Computer Networks 53 (2009) 1215–1234

Contents lists available at ScienceDirect

Computer Networks
journal homepage: www.elsevier.com/locate/comnet

Network survivability modeling

Poul E. Heegaard a,*, Kishor S. Trivedi b
a
Norwegian University of Science and Technology (NTNU), Department of Telematics, 7491 Trondheim, Norway
b
Pratt School of Engineering, Duke University, Durham, NC, USA

a r t i c l e i n f o a b s t r a c t

Article history: Critical services in a telecommunication network should be continuously provided even
Available online 5 March 2009 when undesirable events like sabotage, natural disasters, or network failures happen. It
is essential to provide virtual connections between peering nodes with certain perfor-
mance guarantees such as minimum throughput, maximum delay or loss. The design, con-
Keywords: struction and management of virtual connections, network infrastructures and service
Survivability platforms aim at meeting such requirements.
End-to-end performance
In this paper we consider the network’s ability to survive major and minor failures in
Analytical models
Simulation
network infrastructure and service platforms that are caused by undesired events that
might be external or internal. Survive means that the services provided comply with the
requirement also in presence of failures. The network survivability is quantified as defined
by the ANSI T1A1.2 committee which is the transient performance from the instant an
undesirable event occurs until steady state with an acceptable performance level is
attained.
The assessment of the survivability of a network with virtual connections exposed to link
or node failures is addressed in this paper. We have developed both simulation and ana-
lytic models to cross-validate our assumptions. In order to avoid state space explosion
while addressing large networks we decompose our models first in space by studying
the nodes independently and then in time by decoupling our analytic performance and
recovery models which gives us a closed form solution. The modeling approaches are
applied to both small and real-sized network examples. Three different scenarios have
been defined, including single link failure, hurricane disaster, and instabilities in a large
block of the system (transient common failure).
The results show very good correspondence between the transient loss and delay perfor-
mance in our simulations and in the analytic approximations.
Ó 2009 Elsevier B.V. All rights reserved.

1. Introduction tolerance and service dependability. Non-critical services

Our society depends on a wide variety of telecommuni-
cation services to support our demands for everything
from pure entertainment to commerce, banking and life
critical services. Critical services such as transport traffic
control systems, and emergency and financial services,
have stringent QoS requirements for both performance
* Corresponding author. Tel./fax: +47 99286858.
E-mail addresses:
like entertainment will typically have less strict require-
ments. Ideally, component or subsystem failures should
be imperceptible to the users, and it should make no differ-
ence whether the service impairment is caused by attacks,
accident or failure. However, it is far too expensive to build
a network that retains unchanged QoS level in case of a
major outage. Then preference should be given to the most
critical services and most users will accept that non-critical
services are temporarily shut down, while critical services
are degraded or at best unaffected.

[email protected] (P.E. Heegaard), kst@ A variety of threats, like attacks, accidents, and failures,
ee.duke.edu (K.S. Trivedi). may cause minor or major service degradations in the tele-

1389-1286/$ - see front matter Ó 2009 Elsevier B.V. All rights reserved.
doi:10.1016/j.comnet.2009.02.014
1216 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
communication services and network. Attack threats have
been given a lot of attention after the terrorist attacks in
New York 2001, Madrid 2004 and London 2005. Countries
consider their telecommunication infrastructure a part of
their national critical infrastructure that needs to be pro-
tected [1]. The protection should also cover natural disas-
ters such as flooding, earthquake, thunderstorms, etc.
that may have huge impact on the infrastructure. Finally,
through regulations and service level agreements (SLA)
the government and customers must give sufficient incen-
tives to the operators and equipment vendors to take all
the necessary precautions to avoid major network outages,
such as the famous AT&T’s frame relay network outage [2]
that lasted for up to 26 hours and included the failure of
mission-critical bank transactions, or the more recent ma-
jor outage in an NTT network in Japan [3], where close to
4000 Cisco routers went down for about seven hours dis-
connecting millions of broadband Internet users across
eastern Japan.
In a telecommunication network it is essential to pro-
vide virtual connections between peering nodes with cer-
tain performance guarantees such as minimum
throughput, maximum delay or loss, and at the same time
ensure an overall good utilisation of the network resources.
Management of paths in virtual connections must be de-
signed to handle (i) slow and quick changes in traffic load
and pattern, (ii) short and long lived minor node, link or
server outages, and (iii) short and long lived major outages
where a large number of nodes or links are simultaneously
down, or a critical server in service platform is down. The
design, construction and management of network infra-
structure and service platforms are very important and ex-
tremely challenging tasks. A combination of different
approaches are taken; (i) prevent the causes of the failures,
(ii) design the network to ensure that sufficient diversity
and spare capacity is built in to partly tolerate loss of
capacity, and (iii) develop and configure proactive and
reactive traffic management techniques and protocols to
enable restoration of services so they continue to provide
the requested service level. A large variety of management
techniques exist and are under development to meet these
requirements. They apply to different network layers, use
pre-planned or reactive techniques, and utilize various set-
up methods with different resource utilization on local or
global operational domain and scope of repair. An excellent
classification of recovery techniques and current state of
the art are given in [4].
Both behavioral as well as the structural aspects of the
system need to be taken into account while modeling the
(transient) performance of the virtual connection manage-
ment. This means that the model must capture how the
performance of the virtual connection is affected by rout-
ing and rerouting, by traffic load variations, by changes in
network capacities, and by different service requirements.
Structural dependability models typically focus on the
probabilities of terminal connectivity, while behavioral
models, e.g. as proposed in [5], take the network dynamics
into account and provide steady state service availability.
Combining structural and behavior aspects is typically
done using Markov models or queuing network models
for performance analysis. Further, combined study of per-
formance and dependability is carried out by Markov re-
ward type models.
In this paper we consider the network’s ability to sur-
vive major and minor failures in network infrastructure
and service platforms that are caused by undesired events
that might be external (environment, natural disasters,
accident, malicious human attacks and electronic attacks),
or internal (traffic congestion, link/node failure and repair,
different failure modes). Survive means that the services
provided comply with the requirements even in the pres-
ence of failures and the term survivability emphasizes that
the network design and evaluation should take all threats
into account and that services must be differentiated with
respect to performance and dependability requirements.
Particular attention is given to the transient behavior after
an undesired event when analyzing the system. In this pa-
per we describe a decomposed analytic model, as intro-
duced in [6], for the transient loss ratio (probability) and
expected number in system, and cross-validate this against
simulations of two small network examples. Furthermore,
the paper describes how the model may quantify the net-
work survivability by the transient one-way delay distribu-
tion of a set of virtual connections in a real-sized network
example. This was first time introduced in [7].
In Section 2 the network survivability is defined and
informally discussed in the context of virtual connection
management. Section 3 provides the steps in network sur-
vivability modeling, including modeling of the recovery
phases after a failure (Section 3.3), performance modeling
of expected loss ratio, throughput, and delay and distribu-
tion (Section 3.2), and the decomposition techniques that
allow us to deal with state explosion in real-sized net-
works (Section 3.4). A series of results are included in Sec-
tion 4 to validate the decomposition techniques, and
demonstrate the applicability on real-sized networks with
various failure scenarios. Finally, some closing remarks are
given in Section 5.
2. Survivability
Management of virtual connections must be designed
to preplan for the expected and react to the unexpected.
Evaluation of different schemes is important. However, it
is not obvious how to evaluate the management schemes,
not only because the size and complexity of the problem is
a huge modeling challenge, but also because the definition,
metrics, and quantification methods of survivability are
anything but clear. Different frameworks have been pro-
posed and applied under different scenarios [8–11].
Survivable system and survivable network have been
designed and evaluated in the literature for many years
[12–14]. The many definitions of survivability can be sum-
marized as
Survivability is the system’s ability to continuously
deliver services in compliance with the given require-
ments in the presence of failures and other undesired
events.
 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
In the literature we find that the services are everything
from unspecified [15,16], very general like ‘‘mission” [14],
to more specific such as ‘‘connected logical links” [17,18].
The requirements are very general like ‘‘fulfill its mission,
in a timely manner” [14], ‘‘complies with its survivability
specification” [12], ‘‘committed QoS continuously” [13],
‘‘provide service continuity” [15], very unclear ‘‘essential
functions are still available” [19], or closely linked to the
application area ‘‘logical links remain connected” [17]. Fi-
nally, the definitions of survivability cover a broad range
of undesired events and their effects. Often the definitions
only refer to failures [15,20] or failure scenarios [18,13]
without any reference to the events that caused it. In
[14] they explicitly indicate that ‘‘attacks, failures, and
accidents” may cause the system failure and the service
degradation.
In this paper our objective is to quantify the survivabil-
ity of virtual connections in telecommunication networks.
For this we define the (i) service to be the virtual connec-
tion between specific peering nodes in the network, (ii)
requirement is the maximum packet loss probability and
end-to-end delay of non-lost packets in the virtual connec-
tions, and (iii) undesired events are link and node failures
caused by attacks, accidents, and software and hardware
failures. To quantify we use the definition given by ANSI
T1A1 [22]:
Survivability quantification. The measure of inter-
est M has the value m0 just before a failure occurs. The
survivability behavior can be depicted by the following
attributes: ma is the value of M just after the failure oc-
curs; mu is the maximum difference between the value
of M and ma after the failure; mr is the restored value of
M after some time t r ; and t R is the relaxation time for
the system to restore the value of M.
These attributes are illustrated in Fig. 1. The measure of
interest M will in this paper be performance metrics like
the loss probability and the delay distribution of non-lost
packets. Specifically, the transient system behavior imme-
diately after the occurrence of a failure can be analyzed un-
der our proposed approach. Early related work can be
found in [23,24] and more recent work in [21,25,26].
3. Network survivability modeling
The network survivability models in this paper consider
networks exposed to undesired events that cause links and
nodes to fail, which are typically followed by a sudden
change in the availability of network resources such as
bandwidth of the transmission links, queuing positions
(memory), and processor capacity. Gradually the resources
are restored through rerouting and by restoration of the
failed links and nodes, which results in restored
performance.
First part of this section outlines the principle of surviv-
ability modeling, followed by details of performance mod-
1217
0.017
0. 0165
0.016
0. 0155 m
Blocking probability
a
0.015 mu
mr
0. 0145
0.014 m0 tr
0. 0135 tR
failure
0.013
0 10 20 30 40 50
Fig. 1. Survivability after first failure [21].
els in Section 3.2, which are constructed to evaluate
expected loss ratio, throughput, and delay (mean and dis-
tribution). In Section 3.3 two approaches are described to
model the phased failure propagation and recovery based
on either knowledge of propagation processes and recov-
ery mechanisms [6] or based on their actual traces [7].
The phased recovery model in Section 3.3.1 captures the
rerouting process while Section 3.3.2 traces the changes
in the routing probabilities observed after a failure. The
composite survivability models suffer from state explosion
when addressing real-sized networks and hence in Section
3.4 efficient time and space model decomposition tech-
niques are introduced. In Section 3.5 the model scalability
and corresponding assumptions are addressed.
3.1. Survivability model approach
The survivability model does not consider the frequency
of undesired events because the focus is: given that an
undesired event has occurred what is the nature of perfor-
mance degradation just after such event until the system
stabilizes again. The survivability models are constructed
by combining continuous time Markov chain (CTMC) per-
formance models with models of the different failure prop-
agation and recovery phases in the system. Fig. 2 illustrates
the modeling principle where the failure propagation and
recovery are modeled as a sequence of phases with each
phase being a state in a CTMC model, and the transitions
are caused by events like failure detection, rerouting com-
pleted, etc. In each state the system is assumed to be in a
performance wise steady-state with unchanged opera-
tional conditions. For a short period immediately after a
state change this is obviously not the case but as will be
demonstrated later this transient effect is negligible under
the assumption made in this paper (see Section 3.5 and the
experiments in Section 4). In each state the performance
metrics expected loss, throughput, and delay (mean and
distribution), are obtained by reward measures from a con-
tinuous time Markov chain (CTMC) model of the resource
utilization.
At time t a (set of) undesired events are assumed to take
place whence the transient period of interest begins. A
1218 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234

