I Introduction
Internet of Things (IoTs) have witnessed a tremendous development with a variety of applications, such as virtual reality, intelligent supply chain [1] and smart home [2]. In this highly connected world, IoT devices are massively deployed and connected to cellular or cloud networks. For example, in smart grids, wireless sensors are adopted to collect the data of buses and power transmission lines. The collected data can then be sent to a supervisory control and data acquisition (SCADA) center through cellular networks for grid monitoring and decision planning purposes. Smart home is another example of IoT application. Various devices and appliances in a smart home including air conditioner, lights, TV, tablets, refrigerator and smart meter are interconnected through the cloud, improving the quality of the living.
IoT networks can be viewed as multilayer networks with the existing infrastructure networks (e.g., cloud and cellular networks) and the underlaid device networks. The connections between different objects in the IoT network can be divided into two types. Specifically, the communications between devices themselves are called interlinks, while the devices communicate with the infrastructure through intralinks. The connectivity of IoT networks plays an important role in information dissemination. On the one hand, devices can communicate directly with other devices in the underlaid network for local information. On the other hand, devices can also communicate with the infrastructure networks to maintain a global situational awareness. In addition, for IoT devices with insufficient onboard computational resources such as wearables and drones, they can outsource heavy computations to the data centers through cloud networks, and hence extend the battery lifetime. Vehicular network is an illustrative example for understanding the twotier feature of IoT networks [3]. In an intelligent transportation network, vehicletovehicle (V2V) communications enable two vehicles to communicate and exchange information, e.g., accidents, speed alerts, notifications. In addition, vehicles can also communicate with roadside infrastructures or units (RSU) that belong to one or several service providers for exchanging various types of data related to different applications including GPS navigation, parking and highway tolls inquiry. In this case, the vehicles form one network while the infrastructure nodes form another network. Due to the interconnections between two networks, vehicles can share information through infrastructure nodes or by direct V2V communications.
IoT communication networks are vulnerable to cyber attacks including the denialofservice (DoS) and jamming attacks [4]. To compromise the communication between two specific devices, the attacker can adopt the selective jamming attack [5, 6]. More specifically, the attacker selectively targets specific channels and packets which disrupts the communications by transmitting a highrange or highpower interference signal. This adversarial behavior leads to communication link removals in IoT network. Therefore, to maintain the connectivity of devices, IoT networks need to be secure and resistant to malicious attacks. For example, V2V communication links of a car can be jammed, and hence the car loses the realtime traffic information of the road which may further cause traffic delays and accidents especially in the futuristic selfdriving applications. Hence, IoT networks should be constructed in a tactic way by anticipating the cyber attacks. Internet of Battlefield Things (IoBT) is another example of missioncritical IoT systems. As depicted in Fig. 1, in IoBT networks, a team of unmanned aerial vehicles (UAVs) serves as one layer of wireless relay nodes for a team of unmanned ground vehicles (UGVs) and soldiers equipped with wearable devices to communicate between themselves or exchange critical information with the commandandcontrol nodes. The UAV network and the ground network naturally form a twolayer network in a battlefield which can be susceptible to jamming attacks. It is essential to design communication networks that can allow the IoBT networks to be robust to natural failures and secure to cyber attacks in order to keep a highlevel situational awareness of agents in a battlefield.
Due to heterogeneous and multitier features of the IoT networks, the required security levels can vary for different networks. For example, in IoBT networks, the connectivity of UAV networks requires a higher security level than the ground network if the UAVs are more likely to be targeted by the adversary. Similarly, in vehicular networks, the communication links between RSUs need a highlevel protection when they anticipate more attacks than the vehicles do. Therefore, it is imperative to design secure IoT networks resistant to link attacks and maintain the twolayer network connectivity with heterogeneous security requirements simultaneously. To this end, we present a heterogeneous IoT network design framework in which network links are vulnerable to malicious attacks. To enhance the security and the robustness of the network, an IoT network designer can add extra links to provide additional communication paths between two nodes or secure links against failures by investing resources to protect the links. To allocate links, note that when the nodes in the IoT network are within a short distance, then the classical wireless communication technologies can be adopted including WiFi, Bluetooth, and Zigbee. In comparison, when the distance is large, then one option that has recently emerged is called ultra narrow band (UNB) [7] that uses the random frequency and time multiple access [8]. The UNB is dedicated for missioncritical IoT systems for providing reliable communication services in long range. The goal of the multitier network design is to make the network connectivity resistant to link removal attacks by anticipating the worst attack behaviors. Different from previous works [9, 10] which have focused on the secure design of singlelayer networks, in our current work, the network designer needs to take into account the heterogeneous features of the IoT networks by imposing different security requirements on each layer which presents a new set of challenges for network design.
In this paper, we focus on a twolayer IoT network and aim to design each network resistant to different number of link failures with minimum resources. We characterize the optimal strategy of the secure network design problem by first developing a lower bound on the number of links a secure network requires for a given budget of protected links. Then, we provide necessary and sufficient conditions under which the bounds are achieved and present a method to construct an optimal network that satisfies the heterogeneous network design specifications with the minimum cost. Furthermore, we characterize the robust network topologies which optimally satisfy a class of security requirements. These robust optimal networks are applicable to the cases when the cyber threats are not perfectly perceived or change dynamically, typically happening in the missioncritical scenarios when the attacker’s action is partially observable.
Finally, we use IoBT as a case study to illustrate the analytical results and obtain insights in designing secure networks. We consider a missioncritical battlefield scenario in which the UAV network anticipates higher cyber threats than the soldier network, and the number of UAVs is less than the number of soldiers. We observe that as the cost of forming a protected communication link becomes smaller, more secure connections are formed in the optimal IoBT network. In addition, the designed network is resilient to the change of agents in the battlefield. We also study the reconfiguration and resilience of the UAV network as nodes leave and join the battlefield.
The main contributions of this paper are summarized as follows:

