45 research outputs found

    High performance stride-based network payload inspection

    There are two main drivers for network payload inspection: malicious data, attacks, virus detection in Network Intrusion Detection System (NIDS) and content detection in Data Leakage Prevention System (DLPS) or Copyright Infringement Detection System (CIDS). Network attacks are getting more and more prevalent. Traditional network firewalls can only check the packet header, but fail to detect attacks hidden in the packet payload. Therefore, the NIDS with Deep Packet Inspection (DPI) function has been developed and widely deployed. By checking each byte of a packet against the pattern set, which is called pattern matching, NIDS is able to detect the attack codes hidden in the payload. The pattern set is usually organized as a Deterministic Finite Automata (DFA). The processing time of DFA is proportional to the length of the input string, but the memory cost of a DFA is quite large. Meanwhile, the link bandwidth and the traffic of the Internet are rapidly increasing, the size of the attack signature database is also growing larger and larger due to the diversification of the attacks. Consequently, there is a strong demand for high performance and low storage cost NIDS. Traditional software-based and hardware-based pattern matching algorithms have difficulty satisfying the processing speed requirement, thus high performance network payload inspection methods are needed to enable deep packet inspection at line rate. In this thesis, Stride Finite Automata (StriFA), a novel finite automata family to accelerate both string matching and regular expression matching, is presented. Compared with the conventional finite automata, which scan the entire traffic stream to locate malicious information, the StriFA only needs to scan samples of the traffic stream to find the suspicious information, thus increasing the matching speed and reducing memory requirements.
Technologies such as instant messaging software (Skype, MSN) or BitTorrent file sharing methods, allow convenient sharing of information between managers, employees, customers, and partners. This, however, leads to two kinds of major security risks when exchanging data between different people: firstly, leakage of sensitive data from a company and, secondly, distribution of copyright infringing products in Peer to Peer (P2P) networks. Traditional DFA-based DPI solutions cannot be used for inspection of file distribution in P2P networks due to the potential out-of-order manner of the data delivery. To address this problem, a hybrid finite automaton called Skip-Stride-Neighbor Finite Automaton (S2NFA) is proposed to solve this problem. It combines benefits of the following three structures: 1) Skip-FA, which is used to solve the out-of-order data scanning problem; 2) Stride-DFA, which is introduced to reduce the memory usage of Skip-FA; 3) Neighbor-DFA which is based on the characteristics of Stride-DFA to get a low false positive rate at the additional cost of a small increase in memory consumption

    Approximations fluides pour des modèles stochastiques en télécommunications

    When modeling systems for their performance evaluation, one privileged tool is some form of Markov process, because of the rich set of results and associated algorithms. The drawback is that sometimes, the process has a huge number of states, or an infinite state space. In these situations, since analytical results are rare, almost always the solution to analyze the models is simulation. In this thesis we explore another possibility, called fluid limits, where a sequence of models is built with some parameter N associated with the individual model's size, in such a way that the performances of the Nth model get close to that of the original system when N goes to infinity. We consider three families of systems/models and we explore this approach, obtaining results focused on understanding the meaning of this convergence phenomenon, and on the properties of the limiting models.

    Rational cryptography: novel constructions, automated verification and unified definitions

    Rational cryptography has recently emerged as a very promising field of research by combining notions and techniques from cryptography and game theory, because it offers an alternative to the rather inflexible traditional cryptographic model. In contrast to the classical view of cryptography where protocol participants are considered either honest or arbitrarily malicious, rational cryptography models participants as rational players that try to maximize their benefit and thus deviate from the protocol only if they gain an advantage by doing so. The main research goals for rational cryptography are the design of more efficient protocols when players adhere to a rational model, the design and implementation of automated proofs for rational security notions and the study of the intrinsic connections between game theoretic and cryptographic notions. In this thesis, we address all these issues. First we present the mathematical model and the design for a new rational file sharing protocol which we call RatFish. Next, we develop a general method for automated verification for rational cryptographic protocols and we show how to apply our technique in order to automatically derive the rational security property for RatFish. Finally, we study the intrinsic connections between game theory and cryptography by defining a new game theoretic notion, which we call game universal implementation, and by showing its equivalence with the notion of weak stand-alone security.

