Military Communications and Information Technology: A Trusted ...
Military Communications and Information Technology: A Trusted ...
Military Communications and Information Technology: A Trusted ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Military</strong> <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> <strong>Technology</strong>:<br />
A <strong>Trusted</strong> Cooperation Enabler<br />
Volume 1<br />
Warsaw 2012
Reviewers:<br />
Prof. Milan Šnajder, LOM Praha, Czech Republic<br />
Prof. Andrzej Dąbrowski, Warsaw University of <strong>Technology</strong>, Pol<strong>and</strong><br />
Editor:<br />
Marek Amanowicz<br />
Co-editor:<br />
Peter Lenk<br />
© Copyright by Redakcja Wydawnictw Wojskowej Akademii Technicznej.<br />
Warsaw 2012<br />
ISBN 978-83-62954-31-5<br />
ISBN 978-83-62954-51-3<br />
Publication qualified for printing without editorial alterations made by the MUT<br />
Publishing House.<br />
DTP: Martyna Janus<br />
Cover design: Barbara Chruszczyk<br />
Publisher: <strong>Military</strong> University of <strong>Technology</strong><br />
Press: P.P.H. Remigraf Sp. z o.o., ul. Ratuszowa 11, 03-450 Warszawa<br />
Warsaw 2012
Contents<br />
Foreword ............................................................................ 7<br />
Chapter 1<br />
Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems .................... 9<br />
Building a Layered Enterprise Architecture Using COTS Products for NATO Air Comm<strong>and</strong><br />
& Control <strong>Information</strong> Services ......................................................... 11<br />
Hasan Turksoy, Mutlu Uysal, Orhan Cetinkaya, Atilla Malas, Ismail Akcaoglu, Yavuz Okur<br />
Applying NAF for Performance Analysis: Performance Analysis of SOA Systems<br />
Using LQN Models ................................................................... 21<br />
Arkadiusz Wrzosk<br />
Openness in <strong>Military</strong> Systems .......................................................... 37<br />
Jessica Connah, Abigail Solomon, John McInnes, Olwen Worthington, Dale Chambers<br />
The Concept of Integration Tool for the Civil <strong>and</strong> <strong>Military</strong> Service Cooperation During Emergency<br />
Response Operations .................................................................. 49<br />
Łukasz Apiecionek, Tomasz Kosowski, Henryk Kruszyński, Marek Piotrowski, Robert Palka<br />
CFBLNet: A Coalition Capability Enabling Network ....................................... 61<br />
Edgar Harmsen, Syvert Maesel, Fred Jordan, Rob Goode, Einar Thorsen, Jan-Willem Smaal<br />
Selected Aspects of Effective RCIED Jamming ............................................. 71<br />
K. Wilgucki, R. Urban, G. Baranowski, P. Grądzki, P. Skarżyński<br />
Advanced Road Traffic Service Demonstrator ............................................. 83<br />
Marek Małowidzki, Przemysław Bereziński, Tomasz Dalecki, Michał Mazur<br />
Modern Low Cost Aircraft Instruments .................................................. 93<br />
Radek Bystricky, Premysl Janu<br />
Chapter 2<br />
<strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong> <strong>Information</strong> Sharing ......... 103<br />
SOA in the CoNSIS Coalition Environment: Extending the WS-I Basic Profile for Using SOA<br />
in a Tactical Environment ............................................................ 105<br />
Hartmut Seifert, Markus Franke, Anne Diefenbach, Peter Sevenich<br />
CoNSIS: Demonstration of SOA Interoperability in Heterogeneous Tactical Networks .......... 117<br />
Trude H. Bloebaum, Ketil Lund<br />
Protected <strong>and</strong> Controlled Communication Between <strong>Military</strong> <strong>and</strong> Civilian Networks ............ 131<br />
Anders Fongen<br />
Use of Cross Domain Guards for CoNSIS Network Management ............................ 149<br />
Philipp Steinmetz
4 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The CoNSIS Approaches to Network Management <strong>and</strong> Monitoring .......................... 161<br />
Christoph Barz, Anne Diefenbach, Fatih Abut, Matthias Wilmes, Peter Sevenich,<br />
Pierre Simon, Norbert Bret<br />
Multi-Topology Routing for QoS Support in the CoNSIS Convoy MANET .................... 179<br />
Mariann Hauge, Jon Andersson, Margrete A. Brose, Jostein S<strong>and</strong>er<br />
Chapter 3<br />
<strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision Support Enhancement ........ 199<br />
Mathematical Foundations of Interoperability <strong>and</strong> Composability ........................... 201<br />
Andreas Tolk<br />
Semantic Interoperability by Means of Computer Languages ............................... 209<br />
Ľubomír Dedera<br />
Semantic Model for Context – Aware Service Provision in Disadvantaged Network Environment ...221<br />
Joanna Śliwa<br />
Run-Time Ontology on the Basis of Event Notification Service .............................. 239<br />
Kamil Gleba, Joanna Śliwa, Damian Duda, Joanna Głowacka, Piotr Pyda<br />
A Robust <strong>and</strong> Scalable Peer-to-Peer Publish/Subscribe Mechanism .......................... 253<br />
Tobias Ginzler<br />
Automatic Exploitation of Multilingual <strong>Information</strong> for <strong>Military</strong> Intelligence Purposes .......... 265<br />
S<strong>and</strong>ra Noubours, Matthias Hecking<br />
<strong>Information</strong> Fusion Under Network Constraints .......................................... 281<br />
Felix Govaers, Alex<strong>and</strong>er Charlish, Wolfgang Koch<br />
Examination of Combination Rules for the Purpose of <strong>Information</strong> Fusion in C2 Systems ....... 295<br />
Ksawery Krenc<br />
Comm<strong>and</strong>ing Multi-Robot Systems with Robot Operating System Using Battle<br />
Management Language .............................................................. 305<br />
Thomas Remmersmann, Alex<strong>and</strong>er Tiderko, Marco Langerwisch,<br />
Stefan Thamke, Markus Ax<br />
Application of CID Server in Decision Support for Comm<strong>and</strong> <strong>and</strong> Control .................... 317<br />
Krzysztof Muchewicz, Marek Piotrowski, Henryk Kruszyński, Robert Palka<br />
Managing Lessons Learnt from Daily Missions – Methodology <strong>and</strong> Tool ...................... 331<br />
Witold Hołubowicz, Wojciech Dymowski, Tomasz Springer<br />
Chapter 4<br />
<strong>Information</strong> Assurance & Cyber Defence ............................................. 345<br />
Federated Cyber Defence System – Applied Methods <strong>and</strong> Techniques ......................... 347<br />
Bartosz Jasiul, Rafał Piotrowski, Przemysław Bereziński, Michał Choraś,<br />
Rafał Kozik, Juliusz Brzostek<br />
Identity <strong>and</strong> Access Services in NATO Federation Scenarios ................................ 359<br />
Robert Malewicz, Rui Fiske, Graeme Lunt<br />
Development of High Assurance Guards for NATO ....................................... 377<br />
Konrad Wrona, Geir Hallingstad<br />
Network Traffic Characteristics for Detecting Future Botnets ............................... 395<br />
Jonathan P. Chapman, Felix Govaers
Contents<br />
5<br />
Methodology for Gathering Data Concerning Incidents in Cyberspace ........................ 415<br />
Adam Flizikowski, Jan Zych, Witold Hołubowicz<br />
Problems of Detecting Unauthorized Satellite Transmissions from the VSAT Terminals ......... 431<br />
Przemysław Bibik, Stanisław Gradolewski, Wojciech Zawiślak, Jacek Zbudniewek,<br />
Radoslav Darakchiev, Jerzy Krężel, Mateusz Michalski, Krzysztof Strzelczyk<br />
On Multi-Level Secure Structured Content: A Cryptographic Key Management<br />
– Independent XML Schema for MLS Content ........................................... 439<br />
Mikko Kiviharju<br />
Generation of Nonlinear Feedback Shift Registers with Special-Purpose Hardware ............. 455<br />
Tomasz Rachwalik, Janusz Szmidt, Robert Wicik, Janusz Zabłocki<br />
Effective Generation of Cryptographic Material for Large Hierarchical Communication Networks ...465<br />
Marcin Grzonkowski, Jacek Jarmakiewicz, Wojciech Oszywa<br />
Improving the Efficiency of Cryptographic Data Management by Using an Adaptive<br />
Method of Planning .................................................................. 475<br />
Tomasz Czajka, Wojciech Oszywa, Michał Gawroński, Rafał Gliwa<br />
Modern Usage of “Old” One-Time Pad .................................................. 485<br />
Mariusz Borowski, Marek Leśniewicz<br />
Acoustic Steganographic Transmission Algorithm, Using Signal Coherent Averaging ............ 497<br />
Krzysztof Wodecki, Zbigniew Piotrowski, Jarosław Wojtuń<br />
Index ............................................................................. 509
Foreword<br />
Modern military operations are conducted in a complex, multidimensional<br />
<strong>and</strong> disruptive environment. The challenging political <strong>and</strong> social environment<br />
of the operations necessitates establishing coalitions, consisting of many different<br />
partners of differing levels of trust, e.g. partners from NATO nations, as well<br />
as non-NATO nations <strong>and</strong> others such as the local government bodies <strong>and</strong> local<br />
forces. Tight collaboration with these partners <strong>and</strong> the guarantee that the appropriate<br />
information is shared within the community is vital to the mission efficiency.<br />
This also requires underst<strong>and</strong>ing of these differences <strong>and</strong> greater trust as well as<br />
acceptance of the greater risk involved.<br />
Dynamic environmental changes <strong>and</strong> limitations of the technical infrastructure<br />
assets creates additional challenging issues for the effective collaboration<br />
of the coalition partners. The fragile nature of the communications infrastructure,<br />
especially at the tactical level, requires robust methods <strong>and</strong> mechanisms to<br />
deal with long delays, communication failures or disconnections <strong>and</strong> available<br />
b<strong>and</strong>width limitations.<br />
These all necessitate a better underst<strong>and</strong>ing of the environmental conditions<br />
<strong>and</strong> appropriate procedural actions, as well as strong technological support, to<br />
provide the required levels of interoperability, flexibility, security <strong>and</strong> trusted collaboration<br />
in connecting heterogeneous systems of all parties involved in the action.<br />
Many research efforts aimed at the elaboration <strong>and</strong> implementation of innovative<br />
communications <strong>and</strong> information technologies for military systems,<br />
enabling trusted information exchange <strong>and</strong> successful collaboration in disadvantaged<br />
environments, have been undertaken world-wide. The latest selected<br />
results of such activities that include novel concepts for military communications<br />
<strong>and</strong> information systems, as well as innovative technological solutions, are<br />
presented in this book.<br />
The book contains the papers originally submitted to the 14 th <strong>Military</strong> <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> Systems Conference (MCC) held on 8–9 October 2012<br />
in Gdansk, Pol<strong>and</strong>. The MCC is an annual event that brings together experts from<br />
research establishments, industry <strong>and</strong> academia, from around the world, as well<br />
as representatives of the military <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
community. The conference provides a useful forum for exchanging ideas on the<br />
development <strong>and</strong> implementation of new technologies <strong>and</strong> military CIS services.
8<br />
<strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
It also creates a unique opportunity to discuss these issues from different points of<br />
view <strong>and</strong> share experiences amongst European Union <strong>and</strong> NATO CIS professionals.<br />
The papers included in this book are split into two volumes, each contains<br />
selected issues that correspond to the conference topics, <strong>and</strong> reflect the technology<br />
advances supporting trusted collaboration of all parties involved in joint<br />
operations. The first volume is focused on: Concepts <strong>and</strong> Solutions for <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> Systems, <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong><br />
for <strong>Trusted</strong> <strong>Information</strong> Sharing, <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong><br />
Decision Support Enhancement <strong>and</strong> <strong>Information</strong> Assurance & Cyber Defence, while<br />
the latter on the following: Tactical <strong>Communications</strong> <strong>and</strong> Networks, Spectrum<br />
Management <strong>and</strong> Software Defined Radio Techniques, Mobile Ad-hoc & Wireless<br />
Sensor Networks <strong>and</strong> Localization Techniques.<br />
The editors would like to take this opportunity to express their thanks to the<br />
authors <strong>and</strong> reviewers for their efforts in the preparation of this book. We trust<br />
that the book will contribute to a better underst<strong>and</strong>ing of the challenging issues in<br />
trusted collaboration in modern operations, scientific achievements <strong>and</strong> available<br />
solutions that mitigate the risk <strong>and</strong> increase the efficiency of information exchange<br />
in hostile <strong>and</strong> disruptive environments. We believe that the readers will find the<br />
content of the book both useful <strong>and</strong> interesting.<br />
Marek Amanowicz<br />
Peter Lenk
Chapter 1<br />
Concepts <strong>and</strong> Solutions<br />
for <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> Systems
Building a Layered Enterprise Architecture<br />
Using COTS Products for NATO Air Comm<strong>and</strong><br />
& Control <strong>Information</strong> Services<br />
Hasan Turksoy 1 , Mutlu Uysal 2 , Orhan Cetinkaya 2 ,<br />
Atilla Malas 2 , Ismail Akcaoglu 1 , Yavuz Okur 2<br />
1 STM A.S., Software Engineering Division, Ankara, Turkiye,<br />
{hturksoy, iakcaoglu}@stm.com.tr<br />
2 NCI Agency, Capability Development, C2 <strong>and</strong> Operations Services,<br />
{Mutlu.Uysal, Orhan.Cetinkaya, Atilla.Malas, Yavuz.Okur}@ncia.nato.int<br />
Abstract: The development of a Network Enabled Capability (NEC) is viewed by NATO as the most<br />
effective way to support future operations. In the current state of art, NATO NEC (NNEC) is achieved<br />
by integrating different systems within a layered Service Oriented Architecture (SOA). Using multi-<br />
-layered architecture is composed of well-defined st<strong>and</strong>ards-based services supported or provided<br />
by modern Commercial-off the Shelf (COTS) products. Although multiple COTS usage provides<br />
many benefits in terms of productivity, consistency <strong>and</strong> flexibility, it also brings some challenges<br />
such as harmonization of different COTS in a product <strong>and</strong> serving them in a layered architecture.<br />
This paper explains the utilization of heterogeneous COTS products/applications within a layered<br />
SOA based architecture in air comm<strong>and</strong> <strong>and</strong> control domain. Harvesting of COTS in multi-layered<br />
architecture will increase the flexibility <strong>and</strong> efficiency of the system, <strong>and</strong> therefore it will help to<br />
improve operational effectiveness in NATO.<br />
Keywords: Air Comm<strong>and</strong> & Control; Layered Architecture; COTS; Service Oriented Architecture<br />
(SOA)<br />
I. Introduction<br />
NATO Air Comm<strong>and</strong> & Control <strong>Information</strong> Services (AirC2IS) is a strategic<br />
<strong>and</strong> operational level comm<strong>and</strong> <strong>and</strong> control information system which provides<br />
an automated capability for supporting NATO operational staff to continuously<br />
adapt to the constantly changing NATO environment <strong>and</strong> to address the security<br />
challenges. AirC2IS will support the joint air planning, tasking, monitoring, <strong>and</strong><br />
analysis efforts for NATO air operations, including Tactical Ballistic Missile Defense<br />
(TBMD) operations.<br />
AirC2IS leverages a modern, robust, integrated <strong>and</strong> flexible Service Oriented<br />
Architecture (SOA)-based solution. It is the first example of the NATO Network
12 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Enabled Capability (NNEC) from the design, delivering the first air <strong>and</strong> TBMD<br />
service libraries to the NNEC services framework.<br />
Integration capability provides flexibility to operate with other Bi-Strategic<br />
Comm<strong>and</strong> Automated <strong>Information</strong> Systems (Bi-SC AIS) components <strong>and</strong> national<br />
systems. AirC2IS interacts with joint, l<strong>and</strong>, maritime, air <strong>and</strong> other information<br />
systems to support operational tasks. It will utilize existing Bi-SC AIS core services<br />
<strong>and</strong> other NATO Comm<strong>and</strong> <strong>and</strong> Control (C2) applications such as Core Enterprise<br />
Services (CES) to provide an integrated comm<strong>and</strong> <strong>and</strong> control capability to<br />
NATO air staff. AirC2IS provides execution of air C2 across all levels of comm<strong>and</strong><br />
as a single homogeneous process based on seamless, transparent <strong>and</strong> timely flow<br />
of data <strong>and</strong> information.<br />
These responsibilities <strong>and</strong> integration with Bi-SC AIS Functional Services <strong>and</strong><br />
Core Services capabilities need using modern software engineering technology<br />
<strong>and</strong> provides a comprehensive toolset which is needed to execute responsibilities<br />
of the NATO war fighter. For this, suitable Commercial-off the Shelf (COTS)<br />
software products are mindfully selected in order to improve system reliability,<br />
minimize development time, <strong>and</strong> reduce project risks.<br />
AirC2IS has a multi-layered architecture which ensures a flexible deployment to<br />
the target environment. The architecture is composed of well-defined st<strong>and</strong>ards-based<br />
services supported or provided by modern COTS products; hence, it is extendable <strong>and</strong><br />
scalable. Although multiple COTS usage provides many benefits in terms of productivity,<br />
consistency <strong>and</strong> flexibility, it also brings some challenges such as harmonization<br />
of different COTS in a product <strong>and</strong> serving them in a layered architecture.<br />
The following section explains the AirC2IS layered architecture <strong>and</strong> the COTS<br />
usage. Section 3 summarizes the challenges of using multiple COTS within a layered<br />
architecture <strong>and</strong> explains how to overcome these challenges. The core components<br />
to harmonize the architectures are explained in Section 4. Finally, the last section<br />
concludes the paper.<br />
II. NATO AirC2IS architecture<br />
AirC2IS has a layered <strong>and</strong> service-oriented software architecture which<br />
is modular <strong>and</strong> composed of well-defined st<strong>and</strong>ards-based services supported or<br />
provided by modern COTS products. AirC2IS maximizes the use of state-of-theart<br />
COTS software products to make the development faster with mature, proven,<br />
stable <strong>and</strong> pre-tested building blocks.<br />
The AirC2IS will be composed of:<br />
• Set of AirC2 <strong>and</strong> TBMD mission applications (exposed to the user at application<br />
client <strong>and</strong> portal client)<br />
• Corresponding data <strong>and</strong> business services, <strong>and</strong> their management,<br />
• Powerful <strong>and</strong> efficient integration services,<br />
• Enabling or cross-cutting services for all above.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
13<br />
A. Layered & SOA based architecture of AirC2IS<br />
The AirC2IS architecture is designed by taking into consideration newly<br />
introduced NATO CES framework [5] <strong>and</strong> SOA governance [4]. It is anticipated<br />
that after the delivery of AirC2IS, several services provided by this architecture<br />
will be seen as the first occurrence of the NATO CES envisaged capabilities. This<br />
is an important step to achieve service st<strong>and</strong>ardization <strong>and</strong> improve interoperability<br />
within the Bi-SC AIS environment (NATO enterprise).<br />
AirC2IS utilizes a layered architecture approach to support complex operational<br />
requirements with good maintainability, reusability, scalability, strength <strong>and</strong><br />
security which is depicted at the Fig. 1:<br />
Figure 1. AirC2IS layered software architecture<br />
The layers of AirC2IS (Fig. 1) are defined as:<br />
• Presentation Layer provides application’s user interfaces.<br />
• Service/Integration Layer provides access to all the services <strong>and</strong> the external<br />
system information.<br />
• Business Layer provides the business logic/functionality of the application<br />
• Domain Layer provides visibility to the domain concepts, business processes<br />
<strong>and</strong> domain rules<br />
• Data Persistence Layer provides the interaction with the databases.<br />
• Cross-Cutting Layer provides the generic technical capabilities to all layers<br />
B. COTS usage in AirC2IS<br />
COTS selection criteria includes its correct <strong>and</strong> efficient implementation<br />
support to requirements <strong>and</strong> staying within the overall performance, usability,
14 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> maintainability criteria provided for the project. In addition, extensibility <strong>and</strong><br />
easy customizability of the chosen COTS product is a big plus for an enterprise<br />
level project.<br />
For instance, instead of developing a SOA-based framework within this project,<br />
AirC2IS enjoys the use of a world-wide accepted product, such as Microsoft’s<br />
BizTalk Server (MS-BT) 2010 framework [1] to develop SOA-based integration with<br />
external systems. For content management, collaboration <strong>and</strong> portal capabilities,<br />
SharePoint Portal [2] solution is being used. There are also a few other complex<br />
COTS products which have their own architectures. Therefore it is essential to also<br />
consider the major COTS products’ architectures to have a better underst<strong>and</strong>ing<br />
of the overall structure of the AirC2IS.<br />
Fig. 2 lays out the general architecture, <strong>and</strong> also “zooms in” the COTS products’<br />
basic architecture as well.<br />
Figure 2. Software architecture utilizing COTS architecture<br />
III. Overcoming challenges of multiple COTS usage<br />
within a layered architecture<br />
Using frameworks <strong>and</strong> other reusable libraries helps reducing design <strong>and</strong><br />
development efforts <strong>and</strong> increases the success of the final product. It also allows<br />
reserving scarce project resources for effective development of critical mission<br />
services.<br />
On the other h<strong>and</strong>, system needs to be designed carefully to build an integrated<br />
<strong>and</strong> easily manageable environment including such different components<br />
each have its own (<strong>and</strong> different) architecture.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
15<br />
For instance Microsoft SharePoint is a full-blown system that has its own database<br />
schema, its own data, business <strong>and</strong> presentation layers. But AirC2IS needs to<br />
behave as one system for the user like reaching SharePoint content from application<br />
side or vice versa. Also, search system must search not only SharePoint content, but<br />
also mission data maintained by the application side. It is apparent that the system<br />
must provide some utilities to manage the system centrally.<br />
Having such different architectures inside one system, those components or<br />
systems are need to be included or developed with a modular approach <strong>and</strong> have<br />
a loosely coupled design. Basic principles followed in design of AirC2IS are:<br />
• Modular approach, loosely coupled design,<br />
• Separation of concerns,<br />
• Separation of mission functions,<br />
• Following open <strong>and</strong> industry st<strong>and</strong>ards.<br />
To achieve this, AirC2IS utilizes a SOA based modern architecture. First step<br />
is determining the decoupled components of the system like in Fig. 3. Next, it is<br />
necessary to clarify services <strong>and</strong> contracts for the integration of components.<br />
In this architecture, there are various COTS <strong>and</strong> modules to be harmonized<br />
into one system. A few of these architectural decisions will be specified in the following<br />
section.<br />
IV. Harmonizing independent architectures<br />
As shown in Fig. 3, AirC2IS composed of an integration system which is built<br />
on MS-BT, a portal system built on SharePoint Portal <strong>and</strong> application services built<br />
with Windows Communication Foundation (WCF) of .NET framework. Though<br />
all of them having different architectures of their own, they need to work like one<br />
system. For instance the system must have a centralized logging system, compatible<br />
exception h<strong>and</strong>ling capabilities, <strong>and</strong> centralized monitoring components.<br />
Figure 3. Modularizing AirC2IS<br />
AirC2IS architecture harmonizes all those components by providing decoupling<br />
interfaces between boundaries instead of forcing these architectures to<br />
change. These core components are explained in detail in the following sections.
16 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
A. Centralized logging<br />
From usage point of view, a system admin requires to keep all the system<br />
logs centrally view them through a central interface. Such a logging mechanism<br />
needs to behave in the same manner, with the same interfaces for different parts<br />
of the system such as client <strong>and</strong> server side application codes, integration module<br />
(including BizTalk capabilities) <strong>and</strong> SharePoint portal module.<br />
AirC2IS logging system (LOGS) provides necessary logging mechanisms<br />
for all these participants with the assistance <strong>and</strong> correct utilization of a collection<br />
of reusable components like Microsoft Enterprise Library (EntLib) [6] Logging Application<br />
Block which is designed by Microsoft Patterns <strong>and</strong> Practices team as a best<br />
practice implementation of an enterprise level logging system. Architecture of this<br />
centralized logging system supporting SOA logic is given in Fig. 4.<br />
Figure 4. AirC2IS logging system architecture<br />
Having a centralized logging architecture in such a system gives the system<br />
the benefit of managing all logs of the system from one location. General logging<br />
flow for AirC2IS components <strong>and</strong> the components in the figure are explained below:<br />
1. Logging Utility: Logging Utility is a utility for the Silverlight client which<br />
is responsible for caching Silverlight client logs for a specified size <strong>and</strong><br />
sending them to Remote Logging Service.<br />
2. Remote Logging Service: Remote logging service is responsible for sending<br />
operational logs. Using this service, all operational logs are passed on to<br />
the LOGS architecture, giving the system the advantage of managing all<br />
logs from a single location.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
17<br />
3. MSMQ: Microsoft Messaging Queue (MSMQ) [7] is a message queuing<br />
implementation provided by Microsoft in Windows operating systems<br />
which allows applications running on separate servers/processes to communicate<br />
in a failsafe manner. MSMQ stores the messages in its own store.<br />
The maximum limit of this store is configurable <strong>and</strong> this will be configured<br />
according to the performance of Log Storing Service,<br />
4. Log Storing Service: The log storing service is a local windows service for<br />
reading logs from MSMQ periodically <strong>and</strong> writing them to the Log database.<br />
5. AirC2IS Log & Audit DB: AirC2IS Log & Audit Database is an independent<br />
database for storing logs <strong>and</strong> audits.<br />
6. Log Management Service: Log Management Service is a service for viewing<br />
<strong>and</strong> managing logs located in AirC2IS Log & Audit DB.<br />
LOGS is composed of three main components at the server side Remote<br />
Logging Service, an MSMQ <strong>and</strong> Log Storing Service. The logging flow of LOGS<br />
can be seen in Fig. 5.<br />
Figure 5. Logging flow at the server side<br />
In Fig. 5, (1) Remote Logging Service passes operational logs into an MSMQ.<br />
Since AirC2IS provides a centralized logging architecture, MSMQ is located here to<br />
avoid concurrency <strong>and</strong> locking issues. (2) This MSMQ is configured so that it passes<br />
the logs to Log Storing Service periodically. (3) After these logs are read from<br />
the queue, they are written by the Log Storing Service to the log & audit database.<br />
Of course LOGS includes all the necessary capabilities expected from <strong>and</strong><br />
enterprise level system like configurable logging levels or log categorization. With<br />
such a modular approach we have achieved to build a SOA based modular logging<br />
system that can be consumed centrally by AirC2IS applications, portal module<br />
<strong>and</strong> integration module. This design gives necessary flexibility while maintaining<br />
the system since all the logging behavior can be configured <strong>and</strong> managed centrally.
18 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
B. Centralized exception h<strong>and</strong>ling<br />
Another important utility required from an enterprise level architecture<br />
is having a centralized exception h<strong>and</strong>ling mechanism to catch all the exceptions<br />
occurred throughout the system. Since AirC2IS system has n-tier design, it is<br />
important to pass exceptions between tiers according to the predetermined rules.<br />
AirC2IS exception h<strong>and</strong>ling utility basically supports four important features;<br />
1. H<strong>and</strong>ling exceptions according to the predetermined policies<br />
2. Replace the original exception (<strong>and</strong> message) if needed<br />
3. Logging all exceptions independent from the developer initiative<br />
4. Shielding of the service exceptions before returning to the client side to<br />
not allow an information leakage<br />
AirC2IS logging <strong>and</strong> exception h<strong>and</strong>ling mechanisms are totally decoupled<br />
from each other <strong>and</strong> developed as independent utilities. On the other h<strong>and</strong>, they<br />
can be fully integrated through clean interfaces. This design empowers SOA based<br />
approach of the overall system. Fig. 6 shows what happens when an exception<br />
occurs in a server side service.<br />
Figure 6. AirC2IS exception management <strong>and</strong> shielding approach<br />
Here also, AirC2IS follows best practices suggested by the Microsoft Patterns<br />
<strong>and</strong> Practices team’s Exception H<strong>and</strong>ling Application Block. Having cautious customization<br />
<strong>and</strong> configuration of these libraries results in a more stable <strong>and</strong> easy<br />
maintainable infrastructure for the AirC2IS.<br />
C. Centralized enterprise monitoring<br />
The MS-BT Business Activity Monitoring (BAM) component is responsible<br />
for tracking of business data <strong>and</strong> processes. Activities <strong>and</strong> views can be created for<br />
monitoring business data <strong>and</strong> processes within MS-BT.<br />
Moreover, MS-BT has an ESB Toolkit Management Portal, which provides<br />
useful functionality for administering MS-BT applications, such as:<br />
• Graphical metrics<br />
• Repair <strong>and</strong> resubmit functionality<br />
• Alerting based on exception events
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
19<br />
• Auditing trails for repair <strong>and</strong> resubmit<br />
• Unified view of the .NET Exception data <strong>and</strong> BizTalk context properties<br />
• Historical views of exception data<br />
• Remote web-based access<br />
• Filtering of exceptions based on application<br />
• Managing publish & subscribe parameters<br />
Fig. 7 shows an example of a console report.<br />
Figure 7. ESB Management Console reports [3]<br />
V. Conclusion<br />
AirC2IS is big enterprise level system which includes different capabilities,<br />
architectures <strong>and</strong> products embedded inside. There are various COTS products included<br />
in the overall architecture responsible from different capabilities of the system.<br />
All of these COTS products have their own architecture which does not aware from<br />
the other products of the system. But, as AirC2IS, all these different components<br />
<strong>and</strong> systems need to work as one system in a harmonized manner.<br />
With a well-structured modular design <strong>and</strong> appropriate SOA approach,<br />
AirC2IS integrates different architectures <strong>and</strong> combine them for one big system.<br />
In addition, such architecture requires carefully designed infrastructural utilities<br />
<strong>and</strong> capabilities that need to be re-used by different systems <strong>and</strong> architectures.
20 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
References<br />
[1] http://msdn.microsoft.com/en-us/biztalk<br />
[2] http://msdn.microsoft.com/en-us/sharepoint/<br />
[3] http://technet.microsoft.com/en-us/library/ff699654(BTS.70).aspx<br />
[4] OASIS Reference Model for Service Oriented Architecture 1.0, Committee Specification<br />
1, 2 August 2006<br />
[5] NATO Network Enabled Capability Feasibility Study (NNEC FS), vol. II, Version 2.0,<br />
October 2005, NATO Unclassified.<br />
[6] http://entlib.codeplex.com/<br />
[7] http://msdn.microsoft.com/en-us/library/windows/desktop/ms711472(v=vs.85).aspx
Applying NAF for Performance Analysis:<br />
Performance Analysis of SOA Systems<br />
Using LQN Models<br />
Arkadiusz Wrzosk<br />
<strong>Military</strong> University of <strong>Technology</strong>, Warsaw, Pol<strong>and</strong>,<br />
awrzosk@wat.edu.pl<br />
Abstract: Service Oriented Architecture (SOA) is a concept of architecture that supports interoperability<br />
which is a key factor to achieve network enabled capability. However, SOA principles have<br />
also negative impact on performance. Performance problems detected during the mission when<br />
the system is exploited can affect mission results. Late error correction in the software architecture<br />
can greatly increase costs. This paper describes the tools which can be used for design <strong>and</strong> performance<br />
evaluation of SOA systems. NATO Architecture Framework is used to document various<br />
views of architecture. Layered Queuing Networks are used to build a performance model of SOA<br />
system. An example of the system design <strong>and</strong> its performance model are presented to illustrate how<br />
described tools can be used for the performance analysis.<br />
Keywords: SOA; NAF; LQN; UML, performance; MARTE; SoaML<br />
I. Introduction<br />
Systems used during any mission led by NATO in collaboration with Nongovernmental<br />
organizations (NGO) create complex, distributed <strong>and</strong> heterogeneous<br />
environment. Network-enabled capability (NEC) require interoperability<br />
of the information systems provided by various mission members. The integration<br />
of heterogeneous systems can be time-consuming <strong>and</strong> expensive. Furthermore,<br />
the diversity of missions require from the used systems to be flexible <strong>and</strong> scalable.<br />
Described requirements force changes in the approach to system design.<br />
Service Oriented Architecture (SOA) is a concept of architecture that supports<br />
interoperability, scalability <strong>and</strong> flexibility of heterogeneous systems. SOA transforms<br />
architecture style of an application into a set of connected services (internal <strong>and</strong><br />
external provided by nations), used when they are considered necessary.<br />
Very important aspect of the mission systems are time constraints in which<br />
they operate. Operational processes realized during mission use services provided<br />
by these systems. Furthermore, the existing network infrastructure is used to transmit<br />
data on mission field. Therefore, the services performance <strong>and</strong> the network
22 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
throughput have a direct impact on the operational processes <strong>and</strong> consequently on<br />
mission effects. Cost of removing performance problems detected during exploitation<br />
can be high, therefore, it is very important to evaluate SOA systems quality<br />
attributes during the design stage.<br />
In this paper the tools which can be used for performance evaluation of SOA<br />
system during the design stage are described. They allow to choose an architecture<br />
design which fulfills important non-functional requirements. System architecture<br />
is documented using st<strong>and</strong>ard notation, recognized in engineers environment, such<br />
as Unified Modeling Language (UML). Views from NATO Architecture Framework<br />
(NAF) are used to structure the specification of the system architecture. System<br />
models documented in NAF views are transformed into a performance model<br />
based on Layered Queuing Networks (LQN).<br />
The document is structured as follows. Section II presents work related to<br />
the system performance evaluation on the early development stages. Section III<br />
describes fundamental concepts such as SOA, software model, NAF <strong>and</strong> performance<br />
model. Section IV describes mapping between software <strong>and</strong> performance models.<br />
Section V presents an example the SOA model <strong>and</strong> a corresponding performance<br />
model. Finally, section VI concludes the paper.<br />
II. Related work<br />
Paper [1] describes the method for evaluation of quality attributes of a monolithic<br />
system that has its architecture documented using UML notation. Based<br />
on UML diagrams, annotated with extensions aggregated in UML profile „UML<br />
profile for Schedulability, Performance <strong>and</strong> Time” (SPT) [6], an LQN performance<br />
model is generated. Resultant model can be solved using a LQN solver (for example<br />
by the Layered Queuing Network Solver [18]). Similar approach is introduced<br />
in paper [2]. LQN model is generated from UML diagrams with annotations from<br />
the MARTE [7] profile.<br />
In work [5] the method for generating LQN model from the SOA specific<br />
models is presented. UML diagrams used to document architecture design contain<br />
description of workflows, components responsible for services realization,<br />
scenarios <strong>and</strong> distribution of software on resources. MARTE profile is used for<br />
models annotation.<br />
Paper [3] introduces the tool for architecture performance <strong>and</strong> scalability evaluation<br />
using discrete event simulation. Similarly to other approaches existing UML<br />
artifacts are used. Different models can be run simultaneously, which allow analysis<br />
of different alternative architectures. Simulation results of a single model in different<br />
configurations (for example with various workload) also can be compared.<br />
Authors of [8-11] concentrate on the services orchestration performance<br />
(composed from internal <strong>and</strong> provided external services) which is responsible for<br />
operational processes realization. Presented approaches allow to compare different
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
23<br />
sets of composite services <strong>and</strong> obtain optimal configuration from the performance<br />
point of view.<br />
III. Background<br />
System performance is determined by the way a system uses resources. Different<br />
implementations of the same functionality can have different computational<br />
complexity. In the performance domain three basic concepts can be distinguished:<br />
workload, resources <strong>and</strong> scenarios. Scenario describes the system’s behavior including<br />
dem<strong>and</strong>s for resources. Each scenario is executed with a frequency defined by<br />
a workload. Resources can represent software (passive resources – for example:<br />
buffer, critical section, database connection pool) or an underlying platform (active<br />
resources – for example: processor, disk, network).<br />
To conduct the system performance evaluation two questions should be answered:<br />
how the system will be documented <strong>and</strong> which performance model should<br />
be used. In the following subsections SOA concept is described including basic elements<br />
which should be documented allowing performance evaluation. Moreover,<br />
notations <strong>and</strong> framework used to document SOA architecture is outlined. Finally,<br />
the performance model is described.<br />
A. Service Oriented Architectures<br />
Service Oriented Architecture is a concept of an architecture that supports<br />
interoperability, scalability <strong>and</strong> flexibility of heterogeneous systems. SOA defines<br />
a ‘service’ concept which represents well defined fragment of an operational functionality.<br />
Services introduce new abstraction layer between operational logic <strong>and</strong><br />
legacy systems used in organization increasing cohesion between them. SOA<br />
transforms architecture style of an application into a set of connected services used<br />
when they are considered necessary.<br />
Abstract view of SOA can be described using layered architecture. Fig. 1 depict<br />
high level view of layers [22].<br />
Looking at layers presented in the diagram (Fig. 1), the most important<br />
is the identification of processes <strong>and</strong> business services used by consumers. An operational<br />
process describes how an organization achieves its goals. The processes<br />
layer allows to underst<strong>and</strong> an operational domain which is the object of interest<br />
when the SOA architecture is defined. Furthermore, it allow to identify the process<br />
activities that should be supported by services.<br />
Services are described through well-defined interfaces. Interface definition<br />
is independent from an underlying platform on which the service implementation<br />
is running. This approach allows services, build on a heterogeneous<br />
systems, to interact in a uniform <strong>and</strong> universal manner. Two types of services<br />
can be defined:
24 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• basic – provides essential functionality related to data processing in a new<br />
or a legacy systems. Usually these services create fundamental operational<br />
layer for the specific system or domain. An example of the basic service<br />
functionality could be saving the location of military unit.<br />
Figure 1. SOA layers<br />
• composite – operates on the higher level than basic services. The composite<br />
services have access to many different systems <strong>and</strong> usually are composed<br />
of basic services (they act as a controller). An example of a composite service<br />
can be a service which updates location of a military unit in several<br />
different systems.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
25<br />
Software components implement functionality described by services <strong>and</strong><br />
are responsible for quality of those services. They can implement new logic or<br />
an adapter to a legacy system.<br />
Legacy systems are monolithic systems supporting organization’s activities.<br />
Through a layered structure, SOA allows to integrate those systems using introduced<br />
integration techniques.<br />
Services <strong>and</strong> legacy systems operate on organization infrastructure. This<br />
layer includes physical resources, operating systems <strong>and</strong> virtual machines forming<br />
an execution environment for components <strong>and</strong> legacy systems.<br />
B. Software model<br />
An important element of a system description is a notation used to document<br />
an architecture design. SOA design is associated with services, components <strong>and</strong><br />
legacy systems layers, but operational processes <strong>and</strong> infrastructure layers are also<br />
important for performance evaluation. The operational processes layer provides<br />
information about the system workload <strong>and</strong> scenarios which describe how the services<br />
are used. The infrastructure layer is included into design because it provides<br />
information about the underlying platform on which the SOA system operates.<br />
Language chosen to document the architecture of SOA systems is Unified<br />
Modeling Language [15]. It’s a normalized language which supports design, specification<br />
<strong>and</strong> documentation of artifacts created during information system development<br />
process. UML provides comfortable mechanisms which support extending<br />
language semantics. A set of created extensions is aggregated in a profile. UML<br />
notation is widely accepted <strong>and</strong> used. Fig. 2 depict which layers are modeled using<br />
the UML language.<br />
Figure 2. Notations for SOA modeling
26 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Three profiles are used to document SOA architecture. The ‘Service oriented<br />
architecture Modeling Language’ (SoaML) [16] is a st<strong>and</strong>ard used to design a SOA<br />
solution that is independent from its implementation. The ‘Modeling <strong>and</strong> Analysis<br />
of Real-Time <strong>and</strong> Embedded Systems’ (MARTE) [17] profile supports model-based<br />
description of real time <strong>and</strong> embedded systems. It provides a set of annotations with<br />
are required to perform performance analysis. BPEL profile [20] is concerned with<br />
modeling an individual process components which will be deployed as automated<br />
processes.<br />
C. NATO Architecture Framework<br />
The NATO Architecture Framework (NAF) [12] supports structured approach<br />
to documenting architectures <strong>and</strong> manage their complexity. It provides the rules,<br />
guidance, <strong>and</strong> product descriptions for developing, presenting <strong>and</strong> communicating<br />
architectures. It facilitates underst<strong>and</strong>ing, comparing <strong>and</strong> integrating the architectures<br />
developed by NATO <strong>and</strong> Nations.<br />
NAF defines ‘views’ <strong>and</strong> ‘subviews’ that can be used to communicate the architecture<br />
information to a variety of a stakeholders. A view is defined as a set<br />
of subviews grouped by purpose. A subview is defined as a pattern from which<br />
to develop an individual products. Each product has a defined purpose, audience<br />
<strong>and</strong> the techniques for its creation <strong>and</strong> analysis. The system model documented<br />
in NAF subviews is a base for performance model generation. The subviews selected<br />
to document a SOA system architecture are depicted on Fig. 3. Additionally,<br />
mentioned subviews are required for system performance evaluation.<br />
Figure 3. NAF subviews for SOA
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
27<br />
The purpose of NSOV-4 Service Orchestration is to describe how services are<br />
used to support an operational processes. The services are used in conjunction to<br />
fulfill an objective that cannot be achieved by any of the services alone. Depending<br />
on how the services interaction is controlled we can distinguish an orchestration<br />
<strong>and</strong> a choreography. For documentation of such services, activity diagram <strong>and</strong><br />
profiles: BPEL <strong>and</strong> MARTE are used.<br />
In a NSOV-2 Service Definitions subview services are defined in order to<br />
underst<strong>and</strong> an operational domain in terms of services supporting the operational<br />
activities. A definition of service concentrates on the service identification, outcome,<br />
properties (such QoS), interfaces <strong>and</strong> policies. To document the service class<br />
diagram a SoaML profile is used.<br />
NSOV-5 Service Behavior subview contains detailed description of behavior<br />
<strong>and</strong> functionality of an individual service. For this purpose sequence diagrams<br />
with the MARTE profile are used.<br />
The purpose of the NSV-1 System Interface Description is to depict which<br />
<strong>and</strong> how systems collaborate in an operational domain. Term ‘system’ has a broad<br />
meaning <strong>and</strong> can denote a federation of systems (FoS), system of systems (SoS),<br />
subsystem or a software component. Furthermore, a ‘system’ can denote network<br />
components <strong>and</strong> other hardware. The subview can document distribution<br />
of software systems to the hardware nodes including connections between them.<br />
To document the resources <strong>and</strong> software distribution deployment diagrams <strong>and</strong><br />
MARTE profile are used.<br />
The NSV-4 System Functionality Description subview describes systems<br />
in more details in terms of their structure <strong>and</strong> behavior. It’s used to identify <strong>and</strong><br />
describe software components which are responsible for realization of functions<br />
defined by the services. To document internal structure of systems, components<br />
diagram, sequence diagram <strong>and</strong> MARTE profile are used.<br />
The NSV-12 Service Provision subview depicts which systems contribute to<br />
the provision of particular services. It provides traceability between the services,<br />
components <strong>and</strong> legacy systems layers. Class diagram is used to document this<br />
mapping.<br />
D. Performance model<br />
A performance model is an abstract representation of a system. It describes the system’s<br />
properties associated with a performance domain. It can be used to performance<br />
evaluation of a different architecture designs. The results of the analysis can be used<br />
to support improvement of the system design. This approach allows to detect the architecture<br />
design errors <strong>and</strong> lower a cost of the errors correction on late development<br />
stages or the system configuration. Many different <strong>and</strong> widely known performance<br />
models exist, for example: queuing networks (QN), stochastic Petri nets or stochastic<br />
process algebra. In this work the Layered Queuing Network model is used [2].
28 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 4. Example LQN graph<br />
LQN is a graph in which two types of nodes can be distinguished. First type is related<br />
to a software modeling. Software is modeled using ‘tasks’. Every task has a message<br />
queue where incoming requests are waiting for service. Each task has ‘entries’ which<br />
represent services provided by a task. An entry execution time can be specified using<br />
‘phases’ <strong>and</strong> more complex interactions can be modeled using ‘activities’. A second<br />
type of nodes represent an computational resources (processors). They are associated<br />
with tasks which use them when serving requests. A software <strong>and</strong> hardware node<br />
can be a single-server or a multi-server. This allows to model multithread tasks <strong>and</strong><br />
multiprocessor servers. Nodes are connected with arcs. They denote service requests<br />
(send messages). There are three types of request: synchronous, asynchronous <strong>and</strong><br />
forwarding [14]. Fig. 4 depict example of a LQN network.<br />
At the top of Fig. 4 is a node which describes a class of clients. Each client sends<br />
dem<strong>and</strong>s for two services e2 <strong>and</strong> e3 provided by the ‘web service’ task (rectangle). Each<br />
service has an execution time <strong>and</strong> dem<strong>and</strong>s for other services. In this case, the ‘web<br />
service’ query the ‘database’. Each software task operates on a hardware node (circle).<br />
The entry e2 was decomposed into three activities with two alternative paths. Each<br />
activity has an execution time dem<strong>and</strong>s <strong>and</strong> can require service from other entries.<br />
IV. Mapping NAF subviews to performance model<br />
The SOA system model is a base for a performance model generation. The structure<br />
of a LQN model is generated from the high-level SOA architecture documented<br />
using NAF subviews. The subviews NSOV-2, NSOV-4, NSV-1 <strong>and</strong> NSV-4 are used<br />
to create LQN tasks. This subviews contain entities such as: executable operational<br />
processes, composite <strong>and</strong> basic services <strong>and</strong> components responsible for service
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
29<br />
realization. LQN tasks for network components are also generated to allow evaluation<br />
of messages transmission time. The subview NSV-1 is also used to create<br />
computational resources (LQN processors). A system workload is created based<br />
on NSOV-4, NSOV-5 <strong>and</strong> NSV-4 subviews. Operational processes are generators<br />
of a system workload but they aren’t the only workload generators. Services <strong>and</strong><br />
legacy systems can be loaded by other missions. A workload generated outside<br />
of a mission for which the SOA system is designed can be modeled using scenarios<br />
from the subviews mentioned above. Scenarios are documented in interaction<br />
diagrams in the subviews: NSOV-4, NSOV-5 <strong>and</strong> NSV-4. Finally, a service time for<br />
each entry <strong>and</strong> activity is computed from diagrams with annotations from MARTE<br />
profile. The subview NSV-12 is used to connect services, legacy systems <strong>and</strong> components<br />
layers. Some transformation rules from UML to LQN can be found in [1][21].<br />
Fig. 5 describes the transformation algorithm.<br />
Figure 5. Transformation algorithm<br />
V. Case study<br />
In the case of study a sample SOA model documented using NAF is presented.<br />
Fig. 6-11 contains models described in NAF subviews. The above mentioned models<br />
are required to generate the LQN graph which is presented in Fig. 12. The main goal<br />
of the example is to show how the models from the NAF subviews are mapped to<br />
the LQN performance model.<br />
Suppose that the executable operational process presented on Fig. 6 is performed<br />
during the mission. It’s documented using UML activity diagram <strong>and</strong> two<br />
profiles: BPEL <strong>and</strong> MARTE. The process is initiated by the message with target
30 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
information. In the first step a request is processed. Next, request for evacuation<br />
of civilians from a threatened area is send to service provided by external organization.<br />
Finally, the request for fire on target is send. Process results are saved. Initiating events<br />
are generated according to closed stream described using the GAWorkloadEvent stereotype.<br />
Process steps which consume time are modeled using the PaStep stereotype.<br />
Some of the services can use other services to fulfill their functionality.<br />
The TargetMsgService sends information about the target to two other services:<br />
ISTARService <strong>and</strong> ArtilleryService. The TargetMsgService behavior <strong>and</strong> its interaction<br />
with other services is shown on Fig. 7. Requests which consume time <strong>and</strong><br />
resources are modeled using the PaStep stereotype.<br />
Figure 6. Example NSOV-4 Operational Activity Model<br />
Figure 7. Example NSOV-5 Service Behaviour
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
31<br />
Figure 8. Example NSOV-2 Service Definitions<br />
Services are described through well-defined interfaces. An interface definition<br />
is an independent from the underlying platform on which a service implementation<br />
operates. Fig. 8 shows an example service definition. Class diagram<br />
with SoaML profile is used. The TargetMsgService provides two operations.<br />
To implement its functionality the services ISTARService <strong>and</strong> ArtilleryService<br />
are required. Fig. 7 describes the TargetMsgService behavior <strong>and</strong> depicts how<br />
the required services are used.<br />
A service is a concept which represents well defined fragment of an operational<br />
functionality so it is at a level above the technology details. Each<br />
functionality described by a service is implemented by software components or<br />
legacy systems which are responsible for quality of those services. Fig. 9 describes<br />
the software components as well as the provided <strong>and</strong> required service interfaces.<br />
The ISTARComponent is an adapter to the legacy system (ISTARSystem) <strong>and</strong><br />
implements the service defined by the ISTARService interface.<br />
A component implements a set of operations. The behavior of methods describes<br />
scenario <strong>and</strong> can be specified using interaction diagrams. Fig. 10 presents<br />
the specification of the example method. Furthermore, methods have dem<strong>and</strong>s<br />
for resources which is modeled using MARTE profile. Requests which consume<br />
resources are modeled using the PaStep stereotype, while communicates send<br />
by network are stereotyped using the PaCommStep.<br />
Figure 9. Example NSV-12 Service Provision
32 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 10. Example NSV-4 System Functionality<br />
Systems are distributed on hardware systems. Distribution of software on<br />
the nodes is documented using deployment diagrams. Fig. 11 shows the example<br />
components <strong>and</strong> their distribution on the nodes. Two computational resources<br />
(GaExecHost) <strong>and</strong> one network component (GaCommHost) are specified.<br />
Figure 11. Example NSV-1 System Interface Description<br />
The structure of a LQN model is generated from the high-level SOA architecture<br />
documented using presented NAF subviews. The example performance<br />
model presented on Fig. 12 is generated from the system models described above.<br />
The prepared model can be solved using a LQN solver [18]. Performance evaluation<br />
results can be used to propose architecture design improvements.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
33<br />
Figure 12. LQN graph<br />
Results of architecture evaluation, which performance model is presented on<br />
Fig. 13 are described below. For architecture evaluation only network throughput<br />
was modified, but more advanced analysis can also be made. Fig. 13 depict response<br />
times of operation TargetMsgService.addTarget for various number of clients <strong>and</strong><br />
network throughput. The plot shows, that a network 50% faster, generate twice<br />
lower response times for various number of users. Evaluation results can be used<br />
to align network throughput which satisfy nonfunctional requirements.<br />
Presented example <strong>and</strong> its evaluation results show that performance analysis<br />
can support an architect in the decision making about the architecture during<br />
the design stage.
34 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 13. Response time depend on number of clients <strong>and</strong> network throughput<br />
VI. Conclusions<br />
This paper has presented an approach for performance evaluation of SOA<br />
systems used during NATO missions. The algorithm for generation LQN performance<br />
model from software models documented in NAF subviews was presented.<br />
The performance model can be used for performance analysis of different architecture<br />
designs <strong>and</strong> the results of the analysis can be used to support improvement<br />
of the system design.<br />
One of the biggest challenges is that the analysis require many different models<br />
on various levels of abstraction. It requires time <strong>and</strong> knowledge to design <strong>and</strong> annotate<br />
diagrams correctly. Systems realized according to SOA principles are usually<br />
large so performance analysis can be complex. Furthermore, software designers<br />
are not trained in the formalisms required by performance analysis. The software<br />
models must be annotated with information from the performance domain which<br />
may affect the readability of diagrams used to document system design.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
35<br />
REFERENCES<br />
[1] D.C. Petriu, H. Shen, “Applying the UML Performance Profile: Graph Grammarbased<br />
Derivation of LQN Models from UML Specifications”, TOOLS ‘02 Proceedings<br />
of the 12th International Conference on Computer Performance Evaluation, Modelling<br />
Techniques <strong>and</strong> Tools, Springer-Verlag London, UK, 2002, pp. 159-177.<br />
[2] J. Babau, M. Blay-Fornarino, J. Champeau, “Model Driven Engineering for<br />
distributed Real-Time Systems”, ISTE Ltd <strong>and</strong> John Wiley & Sons Inc., 2010.<br />
[3] P.C. Brebner, “Performance Modeling for Service Oriented Architecture”, ICSE<br />
Companion ‘08 Companion of the 30th international conference on Software<br />
engineering, ACM New York, NY, USA, 2008.<br />
[4] C.U. Smith. L.G. Williams, “Performance Engineering of Software Systems”, IEEE<br />
Transactions on Software Engineering, vol. 19 Issue 7, July 1993, pp. 496.<br />
[5] M. Alhaj, D.C. Petriu, “Approach for generating performance models from<br />
UML models of SOA systems”, CASCON ‘10 Proceedings of the 2010 Conference<br />
of the Center for Advanced Studies on Collaborative Research IBM Corp. Riverton,<br />
NJ, USA, 2010, pp. 268-282.<br />
[6] Object Management Group, “UML profile for Schedulability, Performance <strong>and</strong> Time”,<br />
http://www.omg.org/technology/documents/ /profile_catalog.htm<br />
[7] Object Management Group, “UML Profile for Modeling <strong>and</strong> Analysis of Real-time<br />
<strong>and</strong> Embedded Systems (MARTE)”, http://www.omg.org/ /technology/documents/<br />
profile_catalog.htm<br />
[8] A. D’Ambrogio, P. Boccirelli, “Model-driven Approach to Describe <strong>and</strong> Predict<br />
the Performance of Composite Services”, WOSP ‘07 Proceedings of the 6th international<br />
workshop on Software <strong>and</strong> performance, ACM, New York, USA, 2007, pp. 78-89.<br />
[9] A. Maduko, R. Jafri, J.A. Miller, “Modeling <strong>and</strong> Simulation of Quality of Service<br />
for Composition Web Services”, 7th World Multiconference on Systemics, Cybernetics<br />
<strong>and</strong> Informatics, 2003, pp. 420-425.<br />
[10] D. Rud, A. Schmietendorf, R. Dumke, “Performance Modeling of WS-BPEL-Based<br />
Web Service Compsition”, SCW ‘06 Proceedings of the IEEE Services Computing<br />
Workshops IEEE Computer Society Washington, DC, USA, 2006, pp. 140-147.<br />
[11] J. Grundy, J. Hosking, L. Li, N. Liu, “Performance Engineering of Service Composition”,<br />
SOSE ‘06 Proceedings of the 2006 international workshop on Service-oriented software<br />
engineering, ACM New York, NY, USA, 2006, pp. 26-32.<br />
[12] NAF v.3 Enabling NNEC for NATO, http://www.nhqc3s.nato.int/ /ARCHITECTURE/<br />
docs/NAF_v3/ANNEX1.pdf<br />
[13] “Service-oriented modeling <strong>and</strong> architecture”, http://www.ibm.com/ /developerworks/<br />
library/ws-soa-design1/<br />
[14] G. Franks, P. Maly, M. Woodside, “Layered Queueing Network Solver <strong>and</strong> Simulator<br />
User Manual”, http://www.sce.carleton.ca/rads/lqns/<br />
[15] Object Management Group, “Unified Modeling Language”, http://www.uml.org/<br />
[16] Object Management Group, “Service oriented architecture Modeling Language”,<br />
http://www.omg.org/spec/SoaML/<br />
[17] Layered Queuing Network Solver, http://www.sce.carleton.ca/rads/lqns/<br />
[18] N.M. Josuttis, “SOA in Practice: The Art of Distributed System Design (Theory<br />
in Practice)”, O’Reilly Media, 2007.
36 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[19] Model Driven Solutions, “Enterprise Service Oriented Architecture Using the OMG<br />
SoaML St<strong>and</strong>ard”, http://www.omg.org/news/ /whitepapers/<br />
[20] T. Gardner, “Mapping from UML to the Business Process Execution Language for<br />
Web Services (BPEL4WS) Web Services”, MDA Implementers’ Workshop Succeeding<br />
with Model Driven Systems, Orl<strong>and</strong>o, USA, 2003.<br />
[21] D.C. Petriu, C. Shousha, A. Jalnapurkar, “Architecture Based Performance Analysis<br />
Applied to a Telecommunication Systems”, IEEE Transactions on Software Engineering,<br />
vol. 26 Issue 11, November 2000, IEEE Press Piscataway, NJ, USA, pp. 1049-1065.<br />
[22] U. Wahli, L. Ackerman, A. Di Bari, Building SOA Solutions Using the Rational SDP,<br />
Redbooks, 2007.
Openness in <strong>Military</strong> Systems<br />
Jessica Connah, Abigail Solomon, John McInnes,<br />
Olwen Worthington, Dale Chambers<br />
Defence Science <strong>and</strong> <strong>Technology</strong> Laboratory (Dstl), Salisbury, Wiltshire, Engl<strong>and</strong>,<br />
www.dstl.gov.uk<br />
Abstract: Traditional approaches to military network procurement taken by government can lead to<br />
vender lock-in, reducing the potential for competition when the systems need refreshing or major<br />
upgrades, <strong>and</strong> also for through life maintenance requirements. One solution to these problems could<br />
be to require an open systems approach in military systems procurement, reducing single supplier<br />
issues through well defined architectures, interfaces <strong>and</strong> ‘open by design’ concepts. The paper presents<br />
a technical analysis of UK military systems procurement over the last few decades to provide context<br />
for the current open systems approach. The paper then explicitly discusses the potential benefits <strong>and</strong><br />
risks of such an approach <strong>and</strong> finally explores how this may impact on air interface, network <strong>and</strong><br />
security systems. Research into Open Systems Architecture (OSA) approaches from two Ministry<br />
of Defence (MOD) programs is reviewed; the Modular Open Systems Architecture (MOSA), <strong>and</strong><br />
the L<strong>and</strong> Open Systems Architecture (LOSA), whose aim is to introduce openness within the l<strong>and</strong><br />
environment. The primary conclusions of the work which will be elaborated in the paper are; that<br />
openness is key to providing increased interoperability, flexibility <strong>and</strong> agility, <strong>and</strong> that benefits can be<br />
obtained from designing a degree of openness into all aspects of military networks, for example<br />
in security, air interfaces <strong>and</strong> waveforms.<br />
Keywords: open; open system; open system architecture; openness; military; MOD; networks;<br />
interoperability<br />
I. Introduction<br />
Where military capability is dependent on complex system technologies,<br />
UK defense has needed to invest heavily to sustain the advantage necessary for<br />
success in the battle space. The early costs of raising the technology boundary to<br />
the next level <strong>and</strong> exploiting this in new military equipment can be significant.<br />
Delivery times are often long; therefore the risk that the original capability requirement<br />
or technology opportunity has shifted increases.<br />
Once delivered, enhancements to bespoke military equipment can be expensive<br />
<strong>and</strong> often unaffordable, as the incumbent industrial supplier levers the Ministry<br />
© Crown copyright 2012. Published with the permission of the Defence Science <strong>and</strong> <strong>Technology</strong> Laboratory on<br />
behalf of the Controller of HMSO. Reference number DSTL/CP65717.
38 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
of Defence’s (MOD’s) ‘lock-in’ to the single provider of the original equipment. This<br />
vendor lock-in drives high support costs through unique component supply loops,<br />
while early selection of base technology drives early <strong>and</strong> expensive obsolescence.<br />
The MOD has, over the past decade, recognized the importance of moving to<br />
open systems in a series of policy documents [1], [2] <strong>and</strong> [3]. The latest document,<br />
“National Security Through <strong>Technology</strong>: <strong>Technology</strong>, Equipment, <strong>and</strong> Support for<br />
UK Defence <strong>and</strong> Security” has re-emphasized that the UK’s defense <strong>and</strong> security<br />
requirements should be provided through open competition in the domestic <strong>and</strong><br />
global market, <strong>and</strong> through buying commercial products which use open st<strong>and</strong>ards<br />
[4]. Indeed, it states clearly that “science & technology spend will focus on<br />
modular approaches, based around packages of incremental development, that<br />
lend themselves to efficient <strong>and</strong> effective technology insertion, making use of open<br />
st<strong>and</strong>ards <strong>and</strong> architectures to fulfil our equipment needs”, replacing policy in [1]<br />
<strong>and</strong> [2].<br />
The MOD has also published its System of Systems Approach (SOSA) rulebook<br />
[5], a shared, structured <strong>and</strong> managed resource for use in the acquisition<br />
of defense capability. SOSA offers nine design principles for decision makers to<br />
guide behaviors throughout the acquisition lifecycle <strong>and</strong> all nine have the potential<br />
to be met through the adoption of an open approach [6].<br />
Open systems are defined in [4] as, “Systems which are based on publically<br />
known st<strong>and</strong>ard interfaces that allow anyone to use <strong>and</strong> communicate with equipment<br />
that adheres to the same st<strong>and</strong>ards”. There are a series of benefits that open<br />
systems have over closed systems which the defense domain seeks:<br />
• Shared research <strong>and</strong> development investment;<br />
• Competitive vendor options;<br />
• Interoperability compliance;<br />
• Simplified vulnerability evaluation;<br />
• Enhanced modelling <strong>and</strong> planning support;<br />
• Simplified extensibility <strong>and</strong> maintenance of equipment.<br />
There are also a number of barriers to the adoption of open systems which<br />
may deter commercial companies from adhering to open systems. These include:<br />
• Business models that do not support working with open systems;<br />
• <strong>Information</strong> sharing constraints.<br />
This paper addresses the benefits <strong>and</strong> risks that openness may present to<br />
the military communications community, <strong>and</strong> specifically covers open air interfaces,<br />
open network design <strong>and</strong> open security. Openness has been identified<br />
as an important consideration in a number of future MOD programs including<br />
the L<strong>and</strong> Environment Tactical Communication <strong>and</strong> <strong>Information</strong> Systems (LE Tac-<br />
CIS) project. The Modular Open Systems Architecture (MOSA), which has been<br />
seeking to introduce a systems approach in naval combat system procurement, <strong>and</strong><br />
the L<strong>and</strong> Open Systems Architecture (LOSA), which aims to introduce openness<br />
within the l<strong>and</strong> environment are two examples which are discussed in the paper.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
39<br />
These projects have developed approaches to the use of open systems architectures<br />
that can be applied throughout the MOD.<br />
II. Context: The aspiration for openness in MOD systems<br />
The design <strong>and</strong> procurement of network equipment in the MOD has changed<br />
significantly over the decades. In the past, the MOD focussed on the functionality<br />
<strong>and</strong> capability required to fulfil a specific aim; this led to systems built on<br />
custom st<strong>and</strong>ards that performed the function they were designed for, but which<br />
were completely incompatible with other hardware or software which had not<br />
been specifically designed to interoperate. The support of these systems had to be<br />
managed by the MOD itself <strong>and</strong> could not be outsourced due to the knowledge<br />
of the systems only being contained within the MOD or specific partners. Systems<br />
such as these, <strong>and</strong> those made in commercial industry, which are designed to proprietary<br />
st<strong>and</strong>ards <strong>and</strong> do not interoperate with other hardware <strong>and</strong> software, are<br />
often called ‘closed systems’.<br />
This method of systems procurement could only be sustained with a large<br />
expert workforce within the MOD, <strong>and</strong> a large budget. Once the MOD’s funding<br />
started to decrease it became ever harder to compete on a cutting edge technological<br />
basis with commercial markets <strong>and</strong> hence it became less viable to design all military<br />
systems internally. The MOD therefore, in the more effective management of risk<br />
<strong>and</strong> delivery of programs, adopted a prime contractor model, outsourcing design<br />
<strong>and</strong> manufacture. This option enabled the MOD to choose off the shelf solutions,<br />
which was cheaper, but which allowed less flexibility. Defense suppliers often used<br />
proprietary technologies <strong>and</strong> solutions, <strong>and</strong> this has resulted in problems arising<br />
because different UK systems cannot interoperate, or in some cases even be operated<br />
in the same space due to conflicting technical requirements. Occasionally,<br />
the technical underst<strong>and</strong>ing of a particular system is tied up with the original<br />
supplier, meaning costly support contracts are required to ensure the equipment<br />
can be operated until it reaches out-of-service date.<br />
Most recently, ‘smart-procurement’ has loosely described an approach in which<br />
network design is treated as service delivery, with separate off the shelf products<br />
being integrated in a system of systems architecture. An acknowledged drawback to<br />
this approach is the continued lack of interoperability across the network (without<br />
custom-made gateways) <strong>and</strong> vendor lock-in for minor issues due to proprietary<br />
information within off the shelf technology.<br />
It is thought that the service delivery approach currently favoured for the MOD’s<br />
network procurement may be significantly improved by requiring openness from<br />
discrete network elements. Open protocols would reduce the burden of ensuring<br />
network wide interoperability, avoid vendor lock-in <strong>and</strong> provide a far greater<br />
underst<strong>and</strong>ing of the technology used within the MOD. Such an approach would<br />
also ensure that suppliers can be compared more effectively, <strong>and</strong> can be selected
40 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
based on service merit. This would enable the MOD to be a much more intelligent<br />
customer who is not tied in to particular vendors, with the ability to choose the most<br />
cost effective solution at every stage of the networks lifetime.<br />
The UK MOD is developing the next generation of tactical networks, <strong>and</strong><br />
a key driver of this is the use of open architectures <strong>and</strong> st<strong>and</strong>ards. The approach<br />
taken is to define an architecture which is underpinned by open interfaces between<br />
encapsulated, heterogeneous systems. The LE TacCIS programme [7] is delivering<br />
this approach, attempting to deliver the transition from a current system of systems<br />
architecture within Comm<strong>and</strong> <strong>and</strong> Control <strong>Information</strong> Infrastructure (CCII) to<br />
next generation L<strong>and</strong> Environment Tactical CIS.<br />
III. Assessing the benefits <strong>and</strong> risks of open systems<br />
A. Benefits<br />
A key benefit of open systems to defense is that they enable interoperability,<br />
making both joint <strong>and</strong> coalition working easier. Interoperability is a key requirement<br />
for military communications systems, driven by top level strategies such<br />
as Network-Enabled Capability (NEC) <strong>and</strong> politically through increased coalition<br />
working in all major recent military operations. The need to strengthen partnerships<br />
through bilateral <strong>and</strong> multinational relationships is continually highlighted in toplevel<br />
MOD policy, most recently in the latest Strategy for Defence policy as part<br />
of “<strong>Military</strong> Task 3 – To succeed in other operations” [8]. Achieving both joint <strong>and</strong><br />
coalition interoperability requires components which can be operated alongside,<br />
in conjunction or integrated with systems controlled by separate operators. In terms<br />
of communications systems, at the technology level this requires either compatible<br />
st<strong>and</strong>ard interfaces, which would be the optimal solution, or use of gateways, which<br />
can lead to bottlenecks, vulnerable points <strong>and</strong> communications delay.<br />
Making technical specifications available to a wider market audience enables<br />
open st<strong>and</strong>ard interfaces <strong>and</strong> promotes greater objective competition. This objectivity<br />
in comparing networking systems is critical to allowing intelligent decision making<br />
in procurement. A report by the national audit office, reviewing the procurement<br />
of the UK Bowman system, found that “Agile decision making must be underpinned<br />
by high quality information” [9]. Vendor lock-in emerges from limiting the technical<br />
knowledge of a system to one supplier, meaning costly support contracts are<br />
required to ensure the equipment can be operated until it reaches out-of-date service.<br />
A high level of interoperability would potentially support a modular approach to<br />
changing technological components based on mission requirements.<br />
It may be assumed that by using the well known Open Systems Interconnection<br />
(OSI) model that openness can be achieved by appropriately defined interfaces.<br />
In practice the OSI model only defines interactions between adjacent layers in a protocol<br />
<strong>and</strong> may not necessarily deliver the design intent across a dynamic system.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
41<br />
One example would be a custom-made real-time transport protocol which works<br />
regardless of physical layer, but may not deliver the real-time intent of the protocol.<br />
Table I summarises the benefits of open systems.<br />
TABLE I. Benefits of Open Systems<br />
Benefit<br />
St<strong>and</strong>ard Interfaces<br />
Security Assessment<br />
Network Design & Planning<br />
Spectrum Management<br />
Competition<br />
Increased Modularity<br />
Description<br />
Sharing data between separate technologies is possible by providing<br />
st<strong>and</strong>ard interfaces to manufacturers.<br />
Open st<strong>and</strong>ards allow the buyer to underst<strong>and</strong> <strong>and</strong> better mitigate<br />
the risks.<br />
Planning wide area networks <strong>and</strong> managing loading is simplified<br />
if interfaces of different networks are open.<br />
Efficiently exploiting spatial reuse must be underpinned by information<br />
on interference characteristics.<br />
Proprietary advantages can be objectively compared between<br />
vendors.<br />
Modular systems can be bought that fit requirements <strong>and</strong> are<br />
cost effective. These can simply be replaced when required.<br />
B. Risks<br />
The adoption of open systems is thought to be likely to provide both technical<br />
<strong>and</strong> operational benefits, but a careful underst<strong>and</strong>ing of the risk is required to<br />
avoid compromise of operational security.<br />
There are a number of potential barriers to the adoption of open systems<br />
in defense. The shift to assessing <strong>and</strong> adopting a broad range of technologies will<br />
place greater burden on the system integrator, <strong>and</strong> this role has largely been filled<br />
by industry suppliers. This would be a highly complex task, requiring not only<br />
the detailed technical management of systems but also the evaluation of competing<br />
technologies <strong>and</strong> vendors for each new system component, <strong>and</strong> would require<br />
a trusted partner to fill this role.<br />
In defense, there are some cultural constraints to openness, based on how things<br />
have always been done; technical details of military systems are typically kept to<br />
a ‘need-to-know’ basis, partly to reduce the possibility of vulnerability discovery<br />
through a security-by-obscurity approach, <strong>and</strong> partly because Intellectual Property<br />
rights of supplying organisations must be protected. Often, the business models<br />
of contractors does not support the information sharing necessary for open systems;<br />
therefore a culture shift is essential to maximize the effectiveness the military achieves<br />
from off the shelf components. Public release of technical specifications may lead to<br />
an ‘arms race’ of vulnerability discovery <strong>and</strong> defensive patching; the military is likely<br />
to be an attractive target to a range of attackers. There are some situations where<br />
openness may never be wanted – for example, where equipment from foreign allies
42 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
is being used <strong>and</strong> must be protected for commercial reasons, or where legacy equipment<br />
with known vulnerabilities is required for an operation. War-time technical<br />
specifications (e.g. cryptographic algorithms) may be kept secret for national security<br />
reasons. The issue of not revealing too much about what we know about an attacker’s<br />
capability may also arise; for example, governments may choose to avoid disclosing<br />
that a certain attack has been uncovered to allow the attack’s duration <strong>and</strong> success to<br />
be monitored to learn about the capabilities of an adversary.<br />
IV. Applications of openness<br />
A. Open air interfaces<br />
There is a persistent aspiration within defense to exploit open air-interface<br />
st<strong>and</strong>ards developed by industry bodies, such as Wi-Fi developed by the IEEE [10],<br />
the Universal Mobile Telecommunications System (UMTS) developed by the 3 rd<br />
Generation Partnership Project (3GPP) [11] <strong>and</strong> the tactical data network, Link 16,<br />
which was developed by NATO under the St<strong>and</strong>ardized Agreement (STANAG)<br />
framework [12].<br />
For the specific scope of air-interfaces ‘openness’ may be defined in terms<br />
of system performance for various scenarios. Underst<strong>and</strong>ing true radio performance<br />
is critical to several core functions within the MOD including:<br />
• Defining acceptance criteria for systems procurement;<br />
• Aiding in mission planning for link <strong>and</strong> emission ranges;<br />
• Efficient spectrum allocation through spatial reuse;<br />
• Underst<strong>and</strong>ing impact of electronic warfare on links.<br />
The following is a list of objective criteria which could be used to create<br />
a st<strong>and</strong>ard evaluation approach, deriving metrics from non-intrusive lab testing:<br />
• Channel Equalization;<br />
• Link Performance;<br />
• Spectral Characteristics;<br />
• Packet Completion;<br />
• Signaling & Synchronization.<br />
B. Open network design<br />
Network design <strong>and</strong> planning is currently done on a program-by-program<br />
basis in the MOD, partly due to the lack of guaranteed interoperability between<br />
devices. It is not that there is a strict lack of confidence in network layer interoperability,<br />
but more fundamentally, there is no acknowledged way to consistently<br />
capture vital network statistics.<br />
The information required for network design diverges widely based on the user<br />
requirements; high level traffic loading analysis is required for strategic planning
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
43<br />
however does not require packet statistics, similarly the optimization of a tactical<br />
deployed network need not be concerned with network resources, but the actual<br />
performance of those resources at a packet level. This implies that to create a holistic<br />
network model solution, as much in-depth information must be obtained as possible.<br />
This ensures that the right information is available for the appropriate level<br />
of network design <strong>and</strong> analysis.<br />
Network layer equipment detail is only half the challenge, as traffic loading<br />
is equally important for accurate network analysis. This is often based on a network<br />
‘as-is’ <strong>and</strong> for accuracy will require levels of network monitoring not currently deployed<br />
in most tactical networks. In practice, estimation based on the information<br />
exchange requirements (IER) is a good approach for all but system-in-the-loop<br />
network optimization, as it allows the dynamics of various topology designs to be<br />
understood in context.<br />
C. Open security frameworks<br />
<strong>Military</strong> systems must be protected from a wide range of potential attackers<br />
as system failure could have dire consequences, potentially resulting in loss of life<br />
<strong>and</strong> mission failure. St<strong>and</strong>ard military Security Operating Procedures (SyOPs),<br />
expressed as stringent requirements <strong>and</strong> strict orders, are often seen as an obstacle<br />
to open systems.<br />
While making systems more open may, if not done carefully, reduce security,<br />
it is important to consider whether open security mechanisms <strong>and</strong> st<strong>and</strong>ards can be<br />
developed <strong>and</strong> used in defense. This is particularly important when considering<br />
openness as a driver for interoperability; some st<strong>and</strong>ardization of protection mechanisms<br />
is needed to ensure interoperability is not prevented by security constraints.<br />
This can be complex, as security measures encompass people <strong>and</strong> processes as well<br />
as technology.<br />
Historically, a ‘security through obscurity’ approach has been taken to ensuring<br />
the security of defense systems, with details of technologies, procedures <strong>and</strong> even<br />
capabilities kept secret. Such an approach is a clear block to openness <strong>and</strong> interoperability<br />
with allies; interoperability can be achieved only through the disclosure<br />
of information to trusted partners, which restricts the degree of interoperability<br />
achievable <strong>and</strong> rules out any working with less trusted parties.<br />
Significant progress has been made towards establishing public st<strong>and</strong>ards<br />
for security mechanisms through the involvement of organisations such as the US<br />
National Institute of St<strong>and</strong>ards <strong>and</strong> <strong>Technology</strong> (NIST), <strong>and</strong> it is more widely accepted<br />
that leaving technical specifications undisclosed does not protect against<br />
motivated attackers using techniques such as reverse engineering.<br />
This is seen most strongly in the field of cryptographic research, where much<br />
work is carried out to analyse widely-used cryptographic algorithms, <strong>and</strong> the openness<br />
of a technical specification is viewed as a positive endorsement of security.
44 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Through st<strong>and</strong>ardization, access to ‘best practice’ is possible, <strong>and</strong> wide use of a public<br />
st<strong>and</strong>ard is an endorsement of that technology. Even if the details of a system’s<br />
technical operation is known, it cannot be compromised due to the strength of,<br />
<strong>and</strong> confidence in, protection mechanisms within the system. This can lead to<br />
system owners adopting a more sensible risk posture; instead of trying to develop<br />
costly, custom-made security solutions, a posture of adopting open st<strong>and</strong>ards<br />
<strong>and</strong> technologies may result in more thought being given to appropriate levels<br />
of security – resulting in a move to a ‘risk balanced’ approach, which is based on<br />
careful analysis of the threat, rather than a ‘protect against everything’ mentality<br />
which is financially inefficient <strong>and</strong> increasingly more difficult to justify. Openness<br />
as a posture may also be a deterrent to some attackers as it demonstrates confidence<br />
in your protection mechanisms. Particular security mechanisms can be adopted<br />
to deter would-be attackers, for example if an attacker knows they will be traced<br />
then they may be less likely to attack.<br />
Whilst there are clear benefits from using st<strong>and</strong>ardized <strong>and</strong> interoperable security<br />
mechanisms, public disclosure of a security mechanism is still seen as a risk<br />
to security: attackers are given an awareness of how the system works, without<br />
requiring the effort involved in reverse-engineering which decreases the skill level<br />
needed for basic attack attempts. There is also a concern that successful attacks<br />
against a public st<strong>and</strong>ard may not be disclosed.<br />
Whilst a more open <strong>and</strong> st<strong>and</strong>ards-based approach to security can enable<br />
interoperability, the increased information disclosure has a risk of making<br />
it easier to identify attack vectors against a system <strong>and</strong> reducing the level of skill<br />
needed to attack a system. Moving from a small number of trusted suppliers<br />
to a potentially global market for providing security mechanisms will result<br />
in a wider range of available technical options, but may also require a different<br />
stance to be taken with respect to trust in sourcing components <strong>and</strong> provenance<br />
of software <strong>and</strong> hardware.<br />
D. Technical case studies: MOSA, GVA <strong>and</strong> LOSA<br />
This paper will now outline the MOD case studies which refined the principles<br />
for developing open systems which have been stated above.<br />
MOSA has delivered a technical architecture, an enterprise model <strong>and</strong> a migration<br />
strategy <strong>and</strong> has progressed issues such as the management of Intellectual<br />
Property Rights (IPR), designing for modular test <strong>and</strong> acceptance <strong>and</strong> designing<br />
for modular certification <strong>and</strong> accreditation.<br />
MOSA aimed to provide a st<strong>and</strong>ardized structure for flexibly assembling<br />
combat system components to provide an overall combat capability using looselycoupled,<br />
non-proprietary, published interfaces. The fundamental characteristic<br />
of MOSA is that combat systems will be constructed of replaceable modules i.e.<br />
components will be upgradeable <strong>and</strong> interchangeable.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
45<br />
The specific objectives of the MOSA program were to:<br />
• Reduce whole life cost as current combat systems <strong>and</strong> delivery <strong>and</strong> sustainment<br />
approaches are increasingly unaffordable;<br />
• Deliver combat agility to provide new capabilities <strong>and</strong> counter new threats<br />
<strong>and</strong> to do so rapidly;<br />
• Deliver acquisition agility to exploit a broader industrial supply base, avoid<br />
vendor lock-in <strong>and</strong> field new technologies as they become available;<br />
• Sustain capability through platform life, including countering technological<br />
obsolescence <strong>and</strong> enabling platform life extension;<br />
• Exploit the opportunities offered by COTS, modularity <strong>and</strong> openness;<br />
• Foster a common underst<strong>and</strong>ing <strong>and</strong> industrial openness to the benefit<br />
of the MOD in performing its mission <strong>and</strong> also to benefit industry.<br />
The MOSA architecture was developed by a consortium of seven industry<br />
companies which are major UK combat system experts. The architecting process,<br />
illustrated in Fig. 1, is generic <strong>and</strong> can be applied to systems in other domains with different<br />
functional <strong>and</strong> non-functional requirements. It describes the process that yielded<br />
a complete architectural description of the functionality of multiple applications,<br />
software infrastructure <strong>and</strong> hardware infrastructure, using suitable open st<strong>and</strong>ards.<br />
From the functional decomposition of the system, the key interfaces were defined.<br />
Figure 1. MOSA Architecting Process<br />
MOSA has provided the following benefits to the MOD:<br />
• Improved maintenance through component <strong>and</strong> interface commonality;<br />
• Cheaper <strong>and</strong> quicker updates <strong>and</strong> technology insertion through modular<br />
decoupled design;<br />
• Increased re-use of software, potential for reduced duplication;
46 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• Increased operational availability through greater flexibility in repair <strong>and</strong><br />
upgrade;<br />
• Reduced reliance on specialized test equipment;<br />
• Reduced risk of obsolescence through design (technology can be refreshed<br />
more quickly).<br />
From a project-level perspective, MOSA was successful because:<br />
• The work was performed as a true joint MOD/Industry effort, with collaboration<br />
central to the consortium dynamic. There was no division between<br />
the MOD <strong>and</strong> Industry <strong>and</strong> this allowed free <strong>and</strong> open discussions <strong>and</strong> all<br />
participants to share successes equally;<br />
• In assembling the consortium, great effort was taken to ensure that individual<br />
participants were the best people from each organization. The participants<br />
had to have the best skills, experiences <strong>and</strong> influence available, over <strong>and</strong><br />
above a keenness to develop such skills, to ensure that no single participant<br />
could dominate;<br />
• The use of consortium-wide peer review gave everybody a voice. Supported<br />
by a MOD-led governance regime to kick in where any difference<br />
or disagreement occurred, the approach reinforced buy-in to all aspects<br />
of the architecture.<br />
The Generic Vehicle Architecture (GVA) <strong>and</strong> Defence St<strong>and</strong>ard (Def Stan)<br />
23-09 [13] provides for the development of all future vehicles using a single, logically<br />
connected, cohesive <strong>and</strong> coherent architecture while enabling field comm<strong>and</strong> to<br />
derive the best logistically from its military assets. It also sets the stage for a more<br />
competitive procurement process for future vehicle development that has been<br />
validated by industry.<br />
LOSA provides an architecture in which common features for GVA, <strong>and</strong><br />
on-going development for similar st<strong>and</strong>ards for Generic Soldier Architectures<br />
(GSA) <strong>and</strong> Generic Base Architectures (GBA) can enable better interoperability<br />
<strong>and</strong> coherency between the three platform types within the operational context<br />
of the Multi-Role Brigade.<br />
Chief of Materiel L<strong>and</strong> (COM(L)) has chosen an architectural approach<br />
based on the LOSA architecture to manage <strong>and</strong> govern the acquisition <strong>and</strong> support<br />
activities of Defense Equipment <strong>and</strong> Support (DE&S). The L<strong>and</strong> force capability<br />
provided to Brigades, Battle groups <strong>and</strong> Companies will be governed by the MOSA<br />
principles. Delivery of coherent force elements is based on the integration/interoperability<br />
of systems within a deployed brigade, which places the brigade as a system<br />
of systems, <strong>and</strong> places military doctrine at its foundation.<br />
V. Future MOD direction<br />
Current UK tactical communications systems provide voice <strong>and</strong> data capability<br />
on the battlefield. The main element of this system is the Bowman <strong>and</strong> Common
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
47<br />
Battlefield Application Toolset (ComBAT), Infrastructure & Platform (BCIP), but<br />
also includes LE TacCIS.<br />
A Transformation Program has been established to bring a more coherent<br />
approach to supporting LE TacCIS <strong>and</strong> to do things better <strong>and</strong> more cost effectively.<br />
This will be implemented under the Change <strong>and</strong> Successor programs but<br />
in the interim continuing support <strong>and</strong> sustainment is needed for the presently inservice<br />
BCIP <strong>and</strong> other LE TacCIS equipment. This Legacy Sustainment Program<br />
will need to cover the period from April 2013 to March 2016 <strong>and</strong> it is proposed to<br />
use this program to start the process of improving the way in which support <strong>and</strong><br />
sustainment is undertaken.<br />
BOWMAN <strong>and</strong> its successor will benefit from the introduction of openness,<br />
but first a way must be found to remove or lessen the proprietary nature of BOW-<br />
MAN as it is today. To progress to open systems, the MOD will need an effective<br />
engagement strategy with industry, particularly the current manufacturer.<br />
The MOD must work collaboratively with the current supplier to move to open<br />
st<strong>and</strong>ards, engaging the supplier by articulating the potential risk to their future<br />
business of preserving a system which the MOD cannot afford to maintain or<br />
improve, <strong>and</strong> by the potential revenue sources of fulfilling a systems integrator<br />
role <strong>and</strong> the potential for new markets. The benefits of openness should not be<br />
exclusive to the MOD if industry is to follow. Industry manufacturers may not<br />
wish to participate in transitioning to open st<strong>and</strong>ards whereas the MOD may not<br />
be able to support the future cost. Future requirements may need to be defined<br />
for the future LE TacCIS Successor program that cannot be met without making<br />
the system more open.<br />
The transition to openness requires an effective Governance Framework for<br />
Defense encapsulating Maritime, L<strong>and</strong> <strong>and</strong> Air environments. This framework must<br />
have the authority, directions <strong>and</strong> guidance functions, including financial control,<br />
<strong>and</strong> be compliant with strategic doctrine. The LOSA project is effectively a governance<br />
framework which provides guidance, direction <strong>and</strong> policy, <strong>and</strong> it can be<br />
use to arbitrate between architectural proponents. The MOD should make use<br />
of previous investment by talking to both the MOSA consortium <strong>and</strong> the LOSA<br />
owner in COM(L) for their guidance.<br />
Acknowledgment<br />
The authors would like to acknowledge Dr Stuart Farquhar <strong>and</strong> Dr Chris Williams<br />
for providing in-depth expertise in MOD radio networking procurement,<br />
<strong>and</strong> Prof. Bob Madahar for his numerous constructive review comments.
48 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
References<br />
[1] Ministry of Defence, “Defence Industrial Strategy”, Cm 6697, 2005.<br />
[2] Ministry of Defence, “Defence <strong>Technology</strong> Strategy”, 2006.<br />
[3] Ministry of Defence, “Innovation Strategy”, 2007.<br />
[4] Ministry of Defence, “National Security Through <strong>Technology</strong>: <strong>Technology</strong> Equipment<br />
<strong>and</strong> Support for UK Defence <strong>and</strong> Security”, White Paper Cm8278, 2012.<br />
[5] Ministry of Defence (2011) The Systems of Systems Approach web page. [Online].<br />
Available: http://www.aof.dii.r.mil.uk/aofcontent/tactical/sosa/content/sosa_rulebook.<br />
htm<br />
[6] Loughborough University (2011) SOSA Community Forum web page. [Online].<br />
Available: http://hdl.h<strong>and</strong>le.net/2134/8828<br />
[7] Lt Col A. Coulston, “LE TacCIS Strategy – Industry Release 1.0”, 2011, internal.<br />
[8] Ministry of Defence, “The Strategy for Defence”, DMC 00307 11/12, 2011.<br />
[9] National Audit Office, “Delivering digital tactical communications through<br />
the Bowman CIP programme”, HC 1050 Session 2005-2006, ISBN: 0102942307.<br />
[10] IEEE (2012) St<strong>and</strong>ards association 802.11 st<strong>and</strong>ard web page. [Online]. Available.<br />
http://st<strong>and</strong>ards.ieee.org/findstds/st<strong>and</strong>ard/802.11-2012.html<br />
[11] 3GPP (2012) UMTS specification web page. [Online]. Available. http://www.3gpp.<br />
org/article/umts<br />
[12] NATO (2012) NATO STANAG 5516 web page. [Online]. Available: http://engineers.<br />
ihs.com/document/abstract/PBQYIBAAAAAAAAAA<br />
[13] Ministry of Defence Defence St<strong>and</strong>ard 23-09, “Generic Vehicle Architecture (GVA)”,<br />
Issue 1, 2010.
The Concept of Integration Tool for the Civil<br />
<strong>and</strong> <strong>Military</strong> Service Cooperation During<br />
Emergency Response Operations<br />
Łukasz Apiecionek, Tomasz Kosowski, Henryk Kruszyński,<br />
Marek Piotrowski, Robert Palka<br />
Research & Development Department,<br />
TELDAT Sp. J., Bydgoszcz, Pol<strong>and</strong>,<br />
{lapiecionek, tkosowski, hkruszynski, mpiotrowski, rpalka}@teldat.com.pl<br />
Abstract: Civil-<strong>Military</strong> Co-operation is tool which allows achieving common aims by forces designated<br />
originally for different purposes. The most common example of such cooperation are emergency<br />
response operations, conducted, for example, during natural disasters. Despite the obvious need for<br />
the right tool which could support simultaneously soldiers <strong>and</strong> civilians, one can see that usually,<br />
in Pol<strong>and</strong>, means of communications <strong>and</strong> methods of operations for sharing the information are<br />
created ad hoc, according to situation <strong>and</strong> given resources. In given examples of emergency response<br />
plans one can find description of using only cell <strong>and</strong> stationary phones for communication [1].<br />
Instant collection <strong>and</strong> dissemination of information, efficient collaboration <strong>and</strong> common emergency<br />
situational awareness are factors needed in order to secure effective cooperation with both military<br />
<strong>and</strong> civilian organizations. This can be achieved only by study of NATO doctrines <strong>and</strong> concepts,<br />
such as NNEC [2-4], EU NEC [5] or CIMIC [6], <strong>and</strong> newest technology capabilities, regarding both<br />
hardware <strong>and</strong> software.<br />
Based on that study, a specially designed information system can be introduced that is scalable, flexible,<br />
interoperable <strong>and</strong> extendable. Crisis Management System Jasmine is a solution for army <strong>and</strong><br />
other civilian forces requirements, which highly increases awareness <strong>and</strong> speed of decision process.<br />
Described in the article solution can be used as a support for different operations managed <strong>and</strong><br />
executed both on the field <strong>and</strong> stationary posts.<br />
Keywords: Comm<strong>and</strong> <strong>and</strong> Control <strong>Information</strong> Systems, NNEC, CIMIC, EXPEDITIONARY OPE-<br />
RATIONS, Web Portal, Web Services, operational level, emergency response operations<br />
I. Introduction<br />
Civil-<strong>Military</strong> Co-operation is tool which allows achieving common aims by<br />
forces designated originally for different purposes. The most common example<br />
of such cooperation are emergency response operations, conducted, for example,<br />
during natural disasters. Despite the obvious need for the right tool which could<br />
support simultaneously soldiers <strong>and</strong> civilians, one can see that usually, in Pol<strong>and</strong>,
50 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
ways of communications <strong>and</strong> methods of operations for sharing the information<br />
are created ad hoc, according to situation <strong>and</strong> given resources. In given examples<br />
of emergency response plans one can find description of using only cell <strong>and</strong><br />
stationary phones for communication [1]. Instant collection <strong>and</strong> dissemination<br />
of information, efficient collaboration <strong>and</strong> common emergency situational awareness<br />
are factors needed in order to secure effective cooperation with both military<br />
<strong>and</strong> civilian organizations. This can be achieved only by study of NATO doctrines<br />
<strong>and</strong> concepts, such as NNEC [2] [3] [4], EU NEC [5] or CIMIC [6], <strong>and</strong> newest<br />
technology capabilities, regarding both hardware <strong>and</strong> software.<br />
II. Collaboration of different types of crisis management units<br />
during natural disasters in Pol<strong>and</strong> [7-8]<br />
Collaboration of different types of response forces during natural disasters,<br />
combined <strong>and</strong> joint engagements is regulated as crisis management, which is understood<br />
primarily as an activity of public administration:<br />
• Crisis prevention.<br />
• Preparing to take control over crisis situations through planned actions.<br />
• Responding in the event of an emergency.<br />
• Removing the effects of crisis.<br />
• Reconstruction of resources <strong>and</strong> critical infrastructure.<br />
• Cooperation during joined <strong>and</strong> combined engagements.<br />
In Pol<strong>and</strong>, there are several administrative levels, which must share information:<br />
country, state, county, municipality. Their tasks are:<br />
• Preparation of crisis management or combined, joint engagements plans.<br />
• Preparation of structures used in emergency or other situations.<br />
• Preparation <strong>and</strong> maintenance of teams necessary to perform tasks included<br />
in the plan for management.<br />
• Maintaining the databases needed in the process of management.<br />
• Preparation of solutions in the case of the destruction or disruption of critical<br />
infrastructure.<br />
• Ensuring consistency between the management plans <strong>and</strong> other plans<br />
drawn up in this regard by the competent public authorities.<br />
• Evaluation <strong>and</strong> forecasting of threats (real <strong>and</strong> potential).<br />
• Surveillance, monitoring <strong>and</strong> decision function both during performing<br />
missions <strong>and</strong> planning.<br />
On each of the levels of information, management process can be proceed<br />
in two main situations:<br />
• to monitor the situation when no events of a crisis or other emergency<br />
happen,<br />
• to response in case of any emergency.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
51<br />
During an emergency situation there is a need to generate reports at a specified<br />
interval. In these reports two groups of information can be distinguished: about<br />
important events <strong>and</strong> actions of special units <strong>and</strong> about rescue – for example fire<br />
fighting ones. Frequently they are statistical in nature, however, in some cases,<br />
they may contain certain elements in more details. Reports should be accessible<br />
in accordance with established security policies for all units working together<br />
within the different departments: military <strong>and</strong> police, fire, medical services, <strong>and</strong><br />
organized to support the civilians.<br />
Rescue teams are a separate core of emergency response, their activities are<br />
focused on actions in the field, where on the basis of given orders they are planning<br />
their tasks. They also need to collect all kind of information which is forwarded<br />
according to data flow structure.<br />
III. Concept of realization<br />
Described ways of collaboration impose directed implementation of solution.<br />
Many people <strong>and</strong> organisations need to collaborate at different levels <strong>and</strong> share<br />
common information.<br />
Implementation should be flexible <strong>and</strong> have clear, consistent architecture<br />
from business point of view. Furthermore it should be capable <strong>and</strong> ready for future<br />
expansion. It should contain independent services which are responsible for<br />
different topics <strong>and</strong> areas in defined communities of interests. Shared information<br />
should be exchanged with established <strong>and</strong> acceptable workflow.<br />
Moreover system should be able to connect to multiple sources <strong>and</strong> gain various<br />
data from different interfaces. It is not so important from civilian point of view,<br />
however, this feature is a must for military troops <strong>and</strong> their need of cooperation<br />
with forces from other nations, using other systems of C3IS <strong>and</strong> derivative class.<br />
Besides flexible data management, software users will need strong social collaboration.<br />
All these conditions implicate usage of Service Oriented Architecture<br />
in the design <strong>and</strong> production stage.<br />
Service Oriented Architecture is concept promoted by NATO Network<br />
Enabled Capability [2] (Fig. 1) <strong>and</strong> EU Network Enabled Capability [5] pointed<br />
as right one for military comm<strong>and</strong> systems. Although crisis management solution<br />
can not be defined as strictly military, however mentioned principles are appropriate<br />
in all information management systems. Main assumption of NNEC <strong>and</strong> EU NEC<br />
is modularity of business services for greater flexibility. Software systems are built<br />
from components with defined interfaces, which interior is undefined from business<br />
point of view. Every component represents service with defined scope of action.<br />
Furthermore, it is assumed that already existing <strong>and</strong> fielded software components<br />
of JASMINE System [9-10] (Fig. 2) will be used. They will be implemented<br />
on both the server, individual workstation <strong>and</strong> other, dedicated devices sides to<br />
extend capabilities <strong>and</strong> functionalities of the Web Portal <strong>and</strong> devices.
52 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 1. The flow of the information in the NNEC model [2]<br />
Figure 2. JASMINE System<br />
The system contains many nodes <strong>and</strong> each of them can be dedicated to different<br />
tasks. That means, that both hardware <strong>and</strong> software should be carefully selected<br />
to complement each other. It is possible to identify, in general (Fig. 3):
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
53<br />
• nodes of groups of people acting directly with consequences of disasters<br />
or designed plans,<br />
• nodes which are responsible for planning <strong>and</strong> giving the orders to nodes<br />
lower in hierarchy.<br />
Figure 3. Nodes structure in crisis management<br />
Because the most important thing in this type of information management<br />
systems is fast <strong>and</strong> reliable data delivery, proper communication medium should<br />
be selected. Such medium has to assure good quality <strong>and</strong>, usually, b<strong>and</strong>width.<br />
Among all kinds of radio means there should be pointed out that because of commonness,<br />
great coverage <strong>and</strong> possibility to easily add mobile ad hoc points, good<br />
option are cellular networks (for example Code Division Multiple Access – CDMA<br />
technology [11]).<br />
Groups of people should be able to use mobile hardware designed to resist difficult<br />
weather conditions <strong>and</strong> physical damage in spite of incidental falls. Hardware<br />
should be equipped with support for preselected communication medium. That<br />
is why in Crisis Management JASMINE System there exist two types of mobile terminals,<br />
equipped with CDMA modems: T1000 <strong>and</strong> T4 (which is the smaller one).<br />
Furthermore, some users will be able to use dedicated device called Rescuer TAG,<br />
which is capable to send messages, about position of different accidents, to the system.<br />
Technical specification of dedicated hardware equipment (Fig. 4) includes many<br />
features. The most important ones are low weight, small LCD, touchable screens,
54 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
CDMA, WIFI <strong>and</strong> Bluetooth support. They contain built in camera or two, depending<br />
on version. They have the possibility to work long on battery <strong>and</strong> be able to<br />
work under heavy conditions. They were also tested for falling from 1 m height<br />
<strong>and</strong> they are able to withst<strong>and</strong> it (even when they are switched on).<br />
Figure 4. Tactical Terminals: T4, T1000 <strong>and</strong> Rescuer Tag<br />
Stationary nodes on different administrative levels are equipped with dedicated,<br />
ruggedized servers. Servers should be also built in mobile manner.<br />
Mobile terminals require additional equipment – designed for touchable<br />
sceen applications. Software <strong>and</strong> servers should provide information to other<br />
nodes, with some kind of SOA interface, it assures that functionalities can be<br />
quickly exp<strong>and</strong>ed. The most compatible, with this idea, solution, seems to be<br />
based on WebServices.<br />
The more granular the components (the more pieces), the more they can be<br />
reused. When functions in a system are made into st<strong>and</strong>-alone services that can be<br />
accessed separately, they are beneficial to several parties. This architecture also<br />
provides a way for consumers of services, such as web-based applications, which<br />
are the most common <strong>and</strong> known example of using SOA, to be aware of available<br />
SOA-based services.<br />
The best solution for desired needs is a Web based server that can be used to<br />
customize portals <strong>and</strong> content management sites for collaboration. It should be<br />
versatile in number of features:<br />
• management of content: capabilities for managing various files types,<br />
audio, video <strong>and</strong> images, support for terms <strong>and</strong> keywords, content organizer,<br />
ability to define content types <strong>and</strong> re-use them across site,
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
55<br />
• application integration: possibility to use services like Web 2.0 [12] blogs<br />
<strong>and</strong> wikis,<br />
• social computing: like blogs <strong>and</strong> wikis, rich member profiles, tagging <strong>and</strong><br />
comments, activity feeds, people search, workspaces,<br />
• business intelligence: possibility to use scorecards, dashboards <strong>and</strong> selfservice<br />
analysis functionality.<br />
Users use the workstations that run Web browsers <strong>and</strong> additional software<br />
components that allow them to take advantage of the functionality offered by<br />
the Crisis Management JASMINE System.<br />
The same analysis has been performed for software dedicated to mobile terminals.<br />
The best choice leads to using JASMINE software components to create<br />
applications designed for common database <strong>and</strong> communication infrastructure.<br />
Web Portal consists of different components responsible for data presentation,<br />
database storage, services that automate user work as well as other components<br />
of the system.<br />
Crisis Management System Web Portal JASMINE is a platform designed for<br />
collaboration <strong>and</strong> working with groups of files which allows concurrent cooperation<br />
on documents <strong>and</strong> their exchange between different organisational units or<br />
users. The system includes a set of services that leverages the power of the engine<br />
<strong>and</strong> integrates them with the JASMINE system components used in software part<br />
of Crisis Management System. Thus creates a platform on which different units<br />
of various types can work regardless of number of functional groups.<br />
On workstations, software components have an ability of connecting directly<br />
to system native data sources <strong>and</strong> provide user with functions capable of data presentation<br />
<strong>and</strong> manipulation. Furthermore, in the context of other data sources on<br />
the server, native ways of replicating data between other comm<strong>and</strong> posts are used.<br />
In addition, software components, which work directly on files allow users<br />
to manipulate them on workstations, while the outcome of their work is stored on<br />
the server as files or in database.<br />
IV. System functionalities<br />
Crisis Management System design has been based on previous experiences<br />
with very well tested <strong>and</strong> flexible JASMINE System. It uses existing components<br />
regarding infrastructure of communication <strong>and</strong> database, what means that it is<br />
able to exchange data over different of military protocols.<br />
Crisis Management System Web Portal JASMINE is a portal with many<br />
subpages connecting with various services. This is the basement for work of all<br />
forces involved in emergency situations or combined engagements. We can distinguish<br />
user modules specialized in user-friendly service of organizational <strong>and</strong><br />
individual cells – which are part of the functional structure of crisis management<br />
network.
56 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
System supports different dedicated modules responsible for wide area of interests.<br />
Each module was designed to fulfil needs of unit dealing with one kind of tasks:<br />
• Video Streaming Web Part (Fig. 5, part 1): possibility to receive video<br />
streams from rescuers or unmanned aerial vehicles,<br />
• Web Operational Client (Fig. 5, part 2): supports the process of coordinating<br />
the work of all of the staff regarding operational data, plans of emergencies,<br />
provision of maps <strong>and</strong> other topographic documents, the daily operations,<br />
situation map,<br />
• Mail Web Part (Fig. 5, part 3): possibility to edit, receive <strong>and</strong> send mails<br />
to predefined contacts from Contacts Manager, ability to create multiple<br />
inboxes <strong>and</strong> automatic filters for incoming messages,<br />
• Contacts Manager Web Part (Fig. 5, part 4): possibility to manage all<br />
contacts, used in sending <strong>and</strong> receiving messages, documents <strong>and</strong> files,<br />
contacts can represent both individuals <strong>and</strong> logical units,<br />
• Calendar Web Part (Fig. 5, part 5): possibility to create <strong>and</strong> manage tasks<br />
scheduled for time <strong>and</strong> date <strong>and</strong> assigned to individuals <strong>and</strong> units,<br />
• Collaboration Web Part (Fig. 5, part 6): supports creating, editing <strong>and</strong><br />
managing documents of all kinds, with the possibility to collaborate within<br />
group of individuals <strong>and</strong> units, ability to use templates <strong>and</strong> generate<br />
reports in many forms,<br />
• Documents View Web Part (Fig. 5, part 7): supports viewing <strong>and</strong> navigating<br />
documents of all Microsoft Office kinds,<br />
• File Explorer (Fig. 5, part 8): ability to manage files within Web Portal,<br />
sending to recipients,<br />
• Message Communication Web Part: possibility to send <strong>and</strong> receive text<br />
messages using own protocol <strong>and</strong> JCHAT, XMPP,<br />
• Documents Exchange Web Part: ability to send all documents, prepared<br />
in other Web Parts, with the help of different protocols.<br />
All modules should allow to work with the formalized documents that are created<br />
from predefined templates. Each module will have a typical set of the documents<br />
templates characteristic for its job. It enables to work through a web browser with<br />
the following types of MS Office documents: MS Word, MS Excel, MS PowerPoint.<br />
A. <strong>Information</strong> sharing <strong>and</strong> dissemination<br />
Portal functionality, beyond the storage of files, provides an implementation<br />
of the documents relevant access policy, archiving, sharing management information,<br />
business processes <strong>and</strong> publishing content. Portal fully integrates with<br />
the operating system. Documents can be easily managed from a file manager built<br />
into the operating system (Explorer) or from File Explorer Web Part. Documents<br />
in the portal can also be viewed directly from the operating system.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
57<br />
Crisis Management System Web Portal JASMINE allows coordination<br />
of information between multiple types of databases through integration with<br />
JASMINE System.<br />
Figure 5. Web Portal JASMINE – main page<br />
B. Communication among users<br />
Crisis Management System allows communication between users in different<br />
levels, specialties <strong>and</strong> affiliation. Methods of communication are different for<br />
various purposes <strong>and</strong> depend on dem<strong>and</strong>. They include:<br />
• Instant text messaging – communication via text messaging available via<br />
the Internet or via a web browser application (including JCHAT, XMPP<br />
protocols).<br />
• E-mail – communication using e-mail.<br />
• Video – communication using video image coupled with the transmission<br />
of voice (videoconference). As for voice chat would be possible with one<br />
or more people.<br />
• Forums – communication using forums or newsgroups.
58 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
V. Practical implementation<br />
In current paragraph there will be described imaginary example of Crisis Management<br />
System practical implementation (Fig. 6). It has to be assumed that exist<br />
few nodes in system. We have stationary nodes with dedicated Crisis Management<br />
System Web Portal Jasmine servers, each dedicated for different administrative level:<br />
• country one, where all main decisions <strong>and</strong> general planning takes place,<br />
• county node, where all information from given area is collected <strong>and</strong> analyzed,<br />
• the same goes for level of district <strong>and</strong> municipality, but areas of responsibility<br />
are smaller,<br />
• nodes located in military forces comm<strong>and</strong> post,<br />
• nodes located in fire fighters comm<strong>and</strong> post.<br />
Figure 6. Example – situation presenting cooperation during crisis management
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
59<br />
Furthermore there are many terminals T4 <strong>and</strong> T1000, h<strong>and</strong>ed out to people<br />
divided into groups. Each group leader receives T4, the bigger version of mobile<br />
equipment, which can be mounted in vehicle. Others receive either smaller version<br />
– T1000 or Rescuer Tag. The first phase relies on plans preparations. Country<br />
node, during this process, sends messages to nodes located lower in hierarchy with<br />
orders to fulfil local plans for crisis situations. Nodes in local areas receive message<br />
<strong>and</strong>, according to templates, start to fill in their smaller versions of bigger plan.<br />
Next they send drafts to country node, which combines documents altogether.<br />
Stage two starts when flood begins. Troops data is being sent to dangerous<br />
areas, where they collect information <strong>and</strong> insert on map operational symbols<br />
representing localization of different accidents. Operational crisis view is shared<br />
between all nodes <strong>and</strong> troops. Furthermore they send each other (between groups)<br />
text messages which describe current situation <strong>and</strong> status. These messages are<br />
being used by local areas county <strong>and</strong> other nodes to generate reports which are<br />
next being forwarded to country node. Country node displays current view <strong>and</strong><br />
combines it with all text information, gathered from bigger surface. It decides,<br />
according to previously created plans, that it is time to ask for help additional<br />
forces <strong>and</strong> sends email to fire fighting troops <strong>and</strong> request documents to police.<br />
Special forces are coming to designated areas <strong>and</strong> decide to call emergency –<br />
flying vehicle to evacuate most injured civilians. Aircraft arrives, which can be<br />
seen on the map, takes survivors <strong>and</strong>, according to route drawn on map, returns<br />
to base via safest path.<br />
VI. Summary<br />
For many years till now, NATO is constantly developing many doctrines<br />
<strong>and</strong> concepts that describe effective collaboration within information organisations<br />
<strong>and</strong> with the outside world. It is very important that all rules are taken<br />
into account during planning <strong>and</strong> execution phase of all tasks resulting from<br />
civil-military cooperation.<br />
Considering all aspects presented in the article, described system, based on<br />
components of JASMINE, altogether with dedicated hardware <strong>and</strong> Crisis Management<br />
System Web Portal Jasmine fulfils all needs regarding efficiency, information<br />
quality <strong>and</strong> collaboration. Furthermore, using proven <strong>and</strong> common communication<br />
technology, it assures its reliability. Everything described as part of Crisis Management<br />
System proves that technologies such as Service Oriented Architecture, Web<br />
Services, Web Portals are crucial to ensure system scalability, flexibility, interoperability<br />
<strong>and</strong> future development.<br />
Crisis Management System JASMINE is dedicated information system that<br />
meets all essential requirements of every level nodes dealing with natural disasters.<br />
It is a right tool for right people to secure collaboration of unit’s sections <strong>and</strong> groups<br />
as well as cooperation within civilian, military <strong>and</strong> other, special organizations.
60 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
References<br />
[1] “Miejski plan reagowania kryzysowego. Plan główny. Załącznik nr 6.4”, Ośrodek<br />
koordynacyjno-informacyjny ochrony przeciwpowodziowej. Regionalny<br />
zarząd gospodarki wodnej w Krakowie. http://oki.krakow.rzgw.gov.pl/<br />
Content%5CEdukacja%5Cpdf_ogr_skutkow%5CLPSOPiP_miasto_Krakow%5C6.<br />
Zalaczniki%5C6.4_Miejski_plan_reagowania_kryzysowego.pdf<br />
[2] ISSC NATO Open Systems Working Group, Allied Data Publication 34 (ADatP-34)<br />
NATO.<br />
[3] Maj. Yavuz Fildis, J. Troy Turner, NATO Network Enabled Capability (NNEC)<br />
Data Strategy, 2005.<br />
[4] P. Copel<strong>and</strong>, M. Winkler, Technical note 1197 Analysis of Nato <strong>Communications</strong><br />
st<strong>and</strong>ards for the NNEC, 2006.<br />
[5] EXTRACT FROM THE NEC VISION EU NEC VISION REPORT, www.eda.europa.<br />
eu/WebUtils/downloadfile.aspxFileID=1152<br />
[6] AJP-9, NATO CIVIL-MILITARY CO-OPERATION (CIMIC) DOCTRINE, 2003.<br />
[7] „Ustawa z dnia 26 kwietnia 2007 r. o zarządzaniu kryzysowym” (Dz.U. z 2007 r. nr 89,<br />
poz. 590, z późn. zm.), 2007.<br />
[8] „Rozporządzenie Ministra Spraw Wewnętrznych i Administracji z dnia 31 lipca<br />
2009 r. w sprawie organizacji i funkcjonowania centrów powiadamiania ratunkowego<br />
i wojewódzkich centrów powiadamiania ratunkowego” (Dz.U. 2009 nr 130<br />
poz. 1073), 2009.<br />
[9] W. Zawadzki, „JASMIN wkracza do armii”, Nowa Technika Wojskowa nr 5/2007.<br />
[10] H. Kruszynski, „Sieciocentryczna platforma teleinformatyczna”, Bellona, Ministerstwo<br />
Obrony Narodowej, nr 2/2011.<br />
[11] J. Bannister, P. Mather, S. Coope, „Convergence Technologies for 3G Networks:<br />
Ip, Umts, Egprs <strong>and</strong> Atm”, 2004.<br />
[12] T. O’Reilly, „What Is Web 2.0. Design Patterns <strong>and</strong> Business Models for the Next<br />
Generation of Software”, http://oreilly.com/web2/archive/what-is-web-20.html, 2005.
CFBLNet: A Coalition Capability Enabling Network<br />
Edgar Harmsen, Syvert Maesel, Fred Jordan, Rob Goode,<br />
Einar Thorsen, Jan-Willem Smaal<br />
Cyber Defence <strong>and</strong> Assured <strong>Information</strong> Assurance Sharing,<br />
NII Communication Infrastructure Services, NATO <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Agency,<br />
The Hague, The Hague, the Netherl<strong>and</strong>s,<br />
{Edgar.Harmsen, Syvert.Maesel, Frederic.Jordan, Rob.Goode,<br />
Einar.Thorsen, Jan-Willem.Smaal}@ncia.nato.int<br />
Abstract: CFBLNet federates the facilities of mission partners to support distributed test <strong>and</strong> interoperability<br />
assessment of mission systems in a multinational environment prior to operational<br />
deployment. Many significant Initiatives have been supported <strong>and</strong> contributed to coalition success,<br />
notably ISAF training missions. CFBLNet membership is open to all NATO Nations <strong>and</strong> mission<br />
partners of which five are presently members <strong>and</strong> is growing further.<br />
Keywords: CFBLNet; C4ISR; RDT&A; federation; coalition, cyber defence; testing; exercise; training<br />
I. Introduction<br />
This paper introduces the operational <strong>and</strong> cost saving benefits that nations<br />
can rapidly achieve by using CFBLNet for the preparation <strong>and</strong> transition to operation<br />
of their C4ISR capabilities. This paper provides essential information for<br />
decision makers at National MODs who are responsible for preparing Comm<strong>and</strong>,<br />
Control, <strong>Communications</strong>, Computers, Intelligence, Surveillance <strong>and</strong> Reconnaissance<br />
(C4ISR) for multinational operations, addressing both ‘train as you fight’ <strong>and</strong><br />
‘coalition interoperability’ validation. The CFBLNet supports the entire spectrum<br />
of ‘Smart Defence’ <strong>and</strong> is a potential model for future federated mission networks.<br />
The capability is available to the majority of the International Security Assistance<br />
Force (ISAF) mission partners today <strong>and</strong> in future accessible to new members. It reduces<br />
significantly the cost to each of the national participants through the mechanism<br />
of one capability being re-used by many partners.<br />
II. Background<br />
CFBLNet was established in 2001 <strong>and</strong> is currently open to 34 Mission partners.<br />
These mission partners are: all 28 NATO nations <strong>and</strong> Austria, Australia, Finl<strong>and</strong>,<br />
New Zeal<strong>and</strong>, Sweden <strong>and</strong> the NATO organisations. Operating as a true federa-
62 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
tion; no single nation owns the CFBLNet. Each member is responsible provisioning<br />
<strong>and</strong> operation for its own sites <strong>and</strong> systems. CFBLNet grew out of the need for<br />
persistent joint multinational <strong>and</strong> cost effective infrastructure for trial, assessment,<br />
testing, exercise <strong>and</strong> training. The capability allows for various national collaborations;<br />
e.g. CCEB, NATO, bilateral <strong>and</strong> multilateral. CFBLNet is accessible through<br />
sponsorship to additional partner nations, international organisations, industry<br />
<strong>and</strong> academia.<br />
Today CFBLNet recognizes over 234 sites globally which are participating<br />
in multiple initiatives throughout the year.<br />
CFBLNet operates under the CFBLNet charter, which establishes a common<br />
framework consisting of well-defined processes, security procedures <strong>and</strong> agreed<br />
technical st<strong>and</strong>ards.<br />
III. Current <strong>and</strong> potential operational benefits<br />
Every nation recognizes how difficult it is to maintain the multiple potential<br />
overlapping bilateral <strong>and</strong> multinational collaboration infrastructures. With its common<br />
framework, CFBLNet works as a coordinated capability while maintaining<br />
the required national <strong>and</strong> multinational security assurance.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
63<br />
A. Advantages of the multinational federated infrastructure<br />
There are several benefits from the multinational federated infrastructure.<br />
Firstly, there is a potential for significant cost saving through sharing of resources<br />
for joint activities in the C4ISR domain. Secondly, the quality of products developed<br />
<strong>and</strong> tested in this way is improved by exposure <strong>and</strong> validation in a multinational<br />
environment. Thirdly, nations can reuse their national defence infrastructure<br />
assets to perform testing which faithfully replicates operational systems. Finally<br />
the infrastructure was designed from the start to support secure multinational<br />
interoperability testing; <strong>and</strong> is now tried <strong>and</strong> tested with a ten year track record.<br />
B. Recent examples of successes<br />
CFBLNet has hosted many significant <strong>and</strong> successful multinational C4ISR<br />
events, for example those listed in Table 1 below.<br />
USA<br />
NATO<br />
USA<br />
NATO<br />
USA<br />
USA<br />
GBR<br />
USA<br />
NATO<br />
AUS<br />
GBR<br />
USA<br />
Lead<br />
Initiative Acronym/Name<br />
CTE2 CIAV– Coalition Test <strong>and</strong> Evaluation Environment,<br />
Coalition Interoperability Assurance & Validation<br />
CWIX – Coalition Warrior Interoperability Exercise<br />
CWID – Coalition Warrior Interoperability Demonstration<br />
AMN Training Federation Unified Endeavor – series<br />
EC – Empire Challenge (ISR problem resolution for imagery exchange)<br />
GEMINI – GEoint Multi-domain ISR Net-Centric Initiatives as a permanent<br />
CCEB PKI – CCEB Public Key Infrastructure<br />
ACP 145 – Allied Comm<strong>and</strong> Protocol 145 (Coalition <strong>Military</strong> Messaging)<br />
NATO AITB – NATO ALT-DAMB Integrated Test Bed (Missile Defence of Europe)<br />
CDIFT – Coalition Distributed <strong>Information</strong> Fusion Test bed<br />
GPDN – Griffin Prototyping <strong>and</strong> Development Network<br />
CDEP – Coalition Distributed Engineering Plant (Radar in the loop)<br />
USA / NATO MAJIIC – Multi-Sensor Aerospace Ground Joint ISR Interoperability Test<br />
GBR<br />
GBR<br />
CAN<br />
GBR<br />
PTDLIOT – Partner Nation TDL Interoperability Test<br />
NTDLIOT – NATO Nation TDL Interoperability Test<br />
CF-JTEN – Canadian Forces JTEN (Teaming with other networks)<br />
GUST – Germany/United Kingdom Synthetic Training Trial<br />
NATO QoS & IPv6 – Quality of Service & Internet Protocol version 6<br />
USA<br />
SIGDM&S – Secure International Geographically Distributed Modeling & Sim
64 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In addition CFBLNet has supported several key pre-deployment war fighter<br />
programs <strong>and</strong> activities, including; multinational connectivity for air picture; messaging<br />
services; collaboration; multi-level security initiatives; homel<strong>and</strong> defence <strong>and</strong><br />
crisis response tools; ship-to-ship comm<strong>and</strong> <strong>and</strong> control; unmanned aerial vehicle<br />
imagery <strong>and</strong> situational awareness via enhanced tactical data link interoperability.<br />
Imagery <strong>and</strong> video systems proven on CFBLNet are currently supporting operations<br />
in Afghanistan <strong>and</strong> other missions. CFBLNet supported key second-tier war fighting<br />
objectives including on-line distributed war gaming <strong>and</strong> multinational training exercises.<br />
1) Some specific success stories include the following:<br />
CFBLNet supported the build, validation <strong>and</strong> verification of the NATO ALT-<br />
BMD program with high speed simulations. Its Integration Test Bed (ITB) is a high<br />
profile interoperability <strong>and</strong> requirements validation capability for the program <strong>and</strong><br />
for NATO. The effectiveness of the ITB has been further enhanced by the turnkey<br />
solutions <strong>and</strong> capability offered by the CFBLNet. The existence of a test network<br />
with connections already in place to the majority of ALTBMD national labs <strong>and</strong><br />
system sites facilitated the ITB connection to hardware-in-the-loop testing some<br />
9 months earlier than originally planned.<br />
Lessons-learned in live <strong>and</strong> unmanned Intelligence, Reconnaissance <strong>and</strong><br />
Surveillance aircraft <strong>and</strong> satellite surveillance in Empire Challenge were applied<br />
immediately in support of ISAF – Afghanistan.<br />
The multinational training federation initiative focuses on providing high<br />
quality mission training with high grade federated modeling <strong>and</strong> simulation capability<br />
to the warfighter. In addition, it functions as a pre-deployment <strong>and</strong> staging<br />
platform to shorten the time to operation in theatre.<br />
An example:<br />
The ISAF Coalition forces joining the Afghanistan Mission Network (AMN)<br />
required at short notice a persistent test <strong>and</strong> evaluation infrastructure to perform<br />
Coalition Interoperability Assurance <strong>and</strong> Validation (CIAV) activities with regards<br />
to the national system joining the AMN. For this reason CFBLNet was requested to<br />
create Coalition Test <strong>and</strong> Evaluation Environment (CTE2). The goal of the coalition<br />
test <strong>and</strong> evaluation environment is to establish a distributed test network to support<br />
interoperability testing between the coalition applications <strong>and</strong> data interchanges.<br />
CFBLNet worked closely with the CTE2 community lead representatives to<br />
build the persistent CFBLNet CTE2 secure network community within weeks. This<br />
was achieved through supporting the initiative team with their request <strong>and</strong> coordinated<br />
through the CFBLNet secretariat, national lead representatives, network,<br />
security <strong>and</strong> initiative workgroups. After approval for execution from the CFBLNet<br />
Executive Group the initiative was scheduled. Once the sites <strong>and</strong> initiative security<br />
accreditation was accepted by the MSAB the CTE2 network community became<br />
operational <strong>and</strong> was ready for the first scheduled tests <strong>and</strong> evaluations.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
65<br />
The participating coalition nations are able to bring accurate examples of their<br />
national mission CIS <strong>and</strong> C2 systems to the community thereby creating an accurate<br />
representation of the AMN for testing. From there the participants initiate interoperability<br />
testing with the tempo <strong>and</strong> priorities dictated by ISAF Joint Comm<strong>and</strong>,<br />
based on the Coalition Mission Thread <strong>and</strong> <strong>Information</strong> Exchange Requirement, all<br />
applications to be deployed on the operational network were assessed to identify capabilities<br />
<strong>and</strong> limitations, with associated operational impacts. The warfighter benefit<br />
achieved through the CTE2/CIAV initiative was that it allowed all applications to be<br />
tested on pre-deployment test network prior to operational deployment. All the interoperability<br />
issues <strong>and</strong> patches could be applied before they were introduced into<br />
the operational environment thus ensuring minimal impact to the operator. In addition<br />
<strong>and</strong> equally important to applications testing, the test environment is able to<br />
simulate the actual operational environment which consists of many nodes with<br />
multiple application configurations. At a fairly fast rate the CTE2/CIAV team fostered<br />
the incremental addition of appropriate service <strong>and</strong> coalition labs as enclave nodes<br />
to simulate the operational environment. The CTE2 community started initially<br />
with NATO, the UK <strong>and</strong> USA. Shortly afterwards Canada, Italy, France, Norway,<br />
Germany <strong>and</strong> the Netherl<strong>and</strong>s joined. By adding sites that have national extensions<br />
to the AMN, the CTE2 provides the Warfighter with an operationally realistic test<br />
<strong>and</strong> evaluation environment to mitigate risk on the AMN. Between March 2010<br />
<strong>and</strong> July 2012, during 9 periods of 90 days validation cycles, 28 systems were tested<br />
of which 26 are currently fielded in ISAF.
66 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
CFBLNet was selected since it mimics the operational federated infrastructure<br />
of the AMN. Application issues are able to be resolved without affecting ongoing<br />
operations <strong>and</strong> CFBLNet is able to create the required community within a short<br />
time frame due to its network range within the participating nations <strong>and</strong> NATO.<br />
The resulting network architecture will help to redefine the way the mission partners<br />
support their operational forces <strong>and</strong> help them to identify the suite of mission<br />
partner applications required to successfully plan <strong>and</strong> execute missions. In addition<br />
persistent testing saves time <strong>and</strong> money since the network architecture does not<br />
have to be built each time a capability is to be tested on the AMN.<br />
C. Potential areas of expansion<br />
• CFBLNet provides the infrastructure to the significant group of initiatives<br />
which support the current mission network. Logically the infrastructure<br />
can serve seamlessly for multinational common development, interoperability,<br />
evaluation, validation, support <strong>and</strong> training infrastructure for future Federated<br />
Mission Networks.<br />
• Additional efficiency can be established by using Distributed Networked Battle<br />
Labs (DNBL) services over CFBLNet.<br />
• Several bi-lateral cyber defence initiatives are using CFBLNet. There is a growing<br />
potential for multinational NATO <strong>and</strong> coalition cyber defence initiatives<br />
to interconnect <strong>and</strong> strengthen their capabilities by using the trusted infrastructure.<br />
These could be supported by future value -added distributed cyber<br />
defence services providers (e.g. CDSEV-DNBL)<br />
IV. Value<br />
The CFBLNet community works with customers to identify the various ways<br />
in which investment in CFBLNet can both reduce total cost of Research, Development,<br />
Trial <strong>and</strong> Assessment (RDT&A), Testing, Exercise <strong>and</strong> Training <strong>and</strong> provide<br />
added value:<br />
A. Reduced costs<br />
• Infrastructure cost shared across many nations/organizations.<br />
• High b<strong>and</strong>width available on scheduled basis, <strong>and</strong> can throttle back to replicate<br />
operational limits.<br />
• Flexible options for national infrastructure.<br />
• Side benefit of multinational secure video conferencing.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
67<br />
B. Rapid event st<strong>and</strong>-up<br />
• St<strong>and</strong>ing infrastructure <strong>and</strong> support teams in 13 countries <strong>and</strong> NATO, with<br />
gateway to national training networks.<br />
• Potential access to the most current mission partner C4ISR applications<br />
baseline with CTE2 / CIAV.<br />
• Well-documented workflows for new st<strong>and</strong>-up.<br />
• Successfully supporting major events for over 10 years.<br />
C. Initiative risk reduction<br />
• Close ties with Multi-National Security Accreditation Board (MSAB).<br />
• Well practised at working with multinational security procedures – nationally<br />
cross certified.<br />
• Reduced initiative risk for timely crypto, security <strong>and</strong> accreditation community.<br />
• Community of multinational C4ISR <strong>and</strong> IA contacts.<br />
• Single point of contact for each nation/organization.<br />
• Web presence for information sharing.<br />
The network effect is visible in the CFBLNet environment: As more nations join,<br />
the cost per participant goes down, <strong>and</strong> at the same time the potential benefits goes up.<br />
Several members recognize the good practices of the federated model internally<br />
<strong>and</strong> achieved significant savings <strong>and</strong> efficiencies within their national environments.<br />
As an additional win, by connecting to the CFBLNet it easily extends the national<br />
capacity for bi-lateral <strong>and</strong> multilateral initiatives.<br />
CFBLNet supports the elements of Smart Defence which will enhance the investment<br />
in the short, medium <strong>and</strong> long term, rather than the ad-hoc, general<br />
expensive <strong>and</strong> time consuming solutions that provide limited functionality.<br />
V. Vision strategy <strong>and</strong> organisational structure<br />
A. Working vision<br />
CFBLNet is the provider of infrastructure for international Comm<strong>and</strong>, Control,<br />
<strong>Communications</strong>, Computers, Intelligence, Surveillance <strong>and</strong> Reconnaissance<br />
(C4ISR) research, development, trials, assessment, testing, validation <strong>and</strong> training to<br />
explore, promote, <strong>and</strong> confirm coalition/combined capabilities for the participants.<br />
B. Strategy<br />
The strategy of the CFBLNet community to achieve the vision is to focus on<br />
user-value, <strong>and</strong> to reach out to new partners. A third str<strong>and</strong> of user-driven evolution<br />
has recently been added.
68 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
CFBLNet has matured over the last ten years into a well-managed stable <strong>and</strong><br />
cost-effective infrastructure with an efficient suite of fully documented working<br />
practices. As it reaches the next stage in its lifecycle, more energy can be devoted<br />
to customer-driven improvements <strong>and</strong> outreach to new mission partners. One<br />
easy performance metric for CFBLNet is the number of supported initiatives; but<br />
a more important aspect is user satisfaction with the services they use.<br />
Therefore CFBLNet is looking into applying additional measurements <strong>and</strong><br />
metrics to evaluate the user satisfaction with the aim of continuous improvement.<br />
C. Organisational structure<br />
The governance <strong>and</strong> management structure of CFBLNet have proven to be<br />
effective way to represent the interests of the mission partners. CFBLNet has a threeperson<br />
Senior Steering Group <strong>and</strong> a three-person Executive Group.<br />
The NATO representation to the CFBLNet management team is provided<br />
by the NCIA. The NCIA General Manager is the NATO Senior Steering Group<br />
representative for CFBLNet through endorsement of NATO Secretary General.<br />
NCIA also provides the NATO representation at the Executive level. Finally NCIA<br />
as the NATO operational authority for CFBLNet provides the NATO <strong>and</strong> European<br />
CFBLNet Network Operation Centre (NOC) <strong>and</strong> NATO Point of Presence<br />
(PoP), as a cost effective central network hub for nations <strong>and</strong> NATO organisations<br />
to join CFBLNet.<br />
VI. NATO <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Agency<br />
The NCI Agency is part of the NATO Communication <strong>and</strong> <strong>Information</strong> Organisation<br />
(NCIO) <strong>and</strong> its mission is to strengthen the Alliance through connecting<br />
its forces, NCIA delivers secure, coherent, cost effective <strong>and</strong> interoperable communications<br />
<strong>and</strong> information systems <strong>and</strong> services in support of consultation, comm<strong>and</strong><br />
& control <strong>and</strong> enabling intelligence, surveillance <strong>and</strong> reconnaissance capabilities, for<br />
NATO, where <strong>and</strong> when required. It includes IT support to the Alliances’ business<br />
processes (to include provision of IT shared services) to the NATO HQ, the Comm<strong>and</strong><br />
Structure <strong>and</strong> NATO Agencies. NCIA is authorized by its Charter to provide<br />
technical advice, support <strong>and</strong> services to customers who are either NATO bodies<br />
or nations.<br />
As the potential legal framework of a multinational program, NCIA has established<br />
C4ISR Memor<strong>and</strong>um of Agreement (MOA) with a number of nations.<br />
The MOA is a framework agreement covering full cooperation on C4ISR activities,<br />
with the collaboration terms defined in advance. For the execution of a specific<br />
scope of work, the C4ISR MOA can be complemented by Technical Agreements<br />
describing the work <strong>and</strong> financial terms.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
69<br />
In addition NCIA can act as a multi-national executive coordination agent<br />
in support of capability development in any area covered under the technical<br />
framework. The support can span from research contributions <strong>and</strong> correlation to<br />
procedure design <strong>and</strong> engineering <strong>and</strong> procurement. In this role, NCIA can also<br />
facilitate the discussion with the C4ISR operational community about the definition<br />
<strong>and</strong> establishment of maturity levels for the technical elements under investigation<br />
so as to provide prioritization <strong>and</strong> guidance for implementation.<br />
Finally, NCIA can support the set up <strong>and</strong> maintenance of a framework for<br />
sharing information about NATO, national <strong>and</strong> coalition research activities.<br />
VII. How to join<br />
Non-CCEB, NATO mission partners can request guest mission partner status<br />
via one of the CFBLNet core mission partners (CCEB, NATO, USA).<br />
NATO nations currently not active on CFBLNet can join seamlessly.<br />
When accepted as a CFBLNet member, nations can join through:<br />
• Notifying the CFBLNet secretariat<br />
• Establish a national CFBLNet PoP in their nation,<br />
• Link up to the nearest regional CFBLNet NOC<br />
• Subscribe to the shared service multinational CFBLNet project.<br />
CFBLNet strongly recommends re-using national available infrastructure to<br />
extend CFBLNet to national battle labs, exercise <strong>and</strong> training sites.<br />
VIII. Conclusion<br />
Real world examples have been given of how using the CFBLNet provides<br />
operational benefits <strong>and</strong> value to nations preparing for coalition operations.<br />
CFBLNet continues to evolve with a customer driven strategy to achieve its vision.<br />
Many nations are already engaged. As it grows with additional mission partners<br />
the value for all will continue to increase. The governance structure, coalition coordination<br />
<strong>and</strong> security accreditation procedures <strong>and</strong> processes have a proven track<br />
record. The current mission partners selected CFBLNet as their infrastructure for<br />
multinational C4ISR trial, assessment, testing, exercise <strong>and</strong> training.<br />
CFBLNet is proving its value for the ISAF coalition <strong>and</strong> NATO. Investing<br />
in CFBLNet is Smart, less money is spent, invested better, versus maintaining<br />
the legacy infrastructures for RDT&A, Testing, Exercise <strong>and</strong> Training. Many<br />
partners exp<strong>and</strong>ed the CFBLNet model nationally <strong>and</strong> created additional savings.<br />
Acknowledgment<br />
The CFBLNet infrastructure is the product of many years of effort <strong>and</strong> investment<br />
by the mission partners, <strong>and</strong> the Authors would like to extend their thanks
70 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
to all those who have made this possible. Special thanks must go to David Wood,<br />
Tony DeSteffano, Tom Burns, Andrew Tape, Jim Rutups, Susan Kidd, Glen Wiggins,<br />
Bernie Yocum, <strong>and</strong> Russ Richards.<br />
References<br />
[1] Combined Federated Battle Labs Network, Publication 1, http://CFBLNet.info
Selected Aspects of Effective RCIED Jamming<br />
K. Wilgucki, R. Urban, G. Baranowski, P. Grądzki, P. Skarżyński<br />
Radiocommunication <strong>and</strong> Electronic Warfare Department,<br />
<strong>Military</strong> Communication Institiute (MCI), Zegrze Południowe, Pol<strong>and</strong>,<br />
k.wilgucki@wil.waw.pl<br />
Abstract: In recent years it is observed an increasing number of attacks on convoy <strong>and</strong> military<br />
vehicles with the use of Improvised Explosive Devices (IED). It is difficult to counter these threats<br />
because explosive devices are detonated using varied, often non-st<strong>and</strong>ard methods. Bombs are fashioned<br />
from easily obtained materials <strong>and</strong> with continually developed detonator technologies. One<br />
of the popular technique of detonation is triggering explosion by radio signals. These devices are<br />
called radio controlled IED (RCIED).<br />
In this article were presented various aspects which influence on effectiveness RCIED countermeasure<br />
system. At the beginning an brief overview of the IED techniques <strong>and</strong> technologies were mentioned.<br />
Then basic jamming principles <strong>and</strong> specific to RCIED aspects were discussed. Taking into consideration<br />
this problems <strong>and</strong> limitations, own RCIED jamming system conception was also described.<br />
At the end an analysis of capability of planned system <strong>and</strong> short summary was presented.<br />
Keywords: RCIED, spectrum monitoring, jamming<br />
I. Introduction<br />
Detection <strong>and</strong> RCIED jamming is conducted to ensure the safety of the soldiers<br />
involved in the stabilization missions abroad. Improvised explosive devices are used<br />
to destroy manpower <strong>and</strong> opponent military equipment by various organizations<br />
<strong>and</strong> terrorist forces. Wide use of IED is a main reason of heavy casualties among<br />
Coalition Forces in Iraq <strong>and</strong> Afghanistan [2]. Reducing this threat is one of priority<br />
to ensure safety of soldiers during ISAF missions.<br />
Mitigation of an IED detonation is a very complex task, because of continuous<br />
improvement <strong>and</strong> modification of such weapon <strong>and</strong> frequent tactics shift. It requires<br />
sophisticated detection <strong>and</strong> countermeasure systems. Explosive devices can be detonated<br />
using varied, often non-st<strong>and</strong>ard methods, including remote radio controlled<br />
devices. The element of surprise is very important for insurgents, therefore IEDs are still<br />
changing to circumvent the electronic countermeasures. Effective jamming of RCIED<br />
is very difficult because the detection <strong>and</strong> reaction time to the threat must be short.<br />
In this article different aspects of effective countermeasure system against<br />
RCIED threats were discussed. There were mentioned basic jamming principles
72 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> problems in ensuring effective work of radio-frequency (RF) jammer. Moreover<br />
description of designed RCIED jamming system conception was presented.<br />
II. IED technology<br />
An IED is a homemade bomb, constructed <strong>and</strong> deployed in improvised manner<br />
incorporating destructive, lethal, noxious, pyrotechnic or incendiary chemicals<br />
<strong>and</strong> designed to destroy or incapacitate personnel or vehicles. In principle, any<br />
explosive weapon not originated from an industrial production line may be classified<br />
as an IED [1][5].<br />
Historically, there is nothing new about IEDs which have been used in terrorist<br />
actions for a long time or in unconventional warfare by guerrillas during World<br />
War II. Recently wide use of IEDs is a main threat for Coalition Forces in Afghanistan.<br />
IEDs are extremely diverse in design, <strong>and</strong> may contain many types of initiators,<br />
detonators, penetrators, <strong>and</strong> explosive loads. This kind of devices is very effective<br />
as they are made of elements that are easily available at low cost. Generally IED<br />
consists of five components: a switch/trigger (activator), an initiator (fuse), container<br />
(body), charge (explosive filler), <strong>and</strong> a power source (battery) if applicable. IEDs<br />
can be produced in different sizes, functioning methods, containers, <strong>and</strong> delivery<br />
methods. IEDs can utilize commercial or military explosives, homemade explosives,<br />
or ordnance components. IEDs are triggered by various methods, including<br />
radio remote control, infra-red or magnetic triggers, pressure-sensitive bars or trip<br />
wires [3]. However, now there is a shift to more sophisticated detonation devices,<br />
such as high-powered cordless phones or GSM h<strong>and</strong>sets.<br />
IEDs can be divided into three main categories, depending on the explosion<br />
initiation:<br />
• Victim Operated Devices – triggered by victims movement or pressure;<br />
• Timed – triggered with the use of different kinds of timers;<br />
• Comm<strong>and</strong> Operated – triggered by pulling out a safety pin using gossamerlike<br />
wires/ropes, by generating an electric pulse over comm<strong>and</strong> wire or by<br />
sending a trigger comm<strong>and</strong> over radio transmitter.<br />
RCIED are classified to the Comm<strong>and</strong> Operated group, where the trigger<br />
comm<strong>and</strong> is send by a radio transmitter to a hidden bomb attached to a receiver<br />
linked to an electrical firing circuit. For this purpose, as radio transmitter can be<br />
used a broad range of equipment from household gadget like a key fob car alarm<br />
switch, remote controlled toys or a wireless doorbell buzzer to more sophisticated<br />
pagers, CBs, cellular phones, modified HF/VHF/UHF transceivers <strong>and</strong> satellite<br />
phones. Frequency range used by these devices is very diverse. RCIED triggers use<br />
mainly commercial frequency b<strong>and</strong>s listed in [1].<br />
The simplest method that can prevent the activation of RCIED is disrupting RC<br />
triggers by blocking the radio signal. For this purpose jamming techniques are<br />
used. Effective jamming of the whole frequency range used by RCIED is practically
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
73<br />
impossible <strong>and</strong> meaningless, because it would block own radio links. Therefore<br />
it is, necessary to provide a selective distortion emission, based on information<br />
obtained from the electromagnetic spectrum monitoring.<br />
III. Jamming principles <strong>and</strong> techniques<br />
In this chapter we discuss basic techniques <strong>and</strong> parameters of jamming signal.<br />
In order to disrupt radio signals there are applied devices which ensure appropriate<br />
parameter values of jamming signals. The major parameter determining the degree<br />
to which jamming will be successful is jamming (J) to signal (S) ratio JSR, described<br />
by the general formula shown below [5]<br />
JSR[dBm] = ERP J – ERP S – L J + L S + G RJ – G R (1)<br />
ERP J – effective radiated power of jamming station in dBm;<br />
ERP S – effective radiated power of transmitter signal in dBm;<br />
L J – propagation loss from jamming station in dB;<br />
– propagation loss from transmitter signal in dB;<br />
L S<br />
G RJ<br />
G R<br />
– jammed receiver antenna gain in the direction of jamming station in dBi;<br />
– jammed receiver antenna gain in the direction of transmitter station in dBi.<br />
The minimum value of JSR is dependent on the signal type which is jammed,<br />
signal propagation <strong>and</strong> jamming technique.<br />
Jammer designers can use various techniques of jamming. All techniques<br />
have their own advantages <strong>and</strong> disadvantages <strong>and</strong> application each of them is directly<br />
associated with type of jammed signal. The basic techniques include: noise<br />
jamming, tone jamming, swept jamming, pulse jamming, follower jamming <strong>and</strong><br />
smart jamming [3].<br />
A. Noise jamming<br />
Noise jamming is based on jamming carrier signal which is modulated with<br />
a r<strong>and</strong>om (Gaussian) noise waveform. This technique causes disruption of communication<br />
between transmitter <strong>and</strong> receiver by inserting high level noise. A b<strong>and</strong>width<br />
of jamming signal can have different width. Depending on the b<strong>and</strong>width occupied<br />
by noise jamming signal, it can be distinguished the following types of signals:<br />
broadb<strong>and</strong> noise (BBN), partial-b<strong>and</strong> noise (PBN) <strong>and</strong> narrowb<strong>and</strong> noise (NBN).<br />
BBN places noise energy inside entire b<strong>and</strong>width used by the communication<br />
system which is planned to jam. Generally BBN jamming signals fills the channel<br />
capacity. If the noise power is raised by inserting BBN signals into the channel,<br />
the signal to noise decrease <strong>and</strong> according to Shannon theorem, channel capacity<br />
also decrease [4].<br />
PBN places noise energy inside multiple channels indicated to disrupt.<br />
The channels may be contiguous or noncontiguous.
