Log In Sign Up

Optimal Secure Multi-Layer IoT Network Design

by   Juntao Chen, et al.
NYU college

With the remarkable growth of the Internet and communication technologies over the past few decades, Internet of Things (IoTs) is enabling the ubiquitous connectivity of heterogeneous physical devices with software, sensors, and actuators. IoT networks are naturally multi-layer with the cloud and cellular networks coexisting with the underlaid device-to-device (D2D) communications. The connectivity of IoTs plays an important role in information dissemination for mission-critical and civilian applications. However, IoT communication networks are vulnerable to cyber attacks including the denial-of-service (DoS) and jamming attacks, resulting in link removals in IoT network. Therefore, it is important to maintain the connectivity of IoT networks and make them secure and resistant to malicious attacks. In this work, we present a heterogeneous IoT network design problem in which a network designer can add links to provide additional communication paths between two nodes or secure links against failures by investing resources. We characterize the optimal strategy of the secure network design problem by first providing a lower bound on the number of links a secure network requires for a given budget of protected links, and then developing a method to construct networks that satisfy the heterogeneous network design specifications. Case studies on the Internet of Battlefield Things (IoBT) are used to corroborate our results.


A Dynamic Game Approach to Designing Secure Interdependent IoT-Enabled Infrastructure Network

The emerging Internet of Things (IoT) applications that leverage ubiquit...

Multi-layer Space Information Networks: Access Design and Softwarization

In this paper, we propose an approach for constructing a multi-layer mul...

Toward Secure Edge Networks: Taming Device-to-Device (D2D) Communication in IoT

Security problems in environments hosting Internet-of-Things (IoT) devic...

A secure home automation prototype built on raspberry-pi

With the development of sensors, wireless mobile communication, embedded...

Nowhere to Hide: Cross-modal Identity Leakage between Biometrics and Devices

Along with the benefits of Internet of Things (IoT) come potential priva...

A DTLS Abstraction Layer for the Recursive Networking Architecture in RIOT

On the Internet of Things (IoT), devices continuously communicate with e...

I Introduction

Internet of Things (IoTs) have witnessed a tremendous development with a variety of applications, such as virtual reality, intelligent supply chain [1] and smart home [2]. In this highly connected world, IoT devices are massively deployed and connected to cellular or cloud networks. For example, in smart grids, wireless sensors are adopted to collect the data of buses and power transmission lines. The collected data can then be sent to a supervisory control and data acquisition (SCADA) center through cellular networks for grid monitoring and decision planning purposes. Smart home is another example of IoT application. Various devices and appliances in a smart home including air conditioner, lights, TV, tablets, refrigerator and smart meter are interconnected through the cloud, improving the quality of the living.

IoT networks can be viewed as multi-layer networks with the existing infrastructure networks (e.g., cloud and cellular networks) and the underlaid device networks. The connections between different objects in the IoT network can be divided into two types. Specifically, the communications between devices themselves are called interlinks, while the devices communicate with the infrastructure through intralinks. The connectivity of IoT networks plays an important role in information dissemination. On the one hand, devices can communicate directly with other devices in the underlaid network for local information. On the other hand, devices can also communicate with the infrastructure networks to maintain a global situational awareness. In addition, for IoT devices with insufficient on-board computational resources such as wearables and drones, they can outsource heavy computations to the data centers through cloud networks, and hence extend the battery lifetime. Vehicular network is an illustrative example for understanding the two-tier feature of IoT networks [3]. In an intelligent transportation network, vehicle-to-vehicle (V2V) communications enable two vehicles to communicate and exchange information, e.g., accidents, speed alerts, notifications. In addition, vehicles can also communicate with roadside infrastructures or units (RSU) that belong to one or several service providers for exchanging various types of data related to different applications including GPS navigation, parking and highway tolls inquiry. In this case, the vehicles form one network while the infrastructure nodes form another network. Due to the interconnections between two networks, vehicles can share information through infrastructure nodes or by direct V2V communications.

