Lukas Kencl

A Secure Data Deduplication Scheme for Cloud Storage

As more corporate and private users outsource their data to cloud storage providers, recent data breach incidents make end-to-end encryption an increasingly prominent requirement. Unfortunately, semantically secure encryption schemes render various cost-effective storage optimization techniques, such as data deduplication, ineffective. We present a novel idea that differentiates data according to their popularity. Based on this idea, we design an encryption scheme that guarantees semantic security for unpopular data and provides weaker security and better storage and bandwidth benefits for popular data. This way, data deduplication can be effective for popular data, whilst semantically secure encryption protects unpopular content. We show that our scheme is secure under the Symmetric External Decisional Diffie-Hellman Assumption in the random oracle model.

Energy savings for cellular network with evaluation of impact on data traffic performance

We present a concrete methodology for saving energy in future and contemporary cellular networks. It is based on re-arranging the user-cell association so as to allow shutting down under-utilized parts of the network. We consider a hypothetical static case where we have complete knowledge of stationary user locations and thus the results represent an upper bound of potential energy savings. We formulate the problem as a binary integer programming problem, thus it is NP-hard, and we present a heuristic approximation method. We simulate the methodology on an example real cellular network topology with traffic-and user distribution generated according to recently measured patterns. Further, we evaluate the energy savings, using realistic energy profiles, and the impact on the user-perceived network performance, represented by delay and throughput, at various times of day. The general findings conclude that up to 50% energy may be saved in less busy periods, while the performance effects remain limited. We conclude that practical, real-time user-cell re-allocation methodology, taking into account user mobility predictions, may thus be feasible and bring significant energy savings at acceptable performance impact.

Traffic-adaptive packet filtering of denial of service attacks

Traffic-adaptive packet filtering is a mechanism to adjust packet classification methods at run-time to the particular traffic mix a network node is receiving. It has been conjectured previously that such techniques could perform positively when filtering out malicious attack traffic, due to their flow aggregation capabilities. In this work, we present two novel contributions-a first ever working implementation of a traffic adaptive firewall, based on insertion of shortcuts into a search tree, and both a simulated and a real-life performance study of adaptive packet filtering under denial-of-service attack traffic, the outcomes of which support the above conjecture

Creating advanced functions on network processors: experience and perspectives

In this article we present five case studies of advanced networking functions that detail how a network processor (NP) can provide high performance and also the necessary flexibility compared with ASIC. We first review the basic NP system architectures, and describe the IBM PowerNP architecture from the data plane as well as the control plane point of view. We introduce models for the programmers views of NP that facilitate a global understanding of NP software programming. Then, for each case study, we present results from prototypes as well as general considerations that apply to a wider range of system architectures. Specifically, we investigate the suitability of NP for QoS (active queue management and traffic engineering), header processing (GPRS tunneling protocol), intelligent forwarding (load balancing without flow disruption), payload processing (code interpretation and just-in-time compilation in active networks), and protocol stack termination (SCTP). Finally, we summarize the key features as revealed by each case study, and conclude with remarks on the future of NP.

Energy consumption comparison between macro-micro and public femto deployment in a plausible LTE network

We study the energy consumptions of two strategies that increase the capacity of an LTE network: (1) the deployment of redundant macro and micro base stations by the operator at locations where the traffic is high, and (2) the deployment of publicly accessible femto base stations by home users. Previous studies show the deployment of publicly accessible residential femto base stations is considerably more energy efficient; however, the results are proposed using an abstracted model of LTE networks, where the coverage constraint was neglected in the study, as well as some other important physical and traffic layer specifications of LTE networks. We study a realistic scenario where coverage is provided by a set of non-redundant macro-micro base stations and additional capacity is provided by redundant macro-micro base stations or by femto base stations. We quantify the energy consumption of macro-micro and femto deployment strategies by using a simulation of a plausible LTE deployment in a mid-size metropolitan area, based on data obtained from an operator and using detailed models of heterogeneous devices, traffic, and physical layers. The metrics of interest are operator-energy-consumption/total-energy-consumption per unit of network capacity. For the scenarios we studied, we observe the following: (1) There is no significant difference between operator energy consumption of femto and macro-micro deployment strategies. From the point of view of society, i.e. total energy consumption, macro-micro deployment is even more energy efficient in some cases. This differs from the previous findings, which compared the energy consumption of femto and macro-micro deployment strategies, and found that femto deployment is considerably more energy efficient. (2) The deployment of femto base stations has a positive effect on mobile-terminal energy consumption; however, it is not significant compared to the macro-micro deployment strategy. (3) The energy saving that could be obtained by making macro and micro base stations more energy proportional is much higher than that of femto deployment.