74 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In the case of NBN all jamming energy is placed into single channel, where<br />
activity of a communication system was detected.<br />
B. Tone jamming<br />
The next mentioned technique is tone jamming. In this type of jamming one<br />
or several tones are placed in the spectrum. When there is used only one tone,<br />
only one frequency is disrupted. If multi tones are applied, the tones are placed at<br />
previously chosen frequencies.<br />
C. Swept jamming<br />
Swept jamming technique is similar to broadb<strong>and</strong> or partial-b<strong>and</strong> noise<br />
jamming. Jamming can be realized by using narrow tone signal or PBN signal.<br />
In this technique relatively narrowb<strong>and</strong> signal is sweeping across part of spectrum.<br />
As a result of this, at any instant of time, only part of interesting b<strong>and</strong> is jammed.<br />
D. Pulse jamming<br />
Pulse jamming is similar to partial b<strong>and</strong> noise jamming. The main factor<br />
of pulse jamming is so called duty cycle, which means how long the jammer is switch<br />
on relative to switch off. The results of jamming strictly depend on the peak power<br />
<strong>and</strong> value of duty cycle.<br />
E. Smart jamming<br />
Smart jamming exploits weak sides of particular network, such as e.g. GSM<br />
or UMTS. Technique is based on assault on vulnerabilities e.g.: error correction<br />
checksums, messages related with acknowledgements, synchronization channels,<br />
time slots. Identification of a network type <strong>and</strong> synchronization in time are crucial<br />
for successful jamming. Known methods of attack include among others: station<br />
overloading, preventing positive call initiation, preventing from achieving connectivity,<br />
forged calls to the subscribers, disrupting communications by introducing<br />
errors into checksums, or distortions in messages related with acknowledgements.<br />
In this type of a jamming, the knowledge of transmission protocol is the key issue.<br />
F. Following jamming.<br />
Following jamming is usually applied against frequency hopping transmission.<br />
Such jammer search for emissions <strong>and</strong> when the signal is detected, it is jammed.<br />
The jammer follows carrier frequency changes of transmitted signal <strong>and</strong> continues<br />
jamming.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
75<br />
A coarse model for jamming effective range, that should be workable in any<br />
situation for the most of the world, is presented in [6]. Maximum effective range<br />
is given by<br />
where necessary jamming power P J is<br />
(2)<br />
P t – effective power output by the enemy transmitter;<br />
H J – elevation of jamming antenna above sea level;<br />
H t – elevation of enemy transmitter antenna above sea level;<br />
D J – jammer to receiver link distance in km;<br />
D t – enemy transmitter to receiver link distance in km;<br />
K – jammer tuning accuracy: 2 (for FM in VHF), 3 (for CW or AM in VHF);<br />
n – terrain <strong>and</strong> ground conductivity factor:<br />
5 – very rough terrain, poor conductivity;<br />
4 – moderately rough terrain, fair to good conductivity;<br />
3 – rolling hills, good conductivity;<br />
2 – level terrain, good conductivity.<br />
IV. Aspects of effective RCIED jamming<br />
As it was already mentioned, the trigger for RCIED can be both a mobile phone<br />
<strong>and</strong> modified remote control device for a child’s toy or other easily <strong>and</strong> cheaply<br />
available electronic gadget (fig. 1). All of those transmission systems can be jammed<br />
by suitable transmitters that can provide some protection around a vehicle or a patrol.<br />
The size of the protection zone depends on the JSR – relation of the jammer’s<br />
power to transmitted power of the device used to trigger the IED (1).<br />
Radio jamming not only prevents the remote detonation of RCIEDs but also<br />
obstructs the communication channels of terrorist or riot organizers. Unfortunately<br />
it can have influence on our own radio communications.<br />
Therefore it is important to design jammers which can leave ‘windows’ to<br />
enable friendly communications. Such intelligent, working in a reactive mode, jamming<br />
sets deployed on mobile platforms have already a few implementations, e.g.<br />
the Crew Duke [10] used by the U.S. Army.<br />
RCIED jamming is different from typical electronic warfare involving actions<br />
taken to impair the effectiveness of hostile electronic devices, equipment or systems.<br />
In military receiving equipment, in contrast to RCIEDs, are implemented ECCM<br />
(3)
76 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
(Electronic Counter-Countermeasures) mechanisms which attempt to reduce or<br />
eliminate the effect of electronic jamming. In such case response time of jamming<br />
system can be longer, because usually the transmitted information does not directly<br />
affect on destroying equipment <strong>and</strong> killing people.<br />
Figure 1. RCIED jamming<br />
In order to provide effective protection against RCIED, the response to<br />
the emerging radio signals must be immediate <strong>and</strong> effective. Hence, there is no<br />
possibility of using sophisticated methods of signals detection <strong>and</strong> identification<br />
which are time consuming. Precise <strong>and</strong> fast response is needed. Duration of jamming<br />
transmission is dependent on the speed of a vehicle, which in a few dozen<br />
seconds could leave dangerous zone.<br />
If the jammer starts too late it might not protect against the signal that triggers<br />
the explosion. On the other h<strong>and</strong> a threat of an initiating signal is temporary<br />
because a convoy moves <strong>and</strong> passes possible place of IED installation. Then it is<br />
possible to switch off the jammer <strong>and</strong> continue searching for threats. Due to<br />
the fact that technical details <strong>and</strong> vulnerabilities of public transmission systems<br />
are known, it is not necessary to transmit continuously jamming signal. Jammer<br />
can disturb at least one third of the jammed signal in time or frequency domain to<br />
be effective [4]. It follows that only part of the time could be used for effective<br />
jamming, <strong>and</strong> remaining time can be utilized for target acquisition in different<br />
frequency b<strong>and</strong>s.<br />
Moreover, military jamming systems are more complex than RCIED protection<br />
systems <strong>and</strong> with the exception of air platforms, mainly designed to work from<br />
a static outposts. In contrast, RCIED jamming systems are mounted on vehicles
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
77<br />
<strong>and</strong> work in constant motion. This affect on reducing the system power supply <strong>and</strong><br />
as a result decreases protection zone.<br />
Significant impact on the effectiveness of jamming has type of devices used<br />
to trigger RCIED. It is easier to neutralize RCIEDs based on commercial solutions<br />
because there is knowledge of signals, their frequency, modulation which allows<br />
to define range of jamming in advance. A disadvantage is the unpredictability<br />
of the trigger method <strong>and</strong> a great variety of solutions. Easy access to such technology<br />
<strong>and</strong> low cost cause difficulties in monitoring such market to eliminate bomb<br />
planters. More sophisticated solutions to trigger RCIED, which use for example<br />
spread spectrum or multib<strong>and</strong> emissions, sometimes on unusual frequency ranges,<br />
are more difficult to detect <strong>and</strong> effectively jam.<br />
In article [1] possible transmission systems are mentioned which can be used<br />
to initiate ignition of main charge of an RCIED. Every transmission system has its<br />
own vulnerability to jamming. From documentation, measurements <strong>and</strong> experiments<br />
it can be assessed two timing parameters: maximum time to start jamming<br />
(delay time) <strong>and</strong> required duration of a jamming transmission to successfully block<br />
receiver. Maximum delay time is in the worst case less than 100 ms, what imposes<br />
requirements on the speed of threat detection. Required jamming duration to efficiently<br />
jam in a synchronized manner, the desired signal is varying from several<br />
μs to several dozen ms. Other way, 1÷30% of jammed signal duration is required<br />
depending on the transmission system.<br />
Analyzing possibilities for RCIED jamming system it is necessary to consider<br />
such aspects as:<br />
A. Receiver/detector capabilieties:<br />
• receiver tuning time (speed of synthesizer) <strong>and</strong> its accuracy;<br />
• dynamic range, required more than 90 dB;<br />
• resistance to high voltage on the input of a receiver (levels greater than +30 dBm);<br />
• sensitivity, should be close to requirements for a GSM h<strong>and</strong>set at a much wider<br />
b<strong>and</strong>width;<br />
• tuning/switching/setting time of preselectors;<br />
• frequency range for searching a suspected signals;<br />
• quality A/D converters, required 16 bit resolution;<br />
• using appropriate time-frequency transform with matched resolution in time<br />
<strong>and</strong> frequency;<br />
• threat identification algorithm, required FPGA FFT implementation with<br />
DSP support;<br />
• time for frequency range analysis, shorter than maximum delay time to start<br />
jamming.
78 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
B. Jammer capabilieties:<br />
• tuning time of an upconverter, required less than 1 ms;<br />
• reaction time (memory access, switching time between waveforms) of an exciter;<br />
• D/A converters quality, required 16 bit resolution;<br />
• power amplifier, resistant to high temperature;<br />
• utilization of switched RF filters on the amplifier output for protection of friendly<br />
communications systems;<br />
• selective jamming, required time synchronization <strong>and</strong> exact frequency channel<br />
matching.<br />
C. Propagation, terrain type <strong>and</strong> fading influence:<br />
• jammer antenna height, placement <strong>and</strong> its impact on protection range;<br />
• RCIED antenna placement <strong>and</strong> its impact on jamming effectiveness in fading<br />
environment [7];<br />
• ground conductivity factor, unfavorable in dry rough terrain;<br />
• link budget (including height, gain of antennas <strong>and</strong> effective radiated power).<br />
V. RCIED jamming system conception<br />
Taking into consideration previously discussed aspects, a concept of automated,<br />
self-contained RCIED jamming system is based on guidelines:<br />
• simultaneous multi-b<strong>and</strong> spectrum monitoring <strong>and</strong> simultaneous multi-b<strong>and</strong><br />
reactive <strong>and</strong> barrage jamming of detected signals;<br />
• simultaneous multi-b<strong>and</strong> detection, classification <strong>and</strong> measurement of signal<br />
parameters using programmable FPGA hardware <strong>and</strong> DSP support;<br />
• utilization of filter block for protection of friendly forces communications;<br />
• cooperation of multiple RCIED jamming devices in a network;<br />
• user programmable interface for frequency preservation <strong>and</strong> a jam planning;<br />
• limited dimensions <strong>and</strong> weight that allow installation on various types of vehicles.<br />
At MCI counter RCIED solution is developed which consists following stages:<br />
1. designing <strong>and</strong> developing receiver block <strong>and</strong> validation of its performance<br />
<strong>and</strong> accuracy;<br />
2. designing <strong>and</strong> developing transmitter block <strong>and</strong> its integration with a receiver<br />
block <strong>and</strong> a controller;<br />
3. integration <strong>and</strong> testing also in a cooperative sensor/jammer network.<br />
Previously effective data processing algorithms for target acquisition <strong>and</strong><br />
identification were developed. It was done using data from commercial wideb<strong>and</strong>
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
79<br />
receiver R&S EM510/550. Currently final solution is developed on DSP/FPGA<br />
board which cooperates with wideb<strong>and</strong> fast tuning receiver.<br />
RCIED jamming system model will have one receiving (two b<strong>and</strong>) <strong>and</strong> one<br />
transmitting (three b<strong>and</strong>) antenna (Fig. 2). A receiving block is composed of two<br />
tuners intended for constant spectrum monitoring over multiple frequency b<strong>and</strong>.<br />
Tuners, with wide-b<strong>and</strong> IF filters <strong>and</strong> DSP/FPGA board perform discrimination <strong>and</strong><br />
identification of signals [1][9]. After detection, jamming is started on a frequency<br />
b<strong>and</strong>, where the trigger signal was detected. It is performed by the jammer block,<br />
consisted of three exciters (Fig. 3), amplifiers <strong>and</strong> two sets of collocation filters.<br />
Jamming signals are transmitted in frequency b<strong>and</strong>s: 20÷500 MHz, 500÷1000 MHz,<br />
1÷6 GHz, as a:<br />
• single tone sweep or narrowb<strong>and</strong> noise sweep;<br />
• narrowb<strong>and</strong> or wideb<strong>and</strong> barrage noise;<br />
• prepared signals from a controller’s memory.<br />
Figure 2. Scheme of reconnaissance-jamming system model<br />
Figure 3. Scheme of exciter (jammer) model
80 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
User interface of the jammer enables to program frequency b<strong>and</strong>s for jamming<br />
<strong>and</strong> friendly communication. Controller of the counter RCIED jamming<br />
system is responsible for programming a jammer block in a reactive jamming<br />
mode. Jamming decision is taken based on data from tuners. Expected emission<br />
identification parameters:<br />
• emission detection range – several km (depending on the radiated power<br />
of trigger transmitter);<br />
• scan time of frequency range 26 MHz ÷2,6 GHz below 50 ms;<br />
• frequency resolution: better than 25 kHz for VHF <strong>and</strong> 100 kHz for UHF;<br />
• maximum reaction delay between detected incoming signal <strong>and</strong> jamming<br />
transmission beginning should be below 100 ms.<br />
VI. Summary<br />
In this paper some aspects which influence on detection <strong>and</strong> jamming parts<br />
of RCIED countermeasure system was discussed. A conception of a model RCIED<br />
jamming system was proposed to overcome some of the pointed difficulties. Results<br />
from counter RCIED project would be taken into account in newly developed applications<br />
<strong>and</strong> EW systems created in MCI.<br />
Limitations which arise from specific IED operation <strong>and</strong> profile of mobile<br />
jamming sets result in a lot of restrictions that have influenced on construction<br />
of C-RCIED devices, detection <strong>and</strong> jamming methods. Compact size <strong>and</strong> restricted<br />
power source cause that the device provides a limited area of protection. Mobility<br />
of a vehicle <strong>and</strong> diversity of possible signals sources cause inability of exploitation<br />
more sophisticated methods for emission detection <strong>and</strong> identification in order to<br />
provide faster response to possible threat. Placing the receiver near the transmitter<br />
impairs the effectiveness of detection of hostile transmissions.<br />
To improve detection <strong>and</strong> jamming performance, it is planned creation<br />
a cooperative network of several receivers <strong>and</strong> jammers placed apart. Such system<br />
allows to mitigate an effect of hiding small signals in interference phenomenon <strong>and</strong><br />
noise background <strong>and</strong> could combat effect of fading, caused by ground reflections.<br />
Transmitters working in a network can attack the same emissions (extend coverage)<br />
or react to different frequencies simultaneously combating multi-frequency triggering.<br />
Receivers which scan in a network can achieve higher probability of detection<br />
(cooperative detection) or faster scanning rate in case of independent scanning<br />
adjacent frequency ranges. Physical separation of receivers from transmitters (one<br />
vehicle perform scanning other jamming) lead to better sensitivity <strong>and</strong> extend<br />
range of detection. For data transmission between network elements, nonst<strong>and</strong>ard<br />
wireless connections or infrared technology should be used.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
81<br />
REFERENCES<br />
[1] K. Wilgucki, R. Urban, G. Baranowski, P. Grądzki, P. Skarżyński, „Automated<br />
protection system against RCIED”, MCC2011.<br />
[2] https://www.jieddo.dod.mil/content/docs/JIEDDO_2010_Annual_Report_U.pdf<br />
[3] Improvised Explosive Device Defeat FMI 3-34.119/MCIP 3-17.01.<br />
[4] R.A. Poisel, “Modern <strong>Communications</strong> Jamming Principles <strong>and</strong> Techniques”, Second<br />
Edition, Artech House, Inc., 2011.<br />
[5] D.L. Adamy, “Tactical Battlefield <strong>Communications</strong> Electronic Warfare”, Artech House,<br />
Inc., 2009 pp. 251-306.<br />
[6] A. Graham, “<strong>Communications</strong>, Radar <strong>and</strong> Electronic Warfare”, John Willey & Sons,<br />
Inc., 2011, pp. 137-144, 357-363.<br />
[7] M. Dapper, J.S.Wells, T. Schwaillie, L. Huon, “RF propagation in short range<br />
sensor communications”.<br />
[8] B. Piette, “VHF/UHF Filters <strong>and</strong> Multicouplers”, John Willey & Sons, Inc., 2010.<br />
[9] G. Baranowski, R. Urban, K. Wilgucki, „Detekcja emisji FH na podstawie analizy<br />
czasowo-częstotliwościowej widma”, Przegląd Telekomunikacyjny, 8-9/2011.<br />
[10] http://srcinc.com/uploadedFiles/src/what-we-do/CREW_Duke.pdf
Advanced Road Traffic Service Demonstrator<br />
Marek Małowidzki, Przemysław Bereziński,<br />
Tomasz Dalecki, Michał Mazur<br />
<strong>Military</strong> Communication Institute, Zegrze, Pol<strong>and</strong>,<br />
{m.malowidzki, p.berezinski, t.dalecki, m.mazur}@wil.waw.pl<br />
Abstract: We propose a software architecture for an advanced routing service demonstrator, a key<br />
component of the traffic subsystem in Insigma 1 . We discuss novel capabilities that are designed to<br />
fulfill Insigma’s specific requirements. We also describe the approach taken to decompose the complex<br />
problem of finding optimal routes into a number of manageable entities. Preliminary conclusions<br />
from our development are presented.<br />
Keywords: road traffic, routing, route prediction, Open Street Map (OSM)<br />
I. Introduction<br />
The Insigma project is aiming at the development of an intelligent information<br />
system for global monitoring, detection <strong>and</strong> identification of threats. The system<br />
collects data from various kinds of sensors, cameras, <strong>and</strong> users, <strong>and</strong> processes<br />
the data to identify threats <strong>and</strong> notify appropriate public services. One of Insigma’s<br />
tasks is road traffic optimization <strong>and</strong> control, which includes streetlights, information<br />
boards, <strong>and</strong> route planning.<br />
In the paper, we discuss the architecture of a demonstrator of our routing<br />
service. The service includes most features that could be found in similar solutions;<br />
additionally, a number of advanced <strong>and</strong> forward-looking capabilities are<br />
being developed, some of them are unique <strong>and</strong> specific to Insigma. While there<br />
are a number of mature, commercial solutions available (with Google Maps [15]<br />
as a premier example), we believe it would be interesting <strong>and</strong> instructive to have<br />
a look at a large, complex, open-source based development – its assumptions, design<br />
decisions, <strong>and</strong> conclusions.<br />
The paper is organized as follows: First, we overview requirements placed on<br />
the routing service that stem from Insigma’s goals. Then, we present the service architecture,<br />
discussing each component in detail. Finally, we state the current state of work<br />
<strong>and</strong> future work. We end the paper with overview of related work <strong>and</strong> conclusions.<br />
1<br />
The work has been co-financed by the European Regional Development Fund under the Innovative Economy<br />
Operational Program, INSIGMA project no. POIG.01.01.02-00-062/09.
84 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
II. Routing service capabilities<br />
The main goal of the routing service is computing “optimal” routes (optimal<br />
– according to specified criteria), taking into account both static (the map) <strong>and</strong><br />
dynamic (traffic intensity, weather conditions, threats, etc.) data. The fact that our<br />
routing service is a key component of Insigma dictates a requirement for the service<br />
to implement a number of additional functions, which include:<br />
• Planning dedicated routes for privileged vehicles (police, fire brigade,<br />
ambulances, other special-purpose vehicles);<br />
• Taking into account traffic prediction for longer routes (as traffic conditions<br />
may change during the drive); also, route prediction (computing routes<br />
with drive starting at some time in the future);<br />
• A number of public security related options: planning of “safe” routes (bypassing<br />
dangerous places), additional route computation modes (as manyto-one,<br />
which allows e.g. to compute the optimal route from the nearest<br />
hospital to the place of accident). This requires a dynamic map containing<br />
data about threats (of various types).<br />
• Support for traffic load-balancing: calculation of alternative routes. Such<br />
a function is currently available e.g. in Google Maps. However, in Insigma,<br />
the routing service will be closely coordinated with traffic monitoring <strong>and</strong><br />
control, <strong>and</strong> alternative routes will allow to evenly distribute traffic.<br />
III. Architecture<br />
Insigma’s traffic subsystem architecture is shown in Fig. 1. Its main components<br />
include the client (described in section X), the route server (discussed throughout<br />
the paper) <strong>and</strong> the traffic warehouse, containing historical traffic data <strong>and</strong> supporting<br />
traffic prediction.<br />
Figure 1. Insigma’s traffic subsystem architecture<br />
During the early phase of the project, a number of specific, unrelated APIs<br />
have been defined. The APIs have been based on different programming models <strong>and</strong>
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
85<br />
employed incompatible data types; their integration would be extremely complex.<br />
Thus, for our routing service, we have decided to divide the server into a number<br />
of separate elements, each offering a compact API <strong>and</strong> performing a well-defined<br />
task. As a result, the server is composed of the following components (refer to Fig. 2):<br />
• Input/output, a component responsible for h<strong>and</strong>ling messages for clients,<br />
providing security (if necessary) <strong>and</strong> dealing with quality-of-service issues<br />
(also – if necessary);<br />
• Database, containing the static map <strong>and</strong> dynamic data (section IV);<br />
• Graph builder, responsible for transforming map data into a graph (section V);<br />
• Adapter(s), computing graph weights (section VI);<br />
• Algorithm(s), performing route optimizations (section VII);<br />
• Finally, dispatcher, managing the above-mentioned elements (section VIII).<br />
Figure 2. The route server’s internal architucture<br />
The server is implemented in the Microsoft .NET framework environment.<br />
The software architecture is organized around a number of interfaces (with each<br />
component having its dedicated interface(s)) <strong>and</strong> components (classes contained<br />
in .NET assemblies) that implement these interfaces <strong>and</strong> may be easily replaced<br />
for research or testing purposes. For example, adapters <strong>and</strong> algorithms (see sections<br />
VI <strong>and</strong> VII) are dynamically loaded according to the server’s configuration.<br />
In the following sections, we describe each of the server’s components in detail.<br />
IV. The Database: Static Map <strong>and</strong> Dynamic Data<br />
We have selected the OpenStreetMap [8] project as our source of static maps.<br />
OSM provides free geographic data for the whole world. The data may be encoded<br />
in XML or stored in a PostGIS [14] database (with conversion performed
86 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
by osm2pgsql [12]). OSM maps are supported by popular rendering software, such<br />
as OpenLayers [9]; the rendering process is sufficiently flexible for most applications.<br />
Unfortunately, OSM maps in their default format (<strong>and</strong> taking into account<br />
their content) are not suitable for route computation. First, the data lack majority<br />
of important information about roads. Second, while there are some proposals<br />
of crossroads modeling, the maps do not contain any reasonable definitions. In addition,<br />
OSM elements representing ways may be arbitrarily long <strong>and</strong> span a number<br />
of crossroads (which makes building a graph harder). Summarizing, the OSM data<br />
in their default form need a lot of work on restructuring <strong>and</strong> adjustment.<br />
Taking the above into account, necessary extensions have been designed<br />
as a joint work of teams at the AGH University of Science <strong>and</strong> <strong>Technology</strong> <strong>and</strong><br />
the <strong>Military</strong> Communication Institute. A number of additional PostGIS tables <strong>and</strong><br />
dedicated conversion software has been developed in order to supplement <strong>and</strong><br />
restructure the original OSM data.<br />
The main OSM tables include nodes, ways <strong>and</strong> way_nodes (specifying both<br />
roads <strong>and</strong> contours) <strong>and</strong> node_tags/way_tags, containing parameter values for<br />
nodes <strong>and</strong> ways, respectively. Our main extension tables are as follows (see Fig. 3):<br />
• way_segments – a way segment is a part of a single way <strong>and</strong> connects two<br />
crossroads;<br />
• lanes – a table modeling one-directional lanes, possible multiple, of a way.<br />
Lanes start <strong>and</strong> end at way segments <strong>and</strong> in places where an important<br />
road parameter changes (e.g., a speed limit road sign is located).<br />
• crossroads – basically, a crossroad is a container for turns (see below);<br />
• turns, turn_vias – turns define rules for changing way segments at crossroads.<br />
For complex crossroads, shortcuts are defined in the form of additional way<br />
segments gathered in the turn_vias table.<br />
• turn_properties, lane_properties – contain parameter values (a turn may<br />
be defined as forbidden by the traffic rules).<br />
Figure 3. Modeling of ways <strong>and</strong> crossroads in PostGIS
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
87<br />
The static map is supplemented with dynamic data related to current traffic<br />
situation (cameras observing queue lengths at crossroads <strong>and</strong> sensors estimating<br />
average speed); in future, dynamic data will also contain other important information,<br />
as weather conditions or Insigma-specific security events <strong>and</strong> threats.<br />
V. Graph builder<br />
The main task of the graph builder is to construct a directed graph, containing<br />
static (map of roads <strong>and</strong> crossroads) <strong>and</strong> dynamic (current traffic <strong>and</strong> other<br />
dynamic data) parameters describing its edges. The complete graph is returned<br />
in a single step: A client could influence the graph, supplying problem parameters<br />
(including start, destination, <strong>and</strong> intermediate points), vehicle profile <strong>and</strong> some<br />
additional options, but there is no possibility of a gradual graph construction (this<br />
is a design decision which allows to make the interface simple). Note that graphs<br />
for privileged <strong>and</strong> non-privileged vehicles may significantly differ.<br />
The graph builder is responsible for graph reduction in case the routing points<br />
are sufficiently distant. While the neighborhood of the specified points contains<br />
a complete network of ways, more distant areas would only include main roads.<br />
A constructed graph is equipped with a h<strong>and</strong>le to data warehouse (for traffic<br />
prediction) <strong>and</strong> needs an adapter to be configured before the graph is passed to<br />
an optimization algorithm. This is discussed in the next section.<br />
VI. Graph adapters<br />
The purpose of an adapter is the calculation of weights in graph edges. The calculation<br />
takes into account static <strong>and</strong> dynamic parameters that describe an edge<br />
(<strong>and</strong> a way it represents). The selection of parameters <strong>and</strong> their significance depends<br />
on a user’s request (route type, vehicle profile, etc.) <strong>and</strong> a routing algorithm. Generally,<br />
the dispatcher (see section VIII) selects an algorithm <strong>and</strong> an adapter, which,<br />
together, are expected to be able to solve the problem. Adapters are registered<br />
in the server for a specified task type.<br />
An example of a (somehow trivial) adapter could be a shortest path adapter,<br />
which simply uses way lengths as weights values. However, more advanced adapters<br />
would usually compose weights in a more complex way, taking into account<br />
a number of properties. For non-additive parameters, an adapter could use a vector<br />
of weights.<br />
As the weights include dynamic parameters (e.g., the current traffic intensity<br />
at a given way segment), they are functions of time. The adapter computes them<br />
when necessary <strong>and</strong> decides on a caching strategy (for weights that are expensive<br />
to compute, e.g., require a request to traffic data warehouse).<br />
Note that the “physical” graph structure is not altered by an adapter. However,<br />
in practice, the graph could be modified by weights values (e.g., a high weight value<br />
that practically eliminates a given way at a specified time).
88 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Calculation of weights values by an adapter is a very important step, as it directly<br />
influences the result of route optimization.<br />
VII. Routing algorithms<br />
The role of an optimization algorithm is simply to find the best route given<br />
a weighted graph. Algorithms that do not support dynamic weight values, such<br />
as the classic Dijkstra [1], would only use the time value of 0 <strong>and</strong> thus work on<br />
a snapshot (of a graph at relative time 0). In contrast, time-aware algorithms provide<br />
predicted values of time as they “travel” across the graph.<br />
We distinguish two main problem categories: Those with additive weights <strong>and</strong><br />
those with weights that are non-additive. In the former case, we believe that edge<br />
costs are represented as a scalar (i.e., a scalar function of time). In the latter case,<br />
a vector of weights is used. Algorithms that support independent edge weights<br />
have been considered for routing in telecommunication networks [2]. A practical<br />
example could be the work discussed in [4], with SAMCRA algorithm [2] (Self-<br />
Adaptive Multiple Constraints Routing Algorithm) computing paths with one weight<br />
representing used b<strong>and</strong>width <strong>and</strong> another one referring to a delay time. As a result,<br />
the optimal route fulfilled required spare b<strong>and</strong>width on all links <strong>and</strong>, at the same<br />
time, assured bounded (acceptably small) delay times for packets.<br />
Our approach assumes that a complete graph is built before optimization<br />
starts. However, there is a category of algorithms [citation needed] that construct<br />
the graph gradually as the calculation progresses. They use azimuth <strong>and</strong> distance<br />
to destination <strong>and</strong> exploit heuristics in order to find the solution. We believe that<br />
such an approach would require multiple queries to database, which would severely<br />
affect performance. In any case, this mode is not directly supported (by graph API);<br />
still, such algorithms could work in our demonstrator’s environment, building their<br />
graphs out of a complete graph returned by the graph builder.<br />
VIII. The Dispatcher<br />
The dispatcher’s task is to combine the activities of the other components.<br />
First, it identifies a set of algorithm-adapter pairs able to solve the problem defined<br />
by a client’s request, <strong>and</strong> selects a pair on the basis of some criteria (r<strong>and</strong>omly<br />
in a simple case). Then, it builds a graph, configures the adapter for the graph, <strong>and</strong><br />
asks the algorithm to compute the route. In case of failure, the dispatcher could<br />
repeat some or all of the steps (build a larger graph, select another algorithm, etc.).<br />
When the route is found, it is supplemented with geographical data (detailed route<br />
shape) <strong>and</strong> additional info (road signs, traffic situation, important events, etc.), <strong>and</strong><br />
returned to the client. We would like to emphasize that the mapping of graph edges<br />
(composing the optimal route) back to ways is quite a complex task, e.g., shortcuts<br />
through crossroads need to be exp<strong>and</strong>ed to real, detailed tracks.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
89<br />
A more advanced dispatcher could, for research purposes or even in production,<br />
if resources allow, start a number of parallel optimizations (each using a different<br />
algorithm), taking the result of the fastest algorithm (<strong>and</strong> canceling the rest).<br />
IX. Other components<br />
Our route server also supports a few typical services, such as auto-complete<br />
<strong>and</strong> geocoding, although its capabilities are not as advanced as in e.g. Google Maps.<br />
(As Insigma puts stress on innovation, it is not a goal to repeat features that are<br />
already widely available on the market.) Perhaps a novel idea is the option to specify<br />
routing points (start, destination, intermediates) in the form of a well-known location<br />
types (drugstore, hospital, etc.), with a type denoting all points of this type<br />
located within a considered area.<br />
Unfortunately, during the development we encountered a number of problems<br />
related to OSM (<strong>and</strong> the quality of open-source data). These problems include<br />
incomplete OSM map content for tested area, some errors <strong>and</strong> “mess” in the data<br />
(e.g., incorrect city borders, inconsistent naming), <strong>and</strong>, finally, poor performance<br />
(at least on a budget PC machines), which enforced pre-caching results (e.g., a list<br />
of cities in Pol<strong>and</strong> for auto-completion) in files. A real-world deployment of our<br />
service would definitely require better map data.<br />
X. The Client<br />
The primary task of a client application is to generate a request for server <strong>and</strong><br />
display its response (a route with additional information). In future, we plan to<br />
extend its functionality with GPS-based position tracking <strong>and</strong> route recalculation<br />
during the drive.<br />
The client is implemented in JavaScript <strong>and</strong> employs a number of related<br />
technologies:<br />
• User interface is built using jQuery Mobile [7], a popular library optimized<br />
for mobile web browsers;<br />
• Map display is based on OpenLayers [9];<br />
• Communication with server utilizes Web Services with JSON as data encoding<br />
format; a high-level Ajax-based API has been developed for this<br />
purpose;<br />
• Finally, the geolocation API [5], provided by a browser (see [6] for an example),<br />
is required for location tracking (in case of a mobile terminal).<br />
The client has been tested on a PC (with Google Chrome or Firefox) <strong>and</strong><br />
a mobile terminal (a Samsung tablet with Android 3.1 OS, running its default web<br />
browser – see Fig. 4). Performance <strong>and</strong> functionality are comparable in both cases.
90 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 4. Samsung tablet running our client<br />
XI. Current <strong>and</strong> future work<br />
The current work involves the development of various versions of the server’s<br />
main components <strong>and</strong> performing experiments that evaluate results in terms<br />
of correctness <strong>and</strong> performance. Besides new algorithms <strong>and</strong> adapters, we work on<br />
graph reduction. In addition, a simulator of traffic warehouse is being developed.<br />
We also plan to implement an advanced road traffic simulator that would cooperate<br />
with routing <strong>and</strong> traffic control Insigma’s components. The simulator will be<br />
used for carrying out complex experiments with integrated traffic management<br />
in a simulated town <strong>and</strong> assessing whether Insigma improves the overall performance<br />
of the town’s road system.<br />
XII. Related work<br />
In this section, we review a few selected works that concern various issues<br />
related with a successful routing service.<br />
The work described in [16] concerns traffic conditions prediction <strong>and</strong> alternative<br />
routes. The system architecture is presented <strong>and</strong> additional discussion about<br />
read network modeling, congestion data interpolation, <strong>and</strong> route computation<br />
is included. Lee’s algorithm [17] has been selected as it is time-aware (maintains<br />
time lapse as it travels along the graph); thus, predicted traffic intensity is taken<br />
into account.<br />
Reference [18] combines optimal routes <strong>and</strong> traffic intensity data obtained<br />
from simulation to enable more efficient planning of truck routes (their start time<br />
<strong>and</strong> order). The work in [19] discusses the vehicle navigation system supported by<br />
a framework that enables real-time traffic data collection <strong>and</strong> modeling. The authors<br />
of [21] propose a fast <strong>and</strong> efficient algorithm for computing alternative routes
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
91<br />
(which are paramount for traffic load balancing). Finally, reference [20] discusses<br />
the problem of fairness of alternative routes, from the perspective of drivers.<br />
We believe that Insigma’s routing service, in order to enable effective traffic<br />
management <strong>and</strong> control, will have to combine all the elements mentioned above<br />
in the cited works.<br />
XIII. Conclusions<br />
In the paper, we discuss the architecture of an advanced routing service that<br />
is one of key components in the Insigma project. The architecture has been designed<br />
in order to support novel features on one h<strong>and</strong>, <strong>and</strong> decompose the complex problem<br />
into a number of simple, manageable components on the other h<strong>and</strong>. These<br />
components may be easily replaced with more sophisticated versions, as the work<br />
develops. In future, we will be reporting how the development progresses.<br />
References<br />
[1] E.W. Dijkstra, “A note on Two Problems in Connexion with Graphs, Numerische<br />
mathematic”, 1, 269-271, 1959.<br />
[2] P. Van Mieghem <strong>and</strong> F.A. Kuipers, “Concepts of Exact Quality of Service Algorithms”,<br />
IEEE/ACM Transaction on Networking, vol. 12, no. 5, pp. 851-864, October 2004.<br />
[3] P. Van Mieghem, H. De Neve <strong>and</strong> F.A. Kuipers, “Hop-by-hop Quality of Service<br />
Routing”, Computer Networks, vol. 37. no 3-4, pp. 407-423, 2001.<br />
[4] W. Góralski et al., “On Dimensioning <strong>and</strong> Routing in the IP QoS System”, in Journal<br />
of Telecommunications <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> 2011, nr 3, s. 21-28.<br />
[5] W3C, Geolocation API Specification. W3C C<strong>and</strong>idate Recommendation, 7 September<br />
2010. Available:<br />
[6] http://www.w3.org/TR/geolocation-API/<br />
[7] Geolocation: http://html5demos.com/geo<br />
[8] jQuery Mobile: http://jquerymobile.com/<br />
[9] OpenStreetMap: http://www.openstreetmap.org/<br />
[10] OpenLayers: http://openlayers.org<br />
[11] Osmosis: http://wiki.openstreetmap.org/wiki/Osmosis<br />
[12] Mapnik: http://mapnik.org/<br />
[13] Osm2pgsql: http://wiki.openstreetmap.org/wiki/Osm2pgsql<br />
[14] PostGIS: http://postgis.refractions.net/<br />
[15] Google Maps Developer Documentation: https://developers.google.com/maps/<br />
documentation/<br />
[16] J. Fawcett, P. Robinson, “adaptive Routing for oad Traffic,” in IEEE Computer<br />
Graphics <strong>and</strong> Applications, May/June 2000.<br />
[17] C.Y. Lee, “An Algorithm for Path Connectivity <strong>and</strong> its Applications,” IRE Trans. on<br />
Electronic Computers, vol. 10, no. 3, Sept. 1961, pp. 346-365.
92 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[18] O. Franzese, S. Joshi, “Traffic simulation application to plan real-time distribution<br />
routes”, in Proceedings of the 2002 Winter Simulation Conference.<br />
[19] S. Ying, Y. Yang, “Study on Vehicle Navigation System with Real-time Traffic<br />
<strong>Information</strong>,” 2008 International Conference on Computer Science <strong>and</strong> Software<br />
Engineering.<br />
[20] O. Jahn, R.H. Möhring, A.S. Schulz, N.E. Stier-Moses, “System-Optimal Routing<br />
of Traffic Flows with User Constraints in Networks with Congestion,” in OPERATIONS<br />
RESEARCH vol. 53, no. 4, July–August 2005.<br />
[21] D. Luxen, D. Schieferdecker, “C<strong>and</strong>idate Sets for Alternative Routes in Road<br />
Networks,” Experimental Algorithms – 11th International Symposium, SEA 2012,<br />
Bordeaux, France, June 7-9, 2012.
Modern Low Cost Aircraft Instruments<br />
Radek Bystricky 1 , Premysl Janu 2<br />
1 Department of Aerospace Electrical Systems<br />
2 Department of Radar <strong>Technology</strong>, Faculty of <strong>Military</strong> <strong>Technology</strong>,<br />
University of Defence, Brno, Czech Republic,<br />
{radek.bystricky, premysl.janu}@unob.cz<br />
Abstract: The usage of multifunction displays (MFD) in nowadays aircraft boards is about to increase.<br />
They are usually able to show a big number of relevant information at once, so their contribution<br />
cannot be denied. But it is hard to imagine that, in case of emergency (e.g., space disorientation),<br />
the pilot will browse between pages on the display. In this case, he immediately needs to know basic<br />
information about speed, altitude, etc. <strong>and</strong> will therefore rather rely on conventional gauges instruments.<br />
This paper therefore deals with the design <strong>and</strong> development of classical <strong>and</strong> especially cheap<br />
gauge instrument connected the on-board data bus.<br />
Keywords: MFD; aircraft instrument; CAN; CANaerospace; microcontroler, Time-triggered<br />
I. Introduction<br />
First we need to ask ourselves what must be an inexpensive aircraft instrument<br />
able to do, except that it must be accurate, reliable <strong>and</strong> rugged. It must be able to<br />
measure the flight parameter with sufficient accuracy at first. It is also advantageous<br />
if this flight parameter can be transmitted to other devices using some kind<br />
of a data bus. Finally, it must have sufficiently precise scale with a fine gauge step<br />
<strong>and</strong> be able to detect their own faults <strong>and</strong> report them.<br />
II. Hardware conception<br />
Our concept is based on the division of the device into individual components<br />
that can exist independent to the measured flight parameter. This concept is adopted<br />
from real instruments build by Czech company MESIT <strong>and</strong> used for example on<br />
the aircraft L159 ALCA, see Figure 1. But the concept itself is the only thing what<br />
ours instruments replicates [1]. The rest differs significantly.<br />
Basic components are:<br />
• Power block.<br />
• Signal processing block.
94 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• Display block.<br />
• Data storage block.<br />
• BITE block.<br />
The first part of the conception is the power supply block [11], consisting<br />
mainly from the DC/DC converter allowing the device operation in a wide input<br />
voltage range (6-36 V) with 5 V output. This wide range allows the device to be<br />
used in many types of aircraft. It is able to provide a voltage spikes filtering <strong>and</strong><br />
even independent voltage source with galvanic isolation for the purpose of the safe<br />
bus communication. This block is basically same for every instrument.<br />
Figure 1. Example of a gauge instrument from MESIT company<br />
Second mentioned part is the signal processing block [11]. For signal processing<br />
is necessary to divide them to several groups according to way of physical<br />
principle of quantity sensing (employed sensor) <strong>and</strong> according to way of its analyzing<br />
at measuring chain. Signals from sensors are impedance matched <strong>and</strong> eventually also<br />
separated. Anti-aliasing filter for suppression of unnecessary spectrum part follows.<br />
Figure 2. Example of a measurement blocks<br />
All signals are consequently normalized, thus DC offset is cut off. By amplification<br />
(attenuation) their magnitude is adapted to useful range of measuring<br />
converter. Afterwards precision is given by converter bit resolution.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
95<br />
Each processing chain or group of chains represents particular modules which<br />
are designed like an intelligent sensors or on-board instruments connected to data<br />
bus. Modules of intelligent sensors are based on 8-bit microcontrollers Atmel AVR.<br />
More complex instruments, which carry out more complex signal processing like<br />
radio communication, are based on FPGAs if any.<br />
The signal processing block is essentially the only block that is different<br />
from instrument to instrument. The result of the signal acquisition is transmitted<br />
via CAN into the on-board system <strong>and</strong> since that moment can be used by other<br />
instruments. Figure 2 shows some examples of signal processing blocks that we<br />
recently created [16].<br />
Third part of the instruments is the display block. Unlike conventional devices<br />
that use stepper motors for displaying the flight parameter, our prototype is equipped<br />
with a servo [2]. The main reason is with any doubt the price.<br />
Figure 3. Servomotor as a gauge instrument<br />
Servomechanism is driven by the microcontroller using a PWM (Pulse-width<br />
modulation). The position of the servomechanism is related to the pulse length,<br />
as shown the basic principle in Figure 3. The basic operational range of 180 degrees<br />
can be enlarged by a simple gear mechanism. The precision is theoretically<br />
limited only by a microcontroller timer/counter bit resolution. The precision for<br />
16 bit counter is:<br />
180 16 0.00275 (1)<br />
2<br />
This is sufficient precision to the show the flight parameter using a gauge.<br />
Microcontroller reads the instrument corresponding value e.g. RPM, from CAN<br />
<strong>and</strong> convert this information to the required length of the pulse [2]. What is more<br />
important, the microcontroller can apply different modification to the displayed<br />
signal e.g. linearization. The advantage is that the original signal still exists on<br />
the CAN unmodified. The measured flight parameter is displayed also in the form<br />
of number as a supplement, see Figure 1. The only thing that has to be modified
96 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
according to specific instrument is the scale, <strong>and</strong> of course the program running<br />
inside the microcontroller.<br />
The fourth part is the data storage block. It mainly serves to store measured<br />
flight data parameter into the memory card <strong>and</strong> thus could serve to two primary<br />
goals. Since this is in particular a very cheap instrument, we can basically assume<br />
that it will be primary used on board of ultra-light aircraft where no flight data<br />
recorder is present [3]. The flight data recorder in case of accident is thus the first<br />
possibility. The second possibility is to serve as flight documentation. Every piece<br />
written to the memory contains not only value but also a time stamp of the event.<br />
It’s easy than to read when some specific event occurred <strong>and</strong> its value, e.g. crossing<br />
the maximum of speed limit or G‐force. The memory is divided into two parts.<br />
One is permanent holding those specific events <strong>and</strong> the second part which is acting<br />
as an infinite loop erasing the oldest data, when the maximum capacity is reached.<br />
This part is still under development <strong>and</strong> at this moment presented by an SD memory<br />
card as can be seen in Figure 4.<br />
Figure 4. SD card storage evaluation board<br />
The last part is the BITE (Built In Test Equipment) block. This block is basically<br />
a second instrument integrated in one PCB (Printed circuit board), running at much<br />
lower speed, which checks out some of the functions of the whole instrument. In case<br />
that the instrument gives too different results then BITE, the instrument is disconnected<br />
<strong>and</strong> an error flag is transmitted into the system, keeping the rest of the system<br />
untouched by this error. In most cases this block could be the same for more instruments,<br />
but with different I/O ports connected, as well as the program running inside.<br />
Since the whole system is network (bus) based the network capability is the essence<br />
of the whole system<br />
III. Network capability<br />
The proposed instrument is integrated into the on-board aircraft electronic<br />
system, which acquires data from sensors <strong>and</strong> provides them to the NEC environment<br />
[6, 16]. The whole system consists of two control modules <strong>and</strong> individual<br />
modules providing aircraft <strong>and</strong> flight parameters.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
97<br />
Data bus CAN [4, 6-9 <strong>and</strong> 16] for its simplicity, very effective diagnostic tools <strong>and</strong><br />
because of the fact that many microcontrollers have a CAN driver integrated was used<br />
for mutual communication of individual modules. The bus CAN has specification<br />
for avionic systems by CANaerospace protocol that operates at the application layer<br />
of ISO/OSI reference model. The protocol is not already widely used, as is evidenced<br />
by only small number of projects in the Czech Republic <strong>and</strong> abroad (Ae270, SATS,<br />
V220 <strong>and</strong> V300 aircraft engines, SOFIA [6]), so this area is still under development.<br />
It is important for avionic systems that individual messages are sent <strong>and</strong> received<br />
in precisely defined instants, so that time-triggered method was chosen [7, 9<br />
<strong>and</strong> 16]. The basis of the method is a time schedule, which is defined by so called<br />
Cycle matrix [6, 7]. Complete designed on-board aircraft electronic system consists<br />
of the following parts.<br />
The NEC station as needed (asynchronously) sends messages with CAN ID<br />
selected from high-priority area of the CANaerospace protocol service messages,<br />
thus makes an interface between aircraft <strong>and</strong> ground station. There is a message,<br />
which makes master block to assign the communication schedule. There are also<br />
messages that tell the master unit to start or stop communication, i.e. reference<br />
message transmission. It also allows sending other messages of the node service<br />
protocol, which generally accelerate <strong>and</strong> make more precise the communication<br />
of individual modules (e.g. message for system baud rate reconfiguration).<br />
The MASTER receives important messages that the NEC station transmits<br />
<strong>and</strong> adequately reacts on them. It stops communication according previous Cycle<br />
matrix after the communication schedule assignment comm<strong>and</strong> reception, <strong>and</strong><br />
ensures assignment messages transmission that include flight data messages CAN<br />
ID allocation in the new Cycle matrix. The number of assignment messages corresponds<br />
to the number of elements in the Cycle matrix. Subsequently it starts to<br />
periodically transmit reference message for the time synchronization of communication,<br />
which period determines the value set in the comparative timer register<br />
of its microcontroller, based on the number of Cycle matrix columns (time slots).<br />
It stops the synchronization message transmitting after communication end message<br />
reception. It resumes communication reference message transmission by communication<br />
start message reception.<br />
Individual modules fill predefined Cycle matrix with specific messages that<br />
provide to the system after assignment message reception. The nodules start to<br />
provide data to the system by synchronization messages reception. The time interval<br />
during which the module must send the message is defined by so called time slot.<br />
1<br />
tS<br />
nD d<br />
(2)<br />
bitrate<br />
where t S is time slot length, n D is bit number of the message (maximum number<br />
of stuff bits is supposed, thus bit number of the message is 135), d is time delimiter,<br />
the message to be send in order.
98 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
This time interval is set into the comparative timer register of the microcontroller.<br />
The message is sent only once in the time-triggered mode, no further<br />
arbitration is performed.<br />
Each row of the matrix is begun by synchronization message [6, 7], followed by<br />
the CAN ID that characterize the various flight parameters. Free frames reserved for<br />
asynchronous messages of the CANaerospace protocol can be found here. The time<br />
required for the matrix reconfiguration depends on its dimension, e.g. reconfiguration<br />
of the matrix with size of 10 x 6, takes 77.76 ms. This value is not critical.<br />
However, complete on-board aircraft electronic system provides far greater number<br />
of messages. For imagination, the time required for the Cycle matrix reconfiguration<br />
with maximum possible number of elements, which enables CANaerospace<br />
protocol specification [5], it is the matrix of size 256 x 256, is 1 min 25 s. This time,<br />
when the system does not provide any data, is quite critical <strong>and</strong> can have fatal consequences<br />
for flight safety. Maximal system bit rate reduces the value to 10.62 s. This<br />
time is also still quite critical, <strong>and</strong> therefore it is necessary to select a compromise<br />
among the transmission period of synchronous messages, the number of necessary<br />
broadcast messages <strong>and</strong> the number of elements in the Cycle matrix. In the case,<br />
that is impossible to avoid the number of elements of the Cycle matrix approaching<br />
to the possible maximum according to the CANaerospace specification, it is necessary<br />
to use some other reconfiguration algorithm of the Cycle matrix [6, 7 <strong>and</strong> 9].<br />
IV. Mathematical analysis<br />
Certain parameters, which quantitatively express the level of communication<br />
over the bus is necessary to establish to evaluate the communication behavior on<br />
the bus. The most important parameters for the mathematical analysis of the bus<br />
behavior are bus capacity C CANAS <strong>and</strong> bus utilization U. To obtain these parameters<br />
is important to come out of the following values.<br />
The data frame length n D is considered for 11-bit identifier. It is possible to<br />
work with up to 2 11 messages, which is 2048 with 11-bit identifier. Such number<br />
of messages is excessively adequate for designed on-board aircraft electronic system.<br />
Data frame length n D in this case is given by:<br />
348N<br />
D<br />
<br />
nDround<br />
478N<br />
D<br />
5<br />
<br />
(3)<br />
<br />
where N D is number of data byte.<br />
Round function signifies cutting off the decimal part. Division by five in the argument<br />
of the function is due to the application of stuff bits insertion mechanism.<br />
Number of stuff bits is not possible or hardly ever to analytically determine. Inserting<br />
or not inserting of stuff bits depends on a combination of bits in the CAN<br />
identifier, data length control field, data field <strong>and</strong> CRC sequence [4, 6], when more<br />
than five bits of the same level must not follow, so here is the stuff bit inserted.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
99<br />
In the case of CANaerospace protocol, when all 8 bytes of data are transmitted,<br />
mean length of the data frame 123 bits is taken in a count. The data frame length<br />
without bit stuffing mechanism application is 111 bits <strong>and</strong> in case of maximum<br />
bit stuffing is 135 bits.<br />
The duration of one bit transmission τ is defined by reciprocal value of bus<br />
bit rate according to the equation:<br />
1<br />
(4)<br />
bitrate<br />
The transmission message period is very important parameter for the following<br />
calculations. In this case it is transmission message period at hundred percent<br />
of bus utilization, thus when the messages are transmitted in close behind. For<br />
the transmission message period p U100% is defined equation:<br />
p<br />
U100%<br />
n (5)<br />
Hundred percent of bus utilization is supposed during the bus capacity calculation<br />
C CANAS , when the transmission message period is given by n D τ. The bus<br />
capacity determines the number of messages that is possible to send over the bus<br />
per second. Then the bus capacity is defined by:<br />
1<br />
CCANAS<br />
(6)<br />
p<br />
D<br />
U100%<br />
Maximum bus capacity reaches at the minimum data frame length <strong>and</strong><br />
the maximum bit rate. The value of maximum bus capacity is the 8771 messages/s.<br />
The value of maximum bus capacity depends on the number of inserted complementary<br />
bits in the process of bit stuffing. The occurrence of these bits is very stochastic.<br />
Bus utilization by synchronous messages is defined by:<br />
U<br />
S<br />
M<br />
1<br />
nS 100<br />
(7)<br />
p<br />
i1<br />
where U S is bus utilization by synchronous messages, n S is frame length of synchronously<br />
transmitted message, p S is transmission period of synchronous message<br />
frames.<br />
The maximum bus utilization by synchronous messages is reached at the state<br />
of maximum bit rate 1 Mbit/s <strong>and</strong> at small transmission message period.<br />
Bus utilization by asynchronous messages is defined by:<br />
M<br />
S<br />
UAS nAS xAS<br />
100<br />
(8)<br />
i<br />
where U AS is bus utilization by asynchronous messages, n AS is frame length of asynchronously<br />
transmitted message, x AS is a number of asynchronous message transmitted<br />
frames.
100 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The maximum bus utilization by asynchronous messages occurs at the low<br />
bit rate <strong>and</strong> at very frequent transmission of asynchronous messages.<br />
The CANaerospace specification according to Michael Stock [5] recommends<br />
bus utilization by synchronous messages from 80% to be prepared sufficient bus<br />
capacity for eventual transmission of CANaerospace asynchronous messages. Great<br />
bus utilization for asynchronous messages remains at long period of synchronous<br />
transmitted message <strong>and</strong> at low bus bit rate. Conversely when the bit rate is maximal<br />
<strong>and</strong> very small period of synchronous transmitted message, low bus utilization for<br />
asynchronous messages remains, so these parameters must be chosen with respect<br />
of CANaerospace specification recommendations<br />
V. Conclusion<br />
This hardware solution can gives us a unique instrument set able to communicate<br />
thought CAN, able to detect their own faults with the same accuracy as prestigious<br />
instrument for price of only few hundreds of euro (dollars). Since only one hardware<br />
block is different at each instrument it is also cheap to maintain it in perfect shape.<br />
Also the program running inside can be easily modified to fulfill any possible needs.<br />
Application of the bus CAN with CANaerospace protocol to the avionic systems<br />
is relatively new area. The bus CAN seem to be suitable for the implementation<br />
because of its simple way of communication <strong>and</strong> high quality of diagnostic tools.<br />
According to the mathematical analysis is evidenced, that the bus enables to provide<br />
high number of messages, which is important for aircraft electronic systems.<br />
Acknowledgment<br />
The work presented in this paper has been supported by the Ministry of Defence<br />
of the Czech Republic (K206 Department development program “Complex<br />
aviation electronic system for unmanned aerial systems”).<br />
References<br />
[1] J. Cizmar, R. Jalovecky, “Development of a Digital Fuel Quantity Indicating System<br />
for Aircraft.”, In: Proceeding of the International Conference on <strong>Military</strong> Technologies<br />
„ICMT 2007“, Brno: Univerzita obrany, Brno, 2007, ISBN 978-80-7231-238-2.<br />
[2] R. Bystricky, “Dynamic system mathematical model of UAV helicopter.”, Brno,<br />
29.03.2010, Disertation thesis, University of Defence, Supervisor prof. Ing. Rudolf<br />
Jalovecky, CSc (in Czech).<br />
[3] R. Bystricky, J. Bajer, P. Janu, “Proposal of low cost flight data recorder for ultralight<br />
aircraft.”, In: Modern Safety Technologies In Transportation, Košice, Slovensko:<br />
Suprema Ltd., 2011, p. 54-59, ISSN 1338-5232, ISBN 978-80-970772-0-4.
Chapter 1: Concepts <strong>and</strong> Solutions for <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems 101<br />
[4] W. Voss, “A Comprehensible Guide to Controller Area Network.”, 2nd, Greenfield,<br />
Massachusetts, USA: Copperhill Technologies Corporation, 2005-2008, 152 s., ISBN<br />
978-0976511601.<br />
[5] M. Stock, “CANaerospace” [online], [cit. 2009-04-05], Available on: .<br />
[6] P. Janu, “Acquisition <strong>and</strong> data processing from on-board aircraft systems.”, Brno,<br />
31.08.2011, Disertation thesis, University of Defence, Supervisor prof. Ing. Rudolf<br />
Jalovecky, CSc (in Czech).<br />
[7] P. Janu, R. Bystricky, J. Bajer, “Proposal of a time-triggered avionic electrical<br />
subsystem using CANaerospace.”, In ICMT\’09: International Conference on <strong>Military</strong><br />
Technologies 2009, 1st edition, Brno: [s.n.], 2009, Electronics Avionic Systems,<br />
p. 387-393, ISBN 9788072316496.<br />
[8] P. Janu, J. Parizek, “The canaerospace protocol contribution to the reliability <strong>and</strong><br />
safety of the CAN.”, In: ICMT’11 – International Conference on <strong>Military</strong> Technologies<br />
2011, Brno: University of Defence, 2011, p. 657-663, ISBN 978-80-7231-787-5.<br />
[9] P. Janu, J. Bajer, “Dynamic time-slot assignment method applied on CAN with<br />
CANaerospace protocol during the aircraft phase of flight transitions.”, In: ICMT ’11<br />
– International Conference on <strong>Military</strong> Technologies 2011, Brno: University of Defence,<br />
2011, p. 619-625, ISBN 978-80-7231-787-5.<br />
[10] P. Janu, J. Parizek, “CAN Messages Transmission Diagnostic Analysis of Avionic<br />
System.”, Cybernetic Letters, 2011, no. 9, p. 1-9, ISSN 1802-3525.<br />
[11] P. Bajer, P. Janu, R. Jalovecky, “Controller Area Network based On-board<br />
Data Acquisition System on <strong>Military</strong> Aircraft.”, In: Concepts <strong>and</strong> Implementations<br />
for Innovative <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Technologies. Warsaw,<br />
Polska: <strong>Military</strong> University of <strong>Technology</strong>, 2010, p. 589-598, ISBN 978-83-61486-70-1.<br />
[12] J. Bajer, P. Janu, “Systematic proposal of aircraft electronic system with CANaerospace<br />
protocol.”, In: <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems Conference: MCC<br />
2009, Prague, Czech Republic: University of Defence, 2009, ISBN 978-80-7231-678-6.<br />
[13] J. Bajer, R. Bystricky, P. Janu, “Proposal of a time-triggered avionic electrical<br />
subsystem using CANaerospace.”, In: ICMT’09 International Conference on <strong>Military</strong><br />
Technologies 2009, Brno, Czech Republic: University of Defence, 2009, ISBN 978-80-<br />
-7231-649-6.<br />
[14] D. Paret, “Multiplexed networks for embedded systems – CAN, LIN, FlexRay, Safeby-<br />
-Wire... Wiley.”, 2007, p. 418, ISBN 978-0-470-03416-3 (HB).<br />
[15] N. Navet, F. Simonot-lion, “Automotive Embedded Systems H<strong>and</strong>book<br />
(Industrial <strong>Information</strong> <strong>Technology</strong>).”, [online], [cit. 2009-04-05], Available on:<br />
.<br />
[16] J. Bajer, P. Janu, R. Jalovecky, “Controller Area Network based On-board Data<br />
Acquisition System on <strong>Military</strong> Aircraft.” In Concepts <strong>and</strong> Implementation for<br />
Innovative <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Technologies. Warsaw, Pol<strong>and</strong>:<br />
<strong>Military</strong> University of <strong>Technology</strong>, 2010, p. 589-598. ISBN 978-83-61486-70-1.<br />
[17] “ISO 11898-4:2004.” [online], [cit. 2009-06-30], Available on: .
Chapter 2<br />
<strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> <strong>Technology</strong><br />
for <strong>Trusted</strong> <strong>Information</strong> Sharing
SOA in the CoNSIS Coalition Environment:<br />
Extending the WS-I Basic Profile for Using SOA<br />
in a Tactical Environment<br />
Hartmut Seifert 1 , Markus Franke 1 , Anne Diefenbach 2 , Peter Sevenich 2<br />
1 Dept. Networks <strong>and</strong> Architectures, Industrieanlagenbetriebsgesellschaft mbH,<br />
Ottobrunn, Germany, seifert@iabg.de<br />
2 Communication Systems Group, Fraunhofer FKIE, Wachtberg, Germany,<br />
anne.diefenbach@fkie.fraunhofer.de<br />
Abstract: This article describes the elements necessary to allow SOA based CCIS systems to operate<br />
in a mobile tactical environment. All elements which are m<strong>and</strong>atory to allow a SOA based implementation<br />
to react to limited b<strong>and</strong>width, jammed <strong>and</strong> temporarily unavailable network connections <strong>and</strong><br />
to span a common information domain across various coalition partners are listed in comparison<br />
to the WS-I Basic Profile.<br />
Keywords: autarchy, non-hierarchical, fully distributed, SOAP-based security mechanisms, schema-<br />
-based compression, NNEC<br />
I. Introduction<br />
Future Comm<strong>and</strong>, Control <strong>and</strong> Intelligence Systems (CCIS) will not be developed<br />
from scratch anymore. <strong>Military</strong> operators are interested in specific military<br />
functionalities, <strong>and</strong> they do not care about how these functions communicate <strong>and</strong><br />
cooperate with each other as long as a defined service level agreement is fulfilled.<br />
One approach to realize such a system is to base it upon a service oriented<br />
architecture (SOA), where military applications will use commonly available core<br />
services (like basic messaging or repository services) to provide their capabilities<br />
to human operators.<br />
This decomposition is originally derived from the NATO Network Enabled<br />
Capability (NNEC) feasibility study [1], where various steps are described to come<br />
from the current position of stove-pipe systems to a coalition wide shared services<br />
approach.<br />
The SOA paradigms, <strong>and</strong> the tools <strong>and</strong> frameworks developed to help implement<br />
them, are intended for use in fixed, broadb<strong>and</strong> company networks. Web<br />
services, the technology commonly used to realize a SOA (<strong>and</strong> the one suggested
106 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
by NNEC), along with their numerous advantages also come with some disadvantages,<br />
such as a very large overhead. <strong>Military</strong> networks, however, often do<br />
not meet the conditions expected in civil company networks. <strong>Military</strong> networks<br />
in the tactical domain, especially mobile networks, suffer from low b<strong>and</strong>width,<br />
large delays, frequent disruption <strong>and</strong> the threat of jamming. Therefore, steps need<br />
to be taken to mitigate these disadvantages <strong>and</strong> ensure adequate performance. This<br />
paper takes the Web Services Interoperability (WS-I) Basic Profile [2], developed by<br />
an industry consortium to ensure interoperability between web services, <strong>and</strong> suggests<br />
several additions to be prescribed to web services in a military environment.<br />
The resulting architecture is described in principle <strong>and</strong> verified within a national<br />
implementation, the Reference Environment for Services “Referenzumgebung<br />
Dienste” (RuDi).<br />
RuDi was the German SOA framework used in the international project<br />
CoNSIS (Coalition Networks for Secure <strong>Information</strong> Sharing). Work in CoNSIS,<br />
performed in five distinct tasks, aimed to develop a comprehensive, federated<br />
environment comprising heterogeneous networks from different nations in which<br />
to securely share information. This article is based on work carried out in Task 2,<br />
the <strong>Information</strong> Services task, concerned with connecting SOA frameworks from<br />
different nations – namely Germany <strong>and</strong> Norway.<br />
II. Limitations for SOA in mobile systems<br />
A. Mobile Node Autarchy<br />
In battlefield scenarios, such as a convoy operation as assumed in the CoNSIS<br />
scenario, mobile units may become cut off from communication with an upper<br />
comm<strong>and</strong> level (e.g. HQ). In this case, the units still need to be able to complete<br />
the operation they were sent out on – which means that any necessary information<br />
or supporting routine must be available locally – in our scenario, within a convoy.<br />
The SOA framework must be set up in such a way as to be able to provide the required<br />
services to the users (consumers) with the best quality of service achievable under<br />
current conditions. In the most extreme case, this means that all critical services<br />
must be completely available within each node (e.g. vehicle within the convoy),<br />
as stipulated in [3].<br />
B. B<strong>and</strong>width limitations<br />
The communications within a mobile environment is the most limiting factor<br />
for SOA: <strong>Military</strong> communications are either radio based (traditional or ad-hoc<br />
radio networks) or supported by tactical satellite communications. In both cases,<br />
the available b<strong>and</strong>width is significantly lower than in backbone systems (from a couple<br />
of kilobits per second up to a lower megabits per second rate, which is shared
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
107<br />
between a number of nodes). In comparison to several hundred megabits per second<br />
up to a few gigabits per second for stationary systems, this is a severe limitation.<br />
To cope with these limitations, several optimizations are necessary within<br />
the WS-I Basic Profile:<br />
• Services should, where possible, be executed on local nodes. A remote invocation<br />
of services (e.g. within a portal) consumes too much b<strong>and</strong>width.<br />
• The main information exchange between military users is message oriented.<br />
For this purpose, a st<strong>and</strong>ard SOA service, a notification broker, is used to<br />
provide one or more users (consumers) with the same kind of information.<br />
To save b<strong>and</strong>width, the notification broker has to use the broadcast capability<br />
of radio networks to distribute the same information to a number of consumers<br />
in a multicast mode (necessary multicast extension to the notification broker).<br />
To enhance the performance further, it is recommended to distribute these<br />
multicast messages in simplex mode (without acknowledgement transfers<br />
from the recipients). This avoids unnecessary send/receive mode changes<br />
in the involved radio systems.<br />
• XML coding of messages within a SOA environment is not b<strong>and</strong>width efficient.<br />
To reduce the network load, message compression is required. To allow<br />
a maximum compression, the usage of schema-aware algorithms is highly<br />
recommended. Efficient XML Interchange (EXI) [4] is the W3C recommendation,<br />
<strong>and</strong> the more experimental mechanism XENIA [5] achieves compression<br />
results of about 97% of the original message size.<br />
• In a highly dynamic environment, service availability will change heavily over<br />
time. To provide users with the most recent service availability under current<br />
restrictions, service discovery mechanisms need to be able to cope with these<br />
frequent changes. CoNSIS uses WS-Discovery [6] with a few extensions,<br />
as described more fully in [7]. RuDi uses this protocol proactively to report<br />
periodically about the service availability in different nodes. However, as this<br />
service generates a significant load within the radio network, administrators<br />
have to carefully decide how to set the period of retransmission of WS-<br />
Discovery messages.<br />
C. Secure SOA in a coalition environment<br />
Obviously, a military network has to be secured to protect the confidentiality,<br />
integrity <strong>and</strong> authenticity of the data. Here too, the WS-I offers a profile to specify<br />
how the different web service security st<strong>and</strong>ards can be made to work together:<br />
the Basic Security Profile [8]. However, a military environment places more strident<br />
requirements on security than a civil one, <strong>and</strong> moreover the security measures<br />
usually need to be formally accredited. So web service security can only serve<br />
as an additional safeguard, superimposed on traditional, accredited measures.<br />
But SOA, with its highly distributed architecture, also introduces new challenges.
108 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Within a single, national implementation of a SOA environment a hierarchical<br />
model with well-defined roles <strong>and</strong> access rules may work. In a coalition environment,<br />
the various information domains may overlap several technical domains (here<br />
used as a synonym for national domains). To operate within such an environment,<br />
the following assumptions are made:<br />
• The basic protection of information is being done at network level. Modern<br />
approaches like HAIPE 3.x or NINE 2.x are used to encrypt IP packets<br />
at the network layer (hopefully end-to-end, realistically within a single<br />
technical domain).<br />
• To protect messages individually, all information types <strong>and</strong> services are<br />
encapsulated within a SOAP message <strong>and</strong> protected individually on their<br />
route between the involved communication partners by their individual<br />
certificates. This allows a specific protection <strong>and</strong> encryption of SOAP messages,<br />
based on the individual conditions of the participating roles. In addition,<br />
these SOAP messages are enhanced by XML labels to allow label<br />
switching at any domain boundary between participating partners. This<br />
way, differently classified information domains can be interconnected. To<br />
support the exchange of protected information across domain boundaries,<br />
cross domain certification is required.<br />
III. Principles of RuDi realisation<br />
To cover the previous limitations, the German SOA environment in CoNSIS,<br />
RuDi, was specified <strong>and</strong> realized in a specific way. The design principles are introduced<br />
in this section.<br />
A. Principles for service access<br />
To get sufficient information about available services in a mobile node, each<br />
user (consumer) has to contact his local service registry. This registry informs<br />
the user under which conditions (including the b<strong>and</strong>width limitations to access<br />
a remote service) a service can be used.<br />
To generate <strong>and</strong> maintain the information on different radio links, methods like<br />
PPPoE [9] for the calculation on physical link conditions <strong>and</strong> multi-topology routing<br />
(MTR) [10] to manage end-to-end conditions within the radio network are used.<br />
Figure 1 shows that the principles of cross-domain service invocation as realized<br />
in CoNSIS are the same as with local service invocation. To invoke a service,<br />
a consumer first contacts their local service registry (part of the local SOA infrastructure)<br />
to find an appropriate provider. The registry lists all service providers<br />
available to consumers in their domain, no matter whether those providers are<br />
located in the same domain or different ones. To achieve this, synchronization<br />
between infrastructures across domains is m<strong>and</strong>atory. This can be realized either
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
109<br />
by a peer-to-peer synchronization (SyncD, for details see STANAG 5524 ed. E) or,<br />
more applicable for tactical domains, using WS-Discovery [6].<br />
Figure 1. Service use across technical domains<br />
The above service registry is a st<strong>and</strong>ard UDDI v.3 with a schema extension for<br />
network conditions (add-on, optional, therefore compatible with st<strong>and</strong>ard UDDI<br />
as specified in the WS-I Basic Profile).<br />
B. Overcoming b<strong>and</strong>width limitations<br />
The h<strong>and</strong>ling of multicast information in an (ad-hoc) radio network is not<br />
simple. To avoid a larger group management behavior, within tactical radio networks<br />
Simple Multicast Forwarding (SMF) [11] is used.<br />
As various radio networks may be interconnected, it is necessary to provide<br />
a routing strategy which allows the integration of various link capabilities<br />
within a heterogeneous network overlay. Here the MTR approach [10] is used.<br />
It allows the end-to-end definition of a sequence of paths for a specific capability<br />
(e.g. for a minimum b<strong>and</strong>width between end nodes). The propagation of local link<br />
capabilities is here generated <strong>and</strong> provided by PPPoE [9]. If any radio systems do<br />
not support PPPoE (which is currently the case with most of the military radios<br />
in NATO), a PPPoE proxy or simple manual configuration may be used.<br />
Some core services were modified to be more b<strong>and</strong>width efficient. The<br />
WS-Notification [12] service for example, in which a broker distributes topic-sorted<br />
notifications published by one party to multiple subscribed consumers, now uses<br />
multicast to send out notifications if more than one consumer is subscribed to<br />
a topic. The broker will also no longer expect acknowledgements, nor will consumers<br />
send any. Apart from saving b<strong>and</strong>width, this also means that radios do not have<br />
to switch between sending <strong>and</strong> receiving mode as frequently.
110 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
To learn about published or available services from partners, WS-Discovery [6]<br />
is used. Based on the local policy, each domain will announce the services which are<br />
available for partners. WS-Discovery also uses multicast. When used in pro-active<br />
mode, each active WS-Discovery provider distributes available services periodically<br />
on a specific multicast address. This can induce a very heavy load indeed for radio<br />
networks, depending on the number of available services to be distributed <strong>and</strong> the period<br />
for re-transmission. Practical experience in the CoNSIS experiment at WTD 81<br />
in Greding in June 2012 has shown that the period, at least for l<strong>and</strong> based systems,<br />
should not be in a range of a few seconds, but between 30 seconds <strong>and</strong> 1 minute [13].<br />
Last but not least, XML, on which web services are based, is very verbose.<br />
In b<strong>and</strong>width constrained environments, exchanging larger XML messages will<br />
take a long time. This is a fundamental problem when using radios, independent<br />
of their type.<br />
The obvious solution is to use compression. As mentioned above in section<br />
II.B, the most efficient ones are those which are able to interpret the specific<br />
coding schema of the source itself. Based on this schema information, the original<br />
source can be compressed in a range of about 97% which makes an XML input<br />
more transferable in narrowb<strong>and</strong> radio networks. In the case of XML structures,<br />
the underlying schema information (which is by definition identical between source<br />
<strong>and</strong> sink) can be retrieved both by the sender <strong>and</strong> the receiver from one common or<br />
various distributed repositories within the network. The only requirement in a coalition<br />
environment is that the same schema files are used on all communication<br />
sites. This is an aspect of mission pre-planning.<br />
The remaining question, then, is which compression algorithm to use. In CoN-<br />
SIS, RuDi implemented both GZIP <strong>and</strong> XENIA [5], as the most efficient algorithm.<br />
The Norwegian framework supported GZIP <strong>and</strong> EXI [4], the st<strong>and</strong>ard-based<br />
choice. The compromise then was to use GZIP in cross-nation communication,<br />
but of course this solution is not desirable. A recommendation of which algorithm<br />
to use is to be worked out.<br />
Please note that if using WS-Security [14] in combination with compression,<br />
the XML body of the relevant SOAP message must be compressed prior to their<br />
encryption. Otherwise compression is no longer possible.<br />
The last aspect in the area of radio networks is the change in end-to-end transport<br />
services: As the transmission time <strong>and</strong> link availability may vary tremendously<br />
within interconnected radio networks, CoNSIS has mainly given up the concept<br />
of using TCP as the principal transport protocol. Instead, CoNSIS is using SOAP<br />
directly over UDP. The original specification [15] allows only the transfer of one<br />
UDP packet, which means that the SOAP message must fit completely into one UDP<br />
frame. This is not the case in every military network, with the consequence that<br />
the UDP specification has to be enhanced to allow segmentation <strong>and</strong> re-assembly<br />
as well as the recovery of lost or erroneous UDP frames. RuDi achieved this by using<br />
a wireless session protocol [16]. This approach is called the reliable UDP protocol [17].
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
111<br />
C. Security considerations in a tactical environment<br />
Within a single, national implementation of a SOA environment a hierarchical<br />
model with well-defined roles <strong>and</strong> access rules may work. In a coalition environment,<br />
the various information domains may overlap various technical domains (which<br />
is used as a synonym for national domains). To operate within such an environment,<br />
the following assumptions are made:<br />
Usage of SOAP<br />
SOAP (Simple Object Access Protocol) is the basic element of web services.<br />
SOAP is a W3C protocol st<strong>and</strong>ard. It enables st<strong>and</strong>ardized communication between<br />
distributed applications <strong>and</strong> objects, particularly in the SOA/ESB environment.<br />
Web services use SOAP for information exchange purposes <strong>and</strong> HTTP as a medium<br />
of transport. In their basic form, both SOAP as communication protocol <strong>and</strong><br />
HTTP as transport protocol do not support any security requirements. Instead,<br />
data is transmitted in plain text. HTTP is, therefore, usually employed via SSL 3.0<br />
<strong>and</strong>/or TSL 1.0 (HTTPS) to ensure the secure exchange of SOAP messages.<br />
In RuDi an additional “object protection” transmitted together with the original<br />
SOAP message is being implemented for information objects transmitted via SOAP.<br />
The OASIS st<strong>and</strong>ard WS-Security has established itself as the primary technology<br />
in this context. WS-Security defines how to use existing st<strong>and</strong>ards such as XML<br />
Encryption, XML Signature <strong>and</strong> X.509 certificates together. WS-Security is an essential<br />
enhancement of the SOAP st<strong>and</strong>ard. It is applied to fulfill the requirements<br />
with regard to message integrity, confidentiality, authenticity, <strong>and</strong> the authenticity<br />
<strong>and</strong> authority of the entities involved. It makes use of authentication <strong>and</strong> authorization<br />
based on SAML (Security Assertion Markup Language).<br />
The security architecture is probably the most problematic area for interoperability,<br />
as not only the used protocols are of interest, but the way how the security<br />
is h<strong>and</strong>led on the sending <strong>and</strong> receiving side may differ. First results in CWIX 2012<br />
have shown that this area needs a deeper agreement between partners.<br />
Figure 2. IT security services of the SOA (ESB) infrastructure
112 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The basic IT Security Architecture is based upon the RuDi Outline Concept<br />
Chapter 6.5.2 <strong>and</strong> Chapter 6.9.1 [18].<br />
In the BI-SC AIS/NNEC SOA Implementation Guidance [19] NATO document,<br />
the layers depicted in Figure 3 are classified as IT security technology that<br />
RuDi is also based upon.<br />
Figure 3. Example of a layer-based security architecture<br />
The IT security architecture of the Reference Environment for Services is based<br />
on two components:<br />
• Elementary / basic protection (basic security of the classified Bundeswehr<br />
LAN on network level)<br />
Elementary protection: the Virtual Private Network (VPN) technology<br />
protects the transmitted information from undesired access by setting up<br />
a “tunnel” protected by powerful cryptographic mechanisms that is going<br />
through insecure networks.<br />
Basic protection: The encryption by means of HAIPE, NINE or SINA with<br />
its IPSec internet protocol is based on the network level.<br />
• Object protection (security on information level)<br />
Object protection is used to secure objects – information objects – by way<br />
of authentication, encryption, integrity securing <strong>and</strong> labeling (signature).<br />
Generally, the SOA framework is an addition to the existing elementary /<br />
basic protection, which it uses. The elementary / basic protection is not described<br />
<strong>and</strong> analyzed in any more detail in this document.<br />
RuDi implements object protection on the information level (application <strong>and</strong><br />
web services) in the IT security architecture.<br />
Certificate / Key structure in RuDi<br />
Put in technical terms, an X.509 certificate is a data construct that includes a user’s<br />
public key, their personal data <strong>and</strong> a digital signature of the relevant certificate authority<br />
(CA). RuDi security is based upon certificates in accordance with the X.509 v3<br />
st<strong>and</strong>ard. Using a root certificate, every user is able to verify whether the information<br />
signed by means of these certificates <strong>and</strong> the following certificate chain is authentic.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
113<br />
An OpenDS is used as directory for certificates. It is based on the ACP 133 [20]<br />
format (ed. C or D) in order to be smoothly interoperable in the NATO context.<br />
Figure 4 shows an example of the CA structure (grayed out boxes) <strong>and</strong> an extract<br />
of the respective (Sub) CA certificate store.<br />
In the example Mission RootCA Straussberg forms the highest-level Root CA<br />
(layer 1). The SubCAs for operations (missions, layer 2) that may be located on a stationary<br />
IT system in the home country are derived from this Root CA.<br />
Figure 4. CA structure <strong>and</strong> extract of certificate store
114 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In the example the SubCA mission-A is derived from the central SubCAmission-A<br />
<strong>and</strong>, therefore, inherits its trust relationships. This means that the central<br />
SubCA-mission-A has a trust relationship with the central SubCA-mission-B<br />
in the example above.<br />
Further deployable <strong>and</strong> autonomous IT systems may exist in the theater of operations.<br />
These systems derived from the central SubCA-mission contain a separate<br />
SubCA. These SubCAs form the deployable SubCA mission of layer 4.<br />
Depending on the requirements of the theater of operations, mobile <strong>and</strong><br />
autonomous IT systems (SubSubCAs) are distributed from the deployable SubCA<br />
mission <strong>and</strong>, if applicable, also from the central SubCA-mission. These IT systems<br />
(may) contain separate limited mobile SubCAs (layer 5).<br />
The establishment of trust relationships may be required independent of the CA<br />
layer. The example in Figure 4 illustrates the establishment of a trust relationship<br />
to a Greek SubCA in the mobile SubCA operation-1b.<br />
CA* <strong>and</strong>/or SubCA* are introduced due to the fact that technical domains are<br />
autonomous but not every technical domain of layer 5 automatically needs to have<br />
its own CA* or SubCA*. Like a CA or SubCA, the CA* <strong>and</strong>/or SubCA* receives<br />
a share of information from its respective higher-level CA. This CA* or SubCA*<br />
does, however, not form a CA or SubCA in organizational terms, but it remains<br />
assigned to its issuing CA or SubCA.<br />
Synchronizations used to compare changes in the trust relationship <strong>and</strong><br />
in the revocation list are required due to the CA structure <strong>and</strong> the direct trust<br />
relationship. Figure 5 illustrates the synchronization relationships resulting from<br />
the CA structure <strong>and</strong> the direct trust relationships in the example in Figure 4.<br />
Figure 5. CA structure & trust synchronization relationships<br />
Details of the procedures to create <strong>and</strong> maintain the various certificates in RuDi<br />
are described in [18], chapter 3.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
115<br />
SOA runtime security<br />
The SOA Runtime Security is concerned with all steps <strong>and</strong> capabilities of IT<br />
security during service use <strong>and</strong> comprises:<br />
• Authentication (checking the identity – identification);<br />
• Authorization (check of authorization – access authorization);<br />
• Encryption (digital encryption);<br />
• Signature (electronic signature/ identification).<br />
The definition of “addressing <strong>and</strong> identification” forms the basis of the SOA<br />
Runtime Security.<br />
For all considerations concerning IT security it has to be noted that the IT security<br />
mechanism is regarded across technical domains (see Figure 6). It must be ensured<br />
that the mechanism is the same, both domain-internally <strong>and</strong> externally, <strong>and</strong> that<br />
simplifications working only domain-internally are not being established too quickly.<br />
Figure 6. Federation <strong>and</strong> trust configuration<br />
This means that the transmitter <strong>and</strong> receiver instance may be located in different<br />
technical domains, each with its own SOA (ESB) infrastructure.<br />
IV. Conclusion<br />
While web services have come a long way in ensuring interoperability, the profiles<br />
written for use in civil systems are insufficient for use in tactical military<br />
networks. We have in this article introduced the areas which have been identified<br />
in CoNSIS as the areas in which further specifications are necessary. Solutions for<br />
these areas have been developed in the German national project Reference Environment<br />
for Services RuDi <strong>and</strong> are being verified in various field tests including
116 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
CoNSIS. Following the full analysis of the final CoNSIS field experimentation of June<br />
2012, if the proposed elements are proven mature they may be included in a profile<br />
for SOA in tactical networks to be recommended to NATO for st<strong>and</strong>ardization, to<br />
be included e.g. in STANAG 5524 (NISP) [21].<br />
References<br />
[1] T. Buckman, “NATO network enabled capability feasibility study”, v2.0, NC3A,<br />
October 2005.<br />
[2] Web Services Interoperability Organisation, WS-I Basic Profile version 1.1, ISO/IEC<br />
29361:2008.<br />
[3] A. Diefenbach, M. Gerharz, S. Hunke, T. Lüke, <strong>and</strong> J. Tölle, Abschlussbericht<br />
SOA-Keimzelle Analyse Referenzarchitektur (SKAR), January 2010.<br />
[4] W3C, Efficient XML Interchange (EXI) Format 1.0, http://www.w3.org/TR/2011/<br />
REC-exi-20110310/, March 2011.<br />
[5] Ch. Werner, “Xenia: Die smarte XML-Kompression aus Lübeck”, FOCUS MUL, 24.<br />
Jahrgang Heft 3, September 2007.<br />
[6] OASIS, Web Services Dynamic Discovery (WS-Discovery) version 1.1, http://docs.<br />
oasis-open.org/ws-dd/discovery/1.1/os/wsdd-discovery-1.1-spec-os.docx, July 2009.<br />
[7] T. Hafsøe Bloebaum <strong>and</strong> K. Lund, ”CoNSIS: Demonstration of SOA interoperability<br />
in heterogeneous tactical networks”, MCC 2012, Gdansk, Pol<strong>and</strong>, in press.<br />
[8] Web Services Interoperability Organisation, WS-I Basic Security Profile 1.1,<br />
January 2010.<br />
[9] B. Berry, “PPP over Ethernet (PPPoE) extensions for credit flow <strong>and</strong> link metrics”,<br />
IETF RFC 5578, February 2010.<br />
[10] P. Psenak, “Multi-topology (MT) routing in OSPF”, IETF RFC 4915, June 2007.<br />
[11] J. Macker, “Simplified multicast forwarding”, IETF draft-ietf-manet-smf-14, March<br />
2012.<br />
[12] OASIS, Web Services Notification, consisting of WS-BaseNotification 1.3,<br />
WS-BrokeredNotification 1.3 <strong>and</strong> WS-Topics 1.3, October 2006.<br />
[13] CoNSIS-SC, CoNSIS final report, October 2012, unpublished.<br />
[14] OASIS, Web Services Security 1.1, February 2006.<br />
[15] xmlsoap.org, SOAP over UDP, September 2004.<br />
[16] Wireless Application Protocol Forum, Wireless Session Protocol specification, WAP-<br />
230-WSP, July 2001.<br />
[17] CoNSIS-SC, “Reliable UDP”, CoNSIS-DEU-Task1-DU-002.doc, November 2010.<br />
[18] M. Franke, H. Seifert, “IT security architecture”, IT-AmtBw, Project RuDi,<br />
E/IB1S/9A031/6F125, January 2012.<br />
[19] NATO, “BI-SC AIS/NNEC SOA implementation guidance”, final draft 1.0, December<br />
2009.<br />
[20] CCEB, Common Directory Services <strong>and</strong> Procedures, ACP 133(D), July 2009.<br />
[21] NATO, NATO Interoperability St<strong>and</strong>ards <strong>and</strong> Profiles, ADatP-34(F), December 2011.
CoNSIS: Demonstration of SOA Interoperability<br />
in Heterogeneous Tactical Networks<br />
Trude H. Bloebaum, Ketil Lund<br />
Norwegian Defence Research Establishment (FFI), Kjeller, Norway,<br />
{trude-hafsoe.bloebaum, ketil.lund}@ffi.no<br />
Abstract: The Coalition Network for Secure <strong>Information</strong> Sharing (CoNSIS) conducted a large scale<br />
experiment in Germany in June 2012. During this experiment, multiple aspects of interoperability<br />
in the tactical domain were tested in practice. This paper presents the challenges faced by Task 2,<br />
which focuses on service orientation, <strong>and</strong> the use of Web services technology as a means to achieve<br />
interoperability between nations. Furthermore, it describes how these challenges were addressed<br />
by the different information infrastructures involved. We also present our experiences with several<br />
central Web service st<strong>and</strong>ards, <strong>and</strong> describe some lessons learned when it comes to utilizing these<br />
st<strong>and</strong>ards in tactical networks.<br />
Keywords: SOA; Web services;service discovery; publish/subscribe<br />
I. Introduction<br />
The Service-Oriented Architecture (SOA) concept, most commonly implemented<br />
as Web services, is seen as a key enabler for meeting the technical<br />
interoperability requirements needed to achieve the NATO Network Enabled<br />
Capabilities (NNEC) vision. Within NATO, Web services technology has been<br />
the focus of the Core Enterprise Services (CES) working group, which has defined<br />
a number of common infrastructure services as core enterprise services.<br />
Having a common underst<strong>and</strong>ing of how these services are to be implemented<br />
<strong>and</strong> used is critical when attempting to achieve interoperability across national<br />
<strong>and</strong> systems boundaries. An important part of the work towards achieving this<br />
common underst<strong>and</strong>ing is to utilize these services in experimentation, in which<br />
the c<strong>and</strong>idate technologies are tested under conditions similar to those found<br />
in an operational network.<br />
The Coalition Network for Secure <strong>Information</strong> Sharing (CoNSIS) is a multinational<br />
group consisting of members from Germany, France, USA, <strong>and</strong> Norway,<br />
with participants from both research institutions <strong>and</strong> industry. The objectives of this<br />
group are to develop, implement, test, <strong>and</strong> demonstrate technologies <strong>and</strong> methods<br />
that will facilitate the partners’ abilities to share information <strong>and</strong> services securely
118 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
in ad-hoc coalitions, <strong>and</strong> between military <strong>and</strong> civil communication systems,<br />
within the communications constraints of mobile tactical forces.<br />
The group has focused on practical application of information infrastructure<br />
technologies in a network-of-networks, consisting of a variety of low capability<br />
network technologies. The work done within the CoNSIS group has been divided<br />
into a number of tasks, each focusing on a different aspect of interoperability issues.<br />
This paper focuses on the work done by Task 2, which, together with [1], covers<br />
the domain of SOA <strong>and</strong> its application in limited capacity networks. During June<br />
2012 CoNSIS conducted a large-scale experiment in Greding, Germany, in which all<br />
the different aspects of technical interoperability were tested; integrating the work<br />
of all the task groups of CoNSIS.<br />
II. Background<br />
For Task 2, the goal of the CoNSIS experimentation was to show that by using<br />
the Web service st<strong>and</strong>ards specified by the NNEC CES as interoperability enablers,<br />
independent implementations are able to interoperate with only the service<br />
specifications as a common reference. The reasoning behind focusing on st<strong>and</strong>ards<br />
as a means of achieving interoperability was that it enables us to evaluate not only<br />
the implementations used, but also the st<strong>and</strong>ards themselves. In other words,<br />
we can assess how suitable the st<strong>and</strong>ards specified in the NNEC CES are for use<br />
in tactical networks.<br />
A. SOA challenges<br />
Assessing Web services (<strong>and</strong> other SOA implementation approaches) through<br />
the use of st<strong>and</strong>ards based experimentation is not new; multiple other experiments<br />
covering several topics of Web service interoperability have been performed previously.<br />
One of the most recent of these was the “Making Services Interoperable”<br />
– experiment conducted by the NATO RTO IST-090 working group last year [2].<br />
In this experiment, three different SOA-based information infrastructures were connected<br />
together <strong>and</strong> interoperability was achieved. This experiment does however<br />
differ from the CoNSIS experiment in multiple ways:<br />
• The CoNSIS experiment network was considerably more complex<br />
than the network used duing the IST-090 experiments. This added complexity<br />
meant larger fluctuations in the network conditions experienced<br />
by the Web service frameworks being used.<br />
• The IST-090 experiment focused on service invocation, while the CoNSIS<br />
experiment covers both service discovery <strong>and</strong> service invocation.<br />
• IST-090 managed to achieve interoperability between both Web service <strong>and</strong><br />
Data Distribution Service (DDS) implementations of SOA, but this required<br />
the use of specialized gateways which only supported some service types.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
119<br />
The CoNSIS experiments are limited to Web service based implementations<br />
only, which allows for a more generic approach to service interoperability.<br />
• The CoNSIS experiment was performed using an IPv6 network, while<br />
the IST-090 experiment was done on IPv4. This difference meant that<br />
there were additional challenges imposed on the CoNSIS experimentation<br />
as the support for IPv6 in pre-existing software <strong>and</strong> software development<br />
tools is limited.<br />
There were primarily two NNEC core services that we wanted to test with<br />
respect to interoperability, namely service discovery <strong>and</strong> publish/subscribe. In addition,<br />
we also saw the need for focusing on topics, which is a method for classifying<br />
information, <strong>and</strong> as such constitutes the intersection between service discovery <strong>and</strong><br />
publish/subscribe. These three areas are further described in the following sections.<br />
B. Experimentation networks<br />
The CoNSIS l<strong>and</strong> mobile part of the network consists of contributions from<br />
Germany <strong>and</strong> Norway. In addition to four German <strong>and</strong> four Norwegian mobile<br />
nodes located on military vehicles, there was also an NGO vehicle. However, this<br />
NGO vehicle was not used in the SOA experiments <strong>and</strong> will therefore not be further<br />
described in this paper. Fig. 1 shows the parts of the CoNSIS network that<br />
was being using during the SOA experiments.<br />
Figure 1. CoNSIS network, initial configuration<br />
Two different radio types were used. This is partly because Germany <strong>and</strong><br />
Norway do not have the same radio systems, but also because different wireless
120 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
technologies, having different properties with regards to e.g., range, are needed.<br />
Together the two radio links form a heterogeneous network. Within the German part<br />
of the convoy the IABG HiMoNN radio was used, whereas the Kongsberg WM600<br />
radio was used within the Norwegian part of the convoy. To interconnect the two<br />
parts one German radio was placed on a Norwegian vehicle <strong>and</strong> one Norwegian radio<br />
was placed on a German vehicle.<br />
In addition to the vehicle nodes, one mobile network node was physically colocated<br />
with the deployable HQ network. This node connected the mobile network<br />
to the rest of the CoNSIS network, <strong>and</strong> was connected to mobile nodes terrestrial<br />
radio links as indicated.<br />
The eight vehicles formed two convoys, one German <strong>and</strong> one Norwegian.<br />
In the scenario, these two convoys were separated from the start, but at a later<br />
point in time, they merged into one large convoy. In addition, the network topology<br />
changed during the experiments, something that affected delay <strong>and</strong> available b<strong>and</strong>width.<br />
One such alternative topology is shown in Fig. 2.<br />
Figure 2. CONSIS network, alternative network topology<br />
Germany <strong>and</strong> Norway each provided implementations of selected parts<br />
of the NNEC CES, using Web services technology as their foundation. The two<br />
implementations were technologically quite different, as the German implementation,<br />
Referenzumgebung Dienste (RuDi) [1], is based on an Enterprise Service Bus<br />
(ESB), while the Norwegian solution consisted of multiple st<strong>and</strong>-alone components<br />
implementing the set of core services.<br />
In the experiment, the core services were used to provide a infrastructure for<br />
functional services providing three types of information:
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
121<br />
• Vehicle positions: Each vehicle reported its position (through a GPS-based<br />
positioning service) to the lead vehicle of its convoy. The lead vehicle then<br />
aggregated the positions of all convoy vehicles into a convoy Common<br />
Operational Picture (COP), which in turn was delivered to the HQ, where<br />
the two convoy COPs were aggregated into a full COP. This full COP<br />
was then distributed back to the vehicles.<br />
• Operational messages: This is a service for sending messages to other users.<br />
The messages can be of the types Alert, Warning, <strong>Information</strong>, <strong>and</strong> Comm<strong>and</strong>.<br />
File attachments are also possible.<br />
• Chat: This service provides ordinary chat functionality, based on chat rooms.<br />
All information types are distributed using WS-Notification, which is the Web<br />
service st<strong>and</strong>ard for Publish/Subscribe that is specified by the NNEC CES. Furthermore,<br />
all information types were distributed among all the vehicles as well<br />
as the HQ, as illustrated in Fig. 3.<br />
Figure 3. <strong>Information</strong> types <strong>and</strong> flows<br />
III. Service Discovery<br />
Service Discovery is the process of finding the services that are available<br />
in the network. NNEC CES has recommended the use of the registry based<br />
solution Universal Description, Discovery <strong>and</strong> Integration (UDDI) for this core<br />
service. However, when operating in a wireless network environment where node<br />
mobility <strong>and</strong> shifting network conditions can cause network partitions <strong>and</strong> loss<br />
of network connections, it is vital to use a service discovery mechanism that does not<br />
rely on the availability of any given node. In other words, we need a fully distributed<br />
service discovery mechanism [3]. The only st<strong>and</strong>ardized Web service discovery<br />
protocol that currently fulfills this requirement by operating in a distributed mode is<br />
WS-Discovery [4], which was utilized during the SOA experiments.<br />
WS-Discovery is designed for use in one of two modes: managed <strong>and</strong> ad hoc.<br />
In managed mode all nodes communicate through a discovery proxy, an entity
122 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
which performs the service discovery function of behalf of all the other nodes, <strong>and</strong><br />
which communicates with the other nodes using unicast messages. This mechanism<br />
can be used to achieve interoperability between registry based service discovery<br />
mechanisms <strong>and</strong> WS-Discovery.<br />
In ad hoc mode, on the other h<strong>and</strong>, communication is fully distributed.<br />
Requests for service information are sent using multicast to a known address,<br />
<strong>and</strong> each node is responsible for answering requests from others about its own<br />
services. The ad hoc mode is intended to be used for local communication only,<br />
<strong>and</strong> the st<strong>and</strong>ard recommends limiting the scope of multicast messages by setting<br />
the time-to-live (TTL) field of the IPv4 header to 1, or by using a link-local multicast<br />
address for IPv6.<br />
The CoNSIS experiment consists of a number of ad hoc networks connected<br />
to each other using Multi-Topology Routers (MTRs) [5], forming a IPv6 based<br />
network-of-networks. The dynamic character of these networks implies that one<br />
cannot rely on a managed mode discovery proxy to remain available, meaning that<br />
the distributed ad hoc mode should be used. However, since this mode is limited to<br />
link local communication it will not provide the multi-network service discovery<br />
capability required in the CoNSIS experiments. In order to work around this issue,<br />
we decided to go against the recommendations in the st<strong>and</strong>ard, <strong>and</strong> allow the multicast<br />
discovery messages to travel across network boundaries by using a site-local<br />
IPv6 address, <strong>and</strong> increasing the Hop Limit in the IPv6 header. This solution works<br />
within a controlled network environment such as the one used during the CoNSIS<br />
experiments, but it is less than ideal for use in larger scale networks. That is because<br />
increasing the scope of the multicast messages might cause the messages to travel<br />
further than intended, <strong>and</strong> thus cause increased network load in networks where<br />
the messages are not needed.<br />
WS-Dicovery is a hybrid discovery protocol, meaning that it has both a proactive<br />
<strong>and</strong> a reactive element (see [3] for further details on the different types of discovery<br />
protocols). The proactive element consists of the HELLO <strong>and</strong> BYE messages nodes<br />
send out when they first make a new service available, <strong>and</strong> when they remove a service,<br />
respectively. Other nodes then store the information gathered from these proactive<br />
messages, allowing them to perform service discovery without having to actively query<br />
for information. This proactive mode works well under stable network conditions,<br />
since the likelihood of these messages reaching all other nodes is high. The CoNSIS<br />
network is however not stable, which means that many of these messages will be<br />
lost, rendering the proactive element of WS-Discovery unable to provide service<br />
information to all nodes. This means that one has to rely on the reactive element<br />
of WS-Discovery, the PROBE <strong>and</strong> PROBE MATCH messages.<br />
In this reactive mode a node that requires the use of a service will ask for<br />
services matching its needs by sending a PROBE message. This message is sent using<br />
multicast, <strong>and</strong> with the extended scope of multicast messages described above,<br />
the probe will reach all other nodes that it currently has a network connection to.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
123<br />
Nodes offering a matching service send a unicast PROBE MATCH message back<br />
to the probe sender. Note that this reactive mode should be used sparingly in low<br />
capacity networks as it generates some network traffic.<br />
The flow of WS-Discovery multicast messages is illustrated in Fig. 4. Since<br />
we allowed the packets to flow across routers, a request sent by any one node<br />
in the network is received by all other nodes. If the message sent was a probe for<br />
available services, then all nodes that did offer a service matching the request would<br />
reply with a unicast message to the sender.<br />
Figure 4. WS-Discovery information flow<br />
On the German side, WS-Discovery was integrated into the RuDi system, <strong>and</strong><br />
connected to the internal service registry. This meant that any announcement made<br />
on WS-Discovery would be added to the service registry, which in turn meant that<br />
the announced service could be invoked from within RuDi. This was done by allowing<br />
RuDi to periodically probe for information, but at a low enough frequency<br />
so as not to overload the network. On the Norwegian side, WS-Discovery was used<br />
as the only discovery mechanism. A self-contained WS-Discovery application<br />
was therefore used for announcing <strong>and</strong> searching for services, which made it possible<br />
to limit the amount of probes sent into the network by only probing when<br />
a new service was needed.<br />
As mentioned above, allowing the multicast packets to traverse routers is not<br />
an ideal solution. An alternative is to combine the managed <strong>and</strong> ad hoc modes<br />
in one deployment. When a WS-Discovery proxy announces its presence, all other<br />
nodes are asked to enter managed mode, relying on the proxy for service discovery.<br />
However, the WS-Discovery specification does not require the nodes to change to<br />
managed mode, <strong>and</strong> by allowing the majority of nodes to remain in ad hoc mode<br />
<strong>and</strong> at the same time keep a link local message scope, one can secure local service<br />
discovery without the risk of generating unneeded network traffic in other networks.
124 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Combined with discovery proxies that function as relays between the networks,<br />
cross-network discovery can be achieved as well.<br />
Note that, even though the WS-Discovery specification does allow nodes to<br />
choose not to enter managed mode when receiving a message telling it to do so,<br />
it does not clearly state what the expected behavior of nodes is once the network<br />
consists of nodes in both modes simultaneously. This combination of modes<br />
is desirable when working with multiple interconnected mobile networks, <strong>and</strong><br />
therefore a profile of how to use the WS-Discovery st<strong>and</strong>ard in this context should<br />
be developed by NATO for interoperability between nations.<br />
IV. Publish/Subscribe<br />
In the CoNSIS experiment the majority of the information exchanged was distributed<br />
according to the publish/subscribe paradigm. This means that instead<br />
of a node having to repeatedly check if there is new information, the node simply<br />
send a subscription request to the information provider, asking to be notified whenever<br />
new information is available (see Fig. 5). Using Publish/Subscribe instead<br />
of the Request/Response paradigm has several advantages: The network traffic<br />
is reduced, since the client doesn’t have to send periodic requests; the server load<br />
is reduced, since there are fewer requests to process; <strong>and</strong> the client will potentially<br />
receive new data sooner, although this is dependent on the request frequency<br />
in a Request/Response setting (which in turn will affect network <strong>and</strong> server load).<br />
Figure 5. Request/Response versus Publish/Subscribe<br />
WS-Notification [6] is an OASIS st<strong>and</strong>ard <strong>and</strong> consists of a group of specifications<br />
that enable Publish/Subscribe-based communication between Web services.<br />
It comprises WS-BaseNotification, WS-BrokeredNotification <strong>and</strong> WS-Topics. While<br />
WS-BaseNotification defines which interfaces consumers (clients) <strong>and</strong> producers
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
125<br />
(servers) should expose, WS-BrokeredNotification introduces the concept of a message<br />
broker, an intermediary node which decouples consumers <strong>and</strong> publishers, <strong>and</strong><br />
relieves producers from several tasks associated with Publish/Subscribe. NNEC CES<br />
specifies WS-Notification as the st<strong>and</strong>ard to be used for Publish/Subscribe in NATO.<br />
The notifications are normally always of the same type, independent of the actual<br />
information that is delivered (i.e., the payload of the notification). When<br />
a client wants to subscribe to a specific type of data, it therefore expresses the type<br />
of information it is interested in by including a topic in the subscription request.<br />
For WS-Notification, the WS-Topics st<strong>and</strong>ard specifies how such topics should<br />
be expressed. It also defines three topic expression dialects, to allow for expression<br />
topics of different complexity. This use of topic dialects means that one can express<br />
a number of different topic structures within the same st<strong>and</strong>ard, including define<br />
one’s own dialect for h<strong>and</strong>ling topics. This topic h<strong>and</strong>ling scheme is flexible, but<br />
the added complexity using such topics means that one needs to agree not only<br />
on which topics to use, but also which dialect they want to use to express topics<br />
before communication is possible.<br />
One added complexity when using WS-Notification in a limited capacity<br />
network it that the st<strong>and</strong>ard is designed to use unicast message transmission only.<br />
That means that, even when multiple nodes in the same network want the same<br />
information, WS-Notification will send one unicast message to each recipient<br />
rather than send one multicast message that reaches all recipients. In radio based<br />
networks, where the transmission medium is shared, there is a potential for a significant<br />
reduction in network load by switching from unicast to multicast. Note<br />
that making such as switch will require further functionality to be implemented<br />
into WS-Notification, namely the ability to manage multicast group memberships.<br />
A. Norwegian infrastructure<br />
The Norwegian infrastructure used during the CoNSIS experiments consists<br />
of a number of internally developed components. The core of the infrastructure<br />
is an implementation of the core features of WS-BaseNotification <strong>and</strong> WS-<br />
BrokeredNotification. This Java implementation has support for subscribing <strong>and</strong><br />
unsubscribing, as well as for receiving <strong>and</strong> sending notifications. While not being<br />
a full implementation of the WS-Notification st<strong>and</strong>ard, this light-weight solution<br />
is well suited for use in test environments like the CoNSIS network. During<br />
the experiments all the Norwegian units were running a notification broker, <strong>and</strong><br />
all clients <strong>and</strong> services on a node subscribed to, respectively delivered notifications<br />
to, its local broker. Between nodes, the brokers subscribe to each other.<br />
Web services, including WS-Notification, normally relies on HTTP over TCP<br />
for message delivery, meaning that it is necessary to establish an end-to-end TCP<br />
connection between client <strong>and</strong> service. In the CoNSIS network this means that<br />
TCP connections in many cases would have to be established across several radio
126 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
networks with unstable links <strong>and</strong> often very high delays. To enable st<strong>and</strong>ards-based<br />
Web services over such connections, we used our Delay <strong>and</strong> Disruption Tolerant<br />
SOAP Proxy (DSProxy) [7]. These proxies constitute a middleware that hides network<br />
delay <strong>and</strong> disruptions from the applications <strong>and</strong> also compresses all traffic,<br />
allowing XML to be sent over low b<strong>and</strong>width connections.<br />
B. German infrastructure<br />
The German infrastructure consists of a complete SOA environment, RuDi,<br />
covering a range of functionality in addition to the aspects described here. For<br />
a more elaborate description of RuDi, including the German national security<br />
experiments conducted during CoNSIS, refer to [1].<br />
In order to connect the Norwegian <strong>and</strong> German infrastructures together, ensuring<br />
reliable message delivery in an unstable environment, the DSProxy was used.<br />
RuDi supports the use of multiple transport protocols at the same time, <strong>and</strong> by<br />
including the DSProxy as one of these transport options, connectivity between<br />
the Norwegian <strong>and</strong> German infrastructures was achieved.<br />
C. Experiment information flow<br />
In addition to these infrastructure components, each vehicle had a GPS component<br />
that reads the vehicle’s position from a GPS, creates an NFFI message, <strong>and</strong><br />
delivers this as a notification to the local broker. Furthermore, there was a component<br />
for creating Operational Messages, <strong>and</strong> delivering these as notifications to the local<br />
broker. There was also a chat component, which both subscribed to, <strong>and</strong> delivered<br />
notifications to, the local broker. Next, there was an aggregator function that subscribed<br />
to the position of each vehicle, <strong>and</strong> then combined all vehicle positions into<br />
one NFFI message which was then delivered to the local broker as a notification.<br />
Finally, there was a viewer application, which subscribed to NFFI tracks <strong>and</strong> Operational<br />
Messages from its local broker, <strong>and</strong> displayed them on a map (see Fig. 6).<br />
Figure 6. The viewer component
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
127<br />
As mentioned earlier, the COP was built in two steps, with the lead vehicle<br />
of each convoy building a convoy COP by subscribing to the positioning service<br />
of each vehicle, <strong>and</strong> then the HQ building the full COP by combining the two vehicle<br />
COPs. This is illustrated in Fig. 7, <strong>and</strong> represents the initial flow of position<br />
information.<br />
Figure 7. Initial configuration of flow position information<br />
Later in the scenario, the two convoys merged into one. However, since<br />
the communication between the two convoy elements was done via the HQ,<br />
information flow between them was prone to disruptions <strong>and</strong> delays even when<br />
the two convoy elements were traveling together. In order to improve upon this<br />
situation, <strong>and</strong> take advantage of the higher capacity network connections now<br />
available within the convoy, we then changed the information flow: The two lead<br />
vehicles stopped subscribing to the full COP from the HQ, <strong>and</strong> instead started<br />
subscribing to each other’s vehicle COPs. The full COP could then be built locally<br />
at each lead vehicle, <strong>and</strong> then distributed to the other vehicles in the convoy<br />
(see Fig. 8). Due to the flexibility of WS-Notification this change in information<br />
flow was easily performed, with the added benefit of both an improved response<br />
time for positional updates within the convoy, <strong>and</strong> less traffic load on the narrow<br />
reach-back links.<br />
Thus, because the notification interface is the same, regardless of information<br />
type, any subscriber can subscribe to <strong>and</strong> receive notifications from<br />
any broker, as long as the business logic behind is able to parse the payload<br />
of the notification.
128 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 8. Flow of position information after merging of convoys<br />
V. Topic h<strong>and</strong>ling<br />
All Publish/Subscribe systems require a mechanism for describing content<br />
of interest, <strong>and</strong> WS-Notification uses topics for this purpose. A topic is a way of classifying<br />
content into logical channels, <strong>and</strong> topics are usually organized into hierarchies.<br />
Thus, the highest level topic, the root topic, represents the most general classification,<br />
<strong>and</strong> then an arbitrary number of subtopic levels refine this classification.<br />
This organization of information flows based on topics is fundamentally different<br />
from the Request/Response paradigm: When looking for a Request/Response<br />
service you are interested in a service with a particular interface. This is because that<br />
interface is the only aspect of the service that is known to the consumer, <strong>and</strong> thus<br />
represents the only interface that consumer is about to invoke. The service description<br />
for a service, the WSDL file, does not contain information about the actual<br />
content provided by the service.<br />
For Publish/Subscribe, on the other h<strong>and</strong>, all services are equal with respect to<br />
the actual interface, <strong>and</strong> you need information about the content the service offers<br />
in order to distinguish between content providers. A consequence of this transition<br />
from Request/Response to Publish/Subscribe is that traditional service discovery<br />
becomes less useful. This is because all Publish/Subscribe endpoints will appear<br />
as the same service type, generating a need for additional meta-information about<br />
services, namely the topics. This shift in interest from service types to information<br />
types makes topic discovery an important issue when dealing with WS-Notification.<br />
In [8] we have described how WS-Discovery can be used to distribute information<br />
about which topics a service covers, while at the same time remaining backwards<br />
compatible with the WS-Discovery st<strong>and</strong>ard. As a preparation for the CoNSIS<br />
experiment, initial testing with topic discovery was performed at the Coalition<br />
Warrior Interoperability Experiment (CWIX), where WS-Discovery with topic<br />
support was tested by multiple partners. During this initial testing, as well as during
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
129<br />
the CoNSIS experiment execution, we discovered that while this approach provides<br />
enough information for nodes to be able to distinguish between the content offered<br />
by the different providers, certain extra functionality is desirable.<br />
In particular for notification brokers (as described in the previous section),<br />
which can serve many nodes <strong>and</strong> offer information on many different topics, it would<br />
be very useful to be able to query the broker itself about topics: For instance, which<br />
topics a broker currently provides notifications on, which topics it knows about (i.e.,<br />
has seen at some point), <strong>and</strong> if <strong>and</strong> when it has last seen notifications on a given topic.<br />
One challenge when working with topic based information exchange is that<br />
it requires all the involved parties to have prior knowledge about how topics are<br />
organized. In order for an information consumer to get the information it desires,<br />
it needs to know in advance which topic to request from the broker. In the CoN-<br />
SIS experiment we were working with two partners, making a priori distribution<br />
of topic information possible. We decided that a client normally needs information<br />
following a given schema, <strong>and</strong> we therefore chose to have a 1:1 relationship<br />
between root topic <strong>and</strong> the XML Schema of the information in question. Thus, we<br />
had the root topics “nffi”, “OpMsg” <strong>and</strong> “Chat”. However, in other contexts, other<br />
classifications may be better suited.<br />
In general, for larger scale implementations of topics, it is necessary to utilize<br />
a common information model that describes how topics are organized. This means<br />
that NATO should be the driving force behind such a model, which would then be<br />
used by all member nations.<br />
VI. Conclusion<br />
Performing practical experiments with the technologies that will form<br />
the foundation of future operational networks is vital to ensure that these technologies<br />
will be capable of meeting the interoperability requirements of complex<br />
operations. During the CoNSIS experiment we had the opportunity to test Web<br />
services in a complex network, allowing us to verify that Web services can be<br />
used as an interoperability enabler also in limited capacity tactical network. Using<br />
the Web service st<strong>and</strong>ards as the common reference between nations made<br />
interoperability possible, but there is a need for further development <strong>and</strong> profiling<br />
of st<strong>and</strong>ards in order for them to fully support the interoperability challenges<br />
faced by the nations.<br />
Due to the potential performance benefits of using the Publish/Subscribe paradigm<br />
in tactical networks, use of the WS-Notification st<strong>and</strong>ard is recommended. To<br />
be able take full advantage of the benefits of Publish/Subscribe however, multicast<br />
support for notification should be implemented. In addition, topic h<strong>and</strong>ling must<br />
be addressed, preferably by introducing a NATO recommendation addressing<br />
both the issue of incompatibilities between different topic expression dialects, <strong>and</strong><br />
containing a common topic vocabulary <strong>and</strong> structure.
130 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
References<br />
[1] H. Seifert, M. Franke, “SOA in the CoNSIS coalition environment”, IEEE MCC,<br />
Gdansk, Pol<strong>and</strong>, 2012, in press.<br />
[2] F.T. Johnsen, T.H. Bloebaum, L. Schenkles, J. Śliwa, P. Caban, “SOA over<br />
disadvantaged grids experiment <strong>and</strong> demonstrator”, IEEE MCC, Gdansk, Pol<strong>and</strong>, 2012,<br />
in press.<br />
[3] F.T. Johnsen, T. Hafsøe, M. Skjegstad, ”Web services <strong>and</strong> service discovery in military<br />
networks”, 14 th ICCRTS, Washington D.C, US, June 2009.<br />
[4] V. Modi, D. Kemp (eds.), “Web services dynamic discovery (wsdiscovery) version 1.1,”<br />
http://docs.oasis-open.org/ws-dd/discovery/1.1/wsdd-discovery-1.1-spec.pdf, July<br />
2009.<br />
[5] M. Hauge, J. Andersson, M. Brose, J. S<strong>and</strong>er, “Multi-topology routing for QoS<br />
support in the CoNSIS convoy MANET”, IEEE MCC, Gdansk, Pol<strong>and</strong>, 2012, in press.<br />
[6] OASIS, Web services Notification TC, http://www.oasis-open.org/committees/tc_home.<br />
phpwg_abbrev=wsn<br />
[7] K. Lund, E. Skjervold, F.T. Johnsen, T. Hafsøe, A. Eggen, ”Robust web services<br />
in heterogeneous military networks”, IEEE <strong>Communications</strong> Magazine, October 2010.<br />
[8] F.T. Johnsen, T.H. Bloebaum, “Topic discovery for publish/subscribe web services”,<br />
IEEE IWCMC, Limassol, Cyprus, August 2012, in press.
Protected <strong>and</strong> Controlled Communication<br />
Between <strong>Military</strong> <strong>and</strong> Civilian Networks<br />
Anders Fongen<br />
Norwegian Defence Research Establishment, Norway, <strong>and</strong>ers.fongen@ffi.no<br />
Abstract: The controlled <strong>and</strong> protected communication between civilian <strong>and</strong> military computer nodes<br />
is the objective of this paper. The release of unclassified military information to Non-Governmental<br />
Organizations (NGOs) may improve the safety <strong>and</strong> effectiveness of their operations. The information<br />
exchange must meet several requirements though, related to military tactics, the impartial status<br />
of the NGO <strong>and</strong> international jus in bello. The paper proposes a framework that both protects communication<br />
<strong>and</strong> controls the access to information resources. A prototype based on the framework<br />
has been built <strong>and</strong> was evaluated during the CoNSIS experiment in June 2012.<br />
Keywords: CiMi, Identity management, Authentication<br />
I. Introduction<br />
The presence of non-governmental organizations (NGOs) in a war zone<br />
is frequently seen, <strong>and</strong> their operations may be safer <strong>and</strong> more efficient through<br />
communication with military forces. <strong>Military</strong> information about safe routes, road<br />
conditions <strong>and</strong> observations regarding the situation for the population may be sent<br />
to the NGOs. Positions <strong>and</strong> movements of NGO vehicles <strong>and</strong> personnel may be<br />
sent to the military forces in order to avoid inadvertent attacks.[1]<br />
The information exchange must not blur the impartial status of the NGOs<br />
<strong>and</strong> must not weaken the protection of NGOs by international laws of war. NGO<br />
equipment must never convey or relay military information, <strong>and</strong> never provide<br />
information of value for the military operation. The NGO should not possess<br />
military hardware or participate in proprietary military communication protocols.<br />
From these perspectives, the detailed control of the information exchange<br />
becomes an essential property. In this paper, the proposed technical elements<br />
of interconnection, protection <strong>and</strong> control will be described <strong>and</strong> discussed.<br />
The contribution of this paper is a separation <strong>and</strong> control framework for<br />
the “minimal” interconnection of networks, where only selected <strong>and</strong> essential<br />
services are allowed to cross the CiMi interface. The framework relies to a large<br />
extent on the Identity Management system previously presented in [2], but leverages<br />
that system into an enterprise context where additional technologies like
132 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
IPSec <strong>and</strong> the XMPP protocol complements the Identity Management <strong>and</strong> offers<br />
a more “hardened” system. Besides, the discussion of requirements set on behalf<br />
of impartial <strong>and</strong> civilian NGOs has not been observed previously in the context<br />
of computing security research.<br />
The remainder of the paper is organized as follows: The next section articulates<br />
the technical non-functional requirements of the interconnection, followed<br />
by Section III where the proposed system configuration is described. Section IV<br />
gives a general introduction of Identity Management services, which are central to<br />
the proposed solution framework. Sections V-VII present the IdM prototype used<br />
for the evaluation experiment. Section VIII gives a brief presentation of the mechanisms<br />
bridging the IdM service invocation environment with the classified SOA<br />
environment. Section IX presents a set of problems related to the unconventional<br />
use of COTS products. Section X presents the experimental environment in which<br />
the framework was evaluated, <strong>and</strong> the paper finishes with a section containing<br />
some concluding remarks.<br />
II. Technical requirements<br />
The functional requirements for a Civilian-<strong>Military</strong> (CiMi) communication<br />
arrangement may be expressed in the following manner:<br />
A. COTS equipment <strong>and</strong> protocols<br />
The NGO should avoid the use of military communication equipment from reasons<br />
of impartiality <strong>and</strong> cost. A laptop computer or a smartphone is able to communicate<br />
over aWiFi link or a cellphone connection. Where possible, public communication<br />
service should be used, even though the military end of the connection would also<br />
need to link to a similar service. For longer ranges in environments without a communication<br />
service, civilian radio equipment with computer interface may be used.<br />
B. Protection of communication channel<br />
The CiMi connection must be a black network, i.e. it can run through any<br />
unprotected link. This supports the utilization of public network services or private<br />
radio links without any link crypto requirements.<br />
The end-to-end connection (possibly spanning several different links) must<br />
be protected with cryptographic equipment/software which is available for nonmilitary<br />
use, i.e.an IPSec tunnel protected with AES.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
133<br />
C. Robustness of separation (fail-close)<br />
The separation of the NGO <strong>and</strong> the military equipment should have the failclose<br />
property (also called fail-safe). Fail-close means that in the event of a failure,<br />
system security should be preferred before connectivity. Any filtering or control<br />
mechanism should operate in a deny-allow order where the default action is to<br />
deny service.<br />
D. Authentication of participants<br />
Participants in the communication should be fully identified before or during<br />
the service. Authentication is the basis for resource control <strong>and</strong> auditing, <strong>and</strong><br />
normally requires a registry of users <strong>and</strong> services where their identity is associated<br />
with the necessary credentials. Authentication across the CiMi interface should not<br />
require that the identities are registered on both sides: A Cross Domain mechanism<br />
should be in place where a trust relation between the registration authorities should<br />
allow mutual authentication across the interface without the need for multiple<br />
registration of identities.<br />
E. Role-based access control<br />
Since authentication does not require local registration of an identity, (cf.<br />
previous section) the decision to allow or deny participation in the service transaction<br />
cannot rely on the identity, but rather on roles or attributes associated with<br />
the identity. Role Based Access Control [3] should be the basis for the access control<br />
decisions, which enables the owner of a service to reserve its use for clients which<br />
possess certain roles. RBAC preserves the autonomy of domains <strong>and</strong> let them define<br />
<strong>and</strong> enforce their own independent security policies.<br />
F. Confidentiality labeling<br />
In the classification hierarchy found in military information management<br />
there is a need to decide if information kept in classified systems can be released<br />
for use on lower classification levels <strong>and</strong> even released to an NGO. One approach to<br />
achieve this is by means of confidentiality labels. They are cryptographically bound<br />
to the information object <strong>and</strong> can be automatically inspected by a guard. The guard<br />
is situated between networks of different classification levels <strong>and</strong> transfers object<br />
from high to low classification based on the confidentiality label <strong>and</strong> a transfer<br />
policy. The guard provides an isolation between two military networks <strong>and</strong> adds<br />
to the separation between the unclassified military network <strong>and</strong> the NGO.
134 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
III. The prototype configuration<br />
For an experimental evaluation of these principles (cf. Section X) a prototype<br />
was developed with the following services in mind:<br />
A. Protected service invocation<br />
A client in the NGO network should be able to invoke a positioning service<br />
in the classified network, <strong>and</strong> to receive the GPS coordinates of a mobile military<br />
unit. The service requires mutual cross domain authentication across the CiMi<br />
interface, role based access control decisions, <strong>and</strong> data inspection by the guard<br />
in order for the invocation to succeed.<br />
B. Secure chat<br />
The mobile client may write text messages to other users on a chat client<br />
program. The chat messages must be protected in the same manner as service<br />
invocation messages using the same cryptographic mechanisms. There is no need<br />
for end-to-end authentication, <strong>and</strong> a simple authentication mechanism provided<br />
by the chat server is sufficient. The chat message service covers users connected<br />
to the NGO network or the unclassified military network, but the chat server will<br />
reside in the military network.<br />
C. Configuration details<br />
Figure 1 outlines the structure of the prototype. It consists of the following<br />
actors:<br />
• An Android smartphone, acting as an NGO terminal for chat <strong>and</strong> protected<br />
service invocation.<br />
• A chat server for the XMPP chat protocol. This server will forward both<br />
chat messages <strong>and</strong> service invocation messages.<br />
• Two Identity Providers (IdP), one for the NGO domain <strong>and</strong> one for the military<br />
domain. They provide identity information for authentication operations.<br />
The details of the IdP will be explained in Section IV.<br />
• An application server, residing in the military domain, hosts application<br />
services or proxies for Web Services.<br />
• A SOAP guard, which connects the military classified <strong>and</strong> unclassified<br />
networks. It ensures that only correctly labeled data is passed from the classified<br />
to the unclassified part.<br />
• Other chat clients which use the XMPP protocol. They are connected to<br />
the XMPP server.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
135<br />
The XMPP protocol is used for the transport of chat messages as well as messages<br />
for the protected service invocation. Clients or services need to connect (<strong>and</strong><br />
log in to) the server in order to participate in any of the two services. The XMPP<br />
chat server is the only connection between the NGO nodes <strong>and</strong> the military nodes,<br />
<strong>and</strong> there is no IP route between the two networks. The figure also shows that<br />
connections outside the physical control of a wired military network is protected<br />
with IPSec tunnels.<br />
Figure 1. Outline of the experimental prototype for the demonstration of CiMi communication<br />
IV. Introduction to identity management<br />
(Most of the text in the following 4 sections are previously published in [2]).<br />
Identity Management (IdM) are collection of services <strong>and</strong> procedures for maintaining<br />
subject information (key pair, roles) <strong>and</strong> to issue credentials for the purpose<br />
of authentication, message protection <strong>and</strong> access control. From the client perspective,<br />
the credentials issued by the IdM services enables it to access many services<br />
inside a community under the protection of mutual authentication <strong>and</strong> encryption.<br />
From the server perspective, IdM enables it to offer credentials to clients in order<br />
to provide mutual authentication.<br />
The arrangement of an IdM resembles the Public Key Infrastructure (PKI),<br />
in the sense that a Certificate Authority (CA) can issue public key certificates which<br />
binds an identity to a public key in a way that can be validated by a relying party.<br />
The binding is made by the CA’s signature using a well known <strong>and</strong> trusted key.
136 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The role of the CA, called trusted third party, is widely used when making arrangements<br />
between parties that have never met before.<br />
The traditional organization of a PKI is to issue public key certificates with<br />
a long lifetime, typically 1 year. In the event that the key need to be invalidated before<br />
expiration, it need to be revoked. Revocation information needs to be disseminated<br />
to all relying parties in the form of revocation lists or online status providers. There<br />
are two main reasons why a traditional PKI is not a viable solution for identity<br />
management: First, the distribution of revocation information is costly in terms<br />
of b<strong>and</strong>width <strong>and</strong> connectivity requirements, <strong>and</strong> secondly because the public<br />
key certificate does not contain information about the subject necessary to make<br />
access control decisions.<br />
The requirements of an IdM (distinct to the requirements of a PKI) should be:<br />
• The IdM should issue short term credentials so that distribution of revocation<br />
info becomes unnecessary.<br />
• The IdM should include role/attribute information about a subject to support<br />
access control decisions etc.<br />
The decision to avoid distribution of revocation information is based on<br />
a comprehensive study of scalability properties in commercial PKI implementations<br />
[4]. The conclusion of that study is that short lived credentials generate less<br />
network traffic, have less connectivity dem<strong>and</strong>s, scales better <strong>and</strong> make the validation<br />
operation more intuitive.<br />
A. Federated identity management<br />
Several federated IdM schemes have been developed, some of which offer<br />
single sign on (SSO) for web clients [5], [6], [7]. The SSO protocols exploits the redirection<br />
mechanism of HTTP in combination with cookies <strong>and</strong> POST-data so that<br />
an Identity Provider (IdP) can authenticate the client once <strong>and</strong> then repeatedly<br />
issue credentials for services within the federation. This arrangement requires IdP<br />
invocation for each “login” operation, <strong>and</strong> does not offer mutual authentication, i.e.,<br />
no service authentication.<br />
In the situation where the client is an application program (rather than a web<br />
browser), there are more opportunities for the client to take actively part in the protocol<br />
operations, e.g., by checking service credentials, contacting the IdP for<br />
the retrieval of own credentials, caching those credentials etc. The research efforts<br />
presented in this paper assume that the clients enjoy the freedom of custom programming.<br />
The usual meaning of the word “federated” is that several servers share their<br />
trust in a common IdP for subject management <strong>and</strong> authentication. It does not<br />
necessarily imply any trust relationship between independent IdPs so that they<br />
can authenticate each others’ clients. For the following discussion, we will call<br />
the group of clients <strong>and</strong> services which put their trust in the same IdP as a com-
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
137<br />
munity of interest (COI). A trust relation between independent IdPs is called<br />
a cross-COI relation.<br />
B. Mobile <strong>and</strong> federated IdM requirements<br />
An essential property of an IdM is its ability to integrate with other components<br />
for management of personnel <strong>and</strong> equipment.<br />
• An IdM should be able to use resources from the existing PKI (keys, certificates,<br />
revocation info) <strong>and</strong> offer its services to different platforms, with different<br />
presentation syntax <strong>and</strong> for different use cases.<br />
• An IdM should also be able to tie trust relations with other IdMs in order to<br />
provide accommodation for guests <strong>and</strong> roaming clients.<br />
• An IdM should support protocol operations for mutual authentication.<br />
For IdM used in mobile systems, there are requirements related to the resource<br />
constraints found in these systems:<br />
• A IdM for mobile operations must use the minimum number of protocol<br />
operations, use small PDU sizes <strong>and</strong> must allow the use of caches.<br />
C. The relation between IdM <strong>and</strong> access control<br />
Services can enforce access control on the basis of the identity of an authenticated<br />
client, or based on roles or attributes associated with the client. For<br />
the purpose of the accommodation of roaming users, it is absolutely necessary to<br />
make access control decisions based on roles/attributes, not identity. Identity based<br />
access control requires that all roaming clients are registered into the guest IdM,<br />
which is an unscalable solution.<br />
The principles of Role/Attribute Based Access Control (RBAC/ABAC) are well<br />
investigated [3]. The names <strong>and</strong> meaning of the roles/attributes that are used to<br />
make access decisions must be coordinated as a part of an IdM trust relationship.<br />
For that reasons, the number of roles/attributes used for access control needs to<br />
be kept low.<br />
It is the obvious responsibility of an IdM to manage the roles/attributes<br />
of a subject, some of which may enter into access control decisions, others be used<br />
by the service to adapt the user interface etc. The presence of subject attributes<br />
is the main functional difference between IdM credentials <strong>and</strong> X.509 public key<br />
certificates.<br />
V. The GISMO IDM architecture<br />
For the purpose of authenticated service provisioning in military tactical<br />
networks (meaning wireless, mobile, multi-hop, multicarrier networks), an Identity
138 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Management system has been developed under the project name “GISMO” (General<br />
<strong>Information</strong> Security for Mobile Operation). The system has been previously<br />
presented in [8], [9], so its properties are only briefly listed here:<br />
Subject Distinguished Name<br />
Subject Public Key<br />
Subject Attributes<br />
Valid from−to<br />
Issuer Distinguished Name<br />
Issuer Public Key<br />
Issuer’s Signature<br />
Figure 3. The structure of the Identity Statement<br />
• It uses short lived Identity Statements containing the subject’s public key <strong>and</strong><br />
subject attributes. No revocation scheme is necessary. Identity Statements are<br />
issued by an Identity Provider (IdP).<br />
• Cross COI relations are represented by ordinary identity statements issued<br />
from one IdP to another.<br />
• IdPs can issue Guest Identity Statements when presented with an Identity Statement<br />
issued by an IdP with with which it has a Cross COI relation. A guest identity<br />
statement contains the same information, but is signed by a different IdP.<br />
• Authentication takes place either through a signature in the service request,<br />
or through the encryption of the service response.<br />
• It supports Role/Attribute Based Access Control (RBAC/ABAC) through<br />
the subject attributes.<br />
• Employs, but encapsulates an existing PKI. Clients never see X.509 certificates<br />
or revocation info.<br />
• Identity Statements are cached <strong>and</strong> re-used during its lifetime. An IdP is invoked<br />
to issue Identity Statements, not to verify authenticity.<br />
• There is loose coupling between IdP <strong>and</strong> services/clients, <strong>and</strong> between COIs.<br />
Very little redundant registration is necessary.<br />
Figure 2 illustrates the concepts <strong>and</strong> components of the GISMO IdM. Identity<br />
establishment, key generation <strong>and</strong> key certification happens in the (existing) PKI.<br />
Related to a CA (Certificate Authority) domain there are several Communities<br />
of Interest (COI) with one IdP common to all members of that community.<br />
The IdP issues signed Identity Statements. The structure of the Identity Statement<br />
is shown in Figure 3.<br />
Members of a COI only trust the signature of their IdP, so an Identity Statement<br />
(signed by the IdP) is not valid outside the COI unless there exists a cross-COI<br />
Identity Statement which links the signature of the foreign IdP to the trusted IdP.<br />
More on that later.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
139<br />
A. Cross COI relationships<br />
Any client will likely be a member of several COIs, reflecting the diverse tasks<br />
<strong>and</strong> responsibilities of a worker or a soldier. It is not convenient to manage the client’s<br />
key pairs, attributes etc. in every COI. Most of them will naturally belong to<br />
one COI, e.g., their national military unit or the employing department, <strong>and</strong> could<br />
be regarded as “guests” in other COIs.<br />
The ability to authenticate across COI borders is believed to be an essential<br />
requirement for a modern IdM. In the GISMO IdM, this problem has been solved<br />
by the use of Guest Identity Statements. One IdP can issue a Guest Identity Statement<br />
if presented for an Identity Statement issued by an IdP with which it has a trust<br />
relationship. The trust relationship is represented by a pair of cross-COI Identity<br />
Statements issued from one IdP to the other.<br />
During invocation of a service in the foreign COI, the client presents the Guest<br />
Identity Statement as a part of the authentication process.<br />
Figure 4 shows the interaction between the client <strong>and</strong> the IdPs during the issuance<br />
of identity statements. Please observe that the cross-COI identity statements<br />
are issued asynchronously with regard to the client operations, but h<strong>and</strong>ed back<br />
to the client during issuance of a guest identity statement. Abbreviations used<br />
in the figure are explained in Table I.<br />
Figure 2. The functional components of a federated IdM. Observe that the IdP serves one single<br />
COI, <strong>and</strong> the trust relations are formed between COIs, not domains. Key management<br />
is h<strong>and</strong>led by the PKI whereas the attribute management is done by the IdPs on the COI level
140 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Table 1. Abbreviations used in the figures<br />
Figure 4. The identity statement issuing protocol. The IdP of COI A, termed IdP a , issues a “native”<br />
identity statement to the client, which is given to IdP b , which in turn issues a guest identity statement.<br />
The term PKIa denotes a set of certificate validation services in COI a<br />
VI. Service invocation<br />
IdP operations <strong>and</strong> service invocations are using serialized Java objects (called<br />
POJO) as PDUs which opens up interesting opportunities: The client may simply<br />
send a parameter object to the server containing the parameter values, <strong>and</strong> the class<br />
of the object identifies the service method. This arrangement eliminates the need for<br />
a separate scheme for service addressing <strong>and</strong> also eliminates the need for separate<br />
stub/skeleton compilation.<br />
In the server, a single service endpoint hosts all services. This is possible<br />
since we do not address the service through a URL, but through association with<br />
the parameter class. The service point is a “dispatcher” service, <strong>and</strong> the serialized<br />
parameter object included in the request operation controls the dispatching<br />
process. The services are loaded dynamically from a JAR file repository at servlet<br />
startup <strong>and</strong> deployed through class introspection, no configuration file editing<br />
is necessary. Consequently, the deployment of services requires less configuration<br />
than e.g. ordinary Java servlets.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
141<br />
A. Authentication dependent on server state space<br />
The authentication mechanisms assure the identities of the client <strong>and</strong> service<br />
during service invocation. Many different authentication protocols can be incorporated<br />
into GISMO IdM as long as they employ a public key pair corresponding<br />
to the information in the Identity Statement. It is also a requirement that the authentication<br />
can be piggybacked on the service request <strong>and</strong> should not generate<br />
separate PDUs. Two protocols have been implemented in GISMO IdM:<br />
1. In those cases where the request must be authenticated before the service<br />
execution, a replay protection must be in place. Replay protection requires<br />
the server to remember past requests (by their Nonce) for a while, so a clock<br />
synchronization scheme <strong>and</strong> a non-volatile stable storage must be in place<br />
(since past requests must be be remembered also across server incarnations).<br />
These requirements are rather costly.<br />
2. In the case of a stateless service, where the execution of a service request<br />
does not alter the state of the service, replay protection is not necessary.<br />
A request should be signed by the client in order to protect the integrity<br />
of the message, but no Nonce for request replay protection is included.<br />
The response is encrypted with the client’s public key, making it useless for<br />
everyone but the holder of the private key. To a stateless server, replayed<br />
requests are not a threat <strong>and</strong> protection is not needed. Requests still need<br />
a Nonce for reasons of response replay protection, but that does not increase<br />
the state space in the server.<br />
Figures 5 <strong>and</strong> 6 shows the two variants as an interaction diagram. The interactions<br />
shown with dotted lines are related to IdP operations <strong>and</strong> discussed in more<br />
detail in Figure 4.<br />
B. Authentication during Identity Statement Issuance<br />
For privacy protection, authentication also takes place during Identity Statement<br />
issue operations. The client simply signs the request with its private key.<br />
If the requested Identity Statement contains the corresponding public key the client<br />
is regarded as authenticated. For replay attack protection, the response is encrypted<br />
with the public key of the client, which also serve to protect the potential privacy<br />
of the subject attributes.