IoT communication networks are vulnerable to cyber attacks including the denial-of-service (DoS) and jamming attacks [4]. To compromise the communication between two specific devices, the attacker can adopt the selective jamming attack [5, 6]. More specifically, the attacker selectively targets specific channels and packets which disrupts the communications by transmitting a high-range or high-power interference signal. This adversarial behavior leads to communication link removals in IoT network. Therefore, to maintain the connectivity of devices, IoT networks need to be secure and resistant to malicious attacks. For example, V2V communication links of a car can be jammed, and hence the car loses the real-time traffic information of the road which may further cause traffic delays and accidents especially in the futuristic self-driving applications. Hence, IoT networks should be constructed in a tactic way by anticipating the cyber attacks. Internet of Battlefield Things (IoBT) is another example of mission-critical IoT systems. As depicted in Fig. 1, in IoBT networks, a team of unmanned aerial vehicles (UAVs) serves as one layer of wireless relay nodes for a team of unmanned ground vehicles (UGVs) and soldiers equipped with wearable devices to communicate between themselves or exchange critical information with the command-and-control nodes. The UAV network and the ground network naturally form a two-layer network in a battlefield which can be susceptible to jamming attacks. It is essential to design communication networks that can allow the IoBT networks to be robust to natural failures and secure to cyber attacks in order to keep a high-level situational awareness of agents in a battlefield.

Fig. 1: In IoBT networks, a team of UAVs and a group of soldiers and UGVs execute missions cooperatively. The agents in the battlefield share critical information through D2D communications. The UAV network and ground network form a two-layer network which faces cyber threats, e.g., jamming attacks which can lead to link removals.

Due to heterogeneous and multi-tier features of the IoT networks, the required security levels can vary for different networks. For example, in IoBT networks, the connectivity of UAV networks requires a higher security level than the ground network if the UAVs are more likely to be targeted by the adversary. Similarly, in vehicular networks, the communication links between RSUs need a high-level protection when they anticipate more attacks than the vehicles do. Therefore, it is imperative to design secure IoT networks resistant to link attacks and maintain the two-layer network connectivity with heterogeneous security requirements simultaneously. To this end, we present a heterogeneous IoT network design framework in which network links are vulnerable to malicious attacks. To enhance the security and the robustness of the network, an IoT network designer can add extra links to provide additional communication paths between two nodes or secure links against failures by investing resources to protect the links. To allocate links, note that when the nodes in the IoT network are within a short distance, then the classical wireless communication technologies can be adopted including WiFi, Bluetooth, and Zigbee. In comparison, when the distance is large, then one option that has recently emerged is called ultra narrow band (UNB) [7] that uses the random frequency and time multiple access [8]. The UNB is dedicated for mission-critical IoT systems for providing reliable communication services in long range. The goal of the multi-tier network design is to make the network connectivity resistant to link removal attacks by anticipating the worst attack behaviors. Different from previous works [9, 10] which have focused on the secure design of single-layer networks, in our current work, the network designer needs to take into account the heterogeneous features of the IoT networks by imposing different security requirements on each layer which presents a new set of challenges for network design.

In this paper, we focus on a two-layer IoT network and aim to design each network resistant to different number of link failures with minimum resources. We characterize the optimal strategy of the secure network design problem by first developing a lower bound on the number of links a secure network requires for a given budget of protected links. Then, we provide necessary and sufficient conditions under which the bounds are achieved and present a method to construct an optimal network that satisfies the heterogeneous network design specifications with the minimum cost. Furthermore, we characterize the robust network topologies which optimally satisfy a class of security requirements. These robust optimal networks are applicable to the cases when the cyber threats are not perfectly perceived or change dynamically, typically happening in the mission-critical scenarios when the attacker’s action is partially observable.

Finally, we use IoBT as a case study to illustrate the analytical results and obtain insights in designing secure networks. We consider a mission-critical battlefield scenario in which the UAV network anticipates higher cyber threats than the soldier network, and the number of UAVs is less than the number of soldiers. We observe that as the cost of forming a protected communication link becomes smaller, more secure connections are formed in the optimal IoBT network. In addition, the designed network is resilient to the change of agents in the battlefield. We also study the reconfiguration and resilience of the UAV network as nodes leave and join the battlefield.

The main contributions of this paper are summarized as follows:

  1. We propose a two-layer heterogeneous framework for IoT networks consisting of various devices, where each layer network faces different levels of cyber threats.

  2. By utilizing the tools from graph theory and optimization, we analyze the lower bounds of the number of required links for the IoT network being connected by anticipating the worst case attacks.

  3. We derive optimal strategies for creating secure two-layer IoT networks with heterogeneous security requirements and provide their construction guidelines under different regimes in terms of threat levels and number of nodes. We also identify the robust optimal strategies for the IoT network with dynamic cyber threat levels.

  4. We apply the optimal design principles to crucial IoBT scenarios and provide insights into the design of secure and resilient interdependent UAV and soldier networks in the IoBT.

