Vijay K. Gurbani

Network-aware service placement in a distributed cloud environment

We consider a system of compute and storage resources geographically distributed over a large number of locations connected via a wide-area network. By distributing the resources, latency to users can be decreased, bandwidth costs reduced and availablility increased. The challenge is to distribute services with varying characteristics among the data centers optimally. Some services are very latency sensitive, others need vast amounts of storage, and yet others are computationally complex but do not require hard deadlines on execution. We propose efficient algorithms for the placement of services to get the maximum benefit from a distributed cloud systems. The algorithms need input on the status of the network, compute resources and data resources, which are matched to application requirements. This demonstration shows how a network-aware cloud can combine all three resource types - computation, storage, and network connectivity - in distributed cloud environments. Our dynamic service placement algorithm monitors the network and data center resources in real-time. Our prototype uses the information gathered to place or migrate services to provide the best user experience for a service.

A survey of research on the application-layer traffic optimization problem and the need for layer cooperation

A significant part of Internet traffic today is generated by peer-to-peer applications, used traditionally for file sharing, and more recently for real-time communications and live media streaming. Such applications discover a route to each other through an overlay network with little knowledge of the underlying network topology. As a result, they may choose peers based on information deduced from empirical measurements, which can lead to suboptimal choices. We refer to this as the application layer traffic optimization (ALTO) problem and present a survey of existing literature. We summarize and compare existing approaches, identify open research issues, and state the need for layer cooperation as a solution to the ALTO problem.

Abstracting network state in Software Defined Networks (SDN) for rendezvous services

The Software Defined Network (SDN) model depends on abstractions to separate the control plane from the packet forwarding plane. Applications can interact with the control plane to receive a global network view, upon which they can operate. By having access to network topology information, applications can optimize decisions related to service rendezvous, service fulfillment, service placement and service removal. The network is in the best position to provide guidance to a broad class of applications, including peer-to-peer systems, Content Distribution Network (CDN), and datacenter applications. In all these use cases proximity matters as peers need to rendezvous with other peers and users need to rendezvous with the best cloud application or best CDN server. We maintain that a solution for such a rendezvous problem should be an intrinsic component of the emerging SDN model. A specific instance of a protocol that abstracts network topology is the Application Layer Traffic Optimization (ALTO) protocol. ALTO provides applications an abstract view of the network and thus enables applications to leverage a network without exposing the network providers internal details or policies. We argue that ALTO provides a clean, mature, standards-based and powerful abstraction, which can be used by SDNs today to obtain network information for solving the rendezvous problem.

Monitoring and abstraction for networked clouds

We consider the problem of building tightly coupled network and cloud management systems for “carrier clouds” based on an abstract view of the dynamic network state. Optimized resource placement in distributed clouds requires information about the internal network topology and state, in addition to other data center information. We present a distributed cloud system that accesses such data in an abstract way using the Application Layer Traffic Optimization (ALTO) protocol. The demonstration addresses how dynamic networking information can be gathered, how it can be abstracted and coupled with other data such as data center load, how it can be exposed, and how it can be integrated into a cloud management system. Our distributed cloud solution demonstrates that ALTO is well-suited for infrastructure-to-application information exposure.

A Survey and Analysis of Media Keying Techniques in the Session Initiation Protocol (SIP)

Exchanging cryptographic keys to encrypt the media stream in the Session Initiation Protocol ({SIP}) has proven difficult. The challenge is to effectively exchange keys while preserving the features of the protocol (e.g., forking, re-targeting, request recursion, etc.), minimizing key exposure to unintended parties, eliminating voice clipping, maintaining end-to-end key privacy, interfacing with PSTN, etc. In this paper, we survey three key management protocols - SDES, ZRTP and DTLS-SRTP - that have been proposed for media keying, and evaluate them for use with SIP. To aid in the evaluation, we first extract (and justify) a core feature set from SIP. We then survey each key management protocol in detail and proceed to analyze the cores of the three protocols against this feature set to annotate their weaknesses and strengths.

