Weibo Gong

Fluid-based analysis of a network of AQM routers supporting TCP flows with an application to RED

In this paper we use jump process driven Stochastic Differential Equations to model the interactions of a set of TCP flows and Active Queue Management routers in a network setting. We show how the SDEs can be transformed into a set of Ordinary Differential Equations which can be easily solved numerically. Our solution methodology scales well to a large number of flows. As an application, we model and solve a system where RED is the AQM policy. Our results show excellent agreement with those of similar networks simulated using the well known ns simulator. Our model enables us to get an in-depth understanding of the RED algorithm. Using the tools developed in this paper, we present a critical analysis of the RED algorithm. We explain the role played by the RED configuration parameters on the behavior of the algorithm in a network. We point out a flaw in the RED averaging mechanism which we believe is a cause of tuning problems for RED. We believe this modeling/solution methodology has a great potential in analyzing and understanding various network congestion control algorithms.

On designing improved controllers for AQM routers supporting TCP flows

In this paper we study a previously developed linearized model of TCP and active queue management (AQM). We use classical control system techniques to develop controllers well suited for the application. The controllers are shown to have better theoretical properties than the well known RED controller. We present guidelines for designing stable controllers subject to network parameters like load level propagation delay etc. We also present simple implementation techniques which require a minimal change to RED implementations. The performance of the controllers are verified and compared with RED using ns simulations. The second of our designs, the proportional integral (PI) controller is shown to outperform RED significantly.

A control theoretic analysis of RED

We use a previously developed nonlinear dynamic model of TCP to analyze and design active queue management (AQM) control systems using random early detection (RED). First, we linearize the interconnection of TCP and a bottlenecked queue and discuss its feedback properties in terms of network parameters such as link capacity, load and round-trip time. Using this model, we next design an AQM control system using the RED scheme by relating its free parameters such as the low-pass filter break point and loss probability profile to the network parameters. We present guidelines for designing linearly stable systems subject to network parameters like propagation delay and load level. Robustness to variations in system loads is a prime objective. We present no simulations to support our analysis.

Analysis and design of controllers for AQM routers supporting TCP flows

In active queue management (AQM), core routers signal transmission control protocol (TCP) sources with the objective of managing queue utilization and delay. It is essentially a feedback control problem. Based on a recently developed dynamic model of TCP congestion-avoidance mode, this paper does three things: 1) it relates key network parameters such as the number of TCP sessions, link capacity and round-trip time to the underlying feedback control problem; 2) it analyzes the present de facto AQM standard: random early detection (RED) and determines that REDs queue-averaging is not beneficial; and 3) it recommends alternative AQM schemes which amount to classical proportional and proportional-integral control. We illustrate our results using ns simulations and demonstrate the practical impact of proportional-integral control on managing queue utilization and delay.

Code red worm propagation modeling and analysis

The Code Red worm incident of July 2001 has stimulated activities to model and analyze Internet worm propagation. In this paper we provide a careful analysis of Code Red propagation by accounting for two factors: one is the dynamic countermeasures taken by ISPs and users; the other is the slowed down worm infection rate because Code Red rampant propagation caused congestion and troubles to some routers. Based on the classical epidemic Kermack-Mckendrick model, we derive a general Internet worm model called the two-factor worm model. Simulations and numerical solutions of the two-factor worm model match the observed data of Code Red worm better than previous models do. This model leads to a better understanding and prediction of the scale and speed of Internet worm spreading.

Anomaly detection using call stack information

The call stack of a program execution can be a very good information source for intrusion detection. There is no prior work on dynamically extracting information from the call stack and effectively using it to detect exploits. In this paper we propose a new method to do anomaly detection using call stack information. The basic idea is to extract return addresses from the call stack, and generate an abstract execution path between two program execution points. Experiments show that our method can detect some attacks that cannot be detected by other approaches, while its convergence and false positive performance is comparable to or better than the other approaches. We compare our method with other approaches by analyzing their underlying principles and thus achieve a better characterization of their performance, in particular on what and why attacks will be missed by the various approaches.

On the performance of internet worm scanning strategies

In recent years, fast spreading worms, such as Code Red, Slammer, Blaster and Sasser, have become one of the major threats to the security of the Internet. In order to defend against future worms, it is important to first understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In this paper, we systematically model and analyze worm propagation under various scanning strategies, such as uniform scan, routing scan, hit-list scan, cooperative scan, local preference scan, sequential scan, divide-and-conquer scan, target scan, etc. We also provide an analytical model to accurately model Witty worms destructive behavior. By using the same modeling framework, we reveal the underlying similarity and relationship between different worm scanning strategies. In addition, based on our simulation and analysis of Blaster worm propagation and monitoring, we provide a guideline for building a better worm monitoring infrastructure.

Modeling and Simulation Study of the Propagation and Defense of Internet E-mail Worms

As many people rely on e-mail communications for business and everyday life, Internet e-mail worms constitute one of the major security threats for our society. Unlike scanning worms such as Code Red or Slammer, e-mail worms spread over a logical network defined by e-mail address relationships, making traditional epidemic models invalid for modeling the propagation of e-mail worms. In addition, we show that the topological epidemic models presented by M. Boguna, et al. (2000) largely overestimate epidemic spreading speed in topological networks due to their implicit homogeneous mixing assumption. For this reason, we rely on simulations to study e-mail worm propagation in this paper. We present an e-mail worm simulation model that accounts for the behaviors of e-mail users, including e-mail checking time and the probability of opening an e-mail attachment. Our observations of e-mail lists suggest that an Internet e-mail network follows a heavy-tailed distribution in terms of node degrees, and we model it as a power-law network. To study the topological impact, we compare e-mail worm propagation on power-law topology with worm propagation on two other topologies: small-world topology and random-graph topology. The impact of the power-law topology on the spread of e-mail worms is mixed: E-mail worms spread more quickly on a power-law topology than on a small-world topology or a random-graph topology, but immunization defense is more effective on a power-law topology.

Dynamic resource allocation for shared data centers using online measurements

Since web workloads are known to vary dynamically with time, in this paper, we argue that dynamic resource allocation techniques are necessary to provide guarantees to web applications running on shared data centers. To address this issue, we use a system architecture that combines online measurements with prediction and resource allocation techniques. To perform resource allocation, we model a server resource that services multiple applications as a generalized processor sharing (GPS) server. We use a time-domain description of the server to model transient system states and use a constrained non-linear optimization technique to dynamically allocate the server resources. The parameters of this model are continuously updated using an online monitoring and prediction framework. Our prediction technique is based on an autoregressive stochastic process model. The main goal of our techniques is to react to changing workloads by dynamically varying the resource shares of applications. In addition, these techniques can also handle nonlinearity in system behavior unlike some prior techniques. We evaluate our techniques using simulations with synthetic as well as real-world web workloads. Our results show that these techniques can judiciously allocate system resources, especially under transient overload conditions.

Email worm modeling and defense

Email worms constitute one of the major Internet security problems. In this paper, we present an email worm model that accounts for the behaviors of email users by considering email checking time and the probability of opening email attachments. Email worms spread over a logical network defined by email address relationship, which plays an important role in determining the spreading dynamics of an email worm. Our observations suggest that the node degrees of an email network are heavy-tailed distributed. We compare email worm propagation on three topologies: power law, small world and random graph topologies; and then study how the topology affects immunization defense on email worms. The impact of the power law topology on the spread of email worms is mixed: email worms spread more quickly on a power law topology than on a small world topology or a random graph topology, but immunization defense is more effective on a power law topology than on the other two