I-a Related Work

Due to the increasing cyber threats, IoT security becomes a critical concern nowadays [11]. Depending on the potential of cyber attackers, IoT networks face heterogeneous types of attacks [12]. For example, attackers can target the edge computing nodes in IoT, e.g., RFID readers and sensor nodes. Some typical adversarial scenarios include the node replication attack by replicating one node’s identification number [13], DoS by battery draining, sleep deprivation, and outage attacks [14, 15]. The attackers can also launch attacks through the IoT communication networks. Quintessential examples include the eavesdropping attack where the attacker captures the private information over the channel, and utilizes the information to design other tailored attacks [16]. Another example is the data injection attack where the attacker can inject fraudulent packets into IoT communication links through insertion, manipulation, and replay techniques [17]. In our work, we focus on the jamming and DoS attacks which lead to the link removal in IoT communication networks.

To mitigate the cyber threats in IoT, a large number of works have focused on addressing the security issues by using different methodologies [4]. A contract-theoretic approach has been adopted to guarantee the performance of security services in the Internet of controlled things [18, 19] and mitigate the systemic cyber risks [20]. The authors in [21] have proposed a media-aware security architecture for facilitating multimedia applications in the IoT. [22] has proposed a dynamic game model including pre-attack defense and post-attack recovery phases in designing resilient IoT-enabled infrastructure networks. Strategic security investment under bounded rationality in IoT has been studied in [23, 24]. The authors in [25] have developed an interdependent strategic trust mechanism to defend against cyber attacks in IoT.

In this work, we investigate the secure design of IoT network by considering its connectivity measure [9, 10, 26, 27] through the lens of graph theory [28]. Comparing with the previous works [9, 10] that have focused on a single-layer adversarial network design, we model the IoT as a two-layer network and strategically design each layer of the network with heterogeneous security requirements. The current work is also related to the secure and resilient interdependent critical infrastructures [29, 30, 31, 32, 33] in which a holistic design approach is required.

I-B Organization of the Paper

The rest of the paper is organized as follows. Section II formulates the heterogeneous two-layer IoT network design framework. Analytical results including the lower bounds of links and optimal IoT network design strategies are presented in Section III. Case studies of IoBT networks are provided in Section IV, and Section V concludes the paper.

Ii Heterogeneous Two-Layer IoT Network
Design Formulation

In this section, we formulate a two-layer secure IoT network design problem. Due to the heterogeneous features of IoT networks, the devices at each layer face different levels of cyber threats. To maintain the global situational awareness, the designer aims to devise an IoT network with a minimum cost, where each layer of IoT network should remain connected in the presence of a certain level of adversarial attacks.

Specifically, we model the two-layer IoT network with two sets of devices or nodes111Nodes and vertices in the IoT network refer to the devices, and they are used interchangeably. Similar for the terms edges and links. denoted by and . Each set of nodes is of a different type. Specifically, denote by and the number of nodes of type and , respectively, where denotes the cardinality of a set. We unify them to vertices that are numbered from to starting from nodes in . Thus, a node labeled is of type if and only if . Note that each set of nodes forms an IoT subnetwork. Together with the interconnections between two sets of nodes, the subnetworks form a two-layer IoT network. Technically, the communication protocols between nodes within and across different layers can be either the same or heterogeneous depending on the adopted technology by considering the physical distance constraints. Furthermore, the nodes’ functionality can be different in two subnetworks depending on their specific tasks. In this paper, our focus lies in the high-level of network connectivity maintenance.

In standard graph theory, an edge (or a link) is an unordered pair of vertices: , , where is a set including all the pairs of integers between 1 and . We recall that two vertices (nodes) and are said connected in a graph of nodes and a set of edges if there exists a path between them, i.e., a finite alternating sequence of nodes and distinct links: , where and for all .

In our IoT networks, the communication links (edges) are vulnerable to malicious attacks, e.g., jamming and DoS, which result in link removals. To keep the IoT network resistant to cyber attacks, the network designer can either invest (i) in redundancy of the path, i.e., using extra links so that two nodes can communicate through different paths, or (ii) in securing its links against failures where we refer to these special communication edges as protected links. These protected links can be typically designed using moving target defense (MTD) strategies, where the designer randomizes the usage of communication links among multiple created channels between two nodes [34]. More precisely, we consider that for the designer, the cost per non-protected link created is and the cost per protected link created is . It is natural to have since creation of a protected link is more costly than that of a non-protected one. For clarity, we assume that the costs of protected or non-protected links at two different layers are the same. If the costs of creating links are different in two subnetworks, then the network designer needs to capture this link creation difference in his objective [35]. Let be the set of non-protected links and be the set of protected links in the IoT network, and . In this work, we assume that the protection is perfect, i.e., links will not fail under attacks if they are protected. Therefore, an adversary does not have an incentive to attack protected links. Denote the strategy of the attacker by , then it is sufficient to consider attacks on a set of links . Furthermore, we assume that the network designer can allocate links between any nodes in the network. In the scenarios that setting up communication links between some nodes is not possible, then the network designer needs to take into account this factor as constraints when designing networks.