start from here failure propagation recovery

new
undesired event events reconfigure/ repair/
normal undesired
event detected detected reroute restore
events

Performance model 1 Performance model k

0 1 i i+1 0 1 i i+1

Fig. 2. Sequence of failure propagation and recovery.

X
change in the system state is triggered and the evolution of CðvÞ
i
ðvÞ
¼ ci þ
ðvÞ ðvÞ
rji Cj ð1  pj ðnj ÞÞ; for j ¼ 1; . . . ; n; ð1Þ
the system is followed through stages of failure propaga- j–i
tion, detection, recovery and restoration/repair. Observe ðvÞ
where ci is the arrival rate of external traffic to node i for
that we do not need to know the frequency of undesired
the virtual connection v and pj ðnj Þ is the steady state prob-
events, e.g., the time till failure, because the failure is
ability that node j will reject an incoming packet. In the
forced or triggered (dashed line in the figure).
case of infinite nj the pj ðnj Þ ¼ 0; 8j, and the model is an
open BCMP-type queuing network [28]. A single path vir-
3.2. Performance models
tual connection is modeled as a special case where each
hop has a single link j with rij ¼ 1 and 0 for all other links.
3.2.1. Network performance model
The total external traffic ci to node i is ci ¼ 0 for all i – s
The network is a graph ~ G ¼ ðv; eÞ where v is the set of
and cs ¼ c. The total arrival rate to node i is
nodes and e is the set of links. The single- or multi-path
routing of a virtual connection between source node s X
VC

and destination d reduces ~ G to a directed graph ~G½s;d . The Ci ¼ CðvÞ

network model is Markovian with Poisson external arrivals
and exponential service time distribution with an FCFS ser-
vice discipline at each node and/or link. The routing be-
tween node i and j is stochastic with time-independent
probability r ij . Depending upon whether the node process-
ing or the link transmission is the bottleneck in the packet
forwarding, a node or link centric approach is taken:
 node centric: if the node processing of each packet is the
bottleneck, each node is modeled as an independent
M=M=1 queue.
 link centric: if the link transmission is the bottleneck,
each link (or the corresponding network interface) is
an M=M=n-queue where n is the number of transmission
channels (propagation times are either included in, or
added to, the link service times).
 node and link centric: if the bottleneck is fluctuating
between node processing and link transmission, each
node and link are modeled separately.
In Fig. 3 an illustration of the three possible network
performance model views is given.
Each packet occupies one server or buffer position in
the node or on a transmission interface. The state xi in
the CTMC is the number of packets in state i. The state var-
iable i refers to a unique enumeration of nodes and links
that are included in the model. In the following section
we assume a node centric model view, i.e. the state vari-
able i corresponds to node i. Then the node capacity ni is
the number of buffer positions. With finite ni , the arrival
rate Ci is obtained by solving the linear system of traffic
equations [27]
i : ð2Þ
v¼1
3.2.2. Performance measures: expected values
The measure of interest, M, from Section 2, is obtained
as reward measures from a continuous time Markov chain
(CTMC) model of the resource utilization. Assume that
each node is an M=M=1=ni -queue. With Ci and li indepen-
dent of the state xi and let qi ¼ Ci =li , then the steady state
probability pi ðxi Þ of the state xi in node i has the following
closed form solution [29] (if ni ! 1 then qni ! 0)
1  qi
pi ðxi Þ ¼ qxi : ð3Þ
1  qni þ1 i
The performance metrics are expected loss, throughput,
and delay (mean and distribution). The transient loss rate
is denoted by LðtÞ at time t, the loss ratio (aka probability)
lðtÞ at time t, the number of packets in the system NðtÞ at
time t, and the mean end-to-end delay of packets that
are not lost in the virtual connection, DðtÞ. In the surviv-
ability models in the following sections the composite
CTMC state ðy; ~ xÞ constitutes of the phase y and
~
x ¼ ðx1 ; . . . ; xn Þ, where xi is the number of packets in node
i, see Section 3.3 for definition and modeling of phases.
The reward rates are assigned to node i as follows
1. For computation of the loss rate:

Ci ðyÞ if ðxi ¼ ni Þ at time t;
fLi ðt; y; xi Þ ¼
0 otherwise:
2. For computation of the mean number of packets:
fNi ðt; y; xi Þ ¼ xi ;
 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234 1219

(i) Node centric model (ii) Link centric model

2 [1,2] [2,4]

1 4

3 [1,3] [3,4]

2
[1,2] [2,4]

1 4

[1,3] [3,4]

(iii) Node and Link centric model

[1,2] 2 [2,4]

4
1

[1,3] 3 [3,4]

Fig. 3. Node and/or link centric models of a 4 node example.

where ni is the maximum number of packets and Ci ðyÞ is knowledge of the one-way delay (aka response time in
the arrival rate to node i in phase y. Once the transient [30]) distribution of a single network node to construct a
probabilities, pðt; y; ~
xÞ, are obtained from the composite CTMC where the one-way delay distribution for a virtual
CTMC models then the performance metrics become connection between two peering points is equal to the
time to absorption in this CTMC. The routing of each virtual
n o
ðvÞ
1. Expected total loss rate at time t: connection v is given in a routing matrix, RðvÞ ¼ r ij
ðvÞ
ni where r ij is the probability of routing packets from node
IV X
X n X
E½LðtÞ ¼ fLi ðt; y; xi Þpðt; y; ~
xÞ: ð4Þ i to j for virtual connection v, v ¼ 1; . . . ; VC. In link state
y¼I i¼1 xi ¼0 routing schemes (e.g. IS–IS [31], OSPF [32]) the virtual con-
nection follows shortest path typically according to the
2. Expected total loss probability at time t:
minimum number of hops or least cost based on static
E½lðtÞ ¼ E½LðtÞ=c: ð5Þ metrics. In stochastic routing schemes the virtual connec-
tions are routed along multiple paths which give load shar-
3. Expected total number of packets in the network at
ing. Stochastic routing is not in use in today’s network but
time t:
are under considerations in traffic engineered MPLS [33]
IV X
X ni
n X and swarm-based routing scheme [34,35].
E½NðtÞ ¼ fNi ðt; y; xi Þpðt; y; ~
xÞ: ð6Þ The block approach that is described in this section as-
y¼I i¼1 xi ¼0
sumes an open Markovian network of M=M=1 queues.
4. Expected total delay of non-lost packets at time t: Approximations for other Markovian, and non-Markovian
networks also exist, see [30] for details. In this section
E½DðtÞ ¼ E½NðtÞ=ðcð1  E½lðtÞÞÞ: ð7Þ we extend the block method to apply to network with mul-
tiple virtual connections. The method is presented in four
steps.
3.2.3. Performance measures: delay distribution
To evaluate the one-way delay distribution of packets in 1. Calculate the arrival rates to each node in the queuing
a virtual connection we use the response time block ap- network for virtual connection v by solving the linear
proach described in [29,30]. The basic idea is to use the system of traffic equations in (1).
1220 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234

