Semi-Markov modeling of dependability of VoIP network in the presence of resource degradation and security attacks

Reliability Engineering and System Safety 96 (2011) 1627–1636

Contents lists available at SciVerse ScienceDirect

Reliability Engineering and System Safety

0951-83

doi:10.1

n Corr

E-m

dharma1 Cu

Univers

journal homepage: www.elsevier.com/locate/ress

Semi-Markov modeling of dependability of VoIP network in the presence ofresource degradation and security attacks

Vandana Gupta 1, S. Dharmaraja n

Department of Mathematics, Indian Institute of Technology, Delhi, India

a r t i c l e i n f o

Article history:

Received 19 August 2010

Received in revised form

26 July 2011

Accepted 2 August 2011Available online 25 August 2011

Keywords:

VoIP

Software rejuvenation

Semi-Markov model

Dependability attributes: availability,

reliability and confidentiality

20/$ - see front matter & 2011 Elsevier Ltd. A

016/j.ress.2011.08.003

esponding author. Tel.: þ91 11 26597104; fa

ail addresses: [email protected] (V. Gu

[email protected] (S. Dharmaraja).

rrent affiliation: Department of Applied Math

ity, Delhi.

a b s t r a c t

Nowadays VoIP has become an evolutionary technology in telecommunications. Hence it is very

important to study and enhance its dependability attributes. In this paper, an analytical dependability

model for VoIP is proposed. The study is focused on analyzing the combined effects of resource

degradation and security breaches on the Quality of Service (QoS) of VoIP, to enhance its overall

dependability. As a preventive maintenance policy to prevent or postpone software failures which

cause resource degradation, software rejuvenation is adopted. The dependability model is analyzed

using semi-Markov process which captures the effects of non-Markovian nature of the time spent at

various states of the system. The steady-state as well as the time-dependent analysis of the

dependability model is presented. The steady-state results are obtained analytically, whereas the

time-dependent results are obtained from simulation. Also, the analytical model is validated via

simulation. The model analysis using a numerical example indicates the feasibility of our approach.

Various dependability attributes such as availability, reliability and confidentiality are also obtained.

A comparative study is also done between our proposed model and the existing models.

& 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Voice over Internet Protocol (VoIP), also known as Internettelephony, is the technology that enables people to use theInternet as the transmission medium for voice communications.It is a technology that allows to make voice calls using a broad-band Internet connection instead of a regular (or analog) phoneline. It has been evolving quite rapidly in the telecommunicationarea in recent years as it provides long distance calls at a very lowcost [1]. Hence, it is essential for well-designed VoIP networks tobe reliable and safe, to meet certain quality-of-service (QoS)requirements, and to provide its services in a timely manner, inthe wake of resource degradation and also in the context ofintrusions, attacks and accident failures in a hostile environment.Therefore, the main focus of this paper is on the QoS of VoIP in thecase of resource degradation and security breaches to improve itsavailability, reliability and safety. The QoS issues (availability,reliability, security) addressed in this paper can be considered as adependability issue. Dependability is global concept that sub-sumes the usual attributes of availability, reliability, security,

ll rights reserved.

x: þ91 11 26581005.

pta),

ematics, Delhi Technological

integrity, maintainability, etc. [2,3]. The consideration of securitybrings in concerns for confidentiality, in addition to availabilityand reliability.

Network dependability is an important issue for serviceproviders, vendors, and users. A lot of research has been doneon the area of network dependability. A survey on the existingmodel-based techniques for evaluating system dependability isdone in [4], and it is summarized that how these techniques canbe extended to evaluate system security. A comparative study onthe analytical models of computer system dependability andsecurity is carried out in [5]. The paper [6] outlines the detailsof how redundancy may be implemented by making enhance-ments to the basic IEEE 802.11 channel access protocol. In thispaper, the authors have presented the reliability, availability andsurvivability analysis of the two configurations to evaluate thedependability of the network under study, and compared themwith the scheme with no redundancy. In [7], a comprehensivedependability analysis of WLAN for system dependability mea-surement, modeling and evaluation is presented, and methods aresuggested to increase the communication link reliability andavailability of wireless LANs. An integrated solution to increasethe dependability of wireless mesh networks (WMNs) is proposedin [8]. The approach in this paper combines network coverageplanning on the physical layer, bandwidth management on thelink layer and live network monitoring to improve the reliability,availability and maintainability of a WMN. Hence, we can see that

www.elsevier.com/locate/ress

www.elsevier.com/locate/ress

dx.doi.org/10.1016/j.ress.2011.08.003

mailto:[email protected]

mailto:[email protected]

dx.doi.org/10.1016/j.ress.2011.08.003

Fig. 1. General VoIP architecture.

V. Gupta, S. Dharmaraja / Reliability Engineering and System Safety 96 (2011) 1627–16361628

a considerable amount of work has been conducted over the pastdecade on dependability issues in traditional networks [9]. How-ever, to the best of our knowledge, a general analytical frameworkfor dependability of a VoIP network has not been developed till date.