The heterogeneous features of IoT networks naturally lead to various security requirements for devices in each subnetwork. Hence, we further consider that the nodes in IoT network have different criticality levels ( and for nodes of type and , respectively, with , where denotes a set of integers between and ). It means that subnetworks 1 and 2 should remain connected after the compromise of any and links in , respectively. Thus, the designer needs to prepare for the worst case of link removal attacks when designing the two-layer IoT network. Our problem is beyond the robust network design where the link communication breakdown is generally caused by nature failures. In this paper, we consider the link removal which is a consequence of cyber attacks, e.g., jamming and DoS attack. Furthermore, in our problem formulation, the network designer can allocate protected links which can be seen as a security practice, and he takes into account the strategic behavior of attackers, and designs the optimal secure networks. Without loss of generality, we have the following two assumptions:

  1. .

  2. , .

Specifically, (A1) indicates that the IoT devices in subnetwork 2 are relatively more important than those in subnetwork 1, and thus subnetwork 2 should be more resistant to cyber attacks. Another interpretation of (A1) can also be that subnetwork 2 faces a higher level of cyber threats, and the network designer needs to prepare a higher security level for subnetwork 2. In addition, (A2) ensures that no IoT subnetwork is empty.

More precisely, consider a set of vertices and edges . The IoT network designer needs to guarantee the following two cases:

  • if , then all nodes remain attainable in the presence of attacks, i.e., , there exists a path in the graph between and .

  • if , nodes of type remain attainable after attacks, i.e., , there exists a path in the graph between and .

Remark: We denote the designed network satisfying (a) and (b) above by , and call such heterogeneous IoT networks -resistant (with ). The proposed -resistant metric provides a flexible network design guideline by specifying various security requirements on different network components. Furthermore, in this work, we care about each node’s degree which requires an explicit agent-level quantification. Then, the -resistant metric is more preferable than measure of the proportion of links in each subnetwork, where the latter metric only gives a macroscopic description of the link allocation over two subnetworks.

Given the system’s parameters , , , and , an optimal strategy for the IoT network designer is the choice of a set of links which solves the optimization problem:


From the above optimization problem, the optimal network design cost directly depends on and . In addition, as we will analyze in Section III, the cost ratio plays a critical role in the optimal strategy design.

Under the optimal design strategy, compromising a node with low degree, i.e., degree in subnetwork 1 and degree in subnetwork 2, is not feasible for the attacker, since the degree of any nodes without protected link in the network is larger than or depending on the nodes’ layers.

Note that the above designer’s constrained optimization problem is not straightforward to solve. First, the size of search space increases exponentially as the number of nodes in the IoT network grows. Therefore, we need to find a scalable method to address the optimal network design. Second, the heterogeneous security requirements make the problem more difficult to solve. On the one hand, two subnetworks are separate since they have their own design standards. On the other hand, we should tackle these two layers of network design in a holistic fashion due to their natural couplings.

Lower bound on the number of non-protected links









Fig. 2: Lower bound on the number of non-protected links as a function on the number of protected links in the IoT network. Note that all the slopes of lines are quantified in their absolute value sense for convenience.

Iii Analytical Results and Optimal IoT Network Design

In this section, we provide an analytical study of the designer’s optimal strategy, i.e., the optimal two-layer IoT network design.

We first develop, for given system parameters , , , , and , and for each possible number of protected links , a lower bound on the number of non-protected links that have any -resistant network with protected links (Section III-A). Then, we study three important cases, namely when takes values , and , and present for each of them sufficient conditions under which the lower bounds are attained (Section III-B). Based on this study, we can obtain the main theoretical results of this paper, which include the optimal strategy for the designer, i.e., a -resistant IoT network with the minimal cost, as well as the robust optimal strategy, and constructive methods of an optimal IoT network (Section III-C).

Iii-a A Lower Bound on the Number of (Non-Protected) Links

Recall that the system parameters are , , , , and (corresponding to the set of nodes of criticality level and , the values of criticality, and the unitary cost of creating protected and non-protected links). We first address the question of a lower bound on the cost for the designer with an additional constraint on the number of protected links in the network. Since the cost is linear with the number of non-protected links, it amounts to finding a lower bound on the number of non-protected links that are required in any -resistant network with protected links.