We propose a twolayer heterogeneous framework for IoT networks consisting of various devices, where each layer network faces different levels of cyber threats.

By utilizing the tools from graph theory and optimization, we analyze the lower bounds of the number of required links for the IoT network being connected by anticipating the worst case attacks.

We derive optimal strategies for creating secure twolayer IoT networks with heterogeneous security requirements and provide their construction guidelines under different regimes in terms of threat levels and number of nodes. We also identify the robust optimal strategies for the IoT network with dynamic cyber threat levels.

We apply the optimal design principles to crucial IoBT scenarios and provide insights into the design of secure and resilient interdependent UAV and soldier networks in the IoBT.
Ia Related Work
Due to the increasing cyber threats, IoT security becomes a critical concern nowadays [11]. Depending on the potential of cyber attackers, IoT networks face heterogeneous types of attacks [12]. For example, attackers can target the edge computing nodes in IoT, e.g., RFID readers and sensor nodes. Some typical adversarial scenarios include the node replication attack by replicating one node’s identification number [13], DoS by battery draining, sleep deprivation, and outage attacks [14, 15]. The attackers can also launch attacks through the IoT communication networks. Quintessential examples include the eavesdropping attack where the attacker captures the private information over the channel, and utilizes the information to design other tailored attacks [16]. Another example is the data injection attack where the attacker can inject fraudulent packets into IoT communication links through insertion, manipulation, and replay techniques [17]. In our work, we focus on the jamming and DoS attacks which lead to the link removal in IoT communication networks.
To mitigate the cyber threats in IoT, a large number of works have focused on addressing the security issues by using different methodologies [4]. A contracttheoretic approach has been adopted to guarantee the performance of security services in the Internet of controlled things [18, 19] and mitigate the systemic cyber risks [20]. The authors in [21] have proposed a mediaaware security architecture for facilitating multimedia applications in the IoT. [22] has proposed a dynamic game model including preattack defense and postattack recovery phases in designing resilient IoTenabled infrastructure networks. Strategic security investment under bounded rationality in IoT has been studied in [23, 24]. The authors in [25] have developed an interdependent strategic trust mechanism to defend against cyber attacks in IoT.
In this work, we investigate the secure design of IoT network by considering its connectivity measure [9, 10, 26, 27] through the lens of graph theory [28]. Comparing with the previous works [9, 10] that have focused on a singlelayer adversarial network design, we model the IoT as a twolayer network and strategically design each layer of the network with heterogeneous security requirements. The current work is also related to the secure and resilient interdependent critical infrastructures [29, 30, 31, 32, 33] in which a holistic design approach is required.
IB Organization of the Paper
The rest of the paper is organized as follows. Section II formulates the heterogeneous twolayer IoT network design framework. Analytical results including the lower bounds of links and optimal IoT network design strategies are presented in Section III. Case studies of IoBT networks are provided in Section IV, and Section V concludes the paper.
Ii Heterogeneous TwoLayer IoT Network
Design Formulation
In this section, we formulate a twolayer secure IoT network design problem. Due to the heterogeneous features of IoT networks, the devices at each layer face different levels of cyber threats. To maintain the global situational awareness, the designer aims to devise an IoT network with a minimum cost, where each layer of IoT network should remain connected in the presence of a certain level of adversarial attacks.