 
2. Create a CTMC with states S ¼ Sf ; Sl ; [ni¼1 Si where Sf is
the absorbing state for any virtual connection, the Sl is
ðvÞ
the loss state where packets are routed if rij > 0 while
the link ½i; j or node j is down, and Si is the state of node
i. The CTMC has n þ 2 states where n is the number of
nodes in the network. In Fig. 4 the CTMC for an eleven
node network example with two virtual connections
is given.
3. The delay distribution in node i can be represented by
an exponential distribution with rate li  Ci given that
Ci < li , where Ci is the net arrival rate over all virtual
connections and li is the service rate to for i. The gen-
erator matrix Q ðvÞ of the CTMC above is constructed by
(a) The routing from node i to j for virtual connection
ðvÞ ðvÞ
v is Q Si Sj ¼ ðli  Ci Þr ij .
(b) The exit from the network at the destination
ðvÞ
i ¼ dv of the virtual connection v is Q Si Sf ¼
ðvÞ
ðli  Ci Þr if
ðvÞ
(c) If rij > 0 and the link ½i; j or node j is down then
the rate of transition to the loss state is
ðvÞ ðvÞ ðvÞ
Q Si Sl ¼ ðli  Ci Þrij and Q Si Sj ¼ 0.
(d) All other entries are 0 except the diagonals,
ðvÞ P ðvÞ
Q Si Si ¼  Sj 2S;Sj – Si Q Si Sj .
4. The cumulative delay distribution function for virtual
connection v is equal to the probability PQ ðvÞ ðSf ; uÞ of
being in the absorbing state Sf at time u under the gen-
erator matrix Q ðvÞ . The probabilities PQ ðvÞ ðs; uÞ, s 2 S are
found by solving (PQ ðvÞ ðuÞ ¼ fPQ ðvÞ ðs; uÞg)
d
P ðvÞ ðuÞ ¼ PQ ðvÞ ðuÞ  Q ðvÞ :
du Q
The initial conditions are PQ ðvÞ ðs; 0Þ ¼ 1 if s ¼ sv is the
source node sv of virtual connection v, and PQ ðvÞ ðs; 0Þ ¼ 0
otherwise. Observe that if packets are lost the packet delay
distribution is defective, i.e. P Q ðvÞ ðSf ; uÞ < 1 because
PQ ðvÞ ðSf ; uÞ > 0 when u ! 1 [29].
The computations above are exact in the case of an open
product form network that is feed-forward, and all paths
are overtake-free [29]. As an example the virtual connec-
tion VC1 in Fig. 4 is overtake-free while VC2 has a recon-
vergent path and hence is not overtake free.
With non-Exponential interarrival or service time
assumptions the approach is approximate. An example is
included in Section 4.2.1 to illustrate the approximation.
More details on this method and generalization to
M=M=c=b-queues and non-Markovian networks are found
in [30].
3.3. Failure propagation and recovery model
This section describes two approaches taken to model
the phased failure propagation and recovery based on
either the knowledge of propagation processes and recov-
ery mechanisms [6], or based on the actual traces [7].
3.3.1. Phased recovery model
In [6] a phased recovery model of the rerouting and res-
toration was introduced. The idea is to describe the se-
quence of events as a CTMC model with four phases
where each phase represents different stages in the routing
matrix update. This requires knowledge of the detection
mechanism and (re)routing process. The phased recovery

Fig. 4. CTMC specification for the delay block approach in a network example with two virtual connection.
 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
start from here
undesired event
normal
event detected
IV
Fig. 5. Phased recovery model of rerouting and restoration.
model describes the ‘‘cycle” starting from an undesired
event that causes one or multiple links or nodes to fail,
and until the system is back to the state just before this
event. This can be modeled by phases where each phase
may have different set of available resources for the virtual
connections, represented by (possibly) phase-dependent
stationary routing probabilities fr ij ðyÞg with corresponding
phase-dependent arrival rates Ci ðyÞ. A similar approach
was taken in [24]. But in the cited paper the recovery
was not considered whereas here we model both rerouting
and restoration of the network resources that brings the
system back to fault free operation. In Fig. 5 the life cycle
of the failure and rerouting is described in four phases,
y ¼ I; . . . ; IV. The dotted1 (blue) lines in the figure illus-
trates which phases of the more general model from
Fig. 2 that are included.
Phase I Immediately after the failure the rerouting is
activated but it takes some time before the
rerouting is effective. Meanwhile, the packets
are routed according to the original routing
scheme, rij ðIÞ ¼ r ij ðIVÞ, except for the failed
node i and link ½i; j where rij ðIÞ ¼ 0, i.e. no pack-
ets are fed forward from these nodes and links.
The rerouting time is assumed to be exponen-
tially distributed with rate ad .
Phase II When the rerouting is effective the link or node
is still failed. The packets are routed according
to a new routing scheme and will avoid these
failed links or nodes (if possible). After the
exponentially distributed repair time with rate
s, the system enters phase III.
Phase III On completion of repair the system returns to
failure free state but the routing is yet to
change. After the exponentially distributed
rerouting time with rate au , the system is back
to normal routing in phase IV. Phase II and III
may have identical routing probabilities with
1
For interpretation of color in Figs. 2 and 20, the reader is referred to the
web version of this article.
1221
failure propagation recovery
new
events reconfigure/ repair/
undesired
detected reroute restore
events
I II III
rij ðIIÞ ¼ r ij ðIIIÞ. In this case the two states can
be lumped together to reduce state space and
the model will be semi-Markovian.
Phase IV After the routing information is restored the
network operates in fault free mode, which is
an absorbing state for the purpose of surviv-
ability analysis [21,26].
This model should not be taken to imply that only one
failure event at a time can occur, since an event can be
any combination of multiple simultaneous node and link
failures. Furthermore, the phased recovery model can eas-
ily be modified to refine the rerouting phases to also model
gradual changes in the routing probabilities or multiple
steps in the virtual connection management scheme (see
tracing of phases in the following section), or to model
other failure modes like intermittent link failures (see
example in Section 4.2.4).
In the phased recovery model in Fig. 5 the system starts
in phase I and steps through all phases before it returns to
phase IV. The transient probabilities pðt; yÞ at time t of the
four phases y ¼ I; . . . ; IV ; can be obtained in a closed-form
by the convolution integration approach [29]
pðt; IÞ ¼ etad ;
ad
pðt; IIÞ ¼ ðets  etad Þ;
ad  s
  ð8Þ
ad s etad  etau etau  ets
pðt; IIIÞ ¼  ;
ad  s ad  au au  s
pðt; IVÞ ¼ 1  pðt; IÞ  pðt; IIÞ  pðt; IIIÞ
under the assumption ad – s – au . For the case ad ¼ au as
in the examples in Section 4.1.1 the solution is even
simpler.
As an example of how performance models related to
the phased recovery model, consider the virtual connec-
tion 1 (VC1) in Fig. 4. In Fig. 6 link [2,10] fails. The failed
link is part of VC1 and will cause 100% packet loss at this
stage. As shown in Fig. 7, after some time, provided that
alternative path exists, the routing protocol has obtained
a new path for VC1 that does not contain the failed link.
The packet loss is then 0% again because buffers are
infinite.
1222 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234

Fig. 6. CTMC of the network example with two virtual connection when link [2,10] has failed and all packets are lost.

Fig. 7. CTMC of the network example with two virtual connection when link [2,10] has failed and packets are rerouted.

