On Multipath Routing in Multihop Wireless Networks: Security, Performance, and Their Tradeoff

Routing amid malicious attackers in multihop wireless networks with unreliable links is a challenging task. In this paper, we address the fundamental problem of how to choose secure and reliable paths in such environments. We formulate the multipath routing problem as optimization problems and propose algorithms with polynomial complexity to solve them. Game theory is employed to solve and analyze the formulated multipath routing problem. We first propose the multipath routing solution minimizing the worst-case security risk (i.e., the percentage of packets captured by attackers in the worst case). While the obtained solution provides the most secure routes, it may perform poorly given the unreliability of wireless links. Hence we then investigate the multipath routing solution maximizing the worst-case packet delivery ratio. As a natural extension, to achieve a tradeoff between the routing security and performance, we derive the multipath routing protocol maximizing the worst-case packet delivery ratio while limiting the worst-case security risk under a given threshold. As another contribution, we establish the relationship between the worst-case security risk and packet delivery ratio, which gives the theoretical limit on the security-performance tradeoff of node-disjoint multipath routing in multihop wireless networks.


Introduction
It is widely recognized that the intrinsic nature of wireless networks, such as the broadcast nature of the wireless channel and the limited resources of network nodes, makes them extremely attractive and vulnerable to attackers. Routing amid malicious attackers in such environments is a challenging task. On one hand, the most secure route(s) should be chosen such that the percentage of packets captured by attackers is as small as possible. On the other hand, given the unreliability of wireless links, the most reliable route(s) should be selected such that the packet delivery ratio at the destination is as high as possible.
A natural approach is to use multiple paths to increase the fault tolerance and the resilience to attackers. However, how to choose the secure and reliable paths among exponentially many candidates and how to allocate traffic among them remain a difficult but crucial problem.

Paper Overview.
In this paper, we address the above fundamental routing problem by focusing on two metrics: route security and performance. We start with the single-attacker case and extend our work to the multiple-attacker case in Section 7.
We first study the multipath routing solution minimizing the worst-case security risk; that is, the percentage of packets captured by the attacker under the condition that the attacker makes all its efforts to maximize this percentage. We model this multipath routing problem as a minimaximization problem and formulate it as the maximum flow problem in lossy networks, based on which a routing algorithm with polynomial time complexity is derived to solve it.
While the obtained solution provides the most secure routes, which is crucial for security-sensitive applications, performance is another important issue that definitely cannot be ignored, especially in wireless networks with unreliable links. To this end, we investigate the multipath routing solution maximizing the packet delivery ratio under the condition that the attacker makes all its efforts to minimize this ratio. Noticing that solving this problem requires exponential time complexity, we propose a heuristic algorithm computing the optimal path set with polynomial time complexity. In our study, we also apply game theory as a systematic tool to solve and analyze the formulated multipath routing problems.
Next, we extend our efforts to study a natural problem: how to achieve a tradeoff between the route security and performance. In this perspective, we derive the routing solution maximizing the worst-case packet delivery ratio while limiting the worst-case security risk under a given threshold. Furthermore, as a theoretical limit on the security-performance tradeoff of node-disjoint multipath routing, we establish the relationship between the worst-case packet delivery ratio $a^*$ and the security risk $r^*$: where $|P_{nd}|$ is the maximum number of node-disjoint paths in the network. By simulation, we evaluate the performance of the proposed multipath routing protocols. The results show that our solutions achieve the best worst-case security and performance among the simulated multipath routing protocols.

Background and Motivation.
Multipath routing, as mentioned above, is a promising way to improve route reliability and security. Past work on multipath routing in wireless networks mainly consists of evaluating the possible paths via reputation metrics based on security or reliability and distributing traffic among the routes with the highest reputation ratings.
In [1], Papadimitratos et al. proposed an algorithm, called Disjoint Path-set Selection Protocol (DPSP), to find the maximum number of paths between a source and destination with the highest reliability. DPSP tries to find the maximum number of node-disjoint paths based on the reliability metric to improve the reliability of communication by increasing the number of used paths.
In [2], Lou et al. proposed another solution for calculating the maximum number of the most secure paths, called Security Protocol for REliable dAta Delivery (SPREAD). Their solution relies on previous knowledge of the security level of each node and calculates the link costs according to them. It also exploits secret sharing to spread data over multiple paths and proposes a security-optimized share allocation method.
In [3], Papadimitratos and Haas proposed and analyzed a routing protocol named Secure Message Transmission Protocol (SMT), which improves security and reliability of data transmission through diversity coding of data into multiple symbols and transmitting each symbol over one path by uniform loading. SMT employs a rating mechanism to select the most reliable paths based on end-to-end feedback.
Our work in this paper differs from existing work in that we base our work on the worst-case scenarios and provide multipath routing solutions with guaranteed security and performance properties. Our motivation is twofold: first, in most of the proposed solutions, each path is rated according to its past performance, and the paths with high rates are selected to carry traffic. In such a reputation-based mechanism, the computation of the reputation rates is not trivial at all; furthermore, this mechanism may fail to provide good paths when facing strategic attackers. For example, assume that three paths are available and each time the two paths with the highest rates are selected. A strategic attacker can itself do the same rating estimation and attack the two paths with the highest rate. The problem is that the rating mechanism implicitly assumes that there exists a correlation between the history and future performance. With this correlation, one can predict the attacker's action to some extent. Unfortunately, a strategic attacker will certainly not take predictable actions. Instead, in some cases it can even take advantage of the rating mechanism to cause more severe damage to the networks. Motivated by the above observation, we believe that it is crucial to study multipath routing solutions with guaranteed worst-case security and performance properties, which is the focus of our work.
In terms of the underlying methodology, our work is also related to the min-max optimization and routing games [4][5][6][7]. In fact, our work can be seen as the application of these tools in hostile wireless networks with unreliable/lossy links, which are absent in the classical context and pose significant difficulties in solving the problem, as shown in later sections.

System Model and Assumptions
In our work, we consider a multihop wireless network, modeled as a directed graph $G = (V, E)$ with $n$ nodes and $m$ edges. For the wireless links, we consider a model in which any link is either "good" (i.e., error-free) or "bad" otherwise. We refer to the probability that link $e \in E$ is "good" as the reliability factor of $e$, denoted by $r_e$. We assume that different links are independent. (This assumption holds in the case where different wireless links use channels that are well separated in time and frequency via the MAC protocol or some channel coordination mechanism. The extension of our analysis to alleviate this assumption to consider the correlated-link case (the correlation between wireless links highly depends on the underlying MAC protocol) is left for future work.) We consider a data session between a single source $S$ and destination $T$. $S$ routes its packets along path $P_i \in \mathcal{P}$ (let $\mathcal{P}$ be the set of paths between $S$ and $T$) with probability $q_i$. An attacker $M$ attacks the node $v \in V \setminus \{S, T\}$ with probability $p_v$ to disrupt the communication between $S$ and $T$. (We assume that $S$ and $T$ are not attacked by $M$ during the communication. The multiple-attacker case is discussed in Section 7.) If node $v$ is attacked, all the traffic passing by it is captured by $M$ during the attack period.
In this paper, we assume that each node knows the link reliability factors $\{r_e\}$. References [8,9] address the issue of how to estimate and collect this information. We also assume that each node has the knowledge of network topology. This information can be acquired from any secure link-state routing protocol, for example, [10]. These assumptions allow us to concentrate on the essential theoretical properties of the multipath routing problem and the resulting solutions. In the case where link reliability factors and network topology change frequently, the update of the multipath set should be performed periodically or triggered by the change.

Multipath Routing with Minimum Worst-Case Security Risk
In this section, we study the multipath routing solution minimizing the worst-case security risk. We quantify the worst-case security risk by the percentage of packets captured by the attackers under the condition that the attackers make all their efforts to maximize this percentage (or equivalently, the probability that a packet is captured by the attackers under the condition that the attackers make all their efforts to maximize this probability). We start with the case of a single attacker $M$. In such a routing problem, the objective of $S$ is to calculate $q = \{q_i\}$ to minimize the maximum security risk caused by $M$. Mathematically, the multipath routing problem can be formulated as the following minimaximization problem $MP_1$: where

$$\tau(P, v) = \prod_{e \in P,\ e \prec v} r_e, \qquad \varphi(P, v) = \prod_{b \in P,\ b \prec v} (1 - p_b).$$

$a \prec b$ denotes that packets encounter node/edge $a$ before node/edge $b$ when routed along $P$.

$$r = \sum_{v \in V} \Big[ \sum_{P \in \mathcal{P},\ v \in P} q(P)\,\tau(P, v)\,\varphi(P, v) \Big] p_v$$

is the expected probability that the packet is captured by $M$. Let

$$r' = \sum_{v \in V} \Big[ \sum_{P \in \mathcal{P},\ v \in P} q(P)\,\tau(P, v) \Big] p_v.$$

If $M$ attacks at most one node per path, then $r = r'$. In the general case, it always holds that $r \le r'$. Noticing that $MP_1$ is a nonlinear optimization problem, we focus on solving $MP'_1$: which is a linear optimization problem. Later in Section 3.2 we will show that $r^* = (r')^*$. Consider the inner maximization problem of $MP'_1$ for fixed $q$: Associating a dual variable $y$, we obtain the following dual optimization problem:

$$\min\ y \quad \text{subject to} \quad y \ge \sum_{P \in \mathcal{P},\ v \in P} \tau(P, v)\,q(P), \quad \forall v \in V. \qquad (5)$$

Substituting this minimization problem in $MP'_1$ leads to the following linear optimization problem $LP_1$:

$$\min\ y \quad \text{subject to} \quad \sum_{P \in \mathcal{P},\ v \in P} \tau(P, v)\,q(P) \le y,\ \forall v \in V, \qquad \sum_{P \in \mathcal{P}} q(P) = 1, \qquad q(P) \ge 0,\ \forall P \in \mathcal{P}. \qquad (6)$$

The size of $LP_1$ grows with the number of possible paths between $S$ and $T$ and can be exponentially large. For this reason we reformulate $LP_1$ as the maximum flow problem in lossy networks, which can be solved in a polynomial number of steps.
In $LP_1$, we can interpret $q(P)$ as a flow on $P$ and $y$ as the capacity of node $v$. Thus the constraint $\sum_{P \in \mathcal{P},\ v \in P} \tau(P, v)\,q(P) \le y$ restricts the flow on node $v$. The constraint $\sum_{P \in \mathcal{P}} q(P) = 1$ states that one unit of flow is sent from $S$ to $T$. Assume that the capacity of each node $v$ in the network is 1. $LP_1$ is equivalent to determining the smallest scaling factor $y$ on the network nodes such that one unit of flow can be sent from $S$ to $T$. In this way $LP_1$ can be mapped to the maximum flow problem.
Here we would like to emphasize that the maximum flow problem in our context differs from the classical maximum flow problem due to the packet loss factor $\tau(P, v)$. Indeed our problem can be seen as the maximum flow problem in lossy networks [11]. Each link has unlimited capacity $+\infty$, but has a reliability factor $r_e$. If $r_e = 1$ for all $e \in E$, our problem degenerates to the standard maximum flow problem with node capacity constraint.

Solving the Multipath Routing Problem.
We first give a sketch of the solution.
(i) Perform node splitting to transform the maximum flow problem with node capacity constraint into the maximum flow problem with link capacity constraint.
(ii) Calculate the maximum flow $f^*$ in the transformed network after the node splitting procedure. Decompose the maximum flow into subflows on paths $P_1, P_2, \ldots, P_l$ from $S$ to $T$ with flow $f_i$ on $P_i$, respectively.
(iii) $S$ should route its packets along path $P_i$ with probability $q_i = f_i / f^*$ to minimize the security risk. The minimum security risk $r^*$ is $1/f^*$.
(iv) Perform the inverse procedure of node splitting. Map the paths and flows in the transformed graph into the corresponding paths and flows in the original graph.
In the following, we detail the core part of the solution.

Node Splitting.
The objective of node splitting is to transform the maximum flow problem with node capacity constraint into the standard maximum flow problem with link capacity constraint. The key idea is to replace a node with capacity $c$ with two virtual nodes with a link of capacity $c$ between them. The detailed transformation procedure is as follows.
(i) Split each node $v \in V$ of capacity $c_v$ into two virtual nodes $v_1$ and $v_2$. Add a link $(v_1, v_2)$ with the same capacity $c_v$ and the reliability factor 1.
(ii) For each link $(v, v') \in E$ of reliability $p$, replace $(v, v')$ by a link $(v_2, v')$ with the same reliability $p$ and the capacity $+\infty$. For each link $(v', v) \in E$ of reliability $p$, replace $(v', v)$ by a link $(v', v_1)$ with the same reliability $p$ and the capacity $+\infty$.
Figure 1 illustrates the node splitting procedure. After the procedure, node $v_1$ receives all the input flows of node $v$; the output flows of node $v$ are sent by the node $v_2$; the added virtual link $(v_1, v_2)$ carries the flow from input to output, which is restricted by its capacity $c_v$. Let $G'$ denote the resulting network after applying the node splitting process on the original network $G$. It is clear that each flow in $G$ is one-to-one mapped into a flow with the same quantity in $G'$. Hence it holds that $f^*$ is the maximum flow in $G$ if and only if $f^*$ is the maximum flow in $G'$.

Finding Maximum Flow.
Our discussion in this subsection relies on the maximum flow problem in lossy networks. Given a lossy network, the maximum flow problem is to determine the maximum flow that can be sent from a source node $S$ to a sink node $T$ subject to the capacity constraints (i.e., each link has flow bounded by the link capacity) [11].
Such a maximum flow problem in lossy networks is a generalized case of the classical maximum flow problem. To solve this generalized problem, we run the most improving augmenting path algorithm described in [11], which generalizes the maximum capacity augmenting path algorithm for the traditional maximum flow problem [12].
In Algorithm 1, the augmenting path has a value, defined as the maximum amount of flow that can reach the sink, while respecting the capacity limits, by sending excess from the first node of the path to the sink. A most improving augmenting path is an augmenting path with the highest value. The algorithm repeatedly sends flow along the most improving augmenting paths. Since these may not be the highest gain augmenting paths, this may create residual flow-generating cycles. After each augmentation, the algorithm cancels all residual flow-generating cycles in CancelCycles(), so that computing the next most improving path can be done efficiently. Intuitively, canceling flow-generating cycles can be interpreted as rerouting flow from its current paths to the highest-gain paths.

Algorithm 1 (steps 6 to 8):
6: Find a most improving augmenting path P in G
7: Augment flow along P and update f*
8: until f* is maximum

An efficient algorithm for computing a most improving augmenting path based on Dijkstra's shortest path algorithm is proposed in [12] with time complexity $O(m + n \log n)$ when implemented using Fibonacci heaps. We refer readers to [11] for the detailed algorithm and [13] for a complete survey on the generalized maximum flow problem in lossy networks.
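The four-step procedure above, as an added Python example that is not code from the paper. It covers only the lossless special case ($r_e = 1$ on every link), where the text says the problem degenerates to standard maximum flow with node capacities, so plain shortest augmenting paths (Edmonds-Karp) replace the most improving augmenting path algorithm of [11]. The topology is constructed, reusing the node names of the paths SAT, SBDT and SCDT; treating the internal links of $S$ and $T$ as uncapacitated is an assumption.

```python
from collections import deque, defaultdict

INF = float("inf")

def build_split_graph(edges, S, T):
    """Node splitting: v becomes v1=(v,1) -> v2=(v,2) with capacity 1, and
    every link (u, v) becomes (u2, v1) with capacity +inf.
    Assumption: S and T are never attacked, so their internal link is +inf."""
    if (S, T) in edges:
        raise ValueError("direct S->T link: flow is unbounded, risk is 0")
    cap = defaultdict(dict)
    for v in {n for e in edges for n in e}:
        cap[(v, 1)][(v, 2)] = INF if v in (S, T) else 1
    for u, v in edges:
        cap[(u, 2)][(v, 1)] = INF
    return cap

def max_flow(cap, s, t):
    """Edmonds-Karp. Returns the flow value, the skew-symmetric flow map and
    the nodes reachable from s in the final residual graph (min-cut side)."""
    flow = defaultdict(lambda: defaultdict(int))
    adj = defaultdict(set)
    for u in list(cap):
        for v in cap[u]:
            adj[u].add(v)
            adj[v].add(u)

    def residual(u, v):
        return cap.get(u, {}).get(v, 0) - flow[u][v]

    total = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in sorted(adj[u]):          # sorted: deterministic output
                if v not in parent and residual(u, v) > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return total, flow, set(parent)
        hops, v = [], t
        while parent[v] is not None:
            hops.append((parent[v], v))
            v = parent[v]
        push = min(residual(u, v) for u, v in hops)
        for u, v in hops:
            flow[u][v] += push
            flow[v][u] -= push
        total += push

def decompose(flow, s, t):
    """Peel s-t paths off the flow; unit node capacities keep them node-disjoint."""
    paths = []
    while True:
        walk = [s]
        while walk[-1] != t:
            u = walk[-1]
            nxt = [v for v in sorted(flow[u]) if flow[u][v] > 0]
            if not nxt:
                return paths
            walk.append(nxt[0])
        hops = list(zip(walk, walk[1:]))
        amount = min(flow[u][v] for u, v in hops)
        for u, v in hops:
            flow[u][v] -= amount
        paths.append((walk, amount))

def min_risk_routing(edges, S, T):
    """Steps (i)-(iv): returns ([(path, q_i)], r* = 1/f*, cut nodes V_C)."""
    cap = build_split_graph(edges, S, T)
    f_star, flow, reach = max_flow(cap, (S, 1), (T, 2))
    if f_star == 0:
        raise ValueError("T is unreachable from S")
    # Inverse of node splitting: keep one copy (v1) of every split node.
    routes = [([v for v, half in walk if half == 1], f / f_star)
              for walk, f in decompose(flow, (S, 1), (T, 2))]
    # Nodes whose saturated internal link leaves the reachable side form V_C.
    cut = sorted(v for v, half in reach if half == 1 and (v, 2) not in reach)
    return routes, 1 / f_star, cut

# Constructed topology, all link reliabilities taken as 1.
EDGES = [("S", "A"), ("A", "T"), ("S", "B"), ("B", "D"),
         ("S", "C"), ("C", "D"), ("D", "T")]

if __name__ == "__main__":
    routes, risk, cut = min_risk_routing(EDGES, "S", "T")
    print(routes, risk, cut)
```

The returned cut is the node set the attacker concentrates on at equilibrium in the game-theoretic reading of this solution; its size equals $f^*$ here, so $1/|V_C|$ and $1/f^*$ agree.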

A Game Theoretic Interpretation.
In this subsection, to gain a more in-depth insight of the internal structure of the obtained multipath routing solution, we study the multipath routing problem from a game theoretic perspective by modelling it as a noncooperative game between $S$ and $M$, denoted as $G_1$. The strategy of $S$ and $M$ is $q$ and $p$, respectively. The objective of $S$ is to determine $q$ to minimize its utility function $U_s = r$, which is the security risk. The objective of $M$, on the other hand, is to determine $p$ to maximize its utility function $U_a = r$. $G_1$ is a classical two-person zero-sum game with finite strategy set. Following [14, Proposition 33.1], a Nash equilibrium (mixed strategy) is guaranteed to exist. Based on the result on the two-person zero-sum game [14, Proposition 22.2], we have the following theorem on the NE (Nash equilibrium) of the multipath routing game $G_1$.
Theorem 1 shows that the solution of $MP_1$ is the most secure routing strategy minimizing the security risk. The minimized security risk from $S$'s point of view is, on the other hand, the upper bound of the payoff that $M$ can get. Hence, at the NE, the two players reach a compromise through self-optimization such that neither has incentive to deviate.
We now investigate the attacker's strategy at the NE. We consider the maximum flow $f^*$ on the lossy network $G'$, which is obtained from $G$ by applying the node splitting. Let $f^*_e$ be the flow of $f^*$ on the edge $e$. It follows from [15] that there exists a cut $C$ separating $S$ and $T$ such that $\sum_{e \in S} f^*_e = \sum_{e \in S} C_e$. In our case, $C$ consists of a subset of virtual links added in the node splitting process with capacity 1. This can be shown by the fact that the capacity of all other links is $+\infty$. These virtual links correspond to a set of nodes in the original network, denoted as $V_C$. As a dual part of the maximum flow problem, at the NE, $M$ attacks every node $v \in V_C$ with probability $1/|V_C|$, where $|V_C|$ denotes the cardinality of $V_C$. At the NE, the probability that a packet passes the node $v \in V_C$ is $1/f^*$; thus the probability of the packet captured can be computed as which confirms the previous analytical results. Furthermore, it follows that at such NE, $M$ attacks at most one node per path. This leads to $r^* = (r')^*$, which justifies our operation of solving $MP'_1$ instead of $MP_1$.

Complexity Analysis.
In the solution of the previous multipath routing problem, the complexity of the node splitting and the inverse procedure is $O(n)$. We now investigate the complexity of Algorithm 1 in the following theorem.
Theorem 2. Let 0 be the smallest positive number describing all possible values in Algorithm 1; Algorithm 1 terminates within at most log m/(m−1) ( f * / 0 ) + 1 iterations, where n denotes the largest integer not larger than n.
Proof. The key idea of the proof is to notice that the maximum flow in lossy networks can be decomposed into at most m augmenting paths. Algorithm 1 selects the path that generates the maximum amount of excess at the sink. Thus, each iteration captures at least a 1/m fraction of the remaining flow. Please refer to the appendix for the detail of the proof.
Note that in Algorithm 1, the time complexity of the CancelCycles subroutine is O(mn^2 log(1/ 0 )) and that of finding the most augmenting path is O(m + n log n). Generally, 0 is sufficiently small. The total time complexity of the algorithm is thus O(mn^2 log(1/ 0 ) log( f * / 0 )).
In reality, it is often more practical for S to find the quasi-optimal solution of MP 1 , that is, the flow f * = (1 − ) f * where is sufficiently small. In such cases, the time complexity of finding f * is O(mn^2 log(1/ ) log( f * / )) applying the proof of Theorem 2. As a result, the proposed solution offers the flexibility for the source node to balance between the time complexity of the algorithm and the optimality of the result by tuning the parameter .

Discussion.
The multipath routing problem investigated in this section is related to the work of inspection point deployment in [16] and intrusion detection via sampling in [17], which stem from the drug interdiction problem. Our work differs from theirs in the following. Firstly, in [16,17], the strategy of the police and the service provider is to inspect and sample the edges, while in our problem, the attack is on the nodes, which is more efficient from the attacker's point of view. Secondly, in [16,17], the network is lossless, while we work on the lossy network, which is more adapted for wireless networks where packet loss and link instability is one of the major concerns. Thirdly, since finding the maximum flow in lossy networks is by nature much more complex to solve than in classical lossless networks, we choose a solution providing the flexibility for the source node to balance between the time complexity of the algorithm and the optimality of the result by tuning the parameter .
One limitation of the obtained multipath routing solution is that it minimizes the security risk by choosing appropriate multipaths without taking into account the performance of the selected path set. Figure 2 (the number beside the edge is the reliability of the link) provides an illustrative example. Based on the proposed solution, S should select the path SAT and SBDT, but it is clear that the path SCDT is more efficient than SBDT. The problem is that in the previous solution, in some cases, the security is obtained at the price of performance (characterized by the packet delivery ratio). This limitation may pose a problem for applications where the performance of the paths is as important as the security or even more, such as ad hoc networks for emergency rescue. In such scenarios, it is more important for S to find the paths of which the packet delivery ratio at T is maximized even in the presence of M.
This motivates us to investigate the multipath routing solution maximizing the worst-case packet delivery ratio. In Section 6, we extend our work to derive the multipath routing solution to achieve a tradeoff between route security and performance.

Multipath Routing with Maximum Worst-Case Packet Delivery Ratio
In this section, we study the multipath routing solution to maximize the worst-case packet delivery ratio (or equivalently, the probability that a packet arrives at $T$ under the condition that the attacker makes all its efforts to minimize this probability). In such context, $S$ solves the following maximinimization problem $MP_2$: where $a = \sum_{P \in \mathcal{P}} q(P)\,\tau(P, T) \prod_{v \in P} (1 - p_v)$ is the expected probability that a packet arrives at $T$.

Solving the Maximinimization Problem $MP_2$.
The maximinimization problems such as $MP_2$ are usually hard to solve directly. In our study, in order to make the problem more tractable, we apply game theory by modelling the multipath routing problem $MP_2$ as a game $G_2$ in a similar way as in Section 3.2. What differs here is that the objective of $S$ is to maximize its utility function defined as $U_s = a$ and that the objective of $M$ is to minimize $U_a = a$. Following the same argument, the following theorem is immediate.
Theorem 3. $G_2$ admits at least one NE $(p^*, q^*)$, at which it holds that
Under the game theoretic formulation, solving $MP_2$ consists of solving the multipath routing game $G_2$, more specifically, finding the NE of $G_2$.
Before delving into the solution, we prove the following useful theorems on the choice of strategy at the NE for the players $S$ and $M$.
Theorem 4. There exists an NE where the source node $S$ chooses only node-disjoint paths between $S$ and $T$.
Proof. The proof consists of showing that if there exists an NE where $S$ routes its traffic on paths with common nodes, we can always construct an NE where the source node $S$ chooses only node-disjoint paths. Please refer to the appendix for the detailed proof.
In the following, we focus on finding the NE with node-disjoint paths.
Theorem 5. At the NE with only node-disjoint paths, the attacker $M$ attacks at most one node per path.
Proof. If at such NE, $M$ attacks nodes $V_1, \ldots, V_n$ on the same path $P$ with probability $p_1, \ldots, p_n$, then the payoff $M$ gets on the path $P$ is If $M$ uses the same resource to attack only one node on $P$, say $V_1$, then the payoff it gets on $P$ is which implies that the strategy of attacking more than one node on the same path cannot be an NE.
Now we are ready to solve the NE. We cite the following well-known lemma [14] to conduct further analysis.
Lemma 1. Every action in the support of any player's mixed strategy NE yields that player the same payoff.
Let $P^*$ denote the multipath set chosen by $S$ at the NE, $q_i$ the probability that $S$ chooses path $P_i \in P^*$ to route its traffic at the NE, $p_i$ the probability that $M$ attacks $P_i$ at the NE, and $\tau_i = \tau(P_i, T) = \prod_{e \in P_i} r_e$. Applying Lemma 1, we have The packet delivery ratio $a = \sum_{P_i \in P^*} q_i \tau_i (1$ where $|P^*|$ is the number of paths in $P^*$. Noticing that $a$ is the packet delivery ratio that $S$ wants to maximize, solving the NE consists of finding the multipath set $P^*$ such that $(|P^*| - 1) / \sum_{P_i \in P^*} (1/\tau_i)$ is maximized. The maximized value is the solution of $MP_2$. The strategy of $S$ and $M$ at the NE can be solved as follows.
(i) $S$'s strategy: route the packet along path $P_i$ with probability $q^*_i = \dfrac{1/\tau_i}{\sum_{P_j \in P^*} (1/\tau_j)}$.
(ii) A's strategy: attack path $P_i$ with probability p

It follows from $p^*_i \le 1$, for all $P_i \in P^*$, that $\tau_i \ge (|P^*| - 1) / \big( \sum_{P_j \in P^*} (1/\tau_j) \big)$. This implies that $M$ only focuses on a subset of routes to minimize $a$. Interestingly, $S$ also has incentive to only route its packets on these paths even though other paths are attack free, due to the fact that the attack-free paths are very poor in terms of performance. In summary, $S$ should solve the following optimization problem $MP'_2$ to find the NE:

Heuristic Path Set Computation Algorithm.
Although solving $MP'_2$ is more tractable than solving $MP_2$, it still requires searching all possible node-disjoint paths between $S$ and $T$, which leads to exponential time complexity. In the following, we propose a heuristic algorithm computing $P^*$ with polynomial time complexity. The goal of the heuristic algorithm is to find the optimal multipath set $P^*$ such that $a = (|P^*| - 1) / \sum_{P_i \in P^*} (1/\tau_i)$ is maximized. We first introduce the two intuitions of the algorithm. Firstly, if we define $\tau_i$ as the reliability of path $P_i$, then choosing more reliable paths leads to a higher global packet delivery ratio. Secondly, if we include more paths in $P^*$, then $|P^*|$ increases. However, the denominator of $a$ also increases, especially when $\tau_i$ is small. Thus, the key point of our heuristic path set computation algorithm is to find as many node-disjoint paths as possible, and at the same time as reliable as possible, under the condition that the paths in the multipath set satisfy the constraint $(C_1)$, such that the global packet delivery ratio $a$ is maximized.
In order to change the path reliability from a multiplicative to an additive form, each edge $e \in E$ is assigned a weight $w_e = -\log p_e$. Then a conventional shortest path algorithm such as the Dijkstra algorithm can be applied to find the most reliable path.

Algorithm 2:
1: Input: network G
2: Output: multipath set P* maximizing a = (|P*| − 1) / Σ_{Pi ∈ P*} (1/τ_i)
3: Find the most reliable path P_1 by Dijkstra algorithm, select P_1; Set P*(1) = {P_1}, k = 1, a = 0.
4: for each path P_i ∈ P*(k) do
5: Inverse the direction of each edge on P_i, and make its length negative of the original link cost.
6: Split each node v on P_i (except S and T) into two nodes v_1 and v_2; Add an edge (v_2, v_1) of cost 0. Replace each edge (v', v) ∈ E by the edge (v', v_1) without changing its reliability, replace each edge (v, v') ∈ E by the edge (v_2, v') without changing its reliability.
7: end for
8: Run the Dijkstra algorithm, find the most reliable path P with reliability τ in the transformed graph.
The heuristic path set computation algorithm, shown above, is based on the K-node-disjoint shortest path algorithm [18]. The basic idea of the K-node-disjoint shortest path algorithm is to add a path in each iteration using graph transformation and link interlacing removal such that the total cost is minimized. We refer readers to [18] for a detailed description of the algorithm.
Algorithm 2 is a greedy approach finding the most reliable path at each iteration. The iteration continues as long as: (1) there exist paths in the transformed graph, implying that there exist node-disjoint paths in the original graph; (2) the constraint $(C_1)$ is satisfied. At the end of the algorithm, the multipath set $P^*$ maximizing $a$ is returned. Once $P^*$ is found, $S$ routes its traffic along $P_i$ with probability $q^*_i$. One point concerning the correctness of the heuristic algorithm is that if the most reliable path found in the transformed graph satisfies the constraint $(C_1)$ (in the transformed graph), then after erasing the interlacing edges, all the paths in the newly formed multipath set $P^*(k + 1)$ satisfy $(C_1)$. This can be shown by recursively applying the following lemma.
Lemma 2. If $P_2$ is the most reliable path in the transformed graph that satisfies the constraint $(C_1)$ (in the transformed graph), then after erasing an interlacing edge with another path $P_1 \in P^*$, the resulting path $P_1$ and $P_2$ satisfy $(C_1)$.
Proof. Please refer to the appendix for the detailed proof.
We conclude this subsection by addressing the complexity of Algorithm 2. The worst-case complexity of the heuristic algorithm is $O(n^3)$ in that there are at most $d_s$ node-disjoint paths between $S$ and $T$, where $d_s$ is the number of outgoing edges from $S$. Since $d_s \le n - 1$, the algorithm iterates $n - 1$ times in the worst case ($S$ can reach all nodes in the graph in one hop). In each iteration we run a minimum weight node-disjoint paths algorithm whose complexity is $O(n^2)$. The result is an overall worst-case complexity of $O(n^3)$.

Achieving Security-Performance Tradeoff
In Sections 3 and 4, we focus on the multipath routing solution minimizing the worst-case security risk and maximizing the worst-case packet delivery ratio.In fact, security and performance are two important aspects, of which neither should be ignored.Unfortunately, these two aspects sometimes lead to divergent routing solutions.Hence a natural next step is to investigate the multipath routing solution for multihop wireless networks that achieves a good tradeoff between the route security and performance.We formulated the routing problem in such context as the following maximinimization problem MP 3 : max q min p P∈P v∈P q(P)τ(P, T) v∈P In MP 3 , S wants to maximize the worst-case packet delivery ratio in the presence of attacker M, while limiting the worst-case security risk at most r 0 .Directly solving MP 3 needs an algorithm of exponential time complexity.In this section, we propose a heuristic solution based on Algorithm 2 to solve MP 3 .As discussed in Section 4, maximizing the worst-case packet delivery ratio equals to solve max P * (|P * | − 1)/ Pi∈P * (1/τ i ) under the constraint (C 1 ).The routing strategy for S is to route the packets along path P i with probability q * i = 1/τ i Pj ∈P * (1/τ j ).In such context, it is easy to compute the worst-case security risk as r = max Pi∈P * (r e i 1 /τ i Pj ∈P (1/τ j )) where r e i 1 is the reliability of the first edge of P i , since max p min q r = min q max p r, and the first constraint of MP 3 on the security risk can be transformed into Our heuristic solution is extended form Algorithm 2. 
The key idea is to include a sufficient number of reliable paths in $\mathcal{P}^*$ to limit the security risk. The intuition is that distributing the traffic among more paths helps limit the security risk. With this in mind, we modify Algorithm 2 such that the iteration continues until the constraints (C$_1$) and (C$_2$) are both satisfied or there is no more node-disjoint path available. In the latter case, the heuristic algorithm fails to find the multipath routing solution to MP$_3$. This failure may be due to the fact that the constraint on the security risk is so stringent that no possible multipath set can meet it, or alternatively, that the heuristic algorithm itself cannot find the solution though it does exist. In such cases, possible solutions include secret sharing and information dispersion, in which the key idea is to divide the packet into N parts such that the recovery of the packet is possible only with at least T parts. These techniques can further decrease the security risk and improve the performance. We refer readers to [3,19] since they are out of the scope of our work.

Theoretical Security-Performance Limit of Node-Disjoint Multipath Routing
In this section, we establish the relationship between the worst-case packet delivery ratio $a^*$ and the worst-case security risk $r^*$ in node-disjoint multipath routing. The relationship gives one important security-performance limit of node-disjoint multipath routing in the presence of an attacker, in the sense that we cannot find better routing solutions with node-disjoint paths whose security and performance go beyond the limit. Let $\mathcal{P}_{nd}$ be the node-disjoint multipath set selected by S to route traffic; we have shown in Section 4 that On the other hand, let $q_k^0 = (1/\tau_k) / \sum_{P_j \in \mathcal{P}_{nd}} (1/\tau_j)$. We have $\sum_{P_k \in \mathcal{P}_{nd}} q_k^0 = 1 = \sum_{P_k \in \mathcal{P}_{nd}} q_k$, where $q_k$ is the probability of routing packets along $P_k$. From the Pigeon Hole Principle, there exists at least one path $P_m \in \mathcal{P}_{nd}$ such that $q_m \ge q_m^0$. It follows that where $r_{e_m^1}$ is the reliability of the first edge on $P_m$. As a result, we get where $|\mathcal{P}_{nd}|_{\max}$ is the maximum number of node-disjoint paths between S and T.
As a limit of node-disjoint multipath routing, the above relationship shows the intrinsic constraint on minimizing r and maximizing a at the same time. More specifically, if we want to limit the worst-case security risk to as low as r, it is impossible to achieve $a > (|\mathcal{P}_{nd}|_{\max} - 1)\,r$; if we want to guarantee a worst-case packet delivery ratio as high as a, then we should expect a worst-case security risk of at least $a / (|\mathcal{P}_{nd}|_{\max} - 1)$. Moreover, given a requirement on the route security and performance, one can check whether it is realizable or too stringent by using the above formula before searching for the routing solution.

Multipath Routing with Multiple Attackers
In this section, we extend our efforts to investigate the case where there are n (n > 1) attackers in the network.

Minimizing Worst-Case Security Risk.
There are various formulations of the multipath routing problem under n attackers to minimize the worst-case security risk, among which we are interested in two typical formulations. In the first formulation, let $r_i$ be the probability that a packet is captured by attacker i, and S wants to minimize $r_i$. This case can be regarded as the case where S plays the multipath routing game $G_1$ with each of the attackers. Hence, the solution of MP$_1$ can be applied here. The only difference is that the resulting minimum worst-case security risk is $n r^*$. However, this does not influence the routing strategy of S; in other words, no matter how many attackers there are, the routing strategy of MP$_1$ provides the most secure routing strategy minimizing the worst-case security risk in this case.
In the second formulation, the security risk is defined as the probability that a packet is captured by at least one attacker. In this context, the attackers will arrange their attacks such that no more than one attacker attacks the same node simultaneously; that is, they try to cover as many nodes as possible to maximize the probability of capturing the packet. As in Section 3.2, we can show that the attackers attack at most one node per path to maximize the security risk. For S, minimizing the worst-case security risk means solving the following optimization problem MP$_4$: where $p_v$ is the probability that a node v is attacked by any of the n attackers.
MP$_4$ is a linear optimization problem and can be solved by classical linear programming techniques. However, due to the additional constraints $p_v \le 1$, MP$_4$ cannot be transformed into a maximum flow problem in lossy networks, as MP$_1$ can, and hence cannot be solved in polynomial time in the same way. As a result, solving MP$_4$ may require an algorithm with exponential time complexity.
In the following, we give the upper bound of the worst-case security risk under n attackers. To this end, we relax the constraint $p_v \le 1$ and perform a variable transformation by letting $p'_v = p_v / n$. MP$_4$ after the transformation becomes MP$'_4$: MP$'_4$ is identical to MP$_1$ except for a constant coefficient n. It follows immediately that its solution is $n / f^*$, where $1 / f^*$ is the maximum flow in MP$_1$. Let r be the worst-case security risk under n attackers; since MP$'_4$ is obtained by relaxing the constraint $p_v \le 1$ in MP$_4$, it holds that $r \le n / f^*$. In summary, by increasing the number of attackers from 1 to n, the worst-case security risk increases at most n times.

Maximizing Worst-Case Packet Delivery Ratio.
We consider the multipath routing game between S and the attacker side consisting of n attackers. S tries to maximize the packet delivery ratio and the attacker side tries to minimize it. It can be shown that at the NE of the game, no more than one attacker attacks the same node at the same time. This is because attacking the same node at the same time gives the attacker side the same payoff as the case where only one attacker attacks the node, which is less than the payoff obtained when the attacker side arranges the attack to cover as many nodes as possible. With this in mind, by conducting an analysis similar to that in Section 4.1, the optimization problem S should solve in the multiple-attacker case is MP$_5$: max where $\mathcal{P}^*$ consists of node-disjoint paths. The extension of Algorithm 2 to solve MP$_5$ is straightforward. We now investigate the case where S also wants to limit the worst-case security risk to as low as $r_0$ at the same time, as in Section 5. Recall that $r_{e_i^1}$ denotes the reliability of the first edge of $P_i$, and we sort the paths by $r_{e_i^1}/\tau_i$, that is, $r_{e_i^1}/\tau_i \le r_{e_j^1}/\tau_j \Leftrightarrow i \le j$. The worst-case security risk in the multiple-attacker case is $\sum_{i=1}^{n} \left( (r_{e_i^1}/\tau_i) / \sum_{P_j \in \mathcal{P}} (1/\tau_j) \right)$, which is achieved when the n attackers attack the n most profitable paths. To limit the worst-case security risk, the constraint $\sum_{i=1}^{n} \left( (r_{e_i^1}/\tau_i) / \sum_{P_j \in \mathcal{P}} (1/\tau_j) \right) \le r_0$ should be added to MP$_5$. Algorithm 2 can be extended in a similar way as in Section 5.
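The traffic split, worst-case delivery ratio, worst-case risk and security-performance limit from the last three sections can be traced in the sketch below, an added example that is not the paper's Algorithm 2. It assumes the candidate node-disjoint paths are already known, reads (C$_1$) as requiring each selected path's reliability to be at least the resulting worst-case delivery ratio, and selects paths for the single-attacker case only; `Path`, `select_paths`, `realizable` and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    tau: float         # end-to-end reliability tau_i of the path
    first_edge: float  # reliability of the path's first edge (>= tau)

def split(paths):
    """Routing probabilities q_i = (1/tau_i) / sum_j (1/tau_j)."""
    z = sum(1 / p.tau for p in paths)
    return {p.name: (1 / p.tau) / z for p in paths}

def delivery_ratio(paths):
    """Single-attacker worst-case delivery ratio (|P*| - 1) / sum(1/tau_i)."""
    return (len(paths) - 1) / sum(1 / p.tau for p in paths)

def security_risk(paths, attackers=1):
    """Worst-case risk: n attackers take the n largest r_first * q_i terms."""
    q = split(paths)
    terms = sorted((p.first_edge * q[p.name] for p in paths), reverse=True)
    return sum(terms[:attackers])

def select_paths(candidates, r0):
    """Add paths (most reliable first) until the risk is at most r0.

    Returns the chosen list, or None when the paths run out or the next
    path would break the assumed form of (C1): tau_i >= delivery ratio.
    """
    if not candidates:
        return None
    ordered = sorted(candidates, key=lambda p: p.tau, reverse=True)
    chosen = ordered[:1]
    for nxt in ordered[1:]:
        if security_risk(chosen) <= r0:
            break
        trial = chosen + [nxt]
        if nxt.tau < delivery_ratio(trial):  # weakest path would violate (C1)
            break
        chosen = trial
    return chosen if security_risk(chosen) <= r0 else None

def realizable(a, r, max_disjoint):
    """Theoretical limit: a target (a, r) needs a <= (|P_nd|max - 1) * r."""
    return a <= (max_disjoint - 1) * r

# Constructed candidate set; values are illustrative only.
CANDIDATES = [
    Path("A", 0.8, 0.9), Path("B", 0.7, 0.9), Path("C", 0.6, 0.8),
    Path("D", 0.5, 0.7), Path("E", 0.2, 0.9),
]

if __name__ == "__main__":
    for r0 in (0.35, 0.25, 0.20):
        sel = select_paths(CANDIDATES, r0)
        if sel is None:
            print(f"r0={r0}: no path set found")
        else:
            print(f"r0={r0}: {[p.name for p in sel]} "
                  f"a={delivery_ratio(sel):.4f} r={security_risk(sel):.4f}")
```

With the tightest threshold the search fails because the only remaining path is too unreliable to add, which is the failure case the tradeoff section describes.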

Performance Evaluation
In this section, we evaluate the performance of the proposed multipath routing solutions through simulation using Network Simulator (NS 2). Table 1 shows the simulation setting.
The link reliability of each link is generated from a normal distribution σ(0.7, 0.2) truncated to the [0, 1] interval.
8.1. Single-Attacker Case.
We start with the single-attacker case. Two scenarios are simulated: the attacker launches its attack to maximize the packet capture probability (scenario 1) or to minimize the packet delivery ratio (scenario 2). In both scenarios, we assume that the attacker knows the routing strategy of S. We compare our solutions with SMT [3] and DPSP [1]. To focus on the multipath routing solution itself and perform a fair comparison, we do not implement the message dispersion in SMT. Since SMT and DPSP do not specify how to balance traffic among the paths, we let S choose randomly in the multipath set when it has a packet to send.
Let MinSR denote the multipath routing algorithm minimizing the worst-case security risk, MaxDR denote the heuristic multipath routing algorithm maximizing the worst-case packet delivery ratio, and MaxDR-SR denote the heuristic multipath routing algorithm maximizing the worst-case packet delivery ratio while limiting the worst-case security risk under a certain threshold (the threshold is set to 16% in our simulation). In MinSR, to balance the complexity of the algorithm and the solution optimality, we set = 0.05. Table 2 shows the simulation results.
The simulation results show that SMT performs poorly in both scenarios. This is due to the fact that in our simulation, unlike the scenarios simulated in the literature [3,20], we simulate the worst-case scenarios where the attacker launches its attack in an unpredictable way that is not correlated with the history rating. In such a context, the attacker can actually take advantage of the path rating mechanism to cause more severe damage. DPSP performs almost the same in the two scenarios in that it selects the most reliable multipath set without taking attackers into consideration. The resilience of DPSP to attacks is purely due to its multipath nature. Our solution MinSR achieves the minimum security risk in scenario 2, which confirms the analytical result in that the upper bound of the security risk $r^*$ is achieved in scenario 1. However, the packet delivery ratio in MinSR is less than that in MaxDR. This is due to the limitation of MinSR discussed in Section 3.4. From the simulation, we can see that the suboptimality of MinSR in terms of performance can be rather important compared to MaxDR, which achieves the best performance among all the simulated multipath routing solutions. MaxDR-SR, on the other hand, achieves a tradeoff between route security and performance, as shown by the simulation results in which MaxDR-SR lies between MinSR and MaxDR in terms of route security and performance. Furthermore, we observe that the maximum number of node-disjoint paths in our simulation is around 6. From this observation, we can verify the relation between route security and performance using the formula derived in Section 6 on the theoretical limit of node-disjoint multipath routing.

Multiple-Attacker Case.
We then evaluate the performance of MaxDR and MaxDR-SR (the security risk threshold $r_0$ is set to 0.55) in the cooperative multiple-attacker case, where the attacker side arranges its attacks on a subset of paths so as to maximize the security risk in scenario 1 and to minimize the packet delivery ratio in scenario 2. Figures 3 and 4 plot a and r as a function of the number of attackers. SMT is not plotted here since the worst-case packet delivery ratio of SMT drops below 20% even with 2 attackers. MinSR is not simulated here in that, according to our analysis in Section 7.1, the first formulation is simply the aggregated case of the single-attacker case; in the second formulation, no polynomial routing algorithm exists minimizing the worst-case security risk.
The results show that the performance degrades significantly as the number of attackers increases. The communication is almost paralyzed with 5 attackers. In the presence of 6 attackers, MaxDR-SR cannot find a routing solution whose security risk is not more than 0.55. Once again, our results seem very different from those reported in the literature. This is because we focus on the worst-case scenarios throughout this paper. Unlike the traditional simulation where a percentage of nodes is assumed to be compromised, we implement much more powerful attackers with perfect knowledge of the network and the routing strategies. These attackers are able to launch the most severe attacks, which are neither predictable nor correlated in time or space. In such a context, our results reflect the lower bound of performance of the simulated routing solutions. We argue that maximizing this lower bound, as discussed in our work, is of great importance since the attackers cannot be underestimated in any case. Meanwhile, we can see from the results that our solutions perform substantially better than DPSP in terms of both route security and performance.
In summary, the simulations show that the proposed multipath routing solutions achieve the design objective of providing the best security and/or performance in the worst-case scenarios.

Conclusion
In this paper, we address the fundamental problem of how to choose secure and reliable paths in wireless networks. We formulate the multipath routing problem as optimization problems and propose algorithms with polynomial complexity to solve them. Three multipath routing solutions are proposed: MinSR minimizes the worst-case security risk, MaxDR maximizes the worst-case packet delivery ratio, and MaxDR-SR achieves a tradeoff between them by maximizing the worst-case packet delivery ratio while limiting the worst-case security risk under a given threshold. We also establish the relationship between the worst-case security risk and packet delivery ratio, which gives the theoretical security-performance limit of node-disjoint multipath routing. The analytical and simulation results in the paper lead us to the following conclusions.
(i) Solutions based on path rating which work well in the presence of time or location correlated attacks may fail to provide secure and reliable paths facing strategic attackers with unpredictable attack patterns.
(ii) Two issues are crucial in multipath routing. Firstly, both the security and performance should be taken into account when choosing the optimal paths, as in [2] and our work. Secondly, the traffic should be balanced among paths such that they are equally "attractive" to attackers.
(iii) Among the proposed multipath solutions, MaxDR-SR achieves a good security-performance tradeoff by choosing a sufficient number of mutually disjoint paths with high reliability and balancing the traffic in the optimal way.

A. Proof of Theorem 2
By [11, Corollary 2.3.4], the maximum flow in lossy networks can be decomposed into at most m augmenting paths. Algorithm 1 selects the path that generates the maximum amount of excess at the sink. Thus, each iteration captures at least a 1/m fraction of the remaining flow. Let $f_k$ be the flow after iteration k, and we have Injecting $f_{k-1}, \ldots, f_2, f_1$ into $f_k$, we have

B. Proof of Theorem 4
We have shown that there exists at least one NE in $G_2$. We now show that if the NE consists of overlapped paths with common nodes, we can construct another NE with node-disjoint paths.
We first give some definitions. For two paths sharing nodes A, B with $(A, B) \ne (S, T)$, let $Q_1$ and $Q_2$ be the node sequences of the two paths between A and B. $Q_1$, $Q_2$ can be empty, but they cannot both be empty. Let $l(Q)$ denote the number of nodes in the sequence Q; we call the node sequence $A Q_1 B Q_2 A$ a cycle, and define the diameter of the cycle $A Q_1 B Q_2 A$ as $\min\{l(Q_1), l(Q_2)\}$.
Assume that at the NE, there exist paths with common nodes. We now study the cycle containing S, with the common nodes S and V, that has the smallest diameter. Suppose that this cycle is formed by paths $P_1$ and $P_2$ with the node sequences $L_1 \in P_1$ and $L_2 \in P_2$ between S and V, as shown in Figure 5. Without loss of generality, we assume that $l(L_1) \le l(L_2)$. It follows that at the NE, any node $V_n \in L_1$ does not belong to any path of the multipath set chosen by the source except $P_1$; otherwise we find a cycle with smaller diameter, which contradicts our assumption. It then holds that, at the NE, the attacker has no incentive to attack any node on $L_1$, because if it attacks any node on $L_1$ with probability p, it gets less payoff than if it uses the same resource attacking V. From the definition of NE, routing the packets on $L_1$ gives S the same payoff as routing them on $L_2$. Hence, we can switch all the traffic from $L_1$ to $L_2$ without changing the payoff of S. Moreover, since the attacker does not attack any node on $L_1$ at the NE, this operation does not change the payoff of the attacker, either. Therefore, it is easy to verify that the multipath set after the above operation is also an NE of $G_2$. However, the number of cycles decreases by one. As a result, by recursively repeating the above process, we can transform any NE into an NE where the number of cycles is 0. Such an NE consists of only node-disjoint paths between S and T.

C. Proof of Lemma 2
The lemma holds evidently if $P_2$ does not intercross $P_1$. In the following we prove the case where $P_2$ intercrosses with $P_1$. As illustrated in Figure 6, $P_1$ is composed of $L_1^1, e, L_1^2$, and $P_2$ is composed of $L_2^1, e, L_2^2$ before erasing the interlacing edge e. Here $L_i^j$ $(i, j = 1, 2)$ denotes a sequence of edges. Since $P_2$ satisfies the constraint (C$_1$), we have where $\Gamma = \sum_{P_j \in \mathcal{P}^*(k),\, P_j \ne P_1} (1/\tau_j)$ and $r_i^j = \prod_{e \in L_i^j} r_e$ $(i, j = 1, 2)$. At this moment, $P_2$ has not been added into $\mathcal{P}^*(k)$ yet, and so the numerator of the above inequality and that in step 7 in Algorithm 2 is $|\mathcal{P}^*(k)|$, not $|\mathcal{P}^*(k)| - 1$. Note that the cost of e is $-\log(r_e)$ in $P_1$ and $\log(r_e)$ in $P_2$ in the transformed graph.
Since the Dijkstra algorithm is applied on the graph with link cost $w_e = -\log r_e$, it follows that $r_1^1 r_e \ge r_2^1$ and $r_e r_1^2 \ge r_2^2$. Hence, we have In the same way, we can show that $\tau_2 = r_2^1 r_1^2 \ge |\mathcal{P}^*(k)| / \left( 1/(r_1^1 r_2^2) + 1/(r_2^1 r_1^2) + \Gamma \right)$. Noticing that $P_1$, $P_2$ consist of $r_1^1 r_2^2$ and $r_2^1 r_1^2$, respectively, it follows that both $P_1$ and $P_2$ satisfy (C$_1$), which concludes our proof.

Figure 5: Two paths form a cycle.

Table 2: Simulation results: single-attacker case.
In the multiple-attacker case, if $|\mathcal{P}_{nd}|_{\max} \le n$, the communication between S and T is paralyzed by the attackers.