Jeongkeun Lee

An experimental study on the capture effect in 802.11a networks

In wireless networks, a frame collision does not necessarily result in all the simultaneously transmitted frames being lost. Depending on the relative signal power and the arrival timing of the involved frames, one frame can survive the collision and be successfully received by the receiver. Using our IEEE 802.11a wireless network testbed, we carry out a measurement study that shows the terms and conditions (timing, power difference, bit rate) under which this capture effect takes place. Recent measurement work on the capture effect in 802.11 networks [10] argues that the stronger frame can be successfully decoded only in two cases: (1) The stronger frame arrives earlier than the weaker frame, or (2) the stronger frame arrives later than the weaker frame but within the preamble time of the weaker frame. However, our measurement shows that the stronger frame can be decoded correctly regardless of the timing relation with the weaker frame. In addition, when the stronger frame arrives later than the weaker frames arrival, the physical layer capture exhibits two very distinct patterns based on whether the receiver has been successfully synchronized to the previous weak frame or not. In explaining the distinct cases we observe that the successful capture of a frame involved in a collision is determined through two stages: preamble detection and the frame body FCS check.

Avoiding multipath to revive inbuilding WiFi localization

Despite of several years of innovative research, indoor localization is still not mainstream. Existing techniques either employ cumbersome fingerprinting, or rely upon the deployment of additional infrastructure. Towards a solution that is easier to adopt, we propose CUPID, which is free from these restrictions, yet is comparable in accuracy. While existing WiFi based solutions are highly susceptible to indoor multipath, CUPID utilizes physical layer (PHY) information to extract the signal strength and the angle of only the direct path, successfully avoiding the effect of multipath reflections. Our main observation is that natural human mobility, when combined with PHY layer information, can help in accurately estimating the angle and distance of a mobile device from an wireless access point (AP). Real-world indoor experiments using off-the-shelf wireless chipsets confirm the feasibility of CUPID. In addition, while previous approaches rely on multiple APs, CUPID is able to localize a device when only a single AP is present. When a few more APs are available, CUPID can improve the median localization error to 2.7m, which is comparable to schemes that rely on expensive fingerprinting or additional infrastructure.

NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems

Cloud security is one of most important issues that has attracted a lot of research and development effort in past few years. Particularly, attackers can explore vulnerabilities of a cloud system and compromise virtual machines to deploy further large-scale Distributed Denial-of-Service (DDoS). DDoS attacks usually involve early stage actions such as multistep exploitation, low-frequency vulnerability scanning, and compromising identified vulnerable virtual machines as zombies, and finally DDoS attacks through the compromised zombies. Within the cloud system, especially the Infrastructure-as-a-Service (IaaS) clouds, the detection of zombie exploration attacks is extremely difficult. This is because cloud users may install vulnerable applications on their virtual machines. To prevent vulnerable virtual machines from being compromised in the cloud, we propose a multiphase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE, which is built on attack graph-based analytical models and reconfigurable virtual network-based countermeasures. The proposed framework leverages OpenFlow network programming APIs to build a monitor and control plane over distributed programmable virtual switches to significantly improve attack detection and mitigate attack consequences. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.

SAIL: single access point-based indoor localization

This paper presents SAIL, a Single Access Point Based Indoor Localization system. Although there have been advances in WiFi-based positioning techniques, we find that existing solutions either require a dense deployment of access points (APs), manual fingerprinting, energy hungry WiFi scanning, or sophisticated AP hardware. We design SAIL using a single commodity WiFi AP to avoid these restrictions. SAIL computes the distance between the client and an AP using the propagation delay of the signal traversing between the two, combines the distance with smartphone dead-reckoning techniques, and employs geometric methods to ultimately yield the clients location using a single AP. SAIL combines physical layer (PHY) information and human motion to compute the propagation delay of the direct path by itself, eliminating the adverse effect of multipath and yielding sub-meter distance estimation accuracy. Furthermore, SAIL systematically addresses some of the common challenges towards dead-reckoning using smartphone sensors and achieves 2-5x accuracy improvements over existing techniques. We have implemented SAIL on commodity wireless APs and smartphones. Evaluation in a large-scale enterprise environment with 10 mobile users demonstrates that SAIL can capture the users location with a mean error of 2.3m using just a single AP.