3.3.2. Tracing of recovery phases d

In [7] the phased recovery is modeled by simply moni-
toring and recording the routing matrix, Rðv;pÞ , for virtual
connection v (v ¼ 1; . . . ; VC), at phase p (p ¼ 1; . . . ; PH)
at different time instances starting from the time t ¼ 0 of
the undesired event. The routing matrices can be recorded
either from an operational network or from simulations. In
Section 4 we use Rðv;pÞ obtained from ns-2 simulation stud-
ies of a swarm-based path management system [36] as an
example. The recovery model consists of PH phases
where each phase represents a network condition. Let
Sp ¼ f1; . . . ; PHg be the state in the phased recovery mod-
el. The transient solution PðSp ; tÞ, p ¼ 1; . . . ; PH, is ob-
tained by solving the following equations
PðSp ; tÞ ¼ ap PðSp ; tÞ þ ap1 PðSp1 ; tÞ; ð9Þ
dt
where each phase time is exponentially distributed with
rate ap (a0 ¼ 0), and initial condition PðS1 ; 0Þ ¼ 1 and
PðSp ; 0Þ ¼ 0 for all p > 1.
3.4. Decomposed survivability models
3.4.1. Space decomposed model
It is challenging to obtain the transient probabilities,
pðt; y; ~
xÞ because the state space becomes huge as the net-
work size increases. We apply a space decomposition
approximation and model the transient behavior in each
node separately. The global probabilities are approximated
 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
by the product pðt; y; ~ xÞ ¼ p1 ðt; y; x1 Þ    pn ðt; y; xn Þ where
pi ðt; y; xi Þ is the transient probability of xi packets in node
i at time t in phase y. This is akin to a product-form solu-
tion of Jackson [27] or BCMP networks [28] as described
in Section 3.2.1. The space decomposition splits the surviv-
ability model into independent node (and/or link) models
and obtains the arrival rates Ci to node i by solving the
set of traffic equations in (1). The node dynamics depends
on whether a link connected to this node, or the node itself,
has failed or not. To give an example consider the 4 node
case in Fig. 9 where node j ¼ 2 has failed. For this the fol-
lowing two CTMC models describe the failed node (j ¼ 2)
and the non-failed nodes (i ¼ 1; 3; 4);
1. CTMC model for the node that has failed (see Fig. 8b).
Immediately after the undesired event all the packets
that are sent to node j are lost, hence all transitions lead
to state to node j are lost, hence all transitions lead to
state ðI; nj Þ where all resources are unavailable and no
packets will be served.
2. CTMC model for the non-failed nodes (see Fig. 8a).
Immediately after the undesired event the network
state is changed from ðIV; xi Þ to ðI; xi Þ. This means that
no packets are lost but the arrival rates Ci ðIVÞ are chan-
ged to Ci ðIÞ. For some nodes the arrival rates are
unchanged, but for the nodes that used to receive pack-
ets from node j the arrival rate is reduced. In phase II the
rerouting is completed and the arrival rate is changed to
Ci ðIIÞ depending on the position of i relative to j and on
the routing probabilities given by Eq. (1).
Fig. 8. CTMCs in failure state.
1223
In the CTMC model of the failed node j the pj ðt; y; xj Þ is
obtained with the initial condition pj ð0; I; nj Þ ¼ 1 while for
the non-failed nodes (i – j) the pi ðt; y; xi Þ is obtained with
the initial condition pi ð0; I; xi Þ ¼ pi ðxi Þ. The pi ðxi Þ are the
steady state probabilities in (3) from Section 3.2.1. Finally,
the global state probabilities are obtained by product form
approximation
Y
n
pðt; y; ~
xÞ  pi ðt; y; xi Þ: ð10Þ
i¼1
There is no easy way to obtain closed form solutions of
pi ðt; y; xi Þ from the models in Fig. 8a and b. But, numerical
solutions can be obtained by means of tools like SHARPE
[37,38] and SPNP [39] for rather large systems. However,
as the size of the network node model increases, caused
either by a more sophisticated recovery model or increas-
ing the number of buffers ni , the solution becomes very re-
source demanding and slow.
3.4.2. Time–space decomposed model
The space decomposition improves the model scalability
significantly. However, even the CTMC model of a single
node (link) might be too complex for a symbolic closed
form solution, and too large for a numerical solution. This
section proposes time decomposition [40,41] where we as-
sume steady-state performance in each state which re-
quires only transient solution of the phased recovery
model.
The time decomposition is a decoupling of the perfor-
mance and recovery models. This means that the steady-
1224 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
state probabilities in the performance models and the
transient solution of the phased recovery model are ob-
tained separately and independently of each other, and
pi ðt; y; xi Þ  pðt; yÞ  pi ðxi ; yÞ. The transient probabilities
pðt; yÞ are from (8) while the steady-state probabilities
pi ðxi ; yÞ are the pi ðxi Þ from (3) for different phase-depen-
dent arrival rates Ci ðyÞ and phase-dependent routing
matrix. Observe that we assume steady state performance
in each phase. The approximation is good when upon a
phase change, the steady-state performance in the new
phase is reached quickly compared to the duration of the
phase. This is the case in our network models when
ðCi ; li Þ  ðad ; s; au Þ. The quality of the time decomposed
Markov model approximation depends on the degree of
coupling between the ‘‘performance block” and ‘‘phase
block” in our Markov matrix [40,42,43] as justified by dis-
cussion of typical system parameters in Section 3.5 and
validated by numerical results in Section 4.1.1. Then, the
global state probabilities are obtained by approximation
using both space decomposition from (10) and the time
and space decomposition
Y
n Y
n we may make a phase type model of the updates of the
pðt; y; ~
xÞ  pi ðt; y; xi Þ  pðt; yÞ  pi ðxi ; yÞ:
i¼1 i¼1
When the phased recovery model is as simple as the
example in Fig. 5 or is based on actual traces in Section
3.3.2 we have a closed form solution. This enables efficient
evaluation of very large networks with large, and even
infinite, server and buffer capacities, ni . With a much more
complex phased recovery model where a closed form
transient solution is hard or impossible, the time decompo-
sition approach is still advantageous since the numerical
solution is significantly faster compared to the node
model in Section 3.4.1 because the number of states is
reduced.
The time-decomposition allows the performance met-
rics to be obtained by independent determination of the
performance P Q ðv;pÞ ðS; uÞ of each virtual connection at each
phase, with the generator matrix Q ðv;pÞ from Section 3.2.3,
and the transient probabilities PðSp ; tÞ from (9). This re-
duces the computational complexity significantly and al-
lows more phases to be included in the recovery model,
and at the same time you may increase the number of
nodes and links in the network.
3.5. Model scalability and assumptions
The main purpose of the approximations proposed in
this paper is to reduce the computational effort of obtain-
ing transient solutions in large network models without an
undue loss in the accuracy. The assumptions made are dis-
cussed below and the accuracy is demonstrated by two
small network models in Section 4.1.1.
The underlying CTMC model of the exact stochastic re-
ward net has a state space that is proportional to
Qn
i¼1 ni  np where np is the number of phases and n is the
number of network components, i.e. nodes and/or links.
The space decomposed CTMC model will reduce the state
Pn
space of the transient solution to i¼1 ni  np while for
the time–space decomposed model a transient model with
only np states needs to be solved.
The simulation model is considered to be attractive
when the analytical model fails due to too restrictive
modeling assumptions or intractable or inefficient solu-
tions. The strong side of the simulation approach is that
an arbitrary level of detail applies that suits the study
of interest. In many cases it is easy to change the model-
ing assumptions and to make the model as close to reality
as required. However, it is important to point out that the
efficiency of the simulation approach depends on the net-
work size and the stiffness of the model, i.e., the ratio be-
tween the packet arrival and departure rates, and the
repair and rerouting rates [44]. In addition, simulations
become inefficient when the events of importance to
the metrics of interest are infrequent, e.g., the packet
losses are very rare. Then, numerical solutions might
become less computer intensive compared to simulation
unless some rare event simulation technique like impor-
tance sampling, RESTART or importance splitting [45]
can be applied.
The routing probabilities in the examples are taken
from ns-2 simulations but might be from real routers, or
ð11Þ routing probabilities.
In the network models in this paper we have assumed
that external packet arrivals to the source of a virtual con-
nection is a Poisson process. If a bursty arrival process is
required we may use an MMPP or MAP type process [29]
which will produce larger CTMC models. The packet ser-
vice time distribution is assumed to be an exponential dis-
tribution. The service time distribution is influenced by a
combination of the packet size distribution, the aggrega-
tion level, and the header processing time. Non-exponen-
tial empirical distributions are observed, for instance in
[46] where the empirical distribution of single router ser-
vice time was fitted to a Weibull distribution. A phase-type
for Weibull distribution will once again give larger CTMC
models.
In our space decomposition model we assume indepen-
dence between the network nodes. Independence is not a
fully realistic assumption but a good approximation in net-
works with low loss probability and with high aggregation,
i.e., with multiplexing of a large number of connections.
We have decoupled the performance and recovery
models. We assume that in each phase we have steady-
state performance. This approximation is good when the
steady-state performance in a phase is reached quickly
after the change of phase compared to the expected dura-
tion of the phase. As a rule of the thumb, the approxima-
tion is good if there is at least two order of magnitude
difference between the time granularity of the events in
the performance model and in the recovery model. E.g. in
medium loaded (30–50%) high capacity networks
(100 Mbit/s–10 Gbit/s) you will observe 3–300 packets/
ms, while the routing, rerouting and repair (at IP level)
time is in the order of 100 s of ms. This means a few hun-
dred to several thousand packets are expected in each
phase.
The phase time distribution in the recovery model is for
simplicity assumed to be exponentially distributed but any
phase type distribution applies. General distribution can be
accommodated using semi-Markov models [37].
 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234 1225

The simulation model assumptions are the same as the

assumptions in SRN model to cross-validate and to validate
the following model decomposition approximations. The
assumptions in the simulation model are easily relaxed,
e.g., to change to general arrival process or general service
time distributions.

