Kotagiri Ramamohanarao

Survey of network-based defense mechanisms countering the DoS and DDoS problems

This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to solve the problem of distributed denial of service attacks.

A taxonomy of Data Grids for distributed data sharing, management, and processing

Data Grids have been adopted as the next generation platform by many scientific communities that need to share, access, transport, process, and manage large data collections distributed worldwide. They combine high-end computing technologies with high-performance networking and wide-area storage management techniques. In this article, we discuss the key concepts behind Data Grids and compare them with other data sharing and distribution paradigms such as content delivery networks, peer-to-peer networks, and distributed databases. We then provide comprehensive taxonomies that cover various aspects of architecture, data transportation, data replication and resource allocation, and scheduling. Finally, we map the proposed taxonomy to various Data Grid systems not only to validate the taxonomy but also to identify areas for future exploration.

Inverted files versus signature files for text indexing

Two well-known indexing methods are inverted files and signature files. We have undertaken a detailed comparison of these two approaches in the context of text indexing, paying particular attention to query evaluation speed and space requirements. We have examined their relative performance using both experimentation and a refined approach to modeling of signature files, and demonstrate that inverted files are distinctly superior to signature files. Not only can inverted files be used to evaluate typical queries in less time than can signature files, but inverted files require less space and provide greater functionality. Our results also show that a synthetic text database can provide a realistic indication of the behavior of an actual text database. The tools used to generate the synthetic database have been made publicly available

Workflow Scheduling Algorithms for Grid Computing

Workflow scheduling is one of the key issues in the management of workflow execution. Scheduling is a process that maps and manages execution of inter-dependent tasks on distributed resources. It introduces allocating suitable resources to workflow tasks so that the execution can be completed to satisfy objective functions specified by users. Proper scheduling can have significant impact on the performance of the system. In this chapter, we investigate existing workflow scheduling algorithms developed and deployed by various Grid projects.

Protection from distributed denial of service attacks using history-based IP filtering

In this paper, we introduce a practical scheme to defend against distributed denial of service (DDoS) attacks based on IP source address filtering. The edge router keeps a history of all the legitimate IP addresses which have previously appeared in the network. When the edge router is overloaded, this history is used to decide whether to admit an incoming Ip packet. Unlike other proposals to defend against DDoS attacks, our scheme works well during highly-distributed DDoS attacks, i.e., from a large number of sources. We present several heuristic methods to make the IP address database accurate and robust, and we present experimental results that demonstrate the effectiveness of our scheme in defending against highly-distributed DDoS attacks.

Making use of the most expressive jumping emerging patterns for classification

Abstract. Classification aims to discover a model from training data that can be used to predict the class of test instances. In this paper, we propose the use of jumping emerging patterns (JEPs) as the basis for a new classifier called the JEP-Classifier. Each JEP can capture some crucial difference between a pair of datasets. Then, aggregating all JEPs of large supports can produce a more potent classification power. Procedurally, the JEP-Classifier learns the pair-wise features (sets of JEPs) contained in the training data, and uses the collective impacts contributed by the most expressive pair-wise features to determine the class labels of the test data. Using only the most expressive JEPs in the JEP-Classifier strengthens its resistance to noise in the training data, and reduces its complexity (as there are usually a very large number of JEPs). We use two algorithms for constructing the JEP-Classifier which are both scalable and efficient. These algorithms make use of the border representation to efficiently store and manipulate JEPs. We also present experimental results which show that the JEP-Classifier achieves much higher testing accuracies than the association-based classifier of (Liu et al, 1998), which was reported to outperform C4.5 in general.

An effective retinal blood vessel segmentation method using multi-scale line detection

Changes in retinal blood vessel features are precursors of serious diseases such as cardiovascular disease and stroke. Therefore, analysis of retinal vascular features can assist in detecting these changes and allow the patient to take action while the disease is still in its early stages. Automation of this process would help to reduce the cost associated with trained graders and remove the issue of inconsistency introduced by manual grading. Among different retinal analysis tasks, retinal blood vessel extraction plays an extremely important role as it is the first essential step before any measurement can be made. In this paper, we present an effective method for automatically extracting blood vessels from colour retinal images. The proposed method is based on the fact that by changing the length of a basic line detector, line detectors at varying scales are achieved. To maintain the strength and eliminate the drawbacks of each individual line detector, the line responses at varying scales are linearly combined to produce the final segmentation for each retinal image. The performance of the proposed method was evaluated both quantitatively and qualitatively on three publicly available DRIVE, STARE, and REVIEW datasets. On DRIVE and STARE datasets, the proposed method achieves high local accuracy (a measure to assess the accuracy at regions around the vessels) while retaining comparable accuracy compared to other existing methods. Visual inspection on the segmentation results shows that the proposed method produces accurate segmentation on central reflex vessels while keeping close vessels well separated. On REVIEW dataset, the vessel width measurements obtained using the segmentations produced by the proposed method are highly accurate and close to the measurements provided by the experts. This has demonstrated the high segmentation accuracy of the proposed method and its applicability for automatic vascular calibre measurement. Other advantages of the proposed method include its efficiency with fast segmentation time, its simplicity and scalability to deal with high resolution retinal images.

Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring

In this paper, we propose a simple but robust scheme to detect denial of service attacks (including distributed denial of service attacks) by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. Furthermore, we show that with the combination of monitoring per flow speed, we can detect all types of DDoS attacks. We demonstrate that we can achieve high detection accuracy on a range of different network packet traces.

Multikey access methods based on superimposed coding techniques

Both single-level and two-level indexed descriptor schemes for multikey retrieval are presented and compared. The descriptors are formed using superimposed coding techniques and stored using a bit-inversion technique. A fast-batch insertion algorithm for which the cost of forming the bit-inverted file is less than one disk access per record is presented. For large data files, it is shown that the two-level implementation is generally more efficient for queries with a small number of matching records. For queries that specify two or more values, there is a potential problem with the two-level implementation in that costs may accrue when blocks of records match the query but individual records within these blocks do not. One approach to overcoming this problem is to set bits in the descriptors based on pairs of indexed terms. This approach is presented and analyzed.

Role engineering using graph optimisation

Role engineering is one of the fundamental phases for migrating existing enterprises to Role Based Access Control. In organisations with a large number of users and permissions, this task can be time consuming and costly if a top down approach is used. Existing bottom up approaches are not sufficient in producing a comprehensive set of roles for hierarchical Role Based Access Control. In this research, we propose a predominately bottom up approach that uses Graph Optimisation to identify appropriate role hierarchies. Additional partial role specifications can be incorporated to produce a hybrid approach. Using rules that reduce administration requirements, roles and their hierarchies are automatically extracted from large numbers of permission assignments. The results of the Graph Optimisation approach are hierarchical Role Based Access Control infrastructures that offer improved access control administration for the system.