The general VoIP architecture [1] is depicted in Fig. 1. Asdepicted in the figure, QoS and security issues are the two mainconcerns of any VoIP network. Service quality degradation due toresource exhaustion of the service provider is one of the majorproblems that VoIP experiences. VoIP provider may run out ofresources when the resource demands by the users are increasedin large numbers. In that case, when a call demand arises, theprovider cannot serve it or even if the request is served, it mayaffect the quality of the ongoing calls [10]. Another most ques-tionable aspect of VoIP is its security. Since VoIP works overInternet, it is prone to many security intrusions. VoIP packetizesphone calls (i.e., voice signals) through the same routes used bynetwork and Internet traffic, and is consequently susceptible tothe same cyber threats that plague these carriers today. Mainservice thefts include phreaking, eavesdropping, VoIP phishing,viruses and malware, DoS (Denial of Service), SPIT (Spammingover Internet Telephony), call tampering and Man-in-the-middleattacks [11,12]. Now, it may not be either possible or it may notbe cost effective to design and implement software systems, thatare guaranteed to be entirely secure. In this scenario, intrusiontolerance is a practical alternative for building secure softwaresystems. An intrusion detection system (IDS) helps the adminis-trators to monitor and defend against security breaches [13].Further, an approach to overcome the problems of resourceexhaustion and security attacks in a VoIP system is softwarerejuvenation, which can be regarded as a preventive maintenancepolicy to prevent or postpone software failures. It is a techniquethat can be periodically adopted to combat the phenomenon ofsoftware aging [10,14].

In Dong Seong Kim et al. [15], proposed a general frameworkof survivability model for WSN, in the context of securitybreaches and adopted software rejuvenation policy. A VoIPservice system is considered in [16] and the effects of performingsoftware rejuvenation in order to prevent system failures causedby resource exhaustion due to the increasing number of calls isexamined. Authors in [17], have addressed a two-level softwarerejuvenation policy for aging in software systems. In [13], anapproach is presented for quantitative assessment of securityattributes for an intrusion tolerant system. In the literaturementioned above, either the software aging because of resourcedegradation is discussed or the security issues are handledseparately, but not together. Hence, this motivates us to proposean analytical framework of dependability model for VoIP whichmodels the QoS (availability, reliability and confidentiality) in thepresence of resource degradation as well as in case of securitybreaches, with software rejuvenation procedure. We model this

using a stochastic process based on semi-Markov process (SMP)because of the non-Markovian nature of the various eventsinvolved in the model [18]. We present the steady-state as wellas the time-dependent analysis of the proposed dependabilitymodel. The results of numerical analysis indicate the feasibility ofour proposed approach.

The rest of this paper is organized as follows. The proposedanalytical dependability model is explained in Section 2. Section 3deals with the steady-state analysis of the dependability model.The dependability attributes are discussed in Section 3.1. Section3.2 gives simulative verification of the analytical model, and asteady-state numerical illustration is provided in Section 3.3. Thetime-dependent analysis is presented in Section 4. Finally con-cluding remarks are given in Section 5.

2. VoIP dependability model description

A configuration of the dependability model is depicted inFig. 2. The figure represents a state transition diagram in whichcircles represent states and directed arcs represent transitions.

The states are explained as follows:

�
State P (Perfect): This is the highly efficient and highly robustexecution phase. Both rejuvenation and a repair/reconfigura-tion after a failure bring the system back to this state. Thesystem works perfectly in this state and is available to theusers. The objective of the attack resistance is to keep thesystem in this state as long as possible. � State M (Medium efficient): This is the medium-efficient
execution phase. Resource degradations start to occur in thesystem but they are not a threat yet. At this point, a checkabout the remaining resources has to be performed in order todetermine whether the system needs to be rejuvenated, or thesystem can still serve the new calls without call qualitydegradation. The system still works well in this state, and isavailable to users.
� State L (Low efficient): In this state, the system is running at a
low-efficient execution state. Some applications in the systemare in the failure prone state but it is still available. At thispoint also, a check on the remaining resources has to beperformed in order to determine whether the system can stillserve new calls, or needs to be rejuvenated.
� States C1 and C2 (Checking states): These are the decision
making states. In these states, the system is taken off line forchecking, where it is determined whether the system cansurvive with the remaining resources, or it needs to berejuvenated. Usually the decision is made very quickly, i.e.the sojourn time in this state is very short. The system isunavailable to users in these states.

R F

V

P

AC

C2C1

Res

ourc

e de

grad

atio

n

Resource degradation

Exp

osed

toat

tack

s

Exp

osed

toat

tack

s

performedAttack

Attack detected

Attack not detected

Repair / Reconfiguration

rejuvenationInvoke

Invokerejuvenation

Rejuvenation

Invokerejuvenation

Syst

em d

egra

datio

n

Exp

osed

to a

ttack

s

checkInvoke Invoke

checkSystem survives

System survives

Syst

em d

egra

datio

n

Failure

FailureM L

Fig. 2. VoIP dependability model.

V. Gupta, S. Dharmaraja / Reliability Engineering and System Safety 96 (2011) 1627–1636 1629

�
State V (Vulnerable): This is vulnerable state V where thesystem is exposed to security breaches. This state is verycritical because attackers and malicious users would want toexploit the vulnerabilities and try to make a successful attack.The system is available to users in this state. � State C (Compromised): This is a compromised state which is
reached when the system is successfully exploited by theattackers, and then unwanted damage follows. System isavailable to users in this state also.
� State A (Adaptation): This too is a decision making state. It
assesses the impact of damages occurred because of a success-ful attack and determines the appropriate strategies for recov-ery. The system is off line here, hence it is unavailable to usersin this state.
� State R (Rejuvenation): In this state, the system goes for
rejuvenation, and is unavailable to users.
� State F (Failure): The system crashes in this state, and goes for
repair or reconfiguration. It is unavailable to users in this state.

In this model, the system starts with perfect state P. At thisstate, when many resource requests arrive at the VoIP server anda high amount of calls are initiated, the system experiences aresource degradation, and moves to the medium efficient state M.At this point, a check on the remaining resources has to beperformed in order to determine whether the system needs to berejuvenated, or it can still serve new calls. This check is performedat state C1. Depending on the status of the remaining resources,the system either returns to state M where new calls arrive, or thesystem enters rejuvenation state R. When system returns to stateM, the same call setup procedure is initiated resulting in a higherlevel of resource degradation and hence system enters lessefficient state L. On reaching state L, the system has to be checkedonce again. As in state M, the system enters the checking state C2.From here, it either transits to state R, or it returns to state L. Onreturning to state L, system accepts new call requests. At thisstate, on experiencing further resource degradation, systementers the failure state F. In this case, the system is reconfi-gured/repaired and returns to state P.

