Dhananjay S. Phatak

Preemptive routing in Ad Hoc networks

Existing on-demand ad-hoc routing algorithms initiate route discovery only after a path breaks, incurring a significant cost in detecting the disconnection and establishing a new route. In this work, we investigate adding proactive route selection and maintenance to on-demand ad-hoc routing algorithms. More specifically, when a path is likely to be broken, a warning is sent to the source indicating the likelihood of a disconnection. The source can then initiate path discovery early, potentially avoiding the disconnection altogether. A path is considered likely to break when the received packet power becomes close to the minimum detectable power (other approaches are possible). Care must be taken to avoid initiating false route warnings due to fluctuations in received power caused by fading, multipath effects and similar random transient phenomena. Experiments demonstrate that adding proactive route selection and maintenance to DSR and AODV (on-demand ad hoc routing protocols) significantly reduces the number of broken paths, with a small increase in protocol overhead. Packet latency and jitter also goes down in most cases. We also show some experimental results obtained by running TCP on top of the proactive routing schemes proposed. Several improvements and extensions are also discussed. Pro-active route selection and maintenance is general and can be used with other routing algorithms and optimizations to them.

A novel mechanism for data streaming across multiple IP links for improving throughput and reliability in mobile environments

With ubiquitous computing and network access, multiple network conduits are becoming available to mobile as well as static hosts. Selection of the preferred mode of data transfer is a dynamic optimization problem depending on the type of application, its bandwidth/latency/jitter requirements, current network status, cost, power consumption, battery life, and so on. Furthermore, since wireless bandwidth is likely to remain a scarce resource, we foresee scenarios wherein mobile hosts require simultaneous data transfer across multiple IP interfaces to obtain higher overall bandwidth. We present a brief overview of related work identifying schemes that might be applicable to the problem, along with their feasibility, and pros and cons. We then propose a new mechanism to aggregate the bandwidth of multiple IP links by splitting a data flow across multiple network interfaces at the IP level. Our method is transparent to transport (TCP/UDP) and higher layers. We have analyzed the performance characteristics of the aggregation scheme and demonstrated significant gain when the links being aggregated have similar bandwidth and latency. The use of multiple interfaces also enhances reliability. Our analysis identifies the conditions under which the proposed scheme, or any other scheme that stripes a single TCP connection across multiple IP links, can be used to enhance throughput. Several interesting directions for future work have also been identified.

Introducing the trusted virtual environment module: a new mechanism for rooting trust in cloud computing

We introduce a new mechanism for rooting trust in a cloud computing environment called the Trusted Virtual Environment Module (TVEM). The TVEM helps solve the core security challenge of cloud computing by enabling parties to establish trust relationships where an information owner creates and runs a virtual environment on a platform owned by a separate service provider. The TVEM is a software appliance that provides enhanced features for cloud virtual environments over existing Trusted Platform Module virtualization techniques, which includes an improved application program interface, cryptographic algorithm flexibility, and a configurable modular architecture. We define a unique Trusted Environment Key that combines trust from the information owner and the service provider to create a dual root of trust for the TVEM that is distinct for every virtual environment and separate from the platforms trust. This paper presents the requirements, design, and architecture of our approach.

Preemptive routing in ad hoc networks

Routing in ad hoc networks is a challenging problem because nodes are mobile and links are continuously being created and broken. Existing on-demand ad hoc routing algorithms initiate route discovery only after a path breaks, incurring a significant cost in detecting the disconnection and establishing a new route. In this work, we investigate adding proactive route selection and maintenance to on-demand ad hoc routing algorithms. More specifically, when a path is likely to be broken, a warning is sent to the source indicating the likelihood of a disconnection. The source can then initiate path discovery early, potentially avoiding the disconnection altogether. A path is considered likely to break when the received packet power becomes close to the minimum detectable power (other approaches are possible). Care must be taken to avoid initiating false route warnings due to fluctuations in received power caused by fading, multipath effects and similar random transient phenomena. Experiments demonstrate that adding proactive route selection and maintenance to DSR and AODV (on-demand ad hoc routing protocols) significantly reduces the number of broken paths, with a small increase in protocol overhead. Packet latency and jitter go down in most cases. Because preemptive routing reduces the number of broken paths, it also has a secondary effect on TCP performance--unnecessary congestion handling measures are avoided. This is observed for TCP traffic under different traffic patterns (telnet, ftp and http). Additionally, we outline some problems in TCP performance in ad hoc environments.

