Yoohwan Kim

Packetscore: statistics-based overload control against distributed denial-of-service attacks

Distributed denial of service (DDoS) attack is a critical threat to the Internet. Currently, most ISPs merely rely on manual detection of DDoS attacks after which offline fine-grain traffic analysis is performed and new filtering rules are installed manually to the routers. The need of human intervention results in poor response time and fails to protect the victim before severe damages are realized. The expressiveness of existing filtering rules is also too limited and rigid when compared to the ever-evolving characteristics of the attacking packets. Recently, we have proposed a DDoS defense architecture that supports distributed detection and automated on-line attack characterization. We focus on the design and evaluation of the automated attack characterization, selective packet discarding and overload control portion of the proposed architecture. Our key idea is to prioritize packets based on a per-packet score which estimates the legitimacy of a packet given the attribute values it carries. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation. Once the score of a packet is computed, we perform score-based selective packet discarding where the dropping threshold is dynamically adjusted based on (1) the score distribution of recent incoming packets and (2) the current level of overload of the system.

PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks

Distributed denial-of-service (DDoS) attacks are a critical threat to the Internet. This paper introduces a DDoS defense scheme that supports automated online attack characterizations and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score of a packet is computed, this scheme performs score-based selective packet discarding where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current level of system overload. This paper describes the design and evaluation of automated attack characterizations, selective packet discarding, and an overload control process. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation through scorebook generation and pipeline processing. A simulation study indicates that packetscore is very effective in blocking several different attack types under many different conditions

EEMC: An energy-efficient multi-level clustering algorithm for large-scale wireless sensor networks

Wireless sensor networks can be used to collect surrounding data by multi-hop. As sensor networks have the limited and not rechargeable energy resource, energy efficiency is an important design issue for its topology. In this paper, we propose a distributed algorithm, EEMC (energy-efficient multi-tier clustering), that generates multi-tier clusters for long-lived sensor networks. EEMC terminates in O(log logN) iterations given N nodes, incurs low energy consumption and latency across the network. Simulation results demonstrate that our proposed algorithm is effective in prolonging the large-scale network lifetime and achieving more power reductions

Performance Analysis of Error Control Codes for Wireless Sensor Networks

In wireless sensor networks, the data transmitted from the sensor nodes are vulnerable to corruption by errors induced by noisy channels and other factors. Hence it is necessary to provide a proper error control scheme to reduce the bit error rate (BER). Due to the stringent energy constraint in sensor networks, it is vital to use energy efficient error control scheme. In this paper, we focus our study on the performance analysis of various error control codes in terms of their BER performance and power consumption on different platforms. In detail, error control codes with different constraints are implemented and simulated using VHDL. Implementation on FPGA and ASIC design is carried out and the energy consumption is measured. The error control performance of these codes is evaluated in terms of bit error rate (BER) by transmitting randomly generated data through a Gaussian channel. Based on the study and comparison of the three different error control codes, we identify that binary-BCH codes with ASIC implementation are best suitable for wireless sensor networks

An agile manufacturing workcell design

This paper introduces a design for agile manufacturing workcells intended for light mechanical assembly of products made from similar components (i.e., parts families). We define agile manufacturing as the ability to accomplish rapid changeover from the assembly of one product to the assembly of a different product. Rapid hardware changeover is made possible through the use of robots, flexible part feeders, modular grippers, and modular assembly hardware. The division of assembly, feeding, and unloading tasks between multiple robots is examined with prioritization based upon assembly time. Rapid software changeover will be facilitated by the use of a real-time, object-oriented software environment utilizing graphical simulations for off-line software development. An innovative dual VMEbus controller architecture permits an open software environment while accommodating the closed nature of most commercial robot controllers. These agile features permit new products to be introduced with minimal downtime and system reconfiguration.

Advances in agile manufacturing

An agile workcell has been developed for light mechanical assembly in collaboration with industrial sponsors. The workcell includes multiple Adept robots, a Bosch conveyor system, multiple flexible parts feeders at each robots workstation, CCD cameras for parts feeding and hardware registration, and a dual VMEbus control system. Our flexible pairs feeder design uses multiple conveyors to singulate the parts and machine vision to locate them. Specialized hardware is encapsulated on modular grippers and modular worktables which can be quickly interchanged for assembly of different products. Object-oriented software (C++) running under VxWorks, a real-time operating system, is used for workcell control. An agile software architecture was developed for rapid introduction of new assemblies through code re-use. A simulation of the workcell was developed so that controller software could be written and tested off-line, enabling the rapid introduction of new products.