Specifically, we model the twolayer IoT network with two sets of devices or nodes^{1}^{1}1Nodes and vertices in the IoT network refer to the devices, and they are used interchangeably. Similar for the terms edges and links. denoted by and . Each set of nodes is of a different type. Specifically, denote by and the number of nodes of type and , respectively, where denotes the cardinality of a set. We unify them to vertices that are numbered from to starting from nodes in . Thus, a node labeled is of type if and only if . Note that each set of nodes forms an IoT subnetwork. Together with the interconnections between two sets of nodes, the subnetworks form a twolayer IoT network. Technically, the communication protocols between nodes within and across different layers can be either the same or heterogeneous depending on the adopted technology by considering the physical distance constraints. Furthermore, the nodes’ functionality can be different in two subnetworks depending on their specific tasks. In this paper, our focus lies in the highlevel of network connectivity maintenance.
In standard graph theory, an edge (or a link) is an unordered pair of vertices: , , where is a set including all the pairs of integers between 1 and . We recall that two vertices (nodes) and are said connected in a graph of nodes and a set of edges if there exists a path between them, i.e., a finite alternating sequence of nodes and distinct links: , where and for all .
In our IoT networks, the communication links (edges) are vulnerable to malicious attacks, e.g., jamming and DoS, which result in link removals. To keep the IoT network resistant to cyber attacks, the network designer can either invest (i) in redundancy of the path, i.e., using extra links so that two nodes can communicate through different paths, or (ii) in securing its links against failures where we refer to these special communication edges as protected links. These protected links can be typically designed using moving target defense (MTD) strategies, where the designer randomizes the usage of communication links among multiple created channels between two nodes [34]. More precisely, we consider that for the designer, the cost per nonprotected link created is and the cost per protected link created is . It is natural to have since creation of a protected link is more costly than that of a nonprotected one. For clarity, we assume that the costs of protected or nonprotected links at two different layers are the same. If the costs of creating links are different in two subnetworks, then the network designer needs to capture this link creation difference in his objective [35]. Let be the set of nonprotected links and be the set of protected links in the IoT network, and . In this work, we assume that the protection is perfect, i.e., links will not fail under attacks if they are protected. Therefore, an adversary does not have an incentive to attack protected links. Denote the strategy of the attacker by , then it is sufficient to consider attacks on a set of links . Furthermore, we assume that the network designer can allocate links between any nodes in the network. In the scenarios that setting up communication links between some nodes is not possible, then the network designer needs to take into account this factor as constraints when designing networks.
The heterogeneous features of IoT networks naturally lead to various security requirements for devices in each subnetwork. Hence, we further consider that the nodes in IoT network have different criticality levels ( and for nodes of type and , respectively, with , where denotes a set of integers between and ). It means that subnetworks 1 and 2 should remain connected after the compromise of any and links in , respectively. Thus, the designer needs to prepare for the worst case of link removal attacks when designing the twolayer IoT network. Our problem is beyond the robust network design where the link communication breakdown is generally caused by nature failures. In this paper, we consider the link removal which is a consequence of cyber attacks, e.g., jamming and DoS attack. Furthermore, in our problem formulation, the network designer can allocate protected links which can be seen as a security practice, and he takes into account the strategic behavior of attackers, and designs the optimal secure networks. Without loss of generality, we have the following two assumptions:

.