Let be a -resistant network containing protected links. Then, we have the following proposition on the lower bound .

Proposition 1 (Lower bound on ).

The number of non-protected links of is at least of

  • if ,

  • if ,

  • if .

Note that takes integer values in each regime. The results are further illustrated in Fig. 2.

Before proving Proposition 1, we first present the notion of network contraction in the following.

Network Contraction: Let be a network. Given a link , the network denoted by refers to the one obtained by contracting the link ; i.e., by merging the two nodes and into a single node (supernode). Note that any node is adjacent to the (new) node in if and only if is adjacent to or in the original network . In other words, all links, other than those incident to neither nor , are links of if and only if they are links of . Then , the contraction of network , is the (uniquely defined) network obtained from by sequences of link contractions for all links in [10].

For clarity, we illustrate the contraction of a network in Fig. 3. This example consists of nodes and protected links (represented in bold lines between nodes and and between nodes and ). The link is contracted and thus both nodes and in are merged into a single node denoted by in . Similarly the link is contracted. The resulting network thus consists of node and supernodes and . Since contains a link between nodes and in , then nodes and are connected through a link in network . Similarly, since nodes and are adjacent in , then supernodes and are adjacent in network .

aa aa

(a) Network


(b) Contraction network
Fig. 3: Illustration of network contraction. The protected links and in network are contracted in network .

Based on network contraction, we present the proof of Proposition 1 as follows.


Consider an IoT network including protected links, and as its contraction. Let

  • be the number of nodes of type in (and supernodes containing only nodes of type ),

  • be the number of nodes of type in (and supernodes containing only nodes of type ),

  • be the number of supernodes in that contains nodes of both type and .

Note that if , (i.e., if there is a unique supernode containing all nodes of the network), then no non-protected link is needed to ensure any level of -resistancy. Otherwise, for the IoT network to be -resistant, each element of , and must have a degree of (at least) . Further, if there exist more than one element not in ; i.e., if , then each of them should have a degree of (at least) .

Thus, a lower bound on the number of non-protected links in is

Next, we focus on the study of parameters , and . If no protected link is used, i.e., , then , and and . Adding any protection allows to decrease the total number of elements by (or to remain constant if the link induce a loop in a protected component of ). Thus . Similarly, for each subnetwork, we have and . Further, the number of elements of and are upper bounded by the number of nodes of type and type 2 , respectively, i.e., and . Finally, since then , and since then . Thus, for any , a lower bound on the number of non-protected links in can be obtained by solving the following optimization problem:


To solve this optimization problem, we consider three cases.

Case 1: First, assume that . From , we obtain that . Thus, (1) reduces to with the same constraints as in (1) except .

Since , then the minimum of the objective is obtained when is minimized, i.e., when all protections involve nodes of type . Then, . Thus, the lower bound is equal to . This result is illustrated by the line joining points A and B in Fig. 2.

Case 2: Assume that . Then . Therefore, for a given , i.e., for a given minimal value of , we can have either or . Then, the lower bound of the number of non-protected links is . Recall that , and therefore the lower bound achieves at . This observation is illustrated by the line in Fig. 2 joining points C and D.

Case 3: Finally, when , , and thus no non-protected link is needed, which is represented by point E in Fig. 2. ∎

Based on Proposition 1, we further comment on the locations where protected and non-protected links are placed in the two-layer IoT networks.

Corollary 1.

When , the protected links purely exist in subnetwork 2. When , subnetwork 2 only contains protected links, and non-protected links appear in subnetwork 1 or between two layers. When , then all nodes in the two-layer IoT network are connected with protected links.

Corollary 1 has a natural interpretation that the protected link resources are prior to be allocated to a subnetwork facing higher cyber threats, i.e., subnetwork 2 in our setting.

Iii-B Networks with Special Values of Protected Links

In the previous Section III-A, we have studied for each potential number of protected links , a lower bound on the minimum number of non-protected links for an IoT network with sets of nodes and being -resistant. Then, the cost associated with such networks is

where . Since the goal of the designer is to minimize its cost, we need to investigate the value of minimizing such function .

In Fig. 2, we note that the plot of a network of equal cost (iso-cost) is a line of equation . It is thus a line of (negative) slope that crosses the -axis at point . Recall also that the graph that shows as a function of is on the upper-right quadrant of its lower bound. Thus, the optimal value of corresponds to the point where an iso-cost line meets the graph for the minimal value . From the shape of the lower bound drawn in Fig. 2, the points A, C and E are selected candidates leading to the optimal network construction cost. We thus investigate in the following the condition under which the lower bounds are reached at these critical points as well as the corresponding configuration of the optimal two-layer IoT networks.