SFRIC: A Secure Fast Roaming Scheme in Wireless LAN Using ID-Based Cryptography

In a wireless network composed of multiple access points, a long delay during roaming from one access point to another may cause a disruption for streaming traffic. Roaming in wireless LAN is generally composed of two parts, 1) searching for a new access point and 2) performing authentication at the new access point. To reduce the second part delay, we propose an innovative lightweight authentication scheme called SFRIC (secure fast /foaming using ID-based cryptography). SFRIC employs ID-based cryptography to simplify the authentication process. It performs mutual authentication for the mobile client and AP with a 3-way handshake, then generates a PTK (pairwise transient key) directly without pre-distributing PMK (pairwise master key). It does not require contacting an authentication server or exchanging certificates. SFRIC is composed of two phases. In the first phase (the preparation phase), each mobile client obtains a temporary private key from the PKG (private key generator). In the second phase (the roaming authentication phase), mutual authentication and key distribution are performed. Our preliminary analysis indicates that SFRIC can complete the roaming authentication within a period much less than the critical 20 ms threshold, required for maintaining streaming traffic, when the cryptographic operations are performed in hardware.

Defeating distributed denial-of-service attack with deterministic bit marking

Distributed denial-of-service (DDoS) attack is a serious threat in Internet. We propose a bit marking concept to identify and drop the DDoS attack packets. Bit marking is a variation of the packet marking technique that modifies packet headers at each router. However instead of storing the router information in the packets, bit marking alters one or more bits in the marking field. The bit marking process discussed in this paper is performed to all the packets and at all the routers along the path; hence it is called deterministic bit marking (DBM). DBM creates a common path signature for all the packets originating from the same location upon arriving at a destination. Since different source networks generate virtually unique path signatures, DBM makes it possible to isolate and discard DDoS attack traffic. From the Internet topology of autonomous systems we observe that the source networks are quite uniformly distributed over the path signature space. In our simulation over 99% of the attack traffic is blocked using DBM while up to 99% of the legitimate traffic passes. DBM can also be used for source traceback using reverse bit marking. DBM can be independently deployed for each ISP and the DBM-based networks can be protected from the attacks coming from nonDBM networks.

Internet traffic load balancing using dynamic hashing with flow volume

Sending IP packets over multiple parallel links is in extensive use in todays Internet and its use is growing due to its scalability, reliability and cost-effectiveness. To maximize the efficiency of parallel links, load balancing is necessary among the links, but it may cause the problem of packet reordering. Since packet reordering impairs TCP performance, it is important to reduce the amount of reordering. Hashing offers a simple solution to keep the packet order by sending a flow over a unique link, but static hashing does not guarantee an even distribution of the traffic amount among the links, which could lead to packet loss under heavy load. Dynamic hashing offers some degree of load balancing but suffers from load fluctuations and excessive packet reordering. To overcome these shortcomings, we have enhanced the dynamic hashing algorithm to utilize the flow volume information in order to reassign only the appropriate flows. This new method, called dynamic hashing with flow volume (DHFV), eliminates unnecessary flow reassignments of small flows and achieves load balancing very quickly without load fluctuation by accurately predicting the amount of transferred load between the links. In this paper we provide the general framework of DHFV and address the challenges in implementing DHFV. We then introduce two algorithms of DHFV with different flow selection strategies and show their performances through simulation.

Design of an agile manufacturing workcell for light mechanical applications

This paper introduces a design for agile manufacturing workcells intended for light mechanical assembly of products made from similar components (i.e. parts families). We define agile manufacturing as the ability to accomplish rapid changeover from the assembly of one product to the assembly of another product. Rapid hardware changeover is made possible through the use of robots, flexible part feeders, modular grippers and modular assembly hardware. The flexible feeders rely on belt feeding and binary computer vision for Dose estimation. This has a distinct advantage over non-flexible feeding schemes such as bowl feeders which require considerable adjustment to changeover from one part to another. Rapid software changeover is being facilitated by the use of a real-time, object-oriented software environment, modular software, graphical simulations for off-line software development, and an innovative dual VMEbus controller architecture. These agile features permit new products to be introduced with minimal downtime and system reconfiguration.