
SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2011; 4:1420–1439
Published online 7 December 2010 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.273

RESEARCH ARTICLE

Optimized packet formation in multi-level security wireless data acquisition networks

Mohamed Younis1∗, Osama Farrag2, Sookyoung Lee1 and William D’Amico2

1 Department of Computer Science and Electrical Engineering, University of Maryland, Baltimore County, Baltimore, MD, U.S.A.
2 The Johns Hopkins University, Applied Physics Lab., Laurel, MD, U.S.A.

ABSTRACT

The limited channel capacity and the varying propagation conditions of radio signals have motivated research for boosting the achievable throughput in wireless networks. Among the effective optimization strategies is to dynamically adjust the packet size either to better suit the channel conditions or to minimize the number of overhead bits in the individual packets. However, multi-levels of security requirements impose constraints on the data mix in the packet payload and may diminish the gains achievable by contemporary packet-size optimization schemes. This paper presents a novel bandwidth optimization algorithm for wireless data acquisition networks where strict confidentiality requirements and access restriction policies have to be observed. The algorithm exploits the classification of data in minimizing the number of packet transmissions as well as the overhead within the individual packets. The idea is to combine the transmission of packets based on the time sensitivity and security attributes of the data in the payload. The performance of the proposed algorithm is validated through mathematical analysis and through simulation. The simulation results confirm the effectiveness of the algorithm in boosting data throughput in the network. Copyright © 2010 John Wiley & Sons, Ltd.

KEYWORDS

bandwidth optimization; multi-level security; wireless networks

*Correspondence

Mohamed Younis, Department of Computer Science and Electrical Engineering, University of Maryland, Baltimore County, Baltimore, MD, U.S.A.
E-mail: [email protected]

1. INTRODUCTION

Recent technological advances have boosted the reliance on wireless communication in many application domains, most notably those that involve data collection from distant or mobile stations such as unattended sensors, unmanned surveillance vehicles, etc. Example applications include combat field reconnaissance, damage assessment and disaster recovery, search-and-rescue operations, forest monitoring, and data acquisition networks at Department of Defense (DoD) test ranges. These applications are generally categorized with voluminous data that mostly are generated periodically and streamed in a long lasting flow [1].

One of the technical issues that characterize radio communication links is the sensitivity to interference. Such an issue affects the channel capacity and has thus received attention from the research community. In fact, increasing the packet throughput under constrained link capacity and variable channel conditions has been a design goal for all wireless networks. Popular optimization schemes covered fundamental areas, such as signal processing, modulation, coding and error correction, etc., and spanned all layers of the protocol stack. Most of the published approaches have exploited configuration parameters at the physical, link, and sometimes at the network layer to boost the effective bit rate on the individual links. Among the many optimization strategies, the dynamic adjustment of the packet size has shown promise [2,3].

A packet is composed of the data payload, which reflects the part that is important to the recipient, and the header which includes the ID of the receivers, error control bits, and a number of protocol-related fields. For the user and the system, the header constitutes an overhead and having a high payload to header ratio is very desirable which makes large packets attractive. On the other hand, for a noisy channel the bit error rate is high and thus large packets will be more susceptible to drops and may need multiple retransmissions. Having small packets in that case would make the probability of packet retransmission less and would avoid excessive power and capacity use. Striking a balance between these two conflicting goals is a system design challenge, and adaptive strategies for selecting the packet size have been shown to be very effective [3].

One of the issues for increasing the payload size is whether the combined data can be sent within the same packet. In networks subject to multi-level security (MLS) requirements, the payload size is usually difficult to increase because data from different security classes cannot be combined and sent within the same packet. These MLS constraints hinder the implementation of the basic packet size optimization and negatively impact the throughput and the channel utilization. This paper undertakes the packet optimization problem in MLS wireless data acquisition networks where strict confidentiality requirements and access restriction policies must be observed. Two categories of confidentiality requirements are considered. The first is concerned with restricting access to data based on a user’s certification for a certain security class. The second applies to limiting the availability of some data to security-qualified users based on a need-to-know policy. Appropriate encryption methodologies are identified to handle these two confidentiality requirements. Then, an algorithm is developed to combine the transmission of packets based on the time sensitivity and security attributes of the data in the payload. The proposed approach can be viewed as cross-layer optimization that complements the numerous ideas proposed in the literature at the physical and link layers.

The presentation in the remainder of the paper assumes a data acquisition network model in which each node is equipped with one or multiple sensing elements that report their measurements through a radio to a base-station. Each node is assumed to enforce segregation of the data of different security levels while processing those data. The paper focuses only on handling the transmission of the data to the base-station, particularly when forming the individual packets. Packet losses and retransmissions are assumed to be addressed by the network and link layer protocols. The next section surveys related work. Section 3 describes an attribute-based classification of the sensor data. The classification is later used to derive the optimization. Section 4 discusses the handling of the confidentiality requirements. The proposed optimization techniques are presented in Section 5. In Section 6, the performance is mathematically analyzed. Section 7 describes the validation experiments and analyzes the performance results. Section 8 discusses the potential performance gains if a trusted kernel is employed to support MLS. Finally, Section 9 concludes the paper.

2. RELATED WORK

Packet size adjustment has been used in the literature as a means for optimizing various performance metrics in wireless communication networks. The bulk of the work has focused on the physical and link layer parameters. Some of the early works mainly focused on the effect of the packet size on performance [2] and on how dynamic selection of the packet size can be beneficial [3]. On the other hand, most of the recent works target throughput and energy consumption as metrics for optimization. The main theme of this category of work factors in the channel conditions in selecting the best packet size and other physical layer settings, e.g., the bit rate, in order to achieve maximum throughput and/or to reduce the communication energy.

For example, Sankarasubramaniam et al. [4] have factored in both the error rate and the channel condition so that the penalty of packet loss is minimized while keeping a sufficiently large payload to justify the overhead bits in the packet header. Assuming a Rayleigh fading channel and modulation using a binary orthogonal non-coherent frequency shift keying, the authors have derived formulations for finding the optimal packet size with and without the use of error control coding. They have further recommended adding forward error correction code to limit retransmissions. Despite the transmission and encoding/decoding overhead, it has been shown that the error correction code pays off with benefits that surpass the imposed overhead. Meanwhile, Cheng et al. [5] have considered both the packet size and bit rate as probes for reducing the communication energy. Assuming Multiple Quadrature Amplitude Modulation (MQAM) and finite count retransmission Automatic Repeat-reQuest (ARQ), they have formulated an energy consumption optimization model to find the best modulation order and packet size for minimizing the energy consumption. On the other hand, Chen et al. [6] try to adjust the bit rate based on the packet size in order to reduce energy. Multiple queues are employed to group the packets according to their sizes and every queue is allocated a service and bit rate.

The work of Akyildiz and Joe [7] attempts to maximize the throughput. Again, dynamic adjustment of the packet size is pursued while factoring in the channel conditions. The approach is for the receiver node to sense the medium and provide feedback to the sender to set the packet size accordingly. Modiano [8], on the other hand, relies on the bit-error-rate of the channel estimated by tracking the history of received acknowledgements. A Markov chain based model is proposed to track the channel condition and predict the changes in the bit-error-rate. Choudhury and Gibson exploited both the transmission bit rate and payload size to maximize the throughput under varying channel conditions from a single user experience [9] and for the entire network [10]. Yin et al. [11] have also studied optimizing the network throughput. However, they have directed their attention to the IEEE 802.11 distributed channel access (DCA) function striving to determine both the optimal packet size and the optimal minimum contention window under various traffic loads and channel conditions. Unlike these single-layer based approaches, Konsgen et al. [12] have exploited cross-layer optimization to improve the throughput of quality of service (QoS) traffic. Their main focus is the physical and Medium Access Control (MAC) layers. Packets are queued based on their sensitivity to delivery latency. A physical layer schedule then picks packets from the queue according to their latency-based priority while factoring in the channel conditions to maximize the bit rate. The idea is further extended in Reference [13] to expedite the packet transmissions of fast flows by piggybacking packets according to the channel condition and the remaining portion of the allotted time.

Figure 1. Categorization of sensor data according to timing and security attributes.

Unlike the work discussed above, which focuses on a single metric, Vuran and Akyildiz [14] pursue a comprehensive multi-layer approach for determining the ideal packet size. Three objective functions are targeted; namely, packet throughput, energy consumption, and end-to-end delay. The formulation assumed a channel-aware routing algorithm in which the next hop on the data path is picked based on the signal quality and the proximity to the base-station (receiver). Basically, a link is included on a data path as long as the signal-to-noise ratio (SNR) exceeds a preset threshold. The formulation opts to find the packet size and the SNR threshold for optimizing the objective functions. The key distinct features of this approach compared to others are: (1) the extended scope since it considers multi-hop paths rather than a single link and (2) the targeting of multiple objectives simultaneously. In contrast to previously published work, our approach mainly exploits application level characteristics and factors in security and latency requirements. These aspects have not been previously studied. All prior work that focuses on physical, link, and network layers is complementary to our proposed optimization scheme.

Combining multiple payloads is one of the optimization methodologies pursued in wireless sensor networks. The value is basically to avoid the transmission of multiple packet headers in order to save bandwidth and energy. Unlike the application-based in-network data aggregation which eliminates redundant packets on route to the destination based on some data semantic rules [15], combining payloads of potentially multiple packets is usually application independent. Some works, such as AIDA [16], depend on using the medium access delay as a means for determining how many packets can be combined. Other approaches, e.g. [17], exploit opportunities for combining the response of multiple data queries. Basically, unnecessary packet generation is avoided by sending multiple data samples in one payload and/or including multiple destination IDs in the same header. The idea is to associate a deadline to every query. If a node receives distinct query requests from multiple base-stations with a response to be delivered within the same duration, the node adds all destinations to the packet header instead of forming multiple packets. In addition, the responses for multiple queries from the same requesters are combined in the payload of one packet if the data latency requirements will not be violated. However, no security issues are considered. In addition, only data latency is exploited in the packet size optimization.

3. CLASSIFICATION OF SENSOR DATA

The attributes of the sensor data affect not only the security measures to be employed but also the required bandwidth and medium access pattern. Security-related attributes are mainly based on the required level of confidentiality. Meanwhile, other attributes include the data size, which can range from one bit to numerous bytes; whether the sensor data are generated periodically, or sporadically based on observing a particular event; and whether the sensor data may be buffered locally, or rushed to operation centers. All these attributes affect the necessary bandwidth and medium access schedule. This section explains these attributes, grouped according to the security requirements and time properties. Figure 1 summarizes the classifications of the sensor data.

3.1. Security attributes of the collected data

Two categories of security attributes are being contemplated. The first reflects the restriction on public access to data by individuals cleared at or above the classification level of that data. The second category is related to the sensitivity to sharing private data among members of a group that are cleared for the same access privilege, or need-to-know. For example, a common concern during system integration and testing is the safeguarding of classified and proprietary data collected by the tester when competitors happen to have nodes in the system under test. This category is referred to as ‘same-level privilege limitation.’

• Security-Level Access Restriction: Generally, security is a qualitative metric. The popular access classification includes ‘Unclassified’, ‘Restricted’, ‘Confidential’, ‘Secret’, and ‘Top Secret’. Unclassified data reflects no concern about public access, and thus no encryption is needed to maintain confidentiality. Meanwhile, Top Secret data are subject to the highest level of confidentiality measures. It is worth noting that the list can be easily extended and/or reorganized based on quantitative measures. However, irrespective of the number of security levels in the list, it is important to note that the no-write-down and no-read-up access restrictions as defined by the Bell-LaPadula model [18–20] must be enforced through enforcing access control for stored data and employing appropriate confidentiality protections for data in transit over a shared network. Without specialized kernel capabilities at the source and destinations, it would be necessary to segregate data for each security level in distinct packets.

• Same-Level Privilege Limitation: This attribute applies to members of the same security level of access privilege. It is a binary attribute: either there is a need-to-know/compartments restriction, where non-authorized members are denied access to the data, or there is not. Again, any members with lower access privilege are prevented from accessing the data by enforcing the access restriction measures.

3.2. Time properties of data

3.2.1. Tardiness/time sensitivity.

Time sensitive sensor data simply ought to be rushed. An example of such data is the trajectory track of a missile so that a self-destruct command can be issued in time if the missile gets off track and becomes a range-safety threat. Handling time sensitive data requires either a bandwidth reservation to avoid medium access contention delay or the ability to preempt ongoing medium access in favor of high priority, time-critical data. The former is common in most time-division based MAC schemes, while the latter is very hard to do in wireless environments. Generally, time sensitivity is captured not only by the data generation rate but by associating a maximum tardiness bound on the data delivery.

3.2.2. Rate/pattern.

Based on the periodicity of data generation, two categories exist: namely periodic and sporadic. The latter represents event-based data that are sent when a particular observation is made. For event-based data, a bound on the inter-arrival time between successive events is assumed to estimate the required bandwidth. On the other hand, the tardiness attribute captures the fact that some data must be sent right away, while other data may tolerate some delay.

The tardiness and rate/pattern time properties enable some flexibility in combining and preparing the packet payload to minimize the number of packet transmissions and avoid bit padding. Padding would be required when encrypting a packet with a block cipher whose block size is not a factor of the packet size, as explained next.

4. HANDLING CONFIDENTIALITY REQUIREMENTS

Confidentiality requirements are usually addressed through encryption. Encryption algorithms can be categorized as:

• Block cipher: The message is sliced into equal-sized bit strings, called blocks. A larger block size implies more protection against leaking information about the message contents [21]. In several block cipher algorithms, the size of the block often increases as the key size grows. If the message length is not a multiple of the block size, some bits are padded. For small-sized data, a block cipher will involve excessive padding and thus make the efficiency of the communication channel very poor.

• Stream cipher: Stream-based encryption works on the bit level and thus avoids the padding overhead. The name is derived from streamed delay-constrained data which makes buffering undesirable. A stream cipher allows data to be transmitted instantaneously without incurring any padding overheads.

To address the access restrictions on the data based on the security level, block ciphers are proposed as the underlying encryption mechanism. Despite their obvious advantages, stream ciphers are not as popular and widely-endorsed as block ciphers and are being investigated by the research community [22–24]. Therefore, it is wise to employ block ciphers that have been analyzed extensively and have been adopted in numerous standards for secure communication protocols [22,25–27]. Meanwhile, to enforce a same-level privilege limitation, i.e., need-to-know restriction, stream ciphers would suffice. The rationale is that there is lower risk for an inter-member confidentiality breach compared to public access restrictions. In addition, the concern is applicable only to the data of some of the individual sensors, and the data size of each individual sensor is typically so small that excessive padding will be required if block ciphers are pursued for each sensor. For example, assume that node $A_j$ has a sensor $S_{i,j}$ whose data should not be available to unauthorized persons, even if they are cleared for the level of security of such data. If the size of the data is 3 bits, a padding of 125 bits will be required for a block cipher with a 128-bit block size. Obviously this is inefficient, especially if many sensors have such restrictions.

5. DATA ATTRIBUTES BASED BANDWIDTH OPTIMIZATION

This section presents a number of optimization strategies for minimizing the bandwidth used by the individual nodes and highlights possible trade-offs that can be exploited to avoid overhead. Before explaining the techniques, the optimization problem is formally explained.

5.1. Bandwidth optimization problem

The following notation is used in the problem formulation:

$A_j$: Node that has multiple sensors

$S_{i,j}$: The $i$th sensor of node $A_j$

$Gen_{i,j}$: The data generation rate for $S_{i,j}$

$Slow\_Del_{i,j}$: Slowest tolerable delivery delay for a reading from $S_{i,j}$

$Size_{i,j}$: The size of the data generated by $S_{i,j}$

$Sec\_Class_{i,j}$: The security level requirement that must be applied to the data generated by $S_{i,j}$ when transmitted over a wireless channel

$Block_{sec\_class}$: The size of the encryption block for a particular security level. It often grows with increased levels of confidentiality

In general, a packet is composed of a data payload and a header. The header is usually of a fixed size. In a multi-hop environment the physical, link, and network portions of the header should not be encrypted so that the packet can be stored and forwarded. Alternatively, the header information can be encrypted by a common network wide header-specific key. For a direct communication link, the header can be encrypted using a shared key for each individual node, if desired. For simplicity the following discussion assumes that the header is not encrypted with the payload; however, header encryption will not impact the proposed approach or the derived conclusions.

Equation (1) provides the packet payload size assuming that block ciphers are used for packet encryption and that the message size is a multiple ‘M’ of the size of the block associated with the particular security class.

$$\text{Packet payload size} = M \times |Block_{sec\_class}|, \quad \text{where } M = 1, 2, 3, \ldots \tag{1}$$

If the payload composition in terms of the mix of sensors varies, then some markers are usually added to enable parsing of the data payload by the receiver and finding of the individual fields. It is assumed that this information is included in the packet payload. In addition, a packet often has a maximum length, imposed by the wireless transport link conditions and/or the system designer. This indirectly implies that there is a bound on the payload. The maximum allowable packet payload is denoted as $Max\_Payload$.

The goal of the optimization is to find for every security class ‘s’ of data generated on node $A_j$ the largest value of $M_j$ that minimizes:

$$\text{Padding overhead} = M_j \times |Block_s| - |Payload_j| \ge 0 \tag{2}$$

subject to the data delivery latency constraints of the individual sensors (i.e., $S_{i,j} \in A_j, \forall i$) and such that $Payload \le Max\_Payload$.

The largest value of M is targeted to increase the size of the packet and to lower the medium access and packet header overhead. It is worth noting that the minimal bandwidth required to transmit data collected by all sensors on $A_j$ is:

$$\text{Minimum channel bandwidth} = \sum_{\forall i} Size_{i,j} \times Gen_{i,j} \tag{3}$$

For a fixed value of $M_j$, the optimization can be reduced to the bin packing problem, which is known to be NP-hard [28]. The bin packing problem is concerned with putting the most objects, i.e., data samples, in the least number of fixed-size bins, i.e., blocks. Obviously, the problem becomes more complex with $M_j$ being a variable. Therefore, heuristics will be explored as a solution for such an optimization problem.

5.2. Bandwidth reduction strategies

To achieve the optimization outlined above, the following techniques are pursued:

1. Schedule data transmission based on the data generation frequency: The idea is simply to exploit the time sensitivity attributes to combine the transmission of the data of multiple sensors. Before explaining the optimization, it is important to discuss how periodic data acquisition is scheduled. Figure 2 shows an example of data of three sensors, $S_{1,1}$, $S_{2,1}$ and $S_{3,1}$ aboard one node where data are generated at time $\tau_1$, $\tau_2$, and $\tau_3$, respectively. For illustration purposes, it is assumed that $\tau_3 = 2\tau_1$ and $\tau_2 = 1.5\tau_1$. The scheduling of such periodic data transmission forms the least common multiple (LCM) of all periods and establishes an order for sending the individual data within the LCM. That scheduling pattern within the LCM will be repeated thereafter. Please note that some of the packets that carry the data of $S_{1,1}$ can include the data of $S_{2,1}$ and $S_{3,1}$ as well. For the particular example in Figure 3, 16 transmissions are needed per LCM.

If the delivery of the data collected by $S_{2,1}$ has some tolerable tardiness, it may be possible to reduce the required number of packet transmissions and enable the formation of larger packets and lower the header overhead. Figure 4 shows an example of how allowing a reading from $S_{2,1}$ to be sent as late as ½ $\tau_1$ after the sample is made can reduce the number of packets sent by $A_1$ from 16 to 12 per LCM. The sampling instance for which a packet is to be formed will be referred to hereafter as $P_{l,k}$, marking the time for transmitting a packet, where $l$ is the time, with $0 < l \le LCM$, and $k$ being the security class of the sensor data. In other words, there will be a distinct $P_{l,k}$ at every sample time for every security class. Such distinction maintains the segregation of data based on their security level properties.

Figure 2. An example of scheduling the transmission of data from three sensors. Since $\tau_3 = 2\tau_1$ the data of $S_{1,3}$ can be sent with that of $S_{1,1}$. In addition, every other transmission of $S_{1,2}$ data can share the same packet with the data of $S_{1,1}$.

Figure 3. Exploiting the data delivery tardiness attribute allows avoiding small packet transmission and unnecessary competition of medium access. Some of the samples collected by $S_{1,2}$ will be delayed in order to be part of the payload of a packet that has the data of $S_{1,1}$ and sometimes $S_{1,3}$ as well.

2. Minimize cipher block sizes: Block ciphers are used for imposing the desired access restrictions, per security-level classification, where the block size is determined based on the security classification level. The smaller the cipher block size is, the smaller the worst-case padding overhead becomes. Therefore, the encryption block sizes are used according to the security class of the data so that the lengthy blocks are avoided unless absolutely required. The effect of a decreased block size on the robustness of the encryption can be compensated with longer keys if needed.

3. Exploit delay tolerance: As indicated earlier the readings of some sensors may not need to be rushed and the application can tolerate some tardiness. Such data can enable optimization of the payload so that the padding overhead is minimized. For example, sometimes decreasing the size of the payload by 1 byte may reduce the value of Mj as shown in Equation (2), which significantly decreases the padding overhead. If |Keys| = 64 bits and |Payloadj| = 132 bits, Mj would have to be 3, resulting in 60 padded bits. Reducing the payload size by 8 bits, i.e., those allocated to delay tolerant data, will reduce the value of Mj to 2 and the number of padded bits to just 4. Figure 4 illustrates this example.

Figure 4. Exploiting the features of smart sensors, it may be possible to remove unnecessary data samples and optimize the size of the packet by removing undesired padding bits.

5.3. Optimization algorithms

Figure 5 shows the pseudo code for the procedure described above that consolidates packets by exploiting the tolerable tardiness for delivering the data. Basically, this procedure is executed by every node Aj while considering every security class k of data on that node. As discussed earlier, LCM time duration is considered a frame. The optimization starts with the first sampling event P0,d and continues on until the end of the frame. Line 1 establishes a point in time before the frame starts so that executing line 3 will yield P0,d, which is the earliest sample event for any security class of data (d indicates any value in this context). In each iteration, the corresponding sample event is checked for the feasibility of shifting it forward in time. The feasibility is mainly based on the tardiness attribute of the individual sensors that generate data at this point in time. Again, only data that are of the same security classification are considered since data samples that are subject to different access restrictions are not mixed in the same packet. The loop in lines 4–17 iterates over every security level checking the samples generated at the particular packet formation event. The ‘Move’ flag is set in line 5 and stays on if all samples of the same security level can be sent at a later point in time. The shift will be determined by the minimal allowed tardiness so that the data can be combined with other packets, i.e., move to another packet formation event of the same security level at a later time. If the shift is permitted, the packet formation event will be delayed (lines 15–21). The procedure terminates at the end of the frame (line 18).

Figure 5. Pseudo code for the optimization procedure to consolidate the packet formation instances for the generated data within the LCM. The procedure is repeated by every node Aj for every distinct security class k.

Figure 6. Pseudo code for the optimization procedure for minimizing the padding embedded in a particular packet.

The algorithm for optimizing the formation of the individual packets is outlined in Figure 6. This algorithm is run by every node Aj. Like the procedure in Figure 5, the algorithm checks every packet formation event within a frame and starts with the first sampling event P0,d for any security level d. In other words, the algorithm proceeds within the frame based on the time of the packet formation events. The variable Mmax, calculated in line 2, denotes the maximum number of blocks within a packet, corresponding to the maximum size of the payload, Max Payload. The latter is derived from any restriction on the packet size imposed by the wireless transport, link conditions, or the system designer.

The main loop, lines 3–30, sequentially checks the packet formation events within the frame. In line 4, the next event is picked for optimization. The optimization loop, lines 5–29, attempts to form for every security class the longest packet that has the least padding overhead. Data samples are distinguished based on the access restriction requirements that must be satisfied. The sensor readings at time t for a particular security class ‘k’ are grouped in line 6 in a ‘Sample Setj,k’ list.

The Sample Set is then sorted in descending order according to the tardiness tolerance attribute (line 10). The sorted list is later used in inserting the data samples in the packet based on an earliest deadline first basis. In line 11, the time for the next packet generation event is identified. A data sample is allowed to be delayed only if the deadline for transmission matches or exceeds the time of the next packet formation event for the same security class. The rationale is that the delay should not introduce a new packet formation event for the same security class; otherwise the value of the optimization diminishes. Lines 12–14 identify the samples that do not meet the minimal acceptable delay criterion and calculate the number of required blocks Mcut−off. Those samples are easily determined since the Sample Set buffer is sorted based on the tardiness. In other words, it suffices to find the cut-off mark in the buffer for which the value of the tardiness attribute equals or exceeds the deadline.

Now, if the size of the must-go data is larger than the maximum payload of a packet (line 15), those fully loaded packets are formed and the number of blocks is adjusted accordingly (lines 16–18). The optimization metric for the packet formation is to minimize the ratio of overhead to payload on a packet. The overhead here includes both the packet header and the padding bits. The variable LEAST OR is initialized to the worst overhead to payload ratio, which corresponds to a packet of just 1 bit of data. The loop in lines 21–28 considers all possible values between Mcut−off and Mmax and calculates the padding overhead for each. For each value between Mcut−off and Mj, the packet includes the must-send data, i.e., Payloadcut−off, the best fit among the remaining data in the Sample Setj,k is found to fill the remaining space in the packet, and finally the padding bits are calculated based on the block size for the security class. As discussed earlier optimal packet formation is reducible to the bin packing problem. The best fit heuristic is one of the most popular approaches for solving the bin packing problem. The loop terminates after finding the optimal number of blocks for the payload. Unselected samples can tolerate some tardiness and are thus kept for consideration in the next packet formation event for the same security level.
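The selection step described above, for one packet formation event of one security class, written out as an added Python sketch (it is not the authors' Figure 6 pseudo code). The names `Sample`, `best_fit` and `form_packet`, the absolute-time deadlines, the 15 872-bit payload limit and the exhaustive subset-sum used as the "best fit" are assumptions; splitting must-go data across several full packets is left out.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Sample:
    sensor: str      # label of the producing sensor (constructed names)
    size: int        # sample size in bits
    deadline: float  # latest acceptable transmission time


def padding_bits(payload: int, block: int) -> int:
    """Bits needed to fill the last cipher block of the payload."""
    return ceil(payload / block) * block - payload


def best_fit(candidates, capacity):
    """Subset of candidates with the largest total size not exceeding capacity."""
    reachable = {0: ()}  # total size -> one tuple of samples giving that total
    for sample in candidates:
        for total, chosen in list(reachable.items()):
            new_total = total + sample.size
            if new_total <= capacity and new_total not in reachable:
                reachable[new_total] = chosen + (sample,)
    return list(reachable[max(reachable)])


def form_packet(samples, next_event, block, max_payload, header):
    """Choose the payload of one packet for a single security class.

    Samples whose deadline falls before the next packet formation event of
    the class must go now; the others may wait. Every block count from the
    cut-off up to the maximum is tried and the one with the lowest
    (header + padding) / payload ratio is kept.
    """
    must_go = [s for s in samples if s.deadline < next_event]
    optional = [s for s in samples if s.deadline >= next_event]
    base = sum(s.size for s in must_go)
    if base > max_payload:
        raise ValueError("must-go data needs several packets; split it first")
    m_cutoff = max(1, ceil(base / block))
    m_max = max_payload // block
    best = None
    for m in range(m_cutoff, m_max + 1):
        fill = best_fit(optional, m * block - base)
        payload = base + sum(s.size for s in fill)
        if payload == 0:
            continue
        pad = padding_bits(payload, block)
        ratio = (header + pad) / payload
        if best is None or ratio < best["ratio"]:
            best = {
                "blocks": ceil(payload / block),
                "payload": payload,
                "padding": pad,
                "ratio": ratio,
                "sent": [s.sensor for s in must_go + fill],
                "deferred": [s.sensor for s in optional if s not in fill],
            }
        if len(fill) == len(optional):
            break  # everything is on board; more blocks would add only padding
    return best


def paper_example():
    """Constructed input matching the 132-bit versus 124-bit case in the text."""
    samples = [Sample("S1", 124, deadline=0), Sample("S2", 8, deadline=5)]
    return form_packet(samples, next_event=5, block=64,
                       max_payload=15872, header=512)


def amortised_header_example():
    """Constructed input where a padded, larger payload beats a perfect fit."""
    samples = [Sample("S1", 100, 0), Sample("S2", 20, 9),
               Sample("S3", 8, 9), Sample("S4", 30, 9)]
    return form_packet(samples, next_event=5, block=64,
                       max_payload=15872, header=512)


if __name__ == "__main__":
    print(paper_example())
    print(amortised_header_example())
```

In the second constructed case a zero-padding fit of two blocks exists, but three blocks with 34 padding bits win because the 512-bit header is spread over more data, which is what minimizing the overhead-to-payload ratio rather than the padding alone implies.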


6. ALGORITHM ANALYSIS

This section analyzes the performance of the proposed algorithm. Assume that the maximum packet payload max payload is determined by the channel conditions, error rate, effective capacity, etc. To simplify the analysis, we assume that max payload is sufficiently large and the sensor readings are small in size such that the collective size of samples of all sensors will not exceed max payload and thus will not warrant the use of multiple packets, i.e.,

$$\sum_{\forall S_j \in A_i} \text{Size}_{i,j} \le \text{max payload}$$

The following analysis focuses on the advantage of separating access restriction from same-level privilege limitations. In that context, all sensor data are assumed to have the same security classification level. Moreover, we consider the worst-case scenario where the periods for generating data, i.e., τ1, τ2, τ3, . . . , etc., are assumed to be all prime numbers which makes it possible only to combine data from a maximum of two sensors within a LCM, except at the end of the LCM. For example, for time τ1, τ2, and τ3 being 3, 4, and 5, respectively, the LCM is 60; there is no point in the period [1,60] for which more than two sensors would have data ready except at time equals 60.

The above assumptions restrict the applicability of the proposed packet optimization algorithm and would yield the worst-case performance. The goal is to show the least performance gain achieved by our approach in comparison to a baseline that reflects the contemporary practice of segregating sensor samples and sending the individual samples in distinct packets.

Baseline Performance: The current practice is to send every sample in a distinct packet. Thus, the required bandwidth overhead for a system of N nodes, where each node has a set of sensors that transmit directly to the base-stations, is:

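$$\begin{aligned}
\text{BW Overhead}_{\text{baseline}} &= \sum_{\forall\,\text{nodes}} \; \sum_{\forall\,\text{sensors/node}} (\text{per sensor padding} + \text{packet header}) \\
&= \sum_{\forall i \le N} \; \sum_{\forall S_j \in A_i} \frac{\text{LCM}_i}{\tau_{i,j}} \left[ \left( \left\lceil \frac{\text{Size}_{i,j}}{\text{Block}} \right\rceil \times \text{Block} - \text{Size}_{i,j} \right) + \text{header} \right]
\end{aligned} \tag{1}$$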

Proposed Approach: Given the restricting assumption above, the bandwidth saving is made when the data of multiple sensors are combined in a single packet. Assume that all sensors are of the same secrecy level. Since the periods are assumed to be prime numbers, all opportunities for combining data on a particular node involve only two sensors, except the last packet in the frame. The bandwidth overhead in that case will be:

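$$\text{BW Overhead}_{2\,\text{sensors}} = \left( \left\lceil \frac{\text{Size}_{i,j} + \text{Size}_{i,j+1}}{\text{Block}} \right\rceil \times \text{Block} - \left( \text{Size}_{i,j} + \text{Size}_{i,j+1} \right) \right) + \text{header} \tag{2}$$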

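$$\begin{aligned}
\text{BW Saving}_{2\,\text{sensors}} &= \text{BW overhead for one sensor/packet} - \text{BW overhead for two sensors/packet} \\
&= \left[ \left( \left\lceil \frac{\text{Size}_{i,j}}{\text{Block}} \right\rceil \times \text{Block} - \text{Size}_{i,j} \right) + \text{header} \right]
 + \left[ \left( \left\lceil \frac{\text{Size}_{i,l}}{\text{Block}} \right\rceil \times \text{Block} - \text{Size}_{i,l} \right) + \text{header} \right] \\
&\quad - \left[ \left( \left\lceil \frac{\text{Size}_{i,j} + \text{Size}_{i,l}}{\text{Block}} \right\rceil \times \text{Block} - \left( \text{Size}_{i,j} + \text{Size}_{i,l} \right) \right) + \text{header} \right] \\
&= \left( \left\lceil \frac{\text{Size}_{i,j}}{\text{Block}} \right\rceil + \left\lceil \frac{\text{Size}_{i,j+1}}{\text{Block}} \right\rceil - \left\lceil \frac{\text{Size}_{i,j} + \text{Size}_{i,j+1}}{\text{Block}} \right\rceil \right) \times \text{Block} + \text{header}
\end{aligned} \tag{3}$$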

The cumulative bandwidth saving for all possible combinations of two sensors on a node Ai is:

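$$\begin{aligned}
\text{Total BW Saving}_{2\,\text{sensors}} &= \sum_{j=1}^{|A_i|-1} \; \sum_{l=j+1}^{|A_i|} \left( \frac{\text{LCM}_i}{\tau_{i,j}\,\tau_{i,l}} - 1 \right) \\
&\quad \times \left[ \left( \left\lceil \frac{\text{Size}_{i,j}}{\text{Block}} \right\rceil + \left\lceil \frac{\text{Size}_{i,j+1}}{\text{Block}} \right\rceil - \left\lceil \frac{\text{Size}_{i,j} + \text{Size}_{i,j+1}}{\text{Block}} \right\rceil \right) \times \text{Block} + \text{header} \right]
\end{aligned} \tag{4}$$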

where |Ai| denotes the number of sensors on node Ai. Excluded from Equation (4) is the packet formed at time equal to LCMi, which combines the data samples from all sensors on node Ai. For that packet, the bandwidth saving is:

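$$\text{BW Saving}_{\text{last packet}} = \left[ \left( \sum_{j=1}^{|A_i|} \left\lceil \frac{\text{Size}_{i,j}}{\text{Block}} \right\rceil \right) - \left\lceil \frac{1}{\text{Block}} \sum_{j=1}^{|A_i|} \text{Size}_{i,j} \right\rceil \right] \times \text{Block} - \left( |A_i| - 1 \right) \text{header} \tag{5}$$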

Thus, total bandwidth saving for a node is the sum of Equations (4) and (5). Summing for all nodes, the bandwidth saving would constitute the least performance gain that the proposed approach can achieve.

$$\text{Performance gain} = \sum_{\forall\,\text{nodes}} \text{Total bandwidth saving per node} \tag{6}$$

7. VALIDATION EXPERIMENTS

The previous section analyzed the worst-case performance. This section presents average-case performance and studies the impact of the various parameters through simulation. The goal of the validation experiments is to provide a quantitative assessment of the performance advantage that the proposed optimization algorithm provides to the system. The simulation environment, performance metrics, and experimental results are discussed in the following subsections.

7.1. Experiment setup and performance metrics

The simulation experiments focus on measuring the channel efficiency in terms of the wasted bandwidth consumed for delivering packet overhead and the total number of required packets for forwarding the data. The overhead includes a packet header, a sensor data tag associated with each data sample, and the padding in a packet, whose size is determined by the block size used for encrypting the packet. The experiments categorize the performance of the algorithm under varying parameters. The following lists the parameters and how they are varied:

• Number of Access Restriction security Levels Narl: The higher the number of levels that the system has, the more packet transmissions will be required and the less effective the optimization becomes when security-based segregation is performed. A typical upper bound is 5, for ‘Unclassified’, ‘Restricted’, ‘Confidential’, ‘Secret’, and ‘Top secret’. The cipher block size for encrypting a packet is determined by the selected value of Narl based on Table 1. Therefore, the block size grows with the stringency of the confidentiality requirement. As we mentioned in subsection 5.2, we exploit the block size by making it proportional to the security level in order to reduce the padding overhead. It is worth noting that Rijndael’s block cipher supports block sizes of 128, 194, and 256. Nonetheless, the Advanced Encryption Standard (AES) uses only a 128-bit block version of Rijndael’s algorithm for all security-levels and allows longer keys for higher security data [29]. While none of the popular encryption schemes uses a block size bigger than 128 bits, we study the effect of using block sizes of 256 and 512 bits. We argue that new encryption schemes may potentially need to be developed to offer stronger defense and this study provides insight on the impact of longer encryption block sizes on efficient use of the channel capacity.

• Number of sensors (Ns): A high sensor count would allow assessing the effectiveness of the optimization under heavy load. The number of sensors varies among 5, 10, 15, and 20.

Table 1. Block sizes corresponding to various Narl values.

Narl    Cipher block size (bits)
1       8
2       32
3       64
4       96
5       128
6       256
7       512

For each of the Ns sensors, the following attributes are selected:

• The level of access restriction (AR): a random value in the range [1,Narl], where Narl cannot exceed 7. In experiments that do not study the effect of Narl on performance, the value of Narl is set to 5, which implies the 128-bit block size used by widely-used block cipher schemes such as AES.

• Sensor sample size (Size): a value chosen randomly in the set {2^0, 2^1, 2^2, . . . , Max sample size} and reflects the sensor sample size in bits. The default Max sample size is 2^5 (32 bits). However, it will be increased up to 2^10 bits in some experiments to study the implication of varying the sample size on the performance.

• Data generation interval (DGI): a random number in the range [1,Max interval] reflecting the sensor sampling rate/time in seconds. A low value implies a high sampling rate. The default Max interval is 10. This allows assessing the effectiveness of the optimization algorithms under varying load.

• Maximum tolerable tardiness (MTT): a randomly picked value from {0, 1, 2} corresponding to zero, finite, and unrestricted tardiness, respectively. For finite tardiness, the delay value is set to (2 × DGI × p), where p is a randomly selected fraction in [0.01, 1]. The value for unrestricted tardiness is set to the simulation ending time which corresponds to the LCM of the DGI values of all sensors in the experiment. Intuitively, the delay (deadline) is relative to the sample generation time.

The following performance metrics are pursued to assess the effectiveness of our proposed approaches:

• Ratio of packet overhead to generated data: This metric shows the effectiveness of the optimization algorithm for maximizing packet payload and minimizing the header and padding overhead. The metric is calculated by dividing the total number of overhead bits by the sum of all generated data bits during the entire simulation time. The packet overhead includes the tags that mark the sensor data within the payload, the packet header and the padding bits. In the experiments, the data tags include a 5-bit sensor ID and a 6-bit pointer to mark where the corresponding data sample is within the payload. In addition, a packet will include sequence number, node ID, etc., accounting for a total of 224 bits in the header. The packet header is a total of 512 bits (64 bytes), which equals 36 bytes for an 802.11 MAC header with a 4-byte CRC and a 28-byte UDP/IP header [30]. The number of padding bits is determined by the packet formation methods. The maximum transfer unit (MTU), which corresponds to the maximum packet size, is set to 2 kbytes, i.e., 16 384 bits.

• Total number of packets sent: Like the ratio of overhead to data, the total number of delivered packets will show the impact on the channel efficiency. The number of packets actually delivered would be mainly affected by how the security requirements are handled and the size of the sensor samples. In addition, the number of access restriction levels has an influence on this performance metric if the security-based segregation is applied.

7.2. Baseline approaches

The proposed optimization algorithm, which is referred to in the experiments as Single Security Level Optimization (SSL-OPT), is compared to four baseline approaches that have different combinations of segregation policies and access restriction levels. The first baseline approach represents current common practice, and then we selected additional baseline approaches that improve on current common practice by incorporating a specific optimization strategy from our proposed heuristics solution in order to quantify the impact of each component in our solution. All baseline approaches send sensor data samples as soon as they are available, i.e., no delivery tardiness is exploited for optimization. The tardiness property is exploited only by the proposed SSL-OPT approach to minimize the count of transmitted packets and reduce padding associated with block cipher encryption.

1. One Sensor Per Packet encrypted at the Highest Security Level (1SPP-HSL): In this approach, each sensor’s data are immediately delivered using its own packet without delay. No optimization for the packet size is performed. With respect to the selection of a block size, 1SPP-HSL uses the highest security level (seven in the simulation) for all packets.

2. One Sensor Per Packet encrypted Based on the Security Level of the sensor (1SPP-PSL): Like 1SPP-HSL, this approach sends each data sample in a separate packet without delay. However, each packet is encrypted based on the security requirement associated with data sent in the packet. For example, having three sensor samples with confidentiality levels of 1, 5, and 7 implies that three packets will be sent separately, each of which is encrypted based on Table 1 using blocks of 8, 128, and 512 bits, respectively.

3. Combine Single Security Level data generated at the same time in one packet when all of these sensors have identical access restrictions and encrypt the packet at Highest Security Level (SSL-HSL): In this approach sensor data samples which belong to the same access restriction are grouped and sent in the same packet when they are produced at the same time. SSL-HSL encrypts every packet at the highest overall security level irrespective of the actual security level of sensors data at each packet. Unlike our approach, the SSL-HSL baseline does not exploit the delay-tolerant properties of sensors data in order to reduce the number of transmitted packets or the amount of block-cipher padding.

4. Combine Single Security Level data generated at the same time in one packet when all these sensors have identical access restrictions and encrypt the Packet according to the highest Security Level in its payload (SSL-PSL): Like SSL-HSL, this approach combines sensor data of the same access level restriction in the same packet. However, in this baseline approach, the packet is encrypted using the block whose size is determined by the highest security level of the combined data samples in the packet. No other optimization is performed.

In all baseline approaches, more than one packet can be formed at a particular time depending on the amount of sensor data which are supposed to be sent in the same packet based on the algorithm. In particular, 1SPP-PSL and 1SPP-HSL deliver each data sample in a separate packet. Therefore, multiple packets per node may be formed regardless of the data size as long as the available samples belong to different sensors. Since in our simulation experiments the largest data size allowed for any sensor is 2^10 bits, the size of any packet generated by the 1SPP baseline methods will always be less than the MTU for a packet which is 16 384 bits and thus 1SPP-PSL and 1SPP-HSL would send the same number of packets in all simulation experiments regardless of the block size. In addition, SSL-PSL and SSL-HSL form multiple packets per node if the available samples are subject to distinct confidentiality requirements. SSL-PSL and SSL-HSL send the same number of packets and the difference between them will be mostly the padding overhead determined by the data size delivered in a packet and the block size used to encrypt the packet.
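The four baselines differ only in how samples are grouped and which Table 1 block size pads the packet, which the following added Python example (not the authors' simulator) makes concrete for one node over one LCM frame. The sensor set is constructed, and two points are assumptions: the 11-bit tags are counted inside the encrypted payload, and no packet reaches the MTU.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import ceil, lcm

BLOCK_BITS = {1: 8, 2: 32, 3: 64, 4: 96, 5: 128, 6: 256, 7: 512}  # Table 1
HEADER_BITS = 512   # packet header used in the experiments
TAG_BITS = 11       # 5-bit sensor ID + 6-bit pointer per sample
HIGHEST_LEVEL = 7   # level used by the *-HSL baselines


@dataclass(frozen=True)
class Sensor:
    name: str
    ar: int    # access restriction level, 1..7
    size: int  # sample size in bits
    dgi: int   # data generation interval in seconds


def packet_overhead(group, level):
    """Header, tags and padding of one packet with one sample per sensor in group."""
    tagged = sum(s.size + TAG_BITS for s in group)  # assumption: tags are encrypted too
    block = BLOCK_BITS[level]
    pad = ceil(tagged / block) * block - tagged
    return HEADER_BITS + TAG_BITS * len(group) + pad


def run_baseline(sensors, combine, highest):
    """Packets and overhead over one frame (the LCM of all DGI values).

    combine=False sends one sensor per packet (1SPP); combine=True groups the
    samples produced at the same time by access restriction level (SSL).
    highest=True pads to the level-7 block (HSL); otherwise to the block of
    the level carried in the packet (PSL). Nothing is ever delayed.
    """
    frame = lcm(*(s.dgi for s in sensors))
    packets = overhead = data = 0
    for t in range(1, frame + 1):
        ready = [s for s in sensors if t % s.dgi == 0]
        groups = defaultdict(list)
        for s in ready:
            groups[s.ar if combine else s.name].append(s)
        for group in groups.values():
            level = HIGHEST_LEVEL if highest else max(s.ar for s in group)
            packets += 1
            overhead += packet_overhead(group, level)
            data += sum(s.size for s in group)
    ratio = overhead / data if data else 0.0
    return {"packets": packets, "overhead": overhead, "ratio": ratio}


def compare(sensors):
    """Run the four baseline approaches on the same sensor set."""
    return {
        "1SPP-HSL": run_baseline(sensors, combine=False, highest=True),
        "1SPP-PSL": run_baseline(sensors, combine=False, highest=False),
        "SSL-HSL": run_baseline(sensors, combine=True, highest=True),
        "SSL-PSL": run_baseline(sensors, combine=True, highest=False),
    }


# Constructed node: two level-1 sensors and one level-5 sensor.
SAMPLE_NODE = [
    Sensor("A", ar=1, size=32, dgi=2),
    Sensor("B", ar=1, size=16, dgi=3),
    Sensor("C", ar=5, size=32, dgi=3),
]

if __name__ == "__main__":
    for name, result in compare(SAMPLE_NODE).items():
        print(f"{name}: {result['packets']} packets, "
              f"{result['overhead']} overhead bits, ratio {result['ratio']:.2f}")
```

On this constructed three-sensor node the SSL variants save one packet per frame, yet SSL-HSL still carries more overhead bits than 1SPP-PSL because every packet is padded to 512-bit blocks.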

7.3. Simulation results

In order to analyze and assess the performance of our proposed packet formation approach, simulation experiments under varying parameter values have been conducted. The experiments attempt to capture the effect of Ns, Narl, Size and DGI on performance. The results of each experiment are averaged over 20 runs. All results are subjected to 90 per cent confidence interval analysis and stay within 10 per cent of the sample mean. In each run, different combinations of Ns, Narl, Size, DGI, and MTT sensor attributes have been used. For example, in order to study the effect of Ns, 20 experiments with five sensors per node have been made, where in each of the 20 runs five random values for Narl are generated. Size, DGI, and MTT for each sensor are set, then, the 20 different configurations are computed to measure performance for all approaches. The process is repeated with the sensors count per node raised to 10 by producing for each of the 20 runs five more random values for the Narl, Size, DGI, and MTT attributes for the additional five sensors installed in a node. In each of the 20 runs, the five additional attribute values are combined with the five values used in the previous matching run to provide unique configurations for each of the 10 sensors. For Ns = 15, five new random sensor configurations are produced.

Figure 7. Simulation setup for Narl ∈ {5, 6, 7} with Ns = 5, Size = 2^5, and DGI = 5. The experiments for each value of Narl have the same set of (Size, DGI, and MTT) for each of the sensors.

To illustrate, Figure 7 shows how the experiment parameters are generated to study the effect of Narl on performance. The value of Narl is varied between 5, 6, and 7, while the sensors count per node Ns is fixed at 5, and the maximum Size and DGI are set to 2^5 and 5, respectively. Again, the results of the individual experiments are averaged over 20 runs. We generate 20 random configurations for five sensors where the attributes of each sensor are randomly selected, for Size from {2^0, 2^1, 2^2, 2^3, 2^4, 2^5}, DGI in the range [1,5], and MTT from {0, 1, 2}. When MTT = 2, the data transmission is not constrained and is noted in Figure 7 as ‘INF’ for infinite. A value for MTT of 1 implies a tardiness that is calculated as a function of DGI, as explained earlier, and the deadline is listed in Figure 7. The value of AR is randomly picked from {3, 4, . . . , Narl}. For the various Narl values, we reuse the same (Size, DGI, and MTT) values for each sensor in the corresponding runs. In other words, the corresponding runs for Narl = 5, 6, and 7 differ only in the values used for AR.

7.3.1. Effect of varying the number of sensors (N).

Figure 8 shows the performance of the packet size optimization in comparison to the four baseline approaches as the number of sensors (Ns) varies. The maximum values for Size, DGI, and Narl are fixed at 2^5, 10, and 5, respectively. The results indicate that our optimization algorithm SSL-OPT yields superior performance regardless of the value of Ns since it minimizes the number of transmitted packets and optimizes the payload size of each packet by exploiting the delay tolerance attribute of data and strives to reduce the padding overhead.

Figure 8(a) shows that the overhead ratio for 1SPP-HSL and 1SPP-PSL on the average stays flat regardless of the value of Ns. This is expected since only one sample is shipped in a packet. Meanwhile, all approaches that include multiple samples per packet, i.e., SSL-OPT, SSL-PSL, and SSL-HSL, benefit from the increased sensor population and demonstrate higher efficiency since it is possible to reduce the number of transmitted packets and grow their data payload. As expected, encrypting the packets at the highest security level boosts the padding overhead and thus SSL-PSL and 1SPP-PSL outperform SSL-HSL and 1SPP-HSL, respectively. This is confirmed by Figure 8(b) which captures the contribution of padding to the overall overhead. In addition, for a small sensors count (Ns < 15), Figure 8(a) shows that SSL-HSL performs worse than 1SPP-PSL which sends each data sample separately in its own packet. The reason as hinted by Figure 8(b) is that SSL-HSL uses the largest block size which implies the largest padding overhead (511 bits) in the worst case, while 1SPP-PSL involves at most 127 bits padding (recall that the maximum Narl is 5 in these experiments). However, as the number of sensors increases, the probability of combining more than one sensor on a packet increases which allows SSL-HSL to reduce the number of transmitted packets, as seen in Figure 8(c), thus reducing the packet’s header overhead that is much larger than padding overhead.

Figure 8. The ratio of packet overhead to generated data bits and the number of sent packets for various network sizes (Ns).

With respect to the total number of packets sent during the entire simulation experiment, Figure 8(c) demonstrates that SSL-OPT yields the best performance for all values of Ns in comparison to all other approaches. This is because SSL-OPT strives to pack as much data as possible in each packet using the best-fit bin-packing algorithm. In addition, exploiting the tolerable delivery tardiness attribute allows SSL-OPT to reduce the number of required packets for sending the same amount of data. In fact, examining all charts in Figure 8 indicates that the performance advantage of SSL-OPT is mostly attributed to the reduction of packet header related overhead. It is worth noting that all approaches send more packets with larger Ns since there is an increased probability for a higher count for sensors without any delay tolerance. In addition, 1SPP-PSL and 1SPP-HSL always send a number of packets that equals the number of data samples generated during the entire simulation time since in these baseline methods each sample is sent in a distinct packet.

7.3.2. Effect of varying the size of data samples (Size).

Figure 9 compares the performance with various data sizes. As indicated in Figure 9(a), the number of packets sent stays the same regardless of the data size (Size) in all of the packet formation methods. The reason is that the combined size of data that may be generated at the same time equals at most 10 862 bits, (512 bit-packet header + 10 sensors × (11 bit-header + 1024 bit-data)) which is less than MTU (16 384 bits). Therefore, any combination of 10 (=Ns) random values of Size selected from [1, 2, 4, 8, 16, 32, 64, 128, 256, 1024] bits can fit in a single packet regardless of the packet formation approach. As expected, 1SPP-PSL and 1SPP-HSL both send the largest number of packets. As noted about Figure 8, SSL-OPT forms the least number of packets due to the optimized packing of samples in a packet and to the effective use of the tolerable delivery tardiness attribute.

Figure 9. The effect of data size of a sensor on the number of formed packets and the ratio of packet overhead to generated data bits.

Figure 10. Ratio of packet overhead to generated data bits (a) and the number of packets sent (b) depending on various Narl. The graphs of (c) and (d) are based on fixed access restriction value (that equals Narl).

Meanwhile, the overhead yielded when encrypting data varies depending on the data size and volume as seen in Figure 9(b). The overhead decreases for large data samples in all approaches. The explanation is similar to the number of packets performance. Basically, all samples generated at a particular time instance would fit in a single packet. Therefore, large data sizes help in filling the payload, and thus reduce the ratio of packet headers and padding overhead to payload size in general. However, the amount of payload to overhead efficiency margin depends on the individual packet formation algorithms.

On average, SSL-OPT yields fewer transmitted packets and less padding overhead per packet than other baseline approaches for all data sizes. However, the performance advantage diminishes as the data size grows. This is because when the data samples are large, it becomes harder to find a close to perfect fit with few padding bits during the execution of the bin-packing algorithm. It is worth noting that 1SPP-HSL and SSL-HSL both rapidly overcome their algorithm disadvantage with large data size. This is because the large padding overhead introduced due to the large block size, which is 511 bits in the worst case, would be reduced as data gets larger and closer to 512 bits (or its multiples). In addition, SSL-HSL, which combines data based on the security level and sample generation rate attributes, shows lower efficiency than 1SPP-PSL, which sends the individual data separately regardless of data size. This is mainly due to the lack of sufficient sensors at the node to allow SSL-HSL to have sufficient opportunity to combine sensors of identical security level to significantly reduce the number of transmitted packets.

7.3.3. Effect of varying access restriction requirements (Narl).

Figure 10 shows the performance while varying the access restriction levels. The performance of SSL-OPT is consistently superior to the four alternatives. Unless a unified access restriction is imposed, the packing efficiency generally worsens for the large cipher block sizes that are associated with high confidentiality requirements (512 bits for Narl = 7). This is because the worst-case padding overhead grows to 511 bits compared to 63 bits for Narl = 3.

As seen in Figure 10(a), 1SPP-HSL yields a constantratio of overhead to data bits regardless of the confiden-tiality level since it puts data in packets as being generatedand uses the same block size, which corresponds to thehighest access restriction (7) for encrypting the payload.Meanwhile, the performance of 1SPP-PSL depends on theblock size associated with the access restriction level ofthe sensor in the payload and thus the padding overheadgrows as Narl increases from 3 to 7. In addition, Figure 10(a)shows that the gap between SSL-OPT and SSL-PSL widenswhen Narl grows, while their performances worsen. This isbecause lower access restriction levels increase the prob-ability of combining sensors samples in the same packetfor both methods while meeting the security segregationgoal. However, with Narl = 7, opportunities for combiningdata are reduced which increases the number of packetssent separately due to the data segregation requirement.Nonetheless, exploiting delay tolerant data limits the impacton SSL-OPT compared to SSL-PSL.

In addition, SSL-HSL, SSL-PSL, and SSL-OPT show a fluctuating ratio as Narl varies among 5, 6, and 7. This is because these approaches segregate data based on the access restriction level associated with each data sample and the experiment used random values of access restriction between 1 and 5, 6, or 7 for Narl = 5, 6, and 7, respectively. Therefore, the ratio of padding per data bits for Narl = 6 may be worse than that for Narl = 5 or 7 since the combination of data belonging to the same security level may require more packets to be sent, as seen in Figure 10(b). When the access restriction levels (ARL) are fixed per experiment, i.e., ARL equals Narl, the fluctuations shown in Figure 10(a) and (b) were mitigated, as shown in Figure 10(c) and (d). Moreover, unlike Figure 10(a), the effectiveness of 1SPP-PSL in Figure 10(c) rapidly degrades as Narl increases. Since in Figure 10(c) all samples in a particular experiment have the same access restriction requirement and the data volume remains the same, 1SPP-PSL yields degraded channel bandwidth efficiency as Narl grows and matches the performance of 1SPP-HSL when Narl assumes the highest value of 7.

In both Figure 10(b) and (d), SSL-OPT yields the lowest packet count regardless of the value of Narl. Additionally, as seen in Figure 10(b), SSL-OPT, SSL-PSL, and SSL-HSL do not send a constant number of packets as Narl increases. This is due to the variability of access restriction assigned to data samples and to the fact that the maximum amount of data generated at a particular point in time would not exceed the payload of an MTU and, thus, the number of packets formed by the individual algorithms is influenced only by the Narl variability.

7.3.4. Effect of varying DGI.

Figure 11 demonstrates the efficiency of the different formation approaches while varying DGI. As seen in Figure 11(a), SSL-PSL and SSL-HSL take advantage of the increased data samples for small DGI values in growing the payload of packets to reduce the padding overhead. Nonetheless, SSL-OPT still outperforms all baseline approaches. However, such a performance advantage diminishes for lower DGI values, i.e., higher sampling rate. While this may seem to contradict the results in Figure 8, where the increased data availability has a positive impact on the overhead, the effect of DGI on data availability is different from increasing Ns. Basically, a higher sensor count per node, i.e., larger Ns, introduces more diversity to the requirements of the data samples, including tolerable delays. On the other hand, low DGI values make the MTT small as well and limit the flexibility that SSL-OPT may exploit. Recall that in the experiments, MTT is a linear function of DGI. Therefore, SSL-PSL seems to close the performance gap with SSL-OPT for DGI < 4, as tolerable tardiness becomes less influential in the optimization.

Figure 11. The effect of sampling rate on the ratio of packet count and padding overhead to generated data bits.

As expected, the performance of 1SPP-PSL and 1SPP-HSL is not affected by the DGI values since they form a separate packet for each data sample. Moreover, since 1SPP-PSL encrypts each sample using the block size associated with its own access restriction, which is at most five in this experiment, 1SPP-PSL shows a lower ratio of overhead to data for large DGI (low data generation rate) than SSL-HSL, which uses the largest block size (512 bits) all the time. However, with the availability of many samples with small DGI, SSL-HSL overcomes the effect of the block size by having more opportunities for combining sensor data and reducing total transmitted packets while achieving the security segregation goal.

Figure 11(b) shows the ratio of the number of packets to the data payload as DGI varies. Unlike previous graphs that reported the number of packets, relating the packet count to the data fits better here given the radical impact of DGI on the packet count and number of data samples. In general, since the data size is small relative to the MTU, fewer packets would be sent when sensors generate data infrequently (large DGI). Yet, for SSL-PSL and SSL-HSL the number of packets relative to the data volume grows. This is attributed to the fact that less data are available for combining in the payload of the individual packets. On the other hand, SSL-OPT sustains its efficiency through the flexible incorporation of delay-tolerant data. As the data generation rate increases (smaller DGI), the performance advantage over SSL-PSL becomes less significant, as noted above.

8. SUPPORT FOR MULTI-LEVEL SECURITY

Security segregation at the level of the individual packets is not generally hard to achieve. The use of cryptography and robust key management conceivably can ensure that data are protected en route to the destination. The main challenge lies at the operating system and software environment levels. Basically, the runtime environment must enforce the no-write-down and no-read-up access restriction as defined by the Bell-La Padula model [18–20]. Almost all commercial-off-the-shelf software tools and runtime systems do not support such a security model, forcing the handling of ‘MLS’ data to be over multiple single-level security communication channels. This section studies the potential of the proposed optimization if an MLS runtime system is employed. The objective of this section is two-fold. The first is to compare the performance of our approach under single-level and multi-level software environments and study the possible gain that could be achieved in a true MLS environment. The second objective is to provide quantitative measures of performance to help designers and system architects in conducting a trade-off between the expenses and efforts required to develop trusted MLS kernels and the increased bandwidth efficiency that can be achieved through that system.

8.1. Compared approaches

This section considers a Multi Security Level Optimization (MSL-OPT) version. MSL-OPT implements all optimization techniques discussed earlier, i.e., it combines data in the same packet payload and exploits delay tolerance. Unlike SSL-OPT, MSL-OPT is not required to segregate data according to their security requirements; rather, it can multiplex data from different security levels in a single packet. The performance of MSL-OPT is compared to SSL-OPT as well as the following two baseline approaches that employ different policies for enforcing access restrictions and do not exploit delivery tardiness as a means of optimization:

1. Combine Multi Security Level data generated at the same time in the same packet(s) encrypted at a predefined security level that matches the Highest Security Level in the system (MSL-HSL): This baseline approach groups sensor data that are generated at the same time regardless of their access restriction and sends them immediately. Therefore, no delay is involved and packet size optimization is not performed. The cipher block size is based on the highest security level in the system, i.e., the security level is fixed at 7 for all packets and block size is set to 512 bits as indicated in Table 1.

2. Combine Multi Security Level data generated at the same time and encrypt the Packet according to the highest Security Level in its payload (MSL-PSL): This approach works like MSL-HSL, except that the cipher block size is based on the highest access restriction of the data in a packet. For example, suppose some data samples are generated at time t0 from four sensors which have different confidentiality requirements, e.g., 1, 3, 5, and 2, respectively. The packet would be then encrypted using a block corresponding to level 5 (i.e., 128 bits according to Table 1).
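The padding cost of these grouping policies can be worked through for a single generation instant. The following Python example is added here and is not code from the paper: it ignores headers, MTU splitting and delay tolerance, takes the 64-, 128- and 512-bit block sizes for levels 3, 5 and 7 from the text, and assumes the remaining block-size entries and the sample sizes.

```python
from collections import defaultdict

# Cipher block size in bits per access restriction level. The text gives 64
# bits for level 3, 128 for level 5 and 512 for level 7; the other entries
# are assumed here and stand in for the paper's Table 1.
BLOCK_BITS = {1: 64, 2: 64, 3: 64, 4: 128, 5: 128, 6: 256, 7: 512}
HIGHEST_LEVEL = max(BLOCK_BITS)

# Constructed input: (access restriction level, sample size in bits) for four
# sensors sampled at the same instant, using the levels from the MSL-PSL
# example (1, 3, 5, 2). The sizes are made up.
SAMPLES = [(1, 48), (3, 32), (5, 96), (2, 16)]


def padding_bits(payload_bits, block_bits):
    """Bits added to round the payload up to a whole number of blocks."""
    return (-payload_bits) % block_bits


def form_packets(samples, policy):
    """Return one dict per packet for samples generated at the same time.

    'segregated': one packet per access restriction level, block size of
                  that level (what a single-level channel requires).
    'MSL-PSL':    one packet, block size of the highest level in the payload.
    'MSL-HSL':    one packet, block size of the highest level in the system.
    Assumes the combined data fits in one MTU payload.
    """
    if not samples:
        return []
    if policy == "segregated":
        per_level = defaultdict(int)
        for level, bits in samples:
            per_level[level] += bits
        groups = [((lvl,), bits, lvl) for lvl, bits in sorted(per_level.items())]
    elif policy in ("MSL-PSL", "MSL-HSL"):
        levels = tuple(sorted({lvl for lvl, _ in samples}))
        enc_level = max(levels) if policy == "MSL-PSL" else HIGHEST_LEVEL
        groups = [(levels, sum(bits for _, bits in samples), enc_level)]
    else:
        raise ValueError(f"unknown policy: {policy}")

    packets = []
    for levels, payload, enc_level in groups:
        block = BLOCK_BITS[enc_level]
        packets.append({
            "levels": levels,
            "payload_bits": payload,
            "block_bits": block,
            "padding_bits": padding_bits(payload, block),
        })
    return packets


def summarize(samples, policy):
    """Packet count, total padding and padding per data bit for a policy."""
    packets = form_packets(samples, policy)
    data = sum(p["payload_bits"] for p in packets)
    pad = sum(p["padding_bits"] for p in packets)
    return {"packets": len(packets), "padding_bits": pad,
            "padding_per_data_bit": pad / data if data else 0.0}


if __name__ == "__main__":
    for policy in ("segregated", "MSL-PSL", "MSL-HSL"):
        print(policy, summarize(SAMPLES, policy))
```

With these constructed sizes the single MSL-HSL packet carries more padding than the four segregated packets combined, because the 512-bit block dominates a small payload, while MSL-PSL needs one packet and the least padding.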

8.2. Performance experiments and results

The results presented in this section are based on the same simulation setup discussed in Section 7, studying the performance by varying Ns, Narl, and DGI. The parameter values are generated in the way discussed in Section 7. In fact, the results in this section are captured during the same experiments used for the graphs in Figures 8–11. In other words, the reported statistics for SSL-OPT are exactly what are shown in Figures 8–11.

8.2.1. Effect of the number of sensors per node (Ns).

Figure 12 shows the performance of the multi-level-security packet optimization in comparison to SSL-OPT and the two other baseline approaches while varying Ns. Figure 12(a) indicates that MSL-OPT consistently outperforms SSL-OPT by about 80 per cent since it does not force segregation of the data samples based on the security attribute. The decreased overhead makes the utilization of the available channel bandwidth more effective and makes MSL-OPT an attractive choice that is worth supporting through the investment in an MLS trusted kernel. The performance advantage of MSL-OPT over MSL-PSL and MSL-HSL is similar to their single-level security versions shown in Figure 8, i.e., SSL-PSL and SSL-HSL, and can be mostly attributed to delay-tolerance-based optimization. However, it is worth noting that MSL-PSL and MSL-HSL are becoming more efficient as the number of sensors per node increases and are closing the gap with MSL-OPT at a higher rate than SSL-PSL and SSL-HSL do with SSL-OPT (when comparing Figure 12(a) and Figure 8(a)). This observation further highlights the major performance gain that could be attained by supporting an MLS communication stack and network interface through a trusted kernel.

Figure 12. The effect of supporting multi-level security on the overhead under varying number of sensors per node.

Figure 12(b) shows that combining data of multi-security levels enables all MSL-based approaches to pack the data in fewer packets than SSL-OPT. Looking back at Figure 12(a), while the low packet count allows MSL-PSL to make up for the lack of delay tolerance based optimization and yields a better overhead to data ratio than SSL-OPT, the reduction in packet count is not sufficient for MSL-HSL to achieve the same. Figure 12(a) shows that MSL-HSL still underperforms SSL-OPT for relatively low sensor counts since the effect of large padding dominates the savings achieved by combining data. However, as Ns grows, additional data becomes available allowing MSL-HSL to pack more samples per packet and to limit the need for padding bits, finally exceeding the performance of SSL-OPT.

8.2.2. Effect of access restriction requirements (Narl).

Figure 13 shows the effect of Narl on the performance with and without MLS. The performance gap between the SSL-OPT and MSL-OPT clearly shows the effect of increased diversity in security requirements on the inflicted overhead. As the maximum number of security levels increases, SSL-OPT becomes more constrained and both the number of formed packets (Figure 13(b)) and the overhead to data ratio (Figure 13(a)) grow. The support of multi-security levels mutes the impact of the increase in Narl on the packet count. However, the overhead for MSL-OPT and MSL-PSL slightly grows due to the increase in the block sizes that is necessary to support the higher security levels. The performance of MSL-HSL stays flat since it employs the largest block size regardless of the value of Narl.

Figure 13. Average overhead to data ratio when supporting multi-level security varying the maximum security access restriction levels.

8.2.3. Effect of data generation intervals (DGI).

Figure 14 compares the performance of the single-level and MLS implementation of our optimization algorithm. As shown in Figure 14(a), the performance gap between SSL-OPT and MSL-OPT widens with the increase in data generation rate (when DGI decreases), and the advantage of MSL-OPT grows from 100 to 150 per cent. This is consistent with the observation made in Figure 12(a), and it is attributed to the increased availability of data. While SSL-OPT becomes constrained, as we pointed out when discussing Figure 12(a), MSL-OPT scales well since it does not segregate data based on access restriction requirements.

Figure 14. Average overhead to data ratio when supporting multi-level security varying the maximum security access restriction levels.

The performance of MSL-PSL and MSL-HSL confirms our earlier observation that the support of multiple security levels would increase the efficiency of the channel utilization and make delay tolerance optimization less influential, especially when data are generated at high rates. Figure 14(b) reports the difference in formed packets with the gap between the MSL-based approaches diminishing with the increase in the data generation rate.

To conclude, supporting MLS can boost the performance dramatically. We envision that for bandwidth-limited wireless channels, it is wise to employ a trusted kernel in order to loosen the constraints on the system designer in meeting the application goals. We recommend the same for systems that evolve rapidly and scale over time.

9. CONCLUSION

Wireless networks have become a part of many data acquisition systems. One of the key design challenges in these networks is to boost the effective data throughput under varying signal propagation conditions and constrained link capacity. One of the prominent optimization strategies is to pick a suitable packet size by factoring in the bit error rate and the per-packet overhead. However, most of the published schemes do not consider security requirements that restrict the data mix in the packet payload and introduce additional padding overhead during encryption. This paper has investigated ways to effectively support MLS in wireless data acquisition networks. A novel packet size optimization scheme has been proposed that exploits the security and timing attributes of the data in determining the packet payload so that fewer packets are transmitted with an improved ratio of overhead to actual data. The proposed approach leverages contemporary physical and link layer based schemes and enables ample opportunities for cross-layer fine-grained performance tuning. The performance of our approach has been validated mathematically and through extensive simulation experiments. The simulation results have confirmed the effectiveness of the proposed optimization and demonstrated its advantage, especially when a large pool of data is involved. We have also studied the potential performance gain that our approach can achieve if a trusted kernel is employed to support MLS.

ACKNOWLEDGEMENTS

The authors would like to thank the Test Resource Management Center (TRMC) Test and Evaluation/Science and Technology (T&E/S&T) Program for their support. This work is funded by the T&E/S&T Program through the Naval Air Warfare Center Weapons Division, China Lake, CA, contract N68936-09-C-0001.


REFERENCES

1. Chong C-Y, Kumar SP. Sensor networks: evolution, opportunities, and challenges. Proceedings of the IEEE 2003; 91(8): 1247–1256.

2. Siew CK, Goodman DJ. Packet data transmission over mobile radio channels. IEEE Transactions on Vehicular Technology 1989; 38(2): 95–101.

3. Letteri P, Srivastava MB. Adaptive frame length control for improving wireless link throughput range, and energy efficiency. In The Proceedings of IEEE INFOCOM’98, San Francisco, USA, March 1998; 564–571.

4. Sankarasubramaniam Y, Akyildiz IF, McLaughlin SW. Energy efficiency based packet size optimization in wireless sensor networks. In The Proceedings of the 1st IEEE International Workshop on Sensor Network Protocols and Applications (SNPA’03), Anchorage, Alaska, May 2003.

5. Cheng H, Yao Y-D, Quoraishee S. Optimization of energy consumption in sensor networks. In The Proceedings of the 26th Army Science Conference, Orlando, Florida, December 2008.

6. Chen R-C, Chang C-S. Energy cost optimization by adequate transmission rate dividing in wireless communication system. Informatica 2008; 19(2): 191–200.

7. Akyildiz IF, Joe I. A new ARQ protocol for wireless ATM networks. In The Proceedings of the IEEE Conference on Communications (ICC’98), Vol. 2, Atlanta, GA, June, 1998; 1109–1113.

8. Modiano E. An adaptive algorithm for optimizing the packet size used in wireless ARQ protocols. ACM-Baltzer Journal of Wireless Networks 1999; 5: 279–286.

9. Choudhury S, Gibson JD. Payload length and rate adaptation for multimedia communications in wireless LANs. IEEE Journal on Selected Areas Communication (special issue on cross-layer optimized wireless multimedia communications). 2007; 25(4): 796–807.

10. Choudhury S, Gibson JD. Throughput optimization for wireless LANs in the presence of packet error rate constraints. IEEE Communications Letters 2008; 12(1): 11–13.

11. Yin J, Wang X, Agrawal DP. Performance issues of wireless LANs, PANs and ad hoc networks. Computer Communications 2005; 28(10): 1204–1213.

12. Konsgen A, Herdt W, Timm-Giel A, Wang H, Gorg C. An enhanced crosslayer two-stage scheduler for wireless LANs. In The Proceedings of the 18th International Symposium on Personal and Indoor Wireless Communications (PIMRC’07), Athens, Greece, September 2007.

13. Konsgen A, Islam Md. S, Timm-Giel A, Gorg C. Optimization of a QoS aware cross-layer scheduler by packet aggregation. In The Proceedings of the IFIP Joint Conference on Mobile and Wireless Communications Networks (MWCN’2008) and Personal Wireless Communications (PWC’2008), Vol. 284/2008, Toulouse, France, September 2008; 149–160.

14. Vuran MC, Akyildiz IF. Cross-layer packet size optimization for wireless terrestrial, underwater, and underground sensor networks. In The Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM’08), Phoenix, AZ, March 2008.

15. Intanagonwiwat C, Estrin D, Govindan R, Heidemann J. Impact of network density on data aggregation in wireless sensor networks. In The Proceedings of the 22nd International Conference on Distributed Computing Systems (ICDCS’02), Vienna, Austria, July 2002.

16. He T, Blum BM, Stankovic JA, Abdelzaher T. AIDA: adaptive application-independent data aggregation in wireless sensor networks. ACM Transactions on Embedded Computing Systems 2004; 3(2): 426–457.

17. Sun J-Z. Using packet combination in multi-query optimization for data collection in sensor networks. In The Proceedings of the 3rd International Conference on Mobile Ad-Hoc and Sensor Networks (MSN’07), LNCS Volume 4864/2007, Beijing, China, December 2007; 645–656.

18. Bell-La Padula model. Available at: en.wikipedia.org/wiki/Bell-La Padula model#cite note-0

19. La Padula LJ, Bell DE. Secure computer systems: a mathematical model. In MTR-2547, Vol. II, The MITRE Corporation, Bedford, MA, 31 May 1973. (ESD-TR-73-278-II).

20. Bell DE. Looking Back at the Bell-La Padula Model. In The Proceedings of the 21st Annual Computer Security Applications Conference, Tucson, Arizona, December 2005; 337–351.

21. Menezes A, van Oorschot P, Vanstone S. Handbook of Applied Cryptography (5th edn). CRC Press: Washington D.C., 2001.

22. Henk C, van Tilborg A. Encyclopedia of Cryptography and Security. Springer: Netherland, 2005.

23. Biryukov A. Block ciphers and stream ciphers: the state of the art. In State of the Art and Evolution of Computer Security and Industrial Cryptography, Lecture Notes in Computer Science, Preneel B (ed.). Springer-Verlag: New York, 2004.

24. The eSTREAM Project. Available at: www.ecrypt.eu.org/stream

25. Advanced Encryption Standard. NIST FIPS-197. In National Institute of Standards and Technology, November 2001. Available at: csrc.nist.gov/encryption

26. NESSIE security report, Version 2.0. In Final project report for New European Schemes for Signatures, Integrity and Encryption (NESSIE), 19 February 2003. Available at: https://www.cosic.esat.kuleuven.be/nessie

27. Encryption algorithm trade survey: report concerning space data system standards. In Informational Report CCSDS 350.2-G-1, Consultative Committee for Space Data Systems (CCSDS). March 2008. Available at: public.ccsds.org/publications/GreenBooks.aspx

28. Baase S, Van Gelder A. Computer Algorithms: Introduction to Design and Analysis (3rd edn). Addison-Wesley: New York, 2000.

29. Daemen J, Rijmen V. The Design of Rijndael: AES – The Advanced Encryption Standard. Springer-Verlag: Netherland, 2002.

30. 802.11 IEEE standard specification document. In Institute of Electrical and Electronics Engineering, June 2007.