Adaptive load sharing for network processors

A novel scheme for processing packets in a router is presented that provides load sharing among multiple network processors distributed within the router. It is complemented by a feedback control mechanism designed to prevent processor overload. Incoming traffic is scheduled to multiple processors based on a deterministic mapping. The mapping formula is derived from the robust hash routing (also known as the highest random weight--HRW) scheme, introduced in K. W. Ross, IEEE Network, 11(6), 1997, and D. G. Thaler et al., IEEE Trans. Networking, 6(1), 1998. No state information on individual flow mapping has to be stored, but for each packet, a mapping function is computed over an identifier vector, a predefined set of fields in the packet. An adaptive extension to the HRW scheme is provided to cope with biased traffic patterns. We prove that our adaptation possesses the minimal disruption property with respect to the mapping and exploit that property to minimize the probability of flow reordering. Simulation results indicate that the scheme achieves significant improvements in processor utilization. A higher number of router interfaces can thus be supported with the same amount of processing power.

Active GSM cell-id tracking: "Where Did You Disappear?"

Location-based services are mobile network applications of growing importance and variability. The space of location technologies and applications has not yet been fully explored, perhaps omitting some important practical uses. In this work we present the prototype SS7Tracker platform, an active, non-intrusive, GSM Cell-ID-based solution to network-based location tracking, and two novel applications of this technique: network diagnostics based on inroamer tracking and human activity research. We demonstrate the usability and performance limits of the platform on practical tests carried out in a live GSM network.

Spatial extension of the Reality Mining Dataset

Data captured from a live cellular network with the real users during their common daily routine help to understand how the users move within the network. Unlike the simulations with limited potential or expensive experimental studies, the research in user-mobility or spatio-temporal user behavior can be conducted on publicly available datasets such as the Reality Mining Dataset. These data have been for many years a source of valuable information about social interconnection between users and user-network associations. However, an important, spatial dimension is missing in this dataset. In this paper, we present a methodology for retrieving geographical locations matching the GSM cell identifiers in the Reality Mining Dataset, an approach base on querying the Google Location API. A statistical analysis of the measure of success of locations retrieval is provided. Further, we present the LAC-clustering method for detecting and removing outliers, a heuristic extension of general agglomerative hierarchical clustering. This methodology enables further, previously impossible analysis of the Reality Mining Dataset, such as studying user mobility patterns, describing spatial trajectories and mining the spatio-temporal data.

Bandwidth allocation for non-responsive flows with active queue management

This paper addresses the problem of configuring active queue management systems (e.g. WRED and RIO) for service level specifications in internetworks. In particular, we focus on assured forwarding (AF) for non-responsive flows in differentiated services networks. The difficulty is to determine the correct queue level thresholds that will result in correct drop rates for various AF precedence levels under any combination of offered loads. A new active queue management scheme based on a control algorithm is proposed that senses not only queue levels but also rates of queue levels changes and per flow bit rates to converge automatically to an optimal set of transmit fractions. The scheme has been implemented and tested on a network processor. Results show that the new active queue management scheme protects assured aggregated flow rates during periods of congestion. For non-responsive traffic the buffer occupancy level remains low during 250% offered load.

SIPp-DD: SIP DDoS Flood-Attack Simulation Tool

With the growing popularity of Voice-over-IP communication and of the SIP protocol, mobile networks including, denial-of-service attacks against the signaling are an increasingly menacing threat. We present SIPp-DD, a tool for generating real-like SIP DDoS flood attacks. SIPp-DD modifies the popular SIPp call generator and offers the option to spoof source IP addresses and ports of the generated messages. For flexibility, any set of source IP addresses and ports can be input, using a text file. To create real-like attacks, we analyze some of the publicly available DDoS flood attacks, derive typical distributions of address and packet populations and employ those in attack generation. We compare the generator outputs with the real analyzed DDoS floods and demonstrate the tool applicability by performing a DDoS attack within a real SIP-server testbed.