142 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 5. The authentication protocol for the stateful service. Both the request <strong>and</strong> response are<br />
signed with the sender’s private key as a part of authentication process. A timestamp, a nonce<br />
<strong>and</strong> the server’s name is included for replay protection<br />
Figure 6. The authentication protocol for the stateless service. Requests are not reply protected since<br />
this is not considered as a threat, but the response need to be protected for reasons of response replay<br />
<strong>and</strong> information compromise. For the sake of integrity protection, the request is signed. The encryption<br />
of the response is a part of the authentication scheme, not a privacy measure
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
143<br />
VII. Messaging protocols<br />
In a wired private network where capacity <strong>and</strong> reliability suffice, <strong>and</strong> there exist<br />
IP routes between the nodes that wish to communicate, the HTTP protocol works<br />
just fine for IdP operations <strong>and</strong> service invocations. For mobile networks this is not<br />
necessarily the case: they are slow, unreliable <strong>and</strong> consists of several partitions connected<br />
with application level gateways (from reasons of security <strong>and</strong> traffic control).<br />
In the context of this experimental study of the GISMO IdM, an XMPP (eXtensible<br />
Messaging <strong>and</strong> Presence Protocol) network was already in place for chat<br />
communication. Through the XMPP routers (working as application gateways)<br />
otherwise isolated networks (where no IP route exists between them) can exchange<br />
chat messages.<br />
A. Service provision by mobile units<br />
A messaging system creates reachable endpoints for nodes which are disconnected<br />
at the IP layer. Nodes which reside behind a NAT unit or a firewall are unreachable<br />
from the outside world at the IP layer, yet a messaging system can send them<br />
messages. Through the XMPP protocol a mobile node can receive service requests<br />
just like any other service provider. The prototype system uses a very simple service<br />
container (not a servlet), which is easily portable to a mobile Android based unit.<br />
B. Access to SOAP based web services<br />
The service invocation mechanisms offered by GISMO IdM employs serialized<br />
Java objects (POJO) for its protocol data units. On the other h<strong>and</strong>, there may be<br />
existing Web Services based on SOAP messages that clients wish to invoke.<br />
In order to invoke SOAP services, proxies can be built that translates between<br />
POJO <strong>and</strong> SOAP services. This approach has been studied <strong>and</strong> tested, <strong>and</strong> represents<br />
an attractive approach. A service which takes the parameter values <strong>and</strong> passes them<br />
to a precompiled web services stub (generated by the WSDL compiler). The return<br />
value from the stub is passed back to the caller of the POJO service. Example code<br />
lines required for this function are shown below:<br />
public class MainClass {<br />
public Serializable service(WeatherRequest wr,<br />
Properties props) {<br />
try {<br />
Weather w = new Weather();<br />
String result = w.getWeatherSoap().<br />
getWeather(wr.town);<br />
return result;<br />
} catch (Exception e) { return e; }<br />
}<br />
}
144 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
This option is also attractive since it gives the developer control over service<br />
aggregation <strong>and</strong> orchestration. One service call to a POJO service need not be passed<br />
on as one single web service invocation. Many individual calls may be made, <strong>and</strong><br />
they may be sequenced or tested in any manner. Aggregated operations are useful<br />
because they potentially reduce the network traffic to <strong>and</strong> from the mobile unit,<br />
which is likely to be connected through a disadvantaged link. The proxy can even<br />
cache results for subsequent service calls.<br />
There is a problem related to signature values. Equivalent POJO <strong>and</strong> SOAP<br />
messages will have different signature values, <strong>and</strong> the integrity of the message signature<br />
is broken during a conversion. The proxy can sign the converted object using<br />
its own private key, which would require that the service accepts that the proxy<br />
vouches for the original client in the authentication phase.<br />
VIII. SOAP guard <strong>and</strong> confidentiality labeling<br />
As can be seen in Figure 1, a SOAP guard connects military networks of different<br />
classification levels as an application gateway in the form of an HTTP proxy.<br />
It relies on confidentiality labels that are bound to information object in a form that<br />
can be inspected <strong>and</strong> validated by the guard in order to make decisions whether to<br />
allow objects to be transferred from a high to a low classified network. The transport<br />
may be initiated by a client on the low side as an HTTP operation (e.g. a Web Services<br />
request), in which case the response will need a label in order to pass through.<br />
The request will need to be labeled if it is initiated on the high side.<br />
The format requirements of the label is expressed in a proposed NATO st<strong>and</strong>ard<br />
for information labeling [10], <strong>and</strong> describes the structure of the label, the signature<br />
<strong>and</strong> the binding mechanism.<br />
The proposed st<strong>and</strong>ard does not m<strong>and</strong>ate the validation of labels, but implies<br />
that there must be a PKI-type certificate validation process in order to trust<br />
the validity of a label.<br />
Nor does the NATO st<strong>and</strong>ard set requirements to the labeling process. In order<br />
to provide a trusted label, the process of creating <strong>and</strong> attaching a label must be robust<br />
against attacks from malware etc, <strong>and</strong> should be executed with high assurance.<br />
IX. Challenges <strong>and</strong> potential problems<br />
This section reports some of the technological problems that were observed<br />
during the configuration <strong>and</strong> pre-testing of the experimental set-up:<br />
A. Android client <strong>and</strong> IPSec<br />
The IPSec client on the Android platform is a basic implementation for<br />
connection to Microsoft IPSec services, which means that it only supports IPv4,
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
145<br />
IKEv1 keying protocol <strong>and</strong> relies on the use of L2TP <strong>and</strong> PPP protocols on top<br />
of the IPSec connection. The entire CoNSIS experiment was based on the use<br />
of IPv6, but the Android link required a different configuration. There is general<br />
support for IPv6 in Android, but the kernel is not able to manually set the IPv6<br />
address of an interface, which makes a tunneling arrangement infeasible.<br />
The Android IPSec appeared to to use an inactivity timer to disconnect an idle<br />
link. This was not welcome over an XMPP connection that carried infrequent<br />
messages.<br />
B. XMPP as a messaging service<br />
Although XMPP messages can carry any data <strong>and</strong> connect to any client,<br />
it was not ideal as a message service. The XMPP st<strong>and</strong>ard has chat messages<br />
in mind, <strong>and</strong> mechanisms related to presence, file transfer, avatars, rosters etc.<br />
were prominently implemented in the XMPP server. In particular, the facility to<br />
store messages that could not be delivered due to offline clients were not welcome<br />
in a messaging system used for request/response traffic. The final choice of XMPP<br />
server (OpenFire) offered an option to discard such packet, which improved its<br />
utility greatly. This server also offered centrally managed rosters, which relieved<br />
the client from creating the rosters themselves.<br />
The XMPP st<strong>and</strong>ard offers extensions for PubSub communication (XEP-0060),<br />
which is potentially a good c<strong>and</strong>idate for the transportation of service invocation<br />
messages. OpenFire implements the PubSub extension, but without any administrative<br />
tools (management of nodes <strong>and</strong> subscriptions etc.). Without such tools,<br />
experimentation on PubSub messages becomes very tedious.<br />
The XMPP connections rely on stable IP routes in the network. For purposes<br />
of chat application in tactical networks, studies has been conducted to distribute<br />
message through diffusion or gossip techniques [11]. Future experiments could<br />
possibly pursue those opportunities.<br />
C. Android network routing<br />
Although Android has several networking interfaces (WiFi <strong>and</strong> 3G) <strong>and</strong><br />
contains a Linux kernel, it does not appear to offer routing to these interfaces.<br />
All network traffic is sent to the WiFi adapter if the link is up, otherwise the 3G<br />
service is used. One initial idea was that the Android unit could access NGO resources<br />
(i.e. the Identity Provider) over a 3G connection <strong>and</strong> military resources<br />
over the WiFi/IPSec connection.<br />
Without that option, the NGO resources (the IdP) had to be placed in the military<br />
network (as seen on Figure 1). This was far from an ideal situation <strong>and</strong> was not<br />
intended in the early experiment design.
146 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
X. The CoNSIS evaluation<br />
The background for the efforts presented in this paper is the collaboration<br />
program called “Coalition Network Secure <strong>Information</strong> Sharing” (CoNSIS), with<br />
participation of military <strong>and</strong> industrial scientists from Germany, France, USA <strong>and</strong><br />
Norway. The program was operational from 2010 <strong>and</strong> its objective is “to develop,<br />
implement, test <strong>and</strong> demonstrate technologies <strong>and</strong> methods that will facilitate<br />
the participants’ abilities to share information <strong>and</strong> services securely in ad-hoc<br />
coalitions, <strong>and</strong> between military <strong>and</strong> civil communication systems, within the communications<br />
constraints of mobile tactical forces”.<br />
Another objective of CoNSIS is that “The participants intend to utilize, to<br />
the maximum extent possible, commercial st<strong>and</strong>ards to minimize interoperability<br />
difficulties. Only those elements of the technical architecture which are not available<br />
from the open market will be investigated, <strong>and</strong> potentially developed.”<br />
The main deliverance of the CoNSIS program is a technical test <strong>and</strong> demonstration<br />
which took place in Greding, Germany, during June 2012. During this demonstration,<br />
communication spanned vehicles from several countries <strong>and</strong> a number<br />
of national headquarters, using different radio systems <strong>and</strong> security technologies to<br />
access services <strong>and</strong> to exchange information. The technology experiment presented<br />
in this paper is only one of large set of experiments which took place.<br />
XI. Conclusion<br />
This part of the CoNSIS experiment was conducted with the intention to study<br />
a range of security technologies for the separation of military <strong>and</strong> civilian networks,<br />
<strong>and</strong> to study how commercial mobile units (a waterproof Android smartphone)<br />
could be employed inside that security framework.<br />
Most of the technologies (StrongSwan IPSec, serialized Java objects, homemade<br />
IdM, SOAP Guard) were working well. The use of Android was a bit overambitious,<br />
in the sense that IPv6, IPSec <strong>and</strong> network routing was implemented<br />
in a rather basic fashion.<br />
The Android unit turned out to offer excellent portability of existing Java SE<br />
sources, <strong>and</strong> the XMPP stack was directly ported to Android without the need for<br />
any corrections. The low price, availability of development tools <strong>and</strong> the existence<br />
of waterproof Android units is promising for the future use of mobile COTS units<br />
in tactical networks.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
147<br />
REFERENCES<br />
[1] R.M. Zich, “Warfighters <strong>and</strong> humanitarians: Integrating technology to save lives,”<br />
1997. [Online]. Available: http://www.globalsecurity.org/military/library/report/1997/<br />
Zich.htm [Retrieved Apr 30, 2012]<br />
[2] A. Fongen, “Federated identity management for <strong>and</strong>roid,” in SECURWARE 2011.<br />
Nice, France: IARIA, July 2011.<br />
[3] R. S<strong>and</strong>hu, D. Ferraiolo, R. Kuhn, “The NIST model for role-based access control:<br />
towards a unified st<strong>and</strong>ard,” in RBAC ’00: Proceedings of the fifth ACM workshop<br />
on Role-based access control. New York, NY, USA: ACM, 2000, pp. 47-63.<br />
[4] A. Fongen, “Optimization of a public key infrastructure,” in IEEE MILCOM, Baltimore,<br />
MD, USA, Nov. 2011.<br />
[5] “Shibboleth.”[Online]. Available http://shibboleth.internet2.edu/ [retrieved November 9,<br />
2010]<br />
[6] “OpenID.” [Online]. Available: http://openid.net/ [retrieved November 9, 2010]<br />
[7] “The Libery Alliance.” [Online]. Available: http://www.projectliberty.org/ [retrieved<br />
November 9, 2010]<br />
[8] A. Fongen, “Identity management without revocation,” in SECURWARE 2010. Mestre,<br />
Italy: IARIA, July 2010.<br />
[9] A. Fongen, “Architecture patterns for a ubiquitous identity management system,”<br />
in ICONS 2011. Saint Maartens: IARIA, Jan. 2011.<br />
[10] S. Oudkerk, I. Bryant, A. Eggen, R. Haakseth, “A proposal for an xml confidentiality<br />
label syntax <strong>and</strong> binding of metadata to data obejcts,” in NATO RTO <strong>Information</strong><br />
<strong>Technology</strong> Panel Symposium, <strong>Information</strong> Assurance <strong>and</strong> Cyber Defence, Antalya,<br />
Tyrkia, 2010.<br />
[11] M. Skjegstad, K. Lund, E. Skjervold, F.T. Johnsen, “Distributed chat in dynamic<br />
networks,” in IEEE MILCOM, Baltimore, MD, USA, Nov. 2011.
Use of Cross Domain Guards for CoNSIS<br />
Network Management<br />
Philipp Steinmetz<br />
Cyber Defense, Fraunhofer FKIE, Wachtberg, Germany,<br />
philipp.steinmetz@fkie.fraunhofer.de<br />
Abstract: This paper discusses filtering of messages sent from a classified to an unclassified network<br />
using a cross domain guard. We discuss how we can use such a guard within the network architecture<br />
designed in the CoNSIS (Coalition Networks for Secure <strong>Information</strong> Sharing) project for use<br />
in future coalition operations. A guard design is presented which enforces that only XML messages<br />
conforming to a specific format may pass the guard. It also limits the message rate based on message<br />
size <strong>and</strong> the resulting possible covert channel. We can use this guard design for low data rate<br />
applications which have to communicate across networks of different classification. We also discuss<br />
a proxy device located in the unclassified network to reduce the required amount of communication<br />
between classified <strong>and</strong> unclassified network.<br />
Keywords: <strong>Information</strong> Security; Computer networks<br />
I. Introduction<br />
Protecting confidential information while at the same time reaping the benefits<br />
of networked systems is an important goal. Traditionally military computer<br />
networks containing sensitive data have been protected by physically separating<br />
them from other systems. This complicates or prevents many important applications<br />
for which data has to pass from a classified to an unclassified system. Cross<br />
Domain Guards have been developed to allow a controlled exchange of information<br />
between systems of different classifications while filtering confidential information.<br />
The focus of this paper is on looking into the intended behavior of guards. While<br />
the actual implementation of guards is not the focus of the paper, we keep in mind<br />
that composing them from small building blocks which interact in a simple fashion<br />
is helpful for secure implementation.<br />
II. The CoNSIS project<br />
The CoNSIS (Coalition Networks for Secure <strong>Information</strong> Sharing) project is a joint<br />
effort of France, Germany, Norway <strong>and</strong> USA. The focus is on designing network
150 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
architectures <strong>and</strong> protocols for future coalition operations. The work is distributed<br />
among five tasks. The author participates in Task 3 which is responsible for security.<br />
The overall architecture [3] contains many elements of the Protected Core<br />
Networking (PCN) concept, but it is not identical. In CoNSIS several Colored<br />
Enclaves (CEs) are each connected to a Transport Network (TN) (Figure 1).<br />
The TN consists of several Transport Network Segments (TNSes). The CEs may<br />
contain unencrypted classified data. They are assumed to be physically protected<br />
from unauthorized access. Each one is run by a nation participating in the coalition.<br />
Figure 1. A CoNSIS network<br />
The TNSes are either run by a nation or by the coalition. The TN they form<br />
is an unclassified network with focus on availability without confidentiality protection.<br />
This means that classified data transmitted from one CE to another has to be<br />
encrypted before it reaches the TN. This is achieved by placing IPsec devices between<br />
each CE <strong>and</strong> the TN which encrypt all traffic leaving a CE <strong>and</strong> decrypt the incoming<br />
traffic. Message confidentiality depends on correct installation of the IPsec devices<br />
<strong>and</strong> protecting the CEs from unauthorized physical access.<br />
III. Multilevel security <strong>and</strong> cross domain guards<br />
Protecting classified information from unauthorized disclosure is among the most<br />
important goals in information processing in military applications. Strict separation<br />
of devices h<strong>and</strong>ling information of different degrees of confidentiality is often used to<br />
achieve this. For example, a user employs both a Secret <strong>and</strong> an Unclassified workstation<br />
not connected to each other for h<strong>and</strong>ling data of each classification.<br />
Such complete separation also prevents desirable flows of information between<br />
the systems. Full replication of hardware also means higher weight <strong>and</strong> greater<br />
power consumption, which can be problematic for mobile units.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
151<br />
Multilevel Security deals with h<strong>and</strong>ling data of several classifications on<br />
the same device according to some set of rules. One well-known rule set is Bell-<br />
LaPadula (BLP) [2]. Each information object has a specific classification <strong>and</strong> each<br />
user has a clearance for access to data up to a specific maximum classification.<br />
BLP enforces that no data can be transmitted to a user with insufficient clearance.<br />
This is achieved by two rules. The first rule enforces that a user may not read data<br />
without having sufficient clearance. The second one prevents users from writing<br />
data to objects with a lower classification than their own clearance. This prevents<br />
data leaks by malicious software executed by a user with a high clearance.<br />
This strict rule set does not provide mechanisms for releasing or downgrading<br />
data which is no longer considered confidential or had its confidential parts<br />
removed. Often, some downgrading mechanism has to be implemented <strong>and</strong> exempt<br />
from the BLP rules for practical reasons. In [1] Rushby introduces the concept<br />
of a separation kernel. Such a separation kernel restricts the interaction of processes<br />
on a machine to specifically allowed communication. It allows a system to<br />
behave like a distributed system with specified connections but runs on a single<br />
piece of hardware. The motivation for this is using a separation kernel for providing<br />
reliable separation of processes <strong>and</strong> using specialized code to enforce policy by<br />
message filtering <strong>and</strong> verifying the correct behavior of each individually.<br />
There are several applications such as safety-critical real-time systems which<br />
are required to behave deterministically without being influenced by other processes.<br />
Rushby explicitly names filtering data which has to bypass an encryption<br />
device as an application.<br />
We design a downgrading mechanism based on a separation kernel. One<br />
partition contains the classified data (red), one contains the unclassified data<br />
(black) <strong>and</strong> a third contains the downgrading mechanism filtering the data (Cross<br />
Domain Guard). The separation kernel enforces that no data flows directly from<br />
red to black but has to go through the guard first. This means that only the separation<br />
kernel <strong>and</strong> the guard have to be trusted. Weaknesses in other code cannot be<br />
exploited to circumvent the guard.<br />
IV. Steganography <strong>and</strong> covert channels<br />
The main task of a Cross Domain Guard is to enforce a policy on the traffic<br />
flowing through it. It has to prevent the unwanted release of classified information.<br />
The obvious part of this task is to prevent accidental or malicious<br />
transmission of classified information which is transmitted as application<br />
data <strong>and</strong> properly marked or otherwise recognizable as classified. A guard<br />
identifies the data by searching it for “dirty words” such as “secret”, validation<br />
against an XML schema, which describes the format of messages intended to<br />
pass the guard, or some fails or some other mechanism inspecting the message<br />
payload which may flag the message as classified.
152 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Apart from this more subtle ways of data transmission have to be taken into<br />
account. Steganography is the art of hiding information inside other information<br />
in order to conceal the existence of the hidden message altogether. An overview<br />
of relevant definitions can be found in [5]. A well-known example is replacing<br />
the least significant bit of color information of pixels in an image file with the embedded<br />
message. A human observer is unlikely to notice the difference, but evading<br />
detection through statistical analysis will require more advanced techniques.<br />
Anderson explains several mechanisms in [6].<br />
Covert channels are a related topic. They are used to transmit data from<br />
an object with a high classification (High) to one with a low classification (Low).<br />
In [6] a covert channel is defined as a mechanism not intended for communication<br />
which can be abused to communicate information from High to Low. In [7]<br />
the components of a covert channel, different examples <strong>and</strong> countermeasures are<br />
explained. A covert channel consists of a data variable <strong>and</strong> two synchronization<br />
variables, one sender-receiver (s-r) <strong>and</strong> one receiver-sender (r-s) synchronization<br />
variable. The first two variables are properties of the system which can be set by<br />
High <strong>and</strong> read by Low. The last one can be set by Low <strong>and</strong> read by High (Figure 2).<br />
High sets the data variable to a state representing the information to be transmitted.<br />
In the simplest case one of two states representing either 1 or 0 is set. High then<br />
uses the s-r variable to indicate that data can be received. Low reads the data variable<br />
<strong>and</strong> uses the r-s variable to inform High that it has received data. This process<br />
is repeated until all data has been transmitted.<br />
Figure 2. Covert channel components (see [7])<br />
When a common time reference is used for instead of the synchronization<br />
variables, the channel is called a timing channel otherwise it is called a storage<br />
channel. Properties of shared resources can be used as variables. A simple example<br />
is a hard disk shared by High <strong>and</strong> Low with access control mechanisms in place<br />
to prevent Low from reading files owned by High. High can allocate almost all
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
153<br />
remaining disk space <strong>and</strong> then allocate the rest to represent a 1 or deallocate some<br />
space to represent a 0. Low can now try to allocate space <strong>and</strong> determine whether<br />
it fails or not. They can then repeat this synchronized by the system clock.<br />
Both steganography <strong>and</strong> covert channels can be used by malicious software<br />
in a classified network to send classified data to an unclassified network through<br />
a guard. Guard design has to take limiting covert channels to acceptable values<br />
into account. Acceptable values depend on the environment a guard is used in.<br />
As noted in [7], the risk of espionage by sending classified satellite images via a low<br />
data rate covert channel without being detected is low due to the large file sizes,<br />
while an encryption key vulnerable to transmission by covert channel is a serious<br />
problem unless the covert channel b<strong>and</strong>width is almost nonexistent.<br />
V. A guard for management data<br />
The CoNSIS architecture is designed to prevent unencrypted classified data<br />
from leaking to the TN by encrypting all data which leaves a CE <strong>and</strong> only accepting<br />
data originating from other CEs into a CE. Since the TN is a means to transport<br />
data <strong>and</strong> the users working on classified data operate inside the CEs, the fact that<br />
messages cannot be exchanged between a device in the TN <strong>and</strong> one in a CE does<br />
not pose a problem to regular applications.<br />
If we preclude all exchange of unencrypted data between TN <strong>and</strong> CE, we limit<br />
our options regarding network management. The management has to happen<br />
inside the TN. If instead we allow management data to be exchanged between<br />
TN <strong>and</strong> CE, users inside a CE can receive status information on the transport<br />
network <strong>and</strong> manage transport network segments if they are authorized to. This<br />
provides the users inside the CEs with the ability to adapt their transmission<br />
behavior to the available resources <strong>and</strong> manage the transport network according<br />
to their priorities. While devices connected to the TN could be physically<br />
located in reach of a CE user, this would mean manual control by the user <strong>and</strong><br />
hardware replication.<br />
Passing messages between CE <strong>and</strong> TN means that these messages bypass<br />
the IPsec device <strong>and</strong> pass a filter to remove unwanted messages.<br />
Messages from CE to TN<br />
• must have legitimate management message syntax,<br />
• must not contain classified information <strong>and</strong><br />
• must not allow transmission of classified information through covert<br />
channels.<br />
Messages from TN to CE<br />
• must not introduce malicious code.<br />
One has to balance the degree to which these goals are accomplished <strong>and</strong><br />
the limitations enforced on legitimate traffic. This paper focuses on filtering messages<br />
from CE to TN using a guard.
154 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
VI. Structure of a guard<br />
The guard is designed as a sequence of filters running on a separation kernel.<br />
A message from CE to TN has to pass all filters before being released to the transport<br />
network. Each filter is installed on a partition of its own to minimize the size of each<br />
piece of critical code. We assume that XML is used for the management messages.<br />
The first filter validates the XML messages against a schema of legitimate<br />
messages. The second filter enforces additional constraints to limit the possible<br />
transmission of classified data through a sequence of messages of valid format.<br />
The last filter minimizes covert channels in packet headers. Figure 3 shows the guard<br />
components. We now discuss the properties of these components.<br />
Figure 3. Guard components<br />
The intended behavior of the first filter is specified by a schema file which<br />
is determined by the syntax of the legitimate messages. The last filter needs to<br />
overwrite packet header fields usable for covert channels. Reference [4] contains<br />
an overview of TCP <strong>and</strong> IP header fields usable for covert channels. The last filter<br />
is also responsible for limiting timing channels by forwarding incoming messages<br />
at regular intervals. The next chapter discusses the second filter.<br />
VII. A filter for delaying messages<br />
The second filter forwards <strong>and</strong> in some cases delays messages in an effort to<br />
minimize potential misuse of messages of legitimate format containing classified<br />
information hidden with steganographic mechanisms. While enforcing this security<br />
requirement, legitimate traffic needs to be delayed as little as possible. A simple<br />
version of such a filter limits the message rate by queuing them <strong>and</strong> forwarding<br />
them at fixed intervals. When the legitimate message rate is set, the expected rate<br />
in regular operation <strong>and</strong> the acceptable covert channel capacity have to be taken<br />
into account.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
155<br />
Depending on the application more complex requirements can be enforced by<br />
the filter such as setting individual message rates for each message type depending on<br />
their expected rate. If different message types have varying size, the acceptable message<br />
rate can be replaced with an acceptable payload bit rate. As an example, we<br />
can assume that there are two message types, message type A has no parameters<br />
<strong>and</strong> message type B has a 10 bit parameter. Sending a type A message transmits<br />
1 bit, sending a type B message transmits 11 bits. If we assume a malicious sender<br />
in the enclave, this is the maximum amount of classified information that can be<br />
encoded in the messages themselves. We then define a bit counter which is increased<br />
according to the acceptable bit rate <strong>and</strong> decreased according to the covert<br />
channel capacity (CCcap) when a message is sent. If the counter would be reduced<br />
to less than zero, the message is delayed (Figure 4). We set a maximum value for<br />
the counter to prevent a burst of malicious messages following a long period<br />
of regular operation. This setting has to take the expected bursts in legitimate traffic<br />
into account. The bit counter <strong>and</strong> the filter queue are checked at regular intervals.<br />
If the bit counter value is sufficient for the first message in the queue, the message<br />
is forwarded <strong>and</strong> the bit counter is adjusted.<br />
Figure 4. Bit counter<br />
The advantage of applying a guard containing such a filter is the fact that we do<br />
not need to make assumptions about the validity of messages. We can just assume<br />
that each <strong>and</strong> every message may have been sent by an attacker using every bit to<br />
covertly send messages. Then we enforce a maximum data rate on this covert channel<br />
using the mechanisms above. No knowledge of steganographic mechanisms that<br />
may have been applied is necessary. This only works if the message rate in normal<br />
operation is low. If the message rate is high, we have the choice between two unacceptable<br />
scenarios. We either set a low acceptable covert channel data rate, which<br />
will dramatically slow down legitimate traffic or we set a high acceptable covert<br />
channel data rate <strong>and</strong> thereby give up on covert channel mitigation.<br />
Depending on data available to the guard additional filter rules can be enforced.<br />
If, for example, there is a known set of routers management messages are<br />
sent to, we can keep a list of legitimate IP addresses <strong>and</strong> block messages to other<br />
destinations. If the relevant data is static <strong>and</strong> provided by a trusted mechanism,
156 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
e.g. a protected configuration interface of the guard, it can be considered a configurable<br />
part of the first filter, the XML schema filter.<br />
VIII. Error h<strong>and</strong>ling, audit <strong>and</strong> other mechanisms<br />
We can install an anomaly detection mechanism to detect unusual sequences<br />
of messages. A sequence of messages switching a setting in a router back <strong>and</strong> forth<br />
or similar occurrences may be suspicious. In such cases an alarm can be raised.<br />
In order to prevent additional guard complexity we suggest that such a device is not<br />
integrated in the guard itself, but the guard <strong>and</strong> the anomaly detection mechanism<br />
are installed in sequence. Figure 5 shows the guard <strong>and</strong> the anomaly detection<br />
mechanism.<br />
Figure 5. Guard <strong>and</strong> additional mechanisms<br />
We assume that error messages <strong>and</strong> other logging data are sent from the components<br />
generating them to an audit component within the guard via unidirectional<br />
links (Figure 3). Only authorized administrators may access the component<br />
through a physically protected interface. This simplifies development by minimizing<br />
the information flow.<br />
Unidirectional flow of messages through the filter means that we cannot<br />
explicitly notify a sender, if an internal buffer is full. In order to prevent legitimate<br />
messages from being silently discarded, we can prepend an additional buffer to<br />
the filter. It is not part of the trusted guard device. This external buffer forwards<br />
messages to the filter at the same rate as the guard does. Unlike the buffer inside<br />
the guard it can notify senders when it is full. Figure 5 shows the position of the external<br />
buffer.<br />
IX. Interaction with cryptographic protection mechanisms<br />
In our example, network management, we assume that the management<br />
messages are not particularly confidential <strong>and</strong> may be sent in the clear. If we use<br />
a guard for filtering of encrypted messages, we assume that the guard has access<br />
to the decryption key.<br />
If messages are signed to prove their authenticity to the intended recipient<br />
in the transport network, we have to prevent subliminal channels – data hidden
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
157<br />
in the signature. This can be achieved through choice of signature algorithm.<br />
While for example DSA (Digital Signature Algorithm) allows the signer to choose<br />
a parameter influencing the signature, RSA signatures are deterministic which<br />
prevents a subliminal channel [6].<br />
The text above discusses signatures used by applications to ensure integrity<br />
<strong>and</strong> authenticity. There are concepts in which a signature is applied to a message<br />
by a trusted device to label it as releasable. Then a guard releases the message<br />
if it has been signed by an authorized entity. These concepts are out of scope of this<br />
paper. The focus of this paper is on determining whether to release messages or not<br />
based on their content. A signature by the sender in the enclave is not considered<br />
sufficient for message release to the transport network in our scenario.<br />
X. A management proxy<br />
Minimizing the amount of legitimate messages passing the guard increases<br />
the difficulty of covertly passing classified information through them. If there are<br />
typical patterns in the messages that should pass, it can be helpful to install a proxy<br />
device in the transport network which exp<strong>and</strong>s messages to sets of messages. If, for<br />
example, a message has to be sent to all routers controlled by the administrator<br />
in the enclave, a single message can be sent to the proxy which instructs it to generate<br />
all these messages instead of generating all messages in the enclave.<br />
Depending on the application different “strategy” messages to the proxy <strong>and</strong><br />
its reaction when receiving them can be defined before deploying the system.<br />
The reaction may be more complex than just forwarding the message to multiple<br />
recipients. The goal is to identify the information that needs to be transmitted to<br />
the transport network <strong>and</strong> send the least amount of bits necessary to represent<br />
this information. This way we can set the guard to a low allowed bit rate while<br />
maintaining functionality.<br />
In a scenario without flow of information from the TN to the CE installing<br />
such a proxy basically allows us to compress the messages from the CE to the TN.<br />
If, without a proxy, messages are also sent from the TN to the CE, it can be possible<br />
to reduce the number of messages passing through the guard in both directions.<br />
This is the case when the proxy can take care of message exchanges without further<br />
information from within the CE. If, for example, several devices report their status<br />
<strong>and</strong> receive an acknowledgement (ACK) in return (Figure 6), we can use a proxy.<br />
Instead of each status message passing the guard to the CE <strong>and</strong> each acknowledgement<br />
passing it to the TN, we can do each exchange between device <strong>and</strong> proxy<br />
within the TN <strong>and</strong> send one aggregated status message to the CE (Figure 7). In both<br />
figures “Guard” represents the whole set of mechanisms shown in Figure 5.<br />
For some applications such proxies may exist for efficiency reasons anyway.<br />
In that case we just have to choose where they should be placed to minimize<br />
cross domain traffic. For other applications proxies may not be considered
158 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
advantageous in general because of increased complexity, delay or other reasons.<br />
Here we can analyze whether the expected decrease in cross domain traffic is worth<br />
introducing a proxy or not.<br />
Figure 6. <strong>Information</strong> flow through a guard<br />
Figure 7. <strong>Information</strong> flow through a guard with proxy<br />
XI. Related work<br />
Several products for cross domain filtering exist. One application is controlling<br />
the settings of an integrated radio <strong>and</strong> crypto device which encrypts all user<br />
data before transmitting it. If a computer containing classified data is connected to<br />
the device, comm<strong>and</strong>s sent from the computer to the radio component, e.g. setting<br />
the frequency, have to bypass the encryption component. Filter products are available,<br />
which make sure that only specific comm<strong>and</strong>s may bypass it.<br />
There are also similar guard products for filtering IP network traffic crossing<br />
a boundary between two security domains. They use filters specific to protocol <strong>and</strong><br />
application. Usually they offer customers to define filters according to their needs<br />
without mentioning details in promotional material.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
159<br />
We are not aware of a common format to specify the desired behavior of a guard<br />
beyond definition of the message format for example by an XML schema language.<br />
We intend to look into ways to represent more complex requirements such as message<br />
rate dependent on message properties.<br />
XII. Summary <strong>and</strong> future work<br />
This paper examined how messages can be passed from a classified to an unclassified<br />
network in a CoNSIS network with minimal risk of leaking classified<br />
data. The introduction was followed by an overview of the CoNSIS architecture<br />
<strong>and</strong> general information on Multilevel Security. Then we described a guard for<br />
filtering data sent from a classified to an unclassified network for low message<br />
rate scenarios. It consists of a series of filters running on a separation kernel.<br />
Then we discussed effects of use of cryptographic protection of messages. This<br />
was followed by the concept of a proxy device in the unclassified network to<br />
limit the amount of messages having to pass the guard. Finally we provided some<br />
pointers to related work.<br />
Future work includes defining the behavior of a guard <strong>and</strong> a proxy with respect<br />
to a specific application such as a network management protocol. As mentioned<br />
in the related work section, choosing a clear representation of complex requirements<br />
regarding guard behavior is also a part of future work.<br />
References<br />
[1] J. Rushby, “The Design <strong>and</strong> Verification of Secure Systems,” in Eighth ACM Symposium<br />
on Operating System Principles (SOSP), Asilomar, CA, 1981.<br />
[2] L.J. La Padula <strong>and</strong> D.E. Bell, “Secure Computer Systems: A Mathematical Model,”<br />
The MITRE Corporation, Bedford, MA, USA, 1973.<br />
[3] CoNSIS, “System <strong>and</strong> Experimentation Architectures v1.0,” 2011.<br />
[4] S.J. Murdoch <strong>and</strong> S. Lewis, “Embedding Covert Channels into TCP/IP,” in <strong>Information</strong><br />
Hiding: 7th International Workshop, volume 3727 of LNCS, Barcelona, Spain, Springer,<br />
2005.<br />
[5] B. Pfitzmann, “<strong>Information</strong> Hiding Terminology – Results of an Informal Plenary<br />
Meeting <strong>and</strong> Additional Proposals,” in Proceedings of the First International Workshop<br />
on <strong>Information</strong> Hiding, Springer-Verlag, 1996.<br />
[6] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed<br />
Systems – 2nd ed., Wiley, 2008.<br />
[7] V. Gligor, “A Guide to Underst<strong>and</strong>ing Covert Channel Analysis of <strong>Trusted</strong> Systems,”<br />
National Security Agency, Ft. George G. Meade, MD, USA, 1993.
The CoNSIS Approaches to Network Management<br />
<strong>and</strong> Monitoring<br />
Christoph Barz 1 , Anne Diefenbach 1 , Fatih Abut 1 ,<br />
Matthias Wilmes 1 , Peter Sevenich 1 , Pierre Simon 2 , Norbert Bret 2<br />
1 Communication Systems Group, Fraunhofer FKIE, Wachtberg, Germany,<br />
christoph.barz@fkie.fraunhofer.de<br />
2 Cogisys, Pertuis, France, pierre.simon@cogisys.fr<br />
Abstract: Secure information exchange is a key success factor for military operations. International<br />
coalition missions are especially challenging because of heterogeneous communication <strong>and</strong> C2IS<br />
equipment. The international project CoNSIS is targeted to fill in technical gaps regarding interoperability<br />
which occur in a reference scenario, consisting of a multinational convoy of military<br />
<strong>and</strong> non-governmental vehicles. The convoy forms an ad-hoc radio network <strong>and</strong> shares a common<br />
operational picture with an international headquarter mainly via a satellite link. This paper addresses<br />
network management challenges <strong>and</strong> technical solutions for this federated scenario. Both the core<br />
network interconnecting different national headquarters with an international headquarter as well<br />
as the ad-hoc radio network of the convoy are addressed in a single, seamless concept. In June 2012,<br />
field tests with the convoy were carried out in order to evaluate the different technical solutions.<br />
Keywords: network management; measurement architecture; federation; protected core networking;<br />
service level agreements<br />
I. Introduction<br />
CoNSIS – Coalition Networks for Secure <strong>Information</strong> Sharing – is an international<br />
project with France, Norway, Germany <strong>and</strong> the US currently participating.<br />
Based on the work done in INSC – Interoperable Networks for Secure <strong>Communications</strong><br />
– it aims to work towards Network Enabled Capability (NEC). Heterogeneous<br />
networks from different nations are to be connected <strong>and</strong> form a federated<br />
environment in which to securely share information. CoNSIS concentrates on<br />
wireless networks in the tactical domain, but also considers deployed high speed<br />
networks as well as communication in-between. On the higher network layers,<br />
it places emphasis on a service-oriented architecture as stipulated in the NNEC<br />
Feasibility Study [1].<br />
Work in CoNSIS is performed in five distinct groups. Task 1 is concerned<br />
with communication services. Task 2 is responsible for the integration of the SOA<br />
frameworks of the different nations. Task 3 is concerned with security, <strong>and</strong> task 4
162 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
with network management. Task 5 is responsible for the overall architecture <strong>and</strong><br />
a field test scenario (see below) which serves as golden thread for all technical developments.<br />
The project concludes its first phase with the field tests in June 2012.<br />
This paper will concentrate on the work done in the network management task.<br />
The CoNSIS scenario as depicted in Figure 1 is set in a country torn by civil war.<br />
International coalition troops are deployed in the country to stabilize the situation,<br />
protect the population <strong>and</strong> initiate the peace process. Larger cities are controlled<br />
by coalition forces, but the situation outside the cities is still unstable. Convoys<br />
<strong>and</strong> advanced outposts are constantly at risk of attack. The coalition troops have<br />
established an international headquarter (HQ) which has fixed network connections<br />
to several national headquarters. There are also naval forces from different nations<br />
patrolling the waters around the conflict area. The naval vessels form a wireless<br />
ad-hoc network <strong>and</strong> are connected to the other forces via satellite. There is also<br />
a backup HF radio connection.<br />
In this situation, a natural disaster occurs in a part of the country not controlled<br />
by the coalition forces. The coalition decides to aid in disaster relief efforts<br />
by escorting the vehicles of a Non-Governmental humanitarian Organization<br />
(NGO) to the disaster site <strong>and</strong> secure the area. The military vehicles are connected<br />
by different broadb<strong>and</strong> military radio technologies operating mainly in the UHF<br />
frequency spectrum, forming another ad-hoc network. As with the naval vessels,<br />
communication with the headquarters is ensured via satellite technology installed<br />
on a few specifically equipped vehicles. The NGO vehicles are also connected to<br />
the military convoy by terrestrial radio. Shortly after setting out, the convoy is joined<br />
by a second group of military vehicles from another nation. This group uses radios<br />
not compatible with the convoy’s, but a few vehicles in both groups have radios<br />
with compatible waveforms to bridge the communication between the two groups.<br />
Following a reorganization of the network in the wireless domain, they now form<br />
a comprehensive ad-hoc network.<br />
Figure 1. The CoNSIS network
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
163<br />
Making its way to the disaster area, the radio communication within the newly<br />
combined convoy is suddenly disrupted by a radio jammer. Satellite communication<br />
remains unaffected. The jamming is recognized, reported to the headquarters, <strong>and</strong><br />
finally eliminated by an air strike.<br />
The remainder of this paper is organized as follows. Section II will introduce<br />
related work which has been incorporated in the CoNSIS management concept.<br />
Section III will on this basis describe the CoNSIS management concepts, while<br />
section IV <strong>and</strong> V detail the test setup <strong>and</strong> the network management experiments<br />
performed in the field test.<br />
II. Related work<br />
The CoNSIS reference model consists of a core network to which user domains<br />
are connected via IPsec crypto devices. The core network itself is composed<br />
of a number of interworking networks operated by different administrative authorities.<br />
Figure 2 shows the main elements of the CoNSIS architecture.<br />
Figure 2. Administrative Domains<br />
This architecture is close to the Protected Core Network (PCN) [2] approach.<br />
A. Protected Core Networking<br />
In the PCN concept, secure red networks are represented by the Coloured<br />
Clouds (CCs), while the unprotected black network represents the Protected<br />
Core. PCN now requires the existence of certain distinguished nodes, the E-nodes,<br />
in the black network, which ensure availability <strong>and</strong> offer reliable transport to the CCs.<br />
These routers may be clustered to Protected Core Segments (PCSs) which together<br />
form the PCN. There are certain functionalities like traffic concealment that are
164 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
associated with the E-nodes. In addition, the PCN concept defines interfaces between<br />
different PCS <strong>and</strong> between PCS <strong>and</strong> the Coloured Clouds.<br />
The CoNSIS network architecture is based on this concept, but the two reference<br />
models are not identical. In particular, CoNSIS administrative domains are<br />
not assumed to have exactly the same functions as PCSs regarding e.g. security<br />
protection <strong>and</strong> the management of SLAs. The administrative domains interwork via<br />
interfaces which are not supposed to have the same features as the PCS-1 interface.<br />
Likewise, the generic interface between CoNSIS user domains <strong>and</strong> the core network<br />
is not necessarily compliant with the PCS-2 interface.<br />
In order to reflect the above-mentioned divergence, objects of the CoNSIS<br />
reference model are given names intentionally different from their PCN counterparts<br />
(see Figure 3):<br />
• The core network (counterpart of the PCN protected core) is referred to<br />
as the Transport Network (TN).<br />
• The TN is a collection of interworking Transport Network Segments<br />
(TNS) (counterpart of PCSs), each TNS being defined as a set of network<br />
elements under a single administrative authority. A segment administered<br />
by a national authority is referred to as an N-TNS while a segment administered<br />
by the coalition is a C-TNS.<br />
• User domains are referred to as Coloured Enclaves (CE) (counterparts<br />
of coloured clouds), separated from the TNS by IPSec. A CE can be embedded<br />
within another CE; in that case it is called an Inner Coloured<br />
Enclave (ICE).<br />
Figure 3. Network Segments <strong>and</strong> Colored Enclaves
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
165<br />
B. Federated sharing of management data<br />
The TN with its individually-administered TNSs poses a challenge to management<br />
because there is no single authority to determine how, where <strong>and</strong> when the network<br />
should be monitored, <strong>and</strong> some nations may hesitate to reveal their network structure.<br />
This situation is similar to civil federated networks, such as research networks administered<br />
by different organizations. For these, there is a monitoring framework available.<br />
PerfSONAR [3] is a network performance monitoring framework that is developed<br />
by an international consortium from the research <strong>and</strong> education community.<br />
GÉANT (Europe), ESnet, Internet 2 (USA) <strong>and</strong> RNP (Brazil) offer their customers<br />
advanced inter-domain QoS services. Delivering end-to-end QoS in a hierarchical<br />
multi-provider structure results in challenges similar to the ones occurring in a coalition<br />
network. The perfSONAR framework is an infrastructure for network performance<br />
monitoring, making it easier to solve end-to-end performance problems on<br />
paths crossing several networks.<br />
PerfSONAR uses a service-oriented architecture. The SOAP <strong>and</strong> XML based<br />
messages between the different service types are st<strong>and</strong>ardized by the Network Measurement<br />
Working Group of the Open Grid Forum. There is already a variety of service<br />
implementations available. In addition, the open, st<strong>and</strong>ardized interfaces allow for<br />
an integration of additional measurement tools, including existing solutions like<br />
Cacti [12]. PerfSONAR is already deployed at many National Research <strong>and</strong> Education<br />
Networks (NREN) around the world.<br />
The PerfSONAR multi-domain monitoring (MDM) service allows crossdomain<br />
performance monitoring with st<strong>and</strong>ardized metrics. The perfSONAR<br />
infrastructure consists of a User Interface Layer, a Web Service Layer, <strong>and</strong> a Measurement<br />
Layer. There are already several visualization tool implementations that are<br />
designed for different scenarios. At the Service Layer, the following Web services<br />
have been implemented:<br />
• Lookup WS – allows the discovery of available services <strong>and</strong> information<br />
sources<br />
• Authentication WS – provides authentication for clients <strong>and</strong> protects<br />
privacy<br />
• Measurement Archive WS – is a family of WS that allow access to measurement<br />
data from different sources (e.g. databases, files, etc.)<br />
• Measurement Point WS – allows integration of measurement tools <strong>and</strong><br />
publishing the collected data in Measurement Archives<br />
Depending on the measurement tools used, packet based measurements with<br />
IPv4, IPv6 <strong>and</strong> different QoS configurations are supported. In addition to the WS<br />
presented above, a Transformation WS has been defined but not implemented yet.<br />
For further information, a compact survey of the perfSONAR features is presented<br />
in [4]. An overview of the perfSONAR architecture can be found in [5] <strong>and</strong> [7].
166 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
III. CoNSIS management concepts<br />
As mentioned in section II.B, the concept of a Transport Network consisting<br />
of Transport Network Segments which are managed under the administrative authority<br />
of different countries can be conceived as a multi-provider network. In general,<br />
the challenges of delivering end-to-end inter-provider QoS that were addressed<br />
in the network research community (e.g. [8]) also apply to the context of coalition<br />
networks. In addition to the st<strong>and</strong>ard information hiding requirements of network<br />
providers, special security considerations regarding the Coloured Enclaves have to<br />
be addressed when sharing monitoring data <strong>and</strong> managing the Transport Network<br />
Segments for military use. The general challenges that were identified in [8] are:<br />
• Common service definitions for all administrative domains<br />
• Common performance metrics to support end-to-end SLAs<br />
Common service definitions are already addressed by CoNSIS task 1 in [11]<br />
(DSCP/Application Requirements). Without this st<strong>and</strong>ardisation a meaningful<br />
end-to-end service is hard to obtain.<br />
Common performance metrics must be used if performance information<br />
needs to be concatenated across the different providers. This does not only include<br />
the definition of the metrics themselves, but also the definition of common aggregation<br />
periods for samples <strong>and</strong> the use of reference times. Concatenation of measurements<br />
of different network segments enables a scalable approach to the control<br />
of end-to-end SLAs. This can be achieved by sectioning the network into multiple<br />
measurement segments, allowing the reuse of these measurements for different<br />
end-to-end paths. Note that the segmentation of the Transport Network already<br />
induces measurement segments. A framework for the concatenation of performance<br />
metrics [13][14] has been under development by the IETF.<br />
Multi-provider/multi-segment QoS paths result in the need for mechanisms<br />
to allocate budgets for different network impairments (e.g. delay, jitter, …) that are<br />
defined on an end-to-end basis along the path to the different network segments<br />
which are separate administrative domains. Here, approaches include a static,<br />
a dynamic <strong>and</strong> a hybrid allocation of the acceptable end-to-end impairments.<br />
In the static approach, the maximum number of Transport Network Segments<br />
could be assumed in the path. The impairments are then equally distributed between<br />
these segments. However, this approach is less efficient <strong>and</strong> may rule out<br />
possible inter-TNS paths. The dynamic negotiation approach is most efficient but<br />
requires signalling between the TNSs. In the hybrid approach, all impairments<br />
are shared equally only with segments on the path. Thus, it does not support<br />
situations in which only an unequal distribution of impairments would result<br />
in an acceptable SLA.<br />
This leads to the discussion of provider/segment interconnection models for<br />
dynamic QoS negotiation. Here, a hierarchical third party model (e.g. realized by<br />
the NATO in the form of NATO service classes) can be envisioned, as well as a co-
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
167<br />
operative model. To respect the autonomy of the different countries managing<br />
the Transport Network Segments as well as for resilience reasons, the distributed<br />
cooperative negotiation model in combination with a centralized definition of common<br />
service classes <strong>and</strong> performance metrics seems to be the most appropriate<br />
solution. In addition, a distributed approach may be more resilient to outages.<br />
Here, knowledge of the E-Node topology might be beneficial for assessing the endto-end<br />
connectivity <strong>and</strong> for finding an impairment allocation.<br />
A similar challenge may arise within Transport TNSs if they are also organized<br />
as overlay networks. Links between E-Nodes may be realized by several lower layer<br />
links by one or more independent providers. If these providers do not offer common<br />
NATO service classes the next better national service classes have to be chosen.<br />
As described in section II, the management <strong>and</strong> monitoring architecture<br />
is defined for coalition networks on the basis of TNSs <strong>and</strong> Technical Management<br />
Areas (TMAs) within the TNSs. As depicted in the following sections, the concept<br />
comprises three different interfaces related to monitoring (see Figure 4). Other<br />
management interfaces regarding configuration management are still to be defined<br />
in detail. However, Figure 5 <strong>and</strong> the description MI 4 <strong>and</strong> MI 5 provide first suggestions<br />
regarding a configuration architecture.<br />
Figure 4. Refined Performance Monitoring Architecture<br />
MI 1: The network monitoring interface MI 1 specifies the communication<br />
between measurement points <strong>and</strong> measurement archives <strong>and</strong> is national concern.
168 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
It might be either based on st<strong>and</strong>ard network management protocols like SNMP,<br />
a proprietary solution or based on a st<strong>and</strong>ardized Web service interface. The latter<br />
case should be preferred. For existing tools a wrapper to encapsulate implementation<br />
specific communication has to be implemented.<br />
MI 2 is used to transport monitoring information from measurement archives<br />
in the TMAs to the corresponding measurement archives in the national<br />
CEs. A transformation service can be used to transform raw measurement data<br />
into a format that can be shared between the different CEs. Task 3 will provide<br />
the transfer channel for the national monitoring data. Ways to accomplish this<br />
without compromising the confidentiality of red data are discussed in [6].<br />
MI 3 specifies the communication for distributing measurement <strong>and</strong> monitoring<br />
information between the CEs. A lookup service is responsible for advertising<br />
available measurements <strong>and</strong> to make the results available to search queries. The service<br />
will be based on SOA. Details of the monitoring Web service definitions will<br />
be part of a task 2 document. Task 2 is responsible to provide the monitoring UI.<br />
Figure 5. SLA Negotiation <strong>and</strong> Configuration Architecture<br />
MI 4 specifies an SLA negotiation/agreement interface between an Overall<br />
Coalition Manager <strong>and</strong> the different TNS Managers. This multi-domain QoS negotiation<br />
mechanism will work via bilateral communication between the Overall<br />
Coalition Manager <strong>and</strong> the Local TNS Managers. The communication resources<br />
are under the authority of the local TNS Managers which act as a “management<br />
decision point”. [9] presents a similar approach.<br />
MI 5 specifies a configuration interface between the local TNS Managers <strong>and</strong><br />
the Technical Management Areas under their administration. It is assumed that<br />
each TMA has special configuration management tools that might be proprietary.<br />
The TNS Manager will act as “management enforcement points”. MI 5 should<br />
comprise high level technology agnostic configuration comm<strong>and</strong>s that need to be
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
169<br />
translated into a technology specific configuration by the appropriate configuration<br />
management tools.<br />
IV. CoNSIS field test setup<br />
Experimentation in CoNSIS has a strong focus on the mobile part of the network,<br />
i.e. the convoy. It consists of three parts: NGO vehicles, Norwegian military<br />
vehicles (the original convoy), <strong>and</strong> German military vehicles (which join the convoy<br />
in phase 2). The German vehicles use three different types of radio, HiMoNN (IABG),<br />
FlexNet-4 (Rockwell Collins) <strong>and</strong> Harris radios. The Norwegian part uses Kongsberg<br />
WM600 radios <strong>and</strong> the NGOs commercial WLAN. None of these radio types are<br />
interoperable, which is why one Kongsberg radio is passed to the German convoy<br />
<strong>and</strong> one FlexNet-4 to the Norwegian one. In addition, at least one German <strong>and</strong><br />
one Norwegian vehicle have a satellite connection. All UHF military radios in our<br />
scenario perform ad-hoc routing within their technology domain, which normally<br />
cannot be deactivated <strong>and</strong> provides no information about the internal topology.<br />
In addition, multi topology routing is not supported so far. Thus, these incompatible<br />
technologies need to be tied together in an overlay network with multi topology<br />
routing [10] support to cope for the heterogeneity of the different technologies. To<br />
overcome these limitations, a liaison with COALWND, the interoperable coalition<br />
wideb<strong>and</strong> networking waveform for military radios under development, is planned<br />
to eliminate the need for a second layer of routing.<br />
Jammer detection is usually done by dedicated, strategically placed units.<br />
In CoNSIS, there is an experimental option of the jammed systems doing the detection<br />
themselves. To detect a jamming incident locally, information from different<br />
network layers must be correlated, which requires a cross-layer information<br />
architecture. Besides reporting the incident to the international headquarter, local<br />
measures may be taken to circumvent the jamming, such as changing frequency<br />
or modulation or reconfiguring the routing.<br />
V. CoNSIS management experiments<br />
Not all of the concepts described above can be realized in the CoNSIS field test.<br />
However, there are several experiments which will lay the foundations <strong>and</strong> serve<br />
as proof-of-concept:<br />
A. Core network experiments<br />
1) MA-Basic: Maintain a common network picture<br />
Purpose: Show how monitoring information can be shared between the HQs<br />
of the different nations regarding the network state within the different non-mobile
170 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
ASs <strong>and</strong> on the inter-ASs links/tunnels. The experiment helps to identify problems<br />
within the TNSs <strong>and</strong> the inter-TNS links.<br />
Test setup: PerfSONAR measurement archives collecting SNMP information<br />
from core TNS routers within each AS are installed as depicted in Figure 6.<br />
Figure 6. PerfSONAR SNMP Interface Statistic Queries<br />
In addition, measurement archives collecting Iperf <strong>and</strong> OWAMP measurements<br />
from the inter-TNS links are installed. The information will be<br />
archived so the experiment also supports an offline analysis also regarding<br />
other experiments.<br />
Walkthrough: Deployment <strong>and</strong> activation of the service is performed<br />
prior to the experiment. All nations can access the information via a Web based<br />
client during the whole experiment. All information is stored in local measurement<br />
archives. If necessary, measurement archives have to be cleared before<br />
the experimentation so there is be enough storage capacity. In regular intervals<br />
the archives were backed up.<br />
Prerequisites <strong>and</strong> special requirements: For autonomy reasons, PerfSONAR<br />
Measurement Archives (<strong>and</strong> a Lookup Service) were installed in every AS participating<br />
in the measurements (see Figure 7). Participating nations set up one<br />
or more virtual machines. In addition, an NTP server was needed to synchronize<br />
the measurements.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
171<br />
Findings: Sharing monitoring data between the different TNSs worked well<br />
in general. The performance of intra- <strong>and</strong> inter-TNS links in the non-mobile<br />
part of the network was accessible. Some performance issues querying data from<br />
within the US TNS will be analyzed as future work.<br />
Figure 7. PerfSONAR Measurement Metadata Exchange<br />
2) MA-SOA: Provide access to PerfSONAR data via the SOA architecture<br />
Purpose: Access to OWAMP data stored by PerfSONAR in a MA via<br />
a st<strong>and</strong>ard Web service as utilized in the CoNSIS SOA architecture. One application<br />
is the provision of data for generating technical profiles (see experiment<br />
4) in this section).<br />
Test setup: A SOA service acts as consumer to the PerfSONAR OWAMP<br />
measurement archives of the different nations. In turn, it offers access to the latest<br />
packet loss rate in a queried TNS for a queried class of service.<br />
One particular client application that uses the data is the technical profile<br />
process in one or several TNSs. The communication is based on SOAP messages<br />
(st<strong>and</strong>ard Web service).<br />
Walkthrough: The client process queries the information needed to generate<br />
a technical profile from the SOA service. This will be packet loss rates on various<br />
links <strong>and</strong> tunnels. The SOA service determines the archives holding the relevant
172 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
information <strong>and</strong> retrieves the data. The retrieved data is processed <strong>and</strong> the packet<br />
loss rate is forwarded to the client.<br />
Prerequisites <strong>and</strong> special requirements: The SOA service needs to be available<br />
in the TNS part of the network (not in the CEs). It does not use WS-Discovery<br />
but is statically configured.<br />
3) Measurement Probes: Assess the usability <strong>and</strong> trustworthiness<br />
of various measurement probes<br />
Purpose: Determine how <strong>and</strong> to what extent software probes can be used<br />
in a tactical network to provide measurement information.<br />
Because they require in-depth investigation <strong>and</strong> comprehensive procedures,<br />
tests of this series were actually performed before the field experimentations described<br />
in this article, but on the same testbed <strong>and</strong> with the same technical means.<br />
They paved the way for the use of appropriate measurement tools during the field<br />
tests themselves.<br />
Test setup: A broad array of measurement tools were tested, including Iperf,<br />
Internet2 OWAMP <strong>and</strong> Cisco IP SLAs which turned out to be the best ones.<br />
Software probes have a special interest in a tactical environment for the obvious<br />
reason that they do not imply additional hardware <strong>and</strong> thus have no detrimental<br />
effect on the compactness of deployed assets. Conversely, they have the downside<br />
of providing results with a lower precision, <strong>and</strong> of requiring active test flows<br />
(i.e. specific measurement packets) which may be a source of overhead.<br />
The precision <strong>and</strong> trustworthiness of software probes was assessed whenever<br />
needed by comparing the results they supply with those provided by hardware<br />
measurement tools such as Smartbit or Ipanema whose performances in terms<br />
of accuracy are acknowledged.<br />
Findings: The major lessons learnt through the tests concern the precautions<br />
a network operator should take when using software probes, the precision<br />
that can be expected in measurements, <strong>and</strong> the consistency of results supplied by<br />
probes of different types.<br />
Overall, all three above-mentioned software tools proved to be usable <strong>and</strong><br />
to provide valuable information as long as they are operated in an appropriate<br />
environment <strong>and</strong> within their normal range. It was indeed an important discovery<br />
that each measurement probe has a range (e.g. of data rates, of number of packets<br />
per second) within which it will work properly, but beyond which it may supply<br />
erroneous, incomplete or inconsistent data. The recommendation is thus that<br />
a network operator should only use measurement devices whose range of valid<br />
operation has been duly tested prior to deployment.<br />
It was also shown that, with appropriate procedures, the overhead due to active<br />
measurement flows could be kept under control <strong>and</strong> remains marginal as compared<br />
to user traffic, even in a narrow-b<strong>and</strong>width network.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
173<br />
Finally, special care must be taken when conducting active measurements<br />
in IP systems which implement such mechanisms as weighted fair queuing (WFQ).<br />
As WFQ creates a dissymmetry in the treatment of flows even if they belong to<br />
the same class of service, it may result in active test flows experiencing a different<br />
quality of service than the user flows they are intended to represent, <strong>and</strong> thus lead<br />
to erroneous conclusions in network performance monitoring. This is but one more<br />
illustration of the well known principle that measurements cannot be performed<br />
in total ignorance of the system they apply to.<br />
Another important finding is that a given probe will provide results which<br />
are consistent with themselves, but not always as consistent with those of other<br />
probes. For example, Internet2 OWAMP used in two different segments of a network<br />
will indicate jitter values which can directly be compared together, <strong>and</strong> so<br />
will Iperf, but the measurements supplied by the two tools may not be consistent<br />
with one another. This bias which may exist between two different probes is no<br />
serious hindrance per se since a theoretical study leads to the conclusion that<br />
high precision in the measurements conducted in an IP network is not needed<br />
<strong>and</strong> should not be sought. However, when comparisons are made between measured<br />
values within a network, or when measurements are composed in space or<br />
in time, the same type of tool should be used throughout the system. PerfSO-<br />
NAR <strong>and</strong> its message format provides the means to distinguish measurements<br />
of different tools.<br />
4) Technical Profiles: Use measurement results to automatically update<br />
the description of network capabilities<br />
Purpose: A technical profile is a data set which describes the current capabilities<br />
of a TNS (e.g. the quality of service it is able to support, whether it is subject to<br />
sudden major alterations due to e.g. high mobility, jamming). This data set is intended<br />
to be communicated to users or adjacent networks so they will optimize<br />
the way they use the services of the relevant TNS.<br />
Technical profiles were studied under the task 1 of CoNSIS (communication<br />
services), but an important aspect of their definition is that they should be kept<br />
up to date automatically so as to actually reflect the current transport conditions<br />
prevailing in a TNS. One essential way to update a technical profile is of course to<br />
use the results of measurements conducted according to the methods <strong>and</strong> procedures<br />
recommended by task 4.<br />
Test setup: Host A is a Web server, host B is a web client. They are located<br />
in two different colored enclaves respectively connected to TNS 1 <strong>and</strong> TNS 4.<br />
The technical profiles of these two TNSs are held by their respective Network<br />
Management Systems (NMSs). They are kept up to date thanks to measurements<br />
periodically performed by probes deployed throughout the two networks.
174 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 8. Technical profile repositories <strong>and</strong> user systems which will use these technical profiles<br />
Walkthrough: When technical profile mechanisms are not enabled <strong>and</strong> when<br />
traffic conditions in TNS 4 are adverse, it takes an unacceptable time for host B to<br />
download a HTML page from host A.<br />
When technical profile mechanisms are enabled, measurements permanently<br />
conducted in all TNSs allow the detection of a degradation of transport conditions<br />
(in this case a high packet loss rate in TNS 4), <strong>and</strong> this situation is reflected<br />
in the relevant technical profiles.<br />
Whenever it receives a request from host B, host A first determines which<br />
TNSs will be traversed by the data flow it is about to send to the Web client. Then<br />
it fetches the technical profiles of TNSs 1 <strong>and</strong> 4 <strong>and</strong> composes them to find out that<br />
the path will be affected by a high packet loss rate.<br />
Knowing this information, it decides to send to host B a HTML page with<br />
skimmed contents (i.e. with lower-resolution pictures). The time it takes for host B<br />
to download the page returns to an acceptable value.<br />
At the end of this test, the best compromise has been automatically discovered<br />
to ensure end-to-end quality of service in the presence of degraded transport<br />
conditions detected through measurements.<br />
Prerequisites <strong>and</strong> special requirements: Interface MI 2, as described in section<br />
III of this article, is required to convey to the colored domain information<br />
pertinent to the black networks.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
175<br />
D. Experiments regarding the convoy<br />
1) SNMP-Mob: Extend the common operational picture to the convoy<br />
– SNMP<br />
Purpose: Collect SNMP-based information from the mobile domain.<br />
Test setup: A PerfSONAR SNMP measurement archive is installed on the border<br />
router of the mobile domain. Data about interface/tunnel statistics is requested<br />
from the mobile MTR routers that have a direct SAT connection to the border<br />
router of the mobile domain.<br />
Figure 9. SNMP Interface Statistics Queries in the Wireless Domain<br />
Walkthrough: Periodic queries via SNMP from the measurement archive<br />
co-located with the border router of the mobile domain are performed. This data<br />
can be accessed via the PerfSONAR framework.<br />
Prerequisites <strong>and</strong> special requirements: SNMP data is fetched remotely<br />
via the satellite links. This has to be taken into account by experiments related to<br />
the convoy part of the network. The impact on the satellite links is supposed to be<br />
not relevant.<br />
Findings: Throughput from the mobile domain was extracted without overloading<br />
the mobile links. Because of the full mesh of overlay tunnels for every radio<br />
technology, it was even possible to identify traffic to/from different nodes just using<br />
interface statistics. The results also clearly showed when nodes were isolated.<br />
Follow-up measurement samples need to be interpreted accordingly. However,<br />
identifying the cause (limited transmission range vs. jamming) will only be possible<br />
by correlating this data with cross layer information like the noise level.
176 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
2) OSPF-Topo: Monitoring of the OSPF topology of the mobile domain<br />
Purpose: Providing real time information about the communication status<br />
<strong>and</strong> connectivity within the convoy with minimal/no communication overhead<br />
to the mobile components OSPF domain. This includes the terrestrial radio links<br />
as well as the satellite links to the HQ.<br />
Test setup: The OSPFv2 MIB of the non-mobile MTR located at the Multi<br />
National Deployed HQ is queried via SNMP by a software tool running also<br />
in the HQ. The OSPFv3 MIB is not yet supported by the MTR implementation<br />
based on Vyatta Linux. The information provided consists of a snapshot of the Links<br />
State Database of the MTR <strong>and</strong> thus provides a local view of the OSPFv2 topology<br />
of the mobile domain.<br />
Walkthrough: The OSPFv2 Link State <strong>Information</strong> was shown on a computer<br />
located at the Multi National Deployed HQ <strong>and</strong> continuously provided information<br />
regarding the communication status of the convoy to the other experiments.<br />
In addition, a packet capturing process was started at the MTR in the HQ to<br />
allow for an offline analysis of the Routing Protocol behavior (OSPFv2 <strong>and</strong> OSPFv3)<br />
in the post processing of the experiments.<br />
Prerequisites <strong>and</strong> special requirements: Remote access to the MTR is needed.<br />
3) Jammer-Basic: Cooperative detection of the jammer<br />
Purpose: Show that the detection of a jammer is possible within the convoy<br />
with cross-layer information aggregation of data from the radios.<br />
Test setup: A cross-layer framework called CRAWLER [15][16] was installed<br />
on two dedicated routers equipped with WIFI cards. One of the nodes was located<br />
in a German military vehicle. The other node is located at an NGO vehicle.<br />
Walkthrough: The CRAWLER framework needed to be installed <strong>and</strong> configured<br />
on both ends of the communication. The connection between the German<br />
military vehicle <strong>and</strong> the German NGO vehicle was established. Special jamming<br />
equipment was placed between both nodes. In addition, plausibility checks<br />
of cross-layer information were performed via the CRAWLER framework. Thus,<br />
the presence of a possible jamming incident was detected based on this local information.<br />
Prerequisites <strong>and</strong> special requirements: Jamming equipment for WIFI<br />
as well as a military <strong>and</strong> an NGO vehicle equipped with WIFI devices connected<br />
to the black part of the network <strong>and</strong> as well as the CRAWLER service. No dynamic<br />
routing was performed on this link.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
177<br />
4) Jammer-Notification: Automated notification of the HQ by the<br />
CRAWLER application via the Operational Message Service (OMS)<br />
Purpose: Provided by task 2, the Operational Message Service (OMS) is a notification-based<br />
service intended to distribute comm<strong>and</strong>s, information, warnings<br />
<strong>and</strong> alerts. By using the OMS to raise the alarm about a suspected jamming incident,<br />
two purposes are answered: One, the OMS is notification-enabled <strong>and</strong> allows any<br />
interested party to subscribe to the alerts, without the necessity of setting up any new<br />
information structures or configurations; <strong>and</strong> two, it is a good example of a taskcomprehensive<br />
test. Note: Since the OMS provider <strong>and</strong> the notification broker<br />
are located in the red network <strong>and</strong> CRAWLER in the black, a cross domain guard<br />
was needed to allow for a controlled forwarding of the message.<br />
Test setup: The CRAWLER application includes a WS-Notification client<br />
with a publish method set up for the Operational Message Service to send an alert<br />
about a detected potential jamming attack to a WS-Notification broker. The German<br />
portable Comm<strong>and</strong> <strong>and</strong> Control <strong>Information</strong> System (C2IS) subscribed to<br />
alerts of this kind <strong>and</strong> was capable of displaying the jamming incident at the geographic<br />
location in the GUI.<br />
Walkthrough: Upon the detection of a potential jamming incident an alert<br />
was sent via Operational Message Service. Subscribers, namely the German portable<br />
C2IS system, received the alert <strong>and</strong> processed it. The content eas displayed<br />
in the C2IS GUI.<br />
VI. Conclusions <strong>and</strong> future work<br />
In this paper, we introduce both challenges <strong>and</strong> technical solutions for federated<br />
network management with special requirements regarding security <strong>and</strong> information<br />
hiding, as well as addressing the wireless <strong>and</strong> core domains. Building on the Protected<br />
Core Networking concept, we showed how a well established framework<br />
PerfSONAR for sharing network performance measurements between different<br />
research networks can be extended <strong>and</strong> applied to the CoNSIS scenario. In addition,<br />
we presented the first prototype of an architecture that can use the performance<br />
measurements to adjust SLAs between the different nations of the coalition.<br />
The paper concludes with details about the experiments performed within<br />
the CoNSIS field tests. These tests lay the foundations <strong>and</strong> serve as proof-ofconcept.<br />
The results will set the agenda for the second phase of the CoNSIS project.<br />
Acknowledgment<br />
This work has been performed within the CoNSIS project.
178 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
References<br />
[1] NATO Network Enabled Capability Feasibility Study Executive Summary v. 2.0,<br />
October 2005.<br />
[2] G. Hallingstad <strong>and</strong> S. Oudkerk, “Protected core networking: an architectural<br />
approach to secure <strong>and</strong> flexible communications”, <strong>Communications</strong> Magazine, IEEE,<br />
2008, 46, pp. 35-41.<br />
[3] PerfSONAR Homepage (last accessed May 24, 2012).<br />
[4] perfSONAR MDM release 3.0 – Product Brief.<br />
[5] Instantiating a Global Network Measurement Framework http://acs.lbl.gov/~tierney/<br />
papers/perfsonar-LBNL-report.pdf.<br />
[6] P. Steinmetz, “Use of Cross Domain Guards for CoNSIS network management“,<br />
MCC 2012, Gdansk, Pol<strong>and</strong>, in press.<br />
[7] PerfSONAR: A Service Oriented Architecture for Multi-domain Network Monitoring.<br />
[8] P. Jacobs <strong>and</strong> B. Davie, “Technical challenges in the delivery of interprovider QoS”,<br />
Communication Magazine, IEEE, vol. 43, no. 6, 2005, pp. 112-118.<br />
[9] D. Duda et al., “The QoS Policy Agreement System for Federation of <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> Systems”, MCC 2011, Amsterdam, The Netherl<strong>and</strong>s, Oct. 2011.<br />
[10] M. Hauge, M.A. Brose, J. S<strong>and</strong>er, <strong>and</strong> J. Andersson, “Multi-topology routing<br />
for improved network resource utilization in mobile tactical networks,” <strong>Military</strong><br />
<strong>Communications</strong> Conference, 2010 – MILCOM 2010, pp. 2223-2228, Oct. 31 2010-<br />
Nov. 3 2010.<br />
[11] M. Hauge, CoNSIS Task 1, “QoS-classes for the CoNSIS test <strong>and</strong> demonstration<br />
architecture”.<br />
[12] “Cacti – The Complete RRDTool-based Graphing Solution”, http://www.cacti.net/<br />
(last accessed June 13, 2012).<br />
[13] A. Morton <strong>and</strong> S. Van den Berghe, “Framework for Metric Composition”, December<br />
2009, .<br />
[14] A. Morton <strong>and</strong> E.Stephan, “Spacial Composition of Metrics”, IETF-RFC6049<br />
January 2011.<br />
[15] I. Aktas, J. Otten, F. Schmidt, <strong>and</strong> K. Wehrle, “Towards a Flexible <strong>and</strong> Versatile<br />
Cross-Layer-Coordination Architecture,” Proceedings of the 29th International<br />
Conference on Computer <strong>Communications</strong> (INFOCOM 2010), pp. 1-5, March 2010.<br />
[16] I. Aktas, F. Schmidt, M.H. Alizai, T. Drüner, <strong>and</strong> K. Wehrle, “CRAWLER:<br />
An Experimentation Architecture for System Monitoring <strong>and</strong> Cross-Layer-<br />
Coordination,” Proceedings of the 13th International Symposium on a World<br />
of Wireless, Mobile <strong>and</strong> MultimediaNetworks (WoWMoM ’12), pp. 1-9, June 2012,<br />
in press.
Multi-Topology Routing for QoS Support<br />
in the CoNSIS Convoy MANET<br />
Mariann Hauge 1 , Jon Andersson 2 , Margrete A. Brose 1 , Jostein S<strong>and</strong>er 1<br />
1 Norwegian Defence Research Establishment (FFI), Kjeller, Norway,<br />
{Mariann.Hauge, Margrete-Allern.Brose, Jostein.S<strong>and</strong>er}@ffi.no<br />
2 Thales Norway AS, Oslo, Norway, Jon.Andersson@thalesgroup.com<br />
Abstract: This paper shows how Multi-Topology (MT) routing is used to maintain three different<br />
network topologies in the heterogeneous l<strong>and</strong> mobile network architecture used in the Coalition<br />
Network for Secure <strong>Information</strong> Sharing (CoNSIS) project. The topologies are each associated with<br />
one or more quality of service (QoS) classes to provide differentiated QoS in this disadvantaged grid.<br />
A proposal for how to connect a Multi-Topology routing protocol to adjacent Single-Topology (ST)<br />
interior gateway protocols <strong>and</strong> exterior gateway protocols is also given.<br />
Keywords: multi-topology routing; QoS; admission control; MANET; OSPF; IPv6)<br />
I. Introduction<br />
In a coalition operation the participating nations will typically bring their<br />
national radio equipment into the theater. Usually the equipment will comprise<br />
of a wide selection of br<strong>and</strong>s <strong>and</strong> technologies, depicting the normally long lifetime<br />
of radio systems. These radios will most likely not be compatible on the air,<br />
<strong>and</strong> if they are, they will not have compatible security solutions, management or<br />
services for the end user. The main goal of the multinational Coalition Network<br />
for Secure <strong>Information</strong> Sharing (CoNSIS) project is to solve these interoperability<br />
issues. CoNSIS proposes solutions to improve interoperability in all the above<br />
mentioned areas. This paper presents the Multi-Topology routing concept as used<br />
by CoNSIS to provide differentiated QoS in the l<strong>and</strong> mobile network that utilizes<br />
many different transmission technologies for internal communication as well<br />
as reach-back to the deployed headquarters.<br />
To provide a reliable network for different operation types <strong>and</strong> in varying<br />
terrains, a tactical mobile network infrastructure must consist of a variety of wireless<br />
network types, e.g., long-range communication for reach-back connections<br />
The authors have copy right of all figures in the paper “Multi-Topology Routing for QoS Support in the CoNSIS<br />
Convoy MANET”.
180 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> a higher b<strong>and</strong>width network for local communication. A single transmission<br />
technology, e.g. a VHF network, will not be able to support all communication<br />
types <strong>and</strong> b<strong>and</strong>width requirements. In CoNSIS we assume that the different nations<br />
participating in a coalition operation bring their national tactical networks<br />
to the battlefield. Thus there may be a large number of different, non-compatible<br />
radio systems present in the mission network. The aim of CoNSIS is to be able to<br />
combine all available radio systems in an operation to provide an efficient, common<br />
network for coalition use. This gives the operator a single entry point to the complete<br />
heterogeneous coalition network, the network will be better utilized, <strong>and</strong><br />
multiple transmission technologies <strong>and</strong> routing paths will also improve the network<br />
reliability by providing alternative routing paths during e.g. jamming attempts.<br />
The resulting coalition network will consist of radios which have large variations<br />
in capabilities <strong>and</strong> transmission range. Thus it is challenging to administer, admit,<br />
<strong>and</strong> route traffic flows in these networks.<br />
In a mobile tactical network there will in most cases be limited capacity. It is<br />
therefore crucial to support prioritization of operation critical traffic. It is also<br />
desirable to use the tactical network in the most optimal manner <strong>and</strong> thus make<br />
sure that only traffic that has a high chance of reaching the destination is admitted<br />
into the network. One way to increase the network throughput is to take advantage<br />
of parallel paths in the heterogeneous network <strong>and</strong> efficiently exploit all<br />
b<strong>and</strong>width resources.<br />
Since the transmission means used in tactical networks have large variations<br />
in capabilities, CoNSIS find it advantageous to define multiple routing topologies<br />
in the network to support different QoS-classes. These topologies are then used<br />
to ensure that data packets are only forwarded on topologies with sufficient capabilities<br />
to support the requirements of the dataflow. We combine Multi-Topology<br />
(MT) routing [1-2] <strong>and</strong> traditional DiffServ-like [3-4] mechanisms to utilize all<br />
available transmission means in the tactical network <strong>and</strong> increase the robustness<br />
of the network. In [5] we have presented our findings when using this technique<br />
on an isolated test bed network in our lab. The QoS architecture with MT support<br />
has also been utilized by the Web services admission control broker in [6]. The SW<br />
for the MT-router has been extensively modified for the CoNSIS project, <strong>and</strong> in this<br />
paper we describe how this solution is used in the l<strong>and</strong> mobile CoNSIS network<br />
<strong>and</strong> how we have solved the interaction between a network running MT-routing<br />
<strong>and</strong> adjacent networks running non-MT capable domains.<br />
The rest of the paper is organized as follows: In Section II we give a brief<br />
background presenting the CoNSIS project. We point the reader to related work<br />
in Section III. In Section IV we describe the Multi-Topology routing solution<br />
<strong>and</strong> the mechanisms proposed to connect a Multi-Topology routing domain with<br />
a Single-Topology routing domain. The QoS architecture is explained in Section V.<br />
In Section VI we discuss the use of MT in the l<strong>and</strong> mobile network in the CoNSIS<br />
network architecture, <strong>and</strong> finally we give a short conclusion in Section VII.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
181<br />
II. Background<br />
As stated in the CoNSIS memor<strong>and</strong>um of underst<strong>and</strong>ing (MoU): “The objective<br />
of the project is to design, implement, test <strong>and</strong> demonstrate technologies, methods<br />
<strong>and</strong> architectures for the secure sharing of information <strong>and</strong> services between<br />
nations in ad-hoc coalitions, <strong>and</strong> between military systems <strong>and</strong> civil systems for<br />
Civilian <strong>Military</strong> Cooperation, e.g. with Non-Governmental Organizations (NGOs),<br />
within the communications constraints of mobile tactical forces.”<br />
The work is organized in five tasks:<br />
• Task 1, Communication Services<br />
• Task 2, <strong>Information</strong> <strong>and</strong> Integration Services (SOA)<br />
• Task 3, Security<br />
• Task 4, Management<br />
• Task 5, Architecture, Test <strong>and</strong> Demonstration Coordination<br />
The technique described in this article represents some of the work that<br />
has been performed in Task 1, Communication Services. In this task our concern<br />
has been to provide a transparent network <strong>and</strong> information infrastructure<br />
(NII), based on <strong>and</strong> harmonized with IP technology. The focus of this task is to<br />
demonstrate solutions that will work within the communications constraints <strong>and</strong><br />
dynamic topology imposed by the highly mobile tactical networks. The proposed<br />
mechanisms should support IPv6.<br />
All figures <strong>and</strong> information presented in the remainder of this document<br />
focuses on the challenges as seen by the Communication Services task.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Figure 1. This figure shows all network elements that participate in the CoNSIS scenario.<br />
N/C-TNS st<strong>and</strong> for National/Coalition-Transport Network Segment
182 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
CoNSIS has defined a scenario that takes place in a country torn by civil war.<br />
An international coalition is involved in this conflict to protect civilians <strong>and</strong> initiate<br />
the peace process. The coalition has a l<strong>and</strong> based component, a naval component <strong>and</strong><br />
an air based component. Fig. 1 shows all elements that is included in the CoNSIS<br />
network architecture <strong>and</strong> participates in the scenario.<br />
Task 1 has proposed to use Multi-Topology routing to provide some admission<br />
control <strong>and</strong> differentiated services in the l<strong>and</strong> mobile network component in Fig. 1.<br />
This network segment will be connected to the other segments (including the Multi<br />
National Deployed HQ) via an exterior gateway protocol. In the CoNSIS scenario<br />
the l<strong>and</strong> mobile component represents a military convoy that is tasked to escort<br />
a group of NGO vehicles to an area where there has been a natural disaster. This<br />
convoy will be played in the ongoing CoNSIS field test. The network deployment<br />
planned for the convoy in the field test will be used to exemplify the use of MT<br />
routing in CoNSIS.<br />
III. Related work<br />
During the last 10 years a lot of research has been done to achieve predictable<br />
QoS in mobile ad hoc networks (MANET). This is a difficult task due to the agile<br />
changes in the network topology, <strong>and</strong> the fluctuating channel quality in such<br />
networks. Much focus has been put in the area of QoS-routing. QoS-routing aims<br />
to find a route which provides the required service quality for a specific traffic type.<br />
This can be done using routing metrics based on parameters like delay, data rate,<br />
signal to noise ratio, route stability, etc. These protocols must be combined with<br />
a resource manager <strong>and</strong> a traffic classifier (e.g., DiffServ-like classification) to support<br />
end-to-end QoS in the network. Two survey papers [7-8] give a comprehensive<br />
overview of many of the available QoS-routing proposals.<br />
Most of the QoS protocols covered in the two survey papers discover a single<br />
path that supports a certain QoS requirement. This QoS requirement can be<br />
described by one parameter (e.g., maximum bottle neck data rate), or by several<br />
parameters (e.g., maximum bottle neck data rate <strong>and</strong> lowest end-to-end delay).<br />
Some protocols also maintain multiple paths to the destination for the purpose<br />
of e.g., load balancing, fault tolerance, higher aggregated b<strong>and</strong>width <strong>and</strong> reduced<br />
route discovery latency after link breaks. In [9] important multipath protocols<br />
are covered. In [10-13] multipath is established explicitly for QoS support. Some<br />
of these also make a point of combining DiffServ <strong>and</strong> multipath routing.<br />
However, most of the QoS-routing schemes, <strong>and</strong> all the mentioned multipath<br />
protocols are reactive routing protocols. We believe proactive protocols will be<br />
necessary in tactical MANETs to reduce the routing response time <strong>and</strong> increase<br />
the predictability of the network availability. We also think it is beneficial to store<br />
several routes with different characteristics to support separate QoS requirements.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
183<br />
This is important for a heterogeneous wireless network that is established with<br />
radios that utilize different transmission technologies.<br />
The MT supported QoS architecture is based on the proposal presented<br />
in [14] <strong>and</strong> further studied in [5]. It is a simple but powerful scheme with<br />
a proactive routing protocol that maintains multiple topologies in the routing<br />
domain <strong>and</strong> consequently provides multiple paths from source to destination.<br />
Each topology/path is associated with a single or multiple QoS-class(es). Similar<br />
ideas (based on a very different routing scheme) are presented in [15]. In this<br />
reference, network information is maintained proactively, <strong>and</strong> different paths<br />
for the required QoS-classes can be calculated with different metrics based on<br />
a single routing database.<br />
In [16] MT-routing is combined with a dynamic topology <strong>and</strong> traffic pattern<br />
analysis tool to provide a flexible load balancing solution <strong>and</strong> in [17] MT-routing<br />
is utilized in a satellite network both for fault tolerance <strong>and</strong> for traffic separation<br />
of traffic having different QoS requirements. Both of these papers exploit a similar<br />
technique as the one presented in this paper however our focus is to support<br />
admission control <strong>and</strong> efficient resource utilization in a very heterogeneous<br />
military mobile ad hoc network.<br />
IV. Multi-Topology routing architecture<br />
A. Multi-Topology routing<br />
A traditional link state routing protocol maintains one routing table with<br />
one entry for “the best route” to all destinations in a network domain (or several<br />
of the best routes for load balancing purposes). The best route is calculated based<br />
on the chosen metric (e.g., shortest path first (SPF) or lowest cost, where the cost<br />
parameter can be established based on any set of link parameters).<br />
A Multi-Topology routing (MT-routing) protocol maintains several topologies<br />
within the network domain at the cost of a few extra bytes in the routing packets.<br />
Each topology spans a subset of the physical topology. A shortest path first calculation<br />
(other metrics can be used if available) is performed for each topology<br />
to discover the best routes within the topology. The cost of one link can be set<br />
different for the different topologies. Only the links belonging to the actual topology<br />
are included in the calculation. The results of the SPF calculation are stored<br />
in one forwarding table for each topology. In Fig. 1 we show a network where three<br />
topologies are defined on the physical topology. A number of topologies can be<br />
defined on a single physical link. All the physical links in the domain must be part<br />
of the default topology. The default topology is used for routing traffic <strong>and</strong> ensures<br />
that routing information is flooded to the whole network. All link advertisements<br />
are stored in a link state database. The calculation of the forwarding table for each<br />
topology is based on the information in this database.
184 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 2. This figure shows a network with three different topologies<br />
During network configuration, topologies can be tailored to represent many<br />
different purposes. MT is used for the following cases in CoNSIS:<br />
• Topologies can be created that has sufficient (maximum) resources to support<br />
a certain QoS-class, or multiple QoS-classes.<br />
• A specific topology can be created to be used for transit traffic through<br />
the network.<br />
MT-routing is a very useful tool that can be used to solve many situations<br />
where a certain end-to-end behavior is needed in tactical networks. This comes at<br />
the cost of a more complex network configuration. For more details about the MTrouting<br />
operation, please consult [5].<br />
B. Interaction between a multi-topology routing domain <strong>and</strong> a single<br />
topology routing domain<br />
The MT-routing draft <strong>and</strong> RFC [1-2] both describe interaction with Single-<br />
Topology (ST) routers through the default topology (designated table 0 in MT).<br />
We do not view this approach as suitable for a mobile military network. The main reasons<br />
are:<br />
• The default topology covers the entire network <strong>and</strong> does not take into account<br />
transmission characteristics for the respective links.<br />
• For IPv6 the routing protocol load would be close to doubled, since the layout<br />
structure of the MT Link state advertisements (LSAs) are incompatible<br />
with st<strong>and</strong>ard IPv6 OSPF. In order to obtain compatibility with ST routers,<br />
the MT capable router has to transmit both encodings.<br />
Furthermore is it not described how to import routing information from an adjacent<br />
ST-routing protocol into the MT-routing protocol, without using the default
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
185<br />
topology. This can be regarded as a weakness in the specification, since it will only<br />
be the high capacity topologies of the MT domain that are usable for connection<br />
with external ST networks. The default topology normally does not have the ability<br />
to differentiate on traffic. In the CoNSIS project we wanted to have the interaction<br />
both between the MT-routing protocol <strong>and</strong> an exterior gateway protocol (EGP)<br />
as well as an interior gateway protocol (IGP).<br />
First we consider the task of importing <strong>and</strong> redistributing routing information<br />
from an adjacent ST-routing protocol into the MT-routing protocol. Most ST-routing<br />
protocols maintain routing information in the main forwarding table (known as table<br />
0 or default topology in MT). To avoid conflicts the default topology should not<br />
be used by the MT-routing protocol when MT-routing is used for QoS purposes.<br />
According to RFC [2] tables 32 to 127 are reserved for development, experimental<br />
<strong>and</strong> proprietary features <strong>and</strong> can be used for our purposes.<br />
The adjacent network information that we want to redistribute in the<br />
MT-network can have very different characteristics, it can be a homogeneous radio<br />
network with a certain characteristics or it can be a deployed network with a different<br />
typical characteristic. The radio network we might want to import into one<br />
or more specific topologies, whereas the deployed network should be imported<br />
into all topologies. For this reason we wanted to make a very flexible solution that<br />
allowed us to specify network import into (none or) any number of topologies. This<br />
involves both redistribution of the adjacent ST protocol information into the different<br />
topologies, <strong>and</strong> a copy of the ST routing information made available to the MT<br />
forwarding tables. Since redistribution only provides the routing information to<br />
neighboring nodes <strong>and</strong> not to the unit itself, this has to be a copy.<br />
If several networks are connected to the same gateway router <strong>and</strong> we do not<br />
want to redistribute the information from these protocols to the same topologies,<br />
then these networks must use different routing protocols, if not the router will not<br />
be able to identify the routes made available from the one network from the routes<br />
made available from the other network. It should be possible to use route-maps<br />
for each topology to limit the visibility when using the same routing protocol. 1<br />
Next we consider the task of making routing information from<br />
the MT-routing protocol available for adjacent networks. Here we would also like<br />
to have the same flexible solution of providing information from (none or) any<br />
number of topologies to the ST-routing protocol. In practice this means to provide<br />
the union of the routes available in the relevant MT topologies to the ST-routing<br />
protocol. This was not straight forward to implement (partly because of overlapping<br />
routes) in the open source routing environment used for the implementation<br />
(the SW platform is described in chapter VI). Thus the solution we implemented<br />
1<br />
In the case of interfacing BGP, route-maps could possibly use e.g. “match peer x.x.x.x” or “match as-path”.<br />
This has not been investigated further.
186 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
was to provide routing information from 0 or 1 (any of the available topologies)<br />
topologies to the adjacent network. 2<br />
One should be careful not to import routing information into different topologies<br />
than the one that is exported to the same network. If this is the case there<br />
will be asymmetry in the network information <strong>and</strong> some traffic will only be able to<br />
flow one way. In a QoS architecture this could be solved with a policy saying for<br />
example that the non MT-networks should be given the same, or more routing<br />
information than what is available in the MT-network. Traffic with QoS-tag that<br />
cannot be supported by the current MT-network topology will then be dropped<br />
at the entry point to the disadvantaged mobile MT-network.<br />
As a special case we gave the interaction between the MT-routing protocol<br />
<strong>and</strong> BGP [18] some extra thought. Providing the routing information in one topology<br />
for redistribution in BGP limits the visibility of the MT-network for BGP<br />
connected networks. Thus this method can be used to provide a topology for<br />
transit traffic through the MT-network <strong>and</strong> make the complete MT-network only<br />
available for local traffic.<br />
V. QoS architecture<br />
The CoNSIS QoS architecture for the network layer divides the QoS operations<br />
in two functional entities:<br />
• One entity that supervises the resource management. This mechanism<br />
is needed at the ingress of the network.<br />
• One entity that h<strong>and</strong>les network congestion, packet forwarding <strong>and</strong> packet<br />
prioritizing required by the different dataflows. This mechanism is needed<br />
in all forwarding elements in the network.<br />
The resource management entity decides if a new traffic flow can be supported<br />
by the network. This mechanism must identify the network resources required by<br />
the flow associated with a specific QoS-class. If there are enough network resources<br />
available, the session will be admitted. Thus, there is a need for a resource management<br />
mechanism that attempts to estimate the available capacity of the network.<br />
If mechanisms are available to support resource reservation, this will be done by<br />
the resource manager.<br />
The prerequisites for admittance of a session may change after a session is admitted.<br />
A session of very high importance may try to access a fully loaded network.<br />
Then, pre-emption of a low importance session may be required. Similarly, due to<br />
node mobility, jamming, etc., the network capacity may change over time. This must<br />
be acted on by the resource manager.<br />
Short term network congestion due to fluctuations in the radio channel capacities<br />
<strong>and</strong> temporary overload of the network must be h<strong>and</strong>led by the forwarding<br />
2<br />
Changes would be required to OSPF/ZEBRA in order to support multiple topologies to the adjacent networks.<br />
This is left for future work.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
187<br />
component of the network routers. This component must also tailor packet queues<br />
<strong>and</strong> packet scheduling to effectuate the delay requirements of the packet’s QoSclass,<br />
<strong>and</strong> the military priority of the packet. In overload situations this mechanism<br />
makes sure that the important traffic is prioritized by the network at the expense<br />
of less important traffic which might then experience a very high packet loss due<br />
to queue overflow.<br />
For this architecture a set of QoS-classes must be defined that describe the network<br />
requirements (in terms of data rate, jitter, delay, reliability, etc.) needed by<br />
the dataflow labeled with the specific QoS-class. The traffic flows must be tagged<br />
with this information.<br />
In CoNSIS we propose to use MT routing to support the entity that supervises<br />
the resource management of the network. In the MT supported QoS architecture,<br />
we configure <strong>and</strong> maintain several network topologies that each spans a subset<br />
of the physical topology. Each topology has its own forwarding table that is used<br />
to forward packets classified as belonging to that specific topology. If a destination<br />
address is not available in the forwarding table associated with the QoS-class, then<br />
no path exists in the network where the specific QoS-class is allowed to be transported.<br />
Thus the flow should not be admitted to the network. Traffic is stopped at<br />
the network edge <strong>and</strong> not (in a worst-case scenario) forwarded through the entire<br />
network just to find that the last hop to the destination is a link not able to support<br />
the flow’s QoS requirements.<br />
When there is a route to the destination in the correct topology <strong>and</strong> the traffic<br />
flow is admitted to the network, the DiffServ mechanisms come into play. A queue<br />
hierarchy <strong>and</strong> packet scheduling mechanism prioritizes the sequence of transmitted<br />
packets on each interface. For each network interface we also define a traffic shaper,<br />
whose purpose is to keep the traffic transmitted on e.g. the wireless network below<br />
a certain threshold, to avoid network congestion. We use queue <strong>and</strong> scheduling<br />
tools to tailor the queue to the requirements of the associated QoS-class, <strong>and</strong> to<br />
implement packet scheduling for traffic priorities. Queue length, head/tail drop<br />
<strong>and</strong> drop-precedence are important queue parameters, while the packet scheduler<br />
could be designed for a strict priority scheme or a situation with more fairness<br />
in the scheduling process.<br />
It should be noted that in the current version of the MT-routing protocol we<br />
build topologies based on static predefined network/link characteristics. In future<br />
work we want to investigate if dynamic parameters representing the real time resource<br />
situation for the links can be incorporated efficiently with the MT-routing<br />
protocol to better support the resource management mechanism in the mobile<br />
tactical network. Alternatively, a possible solution could be to use the proactive<br />
MT-mechanisms as a first check if a flow can be admitted to the network <strong>and</strong> use<br />
a reactive probing technique to check the real-time resource situation on the MT path<br />
before the flow is actually admitted.
188 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
VI. CoNSIS convoy test network<br />
A. Multi-Topology routing SW<br />
We have implemented 3 the Multi-Topology support for OSPFv3 <strong>and</strong> OSPFv2,<br />
as well as MANET OSPFv3 (MDR) [19] into the Vyatta [20] Linux distribution.<br />
This is based on the Quagga [21] open source routing application running on<br />
a Debian system with Linux kernel 2.6.37 (ATOW). The MANET OSPFv3 base<br />
protocol was fetched from [22]. The router implementation allows easy configuration<br />
of OSPFv2-MT <strong>and</strong> OSPFv3-MT information. Metrics can be setup for each<br />
topology on each interface. The Linux platform is set up to utilize multiple forwarding<br />
tables <strong>and</strong> Quagga’s interface towards forwarding tables in Linux has been<br />
adjusted to allow the use of multiple routing tables. In addition to OSPFv2-MT <strong>and</strong><br />
OSPFv3-MT routing, the implementation also supports configuration of static MTroutes.<br />
A flexible import <strong>and</strong> redistribution of routes from other routing protocols<br />
is supported, as well as customized export of MT-routes to the main routing table to<br />
make the routes available to other routing protocols.<br />
Due to experienced instabilities in the MANET OSPFv3-MT protocol we will<br />
use OSPFv3-MT in the CoNSIS field experiment.<br />
It should also be noted that the exp<strong>and</strong>ed encoding of the OSPF Options described<br />
in the draft [1] is in conflict with bits allocated by OSPF Link-Local signaling<br />
[23]. Link-Local Signaling is also part of the MANET OSPFv3 implementation.<br />
B. The CoNSIS convoy platforms<br />
The l<strong>and</strong> mobile network component in the CoNSIS network architecture<br />
is represented by a multinational convoy in the scenario <strong>and</strong> in the field test.<br />
The network consists of a German (Nation 1) <strong>and</strong> a Norwegian (Nation 2) convoy<br />
segment. Each segment consists of four mobile nodes. The convoy network is connected<br />
to a multi-national deployed headquarter (Fig. 3). The NGO vehicles also<br />
have a network connection to the military convoy, however this connection is not<br />
visible in Fig. 3 since this network is not allowed to be part of the unprotected coalition<br />
transport network. Traffic is sent to/from the NGO segment via application<br />
gateways h<strong>and</strong>led by other CoNSIS task groups.<br />
The Convoy network consists of five different radio networks. It is therefore<br />
a highly heterogeneous MANET. Table I give some details of the radios that will<br />
be utilized in the planned CoNSIS experiment. The network is used for internal<br />
convoy communication <strong>and</strong> reach-back to the deployed headquarters.<br />
3<br />
The implementation is done by Thales Norway AS
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
189<br />
Table I. Radios used in the CoNSIS Convoy test network<br />
Nation 1<br />
SatCom<br />
Nation 1<br />
UHF Network1<br />
Nation 1<br />
VHF Network<br />
Nation 1<br />
UHF Network2<br />
Nation 2<br />
UHF Network<br />
Radio Type<br />
Thrane &Thrane<br />
BGAN Ex. 727<br />
IABG<br />
HiMoNN<br />
Harris<br />
RF-7800S<br />
Rockwell Collins<br />
FlexNet-Four<br />
Kongsberg<br />
WM600<br />
a) The data rates are approximate values<br />
Number of radios<br />
in the network<br />
unknown<br />
Shared channel<br />
data rate a<br />
384 kb/s<br />
6 11 Mb/s<br />
5 64 kb/s<br />
3 1 Mb/s<br />
6 920 kb/s<br />
The different transmission technologies present in the planned experimental<br />
network have substantially different characteristics when it comes to e.g., transmission<br />
delay, transmission range <strong>and</strong> data rate. Given the heterogeneous network<br />
as described above, the end-to-end network capacity could change from a relatively<br />
high data rate of several Mb/s to a few tens of Kb/s when a node moves from<br />
UHF coverage to a path that includes one or more VHF <strong>and</strong>/or SatCom on the move<br />
links. This large variation in available data rate is difficult to h<strong>and</strong>le for the resource<br />
management entity. In such a scenario it is also important that the network is able to<br />
prioritize the mission critical data traffic in overload situations.<br />
Figure 3. The l<strong>and</strong> mobile network in CoNSIS
190 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In the CoNSIS network architecture for the l<strong>and</strong> mobile network we interconnect<br />
the different links <strong>and</strong> networks present in the network with an OSPFv3-MT<br />
routing protocol in one flat routing domain. This allows full dynamics in the network.<br />
To demonstrate the use of multiple topologies for QoS purposes we define<br />
three topologies in the CoNSIS convoy network:<br />
• A high data rate topology<br />
• A low data rate topology<br />
• A low delay topology<br />
Table II shows how the different radio networks in the CoNSIS convoy network<br />
are associated with the three defined topologies. All radio networks also participate<br />
in the default topology.<br />
Radio Type<br />
Table II. The use of the radio networks in the topologies<br />
Low data<br />
rate topology<br />
High data<br />
rate topology<br />
Low delay<br />
topology<br />
Nation 1 SatCom X – –<br />
Nation 1 UHF Network1 X X X<br />
Nation 1 VHF Network X – X<br />
Nation 1 UHF Network2 X X X<br />
Nation 2 UHF Network X X X<br />
The low data rate topology includes all links. The high data rate links are also<br />
included in this topology to increase connectivity <strong>and</strong> network robustness; however,<br />
the topology cannot guarantee more than a low data rate capacity. The best<br />
path within each topology is calculated based on the MT-cost parameter for each<br />
link between source <strong>and</strong> destination. The UHF networks are given low cost whereas<br />
the SatCom <strong>and</strong> the VHF networks are given a very high cost. We set the same<br />
cost for all topologies but acknowledge that it could be beneficial in some cases<br />
to use different cost for different topologies <strong>and</strong> thereby prioritize the utilization<br />
of the network types differently for different traffic types.<br />
Fig. 4 exemplifies a radio topology where Nation2’s portion of the convoy<br />
is driving into a terrain with difficult channel propagation conditions for Nation2’s<br />
UHF radio. Table III shows the routing table for the three topologies for all the vehicles<br />
in Nation2 for the radio connectivity represented in the figure.<br />
In the MT supported QoS architecture we require that all traffic in the network<br />
is tagged with the appropriate QoS-tag. We choose to use the traffic<br />
class field in the IPv6 header, to mark the packets. We use this field to encode<br />
the QoS-class (named Service-based Class (SBC) in [24]), <strong>and</strong> traffic priority<br />
(IP <strong>Military</strong> Precedence Level (IP MPL)) as suggested in [24]. Fig. 5 shows<br />
the chosen format.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
191<br />
Figure 4. Network connectivity in terrain with difficult radio propagation<br />
for Nation 2’s UHF network<br />
Table III. Routes a available in the three different routing tables in the vehicles<br />
of Nation 2 in Fig. 4<br />
Nation 2 vehicle no. Low data rate topology High data rate topology Low delay topology<br />
1 All vehicles All Nation 1 vehicles All except Nation2:3<br />
2 All vehicles Nation2:4 All except Nation2:3<br />
3 All vehicles – –<br />
4 All vehicles Nation2:2 All except Nation2:3<br />
a) The destinations are represented as follows in the table: Vehicle no. 3 in Nation2 is written<br />
as Nation2:3.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Figure 5. Suggested use of the IPv6 traffic class field<br />
For the CoNSIS QoS architecture we decided that there should not be a fixed<br />
association between a traffic type <strong>and</strong> a SBC <strong>and</strong> IP MPL. We believe that it is wise to<br />
allow network planners of an operation to define the SBC for a service. E.g., in some<br />
operations it might be important to provide frequent high resolution images, while
192 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
other operations would rather spend the data-rate on other services. In such a setting,<br />
an application (service) can be tagged with one SBC in one operation <strong>and</strong><br />
another SBC in the next. Nevertheless we created an example list of services <strong>and</strong><br />
signaling traffic for the CoNSIS experiment <strong>and</strong> associated these with the SBC <strong>and</strong><br />
IP MPL as shown in table IV. Table V then shows how some selected services from<br />
table IV are associated with the topologies created for the experiment.<br />
NETR<br />
SBC<br />
Service<br />
Network<br />
Infrastructure<br />
Table IV. CoNSIS services mapped to SBCs<br />
One example of mapping between<br />
CoNSIS services <strong>and</strong> the SBC<br />
– Routing (e.g. OSPFv3-MT, BGP, OLSR)<br />
– Management, ICMP Error Messages<br />
– TIBER Auto detection of classified enclaves<br />
DSCP<br />
CS6 110000<br />
OAM<br />
Network<br />
Management<br />
– Security management CS2 010000<br />
SIG-T Call Signaling<br />
– VoIP signaling<br />
– Notification Management Service<br />
CS5 101000<br />
– Service Discovery Service<br />
F 101010<br />
VOICE Voice<br />
P 101100<br />
– MELPe R EF 101110<br />
F AF41 100010<br />
VIDEO VTC<br />
P AF42 100100<br />
R AF43 100110<br />
STREAMING<br />
F AF31 011010<br />
Streaming<br />
P AF32 011100<br />
media<br />
R AF33 011110<br />
– Operational Alarm Messages<br />
F AF21 010010<br />
Low latency – NFFI Blue Force Tracking Service<br />
LDELAY<br />
data<br />
– Chat Application P AF22 010100<br />
– Network Services (e.g. DNS, DHCP) R AF23 010110<br />
– Image messaging service F AF11 001010<br />
BULK Bulk<br />
P AF12 001100<br />
R AF13 001110<br />
NORM Best effort Other applications BE 000000<br />
For the low data rate interfaces we choose to configure a strict priority queue<br />
with no fairness in the packet scheduling. This ensures that the highest priority<br />
traffic types are given enough resources. For the high data rate interfaces we use<br />
the hierarchical token bucket (HTB) queuing structure for Linux, <strong>and</strong> associate<br />
a share of the shaping b<strong>and</strong>width to each of the QoS-classes. This supports traffic
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
193<br />
priority but also provides some fairness in the packet scheduling. QoS-classes that<br />
need low delay are set up with short queues, as are QoS-classes with periodic traffic<br />
where it is important to always get the most recent message.<br />
Table V. The link between selected services <strong>and</strong> the defined network topologies<br />
CoNSIS service<br />
Low data<br />
rate topology<br />
High data<br />
rate topology<br />
Low delay<br />
topology<br />
NFFI Service (AF21) X – –<br />
Chat application (AF22) X – –<br />
VoIP (MELPe 2400) (EF) – – X<br />
Image msg. service (AF11) – X –<br />
The ip6tables functionality in Linux is used to mark MT-routing traffic<br />
with the correct QoS-class. All user traffic in the CoNSIS network is encrypted<br />
by IPSec solutions, thus the user traffic must be marked with the correct QoS-class<br />
by the source. This marking is also used to associate the QoS-classes with the forwarding<br />
table for the correct topology. The Linux traffic control (tc) tool is used to<br />
setup the queuing <strong>and</strong> scheduling mechanisms.<br />
E. Tests to be performed during the CoNSIS experiment<br />
To further explain the use of MT-routing in the CoNSIS convoy network we<br />
will here briefly describe the three tests we plan to perform during the CoNSIS<br />
experiment to demonstrate the functionality of the MT supported QoS architecture.<br />
The experiment is being performed at the time of writing, thus results are not yet<br />
available. All vehicles referred to by number belong to Nation2 unless otherwise<br />
specified.<br />
1) Demonstrate seamless mobility in a heterogeneous wireless network<br />
In this test we show how link breaks in a mobile military network can be overcome<br />
via routes utilizing the different radio networks/link technologies in a coalition<br />
tactical network. The test starts with full connectivity (Fig. 3) <strong>and</strong> traffic among<br />
all Nation2 nodes. Vehicles 2 <strong>and</strong> 4 then move together such that these no longer<br />
have Nation2 UHF connectivity with the remaining Nation2’s vehicles. The internal<br />
traffic for Nation2 will still be flowing among all nodes, but now via the Nation1’s<br />
UHF <strong>and</strong> VHF networks. Next vehicle 3 moves so that it loses all Nation2 UHF<br />
connectivity, but since it has a Nation1 SatCom terminal, the internal traffic will<br />
still be flowing among all Nation2 vehicles. See Fig. 4 for the final network connectivity<br />
situation.
194 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
2) Test the use of multiple topologies for QoS purposes<br />
In this test we want to show how topologies can be used to provide different<br />
paths for different traffic classes, <strong>and</strong> also to block traffic at the source for flows that<br />
cannot be supported by the current network. The test will be run both for the high<br />
data rate topology <strong>and</strong> for the low delay topology. The test for the high data rate<br />
topologi is explained here. The test starts with full connectivity (Fig. 3) <strong>and</strong> traffic<br />
flow from vehicle 1 on both the low data rate topology <strong>and</strong> the high data rate<br />
topology to all other Nation2 vehicles, <strong>and</strong> traffic flow on both the low data rate<br />
topology <strong>and</strong> the high data rate topology from vehicle 2 to vehicles 3 <strong>and</strong> 4. Vehicle<br />
3 then moves away to lose Nation2 UHF connection, but it still has a Nation1<br />
SatCom connection (Fig. 6). Vehicle 3 will now only receive traffic from vehicle<br />
1 <strong>and</strong> vehicle 2 on the low data rate topology. Next, vehicle 2 <strong>and</strong> vehicle 4 move<br />
together to lose Nation2’s UHF connectivity to the remaining Nation2’s vehicles.<br />
Vehicle 4 will now only receive traffic on the low data rate topology from Vehicle<br />
1, but it will still receiver traffic on both topologies from Vehicle 2. See Fig. 6 for<br />
the final network connectivity situation. The faded (grey) network links does not<br />
participate in the high data rate topology.<br />
Figure 6. Network connectivity for the final stage of the “MT for QoS purposes” test.<br />
The grey network links does not participate in the high data rate topology<br />
3) Limiting convoy network visibility for adjacent networks<br />
In this test we demonstrate how multiple routing topologies can be used to<br />
control the routes that are advertized in adjacent networks. A topology can be<br />
created that holds links/routes that can be made available for transit traffic or for<br />
external traffic. Only these routes will then be made available for an exterior gate-
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
195<br />
way protocol to provide to adjacent networks. For simplicity we will use the high<br />
data rate topology to represent this transit topology. A separate topology could<br />
very well have been created for this purpose. Also since we have only one gateway<br />
between the convoy <strong>and</strong> the deployed HQ we cannot support transit traffic. Instead<br />
we show how traffic from external networks is only allowed to use the chosen topology.<br />
We start with full connectivity (Fig. 3) <strong>and</strong> traffic flowing from vehicle 1<br />
to all other Nation2 vehicles <strong>and</strong> from the Deployed HQ to all Nation2 vehicles.<br />
Vehicle 3 then moves away to lose Nation2 UHF connectivity, but still has Nation1<br />
SatCom connection (Fig. 6). Vehicle 3 will now still receive traffic from vehicle 1,<br />
but no longer from the Deployed HQ, since there is no longer a route to vehicle 3<br />
in the topology made available for the exterior gateway protocol. Vehicle 3 will not<br />
be visible in the routing tables in the Deployed HQ. All other Nation2 vehicles will<br />
still receive traffic from the HQ.<br />
VII. Conclusion<br />
In this paper we show how Multi-Topology (MT) routing can aid the design<br />
of end-to-end QoS support in the l<strong>and</strong> mobile network defined in the CoNSIS<br />
network architecture. The MT-routing protocol builds topologies based on static<br />
link characteristics that are valid at all times. We see the use of multiple topologies<br />
paired with a DiffServ-like architecture as a simple but powerful tool to dynamically<br />
block traffic at the source for flows that cannot be supported by the current network<br />
topology, <strong>and</strong> thereby improve the QoS <strong>and</strong> available capacity for admitted traffic.<br />
We have also suggested a very flexible interaction between MT supported<br />
network domains <strong>and</strong> Single-Topology (ST) routing domains.<br />
Multiple topologies can also be used to support load balancing on a QoS-class<br />
basis (i.e., different QoS-classes are transmitted on partly or fully disjoint paths).<br />
Since this QoS architecture operates based on the code in the IPv6 traffic class<br />
field, the only requirement to the IP encryption device placed between the issuing<br />
application <strong>and</strong> the wireless transport network is that the encrypted tunnel must<br />
inherit the QoS tag of the data packet.<br />
Additional resource management mechanisms based on e.g., polling techniques<br />
[25] can be combined with the MT supported QoS architecture to incorporate<br />
dynamic changes in e.g., channel quality <strong>and</strong> traffic load to further improve<br />
the scheme for admission control purposes. The resource mechanism must be executed<br />
for all defined topologies.<br />
Acknowledgment<br />
We would like to acknowledge the Norwegian Army’s weapon school represented<br />
by LtCol. A.B. Enger <strong>and</strong> Maj. M. Gjellerud for the initiative to develop<br />
a router demonstrator for QoS experimentation in tactical networks.
196 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
We also want to acknowledge all CoNSIS Task 1 participants, <strong>and</strong> especially<br />
Maximilian List <strong>and</strong> Martin Zeller from IABG mbH for fruitful discussions <strong>and</strong><br />
very skilled network configuration.<br />
References<br />
[1] S. Mirtorabi <strong>and</strong> A. Roy, “Multi-Topology routing in OSPFv3 (MT-OSPFv3).”<br />
draft-ietf-ospf-mt-ospfv3-03.txt (work in progress), July 2007.<br />
[2] P. Psenak, S. Mirtorabi, A. Roy, L. Nguyen, <strong>and</strong> P. Pillay-Esnault, “Multi-<br />
-Topology (MT) routing in OSPF.” RFC 4915, June 2007.<br />
[3] S. Blake et al., “An architecture for differentiated serv.” RFC2475, 1998.<br />
[4] D. Grossman, “New terminology <strong>and</strong> clarifications for diffserv.” RFC 3260, 2002.<br />
[5] M. Hauge, J. Andersson, M.A. Brose, <strong>and</strong> J. S<strong>and</strong>er, “Multi-topologyrouting<br />
for improved network resource utilization in mobile tactical networks,” MILCOM,<br />
San Jose, CA, USA, 2010.<br />
[6] F.T. Johnsen, T. Hafsoe, M. Hauge, O. Kolbu, “Cross-layer Quality of Service based<br />
admission control for Web services,” HeterWMN, pp. 315-320, Houston, TX, USA,<br />
Dec. 2011.<br />
[7] L. Hanzo-II <strong>and</strong> R. Tafazolli, “A survey of QoS routing solutions for mobile as hoc<br />
networks.” COMST, vol. 9, no. 2, pp. 50-70, 2007.<br />
[8] R. Asokan, “A review of Quality of Service (QoS) routing protocols for mobile Ad<br />
hoc networks.” ICWCSC, Chennai, India, 2010.<br />
[9] N.S. Kulkarni, I. Gupta, <strong>and</strong> B. Raman, “On dem<strong>and</strong> routing protocols for mobile<br />
ad hoc networks: A review.” IACC, Patiala, India, 2009.<br />
[10] P. Jeon <strong>and</strong> G. Kesidis, “Pheromone-aided robust multipath <strong>and</strong> multipriority routing<br />
in wireless MANETs.” PE-WASUN, pp. 106-113, Montreal, Quebec, Canada, 2005.<br />
[11] L. Xuefei <strong>and</strong> L. Cuthbert, “Multipath QoS routing of supporting DiffServ in mobile<br />
ad hoc networks.” SNPD/SAWN, pp. 308-313, Baltimore, MD, USA, 2005.<br />
[12] S. Venkatasubramanian <strong>and</strong> N.P. Gopalan, “A QoS-based robust multipath routing<br />
protocol for mobile ad hoc networks.” AH-ICI, pp. 1-7, Kathm<strong>and</strong>u, Nepal, 2009.<br />
[13] L. Chengyong, L. Kezhong, <strong>and</strong> L. Layuan, “Research of QoS-aware routing<br />
protocol with load balancing for mobile ad hoc networks.” WiCOM, pp. 1-5, Dalian,<br />
China, 2008.<br />
[14] A.F. Hansen, T. Cicic, <strong>and</strong> P.E. Engelstad, “Profiles <strong>and</strong> Multi-Topology Routing<br />
in Highly Heterogeneous Ad Hoc Networks,” INFOCOM, Poster <strong>and</strong> Demo session,<br />
Barcelona, Spain, April 2006.<br />
[15] J.A. Stine <strong>and</strong> G. de Veciana, “A paradigm for quality-of-service in wireless<br />
ad hoc networks using synchronous signaling <strong>and</strong> node states.” J-SAC, vol. 22, no. 7,<br />
pp. 1301-1321, Sept. 2004.<br />
[16] S. Bae <strong>and</strong> T.R. Henderson, “Traffic Engineering with OSPF Multi-Topology<br />
Routing,” MILCOM, Orl<strong>and</strong>o, FL, USA, October 2007.
Chapter 2: <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> for <strong>Trusted</strong>...<br />
197<br />
[17] X. Gou, H. Yan, F. Yi, G. Long, <strong>and</strong> Q. Wu, “Modeling <strong>and</strong> simulation of small<br />
satellite constellation networking using multi-topology routing,” ICCASM, vol. 12,<br />
pp. 143-147, Taiyuan Shanxi, China, October 2010.<br />
[18] Y. Rekhter, T. Li <strong>and</strong> S. Hares (Ed.’s). “A Border Gateway Protocol 4 (BGP-4)” RFC<br />
4271, Jan. 2006.<br />
[19] R. Ogier <strong>and</strong> P. Spagnolo, “Mobile ad hoc network (MANET) extension of OSPF<br />
using CDS flooding.” RFC 5614, Aug. 2009.<br />
[20] Vyatta, http://www.vyatta.com<br />
[21] Quagga Routing Suite, http://www.quagga.net<br />
[22] OSPFv3 MANET MDR, Boeing, http://cs.itd.nrl.navy.mil/work/ospf-manet/<br />
[23] A. Zinin, A. Roy, L. Nguyen, B. Friedman <strong>and</strong> D. Yeung, “Ospf Link-Local Signaling”<br />
RFC 5613, Aug. 2009.<br />
[24] R.M. van Selm, G. Szabo, R. van Engelshoven, <strong>and</strong> R. Goode, Ip QoS st<strong>and</strong>ardisation<br />
fo the NII, RD-2933, NC3A,(Nato Unclassified), Apr. 2010.<br />
[25] A. Mohammad, O. Brewer, <strong>and</strong> A. Ayyagari, “B<strong>and</strong>width estimation for network<br />
quality of service management.” MILCOM, Orl<strong>and</strong>o, FL, USA, 2007.
Chapter 3<br />
<strong>Information</strong> <strong>Technology</strong><br />
for Interoperability <strong>and</strong> Decision<br />
Support Enhancement
Mathematical Foundations of Interoperability<br />
<strong>and</strong> Composability<br />
Andreas Tolk<br />
Old Dominion University, Norfolk, Virginia, USA, atolk@odu.edu<br />
Abstract: Based on the success stories of many engineering solutions, interoperability is often seen<br />
as something that can be worked into a system after the fact. If two systems shall exchange information<br />
with each other, system <strong>and</strong> software engineers are engaged to make these systems interoperable, often<br />
using interface <strong>and</strong> protocol st<strong>and</strong>ards. Recent research results in relevant domains of mathematics,<br />
in particular model theory <strong>and</strong> algorithmic information theory, show that such bottom-up engineering<br />
approaches are limited for model-based applications. Such applications do not only require<br />
the interoperability of implementations but also the composability of underlying conceptualizations.<br />
As more <strong>and</strong> more applications in the <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems domains<br />
are model-based applications, such as decision support systems <strong>and</strong> alternative course of action<br />
analyses tools, these topics become increasingly relevant <strong>and</strong> may lead to a paradigm shift how we<br />
look at federating our systems in support of international operations.<br />
Introduction<br />
The paper shares lessons-learned from interoperability work conducted in support<br />
of integrating comm<strong>and</strong> <strong>and</strong> control systems with modeling <strong>and</strong> simulation<br />
systems. It introduces the Levels of Conceptual Interoperability Model (LCIM)<br />
as the current support method for interoperability engineering. It proposes the use<br />
of more formal approaches utilizing the mathematical foundations of Model Theory<br />
for future system developments based on interoperability design.<br />
The underlying idea of most military interoperability efforts – even if new<br />
forms of st<strong>and</strong>ards like those developed for the sematic web are applied – is still<br />
to connect two already developed <strong>and</strong> often operational systems by engineering<br />
interoperability. We are enabling information exchange solutions after the fact by<br />
defining interfaces <strong>and</strong> protocols. This is the same idea that already supported<br />
message exchange mechanisms as well as data replication mechanism: the participating<br />
two systems exchange information via pre-defined interfaces. The systems<br />
themselves don’t have to be modified as long as they are able to support the st<strong>and</strong>ard<br />
interfaces. The underlying interoperability definition is captured by the IEEE as follows:<br />
“Interoperability is the ability of two or more systems or components to exchange
202 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
information <strong>and</strong> to use the information that has been exchanged.” In many cases,<br />
this approach works quite well, in particular for database driven system. If these<br />
systems can exchange information <strong>and</strong> integrate the data into the databases, we are<br />
successful <strong>and</strong> interoperable. Many other information technology systems follow<br />
the same paradigm: if we can exchange information <strong>and</strong> use it, we can support<br />
a common task in real operations, but is this enough for model-based systems<br />
This raises the follow-up questions “What are model-based systems” <strong>and</strong><br />
“Why should the Comm<strong>and</strong> <strong>and</strong> Control (C2) community care” Model-based<br />
systems are systems that do not use the real systems as there referent but conceptualizations<br />
thereof as the basis for their specification or the representation<br />
of the specification. They use models that are formal representations of task-driven<br />
purposeful simplifications of abstractions of a perception of reality. In this sense,<br />
many tools the C2 community is interested in turn out to be model-based systems.<br />
In particular simulation systems are model-based, as they are executing models<br />
over time. The C2 community utilizes simulation systems for training, for testing,<br />
<strong>and</strong> increasingly for operational support. Simulation systems provide an emerging<br />
training environment, that can provide a realistic testing environment, <strong>and</strong> they<br />
can help to evaluate alternative course of action <strong>and</strong> provide the means for mission<br />
rehearsal. The importance of model-based C2 support is increasing, so it becomes<br />
pivotal to underst<strong>and</strong> what makes them special. We will show that these systems<br />
require not only agreeing on format <strong>and</strong> meaning, but also on the use of data to<br />
be exchanged. As such, we need to agree on all three elements of semiotics: syntax,<br />
semantics, <strong>and</strong> pragmatics.<br />
To make the necessary points, this white paper is divided into two parts.<br />
The first part describes lessons-learned from interoperability work conducted by<br />
the research team leading to the LCIM. The second part recommends the application<br />
of formal methods grounded in mathematical model theory.<br />
This white paper has been written to complement the keynote for the symposium<br />
in magazine style. For more information, the interested reader is referred<br />
to the academic publications listed at the end of this paper.<br />
Lessons learned from interoperability projects:<br />
The levels of conceptual interoperability model<br />
The current paradigm regarding interoperability can be best characterised<br />
as interoperability engineering. Two systems that were developed independently from<br />
each other but that share a common application case are presented to the engineer<br />
with the requirement to make them interoperable. This can be systems provided<br />
by two military services that shall conduct a joint operation as well as two nations<br />
that conduct a combined operation.<br />
The main assumption behind this paradigm is that as both systems are developed<br />
in support of a common view of reality, namely the common operation they
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
203<br />
shall support, the systems are both based on the same part of reality. Following<br />
the definition giving in the introduction, the models the systems are using are purposeful<br />
abstractions <strong>and</strong> simplification of their perception of this common reality.<br />
The resulting implementations should therefore be similar enough to be alignable by<br />
designing a common technical infrastructure that supports mediation between<br />
the different viewpoints. This view is also supported by the IEEE definition cited<br />
earlier in this white paper: two systems can be made interoperable if we can mediate<br />
the data used in both systems to each other to use them in the respective system.<br />
In order to gain a better underst<strong>and</strong>ing of the theoretical underpinnings<br />
of interoperation between two federate simulation systems the Levels of Conceptual<br />
Interoperability Model (LCIM) was developed. This model <strong>and</strong> its layers allow<br />
clearly distinguishing between the three governing concepts of interoperation:<br />
• Integratability contends with the physical/technical realms of connections<br />
between systems, which include hardware <strong>and</strong> firmware, protocols, networks,<br />
etc.<br />
• Interoperability contends with the software <strong>and</strong> implementation details of interoperations;<br />
this includes exchange of data elements via interfaces, the use<br />
of middleware, mapping to common information exchange models, etc.<br />
• Composability contends with the alignment of issues on the modelling<br />
level. The underlying models are purposeful abstractions of reality used<br />
for the conceptualization being implemented by the resulting systems.<br />
For meaningful interoperation of two systems, all three governing concepts<br />
are necessary: we need compatible infrastructures, interoperable implementations,<br />
<strong>and</strong> composable models. In particular the third concept of composability has been<br />
neglected by interoperability st<strong>and</strong>ards so far. The LCIM defines several layers<br />
of interoperation to address particular challenges. It can be used descriptively (what<br />
has been accomplished) as well as prescriptively (what needs to be accomplished).<br />
These levels are defined as follows:<br />
• If systems are st<strong>and</strong>-alone applications with no interconnection, there<br />
is obviously no interoperability.<br />
• The technical layer deals with infrastructure <strong>and</strong> network challenges, enabling<br />
systems to exchange carriers of information. This is the domain of integratability;<br />
a communication protocol to exchange signals exists.<br />
• The syntactic layer deals with challenges to interpret <strong>and</strong> structure the information<br />
to form symbols within protocols. This layer belongs to the domain<br />
of interoperability; common symbols – like the use of Unicode or ANSI<br />
code – are identified.<br />
• The semantic layer provides a common underst<strong>and</strong>ing of the information<br />
exchange. On this level, the pieces of information that can be composed to<br />
objects, messages, <strong>and</strong> other higher structures are identified. This level also<br />
support interoperability: it introduces common terms to tag structures that<br />
represent tags that are used to name functions, variables, <strong>and</strong> constants.
204 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• The pragmatic layer recognizes the patterns in which data are organized for<br />
the information exchange, which are in particular the inputs <strong>and</strong> outputs<br />
of procedures <strong>and</strong> methods to be called. This is the context in which data<br />
are exchanged as applicable information. These groups are often referred<br />
to as (business) objects. This is the highest level still supporting the realm<br />
interoperability; the relations between functions <strong>and</strong> there input <strong>and</strong> output<br />
parameters are captured.<br />
• The dynamic layer recognizes various system states, including the possibility<br />
for agile <strong>and</strong> adaptive systems. The same business object exchanged with<br />
different systems can trigger very different reactions. It is also possible that<br />
the same information sent to the same system at different times can trigger<br />
different responses. This level is the first level in the realm of composability,<br />
as it requires the alignment of assumptions <strong>and</strong> constraints.<br />
• Finally, general assumptions, constraints, <strong>and</strong> simplifications need to be captured.<br />
This happens in the conceptual layer. Here, we capture the abstractions<br />
<strong>and</strong> simplifications of the perception of reality that constraint the model.<br />
The following figure shows the levels <strong>and</strong> their relation to the governing<br />
interoperation concepts.<br />
Figure 1. Levels of Conceptual Interoperability Model<br />
This model already implies that more than data mediation is needed to support<br />
composability. The context needed to support meaningful use of information to be<br />
exchanged must address the higher levels of interoperation as well.<br />
Interoperability design<br />
The main idea behind most interoperability engineering approaches was the requirement<br />
that the original systems that shall contribute to a distributed application
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
205<br />
shall not be modified. This also explains the focus on data mediation <strong>and</strong> providing<br />
middleware solutions to integrate such systems in support of a common operation.<br />
However, the LCIM shows that this cannot be sufficient. The context of the information<br />
exchange setting the intended use is as important as the information itself.<br />
While the LCIM already shows the need for better aligned of the systems holistically,<br />
model theory can be used to proof the necessity.<br />
Model theory is a branch of mathematics that deals with the interpretation<br />
of formal languages using set-theoretic structures. The topic of research is the equivalency<br />
of interpretations in different formal languages. In other words, model<br />
theory is the study of the interpretation of languages <strong>and</strong> how truth is interpreted<br />
within the language. The underlying questions are: How can we ensure that truth<br />
is consistently represented, <strong>and</strong> what does this mean for the formal languages<br />
It seems to be logical to think about formal languages when talking about<br />
implementations, as programs are written in computer languages, <strong>and</strong> computer<br />
languages are formal languages. However, we use artifacts such as the Unified Modeling<br />
Language (UML) or the System Modeling Language (SysML) for the modeling<br />
phase, <strong>and</strong> they can be interpreted as formal languages as well. Collections<br />
like the NATO Architecture Framework that are based on a common repository<br />
storing all artifacts <strong>and</strong> diagrams are formal languages as well. In order for requirements<br />
to make sense, they need to be verifiable, which normally happens in form<br />
of measuring something. SysML defines the requirement diagram <strong>and</strong> the parametrics<br />
diagram to deal with these tasks systematically; architecture framework tools<br />
support the annotation of functions with acceptance test metrics as well. However,<br />
if we can measure it, we can express it in a formal language. Finally, validation <strong>and</strong><br />
verification ensure the equivalency of transformations between different views<br />
of the model, which can be expressed formally. If we therefore can show the applicability<br />
of model theory to the tasks of semantic interoperability, we can hope for<br />
a new unifying approach that embraces requirements, modeling, implementation,<br />
<strong>and</strong> validation <strong>and</strong> verification. Therefore, model theory becomes the unifying<br />
theory that brings systems engineering, modeling <strong>and</strong> simulation, <strong>and</strong> validation<br />
<strong>and</strong> verification together <strong>and</strong> builds a formal basis to meaningfully <strong>and</strong> unambiguously<br />
discuss interoperability.<br />
In order to underst<strong>and</strong> the applicability of model theory as the foundation<br />
for a common interoperability theory, several definitions are necessary. We start<br />
with definitions for a language, universe <strong>and</strong> interpretation building the structure<br />
of the language, <strong>and</strong> finally sentences built <strong>and</strong> understood in this language.<br />
• Definition 1: A language L is a set consisting of logical symbols including<br />
constant symbols, function symbols, <strong>and</strong> relational symbols.<br />
• Definition 2: A structure for a language L is an ordered pair .<br />
A is a set of symbols. Rn is a relation defined over A such that (a 1 , …, a n )Rn<br />
if <strong>and</strong> only if a function f exists that fulfills f(a 1 , …, a n-1 ) = a n . The set part<br />
A is called the universe of a language, as they describe everything that can be
206 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
evaluated. The relation Rn is the interpretation. Combining universe <strong>and</strong><br />
interpretation results in the model of the language.<br />
• Definition 3: A sentence σ is an assertion that can be assigned the Boolean value<br />
true or false. A language is generated by a set of its elementary sentences<br />
<strong>and</strong> using its logical operators.<br />
These three initial definitions give us the tools to underst<strong>and</strong> what an interpretation<br />
of truth is in model theory. Clearly distinguishing between the language,<br />
the model of the language, <strong>and</strong> the interpretation of truth within the model of the languages<br />
helps to better address interoperability challenges. The next set of definitions<br />
allows for an unambiguous representation of truth using these constructs.<br />
• Definition 4: Let Σ be a set of sentences. U is a model of Σ whenever U⊩σ<br />
for each σΣ. This is written as U⊩Σ. Σ is satisfiable if <strong>and</strong> only if there<br />
is a structure U for which U⊩Σ.<br />
• Definition 5: A theory T is a set of sentences. If T is a theory <strong>and</strong> σ is a sentence<br />
then we write T⊩σ whenever we have that for all U we can show that<br />
if U⊩T then U⊩σ. We define σ to be a consequence of T. A theory is defined<br />
to be closed whenever it contains all consequences.<br />
• Definition 6: If U is a model of L then we define the theory of the model<br />
U, named ThU, as the set of all sentences of L which are true in U, or<br />
ThU={σL: U⊩σ}.<br />
• Definition 7: If ΣT fulfills that Σ⊩σ for every σT, in other words Σ⊩T,<br />
then Σ is a set of axioms of the theory T.<br />
Requirement sets, models, <strong>and</strong> simulation are all formal languages that shall<br />
express the same truth. Using model theory, this can now be captured that sentences<br />
of each model must be satisfiable under all other models, or we have different<br />
versions of truth at the same time in our distributed application. In order for two<br />
systems to be interoperable they have represent the same theory of the common<br />
model. What is true in one interpretation shall be true in an alternative interpretation.<br />
If something is wrong in one interpretation, it shall be wrong in the others<br />
as well. If this is not the case, we will run in mistakes <strong>and</strong> ambiguities when such<br />
systems are executed side by side.<br />
We need to significantly broaden our underst<strong>and</strong>ing of data: in model theory,<br />
everything in the universe of a language is a datum. As such, all of them need to be<br />
taken into consideration as metadata within the future interoperability theory. This<br />
vision of interoperability as enabling the consistent representation of truth in two<br />
interoperable systems cannot be reached by the current st<strong>and</strong>ards, as they only<br />
address syntactic <strong>and</strong> semantic issues, but they do not even touch the pragmatic<br />
domain of interoperation.<br />
As a first step, the research team described the LCIM formally to allow for addressing<br />
all aspects of semiotics in a consistent way. This actually allows extending<br />
the LCIM towards <strong>and</strong> Interoperability Maturity Model. Using symbols <strong>and</strong> the interpretation<br />
of these symbols mapping them to appropriate domains, the following
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
207<br />
table shows the formal definition of the LCIM levels. We define domains with sets<br />
of labels for input <strong>and</strong> output data defining the semantic context, <strong>and</strong> domains<br />
of sets of function names <strong>and</strong> sets of system state names to provide the pragmatic<br />
context. The conceptual domain is represented as constraints over all sets.<br />
Table 1. Formal definition of the LCIM<br />
LCIM Level Formal Representation Required 1<br />
Technical Level<br />
No formal representation<br />
Syntactical Level<br />
Σ* Set of Symbols<br />
I* Set of Inputs<br />
Semantic Level<br />
O* Set of Outputs<br />
Δ* Set of Domains (I,O)<br />
Pragmatic Level<br />
F* Set of Functions<br />
Δ* Set of Domains (F)<br />
Dynamic Level<br />
S* Set of States<br />
Δ* Set of Domains (S)<br />
Conceptual Level<br />
Constraints on (Σ*, Δ*, I*, O*, F*, S*)<br />
1 LCIM levels accumulate the formal representation required<br />
Summary<br />
The application of mathematical principles shows that we reached the limits<br />
of interoperability engineering. Whenever two systems have been developed<br />
independently from each other, they are likely based on different abstractions<br />
<strong>and</strong> simplifications of different perceptions of reality designed to answer different<br />
questions <strong>and</strong> support different tasks. As such, their scope, resolution, <strong>and</strong> structure<br />
of resulting concepts differ. This results in different interpretations of truth<br />
in both systems. The alignment challenges for the concepts <strong>and</strong> the harmonization<br />
challenges for the processes reside on the conceptual level <strong>and</strong> cannot be solved by<br />
technical means. No infrastructure can make two conceptually different systems<br />
interoperable. However, interoperability maturity matrixes can provide metrics<br />
that help to engineer context specific solutions which can be applied for intelligent<br />
agents support such tasks as well.<br />
To address this problem in the future, new approaches <strong>and</strong> a paradigm shift<br />
are needed. Interoperability design based on solid mathematical foundations<br />
is the future. First applications have proven the feasibility <strong>and</strong> applicability of this<br />
approach, but we are just at the beginning to underst<strong>and</strong> the deeper implications<br />
for interoperability of our operational systems.