4. Experimental results

In this section several communication networks with a

set of virtual connections are used to demonstrate the use
of the survivability quantification approach outlined in
previous sections. The analytic evaluations of the stochas- Fig. 9. Network example with 4 nodes.
tic reward net are conducted both in SHARPE [38,37] and
SPNP [39], while the CTMC models are numerically solved
in SHARPE and the closed form solution is proof-checked in Table 1
Mathematica.2 Parameters in network with 4 nodes.
There are two simulations models, one process-oriented i ni li Ci ðIVÞ Ci ðIÞ Ci ðIIÞ Ci ðIIIÞ
model implemented using the programming language
1 10 100.0 80.0 80.0 80.0 80.0
SIMULA [47] with the DEMOS (discrete event simulation 2 8 100.0 46.9 0.0 0.0 0.0
on SIMULA [48]) class library, and another model imple- 3 10 100.0 31.2 31.2 78.1 78.1
mented in network simulator (ns-2) [49]. The DEMOS sim- 4 4 100.0 77.9 31.0 69.1 69.1
ulator is customized to validate the decomposition
assumptions by implementing the survivability models
without the node independence assumptions and includ- Table 1. The parameters in the phased recovery model
ing all details in the transient period under changing con- are ad ¼ au ¼ 0:01 and s ¼ 0:001.
ditions. The ns-2 simulator is used for validating the Ten node network. The second example is a network
analytic model against a real-sized network model with with n ¼ 10 nodes. The directed graph ~ G½1;10 for routing
detailed protocol behaviors. E.g. it includes detailed virtual connections between s ¼ 1 and d ¼ 10 is depicted
description of IP packet forwarding and link state and in Fig. 10. The performance of the virtual connection is
swarm routing, and with non-exponential service times evaluated after the failure of node 4 at time t ¼ 500. Again
since each packet has a fixed size that is unchanged each node is an M=M=1=ni system with the parameters gi-
through the network ven in Table 2. The parameters in the phased recovery
In this paper, the overall packet load in the network is model are ad ¼ au ¼ 0:01 and s ¼ 0:001.
not increased after a failure, only increased on selected
nodes and links due to re-routing of packets. The overall 4.1.2. Exact network survivability models
increase of packet load is relevant for transport and link Two different modeling approaches have been applied
protocols with retransmission and can easily be added to to determine the exact transient probabilities, pðt; y; ~ xÞ,
the performance models of each phase. What is more diffi- and the four performance metrics from Section 3.2.2. Both
cult is to model the congestion aware protocols that will the simulation and stochastic reward net (SRN) models as-
decrease the packet load (observed in TCP). This can be sume exponentially distributed inter-event times and
done in the same manner as the load increase as long as time-independent but phase-dependent routing probabili-
we can average the decrease over many connections and ties. This allows cross-validation and comparison of their
slow-start window cycles. solution efficiency. The reason for the use of SRN is to sim-
plify the tedious and error-prone task of CTMC
4.1. Validation of decomposition construction.

4.1.1. Network examples

The decomposition of the analytical model presented in
the previous sections is cross-validated with a comprehen-
sive analytical model without decomposition, and with a
simulation model. Two small networks with 4 and 10
nodes have been defined for this purpose.
Four node network. The first example is a network with
n ¼ 4 nodes as depicted in Fig. 9. The performance of the
virtual connection between s ¼ 1 and d ¼ 4 is evaluated
after the failure of node 2 at time t ¼ 500. Each node i
is an M=M=1=ni system with the parameters given in

2
http://reference.wolfram.com/mathematica/guide/Mathematica.html Fig. 10. Network example with 10 nodes.
1226 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234

Table 2 nodes. A similar approach is taken as the first step in Sec-

Parameters in network with 10 nodes. tion 3.4.1 to avoid the largeness problem.
i ni li Ci ðIVÞ Ci ðIÞ Ci ðIIÞ Ci ðIIIÞ
1 50 100.0 80.0 80.0 80.0 80.0 4.1.2.2. Simulation model. The process-oriented discrete
2 50 100.0 33.6 33.6 62.2 62.2 event simulation model is shown in Fig. 11b. The source
3 50 100.0 26.5 26.5 49.2 49.2 process is generating packets at the ingress router. The
4 50 100.0 47.8 0.0 0.0 0.0 handling of a packet in a node is modeled as a node process
5 50 100.0 7.1 7.1 13.1 13.1
6 50 100.0 16.7 16.7 30.8 30.8
that describes the packet life cycle which may be inter-
7 50 100.0 4.5 4.5 14.3 14.3 rupted by a failure process at instances of undesired events.
8 50 100.0 35.0 21.1 45.1 45.1 In each node, when the ‘‘InBuffer” contains at least one
9 50 100.0 11.0 11.0 34.9 34.9 packet (token) the node proceeds to the next step and
10 50 100.0 80.0 32.2 80.0 80.0
checks if the number of tokens exceeds the maximum buf-
fer size and if the node is currently working. Then the pack-
et is served and sent to the next node by a random
selection among the currently available buffers. If no buf-
4.1.2.1. Stochastic reward net (SRN) model. This is a power-
fers are available due to failure and all routing probabilities
ful paradigm for modeling and evaluation of the perfor-
are 0, then the packet is counted as lost. The failure is mod-
mance of networks. Fig. 11a shows the SRN model of the
eled to the right in the figure. At the instant of a failure
4 node network of Fig. 9 that is used as a case study in Sec-
(phase I) the ‘‘working” attribute of the ‘‘Node j” process
tion 4.1.3. The packets are tokens that are generated by the
is set to ‘‘false”. After the rerouting time (indicated as dou-
timed transition ‘‘arrival” into the place ‘‘InQ1”. If there are
ble lined rectangle) all routing probabilities into the failed
less than n1 tokens in place ‘‘Node1” the immediate transi-
node are set to 0 (phase II). After repair and rerouting
tion ‘‘Q1” is enabled. If not, the ‘‘loss1” transition is enabled
(phase III), the routing probabilities are restored back to
upon its firing, the token is removed and a packet loss is
their initial values and the ‘‘working” attribute id is set to
counted. The same structure is replicated for each node.
‘‘true” again (phase IV).
The routing is determined by probabilities on the immedi-
The performance metrics in the simulator are obtained
ate transitions out of the place ‘‘OutQ1”. The rerouting, fail-
by a measurement process that reads counters at regular
ure and repair cycle is modeled at the top of the SRN model
time intervals Dt. Let cr;i;t be the value of the counter in
in Fig. 11a where the tokens in the ‘‘phase y” places will
node i at time t in simulation replication r. The average
constrain the token passing of the failed node (Node 2 in
at time t over R transient simulation replications is esti-
this example) through guard function or inhibitor arcs as
mated by
illustrated in the figure.
The performance metrics in the SRN model are obtained XR X n
t ¼ 1
C
cr;i;t  cr;i;tDt
: ð12Þ
by assigning reward rates that depend on the markings in R Dt
r¼0 i¼1
different places. However, to obtain the analytical tran-
sient probabilities pðt; y; ~
xÞ from the SRN model a complete The average packet loss rate  Lt and number of packets N t
multidimensional CTMC model is generated and solved. are obtained by (12) where the counter cr;i;t is the number
This is computationally demanding and increases expo- of losses and the number of packets in node i, respectively.
nentially both with the number of buffer positions and The packet loss probability is estimated by lt ¼ Lt =c and the
with the number of places. Decomposition of the SRN mod- average delay of served packets by D t ¼ N t =cð1  lt Þ. The
el as proposed in [50] utilizes near-independence between latter is biased because it is the ratio of two estimators.

Fig. 11. Complete model.

 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234 1227

Confidence intervals are also computed using well known in a single node this decomposed, product form approxi-
methods. mation is a viable approach.

4.1.3. Four node network 4.1.4. Ten node network

The 4 node network example is studied by simulations
and all three analytical approaches. The estimated perfor-
mance metrics from R ¼ 90 simulation replica (Simula-
tions) are compared against the analytical values of the
stochastic reward net model solved by SPNP (SRN model).
The loss probability and the average number of packets
in the system at different time t are shown in Fig. 12a
and b, respectively. The space and time–space decomposed
models are indistinguishable so they are represented by
only one curve (Decomposed CTMC model).
The main observations from the experiments are that
the simulations and SRN models show perfect fit as ex-
pected since the modeling assumptions are identical
although the modeling approaches are different, and that
the decomposed CTMC models capture the transient per-
formance very well. The time–space decomposed model
with the closed form solution are a significant simplifica-
tion that enables studies of large networks with many,
and even infinite, buffers. The results show that when
the transient performance is dominated by impairments
The 10 node network example is studied by simula-
tions and one analytic approach. The estimated perfor-
mance metrics from 90 simulation replica (Simulations)
are compared with the analytical values of the time–
space decomposed model (Decomposed CTMC model). The
results are given in Fig. 13a and b, for the loss probability
and average number of packets in the system at different
t, respectively. The results show that the closed form
solution from Section 3.4.2 captures the transient perfor-
mance very well.
Fig. 13a also includes a ‘‘rerouting model” which is
rðtÞ ¼ qð1; 4Þead t , i.e. the probability that a packet is lost
in the failed node at time t after the instant of failure.
The qð1; 4Þ ¼ r14 þ r12 r 23 r34 is the probability of visiting
node 4 when starting from node 1 in the directed graph
~
G½1;10 in Fig. 10. The r ij is the routing probability, i.e. the
probability of sending a packet from state i to j, given that
the packet leaves node i. The results in Fig. 13a show al-
most perfect overlap between rðtÞ and lðtÞ from (5) which
means that with very low steady-state packet loss proba-

0.7 7.5
Decomposed CTMC model Decomposed CTMC model
m =m Simulations
a u SRN model t =t
Simulations m =m r R
0.6 0 u

6.5
0.5

6
0.4
5.5
0.3
5
0.2
4.5

0.1
4
m t =t m
0 r R a
0 3.5
0 200 400 600 800 1000 1200 1400 0 500 1000 1500 2000 2500 3000 3500 4000
undesired event undesired event

Fig. 12. Performance in 4 node network.

