Author’s Accepted Manuscript
Epidemic Data Survivability in Unattended Wireless Sensor Networks: New Models and Results
Giulio Aliberti, Roberto Di Pietro, Stefano Guarino
www.elsevier.com/locate/jnca
PII: S1084-8045(17)30299-0
DOI: https://doi.org/10.1016/j.jnca.2017.09.008
Reference: YJNCA1975
To appear in: Journal of Network and Computer Applications
Received date: 17 October 2016
Revised date: 24 March 2017
Accepted date: 14 September 2017
Cite this article as: Giulio Aliberti, Roberto Di Pietro and Stefano Guarino, Epidemic Data Survivability in Unattended Wireless Sensor Networks: New Models and Results, Journal of Network and Computer Applications, https://doi.org/10.1016/j.jnca.2017.09.008
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting galley proof before it is published in its final citable form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
Epidemic Data Survivability in Unattended Wireless Sensor Networks: New Models and Results
Giulio Aliberti (a), Roberto Di Pietro (b, *), Stefano Guarino (c)
(a) Università di Roma Tre, Dip.to di Matematica, Roma, Italy
(b) Hamad Bin Khalifa University (HBKU), Doha, Qatar
(c) Istituto per le Applicazioni del Calcolo “Mauro Picone”, Consiglio Nazionale delle Ricerche, Roma, Italy
Abstract
Unattended Wireless Sensor Networks (UWSNs), characterized by the intermittent presence of the sink, are exposed to attacks aiming at tampering with the sensors and the data they store. In order to prevent an adversary from erasing any sensed data before the sink collects them, it is common practice to rely on data replication. However, identifying the most suitable replication rate is challenging: data should be redundant enough to avoid data loss, but not so much as to pose an excessive burden on the limited resources of the sensors. As noted before in the literature, this problem is similar to finding the minimum infection rate that makes a disease endemic in a population. Yet, unlike previous attempts to leverage this parallelism, we argue that model and system parameters must be carefully bound according to conservative and realistic assumptions on the behavior of the network, further taking into account possible statistical fluctuations. In this paper, we therefore refine the connection between the Susceptible, Infected, Susceptible (SIS) epidemic model and the survivability of sensed data in UWSNs. In particular, based on probabilistic data replication and deletion rates, we identify proper conditions to guarantee that sensed information becomes endemic. In both the full visibility model (i.e., unlimited transmission range) and the geometric one (i.e., limited transmission range), the proposed approach achieves: (i) data survivability, (ii) optimal usage of sensor resources, and (iii) fast collecting time. Building on advanced probabilistic tools, we provide theoretically sound results, further supported by an extensive experimental campaign performed on synthetically generated networks. The obtained results show the quality of our model and the viability of the proposed solution.
Keywords: Unattended Wireless Sensor Network, Epidemic Models, Data Survivability, Security
* Corresponding author. Tel.: +974 4454 0267; fax: +974 4454 1047
Email addresses: [email protected] (Giulio Aliberti), [email protected] (Roberto Di Pietro), [email protected] (Stefano Guarino)
Preprint submitted to Journal of Network and Computer Applications. September 29, 2017
1. Introduction
The so-called Unattended Wireless Sensor Network (UWSN) [1] is an emerging paradigm for unsupervised environmental sensing, attracting more and more attention from the research community due to the challenging security concerns it poses. As with all Wireless Sensor Networks (WSNs), a UWSN is composed of a (usually large) number of sensor nodes, organized into a cooperative network, and of a trusted entity that performs data collection, usually referred to as the sink. In traditional WSNs, the sink is in constant control of the network and sensor nodes offload all acquired data to the sink as soon as possible, to preserve the information even in the event of malfunctions and attacks. In contrast, in UWSNs there is no real-time communication with the sink, which only performs data collection sporadically. There may be several reasons to prefer the use of an intermittent sink, such as sensors being deployed in hostile environments, where even the sink could hardly be protected [2], or the inaccessibility of the monitored area and the technical problems that arise in connecting the sink with the sensors [3]. While transmission from the sink to the monitoring system is usually in real time, secure and distributed in-network data storage is of primary importance in UWSNs, both to avoid data loss and to facilitate the sink in collecting data and receiving alarms. The most realistic threat model in UWSNs is an adversary able to physically compromise a number of sensors and to selectively delete or modify any piece of information that such sensors store. However, a rational adversary avoids destroying or capturing sensors, in order to hide its activities from the sink and leave no evidence of its illegal behavior. Without a specific security mechanism in place, the sink, and therefore the monitoring system, will never know that sensed data have been erased or altered by an adversary.
Because of the scarce resources of sensor nodes, this must be done without incurring excessive energy consumption, and limiting data redundancy to the bare minimum necessary. In data-centric storage models, network coding techniques have been used to limit both bandwidth usage and power consumption [4, 5, 6, 7]. However, these techniques are mostly motivated by applications where only historical information or digest data, as opposed to (quasi) real-time data, are of interest [7]. In fact, they introduce additional time delays and computational overhead. Solutions based on secret sharing or erasure coding [8, 9, 10], appealing because they are able to concurrently provide reliability and confidentiality at the physical layer [11], are not suited for networks whose sensors send event-driven data that do not need to be kept secret, because of the greater effort demanded of the sink to rebuild a single piece of information. A controlled data replication process is the most straightforward approach to achieve fault tolerance and resilience to node capture in most of our envisaged scenarios [12]. While extending our analysis to confidentiality-oriented solutions is a viable direction for future work, in this paper we are interested in achieving a trade-off between three features: data survivability, collecting time, and resource consumption. Epidemic models [13, 14] have been suggested as a viable approach to
identify the optimal replication rate that guarantees both data availability and resource saving [15]. An epidemic model is a mathematical model that tries to predict the evolution of a disease in a population based on the rates of transition between the possible “health statuses” of its individuals. The SIS model, Susceptible (S), Infected (I), Susceptible (S) [16], conveys a clear parallelism with sensor networks: at any time, individuals (i.e., sensors) can pass from being infected (i.e., possessing some information to be preserved) to being susceptible (i.e., not possessing it), and back; an endemic disease is equivalent to information that is always available, and an epidemic outbreak is what guarantees fast data retrieval. If the process is deterministic, the SIS model is characterized by the presence of “endemic states”, i.e., the fraction of infected individuals self-stabilizes to a precise value, determined by the model parameters, for any positive initial fraction. However, in practice the aforementioned infection and healing rates are rather probabilities of contagion and cure. The evolution of the disease is hence a random process, potentially deviating from predictions, in which the risks related to statistical fluctuations need to be properly considered.
Contributions. In this paper, we study the applicability of the SIS model to data survivability in UWSNs. Besides tuning the model to a different scenario, we aim at finding the minimum replication/infection rate that guarantees the desired collecting time (or, at least, data survivability) even in the presence of “unlucky events” [17]. To this end, we provide theoretical results binding the rate at which sensors replicate and diffuse data to the probability that sensed information survives an attack. Similar attempts in the literature [18, 19] considered the SIS epidemic model “as is”, relying on coarse-grained assumptions that had an impact on those papers’ findings.
We refine the connection between network model and epidemic model, providing more accurate theoretical results as well as accommodating more realistic experiments. Additionally, we present two completely novel contributions that widen the scope of our work, namely: (i) a lower bound for the probability of losing the datum due to statistical fluctuations in $T \ge 1$ rounds, whereas previous work only considered $T = 1$, and (ii) an analysis of the effects of letting the sensors randomly switch their transceivers on and off for a number of rounds to save energy. We consider transmission range constraints, studying both the full visibility and the geometric model, and all the analytical findings are supported by simulation results.
Organization of the paper. The remainder of this work is organized as follows. Section 2 introduces our reference models, providing an overview of the SIS model (Section 2.1) and of our system model (Section 2.2), and carefully discussing how the parameters of the two models should be paired together (Section 2.3). The analysis of data survivability and collection with full visibility is reported in Section 3. In detail, we provide a probabilistic bound for the data surviving probability (Section 3.1), an estimate of the expected collecting time (Section 3.2), and a discussion of the trade-off between data availability and resource consumption (Section 3.3). The extension of all the above findings under the more realistic geometric hypothesis is reported in Section 4. Section 5
describes the aforementioned on/off strategy, able to extend the network lifetime when the resources of the adversary are limited. In Section 6 we analyze the results of an extensive simulation campaign performed on synthetically generated networks, which broadly confirm the quality of our theoretical predictions. Finally, Section 7 surveys related work in the literature, and Section 8 reports some concluding remarks.
2. Reference Models
In this section we introduce the models that will be leveraged throughout this paper.
2.1. The SIS Model
In 1927, Kermack and McKendrick proposed a mathematical theory to study the spread of an infectious disease in a community of susceptible individuals [16]. Their theory of epidemics consists of a high-level analysis, which does not take into account the details of the infection concerning single individuals, but only the macroscopic dynamics of a large population. At the basis of the theory is the definition of a small number of discrete states describing the “health status” of an individual (e.g., infected, susceptible, recovered), and of transition rates between any two such states, which may be fixed, time-varying, or even dependent on the current configuration of the population. In theory, these rates should be interpreted as instantaneous probabilities of migrating from one state to another. Yet, it is common practice to assume that the process is deterministic and to use transition rates to predict the evolution of the disease. This habit is justified by the typical size of the population under analysis, which makes such predictions very accurate. However, we will use the expected evolution of the process only as a benchmark, performing a much deeper analysis to provide the desired data survivability results. Among epidemic models, the SIS model is the one that best describes our scenario.
In the SIS model, the population is partitioned into Susceptible individuals, whose set at time $t$ is denoted by $\mathcal{S}(t)$, and Infected individuals, denoted by $\mathcal{I}(t)$; individuals become susceptible of being infected again immediately after they recover from the disease. We respectively denote by $S(t) = |\mathcal{S}(t)|$ and $I(t) = |\mathcal{I}(t)|$ the number of susceptible and infected individuals at time $t$. Assuming that the population has fixed size $n$, we further denote by $i(t) = I(t)/n$ and $s(t) = S(t)/n$ the corresponding fractions of infected and susceptible subjects, with $s(t) = 1 - i(t)$ or, equivalently, $S(t) = n - I(t)$. The high-level evolution of such a system is governed by only two parameters: the infection ($S \to I$) probability $p_{\mathrm{inf}}$ and the healing ($I \to S$) probability $p_{\mathrm{hea}}$. Particularly interesting for us is the SIS model for viral infections, in which a healthy individual can contract the disease only if she comes into contact with a sick one. Indeed, in UWSNs a node can get the datum only if communication with a node that already possesses it is possible. In these cases, the infection rate is not constant, but depends on the particular configuration, because it is directly proportional to the number $I(t)$ (or, equivalently, to the fraction $i(t)$) of infected individuals. In other words, we can write $p_{\mathrm{inf}} = \alpha\, i(t)$, where the proportionality constant $\alpha$ combines the frequency of a contact between a susceptible and an infectious individual and the probability of contracting the disease in such a contact. On the other hand, sick subjects recover from the disease with a rate $p_{\mathrm{hea}} = \beta$, which does not depend on the configuration, but only on how difficult it is to defeat the infection. Summing up, the expected evolution of the system is completely determined by the following two differential equations:
$$ i'(t) = \alpha\, s(t)\, i(t) - \beta\, i(t) \tag{1} $$
$$ s'(t) = \beta\, i(t) - \alpha\, s(t)\, i(t) \tag{2} $$
Since $s'(t) = -i'(t)$ and $s(t) = 1 - i(t)$, Eq. (1) and Eq. (2) are equivalent, and the system can be described by the single equation
$$ i'(t) = (\alpha - \beta)\, i(t) - \alpha\, i^2(t), $$
whose solution is
$$ i(t) = \left[ \left( \frac{1}{i_0} + \frac{\alpha}{\beta - \alpha} \right) e^{(\beta - \alpha)\, t} - \frac{\alpha}{\beta - \alpha} \right]^{-1} \tag{3} $$
where $i_0 = i(0)$ is the fraction of infected individuals at time 0. With the terminology of dynamical systems analysis, a condition such that $i'(t) = 0$ is called a steady state. In our case, Eq. (1) admits two steady states: $\mathrm{STEADY}_0$, when $i(t) = 0$, and $\mathrm{STEADY}_1$, when $i(t) = 1 - \beta/\alpha$. Yet, since $\beta > \alpha$ implies $\mathrm{STEADY}_1 < 0$ and $i(t)$ cannot be negative, when $\beta \ge \alpha$ the only steady state is $\mathrm{STEADY}_0$. We recall that a steady state is asymptotically stable when not only do trajectories starting close to the steady state stay close to it (stable), but they also approach that state asymptotically. Studying the behavior of these two steady states, we observe that their nature is completely determined by the relation between $\beta$ and $\alpha$. When $\beta \ge \alpha$, $\mathrm{STEADY}_0$ is asymptotically stable: the disease will die out regardless of the initial fraction of infected individuals. Conversely, when $\beta < \alpha$, $\mathrm{STEADY}_0$ is not even stable, while $\mathrm{STEADY}_1$ is asymptotically stable: whenever $i(t) > 0$, the system is expected to migrate towards $\mathrm{STEADY}_1$, i.e., $i(t)$ should self-stabilize to $i(t) = 1 - \beta/\alpha$. Summing up, $\beta < \alpha$ is a necessary condition for the disease to become endemic. The condition would also be sufficient if the process were deterministic, but because of its random nature we have to take into account the possibility that all of a sudden all infected individuals get healed, which is more likely to happen the closer $i(t)$ is to zero. Figure 1 shows Eq. (3) with $\alpha = 0.3 > \beta = 0.2$, for two different values of $i_0$. We observe that $i(t)$ approaches $1 - \beta/\alpha$ monotonically and, as long as $i(t) > \frac{1}{2} - \frac{\beta}{2\alpha}$, the more $i(t)$ deviates from $1 - \beta/\alpha$, the more quickly it tends back to $1 - \beta/\alpha$. Indeed,
$$ i'(t) = i(t)\,\big(\alpha - \beta - \alpha\, i(t)\big), $$
so that $i'(t) > 0$ if $i(t) < 1 - \beta/\alpha$, and
$$ i''(t) = i(t)\,\big(\alpha - \beta - 2\alpha\, i(t)\big)\big(\alpha - \beta - \alpha\, i(t)\big), $$
so that $\frac{1}{2} - \frac{\beta}{2\alpha} < i(t) < 1 - \beta/\alpha$ implies $i''(t) < 0$. In short, we need to pay particular attention to two conditions that guarantee that the more time passes, the more unlikely it is to see the infection getting defeated: (i) $\mathrm{STEADY}_1$ not being too close to 0, and (ii) quickly getting $i(t) > \frac{1}{2} - \frac{\beta}{2\alpha}$.
[Figure 1: plot of $i(t)$ versus $t \in [0, 50]$ for $i_0 = 0.5$ and $i_0 = 0.1$, with horizontal reference lines at $1 - \beta/\alpha$ and $\frac{1}{2} - \frac{\beta}{2\alpha}$.]
Figure 1: Example showing a system with parameters $\alpha = 0.3 > \beta = 0.2$, with $i(t)$ approaching the steady state $1 - \beta/\alpha = 0.33$.
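As an added worked example (not part of the original paper), the following Python code implements Eq. (3) and the derivative formulas above with the paper's symbols, cross-checks the closed form against a forward-Euler integration of $i'(t) = (\alpha-\beta)\,i(t) - \alpha\, i^2(t)$, and verifies the steady-state and inflection-threshold claims for the Figure 1 parameters $\alpha = 0.3$, $\beta = 0.2$. The function names, the Euler step size and the handling of the degenerate case $\alpha = \beta$ (where Eq. (3) is undefined) are this example's own choices.

```python
"""Deterministic SIS dynamics of Section 2.1, written with the paper's symbols.

Single-equation form of Eq. (1)-(2):   i'(t) = (alpha - beta) i(t) - alpha i(t)^2
Closed form, Eq. (3):
    i(t) = [ (1/i0 + alpha/(beta - alpha)) e^{(beta - alpha) t} - alpha/(beta - alpha) ]^{-1}
Function names and the Euler step size are this example's own choices.
"""
import math


def i_prime(i, alpha, beta):
    """i'(t) = i (alpha - beta - alpha i); positive for 0 < i < STEADY1 = 1 - beta/alpha."""
    return i * (alpha - beta - alpha * i)


def i_second(i, alpha, beta):
    """i''(t) = i (alpha - beta - 2 alpha i)(alpha - beta - alpha i), as derived in the text."""
    return i * (alpha - beta - 2.0 * alpha * i) * (alpha - beta - alpha * i)


def i_closed_form(t, alpha, beta, i0):
    """Eq. (3). The paper's formula needs alpha != beta; for alpha == beta the
    logistic equation degenerates to i' = -alpha i^2, solved by i0 / (1 + alpha i0 t)
    (an assumption of this example, since the paper does not treat that case)."""
    if alpha == beta:
        return i0 / (1.0 + alpha * i0 * t)
    c = alpha / (beta - alpha)
    return 1.0 / ((1.0 / i0 + c) * math.exp((beta - alpha) * t) - c)


def steady_states(alpha, beta):
    """STEADY0 = 0 always exists; STEADY1 = 1 - beta/alpha is admissible only when beta < alpha."""
    states = [0.0]
    if beta < alpha:
        states.append(1.0 - beta / alpha)
    return states


def inflection_threshold(alpha, beta):
    """1/2 - beta/(2 alpha): between this value and STEADY1 we have i'' < 0, so the
    farther i is below STEADY1 the faster it moves back towards it."""
    return 0.5 - beta / (2.0 * alpha)


def euler_trajectory(alpha, beta, i0, t_end, dt=1e-3):
    """Forward-Euler integration of i' = (alpha - beta) i - alpha i^2, used only to
    cross-check the closed form; returns the numerical value of i(t_end)."""
    i = i0
    for _ in range(int(round(t_end / dt))):
        i += dt * i_prime(i, alpha, beta)
    return i


if __name__ == "__main__":
    alpha, beta = 0.3, 0.2          # the parameters of Figure 1
    for i0 in (0.5, 0.1):           # the two curves of Figure 1
        print(f"i0={i0}: i(50)={i_closed_form(50, alpha, beta, i0):.4f}")
    print("steady states:", steady_states(alpha, beta))
    print("inflection threshold:", inflection_threshold(alpha, beta))
```

Running the block with the Figure 1 parameters shows both curves settling at $1 - \beta/\alpha \approx 0.333$ and a threshold $\frac{1}{2} - \frac{\beta}{2\alpha} \approx 0.167$; swapping $\alpha$ and $\beta$ makes `steady_states` return only $\mathrm{STEADY}_0$ and drives the closed form to zero, which is the $\beta \ge \alpha$ case of the text.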
2.2. System Model
Our system model consists of: (i) an unattended network of homogeneous low-cost sensors, (ii) an intermittent sink responsible for collecting sensed data, and (iii) an adversary willing to prevent certain target data from reaching the sink without being detected. To simplify the analysis, we consider the survivability of a single datum initially sensed by a small subset of sensors. The evolution of the network is partitioned into rounds, with round $t$ denoting what happens between time $t-1$ and time $t$. For what concerns in-network communication, we consider two possible scenarios: we first present our results assuming full visibility (Section 3), to then extend them to contemplate geometric constraints (Section 4). Full visibility means that the communication range of each sensor covers the whole monitored area, while the geometric model corresponds to a more realistic multi-hop message-passing network, where sensors can communicate only within a limited “neighborhood”. The sensor nodes are randomly deployed over the monitored area, with no constant supervision, and collaborate to securely store all sensed data until the arrival of the sink. We envisage a completely distributed network in which the sensors have no information at all about where other sensors are and what data they store. At the beginning of each round all sensors implement a probabilistic replication mechanism, sending a copy of the data they store to each other sensor of the network with identical probability $p$. This means that for each pair of nodes $a, b$, node $b$ receives data from $a$ with some probability $p^*$, independently of all other pairs: in the full visibility model it simply holds $p^* = p$, while in the geometric model $p^*$ also depends on the transmission range of the two sensors, as clarified later in Section 4. However, in both cases the probability that a sensor receives a copy of a specific datum is
$$ q = 1 - (1 - p^*)^{n\, i(t)}. $$
In our network, the sink, which is the only trusted data collection point, is not always available to the sensors. This is one of the peculiarities of the UWSN paradigm, introduced to address scenarios such as: (i) very large scale/coverage WSNs for which an itinerant sink is the only feasible solution; (ii) WSNs deployed in hostile environments in which a constantly exposed sink would represent a single point of failure; (iii) remote applications in which even the sink’s resources need to be preserved, so that it needs to be switched off periodically; (iv) scenarios in which physical obstacles or bandwidth constraints prevent the sink from concurrently gaining connection with the whole network. In addition to being intermittently available, we assume that every time the sink accesses the network it can download data only from a subset of all sensors within its reach. Under full visibility, we consider a global intermittent sink whose coverage includes the whole monitored area. In the geometric model, we assume an itinerant intermittent sink, which roams in the network and has a limited communication range. Our adversary model matches the Search-and-erase mobile adversary ($\mu$ADV) already considered in the literature [2]. Such an adversary aims at deleting all copies of some target data before they reach the sink, without being detected. A typical example is an attacker trying to elude an intrusion detection system. We grant $\mu$ADV a strong compromising power, assuming that, in each round, $\mu$ADV can migrate and compromise any subset of sensors, not necessarily clustered or physically contiguous. When we say that $\mu$ADV compromises a sensor, we mean that it erases some data contained in its memory, but without changing the sensor behavior or destroying it. Indeed, both these actions would be easily detectable [20], after which alarms and recovery mechanisms could be used. The adversary can erase all or just some of the data stored inside the sensor. This is irrelevant for us: our analysis being focused on the survivability of a single target datum, the attack is successful only if it erases that datum. We quantify the corruption capability of the adversary by assuming that, in each round, it accesses a number $l$ of nodes of the network, chosen uniformly at random. If a node belongs to the chosen subset and it possesses the datum, the adversary deletes such datum; otherwise, the adversary does nothing.
2.3. Our System Model As A SIS Model
As already outlined in the Introduction, when applying epidemic models to UWSNs we associate the population with the network and the disease with a particular sensed datum that we want to protect. Although epidemic models usually describe continuous-time processes, to fit our system model we consider an epidemic process divided into rounds. A node $a$ is infected at time $t$, formally $a \in \mathcal{I}(t)$, if it possesses a copy of that datum, while it is susceptible otherwise, formally $a \in \mathcal{S}(t)$. Transitions between the two states are illustrated in Figure 2.
[Figure 2: the two states of the SIS model, $\mathcal{S}(t)$ (sensors that do not have the datum) and $\mathcal{I}(t)$ (sensors that do have the datum), with transition $S \to I$ at rate $\alpha s i$ and $I \to S$ at rate $\beta i$.]
Figure 2: States and Transitions of the SIS model
Infection. As described before, for each pair $(a, b)$, with $a \in \mathcal{I}(t)$ and $b \in \mathcal{S}(t)$, we assume that $b$ receives the infection from $a$ with identical probability $p^*$, independently of all other pairs. The overall probability that $b$ contracts the disease is therefore
$$ q = 1 - (1 - p^*)^{n\, i(t)}. $$
We stress once more that we conservatively assume that $p^*$ cannot depend on $I(t)$.
Healing. As described before, we assume that the adversary chooses a number $l$ of nodes of the network uniformly at random, and heals all infected sensors among them. The probability that a node $a \in \mathcal{I}(t)$ is healed is the probability that $a$ belongs to the set of nodes chosen by the adversary, namely $v = l/n$. Observe that what happens to two different infected nodes in the same round is not independent, since if we know that $a$ is healed, then the probability that $a'$ is also healed decreases to $\frac{l-1}{n-1} = v - \frac{1-v}{n-1}$. In other words, for any two nodes $a, a'$ infected at time $t$, the two events $E = \{a \in \mathcal{S}(t+1)\}$ and $E' = \{a' \in \mathcal{S}(t+1)\}$ are negatively correlated.
Remark. Our model is somewhat asymmetric, in that infected sensors generate a random number of replicas, while the adversary compromises a fixed number of sensors. Choosing between a probabilistic and a deterministic infecting strategy is equivalent to choosing between more flexibility and a superior control of communication overhead. In the full visibility model, for instance, if each sensor $a \in \mathcal{I}(t)$ sends exactly $pn$ messages per round the two strategies are equivalent, but the latter requires $pn \in \mathbb{N}$, while the former allows, e.g., $p < 1/n$, a viable solution in many realistic scenarios, since multiple infected sensors contribute to spreading the infection. Conversely, the number of sensors compromised per round must be an integer. Even though this number can slightly vary for different rounds, we can rightfully assume that its worst/average-case value can be determined based on the estimated time to compromise a sensor and the duration of a round.
That being said, we remark that this work addresses all possible cases thanks to a couple of precautions: (i) in all proofs of Section 3 and Section 4 we do not assume that sensors are infected/healed independently of each other, so that our security analysis is correct with either mechanism in place, and (ii) in Section 5 we propose a distributed on/off strategy that provides a further probabilistic parameter against which $u$ can be traded off.
Remark. Let us underline that infection and healing occur during the time window $\Delta$ from time $t$ to time $t+1$, but the evolution of the network is determined by the configuration at times $t$ and $t+1$, that is, when the infected nodes act.¹ Infections occur instantaneously at time $t$, and infected sensors remain inactive thereafter until time $t+1$, when they come back into action. Here, instantaneously means that the message-transmission time $\delta$ is negligible with respect to $\Delta$. In short, contagions happen between $t$ and $t+\delta$, while recoveries happen between $t+\delta$ and $t+1$, and the processes of contagion and recovery are mutually independent. However, we conservatively assume that: (i) the adversary, coming into action at time $t+\delta$, can heal all the nodes in $\mathcal{I}(t+\delta)$, i.e., those in $\mathcal{I}(t)$ plus those infected between $t$ and $t+\delta$; (ii) infected nodes are only active before time $t+\delta$, so that healed nodes cannot be infected again before time $t+1$.
Evolution Of The Network. Now, let us discuss in more detail the nature of our epidemic process. The number of infected nodes at time $t+1$ is given by
$$ I(t+1) = I(t) + |\mathcal{S}{\to}\mathcal{I}(t+1)| - |\mathcal{I}{\to}\mathcal{S}(t+1)| $$
where
$$ \mathcal{S}{\to}\mathcal{I}(t+1) = \{ b \in \mathcal{S}(t) : b \in \mathcal{I}(t+1) \}, \qquad \mathcal{I}{\to}\mathcal{S}(t+1) = \{ a \in \mathcal{I}(t) : a \in \mathcal{S}(t+1) \} $$
denote the sets of those nodes that passed, respectively, from state S to state I and from state I to state S during round $t+1$. Let $X_j(t) \in \{0, 1\}$ denote the state of node $j$ at time $t$, with $X_j(t) = 1$ meaning that node $j$ is infected and $X_j(t) = 0$ meaning that it is sane.
If we define $Z_j(t+1) = X_j(t+1) - X_j(t)$, we have
$$ Z_j(t+1) = \begin{cases} +1 & \text{if } X_j(t) = 0 \text{ and } X_j(t+1) = 1 \\ \;\;0 & \text{if } X_j(t+1) = X_j(t) \\ -1 & \text{if } X_j(t) = 1 \text{ and } X_j(t+1) = 0 \end{cases} $$
Thus, $Z_j(t+1) = 1$ means that $j \in \mathcal{S}{\to}\mathcal{I}(t+1)$, $Z_j(t+1) = -1$ means that $j \in \mathcal{I}{\to}\mathcal{S}(t+1)$, and $Z_j(t+1) = 0$ means that the state of node $j$ did not change during round $t+1$.
¹ We use $t$ and $t+1$ to denote the two boundaries of round $t+1$ only to ease notation. We do not mean that the duration of a round is necessarily $(t+1) - t = 1$. To be more precise, we should use $t_i$ and $t_{i+1}$ to denote the boundaries of round $i+1$. That is why, to ensure generality, we say that each round has length $\Delta$.
Without loss of generality, we can assume that $X_j(t) = 1$ for all $j = 1, \dots, I(t)$ and $X_j(t) = 0$ for all $j = I(t)+1, \dots, n$. Hence,
$$ |\mathcal{I}{\to}\mathcal{S}(t+1)| = -\sum_{j=1}^{I(t)} Z_j(t+1), \qquad |\mathcal{S}{\to}\mathcal{I}(t+1)| = \sum_{j=I(t)+1}^{n} Z_j(t+1), $$
and
$$ I(t+1) - I(t) = \sum_{j=1}^{n} Z_j(t+1). $$
By definition, for any node $j \le I(t)$ infected at time $t$, we have $Z_j(t+1) \in \{0, -1\}$. If $j$ is healed during round $t+1$, then $Z_j(t+1) = -1$ or, equivalently, $j \in \mathcal{I}{\to}\mathcal{S}(t+1)$, and this happens independently of the possibility that $j$ gets another copy of the datum within time $t+\delta$. This means that $\Pr[Z_j(t+1) = -1] = v$ and $\Pr[Z_j(t+1) = 0] = 1 - v$. Similarly, for any node $j > I(t)$ susceptible at time $t$, we have $Z_j(t+1) \in \{0, 1\}$. If $j$ is infected within time $t+\delta$ and not re-healed between $t+\delta$ and $t+1$, then $Z_j(t+1) = 1$ or, equivalently, $j \in \mathcal{S}{\to}\mathcal{I}(t+1)$. Since infection and healing are independent processes, we have $\Pr[Z_j(t+1) = 1] = q(1-v)$ and $\Pr[Z_j(t+1) = 0] = 1 - q(1-v)$. Finally, we have
$$ \mathbb{E}\big[|\mathcal{I}{\to}\mathcal{S}(t+1)| \,\big|\, I(t)\big] = v\, I(t) \quad\text{and}\quad \mathbb{E}\big[|\mathcal{S}{\to}\mathcal{I}(t+1)| \,\big|\, I(t)\big] = q\,(1-v)\,(n - I(t)), $$
which yields
$$ \mathbb{E}[I(t+1) - I(t) \,|\, I(t)] = q\,(1-v)\,(n - I(t)) - v\, I(t) $$
or, equivalently,
$$ \mathbb{E}[i(t+1) - i(t) \,|\, i(t)] = q\,(1-v)\,(1 - i(t)) - v\, i(t). \tag{4} $$
To gain a direct relationship between the system parameter $p^*$ and the model parameter $\alpha$, prior work [19] used the standard first-order approximation
$$ q = 1 - (1 - p^*)^{n\, i(t)} \approx p^* n\, i(t). $$
However, by Bernoulli’s inequality $(1-p^*)^{m} \ge 1 - m\,p^*$, the latter is clearly an upper bound, i.e., it actually holds $q < p^* n\, i(t)$. Since what we need is a lower bound, we Taylor-expand $q$ to the second order and use $i^2 < i$. Writing $m = n\, i(t)$ and $u = p^* n$, the second-order Bonferroni inequality $(1-p^*)^m \le 1 - m\,p^* + \binom{m}{2}(p^*)^2 \le 1 - m\,p^* + \frac{1}{2}(m\,p^*)^2$ gives
$$ q = 1 - (1 - p^*)^{n\, i(t)} \ \ge\ u\, i(t) - \frac{u^2}{2}\, i(t)^2 \ >\ u\left(1 - \frac{u}{2}\right) i(t) $$
for $0 < i(t) < 1$. This allows rewriting Eq. (4) as
$$ \mathbb{E}[i(t+1) - i(t) \,|\, i(t)] > u\left(1 - \frac{u}{2}\right)(1-v)\, i(t)\,(1 - i(t)) - v\, i(t). \tag{5} $$
Summing up, we can conservatively assume that the expected evolution of the infection is governed by the following differential equation, whose right-hand side is the lower bound of Eq. (5):
$$ i'(t) = \left[ u\left(1 - \frac{u}{2}\right)(1-v) - v \right] i(t) - u\left(1 - \frac{u}{2}\right)(1-v)\, i^2(t), $$
which exactly resembles the equation governing the SIS model, with infection and healing rates given by
$$ \alpha = \alpha(u, v) = u\left(1 - \frac{u}{2}\right)(1 - v), \qquad \beta = \beta(u, v) = v. \tag{6} $$
To investigate data survivability in the proposed system model, we can therefore study the SIS model with such parameters.
3. Epidemic Data Survivability (full visibility)
In this section, we finally show how the replication rate must be set in order to meet all desired goals, that are: (i) avoiding data loss in the presence of an active adversary, (ii) facilitating data recovery by the sink, and (iii) saving energy to the maximum possible extent. Without restrictions on sensors’ resources, we could simply flood the network with the interesting datum. Because of the energy, bandwidth and storage constraints characterizing the sensors, it is instead preferable to keep the number of replicas and messages to the bare minimum necessary to meet information availability requirements. The description of the evolution of the network provided by the SIS epidemic model is the first step towards our aim of identifying such a minimal replication rate. However, due to possible statistical fluctuations, the SIS model does not capture all conditions required in our setting to assure information survivability. The first purpose of this section is exactly to find out the optimal replication rate in the envisaged scenario assuming full visibility. Later, in Section 4, we will see how these results can be extended to the more realistic geometric model. Algorithm 1 summarizes the behavior of sensors, adversary, and sink in each round as formally described in Section 2.3. In brief:
• All infected sensors forward the datum to each other sensor with probability $p$. With full visibility, this means that each susceptible sensor receives the datum from each infected one with probability $p^* = p$.
• The $\mu$ADV attacker compromises a number $l$ of sensors and deletes all copies of the target datum she finds.
• The global intermittent sink retrieves the information from any sensor belonging to the network with probability $\gamma$.
ALGORITHM 1: Behavior of each sensor, the adversary, and the sink at each round, depending on system parameters p, l, and γ, respectively. A single datum of interest d is considered.

SENSOR(p)
  if have datum d then
    foreach sensor s in neighborhood do
      select r ← [0, 1] uniformly at random
      if r < p then
        send datum d to s
      end
    end
  end

ADVERSARY(l)
  initialize S = ∅
  while |S| < l do
    select a sensor s uniformly at random from network
    update S = S ∪ {s}
  end
  foreach s in S do
    if s has datum d then
      delete d
    end
  end

SINK(γ)
  foreach sensor s in network do
    select r ← [0, 1] uniformly at random
    if r < γ then
      collect datum d from s
    end
  end
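As an added example that is not part of the original paper, the following Python program is a Monte Carlo implementation of Algorithm 1 under full visibility, with the conservative round timing of Section 2.3: replication first, then the adversary erases the datum from $l$ distinct sensors (fresh copies included), and a sensor healed in a round is not re-infected before the next one. It then compares the average final fraction of infected sensors with the steady state $1 - \beta/\alpha$ computed from the parameters of Eq. (6) and from the plain mapping $\alpha = u$ of prior work [19], which is the kind of comparison the paper reports for Figure 3 with $n = 100$ and $u = 0.65$. The function names, the seed handling and the number of repetitions are this example's own assumptions. Under full visibility the per-pair Bernoulli($p$) draws of SENSOR(p) are independent, so each susceptible sensor receives at least one copy with probability $q = 1-(1-p)^{I(t)}$; the code draws once per susceptible sensor, which is equivalent and much faster than looping over every pair.

```python
"""Monte Carlo version of Algorithm 1 under full visibility, with the round timing of
Section 2.3: replication at the start of the round, then the adversary erases the datum
from l distinct sensors (fresh copies included); sensors healed in this round are not
re-infected before the next one. Names, seeds and repetition counts are this example's
own assumptions, not the paper's simulator.
"""
import random


def alpha_refined(u, v):
    """Infection rate of Eq. (6): alpha = u (1 - u/2) (1 - v), with u = p n and v = l / n."""
    return u * (1.0 - u / 2.0) * (1.0 - v)


def alpha_plain(u, v):
    """Mapping used by prior work [19]: alpha = u, i.e. the first-order approximation q ~ u i."""
    return u


def predicted_steady(alpha, beta):
    """STEADY1 = 1 - beta/alpha of the deterministic SIS model; 0 when the infection cannot persist."""
    return max(0.0, 1.0 - beta / alpha) if alpha > 0.0 else 0.0


def simulate_round(infected, n, p, l, rng):
    """One round of Algorithm 1. Under full visibility the per-pair Bernoulli(p) draws of
    SENSOR(p) are independent, so a susceptible sensor gets at least one copy with
    probability q = 1 - (1 - p)^{I(t)}; drawing once per susceptible sensor is equivalent.
    ADVERSARY(l) then picks l distinct sensors uniformly at random and erases the datum."""
    q = 1.0 - (1.0 - p) ** len(infected)
    after_replication = set(infected)
    for s in range(n):
        if s not in infected and rng.random() < q:
            after_replication.add(s)
    for s in rng.sample(range(n), l):   # l distinct sensors, as in the while loop of Algorithm 1
        after_replication.discard(s)
    return after_replication


def simulate(n, p, l, rounds, seed, initial=None):
    """Fraction i(t) after each round, starting from all sensors infected unless `initial`
    (an iterable of sensor ids) is given. Stops early if the datum is lost."""
    rng = random.Random(seed)
    infected = set(range(n)) if initial is None else set(initial)
    trajectory = [len(infected) / n]
    for _ in range(rounds):
        infected = simulate_round(infected, n, p, l, rng)
        trajectory.append(len(infected) / n)
        if not infected:        # the "unlucky event": every copy erased
            break
    return trajectory


def sink_collects(infected, gamma, seed):
    """SINK(gamma): each sensor is read with probability gamma; the datum is collected if at
    least one sensor holding it is read (probability 1 - (1 - gamma)^{I(t)})."""
    rng = random.Random(seed)
    return any(rng.random() < gamma for _ in infected)


def experiment(n=100, u=0.65, v=0.2, rounds=300, repetitions=20):
    """Average final fraction of infected sensors versus the two steady-state predictions."""
    p, l = u / n, int(round(v * n))     # u = p n and v = l / n, as in Section 2.3
    finals = [simulate(n, p, l, rounds, seed)[-1] for seed in range(repetitions)]
    return {
        "simulated": sum(finals) / len(finals),
        "refined_prediction": predicted_steady(alpha_refined(u, v), v),
        "plain_prediction": predicted_steady(alpha_plain(u, v), v),
        "lost": sum(1 for f in finals if f == 0.0),
    }


if __name__ == "__main__":
    print(experiment())
```

Running `experiment()` with the defaults yields a `simulated` value that sits between `refined_prediction` (about 0.43, the paper's conservative estimate for $u = 0.65$, $v = 0.2$) and `plain_prediction` (about 0.69, the optimistic $\alpha = u$ estimate), with `lost` counting the repetitions in which every copy was erased; lowering $u$ towards $v$ makes the refined prediction hit 0 first and losses appear, which is the "too close" regime discussed for Figure 3(b).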
As seen in Section 2.3, the whole system, composed of $n$ sensors, one adversary and one sink, behaves (in the worst case for data survivability) as a SIS epidemic model with parameters $\alpha = u\left(1 - \frac{u}{2}\right)(1 - v)$ and $\beta = v$, where $u = pn$ and $v = l/n$. Let us recall that this model has two compartments, S and I, respectively containing the sensors susceptible to learning the information and the sensors already storing a copy of the datum. $i(t) = |\mathcal{I}(t)|/n$ denotes the fraction of sensors possessing the datum after round $t$, while $s(t) = |\mathcal{S}(t)|/n$ denotes the fraction of sensors that do not have it. When the context is clear, we will write $i$ and $s$ instead of $i(t)$ and $s(t)$. We already highlighted in Section 2.1 that in a deterministic SIS process $\alpha > \beta$ is a sufficient condition for the system to stabilize to an asymptotically stable steady state characterized by $i = 1 - \beta/\alpha$. This could lead to the erroneous conclusion that imposing $\alpha > \beta$ is sufficient to guarantee that an approximately
constant fraction 1 − β/α of the sensors will always possess the datum, provided that the (maximum) compromising power β of μADV is known. A similar line of reasoning would suggest choosing α in the interval (β, 1] simply based on a trade-off between data accessibility and data replication and diffusion costs. However, in order to really preserve sensed data we need to take into account the possibility that statistical fluctuations (i.e., "unlucky events") cause the permanent loss of the datum, which is more likely to happen the closer 1 − β/α is to 0. In this section we will show that the condition α > β is not actually sufficient to be reasonably sure that data survive an attack.

Before going into the maths of the SIS process, let us make a checkpoint by analyzing an experimental simulation of a network composed of 100 sensors – all of them initially having the datum – and by comparing the obtained results with the theoretical predictions achieved through Eq. (3). Figure 3(a) depicts the prediction achieved with both models, namely ours (green dotted line), which makes use of parameters α(u, v) = u(1 − u/2)(1 − v), β(u, v) = v, and the plain SIS model [19] (grey dotted line), which uses α(u, v) = u, β(u, v) = v. The experimental simulation (crossed dots) is left running for t = 300 rounds and is repeated 100 times (the average is depicted by the blue star line), always with parameter u = 0.65 and with v varying in the whole range [0, 1]. Hence, the picture measures the fraction of infected sensors at the end of each iteration, together with the values predicted by Eq. (3). The plot labelled "Prediction", corresponding to the prediction achieved with the herein proposed parameters, is de facto a tight lower bound for the experimental outcomes and it provides a useful insight for estimating data survivability (indeed, losing the data is a very unlucky event when our prediction has a positive value).
Instead, the estimate achieved by tuning the parameters as suggested in prior work [19] significantly differs from the real outcomes, being much more optimistic, but wrong. Similarly, Figure 3(b) shows the same result from a different perspective. Here, the healing parameter is fixed as β(u, v) = v = 0.2, and the contagion parameter α(u, v) varies accordingly with u ∈ [0, 1]. Other than confirming the previous observations, this figure clearly shows that choosing the minimum α greater than β is not a good strategy for ensuring data survivability. In fact, picking α and β too close leads to the loss of data. In the remainder of this paper, probabilistic bounds to accurately estimate data survivability in the network will be presented.

3.1. A Probabilistic Analysis of Data Survivability

The first step to study the effects of statistical fluctuations is to obtain a concentration bound for the fraction of infected sensors i(t). In this regard, Theorem 1 shows that the probability that i(t + 1) deviates from its expected value E[i(t + 1)] decays exponentially fast. A direct consequence of Theorem 1 is Corollary 1, which proves a lower bound for i(t + 1), conditioned on the value of i(t), that holds with high probability. In turn, this result is used to prove Corollary 2, which extends the bound to the multiple-round case. In particular, the latter result provides a long-term prediction on the data loss resilience of the system. To ease reading, the proofs of this section are deferred to the Appendix.
[Figure 3: Differences between predictions achieved with the plain SIS model and with the proposed changes. Both panels plot the fraction of infected sensors (y axis) against the varied parameter, with series "Simulation", "Simulation Average", "Prediction" and "SIS model". (a) Network behavior when the healing rate varies (x axis: healing rate, 0 to 1; y axis: 0 to 1). (b) Network behavior when the contagion rate varies (x axis: contagion rate, 0 to 0.4; y axis: 0 to 0.8).]
Theorem 1. Consider a network composed of n sensors. Assuming full visibility among sensors, it holds:

$$\Pr\left[E[i(t+1)] - i(t+1) > \varepsilon \mid i(t)\right] \le \exp\left(-\frac{n\varepsilon^2}{2(1 + 3i(t))}\right) < \exp\left(-\frac{n\varepsilon^2}{8}\right) \qquad (7)$$

Proof. In the Appendix.
Theorem 1 is a "one-sided" bound: indeed, Eq. (7) describes the probability that i(t + 1) is smaller than E[i(t + 1)]. The analogous upper bound is not interesting, since we are focusing on not losing the datum. Other than showing that i(t + 1) is exponentially concentrated around its expected value, Eq. (7) also shows that the smaller i(t) is, the stronger the concentration, and unlucky events (which have more serious consequences if i(t) is small) are less likely. It is important to notice that Eq. (7), as all concentration results, strongly depends on n. For instance, let us consider a scenario where β = 0.2 and α = 0.3, so that steady state STEADY1 is reached when i(t) = 1/3. If i(t) = 1/4, it holds E[i(t + 1) | i(t)] = 1/4 + 1/160 = 41/160. If the network is composed of n = 100 sensors, Eq. (7) with ε = 0.2 tells us that Pr[i(t + 1) < 9/160] < 0.32. The same event has probability less than 3.3 × 10⁻³ when the number of sensors scales to 500, and less than 1.1 × 10⁻⁵ when the number of sensors scales to 1000. Finally, observe that α and β do not appear in the bound. In reality, as the reader could expect, the values of α and β do affect the concentration of i(t + 1), but we omitted such a dependence to obtain a more readable, even if weaker, bound (see the Appendix for more details). However, as the ratio α/β increases, the consequences of Eq. (7) become more appreciable. Consider, for example, a network composed of n = 500 sensors, with α = 0.3 and β = 0.2. It holds E[i(t + 1) | i(t) = 1/6] = 1/6 + 1/120 ≈ 0.175, so Eq. (7) with ε = 0.175 gives an upper bound for the probability to lose the datum during round t + 1. Such probability is indeed less than 6 × 10⁻³. Now, if we increase α to α = 0.8, we have E[i(t + 1) | i(t) = 1/6] = 1/6 + 7/90 ≈ 0.245. This time, to bound the probability to lose the datum during round t + 1, we can apply Eq. (7) with ε = 0.245. We deduce that the datum is lost with probability less than 4.5 × 10⁻⁵. With the same parameters, we can as well use Eq. (7) with ε = 7/90, and deduce that Pr[i(t + 1) < i(t)] < 0.36.
With a proper choice of the parameters and with a sufficiently large network, Theorem 1 can ensure that the fraction of nodes possessing the datum actually approaches 1 − β/α with very high probability. The following corollaries generalize the discussion presented above, to delineate the necessary hypotheses for the datum to survive one round of the process (Corollary 1), and to predict the behavior of the network after several rounds (Corollary 2).

Corollary 1. Let α(u, v) and β(u, v) be defined as in Eq. (6), and assume that the hypotheses of Theorem 1 are satisfied. The following results hold:

(i) Let c and δ satisfy
$$d = 2\sqrt{2\delta} - c \le \frac{(1 - \beta(u, v))^2}{4}.$$
Then, if
$$\hat{\alpha} = \beta(u, v) + 2d + \sqrt{4d^2 + 4d\,\beta(u, v)},$$
it holds $\hat{\alpha} \le 1$ and, for all u such that $\hat{\alpha} \le \alpha(u, v) \le 1$, there exists an interval $A \subset \left(0,\, 1 - \frac{\beta(u, v)}{\alpha(u, v)}\right)$ such that $i(t) \in A$ implies $\Pr[i(t + 1) < i(t) - c] \le \exp(-\delta n)$.

(ii) Let $d = 2\sqrt{2\delta}$. If $d < 1 - \beta(u, v)$ and $\frac{\beta(u, v)}{1 - d} \le \alpha(u, v) \le 1$, there exists a threshold $i_\delta \le 1 - \frac{\beta(u, v)}{\alpha(u, v)}$ such that $i(t) \ge i_\delta$ entails $\Pr[i(t + 1) = 0] \le \exp(-\delta n)$.

Proof. In the Appendix.
Potentially, in each round the fraction of sensors storing a copy of the datum could decrease from i to i − β(u, v). Corollary 1 states that, in reality, a sufficiently high replication rate ensures that things go much better with high probability. In particular, under suitable conditions, the probability to lose the datum in a single round is negligible. Studying the evolution of the system in a single round is the first step towards the more challenging intent of bounding the probability to lose the datum in multiple rounds. Corollary 2 provides a preliminary analysis, based on Theorem 1, of the probability to deviate from i(t) in T rounds.

Corollary 2. Let α(u, v) and β(u, v) be defined as in Eq. (6), and assume that the hypotheses of Theorem 1 are satisfied. For any μ ∈ (0, 1), the following result holds:
$$\Pr\left[i(t + T) < (1 - \mu)^T i(t)\right] \le \sum_{k=1}^{T} p(k, \mu, i(t))$$
where
$$p(k, \mu, i(t)) = \exp\left(-\frac{n}{8}\Big[(\mu + \alpha(u, v) - \beta(u, v))(1 - \mu)^{k-1} i(t) - \alpha(u, v)(1 - \mu)^{2k-2} i(t)^2\Big]^2\right),$$
that is:
$$p(k, \mu, i(t)) \in O\left(\exp\left(-n(1 - \mu)^{2k-2} i(t)^2\right)\right).$$

Proof. In the Appendix.
3.2. Global Intermittent Sink Collecting Time

Other than guaranteeing data survivability, replication induces redundancy, and thus facilitates the collection of sensed data by the sink. To understand to which extent, the following corollary provides an estimate of the time (expressed in number of rounds) necessary for the sink to find a specific target datum. We consider a UWSN monitored by a global intermittent sink that, during each round, retrieves the information stored by each node with probability γ. To improve readability, this corollary is also proved in the Appendix.

Corollary 3. Let α(u, v) and β(u, v) be defined as in Eq. (6). Assume full visibility among the sensors, and consider a global intermittent sink of parameter γ, accessing the network at time t and trying to recover a specific sensed datum. Let X denote the time before the sink collects a given datum, and E[X] denote its expectation.

(i) In general, it holds
$$E[X] \approx \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n \sum_{k=0}^{x-1} i(t + k)\right). \qquad (8)$$

(ii) If there exists μ < 1 such that, for all k > 0, the fraction of infected nodes at time t + k can be lower bounded as i(t + k) ≥ (1 − μ)^k i(t), Eq. (8) can be turned into the more explicit bound
$$E[X] \le \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n\, i(t) \cdot x\right).$$

(iii) Finally, if the process does not suffer from remarkable statistical fluctuations, if u is chosen so that α(u, v) ≥ β(u, v), and at time t the fraction of infected nodes has already reached steady state STEADY1, it holds
$$E[X] \approx \frac{1}{\gamma n\left(1 - \frac{\beta(u, v)}{\alpha(u, v)}\right)} = \frac{\alpha(u, v)}{\gamma n(\alpha(u, v) - \beta(u, v))}.$$

Proof. In the Appendix.
Corollary 3 provides three different estimates for the time needed to retrieve a specific datum, which become more and more explicit as the process gets more predictable. The experiments presented in Section 6 will provide an even deeper insight into the effort demanded of the sink to collect the datum.

3.3. Trade-off between Energy Consumption, Data Survivability and Collecting Time

Assuming that the process has reached steady state STEADY1, the following theorem introduces a trade-off between data survivability, bandwidth and power consumption, and collecting time. Observe that a similar result could be stated independently of the fact that the system is in steady state STEADY1, but it would not be as expressive.

Theorem 2. Let α(u, v) and β(u, v) be defined as in Eq. (6). Assume full visibility among the sensors and the presence of a global intermittent sink of parameter γ. If the system has reached steady state STEADY1 at time t, for each u such that α(u, v) > β(u, v), the following three conditions hold:

(i) The expected number of messages sent per round is $nu\left(1 - \frac{\beta(u, v)}{\alpha(u, v)}\right)$;
(ii) The expected collecting time is (approximately) $\frac{\alpha(u, v)}{\gamma n(\alpha(u, v) - \beta(u, v))}$;
(iii) The evolution of the fraction of infected nodes is governed by Theorem 1, Corollary 1, and Corollary 2; in particular, the probability to lose the datum in a single round is upper bounded by $\exp\left(-\frac{(\alpha(u, v) - \beta(u, v))^2\, n}{8\alpha(u, v)^2}\right)$.
Proof. Let us prove each one of the three statements independently:

(i) By construction, the expected number of messages sent by each infected sensor is u. By the linearity of expectation, the expected number of messages sent in total is just the product of u times the number of infected nodes. If the system is in STEADY1, such number is $n\left(1 - \frac{\beta(u, v)}{\alpha(u, v)}\right)$, so we expect in total $nu\left(1 - \frac{\beta(u, v)}{\alpha(u, v)}\right)$ messages.
(ii) It is a direct consequence of statement (iii) of Corollary 3.
(iii) Theorem 1, Corollary 1, and Corollary 2 all have the same, very simple, hypotheses, which are satisfied. In particular, if we denote $\delta = \frac{(\alpha(u, v) - \beta(u, v))^2}{8\alpha(u, v)^2}$, we have $d = 2\sqrt{2\delta} = 1 - \frac{\beta(u, v)}{\alpha(u, v)} < 1 - \beta(u, v)$. The hypotheses of statement (iii) of Corollary 1 are thus satisfied, and the desired bound follows directly from it.

Theorem 2 provides instruments to predict the number of messages sent per round and the number of rounds needed for a datum d to reach the sink, and this is a fundamental preliminary result to estimate energy costs in real-life implementations. However, since this paper is tailored towards a high-level, technology-independent analysis, a detailed analysis of more practical aspects (e.g., power consumption and network lifetime) is beyond the scope of this paper and is left for future work.

4. Epidemic Data Survivability (Geometric model)

In Section 3, we have shown that a sufficiently high replication rate ensures that the probability of having the datum destroyed by μADV is negligible. In particular, we proved that under suitable conditions (most of all: a large network) the effect of statistical fluctuations is negligible and the evolution of the infection can be fairly predicted using a deterministic SIS model. However, the analysis presented in Section 3 relies on the assumption of full visibility among the n sensors composing the network, while in concrete UWSNs two sensors can communicate only when they are sufficiently close. In this section we extend all results of Section 3 to the more realistic geometric model, whose only difference with the system model considered so far consists in the introduction of an additional parameter: the sensors' transmission range r_n, equal for all sensors, but related to the size of the network to guarantee coverage of the monitored area. More precisely, we assume that sensor nodes are randomly scattered over a unit square, and that two sensors can communicate if and only if their distance is not larger than r_n, where r_n ≪ 1.
The main consequence of the adoption of the geometric model is that a susceptible sensor b ∈ S(t) can be infected only by neighboring nodes. Under full visibility, b's "neighborhood" included all n sensors, but now the expected number of sensors able to reach b is m = πr_n² n, and only a fraction i(t) of them are expected to be infected at time t. More precisely, let a ∈ I(t). The probability that a infects b is given by the product of the probabilities that a is in b's neighborhood and that a selects b as a recipient of the target datum. The former probability is πr_n² because sensors are randomly deployed, while the latter probability is p by construction. As a consequence, in the geometric model we have p* = πr_n² p and b contracts the disease with probability
$$q = 1 - (1 - \pi r_n^2 p)^{n\, i(t)} \ge u'\left(1 - \frac{u'}{2}\right) i(t),$$
where u' = πr_n² pn.

While the μADV behaves exactly as in the full visibility model, our geometric model assumes the presence of an itinerant intermittent sink. Such a sink moves inside the network according to the random jump mobility model, i.e., its speed is set so that it can reach each point of the network in one round. The sink is intermittent, in the sense that it turns off the transceiver before moving to another point of the network, and it turns the transceiver back on only at its arrival. Additionally, the itinerant sink can communicate only with sensors at distance ≤ r_n, and, as for the global sink, it retrieves data stored by each sensor in its communication range independently with probability γ < 1. Summing up, in the geometric model the behavior of sensors, adversary, and sink in each round is the following:

• All infected sensors forward the datum to each other sensor with probability p. Since the message is received only if the recipient is at distance ≤ r_n from the sender, each susceptible sensor receives the datum with probability p* = πr_n² p.
• The μADV attacker compromises a number l of sensors and deletes all copies of the target datum she finds.
• The global intermittent sink retrieves the information from any sensor at distance ≤ r_n with probability γ.

The only difference with respect to the full visibility model resides in the way α depends on our system parameters.
In the geometric model, we have
$$\begin{cases} \alpha = \alpha(u', v) = u'\left(1 - \dfrac{u'}{2}\right)(1 - v) \\[4pt] \beta = \beta(u', v) = v \end{cases} \qquad (9)$$
but the process evolves identically, with two steady states, STEADY0 reached when i(t) = 0, and STEADY1 reached when i(t) = 1 − β/α. Analogously, all our results (Theorem 1, Corollary 1, Corollary 2, and Corollary 3) can be restated for the geometric model, with only a few adjustments, reported in the following for the sake of clarity.
4.1. Data Survivability Under the Geometric Model

In this section, we will discuss data survivability under the more realistic geometric model, with a sequence of results analogous to those presented in Section 3.1. First, Theorem 3, identical to Theorem 1 for the full visibility model, shows that the probability that i(t + 1) deviates from its expected value E[i(t + 1)] decays exponentially fast. Then, Corollary 4, analogously to Corollary 1, shows how to leverage Theorem 3 to lower bound i(t + 1) with high probability, based on the value of i(t). Finally, Corollary 5, similarly to Corollary 2, extends the probabilistic lower bound to consider the process behavior over a number T of rounds.

Theorem 3. Consider a network composed of n sensors, where each sensor's transmission range is r_n. Assuming that the local and overall density coincide, it holds:
$$\Pr\left[E[i(t+1)] - i(t+1) > \varepsilon \mid i(t)\right] \le \exp\left(-\frac{n\varepsilon^2}{2(1 + 3i(t))}\right) < \exp\left(-\frac{n\varepsilon^2}{8}\right).$$
Proof. The theorem can be proved by replicating entirely the proof of Theorem 1 (reported in the Appendix), simply replacing u with u' = πr_n² pn.

Corollary 4. Let α(u', v) and β(u', v) be defined as in Eq. (9), and assume that the hypotheses of Theorem 3 are satisfied. The following results hold:

(i) Let c and δ satisfy
$$d = 2\sqrt{2\delta} - c \le \frac{(1 - \beta(u', v))^2}{4}.$$
Then, if
$$\hat{\alpha} = \beta(u', v) + 2d + \sqrt{4d^2 + 4d\,\beta(u', v)},$$
it holds $\hat{\alpha} \le 1$ and, for all u' such that $\hat{\alpha} \le \alpha(u', v) \le 1$, there exists an interval $A \subset \left(0,\, 1 - \frac{\beta(u', v)}{\alpha(u', v)}\right)$ such that $i(t) \in A$ implies $\Pr[i(t + 1) < i(t) - c] \le \exp(-\delta n)$.

(ii) Let $d = 2\sqrt{2\delta}$. If $d < 1 - \beta(u', v)$ and $\alpha(u', v) \ge \frac{\beta(u', v)}{1 - d}$, there exists a threshold $i_\delta \le 1 - \frac{\beta(u', v)}{\alpha(u', v)}$ such that $i(t) \ge i_\delta$ entails $\Pr[i(t + 1) = 0] \le \exp(-\delta n)$.

Proof. The proof is completely analogous to the proof of Corollary 1 reported in the Appendix, by just considering α = α(u', v) as in Eq. (9) instead of α = α(u, v) as in Eq. (6).
Corollary 5. Let α(u', v) and β(u', v) be defined as in Eq. (9), and assume that the hypotheses of Theorem 3 are satisfied. For any μ ∈ (0, 1), the following result holds:
$$\Pr\left[i(t + T) < (1 - \mu)^T i(t)\right] \le \sum_{k=1}^{T} p(k, \mu, i(t))$$
where
$$p(k, \mu, i(t)) = \exp\left(-\frac{n}{8}\Big[(\mu + \alpha(u', v)\,\pi r_n^2 - \beta(u', v))(1 - \mu)^{k-1} i(t) - \alpha(u', v)\,\pi r_n^2\,(1 - \mu)^{2k-2} i(t)^2\Big]^2\right),$$
that is:
$$p(k, \mu, i(t)) \in O\left(\exp\left(-n(1 - \mu)^{2k-2} i(t)^2\right)\right).$$

Proof. Once again, the proof is completely analogous to the proof of Corollary 2 reported in the Appendix, by just considering α = α(u', v) as in Eq. (9) instead of α = α(u, v) as in Eq. (6).

4.2. Itinerant Intermittent Sink Collecting Time

To complete the characterization of the geometric model, we now consider the activity of an itinerant intermittent sink, which moves around the network collecting data from the sensors that are within its communication range. As described before, the itinerant intermittent sink is parametrized by a constant γ < 1, which is the probability to retrieve data stored by each sensor at distance ≤ r_n, independently of the other nodes.

Corollary 6. Let α(u', v) and β(u', v) be defined as in Eq. (9). Further, assume that the sink can communicate with a sensor only if their distance is ≤ r_n. Consider an itinerant intermittent sink of parameter γ, accessing the network at time t and trying to recover a specific sensed datum. Let X denote the time before the sink collects a given datum, and E[X] denote its expectation.

(i) In general, it holds
$$E[X] \approx \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n \sum_{k=0}^{x-1} i(t + k)\right). \qquad (10)$$

(ii) If there exists μ < 1 such that, for all k > 0, the fraction of infected nodes at time t + k can be lower bounded as i(t + k) ≥ (1 − μ)^k i(t), Eq. (10) can be turned into the more explicit bound
$$E[X] \le \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n\, i(t) \cdot x\right).$$

(iii) Finally, if the process does not suffer from remarkable statistical fluctuations, if u' is chosen so that α(u', v) > β(u', v), and at time t the fraction of infected nodes has already reached steady state STEADY1, it holds
$$E[X] \approx \frac{1}{\gamma n\left(1 - \frac{\beta(u', v)}{\alpha(u', v)}\right)} = \frac{\alpha(u', v)}{\gamma n(\alpha(u', v) - \beta(u', v))}.$$

Proof. Statements (i) and (ii) are identical to the corresponding statements of Corollary 3 (proved in the Appendix), and the same holds for their proofs. The proof of statement (iii) is completely analogous to the proof of the corresponding statement of Corollary 3, by just substituting α = α(u', v) as in Eq. (9) for α = α(u, v) as in Eq. (6).

4.3. Trade-off between Energy Consumption, Data Survivability and Collecting Time

Similarly to the full visibility case, let us finally identify a trade-off between data survivability, bandwidth and power consumption, and collecting time valid in the geometric model.

Theorem 4. Assume that communication among sensors and between a sensor and the sink can only take place within a transmission range r_n, and consider the presence of a global intermittent sink of parameter γ. If the system has reached steady state STEADY1 at time t, for each u' such that α(u', v) > β(u', v), the following three conditions hold:
(i) The expected number of messages sent per round is $nu\left(1 - \frac{\beta(u', v)}{\alpha(u', v)}\right)$, where u = pn is defined as in full visibility.
(ii) The expected collecting time is (approximately) $\frac{\alpha(u', v)}{\gamma n(\alpha(u', v) - \beta(u', v))}$.
(iii) The evolution of the fraction of infected nodes is governed by Theorem 3, Corollary 4, and Corollary 5; in particular, the probability to lose the datum in a single round is upper bounded by $\exp\left(-\frac{(\alpha(u', v)\,\pi r_n^2 - \beta(u', v))^2\, n}{8\alpha(u', v)^2 \pi^2 r_n^4}\right)$.

Proof. The proof is completely analogous to the proof of Theorem 2, by just substituting α = α(u', v) as in Eq. (9) for α = α(u, v) as in Eq. (6).

5. Distributed On/Off Strategy

In the previous sections, we have seen that the effort demanded of the sensors to ensure data survivability strongly depends on the power of the adversary, quantified by the parameter v, and on the size n of the network. On the one hand, we know that it is necessary to set u (u' in the geometric model) so that α(u, v) is larger than β(u, v). On the other hand, how much larger depends on n, since the probability to lose the datum due to statistical fluctuations is exponentially small in n. In this section, we aim at showing that in some circumstances it is even possible to let the sensors turn off their transceivers for some time. The idea is that when the adversary's compromising power v is particularly small, or if n is large enough to make statistical fluctuations negligible, we can limit useless standby and on/off energy consumption by letting the sensors switch between silent intervals and replication intervals (possibly at a slightly larger rate). In the following, we will only focus on the SIS model parameters α and β to provide a general discussion that fits both models considered. We analyze how a distributed on/off strategy can be implemented in the network and what
are its consequences. Once a suitable strategy has been identified in terms of α and β, it is easy to find the necessary u or u' relying respectively on Eq. (6) and Eq. (9). Different strategies are possible when designing a distributed scheme for information handling and diffusion. The most important characteristic of the scheme is how much interaction is required of the nodes. Since the purpose of letting some nodes turn off the transceiver is energy saving, it does not make sense to design a scheme where specific communication between sensors is required to schedule a cooperative behavior. As a consequence, we focus on designing a strategy that avoids any kind of communication between the nodes and that, once defined at setup time, can be followed by each node independently of all others.

5.1. Maximum Off Interval Length

The first thing we need to do is to understand for how much time a node can be continuously off. Since sensors act independently of each other, sooner or later it will happen that all nodes go simultaneously off. The maximum length of the off interval must be set taking into account this unlucky circumstance. Therefore, suppose all nodes are off, while the attacker uses all its power to compromise the sensors. The fraction of infected nodes varies as
$$i'(t) = -\beta\, i(t). \qquad (11)$$
The differential equation Eq. (11) has the following solution: i(t) = i₀ exp(−βt), where i₀ is the fraction of nodes storing a copy of the datum at the moment all the nodes turn the transceiver off. If we want to estimate how much time can pass before the infected fraction of the network falls below a threshold ε < i₀, we need to impose the condition i(t) = i₀ exp(−βt) ≥ ε, which is satisfied for
$$t \le t_\varepsilon(\beta) = -\frac{1}{\beta}\ln\frac{\varepsilon}{i_0}. \qquad (12)$$
Eq. (12) exhibits a necessary condition for the survival of the sensed information: once ε is fixed (e.g., based on the probability to lose the datum, as discussed in Section 3.1), sensors cannot be off for an interval longer than t_ε(β), which depends both on ε and on the capability β of the adversary. Observe that i₀ can vary according to what happened until the moment the sensors turned off. However, in Section 5.2 we will see that the number of active nodes at any time t can be accurately predicted. Based on the number of active nodes, and on the (fixed) length of the activity interval, it is therefore possible to probabilistically lower bound i₀, as a function of the initial conditions and of the threshold ε.
5.2. On/Off Strategy Details

The best way to save energy and be resilient to a wide range of attacks is designing a scheme that allows each node to behave in a predetermined way, which depends neither on the collaboration with other nodes nor on any type of central control. However, a completely predetermined scheme can rarely provide optimal solutions. The purpose of this section is to analyze how the parameters of the scheme can be set so as to provide the best possible solution in terms of a trade-off between data survivability and energy saving. The rationale behind the following predetermined strategy is that it should ensure that the number of active nodes is always sufficiently large to avoid data loss, but not so large as to incur useless energy consumption. According to this idea, we design the scheme as follows. Let T_ON denote the predetermined activity time: every time a node turns on, it stays on for time T_ON. Similarly, let T_OFF denote the inactivity time, which, however, must be considered as the maximum time a node can spend being inactive. For instance, T_OFF can be set as the value t_ε(β) defined in Section 5.1. Each sensor behaves as follows:

• at time 0, it turns on and stays active for time T_ON;
• at time T_ON, the node randomly selects an inactivity time t₁ ∈ [0, T_OFF] and stays off until time T_ON + t₁;
• at time T_ON + t₁, the node turns back on and stays active for a time interval of length T_ON;
• at time 2T_ON + t₁, the node picks another time interval t₂ ∈ [0, T_OFF] and turns off until time 2T_ON + t₁ + t₂;
• in general, for all j ∈ ℕ, the node is active from time $jT_{ON} + \sum_{k=1}^{j} t_k$ till time $(j + 1)T_{ON} + \sum_{k=1}^{j} t_k$, and is inactive from time $(j + 1)T_{ON} + \sum_{k=1}^{j} t_k$ till time $(j + 1)T_{ON} + \sum_{k=1}^{j+1} t_k$.
Observe that a similar behavior is well suited for our scenario for a number of reasons: (i) by letting all nodes start in the "on" state, the infection is expected to initially propagate quickly; (ii) if the time a sensor is active is fixed, we prevent the possibility that sensors turn back off right after having turned on, which would make the evolution of the process much more difficult to predict, with possibly serious consequences; (iii) if, on the other hand, the length of the inactivity interval is a random variable, the more time passes, the more legitimate it is to expect that some sensors are on and others are off, even if they were all on at the beginning. For a more precise description of the behavior of each sensor, for all j ∈ ℕ, we can define the variable $T_j = jT_{ON} + \sum_{k=1}^{j} t_k$ (with T₀ = 0), and denote by
$$\mathbb{1}_{ON}(t) = \sum_{j=0}^{\infty} \mathbb{1}\{T_j \le t < T_j + T_{ON}\}$$
the characteristic function of the event "the node is active at time t". The probability that the sensor is active at time t can be denoted as P_t = Pr[𝟙_ON(t) = 1], and is given by
$$P_t = \sum_{j=0}^{\infty} \Pr[T_j \le t < T_j + T_{ON}] = \sum_{j=0}^{\infty} \Pr\Big[jT_{ON} + \sum_{k=1}^{j} t_k \le t < (j + 1)T_{ON} + \sum_{k=1}^{j} t_k\Big] = \sum_{j=0}^{\infty} \Pr\Big[t - (j + 1)T_{ON} < \sum_{k=1}^{j} t_k \le t - jT_{ON}\Big].$$
The probability is computed as a sum over all j ≥ 0, but, for a fixed t, only a finite number of terms give a positive contribution. Since t_k ≥ 0, we must impose t − jT_ON ≥ 0, that is, j ≤ t/T_ON. At the same time, if we assume that (at least with high probability) t_k ≤ T_OFF, we have t − (j + 1)T_ON ≤ jT_OFF, that is, j ≥ (t − T_ON)/(T_ON + T_OFF). Summing up, if we denote $t(j) = \sum_{k=1}^{j} t_k$, we have
$$P_t = \sum_{j = \frac{t - T_{ON}}{T_{ON} + T_{OFF}}}^{\frac{t}{T_{ON}}} \Pr[t - (j + 1)T_{ON} < t(j) \le t - jT_{ON}]. \qquad (13)$$
The probability expressed by Eq. (13) depends on the distribution of the variables t_k. A very natural assumption, for instance, is that t_k is exponentially distributed. The parameter λ of the distribution is found by imposing Pr[t_k > T_OFF] = exp(−M), for a sufficiently large M, which corresponds to λ = M/T_OFF. In this case, t(j) is distributed as an Erlang(j, λ) variable, which is nothing else but a special case of the Gamma distribution when j is an integer. t(j) has cumulative distribution function (CDF) given by
$$F(x) = \Pr[t(j) \le x] = 1 - \sum_{k=0}^{j-1} \frac{e^{-\lambda x}(\lambda x)^k}{k!} = \mathrm{Poi}_{\lambda x}([j, +\infty)),$$
where Poi_{λx} denotes the CDF of a Poisson variable of mean λx. Finally, we can define
$$p_t(j) = \Pr[t - (j + 1)T_{ON} < t(j) \le t - jT_{ON}] = \Pr[t(j) \le t - jT_{ON}] - \Pr[t(j) \le t - (j + 1)T_{ON}] = \mathrm{Poi}_{\lambda(t - jT_{ON})}([j, +\infty)) - \mathrm{Poi}_{\lambda(t - (j + 1)T_{ON})}([j, +\infty))$$
and we have
$$P_t = \sum_{j = \frac{t - T_{ON}}{T_{ON} + T_{OFF}}}^{\frac{t}{T_{ON}}} p_t(j).$$
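As an added example (not from the paper), the following Python code evaluates P_t through the Erlang/Poisson expression for p_t(j) with exponentially distributed off-times of rate λ = M/T_OFF, and checks it against a Monte Carlo simulation of n independent sensors following the schedule of Section 5.2. The function names and the sample values T_ON = 1, T_OFF = 2, M = 5 are choices made here, not the paper's; the sum runs over every j ≤ t/T_ON, so the paper's lower summation limit is not needed.

```python
# Added example (not part of the paper): activity probability P_t of the distributed
# on/off strategy, computed from p_t(j) with exponential off-times and checked by
# simulating independent sensors. Parameter values below are constructed here.
import math
import random


def poisson_tail(mean, j):
    """Poi_mean([j, +inf)) = 1 - sum_{k<j} e^{-mean} mean^k / k!; equals the CDF of an
    Erlang(j, lambda) variable evaluated at x = mean / lambda."""
    if mean <= 0.0:
        return 0.0
    term, cdf = math.exp(-mean), 0.0
    for k in range(j):
        cdf += term
        term *= mean / (k + 1)
    return max(0.0, 1.0 - cdf)


def erlang_cdf(j, lam, x):
    """Pr[t(j) <= x] where t(j) = t_1 + ... + t_j and t_k ~ Exp(lam); t(0) = 0."""
    if j == 0:
        return 1.0 if x >= 0.0 else 0.0
    return poisson_tail(lam * x, j) if x > 0.0 else 0.0


def p_t(j, t, t_on, lam):
    """p_t(j) = Pr[t - (j+1) T_ON < t(j) <= t - j T_ON]: the j-th activity interval
    [T_j, T_j + T_ON) covers time t."""
    return erlang_cdf(j, lam, t - j * t_on) - erlang_cdf(j, lam, t - (j + 1) * t_on)


def prob_active(t, t_on, t_off, m):
    """P_t = sum_j p_t(j), with lambda = M / T_OFF so that Pr[t_k > T_OFF] = exp(-M).
    Since t_k >= 0, only j <= t / T_ON can contribute; summing from j = 0 instead of
    the paper's lower limit keeps the exponentially small terms it drops."""
    lam = m / t_off
    return sum(p_t(j, t, t_on, lam) for j in range(int(t // t_on) + 1))


def node_active_at(t, t_on, lam, rng):
    """Simulate one sensor's schedule up to time t; True if its transceiver is on at t."""
    start = 0.0  # T_j, start of the current activity interval (T_0 = 0)
    while True:
        if t < start + t_on:
            return True  # t in [T_j, T_j + T_ON)
        next_start = start + t_on + rng.expovariate(lam)  # T_{j+1} = T_j + T_ON + t_{j+1}
        if t < next_start:
            return False  # t in the inactivity interval [T_j + T_ON, T_{j+1})
        start = next_start


def simulate_fraction_active(t, n, t_on, t_off, m, seed=0):
    """Fraction of n independent sensors active at time t, i.e. an estimate of X_t / n."""
    rng = random.Random(seed)
    lam = m / t_off
    return sum(node_active_at(t, t_on, lam, rng) for _ in range(n)) / n


if __name__ == "__main__":
    T_ON, T_OFF, M = 1.0, 2.0, 5.0
    for t in (0.5, 1.5, 3.0, 7.3, 20.0):
        exact = prob_active(t, T_ON, T_OFF, M)
        sim = simulate_fraction_active(t, 4000, T_ON, T_OFF, M, seed=1)
        print(f"t={t:5.1f}  P_t={exact:.4f}  simulated X_t/n={sim:.4f}")
```

For T_ON ≤ t < 2T_ON only the j = 1 term survives, so P_t = 1 − e^{−λ(t − T_ON)}, which the code reproduces exactly; for larger t the Monte Carlo estimate agrees with P_t up to the binomial noise bounded by the Chernoff inequality that follows.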
Let X_t be the number of active sensors at time t. By the linearity of expectation, we have E[X_t] = nP_t. Further, since sensors behave independently of each other, X_t is a binomial of parameters P_t and n. Using the well-known Chernoff bound, we obtain
$$\Pr[X_t > n(P_t + \delta)] \le \exp\left(-\frac{n\delta^2}{2P_t(1 - P_t)}\right), \qquad \Pr[X_t < n(P_t - \delta)] \le \exp\left(-\frac{n\delta^2}{2P_t(1 - P_t)}\right).$$
In other words, the probability to deviate from the expected value decays exponentially fast with n.

5.3. Summary of the Scheme and Consequences

In Section 5.1, we showed how to fix the maximum time a node can continuously be inactive, as a function of the minimum fraction of infected nodes we can tolerate and of the corruption capability of the adversary. Then, in Section 5.2, we described the proposed distributed on/off strategy, showing that, especially when the network is very large, the number of simultaneously active nodes is highly predictable, as a function of the parameters of the scheme. Therefore, let us assume that the number of active nodes at time t is nP_t, or, equivalently, that the fraction of active nodes is P_t. Since the on/off strategy does not assume any difference in the behavior of infected and susceptible nodes, we can assume that the fraction of infected and active nodes is P_t i(t) and that the fraction of susceptible and active nodes is P_t(1 − i(t)). This means that the evolution of the network is now described by the following differential equation:
$$i'(t) = \alpha P_t (1 - i(t))\, P_t\, i(t) - \beta P_t\, i(t) = (\alpha P_t^2 - \beta P_t)\, i(t) - \alpha P_t^2\, i^2(t).$$

6. Experimental Results

The purpose of this section is to confirm via experiments most of the theoretical findings presented in this paper. All the experimental results have been obtained with an ad-hoc simulator developed in Java. In all figures, synthetically generated data are compared with our analytical predictions/bounds, in order to provide a practical proof of the validity of the latter. Confident that Figure 3 suffices to clarify that the proposed model better fits real systems than the plain SIS model presented in [19], in this section we do not include any further reference to previous work. In Section 7 we will better motivate why a direct comparison with other papers would be impossible, or at least meaningless.
In Section 3.1, we proved the core Theorem 1 that describes the evolution of the network. Figure 4 confirms via experiments the validity of this result by showing that the predictions are close to the simulation outcome. In more detail, the simulator is used to build two networks having respectively $n = 100$ (Figure 4(a)) and $n = 10000$ (Figure 4(b)) sensors with full visibility. The remaining parameters are identical for both networks: $\alpha = 0.45$, $\beta = 0.1$, $I(0) = 30$, and $t = 50$ rounds (x axis). For both networks, starting from $t = 0$, at each round $t$ we counted the fraction of infected sensors $i(t) = I(t)/n$; then, we simulated a round 100 times, preserving only the minimum observed value for $i(t+1)$. In other words, the value $i(t+1)$ reported on the y-axis in correspondence of value $t+1$ on the x-axis (red crossed line) is the worst-case scenario for data survivability over the outcomes of 100 independent trials. This means that our simulation is biased on purpose towards losing the datum. However, the network parameters do not allow the datum to be lost completely, since $\alpha \gg \beta$ and the network eventually reaches a stable state where the datum survives. In the meantime, at the start of each round $t+1$ we computed and depicted in both sub-figures both the lower bound for $E[i(t+1)\,|\,i(t)]$ induced by Eq. (4) (green circled line), and the same bound shifted by $-\varepsilon = -0.05$ (blue squared line). The idea is to compare the aforementioned simulated worst-case scenario not only with a lower bound for the expectation of $i(t+1)$, but also with a prediction that accounts for unlucky statistical fluctuations. The result of the experiment is that simulated data are (almost) always between the lower bound for $E[i(t+1)]$ and its shifted version in the small network, and always above the lower bound in the large network. Since the lower bound is directly affected by the network size, it is not surprising to observe higher accuracy in the estimation made for the large network; in this case the prediction describes the system well. In the small network, the lower bound provides a tight description of the system, but it fails at bounding from below the worst simulation outcome at each round. However, Theorem 1 admits an $\varepsilon$ precision factor. In particular, we observe that by taking $\varepsilon = 0.05$ even worst-case simulations go below the shifted lower bound only once in 50 rounds. Thus, even in the small network, Theorem 1 is an efficient tool for predicting the evolution of the network.

We have already shown in Figure 4 that the effect of statistical fluctuations vanishes as the size of the network increases (see also Theorem 1). In Figure 5 we highlight this aspect further. To this aim, we used the simulator to generate three networks of $n = 100$ (red crossed line), $n = 200$ (blue starry line), and $n = 500$ (yellow squared line) sensors with full visibility, using parameters $\beta = 0.2$, $\alpha$ varying in the range $[0, 0.4]$, and $t = 300$ rounds. For each of these networks, we plotted the fraction of infected sensors $i(t)$ at the end of the rounds, averaged over 100 iterations of the experiment, together with the predicted value obtained through the application of Eq. (3). We can observe that networks with a larger number of sensors are less likely to lose the datum at early rounds compared to small networks, and that the prediction provides a good lower bound for data survivability in critical configurations (e.g., small networks with low contagion rates). For higher contagion rates, the difference between the prediction and the simulation average increases, but this is justified by the fact that the prediction captures the worst-case scenario (see also Figure 3).

In Figure 6, we want to experimentally evaluate Corollary 3, which estimates the collecting time of a global intermittent sink. Thus, we generated a UWSN made of 100 sensors with full visibility, and a global intermittent sink that
[Figure 4: two panels; x-axis: rounds (0 to 50), y-axis: infected sensors; series: Simulation, Prediction −0.05, Prediction. (a) Network of 100 sensors. (b) Network of 10000 sensors.]
Figure 4: Experimental evaluation of Theorem 1. At each round, the expected value $E[i(t+1) - i(t)\,|\,i(t)]$ is computed according to the theorem and compared with the simulation outcomes.
[Figure 5: x-axis: contagion rate (0 to 0.4), y-axis: infected sensors; series: n = 40, n = 80, n = 120, Prediction.]
Figure 5: The size of the network affects data survivability for low contagion rates.
[Figure 6: x-axis: contagion rate (0 to 0.5), y-axis: rounds (ticks 10, 100, 1000); series: Simulation Average, Prediction.]
Figure 6: Collecting time of a Global Intermittent Sink and full visibility among sensors.
collects information with a rate $\gamma$ set to 0.001. The parameter $\beta$ is set to 0.2, while the contagion rate varies. The figure compares the expected collecting time computed according to Corollary 3 (green dotted line) with the outcomes of the simulation (red crossed line). The prediction is very accurate on the whole spectrum.

Previous simulations focused on the full visibility model, which assumes an unlimited transmission range for sensors. Instead, the following experiments focus on evaluating the theory developed in Section 4 for the geometric model. Their result is depicted in Figure 7. We used the simulator to generate a network made of $n = 100$ uniformly distributed sensors with transmission range $r_n = 0.2$. To obtain Figure 7(a), we fixed $\alpha = 0.2$ using different values for $\beta$, and we let the simulation run for $t = 300$ rounds. Similarly, Figure 7(b) is obtained by fixing $\beta = 0.1$ with $\alpha$ varying, running the simulation for $t = 300$ rounds. Finally, Figure 7(c) has been made using $\beta = 0.1$, varying $\alpha$, and using the rate $\gamma = 0.001$ for the local intermittent sink. All these sub-figures show that the geometric model behaves similarly to the full visibility model, except for a scaling factor that depends on the transmission range $r_n$. This result is coherent with the theory we developed.

7. Related Work

Since the seminal work of Kermack and Mckendrick [16], mathematical models have been extensively used to predict the spreading of a disease within a given population. However, their application is not limited to biological systems: already in 1987, Demers et al. [21] successfully applied epidemic theory to develop an algorithm for replicating data at many sites. Later, similar approaches were used to address problems related to the unique security and efficiency requirements of Wireless Ad-Hoc Networks [22], with particular attention to the Wireless Sensor Network (WSN) paradigm.
Based on the rationale that the way in which a gossip, a message, or a computer virus propagates in a network directly resembles the spreading process of a disease in a biological population, epidemic theory was successfully applied to gossip spreading [23, 24], efficient broadcasting [25, 26, 27], and resilience to computer viruses [28, 29, 30]. The most common issues encountered when developing epidemic-based applications and models for WSNs are: broadcast (i.e., all sensors reached), flooding (i.e., redundant transmissions between sensors) and survivability (i.e., interrupted transmissions) of the datum (e.g., gossip, message, or computer virus depending on the application). The reason is simply that data dissemination over the network is a critical property for WSN applications. In this paper, we do not aim at broadcasting the datum to all sensors, although this could incidentally happen. Instead, we focus on ensuring the survivability of the datum in UWSNs, aiming to reduce as much as possible the waste of resources (e.g., power consumption, communication bandwidth) among sensors. In fact, as long as the datum survives, the sink is able to retrieve it. The problem is not new, and it has been addressed in the literature with a diverse range of
[Figure 7: three panels. (a) x-axis: healing rate (0 to 1), y-axis: infected sensors; series: Simulation, Simulation Average, Prediction. (b) x-axis: contagion rate (0 to 0.45), y-axis: infected sensors; series: Simulation, Simulation Average, Prediction. (c) x-axis: contagion rate (0 to 0.45), y-axis: rounds (ticks 10, 100, 1000); series: Simulation Average, Prediction.]
(a) Data survivability in the geometric model when the healing rate varies. (b) Data survivability in the geometric model when the contagion rate varies. (c) Collecting time considering a Local Intermittent Sink.
Figure 7: Comparison between predictions and simulations in the geometric model.
assumptions and techniques. In [31, 32], the authors consider a network model in which dead/compromised nodes cannot be restored, and they consequently ground their analysis on the SIR epidemic model (in contrast to the SIS model considered here). As a consequence, the (expected) evolution of the network in [31, 32] is governed by a set of equations different from those considered in our paper. In [33], the authors consider a more general scenario, with three possible statuses (“has info”, “No info”, “Dead”) and additional parameters (active link probability, death rate, resurrection rate), with the purpose of identifying the circumstances that prevent an exponentially fast extinction of the datum of interest. In short, they generalize the threshold condition $\beta \ge \alpha$ (which, as recalled in Section 2.1, causes information loss in the SIS model) to their envisaged scenario (and, in fact, they mention the SIS model as a special case). Additionally, the authors of [31, 32, 33] only focus on obtaining a “deterministic” predictive model able to capture the expected behavior of their networks. Any direct comparison between our findings and the conclusions drawn there would therefore be meaningless even if the system model coincided: the purpose of our paper is exactly to show that the expected behavior of the network is not the correct metric to be used to tune the replication rate for data survivability. To the best of our knowledge, the only previous works trying to minimize the replication rate subject to data survivability requirements in the considered threat/system model are [18, 19]. However, in Section 2.3 we provided theoretical arguments against some coarse-grained assumptions made in [18, 19], while in Section 3 we experimentally verified (see Figure 3) that our theoretical findings are significantly more reliable than those obtained in [19].
Ours is a seminal paper that reworks the analysis done in [19], fixing a few modeling issues and providing the first closed results for the problem considered. UWSNs have been introduced and further refined by Di Pietro et al. [1, 34], leading to a new branch in the WSN literature (see [35, 36, 37] for recent examples of application). The original idea [1] was to present a defence against a mobile adversary threatening to erase specific data from a sensor. This work has been extended to the case of a more powerful adversary capable of indiscriminately erasing all the data from a sensor [34]. Data survivability in UWSNs has been investigated from different standpoints and using different defence techniques, such as data obfuscation through cryptography [38, 39], sensor cooperation [40, 41, 37], secret sharing [10, 9], network coding [7], or a combination of the former [42]. All these approaches are, at least to some extent, confidentiality-oriented, and impose significant practical constraints. Even when the solution aims at addressing limited bandwidth and sensor buffers [7], time delays and computational overheads discourage real-time applications. The proposed replication scheme avoids such inconveniences and is suited for scenarios in which secrecy is not a requirement, guaranteeing data survivability, fast and predictable collecting time of the sink, and optimization of sensor resources.

Using replication as a basis for lightweight solutions for data survivability in a UWSN is a possibility already explored in the literature. The general relevance of this approach is confirmed by many very application-oriented papers that just use (instead of investigating) replication for data security in mobile sensor networks [43], but also for MANETs in general [44]. In [1, 34], as well as in [39], the impact of adding replication on top of the considered technique is evaluated. However, in all cases the authors simply show how the probability of losing a datum $d$ changes when the original source of $d$ generates $n$ replicas, describing the qualitative impact of $n$ by plotting these probabilities as $n$ takes a few small integer values. They do not consider the possibility that further replicas are generated in subsequent rounds, nor do they identify the minimum $n$ that guarantees survivability of $d$. Replication is considered more directly in [45, 46, 47]. The authors of [45] propose a direct comparison between $n$-fold replication and $(k, n)$ secret sharing, with respect to several security requirements. Yet, no minimal data survivability conditions are identified, and the impact of different parameters is only shown experimentally. In [46, 47] two specific schemes based on replication are presented, and their performance is evaluated. The novelty with respect to previously mentioned work is that replication is used iteratively, but instead of finding optimally efficient conditions for probabilistic data survivability, both schemes are conceived against a deterministic adversary and use a deterministic approach to guarantee that sensed data are not lost. In particular, in [46] the authors assume that the number of sensors compromised by the adversary at each round is $\le k$, with $k$ fixed and known in advance, and that sensors exchange information about their respective stored data at each round. Every time a sensor realizes that one of the replicas it generated was deleted by the adversary at another compromised node, it generates another $k + 1$ replicas.
It is self-evident that efficiency is not their primary goal, although the authors try to understand how the limitations of their scheme can be mitigated. In [47], instead, replication occurs on an on-demand basis, but assumptions and limitations are very similar to those in [46]: the compromising power of the adversary is bounded, and intensive communication between sensors is required.

8. Concluding remarks

As often done in the literature, in this paper we suggested the use of replication to assure data survivability in UWSNs. However, by analyzing the process by means of a combination of epidemic and probability theory, we provided novel insight into how to optimize data replication based on system parameters and security requirements. Our novel probabilistic analysis for the SIS model in fact permits identifying the minimum replication rate that guarantees data survivability even in the presence of reasonable statistical fluctuations, additionally describing how to trade off resource consumption against fast data collection. All results were obtained in both the full visibility and the geometric model, with extensive simulations confirming all of our findings. A side effect of our work is showing that using the original deterministic SIS model leads to inaccurate predictions that, if strictly followed, may expose the
network to data loss, contrary to previous results from the literature. Therefore, not only do our definitive results concerning data replication in UWSNs pave the way for further investigations in this domain, but our novel analysis should also be a reference for researchers of all fields studying processes that, despite being fairly described by epidemic models at a high level, are subject to unpredictable fluctuations. As for future work, we highlight two main directions. The first one is the analysis of different strategies for the sensors and for the adversary. In fact, the infection and healing processes of typical epidemic models assume uniform and independent probability distributions, and we stuck to these assumptions when characterizing our system model, without analysing possible alternatives. To model different strategies, we would first need to introduce a novel epidemic model that allows us to set distributions other than the uniform one; succeeding at building this model could lead to further work in the literature. The second main research direction lies in performing a detailed analysis of the power consumption of the network in real and practical settings. In this paper, we provided preliminary results in this direction without extending their application to contexts where the adopted technology is known; thus, we can aim at estimating numerically the power consumption of the sensors, and thus the network lifetime, with respect to the key parameters that characterize the hardware and the technology employed.
Acknowledgement

This work has been partially supported by: 1) the EU FP7-ICT project NESSoS (Network of Excellence on Engineering Secure Future Internet Software Services and Systems) under the grant agreement n.256980; and, 2) the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme - European Commission - Directorate-General Home Affairs, under the ExTraBIRE project, HOME/2009/CIPS/AG/C2-065. We would like to thank the anonymous reviewers for their comments, which helped improve the quality of the manuscript.

References

[1] R. Di Pietro, L. V. Mancini, C. Soriente, A. Spognardi, G. Tsudik, Catch Me (If You Can): Data Survival in Unattended Sensor Networks, 2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications (PerCom) (2008) 185–194.
[2] D. Ma, C. Soriente, G. Tsudik, New adversary and new threats: security in unattended sensor networks, IEEE Network 23 (2) (2009) 43–48.
[3] M. Albano, S. Chessa, R. Di Pietro, A model with applications for data survivability in critical infrastructures, Journal of Information Assurance and Security 4 (6) (2009) 629–639.
[4] A. G. Dimakis, V. Prabhakaran, K. Ramchandran, Decentralized erasure codes for distributed networked storage, IEEE/ACM Trans. Netw. 14 (2006) 2809–2816.
[5] B. Krishnamachari, D. Estrin, S. Wicker, Modelling data-centric routing in wireless sensor networks, in: Proceedings of IEEE INFOCOM, 2002.
[6] Y. Lin, B. Li, B. Liang, Stochastic analysis of network coding in epidemic routing, IEEE Journal on Selected Areas in Communications 26 (5) (2008) 794–808.
[7] W. Ren, J. Zhao, Y. Ren, Network coding based dependable and efficient data survival in unattended wireless sensor networks, JCM 4 (11) (2009) 894–901.
[8] R. Z., X. Sun, W. Liang, D. Sun, Z. Xia, Cads: Co-operative anti-fraud data storage scheme for unattended wireless sensor networks, Inform. Technol. J. 9 (7) (2010) 1361–1368.
[9] R. Di Pietro, S. Guarino, Data confidentiality and availability via secret sharing and node mobility in UWSN, in: Proceedings of the IEEE INFOCOM 2013, Turin, Italy, April 14-19, 2013, 2013, pp. 205–209.
[10] R. Di Pietro, S. Guarino, Confidentiality and availability issues in mobile unattended wireless sensor networks, in: World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2013 IEEE 14th International Symposium and Workshops on a, IEEE, 2013, pp. 1–6.
[11] G. Aliberti, R. Di Pietro, S. Guarino, Reliable and perfectly secret communication over the generalized Ozarow-Wyner's wire-tap channel, Computer Networks.
[12] C. Zhu, L. Shu, T. Hara, L. Wang, S. Nishio, L. T. Yang, A survey on communication and data management issues in mobile sensor networks, Wireless Communications and Mobile Computing 14 (1) (2014) 19–36.
[13] H. W. Hethcote, Epidemic models: Their structure and relation to data, Bulletin of Mathematical Biology 58 (5) (1996) 1019–1022.
[14] M. J. Keeling, K. T. D. Eames, Networks and epidemic models, J. R. Soc. Interface 2 (2005) 295.
[15] P. De, Y. Liu, S. K. Das, Modeling Node Compromise Spread in Wireless Sensor Networks Using Epidemic Theory, in: WOWMOM '06: Proceedings of the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks, IEEE Computer Society, Washington, DC, USA, 2006, pp. 237–243.
[16] W. O. Kermack, A. G. Mckendrick, A Contribution to the Mathematical Theory of Epidemics, Royal Society of London Proceedings Series A 115 (1927) 700–721.
[17] R. Di Pietro, N. V. Verde, Epidemic theory and data survivability in unattended wireless sensor networks: Models and gaps, Pervasive and Mobile Computing 9 (4) (2013) 588–597.
[18] R. Di Pietro, N. V. Verde, Introducing epidemic models for data survivability in unattended wireless sensor networks, in: 12th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, WOWMOM 2011, Lucca, Italy, 20-24 June, 2011, 2011, pp. 1–6.
[19] R. Di Pietro, N. V. Verde, Epidemic data survivability in unattended wireless sensor networks, in: Proceedings of the Fourth ACM Conference on Wireless Network Security, WISEC 2011, Hamburg, Germany, June 14-17, 2011, 2011, pp. 11–22.
[20] A. Seshadri, M. Luk, A. Perrig, L. van Doorn, P. K. Khosla, Scuba: Secure code update by attestation in sensor networks, in: Workshop on Wireless Security '06, 2006, pp. 85–94.
[21] A. Demers, D. Greene, C. Hauser, W. Irish, J. Larson, S. Shenker, H. Sturgis, D. Swinehart, D. Terry, Epidemic algorithms for replicated database maintenance, in: PODC '87: Proceedings of the sixth annual ACM Symposium on Principles of distributed computing, ACM, New York, NY, USA, 1987, pp. 1–12.
[22] R. Di Pietro, S. Guarino, N. V. Verde, J. Domingo-Ferrer, Security in wireless ad-hoc networks – a survey, Computer Communications 51 (2014) 1–20.
[23] G. Williamson, D. Cellai, S. Dobson, P. Nixon, Modelling periodic data dissemination in wireless sensor networks, in: Computer Modeling and Simulation, 2009. EMS '09. Third UKSim European Symposium on, 2009, pp. 499–504.
[24] S.-M. Cheng, V. Karyotis, P.-Y. Chen, K.-C. Chen, S. Papavassiliou, Diffusion models for information dissemination dynamics in wireless complex communication networks, Journal of Complex Systems.
[25] M. Akdere, C. Bilgin, O. Gerdaneri, I. Korpeoglu, O. Ulusoy, U. Cetintemel, A comparison of epidemic algorithms in wireless sensor networks, Computer Communications 29 (13-14) (2006) 2450–2457.
[26] N. Sharma, A. K. Sharma, Comparative analysis of sir and sid in wireless sensor networks using temporal correlation, in: Computing, Communication Automation (ICCCA), 2015 International Conference on, 2015, pp. 464–468.
[27] H. Byun, J. So, Node scheduling control inspired by epidemic theory for data dissemination in wireless sensor-actuator networks with delay constraints, IEEE Trans. Wireless Communications 15 (3) (2016) 1794–1807.
[28] C. Griffin, R. Brooks, A note on the spread of worms in scale-free networks, Systems, Man, and Cybernetics, Part B: Cybernetics, IEEE Transactions on 36 (1) (2006) 198–202.
[29] S. Tang, W. Li, An epidemic model with adaptive virus spread control for wireless sensor networks, Int. J. Secur. Netw. 6 (4) (2011) 201–210.
[30] P. K. Nayak, D. Mishra, S. Ram, Dynamic e-epidemic model for active infectious nodes in computer network, Journal of Statistics and Management Systems 19 (2) (2016) 247–257.
[31] J. M. Bahi, C. Guyeux, M. Hakem, A. Makhoul, Epidemiological approach for data survivability in unattended wireless sensor networks, J. Netw. Comput. Appl. 46 (C) (2014) 374–383.
[32] A. Makhoul, C. Guyeux, M. Hakem, J. M. Bahi, Using an epidemiological approach to maximize data survival in the internet of things, ACM Trans. Internet Technol. 16 (1) (2016) 5:1–5:15.
[33] D. Chakrabarti, J. Leskovec, C. Faloutsos, S. Madden, C. Guestrin, M. Faloutsos, Information Survival Threshold in Sensor and P2P Networks, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications (2007) 1316–1324.
[34] R. Di Pietro, L. V. Mancini, C. Soriente, A. Spognardi, G. Tsudik, Data Security in Unattended Wireless Sensor Networks, IEEE Transactions on Computers 58 (11) (2009) 1500–1511.
[35] A. A. Yavuz, P. Ning, Self-sustaining, efficient and forward-secure cryptographic constructions for unattended wireless sensor networks, Ad Hoc Netw. 10 (7) (2012) 1204–1220.
[36] S. K. V. L. Reddy, S. Ruj, A. Nayak, Data authentication scheme for unattended wireless sensor networks against a mobile adversary, in: 2013 IEEE Wireless Communications and Networking Conference (WCNC), 2013, pp. 1836–1841.
[37] A. S. Elsafrawey, E. S. Hassan, M. I. Dessouky, Cooperative hybrid self-healing scheme for secure and data reliability in unattended wireless sensor networks, IET Information Security 9 (4) (2015) 223–233.
[38] R. Di Pietro, L. V. Mancini, C. Soriente, A. Spognardi, G. Tsudik, Playing hide-and-seek with a focused mobile adversary in unattended wireless sensor networks, Ad Hoc Networks 7 (8) (2009) 1463–1475.
[39] A. Sen, S. Ghosh, A. Basak, H. P. Puria, S. Ruj, Achieving data survivability and confidentiality in unattended wireless sensor networks, in: Advanced Information Networking and Applications (AINA), 2015 IEEE 29th International Conference on, IEEE, 2015, pp. 239–246.
[40] R. Di Pietro, D. Ma, C. Soriente, G. Tsudik, POSH: Proactive co-Operative Self-Healing in Unattended Wireless Sensor Networks, in: SRDS '08: Proceedings of the 2008 Symposium on Reliable Distributed Systems, IEEE Computer Society, Washington, DC, USA, 2008, pp. 185–194.
[41] D. Ma, G. Tsudik, DISH: Distributed Self-Healing, in: SSS '08: Proceedings of the 10th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Springer-Verlag, Detroit, MI, 2008, pp. 47–62.
[42] M. A. S. Santos, C. B. Margi, Design and implementation of data survival in unattended wireless sensor networks, in: 30th IEEE International Performance Computing and Communications Conference, 2011, pp. 1–6.
[43] P. Andreou, D. Zeinalipour-Yazti, M. Andreou, P. K. Chrysanthis, G. Samaras, Perimeter-based data replication in mobile sensor networks, in: Mobile Data Management: Systems, Services and Middleware, 2009. MDM '09. Tenth International Conference on, IEEE, 2009, pp. 244–251.
[44] C. Chandrakala, K. Prema, K. Hareesha, Improved data availability and fault tolerance in MANET by replication, in: Advance Computing Conference (IACC), 2013 IEEE 3rd International, IEEE, 2013, pp. 324–329.
[45] W. Ren, Y. Ren, H. Zhang, Secure, dependable and publicly verifiable distributed data storage in unattended wireless sensor networks, Science China Information Sciences 53 (5) (2010) 964–979.
[46] D. Vitali, A. Spognardi, L. V. Mancini, Replication schemes in unattended wireless sensor networks, in: New Technologies, Mobility and Security (NTMS), 2011 4th IFIP International Conference on, IEEE, 2011, pp. 1–5.
[47] M. M. Hammood, K. Yoshigoe, Efficient data replication mechanism to maximize data survivability in unattended wireless sensor networks, in: Signal Processing and Communication Systems (ICSPCS), 2011 5th International Conference on, IEEE, 2011, pp. 1–6.
[48] D. P. Dubhashi, A. Panconesi, Concentration of Measure for the Analysis of Randomized Algorithms, Cambridge University Press, Cambridge, 2009.
APPENDIX

Proof of Theorem 1

For the sake of clarity, let us restate (in a slightly different way) the main result of the theorem that we are going to prove.

[Theorem 1]: Let
\[
Z(t+1) = \frac{1}{n}\left(|S{\to}I(t+1)| - |I{\to}S(t+1)|\right) = i(t+1) - i(t)
\]
be the increment of the fraction of infected nodes during round $t+1$. $Z(t+1)$ satisfies the following concentration bound:
\[
\Pr\left[E[Z(t+1)] - Z(t+1) > \varepsilon\right] \le \exp\left(-\frac{n\varepsilon^2}{2(1+3i(t))}\right) \le \exp\left(-\frac{n\varepsilon^2}{8}\right).
\]

In the proof, we use the Method of Averaged Bounded Differences, a very powerful and useful generalization of the Chernoff Bound [48]:

[Method of Averaged Bounded Differences]. Let $Z$ be a random variable which satisfies the Averaged Lipschitz Condition with respect to the random variables $Z_1, \ldots, Z_n$, with constants $c_1, \ldots, c_n$. Then
\[
\Pr[E[Z] - Z \ge \varepsilon] \le \exp\left(-\frac{\varepsilon^2}{2c}\right), \qquad
\Pr[Z - E[Z] \ge \varepsilon] \le \exp\left(-\frac{\varepsilon^2}{2c}\right),
\]
where $c = \sum_{w=1}^{n} c_w^2$.

This method yields a two-sided bound, but we only care about the former condition, as clarified in Section 3.1. We recall that $Z$ satisfies the Averaged Lipschitz Condition with respect to $Z_1, \ldots, Z_n$ with constants $c_1, \ldots, c_n$ if
\[
\left|E[Z \,|\, Z_1, \ldots, Z_{w-1}, Z_w = z] - E[Z \,|\, Z_1, \ldots, Z_{w-1}, Z_w = z']\right| \le c_w
\]
for all $w = 1, \ldots, n$. The reader who is not familiar with these tools can refer to [48] for more details.

Proof. Theorem 1 follows directly from the Method of Averaged Bounded Differences, applied to $Z(t+1)$ with respect to the variables $Z_j(t+1)$ defined in Section 2.1. All we have to prove is that $Z(t+1)$ satisfies the Averaged Lipschitz Condition with respect to $Z_1(t+1), \ldots, Z_n(t+1)$, with constants $c_w$ such that $c = \sum_{w=1}^{n} c_w^2 = (1+3i(t))/n$. To ease notation, in the following let $Z_j = Z_j(t+1)$ and $Z = Z(t+1)$ in all contexts where there is no ambiguity about the round we are referring to.

First of all, let us see what information we get about what happened to node $j$ at round $t+1$ from the knowledge of $Z_j$. If $j \le I(t)$, we know that $j$ was already infected at time $t$, i.e., that $X_j(t) = 1$. As a consequence, regardless of whether $j$ got another copy of the datum, we know that $j \in I(t+\delta)$, hence the value of $Z_j$ univocally determines whether $j$ was among the nodes compromised by the attacker or not:
\[
j \le I(t): \quad
\begin{cases}
\Pr[j \text{ compromised} \,|\, Z_j = 0] = 0 \\
\Pr[j \text{ compromised} \,|\, Z_j = -1] = 1
\end{cases}
\tag{A.1}
\]
On the other hand, if $j > I(t)$, we know that $j$ was susceptible at time $t$, i.e., that $X_j(t) = 0$. If $Z_j = 1$ we are sure that $j$ got a copy of the datum within time $t+\delta$ and was not re-healed thereafter. If $Z_j = 0$, we do not know whether $j$ was infected and re-healed, or not infected at all. However, we can decompose the probability of $j$ being compromised based on its status at time $t+\delta$. Summing up:
\[
j > I(t): \quad
\begin{cases}
\Pr[j \text{ compromised} \,|\, Z_j = +1] = 0 \\
\Pr[j \text{ compromised} \,|\, Z_j = 0] = u\,i(t) + (1 - u\,i(t))\,v = u(1-v)\,i(t) + v
\end{cases}
\tag{A.2}
\]
From here on, let $\bar Z_w = (Z_1, \ldots, Z_w)$. Thanks to Eq. (A.1) and Eq. (A.2), we can assert that
• $w < j \le I(t)$ implies $\Pr[Z_j = -1 \,|\, \bar Z_w] = \dfrac{vn + \sum_{k=1}^{w} Z_k}{n-w}$;
• $w \le I(t) < j$ implies $\Pr[Z_j = 1 \,|\, \bar Z_w] = u\,i(t)\left(1 - \dfrac{vn + \sum_{k=1}^{w} Z_k}{n-w}\right)$;
• $I(t) < w < j$ implies $\Pr[Z_j = 1 \,|\, \bar Z_w] = u\,i(t)\left[1 - \dfrac{vn + \sum_{k=1}^{I(t)} Z_k + (u(1-v)\,i(t) + v)\sum_{k=I(t)+1}^{w} (Z_k - 1)}{n-w}\right]$.
It directly follows that
• $w < j \le I(t)$ implies $E[Z_j \,|\, \bar Z_w] = -\dfrac{vn + \sum_{k=1}^{w} Z_k}{n-w}$;
• $w \le I(t) < j$ implies $E[Z_j \,|\, \bar Z_w] = u\,i(t)\left(1 - \dfrac{vn + \sum_{k=1}^{w} Z_k}{n-w}\right)$;
• $I(t) < w < j$ implies $E[Z_j \,|\, \bar Z_w] = u\,i(t)\left[1 - \dfrac{vn + \sum_{k=1}^{I(t)} Z_k + (u(1-v)\,i(t) + v)\sum_{k=I(t)+1}^{w} (Z_k - 1)}{n-w}\right]$.
Now, recalling that we defined $Z = \frac{1}{n}\sum_{j=1}^{n} Z_j$, from the linearity of the expectation we have
• $w \le I(t)$ implies
\[
E[nZ \,|\, \bar Z_{w-1}, Z_w = z] = \sum_{k=1}^{w-1} Z_k + z + (I(t) - w)\left[\frac{vn + \sum_{k=1}^{w-1} Z_k}{n-w} + \frac{z}{n-w}\right] + S(t)\,u\,i(t)\left[1 - \frac{vn + \sum_{k=1}^{w-1} Z_k}{n-w} - \frac{z}{n-w}\right] = G_1(\bar Z_{w-1}) + z\left(1 + \frac{I(t) - w - u\,i(t)\,S(t)}{n-w}\right)
\]
where $G_1(\bar Z_{w-1})$ only depends on $\bar Z_{w-1}$ (apart from the other parameters) and not on $z$.
• $w > I(t)$ implies
\[
E[nZ \,|\, \bar Z_{w-1}, Z_w = z] = \sum_{k=1}^{w-1} Z_k + z + (n-w)\,u\,i(t)\left[1 - \frac{vn + \sum_{k=1}^{I(t)} Z_k + (u(1-v)\,i(t) + v)\sum_{k=I(t)+1}^{w-1} (Z_k - 1) + (u(1-v)\,i(t) + v)(z - 1)}{n-w}\right] = G_2(\bar Z_{w-1}) + z\left[1 - u v\,i(t) - u^2(1-v)\,i^2(t)\right]
\]
where $G_2(\bar Z_{w-1})$ only depends on $\bar Z_{w-1}$ (apart from the other parameters) and not on $z$.
Finally, we can conclude that
• $w \le I(t)$ implies
\[
\left|E[Z \,|\, \bar Z_{w-1}, Z_w = z] - E[Z \,|\, \bar Z_{w-1}, Z_w = z']\right| = |z - z'|\,\frac{1}{n}\left(1 + \frac{I(t) - w - u\,i(t)\,S(t)}{n-w}\right) \le \frac{1}{n}\left(1 + \frac{n\left[(1-u)\,i(t) + u\,i^2(t)\right] - w}{n-w}\right) \le \frac{2}{n}
\]
because $|z - z'| \le 1$ by definition of the $Z_j$'s.
• $w > I(t)$ implies
\[
\left|E[Z \,|\, \bar Z_{w-1}, Z_w = z] - E[Z \,|\, \bar Z_{w-1}, Z_w = z']\right| = |z - z'|\,\frac{1}{n}\left[1 - u v\,i(t) - u^2(1-v)\,i^2(t)\right] \le \frac{1}{n} - \frac{u v\,i(t) + u^2(1-v)\,i^2(t)}{n} \le \frac{1}{n}
\]
again, because $|z - z'| \le 1$ by definition of the $Z_j$'s.

Summing up, we have shown that
\[
\left|E[Z \,|\, \bar Z_{w-1}, Z_w = z] - E[Z \,|\, \bar Z_{w-1}, Z_w = z']\right| \le
\begin{cases}
\dfrac{2}{n} & \text{if } w \le I(t), \\[2mm]
\dfrac{1}{n} & \text{if } w > I(t),
\end{cases}
\]
i.e., $Z$ satisfies the Averaged Lipschitz Condition with respect to $Z_1, \ldots, Z_n$, with parameters $c_w$ given by
\[
c_w =
\begin{cases}
\dfrac{2}{n} & \text{if } w \le I(t), \\[2mm]
\dfrac{1}{n} & \text{if } w > I(t).
\end{cases}
\]
Since
\[
c = \sum_{w=1}^{n} c_w^2 = \frac{4}{n^2}\,I(t) + \frac{1}{n^2}\,(n - I(t)) = \frac{1}{n}\,(1 + 3i(t)),
\]
we have
\[
\Pr\left[E[Z(t+1)] - Z(t+1) \ge \varepsilon\right] \le \exp\left(-\frac{n\varepsilon^2}{2(1+3i(t))}\right)
\]
as desired. The very last inequality follows immediately using $i(t) \le 1$.
Proof of Corollary 1

Corollary 1 shows how Theorem 1 can be used to obtain two probabilistic bounds on the distance between $i(t + 1)$ and $i(t)$. With $\alpha$ and $\beta$ in place of $\alpha(u, v)$ and $\beta(u, v)$, the corollary can be restated as follows:

[Corollary 1]: Theorem 1 implies the two following bounds:

(i) Let $c$ and $\delta$ satisfy
$$d = 2\sqrt{2\delta} - c \le \frac{(1 - \beta)^2}{4}.$$
Then, if
$$\hat{\alpha} = \beta + 2d + \sqrt{4d^2 + 4d\beta},$$
it holds $\hat{\alpha} \le 1$ and, for all $u$ such that $\hat{\alpha} \le \alpha \le 1$, there exists an interval $A \subset (0, 1 - \beta/\alpha]$ such that $i(t) \in A$ implies $\Pr[i(t + 1) < i(t) - c] \le \exp(-\delta n)$.

(ii) Let $d = 2\sqrt{2\delta}$. If $d < 1 - \beta$ and $\beta/(1 - d) \le \alpha \le 1$, there exists a threshold $i_\delta \le 1 - \beta/\alpha$ such that $i(t) \ge i_\delta$ entails $\Pr[i(t + 1) = 0] \le \exp(-\delta n)$.
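An added numerical check of the two statements, written for this page rather than taken from the paper: it treats $\alpha$ and $\beta$ of Eq. (6) as given numbers, evaluates $d$, $\hat{\alpha}$ and the interval $A = [x_1, x_2]$ from the quadratic (A.5) solved in the proof below, and the threshold $i_\delta$ from (A.9); every parameter value is constructed, and $c \le 2\sqrt{2\delta}$ is assumed so that $d \ge 0$.

```python
import math

# Added example (not the paper's code). alpha, beta are the alpha(u, v),
# beta(u, v) of Eq. (6), taken here as plain numbers; delta, c are the
# corollary's parameters. All values used below are constructed.

def corollary1_interval(alpha, beta, delta, c):
    """Statement (i): return (alpha_hat, (x1, x2)), or None when the
    hypotheses d <= (1-beta)^2/4 and alpha_hat <= alpha <= 1 fail."""
    d = 2.0 * math.sqrt(2.0 * delta) - c          # d = 2*sqrt(2*delta) - c
    if d < 0.0:                                   # assumption: c <= 2*sqrt(2*delta)
        return None
    if d > (1.0 - beta) ** 2 / 4.0:               # Inequality (A.7) violated
        return None
    alpha_hat = beta + 2.0 * d + math.sqrt(4.0 * d * d + 4.0 * d * beta)
    if not (alpha_hat <= alpha <= 1.0):
        return None
    disc = (alpha - beta) ** 2 - 4.0 * d * alpha  # Delta(alpha) >= 0 here
    x1 = (alpha - beta - math.sqrt(disc)) / (2.0 * alpha)
    x2 = (alpha - beta + math.sqrt(disc)) / (2.0 * alpha)
    return alpha_hat, (x1, x2)                    # A = [x1, x2] in (0, 1-beta/alpha]

def corollary1_threshold(alpha, beta, delta):
    """Statement (ii): return i_delta = x1 of Eq. (A.9), or None when
    d < 1-beta or beta/(1-d) <= alpha <= 1 does not hold."""
    d = 2.0 * math.sqrt(2.0 * delta)
    if not (d < 1.0 - beta and beta / (1.0 - d) <= alpha <= 1.0):
        return None
    disc = (1.0 + alpha - beta) ** 2 - 4.0 * d * alpha   # >= 0 since d < 1-beta
    return (1.0 + alpha - beta - math.sqrt(disc)) / (2.0 * alpha)

def drop_bound(n, delta):
    """The probability bound exp(-delta*n) both statements guarantee."""
    return math.exp(-delta * n)

if __name__ == "__main__":
    # Constructed parameters (not from the paper).
    alpha, beta, delta, c, n = 0.98, 0.2, 0.005, 0.05, 1000
    print("statement (i):", corollary1_interval(alpha, beta, delta, c),
          "with 1 - beta/alpha =", 1 - beta / alpha)
    print("statement (ii): i_delta =", corollary1_threshold(alpha, beta, delta))
    print("bound exp(-delta n) =", drop_bound(n, delta))
```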
Proof. To ease notation, let us omit the dependence on time $t$, denoting $i = i(t)$ and $Z = Z(t)$. Theorem 1 ensures that
$$\Pr[E[Z] - Z > \varepsilon] \le \exp\left(-\frac{n\varepsilon^2}{2(1 + 3i)}\right).$$
For any non-negative, fixed $c$, we want to verify under which conditions the increment $Z$ is at least $-c$ with high probability. We have
$$\Pr[Z < -c] = \Pr[E[Z] - Z > E[Z] + c] \le \exp\left(-\frac{n\,(E[Z] + c)^2}{2(1 + 3i)}\right)$$
and we can impose
$$\frac{(E[Z] + c)^2}{2(1 + 3i)} \ge \delta$$
for a proper $\delta < 1$, to obtain $\Pr[Z < -c] \le \exp(-\delta n)$. Since we are only interested in what happens for $i \in (0, 1 - \beta/\alpha]$, we have
$$\frac{(E[Z] + c)^2}{2(1 + 3i)} \ge \frac{(E[Z] + c)^2}{8 - 6\beta/\alpha} \ge \frac{(E[Z] + c)^2}{8}$$
so, to ease the computation, we impose the weaker condition $(E[Z] + c)^2 \ge 8\delta$, which, since we are only interested in the context where $E[Z] \ge 0$, can be rewritten as
$$E[Z] + c \ge 2\sqrt{2\delta}. \tag{A.3}$$
We start by solving the associated equation
$$E[Z] + c = 2\sqrt{2\delta}. \tag{A.4}$$
Recalling the definition of $E[Z]$, where $\alpha$ and $\beta$ are defined as in Eq. (6), and using $d = d(\delta, c) = 2\sqrt{2\delta} - c$ and $x$ instead of $i$ for the sake of clarity, Eq. (A.4) becomes
$$\alpha x^2 - (\alpha - \beta)x + d = 0. \tag{A.5}$$
The solutions to Eq. (A.5) are given by
$$x_1 = \frac{\alpha - \beta - \sqrt{(\alpha - \beta)^2 - 4d\alpha}}{2\alpha}, \qquad x_2 = \frac{\alpha - \beta + \sqrt{(\alpha - \beta)^2 - 4d\alpha}}{2\alpha}.$$
Inequality (A.3) can now be rewritten as
$$-\alpha x^2 + (\alpha - \beta)x - d \ge 0, \tag{A.6}$$
which is clearly satisfied for all $x_1 \le x \le x_2$, if $x_1$ and $x_2$ exist. If we denote $\Delta(\alpha) = (\alpha - \beta)^2 - 4d\alpha$, we know that $x_1$ and $x_2$ exist if and only if $\Delta(\alpha) \ge 0$. At the same time, it is clear that $\Delta(\alpha) < (\alpha - \beta)^2$, so, if $x_1$ and $x_2$ exist, then they are both necessarily in $(0, 1 - \beta/\alpha]$. Summing up:

• if $\Delta(\alpha) \ge 0$, we can define the set $A = [x_1, x_2] \subset (0, 1 - \beta/\alpha]$, and, once $i(t) \in A$, we have $\Pr[i(t + 1) < i(t) - c] \le \exp(-\delta n)$;

• if $\Delta(\alpha) < 0$, Eq. (A.4) does not admit any solution, so Inequality (A.3) (as well as Inequality (A.6)) is never satisfied.

In other words, $\Delta(\alpha) \ge 0$ is a sufficient condition to ensure that statement (i) of the corollary is satisfied; it is not a strictly necessary condition, only because of the lower bounds we used at the beginning of the proof. What remains to prove is that $\Delta(\alpha) \ge 0$ requires
$$d = 2\sqrt{2\delta} - c \le \frac{(1 - \beta)^2}{4}.$$
We can write $\Delta(\alpha) = \alpha^2 - 2(\beta + 2d)\alpha + \beta^2$, so the two solutions of the associated equation $\Delta(\alpha) = 0$ can be expressed as
$$\alpha_1 = \beta + 2d - \sqrt{4d^2 + 4d\beta}, \qquad \alpha_2 = \beta + 2d + \sqrt{4d^2 + 4d\beta},$$
and $\Delta(\alpha) \ge 0$ is satisfied for all $\alpha \le \alpha_1$ or $\alpha \ge \alpha_2$. We recall that we need $\beta < \alpha \le 1$. Since we can write $\alpha_1 = \beta + 2d\left(1 - \sqrt{1 + \beta/d}\right)$, it holds $\alpha_1 < \beta$, so all the solutions for $\alpha \le \alpha_1$ are of no interest for us. On the contrary, it is obvious that $\alpha_2 > \beta$. On the other hand, to have $\alpha_2 \le 1$, we need
$$\sqrt{4d^2 + 4d\beta} \le 1 - \beta - 2d,$$
which requires $d < (1 - \beta)/2$ to admit solutions. Under the latter condition, we can square both sides and simplify, to obtain the stronger condition
$$d \le \frac{(1 - \beta)^2}{4}. \tag{A.7}$$
Altogether, provided that Inequality (A.7) is satisfied, we can define $\hat{\alpha} = \beta + 2d + \sqrt{4d^2 + 4d\beta}$ (that is, what we called $\alpha_2$ before) and, for all $\hat{\alpha} \le \alpha \le 1$, we have $\Delta(\alpha) \ge 0$.

To prove statement (ii) of the corollary, we proceed in a very similar way. This time, we observe that, by Theorem 1, it holds
$$\Pr[i(t + 1) = 0] = \Pr[Z = -i(t)] \le \Pr[E[Z] - Z \ge E[Z] + i(t)] \le \exp\left(-\frac{n\,(E[Z] + i(t))^2}{8}\right).$$
To obtain $\Pr[i(t + 1) = 0] \le \exp(-\delta n)$, we impose $(E[Z] + i(t))^2 \ge 8\delta$, which can be rewritten as
$$E[Z] + i(t) \ge 2\sqrt{2\delta}. \tag{A.8}$$
Recalling the definition of $E[Z]$, using $d = d(\delta, c) = 2\sqrt{2\delta}$ and $x$ instead of $i$ for the sake of clarity, Inequality (A.3) can be rewritten as
$$\alpha x^2 - (1 + \alpha - \beta)x + d \le 0. \tag{A.9}$$
Solving the associated equation, we find that the two solutions
$$x_1 = \frac{1 + \alpha - \beta - \sqrt{(1 + \alpha - \beta)^2 - 4d\alpha}}{2\alpha}, \qquad x_2 = \frac{1 + \alpha - \beta + \sqrt{(1 + \alpha - \beta)^2 - 4d\alpha}}{2\alpha}$$
exist if and only if it holds $\Delta(\alpha) = (1 + \alpha - \beta)^2 - 4d\alpha \ge 0$. In particular, if $d < 1 - \beta$, that is, if $\delta < (1 - \beta)^2/8$, it holds $\Delta(\alpha) \ge 0$ for all $\alpha$ and $\beta$. This means that, under the condition $\delta < (1 - \beta)^2/8$, we know that $x_1$ and $x_2$ exist, and we know that Inequality (A.9) is satisfied for all $x \in [x_1, x_2]$, or, equivalently, that Inequality (A.8) is satisfied provided that $i(t) \in [x_1, x_2]$. What remains to verify is whether $x_1$ and/or $x_2$ are in $(0, 1 - \beta/\alpha]$. Since $\Delta(\alpha) < (1 + \alpha - \beta)^2$, it is easy to check that $x_1 > 0$. On the other hand, $x_1 \le 1 - \beta/\alpha$ is equivalent to
$$\sqrt{(1 + \alpha - \beta)^2 - 4d\alpha} \ge 1 + \alpha - \beta - 2\alpha\left(1 - \frac{\beta}{\alpha}\right) = 1 - \alpha + \beta,$$
which, doing the math, can be rewritten as $4\alpha - 4\beta - 4d\alpha \ge 0$, yielding
$$\alpha \ge \frac{\beta}{1 - d}. \tag{A.10}$$
Since $d < 1 - \beta$ implies $\beta/(1 - d) < 1$, we know that Inequality (A.10) expresses a feasible condition on $\alpha$. As for $x_2$, the condition $x_2 < 1 - \beta/\alpha$ is equivalent to
$$\sqrt{(1 + \alpha - \beta)^2 - 4d\alpha} < 2\alpha\left(1 - \frac{\beta}{\alpha}\right) - 1 - \alpha + \beta = \alpha - \beta - 1 < 0,$$
which is clearly impossible. As a consequence, $x_2$ is always outside the interval of interest. Summing up, we proved that $d < 1 - \beta$ and $\beta/(1 - d) \le \alpha \le 1$ imply $x_1 \in (0, 1 - \beta/\alpha]$, while $x_2 \notin (0, 1 - \beta/\alpha]$. By denoting $i_\delta = x_1$, we finally obtain that $i(t) \ge i_\delta$ entails
$$\Pr[i(t + 1) = 0] \le \exp(-\delta n)$$
as desired.

Proof of Corollary 2
Again, let $\alpha = \alpha(u, v)$ and $\beta = \beta(u, v)$ be defined as in Eq. (6). Corollary 2 provides a bound for the probability that $i(t + T)$ diverges from $i(t)$. Due to the memoryless nature of the process, the corollary can equivalently be formulated as:

[Corollary 2]: For any $\mu \in (0, 1)$, it holds
$$\Pr\big[i(T) < (1 - \mu)^T i(0)\big] \le \sum_{t=1}^{T} p(t, \mu, i(0))$$
where
$$p(t, \mu, i(0)) = \exp\left(-\frac{n}{8}\Big[(\mu + \alpha - \beta)(1 - \mu)^{t-1} i(0) - \alpha(1 - \mu)^{2t-2} i(0)^2\Big]^2\right),$$
that is:
$$p(t, \mu, i(0)) \in O\left(\exp\left(-n(1 - \mu)^{2t-2} i(0)^2\right)\right).$$
We will prove the corollary in this slightly different version, just because it allows us to simplify the notation somewhat.

Proof. First of all, let $X$ and $Y$ be two non-independent random variables on $\mathbb{R}$, such that $\Pr[X < a \mid Y = y]$ is non-increasing in $y$, for all $a \in \mathbb{R}$. Then, for all $b \in \mathbb{R}$, it holds
$$
\begin{aligned}
\Pr[X < a] &= \int_0^{\infty} \Pr[Y = y]\,\Pr[X < a \mid Y = y]\,dy \\
&= \int_0^{b} \Pr[Y = y]\,\Pr[X < a \mid Y = y]\,dy + \int_b^{\infty} \Pr[Y = y]\,\Pr[X < a \mid Y = y]\,dy \\
&\le \int_0^{b} \Pr[Y = y]\,dy + \Pr[X < a \mid Y = b]\int_b^{\infty} \Pr[Y = y]\,dy \\
&\le \Pr[Y < b] + \Pr[X < a \mid Y = b].
\end{aligned}
$$
Now, for all $t$, it clearly holds that $\Pr[i(t) < a \mid i(t - 1) = y]$ is non-increasing in $y$, since the larger $i(t - 1)$ is, the less probable it is that the fraction $i(t)$ of infected nodes after round $t$ falls below $a$, for any fixed $a$. Consequently, it holds
$$\Pr[i(t) < a] \le \Pr[i(t - 1) < b] + \Pr[i(t) < a \mid i(t - 1) = b]$$
for all $b \in \mathbb{R}$. If we take $a = (1 - \mu)^t i(0)$ and $b = (1 - \mu)^{t-1} i(0)$, and we observe that (thanks to Theorem 1)
$$
\begin{aligned}
\Pr\big[i(t) < (1 - \mu)^t i(0) \mid i(t - 1) = (1 - \mu)^{t-1} i(0)\big] &= \Pr\big[i(t) < i(t - 1)\cdot(1 - \mu) \mid i(t - 1) = (1 - \mu)^{t-1} i(0)\big] \\
&= \Pr\big[Z(t) < -\mu \mid i(t - 1) = (1 - \mu)^{t-1} i(0)\big] \le p(t, \mu)
\end{aligned}
$$
we obtain
$$\Pr\big[i(t) < (1 - \mu)^t i(0)\big] \le \Pr\big[i(t - 1) < (1 - \mu)^{t-1} i(0)\big] + p(t, \mu).$$
Starting from $t = T$ and by induction on $t$, we finally obtain the desired bound.
Proof of Corollary 3

Once again, in the following let $\alpha(u, v)$ and $\beta(u, v)$ be defined as in Eq. (6). Let us recall the three statements of the corollary:

[Corollary 3]: Let $X$ denote the time needed by the sink to collect a particular datum, then

(i) In general, it holds
$$E[X] \approx \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n \sum_{k=0}^{x-1} i(t + k)\right).$$

(ii) If, for all $k > 0$, the fraction of infected nodes at time $t + k$ can be lower bounded as $i(t + k) \ge (1 - \mu)^k i(t)$, it holds
$$E[X] \le \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n\, i(t) \cdot x\right).$$

(iii) Finally, if at time $t$ the fraction of infected nodes has already reached the steady state STEADY1, it holds
$$E[X] \approx \frac{1}{\gamma n (1 - \beta/\alpha)} = \frac{\alpha}{\gamma n (\alpha - \beta)}.$$
Proof. As in the statement of the corollary, let $X$ be the number of rounds needed to collect a specific sensed datum: we want to evaluate $E[X]$. We assume that the sink accesses the network at time $t$ and, for the sake of simplicity, that the fraction of infected nodes is constantly equal to $i(t)$ during the whole round $t + 1$. The probability that the sink does not collect the datum during round $t + 1$ is $(1 - \gamma)^{n i(t)}$. Indeed, the sink fails in retrieving the datum if it cannot access the information stored by any of the $n\,i(t)$ sensors possessing that datum. This means that
$$
\begin{aligned}
\Pr[X = 1] &= 1 - (1 - \gamma)^{n i(t)} \approx \gamma n\, i(t) \\
\Pr[X = 2] &= \left(1 - (1 - \gamma)^{n i(t+1)}\right)(1 - \gamma)^{n i(t)} \approx \gamma n\, i(t + 1)\left(1 - \gamma n\, i(t)\right) \\
&\;\;\vdots \\
\Pr[X = x] &= \left(1 - (1 - \gamma)^{n i(t+x)}\right)\prod_{k=0}^{x-1} (1 - \gamma)^{n i(t+k)} \approx \gamma n\, i(t + x)\left(1 - \gamma n \sum_{k=0}^{x-1} i(t + k)\right).
\end{aligned}
$$
Consequently, it holds
$$E[X] = \sum_{x=1}^{\infty} x \cdot \Pr[X = x] \approx \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n \sum_{k=0}^{x-1} i(t + k)\right).$$
Now, if, for all $k > 0$, $i(t + k) \ge (1 - \mu)^k i(t)$, it holds
$$\sum_{k=0}^{x-1} i(t + k) \ge i(t) \sum_{k=0}^{x-1} (1 - \mu)^k = i(t)\,\frac{1 - (1 - \mu)^x}{\mu} \ge i(t) \cdot x$$
and consequently
$$E[X] \le \gamma n \sum_{x=1}^{\infty} x \cdot i(t + x)\left(1 - \gamma n\, i(t) \cdot x\right).$$
Finally, assume that at time $t$ the fraction of infected nodes has already reached the steady state STEADY1. If the process does not suffer from significant statistical fluctuations, we can assume that $i(t + k) \approx 1 - \beta/\alpha$ for all $k \ge 0$. In this case, $X$ is approximately distributed as a Geometric of parameter $1 - (1 - \gamma)^{n(1 - \beta/\alpha)} \approx \gamma n (1 - \beta/\alpha)$, and its expectation is
$$E[X] \approx \frac{1}{\gamma n (1 - \beta/\alpha)} = \frac{\alpha}{\gamma n (\alpha - \beta)}.$$
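As an added example (not from the paper), the exact collecting-time distribution of the proof computed numerically, so that the steady-state approximation of statement (iii) can be compared with the exact geometric value, and so that a trajectory where replicated data thin out shows up as a collection probability below one. $\gamma$, $n$, $\alpha$, $\beta$ and the trajectory $i(t + k)$ are constructed inputs; the round indexing follows the $\Pr[X = 1]$, $\Pr[X = 2]$ terms of the proof (the sink sees $i(t)$ during round $t + 1$).

```python
# Added example (not the paper's code). gamma is the per-sensor access
# probability of the sink, n the number of sensors and traj(k) the fraction
# of sensors holding the datum at time t + k, i.e. i(t + k). As in the
# proof, the fraction in force during round t + x is i(t + x - 1).

def collect_time_pmf(gamma, n, traj, x_max):
    """Exact Pr[X = x] for x = 1..x_max: the sink succeeds in round x when
    it reaches at least one of the n*i(t+x-1) holders after failing before."""
    pmf, survive = [], 1.0                         # survive = Pr[X > x - 1]
    for x in range(1, x_max + 1):
        fail = (1.0 - gamma) ** (n * traj(x - 1))  # (1-gamma)^{n i(t+x-1)}
        pmf.append(survive * (1.0 - fail))
        survive *= fail
    return pmf

def expected_collect_time(gamma, n, traj, x_max=5000):
    """E[X] = sum_x x * Pr[X = x], truncated at x_max (tail negligible here)."""
    return sum(x * p for x, p in enumerate(collect_time_pmf(gamma, n, traj, x_max), 1))

def collect_probability(gamma, n, traj, x_max=5000):
    """Pr[X <= x_max]; a value below 1 means the datum may never be collected,
    which happens when the holder fraction decays instead of staying endemic."""
    return sum(collect_time_pmf(gamma, n, traj, x_max))

def steady_state_approx(gamma, n, alpha, beta):
    """Statement (iii): E[X] ~ 1/(gamma n (1 - beta/alpha)) = alpha/(gamma n (alpha - beta))."""
    return alpha / (gamma * n * (alpha - beta))

if __name__ == "__main__":
    # Constructed parameters (not from the paper).
    gamma, n, alpha, beta, mu = 1e-4, 1000, 0.98, 0.2, 0.02
    steady = 1.0 - beta / alpha                    # endemic fraction 1 - beta/alpha
    exact = expected_collect_time(gamma, n, lambda k: steady)
    print("steady state: exact E[X] =", round(exact, 3),
          "approx =", round(steady_state_approx(gamma, n, alpha, beta), 3))
    # Decaying trajectory i(t+k) = (1-mu)^k i(t): holders thin out each round.
    decaying = lambda k: (1.0 - mu) ** k * steady
    print("decaying: Pr[collected] =", round(collect_probability(gamma, n, decaying), 4),
          "E[X] restricted to collected cases =", round(expected_collect_time(gamma, n, decaying), 3))
```

With these inputs the geometric value is about 13.07 rounds against 12.56 for the approximation, and along the decaying trajectory roughly 2% of data are never collected.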