No Way Out: Emergency Evacuation with No Internet Access Gokce Gorbil The Problem How can we provide resilient emergency evacuation support when existing communication infrastructure is unavailable? Examples of large-scale evacuation with impaired communication infrastructure: 2011 Japanese tsunami and Fukushima nuclear disaster 2 2012 Hurricane Sandy No Way Out: Emergency Evacuation with No Internet Access Why Evacuation? Evacuation is an important component of emergency response Needs to be fast and safe We need adaptive systems for evacuation support Best (safest and quickest) paths will change over time, so static evacuation strategies are usually inadequate Changing conditions: spreading hazard, mobility of people, etc. Evacuation as a dynamic real-time routing problem Incomplete and/or incorrect information Different capabilities and goals (e.g. evacuees vs. emergency responders) Existing communication infrastructure is usually impaired 3 Failure of infrastructure components Failure of dependent infrastructures (e.g. power) Congestion No Way Out: Emergency Evacuation with No Internet Access Our Contributions Design of an emergency evacuation support system (ESS) based on opportunistic communications (oppcomms) Realistic comparative evaluation of ESS and oppcomms for emergency evacuation using simulation experiments Comparison with other evacuation strategies Indoor and outdoor scenarios Security of oppcomms for emergency evacuation 4 Evaluation of the effect of misbehaviours and attacks on ESS New defense mechanism to improve resilience of ESS to certain attacks No Way Out: Emergency Evacuation with No Internet Access Proposed Solution A resilient emergency evacuation support system (ESS) based on mobile nodes carried by people Exploits human mobility and employs short-range multi-hop wireless communications and opportunistic contacts Sensor nodes for monitoring the environment (embedded or external) Opportunistic communications Communications with intermittent connectivity (due to mobility and short range) No end-to-end paths Store-carry-forward paradigm High message delays, delivery not guaranteed (i.e. best effort) Resilient to disruptions and failures Solution combines the human, physical and cyber (sensing and communications) aspects, forming a human-cyber-physical system 5 No Way Out: Emergency Evacuation with No Internet Access Emergency Evacuation Support System Area represented as a graph Each CN stores a local copy Multiple edge costs Sensor nodes (SNs) for monitoring the environment and indoor localization May not be available in outdoor scenarios Communication nodes (CNs) carried by people 6 Dissemination of information Dynamic calculation of evacuation paths Alerts and step-by-step navigation directions for evacuation No Way Out: Emergency Evacuation with No Internet Access Graph Representation 7 No Way Out: Emergency Evacuation with No Internet Access Graph Representation 8 No Way Out: Emergency Evacuation with No Internet Access Graph Representation Discrete representation of the area (i.e. approximation) Allow calculations based on graph algorithms 9 Multiple costs associated with each edge: Physical length Hazard intensity (e.g. temperature) Effective length: combined metric No Way Out: Emergency Evacuation with No Internet Access Communication Nodes (CNs) Mobile, each person carries a CN Store a local copy of the area graph and edge costs Short range wireless communication Obtaining hazard information With sensor nodes (SNs), CNs opportunistically communicate with SNs to receive hazard information. Emergency information could be supplied or augmented by input from the user. Localization ~10m indoors, ~100m outdoors Indoor: using SNs Outdoor: GPS Form an opportunistic network with other CNs 10 Disseminate emergency information to other CNs using opportunistic contacts, exploiting human mobility Store-forward-carry style communications due to intermittent connectivity No Way Out: Emergency Evacuation with No Internet Access Communication Nodes (CNs) Hazard and other information are disseminated in the form of emergency messages (EMs) using oppcomms between the CNs Initial alarm: informs its user that it’s time to evacuate First indication of hazard / emergency May be due to a received EM or local observation Calculate the best evacuation path for its user Each node updates its graph based on information received from its sensors, user and other CNs Prioritized epidemic routing (smart flooding) Local computation: uses the local area graph and partially known edge costs that include hazard information Best path: shortest and safest path from current location to nearest exit, priority given to safer paths Dynamic calculation: path is updated as new information is received Localized for user’s requirements and capabilities Provide step-by-step navigation directions to its user 11 Directions updated as the evacuation path changes and as the user moves in the area No Way Out: Emergency Evacuation with No Internet Access Evaluation Simulation experiments using the Distributed Building Evacuation Simulator (DBES) Multi agent-based discrete event simulator for evacuation and other emergency support systems Large-scale simulation support Comparison with other evacuation strategies 12 Distributed evacuation system (DES) for indoor areas, based on static decision nodes and sensors Shortest path evacuation (no sharing of information) No Way Out: Emergency Evacuation with No Internet Access Distributed Building Evacuation Simulator 13 No Way Out: Emergency Evacuation with No Internet Access Simulation Scenarios EEE building at Imperial, bottom floor: 24 x 45 m2, others: 24 x 60 m2 Fulham district of London, size 2.6 x 1.8 km2 Movement speed: 5 km/hr (normal), 2.5 km/hr (stairs) Movement speed: 5km/hr Communication range < 100m Communication range < 10m 180-720 people total 30-120 people total Large-scale distributed simulation 14 No Way Out: Emergency Evacuation with No Internet Access Results: Indoor Evacuations ESS improves evacuation outcome: • Oppcomms is a viable approach to disseminate emergency information in the absence of other infrastructure. • Sharing information is good: ESS performs as good as or better than DSP, even when we assume that the alarm has failed in the ESS experiment. • ESS performs as good as or better than DES when connectivity is good, i.e., with many people in the building. • ESS improves evacuation outcome despite a longer evacuation: safer but longer paths are preferable. 