208 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Acknowledgment<br />
This work is based on the foundational contributions in the domain of interoperability<br />
<strong>and</strong> model theory by Dr Saikou Y. Diallo, Dr Robert D. King, Dr Jose J.<br />
Padilla, Dr Charles D. Turnitsa, <strong>and</strong> Dr Heber Herencia-Zapana.<br />
References<br />
[1] A. Tolk, “Interoperability <strong>and</strong> Composability,” in J.A. Sokolowski <strong>and</strong> C.M. Banks<br />
(Eds): Modeling <strong>and</strong> Simulation Fundamentals: Theoretical Underpinnings <strong>and</strong> Practical<br />
Domains, John Wiley, pp. 403-433, 2010.<br />
[2] A. Tolk, “St<strong>and</strong>ards for Distributed Simulation,” in A. Tolk (Ed.): Engineering Principles<br />
of Combat Modeling <strong>and</strong> Distributed Simulation, John Wiley, pp. 209-241, 2012.<br />
[3] A. Tolk, L.J. Bair, S.Y. Diallo, “Supporting Network Enabled Capability by Extending<br />
the Levels of Conceptual Interoperability Model to an Interoperability Maturity<br />
Model,” Journal of Defense Modeling <strong>and</strong> Simulation (JDMS), doi:10.1177/<br />
1548512911428457, 2011.<br />
[4] A. Tolk, S.Y. Diallo, C.D. Turnitsa, L.S. Winters, “Composable M&S Web Services<br />
for Net-centric Applications,” Journal for Defense Modeling & Simulation (JDMS), 3(1)<br />
27-44, 2006.<br />
[5] S.Y. Diallo, A. Tolk, J. Graff, A. Barraco, “Using the Levels of Conceptual<br />
Interoperability Model <strong>and</strong> Model-based Data Engineering to develop a Modular<br />
Interoperability Framework,” Winter Simulation Conference, Phoenix, AZ, pp. 2571-2581,<br />
December 2012.<br />
[6] S.Y. Diallo, H. Herencia-Zapana, J.J. Padilla, A. Tolk, “Underst<strong>and</strong>ing<br />
Interoperability,” Spring Simulation Multi-Conference, Emerging M&S Applications<br />
in Industry <strong>and</strong> Academia (EAIA’11), SCS, Boston, MA, April 2011, pp. 84-91.<br />
[7] A. Tolk, S.Y. Diallo, J.J. Padilla, <strong>and</strong> C.D. Turnitsa, “How is M&S Interoperability<br />
different from other Interoperability Domains” Spring Simulation Interoperability<br />
Workshop, Boston, MA, pp. 12-20, April 2011.<br />
[8] A. Tolk, Saikou Y. Diallo, Jose J. Padilla, “Semiotics, Entropy, <strong>and</strong> Interoperability<br />
of Simulation Systems – Mathematical Foundations of M&S St<strong>and</strong>ardization,” Winter<br />
Simulation Conference, Berlin, Germany, December 2012.
Semantic Interoperability by Means<br />
of Computer Languages<br />
Ľubomír Dedera<br />
Department of Informatics, Armed Forces Academy of Gen. M.R. Štefánik,<br />
Liptovský Mikuláš, Slovakia, Lubomir.Dedera@aos.sk<br />
Abstract: In this paper we introduce computer language syntax <strong>and</strong> semantic processing techniques<br />
as a means to achieve semantic interoperability in the selected areas of comm<strong>and</strong> <strong>and</strong> control systems.<br />
Specifically we focus on the topic of domain-specific languages in the area of military comm<strong>and</strong> <strong>and</strong><br />
control systems, where we present how separation of concrete <strong>and</strong> abstract syntax <strong>and</strong> semantics<br />
can help design languages with multilingual support that are exploitable in integration of national<br />
comm<strong>and</strong> <strong>and</strong> control systems <strong>and</strong> deployment in multinational environment.<br />
Keywords: computer languages; domain-specific languages; syntax; semantics; comm<strong>and</strong> <strong>and</strong> control<br />
system<br />
I. Introduction<br />
In order to bring the idea of computer languages (CLs) in comm<strong>and</strong> <strong>and</strong><br />
control (C2) systems closer, first let us look at probably the best known group<br />
of CLs – “classical” programming languages.<br />
The role of high-level programming languages (PLs) (like C, Java, Lisp, Prolog)<br />
is widely known not only in the technical community. They play inevitable role<br />
in the process of software development. A programming language is an artificial<br />
computer language designated to express computations that can be performed by<br />
a machine. PLs can be used to create programs that control the behavior of a machine,<br />
to express algorithms precisely, or as a mode of human communication [1].<br />
Most PLs describe computation in an imperative style, i.e. as a sequence of comm<strong>and</strong>s<br />
<strong>and</strong> support object-oriented paradigm of programming (OOP). However,<br />
there are PLs supporting declarative programming paradigms such as functional<br />
(Lisp) or logical (Prolog) paradigms.<br />
Most PLs belong to the group of general-purpose programming languages.<br />
It means that they can be used to code software applications for many various application<br />
domains. Typically they are Turing-complete; loosely speaking, according<br />
to the Church-Turing Thesis it means that they are capable of describing solutions<br />
of all algorithmically solvable problems.
210 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Another family of computer languages, which will be in focus of our attention,<br />
is the family of domain-specific languages. Domain-specific languages (DSLs) are<br />
computer languages designed for a specific class of problems <strong>and</strong> for particular application<br />
domains [2], [3]. They can be dedicated to a particular problem domain,<br />
a particular problem representation technique or a particular solution technique.<br />
The basic idea behind DSLs is to offer means which would allow expressing solutions<br />
in the idioms <strong>and</strong> at the abstraction level of the problem domain. The consequence<br />
is that domain experts (or qualified users) can express, validate or modify<br />
solutions described in a particular DSL. They might be designed with the intention<br />
to be [3], [4]:<br />
• Programming languages dedicated for a particular problem domain, or<br />
• Specification languages dedicated for a particular problem domain.<br />
DSLs can have both textual <strong>and</strong> graphical (visual diagrams) forms. The latter<br />
one is popular due to an increasing number of supporting tools for its creation (e.g.<br />
Generic Eclipse Modeling System, or Microsoft Visual Studio DSL); the former<br />
one usually brings higher productivity. DSLs can be classified as either internal or<br />
external. Internal DSLs are only extensions of existing general-purpose computer<br />
languages. They are sets of functions, data structures, <strong>and</strong> conventions applied to<br />
existing languages, such as C++ or Java. On the contrary, external DSLs are independent<br />
languages that have been entirely designed for their specific purpose.<br />
Generally, a DSL “program” can be viewed as a text file, which is then interpreted<br />
(or compiled) by the corresponding engine or subsystem. The great advantage<br />
of properly-designed DSLs is that they are both:<br />
• Human-readable <strong>and</strong> underst<strong>and</strong>able (in comparison with, for example,<br />
XML-based languages, which are also sometimes considered to be humanreadable),<br />
<strong>and</strong><br />
• Machine-processible, since they have formally defined syntax <strong>and</strong> semantics.<br />
DSLs are primarily used in software engineering where they can help overcome<br />
the gap between the worlds of domain experts <strong>and</strong> implementers of software<br />
systems. Their design <strong>and</strong> implementation are challenging tasks since they require<br />
expert knowledge of both the problem domain <strong>and</strong> the area of computer languages,<br />
language processors, compilers, <strong>and</strong> interpreters.<br />
CLs (DSLs) have promising potential to be utilized within modern C2 systems.<br />
This potential comes from the fact that military application domains have established<br />
their own terminology with quite formal syntax <strong>and</strong> semantics [5] as well<br />
as a st<strong>and</strong>ardized way of information exchange [6]. Currently probably the most<br />
significant initiative within NATO connected with the utilization of artificial CLs<br />
is a series of projects <strong>and</strong> activities connected with the development of the Coalition<br />
Battle Management Language (C-BML) [7], [8], [9], [10]. The objective was to “define<br />
an unambiguous language to describe a comm<strong>and</strong>er’s intent, to be understood by<br />
both live forces <strong>and</strong> automated systems, for simulated <strong>and</strong> real world operations.<br />
The resulting language is intended to be applicable not only to simulation systems,
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
211<br />
but also to operational comm<strong>and</strong> <strong>and</strong> control systems, <strong>and</strong> robotic systems” [7].<br />
The language developed on the basis of Comm<strong>and</strong> <strong>and</strong> Control Lexical Grammar<br />
(C2LG) with a GUI editor [8], [9] is an XML-based one <strong>and</strong> a series of experiments<br />
<strong>and</strong> demonstrations has been undergone with the aim to prove that C-BML<br />
is a promising tool for the exchange of orders <strong>and</strong> reports between individual C2<br />
systems <strong>and</strong> constructive simulators [10]. Since the author of this contribution<br />
has not been involved in the aforementioned projects, in the rest of the paper we<br />
will try for an “independent” view of the topic.<br />
We consider DSLs to be a supplementary technology that could be used together<br />
with the mainstream ontology <strong>and</strong> semantic web technologies. In the case<br />
of C2 systems we see the following areas of utilization of DSLs:<br />
• Specification <strong>and</strong> modeling tools in the process of development of C2<br />
systems, <strong>and</strong><br />
• Subsystems of C2 systems themselves.<br />
In this paper we will consider the latter possibility of utilization. A DSL subsystem<br />
can be incorporated into the architecture of a C2 system (Fig. 1). The DSL<br />
subsystem is used by the User Interface <strong>and</strong>/or System Integration Interface subsystems<br />
<strong>and</strong> its role is to process inputs in the form of documents prepared in the DSL.<br />
These documents can have both textual <strong>and</strong> graphic forms containing, for example,<br />
observed <strong>and</strong> human-processed information about the battlespace awareness <strong>and</strong><br />
knowledge that can influence the Common Operational Picture (COP), or they<br />
could also contain direct comm<strong>and</strong>s that could be processed by the Executive<br />
Control Subsystem, which could disseminate them to the appropriate entities.<br />
Figure 1. Elements of an architecture of a C2 system that are interesting from a DSLs point of view<br />
212 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Multinational character of military units <strong>and</strong> operations as well as C2 systems<br />
integration challenges leads us to the idea of DSLs with multilingual support. With<br />
multilingual support we mean DSLs with different syntax, but with mutually related<br />
semantic processing [11], [12]: At first sight, a language used e.g. in a U.S. system<br />
would seem to be different than that in a Slovak system, but the tasks that can be<br />
described by language constructions in both systems would probably be very similar.<br />
Similarly, in the case of C2 system integration an XML-based language would<br />
be preferred (as in the case of [10]). On the other h<strong>and</strong>, analogically as the great<br />
majority of programming languages is not XML-based, when the primary target<br />
of the language is a human, an XML-based language probably would not be<br />
the preferred choice.<br />
Now let us look at the syntactical <strong>and</strong> semantic aspects of CLs, bearing in mind<br />
multilingual character of DSLs.<br />
II. Syntax, semantics, <strong>and</strong> processing of computer languages<br />
In order to be able to be processed by machines CLs need to have exactly<br />
<strong>and</strong> unambiguously specified their syntax <strong>and</strong> semantics. Syntax of CLs is usually<br />
specified by means of context-free grammars (CFGs) or from CFGs derived<br />
Backus-Naur forms (BNFs) [2], [13], [14], [15].<br />
A context-free grammar is a 4-tuple<br />
G = (N, T, P, S), (1)<br />
where N is a finite set of non-terminal characters (or variables), T is a finite set<br />
of terminal characters (or terminals), S, SÎN is the starting symbol of the grammar<br />
from which each derivation starts, <strong>and</strong> P is a finite set of productions (or rewriting<br />
rules) of the form<br />
B → α, (2)<br />
where BÎN is the left-h<strong>and</strong> side <strong>and</strong> αÎ(NÈT) * is the right-h<strong>and</strong> side of the production.<br />
When designing a DSL with multilingual support, it seems to be rational to<br />
separate its abstract syntax from its concrete syntaxes. For example, if we need two<br />
language representations, we will use a common abstract syntax <strong>and</strong> two concrete<br />
syntaxes. Both abstract <strong>and</strong> concrete syntaxes can be expressed using CFGs (1) <strong>and</strong><br />
in both cases syntax of individual productions has to be designed with respect to<br />
semantic processing of the productions.<br />
The grammar expressing abstract syntax is not intended to be directly used<br />
by the parser, therefore it does not have to be unambiguous nor deterministic<br />
context-free of a specified type. It should define elements, or concepts, that make<br />
up a language (regardless of the concrete form of the language) <strong>and</strong> the rules for<br />
composition of these elements [12]. When designing an abstract syntax of a lan-
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
213<br />
guage, a good starting point is to create a domain model of the language [2], [16].<br />
The grammar expressing concrete syntax should come out of the one describing<br />
abstract syntax <strong>and</strong> should mainly populate it with concrete lexical elements <strong>and</strong><br />
specifics of the concrete language representation. Lexical elements (i.e. terminal<br />
symbols of the CFG) are usually simple enough to be described by means of regular<br />
expressions <strong>and</strong> recognized by finite-state automata [13], [15]. The grammar<br />
describing the concrete syntax is directly used by the parser. Therefore, when designing<br />
concrete syntax of a particular CL, it is necessary to cope with the following<br />
challenges at the same time:<br />
• The concrete syntax should be based on natural language constructions<br />
commonly used in the particular context in the problem domain; otherwise<br />
there would be a high risk that the users would refuse to use the DSL.<br />
For that reason, the knowledge of the problem domain is very important.<br />
• In order to be parseable, the CFG should be a deterministic context-free<br />
grammar of a type corresponding to the particular type of parser used (most<br />
often, LL(1) or LALR(1)). This requirement is connected with the unambiguousness<br />
of the language generated by the CFG (although there are<br />
parsing techniques that are able to cope with “controlled ambiguousness”<br />
of the language being processed [13]) as well as the computational complexity<br />
of the process of parsing: an arbitrary context-free language can be<br />
parsed in O(n 3 ) time [15], but in the case of above mentioned deterministic<br />
context-free grammars this time-complexity can be reduced to O(n), where<br />
n represents the length of the language sentence being parsed.<br />
Generally, there are two main strategies of parsing CLs – top-down, where<br />
the parse tree of the given input is constructed from the root towards the leaves<br />
<strong>and</strong> bottom-up, where the parse tree is constructed in the opposite direction<br />
[2], [13], [17]. A typical type of top-down parser is a LL(1) parser, which<br />
is supported by the ANTLR (ANother Tool for Language Recognition) or JavaCC<br />
parser generators. Most commonly-used bottom-up parsers are LALR(1) parsers,<br />
which are supported by Yacc/Bison parser generators. In general, bottom-up parsing<br />
techniques are more powerful than the top-down ones in the sense of the class<br />
of recognized languages [13].<br />
For the reason of semantic processing we can populate the right-h<strong>and</strong> sides<br />
of the productions (2) with semantic action symbols. Semantic action symbols play<br />
an important role in the CL subsystem architecture (Fig. 2). The parser component<br />
(e.g. of LALR(1) type) is the central controlling unit of the whole CL subsystem.<br />
It uses the lexical analyzer to recognize lexical elements from the input. When<br />
the parser comes across a semantic action symbol (while processing a particular<br />
production or its part), it calls the corresponding semantic routine. Mutual communication<br />
among semantic routines can be implemented by means of a semantic<br />
stack maintained by the parser. Concrete techniques for implementing a semantic<br />
stack depend on the type of parser [13].
214 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 2. Component architecture of the CL subsystem <br />
III. Example of utilization of abstract <strong>and</strong> concrete syntax<br />
<strong>and</strong> semantics<br />
To demonstrate the concepts of DSLs with multilingual support in the environment<br />
of C2 systems, let us consider a simple DSL, in which we want to express<br />
the following (abstract) concepts:<br />
• Sequence of comm<strong>and</strong>s, where each comm<strong>and</strong> could be either move or<br />
destroy comm<strong>and</strong>;<br />
• Move comm<strong>and</strong> – instructing a particular object to move its location to<br />
particular coordinates;<br />
• Destroy comm<strong>and</strong> – instructing a particular weapon system to destroy<br />
a target at particular coordinates;<br />
• An object could be either a weapon system or a (military) unit;<br />
• Unit, weapon system <strong>and</strong> coordinates could be lexical elements (depicted<br />
in bold).<br />
The domain model of the language (Fig. 3) can be expressed using a UML<br />
class diagram with generalization <strong>and</strong> aggregation relationships.<br />
Consecutively the abstract syntax of the language can be expressed with<br />
a CFG with the following productions (including semantic action symbols – their<br />
identifiers start with #):<br />
1. → <br />
2. → ε<br />
3. → <br />
4. → <br />
5. → #process_move<br />
6. → #process_destroy<br />
7. → <br />
8. → <br />
9. → unit #process_unit
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
215<br />
10. → weapon_system #process_weapon_system<br />
11. → coordinates #process_coordinates<br />
Figure 3. Domain model of the DSL (Source: Author)<br />
Now let us turn to the concrete syntaxes. In Language Representation 1<br />
(e.g. U.S.) we require:<br />
• Comm<strong>and</strong>s finished with semicolons (;);<br />
• Concrete syntax of the move comm<strong>and</strong> is move to ;<br />
• Concrete syntax of the destroy comm<strong>and</strong> is destroy by<br />
.<br />
These concrete language requirements can be fulfilled using the following<br />
productions:<br />
1. → ; <br />
5. → move to #process_move<br />
6. → destroy by <br />
#process_destroy
216 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In Language Representation 2 (Slovak) we require:<br />
• Comm<strong>and</strong>s finished with dots (.);<br />
• Concrete syntax of the move comm<strong>and</strong> is Presuň do ;<br />
• Concrete syntax of the destroy comm<strong>and</strong> is Znič zbraňou <br />
cieľ .<br />
Similarly, these concrete language requirements can be fulfilled using the following<br />
productions:<br />
1. → . <br />
5. → Presuň do #process_<br />
move<br />
6. → Znič zbraňou cieľ <br />
#process_destroy<br />
The aim of semantic processing is to properly interpret language constructs<br />
that are recognized by the parser. Of course, semantic meaning of the corresponding<br />
language constructs in both language representations should be the same <strong>and</strong><br />
the aim is also to utilize language-independently as much of the semantic processing<br />
as possible. Lexical elements (in our example, key words, identifiers of military<br />
units <strong>and</strong> weapon systems <strong>and</strong> GPS coordinates) might be language-dependent<br />
<strong>and</strong> that is why a separate lexical analyzer has to be constructed for each language<br />
representation. Another aspect that must be taken into account during lexical as well<br />
as semantic processing comes from different naming conventions, measurement<br />
units, data formats <strong>and</strong> representations, etc.<br />
For example, in our grammars describing concrete syntaxes we can derive<br />
the following semantically equivalent language constructs:<br />
• move Platoon 1 to N49˚4'1,21'' E19˚35'53,62''; destroy N49˚5'3,2''<br />
E19˚34'33,12'' by Tank 1;<br />
• Presuň Čata 1 do 49˚4‘1,21‘‘N 19˚35‘53,62‘‘E. Znič zbraňou Tank 1 cieľ<br />
49˚5‘3,2‘‘N 19˚34‘33,12‘‘E.<br />
For the majority of the semantic routines it is necessary to pass some data<br />
(called semantic attributes) to other semantic routines. For example, the semantic<br />
routine #process_coordinates needs to pass the GPS coordinates recognized<br />
by the lexical analyzer to the semantic routines #process_move or<br />
#process_destroy. This task can be accomplished using a semantic stack [13].<br />
A semantic stack is a second stack maintained by the parser which contains semantic<br />
records associated with the terminals <strong>and</strong> variables of productions being<br />
parsed. Each semantic record can contain arbitrary information (semantic attributes)<br />
that needs to be passed between individual semantic routines. The semantic<br />
records associated with the variables of individual productions are depicted<br />
in the pseudocode of semantic routines in the same way as the corresponding<br />
, but using the Courier font. Next follows the description<br />
of semantic routines:
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
217<br />
#process_move<br />
{<br />
Call the Executive Control Subsystem<br />
to process the move comm<strong>and</strong><br />
instructing the object to<br />
move to the coordinates<br />
;<br />
}<br />
#process_destroy<br />
{<br />
Call the Executive Control Subsystem<br />
to process the destroy comm<strong>and</strong><br />
instructing the weapon system<br />
to<br />
destroy the target at the<br />
coordinates ;<br />
}<br />
#process_unit<br />
{<br />
← unit recognized by the<br />
lexical analyzer;<br />
}<br />
#process_weapon_system<br />
{<br />
← weapon system<br />
recognized by the<br />
lexical analyzer;<br />
}<br />
#process_coordinates<br />
{<br />
← coordinates<br />
recognized by the lexical analyzer;<br />
}<br />
The common abstract syntax tree of the above mentioned language constructs<br />
(i.e. independent of a concrete language representation) is depicted<br />
in Fig. 4, the parse tree for the Language Representation 1 is in Fig. 5. In both<br />
figures the flow of semantic attributes during semantic processing is depicted.<br />
We would like to point out that the semantic information contained in the semantic<br />
attributes (.object_type, .unit_type, .coordinates, etc.)<br />
is in a unified (canonical) form regardless of the concrete language representation<br />
used. To demonstrate the power of the presented language processing techniques<br />
we intentionally used different formats of GPS coordinates <strong>and</strong> different order<br />
of “weapon system” <strong>and</strong> “target” clauses in the individual language representations<br />
in the examples of language constructs.
218 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 4. Abstract syntax tree, with the flow of semantic attributes<br />
Figure 5. Parse tree for a concrete language representation, with the flow of semantic attributes<br />
IV. Conclusion<br />
The aim of this paper was to introduce computer language syntax <strong>and</strong> semantic<br />
processing techniques as a means to achieve semantic interoperability in the selected<br />
areas of C2 systems. We tried to point out the parallels between PLs <strong>and</strong> DSLs exploitable<br />
in military information systems regarding their syntactical <strong>and</strong> semantic<br />
processing. The role of a trained military comm<strong>and</strong>er in relation to a DSL can be<br />
analogical to the role of a computer programmer in relation to a programming<br />
language. Other aspects of utilizing CLs within the military domain are connected<br />
with the NNEC <strong>and</strong> system integration challenges [18], [19], [20]. In this paper we<br />
also tried to introduce the notion of DSLs with multilingual support in the context<br />
of C2 systems. Due to national information systems integration <strong>and</strong> interoperability
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
219<br />
challenges we find it interesting to study <strong>and</strong> design DSLs with different concrete<br />
syntaxes, but with mutually related semantic processing; from this point of view,<br />
C-BML [10] can be viewed as one language representation suitable for a particular<br />
purpose (system integration) <strong>and</strong> JC3IEDM [6] as a basis for structure of the semantic<br />
information being processed. The principles of language design <strong>and</strong> processing<br />
presented in this paper could lead to the design of the whole family of “BMLs”, each<br />
tailored for particular audience or purpose, together with their language processors.<br />
Considering the principles C-BML has been designed on (e.g. 5 Ws concepts [8]) this<br />
goal seems to be achievable. The goal can be accomplished by utilizing an abstract<br />
syntax of the language <strong>and</strong> defining the great majority of semantic processing on it:<br />
this approach can lead to faster development of DSL subsystems within information<br />
systems. We have tried to give a simple example of designing a DSL with an abstract<br />
syntax <strong>and</strong> two concrete syntaxes based on the domain model of the language.<br />
The grammar described in the example was designed for demonstration purposes<br />
only <strong>and</strong> should not be considered as a result of deeper research in this area.<br />
References<br />
[1] R.W. Sebesta, Concepts of Programming Languages (9th Edition), Addison Wesley,<br />
Boston, 2009.<br />
[2] M. Fowler, Domain-Specific Languages, Addison-Wesley Professional, Boston, 2010.<br />
[3] A. Deursen, P. Klint, <strong>and</strong> J. Visser, “Domain-specific languages: an annotated<br />
bibliography,” SIGPLAN Notices, vol. 35, no. 6, 2000, pp. 26-36.<br />
[4] A. Kleppe, Software Language Engineering: Creating Domain-Specific Languages<br />
using Metamodels, Addison-Wesley Professional, Boston, 2008.<br />
[5] NATO STANAG 2014: Formats for Orders <strong>and</strong> Designation of Timings, Locations<br />
<strong>and</strong> Boundaries, North Atlantic Treaty Organisation, 2000.<br />
[6] NATO STANAG 5525: Joint C3 <strong>Information</strong> Exchange Data Model – JC3IEDM,<br />
North Atlantic Treaty Organisation, 2007.<br />
[7] C. Blais, M.R. Hieb, <strong>and</strong> K. Galvin, “Coalition battle management language (C-BML)<br />
study group report,” 05F-SIW-041, Fall Simulation Interoperability Workshop 2005,<br />
Orl<strong>and</strong>o, FL, September 2005.<br />
[8] U. Schade <strong>and</strong> M.R. Hieb, “Formalizing battle management language: A Grammar<br />
for Specifying Orders,” Spring Simulation Interoperability Workshop, Huntsville,<br />
Alabama, April 2006.<br />
[9] K. Rein, U. Schade, <strong>and</strong> M.R. Hieb, “Battle management language (BML) as an enabler,”<br />
IEEE International Conference on <strong>Communications</strong>, ICC 2009, Dresden, Germany,<br />
June 2009.<br />
[10] K. Heffner, A. Brook, N. de Reus, L. Khimeche, O.M. Mevassvik, M. Pullen,<br />
U. Schade, J. Simonsen, <strong>and</strong> R. Gomez-Veiga, “NATO MSG-048 C-BML final report<br />
summary,” 2010 Fall Simulation Interoperability Workshop (Paper 10F-SIW-039),<br />
September 2010, Orl<strong>and</strong>o, FL.
220 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[11] Ľ. Dedera, “Domain-specific languages for comm<strong>and</strong> <strong>and</strong> control systems,” Science<br />
& <strong>Military</strong>, no. 1, vol. 5, 2010, pp. 40-46.<br />
[12] J. Porubän, M. Sabo, J. Kollár, <strong>and</strong> M. Mernik, “Abstract syntax driven language<br />
development: defining language semantics through aspects,” FML ‘10: Proceedings<br />
of the International Workshop on Formalization of Modeling Languages, Maribor,<br />
Slovenija, 2010.<br />
[13] J. Fisher <strong>and</strong> R.J. LeBlanc, Crafting a Compiler with C, Benjamin – Cummings<br />
Publishing Co., New York, 1992.<br />
[14] N. Chomsky, Aspects of the Theory of Syntax, The Massachusetts Institute<br />
of <strong>Technology</strong>, 1965.<br />
[15] M. Sipser, Introduction to the Theory of Computation, Thomson Course <strong>Technology</strong>,<br />
2nd edition, 2006.<br />
[16] M. Fowler, Patterns of Enterprise Application Architecture, Addison-Wesley, Boston,<br />
2003.<br />
[17] D. Jurafsky <strong>and</strong> J.H. Martin, Speech <strong>and</strong> Language Processing, Upper Saddle River,<br />
NJ: Pearson Education, 2nd Edition, Chapter 13 “Syntactic Parsing”, 2009.<br />
[18] D.S. Alberts, J.J. Garstka, <strong>and</strong> F.P. Stein, Network Centric Warfare: Developing<br />
<strong>and</strong> Leveraging <strong>Information</strong> Superiority, CCRP, 2000.<br />
[19] J. Baráth <strong>and</strong> M. Harakaľ, “Nové prístupy v hodnotení systémov riadenia a velenia<br />
v prostredí NNEC = New approaches to evaluating comm<strong>and</strong> <strong>and</strong> control systems<br />
in NNEC environment,” Science & <strong>Military</strong>, no. 2, vol. 3, 2008, pp. 40-43, in Slovak.<br />
[20] M. Turčaník, “New trends in modeling <strong>and</strong> simulation in military applications,” KIT<br />
2011 – Communication <strong>and</strong> <strong>Information</strong> Technologies: 6th International Scientific<br />
Conference, October 2011, Tatranské Zruby, Slovakia.
Semantic Model for Context – Aware Service<br />
Provision in Disadvantaged Network Environment<br />
Joanna Śliwa<br />
C4I Systems Department, <strong>Military</strong> Communication Institute, Zegrze, Pol<strong>and</strong>,<br />
j.sliwa@wil.waw.pl<br />
Abstract: The use of ontologies can facilitate many processes in C4I systems. They can be used<br />
to provide unambiguous description of data sent among systems as well as automate realization<br />
of services in dynamic NEC environment. The use of ontologies has been also proposed in the area<br />
of mobile computing, where the ability to react to dynamic changes of the environment with minimal<br />
human intervention is a fundamental requirement. A common element in the architecture of ubiquitous<br />
applications is a proxy, an element in charge of executing a number of content adaptations on<br />
behalf of one or several client applications running on mobile devices. These adaptations are triggered<br />
by specific conditions involving the mobile devices on which the applications execute. The article<br />
describes proposal of the semantic model for context – aware service provision in disadvantaged<br />
environment that is used to dynamically select adaptation actions performed on SOAP messages<br />
flowing from the service to the client entity.<br />
Keywords: adaptation, AFRO, ontology<br />
I. Introduction<br />
Modern coalition operations are conducted in a dynamic environment, usually<br />
with unanticipated partners <strong>and</strong> irregular adversaries. In order to act successfully<br />
they need technical support that gives modularity <strong>and</strong> flexibility in connecting heterogeneous<br />
systems of cooperating allies. To support such co-operation in the NATO<br />
community, the Service Oriented Architectures (SOAs) [1] are recommended<br />
as the crucial Network Enabled Capability (NEC) enabler [2-4].<br />
The most mature implementation of SOA, recommended by NATO <strong>and</strong> widely<br />
applied in the commercial sector, are Web Services (WS) [5]. WSs are described by<br />
a wide range of st<strong>and</strong>ards that deal with different aspects of their realization, transport,<br />
orchestration, semantics, etc. They provide the means to build a very flexible<br />
environment that is able to dynamically link different system components to each<br />
other. These st<strong>and</strong>ards are based on the eXtensible Markup Language (XML) <strong>and</strong><br />
have been designed to operate in high b<strong>and</strong>width links. XML gained wide acceptance<br />
<strong>and</strong> became very popular for the reason that it solves many interoperability
222 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
problems, is human- <strong>and</strong> machine-readable <strong>and</strong> facilitates the development of frameworks<br />
for software integration, independent of the programming language. Nevertheless<br />
it undoubtedly adds significant overhead, both in terms of necessary<br />
computation power <strong>and</strong> consumption of network resources while being transported.<br />
In the military domain the challenge is therefore to apply SOA in low b<strong>and</strong>width<br />
tactical communications systems, which usually cope with high error rates <strong>and</strong><br />
frequent disruptions. Such networks are usually referred to as disadvantaged ones.<br />
Figure 1. Client – server relations in military network<br />
The services at the first stage of the Networking <strong>and</strong> <strong>Information</strong> Infrastructure<br />
(NII) [2] development are mainly located on high echelons of comm<strong>and</strong> –<br />
strategic <strong>and</strong> operational. They are used for planning purposes <strong>and</strong> provide good<br />
basis for creating situational awareness <strong>and</strong> self–synchronization of cooperating<br />
forces. However information in the system is being exchanged vertically <strong>and</strong><br />
horizontally among mission participants in order to fulfil their tasks, act faster<br />
<strong>and</strong> make reliable decisions (see Figure 1). Users at the lowest comm<strong>and</strong> levels<br />
need in particular information about the location <strong>and</strong> status of their <strong>and</strong> allied<br />
forces as well as about the enemy ones. This information from the Force Tracking<br />
Systems is available at the operational level but not always accessible for the lower<br />
level comm<strong>and</strong>ers. They are usually located in tactical communication systems<br />
that use radio communications with scarce network resources in terms of high<br />
delay, error rate, <strong>and</strong> limited b<strong>and</strong>width. What is more, they are equipped with<br />
mobile terminals that have limited computational <strong>and</strong> software resources as well<br />
as limited battery power. That makes it difficult to provide the user with the same<br />
service functionality as provided to the users at operational <strong>and</strong> strategic comm<strong>and</strong><br />
levels. The tactical user is very often not able to receive nor process a big amount<br />
of data. The solution that this article focuses on is therefore to enable the client to<br />
use the service in a limited way (with limited number of information provided or<br />
provided by a different mechanism) <strong>and</strong> adapt the service provision mechanism<br />
to the client’s software <strong>and</strong> hardware possibilities.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
223<br />
II. Context-aware service provision<br />
Context – aware applications refer to a general class of mobile systems that<br />
can sense their physical environment, <strong>and</strong> adapt their behaviour accordingly. They<br />
derive from the ubiquitous (or pervasive) computing concept that was presented<br />
in 1991 by Mark Weiser [7] who set its foundation. This concept developed for<br />
the commercial applications began the new field of interest of many researchers<br />
where the area of context-aware applications became an important part.<br />
In context – aware service provision it is generally important where the client<br />
is, what are his actions/duties, what terminal is he using, what resources are nearby,<br />
etc. [8]. In many applications the most important aspect is location but this can be<br />
extended to include different characteristics (user actions, device, surrounding environment,<br />
etc.). Context recognition allows users to take full advantage of the local<br />
capabilities within a given environment, <strong>and</strong> be able to seamlessly roam between<br />
several environments, choose different services, even as the defined context change.<br />
The idea of context – aware service provision was used in the development<br />
of the Adaptation Framework for Web Service provision in disadvantaged environment<br />
(AFRO). It is aimed at improving successability of SOAP web services<br />
invocation in tactical environment, which is characterized by dynamic changes<br />
in throughput, error rate <strong>and</strong> delay. Successful service invocation in this case<br />
is understood as the possibility to deliver response message requested by the client<br />
from the target service.<br />
AFRO follows the assumption that in order for a web service to function<br />
more efficiently it is necessary to minimize the amount of data transmitted to<br />
the user. The actual traffic flow related to web services’ interactions is burdened<br />
with the XML overhead which greatly limits communication link goodput. It is<br />
highly recommended therefore:<br />
• to improve encoding efficiency, i.e. enhancing the ratio of the user data to<br />
the management data in the SOAP message, <strong>and</strong><br />
• to reduce the number of unnecessary data (or data that cannot be consumed)<br />
to the users of degraded networks.<br />
Limiting the size of traffic flow to the users of wireless networks will improve<br />
the successability of web service calls <strong>and</strong> will support users with information<br />
crucial for their operation in the battlefield.<br />
Message adaptation actions can be therefore twofold:<br />
• lossless – e.g. actions that improve message encoding enabling the consumer’s<br />
side to decode it without losing any of the data <strong>and</strong> without the transport<br />
protocol change (e.g. HTTP to MMHS), <strong>and</strong><br />
• lossy – cutting out information that the user agrees to be filtered out.<br />
Selection of appropriate adaptation action is not a trivial task <strong>and</strong> needs to be<br />
based on several types of information. First of all, adaptation does not have to be<br />
performed when the connections are stable, network has high b<strong>and</strong>width, acceptable
224 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
delay, no losses, <strong>and</strong> therefore, does not provide limitations for web service provision.<br />
The information about the network state is important in order not to spoil<br />
time on unnecessary actions.<br />
The second important aspect is necessity to take into account users’ preferences<br />
in terms of adaptation. They will be included in, so called, user profile,<br />
within which the user will state his adaptation preferences, <strong>and</strong> device profile, which<br />
defines his terminal’s software <strong>and</strong> hardware possibilities. This set of information<br />
is necessary for selecting the actions that would meet the user intentions <strong>and</strong>, at<br />
the same time, would not make it impossible for the user terminal to receive <strong>and</strong><br />
decode the message. This results from the fact that when the message is received<br />
at the user terminal it is firstly processed by the software libraries installed on it.<br />
Existence of particular software libraries implies therefore possibility of particular<br />
message encoding actions. Additionally, terminal information can help in parameterizing<br />
images <strong>and</strong> video streams that would be directed to the user working<br />
on a particular device.<br />
Such an approach makes it necessary to provide a mechanism for provisioning<br />
<strong>and</strong> then efficiently using information about the user, his terminal, the network <strong>and</strong><br />
service invoked. This problem has been defined as the need to identify the context<br />
of the service call. It has been proposed in the form of ontology that allows to clearly<br />
define parameters of entities taking part in the information distribution process <strong>and</strong><br />
then, on the basis of the set of rules <strong>and</strong> the rule engine, efficiently support the decision<br />
process enabling to take adaptation actions improving service successability.<br />
On the basis of previous considerations the architecture of the Adaptation<br />
Framework for Web Service Provision (AFRO) has been proposed (see Figure 2).<br />
It bases on the Decision Support Engine that uses information about the context<br />
of the service call as the input data, <strong>and</strong>, on the basis of ontology rules, defines<br />
the adaptation actions to be triggered on the SOAP body <strong>and</strong> SOAP attachments by<br />
the Adaptation engine. Such a modified SOAP message has smaller size than the original<br />
one <strong>and</strong> as such, is sent to the requester.<br />
The ontology proposed <strong>and</strong> the rule engine strongly support dynamic selection<br />
of adaptation actions appropriate for the user. They are used by the Decision<br />
Support Engine that returns in response a set of actions. These actions derive from<br />
the Proxy functionality. They can be embedded (e.g. take the form of the Adaptation<br />
engine, see Figure 2) or, taking different approach, distributed. The latter one can be<br />
implemented using SOA services orchestration. After the Proxy selects appropriate<br />
actions for the user, it searches for the services that will provide appropriate<br />
mediation (will carry out the action).<br />
Whatever approach to Proxy implementation one can take, the application<br />
of the Decision Support Algorithm <strong>and</strong> the proposed adaptation ontology (AAO)<br />
will supply him with the dynamic selection of actions to be taken.<br />
It is also assumed that the Proxy will make use of information provided by<br />
external element – Network Monitoring Element that will support it with informa-
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
225<br />
tion about currently observed network performance on the link to the user. This<br />
performance information (in terms of throughput, delay <strong>and</strong> error rate) will be<br />
used by the decision support algorithm. In case the network is categorized as disadvantaged,<br />
the Proxy will make the modifications stronger, decreasing the amount<br />
of information that is sent to the user (in terms of image modifications), however<br />
making it more probable to be transferred to the consumer.<br />
Figure 2. AFRO architecture framework<br />
A. Reflecting user requirements<br />
One of the elements of the proposed Method is context of the service call.<br />
In case of the AFRO proxy it is perceived as a collection of information:<br />
• about the user: What modifications of the SOAP messages’ content is the user<br />
willing to accept What device is he using as his end terminal What access<br />
network is he using<br />
• the device: What are the characteristics of the device hardware (resolution<br />
of the screen, CPU frequency) What are the characteristics of the device<br />
software (operating system, supported libraries)<br />
• the service: What is the service description<br />
• <strong>and</strong> underlining network: What is the network type What is the current<br />
link performance<br />
The reason for the dynamic adaptation to be based on the pre-distributed<br />
information is that the user – from the point of view of his activities – may not<br />
wish the mechanism to modify contents of the message <strong>and</strong> modify the attachment<br />
(resize, compress, decrease colour depth). In order for the non-st<strong>and</strong>ard XML<br />
encoding to be used at the receiver, the device must be equipped with appropriate<br />
libraries. It is very often an issue in mobile devices that use limited operating systems
226 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> limited set of libraries <strong>and</strong> do not support software implementations regularly<br />
used in laptops or PCs. The environment the adaptation framework is to be used<br />
in assumes utilization of mobile h<strong>and</strong>-held devices the configuration of which<br />
(software <strong>and</strong> hardware) is important in terms of successful web services adaptation.<br />
The context of the service call has been modelled semantically with the Web<br />
Ontology Language (OWL DL [9]), which is the most powerful ontology description<br />
language <strong>and</strong> promising in terms of further processing, rule enforcement <strong>and</strong><br />
inference [10].<br />
The context information has static <strong>and</strong> dynamic elements. It generally consists<br />
of: user context (adaptation preferences – static), device profile (static), service<br />
context (QoS profile – static), network context (Link performance – dynamic).<br />
B. Application of rules<br />
For the purpose of selecting the adaptation actions the decision engine uses<br />
the AFRO Adaptation Ontology (AAO) describing all the actions that can be taken<br />
by the proxy, reflecting the user preferences. In order to make use of the adaptation<br />
ontology a set of rules has been defined. Rules are important in OWL to state facts<br />
about instances of classes.<br />
The rules in AFRO define requirements for particular actions based on information<br />
that are provided in the context of the service call. They have been defined<br />
using the Semantic Web Rule Language (SWRL) [11], combining sublanguages<br />
of the OWL DL <strong>and</strong> Lite with those of the Rule Markup Language. OWL Full constructs,<br />
such as classes, property values, are not supported by this language so that<br />
it does not support direct reasoning about classes or properties. It is not possible<br />
to write a rule that, for example, deduces some new knowledge based on the fact<br />
that one class is a direct subclass of another. For the same reason, RDF (Resource<br />
Description Framework) [12], RDFS (RDF Schema), or OWL constructs such<br />
as owl:Class or owl:DatatypeProperty, cannot be used in rules.<br />
Figure 3. Entering instances to AAO
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
227<br />
Figure Labels: Use 8 point Times New Roman for Figure labels. This is because<br />
the OWL is based on the Open World Assumption (OWA) that states that anything<br />
might be true unless it can be proven false. Open World Assumption states therefore<br />
that everything we don’t know is undefined. This is contradictory to the Closed<br />
World Assumption that refers to “everything we don’t know is false”. That is why<br />
according to OWA we cannot specify that a fact f(x,y) can be true when x <strong>and</strong> y<br />
are instances <strong>and</strong> there are other properties or facts defined. In order to provide<br />
additional facts to ontology, that will add e.g. available actions to be performed for<br />
particular call, the rules are proposed.<br />
C. Gathering context data<br />
AFRO proxy can work in the request – response mode which resembles<br />
the situation when the user invokes the target service through the AFRO proxy <strong>and</strong><br />
publish – subscribe mode – when the user subscribes to data flowing from the target<br />
service. In both cases before the actual service data will be distributed, the static<br />
context information should be pre-distributed to the AFRO proxy (see Figure 3).<br />
The dynamic elements of the context should be gathered at run time by agent<br />
entities <strong>and</strong> forwarded to the proxy. In this case they relate to the current link<br />
performance.<br />
The architecture of the AFRO Proxy assumes support for dynamically selecting<br />
web service adaptation actions in run time. It assumes the SOAP body <strong>and</strong><br />
SOAP attachment adaptations that limit the size of SOAP messages. The actions<br />
taken by the Proxy can be internally implemented, or can be served according to<br />
SOA concept, by external entities. AFRO Proxy architecture enables to add additional<br />
plugins that can be used for further actions. What is more, since the “heart”<br />
of the method is the decision support engine that bases on ontology, a set of rules<br />
<strong>and</strong> the rule engine, it can be easily used in the process of services composition,<br />
that would make use of particular services as adaptation actions, <strong>and</strong> would send<br />
adapted messages in return.<br />
Figure 4. AFRO upper ontology
228 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
III. AFRO adaptation ontology (AAO)<br />
Semantic model of the service call context is the main subject of this article.<br />
It should reflect all the elements of the web service call, which can be used in the decision-making<br />
process to select appropriate adaptations. It must characterize static<br />
elements that can be defined before service call is executed, as well as dynamic elements<br />
that depend on the type of request, type of response <strong>and</strong> temporary network<br />
performance parameters.<br />
Among many known methods of context modelling, semantic description using<br />
ontologies gives the most satisfactory results [10]. In general, ontology describes<br />
formally a domain of discourse. In the computer engineering, ontologies are usually<br />
employed to provide semantic interoperability among cooperating systems <strong>and</strong><br />
increase the level of automatic reaction to events (e.g. sent/received information).<br />
In this article, ontology is used to define the context of the service call, making<br />
it possible to further process it <strong>and</strong> make decisions about the adaptation actions.<br />
For the purpose of the AFRO proxy the context has been defined using the most<br />
well-known <strong>and</strong> semantically rich languages, i.e. RDF, RDFS <strong>and</strong> OWL (Web<br />
Ontology Language). The context is created based on User profile, Device profile,<br />
Network profile <strong>and</strong> Service profile. AAO was developed according to the IOEM<br />
ontology engineering ontology [14].<br />
These four entities are connected by the AAO upper ontology (see Figure 4).<br />
According to this ontology the User is connected to the infrastructure by particular<br />
Network <strong>and</strong> uses as its end terminal particular Device. It invokes the Service. These<br />
four entities form the context of the service call. Every User has a set of prohibited<br />
<strong>and</strong> preferred Actions. They can be set at the initial stage of gathering user data<br />
(the user may indicate them directly) or automatically selected by the ontology<br />
rules on the basis of information about the Device.<br />
This upper ontology presents relationships among the main entities of the model.<br />
Behind the User, Network <strong>and</strong> Device there are defined profiles that describe<br />
their main characteristics.<br />
The information about the User <strong>and</strong> his device, received by the AFRO Proxy,<br />
after being analysed, is saved in the AFRO Adaptation Ontology (AAO) instances.<br />
The User <strong>and</strong> Device profiles are therefore used to unambiguously express user preferences<br />
in terms of adaptation actions <strong>and</strong> express his device limitations. AAO enables<br />
to express the Display limitations, CPU frequency limitations, list unsupported MIME<br />
types [13] (e.g. particular formats of images or video) <strong>and</strong> encoding mechanisms.<br />
After the user logs in, his every request is perceived as a Service call. On<br />
the basis of rules defined in the Proxy, appropriate adaptation actions are selected.<br />
An exemplary rule defining the ChangeResolutionAction as preferred for<br />
the user when his device has low CPU is as follows:<br />
uses(x, y)^hasHWlimitations(y, z)^LowCPU(z) -><br />
hasPreferredAction(x, ChangeResolutionAction)
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
229<br />
The Action class is divided into two subclasses: SOAPAdaptationAction<br />
<strong>and</strong> AttachmentAdaptationAction. They allow for creating different actions that<br />
the Proxy can provide (or can invoke in an external entity).<br />
A. Network state determination<br />
Network state is determined on the basis of information received from external<br />
entity – Network Monitoring Element. It is assumed that this element will monitor<br />
the link to the user at supply the AFRO Proxy with information about the current<br />
link performance in terms of currently observed Throughput, Packet Error Rate<br />
(PER) <strong>and</strong> Delay of packets transmission. This information will be checked whenever<br />
the decision process is to be performed.<br />
Preliminary researches that have been carried out in [16] proved that web<br />
services efficiency is decreased in particular ranges of values of these three QoS<br />
parameters. On the basis of obtained results there have been defined three levels<br />
of the network state, i.e. “very good”, “constrained” <strong>and</strong> “degraded” network state<br />
defined in the following way:<br />
• Degraded network state level is when PER ≥ 10% or delay ≥ 300 ms or<br />
throughput
230 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• Class: DecreaseColourDepth, superclass: AttachementAdaptation, individuals:<br />
DecreaseColourDepthAction, comment: Decreases colour depth<br />
of the images,<br />
• Class: DecreaseQuality, superclass: AttachementAdaptation, individuals:<br />
DecreaseQualityAction, comment: Changes quality of the JPEG images<br />
increasing their compression ratio,<br />
• Class: DiscardAttachment, superclass: AttachementAdaptation, individuals:<br />
DiscardAttachmentAction, comment: Discards attachment from the message.<br />
The adaptation actions can be LosselessAdaptationActions <strong>and</strong><br />
LossyAdaptationActions. The lossless are e.g. compression or binary<br />
coding of SOAP messages. Lossy would be e.g. filtering of SOAP messages <strong>and</strong> all<br />
Attachment Adaptation Actions.<br />
The AttachmentAdaptationActions are the actions that can manipulate<br />
the SOAP attachments. In this article there has been considered example<br />
of JPEG image modifications, but other actions can be defined for further purpose<br />
of using the AAO. In the image adaptation actions one can find therefore decrease<br />
colour depth action, compression action <strong>and</strong> decrease image quality action. These<br />
are all lossy adaptations that result in decreasing the level of information that is then<br />
transferred to the client.<br />
The adaptation ontology can be further exp<strong>and</strong>ed as additional components<br />
reflecting actions available in the AFRO proxy will be introduced.<br />
C. Rules supporting the decision process<br />
The TBox statements define properties about entities, however they cannot<br />
define conditional statements, e.g. If a Student studies Maths then he is a Maths<br />
Student. For this purpose it is recommended to use rules <strong>and</strong> rule engine that allow<br />
for adding certain facts to the knowledge base on the basis of existing axioms.<br />
Rules are of the form of an implication between an antecedent (body) <strong>and</strong><br />
consequent (head). Their meaning can be read as: whenever the conditions specified<br />
in the antecedent hold, then the conditions specified in the consequent must<br />
also hold. In relatively informal “human readable” format:<br />
antecedent (body) → consequent (head).<br />
Both the antecedent (body) <strong>and</strong> consequent (head) may consist of zero or more<br />
atoms. An empty antecedent is treated as trivially true (i.e. satisfied by every interpretation),<br />
so the consequent must also be satisfied by every interpretation.<br />
When a consequent is empty, it is treated as trivially false (i.e. not satisfied by any<br />
interpretation), so the antecedent must also not be satisfied by any interpretation.<br />
When both antecedent <strong>and</strong> consequent are conjunctions of 1 – n atoms the rule<br />
takes the following form: a1 ^ ... ^ an. Variables are indicated using the st<strong>and</strong>ard
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
231<br />
convention of prefixing them with a question mark (e.g. x). Using this syntax, there<br />
can be defines a rule asserting that if a parent (x2) has a child (x1) <strong>and</strong> a brother<br />
(x3), the brother is an uncle to the child, i.e.:<br />
hasParent(x1,x2) ^ hasBrother(x2,x3) → hasUncle(x1,x3)<br />
The rules can be defined using a few formal languages, e.g. Jess rule language,<br />
JessML, RuleML (Rule Markup Language), SWRL (Semantic Web Rule Language).<br />
Due to the easiness of defining <strong>and</strong> processing rules in SWRL, this language has been<br />
selected to be used in the article. It uses the human-readable syntax as presented<br />
above together with the abstract <strong>and</strong> XML syntax.<br />
The AAO ontology has been enriched with the set of rules that enable to define<br />
actions that can be performed by the Proxy. The use of rules automates the decision<br />
process. Moreover, since the rules are not hard-coded, the semantic programming<br />
tools enable to easily define additional rules or modify existing ones.<br />
Practical tests of the adaptation actions proposed for the AFRO proof of concept<br />
[16] was the basis for defining decision rules for adaptation decision support<br />
algorithm that would match user preferences <strong>and</strong> suit best to available network<br />
resources. On the basis of the context of the service call <strong>and</strong> the set of rules additional<br />
axioms of available adaptation actions are added to the Knowledge Base.<br />
For instance, if the user’s device has limited display properties, the Proxy should<br />
decrease Colour depth of the image attachment:<br />
uses(x, y)^hasDisplayProperties(y, z)^Limited(z)-><br />
hasPreferredAction(x, DecreaseColourDepthAction)<br />
Taking into account user device limitations there have been defined the following<br />
adaptation rules:<br />
Rule 1 – Discard PDF; Description: If the user device does not support<br />
particular format of the MIME attachment (e.g. PDF), the attachment should be<br />
discarded. Rule content:<br />
uses(x, y)^hasMIMETypeUnsupported(y, z)^ UnSupportedApplication-<br />
PDF (z) -> hasPreferredAction(x, DiscardPDF)<br />
Rule 2 – Discard GIF; Description: If the user device does not support particular<br />
format of the MIME attachment (e.g. GIF image), the attachment should<br />
be discarded. Rule content:<br />
uses(x, y)^hasMIMETypeUnsupported(y, z)^ UnSupportedImageGIF (z)<br />
-> hasPreferredAction(x, DiscardGIF)<br />
Rule 3 – Discard JPEG; Description: If the user device does not support particular<br />
format of the MIME attachment (e.g. JPEG image), the attachment should<br />
be discarded. Rule content:<br />
uses(x, y)^hasMIMETypeUnsupported(y, z)^ UnSupportedImageJPEG<br />
(z) -> hasPreferredAction(x, DiscardJPEG)
232 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Rule 4 – Discard PNG; Description: If the user device does not support particular<br />
format of the MIME attachment (e.g. PNG image), the attachment should<br />
be discarded. Rule content:<br />
uses(x, y)^hasMIMETypeUnsupported(y, z)^ UnSupportedImagePNG (z)<br />
-> hasPreferredAction(x, DiscardPNG)<br />
Rule 5 – Discard TIFF; Description: If the user device does not support particular<br />
format of the MIME attachment (e.g. TIFF image), the attachment should<br />
be discarded. Rule content:<br />
uses(x, y)^hasMIMETypeUnsupported(y, z)^ UnSupportedImageTIFF<br />
(z) -> hasPreferredAction(x, DiscardTIFF)<br />
Rule 6 – lowCPU; Description: If the user device has CPU with frequency<br />
lower than 1000 MHz it is a low performance CPU, utilization of which will result<br />
in high image processing times. If the image attachment has higher resolution<br />
than the device display, it should be resized. Rule content:<br />
uses(x, y)^hasHWlimitations(y, z)^LowCPU(z) -><br />
hasPreferredAction(x, ChangeResolutionAction)<br />
Rule 7 – Binary; Description: If the user device has display unit that enables<br />
to visualize only binary colours (e.g. black-white), the attached image will be displayed<br />
only in binary colour depth. The image attachment, before being sent should<br />
therefore have the colour depth set to binary. Rule content:<br />
uses(x, y)^hasDisplayLimitations(y, z)^Binary(z) -><br />
hasPreferredAction(x, DecreaseColourDepthAction)<br />
Rule 8 – GreyColour; Description: If the user device has display unit that enables<br />
to visualize only grey scale, the attached image will be displayed only in grey<br />
scale. The image attachment, before being sent should therefore have the colour<br />
depth set to grey scale. Rule content:<br />
uses(x, y)^hasDisplayLimitations(y, z)^Grayscale(z)-><br />
hasPreferredAction(x, DecreaseColourDepthAction)<br />
Rule 9 – LimitedColour; Description: If the user device has display unit that<br />
enables to visualize only limited amount of colours, the image attachment, before<br />
being sent should therefore have the colour depth decreased appropriately. Rule<br />
content:<br />
uses(x, y)^hasDisplayLimitations(y, z)^Limited(z)-><br />
hasPreferredAction(x, DecreaseColourDepthAction)<br />
Rule 10 – DecreaseQuality; Description: The images, when compressed appropriately,<br />
do not decrease their readability significantly. When sent to mobile<br />
devices’ users they should be compressed. Rule content:<br />
User(x)->hasPreferredAction(x, DecreaseQualityAction)
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
233<br />
Rule 11 – GZIP; Description: If the user terminal has the GZIP compression<br />
support, the GZIP compression is possible to be performed. Rule content:<br />
uses(x, y)^supportsEncoding(y, z)^SupportsGZIP(z)-><br />
hasPreferredAction(x, GZIPcompressAction)<br />
Rule 12 – EXI; Description: If the user terminal has the EXI encoding support,<br />
the EXI encoding is possible to be performed. Rule content:<br />
uses(x, y)^supportsEncoding(y, z)^SupportsEXI(z) -><br />
hasPreferredAction(x, EXIencodeAction)<br />
Rule 13 – FI; Description: If the user terminal has the FI encoding support,<br />
the FI encoding is possible to be performed. Rule content:<br />
uses(x, y)^supportsEncoding(y, z)^SupportsFI(z)-><br />
hasPreferredAction(x, FIencodeAction)<br />
IV. Validation<br />
Ontology evaluation is a process aimed at validation <strong>and</strong> verification of an ontology<br />
in terms of its scope, consistency <strong>and</strong> expressiveness [14].<br />
The scope of the AFRO adaptation ontology (AAO) has been set up by<br />
the problem it was designed to solve. It is aimed at supporting the dynamic selection<br />
of adaptation actions taken on the SOAP messages exchanged between the web<br />
service client <strong>and</strong> server. It defines:<br />
• entities that take part in the service invocation as classes (User, Device,<br />
Network, Service, Action class),<br />
• relationships among entities as object properties (connects isConnectedBy,<br />
hasAdaptationPreferences, hasDeviceProperties, hasPreferredAction,<br />
hasProhibitedAction, usedBy uses, hasNetworkType, isInvokedBy <br />
invokes),<br />
• characteristics of entities as data type properties (userName, deviceName,<br />
qualityValue, resolutionValue, colourDepthValue).<br />
The TBox ontology model describes relationships among defined entities.<br />
On its basis knowledge about the service call context (defined in ABox entries)<br />
is collected. After each user registers to the proxy, the knowledge about the user<br />
preferred, prohibited actions <strong>and</strong> his device properties are saved in ABox entries.<br />
This allows to set the Initial Service Call Context (ISCC). After the network state<br />
is checked, the final AFRO defined actions set (ADA) is created.<br />
The AAO is the basis for running the decision support algorithm <strong>and</strong> setting<br />
the actions that should be performed by the AFRO Proxy.<br />
Ontology rules defined for the purpose of selecting the actions take into account<br />
the following cases:<br />
• the terminal does not support particular file format → the attachment<br />
is discarded (rule 1-5),
234 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• the terminal supports particular encoding techniques → the encoding actions<br />
is added to the list of preferred (rule 11-13),<br />
• the terminal has too low CPU frequency (processing power) → big images<br />
will be difficult to be processed – change image resolution (rule 6),<br />
• the terminal has limited colour display – decrease colour depth (rule 7-9),<br />
• the terminal is connected by disadvantaged network link (general rule –<br />
true for all cases) – decrease quality (rule 10).<br />
Moreover, the preferred <strong>and</strong> prohibited actions that the user defined are also<br />
taken into account. They may derive from the role of the user <strong>and</strong> his duties at<br />
the battlefield.<br />
The AAO defines all entities that are necessary to take appropriate adaptation<br />
decision <strong>and</strong> enables to automatically select appropriate adaptation actions. Its<br />
scope covers the required level of detail in describing the entities <strong>and</strong> relationships<br />
among them taken in the initial phase of ontology development. It covers so called<br />
competency questions [14] defined for the purpose of AAO. Additionally, the set<br />
of rules monitor all basic terminal characteristics that may influence usability<br />
of messages delivered to the user.<br />
The second ontology evaluation step consists in checking the ontology consistency.<br />
According to [17] ontology is consistent (also called satisfiable) when it does<br />
not contain a contradiction. The lack of contradiction can be defined in either<br />
semantic or syntactic terms. The syntactic definition states that a theory is consistent<br />
if there is no formula P such that both P <strong>and</strong> its negation are provable from<br />
the axioms of the theory under its associated deductive system.<br />
The ontology model that contains formal definitions of classes, properties<br />
<strong>and</strong> individuals allows inferring new knowledge from knowledge that is already<br />
present. The fact that it is based on formal description logic makes it prone to<br />
logical reasoning <strong>and</strong> enables to infer knowledge from existing facts 1 <strong>and</strong> axioms 2 .<br />
The aao.owl model has been verified in the Protegè 3.4.6 using the Pellet 1.5.2<br />
reasoner for consistency on the machine with following configuration: Processor:<br />
Intel Core i7 (2 cores 2,8 GHz each); RAM: 6 GB; Operating System: Windows 7<br />
(64 bit). The consistency check on this machine was successful. AAO has been<br />
proven consistent.<br />
V. Summary<br />
This article presents semantic description of the service call context defined<br />
for the purpose of the Adaptation Framework For Web Services Provision (AFRO).<br />
1<br />
2<br />
“Fact states information about a particular individual, in the form of classes that the individual belongs to<br />
plus properties <strong>and</strong> values of that individual” [18].<br />
“Axioms are used to associate class <strong>and</strong> property identifiers with either partial or complete specifications<br />
of their characteristics, <strong>and</strong> to give other information about classes <strong>and</strong> properties. Axioms used to be called<br />
definitions, but they are not all definitions in the common sense of the term <strong>and</strong> thus a more neutral name<br />
has been chosen.”[18].
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
235<br />
AFRO defines a mechanism for effective web services invocation in tactical<br />
networks that are considered disadvantaged in terms of available throughput,<br />
delay <strong>and</strong> error rate. Its implementation, in the form of AFRO Proxy, performs<br />
so called adaptation actions, which are modifications of the SOAP XML messages<br />
by changing their encoding to more efficient or cutting out information<br />
that are accepted to be removed by the service requester. With these actions,<br />
the sizes of messages are significantly diminished making them better tailored<br />
to the tactical networks.<br />
AFRO provides dynamic selection of adaptation actions to be triggered by<br />
the Proxy on the basis of user preferences <strong>and</strong> his terminal limitations. It takes<br />
advantage of the fact that limited capabilities of the user’s device makes it impossible<br />
to receive by or process some pieces of data. It is therefore necessary to<br />
conserve network resources not sending the data that is not going to be consumed<br />
by the user.<br />
The AFRO Adaptation Ontology (AAO) semantically models the user preferences<br />
in terms of the adaptation actions, his device possibilities <strong>and</strong> limitations<br />
as well as current network connection performance. This allows to unambiguously<br />
describe the service call context <strong>and</strong>, on the basis of ontology rules, provide<br />
adaptation actions tailored to particular user, his device <strong>and</strong> current network<br />
performance.<br />
It is assumed that the AFRO Proxy will cooperate with an external element<br />
that is able to assess the current network performance on the link that the user<br />
employs to invoke web service. This link will be the bottleneck for communications<br />
with the user. On the basis of information about currently available throughput,<br />
delay <strong>and</strong> packet error rate on that link the proposed in the article network<br />
state classification algorithm classifies the network as very good, constrained or<br />
degraded.<br />
The proposed AFRO architecture can be exemplified by the implementation<br />
in the web service Proxy that has a web service interface <strong>and</strong> follows SOA fundamental<br />
assumption of loosely – coupled entities. The user can therefore discover<br />
the existence of the AFRO Proxy in the service registry, <strong>and</strong> subscribe to it, when<br />
necessary. Additionally, the modular architecture of the Proxy enables it to be<br />
enhanced with service orchestration module.<br />
AFRO adaptation ontology (AAO) defines all entities that are necessary to<br />
take appropriate adaptation decision <strong>and</strong> enables to automatically select appropriate<br />
adaptation actions. Its scope covers the required level of detail in describing<br />
the entities <strong>and</strong> relationships among them. Additionally, the set of rules reflects all<br />
basic terminal characteristics that may influence usability of messages delivered to<br />
the user. It is used to build Knowledge Base about the users, their terminals <strong>and</strong><br />
networks they are connected by in order to dynamically <strong>and</strong> automatically define<br />
the actions that the AFRO Proxy needs to take in particular network performance<br />
conditions. For the purpose of network state classification there has been proposed
236 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
an algorithm that bases on information that would be received from an external<br />
Network Monitoring Element.<br />
There has been proven that the proposed AAO model is semantically <strong>and</strong><br />
syntactically correct <strong>and</strong> consistent. Reasoning over it provides the possibility to<br />
support the adaptation actions decisions taking into account the user preferences<br />
deriving from his role <strong>and</strong> limitations of his terminal. The SWRL rules defined for<br />
AFRO strongly support the automatic process of defining the preferred actions.<br />
The proposed adaptation mechanism gives promising effects for low level<br />
comm<strong>and</strong>ers located at the battlefield, which can be supplied with information<br />
generally available on high comm<strong>and</strong> levels which, up to now, were very rarely<br />
distributed to tactical networks.<br />
References<br />
[1] J.A. Estefan, K. Laskey, F.G. McCabe, D. Thornton, Reference Architecture<br />
Foundation for Service Oriented Architecture, Version 1.0, OASIS Committee Draft<br />
02, 14 October 2009.<br />
[2] M. Booth, T. Buckman et al, NATO Network Enabled Feasibility Study Volume II:<br />
Detailed Report Covering a Strategy <strong>and</strong> Roadmap for Realizing an NNEC Networking<br />
<strong>and</strong> <strong>Information</strong> Infrastructure, version 2.0”, NATO C3 Agency, June 2005.<br />
[3] NATO Architecture Framework (NAF) version 3.0, June 2007.<br />
[4] NATO C3 System Interoperability Directive (NID), AC/322-D(2004)0001(INV)<br />
Annex C.<br />
[5] J. Busch, An investigation into deploying web services, TN – 1229, NC3A, December<br />
2007.<br />
[6] R. Faucher, R. Ladysz, D. Miller, S. Musman, S. Raparla, D. Smith, Guidance on<br />
Proxy Servers for the Tactical Edge, The MITRE Corporation, MITRE TECHNICAL<br />
REPORT no. 060175, September 2006.<br />
[7] M. Weiser, The computer for the 21st century, Scientific American, (1991), 265(3):<br />
94-104.<br />
[8] J.P. Sousa <strong>and</strong> D. Garlan, (2002). Aura: An architectural framework for user mobility<br />
in ubiquitous computing environments, In Proceedings of 3rd IEEE/IFIP Conference<br />
on Software Architecture.<br />
[9] P.F. Patel-Schneider, I. Horrocks, OWL Web Ontology Language Semantics <strong>and</strong><br />
Abstract Syntax Section 2. Abstract Syntax, http://www.w3.org/TR/owl-semantics/<br />
syntax.html<br />
[10] Strang et al., A context modelling survey, Workshop On Advanced Context<br />
Modelling, Reasoning And Management Associated With The Sixth International<br />
Conference On Ubiquitous Computing (Ubicomp4), Nottingham/UK.<br />
[11] I. Horrocks et al., SWRL: A Semantic Web Rule Language. Combining OWL <strong>and</strong><br />
RuleML, W3C Member Submission 21 May 2004, http://www.w3.org/Submission/<br />
SWRL/
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
237<br />
[12] O. Lassila, R.R. Swic, Resource Description Framework (RDF) Model <strong>and</strong> Syntax<br />
Specification, W3C Proposed Recommendation 5 January 1999, http://www.w3.org/<br />
TR/PR-rdf-syntax.<br />
[13] N. Freed, N. Borenstein, RFC2046 Multipurpose Internet Mail Extensions (MIME)<br />
Part Two: Media Types, http://www.ietf.org/rfc/rfc2046.txtnumber=2046.<br />
[14] J. Sliwa, K. Gleba, W. Chmiel, P. Szwed, A. Glowacz, IOEM – ontology engineering<br />
methodology for large systems, Lecture Notes in Computer Science, vol. 6922.<br />
[15] C. Kiss, Composite Capability/Preference Profiles (CC/PP): Structure <strong>and</strong> Vocabularies 2.0,<br />
W3C Working Draft 30 April 2007, http://www.w3.org/TR/2007/WD-CCPP-<br />
-struct-vocab2-20070430/<br />
[16] J. Śliwa, T. Podlasek, M. Amanowicz, Web Services Efficiency in Disadvantaged<br />
Environment, JTIT 2010.<br />
[17] A. Tarski, Introduction to Logic <strong>and</strong> to the Methodology of Deductive Sciences,<br />
Second Edition, Dover Publications, Inc., New York 1946, ISBN 0-486-28462-X.<br />
[18] P.F. Patel-Schneider, I. Horrocks, OWL Web Ontology Language Semantics <strong>and</strong><br />
Abstract Syntax Section 2. Abstract Syntax, http://www.w3.org/TR/owl-semantics/<br />
syntax.html
Run-Time Ontology on the Basis of Event<br />
Notification Service<br />
Kamil Gleba, Joanna Śliwa, Damian Duda,<br />
Joanna Głowacka, Piotr Pyda<br />
C4I Systems Department, <strong>Military</strong> Communication Institute, Zegrze, Pol<strong>and</strong>,<br />
{k.gleba, j.sliwa, d.duda, j.glowacka, p.pyda}@wil.waw.pl<br />
Abstract: Ontology is a term deriving from philosophy but lately very often used in the context<br />
of knowledge management. Ontologies help to provide unambiguous definitions of terms, relationships<br />
among them <strong>and</strong> deliver human-like underst<strong>and</strong>ing of knowledge to IT systems. Going even further,<br />
they can automate some of the processes giving the opportunity to get rid of “the man in the loop”.<br />
The paper presents the INSIGMA event run-time ontology that is used by the Event Notification<br />
Service (ENS) to automate the process of notifying public safety services about the dangers related<br />
to the traffic <strong>and</strong> accidents on the roads. Special attention is paid to the ontology content, event notification<br />
service <strong>and</strong> the reasoning module that is responsible for inferring knowledge on the basis<br />
of the T-Box <strong>and</strong> A-box ontology statements.<br />
Keywords: ontology; run-time ontology; event notification service; OWL; reasoning; domain model<br />
I. Introduction<br />
Ontologies [1,2] are mainly well–formed hierarchical descriptions of the domain<br />
of knowledge that have their roots in philosophy. While very much appreciated<br />
in the knowledge management <strong>and</strong> logics, they are also getting more <strong>and</strong> more<br />
important in the information systems domain where they are used to perform<br />
certain tasks in the system. In this case they are called run-time ontologies.<br />
Run-time ontology is applied during the system operation <strong>and</strong> usually<br />
helps to deliver certain functionality. It is not only developed to describe the domain<br />
of knowledge in the philosophical manner but to build a model enabling<br />
to derive additional information <strong>and</strong> perform reasoning. This was also the case<br />
in the INSIGMA project that is supported by the funds from European Ministry<br />
of Regional Development within one the Polish National Strategic Reference Frameworks<br />
– Innovative Economy. It is carried out by four Polish academic, research<br />
<strong>and</strong> commercial bodies: AGH – consortium leader, MCI, MUT <strong>and</strong> WSTKT.<br />
Work has been co-financed by the European Regional Development Fund under the Innovative Economy<br />
Operational Programme, INSIGMA project no.POIG.01.01.0200-062/09.
240 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
INSIGMA st<strong>and</strong>s for Intelligent System for Global Monitoring Detection <strong>and</strong><br />
Identification of Threats. The main objective of the project is to develop a complex<br />
monitoring system that will allow to identify objects in the monitored environment<br />
<strong>and</strong>, based on the stored information <strong>and</strong> advanced algorithms, identify threats<br />
related to both the traffic <strong>and</strong> suspicious behaviour of people. The system can be<br />
also used for traffic management <strong>and</strong> route planning for individual users <strong>and</strong> for<br />
the public safety services. The route planning will take into account also dynamic<br />
complex parameters that provide the possibility to select the route in special circumstances,<br />
e.g. after a road accident or a natural disaster, in difficult weather<br />
conditions, etc.<br />
One of the major novelties of the INSIGMA project is application of ontologies.<br />
They are used to describe all the elements of the system, model entities<br />
describing logical <strong>and</strong> physical elements, data collected by sensors, as well as dependencies<br />
among them. This all is to support efficiency of information retrieval<br />
in such a complex information system. However provision of a set of well-formed<br />
ontologies has additional advantage. It allows to deliver knowledge on the basis<br />
of the reasoning process that bases on information that are flowing from the monitoring<br />
subsystem. That is why in the INSIGMA project there has been also defined<br />
run-time ontology used for automatic identification of threats <strong>and</strong> dangers related<br />
to the traffic <strong>and</strong>, in case of emergency, for automatic generation of the notification<br />
to public safety services (like police, ambulance services, fire brigade) – so called<br />
INSIGMA Event Ontology (IEO).<br />
The remainder of this paper is as follows: in section 2 we describe motivation<br />
for our work, in section 3 – ENS that is the implementation of the run-time<br />
ontology application engine, in section 4 – the INSIGMA event ontology itself, in<br />
section 5 presents the RM that infers knowledge from the information collected.<br />
Section 6 presents results of testing the reasoning module. In section 7 we identified<br />
further work in the area of run-time ontologies that we are planning to perform<br />
in the INSIGMA project. The article is finalised by the summary <strong>and</strong> conclusions.<br />
II. Motivation<br />
INSIGMA project will be finished with the development of the prototype<br />
system. Currently the system is being developed component by component. One<br />
of the most important services that INSIGMA will provide is ENS. It enables creation,<br />
delivery <strong>and</strong> processing of short formalised messages about events of certain type.<br />
<strong>Information</strong> about events will be stored in Events Repository (ER) <strong>and</strong> made available<br />
to the other functional modules of the INSIGMA system [3].<br />
ENS consists of two elements – reporting module located at the client device<br />
<strong>and</strong> notification module (including the reasoning module) located at the server<br />
side. The reporting module was proposed as a complementary to the fixed road<br />
traffic monitoring infrastructure composed of intelligent video cameras <strong>and</strong> sen-
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
241<br />
sors. It allows reporting of accidents <strong>and</strong> other events directly from users located<br />
outside the monitoring area.<br />
The idea of ENS was to apply the IEO for automatic classification of events<br />
<strong>and</strong> threats. On the basis of the A-Box ontology model <strong>and</strong> description of the event<br />
delivered by the reporting module, the server module is able to automatically<br />
classify the event to a certain type <strong>and</strong> generate notification for necessary public<br />
safety services. ENS is also useful as a source of dynamic data that, further on,<br />
can be presented on the road map as potential traffic difficulties or obstacles (e.g.<br />
information about the accidents) <strong>and</strong> used to compute routes taking into account<br />
threats <strong>and</strong> dangers <strong>and</strong> alerting of INSIGMA users.<br />
Application of the IEO in the ENS is well suited to the system exploitation<br />
phase when ontology is used to provide reasoning <strong>and</strong> automation of the processes.<br />
It is very important to get rid of “the man in the loop” <strong>and</strong> support decision process<br />
in terms of defining necessary actions in case of an accident or other dangerous<br />
situation. On the basis of the event description the reasoning module defines threats<br />
related to the observed situation <strong>and</strong> necessary actions to be taken by emergence<br />
services (e.g. calling the ambulance, calling the fire brigade, etc.).<br />
III. Event Notification Service<br />
The ENS was implemented as a set of functional software modules in the C<br />
ommunications&<strong>Information</strong> Infrastructure Laboratory of <strong>Military</strong> Communication<br />
Institute. The ENS allows creation, relaying <strong>and</strong> processing of short messages<br />
containing formatted information about events spotted by a user. The results<br />
of processing the messages is stored in Events Repository (ER) for further use [3].<br />
The ENS infrastructure is composed of the notification module <strong>and</strong> reporting<br />
module (see Fig. 1). Notification module is used to collect <strong>and</strong> process messages from<br />
users, extract appropriate information <strong>and</strong> pass it to the Reasoning Module (RM).<br />
The output from RM is then fed into Message Dispatcher (MD) which notifies users<br />
specified in the subscription list. The client modules provide graphical user interface<br />
with formatted fields to fill in information about an event. The client module also<br />
allows creating of structured messages <strong>and</strong> it h<strong>and</strong>les authentication of the user.<br />
The high level view of ENS model is presented in the Figure 1. The implementation<br />
of ENS is based on the Session Initiation Protocol enhancements for Instant<br />
Messaging – SIMPLE [4]. The SIMPLE messages are used as an application level<br />
transport protocol for relaying user generated information about observed <strong>and</strong><br />
reported events. The information is structured according to high-level ontology<br />
dedicated for INSIGMA system [5]. The main reason behind the use of SIMPLE were<br />
requirements for identification, registration <strong>and</strong> authentication of users. The SIP<br />
Uniform Resource Identifier are used as an identification whereas mechanisms<br />
for registration <strong>and</strong> authentication are defined in the SIP RFC [6]. Localisation<br />
of a user is an additional benefit from using SIP architecture.
242 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 1. Model of the notification service components. Abbreviations:<br />
CM – <strong>Communications</strong> Module, SAS – SIP Application Server, ER – Events Repository<br />
The detailed structure of message was defined in [3] <strong>and</strong> consists of:<br />
• type of event (based on high level ontology),<br />
• time of event (based on real-time clock in the user terminal or manually<br />
entered by a user),<br />
• geo-localisation of event (acquired from embedded GPS receiver or set<br />
manually by a user on the touchable background map),<br />
• optional information about the event, such as a number of injured persons,<br />
• optional information about observed results of event,<br />
• the user or equipment identifier.<br />
The message with event information is encoded using eXtensible Markup<br />
Language (XML). The XML data is then put into the SIP MESSAGE protocol data<br />
unit as a payload. The encoding of information has a following structure:<br />
<br />
<br />
<br />
<br />
<br />
. . .<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The notification module (server part) consists of the SIP proxy server used<br />
to receive messages from the client, <strong>Communications</strong> Module (CM) that invokes
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
243<br />
the RM responsible for reasoning about the event <strong>and</strong> MD that forwards the notifications<br />
to subscribed public safety services.<br />
The implementation of SIP server for ENS is based on the SIP Express Router<br />
software (SER) [7] <strong>and</strong> its capability to interface with external software modules<br />
through the inter-process communication mechanisms. The SER was used because<br />
of its flexibility due to its high modularization <strong>and</strong> programmability of core functions.<br />
The developed CM provides the interface between SER <strong>and</strong> RM. It basically<br />
works as a translator of SIMPLE messages to the remote procedure calls based<br />
on Web Service technology. The translator was needed because of requirements<br />
of RM software, which provides Web Service interface only. Additionally the CM<br />
processes data about events <strong>and</strong> feeds them to the ER. The CM was implemented<br />
as a st<strong>and</strong>alone program linked with “libpq” library available in the PostgreSQL<br />
package [8]. ER uses PostgreSQL 8.4.1 relational database system. The system environment<br />
for notification module is provided by Slackware Linux 12.0 operating<br />
system. The more detailed description of ENS service can be found in [3].<br />
Event reports are prepared on a mobile terminal running dedicated client<br />
application. The client software provides graphical user interface (see Fig. 2) which<br />
helps to describe the event by assigning observed circumstances to the predefined<br />
types (e.g. event results like leakage of dangerous substance, person jammed<br />
in the vehicle, etc.).<br />
Figure 2. Graphical user interface view<br />
ENS client was created as an application dedicated for the Android platform. User<br />
with the graphical interface indicates: event location, its type <strong>and</strong> time of occurrence.
244 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The event location is determined on the basis of data received from the GPS module<br />
or by indicating the exact place of the event on an embedded map. Selected<br />
events are grouped into three categories: traffic incidents, traffic difficulties <strong>and</strong><br />
weather difficulties. For events of the first category there is also an opportunity to<br />
submit information about injured people <strong>and</strong> event results.<br />
The application is written in Java, based on the following libraries: Android<br />
SDK, Jain-SIP – SIP protocol implementation for Android [9], Google APIs Addon<br />
[10]– APIs providing the possibility of identify the events location on the builtin<br />
Google map.<br />
The DM receives messages about events from the CM <strong>and</strong> passes them to<br />
suitable subscribed customers. These are public safety services (i.e. the police,<br />
fire brigade, ambulance, etc.) that are called in emergency situations to minimize<br />
the risk of the danger that has been reported.<br />
For the purpose of subscription management the endpoints of the customers<br />
will be stored in a database. They are divided into notification groups which<br />
consist of customers interested in particular event types. For example, information<br />
about the traffic accident with injured persons will be passed to the police, disposer<br />
of rescue ambulance service or emergency call center. When the reported event<br />
is a factory fire <strong>and</strong> the terrain contamination, notification will be passed to the fire<br />
brigade, police, disposer of rescue ambulance <strong>and</strong> sanitary <strong>and</strong> epidemiological<br />
station. The message coming from the CM contains the event description as well<br />
as the name of notification group. This allows the dispatcher to send notification<br />
to group members. The notification message also includes the geographical coordinates<br />
of the event as well as essential information about it.<br />
IV. INSIGMA event ontology<br />
Ontologies at the run-time are used in the situations where the domain model<br />
cannot be fully elaborated during the system development (some domain aspects<br />
are unknown or uncertain) or a kind of reasoning is required. In case of ENS<br />
there is a need to reason about threats <strong>and</strong> dangers related to the traffic detected<br />
in the INSIGMA monitoring subsystem on the basis of the event description. In case<br />
of ENS IEO is used in the RM.<br />
IEO is typical example of run-time ontology model describes specific domain<br />
of knowledge: road events (like car collision, knocking down a pedestrian,<br />
damaged road surface, leakage of dangerous substance, etc.), weather events (like<br />
rain, snow, below freezing temperature) <strong>and</strong> threats related to occurred incident on<br />
traffic (like wet surface danger in case of rain precipitation). On the basis of the event<br />
description (provided by the reporting module) the reasoning mechanism supported<br />
by the event ontology <strong>and</strong> a set of rules enables to classify the event, define required<br />
action of the system <strong>and</strong> then generate notification to public safety services.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
245<br />
IEO has the form of hierarchical descriptions of the domain of knowledge about<br />
traffic monitored by INSIGMA subsystem. The main class of the ontology model<br />
is InsigmaEvent. Together with its subclasses it describes road <strong>and</strong> weather<br />
events (see Fig. 3). Each class in the ontology has its own description expressed by<br />
using relations, attributes <strong>and</strong> restrictions which allows to create complex definitions<br />
of particular domain of knowledge<br />
Developed for the purpose of INSIGMA the event domain model includes<br />
formal model in Ontology Web Language (OWL) <strong>and</strong> rules created in Semantic<br />
Web Rule Language (SWRL).<br />
The formal ontology model consists of:<br />
• taxonomy of classes which describes concepts (T-Box) (see Fig. 3),<br />
• relations describe relationships between classes <strong>and</strong> instances (see Fig. 4),<br />
• individuals which are instances, specific objects of classes (A-Box),<br />
• attributes describe properties or parameters that classes or its instances<br />
can have,<br />
• restrictions – formally stated descriptions of what must be true in order<br />
for some assertion to be accepted as input,<br />
• axioms – assertions (including rules) in a logical form that together comprise<br />
the overall theory that the ontology describes in its domain of applications.<br />
Figure 3. Taxonomy of INSIGMA Event Ontology<br />
Rules are statements in the form of if-then (antecedent-consequent) sentences<br />
that describe the logical inferences that can be drawn from an assertion in a particular<br />
form.
246 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 4 Properties of InsigmaEvent class<br />
IEO, based on T-Box <strong>and</strong> A-Box statements, classifies event source to one<br />
of the following types of event:<br />
• Road Accident,<br />
• Traffic Collision,<br />
• Traffic Difficulties,<br />
• Weather Difficulties.<br />
Classifying <strong>and</strong> inferring knowledge is provided by the RM described<br />
in the next chapter.<br />
V. Reasoning Module<br />
A. Architecture<br />
The RM is one of the parts of ENS. It holds whole “logic” <strong>and</strong> decides about<br />
the type of event <strong>and</strong> necessary actions to be triggered. The knowledge inferred on<br />
the basis of the T-Box <strong>and</strong> A-Box ontology statements is used by the ENS dispatching<br />
module to send appropriate notifications.<br />
RM was implemented in Java as a Web Service. This implementation uses<br />
the following tools <strong>and</strong> libraries:<br />
• Protege-owl-3.4.6 – ontology development <strong>and</strong> modeling tool,<br />
• Pellet 2.2.2 –OWL reasoner provides reasoning services for OWL ontologies<br />
[11],<br />
• Jess71p2 – rule engine for the Java platform [12],<br />
• Glassfish 2.x – application server for the Java EE platform.<br />
Ontology development was done using Protégé 3.6.4 with OWL 1.0. We decided<br />
to use the older version of Protégé due to the fact that the newest version (4.2) did
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
247<br />
not support some of the libraries that were important in the process of ontology<br />
application like e.g. Protégé OWL API. This library has an important plugin which<br />
enables to generate java code form OWL classes which is useful while exploiting<br />
ontologies at run-time.<br />
Figure 5. Reasoning module interface to the Communication Module of ENS<br />
In general, existing implementation of the reasoning engine performs a set<br />
of operations on the ontology, e.g.:<br />
• filling in the domain model with event descriptions,<br />
• extending an ontology with SWRL rules,<br />
• reasoning <strong>and</strong> classifying knowledge,<br />
• querying an ontology about knowledge contained into the domain model<br />
by using the queries described in Semantic Query-Enhanced Web Rule<br />
Language (SQWRL).<br />
The RM after being invoked creates an object of the OWLModel class on<br />
the basis of event.owl ontology ; creates an object of the MyFactory class to<br />
fill in the ontology with instances; creates an instance of Protégé Pellet Reasoner;<br />
checks consistency of the created OWL model; classifies ontology; loads SWRL rules<br />
<strong>and</strong> invokes Jess rule engine; creates an SQWRL queries <strong>and</strong> returns the response.<br />
InsigmaEventOntology service implements Web Method called send-<br />
EventDescription used to invoke reasoning engine. Event description is used<br />
by the RM to infer knowledge. These are the following information (A-Box statements):<br />
kind of event, injured person in the event <strong>and</strong> result of the event (see<br />
example of simple SOAP request in Fig. 6).<br />
For the reasoning purposes we decided to use Pellet reasoning engine. The reasoner<br />
provides classification that compute complete class hierarchy, consistency<br />
checking (checking possibility for a class to have any instances) <strong>and</strong> finding the most<br />
specific classes that an individual belongs to.
248 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
soapenv:Envelope xmlns:soapenv=”http://schemas.xmlsoap.org/soap/<br />
envelope/” xmlns:ns=”http://my.org/ns/”><br />
<br />
<br />
<br />
CarCollision<br />
YES<br />
roadblock<br />
<br />
<br />
<br />
Figure 6. Sample InsigmaEventOntology request sent by CM<br />
B. Rules<br />
In order to extend a domain knowledge about additional semantic relations<br />
between OWL classes we defined several SWRL rules. SWRL [13] language is used to<br />
enhance expression of OWL language. It is based on a combination of the OWL DL<br />
<strong>and</strong> OWL Lite sublanguages of the OWL Web Ontology Language with the Unary/<br />
Binary Datalog RuleML sublanguages of the Rule Markup Language. SWRL enables<br />
extending the set of OWL axioms to include rules.<br />
SWRL rules are of the form of an implication between an antecedent (body) <strong>and</strong><br />
consequent (head). The intended meaning can be read as: whenever the conditions<br />
specified in the antecedent hold, then the conditions specified in the consequent<br />
must also hold. Both the antecedent <strong>and</strong> consequent consist of zero or more atoms.<br />
An empty antecedent is treated as trivially true (i.e. satisfied by every interpretation),<br />
so the consequent must also be satisfied by every interpretation; an empty<br />
consequent is treated as trivially false (i.e. not satisfied by any interpretation),<br />
so the antecedent must also not be satisfied by any interpretation.<br />
Atoms in these rules can be of the form of simple assertions: C(x), P(x, y),<br />
or functions: sameAs(x, y) or differentFrom(x, y), where C is an OWL description, P is<br />
an OWL property, <strong>and</strong> x, y are either variables, OWL individuals or OWL data values.<br />
SWRL rules can be extended by using some built-in functions which are<br />
the limitations expressing in SWRLB (Semantic Web Rule Language Built-in)<br />
language. These limitations may be put into values occurrence in rules <strong>and</strong> express<br />
relationships between them, for example x>y.<br />
When defining the IEO model we considered different approaches. They all<br />
resulted in different possibilities in defining <strong>and</strong> automatically processing rules.<br />
The best choice for us was to define three classes as enumerated ones with strictly<br />
defined set of individuals: Result describes results of event, Threat which define<br />
dangers <strong>and</strong> Actions describes set of public safety services organization. These<br />
classes are used by SWRL rules that enhance semantic relationships in IEO. Some<br />
examples of SWRL rules are depicted in Fig. 7.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
249<br />
RoadEvent(x) ^ hasResult(x, leakageOfDangerousSubstance) -><br />
hasAction(x, CallingTheFireBrigade)<br />
RoadEvent(x) ∧ hasInjured(x, y) ∧ swrlb:containsIgnoreCase(y,<br />
\”YES\”) → RoadAccident(x)<br />
RoadEvent(x) ^ hasResult(x, fire) -> hasAction(x, CallingTheFire-<br />
Brigade)<br />
Figure 7. Examples of IEO SWRL rules<br />
In order to execute SWRL rules we used Jess engine. It is a Java-based rule<br />
engine that provides an opportunity for constructing a software with some peace<br />
of artificial intelligence contained in facts <strong>and</strong> rules. This tools is free to use for<br />
two years for research purposes. Jess rule engine supports execution of SWRL rules<br />
<strong>and</strong> is used in many expert systems which require some reasoning mechanism.<br />
InsigmaEvent(x) ^ has_action(x, y)→ sqwrl:select(y)<br />
Figure 8. Example of SQWRL query<br />
The knowledge inferred on the basis of ontology model <strong>and</strong> rules exists<br />
in working memory. It is not set in the OWL model. In order to retrieve this<br />
knowledge we can use Semantic Query-enhanced Web Rule Language (SQWRL)<br />
which is built on the basis of SWRL [14]. SQWRL takes a st<strong>and</strong>ard SWRL rule<br />
antecedent <strong>and</strong> effectively treats it as a pattern specification for a query. Figure 8<br />
depicts an SQWRL query for public safety services which should be notified about<br />
existing event detected in INSIGMA system.<br />
<br />
<br />
<br />
<br />
CallingTheAmbulance<br />
CallingTheFireBrigade<br />
CallingThePolice<br />
RoadAccident<br />
TrafficDifficulties<br />
CarCollision<br />
Fire<br />
PoorVisibilityDanger<br />
<br />
<br />
<br />
<br />
Figure 9. Example of the reasoning module SOAP response
250 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
C. Reasoning Module response<br />
The response from the RM provides the following information about the reported<br />
event (see Fig. 9):<br />
• classes that an individual belongs to ( <strong>and</strong> ),<br />
• threats which are results of reported event (),<br />
• public safety services, which should be informed about the reported accident<br />
(.<br />
VI. Results of testing the Reasoning Module<br />
It is well-known that reasoning on an ontology is time consuming. Long execution<br />
time for programs based on ontologies result from the time necessary for<br />
classification of the concepts in the ontology, checking the consistency of ontology,<br />
inferring knowledge <strong>and</strong> executing SWRL rules.<br />
In order to check efficiency of the RM <strong>and</strong> possibility to apply it for a number<br />
of users in the INSIGMA project there have been carried out performance tests<br />
in SOAP UI. We analyzed how a number of SOAP requests affect the reasoning<br />
module response time. The results of test are depicted in the table below. It is visible<br />
that the invocation time depends on a number of subsequent requests.<br />
Table I<br />
Number of requests Min time [s] Max time [s] Avg time [s]<br />
1 7,4 10,4 8,3<br />
2 9,1 11,2 10,6<br />
5 17,2 37,6 24,7<br />
10 20,7 52,8 37,1<br />
20 22 69,1 39,5<br />
hardware: Intel(R)Core(TM)i7 CPU 2.67 GHz; 8 GB RAM; Windows 7 64-bit;<br />
Java version 1.7.1_01<br />
Average time for one request is above 8 s, but when we invoked service ten<br />
times at the same time, the response time increased to 39,5 s. Results of the analysis<br />
indicate that if we want to use run-time ontology in a large system like INSIGMA<br />
with many end-users, we have to use correspondingly high computational power<br />
systems or develop reasoning modules on the basis of more efficient reasoning<br />
frameworks.<br />
VII. Future work<br />
We are planning to apply the proof of concept of ENS as test deployment<br />
in the city of Legionowo. The remarks from users of the report <strong>and</strong> server modules
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
251<br />
will be crucial for further development of ENS, especially in terms of ENS reporting<br />
module GUI <strong>and</strong> rules supporting RM. Moreover the service will be integrated with<br />
the rest of INSIGMA system, as one of the sensors providing information about<br />
accidents <strong>and</strong> emergency situations on the roads.<br />
In case of research area we are planning to make parallel implementation<br />
of the RM using other ontology processing tools, like e.g. CLIPS, which is a tool<br />
for building expert systems. We expect better performance results than the one we<br />
collected in our tests. After that we would be able to compare performance of these<br />
two implementations with multiple clients invocations.<br />
ENS has an authorization function incorporated with the SIP protocol, however<br />
we are planning to develop a mechanism supporting confirmation of reported<br />
events by authorized users.<br />
VIII. Summary<br />
The INSIGMA run-time ontology <strong>and</strong> the RM in ENS are used to infer knowledge<br />
about threats related to traffic <strong>and</strong> accidents on the roads. This is an introductory<br />
level to expert application on the basis of run-time ontology. It can be a support for<br />
emergency centers’ operators <strong>and</strong> automate the process of calling appropriate public<br />
safety services. When enhanced, it can also help to select appropriate equipment<br />
of the vehicles. However application of services based on semantic engines must<br />
be always tested against performance in target environment.<br />
References<br />
[1] G. Antoniou, F. van Harmelen, A Semantic Web Primer, Massachusetts Institute<br />
of <strong>Technology</strong>, 2003.<br />
[2] L. Yu, Introduction to the Semantic Web <strong>and</strong> Semantic Web Services, Taylor & Francis<br />
Group, LLC, 2007.<br />
[3] D. Duda, J. Głowacka, P. Pyda, A. Stańczak, The concept <strong>and</strong> model of Event<br />
Notification Service for INSIGMA system, KSTiT, Łódź 2011 (in Polish).<br />
[4] B. Campbell, J. Rosenberg, H. Schulzrinne, C. Huitema, D. Gurle, Session<br />
Initiation Protocol (SIP) Extension for Instant Messaging, IETF Request for Comments<br />
3428, December 2002.<br />
[5] J. Śliwa, W. Chmiel, K. Gleba, T. Podlasek, P. Caban, P. Szwed, Requirements<br />
for ontology in INSIGMA system, INSIGMA Consortium Report, D2.1, December<br />
2010 (in Polish).<br />
[6] J. Rosenberg et al., SIP: Session Initiation Protocol, IETF Request for Comments<br />
3261, 2002.<br />
[7] SIP Express Router project page, http://www.iptel.org/ser
252 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[8] libpq–PostgreSQL C Library, http://www.postgresql.org/docs/8.4/static/libpq.html,<br />
2012.<br />
[9] JAVA API for SIP Signaling http://jsip.java.net/<br />
[10] Google Projects for Android, http://code.google.com/intl/pl/<strong>and</strong>roid/<br />
[11] E. Friedman-Hill, Jess in Action, Manning Publications Co., 2003.<br />
[12] http://clarkparsia.com/pellet/<br />
[13] I. Horrocks, P.F. Patel-Schneider, H. Boley, Said Tabet, B. Grosof, M. Dean,<br />
SWRL: A Semantic Web Rule Language Combining OWL <strong>and</strong> RuleML.<br />
[14] M. O’Connor, A. Das, SQWRL: a Query Language for OWL.
A Robust <strong>and</strong> Scalable Peer-to-Peer<br />
Publish/Subscribe Mechanism<br />
Tobias Ginzler<br />
Communication Systems Fraunhofer FKIE Wachtberg, Germany,<br />
tobias.ginzler@fkie.fraunhofer.de<br />
Abstract: In this work a publish/subscribe peer-to-peer mechanism is presented. The purpose<br />
of KadScribe is to enable a subscription-based message dissemination mechanism for a large number<br />
of participants. The mechanism is intended as a building block for other protocols <strong>and</strong> applications.<br />
Possible applications include SOA messaging, weather information or an instant messaging presence<br />
service. The focus is on best-effort, low data rate services. The special challenges of disadvantaged<br />
networks such as volatile user behavior, low transmission capacity <strong>and</strong> faulty network connections are<br />
respected. Mechanisms to deal with these challenges in the publish/subscribe system are presented<br />
<strong>and</strong> evaluated in a simulated network environment.<br />
Keywords: peer-to-peer, publish/subscribe, computer networks<br />
I. Introduction<br />
Peer-to-peer overlay networks first appeared in the late 1990ies <strong>and</strong> rapidly<br />
gained popularity in the following years. The typical usage scenario was sharing<br />
<strong>and</strong> downloading of music files in the mp3 file format. File sharing over peer- topeer<br />
– or P2P – networks soon came to notorious fame, because it was mainly used<br />
to exchange copyright protected content. Ongoing legal disputes led to the end<br />
of the most popular file sharing network of that time, Napster, in 2001. The new<br />
feature of Napster was to enable users worldwide to share content <strong>and</strong> publish information<br />
without the effort of setting up hardware or writing code. The philosophy<br />
of P2P networks was <strong>and</strong> still is today, that every participant may be consumer of information<br />
as well as a publisher of information. Tim Berners-Lee had the concept<br />
of sharing in mind, “That was what it was designed to be as a collaborative space<br />
where people can interact.” [3]. The need for interaction <strong>and</strong> collaboration was unbroken<br />
by the end of Napster. Soon the gap left by Napster was filled by numerous<br />
P2P networks, built to overcome the fragile design of the first generation of peerto-peer<br />
networks. A nearly uncountable variety of protocols <strong>and</strong> P2P applications<br />
exist today. P2P technology is used to distribute software updates or to find persons<br />
for remote software support. Instant messaging relies on P2P overlays [1] as well
254 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
as IPTV solutions [15]. The reasons to use P2P instead of a centralized architecture<br />
are always the same: The first <strong>and</strong> most important is load balancing. The second<br />
reason is resilience against failures.<br />
Many emerging applications such as social networks are based on an eventdriven<br />
publish/subscribe model. In contrast to the traditional client/server model,<br />
publish/subscribe is a one-to-many communication scheme <strong>and</strong> complements<br />
the traditional one-to-one web communication. Publish/subscribe services <strong>and</strong><br />
applications are popular <strong>and</strong> work smoothly as they relieve the user from acquiring<br />
information himself. The right information comes automatically to the user.<br />
This work aims to contribute in bringing the two promising innovations<br />
in network technology together: Peer-to-peer networks <strong>and</strong> publish/subscribe.<br />
Not only has the way of information exchange changed in the last decade<br />
but also the way how people communicate. Nowadays ubiquitous computing<br />
becomes reality. Mobile computers have the size of a mobile phone while still<br />
being able to use the full potential of online services. These new ways of information<br />
exchange face new challenges. The cellular networks or wireless local area<br />
networks do not offer the same quality of service for data transmission as wired<br />
communication. User mobility, wireless transmission <strong>and</strong> battery lifetime pose<br />
new challenges in terms of connection disruptions <strong>and</strong> device failures. From<br />
the application’s point of view users disconnect <strong>and</strong> connect again. This process<br />
of coming <strong>and</strong> going is called churn. Protocols developed for the Internet may<br />
perform badly when faced with churn.<br />
Peer-to-peer networks were originally designed to interconnect users in wired<br />
networks. Surprisingly, some P2P systems cope quite well with the new challenges<br />
because they already anticipate volatile user behavior <strong>and</strong> low data rate links.<br />
The new challenges in mobile wireless networks are the main constraints to be<br />
respected when considering publish/subscribe P2P systems.<br />
II. Publish/subscribe in disadvantaged networks<br />
The Publish/subscribe communication scheme has much in common with<br />
multicast. While multicasting describes the process of information delivery to<br />
the receivers, often the membership or group management is also considered a part<br />
of it. The multicast management provides a method to start <strong>and</strong> stop the reception<br />
of multicast messages. The receivers of multicast information form a multicast group.<br />
The members of a multicast group are called the subscribers. Users can choose what<br />
information they are interested in by subscribing to topics. This reduces the transmission<br />
of undesired messages.<br />
A multicast system with membership management is called a publish/subscribe<br />
system in the following. Groups <strong>and</strong> topics form the very basic concepts in a publish/subscribe<br />
system. Advanced concepts include group authorization, source<br />
specific multicast, multi-stream multicast [4] as well as filtering <strong>and</strong> aggregation.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
255<br />
Multicast can be realized at different layers according to the ISO/OSI model.<br />
Multicast functionality may be realized at the physical layer by radio broadcasts.<br />
This is a straightforward <strong>and</strong> cheap method to offer one-to-many communication.<br />
It is widely used in voice communication. The data radio systems communication<br />
st<strong>and</strong>ards are vendor-specific. Multicast implementations on Ethernet are widely<br />
available <strong>and</strong> used in private networks. Outside of closed circuit networks Ethernet<br />
cannot be used as a common technology across autonomous system boundaries.<br />
The IP’s multicast extension is used for example as service discovery in local networks[6].<br />
Outside of local networks it has not gained acceptance except in niches<br />
like research networks or company networks. Challenges regarding how to do<br />
billing in IP multicast prevents commercial success while scalability issues are still<br />
unanswered. A relatively new approach is to offer multicast at the application layer.<br />
The multicast functionality is not restricted to a certain network infrastructure <strong>and</strong><br />
a large number of participants is possible. Also the responsibility of nodes to duplicate<br />
<strong>and</strong> distribute messages may change dynamically according to the network<br />
conditions. The disadvantage is that application layer multicast is more resource<br />
consuming than realizations at lower layers.<br />
The higher in the ISO/OSI model multicast is realized<br />
• the easier it is to cover a large number of participants,<br />
• the more network resources are consumed,<br />
• the more features are offered.<br />
In a disadvantaged network, publish/subscribe at lower layers are most suitable<br />
because of their efficiency. The proposed mechanism is understood as a besteffort<br />
service with high latency <strong>and</strong> minimal impact on existing network utilization<br />
for a large number of participants. A realization at the application layer then fits<br />
best. It now has to be proved that such a solution is able to perform in disadvantaged<br />
networks.<br />
III. P2P publish/subscribe with KadScribe<br />
KadScribe [8] is a novel publish/subscribe system based on the Kademlia [14]<br />
<strong>and</strong> the Scribe [5] protocol. The functionality of KadScribe will be described in this<br />
section. Scribe is based on Pastry [18], a structured peer-to-peer protocol which<br />
has been identified to be susceptible to churn [12].<br />
Pastry uses recursive routing which makes it slow in unreliable networks [17].<br />
Also it seems Pastry’s development has been transferred to proprietary custody [10]<br />
or ceased [7].<br />
For these reasons it is imperative to look for an alternative routing beneath<br />
the publish/subscribe layer.<br />
The novelty is that KadScribe uses Kademlia’s routing algorithm instead<br />
of Pastry’s because of its robustness, efficiency <strong>and</strong> simplicity. Subscription<br />
<strong>and</strong> publishing are done in similar way to Scribe. By replacing the routing
256 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
mechanism, a more robust <strong>and</strong> more reliable publish/subscribe functionality<br />
is possible. In contrast to Pastry there are millions of active Kademlia nodes <strong>and</strong><br />
three major implementations which are actively developed <strong>and</strong> researched [11].<br />
A performance analysis of KadScribe is presented in section IV. A description<br />
of KadScribe follows.<br />
Kademlia defines a distance metric <strong>and</strong> a mechanism to route to a position –<br />
or equivalently – a key in the P2P network. The identifier is a key in the Kademlia<br />
key space. The routing table of a Kademlia node is a binary tree (Fig. 1). Each<br />
leaf contains a list of nodes, the so called buckets. A bucket holds a fixed number<br />
k of references to reach other nodes. As the network may contain up to n nodes,<br />
the routing table size has to be limited. In Kademlia the memory requirement<br />
for the routing table is O(k . b), with b as the number of bits of an identifier.<br />
A node carries a tag which defines which identifiers are contained in its subtree.<br />
In the figure, b <strong>and</strong> k are assumed to be 4, the st<strong>and</strong>ard key length of Kademlia<br />
is 160. A tag of 1xxx means that the most significant bit is 1 for the whole subtree<br />
<strong>and</strong> the other bits are unknown. The right subtree of the root carries this tag.<br />
The local node identifier is assumed to be 0000 in the depicted tree. If the local<br />
identifier is not 0000 the local node may do an XOR operation with its own<br />
identifier on all identifiers in the routing table. The table then looks exactly<br />
as in the example. The transformation can to be undone by applying the XOR<br />
operation again as the XOR operation is involutary. In comparison to the original<br />
description of Kademlia where the tree is built according to the local identifier,<br />
this transformation may simplify the implementation.<br />
Figure 1. The Kademlia routing table<br />
Routing to destination keys is done in Kademlia by iteratively querying nodes<br />
which are increasingly closer to the final destination. To do so, responses from<br />
queried nodes contain the k closest nodes to the destination they are aware of.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
257<br />
The queried node looks up the bucket which shares the longest matching prefix with<br />
the destination key. If there are less than k entries in the bucket, buckets with shorter<br />
matching prefix length are searched. The k entries are returned to the querying<br />
node. The newly learned nodes are then queried until no closer nodes are found.<br />
The distance to the final destination is halved in each routing step if the tables<br />
are reasonably filled. Routing to a node can be seen as increasing the matching prefix<br />
length to the destination hop at least by one bit in each hop. The number of routing<br />
hops in Kademlia is within O(log(n)). In existing implementations the number<br />
of hops seldom exceeds 5. Routing to destination keys is used for publishing <strong>and</strong><br />
in a slightly modified form also for subscribing.<br />
When a user of KadScribe wants to subscribe to a topic, it first generates<br />
an identifier of the topic. The node which is closest to the topic location according<br />
to Kademlia’s routing metric is called Rendezvous Point (RP). The subscriber,<br />
the topic location, the RP <strong>and</strong> the P2P connectivity are shown in figure 2(a).<br />
The edges depicted in the diagram are connections at the transport layer, e.g. UDP<br />
connectivity. The underlying technologies like MANET hops or wireless connection<br />
are abstracted. One hop in the P2P network may include multiple hops on lower<br />
layers. As the P2P network is on top of other network technologies it is also called<br />
an overlay network. The same mechanisms to derive the identifier as in a Distributed<br />
Hash Table may be used, e.g. hashing a textual topic description with a hash<br />
function. The method of generating a topic description is shared by all nodes. By<br />
doing so, a range query or a search which searches for similar topics is not possible.<br />
Other schemes ([16], [9], [19]) to determine topic identifiers or enable range<br />
queries or more detailed search requests exist. After the key of the topic has been<br />
calculated, a node is able to subscribe to a topic. The Kademlia routing table is<br />
searched <strong>and</strong> the known nodes closest to the RP are returned. No messages have<br />
been sent over the network so far. The subscriber then sends a subscribe message<br />
to the nearest node of the topic. The contacted node becomes a forwarder <strong>and</strong> adds<br />
the requesting node to a list. The forwarder sends a subscribe ack as an acknowledgment<br />
back to the subscriber. The forwarder then uses the same procedure to<br />
subscribe to the topic if it is not already subscribed. If a node is not able to send<br />
a subscribe to a node which is closer to the topic than itself the algorithm terminates<br />
<strong>and</strong> the node becomes RP for this topic. Any successive subscription from<br />
a different node terminates at the first forwarder (Fig. 2(c)). The constructed tree<br />
is a rooted tree with directed edges. The subscribers form the leaves of the tree.<br />
For each topic a separate tree is built. For simplification purposes, only a single<br />
topic is considered. When updated information is available for the topic, the publisher<br />
first finds the RP by means of the Kademlia routing. The topic identifier<br />
is used as the destination key. The root <strong>and</strong> the forwarders replicate the message<br />
<strong>and</strong> send out copies to all their successors in the tree until all subscribers have<br />
received the topic update.
258 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
(a) P2P connectivity <strong>and</strong> RP<br />
subscriber<br />
forwarder<br />
(b) Subscription with resulting multicast tree<br />
(c) Another subscription<br />
(d) A publish<br />
Figure 2. Subscribe <strong>and</strong> publish in KadScribe<br />
The messages used in KadScribe are called subscribe, subscribe ack,<br />
unsubscribe, publish, publish ack <strong>and</strong> multicast. KadScribe in contrast to<br />
Scribe has no create message to create a topic. The functionality of this message<br />
is integrated in the subscribe message as a topic is created as soon as the first node<br />
subscribes to it. In contrast to Scribe, publish <strong>and</strong> multicast are realized in two<br />
separate messages to be able to acknowledge the publishing. This contributes to<br />
the resilience of the protocol. Multicast messages are not acknowledged not to<br />
overwhelm the sender with acknowledgements.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
259<br />
Success ratio<br />
1<br />
0.9<br />
0.8<br />
0.7<br />
0.6<br />
0.5<br />
0.4<br />
0.3<br />
0.2<br />
0.1<br />
0<br />
No errors PER churn PER, churn<br />
(a) Success ratio<br />
14<br />
Byte sent node -1 s -1<br />
12<br />
10<br />
8<br />
6<br />
4<br />
2<br />
0<br />
No error PER churn PER, churn<br />
(b) Traffic per node<br />
Figure 3. KadScribe in the simulated environment<br />
IV. Evaluation<br />
The OMNeT++ simulation framework [21] with the OverSim framework [2]<br />
was used to simulate the network <strong>and</strong> to analyze the protocol. The implementation<br />
of KadScribe was done within the simulator as a separate module. The network<br />
consists of 1024 peer-to-peer nodes <strong>and</strong> all peers are directly interconnected.<br />
The simulation features the IP <strong>and</strong> UDP protocol, the lower layers are abstracted<br />
by an error <strong>and</strong> churn model. The reasons to do so is the complexity of a wireless<br />
simulation <strong>and</strong> the loss of generality of the results. The use of a churn <strong>and</strong> error model<br />
also simplifies the comparison of the results with other publications. The churn<br />
process was modeled as Weibull-distributed as described in [20] with a reduced<br />
mean lifetime of 60 minutes. The churn model is supposed to cover all the cases<br />
where user equipment drops the connection against the will of the user, e.g. because<br />
of mobility or low battery. The connections between each peer have a constant
260 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
bit error rate of 2 . 10 −5 to reflect unreliable connections <strong>and</strong> media overload.<br />
If a message contains a bit error it invalidates the UDP checksum of that packet.<br />
The packet is then discarded by the network stack of the receiver.<br />
Table I. Kademlia parameters within KadScribe<br />
Kademlia<br />
n tell 8<br />
k 8<br />
α 3<br />
t stab 10 000<br />
weight 0, 0.5<br />
A considerably higher success ratio can be achieved by increasing the redundancy<br />
of the multicast tree by allowing multiple predecessors. The multicast<br />
tree then becomes a directed acyclic graph without a designated root (Fig. 4). It is<br />
then possible for a publish message to reach a subscriber by an alternate path even<br />
if the direct path to the subscriber is broken due to churn (Fig. 5). This behavior<br />
is much more robust than the previously shown tree dissemination scheme<br />
in Fig. 2(d). The success ratio can be increased from 0.7, to 0.9 subscribers do not<br />
get the publish.<br />
Figure 4. Subscription <strong>and</strong> multicast dissemination structure with p max = 2<br />
This simulation feature can be switched on <strong>and</strong> off <strong>and</strong> is marked as PER<br />
(Packet error rate feature) in the figures. The publish/subscribe success ratio<br />
is defined as the ratio of successful receptions per publish. Initially half of the nodes<br />
subscribe to a topic. Every new node which arrived through churn immediately<br />
subscribes with a probability of 50%. Every node in the simulation produces<br />
publish messages about the topic by an equally distributed probability function<br />
with a mean of 10 000 s (≈2:40 h). The most important parameters are shown
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
261<br />
in Table I <strong>and</strong> II. The Kademlia parameters are the churn-optimized parameters<br />
from [13] to facilitate a limited degree of comparability. The parentTimeout <strong>and</strong><br />
childTimeout parameters determine when a predecessor or successor is considered<br />
gone after no messages have been received for the given timeout. Message<br />
receptions fail due to bit errors or churn.<br />
In Fig. 3(a) the publish/success ratio is shown. The leftmost labeled with ”No error”<br />
shows the result for a perfect network without churn <strong>and</strong> network transmission<br />
errors, consequently resulting in a success ratio of 1. All publish/subscribes were<br />
successful. When bit errors are simulated (bar labeled ”PER”) or churn is added<br />
to the simulation (bar labeled ”churn”) or both (”PER, churn”), the success rate<br />
drops due to outdated routing tables <strong>and</strong> packet loss. The unmodified protocol<br />
suffers a significant degradation of service when encountered with harsh conditions<br />
as shown in this figure.<br />
When faced with the churn the success ratio was 0.75 with additional bit errors,<br />
the ratio of successful receptions per publish dropped to 0.6 (rightmost bar<br />
in Fig. 3(a)). While it can be considered sufficient for some applications, a higher<br />
success rate is desirable. If a packet loss occurs or a node in the multicast tree<br />
leaves, the multicast messages get lost. Depending on the location of the loss<br />
in the tree, more or less (with p max = 2) <strong>and</strong> up to 0.92 when the number of maximum<br />
predecessors are increased to 3 (Fig. 6). A further increase of the p max<br />
parameter increases the success ratio only slightly <strong>and</strong> results in much higher<br />
traffic load.<br />
Figure 5. Publish circumvents a broken node, p max = 2<br />
Figure 6. Success ratio with different values of p max <strong>and</strong> c max with churn
262 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In a manner similar to how the number of parent nodes may be controlled<br />
through the p max parameter, the number of children may be controlled by a parameter<br />
c max . This allows for more control over the structure of the tree <strong>and</strong> has two<br />
advantages.<br />
• A node is less prone to be overloaded by multicast forwards. The more outgoing<br />
edges a forwarder has the more messages are to be sent. In environments<br />
without native multicast support every inbound message causes the same<br />
number of transmissions as there are children of this forwarder.<br />
• Subscription storms are avoided. As a consequence of a parent node failure, all<br />
former child nodes try to resubscribe to other nodes in a short time frame, resulting<br />
in a subscription burst. This is undesirable in terms of network utilization.<br />
The c max value was set to unlimited, 25 <strong>and</strong> 10. In Fig. 7 the effects on<br />
the path length are shown. The effects on the success ratio in Fig. 6 are a direct<br />
consequence of the increased path length. The impact of a c max = 25 can be seen<br />
as a compromise between the disadvantage of reduced resilience against churn<br />
<strong>and</strong> the advantage of improved balance of the dissemination structure. A value<br />
of c max = 10 shows a more grave impact on the performance of the system. When<br />
c max is too low, it becomes more likely that nodes are unable to subscribe because<br />
all parent c<strong>and</strong>idates have already reached their maximum child count. The c max<br />
value should be chosen according to the expected churn, the network transfer<br />
rates <strong>and</strong> the number of subscribers.<br />
Table II. KadScribe parameters<br />
KadScribe<br />
p max 1, 2, 3<br />
c max ∞, 25, 10<br />
parentTimeout<br />
45 s<br />
childTimeout<br />
45 s<br />
4<br />
3.5<br />
3<br />
path length<br />
2.5<br />
2<br />
1.5<br />
1<br />
0.5<br />
0<br />
inf 25 10<br />
c max<br />
Figure 7. Effect of c max on the path length
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
263<br />
V. Summary <strong>and</strong> conclusion<br />
The presented peer-to-peer publish/subscribe mechanism is an approach to<br />
combine the advantages of application based multicast – scalability <strong>and</strong> usability –<br />
with the challenging nature of disadvantaged networks. The result is a scalable <strong>and</strong><br />
robust publish/subscribe system capable of working in disadvantaged networks.<br />
For the future it is envisioned to integrate the publish/subscribe mechanism into<br />
a system which provides access control, group management <strong>and</strong> a unified messaging<br />
interface. Such a system could be a service-oriented architecture framework. Also<br />
the publish/subscribe mechanism of KadScribe will be improved. The research<br />
on KadScribe will focus on a further reduction of the required transmission<br />
b<strong>and</strong>width <strong>and</strong> increased robustness. Dynamically determined timeouts could<br />
be used in the future to adapt to changing network conditions. Opportunistic<br />
listening <strong>and</strong> multicasting are techniques which may be useful to further reduce<br />
the required transmission b<strong>and</strong>width <strong>and</strong> it can speed up bootstrapping. The collection<br />
of packets <strong>and</strong> sending them in a burst is a promising approach to react<br />
to the constraints of data radios.<br />
REFERENCES<br />
[1] S.A. Baset <strong>and</strong> H.G. Schulzrinne, An analysis of the skype peer-to-peer internet<br />
telephony protocol. INFOCOM 2006. 25th IEEE International Conference on Computer<br />
<strong>Communications</strong>. Proceedings, 25:1-11, 2006.<br />
[2] I. Baumgart, B. Heep, <strong>and</strong> S. Krause, OverSim: A Flexible Overlay Network<br />
Simulation Framework. In Proceedings of 10th IEEE Global Internet Symposium (GI ’07)<br />
in conjunction with IEEE INFOCOM 2007, Anchorage, AK, USA, pp. 79-84, May 2007.<br />
[3] T. Berners-Lee, Originator of the web <strong>and</strong> director of the world wide web consortium<br />
talks about where we’ve come, <strong>and</strong> about the challenges <strong>and</strong> opportunities ahead. IBM<br />
developerWorks Interviews, July 2006.<br />
[4] M. Castro, P. Druschel, A.-M. Kermarrec, A. N<strong>and</strong>i, A. Rowstron, <strong>and</strong> A. Singh,<br />
Splitstream: High-b<strong>and</strong>width content distribution in a cooperative environment.<br />
In IPTPS’03, February 2003.<br />
[5] M. Castro, P. Druschel, A.-M. Kermarrec, A. N<strong>and</strong>i, <strong>and</strong> A. Rowstron, Scribe:<br />
A large-scale <strong>and</strong> decentralized application-level multicast infrastructure. IEEE Journal<br />
on Selected Areas in Communication (JSAC), 20(8):1489-1499, October 2002.<br />
[6] S. Cheshire <strong>and</strong> M. Krochmal, Multicast dns. RFC draft-cheshire-dnsextmulticastdns-15,<br />
IETF, Dec 2011.<br />
[7] P. Druschel, A. Haeberlen, <strong>and</strong> J. Hoye et al., Freepastry. Technical report, Rice<br />
University, 2009. accessed on 2011-02-13.<br />
[8] T. Ginzler, A robust <strong>and</strong> scalable publish/subscribe mechanism for peer-to-peer networks.<br />
PhD thesis, <strong>Military</strong> University of <strong>Technology</strong>, Warsaw, Pol<strong>and</strong>, 2011.
264 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[9] M. Harren, J.M. Hellerstein, R. Huebsch, Boon Thau Loo, S. Shenker, <strong>and</strong><br />
I. Stoica, Complex queries in dht-based peer-to-peer networks. In Revised Papers<br />
from the First International Workshop on Peer-to-Peer Systems, IPTPS ’01, pp. 242-259,<br />
London, UK, 2002. Springer-Verlag.<br />
[10] A. Herbert, What happened to pastry. SIGOPS Oper. Syst. Rev., 41:10-16, April 2007.<br />
[11] R. Jimenez, F. Osmani, <strong>and</strong> B. Knutsson, Sub-second lookups on a large-scale<br />
kademlia-based overlay. In Peer-to-Peer Computing (P2P), 2011 IEEE International<br />
Conference on, pp. 82-91, September 2011.<br />
[12] D. Kato <strong>and</strong> T. Kamiya, Evaluating DHT implementations in complex environments<br />
by network emulator. In International Workshop on Peer-to-Peer Systems (IPTPS ’07),<br />
February 2007.<br />
[13] J. Li, J. Stribling, R. Morris, M. Frans Kaashoek, <strong>and</strong> T.M. Gil, A performance<br />
vs. cost framework for evaluating DHT design tradeoffs under churn. In INFOCOM,<br />
pp. 225-236. IEEE, 2005.<br />
[14] Maymounkov <strong>and</strong> Mazieres, Kademlia: A peer-to-peer information system based<br />
on the XOR metric. In International Workshop on Peer-to-Peer Systems (IPTPS), LNCS,<br />
vol. 1, 2002.<br />
[15] PPLive. PPTV. http://www.pptv.com. accessed on 2011-03-11.<br />
[16] S. Ratnasamy, J.M. Hellerstein, <strong>and</strong> S. Shenker, Range queries over DHTs.<br />
Technical report, Intel Corporation, 2003.<br />
[17] S. Rhea, B.-G. Chun, J. Kubiatowicz, <strong>and</strong> S. Shenker, Fixing the embarrassing<br />
slowness of opendht on planetlab. In WORLDS ’05: Proceedings of the 2nd conference<br />
on Real, Large Distributed Systems, pp. 25-30, Berkeley, CA, USA, 2005. USENIX<br />
Association.<br />
[18] A. Rowstron, P. Druschel, Pastry: Scalable, distributed object location <strong>and</strong> routing for<br />
large-scale peer-to-peer systems. In IFIP/ACM International Conference on Distributed<br />
Systems Platforms (Middleware), pp. 329-350, November 2001.<br />
[19] C. Schmidt, M. Parashar, Enabling flexible queries with guarantees in p2p systems.<br />
IEEE Internet Computing, 8:19-26, 2004.<br />
[20] D. Stutzbach, R. Rejaie, Underst<strong>and</strong>ing churn in peer-to-peer networks. In Jussara<br />
M. Almeida, Virg´ılio A.F. Almeida, <strong>and</strong> Paul Barford, editors, Internet Measurement<br />
Conference, pages 189-202. ACM, 2006.<br />
[21] A. Varga, OMNeT++ discrete event simulation system. http://www.omnetpp.org,<br />
April 2009.
Automatic Exploitation of Multilingual <strong>Information</strong><br />
for <strong>Military</strong> Intelligence Purposes<br />
S<strong>and</strong>ra Noubours, Matthias Hecking<br />
Fraunhofer Institute for Communication, <strong>Information</strong> Processing <strong>and</strong> Ergonomics FKIE,<br />
D-53343Wachtberg, Germany, {s<strong>and</strong>ra.noubours, matthias.hecking}@fkie.fraunhofer.de<br />
Abstract: Intelligence plays an important role in supporting military operations. In the course<br />
of military intelligence a vast amount of textual data in different languages needs to be analyzed.<br />
In addition to information provided by traditional military intelligence, nowadays the internet offers<br />
important resources of potential militarily relevant information. However, we are not able to manually<br />
h<strong>and</strong>le this vast amount of data. The science of natural language processing (NLP) provides technology<br />
to efficiently h<strong>and</strong>le this task, in particular by means of machine translation <strong>and</strong> text mining.<br />
In our research project ISAF-MT we created a statistical machine translation (SMT) system for Dari<br />
to German. In this paper we describe how NLP technologies <strong>and</strong> in particular SMT can be applied<br />
to different intelligence processes. We therefore argue that multilingual NLP technology can strongly<br />
support military operations.<br />
Keywords: Statistical machine translation, natural language processing, open source intelligence,<br />
military intelligence<br />
I. Introduction<br />
<strong>Military</strong> operations strongly depend on up-to-date information. This is necessary<br />
to be able to act in the most effective <strong>and</strong> coordinated way possible at any given<br />
time. Therefore relevant information must be provided by military intelligence cells<br />
operating according to a specific process. This process includes collection, processing<br />
<strong>and</strong> analysis of information. <strong>Information</strong> which is important for military purposes<br />
can come in a variety of forms, e.g., signals, geospatial data, audio <strong>and</strong> video files<br />
or textual data. In this paper we will focus on the processing of text.<br />
In addition to intelligence provided by humans (HUMINT), nowadays open<br />
source intelligence (OSINT), particularly in terms of exploiting the internet, has become<br />
an essential source of potentially relevant information [1]. Live information<br />
from global news sites <strong>and</strong> user-generated content can now provide us with important<br />
knowledge. Terrorist organizations present in the web make the internet<br />
even more interesting from a military point of view. Consequently, we have access<br />
to a vast amount of data, which imposes great challenges to information processing
266 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> analysis. In the course of the intelligence process, collected raw data must be<br />
processed to extract <strong>and</strong> analyze relevant information [2], [3]. In order to do this,<br />
in current operations, military analysts must read the source data <strong>and</strong> process its<br />
content. Only then can the results of the evaluation be incorporated into the comm<strong>and</strong><br />
<strong>and</strong> control process.<br />
Due to capacity issues, information overload represents a serious intelligence<br />
problem, which not only applies to OSINT but often is also true for every kind<br />
of data, e.g., HUMINT data. This means that we have access to various sources<br />
of potentially relevant data but may miss critical information as we are not able to<br />
process it. Processing capacities become further limited if we deal with texts<br />
in foreign languages that need to be translated. In particular, with respect to less<br />
common languages not enough or no human translators might be available. For<br />
example, in the case of the Afghanistan mission, Dari is one such language that<br />
causes our forces different kinds of translation problems. In any case, it is clear that<br />
intelligence tools for efficient processing of data are required.<br />
The science of natural language processing (NLP) provides technology to assist<br />
military intelligence. There are different NLP applications to support the intelligence<br />
process on different levels, i.e., finding relevant documents, document classification,<br />
extraction of document content or specific information <strong>and</strong> even sentiment<br />
analysis. To meet the challenge of multilingual document processing, machine<br />
translation (MT) can be used. In our research project ISAF-MT [4] we have created<br />
a machine translation system for Dari to German. We proved that the approach<br />
of statistical machine translation (SMT) makes it possible to rapidly construct new<br />
translation systems. We argue that the generated output of such a system, a rough<br />
translation, even if usually not of high quality, can be used to assist military intelligence<br />
at different levels. Therefore, SMT can be applied for intelligence purposes<br />
to efficiently process large amounts of data.<br />
II. The significance of web information<br />
The modern connected world has significant impact on open source intelligence.<br />
Nowadays, global news sites as well as social media provide us with live information<br />
of different kinds, i.e., about events, public opinion, etc. As web technologies<br />
develop rapidly they become integrated into our lives. Therefore, the information<br />
content of the web will become increasingly relevant, also for military applications.<br />
An example for this is the role that social media played in the revolutions<br />
of the Arab world starting on December 18, 2010 in Tunisia. Here, social networks<br />
played as a critical function in sharing information <strong>and</strong> organizing protests [5].<br />
Statistics mirror the importance of the internet in our world (visualized by<br />
Figure 1): with a world population of 7 billion, more than 2 billion people use<br />
the internet. Due to the recent development of mobile devices, i.e., smart phones<br />
<strong>and</strong> tablets, the use of the internet is no longer restricted to access locations. Over
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
267<br />
80% of the world’s population now has a mobile phone <strong>and</strong> the share of smartphones<br />
is increasing. Here internet usage shows a rapid development trend. During<br />
the last 5 years the total number of internet users has increased from 18% in 2006<br />
to 35% in 2011. This trend is not only present in the developed countries but also<br />
applies to the developing world [6]. Likewise, the rise of social networks can be<br />
seen in numbers: For example, Facebook, which launched in 2004, today has 845<br />
million monthly active users [7]. Twitter, that started two years later, has 140 million<br />
users now <strong>and</strong> sees 340 million tweets per day [8]. This immense use of internet<br />
technologies results in an increasingly vast quantity of textual online data.<br />
Figure 1. Share of Internet users in the total population<br />
Along with the rise of modern web technologies, the use of the internet for<br />
criminal purposes has grown. Focusing on military issues, the internet holds many<br />
possibilities for terrorist purposes, e.g., ease of access, lack of regulation, vast potential<br />
audiences, fast flow of information, etc. It is utilized by terrorists in different<br />
ways, i.e., psychological warfare, publicity <strong>and</strong> propag<strong>and</strong>a, fundraising, recruiting<br />
<strong>and</strong> mobilization, networking, information sharing <strong>and</strong> planning <strong>and</strong> coordination<br />
[9]. In an 8-year-long monitoring of terrorist presence on the Internet from<br />
1998 to 2007 a study by [10] found more than 5,000 terrorist web sites. All active<br />
terrorist groups had established at least one form of presence on the internet, i.e.,<br />
web sites, online forums, <strong>and</strong> chat rooms serving terrorists <strong>and</strong> their supporters.<br />
Recent results showed that today about 90% of organized terrorism on the Internet
268 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
is being carried out through the social media [11]. The large involvement of terrorist<br />
activities in the internet indicates the urgency to monitor internet data for<br />
security <strong>and</strong> defense issues.<br />
As the use of web technologies is growing its information content is growing,<br />
too. Therefore, the probability that information relevant for military purpose<br />
is present in the internet is increasing, too. Hence, it is essential to be able to extract<br />
information not only from traditional intelligence sources but also from the internet.<br />
Due to the vast quantity of possibly important documents, intelligence tools<br />
are needed [1]. These tools must help analysts to efficiently <strong>and</strong> rapidly receive<br />
relevant documents from the internet <strong>and</strong> collected data sources, translate them<br />
if necessary, extract critical information <strong>and</strong> analyze them.<br />
III. Natural language processing for intelligence purposes<br />
Natural language processing (NLP) is an active research field that combines<br />
computer science with linguistics. Through the application of different techniques<br />
from computer science, natural language text or speech is processed. As this paper<br />
focuses on the processing of text, in the rest of this paper only “text” will be used,<br />
although in all cases, NLP research exists that also looks into the corresponding<br />
processing of speech.<br />
In general, NLP approaches are either based on rules or on machine learning.<br />
Rule-based approaches apply a set of h<strong>and</strong>-written rules that indicate how to<br />
process the input text. Machine learning is a technique from the field of artificial<br />
intelligence (AI). NLP approaches that are based on machine learning usually apply<br />
statistical models to analyze the input. Such models are automatically learned (or<br />
trained) based on example data (training data). After training, the system is able to<br />
analyze new input. This means, the system derives the most probable analysis based<br />
upon the trained statistical model. For example, in the course of statistical machine<br />
translation (SMT), translations are generated according to the translation model. This<br />
model is trained on a parallel corpus, a collection of texts that represent translations<br />
of each other in both languages of interest. During training the system learns how<br />
to translate source language text into target language text based on the probability<br />
distribution of the training data. The trained SMT system is then able to find the most<br />
probable translation in the target language given the source language input text.<br />
Both rule-based <strong>and</strong> statistical NLP techniques have different advantages <strong>and</strong><br />
disadvantages. Rule-based NLP technology is usually more accurate than statistical<br />
approaches, as it processes everything based on rules. Statistical systems always<br />
output the most probable result which is not necessarily the correct result. Statistical<br />
approaches, however, also have different advantages especially with respect to military<br />
applications: in general, statistical systems have a higher coverage, they tend to<br />
be more robust, <strong>and</strong> they can be produced rapidly <strong>and</strong> more cost efficiently. Language<br />
is highly irregular <strong>and</strong> dynamic. This leads to the fact that it is almost impossible to
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
269<br />
formulate rules for every specification or exception. And rule-based systems can only<br />
process the input if corresponding rules exist. Furthermore, the formulation of rules<br />
for linguistic phenomena usually results in a large amount of rules that might then<br />
interfere with each other in a highly complex way that is difficult to predict. A statistical<br />
system learns linguistic regularities as well as irregularities when being trained on<br />
representative data. This results in statistical NLP generally having a higher coverage.<br />
Hence, such NLP systems can usually process more different input. Therefore, they are<br />
also usually more robust. In general, statistical NLP systems always process the input<br />
<strong>and</strong> give you some result, namely, the most probable output based on the model. This<br />
might also be advantageous if the input is erroneous. Statistical NLP tools usually<br />
can be produced much faster (<strong>and</strong> often more cost efficiently) as no h<strong>and</strong>-written<br />
rules are needed but models are applied that are learned automatically. Whether<br />
NLP tools for military purposes perform best when being based on rules, statistical<br />
or hybrid depends on the specific application context.<br />
An approach for applying NLP to intelligence processing<br />
The intelligence process usually includes the following tasks: planning <strong>and</strong><br />
direction, collection, processing <strong>and</strong> exploitation, analysis <strong>and</strong> production, <strong>and</strong><br />
dissemination <strong>and</strong> integration. The intelligence cycle is visualized in Figure 2. During<br />
planning <strong>and</strong> direction the mission-specific intelligence needs are identified.<br />
According to these needs, relevant data are then collected from different sources.<br />
The raw data collected must be processed <strong>and</strong> exploited so that they can be used<br />
by the analyst, i.e., relevant information must be extracted <strong>and</strong> converted into<br />
a usable form. Analysis <strong>and</strong> production involves integrating, evaluating, analyzing,<br />
<strong>and</strong> interpreting information into a finished report. The results can then be<br />
incorporated into the comm<strong>and</strong> <strong>and</strong> control process. The intelligence steps relevant<br />
in the context of this paper are those that involve text processing, i.e., collection,<br />
processing <strong>and</strong> exploitation, <strong>and</strong> analysis <strong>and</strong> production.<br />
Figure 2. NLP <strong>Technology</strong> for Intelligence
270 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
There are various NLP technologies that can support intelligence with the processing<br />
of text. A selection of those is presented below:<br />
• <strong>Information</strong> retrieval (IR): <strong>Information</strong> retrieval is the technology underlying<br />
modern search engines, i.e., it is concerned with efficiently <strong>and</strong> effectively<br />
searching for documents. By the application of professional search methods<br />
we are able to find specific texts from document collections like databases<br />
or the World Wide Web.<br />
• Document classification: Document classification (or text categorization)<br />
is an NLP method to assign documents to one or more classes or categories.<br />
This may also mean the classification of documents relevance. As document<br />
classification is usually used to enhance information retrieval, it is<br />
sometimes regarded as a sub-field of IR.<br />
• <strong>Information</strong> extraction (IE): <strong>Information</strong> extraction describes the extraction<br />
of specifically defined information from text. For this, different text<br />
processing is performed. Critical information is identified <strong>and</strong> extracted<br />
<strong>and</strong> may also be structured <strong>and</strong> combined.<br />
• Text mining: Text mining refers to the process of deriving text content. The aim<br />
is to discover previously unknown information that is relevant for a particular<br />
purpose. In the course of text mining different NLP technology may be applied<br />
such as, for example, the related task of IE to extract specific items.<br />
• Opinion mining: Opinion mining, which is also called sentiment analysis,<br />
involves the analysis of subjective information from text. It is used to try to<br />
determine the attitude of a writer with respect to some topic or the overall<br />
contextual polarity of a document.<br />
• Machine translation (MT): The automatic translation of text is done by<br />
machine translation. There are different approaches to generate a target<br />
language translation from a source language text. Which approach is best<br />
depends on the application <strong>and</strong> various circumstances. Most modern research<br />
is performed in the area of statistical machine translation (SMT).<br />
In section 4, SMT is described in more detail.<br />
The technologies presented can be applied to assist the human intelligence<br />
analyst. Through automatic document processing, the intelligence process can be<br />
improved in terms of efficiency as well as effectiveness. The computational processing<br />
of text is much faster than human processing. This means that time-critical information<br />
will reach the mission’s comm<strong>and</strong> <strong>and</strong> control in a much shorter time. Many<br />
intelligence tasks cannot possibly be performed by humans (such as the manual<br />
search for information in the web). Only by the use of technology are we able to<br />
fully exploit the information that we have access to nowadays. In the following, we<br />
illuminate one possible approach of supporting the intelligence process by the application<br />
of NLP technology (Figure 2).<br />
a) Collection: Intelligence involves the collection of data that are relevant for<br />
the mission. There are different sources of relevant textual data. For example,
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
271<br />
data can be provided by HUMINT, or found on the internet (i.e., OSINT).<br />
Nowadays, media monitoring systems <strong>and</strong> real time search tools provide<br />
technology to rapidly access data on the internet. From available data sources,<br />
i.e., intelligence document collections or the internet, the specific texts that<br />
may include important information must be extracted. <strong>Information</strong> retrieval<br />
provides efficient <strong>and</strong> effective search technology to find the specific documents<br />
that meet the missions identified needs. These documents may be further<br />
filtered according to their relevance. Here, document classification can be<br />
used to determine the documents’ relevance with respect to the mission.<br />
b) Processing <strong>and</strong> exploitation, <strong>and</strong> analysis: The documents collected must be processed<br />
to identify <strong>and</strong> extract information that are important for the mission.<br />
This is an extremely time-consuming <strong>and</strong> labor-intensive task. For example,<br />
the human analyst has to manually read every document, identify <strong>and</strong> extract<br />
important information <strong>and</strong> analyse it with respect to the mission. <strong>Information</strong><br />
extraction, text mining <strong>and</strong> opinion mining are examples of NLP technology<br />
that can assist the intelligence analyst with these tasks. <strong>Information</strong> extraction<br />
<strong>and</strong> text mining are related NLP approaches for content analysis. They include<br />
tools for tagging, identification <strong>and</strong> extraction of specific or mission relevant<br />
information. For example, systems that perform information extraction for<br />
military purposes are described in [12] <strong>and</strong> [13] as well in [14]. There are also<br />
techniques for the combination of information <strong>and</strong> for automatic reasoning.<br />
See [15] for an example of such a system. Furthermore, tools for opinion<br />
mining can provide the analyst with information about writers’ attitudes or<br />
sentiments.<br />
NLP can provide the analyst with tools for all intelligence steps that involve<br />
the processing of text. The analyst does not need to read through the documents<br />
manually but can utilize the NLP processing results. To what extent the processing<br />
can be performed automatically by the application of NLP technology depends<br />
on the nature <strong>and</strong> complexity of the data that needs to be processed, as well as on<br />
the nature <strong>and</strong> complexity of the NLP task. In any case NLP tools can improve intelligence<br />
processing in terms of speed, of efficiency, <strong>and</strong> of effectiveness. Moreover<br />
new opportunities will arise as NLP is an active, quickly developing research field.<br />
IV. Statistical machine translation for intelligence purposes<br />
To fully exploit the power of a vast global intelligence source such as the internet<br />
<strong>and</strong>, in order to access international information in general, documents in different<br />
languages need to be processed. As texts in different languages are relevant not only<br />
in the context of foreign military operations but also for internal security issues,<br />
the translation of text is of fundamental importance for intelligence purposes. In this<br />
context, machine translation (MT) is highly useful. Machine translation denotes<br />
the fully automatic translation of text (or speech).
