Gaurav Somani

Policy based resource allocation in IaaS cloud

In present scenario, most of the Infrastructure as a Service (IaaS) clouds use simple resource allocation policies like immediate and best effort. Immediate allocation policy allocates the resources if available, otherwise the request is rejected. Best-effort policy also allocates the requested resources if available otherwise the request is placed in a FIFO queue. It is not possible for a cloud provider to satisfy all the requests due to finite resources at a time. Haizea is a resource lease manager that tries to address these issues by introducing complex resource allocation policies. Haizea uses resource leases as resource allocation abstraction and implements these leases by allocating Virtual Machines (VMs). Haizea supports four kinds of resource allocation policies: immediate, best effort, advanced reservation and deadline sensitive. This work provides a better way to support deadline sensitive leases in Haizea while minimizing the total number of leases rejected by it. Proposed dynamic planning based scheduling algorithm is implemented in Haizea that can admit new leases and prepare the schedule whenever a new lease can be accommodated. Experiments results show that it maximizes resource utilization and acceptance of leases compared to the existing algorithm of Haizea.

Application Performance Isolation in Virtualization

Modern data centers use virtual machine based implementation for numerous advantages like resource isolation, hardware utilization, security and easy management. Applications are generally hosted on different virtual machines on a same physical machine. Virtual machine monitor like Xen is a popular tool to manage virtual machines by scheduling them to use resources such as CPU, memory and network. Performance isolation is the desirable thing in virtual machine based infrastructure to meet Service Level Objectives. Many experiments in this area measure the performance of applications while running the applications in different domains, which gives an insight into the problem of isolation. In this paper we run different kind of benchmarks simultaneously in Xen environment to evaluate the isolation strategy provided by Xen. Results are presented and discussed for different combinations and a case of I/O intensive applications with low response latency has been presented.

DDoS attacks in cloud computing

The effects of distributed denial-of-service (DDoS) attacks on cloud computing are not very similar to those in traditional fixed on-premise infrastructure. In the context of DDoS attacks in multi-tenant clouds, we argue that, instead of just the victim server, multiple other stakeholders are also involved. Some of these important stakeholders are co-hosted virtual servers, physical servers, network resources, and cloud service providers. In this paper, we show through system analysis, experiments, and simulations that these stakeholders are collaterally affected, even though they are not the real targets of the attack. Damages/effects to these stakeholders include performance interference, web service performance, resource race, indirect EDoS (economic denial of sustainability), service downtime, and business losses. The result of our cloud-scale experiment revealed that overall energy consumption and the number of VM migrations are adversely affected owing to DDoS/EDoS attacks. To the best of our knowledge, this work is the first novel contribution in regard to the effect characterization on non-targets in the cloud computing space. We make an effort to identify the targets of these effects and their origins, such as auto-scaling, multi-tenancy, and accounting in the cloud. We argue that there is an immense need to relook at the DDoS solutions in the cloud space where efforts are needed to minimize these effects. Finally, we have identified the detailed requirements of mitigation solutions to DDoS attacks in the cloud with an aim to minimize these effects. We provide an ideal solution design by taking characterization outcomes as important building blocks.

DDoS/EDoS attack in cloud: affecting everyone out there!

DDoS attacks have become fatal attacks in recent times. There are large number of incidents which have been reported recently and caused heavy downtime and economic losses. Evolution of utility computing models like cloud computing and its adoption across enterprises is visible due to many promising features. Effects of DDoS attacks in cloud are no more similar to what they were in traditional fixed or on premise infrastructure. In addition to effects on the service, economic or sustainability effects are significant in the form of Economic Denial of Sustainability (EDoS) attacks. We argue that in a multi-tenant public cloud, multiple stakeholders are involved other than the victim server. Some of these important stakeholders are co-hosted virtual servers, physical server(s), network and, cloud service providers. We have shown through system analysis, experiments and simulations that these stakeholders are indeed affected though they are not the actual targets. Effects to other stakeholders include performance interference, web service performance, resource race, indirect EDoS, downtime and, business losses. Cloud scale simulations have revealed that overall energy consumption and no. of VM migrations are adversely affected due to DDoS/EDoS attacks. Losses to these stakeholders should be properly accounted and there is a need to devise methods to isolate these components well.

Index Page Based EDoS Attacks in Infrastructure Cloud

One of the prominent attribute of cloud is pay-per-use, which can draw in the attackers to detriment the cloud users economically by an attack known as EDoS (Economic Denial of Sustainability) attack. This work identifies a novel class of attack in the area of EDoS attacks. Our focus is on defending the first page of any website i.e. Index Page. One of the important fact about index page attack, is that the index page of any website in this universe is available freely and even without any authentication credentials. To mitigate this attack and substantiate the difference between the legitimate and non-legitimate user, we have analyzed human behaviour of browsing and DARPA DDoS dataset. This analysis has helped us to design various models, ranging from strict to weak index page prevention models. The proposed schemes are implemented as a utility IPA-Defender (Index Page Attack Defender), which works well with minimal overhead and do not affect the legitimate users at all.