    Pricing and Equilibrium Analysis of Network Market Systems

    Markets have been the most successful method of identifying value of goods and services. Both large and small scale markets have gradually been moving into the Internet domain, with increasingly large numbers of diverse participants. In this dissertation, we consider several problems pertaining to equilibria in networked marketplaces under different application scenarios and market sizes. We approach the question of pricing and market design from two perspectives. On the one hand, we desire to understand how self-interested market participants would set prices and respond to prices resulting in certain allocations. On the other hand, we wish to evaluate how best to allocate resources so as to attain efficient equilibria. There might be a gap between these viewpoints, and characterizing this gap is desirable. Our technical approaches follow the number of market participants, and the nature of trades happening in the market. In our first problem, we consider a market of providing communication services at the level of providing Internet transit. Here, the transit Internet Service Provider (ISP) must determine billing volumes and set prices for its customers who are firms that are content providers, sinks, or subsidiary ISPs. Demand from these customers is variable, and they have different impacts on the resources that the transit ISP needs to provision. Using measured data from several networks, we design a fair and flexible billing scheme that correctly identifies the impact of each customer on the amount of provisioning needed. While the customer set in the first problem is finite, many marketplaces deal with a very large number of agents that each have ephemeral lifetimes. Here, agents arrive, participate in the market for some time, and then vanish. We consider two such markets in such a regime.
The first is one of apps on mobile devices that compete against each other for cellular data service, while the second is on service marketplaces wherein many providers compete with each other for jobs that consider both prices and provider reputations while making choices between them. Our goal is to show that a Mean Field Game can be used to accurately approximate these systems, determine how prices are set, and characterize the nature of equilibria in such markets. Finally, we consider efficiency metrics in large scale resource sharing networks in which bilateral exchange of resources is the norm. In particular, we consider peer-to-peer (P2P) file sharing under which peers obtain chunks of a file from each other. Here, contrary to the intuition that chunks must be shared whenever one peer has one of value to another, we show that a measure of suppression is needed to utilize resources efficiently. In particular, we propose a simple and stable algorithm entitled Mode suppression that attains near optimal file sharing times by disallowing the sharing of the most frequent chunks in the system

    TOWARDS PRIVACY-PRESERVING AND ROBUST WEB OVERLAYS

    Ph.D, DOCTOR OF PHILOSOPHY

    Parallel and Distributed Computing

    The 14 chapters presented in this book cover a wide variety of representative works ranging from hardware design to application development. Particularly, the topics that are addressed are programmable and reconfigurable devices and systems, dependability of GPUs (General Purpose Units), network topologies, cache coherence protocols, resource allocation, scheduling algorithms, peer-to-peer networks, large-scale network simulation, and parallel routines and algorithms. In this way, the articles included in this book constitute an excellent reference for engineers and researchers who have particular interests in each of these topics in parallel and distributed computing

    Scalable download protocols

    Scalable on-demand content delivery systems, designed to effectively handle increasing request rates, typically use service aggregation or content replication techniques. Service aggregation relies on one-to-many communication techniques, such as multicast, to efficiently deliver content from a single sender to multiple receivers. With replication, multiple geographically distributed replicas of the service or content share the load of processing client requests and enable delivery from a nearby server. Previous scalable protocols for downloading large, popular files from a single server include batching and cyclic multicast. Analytic lower bounds developed in this thesis show that neither of these protocols consistently yields performance close to optimal. New hybrid protocols are proposed that achieve within 20% of the optimal delay in homogeneous systems, as well as within 25% of the optimal maximum client delay in all heterogeneous scenarios considered. In systems utilizing both service aggregation and replication, well-designed policies determining which replica serves each request must balance the objectives of achieving high locality of service, and high efficiency of service aggregation. By comparing classes of policies, using both analysis and simulations, this thesis shows that there are significant performance advantages in using current system state information (rather than only proximities and average loads) and in deferring selection decisions when possible. Most of these performance gains can be achieved using only “local” (rather than global) request information. Finally, this thesis proposes adaptations of already proposed peer-assisted download techniques to support a streaming (rather than download) service, enabling playback to begin well before the entire media file is received. These protocols split each file into pieces, which can be downloaded from multiple sources, including other clients downloading the same file.
Using simulations, a candidate protocol is presented and evaluated. The protocol includes both a piece selection technique that effectively mediates the conflict between achieving high piece diversity and the in-order requirements of media file playback, as well as a simple on-line rule for deciding when playback can safely commence

    Proceedings of The 13. Nordic Workshop on Secure IT Systems, NordSec 2008, Kongens Lyngby Oct 9-10, 2008