Investigating the Fault Tolerance of Neural Networks

Particular levels of partial fault tolerance (PFT) in feedforward artificial neural networks of a given size can be obtained by redundancy (replicating a smaller normally trained network), by design (training specifically to increase PFT), and by a combination of the two (replicating a smaller PFT-trained network). This letter investigates the method of achieving the highest PFT per network size (total number of units and connections) for classification problems. It concludes that for nontoy problems, there exists a normally trained network of optimal size that produces the smallest fully fault-tolerant network when replicated. In addition, it shows that for particular network sizes, the best level of PFT is achieved by training a network of that size for fault tolerance. The results and discussion demonstrate how the outcome depends on the levels of saturation of the network nodes when classifying data points. With simple training tasks, where the complexity of the problem and the size of the network are well within the ability of the training method, the hidden-layer nodes operate close to their saturation points, and classification is clean. Under such circumstances, replicating the smallest normally trained correct network yields the highest PFT for any given network size. For hard training tasks (difficult classification problems or network sizes close to the minimum), normal training obtains networks that do not operate close to their saturation points, and outputs are not as close to their targets. In this case, training a larger network for fault tolerance yields better PFT than replicating a smaller, normally trained network. However, since fault-tolerant training on its own produces networks that operate closer to their linear areas than normal training, replicating normally trained networks ultimately leads to better PFT than replicating fault-tolerant networks of the same initial size.

Clustering for personalized mobile Web usage

Web access from mobile devices presents its own unique challenges because of severe resource constraints on the mobile devices (power, form factor, bandwidth, etc.). Hence, instead of reacting to a users requests, it would be better to try and predict a users actions. This would allow time for the server (on the fixed-wired side) to pre-fetch data and pre-process it into a wireless-friendly format (such as the PQA format required by Palm Pilots). Information that flows on the wireless link should be tailored to match what the user wants (rather than making the user wander through Web, which wastes bandwidth and increases latency experienced by the user). Adaptive user clustering and profiling is essential to be able to accurately predict user actions. In this paper we present results of our clustering and personalization project. We compare several distance measures used in clustering. We introduce a new measure to assess the quality of clustering independent of the distance measure used in the clustering-algorithm. We also compare different strategies.

IP-in-IP tunneling to enable the simultaneous use of multiple IP interfaces for network level connection striping

With ubiquitous computing and network access now a reality, multiple network conduits are become widely available to mobile as well as static hosts: for instance wired connections, 802.11 style wireless LANs, Bluetooth, and cellular phone modems. Selection of the preferred mode of data transfer is a dynamic optimization problem which depends on the type of application, its bandwidth/latency/jitter requirements, current network conditions (such as congestion or traffic patterns), cost, power consumption, battery life, and so on. Furthermore, since wireless bandwidth is likely to remain a scarce resource, we foresee scenarios wherein mobile hosts will require simultaneous data transfer across multiple IP interfaces to obtain higher overall bandwidth.We present a brief overview of existing work which enables the simultaneous use of multiple network interfaces and identify the applicability as well as strengths and weaknesses of these related approaches. We then propose a new mechanism to aggregate the bandwidth of multiple IP paths by splitting a data flow across multiple network interfaces at the IP level. We have analyzed the performance characteristics of our aggregation scheme and demonstrate significant gains when the network paths being aggregated have similar bandwidth and latency characteristics. In addition, our method is transparent to transport (TCP/UDP) and higher layers, and allows the use of multiple network interfaces to enhance reliability. Our analysis identifies the conditions under which the proposed scheme, or any other scheme that stripes a single TCP connection across multiple IP paths, can be used to increase throughput.