, .
Specifically, (A1) indicates that the IoT devices in subnetwork 2 are relatively more important than those in subnetwork 1, and thus subnetwork 2 should be more resistant to cyber attacks. Another interpretation of (A1) can also be that subnetwork 2 faces a higher level of cyber threats, and the network designer needs to prepare a higher security level for subnetwork 2. In addition, (A2) ensures that no IoT subnetwork is empty.
More precisely, consider a set of vertices and edges . The IoT network designer needs to guarantee the following two cases:

if , then all nodes remain attainable in the presence of attacks, i.e., , there exists a path in the graph between and .

if , nodes of type remain attainable after attacks, i.e., , there exists a path in the graph between and .
Remark: We denote the designed network satisfying (a) and (b) above by , and call such heterogeneous IoT networks resistant (with ). The proposed resistant metric provides a flexible network design guideline by specifying various security requirements on different network components. Furthermore, in this work, we care about each node’s degree which requires an explicit agentlevel quantification. Then, the resistant metric is more preferable than measure of the proportion of links in each subnetwork, where the latter metric only gives a macroscopic description of the link allocation over two subnetworks.
Given the system’s parameters , , , and , an optimal strategy for the IoT network designer is the choice of a set of links which solves the optimization problem:
s.t.  
From the above optimization problem, the optimal network design cost directly depends on and . In addition, as we will analyze in Section III, the cost ratio plays a critical role in the optimal strategy design.
Under the optimal design strategy, compromising a node with low degree, i.e., degree in subnetwork 1 and degree in subnetwork 2, is not feasible for the attacker, since the degree of any nodes without protected link in the network is larger than or depending on the nodes’ layers.
Note that the above designer’s constrained optimization problem is not straightforward to solve. First, the size of search space increases exponentially as the number of nodes in the IoT network grows. Therefore, we need to find a scalable method to address the optimal network design. Second, the heterogeneous security requirements make the problem more difficult to solve. On the one hand, two subnetworks are separate since they have their own design standards. On the other hand, we should tackle these two layers of network design in a holistic fashion due to their natural couplings.
Iii Analytical Results and Optimal IoT Network Design
In this section, we provide an analytical study of the designer’s optimal strategy, i.e., the optimal twolayer IoT network design.
We first develop, for given system parameters , , , , and , and for each possible number of protected links , a lower bound on the number of nonprotected links that have any resistant network with protected links (Section IIIA). Then, we study three important cases, namely when takes values , and , and present for each of them sufficient conditions under which the lower bounds are attained (Section IIIB). Based on this study, we can obtain the main theoretical results of this paper, which include the optimal strategy for the designer, i.e., a resistant IoT network with the minimal cost, as well as the robust optimal strategy, and constructive methods of an optimal IoT network (Section IIIC).
Iiia A Lower Bound on the Number of (NonProtected) Links
Recall that the system parameters are , , , , and (corresponding to the set of nodes of criticality level and , the values of criticality, and the unitary cost of creating protected and nonprotected links). We first address the question of a lower bound on the cost for the designer with an additional constraint on the number of protected links in the network. Since the cost is linear with the number of nonprotected links, it amounts to finding a lower bound on the number of nonprotected links that are required in any resistant network with protected links.
Let be a resistant network containing protected links. Then, we have the following proposition on the lower bound .
Proposition 1 (Lower bound on ).
The number of nonprotected links of is at least of

if ,

if ,

if .
Note that takes integer values in each regime. The results are further illustrated in Fig. 2.
Before proving Proposition 1, we first present the notion of network contraction in the following.
Network Contraction: Let be a network. Given a link , the network denoted by refers to the one obtained by contracting the link ; i.e., by merging the two nodes and into a single node (supernode). Note that any node is adjacent to the (new) node in if and only if is adjacent to or in the original network . In other words, all links, other than those incident to neither nor , are links of if and only if they are links of . Then , the contraction of network , is the (uniquely defined) network obtained from by sequences of link contractions for all links in [10].
For clarity, we illustrate the contraction of a network in Fig. 3. This example consists of nodes and protected links (represented in bold lines between nodes and and between nodes and ). The link is contracted and thus both nodes and in are merged into a single node denoted by in . Similarly the link is contracted. The resulting network thus consists of node and supernodes and . Since contains a link between nodes and in , then nodes and are connected through a link in network . Similarly, since nodes and are adjacent in , then supernodes and are adjacent in network .
Based on network contraction, we present the proof of Proposition 1 as follows.
Proof.
Consider an IoT network including protected links, and as its contraction. Let

