
    Models, Algorithms, and Architectures for Scalable Packet Classification

    The growth and diversification of the Internet imposes increasing demands on the performance and functionality of network infrastructure. Routers, the devices responsible for switching and directing traffic in the Internet, are being called upon not only to handle increased volumes of traffic at higher speeds, but also to impose tighter security policies and to support a richer set of network services. This dissertation addresses the searching tasks performed by Internet routers in order to forward packets and apply network services to packets belonging to defined traffic flows. As these searching tasks must be performed for each packet traversing the router, the speed and scalability of the solutions to the route lookup and packet classification problems largely determine the realizable performance of the router, and hence of the Internet as a whole. Despite the energetic attention of the academic and corporate research communities, there remains a need for search engines that scale to support faster communication links, larger route tables and filter sets, and increasingly complex filters. The major contributions of this work include the design and analysis of a scalable hardware implementation of a Longest Prefix Matching (LPM) search engine for route lookup, a survey and taxonomy of packet classification techniques, a thorough analysis of packet classification filter sets, the design and analysis of a suite of performance evaluation tools for packet classification algorithms and devices, and a new packet classification algorithm that scales to support high-speed links and large filter sets classifying on additional packet fields.
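    The two per-packet searches the abstract refers to, shown as an added example that is not code from the dissertation: a binary trie for IPv4 longest-prefix match (route lookup) and a priority-ordered multi-field filter set (packet classification, i.e. the firewall/ACL case). The routes, filters and packets are constructed here for illustration; the classifier is a deliberately naive linear scan, which is the per-packet cost that scalable classification algorithms set out to cut.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


class PrefixTrie:
    """Binary trie for IPv4 longest-prefix match. Each node is a dict with
    optional '0'/'1' children and an optional 'hop' (the route's next hop)."""

    def __init__(self) -> None:
        self.root: dict = {}

    def insert(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        bits = format(int(net.network_address), "032b")[: net.prefixlen]
        node = self.root
        for b in bits:
            node = node.setdefault(b, {})
        node["hop"] = next_hop          # a /0 lands on the root itself

    def lookup(self, addr: str) -> Optional[str]:
        """Walk the destination bits; remember the deepest node carrying a hop."""
        node = self.root
        best = node.get("hop")
        for b in format(int(ipaddress.ip_address(addr)), "032b"):
            node = node.get(b)
            if node is None:
                break
            best = node.get("hop", best)
        return best


@dataclass(frozen=True)
class Filter:
    priority: int             # lower number wins, like rule order in a firewall
    src: str                  # CIDR prefix
    dst: str                  # CIDR prefix
    proto: Optional[int]      # IP protocol number, None = any
    dport: Tuple[int, int]    # inclusive destination-port range
    action: str


def matches(f: Filter, src: str, dst: str, proto: int, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(f.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(f.dst)
            and (f.proto is None or f.proto == proto)
            and f.dport[0] <= dport <= f.dport[1])


def classify(filters: List[Filter], src: str, dst: str, proto: int, dport: int) -> Filter:
    """Return the highest-priority matching filter (linear scan, O(#filters))."""
    return min((f for f in filters if matches(f, src, dst, proto, dport)),
               key=lambda f: f.priority)


# Constructed route table and filter set (hypothetical addressing).
ROUTES = [("0.0.0.0/0", "uplink"), ("10.0.0.0/8", "core"),
          ("10.0.1.0/24", "dmz"), ("10.0.1.128/25", "dmz-b")]

FILTERS = [
    Filter(10, "192.168.0.0/16", "10.0.0.0/8", 6, (22, 22), "permit"),     # admin net may SSH in
    Filter(20, "0.0.0.0/0", "10.0.0.0/8", 6, (22, 22), "deny"),            # nobody else may
    Filter(30, "0.0.0.0/0", "10.0.1.10/32", 6, (443, 443), "permit"),      # public HTTPS host
    Filter(1000, "0.0.0.0/0", "0.0.0.0/0", None, (0, 65535), "deny"),      # default deny
]


def build_trie() -> PrefixTrie:
    trie = PrefixTrie()
    for prefix, hop in ROUTES:
        trie.insert(prefix, hop)
    return trie


if __name__ == "__main__":
    trie = build_trie()
    for dst in ("10.0.1.200", "10.0.1.5", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", trie.lookup(dst))
    pkt = ("203.0.113.9", "10.0.0.7", 6, 22)
    print(pkt, "->", classify(FILTERS, *pkt).action)
```

Note that two filters (priorities 10 and 20) overlap on the same 5-tuple region and only the priority resolves them; scalable classifiers must preserve exactly this ordering while avoiding the scan.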

    On the security of NoSQL cloud database services

    Processing the vast volume of data generated by web, mobile and Internet-enabled devices requires a scalable and flexible data management system. Database-as-a-Service (DBaaS) is a new cloud computing paradigm promising cost-effective, scalable, fully managed database functionality that meets the requirements of online data processing. Although DBaaS offers many benefits, it also introduces new threats and vulnerabilities. While many traditional data processing threats remain, DBaaS introduces new challenges such as confidentiality violation and information leakage in the presence of privileged malicious insiders, and adds a new dimension to data security. We address the problem of building a secure DBaaS for a public cloud infrastructure in which the Cloud Service Provider (CSP) is not completely trusted by the data owner. We present a high-level description of several architectures that combine modern cryptographic primitives to achieve this goal. A novel searchable security scheme is proposed to enable secure query processing in the presence of a malicious cloud insider without disclosing sensitive information. A holistic database security scheme comprising data confidentiality and information leakage prevention is proposed in this dissertation. The main contributions of our work are: (i) a searchable security scheme for the non-relational databases of cloud DBaaS; (ii) leakage minimization in the untrusted cloud. The analysis of experiments that employ a set of established cryptographic techniques to protect databases and minimize information leakage shows that the performance of the proposed solution is bounded by communication cost rather than by the cryptographic computational effort.
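    An added example of the kind of searchable encryption the abstract describes, written for this page and not the dissertation's own scheme: the client keeps all keys, and the DBaaS side (the untrusted server, standing in for the malicious insider) stores only authenticated ciphertexts plus opaque keyword tags, so it can answer equality queries without learning the keyword or the record contents. The documents and keys are constructed inline. The cipher here is HMAC-SHA256 used as a PRF in counter mode with encrypt-then-MAC, chosen so the example runs on the standard library alone; in a real deployment use AES-GCM or another AEAD.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Set


def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 as a pseudorandom function."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(-(-n // 32)):
        out += prf(key, nonce + ctr.to_bytes(4, "big"))
    return out[:n]


def encrypt(k_enc: bytes, k_mac: bytes, pt: bytes) -> bytes:
    """Length-prefix, pad to a 64-byte multiple (hides exact record length),
    PRF-CTR encrypt under a fresh nonce, then MAC nonce||ciphertext."""
    padded = len(pt).to_bytes(2, "big") + pt
    padded += b"\x00" * (-len(padded) % 64)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(padded, _keystream(k_enc, nonce, len(padded))))
    return nonce + ct + prf(k_mac, nonce + ct)


def decrypt(k_enc: bytes, k_mac: bytes, blob: bytes) -> bytes:
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, prf(k_mac, nonce + ct)):
        raise ValueError("MAC check failed: record was modified on the server")
    padded = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


class UntrustedServer:
    """The DBaaS side: holds ciphertexts and an inverted index keyed by tags."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}
        self.index: Dict[bytes, Set[str]] = defaultdict(set)

    def put(self, doc_id: str, ciphertext: bytes, tags: Set[bytes]) -> None:
        self.store[doc_id] = ciphertext
        for t in tags:
            self.index[t].add(doc_id)

    def search(self, tag: bytes) -> Dict[str, bytes]:
        return {i: self.store[i] for i in self.index.get(tag, set())}

    def insider_view(self) -> dict:
        """What a privileged insider can observe: sizes, tag count, postings."""
        return {"ciphertext_lengths": sorted(len(c) for c in self.store.values()),
                "distinct_tags": len(self.index)}


class Client:
    def __init__(self, master_key: bytes) -> None:
        self.k_idx = prf(master_key, b"index")      # key separation by label
        self.k_enc = prf(master_key, b"encrypt")
        self.k_mac = prf(master_key, b"mac")

    def tag(self, word: str) -> bytes:
        return prf(self.k_idx, word.lower().encode())

    def insert(self, server: UntrustedServer, doc_id: str, text: str) -> None:
        tags = {self.tag(w) for w in text.split()}
        server.put(doc_id, encrypt(self.k_enc, self.k_mac, text.encode()), tags)

    def search(self, server: UntrustedServer, word: str) -> Dict[str, str]:
        hits = server.search(self.tag(word))
        return {i: decrypt(self.k_enc, self.k_mac, c).decode() for i, c in hits.items()}


def demo():
    """Constructed sample records; returns the client/server pair."""
    server, client = UntrustedServer(), Client(os.urandom(32))
    docs = {"d1": "failed login from 10.0.0.5 alert",
            "d2": "nightly backup completed",
            "d3": "alert disk almost full"}
    for doc_id, text in docs.items():
        client.insert(server, doc_id, text)
    return client, server


if __name__ == "__main__":
    client, server = demo()
    print(client.search(server, "alert"))
    print(server.insider_view())
```

The residual leakage is what the abstract's "leakage minimization" targets: the server still sees which record ids match a given tag (access pattern), when the same tag is queried twice (search pattern), and padded lengths; the padding and the MAC are the two cheap mitigations shown here, and the cost per query is one round trip plus the returned ciphertexts, which is why communication rather than cryptography dominates.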

    Advance Reservations of Bandwidth in Computer Networks

    In this thesis, the impact of using advance reservations of bandwidth in a computer network on the performance for both clients and operators of the network is examined. Based on an architecture that uses multi-protocol label switching (MPLS) controlled by bandwidth brokers, a number of services were developed that, compared to today's best-effort or immediate-reservation networks, provide enhanced functionality for clients. These services allow clients to specify requests in a less stringent way than is currently necessary: for example, it is possible to define only the amount of data to be transmitted between two network endpoints, and the management system then determines suitable transmission parameters such as start and stop time and transmission rate. This functionality provides reliable feedback to clients and can serve as a foundation for service-level agreements (SLAs), e.g., guaranteeing deadlines for the transmission of a certain amount of data, which is particularly important in environments where very large amounts of data must be transferred, such as Grid computing systems. The additional services can also be used by network operators to improve the overall utilization of the network. In addition, the various ways of using the additional temporal dimension of the advance reservation service, such as the known duration of transmissions, are suitable for improving network performance. It can be shown that the amount of blocked requests and bandwidth can be considerably decreased by making use of both the services and the additional information available in the given environment. Besides the achievable throughput and the number of admitted requests, the term performance in the context of advance reservation systems also covers other aspects such as failure recovery strategies and the processing time required by the network management system. In the thesis, several strategies to be applied in case of link failures are outlined and examined with respect to their applicability and achievable performance. For example, it can be shown that it is worthwhile to consider not only flows which are active at the time a failure occurs but also flows that are already admitted but not yet active, in order to achieve the best possible performance. In addition to failure recovery, the processing speed of the management system is also of importance. For that purpose, in particular the data structures used by admission control to store the current and future network status need to be examined, since they dominate the processing time of the management system. Two data structures, arrays and a tree which was especially designed for this purpose, were examined with respect to access speed and memory consumption, showing that arrays are superior in both respects in almost any environment.

    Simulated penetration testing and mitigation analysis

    As corporate networks and Internet services become increasingly complex, it is hard to keep an overview of all deployed software, its potential vulnerabilities, and all existing security protocols. Simulated penetration testing was proposed to extend regular penetration testing by transferring gathered information about a network into a formal model and simulating an attacker in this model. Having a formal model of a network enables us to add a defender who tries to mitigate the capabilities of the attacker with their own actions. We name this two-player planning task Stackelberg planning. The goal is to help administrators, penetration testing consultants, and the management level find weak spots in large computer infrastructure and suggest cost-effective mitigations to lower the security risk. In this thesis, we first lay the formal and algorithmic foundations for Stackelberg planning tasks. By building on a classical planning framework, we can benefit from well-studied heuristics, pruning techniques, and other approaches to speed up the search, for example symbolic search. Second, we design a theory for privilege escalation and demonstrate the applicability of our framework to local computer networks. Third, we apply our framework to Internet-wide scenarios by investigating the robustness of both the email infrastructure and the web. Fourth, we make our findings and our toolchain easily accessible via web-based user interfaces.
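    A small Stackelberg planning instance, added here as an illustration and not the thesis's planner or model: the attacker is a classical planner over propositional facts (privilege escalation only ever adds facts, so the task is delete-free and the cheapest plan is found with Dijkstra over fact sets), and the defender is the leader who picks a set of mitigations within a budget to maximise the cost of the attacker's best response. The hosts, exploits, mitigations and costs are a constructed toy network.

```python
import heapq
import itertools
from math import inf
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Tuple


class Action(NamedTuple):
    name: str
    pre: FrozenSet[str]     # facts the attacker needs
    add: FrozenSet[str]     # facts the attacker gains
    cost: int


def A(name: str, pre: Iterable[str], add: Iterable[str], cost: int) -> Action:
    return Action(name, frozenset(pre), frozenset(add), cost)


# Constructed attacker model: access levels on three hosts (ws, web, db).
ATTACKS = [
    A("phish_user",      ["internet"],                    ["user@ws"],  3),
    A("exploit_web_rce", ["internet", "web_cve_unpatched"], ["www@web"], 2),
    A("sudo_misconfig",  ["www@web", "sudo_nopasswd"],    ["root@web"], 1),
    A("kernel_lpe",      ["www@web", "web_kernel_old"],   ["root@web"], 4),
    A("reuse_db_creds",  ["root@web"],                    ["admin@db"], 1),
    A("pivot_ws_db",     ["user@ws", "db_pass_reused"],   ["admin@db"], 2),
]
INITIAL = frozenset({"internet", "web_cve_unpatched", "sudo_nopasswd",
                     "web_kernel_old", "db_pass_reused"})
GOAL = "admin@db"

# Defender (leader) actions: name, cost, facts removed from the initial state.
MITIGATIONS = [
    ("patch_web_app",      2, {"web_cve_unpatched"}),
    ("fix_sudoers",        1, {"sudo_nopasswd"}),
    ("patch_web_kernel",   3, {"web_kernel_old"}),
    ("rotate_db_password", 1, {"db_pass_reused"}),
]


def cheapest_attack(initial: FrozenSet[str], actions: List[Action],
                    goal: str) -> Tuple[float, Optional[List[str]]]:
    """Follower's best response: uniform-cost search over reachable fact sets."""
    start = frozenset(initial)
    best_cost = {start: 0}
    tie = itertools.count()
    queue = [(0, next(tie), start, [])]
    while queue:
        cost, _, state, plan = heapq.heappop(queue)
        if goal in state:
            return cost, plan
        if cost > best_cost.get(state, inf):
            continue
        for act in actions:
            if act.pre <= state and not act.add <= state:
                nxt, ncost = state | act.add, cost + act.cost
                if ncost < best_cost.get(nxt, inf):
                    best_cost[nxt] = ncost
                    heapq.heappush(queue, (ncost, next(tie), nxt, plan + [act.name]))
    return inf, None


def stackelberg(initial: FrozenSet[str], actions: List[Action], goal: str,
                mitigations: list, budget: int) -> dict:
    """Leader enumerates mitigation sets within budget and keeps the one that
    maximises the attacker's cheapest plan cost (ties: cheaper defence)."""
    best_key, best = None, None
    for r in range(len(mitigations) + 1):
        for combo in itertools.combinations(mitigations, r):
            dcost = sum(c for _, c, _ in combo)
            if dcost > budget:
                continue
            removed = set().union(*[facts for _, _, facts in combo])
            acost, plan = cheapest_attack(initial - removed, actions, goal)
            key = (acost, -dcost)
            if best_key is None or key > best_key:
                best_key = key
                best = {"mitigations": [n for n, _, _ in combo], "defender_cost": dcost,
                        "attacker_cost": acost, "attacker_plan": plan}
    return best


if __name__ == "__main__":
    print("no defence:", cheapest_attack(INITIAL, ATTACKS, GOAL))
    for budget in (2, 3):
        print("budget", budget, "->", stackelberg(INITIAL, ATTACKS, GOAL, MITIGATIONS, budget))
```

The exhaustive leader loop is what makes the real problem hard: with n mitigations it calls the attacker planner up to 2^n times, which is why the thesis builds on classical-planning heuristics and pruning instead of enumeration.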

    Numerical Modeling in Civil and Mining Geotechnical Engineering

    This Special Issue (SI) collects fourteen articles published by leading scholars of numerical modeling in civil and mining geotechnical engineering. There is a good balance in the number of published articles, with seven in civil engineering and seven in mining engineering. The software used in the numerical modeling of these articles varies from numerical codes based on continuum mechanics to those based on distinct element methods or mesh-free methods. The studied materials vary from rock, soil, and backfill to tailings. The investigations vary from the mechanical behavior to the hydraulic and thermal responses of infrastructures ranging from pile foundations to tailings dams and underground openings. The SI thus collects a diversity of articles, reflecting the state of the art of numerical modeling applied in civil and mining geotechnical engineering.

    Methods for Efficient and Accurate Discovery of Services

    With an increasing number of services developed and offered in enterprise settings or on the Web, users can hardly verify their requirements manually in order to find appropriate services. In this thesis, we develop a method to discover semantically described services. We exploit comprehensive service and request descriptions so that a wide variety of use cases can be supported. In our discovery method, we compute the matchmaking decision by employing an efficient model checking technique.

    Virtual Reality Games for Motor Rehabilitation

    This paper presents a fuzzy logic based method to track user satisfaction without the need for devices that monitor users' physiological conditions. User satisfaction is the key to any product's acceptance; computer applications and video games provide a unique opportunity to provide a tailored environment for each user that better suits their needs. We have implemented a non-adaptive fuzzy logic model of emotion, based on the emotional component of the Fuzzy Logic Adaptive Model of Emotion (FLAME) proposed by El-Nasr, to estimate player emotion in UnrealTournament 2004. In this paper we describe the implementation of this system and present the results of one of several play tests. Our research contradicts the current literature, which suggests that physiological measurements are needed. We show that it is possible to use a software-only method to estimate user emotion.

    Optimised meta-clustering approach for clustering Time Series Matrices

    The prognostics (health state) of multiple components, represented as time series data stored in vectors and matrices, were processed and clustered more effectively and efficiently using the newly devised 'Meta-Clustering' approach. These time series data are gathered from large applications and systems in diverse fields such as communication, medicine, data mining, audio and visual applications, and sensors. Time series data was chosen as the domain of this research because meaningful information can be extracted about the characteristics of systems and components found in large applications. Also, when it comes to clustering, only time series data allows these data to be grouped according to their life cycle, i.e. from the time at which they were healthy until the time at which they start to develop faults and ultimately fail. A technique that better processes extracted time series data would therefore significantly cut down on space and time consumption, which are both crucial factors in data mining. As a result, this approach improves current state-of-the-art pattern recognition algorithms such as K-NM, as the clusters are identified faster while consuming less space. The project also has practical implications: calculating the distance between similar components faster while consuming less space means that the prognostics of the clustered components can be realised and understood more efficiently. This was achieved by using the Meta-Clustering approach to process and cluster the time series data, first extracting and storing the time series data as a two-dimensional matrix, then implementing an enhanced K-NM clustering algorithm based on the notion of Meta-Clustering, using the Euclidean distance to measure the similarity between the different sets of failure patterns in space. This approach initially classifies and organises each component within its own refined individual cluster. This provides the most relevant set of failure patterns, those showing the highest level of similarity, and discards any unnecessary data that adds no value towards a better understanding of the failure/health state of the component. In the second stage, once these clusters have been obtained, the inner clusters formed initially are grouped into one general cluster that represents the prognostics of all the processed components. The approach was tested on multivariate time series data extracted from IGBT components within Matlab, and the results of this experiment showed that the proposed optimised Meta-Clustering approach does indeed consume less time and space to cluster the prognostics of IGBT components than existing data mining techniques.