Cristina L. Abad

An Analysis on the Schemes for Detecting and Preventing ARP Cache Poisoning Attacks

The address resolution protocol (ARP) is used by computers to map network addresses (IP) to physical addresses (MAC). The protocol has proved to work well under regular circumstances, but it was not designed to cope with malicious hosts. By performing ARP cache poisoning or ARP spoofing attacks, an intruder can impersonate another host (man-in-the-middle attack) and gain access to sensitive information. Several schemes to mitigate, detect and prevent these attacks have been proposed, but each has its limitations. In this paper we analyze each of these schemes, identify their strengths and weaknesses, and propose guidelines for the design of an alternative and (arguably) better solution to the problem of ARP cache poisoning.

Log correlation for intrusion detection: a proof of concept

Intrusion detection is an important part of networked-systems security protection. Although commercial products exist, finding intrusions has proven to be a difficult task with limitations under current techniques. Therefore, improved techniques are needed. We argue the need for correlating data among different logs to improve intrusion detection systems accuracy. We show how different attacks are reflected in different logs and argue that some attacks are not evident when a single log is analyzed. We present experimental results using anomaly detection for the virus Yaha. Through the use of data mining tools (RIPPER) and correlation among logs we improve the effectiveness of an intrusion detection system while reducing false positives.

DARE: Adaptive Data Replication for Efficient Cluster Scheduling

Placing data as close as possible to computation is a common practice of data intensive systems, commonly referred to as the data locality problem. By analyzing existing production systems, we confirm the benefit of data locality and find that data have different popularity and varying correlation of accesses. We propose DARE, a distributed adaptive data replication algorithm that aids the scheduler to achieve better data locality. DARE solves two problems, how many replicas to allocate for each file and where to place them, using probabilistic sampling and a competitive aging algorithm independently at each node. It takes advantage of existing remote data accesses in the system and incurs no extra network usage. Using two mixed workload traces from Face book, we show that DARE improves data locality by more than 7 times with the FIFO scheduler in Hadoop and achieves more than 85% data locality for the FAIR scheduler with delay scheduling. Turnaround time and job slowdown are reduced by 19% and 25\%, respectively.

A storage-centric analysis of MapReduce workloads: File popularity, temporal locality and arrival patterns

A huge increase in data storage and processing requirements has lead to Big Data, for which next generation storage systems are being designed and implemented. However, we have a limited understanding of the workloads of Big Data storage systems. We consider the case of one common type of Big Data storage cluster: a cluster dedicated to supporting a mix of MapReduce jobs. We analyze 6-month traces from two large Hadoop clusters at Yahoo! and characterize the file popularity, temporal locality, and arrival patterns of the workloads. We identify several interesting properties and compare them with previous observations from web and media server workloads. To the best of our knowledge, this is the first study of how MapReduce workloads interact with the storage layer.

Natjam: design and evaluation of eviction policies for supporting priorities and deadlines in mapreduce clusters

This paper presents Natjam, a system that supports arbitrary job priorities, hard real-time scheduling, and efficient preemption for Mapreduce clusters that are resource-constrained. Our contributions include: i) exploration and evaluation of smart eviction policies for jobs and for tasks, based on resource usage, task runtime, and job deadlines; and ii) a work-conserving task preemption mechanism for Mapreduce. We incorporated Natjam into the Hadoop YARN scheduler framework (in Hadoop 0.23). We present experiments from deployments on a test cluster, Emulab and a Yahoo! Inc. commercial cluster, using both synthetic workloads as well as Hadoop cluster traces from Yahoo!. Our results reveal that Natjam incurs overheads as low as 7%, and is preferable to existing approaches.

A survey and comparison of end-system overlay multicast solutions suitable for network-centric warfare

Multicasting at the IP layer has not been widely adopted due to a combination of technical and non-technical issues. End-system multicast (also called application-layer multicast) is an attractive alternative to IP layer multicast for reasons of user management (set-up and control) and attack avoidance. Sessions can be established on demand such that there are no static points of failure to target in advance. In end-system multicast, an overlay network is built on top of available network services and packets are multicasted at the application layer. The overlay is organized such that each end host participating in a multicast communication re-sendsmulticasted messages to some of its peers, but not all of them. Thus end-system multicast allows users to manage multicast sessions under varying network conditions without being dependent on specific network conditions or specific network equipment maintaining multicast state information. In this paper we describe a variety of proposed end-system multicast solutions and classify them according to characteristics such as overlay building technique, management, and scalability. Comparing these characteristics across different end-system multicast solutions is a step toward understanding which solutions are appropriate for different battlespace requirements and where further research is needed.

Preventing ARP cache poisoning attacks: A proof of concept using OpenWrt

The Address Resolution Protocol (ARP) is used by computers to map network addresses (IP) to physical addresses (MAC). The protocol has proved to work well under regular circumstances, but it was not designed to cope with malicious hosts. By performing ARP cache poisoning or ARP spoofing attacks, an intruder can impersonate another host (man-in-the-middle attack) and gain access to sensitive information. Several schemes to mitigate, detect and prevent these attacks have been proposed, but each has its limitations. In this paper we propose a solution to the problem that can be implemented in SOHOs using low-end networking equipment running the OpenWrt firmware. The solution proposed is effective and inexpensive and presents several advantages over other existing prevention methods.

Adding confidentiality to application-level multicast by leveraging the multicast overlay

While scalability, routing and performance are core issues for application-level multicast (ALM) protocols, an important but less studied problem is security. In particular, confidentiality (i.e. data secrecy, achieved through data encryption) in ALM protocols is needed. Key management schemes must be simple, scalable, and must not degrade the performance of the ALM protocol. We explore three key management schemes that leverage the underlying overlay to distribute the key(s) and secure ALM. We evaluate their impact on three well-known ALM protocols: ESM, ALMI and NICE. Through analysis and simulations, we show that utilizing the ALM overlay to distribute key(s) is feasible. For a given ALM protocol, choice of the best key management scheme depends on the application needs: minimizing rekeying latency or minimizing data multicasting latency.

Metadata Traces and Workload Models for Evaluating Big Storage Systems

Efficient namespace metadata management is increasingly important as next-generation file systems are designed for peta and exascales. New schemes have been proposed, however, their evaluation has been insufficient due to a lack of appropriate namespace metadata traces. Specifically, no Big Data storage system metadata trace is publicly available and existing ones are a poor replacement. We studied publicly available traces and one Big Data trace from Yahoo! and note some of the differences and their implications to metadata management studies. We discuss the insufficiency of existing evaluation approaches and present a first step towards a statistical metadata workload model that can capture the relevant characteristics of a workload and is suitable for synthetic workload generation. We describe Mimesis, a synthetic workload generator, and evaluate its usefulness through a case study in a least recently used metadata cache for the Hadoop Distributed File System. Simulation results show that the traces generated by Mimesis mimic the original workload and can be used in place of the real trace providing accurate results.

Learning through creating learning objects: experiences with a class project in a distributed systems course

An alternative to a final programming project in a Distributed Systems course is presented. The alternative project, which can easily be adapted to several Computer Science courses, consists in assigning different course topics to pairs of students, for them to develop an interactive learning object to help their classmates and future students of the class understand the subject. The project was well received by the students of the class, and their comments and survey results suggest that their knowledge on the subject improved both by using the learning objects of their peers and by working in developing their own.