Publication


Featured research published by Sungwon Yi.


global communications conference | 2003

A control theoretic approach for designing adaptive AQM schemes

Xidong Deng; Sungwon Yi; George Kesidis; Chita R. Das

In this paper, we use a control theoretic approach to develop a generic framework for analyzing various active queue management (AQM) schemes as proportional-integral-derivative (PID) controllers. Based on this PID model, we propose an adaptive control mechanism to improve the system stability and performance under changing network conditions. We then present a generic implementation of the PID controller by introducing a derivative control into a PI controller. In addition, we propose an improved adaptive virtual queue (AVQ) scheme with explicit queue length control. A simulation study under a wide range of traffic conditions suggests that the proposed algorithms outperform the existing AQM schemes in achieving better system performance and stability.


international conference on computer communications and networks | 2004

Proxy-RED: an AQM scheme for wireless local area networks

Sungwon Yi; Martin Kappes; Sachin Garg; Xidong Deng; George Kesidis; Chita R. Das

Wireless access points act as bridges between wired and wireless networks. Since the actually available bandwidth in wireless networks is much smaller than the bandwidth in wired networks, there is a disparity in channel capacity which makes the access point a significant network congestion point in the downstream direction. A current architectural trend in wireless local area networks (WLAN) is to move functionality from access points to a centralized gateway in order to reduce cost and improve features. In this paper, we study the use of RED, a well-known active queue management (AQM) scheme, and explicit congestion notification (ECN) to handle bandwidth disparity between the wired and the wireless interface of an access point. Then, we propose the proxy-RED scheme, as a solution for reducing the AQM overhead from the access point. Simulation-based performance analysis indicates that the proposed proxy-RED scheme improves overall performance of the network. In particular, the proxy-RED scheme significantly reduces packet loss rate and improves goodput for a small buffer, and minimizes delay for a large buffer size.


acm symposium on applied computing | 2007

Memory-efficient content filtering hardware for high-speed intrusion detection systems

Sungwon Yi; Byoung-Koo Kim; Jintae Oh; Jongsoo Jang; George Kesidis; Chita R. Das

Content filtering-based Intrusion Detection Systems have been widely deployed in enterprise networks, and have become a standard measure to protect networks and network users from cyber attacks. Although several solutions have been proposed recently, finding an efficient solution is considered a difficult problem due to the limitations in resources such as a small memory size, as well as the growing link speed. In this paper, we present a novel content filtering technique called Table-driven Bottom-up Tree (TBT), which was designed i) to fully exploit hardware parallelism to achieve real-time packet inspection, ii) to require a small memory for storing signatures, iii) to be flexible in modifying the signature database, and iv) to support complex signature representation such as regular expressions. We configured TBT considering the hardware specifications and limitations, and implemented it using an FPGA. Simulation-based performance evaluations showed that the proposed technique used only 350 Kilobytes of memory for storing the latest version of SNORT rule consisting of 2770 signatures. In addition, unlike many other hardware-based solutions, modification to the signature database does not require hardware re-compilation in TBT.


global communications conference | 2002

Providing fairness in DiffServ architecture

Sungwon Yi; Xidong Deng; George Kesidis; Chita R. Das

The Differentiated Service (DiffServ) architecture does not specify any priority scheme between assured forwarding (AF) out-profile packets and best-effort (BE) packets. Therefore, a misbehaving AF flow can penalize many BE flows unless a fair bandwidth sharing mechanism is employed in the routers. In this paper, we propose two different techniques for solving the inter- and intra-class fairness problems at the core and edge routers, respectively. For the core routers, we propose a fair weighted round robin (FWRR) scheduler that protects BE packets from monopolizing AF out-profile packets by dynamically adjusting the service weights and buffer spaces according to the traffic changes. For the edge routers, we propose a scheme, called fair dropper (FD), that provides intra-class fairness by penalizing the greedy flows. Simulation results indicate that both these techniques are quite effective in providing inter- and intra-class fairness, while maintaining a low packet loss rate.


Telecommunication Systems | 2008

A dynamic quarantine scheme for controlling unresponsive TCP sessions

Sungwon Yi; Xidong Deng; George Kesidis; Chita R. Das

In addition to unresponsive UDP traffic, aggressive TCP flows pose a serious challenge to congestion control and stability of the future Internet. This paper considers the problem of dealing with such unresponsive TCP sessions that can be considered to collectively constitute a Denial-of-Service (DoS) attack on conforming TCP sessions. The proposed policing scheme, called HaDQ (HaTCh-based Dynamic Quarantine), is based on a recently proposed HaTCh mechanism, which accurately estimates the number of active flows without maintenance of per-flow states in a router. We augment HaTCh with a small Content Addressable Memory (CAM), called quarantine memory, to dynamically quarantine and penalize the unresponsive TCP flows. We exploit the advantage of the smaller, first-level cache of HaTCh for isolating and detecting the aggressive flows. The aggressive flows from the smaller cache are then moved to the quarantine memory and are precisely monitored for taking appropriate punitive action. While the proposed HaDQ technique is quite generic in that it can work with or without any AQM scheme, in this paper we have integrated HaDQ and an AQM scheme to compare it against some of the existing techniques. For this, we extend the HaTCh scheme to develop a complete AQM mechanism, called HRED. Simulation-based performance analysis indicates that by using a proper configuration of the monitoring period and the detection threshold, the proposed HaDQ scheme can achieve a low false drop rate (false positives) of less than 0.1%. Comparison with two AQM schemes (CHOKe and FRED), which were proposed for handling unresponsive UDP flows, shows that HaDQ is more effective in penalizing the bandwidth attackers and enforcing fairness between conforming and aggressive TCP flows.