272 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
There are different machine translation approaches, from simple word-toword<br />
translation, to rule-based approaches to statistical machine translation, <strong>and</strong><br />
hybrid approaches. Word-to-word translations operate on the basis of dictionaries.<br />
Rule-based approaches apply a set of h<strong>and</strong>written linguistic rules that describe how<br />
to translate one specific source language into one specific target language. In contrast,<br />
SMT is based on machine learning. Most modern MT research is performed<br />
in statistical machine translation.<br />
The objective of SMT is to find the most probable translation for a given<br />
sentence. SMT uses machine learning techniques which means that the system<br />
learns how to translate source language texts into target language texts, based on<br />
training data <strong>and</strong> by the application of learning algorithms. The focus thereby is not<br />
on generating a perfect word-to-word translation but on transferring the meaning<br />
of the source language text into the target language.<br />
Figure 3. Excerpt of the Dari-German Corpus<br />
To build an SMT system, it has to be trained by the application of machine<br />
learning techniques. The training data are parallel corpora, i.e., large collections<br />
of texts in the source as well as in the target language that represent translations<br />
of each other (see Figure 3 for an example). During the training stage, the system<br />
statistically analyses the training corpus in order to learn a so-called translation<br />
model. For this, different learning algorithms may be applied. The model assigns diverse<br />
probabilities to co-occurrences of textual segments (e.g., phrases) in the source<br />
language <strong>and</strong> in the target language. The model then contains phrases in the source<br />
language together with possible translations in the target languages <strong>and</strong> different<br />
probabilities for each specific phrase pair. Figure 4 shows an excerpt of a translation<br />
model that has been generated by our ISAF-MT SMT system. The purpose<br />
of the translation model is to generate a reasonable translation. In addition to<br />
the translation model, a language model is trained using a monolingual text corpus<br />
in the target language. The language model contains n-gram probabilities for word<br />
sequences of the target language. Based on the language model the system is designed<br />
to derive good target language expressions in terms of naturalness. After<br />
training on the training corpus, the SMT system is able to translate new input text.<br />
It will generate the translation of highest probability based on the trained models.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
273<br />
Figure 4. Excerpt of a Translation Model generated by the ISAF-MT SMT System<br />
Different factors can influence the performance of an SMT system, e.g., the size<br />
<strong>and</strong> quality of the training corpus (as described below), the integration of linguistic<br />
knowledge or the different machine learning implementations. Training data are<br />
highly essential for SMT performance. There are certain requirements that, the more<br />
satisfied, can lead to better translation quality:<br />
• Size of the training data: In general, the larger a training corpus is the more<br />
expressions in terms of vocabulary <strong>and</strong> word combinations it will cover.<br />
Therefore, corpus size is significant for the training of the system <strong>and</strong> system<br />
performance will improve when more training data are provided.<br />
• Translation quality of the training data: The translation quality of the training<br />
corpus directly corresponds to the correctness of the translation model. This<br />
means the more correct translations the training corpus contains the better<br />
the system will be able to learn how to produce correct translations.<br />
• Domain adaption of the training data: Language is highly ambiguous, i.e.,<br />
a word, phrase or sentence can have different meanings <strong>and</strong> therefore<br />
may also have different translations. The meaning of a text segment may<br />
depend on its contextual domain. If a system has been trained for a specific<br />
domain it will choose translations appropriate for that domain. The more<br />
domain-specific a training corpus is, the better the translation performance<br />
for texts from this domain will be.<br />
Linguistic expertise can be applied to adapt SMT technology to the specific<br />
language pair of interest, thus improving translation quality. Also, different SMT<br />
approaches <strong>and</strong> machine learning algorithms can be applied to modify a system<br />
in terms of translation quality as well as efficiency. As SMT is an active research<br />
field, better <strong>and</strong> faster approaches are constantly being implemented.<br />
The advantages that SMT holds over other machine translation approaches<br />
are, for example, the same that statistical NLP technology in general holds over<br />
rule-based approaches, i.e.:
274 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
i) Higher coverage <strong>and</strong> robustness: Generally, SMT systems have a higher coverage<br />
than rule based system. As language is highly irregular <strong>and</strong> dynamic<br />
it is nearly impossible to formulate a rule for every specification or excetion.<br />
Therefore there will be textual segments that cannot be translated by rulebased<br />
machine translation because no explicit rule has been defined for that<br />
case. If the training corpus is representative <strong>and</strong> of sufficient size even irregular<br />
or new segment can been seen in the data. The SMT system can then learn<br />
the linguistic phenomena during training <strong>and</strong> the input can be statistically<br />
translated. Higher coverage also leads to more robustness with respect to<br />
linguistically new or irregular input.<br />
ii)<br />
Rapid <strong>and</strong> efficient production of SMT systems: SMT systems can be produced<br />
rapidly <strong>and</strong> efficiently because no manually implemented rules are needed.<br />
Instead, the system automatically learns how to generate translations. Many<br />
tools are ready available to built an SMT system many tools are ready available.<br />
Linguistic expertise may be applied to improve translation quality by<br />
adapting system components to the specific language pair. A parallel corpus<br />
needs to be provided for training. Parallel corpora may be either generated<br />
manually by translators, or, if language resources are available, can be extracted<br />
semi- or fully-automatically. Due to the large amount of multilingual data on<br />
the internet it is usually utilized as a resource to extract parallel corpora. For<br />
automatic corpus extraction web crawlers <strong>and</strong> automatic aligners can be applied.<br />
If not enough data for the language pair in question are available there<br />
are also approaches to use pivot languages. For example, English, may be<br />
used as pivot language if there are enough online documents for the source<br />
language <strong>and</strong> English as well as the target language <strong>and</strong> English. Apart from<br />
that, crowdsourcing has been used to generate corpora. A very interesting<br />
example of creating a translation system very fast is the Haitian Creole to/from<br />
English system [16], [17]. After the disaster in Haiti, researchers from Microsoft<br />
Research built a first version of this SMT translation system for texts within four<br />
<strong>and</strong> a half days. The idea was to have a system for translating emergency relief<br />
documents, medical documents, SMS text messages, <strong>and</strong> common phrases<br />
<strong>and</strong> expressions. The incident showed that SMT systems can be developed<br />
by putting together data from a variety of sources <strong>and</strong> by engaging native<br />
speakers <strong>and</strong> a broader community (crowdsourcing) to assist in the effort.<br />
The authors conclude that MT might be a crucial component in crisis situations<br />
<strong>and</strong> can be developed rapidly.<br />
In general, machine translation represents an essential step for efficient analysis<br />
of foreign language documents. It can therefore be applied for a variety of task. That<br />
MT is valuable for military purposes can be seen from the fact that currently major<br />
funding for MT research comes from the US Defense Department [18].
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
275<br />
ISAF-MT<br />
In our research project Machine Translation for ISAF Forces (ISAF-MT) [4]<br />
we have built a Dari-German translation system. As the project takes place in a German<br />
– U.S. cooperation, research in SMT for Dari <strong>and</strong> English is also being<br />
conducted. The objective of our project is the application of statistical machine<br />
translation technology for the construction of a Dari-German translation system<br />
in a military context.<br />
The software framework we used for the ISAF-MT project is Moses [19].<br />
Moses is the most widely used toolbox for constructing SMT systems. It is an opensource<br />
project <strong>and</strong> has a very large user <strong>and</strong> developer community. This ensures<br />
that the latest concepts <strong>and</strong> techniques are available for developers of SMT systems.<br />
In the course of our project we built a parallel German-Dari corpus because no<br />
corpus for this language pair was available. We have built a text corpus that consists<br />
mainly of news texts focusing on OSINT terrorism topics. To find a compromise<br />
between size of training data <strong>and</strong> quality of translation, we applied a multilevel<br />
approach for corpus creation. On the one h<strong>and</strong>, we efficiently extracted parallel<br />
texts from the internet to meet the requirement of corpus size. On the other<br />
h<strong>and</strong>, high quality translations were generated by native speakers <strong>and</strong> professional<br />
translators. Our current corpus contains about 27 000 lines. 13 000 lines are web<br />
extracted news text <strong>and</strong> about 4500 lines are high quality translations. About 9500<br />
corpus lines consist of diverse text material, such as open source subtitles, public<br />
translation examples, the Dari constitution <strong>and</strong> texts of common information.<br />
We further improved the system by integrating a Dari-German dictionary of about<br />
80 000 entries that also contains some military terms.<br />
In the course of our project we ran different experiments for the improvement<br />
of system performance. In the following, we will describe some of the objects<br />
of the experiments that significantly influenced SMT performance.<br />
• Quality of the training corpus: We ran experiments with different subsets<br />
of the corpus, focusing on different translation quality or type of text. We also<br />
looked into various ways of integrating dictionaries into our training data<br />
in the most beneficial way.<br />
• Corpus preparation: System performance improved by the normalization<br />
of the training corpus, e.g., in terms of different Unicode normalizations<br />
<strong>and</strong> normalization that were done specifically for the language Dari.<br />
• Software experiments: To build our SMT system we tried different available<br />
software, e.g., for training of translation model or language model.<br />
• Training configuration: The Moses framework provides different possible<br />
approaches <strong>and</strong> configurations for SMT. We looked into various settings<br />
(e.g. maximum length of trained phrases) as well as into the integration<br />
of linguistic knowledge (e.g., lemmas) into the translation model.
276 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Our project proved the usefulness of SMT for military purposes in terms<br />
of fast system production <strong>and</strong> applicability of translation results. We showed that,<br />
after building up the SMT infrastructure (computer cluster, procedures for building<br />
corpora, etc.), a translation system for rough translation can be produced<br />
rapidly [4]. We also argue that the system outputs translations that can support<br />
military operations. This means that the translations generated by our SMT system<br />
are of a quality that is good enough to capture the meaning of the input text, i.e. are<br />
rough translations. This already applies to a system trained on only a few thous<strong>and</strong><br />
lines, for example, on the 4000 lines of high quality translations of our training<br />
corpus. System performance improved with size of corpus data. Apart from that,<br />
the integration of dictionaries significantly improved translation quality especially<br />
when the system was trained on small data.<br />
In our project we showed that SMT systems that can support military intelligence<br />
can be produced rapidly. In order to build a translation system, training<br />
data can be obtained from the internet. In case of insufficient amount of data<br />
resources, as it is often the case for rarely spoken languages, the training corpus<br />
can be produced by human translators. Additionally, available linguistic resources<br />
can be usefully integrated, <strong>and</strong>, on the basis of linguistic expertise, system components<br />
can be modified to adapt to the specific language pair. Such a system could<br />
already support military intelligence. After more corpus development, as translation<br />
quality increases with corpus size, the system could be applied for tasks of higher<br />
complexity or difficulty. For a more detailed description on the fast production<br />
of SMT systems in the context of military missions, see [4].<br />
The ISAF-MT SMT system outputs translations of different quality, i.e.,<br />
translation quality can vary from very bad to very good translations. In Figure 5<br />
you can see an example translation of a newspaper article generated by a current<br />
version of our ISAF-MT system. Bad translations can be caused by words or<br />
phrases that have not been translated from Dari to German. Furthermore, words or<br />
phrases can occur that have been translated into wrong German words or phrases.<br />
Translations that are useful for military purposes can be sentences that are not<br />
good in terms of naturalness or correctness of the target language but that bring<br />
across the semantic content of the source sentences. There are also translations that<br />
capture the right semantic content of the Dari sentences <strong>and</strong> that are correct <strong>and</strong><br />
natural German sentences. Overall, we argue that a translated document consisting<br />
of translations of different quality (like in Figure 5) can bring across the meaning<br />
of the source document. Thus, even a translation system that has been trained on<br />
only a small number of sentences, like our system, can be useful in the context<br />
of military intelligence.<br />
Though machine translation is an active research area, to our knowledge, there<br />
are not many systems for translating Dari to/from German. We have compared our<br />
SMT system to Google Translate [20]. We ran Google’s Persian to German translation<br />
on a r<strong>and</strong>om test set that has been extracted from our Dari-German Corpus.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
277<br />
We got a BLEU-Score [21] of 8.06 for Google’s output <strong>and</strong> a BLEU-Score of 9.69<br />
for the ISAF-MT translation. To our knowledge, there is no rule-based translation<br />
system for Dari <strong>and</strong> German publicly available. For further reports on evaluation<br />
results regarding the ISAF-MT (e.g., BLUE-Scores) system see [4].<br />
Figure 5. Excerpt of Translation Ouput generated by the ISAF-MT SMT System<br />
An approach for applying SMT to intelligence processing<br />
Translations produced by SMT can be of different quality, depending on<br />
the complexity of the input text, on the SMT system, the available training data,<br />
the language pair, etc. In any case, to bring across the meaning, translation does<br />
not have to be perfect. We therefore argue that the output of SMT systems, even<br />
though of varying quality, can support the intelligence process in different ways.<br />
This concept is presented in Figure 2, <strong>and</strong> will be discussed in the following.<br />
a) First impression / idea of text content for the human analyst: On the basis<br />
of a translation produced by SMT, even if not of perfect quality, the human analyst<br />
can infer the document’s content. Such a broad translation can serve<br />
the human analyst in a first screening of the documents to decide whether<br />
the document is of any relevance <strong>and</strong> should be passed on for proper (human)<br />
translation or a different further analysis. Apart from that, under the dogma<br />
“any translation is better than no translation” this rough translation can help<br />
the analyst with the different intelligence tasks, where texts in different languages<br />
need to be processed. This would apply if no translator is available, or,<br />
for efficiency reasons.<br />
b) Automatic collection: A rough translation can also serve as input for automatic<br />
information retrieval <strong>and</strong> for automatic classification. To automatically search<br />
for relevant documents in different languages, it is usually sufficient if the broad<br />
content of the documents is provided. The same applies to automatic classification<br />
of the relevance of documents according to the mission’s needs.
278 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
c) Automatic processing <strong>and</strong> exploitation, <strong>and</strong> analysis: Translation output of higher<br />
quality can serve as input for automatic document processing <strong>and</strong> content<br />
analysis. If it is important to efficiently or to fully automatically process documents,<br />
e.g. where a vast amount of data needs to be analyzed, automatic translation<br />
might be the only way to exploit the whole data. In this case, the documents<br />
collected can be translated by an SMT system <strong>and</strong> the translations serve<br />
as the input for further NLP processing such as information extraction, text<br />
mining or opinion mining. The quality of the final NLP output then highly<br />
depends on the translation quality.<br />
Our approach claims that machine translation is highly useful for the optimal<br />
analysis of large amounts of foreign material. It can be applied to assist the human<br />
analyst <strong>and</strong> can generate translations that can serve as input for further automatic<br />
NLP processing. As regards the latter, the quality of the generated translations<br />
will determine what kind of further automatic analysis can be deployed. Therefore,<br />
the extent to that text in different languages can be processed automatically by<br />
NLP applications depends on the quality of the generated translations as well as on<br />
the nature <strong>and</strong> difficulty of the further NLP tasks. And, if a vast amount of textual<br />
data in different languages needs to be processed, i.e., on the internet or from<br />
other document collections, the application of MT tools might be the only way to<br />
process the data.<br />
V. Conclustions<br />
This paper discussed that NLP technology can strongly support military intelligence<br />
with the processing of information. Textual data that needs to be analyzed<br />
for intelligence purpose includes not only documents collected by human intelligence<br />
but also open source documents. Especially, the internet today carries a lot<br />
of information that may be relevant in the context of military operations. Overall,<br />
the amount of documents that needs to be processed for intelligence purposes<br />
is extremely large. The manual analysis of textual data is very labor-intensive <strong>and</strong><br />
time-consuming <strong>and</strong> in some cases not even practicable. This problem is even worse<br />
if documents in different languages have to be processed as there may be only few or<br />
no translators available. This work argued that NLP intelligence tools can be applied<br />
for the efficient <strong>and</strong> effective content analysis of documents in different languages.<br />
We described how NLP technology can be applied to support the intelligence<br />
process on tasks that involve the processing of text. For the collection of relevant<br />
documents from intelligence document collections or open source databases, such<br />
as the internet, NLP tools for automatic information retrieval <strong>and</strong> document classification<br />
can be utilized. Texts can be processed <strong>and</strong> information can be identified,<br />
extracted <strong>and</strong> analyzed by NLP technologies such as information extraction, text<br />
mining <strong>and</strong> opinion mining. For the processing of documents in foreign languages
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
279<br />
machine translation can be applied. In particular, the approach of statistical machine<br />
translation holds various advantages in the context of military applications.<br />
In our research project ISAF-MT we have created a statistical machine translation<br />
system for Dari <strong>and</strong> German. By our work we proved i) that SMT systems can be<br />
built rapidly <strong>and</strong> ii) that the generated translations can be of sufficient quality to<br />
bring across the meaning of the source text. We therefore argued that translations<br />
generated by such an SMT system can assist intelligence processing in different ways:<br />
a) to give the human analyst a broad idea of the documents’ content, b) as input for<br />
automatic document collection, <strong>and</strong> c) (if of sufficient quality) as input for automatic<br />
processing, exploitation <strong>and</strong> analysis of information from texts.<br />
NLP technology may be applied to assist the human intelligence analyst at different<br />
levels. In general, NLP processing does not reach 100% accuracy. Therefore,<br />
the extent to that processing can be performed automatically depends on different<br />
factors, e.g., the nature <strong>and</strong> complexity of the input data as well as on the nature <strong>and</strong><br />
difficulty of the NLP processing task. As NLP is an active <strong>and</strong> quickly developing<br />
research field, technologies will improve. We argued that NLP tools can support<br />
military intelligence today, <strong>and</strong> due to the increasing importance of the internet <strong>and</strong><br />
the development of NLP technology, will become even more essential in the future.<br />
Consequently, NLP technology for multilingual content analysis is needed to fully<br />
exploit the information that is provided to us by different intelligence sources.<br />
References<br />
[1] C. Best, “Challenges in Open Source Intelligence,” in Proceedings of the European<br />
Intelligence <strong>and</strong> Security Informatics Conference (EISIC), pp. 58-62, Athens, Greece,<br />
September 2011.<br />
[2] Joint Publication, “2-0: Joint Intelligence,” 2007. [Online]. Available: http://www.dtic.<br />
mil/doctrine/new_pubs/jp2_0.pdf<br />
[3] Joint Publication, “2-01: Joint <strong>and</strong> national intelligence support to military operations,”<br />
2012. [Online]. Available: http://www.dtic.mil/doctrine/new_pubs/jp2_01.pdf<br />
[4] M. Hecking, <strong>and</strong> S. Noubours, “Fast Realization of Automatic Translation Systems<br />
for New Mission-Relevant Languages,” in Proceedings of the 17th International<br />
Comm<strong>and</strong> <strong>and</strong> Control Research <strong>and</strong> Technolgy Symposium (ICCRTS), Fairfax, VA,<br />
USA, June 2012.<br />
[5] T.M. Chen, “How networks changed the world,” Network, IEEE, vol. 25, no. 6, pp. 2-3,<br />
November 2011.<br />
[6] International Telecommunication Union, “The World in 2011: ICT Facts <strong>and</strong><br />
Figures,” 2011. [Online]. Available: http://www.itu.int/ITU-D/ict/facts/2011/material/<br />
ICTFactsFigures2011.pdf<br />
[7] Facebook, “Facebook’s latest news, announcements <strong>and</strong> media resources: Fact Sheet –<br />
Facebook,” Internet: http://newsroom.fb.com/content/default.aspxNewsAreaId=22,<br />
December 2012 [Mar. 30, 2012].
280 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[8] Twitter, “Twitter Blog: Twitter Turns Six,” Internet: http://blog.twitter.com/2012/03/<br />
twitter-turns-six.html, March 2012 [Mar. 30, 2012].<br />
[9] G. Weimann, <strong>and</strong> United States Institute of Peace, “www.terror.net: How<br />
Modern Terrorism Uses the Internet,” 2004. [Online]. Available: http://www.usip.<br />
org/publications/wwwterrornet-how-modern-terrorism-uses-internet.<br />
[10] G. Weimann, “The Psychology of Mass-Mediated Terrorism,” American Behavioral<br />
Scientist, vol. 52, no. 1, pp. 69-86, September 2008.<br />
[11] R. Feldman, “‘Friend’ request from Al-Qaeda,” University of Haifa: <strong>Communications</strong><br />
<strong>and</strong> Media Relations, March 29, 2004. [Online]. Available: http://newmedia-eng.haifa.<br />
ac.il/p=5680. [Apr. 2, 2012].<br />
[12] M. Hecking, <strong>and</strong> C. Schwerdt, “Multilingual <strong>Information</strong> Extraction for Intelligence<br />
Purposes,” in Proceedings of the 13th International Comm<strong>and</strong> <strong>and</strong> Control Research<br />
<strong>and</strong> Technolgy Symposium (ICCRTS), Bellevue, WA, USA., June 2008.<br />
[13] S. Noubours, <strong>and</strong> M. Hecking, “Semantic Analysis of <strong>Military</strong> Relevant Texts for<br />
Intelligence Purposes,,” in Proceedings of the 16th International Comm<strong>and</strong> <strong>and</strong><br />
Control Research <strong>and</strong> <strong>Technology</strong> Symposium (ICCRTS), Québec City, Québec,<br />
Canada, June2011.<br />
[14] B. Haarmann, L. Sikorski, <strong>and</strong> U. Schade, “Text Analysis beyond Keyword Spotting,”<br />
in Proceedings of the <strong>Military</strong> <strong>Communications</strong> & <strong>Information</strong> Systems Conference<br />
(MCC), Amsterdam, The Netherl<strong>and</strong>s, October 2011.<br />
[15] M. Hecking, A. Wotzlaw, <strong>and</strong> R. Coote, “Multilingual Content Extraction Extended<br />
with Background Knowledge for <strong>Military</strong> Intelligence,” in Proceedings of the 16th<br />
International Comm<strong>and</strong> <strong>and</strong> Control Research <strong>and</strong> <strong>Technology</strong> Symposium (ICCRTS),<br />
Québec City, Québec, Canada, June 2011.<br />
[16] W.D. Lewis, “Haitian Creole: How to Build <strong>and</strong> Ship an MT Engine from Scratch<br />
in 4 days, 17 hours, & 30 minutes,” in Proceedings of the 14th Annual Conference<br />
of the European Association for Machine Translation (EAMT), St Raphael, France,<br />
May 2010.<br />
[17] W.D. Lewis, R. Munro, <strong>and</strong> S. Vogel, “Crisis MT: Developing a Cookbook for MT<br />
in Crisis Situations,” in Proceedings of the Sixth Workshop on Statistical Machine<br />
Translation (WMT-11), located at EMNLP, Edinburgh, United Kingdom, July 2011.<br />
[18] P. Koehn, Statistical Machine Translation. Cambridge, UK: University Press, 2010.<br />
[19] P. Koehn, H. Hoang, A. Birch, C. Callison-Burch, M. Federico, N. Bertoldi,<br />
B. Cowan, W. Shen, C. Moran, R. Zens, C. Dyer, O. Bojar, A. Constantin,<br />
<strong>and</strong> E. Herbst, “Moses: Open Source Toolkit for Statistical Machine Translation,”<br />
in Proceedings of the Annual Meeting of the Association for Computational Linguistics<br />
(ACL), Prague, Czech Republic, June 2007.<br />
[20] Google Translate, http://translate.google.com/<br />
[21] K. Papineni, S. Roukos, T. Ward, <strong>and</strong> W.-J. Zhu, “BLEU: a method for automatic<br />
evaluation of machine translation,” in Proceedings of the 40th Annual Meeting on<br />
Association for Computational Linguistics (ACL 2002). Association for Computational<br />
Linguistics, Stroudsburg, PA, USA, July 2002.
<strong>Information</strong> Fusion Under Network Constraints<br />
Felix Govaers, Alex<strong>and</strong>er Charlish, Wolfgang Koch<br />
Department of Sensor Data <strong>and</strong> <strong>Information</strong> Fusion,<br />
Fraunhofer FKIE, Wachtberg, Germany,<br />
{felix.govaers, alex<strong>and</strong>er.charlish, wolfgang.koch}@fkie.fraunhofer.de<br />
Abstract: In this paper, various techniques for information fusion in distributed sensor applications are<br />
presented. In the considered scenarios a number of challenges exist due to limitations on the communication<br />
between sensor nodes. Firstly, the challenge of delayed data processing is addressed in order<br />
to present solutions for optimal state estimation when out of sequence data is received at the fusion<br />
center. Secondly, solutions for Measurement Fusion <strong>and</strong> Track-to-Track Fusion in distributed sensor<br />
applications with the challenge of constrained communication are summarised. In a simulative evaluation<br />
the behaviour of several approaches under conditions of a reduced probability of successful<br />
communication is investigated. It is found that decorrelated distributed tracking performs better<br />
than a central Kalman filter when communication is constrained.<br />
Keywords: Track-to-Track Fusion, Distributed Kalman Filter, Communication Constraints<br />
I. Introduction<br />
The increasing trend in ubiquitous communication technologies coupled<br />
with decreasing costs for electronic components <strong>and</strong> hardware is leading to sensor<br />
systems producing large quantities of data. As a branch of applied computer<br />
sciences sensor data fusion addresses the ability to process this vast quantity<br />
of information, generated by potentially multiple heterogeneous sources, in an effective<br />
<strong>and</strong> timely manner. Both methods <strong>and</strong> results of sensor data fusion are<br />
focused towards obtaining cognition, whereby information is intelligently processed<br />
to obtain situation awareness, which can provide the basis for informed<br />
decisions <strong>and</strong> actions.<br />
The objective of sensor data fusion is best described by a situational awareness<br />
emerging from combining partial information. Efficient algorithms support<br />
the user in order to enable decision making in critical situations. Through these<br />
high-performance algorithms, sensor data fusion is able to utilize both data correlations<br />
in time as well as complementary information gained by different sensors.<br />
To this end, both the measurement noise <strong>and</strong> the process evolution are described<br />
as a stochastic model. Combining these models one is able to fuse sensor data accumulated<br />
over time <strong>and</strong> to derive estimates. By means of computer implementations
282 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> highly sensitive sensors, it is possible to estimate the state of one or multiple<br />
objects with a high accuracy even if they are spatially remote. Furthermore, the fusion<br />
process may integrate context information or expert knowledge in order to<br />
improve the results.<br />
There are various challenges which must be tackled for effective sensor data<br />
fusion. Fluctuations in the signal within the circuit board of a sensor leads to<br />
noisy, imprecise data. Interference from the environment or poor sensor calibrations<br />
directly imply a systematic bias. Furthermore, challenges can result from<br />
a mathematically under-determined relationship between observation <strong>and</strong> state<br />
space. This inevitably results in “ghost measurements”, which contradict the real<br />
solution. In many applications, the objects of interest cannot be separated from<br />
the environment. Consequently, algorithms for sensor data fusion often have to<br />
cope with clutter generated by additional objects, which are not of interest.<br />
Practical needs from both civilian <strong>and</strong> military applications as well as the rapid<br />
development of information <strong>and</strong> communications technology are driving factors<br />
behind multiple sensor applications. In such scenarios, one faces additional<br />
challenges if the sensors are located at spatially distributed positions <strong>and</strong> the data<br />
communication possibly involves heterogenous network links. For example, coordinate<br />
systems for local data processing can be displaced with respect to a central<br />
fusion center. Moreover, it is common that local clocks in distributed systems are<br />
unsynchronized, which must be considered by the information fusion scheme.<br />
Furthermore, local data caching as well as varying communication delays give<br />
rise to outdated measurements, which requires sophisticated treatment because<br />
reprocessing schemes are usually not feasible due to time limitations.<br />
Generally, tracking refers to estimating a state of an object in terms of selected<br />
parameters, like its position <strong>and</strong> velocity. The resulting tracks consist of both<br />
the estimate <strong>and</strong> an associated measure of uncertainty. In this paper, we describe<br />
challenges of tracking in communication-constrained distributed sensor applications,<br />
i.e. a statistical parameter estimation conditioned on sensor data obtained<br />
by multiple sensors, which are connected to one or more fusion centers. Such<br />
a scheme is depicted in Figure 1.<br />
This scheme is hindered in real implementations as the communication<br />
channels have time varying properties. Therefore, it is of crucial importance to<br />
find proper fusion algorithms, which take into account the imperfect nature<br />
of the communication links. Imperfect communication implies that information<br />
packages can get lost, change their order of arrival, or link breakdowns may appear.<br />
This specific topic has received little attention for many years in literature. In order<br />
to cover a great variety of network scenarios, we will present solutions at different<br />
levels of data preprocessing in this paper.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
283<br />
Figure 1. An example of a distributed sensor application. A heterogenous communication network<br />
including reliable high b<strong>and</strong>width links for stationary sensors on the ground, time slot based satellite<br />
communication for far distance transmissions, maritime network techniques using VHF/UHF<br />
frequencies, <strong>and</strong> underwater links with very unpredictable properties illustrate the variety of challenges<br />
in such a scenario<br />
II. Formulation of the problem<br />
Let us assume, state vector describes the parameters of interest of an object<br />
observed by one or multiple sensors at time . In the classical tracking scenario,<br />
this state usually includes the position, velocity, <strong>and</strong> acceleration, but other properties<br />
such as classification might also be included. The observation process is modeled<br />
as a function of the state. For the sake of simplicity, the measuring function<br />
is assumed to be linear <strong>and</strong> might therefore be written as a matrix . Moreover,<br />
the measuring process includes some noise 1 , which is modeled as an additive<br />
Gaussian white noise with a covariance Matrix Therefore, the measurement<br />
of the object at time can be expressed as<br />
z Hx ,<br />
(1)<br />
l l l l<br />
where vl<br />
Rl<br />
In order to fuse the following measurement at time to the estimate of time<br />
<br />
P ,<br />
kk |<br />
Pkk | 1 Wkk | 1 SW<br />
k kk | 1 the evolution of the state is modeled as a Markov<br />
chain as follows. Similar to the sensor model, a linear transition function Fl<br />
1| l<br />
is introduced <strong>and</strong> a Gaussian distributed process noise is added. We have<br />
xl 1 Fl 1| l<br />
xl wl,<br />
(2)<br />
where wl ~ Ql 1| l.<br />
The optimal, iterative solution to the problem of estimating the expected<br />
state x<br />
kk<br />
<strong>and</strong> its estimation error covariance P<br />
kk<br />
considering all sensor data up to<br />
1<br />
Noise of the measurement process is usually caused by thermal fluctuations or by unintended interplay<br />
with the surrounding environment.
284 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
time with respect to the minimum mean squared error (MMSE) yields the Kalman<br />
filter [1] The Kalman filter consists of the two steps prediction:<br />
x F x<br />
(3)<br />
,<br />
kk | 1 kk | 1 k1| k1 <strong>and</strong> filtering:<br />
P F P F Q<br />
<br />
kk | 1 kk | 1 k1| k1 kk | 1 kk | 1<br />
(4)<br />
x x W<br />
(5)<br />
kk | kk | 1 kk | 1 k,<br />
(6)<br />
,<br />
k<br />
zk Hx<br />
k kk | 1<br />
W P H S <br />
<br />
kk | 1 <br />
kk | 1 k k<br />
,<br />
(7)<br />
S HP H R<br />
(8)<br />
k<br />
k kk | 1 k<br />
<br />
k,<br />
P P W SW<br />
<br />
.<br />
kk |<br />
<br />
kk | 1 <br />
kk | 1 k kk | 1 (9)<br />
However, in network constrained scenarios Kalman filter assumptions are<br />
often not satisfied. In particular, imperfect communication leads to:<br />
a) measurements, which arrive in a timely disordered way,<br />
b) insufficient b<strong>and</strong>width such that not all measurements can be transmitted,<br />
<strong>and</strong><br />
c) synchronization <strong>and</strong> sensor registration errors.<br />
As a consequence, there is a need for sophisticated algorithms which are<br />
suited to multi-sensor scenarios <strong>and</strong> robust against significant communication<br />
constraints. In this paper, we present two state-of-the-art Kalman filters for tracking<br />
object parameters in such scenarios.<br />
III. Kalman filter processing for delayed measurements<br />
In most target tracking algorithms, the characteristics of conditional probability<br />
k<br />
densities p( xl<br />
| Z ) of target states are calculated, which describe the available<br />
knowledge of the target properties at a certain instant of time given a time<br />
series of imperfect sensor data accumulated up to time In certain applications,<br />
however, the kinematic target states xk<br />
, , xn,<br />
n k,<br />
accumulated over a certain time<br />
window from a past instant of time up to the present time is of interest.<br />
The statistical properties of the accumulated state vectors are completely described<br />
by the joint probability density function conditioned on the measurement data,<br />
k<br />
p( xk, , xn<br />
| Z ). These densities are called Accumulated State Densities (ASDs).<br />
By marginalizing them, the st<strong>and</strong>ard filtering <strong>and</strong> retrodiction densities directly<br />
result; in other words, ASDs provide a unified description of filtering <strong>and</strong> retrodic-
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
285<br />
tion. In addition, ASDs fully describe the correlations between the state estimates<br />
at different instants of time.<br />
All information on the target states accumulated over a time window<br />
tk, tk , , tn<br />
of length kn<br />
1,<br />
xkn ( xk, , xn)<br />
(10)<br />
that can be extracted from the time series of accumulated sensor data up to<br />
k<br />
<strong>and</strong> including time is contained in a joint density function p( x<br />
kn| Z ), which<br />
is called a ASD.<br />
Iterative ASD<br />
ASD posterior<br />
z z z z z z z z z<br />
0<br />
time t<br />
Figure 2. Schematic illustration of an iterative ASD filter <strong>and</strong> the ASD posterior. The iterative filtering<br />
scheme includes the calculation of a prior ASD density using a fixed window size. It is based<br />
on an ASD posterior, which yields the joint density conditioned on the entire set of measurements<br />
Given the full posterior ASD [2], one can calculate the exact cross-covariance<br />
to timely delayed measurements. To this end, let us consider a measurement<br />
produced at time with t n<br />
m t k<br />
i.e. possibly before the `present’ time<br />
where the time series is available <strong>and</strong> has been exploited. We would like to<br />
underst<strong>and</strong> the impact this new, but late sensor information has on the present<br />
<strong>and</strong> the past target states xl , l n, , k,<br />
i.e. on the accumulated state x<br />
kn<br />
Let<br />
be a measurement of the observed object state at time characterized by<br />
a Gaussian likelihood function, which is defined by a measurement matrix <strong>and</strong><br />
a corresponding measurement error covariance matrix We further renumber<br />
the target states xk, , xn<br />
such that xk, , xm, , xn : xkmn<br />
: :<br />
are consistent with<br />
their time stamps ( tl) lk, , m, ,<br />
n.<br />
By an application of continuous time retrodiction (see [3], e.g., for a detailed<br />
discussion), it is well possible to extend the posterior density of the state x<br />
kn<br />
to<br />
a prior density of the extended state x<br />
kmn : :<br />
[4]. One obtains a single Gaussian density<br />
with a joint expectation vector including the estimates for all single states:<br />
k<br />
px ( | Z) N ( x ; x , P ),<br />
(11)<br />
kmn : : kmn : : kmnk : : | kmnk : : |<br />
where the expectation vector accumulates the target estimates for each state within<br />
the time window:<br />
x ( x , , x , , x ).<br />
(12)<br />
k: mnk : | kk | mk | nk |
286 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The single state covariances are the block-diagonal entries of P<br />
k: mnk : |<br />
<strong>and</strong><br />
the off-diagonal entries correspond to the respective cross-correlations in time [2].<br />
If one introduces a projection matrix defined by mxkmn : :<br />
xm,<br />
which<br />
extracts the target state from the accumulated state vector x<br />
kmn : :. The likelihood<br />
function of the out-of-sequence measurement with respect to the accumulated<br />
target state is thus given by:<br />
pz (<br />
m<br />
| xkmn : :)<br />
N ( zm; Hm mxkmn : :, Rm)<br />
.<br />
(13)<br />
St<strong>and</strong>ard reasoning for the Kalman filter directly yields for the accumulated<br />
state density:<br />
pz ( | x ) px ( | Z)<br />
px ( | z, Z)<br />
(14)<br />
( | ) ( | )<br />
k<br />
k m kmn : : kmn : :<br />
kmn : : m k<br />
dxkmn : :<br />
pzm xkmn : :<br />
pxkmn<br />
: :<br />
Z<br />
N ( x ; x , P )<br />
(15)<br />
kmn : : kmnk : : | , m kmnk : : | , m<br />
with parameters obtained by a version of the Kalman update equations:<br />
x x W ( z H x )<br />
(16)<br />
kmnk : : | , m kmnk : : | kmn : : m m m kmnk : : |<br />
<br />
Pkmnk : : | , m<br />
Pkmnk : : |<br />
Wkmn : :<br />
Skmn : :<br />
Wkmn<br />
: :,<br />
(17)<br />
where the corresponding Kalman gain <strong>and</strong> innovation matrices are given by:<br />
S H P H R<br />
<br />
kmn : : m m kmnk : : | m m m<br />
(18)<br />
Wkmn : :<br />
Pkmnk : : |<br />
mH mS <br />
kmn : :.<br />
(19)<br />
Note that the matrix S<br />
kmn : :, which has to be inverted when calculating the Kalman<br />
gain matrix, has the same dimension as the measurement vector i.e.<br />
is low-dimensional matrix, just as in st<strong>and</strong>ard Kalman filtering. Moreover, it is<br />
easy to see that it is equivalent to the st<strong>and</strong>ard innovation covariance, as we have<br />
mPk : mnk : |<br />
mPmk<br />
|.<br />
(20)<br />
Nevertheless, the processing of an out-of-sequence measurement has impact<br />
on all state estimates <strong>and</strong> the related error covariance matrices in the time window<br />
considered. Accumulated state densities are therefore well suited to quantitatively<br />
discuss the question to what extent a delayed measurement is still useful or not,<br />
a phenomenon that is sometimes called “information aging”.<br />
IV. Fusion schemes for distributed tracking<br />
This section presents a modified Kalman filter processing scheme for distributed<br />
tracking applications such that the locally produced tracks can easily be<br />
fused. The basic idea of this scheme is to remove parts of the track maintenance
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
287<br />
in the fusion center. In particular, it is possible to modify all local tracks such that<br />
they become decorrelated. The cross-correlations occur because of a common evolution<br />
covariance in every prediction step [5]. This is due to the fact that all sensors<br />
sites observe the same target. In [6] it is shown that a central Kalman filter can be<br />
calculated in a distributed manner by decorrelating the local tracks. This is achieved<br />
by calculating the global estimation error covariance of the system. The proposed<br />
distributed Kalman-type processing scheme makes essentially use of the fact that<br />
the sensor measurements do not enter into the update equation for the estimation<br />
error covariance matrices. In particular, the covariance matrices of all sensors<br />
can be calculated at each individual sensor site without any further communication<br />
(provided the relevant parameters of all sensors are known at each sensor site).<br />
For the sake of notational simplicity, let all S sensors be equally aligned <strong>and</strong><br />
synchronized with the same data update rate. However, these assumptions are not<br />
essential <strong>and</strong> can well be relaxed. Furthermore, we assume the measurement error<br />
covariance matrices { R<br />
s }<br />
S<br />
k s <br />
of all individual sensors to be known to each local sensor<br />
processor. As mentioned above, the proposed distributed processing scheme aims at<br />
establishing decorrelated local tracks, such that fusing them yields exactly the result<br />
of central Kalman filter processing. Let us assume, a set of decorrelated local tracks<br />
at time are given which have processed all sensor data up to time Then, as all<br />
densities involved are Gaussians, we can write the fused track as the following product:<br />
S<br />
k s s<br />
l lk |<br />
N (<br />
l; xlk |<br />
,<br />
lk |<br />
s1<br />
px ( | Z) c x P)<br />
,.<br />
(21)<br />
In the sequel, as well as in most applications, it is unnecessary to calculate<br />
the normalization constant c<br />
lk<br />
explicitly. By virtue of the factorization lemma for<br />
Gaussians, this product representation can be transformed into a single Gaussian:<br />
S<br />
k s s<br />
l lk |<br />
N<br />
l; lk |<br />
,<br />
lk |<br />
s1<br />
px ( | Z) c ( x x P)<br />
(22)<br />
N ( x ; x , P ),<br />
(23)<br />
l lk | lk |<br />
with an expectation vector x<br />
lk<br />
<strong>and</strong> a covariance matrix P<br />
lk<br />
obtained by fusing x<br />
lk<br />
<strong>and</strong> P s , s1, , S,<br />
according to following equations:<br />
lk<br />
S<br />
1 s 1<br />
lk |<br />
Plk<br />
|<br />
s1<br />
P<br />
(24)<br />
S<br />
s<br />
s<br />
lk | lk | lk | lk |<br />
s1<br />
x P ( P x ).<br />
(25)<br />
Convex combinations of this type are fundamental in almost all data fusion<br />
applications (see e.g. [7]). As previously stated, under conditions where Kalman
modeled by a linear Gaussian central Kalman Markovian Kalman filtering transition filter. is applicable, density i.e. in case of wellseparated<br />
targets, assuming perfect detection, k|x k−1) = N xscheme <strong>and</strong> in absence k; F directly calculated:<br />
k|k−1 x k−1, Dto an arbitrary<br />
local posterior density is introduced in the following way. By<br />
p(x apply the proposed<br />
<br />
exploiting k|k−1 For the number sake<br />
x<br />
processing given that l|k = P<br />
Kalman l|k<br />
p(x apply the proposed scheme directly to an arbitrary number<br />
x l|k = P l|k P s −1<br />
l|k x s k|x k−1) = N in [2], the result is equivalent to a central<br />
l|k fil<br />
In 2008 <strong>and</strong> 2009, first T2TF the product formula for Gaussians, we replace all<br />
of of simplicity, sensors. schemeInfor we 2010, arbitrary<br />
here the assume generalized conditions solution where was . measurement<br />
x k; F<br />
derived st<strong>and</strong>ard<br />
(3)<br />
k|k−1 x k−1, D k|k−1 . For the sake processing given that Kalman filter assumptions hold s=1<br />
of false measurements. For notational simplicity let us assume<br />
all sensor covariances are known.<br />
instants of time, which is equivalent local covariances by a one:<br />
Kalman presented to a<br />
filtering in Kalman [2]. filter<br />
is applicable, i.e. in the<br />
P<br />
case −1<br />
l|k<br />
S synchronized sensors produce measurements the same<br />
= S <strong>and</strong><br />
of sensors. In 2010, the generalized solution was derived <strong>and</strong><br />
s=1<br />
of simplicity, we here assume conditions where st<strong>and</strong>ard all sensor covariances are known. To this end, a globalized<br />
of wellseparated<br />
Notational center, posterior combinations<br />
P s −1<br />
l|k local Convex posterior combinations density is of (2)<br />
introduce this type<br />
Kalman presentedfiltering in [2]. is applicable, processing i.e. inallthe measurements case of wellseparated<br />
Notational targets, Preliminaries:<br />
assuming perfect Let<br />
in a fusion local Convex<br />
was density<br />
targets, Preliminaries:<br />
presented is ofintroduced this type are<br />
assuming<br />
instants of time t l, l =1,...,k denoted by Z l = {z s perfect Letin detection, all the fundamental<br />
time-varying following in<br />
s=1 way. almost<br />
<strong>and</strong> in absence S<br />
target By<br />
exploiting all data fusion<br />
l }S s=1.<br />
p(x k|Z k ) ∝ N x k; x s k|k<br />
The proposed methodology can be directly extended to asynchronous<br />
<strong>Military</strong> sensors. <strong>Communications</strong> The accumulation of <strong>and</strong> the sensor <strong>Information</strong> data Z l up <strong>Technology</strong>... same<br />
all P<br />
, the product applications formula (seefor<br />
e<br />
by Koch detection, all time-varying<br />
in [14] <strong>and</strong> <strong>and</strong> in[15]. absence target<br />
However, exploiting all<br />
of properties data<br />
was<br />
fusion the<br />
false measurements. of notinterest product possible<br />
applications<br />
For at formula to<br />
(see<br />
anotational given for e.g.<br />
time Gaussians, [16, Chapter<br />
simplicity t l be collected we replace 12]).<br />
let us assume by all<br />
S a<br />
local Note covariances Ps that k|k this type by aofglobalized T2TF (4) requ<br />
of properties false measurements. of interest For at anotational given time o<br />
apply the simplicity t<br />
proposed l be collected letscheme us assume by a<br />
directly local<br />
Sstate to<br />
Note covariances<br />
synchronized vector an<br />
that<br />
arbitrary<br />
this type<br />
x l, sensors whose by number aofglobalized T2TF requires<br />
produce posterior one: a decentralized<br />
measurements density conditioned x l|k = Pdecorre-<br />
lation, <br />
at the s=1 l|k on<br />
288<br />
lation, s −1<br />
l|k x s l|k<br />
because .<br />
all sensors (3)<br />
observe<br />
Sstate synchronized vector x l, sensors whose produce posterior<br />
of sensors. measurements density conditioned<br />
In 2010, the the on<br />
generalized same all<br />
instants data solution<br />
because<br />
upoftotime the t<br />
to <strong>and</strong> including the time t k, typically the present l, current l =1,...,k time t k denoted is givenbyby Z<br />
time, is<br />
l<br />
the = {z Gaussian s<br />
= N x 1 S<br />
k; ˜x s<br />
a time series recursively defined by Z k = {Z k, Z k−1 k|k<br />
}. The<br />
S<br />
, 1 S <br />
l }S s=1.<br />
The N was derived<br />
all sensors<br />
<strong>and</strong><br />
observe the same target. Therefore, s=1<br />
the local tracks<br />
p(x k|Z<br />
S ˜P k x s l|k are not opti<br />
instants data up to the current time t<br />
presented k is given by the Gaussian<br />
[2].<br />
) ∝ k|k , N(5)<br />
x k; x<br />
N of time t l, l =1,...,k denoted by Z the local tracks x s l = {z s S<br />
proposed x l; x l|k , Pmethodology l|k with l|k are not<br />
<br />
optimal in a local<br />
<br />
sense, if (1)<br />
l<br />
x expectation can Convex be directly vector combinations xl|k extended <strong>and</strong> covariance of to this asynchronous<br />
matrix all time-varying Psensors. l|k . The The mechanical target s=1 accumulation alldynamics dataoffusion the of sensor applications the data system Z (see<br />
type are holds. fundamental However, inif almost<br />
l; x l|k , P l|k with expectation vector xl|k <strong>and</strong> covariance<br />
}S s=1.<br />
p(x<br />
holds. However, k|Z k ) ∝ N x<br />
if all of them k; x<br />
are s k|k all of them<br />
The proposed methodology can beNotational directly extended Preliminaries: to asynchronous<br />
matrix Psensors. l|k . The The mechanical accumulation dynamics<br />
, fused Ps k|k<br />
(4)<br />
according to (2)<br />
Let s=1<br />
s=1<br />
time series produced by the measurements of an individual<br />
l up are e.g. <strong>and</strong> [16, (3), Chaptera globally 12]). optimal estim<br />
properties of the of<br />
of interest sensor the data system aZ l given up are <strong>and</strong> (3), a globally optimal estimate is obtained. As shown<br />
to<br />
time modeled <strong>and</strong><br />
t l including<br />
bebycollected a linear S<br />
filtering is appropriate sensor s ∈ {1,...,S} for tracking, only denoted the by covariance Zs k the time Gaussian t<br />
. The statistical matrices P<br />
lk<br />
can = be Ncalculated<br />
x k; ˜x s<br />
properties of an individual sensor measurement z<br />
locally for all sensors without exchanging sensor s k|k , ˜P<br />
<br />
k, typically Markovian the transition present time, density is<br />
k|k , = N (6) x 1 S<br />
ap(x k;<br />
time k|xseries k−1) = recursively N by a Note that this type<br />
<br />
of T2TF requires in a[2], decentralized the resultdecorre-<br />
lation, xby k−1, Zbecause l is described<br />
k D= k|k−1 {Zall k, . sensors Z For k−1 the }. observe The sake the processing same target. givenTherefore,<br />
k|x k−1) = N time t k, typically the present time, is in [2], the result<br />
is equivalent<br />
tomodeled <strong>and</strong> including by a linear the Gaussian Markovian transition density<br />
state vector x l, whose posterior density conditioned xon k; all<br />
p(x Fdefined k|k−1 = N<br />
equivalent<br />
x 1 S<br />
to a central measurement<br />
x k; F k|k−1 x that Kalman S fi<br />
s=1<br />
s=<br />
data k−1, D<br />
up to k|k−1 . For the sake<br />
k; ˜x s<br />
a time series recursively defined the current time t k time<br />
is of given simplicity,<br />
by a probability density function p(z data, provided the measurement<br />
s series<br />
by<br />
produced<br />
theweGaussian<br />
here by the assume measurements conditionsofwhere an individual st<strong>and</strong>ard all sensor covariances are<br />
l |xl), also called sensor<br />
S<br />
sensor s ∈ {1,...,S} only is denoted where the by Zglobalized local parameters ˜x<br />
error covariance likelihood matrices function, of which each needsindividual to be known up tosensor a constantare known, k or if they can be<br />
s known<br />
N by Z k = {Z k, Z k−1 k|k<br />
}. The processing given that Kalman S filter assumptions , 1 S ˜P k|k , (5)<br />
the local tracks x s hold <strong>and</strong><br />
s=1<br />
l|k are not optimal in a local sense, if (1)<br />
time of simplicity, series produced we here by the assume measurements conditions<br />
x l; x l|k , P ofwhere an l|k with individual st<strong>and</strong>ard all sensor covariances are known. To this end, a globalized<br />
expectation Kalman vector xl|k filtering <strong>and</strong> covariance is applicable,<br />
S holds. i.e. However, in the k|k <strong>and</strong> covariance<br />
s . The case if all statistical of of wellseparated<br />
of<br />
them are local fused posterior according density =<br />
to is (2)<br />
Nintroduc<br />
sensor Kalman s ∈ filtering {1,...,S} is applicable, only is x k; ˜x<br />
matrix denoted i.e.<br />
P by in<br />
l|k . Zthe case of wellseparatedof<br />
targets, an individual assuming sensor perfect<br />
local posterior density is introduced in the following way. By<br />
The s k . The mechanical statisticaldynamics factor only: p(z<br />
reconstructed each node s<br />
l |xl) ∝ of s l (xl; properties<br />
the zs l ). of targets, the<br />
an individual<br />
system assuming = areN<br />
x<br />
sensor perfect <strong>and</strong> k; ˜P measurement k|k<br />
(3), ˜x s detection, area given globally z<strong>and</strong> by: s l isoptimal in described absence estimate exploiting is obtained. the product As shown<br />
s=1formula fo<br />
properties modeled measurement detection,<br />
by a linear z<strong>and</strong> s k|k<br />
in absence<br />
Gaussian Markovian<br />
by of afalse probability measurements. transition<br />
density<br />
density For function notational p(z<br />
Structure: This paper is organized sensor as follows. network. The next If the locally s l |xl), simplicity also called let us<br />
produced ˜x tracks<br />
s k|k = sensor assume<br />
likelihood function, which needs to be known up to a constant ˜P<br />
local covariances by a globalized<br />
p(x k|x k−1) = N exploiting the product formula for Gaussians, , ˜P<br />
<br />
k|k , (6)<br />
we replace all<br />
l is described<br />
s=1<br />
in [2], the result is equivalent to a central measurement<br />
by of afalse probability measurements. density For function notational p(z s simplicity let us assume local covariances by a globalized one:<br />
l |xl), also called x k; Fsensor<br />
k|k P s where −1<br />
k|k xs the globalized local<br />
k|k (7) param<br />
k|k−1 x k−1, where S synchronized D k|k−1 the globalized . For sensors the sake local produce parameters processing measurements ˜x<br />
S synchronized sensors produce measurements at the same<br />
given s k|k <strong>and</strong> that covariance the Kalman same filter assumptions hold <strong>and</strong><br />
likelihood function, which needs ofsection to simplicity, be known states the we upproblem to here a constant assume addressed conditions this paper. In particular,<br />
<br />
x<br />
lk<br />
are sent at<br />
we<br />
some<br />
introduce<br />
arbitrary<br />
the productinstant representation<br />
of<br />
for<br />
time<br />
the fused<br />
to<br />
posterior<br />
a fusion node, they can be S<br />
<br />
factor instants only: ofwhere p(z time s fused −1<br />
l |xl) t l, st<strong>and</strong>ard l =1,...,k s l (xl; zs l ). denoted by Z l = {z s ˜P k|k are given by:<br />
S <br />
instants of time t<br />
all sensor covariances arel }S known. s=1. To this end, a<br />
p(x k|Z k globalized<br />
l, l =1,...,k denoted by Z ) ∝<br />
TheStructure: proposed methodology This kpaper iscan organized be directly as follows. extended ˜P<br />
according to (25), densityyielding which was the the key element density in [2] px for( exact<br />
k<br />
| Zsolution<br />
) N ( xl; xlk |<br />
, Plk<br />
|<br />
)<br />
k|k The = to Sasyn-<br />
chronous detection, sensors. <strong>and</strong> in˜x The s k|k absence accumulation of sensor data Z l up<br />
<br />
next P<br />
. According s −1<br />
k|k . ˜x (8)<br />
section states the problem addressed in this paper. In particular, s=1 to<br />
s k|k = s=1 ˜P<br />
N x<br />
Kalman filtering is l = {z s S <br />
<br />
factor only: p(z s l applicable, }S s=1.<br />
l i.e. in the case of wellseparated<br />
organizedtargets, as follows. assuming The next perfect s −1<br />
k|k<br />
k;<br />
The proposed methodology |xl) ∝ s l (xl; can zs l ).<br />
˜P k|k are given by:<br />
p(x k|Z k ) ∝ N local x k; xposterior s k|k<br />
be directly extended to asynchronous<br />
sensors. The accumulation of the sensor data Z<br />
, Ps k|kdensity is introduced (4) in the following way. By<br />
Structure: This paper is k|k P<br />
exploiting the product formula for Gaussians, we replace all<br />
of T2TF. Based on the results of the cited preliminary paper,<br />
<br />
of false measurements. For notational l up<br />
= s=1 ˜P k|k P s −1<br />
k|k<br />
S<br />
the approach of a globalized [6], it is likelihood not required<br />
we to simplicity<br />
introduce <strong>and</strong> including let us<br />
function is derived to update<br />
the product the assume time<br />
in sectionthe representation t<br />
III. Its global k, typically<br />
Note that track<br />
forthe the<br />
thepresent globalized<br />
fused<br />
at each<br />
posterior time, is<br />
covariance scan time ˜P = N x 1 <br />
to <strong>and</strong> including the time t<br />
local covariances by a globalized one:<br />
k|k does not ˜P depend on k;<br />
S k, typically the present time, is<br />
synchronized sensors produce measurements<br />
density a time which series was recursively the= same N x 1 S<br />
xs k|k <br />
(7)<br />
section states the problem addressed in this paper. In particular,<br />
S<br />
−1<br />
we introduce the product representation for the fused posterior<br />
the key defined k; ˜x<br />
elementby impact on practical implementations is discussed in section<br />
in<br />
local<br />
[2] Z k s for = {Z<br />
sensor<br />
an k, exact Z k−1<br />
index<br />
solution }. The<br />
k|k = S SP<br />
a time series recursively defined by Z s<br />
instants of time t s anymore. This two-stage prediction s=1<br />
in order to obtain an k = {Z k, Z<br />
optimal k−1 k|k<br />
}. The<br />
S<br />
, 1 S ˜P k|k , (5)<br />
˜P<br />
density which was the key element [2] for an l, exact l =1,...,k solution<br />
k|k = S P s −1<br />
denoted<br />
result. of time<br />
Furthermore, T2TF. series by Z<br />
Based produced l = {z<br />
on s l }S s=1 k|k . S (8)<br />
<br />
time series produced by the measurements of an individual<br />
s=1. by<br />
it results is<br />
thenot s=1 measurements of necessary to send the fusion<br />
result x<br />
IV. We close the with a conclusion given in section V. (globalization<br />
the cited preliminary of an individual<br />
<strong>and</strong> application<br />
paper,<br />
of the evolution model)<br />
S <br />
of T2TF. Based on the resultsThe of the proposed cited preliminary methodologypaper,<br />
can be was<br />
asensor directly<br />
globalized s extended ∈ {1,...,S} to asynchronous<br />
sensors. The accumulation tracking<br />
likelihood only<br />
S<br />
p(x k|Z k ) ∝ N x k; x s<br />
function is denoted<br />
kk<br />
<strong>and</strong> P<br />
kk<br />
to any node. Therefore,<br />
necessary<br />
is derived by Z<br />
this<br />
to<br />
ins distributed k k|k<br />
.<br />
reveal<br />
section The statistical<br />
, Ps k|k<br />
(4)<br />
sensor s ∈ {1,...,S} only is denoted by Z<br />
a general<br />
III. Its Note that the globalized = covariance N x<br />
s k . The statistical<br />
= N<br />
x k;<br />
scheme for decorrelated tracks:<br />
II. FORMULATION OF impact properties of the sensor<br />
THE PROBLEM on of practical an data individual Z<br />
implementations l up k; ˜x s sensor measurement<br />
We obtain discussed z s s=1<br />
l updates<br />
indescribed<br />
<br />
<br />
properties of an individual sensor measurement z s k|k , ˜P<br />
<br />
a globalized likelihood function is derived in section III. Its Note that the globalized covariance ˜P k|k does k|k not , depend on (6)<br />
of<br />
section the local sensor indexs=1<br />
s anymore.<br />
impact on practical implementations to <strong>and</strong> including is discussed l is<br />
the indescribed<br />
time section t local track estimates using the global<br />
scheme is well suited for applications<br />
k, typically the local<br />
IV. by We a probability the sensor presentindex s=1<br />
where<br />
close the<br />
reduced<br />
paper density time, sisanymore. This<br />
with function aor conclusion p(z<br />
covariance arbitrary s two-stage prediction<br />
l |xl), given also<br />
instead<br />
in = called<br />
communication<br />
of<br />
section N sensor x k;<br />
the local<br />
V.<br />
1 S<br />
(globalization <strong>and</strong> application of<br />
one.<br />
where ˜x s In other<br />
the<br />
words,<br />
globalized<br />
we engage<br />
local param<br />
time In series this paper, recursively we address definedthe bylikelihood problem Z k = {Zof function, k, optimal Z k−1 k|k<br />
}. which T2TF Theneeds to be known up to a constant S<br />
, 1 S ˜P k|k , (5)<br />
IV. by We a probability close the paper densitywith function a conclusion p(z s l |xl), given alsoincalled section sensor V. (globalization where the globalized <strong>and</strong> application local parameters of the evolution ˜x s k|k <strong>and</strong>model) covariance was<br />
likelihood function, which needs to be known up to a constant<br />
s=1 necessary to reveal a general schem<br />
time a modified likelihood function in order to keep the tracks<br />
rates are to be taken at arbitrary series produced<br />
into instants by<br />
account. of the time. measurements<br />
The Asfactor discussed schematic<br />
only: of<br />
II. in p(z an<br />
FORMULATION [2], s individual<br />
l |xl) idea this ∝ s can l to (xl; the zs OF l THE<br />
decorrelated. ).<br />
˜P k|k are given by:<br />
factor only: p(z s distributed PROBLEM S<br />
In this paper,<br />
Kalman We<br />
we derive<br />
filter obtain updates of local track<br />
sensor a closed formula for<br />
be achieved, s ∈ {1,...,S} if all measurement only is denoted errorby Structure: covariances Zs k . TheThis statistical are paper knownis organized as follows. = The N next<br />
x k; ˜x covariance s instead˜x of the local one.<br />
is illustrated in atFigure the sensor 3.<br />
s k|k In this paper, we address the thisproblem likelihood of function. optimal T2TF<br />
= ˜P k|k P s −<br />
k|k<br />
properties of an individual sites. To sensor this end, measurement section we states achieved z s k|k , ˜P<br />
<br />
l |xl) ∝ s l (xl; zs l ).<br />
necessary ˜P k|k are to given reveal by: a general scheme for decorrelated tracks:<br />
II. FORMULATION OF THE PROBLEM<br />
We obtain updates of local k|k , (6)<br />
Structure: This paper is organized as follows. The next<br />
lthe is problem described<br />
˜x s k|k<br />
a product<br />
= addressed ˜P<br />
track estimates using the global<br />
covariance instead of the local k|k Pone. s −1<br />
k|k In<br />
in xs k|k other words, we engage (7)<br />
this paper. Ins=1<br />
section<br />
In this<br />
states<br />
paper,<br />
the<br />
we<br />
problem<br />
address<br />
addressed<br />
the problem<br />
in this paper.<br />
of optimal<br />
In particular,<br />
T2TF<br />
particular, a modified likelihood function in<br />
by at arbitrary instants of time. As discussed in [2], this can<br />
S<br />
representation a probability of density the functiondensity p(z a<br />
we s modified<br />
introduce of the state the product x l,l ≤ k: representation III. forGLOBALIZED the fused posterior<br />
<br />
l |xl), alsolikelihood called sensor function <br />
we introduce the product representation for the fused posterior<br />
where S in order −1 to keep the tracks<br />
at arbitrary instants of time. As discussed in [2], this can<br />
the globalized localLIKELIHOOD parameters decorrelated. ˜x FUNCTION In this FORpaper, we de<br />
likelihood function, which needs tobe decorrelated.<br />
density beachieved, known which upifIn to was<br />
all athis measurement constant the key element<br />
error<br />
in<br />
covariances<br />
[2] for<br />
are known<br />
s k|k <strong>and</strong> covariance<br />
˜P paper, ˜P<br />
S DISTRIBUTED an exact solution<br />
k|k = S P<br />
density which was the key element in [2] for KALMAN this PROCESSING<br />
likelihood function.<br />
atthe sensor sites. To this end, we achieved a product<br />
s=1<br />
factor only: p(z s an<br />
l<br />
p(x |xl) exact<br />
l|Z k of T2TF.<br />
)=c ∝ solution<br />
k|k = S we derive P s l (xl; zs l ).<br />
˜P s −1 a closed<br />
k|k are k|k . formula for<br />
be achieved, if all measurement error covariances are known<br />
(8)<br />
this likelihood function.<br />
given by:<br />
at<br />
of<br />
the<br />
T2TF.<br />
sensor<br />
Based<br />
sites.<br />
on the<br />
To<br />
results<br />
this end,<br />
of the<br />
we<br />
cited<br />
achieved<br />
preliminary<br />
a product<br />
l|k<br />
paper, Nrepresentation x l; x s Based<br />
l|k , on the resultss=1<br />
of the cited preliminary paper,<br />
Structure: This paper is organized Ps l|k of the posterior (1)<br />
representation density Firstof ofthe all, state we xintroduce l,l ≤ k: a new notation. III. GLOBALIZED The globalized<br />
a globalized as follows. likelihood The next function is derived in ˜x section s III. Its Note that the globalized LIKELIHO<br />
k|k covarianc<br />
a globalized likelihood<br />
of the posterior<br />
function<br />
density<br />
is derived<br />
of the<br />
in<br />
state<br />
section<br />
x l,l ≤<br />
III.<br />
k:<br />
s=1 Its Note III. that GLOBALIZED the globalized LIKELIHOOD covariance<br />
section states the problem addressed local posterior ˜P for the = state ˜P k|k P s −1<br />
k|k x k at xs k|k FUNCTION does notFOR<br />
depend on k|k (7)<br />
sensor s will be denoted by<br />
impact in this paper. on practical In particular, implementations <br />
Sensor<br />
S DISTRIBUTED KALMA<br />
<br />
discussed in section S<br />
the local −1 sensor index s anymore<br />
impact on practical implementations S is discussed in section the local sensor DISTRIBUTED index s KALMAN anymore. This PROCESSING<br />
<br />
two-stage prediction<br />
we introduce<br />
<br />
the product<br />
<br />
representation IV. We for close the p(x fused l|Z the k paper posterior )=c l|k with Nconclusion x l; x s given l|k , <br />
Ps in section l|k (1) V. (globalization First of all, we <strong>and</strong>introduce application a new of<br />
IV. We close p(x l|Z the k paper )=c with a conclusion given in section V. (globalization <strong>and</strong> application of the evolution ˜P<br />
density which was the key element in [2] for an exact solution<br />
k|k model) = S wasP s −1<br />
l|k N x l; x s l|k , Ps l|k (1) First of all, we introduce a new notation. The globalized<br />
s=1<br />
local necessary k|k . (8)<br />
necessary to reveal a general scheme for decorrelated tracks: posterior to reveal for thea state general x k<br />
sche<br />
s=1<br />
local posterior for the state x s=1<br />
at s<br />
II.<br />
of T2TF. Based on the results of the cited preliminary II. FORMULATION paper, k at sensor s will be denoted by<br />
FORMULATION OF THE PROBLEM<br />
OF THE PROBLEM<br />
We obtain updates of local track We obtain updates of local track<br />
a globalized likelihood function is derived in section III. Its Note that Sensor estimates using the global<br />
Sensor<br />
the globalized covariance covariance instead of the local one<br />
In this paper, we address the problem of optimal T2TF<br />
˜P k|k does not depend on<br />
covariance instead of the local one. In other words, we engage<br />
In this paper, we addressimpact the problem on practical of optimal implementations T2TF is discussed in section the local sensor index s anymore. aThis modified two-stage likelihood prediction function i<br />
at arbitrary instants of time. at a arbitrary modified instants likelihood of function time. Asindiscussed order toin keep [2], the thistracks<br />
can<br />
IV. As Wediscussed close thein paper [2], with this acan<br />
conclusion given in section V. (globalization <strong>and</strong> application of the decorrelated. evolution In model) this paper, was we d<br />
be achieved, if all measurement error covariances are known be decorrelated. achieved, ifInallthis measurement paper, we<br />
necessary<br />
error derive covariances a closed formula<br />
to reveal a<br />
are<br />
general<br />
known for<br />
scheme thisfor likelihood decorrelated function. tracks:<br />
at the sensor sites. To this end, we II. achieved at this thelikelihood sensor sites. function. To this end, we achieved a product<br />
FORMULATION a product OF THE PROBLEM<br />
We obtain updates of local track estimates using the global<br />
representation of the posterior density of the state x representation Fusion of the posterior<br />
covariance<br />
density of<br />
instead<br />
the state<br />
of the<br />
x l,l<br />
local<br />
≤ k:<br />
one. In other III. words, GLOBALIZED we engageLIKELIH<br />
In this paper, we address l,l ≤ k:<br />
the problem<br />
III. GLOBALIZED LIKELIHOOD FUNCTION FOR<br />
of optimal T2TF<br />
Center<br />
S a modified DISTRIBUTED KALMA<br />
at S DISTRIBUTED KALMAN<br />
arbitrary instants of time. As discussed in [2],<br />
PROCESSING likelihood function in order to keep the tracks<br />
<br />
<br />
p(x l|Z k this can<br />
p(x )=c l|k decorrelated. N x l; x s l|k In , Ps this l|k paper, we (1) derive<br />
be achieved, if all measurement error covariances are known<br />
First a closed of all, formula we introduce for<br />
l|Z k )=c a ne<br />
l|k N x l; x s l|k , Ps l|k (1) First of all, we introduce a new notation. The globalized<br />
s=1 this likelihood function.<br />
s=1 at the sensor sites. To this end, local we achieved posterior for a product the state x local posterior for the state x k at<br />
k at sensor s will be denoted by<br />
representation Sensor of the posterior density of the state x l,l ≤ k: III. Sensor GLOBALIZED LIKELIHOOD FUNCTION FOR<br />
S DISTRIBUTED KALMAN PROCESSING<br />
<br />
<br />
p(x l|Z k )=c l|k N x l; x s l|k , Ps l|k (1) First of all, we introduce a new notation. The globalized<br />
s=1<br />
local posterior for the state x k at sensor s will be denoted by<br />
Sensor<br />
Figure 3. Schematic illustration of a distributed Kalman filter. The sensor nodes process the data<br />
to local auxiliary tracking parameters. When communication is successful, these can be fused<br />
at the fusion center in order to obtain the estimated track. When applying exact Track-to-Track fusion,<br />
the result is equivalent to a central Kalman filter receiving all sensor data<br />
In the following the most common <strong>and</strong> state-of-the-art schemes for target tracking<br />
using multiple sensors are listed. The performance of all of them will be compared<br />
in the next section. These variable approaches can roughly be divided in the categories<br />
Measurement-to-Track Fusion (M2TF) <strong>and</strong> Track-to-Track Fusion (T2TF).<br />
• Central Kalman Filter (CKF): A Kalman filter at the fusion center is processing<br />
the measurements of all sensors. This scheme results in an optimal<br />
solution with respect to the mean squared error metric.<br />
• Single Kalman Filter (SKF): Each sensor node in the scenario performs M2TF<br />
using its local data. The tracking algorithm is a Kalman filter processing<br />
the linearised measurements. At each time step, the node sends its current<br />
estimate <strong>and</strong> estimation error covariance to the fusion center, which in turn
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
289<br />
selects the track having the smallest trace of the covariance. This scheme<br />
is included in the evaluation as a benchmark of the worst performance<br />
achieved when no fusion is performed.<br />
• Naive Fusion: In this scheme, each sensor node performs its own local<br />
Kalman filter resulting in local optimal tracks, which are sent to the fusion<br />
center. In the fusion center the tracks are fused to a global estimate as if they<br />
were decorrelated. Given a set of local tracks {( x s |<br />
, s |<br />
)}<br />
S<br />
kk<br />
Pkk s 1<br />
the fused parameters<br />
are obtained via the decorrelated fusion equations (24) <strong>and</strong> (25).<br />
As the local optimal tracks are correlated to each other if process noise<br />
is assumed, this fusion scheme ignores these cross-correlations.<br />
• Distributed Kalman Filter (DKF): Our approach to T2TF is the decorrelated<br />
DKF, which was proven to be exact under perfect data association<br />
conditions previously. It is based on a product representation for the global<br />
posterior density:<br />
S<br />
k<br />
s s<br />
k1 Z N( xk 1; xk 1| k1 , Pk 1| k1<br />
s1<br />
px ( |<br />
) ).<br />
(26)<br />
The decorrelated DKF described in [6] uses a covariance globalisation step.<br />
For known posterior covariance matrices P s<br />
1| 1<br />
, the globalised prediction<br />
k k s 1, , S<br />
parameters are given by<br />
<br />
1<br />
<br />
<br />
<br />
s1<br />
<br />
Pkk | 1 SF <br />
kk | 1<br />
P <br />
k1| k1 Fkk | 1 Q<br />
<br />
kk | 1 ,<br />
(27)<br />
<br />
s <br />
<br />
<br />
x SF P P x<br />
(28)<br />
s s1 s1<br />
s<br />
.<br />
k| k1 <br />
k| k1 k1| k1 k1| k1 k1| k1 s <br />
In the scenario considered in this paper the posterior covariances of the remote<br />
sensors are known at each node. However, when the sensor measurement characteristic<br />
is geometry dependent, as with radar, the posterior covariances of the remote<br />
sensor nodes are not known as they are dependent on the target-sensor geometry,<br />
<strong>and</strong> there are no data transmissions between the sensors. In this case, it is possible to<br />
replace the exact remote covariances by approximations based on the local estimate<br />
<strong>and</strong> a radar model applied to known parameters of other sensors.<br />
• Distributed Kalman Filter with Feedback (DKF-FB): For the DKF with FB,<br />
we assume that the fusion center transmits the fused track to all sensors at<br />
each time step. With the global covariance Pk<br />
1| k 1<br />
for time available,<br />
the globalised prediction is given by the following lines.<br />
<br />
P S P F Q<br />
<br />
kk | 1 Fkk | 1 k1| k1 kk | 1 <br />
kk | 1 ,<br />
x SF P P x<br />
s s<br />
s<br />
.<br />
k| k1 <br />
k| k1 k1| k1 k1| k1 k1| k1
290 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• Distributed Kalman Filter using Relaxed Evolution (DKF-RE): The relaxed<br />
evolution model describes the transition kernel with an increased process<br />
noise covariance by a factor of S. The prediction is therefore given by<br />
s<br />
s <br />
kk | 1 <br />
,<br />
kk | 1 k1| k1 kk | 1 S<br />
kk | 1 P F P F Q<br />
(29)<br />
s<br />
s<br />
x .<br />
kk | 1 Fkk | 1xk1| k1 (30)<br />
This approach spares out the decorrelation by remote covariance matrices.<br />
Instead, an approximation which relies only on local parameters <strong>and</strong> the constant<br />
number of sensors is used.<br />
x 10 4<br />
Target state estimates<br />
3<br />
2<br />
1<br />
Y<br />
0<br />
−1<br />
−2<br />
−3<br />
−3 −2 −1 0 1 2 3<br />
X<br />
x 10 4<br />
Figure 4. Example trajectory of the simulated target in the field of view of 20 sensors<br />
V. Evaluation<br />
In this section the previous fusion schemes are assessed through simulation.<br />
In a single simulation run each algorithm uses the same measurement data.<br />
The trajectory is sampled accordingly to the Discrete White Noise Acceleration Model<br />
(DWNAM) [1] <strong>and</strong> all filters use perfectly matched models for the dynamics <strong>and</strong><br />
the sensors, respectively. A Gaussian distributed zero-mean measurement noise<br />
is simulated for each sensor measuring the position of a single target with a variance<br />
of 500 m 2 in x- <strong>and</strong> y-direction. Figure 4 shows an example trajectory of the target.<br />
Packet losses by network effects such as congestion <strong>and</strong> buffer overflows or<br />
unreliable Layer-2-Links are simulated by r<strong>and</strong>omly discarding data, which is sent<br />
over the connecting network. Figure 5 (a) – (d) shows the Root Mean Squared Er-
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
291<br />
ror (RMSE) of the aforementioned multi sensor fusion schemes at different levels<br />
of communication losses. The probability of a successful transmission was set to<br />
(a) 100% (full communication) <strong>and</strong> (b) 60%, (c) 30% or (d) 10% respectively.<br />
It can be seen with full communication, which is shown in Figure 5 (a),<br />
the CKF, DKF-GP <strong>and</strong> DKF-RE have identical performance. This is in agreement<br />
with the established assertion in the literature that optimal track to track fusion,<br />
in terms of the MSE metric, can be achieved under full communication.<br />
It can also be seen that there is a significant improvement in performance by<br />
adopting a fusion scheme in comparison to just a single Kalman filter. However,<br />
the performance of the Naive fusion scheme is worse than the optimal achieved by<br />
CKF, DKF-GP <strong>and</strong> DKF-RE, as Naive fusion maintains an inconsistent covariance<br />
due to ignoring the cross correlations.<br />
CKF<br />
Single KF<br />
DKF_Gp<br />
DKF_Relaxed_Evolution<br />
Naive_Fusion<br />
CKF<br />
Single KF<br />
DKF_Gp<br />
DKF_Relaxed_Evolution<br />
Naive_Fusion<br />
RMSE<br />
RMSE<br />
10 1 0 20 40 60 80 100 120 140 160 180 200<br />
Time (s)<br />
10 1 0 20 40 60 80 100 120 140 160 180 200<br />
Time (s)<br />
(a) 100% (full communication) (b) 60%<br />
CKF<br />
Single KF<br />
DKF_Gp<br />
DKF_Relaxed_Evolution<br />
Naive_Fusion<br />
RMSE<br />
RMSE<br />
CKF<br />
Single KF<br />
DKF_Gp<br />
DKF_Relaxed_Evolution<br />
Naive_Fusion<br />
10 1 0 20 40 60 80 100 120 140 160 180 200<br />
Time (s)<br />
0 20 40 60 80 100 120 140 160 180 200<br />
10 1 Time (s)<br />
(c) 30% (d) 10%<br />
Figure 5. Log-scaled plots of the Root Mean Squared Error for 200 Monte Carlo simulations.<br />
The probability of a successful transmission was set to (a) 100% (full communication), (b) 60%,<br />
(c) 30% or (d) 10% respectively<br />
Figure 5 (b) shows the RMSE when the communication capability is reduced<br />
<strong>and</strong> only 60% of the transmissions are successful. As the complete information<br />
can no longer be transmitted to the fusion center, the RMSE of the fused esti-
292 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
mate deteriorates for the fusion schemes. In this case the DKF-GP <strong>and</strong> DKF-RE<br />
perform the best as they are designed to operate at arbitrary communications rates.<br />
The CKF however, which is optimal under full communication, performs worse<br />
due to the fact that the fusion equations (24) <strong>and</strong> (25) for a central T2TF assumes<br />
that all sensors had a successful transmission of parameters at this time step. This<br />
can further be seen as the probability of successful transmission is reduced to 30%,<br />
which is shown in Figure 5 (c). When the communication is most severely constrained,<br />
to 10% in Figure 5 (d), it can be seen that although DKF-GP <strong>and</strong> DKF-RE<br />
still perform the best, there is no longer a significant improvement over just using<br />
a single Kalman filter. This confirms what may be intuitive, that information fusion<br />
cannot be achieved when communication is severely constrained.<br />
It can be seen in Figures 5 (a) – (d) that DKF-GP <strong>and</strong> DKF-RE have equivalent<br />
performance, <strong>and</strong> so the DKF-RE is suitable as an approximation to DKF-GP, but<br />
with lower computation. However, this equivalence in performance will not hold<br />
when the sensor exhibits geometry dependent measurement characteristics which<br />
is not considered in these simulations.<br />
VI. Conclusions <strong>and</strong> future work<br />
In this paper, an overview of state-of-the-art algorithms for object tracking<br />
in communication constrained scenarios is given. For the challenge of delayed<br />
measurements, which arises because of unsynchronized sensors or varying communication<br />
delays, the Accumulated State Density (ASD) filter gives the optimal<br />
solution with respect to the mean squared error. If communication links offer<br />
only small b<strong>and</strong>widths, local tracking should be performed. If multiple sensors<br />
send their preprocessed tracks to a fusion node, the problem of track-to-track<br />
fusion (T2TF) arises due to cross-correlations between the local tracks. Through<br />
simulation it has been shown that when communication is constrained, distributed,<br />
decorrelated tracking outperforms a central Kalman filter, which is optimal under<br />
full communication.<br />
References<br />
[1] Y. Bar-Shalom, X. Li, <strong>and</strong> T. Kirubarajan, Estimation with Applications to Tracking<br />
<strong>and</strong> Navigation. Wiley-Interscience, 2001.<br />
[2] W. Koch, F. Govaers, “On Accumulated State Densities with Applications to Out-of-<br />
-Sequence Measurement Processing,” IEEE Transactions on Aerospace <strong>and</strong> Electronic<br />
Systems, vol. 47, no. 4, pp. 2766-2778, October 2011.<br />
[3] W. Koch, J. Koller, <strong>and</strong> M. Ulmke, “Ground target tracking <strong>and</strong> road map extraction,”<br />
ISPRS Journal of Photogrammetry <strong>and</strong> Remote Sensing, vol. 61, no. 3-4, pp. 197-208,<br />
2006, theme Issue: Airborne <strong>and</strong> Spaceborne Traffic Monitoring. [Online]. Available:
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
293<br />
http://www.sciencedirect.com/science/article/B6VF4-4MBCBFF-1/2/0da6734be33f<br />
666f433986401ecfb7c2<br />
[4] F. Govaers, W. Koch, “Out-of-Sequence Processing of Cluttered Sensor Data using<br />
Multiple Evolution Models,” in Proceedings of the 13th International Confernece on<br />
<strong>Information</strong> Fusion, 2010.<br />
[5] Y. Bar-Shalom, “On the track-to-track correlation problem,” IEEE Transactions on<br />
Automatic Control, vol. 26, no. 2, pp. 571-572, Apr. 1981.<br />
[6] F. Govaers, W. Koch, “Distributed Kalman Filter Fusion at Arbitrary Instants of Time,”<br />
in Proceedings of the 13th International Confernece on <strong>Information</strong> Fusion, 2010.<br />
[7] D. Hall, J. Llinas, Eds., H<strong>and</strong>book of Multisensor Data Fusion. CRC Press, 2001.
Examination of Combination Rules for the Purpose<br />
of <strong>Information</strong> Fusion in C2 Systems<br />
Ksawery Krenc<br />
C4I R&D Department, OBR CTM S.A., Gdynia, Pol<strong>and</strong>,<br />
ksawery.krenc@ctm.gdynia.pl<br />
Abstract: This paper presents an analysis of known rules of combination as well as a new method<br />
of combining uncertain evidence.<br />
The author concentrates on examination of the rules with accordance to target threat models. The examination<br />
have been taken with usage of the predefined measuring scenarios applied to information sources.<br />
Keywords: attribute fusion, Theory of Evidence, DSmT, rules of combination, threat models, Comm<strong>and</strong><br />
& Control systems<br />
I. Introduction<br />
Contemporary Comm<strong>and</strong> & Control systems should be prepared for integration<br />
of information gathered from diverse sources. It is obvious that together with<br />
technological progress new generation sensors need to be plugged-in in order to<br />
keep the defence <strong>and</strong> security up-to-date on the required level. On the other h<strong>and</strong>,<br />
the existing verified <strong>and</strong> certified sources do not become useless, <strong>and</strong> still provide<br />
valuable information. This variety of information sources, diversified ontologically,<br />
causes that specific processing (including lexical translations) needs to be performed<br />
in order to keep particular subsystems compatible. This in turn often generates<br />
errors, <strong>and</strong> in the consequence raises uncertainty of the elaborated final decisions.<br />
During last three decades many solutions for dealing with the above mentioned<br />
uncertainty have been proposed. Omnipresence of the uncertainty, even while determining<br />
technical parameters of the sources, had made many researchers found<br />
Theory of Evidence (Dempster-Shafer Theory) very attractive. Dezert-Smar<strong>and</strong>ache<br />
Theory (DSmT) performs an extension of the original Theory of Evidence by<br />
Shafer, <strong>and</strong> proposes several modification of attributes model construction <strong>and</strong><br />
hypotheses conflict distribution. As the result of these modification there are many<br />
fusion formulas in Theory of Evidence, called combination rules.<br />
This work was supported by the National Centre for Research <strong>and</strong> Development for the years 2009-2011 under<br />
Commissioned Research Project MNiSW-OR00007509.
296 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Diversity of the existing combination rules bears testimony to the fact that<br />
there is no universal combination rule, adequate in every fusion case, <strong>and</strong> in every<br />
condition.<br />
Combination rules perform tools for integration of so called basic belief assignments<br />
(bbas) i.e. substitutes of probability distributions in Evidence Theory,<br />
which are obtained based on qualitative parameters of the sources (constant <strong>and</strong><br />
variable), observation distances <strong>and</strong> many other factors that influence on the process<br />
of observation.<br />
In the preliminary stage of the research, not presented in this paper, the author<br />
had selected certain rules of combination based on their mathematical properties<br />
<strong>and</strong> relevance for C2 systems applications. This had been performed in order to<br />
distinguish rules which have potential to be applied in C2 systems.<br />
However, the actual choice of the particular rule should not be made without<br />
regarding target attribute models <strong>and</strong> structures of bbas. The closer to reality<br />
the model is the more precise fusion result may be expected. On the other h<strong>and</strong>:<br />
the more extensive bba is the more precise fusion result.<br />
The problem of target threat assessment in C2 systems seems to be especially<br />
suitable to be solved within the DSmT framework for the matter the attribute of target<br />
threat according to st<strong>and</strong>ards like [7] <strong>and</strong> [10] consists of values that are in large<br />
degree mutually dependent (e.g. FRIEND <strong>and</strong> ASSUMED FRIEND). Additionally,<br />
hierarchy of these values is quite easy to be revealed, distinguishing primary<br />
hypotheses: {FRIEND, HOSTILE, <strong>and</strong> UNKNOWN} <strong>and</strong> secondary hypotheses<br />
{ASSUMED FRIEND, SUSPECT, JOKER, <strong>and</strong> FAKER}.<br />
Nevertheless, not all (but selected) target threat values known in military<br />
literature are taken into account in order to avoid the blackout the idea of the paper<br />
which is the examination of combination rules with accordance to particular<br />
threat model.<br />
II. Threat models<br />
In order to compare combination rules it is necessary to define the model<br />
of the considered attribute. In the next stages of the research works the following<br />
models of the target threat attribute are going to be taken into account:<br />
DSmT free model, where the subsequent secondary hypotheses (ASSUMED<br />
FRIEND, SUSPECT, FAKER, <strong>and</strong> JOKER) perform subsets of the main classes<br />
(primary hypotheses: FRIEND, HOSTILE, UKNOWN).<br />
DSmT hybrid model, where the classes FRIEND <strong>and</strong> HOSTILE are assumed<br />
to be disjoint. The rest of the hypotheses is defined in the same manner<br />
as in the free model.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
297<br />
Figure 1. Venn’s diagram for the threat attribute – the free model<br />
Figure 2. Venn’s diagram for the threat attribute – the hybrid model<br />
III. Numerical experiments<br />
The classic rule of combination works with the free model Figure 1. If not all<br />
of the hypotheses conjunctions exist in the reality the authors of DSmT suggest to<br />
use the hybrid rule of combination or any of proportional conflict redistribution<br />
PCR rules.<br />
During the research works another evolving mechanism for resolving evidence<br />
conflicts has also been verified. The mechanism, called decomposition<br />
of the conflicting hypothesis, is based on separation of the total mass referring to<br />
conflict for two components: strictly conflicting <strong>and</strong> supporting primary hypotheses.<br />
The fundamental difference between this mechanism <strong>and</strong> PCR resides in fact<br />
that PCR rules operate on bba level, where the conflicting mass is transferred with<br />
respect to normalization. On the contrary, the decomposition mechanism operates<br />
on the belief function level. That means the particular masses are not subject<br />
to normalization <strong>and</strong> they support the respective primary hypotheses according<br />
to the belief function calculation procedure.
298 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Due to the fact that the mechanisms of proportional conflict redistribution<br />
<strong>and</strong> decomposition of conflicting hypothesis do not operate on the same level<br />
of information processing the research works have been based on comparison<br />
of the respective belief function changeability for these two methods.<br />
Particularly, PCR5 <strong>and</strong> DSmC with two-element decomposition were subject<br />
to the comparison. The result of the ‘pure’ DSmC has also been presented<br />
as the reference.<br />
In the examination, two sensor fusion scenario was under consideration.<br />
It was assumed the first sensor provides a constant bba, defined as follows:<br />
m 1 (F) = 0.275 m 1 (H) = 0.275 m 1 (U) = 0.05<br />
m 1 (J) = 0.1 m 1 (K) = 0.1 m 1 (AF) = 0.1<br />
m 1 (S) = 0.1<br />
The second sensor was assumed to provide the following constant bba:<br />
m 2 (U) = 0.03 m 2 (J) = 0.1 m 2 (K) = 0.1<br />
m 2 (AF) = 0.1 m 2 (S) = 0.1<br />
Additionally, the mass corresponding to FRIEND hypothesis was gradually<br />
increased within with a step of 0.02 <strong>and</strong> simultaneous reduction<br />
of HOSTILE hypothesis, which may be defined as follows:<br />
m 2 (F) = 0.01 : 0.41 m 2 (H) = 0.56 : 0.16<br />
Application of the free DSmT model (see Figure 1) with the classic rule of combination<br />
DSmC leads to the following belief function changeability<br />
Figure 3. presents changeability of belief functions for two the most dominant<br />
hypotheses: FRIEND <strong>and</strong> HOSTILE. Due to the fact that the bba obtained from<br />
the first sensor does not show any predominance of one of the mentioned hypotheses<br />
over the other, the result of the combination strongly depends on the preset<br />
masses of FRIEND <strong>and</strong> HOSTILE for the second sensor. Based on Figure 3. it is<br />
clearly seen that for the mass of m 2 (F) residing within HOSTILE<br />
hypothesis should be accepted. Exceeding the value of 0.275 causes a decision<br />
change from HOSITLE to FRIEND, which according to the definition of bba for<br />
the first sensor is intuitive.<br />
Figure 4. presents changeability of belief functions for the hybrid model with<br />
PCR5 applied. Similarly, as in case of application of the classic rule the decision<br />
change is observable for m 2 (F) @ 0.275. It is important to notice that maximal<br />
values of the respective belief functions paradoxically have lower values than for<br />
the classic rule. Given the fact that in PCR rules transfer the conflicting mass to<br />
the corresponding primary hypotheses it is intuitive to expect relatively higher<br />
values of the belief functions. However, the opposite happens as the belief function<br />
calculation performs the decisive factor. In case of PCR5 the primary hypotheses<br />
are supplied by relatively lower masses of the secondary hypotheses even though
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
299<br />
in normalized bbas the primary hypotheses of FRIEND <strong>and</strong> HOSTILE take higher<br />
values than for the classic rule.<br />
Figure 3. Changeability of belief functions for DSmC<br />
Figure 4. Changeability of belief functions for PCR5<br />
Figure 5. presents the changeability of belief functions for the hybrid model<br />
(see Figure 2) with application of the classic DSmC rule <strong>and</strong> two-element conflicting<br />
hypothesis decomposition mechanism. In the considered case the conflicting<br />
hypothesis is FH, which causes the necessity of two secondary hypotheses:<br />
FAKER <strong>and</strong> JOKER.
300 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 5. Changeability of belief functions for DSmC with two-element FAKER decomposition<br />
The two-element decomposition of FAKER hypothesis is defined as follows:<br />
K = K CONF + K SPEC (1)<br />
where:<br />
K CONF – ‘conflicting’ FAKER i.e. FH,<br />
K SPEC – ‘specific’ FAKER i.e. {KK, FK, KH}<br />
Analogically, the two-element JOKER decomposition may be performed<br />
in the same manner:<br />
J = J CONF + J SPEC (2)<br />
where:<br />
J CONF – ‘conflicting’ JOKER i.e. {FS, AFH }<br />
J SPEC – ‘specific’ JOKER i.e. {JJ, FJ, JH, JU, KJ, JS, JAF }<br />
Thus the corresponding belief functions may be calculated as follows:<br />
Bel(F) = m 12 (F) + m 12 (AF) + m 12 (K) + m 12 (J) (3)<br />
Bel(H) = m 12 (H) + m 12 (S) + m 12 (K CONF ) + m 12 (J CONF ) (4)<br />
where:<br />
m 12 (.) – the resulting mass as a combination of evidence from the first sensor <strong>and</strong><br />
second sensor.<br />
From Figure 5. it can be seen that the decision change from FAKER to FRIEND<br />
takes place at m 2 (F) @ 0.06. A relatively fast increase of FRIEND hypothesis is observable<br />
comparing to slow decrease of HOSTILE hypothesis, which in the considered<br />
case is never accepted. This disproportion is due to the fact that FRIEND<br />
hypothesis is supplied by conflicting masses <strong>and</strong> specific masses, corresponding<br />
to decomposed training classes while HOSTILE hypothesis is supplied only by<br />
the conflicting masses.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
301<br />
Figure 6. presents the changeability of belief functions for the hybrid model<br />
(see Figure 2) with application of the classic DSmC rule <strong>and</strong> three-element conflicting<br />
hypothesis decomposition mechanism. Similarly as in the previous experiment<br />
two secondary hypotheses: FAKER <strong>and</strong> JOKER are subject to decomposition.<br />
Figure 6. Changeability of belief functions for DSmC with three-element FAKER decomposition<br />
The tree-element decomposition of FAKER hypothesis is defined as follows:<br />
K = K CONF + K KK + K KF + K KH (5)<br />
where:<br />
K CONF – ‘conflicting’ FAKER i.e. FH,<br />
K KK – ‘pure’ FAKER i.e. KK<br />
K KF – ‘friendly’ FAKER i.e. FK<br />
K KH – ‘hostile’ FAKER i.e. KH<br />
Analogically, the three-element JOKER decomposition may be performed<br />
in the same manner:<br />
J = J CONF + J JJ + J JF + J JH (6)<br />
where:<br />
J CONF – ‘conflicting’ JOKER i.e. {FS, AFH }<br />
J JJ – ‘pure’ JOKER i.e. JJ<br />
J JF – ‘friendly’ JOKER {FJ, AFJ, KJ, UJ}<br />
J JH – ‘hostile’ JOKER {JH, JS, KS}<br />
Thus the corresponding belief function may be calculated as follows:<br />
Bel(F) = m 12 (F) + m 12 (AF) + m 12 (K CONF ) + m 12 (K KK ) + m 12 (K KF )<br />
+ m 12 (J CONF ) + m 12 (J JJ ) + m 12 (J JF ) (7)
302 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Bel(H) = m 12 (H) + m 12 (S) + m 12 (K CONF ) + m 12 (K KH )<br />
+ m 12 (J CONF ) + m 12 (J KH ) (8)<br />
where:<br />
m 12 (.) – the resulting mass as a combination of evidence from the first sensor <strong>and</strong><br />
second sensor.<br />
From Figure 6. it can be seen that the decision change from HOSTILE to<br />
FRIEND takes place at m 2 (F) @ 0.21 which is insignificantly lower than in case<br />
of applying PCR5 <strong>and</strong> the classic rule of combination without the decomposition<br />
mechanism. The observed increase of mass corresponding to FRIEND hypothesis<br />
is equal to decrease of HOSTILE hypothesis.<br />
IV. Summary of the research works<br />
The results presented herein indicate significant differences in changeability<br />
of the belief functions corresponding to particular rules of combination. Taking<br />
the changeability of belief functions for DSmC as the baseline it is important to<br />
notice that for the next of the examined rules: PCR5 <strong>and</strong> DSmC + decomposition<br />
lower maximum values of the belief functions were observed. In particular, for<br />
DSmC + decomposition (equally for two-element <strong>and</strong> three-element decomposition)<br />
maximal belief function values were below 0.8.<br />
The mechanism of two-element decomposition of the conflicting hypothesis<br />
does not seem to very useful in practical applications due to significant values<br />
of so called decision deviation i.e. a measure of the symmetry of the decision for<br />
all possible fusion scenarios (see [9]). It was presented mainly as the reference for<br />
three-element decomposition mechanism.<br />
Application of DSmC with three-element conflicting hypothesis decomposition<br />
mechanism provides similar results as PCR5. However, the intersection<br />
of straight lines of maximal belief functions, <strong>and</strong> thus the decision change, occurs<br />
with slightly lower value than for the examined conflict redistribution rule. It is<br />
worth of consideration which of these results better fits reality. With given bba<br />
for the first sensor the masses of the contradictory hypotheses of FRIEND <strong>and</strong><br />
HOSTILE are equal to 0.275. The decision change at 0.275 seems to be intuitive.<br />
It is important that the rest of the hypotheses included in bba i.e. SUSPECT, AS-<br />
SUMED FRIEND, JOKER, <strong>and</strong> FAKER supplies the primary hypotheses in diverse<br />
degree. Even though they are equally distributed FRIEND hypothesis is supported<br />
by larger number of secondary hypotheses i.e. ASSUMED FRIEND, JOKER, <strong>and</strong><br />
FAKER than HOSTILE hypothesis (supplied only by SUSPECT). Thus application<br />
of DSmC with three-element conflicting hypothesis decomposition mechanism<br />
may be more adequate in the considered fusion case.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
303<br />
V. Conclusions<br />
In this paper an analysis of known rules of combination as well as a new<br />
method of combining uncertain evidence has been presented. The examination<br />
have been taken with usage of the predefined measuring scenarios applied to information<br />
sources.<br />
After preliminary comparative analysis <strong>and</strong> numerical experiments there have<br />
been selected rules which may be useful in C2 systems. However the results are not<br />
satisfactory for unambiguous appointment of the optimal rule for the considered<br />
fusion case. In the author’s opinion the final decision should be taken after scrutiny<br />
with usage of simulators, which enable to establish the necessary statistics, <strong>and</strong> also<br />
to compare the elaborated fusion results with the ground truth.<br />
References<br />
[1] G. Shafer, A mathematical theory of evidence, Princeton U.P., Princeton, NJ, 1976.<br />
[2] F. Smar<strong>and</strong>ache, J. Dezert, Advances <strong>and</strong> Applications of DSmT for <strong>Information</strong><br />
Fusion, vol. 1, American Research Press Rehoboth, 2004.<br />
[3] F. Smar<strong>and</strong>ache, J. Dezert, Advances <strong>and</strong> Applications of DSmT for <strong>Information</strong><br />
Fusion, vol. 2, American Research Press Rehoboth, 2006.<br />
[4] F. Smar<strong>and</strong>ache, J. Dezert, Advances <strong>and</strong> Applications of DSmT for <strong>Information</strong><br />
Fusion, vol. 3, American Research Press Rehoboth, 2009.<br />
[5] T. Inagaki, Independence between safety-control policy <strong>and</strong> multiple-sensor schemes<br />
via Dempster-Shafer theory, IEEE Trans. On reliability, vol. 40, no. 2 pp. 182-188, 1991.<br />
[6] K. Sentz, S. Ferson, Combination of Evidence in Dempster-Shafer Theory, SAND<br />
2002-0835.<br />
[7] NATO St<strong>and</strong>ardization Agency, Tactical Data Exchange – Link 16, STANAG no. 5516,<br />
Ed. 3.<br />
[8] K. Krenc, A. Kawalec, An evaluation of the attribute information for the purpose<br />
of DSmT fusion in C&C systems, Fusion2008, Cologne, ISBN 978-3-00-024883-2, 2008.<br />
[9] K. Krenc, A. Kawalec, T. Pietkiewicz, Does Basic Belief Assignments definition affect<br />
<strong>Information</strong> Fusion quality, <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>:<br />
A Comprehensive Approach Enabler, Warszawa 2011, ISBN 978-83-62954-20-9.<br />
[10] The Joint C3 <strong>Information</strong> Exchange Data Model, Edition 3.1b, 2007.
Comm<strong>and</strong>ing Multi-Robot Systems<br />
with Robot Operating System<br />
Using Battle Management Language<br />
Thomas Remmersmann 1 , Alex<strong>and</strong>er Tiderko 1 ,<br />
Marco Langerwisch 2 , Stefan Thamke 3 , Markus Ax 3<br />
1 Fraunhofer Institute for Communication, <strong>Information</strong>, Processing <strong>and</strong> Ergonomics FKIE,<br />
D-53343 Wachtberg, Germany, {thomas.remmersmann, alex<strong>and</strong>er.tiderko}@fkie.fraunhofer.de<br />
2 Leibniz Universität Hannover, Real Time Systems Group (RTS),<br />
D-30167 Hannover, Germany, langerwisch@rts.uni-hannover.de<br />
3 University of Siegen, Institute of Real-Time Learning Systems (EZLS),<br />
D-57068 Siegen, Germany, {stefan.thamke, markus.ax}@uni-siegen.de<br />
Abstract: Multi-Robot Systems have become an important research topic. One of the main questions,<br />
when looking at usability of a MRS, is how it can be controlled. In this paper we describe an approach<br />
were the comm<strong>and</strong>ing is done by using an artificial language very similar to English, the Battle<br />
Management Language (BML). The orders can thus be created intuitively <strong>and</strong> on a high abstraction<br />
level. We developed a GUI to allow fast <strong>and</strong> efficient creating of orders for the robots system. On<br />
the robots we used the Robot Operating System (ROS). The interpretation <strong>and</strong> execution of the orders<br />
are controlled by ROS nodes. We created control nodes for every robot which h<strong>and</strong>le the execution<br />
of a task for a single robot. We also created intelligent nodes for groups of robots. These nodes h<strong>and</strong>le<br />
comm<strong>and</strong>s directed to a group of robots <strong>and</strong> split that BML order into BML orders for each robot.<br />
These orders are sent to the control nodes <strong>and</strong> executed by the robots. ROS provides numerous<br />
of libraries <strong>and</strong> tools which helps to create new robot applications. We mainly used the publish<br />
subscriber based communication capabilities. In this paper we concentrated on the architecture <strong>and</strong><br />
how the translation of BML orders into basic ROS comm<strong>and</strong> is done <strong>and</strong> how feedback messages<br />
were sent back to the C2 System. This presented work is the result of cooperation between the Real<br />
Time Systems Group (RTS), Leibniz Universität Hannover, the Institute of Real-Time Learning<br />
Systems (EZLS), University of Siegen <strong>and</strong> the Fraunhofer Institute for Communication, <strong>Information</strong><br />
Processing <strong>and</strong> Ergonomics.<br />
Keywords: natural language, BML, multi-robot systems, C2 systems, ROS<br />
I. Introduction<br />
There are many reasons to use a multi-robot system instead of a single robot.<br />
Multiple robots can do some jobs more cheaply, faster or more reliably, e.g., a group<br />
of different robots can reconnoiter an area towards different aspects. UAVs might
306 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
produce aerial photo <strong>and</strong> UGV can produce a 3D grid using laser scanners. Another<br />
example is a group of drones that must be coordinated to scan the corridor<br />
ahead of a convoy. This task can’t be done by a single robot <strong>and</strong> the group should<br />
be automatically fly in formation in a predefined distance from the first truck.<br />
In this paper we show an approach how a single user can control an MRS<br />
in similar situations using BML. The goal of our project was to demonstrate that<br />
the robots of MRS can be coordinated quickly <strong>and</strong> efficiently by using BML as a comm<strong>and</strong><br />
<strong>and</strong> report language <strong>and</strong> using ROS as a communication st<strong>and</strong>ard between<br />
different robot systems. We defined a set of comm<strong>and</strong>s that should be supported<br />
by the MRS <strong>and</strong> how they should be implemented to test our approach.<br />
We use a simple hierarchical approach with intelligent node representing groups<br />
of robots <strong>and</strong> the control nodes for each robot. This means that one intelligent node<br />
receives the comm<strong>and</strong> from the user <strong>and</strong> this node is capable of breaking the comm<strong>and</strong><br />
up into subcomm<strong>and</strong>s for all subordinate robots. This allows less coupling<br />
between the robots. Each node must only know how to interpret a comm<strong>and</strong> <strong>and</strong><br />
what comm<strong>and</strong>s are supported by it subordinate units. Having the intelligent nodes<br />
on the robots makes it possible for the robots to be reactive to new situations even<br />
if the connection to the C2-Central is not available.<br />
The paper is structured as the following. In Section 2 some background information<br />
is given about supervisory control, BML <strong>and</strong> ROS. Section 3 describes<br />
the systems that are used in the project. This includes the graphical user interface<br />
<strong>and</strong> the robot systems of the Leibniz Universität Hannover <strong>and</strong> University of Siegen.<br />
Section 4 describes the challenges <strong>and</strong> benefits using ROS on the robots. The implementation<br />
of comm<strong>and</strong>s is described in section 5. A conclusion <strong>and</strong> an outlook<br />
are given in section 6.<br />
II. Background<br />
A. Supervisory control of Multi-Robot Systems<br />
The goal of our work is to provide supervisory control of Multi-Robot<br />
Systems without excessive human workload. Related work on controlling UAV<br />
Multi-Robot System was done by Cummings <strong>and</strong> Mitchell [1] <strong>and</strong> Nehme et<br />
al. [2]. The workload of controlling a UAV Multi-Robot System was analyzed by<br />
Dixon et al. [3].<br />
Quite similar to the supervisory control of Multi-Robot Systems is the supervisory<br />
control of multi-agent systems (MAS) [4]. For that area different approaches<br />
are known. The first one is “control-by-behavior.” In this approach, different<br />
behaviors for each agent are defined <strong>and</strong> the operator selects one of them.<br />
However, this approach does not scale with larger groups of agents, more behaviors<br />
or more complex behaviors as mentioned by Wilson et al. [5]. Another approach<br />
is the “control-by-policy” approach. Here, the operator can define constraints or
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
307<br />
advices in a limited natural language <strong>and</strong> the agent plans corresponding actions.<br />
This is e.g., used by Myers [6].<br />
B. BML<br />
To express comm<strong>and</strong>s that are pushed from the user (C2 System) to the intelligent<br />
node on the lead robot <strong>and</strong> from there to the other robots we use Battle<br />
Management Language (BML) [7], because it is human readable, unambiguous,<br />
already used in military context, <strong>and</strong> in st<strong>and</strong>ardisation process of SISO. BML<br />
can be used to express orders, reports <strong>and</strong> requests between comm<strong>and</strong> <strong>and</strong> control<br />
systems (C2 systems), simulation systems <strong>and</strong> real units. In addition, BML also may<br />
be used to interact with robotic forces. Thus, it allows C2 systems <strong>and</strong> their users<br />
to interact with robot systems in the same way as with real units or units simulated<br />
in simulation systems. It is also possible to control robots with this language because<br />
it unambiguous <strong>and</strong> follows a formal grammar. We described in [8-9] how<br />
to control robots running our own middleware RoSe [10] by using BML.<br />
BML must be unambiguous to allow automatic processing. This unambiguousness<br />
is not self-evident for a language. For example, in natural English, the lexical<br />
term bark can refer to the sound a dog produces or to the skin of a tree. The interpretation<br />
of such ambiguous terms depends on the situational context <strong>and</strong> on<br />
the world knowledge of the listener.<br />
In order to be unambiguous, BML has been designed as a formal language.<br />
A formal language is the set of all sentences generated by a formal grammar. A formal<br />
grammar consists of a lexicon (the words of the language) <strong>and</strong> a set of rules<br />
(how to combine the words). In the case of BML, this grammar is the Comm<strong>and</strong><br />
<strong>and</strong> Control Lexical Grammar (C2LG) [11]. To be more precise, the lexicon contains<br />
the attributes <strong>and</strong> values provided by the Joint Consultation Comm<strong>and</strong> <strong>and</strong><br />
Control <strong>Information</strong> Exchange Data Model (JC3IEDM) (see http://www.mip-site.<br />
org or [12]). This set of rules has been developed based upon the doctrines of comm<strong>and</strong>ing<br />
<strong>and</strong> reporting, e.g., STANAG 2014, <strong>and</strong> incorporates the idea of the 5Ws<br />
(Who, What, Where, When, Why) for individual BML expressions.<br />
C. ROS<br />
We are running Robot Operating System (ROS) on the robots because it contains<br />
many useful capabilities <strong>and</strong> is the most widely used operating system for robots.<br />
ROS is developed <strong>and</strong> maintained by Willow Garage. It provides a centralized<br />
architecture with publish / subscribe semantics. A central instance, the ROSCore,<br />
provides lookup information about topics, services <strong>and</strong> nodes. Each node reports<br />
its register information <strong>and</strong> can receive information about other nodes. A node<br />
that subscribes to a topic requests connection information through ROSCore <strong>and</strong><br />
connects directly to publisher node. In order to accomplish this, an agreed-upon
308 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
connection protocol will be used. Although TCP is the most common protocol<br />
used in an ROS, a UDP can also be used. The data exchange between nodes will<br />
create a peer-to-peer network.<br />
III. Systems in use<br />
A. C2LG GUI<br />
We use a graphical user interface, the C2LG GUI, to enter the orders for our<br />
robot system. C2LG GUI is used in other projects to test interoperability with<br />
simulation systems, e.g., with French <strong>and</strong> German systems [13]. The GUI supports<br />
the user generating the orders. It allows selecting objects from a list or to pick<br />
them from the integrated map. Geographical features like areas can be created on<br />
the map as well. These features then can be referenced. The GUI also visualizes<br />
the robots’ reports. In particular, the robots themselves are shown the map due to<br />
their periodic position reports.<br />
Figure 1. The GUI we used to create BML orders. First the action “move” was selected.<br />
Then the taskee “robot_group_1” was selcted <strong>and</strong> route “routeA” was created on the map<br />
<strong>and</strong> given as a paremter to the order 1<br />
The initialization of the GUI was done using the <strong>Military</strong> Scenario Description<br />
Language (MSDL) [14]. We created an MSDL File which includes the units,<br />
the associated symbols, the order of battle, <strong>and</strong> also some geographical objects e.g.,<br />
where the base is.<br />
1<br />
Map data (c) ῾OpenStreetMap’ (<strong>and</strong>) contributors (http://www.openstreetmap.org/), CC-BY-SA<br />
(http://creativecommons.org/licenses/by-sa/2.0/)
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
309<br />
B. UGV RTS-HANNA<br />
Our multi-robot system consisted of a ground vehicle <strong>and</strong> two UAVs. This<br />
section provides information about the ground vehicle. The following section will<br />
cover the UAVs.<br />
The unmanned ground vehicle is called RTS-HANNA (see Fig. 2). It is based<br />
on an off-the-shelf Kawasaki Mule 3010 Diesel chassis which has been retrofitted<br />
with a drive-by-wire interface (by PARAVAN GmbH). That interface enables<br />
manual as well as full computer control of the vehicle. Due to the manual control,<br />
HANNA is fully street-licensed. Its maximum velocity is 40 km/h, <strong>and</strong> its maximum<br />
payload is 600 kg.<br />
HANNA can be equipped with a multitude of sensors. For environmental<br />
perception, two continuously rotating 3D laser rangefinders RTS-ScanDriveDuo<br />
with an update rate of 0.8 Hz each for close range, one Velodyne HDL-64E with<br />
an update rate of 15 Hz for long range, one Ibeo Lux for fast obstacle detection<br />
within the main driving direction, <strong>and</strong> a Microsoft Kinect are mounted. For<br />
the navigation, odometry, a gyroscope, <strong>and</strong> two GPS receivers are available. HANNA<br />
communicates either by WiFi, or a serial link in the unlicensed industrial, scientific<br />
<strong>and</strong> medical (ISM) radio b<strong>and</strong>, or by GSM/UMTS.<br />
HANNA has five embedded PCs at her disposal, used for processing the sensor<br />
data, for navigation <strong>and</strong> to control her, in our case by BML orders, cf. [15] for more<br />
details. Software for those PCs is developed using the robotic framework RACK<br />
(Robotics Application Construction Kit). To make the PCs capable for executing<br />
ROS components, we, in general, cross-compiled ROS <strong>and</strong> made the ROS libraries<br />
<strong>and</strong> API available to our middleware RACK. In particular, a kind of gateway<br />
module has been implemented. That module is part of the RACK communication<br />
system, but is also able to publish <strong>and</strong> subscribe to ROS topics. It receives the BML<br />
tasks <strong>and</strong> organizes their execution by publishing corresponding tasks for the UAVs<br />
as ROS topics. It also publishes sensor data for the BML-GUI. In short, HANNA<br />
is running the ROSCore <strong>and</strong> the BMLConnector in the ROS context, the gateway<br />
module to connect both worlds, <strong>and</strong> the rest of the software components in RACK.<br />
HANNA navigates on a known road network available in OpenStreetMap<br />
(OSM) format. To navigate to a certain point of destination, a simple A* search<br />
for a shortest path in the OSM geodata is initiated, cf. [16] for details. To follow<br />
the planned path, a hybrid feedback controller, introduced in [17], is applied. This<br />
service uses reactive obstacle avoidance <strong>and</strong> local path re-planning.
310 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 2. The unmaned ground vehicle HANNA from the RTS, Leibniz Universität Hannover<br />
C. UAV PSYCHE 1000<br />
The multi-robot system’s two UAVs are Psyche 1000 (see Fig. 3) modified drones<br />
MD4-1000 which originally were built by Microdrones. The UAVs are electronically<br />
driven helicopters with four rotors, so called quadrocopters that provide a maximum<br />
flying weight of 6 kg. Running four rotors means that such a UAV is controlled only<br />
by changes in rotational speed of each rotor. Every one of this rotors is driven by its<br />
own brushless engine, so that the UAVs are almost maintenance free. In comparison<br />
to a conventional helicopter design with a lot of moving parts like a swash plate,<br />
the possibility for technical failures is reduced significantly.<br />
Figure 3. The unmaned airial vehicle PSYCHE 1000 from EZLS, University of Siegen
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
311<br />
The UAVs have high precision position stabilization as well as a location estimation<br />
system. As in most localization systems a GPS receiver provides information<br />
about the absolute position which is fused with measurements from accelerometers,<br />
gyroscopes, a magnetometer, <strong>and</strong> a barometer. For communication, a special chip<br />
running a specialized embedded Linux distribution is added. It supports both<br />
the communication channel with the base station <strong>and</strong> with the other robots, as well<br />
as autonomous flight control. Our control module utilizes the position <strong>and</strong> attitude<br />
estimations from the UAV, as provided by the manufacturer, <strong>and</strong> generates signals<br />
that are fed back into the proprietary control software of the drone. The interface<br />
we use is identical to the original radio control connection. This allows us to make<br />
use of all position stabilization functionalities provided by the manufacturer, as we<br />
electronically simulate a human operator. By the flick of a switch a real operator<br />
can obtain control over the UAVs at any given time.<br />
Communication from <strong>and</strong> to the UAV is realized with two wireless connections.<br />
The original radio control device is connected over a bi-directional low-b<strong>and</strong>width,<br />
but high distance 2.4 GHz channel. It sends control comm<strong>and</strong>s to the UAV <strong>and</strong> receives<br />
information about the height, attitude <strong>and</strong> the state of the battery. The second<br />
channel is a 5 GHz Wireless LAN connection used to transmit data with high bit rates.<br />
Since the project is mainly focused on reconnaissance, each UAV is equipped<br />
each with a 14.7 MP zoom camera. However, as the UAVs have to alter their attitude<br />
to make changes in movement, a fixed mounting of the cameras would result<br />
in blurry images. To prevent this, the cameras are mounted within a moveable frame,<br />
which is deflected by two servos. The angle control input is taken from the attitude<br />
estimation made by Microdrones. Pictures are accessible in two versions. One<br />
is the live video preview used on the camera display as default. Respective pictures<br />
have a resolution of 320 x 240 pixels, an average file size of 9 kB, <strong>and</strong> are available at<br />
25 Hz. The second is the single picture mode by which high resolution pictures<br />
can be taken. High resolution pictures have a resolution of up to 4416 x 3312 pixels<br />
<strong>and</strong> an average file size of 4 MB.<br />
IV. Challenges using ROS<br />
The requirements of robot control software for MRS are a) the control<br />
of the MRS as one unit, <strong>and</strong> b) the separate control of specific robots. This dem<strong>and</strong>s<br />
self-sufficient control software on each robot but also communication between<br />
the robots. To be able to use the communication interface of ROS it must be<br />
compiled for the specific processor structure <strong>and</strong> operating systems of the robots.<br />
We used one ROSCore for all robots, which allows communication over<br />
ROS topics. For each robot there is a ROS node which listens to specific topics<br />
<strong>and</strong> controls the robots according to the given comm<strong>and</strong>s. Those comm<strong>and</strong>s are<br />
defined in BML. The robots communicate not only with the C2 system over BML<br />
but also with each other. This means an intelligent node, h<strong>and</strong>ling the comm<strong>and</strong>s
312 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
which are given to a robot group, splits that comm<strong>and</strong>s up into BML comm<strong>and</strong>s<br />
for specific robots. Internally we used a newly defined ROS-BML message type,<br />
which includes the same information as BML comm<strong>and</strong> given by the C2 System.<br />
Using the internal format allows direct access to the values, while the XML-BML<br />
format given by the C2 System must be parsed to access the information. We used<br />
the ROS-BML format for communication between robots only to avoid additional<br />
converting.<br />
The exchange of data between the robots <strong>and</strong> the C2 System is done sending<br />
XML-BML over TCP/IP. We implemented an ROS node called BMLConnector<br />
for this reason. It h<strong>and</strong>les the translation between XML-BML <strong>and</strong> ROS-BML<br />
<strong>and</strong> transfers the data between a simple TCP/IP connection to the C2 system <strong>and</strong><br />
the ROS internal publish subscriber system.<br />
Some data that cannot be expressed in BML because either there is no construct<br />
for this kind of data, or it is data that cannot be expressed in human-readable<br />
sentences, e.g., pictures or video streams. Whenever this is the case, we encode<br />
the ROS message in based64 <strong>and</strong> include it in a small XML structure. We called<br />
this the sensor data return channel (SDRC). If the st<strong>and</strong>ard is adjusted in the future<br />
we can change the encoding of a message from base64 to BML.<br />
Some robot status information will always be transferred to the C2 system.<br />
This can be BML reports about several things like positions of units or the current<br />
status of a task. As not all data need to be reported to C2 system or to other robots,<br />
at least not all the time, the data transferred must be specified via a configuration.<br />
The configuration can be done by a script or via XML Remote Procedure Call<br />
(XML-RPC) at runtime. It is especially useful if new nodes are running on one<br />
of the robots or if a robot is added or removed from the group. Additionally it is<br />
possible to request pictures or videos from the robots using BML comm<strong>and</strong>s.<br />
V. Challenges in using BML<br />
The main problem of using BML is that the high level comm<strong>and</strong>s must be<br />
transformed into basic orders for the robots. This is done by so called intelligent<br />
nodes which break a BML comm<strong>and</strong> down into several smaller orders until only<br />
elemental orders remain which can be executed directly. The structure is visualized<br />
in Fig. 4.<br />
These intelligent nodes are connected to the BMLConnector <strong>and</strong> as a result,<br />
they are able to receive orders <strong>and</strong> to forward orders to other robots or to intelligent<br />
nodes on other robots. Because the input <strong>and</strong> output of the intelligent nodes<br />
is st<strong>and</strong>ardized by BML, orders can easily be exchanged.<br />
In case of a situation in which a BML comm<strong>and</strong> can not longer be executed<br />
in the default way for any reason, first the control nodes on the robots try to find<br />
a way to continue the task. For example, a UGV might move back <strong>and</strong> than move<br />
around an obstacle. Second, if a control node is not able to continue the task, it re-
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
313<br />
ports this problem back to the intelligent node which then can try to reschedule.<br />
If this also fails, it can report back to the C2 System. If the connection to the C2<br />
System is lost, it can react in a predefined way, e. g., all robots return to base.<br />
Figure 4. Structure of the comm<strong>and</strong> flow. A BML comm<strong>and</strong> for a robot group is send from the<br />
C2 System to the intelligent node on the UGV <strong>and</strong> is split up into BML comm<strong>and</strong>s for all robots<br />
In our test case the MRS consisting of a UGV (HANNA) <strong>and</strong> two UAVs<br />
(PSYCHE 1000). We implemented several BML comm<strong>and</strong>s, e.g., reconnaissance,<br />
patrol, distribute, guard, <strong>and</strong> observe.<br />
To comm<strong>and</strong> this MRS a reconnaissance mission the user enters the BML<br />
expression “reconnaissance C2 Robot_Group1 at Area_1 start at now” in the GUI.<br />
The user is supported by dropdown boxes which show him which values are allowed<br />
for a given part of the expression <strong>and</strong> he also can choose targets, routes <strong>and</strong> areas on<br />
a map. The intelligent node that receives that mission orders the UGV to move<br />
along the roads to report about any obstacles <strong>and</strong> also assigns a part of the area to<br />
each UAV to reconnoitre it. The control node of the UGV only receives waypoints<br />
on the roads which should be reached <strong>and</strong> does its way planning <strong>and</strong> collision<br />
avoidance on its own. The control nodes on the UAVs split their reconnoitre orders<br />
into move orders inside the area assigned to them. During execution the robots<br />
of course report their position but the UGV also reports a map. The map shows<br />
obstacles that were detected <strong>and</strong> which ways the robot can take. An example of this<br />
can be seen in Fig. 5.<br />
If the patrol comm<strong>and</strong> is given it is split up in a move order along the given<br />
patrol points for the UGV <strong>and</strong> the UAVs get a comm<strong>and</strong> to orbit the UGV.<br />
The distribute comm<strong>and</strong> is implemented by giving a move comm<strong>and</strong> to<br />
the center of the area. The area is split into 2 pieces <strong>and</strong> each of the UAV receives<br />
a move comm<strong>and</strong> to the center of one them.
314 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Execution of the guard comm<strong>and</strong> is done very similar; the UGV is ordered<br />
again to move to the center of the area <strong>and</strong> each UAV receives an order to patrol<br />
in one half of the area.<br />
The observe comm<strong>and</strong> is performed by moving the UGV to the target position<br />
<strong>and</strong> let the UAVs orbit around that position.<br />
We also added two emergency buttons. The first is “Emergency Stop” which<br />
cancels all previously given comm<strong>and</strong>s <strong>and</strong> lets all robots stop. The second is “Return<br />
to Base” which gives each robot a “move to base” task. The base must have<br />
been defined previously in the C2LG GUI.<br />
We tested <strong>and</strong> demonstrated all that functionality on our test side in Wachtberg,<br />
next to the Fraunhofer FKIE. It showed that our approach works. Due to the st<strong>and</strong>ardization<br />
of BML <strong>and</strong> ROS the interaction between the components of the three<br />
different institutes was no problem.<br />
Figure 5. Map returned by the UGV during the reconnaisance mission. White represents free area,<br />
black represents obstacles <strong>and</strong> gray is undiscovered area. The blue lines are predefined roads<br />
VI. Conclusion <strong>and</strong> outlook<br />
We presented a system that allows comm<strong>and</strong>ing an MRS with BML. Giving<br />
the orders in restricted normal English is an intuitive way but requires complex<br />
intelligent nodes. The BML exchange format makes it possible to develop the intelligent<br />
nodes independent of each other because of the st<strong>and</strong>ardization. But BML<br />
does not always allow giving orders at a level of the detail which might be desirable.<br />
Adjusting BML to the special needs of a multi-robot system is one of the work<br />
items for the future. The intelligent nodes often have similar structures <strong>and</strong> we are<br />
planning to generate them from scripts or rules. This would allow faster integration<br />
of new comm<strong>and</strong>s or adjusting behavior to new robots. Reporting position <strong>and</strong>
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
315<br />
task status was no problem using BML. Pictures <strong>and</strong> videos cannot be encoded<br />
in BML, for this reason we used the SDRC.<br />
In future work it must be proven if this approach scales for lager MRS. Another<br />
interesting point is how the system must be adjusted to be able to add <strong>and</strong> remove<br />
new robots to the MRS at any time.<br />
REFERENCES<br />
[1] M.L. Cummings, <strong>and</strong> P.J. Mitchell, “Operator scheduling strategies in supervisory<br />
control of multiple UAVs,” Aerosp. Sci. Technol., vol. 11, no. 4, 2007, pp. 339-348.<br />
[2] C. Nehme, B. Mekdeci, J.W. Cr<strong>and</strong>all, <strong>and</strong> M.L. Cummings, “The impact<br />
of heterogeneity on operator performance in futuristic unmanned vehicle systems,”<br />
Int. Comm<strong>and</strong> Control J., vol. 2, no. 2, 2008.<br />
[3] S.R. Dixon, C.D. Wickens, <strong>and</strong> D. Chang, “Mission control of multiple unmanned<br />
aerial vehicles: A workload analysis,“ Human Factors, vol. 47, no. 3, 2005, pp. 479-487.<br />
[4] G. Coppin, <strong>and</strong> F. Legras, “Autonomy Spectrum <strong>and</strong> Performance Perception Issues<br />
in Swarm Supervisory Control,” Proceedings of the IEEE vol. 100, no. 3, 2012.<br />
[5] M.S. Wilson, <strong>and</strong> M.J. Neal, “Diminishing return of engineering effort in telerobotic<br />
systems,” IEEE Trans. Syst. Man Cybern. A, Syst. Humans, vol. 31, Special Issue on<br />
Socially Intelligent Agents–The Human in the Loop, no. 5, 2001, pp. 459-465.<br />
[6] K.L. Myers, “Advisable planning systems in Advanced Planning <strong>Technology</strong>,” A. Tate,<br />
Ed. Menlo Park, CA: AAAI, 1996.<br />
[7] K. Heffner, A. Brook, N. de Reus, L. Khimeche, O.M. Mevassvik, M. Pullen,<br />
U. Schade, J. Simonsen, <strong>and</strong> R. Gomez-Veiga, “NATO MSG-048 C-BML Final Report<br />
Summary,” 2010 Fall Simulation Interoperability Workshop (Paper 10F-SIW-039),<br />
Orl<strong>and</strong>o, FL., 2010.<br />
[8] T. Remmersmann, B. Brüggemann, U. Schade, <strong>and</strong> D. Schulz, „Roboterinteraktion<br />
mittels Battle Management Language,“ Technical Report FKIE-ITF/2010/01. Wachtberg:<br />
Fraunhofer FKIE, 2010.<br />
[9] T. Remmersmann, B. Brüggemann, <strong>and</strong> M. Frey, “Robots to the Ground.” in Concepts<br />
<strong>and</strong> Implementations for Innovative <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong><br />
Technologies, <strong>Military</strong> University of <strong>Technology</strong>, ISBN 978-83-61486-70-1, 2010,<br />
pp. 61-68.<br />
[10] A. Tiderko, T. Bachran, F. Hoeller, <strong>and</strong> D. Schulz, “RoSe – A framework for<br />
multicast communication via unreliable networks in multi-robot systems,” Robotics<br />
<strong>and</strong> Autonomous Systems, vol. 56, 2008, pp. 1017-1026.<br />
[11] U. Schade, M.R. Hieb, M. Frey, <strong>and</strong> K. Rein, “Comm<strong>and</strong> <strong>and</strong> Control Lexical<br />
Grammar (C2LG) Specification”, Technical Report FKIE-ITF/2010/02. Wachtberg:<br />
Fraunhofer FKIE, 2010.<br />
[12] M. Gerz, <strong>and</strong> U. Schade, “Das Joint Consultation Comm<strong>and</strong> <strong>and</strong> Control<br />
<strong>Information</strong> Exchange Data Model”, in J. Grosche, <strong>and</strong> M. Wunder, (Eds.), Verteilte<br />
Führungsinformationssysteme. Heidelberg, Germany: Springer, 2009, pp. 219-234.