be the number of nodes of type in (and supernodes containing only nodes of type ),

be the number of nodes of type in (and supernodes containing only nodes of type ),

be the number of supernodes in that contains nodes of both type and .
Note that if , (i.e., if there is a unique supernode containing all nodes of the network), then no nonprotected link is needed to ensure any level of resistancy. Otherwise, for the IoT network to be resistant, each element of , and must have a degree of (at least) . Further, if there exist more than one element not in ; i.e., if , then each of them should have a degree of (at least) .
Thus, a lower bound on the number of nonprotected links in is
Next, we focus on the study of parameters , and . If no protected link is used, i.e., , then , and and . Adding any protection allows to decrease the total number of elements by (or to remain constant if the link induce a loop in a protected component of ). Thus . Similarly, for each subnetwork, we have and . Further, the number of elements of and are upper bounded by the number of nodes of type and type 2 , respectively, i.e., and . Finally, since then , and since then . Thus, for any , a lower bound on the number of nonprotected links in can be obtained by solving the following optimization problem:
(1) 
To solve this optimization problem, we consider three cases.
Case 1: First, assume that . From , we obtain that . Thus, (1) reduces to with the same constraints as in (1) except .
Since , then the minimum of the objective is obtained when is minimized, i.e., when all protections involve nodes of type . Then, . Thus, the lower bound is equal to . This result is illustrated by the line joining points A and B in Fig. 2.
Case 2: Assume that . Then . Therefore, for a given , i.e., for a given minimal value of , we can have either or . Then, the lower bound of the number of nonprotected links is . Recall that , and therefore the lower bound achieves at . This observation is illustrated by the line in Fig. 2 joining points C and D.
Case 3: Finally, when , , and thus no nonprotected link is needed, which is represented by point E in Fig. 2. ∎
Based on Proposition 1, we further comment on the locations where protected and nonprotected links are placed in the twolayer IoT networks.
Corollary 1.
When , the protected links purely exist in subnetwork 2. When , subnetwork 2 only contains protected links, and nonprotected links appear in subnetwork 1 or between two layers. When , then all nodes in the twolayer IoT network are connected with protected links.
Corollary 1 has a natural interpretation that the protected link resources are prior to be allocated to a subnetwork facing higher cyber threats, i.e., subnetwork 2 in our setting.
IiiB Networks with Special Values of Protected Links
In the previous Section IIIA, we have studied for each potential number of protected links , a lower bound on the minimum number of nonprotected links for an IoT network with sets of nodes and being resistant. Then, the cost associated with such networks is
where . Since the goal of the designer is to minimize its cost, we need to investigate the value of minimizing such function .
In Fig. 2, we note that the plot of a network of equal cost (isocost) is a line of equation . It is thus a line of (negative) slope that crosses the axis at point . Recall also that the graph that shows as a function of is on the upperright quadrant of its lower bound. Thus, the optimal value of corresponds to the point where an isocost line meets the graph for the minimal value . From the shape of the lower bound drawn in Fig. 2, the points A, C and E are selected candidates leading to the optimal network construction cost. We thus investigate in the following the condition under which the lower bounds are reached at these critical points as well as the corresponding configuration of the optimal twolayer IoT networks.
Remark: Denote by a (, )resistant IoT network with protected links and the minimum number of nonprotected links.
Before presenting the result, we first present the definition of Harary network in the following. Recall that for a network containing nodes being resistant to link attacks, one necessary condition is that each node should have a degree of at least , yielding the total number of links more than . Here, denotes the ceiling operator. Harary network below can achieve this bound.
Definition 1 (Harary Network [36]).
In a network containing nodes, Harary network is the optimal design that uses the minimum number of links equaling for the network still being connected after removing any links.
The constructive method of general Harary network can be described with cycles as follows. It first creates the links between node and node such that , and then
, etc. When the number of nodes is odd, then the last cycle of link creation is slightly different since
is not an integer. However, the bound can be still be achieved. For clarity, we illustrate three cases in Fig. 4 with under different security levels . Since Harary network achieves the bound , its computational cost of the construction is linear in both the number of nodes and the security level .Then, we obtain the following result.
Proposition 2.
For the number of protected links taking values of , and , we successively have:

each contains exactly nonprotected link.