Remark: Denote by a (, )-resistant IoT network with protected links and the minimum number of non-protected links.

Before presenting the result, we first present the definition of Harary network in the following. Recall that for a network containing nodes being resistant to link attacks, one necessary condition is that each node should have a degree of at least , yielding the total number of links more than . Here, denotes the ceiling operator. Harary network below can achieve this bound.

Definition 1 (Harary Network [36]).

In a network containing nodes, Harary network is the optimal design that uses the minimum number of links equaling for the network still being connected after removing any links.

The constructive method of general Harary network can be described with cycles as follows. It first creates the links between node and node such that , and then

, etc. When the number of nodes is odd, then the last cycle of link creation is slightly different since

is not an integer. However, the bound can be still be achieved. For clarity, we illustrate three cases in Fig. 4 with under different security levels . Since Harary network achieves the bound , its computational cost of the construction is linear in both the number of nodes and the security level .

Fig. 4: Illustration of Harary networks with different number of nodes and security levels.

Then, we obtain the following result.

Proposition 2.

For the number of protected links taking values of , and , we successively have:

  • each contains exactly non-protected link.

  • each contains exactly non-protected links if and only if .

  • if we have the following asumptions: (i) , where denotes the modulus operator, (ii) and (iii) , then each contains exactly non-protected links.


We successively prove the three items in the proposition in the following.

(i) Note that contains exactly protected links. It is thus possible to construct a tree network among the set of nodes that consists of only protected links. Thus, no non-protected link is required, and the lower bound (point E in Fig. 2) can be reached.

(ii) Suppose that . If , we can construct any tree protected network on the nodes of . Further, construct a -Harary network on the nodes of , that is the nodes of type 1 and one node of type 2. Such construction is possible since . The total number of non-protected links is then exactly (point C in Fig. 2). Therefore, each node in is connected to other nodes, and the IoT network cannot be disconnected after removing non-protected links. In addition, the subnetwork 2 is resistant to any number of attack since it is constructed using all protected links. Note that the constructed Harary network here is optimal, in the sense that its configuration uses the least number of links for the IoT network being (, )-resistant.

Next, if , then suppose that a network achieves the lower bound . Consider its associated contracted network . Since contains protected links, then is such that . From the shape of the lower bound in the proof of Proposition 1, then necessarily and . Thus, all nodes in need to be connected together by protected links. Since , then it requires at least protected links, which equals . Thus, there cannot be any protected link involving nodes in set . In addition, each node in needs to be connected to at least other nodes in the IoT network. Since , then every node in should connect to at least number of nodes in . Recall that in a complete network of nodes, each node has a degree of , and the total number of links is . Hence, our IoT network admits a completed graph in with some extra non-protected links between two subnetworks, and in total at least non-protected links. Then, comparing with the lower bound, the extra number of links required is Thus, does not achieve the lower bound (point C in Fig. 2) when .

(iii) Finally, suppose that . We renumber the nodes in the network according to the following sequence: Intuitively, we interpose one node in after every nodes in . Then, we first build a -Harary network among all the nodes in and . Note that since , then the last indices of the sequence only contain nodes of type . Thus, by construction, there are no links between any two nodes in . Then, we can further construct a -Harary network on the nodes in , which is possible since . Thus, the constructed IoT network is (, )-resistant, and it is also optimal since it uses the minimum number of non-protected links. ∎

Proposition 2 and Fig. 2 indicate that depending on the system parameters () and for a given budget, the optimal IoT network can achieve at either point A, C or E with protected links, respectively. Notice that when , is not optimal at point C and the lower bound on the number of non-protected links is not attained. Instead, in this case, requires non-protected links in which are allocated between two subnetworks, introducing protection redundancy for nodes in . For the IoT network containing 0 protected link, it reaches the lower bound (point A) if we can construct a -Harary network for all nodes and an additional -Harary network for nodes only in . As mentioned before, the Harary network admits an optimal configuration with the maximum connectivity given a number of links [36].

Iii-C Optimal Strategy and Construction of IoT Networks

We investigate the optimal strategy and the corresponding construction for the IoT network designer in this section.

Iii-C1 Optimal Strategy

Before presenting the main result, we comment on the scenarios that we aim to study regarding the IoT networks.

  • First, the number of nodes is relatively large comparing with the link failure risks, i.e., and . Indeed, these two conditions indicate that the designer can create a secure two-layer IoT network solely using non-protected links.