Apart from resource degradation, the VoIP system can beexposed to security breaches anytime. Hence, when the systemis in state P, M or L, and if any kind of penetration into theresistance mechanism occurs, the system enters the vulnerablestate V. If the present monitoring system can successfully detectthe state, it takes necessary actions and returns once again tostate P. But if the system remains in state V and a successfulattack is made, it causes the system to enter the compromisedstate C. If the intrusion detection system can successfully recog-nize the compromised state, the system goes to adaptation stateA, otherwise the system goes to state F, from where it goes back tostate P. In state A, the impact of the damages caused due to theattack is assessed and recovery strategies are determined. Therecovery actions depend on the requirement of the dependabilityand types of attack detected. If the critical requirements of thesystem are integrity and confidentiality, the system moves torejuvenation state R. On the other hand, if the requirement is onlythe availability of the system, the system moves to either state Mor state L. Otherwise, if the impact of attack is such that thesystem can no longer survive, it goes to state F. From here, thesystem returns back to state P after repair/reconfiguration.

Note that the transition from one state to another can beinfluenced by many factors (system parameters) and it exhibitsrandom behavior. Therefore, this randomness can be modeled bysome well known stochastic models such as Poisson process,Markov Chain, SMP and so on [19]. As the behaviors of resourcedegradation, attacks, system responses to the attacks, intrusiondetection, etc., cause sojourn time of some states to follow non-exponential distribution, simple Markov chain cannot representsuch a system. Moreover, the assumption that all the processes ofa stochastic system have exponential distributions, may result insignificant errors [20]. Hence, to cover real life scenarios, weassume that the time spent in various states may or may notfollow exponential distribution. We also assume that the transi-tion epochs possess the Markov property to facilitate modelingusing SMP. Consequently, we model the VoIP network as aSMP. The advantage of using SMP is to allow non-exponentialdistributions for transitions between states and to generalizeseveral kinds of stochastic processes [21]. In [22], SMP models

P0

A7

V5

C6

F9

R8

C1 C2

F80

F01

F56F67

F29

F50F05

F42F31

F38F15

F71

F25

F90

F12

F13 F24

F72

M1

L2

43

F78

F79

F69

F48

Fig. 3. SMP model for VoIP dependability.


for systems undergoing periodic test and maintenance are devel-oped. In particular, systems undergoing specific changes of stateat predetermined instances of time and transiting to states withgenerally distributed sojourn times are considered.

The SMP model for VoIP dependability is shown in Fig. 3. Theactual cumulative distribution functions (cdfs) of the time spentin each state are given in Table 1. In the table, Fij denotes the CDFassociated with the arc i-j, ði,j¼ 0;1,2, . . . ,9Þ.

Note that the time to trigger check C1 and C2 is of fixed duration(say T time units). The time to resource exhaustion can bemodeled by an increasing failure rate distribution (Weibull dis-tribution) as the software resources are exhausted in an increasingmanner with respect to the time that the system has served [23].Similarly, as more time is spent in vulnerable state V, chances of asuccessful attack is increased. Hence, because of increasing failurerate, the time spent in state V before transit to state C can also bemodeled via Weibull distribution. Whereas time spent in state Vbefore transit to state P can be modeled via Pareto distributionbecause the more is the time spent in state V, less are the chancesof going back to state P, so it has decreasing failure rate. Each statein this model is a regenerative state, because from any state,enabling of an event will disable the occurrence of any other eventfrom the same state, and hence at each transition epoch Marko-vian property is held. Therefore, the underlying stochastic processis an SMP. In the subsequent sections, we present the steady-stateand the time-dependent analysis of the dependability model.

Table 1List of distributions.

CDF Distribution Parameter CDF Distribution Parameter

F01 Exponential l01 F05 Exponential l05

F12 Weibull a,l12 F13 Deterministic T

F15 Exponential l15 F24 Deterministic T

F25 Exponential l25 F29 Weibull b,l29



F50 Pareto Z,d F56 Weibull g,l56





3. Steady-state analysis

In this section, we present the steady-state analysis of theunderlying SMP of the dependability model. We then describevarious dependability attributes relevant for the proposed model.We also validate the proposed model using simulation, and finallya numerical example is given for illustration purpose.

For convenience, the 10 states of the dependability model arenumbered sequentially as shown in Fig. 3. The state space can bedenoted as O¼ f0;1,2, . . . ,9g. We take the two-stage method tosolve the SMP model [17,24], which can be fully described by itskernel matrix K(t) as follows:

KðtÞ ¼

0 1 2 3 4 5 6 7 8 9

0

1

2

3

4

5

6

7

8

9

0 k01ðtÞ 0 0 0 k05ðtÞ 0 0 0 0

0 0 k12ðtÞ k13ðtÞ 0 k15ðtÞ 0 0 0 0

0 0 0 0 k24ðtÞ k25ðtÞ 0 0 0 k29ðtÞ

0 k31ðtÞ 0 0 0 0 0 0 k38ðtÞ 0

0 0 k42ðtÞ 0 0 0 0 0 k48ðtÞ 0

k50ðtÞ 0 0 0 0 0 k56ðtÞ 0 0 0

0 0 0 0 0 0 0 k67ðtÞ 0 k69ðtÞ

0 k71ðtÞ k72ðtÞ 0 0 0 0 0 k78ðtÞ k79ðtÞ

k80ðtÞ 0 0 0 0 0 0 0 0 0

k90ðtÞ 0 0 0 0 0 0 0 0 0

266666666666666666664

377777777777777777775

The elements of K(t) are defined as kijðtÞ ¼ PfY1 ¼ j,T1rt

9Y0 ¼ ig; i,jAO, where fðYn,TnÞ,nZ0g is the underlying Markovrenewal sequence of random variables. In other words, kij(t)is the probability that if the SMP has just entered state i;the next transition occurs within time t and the next state isstate j. Therefore, the non-zero elements of K(t) are given inTable 2.

