Publication


Featured research published by Errin W. Fulp.


international workshop on quality of service | 1998

Paying for QoS: an optimal distributed algorithm for pricing network resources

Errin W. Fulp; Maximilian Ott; Daniel Reininger; Douglas S. Reeves

Network applications require certain individual performance guarantees that can be provided if enough network resources are available. Consequently, contention for the limited network resources may occur. For this reason, networks use flow control to manage network resources fairly and efficiently. This paper presents a distributed microeconomic flow control technique that models the network as competitive markets. In these markets, switches price their link bandwidth based on supply and demand, and users purchase bandwidth so as to maximize their individual quality of service (QoS). This yields a decentralized flow control method that provides a Pareto optimal bandwidth distribution and high utilization (over 90% in simulation results). Discussions about stability and the Pareto optimal distribution are given, as well as simulation results using actual MPEG-compressed video traffic.


Computer Networks | 2004

Bandwidth provisioning and pricing for networks with multiple classes of service

Errin W. Fulp; Douglas S. Reeves

Network service providers purchase large point-to-point connections from network owners, then offer individual users network access at a price. Appropriately provisioning (purchasing) and allocating (pricing) connections remains a difficult problem due to increasing demands and network dynamics. However, connection management is more complex with the deployment of Quality of Service (QoS). This paper describes a scalable connection management strategy for QoS-enabled networks. The management technique maximizes profit, while reducing blocking experienced by users. Important issues regarding demand estimation, connection duration, and pricing intervals, are addressed and analyzed. Simulation results are also provided to demonstrate the viability of the proposed system.


international symposium on computers and communications | 2005

Trie-based policy representations for network firewalls

Errin W. Fulp; Stephen John Tarsa

Network firewalls remain the forefront defense for most computer systems. These critical devices filter traffic by comparing arriving packets to a list of rules, or security policy, in a sequential manner. Unfortunately packet filtering in this fashion can result in significant traffic delays, which is problematic for applications that require strict quality of service (QoS) guarantees. Given this demanding environment, new methods are needed to increase network firewall performance. This paper introduces a new technique for representing a security policy that maintains policy integrity and provides more efficient processing. The policy is represented as an n-ary retrieval tree, also referred to as a trie. The worst case processing requirement for the policy trie is a fraction compared to a list representation, which only considers rules individually (1/5 the processing for TCP/IP networks). Furthermore unlike other representations, the n-ary trie developed in this paper can be proven to maintain policy integrity. The creation of policy trie structures is discussed in detail and their performance benefits are described theoretically and validated empirically.


international conference on network protocols | 1997

On-line dynamic bandwidth allocation

Errin W. Fulp; Douglas S. Reeves

Network multimedia applications require certain performance guarantees that can be provided through proper resource allocation. Allocation techniques are needed to provide these guarantees as efficiently as possible since resources are limited. This paper presents an allocation method called Dynamic Search Algorithm (DSA+). DSA+ is an on-line algorithm that dynamically adjusts the resource allocation based upon the measured quality of service. Advantages of DSA+ include efficient use of resources, reasonable implementation cost and stringent quality of service control. In this paper we demonstrate how DSA+ dynamically allocates bandwidth to achieve a given loss rate for actual variable bit rate MPEG videos. Performance and cost advantages over other allocation methods are presented, as well as allocation for multiple hop connections.


international conference on communications | 2014

Analysis of network address shuffling as a moving target defense

Thomas E. Carroll; Michael B. Crouse; Errin W. Fulp; Kenneth S. Berenhaut

Address shuffling is a type of moving target defense that prevents an attacker from reliably contacting a system by periodically remapping network addresses. Although limited testing has demonstrated it to be effective, little research has been conducted to examine the theoretical limits of address shuffling. As a result, it is difficult to understand how effective shuffling is and under what circumstances it is a viable moving target defense. This paper introduces probabilistic models that can provide insight into the performance of address shuffling. These models quantify the probability of attacker success in terms of network size, quantity of addresses scanned, quantity of vulnerable systems, and the frequency of shuffling. Theoretical analysis shows that shuffling is an acceptable defense if there is a small population of vulnerable systems within a large network address space, however shuffling has a cost for legitimate users. These results will also be shown empirically using simulation and actual traffic traces.