  • We further have the condition , indicating that the type nodes with higher criticality levels in constitute a relatively small portion in the IoT network comparing with these in . This condition also aligns with the practice that the attacker has preferences on the nodes to compromise in the IoT which generally only contain a small subset of the entire network.

  • Finally, we have constraints and which are only used to simplify the presentation of the paper (whether the number of nodes and attacks is odd or even). However, they do not affect the results significantly. Note that different cases corresponding to or can be studied in a similar fashion as in our current context. The only difference is that for certain system parameters, is not an optimal strategy comparing with by following a similar analysis in [10].

Therefore, based on the above conditions, the scenarios that we analyze are quite general and conform with the situations in the adversarial IoT networks. Based on Proposition 2, we then obtain the following result on the optimal design of secure two-layer IoT networks. Note that the solution in Proposition 3 is optimal to the original optimization problem presented in Section II under the considered scenarios.

Proposition 3.

Under the conditions that , , , and , we have the following results:

  • Regime I: if , then:

    • if , then are optimal strategies.

    • if , then are optimal strategies.

    • if , then are optimal strategies.

  • Regime II: if , then:

    • when , the optimal IoT network design strategies are the same as those in regime I.

    • otherwise, i.e., , we obtain

      • if , then are optimal strategies.

      • if , then are optimal strategies.

      Thus, cannot be optimal in this scenario.


From Proposition 2 and under the assumptions in the current proposition, , and achieve the lower bounds of the number of links for the network being -resistant. In Fig. 2, note that the slope of the line between points A and C is , and between points C and E is , where we quantify the slopes in their absolute value sense.

In regime I, i.e., , we obtain , yielding that the line connecting points A and C has a higher slope than the one joining points C and E. Thus, if the lines of iso-costs have a slope higher than the slope of the line A-C, then the minimum cost is obtained at point A. Similarly, if the slope is less than that of line C-E, then the minimum cost is obtained at point E. Otherwise, the minimum is obtained at point C. Recall that the slope of the lines of iso-costs is equal to which leading to the result.

In the other regime II, i.e., , the slope of line A-C is not always greater than that of line C-E. Specifically, we obtain a threshold over which the slop of line C-E is greater than line A-C. Therefore, if , the optimal network design is the same as those in regime I. In addition, when , and if the slop of iso-costs lines, i.e., , is larger than the slope of the line connecting points A and E, the minimum cost is achieved at point A. Otherwise, if is smaller than the slop of line A-E, the optimal network configuration is obtained at point E. ∎

From Proposition 3, we can conclude that in regime I, i.e., , when the unit cost of protected links is relatively larger than the non-protected ones, then the secure IoT networks admit an strategy using all non-protected links. In comparison, the secure IoT networks are constructed with solely protected links when the cost per protected link is relatively small satisfying . Note that the optimal network design strategy in this regime can be achieved by protecting the minimum spanning tree for a connected network. Equivalently speaking, finding a spanning tree method provides an algorithmic approach to construct the optimal network in this regime. Finally, when the cost per protected link is intermediate, the network designer allocates protected links connecting those critical nodes in set while uses non-protected links to connect the nodes in . In addition, the intralinks between two subnetworks are non-protected ones.

Note that the specific configuration of the optimal IoT network is not unique according to Proposition 3. To enhance the system reliability and efficiency, the network designer can choose the one among all the optimal topology that minimize the communication distance between devices.

Since the cyber threat in subnetwork 2 is more severe than that in subnetwork 1, i.e., , thus the condition of regime II in Proposition 3 () is not generally satisfied. We further have the following Corollary refining the result of optimal IoT network design in regime II.

Corollary 2.

Only when two subnetworks facing the same level of cyber threats, i.e., , the optimal IoT network design follows the strategies in regime II. Moreover, cannot be an optimal network design in regime II.


Based on the condition , we obtain . Thus, when , the condition of regime II () cannot be satisfied. Since , then only yields . Therefore, always holds which leads to the result. ∎

We then simplify the conditions leading to regime I and II as follows.

Corollary 3.

The IoT network design can be divided into two regimes according to the cyber threat levels. Specifically, when , the optimal design strategy follows the one in regime I in Proposition 3, and otherwise () follows the one in regime II.

We illustrate the optimal design strategies in Fig. 5 according to the heterogeneous security requirements and link creation costs ratio.

Fig. 5: Optimal design of two-layer IoT networks in two regimes in terms of system parameters. When , the optimal network design follows from the strategies in regime I which can be in any , or depending on the value of . When , the IoT network designer chooses strategies from regime II, either of or in term of the link cost ratio .