Dynamic VPN Optimization by ALTO Guidance

Virtual Private Networks (VPNs) are a key component of cloud computing systems, since they provide isolated connectivity between geographically separated users. The elasticity in cloud computing and new usage patterns such as cloud bursting require VPNs to be more dynamic than traditional solutions used by network service providers. Managing and optimizing the topology of VPNs requires insight into the underlying wide area network topology and benefits from new network interfaces currently discussed for Software Defined Networks (SDN). This paper presents the use of the Application-Layer Traffic Optimization (ALTO) protocol for VPN optimization. ALTO is a standardized solution for exposure of abstract topology information to a variety of applications, including cloud management systems. We demonstrate the use of ALTO in determining how to scale-out a VPN on demand. We also present a prototype of an ALTO-based dynamic VPN management, which is based on a carrier-grade network management system. Our results show that ALTO is a powerful topology abstraction approach that enables informed VPN scale-out decisions by applications.

Phishwish: a simple and stateless phishing filter

We define phishing as the practice of directing unsuspecting users to fraudulent websites with the intent of obtaining personal information to be used for illicit purpose by a spammer. We introduce a new anti-phishing filter, phishwish, that has a number of advantages over existing phishing filters: it does not need to be trained, as is the case with Bayesian filters, nor does it consult centralized white or blacklists to determine whether an email is suspect. Phishwish uses a set of only 11 rules to determine the veracity of an incoming email; the results can be used to quarantine the email or to alert the user. We compare the performance of phishwish to SpamAssassin, a popular open source filter, as well as the Google phishing filters accessed from the Firefox browser. Our results indicate that phishwish outperforms existing filters in identifying phishing emails, even identifying those originated by the ‘rock phish’ gang, and that it aids in detection of zero-day attacks that were not caught by existing filters. Copyright

Phishwish: A Stateless Phishing Filter Using Minimal Rules

We introduce phishwish, a phishing filter that offers advantages over existing filters: It does not need any training and does not consult centralized white or black lists. Furthermore, it is simple to configure, requiring only 11 rules to determine the veracity of an incoming email. We compare the performance of phishwish to SpamAssassin and to Googles browser-based phishing filter. Our results indicate that phishwish outperforms these filters and identifies zero days attacks that went undetected by existing filters.

On the inefficacy of Euclidean classifiers for detecting self-similar Session Initiation Protocol (SIP) messages

The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. Due to the nature and deployment realities of the protocol (ASCII message representation, most deployments over UDP, limited use of message encryption), it becomes relatively easy to attack the protocol at the message level. To mitigate this, self-learning systems have been proposed to counteract new threats. However the efficacy of existing machine learning algorithms must be studied on varied data sets before they can be successfully used. Existing literature indicates that Euclidean distance based classifiers work well to detect anomalous messages. Our work suggests that such classifiers do not produce adequate results for well-crafted malicious messages that differ very slightly from normal messages. To demonstrate this, we gather SIP traffic and minimally perturb it using 13 generic transforms to create malicious SIP messages. We use the Levenshtein distance, L, as a measure of similarity between normal and malicious SIP messages. We subject our dataset — consisting of malicious and normal SIP messages — to Euclidean distance-based classifiers as well as four standard classifiers. Our results show vast differences for Euclidean distance-based classifiers on our dataset than reported in current literature. We further see that the standard classifiers are better able to classify an anomalous message when L is small.

Cryptographically Transparent Session Initiation Protocol (SIP) Proxies

Proxies provide important rendezvous service in the session initiation protocol (SIP), but it comes at a cost to privacy. A SIP proxy is privy to all of the signaling exchanged between two user agents, even if that signaling is performed over a secure channel (e.g., a Transport Layer Security channel.) This paper proposes and evaluates a mechanism that allows the proxies to create an overlay network between the user agents for rendezvous, and once that is done, the proxies become transparent traffic forwarders. From then onwards, user agents can authenticate each other directly and exchange cryptographically secure signaling traffic over the overlay network created by the proxies. This mechanism is applicable to traditional client/server SIP as well as Peer-to-Peer SIP.