1 Introduction

Many networks today require security properties such as data encryption and reliable transfer to the destination. Health care, rail, and power plant systems are some examples. In such systems an operator cannot afford to lose the connection between the control and management applications and the system's sensors and actuating equipment; a lost connection could have tragic consequences. In the case of power plants it could mean a huge disaster, which is why security in the sense of reliable transfer is very important. In health systems a reliable connection may be required for monitoring people, but also for performing medical operations through remote control of medical equipment such as a scalpel. Problems with rail equipment could cause a train accident. There are also many other systems in which a lost connection would cause real damage. Such systems are called critical infrastructure.

For critical infrastructure, more than one connection is usually prepared. For example, such systems can operate using cable and a 3G/4G/LTE connection concurrently. Unfortunately, in most cases the different connections are not operated simultaneously: systems switch between them when the operating connection collapses. When systems switch connections they can lose some data, and the loss of data can be very costly. In such systems much effort goes into appropriate data encryption, and the systems are usually well protected against unauthorized access to the network [3, 10, 25, 40]. In most cases the data are encrypted before being forwarded to the communication transmission layer. The worst situation is when the connection is lost, as mentioned above. To ensure that the data reach their destination, transmission control protocols are used, but this may not be enough. When the connection collapses and the system switches to another one, the transmission of the lost packet has to be repeated [12, 13, 15].
In many cases the system administrator does not know that using more than one network connection can increase both the transfer rate and the security level of the data transfer, understood here as the reliability of the transfer. How can this be achieved? When only one connection is used, a hacker can sniff all the data packets at a single place on the network, collect all the data, and then try to decode them. After some time the real information can be recovered. When more than one network connection is used, a hacker is forced to work at more spots to sniff the packets. Using more connections in parallel could improve security because in this scenario a hacker must be familiar with more than one transfer technology [11, 16, 22].

This chapter presents the Multipath Transmission Control Protocol (MPTCP), which is currently a ready-to-use technology that can provide the aforementioned functionality. One of the huge advantages of MPTCP is that it works at the operating system level, which makes it possible to use existing applications in a simple manner. MPTCP is presented with three schedulers: the existing one, a secure proposal, and finally one using Ordered Fuzzy Numbers (OFNs) for fast prediction of problems in the transmission [20, 38, 60]. Such a presentation lets us introduce OFNs as a ready-to-use solution that could also be used with other technologies to solve some real problems in IP networks. The chapter focuses on OFN usage in an already implemented technology such as MPTCP [26, 57, 62].

2 Multipath TCP

MPTCP builds on the concept of the Transmission Control Protocol (TCP) [9, 24, 39, 50]. TCP is used for delivering data between applications running on different machines on the network. It can send data in both directions between two hosts over an established connection. A unique identifier describes that connection; it consists of two pairs of values (one for each side of the connection), each an IP address and a port number [5, 27, 28]. Checksums and sequence numbers are used to ensure that the data are complete and in the appropriate order. These fields are shown in the TCP header presented in Fig. 15.1. When an application intends to establish a TCP connection, it has to exchange appropriate signals. This process is called a three-way handshake and is presented in Fig. 15.2. Host A sends a segment with the SYN flag set; host B then confirms receipt of the packet and sends back the SYN and ACK flags in response. Finally, host A sends an empty segment with only the ACK flag set in response to the previous message [34, 35, 36, 50].

One possible problem with TCP is the process of changing network connections, which involves changing one IP address to another. When a host switches from an Ethernet cable connection to Wi-Fi, it is assigned a different IP address. This triggers closing the existing TCP connections and resuming them. MPTCP is a set of extensions to the existing TCP specification. These extensions enable the client to establish more than one connection, each using a different network card, yet all reaching the same destination host. A big advantage of MPTCP is that fault-tolerant and efficient data connections are maintained this way between hosts while remaining compatible with the network infrastructure already in use. A possible way of establishing a connection using networks A and B is presented in Fig. 15.3.
Another MPTCP advantage is that it increases the throughput of data transfer. This approach should significantly improve congestion balance between network paths. Simultaneous enabling of MPTCP must not prevent connectivity on a path where regular TCP operates [33, 37, 53, 54]. As already mentioned, MPTCP is located at the transport layer and it is intended to be transparent to other layers: higher and lower ones, as presented in Fig. 15.4. MPTCP can be treated as an additional function of higher layers of the TCP standard.

Fig. 15.1 TCP header

Fig. 15.2 Three-way handshake

Fig. 15.3 N different TCP connections are represented as a single logical datum

Fig. 15.4 MPTCP in the stack

Fig. 15.5 Establishing connection

When a new connection of MPTCP should be established, a three-way handshake algorithm of TCP is used. This is presented in Fig. 15.5. The protocol is enhanced by a new feature that makes the difference as compared to standard TCP. The MP_CAPABLE option informs both hosts if the MPTCP connection can be established and if the data can be transmitted. The IP networks encompass many routers and switches working as intermediate boxes. Those boxes could complicate the process of establishing connections. For this reason it is insufficient to identify the connection pair (IP address and port number) of the source and destination hosts. MPTCP has extended TCP functionality by adding another option called MP_JOIN. This option is used for generating a new subflow of data. The process of adding a new subflow is presented in Fig. 15.6.

Fig. 15.6 Adding a new subflow into MPTCP

The process of adding a new subflow is done in the following steps.

  • In the first step the MP_JOIN option provides a token generated with the key (truncated hash of the key) created during the initial connection.

  • In the second step the exchange of HMAC (hash-based message authentication code) takes place.

  • In the third step the subflows are established, and MPTCP can use them to exchange data.
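The three steps above, as an added example that is not code from the chapter. It follows the MP_JOIN handshake as specified in RFC 6824 (MPTCP version 0), where the token is the most significant 32 bits of SHA-1 of the key and the HMAC is HMAC-SHA1 keyed with both connection keys over both nonces; the key values and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed 64-bit keys, standing in for those exchanged in MP_CAPABLE.
KEY_A = bytes.fromhex("0102030405060708")
KEY_B = bytes.fromhex("1112131415161718")

def token(key: bytes) -> bytes:
    """Connection token: most significant 32 bits of SHA-1(key)."""
    return hashlib.sha1(key).digest()[:4]

def join_hmac(own_key: bytes, peer_key: bytes,
              own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """HMAC-SHA1, key = own_key || peer_key, message = own_nonce || peer_nonce."""
    return hmac.new(own_key + peer_key, own_nonce + peer_nonce,
                    hashlib.sha1).digest()

def mp_join(initiator, responder, check_hmac_b: bool = True) -> str:
    """Run one MP_JOIN exchange and report where it ends.

    Each argument is (own_key, peer_key) as that host believes them.
    """
    a_key, a_peer = initiator
    b_key, b_peer = responder

    # Step 1: SYN + MP_JOIN carries the responder's token and a fresh nonce.
    nonce_a = os.urandom(4)
    if token(a_peer) != token(b_key):
        return "unknown-token"          # responder has no such connection

    # Step 2 (SYN/ACK): responder's nonce and HMAC-B truncated to 64 bits.
    nonce_b = os.urandom(4)
    hmac_b = join_hmac(b_key, b_peer, nonce_b, nonce_a)[:8]
    expected_b = join_hmac(a_peer, a_key, nonce_b, nonce_a)[:8]
    if check_hmac_b and not hmac.compare_digest(hmac_b, expected_b):
        return "bad-hmac-b"             # initiator rejects the responder

    # Step 2 (ACK): initiator sends the full 160-bit HMAC-A.
    hmac_a = join_hmac(a_key, a_peer, nonce_a, nonce_b)
    expected_a = join_hmac(b_peer, b_key, nonce_a, nonce_b)
    if not hmac.compare_digest(hmac_a, expected_a):
        return "bad-hmac-a"             # responder rejects the initiator

    # Step 3: the subflow is established and can carry data.
    return "established"

if __name__ == "__main__":
    print(mp_join((KEY_A, KEY_B), (KEY_B, KEY_A)))
```

The token only identifies the connection; it is the HMAC over both nonces that proves possession of the keys, so a host holding the token but not both keys ends at one of the `bad-hmac` results.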

Once the connection is established, each host can send data over any of the subflows. Furthermore, Fig. 15.7 presents the data transmitted over one subflow. If, for example, the packets numbered 4 and 7 are lost, they can be retransmitted over another subflow to recover the loss. Finally all the data packets reach the destination. There is a "subflow sequence number" in standard TCP that supports the reception of a single subflow and ensures detection of any data loss. MPTCP uses a "data sequence number" to sort the received data before passing them to the application [23, 51, 52, 55]. The MPTCP header is presented in Fig. 15.8. To inform the destination that the source has no more data to send, the source sends a "Data FIN" signal. Its operation is exactly the same as that of a TCP FIN in a standard TCP implementation.

Fig. 15.7 Error control in MPTCP

Fig. 15.8 MPTCP header (simplified diagram)

3 Multipath TCP Schedulers

Three schedulers are presented in the next three subsections: standard, secure, and with OFN usage.

3.1 Multipath TCP Standard Scheduler

In general, ordinary users who are connected to the Internet by their smartphones via Wi-Fi or a 3G network do not use these connections concurrently. They use them in series. The MPTCP is able to use both at the same time as shown in Fig. 15.9. If the standard TCP connection fails for some reason, it must be re-established. With MPTCP such a situation can be avoided by dynamic switching to the link. Therefore the user can avoid wasting time re-establishing connections. It enables the optimum data transfer rate selection.

Fig. 15.9 MPTCP on smartphones

The first mobile system that supports MPTCP [3, 31, 32, 56] is iOS 7. It ensures an uninterrupted transfer in case of failure of one connection or when the connection is aborted. At the moment, MPTCP is used in iOS 7 only for the transfer of Siri data. Siri is an intelligent personal assistant for smartphone users. Such a system of scheduling connections was originally proposed by the MPTCP authors.

3.2 Multipath TCP Secure Scheduler

Another possible MPTCP scheduler is a secure scheduler. As follows from the literature, MPTCP is able to increase the security level of the transmitted data by using many different links to reach the destination. This solution is contrary to the present methodology, which is based only on network protection [1, 2, 14, 17, 18, 61] and on network access control [7, 8, 29, 30, 58]. This scheduler treats the transmitted IP packets as raw binary data, which can be divided into blocks and then passed to the transmission layer. To protect the data from being sniffed by a hacker, the scheduling algorithm consists of the following steps:

  • Step 1. Data are divided into blocks.

  • Step 2. Data are assigned a special sequence number, data sequence number (DSN).

  • Step 3. Blocks are collected in a random sequence.

  • Step 4. Data are encoded.

  • Step 5. Blocks of data are passed to the MPTCP socket, which will transmit them to their destination.

  • Step 6. Receiver side collects the blocks of data.

  • Step 7. Data are decrypted.

  • Step 8. Receiver side connects the blocks of data in an appropriate order.

The process of dividing the data into blocks, assigning a special DSN (data sequence number) to it, and putting it in a random sequence (Steps 2 and 3), is shown in Fig. 15.10. Step 5 of the proposed algorithm is presented in Fig. 15.11. The data passed to the MPTCP socket is transmitted using different data connections in a parallel way. In the vulnerable spots, where the data can be sniffed, a hacker is able to get only a portion of transmitted data. These data do not carry any clue as to what part of the original data they are [4, 6, 41].

Fig. 15.10 Mixing data process

The process of mixing the original data blocks uses random sequence and is performed on the sender’s side, whereas the information about the appropriate sequence is passed to the receiver’s side using the DSN.

Fig. 15.11 Transmission process
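The scheduling part of the eight steps above (Steps 1 to 3, 5, 6 and 8), as an added example that is not the authors' implementation. The encryption of Steps 4 and 7 is left out, the function names and the payload are constructed, and striping the shuffled blocks round-robin over the subflows is an assumption about how Step 5 distributes them.

```python
import secrets

def make_blocks(data: bytes, size: int):
    """Steps 1-2: split the data and tag every block with its DSN."""
    return [(dsn, data[off:off + size])
            for dsn, off in enumerate(range(0, len(data), size))]

def schedule(blocks, n_paths: int, rng=None):
    """Steps 3 and 5: randomise block order, then stripe over the subflows."""
    if rng is None:
        rng = secrets.SystemRandom()      # OS CSPRNG, not the default PRNG
    mixed = list(blocks)
    rng.shuffle(mixed)
    paths = [[] for _ in range(n_paths)]
    for i, block in enumerate(mixed):
        paths[i % n_paths].append(block)  # round-robin (assumed policy)
    return paths

def exposure(path, total_len: int) -> float:
    """Fraction of the payload bytes that cross one path."""
    return sum(len(payload) for _, payload in path) / total_len

def missing_dsns(paths, n_blocks: int):
    """Step 6: DSNs that have not arrived on any of the given paths."""
    seen = {dsn for path in paths for dsn, _ in path}
    return sorted(set(range(n_blocks)) - seen)

def reassemble(paths, n_blocks: int) -> bytes:
    """Step 8: restore the original order using the DSN of each block."""
    missing = missing_dsns(paths, n_blocks)
    if missing:
        raise ValueError(f"blocks not yet received, DSN {missing}")
    received = [block for path in paths for block in path]
    return b"".join(payload
                    for _, payload in sorted(received, key=lambda b: b[0]))

def demo():
    """Constructed 1024-byte payload, 128-byte blocks, two subflows."""
    data = bytes(range(256)) * 4
    blocks = make_blocks(data, 128)
    paths = schedule(blocks, 2)
    return data, blocks, paths

if __name__ == "__main__":
    data, blocks, paths = demo()
    for n, path in enumerate(paths):
        print(f"path {n}: DSNs {[d for d, _ in path]}, "
              f"exposure {exposure(path, len(data)):.0%}")
    print("reassembled correctly:", reassemble(paths, len(blocks)) == data)
```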

3.3 Multipath TCP Scheduler with OFN Usage

As already mentioned above, MPTCP can increase network security regarding such parameters as a destination reachability and network reliability [42, 43, 48]. For any mentioned scheduler, a transmission error can occur at the used channel. The error can cause a need for data retransmission over the same channel, or if the number of errors grows, the channel can be closed and another connection used. Use of OFNs can increase the time of the data transmission link change or can decrease the number of retransmissions. OFNs can be used for predicting data loss in the used channel and may accelerate the decision on some changes such as quicker retransmission of packets or use of a different channel [45,46,47].

3.4 OFN for Problem Detection

An algorithm has been proposed for OFN use for detecting future problems in the used connection [19, 21, 44, 49, 59]. For this purpose the algorithm should measure a TCP retransmission in all used channels during the transmission as a percentage value of transmitted packets (during the given timeslot). This measurement should be continuous and statistics should be taken for specific timeslots. Four timeslots of a continuous measurement can be defined as follows.

$$\begin{aligned} t_{i}, t_{(i-1)}, t_{(i-2)}, t_{(i-3)} \end{aligned}$$
(15.1)

where \(t_{i}\) is a current timeslot.

All four measurements together make up a fuzzy number in OFN notation where

  • \(f_A (0)\) corresponds to \(t_{(i-3)}\).

  • \(f_A (1)\) corresponds to \(t_{(i-2)}\).

  • \(g_A (1)\) corresponds to \(t_{(i-1)}\).

  • \(g_A (0)\) corresponds to \(t_{i}\).

That fuzzy number in OFN notation is presented in Fig. 15.12. This is a definition of a fuzzy observance of a connection.

Fig. 15.12 Fuzzy number in OFN notation

Definition 1

Fuzzy observance of C router in time \(t_{i}\) is a set

$$\begin{aligned} C/t_{i}=\lbrace f_{C}(0)/t_{i-3} ,f_{C}(1)/t_{i-2} ,g_{C}(1)/t_{i-1} ,g_{C}(0)/t_{i}\rbrace \end{aligned}$$
(15.2)

where

$$\begin{aligned} \begin{array}{c} t_{i}>t_{i-1}>t_{i-2}>t_{i-3}\\ |t_{i}-t_{i-1} |=|t_{i-1}-t_{i-2} |=|t_{i-2}-t_{i-3} |=t_{n}, \mathrm{timeslot\, of \,the\, measurement} \\ f_{C} (0)\le f_{C} (1)\le g_{C} (1)\le g_{C} (0) \end{array} \end{aligned}$$

This provides Lemma 1.

Lemma 1

$$\begin{aligned} C_{positive}= \left\{ \begin{array}{lcl} f_C (0)<f_C (1)<g_C (1)\\ or\\ f_C (1)<g_C (1)<g_C (0)\\ \end{array} \right. \end{aligned}$$
(15.3)

In other situations \(C_{negative}\).

According to this definition, during observance of connections the counters should give:

  • Positive order of OFN when the packet retransmission count increases

  • Negative order of OFN when the packet retransmission count decreases

Fig. 15.13 Order interpretation in OFN notation

The interpretations of those orders are presented in Fig. 15.13. Then the statistics collected at each connection provide results for fuzzy number preparation. Fuzzy observance of the MPTCP connections can also be defined. Fuzzy observance of the MPTCP connections is defined as follows.

Definition 2

Fuzzy observance of the MPTCP connections is defined by the formula:

$$\begin{aligned} S_{m}= \sum _{i=1}^{n} \left\{ \begin{array}{ll} R_{positive}\vert R_{negative}\\ R_i*w_i \vert -R_i*w_i\\ \end{array} \right\} . \end{aligned}$$
(15.4)

where \(w_i\in \{w_1,...,w_n\}\) describes an impact on all connections.

This makes it possible to define the MPTCP scheduler with OFNs.

4 OFN Scheduler Algorithm

An algorithm proposed as OFNs used for transmission error anticipation consists of the following steps.

Step 1. Administrator declares \( w_i \) and \( L_i \) for all used connections, where \( w_i \) describes an impact on all connections, and \( L_i \) describes the load of all data that should be sent by those connections when the transmission starts. \( L_i \) should be provided as a percentage value.

Step 2. The amount of packets \( P_i \) that will be transferred over each connection for each timeslot is calculated using the formula:

$$\begin{aligned} P_i=\frac{L_i}{\sum _{i=1}^{n}}*Data \end{aligned}$$
(15.5)

Step 3. During the transmission \( C_i \) is calculated for each connection according to data retransmissions and \( S_i \) is calculated according to the given definition.

Step 4. When the calculated \( S_i \) is positive and exceeds the acceptance level AL, there is an error increase detected on this connection. In this situation \( L_i \) for a given connection will be changed according to the formula:

$$\begin{aligned} L_i=\frac{L_i}{ErrorCorector} \end{aligned}$$
(15.6)

When the calculated \( S_i \) is negative, there is an error decrease detected on this connection. In this situation \( L_i \) for a given connection will be changed according to the formula:

$$\begin{aligned} L_i=L_i*ErrorCorector \end{aligned}$$
(15.7)

The ErrorCorector is a value that describes how quickly the system should stop using a given connection in which the amount of errors has increased. This value should also be provided by the network administrator.
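One way to implement Steps 1 to 4, given as an added example that is not the authors' code. It uses the ErrorCorector, AL and starting loads that the chapter lists for its simulation; the retransmission percentages are constructed, and three points are assumptions: \( w_i = 1 \), \( R_i \) is taken to be the retransmission percentage of the current timeslot, and loads are rescaled to sum to 100 after each adjustment, with \( P_i \) proportional to \( L_i \).

```python
from collections import deque
from dataclasses import dataclass, field

ERROR_CORRECTOR = 2.0    # ErrorCorector from the chapter's simulation
ACCEPTANCE_LEVEL = 3.0   # AL from the chapter's simulation

@dataclass
class Connection:
    name: str
    load: float                      # L_i, percent of traffic on this link
    weight: float = 1.0              # w_i (assumed; the chapter gives no value)
    window: deque = field(default_factory=lambda: deque(maxlen=4))

    def observe(self, retrans_pct: float) -> None:
        """Record the retransmission percentage of the timeslot just ended."""
        self.window.append(retrans_pct)

    def order(self):
        """Lemma 1 over (f(0), f(1), g(1), g(0)) = (t_{i-3}, ..., t_i)."""
        if len(self.window) < 4:
            return None              # the OFN needs four timeslots
        f0, f1, g1, g0 = self.window
        rising = (f0 < f1 < g1) or (f1 < g1 < g0)
        return "positive" if rising else "negative"

    def score(self):
        """Signed term of Eq. 15.4; R_i assumed to be the latest percentage."""
        order = self.order()
        if order is None:
            return None
        r = self.window[-1] * self.weight
        return r if order == "positive" else -r

def rebalance(conns) -> None:
    """Step 4: apply Eq. 15.6 / 15.7, then rescale the loads to sum to 100."""
    for c in conns:
        s = c.score()
        if s is None:
            continue
        if s > ACCEPTANCE_LEVEL:
            c.load /= ERROR_CORRECTOR      # errors rising past AL
        elif s < 0:
            c.load *= ERROR_CORRECTOR      # errors falling
    total = sum(c.load for c in conns)
    for c in conns:
        c.load = 100.0 * c.load / total    # rescaling is an assumption

def packets_per_slot(conns, data: int) -> dict:
    """Step 2: packets per link out of `data`, proportional to L_i (assumed)."""
    total = sum(c.load for c in conns)
    return {c.name: round(c.load / total * data) for c in conns}

def demo():
    """Constructed retransmission percentages: C1 improves, C2 degrades."""
    c1, c2 = Connection("C1", 66.0), Connection("C2", 34.0)
    for r1, r2 in zip([2.0, 1.5, 1.0, 0.5], [1.0, 2.0, 4.0, 6.0]):
        c1.observe(r1)
        c2.observe(r2)
        rebalance([c1, c2])
    return packets_per_slot([c1, c2], 1000)
```

With these inputs the loads stay at 66/34 for the first three timeslots, because the OFN needs four measurements, and then shift towards C1 once the order on C2 is positive and its score exceeds AL.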

5 Simulation Test Results

To check an MPTCP scheduler with OFNs, some simulations were made. The system had two connection links. Connection 1, labeled C1, was a Wi-Fi connection with a maximum rate of 11 Mbit/s. The second connection, labeled C2, was an LTE connection with a maximum rate of 5 Mbit/s. The parameters of the algorithm were:

  • Corrector for the links \( ErrorCorector = 2 \).

  • Acceptance level \( AL = 3 \).

  • Load balance at the start for the connection C1 was \( L_1 = 66 \).

  • Load balance at the start for the connection C2 was \( L_2 = 34 \).

  • 60-second timeslots were used.

The results obtained by the applied algorithm according to load balancing between connections during data transfer are presented in Table 15.1. There were errors on measured data links and the OFN was calculated according to the presented algorithm. The number of packets transferred over each link was modified according to the level of errors and OFN order. When the percentage of errors increased, the number of packets passed to the link with problems (C2) was decreased. Obviously, the OFN was calculated after four timeslots.

Table 15.1 Normalized packets count on routers during test

Table 15.2 shows the number of packets passed to the connections and the number of packets that had to be retransmitted due to an error on the link when the MPTCP with and without the OFN algorithm was used. Note that the percentage of errors on the C2 link decreased. That is why there were fewer packets transferred during the network problems. The number of errors on the C1 connection increased because there were more packets transferred through this link. The most important column is a sum of errors in both links. When the algorithm decreased the number of packets passed through the C2 link, the sum of errors decreased even if the number of errors on the C2 link increased. The final results prove that the number of errors in the transmission can be decreased using OFNs in the MPTCP scheduler.

Table 15.2 Number of packets and errors during the transmission

6 Conclusions

The new concept of an MPTCP scheduler using OFNs presented herein was tested during a data transfer simulation. As shown in the previous section, with the proposed algorithm it is possible to decrease the retransmission count. This could be achieved because there were fewer packets transferred over the connection link where some problems were detected. This is a potential use of OFNs in a simple way intended to improve existing solutions such as MPTCP without complicated algorithms that require a great deal of processor capacity. The other advantages of using an OFN scheduler are that it could be connected with the presented secure scheduler and coexist on the transmissions. Such solutions present the huge potential of OFNs.