Using the distributions given in Table 1, we get the elements ofK(t) as follows:

k01ðtÞ ¼l01

ðl01þl05Þ½1�e�ðl01þl05Þt�

k05ðtÞ ¼l05


Table 3Sojourn times.

h0 ¼R1

0 F 01ðtÞF 05ðtÞ dt h1 ¼R1

0 F 12ðtÞF 13ðtÞF 15ðtÞ dt

h2 ¼R1

0 F 24ðtÞF 25ðtÞF 29ðtÞ dt h5 ¼R1

0 F 50ðtÞF 56ðtÞ dt

h6 ¼R1

0 F 67ðtÞF 69ðtÞ dt h7 ¼R1

0 F 71ðtÞF 72ðtÞF 78ðtÞF 79ðtÞ dt

h8 ¼R1

0 F 80ðtÞ dt h9 ¼R1

0 F 90ðtÞ dt

Table 2Non-zero elements of K(t).

k01ðtÞ ¼R t

0 F 05ðxÞ dF01ðxÞ k05ðtÞ ¼R t

0 F 01ðxÞ dF05ðxÞ

k12ðtÞ ¼R t

0 F 13ðxÞF 15ðxÞ dF12ðxÞ k13ðtÞ ¼R t

0 F 12ðxÞF 15ðxÞ dF13ðxÞ

k15ðtÞ ¼R t



k25ðtÞ ¼R t



k31ðtÞ ¼R t



k42ðtÞ ¼R t



k50ðtÞ ¼R t



k67ðtÞ ¼R t



k71ðtÞ ¼R t

0 F 72ðxÞF 78ðxÞF 79ðxÞ dF71ðxÞ k72ðtÞ ¼R t

0 F 71ðxÞF 78ðxÞF 79ðxÞ dF72ðxÞ

k78ðtÞ ¼R t

0 F 71ðxÞF 72ðxÞF 79ðxÞ dF78ðxÞ k79ðtÞ ¼R t

0 F 71ðxÞF 72ðxÞF 78ðxÞ dF79ðxÞ

k80ðtÞ ¼ F80ðtÞ k90ðtÞ ¼ F90ðtÞ


k12ðtÞ ¼

aðl12Þ

aR t

0 xa�1e�l15x�ðx=l12Þa

dx, trT

0, t4T

8<:

k13ðtÞ ¼e�ðT=l12Þ

a�l15T , tZT

0, toT

(

k15ðtÞ ¼l15

R t0 e�l15x�ðx=l12Þ

adx, trT

0, t4T

(

k24ðtÞ ¼e�ðT=l29Þ

b�l25T , tZT

0, toT

(

k25ðtÞ ¼l25

R t0 e�l25x�ðx=l29Þ

bdx, trT

0, t4T

(

k29ðtÞ ¼

bðl29Þ

b

R t0 xb�1e�l25x�ðx=l29Þ

bdx, trT

0, t4T

8><>:

k31ðtÞ ¼l31


k38ðtÞ ¼l38


k42ðtÞ ¼l42


k48ðtÞ ¼l42


k50ðtÞ ¼dZd

R t0

1

xdþ1e�x=ðl56Þ

gdx, x4Z

0, xrZ

8<:

k56ðtÞ ¼

gl56

R t0 1�

Zx

� �d� �x

l56

� �g�1

eðx=l56Þg

dx, xZZ

0, xoZ

8><>:

k67ðtÞ ¼l67


k69ðtÞ ¼l69


k71ðtÞ ¼l71

ðl71þl72þl78þl79Þ½1�e�ðl71þl72þl78þl79Þt�

k72ðtÞ ¼l72


k78ðtÞ ¼l78


k79ðtÞ ¼l79


k80ðtÞ ¼ 1�e�l80t

k90ðtÞ ¼ 1�e�l90t

Note that the row sum of KðtÞ becomes 1 as t-1.Following the two-stage analysis of SMP, let Z ¼ Kð1Þ ¼

limt-1KðtÞ be the one-step transition probability matrix of theembedded Markov chain (EMC) of the SMP.

By solving the following system of linear equations, ~v of thesteady-state probabilities of the EMC are obtained:

~v ¼~vKð1Þ,X

i

vi ¼ 1, iAO ð1Þ

KðtÞ ¼

0 1 2 3 4 5 6 7 8 9

0

1

2

3

4

5

6

7

8

9

0 p01 0 0 0 p05 0 0 0 0

0 0 p12 p13 0 p15 0 0 0 0

0 0 0 0 p24 p25 0 0 0 p29

0 p31 0 0 0 0 0 0 p38 0

0 0 p42 0 0 0 0 0 p48 0

p50 0 0 0 0 0 p56 0 0 0

0 0 0 0 0 0 0 p67 0 p69

0 p71 p72 0 0 0 0 0 p78 p79

1 0 0 0 0 0 0 0 0 0

1 0 0 0 0 0 0 0 0 0

26666666666666666664

37777777777777777775

The steady-state probability of state i, for the SMP model aregiven by

pi ¼vihiP

jAOvjhj, iAO ð2Þ

where hi is the mean sojourn time that the process spends at eachstate i. These sojourn times are given in Table 3.