Fast modular reduction for large wordlengths via one linear and one cyclic convolution

Modular reduction is a fundamental operation in cryptographic systems. Most well known modular reduction methods including Barretts and Montgomerys algorithms leverage some-pre computations to avoid divisions so that the main complexity of these methods lies in a sequence of two long multiplications. For large wordlengths a multiplication which is tantamount to a linear convolution is performed via the fast Fourier transform (FFT) or other transform-based techniques as in the Schonhage-Strassen multiplication algorithm. We show a fundamental property (the separation principle): in a modular reduction based on long multiplications, the linear convolution required by one of the two long multiplications can be replaced by a cyclic convolution, and the halves can be separated using other information available due to the intrinsic redundancy of the operations. This reduces the number of operations by about 25%. We demonstrate that both Barretts and Montgomerys methods can be sped up by using the aforementioned fundamental principle. It is shown that a direct application of this algorithm to modular exponentiation (either using Barretts or Montgomerys methods) can be expected to yield about about 17% speedup.

Location authentication through Power Line Communication: Design, protocol, and analysis of a new out-of-band strategy

We propose using Power Line Communication (PLC) as a second channel for data origin authentication, and we present a system architecture and protocol for doing so taking advantage of existing infrastructure for communicating over power lines. Our system connects a users computer to a secure electric meter in his building via a secure Human Authorization Detector (HAD). The electric meter, which has a unique secret identifier and encryption key, communicates securely with the trusted Power Grid Server (PG) through PLC. Upon request from an Internet Application Server (AS), the user sends a location certificate to the AS, obtained via PLC from the PG and signed by the PG. Because PLC requires physical access to the electric meter, our system offers fine-grain location authentication. Unlike movable modems and dongles, the meter is permanently attached to the users building. The user authorizes or denies certificate requests and deliveries by reading the HADs display and pushing a button on the HAD, thus protecting against the possible threat of malware on the users computer maliciously requesting or forwarding location certificates unauthorized by the user. Our system provides strong location authentication useful to many online applications, such as banking and SCADA systems. PLC offers finer-grain location authentication than do cellular telephones. Furthermore, the power grid is deployed widely and is highly reliable, even in many places where cellular telephone and GPS signals are obstructed or unavailable. We present our architecture and Power line Location Authentication Protocol (PLAP) in sufficient detail to permit further implementation and analysis.

Spread-Identity mechanisms for DOS resilience and Security.

The explosive growth in wireless (and wired) networking technologies and services indicates that multiple means of network connectivity will become available in the near future. For example, stationary and mobile hosts currently support Internet access via wired LANs, Wireless LANs/PANs (e.g., 802.11x, 802.15) or wide area wireless cellular phone and data networks (like GSM). In essence, heterogeneous multi-homing is now a necessity for all hosts (mobile or non-mobile). In order to tap the full potential of such heterogeneous multi-homing, we introduce the novel “Spread Identity (SI)” communications paradigm. Therein, the concept of multi-homing is extended to allow each interface to simultaneously assume multiple addresses and dynamically acquire and release them as needed which is tantamount to “Spreading Identity” at the network( IP) level and has fundamental implications for security. In this paper we show how the spread Identity mechanisms can effectively (1) Mitigate DDOS attacks by rate-limiting the number of name-resolution responses. (2) Quickly detect and neutralize resource-overload type DDOS attacks that cannot be prevented by rate-limiting (3) Enable surviving the remaining types of DDOS attacks by quenching destination addresses they target (in essence by changing the Identity) (4) and preventing future attack flows by returning NULL addresses, and re-directing the attackers against one-another. We demonstrate that Spread Identity mechanisms can also be leveraged to bolster the security of single sourceto- destination flows. SI mechanisms can attain the same level of security as that of a single link with Strong Security Infrastructure (SSI) at a lower cost (in terms of the infrastructure required and the encryption effort needed). The fundamental concept of Spreading-Identity revealed herein is more general and potentially applicable to other scenarios beyond Internet/Electronic communications.