ieee international conference computer and communications | 2006

Parallel Firewall Designs for High-Speed Networks

Errin W. Fulp

In a high-speed environment (e.g. Gigabit Ethernet), a single network firewall is a potential bottleneck and increasingly susceptible to denial of service (DoS) attacks. Although creating a faster single firewall is possible, the performance benefits are only temporary as network speeds continue to increase. Therefore new firewall architectures are needed to meet the demands of high-speed networks. This paper reviews different parallel firewall architectures that have the ability to process packets at high speeds. Each design uses an array of firewalls to enforce a security policy, but will differ on how the array is used. Data-parallel distributes arriving packets across the array allowing greater throughput, while function-parallel distributes the rules which reduces processing delay. In general, the parallel designs are more scalable and significantly faster than a traditional single firewall. Simulation will demonstrate the performance benefits of the parallel designs under realistic conditions.


international conference on networking | 2001

Optimal Provisioning and Pricing of Internet Differentiated Services in Hierarchical Markets

Errin W. Fulp; Douglas S. Reeves

Network service providers contract with network owners for connection rights, then offer individual users network access at a price. Within this hierarchy, the service provider must carefully provision and allocate (price) network resources (e.g. bandwidth). However, determining the appropriate amount to provision and allocate is problematic due to the unpredictable nature of users and market interactions. This paper introduces methods for optimally provisioning and pricing differentiated services. These methods maximize profit, while maintaining a low blocking probability for each service class. The analytical results are validated using simulation under variable conditions. Furthermore, experimental results will demonstrate that higher profits can be obtained through shorter connection contracts.


international conference on network protocols | 1998

Distributed network flow control based on dynamic competitive markets

Errin W. Fulp; Douglas S. Reeves

Network applications require a certain level of network performance for their proper operation. These individual guarantees can be provided if sufficient amounts of network resources are available; however, contention for the limited network resources may occur. For this reason, networks use flow control to manage network resources fairly and efficiently. This paper presents a distributed microeconomic flow control technique that models the network as competitive markets. In these markets switches price their link bandwidth based on supply and demand, and users purchase bandwidth so as to maximize their individual quality of service (QoS). This decentralized flow control method provides a Pareto optimal and equitable (QoS-fair) bandwidth distribution. Simulation results using actual MPEG-compressed video traffic show utilization over 95% and better QoS control than max-min.


acm southeast regional conference | 2007

A taxonomy of parallel techniques for intrusion detection

Patrick S. Wheeler; Errin W. Fulp

Intrusion detection systems (IDS) have become a key component in ensuring the safety of systems and networks. These systems enforce a security policy by inspecting arriving packets for known signatures (patterns). This process actually involves several tasks that collectively incur a significant delay. As network line speeds continue to increase, it is crucial that efficient scalable approaches, such as parallelization, are developed for IDS. In this paper we develop a framework which may be used to classify various approaches to parallelizing intrusion detection systems. Parallelization of IDS can occur at three general levels: node (entire system), component (specific task), and sub-component (function within a specific task). We categorize existing and proposed parallel solutions using our framework, discuss the advantages and disadvantages of each, and provide empirical evaluation of one form of parallelism. Additionally, we introduce the notion of functional parallelism for intrusion detection.


international conference on information technology: new generations | 2011

Ant-Based Cyber Security

Jereme N. Haack; Glenn A. Fink; Wendy M. Maiden; A. David McKinnon; Steven J. Templeton; Errin W. Fulp

We describe a swarming-agent-based, mixed initiative approach to infrastructure defense where teams of humans and software agents defend cooperating organizations in tandem by sharing insights and solutions without violating proprietary boundaries. The system places human administrators at the appropriate level: where they provide system guidance while lower-level agents carry out tasks humans are unable to perform quickly enough to mitigate today's security threats. Cooperative Infrastructure Defense, or CID, uses our ant-based approach to enable dialogue between humans and agents to foster a collaborative problem solving environment, to increase human situational awareness and to influence using visualization and shared control. We discuss theoretical implementation characteristics along with results from recent proof-of-concept implementations.

Collaboration


Top Co-Authors

Glenn A. Fink

Pacific Northwest National Laboratory

Douglas S. Reeves

North Carolina State University

Jereme N. Haack

Pacific Northwest National Laboratory

A. David McKinnon

Pacific Northwest National Laboratory

Wendy M. Maiden

Pacific Northwest National Laboratory