Using the distributions given in Table 1, we get hij0s as follows:

h0 ¼1

l01þl05

h1 ¼

Z T

0ð1�0Þ:e�l15t�ðt=l12Þ

adtþ

Z 1Tð1�1Þ:e�l15t�ðt=l12Þ

adt

¼

Z T

0e�l15t�ðt=l12Þ

adt

h2 ¼

Z T

0ð1�0Þ:e�l25t�ðt=l29Þ

bdtþ

Z 1Tð1�1Þ:e�l25t�ðt=l29Þ

bdt

¼

Z T

0e�l25t�ðt=l29Þ

bdt


h5 ¼

Z Z

01:e�ðt=l56Þ

gdtþ

Z 1Z

Zx

� �de�ðt=l56Þ

gdt

h6 ¼1

l67þl69

h7 ¼1

l71þl72þl78þl79

h8 ¼1

l80

h9 ¼1

l90

The mean sojourn times at the check states are assumed to beequal to zero in comparison with the remaining of the sojourntimes. Hence, h3 ¼ 0 and h4 ¼ 0.

3.1. Dependability attributes

�
Availability: In our model, states 0, 1, 2, 5 and 6 are the onlystates in which VoIP service is available to the users. Hence,the steady-state service availability is given by
A¼ pPþpMþpLþpVþpC ¼ p0þp1þp2þp5þp6

where p0is can be obtained from Eq. (2).
� Confidentiality: Confidentiality is a measure of security of the
system. By confidentiality [13] of a system, we mean thatsensitive information is not disclosed to any unauthorizedrecipients. Confidentiality can be computed in the context ofsome security attacks. The exploitation of the vulnerability ofthe system allows an attacker to traverse the entire system,thus compromising confidentiality. Therefore, in the context ofsuch attacks, states C and F are identified with the loss ofconfidentiality. Therefore, the steady-state confidentialitymeasure can then be computed as

SSC ¼ 1�ðpCþpF Þ ¼ 1�ðp6þp9Þ

�

Table 4Parameter values (per unit time).

l01 ¼ 1:5 l05 ¼ 1 l12 ¼ 2:5 l13 ¼ 5

l15 ¼ 2 l24 ¼ 6 l25 ¼ 5 l29 ¼ 3:5

l31 ¼ 6 l38 ¼ 4 l42 ¼ 7 l48 ¼ 4

l50 ¼ 6 l56 ¼ 4 l67 ¼ 4 l69 ¼ 2

l71 ¼ 7 l72 ¼ 6 l78 ¼ 3 l79 ¼ 2

l80 ¼ 7 l90 ¼ 6

Reliability: For quantifying the reliability of a software system,mean time to failure (MTTF) is a commonly used reliabilitymeasure. In order to study the reliability of the presented VoIPsystem, state F of Fig. 2 is assumed to be an absorbing state. Inother words, no repair action is taken when the system runsout of resources or there is a security breach, and the systemeventually fails. Hence the state space O of the model ispartitioned into two new subsets, T ¼ f0;1,2;3,4;5,6;7,8g andA¼ f9g, containing the transient and the absorbing states,respectively. In this case the corresponding one step transitionprobability matrix of the EMC is given by Z0 which is same asthe matrix Z with the last row replaced by [0 0 0 0 0 0 0 00 0 1].Using the approach introduced in [19], MTTF can be computedaccording to following equation:

MTTF ¼XiAT

Nihi ð3Þ

where hi is the mean sojourn time of state i, and Ni denotes theaverage number of times that state i, iAT is visited, before theEMC is absorbed. These elements can be obtained by solvingthe system of equations:

Ni ¼ pi0 þXjAT

Njpji0, i,jAT ð4Þ

with pi0 denoting the probability that the EMC starts at state i

and pij0 the ijth element of matrix Z0. In our case, we assume

that P is the initial state, hence, the initial probability vector is

~p0 ¼ ½pi0� ¼ ½1 0 0 0 0 0 0 0 0� ð5Þ

3.2. Simulation verification of analytical model

Simulation results are presented in this section and compara-tive studies are preformed in order to validate the proposedmodel and evaluate the accuracy of the results.

In this section, we evaluate the dependability attributes viasimulation for the verification of the analytical results. Wesimulate the dynamics of the system using MATLAB. For the sakeof comparison, we take all the distributions to be exponential(since obtaining the analytical results is very difficult owing to thenon-Markovian nature of the various time distributions). The listof parameters used for the purpose of comparison is given inTable 4. In this table, lij denotes the parameter of the distributionFij. We have taken these values only for the purpose of illustration.

Using these parameters, we solved the SMP model developedin Section 2 analytically using the software SHARPE [25] as themodel gets reduced to a continuous time Markov chain bytaking all distributions to be exponential. We then simulatedthe dependability model using MATLAB (for the same set ofparameters) for a time period of 100 time units for 30 times.The comparison between the analytical results and the simulationresults for various steady-state measures are presented inFig. 4. To check the accuracy of the simulation results, we use t

distribution test. We adopted the following methodology: we runthe simulation 30 times for same set of parameters and obtained30 values for a metric. Then we evaluated the mean and standarddeviation of the 30 values of the metric and obtained theconfidence interval for 99% accuracy of the result. The confidencelimits (c.l.) for 99% confidence interval can be obtained by

c:l:¼ x7s� t0:01,n�1ffiffiffi

np

where, x is the sample mean, s is the sample standard deviation,t0:01,n�1 is the tabulated value for 99% confidence interval andn�1 degrees of freedom, and n is the sample size.

The graphical results are shown in Fig. 4. In the figure, theanalytical results are plotted in bold, while simulation results areplotted with thinner lines and 99% confidence interval.