316 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[13] T. Remmersmann, U. Schade, L. Khimeche, B. Gautreau, <strong>and</strong> R. El Abdouni<br />
Khayari, “Lessons Recognized: How to Combine BML <strong>and</strong> MSDL,” 2012 Spring<br />
Interoperability Workshop, Orl<strong>and</strong>o, FL, 2012.<br />
[14] J. Surdu, R. Wittman, <strong>and</strong> J. Abbott, “<strong>Military</strong> Scenario Definition Language<br />
Study Group Final Report,” 2005 Fall Simulation Interoperability Workshop, Orl<strong>and</strong>o,<br />
FL, 2005.<br />
[15] J. Kiszka, <strong>and</strong> B. Wagner, “RTnet – a flexible hard real-time networking framework,”<br />
10th IEEE Conference on Emerging Technologies <strong>and</strong> Factory Automation, vol. 1,<br />
2005, pp. 449-456.<br />
[16] M. Hentschel, <strong>and</strong> B. Wagner, “Autonomous robot navigation based on<br />
OpenStreetMap geodata,” 13th International IEEE Conference on Intelligent<br />
Transportation Systems, 2010, pp. 1645-1650.<br />
[17] M. Hentschel, O. Wulf, B. Wagner, A hybrid feedback controller for car-like robots<br />
– combining reactive obstacle avoidance <strong>and</strong> global replanning,” Integr. Comput.<br />
– Aided Eng., vol. 14, Amsterdam, The Netherl<strong>and</strong>s, 2007, pp. 3-14.
Application of CID Server in Decision Support<br />
for Comm<strong>and</strong> <strong>and</strong> Control<br />
Krzysztof Muchewicz, Marek Piotrowski,<br />
Henryk Kruszyński, Robert Palka<br />
Research & Development Department,<br />
TELDAT Sp. J., 85-640 Bydgoszcz, Pol<strong>and</strong>,<br />
{kmuchewicz, mpiotrowski, hkruszynski, rpalka}@teldat.com.pl<br />
Abstract: In brief, Combat Identification (CID) is the capability to differentiate entities in a combatant’s<br />
area. Effective CID is a crucial factor for minimizing casualties <strong>and</strong> improving performance of military<br />
forces. A lot of solutions have been already created <strong>and</strong> applied on various military scenarios.<br />
Two of them are NFFI <strong>and</strong> Link 16. Although they prove to be useful on ground <strong>and</strong> air respectively,<br />
it has been identified that one cannot use information from both systems on air to ground arena.<br />
From this scenario the idea of CID Server has grown. First implementations have been created.<br />
Also NATO recognized the need for st<strong>and</strong>ardization <strong>and</strong> has started development of corresponding<br />
STANAG document.<br />
This article organizes knowledge about CID Server <strong>and</strong> presents CID JASMINE, which is a realization<br />
of CID Server concept.<br />
The main idea of CID JASMINE is to provide effective solution that will satisfy all requirements for<br />
CID Server both in national <strong>and</strong> multinational environment. To make it possible, the topic of CID<br />
has been deeply analyzed. Also existing CID solutions <strong>and</strong> capabilities have been studied. After that,<br />
advanced programming techniques <strong>and</strong> patterns have been applied to achieve goal.<br />
The final CID JASMINE will be a leading product in its category. Its first beta version was tested<br />
during CWIX exercise <strong>and</strong> first official release is planned at the end of 2012.<br />
Keywords: Combat Identification; Friendly Force <strong>Information</strong>; CID Server; JASMINE System;<br />
CID JASMINE<br />
I. Introduction<br />
“In combat, the only thing worse than enemy fire is incoming friendly fire.”<br />
The above statement from Marine Corps Sgt. Aldo Wong best describes<br />
the importance of the subject of Combat Identification (CID). Developing solutions<br />
for identification of objects on battlefield is crucial to minimize casualties <strong>and</strong><br />
improve performance of military forces. In brief, definition of CID is as follows:<br />
Combat Identification (CID) is the process of attaining an accurate characterization<br />
of entities in a combatant’s area of responsibility to the extent that high-confidence,<br />
real-time application of tactical options <strong>and</strong> weapon resources can occur.
318 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
CID capability consists of following elements:<br />
Combat Identification (CID) = Situation Awareness (SA) + Target Identification<br />
(TI) + Non-materiel alternatives.<br />
A lot of CID solutions have been already created <strong>and</strong> applied on various military<br />
arenas. This includes: non materiel solutions like doctrine, training <strong>and</strong> materiel<br />
solutions e.g. sensors <strong>and</strong> C2 Systems. Two of them that should be mentioned are<br />
NFFI <strong>and</strong> Link 16. They have been already deployed <strong>and</strong> well tested, among others<br />
in Afghanistan. Although they prove to be useful on ground <strong>and</strong> air arenas respectively,<br />
it has been identified that one cannot use information from both systems<br />
on air to ground scenario. From that the need of CID Server has grown. The CID<br />
Server is one of CID solutions that improve combat identification process by collecting<br />
CID data from different sources <strong>and</strong> providing it on dem<strong>and</strong> to consumers.<br />
First implementation of CID Server has been created by USA (BAE Systems,<br />
[1]) <strong>and</strong> Germany (CIGAR from ESG, [2]). Also NATO recognized the need<br />
for st<strong>and</strong>ardization <strong>and</strong> has started development of STANAG document [3][4]. Since<br />
the idea of CID Server is still young, there is only slight knowledge about possible<br />
features <strong>and</strong> its applications. The minimum is to provide Friendly Force <strong>Information</strong><br />
from ground units to fighter aircraft. However, possible applications could be<br />
much wider <strong>and</strong> include all scenarios when the decision of engagement is weighed.<br />
Also TELDAT, an innovative company from Pol<strong>and</strong>, has started development<br />
of its own CID Server product – CID JASMINE. The main goal of this article is to<br />
present concept of CID JASMINE <strong>and</strong> to show its main features according to existing<br />
CID <strong>and</strong> CID Server solutions.<br />
The CID JASMINE product will be based on existing components of JASMINE<br />
System, both software <strong>and</strong> hardware. As a hardware component CID JASMINE<br />
will use Server Box V.3, which is an efficient <strong>and</strong> powerful military Server station.<br />
Dedicated CID JASMINE software will work on Microsoft Windows 2008 Server<br />
operating system. All software elements are based on the SOA architecture <strong>and</strong><br />
build upon MessageBus. Position Location <strong>Information</strong> (PLI) will be received<br />
using NFFI IP1, IP2 (NATO Friendly Force <strong>Information</strong>, Interoperability Profile<br />
1 <strong>and</strong> 2) <strong>and</strong> Link 16. It will be provided using Link 16 <strong>and</strong> NFFI SIP 3 (Service<br />
Interoperability Profile 3). CID Server capabilities will be successively extended<br />
to all available CID solutions, like VMF (Variable Message Format) <strong>and</strong> BRM<br />
(Battlefield Replication Mechanism). CID JASMINE will also provide operational<br />
picture <strong>and</strong> expose it using NVG (NATO Vector Graphics) protocol <strong>and</strong> web client<br />
application. This will enable to use CID information created by Server directly<br />
from Web Browser user interface. Therefore CID JASMINE will not only be a set<br />
of functional services but it will also provide operational picture on tactical level.<br />
The architecture <strong>and</strong> implementation of CID JASMINE will be focused on quality<br />
parameters of product.<br />
The article is organized as follows. Section 2 presents general definition <strong>and</strong><br />
information concerning Combat Identification. Section 3 gives short overview
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
319<br />
of selected CID solutions. Section 4 presents general CID Server concept. Section 5<br />
describes the main ideas, features, architecture of CID JASMINE.<br />
II. Combat identification<br />
In this section the main facts concerning Combat Identification (CID) are<br />
introduced. The general definition is given below:<br />
Combat Identification (CID) is the process of attaining an accurate characterization<br />
of entities in a combatant’s area of responsibility to the extent that high-confidence,<br />
real-time application of tactical options <strong>and</strong> weapon resources can occur. The objective<br />
of CID is to maximize combat/mission effectiveness while reducing total casualties<br />
(due to enemy action <strong>and</strong> fratricide) [5].<br />
Another definition is as follows:<br />
Combat Identification (CID) is the capability to differentiate potential targets<br />
mobile <strong>and</strong> fixed, over large areas with corresponding long distances as friend, foe, or<br />
neutral in sufficient time, with high confidence, <strong>and</strong> at the requisite range to support<br />
engagement decisions <strong>and</strong> weapon release [6].<br />
It can be seen from above definitions that CID is a very general term that<br />
touches various operational <strong>and</strong> functional topics. The main motivation to develop<br />
CID in military forces is to minimize friendly fire accidents <strong>and</strong> to help prevent<br />
unnecessary combat losses. However CID is required also for other reasons. It is<br />
needed among others to:<br />
• effectively field fighting forces,<br />
• support to rapidly <strong>and</strong> positively identify enemies, friends, <strong>and</strong> neutrals<br />
in the battlespace,<br />
• manage <strong>and</strong> control the battle area,<br />
• optimally employ weapons <strong>and</strong> forces,<br />
• minimize casualties.<br />
The importance of CID has grown in the modern times since there is much<br />
more attention about personnel loss than, for example, in the beginning of 20 th<br />
century.<br />
Below some aspects of CID are shown. First operational <strong>and</strong> functional<br />
capabilities are presented then description of system-of-systems concept is given<br />
in accordance to CID.<br />
A. Operational capabilities<br />
CID is applicable in the following areas:<br />
• Air to air,<br />
• Air to surface,<br />
• Surface to Surface,<br />
• Surface to air.
320 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Surface area includes l<strong>and</strong> <strong>and</strong> sea. The subsurface is known as ground <strong>and</strong><br />
maritime. In each of the these CID need is essential for comm<strong>and</strong>ers. CID capability<br />
is required for all mission scenarios. However, in different ones it can be implemented<br />
differently. The next picture presents various actors on various mission areas.<br />
Figure 1. CID Application on mission areas, source [5]<br />
To deliver CID capability, it is required to provide solutions that implement it.<br />
The CID concept can be implemented with two main types of solutions: materiel<br />
<strong>and</strong> non-material.<br />
Non-materiel solutions contain:<br />
• doctrine;<br />
• tactics, techniques, <strong>and</strong> procedures (TTP);<br />
• training.<br />
Non-materiel solutions often need to be augmented by materiel solutions.<br />
Materiel solutions can be characterized as:<br />
• sensor systems – cooperative <strong>and</strong> non-cooperative (like radar signal modulation,<br />
high-range resolution radar, electronic support measures),<br />
• comm<strong>and</strong>, control, <strong>and</strong> communications (C3) systems, in particular these<br />
could be digital data links <strong>and</strong> radios, each of which contributes a portion<br />
to the CID solution.<br />
One can see that, in the given description, CID is viewed as capability rather<br />
than a single program or system. This is the approach of “system-of-systems”. CID
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
321<br />
is a result of a process that appropriately <strong>and</strong> accurately characterizes the entities<br />
present in a combatant’s area of responsibility. Effective CID can vary depending<br />
on the conditions of the battlespace. The following scenarios can be identified:<br />
• In some cases the required identification is used only to rapidly distinguish<br />
among friendly, neutral, <strong>and</strong> enemy forces with confidence high enough<br />
to support weapon employment decisions.<br />
• At other times, identification of target class (e.g., cruise missile, fighter, or<br />
bomber) or target recognition (e.g., target vs. decoy) is required to select<br />
the correct defensive or offensive tactical weapon response.<br />
• In other cases, a more precise characterization that identifies specific target<br />
parameters, such as platform type (e.g., MiG–29 vs. MiG–21) <strong>and</strong> intent (e.g.,<br />
an active interceptor vs. a defector), is required to select optimal defensive<br />
weapons <strong>and</strong> to support weapon release decisions.<br />
In all cases, the goal for CID is to provide the level of identification that<br />
is necessary for Weapon Delivery Assets to make correct decisions.<br />
B. Functional capabilities<br />
The functional capabilities for CID include:<br />
• foe identification (including platform type, class, nationality, allegiance, <strong>and</strong><br />
intent information),<br />
• friend identification,<br />
• neutral identification,<br />
• interoperability.<br />
From the above one should put special attention on interoperability, since<br />
it is crucial for CID System to operate in multinational environment. To achieve<br />
interoperability, CID solutions have to be build upon st<strong>and</strong>ards, in particular NATO<br />
st<strong>and</strong>ards. Different solutions can be applied to obtain described above functionalities,<br />
both materiel <strong>and</strong> non-materiel.<br />
C. CID system-of-systems<br />
From presented earlier classification, CID can be seen as a capability, not<br />
a single system or program. Therefore CID implementation can be described<br />
as “system-of-systems”. It can be seen as collection of task-oriented or dedicated<br />
systems that pool their resources <strong>and</strong> capabilities together to create a new more<br />
complex system which offers broader functionality. All of these systems are critical<br />
contributors to a system-of-systems approach in providing both situational awareness<br />
<strong>and</strong> identification to use lethal weapons in the battlespace. The functional<br />
capabilities of all CID systems must work synergistically to provide a robust,<br />
high-confidence.
322 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
III. Overview of selected CID solutions<br />
Below selected CID solutions are presented. All of them belong to the group<br />
of materiel, C3 solutions. First two solutions are well known <strong>and</strong> broadly used<br />
NATO st<strong>and</strong>ards. The third is a radio replication mechanism that is an element<br />
of JASMINE System. All this mechanisms will be adopted in CID JASMINE.<br />
A. Friendly Force <strong>Information</strong> – NFFI<br />
NFFI st<strong>and</strong>ard was created in 2005 <strong>and</strong> has been developed until today by<br />
NATO Consultation Comm<strong>and</strong> <strong>and</strong> Control Agency (NC3A). It has been created<br />
to improve <strong>and</strong> simplify Real-time Friendly Force Tracking in the multinational<br />
environment. It enables tracing <strong>and</strong> identifying friendly forces in near-real time.<br />
NFFI is divided into three parts:<br />
• Interface Protocol 1 (IP1 – TCP);<br />
• Interface Protocol 2 (IP2 – UDP);<br />
• Service Interoperability Profile 3 (SIP3 – WebServices).<br />
<strong>Information</strong> is exchanged via IP1 <strong>and</strong> IP2 using formal messages that contain basic<br />
track information like identifier, system parameters, position <strong>and</strong> report time.<br />
Development of SIP3 protocol was started in 2006. SIP3 is based on Web<br />
services. More information about NFFI can be found in [7][8].<br />
B. Tactical Data Link – Link 16<br />
Link 16 is a military tactical data exchange network created <strong>and</strong> used by<br />
the United States <strong>and</strong> adopted by some of its Allies <strong>and</strong> by NATO. Its specification<br />
is part of the family of Tactical Data Links. It uses the transmission characteristics<br />
<strong>and</strong> protocols, conventions, <strong>and</strong> fixed-length or variable length message formats<br />
defined by MIL-STD 6016, STANAG 5516. Link 16 information is primarily coded<br />
in so called J-series messages. This messages are binary data words with well-defined<br />
meanings. In particular, Link 16 can be used to report <strong>and</strong> to pull CID information.<br />
More details about Link 16 can be found in [9][10].<br />
C. National solutions – BRM<br />
BRM data exchange mechanism has been created to enable exchange of operational<br />
information on tactical comm<strong>and</strong> level, mainly in the low-b<strong>and</strong>width radio<br />
networks. It has been developed by TELDAT Company <strong>and</strong> is applied in JASMINE<br />
System. BRM is based on UDP protocol <strong>and</strong> it combines high performance with<br />
flexibility <strong>and</strong> great capacity to exchange operational information. It supports exchange<br />
of data according to MIP C2IEDM <strong>and</strong> JC3IEDM data models.<br />
BRM mechanism is used in C3IS JASMINE System on tactical <strong>and</strong> dismounted<br />
soldier level, therefore this system can be used to exchange <strong>and</strong> provide CID information.<br />
More information about BRM can be found in [11].
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
323<br />
IV. CID server concept<br />
In Section III we have presented various systems that provide <strong>and</strong> exchange CID<br />
information. NFFI <strong>and</strong> Link 16 have been adopted in NATO <strong>and</strong> are used also in Afghanistan.<br />
Although being very useful, they are limited to specific areas <strong>and</strong> scenarios.<br />
As a way to improve CID, especially in ground to air scenarios, CID Server concept<br />
has been created. CID Server collects information from different l<strong>and</strong> CID sources:<br />
• CID Sensors,<br />
• BFT systems,<br />
• Situation Awareness systems (SA).<br />
CID Server provides this information on dem<strong>and</strong>, for specific area.<br />
Figure 2. CID Server application, source [3]<br />
The primary goal of CID Server is to support non-engagement decisions, whenever<br />
a risk of exposing own forces exists. This is because FFT, cooperative CID <strong>and</strong><br />
SA systems might only provide near real-time situation awareness information.<br />
CID Server will use various communication protocols for receiving <strong>and</strong><br />
providing information. In modern military operations, interoperability will be<br />
one of the most important features of CID Server. Therefore it should support<br />
international st<strong>and</strong>ards. To satisfy this, the service should be agnostic on:<br />
• data source/system (friendly force tracking [FFT], combat identification<br />
[CID], situational awareness [SA] system),<br />
• receiving platform/system (aircraft, ship, artillery battery, fire support cell, etc.),<br />
• communication means (tactical data link, local area network [LAN], etc.).
324 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Server should support existing data exchange st<strong>and</strong>ards, therefore NFFI <strong>and</strong><br />
Link 16 shall be supported. Following protocols have been identified as applicable<br />
for CID Server:<br />
• Link 16,<br />
• NFFI IP1, IP2,<br />
• NFFI SIP3,<br />
• VMF,<br />
• Cooperative sensors,<br />
• National st<strong>and</strong>ards for exchanging PLI (Position Location <strong>Information</strong>)<br />
from SA systems.<br />
A. CID server NATO st<strong>and</strong>ardization<br />
The lack of a system of this type has been identified in NATO, <strong>and</strong> work on<br />
the st<strong>and</strong>ardization has been started. Draft version of STANAG was created: “NATO<br />
STANDARD FOR SERVICES TO FORWARD FRIENDLY FORCE INFORMA-<br />
TION TO WEAPON DELIVERY ASSETS” [3][4].<br />
This STANAG provides guidance for implementation of existing interoperability<br />
<strong>and</strong> data exchange st<strong>and</strong>ards, interface profiles, <strong>and</strong> both business rules <strong>and</strong> forwarding<br />
rules for collecting PLI <strong>and</strong> forwarding it to users in the appropriate systems.<br />
Currently there are no fielded CID systems capable of providing friendly PLI to<br />
the service for forwarding to weapon delivery platforms. For the foreseeable future, only<br />
FFT <strong>and</strong> SA systems are capable of providing the necessary information. The service<br />
is primarily based on conveying friendly PLI to weapon delivery platforms through<br />
Link 16, the only NATO-wide, st<strong>and</strong>ardized tactical data link (STANAG 5516).<br />
The service is planned to be based on an open architecture to provide connectivity<br />
of all FFT, CID, <strong>and</strong> SA technologies <strong>and</strong> as much as possible:<br />
• use existing ground <strong>and</strong> air systems <strong>and</strong> infrastructure,<br />
• require no modification of existing systems,<br />
• be exp<strong>and</strong>able/adaptable to emerging PLI Sources (e.g. MMW, RBCI),<br />
• be NATO <strong>and</strong> Coalition interoperable.<br />
The work on STANAG for CID Server will last at least until the end of 2012.<br />
B. CID server usage scenarios<br />
Below some of the usage scenarios for CID Server are listed:<br />
• Air-to-surface – in this scenario CID data from ground actors is pushed into<br />
CID Server <strong>and</strong> exposed to fighter aircrafts. Aircrafts use CID information<br />
to identify targets <strong>and</strong> to support engagement decision.<br />
• Ground-to-ground – in this scenario CID data from CID Server is consumed<br />
by Weapon Delivery Assets on battlefield. CID information supports<br />
decision about weapon usage.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
325<br />
• Multinational – in this scenario CID Servers from different countries <strong>and</strong><br />
systems can exchange information with each other <strong>and</strong> enable CID when<br />
forces from various countries cooperate on battlefield.<br />
The use cases described above are presented on the next picture.<br />
Figure 3. CID Server use cases<br />
C. CID server application in NATO operations<br />
Since the idea of CID Server has grown during Afghanistan mission, its usability<br />
in NATO operations is the main motivation for its development. Different<br />
nations have various CID capabilities, both cooperative <strong>and</strong> non-cooperative,<br />
that are specific <strong>and</strong> not based on NATO st<strong>and</strong>ards. This capabilities cannot be<br />
used in multinational environment. It would be very non-efficient to replace this<br />
national solutions <strong>and</strong> create new ones dedicated for NATO missions. Therefore<br />
creation of one solution – CID Server – that will mediate between different solutions<br />
from different vendors <strong>and</strong> countries, will simplify the goal of unification<br />
<strong>and</strong> cooperation of NATO forces. Such an application of CID Server might be<br />
a goal in a long term.<br />
In a short term CID Server will use already proven solutions like NFFI <strong>and</strong><br />
Link 16. This will be still very valuable for improving CID capabilities of joint<br />
forces NATO operations.<br />
Another important capability is an ability to exchange information between<br />
different CID Servers. This can be made using already existing NATO st<strong>and</strong>ards<br />
<strong>and</strong> protocols (like NFFI) however STANAG document can simplify this task.
326 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
V. CID JASMINE concept <strong>and</strong> implementation<br />
CID JASMINE is an implementation of the concept of CID Server from<br />
TELDAT Company. CID JASMINE is a part of JASMINE System.<br />
According to NNEC concept elements of JASMINE system was designed<br />
to be able to work at all military levels, starting from the highest to the brigade<br />
level or even at the mobile battlefield unit. The system consists of hardware <strong>and</strong><br />
software. The main advantage of the JASMINE system is its high flexibility <strong>and</strong><br />
easy way of configuration, which shortens the time needed for achieving operational<br />
condition. JASMINE system equipment <strong>and</strong> its interoperability have<br />
been tested during the national <strong>and</strong> international exercises, where wide range<br />
of provided services were presented. More information about JASMINE System<br />
can be found in [12].<br />
The CID JASMINE product is based on existing components of JASMINE<br />
System, both software <strong>and</strong> hardware. As a hardware component CID JASMINE<br />
uses Server Box V.3, which is efficient <strong>and</strong> powerful military Server station.<br />
Dedicated CID JASMINE software works on Microsoft Windows 2008 Server<br />
operating system.<br />
All software elements are based on the SOA architecture that is build upon<br />
MessageBus. The next picture presents functional features of CID JASMINE.<br />
Figure 4. Functional capabilities of CID JASMINE<br />
PLI information is received using:<br />
• NFFI IP1, IP2 – l<strong>and</strong> tracks is send to CID JASMINE using UDP or TCP<br />
protocol;<br />
• Link 16 – messages containing information about paths of different types<br />
of objects can be provided to CID JASMINE. Some of the possible messages<br />
are J3.5, J3.2.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
327<br />
The information is provided for consumers using:<br />
• Link 16 – there are dedicated Link 16 messages that enable to provide<br />
information on dem<strong>and</strong>, according to given area;<br />
• NFFI SIP 3 – based on Web Services this protocol allows to pool for tracks<br />
information for specified area.<br />
CID Server capabilities will be successively extended to all available CID solutions,<br />
(like VMF <strong>and</strong> BRM). Link 16 communication will be implemented over<br />
JREAP C protocol. The timeline for CID Server is presented on the next diagram.<br />
Figure 5. CID JASMINE Timeline<br />
CID JASMINE provides also operational picture <strong>and</strong> exposes it using NVG<br />
protocol <strong>and</strong> Web Client application. This enables to use CID information created<br />
by Server directly from Web Browser user interface. Therefore CID JASMINE<br />
is not only a set of functional services but it also provides operational picture on<br />
tactical level.<br />
The architecture <strong>and</strong> implementation of CID JASMINE is focused on quality<br />
parameters of product, in particular:<br />
• Performance – Server process a lot of real time data.<br />
• Scalability – it is possible to scale CID JASMINE to multiple computer<br />
stations. This is achieved using MessageBus infrastructure <strong>and</strong> SOA architecture.<br />
• Reliability – Server Box V.3 is a military server that satisfies all quality <strong>and</strong><br />
reliability parameters for military equipment. Also development of CID<br />
JASMINE software has been focused on reliability.<br />
CID JASMINE is developed in connection with STANAG for CID Server.<br />
The development of STANAG will be observed <strong>and</strong> all important conclusions will<br />
be implemented.<br />
The first official release is planned at the end of 2012.
328 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
A. CWIX 2012<br />
First tests of the product has taken place during CWIX 2012 exercise. Link 16<br />
Gateway, which is a part of CID JASMINE has been extensively tested with systems<br />
from various countries <strong>and</strong> vendors. Below there is a list of CWIX capabilities that<br />
where test partners for CID JASMINE:<br />
• 2012-DEU – CIGAR3;<br />
• 2012-FRA – COCCA;<br />
• 2012-FIN – JADEC2;<br />
• 2012-ITA – AF AC2IS BladeRunner;<br />
• 2012-DNK – C-Flex;<br />
• 2012-NATO – ACCS LOC1 ARS;<br />
• 2012-POL – PAFLINK16;<br />
• 2012-NATO – NC3A-IETV-NIRIS;<br />
• 2012-NATO – TEDS JCTD/CWP;<br />
• 2012-NATO – NLVC (FLAMES), including JTLS.<br />
All test where successful. Performed tests covered exchanging Link 16 messages<br />
over JREAP protocol <strong>and</strong> visualization of exchanged information.<br />
B. Unification of identifiers<br />
CID Server uses various protocols <strong>and</strong> each of them use its own identifiers<br />
for battlefield objects. CID JASMINE will solve this issue in the following way:<br />
• For all types of information received by CID JASMINE the original information<br />
will be preserved.<br />
• If it will be necessary to map information between different protocols <strong>and</strong><br />
it will be impossible to translate identifiers, then new identifiers will be<br />
generated according to configuration.<br />
• Once created mappings for identifiers will be stored for future use, to guarantee<br />
that each piece of information will be mapped in one way.<br />
• System will provide user interface for configuring <strong>and</strong> manually manipulating<br />
all mappings.<br />
Presented above strategy will be used not only for identifiers mappings but<br />
for all parameters of battlefield objects that require mappings.<br />
C. Performance <strong>and</strong> reliability<br />
The quality of CID Server depends mainly on the two factors:<br />
• Quality of Data Services, i.e. the services that are responsible for storing<br />
<strong>and</strong> providing data.<br />
• Quality of internal communication infrastructure.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
329<br />
This two elements will be supported in CID JASMINE in the following way:<br />
• Data Store will be based on relational database, however it will be supported<br />
with object oriented database <strong>and</strong> additional caching mechanism. On this<br />
area TELDAT engineers has broad experience gained during developing<br />
Data Services for tactical comm<strong>and</strong> systems (BMS JASMINE).<br />
• Communication <strong>and</strong> messaging infrastructure will be provided by Message<br />
Bus, the TELDAT middleware solution that provide robust, scalable <strong>and</strong><br />
reliable infrastructure for interconnecting system services.<br />
Provided mechanisms will guarantee proper quality:<br />
• The performance of system will be based on scalability of data services <strong>and</strong><br />
Message Bus. It will be possible to add new physical servers that will work<br />
as cluster for CID JASMINE during mission, without interrupting the server.<br />
• Reliability will be assured by reliable-messaging that is part of TELDAT<br />
Message Bus solution.<br />
VI. Summary<br />
As has been presented in the article, Combat Identification is a basic capability<br />
for modern forces. CID Server is one of the solutions that extend CID capabilities<br />
<strong>and</strong> in some scenarios it is essential. The importance of CID Server has been noticed<br />
by NATO nations <strong>and</strong> also by NATO itself. First solutions have been implemented<br />
<strong>and</strong> STANAG development has been started.<br />
CID JASMINE is an implementation of CID Server from TELDAT company.<br />
The main advantages of CID JASMINE will be:<br />
• Interoperability – it supports all required interfaces <strong>and</strong> protocols;<br />
• Performance <strong>and</strong> quality – based on the proven components of JASMINE<br />
System <strong>and</strong> SOA architecture it provides powerful platform for CID data<br />
exchange.<br />
CID JASMINE is a net-centric product <strong>and</strong> an element of NNEC compliant architecture<br />
of JASMINE System. It consists of hardware <strong>and</strong> software elements <strong>and</strong> therefore<br />
it is a complete product ready to use on the field, in particular in NATO operations.<br />
References<br />
[1] http://www.baesystems.com/capability/BAES_034933/combat-identification-iff<br />
[2] http://www.esg.de/<br />
[3] “NATO St<strong>and</strong>ard for Services to Forward Friendly Force <strong>Information</strong> to Weapon<br />
Delivery Assets”, Draft, January 2011, NATO St<strong>and</strong>ardization Agency.<br />
[4] “NATO St<strong>and</strong>ard for Services to Forward Friendly Force <strong>Information</strong> to Weapon<br />
Delivery Assets”, Draft, August 2011, NATO St<strong>and</strong>ardization Agency.
330 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[5] Join Warfighting Science <strong>and</strong> <strong>Technology</strong> Plan, February 2000, Department of Defence,<br />
http://www.wslfweb.org/docs/dstp2000/jwstppdf/00-title.pdf<br />
[6] Join Warfighting Science <strong>and</strong> <strong>Technology</strong> Plan, 1997, Deparment Of Defence, http://<br />
www.fas.org/spp/military/docops/defense/97_jwstp/jw4c.htm<br />
[7] V. de Sortis, NFFI Service Interoperability Profile 3 (SIP3) Technical Specifications<br />
(VERSION 1.1.5).<br />
[8] STANAG 5527 NATO Friendly Force <strong>Information</strong> St<strong>and</strong>ard for Interoperability<br />
of Force Tracking Systems.<br />
[9] STANAG 5516, Edition 6, TACTICAL DATA EXCHANGE – Link 16.<br />
[10] “Departament of Defence Interface St<strong>and</strong>ard for the Joint Range Extension Application<br />
Protocol (JREAP)” MIL-STD 3011.<br />
[11] “Means for operational data exchange in JASMINE System”, <strong>Military</strong> <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> Systems Conference MCC 2009, 29-30 September 2009, Prague,<br />
Czech Republic.<br />
[12] T.Z. Kosowski, Ł. Apiecionek, “JASMINE system: network centric concept <strong>and</strong><br />
practical solution”, <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems Conference<br />
MCC 2009, 29-30 September 2009, Prague, Czech Republic.<br />
[13] W. Zawadzki, „JASMIN wkracza do armii”, Nowa Technika Wojskowa nr 5/2007.<br />
[14] H. Kruszynski, „Zastosowanie systemu JASMIN”, Nowa Technika Wojskowa nr 9/2006.<br />
[15] H. Kruszynski, L. Apiecionek, M. Dziamski, „JASMIN w warsztatach Combined<br />
Endeavor 2008”, RAPORT nr 06/2008.<br />
[16] Multilateral Interoperability Programme, The Joint C3 <strong>Information</strong> Exchange Data<br />
Model (JC3IEDM Main), 2007.<br />
[17] „Sposoby wymiany danych operacyjnych w systemie JAŚMIN”, XVII Konferencja<br />
Naukowa Automatyzacji Dowodzenia w Gdyni, czerwiec 2009 r.<br />
[18] „Practical Solution”, Nowa Technika Wojskowa – Future Soldier, 2010 r.<br />
[19] „Comm<strong>and</strong> <strong>and</strong> Control Portal as a unified way of collaboration of different staff cells<br />
in army headquarters on operational level as well as cooperation with external civil<br />
organisations”, proceedings of the <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
Conference MCC 2011, 17-18 October 2011, Amsterdam, Netherl<strong>and</strong>s, p. 53-68.<br />
[20] „Reliable <strong>and</strong> effective management of hardware <strong>and</strong> software in battlefield<br />
environment”, proceedings of the <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Systems<br />
Conference MCC 2011, 17-18 October 2011, Amsterdam, Netherl<strong>and</strong>s, p. 169-180.<br />
[21] “Portal systemu wspomagania dowodzenia, jako sposób współpracy różnych komórek<br />
sztabu szczebla operacyjnego oraz kooperacji z zewnętrznymi organizacjami cywilnymi”,<br />
XIX Konferencja Naukowa „Automatyzacji Dowodzenia”, 2011 r., współautor.<br />
[22] D.J. Bryant, D.G. Smith, “Impact of Uncertain Cues on Combat Identification<br />
Judgments”, Defence R&D Canada, Technical Report.<br />
[23] Joint Center For Lessons Learned, Rethinking Combat Identification, vol. IV, Issue 3,<br />
June 2002.<br />
[24] Combat Identification Systems, Strengthened Management Efforts Needed to Ensure<br />
Required Capabilities, United States General Accounting Office, June 2001.<br />
[25] “Technologia Web Portali we wspomaganiu pracy komórek sztabu z uwzględnieniem<br />
procesu tworzenia obrazu z rozpoznania”, Seminarium w AON, 2011 r.
Managing Lessons Learnt from Daily Missions<br />
– Methodology <strong>and</strong> Tool<br />
Witold Hołubowicz, Wojciech Dymowski, Tomasz Springer<br />
ITTI Ltd., Adam Mickiewicz University, Poznań, Pol<strong>and</strong>,<br />
{holub, wojciech.dymowski, tomasz.springer}@itti.com.pl<br />
Abstract: The paper is aimed to present an approach to managing military experience <strong>and</strong> the software<br />
tool dedicated for this purpose. This approach (SIMS Lesson Learnt methodology) <strong>and</strong><br />
the tool (SIMS Lesson Learnt tool) are some of the results of the European Defence Agency (EDA)<br />
funded SIMS project, which-focus on force protection issues. The developed methodology is based<br />
on a recurrent <strong>and</strong> continuous lesson learnt process where phases of acquiring, analyzing <strong>and</strong><br />
applying experience can be distinguished. In order to improve dissemination of knowledge, each<br />
phase off the LL process is reached as soon as possible. Additionally, new information resulting<br />
from each phase is available for the widest possible range of all those concerned. To support lesson<br />
learnt process activities, a dedicated IT tool – SIMS LL – has been developed. The SIMS LL tool uses<br />
various methods of interactive, visual representation of the lesson learnt related data to enhance<br />
the operator cognition. The analysis of the data in terms of the SIMS LL tool refers mostly to identification<br />
of correlations between particular data entities (e.g. events, human terrain information)<br />
<strong>and</strong> drawing conclusions from such correlations. As a result of the analysis, a lesson learnt related<br />
data entity with relevant correlations is being created (e.g. an observation with correlated events,<br />
lessons identified). In the end a recommendation which is a key product of analysing lesson learnt<br />
related data can be defined. Such recommendations may be a proposition of a certain change in regulations,<br />
the system of training <strong>and</strong> doctrines, based on the analysed experiences <strong>and</strong> affecting<br />
directly safety <strong>and</strong> effectiveness of future military missions.<br />
Keywords: lesson learnt, military, experience, daily mission, SIMS, EDA, PDT, methodology, process,<br />
DOTMPLF, recommendation, observation<br />
I. Introduction<br />
Conducting recent military operations (e.g. Desert Storm, Iraq Freedom,<br />
Enduring Freedom) has emphasized the need for fast acquiring, analyzing <strong>and</strong><br />
disseminating new information from the battlefield. This includes also soldiers<br />
experience, which is the most valuable source of information especially in terms<br />
of dynamically planned daily missions (e.g. convoys, patrols) in an asymmetrical<br />
environment. Therefore, as a part of EDA SIMS project, a structured approach<br />
to managing military experience <strong>and</strong> a dedicated for this purpose, have been<br />
developed.
332 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The paper is aimed to present this approach (SIMS Lesson Learnt methodology)<br />
<strong>and</strong> the latest knowledge of the SIMS Lesson Learnt tool (SIMS LL tool)<br />
design <strong>and</strong> functional scope.<br />
During the SIMS project, the knowledge of military officers with substantial<br />
operational experience acquired during missions e.g. in the Balkan region,<br />
in Iraq <strong>and</strong> Afghanistan has been explored. On that basis, a coherent methodology<br />
that may be used for effective collection of lessons learnt based on experience<br />
of soldiers <strong>and</strong> civilians coming back from current <strong>and</strong> future missions has been<br />
prepared. A crucial aspect of this methodology is to enhance the information available<br />
in the process of mission planning <strong>and</strong> mission execution. Initially it focuses<br />
on gathering more <strong>and</strong> better information in order to finally allow SIMS system<br />
to provide “smarter” information. Apart from direct use of information in mission<br />
planning <strong>and</strong> execution processes, this methodology addresses also the concept<br />
of improving pre-deployment training <strong>and</strong> other aspects of DOTMLPF (Doctrine,<br />
Organization, Training, Materiel, Leadership <strong>and</strong> education, Personnel, <strong>and</strong> Facilities).<br />
The “smarter” information can be used for increase the effectiveness of training<br />
soldiers, planning <strong>and</strong> executing missions in a certain environment; <strong>and</strong> can also be<br />
used to verify <strong>and</strong> improve the concept of operations (CONOPS) e.g. operational<br />
procedures <strong>and</strong> even doctrinal documents.<br />
The SIMS LL tool supports the proposed methodology, especially the LL process<br />
closing the whole information loop <strong>and</strong> focusing on three levels: daily missions,<br />
pre-deployment training <strong>and</strong> procedures <strong>and</strong> doctrine.<br />
II. Lessons learnt methodology based on experience<br />
from daily missions<br />
The term Lessons Learnt was initially derived from the field of knowledge<br />
management, which comprises several theories on how to retrieve knowledge gained<br />
by experience in organizations. As far as the military point of view is concerned,<br />
there are two main institutions dealing with Lessons Learnt systems, which are<br />
The Centre for Army Lessons Learnt (CALL) <strong>and</strong> Joint Analysis Lessons Learnt<br />
Centre (JALLC), the latter representing NATO. The CALL LL approach 1 takes into<br />
account the idea of Lessons Learnt in the military which is the following: individuals<br />
<strong>and</strong> the organization itself can reduce the risk of making mistakes <strong>and</strong> improve<br />
chances of success. While the NATO LL states that lessons learnt are “results from<br />
the implementation of a remedial action that produced an improved performance or<br />
increased capability” [2]. Both approaches share the same idea which is to gather<br />
1<br />
[1] “Lessons Learnt are validated knowledge <strong>and</strong> experience derived from observations <strong>and</strong> the historical<br />
study of military training, exercises, <strong>and</strong> combat operations that lead to a change in behavior at either the tactical<br />
(st<strong>and</strong>ing operating procedures [SOP]), TTP, etc.), operational, or strategic level or in one or more<br />
of the Army’s DOTMLPF (doctrine, organization, training, materiel, leadership <strong>and</strong> education, personnel,<br />
<strong>and</strong> facilities) domains.”
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
333<br />
experiences in military operations that lead to identification of new methods,<br />
strategies, etc., validate them <strong>and</strong> distribute them across the army.<br />
In the LL field, a LL methodology is usually described as a set of processes,<br />
methods, techniques <strong>and</strong> tools that are employed as part of the common LL process.<br />
The methodology describes several processes that need to be followed to<br />
obtain a LL, <strong>and</strong> establishes the general aim of those processes. In the LL area,<br />
these processes are broken down into several sub-processes, involving a process<br />
for gathering data for possible LL, validating the data as a possible lesson, storing<br />
the LL <strong>and</strong> distributing it. For the purpose of developing SIMS LL methodology<br />
<strong>and</strong> supporting tool, various approaches, both military <strong>and</strong> civilian have been analyzed<br />
(e.g. SECI Model, Generic LL Process, AAR, NATO LL collection method).<br />
However this analyse does not provide a clear <strong>and</strong> common set of definitions. For<br />
that reason, the following definitions were introduced <strong>and</strong> used in order to describe<br />
SIMS LL process within the methodology:<br />
• Lessons Learnt process (LL process): the process in which the experience<br />
of a military organisation is used in order to enrich its knowledge, which<br />
is then used to improve the effectiveness of actions that are undertaken,<br />
• Observations: the information describing the events which are associated<br />
with the mission that has been executed. Observations can be gathered by<br />
using an IT system.<br />
• Lesson Identified (LI): an ordered set of observations <strong>and</strong> additional elements<br />
such as generalisations, recognised patterns, recommended actions<br />
<strong>and</strong> reactions.<br />
• Lesson Learnt (LL): any set of observations, LI <strong>and</strong> recommended actions<br />
that proved effective in practice. The knowledge based on LL is continuously<br />
used in the organization to ensure the success of the mission.<br />
• Lesson Learnt Officer (LLO): a person who processes the observations.<br />
LL Officer’s tasks can embrace all aspects of the process, starting from<br />
the analysis of observations up to preparation of recommendation.<br />
• Pre Deployment Training (PDT): the part of military training which is focused<br />
on preparation of soldiers for a specific operation e.g. ISAF operation<br />
in Afghanistan.<br />
• DOTMPLF: abbrev. Doctrine, Organization, Training, Materiel, Leadership<br />
<strong>and</strong> Education, Personnel <strong>and</strong> Facilities.<br />
The analysis of existing approaches to lessons learnt <strong>and</strong> military needs, allowed<br />
to identify key elements <strong>and</strong> characteristics which should be used in the defining<br />
the Lessons Learnt process for SIMS. Due to the nature of the SIMS project <strong>and</strong><br />
its military purpose, the military methodologies are treated as more meaningful,<br />
<strong>and</strong> thus more important.<br />
The defined SIMS LL Process is a recurrent <strong>and</strong> continuous process. In relation<br />
to military organizations, the following phases of this process can be distinguished:
334 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• Acquiring experience – the phase in which missions are conducted based<br />
on the mission plan. The LL process should begin with gathering all the raw<br />
data derived from observations made during the mission as well as from<br />
other possible sources <strong>and</strong> sensors. At this stage it comes down to mining<br />
the entire knowledge in possession of organisation, both explicit <strong>and</strong><br />
tacit. In the military context, it is collecting all the observations made by<br />
individual soldiers during the mission <strong>and</strong> the data recorded by different<br />
sensors. Data collection should include all the available sources, if only<br />
the data might be potentially useful.<br />
• Gathering <strong>and</strong> analyzing experience – the phase where the information<br />
is gathered, analysing <strong>and</strong> processed. LI <strong>and</strong>/or LL are results of processing<br />
observations. Analytical operations will cover collecting, structuring,<br />
filtering <strong>and</strong> analyzing data, so that one can develop information on<br />
certain events <strong>and</strong> situations. This group of actions will develop certain<br />
patterns of behaviour/procedures, saying what should be done when<br />
certain circumstances occur. This means that collected observations <strong>and</strong><br />
data are compiled <strong>and</strong> converted into information on certain situations,<br />
phenomena <strong>and</strong> objects. On the basis of this information, conclusions<br />
are drawn, <strong>and</strong> from the conclusions appropriate behaviour patterns <strong>and</strong><br />
reaction models can be developed. An analysis can be carried out either<br />
by the LLO or other experts, at different levels of decision making. They<br />
can recommend changes in the relevant aspects of DOTMPLF. The LLO<br />
or another expert has access to information related to missions on each<br />
step of observations or LI analysis. Collected observations, LI <strong>and</strong> LL are<br />
available for planners (according to relevant procedures defining access<br />
to information). Recommendations prepared are related to either PDT<br />
or DOTMPLF.<br />
• Applying experience – the phase of taking advantage of the knowledge<br />
gained from experience by applying it to core activities performed by<br />
the military organisation (e.g. planning <strong>and</strong> executing daily missions).<br />
All respective LI should be taken into account during the training <strong>and</strong><br />
preparation of soldiers for the next missions, but also when planning<br />
new missions <strong>and</strong> creating military doctrines. A LI is checked <strong>and</strong> tested<br />
in the operational environment during the training process. After being<br />
tested in the operational environment, the LI is further analysed. Then<br />
a detailed description is created, which contains all the elements like inputs,<br />
outputs, roles <strong>and</strong> responsibilities. Structured LI should be further<br />
tested in the live environment, either a combat mission or training. After<br />
being tested in the live environment, LI obtains the status of Lesson Learnt.<br />
The changes derive from LL, LI <strong>and</strong> regulations in PDT <strong>and</strong> DOTMPLF.<br />
The knowledge spreads faster in small organisations in contrast with more<br />
complex organisational structures like military ones. The formal process of data
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
335<br />
<strong>and</strong> knowledge updating on the basis of new experience is relatively long in military<br />
organisations. In order to improve this situation, one of the possibilities is to<br />
enable each phase of LL process to be reached as soon as possible. Additionally,<br />
new information resulting from each phase should be available for (but not necessarily<br />
distributed directly among) the widest possible range of all those concerned.<br />
The diagram below presents the implementation of the LL process which considers<br />
fast circulation of the information.<br />
Figure 1. The Lessons Learnt process in military organization<br />
The level of experience in the military organization increases within every<br />
iteration of the process. The level of experience could be estimated e.g. by the amount<br />
of observations identified <strong>and</strong> described. In the LL process the availability of information<br />
gives the opportunity to share the gained experience straightaway, even at<br />
the time of gathering the information. Thanks to this quick access, even to the information<br />
that has not passed the analysis step, the LL process especially supports<br />
the implementation of daily missions connected with asymmetric threats, where<br />
every piece of information can influence the success of the mission. Moreover<br />
mission planning <strong>and</strong> execution in an asymmetric threats environment is much<br />
more difficult because of unexpected actions of the opponents. In such a situation<br />
the most required ability is to learn the organization by itself to avoid making further<br />
mistakes <strong>and</strong> draw conclusions from the short-term history of the opponents actions.<br />
The most important thing, therefore, is the implementation of the LL process<br />
in military structures according to the presented model.<br />
III. Recommending – the output of the process<br />
Recommendations are one of the key products of the LL process. Recommend<br />
(in addition to collecting information about the observations <strong>and</strong> their analysis)
336 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
should be seen as one of the three main stages of the LL process. The recommending<br />
process involves three main stages:<br />
• preparation of recommendations,<br />
• implementation of recommendations,<br />
• monitoring <strong>and</strong> updating of the recommendations (recommendations<br />
management).<br />
Recommendations propose changes in regulations, the system of training<br />
<strong>and</strong> doctrines, based on the analyzed experiences (which are obtained as daily<br />
observations of the daily missions). The quality of recommendations is largely<br />
determined both by the competent collecting of information about events <strong>and</strong><br />
the results obtained in a complete analysis of the collected observations. The development<br />
of appropriate recommendations to a large extent determines their use<br />
in theory <strong>and</strong>/or military practice. Each phase of this process is dependent on each<br />
other. Therefore, it is worth noting, that the major determinants of the generation<br />
of added value in the LL process is the interdependence of particular LL phases.<br />
Interdependence is manifested primarily through the presence of many couplings,<br />
mainly between phases. The results obtained from the preceding phase are the base<br />
point (input data) to implement the next phase.<br />
The primary objective is to produce a recommendation during the recommendation<br />
process. The intermediate objectives of this process are consistent with<br />
the objectives of the SIMS, project, i.e. improvement of the following processes:<br />
• mission planning,<br />
• <strong>and</strong> execution of missions.<br />
Achieving these objectives implies the development of a formalized document<br />
that contains a parametrised recommendation. This means that such a document<br />
(Recommendation) should include, among others the following content:<br />
• defined <strong>and</strong> measurable goal of recommendations,<br />
• tasks to be executed,<br />
• boundary conditions of these tasks.<br />
Expected results of implementatin of this phase of the LL process allow to:<br />
• increase the effectiveness of the mission,<br />
• increase the level of situational awareness in the daily missions,<br />
• verify <strong>and</strong> improve the methodology referring to the interpretation of documents<br />
concerning the operations of the army – in particular for recommending<br />
changes which will enhance soldiers capabilities:<br />
✓ tactical (following Rules of Combat ROC)<br />
✓ operational-tactical (the development of mission plans/planning process)<br />
✓ strategic (improving doctrine),<br />
• increase the effectiveness of training (for example, new content will be<br />
introduced in training programs, there will be more case-s, <strong>and</strong> many<br />
diverse instances of their use will be discussed).
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
337<br />
A recommendation shall be a formal document <strong>and</strong> should be composed<br />
of three main sections:<br />
• header,<br />
• body (appropriate recommendation),<br />
• signature/authorization.<br />
In the header section the following fields should appear:<br />
• name of the recommendation (e.g. streamlining procedures for the identification<br />
of ID),<br />
• reference of the recommendation (e.g.: Rec/14/2011/F2,F3,F4)<br />
✓ Rec – recommendation,<br />
✓ number of recommendation,<br />
✓ YYYY year in which the recommendation was developed,<br />
✓ a phase (phase) of the mission recommendation (optional):<br />
■ F1 – prior to the planning phase of the mission,<br />
■ F2 – the planning phase,<br />
■ F3 – the training phase,<br />
■ F4 – the execution phase,<br />
■ F5 – the mission evaluation phase,<br />
• the recommendations creation date, writens in a suitable format (e.g. YYYY.<br />
MM.DD/2011.04.18),<br />
• place of issue (e.g. Pol<strong>and</strong>, Poznan),<br />
• originator of the recommendation,<br />
✓ rank, name <strong>and</strong> surname (e.g. Sgt. John Doe),<br />
✓ originating institution / organisational unit (e.g., the General Staff<br />
of Army / Department of Strategy <strong>and</strong> Defence Planning),<br />
• recipient (recipients) of recommendations:<br />
✓ Country / unit name (e.g. Afghanistan / 6 Logistic Base),<br />
✓ An institution / organisational unit (e.g., the General Staff of Army /<br />
Department of Strategy <strong>and</strong> Defence Planning),<br />
• a concise description (a few sentences of description what the recommendation<br />
refers to).<br />
General knowledge of the recommendation phase in the process of constnt<br />
learning at the stage of implementation manifests itself with specific problems<br />
which have a very complex structure <strong>and</strong> form an immense intellectual challenge.<br />
It seems obvious that organisations should benefit from processing the knowledge<br />
related to historical events. Such events should be well-documented <strong>and</strong> include<br />
both positive <strong>and</strong> negative aspects.<br />
IV. LL tool functions <strong>and</strong> architecture<br />
The SIMS LL tool is assumed to be used for effective gathering of observations,<br />
processing them <strong>and</strong> applying the results of this process within military structures.
338 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The LL tool supports the SIMS Lesson Learnt process in the following way:<br />
• gives an instant access to the most recent information concerning planned<br />
missions, missions in progress <strong>and</strong> executed missions (e.g. information<br />
about the incidents, socio-cultural events, soldiers personal remarks, mission<br />
plans, debriefing notes). This access can be accomplished by the use<br />
of common information storage, database;<br />
• enables gathering of observations based on the information acquired from<br />
the common database. Centralization of the lesson learnt related data allows<br />
sharing the most recent knowledge <strong>and</strong> improves its management. By<br />
providing a set of predefined data filters, SIMS LL tool enables effective<br />
gathering <strong>and</strong> processing of only relevant data;<br />
• enables tracing the causes <strong>and</strong> effects of observations, lessons identified,<br />
lessons learnt <strong>and</strong> recommendations. Providing an easy way to indicate<br />
a cause (e.g. particular incidents) of the effect (e.g. observation) through<br />
the use of various tools <strong>and</strong> methods, supports the stage of analysis<br />
of the SIMS LL process. SIMS LL tool is capable of using different analysis<br />
methods available through additional plug-ins (additional LL related data<br />
visualisation methods);<br />
• enhances the process of recommending changes in regulations, the system<br />
of training <strong>and</strong> doctrines through the cause-effect analysis of observations<br />
<strong>and</strong> lessons identified. The SIMS LL tool enables creating correlations<br />
between lesson learnt related data;<br />
• enhances the process of dissemination of the lesson learnt related data<br />
among mission planning cells, unit comm<strong>and</strong>ers <strong>and</strong> soldiers through<br />
the centralization <strong>and</strong> flexible access to the data;<br />
• enables organising of the lesson learnt related data in hierarchical structures<br />
of dependencies;<br />
• provides a structured way of managing the lesson learnt data according to<br />
the SIMS LL process. The SIMS LL tool will guide a user through the process<br />
of creating such data, taking care of their completeness <strong>and</strong> consistency.<br />
• enables formalisation of recording lesson learnt related data. The SIMS<br />
LL tool provides templates for observations, lessons identified, lessons<br />
learnt <strong>and</strong> recommendations documents.<br />
• enables generating of formal electronic LL reports (in common file formats<br />
e.g. doc, rtf, pdf).<br />
The SIMS LL tool can support the analysis stage of the SIMS LL process.<br />
In order to provide such a support, SIMS LL tool uses interactive methods of visual<br />
representation of the LL related data to enhance the LLO cognition. The analysis<br />
of the LL related data in terms of the SIMS LL tool consists mainly in creating correlations<br />
between particular data entities (e.g. events) <strong>and</strong> drawing conclusions<br />
from such correlations. As a result of such analysis the LL related data entity with<br />
relevant correlations is created (e.g. an observation with correlated events). An ex-
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
339<br />
ample of a dependency tree graph analytical plug-in for SIMS LL tool is included<br />
in current version of the tool.<br />
The effectiveness of using the SIMS LL tool for the purposes of the analysis<br />
of lesson learnt related data, depends on the quantity <strong>and</strong> quality of the available<br />
source data for the LL process. The higher amount of input data (e.g. incidents,<br />
human terrain data) for the SIMS LL process might increase the total number<br />
of observations, <strong>and</strong> as a consequence the number of recommendations incresase<br />
as well, while the better quality of the input data (e.g. in terms of number of possible<br />
correlations, <strong>and</strong> completeness) might improve the observation <strong>and</strong> recommendation<br />
accuracy.<br />
The SIMS LL tool is a multiplatform st<strong>and</strong>alone pure Java client application.<br />
The Java Swing components together with external Flamingo <strong>and</strong> Substance packages<br />
were used for implementing SIMS LL tool graphical user interface (GUI). In order<br />
to ease future development <strong>and</strong> tool upgrades, common design patterns were used<br />
while implementation (e.g. MVC). The tool is intended to be used together with<br />
PostgreSQL database as a data storage. However, the SIMS LL tool is open for the integration<br />
with other database types or even web-services technologies.<br />
V. The potential of the tool in mission planning, execution<br />
<strong>and</strong> training<br />
The SIMS project results are delivered in the form of a prototype which is far<br />
from being an operational tool guaranteeing reliability in the real world. Nevertheless<br />
SIMS LL tool currently could be used for historical data analysis <strong>and</strong> for training<br />
purposes – as an application used to collect <strong>and</strong> analyse information available from<br />
the past operations, missions.<br />
The main area of operation of the SIMS LL tool:<br />
• for debriefing purposes or Post Action Review, the tool provides the officers<br />
responsible for the LL the possibility to fill in data from the mission<br />
together with their comments <strong>and</strong> observations.<br />
• in the analysis stage the tool allows to:<br />
✓ browse the contents of the knowledge database using filters (filters are<br />
predefined, but users can configure them as well),<br />
✓ browse information on the analysed missions <strong>and</strong> other historic missions,<br />
✓ search missions <strong>and</strong> similar events (e.g. associated with the same area<br />
or type)<br />
✓ correlate events (e.g. incidents) <strong>and</strong> other information from the knowledge<br />
database <strong>and</strong> create observations from them, based on their similarity<br />
(e.g. the participation of soldiers in firing at a distance that is shorter<br />
than the one covered by the st<strong>and</strong>ard used during mission training, or a new<br />
kind of threat, like IEDs placed in a new location – behind the posters.<br />
✓ visualise the correlations between the objects (e.g. incidents, observations),
340 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• at the recommendation stage to develop recommendations based on the collected<br />
observations <strong>and</strong> define the entity responsible for the approval or<br />
implementation of recommendations,<br />
• after preparing the recommendations the tool allows to browse them, <strong>and</strong><br />
to easily find <strong>and</strong> view the observations <strong>and</strong> events (e.g. Incidents) that<br />
originated them; this feature can be used for example to update the training<br />
for future changes or as a support for introducing changes in procedures<br />
<strong>and</strong> doctrines.<br />
The following are considered potential uses of the developed methods <strong>and</strong><br />
SIMS LL tool by polish military lesson learnt dedicated:<br />
• to develop <strong>and</strong> maintain LL training adapted to specific needs of polish<br />
military.<br />
✓ SIMS LL methods can be used to carry out the theoretical part of the training<br />
for officers, who may have the role of a LL officer, <strong>and</strong> who executes<br />
selected tasks from LL area at different stages of the LL process.<br />
✓ to use the LL tool to conduct LL workshops involving completing<br />
the information, their analysis <strong>and</strong> preparation.<br />
✓ to prepare the training which is similar to the course “Lessons Learnt<br />
Staff Officers Course” like e.g. training as an introduction to that course,<br />
or courses extending under specific local conditions.<br />
• to introduce modifications in the debriefing process or Post Action Review<br />
aiming at improving the information collection system to make a better<br />
use of the experience (LL)<br />
• to collect experience from operations <strong>and</strong> missions conducted by polish<br />
military <strong>and</strong> analyse them by combining different types of information.<br />
• to make use of the observation database as a basis for preparing recommendations,<br />
procedural <strong>and</strong> doctrinal changes.<br />
The implementation of the features mentioned above require to update the tool<br />
to the appropriate technological level in order to allow a stable operation in the real<br />
world, or operational training.<br />
VI. The use of LL tool<br />
The SIMS LL tool GUI consist of three main sections:<br />
• toolbar, where all the basic tools for managing lesson learnt data are placed.<br />
Additional plug-ins (e.g. analytical tools) as well as settings are also available<br />
in this section;<br />
• LL related data, where input (e.g. incidents, human terrain information)<br />
<strong>and</strong> output (e.g. observations, recommendations) data for the LL process<br />
are available for browsing <strong>and</strong> filtering. Data are organised in hierarchical<br />
structures <strong>and</strong> can be stored in the remote or local databases;
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
341<br />
• LLO workspace, where lesson learnt related data are being browsed, created<br />
or updated.<br />
The following pictures presents basic the LL tool GUI sections.<br />
Figure 2. Main LL tool window<br />
Figure 3. Lesson learnt related data trees section<br />
SIMS LL tool supports multi monitor display in order to provide bigger<br />
workspace for the LLO. Therefore it is possible to view LL related data in separate<br />
or detached windows (instead of internal LL tool tabs), <strong>and</strong> organised them<br />
in the preferable manner.
342 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 4. Lesson learnt related data correlations visualization – dependency tree<br />
graph plug-in in detached window mode<br />
VII. Future development<br />
SIMS LL tool is being constantly improved thanks to the extensive testing<br />
<strong>and</strong> evaluation. Due to the modular design, it is easy to add new functionalities<br />
in the future, or to adjust the tool to the needs of a particular army or even civil<br />
organisation.<br />
Currently, ITTI is working on extending LL tool capabilities to georeferenced<br />
data visualisation <strong>and</strong> analysis, using GIS components. Such functionality, will provide<br />
additional lesson learnt spatial analysis capabilities (e.g. analysis of events, incidents,<br />
observations etc. related to the places in a given radius around a certain point on<br />
the map). Moreover, improvements in the dependency tree graph visualization plugin<br />
will be made. Creating dependency graphs interactively (e.g. using drag <strong>and</strong> drop<br />
features), together with automatic nodes ordering into pattern groups might bring<br />
significant benefits to the process of lesson learnt related data analysis.<br />
In order to provide fast lesson learnt related data dissemination among soldiers<br />
in the battlefield, there is a need to adjust SIMS LL tool to the capabilities of modern<br />
mobile devices (PDA, tablet, smartphone etc.). Therefore, to make an effort<br />
to meet military expectations, SIMS LL tool lite version for Android compatible<br />
multi-touch devices is begin prepared.<br />
One of the very important aspects of the further development of Lessons<br />
Learnt methodology <strong>and</strong> tool is to focus on other specific application areas. Cyber<br />
Crime is one of many subjects not to be left out nowadays. An example of approach<br />
related to gathering factual material (<strong>and</strong> thus part of an lessons learnt ideology)<br />
in the area of cyber threats is the work on a software tool (Cyber Tool) that has been<br />
developed as part of EDA ATHENA project in the workpackage devoted to modelling<br />
physical threats. In this work authors have identified a need of defining a unifying<br />
methodology for gathering factual material on cyber threats. Following such<br />
approach will help gather <strong>and</strong> in turn analyse incidents in cyber layer in order to<br />
identify possible risks related to security of daily missions.
Chapter 3: <strong>Information</strong> <strong>Technology</strong> for Interoperability <strong>and</strong> Decision...<br />
343<br />
References<br />
[1] CALL (Centre for Army Lessons Learnt), March 2009. Comm<strong>and</strong>er’s guide to<br />
operational records <strong>and</strong> Data Collection. H<strong>and</strong>book 09-22. Chapter 4. Collection<br />
priorities. Available at: http://www.globalsecurity.org/military/library/report/call/<br />
call_09-22-ch04.htm<br />
[2] NATO. NATO Lessons Learnt H<strong>and</strong>book. First edition, October 2010. Joint Analysis<br />
<strong>and</strong> Lessons Learnt Centre Lisbon, Portugal. Available at: http://www.jallc.nato.int/<br />
Documents/
Chapter 4<br />
<strong>Information</strong> Assurance & Cyber Defence
Federated Cyber Defence System<br />
– Applied Methods <strong>and</strong> Techniques 1<br />
Bartosz Jasiul 1 , Rafał Piotrowski 1 , Przemysław Bereziński 1 ,<br />
Michał Choraś 2, 3 , Rafał Kozik 2, 3 , Juliusz Brzostek 4<br />
1 <strong>Military</strong> Communication Institute, Zegrze, Pol<strong>and</strong>,<br />
{b.jasiul, r.piotrowski, p.berezinski}@wil.waw.pl<br />
2 ITTI Sp. z o.o., Poznań, michal.choras@itti.com.pl<br />
3 University of <strong>Technology</strong> <strong>and</strong> Life Sciences, Bydgoszcz, Pol<strong>and</strong>, chorasm@utp.edu.pl<br />
4 NASK, Warszawa, Pol<strong>and</strong>, juliusz.brzostek@nask.pl<br />
Abstract: In this paper implementation details of the Federated Cyber Defence System (FCDS) are<br />
presented. The main system components are described including their architecture, used protocols<br />
<strong>and</strong> security mechanisms. Moreover the benefits of the system are highlighted as well as recommendations<br />
<strong>and</strong> future work are proposed.<br />
Keywords: Cyber defence, cyber security, attack detection, Federation of Systems, Intrusion Prevention<br />
System, Intrusion Detection System<br />
I. Introduction<br />
Nowadays information exchange between companies as well as among common<br />
network users is natural. Internet as a global communication medium is used for<br />
business, social, personal but also criminal purposes. Cyber terrorism has become<br />
one of the most significant threats to public institutions using the Internet in everyday<br />
communication. Potential threats for a wide range of various networks <strong>and</strong> critical<br />
public infrastructures may be generated by both domestic <strong>and</strong> foreign users. Harmful<br />
activities cover broad spectrum of cyber threats <strong>and</strong> potential cyber attacks. They<br />
can influence communication links, data resources, their integrity, confidentiality<br />
<strong>and</strong> availability. According to the Open Web Application Project [1] nowadays top<br />
ten security risks in the Internet are: 1) Injection, 2) Cross-Site Scripting (XSS),<br />
3) Broken Authentication <strong>and</strong> Session Management, 4) Insecure Direct Object<br />
References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration,<br />
7) Insecure Cryptographic Storage, 8) Failure to Restrict URL Access, 9) Insufficient<br />
Transport Layer Protection, 10) Unvalidated Redirects <strong>and</strong> Forwards.<br />
Prototype of Federated Cyber Defence System (FCDS) is a developed to minimize<br />
number of threats <strong>and</strong> attacks that may affect the domain connected to the open
348 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
network. FCDS is the system that cooperates in Federation of Systems (FoS) in order<br />
to gain advantage over adversaries. FoS is an association of loosely coupled countries,<br />
states, companies, societies, or organizations, each retaining control of its own<br />
network. Domains in FoS are so connected or related as to produce results beyond<br />
those achievable by the individual systems alone. Recently, the concept of federated<br />
networks <strong>and</strong> systems has gained much attention in the context of military<br />
networks <strong>and</strong> NATO Network Enabled Capabilities (NNEC) [2].<br />
Typical security solutions to prevent data <strong>and</strong> network infrastructures are<br />
firewalls, antivirus software, etc. They should be systematically updated according<br />
to the recommendations provided by vendors. Every network domain acts according<br />
to its own autonomous security policy which treats reaction to detected attacks<br />
as its internal activity. The lack of synchronization among network administrators<br />
causes that network security level depends on employed solutions <strong>and</strong> system<br />
administrator awareness <strong>and</strong> skills.<br />
Presented FCDS offers exchange of information related to security aspects<br />
(e.g. detected attacks <strong>and</strong> recommended reaction). This enables to achieve an effect<br />
of synergy where common reaction to identified malicious actions is more<br />
effective than many uncoordinated reactions realized by single domain. Exchange<br />
of information on threats, detected attacks <strong>and</strong> verified security metrics improves<br />
situational awareness in federated domains. Similarly, coordinated detection <strong>and</strong><br />
reaction to attacks is more accurate, precise <strong>and</strong> adopted in timely manner. In this<br />
manner the federated networks resistance to attacks is increased.<br />
The advantage of FCDS is a capability to collect <strong>and</strong> correlate events aroused<br />
by various sensors spread in own <strong>and</strong> federated domains. In comparison, typical<br />
defense systems use only data provided by proprietary sensors. Heterogeneity<br />
of accepted events from various networks layers <strong>and</strong> domains allows to detect attacks<br />
<strong>and</strong> malicious actions faster that it was possible before joining the federation.<br />
In FCDS a response is prepared <strong>and</strong> applied to reactions elements of protected<br />
domain as fast as an attack is detected.<br />
II. System architecture<br />
FCDS is a system prototype designed for improvement of federated network<br />
cyber security. It consists of autonomous subsystems which are deployed in protected<br />
networks /domains (Figure 1). Each domain consists of FCDS elements: a number<br />
of sensors (S), one decision module (DM) <strong>and</strong> a number of reaction elements (RE).<br />
Sensors supply decision module with alarms about events observed in the network.<br />
Decision module performs reasoning <strong>and</strong> makes decision if the observed action<br />
is an attack <strong>and</strong> produces appropriate rules applicable to reaction elements. These<br />
rules include information how to respond to detected attack in order to minimize<br />
its undesirable effects. Decision modules deployed in autonomous networks share<br />
information about detected attacks <strong>and</strong> recommended reactions. It is assumed that
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
349<br />
information exchange between them is voluntary as well as the use of recommended<br />
reactions depends on internal domain security policy <strong>and</strong> administrator decision.<br />
This approach enables to achieve synergy effect, when set of domains functioning<br />
together is able to produce a result not independently obtainable.<br />
Figure 1. FCDS architecture<br />
Proposed architecture consists of separated communication channels for<br />
the exchange of information between FoS partners. An advantage of this approach<br />
is the ability to decide which kind of information can be exchanged with a specific<br />
coalition partner. In contrast, the management of this structure is complex <strong>and</strong><br />
error-prone. In case of a change in coalition membership, all domains have to update<br />
their communication relations. Thus, there is a huge management overhead<br />
for a large amount of 1-to-1 communication links [3].<br />
III. Prototype implementation – applied methods <strong>and</strong> techniques<br />
Architecture described in previous paragraph was implemented in Java environment.<br />
For the purpose of testing there were created 3 domains, where functional<br />
elements are deployed.<br />
A. Sensors<br />
For every domain, a different set of sensors was used. Some of them are proprietary<br />
<strong>and</strong> some are widely used open source or commercial solutions. Each of them is deployed<br />
in a specific location (e.g. a network segment, a server) <strong>and</strong> acts in a different way.<br />
SNORT [4] is the most popular open source Network Intrusion Detection<br />
<strong>and</strong> Prevention System (NIDS/NIPS). It has the ability to carry out real-time traffic
350 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
analysis <strong>and</strong> packet logging on IP networks. SNORT performs protocol analysis, content<br />
searching, <strong>and</strong> matching. Detection mechanisms relay on signatures of known<br />
attacks. Both built-in <strong>and</strong> proprietary signatures for scanning, fingerprinting, reverse<br />
shell code execution etc. were used. SNORT was configured a bit differently in each<br />
domain, i.e., a different set of rules <strong>and</strong> modules was applied.<br />
OSSEC [5] is a widely used open source Host Intrusion Detection System<br />
(HIDS) <strong>and</strong> Security <strong>Information</strong> Event Management (SIEM) system. It performs<br />
log analysis, integrity checking, policy monitoring. In SOPAS, it was used mainly<br />
for log analysis. Both built-in <strong>and</strong> proprietary OSSEC log file decoders <strong>and</strong> rules<br />
for FTP (proFTPD, vsFTP) <strong>and</strong> WWW (Apache) servers were applied.<br />
ARAKIS [6] is a commercial system developed by NASK (FCDS project<br />
partner). It is an early warning system detecting novel network threats. ARAKIS<br />
uses low interaction server side honeypots <strong>and</strong> simulates a set of servers exposing<br />
most popular services, passively waiting for an attack. The system uses novel<br />
technologies to detect anomalies <strong>and</strong> generate on-the-fly accurate SNORT attacks<br />
signatures. It was installed in one of the SOPAS domains <strong>and</strong> it shares information<br />
with other domains. Dedicated Syslog [7] <strong>and</strong> WAPI [8] interface between ARAKIS<br />
<strong>and</strong> Decision Module was implemented <strong>and</strong> new methods of visualization were<br />
designed <strong>and</strong> applied.<br />
HoneySpider Network (HSN) [9] is another commercial system developed by<br />
NASK. It focuses on attacks involving the use of web browsers <strong>and</strong> it is based on<br />
client-side honeypots. HSN actively interacts with servers <strong>and</strong> processes malicious<br />
data. It engages a client honeypot solutions <strong>and</strong> a novel crawler application specially<br />
tailored for the bulk processing of URLs. Dedicated Syslog <strong>and</strong> WAPI interface to<br />
Decision Module was implemented.<br />
Proprietary Anomaly Detectors (AD) which address the problem of finding<br />
patterns in data that do not conform an expected behavior, were also deployed.<br />
First AD is a database traffic anomaly detector based on genetic algorithms. It learns<br />
normal (proper) database traffic e.g. SQL queries, saves its pattern in the form of best<br />
matching regular expressions <strong>and</strong> alerts as anomalous every query which does<br />
not match this pattern. Another AD is a network volume anomaly detector. It sets<br />
the threshold for normal traffic, e.g., FTP control connection traffic volume, <strong>and</strong><br />
alerts as anomalous every traffic exceeding this threshold. For the above-mentioned<br />
FTP example, exceeding a threshold may indicate an FTP brute force or dictionary<br />
attack. Another AD examples are dedicated log file analyzers which are based on<br />
the knowledge what is normal <strong>and</strong> what is anomalous.<br />
Syslog [7] was chosen as an event exchange mechanism between Sensors <strong>and</strong><br />
their local Decision Module. Syslog is st<strong>and</strong>ardized by IETF (RFC 3164, RFC 5424).<br />
It is supported by a wide variety of devices <strong>and</strong> applications across multiple platforms.<br />
St<strong>and</strong>ard Syslog provides a transport via UDP, to allow a device to send event<br />
notification messages across IP networks to event message collectors. There is no<br />
confirmation of an event reception. The Syslog packet size is limited to 1024 bytes
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
351<br />
<strong>and</strong> carries the following information: categorized source called facility, severity<br />
(from debug to emergency), host or interface name, timestamp <strong>and</strong> message<br />
(unst<strong>and</strong>ardized description of event). Syslog supports hierarchical network architecture.<br />
Lack of reliable transfer of events from Sensors to local Decision Modules<br />
was unacceptable in SOPAS; thus decision about using Syslog-ng [7] implementation<br />
which support transport using TCP was made. To make the communication<br />
secure, a built in TLS mechanism based on X.509 certificates provides encryption<br />
<strong>and</strong> mutual authentication between the host <strong>and</strong> the server.<br />
B. Decision Module<br />
Each DM is responsible for acquiring <strong>and</strong> processing network events coming<br />
from sensors distributed over the domain. If the attack or its symptoms are detected<br />
in one domain, the relevant information are disseminated to other cooperating<br />
domains so that appropriate countermeasures can be applied.<br />
Decision module in the proposed federated system is responsible for correlating<br />
network events in order to detect <strong>and</strong> recognize malicious events in the network.<br />
DM consists of the following components [10]:<br />
• Correlation Engine (e.g. based on the Borealis system),<br />
• CLIPS rule engine,<br />
• Ontology (in OWL format),<br />
• Graphical User Interface.<br />
The Decision Module components are presented in Figure 2, while the UML<br />
diagram is shown in Figure 3.<br />
Figure 2. Decision Module architecture <strong>and</strong> components [10]<br />
Borealis is a distributed stream processing engine <strong>and</strong> is responsible for<br />
gathering information generated by the network sensors [11]. Correlation engine
352 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
has mechanism that allows the Decision Module to efficiently execute multiple<br />
queries over the data streams in order to perform event correlation. The result<br />
of a correlation process is an intermediate event that is further processed by<br />
CLIPS rule engine [12]. CLIPS uses ontology that describes broad range of network<br />
security aspects (we use ‘’FCDS ontology’’ developed in our project). CLIPS<br />
engine identifies whenever some attacks or malicious network events have been<br />
discovered. The information describing the network incident <strong>and</strong> reconfiguration<br />
procedures (Common Decision Rule – CDR) are sent to Translator. Moreover,<br />
detailed information in human readable format are generated <strong>and</strong> visualized to<br />
network administrators via DM GUI.<br />
Figure 3. UML diagram of DM<br />
Data received from network sensors is arranged in streams. Each stream is built<br />
of multiple tuples (events). Each tuple, depending on sensor type, may have different<br />
schema. Borealis allows to process streams in order to correlate information<br />
coming from different sources <strong>and</strong> to detect network incidents more efficiently.<br />
The query that is executed over the multiple streams consists of operators. There<br />
are different kinds of operators provided by the Borealis engine that allow for aggregation,<br />
filtering <strong>and</strong> joining data coming from different streams.<br />
According to Figure 2. only intermediate events are matched with the knowledge<br />
stored in the ontology. The intermediate events are obtained via the Borealis<br />
query that is executed over the streams of a network events. Their names, types<br />
<strong>and</strong> schemas are maintained in the ontology. Each intermediate event received by<br />
CLIPS rule engine is considered as attack symptom <strong>and</strong> as such is matched with<br />
knowledge in the ontology in order infer the most probable attack [13].<br />
The example of symptom matching is graphically presented in Figure 4.<br />
When the symptoms are received by CLIPS rule engine the most probable attacks<br />
are inferred. However one symptom could match several attacks, therefore CLIPS<br />
is responsible for computing the probability score <strong>and</strong> alerting about these attacks,<br />
for which the calculated score exceeds the detection threshold.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
353<br />
Figure 4. Matching sensor events (symptoms) with knowledge in ontology [13]<br />
If the attack is detected it may have accompanying (described in ontology)<br />
general decision rule that will minimize consequences. There are several pre-defined<br />
general reactions such as blocking, traffic redirection (e.g. to a trap or back to<br />
the attacker), administrator notification or service disabling.<br />
The ontology defines different security policies (what reactions are recommended/allowed<br />
in the particular domain) for different domains, therefore CLIPS<br />
additionally matches this knowledge with appropriate general reaction rule to avoid<br />
policy violation.<br />
Each Decision Module can react to network events <strong>and</strong> attacks by sending<br />
information (CDR) to the Translator element <strong>and</strong> then to RE. The output information<br />
from DMs is the CDR describing attack symptoms (information about network<br />
events) <strong>and</strong> particular reaction rule to be applied by reaction elements. Translator<br />
has the knowledge about its subnet capabilities <strong>and</strong> can access the necessary reaction<br />
elements (e.g. firewalls, filters or IDS). Reaction elements can be reconfigured<br />
by Translator in order to apply comm<strong>and</strong>s sent by the Decision Module.<br />
All Decision Modules within the federation can also interact with each other<br />
<strong>and</strong> exchange security information. Particularly information about network incidents,<br />
like attack in one domain, may be sent to different Decisions Modules in order<br />
to block the attacker before the consequent attack takes place on another domain.<br />
Communication between domains <strong>and</strong> Decision Modules is based on P2P (Peerto-Peer)<br />
in order to increase communication resiliency <strong>and</strong> enable data replication.<br />
Moreover, P2P approach allows the proposed system to overcome IP addressing<br />
issues <strong>and</strong> minimize the configuration cost.<br />
The proposed approach allows the system to have redundant communication<br />
channels between Decision Modules. Particularly, when a physical connection<br />
is under attack or is congested, the communication packets still have an opportunity<br />
to reach the destination DM using a different path.<br />
The used communication channels are encrypted using the SSL algorithm.<br />
This allows to protect the communication against the packet sniffing (by third
354 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
persons). Additionally, payload is encrypted with different keys <strong>and</strong> it can be only<br />
decrypted by domains that belong to the same distribution group (nodes relaying<br />
the message can not read the payload).<br />
The visualization methods <strong>and</strong> Decision Module GUI will allow the administrator<br />
of the proposed system to increase the situational awareness. The goal<br />
of the Decision Module GUI is to visualize the network status <strong>and</strong> provide information<br />
about historical <strong>and</strong> current network events <strong>and</strong> security incidents. DM will use<br />
data about historical network performance, information from the underlying online<br />
system <strong>and</strong> reported network events. The tool will analyze <strong>and</strong> present the threats,<br />
provide support <strong>and</strong> guidance to the operator <strong>and</strong> will evaluate potential actions<br />
to be taken as well as decisions made by the administrator.<br />
One of the visualization examples is shown in Figure 5.<br />
Figure 5. GUI visualization<br />
Furthermore, GUI allows the administrator to visualize the network events<br />
currently processed by the Decision Module, manage the communication between<br />
different DMs <strong>and</strong> decide what types of decisions rules can be distributed <strong>and</strong><br />
shared with other domains.<br />
Very important functionality of FCDS is the possibility of semi-automate prevention/reaction<br />
to attacks. Full CDR describes how RE should react to detected attack.<br />
This CDR is transformed by translator (Figure 3) into comm<strong>and</strong>s underst<strong>and</strong>able by<br />
response elements (e.g. firewalls). Then translator sends them to selected RE.<br />
C. Reaction elements<br />
The FCDS architecture includes reaction elements. They are responsible<br />
for actions, which enable prevention, limitation or cut down hostile actions. It is<br />
obvious that response to certain attacks may be difficult <strong>and</strong> sometimes impos-
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
355<br />
sible (e.g. DDOS attack). Some reactions may be harmful from the point of view<br />
of protected domain business.<br />
In FCDS prototype there are implemented following open source reaction<br />
elements:<br />
• Firewall – iptabeles;<br />
• DNS blackholing – Bind;<br />
• Web Proxy – Squid.<br />
They were chosen after requirements definition for developed system.<br />
First of them iptables [14] is an application used to manage packet filtering.<br />
It enables creating Linux firewalls (stateful firewall) or NAT (Network<br />
Address Translation). System administrator defines chains including set of rules<br />
e.g. ACCEPT, DROP, REJECT (Figure 6).<br />
Figure 6. Definition of rules for iptables<br />
Each rule in a chain contains the specification of which packets it matches.<br />
Packets are processed by sequentially traversing the rules in chains. In FCDS iptables<br />
is used for dropping IP packets when source/destination address is recognized<br />
as intrusive.<br />
Second implemented RE is also open source software for DNS blackholing<br />
– Bind [15]. Bind publishes the Blacklist of IP addresses of zombie computers<br />
or other machines being used to send spam, listing the addresses of ISPs who<br />
willingly host spammers, or listing addresses which have sent spam to a honeypot<br />
system. In FCDS system the blacklist is created basing on HSN sensor (system<br />
Honey Spider Network [9] working as a sensor). In the case of FoS environment<br />
DNS blackholing is destined for user computer protection against visiting infected<br />
www portals. It requires proper user terminal configuration to enforce utilization<br />
of appropriate DNS server.<br />
As the Web Proxy as RE in developed system is used Squid [16]. Squid<br />
is a proxy which offers a rich access control, authorization <strong>and</strong> logging environment<br />
to develop web proxy <strong>and</strong> content serving applications. Squid is a highperformance<br />
proxy caching server for web clients, supporting FTP, <strong>and</strong> HTTP
356 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
data objects. Squid h<strong>and</strong>les all requests in a single, non-blocking, I/O-driven<br />
process over IPv4 or IPv6. Squid supports SSL, extensive access controls, <strong>and</strong> full<br />
request logging. By using the lightweight Internet Cache Protocol, Squid caches<br />
can be arranged in a hierarchy or mesh for additional b<strong>and</strong>width savings. For<br />
the project purposes it acts as an intermediary for requests from clients seeking<br />
resources from other servers. As RE in FCDS system it is used for blocking access to<br />
a dangerous/infected web services <strong>and</strong> informing the invoker that the page/resource<br />
consists of harmful content.<br />
All described RE are deployed on the edge of each protected domain. Such<br />
solution enables total separation from other domains in extraordinary situation.<br />
Moreover it enables immediate reaction. In more sophisticated scenario it is feasible<br />
to place these reaction elements in front of each computer in the network.<br />
Such solution would enable precise reaction in the case when internal terminal<br />
within the domain is infected (eg. broadcasts spam) or the user starts unauthorized<br />
actions. Common reaction in the federation is also possible in order to counteract<br />
external attacks (from outside the FoS). In this case all incoming network connections<br />
should be filtered.<br />
It is worth noticing, that not for all detected attacks will be possible preparation<br />
of full CDR (with reaction). In such situation experienced administrators will<br />
be able to prepare the CDR manually <strong>and</strong> send it to RE. CDRs may be prepared<br />
for limited time interval as well as they may be deactivated when they are obsolete.<br />
IV. Recemmendations <strong>and</strong> future work<br />
Presented FCDS enables information exchange between cooperating domains<br />
<strong>and</strong> reaction against cyber attacks. In reality such cooperation requires high level<br />
of trust between network owners. The paper describes implementation details<br />
of FCDS system which enables security measures improvement by multi-sensor<br />
attack detection <strong>and</strong> joint reaction. Cooperation among federated domains <strong>and</strong><br />
cyber information sharing is crucial to enable detection of distributed attacks.<br />
Reliable <strong>and</strong> secure communication is required for sensor data collection, CDR<br />
distribution <strong>and</strong> Reaction element remote control.<br />
Future work will cover continuous development of ontology, machine learning<br />
techniques <strong>and</strong> statistical anomaly based approach. These techniques will improve<br />
DM capabilities in the area of precise attack detection <strong>and</strong> possible response to<br />
minimize the attack effects. In order to provide cyber information sharing capability<br />
with other systems FCDS must employ commonly accepted format. Some proposals<br />
are decrscribed in [3] which should be considered in the future. Moreover, trust<br />
management aspects shall be studied.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
357<br />
References<br />
[1] https://www.owasp.org/<br />
[2] Network Centric Warfare: Developing <strong>and</strong> Leveraging <strong>Information</strong> Superiority,<br />
by Alberts, Garstka, <strong>and</strong> Stein, CCRP Press, 1999.<br />
[3] L. Beaudoin at all, Coalition Network Defence Common Operational Picture,<br />
NATO <strong>Information</strong> Systems <strong>and</strong> <strong>Technology</strong> Panel Symposium, Tallinn, Estonia,<br />
November 2010 http://ftp.rta.nato.int/public/PubFullText/RTO/MP/RTO-MP-IST-091/<br />
MP-IST-091-P03.doc.<br />
[4] www.snort.org<br />
[5] www.ossec.net<br />
[6] www.arakis.pl<br />
[7] http://www.syslog.org/<br />
[8] www.wombat-project.eu<br />
[9] http://www.honeyspider.org/<br />
[10] M. Choraś, R. Kozik, R. Piotrowski, J. Brzostek, W. Holubowicz, Network<br />
Events Correlation for Federated Networks Protection System, In Abramowicz W. et al.<br />
(Eds).: Towards a Service Based Internet, LNCS, Springer-Verlag, 2011.<br />
[11] Borealis project homepage: http://www.cs.brown.edu/research/borealis/public/<br />
[12] CLIPS project homepage: http://clipsrules.sourceforge.net/<br />
[13] M. Choraś, R. Kozik, Network Event Correlation <strong>and</strong> Semantic Reasoning for<br />
Federated Networks Protection System, In Chaki N. et al. (Eds.): Computer <strong>Information</strong><br />
Systems – Analysis <strong>and</strong> Technologies, <strong>Communications</strong> in Computer <strong>and</strong> <strong>Information</strong><br />
Science CCIS, 48-54, Springer, 2011.<br />
[14] www.netfilter.org/<br />
[15] http://www.bind9.net/<br />
[16] http://www.squid-cache.org/<br />
[17] www.balabit.com<br />
[18] www.cee.mitre.org
Identity <strong>and</strong> Access Services in NATO<br />
Federation Scenarios<br />
Robert Malewicz, Rui Fiske, Graeme Lunt<br />
Core Enterprise Services, NATO C3 Agency, The Hague, The Netherl<strong>and</strong>s,<br />
robert.malewicz@ncia.nato.int<br />
Abstract: This paper describes an approach for the effective implementation of a st<strong>and</strong>ards-based<br />
solution for authentication <strong>and</strong> authorization services across user realms in NATO.<br />
Keywords: component: identity <strong>and</strong> access management, federation, SAML, XACML<br />
I. Introduction<br />
A. Background<br />
Identity <strong>and</strong> Access Management (I&AM) has gained a significant attention<br />
in NATO recently. NATO engages in missions that involve different types of partners<br />
ranging from NATO <strong>and</strong> Non-NATO nations through to international organizations<br />
<strong>and</strong> industry.<br />
The diversity of data sharing scenarios makes the boundaries of user <strong>and</strong> asset<br />
governance realms less obvious. Therefore, much more stress is put nowadays on<br />
trusted mechanisms to control access authorization, going beyond “local” domains,<br />
<strong>and</strong> even beyond the enterprise. The simultaneous application, in a balanced way,<br />
of two contradictory (by nature) concepts is required on a large scale in a multisecurity<br />
classification information processing environment, i.e. the Need-to-Share<br />
operational requirement <strong>and</strong> the Need-to-Know security principle.<br />
The problem itself is not new in classified computing environments. The Biba<br />
Model (from 70s), the Bell-LaPadula Model (from 90s) are just two examples of existing<br />
access control enforcement mechanisms. However, the scale of the required<br />
integration in the NATO scenario is what poses a new challenge for communities<br />
of <strong>Information</strong> Assurance (IA), <strong>Information</strong> Services (IS) <strong>and</strong> <strong>Information</strong> <strong>and</strong><br />
Knowledge Management (IKM).<br />
In this context, a NATO-wide I&AM framework, coherent across both network<br />
<strong>and</strong> organizational boundaries, becomes a key enabler for extensive information<br />
sharing in different NATO federation scenarios.
360 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
B. NATO initiatives in the area of I&AM<br />
To date, following initiatives have been of significance in NATO within<br />
the I&AM area:<br />
• NATO Identity Management (NIDM) Workshop (2008-2009) – a combined<br />
effort of NATO Consultation, Comm<strong>and</strong> <strong>and</strong> Control Board (NC3B)<br />
<strong>Information</strong> Assurance Subcommittee (SC/4) <strong>and</strong> <strong>Information</strong> Systems<br />
Subcommittee (SC/5). As a result of this initiative, a NIDM Strawman [1]<br />
paper was published in 2009. The level of ambition for this document was to<br />
provide a framework for future work on NATO-wide Identity Management<br />
(IdM) concept, considering the federated nature on the NATO infrastructure;<br />
• NC3B SC/4 Security Management Infrastructure Ad Hoc Working Group<br />
addressed the IA view on different aspects related to identity, privilege, <strong>and</strong><br />
access management. In 2010, this group produced a paper, aimed to provide<br />
a strategic plan for Identity Management developments in NATO [2]<br />
as well as Security Management Infrastructure Directive [3], currently<br />
being the only document where some identity <strong>and</strong> access management<br />
aspects are regulated in NATO;<br />
• The Alliance Comm<strong>and</strong> Operations (ACO) identified the issue of missing<br />
NATO-wide I&AM mechanism in the operational NATO Network<br />
<strong>and</strong> <strong>Information</strong> Infrastructure (NII) that would be adequate to support<br />
future Alliance Operations <strong>and</strong> Missions (AOM). As a result, a document<br />
was released in June 2011, describing a strategy to provide a capability<br />
of AOM Federated Identity <strong>and</strong> Access Management (AIDAM) [4];<br />
• Anticipating the requirement to support NATO operations in federation<br />
scenarios, the Allied Comm<strong>and</strong> Transformation (ACT) supported a series<br />
of research programs in the area of I&AM, aimed to analyse possible solutions.<br />
Details can be found in [5].<br />
C. AIDAM capability strategy<br />
Published by ACO in June 2011, the so called AIDAM is an excellent source<br />
of operational requirements <strong>and</strong> a vision for utilization of identity <strong>and</strong> access<br />
control services in the NATO federations. It also provides some recommendations<br />
on the solutions that should be adopted. The AIDAM view is in line with<br />
the recommendations provided through the ACT research programs, clearly indicating<br />
the most promising direction to achieve the information sharing capability<br />
in the environment of heterogeneous NII.<br />
The AIDAM makes the following statements:<br />
• I&AM are key to cross-domain protection <strong>and</strong> sharing of sensitive Comm<strong>and</strong><br />
<strong>and</strong> Control (C2) information within federated Communities of Interest<br />
(CoI);
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
361<br />
• In the near term, the aim for web-based I&AM will pursue a claims-based<br />
I&AM;<br />
• In the mid-term IAM is to be arrived at by means of federated identity <strong>and</strong><br />
rights translation;<br />
• In the long-term AIDAM is to be obtained through st<strong>and</strong>ardization of all<br />
I&AM capabilities.<br />
II. NATO-specific architectural constrains<br />
A. NATO Bi-SC AIS network topology<br />
The current (<strong>and</strong> evolving) Bi-Strategic Comm<strong>and</strong> (Bi-SC) network topology<br />
is summarized <strong>and</strong> visualized in Figure 1.<br />
Figure 1. NATO NII Interconnection Visualization<br />
Detailed analysis of the Bi-SC Automated <strong>Information</strong> System (AIS) NII topology,<br />
as in [6], confirms a significant complexity in terms of possible network<br />
interconnection scenarios. The current situation can be summarized in the following<br />
way:<br />
• In the NATO Secret (NS) segment of the NATO NII, the domain integration<br />
approach allowed the achievement of a good level of consolidation.<br />
Still, fully centralized management of the entire NS segment will not be<br />
possible; in some cases only limited (unidirectional) trust relationship<br />
can be enabled between domains;
362 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• At the NU/NR level, the NATO NII is much more fragmented than NS.<br />
A concept of the NATO Enterprise Business Network (EBN) at the NR<br />
level is aimed to change this situation. The Public Access Network (PAN)<br />
network, currently operating on the NU level, will be promoted to the NR<br />
level, constituting the core of the future EBN. It will not be done overnight<br />
however.<br />
B. Two-dimensional NATO view<br />
Considering the governance realm aspect, which is particularly relevant<br />
when considering different federation scenarios, NATO can be seen in a twodimensional<br />
view [7]:<br />
• “NATO as an Enterprise” – consisting of NATO Headquarters (HQs), agencies,<br />
<strong>and</strong> other internal bodies, all together constituting a NATO enterprise;<br />
• “NATO as an Alliance” – understood as a federation of (currently) 28 NATO<br />
member nations, NATO partners (nations/international organizations/<br />
industry), <strong>and</strong> the NATO enterprise itself.<br />
Depending on which NATO view is being considered, there are different<br />
requirements for the NATO identity <strong>and</strong> access services, having impact on the ultimate<br />
solution.<br />
III. Federated I&Am architecture decision points<br />
Taking into account the complex structure of the NATO NII in both the NU/NR<br />
<strong>and</strong> NS environments, it is proposed to use a Web-based federated approach for<br />
development of the NATO I&AM architecture. Typically, there are eight decision<br />
filters that are followed to decide how to implement federation in a way that meets<br />
the organization’s requirements [8]. These decision points are:<br />
• Identity Production <strong>and</strong> Consumption,<br />
• Federation Topology,<br />
• User Identification,<br />
• Operational Security,<br />
• Trust Relationships,<br />
• Attributes,<br />
• Compliance,<br />
• St<strong>and</strong>ards.<br />
A. Identity production <strong>and</strong> consumption<br />
As in [8], after the federation scenario applicability validation, two key identity<br />
roles can be identified in the federated identity environment, <strong>and</strong> requires at least<br />
one of them to be applied to the domain:
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
363<br />
• Identity Producer, known as an Identity Provider (IdP) – if domain’s user<br />
identities must be asserted to other domains for access to “foreign” resources;<br />
• Identity Consumer, known as a Relying Party (RP) – if applications in a domain<br />
must identify users from other domains.<br />
The NATO Bi-SC AIS domains in both, NU/NR <strong>and</strong> NS, security zones will act<br />
as both an IdP <strong>and</strong> RP simultaneously. The decision about roles of other domains,<br />
federated with Bi‐SC AIS, will be determined at the implementation stage, after<br />
a thorough analysis of the business model of the domain joining the federation.<br />
B. Federation topology<br />
There are three basic topology models, applicable for a Web-based federation<br />
[8]:<br />
• Point-to-point,<br />
• Hub,<br />
• Network topology (shared federation services).<br />
The federation topology has a significant impact on the overall governance<br />
posture of the identity <strong>and</strong> access services. Therefore the options have to be analysed<br />
very thoroughly.<br />
Federation between NS <strong>and</strong> NU/NR is not achievable nowadays whilst policy<br />
restrictions limit the possible interconnection between those security domains<br />
to data-diode based solutions (Figure 1). Therefore, NS federation with NU/NR<br />
networks is not considered as a valid scenario in this study. However, the tendency<br />
can be currently observed to launch integration processes at all levels of the NII.<br />
It is an indication of the evolution path in long term, giving solid foundations to<br />
anticipate federation scenarios including enhanced forms of interactions between<br />
NS <strong>and</strong> NU/NR environments as well.<br />
1) Federation Topology for NS Bi-SC AIS: a Two (+One) “trust broker topology”<br />
is the recommended approach (Figure 2). Normally, it is applied in scenarios<br />
with a more centralized infrastructure, such as the one that can be found<br />
in the Secret environment.<br />
For a federation within the NATO as an Alliance” scenario, it is not recommended<br />
to directly federate the NATO Trust Broker with components from domains<br />
that operate under a governance realm different from NATO, as it might<br />
raise security issues.<br />
In such a case a federation should be established through a component located<br />
in the NATO Enterprise NS Gateway Zone. From the NATO as an Enterprise point<br />
of view, this component would operate as<br />
• NS Federation Shadow for scenarios including direct interactions of the NA-<br />
TO-external partners (e.g. national, mission domains) with NATO enterprise<br />
NS domains;
364 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• NS Federation Proxy, to control the policy compliant flow of the identity<br />
<strong>and</strong> access attributes. It should be noted that identity <strong>and</strong> access data<br />
processing is not explicitly addressed in the current NATO policy, which<br />
should be noted as a potential problem when defining policy rules at<br />
the Proxy.<br />
Figure 2. Federation Topology at the NS Level<br />
From the NATO as an Alliance point of view, the federation component<br />
in the Gateway Zone would operate as the Alliance Federation Broker, enabling<br />
federation services in the NATO Alliance.<br />
2) Federation Topology for NU/NR networks: taking into account a significant<br />
defragmentation in the NU/NR environment, the “Point-to-Point” option<br />
seems to be more accurate. A consequence of this approach will be an overall<br />
mesh-topology (Figure 3). Although more flexible, this topology is more<br />
difficult to manage <strong>and</strong> control. Accountability for the establishment <strong>and</strong><br />
maintenance of trust relationships with external parties is pushed down to<br />
the level of a single domain.<br />
The mesh topology should be adopted as an interim solution. It is anticipated<br />
that with implementation of the EBN concept at the NU/NR level, NATO will follow<br />
the same evolution path as the one delimited by the NS environment. When<br />
it happens, the “trust broker topology”, as proposed for the Bi-SC AIS NS area<br />
(Figure 2), would be more appropriate at the NU/NR level.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
365<br />
Figure 3. Federation Topology at the NU/NR Level<br />
C. Public key operations <strong>and</strong> infrastructure<br />
In the Web-based federation solutions, asymmetric cryptography techniques<br />
are used to underpin trustful identity <strong>and</strong> access data flows. This implies the use<br />
of public-key operations. In sensitive, classified, policy-driven environments, like<br />
the NATO organization, the requirement to utilize public-key operations has to<br />
be translated into the requirement to deploy a Public Key infrastructure (PKI).<br />
In NATO, it means a use of the NATO Public Key Infrastructure (NPKI), providing<br />
an assured foundation on top of which the NATO federation trust topology<br />
can be built. Without integrating with the existing NPKI, the federation services<br />
in NATO environment may not be considered as a valid solution.<br />
Currently, NATO is planning to deploy NPKI on two separate PKI branches,<br />
one on NS domain <strong>and</strong> the other one in support of NU/NR services. This structure<br />
reflects directly the NATO Security Policy identified sensitiveness levels of information<br />
assets as well as, in a sense, the current NATO network topology logic.<br />
From the federation services point of view, there are a number of challenges<br />
the NPKI needs to meet:<br />
• the management <strong>and</strong> distribution of certificates <strong>and</strong> private keys, which<br />
will be solved by the NPKI itself;<br />
• the validation of certificates. There are a number of approaches to this<br />
problem, e.g.:
366 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
✓ Certificate Revocation List (CRL) – from a distribution point that<br />
is specified in the certificate. This places a fair amount of work on<br />
the validating machine, <strong>and</strong> can involve the distribution of CRLs that<br />
are many megabytes in size.<br />
✓ Online Certificate Status Protocol (OSCP) responder, which can validate<br />
an individual certificate, <strong>and</strong> return a response without having to return<br />
the entire CRL.<br />
✓ XML Key Management Specification (XKMS) service that provides<br />
a mechanism for validating certificates through a Simple Object Access<br />
Protocol (SOAP) web service interface;<br />
• the distribution of the certificates themselves, particularly the public key<br />
associated with a certificate that is used for digital signatures, <strong>and</strong> – where<br />
necessary – encryption. Again, these can be retrieved from a directory,<br />
or may be manually distributed to entities that rely on them, so that certificates<br />
are held in a local certificate store on the machine.<br />
It should be noted that XKMS supports the validation of digital signatures<br />
<strong>and</strong> X.509 certificates as well as the distribution of public keys to relying parties.<br />
It also supports the registration <strong>and</strong> renewal of private keys for entities, <strong>and</strong> so<br />
should be considered as an integral part of any NPKI deployment.<br />
D. SAML token claims for entity identification<br />
In a federated system, such as is being described in this paper, attributes, also<br />
known as “claims” in Security Assertion Markup Language (SAML) terminology,<br />
describe an entity within a system. It is envisioned that the collection of claims will<br />
be represented in a digitally signed Security Token, which can be passed across<br />
organizational boundaries, <strong>and</strong> will have originated from an IdP. Other federation<br />
components can add further claims to the token from different sources, can map<br />
one attribute to another by changing the attribute’s Uniform Resource Identifier<br />
(URI) or even modify the value of the claim to one that can be processed by<br />
the target system.<br />
The collection of claims about an entity (either a user or a component of the system)<br />
in a security token represent entity’s identity in a specific context, <strong>and</strong> are<br />
used to make authorization decisions about what actions an actor is able to make<br />
on a particular resource.<br />
In order to achieve interoperability at the federation level, or even within<br />
a single domain, it is essential that the claims are unambiguously specified <strong>and</strong><br />
st<strong>and</strong>ardized, implying necessity of a st<strong>and</strong>ardization effort. It is recommended to<br />
utilize SAML st<strong>and</strong>ard. It is not only a st<strong>and</strong>ard protocol for stating assertions but<br />
also is widely accepted <strong>and</strong> used in diverse scenarios, demonstrating its suitability<br />
for federated environments.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
367<br />
In addition to that, claims st<strong>and</strong>ardization will also be required, including<br />
definitions of claims. It is because the semantic relationship between domains needs<br />
to be agreed, so claims mapping <strong>and</strong> processing rules can be effectively implemented<br />
on the claim receiving side for authorization decisions.<br />
This process of “Identity Mapping” is probably the most complex <strong>and</strong> expensive<br />
aspect of federation. It is recommended to development a Federation Profile<br />
that can be used by all partners in the federation, which specifies the metadata,<br />
attribute usage, <strong>and</strong> constraints on protocol option use as required [8]. Although<br />
NATO has started to develop “Service Interface Profiles” (SIP) for service interaction,<br />
the federation profile has not yet been issued. An analysis of the federation<br />
profile specified by the Transglobal Secure Collaboration Program (TSCP) [11] for<br />
adoption in NATO is a recommended approach.<br />
1) Management of claims:<br />
In order to successfully use claims for the identity of the actor within the system,<br />
<strong>and</strong> to ensure that they are unambiguous, each attribute has a unique identifier<br />
assigned to it, in a form of URI. These URIs must therefore be managed, to<br />
ensure that duplicate identifiers are not assigned for attributes that are not identical.<br />
Many common attributes, such as email address, CommonName, <strong>and</strong> Surname<br />
have already been defined by xmlsoap.org, an industry body that proposed many<br />
of the original SOAP <strong>and</strong> Web Services (WS)-* st<strong>and</strong>ards, <strong>and</strong> these are widely<br />
understood by Security Token Service (STS) implementations from many different<br />
suppliers. However, in case of attributes specific for a classified environment,<br />
such as Clearance, URIs must be registered with the appropriate body, e.g. NATO’s<br />
Naming <strong>and</strong> Addressing Registration Authority.<br />
2) Distribution of claims:<br />
Claims contain information about the entity which is to be shared with federation<br />
partners, <strong>and</strong> some consideration needs to be given to which attributes<br />
can be distributed outside NATO. Certain claims may be too sensitive to share with<br />
partners, <strong>and</strong> in some cases privacy issues must be respected to prevent personal<br />
information being distributed beyond organizational boundaries. One way to<br />
protect this information in transit is to encrypt the security tokens, <strong>and</strong> STSs must<br />
therefore be able to h<strong>and</strong>le encrypted tokens, but the scope of individual claims also<br />
needs to be specified. It is proposed, for example, that a user’s group membership<br />
at the domain level is not distributed outside NATO.<br />
In this context it is worth noting that the control of personal data <strong>and</strong> the protection<br />
of privacy are better guaranteed through the use of assertions rather than allowing<br />
shared access to identity information between domains.
368 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
3) Types of claims:<br />
Two key classes of claims have been identified concerning entities within<br />
the system:<br />
• Organizational claims, described as “Custodial Identity” in [8], are issued by<br />
the IdP of the entities, <strong>and</strong> represent their organizational role independent<br />
of the applications to be accessed. This includes common attributes such<br />
as nationality, clearance, email address, etc. A unique identifier should be also<br />
included, for which a common format has to be agreed. NATO unique identifiers<br />
will be generated by the NATO Enterprise Directory Service (NEDS),<br />
when deployed in the operational environment (mid 2013);<br />
• Application specific claims, described as “Contextual Identity” in [8], are<br />
issued by the relying party STSs <strong>and</strong> contain application-specific attributes<br />
to support authorization, <strong>and</strong> have little or no validity outside the scope<br />
of the application or service being consumed. These attributes are most likely<br />
to be retrieved from local attribute stores, such as directories or databases,<br />
<strong>and</strong> contain data about the roles of the actor in the application.<br />
In addition, Context claims describe the environment in which the entity is acting,<br />
<strong>and</strong> may be used as further parameters for evaluating authorization decisions.<br />
4) Modality of claims:<br />
When categorizing the requirement to include a claim in a token, modality<br />
values are proposed as follows:<br />
• M<strong>and</strong>atory – only the Unique Identifying Claim should be m<strong>and</strong>ated;<br />
• Recommended;<br />
• Optional;<br />
• Not Recommended;<br />
• Forbidden.<br />
5) Unique Identifying Claim:<br />
The Unique Identifying Claim should be used to identify the source of an entity<br />
as well uniquely identify the entity in all application-specific attribute stores.<br />
Therefore this unique identifier will be an organizational, rather than application<br />
claim. There is still some debate as to what the format of this attribute should be,<br />
though some requirements have been identified:<br />
• it will uniquely identify all entities (users, services, devices, etc.);<br />
• it will allow the identification of the source domain;<br />
• it will be semantically abstracted from the underlying data through the use<br />
of a NATO-specific URI. i.e. even though it may be the user’s email address,<br />
it will have a URI that identifies it as a unique identifier (ID) rather<br />
than email address;<br />
• it may be multi-valued, i.e. it may contain more than one attribute value.<br />
This will allow the use of other values (then e.g. an e-mail address) like
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
369<br />
the NATO Enterprise Identifier (NEDS terminology). Where multiple<br />
values are used for the identifying claim, then each value should be verified<br />
(at least by the federation broker) to ensure that it has been issued by<br />
the correct STS;<br />
• it will be a primitive data-type, i.e. a string value.<br />
E. Operational security<br />
This decision point covers the following areas:<br />
• Assertion-Based Authentication <strong>and</strong> Authorization Assurance – it is imperative<br />
that in a classified environment, such as the NATO enterprise,<br />
the identity of the subject is cryptographically bound to the message that<br />
is being sent. Therefore, when for example consuming or providing web<br />
services, it is required that some sort of proof of possession mechanism<br />
is used, such as one of the WS-Security Token Profiles;<br />
• Secure <strong>Communications</strong> – the aim of secure communications is to “provide<br />
mutual authentication <strong>and</strong> protect the integrity <strong>and</strong> confidentiality<br />
of communications channels”. In the case of browser-based sessions, it recommends<br />
the use of mutual authentication using client certificates over<br />
Hypertext Transfer Protocol Secure (HTTPS). However, within a NATO<br />
environment, confidentiality is provided at the lower levels of the stack,<br />
<strong>and</strong> the use of HTTPS, while not forbidden, is not preferred, in order to<br />
allow real-time monitoring by Intrusion Detection Systems;<br />
• Assertion-Level Security – assertions issued by the STS MUST be digitally<br />
signed to ensure that they are trusted by the relying parties. Although<br />
the confidentiality of the token in the NATO environment is again provided<br />
by the lower layers of the stack, Encrypted Assertions MAY be used<br />
to further protect the contents of SAML assertions that are distributed by<br />
the STS. Therefore, any STS MUST be able to issue both encrypted <strong>and</strong><br />
unencrypted tokens, <strong>and</strong> any Policy Enforcement Point (PEP) MUST be<br />
able to process both encrypted <strong>and</strong> unencrypted security tokens;<br />
• Audit <strong>and</strong> Forensics – regardless of the NATO dimension being considered<br />
(“NATO as an Enterprise” vs. “NATO as an Alliance”), the NATO applications<br />
require tight controls within the domains where they are used.<br />
It implies a requirement to use strong detective controls, not just the preventive<br />
ones. Currently, NATO is executing the NATO Computer Incident<br />
Response Capability (NCIRC) project, aimed to deploy the cyber defence<br />
capabilities (including audit <strong>and</strong> forensic functions) in both NS <strong>and</strong> NU/<br />
NR environments. In the context of the “NATO as an Enterprise” scenario,<br />
the task would be to identify the interfaces <strong>and</strong> mechanisms through which<br />
the federation services can be controlled <strong>and</strong> secured by the operational<br />
security infrastructure provided with the NCIRC project. The situation
370 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
is more difficult in the context of the “NATO as an Alliance” scenario, implying<br />
operations across governance realms. Apart from st<strong>and</strong>ard technical<br />
solution <strong>and</strong> internally developed procedures, it is necessary to develop<br />
templates for business agreements <strong>and</strong> processes for cross-domain forensic<br />
measures in order to facilitate auditing <strong>and</strong> ensure that investigative authorities<br />
have access to necessary information <strong>and</strong> can correlate information<br />
across domains as part of a detective control or for incident response.<br />
F. Trust relationships<br />
This decision point should determine the terms on which a domain may<br />
establish federations with partners. Depending on the federation scenario, trust<br />
relationships require agreements at a subset or at all the three levels as follows:<br />
• technical, proving technical framework of security specifications that can be<br />
derived from specifications defined in operational security,<br />
• business, describing functional aspects derived from the business case<br />
of the federation as well as the governance framework,<br />
• legal, proving the legal framework for the federation.<br />
Detailed analysis of the business <strong>and</strong> legal aspects are out of scope of this investigation.<br />
They seem, however, to be more relevant in the context of the “NATO<br />
as an Alliance” scenario. Specific regulations should address at least:<br />
• purpose of the federation,<br />
• required assurance levels,<br />
• use cases,<br />
• required security practices,<br />
• identity data usage limitations,<br />
• audit or assessment criteria for compliance with the federation regulations.<br />
Compliance validation with the federation rules is addressed in section H.<br />
G. Authorization <strong>and</strong> attribution<br />
This decision point is aimed to provide an answer to the following questions:<br />
• What attributes are going to be used for authorization decisions<br />
• How should attributes be exchanged between domains<br />
1) Federated authorization position:<br />
The current approach in NATO for authorization services is either to rely<br />
on Microsoft Active Directory (AD) capabilities or to utilize application specific<br />
authorization modules. As a result, NATO has to deal with highly decentralized<br />
(<strong>and</strong> often internally incoherent) policy infrastructures. It does not seem to be<br />
possible to easily change this approach. However, the upcoming service-oriented<br />
business processing pattern in NATO will pose new security challenges. Therefore,
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
371<br />
it is necessary to build the foundations for a future security policy infrastructure,<br />
capable of protecting efficiently the service-based interactions. If the centralized<br />
authorization service approach, as described below, is not followed in the “NATO<br />
as an Enterprise” scenario, it will not be possible to efficiently perform authorization<br />
actions in the “NATO as an Alliance” scenarios.<br />
The eXtensible Access Control Markup Language (XACML) specifications [10]<br />
identify key components of the policy infrastructure in support of the authorization<br />
decisions:<br />
• Policy Enforcement Point – gathers all the relevant data from the request,<br />
the request context or environment, <strong>and</strong> the state of the service,<br />
before submitting an authorization decision request to Policy Decision<br />
Point (PDP);<br />
• Policy Decision Point –responsible for authorising a particular entity (or<br />
“identity”) to perform an action on a resource. Once an authorization<br />
request is received from the PEP, then the matching policy is retrieved<br />
from the Policy Administration Point (PAP), where it may be cached, <strong>and</strong><br />
evaluated against the request. This results in a decision that is returned to<br />
the PEP, which may be “permit”, “deny”, or “unresolved”;<br />
• Policy Administration Point – supports the management of policies as well<br />
as the retrieval of policies for use by the PDPs;<br />
• Policy <strong>Information</strong> Point (PIP) – allows the further retrieval of attributes<br />
about entities within the system for use by the PDP, if required. The PIP<br />
will essentially be an interface to a repository (NEDS in the NATO NII),<br />
which stores attributes about all users, or to the local application-specific<br />
attribute store, either directly through Lightweight Directory Access Protocol<br />
(LDAP), or wrapped using a web services interface.<br />
2) Identity <strong>and</strong> access data repositories:<br />
Currently in NATO, there is no coherent approach applied to address the issue<br />
of identity <strong>and</strong> access data processing throughout its whole life-cycle. As a result,<br />
there are many identity repositories in NATO, maintaining pieces of identity data <strong>and</strong><br />
access data independently from each other. This situation causes serious problems<br />
in daily business operations but it also introduces a security flaw (e.g. uncontrollable<br />
privilege escalation, inactive accounts, etc.).<br />
The on-going deployment of NEDS, scheduled to be fully operational by<br />
mid-2013, will provide a meta-directory capability, aimed to synchronize the portions<br />
of identity <strong>and</strong> access data shared by different repositories <strong>and</strong> applications<br />
in the NS NII. In the mid/long term vision, NEDS would constitute a cornerstone<br />
of NATO-wide identity management processing. As such, it is anticipated to play<br />
a critical role also in the utilization of the federated identity capability.<br />
Identity <strong>and</strong> access data synchronization in the Secret space will be organized<br />
based on NEDS capabilities, as presented in Figure 4.
372 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 4. Directory Services Topology in Secret Environment<br />
NEDS is not meant to interconnect with any identity store operating in a different<br />
security zone <strong>and</strong>/or governance realm. In the NEDS project, the role of directory<br />
data synchronization repository for external parties is assigned to a (not<br />
yet deployed) Alliance Replication Hub (ARH). It will be deployed in the NS<br />
demilitarized zone (DMZ).<br />
It is recommended to use the ARH as an identity data store for the federation<br />
proxy component (Figure 2) in support of SAML-token issuance processes <strong>and</strong><br />
controlling functions.<br />
An option of the NEDS project will be executed in the future, aimed to deploy<br />
the directory data synchronization mechanism at the NU/NR level.<br />
3) Data (Attribute) types:<br />
Identity data can be categorized in the following way:<br />
• Biometrics,<br />
• Personally Identifiable <strong>Information</strong>,<br />
• Qualifications,<br />
• Tokens,<br />
• Roles,<br />
• Privileges.<br />
NATO specified the Allied <strong>Communications</strong> Publications (ACP) 133 directory<br />
services st<strong>and</strong>ard. It provides foundations for NEDS directory schema definition.<br />
However, ACP 133 is not capable to support all the categories listed above. Therefore,<br />
extensions of the ACP 133 st<strong>and</strong>ard may be required.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
373<br />
4) Attribute processing – implementation considerations:<br />
Two approaches are considered for utilization of SAML token claims in the authorization<br />
process:<br />
• A SAML token includes only a unique identifier of an entity (e.g. user,<br />
service). In this case, utilizing the ID extracted from the token, the RP<br />
local identity store has to be queried for other identity attributes required<br />
at the authorization process,<br />
• Apart from a unique identifier of an entity, additional claims are provided<br />
in a SAML token, required to perform the authorization. The additional<br />
attributes can be provided either by the IdP, or can be derived<br />
from the identity store in the DMZ area (if the “NATO as an Alliance”<br />
scenario is in a consideration), or from the local identity store of the RP<br />
(like in the previous case).<br />
The first option would be the recommended one. However, there might be<br />
cases when the other option, requiring additional attributes in tokens, will be<br />
more appropriate. This might be the case e.g. when the authorization component<br />
in the RP domain is not able to query the identity store, or the identity store is not<br />
available in RP’s domain.<br />
H. Compliance<br />
Federation trust relationships have to be verified in order to maintain the agreed<br />
(in a federation) business scope <strong>and</strong> level of protection.<br />
The compliance aspects should be considered separately in both NATO scenarios<br />
(NATO Enterprise vs. Alliance) as the means to ensure the compliance will<br />
differ for both scenarios.<br />
Normally, for low-risk <strong>and</strong> some medium risk applications, self-assessment<br />
<strong>and</strong> certification by a domain’s internal audit function may be sufficient.<br />
For some medium-risk <strong>and</strong> all high-risk scenarios, a periodic external audit will<br />
be necessary. In the “NATO as an Alliance” scenario, the federation agreement<br />
should clearly specify the following:<br />
• roles,<br />
• responsibilities,<br />
• procedures <strong>and</strong> st<strong>and</strong>ards,<br />
• liabilities in contracts<br />
I. St<strong>and</strong>ards<br />
The wide variety of federation use cases imply a variety of st<strong>and</strong>ards <strong>and</strong><br />
specifications that can be utilized. For the architecture proposed in this document,
374 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
it is recommended for NATO to address the following categories of the federation<br />
st<strong>and</strong>ardization aspects:<br />
• Federated authentication st<strong>and</strong>ards, to provide an input on which st<strong>and</strong>ards<br />
should be used for authentication among federated domains;<br />
• Attribute exchange st<strong>and</strong>ards, to provide an input on which st<strong>and</strong>ards<br />
should be used to conduct <strong>and</strong> control attribute exchange among federated<br />
domains;<br />
• Security st<strong>and</strong>ards, to provide an input on the coherent protection mechanisms<br />
to be applied in order to achieve the same protection level in the whole<br />
federation;<br />
• Federation-specific profiles, to provide an input on what a federation profile<br />
should specify;<br />
Depending on which NATO scenario is considered (NATO Enterprise vs.<br />
Alliance), the specific decisions in all the four identified areas may vary.<br />
Under the ACT Program of Work, several service interface profiles (SIP) have<br />
been proposed that should be utilized in the NATO federated identity <strong>and</strong> access<br />
service architecture specification.<br />
IV. Conclusions<br />
Achieving a successful implementation of the federation capability is strongly<br />
dependent on the IdM governance, currently missing in NATO, so that centralized<br />
administration of I&AM will be capable to overcome a lot of ad hoc solutions on<br />
the present. The IdM governance must include rigidly defined processes, supported<br />
by appropriate regulations in the NATO policy.<br />
The approach for cross-organizational authentication <strong>and</strong> authorization solution,<br />
proposed in this paper, provides foundations for a technical implementation<br />
of federation capabilities in NATO NII. It is not meant to replace the main authentication<br />
mechanism, based on Kerberos, being in use in NATO systems currently.<br />
Federation solutions are only meant to enhance a local authentication mechanism<br />
in user’s governance realm in support of information sharing capability across<br />
network <strong>and</strong> organizational boundaries.<br />
This enhancement aspect (instead of replacement) is very important to properly<br />
underst<strong>and</strong> how the federation capability should be utilized in NATO. In this<br />
context, it should be also noted that the authentication method used in a user<br />
“local” environment does not have any impact on the overall approach presented<br />
in this paper. Therefore, there is no contradiction between having the federation<br />
capability built-in the NATO systems core functionality package <strong>and</strong> for example<br />
the strong authentication capability required by the IA community through the Cyber<br />
Defence Action Plan [9].<br />
It should be noted that the strong authentication capability in the NATO<br />
Enterprise is desired but insufficient to meet collaboration requirements in com-
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
375<br />
plex user <strong>and</strong> information assets environment. The federation capability adds user<br />
authentication provisioning functionality, utilizing component-to-component<br />
authentication with the use of asymmetric cryptography techniques (X.509 certificates)<br />
<strong>and</strong> therefore it should be considered as an integral part of the future NATO<br />
I&AM framework.<br />
Finally, there are two sides of the “information asset protection coin”, i.e. information<br />
asset “Access” <strong>and</strong> “Release”. Both are equally important in more challenging<br />
scenarios, like operations across security domains. In this paper, providing<br />
the full capability to address the “Access” to an information asset is addressed.<br />
This is what is expected from the colloquially understood Identity Management.<br />
At the moment the “Access” capability is in place, however, it becomes apparent that<br />
it is insufficient to support the conduct of operations in a complex collaboration<br />
environment, as the “Release” aspect of information assets has to be also covered.<br />
Therefore, research should also be directed into the challenges of information object<br />
tagging, normally provided through labelling mechanisms.<br />
References<br />
[1] NC3B, “The NATO Identity Management Framework”, EAPC(AC/322-SC/4)<br />
N(2009)0002, March 2009.<br />
[2] NC3B, “NATO Identity Management Strategic Plan”, AC/322-D(2010)0054, December<br />
2010.<br />
[3] NC3B, “<strong>Information</strong> Assurance Technical <strong>and</strong> Implementation Directive on Security<br />
Management Infrastructure (SMI)”, AC/322-D(2010)0055-AS1, January 2011.<br />
[4] ACO, “Alliance Operations <strong>and</strong> Missions (AOM) Federated Identity <strong>and</strong> Access<br />
Management (AIDAM) Capability Strategy”, 3800/SPTCIS/CFOISM/2011/94<br />
– TT280649, June 2011.<br />
[5] R. Malewicz, M. Lehmann, “A Coherent Approach Towards NATO-Wide Identity<br />
<strong>and</strong> Access Management Concept”, NC3A RD 3266, July, 2011.<br />
[6] R.B. Arkis, M.J. Diepstraten, “Operational View <strong>and</strong> System View for an Alliance<br />
<strong>Information</strong> Infrastructure at NATO Restricted Classification Level”, NC3A RD 2659,<br />
July 2008.<br />
[7] M. Lehmann, R. Malewicz, “Concept And Architecture For Identity Management<br />
Test Campaign”, NC3A RD 2909, December 2009.<br />
[8] Burton Group, “Federated Identity – Reference Architecture Decision Point”,<br />
G00206782, December 2010.<br />
[9] NATO Security Committee, “NATO Cyber Defence Action Plan”, AC/35-N(2011)0003,<br />
August 2011.<br />
[10] OASIS, “eXtensible Access Control Markup Language (XACML) Version 2.0”, February<br />
2005.<br />
[11] TSCP, “Identity Federation Assertion Profile v.1.2”, 27 March 2012.
Development of High Assurance Guards for NATO<br />
Konrad Wrona, Geir Hallingstad<br />
Cyber Defence <strong>and</strong> Assured <strong>Information</strong> Sharing,<br />
NATO <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> Agency, The Hague, The Netherl<strong>and</strong>s<br />
{Konrad.Wrona, Geir.Hallingstad}@ncia.nato.int<br />
Abstract: High assurance guards are central to the ability to exchange information between federated<br />
partners, both in the battlefield <strong>and</strong> between strategic comm<strong>and</strong>s. The guards play important role<br />
in development of the NATO Network Enabled Capability <strong>and</strong> the NATO Future Mission Network.<br />
In this paper we present current activities within NATO related to the development of High Assurance<br />
Automated Guards <strong>and</strong> discuss possible use cases, evolution, <strong>and</strong> underlying design principles.<br />
Keywords: high assurance design; information sharing; multi-domain security<br />
I. Introduction<br />
The effective <strong>and</strong> efficient conduct of modern joint military missions increasingly<br />
relies on network-centric operations. The NATO Network-Enabled Capability<br />
requires eliminating air-gap <strong>and</strong> swivel-chair solutions in a coalition environment.<br />
The Alliance <strong>Information</strong> Exchange Capability is an on-going set of activities within<br />
NATO, which focuses specifically on the information exchange across security<br />
boundaries. The objective of an <strong>Information</strong> Exchange Gateway (IEG) is to provide<br />
a solution for mediation of cross-domain information exchange. In particular,<br />
the so-called IEG Scenario D (IEG-D) focuses on information exchange between<br />
NATO <strong>and</strong> non-NATO partners involved in a mission.<br />
The High Assurance Automated Guard, or HAAG in short, is a critical element<br />
of the IEG in the scenarios involving connection from NATO systems to mission<br />
systems, so-called IEG Scenario C (IEG-C), <strong>and</strong> between NATO <strong>and</strong> non-NATO<br />
nations or international organizations (IEG-D). The HAAG is an interim solution<br />
on a path towards a fully integrated <strong>and</strong> distributed High Assurance Separation<br />
Service (HASS). The HAAG is a cross-domain gateway, which relies on the use<br />
of XML-based metadata describing content properties for making decisions about<br />
release of information. Its intended function is to enable automated information<br />
sharing between different information security domains <strong>and</strong> to provide a strong<br />
separation between different communities of interest <strong>and</strong> to support dynamic <strong>and</strong><br />
flexible enforcement of need-to-know principles.
378 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>Information</strong> security domains can be implemented as both physically separated<br />
network domains or as virtual domains, using same network infrastructure<br />
<strong>and</strong> relying on cryptographic separation. Cryptographic separation means here<br />
encryption of all information belonging to particular information domain, making<br />
it inaccessible from other information security domains. In a simple scenario, which<br />
is analogous to the scenario addressed in [1], the guard separates two information<br />
security domains located in two physically separated network domains. In such<br />
scenario, one network enclave is typically denoted as high <strong>and</strong> the other as low. It is<br />
important to stress that in some of the HAAG usage scenarios the concepts of high<br />
<strong>and</strong> low information security domain may not mean high <strong>and</strong> low classification<br />
levels, as in many cases no order function can easily be defined between the classification<br />
levels (<strong>and</strong> thus information security domains) belonging to different<br />
organizations or nations.<br />
In a simple HAAG implementation scenario it can be further assumed that<br />
the guard is connected to the low <strong>and</strong> the high information security domains (<strong>and</strong><br />
thus low <strong>and</strong> high network enclaves) using separate physical network interfaces.<br />
However, this limiting assumption will not be necessary true in a more general<br />
case, where the information security domains can be virtualized.<br />
The HAAG limits the data flow between information security domains through<br />
enforcement of m<strong>and</strong>atory security policies. These security policies include information<br />
flow control policy, access control policy, <strong>and</strong> information protection<br />
policy. The set of these security policies is collectively called as Content-based<br />
Protection <strong>and</strong> Release (CPR) policy [2]. The CPR policy is being currently specified<br />
at the NCIA as a part of 2012 Allied Comm<strong>and</strong> Transformation (ACT) Scientific<br />
Program of Work (SPoW).<br />
A cross-domain information exchange introduces two major threats to security<br />
of involved information security domains: (1) leakage of confidential information<br />
from one information security domain to another information security domain;<br />
<strong>and</strong> (2) degradation of the integrity or availability of resources in one information<br />
security domain as a result of actions originating from another information security<br />
domain. The purpose of the HAAG is to enable, together with other components<br />
in the IEG, an effective <strong>and</strong> efficient cross-domain information exchange, while<br />
offering sufficient protection against the threats mentioned above <strong>and</strong> enforcing<br />
an appropriate information flow control policy.<br />
II. Use cases<br />
Classical use cases for information sharing between NATO Secret systems<br />
<strong>and</strong> non-NATO partners <strong>and</strong> unclassified networks involve document <strong>and</strong> email<br />
release. The capability to reliably <strong>and</strong> timely share information across the security<br />
domains is one of the desirable operational requirement in the current NATO operations,<br />
e.g., need for information sharing between NATO forces <strong>and</strong> non-NATO
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
379<br />
nations including Government of the Islamic Republic of Afghanistan (GIRoA),<br />
as well as between NATO forces <strong>and</strong> international organizations such as the United<br />
Nations World Food Programme.<br />
These classical use cases are expected to constitute the main source of traffic<br />
mediated by the HAAG in the NATO Future Mission Networks (FMN) <strong>and</strong><br />
of the NATO Network Enabled Capability (NNEC). However, future networks will<br />
also likely need to support real-time sharing of information between functional<br />
services running in different security domains. Two examples of such emerging<br />
use cases, i.e. cyber defence information exchange <strong>and</strong> civilian-military cooperation<br />
(CIMIC) in passive missile defence applications, are discussed in more<br />
details below.<br />
A. Cyber defence information exchange infrastructure<br />
Cyber defence is quickly becoming one of the critical tasks as the military<br />
operations rely more <strong>and</strong> more on capabilities provided by the <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> Systems (CIS). Not only must the CIS be protected before going<br />
into operation but there must also be a capability to respond <strong>and</strong> recover from attacks<br />
targeting these systems during their operation. In federated environments,<br />
where no one has control over the entire system, collaboration between different<br />
parties is critical in order to ensure effective cyber defence. However, exchange<br />
of the relevant information is often sensitive, <strong>and</strong> requires careful control of release.<br />
At the same time relevant information from public sources should be automatically<br />
imported.<br />
Therefore, the cyber defence information exchange infrastructure (CDXI)<br />
must support both the ability to import information from public sources as well<br />
as partners, <strong>and</strong> also ability to selectively share information. This requires a strict<br />
control of boundary such as the one provided by the HAAG. Further, the ability<br />
to automatically release information based on the associated metadata is critical<br />
in order to support the strict timeliness requirements in cyber defence. An example<br />
of CDXI architecture is shown in Figure 1.<br />
As shown in the Figure 1, the control barrier is needed in order to ensure that<br />
only authorized data is shared, <strong>and</strong> that only quality assured information is imported<br />
into the organizational domain. As some of the data sources on the low side typically<br />
will be public sources, the assurance level of the control barrier must be high.<br />
The type of information exchanges can include vulnerability <strong>and</strong> exploit information,<br />
incidence information, as well as a number of other types of information<br />
that potentially could be very useful in federated incidence h<strong>and</strong>ling. The format<br />
of the information should allow automated processing, as manual processing is not<br />
time effective when trying to combat cyber-attacks.<br />
The actual format depends on the type of information, <strong>and</strong> a number of st<strong>and</strong>ardization<br />
efforts are currently underway to support such information sharing
380 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
formats, including the Incident Object Description Exchange Format (IODEF) [3],<br />
OVAL [4], as well as some open source formats such as Snort rules [5]. The HAAG<br />
may not need to underst<strong>and</strong> all these formats – the only requirement is that they<br />
can be labelled using the signed NATO XML labelling format [6, 7]. The NATO<br />
XML labelling can be applied even in the case when the format itself is not XML,<br />
although XML formats would allow better granularity of release control <strong>and</strong> would<br />
allow the HAAG to automatically redact the information to be released.<br />
Figure 1. Cyber Defence <strong>Information</strong> Exchange Infrastructure<br />
Without the HAAG, the information sharing will be limited as it will be difficult<br />
to combine all sources in an effective manner. Public information would likely<br />
have to pass an air-gap, which is both labour intensive, slow, <strong>and</strong> introduces itself<br />
a number of security problems.<br />
B. Civilian-military collaboration in passive missile defence<br />
The passive ballistic missile defence (BMD) scenario is illustrated in Figure 2.<br />
The geographic coordinates of the predicted missile impact area are calculated by<br />
the BMD system located in the NATO Secret domain <strong>and</strong> shared in the Keyhole<br />
Markup Language (KML) format with a GIS system installed in the information<br />
system belonging to a civilian authority. Open Geospatial Consortium (OGC)<br />
KML [8] is used to display geographic data in GIS such as Google Earth. This<br />
information can be used for crises response planning <strong>and</strong> disaster preparation.<br />
As KML is XML-based, it can be easily integrated with the NATO XML-Labelling<br />
specification.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
381<br />
Figure 2. Passive missile defence information exchange scenario<br />
III. Security requirements<br />
The security requirements introduced by the HAAG have been captured<br />
in a form of protection profile (PP) compliant with the Common Criteria (CC)<br />
Version 3.1 Release 3 framework [9]. This approach has been taken by the authors<br />
already earlier, when designing the medium assurance XML-Labelling Guard<br />
(XLG) [1].<br />
Although the HAAG PP is based on the XLG PP, the HAAG introduces<br />
several new functional <strong>and</strong> assurance requirements when compared to the XLG.<br />
New functional security requirements are related, e.g., to need for authentication<br />
of originators or requestors of mediated information flows, in order to provide<br />
stronger accountability when compared to XLG. Other new security functional<br />
requirements are related to integration with the cyber defence framework <strong>and</strong> to<br />
use of more complex CPR security policies.<br />
When compared to [1], most of the new security assurance requirements<br />
(SARs) are related to the need to assure secure lifecycle for the HAAG. The approach<br />
taken in the HAAG PP in order to assure the trustworthiness of the HAAG throughout<br />
its lifecycle is largely compatible with the U.S. Government Protection Profile<br />
for Separation Kernels in Environments Requiring High Robustness (SKPP) [10].<br />
The main conceptual difference is that SKPP focuses on operating system <strong>and</strong> does<br />
not address trustworthiness of the application software running on top of the operating<br />
system. The HAAG PP applies the paradigms adapted from the SKPP to<br />
the application layer. In the HAAG PP, the assumption is that underlying operating<br />
system can be trusted (e.g., because it was evaluated according to the SKPP) <strong>and</strong><br />
the focus is on providing sufficient evidence that functionality implemented on top<br />
of the OS, i.e. the HAAG application, configuration <strong>and</strong> other TOE components,<br />
can be also trusted to a level commensurate with the value of protected resources.<br />
In addition to this conceptual difference, the formal differences are related mainly<br />
to the fact that SKPP v 1.03 was based on the CC v. 2.3 <strong>and</strong> the HAAG PP is based<br />
on the CC v. 3.1 R3. Some of the SARs, which were predefined in the CC v. 2.3 <strong>and</strong><br />
used within the SKPP, were removed in the CC v. 3.1 [9].