each contains exactly nonprotected links if and only if .

if we have the following asumptions: (i) , where denotes the modulus operator, (ii) and (iii) , then each contains exactly nonprotected links.
Proof.
We successively prove the three items in the proposition in the following.
(i) Note that contains exactly protected links. It is thus possible to construct a tree network among the set of nodes that consists of only protected links. Thus, no nonprotected link is required, and the lower bound (point E in Fig. 2) can be reached.
(ii) Suppose that . If , we can construct any tree protected network on the nodes of . Further, construct a Harary network on the nodes of , that is the nodes of type 1 and one node of type 2. Such construction is possible since . The total number of nonprotected links is then exactly (point C in Fig. 2). Therefore, each node in is connected to other nodes, and the IoT network cannot be disconnected after removing nonprotected links. In addition, the subnetwork 2 is resistant to any number of attack since it is constructed using all protected links. Note that the constructed Harary network here is optimal, in the sense that its configuration uses the least number of links for the IoT network being (, )resistant.
Next, if , then suppose that a network achieves the lower bound . Consider its associated contracted network . Since contains protected links, then is such that . From the shape of the lower bound in the proof of Proposition 1, then necessarily and . Thus, all nodes in need to be connected together by protected links. Since , then it requires at least protected links, which equals . Thus, there cannot be any protected link involving nodes in set . In addition, each node in needs to be connected to at least other nodes in the IoT network. Since , then every node in should connect to at least number of nodes in . Recall that in a complete network of nodes, each node has a degree of , and the total number of links is . Hence, our IoT network admits a completed graph in with some extra nonprotected links between two subnetworks, and in total at least nonprotected links. Then, comparing with the lower bound, the extra number of links required is Thus, does not achieve the lower bound (point C in Fig. 2) when .
(iii) Finally, suppose that . We renumber the nodes in the network according to the following sequence: Intuitively, we interpose one node in after every nodes in . Then, we first build a Harary network among all the nodes in and . Note that since , then the last indices of the sequence only contain nodes of type . Thus, by construction, there are no links between any two nodes in . Then, we can further construct a Harary network on the nodes in , which is possible since . Thus, the constructed IoT network is (, )resistant, and it is also optimal since it uses the minimum number of nonprotected links. ∎
Proposition 2 and Fig. 2 indicate that depending on the system parameters () and for a given budget, the optimal IoT network can achieve at either point A, C or E with protected links, respectively. Notice that when , is not optimal at point C and the lower bound on the number of nonprotected links is not attained. Instead, in this case, requires nonprotected links in which are allocated between two subnetworks, introducing protection redundancy for nodes in . For the IoT network containing 0 protected link, it reaches the lower bound (point A) if we can construct a Harary network for all nodes and an additional Harary network for nodes only in . As mentioned before, the Harary network admits an optimal configuration with the maximum connectivity given a number of links [36].
IiiC Optimal Strategy and Construction of IoT Networks
We investigate the optimal strategy and the corresponding construction for the IoT network designer in this section.
IiiC1 Optimal Strategy
Before presenting the main result, we comment on the scenarios that we aim to study regarding the IoT networks.

First, the number of nodes is relatively large comparing with the link failure risks, i.e., and . Indeed, these two conditions indicate that the designer can create a secure twolayer IoT network solely using nonprotected links.

We further have the condition , indicating that the type nodes with higher criticality levels in constitute a relatively small portion in the IoT network comparing with these in . This condition also aligns with the practice that the attacker has preferences on the nodes to compromise in the IoT which generally only contain a small subset of the entire network.