Fig. 4(a) depicts the behavior of system availability with theincrease in the rate of invoking check C1 at state M. It shows thatsystem availability decreases on increasing the rate of invokingcheck C1. Fig. 4(b) shows that the system availability decreases asthe rate of successful attack increases, which is expected. Similarly,Fig. 4(c) depicts that as the rate of successful attack increases, theconfidentiality of the system decreases. And Fig. 4(d) shows that asthe rate of adaptation after a successful attack increases, the failurestate probability decreases. It is observed from the graphs that theresults from the proposed analytical approach and simulation showgood agreement for all computations presented. Hence, this vali-dates the analytical model.

1 2 3 4 5 6 7 8 90.76

0.78

0.8

0.82

0.84

0.86

Rate of invoking check C1 at state M (λ13)

Ste

ady−

stat

e av

aila

bilit

yExact analyticalSimulation

0 1 2 3 4 5 6 7 8

0.78

0.8

0.82

0.84

Rate of successful attack (λ56)

Ste

ady−

stat

e av

aila

bilit

y

Exact analyticalSimulation

0 1 2 3 4 5 6 7 80.84

0.86

0.88

0.9

0.92

0.94

0.96

Rate of successful attack (λ56)

Ste

ady−

stat

e co

nfid

entia

lity


0 1 2 3 4 5 6 7 8

0.045

0.05

0.055

Rate of adaptation (λ67)Fa

ilure

sta

te p

roba

bilit

y


Fig. 4. Comparison of analytical and simulation results.


3.3. Numerical illustration of steady-state results

In this paper, we focus on analyzing the feasibility of theframework of dependability model. We illustrate the evaluationof the dependability attributes of the VoIP system in this section.For the model to be accurate, it is important to accurately estimatethe model parameters (i.e., parameters of the various distributionsused in the model). However, in this paper, our focus is primarilyon developing a methodology for analyzing quantitatively thedependability attributes of the system rather than accurate modelparameterizations. Moreover, in the long run, rather than theactual distributions and their parameters, the mean sojourn timesand the transition probabilities of the EMC play a role in obtainingthe steady-state probabilities. Hence, we assume some reasonablevalues for the mean sojourn times and the transition probabilitiesof the EMC for the purpose of numerical illustration. These valuesare obtained as follows:

Mean sojourn times: It is assumed that the system spends moretime in state P than in state M, and the time spent in state M is inturn more than that in state L. Hence, we assume that the meantime spent in state P is more than that of state M, which is againmore than that of state L. Also, a good system must spend moretime in state P and state V than in state C. The time spent in stateC must be as short as possible. Accordingly, we assume that themean time of state C is less than that of both the states P and V.On the other hand, rejuvenation must be faster than any otheractivities to avoid denial of service attack. Hence, we assume thatthe mean time of being in state R is shorter than that of F, M andL. Moreover, the mean sojourn times at the check states C1 and C2

are very small when compared to rest of the sojourn times. Hence,without loss of generality, we assume the mean sojourn times atstates C1 and C2 to be zero [16]. The following values of meansojourn times are randomly chosen for our analysis in time unit:

hP ¼ 1, hM ¼ 0:5, hL ¼ 0:4, hC1¼ hC2

¼ 0,

hV ¼ 0:35, hC ¼ 0:2, hA ¼ 0:4, hR ¼ 0:3, hF ¼ 0:4

Transition probabilities: We assume that resource degradationwhich brings the system from state P to state M is more likely tohappen than getting exposed to some vulnerabilities, as new callskeep coming. Also, it is assumed that a successful attackthat brings the system from state V to state C is less likely tooccur than the detection of the attack and bringing the systemback from state V to state P. The probability of returning to stateM after the resource check completion in state C1 is greater thanthe probability of returning to state L after check in C2, becausethe level of resource exhaustion in state L is higher than that instate M, as more calls are served at this time. Similarly, othertransition probabilities are defined based on the likelihood ofthe occurrence of the event. The non-zero elements of thetransition probability matrix Z of the EMC taken for our analysisare given below:

p01 ¼ 0:60, p05 ¼ 0:40, p12 ¼ 0:40, p13 ¼ 0:40, p15 ¼ 0:20,

p24 ¼ 0:30, p25 ¼ 0:35, p29 ¼ 0:35, p31 ¼ 0:80, p38 ¼ 0:20,

p42 ¼ 0:20, p48 ¼ 0:80, p50 ¼ 0:60, p56 ¼ 0:40, p67 ¼ 0:80,

p69 ¼ 0:20, p71 ¼ 0:40, p72 ¼ 0:30, p78 ¼ 0:20, p79 ¼ 0:10

For the case of EMC, the steady-state probabilities are obtained byEq. (1) and are given below:

vP ¼ 0:1941, vM ¼ 0:2084, vL ¼ 0:1102, vC1¼ 0:0834,

vC2¼ 0:0331,

vV ¼ 0:1579, vC ¼ 0:0632, vA ¼ 0:0505, vR ¼ 0:0532,

vF ¼ 0:0461

For the case of SMP the steady-state probabilities are obtained byEq. (2), and are given below

pP ¼ 0:4175, pM ¼ 0:2241, pL ¼ 0:0948, pC1¼ 0, pC2

¼ 0,

pV ¼ 0:1189, pC ¼ 0:0272, pA ¼ 0:0435, pR ¼ 0:0343,

pF ¼ 0:0397

0.1 0.2 0.3 0.4 0.5 0.6 0.70.84

0.85

0.86

0.87

0.88

0.89

0.9Av

aila

bilit

yModel 1Model 3

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.90.75

0.8

0.85

0.9

0.95

1

Avai

labi

lity

Model 2Model 3

0.2 0.3 0.4 0.5 0.6 0.7 0.80.03

0.04

0.05

0.06

0.07

0.08

0.09

Failu

re s

tate

pro

babi

lity Model 2

Model 3

Probability of invoking check (p13) Probability of active attack (p56)

Probability of adaptation (p67)

Fig. 5. Comparison of our model with existing models.