382 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
IV. Evolutionary approach<br />
The phased approach has been proposed to implementation <strong>and</strong> deployment<br />
of the HAAG in order to address both urgent operational requirements <strong>and</strong> provide<br />
a robust <strong>and</strong> flexible solution to cross-domain information sharing for the NNEC<br />
<strong>and</strong> FMN infrastructure.<br />
The approach consists of 3 phases that incrementally improve information<br />
sharing capability. Phase 0 is a cascading design that provides an immediate response<br />
to the urgent requirements for information sharing between NATO <strong>and</strong> international<br />
organizations / non-NATO nations. Phase 1 uses the HAAG as a gateway<br />
that enforces authentication, authorization, <strong>and</strong> accountability of all end-users.<br />
Phase 2 uses the HAAG to provide a service where information is released based<br />
on security <strong>and</strong> protection requirements derived from a dynamic policy.<br />
A. Phase 0: Cascading design using XLG<br />
Phase 0 represents an incremental development path for the existing NCIA medium<br />
assurance XML-Labelling Guard (XLG). The proposed solution, applicability<br />
of which shall be confirmed case by case through an extensive security risk assessment,<br />
attempts to partially compensate lower security assurance level of the XLG<br />
by introducing an intermediate, NATO Restricted (NR), security domain between<br />
IO/NNN <strong>and</strong> the NATO Secret (NS) system. The XLG is located between the NR<br />
<strong>and</strong> the NS domain. Several reactive security services, such as intrusion detection<br />
<strong>and</strong> malware protection are redundantly deployed in the NR <strong>and</strong> NS domains<br />
in order to provide increased security assurance via a cascading architecture.<br />
Figure 3. Example of a cascading design for IEG-D Phase 0 implementation
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
383<br />
B. Phase 1: High assurance automated guard as a gateway<br />
A logical evolution of the Phase 0 design is to replace the cascade with a single<br />
high assurance guard used as a gateway, an architecture shown in Figure 4.<br />
Figure 4. High assurance automated guard (HAAG) as a gateway<br />
This architecture uses the HAAG as a dedicated information flow control<br />
device between the domain with a lower <strong>and</strong> a higher trustworthiness. In addition,<br />
the HAAG must be accompanied by, <strong>and</strong> usually collocated with, additional<br />
security tools, such as firewalls <strong>and</strong> malware detection software.<br />
Compared to the Phase 0 architecture, there are two important differences. First,<br />
the HAAG authenticates users from both low <strong>and</strong> high domains, whereas only network<br />
interfaces were authenticated in Phase 0. The authentication is mainly for auditing <strong>and</strong><br />
accountability purposes, but can also constitute an input for an authorization of access<br />
to the data (e.g. basic enforcement of need-to-know principle). Second, the required<br />
assurance level for the HAAG design <strong>and</strong> implementation is significantly higher.<br />
Phase 1 improves the assurance <strong>and</strong> information flow capabilities in a short<br />
to medium time-frame. It relies on support for cross-domain authentication, e.g.<br />
by implementing a claims-based identity <strong>and</strong> access control [11]. This architecture<br />
allows also a gradual introduction of elements of the CPR security policies. The CPR<br />
security model is envisaged to replace in the long term an inflexible Bell-LaPadula<br />
security model, which is not suitable for a modern dynamic <strong>and</strong> federated coalition<br />
environment.<br />
C. Phase 2: High assurance automated guard as a separation service<br />
In Phase 2 of the HAAG development a more radical approach is taken toward<br />
solving the information sharing challenges. This approach is based on a complete<br />
rethinking of the security model used within NATO <strong>and</strong> utilizing implementation<br />
of advanced cryptographic mechanisms. In this architecture, depicted in Figure 5,<br />
the concept of security domains is ab<strong>and</strong>oned, <strong>and</strong> the information flow is controlled<br />
through a HAAG service implemented in a distributed fashion.
384 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 5. HAAG as a separation service<br />
The HAAG service is responsible for enforcing access control based on advanced<br />
security policies, taking into account the properties of users (e.g. clearance<br />
level <strong>and</strong> his role in the organization), properties of devices (e.g. hardware cryptographic<br />
modules, trusted computing platform), <strong>and</strong> properties of the information<br />
(e.g. its validity time, sensitivity <strong>and</strong> area of application).<br />
In this phase, the traditional characterization of information through simple<br />
metadata (or so-called security label e.g. NATO Secret releasable to Australia),<br />
is replaced by a more detailed (<strong>and</strong> complex) metadata describing the information<br />
(e.g. logistic data relevant to transport of goods to Australian troops based<br />
in Afghanistan). Similarly, instead of being characterized only by a clearance level,<br />
the end-user would be characterized by metadata describing his role, affiliation, <strong>and</strong><br />
trustworthiness. The terminal would also have to be characterized by additional<br />
metadata describing its trustworthiness, such as none, basic, normal, enhanced <strong>and</strong><br />
high, instead of being just characterized by the network domain in which it is located.<br />
The required separation of information flows in Phase 2 can only be achieved<br />
by using advanced cryptography, including encryption of both data at rest <strong>and</strong> data<br />
in transfer. Recently, several relevant new cryptographic techniques have been<br />
developed, including homomorphic encryption enabling processing of encrypted<br />
data [12] <strong>and</strong> wild-carded identity-based encryption [13], potentially enabling<br />
encryption of data for groups of user, e.g., users playing the same role within organization,<br />
<strong>and</strong> effective key management.<br />
V. High level design<br />
One of the current activities coordinated by the NCIA is development of high<br />
level design (HLD) for the HAAG. The target of the HLD is Phase 1 <strong>and</strong> Phase 2<br />
of the HAAG as described in the previous section.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
385<br />
The purpose of the HLD is twofold. First of all, the HLD shall enable evaluation<br />
of completeness <strong>and</strong> appropriateness of the functional <strong>and</strong> security capabilities<br />
of the HAAG by all stakeholders, i.e. NATO bodies, NATO nations, <strong>and</strong> prospect<br />
non-NATO partners in the information sharing scenarios to be supported by<br />
the HAAG. Secondly, the HLD is to be used as guidance for the industry during<br />
the implementation of the HAAG solution for NATO.<br />
During the design study several dependencies with information assurance<br />
services offered by the external components have been identified. The basic design<br />
of the HAAG substantially extends architecture <strong>and</strong> functionality implemented<br />
within the NCIA Medium Assurance XML-Labelling Guard (MAXLG) [1].<br />
In order to ensure proper integration with the NATO infrastructure, the HLD<br />
is described in terms of the NATO Architecture Framework (NAF) version 3 [14].<br />
The HLD describes a subset of various possible views defined in the NAF v.3,<br />
including Capability, Operational, Service Oriented, System, Technical, <strong>and</strong> Programme<br />
Views.<br />
A. System overview<br />
The design of the HAAG introduces five main concepts, as depicted in Figure 6:<br />
Figure 6. Design principles for the HAAG
386 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
1. An information object container, including meta-data describing content<br />
properties<br />
2. Set of security policies, including information flow policy <strong>and</strong> access control<br />
policy<br />
3. Cyber defence system, monitoring system <strong>and</strong> users’ activities <strong>and</strong> providing<br />
responsive security measures.<br />
4. Release decision <strong>and</strong> enforcement service, which is the central component<br />
for enforcing security requirements for exchange of information between<br />
different information security domains. It is a custom-developed software<br />
application that enforces the information flow control <strong>and</strong> the access control<br />
policies.<br />
5. End user interface, enabling end users or services to submit information<br />
access request to the HAAG. The request contains meta-data describing<br />
user’s <strong>and</strong> end terminal properties.<br />
B. Service-Oriented Architecture<br />
The HAAG design is based on a service oriented architecture. The main services<br />
included in the HAAG Target of Evaluation (TOE) as well as services required from<br />
the operational environment of the HAAG are depicted in Figure 7.<br />
Figure 7. HAAG service environment
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
387<br />
C. HAAG services<br />
The services described in this section belong to the HAAG TOE <strong>and</strong> are to<br />
be implemented <strong>and</strong> evaluated as a part of the HAAG development. The Content<br />
Inspection Policy Enforcement (CIPE) Service represents a special case, where<br />
the CIPE framework is a part of the TOE <strong>and</strong> the individual Content Filters constitute<br />
part of the Operational Environment. The rationale behind this division<br />
is the effort to reuse content filters developed <strong>and</strong> maintained by the third party<br />
providers, such as antivirus <strong>and</strong> malware scanners.<br />
1) HAAG Core Services<br />
The HAAG Core Services, describe below, provide core functionality<br />
of the HAAG.<br />
a) NATO Metadata Binding Service<br />
From the HAAG perspective, the most important service provided by<br />
the NATO Metadata Binding Service (NMBS) is the Bind Service. The Bind Service<br />
is responsible for verifying the binding between metadata <strong>and</strong> the data object.<br />
The HAAG relies on the Bind Service in order to validate integrity of the binding<br />
<strong>and</strong> thus ensure that the metadata can be safely used in decision process related to<br />
information release. The NMBS is also a required as an external service, enabling<br />
binding of metadata to information.<br />
b) Policy Reasoning <strong>and</strong> Rules Analysis Service<br />
The aim of Policy Reasoning <strong>and</strong> Rules Analysis Service is to perform logical<br />
reasoning about fulfilment of the requirements stated in the security policies.<br />
As the CPR policies can be potentially complex <strong>and</strong> involve semantically reach<br />
metadata, the proper reasoning process is critical for ensuring proper enforcement<br />
of security policies.<br />
c) CPR <strong>Information</strong> Flow Policy Enforcement Service<br />
The CPR <strong>Information</strong> Flow Policy (IFP) Enforcement Service ensures enforcement<br />
of the security policy governing the information release between the security<br />
domains mediated by the HAAG. This service make use of Policy Reasoning <strong>and</strong><br />
Rules Analysis Service, takes a decision about potential release or denial of the release,<br />
<strong>and</strong> configures content filters <strong>and</strong> content sanitization rules which have to<br />
be applied prior to the release.<br />
d) Access Control Policy Enforcement Service<br />
The role of the Access Control Policy (ACP) Enforcement Service is similar<br />
to the CRP IFP Enforcement Service; however the ACP focuses on enforcement<br />
of the security policy governing the user’s access to the HAAG. This service uses
388 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Policy Reasoning <strong>and</strong> Rules Analysis Service in order to make a decision about<br />
potential granting or denial of the access.<br />
2) <strong>Trusted</strong> Platform Services<br />
Several TOE services play a role in establishing the initial secure state for<br />
the TOE Security Functionality (TSF). After secure initialization, the TSF enforces<br />
the configured security policy. The non-TSF functions playing role in establishing<br />
the initial secure state of the TSF include <strong>Trusted</strong> Delivery, <strong>Trusted</strong> Load, <strong>Trusted</strong><br />
Initialization, <strong>and</strong> <strong>Trusted</strong> Configuration.<br />
3) Content Inspection <strong>and</strong> Policy Enforcement (CIPE)<br />
Content Inspection Policy Enforcement (CIPE) is a capability that enables<br />
the inspection of structured data that is to be mediated by the HAAG. The goal<br />
is to identify <strong>and</strong> remove malicious software (such as viruses, network worms<br />
<strong>and</strong> Trojan horses) <strong>and</strong> active content, combined with a verification of file format<br />
type <strong>and</strong> a white list of allowed file formats. The CIPE capability is to be provided<br />
as a component of the HAAG in order to improve the protection for confidentiality,<br />
integrity <strong>and</strong> availability of NATO CIS against malicious software <strong>and</strong> active<br />
content that may be imported from other information systems.<br />
Figure 8. Relationship between the Content Inspection Policy Enforcement <strong>and</strong> the HAAG PP<br />
The CIPE capability is provided by the CIPE Service which is one of the components<br />
of the <strong>Information</strong> Exchange Architecture. The CIPE Service consists<br />
of the following components, which are illustrated in Figure 8:<br />
• Content Inspection Policy Enforcement Framework (CIPEF)<br />
• Content Filters for supported data format content types<br />
• Content Filter Rules for each content filter
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
389<br />
• Interfaces between the CIPEF <strong>and</strong> the content filters<br />
• Proxy Interfaces<br />
The main element of the CIPE Service included in the HAAG TOE is the CI-<br />
PEF. The CIPEF is responsible for the management <strong>and</strong> scheduling of data objects<br />
as they are routed through the content filters. The route through the content filters<br />
depends on the identified data object(s) <strong>and</strong> any embedded data objects <strong>and</strong> is adjusted<br />
dynamically. The CIPEF provides interfaces for data objects to be input into<br />
the CIPEF <strong>and</strong> output from the CIPEF. Any suspect, malicious or unsupported<br />
data objects are quarantined for further investigation <strong>and</strong> appropriate authorised<br />
h<strong>and</strong>ling.<br />
The Identification, Verification <strong>and</strong> Transformation capabilities are implemented<br />
in CIPE Service by means of the Content Filters. The Content Filters constitute<br />
a part of the HAAG operational environment <strong>and</strong> are discussed in section<br />
dealing with external supporting services.<br />
A Proxy Interface is the boundary between the CIPE Service <strong>and</strong> the HAAG <strong>and</strong><br />
can h<strong>and</strong>le protocol <strong>and</strong> content mediation between the data source <strong>and</strong> the CIPEF.<br />
4) Local Security Policy Repository Service<br />
The Local Security Policy Repository Service provides access to all security<br />
policies, which are enforced within the HAAG. It provides a management interface<br />
enabling configuration of the policies, including possible synchronization with<br />
centralized security policy repository. The policies stored within the local repository<br />
include both IFP enforced by the HAAG on the mediated data <strong>and</strong> an access<br />
control policy for the HAAG users. The IFP is provided by so-called Content-based<br />
Protection <strong>and</strong> Release Policy (CPR). The CPR policy consists of two specific policies:<br />
Content-based Protection Policy <strong>and</strong> Content-based Release Policy. The Contentbased<br />
Protection Policy defines the technical protection measures, which have to<br />
be enforced by the user’s operational environment (i.e. network <strong>and</strong> user’s host)<br />
in order for the information to be securely released. The Content-based Release<br />
Policy defines the required user’s attributes, such as security clearance <strong>and</strong> associated<br />
security domain for allowing an information release.<br />
D. External Supporting Services<br />
This section briefly introduces the services, which are provided by the operational<br />
environment in support of the HAAG capability. These services are not part<br />
of the HAAG target of evaluation, <strong>and</strong> as such their assurance level <strong>and</strong> functionality<br />
will not be evaluated during the HAAG evaluation. However, it is recommended<br />
that their implementation should provide a level of assurance equal or higher to<br />
the level provided by the HAAG.
390 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
1) Security Management Infrastructure <strong>and</strong> <strong>Information</strong> Assurance<br />
Services<br />
The NATO security management infrastructure (SMI) services <strong>and</strong> information<br />
assurance (IA) services are described in [15] as depicted in Figure 9.<br />
Figure 9. NATO security management infrastructure services <strong>and</strong> information<br />
assurance services as defined in [15]<br />
Both types of services typically require the use of the other for their own functionality.<br />
A security management service might use an IA service to ensure the secure<br />
h<strong>and</strong>ling of its own information, e.g. the Digital Policy Management Service<br />
might use a confidentiality service <strong>and</strong> an integrity service to secure the renewal<br />
of policy for system-wide access rights (its own function). An IA service might<br />
rely on a security management service for proper continuation of its own function,<br />
e.g. a confidentiality service might use the Crypto Key Management Service<br />
for policy-m<strong>and</strong>ated periodic keying material changes.<br />
The Identity Management <strong>and</strong> Credential Management Services rely on<br />
the NATO Public Key Infrastructure (NPKI) [16]. The exchange of the relevant<br />
PKI information between NATO <strong>and</strong> Nations during NATO operations <strong>and</strong> missions<br />
is discussed in [17].<br />
2) Secure Transport Layer Services<br />
Secure transport layer services might be required in some scenarios to provide<br />
a secure (i.e. cryptographically protected) communication channel between the user<br />
<strong>and</strong> the HAAG. A typical example of scenario where such channel is required<br />
is remote management of the HAAG. However, also in the case of end-users using<br />
the HAAG for data transfer, a secure communication channel might be required<br />
in order to both protect privacy of the end user <strong>and</strong> provide additional layer<br />
of confidentiality <strong>and</strong> integrity protection for the exchanged information. The use
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
391<br />
of the secure transport layer services can also provide additional protection for<br />
availability of the HAAG by introducing additional controls for allowed connections<br />
<strong>and</strong> resource consumption.<br />
3) Cryptographic Services<br />
The main Cryptographic Services required by the HAAG are related to integrity<br />
protection <strong>and</strong> authentication. The public key encryption module provides<br />
functionality required to verify digital signatures of the XML security labels. This<br />
functionality includes implementation of appropriate public-key cryptographic<br />
algorithms, hash functions, <strong>and</strong> certificate validation mechanisms. It can be also<br />
used in order to provide PKI-based authentication of the HAAG users.<br />
Additional Cryptographic Services might be required for authentication<br />
of the users <strong>and</strong> securing the communication channel between the HAAG <strong>and</strong><br />
the user (if applicable). These additional cryptographic services include message authentication<br />
codes (e.g. keyed hash function) <strong>and</strong> symmetric encryption algorithms.<br />
4) Cyber defence component<br />
In order to provide an adequate security <strong>and</strong> assurance level for information<br />
exchange between security domains, the HAAG relies on preventive <strong>and</strong> reactive<br />
services provided by the NATO cyber defence infrastructure. The NATO Cyber<br />
Defence Services of particular relevance to the HAAG include monitoring, data<br />
fusion, dynamic risk assessment <strong>and</strong> alert generation.<br />
The feedback from the Cyber Defence Services can be used to influence <strong>and</strong><br />
reconfigure the security policies enforced by the HAAG. The possibility of dynamic<br />
update of system security policy based on the identified threat level has been<br />
studied in [18]. In [19] an approach for integration of alerts, generated based on<br />
information received from various cyber sensors, with contextual security policies<br />
has been investigated. The alerts, received in the Intrusion Detection Message<br />
Exchange Format (IDMEF) [20], are mapped to contexts <strong>and</strong> response strategies<br />
involving changes to the enforced security policy.<br />
5) CIPE Content Filters<br />
The CIPE Content Filters are separate modules of the CIPE architecture, which<br />
can be provided by the third party. As opposed to the CIPE Framework, which<br />
is part of the HAAG TOE, the Content Filters are therefore treated as external<br />
services provided by the HAAG Operating Environment.<br />
The CIPE Service provides for separation of the CIPEF from the Content<br />
Filters. The Content Filters, the only CIPE Service component that directly h<strong>and</strong>les<br />
the contents of a data object, must be separated <strong>and</strong> managed outside of the other<br />
components of the CIPE Service due to the potential threats <strong>and</strong> vulnerabilities<br />
that may be exposed by the h<strong>and</strong>ling of data objects. The CIPEF communicates<br />
with the Content Filters via the Content Filter Interface.
392 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Within the CIPE Service each individual Content Filter is explicitly identifiable<br />
by its type. A Content Filter may be of an Identification, Verification or Transformation<br />
type, or any combination of the three:<br />
1. Identification Content Filter is responsible for correct identification<br />
of the type(s) of a data object.<br />
2. Verification Content Filter is responsible for enforcing that the data object<br />
conforms to the claimed type <strong>and</strong> that no malicious or confidential content<br />
is present in the data object. This Content Filter also performs as a content<br />
exploder <strong>and</strong> a content flattener for data objects which contain embedded<br />
data object(s).<br />
3. Transformation Content Filter is responsible for mitigating the potential<br />
threat of malicious content by either removing the active content that<br />
was found by the Verification Filter, or by transforming the content to another<br />
format. This Content Filter can also transform content by obfuscating<br />
or removing data attributes or values that should not be released across<br />
the information system boundary.<br />
The types of data formats that are allowed for import or release across the HAAG<br />
are specific to a CIPE Profile. Each data format type has its own set of Content Filter<br />
Rules. A set of Content Filter Rules represents a subset of the CIPE Profile security<br />
<strong>and</strong> assurance requirements specified for a given data format type. The Content<br />
Filter Rules are asserted by the Content Filter(s).<br />
E. <strong>Trusted</strong> Base Platform<br />
<strong>Trusted</strong> Base Platform consists of the operating system (OS) kernel, the tools<br />
<strong>and</strong> applications, which are part of the OS, <strong>and</strong> the hardware, on which the OS runs.<br />
Security requirements related to user roles <strong>and</strong> user authentication are implemented<br />
in the OS. The base OS <strong>and</strong> hardware also provide the isolation of the security<br />
components from other components of the HAAG.<br />
VI. Conclusions <strong>and</strong> future work<br />
The development of the high level design <strong>and</strong> the protection profile for<br />
the HAAG is the first step on a path to achieve effective information sharing between<br />
NATO <strong>and</strong> its external partners.<br />
One of the important aspects of the future work is the development of a formal<br />
model for the CPR security policies. We are aiming at specifying a basic CPR policy<br />
in a natural language, translating it into a formal representation <strong>and</strong> validating<br />
it using some well-known tools, such as Isabelle [21].<br />
The recently established the NATO Science <strong>and</strong> <strong>Technology</strong> Organization<br />
(STO) <strong>Information</strong> Systems <strong>Technology</strong> (IST) Task Group on <strong>Trusted</strong> <strong>Information</strong><br />
Sharing for Partnerships (IST-114) aims at advancing the IEG Scenario D
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
393<br />
<strong>and</strong> the Object Level Protection concepts. The focus of the group includes high<br />
assurance guards, as well as extensions to the existing security labelling specifications.<br />
The results of IST-114 can potentially influence the requirements <strong>and</strong> design<br />
of the HAAG.<br />
Acknowledgment<br />
This research has been sponsored by the NATO Allied Comm<strong>and</strong> Transformation<br />
Scientific Programme of Work 2011/2012.<br />
References<br />
[1] K. Wrona, S. Oudkerk, <strong>and</strong> G. Hallingstad, “Designing medium assurance<br />
XML-labelling guards for NATO,” in Proceedings of the <strong>Military</strong> <strong>Communications</strong><br />
Conference (MILCOM), San Jose, CA, USA, 2010.<br />
[2] K. Wrona <strong>and</strong> G. Hallingstad, “Controlled <strong>Information</strong> Sharing in NATO<br />
Operations,” in Proceedings of the IEEE <strong>Military</strong> <strong>Communications</strong> Conference<br />
(MILCOM), Baltimore, 2011.<br />
[3] R. Danyliw, J. Meijer, <strong>and</strong> Y. Demchenko, “The Incident Object Description<br />
Exchange Format,” Request for Comments RFC 5070, 2007.<br />
[4] J. Baker, M. Hansbury, <strong>and</strong> D. Haynes, “The OVAL Language Specification Version<br />
5.10.1,” The MITRE Corporation, 2012.<br />
[5] L. Ward, “Improving your custom Snort rules,” Sourcefire, 2010.<br />
[6] S. Oudkerk, “NATO Profile for the ‘Binding of Metadata to Data Objects’ – version 1.0,”<br />
The Hague, Technical Note TN-1455, 2011.<br />
[7] S. Oudkerk, “NATO Profile for the ‘XML Confidentiality Label Syntax’ – version<br />
1.0,” The Hague, Technical Note TN-1456, 2011.<br />
[8] T. Wilson, “OGC KML Version 2.2.0,” Open Geospatial Consortium Inc., OGC<br />
St<strong>and</strong>ard OGC 07-147r2, 2008.<br />
[9] Common Criteria, “Common Criteria for <strong>Information</strong> <strong>Technology</strong> Security Evaluation<br />
Version 3.1 Revision 3,” CCMB-2009-07-001, 2009.<br />
[10] IAD, “U.S. Government Protection Profile for Separation Kernels in Environments<br />
Requiring High Robustness, Version 1.03,” 2007.<br />
[11] D. Baier et al., A Guide to Claims-Based Identity <strong>and</strong> Access Control – Authentication<br />
<strong>and</strong> Authorization for Services <strong>and</strong> the Web.: Microsoft Corporation, 2010.<br />
[12] Nigel P. Smart <strong>and</strong> Frederik Vercauteren, “Fully Homomorphic Encryption with<br />
Relatively Small Key <strong>and</strong> Ciphertext Sizes,” in Public Key Cryptography, 2010,<br />
pp. 420-443.<br />
[13] M. Abdalla et al., “Wildcarded Identity-Based Encryption,” Journal of Cryptology,<br />
vol. 24, no. 1, pp. 42-82, 2011.<br />
[14] NC3B, “NATO Architecture Framework v3,” Brussels, Belgium, ANNEX 1 TO<br />
AC/322-D(2007)0048, 2007.
394 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[15] NC3B SC/4, “<strong>Information</strong> Assurance Technical <strong>and</strong> Implementation Directive on<br />
Security Management Infrastructure (SMI),” AC/322(SC/4)WP(2010)0008, 2010.<br />
[16] NAC, “NATO Policy for the Implementation of a PKI for NATO Communication<br />
<strong>and</strong> <strong>Information</strong> Systems,” Brussels, Belgium, AC/322-D(2003)005, 2003.<br />
[17] NAC, “Directive for NATO Public Key Infrastructure (NPKI) Interoperability with<br />
the Nations,” Brussels, Belgium, AC/322-D(2005)0025-REV1, 2010.<br />
[18] K. Wrona, G. Hallingstad, <strong>and</strong> S. Oudkerk, “Risk-aware <strong>and</strong> policy-compliant<br />
approach to network configuration,” in Proceedings of the 12th <strong>Military</strong> <strong>Communications</strong><br />
<strong>and</strong> <strong>Information</strong> Systems Conference (MCC), Wroclaw, Pol<strong>and</strong>, 2010.<br />
[19] H. Debar, Y. Thomas, N. Boulahia-Cuppens, <strong>and</strong> F. Cuppens, “Using Contextual<br />
Security Policies for Threat Response,” in Proceedings of the DIMVA, vol. LNCS 4064,<br />
2006, pp. 109-128.<br />
[20] H. Debar, D. Curry, <strong>and</strong> B. Feinstein, “The Intrusion Detection Message Exchange<br />
Format (IDMEF),” IETF, RFC 4765, 2007.<br />
[21] T. Nipkow, L. Paulson, <strong>and</strong> M. Wenzel, A Proof Assistant for Higher-Order Logic.:<br />
Springer-Verlag, 2011.
Network Traffic Characteristics<br />
for Detecting Future Botnets<br />
Jonathan P. Chapman 1 , Felix Govaers 2<br />
1 Elmar Gerhards-Padilla, Research Group Cyber Defense, Fraunhofer FKIE,<br />
Friedrich-Ebert-Allee 144, 53113 Bonn, Germany, chapman@cs.uni-bonn.de<br />
2 Department for Sensor Data <strong>and</strong> <strong>Information</strong> Fusion, Fraunhofer FKIE,<br />
Neuenahrer Str. 20, 53343 Wachtberg, Germany, felix.govaers@fkie.fraunhofer.de<br />
Abstract: Botnets are <strong>and</strong> are likely to remain the main vehicle for online crime for the foreseeable future.<br />
To protect their business models, botnet operators constantly improve their protocols <strong>and</strong><br />
applications to harden them against detection, analysis <strong>and</strong> takedown efforts. Our analysis suggest<br />
that future botnets will use proper encryption for their protocol messages, rendering them invisible<br />
to most deployed network intrusion detection systems. Therefore, we identify properties of botnet<br />
communications that will not be obscured by these measures. This allows us to design features which<br />
can be derived by measuring these properties <strong>and</strong> used as input to an approach for detecting systems infected<br />
with a botnet client. First measurements on network traffic generated by legitimate applications<br />
<strong>and</strong> a botnet client suggest that our features are capable of reliably discriminating between the two.<br />
Keywords: botnet; intrusion detection; netflow<br />
I. Introduction<br />
Over recent years, botnets have reached an increasing degree of attention<br />
of both general <strong>and</strong> academic public. Their versatility proved to be an enabler for<br />
a wide range of criminal business models ranging from spam delivery to phishing,<br />
blackmail <strong>and</strong> espionage, triggering counteractions by those operating networks<br />
or responsible for securing information infrastructures. Since infected machines<br />
participating in botnets are often owned by a large <strong>and</strong> diverse group of individuals<br />
<strong>and</strong> organisations, scattered over a large number of jurisdictions, their efforts were<br />
often focused on denying the operator control over its botnet, usually by shutting<br />
down their comm<strong>and</strong> <strong>and</strong> control servers [1].<br />
Early botnets relied on simple centralised mechanisms for comm<strong>and</strong> <strong>and</strong> control,<br />
such as an IRC channel that botnet clients would join, rendering the technical<br />
part of shutting a botnet down rather simple. However, botnet operators learned<br />
that losing control over their botnets would prevent them from executing their<br />
business models. Thus, we are observing a constant evolution of their protocols<br />
<strong>and</strong> methods, trying to complicate detection, mitigation <strong>and</strong> takedown efforts.
396 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In this paper, we identify cornerstones of the protocol design for future botnets.<br />
Besides using peer-to-peer-based mechanisms to avoid a single point of failure, they<br />
will employ cryptographic methods that are also used in many legitimate applications.<br />
Particularly, their comm<strong>and</strong> <strong>and</strong> control channel will use strong encryption<br />
<strong>and</strong> integrity checks to prevent reading or altering messages in transit <strong>and</strong> authentication<br />
for comm<strong>and</strong>s <strong>and</strong> updates. As a side effect, messages will no longer be<br />
available to network intrusion detection systems that rely on deep packet inspection,<br />
i.e. analyse packet payloads to detect the presence of malicious applications. Since<br />
this is the main mode of operation for most deployed network intrusion detection<br />
systems, we also analyse which properties cannot be obscured by these methods <strong>and</strong><br />
explore how they can be used to achieve botnet detection in the future.<br />
The rest of this paper is organised as follows. In section II, we provide the definitions<br />
for netflows <strong>and</strong> botnets as a base for the following elaboration. The next<br />
section briefly discusses related approaches, followed by our analysis of future botnet<br />
designs in section IV. Section V provides the background for the detection of botnets<br />
by measuring features described in section VI. We then briefly summarise the host<br />
models required for our projected approach <strong>and</strong> provide measurement results for<br />
the named features. In sections IX <strong>and</strong> X, we provide an outlook on future work<br />
<strong>and</strong> summarise the conclusions derived in this paper.<br />
II. Background<br />
A. Netflows<br />
Typically, network protocols are developed following the OSI layer model,<br />
encapsulating higher level protocols in the payload section of the next lower layer’s<br />
protocol. In inter-networking, OSI layers 3 <strong>and</strong> 4 are of particular concern, where<br />
the former is responsible for transferring data between hosts in different networks<br />
<strong>and</strong> the latter provides services such as error correction or packet reordering to<br />
applications on those hosts. Nowadays, the only wide-spread implementations for<br />
layer 3 are the IP protocol versions 4 <strong>and</strong> <strong>and</strong> 6 (IPv4 <strong>and</strong> IPv6, respectively) <strong>and</strong><br />
layer 4 is dominated by the TCP <strong>and</strong> UDP protocols.<br />
Applications using the latter protocols are identified by a 16 bit integer (or port),<br />
i.e. a tuple (IP address, type, port) identifies an endpoint that a particular application<br />
instance on a particular host may send or receive data at. Given two applications<br />
A <strong>and</strong> B communicating through a network, the conversation can be identified<br />
by a combined tuple (IP A , port A , type, port B , IP B ). Such a conversation is called<br />
a “netflow” or a flow for short.<br />
B. Botnets<br />
For the purpose of this paper, we define a botnet as a malware with access<br />
to a comm<strong>and</strong> <strong>and</strong> control (C 2 ) channel allowing a group or an individual to is-
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
397<br />
sue comm<strong>and</strong>s to an infected system. While such a channel could use a different<br />
medium in theory, we further narrow this definition down to such botnets where<br />
the C 2 channel is implemented using the Internet or a similar wide area network.<br />
This is the case for all botnets deployed for commercial purposes <strong>and</strong>, while apparently<br />
designed to bridge an air-gapped system, even the Stuxnet malware provided<br />
an Internet-based C 2 channel [2]. We will use the term bot herder when referring<br />
to the group or individual controlling a botnet, without any further implications<br />
on how or why the herder acquired control over the botnet.<br />
III. Related literature<br />
Detecting botnets can be considered a special case of network-based intrusion<br />
detection. The most prominent examples in that field are Bro, first presented<br />
in [3], <strong>and</strong> Snort [4]. While allowing different levels of complexity for defining<br />
signatures, both are focused on discovering known malicious packet payloads<br />
described by the user. To some extent, an administrator with deep insight into<br />
the environment <strong>and</strong> applications she or he supervises may define signatures that<br />
describe abusive behaviour but generally this technique can only be used when<br />
the payload generated by a particular piece of malicious software is known to<br />
the user. [5] alleviates this requirement by introducing a system that is able to<br />
generate signatures from malware communication patterns learned from repeatedly<br />
executing a sample in a secure environment. However, in order to be able to<br />
generate a signature, an infection has to be detected <strong>and</strong> a sample of the malware<br />
be obtained first.<br />
Gu et al. follow a different approach [6], collecting data for each system in two<br />
domains, one for netflow data <strong>and</strong> another one for malicious activities. They then<br />
cluster data in each of these domains individually <strong>and</strong> treat co-occurrences of hosts<br />
in activity <strong>and</strong> netflow clusters as an indicator for those hosts being part of a botnet.<br />
While this eliminates the requirement for obtaining a sample for a malware, obtaining<br />
data for malicious activity requires the ability to detect such activity. I.e. while<br />
their approach shifts the focus, it will still work only when the attacks a botnet will<br />
carry out have been analysed <strong>and</strong> described appropriately before.<br />
The authors of [7] introduce an approach which measures several features<br />
for each observed flow. Based on their assumption that these features are normally<br />
distributed, they are able to assign an anomaly score to a measurement <strong>and</strong> visualise<br />
the expectation <strong>and</strong> actual measurement for a system. In contrast to the approaches<br />
described above, this does not require any knowledge of a malware that<br />
should be detected, but requires that both the distribution for an observed feature<br />
is Gaussian <strong>and</strong> that it will be affected by the malware’s traffic. Thus, feature selection<br />
is a critical element, as underlined by the author’s statement that for features<br />
with a distribution not fit well by a Gaussian curve, the accuracy of their approach<br />
was not satisfying.
398 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
At this point, we want to leave the field of traditional intrusion detection<br />
<strong>and</strong> take a look at a small set of approaches from the field of traffic classification.<br />
The first is BLINC [8], which tries to infer the applications running on a particular<br />
host only from basic properties of netflows, describing the behaviour of applications<br />
with graphlets. These graphs describe for a specific IP address the volume<br />
of destination IP addresses, source <strong>and</strong> destination ports <strong>and</strong> transport protocol<br />
expected for a given type of application. Graphlets can also be combined to characterise<br />
a host running several applications at the same time. While the authors<br />
present examples for some attacks, they do not provide general models for malicious<br />
activities. Also, often the graphlets provided refer to a coarse class of application<br />
rather than a specific protocol, indicating that the feature set may be too small to<br />
provide more accurate discrimination.<br />
Bernaille et al. [9] demonstrated that with only considering the size <strong>and</strong> direction<br />
of the first few packets of a flow with application payload, you can achieve<br />
a significant level of accuracy with regard to which protocol the flow’s payload<br />
belongs to. A similar approach by Crotti et al. [10] uses a superset of features that<br />
do not require access to the payload <strong>and</strong> are aggregated for a complete flow to<br />
reliably assign one of four classes, including an “other” class, to a particular flow.<br />
They later extended their method to detect tunnelling through other protocols [11].<br />
Instead of manually designed application signatures, these approaches rely on<br />
correctly preclassified training sets that allow them to determine the distribution<br />
functions of the observed features for each of the applications they are designed<br />
to discriminate.<br />
The selection of features to observe is a critical part in some of the above but<br />
also our own approach. An essential part of identifying the most promising features<br />
is to analyse the behaviour of the applications we want to detect <strong>and</strong> how it will<br />
differ from other applications. Thus, our starting point is the bot herder’s intent<br />
of hiding <strong>and</strong> securing their botnets’ C 2 channel <strong>and</strong> we explore the design which<br />
is likely to emerge from this intent in section IV. This, together with an analysis<br />
of the relation between observations on the network layer <strong>and</strong> the application that<br />
generated it in section V, provides a background for identifying the features we<br />
want to observe for detecting future botnets.<br />
IV. Future botnets<br />
Bot herders generally aim for improving the resilience of their botnets against<br />
takedown, takeover <strong>and</strong> detection efforts. Thus, we expect more sophisticated approaches<br />
for protection <strong>and</strong> obfuscation, in particular in regard to the C 2 channel.<br />
These approaches may include measures in the three domains we discuss in this<br />
section, custom protocols or protocol implementations (section IV.A), steganography<br />
<strong>and</strong> cryptography (sections IV.B <strong>and</strong> IV.C <strong>and</strong>, respectively). Section IV.D<br />
summarises the conclusions implied by our analysis.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
399<br />
A. Custom network or transport layer implementations<br />
Bot herders may <strong>and</strong> have in fact already written their own implementations<br />
for network or transport layer protocols (cf. e.g. [12]) to avoid detection.<br />
Since packets sent by these implementations have to traverse networks consisting<br />
mostly or only of non-infected systems, the design space for these implementations<br />
is however strongly limited. With IPv4 <strong>and</strong> IPv6 dominating wide area networking,<br />
a layer 3 implementation has to be compatible with these protocols, where IPv4<br />
is predominant in most regions <strong>and</strong> end-user systems are often not configured to<br />
permit using IPv6 in a second stack.<br />
This comes with a second side-effect, a non-representative study [13] revealed<br />
that 90% of a large European carrier’s DSL users were connected to the Internet via<br />
a NAT gateway. NAT rewrites transport layer headers to provide Internet access<br />
for several hosts which have to share a single public IPv4 address. Thus, unless<br />
a bot herder considers the inability of a significant portion of potential clients<br />
to access the C 2 channel acceptable, a custom transport layer protocol has to<br />
survive forward <strong>and</strong> backward translation by a NAT gateway. Effectively, this<br />
leaves little options other than tweaking the TCP or UDP protocols at this time.<br />
In fact, the malware described in [12] used a st<strong>and</strong>ard-conform implementation<br />
of the TCP protocol only to bypass firewalls <strong>and</strong> intrusion detection mechanisms<br />
installed on the infected host.<br />
A manipulation not yet addressed above is the spoofing of layer 3 addresses.<br />
Spoofing destination addresses makes little sense unless the sender does not care<br />
whether the recipient will actually receive a packet or can ensure that the intended<br />
destination can be reached through a given address – which would however no<br />
longer meet our underst<strong>and</strong>ing of the term “spoofed”. Spoofed source addresses<br />
have on the other h<strong>and</strong> been observed in the wild <strong>and</strong> may actually hinder attribution<br />
efforts. However, the analysis presented in [14], the only wide-scale effort to<br />
detect filtering of spoofed addresses we are aware of, concluded that only about one<br />
quarter of the autonomous systems observed in 2005 were vulnerable to spoofing.<br />
Thus, relying solely on a communication mechanism that uses spoofed addresses<br />
may again deny a bot herder access to a significant fraction of its infected systems.<br />
In addition to that, when an infected system is behind a NAT gateway, the gateway<br />
will simply follow its mode of operation <strong>and</strong> translate the packet, writing the legitimate<br />
address to the packet sent through the wide area network.<br />
B. Steganography<br />
Steganography is the art of hiding communication channels. Since the observation<br />
of C 2 channels is a prominent part of detection <strong>and</strong> takedown efforts,<br />
a bot herder may be tempted to use techniques developed in this field to hide<br />
its botnet’s C 2 channel. Approaches such as the one described in [15] use fields
400 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
in the IP header that are left unchanged by intermediate systems to hide a few, 28<br />
in the named approach, bits in otherwise legitimate IP packets. Similar approaches<br />
are conceivable for transport layer protocols, but we do not expect these to provide<br />
a significantly larger count of bits per packet.<br />
For IPv4 or TCP, the header length can be adjusted to allow adding additional<br />
options. In principle, a bot herder could use the extra space obtainable by adjusting<br />
the length field to increase the b<strong>and</strong>width of a steganographic approach. This<br />
highlights however an issue which also appears, though with a different nature,<br />
in the approach described in the previous paragraph. The use of additional options<br />
is very rare for both TCP <strong>and</strong> IPv4, i.e. while the attacker is free to choose<br />
an unsuspicious payload, using oversized headers may attract even more attention<br />
than simply transferring the steganographic payload in the application layer section<br />
of the packet. For the approaches that do not inflate the size of the header, the minuscule<br />
steganographic payload will require that a significant number of packets<br />
is transferred for any significant botnet protocol payload. Thus, differences in communication<br />
patterns may again be similarly or even more striking than without<br />
such an attempt to obfuscate the C 2 channel using these techniques.<br />
C. Use of cryptography<br />
Cryptographic protocols are designed to provide three core properties:<br />
• Confidentiality<br />
• Integrity<br />
• Authenticity<br />
Confidentiality ensures that messages cannot be read in transit. Integrity allows<br />
a peer to verify that messages have not been modified in transit <strong>and</strong> authenticity<br />
provides proof of identification or approval by a verified entity.<br />
The Storm botnet employed a custom encryption algorithm, its supposed<br />
successor, the Waledac botnet, the st<strong>and</strong>ardised AES algorithm but both implementations<br />
employed static keys [16]. When a static key is used, a network intrusion<br />
detection system may either decrypt an observed payload with the known<br />
key <strong>and</strong> then apply its pattern matching algorithm or sometimes it may even be<br />
enough to match on the encrypted message.<br />
Duqu could be considered an example for correct use of cryptography<br />
in that it can connect to its C 2 server through a legitimate HTTPS connection,<br />
however the C 2 server uses a frequently replaced self-signed certificate, rendering<br />
the connection subject to man-in-the-middle attacks. This appears to be<br />
acceptable from the malware author’s point of view since the actual payload<br />
is encrypted with a symmetric key stored in its binary, illustrated also by that<br />
a second method for establishing a C 2 channel exchanges the same data but<br />
using plain HTTP [17].
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
401<br />
Finally, bot herders can use digital signatures on updates <strong>and</strong> C 2 messages<br />
to ensure that only the owner of a specific private key, i.e. the bot herder itself,<br />
can assert control or roll out applications in the botnet. Without authentication,<br />
an attacker with an underst<strong>and</strong>ing of the botnet’s protocol may issue comm<strong>and</strong>s<br />
or roll out updates on a bot, e.g. to install a software it would otherwise have to pay<br />
the bot herder to run on infected machines, thwarting the bot herder’s business<br />
model. Authenticated messages <strong>and</strong>/or updates have are used by several botnets<br />
at this time, including Duqu, but also Sality [18] or Miner [19].<br />
D. Conclusions<br />
Our analysis suggests that while changes to protocols below the application<br />
layer are labour intensive, they provide little potential for benefit to a bot herder<br />
with regard to avoiding network intrusion detection. Steganographic approaches<br />
that require changes in these layers suffer from the same drawback given that obfuscation<br />
in one domain results in anomalies in a different domain <strong>and</strong> are thus<br />
equally unlikely to prevail. We do however expect steganography in the sense that<br />
botnet protocol messages will resemble or be encapsulated in legitimate protocol<br />
messages. This is already the case with both Miner <strong>and</strong> Duqu, which encapsulate<br />
their messages in an apparent HTTP-session.<br />
Cryptography will play a major role in both rendering a botnet’s traffic invisible<br />
<strong>and</strong> asserting the bot herder’s control over it. Most botnets we are aware<br />
of encrypt their protocol messages, obstructing payload based network intrusion<br />
detection, <strong>and</strong> at least some use digital signatures to prevent unauthorised access<br />
to their comm<strong>and</strong> <strong>and</strong> control channels. Concepts <strong>and</strong> implementations however<br />
display weaknesses that reduce the effectiveness of these safeguards. Symmetric<br />
encryption often uses custom algorithms <strong>and</strong> fixed shared keys without any initialisation<br />
vector instead of generating session keys. While the RSA algorithm<br />
often used for generating signatures is considered secure, implementation details<br />
such as key lengths, selected hash functions or data to authenticate limit their<br />
effectiveness.<br />
We can only guess why malware authors prefer custom but often imperfect<br />
designs over st<strong>and</strong>ardised approaches, but botnet operators have proven that they<br />
are capable of evolving their designs, particularly when their botnet’s vulnerabilities<br />
have been exploited to interfere with their businesses. Thus, botnets will not only<br />
increasingly rely on tunnelling all of their C 2 traffic through legitimate protocols such<br />
as HTTP <strong>and</strong> HTTPS, but will also make a better use of cryptography. The payload<br />
of packets transmitted or received by these botnet clients will therefore no longer<br />
carry any features that could be exploited for deep packet inspection, motivating<br />
a need for approaches that can detect botnet communication without relying on<br />
any immediate properties of the payload.
402 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
V. Network layer observation of future botnets<br />
In this section, we analyse the properties that will remain observable given<br />
the expected design of future botnets discussed in section IV. We start with describing<br />
the properties that remain directly observable in section V.A, followed by<br />
an analysis of how the behaviour of applications correlates with them. Finally, we<br />
motivate a granularity below traditional netflows as the base for further analysis<br />
<strong>and</strong> ultimately detection in section V.C.<br />
A. Observable features<br />
While OSI layer 2 is persistent in local networks only, i.e. its header does not<br />
contain any information written by the source of a layer 3 packet unless the point<br />
of observation is within the very same local network, we can learn the size of its<br />
payload <strong>and</strong> the observation time from it. The former will be equal to the size<br />
of the layer 3 packet transmitted by the source unless layer 3 fragmentation occurs.<br />
We suggest however to disregard this special case <strong>and</strong> treat fragments of a packet<br />
as if they were individual packets sent with the observed size.<br />
For the latter, i.e. the observation time, a simple relation to the timestamp t source<br />
at which an observed packet was transmitted by the source holds. With m denoting<br />
the mean time needed for traversing the links until reaching the observation point<br />
<strong>and</strong> j the jitter introduced by differences in network load <strong>and</strong> routes, we can characterise<br />
an observation timestamp t as:<br />
t = t source + m + j<br />
Thus, while we cannot determine t source exactly without knowing m <strong>and</strong> j, we<br />
can infer that the delay between two consecutive observations differs from the delay<br />
at the source only by the differences of the jitter applied to these observations. I.e.<br />
the smaller j in the equation given above, the better we can approximate that delay<br />
by observing the delay at our observation point.<br />
Based on the analysis provided in section IV, we assume that headers at layer 3<br />
<strong>and</strong> 4 will generally be genuine, but at least allow associating observed packets with<br />
a particular flow. Note that forged source addresses, where possible, may serve to<br />
complicate attribution but would not impede with gathering <strong>and</strong> attributing data<br />
for the destination system.<br />
Our analysis further suggests that while OSI layer 5 <strong>and</strong> up data may be available<br />
technically, it will not contain exploitable features due to the combination<br />
of proper encryption <strong>and</strong> tunnelling through legitimate protocols. Note that with<br />
what we would call “not proper encryption”, using payload signatures may still be<br />
possible, as pointed out in [5].
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
403<br />
B. Relations between application behaviour <strong>and</strong> observations<br />
on the network layer<br />
Typically, when a server application receives a request from a system running<br />
a client application, it processes the request, generates the answer <strong>and</strong> then transmits<br />
it to the client. Generating <strong>and</strong> transmitting an answer can be interleaved or<br />
executed in parallel. Thus, when an application generates data at the same speed or<br />
a higher speed than the capacity of the link that must be traversed when sending<br />
the data through the network, the respective packets will be as large as possible <strong>and</strong><br />
emitted at a constant rate, i.e. the maximum rate permitted b y that link.<br />
On the other extreme end, an application may need considerably more time<br />
to generate a particular chunk of data than for transmitting it through the network.<br />
Therefore, a delay occurs between a request <strong>and</strong> the transmission of the answer.<br />
Finally, an application generating a fixed amount of data in each timestep, such<br />
as a voice over IP application, can be considered a special case of the latter type<br />
of application. We suggest however to consider this a class of behaviour on its own,<br />
leaving us with a total of three classes of observable behaviour:<br />
• Data transfer<br />
• Computationally expensive/varying data rate<br />
• Constant bitrate<br />
Figure 1 visualises the network layer observation of these features. Each box<br />
refers to a packet sent by an application, where the size of a box corresponds to<br />
the size of the respective packet <strong>and</strong> white spaces between boxes indicate that no data<br />
was sent by the application in the respective time frame. In this example, the first five<br />
packets fall into the data transfer class, saturating each except the very last packet.<br />
Following that, five packets are generated by a mechanism which generates data at<br />
a varying rate, observable through the variation of packet sizes <strong>and</strong> inter-arrivaltimes.<br />
Finally, the last five packets in figure 1 are generated at a constant rate <strong>and</strong><br />
carry the same amount of payload.<br />
Time →<br />
Application behaviour<br />
Data transfer Computationally expensive answer Constant rate<br />
Figure 1. Packets observed for different kinds of application behaviour. Wider boxes indicate<br />
larger packet size, requiring more time for transmission<br />
While the varying data rate mode can easily be identified since it will result<br />
in a large variance of either packet sizes, inter-arrival-times or both, the other two<br />
classes will both result in a small variance for each of these properties. Thus, to<br />
be able to distinguish between them, we have to introduce a third metric. Such<br />
a metric should relate to properties of the link traversed in order to reveal whether
404 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
it appears to be saturated, indicating a data transfer, or not, implying that data<br />
is being generated at a constant rate.<br />
We suggest estimating the maximum size of a packet for the respective<br />
link, e.g. by observing maximum packet sizes for flows between two systems, <strong>and</strong><br />
check whether the mean packet size of a given flow converges towards it. This<br />
would indicate saturated packets as we expect to observe for a data transfer. While<br />
estimating the maximum capacity available to the flow for each attached system<br />
would be another valid metric, mismeasurements may occur due to several reasons.<br />
First, a system may communicate outside our field of view, i.e. its network connection<br />
may be saturated but we may not be able to observe that. Secondly, even<br />
though the effect may be questioned, many applications introduce rate limiting to<br />
improve quality of service, thus the observed flow could fail to saturate a correct<br />
estimate for the capacity of each system's network connection even when we are<br />
able to observe all flows for both systems.<br />
C. Multiple types of behaviour in a single flow<br />
The behaviour described in the previous section will provide a classification<br />
into data transfer, fixed rate data <strong>and</strong> varying rate data for a single direction<br />
of a network flow. Obviously, a flow, including a single direction of a flow, may carry<br />
data generated through different kinds of mechanisms. Consider e.g. an HTTPS<br />
connection where the first packets are used to establish a shared secret key, i.e. by<br />
a computationally expensive mechanism generating data at varying rates, followed<br />
by a or even several data transfers when HTTP pipelining is used. Thus, using<br />
a single label for the whole flow may misrepresent the nature of the flow.<br />
To correctly represent the nature of such flows, we introduce the notion of a subflow,<br />
i.e. a portion of a single direction of a netflow that fits into one of the above<br />
categories. We explicitly allow two succeeding subflows to belong to the same<br />
category, given that their nature changes in a way suggesting they were generated<br />
by a different mechanism or another instantiation of the same mechanism. This<br />
would apply for instance to the HTTP pipelining case mentioned above, where<br />
a time gap between two file transfers occurs, caused by the client-server interaction<br />
<strong>and</strong> the need for additional processing by the server for providing the second file.<br />
VI. Observations for botnet detection<br />
We want to exploit features that can be observed or derived from observations<br />
described in section V. Since the described feature space is very limited <strong>and</strong> reveals<br />
only basic properties of the communicating applications, we cannot expect a single<br />
observable feature to reveal the presence of a botnet client, nor do we expect that<br />
a single observation for a given feature will provide sufficient evidence for such<br />
a conclusion.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
405<br />
To sidestep this issue, we want to employ statistical methods developed<br />
in the field of sensor data fusion for analysing measurements from physical sensors.<br />
These methods require that we can not only define features that we expect to<br />
distinguish botnet traffic from other traffic, but also that we are able to describe<br />
<strong>and</strong> formalise the difference between the two. In this section, we describe three<br />
features that both provide evidence of botnet activity <strong>and</strong> can be described in regard<br />
to how the presence of a botnet client will affect the measurement for a given<br />
system. We expect that this list is not exhaustive, i.e. additional features exist which<br />
have the desired properties <strong>and</strong> can be used to discriminate between benign <strong>and</strong><br />
infected systems. Identifying these will be part of our future work.<br />
First, we introduce a feature based on measuring the delay between two<br />
consecutive flows supposedly initiated by the same application. Following that, we<br />
discuss the failed flow count as an indicator for peer-to-peer based botnets in section<br />
VI.B <strong>and</strong> finally we describe how to interpret the volume of bytes transferred<br />
in a flow for our purposes in section VI.C.<br />
A. Inter-flow-initiation delay<br />
A given type of client application usually interacts with another class of applications,<br />
using an appropriate transport layer protocol. Typically, the latter application<br />
would be called the server counterpart for the application but may be<br />
identical in the case of peer-to-peer applications. Internet traffic is dominated by<br />
st<strong>and</strong>ardised protocols many of which use a registered TCP or UDP port for their<br />
server application. Thus, a given application usually interacts with servers listening<br />
on the same port. When adding the assumption that a system usually runs only one<br />
application for a given protocol, this becomes “two flow initiations with a given<br />
destination port <strong>and</strong> originating from a given IP address are usually generated<br />
by the same application running on the system identified by the address.” While<br />
this conclusion may not hold in some cases, particularly when several hosts that<br />
run a popular application share an IP address through NAT, the loose association<br />
provided may already be enough for our purpose.<br />
Based on the assumption described in the previous paragraph, we can measure<br />
the delay between two successive attempts of an application to contact another<br />
application. Again, we analyse the distribution function for the measured delays,<br />
if an application tries to initiate a flow in regular intervals, the distribution function<br />
will exhibit a local maximum at the configured interval value, i.e. the existence<br />
of a local maximum can be treated as an indicator for an automated process<br />
initiating flows. Note that we may not be able to measure the conspicuous intervals,<br />
if the malware’s flow initiations are mixed with a legitimate user’s. However, once<br />
the user ceases interaction with the application disguising the malware traffic for<br />
a sufficiently long time span, the interval can be observed. We would also like to<br />
point out that when only considering traditional netflows, this mechanism would
406 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
fail once a system would initiate <strong>and</strong> maintain a single C 2 flow over a prolonged<br />
time, even if that flow would carry periodic requests for updates or status reports.<br />
Using subflows, as suggested in V.C, allows us to distinguish between idle times <strong>and</strong><br />
message exchanges, particularly to reveal the periodic nature of subflow initiation<br />
in the described case.<br />
B. Failed flow count<br />
Botnets with peer-to-peer functionality such as Storm or Miner use a list of addresses<br />
hard coded in the malware or distributed as a separate file to allow infected<br />
hosts to connect to other peers. Since keeping such a list up to date is a hard problem,<br />
a significant fraction of the addresses in the list will no longer be available at<br />
the time the malware initiates operations. Research conducted at our institute [19]<br />
revealed that on average only about 23% of the addresses advertised in the Miner<br />
botnet’s peer lists would respond to connection requests, i.e. a client will usually<br />
have to initiate flows to a significant number of addresses before finding one that<br />
would respond to its request. We want to exploit this by taking failed connection<br />
attempts into consideration for detecting botnets with peer-to-peer functionality.<br />
Observing an explicit failure of a flow initiation attempt is only possible<br />
if the contacted system signals a rejection through ICMP. Otherwise, e.g. if the packets<br />
initiating the flow are filtered by a firewall, we have to infer the failure from<br />
what we can observe. Since few Internet protocols use strictly unidirectional<br />
communication, we interpret flows for which we did not observe any packet from<br />
the responding to the initiating system as failed. This will however also be the case<br />
when a system sends packets to a multicast address, since such an address does not<br />
represent a single system that could generate a response. Multicast transmissions<br />
are however often filtered by ISPs <strong>and</strong> thus we do not expect them to have any<br />
significant effect regarding this feature. Besides that, treating multicast addresses<br />
differently regarding this feature would be a valid option if significant changes<br />
in usage patterns would render it useless otherwise.<br />
C. Flow volume<br />
For a typical protocol providing users with access to data stored at a central<br />
location such as HTTP, the client to server direction of the flow will consist<br />
of a small or series of small requests <strong>and</strong> one or several large responses. Following<br />
the methodology introduced in sections V.B <strong>and</strong> V.C, each request <strong>and</strong> response<br />
would correspond to a single subflow.<br />
We do not expect that this will be fundamentally different for a botnet protocol,<br />
however we want to exploit one feature that distincts regular <strong>and</strong> botnet client<br />
behaviour. A botnet client will usually request a few pieces of data, either using<br />
fixed requests or building them from a template. While live users’ requests may
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
407<br />
be dominated by a static part, users will access a larger variety of resources from<br />
a given server, usually resulting in varying lengths for the respective requests <strong>and</strong><br />
responses. A bot requesting data in the described manner will however generate<br />
evenly lengthed requests <strong>and</strong> a system answering such requests will exhibit little<br />
variation in the size of its responses.<br />
Thus, we want to analyse the payload byte counts of subflows for an unusual<br />
distribution function, more particularly one with very distinct local maxima. For<br />
a botnet client, these will correspond to the length of requests for updates or comm<strong>and</strong>s,<br />
when considering a system serving those to infected hosts, they will reveal<br />
the sizes of the comm<strong>and</strong>s or updates provided through peaks in their distribution<br />
function. While the total count of bytes transferred in a flow is strongly correlated<br />
with the length of the transferred application payload, the measured values may<br />
differ between flows that traverse different links, if the smallest maximum payload<br />
size for the layer 2 protocols for those links differ. Thus, we suggest measuring<br />
the payload size directly.<br />
VII. Host models<br />
Our projected system will use the features described above to classify observed<br />
systems as belonging to a given host model, describing the behaviour patterns<br />
expected from a system fitting that model. The models we describe here include<br />
legitimate clients <strong>and</strong> servers, indicating that the system is benign, <strong>and</strong> a model for<br />
systems that may have been infected with a botnet client. In the following sections,<br />
we describe our current definitions for these models in that order.<br />
A. Client model<br />
Non-infected clients as part of a network system mostly behave in a noisy<br />
manner. Though timely regular activities such as checks for new email <strong>and</strong> updates<br />
of the operating system are part of our client model, we assume that these are superimposed<br />
by user activities such as web browsing. This infers a wide spectrum<br />
in measurements of the features given above. For example, the inter-flow-initiation<br />
delay of activities that come from a user is modelled to have a wide b<strong>and</strong>width<br />
in the frequency domain. The same holds for the flow volume as the down-stream<br />
to the client underlies a great variety of requested data objects. Failed flows on<br />
the other h<strong>and</strong> may occur but are rare since users reject applications that frequently<br />
fail to provide their service.<br />
B. Server model<br />
A system providing services for clients is strongly affected by user actions.<br />
More particularly, the noisy patterns of diverse user interaction propagates to
408 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
the measurements for our features concerning legitimate servers. To distinguish<br />
between servers <strong>and</strong> clients, we can also exploit their sinkhole structure in terms<br />
of the network flow direction.<br />
C. Infected<br />
The malicious behaviour of an infected host can possibly only be observed<br />
in interference with benign user actions. However, we assume that the malware<br />
activities have a significant impact on the features described above. As the malicious<br />
activities are machine-controlled, they might be assumed to occur in timely<br />
regular patterns [20]. This implies needle-like b<strong>and</strong>withs in the frequency domain.<br />
Again, the same holds for the flow volume. This is due to the fact that the number<br />
of possible actions of a malware is very limited [19].<br />
VIII. First results<br />
In the preceding sections, we described the foundations for a system that distinguishes<br />
between regular client or server systems <strong>and</strong> systems that have been infected<br />
with a botnet client. Our prototype implementation does not cover all of these concepts<br />
yet but provides a base for estimating whether our assumptions were correct.<br />
The Waikato traces briefly described in section VIII.A provide our baseline for<br />
network traffic predominantly generated by benign systems. In the section thereafter<br />
we describe our method for obtaining a network trace from a live botnet client by<br />
executing it in a secure environment. Finally, we discuss the feature distributions<br />
observed for these traces in section VIII.C.<br />
A. Waikato<br />
We use network traces provided by the Waikato Internet Traffic Storage<br />
(WITS) of the University of Waikato, New Zeal<strong>and</strong> as a baseline for “normal” traffic.<br />
The traces were captured at the university’s Internet exchange, between June<br />
<strong>and</strong> September 2007. They do not include layer 4 payloads <strong>and</strong> IP addresses have<br />
been anonymised by XOR’ing them with a key which would be changed once every<br />
week. Please refer to the WITS website [21] for additional details on the trace files.<br />
Since considering the whole dataset would be unlikely to provide any insight<br />
beyond that provided by a well-chosen sample, we selected two trace files from<br />
consecutive weekdays, the 4th <strong>and</strong> 5th of September 2007 for this evaluation. We<br />
could not use traces from different weeks since the anonymisation may result<br />
in systems with different roles being mapped to the same address, possibly distorting<br />
measurements.<br />
Also, anonymisation prevents the use of legacy methods for detecting malicious<br />
traffic. Thus, we cannot ensure that the traffic observed in these traces does
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
409<br />
not include any traffic generated by malware. To select a subset which should at least<br />
be clearly dominated by user interaction, we only consider flows initiated towards<br />
a server listening on TCP port 80 (HTTP). While some of the respective flows<br />
may have been initiated by a malware, we suspect that a very dominant majority<br />
corresponds to legitimate use of the HTTP protocol.<br />
When analysing this subset, we noticed that a single IP address (anonymised<br />
to 249.5.77.77) would contribute almost 57% of the respective measurements. Our<br />
best guess is that this address refers to a proxy server, i.e. a system relaying HTTP<br />
requests for an unknown number of end users. While the respective measurements<br />
neatly fit our expectations for the features described earlier, we decided to exclude<br />
them from the results presented in section VIII.C to avoid introducing the skew<br />
of the distribution caused by such a system, particularly with respect to the interflow-initiation<br />
feature.<br />
B. Miner<br />
Evaluating our feature set for actual malware turned out to be a difficult task.<br />
To achieve an acceptable level of significance, we would have to run a malware for<br />
a prolonged time span. Doing so while giving the malware full access to the Internet<br />
would be unethical <strong>and</strong> could result in liability for damages. We thus use a setup<br />
where a malware runs in a virtual machine without access to the Internet.<br />
To be able to observe C 2 traffic, we had to provide the malware with a peer or peers<br />
that it can interact with. This implied reverse-engineering the malware’s C 2 protocol,<br />
a very labour- <strong>and</strong> thus time-consuming task on its own. Therefore, we rely on our<br />
colleagues’ implementation of the reverse engineered Miner botnet C 2 protocol. In our<br />
setup, this implementation would run in one virtual machine, providing the interfaces<br />
described in [19] to a second virtual machine infected with the Miner botnet client.<br />
The Miner uses a list of bootstrapping IPs <strong>and</strong> an additional list of peers for<br />
a peer-to-peer component. For our setup, we ensured that each address in the first<br />
list would be available, providing data to the botnet client, including a modified<br />
version of the second list. We generated the latter list such that each entry would<br />
be selected from a pool of reachable addresses with probability 1 / 3 <strong>and</strong> from another<br />
pool of unreachable addresses otherwise. This is a significant improvement<br />
over the 23% of responding hosts in Miner peer lists determined in the wild. Since<br />
the Miner client scans the peer list linearly, we r<strong>and</strong>omised the order of addresses<br />
in the peer list to avoid any bias.<br />
The results we present below were obtained by sniffing on the virtual network<br />
link between the two virtual machines for 24 hours. We started with an uninfected<br />
system but initiated an infection right after starting to listen on the virtual link.<br />
Other than for the infection, no user interaction occurred.<br />
With just a single malware to verify our observations against, we cannot derive<br />
conclusions regarding the generality of our approach, yet. However, it allows us to
410 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
test whether our hypothesis’ hold for a particular malware indicating whether or<br />
not investing further research in the area may be feasible.<br />
Fraction of All Observed Delays<br />
0.00 0.02 0.04 0.06 0.08<br />
Waikato<br />
Miner<br />
0 1 2 3 4<br />
Delay Between Flows Initiated to the Same Port<br />
Fraction of All Observed Hosts (logscale)<br />
5e−07 2e−06 5e−06 2e−05 5e−05<br />
Waikato<br />
Miner<br />
0 500 1000 1500 2000 2500 3000 3500<br />
Failed Flow Initiations Per Hour<br />
Figure 2. Inter-flow-initation delay for flows to<br />
the same destination port<br />
Figure 3. Mean of failed flow initiations per hour<br />
<strong>and</strong> host. A red vertical line indicates the value<br />
for the Miner botnet client. Note that the y-axis<br />
is logarithmically scaled<br />
Fraction of All Observed Flows<br />
0.0 0.1 0.2 0.3 0.4 0.5<br />
Waikato<br />
Miner<br />
0 200 400 600 800 1000<br />
Count of Bytes Transfered in a Flow, from the Responder to its Initiator<br />
Fraction of All Observed Flows<br />
0.00 0.05 0.10 0.15 0.20 0.25 0.30<br />
Waikato<br />
Miner<br />
0 200 400 600 800 1000<br />
Count of Bytes Transfered in a Flow, from its Initiator to the Responder<br />
Figure 4. Payload byte count of the initiator<br />
to responder direction of a flow. Values larger<br />
than 1000 were cut off with respect to the long<br />
tailed distribution<br />
Figure 5. Payload byte count of the responder to<br />
initiator direction of a flow. Again, values larger<br />
than 1000 have been omitted<br />
C. Results<br />
Figure 2 shows a Gaussian kernel based approximation of the probability<br />
density function for the delays observed according to the description given in section<br />
VI.A. The black line corresponds to the measurements for the Waikato traces,<br />
a thick red line indicates the results for the Miner trace obtained as described above.<br />
While the distributions share a spike very close to 0 <strong>and</strong> a very long tail, which<br />
we left out for clearness of the presentation, the Miner trace’s distribution exhibits<br />
a very distinct spike at about 3 seconds. This reflects the Miner botnet client’s waiting<br />
period of 3 seconds between consecutive executions of an online check <strong>and</strong><br />
confirms that this feature is able to reveal such periodic events.<br />
We provide a plot of the probability density for a given mean of failed flows per<br />
host <strong>and</strong> hour in figure 3. To provide some level of detail for lower values, the figure<br />
uses a logarithmically scaled y-axis. The numbers for the Waikato traces include<br />
a total of 570 hosts for which the first <strong>and</strong> last connections initiated to TCP port
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
411<br />
80 were at least one hour apart. Only 46.2% of these hosts achieved a rate of more<br />
than one failed connection per hour, 30 hosts had a rate of 10 or higher with two<br />
hosts exhibiting about 105 failed TCP connections to port 80 per hour. The Miner<br />
on the other h<strong>and</strong> initiated well above 3500 failed flows per hour, st<strong>and</strong>ing out very<br />
clearly as a red line on the right h<strong>and</strong> side of figure 3.<br />
In figures 4 <strong>and</strong> 5, we provide the probability density for the count of payload<br />
bytes transferred from an initiator to the responder of a flow <strong>and</strong> vice versa.<br />
A function will not produce a plot in the figure, if its value is exactly zero. Again,<br />
results for the Miner botnet client are indicated by a thick red line, Waikato trace<br />
results by a thin black line <strong>and</strong> we cut of the distributions’ long tails at 1000 bytes.<br />
While the Waikato traces do exhibit some spikes in both distributions, they are far<br />
less distinctive than those of the Miner bot. Also, only a rather limited set of values<br />
actually occurs for the Miner botnet client, while the clients in the Waikato traces<br />
produced almost any value in the whole spectrum.<br />
Since the Miner bot creates a significant count of failed flows but also successfully<br />
established connections answered by a zero-lengthed reply, its distributions are dominated<br />
by flows with zero lengthed payload in each direction. The size of the request<br />
<strong>and</strong> replies generated by Miner or the tool mentioned in VIII.B are clearly visible<br />
as spikes or a group of similar values where their size varied. Some of these connections<br />
are attempts to determine whether the bot has Internet access by requesting<br />
the home page of some major websites. Since the Miner does not verify the result<br />
in any way, our tool simply returns a static reply, visible as a very distinct spike just<br />
below 200 bytes in figure 5. We would like to point out that a legitimate website may<br />
however serve different content over time or even for each request, i.e. the feature<br />
might produce less distinctive measurements in the wild. Nevertheless, we consider<br />
our results as a clear indication that the feature achieves its goal of revealing significant<br />
volumes of identical or nearly identical requests <strong>and</strong> replies.<br />
IX. Future work<br />
A. Model-based host classification<br />
This paper presents selected features to measure for future botnet detection<br />
<strong>and</strong> experimental results. These features shall be used for host classification using<br />
the models described in section VII. To this end, an expected behaviour for each<br />
model in terms of measurements of the features as a state has to be determined.<br />
Then, an iterative likelihood ratio test will be used to classify flows observed for<br />
particular systems. This iterative update scheme has been used widely for hypothesis<br />
testing of any kind. The critical task will be to define well suited transition models<br />
of the state in time. As a first step, the aforementioned data traces of Waikato <strong>and</strong><br />
the Miner bot will be used to examine the consistency <strong>and</strong> performance of this approach.<br />
However, we are convinced that this scheme has the potential to succeed
412 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
in higher level fusion of multiple information sources for a general detection of bot<br />
behaviour in network traffic.<br />
B. Guide railing features<br />
In section IV, we discussed the expected design for future botnets, focusing on<br />
the most promising approaches from a bot herder’s point of view <strong>and</strong> then described<br />
an approach for detecting botnets following the implied design principles. We are<br />
aware however, that a protocol may be designed particularly to evade approaches<br />
as the one presented in this publication, e.g. by using oversized transport headers<br />
for messaging to simulate packets without any application payload. As pointed<br />
out in section IV.B, this would constitute a more striking anomaly than the ones<br />
we aim to detect with the described features, but could nevertheless reach the goal<br />
of evading detection in the described feature space. For a practical deployment, our<br />
model should thus include additional features that indicate such evasive behaviour,<br />
i.e. provide strong evidence of malicious activity.<br />
C. Signatures<br />
As pointed out in section VII, legitimate applications may to some degree<br />
exhibit the behaviour associated with botnet clients. To avoid false alarms without<br />
allowing botnets with a loose C 2 channel to go undetected, it may be helpful to allow<br />
incorporating signatures matching the behaviour of these applications regarding<br />
our feature space so that the measurements they generate can be filtered.<br />
X. Conclusions<br />
In this paper, we discussed key elements of the botnet design which is likely to<br />
emerge from their ongoing evolution. Our analysis suggests that future botnets will<br />
use proper encryption <strong>and</strong> integrity checks for their protocol messages <strong>and</strong> authentication<br />
for comm<strong>and</strong>s <strong>and</strong> updates. Those measures, potentially complemented by<br />
tunnelling through legitimate protocols, would render them invisible to payload based<br />
approaches currently dominant in network intrusion detection. Based on careful<br />
analysis of the relationship between properties that remain observable to a network<br />
intrusion detection system under these circumstances <strong>and</strong> the behaviour of applications<br />
communicating through a network, we suggested to observe the delay between<br />
flow initiations to a similar protocol endpoint, the count of failed flow initiations<br />
<strong>and</strong> the count of payload bytes transferred for botnet detection. We drafted a system<br />
which exploits the measurement of these <strong>and</strong> possibly additional features as an input<br />
to an iterative likelihood ratio test for assigning one of three classes of hosts to each<br />
observed system. These classes include a model for hosts that have been infected<br />
with a botnet client, i.e. the classification reveals a malware infection.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
413<br />
While our prototype implementation does not cover all aspects of our approach<br />
yet <strong>and</strong> some issues remain open for further research, we were able to verify<br />
that the suggested features were affected by the Miner botnet client in the predicted<br />
manner. Single measurements will however not provide the level of certainty traditional<br />
payload signatures can provide for today’s botnets. Thus, detection has to<br />
be carried out as an iterative process, taking into account a series of measurements<br />
for each observed system. Similar problems have been studied in the field<br />
of sensor data fusion <strong>and</strong> thus our current <strong>and</strong> future research is part of a joint<br />
effort to migrate the methods <strong>and</strong> algorithms developed in that field into network<br />
intrusion detection.<br />
Acknowledgment<br />
We would like to thank our colleagues at the FKIE Cyber Defense <strong>and</strong> Sensor<br />
Data <strong>and</strong> <strong>Information</strong> Fusion departments, the University of Bonn Computer Science<br />
Department 4 <strong>and</strong> the Singapore DSO National Laboratories for our fruitful<br />
discussions <strong>and</strong> their advice. Our special thanks go to Daniel Plohmann of FKIE<br />
Cyber Defense for providing a reverse engineered implementation of the Miner C 2<br />
protocol <strong>and</strong> his support in setting up our evaluation environment.<br />
References<br />
[1] D. Plohmann, E. Gerhards-Padilla, <strong>and</strong> F. Leder, “Botnets: Measurement, detection,<br />
disinfection <strong>and</strong> defence.” Technical Report published by the European Network <strong>and</strong><br />
<strong>Information</strong> Security Agency (ENISA). Editor: Giles Hogben, 2011.<br />
[2] N. Falliere, L.O. Murchu, <strong>and</strong> E. Chien, “W.32 Stuxnet dossier,” Technical Report<br />
published by Symantec, 2011.<br />
[3] V. Paxson, “Bro: A system for detecting network intruders in real-time,” in Proceedings<br />
of the 7 th USENIX Security Symposium, 1998.<br />
[4] “Snort Official Website.” Available: www.snort.org<br />
[5] K. Rieck, G. Schwenk, T. Limmer, T. Holz, <strong>and</strong> P. Laskov, “Botzilla: Detecting<br />
the ‘phoning home’ of malicious software,” in Proceedings of the 2010 ACM Symposium<br />
on Applied Computing, 2012.<br />
[6] G. Gu, R. Perdisci, J. Zhang, <strong>and</strong> W. Lee, “BotMiner: Clustering analysis of network<br />
traffic for protocol- <strong>and</strong> structure-independent botnet detection,” in Proceedings<br />
of the 17 th USENIX Security Symposium, 2008.<br />
[7] M. Celenk, T. Conley, J. Willis, <strong>and</strong> J. Graham, “Predictive network anomaly<br />
detection <strong>and</strong> visualization,” in IEEE Transactions on <strong>Information</strong> Forensics <strong>and</strong><br />
Security, vol. 5, no. 2, 2010.<br />
[8] T. Karagiannis, K. Papagiannaki, <strong>and</strong> M. Faloutsos, “BLINC: Multilevel traffic<br />
classification in the dark,” in Proceedings of the 2005 ACM Conference on Applications,<br />
Technologies, Architectures, <strong>and</strong> Protocols for Computer <strong>Communications</strong>, 2005.
414 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[9] L. Bernaille, R. Teixeira, <strong>and</strong> K. Salamatian, “Early application identification,”<br />
in Proceedings of the 2006 ACM Conference on emerging Networking eXperiments <strong>and</strong><br />
Technologies, 2006.<br />
[10] M. Crotti, M. Dusi, F. Gringoli, <strong>and</strong> L. Salgarelli, “Traffic Classification Through<br />
Simple Statistical Fingerprinting,” in ACM SIGCOMM Computer Communication<br />
Review, 2007.<br />
[11] M. Dusi, M. Crotti, F. Gringoli, <strong>and</strong> L. Salgarelli, “Detection of Encrypted<br />
Tunnels Across Network Boundaries,” in Proceedings of the 2008 IEEE International<br />
Conference on <strong>Communications</strong>, 2008.<br />
[12] H. Stern, “The rise <strong>and</strong> fall of Reactor Mailer,” in Proceedings of the 2009 MIT Spam<br />
Conference, 2009.<br />
[13] G. Maier, F. Schneider, <strong>and</strong> A. Feldmann, “NAT Usage in Residential Broadb<strong>and</strong><br />
Networks,” in Passive <strong>and</strong> Active Measurement, ser. Lecture Notes in Computer Science,<br />
N. Spring <strong>and</strong> G. Riley, Eds., vol. 6579, 2011.<br />
[14] R. Beverly <strong>and</strong> S. Bauer, “The Spoofer Project: Inferring the extent of source address<br />
filtering on the Internet,” in Proceedings of the 2005 USENIX Workshop on Steps to<br />
Reducing Unwanted Traffic on the Internet, 2005.<br />
[15] E. Cauich, R. Gómez Cárdenas, <strong>and</strong> R. Watanabe, “Data Hiding in Identification<br />
<strong>and</strong> Offset IP Fields,” in Advanced Distributed Systems, ser. Lecture Notes in Computer<br />
Science, F. Ramos, V. Larios Rosillo, <strong>and</strong> H. Unger, Eds, vol. 3563, 2005.<br />
[16] J. Calvet, C.R. Davis, <strong>and</strong> P.-M. Bureau, “Malware authors don’t learn, <strong>and</strong> that’s<br />
good!” in Proceedings of the 2009 International Conference on Malicious <strong>and</strong> Unwanted<br />
Software (MALWARE), 2009.<br />
[17] “W32.Duqu: The precursor to the next Stuxnet, Version 1.4,” Technical Report<br />
published by Symantec, 2011.<br />
[18] N. Falliere, “Sality: Story of a peer-to-peer viral network,” Technical Report published<br />
by Symantec, 2011.<br />
[19] D. Plohmann <strong>and</strong> E. Gerhards-Padilla, “Case Study of the Miner Botnet,”<br />
in Proceedings of the 4th International Conference on Cyber Conflict, 2012 (in press).<br />
[20] C. Zhang <strong>and</strong> V. Paxson, “Detecting <strong>and</strong> Analyzing Automated Activity on Twitter,”<br />
in Passive <strong>and</strong> Active Measurement, ser. Lecture Notes in Computer Science, N. Spring<br />
<strong>and</strong> G. Riley, Eds., vol. 6579, 2011.<br />
[21] “Waikato Internet Traffic Storage Website.” Available: www.w<strong>and</strong>.net.nz/wits
Methodology for Gathering Data Concerning<br />
Incidents in Cyberspace<br />
Adam Flizikowski 1, 2 , Jan Zych 2 , Witold Hołubowicz 2<br />
1 University of <strong>Technology</strong> <strong>and</strong> Life Sciences, Bydgoszcz, Pol<strong>and</strong>, adamfli@utp.edu.pl<br />
2 ITTI Sp. z o. o., Poznań, Pol<strong>and</strong>, {holub, jan.zych}@itti.com.pl<br />
Abstract: This paper introduces a cyber incident observation sheet. It is meant to support the process<br />
of gathering cyber incident data from attacks targeted against military missions. An effective method<br />
of gathering factual data is in the authors’ opinion one of the biggest challenges <strong>and</strong> show-stoppers<br />
in the process of learning adhering to a lessons learnt paradigm (especially considering negative<br />
experiences).<br />
While developing Cyber Tool with the aim of cyber threats modeling in the frame of EDA (Europe<br />
Defense Agency) Athena project, authors have identified a serious need to introduce a well shaped<br />
<strong>and</strong> structured observation form in order to enable <strong>and</strong> foster data analysis <strong>and</strong> automated processing<br />
in subsequent steps. In contrary to civil world, cyber incidents against military systems are not reported<br />
publically, nor traced back to unveil the actual vulnerabilities that have been exploited by an attack.<br />
Authors describe a formal point of view in the area of factual data collection in the area of cyber-<br />
-attacks on communication resources. The proposed method (<strong>and</strong> recommendations) of collecting<br />
information about incidents can be a valuable input into the process of continuous improvement<br />
of security level in the cyberspace.<br />
Keywords: EDA, Athena project, factual data, data acquisition, sensors, cyber threats, asymmetric<br />
threats 1 , cyber attacks<br />
I. Introduction<br />
The EDA ATHENA project is a research project responding to the JIP-FP<br />
(Joint Investment Programme on Force Protection) call in the area of mission<br />
planning <strong>and</strong> modeling of asymmetric threats. Aside from ITTI (Pol<strong>and</strong>) there<br />
are five other participants from four member countries of the European Union:<br />
TNO – the leader (Netherl<strong>and</strong>s), FFI (Finl<strong>and</strong>), Cassidian (France), TUT (Estonia)<br />
<strong>and</strong> WAT (<strong>Military</strong> University of <strong>Technology</strong>) (Pol<strong>and</strong>). Undoubtedly such<br />
composition of consortium partners with great research potential, experience<br />
1<br />
“Asymmetry” – this term describes different forms of disproportion, differentiation <strong>and</strong> disharmony, which<br />
are naturally or intentionally coexist in the environment of opposite realities. In the area of military conflicts,<br />
asymmetric operations appear in t<strong>and</strong>em with terrorists attacks. Today’s military systems are equipped with<br />
electronics <strong>and</strong> information technologies to such an extent, that cyber attacks seem to pose significant threats<br />
to military missions’ success.
416 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> domain knowledge, is expected to gain significant results while working on<br />
the project. The project is preparing – among other models/tools for enhanced<br />
mission planning/training in asymmetric conflicts – the Athena IT (<strong>Information</strong><br />
technology) tool (the Cyber Tool) for intelligence analysts.<br />
The availability of knowledge about past incidents in military cyberspace<br />
(particularly identification <strong>and</strong> extraction of related incidents from the factual data<br />
available) is crucial requirement for further processing of factual data. In subsequent<br />
steps of processing, it provides an important input for analysis <strong>and</strong> preparation<br />
of cyber-defense models in order to successfully prevent future threats.<br />
The paper focuses on describing cyber-attacks against military resources<br />
<strong>and</strong> especially highlights selected issues of the process of factual data acquisition<br />
(related to these attacks, events).<br />
Tools such as the Cyber Tool developed for cyber threats identification <strong>and</strong><br />
ranking (based on vulnerability assessment) strictly depend on the availability<br />
of suitable input data (e.g. vulnerabilities repository). The problem of the lack of such<br />
data causes serious complications: on the military IT systems vulnerabilities causes<br />
any decision support system or training tool low suitability.<br />
Figure 1. Extraction of cyber incidents from repository of past incidents<br />
Validated <strong>and</strong> well recognized good/best practices, which are developed by<br />
information science are strongly considered in this study. These practices include<br />
(but are not limited to):<br />
• gathering information about incidents in cyberspace using a formal observation<br />
sheet (unified way of collecting information about incidents);<br />
• on-the-fly validation – which prevents introducing the data that is not valid,<br />
i.e. for bit rate parameter, only specified, numerical digits can be entered,<br />
from the minimal <strong>and</strong> maximal value range, values out of the defined scope<br />
will be rejected;<br />
• usage of “dictionaries” – all the data being introduced should be picked-up<br />
from within the dataset of well-defined set of dictionaries;<br />
• exploitation of dynamic/contextual observation sheet for introducing<br />
the data sequentially (with contextual hints).
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
417<br />
In this article, the formalised sheet for collecting factual data related to cyberspace<br />
is introduced. The data from such a sheet would in turn constitute one<br />
record in a repository of past incidents from cyberspace (Figure 1). Some number<br />
of incidents collected in a repository will evidence information about security<br />
breaches in telecommunication <strong>and</strong> IT systems – namely cyber security incidents.<br />
For sake of clarifying nomenclature used in this article the following concepts<br />
definitions are given:<br />
• factual data – is a set of facts <strong>and</strong>/or activities in the area of: collection, selection<br />
<strong>and</strong> assessment of usability of information being stored <strong>and</strong> further<br />
used in respect of reflecting past incidents in an overall picture;<br />
• cyber security incident – this notion should be understood as an overall set<br />
of events that threatens network security, that is each activity that results<br />
in a direct threat to security level.<br />
Especially the following list of events is considered here:<br />
• threats to the availability of networked services (e.g. DoS attacks),<br />
• intrusion <strong>and</strong>/or attempt of intrusion to telecommunication <strong>and</strong> information<br />
technology system,<br />
• spamming,<br />
• spreading of malicious codes, viruses.<br />
It is important to notice that only limited set of (carefully processed) past cyber<br />
events registered in a repository will eventually get the status of security incidents.<br />
This paper is structured as follows – first authors introduce motivation that<br />
has led them towards publication of this paper. In chapter III the subject of “cyber<br />
incidents collection” for military is introduced. Eventually the collection process<br />
of factual data is proposed in chapter IV. Methodology of collecting information<br />
about cyber incidents is introduced in Chapter V. Finally conclusions are drawn <strong>and</strong><br />
a sample cyber observation sheet is delivered filled with exemplary information.<br />
II. Motivation<br />
In the process of designing the Cyber Tool software component in the EDA<br />
Athena project authors have faced serious exploitation-oriented challenges related<br />
to the lack of data about vulnerabilities required as an input for the tool. In order<br />
to be able to deliver expected benefits attributed to the tool, the following showstoppers<br />
need to be resolved:<br />
• lack of (ready-to use) repositories containing verified knowledge about<br />
vulnerabilities of IT systems used in military. On the other h<strong>and</strong>, existing<br />
civil repositories of vulnerabilities (e.g. SCADA systems – Supervisory<br />
Control And Data Acquisition) are publicly available. However, it is difficult<br />
to determine their relevance to the military domain<br />
• unavailability of knowledge (or lack thereof) about existing methodology,<br />
that would allow gathering of information about cyber threats in the mili-
418 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
tary domain, as well as analyzing such information. Such methodology<br />
should cover following aspects: gathering an information / data; structuring,<br />
analysis (filtering, finding the correlations, etc.) <strong>and</strong> building the new<br />
knowledge (rules)<br />
• challenging definition of realistic scenario that could show impact of cyber<br />
security issues on training, in the area of asymmetric threats.<br />
Unavailability of above mentioned items could limit the benefits of using<br />
the ATHENA Cyber Tool in the context of:<br />
• identification of networks’ <strong>and</strong> systems’ threats,<br />
• training, including an identification of given network topology vulnerabilities,<br />
• decision support capabilities.<br />
III. Cyber threats in military missions<br />
One must realize the fact that security is indivisible. With respect to e.g.<br />
network centric warfare concept it is sometimes said that the cumulative impact<br />
of new relationships among war fighting organizations (due to existence of new<br />
network connections) is the source of increased combat power as suggested in [1].<br />
In situations where people lives <strong>and</strong> health are threatened (military missions fall<br />
into this group) this assumption is significant. Identification of incidents/events,<br />
which can cause disruption or termination of military mission is one of the key<br />
problems in present military asymmetric conflicts. The new NATO Cyber Defense<br />
Policy, treats cyber security with a high priority [2]. It is related to known,<br />
but still unsolved problems in acquiring, collecting <strong>and</strong> exploiting factual data<br />
in cyber defense domain, including effective usage of sensors (both people <strong>and</strong><br />
specialized devices).<br />
There is a great amount of well known (<strong>and</strong> unknown) groups of incidents,<br />
which may lead to a disruption <strong>and</strong>/or prevent military mission from completion.<br />
Appearance of such an incident during execution of a military mission may lead to<br />
severe consequences (ultimately losses of people’s life or health). Thus the ultimate<br />
goal of collecting information about incidents in cyberspace is achieving increased<br />
level of cyber security, which in turn takes effect in an increase of military security.<br />
It is of key importance to consider the following set of information:<br />
1. Identification of information sources.<br />
2. Definition of the means used for data collection.<br />
3. Preparation of the information gathering method.<br />
4. Preparation of the concept for storing information about incidents.<br />
The points 1-4 above provide a fundament for the stage of collecting factual<br />
data about incidents in cyberspace. Elementary goals of military missions can be<br />
achieved in many ways. While defining this process we should focus on:
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
419<br />
• recording of any information about incidents, both positive (i.e.: Best <strong>and</strong><br />
Good Practices) <strong>and</strong> negative (Lessons Learned),<br />
• ordering recorded items according to some predefined criteria (e.g. ranking).<br />
The results which should be delivered at the end of the process after collecting<br />
an appropriate amount of complete data about incidents, on one h<strong>and</strong> lead directly<br />
to an increase in analysis quality <strong>and</strong> on the other (indirectly) to:<br />
• increase in the training effectiveness (for e.g. through updated syllabuses<br />
of training programs, discussing more comprehensive cases in the area<br />
of cyber security, etc.);<br />
• wider use of observations <strong>and</strong> experiences from mission (e.g. through visualization<br />
of cyber risk on the map, predicting the threat levels for a given<br />
region <strong>and</strong> period of time, ...);<br />
• cross-validation <strong>and</strong> improvement of the methodological documents<br />
fundamental for military service (recommending changes that aim at<br />
improving soldiers’ performance) on a tactical level (in warfare rules),<br />
operational-tactical level (mission plans), to a strategic level (improvement<br />
of doctrines).<br />
A successful execution of a process of gathering factual data (information<br />
about incidents) is a necessary condition to be able to apply advanced methods<br />
of analysis of data in subsequent steps e.g. to identify relevant:<br />
• correlations (mutual qualitative <strong>and</strong> quantitative relations);<br />
• coincidences (simultaneous occurrence of incidents, which are not related<br />
to each other by the root cause);<br />
• associations (association, combining facts pairwise <strong>and</strong> identifying relations<br />
between them);<br />
• cause-effect relations (direct <strong>and</strong> indirect).<br />
An interesting case study on the analysis of communication networks reliability<br />
in crisis management <strong>and</strong> military missions is presented by authors in [3].<br />
The way to identify <strong>and</strong> analyse the critical resources, search for the optimum<br />
communications network layout (relative to the adopted criterion) <strong>and</strong> identifying<br />
cause-effect relationships of objects <strong>and</strong> processes in the area of communications<br />
is presented there with use of game theory approach.<br />
IV. Factographic data collection process<br />
The proposed method of collecting factual material in cyberspace is specific<br />
<strong>and</strong> as such can be characterized by:<br />
• underlying goal of inferring information from data <strong>and</strong> further turning<br />
it into explicit knowledge;<br />
• multi-staged approach (gaining experience e.g. from daily missions, collecting,<br />
analysing <strong>and</strong> then applying it in a given context);
420 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• permanence <strong>and</strong> periodicity (every daily mission, which is realized usually<br />
during one combat day (24 hours) is focused on new experiences, every<br />
completed cycle of processing creates a foundation for next iterations);<br />
• incremental construction (every cycle generates added value in the form<br />
of extended/qualitative <strong>and</strong> quantitative changes in repository of experiences<br />
gained) <strong>and</strong> exploiting new experiences (experiences gained can be<br />
used as a request for change of warfare regulations, add new content to<br />
training program/syllabuses <strong>and</strong> eventually justify changes in doctrines).<br />
A. Classification of factual data<br />
Classification of factual data <strong>and</strong> especially of the extracted incidents in cyber<br />
defence domain is necessary to perform a statistical analysis of the data. Rules/<br />
guidelines/methods for classifying factual data (especially incidents) in cyber defence<br />
domain are presented in this subsection. Proper taxonomy should be created<br />
considering rules below e.g.:<br />
• Ockham's razor – reduce additional duplicable entities;<br />
• divisibility of categories – entity classified to one category cannot be classified<br />
elsewhere;<br />
• completeness – all categories comprise entire set of possible categories;<br />
• unequivocal – classification criteria should be precise enough so that<br />
the result of classification is always the same, no matter who is responsible<br />
for performing it;<br />
• repeatability – classification process is repeatable, no matter how many<br />
times it will be repeated;<br />
• acceptability – target taxonomy is commonly accepted;<br />
• usability – has high informative value.<br />
Statistical analysis of particular incidents occurrence is helpful in determination<br />
of appropriate defense system against cyber attacks. Factual data collected<br />
should be starting point for identification of e.g.:<br />
• the weakest elements in military network topology,<br />
• vulnerabilities of these networks on cyber attacks,<br />
• trends,<br />
• cycles,<br />
• regularities,<br />
• deviations,<br />
• anomalies.<br />
B. Aims of collecting factual data in cyberspace<br />
Cyber terrorist attack can manifest itself in the intrusion on target’s software<br />
or information technology systems <strong>and</strong> hardware. There is plenty of methods to
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
421<br />
implement this kind of activities. It results in lack of one, unified classification,<br />
because different authors use different criteria of cyber terrorist attack description.<br />
Applying the above mentioned Ockham’s razor rule, the following classification,<br />
according to CERT Pol<strong>and</strong> (Computer Emergency Response Team), is proposed<br />
(in alphabetical order):<br />
• attack on email subsystem,<br />
• attack on operational system,<br />
• attack on a server (for e.g.: WWW, DNS – Domain Name System),<br />
• illegal software,<br />
• denial of service,<br />
• dissemination of illegal <strong>and</strong> insulting, abusive content,<br />
• scanning,<br />
• social engineering,<br />
• spamming.<br />
It can also be h<strong>and</strong>ful to differentiate attacks <strong>and</strong> intrusions following categories:<br />
• reconnaissance activities before an attack (intrusion)<br />
• passwords cracking methods<br />
• exploiting vulnerabilities <strong>and</strong> security holes (using characteristics of applications,<br />
operating systems <strong>and</strong> protocols)<br />
• malicious code attacks (Trojans, viruses, worms) [4].<br />
V. Methodology of collecting information about cyber incidents<br />
A. Characteristic of data sources <strong>and</strong> registration process<br />
Among variety of events identified during military missions some can be<br />
registered <strong>and</strong> observed by human senses (soldiers’ <strong>and</strong> civilians’ participating<br />
in mission) <strong>and</strong> some other only by means technical devices (Figure 2).<br />
Considering the scope of the ATHENA project <strong>and</strong> the characteristics of typical<br />
military mission, which are among all:<br />
• occurrence of asymmetric threats,<br />
• occurrence of sudden events,<br />
• time deficit,<br />
• incomplete <strong>and</strong> unsure information,<br />
• high pressure for completion of the tasks assigned <strong>and</strong> the overall goal<br />
achievement,<br />
it is difficult to perform a comprehensive (<strong>and</strong> complete) observations by soldiers<br />
<strong>and</strong> civilians (e.g. the main sources of information about incidents) in the timeframe<br />
of a mission. As a result a factual data about incidents is usually limited <strong>and</strong><br />
fragmentary. Thus some auxiliary sources of information should be considered:<br />
• correctly constructed models – simulation environments, (e.g. simulation<br />
models, war games, battlefield simulators)
422 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• information distributed through mass media, (e.g. TV, radio, press, Internet)<br />
• information resulting from the initial analysis of factual data (at the stage<br />
of processing – before <strong>and</strong> during their storage in the repository).<br />
Main sources of information can be identified with respect to the following<br />
stages of military mission:<br />
• mission planning stage (produces mission plan),<br />
• mission execution stage (reports <strong>and</strong> notification from the battlefield),<br />
• directly after the end of the mission (report generated during debriefing).<br />
It can be reasonable to discern different sources of information about incidents<br />
between primary <strong>and</strong> secondary ones:<br />
Figure 2. Mission execution stages <strong>and</strong> relevant types of sensors<br />
• primary sources of information (observations of people directly participating<br />
in mission; technical sensors (devices))<br />
• secondary sources of information (observations made by personnel who<br />
acquires the information about incidents, initial analysis of the information<br />
about incidents that is stored in repository).<br />
This distinction seems relevant because it presents a potential for reducing<br />
information processing overhead (number of stages). A primary information<br />
is more reliable, it is directly authorized by the source. Secondary information<br />
is pre-processed already. At every stage of processing an information is improved,<br />
validated, completed etc. However every activity of this kind (during process-
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
423<br />
ing) is also potential source of information changes (corruption). In example<br />
the missile guidance systems rely only on primary information, which proves how<br />
important primary information can be considered. Within the process of cyber<br />
incidents data acquisition a multiple limitations (boundary conditions) have to<br />
be considered:<br />
• this process relies on a very formal set of (field) documents, e.g: OPORD<br />
(OPerational ORDer, operational order), FRAGO (FRAGmentary Order,<br />
more specific, fragmentary OPORD),<br />
• incorrect (inappropriate) training of personnel responsible for implementation<br />
of an observation process (for e.g. too high/low sensitivity threshold),<br />
• time limitation during debriefing,<br />
• presence of typical psychological barriers of a soldier/civilian during<br />
the AAR (After Action Review) stage<br />
• lack of contextual knowledge, needed to associate events to each other,<br />
• most of the factual data is rather plain text than reach multimedia content.<br />
The example of typical psychological barriers of a soldier during AAR stage<br />
can be among all:<br />
• details, which can negatively influence opinion, assessment of activities<br />
of other soldiers,<br />
• observations, which seem to be irrelevant, infantile,<br />
• emotional states, which may indicate weaknesses of soldiers <strong>and</strong> result<br />
in lack of acceptance or ridiculousness (abnormal, excessive fear, caution,<br />
tendency to recklessness, taking excessive risk),<br />
B. Formalization of the process of collecting information about cyber<br />
incidents in cyberspace<br />
The incident observation control sheet, which is an integral part of the method<br />
of collecting information about incidents consists of four main sections: start, event/<br />
incident itself, status of the observer <strong>and</strong> the end (Figure 3).<br />
The following information should be included in particular sections of such<br />
sheet:<br />
1. Indication of the starting point of the observation (location, time)<br />
2. Event/incident itself, description of observation with parameters<br />
3. The status of an observer (data, which could be combined for the purpose<br />
of identification of a person, who formalizes observation materials <strong>and</strong><br />
information, which makes possible to assess the level of competence of this<br />
person);<br />
4. The endpoint of the observation (location, time).<br />
Proposed methodology covers both – the AAR (After Action Review), debriefing<br />
<strong>and</strong> other materials acquired automatically through technical devices (both<br />
civilian <strong>and</strong> military).
424 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 3. Division of the incident observation sheet onto two basic parts: observed incident<br />
<strong>and</strong> status of the observer<br />
The universal character of proposed methodology stems from the fact that<br />
particular sections of the incident observation sheet are also valid for describing<br />
parameters with observations from every other sources of information both civilian<br />
<strong>and</strong> military (from mission plans <strong>and</strong> mission reports) <strong>and</strong> technical devices<br />
used for collecting factual data. The stage of collecting cyber incidents ends by filling<br />
particular sections of the observation sheet with content. Underlying information<br />
sources consist of a set of:<br />
• factual data about incidents in civilian security domain (registered for e.g.<br />
by NASK – Research <strong>and</strong> Academic Computer Network).<br />
• military documents about planning, execution <strong>and</strong> debriefing of a mission<br />
• factual data reported by ICT systems, which covers e.g. network traffic,<br />
reports from port scanning, number <strong>and</strong> size of transferred batches.<br />
Every single entry inserted into incident database can be packaged as paper or/<br />
<strong>and</strong> an electronic form. Proposed information structure (parameters) of database<br />
records is presented in the following sub-section. All information which will not<br />
be selected for inclusion into the observation sheet are considered to be irrelevant.<br />
This way information from the data sources about single cyber incident is carefully<br />
selected (Figure 4).<br />
C. Recommendations for the gathering process<br />
Every role involved in the process of cyberspace data gathering should obey<br />
a well-defined set of rules in order to assure reliability of results. These rules concern<br />
among all:<br />
• focusing on particular objects (e.g. central, base station, access to active<br />
network elements, type of software) <strong>and</strong> processes (e.g. way of communication,<br />
activities coordination),<br />
• omitting irrelevant details (they are defined separately for every mission<br />
<strong>and</strong> type of event),<br />
• using one or a well-defined set of recording techniques (paper notes, photos,<br />
videos, mind mapping, other)
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
425<br />
Figure 4. Factual data processing<br />
The issues of an “Analysis” <strong>and</strong> “Recommendations” will be described in a separate<br />
publication of the authors.<br />
• in the case auxiliary technical equipment/devices are concerned for recording,<br />
appropriate procedure of event registration should be obeyed,<br />
• level of details of registered events<br />
• structure (common structure/template should be applied for every event),<br />
• parameterization (specified parameters in every section of observation<br />
sheet),<br />
• accountability (every section of observation sheet should be described by<br />
attributes).<br />
In order to cover key items related to an incident the following levels of elementary<br />
objects should be included:<br />
• system (name of the system),<br />
• sub-system (name of the sub-system),<br />
• object (name of the object),<br />
• sub-component (name of the sub-component),<br />
• unit (name of the unit),<br />
• fragment of the unit/process.<br />
D. Time <strong>and</strong> place (location) of collecting information about incidents<br />
in cyberspace<br />
The proposed methodology is thought for particular tasks aligned in certain<br />
time frame <strong>and</strong> location:<br />
• during mission planning in headquarters (mission plan specification),<br />
• during mission execution (reports from battlefield), mission location<br />
<strong>and</strong> comm<strong>and</strong> <strong>and</strong> control centres,
426 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
• immediately after the end of the mission (e.g. during debriefing),<br />
• debriefing session in briefing hall/in headquarters,<br />
• at any time by querying/processing factual data repositories gathered by<br />
sensors/IT systems,<br />
• at any time based on the open source intelligence (OSINT – Open Source<br />
Intelligence) data acquired from civilian system (e.g. NASK), which can considered<br />
a source of information about incidents from the cyberspace.<br />
E. Methodology of information gathering<br />
Direct benefits of applying proposed methodology are as follows:<br />
• common structure for data retrieved from various sources of information<br />
• identification of structural incompleteness within particular observation<br />
sheet, in order to assure updated information h<strong>and</strong>ling in the future,<br />
• preliminary validation of the collected information about incidents<br />
in order to:<br />
▷ protect from improper values (<strong>and</strong> e.g. dates out of range),<br />
▷ account for inertia <strong>and</strong> physics of the registered phenomenas/processes<br />
(e.g. the time required to power on/off a device, initiate/terminate given<br />
process),<br />
▷ process the source information to structure it into the form required<br />
for later storage in a database, e.g.: divide all the information into types<br />
(digital, text, graphical, other).<br />
Regarding the structure for data from various sources of information, data<br />
from respective reports <strong>and</strong> notifications will be parameterized <strong>and</strong> classified into<br />
particular blocks/sections in observation sheet. Thanks to such ordering it will<br />
be possible to assign attributes to data contained in particular blocks/sections<br />
of the observation sheet:<br />
• status of the mission concerned by the collected observation (date, type<br />
of the mission, cryptonym, code name, composition of the unit, final assessment<br />
of the mission, other),<br />
• type of incident (good practice, negative experience),<br />
• every single incident should be described related to its location (geographical<br />
coordinates with the highest possible accuracy, according to different<br />
notations: WGS – World Geodetic System, NATO, ...), time (operational<br />
time, calendar time),<br />
• does the information directly influences soldiers’ health/life (yes/no),<br />
• information about the mission (currently executed, mission planned to<br />
execution, accomplished mission),<br />
• is information confirmed/not confirmed by other soldier participating<br />
in a given mission,<br />
• information status: up-to-date/out-of-date (specify this date),
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
427<br />
Figure 5. Main stages of populating data base of invents<br />
• information related to stationary/mobile object,<br />
• means by which an information was captured – human senses / additional<br />
sensors,<br />
• should the information be public/ or restricted, read only, or possible to<br />
modify,<br />
• quantity <strong>and</strong> quality of information sources (including personal information)<br />
that have confirmed particular elements of information about incident,<br />
• is the information new in repository or it is an update of existing one.<br />
To summarize above structure of an observation sheet a sample has been<br />
provided in the annex to this paper.<br />
VI. Conclusions<br />
The proposed methodology of collecting information about incidents in cyberspace<br />
mapped into a particular group of military activities should enable answering<br />
questions about (risk of) certain threats existing in today’s battlefield (especially<br />
incidents in the area of cyber security). Such method (of collecting information<br />
about cyber incidents) introduces its own identity.<br />
In this paper authors propose a comprehensive method that can be applied to<br />
collecting information about incidents based on the incidents observation sheet.<br />
An effective method of gathering factual data is in the authors’ opinion one<br />
of the biggest challenges <strong>and</strong> show-stoppers in the process of learning adhering<br />
to a lessons learnt paradigm (especially considering negative experiences). Thus<br />
the authors believe that the proposed method (<strong>and</strong> recommendations) of collecting<br />
information about incidents can be a valuable input into the process of continuous<br />
improvement of security level in the cyberspace.
428 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Acknowledgment<br />
Authors would like to acknowledge the funding received from the R&T Joint<br />
Investment Programme on Force Protection (JIP FP) which focuses on technologies<br />
for protecting EU armed forces against threats. The programme has been launched<br />
under the umbrella of the European Defence Agency <strong>and</strong> is financed by twenty<br />
European governments: Pol<strong>and</strong>, Austria, Belgium, Cyprus, Czech Republic, Estonia,<br />
Finl<strong>and</strong>, France, Germany, Greece, Hungary, Irel<strong>and</strong>, Italy, the Netherl<strong>and</strong>s, Norway,<br />
Portugal, Slovakia, Slovenia, Spain <strong>and</strong> Sweden.<br />
REFERENCES<br />
[1] D. Alberts, J. Garstka <strong>and</strong> F. Stein, Network Centric Warfare, 2nd Edition ed.,<br />
CCRP, 2000.<br />
[2] NATO, “NATO Policy on Cyber Defence,” NATO, 2011.<br />
[3] A. Flizikowski, J. Zych, “Using game theory to reliability research for communication<br />
systems in crisis management <strong>and</strong> military operations (case study),” in The functioning<br />
of the company during the crisis, P. Bartkowiak, Ed., Poznań, Scientific Society for<br />
Organization <strong>and</strong> Management, 2011, pp. 50-60.<br />
[4] D.L. Shinder, Cyberprzestępczość: jak walczyć z łamaniem prawa w Sieci<br />
(ang. Cybersecurity – how to fight against breaking the law in Internet), Gliwice:<br />
Wydawnictwo Helion, 2004.<br />
ANNEX – Observation sheet (Cyber Space)<br />
Observation sheet duly completed to facilitate the gathering of factual data<br />
in the repository. The essence of fulfillment of this worksheet is to: facilitate<br />
dealing with parameterized observation process. An observation sheet should<br />
be filled to be aware of the fact that each of the fields in the spreadsheet is usually<br />
filled with a parameter in the record in the database / repository. Please<br />
endeavor to do so would not generate. garbage at the entrance. It I not necessary<br />
that all the fields in the observation sheet were filled. The completed observation<br />
sheet contains the sample data. Below it is presented how the most important<br />
fields can be filled.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
429<br />
Mission Name (codename): TANGO – 01<br />
Observed phase of the mission<br />
planning<br />
execution<br />
debrifing<br />
(before the mission)<br />
(after the mission)<br />
☑<br />
☐<br />
☐<br />
Date of observation (YYYY.MM.DD) 2012.04.16<br />
place of observation<br />
KABUL<br />
A concise description of the mission, the essence of the mission (a few sentences)<br />
PREPARATION FOR SUPPLYING AMMUNITION AND EQUIPEMENT FOR MILITARY<br />
BASE IN KABUL<br />
Characteristics of cyber events <strong>and</strong> consequences:<br />
System:<br />
1. system (system name) AFGAN-WAN<br />
2. subsystem (subsystem name) LOG<br />
3. the object (object name) SERVER, ACCESS POINT IN MILITARY BASE<br />
Categories of information:<br />
1) information confirmed / unconfirmed by another soldier: CONFIRMED<br />
2) the information current / out of date (the date of obsolescence): CURRENT OBSERVATION<br />
3) associated with the object of a stationary / mobile: MOBILE<br />
4) identified human senses / sensors technical: TWO SOLDIERS WITH MOBILE EQUIPE-<br />
MENT, PROBABLY PERFORMING WI-FI SCANNING<br />
5) will be available for all peoples / only for selected people: SELECTED PEOPLE<br />
6) categories of accessibility (read only, modify, delete): POSSIBLE ALL CATEGORIES<br />
7) how many <strong>and</strong> which sources (who) confirmed a piece of information about the event: SEN-<br />
TRY IN FRONT OF BASE, PATROL<br />
8) The category of information in the repository (new or additional Supplementary): NEW<br />
Direct impact on the health / lives of soldiers<br />
Yes<br />
No<br />
I cannot define<br />
Type of cyber event:<br />
positive<br />
negative<br />
neutral
Problems of Detecting Unauthorized Satellite<br />
Transmissions from the VSAT Terminals<br />
Przemysław Bibik 1 , Stanisław Gradolewski 1 , Wojciech Zawiślak 2 ,<br />
Jacek Zbudniewek 2 , Radoslav Darakchiev 3 , Jerzy Krężel 3 ,<br />
Mateusz Michalski 4 , Krzysztof Strzelczyk 4<br />
1 The Institute of Aeronautics <strong>and</strong> Applied Mechanics,<br />
Warsaw University of <strong>Technology</strong>, Warsaw, Pol<strong>and</strong>,<br />
{pbibik, sgrado}@meil.pw.edu.pl<br />
2 WOOD System Integrator, Warsaw, Pol<strong>and</strong>,<br />
{wojciech.zawislak, jacek.zbudniewek}@wood.com.pl<br />
3 Astri Polska Sp. z o.o., Warsaw, Pol<strong>and</strong>,<br />
{Jerzy.Krezel, Radoslav.Darakchiev}@astripolska.pl<br />
4 <strong>Military</strong> Communication Institute, Zegrze Płd., Pol<strong>and</strong>,<br />
{m. michalski, k.strzelczyk}@wil.waw.pl<br />
Abstract: This paper presents a project proposal aimed at developing a set of components in the form<br />
of methods <strong>and</strong> tools supporting the process of detecting unauthorized satellite transmissions, realized<br />
with the VSAT (Very Small Aperture Terminal). With its help it will be possible to draw radio<br />
(spectral) maps of the existing satellite system, both for the design of new satellite system as well as for<br />
identifying unauthorized changes to the radio spectrum showing the appearance of unauthorized<br />
emissions. The results of the project may be interesting for governmental offices or security services,<br />
that deal with detection of illegal emissions, as well as manufacturers <strong>and</strong> global integrators.<br />
Keywords: component; satellites; VSAT; detection<br />
I. Introduction<br />
Commonly observed development of information technology also applies to<br />
satellite services sector, both in the two-way communication systems <strong>and</strong> broadcast<br />
systems – mainly television <strong>and</strong> radio broadcasting. While the information<br />
transmission systems develop very rapidly, whereas in the systems to safeguard<br />
the proper use of satellite transmission resources no development is being practically<br />
observed. Current status of satellite information technology security resembles<br />
a situation of the early stages of the dynamic development of the Internet, when<br />
all network systems operated on the principle of mutual trust. There were no actions<br />
aimed at stealing confidential data, or taking control of servers <strong>and</strong> portals.<br />
Over time the situation has radically changed, <strong>and</strong> today much attention is given
432 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
to the protection of information resources. Experience gained with development<br />
of the Internet shows that it is reasonable to take dynamic action to develop methods<br />
<strong>and</strong> tools to protect satellite information resources.<br />
Services responsible for monitoring the proper usage of radio spectrum <strong>and</strong><br />
the services responsible for national security, have tools to monitor the terrestrial<br />
radio, but currently they are not in the possession of any system supporting detection<br />
of law violations in the field of satellite techniques.<br />
Developing a set of components in the form of methods <strong>and</strong> tools supporting<br />
a detection process of unauthorized satellite transmissions sent using VSAT<br />
terminals has become the object <strong>and</strong> purpose of the project TransSat proposed by<br />
a consortium composed of <strong>Military</strong> Communication Institute, Institute of Aeronautics<br />
<strong>and</strong> Applied Mechanics Warsaw University of <strong>Technology</strong> (ITLiMS),<br />
Astri Pol<strong>and</strong> (APL), WOOD System Integrator (WOOD).<br />
II. Activities affecting safety of the satellite communications<br />
Unauthorized activities, affecting the security of satellite communication are<br />
meant as any action whose effects are inadequate in terms of relevant legislation,<br />
both Polish <strong>and</strong> international. Unauthorized activities can be classified into two<br />
main groups:<br />
• intentional actions – involving the aware crossing of the law <strong>and</strong> acting to<br />
the detriment of other persons or institutions,<br />
• accidental (unintentional) activities – as a result of mistake of human,<br />
equipment or software that controls devices.<br />
For unauthorized activities in the area of TransSat project interest there are<br />
included following types of events:<br />
• intentional actions like:<br />
✓ interfering with legitimate transmissions by broadcasting on the same<br />
uplink frequency,<br />
✓ interfering with the official communication channels of satellites waiting<br />
for a comm<strong>and</strong> from the control center to continue the mission,<br />
✓ activities similar to "hacking" ones, to take control over portal – e.g.<br />
taking control over TV channel,<br />
✓ transmission realization on free frequency b<strong>and</strong>s, without the consent<br />
of the satellite operator,<br />
✓ transmissions to the detriment of national security: civilian (jurisdiction<br />
of the Internal Security Agency) <strong>and</strong> military (jurisdiction of <strong>Military</strong><br />
Counterintelligence Services).<br />
• unintentional activities like:<br />
✓ entry into occupied by another user uplink frequency, as a result of an error<br />
in h<strong>and</strong>ling VSAT satellite terminal or as a result of Coordination<br />
Center employee error,
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
433<br />
✓ increasing the broadcast power by VSAT terminal over fixed level, causing<br />
distortion of the transponder receiving circuits,<br />
✓ VSAT antenna azimuth change, resulting in disrupted work of a satellite<br />
neighbouring to other satellite, with which communication is established.<br />
III. Proposed methodology for detecting unauthorized satellite<br />
transmissions<br />
Detection of unauthorized transmission using VSAT terminals, especially<br />
in the case of deliberate acts, require secrecy, <strong>and</strong> so to carry out an imperceptible<br />
procedure of monitoring <strong>and</strong> in general it is a multistage operation.<br />
The first step will be an identification <strong>and</strong> selection of active transmitters<br />
among observed VSAT transmitting terminals <strong>and</strong> transceivers. Initial selection<br />
of broadcasting VSAT terminals will be conducted by an experienced observer,<br />
based on remote viewing. This observation will be assisted with photography <strong>and</strong><br />
thermography data analysis procedures. As a result of the identification there will<br />
be determined not only the antenna that has transmission capabilities, but also<br />
the antenna, which is currently active. The next step will be to obtain information<br />
leading to the detection of the satellite, to which it was connected, in order to<br />
identify potential recipients. Determination of the satellite, which was connected<br />
to the terminal, will be possible by determining the geographic location <strong>and</strong> azimuth<br />
of the terminal. The proposed method of azimuth determination is to analyze<br />
the VSAT terminal images taken from different directions, with knowledge<br />
of the position <strong>and</strong> orientation of the imaging system, as well as to determine its<br />
distance from the observer using for example range-finder.<br />
In the next stage there will be an important task: to determine the approximate<br />
geometry of the antenna, in particular the shape <strong>and</strong> profile of the antenna system<br />
mirror <strong>and</strong> the position of the radiator brackets, which will allow to determine<br />
the approximate characteristics of the radiation. The determination of this characteristic<br />
will enable to determine the optimum listening point, <strong>and</strong> thus determine<br />
the optimal location of the observer, which may be Unmanned Aerial Vehicle or<br />
a man with a measuring equipment, <strong>and</strong> the directions of the wave emitted by<br />
VSAT terminal. A crucial element of this stage is to apply the methods of increasing<br />
the energy of compromising radiation by unstable modification of radiator<br />
set, e.g. by a local change of temperature using the laser beam, in order to enhance<br />
its detection.<br />
The last stage of detecting unauthorized satellite transmissions will be radiation<br />
detection <strong>and</strong> listening conduction.
434 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
IV. Methods <strong>and</strong> tools used to detect unauthorized satellite<br />
transmissions<br />
An important components used in procedures for detecting unauthorized<br />
satellite transmissions will be:<br />
• algorithms for automatic image analysis in both visible <strong>and</strong> infrared light.<br />
Method of image analysis used in the project will enable:<br />
✓ VSAT terminal activity detection <strong>and</strong> pre-determination whether in a period<br />
of time this activity was legal or not;<br />
✓ designation of the satellite, which a terminal is directed to;<br />
• numerical modeling allowing the determination of the approximate geometry<br />
of the antenna (Figure 1). Determination of this parameter will allow<br />
to calculate the distribution of the emitted radiation (Figure 2), which will<br />
be required for:<br />
✓ analysis of the possibility of radiator parameters remote modification,<br />
waveguide <strong>and</strong> waveguide connectors to increase the compromising<br />
radiation energy;<br />
✓ determination of optimal location of observation points to carry out<br />
listening.<br />
• algorithms for the calculation of the emitted radiation distribution, which<br />
is required to determine the best observation points to carry out listening.<br />
Figure 1. Example of numeric model of monitored<br />
object<br />
Figure 2. Example of VSAT antenna radiation<br />
characteristic. <br />
Due to the assumed location discretion of monitored VSAT terminals (terrestrial<br />
stations, on the roofs of cars or buildings) in the project is expected to use<br />
an Unmanned Aerial Vehicle (UAV), acting as a remote observer. The most common<br />
structures are vertical take-off UAV quadrotor or octocopter (Fig. 3a <strong>and</strong> 3b),<br />
in which lift force is generated by turning propellers on four, six or eight arms.<br />
These devices are controlled only by varying speed of motors driving propellers.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
435<br />
This approach excludes the need for other mechanical elements for the flight control.<br />
This type of UAV will permit to move closer to the test object <strong>and</strong> the “flotation”<br />
in the air for the time needed for data acquisition.<br />
The project also examined analogous to planes flying ships (Fig. 3c), for which<br />
the data acquisition will have to take place during movement, from a significant<br />
distance from the object. In this case it will be possible to collect multiple images<br />
(photography <strong>and</strong> thermography) during the approach to the VSAT antenna <strong>and</strong><br />
the circulation, while in the middle there is a monitored object.<br />
a) b)<br />
c)<br />
Figure 3. Examples of Unmanned Aerial Vehicles: (a) Quadrotor TARKUS (WB Electronics),<br />
(b) Octocopter SKYJIB (DROIDWORX), (c) Unmanned Plane FlyEye (WB Electronics)<br />
UAV used within the TransSat project will require a implementation <strong>and</strong><br />
integration of the following equipment/components:<br />
• measuring head,<br />
• video recorder/camera,<br />
• thermographic video recorder,<br />
• radiation detector in the b<strong>and</strong>s used in VSAT terminals,<br />
• GPS receiver,<br />
• UAV remote control systems, detection <strong>and</strong> navigation devices.<br />
The use of UAV as a remote observer requires the development of:<br />
• positioning methods of a thermographic camera, camcorder/camera,<br />
listening device <strong>and</strong> navigational equipment;<br />
• platform to record <strong>and</strong> store information in different phases of VSAT<br />
terminal monitoring;<br />
• data acquisition system of the observation unit to the operator.
436 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
V. The possibilities of using the methods <strong>and</strong> tools in other projects<br />
Developed in the TransSat project automatic image analysis algorithms in both<br />
the visible <strong>and</strong> infrared light can be used in other areas, such as mine protection<br />
of routes, where move patrols <strong>and</strong> convoys during a realization of peace missions<br />
abroad. The images obtained from the daily “test flight” route by an unmanned aircraft<br />
will be taken automatically, based on the algorithm developed in the TransSat<br />
project, compared with the reference image of the area recorded in the database.<br />
In case of discovering of disturbing differences, in the suspected place will be sent<br />
an engineer patrol to conduct a detailed reconnaissance.<br />
Another purpose of the project will be to develop numerical models of the socalled<br />
radiated emissions interference, emitted by the complete VSAT systems. Currently,<br />
manufacturers of VSAT systems provide information about the directional<br />
characteristics of the mirror of the VSAT antenna. Rarely there are information about<br />
radiation characteristics of the complete antenna with tie parts to hold the radiator,<br />
<strong>and</strong> the exceptions may include directional characteristics of complete VSAT<br />
systems, taking into account the impact of installation of all elements of the signal<br />
path, on the radiated interference emissions by the VSAT system. The lack of such<br />
information generates problems with the so-called co-located compatibility, appearing<br />
in the case of having to install several VSAT systems in close proximity<br />
to each other, such as satellite centers (called teleport, hub), or the work of several<br />
informational agencies in the given location. Developed in the TransSat project<br />
radiated noise emission models in VSAT systems, will allow to analyze in advance<br />
the possibility of appearing interference of several co-located VSAT terminals.<br />
TransSat will be applied with methods <strong>and</strong> tools supporting the process of detecting<br />
unauthorized satellite transmissions, <strong>and</strong> thus the radio emission in the frequency<br />
range 7-38 GHz can be successfully used in the preparation or updating<br />
of maps of the radio <strong>and</strong> radiolines installations. Screenshot of part of such a map<br />
was shown in Figure 4.<br />
Figure 4. Example of radiolines map
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
437<br />
VI. Summary<br />
Currently it is not possible to effectively detect unauthorized emissions of satellite<br />
signals, <strong>and</strong> the more its overhearing or recording. There are measurement<br />
stations in the market, but they operate in a very limited b<strong>and</strong>width. For example,<br />
Mobile Measuring Station made by KenBIT company operates in 20 MHz–3 GHz,<br />
while the signals are transmitted by satellite also at higher frequencies, such as DVB-S<br />
takes the b<strong>and</strong> from 10.7 GHz to 14.5 GHz, or Teledesit that works at about 29 GHz.<br />
The result of this project will be a unique solution to examine the full range<br />
of satellite frequencies – from a few hundred MHz to 32 GHz. Owing to this it will<br />
be possible to draw radio (spectral) maps of existing satellite system, both for<br />
the design of new satellite system as well as for identifying unauthorized changes<br />
to the radio spectrum, indicating the appearance of unauthorized emissions.<br />
For the purpose of the project it is expected to call TransSat consortium,<br />
that will be composed of research units (<strong>Military</strong> Communication Institute<br />
<strong>and</strong> the Institute of Aeronautics <strong>and</strong> Applied Mechanics of Warsaw University<br />
of <strong>Technology</strong>), <strong>and</strong> the companies involved in the subject of converging with<br />
the problems of the project, namely: Astri Polska (APL) <strong>and</strong> WOOD System<br />
Integrator (WOOD).<br />
In the results of the project may be interested: Office of Electronic <strong>Communications</strong>,<br />
which deals with the detection <strong>and</strong> analysis of radio signals <strong>and</strong><br />
the detection of illegal emissions, the state security services such as The Internal<br />
Security Agency <strong>and</strong> the <strong>Military</strong> Counterintelligence Services, as well as manufacturers<br />
<strong>and</strong> global integrators such solutions for the detection <strong>and</strong> interception<br />
of unauthorized satellite emissions.<br />
References<br />
[1] http://www.kenbit.pl/kenbit/rsp.php<br />
[2] http://www.antenna-theory.com<br />
[3] http://www.wb.com.pl/pl,Rozwiazania,Systemy-C4ISR,Systemy-rozpoznania/Fly-<br />
Eye,46.html<br />
[4] http://www.wb.com.pl/pl,Rozwiazania,Systemy-C4ISR,Systemy-rozpoznania/<br />
Tarkus,3.html<br />
[5] http://aerobot.com.au/octocopter.html<br />
[6] http://www.aerodes.pl/samonit.htm<br />
[7] http://mapasieci.pl/<br />
[8] http://www.skw.gov.pl/<br />
[9] http://www.uke.gov.pl/<br />
[10] http://www.abw.gov.pl/
On Multi-Level Secure Structured Content:<br />
A Cryptographic Key Management<br />
– Independent XML Schema for MLS Content<br />
Mikko Kiviharju<br />
Electronics <strong>and</strong> <strong>Information</strong> <strong>Technology</strong> Division,<br />
Finnish Defence Forces Technical Research Centre, Riihimäki, Finl<strong>and</strong>,<br />
mikko.kiviharju@mil.fi<br />
Abstract: Multi-Level Security, MLS, refers to h<strong>and</strong>ling information from different levels of security<br />
classification securely by people from different levels of clearance. We propose a structured document<br />
format to host data from different classification levels (e.g. RESTRICTED <strong>and</strong> SECRET) in the same,<br />
modifiable document. The document access control is enforced cryptographically – content <strong>and</strong> access<br />
control information is encrypted <strong>and</strong> digitally signed, but the document structure itself is independent<br />
of the adjoining key management architecture. We detail the different security-related metadata <strong>and</strong><br />
sanitization procedures needed for passing data from a common storage to a user with lower clearance.<br />
Keywords: MLS; CBIS; XML; cryptography; key management<br />
I. Introduction<br />
H<strong>and</strong>ling classified information in today’s networked world with conflicting<br />
needs to hide <strong>and</strong> to share both in homel<strong>and</strong> <strong>and</strong> in coalitions with dynamically<br />
shifting boundaries is becoming increasingly more cumbersome.<br />
Large information leaks from classified networks (e.g. the one described in [22])<br />
are partly possible only because the concept of system-high networks has been<br />
stretched to its limits: it makes no sense to classify data (to e.g. MISSION SECRET),<br />
if most of the personnel are cleared to the highest level anyway. This is, however,<br />
currently the only economical solution dictated by the existing technology in use.<br />
Technologies that take full use of the security classification spectrum without<br />
trivial physical separation (<strong>and</strong> duplication) in hardware are called Multi-Level Secure<br />
(MLS). There have been a number of solutions aspiring to be MLS in the past,<br />
<strong>and</strong> the work is still ongoing.<br />
Our work concerns the cryptographic approach to enforce MLS. We envision<br />
structured documents (i.e. XML), with content from multiple different classifications,<br />
which is then encrypted, signed, <strong>and</strong> eventually filtered from the most<br />
sensitive items before given to the end user. We propose an XML schema based on
440 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
the cryptographic access control paradigm to canonize this structure, <strong>and</strong> elaborate<br />
how the different aspects of permissions <strong>and</strong> eventual MLS sanitization affect<br />
the structure <strong>and</strong> can be realized in our setting.<br />
This paper is structured as follows: in chapter II we introduce the necessary<br />
background <strong>and</strong> review the related work; in the third chapter we view the setting<br />
more carefully in the format of environment assumptions; the fourth chapter lists<br />
the design principles <strong>and</strong> some of the operational details; chapter V is reserved<br />
for the schema itself <strong>and</strong> finally chapter VI concludes the paper.<br />
II. Background <strong>and</strong> related work<br />
A. Multi-Level Security (MLS)<br />
Multi-Level Security (MLS) refers to a concept, where information from different<br />
levels of security classification is allowed to coexist <strong>and</strong> be processed securely<br />
by personnel not necessarily cleared to the highest level. The term stems from<br />
a formalization of DoD security policy [3] <strong>and</strong> related risk analysis [16]. However,<br />
detailed definitions vary widely. In military vocabulary the most common definition<br />
binds MLS to a “security mode” <strong>and</strong> the access rights of end users. The defining<br />
part here is the user clearance, or right-to-know (RTK).<br />
RTK is more formally defined than need-to-know (NTK), as RTK is most<br />
often defined on the legislature level. Due to the m<strong>and</strong>atory nature of RTK <strong>and</strong><br />
the high-risk scenarios with which the MLS concept is endowed, the assurance<br />
level for “true MLS” components is often very high.<br />
MLS employs a multitude of functions. Our main concern here is the information<br />
flow separation, or the isolation of information from different classification<br />
levels: generally it is desired to keep data (flows) from e.g. SECRET separate from<br />
data (flows) from RESTRICTED. Due to the high assurance levels required for this<br />
isolation, only two types have been used: physical (galvanic) <strong>and</strong> cryptographic<br />
separation. High-assurance virtualization techniques are also making their way to<br />
selected MLS sub-areas [9].<br />
Enforcing the isolation with cryptography has been used <strong>and</strong> tried in multitude<br />
of systems <strong>and</strong> models, such as CBIS discussed in ch. II-B, but the main problem<br />
in these systems is key management: encrypted data itself is considered to be sufficiently<br />
well protected for the purpose of MLS isolation, but there are no formal<br />
models for key management, nor even satisfactory heuristic implementations<br />
suitable for large scale cryptographically enforced MLS systems.<br />
B. Content-Based <strong>Information</strong> Security (CBIS)<br />
The CBIS-concept (Content-Based <strong>Information</strong> Security) experimented by<br />
US DoD between 2000 <strong>and</strong> 2005 as an Advanced Concept <strong>and</strong> <strong>Technology</strong> Dem-
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
441<br />
onstrator [15, 18] was aimed at the cryptographic solution of MLS. In CBIS, all<br />
the information is encrypted <strong>and</strong> signed, protecting the confidentiality <strong>and</strong> integrity<br />
of the document.<br />
The original CBIS effort was, however, ab<strong>and</strong>oned as too expensive, possibly<br />
due to the constraints <strong>and</strong> difficulties in key management [1] <strong>and</strong> user authentication.<br />
The concept was revived in (at least) the Finnish military [12], where a different<br />
public-key management architecture (PKMA) was substituted for the PKI.<br />
The PKMA substituted in [12] was called identity-based cryptography<br />
(IBC, [6]). In IBC the identity itself acts as the public key, removing the need for<br />
certificates, enabling natural hierarchies <strong>and</strong> delayed creation for the private key.<br />
With IBC extensions, such as attribute-based encryption (ABE), it is possible to<br />
encode access structures directly to the ciphertexts.<br />
In the later CBIS concept, the actual content is endowed with different levels<br />
of metadata that can be used to embed security related information to the document<br />
itself, distributing the protection information from the reference monitor to<br />
the data itself.<br />
Adding metadata to the protected data blob implies the need to protect<br />
the metadata as well, <strong>and</strong> thus further levels of metadata. An obvious framework<br />
for dealing with intergrated data <strong>and</strong> metadata is eXtensible Markup Language<br />
(XML) framework.<br />
The work in [12] laid out several steps from moving traditional referencemonitor-based<br />
access control to cryptographically enforced, MLS-capable access<br />
control. These are depicted in Fig. 1.<br />
Figure 1. Moving from traditional access control to CBIS ([12])<br />
In Fig. 1, the steps are not wholly sequential: e.g. attribute-based cryptography<br />
access control is trialled already as such ([17]), but it was deemed infeasible to leap<br />
to mostly academic technologies straight away. As can be seen, there will be a change<br />
of public-key cryptography paradigms, or key management architectures at some<br />
point. This alone places restrictions on how the actual hierarchical data should be<br />
structured, but it is also otherwise prudent to (functionally) separate content from<br />
security, <strong>and</strong> cryptographic key management from the rest of security functions<br />
as separate modules.
442 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
When we experiment with technologies in Fig. 1. from the third step onward,<br />
it is a prerequisite to fix essential parts of the actual structure of the content. This<br />
was our main motivation in creating an XML-schema for a CBIS document.<br />
C. The XML-framework<br />
The XML-framework refers here to set of st<strong>and</strong>ards <strong>and</strong> best practices of h<strong>and</strong>ling<br />
structured content based on the W3C st<strong>and</strong>ards around eXtensible Markup<br />
Language (XML, [19]). XML itself is a markup language using user-defined tags<br />
representing rules to encode documents [19].<br />
XML schemas [7] represent a sort of grammar for certain types of documents,<br />
<strong>and</strong> can be used to check, whether a certain document conforms to a pre-specified<br />
rule-set (in this context: check if the document contains sufficient information to<br />
enforce <strong>and</strong> transmit parts of a security policy).<br />
XML encryption, XML signatures <strong>and</strong> XML key management ([11], [2]<br />
<strong>and</strong> [8]) are W3C st<strong>and</strong>ards to embed encrypted data blobs <strong>and</strong> digital signatures<br />
into an XML document, with the associated key management.<br />
Reference [5] presents an infrastructure <strong>and</strong> technologies for a similar trust<br />
model we are using. Basically, the model in [5] assumes several distinct roles,<br />
Owner, Publisher <strong>and</strong> Subject (producer, storage <strong>and</strong> reference monitor, <strong>and</strong> consumer<br />
of documents, respectively). The Publisher enforces access control of XMLdocuments<br />
with respect to the Subjects according to security policies provided<br />
by the Owner. The subject is able to verify that the documents are complete <strong>and</strong><br />
unforged. The construction uses Merkle hash trees to compute per-element- <strong>and</strong><br />
per-attribute hashes attached to the “security-enhanced” document.<br />
We use a similar construction to enforce integrity, however the approach<br />
is purely cryptographic. The approach in [5] involves filtering of documents based<br />
on the policies, such that the Subject is only delivered those parts of the document(s)<br />
she is entitled to. However, to be able to check the authentication values, the Subject<br />
needs to recompute the combined hash of all the nodes, whether or not she has access<br />
to them. This is enabled by providing the user with the structure of the immediate<br />
neighbourhood of her stripped subtree. The neighbourhood information<br />
not covered by the Subject policy is hidden with a hash-function.<br />
This approach is applicable for static, publish-only documents, where the Publisher<br />
does not have a data custodian role <strong>and</strong> there is no need to authenticate<br />
sub-document parts. In our setting, it is required to be able to revoke rights to<br />
the XML-document by editing the metadata containing symmetric cryptographic<br />
keys, change the document (<strong>and</strong> trace the changes), all of which in turn change<br />
the metadata-related hashes. We thus use the authentication model in [5] for content,<br />
but choose a different setup for the administration metadata.<br />
The approach in [5] also involves describing the subject policy in a separate<br />
structure obtained from the data owner <strong>and</strong> enforced with attribute certificates.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
443<br />
In our approach, the subject policy is assumed to be encoded in the cryptographic<br />
metadata <strong>and</strong> h<strong>and</strong>led by key management, without the need of a separate subjectowner<br />
negotiation.<br />
Embedding access control information in the XML-document itself has a number<br />
of possibilities, such as the policy-tag in [5] <strong>and</strong> specific XML-derivative languages<br />
[4]. The responsibility to enforce this information lies, however, with the data<br />
storage, <strong>and</strong> is usually insufficient with MLS. Of the XML-derivative languages it is<br />
stated in [21] that the whole concept of RBAC for XML is still immature.<br />
The XML framework is originally not designed to be used for MLS [20]. MLS<br />
in XML is somewhat tied to the data management systems available, but our work<br />
is independent from this.<br />
III. Environment assumptions<br />
A. Cryptographic Access Control<br />
Our work attempts to solve parts of the cryptographic access control (CAC)<br />
paradigm, in which traditional access control enforcement method with (implicitly<br />
trusted) reference monitors are replaced by cryptography. This shift is motivated<br />
by the high assurance dem<strong>and</strong>s on the enforcement method <strong>and</strong> the inherent lack<br />
of high assurance in the majority of the real-life reference monitors (such as commercial<br />
OSs) as well as by cloud computing.<br />
The CAC-paradigm benefits include more solid theory (<strong>and</strong> thus assurance)<br />
behind the actual implementations, <strong>and</strong> easier distributability of encrypted content<br />
into the cloud. Especially from the perspective of MLS, st<strong>and</strong>ardized encryption<br />
algorithms provide an accepted means of protecting classified data [10] <strong>and</strong> enforcing<br />
the isolation of different classes.<br />
Enforcing access control cryptographically requires a shift in the mindset<br />
as well: cryptography is not by itself able to enforce much anything. It has mainly<br />
two premises (in this context):<br />
• Cryptography can disable the READ-permission by making the material<br />
incomprehensible (it can not permit viewing per sé)<br />
• Cryptography can disable WRITE-permission by making it possible to<br />
detect unauthorized changes; it can not prevent bit-flips or deletions /<br />
insertions as such.<br />
Thus anything enforcable cryptographically should be able to be reduced to<br />
a set of read- <strong>and</strong> write-operations.<br />
B. Publish-Subscribe model<br />
We adopt the model depicted in [5] for third-party distribution of XMLdocuments,<br />
<strong>and</strong> introduce a “smart edge” acting in between the user <strong>and</strong> the cloud.<br />
The architecture is shown in Fig. 2.