global communications conference | 2002

Stabilized virtual buffer (SVB) - an active queue management scheme for Internet quality-of-service

Xidong Deng; Sungwon Yi; George Kesidis; Chita R. Das

We present a virtual queue-based active queue management (AQM) scheme, called stabilized virtual buffer (SVB). The SVB scheme uses the packet arrival rate and queue length information to drop/mark packets probabilistically in a congested Internet router. System goodput, packet loss rate, average queue length, and stability of the queue are used to compare the proposed SVB scheme with prior AQM schemes (RED - random early detection; REM - random exponential marking; AVQ - adaptive virtual queue). Simulation results indicate that the SVB algorithm can provide better goodput and lower loss rate than the other three AQMs. The most striking feature of the proposed scheme is its robustness to workload fluctuations in maintaining a stable queue for different workload mixes (short and long flows) and parameter settings.


Microprocessors and Microsystems | 2013

PTL: PRAM translation layer

Gyu Sang Choi; Byung-Won On; Kwonhue Choi; Sungwon Yi

In this paper, we attempt to replace NAND Flash memory with PRAM, while PRAM initially targets replacing NOR Flash memory. To achieve it, we need to handle the wear-leveling issue of PRAM since the maximum number of writes in PRAM is only 10^6. Thus, we have proposed PRAM Translation Layer (PTL) to resolve the endurance problem for a PRAM-based storage system. We modified FlashSim to support both PRAM and NAND Flash memory and measured the performance by using real workloads from PC and server. In our experiment, PRAM shows up to 300% performance improvement compared to NAND Flash memory. Moreover, our results revealed that the PRAM's endurance is improved up to 25% compared to NAND Flash memory due to no erase operation. All these results suggest that PRAM is a viable candidate to replace NAND Flash memory.


global communications conference | 2010

A Modified Multi-Resolution Approach for Port Scan Detection

Hwa-Shin Moon; Sungwon Yi; Keeseong Cho

Although port scan detection techniques have been widely adopted by the modern network-based security systems, the effectiveness of these techniques can significantly be limited since the detection performance heavily relies on the statically determined detection threshold. To tackle the problem, a multi-resolution approach called MRDS, maintaining multiple monitoring windows with the corresponding detection thresholds, has been proposed. However, deploying such a technique in a high-speed network is not easy due to the time and space complexity required for calculating the number of unique destination addresses contacted in the multiple monitoring windows. In this paper, we present a novel failed flow dispersion estimation technique, called Multi-Window State Map (MWSM), which requires a small amount of memory and a constant number of memory accesses for implementing the multi-resolution concept. We then extend the proposed MWSM into a complete port scan detector. Simulation results with real-world traffic traces indicate that the proposed estimation technique manages the expected relative error and average standard error of less than 0.8% and 9% respectively and thus the MWSM-based detection scheme reduces false positives by 60% compared to MRDS.


Journal of Information Science and Engineering | 2015

A Multi-resolution Port Scan Detection Technique for High-speed Networks

Hwa-Shin Moon; Sungwon Yi; Gyu Sang Choi; Yong-Sung Jeon; Joengnyeo Kim

In this paper, we present a novel failed flow dispersion estimation technique, called multi-window state map (MWSM), which requires a small amount of memory and a constant number of memory accesses for implementing the multi-resolution concept (e.g., MRDS). We then extended the proposed MWSM scheme into a complete port scan detector. The simulation results with real-world traffic traces indicate that the proposed estimation technique manages the expected relative error and average standard error of less than 0.8% and 9%, respectively, while limiting the memory consumption to less than 60% of MRDS. In addition, the number of false positives decreases by 61% compared to a scan detector based on MRDS when it is extended to a complete scan detector. Owing to its simple mechanism and architecture, the proposed technique is well suited to hardware implementation. Therefore, we believe that the proposed technique is practically viable in modern high-speed intrusion detection systems.


conference on decision and control | 2003

HaTCh: a two-level caching scheme for estimating the number of active flows

Sungwon Yi; Xidong Deng; George Kesidis; Chita R. Das

In this paper, we present a Markov model to examine the capability of SRED in estimating the number of active flows. We show that the SRED cache hit rate can be used to quantify the number of active flows. We then propose a modified SRED scheme, called HaTCh (hash-based two-level caching), that uses hashing and a two-level caching mechanism to accurately estimate the number of active flows under various workloads. We formulate a preliminary Markov model of the proposed scheme to show its effectiveness in preventing the monopoly of misbehaving flows. Simulation results indicate that the proposed scheme provides better estimation of the number of active flows compared to SRED, stabilizes the estimation with respect to workload fluctuations, and prevents performance degradation by efficiently isolating the misbehaving flows.

Collaboration

Top Co-Authors

Chita R. Das
Pennsylvania State University

George Kesidis
Pennsylvania State University

Xidong Deng
Pennsylvania State University

Jong Hyun Kim
Electronics and Telecommunications Research Institute

Ki Young Kim
Electronics and Telecommunications Research Institute

Gaeil An
Electronics and Telecommunications Research Institute

Jintae Oh
Electronics and Telecommunications Research Institute

Dae-Hee Seo
Electronics and Telecommunications Research Institute

Hwa Shin Moon
Electronics and Telecommunications Research Institute