Table 5Parameter values (per unit time).

l01 ¼ 1 l05 ¼ 0:5 l12 ¼ 1:5 a¼ 1:5

T¼0.5 l15 ¼ 2 l25 ¼ 1

l29 ¼ 3 b¼ 1:5 l31 ¼ 8 l38 ¼ 6

l42 ¼ 8 l48 ¼ 4 Z¼ 1 d¼ 3

l56 ¼ 6 g¼ 1:5 l67 ¼ 8 l69 ¼ 5

l71 ¼ 7 l72 ¼ 6 l78 ¼ 3 l79 ¼ 2

l80 ¼ 8 l90 ¼ 7


Using the assumed values of the input parameters and thesteady-state probabilities of the SMP, we obtain the steady-stateavailability of the system as, A¼0.8825, and the steady-stateconfidentiality as, C¼0.9331. Using Eq. (3), we get MTTF¼9.6602time units.

We also compare the dependability attributes of our modelwith the model given in [16] (where availability is obtained onlyin presence of resource degradation), and with the model pre-sented in [15] (where availability is obtained only in case ofsecurity attacks). For the sake of comparison, the parameters forthe three models are kept in consistence with each other. Wehenceforth refer to the model given in [16] as model 1, modelgiven in [15] as model 2, and model presented in this paper asmodel 3.

Fig. 5(a) represents that the system availability increases asthe probability of invoking check C1 increases. This shows thatwhen system is in state M, the check for system survival shouldbe done more frequently. Moreover, the graph also shows thatmodel 3 gives more availability as compared to model 1.Fig. 5(b) represents that the system availability decreases as theprobability of an active attack increases, as expected. Further, italso shows that model 3 outperforms model 2 in this regard.Fig. 5(c) represents that the steady-state probability of the systemgetting stuck in failure state ðpF for SMP) decreases as theprobability of triggering adaptation mechanism, p67 increases.The graph also shows that model 3 gives better results thanmodel 2. The reason for the better performance of model 3 is thatmodel 3 incorporates more failure and recovery effects of thesystem as compared to models 1 and 2.

4. Time-dependent analysis

In this section, we present the time-dependent dependabilityattributes obtained from simulation. The analytical technique, ofcourse, produces accurate results, but unfortunately it becomesinapplicable quickly, due to the size and complexity of models,and due to non-Markovian nature of the problems involved.

In such cases, simulation becomes inevitable. When the systemis non-Markovian, very few analytic–numeric methods are avail-able. Simulation is then the natural and often the only possibility.Hence, because of the non-Markovian nature of our model, weadopted the simulation technique to obtain the time-dependentsolution. To get the time-dependent attributes, we have used thedistributions defined in Table 1. The list of parameters values aregiven in Table 5.

Using the above set of parameters, we simulated the depend-ability model using MATLAB for a time period of 25 time units for30 times. To check the accuracy of the simulation results, we use t

distribution test. We obtained various measures within 95%confidence interval for different set of parameters. The resultsobtained are shown in Fig. 6.

Fig. 6(a) depicts that how availability behaves over time fordifferent rates of adaptation ðl67Þ. The different lines in the figurecorrespond to different values of l67. It can be observed from thefigure that the availability first decreases and then reaches asteady-state value. Also, availability increases on increasing therate of adaptation. Similarly, Fig. 6(b) depicts the behavior offailure state probability over time for different rates of adaptationðl67Þ. The different lines in the figure correspond to differentvalues of l67. From the figure, it can be seen that the failure stateprobability first increases and then reaches a steady-state value.Also, the probability of going to the failure state decreases onincreasing the rate of adaptation. Fig. 6(c) depicts the behavior ofavailability over time for different values of time to invoke check

0 5 10 15 200.8

0.85

0.9

0.95

1

1.05

Time, t (days)

Ava

ilabi

lity

λ67 = 5λ67 = 7λ67 = 9

0 5 10 15 200

0.02

0.04

0.06

0.08

Time, t (days)

Failu

re s

tate

pro

babi

lity

λ67 = 5 λ67 = 7 λ67 = 9

0 5 10 15 200.75

0.8

0.85

0.9

0.95

1

1.05

Time, t (days)

Ava

ilabi

lity

T = 0.6T = 0.4T = 0.2

0 5 10 15 200.8

0.85

0.9

0.95

1

1.05

Time, t (days)A

vaila

bilit

y

λ80 = 4λ80 = 6λ80 = 8

Fig. 6. Time-dependent results.


C1ðTÞ. The different lines in the figure correspond to differentvalues of C1. It can be seen from the figure that the availabilityfirst decreases and then reaches a steady-state value over time. Itcan also be observed that availability increases as we increase thetime to invoke check. Finally, Fig. 6(d) depicts that how avail-ability behaves over time for different rates of rejuvenation ðl80Þ.The different lines in the figure correspond to different values ofl80. The figure shows that as the rate of rejuvenation is increased,the availability also increases. Also, it can be observed from all thegraphs that how various measures reaches a steady-state valueover time.