444 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The data is assumed to be stored in the “cloud”, i.e. somewhere else than where<br />
the actual creators, modifiers, viewers <strong>and</strong> removers of the data reside. This cloud<br />
has several storage providers, which collectively are assumed to have the following<br />
properties:<br />
The cloud focuses on availability, <strong>and</strong> there is always one “clean” copy of a desired<br />
document available (after some time or a number of checks). The cloud is not<br />
able to discern between clean <strong>and</strong> corrupted documents. The cloud is also able to<br />
push authorized changes to a document eventually to other copies throughout its<br />
sphere of influence<br />
Figure 2. Environment for the CBIS documents<br />
The roles related to h<strong>and</strong>ling of data are as follows:<br />
• Data Owner is responsible for the data <strong>and</strong> decides the access control policy<br />
<strong>and</strong> approves its change policy. Each document has a unique owner, who<br />
controls all the sub-elements of the document.<br />
• Users are the “consumers” of the data blob. A User has READ- <strong>and</strong>/or<br />
WRITE-permissions to a set of element. If the user has READ-permissions,<br />
she is able to decrypt the content; if she has WRITE-permissions, her edits<br />
can be considered valid via her digital signature. Some users can act on<br />
the behalf of the Owner, <strong>and</strong> have ADMIN-permissions (permissions to<br />
order changes to the permissions from the Filter)<br />
• Storage is one element in the cloud where the documents physically may<br />
reside. Storage servers are not trusted to view or modify (including filtering<br />
<strong>and</strong> other reference monitor duties) content, but they are trusted to h<strong>and</strong>le
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
445<br />
versioning <strong>and</strong> storage functions. Storage does not perform high-assurance<br />
authentication of document requests, so it is assumed to be easy to bypass<br />
the Filter-edge of the cloud.<br />
• Filters form the “smart edge” of the cloud. They relay the functions between<br />
Users, Owners <strong>and</strong> Storage. Filters are semi-trusted in that they are<br />
allowed to perform administrative functions inside a document, but they<br />
are not trusted to see or alter the actual content or the security policy. Filters’<br />
primary objective is to exercise RTK-level control to the content, <strong>and</strong><br />
remove those parts of the document the User is not cleared to. User must<br />
be able to check the completeness of the document, so Filter must provide<br />
her with sufficient verification information.<br />
IV. Schema design principles<br />
A. Previous work<br />
The definition work on CBIS, [12], identified some necessary elements <strong>and</strong> their<br />
interrelations on the structured document. However, these were purely motivated<br />
from the CBIS needs, <strong>and</strong> not very detailed or st<strong>and</strong>ard-oriented.<br />
The actual structured format was canonized <strong>and</strong> integrated into other data<br />
models in an internal work together with Finnish defence industry [14]. This<br />
resulted in an actual schema, but too heavily tied to existing PKI <strong>and</strong> referencemonitor-based<br />
thinking (it could not enforce actual CAC). Furthermore, the first<br />
version of the schema did not elaborate the effect of dynamic compound signatures<br />
resulting from the need to restructure the document passing an MLS-filter (which<br />
removes classified parts exceeding the User’s clearance).<br />
B. Design principles: key managent architecture independency<br />
The main motivation for this work was to establish a concrete <strong>and</strong> canonized<br />
specification for the CBIS document structure that would last over the different<br />
developmental phases <strong>and</strong> public-key management architectures. Thus there<br />
is a type of cryptographic interface the schema should comply to. This interface<br />
is constructed based on the least common denominator (of the PKMAs):<br />
• Content is enciphered with a block cipher <strong>and</strong> the block cipher key (block<br />
key) itself is encrypted. The schema should not make more reservations<br />
than this to the key management.<br />
• Content can be represented by the output of a secure hash-function<br />
• The content integrity is enforced by signatures (but their exact type is not<br />
specified)<br />
• If the permission type is WRITE, the space occupied by the block key is used<br />
to host the public key needed for verification. Note that the User Agent
446 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
may or may not use this key – this depends on the exact trust model tied<br />
to the PKMA.<br />
• If the PKMA m<strong>and</strong>ates the use of certificates, these are included in the signature-element.<br />
Certification information required for delegation are<br />
an exception for this rule (discussed below).<br />
• The schema may make provisions to embrace extensions of a certain PKMA<br />
type, provided they do not exclude other PKMAs from the same function.<br />
In practice, these include:<br />
✓ The block key may be encrypted several times by different public keys,<br />
<strong>and</strong> these listed independently. The encrypted data blob should not give<br />
preference to any of these.<br />
✓ The role information may be a single identifying string, a list of roles,<br />
or a (propositional) logic expression involving roles, activities <strong>and</strong> other<br />
restrictions.<br />
C. Design principles: signing<br />
The construction of our CBIS schema follows the principles outlined<br />
in [12], with one major distinction about the signatures. The distinction concerns<br />
the signatory role: whereas in [12] this role was always equated with the key<br />
management center, we implement three different roles: Owner/ADMIN-User,<br />
WRITE-User <strong>and</strong> Filter. In the structured document itself this is reflected<br />
as content-signatures <strong>and</strong> metadata signatures, which must thus be independent<br />
of each other.<br />
The trust model used here dictates that the administrative restructuring<br />
of the document should not reveal or modify the actual content, thus the content<br />
<strong>and</strong> administrative signatures (data vs. metadata) should be independent. However,<br />
in [12] it was not clear how to automatically compute compound signatures for<br />
restructured content with the authority of the Owner. The book suggested using<br />
delegation with attribute certificates.<br />
The work in [5] presents a brilliant solution to retain the compound signatures<br />
constant throughout the whole tree-structure of an XML document. Using this<br />
approach, we are able to keep the content signatures unmodified (by administrative<br />
components).<br />
In addition to the Owner, WRITE-Users are allowed to legally modify the data.<br />
This is accomplished through a list of users with WRITE-permission on an element.<br />
Technically this means that upon opening a document, the User Agent<br />
checks at least the content signatures, <strong>and</strong> if the signatory is either the Owner<br />
(the only completely trusted party) or another user with WRITE-permissions<br />
listed in the metadata, the signature is accepted as valid.<br />
To enforce the WRITE-permissions list, the whole element containing the list<br />
(cbis:securityAttribute) is signed by an ADMIN-user.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
447<br />
The Filter signs parts of the document security metadata (History-related).<br />
As the Filter is only semi-trusted, <strong>and</strong> ADMIN-users may have conflicts of interests,<br />
different public keys need a validity certification from the Owner.<br />
The Filter validity certification is required irrespective of the PKMA. We assume<br />
for simplicity that the correspondence between Owner <strong>and</strong> a document is oneto-many<br />
(instead of many-to-many). Thus the validity certification can be placed<br />
in the per-document metadata element. Furthermore, the schema doesn’t specify<br />
the form of the certification – it could be a PKI certificate, IBC-based delegation (e.g.<br />
with a public key of the type “Owner X grants admin privileges to<br />
Filter Y”, which is verifiable with the Owner X public parameters <strong>and</strong> the claimed<br />
string only), or something else, as long as it contains sufficient cryptographic strength.<br />
In order to separate the administration <strong>and</strong> content, some cryptographic<br />
conventions need to be observed:<br />
• The need to separate non-repudiation <strong>and</strong> basic integrity signatures<br />
is PKMA-dependent, so the number of signatures is left open here, <strong>and</strong><br />
the types of signatures are listed as widely as needed.<br />
• Layered encryption (super-encryption, encrypting already enciphered content)<br />
is not used. Opening administrative metadata would require additional<br />
layers of filters <strong>and</strong>/or key management. In [12] <strong>and</strong> [11] super-encryption<br />
is defined – the purpose here could be embedding other documents or hiding<br />
the access control information – but we leave it out here for simplicity.<br />
D. Design principles: versioning<br />
The main document is assumed to be modifiable. There are two types of modification<br />
possibilities: content modification <strong>and</strong> permission type modification.<br />
In each case, the CAC paradigm entails that since the actual modifications cannot<br />
be prevented (only detected), there should be a possibility of rollback <strong>and</strong> attribution<br />
(finding the perpetrator).<br />
Rollback requires versioning <strong>and</strong> storage of the previous versions. Content<br />
versioning is considered to be outside the scope of this paper – it can be done<br />
by creating a separate document per committed modification <strong>and</strong> transferring<br />
the versioning burden to the Storage (as it should be optimized for availability).<br />
Per-element versioning does affect the CBIS schema itself, <strong>and</strong> this is considered<br />
more of a document management than a security issue. Per-element versioning<br />
should bind the content signature together with the content – thus we do not consider<br />
content signature versioning either here.<br />
Attribution has two facets: illegal modifiers of content <strong>and</strong> security policy.<br />
If content is modified meaningfully, it implies than legal keys of some user are<br />
used. This in turn can be traced back to the user identity by comparing different<br />
versions <strong>and</strong> signature information. Thus content modification attribution is built<br />
in to the signatures (enforcing non-repudiation) <strong>and</strong> versioning.
448 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Attribution in the context of security policy breaks requires keeping a log<br />
of the changes made to the permissions. A security policy break translates into<br />
unauthorized insertion, removal or modification of security metadata. This can include<br />
(but are not limited to): Insertion of additional block keys (to leak information);<br />
Insertion of additional public keys (to enable modification); Downgrading<br />
the (MLS-related) classification labels; Changing or adding administrator information<br />
<strong>and</strong> certification.<br />
To enforce attribution <strong>and</strong> rollback of the security metadata, we introduce<br />
per-element metadata-history to the schema. Rollback cannot naturally be fully<br />
realized, if the whole history-information is deleted from the document, but this<br />
is left for the availability-function of the Storage (cloud), <strong>and</strong> outside the scope<br />
of the schema.<br />
The metadata history is always signed as a whole by the Filter itself. This is because<br />
of the principle of separation of duties: roles administering security policy<br />
should not also track the changes made by themselves.<br />
Metadata history contains copies of the security metadata appended with<br />
a timestamp <strong>and</strong> identity of the original signatory of that particular instance<br />
(an ADMIN-User or the Owner).<br />
The ADMIN-user or (originally) the Owner is responsible for creating <strong>and</strong><br />
changing the security policy reflected in the security metadata. The principle<br />
in the modification is to create a new copy based on the old metadata <strong>and</strong> move<br />
the old copy to the history. The responsibility for the metadata is reflected in a subelement<br />
of the security metadata structure, containing the list of the administrator<br />
roles, <strong>and</strong> finally a signature by one of these administrators. Administrator role<br />
information must include a PKMA-dependent certification from the Owner.<br />
E. Design principles: MLS considerations<br />
Multi-level security is considered here from the document perspective only.<br />
The CBIS-schema presented here does not account for the User clearance – if IBCbased<br />
PKMA is used, the user clearance can be encoded in the encrypted block<br />
key, but for other PKMAs this is left for the application. (Which is why we recommend<br />
using IBC to achieve a fuller cryptographic enforcement of the security levels<br />
than just key management.)<br />
The security label exists in the document metadata. Its correctness is enforced<br />
by an ADMIN-user’s signature (together with a delegation certification from<br />
the Owner) <strong>and</strong> it is bound to the content by the compound signatures of the content<br />
<strong>and</strong> metadata. (Signed by the Filter, as this is an administrative function).<br />
The security label presents a performance issue in the XML-document tree<br />
hierarchy, if the structure is very fine-grained ([12, 14]): in order to establish<br />
if a user has clearance to the lowest levels of the hierarchy, all of the nodes need<br />
to be traversed. To enable more efficient processing, two strategies are possible:
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
449<br />
• Structure the document according to the security labels, leaving the natural<br />
structuring to be automated “somehow” or,<br />
• Include additionals elements for informational purposes, which declare<br />
the highest <strong>and</strong> lowest classification levels of the subelements. If the User’s<br />
clearance is higher (or equal) than the highest classification of the subelements,<br />
the whole subtree can be copied to the filtered document. However,<br />
if the user’s clearance is lower than the lowest element, the whole subtree<br />
can be pruned. If these are left unspecified or user clearance lies in between<br />
these two, the subtree needs to be traversed at least one level further.<br />
The first alternative provides simpler bookkeeping on the security levels, but<br />
would likely result in a nightmare in recreating the original document. Thus we<br />
chose the latter alternative, even though it requires some bookkeeping in the document<br />
creation <strong>and</strong> modification phase.<br />
The correct enforcement of MLS is checking that information does not leak<br />
from “high” to “low” domains, which in this context means:<br />
• Labels are correctly bound to their content: this is partly the responsibility<br />
of the original document creator; after that it is enforced by a per-element<br />
compount signature by the Filter <strong>and</strong> the per-security attribute signature<br />
by an ADMIN-user<br />
• No highly classified information can be viewed by persons with lower<br />
clearance: the contents are cryptographically separated, <strong>and</strong> if the lower<br />
clearance user is not allowed the keys of the content out-of-her-bounds,<br />
the probability of leaks reduces to that of breaking the cryptographic primitives<br />
or incorrect key management.<br />
F. Design principles: hierarchy<br />
As the CBIS document includes multiple types of signatures, their characteristics<br />
may become blurred, if the signature types <strong>and</strong> their targets are not pinned<br />
down in the XML document tree hierarchy. We then make the following hierarchical<br />
conventions (Fig. 3):<br />
• There is one main element type hosting the main body of CBIS-related<br />
information (cbis:element), <strong>and</strong> another type hosting all the security<br />
metadata (cbis:securityMetadata).<br />
• The content is an immediate child of cbis:element<br />
• Security metadata is an immediate child of cbis:element<br />
• The content-related signatures are immediate children<br />
of cbis:securityMetadata.<br />
• The compound signature of all the subelements of an cbis:element<br />
is an immediate child of that element’s cbis:securityMetadata.<br />
The signed subelements include also possible children of the type<br />
cbis:element.
450 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 3. Hierarchical conventions of the CBIS schema<br />
If super-encryption would be used, it would also make sense to define access<br />
control lists for the first-order access control information (metadata of metadata,<br />
or meta-metadata). Even in more theoretical work ([12]), the metalevels are recommended<br />
to be restricted to at most two, <strong>and</strong> we are using only one level.<br />
For versioning purposes, it is not necessary to archive all security metadata.<br />
More specifically, if signatures concern the content as well, they were considered to be<br />
out of scope. Thus we introduce yet another level, cbis:securityAttribute,<br />
which hosts all the data meant to be archived.<br />
The XML-document <strong>and</strong> architecture model [5] consider only hashes of the elements,<br />
<strong>and</strong> only the hash of the document whole is eventually signed. Our<br />
model considers a more interactive setting, <strong>and</strong> allows the document to be more<br />
fine-grained. We then sign each level (certain types of elements) individually, <strong>and</strong><br />
the compound sub-documents hierarchically.<br />
V. The CBIS schema<br />
The actual schema is presented here with Fig. 4. for brevity. The Figure depicts<br />
what an XML-formatted CBIS-document would look like, but with element <strong>and</strong><br />
type names, enumerations <strong>and</strong> type definitions.<br />
Legend for Fig. 4 is as follows:<br />
• Multiple labels “behind” the first one indicate that multiple instances are<br />
allowed<br />
• Dashed line round the label indicate a set of optional elements. If there are<br />
multiple dashed-line labels, there can be more than one optional element<br />
• ENUM labels represent XML schema restriction on a specific type<br />
• TYPE labels represents inheritance from another type, depicted the way<br />
a C-language structure would: the parent type is included in the child type
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
451<br />
Although we do not consider them here, the possible additional levels of metadata<br />
are easily added as another (recursive) children of cbis:securityMetadata.<br />
The new type cbis:Signature is inherited from W3C XML-signatures<br />
type ds:Signature by adding a type qualifier. It should be noted that while<br />
ds:SignatureMethod requires fixed m<strong>and</strong>atory <strong>and</strong> a number of optional<br />
implementations, user-specified algorithms may be used as well, <strong>and</strong> this allows<br />
also n-tuple signature-values (though under one identifier only).<br />
The following (extra) namespaces are used:<br />
• xmlns:ds=”http://www.w3.org/2000/09/xmldsig#”,<br />
the XML-signature types (specifically, ds:Signature). This is the base<br />
type of cbis:Signature, <strong>and</strong> is used mainly to differentiate between<br />
different versions of integrity, if the public key management architecture<br />
so requires (in addition to containing the actual signature value).<br />
• xmlns:xenc=”http://www.w3.org/2001/04/xmlenc#”,<br />
the XML-encryption types (specifically, xenc:encryptedData <strong>and</strong><br />
xenc:encryptedKey). It should be noted that we use one-to-many<br />
relation from the encrypted data blob to the encrypted key, which may not<br />
directly be supported by st<strong>and</strong>ard implementations. Thus we leave the link<br />
from the encrypted key to the actual element one-way only, <strong>and</strong> leave it to<br />
the application (here: the user agent or filter) to decide which key to use<br />
based on the related information in cbis:AccessSet.<br />
• wsml=”http://www.wsmo.org/wsml/wsml-syntax#”<br />
the cbis:roleExpression is extended from a single role-identifier<br />
to a propositional logic formula (to support more expressive PKMAs).<br />
Actually, the wsml:logicalExpression – schema checks for first<br />
order logic, but the application-level function should ignore any quantifiers<br />
it finds.<br />
In the application space, the decrypting / verifying component (most commonly<br />
the User Agent) must interpret the cbis:permission to mean how to<br />
use the associated cryptographic key:<br />
• If the permission is READ, that particular role’s (or a logical expression<br />
involving roles <strong>and</strong> activities) private key is able to open the block key.<br />
• If the permission is WRITE, the encryptedKey-structure contains<br />
information about the public key related to the role or logical expression<br />
involving roles <strong>and</strong> activities, or the public key itself (in unencrypted<br />
form). In either case, the public key indicated by the role is only one<br />
of the possibilities used to verify the element’s content signature. There may<br />
be only one such, but in general case it could be anyone’s who is granted<br />
the write-permissions to this particular element. The verifier should try<br />
to verify the signature with all those public keys, which have a permission<br />
of type WRITE. If any one of them passes, the element should be<br />
accepted as valid.
452 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 4. The CBIS XML schema structure<br />
Filtering means the process of stripping the document clean from those<br />
elements to which the user’s clearance does not entitle her. This is performed on<br />
the element-granularity level, <strong>and</strong> based on the cbis:elementClassification<br />
element (<strong>and</strong> derivatives). If a cbis:element does not pass the Filter-component,<br />
it is first checked if the cbis:element lies on a direct path from the document<br />
root to an allowed element or is a sibling of such a cbis:element.<br />
In such a case, the cbis:element is included, but it is stripped of all optional<br />
fields <strong>and</strong> m<strong>and</strong>atory fields are set to empty, NULL or default values. The content-<br />
Signature-element of the type UNSIGNED CONTENT HASH, is however included.<br />
This signature type is assumed to contain the compound hash of the element <strong>and</strong> its<br />
subelements in the form of Merkle hash tree nodes (see [5] for details).<br />
According to [5], the compound hashes can then be used on the documentlevel<br />
to calculate the original signature, <strong>and</strong> compare that to the cbis:docume<br />
ntIntegritySignature of type CONTENT INTEGRITY. This way the User<br />
Agent can first verify that the content in general is complete <strong>and</strong> valid, <strong>and</strong> after<br />
that check individual elements’ validity.<br />
Writing changes to a partial document <strong>and</strong> integrating them back to the original<br />
is partially versioning a document, but mainly requires a reasonable amount of book-
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
453<br />
keeping from the Filter, which needs to 1) Fetch a latest version of the whole document<br />
from the Storage (cloud); 2) Identify changed elements by their UNSIGNED<br />
HASH CONTENT signature-elements <strong>and</strong> their correct location in the tree – it is<br />
assumed the User Agent makes use of the tree structure it received from the Filter<br />
(it cannot, for example, remove or relocate parts that contain subelements inaccessible<br />
to it); 3) Replace contents, <strong>and</strong> their respective WRITE-User <strong>and</strong> ADMIN-user<br />
signatures; 4) Update security attribute history (recompute the signature as well);<br />
5) Create a new document version (if versioning is in use); <strong>and</strong> 6) Recompute<br />
the compound element integrity signatures, where elements are merged; recompute<br />
all compound hash values.<br />
VI. Conclusion<br />
In this paper we introduced <strong>and</strong> canonized a structured content format complying<br />
to multi-level security practices <strong>and</strong> the cryptographic access control paradigm.<br />
The format was aligned with the XML-st<strong>and</strong>ard. We explored the motivation<br />
behind different types of elements <strong>and</strong> their relatios, as well as the operation with<br />
such a structured document. Our approach was independent of the keying architecture.<br />
Future work includes e.g. many open questions from the re-construction<br />
of a modified document. On a different track, there is also the task to implement<br />
a schema validator <strong>and</strong> appropriate Filter components for the document.<br />
References<br />
[1] E. Barker, W. Barker, W. Burr, W. Polk, <strong>and</strong> M. Smid, “Recommendation for Key<br />
Management – Part 1: General (Revised)”, NIST Special Publication 800-57, NIST,<br />
March 2007.<br />
[2] M. Bartel, J. Boyer, B. Fox, B. LaMacchia, <strong>and</strong> E. Simon, “XML-Signature Syntax<br />
<strong>and</strong> Processing, W3C Recommendation 12.2.2002”, in http://www.w3.org/TR/2002/<br />
REC-xmldsig-core-20020212/Overview.html, World Wide Web Consortium, 2002<br />
(retrieved 23.4.2012).<br />
[3] D. Bell, L. LaPadula, “Secure Computer Systems: Mathematical Foundations”,<br />
MITRE Technical Report 2547, vol. I, 1.3.1973.<br />
[4] E. Bertino, S. Castano, <strong>and</strong> E. Ferrari, “On Specifying Security Policies for Web<br />
Documents with an XML-Based Language,” in Proc. Sixth ACM Symp. Access Control<br />
Models <strong>and</strong> Technologies, pp. 57-65, 2001.<br />
[5] E. Bertino, B. Carminati, E. Ferrari, B. Thuraisingham, <strong>and</strong> A. Gupta, “Selective<br />
<strong>and</strong> Authentic Third-Party Distribution of XML Documents”, in IEEE Transactions<br />
on Knowledge <strong>and</strong> Data Engineering, vol. 16, no 10, pp. 1263-1278, October 2004.<br />
[6] D. Boneh, M. Franklin, “Identity based encryption from the Weil pairing, extended<br />
version”, in SIAM J. of Computing, vol. 32, no. 3, pp. 586-615, 2003.
454 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[7] D. Ezell et al. “XML Schema”, in http://www.w3.org/XML/Schema, World Wide<br />
Web Consortium, 2004 (retrieved 23.4.2012).<br />
[8] W. Ford, et al., ”XML Key Management Specification (XKMS), W3C Note 13.3.2001”,<br />
in http://www.w3.org/TR/xkms/ World Wide Web Consortium, 2002 (retrieved<br />
23.4.2012).<br />
[9] W. Harrison, N. Hanebutte, P. Oman <strong>and</strong> J. Alves-Foss, “The MILS Architecture<br />
for a Secure Global <strong>Information</strong> Grid”. in CrossTalk 18 (10): pp. 20-24. http://www.<br />
crosstalkonline.org/storage/issue-archives/2005/200510/200510-Harrison.pdf,<br />
October 2005 (retrieved 23.4.2012).<br />
[10] L. Hathaway, “National Policy on the Use of the Advanced Encryption St<strong>and</strong>ard<br />
(AES) to Protect National Security Systems <strong>and</strong> National Security <strong>Information</strong>”, http://<br />
csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf, June 2003 (retrieved<br />
23.4.2012).<br />
[11] T. Imamura, B. Dillaway, <strong>and</strong> E. Simon, “XML Encryption Syntax <strong>and</strong> Processing,<br />
W3C Recommendation 10.12.2002”, in http://www.w3.org/TR/xmlenc-core/, World<br />
Wide Web Consortium, 2002 (retrieved 23.4.2012).<br />
[12] M. Kiviharju, Content-Based <strong>Information</strong> Security (CBIS): Definitions, Requirements<br />
<strong>and</strong> Cryptographic Architecture, Riihimäki: Defence Forces Technical Research<br />
Centre, 2010.<br />
[13] M. Kiviharju, “Towards Pervasive Cryptographic Access Control Models”, in Proc.<br />
SECRYPT 2012, in press.<br />
[14] J. Lamminmäki, “DR201R01: CBIS-skeema, Loppuraportti.” Final Report for Finnish<br />
Defence Forces, Insta DefSec, 8.12.2010.<br />
[15] S. McGovern, “<strong>Information</strong> Security Requirements for a Coalition Wide Area<br />
Network”, Thesis in Naval Postgraduate School, Monterey, California (June 2001),<br />
http://cisr.nps.edu/downloads/theses/01thesis_mcgovern.pdf, NPS/CISR, 2001,<br />
(retrieved 23.4.2012).<br />
[16] NIST-CSRC, “CSC-STD-004-85, Technical Rational Behind CSC-STD-003-85:<br />
Computer Security Requirements (Yellow Book)”, in http://csrc.nist.gov/publications/<br />
secpubs/rainbow/std004.txt, CSRC, NIST, pp. 9-13, 25.6.1985 (retrieved 23.4.2012).<br />
[17] M. Pirretti, P. Traynor, P. McDaniel, <strong>and</strong> B. Waters, “Secure Attribute-Based<br />
Systems”, in Proc. Of CCS 2006, pp. 99-111, ACM, 2006.<br />
[18] J. Savoie, “A Strong three-factor authentication device: <strong>Trusted</strong>DAVE <strong>and</strong> the new<br />
Generic Content-Based <strong>Information</strong> Security (CBIS) architecture”, Technical<br />
Memor<strong>and</strong>um TM 2004-198, DRDC Ottawa, http://pubs.drdc.gc.ca/PDFS/unc32/<br />
p522843.pdf, DRDC Canada, November 2004 (retrieved 23.4.2012).<br />
[19] C. Sperberg-McQueen et al., “Extensible Markup Language (XML)”, in http://<br />
www.w3.org/XML/Overview.html, World Wide Web Consortium, September 2006<br />
(retrieved 23.4.2012).<br />
[20] B. Thuraisingham, Building Trustworthy Semantic Webs, Boca Raton, FL: Auerbach<br />
Publications, 2008.<br />
[21] ibid. p. 118.<br />
[22] K. Poulsen, K. Zetter, “U.S. Intelligence Analyst Arrested in Wikileaks Video<br />
Probe”, in ‘Threat Level’ blog, http://www.wired.com/threatlevel/2010/06/leak/, Wired,<br />
6.6.2010 (retrieved 23.4.2010).
Generation of Nonlinear Feedback Shift Registers<br />
with Special-Purpose Hardware<br />
Tomasz Rachwalik, Janusz Szmidt, Robert Wicik, Janusz Zabłocki<br />
Cryptology Division, <strong>Military</strong> Communication Institute, Zegrze, Pol<strong>and</strong>,<br />
t.rachwalik@wil.waw.pl<br />
Abstract: The nonlinear feedback shift registers (NLFSR) are used as primitives in cryptographic<br />
algorithms. Their theory is not so complete as that of the linear feedback shift registers (LFSR).<br />
In general, it is not known how to construct NLFSRs with maximum period. The direct method is to<br />
search for such registers with suitable properties. We used the implementation of NLFSRs in Field<br />
Programmable Gate Arrays (FPGA) to perform a corresponding search. We also investigated local<br />
statistical properties of the binary sequences generated by NLFSRs of order 25 <strong>and</strong> 27.<br />
Keywords: Nonlinear feedback shift registers. Maximum period. Linear complexity. Hardware implementation.<br />
R<strong>and</strong>omness properties<br />
I. Introduction<br />
Feedback shift registers (FSR) sequences have been widely used in many<br />
areas of communication theory, as key stream generators in stream ciphers cryptosystems,<br />
pseudor<strong>and</strong>om number generators in many cryptographic primitive<br />
algorithms, <strong>and</strong> testing vectors in hardware design. Golomb’s book [5] is a pioneering<br />
one that discusses this type of sequences. A modern treatment of the subject<br />
is contained in Golomb <strong>and</strong> Gong [6].<br />
The theory of linear feedback shift registers (LFSR) is understood quite well.<br />
In particular, it is known how to construct the LFSRs with maximum period;<br />
they correspond to primitive minimal polynomials over the binary field GF(2).<br />
The primitive LFSRs have a drawback as their linear complexity is equal to their<br />
order. In recent years, nonlinear feedback shift registers (NLFSR) have received much<br />
attention in designing numerous cryptographic algorithms such as stream ciphers<br />
<strong>and</strong> lightweight block ciphers to provide security in communication systems. In most<br />
cases, NLFSRs have much bigger linear complexity than LFSRs of the same order.<br />
However, not much is known about cyclic structures of NLFSRs; most of the known<br />
results are collected in Golomb’s fundamental book [5].<br />
We used the implementation of NLFSRs in Field Programmable Gate Arrays<br />
(FPGA) to perform a search of NLFSRs of the order up to n = 27, the maximum
456 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
period equal to 2 n − 1 <strong>and</strong> a possibly simple algebraic structure of the feedback<br />
function. We also investigated local statistical properties of the binary sequences<br />
generated by NLFSRs of order 25 <strong>and</strong> 27. We hope to continue this research further.<br />
II. Feedback Shift Registers<br />
In this section, we give definitions <strong>and</strong> basic facts about feedback shift registers<br />
(FSR). We use GF(2) to denote the binary finite field. GF(2)[x] denotes the ring<br />
of polynomials in the indeterminate x <strong>and</strong> with coefficients from GF(2). Let V n<br />
be the n-dimensional vector space over GF(2) consisting of the n-tuples of elements<br />
of GF(2). Any function from V n to GF(2) is referred to as a Boolean function<br />
on n variables. A sequence of elements s = (s 0 , s 1 , ...) of GF(2) is called a binary<br />
sequence. A sequence s = ( s i<br />
)<br />
i <br />
is called periodic if there is a positive integer p<br />
such that s i+p = s i for all i ≥ 0. The least positive integer with this property is called<br />
a period.<br />
A binary n-stage feedback shift register is a mapping F from V n into<br />
V n of the form<br />
F : (x 0 , x 1 , ..., x n−1 ) → (x 1 , x 2 , ..., x n−1 , f(x 0 , x 1 , …, x n−1 ),<br />
where f is a Boolean function on n-variables which is called the feedback function.<br />
The shift register is called a linear feedback shift register (LFSR) if F is a linear transformation<br />
from the vector space V n into itself. Otherwise, the shift register is called<br />
a nonlinear feedback shift register (NLFSR). The shift register is called nonsingular<br />
if the mapping F is a bijection. Further, we will consider only nonsingular <strong>and</strong> mostly<br />
nonlinear feedback shift registers. It can be proved (see e.g. [5]) that the feedback<br />
function of a nonsingular feedback shift register has the form<br />
f(x 0 , x 1 , …, x n−1 ) = x 0 + g(x 1 , ..., x n−1 ), (1)<br />
where g is a Boolean function on n − 1 variables.<br />
Consider a binary sequence s = ( s i<br />
)<br />
whose first n terms s i 0, s 1 , ..., s n−1 are<br />
given <strong>and</strong> whose remaining terms are uniquely determined by the recurrence relation<br />
s i+n = f(s i , s i+1 , ..., s i+n−1 ) for all i ≥ 0. (2)<br />
We call s an output sequence of the feedback shift register given by (1).<br />
The binary n-tuple (s 0 , s 1 , ..., s n−1 ) is called the initial state vector of the sequence<br />
s or the initial state of the feedback shift register. The recurrence relation (2)<br />
can be implemented in hardware as a special electronic switching circuit consisting<br />
of n memory cells which is controlled by an external clock to generate the sequence<br />
s (see Figure 1).
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
457<br />
Figure 1. A block diagram of a Feedback Shift Register<br />
The period of an output sequence of a binary n-stage nonsingular FSR is at<br />
most 2 n . There are some sequences with maximum period.<br />
Definition 1. The de Bruijn sequence of order n ( , ..., a n<br />
2 <br />
) of elements<br />
1<br />
from the binary field GF(2) is a sequence of period 2 n in which all different n-tuples<br />
appear exactly once.<br />
It was proved by Flye Sainte-Marie [3] in 1894 <strong>and</strong> independently by de<br />
Bruijn [1] in 1946 that the number of classes of cyclically equivalent sequences<br />
satisfying the Definition 1 is equal to<br />
n<br />
2 n<br />
.<br />
(3)<br />
B n<br />
Definition 2. The modified de Bruijn sequence of order n ( , ..., a n<br />
2 <br />
)<br />
2<br />
is a sequence of period 2 n − 1 obtained from the de Bruijn sequence of order n by<br />
removing one zero from the tuple of n consecutive zeros.<br />
In 1990 Mayhew <strong>and</strong> Golomb [10] investigated sequences satisfying the Definition<br />
2 <strong>and</strong> their linear complexity. These sequences were called by Gammel<br />
et al. [4] the primitive sequences. In the case of linear feedback shift registers these<br />
sequences are generated by primitive polynomials <strong>and</strong> their theory is understood<br />
quite well [8]. The primitive sequences are very important in cryptographic applications<br />
since:<br />
1. They exist. There are B n primitive sequences altogether (the linear <strong>and</strong> nonlinear<br />
ones). The number of primitive LFSRs is equal to<br />
n<br />
(2 1) ,<br />
n<br />
where φ denotes the Euler phi function, hence there are much more NLFSRs<br />
than LFSRs.<br />
2. The primitive sequences have good statistical properties. They satisfy Golomb’s<br />
main postulates. The linear complexity of a NLFSR (the order of a LFSR generating<br />
the same sequence) is much bigger than 2 n−1 <strong>and</strong> many of them have<br />
the most possible linear complexity equal to 2 n – 2. Let us recall that the linear<br />
complexity of a primitive LFSR of order n is just equal to n.
458 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
3. There are primitive NLFSRs for which the Algebraic Normal Form<br />
of the Boolean function g in formula (1) is quite simple; it has low algebraic<br />
degree <strong>and</strong> a possibly small number of terms. Since there are 2 2n−1 different<br />
Boolean functions on n – 1 variables, hence the probability that a r<strong>and</strong>omly<br />
chosen function of the form (1) is a primitive NLFSR is equal to<br />
n1<br />
2 n<br />
<strong>and</strong> as n grows it becomes smaller.<br />
2 1<br />
n1<br />
<br />
2<br />
n<br />
2 2<br />
The task is to find primitive NLFSRs with a possibly simple algebraic form <strong>and</strong><br />
this is much more difficult. A method how to construct such primitive NLFSRs is not<br />
known <strong>and</strong> we have to search for them. Gammel et al. [4] found simple primitive<br />
NLFSRs up to the order 33 <strong>and</strong> they used them in the design of the stream cipher<br />
Achterbahn, but neither the method of searching nor the average time needed to<br />
find such good NLFSRs have been revealed.<br />
It is also an open problem to prove lower bounds of the linear complexity<br />
of NLFSRs. Mayhew <strong>and</strong> Golomb [10] investigated all modified de Bruijn sequences<br />
of order 5 <strong>and</strong> 6; there are 2 11 = 2048 <strong>and</strong> 2 26 of them, respectively. It appears that<br />
there is a very small number of such sequences with low linear complexity. In the case<br />
of n = 5, there are no NLFRSs with linear complexity equal to 10 <strong>and</strong> there are only<br />
10 sequences with linear complexity equal to 15. One can form a conjecture that for<br />
the order n of NLFSR being a prime number the lower bound of the corresponding<br />
linear complexity is equal to 3n. It is implied by a more general conjecture formed<br />
in Kyureghyan’s paper [7] <strong>and</strong> the results of [10]. The upper bound of the linear<br />
complexity of NLFSRs is 2 n – 2 <strong>and</strong> this bound is tight. We calculated the linear<br />
complexity of the NLFSRs no 1÷4 given in section V <strong>and</strong> it is equal to 2 25 – 2 for<br />
all of them. There is a recent interest in searching for <strong>and</strong> constructing primitive<br />
NLFSRs suitable for cryptographic applications, see [2], [9], [13].<br />
III. The FPGA implementation<br />
We implemented an algorithm for searching nonlinear feedback shift registers<br />
of order n having maximum period 2 n − 1 using hardware devices from our previous<br />
projects. They were equipped with Altera EP3C80 Field Programmable Gate<br />
Arrays. We used Altera Quartus II v.9.0. design software to simulate <strong>and</strong> compile<br />
the current project.<br />
The r<strong>and</strong>om NLFSR searching module (RNSM) consists of a r<strong>and</strong>om number<br />
generator (RNG), a coefficients selector (CS), a coefficients buffer (CB), multiplexers<br />
<strong>and</strong> XOR block (M&X), a shift register (SR), <strong>and</strong> a verification machine (VM).<br />
R<strong>and</strong>om numbers are taken from the RNG. Coefficients are downloaded byte by<br />
byte into the CS, where their values <strong>and</strong> repetitions are controlled. Then the bytes
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
459<br />
go to the CB, whose task is to store combinations of coefficients during the test.<br />
The multiplexers define the feedback function of NLFSR according to the data<br />
buffered in the CB. Their outputs are connected to the XOR gate. Next, the output<br />
of the XOR function feeds the SR. The SR is set with a seed value at the beginning<br />
of a searching process by the VM <strong>and</strong> it starts to shift. After the first repetition<br />
of the seed the test is finished. A positive result is sent to the Ethernet Interface (EI),<br />
which is the same for all implemented modules. A negative result starts a new<br />
process of r<strong>and</strong>om generation <strong>and</strong> testing.<br />
Figure 2. A single module of the searching machine<br />
The attempts to find NLFSR were made by drawing 32 taps. Four of them<br />
feed a four-input AND gate. There are also two three-input AND gates <strong>and</strong> four<br />
two-input AND gates. We also implemented a version with 40 taps but there are<br />
not any results up to now.<br />
Figure 3. The structure used to generate NLFSR<br />
A single RNSM provides a superior search compared to the application<br />
of the same functionality embedded in a fairly efficient PC. For example, to obtain<br />
NLFSRs of order 15 with period 2 15 – 1, we had to wait on average 3 seconds<br />
using the RNSM, whereas working on a PC it took 5 minutes. During our search for<br />
NLFSRs of order 25 <strong>and</strong> 27 with maximum periods 128 RNSMs were implemented<br />
in four physical devices. The 32 modules implemented in a single device worked
460 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
<strong>and</strong> stored results independently. The four devices were connected to a hub <strong>and</strong><br />
a personal computer (PC) with the Wireshark sniffer. The FPGA was clocked with<br />
65.536 MHz, although the maximum possible clocking is 128 MHz. The average<br />
time to find one NLFSR of order 25 was 4 hours <strong>and</strong> the average time to find one<br />
NLFSR of order 27 was 21 hours, respectively.<br />
IV. R<strong>and</strong>omness properties<br />
The purpose of this section is to check experimentally the r<strong>and</strong>omness properties<br />
of subsequences of the sequences generated by NLFSRs of section V. The modified<br />
de Bruijn sequences of order n have period 2 n −1 <strong>and</strong> all different n-tuples appear<br />
only once, except the all-zero tuple. The whole sequence generated by NLFSR<br />
should have good statistical properties; since there is a nonlinear feedback, we also<br />
decided to check the statistical properties locally, for subsequences generated by<br />
NLFSR starting from r<strong>and</strong>omly chosen initial state vectors. Let s = (s 0 , s 1 , ..., s m−1 )<br />
be a binary sequence of length m. We test the r<strong>and</strong>omness using seven basic statistical<br />
tests from [11], [14]. These are:<br />
1. Frequency test – the purpose of this test is to determine whether the number<br />
of 0’s <strong>and</strong> the number of 1’s in the investigated sequence s are approximate<br />
the same, as it would be expected for a r<strong>and</strong>om sequence.<br />
2. Serial test – the purpose of this test is to determine whether the number<br />
of occurrences of 00, 01, 10, 11 as subsequences of s are approximate<br />
the same, where the subsequences are allowed to overlap.<br />
3. Two bit test – it verifies whether the number of occurrences of subsequences<br />
00, 01, 10, 11 are approximate the same, where the subsequences are not<br />
overlapping.<br />
4. 8-bit poker test – it verifies whether bytes of each possible value appear<br />
approximate the same number of times in the sequence s.<br />
5. 16-bit poker test – it verifies whether 16-bit words of each possible value<br />
appear approximate the same number of times.<br />
6. Runs test – the purpose of this test is to determine whether the number<br />
of runs of either zeros or ones of various lengths (here from 1 to 22 bits)<br />
in the sequence s are as expected for a r<strong>and</strong>om sequence.<br />
7. Autocorrelation test – the purpose of this test is to check for correlations<br />
between the sequence s <strong>and</strong> shifted versions of it (here by 1,2, ..., up to 8 bits).<br />
The tests 1÷6 use as a reference distribution the chi-square distribution<br />
with suitable number of degree of freedom <strong>and</strong> the seventh test uses the st<strong>and</strong>ard<br />
normal distribution. The observed frequencies of events are compared with their<br />
expected frequencies. We do not use hypothesis testing in a classical manner,<br />
where the hypothesis H 0 is verified using the calculated statistics. All events are<br />
possible, so we split the calculated statistics into 8 classes from A to H according<br />
to the range of significance level. The class A identifies a group of the best statistics
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
461<br />
<strong>and</strong> the class H identifies the worst case in terms of r<strong>and</strong>omness, but all cases are<br />
possible with suitable probabilities as it is shown in the Table I.<br />
Table I. Percentages of appearances of classes<br />
Classes A+B+C A B C D E F G H<br />
% 95 80 10 5 2.5 1.5 0.5 0.4 0.1<br />
We tested subsequences produced by NLFSRs of section V starting from<br />
r<strong>and</strong>omly selected initial states. First, we generated the full period sequences <strong>and</strong><br />
then each sequence was divided into subsequences of 2 20 bits each:<br />
• 4 . 2 5 = 128 binary subsequences for NLFSRs of order 25 (NLFSRs no 1÷4)<br />
• 3 . 2 7 = 384 binary subsequences for NLFSRs of order 27 (NLFSRs no 5÷7)<br />
The obtained results of experiments are given in Table II. The column<br />
No contains numbers of NLFSR from section V. Columns % of classes contain<br />
percentages of appearances of classes A÷H of statistics for examined subsequences<br />
taken from 7 NLFSRs. It shows that the percentages of classes for<br />
1 Mbit subsequences are similar to the expected appearances of classes for r<strong>and</strong>om<br />
sequences (see Table I). These results indicate that the examined NLFSRs<br />
have good statistical properties.<br />
Table II. Percentages of appearances of classes of subsequences<br />
% of classes<br />
No<br />
A+B+C A B C D E F G H<br />
1 94.64 81.70 8.04 4.91 1.79 2.23 0.89 0.45 0.00<br />
2 94.20 81.25 8.04 4.91 3.13 1.34 0.45 0.89 0.00<br />
3 95.98 86.61 5.80 3.57 1.34 2.68 0.00 0.00 0.00<br />
4 96.43 82.14 8.93 3.36 2.23 1.34 0.00 0.00 0.00<br />
5 94.64 78.79 10.16 5.69 2.68 1.23 1.00 0.33 0.11<br />
6 95.98 80.25 11.94 3.79 2.23 0.67 0.78 0.33 0.00<br />
7 95.20 82.59 8.71 3.91 3.01 1.00 0.22 0.22 0.33<br />
V. Examples of NLFSRs<br />
The NLFSRs of order 25:<br />
1 : x 0 + x 8 + x 9 + x 10 + x 11 + x 19 + x 20 + x 21 + x 23 + x 6 x 21 + x 10 x 14 + x 12 x 20 +<br />
+ x 19 x 20 + x 4 x 18 x 21 + x 11 x 18 x 22 + x 1 x 5 x 7 x 23<br />
2 : x 0 + x 6 + x 7 + x 8 + x 11 + x 14 + x 15 + x 18 + x 19 + x 5 x 10 + x 7 x 21 + x 11 x 16 + x 12 x 17 +<br />
+ x 1 x 10 x 18 + x 15 x 17 x 22 + x 8 x 10 x 15 x 18
462 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
3 : x 0 + x 6 + x 12 + x 13 + x 16 + x 20 + x 21 + x 22 + x 3 x 18 + x 13 x 19 + x 13 x 20 + x 5 x 12 x 20 +<br />
+ x 8 x 18 x 22 + x 12 x 15 x 21<br />
4 : x 0 + x 6 + x 11 + x 14 + x 16 + x 17 + x 18 + x 19 + x 23 + x 4 x 19 + x 4 x 21 + x 5 x 22 + x 9 x 19 +<br />
+ x 1 x 17 x 23 + x 5 x 7 x 18 + x 5 x 12 x 19<br />
The NLFSRs of order 27:<br />
5 : x 0 + x 4 + x 8 + x 9 + x 11 + x 12 + x 15 + x 16 + x 23 + x 12 x 22 + x 13 x 23 + x 13 x 25 +<br />
+ x 22 x 23 + x 7 x 8 x 24 + x 12 x 14 x 26 + x 6 x 11 x 19 x 22<br />
6 : x 0 + x 1 + x 8 + x 10 + x 11 + x 12 + x 17 + x 19 + x 21 + x 22 + x 23 + x 6 x 25 + x 9 x 15 +<br />
+ x 18 x 23 + x 23 x 26 + x 2 x 20 x 21 + x 13 x 21 x 23 + x 5 x 18 x 19 x 23<br />
7 : x 0 + x 1 + x 2 + x 5 + x 10 + x 13 + x 15 + x 24 + x 26 + x 7 x 22 + x 11 x 18 + x 13 x 19 +<br />
+ x 16 x 25 + x 24 x 25 + x 15 x 25 x 26 + x 8 x 10 x 25 x 26<br />
VI. Conclusions<br />
We used the implementation of Nonlinear Feedback Shift Registers in Field<br />
Programmable Gate Arrays to perform a search of NLFSRs of the order up to<br />
n = 27, the maximum period equal to 2 n – 1 <strong>and</strong> a possibly simple algebraic form<br />
of the feedback function. The structure of the Algebraic Normal Form of the feedback<br />
function was fixed in our search. We put the algebraic degree of ANF equal to four<br />
<strong>and</strong> r<strong>and</strong>omly chose linear <strong>and</strong> higher order terms. The hardware implementation<br />
of NLFSRs <strong>and</strong> verification modules enabled to speed our search about 100 times<br />
up comparing to software implementation on current PCs. The future task would<br />
be to find NLFSRs with bigger number of stages n. This requires an improvement<br />
of searching methods <strong>and</strong> the use more hardware resources.<br />
References<br />
[1] N.G. deBruijn, A combinatorial problem. Indag. Math., 8(1946), pp. 461-467.<br />
[2] E. Dubrova, A list of maximum period NLFSRs. Cryptology ePrint Archive, 2012/166.<br />
www.iacr.org<br />
[3] C. Flye Sainte-Marie, Solution to question nr. 48. L’Intermédiaire des Mathématiciens<br />
1(1894). pp. 107-110.<br />
[4] B.M. Gammel, R. Goetffert, O. Kniffler, Achterbahn 128/80. The eSTREAM<br />
project, www.ecrypt.eu.org/stream/, www.matpack.de/achterbahn<br />
[5] S.W. Golomb, Shift Register Sequences. San Francisco, Holden-Day, 1967, revised<br />
edition, Laguna Hills, CA, Aegean Park Press, 1982.<br />
[6] S.W. Golomb, G. Gong, Signal Design for Good Correlation. For Wireless<br />
Communication, Cryptography, <strong>and</strong> Radar. Cambridge University Press, 2005.<br />
[7] G.M. Kyureghyan, Minimal polynomials of the modified de Bruijn sequences.<br />
Discrete Applied Math., 156(2008), pp. 1549-1553.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
463<br />
[8] R. Lidl, H. Niederreiter, Introduction to Finite Fields <strong>and</strong> their Applications<br />
(Revisited Edition). Cambridge University Press, Cambridge, 1994.<br />
[9] K. M<strong>and</strong>al, G. Gong, Probabilistic generation of good span n sequences from<br />
nonlinear feedback shift registers. University of Waterloo, preprint, 2012.<br />
[10] G.L. Mayhew, S.W. Golomb, Linear spans of modified de Bruijn sequences. IEEE<br />
Trans. Inform. Theory, 36(5)(1990), pp. 1166-1167.<br />
[11] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, H<strong>and</strong>book of applied cryptography.<br />
CRC Press, 1997.<br />
[12] T. Rachwalik, J. Szmidt, R. Wicik, J. Zabłocki, Generation of Nonlinear Feedback<br />
Shift Registers with special-purpose hardware. Cryptology ePrint Archive, 2012/314.<br />
www.iacr.org<br />
[13] J. Szmidt, On Kyureghyan’s Conjecture. In preparation.<br />
[14] M.S. Turan, On the nonlinearity properties of maximum-length NFSR feedbacks.<br />
Cryptology ePrint Archive, 2012/112. www.iacr.org<br />
[15] R. Wicik, M. Borowski, R<strong>and</strong>omness testing of some r<strong>and</strong>om <strong>and</strong> pseudor<strong>and</strong>om<br />
sequences. <strong>Military</strong> Communication Conference, Prague, 2008.
Effective Generation of Cryptographic Material<br />
for Large Hierarchical Communication Networks<br />
Marcin Grzonkowski 1 , Jacek Jarmakiewicz 2 , Wojciech Oszywa 2<br />
1 Cryptography Division, MCI, Zegrze, Pol<strong>and</strong>,<br />
m.grzonkowski@wil.waw.pl<br />
2 Communication Systems Division, C4I Systems, MUT – MCI, Warszawa, Pol<strong>and</strong>,<br />
jjarmakiewicz@wat.edu.pl, j.jarmakiewicz@wil.waw.pl<br />
Abstract: In this paper, the problem of increasing the efficiency of cryptographic material generation<br />
for communication networks of large IT systems is presented. As it results from the conducted<br />
tests, it is possible to improve the performance of the cryptographic data generation several times,<br />
after multi-core/multi-process computer systems are applied <strong>and</strong> appropriate parallel cryptographic<br />
data generation system is designed. The IT network class described in the paper corresponds to, e.g.<br />
a system for the public administration purposes, where numerous IT relations between the system<br />
components within the superior-subordinate relationship are present.<br />
Keywords: electronic key management systems, parallel key generation<br />
I. Introduction<br />
Experiences related to cyber-attacks on information systems of various countries<br />
(Georgia, Estonia, Germany, Great Britain) indicate that the destabilization<br />
of information services has a real impact on national security <strong>and</strong> the public [1-7].<br />
Organized cyber-attacks are often stimulated by political forces which transfer<br />
international policy to cyber space which is characterized by not precisely defined<br />
aspects of responsibility for unauthorized operations [8]. The attacks resemble typical<br />
spy activities for the technical, military, political <strong>and</strong> economic spheres, which<br />
leads to real <strong>and</strong> critical national security threats. The examples of unauthorized<br />
operation sources include cyber-spy organizations such as GostNet, Zeus, SpyEye [7].<br />
Therefore, the security within the IT systems, in particular those that provide<br />
services to citizens, is very important. <strong>Information</strong> services of public administration<br />
authorities (PA) are particularly important in the context of public life <strong>and</strong> security<br />
of citizens, which is why actions aimed at ensuring the security of information flow<br />
in organized networks for the PA are necessary [6].<br />
One of the effective manners for avoiding unauthorized information flow is to<br />
organize the data encryption in PA networks, thus eliminating the possibility of un-
466 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
controlled movement of data streams from inside <strong>and</strong> outside of the PA networks.<br />
The organization of large networks protection mechanism through encryption is not<br />
easy. Effective cryptographic tools <strong>and</strong> a number of organizational operations that<br />
allow safe <strong>and</strong> punctual distribution of cryptographic data are necessary for this<br />
purpose [9]. Cryptographic tools should not impact the deterioration of the communication<br />
services of an IT system. In order for these devices to work correctly,<br />
it is necessary to regularly deliver the cryptographic data (symmetric/asymmetric<br />
keys, r<strong>and</strong>om sequences <strong>and</strong> other) [10].<br />
Modern communication networks consisting of several hundred or even several<br />
thous<strong>and</strong> devices require huge amounts of cryptographic data. The generation<br />
of cryptographic data entails the performance of large amount of time-consuming<br />
calculations <strong>and</strong> does not only relate to the problem of generation of cryptographic<br />
keys, but also to their appropriate protection against errors, disclosure, labeling<br />
<strong>and</strong> storage.<br />
The currently applied systems <strong>and</strong> tools for generating cryptographic data<br />
are not very efficient for large communication networks, where symmetric keys<br />
are used. For every information relation, appropriate cryptographic data should<br />
be assumed, e.g. if there is n=100 stations, at least n*(n-1)/2, i.e. nearly 5 thous<strong>and</strong><br />
cryptographic data for the “peer-to-peer” information relation model should be<br />
prepared. The planning, generation <strong>and</strong> distribution of cryptographic data for such<br />
a large network is a technically complicated system.<br />
II. Architecture of an information system<br />
Let us consider the example PA system environment. The primary basis<br />
for determining the structure of an information system is the territorial division<br />
of the country. Within the division, the voivodeships along with the administration<br />
authorities that report to governmental institutions are important. The country<br />
is divided into 16 voivodeships which are created by poviats.<br />
We assume that the information system in question comprises management<br />
centers (MC) that may be duplicated given the need to achieve sufficiently high<br />
survival level. The composition of an example voivodeship MC is presented in Table<br />
1. In accordance with the administrative division of the country, 16 such MCs<br />
are present within the Republic of Pol<strong>and</strong>.<br />
The central element of the state management is the president of the Republic<br />
of Pol<strong>and</strong> (PRP), however, the majority of information processes will be addressed<br />
to the Prime Minister <strong>and</strong> the PM MC.<br />
It was assumed that information reports from the authorities subordinate<br />
to the PM will deliver information to the PM MC. Only the information already<br />
edited <strong>and</strong> aggregated will be delivered to the PM MC.<br />
An exemption may constitute the information reports delivered by the Ministry<br />
of Interior <strong>and</strong> Administration <strong>and</strong> Ministry of National Defense. Depending
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
467<br />
on the situation, information reports from the ministries of interior <strong>and</strong> defense<br />
might be provided both to the PM <strong>and</strong> PRP. It was proposed to classify the elements<br />
directly subordinate to the relevant ministries as internal elements. These<br />
are central authorities not belonging to the GA (Governmental Administration)<br />
<strong>and</strong> central authorities of the GA that will be joined through information relations<br />
with the relevant ministries.<br />
Figure 1. Architecture of the PA <strong>Information</strong> System<br />
As a result of the above analyses, the architecture of the PA system can be<br />
identified. It is graphically shown in Figure 1. The total number of the MCs for that<br />
particular information system equals 867 nodes. Probably there will be as many<br />
nodes in an communication network that will transfer information streams within<br />
the system. Not all nodes will exchange information between themselves, thus,
468 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
the information relations will be less in number than it results from the simple<br />
calculation being 867*866/2 = 375 411.<br />
Unfortunately, the amount of cryptographic data needed to ensure the system<br />
security will be equal to the number of information relations (assuming<br />
the symmetric encryption methods). The calculation of information relations<br />
is presented in Table 1. The number of information relations is not as dramatically<br />
high as for the “peer-to-peer” system, nevertheless their number amounts<br />
to nearly 20 thous<strong>and</strong>.<br />
Table I. Estimation of information relations in a system<br />
No. Relations Calculations Subtotal<br />
1 Central (57*56)/2 +(57*15)/2 + (15*14)/2 2128<br />
2 Including voivodeship level 2128*16 17024<br />
3 Voivodeship relations (11+15)*16 208<br />
4 Between voivodeships (16*15)/2 120<br />
5 Voivodeship-poviat relations 16*24/2 193<br />
Total 19673<br />
III. Generation of cryptographic data for large IT systems<br />
The cryptographic information generation subsystem for special networks<br />
consists of one or several combined computer station. These center perform various<br />
functions within a system:<br />
• Center for Special Network Planning <strong>and</strong> Cryptographic Data Distribution.<br />
Proper functioning of a secret data information system requires designing<br />
of a network made up of encryption devices <strong>and</strong> software as well as providing<br />
cryptographic data to every device <strong>and</strong> user (keys, passwords). This<br />
operation is carried out regularly at certain time intervals (every few/<br />
several months). When planning, the need to immediately generate data<br />
in particular emergency situations should be taken into account. Once<br />
generated, the cryptographic data should be combined into sets <strong>and</strong> distributed<br />
to loading st<strong>and</strong>s or directly to the devices. The data ought to be<br />
delivered in a safe manner, so as to preclude its disclosure <strong>and</strong> unauthorized<br />
modification.<br />
• Cryptographic Data Generation Center (CDGC). The station serves<br />
the cryptographic data generation for every cryptographic device operating<br />
within a communication network. The data is secured within the distribution<br />
period.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
469<br />
Figure 2. Cryptographic Data Generation Model<br />
The Cryptographic <strong>Information</strong> Generation Center is most often built based<br />
on a personal computer with attached external devices such as the hardware<br />
r<strong>and</strong>om sequence generator, order station <strong>and</strong> data preparation for distribution<br />
in the system (Fig. 2).<br />
Cryptographic Data Generation Center should generate data necessary for<br />
the operation of various cryptographic algorithms such as coding, message signing<br />
<strong>and</strong> different passwords for cryptographic devices <strong>and</strong> systems.<br />
IV. Types of cryptographic data generation testbeds<br />
Cryptographic data sequential generation station<br />
In presently applied implementations, cryptographic data is generated sequentially,<br />
which results in a relatively long period of its generation for the entire<br />
network (Fig. 3). In a sequential model, it is necessary to perform r<strong>and</strong>om sequence<br />
generation processes. It is also needed to test it in terms of statistics, cryptographic<br />
key generation for information relations, relation keys protection <strong>and</strong> secure storage<br />
of the keys on data carriers. Many of these operations may be executed parallel.<br />
Figure 3. Components of a Data Sequential Generation Testbed Cryptographic data parallel<br />
generation station
470 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The generation of the appropriate amount of cryptographic data for the particular<br />
system components for presently used large communication networks often<br />
requires several days.<br />
The time needed to generate data in emergency situations is too long, which<br />
may lead to a system downtime. Most of the currently used applications have been<br />
developed for single-core processors. The conducted tests show that the start-up<br />
of these applications on multi-core systems does not proportionally improve their<br />
performance.<br />
A simple transfer of data generation algorithms to multi-core systems does<br />
not improve their performance, despite the fact that these applications require high<br />
processing capacity systems. Therefore, it is necessary to design, for the purposes<br />
of cryptographic data generation, new effective tools that will operate in multiprocess<br />
<strong>and</strong> multi-core systems, ensuring the implementation of tasks in parallel<br />
<strong>and</strong> allowing for delivering <strong>and</strong> equipping the communication networks in a short<br />
time (Fig. 4.)<br />
Due to safety reasons, the data should be generated at the CDGC as a singlestation.<br />
Distributed generation of data is difficult, as there is a need to exchange<br />
information between the generation processes. Additionally, at a distributed station,<br />
cryptographic data that occur in an overt form cannot be sufficiently protected.<br />
Figure 4. Components of a Parallel Data Generation Testbed<br />
When designing, the cryptographic data generation process at the CDGC<br />
should be disintegrated <strong>and</strong> adapted to the parallel generation using multiple<br />
processors <strong>and</strong> cores at the same time. The parallel generation method should use<br />
the properties of the hardware platform on which it is implemented.<br />
At the proposed CDGC, the data is generated simultaneously on the particular<br />
cores (processors) which allows for reducing the overall time of the data generation<br />
(Fig. 5). At the CDGC, the problem of cryptographic data parallel generation
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
471<br />
for large communication systems has been solved <strong>and</strong> data was designed so as to<br />
be prepared concurrently <strong>and</strong> efficiently in terms of time.<br />
In order to illustrate the efficiency of the proposed mechanism, the time of selected<br />
cryptographic data generation depending on the number of processes (which<br />
it was generated by) was tested. The results enabled the preparation of evaluation<br />
of the mechanism efficiency.<br />
Figure 5. Model of the built Cryptographic Data Generation Center<br />
V. Results of the implemented CDGC efficiency<br />
Additionally, at the built CDGC, the mechanism for measurements of selected<br />
cryptographic data generation time was implemented. The system enables<br />
the generation of:<br />
• linear registers longer than 500 bits;<br />
• protected symmetrical keys (generation, integrity execution, encryption,<br />
saving to a disk);<br />
• pseudo-r<strong>and</strong>om files encryption (generating files from the pseudo-r<strong>and</strong>om<br />
generator, integrity execution, encryption <strong>and</strong> saving to a disk);<br />
• large prime numbers (1024 bits).<br />
The results of the selected performance metrics of the CDGC efficiency<br />
as the number of cryptographic data generation threads are presented in the graphics<br />
below (Diagram 1, 2).<br />
Long registers are necessary for the stream ciphers operation. As shown<br />
in Diagram 1, parallel generation increases the station efficiency. The set of registers<br />
was generated on a single core in less than 4 minutes, whereas the average time<br />
of data generation for registers on a 4-core processor is approximately 1 minute.
472 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Diagram 1. Average time of non-linear register <strong>and</strong> 10 prime numbers generation<br />
Diagram 2. Generation time for a set of 10 devices, 100 keys each <strong>and</strong> encryption<br />
of 10 files with pseudo-r<strong>and</strong>om numbers, 10 KB each<br />
The performance metric of generating large prime numbers necessary for<br />
the proper operations of public key systems is presented on Diagram 1. The efficiency<br />
of prime numbers generation depends on the number of generation threads.<br />
The best results were achieved with four generation threads. The generation of prime<br />
numbers is a complex process in terms of calculation <strong>and</strong> does not require using<br />
disk resources. Therefore, it can perfectly enable increasing the number of generated<br />
numbers while increasing the number of threads.<br />
Symmetric keys are necessary for the operations of block ciphers. The generation<br />
of symmetric keys is not a complicated process in terms of calculation because<br />
they constitute r<strong>and</strong>om sequences. However, in the process of keys generation,<br />
their integrity should be secured by calculating the abbreviation <strong>and</strong> ensuring<br />
confidentiality through encryption. Once generated <strong>and</strong> secured, the keys are<br />
saved to the st<strong>and</strong> disk. The generation of symmetrical keys is not as susceptible<br />
to turning parallel as the disk generation, although their generation efficiency may
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
473<br />
be increased twofold. The time of data generation using a single thread amounts<br />
to ca. 1.5 minutes, whereas the average time of a set generation using 2 threads<br />
is reduced by half.<br />
Afterwards, the encryption performance <strong>and</strong> shortening of files containing<br />
sequences of pseudo-r<strong>and</strong>om numbers was tested. In the encryption time, the files<br />
are saved in blocks of a few hundred bytes on the disk. As the main problem<br />
consists in the saving time of a large number of short blocks to a disk, the increase<br />
in the generation threads number does not improve the generation station<br />
performance.<br />
VI. Conclusions<br />
Although the test comprised merely a few performance metrics, it was sufficient<br />
to confirm that the processes complicated in terms of calculation are prone<br />
to turning parallel <strong>and</strong> improving the generation time. Poorer results were obtained<br />
for operations that required saving of large amount of data to a disk. It seems<br />
that it will be possible to eliminate the restriction through the use of its buffering<br />
in the operational memory.<br />
The CDGC st<strong>and</strong> was installed on a multi-core computer using the parallel<br />
cryptographic material generation method. This solution is well suited to be used<br />
in cryptographic data generation systems for the currently operated <strong>and</strong> future<br />
communication networks. This will allow for increasing their performance several<br />
times. At the same time, this method will not deteriorate the security of the generated<br />
data, what is more, it will improve it by being able to perform additional<br />
procedures to verify this data, e.g. constant testing of the r<strong>and</strong>om sequence quality<br />
derived from the r<strong>and</strong>om generator.<br />
References<br />
[1] J. Kirk, Estonia recovers from Massie denial of service attack, IDG News Service,<br />
Inforworld, http://www.infoworld.com/article/07/05/17/estonia-denial-of-serviceattack_1.html,<br />
May 17, 2007.<br />
[2] C. Wilson, Computer Attack <strong>and</strong> Cyberterrorism: Vulnerabilities <strong>and</strong> Policy Issues<br />
for Congress, CRS Report RL32114, Updated April 1, 2005, p. 18.<br />
[3] N. Granado, G. White, Cyber security <strong>and</strong> government fusion center, Center for<br />
Infrastructure Assurance <strong>and</strong> Security, The University of Texas at San Antonio, 41st<br />
International Conference on System Science, Hawaii 2008.<br />
[4] October Cyberattacks on Pol<strong>and</strong>, www.rp.pl/artykul/2,375962_Cyberatak_ na_Polske.<br />
html, 2009.<br />
[5] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Applied cryptography, WNT 2005.
474 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
[6] B. Schneier, Applied Cryptography: Protocols, Algorithms, <strong>and</strong> Source Code in C,<br />
Second Edition, J. Wiley & Sons, 1996.<br />
[7] A. Grama, G. Karypis, V. Kumar, A. Gupta, Introduction to Parallel Computing<br />
(2nd Edition), PEARSON, Addison Wesley 2003.<br />
[8] T. Mattson, B. S<strong>and</strong>ers, B. Massingill, Patterns for parallel programming, Addison-<br />
Wesley Professional, 2004.
Improving the Efficiency of Cryptographic<br />
Data Management by Using an Adaptive<br />
Method of Planning<br />
Tomasz Czajka, Wojciech Oszywa, Michał Gawroński, Rafał Gliwa<br />
Cryptology Department, <strong>Military</strong> Communication Institute, Zegrze, Pol<strong>and</strong>,<br />
{t.czajka, w.oszywa, m.gawronski, r.gliwa}@wil.waw.pl<br />
Abstract: The Electronic Cryptographic Data Management System (ECDMS) is designed for secure<br />
<strong>and</strong> correct preparation of cryptographic data. The process of preparation consists of three stages<br />
generally: planning of secure connections, generation of required keys <strong>and</strong> distribution of produced<br />
data to points of exploitation. These steps have to be perform sequentially. The planning can be realized<br />
by “according to needs” or “each to each” method. First method is inconvenient in use while<br />
second one extends time of data generation significantly. However the distribution process takes still<br />
the most of time. Till now distribution was realized by couriers. Nowadays, thanks to available secure<br />
telecommunication infrastructure, distribution can be realized in electronic way. A replacement<br />
of courier distribution with electronic one enables to improve efficiency <strong>and</strong> flexibility of ECDMS.<br />
Time of delivery data to devices is negligibly short <strong>and</strong>, in consequence, processes of planning <strong>and</strong><br />
generation became a bottle neck in this case. In the article we will prove that in extreme situations<br />
method “according to needs” is impracticable <strong>and</strong> use of “each to each” method causes that time of data<br />
generation is unacceptably long. In answer to these difficulties we propose new method of secure<br />
connections planning called adaptive method. It combines advantages of two previous methods <strong>and</strong><br />
eliminates disadvantages. One, crucial requirement for using this method is availability of communication<br />
infrastructure that will allow ECDMS to monitor work of supported devices.<br />
Keywords: Cryptographic data management, key generation, adaptive method<br />
I. Introduction<br />
A correct operation of data protection systems depends on an appropriate<br />
preparation of cryptographic data. There are special dedicated systems, called<br />
Electronic Cryptographic Data Management Systems (ECDMS), which are responsible<br />
for realization of this goal. An example of such system is commonly<br />
known American EKMS i.e. Electronic Key Management System. The specific tasks<br />
of the ECDMS can be very different <strong>and</strong> depend on the requirements of the concrete<br />
data protection system. Additionally, development of data protection systems<br />
implies the need of increasing an efficiency of ECDMS.
476 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
In the article we present the way of modification of management process<br />
which allows to improve the efficiency of ECDMS.<br />
II. Characteristics of special data protection systems<br />
<strong>and</strong> cryptographic data management systems<br />
in our considerations we take into account the special systems of data protection.<br />
The term “special systems” is quite general. For the purpose of our article we<br />
assume term “special systems” means systems processing classified information,<br />
that is information particularly important <strong>and</strong> sensitive. The priority is the security<br />
of their data, sometimes with cost of processing speed or ease of use. Below<br />
we will discuss the main features of the special systems, which directly determine<br />
the requirements for ECDMS.<br />
1. Communication between any two elements of the system (users, devices)<br />
is protected by encryption with a unique key, called the session key. Session<br />
can be a single conversation. It can also be defined by the unit of time or<br />
the size of transmitted data.<br />
2. <strong>Information</strong> must be protected not only currently but also a long time<br />
after use. The more sensitive information the longer period of protection<br />
is required. Implemented cryptographic mechanisms must therefore be<br />
strong enough to ensure the security now <strong>and</strong> in the future.<br />
3. The conclusion above applies also to the protocol of the session key agreement.<br />
In many solutions the key is agreed using the Diffie-Hellman protocol.<br />
It can be considered sufficiently secure today, but there is no guarantee that<br />
it will be quite secure in the future. For this reason, such key agreement<br />
protocols can not be used in special systems.<br />
4. Not all connections between system’s users are allowed e.g. in the army,<br />
where every person on any comm<strong>and</strong> level should be provided with communication<br />
with their immediate superiors, subordinates <strong>and</strong> people with<br />
the same level.<br />
5. Development of the system that is adding new users (devices) must be<br />
strictly controlled.<br />
Taking above requirements into account the following principles of cryptographic<br />
data management can be specified:<br />
– session keys, instead of agreeing, should be derived from the base key;<br />
– base keys (relations keys) should be different for each pair of communicating<br />
devices;<br />
– establishing who with who can communicate in secret mode must be possible;<br />
the set of established relations determines the configuration of communication<br />
system;<br />
– relations key are being prepared for a fixed period, called the period<br />
of validity; after that period, they should be replaced by new keys; periodic
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
477<br />
keys exchange enhances security <strong>and</strong> it is an opportunity to reconfigure<br />
the system;<br />
– cryptographic relations are established according to the needs known<br />
at the time of planning. In the moment keys comes to use or during<br />
the validity period, these needs may change. It must be possible to<br />
join the system devices that were not included in the communication<br />
plan. For this purpose, sets of spare data are prepared. Spare data, after<br />
uploading the devices, enable secret communication with all other devices:<br />
working or spare;<br />
– relations key should be supplied to the operation places in a reliable <strong>and</strong><br />
secure way before beginning of validity period, which they have been<br />
prepared for, starts.<br />
From above assumptions it follows that ECDMS performs the tasks associated<br />
with planning, generation <strong>and</strong> distribution of cryptographic data. These processes<br />
must be executed sequentially. Result of one stage constitutes the input for<br />
the next stage. But the entire life cycle of the key includes the following key stages:<br />
needs analysis, preparation, waiting for entry to use, activation, work: session<br />
keys generation, deactivation, archiving or destruction. The process of preparing<br />
the data can be presented in a transparent way on the timeline. The essential<br />
points are: the beginning <strong>and</strong> end of the validity period (B <strong>and</strong> E), the beginning<br />
<strong>and</strong> end of the data preparation process (Bp <strong>and</strong> Ep). The period between Bp <strong>and</strong><br />
B is designed to analyze the needs for secure communications to the next period.<br />
The period between Ep <strong>and</strong> E is the reserved time required against unexpected<br />
events. The shorter time of data preparation compared to the length of the validity<br />
period, the management is more flexible. During validity period the following<br />
steps are held simultaneously: data preparation for a future, using current data <strong>and</strong><br />
destruction of the previous keys.<br />
III. Efficiency<br />
Speed of processing can be regarded as the measure of efficiency. The speed<br />
is connected with the time of the processing. Because of planning, generation<br />
<strong>and</strong> distribution are realized sequentially the time of date preparation is equal to<br />
total time of component processes. Time of planning depends on the planning<br />
method one applies: “according to the needs” or “each to each”. Time of generation<br />
depends on the number of established relations <strong>and</strong> the throughput of the source<br />
of keys – usually hardware r<strong>and</strong>om generator. Time of distribution depends<br />
on the kind of the distribution method, which can be courier (traditional) or<br />
electronic one.<br />
The kind of distribution is very essential for future conside-rations. In the case<br />
of the courier distribution, cryptographic data are delivered to the points of exploitation<br />
by persons (couriers). This process can last from several days to several
478 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
weeks depending on number of couriers, number of served devices <strong>and</strong> devices<br />
network topology. In the case of the electronic distribution, secure communication<br />
infrastructure used to transfer of the data is available. So the time of the distribution<br />
can be treat as negligible in this case.<br />
The graphs presented in Fig. 2 show the example of timing dependencies<br />
of the whole process of the data preparation in case of courier (1) <strong>and</strong> electronic<br />
distribution (2).<br />
The mutual proportions of the time of planning <strong>and</strong> time of generation can be<br />
different depending on the applied method of the planning. However in the first<br />
case their total time will certainly be much smaller than the time of courier distribution.<br />
The efficiency of planning <strong>and</strong> generation have no bigger meaning, because<br />
the distribution is the bottleneck.<br />
In second case, the whole process of the data preparation become significantly<br />
shorter. In this situation new profitable possibilities appear (presented<br />
in Fig. 3): giving more time for analysis process <strong>and</strong> shortening the validity period.<br />
The second solution increases security for data protection system. In both<br />
solutions the planning is more effective because the needs for cryptographic<br />
relations known at the beginning of planning are more adequate to real needs<br />
existing in the moment of introducing the keys to use. In this case the planning<br />
<strong>and</strong> generation become bottleneck.<br />
It is necessary to determine if optimization of planning time <strong>and</strong> generation<br />
time is possible. Let’s begin from generation process. The total time of generation<br />
is equal to the product of generation time of single key <strong>and</strong> number of required<br />
keys. The time of generation of single key follows from the property of r<strong>and</strong>om<br />
generator <strong>and</strong>, for concrete solutions, is a fixed value. Let’s assume that generation<br />
of one key lasts 1 second.<br />
Figure 1. Life cycle of cryptographic data<br />
Figure 2. Timing dependencies in process of data preparation
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
479<br />
Figure 3. Timing dependencies in case of electronic distribution<br />
The number of keys is equal to the number of cryptographic relations established<br />
in planning process. The number of relations depends not only on real needs<br />
but also on applied method of planning: “each to each” or “according to needs”.<br />
IV. Each to each method<br />
In the method each to each all possible cryptographic relations are set, which<br />
means that each device can communicate with any other in secret mode. Assume<br />
that R is the number of relations <strong>and</strong> the N – the number of users. Then:<br />
R = ½ * N * (N-1).<br />
In this case, the planning process is reduced to producing the order for<br />
the cryptographic data. Basing on the order, the generation subsystem will produce<br />
the required keys. The table 1 gives the total generation time for different numbers<br />
of devices (assuming that the generation of a single key takes 1 second).<br />
Advantages: The planning process is very easy to implement <strong>and</strong> its execution<br />
time is negligibly short.<br />
Disadvantages: Generation of a large number of keys (many of them will<br />
probably never be used). Too long generation time, in some cases unacceptable.<br />
V. Pareto principle<br />
The alternative for “each to each” method is “according to needs” method.<br />
However, can we expect significant shorte-ning of generation time, when a concrete<br />
system <strong>and</strong> its needs in range of cryptographic relations are unknown<br />
At the beginning we can refer to our own life experiences. Probably each<br />
user of mail or mobile phone can find in his address book a few such contacts<br />
which added long time ago <strong>and</strong> were never used after. From second side the same<br />
user could mention a few such contacts which are used definitely more often then<br />
the others. As confirmation of this what follows from experiences it is worth to<br />
quote the conclusions of Italian economist Pareto. Vilfredo Pareto observed in 1906<br />
that 80% of the l<strong>and</strong> in Italy was owned by 20% of the population. This rule called<br />
Pareto principle (also known as rule 80-20), has many expressions concerning
480 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
economy, business, daily life etc. But generally it states that roughly 80% of the effects<br />
come from 20% of the causes.<br />
Table I. Time of generation in each to each method<br />
Number of devices Time of data generation<br />
100 1 h 22 min.<br />
200 5, 5 h<br />
500 34 h 40 min.<br />
1000 5 days 8 h<br />
2000 23 days<br />
5000 145 days<br />
Applying this rule to communication system we can assume, that from point<br />
of view of single user, 80% realized connections are addressed to only 20% of other<br />
users. For the simplification of further considerations let’s assume that each user<br />
communicates with only 20% of other users. It lets us for applying “according to<br />
needs” method.<br />
VI. According to needs method<br />
In this method, only the required relations are established. In this case,<br />
the number of relations satisfies the condition:<br />
½ * N ≤ R < ½ * N * (N – 1).<br />
Examples of generation times for different numbers of devices <strong>and</strong> for the case,<br />
which is consistent with our assumption (arising from the Pareto principle) are<br />
given in the table 2 in column 2. For comparison, column 1 shows the generation<br />
times using the each to each method. Column 3 presents generation times, assuming<br />
that each user communicates with at most 100 other users. In practice, the relations<br />
are defined manually, using a symmetric table whose rows <strong>and</strong> columns are<br />
identified by numbers of devices. Table entries on the diagonal are unavailable,<br />
because establishing relation with the device itself has no practical meaning. Placing<br />
the symbol X in a cell at the intersection of row i <strong>and</strong> column j means establishing<br />
a relation between devices i <strong>and</strong> j.<br />
The efficiency of this method depends on the ability of perception of the operator.<br />
To imagine the scale of difficulty one can compare this process to lay the puzzle,<br />
where the number of elements corresponds to the number of devices. If the image<br />
consists of 1000 items such task seems not feasible in a short time. Suppose that<br />
a large screen monitor (e.g. 21’’) can fit a part of table with the dimension 40 x 40<br />
devices. If 1000 devices in the system works, such a part is just one of 625 parts.<br />
Advantages: Number of relations adapted to real needs. The relatively short generation<br />
time. Adequate for the institution, where some connections are not allowed.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
481<br />
Disadvantages: Complicated <strong>and</strong> time consuming planning. Too large risk<br />
of doing mistake (no necessary relations). For a large number of devices, error-free<br />
planning is practically impossible.<br />
Table II. Time of generation for different methods of planning<br />
Number<br />
of devices<br />
Generation time<br />
Case 1 Case 2 Case 3<br />
100 1 h 22 min. 16 min. 1 h 22 min.<br />
200 5, 5 h 1h 6 min 5,5 h<br />
500 34 h 40 min. 7 h 15 h 53 min.<br />
1000 5 days 8 h 27 h 36 min. 31 h 46 min<br />
2000 23 days 4 days 15 h 2 days 15 h<br />
5000 145 days 29 days 6 days 14 h<br />
In conclusion, it should be noted that in extreme situations (large networks)<br />
both methods in its pure form are not acceptable. Therefore, our solution is in some<br />
sense a combination of both methods of planning.<br />
VII. Adaptive method<br />
General idea<br />
This method is iterative. Iteration is single validity period. The method starts<br />
from a network set up on each to each. The method is called adaptive, because<br />
in subsequent iterations the network connections are modified in such a way, as to<br />
adapt to the real needs for connections. The aim of this method is to obtain such a<br />
set of cryptographic relations that will not require further modification (of course<br />
apart from the modifications related to exceptional situations, such as the introduction<br />
of new user).<br />
Additional requirements<br />
The method requires all active connections to be registered by devices<br />
of the management system. Thanks to this, the planning subsystem will know<br />
which relations are necessary. In a minimum variant, to record only the first call<br />
within a relation is sufficient. For this purpose, an existing electronic distribution<br />
channel can be used.<br />
Initial conditions<br />
Before the first iteration, the relations are established on each to each. Prior<br />
to initiating the system there is not time regime yet, so it does not matter that
482 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
the data preparation process can be long-term. Each to each method will be used<br />
just this one time only.<br />
First iteration<br />
During operation of the system, achieved connection are registered. For<br />
the next validity period, only those relations that have been registered are established.<br />
Additionally, one should prepare adequate number of spare data sets. Determining<br />
the adequate number is crucial to the success of the method. If the number of spare<br />
data sets is too small, the algorithm will fail <strong>and</strong> the data protection system will be<br />
unable to perform their tasks. Too large number of spare data sets has no meaning<br />
for the speed of progress, but it prolongs the time of data generation.<br />
Next iteration<br />
If it turns out that the device needs to realize the connection for which<br />
the key has not been prepared, the data loaded into the device will be replaced<br />
with spare data. One should then re-addressed the device <strong>and</strong> from this moment<br />
the device is identified by a number of spare data set. <strong>Information</strong> about the change<br />
of the number must be sent out to other devices. Set of relations is updated by<br />
adding the missing relation.<br />
Evaluation criterion<br />
If in a given iteration, all spare data sets are used, it means the negative result<br />
of the algorithm. If in subsequent iterations the number of used spare data sets<br />
is similar, it means that the method is not effective. If the number of used spare<br />
data sets becomes smaller <strong>and</strong> smaller, it means the positive result of the method.<br />
Probably the number of used spare data never reaches zero, but it is obvious, because<br />
unexpected situations occur always.<br />
VIII. Summary<br />
The proposed adaptive method of cryptographic relations planning combines<br />
advantages of two methods discussed earlier: each to each <strong>and</strong> according<br />
to needs. The first planning is realized with using each to each method. In subsequent<br />
iterations the set of relations is updated i.e. unnecessary relations are<br />
omitted <strong>and</strong> necessary ones are included. As the result, the final set of relations<br />
is established, which is realization of “according to needs” conception. The adaptive<br />
method enables to avoid main difficulties connected with previous methods<br />
i.e. manual planning of relations <strong>and</strong>/or too long time of key generation for all<br />
possible connections.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
483<br />
The proper selection of number of spare data sets for next iterations seems<br />
to be crucial for the success of the method. This is the drawback of the method<br />
that its result can be known just after several iterations. Here, the single iteration<br />
is one validity period (lasting from 3 to 6 months typically). That is why the time<br />
of expectation for the result is not acceptable. Therefore, it is necessary to apply<br />
simulation to evaluate the progress of the method as quickly as possible.<br />
The next stage of our work will be a choice of a simulating environment. It is<br />
very important to correctly specify the parameters of simulation, so the simulation<br />
task imitates the work of the real system faithfully. Particularly interesting is such<br />
feature of system which describe a size <strong>and</strong> a changeability of sets of users with<br />
whom the chosen user communicates in safe mode. According to such criterion we<br />
can distinguish a few types of systems. The simulation enables evaluation of usefulness<br />
of adaptive method for each of these types of systems. Alternatively, result<br />
of simulation will help to establish an optimum values of method’s parameters<br />
(such as: number of spare data sets, length of validity term).<br />
References<br />
[1] B. Schneier, “Applied cryptography”, John Wiley & Sons, 1994.<br />
[2] A. Menezes, P.C. van Oorschot, S.A. Vanstone, “H<strong>and</strong>book of Applied<br />
Cryptography”, CRC Press LCC, 1997.<br />
[3] N. Ferguson, B. Schneier, “Practical Cryptogaphy”, John Wiley & Sons, 2003.
Modern Usage of “Old” One-Time Pad<br />
Mariusz Borowski, Marek Leśniewicz<br />
Cryptology Division, <strong>Military</strong> Communication Institute, Zegrze, Pol<strong>and</strong>,<br />
{m.borowski, m.lesniewicz}@wil.waw.pl<br />
Abstract: Top comm<strong>and</strong>s of the arm forces <strong>and</strong> some special military <strong>and</strong> government institutions<br />
need perfect security for exchanging between them “TOP SECRET” information. Security of such<br />
information is not limited by time. Only the one-time pad (perfect) cipher may be used to fulfill<br />
the requirements. Realization of OTP cipher machines has changed for decades. Now capability<br />
to hardware generation of binary r<strong>and</strong>om sequences with the potential output rate 100 Mbit/s<br />
eliminates the restriction connected with availability of very long one-time keys. Continuously<br />
generating the sequence (or one-time keys) with a bit rate 100 Mbit/s <strong>and</strong> its direct, lossless<br />
recording to mass storage, the new hardware generator will be able to produce a little more<br />
than 1 TB per day. OTP cipher machines have to be supported by a trusted data management<br />
<strong>and</strong> couriering system.<br />
Keywords: a one-time pad, a hardware r<strong>and</strong>om bit generator, entropy, r<strong>and</strong>omness, Markow chains<br />
I. Introduction<br />
Diplomacy, military top comm<strong>and</strong>s <strong>and</strong> some special government agencies<br />
need ever lasting absolute security <strong>and</strong> privacy. Interception of some<br />
“TOP SECRET” plaintext by hostile state or organization can prove destructive<br />
in two months as wall as in a hundred years. The requirement of the perfect cipher<br />
usage is obvious for the institutions. It is important to recall that messages that<br />
were encrypted in the 1950’s with ‘state of the art’ imperfect cipher machines, <strong>and</strong><br />
were kept archived by the adversary (which actually happened) are now generally<br />
broken within a few seconds, minutes or some hours at the most. On the other h<strong>and</strong><br />
the messages that were sent 60 years ago with any realization of perfect ciphering<br />
will stay unbreakable for ever if the keys have been destroyed.<br />
Methods of realizating the perfect ciphering have changed by decades from<br />
a pencil-<strong>and</strong>-paper version to a today’s PC computer system equipped with modern<br />
software <strong>and</strong> provided other then confidentiality cryptographic services. It is<br />
interesting that all the methods of realizating the perfect ciphering have the same<br />
perfect security. Obviously perfect security is not for free. The perfect cipher requires<br />
r<strong>and</strong>om keys as long as the plaintext, a data management system <strong>and</strong> a robust,<br />
trusted key distribution system. Shown in chapter 4 the possibility for hardware
486 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
generation of binary r<strong>and</strong>om sequences with the potential bit rate 100 Mbit/s<br />
eliminates the restriction connected with availability of very long one-time keys<br />
for the perfect ciphering. Unfortunately, other than the trusted couriering key<br />
distribution system still requires an effective <strong>and</strong> reasonably priced solution.<br />
II. Vernam cipher or One-Time Pad<br />
The one-time pad (OTP), also called Vernam-cipher or the perfect cipher,<br />
is a crypto algorithm where plaintext is combined with a r<strong>and</strong>om key. The one-time<br />
pad was developed in 1917 by Gilbert Vernam for the use in telex machines. Each<br />
transmitted 5-bit Baudot code was mixed with a r<strong>and</strong>om 5-bit code on a paper<br />
tape. Such tapes contained a large number of these r<strong>and</strong>om 5-bit codes <strong>and</strong> were<br />
called one-time-tape. The one-time tape ran synchronously on both the sender’s<br />
<strong>and</strong> the receiver’s telex. Vernam’s invention was the basis for several pencil-<strong>and</strong>paper<br />
versions. The name one-time pad refers to the notepads on which the keys are<br />
printed as shown in Fig. 1. In general, these pads are small booklets or microfilms<br />
with groups of five numbers or letters.<br />
Figure 1. Example of one time keys in a paper form <br />
A. One-Time Pad in practice<br />
We can only talk about OTP if four important rules are followed. When rules<br />
are applied correctly, the one-time pad can be prove unbreakable (see Claude Shannon’s<br />
“Communication Theory of Secrecy Systems”). However, if only one of these<br />
rules is disregarded, the cipher is no longer unbreakable.<br />
1. The key is as long as the plaintext.<br />
2. The key is truly r<strong>and</strong>om (not generated by simple computer Rnd functions<br />
or whatever!).
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
487<br />
3. There should only be two copies of the key: one for the sender <strong>and</strong> one for<br />
the receiver (some exceptions exist for multiple receivers).<br />
4. The keys are used only once, <strong>and</strong> both sender <strong>and</strong> receiver must destroy<br />
their key after use.<br />
III. Advancement of OTP cipher machines<br />
Electro-mechanical OTP cipher machines were manufactured in the fifties <strong>and</strong><br />
the seventieth <strong>and</strong> widely used in diplomacy <strong>and</strong> army on the highest levels of comm<strong>and</strong>.<br />
A famous example of one-time pad’s security is the Washington/Moscow<br />
hotline with the ETCRRM II (Fig. 2) installed in 1963, a st<strong>and</strong>ard commercial<br />
one-time tape mixer for telex. Although simple <strong>and</strong> cheap, it provided absolute<br />
security <strong>and</strong> unbreakable communications between Washington <strong>and</strong> the Kremlin,<br />
without disclosing any crypto technology secret.<br />
Figure 2. Electronic Teleprinter Cryptographic Regenerative Repeater Mixer (ETCRRM)<br />
<br />
Some other cipher machines that used the principle of one-time pad are<br />
the American TELEKRYPTON, B-2 PYTHON <strong>and</strong> SIGTOT, the British BID-590<br />
NOREEN <strong>and</strong> 5-UCO, the Canadian ROCKEX, the Dutch ECOLEX series,<br />
the Swiss Hagelin CD-57 RT, the German Siemens T-37-ICA <strong>and</strong> M-190, the East<br />
German T-304 LEGUAN, the Czech SD1, the Russian M-100 SMARAGD <strong>and</strong><br />
M-105 N AGAT <strong>and</strong> the Polish T-352/T-353 DUDEK. There were also many teletype<br />
or ciphering device configurations in combination with a tape reader, for one-time<br />
tape encryption or superencipherement [12].
488 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Until the 1980’s, one-time-tapes were widely used to secure Telex communications.<br />
The Telex machines used Vernam’s original one-time pad principle. The system<br />
was simple but solid. Russian M-100 SMARAGD is an example of one-time pad<br />
crypto machine for telex communications. The key was perforated on a paper wire, <strong>and</strong><br />
a plaintext was also perforated on a paper wire. The machine summed mod 2 information<br />
with the key from the two wires <strong>and</strong> transmitted the ciphertext to the line. When<br />
transmission had ended, the wires with the keys <strong>and</strong> the plaintext were automatically<br />
cut. The machine M-100 SMARAGD was widely used in diplomacy <strong>and</strong> in Soviet Army<br />
on the highest levels of comm<strong>and</strong> to the end of the nineties. The machine ensured perfect<br />
confidentiality of information. Other cryptographic services were not supported.<br />
Wide usage of microprocessor, personal computers, magnetic data storage<br />
made it possible to replace electro-mechanical crypto machines in the nineties.<br />
Newly designed OTP cipher machine invariable application should ensure unconditional<br />
information confidentiality by the use of the OTP cipher. Moreover,<br />
it should provide additional cryptographic services:<br />
• integrity of messages;<br />
• cryptographic confidentiality of one-time keys;<br />
• integrity of one-time keys;<br />
• secret sharing of keys needed to use the machine;<br />
• authentication of correspondent machines;<br />
• authentication of the key generation station;<br />
• authentication of operators<br />
• an automatic key generation <strong>and</strong> a secure connection planning station.<br />
The newly designed OTP cipher machine should also support:<br />
• compression of data to be ciphered;<br />
• electronic accountability;<br />
• electromagnetic emanation protection;<br />
• wide usage of COTS electronic parts <strong>and</strong> applications.<br />
An example of realization of the OTP cipher machine in today’s PC technology<br />
is shown in Fig. 3.<br />
Figure 3. Today’s realization of the OTP cipher machine
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
489<br />
IV. Development of the 100 Mbit/s hardware generator<br />
as “infinite” source of one-time keys<br />
Binary r<strong>and</strong>om sequences have numerous applications in many fields of science<br />
<strong>and</strong> security (military) usage. Due to the lack of trusted sources of truly r<strong>and</strong>om<br />
sequences <strong>Military</strong> Communication Institute (MCI) researched, implemented <strong>and</strong><br />
developed a family of hardware r<strong>and</strong>om bit generators. The generators can generate<br />
r<strong>and</strong>om sequences with an output rate 115.2 kbit/s up to 8 Mbit/s <strong>and</strong> they were<br />
certified by the Polish national security authority according to “The Protection<br />
of Classified <strong>Information</strong> Act” <strong>and</strong> can be used in cryptographic systems up to<br />
“TOP SECRET” level [6].<br />
In 2012 MIT decided to start the project of 100 Mbit/s hardware generator.<br />
The theoretical goal of the project is to developing mathematical <strong>and</strong> technical<br />
methods of generation, giving rise to the physical structure of the generator, implementing<br />
the hardware generation of binary r<strong>and</strong>om sequences with the potential<br />
throughput (amount of data per unit time) 100 Mbit/s, supported by a mathematical<br />
proof of their r<strong>and</strong>omness, which guarantees a set of sequences with required<br />
probabilistic characteristics <strong>and</strong> parameters, confirmed by statistical research [1].<br />
The generator (a practical part of the project) will have a “certificate of type” issued<br />
by the national security authority according to “The Protection of Classified<br />
<strong>Information</strong> Act” issued 05-th of August 2010. After obtaining the certificate it will<br />
be allowed to be used in cryptographic systems up to “TOP SECRET” level. It will<br />
also be able to be used in any scientific <strong>and</strong> technical applications.<br />
A. The SGCL-100M generator as a scientific tool<br />
Binary r<strong>and</strong>om sequences have numerous applications in many fields<br />
of science <strong>and</strong> technology. The most important ones are applied in such fields<br />
as cryptography, statistics, numerical computation, stochastic simulations using<br />
the Monte Carlo method, <strong>and</strong> many others. Unfortunately, due to the lack<br />
of sources of truly r<strong>and</strong>om sequences in above applications, pseudo-r<strong>and</strong>om<br />
algorithmically generated sequences are used routinely, which often leads to<br />
bad results of the applications, because such sequences do not have even mathematically<br />
proven statistical properties <strong>and</strong> parameters, <strong>and</strong> their probabilistic<br />
characteristics are usually unknown.<br />
As a scientific tool the SGCL-100M generator will be used in advanced<br />
researches in the field of probability theory, the theory of stochastic signals <strong>and</strong><br />
information theory. Assumptions of such high bit-rate output of the generator<br />
is caused by the fact, that in the most modern applications very large samples<br />
of r<strong>and</strong>om sequences are required, reaching gigabytes on one calculation or<br />
simulation. At the rate 100 Mbit/s a sample of 1 GB size is generated in approximately<br />
90 seconds.
490 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
B. The SGCL-100M generator as “infinite” source of one-time keys<br />
OTP cipher machines use one-time keys as long as a plaintext (<strong>and</strong> only once) so<br />
key accessibility is critical [4]. Possibility for hardware generation of binary r<strong>and</strong>om<br />
sequences with the potential bit rate 100 Mbit/s eliminates the restriction connected<br />
with availability of very long one-time keys for the OTP cipher. The SGCL-100M will<br />
be able to generate continuously the one-time keys with bit rate 100 Mbit/s. The keys<br />
can be recorded by a data management system for OTP cipher machines to mass<br />
storage. The generator will be able to produce a little more than 1 TB one-time keys<br />
per day <strong>and</strong> act as a practically “infinite” source of one-time keys.<br />
The prototype of the generator <strong>and</strong> the necessary documentation will be forwarded<br />
to the certification in accordance with the Polish “The Protection of Classified<br />
<strong>Information</strong> Act” issued 05-th of August 2010. The generator will have to<br />
possess a “certificate of type” issued by the national security authority according<br />
to “The Protection of Classified <strong>Information</strong> Act”. After obtaining the certificate<br />
it will be allowed to be used in cryptographic systems up to “TOP SECRET”<br />
level. Data management system for OTP cipher machines is a perfect place to use<br />
the SGCL-100M generator.<br />
C. Theory of hardware generation of binary r<strong>and</strong>om sequences with very<br />
high throughput<br />
<strong>Military</strong> Communication Institute has already an outline of theory of hardware<br />
generation of binary r<strong>and</strong>om sequences, which involves generation of many binary<br />
imperfectly r<strong>and</strong>om component sequences <strong>and</strong> their post-processing using XOR<br />
sum to the form of perfectly r<strong>and</strong>om output sequences, then their superposition<br />
into one sequence. MIT has published reviewed monograph [3]. The monograph<br />
describes the problem of generating sequences of 8 Mbit/s rate.<br />
An introduction to the work will be dedicated the analysis <strong>and</strong> synthesis<br />
of the mathematical basis of the theory of perfect <strong>and</strong> imperfect binary r<strong>and</strong>om<br />
sequences <strong>and</strong> impaction of requirements for generated sequences. Further work<br />
will be devoted to the analysis of selecting a source of r<strong>and</strong>omness, conducted<br />
on the basis of analytical investigations <strong>and</strong> results of the author’s experience<br />
in the practical generation of r<strong>and</strong>om sequences. Theoretical support of the analysis<br />
is the theory of analog <strong>and</strong> binary stochastic noise signals. As a result of these<br />
studies, conditions for selection of potential sources of r<strong>and</strong>omness will be indicated,<br />
leading to a physical source of r<strong>and</strong>omness in the form of avalanche diodes<br />
batteries, which generate Poisson signals with controlled r<strong>and</strong>omness. The target<br />
theory of generation, however, there will be formulated on the basis of the author’s<br />
approach, using the original theory, based on integrated considerations, resulting<br />
from the above experiences. Experimental support for the scientific tools will be<br />
resulted from the experiments <strong>and</strong> statistical measurement.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
491<br />
Proof of r<strong>and</strong>omness of generated sequences will be based on the analysis<br />
<strong>and</strong> synthesis of Poisson signals, modeled as stochastic, binary Markov chains.<br />
The methodology of the proof will be based on the probabilistic-signal risk analysis<br />
of imperfectly r<strong>and</strong>om sequences generation [1]. In addition to assessing the quality<br />
of sequences in the above sense, the security analysis of the generator operation will<br />
be made from the viewpoint of electromagnetic compatibility <strong>and</strong> electromagnetic<br />
leakage of information.<br />
Theoretical part of the work also requires to formalize the mathematical description<br />
<strong>and</strong> to show what properties <strong>and</strong> parameters will have such a sequence.<br />
Then, the prototypes of three generators will be constructed, which will be used<br />
for the practical verification of the theory.<br />
D. Hardware <strong>and</strong> software realization of the SGCL-100M generator<br />
Technical design problems connected with the SGCL-100M generator are encountered<br />
on two levels – the electronics <strong>and</strong> the programming. The electronic board<br />
of the generator will consist of 48 generators (Fig. 4), which must be calibrated to<br />
generation state consistent with the Poisson signal theory. The stability of the properties<br />
<strong>and</strong> parameters of such a signal as a function of time <strong>and</strong> climate-mechanical<br />
exposures must be tested. The electronic system will also consist of a programmable<br />
chip, in which all post-processing operations will be performed, including<br />
formatting of the sequence before its sending. Transmission of the sequence from<br />
the generator to the computer will take place through a st<strong>and</strong>ard 100Base-TX<br />
Ethernet. As h<strong>and</strong>ling of this interface with full throughput is a very difficult task,<br />
the dedicated Ethernet interface controller will be used <strong>and</strong> it will be controlled<br />
by RISC microprocessor that will perform the data transfer between the programmable<br />
chip <strong>and</strong> a controller in DMA (Direct Memory Access) mode. In practice,<br />
only such solution allows to achieve full throughput of 100 Mbit/s.<br />
Figure 4. The model of 100 Mbit/s hardware generator SGCL-100M<br />
492 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
The generator, even though its hardwareness is a very complex object, requires<br />
software. The software is generally required by two circuits – a programmable chip<br />
(a program in AHDL, a VHDL language in the corporate version of Altera) <strong>and</strong><br />
RISC microprocessor (programs in C/C++ with “inserts” in the assembler). The both<br />
softwares must be optimized due to the efficiency of data transfer, to avoid a conflict<br />
with the essential functions of a r<strong>and</strong>om sequence generation. The correctness<br />
of theoretical assumptions <strong>and</strong> the correctness of technical solutions – including<br />
software – will be confirmed experimentally by statistical testing of generators<br />
in any case at all stages of the development.<br />
Since the generator is a quite complex <strong>and</strong> costly device with a very high output<br />
rate it can be assumed that it could be used as a source for r<strong>and</strong>om sequence<br />
servers in R&D centers.<br />
V. Data management for OTP crypto machines<br />
Data management systems have been subject to big changes over the time<br />
of cryptographic systems development. At the beginning they were simple elements<br />
producing only keys in open (not encrypted) form – key generators. The other<br />
operations connected with data processing (i.e. protecting, storing) were carried<br />
out by a person. Such kind of the key management system was used by the OTP<br />
cipher machines in the seventieth [7].<br />
In the next stages tasks of system development generators were widened to recording<br />
results, protection (ciphering), <strong>and</strong> authentication. Such extended systems are<br />
called generation systems. As a result of a rising number of cryptographic devices <strong>and</strong><br />
development of computer systems, generation systems were equipped with mechanisms<br />
of planning secure connections <strong>and</strong> an element responsible for distribution. Only<br />
such systems can be called cryptographic data management systems. These complex<br />
management systems has been built since the middle of the nineties. They raised efficiency<br />
of data processing <strong>and</strong> security. The data management systems are intended<br />
to deliver correct <strong>and</strong> reliable key data to proper cryptographic devices. OTP cipher<br />
machines dem<strong>and</strong> a data management system [4]. The system consists of: a secure<br />
connecting planning station <strong>and</strong> a key generation station. OTP cipher machines machine<br />
can work in two modes: ”in a direction way” <strong>and</strong> “in a circular way” These two<br />
modes of operation should be introduced by the secure connecting planning station.<br />
A. The secure planning connection station<br />
The main aim of the secure planning connection station is to implement only<br />
really necessary connections in an OTP cipher machines net. The OTP cipher<br />
machine uses one-time keys <strong>and</strong> time of generating keys is an important factor<br />
of a key generating process. “In a direction way” mode needs generation of unique<br />
keys for each direction therefore an automatic making connection “each to each”
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
493<br />
is disabled in the planning station. “In a circular way” mode needs only generation<br />
of unique keys for a whole circular. The information about the OTP cipher machine<br />
planned networks includes the number of OTP cipher machines, types of directions,<br />
number of one-time keys. Then the information goes to the key generation station.<br />
The secure connecting planning station should be built with the use of a hardened,<br />
electromagnetic emanation leakage resistant computer set.<br />
B. The key generation station<br />
The key generation station generates keys on the basis of the information<br />
obtained from the secure connecting planning station. The keys are generated<br />
for all algorithms used by the OTP cipher machine. Of course the longest time<br />
is needed for generating one-time keys. One-time keys are automatically generated,<br />
ciphered <strong>and</strong> signed by the key generation station. Cryptographic keys do not<br />
leave the station unprotected: ciphered one-time keys are copied on One-Time Key<br />
(OTK) modules <strong>and</strong> symmetric <strong>and</strong> asymmetric keys needed to fulfill additional<br />
cryptographic services of OTP cipher machines are transferred to temper-resistant<br />
smart cryptographic modules.<br />
The quality of keys generated by the key generation station depends on<br />
a r<strong>and</strong>om keys generator. The key generation station uses a hardware r<strong>and</strong>om<br />
bit generator. Basic characteristics <strong>and</strong> parameter of the generator:<br />
• generation of r<strong>and</strong>om binary streams with speed up to 100 Mbit/s;<br />
• good statistical quality of generated binary r<strong>and</strong>om streams confirmed by<br />
appropriate statistical tests [5, 8, 9, 10];<br />
• user-friendly utilisation <strong>and</strong> maintenance of generated bit streams quality;<br />
alarm activation while statistical defects are detected [6];<br />
• full electromagnetic emanation safety – lack of penetration.<br />
The r<strong>and</strong>om bit generator will have the “certificate of type” issued by the national<br />
security authority. The certificate must determinate that generator is suitable<br />
for generating data for usage in cryptosystems up to “TOP SECRET” level.<br />
VI. One-Time Pads in today’s world<br />
In the PC computer era, modern algorithms such as symmetric block ciphers<br />
<strong>and</strong> asymmetric public key algorithms replaced one-time pads because of practical<br />
considerations <strong>and</strong> solutions to key distribution problems. Modern crypto algorithms<br />
provide practical (not proved) security <strong>and</strong> privacy, essential to our economy <strong>and</strong><br />
everyday life. However, top comm<strong>and</strong>s of the arm forces <strong>and</strong> some special military<br />
<strong>and</strong> government institutions need ever lasting absolute security <strong>and</strong> privacy, <strong>and</strong><br />
that is only possible with one-time encryption.<br />
Some experts argue that the distribution of large quantities of one-time pads<br />
or keys is impractical. This was indeed the limitation in the era of paper tapes on
494 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
reels <strong>and</strong> paper pads (Fig. 1). However, today’s electronics, as the SGCL-100M<br />
generator shown in Fig. 4 <strong>and</strong> described in chapter 4 of the article will be able to<br />
act as a practically “infinite” source of one-time keys. Capability to one-time keys<br />
generation will be no limitation any longer. Today’s realization of OTP cipher machines<br />
(Fig. 3) with embedded current one-time encryption software can process<br />
large quantities of data at high speed.<br />
Current data storage technology such as USB sticks, DVD’s, external hard<br />
disks, solid-state drives or dedicated OTK modules to enable the physical transport<br />
of enormous quantities of truly r<strong>and</strong>om keys. Actual sensitive communications<br />
are often limited to a small number of important users. In such cases, one-on-one<br />
communications with the associated key distribution, possibly in configuration with<br />
a star topology, is no longer a practical problem, especially considering the security<br />
benefits. By using a so-called sneakernet (transferring data on removable media by<br />
physical couriering), you can reach a throughput of one-time keys that is greater<br />
than what a network can process on encrypted data. In other words, it could take<br />
a few hours to drive a terabyte of key material, stored on an external drive, by car<br />
to someone, but it will take days or even weeks to consume that amount of keys on<br />
a broadb<strong>and</strong> network. A terabyte sized key can easily encrypt e-mail traffic of special<br />
(military or diplomacy users) for a year, including attachments.<br />
Therefore, one-time key encryption is still well-suited in specific circumstances<br />
where absolute security is preferable to practical considerations, regardless<br />
of the cost of secure physical transport of keys by couriering.<br />
In the future quantum key distribution (QKD) may be helpful as an alternative<br />
for secure physical transport of keys by couriering. The security of quantum<br />
key distribution relies on the foundations of quantum mechanics, in contrast to<br />
a traditional key distribution protocol which relies on the computational difficulty<br />
of certain mathematical functions. An interesting <strong>and</strong> promising method<br />
of QKD was presented in [2] with usage of Professor Artur Ekert type of QKD [11].<br />
But at present the ability of efficient QKD usage is still an open question.<br />
References<br />
[1] M. Leśniewicz, “Sprzętowa generacja ciągów losowych z przepływnością 100 Mbit/s.<br />
Hardware generation of binary sequences with throughput 100 Mbit/s,” Przegląd<br />
Telekomunikacyjny nr 11/2011.<br />
[2] W. Nowakowski, “O kryptografii kwantowej. About quantum cryptography,”<br />
Elektronika, nr 2, Warszawa 2010.<br />
[3] M. Leśniewicz, Sprzętowa generacja losowych ciągów binarnych. Hardware generation<br />
of binary r<strong>and</strong>om sequences, WAT, Warszawa 2009, ISBN 978-83-61486-31-2.<br />
[4] M. Borowski, R. Wicik, “A one-time cipher machine for Polish Army,” <strong>Military</strong><br />
Communication Conference,” Prague, 2008.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
495<br />
[5] R. Wicik, M. Borowski, “R<strong>and</strong>omness testing of some r<strong>and</strong>om <strong>and</strong> pseudor<strong>and</strong>om<br />
sequences,” <strong>Military</strong> Communication Conference, Prague, 2008.<br />
[6] P. Komorowski, M. Leśniewicz, “Sprzętowy generator binarnych ciągów losowych<br />
o wyjściowej przepływności 1 MB/s. A hardware binary genertaor with output<br />
throughput 1 MB/s,” X Krajowa Konferencja Zastosowań Kryptografii ENIGMA 2006.<br />
[7] W. Oszywa, M. Gawroński, T. Czajka, “Hierarchic cryptographic data management<br />
system,” Bulletin of <strong>Military</strong> Communication Institute, 2005.<br />
[8] R. Gliwa, M. Leśniewicz, R. Wicik, “Testing of hardware-based r<strong>and</strong>om bit generators<br />
utilized in cryptography”, National Telecommunication Symposium, Bydgoszcz, 2002.<br />
[9] W. Schindler, W. Killmann, “Evaluation Criteria for True (Physical) R<strong>and</strong>om<br />
Number Generators Used in Cryptographic Applications,” Workshop on Cryptographic<br />
Hardware <strong>and</strong> Embedded Systems CHES,2002, Springer-Verlag Berlin Heidelberg 2003.<br />
[10] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, H<strong>and</strong>book of applied cryptography,<br />
CRC Press, 1997.<br />
[11] A.K. Ekert, “Quantum cryptography based on Bell’s theorem,” Physical. Review<br />
Letters, 1991.<br />
[12] D. Rijmenants’, Cipher Machines <strong>and</strong> Cryptology, Historical <strong>and</strong> Technical <strong>Information</strong><br />
about Crypto Machines, Cryptology <strong>and</strong> Free Software Simulations, http://users.telenet.<br />
be/d.rijmenants/index.htm
Acoustic Steganographic Transmission Algorithm,<br />
Using Signal Coherent Averaging<br />
Krzysztof Wodecki, Zbigniew Piotrowski, Jarosław Wojtuń<br />
<strong>Military</strong> University of <strong>Technology</strong>, Faculty of Electronics, Warsaw, Pol<strong>and</strong>,<br />
{kwodecki, zpiotrowski, jwojtun}@wat.edu.pl<br />
Abstract: The paper discusses the algorithm of hidden data transmission, using acoustic signal<br />
as carrier. The perceptive transparency of hidden data was obtained with the use of psychoacoustic<br />
model of the Human Auditory System (HAS). Spectrum differential coding of binary patterns<br />
was used to add the hidden data to the host signal. The synchronous data decoding is enabled by<br />
the use of signal spectrum coherent averaging procedure <strong>and</strong> drift correction procedure for frequency<br />
<strong>and</strong> time. The diagrams present the efficiency of the algorithm both in terms of accuracy of hidden<br />
transmission synchronization, its robustness against degradation by noise <strong>and</strong> the efficiency of hidden<br />
data extraction.<br />
Keywords: steganography, audio watermarking, data hiding, drift correction modulation, Human<br />
Auditory System<br />
I. Introduction<br />
Steganographic systems allow for transmitting data in the host signal with<br />
specific binary bitrate. The host signal carrying additional, hidden data, can be<br />
the TV signal, video stream, radio music or speech transmitted by the telephone<br />
line. One of the requirements of such systems is the imperceptibility (inaudibility or<br />
invisibility) of hidden data within the host signal. The robustness against degrading<br />
factors in the telecommunications chain: additive white Gaussian noise (AWGN),<br />
resampling, lossy compression, etc. is less important than in the watermarking<br />
systems. Also in use are acoustic steganography systems utilizing the wavelet<br />
transform <strong>and</strong> LSB coding to hide the additional data [1][2]. LSB coding has also<br />
been used to hide compressed data in audio signals [3]. Audio steganography<br />
uses spread spectrum methods, which utilize statistical moments <strong>and</strong> distance<br />
metrics [4]. Steganography also faces the issue of ensuring synchronous data<br />
decoding. In terms of frequency, the phenomenon of signal carrier frequency<br />
drift occurs, as well as sampling frequency drift on the receiving side [5][6][7][8].<br />
The algorithm in question uses spectrum coherent averaging to establish the correction<br />
factor for the undesirable angle phase drift, as well as to determine the signal
498 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
shift against the start of data decoding. In the described steganographic system<br />
data are modulated with the use of differential coding of binary patterns in the host<br />
signal spectrum.<br />
II. Description of algorithm<br />
A. Watermark embedder – principle of operation<br />
The schematic of the watermark embedder is provided in Fig. 1.<br />
Figure 1. The watermark embedder<br />
Embedding the watermark in the background of the host audio signal<br />
takes place on the level of frequency. The binary symbols (0 or 1) generated<br />
in the Binary Signature (BS) unit are assigned specific patterns, dividing<br />
the host signal spectrum into 5 subspectra. Depending on the specific pattern,<br />
the spectral line values of the host signal in particular subspectra increase or<br />
drop. In terms of the robustness of steganographic signal against blurring it is<br />
desirable for the spectrum amplitude modification to be as high as possible. On<br />
the other h<strong>and</strong>, in order to ensure the transparency of the watermark signal<br />
in the background of the host signal, the modification of spectral line values<br />
cannot take place indiscriminately. This problem has been solved by correcting<br />
the host signal spectrum amplitude to the level of Just Noticeable Difference (JND).<br />
In psychoacoustics the JND level is defined as the distortion level noticed in audio<br />
tests by 50% of listeners with normal hearing. In the presented algorithm,<br />
the JND level is determined with the use of the Human Auditory System (HAS)<br />
model by establishing the minimum masking threshold for the host signal LT min ,<br />
using the MPEG psychoacoustic algorithm. Establishing the masking threshold<br />
for the host signal was carried out on the basis of an 8-stage signal processing procedure,<br />
compliant with ISO CD 11172-3 (MPEG–1) st<strong>and</strong>ard, <strong>and</strong> a single-stage<br />
correction process, compliant with the description in [10]. Detailed descriptions<br />
of the stages of establishing the masking threshold are provided in table 1.
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
499<br />
Table I. Signal processing stages in MPEG psychoacoustic algorithm<br />
Step I<br />
Step II<br />
Step III<br />
Step IV<br />
Step V<br />
Step VI<br />
Step VII<br />
Step VIII<br />
Calculation of the FFT for time to frequency conversion<br />
Determination of the sound pressure level for each subb<strong>and</strong><br />
Determination of the threshold in quiet (absolute threshold)<br />
Finding of the tonal <strong>and</strong> non-tonal components of the audio signal<br />
Decimation of the maskers, to obtain only the relevant maskers<br />
Calculation of the individual masking thresholds<br />
Determination of the global masking threshold<br />
Determination of the minimum masking threshold in each subb<strong>and</strong><br />
Fig. 2 presents the method of correction of spectral lines of the host signal<br />
for hiding bit ‘0’.<br />
Figure 2. Watermark embedder – principle of operation<br />
Clearly visible is the binary pattern corresponding to bit ‘0’. In this case, it is<br />
the alternating sequence of the {1 0 1 0 1} pattern, where {1} st<strong>and</strong>s for the increase<br />
of the spectral line amplitude <strong>and</strong> {0} st<strong>and</strong>s for the reduction. For the sequence<br />
of the ‘0’ pattern <strong>and</strong> in the case of the spectral line value being lower than LT min level,<br />
the host signal is clearly damped.<br />
As previously mentioned, the correction of spectral lines is determined by<br />
the value of the LT min level. However, such manner of correction would not include<br />
all spectral lines in the analyzed subspectra. In the proposed algorithm the values<br />
of spectral line amplitudes that cannot be corrected against the LT min level are increased/reduced<br />
by the experimentally established value of 0.4 dB.<br />
The signal generated in the Orthogonal Frequency Division Multiplexing<br />
(OFDM) is a composite of 14 harmonics. A single harmonic is generated in accordance<br />
with:
500 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
j 2<br />
<br />
i t i j ft<br />
x t Ae Ae<br />
i <br />
i<br />
(1)<br />
i i i<br />
where:<br />
A i – amplitude of i – harmonic,<br />
f i – frequency of i – harmonic,<br />
φ i – starting phase of i – harmonic.<br />
In order to ensure the imperceptibility of the OFDM signal in the background<br />
of the audio signal, the amplitude value of each harmonic is determined by the corresponding<br />
LT min level.<br />
Fig. 3 presents the amplitude <strong>and</strong> phase spectrum of the OFDM signal.<br />
The values of the 0 rad/s angle phase are assigned to spectral levels with indexes<br />
of (1,4,7,8,11,14). Amplitudes of lines in fig. 3 are marked in red.<br />
Figure 3. Amplitude <strong>and</strong> phase spectrum of the OFDM signal<br />
Of 14 harmonics presented in fig. 3, 6 harmonics (marked in red) are utilized<br />
on the receiver side to determine the correction values of the angle phase drift.<br />
The necessity to determine the correction of the angle phase drift arises from<br />
the differing stability of clocks tacking the sampling circuits in the transmitter<br />
<strong>and</strong> the receiver. The remaining 8 harmonics (marked in blue) are utilized on<br />
the receiver side to reproduce the time synchronization. The harmonics used for<br />
determining the correction of the angle phase drift are assigned the angle phase<br />
value of 0 [rad/s], whereas the lines responsible for time synchronization are assigned<br />
the angle phase values of π/2 <strong>and</strong> –π/2.<br />
Furthermore, in order to improve the efficiency of watermark signal extraction,<br />
the embedder utilizes the differential coding mechanism [9]. The principle<br />
of the mechanism is that the coding of the same bit takes place in two adjacent frames<br />
(subframes) of the host signal, but using opposing patterns. The manner of pattern<br />
selection is provided in fig. 4. Assuming that the subframes contain 512 samples each,
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
501<br />
the coding of a single bit will require 1024 signal samples which, given the sampling<br />
frequency of f s = 44 100 Hz, allows for creating a hidden transmission channel with<br />
the bitrate of 43 bps. In particular the data bit rate of the proposed algorithm:<br />
where:<br />
f s – sampling frequency,<br />
N – number of samples.<br />
f s<br />
bit rate [ bps]<br />
(2)<br />
N<br />
B. Watermark extractor – principle of operation<br />
The schematic of the watermark extractor is provided in Fig. 5. The extraction<br />
mechanism of binary signature belongs to the class of algorithms using the socalled<br />
blind decoding method, i.e. the receiver side does not require the host signal.<br />
The watermarked signal first encounters the angle phase drift scanner, which corrects<br />
the angle phase drift for the pilot samples (cf. red-marked lines in fig. 3). The angle<br />
phase drift is caused by differing stability of clocks tacking the sampling circuits<br />
in the transmitter <strong>and</strong> the receiver of the watermark (e.g. in the case of a watermark<br />
signal transmission in a VHF circuit). As previously mentioned, the watermark<br />
embedder has 6 pilot spectral lines with the assigned angle phase value of 0[rad/s].<br />
The same angle phase value is expected on the receiver side. The angle phase scanner<br />
allows for reproducing the drift value of the angle phase by analyzing the values<br />
of the virtual line module, which is the sum of pilot line modules. In the proposed<br />
algorithm the individual increment of the angle phase Δφ 1 is Δφ 1 = 0.000767 [rad/s].<br />
Figure 4. Pattern selection method for differential coding
502 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 5. The watermark decoder (extractor)<br />
The angle phase scanner searches for the drift values in the following set:<br />
1<br />
rad<br />
<br />
1: : 1 100 <br />
s<br />
(3)<br />
<br />
Let us mark the number of watermark signal frames fed to the extractor input<br />
as M. Then, we can formulate the expression for the collective value of F iΔφ of i –<br />
pilot line after M of iterations (averagings):<br />
M<br />
F ReF <br />
ImF<br />
<br />
i<br />
ik ik<br />
k1 k1<br />
M<br />
(4)<br />
The averaging occurs separately for the real <strong>and</strong> the imaginary part, with<br />
the established value of correction of Δφ angle phase, whereby the value of Δφ<br />
is constant for the entire set of M of iterations. The value of the virtual line module<br />
is derived from the following correlation:<br />
F<br />
v<br />
6<br />
F<br />
(5)<br />
i1<br />
Having the information on the value of Δφ by which the current angle phase<br />
is corrected, we can read the value of the F vΔφ virtual line module from M iterations.<br />
i
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
503<br />
The obtained maximum value of this line for set (3) enables us to determine the angle<br />
phase by which the phase has shifted against the host signal. After establishing<br />
the drift correction for frequency, the pilot samples used for reproducing the time<br />
synchronization undergo coherent averaging. Meeting the coherence requirement<br />
results in an increase of the spectral line amplitudes by reducing the noise deviation<br />
(of the host signal) for each iteration. Therefore, it can be demonstrated that,<br />
with the coherence requirement met, the value of the signal/noise ratio depends<br />
on the number of iterations (M) <strong>and</strong> is expressed by the following correlation:<br />
SNR dB 20log SNR 10log M<br />
<br />
(6)<br />
coh<br />
10 coh<br />
10<br />
In order to correctly extract the binary signature on the receiver side it is necessary<br />
to divide the assayed signal frame into two subframes, whereby the moment<br />
of division should conform to the moment of division of the frame in the transmitter.<br />
Therefore, the receiver side requires time synchronization. The synchronization<br />
mechanisms used 8 pilot lines presented in fig. 3 (marked in blue). According to<br />
the proposed algorithm of time synchronization [9], in order to determine the time<br />
shift between the transmitter <strong>and</strong> the receiver of the watermark, two adjacent spectral<br />
lines are used (e.g. lines 16 <strong>and</strong> 17). In order to improve the accuracy of time shift<br />
determination, the synchronization procedure is repeated 4 times <strong>and</strong> the results<br />
undergo averaging. Assuming that the analyzed frame contains N = 1024 samples<br />
<strong>and</strong> the time shift between the transmitter <strong>and</strong> the receiver is m samples, the phase<br />
of the two adjacent linear samples will change by:<br />
2 km 2<br />
1<br />
k<br />
,<br />
k <br />
m<br />
k1<br />
(7)<br />
N<br />
N<br />
while the difference between those phases will be:<br />
2m<br />
k<br />
1 k<br />
(8)<br />
N<br />
Measuring the value of Δχ we can precisely determine the value of the time<br />
shift m between the transmitter <strong>and</strong> the receiver. Assuming that one signal period<br />
per signal frame with the established cardinality N is required to reproduce synchronization,<br />
then, in theory, the time shift value can be determined using only<br />
one harmonic – the first harmonic in the DFT spectrum. However, with N = 1024<br />
<strong>and</strong> f s = 44 100 Hz, the first harmonic in the spectrum has the frequency of 43 Hz.<br />
With such low frequency value the signal degrades in the telecommunications<br />
channel; therefore, it is recommended to use two adjacent harmonics with higher<br />
frequencies, as explained in [9]. Furthermore, as pointed out in [9], the relative<br />
frequency difference between two adjacent spectral lines is exactly 2π; therefore,<br />
we can unequivocally assign the length of the N frame to this value. Fig. 6 presents<br />
the phase vectors for two adjacent harmonics (lines 16 <strong>and</strong> 17) in the transmitter<br />
<strong>and</strong> the receiver with the time shift m = 16 samples.
504 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Figure 6. Time synchronization mechanism<br />
After completing the time <strong>and</strong> frequency synchronization, the proper procedure<br />
of binary signature extraction takes place. Since the same bit is embedded in two<br />
adjacent frames (subframes) of the host signal, on the receiver side each assayed<br />
signal frame is divided into two further frames. The next step (9) is the determination<br />
of the scalar product value between the difference of amplitude spectra for<br />
two adjacent frames <strong>and</strong> the following formulation:<br />
where:<br />
R <br />
N1<br />
2 1<br />
Xi Xi Pi<br />
(9)<br />
i0<br />
10<br />
<br />
<br />
<br />
<br />
k<br />
k<br />
X 10log DFT x<br />
(10)<br />
P i – pattern.<br />
On the basis of the scalar product value (9) the value of the bit hidden in the given<br />
portion of the signal is determined:<br />
0, R 0<br />
BS<br />
(11)<br />
1, R 0<br />
III. Results of the analysis<br />
The first analysis concerned the efficiency of operation of the synchronization<br />
algorithm. Figs. 7 <strong>and</strong> 8 present the accuracy of synchronization in the function of drift
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
505<br />
<strong>and</strong> time of the analyzed signal on the receiver side. The principle of the synchronization<br />
algorithm is based on the measurement of the value of angle phase difference between<br />
two adjacent harmonics (8). For low values of drift m (or high, approaching N) the phase<br />
difference value approaches 0 (or 2π). Therefore, the determined drift is encumbered<br />
with high error. The best results are obtained for drift falling within 50-950 samples.<br />
Synchronization accuracy can be improved by extending the time of the analyzed<br />
signal on the receiver side or increasing the pilot line power (increasing the power<br />
by 3 dB above the LT min level does not deteriorate the audio signal).<br />
Figure 7. Synchronization accuracy in the function of drift<br />
Figure 8. Synchronization accuracy in the function of signal analysis time<br />
The results for extraction efficiency in the function of signal analysis time<br />
on the receiver side are provided in Fig. 9. The analysis was carried out for drift<br />
m = 10 samples <strong>and</strong> m = 300 samples, for two watermark signal power correction
506 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
variants – correction to LT min level <strong>and</strong> LT min + 3 dB level. In the case of watermark<br />
signal power correction to LT min + 3 dB level, the bit error rate is approximately<br />
2.5%, regardless of the signal analysis time. This value can be corrected with the use<br />
of detection <strong>and</strong> correction codes.<br />
Figure 9. Extraction efficiency in the function of signal analysis time<br />
As previously mentioned, the present algorithm allows for creating a hidden<br />
transmission channel with the bitrate of 43 bps (with the division of the 1024-sample<br />
frame into two subframes of 512 samples). Algorithm modification in the form<br />
of dividing the frame into subframes allows for increasing the transmission rate.<br />
Fig. 10 presents the results for signature extraction efficiency after increasing<br />
the bitrate to 86 bps <strong>and</strong> 172 bps. The watermark power was corrected to the level<br />
of LT min + 3 dB. In both cases the bit error rate is below 10%.<br />
Figure 10. Comparison of extraction efficiency for different transmission rates
Chapter 4: <strong>Information</strong> Assurance & Cyber Defence<br />
507<br />
The final test was the verification of extraction efficiency after prior addition<br />
of white Gaussian noise with specific power to the assayed signal. Fig. 11 presents<br />
the signature extraction efficiency results in the function of the assayed signal power<br />
to noise power ratio. With the reduction of the noise power (increase of the SNR<br />
factor value) added to the signal, the signature extraction efficiency increases.<br />
Figure 11. Signature extraction efficiency results in the function of the assayed signal power<br />
to noise power ratio<br />
IV. Conclusions<br />
The article discusses the algorithm for creating a hidden transmission channel<br />
in audio signals. Depending on the selected variant, the achievable bitrates are<br />
43 bps to 172 bps. Also discussed was the angle phase correction algorithm, based<br />
on coherent averaging, <strong>and</strong> time synchronization mechanism. The experimental<br />
results are satisfactory. Further studies of the subject should focus on implementing<br />
the detecting-corrective embedding module <strong>and</strong> performing a number of experiments<br />
on the extraction efficiency during signal transmission in various telecommunications<br />
links (VoIP, VHF).<br />
Acknowledgment<br />
This paper has been financed from science funds granted within the years 2010-<br />
2012 as a research project of the Polish National Centre for Research <strong>and</strong> Development<br />
No. 0181/R/T00/2010/12.
508 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
References<br />
[1] H.I. Shahadi, R. Jidin, High capacity <strong>and</strong> inaudibility audio steganography scheme,<br />
Proceedings of the 2011 7th International Conference on <strong>Information</strong> Assurance <strong>and</strong><br />
Security, IAS 2011, 2011, Article number 6122803, pp. 104-109.<br />
[2] D.M.L. Ballesteros, J.M.A. Moreno, Highly transparent steganography model<br />
of speech signals using Efficient Wavelet Masking, Expert Systems with Applications,<br />
vol. 39, Issue 10, 2012, pp. 9141-9149.<br />
[3] M. Baritha Begum, Y. Venkataramani, LSB based audio steganography based on<br />
text compression, Procedia Engineering, vol. 30, 2012, pp. 702-710.<br />
[4] W. Zeng, R. Hu, H. Ai, Audio steganalysis of spread spectrum information hiding<br />
based on statistical moment <strong>and</strong> distance metric, Multimedia Tools <strong>and</strong> Applications,<br />
vol. 55, Issue 3, December 2011, pp. 525-556.<br />
[5] M. Sliskovic, Sampling frequency offset estimation <strong>and</strong> correction in OFDM systems”,<br />
Proceedings of the IEEE International Conference on Electronics, Circuits, <strong>and</strong><br />
Systems, vol. 1, 2001, Article number 957773, pp. 437-440.<br />
[6] P.H. Moose, Technique for orthogonal frequency division multiplexing frequency<br />
offset correction, IEEE Transactions on <strong>Communications</strong>, vol. 42, Issue 10, October<br />
1994, pp. 2908-2914.<br />
[7] P. Gajewski, J. Łopatka, Z. Piotrowski, A New method of frequency correction<br />
using coherent averaging, Journal of Telecommunications <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>,<br />
1/2005, pp. 142-146.<br />
[8] Z. Piotrowski, Drift correction modulation scheme for digital audio watermarking,<br />
Proceedings – 2010 2nd International Conference on Multimedia <strong>Information</strong><br />
Networking <strong>and</strong> Security, MINES 2010, 2010, Article number 5670982, pp. 392-397.<br />
[9] P. Dymarski, R. Markiewicz, Time <strong>and</strong> sampling frequency offset correction in audio<br />
watermarking, International Conference on Systems, Signals, <strong>and</strong> Image Processing,<br />
2011, Article number 5977417, pp. 291-294.<br />
[10] Z. Piotrowski, Precise psychoacoustic correction method based on calculation<br />
of JND level, Acta Physica Polonica A, vol. 116, Issue 3, September 2009, pp. 375-379.
Index
A<br />
Abut Fatih 161<br />
Akcaoglu Ismail 11<br />
Andersson Jon 179<br />
Apiecionek Łukasz 49<br />
Ax Markus 305<br />
B<br />
Baranowski G. 71<br />
Barz Christoph 161<br />
Bereziński Przemysław 83, 347<br />
Bibik Przemysław 431<br />
Bloebaum Trude H. 117<br />
Borowski Mariusz 485<br />
Bret Norbert 161<br />
Brose Margrete A. 179<br />
Brzostek Juliusz 347<br />
Bystricky Radek 93<br />
C<br />
Cetinkaya Orhan 11<br />
Chambers Dale 37<br />
Chapman Jonathan P. 395<br />
Charlish Alex<strong>and</strong>er 281<br />
Choraś Michał 347<br />
Connah Jessica 37<br />
Czajka Tomasz 475<br />
D<br />
Dalecki Tomasz 83<br />
Darakchiev Radoslav 431<br />
Dedera Ľubomír 209<br />
Diefenbach Anne 105, 161<br />
Duda Damian 239<br />
Dymowski Wojciech 331<br />
F<br />
Fiske Rui 359<br />
Flizikowski Adam 415<br />
Fongen Anders 131<br />
Franke Markus 105<br />
G<br />
Gawroński Michał 475<br />
Ginzler Tobias 253<br />
Gleba Kamil 239<br />
Gliwa Rafał 475<br />
Głowacka Joanna 239<br />
Goode Rob 61<br />
Govaers Felix 281, 395<br />
Gradolewski Stanisław 431<br />
Grądzki P. 71<br />
Grzonkowski Marcin 465<br />
H<br />
Hallingstad Geir 377<br />
Harmsen Edgar 61<br />
Hauge Mariann 179<br />
Hecking Matthias 265<br />
Hołubowicz Witold 331, 415<br />
J<br />
Janu Premysl 93<br />
Jarmakiewicz Jacek 465<br />
Jasiul Bartosz 347<br />
Jordan Fred 61<br />
K<br />
Kiviharju Mikko 439<br />
Koch Wolfgang 281<br />
Kosowski Tomasz 49<br />
Kozik Rafał 347<br />
Krenc Ksawery 295<br />
Krężel Jerzy 431<br />
Kruszyński Henryk 49, 317<br />
L<br />
Langerwisch Marco 305
512 <strong>Military</strong> <strong>Communications</strong> <strong>and</strong> <strong>Information</strong> <strong>Technology</strong>...<br />
Leśniewicz Marek 485<br />
Lund Ketil 117<br />
Lunt Graeme 359<br />
M<br />
Maesel Syvert 61<br />
Malas Atilla 11<br />
Malewicz Robert 359<br />
Małowidzki Marek 83<br />
Mazur Michał 83<br />
McInnes John 37<br />
Michalski Mateusz 431<br />
Muchewicz Krzysztof 317<br />
N<br />
Noubours S<strong>and</strong>ra 265<br />
O<br />
Okur Yavuz 11<br />
Oszywa Wojciech 465, 475<br />
P<br />
Palka Robert 49, 317<br />
Piotrowski Marek 49, 317<br />
Piotrowski Rafał 347<br />
Piotrowski Zbigniew 497<br />
Pyda Piotr 239<br />
R<br />
Rachwalik Tomasz 455<br />
Remmersmann Thomas 305<br />
S<br />
S<strong>and</strong>er Jostein 179<br />
Seifert Hartmut 105<br />
Sevenich Peter 105, 161<br />
Simon Pierre 161<br />
Skarżyński Paweł 71<br />
Smaal Jan-Willem 61<br />
Solomon Abigail 37<br />
Springer Tomasz 331<br />
Steinmetz Philipp 149<br />
Strzelczyk Krzysztof 431<br />
Szmidt Janusz 455<br />
Ś<br />
Śliwa Joanna 221, 239<br />
T<br />
Thamke Stefan 305<br />
Thorsen Einar 61<br />
Tiderko Alex<strong>and</strong>er 305<br />
Tolk Andreas 201<br />
Turksoy Hasan 11<br />
U<br />
Urban R. 71<br />
Uysal Mutlu 11<br />
W<br />
Wicik Robert 455<br />
Wilgucki Kamil 71<br />
Wilmes Matthias 161<br />
Wodecki Krzysztof 497<br />
Wojtuń Jarosław 497<br />
Worthington Olwen 37<br />
Wrona Konrad 377<br />
Wrzosk Arkadiusz 21<br />
Z<br />
Zabłocki Janusz 455<br />
Zawiślak Wojciech 431<br />
Zbudniewek Jacek 431<br />
Zych Jan 415