrated solution to delay and securitysupport in wireless networks,” inProc. IEEE WCNC, Las Vegas, NV,USA, Apr. 2006.

[9] Z. Fadlullah, T. Taleb, N. Nasser, and N. Kato, “Exploring the securityrequirements for quality of service in combined wired and wirelessnetworks,” inProc. IWCMC’09, Leipzig, Germany, Jun. 2009.

[10] J. Jason, L. Rafalow, and E. Vyncke, “IPSec configuration policyinformation model,” Network Working Group,RFC 3585, Aug. 2003.

[11] S. Duflos, V. C. Gay, B. Kervella, and E. Horlait, “Improving the SLA-based management of QoS for secure multimedia services,” inProc.8th Int. Conf. on Management of Multimedia Networks and Services(MMNS’05), Barcelona, Spain, Oct. 2005.

[12] H. Otrok, M. Mehrandish, C. Assi, M. Debbabi, and P. Bhattacharya,“Game theoretic models for detecting network intrusions,”ComputerCommunications, Vol. 31, No. 10, Jun. 2008. pp. 1934-1944.

[13] Y. Liu, C. Comaniciu, and H. Man, “A bayesian game approachfor intrusion detection in wireless ad hoc networks,” inProc. ACMGameNets’06, Pisa, Italy, Oct. 2006.

[14] L. Chen and J. Leneutre, “A game theoretic framework of distributedpower and rate control in ieee 802.11 wlans,”IEEE JSAC, Vol. 26, No.7, Sep. 2008. pp. 1128-1137.

[15] M. Scholler and P. Smith, “Resilience and survivability for futurenetworking: Framework, mechanisms, and experimental evaluation,”ResumeNet Deliverable D1.1b, URL: www.resumenet.eu.

[16] G.A. Fink, B.L. Chappell, T.G. Turner, and K.F. O’Donoghue , “Ametrics-based approach to intrusion detection system evaluation fordistributed real-time systems,” Pentagon Reports, Apr. 2002.

[17] F. Bari and V. Leung, “Multi-Attribute Network Selection by IterativeTOPSIS for Heterogeneous Wireless Access,” in Proc. IEEE ConsumerCommunications and Networking Conference, Las Vegas, NV, USA,Jan. 2007.

[18] K. P. Yoon and C. L. Hwang, “Multiple attribute decisionmaking: anintroduction,” in Sage Publications, Inc., Thousand Oaks,CA, USA,1995.

[19] NS-3, “The network simulator ns-3”, available at URL:http://www.nsnam.org/, 2011.

[20] P. Seeling, M. Reisslein, and B. Kulapala, “Network PerformanceEvaluation with Frame Size and Quality Traces of Single-Layer andTwo-Layer Video: A Tutorial,” IEEE Communications SurveysandTutorials, Vol. 6, No. 3, Third Quarter 2004. pp. 58-78.

[21] C. H. Ke, C. K. Shieh, W. S. Hwang, A. Ziviani, “An Evaluation Frame-work for More Realistic Simulations of MPEG Video Transmission, J.of Information Science and Engineering, Vol. 24, No. 2, pp.425-440,March 2008.

[22] R. Goyal and R. Jain, “Buffer management and rate guarantees for TCPover satellite-ATM networks,” Int. J. Satellite Commun., vol. 19, no. 1,pp. 111129, 2001.

[23] J. Hu, I. Khalil, S. Han, A. Mahmood, “Seamless integration ofdependability and security concepts in SOA: A feedback control systembased framework and taxonomy”, Journal of Network and ComputerApplications, Volume 34, Issue 4, Pages 1150-1159, July 2011.