Fine-Grained Capabilities for Flooding DDoS Defense Using Client Reputations
Maitreya Natu
University of Delaware
103 Smith Hall
Newark, DE 19716, USA

Jelena Mirkovic
University of Delaware
103 Smith Hall
Newark, DE 19716, USA
sunshine@is.udel.edu

ABSTRACT

Recently proposed capability mechanisms offer one part of the answer to the DDoS problem. They empower the victim to control the traffic it receives by selectively granting access to well-behaved clients via short-lived tickets. One major question still remains unanswered: how can victims distinguish between well-behaved and ill-behaved clients during the ticket-granting process. This paper offers one possible answer to this question, while also refining the basic capability mechanism. We propose the following novel features: (1) Reputation-based ticket-granting: long-term behavior of a client influences whether future tickets will be granted, (2) Fine-grained capabilities, which authorize access to the victim at a specified priority level based on a client's prior behavior, (3) Destination-based capabilities, granted by the defense located at the victim; this reduces operational cost, and breaks dependence of tickets on routes.

Categories and Subject Descriptors: K.6.5 Management of Computing and Information Systems: Security and Protection

General Terms: Management, Measurement, Security.

Keywords: Distributed denial of service defense, Packet capabilities, Dynamic packet stamping, Traffic policing.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. LSAD '07, August 27, 2007, Kyoto, Japan. Copyright 2007 ACM /07/ $5.00.

1. INTRODUCTION

With the increase in the network usage for business, leisure and time-critical activities, distributed denial-of-service (DDoS) attacks have become an increasing threat. Numerous research and commercial endeavors to design effective DDoS defenses have led to the following insights:

(1) A defense needs to be deployed at or near the victim, where the economic incentive lies. Further, a victim is in the best position to determine if a client's traffic is malicious or benign, and thus has the most accurate information about what to filter.

(2) A victim-end defense must be lightweight to support fast packet processing during an attack; otherwise it may become a target of the attack itself.

(3) Because a victim may be overwhelmed by a large-scale attack, mechanisms are needed to facilitate attack traffic filtering by upstream routers. This means that a victim must somehow communicate to the routers information needed to discriminate between benign and malicious traffic. The discrimination process must also be lightweight, minimizing router CPU and memory cost.

Recently proposed capability mechanisms, such as SIFF [8] and TVA [9] embody these desirable DDoS defense properties in the following manner. Routers on the path to the victim build tickets (capabilities) cooperatively by appending a hash of the source and destination address, and a router secret, to each packet that does not already carry a ticket. A destination decides to grant the access to a client based on some private policy, and returns tickets to chosen clients. Tickets are granted for a limited period of time (time-based) [8] or for a limited amount of traffic (traffic-based) [9] and carry expiration information. An accepted client appends the ticket to future packets, and routers verify tickets and provide high-priority handling to ticketed traffic. Ticket verification is lightweight since a router only needs to recalculate the hash and verify that it is equal to the router's portion of the ticket contained in the packet.
Thus routers pay moderate CPU cost. Memory cost is only paid in case of traffic-based tickets to keep statistics of ticket usage. Time-based tickets incur no memory cost.

While current capability mechanisms show great promise with regard to defense effectiveness and a reasonable operational cost, they suffer from the following deficiencies that we address in this paper:

1. Lack of mechanisms for automated ticket granting: Neither SIFF [8] nor TVA [9] address the question of mechanisms for distinguishing between legitimate and malicious clients. This is a challenging task in case of public servers, where all clients are equal and no prior trust exists between a given client and the server. The only possible approach in this case is to grant short-term access to each new client and evaluate its behavior during this time. Well-behaved clients earn right to future tickets, while ill-behaved clients are shunned. We propose one possible approach to record a long-term client's behavior and incorporate this knowledge into the ticket-granting process. We associate degrees of trust with the clients by assigning a credit and a penalty to each client based on its long-term behavior. Credit is used to identify aggressive attackers; during congestion, the credit of an active client is decreased proportionally to the amount of traffic it contributes to the congestion. However, credit assignment alone cannot deal with distributed attacks where each malicious client sends traffic at a very low rate. To handle such attacks, we assume that a legitimate client's response to packet drops will be more prominent than the malicious client's, and we assign penalties to clients that do not respond appropriately to packet drops. Jointly, the client's credit and the penalty are used for its traffic policing and to decide whether future tickets should be granted.

2. Binary capabilities: Possession of a ticket grants full access to the victim while the ticket is valid, thus all admitted clients have equal priority. This enables sophisticated attacks where malicious clients first obtain tickets and then launch attacks. If attackers send traffic at a low rate, they may even be granted future tickets, perpetuating the attack. We propose fine-grained capabilities that carry a priority label, dependent on a client's long-term behavior. This enables us to penalize clients for any suspicious behavior, and provide guaranteed high-quality service to consistently well-behaved clients in case of sophisticated attacks.

3. Route-dependent capabilities: Because routers on the path participate in ticket generation, tickets are route-dependent and will lead to legitimate traffic drops in case of a route change or multipath routing, both of which are frequent in today's Internet. Our ticket-generation mechanism involves only the traffic destination, making tickets route-independent. Upstream routers remain inactive unless explicitly authorized by the attack victim to aid in traffic filtering. This further reduces defense operational cost compared to [8, 9].

Figure 1: Components of the proposed defense

2. RELATED WORK

IP Easy-pass [6] attaches a source identifier to each packet and uses it to reliably identify clients. Some existing resource reservation protocol (e.g., RSVP) is assumed for access control.
In the past, work has been done on identifying flows by assigning a unique handle [2], and on reliably and accurately identifying the traffic source [5]. In this paper, we address the issue of distinguishing a well-behaved client from an ill-behaved client during the ticket granting process, thus our work is orthogonal to work on client identification.

Anderson et al. [1] propose capabilities (tickets) attached to each client packet, that guarantee privileged access to a resource. They assume a separate overlay for transmitting ticket requests, which incurs high setup cost. SIFF [8] refines the capability approach by eliminating the need for a separate overlay channel. Instead, routers build capabilities collaboratively using a secret key to hash some packet fields and placing the output in ticket request packets. Destination grants access to clients based on some internal policy and returns the capability from request packets to these clients that attach it as a ticket to future packets. The tickets are time-based. TVA [9] improves the design from SIFF [8] by using traffic-based tickets and by rate limiting and prioritizing ticket-request traffic. As discussed in Section 1, SIFF and TVA have certain limitations that we aim to improve.

3. CAPABILITY MECHANISM

Figure 1 illustrates steps in a source's access to a destination. Communication between a source and a destination is preceded with a ticket request. If the source communicated with the destination in recent past, the ticket request will carry the context of the old communication including the old credit and penalty values. The client's credit and penalty serve as inputs to the ticket-granting process, and tickets are returned to accepted clients. Unlike the past work on capabilities [1, 8, 9], a possession of a ticket does not translate into an absolute privilege to access the destination. Instead we associate a degree of trust with each client, expressed via its credit and penalty values and attached to its current ticket.
We use this trust information to prioritize access to a critical resource (Section 3.3), thus favoring well-behaved clients over unknown clients, and favoring unknown over known-malicious clients.

3.1 Ticket Structure

A destination generates a client-ticket for each client to whom it wishes to grant access, and the client uses this information to generate a packet-ticket attached to each future packet sent to this destination. Our generation of client-tickets and packet-tickets has the following properties:

Client-tickets are bound to the client: To prevent ticket falsification and stealing, the destination generates the client-ticket by hashing the client's credit, penalty and IP address with the destination's secret. Client-ticket structure is shown in Figure 2. Including the client's IP in the hash binds the ticket to the specific client, thus ensuring that attackers cannot use stolen tickets to buy a passage for their traffic. A similar mechanism exists in TVA [9]. However, the attacker could use a stolen ticket to generate spoofed traffic with client's IP address as an alleged source. To prevent this we must prevent ticket stealing from a destination's reply to the ticket request, and later from packets with valid tickets. To prevent ticket stealing from a destination's reply we deploy the Diffie-Hellman key exchange [3] to generate a session secret between the source and the destination, and use this secret to encrypt ticket information in the reply. We assume a general knowledge of numbers $g$ and $n$. In its ticket requests, the source includes $g^S \bmod n$, where $S$ is a random number selected by the source. In the ticket reply, the destination returns $r$ = $E_K(\text{ticket})$ $g^D \bmod n$, where $E_K$ denotes encryption with key $K$, using some lightweight symmetric encryption protocol, $D$ is a random number selected by the destination, $K = g^{SD} \bmod n$ is the shared secret and denotes concatenation. The shared secret can be calculated by the source and the destination only, because they possess one part of this secret (the random number $S$ or $D$). Both parties store the secret and use it for future ticket exchanges. Old secrets can be removed after a period of inactivity. The structure of the ticket reply is also shown in Figure 2. TVA [9] does not encrypt ticket information in replies and is thus sensitive to ticket stealing. Our current design uses IP address of a host as an identifier, which does not address the presence of NATs in the network, or the dynamic addressing. We plan to investigate these issues in our future work.

Figure 2: Structure of the ticket-request, ticket-reply, client-ticket and packet-ticket

Packet-tickets are bound to packets: To prevent ticket stealing from packets, a client generates packet-tickets by binding the client-ticket to each packet. This is done by first calculating the hash of the packet's contents and immutable header fields, and then hashing this result with the client-ticket to produce a per-packet pass. This pass, along with the client's credit and penalty values represents the packet-ticket and is inserted into the IP identification field, as shown in Figure 2. SIFF [8] and TVA [9] do not bind tickets to packets, enabling misuse of stolen tickets to spoof legitimate client's traffic.
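The two bindings described above can be exercised end to end. The following is an added example, not code from the paper or its kernel module: it assumes HMAC-SHA256 as the keyed hash, an 8-byte truncated pass, and a hypothetical `Destination` class that keeps the current and one previous secret; the addresses, header bytes and payloads are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

PASS_LEN = 8  # assumption: bytes of the per-packet pass carried in the packet


def encode_fields(client_ip, credit, penalty):
    """Canonical byte encoding of the fields the destination hashes."""
    return ipaddress.ip_address(client_ip).packed + struct.pack("!dd", credit, penalty)


def client_ticket(secret, client_ip, credit, penalty):
    """Destination side: keyed hash of credit, penalty and client IP."""
    msg = encode_fields(client_ip, credit, penalty)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def packet_ticket(ticket, immutable_hdr, payload, credit, penalty):
    """Client side: hash the packet, then hash that with the client-ticket."""
    pkt_hash = hashlib.sha256(immutable_hdr + payload).digest()
    per_packet_pass = hmac.new(ticket, pkt_hash, hashlib.sha256).digest()[:PASS_LEN]
    return per_packet_pass, credit, penalty


class Destination:
    """Hypothetical defense endpoint; stores secrets only, no per-client state."""

    def __init__(self):
        self.current = os.urandom(32)
        self.previous = None

    def rotate(self):
        """Changing the secret expires every ticket issued two intervals ago."""
        self.previous, self.current = self.current, os.urandom(32)

    def grant(self, client_ip, credit, penalty):
        return client_ticket(self.current, client_ip, credit, penalty)

    def verify(self, src_ip, immutable_hdr, payload, pkt_ticket):
        """Recompute the pass from the packet's own fields and compare."""
        per_packet_pass, credit, penalty = pkt_ticket
        for secret in (self.current, self.previous):
            if secret is None:
                continue
            ticket = client_ticket(secret, src_ip, credit, penalty)
            expected = packet_ticket(ticket, immutable_hdr, payload, credit, penalty)[0]
            if hmac.compare_digest(expected, per_packet_pass):
                return True
        return False


def demo():
    """Constructed scenario: one honest packet and three misuse attempts."""
    dst = Destination()
    ip, credit, penalty = "192.0.2.10", 10, 0          # constructed client
    ticket = dst.grant(ip, credit, penalty)
    hdr = b"constructed-immutable-header-fields"
    pt = packet_ticket(ticket, hdr, b"GET /", credit, penalty)
    results = {
        "valid": dst.verify(ip, hdr, b"GET /", pt),
        # pass lifted from a sniffed packet and attached to other contents
        "reused_on_other_payload": dst.verify(ip, hdr, b"flood", pt),
        # client declares a better credit than the one that was hashed
        "inflated_credit": dst.verify(ip, hdr, b"GET /", (pt[0], 20, penalty)),
        # same packet-ticket presented from a different source address
        "other_source_ip": dst.verify("198.51.100.7", hdr, b"GET /", pt),
    }
    dst.rotate()
    results["after_one_rotation"] = dst.verify(ip, hdr, b"GET /", pt)
    dst.rotate()
    results["after_two_rotations"] = dst.verify(ip, hdr, b"GET /", pt)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```

In this sketch an exact copy of an already accepted packet still verifies until the secret has rotated twice; the binding only stops a captured pass from being attached to different contents, credit values or source addresses.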
Client-tickets are short-lived: If tickets were valid for a long time, a mutable attacker that behaves well to obtain a ticket, and then turns hostile could inflict much harm. Short ticket life limits the damage from a mutable attack, and is also employed in SIFF [8], while TVA [9] employs costly accounting to limit the amount of traffic sent using a single ticket, i.e. it uses traffic-based capabilities. We opted for time-based vs. traffic-based capabilities, to reduce the operational cost. Tickets expire periodically when the destination changes the secret used for ticket generation. We call this interval the ticket-validity interval. Delayed packets are handled by accepting the packets with tickets valid during one previous interval.

Ticket verification is lightweight: All the information needed to verify validity of a ticket (packet or client) is encoded in the ticket, thus no memory is needed to store client information at the destination. The destination does pay a small memory cost to record the blacklist of worst offenders, and to keep behavior statistics for currently active clients (Section 3.2).

3.2 Calculating Credits and Penalties

Credits and penalties are used to reflect a client's behavior by describing the aggressiveness of its sending pattern. Credit and penalty calculations are performed at the end of each ticket-validity interval.

Credit Calculation

A client's credit reflects its contribution to congestion during a flooding attack: the higher credit represents the lower contribution, i.e. well-behaved clients will have high credits. The credit is a number ranging from LOW to HIGH. A new client is assigned a credit value of MID, which lies in the middle of [LOW, HIGH] range. If no resource overload is observed during an interval, then an active client in that interval is rewarded by an additive increase in its credit:

$$\text{credit}_{new} = \min(\text{credit}_{old} + \alpha,\ \text{HIGH}) \qquad (1)$$

where $\alpha$ is the credit increase factor. During resource overload periods, if a client is identified as non-aggressive, its credit is also calculated using the Eq. 1.
The credit of an aggressive client is decreased multiplicatively and proportionally to its contribution to resource demand:

$$\text{credit}_{new} = \max\left(\text{credit}_{old} \cdot \left(1 - \frac{E}{\sum_i T_i}\right),\ \text{LOW}\right) \qquad (2)$$

where $T_i$ is total traffic sent by the client $i$ in units that represent a critical resource (e.g., bytes for bandwidth, service requests for server-specific resource, packets for CPU), and $E$ is the excess traffic the client sent above its fair share, which we call a quota, and denote with $Q$. The sum of $T_i$ is calculated over all active clients. Multiplicative decrease ensures prompt action to the observed aggressiveness. Values of $T_i$, $E_i$ and $Q_i$ are calculated for a window of several intervals to avoid overreaction to variations in client traffic. The quota of a client is calculated as:

$$Q = \frac{\max(\text{credit} - \text{penalty},\ \text{LOW})}{\sum_i \max(\text{credit}_i - \text{penalty}_i,\ \text{LOW})} \cdot R \qquad (3)$$

where $R$ is the amount of the critical resource (e.g., bandwidth, number of packets or service requests that can be processed per second, etc.), the maximum is calculated over the window for a given client, and the sum is calculated over all active clients. A client is considered aggressive if it exceeds its quota in an interval, and its credit is decreased using the Eq. 2, where $E = T - Q$.

The defense proactively renews tickets of all active clients at the end of each ticket-validity interval. A client that has been inactive during an interval must issue a new ticket request. To enable well-behaved clients to benefit from their past good reputation, a new ticket request carries the last received credit and penalty values, along with the client-ticket and the timestamp of the last activity. Using the timestamp, the server locates the secret, which was valid at the given time, and uses it to verify the client-ticket and thus the authenticity of the declared credit and penalty values. Upon success, it uses the past credit value to calculate starting credit for the client as:

$$\text{credit}_{new} = \max(\text{credit}_{old} - \beta N,\ \text{MID}) \qquad (4)$$

where $\beta$ is the credit decrease factor, and $N$ is the number of intervals since the client's last communication. We deploy credit aging to discount stale information because a longer inactivity period increases the possibility of a client's compromise. The lowest credit assigned to an old client is MID, ensuring that a very old client is treated the same as a previously unknown client. The penalty value of an old client is conservatively set to the past penalty value, declared in its ticket request. A previously unknown client receives the lowest penalty value.

Penalty Calculation

Consider a scenario when many attackers flood a network, but each attacker sends traffic at a low rate. In such scenario, a legitimate client's contribution to congestion is larger than that of an attacker, so credit calculation alone cannot help us precisely identify malicious clients. To rectify this situation, we use an observation that a legitimate client will reduce its sending rate upon a traffic loss, while an automated attacker will not. One source of rate reduction is the TCP's congestion control mechanism that responds to traffic loss by an exponential decrease in the sending rate.
If a malicious client uses modified version of the TCP protocol to send aggressively, its response to congestion will be milder than that of legitimate clients. Even if a malicious client uses unmodified TCP, it will open multiple connections to the destination to send sufficient traffic for service denial making it more aggressive than an average legitimate client. We postulate that another source of rate reduction could be human response to low service quality: a person that does not receive a response to their service request is unlikely to maintain or increase the rate of request generation. Further study with human subjects is needed to verify this hypothesis and is part of our future work.

We assign penalties to clients that experience persistent packet drops in the following manner. Let $D$ be the sum of dropped bytes from client during the window. If $D > \delta T$, the client is considered malicious and its penalty is increased as:

$$\text{penalty}_{new} = \min(\text{penalty}_{old} + \gamma,\ \text{HIGH}) \qquad (5)$$

where $\delta$ is the estimate of the legitimate client's aggressiveness in face of persistent drops, and $\gamma$ is the penalty increase factor. If the client is not identified as malicious its penalty is decreased as:

$$\text{penalty}_{new} = \max(\text{penalty}_{old} - \gamma,\ \text{LOW}) \qquad (6)$$

Aggressive Client Blacklisting

To reduce the memory cost of the defense, client credits and penalties are carried in tickets. This opens a potential vulnerability since a client with a low credit (or a high penalty) would benefit from posing as a new client, i.e. it would omit the credit and penalty information from its ticket requests. Legitimate clients would then have to contend for bandwidth with attackers, just as is the case in SIFF [8] and TVA [9]. To amend this situation the defense should keep a blacklist of worst offenders. Clients with lowest credits or highest penalties would be stored in this list, with their credit and penalty information, and each new ticket request would be checked against this list.
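An added sketch (not the authors' implementation) of the end-of-interval bookkeeping in Eqs. 1 to 6, with the quota of Eq. 3 recomputed each interval. The values of α, β and γ follow Table 1; the values chosen for LOW, HIGH and δ, the overload test (total demand above R), the equal split when every weight is zero, and the four constructed clients are assumptions of this example.

```python
ALPHA, BETA, GAMMA = 1.0, 0.3, 0.4   # credit increase, aging and penalty factors
DELTA = 0.5                          # assumption: drop-tolerance used in this sample
LOW, HIGH = 0.0, 20.0                # assumption: range chosen for this sample
MID = (LOW + HIGH) / 2               # starting credit of an unknown client


class Client:
    def __init__(self, name, credit=MID, penalty=LOW):
        self.name, self.credit, self.penalty = name, credit, penalty


def weight(c):
    """max(credit - penalty, LOW): numerator of Eq. 3."""
    return max(c.credit - c.penalty, LOW)


def quotas(clients, R):
    """Eq. 3: split resource R among active clients by weight."""
    total = sum(weight(c) for c in clients)
    if total == 0:                   # guard added here: all weights at zero
        return {c.name: R / len(clients) for c in clients}
    return {c.name: weight(c) / total * R for c in clients}


def end_of_interval(clients, sent, dropped, R):
    """Apply Eqs. 1, 2, 5 and 6 once; sent/dropped are window totals per client."""
    q = quotas(clients, R)
    total_sent = sum(sent.values())
    overload = total_sent > R        # assumption: overload means demand above R
    for c in clients:
        T, D = sent[c.name], dropped[c.name]
        if overload and T > q[c.name]:
            E = T - q[c.name]                                    # excess over quota
            c.credit = max(c.credit * (1 - E / total_sent), LOW)  # Eq. 2
        else:
            c.credit = min(c.credit + ALPHA, HIGH)               # Eq. 1
        if D > DELTA * T:
            c.penalty = min(c.penalty + GAMMA, HIGH)             # Eq. 5
        else:
            c.penalty = max(c.penalty - GAMMA, LOW)              # Eq. 6
    return q


def aged_credit(credit_old, idle_intervals):
    """Eq. 4: starting credit of a client returning after N idle intervals."""
    return max(credit_old - BETA * idle_intervals, MID)


def simulate(intervals):
    """Constructed case: one responsive client and three unresponsive senders."""
    names = ["L1", "A1", "A2", "A3"]
    clients = [Client(n, credit=HIGH) for n in names]
    sent = {"L1": 20, "A1": 60, "A2": 60, "A3": 60}      # units of R per window
    dropped = {"L1": 0, "A1": 40, "A2": 40, "A3": 40}
    history = [end_of_interval(clients, sent, dropped, R=100)
               for _ in range(intervals)]
    return clients, history


if __name__ == "__main__":
    clients, history = simulate(10)
    for c in clients:
        print(f"{c.name}: credit={c.credit:6.2f} penalty={c.penalty:4.1f} "
              f"last quota={history[-1][c.name]:6.2f}")
```

The inputs are held constant across intervals, so the run shows only how credit, penalty and quota move for a fixed sending pattern, not how a TCP sender would adapt.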
3.3 Traffic Policing

Previous work on capabilities [1, 8, 9] allowed absolute access to the destination to all ticket-carrying traffic. As discussed in Section 1, this approach can inflict large harm to legitimate clients in case of mutable attackers. To minimize this harm, we use client credits and penalties to prioritize access to the critical resource. Each client is assigned to the client class identified as:

$$\text{clientClass} = \max(\text{credit} - \text{penalty},\ \text{LOW}) \qquad (7)$$

and each class is assigned a certain share of the resource. A client can access the resource share assigned to its class and that assigned to lower classes. If all such resources are depleted, the client's request is dropped. This facilitates good service to well-behaved clients during an attack that deploys many previously unknown attackers. These attackers fall into the same credit class as previously unknown legitimate clients, and compete with them for the resource, but cannot deplete resources assigned to the higher-credit classes that contain known, well-behaved clients.

One approach to resource assignment would be to uniformly distribute the critical resource among all credit classes. However, this design could lead to under-utilization, in cases when most users lie in low or middle credit ranges. We propose a more sophisticated scheme that estimates future resource requirements of a client class based on the weighted average of its past demand as follows:

$$R_{new} = (1 - \lambda) \cdot R_{old} + \lambda \cdot \text{demand} \qquad (8)$$

where $R_{old}$ was the estimate at the end of the previous interval, demand is the total resource usage of this client class in the current interval and $\lambda$ is the weight assigned to new observations.

Traffic policing is performed by the defense located at or near the victim. If the defense is overwhelmed, which is likely during high-rate attacks, it can request help from upstream routers for packet filtering. The help request contains at the minimum the previous and the current destination secret, to enable the router to validate ticket information.
Future secrets could also be included in the help request, or they could be communicated periodically through future help requests. It would further be helpful to include the blacklist of recent offenders in the help request, to enable the router to filter new ticket requests from known-malicious clients.

Help requests must be authenticated to prevent denial of service through fake help requests that contain invalid secrets and are sent by a third party. Authentication assumes an existence of a trust relationship between the defense and an upstream router. Since distributed trust is difficult to enforce unless there is an existing business relationship, we envision that help requests would only be propagated one hop upstream, to routers of the victim's ISP. This is a common business practice today, but requests are delivered through human channels, which impose large delays, and they contain imprecise filtering information obtained from intrusion detection systems. The proposed capability mechanism would automate this process and improve filtering accuracy and the response time.

Parameter                  Value
Ticket-validity interval   3 s
Window size                4 intervals
α                          1
β                          0.3
γ                          0.4
δ                          1
HIGH LOW 20

Table 1: Parameter values

3.4 Parameter Settings

We use several parameters to guide the defense operation, whose values are shown in Table 1. We now briefly discuss tradeoffs in setting their values. In real deployment optimal parameter values will greatly depend on legitimate traffic dynamics in a given network, and should be determined through traffic analysis, training and tuning over several days or weeks.

Credit range [LOW, HIGH]: A larger range provides a finer granularity for client differentiation and thus better defense, but will cause additional computational and memory cost during traffic policing.

Credit and penalty change factors (α, γ): Large values of α and γ make credits and penalties very sensitive to traffic variations, which can lead to penalizing normal variations in legitimate traffic. Too small values on the other hand, prolong response time of the defense.

Estimate of legitimate client's aggressiveness (δ): A large value of δ will increase penalty only for large drop rates, allowing moderately aggressive attackers to evade the defense. A small δ value penalizes small, normal traffic variations of legitimate clients.

Score aging factor (β): A small value of β preserves history of past good behavior for a long time, while a large value rapidly discounts recent good behavior.

4. COST

We now summarize the cost of the proposed defense.
While issuing and updating tickets, the defense performs Diffie-Hellman key exchange once for every new or recently inactive client, followed by ticket encryption once each ticket-validity interval. While Diffie-Hellman key exchange is costly, it is only performed for clients that have not been active recently. The cost of the exchange can thus be controlled by increasing the memory for storage of shared secrets. Symmetric encryption and decryption are moderately costly, but the frequency of these operations is low: once each several seconds. An attacker could attempt to exhaust the defense's resources by sending a lot of new ticket requests and we discuss this case in the Section 5.

Tickets are kept small and ticket validation is not costly. A sender attaches the packet-ticket to each packet and the defense verifies it. Both require two hash operations per packet and can be done at high speed, as shown in [9]. Note that there should be a significant reduction in deployment cost between our defense and SIFF [8] or TVA [9] because our defense is located at the destination only and the help of upstream routers can be invoked on need basis, while SIFF and TVA require constant support from upstream routers.

Tickets carry the client information needed for ticket validation and traffic policing, requiring no additional storage at the defense. Defense incurs a storage cost for storing traffic statistics and the quota of each active client during an interval, for computing credits and penalties. In case of a large number of clients, it is sufficient to store statistics only of aggressive senders that dominate the values in score and penalty computation. Statistics are also stored for each client class, thus the size of the [LOW, HIGH] range determines the cost of this storage. The defense also incurs a small memory cost for a blacklist of worst offenders.
It may pay off to propagate this list to some upstream routers that are close to destination, when their help is requested, in which case the upstream routers will incur the memory cost to store this information. The typical size of botnets today is at most 100,000 hosts [4], making the memory cost for storing a blacklist 3.2 MB.

5. SECURITY

We now briefly discuss the security of the proposed defense. As our experiments illustrate in the next section, the defense can successfully identify large and persistent senders, but its performance degrades in case of pulsing attacks. If an attacker used a large number of zombies in smaller groups, such that a single group acts maliciously at a given time and is then replaced by a fresh group, the attack could continuously deny service. All DDoS defenses to date that use a client's identity for traffic prioritization will be ineffective against such attack.

Another possible attack would engage zombies that do respond to congestion, thus avoiding high penalty values. We believe that in this case human behavior (rate of request generation) would differ from the behavior of zombies causing legitimate client's traffic to decrease below malicious client's traffic. We plan to study this in our future work.

Tickets cannot be falsified because secret hash facilitates integrity checks. Our defense is resistant to sniffing due to deployment of cryptographic techniques to protect tickets. It is also resistant to IP spoofing because it encrypts client-tickets and binds packet-ticket values to the packets.

Cryptographic operations make defense vulnerable to flood of bogus ticket requests, that initiate costly Diffie-Hellman key exchange. One way to address this problem is to limit the resources spent for ticket-granting. This ensures that well-behaved and active clients will receive good service, since their secret information is cached. New legitimate clients will have to contend for the access to ticket-granting mechanism along with attackers.

6. EVALUATION

We implemented the proposed capability mechanism in a Linux software router as a loadable kernel module. Our tests consist of live-traffic experiments in the Emulab testbed [7]. We used the topology shown in Figure 3. Victim node V is connected to the rest of the topology via a bottleneck link of 100 Kbps, which represents our critical resource. All other links in the topology have 100 Mbps bandwidth. There are two legitimate clients L1 and L2 and seven attackers A1-A7.

Legitimate traffic is generated by invoking a character generator program at the client nodes, and tunneling its output to the victim node via SSH. The character generator emulates Telnet traffic: it generates one message per second, whose length is randomly chosen in a predetermined range. A message can be split into several packets. We call the average rate of the character generator the legitimate client's nominal rate. Depending on the TCP's congestion control mechanism, legitimate client's traffic will flow into the network at, above or below the nominal rate.

As explained in Section 5, to use a real TCP traffic for attack, the attackers would need a large number of zombies due to the congestion responsive nature of TCP. Hence, attack traffic is generated using raw sockets to send TCP packets at a specified rate. The attack rate may vary in some test scenarios in an attempt to trick the defense.

We do not show a simple scenario where the attack traffic does not carry a ticket: all such traffic will be correctly dropped since only ticket-carrying traffic is allowed to reach the victim. We also omit a scenario where a mutable attacker acquires a ticket and then increases its sending rate to a large value. Such attacker will be quickly identified as aggressive and its credit is decreased, providing effective defense. We focus instead on sophisticated attacks involving mutable attackers that send at a relatively low rate to maintain impression of a good behavior and ensure receipt of future tickets.
Figure 3: Network topology used for evaluation

6.1 Balanced Attack

To blend in with legitimate clients, each attacker first acquires the highest credit by sending traffic at a low rate (800 bps) for a long time: this behavior does not create resource overload. Afterwards, attackers turn malicious and send at the legitimate client's nominal rate (24 Kbps). Figure 4 shows the credits of one legitimate client and of one attacker; credits of other clients follow the same trend. Before the attack, credits of legitimate and attack clients are at the HIGH value. Soon after the attack starts, an attacker's credit is decreased, thanks to our aggressive sender identification and the multiplicative credit decrease. The credit of legitimate TCP client decreases briefly after the attack's onset, because the traffic computations are performed over statistics collected in a sliding window. Once the TCP's congestion control reduces the sending rate, several intervals are needed for this to sufficiently impact the average rate value in the window. Similarly, Figure 5 shows a legitimate client's and an attacker's penalty. While a legitimate client's penalty remains low throughout the attack, an attacker's penalty quickly reaches the maximum value due to the absence of congestion response in attack traffic.

Figure 4: Credits of legitimate and attack clients

Figure 5: Penalties of legitimate and attack clients

Figure 6 shows the acceptance ratio: the percentage of bytes sent by a client that successfully reach the victim. Note that this is different than bandwidth allocation between clients. An acceptance ratio of 100% means that no traffic from this client was dropped, either due to congestion or by defense. The acceptance ratio gives no information about the bandwidth division between the legitimate and the attack traffic. A legitimate client's acceptance ratio is temporarily lowered when the attack starts, but quickly converges to 100%, while an attacker's acceptance ratio is reduced to around 5%. For comparison, Figure 7 shows the acceptance ratio without the defense: all traffic drops occur due to the congestion. A legitimate client's acceptance ratio fluctuates, and frequently reaches zero, as the legitimate traffic's sending rate fluctuates due to TCP's congestion control. The attacker's acceptance ratio is around 40% because the bottleneck link bandwidth is 40% of the total traffic arriving at the link. The legitimate traffic is seriously damaged during the attack without the defense, while it is efficiently protected when the defense is present. For space reasons we will only show the acceptance ratio for the following tests.

Figure 6: Acceptance ratio during the balanced attack

Figure 7: Acceptance ratio during the balanced attack without defense

6.2 Low-rate Attack

In this test each attacker sends at 80% of the legitimate client's nominal rate (19.2 Kbps), thus attempting to avoid being identified as an aggressive sender. Our results, shown in Figure 8, demonstrate that even when a large number of attackers send at a low individual rate to create a denial of service, our defense identifies these attackers via their increased penalties, since their traffic does not exhibit congestion response. The acceptance ratio graph resembles the one in the balanced attack case. After the first 20 intervals, all legitimate traffic reaches the victim. An attacker's acceptance ratio is quickly reduced to 10%. A lower malicious client rate leads to penalties that take longer time to increase, thus the attack interferes with the legitimate traffic longer. An even lower-rate, more distributed attack would inflict damage to legitimate traffic for a longer period of time, but the defense will eventually converge and protect legitimate traffic.

Figure 8: Acceptance ratio during the low-rate attack

6.3 Pulsing Attack

We next test the pulsing attack in which the attacker periodically sends heavy traffic (legitimate client's nominal rate=24 Kbps), and then sends low traffic (800 bps) to build up the trust until the next pulse. The acceptance ratio is shown in Figure 9.
While the attakers redits inrease during low-rate periods, the defense quikly identifies attakers as aggressive during high-rate periods and suppresses their traffi. For the legitimate lient, the aeptane ratio drops at the onset of high-rate periods (labeled as High in the graph) but then returns to 100% where it remains for the rest of the period, and during low-rate periods. The attaker s aeptane ratio is high during low-rate periods beause no overload is reated. During high-rate periods the aeptane ratio quikly drops to about 5%, whih is onsistent with our results for the balaned attak. 6.4 Binary Capabilities We motivated our design of apabilities with multiple degrees of trust by arguing that binary apabilities annot protet legitimate traffi during mutable attaks. We now support this laim by repeating the balaned attak experiment with binary apabilities. We keep our alulation of redits and penalties the same, but the lient s fair share of the resoure is obtained by dividing the resoure equally among all ative lients, regardless of their redit or penalty. Traffi poliing omponent aepts all traffi with the redit greater
8 show that our defense provides exellent protetion to the legitimate traffi, whose throughput is very lose to 100%. Experiment Throughput (%) Balaned attak w defense Balaned attak w/o defense 2.91 Low-rate attak w defense Pulsing attak w defense Balaned attak w binary ap Table 2: Legitimate traffi throughput during attak Figure 9: Aeptane ratio during the pulsing attak or equal to MID/2. Figure 10 shows the aeptane ratio for this experiment. While the attaker s aeptane ratio eventually drops to zero, the legitimate lient s traffi experienes signifiant drops and its aeptane ratio exhibits large variations, frequently reahing 0%. Comparing the Figures 6 and 10, the protetion offered to legitimate traffi by binary apabilities is muh worse than the protetion offered by our proposed defense. In the absene of a sophistiated traffi poliing, the legitimate lient reeives the same bandwidth share as the attaker, ausing the lient s redit to flutuate between high and low redit values based on its traffi variations in response to ongestion. This leads to large variations in the legitimate lient s aeptane ratio. Figure 10: Aeptane ratio during the balaned attak with binary apabilities Table 2 summarizes experiment results showing the perentage of legitimate traffi throughput during an attak ompared to the throughput without an attak. The results 7. CONCLUSIONS We proposed several improvements to the original apability design that failitate automati tiket-granting and improve seurity and ost of the defense. Our experiments show that the proposed defense suessfully handles sophistiated attaks, offering a onsistent good protetion to legitimate traffi and quikly identifying and penalizing attak traffi. In our future work we plan to investigate human response to low servie quality, and improve our penalty alulation with models derived from this researh. 
We also plan to explore a dynamic setting of parameter values based on the perceived attack severity, and to engage in larger-scale experimentation to validate our proposed defense. Finally, we plan to address remaining security issues related to use of cryptography during ticket issue.
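
The two measurement points made in Section 6.1, as an added example that is not code from the paper: acceptance ratio says nothing about bandwidth share on a congested link, and a sliding-window rate average lags behind a sender that has already cut its rate. The proportional-drop model, the client counts, the window length of 4 intervals and the 15 Kbps threshold are assumptions chosen for illustration; only the 24 Kbps and 800 bps rates come from the paper.

```python
from collections import deque

NOMINAL_BPS = 24_000  # legitimate client's nominal rate (from the paper)
LOW_BPS = 800         # attacker's trust-building rate (from the paper)


def acceptance_ratio(sent, delivered):
    """Percentage of a client's sent traffic that reached the victim.

    Returns None when the client sent nothing, because the ratio is undefined.
    """
    if sent == 0:
        return None
    return 100.0 * delivered / sent


def bandwidth_share(delivered_by_client):
    """Each client's percentage of all traffic delivered to the victim."""
    total = sum(delivered_by_client.values())
    if total == 0:
        return {client: 0.0 for client in delivered_by_client}
    return {c: 100.0 * d / total for c, d in delivered_by_client.items()}


def undefended_delivery(offered_by_client, capacity):
    """Assumed model of a congested link with no defense: senders do not back
    off and drops hit every sender in proportion to its offered load."""
    total = sum(offered_by_client.values())
    if total <= capacity:
        return dict(offered_by_client)
    return {c: o * capacity // total for c, o in offered_by_client.items()}


def undefended_scenario():
    """Constructed case: 1 legitimate client and 5 attackers, all at the
    nominal rate, behind a bottleneck that carries 40% of the arriving load."""
    offered = {"legit": NOMINAL_BPS}
    offered.update({f"attacker{i}": NOMINAL_BPS for i in range(1, 6)})
    capacity = sum(offered.values()) * 40 // 100
    delivered = undefended_delivery(offered, capacity)
    ratios = {c: acceptance_ratio(offered[c], delivered[c]) for c in offered}
    return ratios, bandwidth_share(delivered)


def windowed_rates(rates_bps, window):
    """Average rate over the most recent `window` intervals, per interval."""
    recent = deque(maxlen=window)
    averages = []
    for rate in rates_bps:
        recent.append(rate)
        averages.append(sum(recent) / len(recent))
    return averages


def lag_until_below(rates_bps, window, threshold_bps, start):
    """Intervals after `start` before the windowed average falls below the
    threshold, or None if it never does within the trace."""
    averages = windowed_rates(rates_bps, window)
    for i in range(start, len(averages)):
        if averages[i] < threshold_bps:
            return i - start
    return None


# Constructed traces, one sample per interval.
# The TCP client halves its rate at interval 5 (simplified congestion response).
TCP_CLIENT = [NOMINAL_BPS] * 5 + [NOMINAL_BPS // 2] * 5
# The pulsing sender: low rate, a two-interval pulse, then low rate again.
PULSING = [LOW_BPS] * 4 + [NOMINAL_BPS] * 2 + [LOW_BPS] * 4

if __name__ == "__main__":
    ratios, shares = undefended_scenario()
    print("acceptance ratio, legit:", ratios["legit"])
    print("bandwidth share, legit:", round(shares["legit"], 2))
    print("TCP client windowed avg:", windowed_rates(TCP_CLIENT, 4))
    print("lag after rate cut:", lag_until_below(TCP_CLIENT, 4, 15_000, 5))
    print("pulsing windowed avg:", windowed_rates(PULSING, 4))
```

In the constructed undefended case every sender has the same 40% acceptance ratio while the legitimate client holds only a sixth of the delivered bandwidth, which is why the paper reports throughput in Table 2 separately from the acceptance-ratio figures.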
Construting Transation Serialization Order for Inremental Data Warehouse Refresh Ming-Ling Lo and Hui-I Hsiao IBM T. J. Watson Researh Center July 11, 1997 Abstrat In typial pratie of data warehouse, the
More informationDynamic Backlight Adaptation for Low Power Handheld Devices 1
Dynami Baklight Adaptation for ow Power Handheld Devies 1 Sudeep Pasriha, Manev uthra, Shivajit Mohapatra, Nikil Dutt and Nalini Venkatasubramanian 444, Computer Siene Building, Shool of Information &
More informationA Comparison of Hard-state and Soft-state Signaling Protocols
University of Massahusetts Amherst SholarWorks@UMass Amherst Computer Siene Department Faulty Publiation Series Computer Siene 2003 A Comparison of Hard-state and Soft-state Signaling Protools Ping Ji
More information