Hybrid gateway advertisement scheme for connecting mobile ad hoc networks to the Internet

When a node in a mobile ad hoc network wants to send data packets to the Internet, and therefore outside of its local ad hoc network, it has to obtain information about the available Internet gateways: i.e. which one to use and how to get there. To accomplish this, nodes can utilize either a unsolicited gateway discovery mechanism or relay on unsolicited gateway advertisement packets sent by gateways. Obviously, the effectiveness of periodic and unsolicited advertisement depends entirely on the traffic and mobility patterns. The most important factors involved in sending unsolicited gateway advertisements are the time interval between sending two consecutive advertisements and the TTL value of the advertisement packet, i.e., the gateway should carefully decide when to send advertisements, and the advertisement flooding area should be limited only to nodes that need to update their gateway information and their paths to the gateway. In this paper, two kinds of advertising schemes are proposed, which are based on the observation of traffic and mobility patterns, and are designed to avoid generating unnecessary packets in the MANET (Mobile Ad hoc Network), in addition to giving mobile nodes more opportunity to use the shortest path to the Internet.

Application-driven bandwidth guarantees in datacenters

Providing bandwidth guarantees to specific applications is becoming increasingly important as applications compete for shared cloud network resources. We present CloudMirror, a solution that provides bandwidth guarantees to cloud applications based on a new network abstraction and workload placement algorithm. An effective network abstraction should enable applications to easily and accurately specify their requirements, while simultaneously enabling the infrastructure to provision resources efficiently for deployed applications. Prior research has approached the bandwidth guarantee specification by using abstractions that resemble physical network topologies. We present a contrasting approach of deriving a network abstraction based on application communication structure, called Tenant Application Graph or TAG. CloudMirror also incorporates a new workload placement algorithm that efficiently meets bandwidth requirements specified by TAGs while factoring in high availability considerations. Extensive simulations using real application traces and datacenter topologies show that CloudMirror can handle 40% more bandwidth demand than the state of the art (e.g., the Oktopus system), while improving high availability from 20% to 70%.

PGA: Using Graphs to Express and Automatically Reconcile Network Policies

Software Defined Networking (SDN) and cloud automation enable a large number of diverse parties (network operators, application admins, tenants/end-users) and control programs (SDN Apps, network services) to generate network policies independently and dynamically. Yet existing policy abstractions and frameworks do not support natural expression and automatic composition of high-level policies from diverse sources. We tackle the open problem of automatic, correct and fast composition of multiple independently specified network policies. We first develop a high-level Policy Graph Abstraction (PGA) that allows network policies to be expressed simply and independently, and leverage the graph structure to detect and resolve policy conflicts efficiently. Besides supporting ACL policies, PGA also models and composes service chaining policies, i.e., the sequence of middleboxes to be traversed, by merging multiple service chain requirements into conflict-free composed chains. Our system validation using a large enterprise network policy dataset demonstrates practical composition times even for very large inputs, with only sub-millisecond runtime latencies.

Application-awareness in SDN

We present a framework, Atlas, which incorporates application-awareness into Software-Defined Networking (SDN), which is currently capable of L2/3/4-based policy enforcement but agnostic to higher layers. Atlas enables fine-grained, accurate and scalable application classification in SDN. It employs a machine learning (ML) based traffic classification technique, a crowd-sourcing approach to obtain ground truth data and leverages SDNs data reporting mechanism and centralized control. We prototype Atlas on HP Labs wireless networks and observe 94% accuracy on average, for top 40 Android applications.

Application-driven Bandwidth Guarantees in Datacenters

Providing bandwidth guarantees to specific applications is becoming increasingly important as applications compete for shared cloud network resources. We present CloudMirror, a solution that provides bandwidth guarantees to cloud applications based on a new network abstraction and workload placement algorithm. An effective network abstraction should enable applications to easily and accurately specify their requirements, while simultaneously enabling the infrastructure to provision resources efficiently for deployed applications. Prior research has approached the bandwidth guarantee specification by using abstractions that resemble physical network topologies. We present a contrasting approach of deriving a network abstraction based on application communication structure, called Tenant Application Graph or TAG. CloudMirror also incorporates a new workload placement algorithm that efficiently meets bandwidth requirements specified by TAGs while factoring in high availability considerations. Extensive simulations using real application traces and datacenter topologies show that CloudMirror can handle 40% more bandwidth demand than the state of the art (e.g., the Oktopus system), while improving high availability from 20% to 70%.

Understanding interference and carrier sensing in wireless mesh networks

Wireless mesh networks aim to provide high-speed Internet service without costly network infrastructure deployment and maintenance. The main obstacle in achieving high-capacity wireless mesh networks is interference between the mesh links. In this article, we analyze the carrier sensing and interference relations between two wireless links and measure the impact of these relations on link capacity on an indoor 802.11a mesh network testbed. We show that asymmetric carrier sensing and/or interference relations commonly exist in wireless mesh networks, and we study their impact on the link capacity and fair-channel access. In addition, we investigate the effect of traffic rate on link capacity in the presence of interference.