Finally, we have constraints and which are only used to simplify the presentation of the paper (whether the number of nodes and attacks is odd or even). However, they do not affect the results significantly. Note that different cases corresponding to or can be studied in a similar fashion as in our current context. The only difference is that for certain system parameters, is not an optimal strategy comparing with by following a similar analysis in [10].
Therefore, based on the above conditions, the scenarios that we analyze are quite general and conform with the situations in the adversarial IoT networks. Based on Proposition 2, we then obtain the following result on the optimal design of secure twolayer IoT networks. Note that the solution in Proposition 3 is optimal to the original optimization problem presented in Section II under the considered scenarios.
Proposition 3.
Under the conditions that , , , and , we have the following results:

Regime I: if , then:

if , then are optimal strategies.

if , then are optimal strategies.

if , then are optimal strategies.


Regime II: if , then:

when , the optimal IoT network design strategies are the same as those in regime I.

otherwise, i.e., , we obtain

if , then are optimal strategies.

if , then are optimal strategies.
Thus, cannot be optimal in this scenario.


Proof.
From Proposition 2 and under the assumptions in the current proposition, , and achieve the lower bounds of the number of links for the network being resistant. In Fig. 2, note that the slope of the line between points A and C is , and between points C and E is , where we quantify the slopes in their absolute value sense.
In regime I, i.e., , we obtain , yielding that the line connecting points A and C has a higher slope than the one joining points C and E. Thus, if the lines of isocosts have a slope higher than the slope of the line AC, then the minimum cost is obtained at point A. Similarly, if the slope is less than that of line CE, then the minimum cost is obtained at point E. Otherwise, the minimum is obtained at point C. Recall that the slope of the lines of isocosts is equal to which leading to the result.
In the other regime II, i.e., , the slope of line AC is not always greater than that of line CE. Specifically, we obtain a threshold over which the slop of line CE is greater than line AC. Therefore, if , the optimal network design is the same as those in regime I. In addition, when , and if the slop of isocosts lines, i.e., , is larger than the slope of the line connecting points A and E, the minimum cost is achieved at point A. Otherwise, if is smaller than the slop of line AE, the optimal network configuration is obtained at point E. ∎
From Proposition 3, we can conclude that in regime I, i.e., , when the unit cost of protected links is relatively larger than the nonprotected ones, then the secure IoT networks admit an strategy using all nonprotected links. In comparison, the secure IoT networks are constructed with solely protected links when the cost per protected link is relatively small satisfying . Note that the optimal network design strategy in this regime can be achieved by protecting the minimum spanning tree for a connected network. Equivalently speaking, finding a spanning tree method provides an algorithmic approach to construct the optimal network in this regime. Finally, when the cost per protected link is intermediate, the network designer allocates protected links connecting those critical nodes in set while uses nonprotected links to connect the nodes in . In addition, the intralinks between two subnetworks are nonprotected ones.
Note that the specific configuration of the optimal IoT network is not unique according to Proposition 3. To enhance the system reliability and efficiency, the network designer can choose the one among all the optimal topology that minimize the communication distance between devices.
Since the cyber threat in subnetwork 2 is more severe than that in subnetwork 1, i.e., , thus the condition of regime II in Proposition 3 () is not generally satisfied. We further have the following Corollary refining the result of optimal IoT network design in regime II.
Corollary 2.
Only when two subnetworks facing the same level of cyber threats, i.e., , the optimal IoT network design follows the strategies in regime II. Moreover, cannot be an optimal network design in regime II.
Proof.
Based on the condition , we obtain . Thus, when , the condition of regime II () cannot be satisfied. Since , then only yields . Therefore, always holds which leads to the result. ∎
We then simplify the conditions leading to regime I and II as follows.
Corollary 3.
The IoT network design can be divided into two regimes according to the cyber threat levels. Specifically, when , the optimal design strategy follows the one in regime I in Proposition 3, and otherwise () follows the one in regime II.
We illustrate the optimal design strategies in Fig. 5 according to the heterogeneous security requirements and link creation costs ratio.
IiiC2 Robust Optimal Strategy
One interesting phenomenon is that some strategies are optimal for a class of security requirements. Thus, these strategies are robust in spite of the dynamics of cyber threat levels. We summarize the results in the following Corollary.
Corollary 4.