14
m =m Decomposed CTMC model
a u Rerouting model Simulations
Decomposed CTMC model
Simulations 13
0.5 m
u
12
0.4
11
m t =t
0 r R
0.3
10

0.2
9

0.1
8

m 0 t =t 7
0 r R

m
-0.1 a
0 200 400 600 800 1000 1200 1400 0 500 1000 1500 2000 2500 3000 3500 4000
undesired event undesired event

Fig. 13. Performance in 10 node network.

1228 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234

bility, the transient loss probability is dominated by qð1; 4Þ commercial Internet in Norway, which is provided and
with the decay rate equal to the reciprocal of the expected operated by Uninett (www.uninett.no). The network
rerouting time 1=ad . The same is not observed in the 4 topology with 58 nodes and 81 duplex links is shown in
node network because here steady-state loss probability Fig. 14. The following failure scenarios are defined (see
is not negligible. Fig. 14 for reference).

4.2. Real-sized network cases
In order to demonstrate the feasibility of the survivabil-
ity quantification approach outlined in previous section,
the performance of 20 virtual connections in a real-sized
network with three different failure scenarios are
considered.
4.2.1. Network and failure scenarios
The network scenario used in our experiments is a fic-
titious research intranet between five hospitals located in
five major Norwegian cities, Oslo, Bergen, Trondheim,
Stavanger and Troms. The intranet provides a transport
service for high definition audio and video streaming to
support cooperative surgical procedures. A fully meshed
network between the five cities requires ten bi-directional
or 20 uni-directional virtual connections. The research
network is supposed to be implemented over the non-
1. Single link failure: the link [4,5] fails and the traffic is
rerouted via node 33 or 19 and 46.
2. Hurricane: 6 nodes and nine links fail as a result of a
hurricane on the coastline and a significant rerouting
needs to take place for all but three VCs.
3. Transient common failure: 60 network interfaces, i.e., 30
links, are affected by a common transient failure that
takes down and brings up the interfaces on average
every 0.5 s.
The routing matrices Rðv;pÞ used in the comparisons are
obtained from ns-2 simulations of the failure scenarios. The
routing matrix is sampled at different stages in the failure,
rerouting and restoration process represented by phases.
The first phase is immediately after the link failure, fol-
lowed by five phases where the routing matrix changes
as rerouting and link restoration takes place. The stochastic
routing scheme applied in the experiments is a distributed,

28

hamar kongsberg
16 24
gjovik
pil52
13 drammen
36
8 honefo
22
veths aho
56 0
elverum seilduk
9 40
rena stolavspl
38 45 kjeller
23
stjordal
levanger
44
27 oslo-gw1
34 kristiansand
evenstad 25
sarpsborg oslo-gw2
10 grimstad
mo 39 35
29 14
halden as
trd-real
15 2
50
bodo namsos steinkjer fredrikstad
31 43 12
7 tynset arendal
hitos
tromso-gw porsgrunn 3
20 hist 55 bo
54 37
21 6 bergen-BT
trd-hvd kristiansund 4
teknobyen stavanger
tromso-gw2 51 26 molde
49 42
52 30
arstad-gw tromso-gw3
17 53
nygardsgt
33
lbard-gw haugesund
alesund bergen-HTS
47 narvik 19
1 5
32
harstad-gw3
svalbard-gw218
stord
48
46

sogndal
(i) single link failure
volda forde 41
57 11

(iii) common transient failure

(ii) hurricane

Fig. 14. Simulated network with 58 nodes and 20 virtual connections. Three different failure scenarios are considered.
 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234 1229

autonomous, swarm-based approach called cross entropy a simplified simulation implemented in DEMOS/Simula
ant system (CEAS) [6,51]. The routing matrix was fed into and in the analytic approach described in this paper.

0.25

0.20

0.15

0.10

0.05

0.10 0.20 0.30 0.40

Fig. 15. Loss probability LðtÞ at time t after the failure.

1.0
1.0

0.8 0.8

0.6 0.6

0.4 0.4

0.2 0.2

u
0.0001 0.0002 0.0003 0.0004 0.0005 0.0001 0.0002 0.0003 0.0004 0.0005

Fig. 16. Delay distribution at time t after the failure; all exponential.

1.0 1.0

0.8 0.8

0.6 0.6

0.4 0.4

0.2 0.2

0.0001 0.0002 0.0003 0.0004 0.0005 0.0001 0.0002 0.0003 0.0004 0.0005

Fig. 17. Delay distribution at t ¼ 0:1 after the failure; non-exponential.

1230 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234

4.2.2. Single link failure
4.2.2.1. Simulation and analytical results. The results in
Fig. 15 show the simulated and analytical loss probabilities
using routing matrices Rðv;pÞ with CEAS routing. The simu-
lation results from 90 replications are plotted for different
times t from the undesired event occurred, with the aver-
age and standard error. The loss probabilities LðtÞ from
the simulations and the analytical solution show very good
correspondence.
In Fig. 16 the delay distribution Dðt; uÞ of non-lost pack-
ets is given at t ¼ 0:1 and 50 comparing 30 simulation rep-
0.30
0.25 u
0.20
link state routing
lications with analytic results assuming all exponential
distributions. The delay distribution obtained from the
simulations and the analytic model show very good corre-
spondence for this case. This means that the scenario are
close to meet the assumptions given in Section 3.2.3, in
particular that the virtual connections are approximately
overtake-free. In Fig. 17a the service time is Pareto and in
Fig. 17b the interarrival time is Pareto. By changing the ser-
vice and interarrival times it is observed that the approxi-
mation is less accurate and that we should consider non-
Markovian approximations.
Solving the analytic model is rather efficient. As an
example, the scenario in this paper was implemented in
Mathematica and solved in less than ten seconds, while
the simulation took almost four minutes per replication,
or almost two hours to produce 30 replications. The simu-
lation cost will increase rapidly as the number of simulated
packets increases unless we take recourse to fluid-flow
approximations.

0.15 4.2.2.2. Comparisons of two path management methods. To

swarm based
demonstrate the applicability of the method presented in
0.10 routing this paper, link state (LS) routing and cross entropy ant sys-
tem (CEAS) are compared. In Fig. 18 the loss probabilities
0.05 are compared. Observe that the loss probability is higher
just after a failure for LS because temporarily six out of
0.1 0.2 0.3 0.4 20 virtual connections are disconnected and all packets
are lost until rerouting takes effect, while for the stochastic
Fig. 18. Comparison between link state routing and swarm-base routing routing scheme in CEAS alternative paths typically exists
of loss probabilities.

1.0 1.0

0.8 0.8

0.6 0.6

0.4 link state routing 0.4

0.2 0.2
swarm base routing

0.0 0.0
0.0000 0.0001 0.0002 0.0003 0.0004 0.0005 0.0000 0.0001 0.0002 0.0003 0.0004 0.0005

1.0 1.0

0.8 0.8

0.6 0.6

swarm based
0.4 0.4
routing

0.2 0.2
link state
routing
0.0 0.0
0.0000 0.0001 0.0002 0.0003 0.0004 0.0005 0.0000 0.0001 0.0002 0.0003 0.0004 0.0005

Fig. 19. Link state routing versus swarm-based routing.

 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234 1231

so even though the performance is significantly reduced,
neither of the virtual connections have 100% loss probabil-
ity in the critical period but are still connected.
In Fig. 19 the complementary delay distributions Dðt;  uÞ
in LS and CEAS are compared. The relation between LS and
CEAS changes as the time t since the undesired event
elapses. Just after the failure CEAS is clearly better for the
reasons explained above, while as the network is restored
the delay of LS with shortest path routing is shorter than of
CEAS with stochastic routing, as can be noticed by
comparing the two complementary delay distributions,
D  CEAS ðt; uÞ for all u at some time t after the fail-
 LS ðt; uÞ 6 D
ure. In the example the network is lightly loaded, while
in a heavily loaded network the delay of the shortest path
routing will increase more than the stochastic routing,
which will have alternative paths for load sharing.
4.2.3. Hurricane
In the hurricane failure scenario a large block of links
and nodes fails. In Fig. 14 this is indicated as case (ii). When
the failure occurs, all but three virtual connections need to
be rerouted, and most of them will experience a significant
increase in the delay after rerouting is completed. In Fig. 20
the average delay as a function of time for a selection of
four VCs is shown. The failure occurs at time t ¼ 40 and
is repaired at time t ¼ 80. The dotted (blue) are results
from ns-2 simulations, while the solid line (green) is the
delay obtained by the analytical model with the routing
probabilities from the simulations as input.
The average delay values obtained by simulation and
analytical model match well for all VCs even though they
are differently influenced by the failures. The analytical
model takes routing probabilities from the simulator as in-
put, which means that the network conditions are the
same in the simulator and the analytical model at the time
instant when the routing probabilities are sampled. The
simulation and analytical results show very good corre-
spondence, which demonstrates that the transient effect
after changes in conditions is short-lived compared to the
phase sojourn times. This means that the time decomposi-
tion is a good approximation. Furthermore, it also means
that the node independence assumption taken in the space
decomposition in the analytical model works well.
4.2.4. Transient common failure
In the transient common failure scenario a large block
of network interfaces (and corresponding links) are af-
fected by high frequency and short-lived failures. In
Fig. 14 this is indicated as case (iii). When the failure per-
iod starts (at t ¼ 40), all but three virtual connections are
affected and a large number of reroutings takes place
(every 0.5 s) until the failure period is ended at time
t ¼ 80. In Fig. 21 the average delay as a function of time
for a selection of four VCs is shown.
Again, the average values obtained by simulation and
analytical model match fairly well and confirms the valid-
ity of the time and space decomposition in the analytical
model.