15 • DES: Distributed evacuation system (sensor-based system) • DSP: Dynamic shortest path evacuation Results: Outdoor Evacuations ESS improves evacuation outcome: • Oppcomms is a viable approach to disseminate emergency information in the absence of other infrastructure. • Connectivity is important for good performance: oppcomms is not suited for sparsely populated areas, although it is better than nothing. • Sharing information is good. 16 • DSP: Dynamic shortest path evacuation Security of Opportunistic Communications Misbehaving nodes in the network Selfish behaviour: receiving information, but not disseminating it, i.e., dropping packets Disrupting local communications Could be deliberate or due to misconfigured devices Disseminating false information Could be deliberate or unintentional Evaluate the effect of misbehaviours on evacuation performance Propose and evaluate a distributed collective defense mechanism to mitigate the effects of false information 17 Identity-based signatures Content-based message verification Blacklisting No Way Out: Emergency Evacuation with No Internet Access Collective Defense Against Incorrect Information Identity-based signatures Each message is signed by its creator using its private key. Asymmetric public key cryptosystem Any node can generate the public key for any node based on its well-know unique identifier, e.g., MAC or IP address. Removes the need for public key delivery systems Ensures authenticity and integrity of messages Nodes can detect spoofed addresses and messages modified in transit. Any message that fails verification is dropped and ignored. In addition, the content of messages are compared and verified against other messages and self-observations. 18 No Way Out: Emergency Evacuation with No Internet Access Collective Defense Against Incorrect Information Nodes may need to gather sufficient evidence in order to reliably decide which messages are incorrect. The defense mechanism does not guarantee that all incorrect messages are identified. This may take some time due to the disconnected nature of the opportunistic network. False positives are possible. False negatives are possible and common in sparse networks. Nodes that are consistently generating false messages are blacklisted. 19 Blacklists are shared among nodes. Blacklists include the evidence for including a node in the list in order to address misbehaving nodes deliberately poisoning the blacklists. No Way Out: Emergency Evacuation with No Internet Access Effect of Misbehaviours on Evacuation Misbehaviours impact evacuation outcome, but we can mitigate against them: • Oppcomms is fairly resilient to message dropping and local disruptions. • Disseminating incorrect information has the most significant effect on evacuation outcome. • The proposed defense mechanism improves evacuation outcome, but no-attack performance is still not attained. 20 Performance of the Detection Mechanism The proposed detection mechanism improves evacuation outcome, but there is still room for improvement: • Detection ratio is good, but could be improved. • False positive ratio is low, but shows high variance due to the disconnected nature of the oppnet. 21 Conclusions (1/2) Opportunistic communications can enable emergency evacuation support in urban areas when existing communication systems are disrupted. ESS performs comparable to or better than static-node based methods (e.g., DES), subject to connectivity. Evacuation performance is dependent on network connectivity, i.e., node (population) density and communication range Most suited for densely populated areas Mobile node based infrastructures are viable alternatives as standalone solutions or as back-up ESS (almost always) performs better than shortest path evacuation. 22 Sharing information with oppcomms significantly improves evacuation. No Way Out: Emergency Evacuation with No Internet Access Conclusions (2/2) Spatial characteristics of the area have significant effect on evacuation outcome. ESS is highly resilient to network-only attacks and misbehaviours. Dropping packets, injection of extra packets, etc. ESS is greatly affected by targeted attacks on the application (i.e., on the evacuation). Indoor vs. outdoor scenarios Likewise for the hazard Falsifying emergency information Proposed defense mechanism significantly improves evacuation. 23 No-attack performance is unattainable given limitations on communications No Way Out: Emergency Evacuation with No Internet Access Open Issues and Future Work Service differentiation in evacuation More sophisticated attacks Entities with different capabilities and goals Collaborating attackers Graph theoretical and analytical models for fast performance evaluation and exploration of the parameter space More accurate modeling of wireless communication Dynamic range adjustment for connectivity and energy trade-offs 24 No Way Out: Emergency Evacuation with No Internet Access For more information Stochastic agents at ISN http://sa.ee.ic.ac.uk/ Self-aware networks at ISN http://san.ee.ic.ac.uk/ Intelligent Systems and Networks (ISN) Group http://www3.imperial.ac.uk/IntelliSysNetworks 25 No Way Out: Emergency Evacuation with No Internet Access
© Copyright 2025