Performance isolation and scheduler behavior

Performance isolation is desirable in virtual machine based infrastructures to meet S̲ervice L̲evel O̲bjectives (SLO). In performance isolation, ideally, no virtual machine should affect performance of other co hosted virtual machine. Virtual machine scheduler is the key in allocating resources among virtual machines. This fact attracts attention towards scheduling, as fairness and resource isolation are the key requirements for which any user virtualizes the servers. I/O models are the main bottlenecks in sharing resources among virtual machines. This work aims to evaluate the performance isolation achieved by Xen hypervisor in different scheduler configurations with different kind of resource intensive applications. Experiment results show that isolation is critical when we run I/O application in conjunction with CPU intensive applications.

Access Control and Authentication in the Internet of Things Environment

This chapter focuses on access control, authentication techniques, and their related aspects with respect to the Internet of Things (IoT). Access control is for managing interaction and communication between users and systems. Authentication is a way of proving the identity of an entity and implemented on various layers of the IoT framework, e.g., physical or perception layer, transportation, and application layer. In the context of IoT, access control and authentication must address the issues of heterogeneity and scalability in addition to the energy and efficiency issues. The primary focus of this chapter is to target the connectivity of IoT devices. We start with the description of communication architecture of IoT, keeping security concerns in mind. For detailed comprehension, security aspects are discussed for each layer of IoT including RFID and sensor networks to traditional server-based computing. To understand the requirements of IoT systems, we compare the IoT paradigm with traditional ubiquitous computing models. Focusing on the connectivity between devices and connectivity with fixed server/cloud-based servers is the main aim of this chapter. In this context, the emphasis is on detailing and evaluating the state of the art of access and control mechanisms. To help the reader to address the significant research problems in the area, we have included open research directions related to authentication and access control mechanisms in the IoT.

Dynamic resource allocation using auto-negotiation in Haizea

Higher hardware utilization and SLA fulfillment are two main objectives of any infrastructure cloud, thus, making resource allocation to virtual machines as one of the most critical aspect. Haizea is a popular cloud lease manager which supports a variety of resource leases according to the application requirements. These leases are: Immediate, Best-Effort, Deadline Sensitive and Advance Reservation (AR). But all these leases are static in nature viz. once resources are allocated to a lease, these resources cannot be altered during the complete lifetime of the lease. This contradicts with the philosophy and implementation of a pure on-demand elastic cloud where resources of a lease are continuously monitored against the utilization and altered based on the requirements. Our work aims at the inclusion of three important features to mitigate this shortcoming in Haizea. First, it introduces a new class of lease: Dynamic lease to accommodate resource changes. Second, it examines virtual machine resource utilization to decide about the demand and need of allocation change and third, it accommodates the expected changes in resource allocation by introducing two new sub-leases which allow dynamic resource allocation in the schedule. Lease experiments are performed on Haizea to validate the introduced features.

Service resizing for quick DDoS mitigation in cloud computing environment

Current trends in distributed denial of service (DDoS) attacks show variations in terms of attack motivation, planning, infrastructure, and scale. “DDoS-for-Hire” and “DDoS mitigation as a Service” are the two services, which are available to attackers and victims, respectively. In this work, we provide a fundamental difference between a “regular” DDoS attack and an “extreme” DDoS attack. We conduct DDoS attacks on cloud services, where having the same attack features, two different services show completely different consequences, due to the difference in the resource utilization per request. We study various aspects of these attacks and find out that the DDoS mitigation service’s performance is dependent on two factors. One factor is related to the severity of the “resource-race” with the victim web-service. Second factor is “attack cooling down period” which is the time taken to bring the service availability post detection of the attack. Utilizing these two important factors, we propose a supporting framework for the DDoS mitigation services, by assisting in reducing the attack mitigation time and the overall downtime. This novel framework comprises of an affinity-based victim-service resizing algorithm to provide performance isolation, and a TCP tuning technique to quickly free the attack connections, hence minimizing the attack cooling down period. We evaluate the proposed novel techniques with real attack instances and compare various attack metrics. Results show a significant improvement to the performance of DDoS mitigation service, providing quick attack mitigation. The presence of proposed DDoS mitigation support framework demonstrated a major reduction of more than 50% in the service downtime.

Allocation of slotted deadline sensitive leases in infrastructure cloud

Resource allocation is an important aspect in cloud computing. In Cloud Computing environment, the user can access required resources in the form of a service. The resource may be a platform, a software or infrastructure. In an IaaS (Infrastructure as a Service) Cloud, users send requests to the cloud-provider in the form of a lease; The cloud-provider makes a scheduling plan for leases in order to maximize the number of leases it can accommodate. A lease stores information about the required resources, including the time at which the resources are required. Haizea is a popular resource lease manager which handles the scheduling of such leases. An algorithm for deadline sensitive leases is presented which accepts more number of leases by dividing a lease into multiple slots and by backfilling already accommodated leases. Experimental results show that our scheduling algorithm gives better performance than existing algorithms in Haizea.