0.010 0.010
VC1

0.008 0.008

0.006 0.006

VC7
0.004 0.004

0.002 0.002

0 20 40 60 80 100 120 0 20 40 60 80 100 120

0.010 0.010
VC13 VC17

0.008 0.008

0.006 0.006

0.004 0.004

0.002 0.002

0 20 40 60 80 100 120 0 20 40 60 80 100 120

Fig. 20. Delay for a selection of virtual connections in the hurricane case.
1232 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
0.010
VC1
0.008
0.006
0.004
0.002
0 20 40 60 80 100 120
0.010
VC13
0.008
0.006
0.004
0.002
0 20 40 60 80 100 120
Fig. 21. Delay for a selection of virtual connections in the common transient failure case.
5. Closing remarks
The time–space decomposed analytical model for net-
work survivability quantification that is outlined in this
paper is a significant simplification that enables us to mod-
el huge networks with large and even infinite buffers. The
model is applied to estimate the expected loss ratio,
throughput, delay (mean and distribution) in virtual con-
nection in a communication network. This quantifies the
survivability in a network exposed to different failure sce-
narios. We have cross-validated our analytical and simula-
tion models, and checked the approximations of the
decomposed analytical models. The results from the sur-
vivability studies show that when the transient perfor-
mance impairment is dominated by a failure event the
decomposed, product form approximation is a viable ap-
proach. The analytical model is cross-validated against
simulations of real-sized networks too, where the routing
probabilities are imported from ns-2 simulations before
and after a failure, rerouting and repair. The routing prob-
abilities can also be obtained from operational networks.
The simulations and analytical results shows very good
correspondence when the times in the network are expo-
nentially distributed. In case of non-exponential times a
semi-Markov approach should be taken to improve the
approximation.
In addition, the comparison between shortest path
routing (link state) and stochastic routing (here repre-
sented by swarm-based routing) should be extended, e.g.,
to investigate how they compare when the traffic load in-
creases and when overload might occur and cause rerout-
ing, or with traffic differentiation with priority. The
0.010
VC7
0.008
0.006
0.004
0.002
0 20 40 60 80 100 120
0.010
VC17
0.008
0.006
0.004
0.002
0 20 40 60 80 100 120
outlined failure and repair cycle in this paper was consid-
ered to be a natural first approach but extensions like e.g.
cascading effects, failure propagation, imperfect coverage
and repair will be considered. In addition, in real-sized net-
work there are a huge combination of outages dependent
on the cause of failure (the treat modeled). A series of more
extensive failure scenarios with major outages are also in-
cluded which confirms the applicability of the time and
space decomposition in the analytical model.
Future work includes extensions of the analytical model
to improve correspondence in case with non-exponential
interarrival and service times through semi-Markov
modeling.
In the phased recovery model this is relatively easy as it
will generally be an acyclic model. SHARPE can easily solve
such models (assuming that state sojourn time distribu-
tions are Coxian) [37]. Non-exp interarrival and service
time distributions can be modeled by extended queuing
network analyzer (QNA) [52] for steady state analysis,
and to compute the distribution of end-to-end delay use
the extension outlined in [30]. Modeling of complex rero-
uting and recovery strategy descriptions will be developed
as an alternative to import routing probabilities from the
simulations. Extensive simulations are ongoing and
planned with different network topologies, new failure
scenarios with inclusion of failure propagation, and
MPLS-TE traffic differentiation.
Acknowledgements
The authors would like to thank Dr. Otto J. Wittner at
the Q2S center, Norwegian University of Science and Tech-
 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
nology (NTNU), for providing the ns-2 simulation results
that have been used to compare the analytical survivability
models with simulations. Trivedi’s research was supported
in by the US National Science Foundation under grant NSF-
CNS-08-31325.
References
[1] National strategy for the physical protection of critical
infrastructures and key assets (Online). Available from: <http://
www.dhs.gov/xlibrary/assets/Physical_Strategy.pdf> (Accessed
16.2.2009).
[2] The risks digest, vol. 19(72), May 1998.
[3] J. Duffy, Cisco routers caused major outage in japan: report (Online).
Available from: <http://www.networkworld.com/news/2007/
051607-cisco-routers-major-outage-japan.html> (Accessed
16.2.2009).
[4] P. Cholda, A. Mykkeltveit, B. Helvik, O. Wittner, A. Jajszczyk, A survey
of resilience differentiation frameworks in communication
networks, Communication Surveys Tutorials 9 (4) (2007) 2–30.
[5] Q. Gan, B.E. Helvik, Dependability modelling and analysis of
networks as taking routing and traffic into account, in: Proceedings
of the Second EuroNGI Conference on Next Generation Internet
Design and Engineering, IEEE, Valencia, Spain, 2006 (3–5 April).
[6] P.E. Heegaard, K.S. Trivedi, Survivability quantification of
communication services, in: The 38th Annual IEEE/IFIP
International Conference on Dependable Systems and Networks,
Anchorage, Alaska, USA, 2008 (June 24–27).
[7] P.E. Heegaard, K.S. Trivedi, Survivability quantification of real-sized
networks including end-to-end delay distributions, in: The Third
International Conference on Systems and Networks Communications
(ICSNC), Sliema, Malta, 2008 (October 26–31).
[8] R.J. Ellison, D.A. Fischer, R.C. Linger, H.F. Lipson, T. Longstaff, N.R.
Mead, Survivable network systems: an emerging discipline, CMU/
SEI, Tech. Rep. CMU/SEI-97-TR-013, 1997 (November ).
[9] J. Knight, K. Sullivan, On the definition of survivability, Department
of Computer Science, University of Virginia, Tech. Rep. CS-00- 33,
2000 (December).
[10] S.C. Liew, K.W. Lu, A framework for characterizing disaster-based
network survivability, IEEE Journal on Selected Areas in
Communications 12 (1) (1994) 52–58.
[11] A. Zolfaghari, F.J. Kaudel, Framework for network survivability
performance, IEEE Journal on Selected Areas in Communications
12 (1) (1994) 46–51.
[12] J. Knight, E.A. Strunk, K.J. Sullivan, Towards a rigorous definition of
information system survivability, in: DISCEX, Washington DC, 2003.
[13] B. Jäger, J. Doucette, D. Tipper, Network survivability, in: Y. Qian, J.
Joshi, D. Tipper, P. Krishnamurthy (Eds.), Information Assurance
Dependability and Security in Networked Systems, Elsevier, 2007.
[14] N.R. Mead, R.J. Ellison, R.C. Linger, T. Longstaff, J. McHugh, Survivable
Network Analysis Method, CMU/SEI, Tech. Rep. 013, 2000.
[15] M. Pioro, D. Medhi, Routing, Flow and Capacity Design in
Communication and Computer Networks, Ser. ISBN 0125571895.
Morgan Kaufmann Publishers, 2004.
[16] L. Guo, A new and improved algorithm for dynamic survivable
routing in optical WDM networks, Computer Communications 30 (6)
(2007) 1419–1423.
[17] E. Modiano, A. Narula-Tam, Designing survivable networks using
effective routing and wavelength assignment (rwa), Optical Fiber
Communication Conference and Exhibit, OFC 2001, vol. 2 (2001)
TuG5-1–TuG5-3.
[18] Y. Zhu, R. Lin, Dynamic survivable routing in wdm networks with
shared risk link groups, in: Network Architectures, Management,
and Applications III, Shanghai, China, 2005 (7–10 November).
[19] M.S. Deutsch, R.R. Willis, Software quality engineering: a total
technical and management approach, Prentice-Hall, Inc., Upper
Saddle River, NJ, USA, 1988.
[20] E. Mannie, D. Papadimitriou, Recovery (protection and restoration)
Terminology for Generalized Multi-protocol Label Switching, IETF,
Tech. Rep. IETF RFC-4427, 2006 (March).
[21] Y. Liu, K.S. Trivedi, Survivability quantification: the analytical
modeling approach, International Journal of Performability
Engineering 2 (1) (2006) 29–44. http://www.ee.duke.edu/kst/surv/
IoJP.pdf.
[22] ANSI T1A1.2 Working Group on Network Survivability Performance,
Technical Report on Enhanced Network Survivability Performance,
ANSI, Tech. Rep. TR No. 68, 2001 (February).
1233