Consider to design a resistant IoT network. If is the optimal strategy, then it is robust and optimal to security requirement for the network being resistant, for all and all . If is the optimal strategy, then it is robust and optimal to cyber threat levels , for all . Furthermore, the optimal strategy is not robust to any other security standards , for and .
Corollary 4 has a natural understanding on the selection of robust strategies. When the cyber threat level increases, then the optimal network remains to be optimal since the network construction cost does not increase under . Under the optimal , subnetwork 2 is connected with all protected links and the rest is connected by a Harary network with the minimum cost. If subnetwork 2 faces more attacks, ( becomes larger), then is robust and optimal in the sense that subnetwork 2 remains secure and no other nonprotected link is required.
IiiC3 Construction of the Optimal Secure IoT Networks
We present the constructive methods of optimal IoT networks with parameters in different regimes based on Proposition 3.
Specifically, the optimal can be constructed by any tree network using protected links. In addition, the optimal networks can be constructed in two steps as follows. First, we create a tree protected network on the nodes of . Then, we construct a Harary network on the nodes of , i.e., all nodes of type 1 and one node of type 2, where a constructive method of Harary network can be found in [36].
Finally, regarding the optimal network , we build it with the following procedure. First, we renumber the nodes according to the sequence:
Recall that this renumbering sequence can be achieved by interpolating one node in
after every nodes in . Then, we build a Harary network among all the nodes in and . Finally, we construct a Harary network on the nodes in .IiiC4 Consideration of Random Link Failures
In the considered model so far, the nonprotected communication link between nodes is removed with probability 1 by the attack and remains connected without attack. In general, the nonprotected links face random natural failures. If we consider this random failure factor, then there is a probability that the designed optimal network will be disconnected under the joint cyber attacks and failures. We assume perfect connection of protected links and denote the random failure probability of a nonprotected link by
. Therefore, in the regime that the optimal network design is of Harary network where all links are nonprotected, then under the anticipated level of cyber attacks, a single link failure of nonprotected link will result in the network disconnection. Thus, the probability of network connection, i.e., mean connectivity, is equal to which is of order . Similarly, under the regime that the optimal network admits protected links and nonprotected links, the probability of network connection under link failure is which is of order . We can see that in the above two regimes, when the security requirement is not relatively high and the size of the network is not large, the current designed optimal strategy gives a relatively high mean network connectivity. In the regime that the optimal network is constructed with all protected links, then the mean network connectivity is 1 where the random failure effect is removed.Iv Case Studies
In this section, we use case studies of IoBT to illustrate the optimal design principals of secure networks with heterogeneous components. The results in this section are also applicable to other missioncritical IoT network applications.
The IoBT network designer determines the optimal strategy on creating links with/without protection between agents in the battlefield. The ground layer and aerial layer in IoBT generally face different levels of cyber threats which aim to disrupt the network communications. Since UAVs become more powerful in the military tasks, they are the primal targets of the attackers, and hence the UAV network faces an increasing number of cyber threats. In the following case studies, we investigate the scenario that the IoBT network designer anticipates more cyber attacks on the UAV network than the soldier and UGV networks. The cost ratio between forming a protected link and a unprotected link is critical in designing the optimal IoBT network. This ratio depends on the number of channels used in creating a safe link though MTD. We will analyze various cases in the following studies.
Iva Optimal IoBT Network Design
Consider an IoBT network consisting of soldiers and UAVs (). The designer aims to design the ground network and the UAV network resistant to and attacks, respectively. Hence the global IoBT network is resistant. Based on Proposition 3, the system parameters satisfy the condition of regime I. Further, we have two critical points and , at which the topology of optimal IoBT network encounters a switching. For example, when a protected link adopts 3 channels to prevent from attacks, i.e., , the optimal IoBT network is an graph as shown in Fig. 6LABEL:sub@case_A_1. When a protected link requires 5 channels to be perfectly secure, i.e., , then the optimal IoBT network is of configuration which is depicted in Fig. 6LABEL:sub@case_A_2. In addition, if the cyber attacks are difficult to defend against (e.g., require 7 channels to keep a link safe, i.e., ), the optimal IoBT network becomes an graph as shown in F