Edgard Jamhour

Intrusion detection in virtual machine environments

A virtual machine is a software replica of an underlying real machine. Multiple virtual machines can operate on the same host machine concurrently, without interfere each other. Such concept is becoming valuable in production computing systems, due to its benefits in terms of costs and portability. As they provide a strong isolation between the virtual environment and the underlying real system, virtual machines can also be used to improve the security of a computer system in face of attacks to its network services. This work presents a new approach to achieve this goal, by applying intrusion detection techniques to virtual machine based systems, thus keeping the intrusion detection system out of reach from intruders. The results obtained from a prototype implementation confirm the usefulness of this approach.

Protecting host-based intrusion detectors through virtual machines

Intrusion detection systems continuously watch the activity on a network or computer, looking for attack and intrusion evidences. However, host-based intrusion detectors are particularly vulnerable, as they can be disabled or tampered by successful intruders. This work proposes and implements an architecture model aimed to protect host-based intrusion detectors, through the application of the virtual machine concept. Virtual machine environments are becoming an interesting alternative for several computing systems due to their advantages in terms of cost and portability. The architecture proposed here makes use of the execution spaces separation provided by a virtual machine monitor, in order to separate the intrusion detection system from the system under monitoring. As a consequence, the intrusion detector becomes invisible and inaccessible to intruders. The prototype implementation and the tests performed show the viability of this solution.

Planning smooth trajectories along parametric paths

In this paper we present a flexible method for representing and optimizing smooth trajectories along specified paths for robotic applications. The main idea of this approach consists in defining the geometric path and the kinematics of the trajectory by independent parametric functions. The geometric path in the joint space can be any parametric curve q(u), the only restriction is that q must be twice differentiable with respect to the parameter u. The kinematics of the trajectory is defined by modulating the parameter u with respect to the time by a C2 piecewise cubic spline function. The trajectory is optimized using a non-linear programming approach capable of accommodating various constraints and different optimization criteria.

RSVP policy control using XACML

This work proposes a XML-based framework for distributing and enforcing RSVP access control policies, for RSVP-aware application servers. Policies are represented by extending XACML, the general purpose access control language proposed by OASIS. Because RSVP is a specific application domain, it is not directly supported by the XACML standard. Hence, this work defines the XACML extensions required for representing and transporting the RSVP access control policy information. The XACML-based framework is proposed as an alternative to the IETF PCIM-based approach. Both approaches are compared in this paper.

Substituting COPS-PR: an evaluation of NETCONF and SOAP for policy provisioning

The COPS-PR protocol has been defined by the IETF to provide policy provisioning in networks managed through the policy-based network management approach. Although some network players already ship their devices with proper COPS-PR support, there is a trend in the industry and in the IETF of discontinuing COPS-PR as a policy protocol. Meanwhile, two other protocols, namely NETCONF and SOAP, have been seriously considered in the network management field. This paper proposes and evaluates both NETCONF and SOAP as substitutes for COPS-PR, presenting how these protocols can be used for policy provisioning. The performance evaluation of NETCONF and SOAP against COPS-PR addresses two main aspects: network usage as a result of protocol overhead, and protocol delay as a result of protocol message processing. This study shows that both NETCONF and SOAP are interesting and feasible replacements for COPS-PR, but require appropriate modeling when deployed in networks

An Efficient Distributed Algorithm for Constructing Spanning Trees in Wireless Sensor Networks

Monitoring and data collection are the two main functions in wireless sensor networks (WSNs). Collected data are generally transmitted via multihop communication to a special node, called the sink. While in a typical WSN, nodes have a sink node as the final destination for the data traffic, in an ad hoc network, nodes need to communicate with each other. For this reason, routing protocols for ad hoc networks are inefficient for WSNs. Trees, on the other hand, are classic routing structures explicitly or implicitly used in WSNs. In this work, we implement and evaluate distributed algorithms for constructing routing trees in WSNs described in the literature. After identifying the drawbacks and advantages of these algorithms, we propose a new algorithm for constructing spanning trees in WSNs. The performance of the proposed algorithm and the quality of the constructed tree were evaluated in different network scenarios. The results showed that the proposed algorithm is a more efficient solution. Furthermore, the algorithm provides multiple routes to the sensor nodes to be used as mechanisms for fault tolerance and load balancing.

An XML model for SLA definition with key indicators

This work proposes a XML-based model for the specification of service level agreements (SLA). The model has XML elements to define a semantic to represent key performance indicators (KPI) and key quality indicators (KQI) and the relationship between them. Upper and lower thresholds are associated to the indicators in order to indicate warnings or errors conditions. The relationship between the indicators is expressed by reusable functions which are evoked by the XML-based model. An example of reusable function for calculating the KQI service availability based on KPI indicators is also presented in this paper.

Optimal DiffServ AC Design using Non-Linear Programming

Most DiffServ admission control (AC) algorithms rely on tuning parameters to help in the decision making. Tuning these parameters is a difficult task, especially when one considers the problem of assuring QoS guarantees to individual flows. This paper proposes a method for helping the design of DiffServ AC algorithms based on non-linear programming optimization. It enables to find the values for the AC parameters that permits to satisfy the QoS guarantees for individual VoIP flows, while minimizing a cost function that represents the performance goals of the service provider. This approach is used to compare the performance of some commonly used DiffServ AC techniques and also to design a novel AC algorithm based on queue estimates.

A Policy Based Framework for Access Control

This paper presents a policy-based framework for managing access control in distributed heterogeneous systems. This framework is based on the PDP/PEP approach. The PDP (Policy Decision Point) is a network policy server responsible for supplying policy information for network devices and applications. The PEP (Policy Enforcement Point) is the policy client (usually, a component of the network device/application) responsible for enforcing the policy. The communication between the PDP and the PEP is implemented by the COPS protocol, defined by the IETF. The COPS (Common Open Policy Service) protocol defines two modes of operation: outsourcing and provisioning. The choice between outsourcing and provisioning is supposed to have an important influence on the policy decision time. This paper evaluates the outsourcing model for access control policies based on the RBAC (Role-Based Access Control) model. The paper describes a complete implementation of the PDP/PEP framework, and presents the average response time of PDP under different load conditions.

A Clustered SDN Architecture for Large Scale WSON

Software defined network (SDN) allows the rethinking of traditional approaches to network design and architecture. The distribution of the unified control-plane can be necessary in several SDN scenarios, particularly for large scale inter-domain optical networks. Distribution is necessary in inter-domain networks due to privacy issues, and can be necessary in large networks to improve scalability and management. This paper proposes a new architectural model in which network elements are grouped by proximity (in clusters) around distributed SDN controllers. The Open Flow protocol with wavelength switching extensions is used for intra-cluster control while inter-cluster coordination is performed by a new control application. The proposed model is applied to large-scale wavelength switched optical networks (WSON) and is validated by simulation. The results show that to increase the number of controllers is not justifiable if the only concern is the setup time performance. However, a multi-cluster approach is advantageous when light paths are created more frequently between nearby nodes. Also, the clustered SDN can be successfully used in a multi-administrative domain, because inter-domain light paths can be created while keeping the privacy of the network information within a cluster.