[23] D.-Y. Chen, S. Garg, K.S. Trivedi, Network survivability performance
evaluation: a quantitative approach with applications in wireless
ad-hoc networks, in: ACM International Workshop on Modeling,
Analysis and Simulation of Wireless and Mobile Systems (MSWiM’
02), ACM, Atlanta, GA, 2002 (September).
[24] C.-Y. Wang, D. Logothetis, K.S. Trivedi, I. Viniotis, Transient behavior
of ATM networks under overloads, in: IEEE INFOCOM’ 96, IEEE, San
Francisco, CA, 1996, pp. 978–985 (March).
[25] L. Cloth, B.R. Haverkort, Model checking for survivability, in:
Proceedings of the Second International Conference on the
Quantitative Evaluation of Systems (QEST’05) on The Quantitative
Evaluation of Systems, IEEE Computer Society, Washington, DC, USA,
2005, pp. 145–154.
[26] Y. Liu, V.B. Mendiratta, K.S. Trivedi, Survivability Analysis of
Telephone Access Network, in: ISSRE ’04: Proceedings of the 15th
International Symposium on Software Reliability Engineering, IEEE
Computer Society, Washington, DC, USA, 2004, pp. 367–378.
[27] J.R. Jackson, Networks of waiting lines, Operations Research 5 (4)
(1957) 518–521 (August).
[28] F. Baskett, K.M. Chandy, R.R. Muntz, F.G. Palacios, Open, closed, and
mixed networks of queues with different classes of customers,
Journal of ACM 22 (2) (1975) 248–260.
[29] K. Trivedi, Probability and Statistics with Reliability, Queuing, and
Computer Science Applications, second ed., John Wiley and Sons,
2001. ISBN Number 0-471-33341-7.
[30] M. Grottke, V. Mainkar, K.S. Trivedi, S. Woolet, Response time
distributions in networks of queues, in: R. Boucherie, N.V. Dijk (Eds.),
Queueing Networks: A Fundamental Approach, Springer-Verlag, in
press.
[31] R. Callon, Use of OSI IS–IS for Routing in TCP/IP and Dual
Environments, Tech. Rep. IETF RFC-1195, 1990 (December).
[32] J. Moy, OSPF version 2, IETF, Tech. Rep. IETF RFC-2328, 1998 (April).
[33] D. Awduche, J. Malcolm, J. Agogbua, M. O’Dell, J. McManus,
Requirements for Traffic Engineering over MPLS,” IETF, Tech. Rep.
IETF RFC-2702, September 1999.
[34] G.D. Caro, F. Ducatelle, L.M. Gambardella, AntHocNet: an adaptive
nature-inspired algorithm for routing in mobile ad hoc networks,
European Transactions on Telecommunications; Special Issue on Self
Organization in Mobile Networking 16 (5) (2005) 443–455.
[35] P.E. Heegaard, O. Wittner, B.E. Helvik, Self-managed virtual path
management in dynamic networks, in: O. Babaoglu, M. Jelasity, A.
Montresor, A. van Moorsel, M. van Steen (Eds.), Self-* Properties in
Complex Information Systems, Ser. Lecture Notes in Computer
Science, LNCS, vol. 3460, Springer-Verlag, 2005, pp. 417–432.
[36] P.E. Heegaard, B.E. Helvik, O.J. Wittner, The cross entropy ant system
for network path management, Telektronikk 104 (1) (2008) 19–
40.
[37] R.A. Sahner, K.S. Trivedi, A. Puliafito, Performance and Reliability
Analysis of Computer System: An Example-Based Approach Using
the SHARPE Software Package, Kluwer Academic Publishers, 1996.
[38] C. Hirel, R.A. Sahner, X. Zang, K.S. Trivedi, Reliability and
Performability Modeling Using SHARPE 2000, in: TOOLS ’00:
Proceedings of the 11th International Conference on Computer
Performance Evaluation: Modelling Techniques and Tools, Springer-
Verlag, 2000, pp. 345–349.
[39] G. Ciardo, A. Blakemore, P.F. Chimento, J.K. Muppala, K.S. Trivedi,
Automated generation and analysis of Markov reward models using
stochastic reward nets, in: C. Meyer, R. Plemmons (Eds.), Linear
Algebra, Markov Chains and Queuing Models, vol. 48, Springer, 1996,
pp. 145–191.
[40] J. Meyer, On evaluating the performability of degradable computing
systems, IEEE Transactions on Computers C-29 (8) (1980) 720–731
(August).
[41] B.R. Haverkort, R. Marie, G. Rubino, K. Trivedi, Performability
Modelling, Wiley, 2001.
[42] P.J. Courtois, Decomposability: Queueing and Computer System
Applications, Academic Press, New York, 1977.
[43] A. Bobbio, K.S. Trivedi, An aggregation technique for the transient
analysis of Stiff Markov chains, IEEE Transaction of Computer 35 (9)
(1986) 803–814.
[44] V. Paxson, S. Floyd, Why we do not know how to simulate the
internet, in: WSC ’97: Proceedings of the 29th Conference on Winter
Simulation, IEEE Computer Society, Washington, DC, USA, 1997, pp.
1037–1044.
[45] S. Juneja, P. Shahabuddin, Rare event simulation techniques: an
introduction and recent advances, in: S.G. Henderson, B.L. Nelson
(Eds.), Simulation, Ser. Handbooks in Operations Research and
Management Science, Elsevier, Amsterdam, The Netherlands, 2006,
pp. 291–350 (Chapter 11).
1234 P.E. Heegaard, K.S. Trivedi / Computer Networks 53 (2009) 1215–1234
[46] D. Papagiannaki, S. Moon, C. Fraleigh, P. Thiran, F. Tobagi, C. Diot,
Analysis of measured single-hop delay from an operational
backbone network, in: IEEE Infocom, 2002.
[47] B. Kirkerud, Object-Oriented Programming with SIMULA, Addison
Wesley, 1989.
[48] G. Birtwistle, Demos – A System for Discrete event Modelling on
Simulation, 1997 (Online). Available from: <http://
www.dcs.shef.ac.uk/graham/research/demos.pdf> (Accessed
16.2.2009).
[49] DARPA:VINT project, UCB/LBNL/VINT Network Simulator – ns
(version 2), <http://www.isi.edu/nsnam/ns/>.
[50] G. Ciardo, K.S. Trivedi, A Decomposition Approach for Stochastic
Reward Net Models, Performance Evaluation 18 (1) (1993) 37–59.
[51] B.E. Helvik, O. Wittner, Using the cross entropy method to guide/
govern mobile agent’s path finding in networks, in: Proceedings of
Third International Workshop on Mobile Agents for
Telecommunication Applications, Springer-Verlag, 2001 (August
14–16).
[52] W. Witt, The queueing network analyzer, Bell System Technical
Journal 62 (9) (1983) 2817–2843 (November).
Poul E. Heegaard received his Siv.ing.
(M.S.E.E. in ‘89) and his Dr. Ing. (Ph.D. in ‘98)
degrees from the University of Trondheim
(now NTNU). His research interests cover
performance, dependability and survivability
evaluation of communication systems. Special
interests are rare event simulation tech-
niques, IP network monitoring and modeling,
and distributed, autonomous and adaptive
management and routing in communication
networks and services. Heegaard was a
Research Scientist and Senior Scientist at
SINTEF Telecom and Informatics (1989–1999) and has been a Senior
Research Scientist at Telenor R&I since 1999 where he currently holds a
20% position. Since 2006 Heegaard has been an Associate Professor at
Department of Telematics, Norwegian University of Science and Tech-
nology (NTNU) where he is the coordinator of the Network Research area.
In the academic year 2007/08 he was a visiting professor at Duke Uni-
versity, Durham, NC.
Kishor S. Trivedi holds the Hudson Chair in
the Department of Electrical and Computer
Engineering at Duke University, Durham, NC.
He has been on the Duke faculty since 1975.
He is the author of a well known text entitled,
Probability and Statistics with Reliability,
Queuing and Computer Science Applications,
published by Prentice-Hall; a thoroughly
revised second edition (including its Indian
edition) of this book has been published by
John Wiley. He has also published two other
books entitled, Performance and Reliability
Analysis of Computer Systems, published by Kluwer Academic Publishers
and Queueing Networks and Markov Chains, John Wiley. He is a Fellow of
the Institute of Electrical and Electronics Engineers. He is a Golden Core
Member of IEEE Computer Society. He has published over 420 articles and
has supervised 42 Ph.D. dissertations. He is on the editorial boards of IEEE
Transactions on dependable and secure computing, Journal of risk and
reliability, international journal of performability engineering and inter-
national journal of quality and safety engineering. He is the recipient of
IEEE Computer Society Technical Achievement Award for his research on
Software Aging and Rejuvenation. His research interests in are in reli-
ability, availability, performance, performability and survivability mod-
eling of computer and communication systems. He works closely with
industry in carrying our reliability/availability analysis, providing short
courses on reliability, availability, performability modeling and in the
development and dissemination of software packages such as SHARPE
and SPNP.