Iii-C2 Robust Optimal Strategy

One interesting phenomenon is that some strategies are optimal for a class of security requirements. Thus, these strategies are robust in spite of the dynamics of cyber threat levels. We summarize the results in the following Corollary.

Corollary 4.

Consider to design a -resistant IoT network. If is the optimal strategy, then it is robust and optimal to security requirement for the network being -resistant, for all and all . If is the optimal strategy, then it is robust and optimal to cyber threat levels , for all . Furthermore, the optimal strategy is not robust to any other security standards , for and .

Corollary 4 has a natural understanding on the selection of robust strategies. When the cyber threat level increases, then the optimal network remains to be optimal since the network construction cost does not increase under . Under the optimal , subnetwork 2 is connected with all protected links and the rest is connected by a Harary network with the minimum cost. If subnetwork 2 faces more attacks, ( becomes larger), then is robust and optimal in the sense that subnetwork 2 remains secure and no other non-protected link is required.

Iii-C3 Construction of the Optimal Secure IoT Networks

We present the constructive methods of optimal IoT networks with parameters in different regimes based on Proposition 3.

Specifically, the optimal can be constructed by any tree network using protected links. In addition, the optimal networks can be constructed in two steps as follows. First, we create a tree protected network on the nodes of . Then, we construct a -Harary network on the nodes of , i.e., all nodes of type 1 and one node of type 2, where a constructive method of Harary network can be found in [36].

Finally, regarding the optimal network , we build it with the following procedure. First, we renumber the nodes according to the sequence:

Recall that this renumbering sequence can be achieved by interpolating one node in

after every nodes in . Then, we build a -Harary network among all the nodes in and . Finally, we construct a -Harary network on the nodes in .

Iii-C4 Consideration of Random Link Failures

In the considered model so far, the non-protected communication link between nodes is removed with probability 1 by the attack and remains connected without attack. In general, the non-protected links face random natural failures. If we consider this random failure factor, then there is a probability that the designed optimal network will be disconnected under the joint cyber attacks and failures. We assume perfect connection of protected links and denote the random failure probability of a non-protected link by

. Therefore, in the regime that the optimal network design is of Harary network where all links are non-protected, then under the anticipated level of cyber attacks, a single link failure of non-protected link will result in the network disconnection. Thus, the probability of network connection, i.e., mean connectivity, is equal to which is of order . Similarly, under the regime that the optimal network admits protected links and non-protected links, the probability of network connection under link failure is which is of order . We can see that in the above two regimes, when the security requirement is not relatively high and the size of the network is not large, the current designed optimal strategy gives a relatively high mean network connectivity. In the regime that the optimal network is constructed with all protected links, then the mean network connectivity is 1 where the random failure effect is removed.

Iv Case Studies

In this section, we use case studies of IoBT to illustrate the optimal design principals of secure networks with heterogeneous components. The results in this section are also applicable to other mission-critical IoT network applications.

The IoBT network designer determines the optimal strategy on creating links with/without protection between agents in the battlefield. The ground layer and aerial layer in IoBT generally face different levels of cyber threats which aim to disrupt the network communications. Since UAVs become more powerful in the military tasks, they are the primal targets of the attackers, and hence the UAV network faces an increasing number of cyber threats. In the following case studies, we investigate the scenario that the IoBT network designer anticipates more cyber attacks on the UAV network than the soldier and UGV networks. The cost ratio between forming a protected link and a unprotected link is critical in designing the optimal IoBT network. This ratio depends on the number of channels used in creating a safe link though MTD. We will analyze various cases in the following studies.

Iv-a Optimal IoBT Network Design

Consider an IoBT network consisting of soldiers and UAVs (). The designer aims to design the ground network and the UAV network resistant to and attacks, respectively. Hence the global IoBT network is -resistant. Based on Proposition 3, the system parameters satisfy the condition of regime I. Further, we have two critical points and , at which the topology of optimal IoBT network encounters a switching. For example, when a protected link adopts 3 channels to prevent from attacks, i.e., , the optimal IoBT network is an graph as shown in Fig. 6LABEL:sub@case_A_1. When a protected link requires 5 channels to be perfectly secure, i.e., , then the optimal IoBT network is of configuration which is depicted in Fig. 6LABEL:sub@case_A_2. In addition, if the cyber attacks are difficult to defend against (e.g., require 7 channels to keep a link safe, i.e., ), the optimal IoBT network becomes an graph as shown in F