5. Conclusion

In this paper, a general analytical framework of dependabilitymodel for a VoIP system is presented and the model is analyzed in amathematical manner. A state transition model that describes thedynamic behavior of such a system is used as a basis for developinga stochastic model. Since the memoryless property of exponentialdistribution implies the absence of aging and learning, it would notbe appropriate for modeling system degradation and attacker’sbehavior. Hence, the model is studied under semi-Markov processin order to capture the dependencies of the system’s behavior on thetime that the system spends at each state. The model analysis isillustrated with the help of a numerical example. The theoreticalsteady-state analysis of the SMP model is provided in closed-form.Also, the steady-state results of the analytical model is validated viasimulation. The issue of the absence of exact values of modelparameters is addressed by studying the sensitivity of differentattributes to small changes in the parameter values. Moreover,various dependability attributes such as availability, confidentialityand reliability of the VoIP system are obtained. Hence, this kind ofmodeling can help in selecting the different parameters to enhancethe various dependability attributes. The results of our model arealso compared with the results of the models proposed in [15,16],

and the comparison points toward the fact that our model has thepotential to enhance the dependability level of the VoIP system.

Finally, the time-dependent analysis of the dependabilitymodel is presented in this paper. Because of the numericalcomplexities involved due to non-Markovian nature of the model,simulation technique is adopted to get the time-dependentdependability attributes. It can be visualized from the graphicalresults that the time-dependent measure ripples for some timebefore it settles down to a constant value.

Acknowledgment

This research work is supported by the Department of Scienceand Technology, India. One of the authors (V.G.) would like tothank CSIR, India for providing her financial support throughSenior Research Fellowship.

References

[1] Karapantazis S, Pavlidou FN. VoIP: a comprehensive survey on a promisingtechnology. Computer Networks 2009;53:2050–90.

[2] Avizienis A, Laprie JC, Randell B. Fundamental concepts of dependability. In:Third information survivability workshop; 2000.

[3] Avizienis A, Laprie JC, Randell B, Landwehr C. Basic concepts and taxonomy ofdependable and secure computing. IEEE Transactions on Dependable andSecure Computing 2004;1:11–33.

[4] Nicol DM, Sanders WH, Trivedi KS. Model-based evaluation: from depend-ability security. IEEE Transactions on Dependable and Secure Computing2004;1:148–65.

[5] Sang Y, Shen H, Defago X, Zhang Z. A Brief comparative study on analyticalmodels of computer system dependability and security. In: Sixth interna-tional conference on parallel and distributed computing, applications andtechnologies; 2005. p. 493–97.

[6] Chen D, Garg S, Kintala C, Trivedi KS. Dependability enhancement for IEEE802.11 wireless LAN with redundancy techniques. In: International confer-ence on dependable systems and networks; 2003, p. 521–28.

[7] Hneiti W, Ajlouni N. Dependability analysis of wireless local area networks.Information and Communication Technologies 2006;2:2416–22.

[8] Lukas G, Herms A, Ivanov S, Nett E. An integrated approach for reliability anddependability of Wireless Mesh Networks. In: IEEE international symposiumon parallel and distributed processing; 2008. p. 1–8.


[9] Trivedi KS, Jindal V, Dharmaraja S. Stochastic modeling techniques for secureand survivable systems. In: Qian Y, Joshi J, Tipper D, Krishnamurthy P, editors.Information assurance: dependability and security in networked systems.Morgan Kaufmann; 2008. p. 171–207.

[10] Koutras VP, Platis AN. Optimal rejuvenation policy for increasing VoIP servicereliability. In: European safety and reliability conference; 2006. p. 2285–90.

[11] Kuhn DR, Walsh TJ, Fries S. Security considerations for voice over IP Systems,US National Institute of Standards and Technology (NIST) Special PublicationSP800-58; 2005.

[12] Dwivedi H. Unconventional VoIP security threats, Hacking VoIP: protocols,attacks, and countermeasures, No Starch Press; 2008. p. 131–52.

[13] Madan B, Popstojanova KG, Vaidyanathan K, Trivedi KS. A method formodeling and quantifying the security attributes of intrusion tolerantsystems. Performance Evaluation 2004;56:167–86.

[14] Trivedi KS, Vaidyanathan K, Postojanova KG. Modeling and analysis ofsoftware aging and rejuvenation. In: IEEE annual simulation symposium;2000. p. 270–79.

[15] Kim DS, Shazzad KM, Park JS. A framework of survivability model for wirelesssensor network. In: First international conference on availability, reliabilityand security (ARES’06); 2006, p. 515–22.

[16] Koutras VP, Platis AN. VoIP availability and service reliability through soft-ware rejuvenation policies. In: International conference on dependability ofcomputer systems; 2007. p. 262–69.

[17] Xie W, Hong Y, Trivedi KS. Analysis of a two-level software rejuvenationpolicy. Reliability Engineering and System Safety 2005;87:13–22.

[18] Gupta V, Dharmaraja S. An analytical framework of survivability model forVoIP. In: International symposium on software reliability engineering(ISSRE); 2009.

[19] Trivedi KS. Probability and statistics with reliability queuing and computerscience applications. second ed.John Wiley & Sons; 2001.

[20] Faria JA, Matos MA. An analytical methodology for the dependabilityevaluation of non-Markovin systems with multiple components. ReliabilityEngineering and System Safety 2001;74:193–210.

[21] Limnios N. Dependability analysis of semi-Markov systems. ReliabilityEngineering and System Safety 1997;55:203–7.

[22] Papazoglou IA. Semi-Markovian reliability models for systems with testablecomponents and general test/outage times. Reliability Engineering andSystem Safety 2000;68:121–33.

[23] Koutras VP, Platis AN. Semi-Markov availability modeling of a redundantsystem with partial and full rejuvenation actions. In: DepCoS-RELCOMEX;2008. p. 127–34.

[24] Kulkrani VG. Modeling and analysis of stochastic systems. Chapman & Hall;1995.

[25] Sahner RA, Trivedi KS, Puliafito A. Performance and reliability analysis ofcomputer systems: an example based approach using the SHARPE softwarepackage. Massachusetts, USA: Kluwer Academic Publishers; 1996.

Documents

Semi-Markov modeling of dependability of VoIP network in the presence of resource degradation and security attacks