
International Journal of Computer Science and Information Security October 2009

					IJCSIS Vol. 6, No. 1, October 2009 ISSN 1947-5500

International Journal of Computer Science & Information Security

© IJCSIS PUBLICATION 2009

IJCSIS Editorial
Message from Managing Editor
I am pleased to introduce the Volume 6, No. 1, October 2009 issue of IJCSIS, containing 30 papers (acceptance rate of ~37%) that were selected after a rigorous journal-style review process. The goal is to present high-quality research results from the world's top researchers in the areas of computer science, networking, emerging technologies and information security. This journal issue again demonstrates that the goal has been achieved. With our continuing open-access policy, I invite readers to enjoy this exclusive collection of high-quality computer science research.

Special thanks to our reviewers and sponsors for their valuable service. Available at http://sites.google.com/site/ijcsis/. IJCSIS Vol. 6, No. 1, October 2009 Edition, ISSN 1947-5500. © IJCSIS 2009-2010, USA.

Indexed by (among others):

IJCSIS EDITORIAL BOARD
Dr. Gregorio Martinez Perez, Associate Professor (Profesor Titular de Universidad), University of Murcia (UMU), Spain
Dr. M. Emre Celebi, Assistant Professor, Department of Computer Science, Louisiana State University in Shreveport, USA
Dr. Yong Li, School of Electronic and Information Engineering, Beijing Jiaotong University, P.R. China
Dr. Sanjay Jasola, Professor and Dean, School of Information and Communication Technology, Gautam Buddha University
Dr. Riktesh Srivastava, Assistant Professor, Information Systems, Skyline University College, University City of Sharjah, Sharjah, PO 1797, UAE
Dr. Siddhivinayak Kulkarni, University of Ballarat, Ballarat, Victoria, Australia
Professor (Dr.) Mokhtar Beldjehem, Sainte-Anne University, Halifax, NS, Canada

TABLE OF CONTENTS
1. A New Fuzzy Approach for Dynamic Load Balancing Algorithm (pp. 001-005)
Abbas Karimi 1,2,3, Faraneh Zarafshan 1,3, Adznan b. Jantan 1, A.R. Ramli 1, M. Iqbal b. Saripan 1. 1 Department of Computer Systems Engineering, Faculty of Engineering, UPM, Malaysia; 2 Computer Department, Faculty of Engineering, IAU, Arak, Iran; 3 Young Researchers' Club, IAU, Arak, Iran

2. Knowledge Extraction for Discriminating Male and Female in Logical Reasoning from Student Model (pp. 006-015)
A. E. E. ElAlfi, Dept. of Computer Science, Mansoura University, Mansoura, Egypt, 35516; M. E. ElAlami, Dept. of Computer Science, Mansoura University, Mansoura, Egypt, 35516; Y. M. Asem, Dept. of Computer Science, Taif University, Taif, Saudi Arabia

3. A Mirroring Theorem and its Application to a New Method of Unsupervised Hierarchical Pattern Classification (pp. 016-025)
Dasika Ratna Deepthi, Department of Computer Science, Aurora's Engineering College, Bhongir, Nalgonda Dist., A.P., India; K. Eswaran, Department of Computer Science, Srinidhi Institute of Science and Technology, Yamnampet, Ghatkesar, Hyderabad, India

4. Algorithm as Defining Dynamic Systems (pp. 026-028)
Keehang Kwon and Hong Pyo Ha, Department of Computer Engineering, Dong-A University, Busan, Republic of Korea

5. A Wavelet-Based Digital Watermarking for Video (pp. 029-033)
A. Essaouabi and F. Regragui, Department of Physics, LIMIARF Laboratory, Faculty of Sciences, Mohammed V University, Rabat, Morocco; E. Ibnelhaj, Image Laboratory, National Institute of Posts and Telecommunications, Rabat, Morocco

6. A Cost Effective RFID Based Customized DVD-ROM to Thwart Software Piracy (pp. 034-039)
Prof. Sudip Dogra, Ritwik Ray, Saustav Ghosh, and Debharshi Bhattacharya, Electronics & Communication Engineering, Meghnad Saha Institute of Technology, Kolkata, India; Prof. Subir Kr. Sarkar, Electronics and Telecommunication Engineering, Jadavpur University, Kolkata, India

7. A O(|E|) Time Shortest Path Algorithm for Non-Negative Weighted Undirected Graphs (pp. 040-046)
Muhammad Aasim Qureshi, Dr. Fadzil B. Hassan, Sohail Safdar, Rehan Akbar, Computer and Information Science Department, Universiti Teknologi PETRONAS, Perak, Malaysia

8. Biologically Inspired Execution Framework for Vulnerable Workflow Systems (pp. 047-051)
Sohail Safdar, Mohd. Fadzil B. Hassan, Muhammad Aasim Qureshi, Rehan Akbar, Department of Computer & Information Sciences, Universiti Teknologi PETRONAS, Malaysia

9. RCFT: Re-Clustering Formation Technique in Hierarchical Sensor Network (pp. 052-055)
Boseung Kim, Joohyun Lee, Yongtae Shin, Computing Department, Soongsil University, Seoul, South Korea

10. An Alternative to Common Content Management Techniques (pp. 056-060)
Rares Vasilescu, Computer Science and Engineering Department, Faculty of Automatic Control and Computers, Politehnica University, Bucharest, Romania

11. Routing Technique Based on Clustering for Data Duplication Prevention in Wireless Sensor Network (pp. 061-065)
Boseung Kim, HuiBin Lim, Yongtae Shin, Computing Department, Soongsil University, Seoul, South Korea

12. An Optimal Method for Wake Detection in SAR Images Using Radon Transformation Combined with Wavelet Filters (pp. 066-069)
Ms. M. Krishnaveni, Lecturer (SG), Department of Computer Science, Avinashilingam University for Women, Coimbatore, India; Mr. Suresh Kumar Thakur, Deputy Director, Naval Research Board-DRDO, New Delhi, India; Dr. P. Subashini, Research Assistant-NRB, Department of Computer Science, Avinashilingam University for Women, Coimbatore, India

13. AES Implementation and Performance Evaluation on 8-bit Microcontrollers (pp. 070-074)
Hyubgun Lee, Kyounghwa Lee, Yongtae Shin, Computing Department, Soongsil University, Seoul, South Korea

14. GoS Proposal to Improve Trust and Delay of MPLS Flows for MCN Services (pp. 075-082)
Francisco J. Rodríguez-Pérez, José-Luis González-Sánchez, and Alfonso Gazo-Cervero, Computer Science Dept., Area of Telematics Engineering, University of Extremadura, Cáceres, Spain

15. Novel Intrusion Detection using Probabilistic Neural Network and Adaptive Boosting (pp. 083-091)
Tich Phuoc Tran and Longbing Cao, Faculty of Engineering and Information Technology, University of Technology, Sydney, Australia; Dat Tran, Faculty of Information Sciences and Engineering, University of Canberra, Australia; Cuong Duc Nguyen, School of Computer Science and Engineering, International University, HCMC, Vietnam

16. Building a Vietnamese Language Query Processing Framework for e-Library Searching Systems (pp. 092-096)
Dang Tuan Nguyen and Ha Quy-Tinh Luong, Faculty of Computer Science, University of Information Technology, VNU-HCM, Ho Chi Minh City, Vietnam; Tuyen Thi-Thanh Do, Faculty of Software Engineering, University of Information Technology, VNU-HCM, Ho Chi Minh City, Vietnam

17. Detecting Botnet Activities Based on Abnormal DNS Traffic (pp. 097-104)
Ahmed M. Manasrah, Awsan Hasan, Omar Amer Abouabdalla, and Sureswaran Ramadass, National Advanced IPv6 Center of Excellence, Universiti Sains Malaysia, Pulau Pinang, Malaysia

18. SOAP Serialization Performance Enhancement: Design and Implementation of a Middleware (pp. 105-110)
Behrouz Minaei and Parinaz Saadat, Computer Department, Iran University of Science and Technology, Tehran, Iran

19. Breast Cancer Detection Using Multilevel Thresholding (pp. 111-115)
Y. Ireaneus Anna Rejani, Noorul Islam College of Engineering, Kumaracoil, Tamilnadu, India; Dr. S. Thamarai Selvi, Professor & Head, Department of Information Technology, MIT, Chennai, Tamilnadu, India

20. Energy Efficient Security Architecture for Wireless Bio-Medical Sensor Networks (pp. 116-122)
Rajeswari Mukesh, Dept. of Computer Science & Engg., Easwari Engineering College, Chennai 600 089; Dr. A. Damodaram, Vice Principal, JNTU College of Engineering, Hyderabad 500 072; Dr. V. Subbiah Bharathi, Dean Academics, DMI College of Engineering, Chennai 601 302

21. Software Security Rules: SDLC Perspective (pp. 123-128)
C. Banerjee and S. K. Pandey, Department of Information Technology, Board of Studies, The Institute of Chartered Accountants of India, Noida 201301, India

22. An Entropy Architecture for Defending Distributed Denial-of-Service Attacks (pp. 129-136)
Meera Gandhi, Research Scholar, Department of CSE, Sathyabama University, Chennai, Tamil Nadu; S. K. Srivatsa, Professor, ICE, St. Joseph's College of Engineering, Chennai, Tamil Nadu

23. A Context-based Trust Management Model for Pervasive Computing Systems (pp. 137-142)
Negin Razavi, Amir Masoud Rahmani, and Mehran Mohsenzadeh, Islamic Azad University, Science and Research Branch, Tehran, Iran

24. Proposed Platform for Improving Grid Security by Trust Management System (pp. 143-148)
Safieh Siadat, Amir Masoud Rahmani, and Mehran Mohsenzadeh, Islamic Azad University, Science and Research Branch, Tehran, Iran

25. An Innovative Scheme for Effectual Fingerprint Data Compression Using Bezier Curve Representations (pp. 149-157)
Vani Perumal, Department of Computer Applications, S.A. Engineering College, Chennai 600 077, India; Dr. Jagannathan Ramaswamy, Deputy Registrar (Education), Vinayaka Missions University, Chennai, India

26. Exception Agent Detection System for IP Spoofing Over Online Environments (pp. 158-164)
Al-Sammarraie Hosam, Center for IT and Multimedia, Universiti Sains Malaysia, Penang, Malaysia; Adli Mustafa, School of Mathematical Sciences, Universiti Sains Malaysia, Penang, Malaysia; Shakeel Ahmad, School of Mathematical Sciences, Universiti Sains Malaysia, Penang, Malaysia, and Institute of Computing and Information Technology, Gomal University, Pakistan; Merza Abbas, Center for IT and Multimedia, Universiti Sains Malaysia, Penang, Malaysia

27. A Trust-Based Cross-Layer Security Protocol for Mobile Ad hoc Networks (pp. 165-172)
A. Rajaram, Anna University, Coimbatore, India; Dr. S. Palaniswami, Anna University, Coimbatore

28. Generalized Discriminant Analysis Algorithm for Feature Reduction in Cyber Attack Detection System (pp. 173-180)
Shailendra Singh, Department of Information Technology, Rajiv Gandhi Technological University, Bhopal, India; Sanjay Silakari, Department of Computer Science and Engineering, Rajiv Gandhi Technological University, Bhopal, India

29. Management of Location Based Advertisement Services using Spatial Triggers in Cellular Networks (pp. 181-185)
M. Irfan, M.M. Tahir N. Baig, Furqan H. Khan, Raheel M. Hashmi, Khurram Shehzad, and Assad Ali, Department of Electrical Engineering, COMSATS Institute of Information Technology, Islamabad, Pakistan

30. A Way to Understand Various Patterns of Data Mining Techniques for Selected Domains (pp. 186-191)
Dr. Kanak Saxena, Computer Applications, SATI, Vidisha; D.S. Rajpoot, UIT, RGPV, Bhopal

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

A New Fuzzy Approach for Dynamic Load Balancing Algorithm
Abbas Karimi 1,2,3, Faraneh Zarafshan 1,3, Adznan b. Jantan 1, A.R. Ramli 1, M. Iqbal b. Saripan 1

1 Department of Computer Systems Engineering, Faculty of Engineering, UPM, Malaysia
2 Computer Department, Faculty of Engineering, IAU, Arak, Iran
3 Young Researchers' Club, IAU, Arak, Iran

Abstract— Load balancing is the process of improving the performance of a parallel and distributed system by redistributing load among the processors [1-2]. Most previous work on load balancing, and on distributed decision making in general, does not effectively take into account the uncertainty and inconsistency in state information; fuzzy logic gives us a way to reason over such imprecise information starting from crisp inputs. In this paper, we present a new approach to implementing a dynamic load balancing algorithm with fuzzy logic, which copes with the uncertainty and inconsistency that hamper previous algorithms. Furthermore, our algorithm shows better response time than the Round Robin and Randomize algorithms, by 30.84% and 45.45% respectively.

Keywords- Load balancing, Fuzzy logic, Distributed systems.

I. INTRODUCTION

Distributed computing systems have become a natural setting in many environments for business and academia. This is due to the rapid increase in processor- and/or memory-hungry applications, coupled with the advent of low-cost, powerful workstations [3]. In a typical distributed system, tasks arrive at the different nodes in a random fashion, which causes non-uniform loading across the system nodes: some nodes are highly loaded while others are lightly loaded or even idle. Such situations are harmful to system performance in terms of the mean response time of tasks and resource utilization [3]. A system [4-5] of distributed computers, with tens or hundreds of computers connected by high-speed networks, has many advantages over a system of the same standalone computers. A distributed system provides resource sharing as one of its major advantages, which gives better performance and reliability than any traditional system under the same conditions [1]. Section II describes load balancing and its models. In Section III, we explain our model; in Section IV, we explain the methodology and the fuzzy rules. Performance evaluation is covered in Section V, and finally we present the conclusion.

II. LOAD BALANCING

In computer networking, load balancing is a technique to spread work between two or more computers, network links, CPUs, hard drives, or other resources, in order to achieve optimal resource utilization, throughput, or response time. Using multiple components with load balancing, instead of a single component, may also increase reliability through redundancy. Load balancing attempts to maximize system throughput by keeping all processors busy. It is done by migrating tasks from overloaded nodes to other, lightly loaded nodes to improve overall system performance. Load balancing algorithms are typically based on a load index, which provides a measure of the workload at a node relative to some global average, and four policies, which govern the actions taken once a load imbalance is detected [6]. The load index is used to detect a load imbalance state. Qualitatively, a load imbalance occurs when the load index at one node is much higher (or lower) than the load index at the other nodes. The length of the CPU queue has been shown to provide a good load index on time-shared workstations when the performance measure of interest is the average response time [7-8]. In the case of multiple resources (disk, memory, etc.), a linear combination of the lengths of all the resource queues provides an improved measure, as job execution time may be driven by more than CPU cycles [9-10]. The four policies that govern the action of a load balancing algorithm when a load imbalance is detected deal with information, transfer, location, and selection. The information policy is responsible for keeping up-to-date load information about each node in the system. A global information policy provides access to the load index of every node, at the cost of additional communication for maintaining accurate information [5, 10]. The transfer policy deals with the dynamic aspects of a system. It uses the nodes' load information to decide when a node becomes eligible to act as a sender (transfer a job to another node) or as a receiver (retrieve a job from another node). Transfer policies are typically threshold based. Thus,

1

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

if the load at a node increases beyond a threshold Ts, the node becomes an eligible sender. Likewise, if the load at a node drops below a threshold, the node becomes an eligible receiver. The location policy selects a partner node for a job transfer transaction. If the node is an eligible sender, the location policy seeks out a receiver node to receive the job selected by the selection policy (described below). If the node is an eligible receiver, the location policy looks for an eligible sender node [10]. Once a node becomes an eligible sender, a selection policy is used to pick which of the queued jobs is to be transferred to the receiver node. The selection policy uses several criteria to evaluate the queued jobs. Its goal is to select a job that reduces the local load, incurs as little cost as possible in the transfer, and has good affinity to the node to which it is transferred. A common selection policy is latest-job-arrived, which selects the job currently in last place in the work queue [10]. There are two types of load balancing algorithms:


A. Static Load-Balancing
In this method, the performance of the nodes is determined at the beginning of execution, and the workload is then distributed at the start by the master node, depending on the nodes' performance. The slave processors calculate their allocated work and submit their results to the master. A task is always executed on the node to which it is assigned; that is, static load balancing methods are non-preemptive. A general disadvantage of all static schemes is that the final selection of a host for process allocation is made when the process is created and cannot be changed during process execution to reflect changes in the system load [1]. Major static load balancing algorithms are Round Robin [11], Randomized [12], Central Manager [13] and Threshold [1, 14].

B. Dynamic Load-Balancing
Dynamic load balancing differs from static algorithms in that the workload is distributed among the nodes at runtime. The master assigns new processes to the slaves based on newly collected information [4, 15]. Unlike static algorithms, dynamic algorithms allocate processes dynamically when one of the processors becomes underloaded; processes are buffered in the queue on the main host and allocated dynamically upon requests from remote hosts [1]. This category consists of the Central Queue Algorithm and the Local Queue Algorithm [16]. Load balancing algorithms thus differ in when the workload is assigned: at compile time or at runtime. Comparison shows that static load balancing algorithms are more stable than dynamic ones, and it is also easier to predict their behavior; at the same time, dynamic distributed algorithms are generally considered better than static algorithms [1].

III. SYSTEM MODEL

We have a distributed network consisting of n nodes, where every node may be a complex combination of multiple types of resources (CPUs, memory, disks, switches, and so on), and the physical configuration of resources may differ from node to node. This heterogeneity can be manifested in two ways [17]. The amount of a given resource at one node may be quite different from the configuration of a node at another site. Additionally, nodes may have a different balance of each resource: for example, one node may have a (relatively) large memory with respect to its number of CPUs, while another node may have a large number of CPUs with less memory [18-19]. As illustrated in Fig. 1, our system model comprises a routing table, a load index, a cost table, and a fuzzy controller, which manages the load balancing of the system.

Fig. 1: System model (the routing table, load index and cost table feed the fuzzy controller, which drives the load balancer)
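To make the static/dynamic contrast from Section II concrete, here is a minimal sketch (function names and workloads are ours, not the paper's) of a static round-robin assignment, fixed at task creation, versus a dynamic assignment that always picks the currently lightest node:

```python
import heapq

def round_robin(num_tasks, num_nodes):
    """Static policy: task i is bound to node i mod n at creation time
    and never migrates afterwards."""
    loads = [0] * num_nodes
    for i in range(num_tasks):
        loads[i % num_nodes] += 1
    return loads

def least_loaded(task_costs, num_nodes):
    """Dynamic policy: each arriving task goes to whichever node is
    currently lightest (a min-heap keyed on current load)."""
    heap = [(0, n) for n in range(num_nodes)]  # (current load, node id)
    heapq.heapify(heap)
    loads = [0] * num_nodes
    for cost in task_costs:
        _, node = heapq.heappop(heap)
        loads[node] += cost
        heapq.heappush(heap, (loads[node], node))
    return loads

print(round_robin(10, 3))                   # [4, 3, 3]
print(least_loaded([5, 1, 1, 1, 1, 1], 3))  # [5, 3, 2]
```

With uniform tasks the two behave alike; the dynamic policy pays off when task costs are uneven, as in the second call, where the heavy first task keeps node 0 from receiving further work.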

The routing table represents the communication links among the nodes in the system. The load index indicates the load of its node and is used by the policies described in Section II. In order to determine the node status as a sender, receiver or neutral using the fuzzy controller and the fuzzy rules, we need a cost table that provides the nodes' communication costs and the number of heavily loaded nodes. The cost table is obtained from the load index and the routing table, while the number of heavily loaded nodes can be extracted from the cost table.

IV. METHODOLOGY

The load index is defined between 0 and w, with threshold s, and is classified into five categories based on this threshold. Five fuzzy sets (Fig. 2) are used to describe the load index value: very lightly loaded, lightly loaded, moderately loaded, heavily loaded and very heavily loaded. The membership grades of these fuzzy variables are uncertain and may change depending on the network situation.
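The five load-index sets just described can be sketched as trapezoidal membership functions. The breakpoint values below are illustrative assumptions only; the paper defines the actual shapes in Fig. 2 and the formulas that follow.

```python
def trapezoid(x, a, b, c, d):
    """Membership grade of x in a trapezoidal fuzzy set: rising on [a, b],
    flat at 1 on [b, c], falling on [c, d], and 0 outside (a, d)."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)

# Illustrative breakpoints 0 < p < q < r < s < t < u < v < w (assumed values).
p, q, r, s, t, u, v, w = 10, 20, 30, 40, 50, 60, 70, 80

def load_index_grades(load):
    """Grade of `load` in each of the five fuzzy sets of the load index."""
    return {
        "very_lightly": trapezoid(load, -1, 0, p, q),
        "lightly":      trapezoid(load, p, q, r, s),
        "moderate":     trapezoid(load, r, s, s, t),   # triangular, peak at s
        "heavy":        trapezoid(load, s, t, u, v),
        "very_heavy":   trapezoid(load, u, v, w, w + 1),
    }
```

For instance, with these breakpoints a load of 45 sits halfway between the moderate and heavy sets (grade 0.5 in each), which is exactly the kind of partial membership a crisp threshold cannot express.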



Fig. 2: Fuzzy sets for the load index (breakpoints p, q, r, s, t, u, v, w on the load axis)

The membership functions for the load index are:

μ_verylightlyload(load) = 1 for load ≤ p; (q − load)/(q − p) for p ≤ load ≤ q; 0 for load > q

μ_lightlyload(load) = (load − p)/(q − p) for p ≤ load ≤ q; 1 for q ≤ load ≤ r; (s − load)/(s − r) for r ≤ load ≤ s; 0 otherwise

μ_moderateload(load) = (load − r)/(s − r) for r ≤ load ≤ s; (t − load)/(t − s) for s ≤ load ≤ t; 0 otherwise

μ_heavyload(load) = (load − s)/(t − s) for s ≤ load ≤ t; 1 for t ≤ load ≤ u; (v − load)/(v − u) for u ≤ load ≤ v; 0 otherwise

μ_veryheavyload(load) = (load − u)/(v − u) for u ≤ load ≤ v; 1 for load ≥ v

For input 2, the number of heavy nodes, the fuzzy sets are defined as less and more-equal (N is the number of heavy nodes):

μ_less(N) = 1 for N ≤ p; (q − N)/(q − p) for p ≤ N ≤ q; 0 for N > q

μ_moreequal(N) = 0 for N < q; (N − q)/(r − q) for q ≤ N ≤ r; 1 for N > r

Fig. 3: Fuzzy sets for the number of heavy nodes (breakpoints p, q, r)

Assuming a sender-initiated load balancing algorithm, the proposed knowledge base is as follows:

Rule [1]. If (load is very_lightly_load) then (status_loadbalance_node is receiver)
Rule [2]. If (load is very_heavy_load) then (status_loadbalance_node is sender)
Rule [3]. If (load is heavy_load) and (no_heavy_load_nodes is more) then (status_loadbalance_node is receiver)
Rule [4]. If (load is heavy_load) and (no_heavy_load_nodes is less) then (status_loadbalance_node is sender)
Rule [5]. If (load is lightly_load) and (no_heavy_load_nodes is less) then (status_loadbalance_node is sender)
Rule [6]. If (load is lightly_load) and (no_heavy_load_nodes is more) then (status_loadbalance_node is receiver)
Rule [7]. If (load is moderate_load) and (no_heavy_load_nodes is more) then (status_loadbalance_node is receiver)
Rule [8]. If (load is moderate_load) and (no_heavy_load_nodes is less) then (status_loadbalance_node is sender)
Rule [9]. If the node is a sender, then select a receiver as a migration partner
Rule [10]. If the node fails to find a migration partner, then the node is neutral
Rule [11]. If the node is a sender, then select a suitable task to transfer
Rule [12]. If the node fails to select a suitable task to transfer, then select another migration partner

Fuzzy sets for the output are shown in Fig. 4.
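Putting the membership functions and rules [1]-[8] together, a node-status decision can be sketched as a small min/max inference step. The breakpoints, the fuzzification of the heavy-node count around its threshold, and the tie-to-neutral fallback are all our assumptions; the paper's rules [9]-[12], which handle migration-partner and task selection, are not modeled here.

```python
def tri_up(x, a, b):
    """Grade rising linearly from 0 at a to 1 at b, clipped to [0, 1]."""
    return max(0.0, min(1.0, (x - a) / (b - a)))

def tri_down(x, a, b):
    """Grade falling linearly from 1 at a to 0 at b, clipped to [0, 1]."""
    return max(0.0, min(1.0, (b - x) / (b - a)))

# Illustrative load-index breakpoints p < q < r < s < t < u < v (assumed).
p, q, r, s, t, u, v = 10, 20, 30, 40, 50, 60, 70

def decide_status(load, n_heavy, n_threshold):
    """Sketch of rules [1]-[8]: fuzzify both inputs, fire each rule with
    min() for AND, aggregate per output status with max(), and fall back
    to neutral on a tie (cf. rule [10])."""
    g = {  # membership grades of the load index in the five sets
        "very_light": tri_down(load, p, q),
        "light":      min(tri_up(load, p, q), tri_down(load, r, s)),
        "moderate":   min(tri_up(load, r, s), tri_down(load, s, t)),
        "heavy":      min(tri_up(load, s, t), tri_down(load, u, v)),
        "very_heavy": tri_up(load, u, v),
    }
    # "less" / "more" heavy nodes, fuzzified around an assumed threshold.
    less = tri_down(n_heavy, n_threshold - 1, n_threshold + 1)
    more = tri_up(n_heavy, n_threshold - 1, n_threshold + 1)
    receiver = max(g["very_light"],                 # rule [1]
                   min(g["heavy"], more),           # rule [3]
                   min(g["light"], more),           # rule [6]
                   min(g["moderate"], more))        # rule [7]
    sender = max(g["very_heavy"],                   # rule [2]
                 min(g["heavy"], less),             # rule [4]
                 min(g["light"], less),             # rule [5]
                 min(g["moderate"], less))          # rule [8]
    if receiver == sender:
        return "neutral"
    return "receiver" if receiver > sender else "sender"
```

A heavily loaded node among few heavy nodes comes out as a sender, a very lightly loaded node as a receiver, and a moderately loaded node at the threshold as neutral.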


Fig. 4: Fuzzy sets for the output

Fig. 5: Response time (msec) of the Randomize, Round Robin and fuzzy load balancing algorithms versus the number of tasks for 5 nodes

Table 2: Improvement percentage of the proposed fuzzy algorithm vs. the Round Robin and Randomize load balancing algorithms

Number of tasks | Fuzzy vs. Round Robin | Fuzzy vs. Randomize
2               | 50%                   | 66.7%
4               | 33.3%                 | 50%
6               | 33.3%                 | 42.9%
8               | 22.2%                 | 36.4%
10              | 15.4%                 | 31.25%

V. PERFORMANCE EVALUATION

Simulation was performed in MATLAB and NS2 to verify our approach. We evaluate our fuzzy load balancer in a system with five nodes, using a randomly generated network graph and a randomly generated load vector; the load vector consists of the number of tasks on each node and the load index for each node. Each edge in the network graph is generated with probability 0.2, and task allocation follows a uniform distribution U[0, 1]: each generated task is assigned to the node corresponding to the interval of the generated random variable. Inter-arrival times are taken from the exponential distribution, and processor speeds for all nodes are taken from a uniform distribution. Our proposed fuzzy algorithm refreshes the cost table in real time as the nodes' loads are updated. We generate the cost table according to the network graph and load vector; the load of each node is equal to the number of that node's tasks. From the cost table we calculate the number of heavy nodes. The fuzzy system then determines, according to the number of heavily loaded nodes, the node's load, and the fuzzy rule base, the status of each node, which can be one of three states: sender, receiver or neutral. Results of our fuzzy load balancing algorithm are presented in Table 1.

Table 1: Response time (msec) of the load balancing algorithms for different numbers of tasks

Number of tasks | Randomize | Round Robin | Fuzzy
2               | 3         | 2           | 1
4               | 4         | 3           | 2
6               | 7         | 6           | 4
8               | 11        | 9           | 7
10              | 16        | 13          | 11
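The experimental setup described above might be generated along the following lines. This is only a sketch of the random inputs (the arrival rate, speed range, and seed are assumptions; the paper's actual MATLAB/NS2 code is not shown):

```python
import random

random.seed(1)  # deterministic for illustration

N_NODES, EDGE_PROB = 5, 0.2

# Random undirected network graph: each possible edge exists with p = 0.2.
edges = [(i, j) for i in range(N_NODES) for j in range(i + 1, N_NODES)
         if random.random() < EDGE_PROB]

def allocate(num_tasks):
    """Assign each task via a U[0, 1) draw: the sub-interval the draw
    falls into selects the destination node."""
    loads = [0] * N_NODES
    for _ in range(num_tasks):
        loads[int(random.random() * N_NODES)] += 1
    return loads

# Inter-arrival times drawn from an exponential distribution (rate assumed).
inter_arrivals = [random.expovariate(1.0) for _ in range(10)]

# Processor speeds drawn from a uniform distribution (range assumed).
speeds = [random.uniform(0.5, 1.5) for _ in range(N_NODES)]
```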


Table 3 shows the total improvement of our fuzzy approach. It confirms that the fuzzy load balancing algorithm has better response time and performance than the Round Robin and Randomize load balancing algorithms, by 30.84% and 45.45% respectively.

Table 3: Overall improvement of the proposed algorithm

Algorithm | vs. Round Robin | vs. Randomize
Fuzzy     | 30.84%          | 45.45%

VI. CONCLUSION AND FUTURE WORK

Fuzzy logic systems can produce crisp outputs from uncertain inputs. In this paper, we presented a new approach to implementing a dynamic load balancing algorithm with fuzzy logic, and we have shown that its response time is significantly better than that of the Round Robin and Randomize algorithms. In future work, we will pursue the load balancing issue in parallel systems, to find out whether the load balancing action can be made quicker than in previous works. Moreover, we will present a new load balancing approach for predicting node status as sender, receiver or neutral, with lower time complexity, using genetic algorithms and neuro-fuzzy techniques.

Fig. 5 shows that the fuzzy approach has a significantly better response time. Table 2 shows the improvement percentage of our algorithm over the Round Robin and Randomize algorithms for different numbers of tasks, confirming that the performance of the fuzzy algorithm is better than that of both.
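As a sanity check, the per-task improvements of Table 2 and the averages of Table 3 can be reproduced from the Table 1 response times (the averages match the paper's 30.84% and 45.45% up to rounding):

```python
# Response times (msec) from Table 1, for tasks = 2, 4, 6, 8, 10.
rand_rt  = [3, 4, 7, 11, 16]   # Randomize
rr_rt    = [2, 3, 6, 9, 13]    # Round Robin
fuzzy_rt = [1, 2, 4, 7, 11]    # proposed fuzzy algorithm

def improvement(base, ours):
    """Relative response-time gain of `ours` over `base`, per task count."""
    return [(b - o) / b for b, o in zip(base, ours)]

vs_rr   = improvement(rr_rt, fuzzy_rt)    # 50%, 33.3%, 33.3%, 22.2%, 15.4%
vs_rand = improvement(rand_rt, fuzzy_rt)  # 66.7%, 50%, 42.9%, 36.4%, 31.25%

avg_rr   = sum(vs_rr) / len(vs_rr)        # ≈ 0.3085 (Table 3: 30.84%)
avg_rand = sum(vs_rand) / len(vs_rand)    # ≈ 0.4543 (Table 3: 45.45%)
```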


REFERENCES


[1] S. Sharma, S. Singh, and M. Sharma, "Performance Analysis of Load Balancing Algorithms," World Academy of Science, Engineering and Technology, vol. 38, 2008.
[2] G. R. Andrews, D. P. Dobkin, and P. J. Downey, "Distributed allocation with pools of servers," in Proc. First ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, Ottawa, Canada: ACM, 1982, pp. 73-83.
[3] A. E. El-Abd, "Load balancing in distributed computing systems using fuzzy expert systems," presented at the International Conference on Modern Problems of Radio Engineering, Telecommunications and Computer Science (TCSET 2002), Lviv-Slavsko, Ukraine, 2002.
[4] S. Malik, "Dynamic Load Balancing in a Network of Workstations," 19 November 2000.
[5] D. L. Eager, E. D. Lazowska, and J. Zahorjan, "Adaptive load sharing in homogeneous distributed systems," IEEE Trans. Softw. Eng., vol. 12, pp. 662-675, 1986.
[6] N. G. Shivaratri, P. Krueger, and M. Singhal, "Load Distributing for Locally Distributed Systems," Computer, vol. 25, pp. 33-44, 1992.
[7] D. L. Eager, E. D. Lazowska, and J. Zahorjan, "A comparison of receiver-initiated and sender-initiated adaptive load sharing (extended abstract)," SIGMETRICS Perform. Eval. Rev., vol. 13, pp. 1-3, 1985.
[8] M. Livny and M. Melman, "Load balancing in homogeneous broadcast distributed systems," in Proc. Computer Network Performance Symposium, College Park, Maryland, United States: ACM, 1982, pp. 47-55.
[9] D. Ferrari and S. Zhou, "An empirical investigation of load indices for load balancing applications," presented at the 12th International Symposium on Computer Performance Modeling, Measurement, and Evaluation, North-Holland, Amsterdam, 1987.
[10] W. Leinberger, G. Karypis, and V. Kumar, "Load Balancing Across Near-Homogeneous Multi-Resource Servers," in Proc. 9th Heterogeneous Computing Workshop (HCW 2000), Cancun, Mexico, 2000.
[11] Z. Xu and R. Huang, "Performance Study of Load Balancing Algorithms in Distributed Web Server Systems," CS213 Parallel and Distributed Processing Project Report.
[12] R. Motwani and P. Raghavan, "Randomized algorithms," ACM Comput. Surv., vol. 28, pp. 33-37, 1996.
[13] P. L. McEntire, J. G. O'Reilly, and R. E. Larson, Distributed Computing: Concepts and Implementations. New York: IEEE Press, 1984.
[14] W. I. Kim and C. S. Kang, "An adaptive soft handover algorithm for traffic-load shedding in the WCDMA mobile communication system," presented at WCNC 2003.
[15] Y.-T. Wang and R. J. T. Morris, "Load Sharing in Distributed Systems," IEEE Transactions on Computers, vol. 34, pp. 204-217, 1985.
[16] W. Leinberger, G. Karypis, and V. Kumar, "Load Balancing Across Near-Homogeneous Multi-Resource Servers," presented at the 9th Heterogeneous Computing Workshop (HCW 2000), Cancun, Mexico, 2000.
[17] A. Kumar, M. Singhal, and T. L. Ming, "A model for distributed decision making: An expert system for load balancing in distributed systems," presented at the 11th Symposium on Operating Systems, 1987.
[18] S. Darbha and D. P. Agrawal, "Optimal Scheduling Algorithm for Distributed-Memory Machines," IEEE Transactions on Parallel and Distributed Systems, vol. 9, pp. 87-95, 1998.
[19] S. A. Munir, Y. W. Bin, R. Biao, and M. Man, "Fuzzy Logic based Congestion Estimation for QoS in Wireless Sensor Network," in Proc. IEEE Wireless Communications and Networking Conference (WCNC 2007), Kowloon, 2007, pp. 4336-4341.

Abbas Karimi received his Bachelor's degree in Computer Hardware Engineering and his M.S. in Computer Software Engineering in Iran. He is a PhD candidate at UPM, Malaysia, in the field of computer system engineering. He has been working as a lecturer and faculty member in the Department of Computer Engineering at IAU, Arak Branch, and as a lecturer at several other universities. He has been involved in several research projects, has authored one textbook in Persian, and has held several management posts. His research interests are in load balancing algorithms and real-time, distributed, parallel and fault-tolerant systems.



Knowledge Extraction for Discriminating Male and Female in Logical Reasoning from Student Model
A. E. E. ElAlfi
Dept. of Computer Science Mansoura University Mansoura Egypt, 35516 . Abstract:The learning process is a process of communication and interaction between the teacher and his students on one side and between the students and each others on the other side. Interaction of the teacher with his students has a great importance in the process of learning and education. The pattern and style of this interaction is determined by the educational situation, trends and concerns, and educational characteristics. Classroom interaction has an importance and a big role in increasing the efficiency of the learning process and raising the achievement levels of students. Students need to learn skills and habits of study, especially at the university level. The effectiveness of learning is affected by several factors that include the prevailing patterns of interactive behavior in the classroom. These patterns are reflected in the activities of teacher and learners during the learning process. The effectiveness of learning is also influenced by the cognitive and non cognitive characteristics of teacher that help him to succeed, the characteristics of learners, teaching subject, and the teaching methods. This paper presents a machine learning algorithm for extracting knowledge from student model. The proposed algorithm utilizes the inherent characteristic of genetic algorithm and neural network for extracting comprehensible rules from the student database. The knowledge is used for discriminating male and female levels in logical reasoning as a part of an expert system course.
Keywords: Knowledge extraction, Student model, Expert system, Logical reasoning, Classroom interaction, Genetic algorithm, Neural network.

M. E. ElAlami
Dept. of Computer Science Mansoura University Mansoura Egypt, 35516

Y. M. Asem
Dept. of Computer Science Taif University Taif, Saudi Arabia

I. INTRODUCTION

The learning environment is one of the major task variables that has received special attention from researchers for a long time, in order to identify the factors that may affect its efficiency. The process of interaction within the classroom has had a large share of their studies, and they have concluded that classroom interaction is the essence of the learning process [1]. The classroom interaction, which is represented by the communication patterns between the parties of the education and learning process, plays an important role in the learners' performance, their achievements, and their behavioral patterns. It is the way to establish ties of understanding between teacher and learners and among learners themselves, and it facilitates understanding the goals of education strategies and how to achieve them [2]. Learning skills are indispensable to every student in any area of science. They are inherent in the learner because of their significant impact on his level of achievement, which depends on the quality of the manner or method used in the learning process [3]. Learning skills allow the learner to acquire patterns of behavior that will be associated with him during the course of study. These patterns become study habits and acquire a relative stability with respect to the learner [4]. Students in the university have the responsibility to identify their goals and pursue strategies that lead to the achievement of these objectives. Therefore, these strategies should include the study habits which develop the composition of the student's knowledge [5]. The importance of following good habits of study, which reduce students' level of anxiety about their examinations, raise their self-confidence, and develop positive attitudes towards the faculty members and the materials, was presented in [6]. As a result, the students' achievement will increase, as well as their self-satisfaction [7]. Motivation is also of great importance in raising the tendency towards individual learning. It is one of the basic conditions for achieving the goal of the learning process, learning ways of thinking, the formation of attitudes and values, the collection of information, and problem solving [8]. Achievement motivation is one of the main factors that may be linked to the objectives of the school system. Assisting students to achieve this motivation will revitalize the level of performance in order to achieve the most important aspects of school work [9]. Logical reasoning lets individuals think logically to solve problems, which proves the logical ability of


each individual. Induction, or inductive reasoning, sometimes called inductive logic, is reasoning which takes us beyond the confines of our current evidence or knowledge to conclusions about the unknown [10]. If the variables of classroom interaction, learning and studying skills, and motivation are the whole set of factors affecting learning, is it possible for them to compensate for each other? The current study aims to:
1. Identify the differences between female and male students in logical reasoning, learning skills, achievement motivation, and their understanding of the efficiency of classroom interaction.
2. Determine the relation between learning skills, achievement motivation, and logical reasoning.
3. Present a method for knowledge extraction from the student model in an e-learning system.

II. PROBLEM AND OBJECTIVES OF THE STUDY

Most researchers agree that classroom interaction is the essence of the quality of the teaching process, and its results are often positive. The pattern and quality of this interaction determine not only the learning situation but also the trends, the concerns, and some aspects of the students' personality. In Saudi universities, the educational environments of male and female students are different. Male students have successful interaction, because the teacher is able to observe the students and what they do in the classroom. In the female environment, it is not permissible to watch what happens in the classroom. Logically, this difference may be considered an advantage for male students. However, female students' achievements showed superiority over those of male students. This prompted the following questions: Are there other intermediate variables among the learning environment, classroom interaction, and student achievement? Do these variables affect student achievement and compensate for classroom interaction? Can we extract knowledge by data mining from the student model? Accordingly, the problem of the current study is formulated in the following hypotheses:
1. There are statistically significant differences between female and male students in logical reasoning in the Faculty of Information and Computer Science at Taif University, Saudi Arabia.
2. There are statistically significant differences between female and male degrees in learning skills.
3. There are statistically significant differences between female and male degrees in achievement motivation.
4. There are statistically significant differences between female and male degrees in understanding the efficiency of classroom interaction.
5. There are statistically significant differences between female and male degrees in learning skills and logical reasoning when the efficiency of classroom interaction is fixed.
6. There are statistically significant differences between female and male degrees in achievement motivation and logical reasoning when the efficiency of classroom interaction is fixed.

The study also addresses the following questions:
1. Can we provide a machine learning algorithm to extract useful knowledge from the available student data?
2. Can the knowledge extracted from the student data discriminate between male and female students in the logical reasoning score?

III. EFFECTIVE STUDENT ATTRIBUTES

The student model plays an important role in the process of teaching and learning. If the elements of this model are chosen properly, we can obtain an important student database, which can provide useful knowledge when data mining techniques are applied. Learning skills, achievement motivation, classroom interaction, and logical reasoning are the main effective dimensions of the student model presented in this study. The following sections explain these features.
A. Learning skills
A set of behaviors or practices used by the learner while studying the school material. It is determined by the degree which the student obtained on the measure used in the present study.
B. Achievement motivation
Achievement motivation has been viewed as a personality trait that distinguishes persons based on their tendency or aspiration to do things well and compete against a standard of excellence [11]. Motivation is the internal condition that activates behavior and gives it direction; it energizes and directs goal-oriented behavior. Motivation in education can have several effects on how students learn and how they behave towards subject matter [12]. It is composed of several internal and external motives that affect the behavior of students, orienting and activating the individual in different situations to achieve excellence.
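The dimensions above, together with the target score, can be pictured as one record of the student model. The following is a minimal sketch; the field and attribute names are illustrative, not the paper's actual database schema:

```python
from dataclasses import dataclass

@dataclass
class StudentRecord:
    """One row of a student-model database (illustrative field names)."""
    learning_skills: dict        # e.g. {"time_management": 17, ...}
    internal_motivation: dict    # challenge, desire to work, ...
    external_motivation: dict    # fear of failure, competition, ...
    classroom_interaction: dict  # teacher/student positivity, ...
    logical_reasoning: int       # target attribute

r = StudentRecord({"time_management": 17}, {"challenge": 24},
                  {"competition": 22}, {"teacher_positivity": 28}, 14)
print(r.logical_reasoning)
```

A flat record like this is what the rule-extraction step later encodes into binary attribute vectors.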


C. Classroom Interaction
During classroom lessons, teachers promote, direct, and mediate discussions to develop learners' understanding of the lesson topics. In addition, teachers need to assess the learners' understanding of the material covered, monitor participation, and record progress. Discussions in classrooms are frequently dominated by the more outgoing learners, while others, who may not understand, are silent. The teacher is typically only able to obtain feedback from a few learners before determining the next course of action, possibly resulting in an incomplete assessment of the learners' grasp of the concepts involved. Learners who are not engaged by the discussion are not forming opinions or constructing understanding, and may not be learning. Classroom distractions can become the focus of attention unless there is some compelling reason for the learner to participate in the discussion [13].
D. Logical Reasoning
Reasoning is the process of using existing knowledge to draw conclusions, make predictions, or construct explanations. Three methods of reasoning are the deductive, inductive, and abductive approaches. Deductive reasoning starts with the assertion of a general rule and proceeds from there to a guaranteed specific conclusion. Inductive reasoning begins with observations that are specific and limited in scope, and proceeds to a generalized conclusion that is likely, but not certain, in light of the accumulated evidence; one could say that inductive reasoning moves from the specific to the general. Abductive reasoning typically begins with an incomplete set of observations and proceeds to the likeliest possible explanation for the set [10].

IV. APPLICATIONS AND RESULTS

A. Sample of Study
The population of students participating in the experiment was 95 (47 of them female and 48 male). These students studied an expert system course using the CLIPS language [14].
B. Tools of Study
Three measures have been prepared: learning skills, achievement motivation, and classroom interaction.
1. Learning skill
A set of 47 clauses reflecting the learning skills was presented to the students during their study. These clauses dealt with 7 skills: management of dispersants, management of the study time, summing and taking notes, preparing for examinations, organization of information, continuation of study, and the use of computer and Internet. The student has to choose one of three alternatives (always, sometimes, or never), evaluated as 3, 2, or 1, respectively. Psychometric measures of the indicator were calculated as follows:
- Criteria Validity: This measure was applied on a student sample of 40 male and female students in the Faculty of Computers and Information Systems, Taif University, Saudi Arabia. The correlation between their total degrees was 0.82, which is statistically significant at the 0.01 level; this indicates the validity of the measure.
- Internal Consistency Validity: The correlations between each item and its indicator were calculated. The correlation values vary between 0.37 and 0.65, and are significant at the 0.01 and 0.05 levels. The correlations between the total degree and the degrees of each measure are shown in Table I.

TABLE I. THE CORRELATION COEFFICIENT VALUES
Learning skills                  Correlation coefficient   Significant level
Management of dispersants        0.76                      0.05
Management of the study time     0.70                      0.05
Summing and taking notes         0.81                      0.05
Preparing for examinations       0.69                      0.05
Organization of information      0.82                      0.05
Continuation of study            0.88                      0.05
The use of computer & Internet   0.79                      0.05

- Indicator Reliability: The indicator reliability was measured by two methods (re-application and Cronbach's α) as shown in Table II.

TABLE II. THE RELIABILITY VALUES OF LEARNING SKILLS MEASURE
Learning skills                  Re-application ρ   Significant level   Cronbach's α
Management of dispersants        0.77               0.01                0.75
Management of the study time     0.66               0.01                0.67
Summing and taking notes         0.61               0.01                0.62
Preparing for examinations       0.71               0.01                0.70
Organization of information      0.77               0.01                0.75
Continuation of study            0.68               0.01                0.69
The use of computer & Internet   0.81               0.01                0.79

This table shows high reliability values for the learning skills measure.
2. Achievement motivation
A set of 71 clauses reflecting achievement motivation was classified into internal and external pivots. The internal achievement motivation includes challenge, desire to work, ambition, and self-reliance. The external


achievement motivation includes fear of failure, social motivations, awareness of time importance, and competition. Psychometric measures of the indicator were calculated as follows:
- Criteria Validity: This measure was applied on the same student sample (40 male and female students) in the same faculty. The correlation between their total degrees was 0.79, which is statistically significant at the 0.01 level; this indicates the validity of the measure.
- Internal Consistency Validity: The correlations between each item and its indicator were calculated. The correlation values vary between 0.37 and 0.74, and are significant at the 0.01 and 0.05 levels. Table III shows the calculated correlation coefficients.

TABLE III. CORRELATION COEFFICIENTS AND THEIR SIGNIFICANT LEVEL
The indicator                  Correlation coefficient   Significant level
Challenge                      0.68                      0.01
Desire to work                 0.69                      0.01
Ambition                       0.66                      0.01
Self-reliance                  0.56                      0.01
Fear of failure                0.58                      0.01
Social motivations             0.71                      0.01
Awareness of time importance   0.64                      0.01
Competition                    0.56                      0.01

- Indicator Reliability: The indicator reliability was measured by two methods as shown in Table IV.

TABLE IV. THE RELIABILITY VALUES OF ACHIEVEMENT MOTIVATION MEASURE
The indicator                  Re-application ρ   Significant level   Cronbach's α
Challenge                      0.74               0.01                0.71
Desire to work                 0.81               0.01                0.78
Ambition                       0.71               0.01                0.72
Self-reliance                  0.66               0.01                0.65
Fear of failure                0.73               0.01                0.70
Social motivations             0.68               0.01                0.66
Awareness of time importance   0.62               0.01                0.64
Competition                    0.59               0.01                0.61

This table shows high reliability values for the achievement motivation measure.
3. Classroom interaction
A set of 27 clauses measuring the level of classroom interaction was prepared.
- Criteria Validity: This measure was applied on the same student sample (90 male and female students). The principal components method was used for factor analysis, the Guttman criterion was used to determine the number of factors, and Varimax orthogonal rotation was applied. These methods yielded three extracted factors (saturation ≥ ±0.3), each with at least three items. Table V shows the results of the factor analysis.

TABLE V. THE RESULTS OF THE FACTOR ANALYSIS
Factor loadings of the clauses (only saturations ≥ ±0.3 are reported):
Clauses 1-13: 0.45, 0.41, 0.44, 0.61, 0.55, 0.52, 0.63, 0.66, 0.46, 0.44, 0.55, 0.63 (first-factor column) and 0.51 (second-factor column).
Clauses 14-26: 0.35, 0.40, 0.51, 0.38, 0.47, 0.46, 0.45 (first-factor column) and 0.44, 0.51, 0.61, 0.39, 0.55, 0.59 (second- and third-factor columns).
Eigenvalues: 3.84 (first factor), 3.8 (second factor), 2.32 (third factor).
Variance explained: 14.23, 14.08, and 8.59, respectively.

This table shows that the measure is saturated by 3 factors. The first factor is saturated with 13 individual items, which revolve around the lecturer's ability to manage classroom interaction; this factor may be defined as teacher's positivity. The second factor has a saturation of 10 items that revolve around the student's ability to interact with the lecturer on the basis of the lecture theme; this factor may be defined as student's positivity. The third factor has a saturation of 3 items only, revolving around the potential of the classroom to facilitate the process of interaction between student and lecturer; this might be called the potential of the classroom. The factor analysis deleted item number 27.
- Internal Consistency Validity: The correlations between each item and its main factor were calculated; Table VI shows the calculated correlation coefficients and indicates that the individual items are correlated with their main factors (1st, 2nd, and 3rd), which proves the internal consistency of the measure.
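The factor-retention step described above (principal components with an eigenvalue cutoff) can be sketched as follows. The data below are synthetic, built from two latent factors, so two components should pass the eigenvalue-greater-than-one criterion:

```python
import numpy as np

def kaiser_guttman(X):
    """Number of principal components of the item correlation matrix
    with eigenvalue > 1 (the criterion used to fix the factor count)."""
    corr = np.corrcoef(X, rowvar=False)   # items are the columns
    eig = np.linalg.eigvalsh(corr)
    return int((eig > 1.0).sum()), eig

rng = np.random.default_rng(0)
f = rng.normal(size=(300, 2))             # two latent factors
items = np.column_stack(
    [f[:, 0] + 0.4 * rng.normal(size=300) for _ in range(3)]
    + [f[:, 1] + 0.4 * rng.normal(size=300) for _ in range(3)]
)
k, eig = kaiser_guttman(items)
print(k)  # two factors should be retained for this synthetic design
```

Because the correlation matrix has ones on its diagonal, its eigenvalues always sum to the number of items, which is a quick sanity check on the decomposition.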


TABLE VI. THE CORRELATION COEFFICIENTS
1st Factor         2nd Factor         3rd Factor
Item    ρ          Item    ρ          Item    ρ
1       0.49       2       0.45       23      0.45
3       0.61       4       0.46       25      0.36
5       0.39       6       0.44       26      0.35
9       0.38       7       0.52
11      0.45       8       0.51
13      0.42       10      0.59
14      0.35       12      0.43
15      0.61       21      0.51
16      0.52       22      0.60
17      0.46       24      0.42
18      0.59
19      0.52
20      0.42
All coefficients are significant at the 0.01 level.
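Reliability coefficients of the kind reported in Tables II and IV can be reproduced in outline. A minimal sketch of Cronbach's α over a respondents-by-items score matrix (the data below are illustrative, not the study's responses):

```python
import numpy as np

def cronbach_alpha(items):
    """Cronbach's alpha for a respondents-by-items score matrix."""
    k = items.shape[1]
    item_vars = items.var(axis=0, ddof=1)      # per-item variance
    total_var = items.sum(axis=1).var(ddof=1)  # variance of total scores
    return (k / (k - 1)) * (1 - item_vars.sum() / total_var)

# Three perfectly consistent items yield an alpha of exactly 1.0
scores = np.array([[1, 1, 1], [2, 2, 2], [3, 3, 3], [4, 4, 4]], dtype=float)
print(round(cronbach_alpha(scores), 3))  # → 1.0
```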

- Indicator Reliability: The indicator reliability was measured by two methods as shown in Table VII.

TABLE VII. THE RELIABILITY VALUES OF THE CLASSROOM INTERACTION MEASURE
Dimension                    Re-application ρ   Significant level   Cronbach's α
Teacher's positivity         0.79               0.01                0.80
Student's positivity         0.77               0.01                0.75
Potential of the classroom   0.69               0.01                0.68

So, the above table shows that the measure of classroom interaction has an acceptable degree of consistency.
C. Testing the study hypotheses
- The first hypothesis
There are statistically significant differences between the mean scores of the female and male students in logical reasoning in the Faculty of Information and Computer Science at Taif University, Saudi Arabia. To verify this hypothesis, the t test was used to measure the differences between the means of the independent groups. The results are shown in the following table.

TABLE VIII. THE T TEST VALUE FOR THE DIFFERENCES OF MALE AND FEMALE STUDENTS IN LOGICAL REASONING
Gender   Number   Mean    Standard deviation   T      Significant level
Male     49       11.84   2.86                 3.99   0.01
Female   48       13.73   1.67

The above table shows that there are statistically significant differences between the mean scores of the males and females in logical reasoning, in favor of females. This result indicates the superiority of females in the logical reasoning ability to understand the linkage of precondition and conclusion.
- The second hypothesis
There exist mean differences between female and male degrees in learning skills. To verify this hypothesis, the analysis of variance of the multi-variables (MANOVA) was used. Both the Box test for homogeneity of the matrix and the Levene test of equal contrast were insignificant for all dimensions. The Wilks Lambda test value is equal to 0.68, which is significant, and the ETA value is equal to 0.32. These results indicate the validity of the test and give an indication of the existence of differences in accordance with the type of learning skills. The following table shows the results of the analysis of variance test.

TABLE IX. THE ANALYSIS OF VARIANCE OF THE MULTI-VARIABLES (MANOVA) IN LEARNING SKILLS
Type (df = 1 for each dimension):
Dimension                        Sum of squares   Mean square   F      Significant level   η
Management of dispersants        18.05            18.045        1.46   Insignificant       0.02
Management of the study time     114.19           114.186       16.2   0.01                0.15
Summing and taking notes         106.23           106.231       23.2   0.01                0.2
Preparing for examinations       20.77            20.716        9.88   0.01                0.1
Organization of information      43.08            43.079        12.9   0.01                0.12
Continuation of study            36.03            36.029        10.5   0.01                0.10
The use of computer & Internet   177.97           177.968       15.5   0.01                0.14
Total                            3102.3           3102.31       24.5   0.01                0.21
Error (df = 95 for each dimension):
Dimension                        Sum of squares   Mean square
Management of dispersants        1177.3           12.393
Management of the study time     669.36           7.046
Summing and taking notes         436.02           4.590
Preparing for examinations       199.30           2.098
Organization of information      317.29           3.340
Continuation of study            325.72           3.429
The use of computer & Internet   1088.9           11.462
Total                            12041.8          126.76

The above table shows that there are statistically significant differences between males and females in the learning skills in all dimensions except the first dimension (management of dispersants). To measure the differences, the mean and standard deviation were calculated as shown in Table X. That table shows statistically significant differences in the learning skills in favor of females. Females are more likely to use the correct methods of learning, and are more able to manage time and plan to take advantage of it. They are more able to take observations, notes, and summaries, more able to prepare well for exams throughout the semester, and more able than males to organize information and use it correctly. Also, they do not delay studying till the end of the year, and they use the computer and the Web to obtain and exchange information. Females are better in general. The results did not show differences between males and females in management of dispersants; everyone makes an effort to overcome them, but what is important is what happens after that.


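The independent-samples comparison used for the first hypothesis can be sketched as follows; the two arrays are toy data, not the study's scores, and Welch's variant is used since it does not assume equal group variances:

```python
import math

def welch_t(a, b):
    """Welch's t statistic and degrees of freedom for two samples."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)   # sample variances
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    se2 = va / na + vb / nb
    t = (ma - mb) / math.sqrt(se2)
    # Welch-Satterthwaite approximation for the degrees of freedom
    df = se2 ** 2 / ((va / na) ** 2 / (na - 1) + (vb / nb) ** 2 / (nb - 1))
    return t, df

t, df = welch_t([10, 11, 12, 13, 14], [13, 14, 15, 16, 17])
print(round(t, 2), round(df, 1))  # → -3.0 8.0
```

The resulting t and df are then looked up against the Student distribution to obtain a significance level, as in Table VIII.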

TABLE X. THE MEAN AND STANDARD DEVIATION OF DEGREES IN LEARNING SKILLS
Dimension                     Gender   Number   Mean      Standard deviation
Management of dispersants     M        49       25.408    0.503
                              F        48       26.271    0.508
Management of study time      M        49       15.163    0.379
                              F        48       17.333    0.383
Summing and taking notes      M        49       14.469    0.306
                              F        48       16.563    0.309
Preparing for examinations    M        49       10.367    0.207
                              F        48       11.292    0.209
Organization of information   M        49       10.980    0.261
                              F        48       12.313    0.264
Continuation of study         M        49       9.510     0.265
                              F        48       10.729    0.267
Use of computer & Internet    M        49       12.041    0.484
                              F        48       14.750    0.489
Total                         M        49       97.939    1.608
                              F        48       109.250   1.625

- The third hypothesis
There are statistically significant differences between the mean scores of the female and male students in achievement motivation. To verify this hypothesis, the MANOVA test was used. The Box test for homogeneity of the matrix was insignificant, and the Levene test of equal contrast was also insignificant. The Wilks Lambda test value is equal to 0.56, which is significant, and the value of ETA is 0.44. All these results indicate the validity of the test. The following table shows the results of the analysis of variance test and indicates that the differences are affected by the achievement motivation.

TABLE XI. THE ANALYSIS OF VARIANCE OF THE MULTI-VARIABLES (MANOVA) IN ACHIEVEMENT MOTIVATION
Type (df = 1 for each dimension):
Dimension                      Sum of squares   Mean square   F       Significant level   η
Challenge                      184.22           184.22        24.89   0.01                0.21
Desire to work                 20.28            20.28         1.46    not                 0.02
Ambition                       57.63            57.63         13.1    0.01                0.12
Self-reliance                  19.22            19.22         4.85    0.05                0.05
Fear of failure                14.33            14.33         1.65    not                 0.02
Social motivations             177.97           177.97        16.5    0.01                0.15
Awareness of time importance   155.23           155.23        29.79   0.01                0.24
Competition                    7.49             7.49          0.59    not                 0.06
Total                          3890.4           3960.4        12.37   0.01                0.12
Error (df = 95 for each dimension):
Dimension                      Sum of squares   Mean square
Challenge                      703.22           7.4
Desire to work                 1321.8           13.91
Ambition                       419.22           4.42
Self-reliance                  376.8            3.97
Fear of failure                825.18           8.69
Social motivations             1024.92          10.79
Awareness of time importance   495.1            5.21
Competition                    1197.26          12.6
Total                          29880.6          314.53

The above table shows that there are statistically significant differences between males and females in achievement motivation in five dimensions. To measure the differences, the mean and standard deviation were calculated as shown in the following table.

TABLE XII. THE MEAN AND STANDARD DEVIATION OF DEGREES IN ACHIEVEMENT MOTIVATION
Dimension                      Gender   Number   Mean      Standard deviation
Challenge                      M        49       21.306    0.389
                               F        48       24.063    0.393
Desire to work                 M        49       24.898    0.533
                               F        48       25.812    0.538
Ambition                       M        49       13.000    0.300
                               F        48       14.542    0.303
Self-reliance                  M        49       12.735    0.285
                               F        48       13.625    0.287
Fear of failure                M        49       17.898    0.421
                               F        48       18.667    0.425
Social motivations             M        49       21.041    0.469
                               F        48       23.750    0.474
Awareness of time importance   M        49       18.449    0.326
                               F        48       20.979    0.330
Competition                    M        49       21.673    0.507
                               F        48       22.229    0.512
Total                          M        49       151.000   2.534
                               F        48       163.667   2.560

The above table shows that there are statistically significant differences in achievement motivation in favor of females in all dimensions except the desire to work, the fear of failure, and competition. This means that females have incentives which lead them to exert effort, such as the desire to challenge the male society significantly, as if to prove a kind of self-motivation, ambition, and self-reliance. Also, it seems that they are in need to change their society's perception that they must rely only on men in everything, and they are driven by external motivations like the satisfaction of parents, acquiring others' admiration and attracting their attention, and awareness of the importance of time, as they achieve success in managing time.
- The fourth hypothesis
There are statistically significant differences between the female and male degrees in understanding the efficiency of classroom interaction. To verify this hypothesis, the MANOVA test was used. The Box test for homogeneity of the matrix was insignificant, and the Levene test of equal contrast was also insignificant. The Wilks Lambda test value is equal to 0.82, which is significant, and the value of ETA is 0.18. All these results indicate the validity of the test and prove that the differences are affected by the type of classroom interaction. The following table shows the results of the analysis of variance test.


TABLE XIII. THE ANALYSIS OF VARIANCE OF THE MULTI-VARIABLES (MANOVA) IN CLASSROOM INTERACTION
Type (df = 1 for each dimension):
Dimension                    Sum of squares   Mean square   F      Significant level   η
Potential of the classroom   14.937           14.937        5.06   0.05                0.051
Student's positivity         11.376           11.376        0.88   not                 0.009
Teacher's positivity         127.436          127.44        6.57   0.05                0.065
Total                        138.786          138.79        2.38   not                 0.024
Error (df = 95 for each dimension):
Dimension                    Sum of squares   Mean square
Potential of the classroom   280.692          2.955
Student's positivity         1229.08          12.938
Teacher's positivity         1842.585         19.396
Total                        5537.17          58.286

The above table shows that the F values are significant in the dimensions of teacher's positivity and the potential of the classroom. To measure the differences, the mean and standard deviation were calculated as shown in the following table.

TABLE XIV. THE MEAN AND STANDARD DEVIATION OF DEGREES IN CLASSROOM INTERACTION
Dimension                    Gender   Number   Mean     Standard deviation
Potential of the classroom   M        49       5.327    0.246
                             F        48       4.542    0.248
Student's positivity         M        49       22.878   0.514
                             F        48       23.563   0.519
Teacher's positivity         M        49       29.959   0.629
                             F        48       27.667   0.636
Total                        M        49       58.163   1.091
                             F        48       55.771   1.102

The above table shows that there are statistically significant differences in the dimensions of the potential of the classroom and teacher's positivity in favor of males. This means that males interact better than females in the classroom, particularly in these two dimensions. This can be attributed to the nature of teaching to the male students, as there is direct, face-to-face interaction. In the absence of direct interaction, females feel that the learning environment is not valid and that the lecturer does not do his utmost in the commentary; hence, from their point of view, the problem does not lie with the women.
- The fifth hypothesis
There are statistically significant differences between the female and male degrees in learning skills and logical reasoning when the efficiency of classroom interaction is fixed. The partial correlation coefficient between the degrees in learning skills and logical reasoning, with the efficiency of classroom interaction held fixed, is used to verify this hypothesis. The results are shown in the following table.

TABLE XV. THE CORRELATION BETWEEN THE LEARNING SKILLS AND LOGICAL REASONING
                                 Male                        Female
Dimension                        ρ      Significant level    ρ      Significant level
Management of dispersants        0.7    0.01                 0.64   0.01
Management of study time         0.45   0.01                 0.4    0.01
Summing and taking notes         0.26   Not                  0.35   0.01
Preparing for examinations       0.23   Not                  0.24   Not
Organization of information      0.35   0.05                 0.39   0.01
Continuation of study            0.3    0.05                 0.45   0.01
The use of computer & Internet   0.27   Not                  0.31   0.05
Total                            0.57   0.01                 0.64   0.01

The above table shows the following. For males, there is a positive correlation between the degree of learning skills and the level of logical reasoning in the dimensions of management of dispersants, management of the study time, organization of information, continuation of study, and the total degree. This means that if the student is more able to focus, manage time, organize information, and study continuously without delay, he is expected to achieve highly in the degree of logical reasoning. This result agrees with the nature of the material, which requires a high degree of focus, organization, and effort, unlike other materials. For females, there is a correlation between the degree of learning skills and the levels of logical reasoning in all dimensions except preparing for examinations. Correlation has also appeared in the dimensions of summing and taking notes and the use of computers and the Web to access information. Consequently, the logical reasoning degrees are affected by the same factors as in the male case, in addition to these latter two dimensions.
- The sixth hypothesis
There are statistically significant differences between female and male degrees in achievement motivation and logical reasoning when the efficiency of classroom interaction is fixed. To verify this hypothesis, the partial correlation coefficient test between the degrees of achievement motivation and logical reasoning, with classroom interaction fixed, was used. This was done due to the presence of differences among the achievement motivation, logical reasoning, and understanding of the efficiency of classroom interaction. The results are shown in the following table.


TABLE XVI. THE CORRELATION COEFFICIENT VALUES AND THE SIGNIFICANCE BETWEEN ACHIEVEMENT MOTIVATION AND LOGICAL REASONING
                               Male                        Female
Dimension                      ρ      Significant level    ρ      Significant level
Challenge                      0.52   0.01                 0.66   0.01
Desire to work                 0.54   0.01                 0.63   0.01
Ambition                       0.40   0.01                 0.52   0.01
Self-reliance                  0.41   0.01                 0.75   0.01
Fear of failure                0.44   0.01                 0.55   0.01
Social motivations             0.53   0.01                 0.60   0.01
Awareness of time importance   0.47   0.01                 0.63   0.01
Competition                    0.56   0.01                 0.61   0.01
Total                          0.61   0.01                 0.79   0.01
The above table shows a correlation between the degree of achievement motivation and the levels of logical reasoning for both males and females. This is very important, since the nature of the course requires a large amount of student motivation to deal with it. The students need to exert an effort, regardless of what is behind this effort, and this result agrees with the majority of studies that proved a positive relationship between achievement motivation and achievement.
D. Knowledge Extraction
This section illustrates the students database description in addition to discussing the study questions.
- Students database description
The student model database used for knowledge extraction is composed of four main predictive measures and one target measure. The first measure is the learning skills, which includes 7 attributes, namely: management of dispersants, management of the study time, summing and taking notes, preparing for examinations, organization of information, continuation of study, and the use of computer & Internet. The second measure is achievement motivation, which is divided into internal and external motivations. Internal motivation includes 4 attributes: challenge, the desire to work, ambition, and self-reliance. External motivation includes 4 attributes: fear of failure, social motivations, awareness of time importance, and competition. The third measure is classroom interaction, which includes the potential of the classroom, student's positivity, and teacher's positivity. The final measure is the student score in the expert system course, which is divided into 5 test units. The target measure is logical reasoning.
- The first question: Can we provide a machine learning algorithm to extract useful knowledge from the available student data?
Data mining (DM), or in other words "the extraction of hidden predictive information from data", is a powerful new technology with great potential to help users focus on

the most important information in large data sets. The general goal of DM is to discover knowledge that is not only correct, but also comprehensible and interesting for the user. Among the various DM algorithms, such as clustering, association rule finding, data generalization and summarization, classification is gaining significant attention [ 15]. Classification is the process of finding a set of models or functions which describe and distinguish data classes or concepts, for the purpose of being able to use the model to predict the class of objects whose class label is unknown. In classification, a rule generally represents discovered knowledge in the form of IF-THEN rules. The classification methods can be categorized into two groups, non-rule-based and rule-based classification groups [16]. Non-rule-based classification methods are such as artificial neural network (ANN) [17-18] and support vector machines [19]. Rule-based classification methods are such as C4.5 [20], and decision table [21]. Rule-based classification methods directly extract hidden knowledge from the data. However, non-rule-based classification methods are generally more accurate than rule-based classification methods. This section presents the proposed algorithm for extracting a set of accurate and comprehensible rules from the input database via trained ANN using genetic algorithm (GA). The details of the proposed algorithms is explained in previous work [22]. A concise algorithm for extracting a set of accurate rules is shown in the following steps: 1. Assume that; 1.1 The input database has N predictive attributes plus one target attribute. 1.2 Each predictive attribute has a number of values, and can be encoded into binary sub-string of fixed length. 1.3 Each element of a binary sub-string equals one if its corresponding attribute value exists, while all the other elements are equal to zero. 
1.4 Repeat the steps (1.2) and (1.3) for each predictive attribute, in order to construct the encoded input attributes’ vectors. 1.5 The target attribute has a number of different classes, and can be encoded as a bit vector of a fixed length as explained in step (1.3). 2. The ANN is trained on the encoded vectors of the input attributes and the corresponding vectors of the output classes until the convergence rate between the actual and the desired output will be achieved. 3. The exponential function of each output node of ANN can be constructed as a function of the values of the input attributes and the extracted weights between the layers.

.
13 http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

4. To find the rule belongs to a certain class, GA is used to find the optimal chromosome (values of input attributes), which maximizes the output function of the corresponding node (class) of the ANN. 5. The extracted chromosome must be decoded to find the corresponding rule as follows; 5.1 The optimal chromosome is divided into N segments. 5.2 Each segment represents one attribute, and has a corresponding bits length represent their values. 5.3 The attribute values are existed if the corresponding bits in the optimal chromosome are equal to one and vice versa. 5.4 The operators “OR” and “AND” are used to correlate the existing values of the same attribute and the different attributes, respectively. 5.5 The extracted rules must be refined to cancel the redundant attributes. - The second question: Can the extracted knowledge from the students data discriminate between the male and female students in the logical reasoning score ? This question will be dealt with through the following rules extraction and their interpretations. Assume the following abbreviations: F : Fail, P : Pass, G : Good, V.G : Very Good, L : Low, M : Medium, H : High , Ma : Male, Fe : Female. Unit 1 = F Then Reasoning = F. Unit 2 = F Then Reasoning = F. Unit 5 = F Then Reasoning = F. Unit 1= V.G or Unit 2 = V.G and Maintaining learning = H Then Reasoning = V.G. 5. If Unit 1 = V.G or Unit 2 = V.G and Fear of failure = H Then Reasoning = V.G. From the above rules one can conclude that units number 1, 2, and 5 are the most effective attributes in the final results. This is because they include the principles, the inductive reasoning and the object oriented programming in CLIPS respectively. 6. If Unit 1 = P and Unit 3 = F or Unit 4 = F Reasoning = P. 7. If Ambition = H and Unit 3 = F or Unit 4 = F Reasoning = P. 8. If Self-reliance = M and Unit 3 or Unit 4 = F Reasoning = P. Then Then Then 1. 2. 3. 4. If If If If

9. If Gender = Ma and Ambition = L Then Reasoning = F. 10. If Gender = Fe and Ambition = L Then Reasoning = P. 11. If Gender = Ma and Management of dispersants = L Then Reasoning = F. 12. If Gender = Fe and Management of dispersants = L Then Reasoning = P. 13. If Gender = Ma and Self-reliance = L Then Reasoning = F. 14. If Gender = Fe and Self-reliance = L Then Reasoning = P. 15. If Gender = Fe and The desire to work = M and organization of information = H Then Reasoning = G. 16. If Gender = Fe and Fear of failure = M and Selfreliance = H Then Reasoning = Good. 17. If Gender = Fe and organization of information = H and Maintaining learning = M Then Reasoning =G. 18. If Gender = Fe and The potential class = L and Unit 2 = P Then Reasoning = G. 19. If Gender = Fe and Time management = H and organization of information = H and unit 3 = V.G Then Reasoning = V.G The previous rules clarify the attributes effect on the reasoning results taking into consideration the effect of the gender attribute. V.
CONCLUSIONS

It is our intent to explore how data mining is being used in education services at Taif University in Saudi Arabia. Educational data mining is the process of converting raw data from educational systems to useful information that can be used to inform design decisions and answer research questions. The importance of the study can be stated as follows: It is dealing with the learning environment of Saudi Arabia, that has a special nature in the education of females and the factors affecting it . The study combines the variables related to personality, mental and environmental aspects in order to reach an integrated view of the learning nature process and the factors affecting it. It addresses the subject of study habits and achievement motivations, which are important issues that affect the educational process. Good study habits will help students in the collection of knowledge, the achievement motivation and push them to the challenge of the obstacles to achieve their goals. The study presents an efficient technique that utilizes artificial neural network and genetic algorithm for extracting comprehensive rules from student database. The extracted

The rules numbers 6, 7, and 8 indicate that units number 3 and 4 are not effective. The high ambition and medium self-reliance lead to passing in reasoning although the fail score in unit 3 or unit 4.

14

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

.

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

knowledge supports the effective attributes that are most effective in the final score of the logical reasoning. VI. FUTURE WORKS E-learning represents a great challenge in education, that large amounts of information are continuously generated and available. Using data mining to extract knowledge from information is the best approach to process the obtained knowledge in order to identify the student needs. Tracking student behavior in virtual e-learning environment makes the web mining of the resulting databases possible, which encourages the educationalists and curricula designers to create learning contents. So, we aim at introducing a novel rule extraction method that depends on Fuzzy Inductive Reasoning methodology. This method has been driven from a data set obtained from a virtual campus e-learning environment. Hence, to gain the best benefit from this knowledge, the results should be described in terms of a set of logical rules that trace the different level of the student performance. References [1] Kudret Ozkal, Ceren Tekkaya, Jale Cakiroglu, Semra Sungur, "A conceptual model of relationships among constructivist learning environment perceptions, epistemological beliefs, and learning approaches", Learning and Individual Differences, Volume 19, Issue 1, 1st Quarter, Pages 71-79, 2009. [2] Shun Lau, Youyan Nie, "Interplay Between Personal Goals and Classroom Goal Structures in Predicting Student Outcomes: A Multilevel Analysis of Person–Context Interactions", Journal of Educational Psychology, Volume 100, Issue 1, Pages 15-29, February 2008. [3] Karin Tweddell Levinsen, "Qualifying online teachersCommunicative skills and their impact on e-learning quality", Education and Information Technologies, Volume 12, Number 1 / March 2007. [4] Richards, L.G, " Further studies of study habits and study skills", Frontiers in Education Conference, 31st Annual, Volume 3, Page(s):S3D - S13, 10-13 Oct. 2001. [5] Nneji, L . 
M, "Study habits of Nigerian University Students", Nigerian Educational Research, Development Council , Abuja , Nigeria , Pages 490 – 495, 2002. [6] Okapala. A, Okapala. C, Ellis. R, "Academic Efforts and study habits among students in a principles of macroeconomics course", Journal of Education for Business , 75 (4), Pages 219 – 224, 2000.
[7] Marcus Credé, Nathan R. Kuncel, " Study Habits, Skills, and Attitudes: The Third Pillar Supporting Collegiate Academic Performance", Perspectives on Psychological Science, Volume 3, Issue 6, Pages: 425-453, November 2008,

and Individual Differences, Volume 19, Issue 1, Pages 8090, 1st Quarter 2009. [10] Yuichi Goto, Takahiro Koh, Jingde Cheng, "A General Forward Reasoning Algorithm for Various Logic Systems with Different Formalizations", 12th International Conference, Knowledge-Based Intelligent Information & Engineering Systems, Proceedings Part II, Pages 526-535, September 3-5, 2008. [11] Wigfield, A, & Eccles, J.S, "Development of achievement motivation", San Diego, San Francisco, New York, Boston, London, Sydney, Tokyo: Academic Press, 2002. [12] David C, McClelland, "Methods of Measuring Human Motivation", in John W. Atkinson, ed., Motives in Fantasy, Action and Society (Princeton, N.J.: D. Van Nos-trand, Pages 12-13, 1958. [13]Timothy W. Pelton & Leslee Francis Pelton, "The Classroom Interaction System", (CIS): Neo-Slates for the Classroom" W.-M. Roth (ed.), CONNECTIONS ‘03, Pages 101–110, 2003. [14] Joseph C. Giarratano, "CLIPS User's Guide", Version 6.2, March 31st 2002.
[15] Li Liu, Murat Kantarcioglu, Bhavani Thuraisingham, "The applicability of the perturbation based privacy preserving data mining for real-world data", Data & Knowledge Engineering, Volume 65, Issue 1, Pages 5-2, April 2008.

[8] Weiqiao Fan, Li-Fang Zhang, " Are achievement motivation and thinking styles related? A visit among Chinese university students", Learning and Individual Differences, Volume 19, Issue 2, Pages 299-303, June 2009. [9] Ricarda Steinmayr, Birgit Spinath, "The importance of motivation as a predictor of school achievement", Learning

[16] Tan, C., Yu, Q., & Ang, J. H., "A dual-objective evolutionary algorithm for rules extraction in data mining", Computational Optimization and Applications, 34, Pages 273–294, 2006. [17] Humar Kahramanli and Novruz Allahverdi, "Rule extraction from trained adaptive neural networks using artificial immune systems", Expert Systems with Applications 36, Pages 1513–1522, 2009. [18] Richi Nayak, "Generating rules with predicates, terms and variables from the pruned neural networks", Neural Networks 22, Pages 405-414, 2009. [19] J.L. Castro, L.D. Flores-Hidalgo, C.J. Mantas and J.M. Puche, "Extraction of fuzzy rules from support vector machines", Fuzzy Sets and Systems, Volume 158, Issue 18, Pages 2057-2077, 16 September 2007. [20] Kemal Polat and Salih Güneş, "A novel hybrid intelligent method based on C4.5 decision tree classifier and one-against-all approach for multi-class classification problems", Expert Systems with Applications, Volume 36, Issue 2, Part 1, Pages 1587-1592, March 2009. [21] Yuhua Qian, Jiye Liang and Chuangyin Dang, "Converse approximation and rule extraction from decision tables in rough set theory", Computers & Mathematics with Applications, Volume 55, Issue 8, Pages 1754-1765, April 2008. [22] A. Ebrahim ELAlfi, M. Esmail ELAlami, R. Haque, "Extracting Rules From Trained Neural Network Using GA For Managing E- Business", Applied Soft Computing 4, Pages 65-77, 2004.

.
15 http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

A Mirroring Theorem and its application to a New method of Unsupervised Hierarchical Pattern Classification
Dasika Ratna Deepthi
Department of Computer Science, Aurora’s Engineering College, Bhongir, Nalgonda Dist., A.P., India

K. Eswaran
Department of Computer Science, Srinidhi Institute of Science and Technology, Yamnampet, Ghatkesar, Hyderabad, India.

Abstract— In this paper, we prove a crucial theorem called “Mirroring Theorem” which affirms that given a collection of samples with enough information in it such that it can be classified into classes and sub-classes then (i) There exists a mapping which classifies and subclassifies these samples (ii) There exists a hierarchical classifier which can be constructed by using Mirroring Neural Networks (MNNs) in combination with a clustering algorithm that can approximate this mapping. Thus, the proof of the Mirroring theorem provides a theoretical basis for the existence and a practical feasibility of constructing hierarchical classifiers, given the maps. Our proposed Mirroring Theorem can also be considered as an extension to Kolmogrov’s theorem in providing a realistic solution for unsupervised classification. The techniques we develop, are general in nature and have led to the construction of learning machines which are (i) tree like in structure, (ii) modular (iii) with each module running on a common algorithm (tandem algorithm) and (iv) self-supervised. We have actually built the architecture, developed the tandem algorithm of such a hierarchical classifier and demonstrated it on an example problem. Keywords-Hierarchical Unsupervised Pattern Recognition; Mirroring theorem; classifier; Mirroring Neural Networks; feature extraction; Tandem Algorithm; self-supervised learning.

I. INTRODUCTION There have been various ways in which the fields of artificial intelligence and machine learning have been furthered: starting with experimentation [1], abstraction [2], [3] and the study of locomotion [4]. Many techniques have been developed to learn patterns [5] & [6] as well as to reduce large dimensional data [7] & [8] so that relevant information can be used for classification of patterns [9] & [10]. Investigators have tackled, to varying degrees of success, pattern recognition problems like face detection [11], gender classification [12], human expression recognition [13], object learning [14] & [15], unsupervised learning of new tasks [16] and also have studied complex neuronal properties of higher cortical areas [17], naming but a few. However, most of the above techniques did not require automatic feature extraction as a pre-processing step to pattern classification. In our

approach, we developed a self-learning machine (based on our proposed Mirroring Theorem) which performs feature extraction and pattern learning simultaneously to recognize/classify the patterns in an unsupervised mode. This automatic feature extraction step, prior to unsupervised classification fulfills one more additional crucial requirement called dimensional reduction. Furthermore, by proving our stated mirroring theorem, we actually demonstrate that such unsupervised hierarchical classifiers mathematically exist. It is also proved that the hierarchical classifiers that do perform a level-by-level unsupervised classification can be approximated by a network of “nodes” forming a tree-like architecture. What we term as a “node”, in this architecture, is actually an abstraction of an entity which executes two procedures: the “Mirroring Neural Network” (MNN) algorithm coupled with a clustering algorithm. The MNN performs automatic data reduction and feature extraction (see [18] for more details on MNN) and clustering does the subsequent step called unsupervised classification (of the extracted features of the MNN); these two steps are performed in tandem - hence our term Tandem Algorithm. The Mirroring Theorem provides a proof that this technique will always work provided sufficient information is contained in the ensemble of samples for it to be classified and sub-classified and certain continuity conditions for the mappings are satisfied. The Mirroring Theorem, we prove in this paper may be considered as an extension to Kolmogrov’s theorem [19] in providing a practical method for unsupervised classification. The details of the theorem and how it can be used for developing an unsupervised hierarchical classifier are discussed in the next sections. 
Our main contribution in this paper, is that we propose and prove a theorem called “Mirroring Theorem” which provides a mathematical base for constructing a new kind of architecture that performs an unsupervised hierarchical classification of its inputs by implementing a single common algorithm (which we call as the “Tandem Algorithm”) and this is demonstrated on an example set of image patterns. That is, the proposed hierarchical classifier is mathematically proved to exist, for which we develop a new common algorithm that does the two machine steps, namely, automatic feature extraction and clustering to execute a level-by-level unsupervised

16

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

classification of the given inputs. Hence, we can say that this paper proposes a new method to build a hierarchical classifier, (with a mathematical basis) a new kind of common algorithm (which is implemented throughout the hierarchy of the classifier) and it is demonstration on an example problem. We find it necessary to discuss a few points about the MNN before moving on to the details of the proposed Theorem and the Tandem Algorithm. An MNN is nothing but a neural network (NN) with converging-diverging architecture which is trained to produce an output which equals its input as closely as possible (i.e. mirror the input at its output layer). And this training process proceeds through repeated presentations of all the input samples and it stops when the MNN could mirror at least above 95% of its input samples. Then the MNN said to be successfully trained with the given input samples. Now, the best possible extracted features of the inputs are automatically obtained at the MNN’s least dimensional hidden layer and these features are used for unsupervised input classification by a clustering algorithm. See Figure 1 for illustration of an MNN architecture wherein input given to it is ‘X’ of dimension ‘n’ which is reduced to ‘Y’ of dimension ‘m’ (m is much less than n). Since Y is capable of mirroring X at the output, Y contains as much information as X, even though it has a lesser dimension, the components of Y can then be thought of as features that contains the patterns in X, hence, the Y can be used for classification. More details on MNN architecture can be referred from [20] & [21]. Before, proceeding to proving the main theorem and the presentation of actual computer simulation, it is perhaps appropriate to write a few lines on the ideas that motivated this paper. 
It is presently well known that the neural architecture in the human neocortex is hierarchical [22], [23], [24] & [25] and constituted by neurons at different levels and information is exchanged between these levels via these neurons [26], [27], [28] & [29] when initiated by the receipt of data coming in from sensory receptors in the eyes, ears, etc. The organization of the various regions within each level of the neo-cortical system, are not completely understood, but there is much evidence that regions of neurons in one level are connected with regions of neurons in another level thus forming many tree like structures [25] & [30] (also see [31]). Various intelligent tasks, for example “image recognition”, are performed by numerous neurons firing and sending signals back and forth these levels [32]. Many researchers working in the field of artificial intelligence have sought to imitate the human brain in their attempt to build learning machines [33] & [34] and have employed a tree like architecture at different levels for performing recognition tasks [35]. As described above, our attempt here is to demonstrate that a hierarchical classifier which addresses the tasks of feature extraction (/data reduction) and recognition can be constructed and such architecture can perform intelligent recognition tasks in an unsupervised manner. The plan of the paper is as follows: In the next section we prove the proposed Mirroring Theorem of Pattern Recognition. In section 3, based on the proof of the mirroring

theorem, we show how to build pattern classifiers which possess the ability to automatically extract features, have a tree-like architecture and can be used to develop the proposed architecture for unsupervised pattern learning and classification (including the proposed tandem algorithm). In section 4, we report the results of the demonstration of such a classifier when applied an unsupervised pattern recognition problem wherein real images of faces, flowers and furniture are automatically classified and sub-classified in an unsupervised manner. Section 5, we discuss the future possibilities of this kind of architecture. II. MIRRORING THEOREM We now prove what we term as the mirroring theorem of pattern recognition, Statement of the Theorem: If a hierarchical invertible map exists that (i) maps a set  of n-dimensional from X-space into a mdimensional data in Y-space (m ≤ n) which fall into j distinct classes, and, (ii) if for each of the above j classes, in turn, maps exist which map each class in Y-space to a r-dimensional Z-space into t subclasses, then such a map can be approximated by a set of j + 1 nodes (each of which are MNNs with an associated clustering algorithm) forming a treelike structure. Proof: The very fact that invertible maps exist indicate that there exist j ‘vector’ functions which map the points (x1, x2, x3,…xn) falling into some d different regions Rd in Y-space. These ‘vector’ functions may be denoted as: F1, F2,...., Fj . We clarify our notation here by cautioning that F1, F2,...., Fj, should not be treated as the vectoral components of F. What we mean by F1 are the maps that carry those points in X-space to the set of points contained in S1, hence F1 can be thought of as a collection of ‘rays’, where each ‘ray’ denotes a map starting from some point in X-space and culminating in a point belonging to S1 in Y -space. 
Similarly, F2 is the collection of ‘rays’ each of which starts from some point in X-space and culminates in a point belonging to S2 in Y -space. Thus we define the map F as F ≡ F1 U F2 U……U Fj. Now we argue as follows: since the first map F1 takes Xspace into an image in Y -space, say a set of points S1 and similarly F2 takes X-space into an image in Y -space, say a set of points S2 and so to the set Sj and since, by assumption, the target (image) region in Y -space contains j distinct classes, we could conclude that the set of points S1, S2, …, Sj are distinct and non overlapping, (for otherwise the assumption of there being j distinct classes is violated). These regions are separable are distinct from one another and there also exist maps that are all distinct, and we can renumber the regions Rd in such a manner that the union of the first k1 sets belong to S1 i.e., S1 = R1UR2U….URk1 and the union of the next k2 sets belong to S2 ….. and similarly S2 = Rk1+1URk1+2U.....URk1+k2 , e.t.c., till Sj = Rd-kj+1URd-kj+2U….URd. It also implies, since each

17

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

of the image sets can be again reclassified into k patterns (by assumption), that there exists a ‘vector’ function set G11, G12, G13 , ..., G1t which take S1 to t distinct regions in z-space, these t distinct sets are denoted by c11, c12, c13, ...., c1t. Again, here G11, G12, G13 , ..., G1t can be thought of a collection of ‘rays’ denoting maps from points in S1 in Y -space to points in the sets c11, c12, c13, ...., c1t in Z-space. Thus G11 is the collection of ‘rays’ leading to the set c11 from S1 and G12 is the collection of ‘rays’ from S1 to the set c12. Hence, similar to the definition of F we can denote the map G1 as G1 ≡ G11 U G12 U G13 U ..... U G1t. In order not to clutter the diagram the possible sub-regions within each of the sets c11, c12, c13, ...., c1t have not been drawn in Figure 2 and we assume, without prejudicing the theorems generality, that the number of subsets t are the same in all maps. Similarly G21, G22, G23, ..., G2t take S2 to distinct t sets c21, c22, c23, ..., c2t and so on to the function set Gj1 , Gj2, Gj3 , ..., Gjt which map Sj to respective cj1, cj2, cj3,..., cjt in Z-space. The existence of the function maps F1, F2,...., Fj which map points from the set  in the n dimensional space to j distinct classes implies that the set of points in  are separable to j distinct classes in Y-space which is of m dimensions. (Strictly speaking it is necessary to assume that these functions Fi, i = 1, 2, …., j have the property of being invertible (i.e., are bijective) in order to exclude many-to-one maps; also this property is necessary to prove that the function such as F can be approximated by an MNN along with a clustering algorithm. Further, it is also being implicitly assumed that all maps considered in this theorem are at least continuous up to first order, points which are close to one another are expected to have their images close to one another). 
To proceed with the proof we will first show that it is possible to approximate the set of maps that take X-space to Y - space by a single MNN. To do this we will show an MNN can explicitly be constructed and trained to perform this map. We will assume that sufficient samples are available for training. Now consider the MNN to have a converging set of layers of adalines (PE's), the converging set consists of ‘n’ inputs in the first layer and ends with a layer of ‘m’ adalines, shown in Figure 1(a). This set from ‘n’ to ‘m’ can be thought as a simple NN which can be trained such that if X = (x1, x2, x3,…xn) is the input then Y = (y1, y2, y3,…ym) is the output, the weights of this network can be obtained by using the back propagation algorithm to impose the following conditions on the output: Y = Fk (x1, x2, x3,…xn) where k is the class to which the input vector (x1, x2, x3,…xn) belongs obviously k is known before hand because the F’s are known. Thus we can train this converging part of the NN. Similarly, we can now assume that there exists a diverging NN (depicted in Figure 1 (b)) to exist starting from ‘m’ adalines and ending in ‘n’ adalines, to this second neural network we will assume that the input will be the set (y1, y2, y3,…ym) and the output of this would be the original point in X dimension space whose image is Y. So by imposing the latter condition the second (diverging neural network) can be trained

with sufficient samples and then the weights obtained. At this stage we have a diverging neural network which takes as input Y and outputs the corresponding X. Now by combining the two converging and diverging so that the first leads to the second (without changing the weights) we have nothing but an MNN (pictorially represented by Figure 1(c)), this MNN mirrors the input vector X and outputs Y from the middle layer of ‘m’ adalines. So, we have thus proved the existence of an MNN which maps points from the n-dimensional X space to the mdimensional Y space and then back to the original points in ndimensional X space. Then the points in Y space can be classified into j classes using a suitable clustering algorithm. Thus, we have proved that a node of the hierarchical classifier is approximated by the combination of an MNN and a clustering algorithm. The proof that the second set of maps from m space to r space exists, uses similar arguments. We can immediately see that there will be j maps because there are j classes in Y space, hence there will be j nodes for each class each of which constructed by using a similar procedure. So we see that the set of maps assumed can be approximated by j + 1 nodes, whose existence we have just proved, all of which forming a treelike structure, shown in Figure 3 QED. It may be noted that each node in our architecture is depicted in Figure 4. We will now illustrate, the use of the mirroring theorem to develop a hierarchical classifier which performs the task of unsupervised pattern recognition. III. UNSUPERVISED HIERARCHICAL PATTERN RECOGNITION This section describes the architecture of a self-learning engine and the next section, we report its application to an example problem, wherein a set of input images are automatically classified and then sub-classified. 
Our intent is to build a learning engine which has the following characteristics: It is (i) hierarchical (ii) modular (iii) unsupervised and (iv) runs on a single common algorithm (MNN associated with clustering). The advantage of developing a recognition system with these 4 characteristics is that the learning method does not depend on the problem size and the learning network can be simply extended as the recognition task becomes more complex. It has been surmised by investigators that the architecture of human neo-cortex does, loosely speaking, possess the above 4 characteristics (except that instead of (iv) there is some kind of analog classification process (procedure) performed by sets of neurons, which seemingly behave in a similar manner). We are also reinforced by the conviction, since our architecture imitates the neural architecture (though admittedly in a crude manner), it is reasonable to expect that we would meet with greater successes as we make improvements in our techniques and as we deal with problems of larger size using increasingly powerful computers. In fact, it is this prospect that has been the prime motive force behind our work.

18

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

Adaline (PE) Input X(x 1 , x2 , .…x n) o o o o o o o o o o o o (a) X(x 1, x2, .…xn) o o o o o o o o o o o o o o o o o Output Input Y(y 1, y 2, .…ym) o o o o o (b) o o o o o o o Output X(x1 , x2 , .…x n)

o o o o o

o o o Y(y1 , y2 , .…y m) (c)

o o o o o

X(x 1, x2, .…xn)

Figure 1. (a) Convergning NN (b) Diverging NN (c) Mirroring Neural Network (combining (a) and (b))

Figure 2. An Illustration of the hierarchical invertible map

19

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009
Node-M X Y Le vel I

Node-1 Z

Node-2 ……. Z

Node-j Le vel II Z

C 11

C 12

C 1t

C 21

C 22

C 2t

C j1

C j2

C jt

…

…

...

.…

Le vel III

Figure 3. Organized collection of Nodes (blocks) containing MNN’s and their corresponding Forgy’s algorithm – Forming a treelike hierarchical structure

Node X X
Y Forgy MNN

X

Y

Figure 4. A Node (block) of the Hierarchical Classifier constructed with MNN and Forgy’s clustering

The Tandem Algorithm devised in this paper performs pattern recognition tasks using a hierarchical tree-like architecture (depicted in Figure 3). Each block in the hierarchical architecture is trained through the implementation of a single common algorithm (the tandem algorithm). This tandem process is done (at each node) in two steps: the first step is data reduction and feature extraction by an MNN, and the second is classification of the extracted features (the outputs of the MNN) using a clustering algorithm. The MNN at the first level trains itself to extract features through repeated presentations of the data samples, after which the extracted features of the data are sent to the clustering procedure for classification. The modules at the second level again undergo this tandem process of feature extraction and classification (or sub-classification). In this way a single common algorithm is implemented throughout the hierarchy (at each module), resulting in a level-by-level unsupervised classification. In Section 4 we show that our method actually works: we apply our classifier to a collage of images of flowers, faces and furniture, and this collection is automatically classified and sub-classified. We now develop the tandem algorithm and implement it in a computer program, so that such a learning engine can classify patterns by itself and report the results. The technique used for the development of this algorithm is based upon applying two procedures, (i) mirroring for automatic feature extraction and (ii) unsupervised classification, in a tandem manner at each module (block) of the hierarchy, level by level. (In our computer program we have used a two-level hierarchy.) Continuing the discussion of the Tandem Algorithm, consider Figure 3, which

is a pictorial representation of the hierarchical architecture; the details of each block (node) are shown in Figure 4, and the structure of an MNN in Figure 1. The Tandem Algorithm proceeds block (node) by block (node) at each level, starting from the first level (see Figure 3).

The Tandem Algorithm for a hierarchical classifier:

1. Train the MNN of the topmost block, Node-M (of the hierarchy, see Figure 3), with an ensemble of samples such that the inputs given to the MNN are mirrored at its output with minimum loss of information (for which a suitable threshold is fixed), and mark the topmost node as the "present node". This is an iterative step; it stops when the output of the network of Figure 1c almost equals the input, that is, when it is able to reconstruct the input.

2. After due training of the MNN of the present node (i.e., the MNN can accurately reconstruct more than 95% of its inputs within the specified threshold limit), the collection of outputs of the MNN's least-dimensional hidden layer (the number of extracted features equals the dimension of Y of the MNN, see Figure 1c) is used for classifying the inputs of the present node.

3. The features extracted in step 2 are given as the "input data set" to the Forgy's clustering algorithm (subroutine) of the present node for unsupervised classification, as explained in step 4.

4. The steps involved in the clustering procedure are:
   a. Select initial seed points (as many as the number of classes the inputs are to be divided into) from the input data set.


   b. For all the data samples in the input data set, repeat this step:
      (i) Calculate the distance between each sample in the input data set and each of the seed points representing a cluster.
      (ii) Place the sample into the group associated with the closest seed point (the least of the distances in step 4b(i)).
   c. When all the samples are clustered, the centroid of each cluster is taken as its new seed point.
   d. Repeat steps 4b and 4c as long as samples leave one cluster to join another in step 4b(ii).

5. To proceed further with sub-classification, repeat step 6 for all the nodes at the next lower level of the hierarchy.

6. Mark one of the nodes as the "present node" and train the MNN of the present node with the samples (extracted features from the level immediately above) belonging to a particular cluster of step 4, such that the samples given to the MNN are mirrored at its output with minimum loss of information (for which a threshold is fixed by trial and error). Repeat steps 2, 3 and 4.

7. Repeat steps 5 and 6 until there is not enough data in the samples to be further sub-classified (at the level immediately below).

In this tandem algorithm, feature extraction (concurrent with data reduction) is performed by steps 1, 2 and 3, and the automatic data classification (based on the reduced units of data) by step 4. This tandem process of data reduction and classification is extended to the next lower levels of the hierarchy, sub-classifying the ensemble through steps 5 and 6 until the stopping condition of step 7 is met. More details on the MNN architecture and the MNN's training through self-learning are given in [20] and [21]. We now illustrate this concept of hierarchical architecture for unsupervised classification using Figure 3.
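The clustering procedure of step 4 can be sketched concretely in Python. This is a minimal illustration, not the authors' code: the function name `forgy`, the Euclidean distance and the iteration cap are our assumptions.

```python
import random

def forgy(data, k, seeds=None, max_iter=100):
    """Forgy's clustering, following steps 4a-4d of the Tandem Algorithm."""
    # Step 4a: select k initial seed points from the input data set.
    seeds = list(seeds) if seeds is not None else random.sample(data, k)
    assign = [None] * len(data)
    for _ in range(max_iter):
        moved = False
        # Step 4b: place each sample with its closest seed point.
        for i, x in enumerate(data):
            j = min(range(k),
                    key=lambda c: sum((a - s) ** 2 for a, s in zip(x, seeds[c])))
            if assign[i] != j:
                assign[i], moved = j, True
        if not moved:
            break  # Step 4d: stop once no sample changes cluster.
        # Step 4c: the centroid of each cluster becomes its new seed point.
        for c in range(k):
            members = [data[i] for i in range(len(data)) if assign[i] == c]
            if members:
                seeds[c] = tuple(sum(v) / len(members) for v in zip(*members))
    return assign, seeds
```

For example, `forgy([(0, 0), (0, 1), (10, 10), (10, 11)], 2, seeds=[(0, 0), (10, 10)])` groups the first two points into one cluster and the last two into the other.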
If we assume, for the purpose of illustration, that there are only 4 categories of images, say faces, flowers, furniture and trees (j = 4), then at its broadest level the MNN-M at Node-M is trained with these 4 categories of images. On successful training, MNN-M can reduce the amount of its input data; and based on the reduced units of data, Node-M categorizes the pattern into one of the classes using Forgy's algorithm. The reduced units (which represent the input data) of the pattern from the present node (Node-M) are fed to one of the next-level (Level II) nodes. (Alternatively, the input vector itself could be fed to the appropriate MNN at the next level (Level II), instead of the reduced vector, in cases where too large a data reduction at the present level (Level I) is expected to lose information required for the finer classification at Level II.) Selection of a node (module) at the next level depends upon the classification of the input pattern at the present level. For example, Node-1 is selected if Node-M classifies the input as a face, Node-2 is selected if Node-M classifies the same input as a flower, and so on for Node-3 (furniture) or Node-4 (tree). Then, the respective node

(module) at Level II reduces its input and performs a sub-classification (we denote it Level II classification) based only on its own reduced units (at Level II). Gender classification, which distinguishes a male face from a female face, is a typical Level II classification by Node-1. In the pictorial representation, the Level II classification contains t sub-categories in each of the j categories. Assuming there are some more lower levels (identical to Level I and/or Level II) containing nodes to classify the patterns further, the reduced units at Level II are given as input to one of the appropriate modules at Level III for more detailed classification, which, in an example case, sub-categorizes k different persons within the male/female face groups. This tandem procedure of (i) mirroring followed by (ii) classification, performed at each level, can be extended to other lower levels, say Level IV, V and so on. That is how the proposed architecture performs level-by-level unsupervised pattern learning and recognition. As explained earlier, the hierarchical architecture implements a common algorithm for data reduction and extracted-feature classification at each of its nodes. And since the data reduction precedes the classification, the accuracy of classification depends on the efficiency of the data-reduction algorithm, so there is a need to evaluate the performance of the MNN's data reduction. The fact that the MNN dimensional-reduction technique is an efficient method for discarding the irrelevant parts of the data was amply demonstrated over extensive trials (details are in [20] and [21]). It is because of this that we used the MNN (along with a clustering algorithm) as the data-reduction and feature-extraction tool for the hierarchical pattern classification. For our demonstration, we use Forgy's algorithm for clustering the reduced units (of the input, at each module), wherein the number of clusters for the classification/sub-classification is provided by the user.
Instead, without prejudice to the generality of our technique, one could use a more sophisticated clustering algorithm wherein the number of classes (clusters) is determined by the algorithm itself. We leave this work as a future enhancement, which would then result in a completely automated unsupervised classification algorithm.

IV. DEMONSTRATION AND RESULTS

We now show by explicit construction that a hierarchical architecture can actually be built and used for classification and sub-classification of images, through an example case. Example: We took a collection of 360 training images with equal numbers of faces (see the Feret [36], Manchester [37] and Jaffe [38] databases in the references), tables and flowers. We build a two-level classifier constructed out of MNNs (associated with Forgy's clustering), which at the first level automatically classifies the 360 images of the training set into three classes: a "face class", a "table class" and a "flower class". The automatic procedure which does this is as follows: a 4-layer MNN (676-60-47-676), consisting of an input layer of 676 inputs representing a 26 × 26 image, with 60 processing elements in the first layer and 47 and 676 processing elements in the


other two layers, is trained to mirror the input data onto itself. The training is done automatically and stops when the output vector of 676 dimensions closely matches the corresponding input vector for each image; at this point the MNN can be said to satisfactorily mirror all 360 input images. Then the output of the layer with the least number of processing elements (in this case 47) is taken as the reduced feature vector of the corresponding input image. We thus have a set of 360 vectors (each of 47 dimensions) representing the input data of the 360 images. This set of 360 vectors (of reduced dimensions) is then classified into three classes using Forgy's algorithm (see [39] and [40]). The actual classification varies somewhat with the choice of the initial seed points, which are randomly chosen. The program chooses three distinct initial random seed points and uses Forgy's algorithm to cluster the reduced vectors of the input images. This clustering is done over many iterations until convergence, and the classes are then frozen; after this the data is clustered a second time (starting from a second set of seed points), again using Forgy's algorithm, until another set of three classes is obtained. The averages of the two nearest resulting sets of cluster centroids are then taken as the new cluster centroids, based on which the reduced feature vectors are once again classified to obtain three distinct classes; these classes are then treated as the final three classes (if everything works out well, one of them is the face class and the remaining two are the table class and the flower class). After this first-level classification, the program proceeds to the next level for sub-classifying the three classes identified at Level I.
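The mirroring step just described can be sketched in miniature with numpy. This is only an illustrative toy, not the paper's implementation: the dimensions 8-4-2-8 stand in for 676-60-47-676, and the tanh activation and plain gradient descent are our assumptions (the learning rate 0.025 and the initial weight range −0.25 to +0.25 are taken from Table II).

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy mirroring network 8-4-2-8, a stand-in for the paper's 676-60-47-676.
sizes = [8, 4, 2, 8]
# Weights and biases drawn from -0.25 to +0.25, as in Table II.
W = [rng.uniform(-0.25, 0.25, (m, n)) for n, m in zip(sizes, sizes[1:])]
b = [rng.uniform(-0.25, 0.25, m) for m in sizes[1:]]

def forward(x):
    """Return the activations of every layer for input x."""
    acts = [x]
    for Wl, bl in zip(W, b):
        acts.append(np.tanh(Wl @ acts[-1] + bl))
    return acts

def train_step(x, lr=0.025):
    """One back-propagation step on the mirroring error ||output - input||^2."""
    acts = forward(x)
    delta = (acts[-1] - x) * (1 - acts[-1] ** 2)      # output-layer error signal
    for l in reversed(range(len(W))):
        gW, gb = np.outer(delta, acts[l]), delta
        delta = (W[l].T @ delta) * (1 - acts[l] ** 2)  # propagate error backwards
        W[l] -= lr * gW
        b[l] -= lr * gb

# Mirror three toy patterns; the bottleneck activations acts[2] (2 units here,
# 47 in the paper) serve as the reduced feature vector of each pattern.
patterns = [rng.uniform(-0.9, 0.9, 8) for _ in range(3)]
error = lambda: sum(float(np.sum((forward(p)[-1] - p) ** 2)) for p in patterns)
before = error()
for _ in range(500):
    for p in patterns:
        train_step(p)
after = error()
features = [forward(p)[2] for p in patterns]
```

After training, `after` is smaller than `before`, and `features` holds the 2-dimensional reduced vectors that a clustering step would then classify.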
The procedure of reduction and classification at Level II is similar to that carried out at Level I, except that now three MNNs have to be trained: one receiving inputs from the face class, another from the table class and the third from the flower class. These MNNs at Level II use the architecture (47-37-30-47). After the three MNNs are suitably trained to mirror their respective inputs to an acceptable accuracy, the program proceeds to classify the inputs into sub-categories for each of the MNNs separately. Of course, this time the feature vector (reduced vector) has 30 dimensions. Once again Forgy's algorithm is used, following a procedure similar to that described above for Level I, except that this time the classification is done on the reduced vectors of MNN-1 at Node-1, which renders the sub-categories male face and female face; on the reduced vectors of MNN-2 at Node-2, obtaining the sub-categories centrally supported table and four-legged table; and on the reduced vectors of MNN-3 at Node-3, obtaining the sub-categories flower bud and open flower. Because the MNNs are initiated with randomly chosen weights, and random seed points are again chosen while executing Forgy's algorithm, it was our intention to demonstrate that the classification is not overly dependent on these random choices. So we ran the program over and over again, each time starting ab initio. We took 10 trials, meaning 10 different training and classification sessions at Level I followed by Level II. On an average over these 10 trials, considering the training and test sets, the error at Level I is 7%, and the average error of the three nodes at Level II (for

sub-categorizing a "face" as "male" or "female", a "table" as "centrally supported" or "four-legged", and a "flower" as "flower bud" or "open flower") is an additional 7%. Actually, this is not bad at all, because the whole exercise is unsupervised and the errors made in the first-level classification remain undiscovered and uncorrected by the classifier, which indiscriminately feeds all the data into the second level as inputs. See the sample illustration for the Example in Figure 5. The summary of the results for the Example is given in Table I. The various parameters used in the MNN training and classification are given in Table II. The brute-force (obvious) procedure of training the MNN at each node of the hierarchical classifier by using a Newton-Raphson method is beyond the capability of the PCs available to us and was not tried. Instead, we adopted an approximate procedure and trained the MNNs by using the back-propagation algorithm ([41] & [42]), which tries to determine the best MNN by changing the weights at each presentation of an image; ideally a "best MNN" should be obtained for the entire ensemble of input images (or reduced units of images) at each node, which again would involve a Newton-Raphson step and was avoided. The techniques used and reported here were very efficient in terms of the time and space taken for execution, and they were all performed on a PC.

V. SIGNIFICANCE OF OUR WORK & CONCLUSIONS

In this paper we have proved a crucial theorem called the "Mirroring Theorem"; based on the mathematical proof of the theorem we developed an architecture for a hierarchical classifier which implements our proposed Tandem Algorithm to perform unsupervised pattern recognition. We have also written a computer code to demonstrate the technique of building such a self-supervising classifier and applied it to an example.
These classifiers have the characteristics of being hierarchical, modular and unsupervised, and they run on a single common algorithm; therefore they mimic (admittedly in a crude manner) the collective behavior of neurons in the neo-cortex. It is expected that they can be expanded to analyze much more complex data; such "super classifiers" could employ many structures (each of the type shown in Figure 3) working in parallel. In our experimentation (within the available resources) we have found that it is not possible to have too many classes at the first level (Figure 3), i.e. j cannot be too large (at best j = 4). Therefore, for large problems involving many classes, we need a network of "structures" (each of the type shown in Figure 3 but with j limited to 2, 3 or 4) working in parallel, each structure trained to recognize its own set of classes (e.g. face classes, alphabet classes, etc.). Thus a binary or ternary "super-tree", with each "node" itself being a structure of the type shown in Figure 3, can be envisaged for the construction of a "super classifier".


[Figure 5 omitted: Node-M (MNN-M using Forgy's algorithm, with 676 input variables) classifies into S1, S2, S3; each class then feeds MNN-1, MNN-2 or MNN-3 using Forgy's algorithm (47 reduced-dimensional units as input), yielding the sub-classes c11, c12, c21, c22, c31, c32.]

Figure 5. Pictorial representation of the hierarchical classifier implemented using the Example images (S1 (face), S2 (flower), S3 (table): classification at Level I based on the 47-dimensional reduced vectors of the input image; c11 (male face), c12 (female face), c21 (flower bud), c22 (open flower), c31 (centrally supported table), c32 (four-legged table): sub-classification at Level II based on the 30-dimensional reduced vectors of the image).

TABLE I. RESULTS OF THE HIERARCHICAL CLASSIFIER FOR EXAMPLE IMAGES

| Input type | Dimension of the input | Dimension of the reduced units | No. of samples for training | No. of samples for testing | No. of categories | Success rate (avg. over 10 trials), training samples | Success rate (avg. over 10 trials), training & test sets |
| Image | 676 (26 × 26) | 47 | 360 | 150 | 3 (face, table & flower) | 94.0% (efficiency of the Level I node) | 93.4% (efficiency of the Level I node) |
| Reduced units of image | 47 | 30 | ≈ 120 (for each category) | ≈ 50 (for each category) | 2 (sub-categories for each category) | 88.5% (average efficiency of the Level II nodes) | 86.3% (average efficiency of the Level II nodes) |
TABLE II. VARIOUS PARAMETERS USED FOR THE MNN AND FORGY'S ALGORITHM

| Type of MNN architecture | Distance between input and output | Seed points for Forgy's algorithm | Learning rate parameter | Weights & bias terms |
| Level I MNN (676-60-47-676) | 0.8 | Threshold of 1.0 between the random seed points | 0.025 | -0.25 to +0.25 (random selection) |
| Level II MNNs (47-37-30-47) | 0.8 | Threshold of 0.8 between any two random seed points | 0.01 | -0.25 to +0.25 (random selection) |


It is expected that the techniques developed and presented in this paper will be used by many future researchers for building advanced and highly sophisticated pattern classifiers. It is further hoped that these procedures will also be used for building models of associative memories [43] where, say, a voice signal (e.g. "Mary", a spoken word) can be associated with a picture (an image of Mary). These developments could, in the near future, lead to very versatile machine-learning systems which can possibly ape the human brain in at least its elemental functions.

ACKNOWLEDGMENT

We thank the managements of Srinidhi and the group of Aurora Educational Institutions for their encouragement, and Altech Imaging and Computing for providing the facilities for research.

REFERENCES
[1] B. G. Buchanan, "The role of experimentation in A.I.", Phil. Trans. R. Soc. A, Vol. 349, pp. 153-166, 1994.
[2] J. D. Zucker, "A grounded theory of abstraction in artificial intelligence", Phil. Trans. R. Soc. B, Vol. 358, pp. 1293-1309, 2003.
[3] R. C. Holte & B. Y. Choueiry, "Abstraction and reformulation in A.I.", Phil. Trans. R. Soc. B, Vol. 358, pp. 1197-1204, 2003.
[4] H. Cruse, V. Durr & J. Schmitz, "Insect walking is based on a decentralized architecture revealing a simple and robust controller", Phil. Trans. R. Soc. A, Vol. 365, pp. 221-250, 2007.
[5] Y. Freund & R. E. Schapire, "Experiments with a new boosting algorithm", Proc. 13th International Conference on Machine Learning, pp. 148-156, 1996.
[6] P. Viola & M. Jones, "Rapid object detection using a boosted cascade of simple features", Proc. IEEE Computer Society Conference on Computer Vision and Pattern Recognition, Vol. 1, pp. I-511-I-518, 2001.
[7] G. E. Hinton & R. R. Salakhutdinov, "Reducing the dimensionality of data with neural networks", Science, Vol. 313, pp. 504-507, 2006.
[8] H. C. Law, "Clustering, Dimensionality Reduction and Side Information", Ph.D. Thesis, Michigan State University, 2006.
[9] T. Joachims, "Text categorization with support vector machines: learning with many relevant features", Proc. 10th European Conference on Machine Learning, pp. 137-142, 1998.
[10] M. Craven, D. DiPasquo, D. Freitag, A. K. McCallum & T. M. Mitchell, "Learning to construct knowledge bases from the World Wide Web", Artificial Intelligence, Vol. 118, pp. 69-113, 2000.
[11] C. Garcia & M. Delakis, "Convolutional face finder: A neural architecture for fast and robust face detection", IEEE Trans. Pattern Anal. Mach. Intell., Vol. 26, pp. 1408-1423, 2004.
[12] S. M. Phung & A. Bouzerdoum, "A pyramidal neural network for visual pattern recognition", IEEE Transactions on Neural Networks, Vol. 18, pp. 329-343, 2007.
[13] M. Rosenblum, Y. Yacoob & L. S. Davis, "Human expression recognition from motion using a radial basis function network architecture", IEEE Trans. Neural Networks, Vol. 7, pp. 1121-1138, 1996.

[14] P. Baldi & K. Harnik, “Neural networks and principal component analysis:learning from examples without local minima”, In Neural Networks Vol. 2, pp. 53-58, 1989. [15] D. DeMers & G. Cottrell, “Non-linear dimensionality reduction”, Advances in Neural Information Processing Systems Vol. 5, Morgan Kaufmann, pp. 580-587, 1993. [16] J.J Hopfield & C.D. Brody, “Learning rules and network repair in spiketiming-based computation networks”, Proc. Natl. Acad. Sci. U. S. A., Vol. 101, pp. 337-342, 2004. [17] B. Lau, G.B. Stanley & Y. Dan, “Computational subunits of visual cortical neurons revealed by artificial neural networks”, Proc. Nat. Acad. Sci. USA, Vol. 99, pp. 8974-79, 2002. [18] K. Eswaran, System and method of identifying patterns. Patents filed in Indian Patent Office on 20/7/06 and 19/03/07 and also in U.S. Patent and Trade Mark Office vide Nos. 20080019595 and 20080232682 respectively, 2006. [19] A.N. Kolmogorov, “On the representation of continuous functions of several variables by superposition of continuous functions of one variable and addition”, Doklady Akademia Nauk SSSR 114(5), pp. 953956, 1957. [20] D.R. Deepthi, S. Kuchibhotla, & K. Eswaran, “Dimensionality reduction and reconstruction using mirroring neural networks and object recognition based on reduced dimension characteristic vector”, IEEE International Conference on Advances in Computer Vision and Information Technology (IEEE, ACVIT-07), pp. 348-353, 2007. [21] D.R. Deepthi, Automatic pattern recognition for applications in image processing and robotics, Ph. D. Thesis, Osmania University, Hyderabad, India, 2009. [22] D.O. Creutzfeldt, “Generality of the functional structure of the Neocortex”, Naturwissenschaften, Vol. 64, 507-517, 1977. [23] B.V. Mountcastle, An organizing principle for cerebral function: The unit model and the distributed system In The Mindful Brain, Edelman,G.M, and V.B. Mountcastle,V.B. Eds., Cambridge, Mass.: MIT Press, 1978. [24] D.J. Felleman, & D.C. 
Van Essen, “Distributed hierarchical processing in the primate cerebral cortex”, Cerebral Cortex Vol. 1, pp. 1-47, 1991. [25] R.P. Rao & D.H. Ballard, “Predictive coding in the visual cortex: A functional interpretation of some extra-classical-receptive-field effects”, Nature Neuroscience Vol. 2, pp. 79-87, 1999. [26] S.M. Sherman & R.W. Guillery, “The role of the thalamus in the ow of information to the cortex”, Phil. Trans. Roy. Soc. London Vol. 357, pp. 1695-708, 2002. [27] M. Kaiser, “Brain architecture: A design for natural computation”, Phil. Trans. Roy. Soc. A, Vol. 365, pp. 3033-3045, 2007. [28] G. Buzsaki, C. Geisler, D.A. Henze & X.J. Wang, “Interneuron diversity series: Circuit complexity and axon wiring economy of cortical interneurons”, Trends Neurosci. Vol. 27, pp. 186-193, 2004. [29] J. D. Johnsen, V. Santhakumar, R. J. Morgan, R. Huerta, L. Tsimring and I. Soltesz, “Topological determinants of epileptogenesis in largescale structural and functional models of the dentate gyrus derived from experimental data”, J. Neuro-physiol. Vol. 97, 1566-1587, 2007. [30] D. C. Van Essen, C. H. Anderson & D. J. Felleman, “Information processing in the primate visual system: an integrated systems perspective”, Science Vol. 255, 419-423, 1992. [31] J. Hawkins, On intelligence, Owl Books, Henry Holt & Co., New York, pp. 110-125, 2005. [32] B.G. Bell, “Levels & loops: the future of artificial intelligence & neuroscience”, Phil. Trans. R. Soc. B, Vol. 354, 2013-2030, 1994.

[33] J. Hawkins & D. George, "Hierarchical Temporal Memory: Concepts, Theory, and Terminology", Numenta Inc., pp. 1-20, 2007, www.numenta.com.
[34] D. George, How the Brain Might Work: A Hierarchical and Temporal Model for Learning and Recognition, Ph.D. Thesis, Stanford University, 2008.
[35] J. Herrero, A. Valencia & J. Dopazo, "A hierarchical unsupervised growing neural network for clustering gene expression patterns", Bioinformatics, Vol. 17, pp. 126-136, 2001.
[36] FERET database: www.frvt.org/FERET/.
[37] MANCHESTER database: www.ecse.rpi.edu/cvrl/database/.
[38] JAFFE database: www.kasrl.org/jaffe.html.
[39] E. Gose, R. Johnsonbaugh & S. Jost, Pattern Recognition and Image Analysis, Prentice Hall of India, New Delhi, pp. 211-213, 2000.
[40] D. R. Deepthi, G. R. A. Krishna & K. Eswaran, "Automatic pattern classification by unsupervised learning using dimensionality reduction of data with mirroring neural networks", IEEE International Conference on Advances in Computer Vision and Information Technology (IEEE, ACVIT-07), pp. 354-360, 2007.
[41] D. E. Rumelhart, G. E. Hinton & R. J. Williams, "Learning representations by back-propagating errors", Nature, Vol. 323, pp. 533-536, 1986.
[42] B. Widrow & M. A. Lehr, "30 years of adaptive neural networks: Perceptron, Madaline, and backpropagation", Proceedings of the IEEE, Vol. 78, No. 9, 1990.
[43] D. R. Deepthi & K. Eswaran, "Pattern recognition and memory mapping using mirroring neural networks", IEEE International Conference on Emerging Trends in Computing (IEEE, ICETiC 2009), India, pp. 317-321, 2009.

AUTHORS PROFILE

Author 1: Working as an Associate Professor (CSE Dept.), Aurora's Engineering College. Submitted a Ph.D. (CSE) thesis on "Automatic pattern recognition for applications in image processing and robotics" to Osmania University, Hyderabad, in Feb. 2009. M.Tech. (Software Engineering) from J.N.T. University, Hyderabad.

Author 2: Working as a Professor (CSE Dept.), Srinidhi Institute of Science and Technology. Ph.D. (Mathematical Physics) on "On Phase and Coherence in Quantum Systems" from the University of Madras, Jan. 1973. 36 years of research experience in the application of computers in the areas of industrial image processing, pattern recognition, neural networks, electromagnetics, fluid mechanics, structural mechanics and artificial intelligence. He has more than 40 papers in international journals and international conferences on the above subjects.


Algorithm as Defining Dynamic Systems
Keehang Kwon Department of Computer Engineering Dong-A University Busan, Republic of Korea Hong Pyo Ha Department of Computer Engineering Dong-A University Busan, Republic of Korea

Abstract—This paper proposes a new view of algorithms: algorithms as defining dynamic systems. This view extends the traditional, deterministic view that an algorithm is a step-by-step procedure by allowing nondeterminism. Just as a dynamic system can be designed by a set of its defining laws, it is also desirable to design an algorithm by a (possibly nondeterministic) set of defining laws. This observation requires some changes to algorithm development. We propose a two-step approach: the first step is to design an algorithm via a set of defining laws of a dynamic system; the second step is to translate these laws (written in a natural language) into a formal language such as linear logic.

Keywords: dynamic systems, algorithm, nondeterminism, linear logic.

I. INTRODUCTION

Designing an algorithm is central to the development of software, and for this reason many algorithms have been developed. However, no guidelines for designing an algorithm have been provided so far; this deficiency is mainly due to the lack of a proper understanding of what an algorithm is, and lacking this understanding, algorithms are being designed in an ad-hoc fashion. As a consequence, designing algorithms has been quite cumbersome and error-prone. What is software, or an algorithm? Computer science is still looking for an answer to this question. One attempt is based on the view that software is a function and an algorithm is a sequence of instructions for implementing the function. This view has been popular and adopted in many algorithm textbooks [6]. Despite some popularity, this view of sequential algorithms stands for deterministic computation and lacks devices for handling nondeterminism. Lacking such devices as nondeterministic transitions, dealing with nondeterminism in this view is really difficult and relies on extra devices such as stacks (for DFS) and queues (for BFS). Those extra devices greatly reduce the readability and modifiability of the algorithm. This paper proposes another view of software and algorithms: software as (possibly nondeterministic) dynamic systems, and algorithms as defining dynamic systems. This paper also considers the effects of this view on the algorithm development process. To be precise, we consider algorithm design to be the process of finding a set of defining laws of a dynamic system.

An attractive feature of this view is that it enhances the readability and modifiability of algorithms for nondeterministic problems. The remainder of this paper is structured as follows: we discuss a new way of describing algorithms in the next section; in Section 3 we present some examples; Section 4 concludes the paper.

II. ALGORITHMS AS DEFINING DYNAMIC SYSTEMS

Our interest is in a process for developing algorithms based on the observation described in the previous section. The traditional, sequential algorithm process models provide a useful structure for such a process, but some changes are needed. The first problem arises from the machine-dependent, deterministic view of algorithms. A standard definition is that an algorithm is a sequence of instructions; this definition requires algorithms to be deterministic. However, it is easily observed that this deterministic view makes an algorithm (sequential-)machine-dependent and extra complicated. In algorithm design, nondeterministic algorithms are quite often desirable. This is natural when there are multiple ways to reach the goal and we simply do not know in advance which of them will be chosen. Such examples include graph algorithms, backtracking algorithms, and AI planning problems. To ensure that algorithms are described as simply and machine-independently as possible, it is desirable to express an algorithm via a set of governing laws, in natural language, in the form of initial resources and transition rules. In fact, the above approach to defining algorithms has been used for centuries in other fields such as physics and mechanics. The second problem arises from the specification languages into which these laws are translated. In choosing a language, one aspect requires special attention. First, we observe that translating the laws into sequential pseudo code makes the resulting description much bigger, leading to extra complications. An acceptable language should not expand the resulting description too much, but rather support a reasonable translation of the laws. An ideal language would support an optimal translation of the laws. Unfortunately, it is a never-ending task to develop this ideal language, as there are too many dynamic systems with too many different features: autonomous systems, open systems with


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

interactions, stochastic systems, etc. We argue that a reasonable, high-level translation of the laws can be achieved via linear logic [3]. An attractive feature of linear logic over other formalisms such as nondeterministic Turing machines, recursive functions, sequential pseudo code, etc., is that it can optimally encode a number of essential characteristics of dynamic systems: nondeterminism, updates (also called state change), etc. Hence, the main advantage of linear logic over other formalisms is the minimum (linear) size of the encoding of the governing laws of most dynamic systems. The basic operator in linear logic is the linear implication of the form A⊸B. This expression means that the resource A can be transformed into another resource B. The expression A⊗B means the two resources A and B. The expression !A means the resource A is reusable. We point the reader to [3] to find out more about the whole calculus of linear logic. We sum up our observations in the following equations:

software = dynamic system
algorithm design = finding a set of defining laws
algorithm writing = translation of the defining laws into linear logic

III. EXAMPLES
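Before turning to the examples, the resource reading of ⊸ can be made concrete as multiset rewriting: a state is a multiset of resources, and a rule A1⊗…⊗An ⊸ B1⊗…⊗Bm consumes its left-hand resources and produces its right-hand ones. The following sketch is our own illustration, not part of the paper's formal development; the function name `apply_rule` is an assumption.

```python
from collections import Counter

def apply_rule(state, consumed, produced):
    """One step of multiset rewriting for a linear rule
    A1 (x) ... (x) An -o B1 (x) ... (x) Bm: consume the left-hand
    resources and produce the right-hand ones.  Returns the new
    state, or None when the needed resources are not available."""
    state, need = Counter(state), Counter(consumed)
    if any(state[r] < n for r, n in need.items()):
        return None              # rule not applicable: a resource is missing
    state.subtract(need)         # linear consumption: resources are used up
    state.update(produced)
    return +state                # unary + drops zero-count entries

# state a (x) a (x) b, rule a (x) b -o c  =>  a (x) c remains
after = apply_rule(["a", "a", "b"], ["a", "b"], ["c"])
```

Note how the consumed resources are genuinely gone afterwards, which is exactly the update behaviour that functions alone cannot express.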

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

9, 2. The standard algorithm creates a new directory max where it keeps track of the maximum value of the elements. An alternative, more dynamic algorithm is shown below: (1) Initial resources: 4 elements consisting of 5, 10, 9, 2. (2) Transitions: pick two elements p and q, and discard the smaller one.
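The two laws above can be simulated directly; the helper name `max_by_discarding` is ours, and the random pairing stands in for the nondeterministic choice of which two elements to compare.

```python
import random

def max_by_discarding(resources):
    """Run the two laws directly: while more than one resource
    remains, pick any two (nondeterministic choice, simulated by a
    random pair) and discard the smaller; ties discard either."""
    pool = list(resources)
    while len(pool) > 1:
        p, q = random.sample(range(len(pool)), 2)  # pick two elements
        pool.pop(p if pool[p] < pool[q] else q)    # discard the smaller
    return pool[0]

print(max_by_discarding([5, 10, 9, 2]))  # the resource i(10) always survives
```

Whatever order the pairs are picked in, the maximum is the only resource that can never be discarded, so every run ends in the same final state.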

This algorithm produces the desired output by repeatedly discarding the smaller input resources. The following is a linear logic translation of the above algorithm:

i(5)⊗i(10)⊗i(9)⊗i(2).
!((i(X)⊗i(Y)⊗<(X,Y))⊸i(Y)).
!((i(X)⊗i(Y)⊗≥(X,Y))⊸i(X)).

Note that the fact that 3 is an item is encoded as the proposition i(3), i.e., there is a file whose name is 3 under directory i. We assume that, in dealing with <(X,Y), each file (X,Y) such that X is smaller than Y will be created dynamically under the directory <. A final state is a state in which only one element remains. Hence, solving the query i(X) will produce i(10) – after deleting i(5), i(9) and i(2) – using the second law three times. It is observed that this kind of algorithm is not easily translated into sequential pseudo code, as pseudo code has no construct for discarding input resources. A good motivation for introducing nondeterminism is graph algorithms. An example of a nondeterministic problem is provided by the following puzzle, which amounts to computing connectivity over an infinite, directed graph. We try to determine whether the string miuiuiu can be produced from mi with the following four rules: (a) If you possess a string of the form Xi, you can replace it by Xiu. (b) Suppose you have mX. Then you can replace it by mXX. (c) A string of the form XiiiY can be replaced by XuY. (d) A string of the form XuuY can be replaced by XY. This problem requires both nondeterminism (there are multiple paths from a node) and updates (an old node is replaced by a new one). For example, the string mi can become either miu or mii. An algorithm for this problem based on functions would be awkward, as functions are too weak, i.e., they support neither nondeterminism nor updates. On the other hand, an algorithm for this problem can be easily formulated as a nondeterministic dynamic system with the following five laws: (1) Initial resource: mi. (2) Transition: if Xi, you can replace it by Xiu.
(3) Transition: if mX, you can replace it by mXX. (4) Transition: if XiiiY, you can replace it by XuY. (5) Transition: if XuuY, you can replace it by XY. Note that this algorithm does not specify whether DFS or BFS will be used when exploring the graph. The following is a linear logic translation of the above algorithm.
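As one possible realization of these laws (the laws themselves fix no search order), the following sketch enumerates one-step rewrites and runs a bounded breadth-first search; the function names and the length bound are our own choices, not the paper's.

```python
def successors(s):
    """All one-step rewrites of s under the four transition laws."""
    out = set()
    if s.endswith("i"):
        out.add(s + "u")                      # law (2): Xi -> Xiu
    if s.startswith("m"):
        out.add(s + s[1:])                    # law (3): mX -> mXX
    for k in range(len(s)):
        if s[k:k + 3] == "iii":
            out.add(s[:k] + "u" + s[k + 3:])  # law (4): XiiiY -> XuY
        if s[k:k + 2] == "uu":
            out.add(s[:k] + s[k + 2:])        # law (5): XuuY -> XY
    return out

def derivable(start, goal, max_len=12):
    """Bounded breadth-first exploration of the rewrite graph; BFS
    is merely one strategy, since the laws fix no order."""
    seen = frontier = {start}
    while frontier:
        frontier = {t for s in frontier for t in successors(s)
                    if len(t) <= max_len and t not in seen}
        seen = seen | frontier
        if goal in seen:
            return True
    return False
```

For instance, `derivable("mi", "miu")` holds via law (2), while a string with no i's is never reachable, since every law preserves the i-count modulo 3.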

The view of “software-as-dynamic-systems” makes algorithms simpler and more versatile than the traditional approach. As an example, we present the factorial algorithm to help understand this notion. The factorial algorithm can be seen as a dynamic system consisting of two laws, described below in English: (1) Initial resource: (0, 1). (2) Transition: (X, Y) can be replaced by (X+1, XY+Y). This algorithm discards the old resource to produce the new resource and is therefore more efficient in terms of space usage than its Prolog counterpart. It is shown below that the above laws can be translated into linear logic formulas of the same size. A state is described by a collection of resources. A resource a under a directory d is represented by a linear logic formula of the form d(a). For example, fact(0,1) represents the fact that there exists a resource (0,1) under the directory fact. The following is a linear logic translation of the above algorithm, where the reusable action is preceded with !:

fact(0,1).
!(fact(X,Y) ⊸ fact(X+1,XY+Y)).

A final state is typically given by a user in the form of a query. Computation tries to solve the query. As an example, solving the query fact(5,X) would result in the initial resource fact(0,1) being transformed to fact(1,1), then to fact(2,2), and so on. It will finally produce the desired result fact(5,120) using the second law five times. We now consider the problem of finding the maximum value of n elements. Suppose they are 5, 10,
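The two factorial laws above can be run directly by iterating the transition until the query's first argument is reached; this small sketch (names ours) discards the old pair at each step, mirroring the linear rule.

```python
def fact_system(n):
    """Iterate the single transition (X, Y) -> (X+1, X*Y + Y) from the
    initial resource (0, 1) until X reaches n, discarding the old pair
    at each step exactly as the linear rule does."""
    x, y = 0, 1                  # initial resource fact(0, 1)
    while x < n:
        x, y = x + 1, x * y + y  # consume fact(X, Y), produce fact(X+1, XY+Y)
    return y

print(fact_system(5))  # fact(5, 120): the second law fires five times
```

Only one (X, Y) resource exists at any time, which is the constant-space behaviour claimed above.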


s(mi).
!∀X(s(Xi)⊸s(Xiu)).
!∀X(s(mX)⊸s(mXX)).
!∀X∀Y(s(XiiiY)⊸s(XuY)).
!∀X∀Y(s(XuuY)⊸s(XY)).

Now solving the query s(miuiuiu) would decide whether miuiuiu can be produced in the above puzzle. Another example of a nondeterministic problem is provided by the following menu at a fast-food restaurant. We try to determine what can be obtained for four dollars: (a) three dollars for a hamburger set consisting of a hamburger and a coke, (b) four dollars for a fishburger set consisting of a fishburger and a coke, (c) three dollars for a hamburger, four dollars for a fishburger, one dollar for a coke (with unlimited refills), and one dollar for a fry. The following is a linear logic translation of the above menu:

p(4).
!∀X(p(X) ⊗ ≥(X,3) ⊸ p(h) ⊗ p(c) ⊗ p(X-3)).
!∀X(p(X) ⊗ ≥(X,4) ⊸ p(fi) ⊗ p(c) ⊗ p(X-4)).
!∀X(p(X) ⊗ ≥(X,3) ⊸ p(h) ⊗ p(X-3)).
!∀X(p(X) ⊗ ≥(X,4) ⊸ p(fi) ⊗ p(X-4)).
!∀X(p(X) ⊗ ≥(X,1) ⊸ p(c) ⊗ !p(c) ⊗ p(X-1)).
!∀X(p(X) ⊗ ≥(X,1) ⊸ p(f) ⊗ p(X-1)).

The proposition p(4) represents that a person has four dollars. Now solving the query p(h) ⊗ p(c) ⊗ p(f) would succeed, as we can obtain a hamburger and a coke for three dollars and a fry for a dollar. Solving the query p(h) ⊗ p(c) ⊗ p(c) would also succeed, as we can obtain a hamburger for three dollars, and a coke and a (refilled) coke for one dollar. The examples presented here have been of a simple nature. They are, however, sufficient for appreciating the attractiveness of the algorithm

development process proposed here. We point the reader to [1], [4], [5] for more examples.

CONCLUSION

A proposal for designing algorithms has been given. It is based on the view that software is a dynamic system simulated on a machine and an algorithm is a constructive definition of a dynamic system. The advantage of our approach is that it simplifies the process of designing and writing algorithms for problems that require nondeterministic updates. Our ultimate interest is in a procedure for carrying out computations of the kind described above. Hence it is important to realize this linear logic interpreter in an efficient way, as discussed in [2][4]. In the future, we are also interested in adopting an extension of linear logic, computability logic [7, 8], to express algorithms.
ACKNOWLEDGMENT

This paper was supported by Dong-A University Research Fund in 2009.

REFERENCES
[1] M. Banbara. Design and Implementation of Linear Logic Programming Languages. Ph.D. dissertation, Kobe University, 2002.
[2] I. Cervesato, J. S. Hodas, and F. Pfenning. Efficient resource management for linear logic proof search. In Proceedings of the 1996 Workshop on Extensions of Logic Programming, LNAI 1050, pages 67–81.
[3] J.-Y. Girard. Linear logic. Theoretical Computer Science, 50:1–102, 1987.
[4] J. Hodas and D. Miller. Logic programming in a fragment of intuitionistic linear logic. Journal of Information and Computation, 1994. Invited to a special issue of submissions to the 1991 LICS conference.
[5] P. Kungas. Linear Logic Programming for AI Planning. Master's thesis, Tallinn Technical University, 2002.
[6] R. Neapolitan and K. Naimipour. Foundations of Algorithms. Heath, Amsterdam, 1997.
[7] G. Japaridze. The logic of tasks. Annals of Pure and Applied Logic, 117 (2002) 263–295.
[8] G. Japaridze. Introduction to computability logic. Annals of Pure and Applied Logic, 123 (2003) 1–99.


A Wavelet-Based Digital Watermarking for Video

A. Essaouabi and F. Regragui
Department of physics, LIMIARF Laboratory, Faculty of Sciences Mohammed V University Rabat, Morocco

E.Ibnelhaj
Image laboratory National Institute of Posts and Telecommunications Rabat, Morocco

Abstract— A novel video watermarking system operating in the three-dimensional wavelet transform domain is presented here. Specifically, the video sequence is partitioned into spatio-temporal units and the single shots are projected onto the 3D wavelet domain. First, a gray-scale watermark image is decomposed into a series of bitplanes that are preprocessed with a random location matrix. After that, the preprocessed bitplanes are adaptively spread-spectrum modulated and added to the 3D wavelet coefficients of the video shot. Our video watermarking algorithm is robust against the attacks of frame dropping, averaging and swapping. Furthermore, it allows blind retrieval of the embedded watermark, which does not require the original video, and the watermark is perceptually invisible. The design, evaluation, and experimentation of the proposed scheme are described in this paper.

Keywords: video watermarking; copyright protection; wavelet transform; security

I. INTRODUCTION

We have seen an explosion of data exchange on the Internet and the extensive use of digital media. Consequently, digital data owners can transfer multimedia documents across the Internet easily. Therefore, there is an increase in concern over the copyright protection of digital content [1, 2, 3]. In the early days, encryption and access control techniques were employed to protect the ownership of media. They do not, however, protect against unauthorized copying after the media have been successfully transmitted and decrypted. Recently, watermarking techniques have been utilized to maintain copyright [4, 5, 6]. Digital watermarking, one of the popular approaches considered as a tool for providing copyright protection, is a technique based on embedding a specific mark or signature into digital products. It focused on still images for a long time, but nowadays this trend is fading: more and more watermarking algorithms are being proposed for other multimedia data, and in particular for video content. However, even if watermarking still images and video are similar problems, they are not identical. New problems and new challenges show up and have to be addressed. Watermarking digital video introduces some issues that generally do not have a counterpart in images and audio. Due to the large amount of data and the inherent redundancy between frames, video signals are highly susceptible to pirate attacks, including frame averaging, frame dropping, frame swapping, collusion, statistical analysis, etc. Many of these attacks may

be accomplished with little or no damage to the video signal. However, the watermark may be adversely affected. Scenes must be embedded with a consistent and reliable watermark that survives such pirate attacks. Applying an identical watermark to each frame in the video leads to problems of maintaining statistical invisibility. Applying independent watermarks to each frame is also a problem: regions in each video frame with little or no motion remain the same frame after frame, and motionless regions in successive video frames may be statistically compared or averaged to remove independent watermarks [7][8]. In order to solve such problems, many algorithms based on the 3D wavelet transform have been adopted, but most of them use a binary image as the watermark. In this paper we propose a new blind watermarking scheme based on the 3D wavelet transform and video scene segmentation [8][9]. First, by a still-image decomposition technique, a gray-scale watermark image is decomposed into a series of bitplanes which are correlated with each other and preprocessed with a random location matrix. After that, the preprocessed bitplanes are adaptively spread-spectrum modulated and added to the 3D wavelet coefficients of the video shot. As the 1-D multiresolution temporal representation of the video covers only the temporal axis, each frame is also decomposed along the spatial axes into a 2D discrete wavelet multiresolution representation, for watermarking the spatial detail of the frame as well as the motion and motionless regions of the video. Experimental results show that the proposed techniques are robust enough against frame dropping, averaging and MPEG lossy compression. The rest of this paper is organized as follows: in Section II we explain the decomposition procedure of the watermark image and video. Section III describes the basic functionalities of the watermark embedding and extraction procedures. Finally, Section IV gives the simulation results and Section V gives the conclusion. II.
DECOMPOSITION OF THE WATERMARK IMAGE AND VIDEO

A. Watermark process
The watermark gray-scale image W(i,j) is decomposed into 8 bitplanes for watermarking [10]. For robustness to common picture-cropping processing, a fast two-dimensional


pseudo-random number traversing method is used to permute each bitplane of the watermark image, dispersing its spatial location for the sake of spreading the watermarking information (first key). Finally, each bitplane is changed into a pseudo-random matrix Wdk by the disorder processing (second key). Wdk is a series of binary images with values 1 and -1.
B. Decomposition of video
For watermarking the motion content of the video, we decompose the video sequence into a multiresolution temporal representation with a 2-band or 3-band perfect reconstruction filter bank, by a 1-D Discrete Wavelet Transform (DWT) along the temporal axis of the video. To enhance robustness against the attack on an identical watermark for each frame, the video sequence is broken into scenes, and the length of the 1-D DWT depends on the length of each scene. Let N be the length of a video scene, Fk the k-th frame in a video scene, and WFk the k-th wavelet coefficient frame. The wavelet frames are ordered from lowest frequency to highest frequency, i.e., WF0 is a DC frame. The procedure of multiresolution temporal representation is shown in Fig. 1.
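A minimal sketch of the bitplane decomposition and the keyed location scrambling might look as follows. This is a pure-Python illustration with our own function names; the paper does not specify its traversing method in detail, so the seeded permutation below is an assumption standing in for it.

```python
import random

def bitplanes(img):
    """Split an 8-bit grayscale image (a list of rows of pixel values)
    into 8 bitplanes, plane 0 = LSB ... plane 7 = MSB, with entries in
    {1, -1} as in the Wdk matrices."""
    return [[[1 if (px >> k) & 1 else -1 for px in row] for row in img]
            for k in range(8)]

def permute(plane, key):
    """Keyed pseudo-random location scrambling of one bitplane (the
    'first key'): a seeded permutation of the flattened plane, hence
    invertible by anyone holding the key."""
    flat = [v for row in plane for v in row]
    order = list(range(len(flat)))
    random.Random(key).shuffle(order)
    scrambled = [flat[i] for i in order]
    w = len(plane[0])
    return [scrambled[r * w:(r + 1) * w] for r in range(len(plane))]
```

Because the permutation is driven by a seed, the same key reproduces the same scrambling, which is what allows the extraction side to reverse it.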

III. VIDEO EMBEDDING AND EXTRACTING PROCEDURE

Fig. 3 shows the watermark embedding procedure. Assume that the original video is a series of gray-level images of size 352×288 and the watermark image is an 8-bit grayscale image of size 42×42.

Figure 3. Digital watermarking embedding scheme diagram

A. Watermark embedding procedure
Figure 1. Procedure of multiresolution temporal representation

The main steps of the digital watermark embedding process are given as follows:
1) Video segmentation: the host video is segmented into scene shots, and some shots are selected at random for embedding the watermark; for each selected shot, the following steps are repeated.
2) The shot is projected by 1-D DWT and 2-D DWT into a multiresolution representation of three levels. Denote by Rk the 3D wavelet coefficient frames.
3) Each bitplane is adaptively spread-spectrum modulated and embedded in an original wavelet coefficient frame (subband LH3). Hence 8 original wavelet coefficient frames are watermarked. For each pixel (i,j) of the selected area in RK (k = 1, 2, …, 8), the value is compared with the maximum of its eight neighbors; let t denote that maximum. The watermark is embedded by changing the corresponding coefficient value as shown in Eq. 1:

R′K(i,j) = RK(i,j) + α·WK(i,j)·RK(i,j)    (1)

The multiresolution temporal representation mentioned above is only along the temporal axis of the video. The robustness of spatial watermarking for each frame (especially for I-frames) should be considered in addition, for the sake of surviving MPEG video lossy compression. Hence, the wavelet coefficient frame WFk is decomposed into a multiresolution representation by the 2D discrete wavelet transform (2D-DWT). Fig. 2 shows the three-scale discrete wavelet transform with 3 levels using the Haar filter. Rk denotes the 3D wavelet coefficient frames.

Figure 2. Three-scale wavelet decomposition with three levels of the k-th wavelet coefficient frame in a video

where α is an intensity factor, R′K are the watermarked 3D-DWT coefficient frames, and WK (k = 1, 2, …, 8) is the spread


spectrum watermark image sequence, which is the third key of our video watermarking scheme, as shown in Eq. 2 and Fig. 4:

Wk(i,j) = 1   if t > Rk(i,j) and Wdk(i,j) = 1, or t < Rk(i,j) and Wdk(i,j) = -1
         -1   otherwise                                                    (2)

3) The preprocessing and the pseudo-random permutation are reversed according to the predefined pseudo-random order for these bitplanes.
4) By composing these bitplanes into the gray-level image G0, the extracted watermark is reconstructed.

IV. EXPERIMENTAL RESULTS

Figure 4. The detail of the watermark embedding
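The embedding rule of Eqs. (1)-(2) can be sketched per coefficient frame as below. This is our own illustration on a plain 2-D array, ignoring the DWT stages; the names `neighbor_max` and `embed` are assumptions, not the paper's.

```python
def neighbor_max(R, i, j):
    """t: the maximum over the (up to) eight neighbours of (i, j)."""
    h, w = len(R), len(R[0])
    return max(R[y][x]
               for y in range(i - 1, i + 2) for x in range(j - 1, j + 2)
               if (y, x) != (i, j) and 0 <= y < h and 0 <= x < w)

def embed(R, Wd, alpha=0.05):
    """Eqs. (1)-(2): spread the permuted bitplane Wd into one
    coefficient frame R.  Wk(i,j) is +1 when the comparison with t
    agrees with Wd(i,j), else -1, and the coefficient is scaled by
    (1 + alpha * Wk)."""
    out = []
    for i, row in enumerate(R):
        new_row = []
        for j, r in enumerate(row):
            t = neighbor_max(R, i, j)
            wk = 1 if ((t > r and Wd[i][j] == 1) or
                       (t < r and Wd[i][j] == -1)) else -1
            new_row.append(r + alpha * wk * r)   # Eq. (1)
        out.append(new_row)
    return out
```

Scaling by (1 ± α) rather than adding a fixed offset keeps the distortion proportional to the coefficient magnitude, which is what makes the embedding adaptive.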

The “foreman” and “Stefan” sequences, 100 frames long (about 4 seconds) with 352×288 pixels per frame, as shown in Fig. 6-a and b, were used in our experiments. The 42×42 watermark image used in our experiments is shown in Fig. 6-c. The corresponding experimental results for various possible attacks, such as frame dropping, frame averaging, frame swapping, and MPEG compression, are shown in the following sections. In addition, a similarity measurement between the extracted and the reference watermarks is used for objective judgment of the extraction fidelity; it is defined as:

4) By inverting the watermarked 2D-DWT and 1-D DWT wavelet coefficient frames, we obtain the watermarked video.
B. Watermark extracting procedure
1) We first parse the watermarked video into shots with the same algorithm as in watermark embedding; then the 3D wavelet transform is performed on each selected test video shot, giving the wavelet coefficient frames R′K (k = 1, 2, …, n).
2) For each pixel R′K(i,j), its value is compared with the maximum of its eight neighbors; t′ denotes that maximum, used to extract the corresponding bitplane, as shown in Fig. 5 and Eq. 3.

NC = (Σi Σj W(i,j)·W′(i,j)) / (Σi Σj [W(i,j)]²)    (4)

which is the cross-correlation normalized by the reference watermark energy to give unity as the peak correlation. We will use this measurement to evaluate our scheme in our experiment. Peak signal-to-noise ratio (PSNR), a common image quality metric, is defined as:

PSNR = 20 log10(255 / SNR)    (5)

The signal-to-noise ratio (SNR) is computed between the original and watermarked frame.
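Reading the noise term of Eq. (5) as the root-mean-square error between the two frames, as is standard for PSNR, the two quality measures can be sketched as follows (function names are ours):

```python
import math

def nc(W, Wx):
    """Normalized cross-correlation of Eq. (4): equals 1 when the
    extracted watermark Wx matches the reference W exactly."""
    num = sum(a * b for rw, rx in zip(W, Wx) for a, b in zip(rw, rx))
    den = sum(a * a for rw in W for a in rw)
    return num / den

def psnr(orig, marked):
    """PSNR in dB between the original and watermarked frame, taking
    the noise term of Eq. (5) as the root-mean-square error."""
    n = len(orig) * len(orig[0])
    mse = sum((a - b) ** 2
              for ro, rm in zip(orig, marked)
              for a, b in zip(ro, rm)) / n
    return float("inf") if mse == 0 else 20 * math.log10(255 / math.sqrt(mse))
```

NC is normalized by the reference watermark energy only, so it peaks at unity for a perfect extraction, matching the description above.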

(a) Foreman scene

(b) Stefan scene

Figure 5. The detail of the watermark detecting

(c) Original watermark

Wdk(i,j) = 1   if t′ > R′k(i,j) and Wk(i,j) = 1, or t′ < R′k(i,j) and Wk(i,j) = -1
          -1   otherwise                                                    (3)

Figure 6. Two scenes original and the watermark image in the experiment


watermark. So in our experiment we use the average of the current frame and its two nearest neighbors to replace the current frame Fk, k = 2, 3, 4, …, n-1. The corresponding results are presented in Fig. 10.

(a) Watermarked video (PSNR = 36.8211 dB)

(b) Watermarked video (PSNR = 35.4263 dB)

Figure 7. The watermarked scenes

(a) The effect of frame averaging on the foreman scene

(a) Extracted watermark from foreman scene (NC = 0.9736)

(b) Extracted watermark from Stefan scene (NC = 0.9587)
Figure 8. The extracted watermark from each scene

A. Frame dropping attack
There is little change between frames within a shot, so frame dropping, in which some frames (the even-indexed frames) are removed from the video shot and replaced by the corresponding original frames, is used as an effective video watermark attack. The experimental result is plotted in Fig. 9.

(b) The effect of frame averaging on the Stefan scene
Figure 10. NC values under statistical averaging. It is found that the proposed scheme can resist statistical averaging quite well.

B. Frame swapping attack
Frame swapping can also destroy some of the dynamic composition of the video watermark. We define the following swapping mode: FK(i,j) = Fk-1(i,j), k = 1, 3, 5, …, n-1. The corresponding results are presented in Fig. 11.

(a) The effect of frame dropping on the foreman scene
(a) The effect of frame swapping on the foreman scene

(b) The effect of frame dropping on the Stefan scene
Figure 9. NC values under frame dropping. From the experiment, we found that our scheme achieves good performance.
(b) The effect of frame swapping on the Stefan scene
Figure 11. NC values under frame swapping. From the experiment, we found that our scheme achieves good performance.

Frame averaging is also a significant video watermarking attack that will remove dynamic composition of the video


C. MPEG compression
MPEG compression is one of the basic attacks on video watermarks, so a video watermarking scheme should be robust against it. Fig. 12 shows the extracted watermark from the foreman scene after MPEG-2 compression.

Figure 12. Extracted watermark after MPEG2 compression

V. CONCLUSION

This paper proposes an innovative blind video watermarking scheme in the 3D wavelet transform domain, using a gray-scale image as a watermark. The process of this video watermarking scheme, including watermark preprocessing, video preprocessing, watermark embedding, and watermark detection, is described in detail. Experiments are performed to demonstrate that our scheme is robust against attacks by frame dropping, frame averaging, and lossy compression. REFERENCES
[1] A. Piva, F. Bartolini, and M. Barni. Managing copyright in open networks. IEEE Internet Computing, Vol. 6, No. 3, pp. 18-26, May-June 2002.
[2] C.-S. Lu, H.-Y. Mark Liao. Multipurpose watermarking for image authentication and protection. IEEE Transactions on Image Processing, Vol. 10, No. 10, pp. 1579-1592, Oct. 2001.
[3] C. S. Lu, S. K. Huang, C. J. Sze, and H. Y. M. Liao. Cocktail watermarking for digital image protection. IEEE Transactions on Multimedia, Vol. 2, pp. 209-224, Dec. 2000.
[4] J. Lee and S.-H. Jung. A survey of watermarking techniques applied to multimedia. Proceedings of the 2001 IEEE International Symposium on Industrial Electronics (ISIE 2001), Vol. 1, pp. 272-277, 2001.
[5] M. Barni, F. Bartolini, R. Caldelli, A. De Rosa, and A. Piva. A robust watermarking approach for raw video. Proceedings of the 10th International Packet Video Workshop (PV2000), Cagliari, Italy, 1-2 May 2000.
[6] A. M. Eskicioglu and E. J. Delp. An overview of multimedia content protection in consumer electronics devices. Signal Processing: Image Communication, 16 (2001), pp. 681-699.
[7] G. Doërr and J.-L. Dugelay. Video watermarking: overview and challenges. Chapter in Handbook of Video Databases: Design and Applications, B. Furht (ed.), CRC Press, September 2003.
[8] M. D. Swanson, B. Zhu, and A. H. Tewfik. Multiresolution scene-based video watermarking using perceptual models. IEEE Journal on Selected Areas in Communications, Vol. 16, No. 4, May 1998, pp. 540-550.
[9] X. Niu and S. Sun. A new wavelet-based digital watermarking for video. 9th IEEE Digital Signal Processing Workshop, Texas, USA, 2000.
[10] X. Niu, Z. Lu, and S. Sun. Digital watermarking of still images with gray-level digital watermarks. IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, Feb. 2000, pp. 137-145.


A Cost Effective RFID Based Customized DVD-ROM to Thwart Software Piracy
Prof. Sudip Dogra
Electronics & Communication Engineering Meghnad Saha Institute of Technology Kolkata, India

Prof. Subir Kr. Sarkar
Electronics and Telecommunication Engineering Jadavpur University Kolkata, India

Ritwik Ray
Student Electronics & Communication Engineering Meghnad Saha Institute of Technology Kolkata, India

Saustav Ghosh
Student Electronics & Communication Engineering Meghnad Saha Institute of Technology Kolkata, India

Debharshi Bhattacharya
Student Electronics & Communication Engineering Meghnad Saha Institute of Technology Kolkata, India

Abstract—Software piracy has been a very perilous adversary of the software industry from the very beginning of the latter's development into a significant business. No foolproof system has been developed so far to appropriately tackle this issue. In our scheme, we have tried to develop a way to address this problem using the recently developed technology of RFID. Keywords- DVD, DVD-ROM, Piracy, RFID, Reader, Software, Tag

discussed RFID and the functioning of a DVD-ROM in Sections II and III, respectively. Following that, a brief discussion of software piracy is given in Sections IV and V. After this, we describe our scheme and list its advantages in Sections VI and VII, respectively.
II. RFID: RADIO FREQUENCY IDENTIFICATION
RFID stands for Radio Frequency IDentification, a term that describes any system of identification wherein an electronic device that uses radio frequency or magnetic field variations to communicate is attached to an item. The two most talked-about components of an RFID system are the tag, which is the identification device attached to the item we want to track, and the reader, which is a device that can recognize the presence of RFID tags and read the information stored on them. The reader can then inform another system about the presence of the tagged items. The system with which the reader communicates usually runs software that stands between readers and applications; this software is called RFID middleware. In a typical RFID system [2], passive tags are attached to objects such as goods, vehicles, humans, animals, and shipments, while a vertical/circular polarization antenna is connected to the RFID reader. The RFID reader and tag can radio-communicate with each other using a number of different frequencies, and currently most RFID systems use unlicensed spectrum. The common frequencies used are low

I. INTRODUCTION

OVER the years, the software industry has developed into a multi-billion dollar business, spreading its wings throughout the world. Not only in the commercial field: software is now being applied in almost all spheres of our life. Ranging from defense activities to health monitoring, there is software for every purpose. As a result, these software products come with varying price tags. Software used in scholarly, medical or defense activities is generally highly priced because of its significance. The utmost peril that has been menacing this exceptionally vital industry is the act of software piracy. In our present work, we have tried to develop a DVD-ROM drive which will be capable of reading only authorized DVDs containing software, and which will be used only for the purpose of storing costly, sensitive data. For this purpose, we have taken the help of the latest RFID technology. We have


frequency (125 kHz), high frequency (13.56 MHz), ultra high frequency (860–960 MHz), and microwave frequency (2.4 GHz). Typical RFID readers are able to read (or detect) tags of only a single frequency, but multimode readers, which are capable of reading tags of different frequencies, are becoming cheaper and more popular [3].
III. OPERATION OF A DVD-ROM
A DVD-ROM is very similar to a CD-ROM. It has a laser assembly that shines a laser beam onto the surface of the disc to read the pattern of bumps. The DVD player decodes the encoded data, turning it into a standard composite digital signal. The DVD player has the job of finding and reading the data stored as bumps on the DVD. Considering how small the bumps are, the DVD player has to be an exceptionally precise piece of equipment. The drive consists of three fundamental components:
• A drive motor to spin the disc - the drive motor is precisely controlled to rotate between 200 and 500 rpm, depending on which track is being read.
• A laser and a lens system to focus in on the bumps and read them - the light from this laser has a smaller wavelength (640 nanometers) than the light from the laser in a CD player (780 nanometers), which allows the DVD laser to focus on the smaller DVD pits.
• A tracking mechanism that can move the laser assembly so the laser beam can follow the spiral track - the tracking system has to be able to move the laser at micron resolutions.

fundamental job of the DVD player is to focus the laser on the track of bumps. The laser can focus either on the semi-transparent reflective material behind the closest layer, or, in the case of a double-layer disc, through this layer and onto the reflective material behind the inner layer. The laser beam passes through the polycarbonate layer, bounces off the reflective layer behind it and hits an opto-electronic device, which detects changes in light. The bumps reflect light differently than the "lands," the flat areas of the disc, and the opto-electronic sensor detects that change in reflectivity. The electronics in the drive interpret the changes in reflectivity in order to read the bits that make up the bytes.

IV. SOFTWARE PIRACY: A MODERN MENACE


Over the years, the software industry has developed into a multi-billion dollar business, spreading its wings throughout the world. Not only in the commercial field: software is now being applied in almost all spheres of our life. Ranging from defense activities to health monitoring, there is software for every purpose. As a result, these software products come with varying price tags. Software used in scholarly, medical or defense activities is generally highly priced because of its significance. The utmost peril that has been menacing this exceptionally vital industry is the act of software piracy. The copyright infringement of software (often referred to as software piracy) refers to several practices which involve the unauthorized copying of computer software. Copyright infringement of this kind is extremely common. Most countries have copyright laws which apply to software, but the degree of enforcement varies. After a dispute over membership between Iran and the USA led to the legalization in Iran of the unconstrained distribution of software (see Iran and copyright issues), there have been fears that world governments might use copyright politically. When software is pirated, customers, software developers, and resellers are harmed. Software piracy increases the risk that consumers' computers will be corrupted by malfunctioning software and infected with viruses. Those who supply defective and illegal software do not tend to provide sales and technical support. Pirated software usually has insufficient documentation, which prevents consumers from enjoying the full benefits of the software package. In addition, consumers are not able to take advantage of technical support and product upgrades, which are typically available to legitimate registered users of the software. Pirated software can cost consumers lost time and additional money.

Fig. 1. Functional Diagram of a DVD-ROM

Inside the DVD player, there is a good bit of computer technology involved in forming the data into understandable data blocks, and sending them either to the DAC, in the case of audio or video data, or directly to another component in digital format, in the case of digital video or data.


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

Fig. 2. Rate of software piracy across countries (Courtesy: IDC)

Developers lose revenue from pirated software, from current products as well as from future programs. When software is sold, most developers invest a portion of the revenue into future development and superior software packages. When software is pirated, software developers lose revenue from the sale of their products, which hinders the development of new software and stifles the growth of the software company.

V. SOFTWARE PIRACY: TYPES AND PREVENTIVE MEASURES

There are numerous kinds of software piracy. The bottom line is that once software is pirated, the developer does not receive compensation for their toil. We mention a few methods which have been used contemporarily to check this despicable practice.

A. End User Piracy
Using multiple copies of a single software package on several different systems, or distributing registered or licensed copies of software to others. Another common form of end user piracy is the use of a cracked version of the software: hacking into the software and disabling the copy protection, or illegally generating key codes that unlock the trial version, turns the software into an unauthorized registered version.

B. Reseller Piracy
Reseller piracy occurs when an unscrupulous reseller distributes multiple copies of a single software package to different customers; this includes preloading systems with software without providing original manuals and diskettes. Reseller piracy also occurs when resellers knowingly sell counterfeit versions of software to unsuspecting customers. Indications of reseller piracy are multiple users with the same serial number, lack of original documentation or an incomplete set, and non-matching documentation.

C. Trademark/Trade Name Infringement
Infringement occurs when an individual or dealer claims to be authorized either as a technician, support provider or reseller, or is improperly using a trademark or trade name.

D. BBS/Internet Piracy
BBS/Internet piracy occurs when there is an electronic transfer of copyrighted software: system operators and/or users upload or download copyrighted software and materials onto or from bulletin boards or the Internet for others to copy and use without the proper license. Often hackers will distribute or sell the hacked software or cracked keys. The developer does not receive any money for the software the hacker distributed; this is an infringement of the developer's copyright. Another technique used by software pirates is to illegally obtain a registered copy of software: pirates acquire the software once and use it on multiple computers. Purchasing software with a stolen credit card is another form of software piracy.

Usually, software is sold in the market on secondary storage media such as CDs and DVDs. Necessary measures are taken so that the disks are copy-protected and there is no likelihood of replicating the valuable software stored on them. Table I lists some of the technologies presently available for this purpose.

TABLE I. Various existing technologies used in the prevention of software piracy

1. Alkatraz: Copy protection for CD and DVD based on a "watermark" system.
2. CD-Cops: CD-Cops is an envelope protection which is added to the CD's main executable.
3. CDShield: CDSHiELD protects a CD (before burning it) by putting deliberate sector errors on it to prevent copying by unauthorized third parties.
4. HexaLock: HexaLock CD-RX media are specially made CD-Rs that contain a pre-compiled session, which includes security elements that make the discs copy-protectable.
5. LaserLock: LaserLock uses a combination of encryption software and a unique laser mark, a "physical signature" on the CD surface made during the special LaserLock glass-mastering procedure, in order to make copying virtually impossible.
6. Roxxe: Roxxe CD protection is a brand new combination of hardware and software protection that makes it impossible to run software from illegally copied CDs.
7. SafeDisc: Software publishers and developers need an effective and comprehensive anti-piracy solution to protect their intellectual property from copying, hacking and Internet distribution, while still ensuring a high-quality experience for consumers.
8. SmarteCD: Smarte Solutions ("Smarte") is the leading provider of next-generation piracy management solutions that secure and control the use of software and digital information while enhancing the distribution and marketing-related capabilities of those products.
9. StarForce: StarForce Technologies is well known in the games and software world for its outstanding and hacker-proof copy protection systems for applications distributed on CD, DVD and CD-R.

VI. DESCRIPTION OF OUR PROPOSED SCHEME

A. Our Consideration

In our scheme, we have proposed a modified DVD drive in which only modified DVDs can be read. The basic architecture of both devices has been kept nearly the same; we have changed only their working. The list of items used in our scheme is given in Table II.
TABLE II. Components used in our scheme

1. DVD-ROM: 1
2. Short-range RFID reader: 1
3. RFID passive tag: 4
4. Computer: 1
5. DVD: 4
6. Basic Stamp microcontroller: 1

Fig. 3. Schematic Diagram of our arrangement

Each of the DVDs will be fitted with an RFID tag on the non-readable surface. The reader will be connected to the DVD-ROM, and the interfacing will be done using a Basic Stamp microcontroller. The power supply will provide the necessary power to run the reader, the microcontroller and the DVD-ROM at the same time.

B. Functioning of our Scheme
The basic principle underlying this scheme is the authentication of two parties before the transfer of information actually begins. In our case the authentication process is carried out using RFID technology. Each of the DVDs will be provided with a set of two serial numbers. One will be written on the DVD and visible to the user. The second code will be stored inside the RFID tag and can be read only by the reader; this code has to be stored in a database inside the computer. If the process is carried out by a software company, the second code will be published on the Internet in an encrypted form along with the serial number written on the DVD. The user will have to obtain this code first before he can run the DVD. A schematic diagram of the arrangement is shown in Fig. 3.

When this DVD is inserted into the drive, the reader antenna will first read the code stored in the tag and send it to the microcontroller. The microcontroller will match this code against those existing in the computer's database. If the code does not match any of the existing codes, it will eject the DVD and no data transfer will take place; it will send the signal to run the DVD only if it finds a match. Hence, the DVD-ROM will not be able to read any DVDs other than those carrying authenticated RFID tags. The flowchart of this process is shown in Fig. 4.
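The decision logic performed by the microcontroller can be sketched as follows. This is a minimal illustration, not the published firmware; the database contents (taken from the simulation codes mentioned later) and the function name are our assumptions:

```python
# Sketch of the microcontroller's decision: compare the code read from the
# DVD's RFID tag against the codes registered in the computer's database,
# then raise either the RUN or the EJECT signal.

AUTHORIZED_CODES = {"1000", "1001", "1010", "1011"}  # example database

def authenticate(tag_code, database=AUTHORIZED_CODES):
    """Return (run, eject) signal levels for the given tag code."""
    if tag_code in database:
        return (1, 0)   # run high, eject low: start reading the DVD
    return (0, 1)       # run low, eject high: eject the disc

print(authenticate("1010"))  # (1, 0): authenticated, DVD runs
print(authenticate("1111"))  # (0, 1): unknown tag, DVD is ejected
```

In hardware the same comparison would be done by the Basic Stamp against codes fetched from the host's database; the dictionary here simply stands in for that lookup.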
Fig. 4. Flowchart of the working of our scheme (Start; read the code from the DVD and store it in C; if the code is present in the database, send the signals for running the DVD, otherwise send the signals for ejecting the DVD)

Moreover, the DVD will be suitably encrypted so that it cannot be run on any other DVD-ROM, and the material stored on it cannot be copied even by the modified DVD-ROM. We have simulated the signals that would be sent by the microcontroller using Verilog HDL in Micro Sim. The simulations are shown in Fig. 5.


Fig. 5. Simulation of the various signals used in our scheme, made in Verilog

As shown in the simulation, the codes stored in the 4 DVDs were 1000, 1001, 1010 and 1011. Whenever a DVD having a false code is encountered, the eject signal goes high and the run signal goes low, making the DVD-ROM eject the DVD. However, when the code matches one in the database, the run signal goes high and the eject signal goes low.

VII. ADVANTAGES OF OUR SCHEME

Over the years, piracy rackets in the software industry have taken a huge toll in terms of losses incurred in the sale of software. Many costly software products, such as operating systems and antivirus packages, are available on cheap CDs/DVDs in illegal markets in many parts of the world. Our scheme offers a cost-effective solution to this problem. The following advantages can easily be pointed out.
1) Since the special RFID DVD can only be run using an RFID optical drive, there is very little possibility of the content being copied, as the DVD won't start running without proper authentication.
2) As the DVD will be made especially for the purpose of selling costly software, the hardware will be properly configured so that there is neither any chance of transferring the software data onto any computer nor any chance of ripping the DVD.
3) New and advanced software is launched every day, eventually taking the place of older versions in the market. If our scheme is implemented by software companies, it will prevent newer versions of existing software from becoming cheaply available through piracy. Hence, customers using an older version will be forced to buy the newer version only from sources selling original copies.
4) In view of the decreasing prices of RFID readers and tags, a cheaper version of the modified DVD and its reader will be easily realizable for customers of limited financial means.
5) The scheme will also provide enhanced security for highly important confidential data, and hence can be used in places where sensitive, high-priority data is handled.

VIII. ACKNOWLEDGEMENT

We would like to take this opportunity to show our gratitude to the faculty of the Electronics and Communication Department of our college, including our Head of the Department, Prof. Sudip Dogra, who provided invaluable contributions to the present work. This achievement is also dedicated to our Administrator, Mr. Satyen Mitra, who provided continuous support for this work. A special mention goes to our friend Ms. Emon Dastider, who helped us with the composition of this document. Finally, we would like to thank Prof. Subir Kr. Sarkar for guiding us through this project.

IX. CONCLUSION

The basic advantage of our scheme lies in its cost-effectiveness and its simple design. Once implemented on a commercial basis, it will establish itself as a great hindrance to the degraded practice of software piracy. There is also scope for further development of the design, which will enhance its efficiency and security.

REFERENCES
[1] S. Ahson and M. Ilyas, Eds., RFID Handbook: Applications, Technology, Security, and Privacy. Boca Raton: CRC Press.
[2] S. B. Miles, S. E. Sharma and J. R. Williams, RFID Technology and Applications. New York: Cambridge University Press.
[3] G. O. Young, "Synthetic structure of industrial plastics (Book style with paper title and editor)," in Plastics, 2nd ed., vol. 3, J. Peters, Ed. New York: McGraw-Hill, 1964, pp. 15-64.
[4] K. R. Lang, R. D. Shang and R. Vragov, "The effect of piracy on markets for consumer transmutation rights," in Proc. 42nd Hawaii International Conference on System Sciences (HICSS '09), 5-8 Jan. 2009.
[5] Y. Mahmood, S. Sarwar, Z. Pervez and H. F. Ahmed, "Method based static software birthmarks: A new approach to derogate software piracy," in Proc. 2nd International Conference on Computer, Control and Communication (IC4 2009), 17-18 Feb. 2009.
[6] Tung-Ching Lin, Meng Hsiang Hsu, Feng-Yang Kuo and Pei-Cheng Sun, "An intention model-based study of software piracy," in Proc. 32nd Annual Hawaii International Conference on System Sciences (HICSS-32), vol. Track 5, 5-8 Jan. 1999.
[7] T. C. H. Kwong and M. K. O. Lee, "Understanding the behavioral intention to digital piracy in virtual communities - a proposed model," in Proc. 2004 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE '04), 28-31 March 2004.

AUTHORS PROFILE


Sudip Dogra received the B.Tech and M.Tech degrees from the Institute of Radio Physics and Electronics, University of Calcutta, in 1996 and 2003, respectively. He is doing his PhD at Jadavpur University. He served Andrew Yule & Company Limited (a Govt. of India enterprise) as a Development Engineer (R&D Dept.) for about 6 years before coming to the teaching profession. He joined as a faculty member in the Dept. of Electronics and Communication Engineering, Meghnad Saha Institute of Technology, Kolkata, in 2003. Presently he is Assistant Professor and Head of the Department in the Electronics & Communication Engineering Department of Meghnad Saha Institute of Technology, Kolkata. He has published more than 25 technical research papers in journals and peer-reviewed conferences. His most recent research focus is in the areas of 4th Generation Mobile Communication, MIMO, OFDM, WiMax, UWB, RFID and its applications.

Saustav Ghosh is pursuing his Bachelor's degree in Electronics & Communication Engineering at Meghnad Saha Institute of Technology. He has published more than 6 technical research papers in journals and peer-reviewed national and international conferences. His earlier works were done in the fields of 4G mobile communications, co-operation in mobile communication, mobile security and WiMAX. His present field of interest is RFID and its applications.

Ritwik Ray is pursuing his Bachelor's degree in Electronics & Communication Engineering at Meghnad Saha Institute of Technology. He has published more than 6 technical research papers in journals and peer-reviewed national and international conferences. His earlier works were done in the fields of 4G mobile communications, co-operation in mobile communication, mobile security and WiMAX. His present field of interest is RFID and its applications.

Debharshi Bhattacharya is pursuing his Bachelor's degree in Electronics & Communication Engineering at Meghnad Saha Institute of Technology. He has published more than 6 technical research papers in journals and peer-reviewed national and international conferences. His earlier works were done in the fields of 4G mobile communications, co-operation in mobile communication, mobile security and WiMAX. His present field of interest is RFID and its applications.

Subir Kumar Sarkar completed his B.Tech and M.Tech from the Institute of Radio Physics and Electronics, University of Calcutta, in 1981 and 1983, respectively. He was in industry for about 10 years before coming to the teaching profession. He completed his Ph.D. (Tech) degree from the University of Calcutta in Microelectronics. Currently he is a professor in the Department of Electronics and Telecommunication Engineering, Jadavpur University. His present field of interest includes nano, single-electron and spintronic device-based circuit modeling, wireless mobile communication and data security in computer networks.


(IJCSIS) International Journal on Computer Science and Information Security, Vol. 6, No. 1, 2009

An O(|E|) Time Shortest Path Algorithm For Non-Negative Weighted Undirected Graphs
Muhammad Aasim Qureshi, Dr. Fadzil B. Hassan, Sohail Safdar, Rehan Akbar
Computer and Information Science Department, Universiti Teknologi PETRONAS, Perak, Malaysia

Abstract—In most shortest path problems, such as vehicle routing and network routing, we only need an efficient path between two points, source and destination; it is not necessary to calculate the shortest path from the source to all other nodes. This paper concentrates on this idea and presents an algorithm for calculating the shortest path for (i) non-negative weighted undirected graphs and (ii) unweighted undirected graphs. The algorithm completes its execution in O(|E|) for all graphs except the few in which a longer path (in terms of number of edges) from the source to some node makes the best selection for that node. The main advantages of the algorithm are its simplicity and the fact that it does not need complex data structures for implementation. Keywords—Shortest Path, Directed Graphs, Undirected Graphs, Algorithm, Theoretical Computer Science

to O(m log n). The complexity was further improved when Fredman and Tarjan developed the Fibonacci heap [9]. The work in [9] was an optimal implementation of Dijkstra's algorithm in a comparison model, since Dijkstra's algorithm visits the vertices in sorted order. Using the fusion trees of [8], we get an O(m (log n)^(1/2)) randomized bound. Their later atomic heaps give an O(m + n log n / log log n) bound, presented in [7]. Afterwards, the priority queues of [11][12][16] gave an O(m log log n) bound and an O(m + n (log n)^(1/2+ε)) bound. These bounds are randomized, assuming that we want linear space. Later, [14] reduced the bound to O(m + n (log n log log n)^(1/2)), and the next year [15] improved it with a randomized bound of O(m + n (log n)^(1/3+ε)). The priority queue presented in [6] for SSSP gave a running time of O(m + n (log C)^(1/2)), where C is the cost of the heaviest edge. Subsequent work by [13] reduced the complexity to O(m + n (3 log C log log C)^(1/3)) expected time, and [15] presented a further improvement to O(m + n (log C)^(1/4+ε)). [3] presented an algorithm and claimed that it would outclass Dijkstra's algorithm. Contrary to Dijkstra and many others, this algorithm attacks the problem from both ends, source and destination: it searches for the source node 's' starting from the destination node 't', and in parallel searches for the destination node starting from the source node. II. BASIC IDEA

I. INTRODUCTION

The Shortest Path Problem can formally be defined as follows. Let G = (V, E) be a graph, where V = { v1, v2, v3, v4, ..., vn } and E = { e1, e2, e3, e4, ..., em }, so that |V| = n and |E| = m. G is an undirected weighted connected graph with no negative-weight edge, with a pre-specified source vertex 's' and destination vertex 't' such that s ∈ V and t ∈ V. We have to find a simple path from s to t with minimum total edge weight. Theoretical Computer Science (TCS) is one of the most important and hardest areas of Computer Science [17][18][19]. The single-source shortest paths problem (SSSP) is one of the classic problems in the algorithmic graph theory of TCS. Since 1959, all theoretical developments in SSSP for general directed and undirected graphs have been based on Dijkstra's algorithm, which visits the vertices in order of increasing distance from s. As a matter of fact, many real-life problems can be represented as SSSP, and SSSP has been extensively applied in communication, computer systems, transportation networks and many other practical problems [1]. The complexity of Dijkstra's algorithm [10] is O(n^2 + m) if linear search is used to calculate the minimum [2]. A new heap data structure was introduced by [4][5] to calculate the minimum, which reduced the complexity

This algorithm is basically an extension of the work done in [20]. The basic idea can best be described using an analogy of two distinct persons involved in the task of searching for a path between the starting point (point1) and finish point (point2) of a labyrinth. The first person, A, starts from point1 and the second person, B, starts from point2, as illustrated in fig. 1. A explores all possible paths, searching for either B or point2, and in the same way B explores all the paths starting from point2, looking for point1 or A, as illustrated in fig. 2. They meet on their way to their destinations (see fig. 3), and as soon as they meet they exchange and combine their information about the paths they have traversed, from which the complete path, along with its total cost, can easily be constructed.
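For the unweighted case, the two-person analogy corresponds to a bidirectional breadth-first search that advances both fronts level by level and stops at the first meeting point. The following is our illustrative sketch of that idea, not the authors' implementation; all names are our own:

```python
from collections import deque

def bidirectional_bfs(adj, s, t):
    """Shortest s-t path in an unweighted graph, searching from both ends.
    adj maps each node to an iterable of its neighbours."""
    if s == t:
        return [s]
    par_s, par_t = {s: None}, {t: None}   # parent maps double as visited sets
    q_s, q_t = deque([s]), deque([t])

    def path_through(u, v):
        # u was reached by the s-side search, v by the t-side search
        left, right = [], []
        while u is not None:
            left.append(u); u = par_s[u]
        while v is not None:
            right.append(v); v = par_t[v]
        return left[::-1] + right

    def expand(q, par, other, from_s):
        for _ in range(len(q)):           # advance this front by one level
            u = q.popleft()
            for v in adj[u]:
                if v in other:            # the two searches have met
                    return path_through(u, v) if from_s else path_through(v, u)
                if v not in par:
                    par[v] = u
                    q.append(v)
        return None

    while q_s and q_t:                    # alternate the two "persons"
        found = expand(q_s, par_s, par_t, True)
        if found: return found
        found = expand(q_t, par_t, par_s, False)
        if found: return found
    return None                           # s and t are disconnected

maze = {"A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D"],
        "D": ["B", "C", "E"], "E": ["D"]}
print(bidirectional_bfs(maze, "A", "E"))  # e.g. a 4-node path A .. E
```

The weighted scheme of Section III follows the same skeleton, with the cost and parent updates of equations (1)-(4) replacing the plain visited check.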


Figure 1: (step 1) Person A starts from point1 and Person B starts from point2

Figure 2: At the next levels, both A and B are exploring different paths in search of one another

Figure 3: Both A and B meet at some point and, by interchanging information, can make the whole path


III. ALGORITHM

A. Algorithm Input Constraints
This algorithm runs well for all graphs except the few having the following property: Len(Pi(s,w)) > Len(Pj(s,w)) and

RED: the node is explored and traversed. Each YELLOW node is picked, its neighbors are explored, and then it is painted RED. While exploring the neighboring nodes of some node p, the algorithm calculates the cost of each node h being explored (the cost of the path from the NL0 point to h), in order to maintain the best cost so far (CSTh) and the best parent (Πh) yielding that minimum cost. CSTh and Πh are calculated as follows:

old_CSTh = CSTh    (1)
CSTh = min(CSTh, CSTp + e(p,h)), and if CSTh = CSTp + e(p,h) then Πh ← p    (2)

Initially, all nodes except the source and destination are painted GREEN. As soon as a node is explored during the traversal, it is painted YELLOW, and as soon as a node completes its traversal (i.e., all its neighbors have been explored and painted YELLOW), it is painted RED. Until all the YELLOW nodes of one level have been converted to RED, no node of the next level is selected for traversal. As soon as one level is completed, control switches to the other part of the algorithm, which performs the same steps. During these traversals, if some node is found that was marked RED by the other part, the two nodes p and h are stored along with the total cost of the complete path, calculated as:

old_SPCST = SPCST    (3)
SPCST = min(SPCST, CSTh + CSTp + e(p,h))    (4)
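The cost update in (1) and (2) is an ordinary edge relaxation. In code it might look like the sketch below; the names `cost`, `parent` and `w` are our assumptions, standing for CST, Π and the edge weights:

```python
import math

def relax(p, h, w, cost, parent):
    """Apply rules (1)-(2): relax edge (p, h) with weight w[(p, h)].
    cost[x] plays the role of CST_x, parent[x] of Pi_x; a node that has
    never been reached is treated as having infinite cost."""
    old_cost = cost.get(h, math.inf)          # (1) old_CST_h
    if cost[p] + w[(p, h)] < old_cost:        # (2) CST_h = min(CST_h, CST_p + e)
        cost[h] = cost[p] + w[(p, h)]
        parent[h] = p                         # Pi_h <- p
        return True                           # the cost improved
    return False

cost, parent = {"s": 0}, {"s": None}
w = {("s", "b"): 4}
relax("s", "b", w, cost, parent)
print(cost["b"], parent["b"])   # 4 s
```

The numbers match the worked example below, where b is first reached from s at cost 0 + 4 = 4.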

Σ_{i=0}^{k−1} w(x_i, x_{i+1})  <  Σ_{i=0}^{l−1} w(y_i, y_{i+1})    (for Pi and Pj respectively)

where k ≠ l, x_0 = y_0 = s and x_k = y_l = w, and Pi and Pj are paths from s to w such that Pi = { x_0, x_1, x_2, ..., x_k } and Pj = { y_0, y_1, y_2, ..., y_l }

B. Algorithm Definition
This algorithm has three main parts, namely PartA, PartB and PartC. PartA and PartB are identical; each searches for the footmarks of the other. PartA is concerned with the search for the shortest path from the source node s to the destination node t, while PartB, targeting s, starts its search from t. Both perform similar actions, running in pseudo-parallel fashion and exploring the nodes of the graph level by level. First of all, the data structures are initialized as:

∀u ∈ V(G) \ {s, t}:  [ Πu ← NIL,  CSTu ← ∞,  CLRu ← GREEN,  DSTu ← −1 ]
If SPCST = CSTh + CSTp + e(p,h), then SP ← (p, h). In this way all possible meeting points are covered and their costs are stored. The algorithm continues as long as there is any YELLOW node in the graph. When all nodes are colored RED, PartA and PartB stop and PartC is invoked. PartC, using a simple linear search over the stored costs, finds the minimum-cost path among the stored node pairs.

C. Working Example of the Algorithm
NOTE: For this example the color scheme is changed to WHITE, GRAY and BLACK for better display. The algorithm starts with PartA (i.e., from source s), marking the cost of the node as 0 and painting it GRAY, as shown in fig. 4. On the other end, PartB starts in parallel from t, marking its cost as 0 and painting it GRAY, as shown in fig. 4.
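The bookkeeping of rules (3) and (4), performed whenever one part touches a node already finished (RED) by the other part, can be sketched as follows. The dictionary names and the particular costs are illustrative assumptions; the total 3 + 6 + 9 = 18 echoes the first stored pair in the worked example:

```python
import math

def record_collision(p, h, w, cost, best):
    """Apply rules (3)-(4): when edge (p, h) joins the two search fronts,
    keep the cheapest complete s-t cost seen so far.
    best holds SPCST and the meeting edge SP."""
    candidate = cost[h] + cost[p] + w[(p, h)]   # CST_h + CST_p + e(p,h)
    if candidate < best["SPCST"]:               # (4) SPCST = min(SPCST, ...)
        best["SPCST"] = candidate
        best["SP"] = (p, h)                     # remember the meeting edge
    return best

best = {"SPCST": math.inf, "SP": None}
cost = {"e": 6, "i": 3}                          # costs from the two sides
w = {("i", "e"): 9}
record_collision("i", "e", w, cost, best)
print(best)   # SPCST becomes 3 + 6 + 9 = 18, SP is ('i', 'e')
```

PartC's final linear scan then reduces to reading off `best`, since the minimum is maintained incrementally as each collision is recorded.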

s and t are initialized with NIL, 0, GRAY, 0 respectively. Each part, PartA and PartB, starts its investigation from its respective starting node (s for PartA, t for PartB) and explores all its neighboring nodes. Let us say s and t are level-0 nodes (NL0); all nodes explored from these nodes are level-1 nodes (NL1), all nodes explored from a level-1 node are level-2 nodes (NL2), and so forth. Other than the NL0 nodes, every node has to calculate and keep track of the best cost (CSTx) along with the parent node (Πx) yielding that best cost. The status of each node is tracked by coloring it with specific colors (CLR). Details are as below:
GREEN: the node is neither explored nor traversed; the algorithm has not yet come across this node.
YELLOW: the node has been explored by some node. It can still be explored by other node(s).

Figure 4: Starting PartA and PartB from s and t respectively

Continuing from NL0, the algorithm starts its investigation from p = 's', exploring all its neighbors one by one, randomly. Assume h = 'b' is picked; its cost and parent are adjusted using (1) and (2) (its cost is 4, i.e. 0 + 4, shown in red), 's' is marked as its parent (shown as a green line), and it is marked explored by painting it GRAY. Then the next neighbor is chosen and the whole process is repeated, and then the next neighbor is picked. This continues until all the neighbors are painted GRAY. Upon completion of the exploration process, p is painted BLACK (see fig. 5).

On the other end, PartB starts its processing from NL0 and picks p = 't' for traversal. All its neighbors are explored, one by one, randomly. Supposing h = 'n' is picked, its cost and parent are adjusted using (1) and (2) (its cost is 1, shown in red). t is marked as the parent of n (shown with a blue line), and its status is changed to explored by painting it GRAY. Then the next neighbor is chosen and the whole process continues until all the neighbors are painted GRAY. Upon completion of the traversal process, p is painted BLACK (see fig. 5).

Now the NL1 nodes (a and b) are investigated one by one: their neighbors are checked, costs and parents are marked and/or adjusted (using (1) and (2)), and the neighbors are painted GRAY. All NL1 nodes are painted BLACK one by one (see fig. 6). The same process is repeated in PartB on its NL1 nodes (m and n) (see fig. 6).

PartA then repeats the same steps on the NL2 nodes (c, d, e and f) (see fig. 7). PartB does the same on its NL2 nodes (i, j, k and l); the notable point here is that node i explores e and f and finds them already traversed

Figure 5: Traversing level-0 nodes from both sides

Figure 6: Traversing level-1 nodes from both sides

Figure 7: Investigating nodes (c, d, e, f) (only the processing of PartA is shown)

Figure 9: Collision of the two parts of the algorithm making the SP

(painted BLACK) by the other part (i.e., PartA). So the algorithm stores 'i' and 'e' along with the cost 3 + 6 + 9 (using (3) and (4)), and then stores 'i' and 'f' with the cost 6 + 4 + 9 (using (3) and (4)). This path is marked with a yellow line. These steps are shown in fig. 8. PartA then starts exploring the NL3 nodes (g and h) that are

GRAY, performing the same steps PartB did in the previous step (see fig. 8). Here three new paths are explored and stored along with their costs. PartB has no GRAY nodes left to continue its traversal, so it terminates. As all the nodes in the graph are now BLACK, PartA and PartB terminate.
Figure 8: Traversing i, j, k, l

Figure 10: Linear search in the calculated paths results in the SP


PartC is then invoked and calculates the minimum of all the costs calculated so far, determining the shortest path (see fig. 10); in the pseudo-code below it is embedded in the PartA and PartB calculations.

D. Pseudo Code
In this pseudo-code we use four subroutines: Shortest_Path_Algorithm, Initialize, PartA_B_C and Print_Path. Shortest_Path_Algorithm is the main subroutine that invokes the other subroutines. Initialize performs all the initializations required for the execution of the algorithm. PartA_B_C is invoked twice with different queues, making it PartA and PartB; PartC is embedded at the end of PartA_B_C. Finally, Print_Path is invoked to print the shortest path.
1) Legend used in the algorithm:
CLR: Color; can be one of three: GREEN (no processing has yet started on this node), YELLOW (processing has started on this node) and RED (processing on the node has completed)
CLRv: Color of v
CLRu: Color of u
CSTv: Cost of v (i.e., minimum cost from the source to v)
DSTv: Number of edges in the path from the source s to the current node v
REDo: RED painted by the other part of the algorithm (e.g., if PartA is currently executing, a node painted RED by PartB)
REDt: RED painted by this part of the algorithm (e.g., if PartA is currently executing, a node painted RED by PartA)
YELLOW_: the node is marked YELLOW and has been inserted in the next queue; it should not be processed from the current queue
Qs: Queue used by PartA
Qt: Queue used by PartB
SPCST: Shortest path cost
SP: Shortest path
Shortest_Path_Algorithm()
(1) Initialize()
(2) while (Qs ≠ ∅ AND Qt ≠ ∅)
(3) do
(4)     PartA_B_C(Qs)
(5)     PartA_B_C(Qt)
(6) Print_Path(SP)
---------------------------------------
Initialize()
(1) for each v ∈ V
(2) do
(3)     CLRv ← GREEN
(4)     Πv ← ∅
(5)     CSTv ← ∞
(6)     DSTv ← ∞
(7) CLRs ← YELLOW
(8) CLRt ← YELLOW
(9) EnQueue(Qs, s)
(10) EnQueue(Qt, t)
---------------------------------------
PartA_B_C(Q)
(1) Qtmp ← ∅
(2) while Q ≠ ∅
(3) do u ← DeQueue(Q)
(4)     if CLRu ≠ YELLOW_
(5)     then for each v ∈ Adj[u]
(6)         do if CLRv = GREEN
(7)             then CLRv ← YELLOW
(8)                 EnQueue(Qtmp, v)
(9)                 Πv ← u
(10)                CSTv ← CSTu + e(u,v)
(11)                DSTv ← DSTu + 1
(12)            else if CLRv = YELLOW
(13)                then if CSTv > CSTu + e(u,v)
(14)                    then if DSTv = DSTu and CLRv ≠ YELLOW_
(15)                        then EnQueue(Qtmp, v)
(16)                            CLRv ← YELLOW_
(17)                        Πv ← u
(18)                        CSTv ← CSTu + e(u,v)
(19)                        DSTv ← DSTu + 1
(20)            else if CLRv = REDt
(21)                then if CSTv > CSTu + e(u,v)
(22)                    then print "wrong graph"
(23)                        Terminate Algorithm
(24)            else if CLRv = REDo
(25)                then
(26)                    Πv ← u
(27)                    if CSTu + CSTv + e(u,v) < SPCST
(28)                    then
(29)                        SP ← (u, v)
(30)                        SPCST ← CSTu + CSTv + e(u,v)
---------------------------------------
Print_Path(SP)
(1) PTH[1 to DSTv + DSTu + 1]
(2) i ← DSTu
(3) PTH[i] ← u
(4) p ← Πu
(5) while p ≠ NULL
(6) do
(7)     i ← i − 1
(8)     PTH[i] ← p
(9)     p ← Πp
(10) i ← DSTu + 1
(11) PTH[i] ← v
(12) p ← Πv
(13) while p ≠ NULL
(14) do
(15)    i ← i + 1
(16)    PTH[i] ← p
(17)    p ← Πp
(18) for i ← 1 to DSTv + DSTu + 1
(19) do
(20)    print PTH[i], ","


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal on Computer Science and Information Security, Vol. 6, No. 1, 2009

E. Complexity
This example shows that the algorithm successfully completes its execution for the targeted graphs. The algorithm starts with two parts, both traversing and covering neighbors along edges, and a part never re-covers a node it has already covered. Both parts move at the same pace (i.e. covering nodes level by level), so on average each part covers about the same number of nodes. In this way each part covers E/2 edges, for a total of E. Embedded in PartA and PartB, PartC calculates the shortest path using linear search. Since there cannot be more than E candidate paths (in the worst case), the linear search takes at most E time to find the minimum-cost path. The total complexity is therefore E + E = 2E, which is O(E). The main advantage, and the beauty, of this algorithm is that it is very simple, easy to learn and easy to implement, and it requires no complex data structures. It can therefore be applied to problems like vehicle routing, where road maps always grow in a hierarchical fashion and a longer path only very rarely yields a smaller cost.

IV. SAME ALGORITHM FOR DIFFERENT TYPES OF GRAPHS
Applied to weighted directed graphs, the algorithm produces a quick result, as it solves the given problem from two ends (i.e. source and destination). Only a minor modification is required to calculate the shortest path for unweighted directed/undirected graphs of all types, without any bound or condition: terminate the algorithm as soon as one investigating node checks a node that has been colored RED by the other part of the algorithm, in other words, as soon as the two parts collide for the first time. The algorithm is then terminated, and combining the paths of the two meeting nodes gives the shortest path. Though this algorithm also works in O(E) in the worst case, which is likewise the complexity of BFS, results showed that it concludes quite efficiently and calculates the path in less time.

V. CONCLUSION
This algorithm is very efficient and robust for the targeted graphs due to its simplicity, and its constant factor is quite small. For all kinds of unweighted graphs the algorithm showed promising results. Though it does not improve the asymptotic time complexity, in terms of the number of processing steps its results were, most of the time, much better than Breadth First Search. For non-negative weighted undirected graphs (with few exceptions) it is a very fast and efficiently convergent algorithm for the targeted graphs.

REFERENCES
[1] Binwu Zhang, Jianzhong Zhang, Liqun Qi: The shortest path improvement problems under Hamming distance. Springer Science+Business Media, LLC 2006 (published online: 20 September 2006).
[2] Mikkel Thorup: Undirected single-source shortest paths with positive integer weights in linear time. AT&T Labs Research, Florham Park, New Jersey. J. ACM 46(3), 362–394 (May 1999).
[3] Seth Pettie, Vijaya Ramachandran, Srinath Sridhar: Experimental evaluation of a new shortest path algorithm (extended abstract). In D. Mount and C. Stein (eds.): ALENEX 2002, LNCS 2409, pp. 126–142. Springer-Verlag, Berlin Heidelberg (2002).
[4] Williams, J. W. J.: Heapsort. Commun. ACM 7(6), 347–348 (1964).
[5] John Hershberger, Subhash Suri, Amit Bhosle: On the difficulty of some shortest path problems. ACM Transactions on Algorithms 3(1), Article 5 (2007).
[6] Ahuja, R. K., Mehlhorn, K., Orlin, J. B., Tarjan, R. E.: Faster algorithms for the shortest path problem. J. ACM 37, 213–223 (1990).
[7] Fredman, M. L., Willard, D. E.: Trans-dichotomous algorithms for minimum spanning trees and shortest paths. J. Comput. Syst. Sci. 48, 533–551 (1994).
[8] Fredman, M. L., Willard, D. E.: Surpassing the information theoretic bound with fusion trees. J. Comput. Syst. Sci. 47, 424–436 (1993).
[9] Fredman, M. L., Tarjan, R. E.: Fibonacci heaps and their uses in improved network optimization algorithms. J. ACM 34(3), 596–615 (July 1987).
[10] Dijkstra, E. W.: A note on two problems in connexion with graphs. Numer. Math. 1, 269–271 (1959).
[11] Thorup, M.: On RAM priority queues. In Proceedings of the 7th Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 59–67. ACM, New York (1996).
[12] Thorup, M.: Floats, integers, and single source shortest paths. In Proceedings of the 15th Symposium on Theoretical Aspects of Computer Science, LNCS 1373, pp. 14–24. Springer-Verlag, New York (1998).
[13] Cherkassky, B. V., Goldberg, A. V., Silverstein, C.: Buckets, heaps, lists, and monotone priority queues. In Proceedings of the 8th Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 83–92. ACM, New York (1997).
[14] Raman, R.: Priority queues: small, monotone, and trans-dichotomous. In Proceedings of the 4th Annual European Symposium on Algorithms, LNCS 1136, pp. 121–137. Springer-Verlag, New York (1996).
[15] Raman, R.: Recent results on the single-source shortest paths problem. SIGACT News 28, 81–87 (1997).
[16] Andersson, A., Miltersen, P. B., Thorup, M.: Fusion trees can be implemented with AC0 instructions only. Theoret. Comput. Sci. 215, 337–344 (1999).
[17] Muhammad Aasim Qureshi, Onaiza Maqbool: Complexity of teaching: computability and complexity. In International Conference on Teaching and Learning 2007, organized by INTI International University College at Putrajaya, Malaysia (2007).
[18] Muhammad Aasim Qureshi, Onaiza Maqbool: Complexity of teaching: computability and complexity. INTI Journal, Special Issue on Teaching and Learning 2007.
[19] Muhammad Aasim Qureshi, Mohd Fadzil Hassan, Sohail Safdar, Rehan Akbar: Raison d'être of students' plimmet in comprehending Theoretical Computer Science (TCS) courses. International Journal on Computer Science and Information Security 6(1) (2009, in press).
[20] Muhammad Aasim Qureshi, Mohd Fadzil Hassan, Sohail Safdar, Rehan Akbar, Rabia Sammi: An edge-wise linear shortest path algorithm for non-negative weighted undirected graphs. Frontiers of Information Technology, December 2009 (in press).




Biologically Inspired Execution Framework for Vulnerable Workflow Systems
Sohail Safdar, Mohd. Fadzil B. Hassan, Muhammad Aasim Qureshi, Rehan Akbar
Department of Computer & Information Sciences, Universiti Teknologi PETRONAS, Malaysia .
Abstract—The main objective of this research is to introduce a biologically inspired execution framework for workflow systems that are under threat due to an intrusion attack. Usually, vulnerable systems need to be stopped and put into a wait state while being recovered, to ensure data security and privacy. This research ensures the availability of services and data to the end user while keeping data security, privacy and integrity intact. To achieve these goals, the behavior of chameleons and the concept of hibernation are considered in combination. Workflow systems thus become more robust through biologically inspired methods and remain safely available to business consumers even in a vulnerable state.
Keywords—IDS (Intrusion Detection System), WFMS (Workflow Management Systems), Chameleon, Hibernation.

I. INTRODUCTION
Nowadays, as the world moves towards economic growth, achieving business goals is of prime importance. The major requirement for achieving business goals is reliable business processes that provide customers with a great deal of satisfaction in terms of quality of service. Customized software is in common use to provide solutions for different business processes, to increase performance and to deliver quick, timely, concrete trade results. In computing terms, these business processes are known as business workflow processes, or business workflows. Workflow Management Systems (WFMS) are systems used to automate, manage, monitor and control the execution of workflow processes. A workflow process is a business process of an enterprise; it contains the set of workflow activities that must be completed in a specified sequence to finish the process, where each workflow activity is a single instruction or a set of instructions to be executed. Workflows are currently a very active area of research. Various efforts have been made to optimize business processes and to improve quality of service. Improving coordination among cooperating workflows, process synchronization, robustness of operational workflows, workflow representation techniques and secure workflows are all areas in which a lot of research is going on.

The major concern of any business is to secure all its data and hence to keep both customers' and the company's privacy intact. Customer satisfaction, in terms of receiving good-quality services on time together with the guarantee of protected and secured transactions, is of prime importance. Various mechanisms have therefore been provided over the years to secure workflow transactions using workflow transaction management and IDS (Intrusion Detection Systems). The current research is motivated by the efforts that have been made to provide secure workflow systems and by the problems associated with those systems. Currently, WFMS rely merely on an IDS for intrusion detection. Once an intrusion is detected, the whole system is put into a wait state and the running process is undone and redone to recover the faulty parts. This practice may cost customer satisfaction, as customers always want timely and accurate results with full protection. So when the system is in a vulnerable state, the following questions arise: How will data be secured and its privacy maintained when an intrusion is found? How can the current and the remaining activities safely continue their execution? How will the workflow engine execute the workflow process in a robust fashion and ensure the secure availability of the system, along with the integrity of data, to all customers? These questions summarize the problem associated with workflow systems that are in a vulnerable state due to an intrusion detected during their execution. The problem is to avoid the system entering a wait state whenever an intrusion is detected. The current research deals with all the concerns associated with this problem to provide the best possible solution. Specifically, the problem statement for the research is: in the case of an intrusion threat, the system goes into an unsafe state.
The workflow management system should ensure the timely availability of services while keeping data integrity intact, and continue the workflow process robustly to provide satisfactory results to the end user/customer. The main objective of this research is to design a framework that provides data and service availability at all times, keeping data security and privacy intact, when




the intrusion strikes and the system goes into an unsafe state. The proposed framework utilizes biologically inspired mechanisms to provide data protection, security and privacy. The following section explains the background literature related to the proposed research area, followed by an overview of the proposed research. The details of the related concepts and the proposed framework are explained in the proposed methodology.

II. BACKGROUND

WFMS is a very active area of research. Various efforts have been made in the areas of workflow representation, adaptive workflows, workflow performance and management issues, workflow security and self-healing in workflows. The current research relates to the areas of security and workflow system recovery. Existing work involves different approaches for intrusion detection and subsequent system recovery. The Multi-Version Objects approach [1] replaces dirty objects with clean versions to recover the system, with the whole system maintaining more than one version of each object. Whenever an intrusion infects a data object, the system is stopped and then recovered to the previous state with the help of these clean object versions. Graph theory from theoretical computer science is also referred to when recovery procedures are applied [18], [19], [20]. The trace-back recovery mechanism [2] is based on the Flow-Back Recovery Model [16], which uses traces of the flow of execution to recover the workflow system. Another approach utilizes the workflow specification to detect intrusions with the help of an independent Intrusion Detection System. It proposes an "Attack Tree Model" [3] to describe the major goal of the attack and then split it into sub-goals. That work focuses on providing system recovery through dynamic regeneration of the workflow specification. An undo-and-redo mechanism is used to recover and bring the system to a consistent state. This approach deals with the exceptions raised by intrusions and regenerates the workflow specification dynamically so that the workflow can execute successfully. An architecture consisting of a BPEL (Business Process Execution Language) engine and a Prolog engine for intelligence is utilized to regenerate the workflow dynamically [3].
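The attack-tree idea decomposes an attacker's major goal into sub-goals. As a rough illustration only (this is our own minimal AND/OR-node sketch, not the notation of [3]), such a tree can be modeled and evaluated against a set of events the IDS has observed:

```python
class Goal:
    """A node in a toy attack tree: a LEAF is a concrete attacker action;
    AND/OR nodes combine the achievement of their children."""

    def __init__(self, name, kind="LEAF", children=()):
        self.name, self.kind, self.children = name, kind, tuple(children)

    def achieved(self, observed):
        # `observed` is the set of leaf actions the IDS has detected
        if self.kind == "LEAF":
            return self.name in observed
        hits = (c.achieved(observed) for c in self.children)
        return all(hits) if self.kind == "AND" else any(hits)
```

For example, a root goal "corrupt workflow" with OR-children "steal credentials" and "inject transaction" is achieved as soon as either leaf action is observed.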
Another architecture, MANET [4], provides the additional features of mobile services, a workflow modeler and a policy decision point to regenerate the workflow specification more effectively [4]. Vulnerabilities are also detected through a workflow layer placed on top of a system; a non-intrusive approach based on this architecture has been proposed for survivability in the cyber environment [5]. Overall security follows the model [6] in which a threat agent causes threats, threats expose vulnerabilities, and a vulnerability causes risks that can be reduced by a safeguard protecting an asset [6]. There are different approaches for ensuring security on the web, such as the Do-It-All-Up-Front approach, All-or-Nothing, Threat Modeling and the Big Bang approach, each with its own pros and cons [7]. Ammann et al. [11] deal with transactions made by malicious users and recover the system by cleaning the data items infected by those transactions, undoing all of them. Panda et al. [17] provide a number of algorithms to recover the system based on dependency information that is stored separately. Eder and Liebhart [14] also study potential failures in workflows and their possible recovery mechanisms. Problems associated with recovery and rollback in distributed environments have also been handled [15]. Further work

relates to concurrency control in databases and its transactions [12], [13]. It must be noted that whenever an intrusion strikes a workflow system and is detected, the system must be stopped immediately to avoid any data infection and maintain integrity. All the recovery methods therefore need a mechanism to undo all the faulty parts, which requires the system to wait and then start the process again to redo the work once the system is back in a safe state. But making the system wait for recovery, and redoing the same processing again, alienates the customer from the system. Hence, ensuring the availability of the system even in the unsafe state is very much required, and this has not yet been addressed by anyone.

III. OVERVIEW OF THE PROPOSED RESEARCH

A. Problem Statement
Businesses require 100% availability of their workflow systems, so that services are provided to customers securely and customers are fully satisfied with them. When an intrusion is detected, the system needs to be stopped so that it can be recovered from the possible threat, and the availability of services at that time may not be possible. Hence, whenever a system goes into an unsafe state due to an intrusion, the workflow management system should provide:
• Security and privacy of data.
• Timely availability of correct data to ensure the completion of the desired transaction.
• Robust completion of the workflow process to provide satisfactory services to the end user/customer.
B. Objectives
The main objective of the research is to design an alternative execution framework for workflows in a vulnerable state such that it:
• Provides robust execution of the entire workflow process.
• Ensures data security and privacy.
• Makes correct data available to customers in time.
C. Concerns
Certain concerns are associated with the methodology for achieving these objectives. How can data be secured and its privacy maintained when an intrusion is found? How can the remaining activities continue their execution? The answer to the first concern lies in the concept of chameleon characteristics: they can be applied to the database portion used by the specific ongoing activity so that it can carry on. The answer to the second concern is that the concept of data hibernation can be applied. The following section provides definitions of the concepts of chameleon data sources and data hibernation.



D. Definitions
The following are definitions of the key concepts used in this paper.
1) Chameleon Data Sources: The term is taken from the chameleon's characteristic of changing color, and is defined as changing data values into unreadable data when the data source is found to be under threat. The concept is shown in Figure 1 and Figure 2.
2) Data Hibernation: The term is derived from the concept of hibernation, in which animals sleep for a certain period of time under the soil, and is defined as shifting data from its original data source to multiple dimensions when there is a threat to its integrity, and returning it to the original source when the threat is removed. The concept is shown in Figure 3 and Figure 4.

Figure 4. Behavior of Data Hibernation

IV. PROPOSED METHODOLOGY

The proposed methodology is the baseline for the desired framework, which enables the execution of vulnerable workflows so that services and data remain available. The methodology includes designing a mechanism that provides and ensures data security, integrity and privacy in operational workflows. A mechanism is also required to make data available to the customer, retaining its integrity, while the system is in an unsafe state. These two mechanisms lead to the proposed framework for the execution of the vulnerable workflow system. The methodology is explained as follows.
A. Explanation
1) Designing a mechanism to provide and ensure data security and privacy in operational workflows: This mechanism is biologically inspired by color-changing behavior, such as that of the chameleon, and by the hibernation mechanism in wildlife. There are two milestones to achieve: handling the ongoing activity, and handling the upcoming activities. Handling the ongoing activity while the system is declared unsafe due to an intrusion requires an implementation of the Chameleon Data Sources concept, as follows:
a) Role of Chameleon Data Sources: The concept is drawn from the natural phenomenon by which anoles and chameleons change color in the face of a threat, providing them with appropriate camouflage. Taking inspiration from this and applying it to the portion of the data source being used by the ongoing activity camouflages the data, securing it from the intrusion threat and keeping its privacy and integrity intact. Applying the concept requires that the data in the database be changed dynamically from a meaningful state into a meaningless state using encryption rules. This is not merely encryption of data: it is the dynamic application of encryption to data sets whenever the data's privacy appears to be in danger.
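The chameleon behavior described above can be sketched as follows. This is a minimal illustration under our own assumptions (class and function names are hypothetical, and the XOR keystream stands in for a real cipher; a production system would use an authenticated scheme such as AES-GCM or database-level encryption [9], [10]):

```python
import hashlib

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Deterministic keystream derived block by block (illustrative only).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class ChameleonTable:
    """Toy model of a chameleon data source: row values flip between a
    readable state and an unreadable, read-only (camouflaged) state."""

    def __init__(self, rows):
        self.rows = {k: v.encode() for k, v in rows.items()}
        self.camouflaged = False

    def camouflage(self, key: bytes):
        # Intrusion detected: encrypt every value in place; writes are
        # assumed to be locked while in this state.
        for k, v in self.rows.items():
            self.rows[k] = _xor(v, _keystream(key, k.encode(), len(v)))
        self.camouflaged = True

    def reveal(self, key: bytes):
        # Threat rectified: XOR with the same keystream restores plaintext.
        self.camouflage(key)
        self.camouflaged = False

    def read(self, k, key: bytes = None):
        # The ongoing activity holds the key and still sees meaningful data;
        # every other reader sees only the camouflaged bytes.
        v = self.rows[k]
        if self.camouflaged and key is not None:
            v = _xor(v, _keystream(key, k.encode(), len(v)))
        return v.decode(errors="replace")
```

The point mirrored here is that camouflage is applied dynamically, at the moment of threat, rather than as an always-on encryption layer.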
Figure 1. Chameleon and its Characteristics
Figure 2. Chameleon Data Source Behavior
Figure 3. Behavior of Animal Hibernation




Simultaneously, the data associated with the upcoming activities must also be handled, which can be done by applying the data hibernation concept, as follows:
b) Role of Data Hibernation: This concept likewise arises from the behavior of animals that reside under the soil for a specific time. During the modeling phase, the chunks of the larger database need to be divided and modeled correctly, so that they can easily be integrated with the larger database when portions of unsafe data are moved into the small dimensions and shifted back once the system returns to a safe state. The portion of the database schema whose data is to hibernate should be restructured using dimensional modeling. Each dimension of the database is one that is referred to during the execution of a specific workflow activity, i.e. the dimension is defined with respect to the context of a workflow activity. Each dimension is a normalized dimension, unlike the dimensions in a data warehousing context. The data is then transformed into that dimension using ETL and must be accessed from there until the system regains its safe state.
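The hibernate/wake cycle can be sketched as a small in-memory model. This is only an illustrative simplification of the idea (the class and method names are ours, and a real system would do this with ETL jobs against actual dimension tables):

```python
class HibernationManager:
    """Toy sketch: rows move from the main store into per-activity
    dimensions while the system is unsafe, and merge back afterwards."""

    def __init__(self):
        self.main = {}        # main operational store: table -> {key: row}
        self.dimensions = {}  # dimension name -> {key: row}

    def hibernate(self, table, dimension_of):
        # Shift each row into the dimension chosen for it by the
        # activity-context function `dimension_of` (the "ETL" step).
        for key, row in list(self.main.get(table, {}).items()):
            self.dimensions.setdefault(dimension_of(key, row), {})[key] = row
            del self.main[table][key]

    def lookup(self, table, key, dimension):
        # While hibernated, an activity reads only from its own dimension.
        return self.dimensions.get(dimension, {}).get(key)

    def wake(self, table):
        # Threat rectified: merge every dimension back into the main store.
        for rows in self.dimensions.values():
            self.main.setdefault(table, {}).update(rows)
        self.dimensions.clear()
```

The `dimension_of` callback stands in for the workflow-activity context that determines which dimension a row belongs to.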

2) Designing a mechanism to make data available in its correct form to the customer even while the system is in an unsafe state: Dealing with the ongoing activity requires continuing to refer to the same portion of the database on which the current transaction is based. Applying dynamic encryption to that portion of the database, giving it a chameleon nature, helps solve the problem in this scenario. Not only does the data become meaningless to all external sources, it also remains usable by the alternative commands that are able to decrypt it. The point of consideration here is to make that portion of the database read-only, so that the encrypted data cannot be overwritten with dirty data by the intrusion activity and rendered useless. The changes made by the ongoing activity are therefore stored using caching. Once the data has completed its required transformation, it is written into the relevant hibernated dimension. All upcoming activities refer to the hibernated data in the respective dimensions.

V. PROPOSED FRAMEWORK FOR ROBUST EXECUTION OF VULNERABLE WORKFLOWS
The following is the proposed algorithm for robust execution of vulnerable workflows, providing data and service availability to customers in a non-discrete fashion.
1. An intrusion attack on a workflow process is detected using some IDS.
2. The workflow server signals a flag to the workflow engine.
3. On receiving the flag, the workflow engine interrupts the resource manager.
4. The resource manager forces the active data source to change its state, and hibernates the data in all of the dimensions except that of the currently active data.
5. The current workflow activity accesses the data using an encryption and decryption mechanism, while the upcoming workflow activities in the running system access the data from the hibernated data source.
6. Using these two key phenomena, the workflow transaction does not stop; even in the unsafe state, the whole system keeps operating robustly in a secure, available and manageable fashion.
A. Explanation
The working described above takes place while the workflow system follows an alternative path due to the intrusion threat, and is carried on until the system is fully recovered from the threat, as shown in Figure 5 and Figure 6. In Figure 5, when the data in the main database is encrypted, the data simultaneously becomes read-only, so that any attempt to spoil the data by writing garbage onto it is also controlled. After the currently active task finishes its execution, the transformed results in memory and the existing data inside the encrypted database portion are written into the respective dimension. The other dimensions can be populated as a background process during the execution of the current task. When the system is recovered from the possible threat, or the threat is rectified, the data in the dimensions is transferred back to its appropriate locations in the original database. This whole phenomenon can be seen in Figure 6.

Figure 5. Workflow System state when intrusion strikes
Figure 6. Workflow System state when intrusion is rectified
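The six-step signal chain (IDS alarm, server flag, engine interrupt, resource-manager action) can be sketched as a chain of collaborating objects. This is a structural illustration only; all class and method names are hypothetical, not the authors' implementation:

```python
class DataSource:
    """Stand-in for the data layer: an active partition plus dimensions."""
    def __init__(self):
        self.state = "NORMAL"      # active partition: NORMAL or CHAMELEON
        self.hibernated = False    # whether the other dimensions moved out

    def camouflage_active(self):   # step 4a: encrypt the active partition
        self.state = "CHAMELEON"

    def hibernate_rest(self):      # step 4b: shift the remaining data away
        self.hibernated = True

class ResourceManager:
    def __init__(self, source):
        self.source = source

    def interrupt(self):           # step 4: change state and hibernate
        self.source.camouflage_active()
        self.source.hibernate_rest()

class WorkflowEngine:
    def __init__(self, rm):
        self.rm = rm

    def on_flag(self):             # step 3: engine interrupts the manager
        self.rm.interrupt()

class WorkflowServer:
    def __init__(self, engine):
        self.engine = engine

    def on_intrusion(self):        # steps 1-2: IDS alarm raises the flag
        self.engine.on_flag()
```

Steps 5 and 6 then correspond to the activities reading either through the decryption path (active partition) or from the hibernated dimensions.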



Figure 7: Overall view of the execution of a vulnerable workflow in a secured fashion using the proposed framework

Figure 7 shows the overall view of the workflow process executing robustly under the proposed framework guidelines, providing the availability of services and data to customers.

B. Strengths & Weaknesses of the Proposed Framework
The framework gives the workflow great strength to continue its execution robustly and securely by making data and services available to customers. Due to this robustness and security, end users and customers rely on the system with more confidence. On the other hand, the proposed framework targets centralized data sources; it does not address the issues related to distributed data sources, which must be taken care of in future work.

CONCLUSION
This research contributes to resolving the issue of service unavailability to end users and business customers in the case of intrusion intervention in a workflow system. The services are not only available, but available in a secure fashion that keeps the privacy and integrity of the data intact. Moreover, the research is a pioneering step in the area of keeping a system working even in the unsafe state, so as to provide maximum satisfaction to the customer. Such a framework enables enterprises to run their own customized solutions based on the provided guidelines. The work also focuses on enabling the workflow process to provide its own security. The framework targets a centralized data source; it may, however, be extended in future to cater for distributed data sources and services.

REFERENCES
[1] Meng Yu, Peng Liu, Wanyu Zang, "Multi-Version Attack Recovery for Workflow Systems", Proceedings of the 19th Annual Computer Security Applications Conference, ACSAC 2003, IEEE.
[2] Meng Yu, Peng Liu, Wanyu Zang, "Self-Healing Workflow Systems under Attacks", Proceedings of the 24th International Conference on Distributed Computing Systems, ICDCS 2004, IEEE.
[3] Casey K. Fung, Patrick C. K. Hung, "System Recovery through Dynamic Regeneration of Workflow Specification", Proceedings of the Eighth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, ISORC 2005, IEEE.
[4] Casey K. Fung, Patrick C. K. Hung, William M. Kearns, Stephen A. Uczekaj, "Dynamic Regeneration of Workflow Specification with Access Control Requirements in MANET", IEEE International Conference on Web Services, ICWS 2006, IEEE.
[5] Kun Xiao, Nianen Chen, Shangping Ren, Kevin Kwiat, Michael Macalik, "A Workflow-based Non-intrusive Approach for Enhancing the Survivability of Critical Infrastructures in Cyber Environment", Third International Workshop on Software Engineering for Secure Systems, SESS 2007, IEEE.
[6] Gernot Goluch, Andreas Ekelhart, Stefan Fenz, Stefan Jakoubi, Simon Tjoa, Thomas Mück, "Integration of an Ontological Information Security Concept in Risk-Aware Business Process Management", Proceedings of the 41st Hawaii International Conference on System Sciences, 2008, IEEE.
[7] "Web Application Security Engineering", IEEE Security Magazine, published by the IEEE Computer Society, 2006, pp. 16–24.
[8] Margie Virdell, "Business processes and workflow in the Web services world", 2003, http://www.ibm.com/developerworks/webservices/library/wswork.html (referred to in March 2009).
[9] Scott Mitchell, "Encrypting Sensitive Data in a Database", MSDN Spotlight, 2005.
[10] Sung Hsueh, "Database Encryption in SQL Server 2008 Enterprise Edition", SQL Server Technical Article, 2008.
[11] Paul Ammann, Sushil Jajodia, Peng Liu, "Recovery from malicious transactions", IEEE Transactions on Knowledge and Data Engineering, 2002, 14:1167–1185.
[12] P. A. Bernstein, V. Hadzilacos, N. Goodman, "Concurrency Control and Recovery in Database Systems", Addison-Wesley, Reading, MA, 1987.
[13] P. Chrysanthis, "ACTA: A framework for modeling and reasoning about extended transactions", PhD thesis, University of Massachusetts, Amherst, Massachusetts, 1991.
[14] J. Eder, W. Liebhart, "Workflow Recovery", in Proceedings of the Conference on Cooperative Information Systems, 1996, pp. 124–134.
[15] M. M. Gore, R. K. Ghosh, "Recovery in Distributed Extended Long-lived Transaction Models", in Proceedings of the 6th International Conference on Database Systems for Advanced Applications, 1998, pp. 313–320.
[16] B. Kiepuszewski, R. Muhlberger, M. Orlowska, "FlowBack: Providing backward recovery for workflow systems", in Proceedings of the ACM SIGMOD International Conference on Management of Data, 1998, pp. 555–557.
[17] C. Lala, B. Panda, "Evaluating damage from cyber attacks", IEEE Transactions on Systems, Man and Cybernetics, 2001, 31(4):300–3.
[18] Muhammad Aasim Qureshi, Mohd Fadzil Hassan, Sohail Safdar, Rehan Akbar, "Raison D'Être of Students' Plimmet in Comprehending Theoretical Computer Science (TCS) Courses", International Journal on Computer Science and Information Security, Vol. 6, No. 1, October 2009.
[19] Muhammad Aasim Qureshi, Mohd Fadzil Hassan, Sohail Safdar, Rehan Akbar, Rabia Sammi, "An Edge-wise Linear Shortest Path Algorithm for Non-Negative Weighted Undirected Graphs", Frontiers of Information Technology, December 2009.
[20] Muhammad Aasim Qureshi, Mohd Fadzil Hassan, Sohail Safdar, Rehan Akbar, "A O(|E|) time Shortest Path Algorithm for Non-Negative Weighted Undirected Graphs", International Journal on Computer Science and Information Security, Vol. 6, No. 1, October 2009.



RCFT: Re-Clustering Formation Technique in Hierarchical Sensor Network
BoSeung Kim, Joohyun Lee, Youngtae Shin
Computing Department, Soongsil University, Seoul, South Korea
Abstract—Because of the limited energy of its nodes, an important issue for a sensor network is efficient use of energy. The clustering technique reduces energy consumption by having the cluster head send sensed information to a sink node; because of this characteristic, electing the cluster head is an important element of such networks. This paper proposes RCFT (Re-Clustering Formation Technique), which reconstructs clusters in hierarchical sensor networks. RCFT is a protocol that reconstructs clusters by considering the positions of the cluster heads and nodes in randomly constructed clusters. Simulation demonstrates that the resulting clusters are composed evenly, and the results show reduced energy consumption.
Keywords—Wireless Sensor Networks, Clustering

I. INTRODUCTION

As interest in ubiquitous computing has grown recently, much attention has been paid to the sensor network, one of its key components. Sensor nodes have limited energy and are mostly deployed in areas that are dangerous or not easily accessible[1]. Because it is very difficult to replace sensor nodes once their energy is exhausted, prolonging the lifetime of the sensor network through efficient use of energy is the most important research issue in this field. Since data aggregation is required to reduce the energy wasted by redundant transmission of information between adjacent sensor nodes, cluster-based routing protocols have many advantages. Selecting the cluster head is essential in hierarchical cluster-based routing, and a proper selection both saves power and distributes the energy consumption. This paper suggests a technique that re-selects the cluster heads by taking into account the positions of the cluster heads and the distances between sensor nodes. The suggested technique first selects the cluster heads at random, and the heads are then relocated in turn.

The clusters settled in this way are not re-organized at every round but remain fixed until the end of the network's lifetime. This research aims to divide the cluster ranges properly, to reduce energy waste by fixing the clusters, and to prolong the lifetime of the sensor network.

II. RELATED STUDY

A. LEACH (Low-Energy Adaptive Clustering Hierarchy)
LEACH[2] is a cluster-based routing technique whose purpose is to distribute the energy load among the sensor nodes. In LEACH, the sensor nodes organize themselves into clusters, with one node acting as the cluster head. A node acting as cluster head consumes much more energy than an ordinary node because it must collect and aggregate data from the other nodes and transmit the result to the base station (BS). Assuming that all sensor nodes start with the same energy level, the nodes selected as cluster heads would therefore be exhausted quickly. LEACH prevents this by rotating the cluster-head role among the nodes within the cluster. LEACH also performs local data aggregation before forwarding data from the cluster to the BS, which saves energy and extends the lifetime of the system. LEACH operates in rounds, each consisting of two stages: a set-up stage, in which the clusters are organized, and a steady-state stage, composed of multiple TDMA frames. LEACH is the basic technique for hierarchical sensor networks; LEACH-C[3], TEEN[4], and APTEEN[5], which remedy some of LEACH's weak points, have since been introduced.

B. LEACH-C
LEACH-C (LEACH-Centralized) is also a cluster-based routing protocol. Although it is similar to LEACH, in LEACH-C the sink (base station) selects the cluster heads using information about each node's position and remaining energy.


During the set-up stage, each sensor node transmits its current position and energy level to the BS. On receiving these messages, the BS calculates the average energy level of all sensor nodes and then selects as cluster heads the nodes that minimize the total sum of the distances between the cluster heads and the non-cluster-head nodes.
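As a rough illustration of this centralized step, the sketch below selects k heads from the nodes with at least average energy so that the sum of distances from non-head nodes to their nearest head is small. The node representation, field size, and the greedy loop are our assumptions for illustration; the actual LEACH-C paper performs this minimization with simulated annealing, not a greedy search.

```python
import math
import random

def leach_c_select_heads(nodes, k):
    """Greedy sketch of centralized head selection.
    nodes: list of (x, y, energy) tuples; returns indices of k chosen heads."""
    avg_e = sum(e for _, _, e in nodes) / len(nodes)
    # The BS only considers nodes with at least the average remaining energy
    candidates = [i for i, (_, _, e) in enumerate(nodes) if e >= avg_e]
    heads = []
    for _ in range(k):
        best, best_cost = None, float("inf")
        for c in candidates:
            if c in heads:
                continue
            trial = heads + [c]
            # total distance from every non-head node to its nearest head
            cost = sum(min(math.dist(n[:2], nodes[h][:2]) for h in trial)
                       for i, n in enumerate(nodes) if i not in trial)
            if cost < best_cost:
                best, best_cost = c, cost
        heads.append(best)
    return heads

random.seed(1)
field = [(random.uniform(0, 100), random.uniform(0, 100),
          random.uniform(0.5, 1.0)) for _ in range(100)]
print(leach_c_select_heads(field, 5))
```

The greedy loop is O(k·n²) and only a stand-in for the annealing search, but it shows the two constraints the text describes: head candidates are filtered by average energy, and the objective is the sum of node-to-head distances.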


When the clusters are established, the BS broadcasts a message containing the IDs of the cluster heads to every sensor node, and the nodes whose IDs match an ID in the message become the cluster heads. The strong point of LEACH-C is that it leads to equal energy consumption among the sensor nodes by drawing the cluster heads toward the centre of each cluster. However, every sensor node must know its own position, which requires each node to be equipped with a GPS receiver. This apparatus raises the price of the sensor nodes considerably, and since the number of nodes needed for a network ranges from hundreds to hundreds of thousands, such a price increase is not appropriate[6].

III. CLUSTERING ALGORITHM SUGGESTED

A. Problem of the established Clustering Algorithm
LEACH re-organizes the clusters at the end of every round, and in this process the cluster heads are selected at random from among the sensor nodes that have not already been heads. Accordingly, the clusters may or may not be divided equally, as shown in Figure 1[7]. If the clusters are not divided properly, each sensor node's energy consumption increases and becomes uneven.

Figure 1. Division of cluster in LEACH

B. RCFT (Re-Clustering Formation Technique)
1) Outline of RCFT: RCFT, suggested in this paper, first selects the cluster heads at random and then re-selects them considering the number of hops between the cluster heads and the number of hops to the cluster node farthest from each head. After selecting the cluster heads, RCFT re-organizes the clusters, which then remain fixed until the end of the network's lifetime.

2) Operation of RCFT: After broadcasting its message, a sensor node selected as a first cluster head waits for responses for a while; when a response arrives, it checks whether the response duplicates one already received from the same node. If the response is new, the head records the responding head with the smallest number of hops, and also records the node with the largest hop count among the node responses. If two or more nodes share the largest hop count, the node that responded last is recorded, since responding last means it is the farthest away. Once a first cluster head has received responses from all nodes, it subtracts the hop count of the farthest sensor node from the hop count of the closest head. If the result is positive, it moves toward the closest head by that number of hops; if the result is negative, it moves toward the farthest sensor node by that number of hops. The result is used as a ttl value, and the node at which the ttl reaches 0 is selected as the new cluster head. If the result is 0, the first cluster head does not move and becomes the cluster head again. Figure 2 shows an example of the suggested technique.

Figure 2. Example of RCFT

In (a), on the left, A and B are selected as the first cluster heads. The clusters in (a) are not well ordered, which is common when the cluster heads are selected at random. (b), on the right, shows the division of the clusters after the suggested technique is applied. Head A moved 4 hops toward the nodes, and head B moved 1 hop toward the cluster. The irregularly divided clusters of (a) become comparatively well ordered.

IV. EVALUATION OF EFFICIENCY
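Before turning to the measurements, the head-relocation rule described above can be read as a small function; this is a hypothetical reconstruction from the prose, and the hop counts in the example call are assumed values, not taken from the paper's figure.

```python
def relocate_head(closest_head_hops, farthest_node_hops):
    """Sketch of the RCFT head-relocation rule.

    Returns (direction, ttl): the first cluster head moves `ttl` hops
    toward the closest other head if the difference is positive, toward
    its farthest member node if it is negative, and stays put at zero.
    """
    diff = closest_head_hops - farthest_node_hops
    if diff > 0:
        return ("toward_closest_head", diff)
    if diff < 0:
        return ("toward_farthest_node", -diff)
    return ("stay", 0)

# Assumed example: the farthest member node is 4 hops beyond the closest
# head, so the head moves 4 hops toward the nodes (as head A does above).
print(relocate_head(2, 6))
```

The returned ttl is the value carried by the relocation message: it is decremented hop by hop, and the node where it reaches 0 becomes the new cluster head.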


In order to show the superiority of RCFT, the average number of sensor nodes per cluster in LEACH and in the suggested technique must be compared and analyzed. The average distance between the cluster head and its member nodes in LEACH, LEACH-C, and the suggested technique, and the energy consumed by the sensor nodes as the rounds repeat, are also compared and analyzed.

A. Condition of experiment
Table 1 shows the conditions used for evaluating the efficiency. In a 100m X 100m field, the total number of sensor nodes is 100 units, and there are 5 cluster heads, which is 5% of the total.

TABLE I. EXPERIMENT CONDITION

Classification           Factor
Language                 Visual C++
OS                       Windows XP Professional
Range of sensor field    100m X 100m
Total number of nodes    100 units
Number of heads          5
Position of BS           (50, 500)
Times of experiment      20 rounds X 10 times
Size of packet           2000 bit

To analyze whether the clusters are divided evenly, the distances between each cluster head and its member nodes, and the number of member nodes, are calculated at the end of every round. The average distance was calculated by dividing the total sum of the distances between a cluster head and its member nodes by the number of member nodes, and the experiment was conducted 10 times with 20 rounds each. The same energy formula used for LEACH was adopted for analyzing the energy consumption of LEACH, LEACH-C, and RCFT.

B. Result of experiment and Analysis
Figure 3 shows the average number of nodes per cluster. The closer the average number of nodes per cluster is to 20 units, the more evenly the clusters are divided. In Figure 3 it can be seen that RCFT comes closer to the average value of 20 than LEACH, and the gaps are smaller. Figure 4 shows the distribution of the number of nodes per cluster. Because the cluster heads of LEACH are selected randomly, the number of nodes belonging to each cluster is irregular; as shown in Figure 4, many different cluster sizes result, and clusters with fewer than 10 or more than 31 nodes appear frequently. In contrast, clusters with 16 to 25 nodes, which can be considered a relatively good result, account for over 50% in the suggested technique.

Figure 3. Average number of nodes per cluster

Figure 4. Distribution of the numbers of nodes per cluster
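The cluster-quality metric used in the evaluation can be stated directly in code; the sketch below (with made-up coordinates, since the experiment's node placements are not given) computes the average head-to-member distance of one cluster exactly as described: the sum of distances divided by the number of member nodes.

```python
import math

def average_member_distance(head, members):
    """Average Euclidean distance from a cluster head to its member nodes,
    as used in the evaluation (sum of distances / number of members)."""
    return sum(math.dist(head, m) for m in members) / len(members)

head = (50.0, 50.0)                                  # assumed head position
members = [(40.0, 50.0), (60.0, 50.0), (50.0, 30.0)]  # assumed members
print(round(average_member_distance(head, members), 2))  # -> 13.33
```

Averaged over all clusters and rounds, this is the quantity reported as 21.11m for LEACH, 20.68m for LEACH-C, and 20.88m for RCFT.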

Figure 5 shows the average distance between the cluster heads and all their member nodes in LEACH, in the suggested technique, and in LEACH-C, which uses separate position information. The longer the average distance, the wider the cluster; the shorter it is, the closer the cluster head lies to the centre of its cluster, so a shorter average distance indicates a more efficient cluster. For LEACH, the average distance measured was 21.11m. In contrast, the average distance was 20.68m for LEACH-C, which uses position information. The suggested technique averaged 20.88m, slightly worse than LEACH-C but of similar capability.

Figure 6 shows the average energy consumption of the nodes. LEACH-C, using position information, consumed about 20% less energy than LEACH. Although during the first 20 rounds RCFT consumed almost twice as much energy as the other techniques, because it organizes the clusters one extra time at the start, its rate of increase then gradually falls. After round 120 the energy consumption of RCFT became smaller than that of LEACH, and it increased at a ratio similar to LEACH-C.

Figure 5. Average distance between cluster heads and nodes

Figure 6. Average amount of energy consumed by nodes

C. Analysis on experimental results
The experimental results show that the suggested technique is more efficient than LEACH with regard to the division of clusters. The average number of nodes per cluster was closer to the target value with the suggested technique than with LEACH, and the average distance between cluster heads and nodes was shorter. In addition, the suggested technique achieved values similar to those of LEACH-C, which uses separate position information. Although during the first 20 rounds RCFT consumed more energy than the other techniques, its rate of increase was gradually lower than LEACH's, and after 120 rounds its energy consumption became much smaller than LEACH's.

V. CONCLUSION
This paper suggests a Re-clustering Formation Technique for hierarchical sensor networks. The suggested technique disperses and re-organizes the cluster heads, considering the numbers of hops between the randomly organized cluster heads and their member nodes, for the sake of an efficient division of clusters. A network model was implemented to analyze the efficiency of the suggestion. The analysis shows that the division of clusters is more efficient with the suggested technique than with the established techniques, which saves energy. It was also shown that the suggested technique is not much different from one using separate position information. By minimizing the energy consumption of the entire network with the Re-clustering Formation Technique suggested in this paper, a more efficient communication environment can be achieved in hierarchical sensor networks.

REFERENCES
[1] Ian F. Akyildiz, Weilian Su, Yogesh Sankarasubramaniam, and Erdal Cayirci, "A Survey on Sensor Networks," IEEE Communications Magazine, vol. 40, no. 8, pp. 102-114, August 2002.
[2] Wendi Rabiner Heinzelman, Anantha Chandrakasan, and Hari Balakrishnan, "Energy-Efficient Communication Protocol for Wireless Microsensor Networks," Proceedings of the Hawaii International Conference on System Sciences, January 2000.
[3] Wendi B. Heinzelman, Anantha P. Chandrakasan, and Hari Balakrishnan, "An Application-Specific Protocol Architecture for Wireless Microsensor Networks," IEEE Transactions on Wireless Communications, vol. 1, no. 4, October 2002.
[4] Arati Manjeshwar and Dharma P. Agrawal, "TEEN: A Routing Protocol for Enhanced Efficiency in Wireless Sensor Networks," 15th International Parallel and Distributed Processing Symposium (IPDPS'01) Workshops, 2001.
[5] A. Manjeshwar and D. P. Agrawal, "APTEEN: A Hybrid Protocol for Efficient Routing and Comprehensive Information Retrieval in Wireless Sensor Networks," Proceedings of the 2nd International Workshop on Parallel and Distributed Computing Issues in Wireless Networks and Mobile Computing, Ft. Lauderdale, FL, April 2002.
[6] Mohammad Ilyas and Imad Mahgoub, "Handbook of Sensor Networks: Compact Wireless and Wired Sensing Systems," CRC Press, 2006.
[7] M. J. Handy, M. Haase, and D. Timmermann, "Low Energy Adaptive Clustering Hierarchy with Deterministic Cluster-Head Selection," IEEE, 2002.

AUTHORS PROFILE
B. Kim is with the Department of Computing, Ph.D. course, Soongsil University, Seoul, Korea. His current research interests focus on communications in wireless sensor networks (e-mail: bskim@cherry.ssu.ac.kr).
J. Lee is with the Department of Computing, M.Sc. course, Soongsil University, Seoul, Korea. His current research interests focus on communications in wireless sensor networks (e-mail: jhlee@cherry.ssu.ac.kr).
Y. Shin received his M.Sc. and Ph.D. from the Computer Science Department, University of Iowa. He is now a Professor in the Department of Computing, Soongsil University (e-mail: shin@ssu.ac.kr).



An alternative to common content management techniques
Rares Vasilescu
Computer Science and Engineering Department Faculty of Automatic Control and Computers, Politehnica University Bucharest, Romania

Abstract— Content management systems use various strategies to store and manage information. One of the most usual methods encountered in commercial products is to use the file system to store the raw content, while the associated metadata is kept synchronized in a relational database management system. This strategy has its advantages, but we believe it also has significant limitations which should be addressed and eventually solved. In this paper we propose an alternative method of storing and managing content, aiming to find solutions for current limitations in terms of both functional and nonfunctional requirements.

Keywords- CMS; content management; architecture; performance

I. INTRODUCTION

Content management systems (CMS) can be defined as the set of processes and technologies which support the digital information management lifecycle. This digital information is usually referred to as "content" and can be found as unstructured or semi-structured data, such as photographs, images, documents, or XML data. While one can look at a CMS as a software application, it is more and more used as a technological software platform on which other end-user applications are built. In turn, CMS are commonly based on other core technologies, such as relational database management systems (RDBMS) and file systems; thus it is common for information and processes to traverse multiple technical layers to implement a given functionality. The usage of out-of-the-box components such as RDBMS helps systems achieve a lower time to market and high reliability metrics. On the other hand, this reuse comes with an inherent mismatch between components which can lead to non-optimal performance, both in terms of functional and nonfunctional needs. Following experiments [3], [6] and practice, we came to the conclusion that a high performance content management system needs to be designed specifically as a core infrastructure technology (as database management systems are) rather than employing multiple layers from applications to data items.

During previous years, several efforts [1, 2] were made to standardize an interface to content management systems. These initiatives still have room to expand, but we can consider their existence as a validation of the fact that the CMS is becoming an infrastructure service, similar to database management systems and file systems. This supports our approach of trying to design a high performance implementation model for CMS not necessarily based on other infrastructure services.

We identified several key characteristics of CMS, and during research and experiments each will be addressed and a new architecture implemented [8]. In Section 2 we present a list of key functionalities which should be addressed by a high performance implementation model. In Section 3 we describe the proposed information storage alternative, while in the next section we discuss the challenges generated by this approach in terms of finding the managed data. The conclusion summarizes experimental results derived from the model implementation experience and from some performance benchmarks. It also outlines the next open points for research.

II. CMS SPECIFIC FUNCTIONALITIES

In order to design a model for a CMS, one must look at the key functions these systems provide and aim to implement them. Looking at the CMS functionality set, the following key features were identified:

- Data (content and metadata) management
- Security management
- Ability to ingest content
- Ability to process content
- Ability to classify content
- Retrieve data (metadata and content)
- Allow and control concurrent access
- Manage storage space
- Allow collaboration on content
- Allow definition of content enabled flows



We consider that each of these features can be explored from the point of view of high performance. The scope of this paper is not to address all of them, but to present some first steps in this direction and to outline the next activities needed to build a high performance CMS. Understanding how content management systems differ from other systems (such as database management or file management systems) is essential for designing and building a high performance variant. Content management usually needs a specialized approach to data management, since it exhibits a set of characteristics from which we mention the following:

- Manages complex data structures (not only data tuples with atomic values)
- Shows a high variance in item data size
- Nonstructured content processing (e.g. text or image based search) is necessary for standard data discovery functions
- Security rules and management rules need to act at multiple levels on the complex data structures

A. Complex data structures
Each element managed by such systems is comprised of a set of metadata (key-value(s) pairs) and the content itself (e.g. the binary file representing a photo). Metadata are not only simple key-value pairs in which the value is an atomic element; they can also contain complex, sometimes repetitive data structures (e.g. a table with many columns and rows). This characteristic is obviously in contradiction with the first normal form [5], and a relational database implementation will most probably not model it in this manner. What we consider essential is that the actual information can be modeled in various ways, and we should identify a method adequate for high performance. Information also includes the actual data content, which needs to be managed in sync with the metadata. There are ways of storing and managing this content inside relational database tuples, but experiments [3], [6] have shown that such methods pose specific performance problems. Adding more challenge, each content item can have multiple versions which need to be tracked and managed. Versioning is not natively managed by common database management systems, so we can expect such models to be less than optimal. Content is not only versioned but can also be represented in multiple formats (each version having multiple binary formats, such as multiple image representation formats of a picture). The relationship between renditions, versions and the information item itself should be addressed as core functionality.

B. High variance of item size
Managed items vary substantially in size between CMS implementations and even inside the same system. It is not unusual to encounter a system with item sizes ranging from several bytes to multiple gigabytes or even terabytes. A high performance system should address this characteristic at its core and provide means to efficiently store and manage each and every item, with performance scaling at least linearly with size.

C. Nonstructured content processing
We are used to finding and processing information by using relational algebra on tuple-based data organization. The fact that a piece of information comprises metadata and content at the same time leads to the need for at least enhancing the algebra with operators which can work on content. Since content is unstructured (or semi-structured, in the case of XML data, for example), such operators are different in nature from the common ones. Content processing is an essential function of a CMS, and it is not unusual for it to be one of the most important functionalities evaluated when choosing such a system. It is therefore mandatory that the system architecture embeds these operators at its core. Another fact is that technology evolves while content does not necessarily change. For example, a photo is taken at a certain moment in time and its original representation remains the same, while manipulation technologies evolve and can extract and process more and more information from that representation. Considering this, a CMS must allow this technological evolution without requiring a fundamental change, while still observing the performance topic.

D. Security management
Arguably one of the top performance factors is the security model implementation subsystem. This is because security should govern everything, and that is not a trivial task to fulfill. Each managed element usually has an associated security set which determines who can perform what kind of operation on it. Characteristic of CMS is that these security rules apply not only at item level but also at sub-item level. For example, one system user could have permission to update some of a document's metadata but not the rest, and could operate on the content only for versioning, not for overwriting it. Moreover, such permissions could address only one item version or format, not all of them (e.g. a user could be authorized to see only the PDF format of an item which also has an editable text format).

III. PROPOSED STORAGE MODEL

The proposed model describes a content management system which stores data in an autonomous, self-descriptive manner, scalable both in terms of functionality and of usage. Individual content items are self-described and stored in a standardized format on generic file systems. The file format (Fig. 1) can follow any container convention (e.g. it can be XML based), but it is essential that it contain all the information necessary to manage that specific piece of content, regardless of the software built for this purpose.
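To make the idea concrete, the sketch below serializes one self-described item: header identifiers first, then self-defined metadata and relations, then the raw content last. The segment names, the JSON envelope, and the length-prefixed layout are our assumptions for illustration, not the paper's exact format.

```python
import json
import uuid

def write_item(path, metadata, relations, content: bytes):
    """Sketch: write a self-described content item to a single file.
    Each metadata field carries its own name and type, so the file can be
    interpreted without any external data dictionary."""
    header = {
        "format_version": 1,
        "item_id": str(uuid.uuid4()),
        "version_series_id": str(uuid.uuid4()),
        "version_id": 1,
    }
    # each field is fully self-described: name, type, and value
    described = [{"name": k, "type": type(v).__name__, "value": v}
                 for k, v in metadata.items()]
    envelope = json.dumps({"header": header,
                           "metadata": described,
                           "relations": relations}).encode()
    with open(path, "wb") as f:
        # metadata sections come first and the raw content last, so metadata
        # updates do not require rewriting the (potentially huge) content
        f.write(len(envelope).to_bytes(8, "big"))
        f.write(envelope)
        f.write(content)

write_item("item.bin",
           {"title": "Invoice 42", "amount": 99.5},
           [{"type": "prior_version", "target": "series-0001"}],
           b"%PDF-1.4 ...")
```

A reader needs only the file itself to recover the identifiers, the typed metadata, the relations, and the content, which is exactly the self-described property the model relies on.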



Figure 1. Item file structure

The file is designed to contain multiple segments, each representing a specific data area characterizing the information item. These segments are expected to be stored in fixed-size data pages (e.g. 1KB page increments) so that eventual updates do not trigger a rewrite of the entire file (which would be time consuming). Of course, the paging increases the storage space overhead, and this needs to be considered when configuring the segment size. One option is to define the segment size per item, or to choose it dynamically at system runtime based on item properties. The header area begins the file and contains the format version and the key content item identifier. Alongside, it must also contain the version series identifier and the version identifier. This makes each item very easy to identify without reading or processing the whole file. The strategy used to assign series identification is designed so that it does not require an update of existing version metadata when a new version appears in the series, keeping existing items stable. It is essential that an existing item need not be modified when related items appear or are modified in turn. The main reason behind this requirement is that items can also be stored on read-only media (such as tapes or optical disks) and are therefore not physically updateable. Also, compliance rules could mandate read-only access, so the requirement stems not only from a technical limitation but also from a legal perspective.

Metadata values are contained in the next section (pairs of metadata names and associated values). A significant decision we took is to define each metadata field completely (including its name and data type) without referencing a global data dictionary. This decision keeps the item self-described and independent of other data collections. The independence comes at the price of storage overhead, since a metadata field which is present in several items is described in each of them. This overhead would be significant if there were a fixed schema by which to classify items. Instead, we choose not to employ a schema-based classification but to include in each item's metadata only the attributes which are relevant for that particular item. This decision also has an impact on the information retrieval techniques which need to be implemented, since traditional methods are no longer suited.

Another section contains data about the links to other items. Each linked item is referenced by its unique identifier or by its version series identifier. Each relation also has a type classification to differentiate between possible link variants. Relations are necessary to link together different versions of the same item and different formats of the same version.

After all these sections, the file records the content itself. This positioning of the data was chosen for several main reasons: any update of the metadata or associated relations can happen without accessing the whole file contents, and the majority of content updates can be handled by a file update, not an entire rewrite.

In special cases we could choose to add, at the end of the file, certificates ensuring the authenticity of item sections. These certificates can be applied using any kind of technique, but one common method uses the IETF standard defined as RFC 3852 [7]. One addition to the above structure would be a header subsection which determines which sections of the file are protected differently from the others. For example, the actual content and part of the metadata may need to be read-only, while some metadata information can still be added or changed. This is particularly useful for CMS compliance and retention needs.

IV. SPECIFIC PROPOSED MODEL CHALLENGES

The proposed model is based on a series of architectural decisions which have a significant impact on the overall system design. We will discuss here some impacted functionalities and propose ways of mitigating the risk of negative impact while enhancing the benefits. Content is often subject to retention rules. As information gets transformed from physical supports (such as paper) to digital ones (e.g. scanned documents), the regulations also extend in similar ways. CMS users expect their system to provide methods of enforcing compliance rules and



managing these processes as efficiently as possible. It is not uncommon for regulations to state that certain content must be stored for many years (tens, or even permanently) on storage which prevents alterations (accidental or not). Looking back at current software application lifespans, we can see that operating systems evolve significantly every few years, and we can hardly find systems which remain stable over a decade. Given this state of things, it is not reasonable to believe that a system built today will remain as-is for the time needed to manage its content. With consideration to the above, we proposed the item storage technique described in the previous section. Each stored item has the essential ability of being self-described and stable during its lifecycle. Having items self-described empowers the system to employ information retrieval techniques which evolve in time while keeping the initial content unchanged. For example, when a new information processing technique is developed, the system can simply be extended to implement it and then run it over the existing repository of items. Moreover, the items can be stored on Write Once Read Many (WORM) media which can be kept outside the information system itself and processed only when needed (e.g. tape libraries). All of this is possible by keeping the item catalog (index structure) separate from the content. The main difference versus common existing CMS models is that the catalog structure does not have to be synchronized and maintained alongside the content itself: since the content is self-described, the catalog can be entirely rebuilt in a matter of time. As previously presented, the self-described characteristic comes with an associated cost: overhead on the needed storage space, and complexity of operations on the content file store itself generated by the paging algorithm.
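The catalog-rebuild property can be illustrated with a small sketch: scanning the self-described items is enough to reconstruct a metadata index from scratch, with no external data dictionary. The file layout (one JSON container per item) and the field names are our assumptions, mirroring the container sketched earlier rather than any format prescribed by the paper.

```python
import json
import os

def rebuild_catalog(store_dir):
    """Sketch: rebuild an in-memory metadata index by scanning
    self-described item files in a directory."""
    catalog = {}  # metadata name -> {value -> [item ids]}
    for name in sorted(os.listdir(store_dir)):
        with open(os.path.join(store_dir, name), "r", encoding="utf-8") as f:
            item = json.load(f)  # assumed JSON container per item
        item_id = item["header"]["item_id"]
        # every field is self-described, so indexing needs no schema lookup
        for field in item["metadata"]:
            bucket = catalog.setdefault(field["name"], {})
            bucket.setdefault(str(field["value"]), []).append(item_id)
    return catalog
```

Because the index is derived entirely from the items, it can be discarded and regenerated after a media restore or a software migration, which is exactly why the model does not require the catalog to be kept transactionally in sync with the content.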
We believe that this cost is limited since items do not embed a fixed schema but are classified by individual characteristics (not even a schema associated with item types). This approach gives the flexibility to classify an item by an initial set of attributes determined by the application logic on top, and then add more metadata as the content progresses through its lifecycle. It also helps considerably when an item needs to be perceived differently by various applications (e.g. a content item representing an invoice is used and classified differently by an accounts payable application than by a records management one). Considering that items have multiple versions and formats, this approach significantly reduces the metadata associated with each one, since only the differentiating attributes (e.g. format type) need to be stored on these items, the rest being inherited through relations. The large majority of current content management systems keep a data dictionary describing each type of content item they manage. This may seem convenient for a number of system administration tasks, but we found that it actually imposes many restrictions and much overhead. It is also inherently inflexible, and many workarounds must be designed to support concepts like "inheritance" or "aspects". A challenge of the proposed model is to retrieve and make use of the stored items. Storing the self-described items alone does not provide an efficient manner to access them by

applying search filters – although this remains possible with a full scan-and-filter approach. It is thus necessary to implement a data discovery mechanism which enables applications to use the CMS for fast item retrieval and processing.
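Because every item carries its own metadata, the catalog can be rebuilt from the content store alone, as described above. The Python sketch below illustrates the idea; it assumes a hypothetical on-disk layout in which each item file begins with a one-line JSON metadata header (the paper does not prescribe a concrete format):

```python
import json
import os
from collections import defaultdict

def rebuild_catalog(store_root):
    """Scan every item file and rebuild the metadata index from scratch.

    Assumes each item file starts with a one-line JSON header carrying the
    item's self-describing metadata -- an illustrative layout, not the
    paper's actual on-disk format.
    """
    index = defaultdict(set)          # (attribute, value) -> set of item ids
    for dirpath, _dirnames, filenames in os.walk(store_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8") as f:
                meta = json.loads(f.readline())
            item_id = meta["id"]
            for attr, value in meta.get("attributes", {}).items():
                index[(attr, value)].add(item_id)
    return index
```

A full rebuild like this trades time for independence: the index can be discarded or lost without affecting the content itself.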

The proposed model also embraces the lack of schema. Since no schema is enforced, the application on top is left with the task of choosing how an item is classified and later retrieved. Although this differs from the established practice of the database system enforcing a schema which caller applications then obey, we consider such enforcement necessary only while applications are not yet stable (e.g. during development phases); afterwards the application itself becomes the enforcer of the schema. This assumption is based on actual solution implementation experience and on the observation that, even though database systems can enforce referential constraints between tables, these features are seldom used when performance is key. While it can be the application's task to determine the metadata used for an item, it remains the task of the CMS to manage these data and to provide a way to filter them efficiently. We propose a system which includes a collection of independent agents, each processing an atomic piece of data: a metadata field or a content fragment. Once an item is created or updated, these agents are triggered and each processes and indexes its associated data. When a search query is submitted, its filter is split into basic operators which are then submitted in parallel to the respective search agents. These agents process the sub-queries and return results as they are found to a query manager, which aggregates them and replies to the calling application with partial results as they are collected. A key advantage is that the application can receive not only precise results but also results which partially match the search criteria.
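The agent-based search just described can be sketched as follows. This is a minimal illustration, not the paper's implementation: the per-field indexes, the conjunctive filter shape, and the thread-based agents are all assumptions made for the example.

```python
from concurrent.futures import ThreadPoolExecutor, as_completed

# Hypothetical per-field indexes held by independent agents:
# each maps a value to the set of item ids carrying it.
AGENT_INDEXES = {
    "type":   {"invoice": {1, 2, 3}, "report": {4}},
    "status": {"paid": {2, 3, 5}},
}

def agent_query(field, value):
    """One search agent answers the atomic sub-query for its own field."""
    return AGENT_INDEXES[field].get(value, set())

def search(filters):
    """Split a conjunctive filter into sub-queries, run them in parallel,
    and yield ("partial", ids) tuples as agent results arrive; the final
    tuple is the complete (fully matching) result."""
    results = []
    with ThreadPoolExecutor() as pool:
        futures = [pool.submit(agent_query, f, v) for f, v in filters.items()]
        for fut in as_completed(futures):
            results.append(fut.result())
            partial = set.union(*results)          # matches some criterion
            yield ("partial", partial)
    complete = set.intersection(*results)          # matches every criterion
    yield ("complete", complete)
```

The caller can start displaying partial matches immediately and refine the view once the complete intersection arrives, mirroring the "partial then complete" behavior described in the text.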
While this may seem inadequate (a system which does not return only precise matches), it can prove very efficient in practice, since a user may be satisfied to obtain an initial set of results very fast and then – while evaluating the partial set – receive the complete result. Note that the terms "partial" and "complete" above refer not only to the quantitative measure of the result (number of returned items) but also to matching partial or complete filter criteria. A challenge to this model is query optimization, which cannot rely on traditional relational database techniques given the lack of a schema and of the related statistical information. Solving this challenge requires changing the approach to optimization itself: not aiming to provide a complete response opens the door to other optimization techniques, focusing on feedback from actual execution rather than preparing a query plan upfront. This optimization should take into account that, given the vertical organization of the metadata (each agent having its own specific associated metadata item), memory locality of frequently used index structures can help the process considerably. Since memory efficiency tends to grow at a faster pace than disk efficiency, and processors include more and more cores, we expect that an architecture geared toward memory usage and

parallel processing will provide the maximum possible performance today.

Coming back to item storage, a key element is the file organization within the file system itself. Tests [3] have shown that file systems generally provide very good performance, but files need to be organized properly beforehand. For example, it is not advisable to store millions of files in the same "folder" of a file system. While this is perfectly possible in modern file systems, it can cause a major performance impact when accessing that folder – and thus any of the contained files. Although many different file management systems are available, this behavior holds for most of them. The proposed solution is to store files in such a way that the location of a file is determined by its unique object identifier, and that no more than 256 files exist in the same folder. This is achieved by representing the unique identifier as a hexadecimal number, resulting in 8 pairs of 2 digits. The least significant pair gives the filename; the remaining pairs give, in order, the folder names on the path to that content file. By applying this simple logic, files do not overwhelm file system folders, and each item is located directly on disk, saving many expensive I/O operations.

Other concerns of the proposed architecture are modern challenges such as refreshing digital signatures on fixed content for items which require long retention periods (e.g. over 10 years). For this reason, the content file has a dedicated area at its end to store digital signatures over various areas (metadata and/or content). Multiple signatures can be stored for any area (e.g. successive signatures over the same content part).

V. CONCLUSION AND NEXT STEPS

Independent studies [4] show that about 80% of stored data does not reside inside a database management system, and that the total volume increases exponentially, expected to exceed one thousand exabytes by 2011 (ten times more than in 2006). We believe that designing a CMS able to handle very large volumes of structured and semi-structured content is key to keeping pace with this information growth. To validate the content storage techniques presented at a high level in this paper, we are working on building an actual implementation of the system and benchmarking it against other common CMS products. Since there is no accepted benchmark procedure for content management systems, we will consider the functional elements defined by industry standards such as CMIS [1], but we will also include non-functional requirements such as the ability of the system to manage information over extended time periods.

REFERENCES
[1] OASIS, "Content Management Interoperability Services (CMIS) TC", 01.04.2009, http://www.oasis-open.org/committees/cmis, accessed on 25.09.2009.
[2] Java Community Process, "JSR 170 – Content Repository for Java Technology API", 24.04.2006, http://jcp.org/en/jsr/detail?id=170, accessed on 25.09.2009.
[3] M. Petrescu, R. Vasilescu, D. Popeanga, "Performance Evaluation in Databases – Analysis and Experiments", Fourth International Conference on Technical Informatics CONTI'2000, 12-13 October 2000, "Politehnica" University of Timisoara.
[4] J. F. Gantz, "The diverse and exploding digital universe", IDC, 2008.
[5] E. F. Codd, "A relational model of data for large shared data banks", Communications of the ACM, 13 (6), pp. 377-387, 1970.
[6] S. Stancu-Mara, P. Baumann, V. Marinov, "A comparative benchmark of large objects in relational databases", Proceedings of the 2008 International Symposium on Database Engineering & Applications, 2008.
[7] R. Housley, "RFC 3852 – Cryptographic Message Syntax", July 2004.
[8] R. Vasilescu, "Architectural model for a high performance content management system", The 4th International Conference for Internet Technology and Secured Transactions (ICITST 2009), London, November 2009, in print.

AUTHORS PROFILE

Dipl. Eng. Rares Vasilescu is a PhD student at the "Politehnica" University, Faculty of Automatic Control and Computers, Computer Science and Engineering Department, Bucharest, Romania. His previous work includes studies and experiments on the performance of database management systems. His current research addresses content management systems, in preparation of his PhD thesis.


Routing Technique Based on Clustering for Data Duplication Prevention in Wireless Sensor Network
BoSeung Kim
Computing Department Soongsil University Seoul, South Korea

Huibin Lim
Computing Department Soongsil University Seoul, South Korea

Youngtae Shin
Computing Department Soongsil University Seoul, South Korea

Abstract— In wireless sensor networks, managing each node's energy consumption is critical to prolonging node activity, because the nodes composing the network are small and their battery capacity is limited. To reduce node energy consumption, sensor network routing techniques are divided into flat routing and hierarchical routing. In particular, hierarchical routing is an energy-efficient approach which reduces the overall energy consumption and spreads it across nodes by forming clusters and communicating through cluster heads. Although clustering-based hierarchical routing has advantages over flat routing, it is often not used because it is considered unrealistic: existing hierarchical techniques do not account for the actual data transmission radius of sensor nodes. This paper therefore proposes a realistic routing technique based on clustering.

Keywords—Wireless Sensor Networks, Clustering

technique whose trait is multi-hop routing. Hierarchical routing protocols, in turn, divide the network into many regions based on clusters and grant the role of head to a specific node in each region [10]. This paper suggests RTBC (Routing Technique Based on Clustering), a cluster-based routing protocol which organizes the network per cluster, captures the traits of communication occurring in wireless sensor network surroundings, and controls energy resources at the protocol level. RTBC sets up a route between the sink and each cluster head using the data values of randomly distributed sensor nodes, and suggests a technique by which each member node transmits sensing information efficiently within a cluster organized around cluster heads selected randomly, as in LEACH [4]. The structure of the paper is as follows: Section 2 discusses the issues to be considered in hierarchical protocols for sensor networks and analyzes their traits, weak and strong points. Section 3 suggests RTBC, a cluster-based routing protocol which can transmit sensing information efficiently by organizing the network per cluster. Section 4 describes the simulation of RTBC and analyzes the efficiency of the suggested protocol. Finally, Section 5 summarizes the paper and suggests directions for future research.

II. RELATED STUDY

I. INTRODUCTION

Recent wireless communication and electronics technology makes it possible to develop small, multi-functional sensor nodes which communicate over short distances at low cost and with relatively little electrical power. The network protocol is one of the technical factors in organizing a wireless network. As wireless sensor networks have constraints not present in traditional networks, it is important to understand these traits before designing one. Among them, the requirement for efficient utilization of energy resources is the most important to reflect in the network protocol. If a network protocol operates without any consideration for energy resources in surroundings where communications occur frequently, it can interfere with the operation of the wireless sensor network by causing separation, isolation, interruption, etc. of the network [1,2,3]. Routing protocols for wireless sensor networks diverge largely into flat routing protocols and hierarchical routing protocols. A flat routing protocol regards the whole network as one region in which all nodes participate; it is the

Flooding is the traditional technique used in wireless sensor networks: nodes repeatedly retransmit a received packet to their adjacent nodes unless they are the final destination or the packet has reached its maximum hop count. However, flooding has three problems which must be overcome before it can be used in wireless sensor networks: duplicate messages, duplicate sensing, and energy efficiency. SPIN (Sensor Protocols for Information via Negotiation) [5] is a protocol which transmits sensing information to many nodes via a three-step negotiation, in order to mitigate the duplicate messages, duplicate sensing, and energy inefficiency pointed out as weaknesses of flooding. A SPIN message includes meta-data, a concise description of the sensing information. It detects duplicate message and duplicate sensing

information via negotiation before carrying out the message transmission. This use of meta-data to control the network protocol is distinctive to SPIN.


DD (Directed Diffusion) [6] is a data-centric routing technique based on question-broadcasting by the sink, which can deliver sensing information on a specific region to arbitrary nodes. DD transmits sensing information after setting up a route in reverse, from the targeted region to the source nodes, via three steps. LEACH (Low-Energy Adaptive Clustering Hierarchy) [4] is a clustering-based routing protocol whose purpose is to disperse the energy load among the nodes which self-organize the network. In LEACH, selected cluster heads collect sensing information from the member nodes of their cluster and transmit it directly to the sink. Distinctive traits of this technique are that LEACH rotates the energy-intensive cluster head role at random, so that energy expenditure is distributed equally over all sensor nodes in the network, and that the data of a cluster is collected and managed at the cluster head to save communication cost. However, it is difficult to apply LEACH to real situations, considering that every node selected as cluster head must communicate directly with the sink.

III. ROUTING TECHNIQUE BASED ON CLUSTERING

A. RTBC
Even though hierarchical clustering-based routing algorithms have more strong points than flat routing algorithms, they are not used because they are unrealistic. To apply a hierarchical routing algorithm to a real model, the data transmission radius of sensor nodes must be taken into consideration. IEEE 802.15.4, known as the sensor network standard, defines the data transmission radius of sensor nodes as 10m [7]. MICA2, the most commonly used sensor node, also sets the maximum radius at 10m [8]. This paper likewise limits the maximum data transmission radius of nodes to 10m, and suggests RTBC (Routing Technique Based on Clustering) using sensor nodes with this limited transmission radius. Like LEACH, RTBC selects cluster heads among the nodes for equal periods based on probability, and organizes clusters around the selected cluster heads.

1) Selecting Cluster Heads: The first step is to obtain information about the sensor nodes, which are initially distributed randomly, in order to select cluster heads. The sink transmits a questioning message to the sensor nodes one hop away. The sink can count the number of randomly distributed sensor nodes, as each node returns its hop count and ID in response to the questioning message. Using the sensor node information obtained this way, the sink, like LEACH [4], selects cluster heads among the nodes for equal periods based on probability, so that energy expenditure is balanced between the nodes in the network.

2) Organizing Cluster: As in LEACH, cluster heads are selected randomly by the sink node; the selected cluster heads amount to 5% of the entire nodes. In the process, each node selected as cluster head receives its cluster head ID (CHID) from the sink. The selected cluster head then organizes its cluster by notifying the adjacent nodes, via an ADV message, that it is the cluster head. A node which receives the ADV message joins the cluster by updating its node information and transmitting a REP message in return. The messages for organizing a cluster are as follows.

TABLE I. MESSAGES FOR ORGANIZING A CLUSTER

Figure 1. Cluster organizing and defined route within cluster-1

Figure 2. Cluster organizing and defined route within cluster-2
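The LEACH-style probabilistic head election referenced above can be sketched as follows. The threshold formula is the standard LEACH one; the function names and node representation are illustrative, not taken from the paper.

```python
import random

P = 0.05  # desired fraction of cluster heads per round (5%, as in the paper)

def elect_heads(node_ids, round_no, recent_heads, rng=random.random):
    """LEACH-style election: each node that has not served as head within
    the last 1/P rounds becomes a head with threshold probability T(n),
    so head duty rotates evenly over time. A sketch, not the paper's code.

    T(n) = P / (1 - P * (r mod 1/P))  for eligible nodes, else 0.
    """
    period = int(1 / P)
    threshold = P / (1 - P * (round_no % period))
    heads = [n for n in node_ids
             if n not in recent_heads and rng() < threshold]
    return heads
```

Over one full period of 1/P rounds, every node is expected to serve as head exactly once, which is what equalizes the energy expenditure across the network.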


In [Figure 1], the selected cluster head CH1 transmits the ADV message (CH1, CH1, 0), shown as ①, to the nodes A15, A16, A22 which are one hop away. The nodes receiving the message set the CHID of the ADV message as the ID of the cluster head they belong to (CH1), and also set the sender node, CH1, as their own DNID. They set their Hopcnt value to 1 by adding 1 to the received Hopcnt value 0. In response to the ADV message, shown as ②, each node transmits a REP message (CH1, 1), which is received by the cluster head CH1, the responding node of the REP message. In this way, the sensor nodes acquire a direction toward the cluster head. [Figure 2] shows how the nodes A15, A16, A22 retransmit the ADV message to their adjacent nodes. A15 retransmits the ADV message to the neighboring nodes A10, A6, A11; as in ① of [Figure 1], the ADV message now carries the values (CH1, A15, 1). Just as A15, A16, A22 did in [Figure 1], the receivers A10, A6, A11 update their own sensor node information and transmit a REP message (A15, 2) to A15. A15 then checks whether its own hop count value (Hopcnt) is 0. Since it is not 0, meaning that the node plays the role of a mid-node, A15 retransmits the REP message (CH1, 1), shown as ②. The cluster head is thus able to recognize the nodes within its cluster by receiving these values. [Figure 3] shows the third stage of transmitting the ADV message. ③ shows the competition between sensor nodes, or the non-transmission of messages by nodes which have already received the ADV message. A10 can transmit the ADV message to A5 and A14; A6, however, has the same hop count value as A10, obtained through the ADV message transmitted from A15, so no ADV transmission happens between them because they are judged to be nodes of the same level. Even though A6 and A11 transmit the ADV message simultaneously, the one whose message arrives first can bring A3 onto its route: as shown in the figure, A6 preempts A3 because it is closer than A11.

Figure 3. Cluster organizing and defined route within cluster-3

Sensor nodes which extended the ADV message eventually meet sensor nodes with a different cluster head. In ④ of [Figure 4], A31, A32, A33 do not accept the ADV message transmitted by A27, as they have a different cluster head than A27. This part forms the boundary between clusters, completing the organization of CH1's cluster as shown in the figure.

Figure 4. Cluster organizing and defined route within cluster-4
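The ADV flooding walk-through above amounts to a breadth-first construction of per-node routing state: each node keeps the first ADV it hears, recording its cluster head (CHID), upstream node (DNID) and hop count. A minimal sketch, with a toy topology and illustrative field names, might look like:

```python
from collections import deque

def organize_cluster(head, neighbors):
    """Flood an ADV message outward from the cluster head.

    `neighbors` maps node -> list of adjacent nodes within radio range
    (a toy topology, not the paper's testbed). Each node keeps exactly
    one entry: the first ADV to arrive preempts later ones, as when A6
    preempts A3 in the figures.
    """
    state = {head: {"CHID": head, "DNID": head, "Hopcnt": 0}}
    queue = deque([head])
    while queue:
        sender = queue.popleft()
        for node in neighbors[sender]:
            if node not in state:                 # first ADV wins
                state[node] = {"CHID": head,
                               "DNID": sender,    # direction for REP replies
                               "Hopcnt": state[sender]["Hopcnt"] + 1}
                queue.append(node)
    return state
```

The DNID chain is the "imaginary route" used in the next subsection: following DNID from any member node leads back to the cluster head.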

3) Routing Within Cluster: After each member node has joined the cluster, the cluster head CH1 defines the imaginary routes by which nodes reach it, based on the data of each belonging node. Though node CH1 directly recognizes only the nodes one hop away, every node is connected through this low-level information. Therefore, a node at which an event occurs can transmit data to CH1 along the imaginary route set up as above. In this case, the cluster head does not need to define a route by transmitting a questioning message to the node with the event. Routes are defined only once because cluster heads change regularly; it is more efficient to keep transmitting data within the cluster along the defined route than to re-define routes per event.

4) Routing out of Cluster: The cluster head deduplicates the sensing information received from all its nodes, checks the condition of each node, and transmits the data to the sink over multiple hops. The sink node regularly transmits an interest message to the network to enable communication between the cluster heads and the sink. The interest message propagates through the whole network from the sink node, and each node in the network learns the energy and hop counts of its neighboring nodes from this message. When transmitting data to the sink node, a cluster head selects as receiving node, from its neighbor table, a node whose energy condition is good and whose hop count is small, and then transmits the data to it. Nodes receiving the cluster head's data forward it in the same manner. Considering that it is difficult for a cluster head to communicate directly with the sink node, the cluster head routing technique suggested in this paper routes toward the sink based on neighboring nodes' energy and hop counts.
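The next-hop choice described above (good energy condition, small hop count) can be sketched as a simple selection over the neighbor table; the data layout here is an assumption for illustration, not the paper's structure.

```python
def next_hop(neighbor_table):
    """Pick the forwarding node among a cluster head's neighbors: fewest
    hops to the sink first, highest remaining energy as the tie-breaker.

    `neighbor_table` maps node id -> (hops_to_sink, remaining_energy);
    the field names and ordering are illustrative assumptions.
    """
    return min(neighbor_table,
               key=lambda n: (neighbor_table[n][0], -neighbor_table[n][1]))
```

Because the choice is purely local, no route state needs to be maintained between transmissions; each forwarder simply repeats the same selection over its own neighbor table.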
The suggested routing technique does not maintain a special routing route; it simply routes to the neighboring node having the minimum number of hops to the sink node, which makes it easy to use. Additionally, the cluster head can use the shortest path to transmit data to the sink node.

IV. REALIZATION AND ANALYSIS ON EFFICIENCY

A. Evaluation Model for RTBC Efficiency
For evaluating efficiency, the clustering-based routing technique with limited transmission radius was implemented in C++, and the relevant factors were chosen to define the simulation environment. For the simulation setup, N sensor nodes are assumed to be placed in a regular square

coordinate space; node mobility and additional nodes were not considered. Each node has the same traits and begins in the same condition; the nodes selected as cluster heads are also the same. During the experiments, it was noticeable that clustering can screen out duplicate data. To measure energy efficiency, the average energy expenditure of the entire network as a function of event nodes was compared to that of established flat routing, while varying the cycle of cluster organization; the amount of energy expenditure was measured accordingly.


1) Definition of Environment Factors: As shown in Table 2, the network size was set to 100m x 100m. Several node counts were used to determine the number of nodes the simulation can handle without errors at this network size. The nodes with events occurred at random, from 100 up to 500. The sensing range was set to 10m, based on the limited transmission radius of the nodes, and the minimum distance between nodes was limited to 5m. The sink coordinates were defined as (50, 0); the initial energy of each randomly distributed node, as well as the transmitting and receiving energy, were defined as in Table 2.

TABLE II. ENVIRONMENT FACTORS FOR THE SIMULATION

Environment factor                     Value
Size of network                        100m x 100m
Number of nodes                        50, 100, 150, 200, 250, 300
Number of event nodes                  100, 200, 300, 400, 500
Round (cluster reorganization cycle)   50, 100, 200
Range of sensing                       10m (= 1 hop)
Minimum distance between nodes         5m
Sink position                          (50, 0)
Initial energy per node                100 units
Transmitting energy                    1 unit (data), 0.25 (interest)
Receiving energy                       1 unit (data), 0.25 (interest)

B. Evaluation and Analysis of RTBC
In the experiment, the number of nodes per cluster head was measured in a network of 300 nodes with no isolated nodes. On average, clusters form a stable shape with about 20 nodes each. In the simulation, DD and RTBC were each run 10 times under the same conditions in a sensor network of 300 nodes. The cluster reorganization frequency was also examined by setting it to 50, 100, and 200 event occurrences, to determine which frequency is the most efficient; this matters because organizing clusters costs more energy than non-hierarchical techniques. The number of each kind of message and the total energy consumption were compared. In the figures below, the horizontal axis stands for the number of events and the vertical axis for the number of interest messages according to the event occurrence. Looking at RTBC(50), RTBC(100) and RTBC(200), which reorganize clusters every 50, 100 and 200 events respectively, the number of interest messages demanded is higher than in DD, the non-hierarchical routing technique, when RTBC is set to 50, the lowest value; but when RTBC is set to 100 or above, the number of interest messages is lower than in DD, or at almost the same level. Comparing the numbers of messages produced by the simulation, the message technique using clustering proves effective in preventing duplicate data. Its overall effectiveness is shown in the following figures.

Figure 5. Number of nodes within each cluster

Figure 6. Comparison of the number of interest messages

Figure 7. Comparison of the number of data messages


Figure 8. Comparison of the total amount of energy consumption


C. Results of the Efficiency Evaluation of RTBC
RTBC, the hierarchical routing technique for wireless sensor networks, was defined with a 10m transmission and reception range, and a realistic, practical technique was suggested through routing within and out of clusters. Several conclusions can be drawn from the experiments above. First, using the hierarchical clustering technique in the sensor network made it possible to save energy overall, and to consume energy efficiently through its equal distribution. Second, the number of interest messages to nodes with event occurrences also decreased; the experiments show this improves energy efficiency by over 18% on average. By forwarding the interest message received from the sink, the cluster head can also prevent duplicate messages. Third, preventing duplicate data at the cluster not only improves the credibility of data transmission but also saves energy across the whole network; RTBC proved an efficient routing technique, preventing about 58% of duplicate message transmissions. Fourth, realistic clustering can be organized using sensor nodes with a limited transmission range, meaning the low-power communication traits of sensor nodes can be exploited; for this to be possible, however, the cluster reorganization frequency must be set properly.

V. CONCLUSION

technique based on clustering is possible, and superior from comparison and evaluation with DD. Based on the result of this research, it is well expected that the realistic routing technique will be able to used widely through preventing double data through clustering and managing data regionally.

REFERENCES
Akyildiz, I.F., W. Su, Y. Sankarasubramaniam, E. Cayirci, "A Survey on Sensor Networks", IEEE Communication Magazine, pp. 102-114 August 2002. [2] M. Tubaishat, S. Madria, "Sensor Networks : An Overview," IEEE Potencials, April/May 2003. [3] A. Wadaa, S. Olariu, L. Wilson, K. Jones, Q. Xu, "On Training a Sensor Network", Proceedings of the International Parallel and Distributed Processing Symposium(IPDPS'03), IEEE, 2003. [4] Wendi Rabiner Heinzelman, Anantha Chandrak asan, and Hari Balakrishnan, “Energy- efficient communication protocols for wireless microsensor networks,” in Proceedings of the Hawaii International Conference on Systems Sciences, Jan. 2000. [5] Wendi Rabiner Heinzelman, Joanna Kulik, Hari Balakrishnan, "Adaptive protocols for information dissemination in wireless sensor networks," Proceedings of the fifth annual ACM/IEEE international Conference on Mobile Computing and Networking, August 1999. [6] Chalermek Intanagonwiwat, Ramesh Govindan and Deborah Estrin, "Direct Diffustion : A Scalable and Robust Communication Paradigm for Sensor Networks," Proceedings of the Sixth Annual International Conference on Mobile Computing and Networks, August 2000. [7] J. A. Gutierrez, M. Naeve, E. Callaway, M. Bourgeois, V. Mitter and B. Heile, “IEEE 802.15.4: A Developing Standard for Low-Power LowCost Wireless Personal Area Networks,” IEEE Network Magazine, volume 15, Issue 5, pp.12-19, September/October 2001 [8] Noseong Park, Daeyoung Kim, Yoonmee Doh, Sangsoo Lee and Ji-tae Kim, “An Optimal and Lightweight Routing for Minimum Energy Consumption in Wireless Sensor Networks,” IEEE RTCSA 2005, August 2005 [9] Li-Chun Wang, Chuan-Ming Liu, Chung-Wei Wang, "Optimizing the Number of Clusters in a Wireless Sensor Networks Using Cross-layer", IEEE International Conference on Mobile Ad-hoc and Sensor Systems. 2004. [10] M. J. Handy, M. Haase, D. Timmermann, “Low Energy Adaptive Clustering Hierarchy with Deterministic Cluster-Head Selection", IEEE, 2002. 
AUTHORS PROFILE B. Kim. Author is with the Department of Computing, Ph.D. course, Soongsil University, Seoul, Korea. His current research interests focus on the communications in wireless sensor networks (e-mail:bskim@cherry.ssu.ac.kr). H. Lim. Author is with the Department of Computing, M.Sc. course, Soongsil University, Seoul, Korea. His current research interests focus on the communications in wireless sensor networks (e-mail: jhlee@cherry.ssu.ac.kr). Y. Shin. Author was with the Computer Science Department M.Sc. and Ph.D., University of Iowa. He is now with the Professor, Department of Computing, Soongsil University. (e-mail: shin@ssu.ac.kr). [1]

In a wireless sensor network, owing to the characteristics of the application programs and the limitations of the hardware, preserving the energy of the nodes so that the network keeps operating continuously is more important than raw efficiency, and collecting the sensed information should be easy. These traits shape the network protocol, and the protocols Flooding, SPIN, DD and LEACH were suggested by earlier research. Although LEACH, which uses hierarchical routing, has many strong points, such as detecting duplicate sensed data and managing data transmission regionally, it is not efficient because it is not appropriate for sensor nodes with a limited transmission range. Therefore a network protocol is required that respects a realistic transmission range while still, compared with non-hierarchical routing, detecting duplicate data and managing it regionally. This paper therefore suggests RTBC, a routing technique based on clustering for preventing duplicate data, which recognizes the diachronic traits of the wireless sensor network's surroundings. For this purpose, RTBC was compared with the established non-hierarchical routing techniques by defining the processes of organizing a cluster, routing within a cluster, and routing outside a cluster. Through simulation, RTBC's prevention of duplicate data was tested and the efficiency of managing data regionally was analyzed, and it was deduced that the realistic routing

65

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

An optimal method for wake detection in SAR images using Radon transformation combined with wavelet filters
* Ms. M. Krishnaveni, ** Mr. Suresh Kumar Thakur, *** Dr. P. Subashini

* Lecturer (SG), Department of Computer Science, Avinashilingam University for Women, Coimbatore, India
** Deputy Director, Naval Research Board-DRDO, New Delhi, India
*** Research Assistant-NRB, Department of Computer Science, Avinashilingam University for Women, Coimbatore, India

Abstract - A new method for ship wake detection in synthetic aperture radar (SAR) images is explored here. Most detection procedures apply the Radon transform, as its properties suit the detection purpose better than any other transformation. Problems remain, however, when the transform is applied to an image with a high level of noise. This paper articulates the combination of the Radon transformation with shrinkage methods, which improves the wake detection process. The shrinkage method combined with the Radon transform maximizes the signal-to-noise ratio and hence leads to optimal detection of lines in SAR images. The originality lies mainly in the denoising segment of the proposed algorithm. Experiments are carried out on both simulated and real SAR images. The detection process is more accurate with the proposed method than with the conventional methods.

Keywords: SAR images, threshold, radon transformation, Signal to noise ratio, denoising
I. INTRODUCTION

In navy radar applications, the presentation of the radar image has traditionally been the way for the radar operator to interpret the information manually. The large increase in the computational capacity of image processing in modern radar systems has had a great effect on the detection and extraction of targets [5]. With powerful image processing techniques and algorithms, modern radar systems have the possibility to extract targets and their velocity from the surrounding background. A condition for this automatic detection is that the radar image be relatively free from undesired signals [2], such as rain clutter, sea clutter, measuring noise, landmasses, birds, etc. Conventional filtering such as Doppler, median and Wiener filtering is often used to remove these undesired signals and extract the interesting part of the radar image. Image processing techniques improve the radar image and enable automatic classification and presentation of the objects. The analysis of ship wakes in SAR imagery with specialized algorithms can provide significant information about a wake's associated vessel, including the approximate size and heading of the ship [13]. The velocity of the vessel can be estimated by measuring the displacement of the ship relative to the height of the wake. Image processing algorithms such as the Fourier transform and the Radon transform allow the user to manipulate SAR images in a way that dramatically increases the chance of detecting ship wakes [2]. The paper is organized as follows: Section 2 deals with image localization (SAR images); Section 3 deals with wavelet denoising methods and their metrics; Section 4 covers the Radon transformation and its performance; Section 5 discusses the experimental results of the shrinkage methods and the Radon transformation. The paper concludes with remarks on achievable prospects in this area.

II. IMAGE LOCALIZATION

This is the first and lowest-level operation performed on images; the input and the output are both intensity images. The main idea of the preprocessing is to suppress information in the image that is not relevant for its purpose or for the following analysis of the image. The preprocessing techniques use the fact that neighboring pixels have essentially the same brightness. Many different preprocessing methods have been developed for different purposes; the area of interest for this work is image filtering for noise suppression. Methods based on wavelet transforms have emerged for removing Gaussian random noise from images [1]. This local preprocessing speckle-reduction technique is necessary prior to the processing of SAR images. Here we adopt wavelet shrinkage, or thresholding, as the denoising method [3]. It is well known that increasing the redundancy of wavelet transforms can significantly improve denoising performance [7][8].

Thus a thresholding process which passes the coarsest approximation sub-band and attenuates the rest of the subbands should decrease the amount of residual noise in the overall signal after the denoising process [4].
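The pass-the-approximation, attenuate-the-details idea can be sketched with a single-level orthonormal Haar transform (an illustration only, not the authors' implementation; the paper itself uses an undecimated DWT with Daubechies wavelets):

```python
import numpy as np

def haar_shrink(x, t):
    """Single-level Haar decomposition of a 1-D signal: pass the coarsest
    approximation sub-band untouched, soft-threshold the detail sub-band
    at t, then invert the transform."""
    a = (x[0::2] + x[1::2]) / np.sqrt(2)           # coarsest approximation
    d = (x[0::2] - x[1::2]) / np.sqrt(2)           # detail sub-band
    d = np.sign(d) * np.maximum(np.abs(d) - t, 0)  # soft thresholding
    y = np.empty_like(x, dtype=float)              # inverse Haar step
    y[0::2] = (a + d) / np.sqrt(2)
    y[1::2] = (a - d) / np.sqrt(2)
    return y
```

With t = 0 the reconstruction is exact; with t > 0 the high-frequency content carried by the detail sub-band is attenuated while the approximation survives, which is exactly the residual-noise reduction described above.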
III. IMAGE DENOISING USING WAVELET

The two main limits on image accuracy are categorized as blur and noise. Blur is intrinsic to image acquisition systems, as digital images have a finite number of samples and must respect the sampling conditions. The second main image perturbation is noise. Image denoising is used to remove the additive noise while retaining as much as possible of the important signal features [1]. Currently a reasonable amount of research is done on wavelet thresholding and threshold selection for signal denoising, because wavelets provide an appropriate basis for separating the noisy signal from the image signal [3]. Two shrinkage methods are used here to calculate new pixel values in a local neighborhood. Shrinkage is a well-known and appealing denoising technique [9][10]. The use of shrinkage is known to be optimal for Gaussian white noise, provided that sparsity of the signal's representation is enforced using a unitary transform [6]. Here a new approach to image denoising is used, based on the image-domain minimization of an estimate of the mean squared error, Stein's unbiased risk estimate (SURE), as specified in equation (1). The SURE-LET method directly parameterizes the denoising process as a sum of elementary nonlinear processes with unknown weights. Unlike most existing denoising algorithms, using the SURE makes it needless to hypothesize a statistical model for the noiseless image. A key point is that, although the (nonlinear) processing is performed in a transformed domain (typically an undecimated discrete wavelet transform, but nonorthonormal transforms are also addressed), the minimization is performed in the image domain [6].

sure(t; x) = d - 2 #{i : |x_i| <= t} + Σ_{i=1}^{d} min(|x_i|, t)^2    --(1)

where d is the number of elements in the noisy data vector and x_i are the wavelet coefficients. This procedure is smoothness-adaptive, meaning that it is suitable for denoising a wide range of functions, from those that have many jumps to those that are essentially smooth. It outperforms the NeighShrink method; a comparison is made between these two methods to demonstrate the advantage of SURE-LET shrinkage for denoising SAR images. The experimental results, presented in graph format, show that SURE-LET shrinkage minimizes the objective function the fastest, while being as cheap as the NeighShrink method [15]. Measuring the amount of noise by its standard deviation σ(n), one can define the signal-to-noise ratio (SNR) as in equation (2):

SNR = σ(μ) / σ(n)    --(2)

where σ(μ), given in equation (3), denotes the empirical standard deviation of μ(i):

σ(μ) = ( (1/|I|) Σ_{i∈I} (μ(i) - m)^2 )^(1/2)    --(3)

and m = (1/|I|) Σ_{i∈I} μ(i) is the average grey-level value.

The standard deviation of the noise can also be obtained as an empirical measurement or computed formally when the noise model and parameters are known. This parameter measures the degree of filtering applied to the image [5]. The results also demonstrate that the PSNR rises faster with the proposed method than with the former one. The resulting denoised image is passed to the next stage, where the transformation is applied, and this is also shown to improve the detection process.

IV. RADON TRANSFORMATION

Detecting ships and estimating their velocities are major tasks in SAR image analysis. The proposed method takes advantage of two thresholding techniques and introduces some innovation by using the Radon transform to detect the ship wake and estimate the range velocity component [12]. The proposed technique was applied to synthetic raw data containing a moving vessel and its respective wake. The Radon transform calculates the angle that a straight line perpendicular to the track makes with the x-axis at the center of the image; knowing this, one simply adds 90 degrees to the obtained value to find the angle of the wake arm. If an image I has dimensions M x M, its Radon transform I^ is given in equation (4):

I^(x_θ, θ) = Σ_{y_θ = -M/2}^{M/2} I(x_θ cos θ - y_θ sin θ, x_θ sin θ + y_θ cos θ),   θ ∈ [0, π]    --(4)

where (x_θ, y_θ) ∈ Z^2.
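Equation (1) can be sketched numerically as follows (an illustrative assumption: a plain soft-threshold SURE search over the coefficient magnitudes, which is simpler than the SURE-LET parameterization the paper actually uses):

```python
import numpy as np

def sure(t, x):
    # Equation (1): SURE risk of soft-thresholding the (unit-variance)
    # wavelet coefficients x at threshold t.
    d = x.size
    return d - 2 * np.count_nonzero(np.abs(x) <= t) \
             + np.sum(np.minimum(np.abs(x), t) ** 2)

def sure_threshold(x):
    # Choose, among the coefficient magnitudes, the threshold that
    # minimises the estimated risk.
    cands = np.sort(np.abs(x))
    risks = [sure(t, x) for t in cands]
    return cands[int(np.argmin(risks))]
```

Because the risk estimate is data-driven, the selected threshold adapts to each sub-band instead of relying on a universal threshold, which is the property the comparison with NeighShrink exploits.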


Several definitions of the Radon transform exist; one expresses lines in the form rho = x*cos(theta) + y*sin(theta), where theta is the angle and rho the smallest distance to the origin of the coordinate system [12]. The Radon transform for a set of parameters (rho, theta) is the line integral through the image g(x, y), where the line is positioned according to the value of (rho, theta). delta() is the Dirac delta function, which is infinite for argument 0 and zero for all other arguments [14]. This transform is applied to the original image and to the denoised images produced by the two methods [11]. The detection of line segments in SAR images is more accurate with SURE-LET denoising followed by the Radon transformation than with the former or the conventional method. Experiments are carried out with the proposed method to verify and validate the results. With the angle of both arms of the wake calculated, the equation of the line that passes through each of them can be estimated.
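A direct discrete reading of equation (4), with nearest-neighbour sampling, can be sketched as follows (an illustrative sketch, not the authors' implementation):

```python
import numpy as np

def radon(img, thetas):
    # Discrete version of equation (4): for each angle theta and offset
    # x_theta, sum nearest-neighbour image samples along the rotated line.
    M = img.shape[0]
    half = M // 2
    offsets = np.arange(-half, half)      # x_theta values
    ys = np.arange(-half, half)           # y_theta runs over -M/2 .. M/2-1
    out = np.zeros((M, len(thetas)))
    for j, theta in enumerate(thetas):
        c, s = np.cos(theta), np.sin(theta)
        for i, xt in enumerate(offsets):
            xs = np.rint(xt * c - ys * s).astype(int) + half
            yy = np.rint(xt * s + ys * c).astype(int) + half
            ok = (xs >= 0) & (xs < M) & (yy >= 0) & (yy < M)
            out[i, j] = img[xs[ok], yy[ok]].sum()
    return out
```

The peak of the output gives the (rho, theta) pair of the dominant line in the image; per the text above, adding 90 degrees to the detected angle yields the wake-arm angle.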
V. RESULTS AND DISCUSSION

To verify the validity of the proposed method, the results are compared on the basis of PSNR and time for the two shrinkage methods, as given in figure 1. Extending to the next stage of the work, the detected angle is also compared based on the radial coordinate (rho). Noise (sigma) is the main parameter of the comparison. SURE-LET is the more recent method, based on the SURE. The DWT was used with Daubechies least-asymmetric compactly-supported wavelets with eight vanishing moments and four scales. SAR images of 120 x 120 pixels are used for applying the Radon transformation. They were contaminated with Gaussian random noise with sigma values of 10, 20, 30, 50, 75 and 100.

Figure 1: Comparison of PSNR values and time for the two methods (NeighShrink and SURE-LET) on two SAR images

For wake detection, the angle is obtained by applying the Radon transformation, which yields the same angle value with variations in the rho values, as shown in figure 2.

Figure 2: (a) Original image (b) Angle using RT (c) Angle using first denoising method and RT (d) Angle using second denoising method and RT

Table 1 gives the radial coordinate (rho) and angle values for two SAR images, with the corresponding change of noise values for each method.

SAR image | Noise values | Original image with RT (radial / angle) | Denoised, first method, with RT (radial / angle) | Denoised, second method, with RT (radial / angle)
Image 1   | 10, 100      | 195 / 85                                | 48 / 85                                          | 50 / 85
Image 2   | 10, 100      | 85 / 45                                 | 85 / 45                                          | 155 / 45

Table 1: Comparison of the three methods with change of noise values

VI. CONCLUSION

In the proposed method, the originality of the technique lies in detecting the wake and estimating the velocity of vessels more effectively. The projected method shows that SURE-LET, compared with NeighShrink, can achieve optimal results by using the best threshold in each band instead of the suboptimal universal threshold in all bands. It exhibits excellent performance for wake detection, and the experimental results show that it produces both higher PSNRs and better visual quality than the former and conventional methods. The Radon transform is used to detect the ship wake and estimate the range velocity component. The key


advantage is that it has low computational requirements. Further enhancement of the work can concentrate on the neighbouring window size for every wavelet sub-band, which helps in difficult cases when the ship wake is not clearly visible in the image. It is therefore concluded that the proposed method gives better detection with a lower probability of false alarm.

References
[1] R. Sivakumar, "Denoising of Computer Tomography Images using Curvelet Transform," ARPN Journal of Engineering and Applied Sciences, February 2007.
[2] P. Marques and J. Dias, "Moving Target Trajectory Estimation in SAR Spatial Domain Using a Single Sensor," IEEE Trans. on Aerospace and Electronic Systems, Vol. 43, No. 3, pp. 864-874, July 2007.
[3] S. M. Ali, M. Y. Javed and N. S. Khattak, "Wavelet based despeckling of synthetic aperture radar images using adaptive and mean filters," Int. J. Computer Sci. Eng., 1(2):108-112, 2007.
[4] A. Gupta, S. D. Joshi, and S. Prasad, "A new approach for estimation of statistically matched wavelet," IEEE Transactions on Signal Processing, 53:1778-1793, May 2005.
[5] S. Lopez and R. Cumplido, "A Hybrid Approach for Target Detection Using CFAR Algorithm and Image Processing," Fifth Mexican International Conference on Computer Science, 2004.
[6] D. K. Hammond and E. P. Simoncelli, "Image denoising with an orientation-adaptive Gaussian scale mixture model," Center for Neural Science and Courant Institute of Mathematical Sciences, New York University.
[7] S. Durand and J. Froment, "Reconstruction of wavelet coefficients using total variation minimization," SIAM Journal on Scientific Computing, 24(5), pp. 1754-1767, 2003.
[8] G. Y. Chen and T. D. Bui, "Multi-wavelet De-noising using Neighboring Coefficients," IEEE Signal Processing Letters, vol. 10, no. 7, pp. 211-214, 2003.
[9] P. Mrazek and J. Weickert, "Rotationally Invariant Wavelet Shrinkage," in B. Michaelis and G. Krell (Eds.), DAGM 2003, LNCS 2781, pp. 156-163, Springer-Verlag Berlin Heidelberg, 2003.
[10] A. Achim, P. Tsakalides and A. Bezerianos, "SAR Image Denoising via Bayesian Wavelet Shrinkage Based on Heavy-Tailed Modeling," IEEE Trans. Geosci. Remote Sensing, 41(8):1773-1784, 2003.
[11] G. Chang, B. Yu, and M. Vetterli, "Adaptive wavelet thresholding for image denoising and compression," IEEE Transactions on Image Processing, 9:1532-1546, September 2000.
[12] A. C. Copeland, G. Ravichandran, and M. M. Trivedi, "Localized Radon transform-based detection of ship wakes in SAR images," IEEE Trans. on Geoscience and Remote Sensing, 33, 35-45, 1995.
[13] Haiyan Li, Yijun He and Wenguang Wang, "Improving Ship Detection with Polarimetric SAR based on Convolution between Co-polarization Channels," Sensors, www.mdpi.com/journal/sensors.
[14] M. T. Rey, J. K. Tunaley, J. T. Folinsbee, P. A. Jahans, J. A. Dixon, and M. R. Vant, "Application of Radon transform techniques to wake detection in Seasat-A SAR images," IEEE Transactions on Geoscience and Remote Sensing, vol. 28, July 1990.
[15] T. Nabil, "SAR Image Filtering in Wavelet Domain by Subband Depended Shrink," Int. J. Open Problems Comp. Math., Vol. 2, No. 1, March 2009.


AES Implementation and Performance Evaluation on 8-bit Microcontrollers
Hyubgun Lee, Computing Department, Soongsil University, Seoul, South Korea
Kyounghwa Lee, Computing Department, Soongsil University, Seoul, South Korea
Youngtae Shin, Computing Department, Soongsil University, Seoul, South Korea

Abstract— The sensor network is a networking technique for implementing the ubiquitous computing environment: a wireless network environment consisting of many lightweight, low-power sensors. Although the sensor network provides various capabilities, it cannot ensure secure authentication between nodes, which eventually undermines the reliability of the entire network and causes many security problems. Therefore, an encryption algorithm suitable for sensor networks is required to implement a reliable sensor network environment. In this paper, we propose a solution for a reliable sensor network by analyzing the communication efficiency through measuring the performance of the AES encryption algorithm by plaintext size, and the cost of operation per hop according to the network scale.

Keywords: Wireless Sensor Networks; AES algorithm; 8-bit Microcontroller

I. INTRODUCTION

The sensor network is a networking technique for implementing the ubiquitous computing environment: a wireless network consisting of many lightweight, low-power sensors. It is being researched and developed by various standards bodies and research organizations, and as a result sensor networks have been applied to fields such as logistics, environmental control, and home networking [1]. In these environments, the data collected by sensors is used, through systematic analysis and cross-linking between services, in a variety of services. Therefore, the common security requirements (integrity, confidentiality, authentication, non-repudiation) are needed for security services and applications. Public key encryption is a fundamental and widely used technology around the world, but hardware limitations such as memory and battery mean it cannot be applied to the sensor network [2]. Therefore, symmetric key encryption with low energy consumption is used in sensor networks. In this paper, we describe Rijndael's AES algorithm among symmetric key ciphers, measure its encryption and decryption performance on an 8-bit microcontroller, and analyse the communication efficiency through the total delay per hop in a sensor network.

The structure of the paper is organized as follows: Section 2 describes Rijndael's AES encryption algorithm among symmetric key ciphers; Section 3 measures the encryption and decryption performance on the 8-bit microcontroller; Section 4 analyzes the communication efficiency in the sensor network through the total delay per hop; and Section 5 concludes the paper.

II. AES (ADVANCED ENCRYPTION STANDARD)

A. Rijndael's algorithm
The AES (Advanced Encryption Standard) [3] is an encryption standard using a symmetric block cipher. It was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001. The central design principles of the AES algorithm are symmetry across different platforms and efficiency of processing. After a 5-year standardization process, NIST adopted the Rijndael algorithm as the AES. The AES operates on 128-bit blocks of data and can encrypt and decrypt blocks using secret keys of 128, 192 or 256 bits; the actual key size depends on the desired security level. The different versions are most often denoted AES-128, AES-192 or AES-256. The cipher Rijndael [4] consists of an initial Round Key addition, Nr-1 rounds, and a final round. Figure 1 shows the pseudo C code of the Rijndael algorithm.

Rijndael(State, CipherKey)
{
    KeyExpansion(CipherKey, ExpandedKey);
    AddRoundKey(State, ExpandedKey);
    for (i = 1; i < Nr; i++)
        Round(State, ExpandedKey + Nb*i);
    FinalRound(State, ExpandedKey + Nb*Nr);
}

Figure 1. Rijndael algorithm
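The variant parameters above can be summarized in a small sketch (the figures are from FIPS 197; the function name is ours, for illustration only):

```python
# FIPS 197 parameters: key length in bits -> (Nk key words, Nr rounds).
# Nb = 4 state columns for every variant; the expanded key holds
# Nb * (Nr + 1) 32-bit words: one round key per round plus the initial one.
AES_PARAMS = {128: (4, 10), 192: (6, 12), 256: (8, 14)}

def expanded_key_words(key_bits):
    _nk, nr = AES_PARAMS[key_bits]
    return 4 * (nr + 1)
```

So AES-128 needs 44 expanded-key words, AES-192 needs 52, and AES-256 needs 60.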


The key expansion can be done beforehand, and Rijndael can be specified in terms of the Expanded Key. The Expanded Key shall always be derived from the Cipher Key and never be specified directly; there are, however, no restrictions on the selection of the Cipher Key itself. Figure 2 shows the pseudo C code of Rijndael's Expanded Key algorithm.

Rijndael(State, ExpandedKey)
{
    AddRoundKey(State, ExpandedKey);
    for (i = 1; i < Nr; i++)
        Round(State, ExpandedKey + Nb*i);
    FinalRound(State, ExpandedKey + Nb*Nr);
}

Figure 2. Rijndael's Expanded Key algorithm


B. AES round transformation
The round transformation [5] modifies the 128-bit State. The initial State is the input plaintext and the final State is the output ciphertext. The State is organised as a 4 x 4 matrix of bytes. The round transformation scrambles the bytes of the State either individually, row-wise, or column-wise by applying the functions SubBytes, ShiftRows, MixColumns, and AddRoundKey sequentially. Figure 3 shows how the AES iterates the round transformation.

Figure 3. AES iterates a round transformation.

An initial AddRoundKey operation precedes the first round. The last round differs slightly from the others: the MixColumns operation is omitted. SubBytes is a substitution function in the cipher round. In the SubBytes step, each byte in the State is replaced with its entry in a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently. Figure 4 shows how SubBytes applies the S-box to each byte of the State.

Figure 4. SubBytes applies the S-box to each byte of the State

ShiftRows is a permutation function in the cipher round. In the ShiftRows step, bytes in each row of the State are shifted cyclically to the left; the number of places each byte is shifted differs for each row, so each row of the output is composed of bytes from each column of the input State. Figure 5 shows how ShiftRows cyclically shifts the last three rows of the State.

Figure 5. ShiftRows cyclically shifts the last three rows in the State

MixColumns is a mixing function in the cipher round. In the MixColumns step, the four bytes of each column of the State are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher. Figure 6 shows how MixColumns operates on the State column by column.

Figure 6. MixColumns operates on the State column-by-column

AddRoundKey is a key-adding function in the cipher round. In the AddRoundKey step, the subkey is combined with the State. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the State. The subkey is added by combining each byte of the State with the corresponding byte of the subkey using bitwise XOR. Figure 7 shows how AddRoundKey XORs each column of the State with a word from the key schedule.

Figure 7. AddRoundKey XORs each column of the State with a word from the key schedule

AES decryption computes the original plaintext of an encrypted ciphertext. During decryption, the AES algorithm reverses encryption by executing inverse round transformations in reverse order. The round transformation of decryption uses the functions AddRoundKey, InvMixColumns, InvShiftRows, and InvSubBytes.
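Two of the round functions are simple enough to sketch directly on a 4 x 4 State (an illustration only; SubBytes and MixColumns additionally need the S-box and GF(2^8) arithmetic, which are omitted here):

```python
import numpy as np

def shift_rows(state):
    # Row r of the 4x4 State is rotated left by r byte positions.
    return np.array([np.roll(state[r], -r) for r in range(4)])

def add_round_key(state, subkey):
    # Byte-wise XOR of the State with the round subkey; because XOR is
    # its own inverse, applying the same subkey twice restores the State.
    return state ^ subkey
```

The involution property of add_round_key is why the same function appears in both encryption and decryption.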


III. IMPLEMENTATION AND PERFORMANCE EVALUATION

A. Experiment and Device
For the performance analysis of the AES encryption algorithm in the sensor network, we use the ATmega644p [6], an 8-bit microcontroller, as the hardware device. AVR Studio 4 and Programmer's Notepad from WinAVR are used as development tools, and a JTAG (Joint Test Action Group) emulator is used as the debugging tool. Figure 8 shows the devices used for the performance analysis of the AES encryption algorithm.

Figure 8. Device for the performance analysis of AES

The ATmega644p 8-bit microcontroller is made by Atmel. Its main function is to ensure correct program execution; it must therefore be able to access memories, perform calculations, control peripherals, and handle interrupts. It has a 20 MHz system clock, prescalers of 8, 64, 256 or 1024, and an advanced RISC architecture. AVR Studio allows execution and debugging without an AVR microcontroller board, and compiled programs are applied to the AVR. Programmer's Notepad with the Win-GCC compiler compiles the written C code; the compiled programs are loaded into AVR Studio. The JTAG emulator, following the JTAG standard, is an I/O device using the JTAG port which receives information from the PCB or IC.

B. The implementation principle
For the performance measurement of the AES encryption algorithm, we apply the AES-128 CBC (Cipher Block Chaining) mode on the ATmega644p's EEPROM. In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. Also, to make each message unique, an initialization vector must be used in the first block. Figure 9 shows CBC mode encryption [7].

Figure 9. CBC mode encryption

The timer mode for the time measurement uses the Timer/Counter CTC (Clear Timer on Compare Match) mode. The CTC mode generates the compare interrupt only if the counter value (TCNT), which is cleared to zero, matches the OCR. The timer measurement counts the compare interrupts (P) per 1 ms. The operation time per clock (TC) is the following:

TC = 1 / Frequency = 1 / (20 * 10^6)    (1)

The ATmega644P has a system clock prescaler, and the system clock can be divided by setting the Clock Prescale Register. The prescale time per system clock tick (TP) is the following:

TP = prescaler * TC    (2)

The Timer/Counter (TCNT) and Output Compare Register (OCR) are 8-bit registers. The OCR value for generating the compare interrupt is the following:

OCR0A = 0xFF - (0xFF - (P / TP) + 1)    (3)

C. Result
For the comparison between encryption and decryption performance, we use the AES-128 CBC mode. The operation time of encryption and decryption is measured for data sizes of 16, 32, 64, 128, 256 and 512 bytes. Table 1 and Figure 10 show the encryption and decryption operation time and CPU cycles according to the data size.

TABLE I. THE COMPARISON BETWEEN ENCRYPTION AND DECRYPTION PERFORMANCE BY DATA SIZES

Data size (byte):   16      32      64      128     256      512
Enc time (ms):      449     898     1,796   3,592   7,184    14,368
Enc CPU cycles:     8,980   17,960  35,920  71,840  143,680  287,360
Dec time (ms):      456     912     1,825   3,649   7,297    14,592
Dec CPU cycles:     9,120   18,240  36,500  72,980  145,940  291,840
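The CBC chaining described in section B can be sketched with a toy stand-in for the block cipher (a plain XOR with the key, chosen only to show the chaining structure; it is not secure and is not the AES code measured in the experiments):

```python
def xor_block(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(block, key):
    # Stand-in for AES block encryption (NOT secure; XOR is its own inverse).
    return xor_block(block, key)

def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for b in blocks:
        # Each plaintext block is XORed with the previous ciphertext
        # block (the IV for the first block) before being "encrypted".
        prev = toy_cipher(xor_block(b, prev), key)
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(xor_block(toy_cipher(c, key), prev))
        prev = c
    return out
```

Even with this trivial cipher, the chaining hides repeated plaintext blocks: two identical input blocks produce different ciphertext blocks.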

Encyption 350,000 300,000 250,000 200,000 150,000 100,000 50,000 0 16 32 64 128 256 Data Size (byte) 512 Decyption

The data delivery process by hop communication is following:

CPU cycle

∀Ni ∈ subnet

(i = 0...n)

Ni → Ni + 1 : msg E = E < K prv , plantext > Ni + 1 → Ni + n : msg E = E < K prv , D < K prv , msg E >>

(4)

Figure 10. The operation time and CPU Cycle by data sizes

If the delay by hop communication includes encryption delay, decryption delay and data transfer delay, total delay is the following:

In the result, the operation time and CPU Cycle by data sizes increase approximately 2 times. In 512 byte, it takes approximately 14 minutes to the encryption and decryption. IV. APPLICATION SCENARIO

Thop −by − hop = t Enc + t Transmitio n + t Dec + Δt

(5)

A. Network model Figure 11 shows that a general node (Ni) sends the secured data packet to the cluster head (CH) in the same subnet.
CH Ni N Ni Ni N2 N1 N3 N4

The Δt in equation (5) represents the delay for the allocation and channel access. It has between zero and Thop −by − hop . When the general node and the cluster head communicate to the encrypted packet data, the generated total delay is the following:
Ttot = ∑ i × (Thop −by −hop )
i =1 n

(1 < n)

(6)

Ni Ni
Cluster Head(CH) Sensor node (Ni) Subnet

The n in equation (6) represents the total hop counts. It has more than 1 for the communication by the neighbor node. Figure 12 shows that total delay according to the count of hop between CH and Ni. We assume that the encryption delay is 449ms, decryption delay is 456ms and data transfer delay is 10 ms in 16 byte data. And the number of nodes in the entire network is 215 which is less than the maximum number of nodes 65,535 in the WPAN area. We does not consider the channel access and allocation delay.

Figure 11. Sensor Network Application Model

Total Delay (ms )

For measurement of the data encryption and decryption transmission delay by the number of communication hop, the following assumptions are established. Namely, the every node within subnet has same performance, and there is no interfere or packet loss in the data communication. Each node shares common key with neighbor nodes in advance, and operates encryption and decryption once per hop. The communication for the generating of Pair-wise Shared Key is similar to the μTESLA(Micro Timed Efficient Stream Loss-tolerant Authentication) protocol of the sensor network [8]. B. Communication delay in sensor network In communication process of the sensor network, the Beacon Request Command and Association Request Command are communicated between new node and cluster head. The general node (N1) encrypts the data using the pre-deployed security key. It sends secured data to the neighbor node (N2). The node (N2) decrypts the encrypted message ( msg E ) using the pre-deployed security keys. Then it obtained to the plantext. The node (N2) repeats the same process in the previous step using the private key shared with its neighbor node (N3).

Figure 12. Total delay according to the hop count

In Figure 12, 30 hops and 180 hops generate delays of 27,450 ms and 164,700 ms, respectively. If the number of nodes in the entire network is 65,535 (the maximum number of nodes in the sensor network [1]), the measured delay is 59,964,525 ms (about 16 hours). The fundamental reason for this extensive delay is the performance of the equipment used in


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

the experiment: the 8-bit microcontroller has a low computational capability. Therefore, as the scale of a sensor network built from such equipment increases, the transmission delay and energy consumption also increase.

V. CONCLUSIONS

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

In this paper, we analyse the performance of the AES symmetric-key encryption algorithm on the 8-bit ATmega644p microcontroller. In an application scenario, we measure the encryption and decryption operation times by plaintext size. As a result, as the scale of the sensor network grows, the delay doubles, and energy consumption increases accordingly. In future work, a more specific performance analysis over plaintext size and hop count is required.

ACKNOWLEDGMENT
This work was supported by the IT R&D program of MKE/IITA [2008-S-041-01, Development of Sensor Network PHY/MAC for the u-City].

REFERENCES
[1] IEEE Std 802.15.4, "Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LR-WPANs)", 2003.
[2] Yun Zhou, Yuguang Fang, Yanchao Zhang, "Securing wireless sensor networks: a survey," IEEE Communications Surveys and Tutorials, Vol. 10, No. 3, 3rd Quarter, 2008.
[3] FIPS 197: Announcing the Advanced Encryption Standard, Nov. 26, 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[4] J. Daemen and V. Rijmen, "AES Proposal: Rijndael," AES Algorithm Submission, September 3, 1999.
[5] M. Feldhofer, J. Wolkerstorfer, and V. Rijmen, "AES implementation on a grain of sand," IEE Proc. Inf. Security, vol. 152, IEE, pp. 13-20, Oct. 2005.
[6] Atmel, 8-bit Microcontroller with 16/32/64K Bytes In-System Programmable Flash, E ed., Atmel, San Jose, CA, Aug. 2008. http://www.atmel.com/dyn/resources/prod_documents/doc7674S.pdf
[7] S. Kim, Ingrid Verbauwhede, "AES implementation on 8-bit microcontroller," Department of Electrical Engineering, University of California, Los Angeles, USA, September 2002.
[8] A. Perrig et al., "SPINS: Security Protocols for Sensor Networks," ACM Wireless Networks, vol. 8, no. 5, Sept. 2002.

AUTHORS PROFILE
H. Lee is with the Department of Computing, M.Sc. course, Soongsil University, Seoul, Korea. His current research interests focus on communications in wireless sensor networks (e-mail: hglee@cherry.ssu.ac.kr).
K. Lee is with the Department of Computing, Ph.D. course, Soongsil University, Seoul, Korea. Her current research interests focus on communications in wireless sensor networks (e-mail: khlee@cherry.ssu.ac.kr).
Y. Shin received his M.Sc. and Ph.D. from the Computer Science Department, University of Iowa. He is now a Professor in the Department of Computing, Soongsil University (e-mail: shin@ssu.ac.kr).


GoS Proposal to Improve Trust and Delay of MPLS Flows for MCN Services
Francisco J. Rodríguez-Pérez
Computer Science Dept., Area of Telematics Engineering University of Extremadura Cáceres, Spain

José-Luis González-Sánchez
Computer Science Dept., Area of Telematics Engineering University of Extremadura Cáceres, Spain

Alfonso Gazo-Cervero
Computer Science Dept., Area of Telematics Engineering, University of Extremadura, Cáceres, Spain

This work is supported in part by the Regional Government of Extremadura (Economy, Commerce and Innovation Council) under GRANT PDT07A039.

Abstract—In this article, Guarantee of Service (GoS) is defined as a proposal to improve the integration of Mission Critical Networking (MCN) services in the Internet, analyzing the congestion impact on privileged flows with high requirements of trust and delay. Multiprotocol Label Switching (MPLS) is a technology that offers flow differentiation and QoS in the Internet. Therefore, in order to improve network performance in case of congested domains, GoS is proposed as a technique that allows the local recovery of lost packets of MPLS privileged flows. To fulfill the GoS requirements for integration of MCN in MPLS, a minimum set of extensions to RSVP-TE has been proposed to provide GoS capable routes. Moreover, we have carried out an analytical study of GoS scalability and a performance improvement analysis by means of simulations.

Keywords-MPLS, congestion, trust, RSVP-TE, Guarantee of Service, local re-transmissions

I. INTRODUCTION
The integration of Mission Critical Networking (MCN) with the Internet enhances reachability and ubiquity and reduces the cost of deployment and maintenance. However, efficient network operation for MCN services is always required, and the Internet is a heterogeneous network that typically includes numerous resource-constrained devices [1], which creates bottlenecks that affect network performance. In this context, Multiprotocol Label Switching (MPLS) is currently used to provide policy management for heterogeneous networks and protocols with QoS integration purposes, combining traffic engineering capabilities with the flexibility of IP and class-of-service differentiation [2], [3]. MPLS Label Switched Paths (LSP) let the head-end Label Edge Router (LER) control the path that traffic takes to a particular destination [4]. This method is more flexible than forwarding traffic based on destination address only. LSP tunnels also allow the implementation of a variety of policies related to the optimization of network performance [5]. Moreover, resilience allows LSP tunnels to be automatically routed away from network failures or congestion points [6], [7]. Resource Reservation Protocol with Traffic Engineering (RSVP-TE) is the signalling protocol used to allocate resources for those LSP tunnels across the network [8]. Therefore, MPLS allocates bandwidth on the network when it uses RSVP-TE to build an LSP [9]. When RSVP-TE is used to allocate bandwidth for a particular LSP, the concept of a consumable resource in the network is introduced, in order to allow edge nodes to find paths across the domain that have bandwidth available to be allocated. However, there is no forwarding-plane enforcement of a reservation, which is signalled in the control plane only. This means that, for instance, if a Label Switch Router (LSR) makes an RSVP-TE reservation for 10 Mbps and later needs 100 Mbps, it will congest that LSP [10]. The network attempts to deliver the 100 Mbps, degrading the performance of other flows that may have even higher priority, unless traffic policing is applied using QoS techniques [11]. In this context, extensions of the RSVP-TE protocol are expected to be an important application for performance improvement in such problematic instances, because MPLS-TE provides fast networks, but with no local flow control. It is therefore assumed that devices are not going to be congested and will not lose traffic. However, resource failures and unexpected congestion cause traffic losses [12], [13]. In these cases, upper-layer protocols request re-transmissions of lost data at the end points [14], [15], but the time interval to obtain re-transmitted data can be significant for some types of time-critical MCN applications, such as real-time data delivery or synchronized healthcare services, where there are time-deadlines to be met.

The objective of this work is to analyze our Guarantee of Service (GoS) proposal as a resource engineering technique for local recovery of lost packets of MCN services, which need reliable and timely responses. With this purpose, GoS extensions of RSVP-TE [16] are used as a service-oriented technique, offering privileged LSP to mission-critical flows, in order to manage high requirements of delay and reliability. Furthermore, GoS does not propose the replacement of nodes in an MPLS domain but the incorporation of several GoS


capable MPLS nodes in bottlenecks. This way, in case of packet loss of MCN services in a congested node, there will be a set of upstream nodes to request a local re-transmission from, increasing the chances of finding lost packets faster. The remainder of this article is structured as follows: First, in Section 2, we define the GoS concept to be applied to MPLS flows for MCN services and how to signal the local recovery messages. Then, in Section 3, the proposed RSVP-TE extensions are studied, with the aim of minimizing the forwarding of GoS information across the MPLS domain. Next, an analysis of GoS scalability is presented in Section 4. In Section 5, end-to-end (E-E) and GoS recovery performance are compared by means of simulations [17], [18]. Finally, we present the conclusions, results and contributions of our research.

II. GUARANTEE OF SERVICE IN AN MPLS DOMAIN

Our GoS technique can be defined as the possibility of resilience improvement in congested networks for flows with high requirements of delay and reliability. In particular, GoS for the MPLS protocol provides LSR nodes with the capacity to locally recover lost packets of an MPLS flow for MCN services. The GoS proposal is provided by a limited RSVP-TE protocol extension, to achieve GoS capacity in intermediate nodes, in order to get faster re-transmissions of lost packets. Furthermore, our proposal lets RSVP-TE perform local recoveries in case of LSP failures by means of the Fast Reroute point-to-point technique. In [6] the efficiency of this technique was studied and compared to other E-E failure recovery techniques. Therefore, a buffer in GoS nodes to temporarily store only packets of an MCN service is needed. However, a particular packet only needs to be buffered for a short interval of time, because the time for a local recovery request for such a packet to be received is very limited, due to the low packet delay in MPLS backbones. So, a GoS node only needs to store a limited number of packets per flow, allowing very efficient buffer searches. The set of GoS nodes which have switched the packets of a GoS flow is called the GoS Plane (GoSP), and the number of hops necessary to achieve a successful local recovery is called the Diameter (d) of the local re-transmission. This way, a greater GoS level gives a higher probability of achieving a local re-transmission with a lower diameter. Therefore, the diameter is the key parameter of a GoS re-transmission. In this paper we focus on an analysis of the diameter scalability. Fig. 1 shows the operation of GoS when a packet of an MCN service is discarded, for instance, in intermediate node X4, and three feasible diameters can be used to locally recover the lost packet.

GoS characterization information of an MCN flow packet consists of the GoSP, GoS Level and Packet ID. The GoSP is the most generic information: it is a constant value for every packet of the flows in a same LSP. Therefore, it is related to the LSP, but neither to flows nor to packets. The GoS Level is a constant value for every packet of a flow; i.e., it is flow-specific information. A greater GoS level implies a greater probability that a packet can be re-transmitted from a previous hop, because a flow with a higher GoS level is signalled across an LSP with more GoS capable nodes. Moreover, more memory is allocated in GoS buffers for flows with the highest GoS level. It allows classifying the GoS priority level with respect to other MCN flows of the LSP or other paths in the domain. Moreover, this value remains constant only in packets belonging to the same MPLS Forwarding Equivalence Class (FEC). Finally, the Packet ID is necessary to request local re-transmissions in case of packet loss of an MCN service. It is packet-specific information, with a unique value per packet of a flow. In order to get the GoSP from a GoS node when an MCN flow packet is lost, we consider a domain G(U), with a set of nodes U and a data flow ϕ(G) = ϕ(x_i, x_n) in G(U) across a path LSP_{i,n}, with origin in node x_i and destination in node x_n, with {x_i, x_n} ⊂ U. Node x_n may know only the incoming port and incoming label of any arrived packet of flow ϕ(G), i.e., x_n only knows that x_{n−1} is the sender of ϕ(x_i, x_n). It could determine which node is the sender of a packet using label information. However, this is not a reliable strategy because, in case of flow aggregates, an RSVP-TE aggregator could perform reservation aggregation to merge k flows, in the form:

ϕ(x_{n−1}, x_n) = Σ_{i=1}^{k} ϕ_i(x_{n−1}, x_n)    (1)

Furthermore, x_l may not be able to satisfy the Flow Conservation Law due to congestion:

Σ_{i=1}^{k} p_il > Σ_{j=1}^{k} p_lj    (2)
The parameter p_il is the traffic volume sent from x_i across x_l, and p_lj the volume forwarded from x_l to x_j. Therefore, one or more packets are being discarded in x_l, because the number of outgoing packets from x_l is lower than the number of incoming packets. In this case, upper-layer protocols have to detect lost packets and re-transmit them from the head-end. In order to request local re-transmissions when a packet of an MCN service is lost, GoS needs to know the set of nodes that forward the GoS packets. Thus, x_n will know that discarded traffic has been stored in the upstream GoS nodes of LSP_{i,n}. The first node to request a local re-transmission from is the previous GoS capable neighbour. With this purpose, RSVP-TE has been extended to allow signalling the GoS re-transmission requests even across non-GoS nodes. This proposal avoids re-transmission requests to the head-end and causes a smaller increase of the global ϕ(G) in the congested domain. Moreover, the deployment of GoS does not

Figure 1. GoSP from node X4, with diameter = 3 hops


imply the replacement of many routers in an MPLS domain, but only the insertion of several GoS capable nodes in bottlenecks. For this purpose, a study of the distribution of GoS nodes in the domain has been carried out in order to obtain the optimal placement of GoS nodes, based on several parameters such as domain topology, link capacities, RSVP-TE reservations, network load and the GoS level of the flows. The main benefit of this study is to minimize the diameter of local recoveries in case of MCN service data loss.

A. A Connection-Oriented GoSP
The throughput of a flow would be lower if GoS characterization information were carried with the data packets. To avoid this, the GoS information carried in data packets has been minimized, signalling the GoSP when the LSP is being signalled by RSVP-TE. This task is only carried out at the beginning, before data packet forwarding. Therefore, a GoS integrated with the MPLS Control Plane (CP) avoids forwarding GoS information with every MPLS data packet. This way, GoS characterization info (GoS Level and GoSP previous hop) is only sent when the LSP is being signalled, adding a new row to a table in the GoS nodes. This is similar to the operation of the RSVP-TE protocol when an LSP is signalled across the domain, considering the GoSP as a connection-oriented subset of nodes of the LSP with GoS capability. The LSP that supports a GoSP to forward an MCN service with high requirements of delay and reliability is named a privileged LSP. This way, the GoS proposal extends the RSVP-TE protocol to allow GoSP signalling as a subset of nodes of a privileged LSP. In the CP, when a node receives an RSVP-TE message requesting a new LSP, it inserts a new row in the Forwarding Information Base (FIB), describing how to forward data packets across nodes of the LSP that is being signalled. This is the information to be used by an LSR in the MPLS Forwarding Plane (FP) when it receives an MPLS packet to be switched. With the FIB information it will know how to perform the label swapping and how to forward the packet to the next hop. Therefore, with a connection-oriented GoSP, a GoS node that detects an erroneous or discarded privileged packet in the FP only needs to get the FEC and GoS packet ID of the lost packet, because the GoS table already holds everything needed to initiate a local re-transmission request. When RSVP-TE signals a new LSP for an MCN flow, every GoS capable node of the LSP will add a new row to the FIB table, but also to the GoS Table. The flow information in that table is very simple, as shown in Table I.
TABLE I. AN EXAMPLE OF GOS TABLE VALUES

FEC   GoS Level          GoSP PHOP
35    0000000000001011   x.x.160.12
36    0000000000000001   x.x.160.73
37    0000000000010010   x.x.160.17
38    0000000000000001   x.x.160.35
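A minimal sketch of the GoS Table lookup performed when a privileged packet is lost, mirroring the layout of Table I (function and field names are ours):

```python
# GoS Table keyed by FEC, mirroring Table I: GoS level and previous GoS hop.
gos_table = {
    35: {"gos_level": 0b0000000000001011, "gosp_phop": "x.x.160.12"},
    36: {"gos_level": 0b0000000000000001, "gosp_phop": "x.x.160.73"},
    37: {"gos_level": 0b0000000000010010, "gosp_phop": "x.x.160.17"},
    38: {"gos_level": 0b0000000000000001, "gosp_phop": "x.x.160.35"},
}

def on_packet_loss(fec: int, packet_id: int) -> str:
    """Return the GoSP previous-hop address to which a GoSReq carrying
    (fec, packet_id) would be sent for a local re-transmission."""
    return gos_table[fec]["gosp_phop"]

print(on_packet_loss(35, 1001))  # x.x.160.12
```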

The table includes a first column for the FEC or flow identification, a second column for the flow GoS level and, finally, a third column used to record the previous GoS hop address, to which a request is sent in case of GoS packet loss.

B. Guarantee of Service States Diagram
Fig. 2 shows a states diagram of the operation of a GoS node. In the FP, the state of a GoS node is Data Forwarding: switching labels and forwarding data packets to the next node. There are only two events that change this state in the GoS node. The first event is the detection of a GoS packet loss. In this case, the GoS capable node gets the FEC and GoS packet identification and changes its state to Local Recovery Request, sending a local re-transmission request (GoSReq) to the first node of the GoSP (the closest upstream GoS node). When a response (GoSAck) is received, it changes back to the initial state. The other event that changes the state is the reception of a GoSReq from any downstream GoS node requesting a local re-transmission. In this case, the node changes its state to Buffer Access, to search for the requested packet according to the information received in the GoSReq. If the requested packet is found in the GoS buffer, a GoSAck is sent in response to the GoSReq, indicating that the requested packet was found and will be re-transmitted locally. The node then changes to the Local Retransmission state to get the GoS packet from the GoS buffer and re-forward it, after which it returns to the initial Forwarding state. If the packet is not found in the GoS buffer, the node sends a GoSAck message indicating that the packet was not found and changes to the Local Recovery Request state, sending a new GoSReq to its previous GoS node in the GoSP, if it is not the last one.

III. GUARANTEE OF SERVICE MESSAGES

GoS levels can easily be mapped to MPLS FEC, which is commonly used to describe a packet-destination mapping. A FEC is a set of packets to be forwarded in the same way (e.g. using the same path or Quality of Service criteria). One of the reasons to use the FEC is that it allows grouping packets in classes. It can also be used for packet routing or for efficient QoS support; for instance, a high-priority FEC can be mapped to a healthcare service or a low-priority FEC to a web service.
Figure 2. States diagram of a GoS capable node
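The transitions of Fig. 2 can be sketched as a small event-driven table (state and event names paraphrase the figure; the `packet_reforwarded` event is our label for the implicit return to forwarding after a local re-transmission):

```python
# Transition table for the GoS node states described in the text and Fig. 2.
TRANSITIONS = {
    ("data_forwarding", "gos_packet_discarded"): "local_recovery_request",
    ("local_recovery_request", "gos_ack_received"): "data_forwarding",
    ("data_forwarding", "gos_req_received"): "buffer_access",
    ("buffer_access", "found_in_buffer"): "local_retransmission",
    ("buffer_access", "not_found_in_buffer"): "local_recovery_request",
    ("local_retransmission", "packet_reforwarded"): "data_forwarding",
}

def step(state: str, event: str) -> str:
    """Advance the GoS node state machine by one event."""
    return TRANSITIONS[(state, event)]

# A downstream GoSReq arrives, the packet is found and re-forwarded:
s = "data_forwarding"
s = step(s, "gos_req_received")    # -> buffer_access
s = step(s, "found_in_buffer")     # -> local_retransmission
s = step(s, "packet_reforwarded")  # -> data_forwarding
print(s)  # data_forwarding
```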


Labels are used by MPLS to establish the mapping between FEC and packet, because a combination of incoming and outgoing labels identifies a particular FEC. With different classes of services, different FEC with mapped labels will be used. In our proposal, the GoS FEC concept is used to classify the different GoS levels, giving more priority to the most privileged FEC. Therefore, GoS FEC will allow giving different treatment to GoS packets belonging to flows with different privileges, even though they are forwarded along the same path. With the purpose of minimizing GoS signalling in the MPLS FP, the GoS characterization info (GoS Level, Packet ID and GoSP) can be signalled by RSVP-TE in the MPLS CP. When a privileged LSP is being established, extended RSVP-TE Path and Resv messages can carry the GoS Level and GoSP info (see Figs. 3 and 4).
Figure 3. GoS extended Path message format with GoS Path object

Figure 4. GoS extended Resv message format with GoS Resv object

When an LSP tunnel is being signalled in the CP, a GoS node that receives a GoS-extended Path message will access this GoS info to update its GoS Table. Then, it will record its IP address in the GoSP PHOP field of the GoSPath object, because it will be the previous hop of the next downstream GoS node that detects a packet loss. It is not necessary to transport the entire GoSP in the GoSPath message, but only the last GoS node, because the node that detects a packet loss only sends a local re-transmission request to the PHOP in the GoSP. If the PHOP cannot find the requested packet, it will request a local re-transmission from the GoS PPHOP of the point of loss (if it is not the last one). Finally, following the RSVP-TE way of operation, when an LSP is being signalled, the GoS information is confirmed with the reception of a GoS-extended Resv message, confirming the requested GoS level.

A. Signalling of GoS Local Re-transmissions
It is not necessary to send the GoSP in every GoSReq message, because GoS nodes have an entry in the GoS Table with the GoSP PHOP for every flow. Therefore, in case a GoSP PHOP node cannot satisfy a local re-transmission request, it will get the GoS PHOP from its GoS Table and send a new GoSReq to its own GoSP PHOP to forward the request. So, it is not necessary for the node which initiates a GoSReq to send more requests to nodes before its GoSP PHOP. This technique reduces the LSP overhead when sending GoSReq messages, and is the reason to buffer only one address in the GoSP PHOP column, instead of the entire GoSP. Therefore, in case of packet loss in a GoS node, this LSR sends a local re-transmission request to the upstream GoS PHOP. With this purpose, the RSVP-TE Hello message has been extended. In particular, the Hello Request message (see Fig. 5) has been extended with a GoSReq object, in order to request from the upstream GoSP PHOP the re-transmission of the lost packet specified in the Packet ID field of the flow (specified in the Privileged Flow ID field). The upstream GoS node that receives the GoSReq message sends a response in an extended Hello Ack message (see Fig. 6), with a GoSAck object to notify whether the requested packet has been found in the GoS buffer. Furthermore, following the RSVP-TE way of operation, the Source Instance and Destination Instance of the Hello object are used to test connectivity between GoSP neighbour nodes.

Figure 5. GoS extended Hello message format, with GoS Request object after the Hello object
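A byte-level sketch of the GoSReq object body, following the field sizes given for Fig. 5: Object Length (2 octets), Class-Num (1), C-Type (1), Privileged Flow ID (4) and Packet ID (4). The Class-Num and C-Type values below are placeholders, not assigned RSVP codepoints:

```python
import struct

def pack_gos_req(class_num: int, c_type: int,
                 privileged_flow_id: int, packet_id: int) -> bytes:
    """Pack a GoSReq object in network byte order:
    Object Length (2 octets) | Class-Num (1) | C-Type (1) |
    Privileged Flow ID (4) | Packet ID (4)."""
    object_length = struct.calcsize("!HBBII")  # 12 octets, header included
    return struct.pack("!HBBII", object_length, class_num, c_type,
                       privileged_flow_id, packet_id)

req = pack_gos_req(class_num=0xAA, c_type=1,
                   privileged_flow_id=35, packet_id=1001)
print(len(req))  # 12
```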


Figure 6. GoS extended Hello message format, with GoS Ack object after the Hello object

IV. SCALABILITY OF THE GOSP DIAMETER
In this section we analyze the scalability of the connection-oriented GoSP. An MPLS domain G(U) will be considered, with a set X of n nodes and a set U of links. Let δ_ij be the delay of link (x_i, x_j) ∈ U and let δ(x_i, x_j) be the delay of a path between any two nodes x_i and x_j. Finally, let δ_GoS be the delay proportion used for transmission of GoS characterization information in the FP (GoS packet ID). The main objective is to analyze the scalability of the GoSP when lost packets are re-transmitted between any two nodes of LSP_{i,n} in U(G). This way, the minimum delay used by a packet when it is forwarded between two nodes of the path LSP_{i,n} of G(U) is:

min δ(x_i, x_j) = Σ_{i=1}^{n} Σ_{j=1}^{n} δ_ij x_ij    (3)

subject to:

Σ_{l=2}^{n} x_1l = 1    (4)

Σ_{i=1}^{n} x_il − Σ_{j=1}^{n} x_lj = 0,  l = 2, 3, ..., n−1    (5)

Σ_{l=1}^{n−1} x_ln = 1    (6)

where x_{i,j} = 1, ∀(x_i, x_j) ∈ LSP_{i,n}; x_{i,j} = 0, ∀(x_i, x_j) ∉ LSP_{i,n}; and δ_{i,i} = 0, ∀i.

A. End-to-End Retransmissions
Let x_n be a non-GoS congested end node. In case of packet discarding by x_n, the Discarding Detection Time (DDT_E−E) function between two nodes of LSP_{i,n} is:

DDT_E−E(x_i, x_n) = Σ_{l=i}^{n−1} δ_{l,l+1} x_{l,l+1}    (7)

The minimal delay of the end-to-end (E-E) retransmission is:

δ_E−E(x_i, x_n) = 2 Σ_{l=i}^{n−1} δ_{l,l+1} x_{l,l+1}    (8)

Therefore, the total delay Δ_E−E(x_i, x_n) to get the discarded flow in x_n is obtained from Eqs. (7) and (8):

Δ_E−E(x_i, x_n) = 3 Σ_{l=i}^{n−1} δ_{l,l+1} x_{l,l+1}    (9)

In Fig. 7, the operation of GoS is shown when a packet being forwarded from X1 to X5 (with delay δ_{1,5}) is discarded in the intermediate node X4. In this case, 3 GoSP diameters (d=1, d=2 and d=3) can be used to achieve a successful local re-transmission. First, X4 sends a local re-transmission request (GoS_Req) to the first node of the GoSP (X3). That node then sends a response (GoS_Ack) to indicate whether or not it has found the requested packet in the GoS buffer. If it is found (d=1), it will send the locally recovered packet (LRP) towards its destination. If it is not found, X3 will send a new GoS_Req message to its PHOP in the GoSP (X2). If X2 finds the requested packet, the successful diameter would be d=2. Finally, if X1, which is the last node of the GoSP, finds the lost MCN packet, then a diameter d=3 achieves a successful local re-transmission. Furthermore, this local recovery process is compared with both the end-to-end re-transmission request (EERR) and the end-to-end re-transmission packet (EERP).

Figure 7. Local re-transmission operation when a GoS packet is discarded in an intermediate node


B. GoS-based Local Re-transmissions Let xn be a GoS congested end node. In case of packet discarding by xn, then Discarding Detection Time (DDTd) between source and sink nodes of path LSPi,n is:
DDT d ( x i , x n ) =

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

diameter scalability with respect to the number of nodes of the privileged LSP and δGoS, we get parameter d:
d <

(( n

− 1 − i ) · ( 3 − δ GoS ) ) (2 · δ GoS

)+1

(17)

∑δ
l =i

n −1

l , l +1

· δ GoS · x l , l +1

(10)

Minimal delay of local retransmission using a GoSP with diameter d (δd) is:
δ d ( xi , x n ) = 2

In Fig. 8 scalability of the GoSP diameter for different LSP sizes (parameters i and n) is shown. In chart we can see that there is a lineal rise when increasing the number of nodes of the LSP, until a maximum LSP size of 251 nodes. After this point, the maximum feasible diameter that would allow a successfully local re-transmission has a value of 250 hops.

l = n −d

∑δ

n −1

l , l +1

· δ GoS · x l , l +1

(11)

250 225

subject to: 0 < d < n – i
Diameter

200 175 150 125 100 75 50 25 0 0 25 50 75 100 125 150 175 200 225 250 275 300

If the diameter in Eq. (11) was n-i, then if l = n–d = n – (n– i) = n – n + i = i, we get that:

2

l = n− d

∑δ

n −1

l , l +1

· δ GoS · x l , l +1 = 2 ∑ δ l , l + 1 · δ GoS · x l , l + 1
l =i

n −1

(12)

i.e., it would be an E-E retransmission. Moreover, if in Eq. (11) GoSP diameter was bigger than ni, then it would be trying to get a retransmission from a previous node to xi, but this one is the source of data flow, so it is unfeasible. Thus, total delay ∆ d ( xi , x n ) to get discarded traffic from initial instant of transmission is got from Eqs. (10) and (11):
∆ d ( x i , x n ) = ∑ δ l , l +1δ GoS x l , l +1 + 2
l =i n −1

Number of nodes of the LSP

Figure 8. Scalability of GoSP diameter for different LSP sizes

l = n −d

∑δ

n −1

l ,l + 1

δ GoS x l ,l +1 (13)

This proof can easily be extended to include the case where an intermediate node XDD is requesting re-transmission, getting the same half-plane of solutions for the GoSP diameter, as is shown in Eq (17). V. SIMULATION RESULTS In order to evaluate the performance of GoS approach, we have carried out a series of simulations focused on AT&T backbone network topology (see Fig. 9), which is MPLS enabled to provide QoS for customers who require value-added services. In our simulations, AT&T core topology is characterized by 120 LER nodes, 30 LSR nodes and 180 links, with capacities in the range of [45Mbps, 2.5Gbps]. A GoS enabled node has been located at the eight routers with the biggest connectivity. In scenarios, signalled LSP are unidirectional and the bandwidth demanded for each flow is drawn from a distribution over the range of [64Kbps, 4Mbps]. In order to analyze the effect that GoS re-transmissions have on transport layer protocols, several MCN services over TCP/IP that use LSP across a different number of GoS capable nodes have been compared with not privileged TCP/IP flows across the same paths. LSP congestion has also been considered in the range of [0.01%, 4%].

At this point we test whether Eq. (13) < Eq. (9):

∑_{l=i}^{n−1} δ_{l,l+1} · δ_GoS · x_{l,l+1} + 2 ∑_{l=n−d}^{n−1} δ_{l,l+1} · δ_GoS · x_{l,l+1} < 3 ∑_{l=i}^{n−1} δ_{l,l+1} · x_{l,l+1}    (14)
3 ∑_{l=i}^{n−1} δ_{l,l+1} · x_{l,l+1} > δ_GoS ∑_{l=i}^{n−1} δ_{l,l+1} · x_{l,l+1} + 2 δ_GoS ∑_{l=n−d}^{n−1} δ_{l,l+1} · x_{l,l+1}    (15)

∑_{l=i}^{n−1} δ_{l,l+1} · x_{l,l+1} > ( 2 δ_GoS ∑_{l=n−d}^{n−1} δ_{l,l+1} · x_{l,l+1} ) / (3 − δ_GoS)    (16)

In Eq. (16) the half-plane of solutions has been obtained for the case of a local recovery with diameter d that has a lower delay than an E-E re-transmission. Therefore, to get the GoSP

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009
Figure 9. AT&T core topology characterization

Figure 11. Packets received in sink in GoS re-transmission cases and E-E case at different time samples

Fig. 10 shows a throughput comparison between an E-E case, where lost packets need TCP re-transmissions from the head-end, and a GoS case, where dropped packets are recovered locally. Due to the GoS level assigned to the MCN service, 91.04% of discarded packets were recovered with diameter d=1, 8.96% with d=2, and no packets were re-transmitted with d>2. Trend functions are also shown in the chart to allow a performance comparison, with a confidence interval of 12.5 Kbps at a 95% confidence level. The average difference between trend functions is 4.84%. Fig. 11 shows a comparison of the percentage of packets received at different time samples of a particular flow when dropped packets are E-E recovered by the transport-level protocol and when they are re-transmitted locally with diameters d=1, d=2, d=4 and d=8. For instance, at 35000 s, 55.79% of E-E traffic has been received; at the lowest GoS level (d=8), 58.12% of packets have already been received; in the d=4 case, 60.04% of packets; in the d=2 case, 61.83% of packets; and at the best GoS level, d=1, 62.91% of packets have been received.

Therefore, the more GoS-capable nodes crossed by the LSP, the higher the probability of local re-transmissions with the optimal diameter d=1. Hence an MPLS service provider would assign flows with the highest GoS level to an LSP that crosses more GoS nodes. Fig. 12 shows a packet-loss comparison between a no-GoS case, where a lost packet needs a TCP re-transmission from the head-end, and a GoS case, where discarded packets can be recovered locally and therefore are not counted as lost packets at the head-end. Trend functions are also shown, with a confidence interval of 0.21% at a 95% confidence level and an average difference between trend functions of 1.32%. We thus conclude that a significant part of the discarded traffic does not have to be recovered end-to-end by the transport-layer protocol, thanks to GoS local re-transmissions. Furthermore, by including GoS-capable nodes at bottlenecks we obtain an improvement in the number of packets delivered for MCN services in the Internet, with a better use of network resources.
Figure 10. Throughput sampling comparison between GoS and E-E re-transmissions

Figure 12. Percentage of packet loss of GoS and E-E flows


VI. CONCLUDING REMARKS

This article discusses GoS as a local traffic-recovery technique in an MPLS domain, with the aim of improving network performance for MCN services in the face of congestion. We have first defined and discussed the requirements for GoS over MPLS. Then, we have explained that GoS signalling for MCN services with requirements of low delay and high reliability is possible. The scalability of the proposal has been analytically studied and, finally, the benefits of local re-transmissions of discarded traffic with respect to end-to-end re-transmissions have been evaluated. Further work should include the evaluation and comparison of different network scenarios under different real traffic distributions.

AUTHORS PROFILE

Fco. Javier Rodríguez-Pérez received his Engineering degree in Computer Science at the University of Extremadura (Spain) in 2000, where he is currently a professor and a Ph.D. candidate in the GITACA group. His research is mainly focused on QoS and traffic engineering, packet classification and signalling development over IP/MPLS systems.

José-Luis González-Sánchez is a full-time associate professor of the Computing Systems and Telematics Engineering department at the University of Extremadura, Spain. He received his Engineering degree in Computer Science and his Ph.D. degree in Computer Science (2001) at the Polytechnic University of Cataluña, Barcelona, Spain. He has worked for years at several private enterprises and public organizations, accomplishing functions of System and Network Manager. He is the main researcher of the Advanced and Applied Communications Engineering Research Group (GÍTACA) of the University of Extremadura. He has published many articles, books and research projects related to computing and networking.

Alfonso Gazo-Cervero received his PhD in computer science and communications from the University of Extremadura. He is currently a member of the research and teaching staff as an assistant professor in the GITACA group. His research interests are related mainly to QoS provision over heterogeneous networks, capacity planning, routing protocols and overlay networks.


Novel Intrusion Detection using Probabilistic Neural Network and Adaptive Boosting
Tich Phuoc Tran, Longbing Cao
Faculty of Engineering and Information Technology University of Technology, Sydney, Australia {tiptran, lbcao}@it.uts.edu.au

Dat Tran
Faculty of Information Sciences and Engineering University of Canberra, Australia Dat.Tran@canberra.edu.au

Cuong Duc Nguyen
School of Computer Science and Engineering International University, HCMC, Vietnam ndcuong@hcmiu.edu.vn

Abstract— This article applies Machine Learning techniques to solve Intrusion Detection problems within computer networks. Due to the complex and dynamic nature of computer networks and hacking techniques, detecting malicious activities remains a challenging task for security experts; that is, currently available defense systems suffer from low detection capability and a high number of false alarms. To overcome such performance limitations, we propose a novel Machine Learning algorithm, namely the Boosted Subspace Probabilistic Neural Network (BSPNN), which integrates an adaptive boosting technique and a semi-parametric neural network to obtain a good trade-off between accuracy and generality. As a result, learning bias and generalization variance can be significantly minimized. Substantial experiments on the KDD-99 intrusion benchmark indicate that our model outperforms other state-of-the-art learning algorithms, with significantly improved detection accuracy, minimal false alarms and relatively small computational complexity.

Keywords- Intrusion Detection, Adaptive Boosting, Neural Network

I. INTRODUCTION

As more and more corporations rely on computers and networks for communications and critical business transactions, securing digital information has become one of the largest concerns of the business community. A powerful security system is not only a requirement but essential to the livelihood of enterprises. In recent years, a great deal of research has been conducted in this area to develop intelligent and automated security tools which can fight the latest cyber attacks. Alongside static defense mechanisms, such as keeping operating systems up-to-date or deploying firewalls at critical network segments for access control, more advanced defense systems, namely Intrusion Detection Systems (IDS), are becoming an important part of today's network security architectures. Particularly, IDS can be used to monitor computers or networks for unauthorized activities based on network traffic or system usage behaviors, thereby detecting if a system is targeted by a network attack such as a denial of service attack.

The majority of currently existing IDS face a number of challenges, such as low detection rates, which can miss serious intrusion attacks, and high false alarm rates, which falsely classify a normal connection as an attack and therefore obstruct legitimate user access to the network resources [1]. These problems are due to the sophistication of the attacks and their intended similarity to normal behavior. More intelligence is brought into IDS by means of Machine Learning (ML). Theoretically, it is possible for a ML algorithm to achieve the best performance, i.e. it can minimize the false alarm rate and maximize the detection accuracy. However, this normally requires infinite training sample sizes [2]. In practice, this condition is impossible to meet, due to limited computational power and the real-time response requirement of IDS: IDS must operate in real time and cannot introduce much delay, because this would cause a bottleneck in the whole network.

To overcome the above limitations of currently existing IDS, we propose an efficient Boosted Subspace Probabilistic Neural Network (BSPNN) to enhance the performance of intrusion detection for rare and complicated attacks. BSPNN combines and improves a Vector Quantized-Generalized Regression Neural Network (VQ-GRNN) with an ensemble technique to improve detection accuracy while minimizing computational overheads through model tuning. Because this method combines the virtues of boosting and neural network technologies, it has both high data-fitting capability and high system robustness. To evaluate our approach, substantial experiments are conducted on the KDD-99 intrusion detection benchmark. The proposed algorithm clearly demonstrates superior classification performance compared with other well-known techniques in terms of bias and variance on real-life problems.

II. NETWORK INTRUSION DETECTION AND RELATED WORKS

Because most computers today are connected to the Internet, network security has become a major concern for organizations throughout the world. Alongside the existing techniques for preventing intrusions such as


encryption and firewalls, Intrusion Detection technology has established itself as an emerging research field concerned with detecting unauthorized access and abuse of computer systems by both internal users and external offenders. An Intrusion Detection System (IDS) is defined as a protection system that monitors computers or networks for unauthorized activities based on network traffic or system usage behaviors, thereby detecting if a system is targeted by a network attack such as a denial of service attack [4]. In response to the identified adversarial transactions, an IDS can inform the relevant authorities to take corrective actions. There are a large number of IDS available on the market to complement firewalls and other defense techniques. These systems fall into two categories, namely (1) misuse-based detection, in which events are compared against pre-defined patterns of known attacks, and (2) anomaly-based detection, which relies on detecting activities that deviate from the system's "normal" operations. In addition to the overwhelming volume of generated network data, rapidly changing technologies present a great challenge for today's security systems with respect to attack detection speed, accuracy and system adaptability. In order to overcome such limitations, considerable research has been conducted on applying ML algorithms to achieve a generalization capability from limited training data. That means, given known intrusion signatures, a security system should be able to detect similar or new attacks. Various techniques such as association rules, clustering, Naïve Bayes, Support Vector Machines, Genetic Algorithms, Neural Networks and others have been developed to detect intrusions. This section provides a brief literature review of these technologies and related frameworks. One of the rule-based methods commonly used by early IDS is the Expert System (ES) [3, 4].

In such a system, the knowledge of human experts is encoded into a set of rules. This allows more effective knowledge management than that of a single human expert in terms of reproducibility, consistency and completeness in identifying activities that match the defined characteristics of misuse and attacks. However, ES suffers from low flexibility and robustness. Unlike ES, data mining approaches derive association rules and frequent episodes from available sample data, not from human experts. Using these rules, Lee et al. developed a data mining framework for the purpose of intrusion detection [5, 6]. In particular, system usage behaviors are recorded and analyzed to generate rules which can recognize misuse attacks. The drawback of such frameworks is that they tend to produce a large number of rules and, thereby, increase the complexity of the system.

Decision trees are one of the most commonly used supervised learning algorithms in IDS [7-11] due to their simplicity, high detection accuracy and fast adaptation. Another high-performing method is Artificial Neural Networks (ANN), which can model both linear and non-linear patterns. ANN-based IDS [12-15] have achieved great success in detecting difficult attacks. For unsupervised intrusion detection, data clustering methods can be applied [16, 17]. These methods involve computing a distance between numeric features and therefore cannot easily deal with symbolic attributes, resulting in inaccuracy. Another well-known ML technique used in IDS is the Naïve Bayes classifier [7]. Because Naïve Bayes assumes that features are independent, which is often not the case for intrusion detection, correlated features may degrade its performance. In [18], the authors apply a Bayesian network for IDS. The network appears to be attack-specific, and its size grows rapidly as the number of features and attack types increases. Besides the popular decision trees and ANN, Support Vector Machines (SVMs) are also a good candidate for intrusion detection systems [14, 19]: they can provide real-time detection capability and deal with the large dimensionality of the data. SVMs plot the training vectors in a high-dimensional feature space through non-linear mapping, labeling each vector by its class. The data is then classified by determining a set of support vectors, which are members of the set of training inputs that outline a hyperplane in the feature space. Several other AI paradigms, including linear genetic programming [20], Hidden Markov Models [21], the Columbia Model [22] and Layered Conditional Random Fields [23], have been applied to the design of IDS.

III. BOOSTED SUBSPACE PROBABILISTIC NEURAL NETWORK (BSPNN)

A. Bias-Variance-Computation Dilemma

Several ML techniques have been adopted in the network security domain with certain success; however, severe limitations remain. Firstly, we consider the Artificial Neural Network (ANN) because of its wide popularity and well-known characteristics. As a flexible, "model-free" learning method, an ANN can fit training data very well and thus provide a low learning bias. However, ANNs are susceptible to overfitting, which can cause instability in generalization [24]. Recent remedies try to improve model stability by reducing generalization variance at the cost of a worse learning bias, i.e. allowing underfitting. However, underfitting is not acceptable for applications requiring high classification accuracy. Therefore, a system which can achieve both stable generalization and accurate learning is imperative for applications such as Intrusion Detection [19]. Mathematically, both bias and variance may be reduced at the same time given infinitely sized models. However, this is infeasible since computing resources are limited in real life. Motivated by the need for an accurate detection system for Intrusion Detection, we develop a learning algorithm which provides a good trade-off between learning bias, generalization variance and computational requirements.

B. Objectives

This paper is inspired by a light-weight ANN model, namely the Vector Quantized-Generalized Regression Neural Network (VQ-GRNN) [25], which reduces the non-parametric GRNN [26] to a semi-parametric model by applying vector quantization techniques to the training data, i.e. clustering the input space into a smaller subspace. Compared with the GRNN, which incorporates every training vector into its structure, VQ-GRNN operates only on a smaller number of clusters of input data. This significantly improves the robustness of the algorithm (low variance), but also limits its learning accuracy to some extent [24]. To make VQ-GRNN suitable for Intrusion Detection problems, i.e. to enhance its accuracy, we propose the Boosted Subspace Probabilistic Neural Network (BSPNN), which combines VQ-GRNN with an ensemble learning technique. Ensemble methods such as Boosting [27] iteratively learn multiple classifiers (base classifiers) on different distributions of training data. Boosting, in particular, guides changes of the training data to direct further classifiers toward more "difficult" cases, i.e. putting more weight on previously misclassified instances. It then combines the base classifiers in such a way that the composite (boosted) learner outperforms the single classifiers. Amongst the popular boosting variants, we choose Adaptive Boosting, or AdaBoost [28], to improve the performance of VQ-GRNN.
AdaBoost is the most widely adopted boosting method; it allows the designer to keep adding weak learners, whose accuracy need only be moderate, until some desired low training error has been achieved. AdaBoost is "adaptive" in the sense that it does not require prior knowledge of the accuracy of these hypotheses [27]. Instead, it measures the accuracy of a base hypothesis at each iteration and sets its parameters accordingly. Although classifier combinations (as in boosting) can improve generalization performance, correlation between individual classifiers can be harmful to the final composite model. Moreover, it is widely accepted that good generalization performance of a combined classifier is not necessarily achieved by combining classifiers with better individual performance, but by including independent classifiers in the ensemble [9]. Therefore, such an independence condition among individual classifiers, normally termed

orthogonality, diversity or disagreement, is required to obtain a good ensemble.

C. Model description

As shown in Figure 1, the proposed BSPNN algorithm has two major modules: the Adaptive Booster and the Modified Probabilistic Classifier. Given input data S = {(x_i, y_i) | i = 1…N}, where each output y_i takes one of K class values, the BSPNN algorithm aims to produce a classifier F: x → y. In this research, we implement F (referred to as the Adaptive Booster) using the SAMME algorithm [29]. F learns by iteratively training a Modified Probabilistic Classifier f on weighted data samples S, whose weights are updated by the Distribution Generator according to the previously created models of f. This base learner f is actually a modified version of the emerging VQ-GRNN model [25] (called the Modified GRNN Base Learner), in which the input data space is reduced significantly (by the Weighted Vector Quantization module) and the output is computed by a linearly weighted mixture of Radial Basis Functions (RBF). This process is repeated until F reaches a desired number of iterations or its Mean Squared Error (MSE) approaches an appropriate level. The base hypotheses returned by f are finally combined by the Hypothesis Aggregator. This combination depends not only on the misclassification error of each previously added hypothesis but also on the diversity of the ensemble at that time. The Diversity Checker measures ensemble diversity using the Kohavi-Wolpert variance [30] (denoted by the hypothesis weighting coefficient). To avoid any confusion, the Adaptive Booster F is called the master algorithm, while f refers to the base learner. They are described in greater detail in the next sections.

1) Adaptive Booster

The Adaptive Booster iteratively produces base hypotheses on a weighted training dataset. The weights are updated adaptively based on the classification performance of the component hypotheses. The generated hypotheses are then integrated via a weighted sum based on their diversity.


Figure 1. BSPNN high-level design view

TABLE I. ADAPTIVE BOOSTER ALGORITHM

Input: S = {(x_1, y_1), …, (x_N, y_N)} and associated distribution W
Initialize w_i = 1/N for all i = 1…N
Do for t = 1…T:
  Generate base classifiers: train a classifier on the weighted sample {S, W} using the Modified Probabilistic Classifier and obtain hypothesis h_t: X → [0, 1]
  Compute the Kohavi-Wolpert variance KW_t of the current ensemble:
    KW_t = (1 / (N·L²)) · ∑_{i=1}^{N} l(x_i) · (L − l(x_i))
  where L and l(x_i) are the number of base classifiers generated so far in the ensemble and the number of classifiers that correctly classify x_i. We have L = t.
  Compute class probability estimates p_k^t(x) and set
    h_k^t(x) = (K − 1) · ( log p_k^t(x) − (1/K) ∑_{k'=1}^{K} log p_{k'}^t(x) ), k = 1, …, K
  where p_k^t(x) is the weighted class probability of class k.
  Update weights:
    w_i ← w_i · exp( −((K − 1)/K) · y_i^T log p^t(x_i) ), i = 1…N
  Renormalize W: w_i ← w_i / ∑_j w_j
End for
Output: F(x) = argmax_k ∑_{t=1}^{T} KW_t · h_k^t(x)
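A hedged, minimal Python sketch of this boosting loop: it uses the discrete SAMME hypothesis weight rather than the exact confidence-rated update of Table I, a one-feature threshold stump stands in for the Modified Probabilistic Classifier, and the (1 + KW) scaling of each vote is an assumed simplification for illustration; all data are toy values.

```python
import math
from collections import Counter

def stump_train(X, y, w, K):
    """Weighted one-feature threshold stump (illustrative base learner)."""
    best = None
    for f in range(len(X[0])):
        for thr in sorted({x[f] for x in X}):
            left, right = Counter(), Counter()
            for xi, yi, wi in zip(X, y, w):
                (left if xi[f] <= thr else right)[yi] += wi
            lcls = max(range(K), key=lambda k: left.get(k, 0.0))
            rcls = max(range(K), key=lambda k: right.get(k, 0.0))
            pred = [lcls if xi[f] <= thr else rcls for xi in X]
            err = sum(wi for p, yi, wi in zip(pred, y, w) if p != yi)
            if best is None or err < best[0]:
                best = (err, f, thr, lcls, rcls)
    _, f, thr, lcls, rcls = best
    return lambda x, f=f, t=thr, a=lcls, b=rcls: a if x[f] <= t else b

def boost(X, y, K, T=3):
    N = len(X)
    w = [1.0 / N] * N
    ensemble = []        # (diversity weight, alpha, hypothesis)
    correct = [0] * N    # l(x_i): how many hypotheses classified x_i correctly
    for t in range(1, T + 1):
        h = stump_train(X, y, w, K)
        pred = [h(x) for x in X]
        err = sum(wi for p, yi, wi in zip(pred, y, w) if p != yi)
        err = min(max(err, 1e-10), 1.0 - 1e-10)
        alpha = math.log((1.0 - err) / err) + math.log(K - 1.0)  # SAMME weight
        for i in range(N):
            correct[i] += (pred[i] == y[i])
        kw = sum(c * (t - c) for c in correct) / (N * t * t)  # Kohavi-Wolpert variance
        ensemble.append((1.0 + kw, alpha, h))  # diversity-scaled vote (assumed form)
        w = [wi * math.exp(alpha) if p != yi else wi for wi, p, yi in zip(w, pred, y)]
        s = sum(w)
        w = [wi / s for wi in w]  # renormalize W
    def F(x):
        votes = [0.0] * K
        for dw, alpha, hyp in ensemble:
            votes[hyp(x)] += dw * alpha
        return max(range(K), key=lambda k: votes[k])
    return F

X = [[0.0], [1.0], [2.0], [3.0], [4.0], [5.0]]  # toy 1-D data
y = [0, 0, 0, 1, 1, 1]
F = boost(X, y, K=2)
print([F(x) for x in X])
```

The essential structure matches Table I: each round trains a weighted base learner, tracks how many hypotheses classify each example correctly (the l(x_i) counts behind KW), up-weights misclassified examples, and combines the votes with a diversity-dependent coefficient.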

2) Modified Probabilistic Classifier (Base Learner)

The Modified Probabilistic Classifier serves as the base learner, which can be trained on {S, W} repeatedly by the Adaptive Booster to obtain the hypothesis h_t.


In each boosting iteration, a base hypothesis is created with associated accuracy and diversity measures. From this information, the data weights are updated for the next iteration and the final weighting of that hypothesis in the joint classification is computed. We adapt VQ-GRNN [25] as the base learner in our BSPNN model. VQ-GRNN is closely related to Specht's GRNN [26] and PNN [31] classifiers. This adaptation of VQ-GRNN can produce confidence-rated outputs, and it is modified such that it utilizes the weights associated with training examples (to compute cluster center vectors and find a single smoothing factor) and incorporates these weights as penalties for misclassifications (e.g. a weighted MSE). This modified version of VQ-GRNN is similar to the original one in that a single kernel bandwidth is tuned to achieve satisfactory learning. They both cluster close training vectors according to a very simple procedure related to vector quantization. A number of equally sized radial basis functions are placed at each and every center vector location, so that for the training vectors x_j belonging to the cluster with center c_i the kernels are approximated:

G(x − x_j, σ) ≈ G(x − c_i, σ)

This approximation is reasonable because the vectors are close to each other in the input vector space. Using this idea, the VQ-GRNN equation can be generalized [25]:

f(x) = ∑_i n_i · y_i · G(x − c_i, σ) / ∑_i n_i · G(x − c_i, σ)

where c_i is the center vector for cluster i in the input space, G(x − c_i, σ) is the radial basis function with centre c_i and width parameter σ, y_i is the output related to c_i, and n_i is the number of vectors associated with centre c_i; ∑_i n_i = N is the total number of training vectors. The above formula can be extended to a multi-class classification problem by redefining the output vector as a K-dimensional vector (K is the number of classes): y = (y_1, …, y_K), where y_k is the class membership probability of the k-th class of the vector. If the vector is of class k, then y_k = 1.0 and the remaining vector elements are 0. An input vector x is classified to class k if the k-th element of the output vector has the highest magnitude. To suit ensemble learning, VQ-GRNN is adapted such that it incorporates the weights associated with each training vector into the learning process, i.e. using them in cluster center formation and in the Mean Square Error (MSE) calculation for realizing the smoothing factor σ.

Such modifications make VQ-GRNN especially suited for boosting. In particular, the center vector c_k is computed as:

c_k = ∑_j w_j · x_j / ∑_j w_j

where the sums run over the N_k training vectors x_j belonging to cluster k and w_j is the weight associated with x_j. VQ-GRNN's learning involves finding the optimal bandwidth σ giving the minimum MSE. In our implementation, a Weighted MSE (WMSE) is used instead:

WMSE = (1/N) · ∑_{i=1}^{N} w_i · (y_i − ŷ_i)²

where w_i and ŷ_i are the associated weight and prediction of an example (x_i, y_i), i = 1…N.

3) Remarks on BSPNN

The high accuracy of BSPNN can be attributed to the boosting effects of the SAMME method implemented in the Adaptive Booster module. By sufficiently handling the multi-class problem and using confidence-rated predictions, SAMME can maximize the distribution margins of the training data [32]. Also, our implementation of the Kohavi-Wolpert variance (KW) [30] in the reweighting of hypotheses in the joint classification can effectively enforce ensemble diversity. The Modified Probabilistic Classifier has very fast adaptation, and it is modified to better integrate with the Adaptive Booster module. Particularly, after being modified, it can produce confidence-rated outputs and fully utilize the weights given by the booster in the learning process. In the next sections, we apply BSPNN to specific Intrusion Detection problems.

IV. APPLICATION TO NETWORK INTRUSION DETECTION

Current IDS suffer from low detection accuracy and insufficient system robustness for new and rare security breaches. In this section, we apply our BSPNN to identify known and novel attacks in the KDD-99 dataset [1], containing TCP/IP connection records. Each record consists of 41 attributes (features) and one target value (labeled data) which indicates whether a connection is Normal or an attack. There are 40 types of attacks, classified into four major categories, namely Probing (Probe) (collect information about the target system prior to an attack), Denial of Service (DoS) (prevent legitimate requests to a network resource by consuming the bandwidth or overloading computational resources), User-to-Root (U2R) (attackers with normal user-level access gain the privileges of the root user), and Remote-to-Local (R2L) (unauthorized users gain the ability to execute commands locally).
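Looping back to the base learner of Section III, the normalised RBF mixture that defines the VQ-GRNN output can be sketched in a few lines. The cluster centres, one-hot outputs, counts and bandwidth below are invented values for illustration, not parameters from the paper's experiments.

```python
import math

def rbf(x, c, sigma):
    # Gaussian radial basis function G(x - c, sigma)
    d2 = sum((a - b) ** 2 for a, b in zip(x, c))
    return math.exp(-d2 / (2.0 * sigma ** 2))

def vq_grnn_predict(x, centres, outputs, counts, sigma):
    # f(x) = sum_i n_i * y_i * G(x - c_i, sigma) / sum_i n_i * G(x - c_i, sigma)
    num = [0.0] * len(outputs[0])
    den = 0.0
    for c, y, n in zip(centres, outputs, counts):
        g = n * rbf(x, c, sigma)
        den += g
        num = [u + g * yk for u, yk in zip(num, y)]
    return [u / den for u in num]   # K-dimensional class-membership estimate

# two clusters, two classes (one-hot outputs); all values hypothetical
centres = [[0.0, 0.0], [4.0, 4.0]]
outputs = [[1.0, 0.0], [0.0, 1.0]]
counts  = [3, 5]
p = vq_grnn_predict([0.5, 0.5], centres, outputs, counts, sigma=1.0)
print(max(range(2), key=lambda k: p[k]))   # class with the highest magnitude
```

Because every kernel shares the single bandwidth σ, tuning that one parameter (by MSE, or the weighted MSE above) is the whole of the model's learning, which is what keeps the base learner light enough to boost.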


Table II describes the components of the KDD-99 dataset (referred to as Whole KDD): 10% KDD, containing 26 known attack types (for training), and Corrected KDD, containing 14 novel attacks (for testing).

TABLE II. KDD-99 COMPONENT DATASETS [1]

Dataset        DoS      Probe  U2R  R2L    Total Attack  Total Normal
Whole KDD      3883370  41102  52   1126   3925650       972780
10% KDD        391458   4107   52   1126   396743        97277
Corrected KDD  229853   4166   70   16347  250436        60593

A. Experiment Setup

1) Cost-Sensitive Evaluation

Because an error on a particular class may not be as serious as errors on other classes, we should consider misclassification cost for intrusion detection. Given a test set, the average cost of a classifier is calculated as below [1]:

Cost = (1/N) · ∑_i ∑_j ConfM(i, j) · CostM(i, j)    (4)

where
N: total number of connections in the dataset;
ConfM(i, j): the entry at row i, column j in the confusion matrix;
CostM(i, j): the entry at row i, column j in the cost matrix.

2) Datasets Creation

First, we consider anomaly detection, where only normal connection records are available for training. Any connection that differs from these normal records is classified as "abnormal", without further specifying which attack category it actually belongs to. For this purpose, we filter all known intrusions from the 10% KDD set to form a pure normal dataset (Norm). For misuse detection, we inject the 26 known attacks into Norm to classify the 14 novel ones. For example, from the Probe attacks that appeared in the training set (ipsweep, nmap, portsweep, satan), we aim to detect the unseen Probe attacks that were only included in the testing data (mscan, saint). In [33], artificial anomalies are added to the training data to help the learner discover a boundary around the available training data. The method particularly changes the value of one feature of a connection while leaving the other features unaltered. However, we do not adopt this method due to its high false alarm rate and its unconfirmed assumption that the boundary is very close to the known data and that the classes do not intersect one another. Instead, we group the 26 known intrusions into 13 clusters (note that these clusters are not artificially generated but real incidents, available in the 10% KDD set) and use them for classification. Each cluster contains intrusions that require similar features

for effective detection; as detailed in [33], the method is not influenced by cluster order. In our experiments, we first created 13 datasets D1, …, D13, as shown in Table 3, by incrementally adding each cluster to the normal dataset (Norm) to simulate the evolution of new intrusions.
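The incremental construction of the training sets can be sketched as below; `records_by_attack` is a hypothetical mapping from attack label to its connection records, and the cluster list is truncated (the full 13 clusters are in Table 3):

```python
clusters = [
    ["back"],
    ["ftp_write", "warezclient", "warezmaster"],
    ["imap"],
    # ... the remaining clusters from Table 3
]

def build_datasets(normal_records, clusters, records_by_attack):
    """Return the snapshots D_1, ..., D_k: Norm plus the first k clusters."""
    datasets, current = [], list(normal_records)
    for cluster in clusters:
        for attack in cluster:
            current.extend(records_by_attack.get(attack, []))
        datasets.append(list(current))  # snapshot after adding cluster k
    return datasets

# Toy demo (hypothetical records):
ds = build_datasets(["n1"], clusters, {"back": ["b1"], "imap": ["i1"]})
print(len(ds), ds[-1])  # 3 ['n1', 'b1', 'i1']
```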

The BSPNN and the other learning methods are then tested against the "Corrected KDD" testing set, which contains both known and unknown attacks.

B. Experiment Results

1) Anomaly Detection: We train BSPNN on the pure normal dataset (Norm) to detect anomalies in the "Corrected KDD" testing set. Table 4 shows that BSPNN obtains a detection rate competitive with [33] while achieving a significantly lower false alarm rate (1.1%), minimizing a major drawback of anomaly detection.

2) Misuse Detection: To test the effect of having known intrusions in the training set on overall performance, we run BSPNN on the 13 training sets D1, …, D13. Its detection rates (DR) on the different attack categories are displayed in Figure 2. A general trend of increasing performance can be observed as more intrusions are added to the training set. In particular, detection of R2L attacks requires less known intrusion data than the other classes (its DR starts rising after fewer clusters have been added). Using the full training set (D13), we test BSPNN against other existing methods, including the KDD-99 winner [8], the rule-based PNrule approach [34], the multi-class Support Vector Machine [19], the Layered Conditional Random Fields framework (LCRF) [23], the Columbia Model [22] and the Decision Tree method [11]. Their Detection Rate (DR) and False Alarm Rate (FAR) are reported in Table 5, with the highest DR and lowest FAR for each class in bold.


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009
TABLE III. CLUSTERS OF KNOWN INTRUSIONS

1. back
2. ftp_write, warezclient, warezmaster
3. imap
4. portsweep, satan
5. multihop
6. phf
7. spy, smurf
8. buffer_overflow, loadmodule, perl, rootkit
9. guess_passwd
10. land
11. ipsweep, nmap
12. neptune
13. pod, teardrop

TABLE IV. DETECTION RATE (DR) AND FALSE ALARM RATE (FAR) FOR ANOMALY DETECTION

Method            DR      FAR
Fan et al. [33]   94.26   2.02
BSPNN             94.31   1.12

Figure 2. Detection Rate on Datasets for misuse detection

For Probe and DoS attacks, BSPNN achieves a slightly better DR than the other algorithms with a very competitive FAR. Though the improvement for the Normal class is not significant, our model does attain a remarkably low FAR. In addition, a clear performance advantage is observed for BSPNN on the U2R and R2L classes. It is also important to note that, since the KDD-99 dataset is unbalanced (U2R and R2L appear rarely), the baseline models can only classify the major classes and perform poorly on the minor ones, while BSPNN exhibits superior detection power for all classes. The significant improvement in detecting the more dangerous attacks (U2R, R2L) leads to a lower total misclassification cost of 0.1523, compared with 0.2332 for the KDD-99 winner.

TABLE V. DETECTION RATE (DR) AND FALSE ALARM RATE (FAR) FOR MISUSE DETECTION
(all values in %; "-" = not reported; only DR is available for the Columbia Model and the Decision Tree)

Method                  Normal        Probe         DoS           U2R           R2L
                        DR    FAR     DR    FAR     DR    FAR     DR    FAR     DR    FAR
KDD-99 winner [8]       99.5  27.0    83.3  35.2    97.1  0.1     13.2  28.6    8.4   1.2
PNrule [34]             99.5  27.0    73.2  7.5     96.9  0.05    6.6   89.5    10.7  12.0
Multi-class SVM [19]    99.6  27.8    75    11.7    96.8  0.1     5.3   47.8    4.2   35.4
LCRF [23]               -     -       98.60 0.91    97.40 0.07    86.30 0.05    29.60 0.35
Columbia Model [22]     -     -       96.7  -       24.3  -       81.8  -       5.9   -
Decision Tree [11]      -     -       81.4  -       60.0  -       58.8  -       24.2  -
BSPNN                   99.8  3.6     99.3  1.1     98.1  0.06    89.7  0.03    48.2  0.19

V. CONCLUSION

This research is motivated by the need for a high-performance yet computationally inexpensive classifier for applications in network security. In particular, the Boosted Subspace Probabilistic Neural Network (BSPNN) is proposed, which combines two emerging algorithms: an adaptive boosting method and a probabilistic neural network. BSPNN retains the semi-parametric characteristics of VQ-GRNN, and therefore obtains low generalization variance, while receiving an accuracy boost from the SAMME method (low bias). Though BSPNN requires more processing power due to boosting, the added computation is still lower than that of GRNN or other boosted algorithms. Experiments on the KDD-99 network intrusion dataset show that our approach obtains superior performance in comparison with other state-of-the-art detection methods, achieving low learning bias and improved generalization at an affordable computational cost.

REFERENCES

[1] C. Elkan, "Results of the KDD'99 Classifier Learning," ACM SIGKDD Explorations, vol. 1, pp. 63-64, 2000.
[2] I. Kononenko and M. Kukar, Machine Learning and Data Mining: Introduction to Principles and Algorithms, Horwood Publishing Limited, 2007.
[3] D. S. Bauer and M. E. Koblentz, "NIDX – an expert system for real-time network intrusion detection," in Proceedings of the Computer Networking Symposium, Washington, D.C., 1988, pp. 98-106.
[4] K. Ilgun, R. Kemmerer, and P. Porras, "State transition analysis: a rule-based intrusion detection approach," IEEE Transactions on Software Engineering, pp. 181-199, 1995.
[5] W. Lee, S. Stolfo, and K. Mok, "Mining Audit Data to Build Intrusion Detection Models," Proc. Fourth International Conference on Knowledge Discovery and Data Mining, pp. 66-72, 1999.
[6] W. Lee, S. Stolfo, and K. Mok, "A Data Mining Framework for Building Intrusion Detection Model," Proc. IEEE Symp. Security and Privacy, pp. 120-132, 1999.
[7] N. B. Amor, S. Benferhat, and Z. Elouedi, "Naive Bayes vs. Decision Trees in Intrusion Detection Systems," Proc. ACM Symp. Applied Computing, pp. 420-424, 2004.
[8] B. Pfahringer, "Winning the KDD99 Classification Cup: Bagged Boosting," SIGKDD Explorations, vol. 1, pp. 65-66, 2000.
[9] V. Miheev, A. Vopilov, and I. Shabalin, "The MP13 Approach to the KDD'99 Classifier Learning Contest," SIGKDD Explorations, vol. 1, pp. 76-77, 2000.
[10] I. Levin, "KDD-99 Classifier Learning Contest: LLSoft's Results Overview," SIGKDD Explorations, vol. 1, pp. 67-75, 2000.
[11] J.-H. Lee, J.-H. Lee, S.-G. Sohn, J.-H. Ryu, and T.-M. Chung, "Effective Value of Decision Tree with KDD 99 Intrusion Detection Datasets for Intrusion Detection System," in 10th International Conference on Advanced Communication Technology, vol. 2, 2008, pp. 1170-1175.
[12] Z. Zhang, J. Li, C. N. Manikopoulos, J. Jorgenson, and J. Ucles, "HIDE: A Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification," Proc. IEEE Workshop Information Assurance and Security, pp. 85-90, 2001.
[13] J. Cannady, "Artificial neural networks for misuse detection," in Proceedings of the National Information Systems Security Conference, Arlington, VA, 1998.
[14] S. Mukkamala, G. Janoski, and A. Sung, "Intrusion detection using neural networks and support vector machines," in International Joint Conference on Neural Networks (IJCNN), vol. 2, IEEE, 2002, pp. 1702-1707.
[15] C. Jirapummin, N. Wattanapongsakorn, and P. Kanthamanon, "Hybrid neural networks for intrusion detection system," in Proceedings of the 2002 International Technical Conference on Circuits/Systems, Computers and Communications, 2002.
[16] L. Portnoy, E. Eskin, and S. Stolfo, "Intrusion Detection with Unlabeled Data Using Clustering," Proc. ACM Workshop Data Mining Applied to Security (DMSA), 2001.
[17] H. Shah, J. Undercoffer, and A. Joshi, "Fuzzy Clustering for Intrusion Detection," Proc. 12th IEEE International Conference on Fuzzy Systems (FUZZ-IEEE '03), vol. 2, pp. 1274-1278, 2003.

[18] C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, "Bayesian Event Classification for Intrusion Detection," Proc. 19th Annual Computer Security Applications Conference, pp. 14-23, 2003.
[19] T. Ambwani, "Multi class support vector machine implementation to intrusion detection," in Proc. of IJCNN, 2003, pp. 2300-2305.
[20] D. Song, M. I. Heywood, and A. N. Zincir-Heywood, "Training Genetic Programming on Half a Million Patterns: An Example from Anomaly Detection," IEEE Trans. Evolutionary Computation, vol. 9, pp. 225-239, 2005.
[21] W. Wang, X. H. Guan, and X. L. Zhang, "Modeling Program Behaviors by Hidden Markov Models for Intrusion Detection," Proc. International Conference Machine Learning and Cybernetics, vol. 5, pp. 2830-2835, 2004.
[22] W. Lee and S. Stolfo, "A Framework for Constructing Features and Models for Intrusion Detection Systems," Information and System Security, vol. 4, pp. 227-261, 2000.
[23] K. K. Gupta, B. Nath, and R. Kotagiri, "Layered Approach using Conditional Random Fields for Intrusion Detection," IEEE Transactions on Dependable and Secure Computing, vol. 5, 2008.
[24] A. Zaknich, Neural Networks for Intelligent Signal Processing. Sydney: World Scientific Publishing, 2003.
[25] A. Zaknich, "Introduction to the modified probabilistic neural network for general signal processing applications," IEEE Transactions on Signal Processing, vol. 46, pp. 1980-1990, 1998.
[26] D. F. Specht, "A general regression neural network," IEEE Transactions on Neural Networks, vol. 2, pp. 568-576, 1991.
[27] R. E. Schapire, "A brief introduction to boosting," in Proceedings of the Sixteenth International Joint Conference on Artificial Intelligence, San Francisco, CA, 1999, pp. 1401-1406.
[28] Y. Freund and R. Schapire, "A decision-theoretic generalization of on-line learning and an application to boosting," Journal of Computer and System Sciences, vol. 55, pp. 119-139, 1997.
[29] J. Zhu, S. Rosset, H. Zhou, and T. Hastie, "Multiclass AdaBoost," The Annals of Applied Statistics, vol. 2, pp. 1290-1306, 2005.
[30] R. Kohavi and D. Wolpert, "Bias plus variance decomposition for zero-one loss functions," in Proc. of International Conference on Machine Learning, Italy, 1996, pp. 275-283.
[31] D. F. Specht, "Probabilistic neural networks," Neural Networks, vol. 3, pp. 109-118, 1990.
[32] J. Huang, S. Ertekin, Y. Song, H. Zha, and C. L. Giles, "Efficient Multiclass Boosting Classification with Active Learning," ICDM, 2007.
[33] W. Fan, M. Miller, S. Stolfo, W. Lee, and P. Chan, "Using artificial anomalies to detect unknown and known network intrusions," Knowledge and Information Systems, vol. 6, pp. 507-527, 2004.
[34] R. Agarwal and M. V. Joshi, "PNrule: A New Framework for Learning Classifier Models in Data Mining (A Case-Study in Network Intrusion Detection)," 2000.


Building a Vietnamese language query processing framework for e-library searching systems
Dang Tuan Nguyen, Ha Quy-Tinh Luong
Faculty of Computer Science, University of Information Technology, VNU-HCM, Ho Chi Minh City, Vietnam

Tuyen Thi-Thanh Do
Faculty of Software Engineering, University of Information Technology, VNU-HCM, Ho Chi Minh City, Vietnam

Abstract—With the objective of building intelligent searching systems for e-libraries and online bookstores, we have proposed a searching system model based on a Vietnamese language query processing component. Document searching systems based on this model allow users to enter Vietnamese queries expressing the content they are looking for, instead of entering keywords to be matched against specific database fields. To simplify the realization of systems based on this searching system model, we set the goal of building a framework that supports the rapid development of Vietnamese language query processing components. Such a framework lets the Vietnamese language query processing component of similar systems in this domain be implemented more easily.
Keywords—natural language processing; document retrieval; search engine.

I. INTRODUCTION

With the objective of building intelligent searching systems for e-libraries and online bookstores, we have proposed a searching system model based on a Vietnamese language query processing component. Document searching systems based on this model allow users to enter Vietnamese queries that express content information, instead of keywords for searching specific database fields. The model includes a restricted parser for analyzing Vietnamese queries, a transformer for transforming the syntactic structure of a query into its semantic representation, a generator for generating queries on a relational database from the semantic model, and an answer constructor. In fact, this model inherits the ideas of our earlier document retrieval system, which lets users pose English queries to search for e-books in the Gutenberg e-library [1], [2], [3], [4], [5], [6], [7], [8]. To simplify the realization of systems based on this model, we set the goal of building a framework to support the rapid development of Vietnamese language query processing components. Such a framework lets the Vietnamese language query processing component of similar systems in this domain be implemented more easily.

II. FRAMEWORK ARCHITECTURE

The VLQP framework has a two-tier architecture. It includes a restricted parser, which analyzes a Vietnamese query from the user based on a set of predefined syntactic rules, and a transformer, which maps the syntactic structure of the query to its semantic representation. The main features of these components are, in brief:

- The parser analyzes the syntax of a Vietnamese query and outputs the syntactic components found in it. During analysis, the parts of speech and sub-categories of these components are determined. The parser operates on a set of syntactic rules that covers the various forms of Vietnamese queries arising in e-book searching applications for e-libraries; new syntactic rules can be added to enrich the set.
- The transformer uses predefined transformation rules to map the syntactic structure of a Vietnamese query to its semantic representation. These rules are defined for a specific application domain. A semantic representation model is also built to represent the semantics of all the query forms covered by the syntactic rules.

The architecture of the framework is illustrated in Figure 1.
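The two-tier flow can be summarized with a small interface sketch. Class and method names here are hypothetical (the paper does not publish the VLQP API); the point is the pipeline: parse a query into a (rule, components) pair, then map that pair to a semantic representation:

```python
class RestrictedParser:
    """Tier 1: match a Vietnamese query against the predefined syntactic rules."""
    def __init__(self, rules):
        self.rules = rules  # e.g. rule id -> BNF-like pattern

    def parse(self, query: str):
        """Return (rule_id, components) for the first matching rule."""
        raise NotImplementedError  # rule matching omitted in this sketch

class Transformer:
    """Tier 2: map a syntactic structure to its semantic representation."""
    def __init__(self, transform_rules):
        self.transform_rules = transform_rules  # rule id -> mapping function

    def to_semantics(self, rule_id, components):
        return self.transform_rules[rule_id](components)

def process_query(query, parser, transformer):
    rule_id, components = parser.parse(query)
    return transformer.to_semantics(rule_id, components)

# Toy wiring with a stub parser (hypothetical rule id and components):
class EchoParser(RestrictedParser):
    def parse(self, query):
        return "Q1.1a", {"book": "sách B"}

transformer = Transformer({"Q1.1a": lambda c: ("verb_write", (c["book"], "rel_obj"))})
print(process_query("Ai đã viết sách B?", EchoParser([]), transformer))
# ('verb_write', ('sách B', 'rel_obj'))
```

The searching system would then pass the semantic representation to its own database query generator, as described in the introduction.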


Figure 1. Framework architecture

The VLQP framework is delivered as a complete Java package. Vietnamese language query processing components built on VLQP take Vietnamese queries as input and produce their semantic representations as output. The searching systems must provide additional components that process these semantic representations and return results to the user.

III. RESTRICTED PARSER

A. Description of syntactic rules

The parser is built to analyze the syntax of Vietnamese queries in a given application domain, for example query forms such as:

- Ai đã viết cuốn sách B vào năm 2000? (Who wrote book B in 2000?)
- Nhà xuất bản nào đã phát hành cuốn B trong năm 2008? (Which publisher published book B in 2008?)
- Sách B được tác giả A viết vào năm nào? (In what year did author A write book B?)
- Trong năm 2009, tác giả A có viết sách nào thuộc chủ đề T không? (In 2009, did author A write any book on subject T?)

The syntax of these Vietnamese question forms can be described in BNF (Backus–Naur Form) notation. The set of syntactic rules contains about 60 forms of Vietnamese queries involving titles, authors, years of publication, publishers, subjects, etc. For example, the following query is analyzed into syntactic components:

S1 := Tác giả A có viết sách B vào năm 2008 không? (S1 := Did author A write book B in 2008?)

In this query, the words "có" and "không" are interrogative words. As a result, the query is analyzed into the components:

- author: tác giả A (author A)
- interrogative1: có
- verb_write: viết (write)
- book: sách B (book B)
- adverbial phrase of time (APT): vào năm 2008 (in 2008)
- interrogative2: không

The query is represented in BNF notation as:

S1_BNF := <author> [<interrogative1>] <verb> <book> [<APT>] [<interrogative2>] "?"

B. Syntactic rules

The parser works on a set of predefined syntactic rules. Table 1 presents the full list of syntactic rules, in BNF form, included in VLQP framework version 1.0.

TABLE 1. SYNTACTIC RULES

1. <Q1.1a> = <what_author> [<vperfect>] [<interrogative1>] <verb_write> <book> {[<conjunction>] <book>} [<time_phrase>] "?"
2. <Q1.1b> = [<time_phrase>] [","] <what_author> [<vperfect>] [<interrogative1>] <verb_write> <book> {[<conjunction>] <book>} "?"
3. <Q1.1c> = <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <what_author> <verb_write> [<time_phrase>] "?"
4. <Q1.1d> = [<time_phrase>] [","] <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <what_author> <verb_write> "?"
5. <Q1.2a> = [<interrogative3>] <creator> [<possessive>] <book> {[<conjunction>] <book>} <verb_be> <author> [<interrogative2>] "?"
6. <Q1.2b> = [<interrogative3>] <author> <verb_be> <creator> [<possessive>] <book> {[<conjunction>] <book>} [<interrogative2>] "?"
7. <Q1.2c> = <author> [<interrogative3>] <verb_be> <creator> [<possessive>] <book> {[<conjunction>] <book>} [<interrogative2>] "?"
8. <Q1.3a> = [<interrogative3>] <author> [<vperfect>] [<interrogative1>] <verb_write> <book> {[<conjunction>] <book>} [<time_phrase>] [<interrogative2>] "?"
9. <Q1.3b> = [<time_phrase>] [","] [<interrogative3>] <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <author> <verb_write> [<interrogative2>] "?"
10. <Q1.4a> = <author> [<vperfect>] [<interrogative1>] <verb_write> <book> {[<conjunction>] <book>} [<prep_time>] <what_time> "?"
11. <Q1.4b> = <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <author> <verb_write> [<prep_time>] <what_time> "?"
12. <Q2.1a> = <what_publisher> [<vperfect>] [<interrogative1>] <verb_publish> <book> {[<conjunction>] <book>} [<time_phrase>] "?"
13. <Q2.1b> = [<time_phrase>] [","] <what_publisher> [<vperfect>] [<interrogative1>] <verb_publish> <book> {[<conjunction>] <book>} "?"
14. <Q2.1c> = <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <what_publisher> <verb_publish> [<time_phrase>] "?"
15. <Q2.1d> = [<time_phrase>] [","] <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <what_publisher> <verb_publish> "?"
16. <Q2.2a> = [<interrogative3>] <publisher> [<vperfect>] [<interrogative1>] <verb_publish> <book> {[<conjunction>] <book>} [<time_phrase>] [<interrogative2>] "?"
17. <Q2.2b> = [<time_phrase>] [","] [<interrogative3>] <publisher> [<vperfect>] [<interrogative1>] <verb_publish> <book> {[<conjunction>] <book>} [<interrogative2>] "?"
18. <Q2.2c> = [<interrogative3>] <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <publisher> <verb_publish> [<time_phrase>] [<interrogative2>] "?"
19. <Q2.2d> = [<time_phrase>] [","] [<interrogative3>] <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <publisher> <verb_publish> [<interrogative2>] "?"
20. <Q2.3a> = <publisher> [<vperfect>] [<interrogative1>] <verb_publish> <book> {[<conjunction>] <book>} [<prep_time>] <what_time> "?"
21. <Q2.3b> = [<prep_time>] <what_time> <publisher> [<vperfect>] [<interrogative1>] <verb_publish> <book> {[<conjunction>] <book>} "?"
22. <Q2.3c> = <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <publisher> <verb_publish> [<prep_time>] <what_time> "?"
23. <Q2.3d> = [<prep_time>] <what_time> <book> {[<conjunction>] <book>} [<vperfect>] <vpassive> <publisher> <verb_publish> "?"
24. <Q3.1a> = <book> [<of_author>] [<by_publisher>] [<time_phrase>] <is_of> <what_subject> "?"
25. <Q3.1b> = [<time_phrase>] [","] <book> [<of_author>] [<by_publisher>] <is_of> <what_subject> "?"
26. <Q3.1c> = <field> <possessive> <book> [<of_author>] [<by_publisher>] [<time_phrase>] <interrogative4> "?"
27. <Q3.1d> = [<time_phrase>] [","] <field> <possessive> <book> [<of_author>] [<by_publisher>] <interrogative4> "?"
28. <Q3.2a> = <book> [<of_author>] [<by_publisher>] [<time_phrase>] [<interrogative1>] <is_of> <subject> [<interrogative2>] "?"
29. <Q3.2b> = [<time_phrase>] [","] <book> [<of_author>] [<by_publisher>] [<interrogative1>] <is_of> <subject> [<interrogative2>] "?"
30. <Q3.2c> = <book> [<of_author>] [<by_publisher>] [<time_phrase>] [<interrogative3>] <verb_be> <book_type> <is_of> <subject> [<interrogative2>] "?"
31. <Q3.2d> = [<time_phrase>] [","] <book> [<of_author>] [<by_publisher>] [<interrogative3>] <verb_be> <book_type> <is_of> <subject> [<interrogative2>] "?"
32. <Q3.3a> = [<time_phrase>] [","] <author> [<vperfect>] [<interrogative1>] <verb_write> [<plural>] <book_type> <verb_have> <what_subject> "?"
33. <Q3.3b> = <author> [<vperfect>] [<interrogative1>] <verb_write> [<plural>] <book_type> <verb_have> <what_subject> [<time_phrase>] "?"
34. <Q3.3c> = [<time_phrase>] [","] <author> [<vperfect>] [<interrogative1>] <verb_write> [<plural>] <book_type> <is_of> <what_subject> "?"
35. <Q3.3d> = <author> [<vperfect>] [<interrogative1>] <verb_write> [<plural>] <book_type> <is_of> <what_subject> [<time_phrase>] "?"
36. <Q3.4a> = <publisher> [<vperfect>] [<interrogative1>] <verb_publish> [<plural>] <verb_have> <what_subject> [<time_phrase>] "?"
37. <Q3.4b> = [<time_phrase>] <publisher> [<vperfect>] [<interrogative1>] <verb_publish> [<plural>] <verb_have> <what_subject> "?"
38. <Q3.4c> = <publisher> [<vperfect>] [<interrogative1>] <verb_publish> [<plural>] <is_of> <what_subject> [<time_phrase>] "?"
39. <Q3.4d> = [<time_phrase>] <publisher> [<vperfect>] [<interrogative1>] <verb_publish> [<plural>] <is_of> <what_subject> "?"
40. <Q4.1a> = [<plural>] [<book_type>] [<verb_have> <subject>] [<by_author>] [<time_phrase>] <interrogative4> "?"
41. <Q4.1b> = [<time_phrase>] [","] [<plural>] [<book_type>] [<verb_have> <subject>] [<by_author>] [<interrogative4>] "?"
42. <Q4.1c> = [<plural>] [<book_type>] [<is_of> <subject>] [<by_author>] [<time_phrase>] <interrogative4> "?"
43. <Q4.1d> = [<time_phrase>] [","] [<plural>] [<book_type>] [<is_of> <subject>] [<by_author>] <interrogative4> "?"
44. <Q4.2a> = [<plural>] <book_type> [<verb_have> <subject>] <by_publisher> [<time_phrase>] <interrogative4> "?"
45. <Q4.2b> = [<time_phrase>] [","] [<plural>] <book_type> [<verb_have> <subject>] <by_publisher> <interrogative4> "?"
46. <Q4.2c> = [<plural>] <book_type> [<is_of> <subject>] <by_publisher> [<time_phrase>] <interrogative4> "?"
47. <Q4.2d> = [<time_phrase>] [","] [<plural>] <book_type> <is_of> <subject> <by_publisher> <interrogative4> "?"
48. <Q5.1a> = <book> [<vperfect>] <vpassive> [<publisher>] <verb_publish> <what_place> [<time_phrase>] "?"
49. <Q5.1b> = [<time_phrase>] [","] <book> [<vperfect>] <vpassive> <verb_publish> <what_place> "?"
50. <Q5.2> = <publisher> <verb_locate> <what_place> "?"
51. <Q6.1a> = [<verb_buy>] <book> <verb_cost> "?"
52. <Q6.1b> = <price> [<possessive>] <book> [<what_price>] "?"
53. <Q7.1> = <how_many> <book> <in_elib> "?"
54. <Q7.2a> = <author> [<vperfect>] [<interrogative1>] <verb_write> <how_many> <book> [<time_phrase>] "?"
55. <Q7.2b> = [<time_phrase>] [","] <author> [<vperfect>] [<interrogative1>] <verb_write> <how_many> <book> "?"
56. <Q7.3a> = <publisher> [<vperfect>] [<interrogative1>] <verb_publish> <how_many> <book> [<time_phrase>] "?"
57. <Q7.3b> = [<time_phrase>] [","] <publisher> [<vperfect>] [<interrogative1>] <verb_publish> <how_many> <book> "?"

The framework also allows new syntactic rules, together with their corresponding processing, to be added.

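Rules of this shape can be executed by compiling each production into a token-level pattern in which optional elements may be skipped. The sketch below is a simplified illustration (not the framework's actual implementation; repetition `{...}` is omitted for brevity):

```python
def matches(pattern, tokens):
    """Match a flat BNF-like pattern against a list of component labels.
    Items wrapped as ("opt", name) may be skipped; plain names must match."""
    def rec(p, t):
        if not p:
            return not t                      # both exhausted -> match
        head, rest = p[0], p[1:]
        if isinstance(head, tuple) and head[0] == "opt":
            # try consuming the optional item, then try skipping it
            if t and t[0] == head[1] and rec(rest, t[1:]):
                return True
            return rec(rest, t)
        return bool(t) and t[0] == head and rec(rest, t[1:])
    return rec(list(pattern), list(tokens))

# <Q5.2> = <publisher> <verb_locate> <what_place> "?"
q5_2 = ["publisher", "verb_locate", "what_place", "?"]
print(matches(q5_2, ["publisher", "verb_locate", "what_place", "?"]))  # True

# <Q7.2a> = <author> [<vperfect>] [<interrogative1>] <verb_write>
#           <how_many> <book> [<time_phrase>] "?"
q7_2a = ["author", ("opt", "vperfect"), ("opt", "interrogative1"),
         "verb_write", "how_many", "book", ("opt", "time_phrase"), "?"]
print(matches(q7_2a, ["author", "verb_write", "how_many", "book", "?"]))  # True
```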

IV. SEMANTIC TRANSFORMATION

After the syntax of a query has been analyzed, the next step is to transform the syntactic structure into its semantic representation. The semantic representations of queries are based on a semantic model we have built to represent the semantic content of queries.

A. Semantic model

In the semantic model, the verb plays the central role and nouns modify its meaning. Relationships are defined from sub-categories containing verbs, noun phrases, adverbial phrases and prepositional phrases. For instance, in the case of the verb "viết" ("to write"): "author" is its subject, and the relationship is called "rel_sub"; "book" is its object, and the relationship is called "rel_obj"; the APT is the time at which the action of "viết" ("to write") is considered, and the relationship is called "rel_time". Since rel_time can take multiple values (before, in, after), we split it into three single-valued relations: rel_time1 (before), rel_time2 (in) and rel_time3 (after). By convention, if we wish to ask about a certain component of a BNF query, we place a question mark ("?") right after it. From S1_BNF, the semantic representation is defined as:

S1_SEM := (verb_write? ((author, rel_sub), (book, rel_obj), (APT, rel_time2)))

In BNF, identifying the subject and the object depends on the meaning of the main verb: if the main verb is "viết" ("to write"), the subject is "author" and the object is "book"; if the main verb is "xuất bản" ("to publish"), the subject and object are "publisher" and "book", and so on. The transformation from syntactic structure to semantic representation can be carried out automatically by predefined rules. The semantic model eliminates components of the query that carry no content (interrogative words such as interrogative1, …, interrogative4) and retains the key information needed to represent the query.

In BNF, the elements with "what" labels are those being asked about, and they are marked by a question mark after their name in the semantic model. Queries whose elements carry no "what" labels are Yes/No questions; these can also be recognized from the interrogative words used. Another example:

S2 := Nhà xuất bản nào đã xuất bản sách B trong năm 2009? (S2 := Which publisher published book B in 2009?)

S2_BNF := <what_publisher> [<vperfect>] <verb_publish> <book> [<APT>] "?"

where:
- what_publisher: Nhà xuất bản nào
- vperfect: đã
- verb_publish: xuất bản
- book: sách B
- APT: trong năm 2009

The semantic representation corresponding to S2_BNF is:

S2_SEM := (verb_publish ((publisher?, rel_sub), (book, rel_obj), (APT, rel_time2)))

B. Predefined semantic structures

The full list of semantic structures included in VLQP framework version 1.0 is given in Table 2.

TABLE 2. SEMANTIC STRUCTURES

Q1.1: (verb_write ((author?, rel_sub), (book, rel_obj), [(year, rel_time2)]))
Q1.2: (verb_be? ((author, rel_sub), ((verb_possessive ((author, rel_sub), (book, rel_obj))), rel_obj)))
Q1.3: (verb_write? ((author, rel_sub), (book, rel_obj), [(time_phrase, rel_time)]))
Q1.4: (verb_write? ((author, rel_sub), (book, rel_obj), [(year?, rel_time2)]))
Q2.1: (verb_publish ((publisher?, rel_sub), (book, rel_obj), [(year, rel_time2)]))
Q2.2: (verb_publish? ((publisher, rel_sub), (book, rel_obj), [(time_phrase, rel_time)]))
Q2.3: (verb_publish ((publisher, rel_sub), (book, rel_obj), (year?, rel_time2)))
Q3.1: (is_of ((is_of (((is_of (book, rel_sub), ([publisher], rel_obj), [(year, rel_time2)])), rel_sub), ([author], rel_obj))), (subject?, rel_obj)))
Q3.2: (is_of? ((is_of (((is_of (book, rel_sub), ([publisher], rel_obj), [(year, rel_time2)])), rel_sub), ([author], rel_obj))), (subject, rel_obj)))
Q3.3: (is_of ((is_of ((book, rel_sub), (author, rel_obj), [(year, rel_time2)])), rel_sub), (subject?, rel_obj)))
Q3.4: (is_of ((is_of ((book, rel_sub), (publisher, rel_obj), [(year, rel_time2)])), rel_sub), (subject?, rel_obj)))
Q4.1: (verb_write ((author, rel_sub), ((is_of (book?, rel_sub), ([subject], rel_obj)), rel_obj), [(time_phrase, rel_time)]))
Q4.2: (verb_publish ((publisher, rel_sub), ((is_of (book?, rel_sub), ([subject], rel_obj)), rel_obj), [(time_phrase, rel_time)]))
Q5.1: (verb_publish (([publisher], rel_sub), (book, rel_obj), [(year, rel_time2)], (location?, rel_loc)))
Q5.2: (verb_locate ((publisher, rel_sub), (location?, rel_obj)))
Q6.1: (verb_cost ((book, rel_sub), (price?, rel_obj)))
Q7.1: (verb_have ((source, rel_sub), (book, rel_obj), (book_amount?, rel_amount)))
Q7.2: (verb_write ((author, rel_sub), (book, rel_obj), [(time_phrase, rel_time)], (book_amount?, rel_amount)))
Q7.3: (verb_publish ((publisher, rel_sub), (book, rel_obj), [(time_phrase, rel_time)], (book_amount?, rel_amount)))

For each syntactic structure, represented by a syntactic rule, a corresponding semantic structure is defined.
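As an illustration of this table-driven transformation, the S2 example above can be encoded as follows (the Python representation is hypothetical; the framework's internal data structures are not published):

```python
def transform_q2_1(components):
    """Map a parsed Q2.1-style query ("which publisher published book B
    in <year>?") to its semantic form. The '?' marks the queried element."""
    return ("verb_publish",
            (("publisher?", "rel_sub"),
             (components["book"], "rel_obj"),
             (components.get("APT"), "rel_time2")))

# Components of S2 as produced by the parser:
s2_components = {"what_publisher": "Nhà xuất bản nào",
                 "vperfect": "đã",
                 "verb_publish": "xuất bản",
                 "book": "sách B",
                 "APT": "trong năm 2009"}
print(transform_q2_1(s2_components))
# ('verb_publish', (('publisher?', 'rel_sub'), ('sách B', 'rel_obj'),
#                   ('trong năm 2009', 'rel_time2')))
```

Note how the interrogative words (có, không, nào) do not survive the transformation; only content-bearing components are retained, as described above.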


V. CONCLUSION

Building computer systems able to understand human natural language is a challenging research problem; pure syntax analysis alone does not let a computer understand human language. We have proposed a semantic representation model for processing Vietnamese query forms in specific application domains. The results obtained show that this is a sound and promising approach, given the current lack of methods that let computers understand every term of human language. In the VLQP framework, the semantic model is an original feature we have introduced; it supports the syntax analysis and the representation of the Vietnamese query forms of the application domain. We also propose transformation rules that map syntactic structures to their semantic representations. The framework has been implemented and tested with 200 Vietnamese queries; the results of this manual testing stage show that the framework meets all of the described requirements. The framework can be further developed to handle new forms of Vietnamese queries, and from this model we anticipate building frameworks that handle Vietnamese queries for other application domains.

References
[1] Dang Tuan Nguyen, Tuyen Thi-Thanh Do, "E-Library Searching by Natural Language Question-Answering System", Proceedings of the Fifth International Conference on Information Technology in Education and Training (IT@EDU2008), pages 71-76, Ho Chi Minh and Vung Tau, Vietnam, December 15-16, 2008.
[2] Dang Tuan Nguyen, Tuyen Thi-Thanh Do, "e-Document Retrieval by Question Answering System", International Conference on Communication Technology, Penang, Malaysia, February 25-27, 2009. Proceedings of World Academy of Science, Engineering and Technology, Volume 38, 2009, pages 395-398, ISSN: 2070-3740.
[3] Dang Tuan Nguyen, Tuyen Thi-Thanh Do, "Natural Language Question Answering Model Applied To Document Retrieval System", International Conference on Computer Science and Technology, Hong Kong, China, March 23-25, 2009. Proceedings of World Academy of Science, Engineering and Technology, Volume 39, 2009, pages 36-39, ISSN: 2070-3740.
[4] Dang Tuan Nguyen, Tuyen Thi-Thanh Do, "Document Retrieval Based on Question Answering System", Proceedings of the Second International Conference on Information and Computing Science, pages 183-186, Manchester, UK, May 21-22, 2009. ISBN: 978-0-7695-3634-7. Editions IEEE.
[5] Dang Tuan Nguyen, Tuyen Thi-Thanh Do, Quoc Tan Phan, "A Document Retrieval Model Based-on Natural Language Queries Processing", Proceedings of the International Conference on Artificial Intelligence and Pattern Recognition (AIPR), pages 216-220, Orlando, FL, USA, July 13-16, 2009. ISBN: 978-1-60651-007-0. Editions ISRST.
[6] Dang Tuan Nguyen, "Interactive Document Retrieval System Based-on Natural Language Query Processing", Proceedings of the Eighth International Conference on Machine Learning and Cybernetics, pages 2233-2237, Baoding, Hebei, China, July 12-15, 2009. ISBN: 978-1-4244-3703-0. Editions IEEE.
[7] Dang Tuan Nguyen, Tuyen Thi-Thanh Do, Quoc Tan Phan, "Integrating Natural Language Query Processing and Database Search Engine", Proceedings of the 2009 International Conference on Artificial Intelligence - ICAI'09, Volume 1, pages 137-141, Las Vegas, Nevada, USA, July 13-16, 2009. ISBN: 1-60132-107-4, 1-60132-108-2 (1-60132-109-0). CSREA Press.
[8] Dang Tuan Nguyen, Tuyen Thi-Thanh Do, Quoc Tan Phan, "Natural Language Interaction-Based Document Retrieval", The 2nd IEEE International Conference on Computer Science and Information Technology 2009 (ICCSIT 2009), Volume 4, pages 544-548, Beijing, China, August 8-11, 2009. ISBN: 978-1-4244-4520-2. Editions IEEE.

96

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No.1, 2009

Detecting Botnet Activities Based on Abnormal DNS Traffic
Ahmed M. Manasrah, Awsan Hasan
National Advanced IPv6 Center of Excellence Universiti Sains Malaysia, Pulau Pinang, Malaysia {ahmad,awsan}@nav6.org
Abstract— The botnet is considered a critical issue of the Internet due to its fast growth and impact. Recently, botnets have utilized the DNS and query the DNS server just like any legitimate host. In this case, it is difficult to distinguish between legitimate and illegitimate DNS traffic. It is therefore important to build a suitable solution for botnet detection in DNS traffic and consequently protect the network from malicious botnet activities. In this paper, a simple mechanism is proposed that monitors the DNS traffic and detects the abnormal DNS traffic issued by a botnet, based on the fact that botnets appear as a group of hosts periodically. The proposed mechanism is also able to classify the DNS traffic requested by groups of hosts (group behavior) and single hosts (individual behavior), and consequently detect the abnormal domain names issued by malicious botnets. Finally, the experimental results show that the proposed mechanism is robust, able to classify DNS traffic, and efficiently detects botnet activity with an average detection rate of 89%.

Keywords: botnet detection, network worm detection, network threat detection

Omar Amer Abouabdalla, Sureswaran Ramadass
National Advanced IPv6 Center of Excellence, Universiti Sains Malaysia, Pulau Pinang, Malaysia
{omar, sures}@nav6.org

I. INTRODUCTION

The growth in the area of networks in the past few years is considered part of the exponential growth of communication systems. The network is just like a computer; it needs software to simplify its functionality and make it easy to use. Internet browsing, e-mail, and instant messaging are a few examples of the usage of computer communication over the Internet. Nowadays, personal computer systems are widely used, hence the number of Internet subscribers has increased gradually. Generally, these computers contain important data, such as users' information and possibly business activities [9]. Therefore, computers have become a favorite target that attracts the attackers' community. Even though these systems are protected by antivirus software and firewalls, they may still be exposed to different malicious attacks, especially as attackers are always looking for various techniques to assist them in compromising a large number of computer systems around the world [2].

Nowadays, the botnet is considered a serious problem as it forms a major and dangerous part of the Internet. This is because it spreads rapidly in the network over the Internet, and it is difficult to detect because bots have the ability to hide themselves like viruses and propagate like network worms [9, 21].

This work was supported by the Research University Grant 1001/PPTMK/817022, Distributed Network Monitoring and Security Platform, Universiti Sains Malaysia.

II. BOTNET PHENOMENON

A botnet consists of a collection of bots running on compromised computers, which can be remotely controlled by an attacker called the "botmaster" via a command-and-control (C&C) server. Importantly, these bots are individual pieces of programmable software. A bot can be installed and run automatically in any compromised system; it has the ability to spread similar to worms, and it can evade detection programs similar to viruses [26]. Any compromised network infected with a large number of bots is called a botnet [1]. All bots receive and execute the same command from the botmaster and respond to the same C&C server with an execution result [5]. The botnet listens to a particular channel (i.e. IRC or HTTP) on the C&C server [14] to receive further instructions from the botmaster [7]. These channels are used to carry commands issued by the botmaster to the bots [18]. In most cases, the C&C server is a compromised system under the control of the botmaster, who controls the entire botnet. The bots need to communicate with the C&C server regularly to receive more instructions from the botmaster [5]. Therefore, if the network administrators or authorities block the C&C server, the bots cannot receive the commands issued by the botmaster. In this case, the botmaster will compromise a new C&C server and use the Dynamic Domain Name System (DDNS) to move his domain name from the old C&C server to the new C&C server [18].

The DNS is a distributed database spread over the Internet, which is used to translate domain names into IP addresses and vice versa [14, 23]. Thus, by using the DNS,


the "botmaster" can direct the bots to migrate to the domain name that has been moved to the new C&C server, as the domain name is hard-coded in the bots' binary. The bots query the DNS server to find the "botmaster's" domain name. In return, the DNS server replies to the bots and provides them with the new IP address of the "botmaster's" domain name, which is located on a newly compromised C&C server [18]. Nowadays, the DNS has become a desired target of "botmasters" due to its importance in the Internet. DNS is not owned or controlled by a specific organization, and DNS traffic flows between clients and the DNS server without any protection or restriction. As such, a botnet can exploit the DNS to perform its malicious activities. The botnet queries the DNS server just like any legitimate host, and the DNS server responds to the query without distinguishing the source of the query [3].

III. BOTNET AND DNS

Monitoring botnet behaviors and exploiting them is considered one of the keys to detecting botnet activities in DNS traffic. Choi et al. (2007) discussed some botnet features in the DNS, and how a botnet can exploit DDNS to move to a new C&C server when the old one is blocked. If so, the botnet queries the DNS server to find the location of the domain name [4]. Table 1 shows the comparison between the activities of a legitimate host and a botnet when both are using the DNS.

TABLE I. DIFFERENCE BETWEEN BOTNET AND LEGITIMATE HOSTS

Using DNS By    | Requested Domain Name                              | Activity and Appeared Pattern
Botnet          | Botnet members have a fixed group size (anonymous) | Group appears immediately
Legitimate Host | Legitimate users have a random group size          | Usually appears randomly and continuously

There are many computer applications and legitimate users that utilize the DNS to access the Internet and perform their jobs correctly [24]. On the other hand, a botnet also utilizes the DNS to perform its malicious activities. Since many normal applications require DNS to access the Internet, the problem lies in how the normal DNS traffic caused by a legitimate user or application can be distinguished from the abnormal DNS traffic caused by botnet activity. However, by monitoring the DNS traffic, it is possible to identify and detect the botnet in the DNS traffic [11, 24].

IV. BOTNET BEHAVIOR

Akiyama et al. (2007) proposed three important behaviors of botnets, discovered by monitoring the activities of botnets during the flow of data in C&C servers [1]. These behaviors are:

• Bots Relationship: The relationship between the botmaster and the bots is one-to-many, because the botmaster usually controls a number of bots and issues the same command to all of them. Hence, the bots work as one group, and it is possible to detect their behavior by monitoring the activities of these groups of the botnet in the network traffic.

• Bots Synchronization: Bots receive the same command from the botmaster. They communicate with each other and attack at the same time. This action can expose the group of the botnet, because the ratio of traffic released by this group is very high compared to the others, and in some cases this traffic is discrete in time.

• Bots Responding: When a bot receives a command from the botmaster, it responds immediately and executes it accurately, without a need to "think" about it, so the time taken to do this is always constant. Thus, this response time can be used to discover the presence of a botnet.

V. DNS MONITORING

Several studies have been conducted with regard to this problem; they focused on distinguishing between the normal DNS traffic generated legally in the monitored network and traffic that is suspicious and resembles botnet behavior. Kristoff (2004) conducted a study that monitors the DNS in order to detect botnets with prior knowledge of blacklisted servers that spread or connect to malicious malware. This approach can simply be evaded when the botmaster knows the mechanism; it can easily be tricked by using fake DNS queries [11]. Weimer (2005) conducted another study to monitor the DNS traffic, based on passive DNS replication. Its purpose was to build a reverse lookup for IP addresses for which no PTR records exist. By doing so, it becomes easy to detect any domain name used to contact a system on the Internet [23].
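The group-appearance pattern contrasted in Table 1 can be sketched as a small window-based monitor. The record format, window length, threshold, and sample traffic below are hypothetical illustrations, not part of the authors' implementation:

```python
from collections import defaultdict

def group_queries(records, window=60):
    """Bucket DNS query records (timestamp, mac, domain) into
    fixed-length time windows, keyed by (window index, domain)."""
    blocks = defaultdict(set)
    for ts, mac, domain in records:
        blocks[(int(ts // window), domain)].add(mac)
    return blocks

def flag_group_activity(blocks, min_hosts=3):
    """A domain queried by many distinct hosts inside one short
    window shows the 'group appears immediately' pattern."""
    return sorted({d for (_, d), macs in blocks.items() if len(macs) >= min_hosts})

# Hypothetical traffic: three hosts hit evil.example within the same minute,
# while a single user browses news.example over several minutes.
records = [
    (1, "aa:01", "evil.example"), (2, "aa:02", "evil.example"),
    (3, "aa:03", "evil.example"),
    (10, "bb:01", "news.example"), (200, "bb:01", "news.example"),
]
print(flag_group_activity(group_queries(records)))  # ['evil.example']
```

The legitimate host never crosses the threshold because its queries are spread over time and come from a single MAC address.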


Dagon (2005) discovered that the ratio of abnormal DNS traffic is high compared to the others, and this indicates the presence of botnet activity. However, this approach generates false results and can classify a legitimate domain name as an abnormal domain name [6]. Ramachandran et al. (2006) proposed a technique and heuristics utilizing DNSBL blacklist lookup traffic to identify botnets; the technique performs counter-intelligence that detects DNSBL inspection by botnet groups that spread mail spam. However, this technique also generates false positives due to the active nature of counter-measures such as inspection poisoning; besides, the approach cannot detect distributed inspection [16]. Schonewille and Van Helmond (2006) proposed an approach based on the abnormal frequency of NXDOMAIN reply rates; the approach can detect several abnormal domain names effectively and generates fewer false positives [20]. Choi et al.'s (2007) study detects botnets by exploiting the group activity feature of the botnet. This approach is stronger than the previous approaches, but its main weakness is that when it is applied to a large-scale network the processing time becomes high [4]. Finally, Tu et al. (2007) conducted a study to identify the activities of botnets by mining DNS traffic data [22]. The approach proposed in this paper does not require any prior knowledge of blacklisted servers to classify the DNS traffic, nor does it depend on a high ratio of DNS traffic to detect the botnet. Instead, it depends on exploiting the botnet's behavior in the DNS traffic, particularly the appearance of the botnet as a periodic group of hosts. The probability of botnet detection can be obtained by measuring the ratio of similarity between any blocks of hosts that requested the same domain name at any given time interval.

Here Z is the number of elements common to both objects X and Y, X is the number of elements in the first object only (not in Y), and Y is the number of elements in the second object only (not in X). Table 2 clarifies the probability value of the Jaccard similarity coefficient S when used to match two blocks of hosts.

TABLE II. JACCARD SIMILARITY VALUES

Jaccard Similarity Value | Probability
S = 1                    | The similarity ratio between all the hosts in the two blocks is 100%, so this domain name is an abnormal domain name issued by botnet activity.
0.8 ≤ S ≤ 1              | There is an assurance that 80% of the hosts are associated in a direct or indirect relation. This is a good value for this research (considering false alarm rates and network delay time). Hence, this domain name is an abnormal domain name issued by botnet activity.
0 ≤ S < 0.8              | The similarity ratio is less than 80%, so it cannot be stated exactly that there is a similarity between the two blocks of hosts. This domain name is classified as a normal domain name.
S = 0                    | There is no similarity between hosts in the two blocks, and consequently the domain name is a normal domain name.
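Read as a decision rule, Table 2 maps a similarity score to one of two labels; a minimal sketch (the function name is ours):

```python
def classify(s):
    """Apply the Table 2 thresholds to a Jaccard similarity value S."""
    if not 0.0 <= s <= 1.0:
        raise ValueError("Jaccard similarity must lie in [0, 1]")
    # S >= 0.8 (including S = 1): hosts overlap enough to call it botnet activity.
    # S < 0.8 (including S = 0): treated as a normal domain name.
    return "abnormal" if s >= 0.8 else "normal"

print(classify(1.0), classify(0.85), classify(0.5), classify(0.0))
# abnormal abnormal normal normal
```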

VI. THE PROPOSED METHOD

The proposed mechanism refers to monitoring and capturing the DNS traffic at different time intervals, and measuring the ratio of similarity between any two blocks of hosts X and Y (group behavior) requesting the same domain name at time intervals t1 and t2. The Jaccard similarity coefficient S is chosen because it is simple and provides good results [4, 17]. The Jaccard similarity coefficient consists of three summation variables, X, Y and Z, as shown in Equation 1:

S = Z / (X + Y + Z)    (1)

To apply the Jaccard similarity values between the two blocks of hosts, the MAC address is the preferred choice as the host's identifier rather than the IP address. This is because the botmaster exploits the dynamic IP feature, which may hide the identity of the hosts infected with the bot; consequently, it is not reliable to place such an IP on a blacklist. The Dynamic Host Configuration Protocol (DHCP) assigns multiple dynamic IP addresses to a unique host. An infected host, such as a laptop, can move from one network to another, with a new IP address assigned each time it connects to a new network. This confuses the host's identifier through IP address aliasing and generates false information about the activity of the host [25].
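Applied to two blocks of MAC addresses, Equation 1 reduces to set intersection and difference counts; a small sketch (the variable names and sample blocks are ours):

```python
def jaccard(block_x, block_y):
    """S = Z / (X + Y + Z), where Z counts the MAC addresses seen in
    both blocks, and X and Y count addresses unique to each block."""
    x_set, y_set = set(block_x), set(block_y)
    z = len(x_set & y_set)          # shared hosts
    x = len(x_set - y_set)          # only in the first block
    y = len(y_set - x_set)          # only in the second block
    return z / (x + y + z) if (x + y + z) else 0.0

# Two hypothetical blocks of hosts that queried the same domain
# at intervals t1 and t2.
t1 = {"aa:01", "aa:02", "aa:03", "aa:04"}
t2 = {"aa:01", "aa:02", "aa:03", "aa:05"}
print(round(jaccard(t1, t2), 2))  # 0.6 -> below the 0.8 threshold of Table 2
```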


By using the MAC address as the host's identifier to identify the activity of hosts, accurate results can be obtained even if hosts move from one location to another, because DHCP does not act on the MAC address. Moreover, the infected hosts that caused the abnormal traffic can be detected. MAC address spoofing is not taken into consideration, because any bot-infected host wants the reply back to itself when sending a query to the DNS server; in the case of spoofing, the reply is sent to a different host, which is out of the scope of this research. Spoofing takes place in other scenarios, such as DDoS attacks.

VII. MONITORING NORMAL AND ABNORMAL DNS TRAFFIC BEHAVIORS

The ratio of abnormal traffic towards the C&C server appears to be higher compared to the normal DNS traffic in the case of a botnet [6]. This abnormal DNS traffic appears only in short and discrete times, but the activity of a legitimate host appears for a longer and possibly continuous time, as shown in Figure 1.

Figure 1. Normal and Abnormal DNS Traffic

The "botmaster" instructs all the bots to perform their malicious activities simultaneously as groups in a short and discrete time, then stop all these activities suddenly, and so on. Taking this important behavior into consideration, the detection of the botnet becomes possible.

This method relies on monitoring the DNS traffic for a certain time T; this time is divided into different time intervals t1 and t2. A relationship is formed between any two blocks of hosts requesting the same domain name, and the probability of botnet detection between these two blocks of hosts is calculated using the Jaccard similarity, as portrayed in Figure 2. The probability of botnet detection is possible if the sizes of blocks X and Y are not equal to zero, and if within the monitoring time T the DNS ratio R is also greater than zero, as depicted in Equation 2:

|X| ≠ 0, |Y| ≠ 0 and R > 0 in T    (2)

Figure 2. Applying Jaccard Similarity between Two Blocks of Hosts

A simple mechanism framework, called the Botnet Detection Mechanism (BDM), is created to classify the DNS traffic and detect botnet activity in the DNS. The BDM consists of three main phases: a capturing phase, an analyzing phase, and a classifying phase, as illustrated in Figure 3.

Figure 3. BDM Framework

The BDM counts the query data at each time interval for any domain name requested by blocks of hosts during the monitoring time T. If there are two groups/blocks of hosts requesting the same domain name at time intervals t1 and t2, then the BDM applies the Jaccard similarity S between these groups of hosts and uses the MAC addresses as the


host's identifier. The BDM performs this by measuring the ratio of overlapping MAC addresses in the two groups. The BDM then stores the results in the database as either a normal domain name issued by legitimate hosts or an abnormal domain name issued by botnet activity, as per the similarity probabilities detailed in Table 2. If an abnormal domain name is found, the BDM sends an alarm to the network administrator to block this abnormal domain name, and the MAC addresses of the infected hosts are blacklisted. Since bots query the DNS server as a group of hosts periodically, any domain name requested by a single host at different time intervals could be a normal domain. Therefore, the probability is calculated for this single host, which could be an infected host used by the botmaster to check his domain's validity on the C&C server. This host activity usually occurs before the block of infected hosts queries the domain name that has been checked by the "botmaster". The BDM checks every single host to determine whether it is a bot-infected host or a legitimate host. This is done by matching the domain name requested by the single host against the normal and abnormal domain names stored in the BDM database that were requested by groups of hosts. If a single host has requested a normal domain name that is stored in the database, it cannot be clearly stated that this is a normal domain name, because an infected host also requests normal domain names due to the user's activity. Thus, in this case MAC matching is performed to obtain better identification results. If there is no match between the domain name requested by the single host and the domain names stored in the database, the BDM considers this a new domain name that is not stored in its database.

In this case, the BDM performs MAC matching between the MAC address of this host and the blacklisted MAC addresses stored in the database, and checks whether this host sends repeated queries to this domain name, as depicted in Figure 4. If there is no match, the BDM considers it a normal domain name and stores it in its database.

If there is a match (the host sends repeated queries), the BDM sends an alarm to the network administrator to block this new abnormal domain name, because this behavior is caused by bots on single hosts (i.e. early infection stages). This new domain name is stored in the database as an abnormal domain name, because it is a new domain name that the botmaster will use to communicate with his bots and issue further commands in the future. This allows the BDM to predict the attackers' new domain name and send an alarm to the network administrator to block it before the group of infected hosts appears and acquires it, thus preventing botnet activity on the network.
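The single-host check described above can be summarized as a small decision routine. The database layout here (two sets of domains, a MAC blacklist, and a repeat-query count) is our simplification of the BDM's store, not the authors' implementation:

```python
def check_single_host(mac, domain, repeats, db):
    """Decide how the BDM treats one host's query, following the text:
    known abnormal domain -> alarm; known normal domain -> MAC match;
    unknown domain -> blacklist MAC match plus repeated-query check."""
    if domain in db["abnormal"]:
        return "alarm"
    if domain in db["normal"]:
        # Normal domains are also queried by infected hosts, so fall back
        # to matching the MAC against the blacklist.
        return "alarm" if mac in db["blacklist"] else "normal"
    # New domain: abnormal only if a blacklisted host keeps re-querying it,
    # i.e. a bot checking the botmaster's next rally domain.
    if mac in db["blacklist"] and repeats > 1:
        db["abnormal"].add(domain)
        return "alarm"
    db["normal"].add(domain)
    return "normal"

db = {"normal": {"news.example"}, "abnormal": {"evil.example"},
      "blacklist": {"aa:01"}}
print(check_single_host("aa:01", "rally.example", repeats=5, db=db))  # alarm
print(check_single_host("bb:02", "fresh.example", repeats=1, db=db))  # normal
```

Note how the first call also records "rally.example" as abnormal, mirroring the BDM's prediction of the botmaster's next domain.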

VIII. VALIDATION

A test is performed on the BDM on the NAv6 network at USM to capture real DNS requests from the hosts; the iNetmon project was utilized in this test. The BDM runs on an Intel Core 2 Duo 2.00 GHz CPU with 2.00 GB of memory, under the Microsoft Windows Vista operating system. A simulator, BotDNS, is installed and run on different hosts of the NAv6 network, set up to request a specific domain name (i.e. www.xxx.com) periodically, every 60 seconds. The action taken in this scenario is to store this domain name as an abnormal domain name and send an alarm to the network administrator to block it before the infected hosts request this new domain name, consequently protecting the network from botnet activity in the future.

A. Performance Test Results

The experiment was carried out to capture real DNS requests from the hosts in the NAv6 network. The obtained results of classifying domain names are stored in the BDM database. These results contain more than 2000 domain names, which were requested by the hosts during the experiment. The classification of domain names into normal domain names caused by legitimate hosts and abnormal domain names caused by botnet activity is shown in Figure 5. The threshold value for a botnet domain name is set within 0.8 to 1, and for a legitimate domain name within 0 to less than 0.8, based on the Jaccard similarity values given earlier in Table 2.

Figure 4. Matching Single Host with Database

1 National Advanced IPv6 Centre of Excellence, www.nav6.org
2 iNetMon: Network Monitoring Platform, www.inetmon.com


Figure 5. Domain Names Classification Based on Jaccard Similarity

B. False Positive

A false positive classifies a normal domain name as an abnormal domain name. The false positive rate can be calculated with Equation 3 [8]:

False Positive Rate = F_p / (T_p + F_p)    (3)

where F_p refers to the number of false positive domain names detected, and T_p + F_p is the total number of true and false domain names detected.

The above test was repeated three times for an average reading, while the detection experiment was performed over one week. In the first experiment, no false positive was generated; most legitimate domain names were classified correctly as normal domain names, so the false positive rate is 0% for this experiment. In the second experiment, there is a normal domain that is classified as an abnormal domain, so a false positive is present: the BDM classifies Google as an abnormal domain name. During the second experiment period, three abnormal domain names were detected, of which one was a legitimate domain name classified as abnormal. The rate of false positives generated during this experiment is 33%:

False Positive Rate = 1 / 3 ≈ 33%

Finally, the third experiment is the same as the first: no false positive is generated, so the false positive rate is 0%. By taking the average value of the false positive rate over these three experiments, the rate of false positives generated during the experiments is 11%:

Average False Positive Rate = (0% + 33% + 0%) / 3 ≈ 11%
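The arithmetic behind the reported rates can be reproduced directly. The per-experiment counts below follow the text for experiment 2 (three detections, one false); the true-detection counts for experiments 1 and 3 are illustrative, since any count with zero false positives yields the same rates:

```python
# (true detections, false positives) per experiment
experiments = [(5, 0), (2, 1), (5, 0)]   # runs 1 and 3: counts illustrative

def fp_rate(tp, fp):
    """Equation 3: false positives over all detected domain names."""
    return fp / (tp + fp)

fprs = [fp_rate(tp, fp) for tp, fp in experiments]
drs = [1 - r for r in fprs]              # detection rate per experiment
print([round(r, 2) for r in fprs])       # [0.0, 0.33, 0.0]
print(round(sum(fprs) / 3 * 100))        # 11 (%), the average false positive rate
print(round(sum(drs) / 3 * 100))         # 89 (%), the average detection rate
```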


From the false positive rate, the detection rate of the BDM can be obtained. The detection rate can be calculated with Equation 4 [8]:

Detection Rate = T_p / (T_p + F_p) = 1 − False Positive Rate    (4)

From the first and third experiments, no false positive was found, hence the detection rate is approximately 100%. However, in the second experiment the detection rate is approximately 67%:

Detection Rate = 2 / 3 ≈ 67%

By taking the average of the detection rate, it can be observed that the BDM has an average detection rate of 89% over these three experiments, which is considered acceptable:

Average Detection Rate = (100% + 67% + 100%) / 3 ≈ 89%

IX. CONCLUSION

In this paper, a simple framework called the BDM is proposed for botnet detection in a network environment. The framework consists of three phases that capture the DNS traffic, extract the MAC address and query name from each DNS packet, and store them in the database for further analysis. After that, the BDM classifies the DNS traffic issued by blocks of hosts (group behavior) and single hosts (individual behavior). The proposed method depends on monitoring the DNS traffic and exploiting the behavior of the botnet. The botnet is detected in blocks of hosts (group behavior) by measuring the degree of similarity between any two blocks of hosts requesting the same domain name at different time intervals, based on the Jaccard similarity coefficient S. The MAC address is used as the host's identifier instead of the IP address. The results of the experiments on the NAv6 network show that the BDM is robust and works well, with an average detection rate of about 89%. It is capable of classifying domain names into normal and abnormal domain names, consequently detecting botnet activity within the network. The BDM classifies domain names based on the Jaccard similarity value. However, during the experiments the BDM generated average false positive and false negative rates of approximately 11% each. The main limitation of the testing is that the average detection rate is based on three experiments only; future work could include more experiments for better accuracy. Other future work includes improving the BDM to identify and trace back the infected hosts within the monitored network, as well as increasing the detection rate by minimizing false positive/negative alerts through incorporating different statistical methods, such as chi-square, along with the Jaccard similarity coefficient.

X. REFERENCES

[1] Akiyama, M., Kawamoto, T., Shimamura, M., Yokoyama, T., Kadobayashi, Y. & Yamaguchi, S. (2007) A proposal of metrics for botnet detection based on its cooperative behavior. Proceedings of the Internet Measurement Technology and its Applications to Building Next Generation Internet Workshop (SAINT 2007). pp. 82-82.
[2] Bacher, P., Holz, T., Kotter, M. & Wicherski, G. (2005) Know your Enemy. Available from URL: http://www.honeynet.org/papers/bots/
[3] Castillo-Perez, S. & Garcia-Alfaro, J. (2008) Anonymous Resolution of DNS Queries. Lecture Notes in Computer Science, International Workshop on Information Security (IS'08), International OTM Conference. pp. 987-1000.
[4] Choi, H., Lee, H., Lee, H. & Kim, H. (2007) Botnet Detection by Monitoring Group Activities in DNS Traffic. Seventh IEEE International Conference on Computer and Information Technology (CIT 2007). pp. 715-720.
[5] Cooke, E., Jahanian, F. & McPherson, D. (2005) The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. In The 1st Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 2005). pp. 39-44.
[6] Dagon, D. (2005) Botnet Detection and Response. The Network is the Infection, OARC Workshop, 2005. Available from URL: http://www.caida.org/workshops/dns-oarc/200507/slides/oarc0507-Dagon.pdf
[7] Gu, G. (2008) Correlation-Based Botnet Detection in Enterprise Networks. Ph.D. thesis, College of Computing, Georgia Institute of Technology, Georgia. pp. 1-6.
[8] Husna, H., Phithakkitnukoon, S., Palla, S. & Dantu, R. (2008) Behavior Analysis of Spam Botnets. The 3rd International Conference on Communication Systems Software and Middleware (COMSWARE 2008). pp. 246-253.
[9] Ianelli, N. & Hackworth, A. (2005) Botnets as a Vehicle for Online Crime. CERT Coordination Center. pp. 1-28.
[10] Kim, M. C. & Choi, K. S. (1998) A comparison of collocation-based similarity measures in query expansion. Information Processing & Management. pp. 19-30.
[11] Kristoff, J. (2004) Botnets. North American Network Operators Group (NANOG 32). Available from URL: http://www.nanog.org/mtg-0410/kristoff.html
[12] Kugisaki, Y., Kasahara, Y., Hori, Y. & Sakurai, K. (2007) Bot Detection based on Traffic Analysis. International Conference on Intelligent Pervasive Computing (IPC). pp. 303-306.
[13] Mockapetris, P. (1987) Domain Names - Concepts and Facilities. RFC 1034. Available from URL: http://www.faqs.org/rfcs/rfc1034.html
[14] Mockapetris, P. (1987) Domain Names - Implementation and Specification. RFC 1035. Available from URL: http://www.faqs.org/rfcs/rfc1035.html
[15] Oikarinen, J. & Reed, D. (1993) Internet Relay Chat Protocol. RFC 1459. Available from URL: http://www.faqs.org/rfcs/rfc1459.html
[16] Ramachandran, A., Feamster, N. & Dagon, D. (2006) Revealing botnet membership using DNSBL counter-intelligence. 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 2006).
[17] Rieck, K., Laskov, P. & Müller, K.-R. (2006) Efficient Algorithms for Similarity Measures over Sequential Data: A Look Beyond Kernels. Proc. of 28th DAGM Symposium (LNCS). pp. 374-383.
[18] Schiller, C. A., Binkley, J., Harley, D., Evron, G., Bradley, T., Willems, C. & Cross, M. (2007) Botnets: The Killer Web App, Syngress Publishing. pp. 77-93.
[20] Schonewille, A. & Helmond, D.-J. V. (2006) The Domain Name Service as an IDS. Master's Project, University of Amsterdam, Netherlands. pp. 5-14.
[21] Symantec (2007) Internet Security Threat Report White Paper. Available from URL: http://www.symantec.com/
[22] Tu, H., Li, Z.-T. & Liu, B. (2007) Detecting Botnets by Analyzing DNS Traffic. Intelligence and Security Informatics. pp. 323-324.
[23] Weimer, F. (2005) Passive DNS Replication. In 17th Annual FIRST Conference on Computer Security Incident Handling (FIRST 2005).
[24] Wills, C. E., Mikhailov, M. & Shang, H. (2003) Inferring Relative Popularity of Internet Applications by Actively Querying DNS Caches. Proceedings of the 3rd ACM SIGCOMM Conference on Internet Measurement. pp. 78-90.
[25] Xie, Y., Yu, F., Achan, K., Gillum, E., Goldszmidt, M. & Wobber, T. (2007) How Dynamic are IP Addresses? In Proceedings of the 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM 2007).
[26] Zou, C. C. & Cunningham, R. (2006) Honeypot-Aware Advanced Botnet Construction and Maintenance. Proceedings of the 2006 International Conference on Dependable Systems and Networks (DSN 2006). pp. 100-208.


SOAP Serialization Performance Enhancement
DESIGN AND IMPLEMENTATION OF A MIDDLEWARE
Behrouz Minaei
Computer Department Iran University of Science and Technology Tehran, Iran

Parinaz Saadat
Computer Department Iran University of Science and Technology Tehran, Iran

Abstract—The most straightforward way to improve the performance of any system is to identify its bottlenecks and think of ways to remove them. Web services are an inseparable part of any web application; as a result, enhancing the performance of web services has a great effect on the overall performance of the system. The most widely used communication protocol in the web services model, SOAP, is a simple protocol for the exchange of messages. The serialization of large SOAP responses is a major performance bottleneck in a SOAP message exchange. Clearly, some web servers can expect to receive many similar messages for a particular web service, as such messages share the same signature. The idea behind this paper is to avoid the redundant serialization stage of SOAP responses for requests that have the same call parameters. The technique exploits the similarities between call parameters to improve web service response time by avoiding redundant serialization of the same response, with the help of a middleware running on top of the web server. The middleware maintains a trie of incoming parameters for every set of current requests; this way, request processing and serialization of the response for identical requests are done only once. In a nutshell, serializing only the distinct responses is the simplest way to avoid extra work done by a serializer. It is worth noting that although our approach exploits exactly repeating parameters, the middleware can be configured to apply changes made to the result set of a response to the serialized response maintained in a trie, in order to generate valid results.

Keywords: Web Services, Performance, Middleware, Serialization Enhancement

I. INTRODUCTION

Web service is a widely-used technology for exchanging data between applications, and its scope of usage has widened even more in recent years. In this paper, we describe the design and implementation of a server-side middleware, which we call SEM (Serialization Enhancement Middleware). The idea is similar to the approach introduced in [1], but the implementation differs completely. In a nutshell, serializing only the distinct responses is the simplest way to avoid extra work done by a serializer. To illustrate the opportunity for performance enhancement, consider a web service for a search process in a search engine: each message arrives at the web services container to invoke a simple search. Aside from the search string, the only other difference in the SOAP contents is the value of the "Content-Length" field in the header. If this search engine receives 500 requests per second, with messages arriving in succession, the SOAP server side would ordinarily have to parse, deserialize, process, and then serialize the response for all of them completely and independently of one another. Ideally, the server would be able to save time by recognizing that a large percentage of the messages are exactly the same, so the result of these service calls needs to be serialized only once. Thus, the effectiveness of the middleware optimization depends on the following factors:
• The percentage of identical messages in an incoming message stream
• The percentage of similarity between different messages in an incoming message stream
• The overhead of message analysis

II. RELATED WORK

In [4, 3, 2] this problem is addressed on the sender's side, by avoiding serializing entire messages. The sender side of their SOAP implementation, called bSOAP, saves copies of outgoing message buffers and tracks when the client code makes changes to the data sent in the messages. Only the changes are reconverted and rewritten into the outgoing message buffer template; the rest of the template remains unchanged from the previous send, avoiding serialization for that portion of the message. This technique is called differential serialization (DS). The approach in [1] describes the design and implementation of differential serialization's analogue on the server side, called differential deserialization (DDS). The idea is to avoid fully deserializing each message in an incoming stream of similar messages; differential deserialization gets its name because the server-side parser deserializes the differences between an incoming message and a previous one.
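The high-level idea of differential deserialization, reusing the parse of the portions of an incoming message that match the previous one and re-parsing only the differences, can be sketched as follows. This is a conceptual illustration only, not bSOAP's actual implementation, and the function name is ours:

```python
def common_affix_split(prev: str, cur: str):
    """Return (prefix_len, suffix_len): the lengths of the leading and
    trailing regions that cur shares with prev. A differential
    deserializer could reuse the previous parse for those regions and
    re-parse only the middle slice of cur."""
    limit = min(len(prev), len(cur))
    p = 0
    while p < limit and prev[p] == cur[p]:
        p += 1
    s = 0
    while s < limit - p and prev[len(prev) - 1 - s] == cur[len(cur) - 1 - s]:
        s += 1
    return p, s
```

For two SOAP bodies that differ only in one element value, the shared prefix and suffix cover almost the entire message, so only a small slice needs re-parsing.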



DS and DDS are completely separate and independent ideas and implementations; neither depends on the other for any portion of the performance enhancements. The two techniques represent very different realizations of the same high-level idea: DS for sending SOAP data, and DDS for receiving it. SEM is a combination of DS and DDS, in the sense that it shares the idea behind both techniques; on the other hand, the serialization process is improved with a completely different implementation. In general, SEM is a more promising optimization technique than DS, because it is more widely applicable: DS only works if the same client sends a stream of similar messages, while DDS can avoid deserialization of similar messages sent by multiple different clients. SEM does both.

III. OUR PROPOSED SOLUTION

The first component responsible for handling requests in a client-server model is the web server; therefore it is the best candidate for hosting a middleware. Our approach is to implement a middleware that runs on top of any web server (IIS, Apache, etc.) and acts as the primary component for processing requests. By definition, web services can be communicated with over a network using industry-standard protocols, including SOAP. That is, a client and a web service communicate using SOAP messages, which encapsulate the in and out parameters as XML. Fortunately, for web service clients, the proxy class handles the work of mapping parameters to XML elements and then sending the SOAP message over the network [5]. This means that the SOAP message can be reached before and after the serialization/deserialization process. As the calling of web service methods has a unique signature, the probability of receiving requests with completely the same parameters for a service is high. The idea behind this paper is to avoid the redundant serialization stage of SOAP responses for requests that have completely the same parameters. The approach is even more efficient if a constraint is put on the method signature: our research shows that the best case is the situation in which the method parameters are all strings and the response is a result set.

IV. DESIGN AND IMPLEMENTATION

This section describes SEM's design and implementation. Section 4.1 begins with a description of the middleware and discusses the algorithms used for comparison between SOAP messages. Section 4.2 then describes an optimization on the given approach, accomplished by a feature of the algorithm used for maintaining SOAP request parameters, which compares messages and considers overhead. Section 4.3 gives alternative ways to enhance performance.

A. The Middleware
Request comparison, analysis and processing consist of five main steps, each running in a different thread for maximum performance enhancement. Each step is described in detail as follows.

1) Gathering Current Requests
In order to maintain web service statelessness, we concentrated on current requests on the web server, so we had to define the term "current" in this context. In the implementation, the term "current requests" is used for incoming messages during a predefined period of time. For the purpose of our implementation this period was set to 2 milliseconds: a timer is activated, and all incoming messages are collected in a dataset which is then passed to the next step every 2 milliseconds for further analysis.

2) Retrieving Parameter Sequences
As soon as the Current Collection is ready, it is passed to another thread, where the parameters are retrieved from each SOAP message and a sequence containing the parameters is maintained for each SOAP message. If a sequence of parameters is duplicated, there is no need to do all the work of request processing and response serialization for every single request; all but one of the duplicated sequences are ignored, but the id of each request is saved so that the serialized response can be sent for the duplicated requests as well. That way, a large portion of messages can bypass the serialization phase if the messages are exactly the same.

Sequence1: parameters of the first request in the Current Collection
Sequence2: parameters of the second request in the Current Collection
…
SequenceN: parameters of the N-th request in the Current Collection

Figure 1. A list of sequences of input parameters
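The request-gathering step described above, collecting everything that arrives within a fixed window and handing the batch to the analysis stage, reduces to grouping requests by arrival window. A minimal sketch follows; the function name and the (arrival_ms, request) representation are ours, not part of the paper's code:

```python
from collections import defaultdict

def batch_by_window(requests, window_ms):
    """Group (arrival_ms, request) pairs into Current Collections:
    every request arriving within the same window_ms-wide window ends
    up in the same batch, which is then analyzed as one unit."""
    batches = defaultdict(list)
    for arrival_ms, req in requests:
        batches[arrival_ms // window_ms].append(req)
    # Return the batches in arrival order
    return [batches[k] for k in sorted(batches)]
```

With the 2 ms window used in the implementation, `batch_by_window(reqs, 2)` yields one Current Collection per 2 ms interval.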

3) Comparing Parameter Sequences
One of the most challenging issues of the approach is the algorithm by which identical parameter sequences are detected. The simplest algorithm is to compare each of the n sequences with the other n-1 sequences in the collection. In many applications it is necessary to determine string similarity; the edit distance approach is a classic method to determine field similarity [8, 9], and a well-known dynamic programming algorithm calculates the edit distance with time complexity O(nm). The Hamming distance can also be used. A faster algorithm had to be chosen, otherwise the comparison phase would become a bottleneck itself, so a data structure that satisfied this need was chosen. The opportunity for performance enhancement largely depends on the decision



whether to use SEM or to continue with regular serialization. At this step, based on the amount of similarity, a decision has to be made whether to use the technique or to take the regular steps of serialization, combined with compression or JSON, to enhance performance. In the more general case, when some of the parameters are the same and some are not, SEM utilizes an algorithm that tracks the number of occurrences of a parameter sequence and performs even better. A trie, or prefix tree, is an ordered tree data structure that is used to store an associative array where the keys are usually strings. Unlike a binary search tree, no node in the tree stores the key associated with that node; instead, its position in the tree shows what key it is associated with. All the descendants of a node have a common prefix of the string associated with that node, and the root is associated with the empty string. Values are normally not associated with every node, only with leaves and some inner nodes that correspond to keys of interest [7]. So we chose to maintain a trie for the sequence collection, that is, to insert every parameter sequence into the trie. A sample code for doing so is as follows:
char[] charArray = s.ToLower().ToCharArray();
TrieNode node = root;
foreach (char c in charArray)
{
    if (node.Contains(c))
        node = node.GetChild(c);
    else
    {
        // Allocate a child slot for this character
        int n = Convert.ToByte(c) - TrieNode.ASCIIA;
        TrieNode t = new TrieNode();
        node.nodes[n] = t;
        node = t;
    }
}
node.isEnd = true;  // mark the end of the sequence once, after the loop

Figure 2. Sample code for adding a parameter sequence to the trie

So at the end of each sequence, just before tagging the end of the sequence, it is clear whether the request is duplicated. If so, that request is marked as a duplicate, so that when the response of that particular request is ready, the response can be sent for it too.
char[] charArray = s.ToLower().ToCharArray();
TrieNode node = root;
bool contains = true;
foreach (char c in charArray)
{
    // Descend one level; null means the character is missing
    node = node.Contains(c) ? node.GetChild(c) : null;
    if (node == null)
    {
        contains = false;
        break;
    }
}
if ((node == null) || (!node.isEnd))
    contains = false;

Figure 4. Sample code for searching whether a parameter sequence has already been added to the trie

The following are two main advantages of tries:
• Looking up keys is faster. Looking up a key of length m takes worst-case O(m) time. A BST performs O(log n) comparisons of keys, where n is the number of elements in the tree, because lookups depend on the depth of the tree, which is logarithmic in the number of keys if the tree is balanced. Hence, in the worst case, a BST takes O(m log n) time; moreover, in the worst case log(n) will approach m. Also, the simple operations tries use during lookup, such as array indexing using a character, are fast on real machines [7].
• A trie can provide an alphabetical ordering of the entries by key.

By now, a collection of sequences of parameters is prepared. The next phase is to compare these sequences and find identical ones, so that the serialization step for identical sequences can be done just once; trie lookup (and membership testing) can be used easily for this. A key factor for choosing a trie is that detecting a duplicate sequence of length m takes worst-case O(m) time; in other words, the trie structure guarantees that no duplicate parameter sequence is maintained. Besides, tries require less space when they contain a large number of short strings, because the keys are not stored explicitly and nodes are shared between keys with common initial subsequences.
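A minimal Python model of the same duplicate-detection idea, inserting each parameter sequence into a trie and reporting whether it was already present, is shown below. It uses a dict of children instead of the fixed ASCII array of the paper's TrieNode, so the names are illustrative:

```python
class TrieNode:
    def __init__(self):
        self.children = {}    # char -> TrieNode
        self.is_end = False   # marks the end of a complete parameter sequence

def insert(root, sequence):
    """Insert sequence into the trie rooted at root.
    Returns True if the sequence was already present (a duplicate),
    so the caller can skip processing/serialization for it."""
    node = root
    for c in sequence.lower():
        node = node.children.setdefault(c, TrieNode())
    duplicate = node.is_end   # end marker already set means duplicate
    node.is_end = True
    return duplicate
```

Each insertion (and hence each duplicate check) touches at most m nodes for a sequence of length m, matching the O(m) lookup cost discussed above.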

Tries do have some drawbacks as well: tries can be slower in some cases than hash tables for looking up data, especially if the data is directly accessed on a hard disk drive or some other secondary storage device where the random access time is high compared to main memory.

4) Regular Processing
After this phase the requests are processed; that is, the distinct requests, plus one representative out of every n identical requests, are sent to the web server, where they are deserialized and processed.

5) Sending Duplicate Responses
When the response of such a request is ready, it is sent for all the other identical requests as well.

B. Yet Another Optimization
In order to gain the maximum performance enhancement, the serialized response having the most requests in each Current Collection is also maintained in another trie, so that each time another request with those parameters arrives, the response can be generated with a few inserts and updates.
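Steps 4 and 5 together amount to processing one representative per group of identical requests and fanning the single serialized response out to every request id in that group. A sketch follows, where process and send are illustrative stand-ins for the real deserialize/process/serialize pipeline and the transport layer:

```python
def process_batch(groups, process, send):
    """groups maps a parameter sequence to the list of request ids that
    share it. Each group is deserialized, processed and serialized once
    (step 4); the resulting response is then sent to every request in
    the group, including the duplicates (step 5)."""
    for params, request_ids in groups.items():
        response = process(params)     # done once per distinct sequence
        for rid in request_ids:
            send(rid, response)        # duplicates receive the same bytes
```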

Figure 3. A trie. Nodes are represented by an array of pointers

There is no need to worry about memory limits: when the trie is mostly static and the trie nodes are not keyed by node-specific data (or the nodes' data is common), it is



possible to compress the trie representation by merging the common branches. The result of such compression may look similar to transforming the trie into a directed acyclic graph (DAG), because the reverse transform from a DAG to a trie is obvious and always possible.

C. Alternatives
There is a tradeoff between the overhead of comparing messages and the performance enhancement gained. As a result, the portion of identical parameter sequences determines whether it is worth taking advantage of our approach; that is, there exists an opportunity for switching to regular serialization/deserialization when requests are not the same. Consequently, the process of detecting when to utilize the technique is twofold: firstly, we measure the percentage of identical requests per Current Collection; secondly, we must ensure that the overhead of comparison and analysis is worth it. Imagine the case when the parameter values differ totally: the overhead of our approach would be so high that an alternative approach is chosen instead. This alternative could be using another format for serialization/deserialization such as JSON (JavaScript Object Notation), using techniques to compress the SOAP message, etc.

V. EXPERIMENTAL SETUP AND ANALYSIS

We ran all performance tests on a single Pentium 4 3.00 GHz machine with 3.24 GB of RAM and a 100 GB SATA drive. In order to be able to simulate any situation, a load test generator was also developed. This application generates SOAP requests and calls a web service method in the following situations:
• Simulation of X concurrent requests per second (with threads) from Y clients
• Simulation of X serial requests per second from 1 client
A monitoring tool monitors the web server's performance counters, such as Bytes Received/sec, Bytes Sent/sec, Total Bytes/sec, and Connection Attempts/sec. Multiple situations were tested so that the results could be compared for a better conclusion. In each situation, the amount of similarity between web service calls and the number of web service calls were the factors indicating performance enhancement or degradation. The method was the same for all situations: a request to a web service was simulated, and every step was monitored until the response was ready.
• Situation A simulated 1000 concurrent requests for the same web service, each with completely different parameter values for the call.
• Situation B simulated 1000 concurrent requests for the same web service, with completely the same parameter values for the call.
• Situation C simulated 1000 concurrent requests for the same web service, with 50% the same parameter values for the call.
The monitoring tool then showed the results for each. The middleware, running on top of IIS 7.0, read a sequence of "incoming" SOAP messages from the load test generator and passed them to the comparison algorithm module, where the call parameters of the SOAP messages were retrieved. At this step, based on the amount of similarity, a decision was made whether to use the technique or to take the regular steps of serialization combined with compression or JSON to enhance performance.
Figure 5. The performance enhancement of the middleware when the percentage of similar calls is 70%

As shown in Figure 5, the number of requests per second is nearly three times higher when the percentage of identical calls is 70%.

Figure 5. Parameters fetched from the parameter collection



As mentioned before, a collection of parameters is maintained, and the call simulator uses this collection to simulate server calls. When there are more similar parameter sequences, the effect of SEM on performance is significantly higher. Table 1 shows the final results of the implementation; in this table, the response time of requests is shown in milliseconds. Clearly, sequences of identical messages do not represent a realistic scenario. The values reported in this section show that as the percentage of parameter sequence similarity increases, the response time of request processing using SEM improves.
TABLE I. THE DEGREE OF PARAMETER SEQUENCE RESEMBLANCE LEADS TO DIFFERENT RESPONSE TIMES

Parameter sequence              Trie depth
resemblance          15       25       35       65       75
10%                  2.89     28.7     71.5     144      288
20%                  0.83     8.24     17.7     42.7     85
30%                  0.70     6.93     16.0     35.4     71.3
40%                  0.67     5.67     13.6     28.6     63.9
50%                  0.57     1.72     4.29     8.03     55.4
60%                  0.56     1.32     3.23     5.89     16.7
70%                  0.18     0.75     2.11     3.69     12.5
80%                  0.13     0.67     1.85     2.95     7.72
90%                  0.05     0.51     0.78     1.54     3.55
100%                 0.04     0.21     0.60     1.27     2.91

Another point is that the depth of the trie (that is, the parameter sequence length) also has a dramatic effect on performance enhancement.

Figure 6. The effect of trie depth on response time

Figure 6 illustrates the effect of trie depth on response time for requests with different percentages of similarity. As shown in the figure, deeper tries lower performance, but this impact is lessened as the percentage of similarity between concurrent messages increases. It is worth noting that trie depth is related to the length of the call parameters.

Figure 7. The effect of parameter similarity on response time

As shown in Figure 7, parameter similarity has a great impact on service call response time: as the similarity of call parameters between concurrent messages increases, better response times are obtained. The optimal condition is when concurrent messages have exactly the same call parameters.

VI. SUMMARY AND FUTURE WORK

Serialization Enhancement Middleware (SEM) is a middleware running on top of a web server that takes advantage of similar SOAP requests arriving for a particular web service. This way, a large portion of responses can bypass the serialization phase if the messages are exactly the same. Current requests (incoming messages during a predefined period of time) are collected in a dataset which is passed to the next step every 2 milliseconds for further analysis. Next, parameters are retrieved from each SOAP request and a parameter sequence is generated for each request. If a sequence of parameters is duplicated, there is no need to repeat request processing and response serialization for every single request. A trie is then maintained for the sequence collection, that is, every parameter sequence is inserted into the trie. A key factor for choosing a trie is that detecting a duplicate sequence of length m takes worst-case O(m) time; in other words, the trie structure guarantees that no duplicate parameter sequence is maintained. After this phase the distinct requests, plus one representative out of every n identical requests, are deserialized and processed. When the response of such a request is ready, it is sent for all the other identical requests as well. Although our approach exploits exactly repeating parameters, one optimization is to configure the middleware to apply changes made to the result set of a response to the serialized responses maintained in a trie, in order to generate valid results. This, however, can lead to a larger percentage of time spent in the comparison and analysis phase.


REFERENCES
[1] N. Abu-Ghazaleh and M. J. Lewis. "Differential Deserialization for Optimized SOAP Performance". 2005 ACM/IEEE Conference on Supercomputing, pp. 21-31, Seattle, WA, November 2005.
[2] N. Abu-Ghazaleh, M. Govindaraju, and M. J. Lewis. "Optimizing Performance of Web Services with Chunk-Overlaying and Pipelined-Send". Proceedings of the International Conference on Internet Computing (ICIC), pages 482-485, June 2004.
[3] N. Abu-Ghazaleh, M. J. Lewis, and M. Govindaraju. "Performance of Dynamic Resizing of Message Fields for Differential Serialization of SOAP Messages". Proceedings of the International Symposium on Web Services and Applications, pages 783-789, June 2004.
[4] N. Abu-Ghazaleh, M. J. Lewis, and M. Govindaraju. "Differential Serialization for Optimized SOAP Performance". Proceedings of the 13th IEEE International Symposium on High Performance Distributed Computing (HPDC-13), pages 55-64, June 2004, Honolulu, Hawaii.
[5] C. Miranda. "Tools and Tips to Diagnose Performance Issues". The International Conference on JAVA Technology, Zurich, 2008.
[6] K. Chiu and W. Lu. "A Compiler-Based Approach to Schema-Specific Parsing". First International Workshop on High Performance XML Processing, 2004.
[7] D. Megginson et al. SAX 2.0.1: The Simple API for XML. http://www.saxproject.org.
[8] K. Devaram and D. Andresen. "SOAP Optimization via Parameterized Client-Side Caching". Proceedings of PDCS 2003, pages 785-790, November 3-5, 2003.
[9] E. Christensen et al. Web Services Description Language (WSDL) 1.1, March 2001. http://www.w3.org/TR/wsdl.
[10] I. Foster, C. Kesselman, J. Nick, and S. Tuecke. "Grid Services for Distributed System Integration". Computer, 35(6), 2002.
[11] M. R. Head, M. Govindaraju, A. Slominski, P. Liu, N. Abu-Ghazaleh, R. van Engelen, K. Chiu, and M. J. Lewis. "A Benchmark Suite for SOAP-based Communication in Grid Web Services". SC '05: Supercomputing '05, Seattle, WA, November 2005.
[12] M. Juric, I. Rozman, B. Brumen, and M. Hericko. "Comparison of Performance of Web Services, WS-Security, RMI and RMI-SSL". The Journal of Systems and Software, 79, 689, 2006.
[13] Indiana University, Extreme Computing Lab. Grid Web Services. http://www.extreme.indiana.edu/xgws/.
[14] T. Suzumura, T. Takase, and M. Tatsubori. "Optimizing Web Services Performance by Differential Deserialization". IEEE/ACM International Conference on Web Services, pages 185-192, Orlando, FL, July 12-15, 2005.



Breast Cancer Detection Using Multilevel Thresholding

Y. Ireaneus Anna Rejani
Noorul Islam College of Engineering, Kumaracoil, Tamilnadu, India

Dr. S. Thamarai Selvi
Professor & Head, Department of Information Technology, MIT, Chennai, Tamilnadu, India
Abstract— This paper presents an algorithm which aims to assist the radiologist in identifying breast cancer at its earlier stages. It combines several image processing techniques, such as image negative, thresholding and segmentation, for the detection of tumors in mammograms. The algorithm is verified using mammograms from the Mammographic Image Analysis Society. The results obtained by applying these techniques are described.

Keywords- Image negative, thresholding, segmentation.

1. INTRODUCTION

Breast cancer is one of the leading causes of cancer-related death among women. The death rate can be reduced if the cancer is detected at its early stages; early diagnosis and treatment increase the chance of survival. Early breast cancer detection requires periodic readings of mammograms. Women over 40 years of age and those who have a family history are recommended to take mammograms regularly for screening. At present, mammogram readings are performed by radiologists and mammographers, who visually examine mammograms for the presence of deformities that can be interpreted as cancerous changes. Manual readings may result in misdiagnosis due to human errors caused by visual fatigue. To improve the diagnostic accuracy and efficiency of screening mammography, computer-aided diagnosis techniques have been introduced. The main aim of this work is the detection of cancer in mammograms; the mammograms suspicious for cancer are singled out for more detailed examination by the attending physicians. There are several image processing methods proposed for the detection of tumors in mammograms. Although there are various tumor detection algorithms in the literature, the detection rate is still not high. Our algorithm is implemented using the concepts of thresholding and segmentation, and then finally checking the roughness value to identify a tumor. Image segmentation is typically used to locate objects and boundaries in images. After segmentation we get the required portion of the image. The segmented output may or may not be a tumor; it may, for instance, be fatty tissue. To confirm this, calculation of the roughness value (D) is needed. The roughness of the image varies from pixel to pixel. For a tumor-affected region the roughness value lies between 2 and 3; for other regions the roughness value is less than 2 or greater than 3. In this way the segmented output is confirmed to be a tumor or not.

Digital mammography is a technique for recording x-ray images in computer code instead of on x-ray film, as with conventional mammography. The images are displayed on a computer monitor and can be enhanced (lightened or darkened) before they are printed on film. Images can also be manipulated; the radiologist can magnify or zoom in on an area. This screening will generate a large number of mammograms to be examined by a small number of radiologists, resulting in misdiagnosis due to human errors caused by visual fatigue. The sensitivity of the human eye decreases with an increasing number of images. Hence, it may be helpful for a radiologist if a computer-aided system is used for the detection of tumors in mammograms. Computer-aided detection (CAD) involves the use of computers to bring suspicious areas on a mammogram to the radiologist's attention; it is used after the radiologist has done the initial review of the mammogram. There are several image processing methods proposed for the detection of tumors in mammograms. In some cases the primary objective was to enhance the mammograms [1]; in other cases [2];[3];[4];[5];[6], researchers have concentrated on identifying areas in mammograms that may contain cancerous changes. Steps have been taken [8];[9];[10] to fully automate mammogram analysis. Various technologies, such as wavelet-based image denoising [11], multiresolution-based image processing [13] and Markov random fields (MRF) [14], have been used. Even though many algorithms are available for tumor detection, the detection rate is still not high. This is due to the high variance in the size and shape of tumors, and also due to the disturbance (noise) from fatty tissues, veins and glands.

2. THEORY

A. Image Negative
The negative of an image with gray levels in the range [0, L-1] is obtained by using the negative transformation shown in Figure 1. It is given by the expression
s = L - 1 - r (1)
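As a concrete illustration of the negative transformation of equation (1) (with L = 256 for an 8-bit image) and of the thresholding step the paper applies afterwards, both operations can be sketched pixel-wise on an image held as a plain list of rows. In practice one would use an image library; the function names here are ours:

```python
L = 256  # number of gray levels in an 8-bit image

def negative(image):
    """Equation (1): s = L - 1 - r, applied to every pixel r."""
    return [[L - 1 - r for r in row] for row in image]

def threshold(image, t):
    """Classify each pixel: 1 (foreground) if above threshold t, else 0."""
    return [[1 if p > t else 0 for p in row] for row in image]
```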



Figure 1. Image negative

The digitized mammogram is applied for negative transformation. The complement of the image is obtained in this stage, which is used for further processing. In the image negative, the gray value of the original mammogram is complemented using the following mapping function:
O(x, y) = 255 - I(x, y) (2)

B. Threshold Value
After inverting the image, thresholding is done. The main goal of thresholding is to classify each image pixel into one of two categories (e.g. foreground and background). Thresholding is the process of picking a fixed gray-scale value and then classifying each image pixel by checking whether it lies above or below this threshold value. Setting a threshold value for an image can be done by trial and error. The threshold value is not the same for all images; it varies from one image to another, hence the threshold can be called an adaptive threshold. Thresholding is done to extract the portions of the image whose pixel intensity value is greater than the fixed threshold value of that particular image. The resultant image is then subjected to the segmentation process.

C. Segmentation
Image segmentation is the partitioning of an image into several constituent components. Segmentation should be stopped when the objects of interest in an application have been isolated. Segmentation distinguishes objects from the background.

D. Calculation of the Roughness Value (D)
Fractals are rough or fragmented geometric shapes that can be subdivided into parts, each of which is approximately a reduced copy of the whole. In fractal analysis, the fractal dimension measures the roughness of a block. Generally, an image is subdivided into N x N blocks and the fractal dimension is calculated for each block. Since in this work a mammogram is used for cancer detection, the roughness of each and every pixel has to be taken; the use of fractal analysis reduces the search region. The area of the fractal surface can be expressed as:
Ar = k x r^(2-D) (3)
where Ar is the surface area, r the ruled area, k a scaling constant and D the roughness of the region. The blanket method is used to calculate D:
log(Ar) = (2 - D) log(r) + k' (4)
For a surface, D is between 2 and 3; the larger D is, the rougher the surface. For all subdivided blocks of a mammogram, the blocks that have a very smooth surface or a very rough surface are discarded.

E. Parameters for Tumor Detection
The features selected in our approach to locate the regions that are suspicious of tumors are given as follows.
Area A: this parameter is the total number of pixels within a certain extracted region.
Compactness cmp: this quantity reflects the shape of the given region and equals
cmp = (area of the given region) / (area of the smallest rectangle circumscribing the given region)
Mean gradient within the current region, Mwg: this parameter measures the average gradient of each pixel in the given region:
Mwg = (1/N) ∑(k=1..N) gk (5)
where N equals the total number of pixels within the given region and gk is the gradient at each pixel k.
Mean gradient of the region boundary, mg: this parameter indicates the sharpness of the region boundary:
Mg = (1/N') ∑(k=1..N') gk' (6)
where N' equals the total number of pixels on the boundary of the given region and gk' is the gradient along the boundary of the given region.
Gray value variance, var: var measures the smoothness of the given region:
Var = ((1/N) ∑(i,j)∈A (X(i,j) - X')^2)^(1/2) (7)
X' = (1/N) ∑(i,j)∈A X(i,j) (8)
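The log-log slope behind equations (3) and (4) can be illustrated with plain box counting on a binary block. This is a simplified stand-in for the blanket method (which operates on gray-level surfaces), and the function name is ours:

```python
import math

def box_count_dimension(block, scales=(1, 2, 4)):
    """Estimate the fractal dimension of a square binary block by box
    counting: count the boxes of side s that contain foreground, then
    fit the slope of log N(s) against log(1/s)."""
    n = len(block)
    xs, ys = [], []
    for s in scales:
        count = 0
        for i in range(0, n, s):
            for j in range(0, n, s):
                # Does this s-by-s box contain any foreground pixel?
                if any(block[a][b]
                       for a in range(i, min(i + s, n))
                       for b in range(j, min(j + s, n))):
                    count += 1
        xs.append(math.log(1.0 / s))
        ys.append(math.log(count))
    # Least-squares slope of ys against xs
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
            / sum((x - mx) ** 2 for x in xs))
```

A completely filled block yields a slope of 2, the smooth end of the 2-to-3 range used to discard blocks.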



Where X (i, j) is the gray level of each pixel with on region, A and N is the total number of pixels in the region. Edge Distance Variance - edv: edv measures the shapes of the shape of the region and its rotational symmetry Edv = ((1/N) ∑N k=1 (dk – d’) 2) / d’ (9)

Where dk represents the distance from pixel k on the edge to the center of the region and d' is the mean value of all edge distances.

Figure 3 Inverted image

Mean intensity difference – diff: this parameter measures the gray value difference between the values inside the region and those outside the region but inside the smallest rectangle covering the region.

diff = (1/Na) ∑(i,j)∈A X(i,j) – (1/Nc) ∑(i,j)∈C X(i,j)    (10)

Where Na is the total number of pixels in region A and Nc is the total number of pixels in rectangular region C, which represents the pixels covered by the rectangle but not inside region A.

3. DEVELOPMENT OF THE ALGORITHM

F. Preprocessing steps
The techniques applied in the preprocessing step are the inversion and thresholding of the mammogram image. The input mammogram is shown in the figure given below.

Figure 2 Input image

G. Inverting steps
The intensity of the first pixel is taken and subtracted from the maximum intensity value (255). These two steps are then repeated for all the pixels in the image. After inverting all the pixel values, we get the inverted image shown in Figure 3.

H. Setting the threshold value
From the inverted image, we find the threshold value. Normally the threshold value can be found by trial and error or from the histogram of the image. After finding the threshold value, we apply it to the image: each pixel is classified by checking whether it lies above or below the threshold, and finally the object is extracted from the image as shown in the figure.

Figure 4 Thresholded image

I. Steps for segmentation
Segmentation refers to the process of partitioning a digital image into multiple regions (sets of pixels) and is done by the following steps. Pixels having the same intensity value are grouped into regions. Each region is checked for dissimilarities within itself; if there are dissimilarities, the region is subdivided again. After each split, the adjacent regions are compared and merged if there exists any similarity between them. This process is continued until no further splitting or merging is possible. Finally, the roughness value of each region is calculated. If the roughness value lies between 2 and 3,


then that region is finally segmented as shown in the figure given below
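The split phase of the split-and-merge segmentation described above can be sketched as below; the standard-deviation uniformity test, the parameter values, and the omission of the merge pass are simplifying assumptions for illustration.

```python
import numpy as np

def split_regions(img, threshold=10.0, min_size=2):
    # Split phase of split-and-merge: if a block's gray values are
    # dissimilar (std. dev. above `threshold`), subdivide it into four
    # quadrants; otherwise accept it as a homogeneous region.
    regions = []

    def split(r0, c0, r1, c1):
        block = img[r0:r1, c0:c1]
        if block.std() <= threshold or (r1 - r0) <= min_size:
            regions.append((r0, c0, r1, c1))
            return
        rm, cm = (r0 + r1) // 2, (c0 + c1) // 2
        for quad in [(r0, c0, rm, cm), (r0, cm, rm, c1),
                     (rm, c0, r1, cm), (rm, cm, r1, c1)]:
            split(*quad)

    split(0, 0, img.shape[0], img.shape[1])
    return regions
```

A merge pass would then compare adjacent regions and fuse similar ones, after which the roughness (fractal dimension) of each surviving region is computed.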

Figure 7 Result for normal image

Figure 5 Final segmented image

J. Tumor classification
From the segmented output, the area of the segmented image is calculated. Similarly, compactness, variance, etc., are calculated from the segmented image. These features are used for the classification of the segmented area as tumor or normal.

K. Results

Figure 8 For affected image

Figure 6 For Normal image

Figure 9 Result for affected image

4. CONCLUSION
This algorithm is verified using a database from MIAS. The fractal dimension used to process the mammograms was between 2.4 and 2.75. A 3-level DWT decomposed image


had been chosen. Three-level decomposition reduces an image of size 1024×1024 to 128×128. The result of this algorithm is the identification of tumors from normal tissue. In this project, we have described an algorithm that acts as a preprocessor for marking out the suspicious tumor regions in the mammogram to increase segmentation accuracy; fractal analysis and adaptive thresholding are used for the segmentation initialization procedure, and fast segmentation is used for the final segmentation. During classification, the properties of the tumor are calculated. The results show that the adaptive thresholding and fast segmentation algorithm is efficient and successful. This algorithm acts as an assistant to radiologists in detecting tumors in mammograms.
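The size reduction quoted above follows from halving each dimension at every decomposition level; the following sketch uses a Haar-style 2x2 block average as an illustrative stand-in for the approximation band of the authors' DWT.

```python
import numpy as np

def approx_band(img):
    # One decomposition level: 2x2 block averages halve each dimension,
    # mimicking the low-pass (approximation) band of a Haar DWT.
    return (img[0::2, 0::2] + img[0::2, 1::2] +
            img[1::2, 0::2] + img[1::2, 1::2]) / 4.0

img = np.ones((1024, 1024))
for _ in range(3):              # 1024 -> 512 -> 256 -> 128
    img = approx_band(img)
```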

ACKNOWLEDGEMENTS
The authors are thankful to The International Cancer Research Institute, Neyoor, Tamilnadu, India.

AUTHORS PROFILE
1. Y. Ireaneus Anna Rejani is working as an assistant professor at Noorul Islam College of Engineering, Kumaracoil, Tamilnadu, India. Her area of research is neural networks.

2. Dr. S. Thamarai Selvi is working as Professor & Head, Department of Information Technology, MIT, Chennai, Tamilnadu, India. She has vast teaching and research experience. Her areas of interest are neural networks and grid computing.


Energy Efficient Security Architecture For Wireless Bio-Medical Sensor Networks
Rajeswari Mukesh1
Dept of Computer Science & Engg Easwari Engineering College Chennai- 600 089

Dr.A.Damodaram2
Vice Principal JNTU College of Engineering Hyderabad-500 072

Dr.V.Subbiah Bharathi3
Dean Academics DMI College of engineering Chennai-601 302

Abstract - Latest developments in VLSI, wireless communications, and biomedical sensing devices allow very small, lightweight, low-power, intelligent sensing devices called biosensors. A set of these devices can be integrated into a Wireless Biomedical Sensor Network (WBSN), a new breakthrough technology used in telemedicine for monitoring the physiological condition of an individual. The biosensor nodes in a WBSN have resource limitations in terms of battery lifetime, CPU processing capability, and memory capacity. Replacement or recharging of batteries on thousands of biosensor nodes is quite difficult or too costly, so a key challenge in wireless biomedical sensor networks is the reduction of energy and memory consumption. Considering the sensitivity of information in a WBSN, we must provide security and patient privacy, as this is an important issue in the design of such systems. Hence this paper proposes an energy efficient security protocol for WBSN where security is provided to the physiological data transmitted from the sensor node to the sink device. This is achieved by authenticating the data using the patient's biometrics and encrypting the data using quasigroup cryptography after compressing the image data using an energy efficient number-theory-based technique.

Keywords - Wireless Biomedical Sensor Networks, Chinese Remainder Theorem, Heart Rate Variability, QRS complex, Quasigroup Encryption, Latin Squares

I. INTRODUCTION
WBSNs [1,2] promise inexpensive, unobtrusive, and unsupervised ambulatory monitoring during normal daily activities for prolonged periods of time. An example of a WBSN is shown in Figure 1. To make this technology efficient and cheap, the tradeoffs between the system configuration and the security should be resolved. In a WBSN the sink nodes collect data from the mobile patients through biosensors, and the data is then transmitted to the healthcare provider for health monitoring [2]. In the existing system the authentication between biosensor nodes and sink devices, and between sink devices and healthcare providers, is performed only by using a Message Authentication Code (MAC). In the proposed system, security is provided in two steps. In the first step, the data transmitted from the biosensor nodes to the sink device is compressed and encrypted using the quasigroup encryption algorithm to provide confidentiality. In the second step, strong authentication of the biosensor nodes to the sink device is done by using the heart rate variability of the patient. The beat-to-beat heart beat interval [3] is used as a biometric characteristic to generate the identity of the individual. This usage of biometrics allows automatic identification/verification of individuals by their physiological characteristics. This type of authentication detects intruders entering the sensor network between the sensor node and the sink device, thereby securing the data against man-in-the-middle attack.

Figure 1. Wireless Biomedical Sensor Network

II. RELATED WORK
Wireless Sensor Networks were initially designed without taking the security aspect into consideration. Research has been carried out in the field of security protocols for WSN for providing authentication and confidentiality security services. Authentication using MAC and biometrics like ECG [3] and EEG [4] has already been proposed by many researchers at different levels. Shu-Di Bao et al. [5] have proposed mutual biometric authentication using ECG or PPG between two sensor nodes that are intended to communicate with each other. The communication range between these sensor nodes is very short, hence the possibility of attack is also very low, and this scheme does not provide any solution to overcome an attack between the sink device and the biosensor nodes. For providing the confidentiality security service, security architectures like SNEP and ZigBee make use of symmetric ciphers of the AES and RC5 kind. These symmetric cryptographic algorithms are complex and hence not energy efficient.


III. OUR CONTRIBUTION
In the proposed system an energy efficient two-level security architecture is designed for WBSN. In the first level, the physiological data taken from the individual is transmitted from the biosensor nodes to the sink device securely by compressing it using a number-theory-based CRT technique and then encrypting it using an energy efficient quasigroup encryption. The Chinese Remainder Theorem (CRT) [6] has been a useful tool in applications of number theory to other fields. The CRT is based on the solution of linear and modular congruences; a congruence is nothing more than a statement about divisibility. Since it makes use of few arithmetic operations, it is considered energy efficient for compressing biomedical images. Quasigroups [7] (or Latin squares) provide a powerful method for generating a larger set of permutation transformations by permuting not only the samples but also transforming the amplitudes themselves across their range. By doing this, they provide an immensely large number of keys, even for small alphabets. Therefore, quasigroup-based ciphers can have a variety of applications and are also strong against brute-force attacks. It has been proved that the quasigroup transformation maximizes the entropy at the output, which is desirable for a good system. This system provides an extremely large group of keys that ensures enhanced security. It can work either in chain mode or in block mode; block mode is more tolerant to errors than chain mode. Table I [7] shows the number of Latin squares used in quasigroup encryption. It is clear from Table I that as the value of n increases, the task of breaking the quasigroup cipher is of astronomical complexity. Thus if the key is temporary, it would be very difficult to extract the information using brute force. The known-plaintext attack and replay attack are also not possible because the key keeps changing. Thus using energy efficient quasigroup encryption provides the confidentiality security service.

Biometrics is commonly used for the automatic identification or verification of persons by their own characteristics. Some of the famous biometrics, such as fingerprint, iris pattern and hand geometry, are patterns taken from the body surface. But the biometric used in WBSN is a physiological sign generated by a biological system of an individual, like heart rate variability (HRV) or EEG signals.

Table I. Bounds on the number of Latin squares for n = 16, 32, 64

  n     Lower limit (no. of Latin squares)   Upper limit (no. of Latin squares)
  16    0.101 * 10^119                       0.689 * 10^138
  32    0.414 * 10^726                       0.985 * 10^784
  64    0.133 * 10^4008                      0.176 * 10^4169
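As an illustration of the Latin-square substitution underlying such a cipher, the following is a minimal chain-mode sketch; the tiny quasigroup (addition modulo n) and the leader element are illustrative assumptions, since a deployed cipher would use a large, randomly chosen Latin square as the key.

```python
# Quasigroup over Z_5: a * b = (a + b) mod 5 yields a valid Latin
# square; any Latin square defines such an operation.
N = 5

def q(a, b):
    # Quasigroup operation: entry at row a, column b of the Latin square.
    return (a + b) % N

def q_inv(a, c):
    # Left division: the unique b with q(a, b) == c.
    return (c - a) % N

def encrypt(msg, leader):
    # Chain mode: each cipher symbol feeds the next substitution.
    out, prev = [], leader
    for m in msg:
        prev = q(prev, m)
        out.append(prev)
    return out

def decrypt(cipher, leader):
    out, prev = [], leader
    for c in cipher:
        out.append(q_inv(prev, c))
        prev = c
    return out

assert decrypt(encrypt([1, 2, 3, 0], 4), 4) == [1, 2, 3, 0]
```

Because every row and column of a Latin square is a permutation, left division is always unique, which is what makes decryption well defined.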

HRV is estimated by taking the inverse of the time interval between the peaks of adjacent R waves (the RR interval) in the ECG. HRV has been shown to be unique [3] for different subjects, which satisfies the basic criteria of a biometric characteristic. Physiological signals such as HRV are time-variant, which makes them difficult to apply in conventional biometric systems. In the proposed system, two sensors placed at different locations on the individual each capture their own copy of the biometric characteristic independently but simultaneously at time t. The HRV readings of these two sensors are proved to be identical or highly correlated. If the two sensors were not on the same individual, i.e., if any one of the sensor nodes is compromised, the HRV measured from the two sensors will not be identical. Thus the authentication of biosensor nodes by the sink device is done. The proposed architecture is intended for telemedicine and related fields, where data collected by the sensors for medical applications is now also used intelligently as a biometric characteristic for the sink device to recognize the sensors placed on a human body.

IV. OVERALL ARCHITECTURE
Wireless Sensor Networks are becoming a promising technology for various applications. One potential deployment is in the form of a Wireless Biomedical Sensor Network (WBSN) for measuring physiological signals. The architecture of a secure WBSN is illustrated in Figure 2. The miniature wireless intelligent module, which can be integrated with some kind of biosensor, is referred to as a WBSN node. Physiological signals (EEG, ECG, temperature, blood pressure, glucose level, etc.) measured by wearable or implantable biosensors are gathered by the sink device and transmitted to the healthcare provider via a 3G network. The server at the healthcare provider stores the data in a patient database, performs long-term trend analysis and prediction, and publishes the data via a web service. Healthcare professionals and patients can access the long-term physiological data via the internet. A WBSN provides long-term and continuous monitoring of patients under their natural physiological states even when they move. Clinicians can then analyze the physiological data and give diagnosis advice accordingly. Alternatively, when a clinician is away from the hospital, he or she can still get the data via a PDA and give diagnosis advice to the patient remotely. This system provides convenience for patients as well as clinicians. Patients can get medical service at home or any other place they prefer, and they can move around freely while carrying a light hand-held medical device. Clinicians can give diagnosis suggestions to patients remotely without the necessity of going to the hospital unless an emergency happens.


Figure 2 : Overall Architecture

The two-level security providing the confidentiality and authentication services for the physiological data transmitted from the sensor node to the sink device is clearly illustrated in Figure 2.

V. DESIGN OVERVIEW
The following assumptions are made in this design: (i) biosensors have acquired an initial certificate from the trusted third party, are authenticated to the sink, and share a key with which the ECG data is encrypted; (ii) the routing functionality is taken care of by the network layer and is not included in this work; (iii) wearable biosensors are used for data acquisition; (iv) noise in the data is eliminated by means of filters.

A. Compression Using Chinese Remainder Theorem
The Chinese Remainder Theorem (CRT) [6] has been a useful tool in applications of number theory to other fields. The CRT is based on the solution of linear and modular congruences; a congruence is nothing more than a statement about divisibility. Given a system of congruences to different moduli:

x ≡ a1 (mod m1), x ≡ a2 (mod m2), ..., x ≡ ar (mod mr)

if each pair of moduli is relatively prime, i.e., gcd(mi, mj) = 1 for i ≠ j, the system has exactly one common solution modulo M = m1 * m2 * ... * mr, and any two solutions are congruent to one another modulo M. The Chinese Remainder Theorem can be used to increase efficiency by making use of relatively small numbers in most of the calculation.

The merits of CRT that suit WBSN are as follows:
• Increased efficiency in machine computation.
• Reduced memory and sophisticated-hardware requirements.
• Reduced space requirements for the storage of data, because large numbers are converted into relatively smaller ones by the solution of linear congruences.
• Use of simple arithmetic operations (addition, subtraction, multiplication, and division), hence execution of millions of instructions per second (MIPS) is possible.
• Faster computation and hence reduced processing time.
• Widespread application in cryptography and in the secure transmission of codes and signals in military and defense applications.

The algorithm for image compression using CRT is as follows. Images are generally represented in the form of an N x M matrix. In color image coding applications [6] the color spaces, namely red, green and blue in a 24 bits per pixel (bpp) RGB scale of 8 bpp each, are compressed separately, as in the gray-scale case. An image of size N x M is taken and fragmented into blocks of size 1 x K. Each pixel r[i] in the block is divided by 16 to produce two half pixels of 4 bits each:

a[i] = r[i] / 16, i = 1 to k    (1)
a'[i] = r[i] mod 16, i = 1 to k    (2)

Thus the input image is considered as a sequence of half pixels a[1, 2...k], a'[1, 2...k], and the key sequence is a set of relatively prime numbers n[1, 2...k] with n[i] > a[i] and a'[i].

Image: a[1, 2...k], a'[1, 2...k] – block of half pixels.
Key: n[1, 2...k] – set of relatively prime integers; the key can also be generated by a cryptographically strong random number generator such as BBS.
Generating N[i] for each key value using P, where P is the product of all the keys, the coefficients of the CRT are calculated using equation (5).


N[i] = P / n[i], where P = ∏ n[i]    (3)

Using equation (4), the linear congruences are generated:

N[i] * x[i] ≡ 1 (mod n[i])    (4)

where x[i] satisfies the above congruence, and

C[i] = N[i] * x[i]    (5)

These stages are carried out prior to transmission; the values of C[i] can be generated once the key is decided, hence they are calculated and stored in the system to be used during transmission. For the transmission of the image, the values TR and TR' are determined for each block of k half-pixel values as follows:

TR = ∑ C[i] * a[i] (mod P)  – cipher text (quotient)    (6)
TR' = ∑ C[i] * a'[i] (mod P)  – cipher text (remainder)    (7)

For k half-pixel values, one TR and one TR' value is transmitted, providing compression; moreover, this value depends on the key used, which incorporates encryption. This is the most vital step of the algorithm, as it ensures simultaneous encryption and compression. At the receiving end, the k half-pixel values are regenerated from the single values TR and TR':

ar[i] = TR (mod n[i])  – plain text quotient    (8)
ar'[i] = TR' (mod n[i])  – plain text remainder    (9)
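The coefficient generation and block round trip of equations (3)-(9) can be sketched as follows; the key values are illustrative, and each half pixel must be smaller than its modulus for exact reconstruction. The three-argument `pow` computes the modular inverse x[i] of equation (4).

```python
from math import prod

def crt_coeffs(keys):
    # Equations (3)-(5): N[i] = P/n[i], x[i] = N[i]^(-1) mod n[i],
    # C[i] = N[i]*x[i]; computed once per key and reused for every block.
    P = prod(keys)
    return P, [(P // n) * pow(P // n, -1, n) for n in keys]

def encode_block(half_pixels, keys):
    # Equations (6)/(7): k half pixels collapse into a single residue.
    P, C = crt_coeffs(keys)
    return sum(c * a for c, a in zip(C, half_pixels)) % P

def decode_block(tr, keys):
    # Equations (8)/(9): a[i] = TR mod n[i], valid since a[i] < n[i].
    return [tr % n for n in keys]

keys = [17, 19, 23, 29]         # pairwise coprime, all > 15 (illustrative)
block = [7, 0, 15, 3]           # 4-bit half pixels
assert decode_block(encode_block(block, keys), keys) == block
```

Reconstruction works because C[i] ≡ 1 (mod n[i]) and C[i] ≡ 0 (mod n[j]) for j ≠ i, so reducing TR by each modulus recovers the corresponding half pixel.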

The pixels are then reconstructed from the half pixels using equation (10):

s[i] = ar[i] * 16 + ar'[i]    (10)

As explained above, in equation (6) the C[i] are pre-calculated coefficients and the a[i] are the pixel values after applying the threshold. Since the C[i] are pre-calculated, they need not be recomputed for every TR. The reason for using the Chinese Remainder Theorem [6] for solving the linear congruences is to reduce a bigger number to a smaller representation. For an image of size N x M and block size K, all (N x M)/K values of TR are computed. After computing all TR, the frequency of each distinct TR and their counts are determined; they are sorted in descending order of count and assigned a new set of numbers. A table of unique TR values and equivalent codes is generated, and using this table each TR is encoded into its new code. The same is done for TR'. At the receiver, the same encoding table is used to recalculate the actual TR and TR' values, from which the half-pixel values ar[i] and ar'[i], and thus the reconstructed image pixels s[i], are determined. Since the integrated encryption on its own lacks an adequate security level, one more level of encryption is applied using the quasigroup [7] technique described in the next algorithm.

B. Data Enciphering And Deciphering
In order to provide additional security to the WBSN while respecting its limitations in memory and processing capability, the information transmitted between the sensor node/head and the base station is encrypted using the quasigroup encryption algorithm. Quasigroups [7] are well suited for encrypting physiological-signal-related information; the strength of this encryption has already been examined [7]. A groupoid [8] is a finite set Q that is closed with respect to an operator *, i.e., a * b ∈ Q for all a, b ∈ Q. A groupoid is a quasigroup if it has unique left and right inverses, i.e., for any u, v ∈ Q there exist unique x and y such that x * u = v and u * y = v. This means that all operations are invertible and have unique solutions, which implies their usability as cryptographic substitution operations. A quasigroup can be characterised by a structure called a Latin square: an n x n matrix in which each row and column is a permutation of the elements of a set; in this case |Q| = n. The requirements for WBSN information encryption are the following:
• It must be computationally easy for the biosensor node to encrypt the data using quasigroup encryption and send it to the sink device.
• It must be computationally easy for the sink device to decrypt the cipher text using quasigroup decryption.
• It must be computationally fast in network environments that have limited processing power and other resource constraints.
• It must be compact enough for use in the sensor node's memory space.

C. Biometric Authentication between Biosensor Node and Sink
As described in Section III, the ECG signal at time t is taken from the two biosensors placed on the same individual and the difference between their HRVs is calculated using the Hamming distance. A normal ECG trace consists of a P wave, a QRS complex and a T wave. A small U wave may also sometimes be visible, but it is neglected in this work for its inconsistency. An ECG sample is shown in Figure 3. The P wave is the electrical signature of the current that causes atrial contraction; the QRS complex corresponds to the current that causes contraction of the left and right ventricles; the T wave represents the repolarization of the ventricles; and the U wave, although not always visible, is considered to be a representation of the papillary muscles or Purkinje fibers. The QRS complex is the most characteristic waveform of the signal, with the highest amplitudes.

Figure 3: ECG sample (P wave 0.08–0.10 sec; QRS 0.06–0.10 sec; P–R interval 0.12–0.20 sec; Q–T interval 0.2–0.4 sec)


Using the Hamming distance, the HRVs of two sensor nodes are compared. If the difference between the HRVs from two random sensor nodes exceeds a threshold, an alarm signal is raised to the healthcare provider indicating that a biosensor node has been compromised. The Hamming distance between two strings of bits (binary integers) is the number of corresponding bit positions that differ. It can be found by using XOR on corresponding bits or, equivalently, by adding corresponding bits (base 2) without a carry. For example, for the two bit strings that follow:

A         0100101000
B         1011010101
A XOR B   1111111101

the Hamming distance (H) between these 10-bit strings is 9, the number of 1's in the XOR string. The following algorithm may be used to find the Hamming distance:

Integer Hamdist(string value1, string value2)
Begin
    If (value1 is NULL) or (value2 is NULL) then
        Return NULL
    Integer dist = 0
    Integer len = max(length(value1), length(value2))
    Integer I = 1
    While (I <= len)
        dist = dist + ((substring(value1, I, 1) != substring(value2, I, 1)) ? 1 : 0)
        I = I + 1
    Return dist
End
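A runnable version of the pseudocode above (the behaviour for unequal-length strings, where unmatched trailing positions count as differences, is an assumption):

```python
def hamdist(value1, value2):
    # Hamming distance: the number of corresponding positions that
    # differ; unmatched trailing positions of the longer string count.
    n = max(len(value1), len(value2))
    a, b = value1.ljust(n, " "), value2.ljust(n, " ")
    return sum(x != y for x, y in zip(a, b))

print(hamdist("0100101000", "1011010101"))  # -> 9
```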
VI. RESULTS

A. Compression using CRT

Table II. Comparison of execution time and compression ratio of various algorithms

  Algorithm   Execution time (sec)   Compression ratio
  JPEG        1.04                   2.7603
  LZW         0.65                   6.2313
  SPIHT       0.78                   4.7714
  NTICE       0.64                   7.4057

B. Quasigroup encryption

A part of the encoded MRI brain image of Figure 4 is given in the screenshot in Figure 5 below, and it is found that the quasigroup cipher produces more randomness in the cipher text than the complex AES symmetric cipher that has been proposed for WSN. The comparison of output randomness is shown in Figures 6a and 6b.

Figure 5. Partial encoded compressed brain Image

The biosensor image taken for analysis is the MRI brain image shown in Figure 4.

Figure 4: MRI brain Image

Figure 6a: Graph Analysis For QuasiGroup Cryptography

The CRT compression algorithm is implemented in MATLAB 7; the execution times and compression ratios of the various compression algorithms are shown in Table II.



Figure 6b: Graph Analysis For AES Cipher

Fig 7b. ECG wave of sensor2 of person1

C. Biometric authentication using HRV


The R peaks have the largest amplitudes among all the waves, making them the easiest to detect and good reference points for subsequent detections. The R peak occurs between 0.12 seconds and 0.2 seconds after the P peak, and the Q and S peaks occur around the R peak within 0.1 seconds. The QT interval lies within 0.44 seconds. The MATLAB output of R-peak detection for two ECG sensors placed on the same individual with a heart rate of 72 is shown in Figure 7. The RR interval for both ECG waves is 0.84 sec and the HRV is 1.19; hence the difference is zero and they are proved to be from the same person. The MATLAB output of R-peak detection for two ECG sensors placed on two different persons with heart rates of 72 and 60 respectively is shown in Figure 8. The RR interval for the ECG wave of sensor1 from person1 is 0.84 sec (HRV 1.19), and the RR interval for the ECG wave of sensor2 of person2 is 1 sec (HRV 1). The difference between the HRVs is 0.19, which indicates that one of the nodes has been compromised by an intruder.
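The numerical comparison above can be sketched as follows; treating HRV as the inverse of the RR interval follows Section III, while the 0.19 alarm threshold is an illustrative assumption.

```python
def hrv(rr_interval_s):
    # HRV taken as the inverse of the RR interval (in seconds).
    return 1.0 / rr_interval_s

def node_compromised(rr1, rr2, threshold=0.19):
    # Raise an alarm when the HRV difference between two sensors reaches
    # the threshold (illustrative value), suggesting different subjects.
    return abs(hrv(rr1) - hrv(rr2)) >= threshold

same_person = node_compromised(0.84, 0.84)   # False: identical HRV
different = node_compromised(0.84, 1.0)      # True: |1.19... - 1.0| >= 0.19
```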

Fig 8a. ECG wave of sensor3 of person1


Fig 8b. ECG wave of sensor2 of person2

VII. CONCLUSIONS AND FUTURE WORK

Fig 7a. ECG wave of sensor1 of person1

The proposed scheme detects malicious biosensor nodes using biometric authentication and provides confidentiality using quasigroup encryption after compressing the biomedical images using CRT. These techniques are proved to be energy efficient, which is an important requirement of WSN. Among the patient's vital signals, ECG generates the highest data rate, about 10 kB/s. R-interval analysis can be performed to determine the peaks; by transmitting R-intervals instead of the whole ECG waveform, the data rate can be lowered and power consumption reduced subsequently. ECG signals are easy to identify and relatively immune to potential noise interference. The future work is to build an experimental environment based on the proposed


system and to extend the security at the health care provider level.
REFERENCES

[1] D. D. Kouvatsos, G. Min and B. Qureshi, "Performance Issues in a Secure Health Monitoring Wireless Sensor Network", working paper, Performance Modeling and Engineering Group, University of Bradford, Bradford BD7 1DP, UK.
[2] A. Milenkovic, C. Otto and E. Jovanov, "Wireless Sensor Network for Personal Health Monitoring: Issues and an Implementation", Electrical and Computer Engineering Department, The University of Alabama, Huntsville, AL 35899.
[3] L. Biel, O. Pettersson, L. Philipson and P. Wide, "ECG Analysis: A New Approach in Human Identification", IEEE Transactions on Instrumentation and Measurement, vol. 50, pp. 808-812, June 2001.
[4] S. Marcel and J. del R. Millan, "Person Authentication Using Brainwaves (EEG) and Maximum A Posteriori Model Adaptation", IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 29, no. 4, pp. 743-752, April 2007.
[5] S.-D. Bao, Y.-T. Zhang and L.-F. Shen, "Physiological Signal Based Entity Authentication for Body Area Sensor Networks and Mobile Healthcare Systems", Proceedings of the Annual International Conference of the IEEE Engineering in Medicine and Biology Society, 2005, pp. 2455-2458.
[6] V. Jagannathan, A. Mahadevan, Hariharan and Srinivasan, "Number Theory Based Image Compression Encryption and Application to Image Multiplexing", IEEE ICSCN, Feb. 2007, pp. 59-64.
[7] Maruti Venkat Kartik Satti, "A Quasigroup Based Cryptographic System", International Journal of Network Security, vol. 7, no. 1, pp. 15-24, July 2006.
[8] M. Hassinen and S. Markovski, "Secure SMS Messaging Using Quasigroup Encryption and Java SMS API".
Rajeswari Mukesh is working as Assistant Professor in the Department of Computer Science and Engineering at Easwari Engineering College, Chennai. She received her B.E. and M.E. in Computer Science and Engineering and is currently pursuing a Ph.D. at JNTU Hyderabad. Her areas of interest include Network Security and Image Processing.

Dr. A. Damodaram is Director, ASC, and Professor of Computer Science & Engineering, JNTU College of Engineering, Hyderabad. His research interests include Software Engineering, Computer Networks and Image Processing. Prof. Damodaram was awarded his Ph.D. in Computer Science & Engineering from JNTU. He has a rich experience of 17 years in teaching, research and mentoring research scholars in his respective areas. He is a Member of the Academic Council of Cochin University of Science and Technology, Cochin, a member of AIEEE, New Delhi, and of the Governing Council, JNTU College of Engineering, Hyderabad.

Dr. V. Subbiah Bharathi is working as Dean Academics at DMI Engineering College, Chennai. He received his Ph.D. from Manonmaniam Sundaranar University. He has 25 national and international papers published in reputed journals, including ACM. His areas of research include Image Processing and Network Security.


Software Security Rules: SDLC Perspective
C. Banerjee, S. K. Pandey
Department of Information Technology Board of Studies, The Institute of Chartered Accountants of India, Noida- 201301, INDIA
Abstract---Software has become an integral part of everyday life. Every day, millions of people perform transactions through the internet, ATMs and mobile phones; they send e-mail and e-greetings, and they use word processors and spreadsheets for various purposes. People use software in the belief that it is reliable, can be trusted, and that the operations they perform are secure. But if this software has exploitable security holes, how can it be safe to use? Security brings value to software in terms of people's trust. The value provided by secure software is of vital importance, because many critical functions are entirely dependent on software. That is why security is a serious topic which should be given proper attention during the entire SDLC, 'right from the beginning'. For the proper implementation of security in software, twenty-one security rules are proposed in this paper, along with validation results. It is found that by applying these rules as per the given implementation mechanism, most of the vulnerabilities in the software are eliminated and more secure software can be built. Keywords-Security rules, Security rules in SDLC, Software Security

I. INTRODUCTION Issues related to computer security first surfaced in the 1970s, with the earliest known intrusion reported in 1977, the first spam e-mail in 1978, the earliest large-scale identity theft in June 1984 and the first known computer virus attack reported in 1987. In 1983, the hackers known as the 414s attacked 60 computer systems. During the 1980s and 1990s, many international banks were targeted by crackers and hackers. In 1995, U.S. Department of Defense computers were attacked roughly 250,000 times. In 1996, hackers altered websites of the U.S. Department of Justice in August, the CIA in October, and the U.S. Air Force in December. In 2001, Microsoft became a victim of denial-of-service attacks. In May 2006, a Turkish hacker successfully hacked 21,549 websites. In March 2008, around 20 Chinese hackers claimed to have gained access to the world's most sensitive sites, including the Pentagon. In April 2009, Conficker, a worm, infiltrated millions of PCs worldwide, including many government-level top-security computer networks [1] [2]. While trying to identify and analyze the reasons behind security breaches, we generally put the blame entirely on virus attacks, denial of service, spam mail, etc. If we introspect honestly, we see that our thinking becomes so partial that, while analyzing the facts, we tend to overlook a very important and real factor, one of the most important in software security breaches: bad software, which is actually behind every security problem and malicious attack [3]. Besides identifying and targeting those individual security threats and providing solutions for those attacks, if we also put focus on the

security aspect of software itself, we can surely build a more robust and reliable system overall. Security loopholes in software can also endanger intellectual property, business operations and services. It is estimated that 70 percent of reported security incidents result from exploits against defects in the design or code of software [4] [5]. It is often presumed that security features implemented in software delay the project, add time and increase cost. Due to this, many designers tend to ignore, or give little importance to, the security aspect of the project. However, implementing security in software by complying with regulatory standards gives long-term benefits in terms of litigation avoidance, protection against loss of sensitive information, and protection against loss of reputation. It also provides assurance that the data in a system has a reasonable expectation of protection and privacy [6], and it ensures reliability, integrity, and safety for the system using the secured software. Implementing security in software from the very first stages of its development makes the system as invulnerable and fault-free as possible. It further limits the damage occurring from failures caused by attack-triggered faults, provides a mechanism for quick recovery by the system from the damage caused by failure, and ensures that the system continues to operate under the most adverse conditions created by attacks on the system. In doing so, the system provides a mechanism of resistance against attackers who try to exploit weaknesses in the software, as well as a level of tolerance of the failures resulting from such exploits [7]. In a 2005 report, approximately 163,000 consumer records were stolen, leading to identity-theft cases with a US $10 million settlement fine. In 2006, hackers accessed the accounts and personal information of nearly 19,000 AT&T credit card holders [8].
Estimated revenue losses due to piracy in the Asia-Pacific region during 2006 were reported to be US $11.6 billion [9]. In 2007, information on around 100 million credit and debit card accounts was stolen in the U.S., with recovery costs estimated at about US $16 million. In the U.K., loss of the personal information of around 25 million people, with an estimated recovery cost of about US $500 million, was reported. In 2008, 4.2 million credit and debit card numbers were stolen from a supermarket chain during the card authorization process [8]. Although researchers have done remarkable work in the field of integrating security throughout the SDLC, 'right from the beginning', a major portion of work still needs to be carried out in order to make software more secure and reliable. Extending the work carried out earlier, in this paper we propose twenty-one security rules which,


if practically applied from the beginning of the SDLC, i.e., from the requirements analysis phase, will definitely contribute to the secure and reliable development of software. The rest of the paper is organized as follows: in Section II we discuss software security; in Section III the security rules are given; Section IV throws light on the implementation mechanism; Section V focuses on validation and experimental results; and the conclusion and future work are given in Section VI. II. SOFTWARE SECURITY The objective of software security is to reason about the attacker and to foresee the attacker's motives and perceptions. Generally, software development is thought of as building software that works under normal conditions. But when the security aspect is coupled with building software, the designers' and developers' focal point becomes the attacker's perspective and how the attacker can become a threat to the software. After proper analysis, various mechanisms for dealing with those threats can be provided. Security can be correctly built into software by integrating it throughout the entire software development life cycle [7]. The activity of software security can be thought of as building software which performs under intentional and unintentional malicious attack [7]. Secure software should exhibit the ability to defend itself and the system from an attacker's exploitation and misuse of security loopholes [10]. Moreover, software security should include the ability to identify the deficiencies of the software development process and the critical threats that can make software vulnerable. Software with built-in security should exhibit features like predictable execution, trustworthiness and conformance. Along with these properties, secure software should be attack resistant, attack tolerant and attack resilient [7].
Information is a very important ingredient of software, and its security can be achieved through three globally accepted properties, CIA (Confidentiality, Integrity, and Availability):

• C : Confidentiality is the prevention of unauthorized disclosure of information.
• I : Integrity is the prevention of unauthorized modification of information.
• A : Availability is the prevention of unauthorized withholding of information.

The main objective of confidentiality is to ensure that only authorized users can access information, regardless of where the information is kept and how it is accessed. Confidentiality can be maintained by mechanisms like access control, passwords, biometrics, encryption, privacy and ethics [11]. The main objective of integrity is to safeguard the accuracy and completeness of information and processing methods from being changed intentionally, unintentionally, or accidentally. Integrity needs to be maintained to ensure the privacy, security and reliability of data and information. Integrity can be maintained by mechanisms like configuration management and auditing [11]. The main objective of availability is to ensure access to information and related assets for authorized users whenever needed. Availability can be maintained by mechanisms like data backup plans, disaster recovery plans, and business continuity or resumption plans [11]. III. SECURITY RULES The various issues encompassing software security are a point of discussion and debate among researchers and security practitioners. One obvious way to spread software security knowledge is to train software development staff on critical software security issues. Beyond awareness, more advanced software security training should offer coverage of security engineering, design principles and guidelines, implementation risks, design flaws, analysis techniques, and security testing. Researchers have done a tremendous job in this direction, but there are still many research issues that need to be addressed. On the basis of the various best practices available in the literature, twenty-one security rules are proposed; they are discussed in this section and shown visually in Figure 1.

[Figure 1 (diagram not reproduced) arranges the twenty-one rules around the label "Software Security Rules": Awareness, Prevention, Accountability, Confidentiality, Integrity, Availability, Non-Repudiation, Access Control, Identification & Authentication, Accuracy, Consistency, Authorization, Privacy, Assessment / Evaluation, Excellence, Flexibility, Fortification, Unambiguity, Error Classification, Auditability, and Interoperability.]

Figure 1. Rules of Software Security in SDLC


All stakeholders in software development must obey these rules in order not to introduce vulnerabilities into the system and to ensure the production of a secure software system. By analyzing the implementation results, it is observed that if software engineers keep these rules in the back of their minds throughout the stages of software production, efficient production of a secure software product is ensured to a great extent. The rules are given as follows: 1. Rule of Awareness: Awareness of software security is a major point of discussion and concern among researchers and security practitioners [12]. The rule suggests constant acquisition of new information and updating of existing knowledge on security aspects for the software development team, which includes software architects, software developers and software testers [13]. This can be implemented by developing an active security awareness program for training the software development team on critical software security issues [12]. 2. Rule of Prevention: As it is said that prevention is better than cure, the software designer should design the software and its associated security in such a way that when the software is attacked internally or externally by some threat, it provides a safeguard and protects itself from being infected. The rule suggests that security in software should be synchronized in such a way that it is able to prevent any kind of threat from internal as well as external sources, rather than letting the attack happen and curing it later. The latter option of cure is also a remedy, but it is quite possible that, by the time the remedy takes effect, more resources and applications will have been infected by the infected source. 3. Rule of Accountability: Accountability is a key security goal which is vital with regard to internal systems of security and reveals what a subject actually did.
The rule of accountability suggests that a log be maintained of all the tasks / activities / acts performed during an operation / action, with the purpose of preventing security policy violations and enforcing liability for those acts [14]. Accountability involves tracking the activities of users as well as processes and maintaining their details in a log book. The main purpose of accountability is to determine the attacker or the source of an attack in case a transaction is committed successfully [15]. 4. Rule of Confidentiality: Security in terms of software is defined as the prevention of, or protection against, access to information by unauthorized persons [16]. The rule suggests that confidentiality should be maintained by ensuring that information is not accessed by unauthorized persons [16]. In other words, confidentiality in software can be maintained by keeping the contents of a transient communication, or data on temporary or persistent storage, secret [15]. It provides assurance that information is shared only among authorized users or organizations [17]. Data should be handled in an adequate manner to safeguard the confidentiality of the information concerned [18].

5. Rule of Integrity: Software security in respect of integrity is the prevention of, or protection against, intentional but unauthorized destruction or alteration of information [16]. The rule suggests that integrity should be maintained by ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users [16]. It provides assurance that the information is authentic and complete [17]. The integrity of data means that it can be trusted and relied upon, not that the data is 'correct' [17]. 6. Rule of Availability: Availability is typically thought of as a performance goal, but it needs to be thought of as a security goal, since the loss of availability is referred to as "denial of service" [15]. The rule states that a balanced approach needs to be maintained between security and availability, providing a system that is highly secure and available at all times [15]. It provides assurance that the systems responsible for delivering, storing and processing information are accessible when needed by those who need them [16]. A system can ensure availability through redundancy, providing alternative paths and methods so that the system is operational and functional at any given moment [16]. 7. Rule of Non-repudiation: In general, this is the concept of ensuring that the parties involved in a transaction cannot repudiate (reject) or refute the validity of the transaction. The rule states that the objective of non-repudiation is to ensure the undeniability of a transaction by any of the parties involved, where a trusted third party can play an important role [15]. Non-repudiation protocols can be used as a security tool to prove that the transaction actually took place and that the two parties actually interacted with each other, so that neither party can deny this fact in the presence of a valid set of evidence [15]. 8.
Rule of Access Control: Access control provides a form of authority to control access to areas and resources in a given domain, thereby contributing to the security of the software development process. The rule suggests that access to resources and services should be permission based: users should be allowed to access only those resources and services for which they hold permission, and eligible users should not be denied access to services that they legitimately expect to receive [16]. For software to be secure, access control must be implemented in full. 9. Rule of Identification & Authentication: Authentication is the act of establishing that the claims made by a user are true, which includes confirming the identity and origin of the user for security purposes [19]. The rule suggests that identification and authentication must be implemented to determine who can log on to a system and to associate the various users with their granted access rights [19]. A wide variety of techniques are available to provide authentication, including passwords, biometric techniques, smart cards, certificates, etc. [20].
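As one hedged illustration of Rule 9, a password check combines identification (looking the user up) with authentication (verifying a salted hash in constant time). All names below are hypothetical, and a production system should prefer a dedicated password-hashing scheme such as bcrypt or scrypt over a single salted SHA-256:

```python
import hashlib
import hmac
import os

# Hypothetical in-memory user store: username -> (salt, salted password hash).
_users = {}

def register(username, password):
    """Store a per-user random salt and the salted hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    _users[username] = (salt, digest)

def authenticate(username, password):
    """Identification (lookup) followed by authentication (timing-safe compare)."""
    if username not in _users:   # identification failed
        return False
    salt, stored = _users[username]
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, stored)

register("alice", "s3cret")
print(authenticate("alice", "s3cret"))    # True
print(authenticate("alice", "wrong"))     # False
print(authenticate("mallory", "s3cret"))  # False
```

The timing-safe comparison (`hmac.compare_digest`) matters because a naive `==` on hashes can leak information through response-time differences.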


10. Rule of Accuracy: Assurance of accuracy is necessary for a software system to be secure and reliable [21]. The rule suggests that the software development team should perform the various actions, activities, methods, processes and tasks correctly and accurately every time [13]. Timely accuracy is also very important from a strategic point of view [22]. The highest standards of technical accuracy are likewise a prerequisite for designing and developing secure and reliable software. 11. Rule of Consistency: Consistency is an essential feature of software security which the protocol designer should keep in mind during the protocol design phase of the software. The rule suggests that the various requirements, protocols, standards and policies designed for securing the software system should be consistent in every case. Consistency among the various security policies is a requirement for secure software, and it should be maintained at all costs among the software system, its security requirements and the violation-related modules. 12. Rule of Authorization: Authorization is the process of verifying that an authenticated subject has the authority to perform a specified operation [19]. The rule suggests that authorization must be implemented to determine what a subject can do on the system. By implementing authorization, it can be determined whether an identity is permitted to perform a specified action or not [20]. Authorization can only be performed after authentication has been successfully accomplished [19]. 13. Rule of Privacy: Privacy can be seen as the state of being concealed / secluded / isolated from the presence or view of others. Privacy as a social and legal issue has long been a matter of concern, and an individual's privacy in this electronic age is increasingly endangered [23]. The rule states that privacy ensures that individuals maintain the right to control what information is collected about them, how it is used, who has used it, who maintains it, and for what purpose it is used [16]. Privacy protection as a security tool can be implemented by designing and enforcing sound privacy and data-protection laws and technologies [23]. 14. Rule of Assessment / Evaluation: Assessment is a characteristic which can be applied to a process or processes to obtain a quality software product. The rule suggests that each and every process, irrespective of size, should be evaluated and assessed after it has been created by the software developer [13]. The consistency of an assessment of a process or processes ensures the reliability of a software system [24]. Assessment is also important for the software to be valid, as it compares the expected / desired output with the observed output [24]. If the assessment of a process or processes is done properly, the process is consistent and valid, which represents quality, of which security is a subset. Assessment or evaluation done in the light of the current security environment can help software developers analyze and measure the level of security

implementation in their software product against industry standards and best practices [25]. 15. Rule of Excellence: Quality in software means that the solution provided by the software should exactly and totally match the needs and demands of the environment and its users. The rule suggests that security is a subset of quality, and the control and variability of the security features depend on quality [13]. Hence, to achieve security in totality, the quality of the software should be of the highest standard. 16. Rule of Flexibility: Flexibility in relation to secure software development can be defined as the synchronization of the system design with security in such a way that it can adapt to external changes when they occur. The rule suggests that the various requirements regarding security should not be rigid; they must be flexible as well as realizable [13]. The details of the security specifications must be realized by the software designer and developer. 17. Rule of Fortification (Protection): Integrity is an important ingredient of software and should be maintained throughout the software engineering process while implementing security to strengthen the software. The rule suggests that the various processes used in the security engineering process should be secured individually and in totality [13]. Only the individuals concerned should have access to the technicalities of the software security; from everyone else they should be kept secret. 18. Rule of Unambiguity: Unambiguity in software security means that the implementation issues of security in software should be free from ambiguity and easy to understand under any circumstances by its designers and developers. The rule suggests that for easy implementation of software security, the details pertaining to it should be clear and concise [13]. All issues related to software security must be clearly understood by the software designer and developer. 19.
Rule of Error Classification: Security vulnerabilities very often occur due to bad error handling and a lack of proper understanding of the various errors [15]. Software developers and software security practitioners should be concerned about the various errors which create problems leading to software vulnerability. The rule suggests that errors should be categorized and classified according to a schema containing a set of security rules, for better understanding of problems which might have an impact on the security of the software [26, 27]. It further suggests that any error, once recognized, should be removed as soon as possible and should not, in any case, resurface again [13]. 20. Rule of Auditability: Auditing in security is a feature which produces a sequential record of all the activities performed in / by a system, which aids in the reconstruction and examination of the sequence of events and/or changes in an event. The rule suggests that auditability must be implemented to judge the accountability feature of software security; it aids in redesigning foolproof security policies and procedures for implementing a secure


software system [28]. It helps the security auditor to thoroughly understand the flow of information and develop a plan for properly securing the system, and it establishes the role of the security auditor as that of a validator and advisor [29]. 21. Rule of Interoperability: In today's age, most of the software that comes to market is platform independent and provides interoperability, i.e., one piece of software can interact with many others to exchange data and information and for other operations. In doing so, it is highly likely that software which is not secure can infect other software, despite the fact that the latter is secure. This rule suggests that if two or more pieces of software are interacting or communicating with each other, then all the software involved in the interaction or communication must be secure. IV. IMPLEMENTATION MECHANISM To implement security right from the requirements phase, all personnel, from requirements engineers to maintenance engineers and other stakeholders, should make themselves aware of the latest software security issues, especially the critical ones. For the SDLC team, this awareness should be more technical; for other stakeholders, the awareness can be more general, but it is still necessary. The requirements engineer, system software designer,

programmer, test engineer, implementation engineer and maintenance engineer should carry out their respective roles keeping in mind all twenty-one security rules quoted above. Further, the implementation engineer and the maintenance engineer should focus particularly on the auditability and interoperability rules. If the security rules are followed properly, they will help the requirements engineers to implement the most appropriate security mechanisms, like threat modeling, for meeting the true underlying security requirements. The designers will be able to produce a more secure design architecture, and the programmers will be able to develop techniques for producing more secure code. These security rules will broaden the role of test engineers, who will be able to choose the appropriate tools and techniques for testing the software from a security point of view, with a focus on destructive testing. Following these security rules, the implementation engineer will be able to configure and run the software more securely. The maintenance engineers will be able to make a secure maintenance plan, which will help them adapt the software to a more secure modified environment. The implementation mechanism of our software security rules throughout the SDLC, 'right from the beginning', is shown in Figure 2.

Figure 2. Implementation Mechanism
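Rules 3 and 20 (accountability and auditability) both presuppose a tamper-evident record of who did what. One common realization, shown here purely as a hypothetical sketch rather than anything prescribed by the paper, is a hash-chained log in which each entry commits to its predecessor:

```python
import hashlib
import json

def append_entry(log, user, action):
    """Append an entry whose hash covers the previous entry's hash,
    so any later modification breaks the chain."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"user": user, "action": action, "prev": prev}
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(payload).hexdigest()
    log.append(entry)

def verify(log):
    """Walk the chain and recompute every hash; False on any tampering."""
    prev = "0" * 64
    for e in log:
        body = {k: e[k] for k in ("user", "action", "prev")}
        if e["prev"] != prev:
            return False
        recomputed = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        if recomputed != e["hash"]:
            return False
        prev = e["hash"]
    return True

log = []
append_entry(log, "alice", "read record 42")
append_entry(log, "bob", "update record 42")
print(verify(log))            # True
log[0]["action"] = "nothing"  # tampering with an old entry
print(verify(log))            # False
```

Such a log supports the auditor's role described in Rule 20: the sequence of events can be reconstructed and its integrity checked independently of the people who wrote it.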
V. VALIDATION AND EXPERIMENTAL RESULTS These security rules were applied to a real-life project from industry (at the request of the company, its identity is concealed), and the final result of the security assessment was calculated as per the prescribed implementation mechanism. The level of security assurance was then compared with that of another project in which these rules were not applied. The study shows that the level of risk is reduced by up to 40.5%. Due to the page-limit constraint, we do not provide the details of the validation results in this paper; we will discuss them in our next paper. VI. CONCLUSION AND FUTURE WORK Secure software does not happen by accident. It is accomplished only when every designer, developer, tester and manager working on a project takes security seriously, and does so during each and every phase of the software


development lifecycle. Security is not something that is addressed at the end of the product lifecycle, nor is it a specific milestone that occurs during project execution. Security must be everywhere: it should begin at the requirements level and should be on the mind of every member of personnel during the entire SDLC. This paper has tried to present some concrete work on software security, and hence twenty-one security rules have been proposed. Validation results show the applicability of these rules during the development life cycle. Future work may include the subdivision of each of the twenty-one rules into sub-rules; set theory may then be applied to those sub-rules to quantify the values as well as the steps, which may increase the accuracy of these rules. These rules were validated on the project described in the validation section; further work may be done by applying them to a large sample to establish their accuracy. This work will help security experts to introduce security 'right from the beginning' and to build more secure software. REFERENCES
[1] Joseph Migga Kizza: A Guide to Computer Network Security, Springer, 2008, pp. 112-115.
[2] http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
[3] Jari Råman: Regulating Secure Software Development: Analysing the Potential Regulatory Solutions for the Lack of Security in Software, Lapland University Press, 2006, p. 2.
[4] Hao Wang, Andy Wang: "Security Metrics for Software Systems," Proceedings of the 47th Annual ACM Southeast Regional Conference (ACM-SE 47), 2009, pp. 1-2.
[5] J. A. Wang, M. Xia, and F. Zhang: "Metrics for Information Security Vulnerabilities," Journal of Applied Global Research, vol. 1, no. 1, 2008, pp. 48-58.
[6] http://www.executivebrief.com/project-management/software-security-standards-project-security/P1/
[7] Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead: Software Security Engineering: A Guide for Project Managers, Addison-Wesley Professional, 2008, pp. 6-8.
[8] http://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Certification_Programs/CSSLP/CSSLP_WhitePaper.pdf
[9] http://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf
[10] G. Hoglund and G. McGraw: Exploiting Software: How to Break Code, Boston: Addison-Wesley, 2006, pp. 1-4.
[11] http://searchwarp.com/swa268042.htm
[12] Gary McGraw: Software Security: Building Security In, Addison-Wesley Software Security Series, 2006, p. 36.
[13] A. S. Sodiya, S. A. Onashoga, and O. B. Ajayi: Towards Building Secure Software Systems, vol. 3, 2006, pp. 636-645.
[14] Vladimir Golubev: Using of Computer Systems Accountability Technologies in the Fight Against Cybercrimes, Computer Crime Research Center, downloadable from http://www.crimeresearch.org/library/Using.htm
[15] Neil Daswani, Christoph Kern, Anita Kesavan: Foundations of Security: What Every Programmer Needs to Know, Apress, 2007, p. 44.
[16] http://www.albion.com/security/intro-4.html
[17] http://security.practitioner.com/introduction/infosec_2.htm
[18] http://www.yourwindow.to/informationsecurity/gl_confidentialityintegrityandavailabili.htm
[19] http://en.wikipedia.org/wiki/Access_control
[20] Clifford Lynch: A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources, Coalition for Networked Information, 1998, p. 3.
[21] Marshall D. Abrams, Marvin V. Zelkowitz: "Striving for Correctness," Computers & Security, vol. 14, no. 8, 1995, pp. 719-738.
[22] Lawrence Chung, Brian A. Nixon, Eric Yu, John Mylopoulos: Non-Functional Requirements in Software Engineering, Kluwer Academic Publishers, 1999, p. 324.
[23] Simone Fischer-Hübner: IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms, Springer, 2001, p. 5.
[24] http://en.wikipedia.org/wiki/Assessment
[25] http://www.sun.com/service/security/securityassessment.xml
[26] http://www.fortify.com/vulncat/en/vulncat/index.html
[27] http://www.fortify.com/security-resources/taxonomy.jsp
[28] Elizabeth Wasserman: The Role of Auditing in IT and Security, downloadable from http://www.ciostrategycenter.com/Board/smarts/role_of_audit/index.html
[29] Michael Rasmussen, Adam Brown: The Role of Audit in IT and Security: Separating Roles, Establishing Collaboration, Forrester Research, 2004, pp. 1-2.

Chitreshh Banerjee is currently working as Faculty (Executive Officer) in the Department of Information Technology, Board of Studies, The Institute of Chartered Accountants of India (set up by an Act of Parliament), New Delhi. Before joining the present institute, he was associated with Gyan Vihar University, Jaipur, as a senior faculty member, where he was instrumental in developing the Management Information System (MIS) of the university. He has an excellent academic background with sound academic and research experience. Under the institute-industry linkage programme, he delivers expert lectures on varied themes pertaining to IT. A prolific writer in the arena of computer science and information technology, he has written a number of books on multimedia systems, information technology, software engineering, and e-banking security transactions, and has contributed various research papers to conferences of national repute. His areas of interest include multimedia systems, e-learning, e-banking, and software security.

Santosh K. Pandey is presently working as Faculty (Executive Officer) in the Department of Information Technology, Board of Studies, The Institute of Chartered Accountants of India (set up by an Act of Parliament), New Delhi. Prior to this, he worked with the Department of Computer Science, Jamia Millia Islamia (a central university), New Delhi. He has rich academic and research experience. His research interests include software security, requirements engineering, security policies and standards, software engineering, access control and identity management, and vulnerability assessment. Currently, he is working in the areas of software security and requirements engineering. He has published around 26 high-quality research papers in acclaimed international and national journals and reputed conferences and seminars, and has been nominated to the board of reviewers of various international and national journals and conferences. One of his research papers was adjudged the Best Paper at the National Conference on IT - Present Practices and Challenges, held at New Delhi during Aug 31 - Sep 1, 2007.


128

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No.1, 2009

An Entropy Architecture for Defending against Distributed Denial-of-Service Attacks

G. Meera Gandhi, Research Scholar, CSE, Sathyabama University, Chennai, Tamil Nadu
S. K. Srivatsa, Professor, ICE, St. Joseph's College of Engineering, Chennai, Tamil Nadu

Abstract

The goal of intrusion detection is to identify entities attempting to destabilize security controls. Network-based intrusion detection techniques identify unauthorized, illicit and anomalous behavior from the network traffic, and identifying network intruders is a most significant problem for network administrators and network security experts. Intrusion detection systems are an important component of the defensive measures protecting computer systems and networks from abuse. New threats are emerging at an increasing rate, and Distributed Denial-of-Service (DDoS) attacks have emerged as a popular means of causing mass damage. The impact of a DoS attack causes great collateral damage, and DoS attacks remain a serious threat to the users, organizations, and infrastructures of the Internet. The approaches used in existing defense techniques are based on traffic characteristics such as traffic deviation and attack pattern matching, which may not yield accurate detection and involve high complexity.

In this paper, a router-based entropy algorithm is designed to improve performance and protection against distributed denial-of-service attacks. This work includes attack tree construction, attack detection and clustering of alerts. The predicted entropy is calculated for each router, and alerts are raised for flows in which the predicted entropy falls below a threshold value. The alerts are then grouped into different clusters according to their source, target, time and attack type, which helps to avoid redundant alerts and to associate alerts of the same nature. Simulation results show that the proposed architecture improves detection accuracy and throughput while reducing the alert overhead. We have also explored the current research potential in terms of security, router throughput performance, and the impact of DoS attack technology based on intruder activity and attack tools.

Key words: intruders, denial of service, attacks, router entropy, attack tree, attack type.


I. INTRODUCTION

At a time when the Internet provides essential communication for a vast number of people, security becomes a tremendous issue, and Intrusion Detection Systems (IDS) are considered the mainstream of security technology. IDS are designed to identify security breaches. However, one of the major problems with current IDS is the lack of "environmental awareness" (i.e. security policy, network topology and software) [1]. This ignorance triggers many false positives and false negatives. A false negative corresponds to a non-detected attack and occurs because an attacker is misclassified as a normal user. A false positive corresponds to a false alert and occurs because the IDS misinterprets normal packets or activities as attacks. During very large attacks, DDoS traffic also creates heavy congestion in the Internet core, which interrupts communication between all Internet users whose packets cross congested routers [2].

II. PROBLEM IDENTIFICATION

Network traffic from DoS attacks creates heavy congestion in the router, which disturbs its services. The impact of DoS attacks causes great collateral damage, and DoS attacks remain a serious threat to the users, organizations, and infrastructures of the Internet. The approaches used in existing defense techniques are based on traffic characteristics such as traffic deviation and attack pattern matching, which may not yield accurate detection; these techniques also involve high complexity. The flooding alerts sent upon detection may be false or duplicate alerts and may result in additional overhead, so these alerts need to be checked and organized. Our objective is therefore to design a defense mechanism which detects DDoS attackers accurately with less complexity and alert overhead. In this paper, we propose a router-entropy-based algorithm designed to improve the performance of services and to protect against distributed denial-of-service attacks. Our proposed solution has three steps:

1) Attack tree construction
2) Attacks detection
3) Clustering of alerts

Attack tree construction: This is the process of obtaining an abstraction of the router-level Internet graph, called the attack tree, where the attack victim is the tree root and the different traffic sources are the tree leaves.

Attacks detection: We design an entropy-based scheme for attack detection. Entropy is a measure of the uncertainty or randomness associated with a random variable or with data coming over the network. Entropy is calculated per router from the packet header information. If the projected entropy is below a threshold value for any router, that flow is considered to be an attack flow and its source is identified as an attacker.

Alert clustering: The alerts are grouped into different clusters according to their source, target, time and attack type. Clustering helps to avoid redundant alerts and to associate alerts that are of the same nature.

For example, in [10], detection of DDoS flooding attacks is based on the distributed change-point detection (DCD) method. In that method, predicting the deviation rate may not be accurate and involves high complexity.

The paper is organized as follows. Section 2 presents the related work. Section 3 discusses the attack tree construction phase. Section 4 presents the entropy-based detection technique. Section 5 presents the alert clustering. The simulation results are given in Section 6 and the conclusion is given in Section 7.

III. RELATED WORK

Jelena Mirkovic, Max Robinson, Peter Reiher and George Oikonomou [3] propose a distributed system for DDoS defense, called DefCOM. DefCOM nodes span source, victim and core networks and cooperate via an overlay to detect and stop attacks. The attack response is twofold: defense nodes constrain the attack traffic, relieving the victim's resources, and they also cooperate to detect legitimate traffic within the suspicious stream and ensure its correct delivery to the victim. The DefCOM design has a solid economic model in which networks deploying defense nodes directly benefit from their operation. DefCOM further offers a framework for existing security systems to join the overlay and cooperate in the defense. These features create excellent motivation for wide deployment, and the possibility of a large impact on the DDoS threat.

Sherif Khattab, Rami Melhem, Daniel Mossé, and Taieb Znati [4] propose a honeypot back-propagation scheme to trace back attack sources when attacks occur. In this scheme, the reception of a packet by a roaming honeypot triggers the activation of a DAG of honeypot sessions, rooted at the honeypot under attack, towards the attack sources. The formation of this tree is achieved in a hierarchical fashion: first at the Autonomous System (AS) level and then, if needed, at the router level within an AS. The scheme supports incremental deployment and provides deployment incentives for ISPs.

Aleksandar Kuzmanovic and Edward W. Knightly [5] investigate a class of low-rate denial-of-service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulations, and Internet experiments, they show that maliciously chosen low-rate DoS traffic patterns that exploit TCP's retransmission timeout mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Moreover, as such attacks exploit protocol homogeneity, they study the fundamental limits of the ability of a class of randomized timeout mechanisms to thwart such low-rate DoS attacks.

Several other existing defense techniques, discussed below, can be distinguished from the proposed approach.

A. Denying Denial-of-Service Attacks: A Router-Based Solution

To prevent DDoS attacks, a general method based on more secure packet forwarding among routers has been proposed. Encryption, digital signatures, and authentication are employed by the routers to enable the tracing of a packet back to its origin, so that further traffic is stopped at the closest intelligent router point. Though this system provides more secure and private communication between the routers involved, it introduces a remarkable amount of complexity, increasing cost, delay, and bandwidth requirements. In addition, since the initial packet must be decrypted, knowledge of the last router is vital; this creates a single point of failure and consequently a less reliable system.

B. Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic

Hop-count filtering is a victim-based solution. It depends on the number of hops between source and destination, which is indirectly indicated by the TTL field of an IP packet. If major discrepancies exist between the hop count of a received IP packet and the value stored in a previously built table, the packet is discarded and the attack is detected. This process depends heavily on assumptions and probabilistic methods, which makes it inaccurate.

C. Implementing Pushback: Router-Based Defense against DDoS Attacks

Pushback is a network-based solution. It tries to solve the problem of DDoS attacks using the congestion level between different routers within the network. When a link's congestion level reaches a certain threshold, the router sends a pushback message to the routers connecting it to other congested links, asking them to limit the inward traffic to this destination.

D. Protection against DDoS Attacks Based on Traffic Level Measurements

Traffic level measurement is another defense method. A DDoS module is attached to a given server, making it a virtual server [6]. The module continuously monitors the traffic level; if traffic reaches a high level, most incoming packets are dropped, and the module thus tries to isolate the server from the attack. Illegitimate traffic is recognized by its higher mean traffic level and can thus be effectively suppressed.

E. Stack Pi: A Path Identification Mechanism against IP Spoofing and DDoS Attacks

Stack Pi mitigates illegitimate traffic by marking packets deterministically. It comprises two parts: marking and filtering. The filtering scheme is responsible for detecting illegitimate traffic based on the marking scheme: access is allowed if the marking matches the database entry and is denied otherwise.

IV. ATTACK TREE CONSTRUCTION

Based on the immediate packet flows to the victim, the attack tree rooted at the victim is a notion of the Internet router-level graph. Hence it remains static over quite short intervals of time, and the attack tree is refreshed rarely or on an interrupt: when the structure is modified, an interrupt is triggered.

A. Recursive Approach

A distributed divide-and-conquer approach has been proposed. The problem is broken down repeatedly into multiple sub-problems at each router, which are handled by the router's neighbors respectively. The attack tree combines the solutions of the sub-problems and propagates them up from the traffic sources to the victim; thus we use a bottom-up rather than a top-down approach. If an intermediate router assigns unique labels to all its immediate children, then its degree in the attack tree is the maximum value of the local identifier. Each router aggregates the attack sub-trees (S_Ri) of its neighbors (children) and forwards the result to its immediate upstream neighbor. When this is employed by every router in the attack tree, an incremental attack tree evolution results in a bottom-up distributed fashion.
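The bottom-up aggregation above can be sketched in a few lines. This is an illustrative sketch only: the dictionary-based tree, the `attack_subtree` function, and the router names are assumptions for exposition, not the authors' implementation.

```python
# Sketch of the bottom-up attack-tree aggregation: each router merges the
# attack sub-trees S_Rj reported by its immediate children C_R before
# forwarding the result to its upstream neighbor.

def attack_subtree(children, router):
    """Return the attack sub-tree rooted at `router` as a set of routers.

    `children` maps each router to the list of its immediate children;
    traffic sources are the leaves (routers with no children entry).
    """
    subtree = {router}                      # the local node itself
    for child in children.get(router, []):  # C_R: immediate children
        # recursion mirrors the bottom-up merge of child sub-trees
        subtree |= attack_subtree(children, child)
    return subtree

# Victim V receives traffic through R1; R1 has children R2, R3, R4 (cf. Fig. 1).
tree = {"V": ["R1"], "R1": ["R2", "R3", "R4"]}
print(sorted(attack_subtree(tree, "V")))  # → ['R1', 'R2', 'R3', 'R4', 'V']
```

Each recursive call corresponds to one router combining its children's sub-trees before propagating the aggregate upstream, which is the divide-and-conquer recurrence in compact form.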


B. Modular Path Tree

This scheme provides stronger and clearer support for dynamic changes to the attack tree, without complete retransmission of the attack tree. The constructed attack tree is essentially an attack path tree which uses out-of-band packet marking embedding only the router connectivity information. It has been proposed to overload this attack path tree to also embed path entropy information, constructing a novel attack path entropy tree.

[Figure 1 shows an attack path tree: router R1 with children R2, R3 and R4, with entropy values marked on the edges.]

Figure 1. Attack path tree

C. Logical Representation

Consider the attack tree shown in Fig. 1. It shows the attack sub-tree of some router R1, which has three tree children, namely R2, R3 and R4. The logical representation of this sub-tree is

S_R1 = H_R1 ∪ S_R2 ∪ S_R3 ∪ S_R4 ------ (1)

where H_R1 is the degree of router R1 and S_R1 is the attack sub-tree of router R1. The equation is generalized for every router in the attack tree as

S_Ri = H_Ri ∪ ( ∪_{Rj ∈ C_Ri} S_Rj ) ------ (2)

where C_Ri denotes the immediate children of Ri. Thus the proposed distributed divide-and-conquer approach is represented as a concise recurrence relation.

D. Physical Representation

The structural modification to the attack tree supports a simple plug-and-play design (the different shaded regions in Figure 1). A modification can propagate up the tree to the victim without a total re-computation of the whole attack tree and without affecting other independent attack sub-trees. The dynamic Internet routing characteristics are modeled by periodic or triggered update messages, which contain only the attack sub-trees that have been structurally modified.

V. ENTROPY BASED ATTACKS DETECTION

A. Entropy

Entropy, or the Shannon-Wiener index, is a measure of the uncertainty or randomness associated with a random variable; in this case it is a measure of the data coming over the network. The range of sample entropy lies in [0, log n]. The entropy value is smaller when the class distribution concentrates in one class and larger otherwise. For detecting changes in randomness, the entropy of one sample of packet header fields is compared with that of another sample. The entropy E(Y) of a random variable Y with possible values {y1, y2, ..., yn} and probability distribution PR = {pr1, pr2, ..., prn} with n elements, where 0 ≤ pri ≤ 1 and Σi pri = 1, is calculated as

E(Y) = − Σ_{i=1}^{n} PR(yi) log PR(yi) ------ (3)

B. Detection Technique

An entropy-based technique is used for detection. Every intermediate router uses entropy to measure the number of packets it has received from each of its immediate children in the attack path tree; in our proposed detection algorithm, entropy is the principal metric. pr(yi) (where yi ∈ Y) is the probability that Y takes the value yi. Suppose we observe Y for a fixed time window w; then pr(yi) = ti / t, where ti is the frequency, i.e. the number of times we observe Y taking the value yi, and

t = Σ_{i=1}^{n} ti

E(Y) = − Σ_{i=1}^{n} (ti / t) log(ti / t) ------ (4)

Here n is the maximum number of ports. If we want to calculate the probability of any source (destination) address, then ti is the number of packets with yi as source (destination) address and t is the total number of packets:

PR(yi) = (number of packets with yi as source (destination) address) / (total number of packets)

Here the total number of packets is the number of packets seen in a time window T. The normalized entropy captures the overall probability distribution in the captured flow for the time window T:

Normalized entropy = E / log n0 ------ (5)

where n0 is the number of distinct yi values in the given time window. Since the attack flow dominates the whole traffic, the normalized entropy of the traffic captured in time window T decreases in a detectable manner during a DDoS attack. The same can also happen under massive legitimate network access, so the entropy rate has to be calculated to confirm the DDoS attack. The projected entropy (PE) is the rate of growth of the entropy of a random process. Given a sequence of n random variables, the projected entropy of a stochastic process {yi} is defined by

PE(y) = lim_{n→∞} (1/n) E(y1, y2, ..., yn) ------ (6)

The steps in the proposed DDoS detection algorithm are described in Figure 2.

Algorithm 1: DDoS detection algorithm
Step 1: Collect sample flows for a time window t on each router.
Step 2: Calculate the router entropy E(y) = − Σ_{i=1}^{n} PR(yi) log PR(yi).
Step 3: Calculate NE = E / log n0, where NE is the normalized router entropy.
Step 4: If NE < th1, where th1 is a threshold value:
    4.1 Mark the flow as suspected.
    4.2 Raise an alert.
Step 5: Calculate the projected entropy PEi(y) of the suspected flows in that router and in the downstream routers.
Step 6: If PEi(y) ≤ th2, where th2 is a threshold value:
    6.1 Mark the flow as attacked.
    6.2 Raise a final alert.
    6.3 Discard the attack flow.

Figure 2. The algorithm for DDoS detection using router entropy

C. Overall Description of Our Architecture

Figure 3 gives the diagrammatic representation of our entire architecture, while Figure 5 presents a consolidated view of the operations involved in the proposed architecture.
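As a rough illustration of Equations (3)-(5), steps 1-4 of Algorithm 1, and the alert clustering stage, the sketch below reduces a flow sample to the list of source addresses seen in one time window. The threshold `th1 = 0.5`, the helper names, and the alert fields are illustrative assumptions, not the paper's implementation.

```python
import math
from collections import Counter, defaultdict

def entropy(values):
    """Sample entropy E(Y) = -sum (ti/t) * log(ti/t), cf. Eqs. (3)/(4)."""
    t = len(values)
    counts = Counter(values)  # ti for each distinct value yi
    return -sum((ti / t) * math.log(ti / t) for ti in counts.values())

def normalized_entropy(values):
    """NE = E / log(n0), Eq. (5); n0 = number of distinct yi values."""
    n0 = len(set(values))
    if n0 <= 1:
        return 0.0  # a single dominant source: minimal randomness
    return entropy(values) / math.log(n0)

def detect(window, th1=0.5):
    """Flag the window as suspected when NE falls below the threshold th1."""
    ne = normalized_entropy(window)
    return ne < th1, ne

def cluster_alerts(alerts):
    """Group alerts sharing (source, target, attack type) to drop duplicates."""
    clusters = defaultdict(list)
    for alert in alerts:
        clusters[(alert["src"], alert["dst"], alert["type"])].append(alert)
    return clusters

# A flooding source dominating the window drives NE toward 0,
# while evenly spread legitimate traffic keeps NE near 1.
attack_window = ["10.0.0.9"] * 95 + ["10.0.0.1", "10.0.0.2"] * 2 + ["10.0.0.3"]
normal_window = [f"10.0.0.{i}" for i in range(50)] * 2
print(detect(attack_window)[0], detect(normal_window)[0])  # → True False
```

Note that the NE ratio is independent of the logarithm base, since the same base appears in numerator and denominator; confirming a suspected flow via the projected entropy of Eq. (6) (step 5) would additionally require tracking entropy over successive windows.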


Figure 3. Entropy Based Architecture

VI. EXPERIMENTAL RESULTS

A. Simulation Setup

This section deals with the experimental performance evaluation of our algorithms through simulations. In order to test our protocol, the NS2 simulator [17] is used. The experimental setup is similar to Figure 4.

Figure 4. Experimental Setup

B. Simulation Results

• Varying Attack Traffic Rate

In our initial experiment, we vary the attack traffic rate as 100, 200, ..., 500 kb and measure the number of alerts raised, comparing our results with the DCD-CAT scheme [10]. As we can see from Figure 5, our proposed EBA scheme raises fewer alerts than the DCD-CAT scheme, since it includes the alert clustering technique.

Figure 5. Attack Rate Vs No. of Alerts

Figure 6 shows the number of packets lost by the legitimate users as the attack traffic rate is varied. The loss is lowest with EBA, followed by DCD-CAT, and highest when there is no defense.

Figure 6. Attack Rate Vs Packet Loss

• Attack and Normal Throughput

In the second experiment, we measure the throughput obtained by the legitimate users (normal throughput) and the throughput obtained by the attackers (attack throughput).

Figure 7 shows the normal throughput and attack throughput values without applying any defense: the attack throughput is very high, thereby reducing the normal throughput.

Figure 7. Attack Traffic without Defense

Figure 8 shows the normal throughput and attack throughput values of our proposed EBA scheme: the attack throughput is greatly reduced, increasing the normal throughput.

Figure 8. Attack Traffic with EBA

Figure 9 shows the normal throughput and attack throughput values of the DCD-CAT scheme: the attack throughput is reduced only to a small extent, slightly increasing the normal throughput.

Figure 9. Attack Traffic with DCD-CAT

VII. CONCLUSION

In this paper, a new architecture has been proposed for protection against distributed denial-of-service attacks. The mechanism helps in identifying attacks, constructing attack trees, improving attack detection, and clustering alerts, and it supports measuring the number of alerts raised and the resulting performance improvement. This defense mechanism detects DDoS attackers accurately with less complexity. Simulation results show that the proposed architecture improves detection accuracy and throughput while reducing the alert overhead.

VIII. REFERENCES
[1] Adel Bouhoula et al., "A Security Policy and Network Cartography based Intrusion Detection and Prevention Systems," Journal of Information Assurance and Security 4 (2009), pp. 279-291.
[2] A. D. Keromytis, V. Misra, and D. Rubenstein, "SOS: An Architecture for Mitigating DDoS Attacks," IEEE Journal on Selected Areas in Communications, Issue 1, January 2004.
[3] Jelena Mirkovic, "D-WARD: Source-End Defense against Distributed Denial-of-Service Attacks," Ph.D. thesis, University of California Los Angeles, 2003.
[4] Sherif Khattab, Rami Melhem, Daniel Mossé, and Taieb Znati, "Honeypot Back-propagation for Mitigating Spoofing Distributed Denial-of-Service Attacks," IEEE, 2006.
[5] Aleksandar Kuzmanovic and Edward W. Knightly, "Low-Rate TCP-Targeted Denial of Service Attacks and Counter Strategies," IEEE/ACM Transactions on Networking (TON), 2006.
[6] Zhu Lina and Zhu Dongzhao, "A Router-based Technique to Detect and Defend against Low-rate Denial of Service," Academy Publisher, 2009.
[7] B. B. Gupta, Manoj Misra, and R. C. Joshi, "An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach," Journal of Information Assurance and Security, 2008.
[8] Fanglu Guo, Jiawu Chen, and Tzi-cker Chiueh, "Spoof Detection for Preventing DoS Attacks against DNS Servers," IEEE, 2006.
[9] M. Muthuprasanna and G. Manimaran, "Distributed Divide-and-Conquer Techniques for Effective DDoS Attack Defenses," white paper, 2008.
[10] Yu Chen, Kai Hwang, and Wei-Shinn Ku, "Collaborative Detection of DDoS Attacks over Multiple Network Domains," IEEE, 2007.
[11] Cheng Jin, Haining Wang, and Kang G. Shin, "Hop-Count Filtering: An Effective Defense Against Spoofed Traffic," ACM, 2003.
[12] John Ioannidis and Steven M. Bellovin, "Implementing Pushback: Router-Based Defense against DDoS Attacks," 2002.
[13] Qiming Li et al., "On the Effectiveness of DDoS Attacks on Statistical Filtering," IEEE, 2005.
[14] Jelena Mirkovic and Peter Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM, 2004.
[15] Guangsen Zhang and Manish Parashar, "Cooperative Defense against DDoS Attacks," Journal of Research and Practice in Information Technology, 2006.
[16] Arjita Ghosh and Sandip Sen, "Agent-Based Distributed Intrusion Alert System," SpringerLink, 2004.
[17] The Network Simulator - ns-2. http://www.isi.edu/nsnam/ns
[18] Debra L. et al., "WebSOS: Protecting Web Servers from DDoS Attacks," in Proceedings of the 11th IEEE International Conference on Networks (ICON), 2003.

Author's Profile:

Meera Gandhi G. received her B.E. (Computer Science and Engineering) degree and was awarded the M.E. (Computer Science and Engineering) degree by Sathyabama University, Chennai. She is currently pursuing her Ph.D. in Computer Science at Sathyabama University, Chennai, and will be finishing her research this academic year. She works as a Professor in the Department of Computer Science and Engineering at Sathyabama University, Chennai, and has seventeen years of experience in the field of computer science. Her research is in the area of information security and neural networks, and she is also interested in intrusion detection systems, intrusion prevention systems, artificial intelligence, genetic computing, web mining, and data security. She has published many papers in international and national journals and proceedings, and has participated and presented papers in international and national conferences. She is a member of professional associations including the Indian Society for Technical Education and the Computer Society of India, and acts as a reviewer for the journal "Expert Systems" and Scientific Journal International.



A Context-based Trust Management Model for Pervasive Computing Systems
Negin Razavi
Islamic Azad University, Science and Research Branch Tehran, Iran

Amir Masoud Rahmani
Islamic Azad University, Science and Research Branch Tehran, Iran

Mehran Mohsenzadeh
Islamic Azad University, Science and Research Branch Tehran, Iran

Abstract—Trust plays an important role in making collaborative decisions about service evaluation and service selection in pervasive computing. Context is a fundamental concept in pervasive systems, based on the interpretation of the environment and its systems. The dynamic nature of context can strongly affect trust management and service selection. In this paper, we present a context-based trust management model for pervasive computing systems. The concept of context is considered in the basic components of the model, such as the trust computation module, recommender assessment module, transaction management module, and request responder. In order to measure predicted trustworthiness according to the fuzzy nature of trust in pervasive environments, fuzzy concepts are integrated into the proposed model.

Keywords—Pervasive Computing Systems; Context; Trust Management; Privacy; Service Selection.

I. INTRODUCTION

Having an effective trust management model plays an important role in evaluating relationships among communicating entities, which in pervasive computing environments may include service requesters and service providers. Pervasive computing is an emerging research field that introduces revolutionary paradigms for computing models, and an efficient pervasive computing model depends on its trust management model. A pervasive environment consists of multiple resources (or multiple service providers), which demonstrates the need for an efficient model for trust management. The fundamental issue in pervasive computing is to create ambient intelligence, where entities embedded in the environment provide persistent connectivity and service without the user's awareness of communication or computing technologies. In a pervasive computing environment, having efficient and trusted relationships together with privacy solutions is a challenge [1]. In addition, pervasive computing provides further features and functionality, such as invisibility and context awareness [2]. As a result, presenting a trust management model can help us to have a safe structure for our pervasive environment.

The trust management concept was first used in 1996 to solve network problems [3]. In [4] research is done on trust management models in pervasive computing, and a model is suggested to facilitate the interaction between entity and environment and improve the efficiency of trust-building. Some approaches use special techniques in their trust models. In [5] a model based on cloud theory is presented; this theory is used to describe uncertain concepts such as trust. The model proposed in [6] uses a new feature of gravitation to analyze the trust relationship between interacting pervasive entities. Performance and privacy protection are other concepts considered in recent research. [7] presents a privacy-preserving credential chain discovery mechanism for the credential chain discovery problem in trust management; with this mechanism, credentials are no longer available to everyone. In [8] a specific framework is presented for implementing a distributed trust scheme, and its performance is evaluated for the metrics of throughput, packet loss ratio, and message overhead.

Most decisions about establishing relationships between entities or selecting services among different service providers in a pervasive environment depend on the concept of context. A context relates information types with resources in the environment and provides a Situation Derivation Function that gathers actual information [9], which can influence the interactive behavior of entities. The meaning of the term context may vary depending on the system or the domain of usage; distance, packet rate, packet loss ratio, time, and delay are some examples of context in different domains. For more efficiency, information gained from context can be used in a trust management model to help decision making. In this paper, we propose a context-based trust management model which increases the reliability of interactions such as service selection. In the proposed model, most of the components rely on context to obtain effective functionality. Recommendations from other entities are used in order to achieve faster and more accurate trust evaluation. As mentioned in [10], trustworthiness measurement and prediction are complex and limited by the fuzzy, dynamic, and complex nature of trust; therefore, we also consider fuzzy concepts in our trust management model. Privacy protection has always been the subject of legislation, since there is an inherent conflict in service provisioning [11]; we use a privacy agent for satisfying privacy levels in our model.

137

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

None of the previous works considers the concept of context and its fundamental role in trust management. The advantage of our work is that the concept of context is incorporated into the proposed trust management model. Outline of the paper: Section II presents an overview of the basic concepts in the proposed trust management model. Section III defines the trust management model at the service requester and Section IV defines the trust management model at the service provider. Section V describes the procedure of trust computation in the proposed model. Some characteristics of the proposed model are presented in Section VI, and finally the conclusion and future works are given in Section VII.

II. AN OVERVIEW OF BASIC CONCEPTS IN THE PROPOSED TRUST MANAGEMENT MODEL

Figure 1. Trust management model at service requester

A. Definition of Trust Trust has been defined in several ways. In our trust management model, the trust of entity A on entity B shows the strength of A’s belief that B can provide a service, which will satisfy A’s request, and that the behavior of B is without malicious intent. This definition is based on the definition of trust in [12], [13]. In this model, trust values (TRV) range from -1 to 1. TRV=0 indicates that the service requester has no trust information about the service provider, TRV > 0 indicates that the service provider is considered trustworthy, and TRV < 0 indicates that the service provider is considered untrustworthy. B. Definition of Context As mentioned in [14], context is any evidence that can be used to support arguments for the conditions of the situation of any entity or target, which influences their interactive behavior. Privacy, security, and trust may be representatives of the rules that influence the interactive behavior between entities. Therefore, the concept of context is integrated with other concepts such as privacy, security, and trust. C. Definition of Service In our model, entities interact with each other by means of services. A service can be presented with an array of attributes where different attributes in services result in different service types. Each service type has one (or more) critical context(s) that can affect the selection of the target entity or influence the provided quality of service (QoS). Time, delay, and distance can be treated as context. When several entities afford the same kind of services, the service requester needs to handle critical contexts while services are provided. D. Model Framework Analysis In the proposed model, we define two types of entities: service requester and service provider. As shown in Fig. 1,
Figure 2. Trust management model at service provider

each service requester has a component, named service selection and invocation, which interacts with domains of the environment. Each service provider has a component named request responder, shown in Fig. 2, which is responsible for the request arrivals. Service selection and invocation and request responder are the two major functional components in the framework. III. TRUST MANAGEMENT MODEL AT SERVICE REQUESTER Service selection and invocation component is composed of service management module, request management module, and trust computation module at service requester. The functionalities of these modules together result in service request and selection by the corresponding component. Service selection and invocation component uses a context aware agent for the purpose of context maintenance. CONTEXT AWARE AGENT: This agent divides the environment into domains, considering the contexts which are critical in service selection. As a result, each domain contains entities that are suitable for a type of service. For example, in mobile services, this agent can create domains in which the distance of the entities from the requester is not more than 1 km.
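As a rough illustration of how such an agent might restrict a domain by a critical context, the following sketch filters entities by distance. The dictionary layout, the field names, and the 1 km threshold are assumptions made for the example, not part of the model itself.

```python
# Hypothetical sketch: a context-aware agent restricting a domain by a
# critical context (here, distance). The entity records are invented.

def partition_by_distance(entities, max_distance_km):
    """Keep only entities whose distance from the requester does not
    exceed the critical threshold (e.g. 1 km for mobile services)."""
    return [e for e in entities if e["distance_km"] <= max_distance_km]

entities = [
    {"id": "A", "distance_km": 0.4},
    {"id": "B", "distance_km": 2.5},
    {"id": "C", "distance_km": 0.9},
]
domain = partition_by_distance(entities, 1.0)  # keeps A and C
```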


Figure 3. Representation of a service request

SERVICE MANAGEMENT MODULE: This module identifies the required service type and denotes the threshold value (TV) of each service attribute which is required for a service to be satisfied. Service management module also sends requests to the selected service provider, which is determined by request management module. Fig. 3 represents a service request, in which Att_i denotes the i-th service attribute and TV_i denotes the threshold value of Att_i.
REQUEST MANAGEMENT MODULE: After the service type and required threshold values are determined by service management module, the request is passed to request management module. This module sends the request to the domains that are identified by context aware agent. After that, the entities which can provide the requested service send their real values to request management module. Request management module uses a fuzzy evaluation to select the best service provider and informs service management module to send the service request to the selected service provider. If none of the entities in the corresponding domains respond, request management module broadcasts the request to all the domains. The fuzzy evaluation function of service providers is as follows.

Figure 4. Trust Computation Module

SP_i = W \times M_i = (w_1, w_2, \ldots, w_n) \begin{pmatrix} m_{11}^i & m_{12}^i & m_{13}^i \\ m_{21}^i & m_{22}^i & m_{23}^i \\ \vdots & \vdots & \vdots \\ m_{n1}^i & m_{n2}^i & m_{n3}^i \end{pmatrix} \quad (1)

\sum_{j=1}^{n} w_j = 1; \quad 1 \le j \le n; \; 1 \le i \le k

Here, n is the number of service attributes and k is the number of service providers. Element w_j in the array W represents the weight factor of the j-th service attribute, which reflects the importance of the attribute. Element m_{jl}^i in matrix M_i represents the membership degree of the real value proposed by the i-th service provider with respect to the quality levels Good, Average, and Bad. SP_i is the membership degree array of the i-th service provider. The evaluation method of service providers is presented in (2).

V_i = \alpha \, TRV_i + (1 - \alpha) \, SP_i^{Good}; \quad 0 \le \alpha \le 1; \; 1 \le i \le k \quad (2)

where V_i is the evaluation result value of the i-th service provider, SP_i^{Good} represents the membership degree of the i-th service provider with respect to the quality level Good, TRV_i is the trust value of the i-th service provider, and \alpha is the weight factor which denotes the importance of the trust value in the computation. Equation (3) shows the selection method of the target entity.

TE = (entity_i \mid V_i = \max(V_z) \text{ and } 1 \le i, z \le k) \quad (3)

Here, k is the number of service providers and TE denotes the entity (entity_i) which has the maximum evaluation result value V_i; entity_i is then selected as the service provider.

TRUST COMPUTATION MODULE: Selecting an entity as a service provider depends on the trust value that the service requester places on the entity. Trust computation module is responsible for computing trust values. It helps request management module to select the service provider that has an acceptable trust value, and plays a fundamental role in our trust management model.

IV. TRUST MANAGEMENT MODEL AT SERVICE PROVIDER
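The fuzzy evaluation and selection above can be sketched in a few lines of Python. This is a minimal illustration under assumed inputs: the attribute weights, membership degrees, trust values, and α below are invented for the example, and the membership rows follow the (Good, Average, Bad) column order of matrix M_i.

```python
# Sketch of (1)-(3): weighted membership, trust-weighted evaluation,
# and selection of the provider with the maximum V_i.

def membership_array(weights, M):
    # SP_i = W x M_i: combine per-attribute membership degrees for the
    # three quality levels (Good, Average, Bad).
    return [sum(w * row[level] for w, row in zip(weights, M))
            for level in range(3)]

def evaluate(trv, sp_good, alpha):
    # V_i = alpha * TRV_i + (1 - alpha) * SP_i^Good           (2)
    return alpha * trv + (1 - alpha) * sp_good

weights = [0.5, 0.5]                     # one weight per attribute, sum 1
M1 = [[0.8, 0.2, 0.0], [0.6, 0.3, 0.1]]  # provider 1: rows = attributes
M2 = [[0.3, 0.4, 0.3], [0.2, 0.5, 0.3]]  # provider 2
sp1 = membership_array(weights, M1)      # [Good, Average, Bad] degrees
sp2 = membership_array(weights, M2)
v1 = evaluate(0.4, sp1[0], 0.5)          # low trust, good service
v2 = evaluate(0.9, sp2[0], 0.5)          # high trust, mediocre service
target = 1 if v1 >= v2 else 2            # (3): pick the maximum V_i
```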

Request responder component responds to service requests and consists of request processor module and privacy agent.

Begin
  For all Att_i in the requested service, where 1 ≤ i ≤ n
    If (RV_i ≥ TV_i)
      Service can be provided;
      Request responder component responds to the request management module with real values;
    Else
      Request processor module searches trust records DB;
      If (there is a trust record with an acceptable trust value for the requested service type)
        Request processor module recommends another entity corresponding to the service provider ID of the trust record;
        Request responder component responds to the request management module with the trust record;
        The indirect trust value is computed by indirect trust computation method;
      Else
        Request responder component does not respond to request management module;
      End if
    End if
End

Figure 5. The request processing function
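The request processing function above can be sketched as follows. This is an illustrative implementation only: the list/dict shapes of the request and trust records, and the `min_trust` cutoff for an "acceptable" trust value, are assumptions made for the example.

```python
# Sketch of Fig. 5's logic: serve the request if every real value meets
# its threshold; otherwise recommend a provider from trust records DB.

def process_request(real_values, thresholds, trust_records, min_trust=0.0):
    if all(rv >= tv for rv, tv in zip(real_values, thresholds)):
        return ("serve", real_values)
    # Cannot provide the service: look for a trustworthy alternative.
    acceptable = [r for r in trust_records if r["trust"] > min_trust]
    if acceptable:
        best = max(acceptable, key=lambda r: r["trust"])
        return ("recommend", best["provider_id"])
    return ("no_response", None)

served = process_request([5, 9], [4, 8], [])
recommended = process_request([3, 9], [4, 8],
                              [{"provider_id": "P7", "trust": 0.6}])
```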

PRIVACY AGENT: Each entity in the pervasive environment has an agent (privacy agent) to maintain its security and privacy policies. These policies restrict irregular accesses and do not allow some services to be used by other entities. Furthermore, some entities do not like others to be aware of their context (e.g., location). Privacy agent is composed of local policy module and context assessment module, described below.
LOCAL POLICY MODULE: This module is responsible for authentication. It also specifies access levels and access rules by considering the defined policy-levels, and decides whether to forward the request to request processor module or to reject it.
CONTEXT ASSESSMENT MODULE: This module evaluates service attributes and critical contexts, and assigns each of them a privacy-level. Privacy-levels influence the decisions made by local policy module.
REQUEST PROCESSOR MODULE: A request passed by local policy module arrives at request processor module, which determines whether the corresponding entity can provide the service attributes with values greater than the thresholds. In the former case, request responder component responds to the request management module at the service requester with real values. In the latter case, request processor module searches trust records DB to find another entity which can provide the service and has a good trust value; that entity is then recommended to the service requester. Fig. 5 shows the request processing function, where n is the number of service attributes, RV_i is the real value, and TV_i is the threshold value of the i-th attribute.

V. TRUST COMPUTATION IN THE PROPOSED MODEL

As shown in Fig. 4, the following modules are responsible for trust computing.
TRUST RECORDS DB: A repository consisting of trust records. The important fields of a record are: service type, service attributes, last updated time, and service provider ID.
TRUST MAINTENANCE: This module initializes, fetches, and updates records in trust records DB. If the last updated time field of a record contains an expired time, the record has to be updated.
INTERACTION HISTORY: A repository of records, each of which contains service attributes, context attributes, satisfaction degree, and the interaction time. For each interaction there exists a record in interaction history.
TRANSACTION MANAGEMENT MODULE: This module monitors the behavior of each transaction and then calculates the satisfaction degree. Context and critical attributes directly influence the satisfaction degree. Satisfaction degree is computed as in (4).

SD = \sum_{i=1}^{n} | EV_i^{norm} - PV_i^{norm} | \,/\, n \quad (4)

where SD is the satisfaction degree, n is the number of attributes, EV_i^{norm} is the normalized expected value, and PV_i^{norm} is the normalized provided value of the i-th attribute.
COMPUTATION METHOD SELECTION: When there is no trust record for a specific entity in trust records DB, or trust records DB needs to be updated, this module computes the trust value by selecting the corresponding computation method. When there are adequate records in interaction history and their occurrence times are acceptable, the trust value is computed directly. Otherwise, the trust value is computed indirectly with the help of recommenders, as shown in Fig. 6. Trust computations are mostly based on the records in interaction history. Therefore, it is important to treat each record in interaction history according to its interaction time. The results of recent interactions, which represent the current behavior of the entity, are more important than those of older interactions. Hence, we give weights to records based on the time they occurred. Equation (5) computes the direct trust value for an entity.

DT = \sum_{i=1}^{k} W^{(t_{cur} - t_i^{occ})} \, SD_i \;/\; \sum_{i=1}^{k} W^{(t_{cur} - t_i^{occ})}; \quad 0 < W \le 1 \quad (5)

where DT represents the direct trust value, SD_i represents the satisfaction degree of the i-th interaction, t_{cur} is the current time, t_i^{occ} is the occurrence time of the i-th interaction, W is a weight factor used to give a moving weight W^{(t_{cur} - t_i^{occ})} to the i-th interaction based on its occurrence time, and k is the number of interactions with the corresponding entity.
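The satisfaction degree and the time-weighted direct trust can be sketched together as below. The attribute values, timestamps, and the decay base W = 0.9 are invented for illustration; the paper only constrains W to lie between 0 and 1.

```python
# Sketch of (4) and (5): per-interaction satisfaction degree and
# time-weighted direct trust, with sample (invented) inputs.

def satisfaction_degree(ev_norm, pv_norm):
    # SD = sum(|EV_i - PV_i|) / n over normalized attribute values  (4)
    return sum(abs(e - p) for e, p in zip(ev_norm, pv_norm)) / len(ev_norm)

def direct_trust(interactions, t_cur, W=0.9):
    # interactions: list of (t_occ, SD) pairs. Recent interactions
    # (smaller t_cur - t_occ) receive larger weights W^(t_cur - t_occ).
    num = sum(W ** (t_cur - t) * sd for t, sd in interactions)
    den = sum(W ** (t_cur - t) for t, _ in interactions)
    return num / den                                             # (5)

sd = satisfaction_degree([0.8, 0.6], [0.7, 0.4])
dt = direct_trust([(1, 0.2), (9, 0.8)], t_cur=10)  # recent SD dominates
```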

Begin
  Trust maintenance module searches trust records DB for the trust record;
  If (the trust record is found)
    Trust computation ends;
  Else
    If (there is any unexpired record in interaction history)
      The direct trust value is computed by direct trust computation method;
    End if
    If (the number of unexpired records is not adequate)
      Request management module broadcasts a request for recommendation;
      Request management module gathers recommendations;
      The indirect trust value is computed by indirect trust computation method;
    End if
    The trust value is computed considering the direct and indirect trust values;
    Trust maintenance module inserts a new trust record in trust records DB;
  End if
End

Figure 6. The process of trust computation

RECOMMENDER ASSESSMENT MODULE: Different recommenders have different weights, which can be regarded as their trust values. Recommender assessment module judges recommenders according to their honesty and context. Recommenders which are more trustworthy have more effect on computing the trust value of the recommended entity. Equation (6) represents the initialization function of a recommender's trust value.

RT = \sum_{i=1}^{n} TRV_i \,/\, n \quad (6)

where RT is the recommender's trust value, n is the number of records in trust records DB whose service provider ID is the same as the recommender ID, and TRV_i is the trust value of the i-th trust record. Recommenders will be updated after each interaction with the corresponding recommended entity. The similarity distance between the provided value and the real value is computed as in (7).

\delta = \sum_{i=1}^{n} | PV_i^{norm} - RV_i^{norm} | \,/\, n \quad (7)

where \delta represents the similarity distance (the shorter the distance, the more accurate the recommender), PV_i^{norm} is the normalized provided value and RV_i^{norm} is the normalized recommended value of the i-th attribute, and n is the number of attributes. The update factor for a recommender's trust value is computed as in (8).

UF = 1 - (\delta / error_{acpt}) \quad (8)

where error_{acpt} is the acceptable error between provided and recommended values and UF is the update factor for the recommender's trust value. Finally, a recommender's trust value is updated as in (9).

RT^{new} = \begin{cases} 1 & \text{if } (1 + UF) \cdot RT^{old} > 1 \\ -1 & \text{if } (1 + UF) \cdot RT^{old} < -1 \\ (1 + UF) \cdot RT^{old} & \text{otherwise} \end{cases} \quad (9)

where RT^{old} is the old and RT^{new} is the updated value of a recommender's trust, and UF is the update factor. A recommender's trust value is increased in the case of a smaller error; an unaccepted error causes the recommender's trust value to be decreased. As shown in Fig. 4, recommender assessment module is responsible for context monitoring. The context of a recommender can directly affect the recommender's trust value. Recommender assessment module uses a rule-based evaluation method to evaluate the context of a recommender; the evaluation decreases the recommender's trust value in the case of unsuitable contexts. For example, the trust value of a long-distance recommender is decreased for certain service types. The indirect trust value for a recommended entity is computed as in (10).

IT = \sum_{i=1}^{n} (RT_i \cdot TRV_i) \,/\, \sum_{i=1}^{n} RT_i \quad (10)

where IT is the indirect trust value for the recommended entity, n is the number of recommenders for that recommended entity, RT_i is the trust value of the i-th recommender, and TRV_i is the trust value recommended by the i-th recommender. The trust value for a service provider is computed from the direct and indirect trust values described previously; the trust value directly affects the selection of a service provider by request management module. Equation (11) computes the trust value for an entity.

TRV = \beta \cdot DT + (1 - \beta) \cdot IT; \quad 0 \le \beta \le 1 \quad (11)

where TRV is the trust value, DT is the direct trust value, IT is the indirect trust value, and \beta is a factor which gives weight to the direct and indirect trust values. In the case that there exist enough unexpired interaction records in interaction history, \beta is equal to 1.
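A small Python sketch of equations (8)-(11) above: the recommender update with clamping to [-1, 1], the recommendation-weighted indirect trust, and the combined trust value. The numeric inputs (delta, error_acpt, beta, and the recommender pairs) are invented for illustration.

```python
# Sketch of (8)-(11): recommender trust update and combined trust value.

def update_recommender(rt_old, delta, error_acpt):
    uf = 1 - (delta / error_acpt)                  # (8)
    # (9): grow/shrink by (1 + UF), clamped to the [-1, 1] trust range
    return max(-1.0, min(1.0, (1 + uf) * rt_old))

def indirect_trust(recs):
    # recs: list of (RT_i, TRV_i) pairs             (10)
    return sum(rt * trv for rt, trv in recs) / sum(rt for rt, _ in recs)

def trust_value(dt, it, beta):
    return beta * dt + (1 - beta) * it             # (11)

rt = update_recommender(0.5, delta=0.1, error_acpt=0.2)   # UF = 0.5
it = indirect_trust([(0.8, 0.6), (0.2, -0.5)])
trv = trust_value(dt=0.7, it=it, beta=0.6)
```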


VI. CHARACTERISTICS OF THE PROPOSED MODEL

A pervasive computing environment has a dynamic nature; therefore, new entities constantly enter the environment. A new entity is unknown to all other entities in the environment, and no recommendation is available for it. In this case, it is important to determine how the new entity can build trust relationships with other entities. In the proposed model, we assign a trust value of zero to the new entity. Thus, interactions with the new entity can happen when the other entities have negative trust values (untrustworthy entities).
Recommendations help a service requester to compute an indirect trust value when there are not adequate records in interaction history for direct trust computation. False recommendations affect the computed trust value, and dishonest and malicious recommenders can provide false recommendations. In the proposed model, dishonest recommenders are identified and all recommendations provided by them are excluded from indirect trust computation. To identify a dishonest recommender, the service requester takes all recommendations received from a specific recommender and computes the mean of the recommended trust values. If the mean value is too low or too high (not in an adequate range), the service requester judges the recommender to be dishonest. The method of assigning weights to interactions over time causes each past interaction to contribute to trust computation according to its assigned weight. Therefore, the weighting mechanism can protect the entity against the dynamic behavior of malicious recommenders.
Context aware agent in the trust management model provides a service selection mechanism which is based on contexts. As a result, target entities are restricted to the domains which are identified by context aware agent.
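The dishonest-recommender check described above can be sketched as follows. The paper does not specify what counts as an "adequate range", so the [-0.8, 0.8] bounds here are an assumed parameter for illustration only.

```python
# Sketch: exclude recommenders whose mean recommended trust value
# falls outside an (assumed) adequate range.

def honest_recommenders(recommendations, low=-0.8, high=0.8):
    """recommendations: dict mapping recommender id -> list of
    recommended trust values; returns the ids judged honest."""
    honest = []
    for rec_id, values in recommendations.items():
        mean = sum(values) / len(values)
        if low <= mean <= high:
            honest.append(rec_id)
    return honest

recs = {"R1": [0.4, 0.6, 0.5],      # plausible spread of values
        "R2": [0.99, 1.0, 0.98],    # suspiciously high (ballot stuffing)
        "R3": [-1.0, -0.95, -1.0]}  # suspiciously low (bad-mouthing)
result = honest_recommenders(recs)
```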
Sending requests to domains while considering the context facilitates the functionality of request management module; in this case, service providers with an accurate context have priority over other service providers.

VII. CONCLUSION AND FUTURE WORKS

In this paper, we proposed a trust management model for pervasive computing systems based on the concept of context. We specified the details of each of the main components, and we presented the adjustments to the proposed methods that are needed to make the trust computation more accurate. Because of the fuzzy and dynamic nature of trust, we considered fuzzy concepts in our model. The trust value of an entity is dynamically updated after each related interaction. We provided an acceptable privacy-level in our trust management model to handle security and privacy protection in pervasive computing. It is important to provide an adaptive trust mechanism which safeguards service interactions in the dynamic and

uncertain pervasive environment. The structure of the proposed model is intended to make actual applications feasible. In the future we are going to work on implementing and simulating adaptive trust management models for dynamic and uncertain environments.

ACKNOWLEDGMENT

This work was supported by Iran Telecommunication Research Center (ITRC).

REFERENCES
[1] Z. Liu and D. Peng, "A security-supportive middleware architecture for pervasive computing," in Proceedings of the 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'06), 2006, pp. 137-144.
[2] R. Campbell, J. Al-Muhtadi, P. Naldurg, G. Sampemane, and M. D. Mickunas, "Towards security and privacy for pervasive computing," in Lecture Notes in Computer Science, vol. 2609, 2003, pp. 77-82.
[3] X. GY, S. YC, and X. WK, "Pervasive computing," in Chinese Journal of Computers, 2003, pp. 1042-1044.
[4] Z. Jian-Yong, "Research on trust management model in pervasive computing," in 2nd International Conference on Pervasive Computing and Applications, 2007, pp. 419-423.
[5] R. He, J. Niu, M. Yuan, and J. Hu, "A novel cloud-based trust model for pervasive computing," in The Fourth International Conference on Computer and Information Technology, 2004, pp. 693-700.
[6] Z. Chen, L. Ge, H. Wang, X. Huang, and J. Lin, "A trust-based service evaluation and selection model in pervasive computing environment," in 1st International Symposium on Pervasive Computing and Applications, 2006, pp. 641-646.
[7] Z. Y. Peng and S. P. Li, "Privacy protection in trust management," in Proceedings of the Seventh International Conference on Machine Learning and Cybernetics, 2008, pp. 1358-1362.
[8] T. Sun and M. K. Denko, "Performance evaluation of trust management in pervasive computing," in 22nd International Conference on Advanced Information Networking and Applications, 2008, pp. 386-394.
[9] P. Robinson, "Architecture and protocol for authorized transient control," in The Springer International Series in Engineering and Computer Science, vol. 780, 2006, pp. 113-129.
[10] E. Chang, P. Thomson, T. Dillon, and F. Hussain, "The fuzzy and dynamic nature of trust," in Second International Conference on Trust, Privacy and Security in Digital Business, 2005, pp. 161-174.
[11] P. Robinson, H. Vogt, and W. Wagealla, "Some research challenges in pervasive computing," in The Springer International Series in Engineering and Computer Science, vol. 780, 2006, pp. 1-16.
[12] C. T. Nguyen, O. Camp, and S. Loiseau, "A Bayesian network based trust model for improving collaboration in mobile ad hoc networks," in Proceedings of the 2007 IEEE International Conference on Research, Innovation and Vision for the Future, 2007, pp. 499-521.
[13] A. Josang, "The right type of trust for distributed systems," in Proceedings of the 1996 Workshop on New Security Paradigms, 1996, pp. 119-131.
[14] P. Robinson, H. Vogt, and W. Wagealla, "Some research challenges in pervasive computing," in The Springer International Series in Engineering and Computer Science, vol. 780, 2006, pp. 1-16.


Proposed platform for improving grid security by trust management system
Safieh Siadat
Islamic Azad University, Science and Research Branch, Tehran, Iran

Amir Masoud Rahmani
Islamic Azad University, Science and Research Branch, Tehran, Iran

Mehran Mohsenzadeh
Islamic Azad University, Science and Research Branch, Tehran, Iran

Abstract— As the applications of grid systems increase, so do the security risks. Recently, trust management systems have been recognized as a notable approach to enhancing security in grid systems. In this article, a new two-level trust management system is proposed to improve grid security. The benefits of this platform are adding new domains to the grid system, selecting the service provider that most closely matches user requests, and using domain security attributes as an important factor in computing the trust value.

Keywords- trust, grid, platform, security, component.

I.

INTRODUCTION

Grid computing is a newly developed technology for complex systems with large-scale resource sharing, wide-area communication, and multi-institutional collaboration [1]. Due to the complexity of grid computing, traditional network security practices cannot meet the security requirements of grids. As a result, trust management is crucial to security and trustworthiness in grids. Security and trust are two distinct concepts. In the literature, trust has sometimes been termed "soft security" and can implement sophisticated security decisions. Thus, the TMS will not replace the GSI; it only assists it in providing more refined and rational choices for grid security [2]. In this paper a novel TMS with two levels is proposed. The goal of this platform is to optimize the available TMSs in grid systems. Our TMS is a comprehensive platform for grid environments and tries to remove the weaknesses of older platforms. The new platform contains components, such as security management and demand trust evaluation, to which older trust management systems in grid environments had not yet paid attention. The presence of these components is crucial for making correct decisions. The security management component is used for measuring the security level of different domains in grid systems. The demand trust evaluation component selects the service provider that most closely matches user requests. The other components used in this platform are trust negotiation, registration, propagation, feedback evaluation, trust evaluation, access control, and monitoring, each with a specified task. The task of the trust negotiation component is to add new

domains to the grid system. The registration component registers the properties of new domains in the grid system. The propagation component broadcasts the properties of a new domain to all domains in the grid system. The feedback evaluation component evaluates and updates feedback received from service requesters. The trust evaluation component computes server trust values based on received feedback, user satisfaction values, and the self-defense capability of each domain. The access control component controls access to the available repositories, and the monitoring component re-evaluates trust values and adds new information to the TMS. Outline of the paper: Section 2 presents related work. Section 3 proposes the newly developed platform. Finally, conclusions and future work are given in Section 4. II.
RELATED WORK

Trust management was first introduced by Blaze et al. in 1996 [3], and many trust management models have been proposed, for instance, PolicyMaker [3], KeyNote [4], REFEREE [5], and SPKI/SDSI [6]. Recently, trust management has become known as a new method for securing grid systems, and some research has been done using TMSs in grid systems. A number of studies are mentioned below. The problems of managing trust in grid environments are discussed by Azzedin and Maheswaran [7]-[9]. They define the notion of trust as consisting of identity trust and behavior trust. They separate the "grid domain" into a "client domain" and a "resource domain", and the way they calculate trust is limited in terms of computational scalability, because they try to consider all domains in the network; as the number of domains grows, the computational overhead grows as well. Hwang et al. [10] and Sobolewski [11] try to build trust and security models for grid environments, using trust metrics based on e-business criteria. Alunkal et al. [12] propose to build an infrastructure called "Grid Eigentrust" using a hierarchical model in which entities are connected to institutions which then form a VO. They conclude with the realization of a "Reputation Service", however, without providing mechanisms that can automatically update trust values. Papalilo and


Freisleben [13] have proposed a Bayesian-based trust model for grids, but the suggested metrics cover only limited trust aspects of practical grids. TieYan et al. [14] consider trust only to improve the Grid Security Infrastructure (GSI) to achieve additional authentication means between grid users and grid services. Ching et al. [16] use the concepts of subjective logic in the context of grid computing, using trust relationships to enhance grid security. M. H. Durad and Y. Cao proposed a grid trust management system; however, their research described only the platform, without a comprehensive mathematical description of its components [2]. To overcome this problem, this article proposes a complete platform including mathematical formulations. III.
PROPOSED PLATFORM

As shown in Fig. 1, the proposed platform has two levels, which are explained in the next sections. In the newly developed platform there is one DTM (Domain Trust Manager) in each domain of the grid system, whose task is managing the available resource nodes in that domain. The DTM is one of the resource nodes in each domain, selected using the Ring algorithm. There is also one GRM (Global Resource Manager), whose task is managing the DTMs. The GRM is one of the DTMs, selected by the Ring algorithm, and is located at the upper level of the platform. To increase fault tolerance, there are backups of the DTM and the GRM.
A. Upper level of platform
The GRM resides at the upper level, and its task is the management of the DTMs. At this level there is a virtual mapping of the DTMs from the different domains; in this way, the neighborhood of domains is preserved in the grid system. The upper level includes three components: 1) trust negotiation component, 2) registration and initialization component, and 3) propagation component.
1) Trust negotiation component
The task of this component is to add new domains to the grid system. The trust negotiation component has two levels: a) authentication level and b) policy mapping level. This component is illustrated in Fig. 2.
a) Authentication level
This level performs the authentication of a new domain that wants to be added to the grid system.
b) Policy mapping level
The task of this level is to adapt the policies of the grid domains to the policy of the new domain. After the adaptation process, if there is minimum satisfaction between the new domain and the grid domains, the new domain is authorized to be added to the grid system.
DEFINITION 1. MINIMUM SATISFACTION. As shown in relations (1) and (2), if c_1, c_2, c_3, ..., c_k are the defined and agreed policies in the grid system, a domain is authorized to be added to the grid system if it can satisfy at least half of c_1, c_2, c_3, ..., c_k:

c_1, c_2, c_3, \ldots, c_k \in C \quad (1)

\{c'_1, c'_2, c'_3, \ldots, c'_l\} \subset C, \quad l \ge k/2 \quad (2)

Fig. 3 illustrates the algorithm of adding a new domain to the grid system.

Figure 1. Proposed platform (upper level: GRM and its backup, with the trust negotiation, registration and initialization, and propagation components and the domain property repository; lower level: DTM and its backup, with the security management, trust evaluation, monitoring, feedback evaluation, access control, and demand trust evaluation components and the trust and DTM repositories)

Figure 2. Trust negotiation component (authentication level and policy mapping level, with the policy repository)
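The minimum-satisfaction rule of Definition 1 can be sketched as a simple set test. The policy identifiers below are invented placeholders; only the "at least half of the agreed policies" criterion comes from the definition.

```python
# Sketch of Definition 1: a new domain is authorized if it satisfies
# at least half of the policies agreed in the grid system.

def minimum_satisfaction(agreed_policies, satisfied_policies):
    satisfied = set(satisfied_policies) & set(agreed_policies)
    return len(satisfied) >= len(agreed_policies) / 2

C = {"c1", "c2", "c3", "c4"}                  # agreed grid policies
ok = minimum_satisfaction(C, {"c1", "c3"})    # 2 of 4 -> authorized
bad = minimum_satisfaction(C, {"c2"})         # 1 of 4 -> rejected
```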

2) Registration and initialization component
This component registers, in the domain property repository, the properties of a new domain that has been authorized by the trust negotiation component. Its other task is initializing the trust value of each resource node of the new domain to 0.5, because the platform assumes that every resource node added to the grid system is allocated a middle trust value.


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

1  Begin
2  new domain sends GRM a request to join the grid system;
3  GRM calls trust negotiation component();
4  if (trust negotiation component authorizes the new domain) then
5      goto 8;
6  else
7      goto 11;
8  new domain sends its properties to GRM;
9  GRM calls registration and initialization component();
10 registration and initialization component calls
Figure 3. Adding a new domain to the grid system

3) Propagation component
The task of the propagation component is to broadcast the new domain's properties to all domains in the grid system.
B. Lower level of the platform
This level contains the domains of the grid system. There is one DTM in each domain, whose task is to manage the resource nodes. The lower level includes six components: 1) security management, 2) feedback evaluation, 3) demand trust evaluation, 4) trust evaluation, 5) access control and 6) monitoring. Fig. 4 shows the lower-level algorithm.
1  Begin
2  DTM receives request (C, D, PL, Q, T)
       // C ∈ {service-request, feedback, security}
       // D ∈ {inter-domain, intra-domain}
       // PL = parameter list
       // Q = DTM number or resource-node number
       // T = type of service
3  DTM sends the request to security management component()
4  if (security management component() authorizes the request) then
5      goto 8
6  else
7      goto 18
8  security management component sends the request back to DTM
9  DTM checks C in the request
10 if (C = service-request) then
11     DTM calls demand trust evaluation(PL, Q)
12 else if (C = feedback) then
13     DTM calls feedback evaluation component(PL)
14 else if (C = security and D = intra-domain) then
15     DTM calls security management component()
16 else
17     goto 18
18 trust evaluation component()
19 End
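The dispatch logic above can be sketched as follows; the method names on the DTM object are stand-ins for the platform's components, not an API from the paper.

```python
def handle_request(dtm, C, D, PL, Q, T):
    """Route a request (C, D, PL, Q, T) the way the DTM does in Fig. 4:
    authorize it first, then dispatch on the request class C."""
    if not dtm.security_management_authorize(C, D, PL, Q, T):
        return dtm.trust_evaluation()      # unauthorized: fall through to step 18
    if C == "service-request":
        return dtm.demand_trust_evaluation(PL, Q)
    if C == "feedback":
        return dtm.feedback_evaluation(PL)
    if C == "security" and D == "intra-domain":
        return dtm.security_management()
    return dtm.trust_evaluation()

class StubDTM:
    """Minimal stand-in so the dispatcher can be exercised."""
    def security_management_authorize(self, *a): return True
    def demand_trust_evaluation(self, PL, Q): return ("demand", PL, Q)
    def feedback_evaluation(self, PL): return ("feedback", PL)
    def security_management(self): return "security"
    def trust_evaluation(self): return "trust"

print(handle_request(StubDTM(), "feedback", "intra-domain", [0.2], 1, "cpu"))
```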

1) Security management component
This component is used to measure the security level of the different domains in the grid system. In this platform, the domain security level is applied as an important factor in measuring the trust value of the resource nodes in each domain. As shown in Fig. 5, this component has two levels: a) an authentication level and b) a self defense capability level.
a) Authentication level
In this level, requests received by a domain are authenticated by accessing the certificate repository; registering the DTM certificate properties of each domain in its certificate repository is also a task of this level. These two jobs are carried out by the authorization and DTM registry management units.
b) Self defense capability level
The task of this level is to evaluate the self defense capability of the different domains in the grid system, which is calculated from the security attributes. The security attributes and their evaluation criteria are shown in Table I. Relation (3) calculates the self defense capability of a domain, where Sa_i is a security attribute and w_i is the weight of each security attribute.

DF(new) = Σ_{i=1}^{m} w_i × Sa_i.    (3)

Figure 4. Lower-level platform algorithm
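Relation (3) is a plain weighted sum over the m security attributes of Table I; a minimal sketch (the attribute scores and weights below are made-up numbers, not measurements).

```python
def self_defense_capability(weights, attributes):
    """DF(new) = sum_i w_i * Sa_i over the m security attributes."""
    assert len(weights) == len(attributes)
    return sum(w * sa for w, sa in zip(weights, attributes))

# Six attributes Sa1..Sa6 with equal weights summing to 1.
w = [1 / 6] * 6
sa = [0.9, 0.8, 0.7, 1.0, 0.6, 0.5]
print(round(self_defense_capability(w, sa), 3))  # 0.75
```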

2) Feedback evaluation component
This component's duty is to evaluate and update the feedback received from a service requester after the service has been delivered. Feedback is a statement issued by a client about the quality of a service or product provided by the service provider after a transaction. As shown in Fig. 6, the feedback evaluation component has three levels: a) a feedback collection level, b) a feedback verification level and c) a feedback updating level.
a) Feedback collection level
This level collects received feedback and sends it to the feedback verification level.
b) Feedback verification level
The task of this level is to examine the received feedback through the following sub-processes: 1) identification, 2) legitimacy, 3) reasonability, 4) time and 5) rectification. These sub-processes are described in [15]; the only change is to the reasonability sub-process. The modification is shown in Fig. 7, where fpi(new) represents the received feedback for the i-th parameter and a is the average of the last l feedbacks.
c) Feedback updating level
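The modified reasonability sub-process reduces to comparing a new feedback value against the average a of the last l feedbacks; a small sketch (the threshold value δ is illustrative).

```python
def is_reasonable(new_feedback, recent_feedbacks, delta=0.2):
    """Accept feedback whose deviation from the average a of the last
    l feedbacks is within delta; larger deviations get rectified."""
    a = sum(recent_feedbacks) / len(recent_feedbacks)
    return abs(new_feedback - a) <= delta

print(is_reasonable(0.9, [0.8, 0.85, 0.75]))  # True: close to the average
print(is_reasonable(0.1, [0.8, 0.85, 0.75]))  # False: deviates too much
```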


The duty of this level is to update the feedback received from the feedback verification level in the feedback repository.
3) Demand trust evaluation component
This component receives the user's request for a service. Based on the user request, the best server is selected for providing the service. To achieve this, users initialize the service quality parameters defined in the platform; note that the user enters the service quality parameters as percentages. The component selects the server that most closely matches the user's request, and it responds to user requests in batch mode. The component includes two levels: a) a trust evaluation with demand parameters level and b) a server selection and request allocation level. This component is illustrated in Fig. 8.
a) Trust evaluation with demand parameters level
The task of this level is to compute the demand trust values and to select multiple servers as service provider candidates. The parameters affecting service quality in this platform are: 1- delay, 2- response time, 3- accuracy, 4- cost, 5- availability, 6- jitter. The user initializes these parameters according to their importance for the request. The demand trust value is calculated from these parameters, with access to the trust repository, using a weighted average. In each computation, the p servers that have the maximum demand trust value are selected as service provider candidates and are passed to the server selection and request allocation level. All of the above processes are expressed by relations (4) to (8).

TABLE I. SECURITY ATTRIBUTES

     Security attribute                       Evaluation criteria
1    Sa1  Intrusion detection capability      Traffic audit data size
2    Sa2  Antivirus capability                Signature file size; signature update frequency; memory scan frequency
3    Sa3  Firewall capability                 Number of firewall rules
4    Sa4  Usage of secure network capability  TLS and/or IPsec
5    Sa5  Provision of execution sandbox      Isolated JVM
6    Sa6  Key management capability           Includes cryptographic functions

Figure 6. Feedback evaluation component. (Feedback collection level; feedback verification level with identification, legitimacy, reasonability, time and rectification sub-processes; feedback updating level; feedback repository.)

DP = (dp_1, ..., dp_m).                               (4)

w_i = dp_i / Σ_{i=1}^{m} dp_i,   Σ_i w_i = 1.         (5)

dtv_i = Σ_{j=1}^{m} w_j × p_{j,i}.                    (6)

DTV_j = (dtv_1, dtv_2, dtv_3, ..., dtv_n).            (7)

DTV = [DTV_1, DTV_2, ..., DTV_k]^T.                   (8)

Figure 5. Security management component. (Authentication level, with authorization and DTM registry management over a certificate repository; self defense capability level, covering the six security attributes of Table I, backed by a security attribute repository.)

In relation (4), DP is the list of parameters initialized by the user. In relation (5), w_i represents the weight of each parameter. In relation (6), dtv_i stands for the demand trust value of each service provider and m is the number of parameters. In relation (7), the dtv_i values computed for a request are stored in DTV_j, where n is the number of resource nodes. In relation (8), DTV is an array of the DTV_j, where k is the batch size.
b) Server selection and request allocation level
Based on the DTV determined by relation (8), this level selects the appropriate service provider and allocates the user request to it. It has two sections: 1) server selection based on a roulette wheel mechanism, and 2) user request allocation.
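Relations (4) to (6) amount to normalizing the user's demand parameters into weights and scoring each provider by a weighted average of its stored parameter values; a sketch assuming all parameters are expressed on the same percentage scale (the numbers are illustrative).

```python
def demand_trust_values(dp, providers):
    """dp: user demand parameters (dp_1..dp_m), relation (4).
    providers: for each resource node, its m stored parameter values p_{j,i}.
    Returns dtv_i for each provider via relations (5) and (6)."""
    total = sum(dp)
    w = [d / total for d in dp]                   # relation (5): weights sum to 1
    return [sum(wj * pj for wj, pj in zip(w, p))  # relation (6): weighted average
            for p in providers]

dtv = demand_trust_values([50, 30, 20],
                          [[0.9, 0.8, 0.7], [0.6, 0.9, 0.9]])
print([round(v, 2) for v in dtv])  # [0.83, 0.75]
```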


1  feedback verification level (receives feedbacks from the feedback collection level)
2  Begin
3  for i = 1 to m do          // m is the number of parameters
4      a = (1/l) Σ f_pi       // average of the last l feedbacks for parameter i
5      if (|f_pi(new) − a| > δ) then
6          rectify()
7  feedback updating level()
8  End

Figure 7. Feedback verification level

SERVER SELECTION BASED ON ROULETTE WHEEL MECHANISM
This section uses a roulette wheel mechanism to select the appropriate service provider. The main reason for using this method is that it preserves load balance across all service providers. Relations (9) to (13) compute the percentage of user requests transmitted to each service provider. In relation (9), m stands for the number of parameters and w is the weight of each parameter. In relation (10), p_{j,i} is the value of each parameter stored in the trust repository and w is taken from relation (9). In relation (11), the values t.v_i are stored in the T.V array. In relation (12), sp_i represents the percentage of user requests sent to the i-th service provider. Finally, in relation (13), the sp_i values are stored in the SP array.

w = 1/m.                                               (9)

t.v_i = Σ_{j=1}^{m} w × p_{j,i}.                       (10)

T.V = (t.v_1, t.v_2, ..., t.v_n).                      (11)

sp_i = t.v_i / Σ_{i=1}^{n} t.v_i.                      (12)

SP = (sp_1, sp_2, ..., sp_n),   Σ_{i=1}^{n} sp_i = 1.  (13)

USER REQUEST ALLOCATION
This section allocates the user request among the candidate service providers by using SP and the roulette wheel mechanism.

4) Trust evaluation component
The trust evaluation component's task is to compute the servers' trust values based on the received feedback, the user satisfaction value and the domain self defense capability. Finally, this component updates the service provider trust values stored in the trust repository. As shown in Fig. 9, this component has two levels: a) a trust value computing level and b) a trust value updating level.
a) Trust value computing level
The task of this level is to calculate the user satisfaction value, which is obtained from relation (14), where pdm_i and w_i are received from the demand trust evaluation component, F′_pi is obtained from the feedback evaluation component, and m is the number of parameters described in the demand trust evaluation component. Relation (15) computes the recommendation, where C_s is the number of successful recommendations and C_f is the number of failed ones. In relation (16), DF(new) represents the self defense capability transmitted from the security management component to the trust evaluation component. Relation (17) calculates the trust value from the user satisfaction value, the recommendation and the self defense capability, where α, β and δ are their weights.

S = Σ_{i=1}^{m} w_i × (pdm_i − F′_pi) / pdm_i.         (14)

RE = C_s / (C_s + C_f).                                (15)

SD = DF(new).                                          (16)

T.V = α·S + β·RE + δ·SD,   α + β + δ = 1.              (17)

b) Trust value updating level
The duty of the trust value updating level is to update the trust repository using the relation below:

T_new = e^(−β·Δt) · (n/(n+1)) · T_old + (1 − e^(−β·Δt)) · (n/(n+1)) · T.V.   (18)

Here T_new represents the new trust value, T_old the old trust value, and n the current number of transactions; T.V is computed by relation (17), and Δt is the time difference between T.V and T_old, so that e^(−β·Δt) acts as a discount factor on T_old. Relation (18) is a reformed version of an equation used earlier in [16] to calculate trust values: here T.V is computed from relation (17), whereas in [16] r was a trader's feedback.

5) Access control component
This component controls access to the repositories available in the lowest level of the proposed platform.

6) Monitoring component
Trust monitoring and trust re-evaluation are very important for the implementation of a TMS. Most trust management solutions assume that trust is a static concept and therefore does not require monitoring or (periodic) re-evaluation; monitoring involves updating or adding new information. As stated
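The roulette wheel selection of relations (12) and (13) can be sketched as follows: each provider is chosen with probability proportional to its trust value, which spreads the load instead of always picking the single best provider (the trust values below are illustrative).

```python
import random

def roulette_select(trust_values, rng=random.random):
    """Pick index i with probability sp_i = tv_i / sum(tv),
    per relations (12) and (13)."""
    total = sum(trust_values)
    r = rng() * total
    acc = 0.0
    for i, tv in enumerate(trust_values):
        acc += tv
        if r <= acc:
            return i
    return len(trust_values) - 1

random.seed(0)
picks = [roulette_select([0.6, 0.3, 0.1]) for _ in range(1000)]
print(picks.count(0) / 1000)  # roughly 0.6: the share follows sp_i
```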


earlier, trust is dynamic in the real world, as it changes with time. Trust monitoring helps to reduce the risks involved [2].
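Relations (17) and (18) together give one re-evaluation step: the freshly computed T.V is blended with the exponentially discounted old value. A sketch; the weights and the n/(n+1) fraction follow the equations as printed here and should be treated as an approximation of the authors' formula, with all numbers illustrative.

```python
import math

def combine(S, RE, SD, alpha=0.5, beta=0.3, delta=0.2):
    """Relation (17): T.V = alpha*S + beta*RE + delta*SD, weights sum to 1."""
    return alpha * S + beta * RE + delta * SD

def update_trust(t_old, t_v, n, beta_decay, dt):
    """Relation (18): discount the old trust by e^(-beta*dt) and blend in T.V."""
    discount = math.exp(-beta_decay * dt)
    frac = n / (n + 1)
    return discount * frac * t_old + (1 - discount) * frac * t_v

tv = combine(S=0.8, RE=0.9, SD=0.75)
print(round(tv, 3))                           # 0.82
print(round(update_trust(0.7, tv, 9, 0.1, 5.0), 3))
```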
Figure 8. Demand trust evaluation component. (Trust evaluation with demand parameter level; server selection and user request allocation level, with server selection based on roulette wheel selection and user request allocation.)

Figure 9. Trust evaluation component. (Trust value computing level; trust value updating level.)

IV. CONCLUSION AND FUTURE WORK
In this article, a trust management system with two levels has been proposed to improve security in grid systems. The upper level contains the trust negotiation, registration and initialization, and propagation components, whose tasks are adding new domains and registering and propagating new domain properties in the grid system. The lower level includes the security management, feedback evaluation, demand trust evaluation, trust evaluation, access control and monitoring components; their missions have been described in the lower-level section. The benefits of this platform are the ability to add new domains to the grid system, the selection of the service provider that most closely matches the user's request, and the use of domain security attributes as an important factor in computing trust values. As future work, we propose using fuzzy methods to compute the trust value in the trust evaluation component.

V. ACKNOWLEDGEMENT
This work was supported by the Iran Telecommunication Research Center (ITRC).

REFERENCES
[1] Y.S. Dai, M. Xie and K.L. Poh, "Availability Modeling and Cost Optimization for the Grid Resource Management System", IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, Vol. 38, No. 1, pp. 170-179.
[2] M.H. Durad and Y. Cao, "A Vision for the Trust Managed Grid", Proceedings of the Sixth IEEE International Symposium on Cluster Computing and the Grid Workshops, 2006, vol. 2, p. 34.
[3] M. Blaze, J. Feigenbaum and J. Lacy, "Decentralized Trust Management", IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1996, pp. 164-173.
[4] M. Blaze, J. Ioannidis and A.D. Keromytis, "Experience with the KeyNote Trust Management System: Applications and Future Directions", iTrust 2003, Heraklion, Crete, Greece, May 2003, LNCS 2692.
[5] M. Strauss, "REFEREE: Trust Management for Web Applications", World Wide Web Journal, 1997, 2(3), 127-139.
[6] D. Clarke, J.E. Elien, C. Ellison, M. Fredette, A. Morcos and R.L. Rivest, "Certificate Chain Discovery in SPKI/SDSI", Journal of Computer Security, 2001, 9(4), 285-322.
[7] F. Azzedin and M. Maheswaran, "Evolving and Managing Trust in Grid Computing Systems", Conference on Electrical and Computer Engineering, Canada, IEEE Computer Society Press, 2002, pp. 1424-1429.
[8] F. Azzedin and M. Maheswaran, "Towards Trust-Aware Resource Management in Grid Computing Systems", Second IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGRID), Berlin, Germany, IEEE Computer Society, 2002, pp. 452-457.
[9] F. Azzedin and M. Maheswaran, "Integrating Trust into Grid Resource Management Systems", International Conference on Parallel Processing, Vancouver, B.C., Canada, IEEE Computer Society Press, 2002, pp. 47-54.
[10] K. Hwang and S. Tanachaiwiwat, "Trust Models and NetShield Architecture for Securing Grid Computing", Journal of Grid Computing, 2003.
[11] S. Goel and M. Sobolewski, "Trust and Security in Enterprise Grid Computing Environment", Proceedings of the IASTED International Conference on Communication, Network and Information Security, New York, USA, 2003.
[12] B. Alunkal, I. Veljkovic and G. von Laszewski, "Reputation-Based Grid Resource Selection", Workshop on Adaptive Grid Middleware (AgridM), New Orleans, Louisiana, USA, 2003.
[13] E. Papalilo and B. Freisleben, "Towards a Flexible Trust Model for Grid Environments", GSEM 2004, LNCS 3270, Springer-Verlag, Berlin Heidelberg, 2004, pp. 94-106.
[14] L. Tie-Yan, Z. HuaFei and L. Kwok-Yan, "A Novel Two-Level Trust Model for Grid", ICICS 2003, LNCS 2836, Springer-Verlag, Berlin Heidelberg, 2003, pp. 214-225.
[15] M. Qiu, L. He and J. Xue, "A Model for Feedback Credibility of Trust Management in Web Services", International Seminar on Future Information Technology and Management Engineering, 2008.
[16] H. Li and M. Singhal, "Trust Management in Distributed Systems", Computer, vol. 40, no. 2, pp. 45-53, Feb. 2007.


An Innovative Scheme For Effectual Fingerprint Data Compression Using Bezier Curve Representations
Vani Perumal
Department of Computer Applications S.A.Engineering College, Chennai – 600 077, India.

Dr.Jagannathan Ramaswamy
Deputy Registrar (Education) Vinayaka Missions University, Chennai, India.

Abstract— With the mounting application of biometric systems, a difficulty naturally arises in storing and handling the acquired biometric data. Fingerprint recognition is recognized as one of the most mature and established techniques among all biometric systems. In recent times, with fingerprint recognition receiving increasingly more attention, the amount of fingerprints collected has been constantly creating enormous problems in storage and transmission. Hence, the compression of fingerprints has emerged as an indispensable step in automated fingerprint recognition systems. Several researchers have presented approaches for fingerprint image compression. In this paper, we propose a novel and efficient scheme for fingerprint image compression that utilizes Bezier curve representations. Initially, the ridges present in the fingerprint image are extracted along with their co-ordinate values using the approach presented. Subsequently, control points are determined for all the ridges by visualizing each ridge as a Bezier curve. The control points of all the ridges are stored and used to represent the fingerprint image. When needed, the fingerprint image is reconstructed from the stored control points using Bezier curves. The quality of the reconstructed fingerprint is determined by a formal evaluation. The proposed scheme achieves considerable memory reduction in storing the fingerprint.
Keywords- Biometrics; Fingerprint; Orientation field; Minutiae points; Ridges; Compression; Bezier curves; Control points.

I. INTRODUCTION
In recent times, biometrics-based verification has been receiving a lot of attention, chiefly because of the unprecedented proportion of identity fraud in our society and the increasing emphasis on emerging automatic personal identification applications [8]. The term "biometrics" is derived from the Greek words "bio", meaning life, and "metrics", meaning to measure. A more detailed definition of biometrics is "any automatically measurable, robust and unique physical characteristic or personal trait, which can be made use of to recognize an individual or verify the claimed identity of an individual" [1]. Biometric identification is favored over traditional methods involving passwords and PINs (Personal Identification Numbers) for a number of reasons: 1) the person to be verified must be physically present at the point of identification, and/or 2) identification based on biometric techniques alleviates the need to remember a password or carry a token [14]. One good application area of biometrics is forensics; another important application area is criminal identification and prison security. Moreover, biometrics has the potential to be utilized in a large range of civilian application areas. The most frequently used biometric traits include fingerprint, face, iris, hand geometry, voice, palmprint, handwritten signatures and gait [38]. Various other modalities are in different stages of development and assessment [1]. Amongst all the biometric traits, fingerprints possibly possess the highest level of reliability and have been widely used by forensic experts in criminal investigations [15]. They are also used by police departments around the world to identify suspects and bodies. Because of their uniqueness and immutability, fingerprints are at present the most widely used biometric features [10]. Other factors that make fingerprint verification one of the most reliable means of biometric authentication are its universality, distinctiveness, permanence and accuracy [6, 7, 24]. Moreover, the price of fingerprint recognition systems has become cost-effective enough to make its way into public use.
Generally, there are two kinds of biometric systems: identification and verification. In identification systems, the biometric signature of a relatively new person is offered to the system, which matches it against a database of existing biometric signatures of known individuals to determine whether the person is previously known or a stranger. In verification systems, a user offers a biometric signature and the system verifies whether it belongs to the claimed identity [2]. Both of these systems necessitate the storage of a huge number of biometric templates to accomplish effective recognition of identity.
With the rising usage of fingerprint recognition systems, the question naturally arises how to store and manage the obtained fingerprint data [18]. Generally, the databases of fingerprint recognition systems may contain millions of fingerprint images. Moreover, since a fingerprint image itself consists of massive amounts of data, the storage of fingerprint image databases necessitates huge secondary storage devices [39]. So as to lessen the escalating demand on storage space, efficient data compression techniques are badly needed [11], [39]. Recently, the compression of fingerprints has gained enormous popularity in automated fingerprint recognition


systems due to the increasing number of fingerprint records in their databases. Numerous image compression techniques exist, such as DCT, JPEG, sub-band coding, JPEG2000, wavelets and more [13]. The general objective of all these techniques is to accomplish a high compression ratio. In spite of some really good compression algorithms, there is still a need to develop more efficient algorithms for fingerprint images [12]. The chief difficulty in developing compression algorithms for fingerprints is the necessity of minutiae preservation, i.e., of ridge endings and bifurcations, which are afterwards used in identification [17].
The literature presents several different methods for fingerprint compression. They can be categorized into two divisions: 1) fingerprint data compression techniques based on extraction and compression of essential details in fingerprints, such as ridges and/or features; some studies in this category are Abdelmalek et al. [40], Chong et al. [41], Yamada et al. [42] and Costello et al. [43]; and 2) fingerprint image compression techniques based on image transformations that are tuned for fingerprint images, a small number of which also use vector quantization techniques [44]. The techniques in the second category cannot exploit the regular structural properties of fingerprints to accomplish higher compression ratios. In this category, Hopper et al. [45], Bradley et al. [46] and Brislawn et al. [11] studied wavelet/scalar quantization, which is used as a standard algorithm by the FBI [9]. Numerous other compression methods utilizing wavelets have been reported by Kasaei et al. [19] and Sherlock et al. [33, 34]. This research is aimed at devising an efficient fingerprint data compression scheme that extracts and compresses the essential data (ridges) in fingerprints.
Recently, Yuan Huaqiang et al. [36] have presented a fingerprint feature extraction algorithm based on the curvature of Bezier curves. In their algorithm, the ridges in the fingerprint images are first traced and then fit with Bezier curves. The proposed fingerprint data compression scheme derives motivation from the work of Yuan Huaqiang et al. [36]. This paper describes a novel and efficient compression scheme for fingerprint images using Bezier representations, designed to preserve the fine details in the fingerprint images, such as ridge endings and bifurcations. The Bezier curve representations are employed to achieve better compression at some cost to quality. Initially, the ridges are extracted from the fingerprint image along with their co-ordinate values using the approach discussed. The 'regionprops' function, which measures properties of regions in MATLAB's Image Processing Toolbox, is utilized in the extraction of the ridges. Subsequently, the control points of all the ridges are determined by visualizing each ridge as a Bezier curve. The control points consist of a starting point, an ending point and two selected co-ordinate values. Afterwards, the control points determined for all the ridges are stored in a file to represent the fingerprint image. These control points are then utilized in the reconstruction of the fingerprint image using Bezier curves. The presented scheme considerably reduces the memory needed for storing a fingerprint biometric template,

from KiloBytes (KB) to bytes. The quality of the reconstructed fingerprint is determined using a formal evaluation. The experimental results demonstrate the effectiveness of the proposed scheme in compressing fingerprint images with a better compression ratio and reasonable reconstruction quality.
The rest of the paper is organized as follows: a brief review of recent research related to fingerprint image compression is given in Section II; an introduction to Bezier curves is provided in Section III; the proposed compression scheme, along with the extraction of ridges, is discussed in Section IV; the reconstruction procedure of the Bezier curves is discussed in Section V; the experimental results are presented in Section VI; finally, the conclusions are summed up in Section VII.
II. REVIEW OF RELATED RESEARCHES
A handful of researchers have presented approaches for the compression of fingerprint images. With fingerprint image databases growing at a rapid rate, developing schemes for their compression has emerged as an active and eminent research area. A brief review of some recent and significant research is presented here.
Awad Kh. Al-Asmari [16] has implemented a progressive fingerprint image compression method (for storage or transmission) by means of an edge detection scheme. The image is decomposed into two components: the first, called the primary component, encloses the edges, and the second contains the textures and features. An approximation of the image was reconstructed in the first stage at a bit rate of 0.0223 bpp for one sample and 0.0245 bpp for another sample image. The quality of the reconstructed images was competitive with the 0.75 bpp target bit rate set by the FBI standard. The compression ratio for the algorithm is about 45:1 (0.180 bpp).
S. S. Gornale et al.
[17] have highlighted different wavelet packet transforms and their compression ratios for noisy and noiseless fingerprint images. They have also shown that the compression ratio can be increased by selecting an appropriate threshold value. The compression ratios of noisy and noiseless fingerprint images are found by considering the number of zeros and the retained energy. The wavelet packet transform certainly affects the Retained Energy (RE) and Number of Zeros (NZ), but the extent of the effect depends on the decomposition level, the type of image, the threshold and the type of transform used. For a maximum threshold value and a greater level of decomposition, more energy can be lost, since at higher levels of decomposition a higher proportion of the coefficients lies in the detail sub-signals. Therefore, it is always crucial to choose an optimal threshold value so as to achieve better compression with minimum loss to the images.
S. Esakkirajan et al. [21] have presented an approach based on the contourlet transform and multistage vector quantization for the compression of fingerprint images. Extensive results were obtained on different types of fingerprints. The PSNR (peak signal to noise ratio) obtained with the contourlet transform was higher than that of the wavelet


transform. Therefore, a better image reconstruction was achievable with fewer bits by using the contourlet transform. The experimental results proved that MSVQ (multistage vector quantization) is appropriate for low bit rate image coding. The proposed system yields encoded outputs of good quality at around 0.5 bits per dimension (bpd) and very good results at around 1 bpd. One possible and easy extension of the scheme is to include more stages in the MSVQ in order to increase the output image quality.
R. Sudhakar et al. [22] have focused on a compression scheme integrating wavelet footprints with Non-linear Approximation (NLA). The results of the compression algorithm based on wavelet footprints showed a gradual improvement in Compression Ratio (CR) and Peak Signal to Noise Ratio (PSNR) over the Set Partitioning in Hierarchical Trees (SPIHT) algorithm. Both the theoretical and the experimental results have proved the potential of the scheme.
S. S. Gornale et al. [23] have evaluated bi-orthogonal wavelet filters from the Daubechies, Symlet and Coiflet families to identify the best one for lossy fingerprint image compression, using different orders at 1 to 5 decomposition levels on fingerprint images. The results show that the Coiflet4 (4th order) wavelet filter is the most appropriate for lossy fingerprint image compression and provides enhanced compression at the 5th level.
Gulzar A. Khuwaja [35] has identified the best design parameters for a data compression scheme designed for fingerprint images. The method focuses on reducing the transmission cost while maintaining the person's identity. By choosing the wavelet packet filters, decomposition level and sub-bands that are best adapted to the frequency characteristics of the image, one may achieve a better image representation in the sense of lower entropy or minimum distortion.
Empirical results proved that the selection of the best parameters has a remarkable effect on the data compression rate of fingerprint images. A statistical significance test was conducted on the experimental measures to determine the most suitable wavelet shape for fingerprint images. Image quality measures such as mean square error and peak signal-to-noise ratio were used to estimate the performance of the different wavelet filters.
Song Zhao and Xiao-Fei Wang [20] have presented a compression algorithm for fingerprint images termed the Wavelet-Based Contourlet Transform (WBCT). It is based on the wavelet transform and directional filter banks (DFBs) and can efficiently approximate natural images containing contours and oscillatory patterns. To minimize frequency scrambling, a scheme based on maximally-flat filters implementing the DFBs was proposed. A quadtree sorting procedure, similar to SPIHT, is used to explicitly form classes of WBCT coefficients. The classes are encoded using arithmetic and trellis-coded quantization. The resulting encoding algorithm presents consistent improvement over SPIHT and preserves more fingerprint image details.

Kasaei et al. [11] have presented a vector quantization scheme based on an accurate model for the distribution of the wavelet coefficients, and a compression algorithm for fingerprint images using wavelet packets and lattice vector quantization. The technique is based on the generalized Gaussian distribution. They also discussed a method for determining the largest radius of the lattice used and its scaling factor, for both uniform and piecewise-uniform pyramidal lattices. The presented algorithm aims to achieve the best rate-distortion performance by adapting to the characteristics of the sub-images. In the optimization algorithm, no assumptions about the lattice parameters are made, and no training or multi-quantizing is required. They showed that the wedge region problem encountered with sharply distributed random sources is resolved in the proposed algorithm, which adapts to variability in the input images and to the specified bit rates. Compared with other available image compression algorithms, the proposed algorithm produces high-quality reconstructed images at identical bit rates. Fingerprint feature extraction is the main step of fingerprint identification. Yuan Huaqiang et al. [36] have proposed a feature extraction algorithm that describes fingerprint features using the bending information of fingerprint ridges. First, the ridges in a specific region of the fingerprint image are traced by the algorithm; then, these ridges are fitted with Bezier curves. Finally, the point of maximal curvature on each Bezier curve is defined as a feature point. Experimental results confirmed that these feature points characterize the bending trend of fingerprint ridges efficiently and are robust to noise. Also, the extraction accuracy of the algorithm is superior to that of conventional approaches.

III. BEZIER CURVES

Bezier curves were originally introduced in 1959 by Paul de Casteljau.
However, they became widely known only in the 1970s, when Pierre Bezier, a French engineer at Renault, used them to design automobile bodies. Presently, Bezier curves are extensively used in many fields: industrial and computer-aided design, vector-based drawing, font design (especially in PostScript fonts) and 3D modeling [29]. Bezier curves are also used in computer graphics to model smooth curves. Since the curve is entirely contained in the convex hull of its control points, the points can be displayed graphically, and the control points can be used to manipulate the curve intuitively. A Bezier curve lets you specify not only the end points of the line, but also the direction of the line as it passes through the end points. Bezier curves of the third order are the most commonly used and can be completely defined by four points: two endpoints (P1, P4) and two control points (P2, P3). The control points are not positioned on the curve itself, but they define its shape [25]. Considering Figure 1, the Bezier curve starts at P1, moves toward P2 and arrives at P4 coming from the direction of P3. Generally, the curve does not pass through the control points P2 or P3. Such a curve is called a cubic Bezier curve.
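The regeneration of a curve from its four defining points can be illustrated concretely. The sketch below is ours, in Python (the paper's own implementation uses Matlab and Java); it evaluates the cubic Bernstein form B(u) = (1−u)³P1 + 3u(1−u)²P2 + 3u²(1−u)P3 + u³P4 at a parameter u in [0, 1]:

```python
def cubic_bezier(p1, p2, p3, p4, u):
    """Evaluate a cubic Bezier curve at parameter u in [0, 1].

    p1 and p4 are the end points; p2 and p3 are the control points.
    Each point is an (x, y) tuple.
    """
    b0 = (1 - u) ** 3          # Bernstein basis weights
    b1 = 3 * u * (1 - u) ** 2
    b2 = 3 * u ** 2 * (1 - u)
    b3 = u ** 3
    x = b0 * p1[0] + b1 * p2[0] + b2 * p3[0] + b3 * p4[0]
    y = b0 * p1[1] + b1 * p2[1] + b2 * p3[1] + b3 * p4[1]
    return (x, y)
```

Note that B(0) returns P1 and B(1) returns P4, matching the property that the curve always passes through its end points.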


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

Figure 1. Cubic Bezier Curve

Clearly, a cubic Bezier curve is a function of four points, of which two are the end points of the curve and the other two lie outside the curve. This set of four points specifies how the entire curve is built. The reverse method is employed for regenerating the curve from the control points. In this research, in order to reduce the memory overhead incurred in fingerprint storage, each ridge in the fingerprint is visualized as a cubic Bezier curve and can be stored as four points (two end points and two control points).

IV. NOVEL AND EFFICIENT COMPRESSION SCHEME FOR FINGERPRINT IMAGES

The proposed novel scheme for the effective compression of fingerprint images is described in this section. The scheme consists of two steps: 1) extraction of the ridges along with their co-ordinate values, and 2) compression using Bezier curve representations. The major steps involved in the proposed fingerprint image compression scheme are shown in Figure 2.

Figure 2. Block diagram of the Proposed Compression Scheme

A. Extraction of Ridges with Their Co-Ordinates
The extraction of ridges and their co-ordinate values from the fingerprint image is discussed in this sub-section. A fingerprint can be defined as a pattern of friction ridges on the surface of a fingertip. Minutiae are local discontinuities in the fingerprint pattern that represent terminations and bifurcations. The point where a ridge ends abruptly is called a ridge termination, and the point where a ridge forks or diverges into branch ridges is called a ridge bifurcation [3]. The ridge structures in fingerprint images are not always well defined, and hence an enhancement algorithm that can improve the clarity of the ridge structures is essential [32]. Every ridge, or a portion of a line in a fingerprint, is classified into one of three major patterns: a loop, a whorl, or an arch. A loop pattern appears when the ridges start on one side of the finger, reach the center of the finger (the core point), and then "loop" back to the same side. A whorl pattern can be identified by the concentric circles formed by the ridges in the center of the finger; the remaining ridges shape themselves around this whorl pattern. Finally, in the arch pattern, the ridges start at one

side of the finger and span across the center of the finger to the other side [4, 5]. The major steps involved in the extraction of the ridges and their co-ordinate values are:
• Preprocessing
• Ridge Extraction

1) Preprocessing: The preprocessing steps involved in the extraction of the ridges from the fingerprint image are:
• Histogram Equalization
• Fast Fourier Transform (FFT) Enhancement
• Binarization
• Orientation Field Estimation
• Region of Interest (ROI) Extraction by Morphological operations

(i) Histogram Equalization
Histogram equalization describes a mapping of grey levels p into grey levels q in such a way that the distribution of grey


level q is uniform. This mapping stretches contrast (expands the range of grey levels) for grey levels near the histogram maxima. As the contrast is extended to most of the image pixels, the transformation increases the detectability of many image features [26]. A fingerprint image and its histogram equalized output are shown in Figure 3.
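The grey-level mapping described above is typically built from the cumulative histogram. A minimal sketch (illustrative only; the paper does not give its equalization code):

```python
import numpy as np

def histogram_equalize(img):
    """Map grey levels p -> q so the output distribution is roughly uniform.

    img: 2-D array of uint8 grey levels.
    """
    hist = np.bincount(img.ravel(), minlength=256)
    cdf = hist.cumsum()
    # Normalize the CDF so the darkest occupied level maps to 0 and the
    # brightest maps to 255, stretching contrast near histogram maxima.
    cdf_min = cdf[cdf > 0][0]
    mapping = np.round((cdf - cdf_min) / (img.size - cdf_min) * 255)
    mapping = np.clip(mapping, 0, 255).astype(np.uint8)
    return mapping[img]
```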

Figure 3. (a) Original Fingerprint (b) Histogram equalized Fingerprint

(ii) Fast Fourier Transform (FFT) Enhancement
Image enhancement techniques are frequently used to reduce noise and improve the definition of ridges against valleys. In our scheme, to enhance the fingerprint image, the Fast Fourier Transform (FFT) is applied separately to each block of the image [26]. The enhanced image is then binarized and fed as input to orientation field estimation.

(iii) Binarization
Binarization increases the contrast between the ridges and valleys in a fingerprint image, and as a result eases minutiae extraction. The binarization process involves:
a) Investigating the grey-level value of each pixel in the enhanced fingerprint image, and
b) If the value is greater than the global threshold, setting the pixel value to a binary one; otherwise, setting it to zero.
Binarization results in a binary fingerprint image containing two levels of information: the foreground ridges and the background valleys [27].

(iv) Orientation Field Estimation
The orientation field of a fingerprint image defines the local orientation of the ridges contained in the fingerprint. Orientation estimation is an elementary step in the enhancement process, as the succeeding filtering stage depends on the local orientation to efficiently enhance the fingerprint image [27]. Principally, there exist two methodologies to compute the orientation field of a fingerprint: 1) filter-bank based approaches and 2) gradient-based approaches. The proposed scheme employs a gradient-based approach for estimating the orientation field of the fingerprint image. Primarily, the gradient vectors are computed by taking the partial derivatives of the image intensity at every pixel. The gradient vectors can be represented as [g_x, g_y]. For an input fingerprint image, the gradient vectors signify the highest deviation of grey intensity, which lies perpendicular to the edge of the ridge lines [31].

(v) Morphological Operations
The binary morphological operators are applied on the binarized fingerprint image. The primary function of the morphological operators is the elimination of obstacles and noise from the image. In addition, the morphological operators remove unnecessary spurs, bridges and line breaks. Then, a thinning process is performed to reduce the thickness of the lines (removing redundant pixels) so that the lines become 1-pixel wide and easily distinguishable from the other regions of the image. The Clean operator, Hbreak operator, Spur operator and Thinning are the morphological operators utilized in the proposed scheme [30], [28]. The result of the morphological operations is depicted in Figure 4.

Figure 4. Fingerprint Image after Morphological Operations
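The gradient-based orientation estimation can be sketched as follows. This is an illustrative reconstruction using the standard least-squares average of doubled gradient angles over a block; the paper does not give its exact formulas, so the details below are assumptions:

```python
import numpy as np

def orientation_field(img):
    """Estimate the dominant ridge orientation of a grey-level block.

    Gradients [g_x, g_y] point perpendicular to ridge edges, so the
    ridge orientation is the mean gradient direction rotated by 90
    degrees. Returns an angle in radians in [0, pi).
    """
    img = img.astype(float)
    gy, gx = np.gradient(img)            # per-pixel partial derivatives
    # Least-squares average of the doubled gradient angles over the block.
    vx = np.sum(2.0 * gx * gy)
    vy = np.sum(gx ** 2 - gy ** 2)
    theta = 0.5 * np.arctan2(vx, vy)     # mean gradient direction
    return (theta + np.pi / 2) % np.pi   # rotate: ridges perpendicular to gradients
```

Averaging the doubled angles avoids the 180-degree ambiguity of ridge direction (a ridge oriented at 10 degrees and one at 190 degrees are the same line).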

2) Extraction of Ridges: The preprocessing steps result in a fingerprint image that gives a clear depiction of the foreground ridges. Subsequently, the ridges present in the preprocessed fingerprint image are separated and their co-ordinate values are found using the following steps:

1. The preprocessed fingerprint image is likely to have some connected ridges that might affect the extraction of ridges. Hence, we first segregate those connected ridges based on the minutiae points. Here, the ridge thinning algorithm is utilized for minutiae point extraction [38]. In the ridge thinning algorithm, the image is first divided into two distinct subfields that resemble a checkerboard pattern. In the first sub-iteration, a pixel p is removed from the first subfield only when all three conditions G1, G2, and G3 are satisfied. In the second sub-iteration, a pixel p is removed from the second subfield only when all three conditions G1, G2, and G3' are satisfied.

Condition G1:

X_H(p) = 1, where X_H(p) = ∑_{i=1}^{4} b_i and

b_i = 1 if x_{2i−1} = 0 and (x_{2i} = 1 or x_{2i+1} = 1); b_i = 0 otherwise.

Here x_1, x_2, ..., x_8 are the values of the eight neighbors of p, starting with the east neighbor and numbered in counterclockwise order.

Condition G2:

2 ≤ min{n_1(p), n_2(p)} ≤ 3, where

n_1(p) = ∑_{k=1}^{4} x_{2k−1} ∨ x_{2k} and n_2(p) = ∑_{k=1}^{4} x_{2k} ∨ x_{2k+1}.

Condition G3:

(x_2 ∨ x_3 ∨ x̄_8) ∧ x_1 = 0

Condition G3':

(x_6 ∨ x_7 ∨ x̄_4) ∧ x_5 = 0

One iteration of the thinning algorithm combines the two sub-iterations.

2. The pixel locations corresponding to the minutiae points are replaced with black pixels. The resultant fingerprint image contains the ridges, each separated from the other.

3. The fingerprint image obtained in Step 2 is fed as input to the regionprops function of MATLAB's Image Processing Toolbox [47]. The regionprops function determines the properties of each of the individual ridges R present in the fingerprint image I:

R[i] = regionprops(I); i → number of ridges

4. The individual ridges are extracted, and the properties of the individual ridges are utilized to acquire the co-ordinate values C_v of the ridges.
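The three thinning conditions can be checked per pixel from its eight neighbors. A sketch (ours, following the cited two-subfield thinning formulation, with x1..x8 indexed from the east neighbor counterclockwise as in the text):

```python
def thinning_conditions(x):
    """Evaluate conditions G1, G2, G3 and G3' for one pixel.

    x is a list of the 8 binary neighbor values x1..x8 (x[0] is the
    east neighbor, proceeding counterclockwise).
    Returns (G1, G2, G3, G3p) as booleans.
    """
    def n(i):                      # 1-based neighbor access with wraparound
        return x[(i - 1) % 8]

    # G1: exactly one 0 -> 1 transition pattern around p.
    xh = sum(1 for i in range(1, 5)
             if n(2 * i - 1) == 0 and (n(2 * i) == 1 or n(2 * i + 1) == 1))
    g1 = xh == 1

    # G2: 2 <= min(n1, n2) <= 3.
    n1 = sum(n(2 * k - 1) | n(2 * k) for k in range(1, 5))
    n2 = sum(n(2 * k) | n(2 * k + 1) for k in range(1, 5))
    g2 = 2 <= min(n1, n2) <= 3

    # G3:  (x2 v x3 v not-x8) ^ x1 == 0
    g3 = ((n(2) | n(3) | (1 - n(8))) & n(1)) == 0
    # G3': (x6 v x7 v not-x4) ^ x5 == 0
    g3p = ((n(6) | n(7) | (1 - n(4))) & n(5)) == 0

    return g1, g2, g3, g3p
```

A pixel in the first subfield is deleted when G1, G2 and G3 all hold; one in the second subfield when G1, G2 and G3' all hold.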

B. Compression Using Bezier Curve Representations
A fingerprint image can have hundreds of ridges, each with its own structure. In the proposed scheme, each ridge is visualized as a cubic Bezier curve and its four Bezier control points (two end points and two control points) are determined. The set of four Bezier control points serves as the compressed form of an individual ridge. Thus, every fingerprint image with n ridges can be compressed into a file containing 4*n Bezier control points. The different structures of the ridges present in the original fingerprint image are shown in Figure 5.

Figure 5. Different structures of the ridges


Subsequently, for every ridge visualized as a Bezier curve:
1) Determine the two end points, P1 (the origin or starting point) and P4 (the destination or terminating point), from Cv.
2) Compute the two control points that direct the construction of the Bezier curve: P2 (the control point towards which the Bezier curve moves from P1) and P3 (the control point that directs the Bezier curve towards P4).
The Bezier control points of the ridges are determined by bearing in mind the following properties. The Bezier curve always passes through the end points and lies within the convex hull of the control points. The curve is tangent to P2 − P1 and Pn − Pn−1 at the endpoints. The "variation diminishing property" of these curves means that no line can have more intersections with a Bezier curve than with the polyline obtained by joining consecutive control points with straight line segments. A further desirable property is that the curve can be translated and rotated by performing these operations on its control points. It is sufficient to store the four Bezier control points instead of the actual Bezier curve, i.e., the ridge of the fingerprint. The original ridge can then be reproduced from these stored control points using the properties of the Bezier curve. Thus, the proposed scheme for fingerprint compression achieves an effective reduction in the memory space required to store the fingerprint.

V. RECONSTRUCTION OF FINGERPRINT IMAGE FROM BEZIER CONTROL POINTS

The encoded fingerprint comprises a set of control points, each set corresponding to an individual ridge of the original fingerprint. For reconstruction (decoding) of the compressed fingerprint, every individual ridge is decoded using the properties of the Bezier curve, and the decoded ridges together form the fingerprint image. The input to the reconstruction is a set of control points from which the Bezier curve is to be constructed.
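The paper does not spell out how the interior control points P2 and P3 are computed from the ridge co-ordinates Cv. One common choice — an assumption here, not the authors' stated method — is a least-squares fit of the cubic Bernstein form with the endpoints pinned to the first and last ridge points and a chord-length parameterization:

```python
import numpy as np

def fit_cubic_bezier(points):
    """Fit a cubic Bezier to ordered 2-D ridge points (N x 2 array).

    Endpoints P1, P4 are fixed to the first and last ridge points;
    the interior control points P2, P3 are found by least squares.
    Chord-length parameterization is an assumption, not from the paper.
    """
    pts = np.asarray(points, dtype=float)
    d = np.linalg.norm(np.diff(pts, axis=0), axis=1)
    u = np.concatenate([[0.0], np.cumsum(d)]) / d.sum()  # chord-length u in [0, 1]

    b0 = (1 - u) ** 3            # cubic Bernstein basis at each u
    b1 = 3 * u * (1 - u) ** 2
    b2 = 3 * u ** 2 * (1 - u)
    b3 = u ** 3

    p1, p4 = pts[0], pts[-1]
    # Solve [b1 b2] [P2; P3] = pts - b0*P1 - b3*P4 in least squares.
    A = np.column_stack([b1, b2])
    rhs = pts - np.outer(b0, p1) - np.outer(b3, p4)
    (p2, p3), *_ = np.linalg.lstsq(A, rhs, rcond=None)
    return p1, p2, p3, p4
```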
The mathematical formulation of the Bezier curve construction from the control points is as follows [37]. Given N + 1 control points P_k, with k = 0 to N, the Bezier parametric curve is given by B(u):

B(u) = ∑_{k=0}^{N} P_k [N! / (k!(N−k)!)] u^k (1−u)^(N−k),  0 ≤ u ≤ 1

Since Bezier curves are parametric curves, the above formula is applied independently to the x and y coordinates of a point in a 2D curve [37]:

B(u).x = ∑_{k=0}^{N} (P_k.x) [N! / (k!(N−k)!)] u^k (1−u)^(N−k)
B(u).y = ∑_{k=0}^{N} (P_k.y) [N! / (k!(N−k)!)] u^k (1−u)^(N−k),  0 ≤ u ≤ 1

In our scheme, we employ cubic Bezier curves, which are completely described by four control points. So, given the four control points (P_0, P_1, P_2, P_3), we derive the mathematical formula of the cubic Bezier curve as follows [37]:

B(u) = ∑_{k=0}^{3} P_k [3! / (k!(3−k)!)] u^k (1−u)^(3−k)
B(u) = P_0 (1−u)^3 + 3 P_1 u (1−u)^2 + 3 P_2 u^2 (1−u) + P_3 u^3
B(u) = u^3 (−P_0 + 3P_1 − 3P_2 + P_3) + u^2 (3P_0 − 6P_1 + 3P_2) + u (−3P_0 + 3P_1) + P_0
B(u) = u^3 (P_3 + 3(P_1 − P_2) − P_0) + 3u^2 (P_0 − 2P_1 + P_2) + 3u (P_1 − P_0) + P_0

VI. EXPERIMENTAL RESULTS

The experimental results of the novel and efficient scheme presented for compressing fingerprint images are provided in this section. The proposed scheme is implemented using Matlab (Matlab 7.4) and Java. The ridges present in the fingerprint image are first extracted using Matlab. Then, the determination of the Bezier control points and the reconstruction phase are performed using Java. First, the ridges in the preprocessed fingerprint image are separated along with their respective co-ordinate values. Subsequently, each ridge is visualized as a Bezier curve and, for every curve, four control points are determined. The set of four control points represents the compressed form of an individual ridge. Consequently, using the Bezier control points, we have reconstructed the fingerprint image, which preserves the fine details of the original fingerprint image. The results obtained from experimentation with two fingerprint images are shown in Figures 6 and 7. Each figure consists of a) the original fingerprint image, b) the image constructed from the co-ordinate values of the extracted ridges, c) the reconstructed image using the Bezier control points, and d) the evaluation result (image (b) superimposed on image (c)). The performance of the presented scheme has been evaluated by superimposing the fingerprint image constructed using the co-ordinate values of the extracted ridges on the fingerprint image reconstructed using the Bezier control points.

Figure 6. (a) Original Fingerprint Image 1 (b) Constructed Fingerprint image using co-ordinates of the ridges (c) Reconstructed fingerprint image using Bezier control points (d) Evaluation Result


Figure 7. (a) Original Fingerprint Image 2 (b) Constructed Fingerprint image using co-ordinates of the ridges (c) Reconstructed fingerprint image using Bezier control points (d) Evaluation Result

Moreover, the proposed fingerprint compression scheme has achieved an exceptionally good compression ratio. The results obtained in compressing two fingerprint images are given in Table 1.
TABLE I: COMPRESSION RESULTS OF THE PROPOSED SCHEME

Image           Original image size (KB)   Compressed file size (KB)
Fingerprint 1            19.4                       2.7
Fingerprint 2            19.2                       2.6
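The compression ratios implied by Table 1 can be computed directly (roughly 7.2:1 and 7.4:1):

```python
def compression_ratio(original_kb, compressed_kb):
    """Compression ratio = original size / compressed size."""
    return original_kb / compressed_kb

print(round(compression_ratio(19.4, 2.7), 1))  # Fingerprint 1 -> 7.2
print(round(compression_ratio(19.2, 2.6), 1))  # Fingerprint 2 -> 7.4
```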

VII. CONCLUSION

In this paper, we have presented a novel and efficient compression scheme for fingerprint images using Bezier curves. Initially, the ridges and their co-ordinate values in the fingerprint image are extracted with the aid of the approach discussed in the paper. Subsequently, the control points for all the extracted ridges are determined by visualizing the ridges as Bezier curves. The determined control points are stored in a file that represents the compressed counterpart of the fingerprint image. The fingerprint images are reconstructed, when needed, from the stored control points using Bezier curves. The presented scheme achieves better compression at some cost in accuracy. The experimental results have demonstrated the effectiveness of the presented compression scheme.

REFERENCES
[1] John D. Woodward, Christopher Horn, Julius Gatune, and Aryn Thomas, "Biometrics: A Look at Facial Recognition", RAND Public Safety and Justice for the Virginia State Crime Commission, 2003. [2] P. Jonathon Phillips, Alvin Martin, C.L. Wilson, Mark Przybocki, "An Introduction to Evaluating Biometric Systems", IEEE Computer, pp: 56-63, 2000. [3] Balasubramanian. K and Babu. P, "Extracting Minutiae from Fingerprint Images using Image Inversion and Bi-Histogram Equalization", Proceedings of SPIT-IEEE Colloquium and International Conference, Vol. 1, No. 53, Mumbai, India, 2008. [4] Yevgeniy Libov, "Biometrics: Technology That Gives You a Password You Can't Share", White paper, SANS Institute InfoSec Reading Room, October 2003. [5] Sen Wang, Wei Wei Zhang and Yang Sheng Wang, "Fingerprint Classification by Directional Fields", In Proceedings of the 4th IEEE International Conference on Multimodal Interfaces, pp. 395-399, 2002. [6] A. Sibbald, "Method and apparatus for fingerprint characterization and recognition using auto-correlation pattern," U.S. Patent No. 5,633,947, 1994.

[7] H. C. Lee and R. E. Gaensslen, Eds., “Advances in Fingerprint Technology”, New York: Elsevier, 1991. [8] Anil K. Jain, Salil Prabhakar, Lin Hong, and Sharath Pankanti, "Filterbank-Based Fingerprint Matching", IEEE Transactions On Image Processing, Vol. 9, No. 5, pp:846-859, May 2000. [9] Federal Bureau of Investigation, “WSQ Gray-Scale Fingerprint Image Compression Specification”, IAFIS-IC-0110 (rev. 2.0), Feb. 1993. [10] Dario Maio, Davide Maltoni, "Direct Gray-Scale Minutiae Detection in Fingerprints", IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 19, No. 1, pp: 27 – 40, April 1997. [11] Shohreh Kasaei, Mohamed Deriche, Boualern Boash, "A Novel Fingerprint Image compression technique using Wavelet packets and Pyramid Lattice Vector Quantization", IEEE Tran. on Image Processing, Vol.11, No.12. , pp: 1365-1378, Dec-2002. [12] Karen Lees, "Image compression using Wavelets", Technical Report, 2002 [13] Milan Sonka, Roger Boyle, "Image processing Analysis and Machine Vision", international Thomson Computer press-1996. [14] John D. Woodward, Nicholas M. Orlans, Peter T. Higgins, "Biometrics", chapter 1, Publisher: Mcgraw-hill/osborne Media, Pages: 416, Dec 2002. [15] Ju Cheng Yang and Dong Sun Park, "Fingerprint Feature Extraction based on Invariant Moments and Gabor Filters", Complex Systems And Applications-Modeling, Control and Simulations, Vol: 14, pp: 14411444, 2007. [16] Awad Kh. Al-Asmari, "Progressive Fingerprint Images Compression Using Edge Detection Technique", International Journal of Images Systems & Technology, John Wiley & Sons, Vol. 12, pp. 211 – 216, 2002. [17] S. S. Gornale, Vikas T Humbe, R. R. Manza and K.V.Kale, "Fingerprint Image Compression using Retain Energy (RE) and Number of Zeros (NZ) through Wavelet Packet (WP)", International Journal of Computer Science and Security, Vol: 1, No:2, pp: 35-42, 2008. [18] A. 
Mascher-Kampfer, Herbert Stögner, Andreas Uhl, "Comparison of Compression Algorithms’ Impact on Fingerprint and Face Recognition Accuracy", Proc. SPIE, Vol. 6508, 2007. [19] S. Kasaei, M. Deriche and B. Boashash, “Fingerprint compression using wavelet packet transform and pyramid lattice vector quantization," IEICE Trans. on Fundamentals of Electronics, Comm. and Comp. Sci., Japan, vol.E80-A, no.8, pp. 1446-52, Aug. 1997. [20] Song Zhao, Xiao-Fei Wang, "Fingerprint Image Compression Based on Directional Filter Banks and TCQ ", 2009 Second International Workshop on Knowledge Discovery and Data Mining, pp.660-663, 2009. [21] S. Esakkirajan, T. Veerakumar, V. Senthil Murugan, R. Sudhakar, "Fingerprint Compression Using Contourlet Transform and Multistage Vector Quantization", International Journal of Biological and Medical Sciences, Vol: 1, No: 2, pp: 140 -147, 2006. [22] R.Sudhakar, N.Vignesh, Dr.S.Jayaraman, "Application of Wavelet Footprints for Fingerprint Compression", ICGST-GVIP Journal, Vol: 5, No: 6, pp.39-45, June 2005. [23] S.S.Gornale, R.R.Manza, Vikas Humbe and K.V.Kale, "Performance Analysis of Biorthogonal Wavelet Filters for Lossy Fingerprint Image Compression", International Journal of Imaging Science and Engineering (IJISE), Vol: 1, No: 1, 2007.


[24] Arun Ross , James Reisman, Anil Jain, "Fingerprint Matching Using Feature Space Correlation ", Lecture Notes in Computer Science, Vol: 2359, pp:48-57, 2002. [25] G. Farin, “Curves and surfaces for computer aided geometric design: a practical guide.” Academic Press, 1997. [26] Greenberg, S., Aladjem, M., Kogan, D., Dimitrov, I., "Fingerprint image enhancement using filtering techniques", In Proc. 15th International Conf. on Pattern Recognition III, pp. 326–329, 2000. [27] Raymond Thai, Fingerprint Image Enhancement and Minutiae Extraction, Technical Report, The University of Western Australia, 2003. [28] Manvjeet Kaur, Mukhwinder Singh, Akshay Girdhar, and Parvinder S. Sandhu, “Fingerprint Verification System using Minutiae Extraction Technique", in proc. of World Academy of Science, Engineering and Technology, Vol. 46, pp: 497, 2008. [29] Aleksas Riskus, "Approximation of a Cubic Bezier Curve By Circular Arcs and Vice Versa", Information Technology and Control, Vol.35, No.4, pp: 371-378, 2006. [30] N. Lalithamani, K.P. Soman, "An Effective Scheme for Generating Irrevocable Cryptographic Key from Cancelable Fingerprint Templates", International Journal of Computer Science and Network Security, Vol.9, No.3, pp: 183- 193, 2009. [31] Yi Wang, Jiankun Hu and Fengling Han, "Enhanced gradient-based algorithm for the estimation of fingerprint orientation fields," Applied Mathematics and Computation, Special Issue on Intelligent Computing Theory and Methodology, Vol. 185, No. 2, pp. 823-833, February 2007. [32] L.Hong, Y. Wan, A. Jain, “Fingerprint Image Enhancement: Algorithm and Performance Evaluation,” IEEE Trans. Pattern Analysis and Machine Intelligence, Vol. 20, No.8, pp.777-789, 1998. [33] B.G. Sherlock, D.M. Monro, “Balanced uncertainty wavelets for fingerprint compression," IEE Colloquium on Image Proc. for Security Appl., London, pp.1-6, 1997. [34] B.G. Sherlock, D.M. Monro, “Psycho visually tuned wavelet fingerprint compression," Proc. 
of 3rd IEEE Int'l Conf. on Image Proc., ICIP '96, Lausanne, vol.2, pp. 585-588, 1996. [35] Gulzar A. Khuwaja, "Best parameter based compression of fingerprints with wavelet packets", International Journal of Computer Applications in Technology, Vol: 19, No: 1, pp: 51-62, 2004. [36] Yuan Huaqiang, Ye Yangdong, Deng Jianguang, Chai Xiaoguang, Li Yong, "A fingerprint feature extraction algorithm based on curvature of Bezier curve", Progress In Natural Science, Vol: 17, No: 11, 2007. [37] Timothée Groleau, "Approximating Cubic Bezier Curves in Flash MX", http://www. timotheegroleau.com/Flash/articles/cubic_bezier_in_flash.htm, 2002. [38] Anil K. Jain, Karthik Nandakumar, and Abhishek Nagar, "Biometric Template Security," EURASIP Journal on Advances in Signal Processing, vol. 2008, Article ID 579416, 17 pages, 2008. doi:10.1155/2008/579416. [39] Khuwaja G.A., Tolba A.S., "Fingerprint image compression", Proceedings of the IEEE Signal Processing Society Workshop on Neural Networks for Signal Processing, Vol: 2, pp: 517-526, 2000. [40] N. N. Abdelmalek, T. Kasvand, D. Goupil, N. Otsu, "Fingerprint data compression," Proc. of Seventh Int. Conf. on Patt. Rec., Montreal, vol.2, pp. 834-836, Aug. 1984. [41] M.M.S. Chong, R.K.L. Gay, H.N. Tan, J. Liu, "Automatic representation of fingerprints for data compression by B-spline functions", Pattern Recognition, vol.25, no.10, pp. 1199-1210, Oct. 1992. [42] M. Yamada, N. Itoh, H. Tominaga, "A study on pseudo coding of thinned fingerprint image using fractal curve," Trans. of the Institute of Electronics, Inf. and Comm. Eng., Japan, vol.76, no.3, pp. 807-811, Mar. 1993. [43] B.D. Costello, C.A. Gunawardena, Y.M. Nadiadi, "Automated coincident sequencing for fingerprint verification", IEE Colloquium on Image Proc. for Biom. Measurement, Vol: 100, London, pp. 3/1-5, Apr. 1994. [44] S. Kasaei, M. Deriche, "Fingerprint compression using a piecewise-uniform pyramid lattice vector quantization," In Proc. of 1997 IEEE Int'l Conf. on Acoustics, Speech, and Sig. Proc., Munich, vol.4, pp. 3117-3120, 1997.

[45] T. Hopper, F. Preston, "Compression of grayscale fingerprint images," In Proc. Data Compress. Conf., DCC '92, Snowbird, pp. 309-318, 1992. [46] J.N. Bradley, C.M. Brislawn, "The wavelet/scalar quantization compression standard for digital fingerprint images," Proc. of Conf. Signal, Image Proc. and Appl., Annecy, France, pp. 245-247, 1996. [47] "Regionprops" from MATLAB's Image Processing Toolbox, http://www.mathworks.com/access/helpdesk/help/toolbox/images/regionprops.html.

AUTHORS PROFILE

Vani Perumal received the B.Sc degree from the Department of Computer Science, University of Madras, the M.C.A degree from the Department of Computer Applications, Bharathidasan University, and the M.Phil degree from the Department of Computer Science, Mother Teresa Women's University. She is currently pursuing the Ph.D degree in Computer Science, with specialization in Image Processing and Pattern Recognition, at Mother Teresa Women's University, Tamil Nadu, India. From 2002 to 2006, she was the Head in charge of the Computer Science Department, Soka Ikeda College, Chennai. She is currently working with S.A. Engineering College, Chennai, India.

Jagannathan Ramaswamy received the B.Sc, M.Sc and Ph.D degrees from the University of Madras, India. He obtained his Master of Philosophy degree in Space Physics from Anna University, Chennai. He was the Reader and the Head of the Postgraduate Department of Physics at D.G. Vaishnav College, Chennai. Dr. Jagannathan is currently the Chairman cum Secretary of the India Society of Engineers, Madras Chapter, Managing Editor (Publications) of the Asian Journal of Physics, and Deputy Registrar (Education), Vinayaka Missions University, Chennai, India.


Exception Agent Detection System for IP Spoofing Over Online Environments
Al-Sammarraie Hosam
Center for IT and Multimedia, Universiti Sains Malaysia Penang, Malaysia

Adli Mustafa
School of Mathematical sciences, Universiti Sains Malaysia Penang, Malaysia

Merza Abbas
Center for IT and Multimedia, Universiti Sains Malaysia, Penang, Malaysia

Shakeel Ahmad
School of Mathematical Sciences, Universiti Sains Malaysia, Penang, Malaysia; Institute of Computing and Information Technology, Gomal University, Pakistan

Abstract—Over recent years, IP and email spoofing have gained much importance as security concerns due to current techniques for manipulating system performance in different online environments. Intrusion Detection Systems (IDS) have been used to secure these environments for data sharing, via network-based and host-based IDS approaches. However, the rapid growth of intrusion events over the Internet and local area networks has become responsible for the distribution of different threats and vulnerabilities in computing systems. The signature detection approach used by current IDSs detects unclear actions by analyzing and describing action patterns (such as time, text and password), and it faces difficulties in updating its information, detecting unknown novel attacks, and maintaining the IDS (which necessarily involves analyzing and patching security holes), as well as a lack of information on user privileges and attack signature structure. Thus, this paper proposes an EADS (Exception Agent Detection System) for securing the header information carried by IP over online environments. The study mainly concerns the deployment of a new technique for detecting and eliminating unknown threat attacks during data sharing over online environments.

Keywords-component; IP spoofing; Intrusion detection system; Exception agent system; Local area network

I. INTRODUCTION

The rapid growth of intrusion events over local area networks and the Internet has affected organizations and other environments, pushing most of them to implement security techniques against the corresponding threats. The Internet Protocol (IP) provides sustainable services for information delivery across the Internet; how a packet presents this information depends on the TCP/IP layers. An IP datagram contains a header carrying the source details of the network, to be forwarded to the IP datagram's destination. The details carried by the IP header are a) time to live, b) source and destination addresses, c) type of service, and other relevant information. Because the header is essential for sending and receiving information over a LAN, it is a frequent target for attackers. Moreover, attackers may also use
Sponsored by USM

some other techniques to grab the header information carried via IP over LAN online environments [5]. Hence, environments tend to integrate powerful techniques for detecting and preventing IP changes; for example, an intrusion detection system (IDS) may be deployed to secure and monitor IP behavior over a LAN. Intrusion Detection Systems are tools that assist in managing threats and vulnerabilities in this changing environment. Threats are people or groups who have the potential to compromise other computer systems [4]. These may be an inquisitive teenager, a discontented worker or employee, or a spy from a rival company or a foreign government. Attacks on networked computer systems can be devastating, affecting networks and corporate establishments. It is

158

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

essential to prevent and curb these attacks, and an Intrusion Detection System helps to identify such intrusions. Without a NIDS there is no way to monitor network activity, possibly resulting in irreparable damage to an organization's network. Intrusion attacks are "those attacks in which an attacker enters your network to read, damage, and/or steal your data" [1]. These attacks can be divided into two subcategories: pre-intrusion activities and intrusions. Current IDS use two intrusion detection approaches. The first, the anomaly detection approach, examines the relation between a profile and the current behavior of TCP/IP traffic, determines the difference between profiles, and detects possible attack attempts. The second, the signature detection approach, detects ambiguous and unclear actions by analyzing and describing action patterns such as time, text, and passwords [11]. Figure 1 shows the proposed EADS workflow over online environments (ENA, ENB, ENC, and END). Data sharing among these environments uses the IDS technique for securing IP datagrams during transfer from one environment to another. However, many protocols and architectures for LAN- and host-based IDS were designed without considering the possibility of other threat attacks. Moreover, the existing defense mechanisms against such attacks in host networks are not effective at analyzing and eliminating unknown attacks, owing to the differences in their characteristics. Furthermore, most of these environments require secure systems to detect and eliminate external and internal attacks over LAN- and host-based IDS. Environments are constantly evolving and changing with the emergence of new technologies and the Internet, which may introduce new threats and unknown attacks. Hence, intrusion detection systems have been used to secure and support these environments for sharing their data over LAN- and host-based IDS.
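To make the two approaches concrete, the following minimal sketch (our own illustration; the signature identifiers, profile data, and threshold are hypothetical, not the paper's) contrasts signature matching against anomaly detection by deviation from a learned profile:

```python
from statistics import mean, pstdev

# Hypothetical database of known attack-pattern identifiers
KNOWN_SIGNATURES = {"FAILED_LOGIN_BURST", "PORT_SCAN"}

def signature_detect(event: str) -> bool:
    """Signature approach: flag an event only if it matches a known pattern."""
    return event in KNOWN_SIGNATURES

def anomaly_detect(profile: list, observed: float, k: float = 3.0) -> bool:
    """Anomaly approach: flag a value deviating more than k std-devs
    from the profile of normal behavior."""
    mu, sigma = mean(profile), pstdev(profile)
    return abs(observed - mu) > k * sigma

# Normal behavior profile, e.g. login attempts per hour on one host
normal_logins_per_hour = [4, 5, 6, 5, 4, 5]

print(signature_detect("PORT_SCAN"))                # matches a known pattern
print(anomaly_detect(normal_logins_per_hour, 50))   # far outside the profile
```

The sketch also exposes the paper's complaint: `signature_detect` returns False for any novel attack absent from `KNOWN_SIGNATURES`, whereas the anomaly detector can flag it if it deviates from the profile.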
Furthermore, IP spoofing over online environments presents different patterns and follows exceptional behaviors based on the attacker's techniques. This paper is mainly concerned with the deployment of a new technique for detecting and eliminating unknown threat attacks during data sharing.

Figure 1. Online environment workflow

Additionally, several disadvantages have been identified in the current signature detection approach: difficulties in updating information; inability to detect unknown novel attacks; maintenance of an IDS that is necessarily connected with analyzing and patching security holes; attack knowledge that is operating-environment dependent; and a lack of information on user privileges and attack signature structure. Moreover, the signature detection approach lacks the ability to detect and describe new IP spoofing patterns, such as a) random spoofing, b) spoofing a set of addresses consistently, and c) spoofing a small address set as the attacker moves from one set to another. Hence, we propose an improvement to the current detection techniques for IP spoofing over online environments based on the signature detection approach. Moreover, this paper proposes an enhancement of the current signature approach in terms of an exception agent (virtual agent) system to examine and analyze network traffic (packets) over multiple online environments. In addition, this paper follows a classification of intrusion detection systems modified to present the study requirements.


An agent system is used to monitor and organize network performance against different threats over a LAN. An agent represents threat behavior so that such behaviors can be processed over the LAN and hosts. Moreover, a multi-agent system is a computational system in which agents with different capabilities and resources perform their tasks by coordinating and cooperating with each other in order to achieve a set of goals through interaction, coordination, cooperation, and collective intelligence [9].

The rest of the paper is organized as follows. Related work is presented in Section 2. Section 3 presents the IDS methodology. EADS is presented in Section 4. Experimental results based on HIDS are presented in Section 5, followed by the conclusion.

II. RELATED WORK

Recently, different studies have described architectures and implementations of techniques for detecting and handling spoofing activities over LANs. The authors of [3] explained the Probabilistic Agent-Based Intrusion Detection (PAID) system, which provides a cooperative agent architecture whose agents can perform specific intrusion detection tasks (e.g., identifying IP-spoofing attacks); PAID allows agents to share the probability distribution of an event's occurrence. Another study presented a framework to investigate prospective adaptive and cooperative defense mechanisms against Internet attacks. The suggested approach is based on multi-agent modeling and simulation: it represents attack and defense as interacting teams of intelligent agents that act under some adaptation criterion, adjusting their configuration and behavior in compliance with network conditions and attack (or defense) severity [6]. A further study reported the design and evaluation of the Clouseau system together with route-based filtering (RBF). The design provides an effective and practical defense against IP spoofing, since RBF depends critically on the accuracy of the IP-layer information used for spoofed-packet detection. The inference process, as described by the authors, is "resilient to subversion by an attacker who is familiar with Clouseau" [8]. Another study proposed the ANTID scheme for detecting and filtering DDoS attacks that use spoofed packets to circumvent conventional intrusion detection schemes. ANTID complements the conventional schemes by embedding in each IP packet a unique path fingerprint that represents the route the packet has traversed; ANTID is thus able to distinguish IP packets that traverse different Internet paths [7]. Finally, a study presented a model and architecture for enhancing the current signature detection approach, based on an intrusion detection engine with threat-awareness capability. The authors modeled and enhanced the efficacy of the threat-aware signature-based intrusion detection approach for obtaining network-specific useful alarms. Their experiments on various threat scenarios showed that external threats formed 95% of the alarms raised by the proposed model [10].

III. METHODOLOGY

An intrusion detection system (IDS) methodology is concerned with the detection of hostile actions [2]. The selected methodology presents two main techniques: the first, anomaly detection, investigates contradictions of, or deviations from, normal system and user behavior, whereas the second employs the signature detection approach to distinguish between attack or anomaly signatures and known intrusion detection signatures. Figure 2 shows the classification of intrusion detection systems.

Figure 2. Classification of intrusion detection systems (modified version)


There are different IDS tools for exploiting IDS information: a) host-based IDS (HIDS), which collects details from a single host, and b) network-based IDS (NIDS), which collects IDS information from multiple signals of a local network. This paper presents the EADS (Exception Agent Detection System) technique to detect IP spoofing in a HIDS, employing an exception agent detection system in HIDS environments.

IV. EADS TECHNIQUE

A typical description of the process involved in the exception agent detection technique is:

{ ENA : Environment A; ENB : Environment B }
// selected environments for analyzing and detecting unknown IP spoofing //

{ ARPS : ARP (IP) sent; ARPR : ARP (IP) received;
  ARPC : examination of the received IP against the MAC address data }
// this part examines the ARP information (comparing the IP with existing MAC addresses) for data transfer from ENA to ENB //

{ VARP : virtual IP & MAC table (extracts the source ARP (IP) from ENA and the received ARP (IP) from ENB);
  VGS : virtual agent that sends the same source ARP (IP) request from ENA to the unknown ARP (IP) received from ENB;
  VGR : virtual agent that receives an ARP (IP) request from ENB;
  VGC : virtual agent that compares the extracted source ARP (IP) from ENA (VGS) with the ARP (IP) of VGR from ENB }
// finally, a virtual ARP packet is created from the source IP of ENA to analyze and examine the unknown ARP received (ARPR) from ENB //
// *1, *2, and *3 mark the exceptional process for detecting unknown threats over host networks //

1  ENA sends a request to ENB                      *1
2  Send ARPS from ENA to ENB
3  Receive the ARPR request from ENB
4  Match ARPS from ENA with ARPR from ENB
5  ARPC = (ENA/ARPS) * (ENB/ARPR)
6  If ARPC > 0                                     *2
7      Then save ARPC and transfer data from ENA to ENB
8  Else create VARP
9      Extract ENA/ARPS and ENB/ARPR
10     Create VGS and VGR
11     Resend the VGS request to ENB
12     (ENA/VGS) * (VGS/VARP) = (ENA/VARP)
13     Receive the VGS request from ENB
14     (ENB/VGR) * (VGR/VARP) = (ENB/VARP)
15     Compare based on VGC = (ENB/VARP) * (ENA/ARPS)
16     If VGC > 0                                  *3
17         Then save VGC in the ARP
18     Else raise an IP spoofing alarm
19         Stop the transfer (data sharing)
20         Eliminate VARP, VGS, VGR, and VGC
21 End
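As a rough, hypothetical sketch of the matching steps above (the data model, function name, and sample addresses are our own illustration, not the paper's implementation), one pass of the check might look like:

```python
# Hypothetical data model: an ARP record is an (ip, mac) pair;
# arp_table maps ip -> mac (the main ARP of the host environment).

def eads_check(arp_table: dict, sent: tuple, received: tuple) -> str:
    """One simplified pass of the EADS matching steps (1-21 above)."""
    sent_ip, sent_mac = sent
    recv_ip, recv_mac = received
    # Steps 4-7: direct match of the sent record against the received one
    if arp_table.get(recv_ip) == recv_mac and recv_ip == sent_ip:
        return "TRANSFER"               # ARPC > 0: consistent, allow data sharing
    # Steps 8-15: create a virtual ARP entry and re-verify via virtual agents
    virtual_arp = {sent_ip: sent_mac, recv_ip: recv_mac}
    if virtual_arp.get(recv_ip) == arp_table.get(recv_ip):
        arp_table[recv_ip] = recv_mac   # step 17: save verified entry in main ARP
        return "TRANSFER"
    # Steps 18-20: claimed IP does not match the known MAC -> spoofing alarm
    return "IP_SPOOFING_ALARM"

table = {"10.0.0.1": "aa:aa", "10.0.0.2": "bb:bb"}
print(eads_check(table, ("10.0.0.1", "aa:aa"), ("10.0.0.1", "aa:aa")))
print(eads_check(table, ("10.0.0.1", "aa:aa"), ("10.0.0.2", "cc:cc")))
```

The key design point mirrored here is that the virtual ARP is consulted only when the direct match fails, so known-good transfers pay no extra cost; only exceptional traffic triggers the agent comparison.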


Figure 3. EADS activity diagram

V. EXPECTED EXPERIMENTAL RESULTS

Figure 4, shown below, illustrates a simple process of the proposed technique based on HIDS.

Figure 4. The EADS implementation architecture

This technique is used to examine and analyze attempted threats over online environments. Additionally, the proposed EADS will deploy a virtual agent and a virtual ARP-based intrusion detection system during an attack from an unknown IP, a capability lacking in the existing signature detection approach used by conventional IDS. These virtual agents detect and analyze unknown threats over the host network by capturing the unknown IP information and matching it against the existing IP source information. The proposed system then identifies the unknown IP threats by inserting the IP information into the virtual ARP (during the attack) and saving it later to the main ARP (after the attack). The virtual ARP has been implemented to save the incoming IP address from one host environment to another in the host network. Furthermore, the virtual ARP is used to resolve and analyze different network-layer protocol addresses and map them to hardware addresses; it is primarily used to translate IP addresses to Ethernet MAC addresses. This process helps to recognize and identify unknown threats when matching the incoming IP addresses over host networks against the existing IP information in the main ARP. Moreover, the proposed model is expected to:
• Analyze and monitor user and system activities more efficiently.
• Provide much better auditing of system and configuration vulnerabilities.
• Facilitate better integrity of data and system files.
• Recognize patterns reflecting known attacks more smartly and provide efficient statistical analysis for ambiguous/abnormal activities.
• Efficiently monitor the data trail, tracing activities from start to exit point.

VI. CONCLUSION

Nowadays, rapidly developed new techniques to secure data transfer over online environments are being deployed against certain network-oriented attacks, such as IP spoofing and packet storms, that can be detected via IP datagram examination. This paper presents EADS, which deploys a virtual-agent-based intrusion detection system during an attack from an unknown IP, a capability lacking in existing IDS. The paper also presents the process flow of the proposed model. The expected results presented in the paper show the credibility of the proposed model.


ACKNOWLEDGMENT

This work is funded in part by a USM Fellowship and a USM RU grant.

REFERENCES

[1] C. Biermann and M. A. Venter, "Comparison of intrusion detection systems," Computers and Security, vol. 8, pp. 676–683, 17 December 2001.
[2] A. Clyde, "Intrusion detection methodologies," AXENT Technologies, Inc., 24 July 2001, http://www.fostermelliar.co.za/updates/whitepapers/security/intrusion.htm.
[3] V. Gowadia, C. Farkas, and M. Valtorta, "PAID: A probabilistic agent-based intrusion detection system," Computers & Security, 16 June 2005.
[4] M. Gandhi and S. Srivatsa, "Detecting and preventing attacks using network intrusion detection systems," International Journal of Computer Science and Security, vol. 2, issue 1, January 2006.
[5] M. Kim and K. Chae, "A fast defense mechanism against IP spoofing traffic in a NEMO environment," Springer-Verlag Berlin Heidelberg, LNCS 3391, pp. 843–852, 28 January 2005.
[6] I. Kotenko and A. Ulanov, "Multi-agent framework for simulation of adaptive cooperative defense against Internet attacks," Springer-Verlag Berlin Heidelberg, LNAI 4476, pp. 212–228, AIS-ADM 2007.
[7] F. Lee and S. Shieh, "Defending against spoofed DDoS attacks with path fingerprint," Computers & Security, vol. 24, pp. 571–586, 28 March 2005.
[8] J. Mirkovic, N. Jevtic, and P. Reiher, "A practical IP spoofing defense through route-based filtering," 9 May 2006, http://www.cis.udel.edu/~sunshine/publications/csig.pdf.
[9] A. Nazaraf, B. Rahat, B. Anne, and K. Iqbal, "Exception representation and management in open multi-agent systems," Information Sciences, vol. 179, pp. 2555–2561, Elsevier, 10 February 2009.
[10] S. Neelakantan and S. Rao, "A threat-aware signature based intrusion-detection approach for obtaining network-specific useful alarms," IEEE, August 2008.
[11] J. Steven and E. Templeton, "Detecting spoofed packets," 21 June 2004, http://seclab.cs.ucdavis.edu/papers/DetectingSpoofed-DISCEX.pdf.

AUTHORS PROFILE

Mr. Hosam Alsammarie received his Bachelor's degree in Computer Engineering in Iraq (2006) and his Master's in Information Technology from Universiti Utara Malaysia (UUM). Currently, he is pursuing his PhD by research at Universiti Sains Malaysia (USM) under a fellowship scheme. His research interests include network security, ontology classification, multi-agent systems, knowledge-based mobile programming, and DBMS. He has presented papers at international conferences.

Dr. Shakeel Ahmad received his B.Sc. with distinction from Gomal University, Pakistan (1986) and his M.Sc. (Computer Science) from Quaid-e-Azam University, Pakistan (1990). He served for 10 years as a lecturer in the Institute of Computing and Information Technology (ICIT), Gomal University, Pakistan, and has been serving as an Assistant Professor in ICIT since 2001. He is among the senior faculty members of ICIT. Dr. Ahmad received his PhD degree (2007) on the performance analysis of finite-capacity queues under complex buffer management schemes. His research has mainly focused on developing cost-effective analytical models for measuring the performance of complex queueing networks with finite capacities. His research interests include performance modelling, optimization of congestion control techniques, software engineering, software refactoring, network security, routing protocols, and electronic learning. He has published many papers in journals of international repute and presented papers at international conferences.

Assoc. Prof. Dr. Merza Abbas is working as head researcher in the Center for IT and Multimedia, USM, Malaysia. He served for 30 years as a lecturer at Universiti Sains Malaysia and other international institutes. He has published many papers in journals of international repute and presented papers at international conferences.


A Trust-Based Cross-Layer Security Protocol for Mobile Ad hoc Networks
A. Rajaram
Anna University Coimbatore, Coimbatore, India

Dr. S. Palaniswami
Registrar, Anna University Coimbatore, Coimbatore, India

Abstract—In this paper, we develop a trust-based security protocol based on a cross-layer approach which attains confidentiality and authentication of packets in both the routing and link layers of MANETs. In the first phase of the protocol, we design a trust-based packet forwarding scheme for detecting and isolating malicious nodes using routing-layer information. It uses trust values to favor packet forwarding by maintaining a trust counter for each node. A node is punished or rewarded by decreasing or increasing its trust counter. If the trust counter value falls below a trust threshold, the corresponding intermediate node is marked as malicious. In the next phase of the protocol, we provide link-layer security using the CBC-X mode of authentication and encryption. Simulation results show that the proposed cross-layer security protocol achieves a high packet delivery ratio while attaining low delay and overhead.

Keywords—MANETs; cross-layer; security protocol; encryption; authentication; packet delivery; overhead

large ad hoc networks, and hence it is much more difficult to detect attacks from a dangerous, affected node. Altogether, this means that every node should be prepared to work in a way that it does not immediately trust any other node.

A distributed architecture should be applied in order to achieve high availability. This is because if a central entity is used in the security solution, its compromise results in a serious attack on the entire network. The following are the types of active attacks and their characteristics:

A. Black hole attack
Let H be a malicious node. When H receives a Route Request, it immediately sends back a Route Reply claiming that it can deliver the data itself over the shortest path. S therefore accepts the Route Reply from H, and H then receives all the data from S.

B. Neighbor attack
Both the neighbor attack and the black hole attack prevent data from being delivered to the destination. But the neighbor attacker does not catch and capture the data packets from the source node; it leaves the scene as soon as it has sent the false messages.

C. Wormhole attack
Two malicious nodes share a private communication link between them. One node captures the traffic information of the network and sends it directly to the other node. A wormhole can eavesdrop on the traffic, maliciously drop packets, and perform man-in-the-middle attacks against the network protocols [6].

D. DoS (Denial of Service) attack
When the network bandwidth is hijacked by a malicious node [5], a DoS attack results. In order to consume precious network resources such as bandwidth, or node resources such as memory or computation power, the attacker inserts packets into the network. Specific instances of the DoS attack are the routing-table overflow attack and the energy consumption attack.

E. Information disclosure attack
The information disclosure attack targets the privacy requirements of the network. Confidential information such as

I. INTRODUCTION

A. Mobile Ad-hoc Networks
A mobile ad hoc network (MANET) is a temporary, infrastructure-less, multi-hop wireless network in which the nodes can move arbitrarily. Such networks extend the limited wireless transmission range of each node by multi-hop packet forwarding and are thus well suited to scenarios in which pre-deployed infrastructure support is not available. In an ad hoc network there is no fixed infrastructure such as base stations or mobile switching centers. Mobile nodes within each other's radio range communicate directly via wireless links, while those that are far apart rely on other nodes to relay messages as routers. Node mobility in an ad hoc network causes frequent changes of the network topology. Mobile ad hoc networks are finding ever-increasing applications in both military and civilian scenarios due to their self-organizing, self-configuring capabilities.

B. Security Threats in MANETs
An ad hoc network can be attacked from any direction at any node, unlike fixed hardwired networks with physical protection at firewalls and gateways. This means that every node must be equipped to meet an attacker directly or indirectly. Malicious attacks can be initiated from both inside and outside the network. Tracking a specific node is difficult in


routing location, node status, or secret keys and passwords is leaked by the malicious node to unauthorized nodes.

F. Rushing attack
The rushing attack targets on-demand routing protocols that use duplicate suppression at each node. In order to find routes to destinations, the source node sends out an RREQ. Each intermediate node processes only the first non-duplicate packet and discards any duplicate that arrives later. Rushing attackers can forward these packets quickly by skipping some of the routing processes, and are thereby able to gain access to the forwarding group [7].

G. Jellyfish attack
A malicious node receives and sends RREQ and RREP normally, but before forwarding it delays the data packets for some time without any reason [7]. Since the node has to intrude into the forwarding group first, this type of attack is difficult to implement. If the number of malicious nodes is small, the influence on the network is also small.

H. Byzantine attack
This is also called an impersonation attack because the malicious node may imitate another normal node. It also sends false routing information to create anomalous updates in the routing table. In addition, an attacker may gain unauthorized access to resources and sensitive information.

I. Blackmail attack
This attack applies to routing protocols that use mechanisms for recognizing malicious nodes and broadcast messages that try to blacklist the offender [8]. By adding otherwise legitimate nodes to their blacklists, an attacker can blackmail a legitimate node so that those nodes are avoided in routes.

II. RELATED WORK

Farooq Anjum et al. [1] have proposed an initial approach to detect intrusions in ad hoc networks. Anand Patwardhan et al. [2] have proposed a secure routing protocol based on AODV over IPv6, further reinforced by a routing-protocol-independent Intrusion Detection and Response system for ad hoc networks.
Chin-Yang Henry Tseng [3] has proposed a complete distributed intrusion detection system consisting of four models for MANETs with formal reasoning. Tarag Fahad and Robert Askwith [4] have concentrated on the detection phase and proposed the Packet Conservation Monitoring Algorithm (PCMA) to detect selfish nodes in MANETs. Panagiotis Papadimitratos and Zygmunt J. Haas [5] have proposed the secure message transmission (SMT) protocol and its alternative, the secure single-path (SSP) protocol; SMT and SSP robustly detect transmission failures and continuously configure their operation to avoid and tolerate data loss and to ensure the availability of communication. Ernesto Jiménez Caballero [6] has reviewed the possible attacks against the routing system and some of the proposed IDSs. Yanchao Zhang et al. [7] have proposed a credit-based Secure Incentive Protocol (SIP) to stimulate cooperation in packet forwarding for infrastructureless MANETs. Liu et al. [8] have proposed the 2ACK scheme, which serves as an add-on technique for routing schemes to detect routing misbehavior and to mitigate its adverse effects. Li Zhao and José G. Delgado-Frias [9] have proposed the MARS scheme and its enhancement E-MARS to detect misbehavior and mitigate adverse effects in ad hoc networks. Patwardhan et al. [10] have proposed an approach to secure a MANET using a threshold-based intrusion detection system and a secure routing protocol. Madhavi and Tai Hoon Kim [11] have proposed a MIDS (Mobile Intrusion Detection System) suitable for multi-hop ad hoc wireless networks, which detects node misbehavior and anomalies in packet forwarding, such as intermediate nodes dropping or delaying packets. Syed Rehan Afzal et al. [12] have explored the security problems and attacks in existing routing protocols and presented the design and analysis of a secure on-demand routing protocol, called RSRP, which resolves the problems found in the existing protocols. In addition, RSRP uses a very efficient broadcast authentication mechanism that does not require any clock synchronization and facilitates instant authentication. Bhalaji et al. [13] have proposed an approach based on the relationships between nodes to make them cooperate in an ad hoc environment. The trust values of each node in the network are calculated by trust units, and a relationship estimator determines the relationship status of the nodes from the calculated trust values. Their enhanced protocol was compared with the standard DSR protocol and the results were analyzed using network simulator 2. Kamal Deep Meka et al. [14] have proposed a trust-based framework to improve the security and robustness of ad hoc network routing protocols. For constructing their trust framework they selected the Ad hoc On-demand Distance Vector (AODV) protocol, which is popular and widely used. Their goal is to make minimal changes to AODV while attaining an increased level of security and reliability. Their schemes are based on incentives and penalties depending on the behavior of network nodes; they incur minimal additional overhead and preserve the lightweight nature of AODV. Muhammad Mahmudul Islam et al. [15] have presented a possible framework for a link-level security protocol (LLSP) to be deployed in a Suburban Ad-hoc Network (SAHN). They analyzed various security aspects of LLSP to validate its effectiveness and, to determine LLSP's practicability, estimated the timing requirement for each authentication process. Their initial work indicates that LLSP is a suitable link-level security service for an ad hoc network similar to a SAHN. Shiqun Li et al. [16] have explored the security issues of wireless sensor networks and, in particular, proposed an efficient link-layer security scheme. To minimize the computation and communication overheads of the scheme, they designed a lightweight CBC-X mode encryption/decryption algorithm that attains encryption/decryption and authentication all in one. They also devised a novel padding technique, enabling the scheme to achieve zero


redundancy on sending encrypted/authenticated packets. As a result, security operations incur no extra bytes in their scheme. Stefan Schmidt et al. [17] have proposed a security architecture for self-organizing mobile wireless sensor networks that prevents many of the attacks these networks are exposed to and, in addition, limits the security impact of some attacks that cannot be prevented. They analyzed their security architecture and showed that it provides the desired security properties while still being a lightweight solution, and thus applicable to self-organizing mobile wireless sensor networks.

III. OBJECTIVES & OVERVIEW OF THE PROPOSED PROTOCOL

A. Objectives
In this paper, we propose to design a Trust-based Cross-Layer Security protocol (TCLS) based on a cross-layer approach, which attains confidentiality and authentication of packets in the routing layer and link layer of MANETs, with the following objectives:
• lightweight, in order to considerably extend the network lifetime, which necessitates ciphers that are computationally efficient, such as symmetric-key algorithms and cryptographic hash functions;
• cooperative, accomplishing high-level security with the aid of mutual collaboration among nodes and with other protocols;
• attack-tolerant, enabling the network to resist attacks and device compromises, and helping the network heal itself by detecting, recognizing, and eliminating the sources of attacks;
• flexible enough to trade security for energy consumption;
• compatible with the security methodologies and services in existence;
• scalable to the rapidly growing network size.

B. Overview of the Protocol
We propose a trust-based packet forwarding scheme in MANETs without using any centralized infrastructure. It uses trust values to favor packet forwarding by maintaining a trust counter for each node. A node is punished or rewarded by decreasing or increasing its trust counter. Each intermediate node marks the packets by adding its hash value and forwards the packet towards the destination node. The destination node verifies the hash value and checks the trust counter value. If the hash value is verified, the trust counter is incremented; otherwise it is decremented. If the trust counter value falls below a trust threshold, the corresponding intermediate node is marked as malicious. This scheme presents a solution to node selfishness without requiring any pre-deployed infrastructure, and it is independent of any underlying routing protocol. We focus on the CBC-X mode encryption/decryption algorithm to satisfy the requirement of minimum computational and communication overhead. This algorithm supports encryption/decryption and authentication of packets in a one-pass operation, and the upper layers of the protocol stack are provided with security services transparently. A CBC-X mode symmetric-key mechanism is devised to implement our link-layer security system. Encryption/decryption and authentication operations are combined into a single step, which reduces the computational overhead by half compared with calculating them individually, and the padding technique ensures that the method causes no ciphertext expansion for the transmitted data payload. Thus the communication overhead is reduced significantly.

IV. EFFICIENT MAC LAYER SECURITY PROTOCOL

A. Trust Based Forwarding Scheme
In our proposed protocol, by dynamically calculating the nodes' trust counter values, the source node is able to select more trusted routes rather than simply the shorter routes. Our protocol marks and isolates malicious nodes from participating in the network, so the potential damage caused by malicious nodes is reduced. We make changes to the AODV routing protocol: an additional data structure called the Neighbors' Trust Counter Table (NTT) is maintained by each network node. Let {Tc1, Tc2, ...} be the initial trust counters of the nodes {n1, n2, ...} along the route R1 from a source S to the destination D. Since a node has no information about the reliability of its neighbors at the beginning, nodes can neither be fully trusted nor fully distrusted. When a source S wants to establish a route to the destination D, it sends route request (RREQ) packets. Each node keeps track of the number of packets it has forwarded through a route using a forward counter (FC). Each time a node nk receives a packet from a node ni, nk increases the forward counter of node ni:

FC ni = FC ni + 1,

i = 1,2.....

(1)
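The NTT bookkeeping and the forward-counter update of equation (1) can be sketched as follows. This is an illustrative Python sketch; the class and method names are ours, since the paper specifies only the data structure and the update rule.

```python
# Sketch of the Neighbors' Trust Counter Table (NTT) and the
# forward-counter update of equation (1). Names are illustrative.
from collections import defaultdict

class Node:
    def __init__(self, name):
        self.name = name
        self.ntt = defaultdict(int)  # neighbor id -> forward counter FC

    def on_packet_from(self, neighbor_id):
        # FC_{n_i} = FC_{n_i} + 1 each time a packet arrives from n_i
        self.ntt[neighbor_id] += 1

n_k = Node("n_k")
for _ in range(3):
    n_k.on_packet_from("n_1")
n_k.on_packet_from("n_2")
print(dict(n_k.ntt))  # {'n_1': 3, 'n_2': 1}
```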

Then the NTT of node n_k is updated with the values of FC_{n_i}. Similarly, each node determines its NTT, and finally the packets reach the destination D. When the destination D receives the accumulated RREQ message, it measures the number of packets received, P_rec. It then constructs a MAC on P_rec with the key shared by the sender and the destination. The RREP contains the source and destination ids, the MAC of P_rec, and the accumulated route from the RREQ, all digitally signed by the destination. The RREP is sent towards the source along the reverse route R1. Each intermediate node along the reverse route from D to S checks the RREP packet to compute the success ratio as


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

    SR_i = FC_{n_i} / P_rec      (2)

where P_rec is the number of packets received at D in time interval t1. The FC_{n_i} values of node n_i can be obtained from the corresponding NTT of the node. The success ratio value SR_i is then added to the RREP packet. The intermediate node then verifies that the digital signature of the destination node stored in the RREP packet is valid. If the verification fails, the RREP packet is dropped. Otherwise, it is signed by the intermediate node and forwarded to the next node in the reverse route. When the source S receives the RREP packet, it first verifies that the first id of the route stored by the RREP is its neighbor. If this is true, it verifies all the digital signatures of the intermediate nodes in the RREP packet. If all these verifications are successful, the trust counter values of the nodes are incremented as

    Tc_i = Tc_i + δ1      (3)

If the verification fails, then

    Tc_i = Tc_i − δ1      (4)

where δ1 is the step value, which can be assigned a small fractional value during the simulation experiments. After this verification stage, the source S checks the success ratio values SR_i of the nodes n_i. For any node n_k, if SR_k < SR_min, where SR_min is the minimum threshold value, its trust counter value is further decremented as

    Tc_i = Tc_i − δ2      (5)

For all the other nodes with SR_k > SR_min, the trust counter values are further incremented as

    Tc_i = Tc_i + δ2      (6)

where δ2 is another step value with δ2 < δ1.

For a node n_k, if Tc_k < Tc_thr, where Tc_thr is the trust threshold value, that node is considered and marked as malicious. If the source does not get the RREP packet within a time period of t seconds, this is treated as a route breakage or failure, and the route discovery process is initiated by the source again. The same procedure is repeated for the other routes R2, R3, etc., and either a route without a malicious node, or the route with the least number of malicious nodes, is selected as the reliable route. In this protocol, authentication is performed for the route reply operation, and only nodes which are stored in the current route need to perform these cryptographic computations. So the proposed protocol is efficient and more secure.

B. CBC-X Mode
Our proposed link layer security scheme adopts the packet format of [16], but the encryption and decryption mechanisms are different. It works between the link layer and the radio layer. Our proposed method encrypts the data and computes the MAC when the application data payload is passed from the link layer to the radio layer. Over the radio channel, the encrypted message is sent out bit by bit. Confidentiality and authentication are the security services provided by our proposed packet format. The packet format of the proposed scheme is illustrated in Figure 1. The fields of the packet are the destination address field, the active message type field, the length field and the data field. We keep the one-byte group field in the proposed scheme to make it general and applicable. We also use a 4-byte MAC field, since it can provide sufficient integrity and authenticity for mobile ad hoc networks. Any alteration during message transmission can be detected by re-computing the MAC, and the erroneous message is discarded to improve efficiency. The scheme uses an 8-byte initial vector (IV) and a block cipher mechanism to encrypt the data field of the packet. The fixed portions of both IVs are the destination address field, the link type field and the length field; these fields take 4 bytes in total.

Figure 1. Packet Format
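Stepping back to the trust-based forwarding scheme above, the source-side trust-counter updates of equations (3)-(6) and the malicious-node test can be sketched as follows. The step values and thresholds below are example choices of ours; the paper only requires δ2 < δ1 and leaves the values as simulation parameters.

```python
# Sketch of the trust-counter updates (equations (3)-(6)) and the
# Tc_thr test. DELTA1, DELTA2, SR_MIN, TC_THR are example values.
DELTA1, DELTA2 = 0.1, 0.05   # step values, delta2 < delta1
SR_MIN = 0.5                 # minimum success-ratio threshold SR_min
TC_THR = 0.2                 # trust threshold Tc_thr

def update_trust(tc, signature_ok, sr):
    """Return (updated trust counter, marked-as-malicious flag)."""
    tc += DELTA1 if signature_ok else -DELTA1   # equations (3)/(4)
    tc += DELTA2 if sr > SR_MIN else -DELTA2    # equations (6)/(5)
    return tc, tc < TC_THR

tc, malicious = update_trust(0.5, True, 0.8)     # well-behaved node
tc2, malicious2 = update_trust(0.3, False, 0.1)  # falls below Tc_thr
```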

In our scheme, generic communication interfaces are given to the upper layer, and the lower radio packet interfaces are used. The nodes in the communication are not aware of the encryption/authentication operations, because the security services are provided transparently. To simplify the scheme, the encryption and authentication for every packet are carried out by our default mode in a single pass. In order to perform message authentication and encryption concurrently before sending a message, we built an authentication and encryption scheme called CBC-X mode.


1) CBC-X Mode Operations:

Figure 2. Encryption

Figure 3. Decryption

The basic steps involved in the encryption and decryption operations are illustrated in Figure 2 and Figure 3, respectively. If the first block has index 1, the formula for CBC encryption is C_i = E_K(P_i ⊕ C_{i−1}), C_0 = IV, while the formula for CBC decryption is P_i = D_K(C_i) ⊕ C_{i−1}, C_0 = IV.
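These two recurrences can be sketched as follows. The 8-byte XOR "cipher" E/D below is a toy stand-in for a real block cipher, so the sketch illustrates plain CBC chaining only, not the combined one-pass authentication of CBC-X.

```python
# CBC chaining: C_i = E_K(P_i XOR C_{i-1}) and P_i = D_K(C_i) XOR C_{i-1},
# with C_0 = IV. E/D are a toy XOR cipher (each is its own inverse).
BLOCK = 8

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, block: bytes) -> bytes:  # toy block cipher
    return _xor(key, block)

def D(key: bytes, block: bytes) -> bytes:  # its inverse
    return _xor(key, block)

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = E(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(D(key, block), prev)
        prev = block
    return out
```

A round trip through `cbc_encrypt` and `cbc_decrypt` with the same key and IV recovers the plaintext, which is the property the mode relies on.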

V. PERFORMANCE EVALUATION

A. Simulation Model and Parameters
We use NS2 to simulate our proposed protocol. In our simulation, the channel capacity of mobile hosts is set to the same value: 2 Mbps. We use the distributed coordination function (DCF) of IEEE 802.11 for wireless LANs as the MAC layer protocol; it has the functionality to notify the network layer about link breakage. In our simulation, 100 mobile nodes move in a 1000 meter x 1000 meter square region for a 50-second simulation time. We assume each node moves independently with the same average speed. All nodes have the same transmission range of 250 meters. The speed is varied from 10 m/s to 50 m/s. The simulated traffic is Constant Bit Rate (CBR). Our simulation settings and parameters are summarized in Table I.
TABLE I. SIMULATION PARAMETERS

No. of Nodes      100
Area Size         1000 m x 1000 m
MAC               802.11
Radio Range       250 m
Simulation Time   50 sec
Traffic Source    CBR
Packet Size       512 bytes
Mobility Model    Random Way Point
Speed             10, 20, 30, 40, 50 m/s
Pause Time        5 sec

The working of the present CBC mode is described below. One ciphertext block is returned for each plaintext block when a part of the plaintext is encrypted; for the encryption of the last block of the plaintext, one or two ciphertext blocks can be returned. Decryption works in the reverse order: apart from the decryption of the last block, one plaintext block is returned for each ciphertext block. After the decryption of the last plaintext block, its padding is calculated and cut off, returning a valid plaintext.

2) CBC Padding Schemes: The plaintext is divided into blocks of 8 bytes (64 bits). The final plaintext block must be padded: the final a plaintext bytes, 0 ≤ a ≤ 7, are followed by 8 − a padding bytes, each valued 8 − a. For example:
messagebyte1 || messagebyte2 || '06' || '06' || '06' || '06' || '06' || '06'

By contrast, ESP padding uses X padding bytes, 1 ≤ X ≤ 255, valued sequentially: '01' || '02' || '03' || ... || 'X'
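The block-of-8 padding rule above (the value-equals-count convention, as in PKCS#5) can be sketched as:

```python
# Pad/unpad per the rule above: the final a plaintext bytes (0 <= a <= 7)
# are followed by 8 - a padding bytes, each holding the value 8 - a.
BLOCK = 8

def pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)  # 1..8 padding bytes
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not (1 <= n <= BLOCK) or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

# Two message bytes get six '06' padding bytes, as in the example above.
padded = pad(b"\x01\x02")
```

Note that a full final block (a = 0) receives a whole extra block of eight '08' bytes, which is what allows `unpad` to work unambiguously.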


B. Performance Metrics
We mainly evaluate the performance according to the following metrics:

• Control overhead: the total number of routing control packets normalized by the total number of received data packets.
• Average end-to-end delay: the end-to-end delay averaged over all surviving data packets from the sources to the destinations.
• Average packet delivery ratio: the ratio of the number of packets received successfully to the total number of packets transmitted.

The simulation results are presented in the next section. We compare our TCLS protocol with the LLSP [15] protocol in the presence of malicious nodes.

C. Results
1) Based on Attackers: In our first experiment, we vary the number of misbehaving nodes as 5, 10, 15, 20 and 25.
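The three metrics above can be computed from per-run tallies as follows. The function names and sample numbers are illustrative only, not taken from the paper's simulations.

```python
# Illustrative computation of the three evaluation metrics.
def control_overhead(routing_ctrl_pkts, data_pkts_received):
    # routing control packets normalized by received data packets
    return routing_ctrl_pkts / data_pkts_received

def avg_end_to_end_delay(per_packet_delays):
    return sum(per_packet_delays) / len(per_packet_delays)

def packet_delivery_ratio(pkts_received, pkts_transmitted):
    return pkts_received / pkts_transmitted

oh = control_overhead(1200, 4000)
delay = avg_end_to_end_delay([0.8, 1.2, 1.0])
pdr = packet_delivery_ratio(3800, 4000)
```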

Figure 6. Attackers Vs Overhead

Figure 4 shows the average packet delivery ratio for 5, 10, ..., 25 misbehaving nodes. Clearly, our TCLS scheme achieves a higher delivery ratio than the LLSP scheme, since it has both reliability and security features. Figure 5 shows the average end-to-end delay for 5, 10, ..., 25 misbehaving nodes. From the results, we can see that the TCLS scheme has slightly lower delay than the LLSP scheme, as LLSP's authentication routines add delay. Figure 6 shows the routing overhead for 5, 10, ..., 25 misbehaving nodes. From the results, we can see that the TCLS scheme has less routing overhead than the LLSP scheme, since it does not involve route re-discovery routines.

2) Based on Speed: In our second experiment, we vary the speed as 10, 20, 30, 40 and 50 m/s, with 5 attackers.

Figure 4. Attackers Vs Delivery Ratio


Figure 7. Speed Vs Delivery Ratio

Figure 5. Attackers Vs Delay



Figure 8. Speed Vs Delay

Figure 9. Speed Vs Overhead

Figure 7 shows the average packet delivery ratio for speeds 10, 20, ..., 50 m/s in the 100-node scenario. Clearly, our TCLS scheme achieves a higher delivery ratio than the LLSP scheme, since it has both reliability and security features. Figure 8 shows the average end-to-end delay for speeds 10, 20, ..., 50 m/s. From the results, we can see that the TCLS scheme has slightly lower delay than the LLSP scheme. Figure 9 shows the routing overhead for speeds 10, 20, ..., 50 m/s. From the results, we can see that the TCLS scheme has less routing overhead than the LLSP scheme.

VI. CONCLUSION

In this paper, we have developed a trust-based security protocol which attains confidentiality and authentication of packets in both the routing and link layers of MANETs. In the first phase of the protocol, we designed a trust-based packet forwarding scheme for detecting and isolating malicious nodes using routing layer information. It uses trust values to favor packet forwarding by maintaining a trust counter for each node. A node is punished or rewarded by decreasing or increasing its trust counter, and if the trust counter value falls below a trust threshold, the corresponding intermediate node is marked as malicious. In this protocol, authentication is performed for the route reply operation, and only nodes which are stored in the current route need to perform this cryptographic computation, so the proposed protocol is efficient and more secure. The scheme presents a solution to node selfishness without requiring any pre-deployed infrastructure and is independent of any underlying routing protocol. In the second phase of the protocol, we provide link-layer security using the CBC-X mode of authentication and encryption. Through simulation results, we have shown that the proposed cross-layer security protocol achieves a high packet delivery ratio while attaining low delay and overhead. As future work, we will try to reduce the energy consumption, control overhead and delay of our proposed protocol by applying optimization techniques.

REFERENCES

[1] Farooq Anjum, Dhanant Subhadrabandhu and Saswati Sarkar, "Signature based Intrusion Detection for Wireless Ad-Hoc Networks: A Comparative Study of Various Routing Protocols", in Proceedings of the IEEE 58th Vehicular Technology Conference, 2003.
[2] Anand Patwardhan, Jim Parker, Anupam Joshi, Michaela Iorga and Tom Karygiannis, "Secure Routing and Intrusion Detection in Ad Hoc Networks", Third IEEE International Conference on Pervasive Computing and Communications, March 2005.
[3] Chin-Yang Henry Tseng, "Distributed Intrusion Detection Models for Mobile Ad Hoc Networks", University of California at Davis, Davis, CA, USA, 2006.
[4] Tarag Fahad and Robert Askwith, "A Node Misbehaviour Detection Mechanism for Mobile Ad-hoc Networks", in Proceedings of the 7th Annual PostGraduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting, June 2006.
[5] Panagiotis Papadimitratos and Zygmunt J. Haas, "Secure Data Communication in Mobile Ad Hoc Networks", IEEE Journal on Selected Areas in Communications, Vol. 24, No. 2, February 2006.
[6] Ernesto Jiménez Caballero, "Vulnerabilities of Intrusion Detection Systems in Mobile Ad-hoc Networks - The Routing Problem", 2006.
[7] Yanchao Zhang, Wenjing Lou, Wei Liu and Yuguang Fang, "A Secure Incentive Protocol for Mobile Ad Hoc Networks", Wireless Networks (WINET), Vol. 13, No. 5, October 2007.
[8] Kejun Liu, Jing Deng, Pramod K. Varshney and Kashyap Balakrishnan, "An Acknowledgment-based Approach for the Detection of Routing Misbehavior in MANETs", IEEE Transactions on Mobile Computing, May 2007.
[9] Li Zhao and José G. Delgado-Frias, "MARS: Misbehavior Detection in Ad Hoc Networks", in Proceedings of the IEEE Global Telecommunications Conference, November 2007.
[10] A. Patwardhan, J. Parker, M. Iorga, A. Joshi, T. Karygiannis and Y. Yesha, "Threshold-based Intrusion Detection in Ad hoc Networks and Secure AODV", Elsevier Ad Hoc Networks Journal (ADHOCNET), June 2008.
[11] S. Madhavi and Tai Hoon Kim, "An Intrusion Detection System in Mobile Adhoc Networks", International Journal of Security and Its Applications, Vol. 2, No. 3, July 2008.
[12] Afzal, Biswas, Jong-bin Koh, Raza, Gunhee Lee and Dong-kyoo Kim, "RSRP: A Robust Secure Routing Protocol for Mobile Ad Hoc Networks", in Proceedings of the IEEE Conference on Wireless Communications and Networking, pp. 2313-2318, April 2008.
[13] Bhalaji, Sivaramkrishnan, Sinchan Banerjee, Sundar and Shanmugam, "Trust Enhanced Dynamic Source Routing Protocol for Adhoc Networks", in Proceedings of World Academy of Science, Engineering and Technology, Vol. 36, pp. 1373-1378, December 2008.
[14] Meka, Virendra and Upadhyaya, "Trust Based Routing Decisions in Mobile Ad-hoc Networks", in Proceedings of the Workshop on Secure Knowledge Management, 2006.
[15] Muhammad Mahmudul Islam, Ronald Pose and Carlo Kopp, "A Link Layer Security Protocol for Suburban Ad-Hoc Networks", in Proceedings of the Australian Telecommunication Networks and Applications Conference, December 2004.


[16] Shiqun Li, Tieyan Li, Xinkai Wang, Jianying Zhou and Kefei Chen, "Efficient Link Layer Security Scheme for Wireless Sensor Networks", Journal of Information and Computational Science, Vol. 4, No. 2, pp. 553-567, June 2007.
[17] S. Schmidt, H. Krahn, S. Fischer and D. Wätjen, "A Security Architecture for Mobile Wireless Sensor Networks", in Proceedings of the First European Workshop on Security in Ad-Hoc and Sensor Networks (ESAS 2004), August 2004.

AUTHORS PROFILE

S. Palaniswami received the B.E. degree in electrical and electronics engineering from the Govt. College of Technology, Coimbatore, University of Madras, Madras, India, in 1981, the M.E. degree in electronics and communication engineering (Applied Electronics) from the Govt. College of Technology, Bharathiar University, Coimbatore, India, in 1986, and the Ph.D. degree in electrical engineering from PSG College of Technology, Bharathiar University, Coimbatore, India, in 2003. He has been the Registrar of Anna University Coimbatore, Coimbatore, India, since May 2007. His research interests include control systems, communication and networks, fuzzy logic, AI and sensor networks. He has about 25 years of teaching experience, since 1982, having served as Lecturer, Associate Professor, Professor and Registrar, and he is a life member of ISTE, India.

A. Rajaram received the B.E. degree in electronics and communication engineering from the Govt. College of Technology, Coimbatore, Anna University, Chennai, India, in 2006, and the M.E. degree in electronics and communication engineering (Applied Electronics) from the Govt. College of Technology, Anna University, Chennai, India, in 2008. He is currently pursuing the full-time Ph.D. degree in electronics and communication engineering at Anna University Coimbatore, Coimbatore, India. His research interests include mobile ad hoc networks, wireless communication networks (WiFi, WiMAX, high-slot GSM), novel VLSI NoC design approaches addressing issues such as low power, cross-talk and hardware acceleration, OFDM MIMO design and noise suppression in MAI systems, ASIC design, control systems, fuzzy logic, AI and sensor networks.


Generalized Discriminant Analysis algorithm for feature reduction in Cyber Attack Detection System
Shailendra Singh
Department of Information Technology
Rajiv Gandhi Technological University
Bhopal, India

Sanjay Silakari
Department of Computer Science and Engineering
Rajiv Gandhi Technological University
Bhopal, India

Abstract—Generalized Discriminant Analysis (GDA) provides an extremely powerful approach to extracting non-linear features. The network traffic data provided for the design of an intrusion detection system is always large and contains ineffective information, so we need to remove the worthless information from the original high-dimensional database. To improve generalization ability, we usually generate a small set of features from the original input variables by feature extraction. The conventional Linear Discriminant Analysis (LDA) feature reduction technique has its limitations: it is not suitable for non-linear datasets. We therefore propose an efficient algorithm based on the Generalized Discriminant Analysis (GDA) feature reduction technique, a novel approach in the area of cyber attack detection. It not only reduces the number of input features but also increases classification accuracy and reduces the training and testing time of the classifiers by selecting the most discriminating features. We use Artificial Neural Network (ANN) and C4.5 classifiers to compare the performance of the proposed technique. The results indicate the superiority of the algorithm.

Keywords—Linear Discriminant Analysis, Generalized Discriminant Analysis, Artificial Neural Network, C4.5.

I. INTRODUCTION

Information assurance is an issue of serious global concern. The internet has brought great benefits to modern society. According to the statistics of the American Computer Emergency Response Team/Coordination Center (CERT) [1], network incidents have shown exponential growth in recent years, and according to an information security report [2], internet attacks have become a new weapon of warfare. The report further states that Chinese military hackers had drawn up a plan to attack an American aircraft carrier battle group through the internet in order to weaken its fighting capacity. Such information reveals that there is an urgent need to effectively identify and stop internet attacks. It is not an exaggerated statement that an intrusion detection system is a must for modern computer systems. Anomaly detection and misuse detection [3] are two general approaches to computer intrusion detection. Unlike misuse detection, which generates an alarm when a known attack signature is matched, anomaly detection identifies activities that deviate from the normal behavior of the monitored system and thus has the potential to detect novel attacks [4]. Currently there are three basic approaches [5] to cyber attack detection.

The data we use here originated from MIT's Lincoln Lab. It was developed for the KDD (Knowledge Discovery and Data mining) competition by DARPA and is considered a standard benchmark for the intrusion detection evaluation program [6]. Empirical studies indicate that feature reduction techniques are capable of reducing the size of the dataset. The time and space complexities of most classifiers used are exponential functions of their input vector size [7]. Moreover, the number of samples demanded for training the classifier grows exponentially with the dimension of the feature space. This limitation is called the 'curse of dimensionality.' A feature space with reduced features that truly contribute to classification cuts pre-processing costs and minimizes the effects of the 'peaking phenomenon' in classification [8], thereby improving the overall performance of classifier-based intrusion detection systems.

The most famous technique for dimensionality reduction is Linear Discriminant Analysis (LDA) [9][10]. This technique searches for directions in the data that have largest variance and subsequently projects the data onto them. By this we obtain a lower-dimensional representation of the data that removes some of the "noisy" directions. But it suffers from the difficult issue of how many directions to choose, and it fails to compute principal components in high-dimensional feature spaces which are related to the input space by some nonlinear map.

In this paper we present the Generalized Discriminant Analysis (GDA) [11] technique to overcome the limitations of the LDA technique. This is a unique approach to reduce the size of attack data. Each network connection is transformed into an input data vector. GDA is employed to reduce the high-dimensional data vectors, and identification is handled in a low-dimensional space with high efficiency and low use of system resources. The normal behavior is profiled based on normal data for anomaly detection, and the behavior of each type of attack is built based on attack data for intrusion identification. Each reduced feature dataset is applied to the Artificial Neural


Network (ANN) and C4.5 decision tree classifiers, and their performance is compared.

II. THE DATA SET

In the 1998 DARPA intrusion detection evaluation program [6], an environment was set up to acquire raw TCP/IP dump data for a network by simulating a typical U.S. Air Force LAN. The LAN was operated like a true environment, but was blasted with multiple attacks. For each TCP/IP connection, 41 quantitative (continuous data type) and qualitative (discrete data type) features were extracted; among the 41 features, 34 are numeric and 7 are symbolic. The data contains 24 attack types that can be classified into four main categories:

• DOS: Denial of Service attack.
• R2L: Remote to Local (User) attack.
• U2R: User to Root attack.
• Probing: Surveillance and other probing.

A. Denial of Service Attack (DOS)
Denial of service (DOS) is a class of attack where an attacker makes a computing or memory resource too busy or too full to handle legitimate requests, thus denying legitimate users access to a machine.

B. Remote to Local (User) Attacks
A remote to local (R2L) attack is a class of attack where an attacker sends packets to a machine over the network and then exploits the machine's vulnerability to illegally gain local access to it.

C. User to Root Attacks
User to root (U2R) attacks are a class of attack where an attacker starts with access to a normal user account on the system and is able to exploit a vulnerability to gain root access to the system.

D. Probing
Probing is a class of attack where an attacker scans a network to gather information or find known vulnerabilities. An attacker with a map of the machines and services available on a network can use this information to look for exploits.

III. TECHNIQUES FOR FEATURE EXTRACTION

Feature extraction applies a mapping of the multidimensional space into a space of lower dimensions. Feature extraction [12] includes feature construction, space dimensionality reduction, sparse representations, and feature selection. All these techniques are commonly used as pre-processing for machine learning and statistics tasks of prediction, including pattern recognition and regression. Although such problems have been tackled by researchers for many years, there has recently been renewed interest in feature extraction. A number of new

applications with very large input spaces critically need space dimensionality reduction for efficiency of the classifiers. In this section we discuss two techniques, LDA and the proposed GDA, for reducing the dimensionality of the KDDCup99 intrusion detection dataset. Each feature vector is labeled as an attack or as normal. The distance between a vector and its reconstruction onto the reduced subspace representing different types of attacks and normal activities is used for identification.

A. Linear Discriminant Analysis (LDA)

Linear Discriminant Analysis [9][10][13] is a class-specific method in the sense that it represents data in a form that is useful for classification. It finds the optimal transformation matrix that preserves most of the information that can be used to discriminate between the different classes; the analysis therefore requires the data to have appropriate class labels.

To mathematically formulate the optimization, let X = {x_1, x_2, ..., x_M} be the dataset of M given N-dimensional vectors of the KDDCup99 dataset. Each data point belongs to one of C object classes {X_1, X_2, ..., X_C}. The between-class scatter matrix and the within-class scatter matrix are defined as

    B = Σ_{c=1}^{C} M_c (m_c − m)(m_c − m)^T      (1)

    W = Σ_{c=1}^{C} Σ_{x∈X_c} (x − m_c)(x − m_c)^T      (2)

where m_c denotes the class mean, m is the global mean of the entire sample, and M_c is the number of vectors in class X_c. LDA finds the matrix U maximizing the ratio of the determinant of the between-class scatter matrix to the determinant of the within-class scatter matrix:

    U_opt = arg max_U |U^T B U| / |U^T W U| = [u_1, u_2, ..., u_N]      (3)

The solution {u_i | i = 1, 2, ..., N} is a set of generalized eigenvectors of B and W, i.e. B u_i = λ_i W u_i. With these definitions, we can easily interpret the optimization criterion: the numerator represents the covariance of the pooled training data in the transformed feature space, and the denominator represents the average covariance within each class in the transformed feature space. Hence, the criterion tries to maximize the 'distance' between classes while minimizing the 'size' of each of the classes at the same time. This is exactly what we want to achieve, because this criterion guarantees that we preserve most of the discriminant information in the transformed feature


space. It turns out that the optimum matrix according to the above formula can be found in a fairly easy way. LDA is applied to the KDDCUP99 data, and the features selected are given in Table I.
TABLE I. FEATURES SELECTED BY LDA TECHNIQUE

S. No   Feature             Type
1       duration            Continuous
2       protocol_type       Discrete
3       service             Discrete
4       src_bytes           Continuous
5       land                Discrete
6       wrong_fragment      Continuous
7       num_failed_logins   Continuous
8       logged_in           Discrete
9       root_shell          Continuous
10      num_file_creation   Continuous
11      is_guest_login      Discrete
12      count               Continuous
13      srv_count           Continuous
14      serror_rate         Continuous
15      srv_serror_rate     Continuous
16      diff_srv_rate       Continuous
17      dst_host_count      Continuous

B. Generalized Discriminant Analysis (GDA)

The Generalized Discriminant Analysis is used for multi-class classification problems. Due to the large variations in the attack patterns of the various attack classes, there is usually considerable overlap between some of these classes in the feature space. In this situation, a feature transformation mechanism that can minimize the within-class scatter and maximize the between-class scatter is used. The Generalized Discriminant Analysis (GDA) [11][14] is a method designed for nonlinear classification based on a kernel function φ which transforms the original space X to a new high-dimensional feature space Z: φ: X → Z. The between-class and within-class scatter matrices of the nonlinearly mapped data are

    B^φ = Σ_{c=1}^{C} M_c m_c^φ (m_c^φ)^T      (4)

    W^φ = Σ_{c=1}^{C} Σ_{x∈X_c} φ(x) φ(x)^T      (5)

where m_c^φ is the mean of class X_c in Z and M_c is the number of samples belonging to X_c. The aim of the GDA is to find such a projection matrix U^φ that maximizes the ratio

    U_opt^φ = arg max_{U^φ} |(U^φ)^T B^φ U^φ| / |(U^φ)^T W^φ U^φ| = [u_1^φ, ..., u_N^φ]      (6)

TABLE II. CONFUSION MATRIX FOR ANN CLASSIFIER BY LDA TECHNIQUE

Actual \ Predicted   Normal   Probe   DOS      R2L     U2R    %Correct
Normal               58748    773     1070     1       1      96.95
Probe                104      4002    59       1       0      96.06
DOS                  4211     2805    222833   1       3      96.94
R2L                  13359    1550    474      180     1      10.4
U2R                  57       127     4        0       40     17.54
%Correct             76.81    43.23   99.28    99.83   88.88

The vectors u^φ can be found as the solution of the generalized eigenvalue problem, i.e. B^φ u_i^φ = λ_i W^φ u_i^φ. The training vectors are supposed to be centered (zero mean, unit variance) in the feature space Z. From the theory of reproducing kernels, any solution u^φ ∈ Z must lie in the span of all training samples in Z, i.e.

    u^φ = Σ_{c=1}^{C} Σ_{i=1}^{M_c} α_ci φ(x_ci)      (7)

where the α_ci are real weights and x_ci is the ith sample of class c. The solution is obtained by solving

    λ = (α^T K D K α) / (α^T K K α)      (8)

TABLE III. CONFUSION MATRIX FOR C4.5 CLASSIFIER BY LDA TECHNIQUE

Actual \ Predicted   Normal   Probe   DOS      R2L     U2R    %Correct
Normal               59969    423     190      5       6      98.17
Probe                194      3881    90       1       0      93.15
DOS                  17927    8969    202942   10      5      88.29
R2L                  13813    614     6        1726    30     22.3
U2R                  149      20      2        6       51     10.66
%Correct             65.14    27.90   99.85    98.74   52.43
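The %Correct figures in the confusion-matrix tables of this paper can be reproduced from the raw counts: the rightmost column holds row percentages (per-class recall over actual instances) and the bottom row holds column percentages (per-class precision over predictions). The 2x2 matrix below is illustrative, not the paper's data.

```python
# Derive row (recall) and column (precision) percentages from a
# confusion matrix given as rows of actual-class counts.
def percent_correct(matrix):
    rows = [100.0 * row[i] / sum(row) for i, row in enumerate(matrix)]
    cols = [100.0 * matrix[j][j] / sum(r[j] for r in matrix)
            for j in range(len(matrix))]
    return rows, cols

rows, cols = percent_correct([[90, 10], [30, 70]])
```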


where \alpha = (\alpha_c), c = 1 \ldots C, is a vector of weights with \alpha_c = (\alpha_{ci}), i = 1 \ldots M_c. The kernel matrix K (of size M \times M) is composed of the dot products of the nonlinearly mapped data, i.e.

K = (K_{kl}), \qquad k = 1 \ldots C, \; l = 1 \ldots C        (9)

where K_{kl} = (k(x_{ki}, x_{lj})), i = 1 \ldots M_k, j = 1 \ldots M_l. The matrix D (of size M \times M) is a block-diagonal matrix such that

D = (D_c), \qquad c = 1 \ldots C        (10)

where the c-th block on the diagonal has all elements equal to 1/M_c. Solving the eigenvalue problem yields the coefficient vectors \alpha that define the projection vectors u^\phi \in Z. A projection of a testing vector x_test is computed as

(u^\phi)^T \phi(x_{test}) = \sum_{c=1}^{C} \sum_{i=1}^{M_c} \alpha_{ci} \, k(x_{ci}, x_{test})        (11)

TABLE V. CONFUSION MATRIX FOR ANN CLASSIFIER BY GDA TECHNIQUE.

Predicted \ Actual   Normal   Probe   DOS      R2L     U2R    %Correct
Normal               59975    100     2585     11562   99     69.83
Probe                430      4010    552      3027    67     25.1
DOS                  192      55      226710   8       8      99.7
R2L                  5        0       4        1956    1      99.6
U2R                  6        1       2        1       55     76.3
%Correct             98.95    96.25   98.63    12.08   24.12

The procedure of the proposed algorithm can be summarized as follows:
• Compute the matrices K and D from equations (9) and (10);
• Decompose K using eigenvector decomposition;
• Compute the eigenvectors \alpha and eigenvalues of equation (6);
• Compute the eigenvectors u^\phi from the \alpha_{ci} using equation (7) and normalize them;
• Compute projections of the test points onto the eigenvectors u^\phi using equation (11).
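As a rough illustration (not the authors' implementation), the steps above can be sketched in NumPy/SciPy: build a Gaussian kernel matrix K and block-diagonal D, solve the generalized eigenproblem K D K \alpha = \lambda K K \alpha of equation (8), and project test points via equation (11). The kernel width and the small ridge term added for numerical stability are illustrative choices, not values from the paper.

```python
import numpy as np
from scipy.linalg import eigh

def rbf_kernel(A, B, gamma=10.0):
    """Gaussian kernel; gamma = 1/0.1 matches k(x, y) = exp(-||x-y||^2 / 0.1)."""
    d = np.sum(A**2, 1)[:, None] + np.sum(B**2, 1)[None, :] - 2 * A @ B.T
    return np.exp(-gamma * np.maximum(d, 0.0))

def gda_fit(X, y, gamma=10.0, n_components=2, reg=1e-6):
    """Solve K D K a = lambda K K a (Eq. 8) for the expansion weights of Eq. (7)."""
    M = len(y)
    K = rbf_kernel(X, X, gamma)
    J = np.eye(M) - 1.0 / M                 # centering matrix
    K = J @ K @ J                           # centre the data in feature space
    D = np.zeros((M, M))                    # block-diagonal D (Eq. 10)
    for c in np.unique(y):
        idx = np.where(y == c)[0]
        D[np.ix_(idx, idx)] = 1.0 / len(idx)
    # generalized symmetric eigenproblem; reg*I keeps K K positive definite
    vals, vecs = eigh(K @ D @ K, K @ K + reg * np.eye(M))
    return vecs[:, ::-1][:, :n_components]  # leading eigenvectors alpha

def gda_transform(alpha, Xtrain, Xtest, gamma=10.0):
    """Project test points via Eq. (11): (u^phi)^T phi(x) = sum_i alpha_i k(x_i, x)."""
    return rbf_kernel(Xtest, Xtrain, gamma) @ alpha
```

On two well-separated toy classes the leading component returned by `gda_fit` separates the class means, mirroring the discriminative projection the section derives.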

TABLE VI. CONFUSION MATRIX FOR C4.5 CLASSIFIER BY GDA TECHNIQUE.

Predicted \ Actual   Normal   Probe   DOS      R2L     U2R    %Correct
Normal               60400    10      3058     3468    46     90.17
Probe                151      4150    160      984     47     75.56
DOS                  38       4       227339   1010    4      99.53
R2L                  1        1       2        10726   1      99.95
U2R                  3        1       3        1       130    94.2
%Correct             99.68    99.61   98.60    66.25   57.01

The input training data is mapped by a kernel function to a high-dimensional feature space, where the different classes are assumed to be linearly separable. The Linear Discriminant Analysis (LDA) [15] scheme is then applied to the mapped data, where it searches for those vectors that best discriminate among the classes rather than those that best describe the data [16]. Furthermore, given a number of independent features which describe the data, LDA creates a linear combination of the features that yields the largest mean differences between the desired classes [17]. The original 41 features are reduced to 12 features by GDA, as shown in Table IV.

TABLE IV. FEATURES SELECTED BY GENERALIZED DISCRIMINANT ANALYSIS

S.No   Feature                  Type
1      Service                  Discrete
2      src_bytes                Continuous
3      dst_bytes                Continuous
4      logged_in                Discrete
5      count                    Continuous
6      srv_count                Continuous
7      serror_rate              Continuous
8      srv_rerror_rate          Continuous
9      srv_diff_host_rate       Continuous
10     dst_host_count           Continuous
11     dst_host_srv_count       Continuous
12     dst_host_diff_srv_rate   Continuous

The resulting confusion matrices of the ANN and C4.5 classifiers are shown in Tables V and VI, respectively. We obtain two reduced datasets by the LDA and GDA techniques, in addition to the original dataset, as shown in Table VII.

TABLE VII. SUMMARY OF DATASETS OBTAINED AFTER FEATURE EXTRACTION

Dataset Name   Features   Method
ORIGDATA       41         None
LDADATA        17         LDA
GDADATA        12         GDA

IV. EXPERIMENTAL RESULTS

We conduct two experiments, one with an Artificial Neural Network (ANN) [18] and another with C4.5 [19], for training and testing. There are approximately 494,020 records in the training dataset and 311,029 records in the test dataset, covering five classes (Normal, DOS, R2L, U2R and Probe). We choose 97277, 391458, 1126, 52 and 4107 samples for Normal, DOS, R2L, U2R and Probe, respectively, to train the PCA and the proposed GDA, and then use test data of 60593, 229853, 16189, 228, and


4166 for Normal, DOS, R2L, U2R and Probe, respectively, to compare the training and testing times and recognition rates. Each sample vector is of dimensionality 41. We use the Gaussian kernel

k(x, y) = \exp(-\|x - y\|^2 / 0.1)

to calculate the kernel matrix. All experiments are run on the platform of Windows XP with a 2.0 GHz CPU and 1 GB RAM, using the Weka 3.5.8 software to implement the proposed technique.

A. Artificial Neural Network (ANN)
We use an Artificial Neural Network (ANN) for classification of cyber attacks, specifically a multi-layer feed-forward neural network, since such a network is capable of multi-class classification. A single ANN is employed to perform cyber attack detection, using the same training and testing sets as those for C4.5. ANNs take a long time to train, or fail to converge at all, when the number of patterns grows large.

B. C4.5 classifier
Algorithms for constructing decision trees are among the best known and most widely used of all machine learning methods. Among decision tree algorithms, J. Ross Quinlan's ID3 and its successor, C4.5, are probably the most popular in the machine learning community; these algorithms and variations on them have been the subject of numerous research papers since Quinlan introduced ID3. A classification tree, also called a decision tree, is a prediction model in machine learning; it is a tree-patterned graph similar to a flow-chart structure, in which internal nodes and leaves represent the distribution over the various classes. There are two methods for tree construction, top-down construction and bottom-up pruning; C4.5 uses top-down tree construction.

The detection and identification of attack and non-attack behaviors can be generalized as follows:
True Positive (TP): the amount of attack detected when it is actually attack.
True Negative (TN): the amount of normal detected when it is actually normal.
False Positive (FP): the amount of attack detected when it is actually normal (false alarm).
False Negative (FN): the amount of normal detected when it is actually attack.

A confusion matrix contains information about the actual and predicted classifications made by a classifier, and the performance of such a system is commonly evaluated using the data in this matrix. Table VIII shows the confusion matrix.

TABLE VIII. CONFUSION MATRIX

Predicted \ Actual   Normal                 Attack
Normal               True Negative (TN)     False Negative (FN)
Attack               False Positive (FP)    True Positive (TP)

In the confusion matrix, rows correspond to predicted categories, while columns correspond to actual categories.

Comparison of detection rate: the Detection Rate (DR) is given by

DR = TP / (TP + FN) × 100%

Comparison of false alarm rate: the False Alarm Rate (FAR) is the proportion of normal data falsely detected as attack behavior:

FAR = FP / (FP + TN) × 100%

The reported results in terms of detection rate, false alarm rate, training time and testing time of the ANN and C4.5 decision tree classifiers are summarized in Tables IX and X.
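To make the C4.5 split criterion described above concrete, here is a small standard-library-only sketch of the gain-ratio computation C4.5 uses when choosing an attribute for a top-down split (an illustration, not the Weka J48 implementation used in the experiments):

```python
import math
from collections import Counter

def entropy(labels):
    """Shannon entropy of a label sequence, in bits."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())

def gain_ratio(feature_values, labels):
    """C4.5 split criterion: information gain normalized by split information."""
    n = len(labels)
    subsets = {}
    for v, y in zip(feature_values, labels):
        subsets.setdefault(v, []).append(y)
    gain = entropy(labels) - sum(len(s) / n * entropy(s) for s in subsets.values())
    split_info = -sum((len(s) / n) * math.log2(len(s) / n) for s in subsets.values())
    return gain / split_info if split_info > 0 else 0.0
```

A perfectly predictive attribute yields a gain ratio of 1.0, while an attribute independent of the class yields 0.0, which is why C4.5 prefers it to raw information gain for many-valued attributes.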
TABLE IX. DETECTION RATE, FALSE ALARM RATE, TRAINING TIME AND TESTING TIME OF ANN AND C4.5 CLASSIFIERS WITH THE LDA TECHNIQUE

             ANN                              C4.5
         DR      FAR     TR.   TE.       DR      FAR     TR.   TE.
Normal   96.95   23.19   44s   31s       98.17   34.86   41s   30s
Probe    96.15   56.77   16s   15s       93.15   72.1    16s   16s
DOS      96.94    0.72   55s   27s       88.29    0.15   51s   27s
R2L      10.4     0.17   17s   15s       10.66    1.26   15s   12s
U2R      17.54   11.12   10s   10s       22.3    47.57   10s    9s

DR - detection rate, FAR - false alarm rate, TR. - training time, TE. - testing time

TABLE X. DETECTION RATE, FALSE ALARM RATE, TRAINING TIME AND TESTING TIME OF ANN AND C4.5 CLASSIFIERS WITH THE GDA TECHNIQUE

             ANN                              C4.5
         DR      FAR     TR.   TE.       DR      FAR     TR.   TE.
Normal   98.95   30.17   39s   25s       99.68    9.83   32s   23s
Probe    96.25   74.9    15s   13s       99.61   24.44   13s   11s
DOS      98.63    0.3    49s   24s       98.60    0.47   45s   22s
R2L      12.08    0.4    14s   11s       66.25    0.05   12s    9s
U2R      24.12   23.7    10s    8s       57.01    5.8     7s    6s

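The per-class DR and FAR values reported in Tables IX and X follow directly from the confusion-matrix counts by treating each class one-vs-rest. A small sketch (not the authors' code) of that computation:

```python
import numpy as np

def per_class_rates(cm):
    """Per-class DR and FAR from a confusion matrix.

    cm[i, j] = count of samples predicted as class i whose actual class is j
    (rows = predicted, columns = actual, as in the text)."""
    cm = np.asarray(cm, dtype=float)
    n = cm.shape[0]
    dr, far = np.zeros(n), np.zeros(n)
    for k in range(n):
        tp = cm[k, k]
        fn = cm[:, k].sum() - tp   # actual class k, predicted as something else
        fp = cm[k, :].sum() - tp   # predicted class k, actually something else
        tn = cm.sum() - tp - fn - fp
        dr[k] = 100.0 * tp / (tp + fn)     # DR = TP/(TP+FN) x 100%
        far[k] = 100.0 * fp / (fp + tn)    # FAR = FP/(FP+TN) x 100%
    return dr, far
```

Feeding in the confusion matrices of Tables II, III, V and VI reproduces their %Correct columns as the per-class detection rates.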


Figure 1. Comparison of detection rate of LDA and GDA for ANN
Figure 2. Comparison of detection rate of LDA and GDA for C4.5
Figure 3. Comparison of false alarm rate of LDA and GDA for ANN
Figure 4. Comparison of false alarm rate of LDA and GDA for C4.5
Figure 5. Comparison of training time of LDA and GDA for ANN
Figure 6. Comparison of training time of LDA and GDA for C4.5


Figure 7. Comparison of testing time of LDA and GDA for ANN
Figure 8. Comparison of testing time of LDA and GDA for C4.5

V. CONCLUSION

As seen from the results, the Generalized Discriminant Analysis algorithm is better than Linear Discriminant Analysis for the case of large-scale datasets where the number of training samples is large. GDA gives a better detection rate, fewer false positives, and reduced training and testing times compared with LDA for both classifiers. Moreover, when the two classifiers are compared, the C4.5 classifier shows better performance for all the classes (Normal, DOS, R2L, U2R, Probe) and comparable training and testing times, as shown in Tables IX and X. The KDDCup99 dataset applied in this research paper is popularly used in current cyber attack detection systems; however, it is data from 1999, and since network technology and attack methods have changed greatly, it cannot reflect the real network situation prevailing nowadays. Therefore, if newer information is available, tested and compared, it can more accurately reflect the current network situation. For future research, we propose an ensemble approach for a cyber attack detection system in which Generalized Discriminant Analysis (GDA) is used as the feature reduction technique and C4.5 as the classifier.

REFERENCES

[1] American Computer Emergency Response Team/Coordination Center (CERT), http://www.cert.org/.
[2] Information Security Report, http://www.isecu-tech.com.tw/.
[3] R. G. Bace, Intrusion Detection. Macmillan Technical Publishing, 2000.
[4] H. Debar et al., "Towards a taxonomy of intrusion detection systems," Computer Networks, pp. 805-822, April 1999.
[5] Shailendra Singh, Sanjay Silakari, "A survey of Cyber Attack Detection Systems," International Journal of Computer Science and Network Security (IJCSNS), Vol. 9, No. 5, pp. 1-10, May 2009.
[6] KDD Cup 99 dataset, August 2003, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
[7] R. O. Duda, P. E. Hart, and D. G. Stork, Pattern Classification, vol. 1. New York: Wiley, 2002.
[8] A. K. Jain, R. P. W. Duin, and J. Mao, "Statistical Pattern Recognition: A Survey," IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 22, pp. 4-37, January 2000.
[9] Jing Gao et al., "A Novel Framework for Incorporating Labeled Examples into Anomaly Detection," Proceedings of the SIAM Conference on Data Mining, 2006.
[10] W. Zhao, R. Chellappa, and N. Nandhakumar, "Empirical Performance Analysis of Linear Discriminant Classifiers," Proc. Computer Vision and Pattern Recognition, pp. 164-169, June 1998.
[11] G. Baudat and F. Anouar, "Generalized Discriminant Analysis Using a Kernel Approach," Neural Computation, 2000.
[12] Gopi K. Kuchimanchi, Vir V. Phoha, Kiran S. Balagani, Shekhar R. Gaddam, "Dimension Reduction Using Feature Extraction Methods for Real-time Misuse Detection Systems," Proceedings of the IEEE on Information, 2004.
[13] Kemal Polat et al., "A cascade learning system for classification of diabetes disease: Generalized Discriminant Analysis and Least Square Support Vector Machine," Expert Systems with Applications, 34, pp. 482-487, 2008.
[14] K. Fukunaga, Introduction to Statistical Pattern Classification. Academic Press, San Diego, California, USA, 1990.
[15] H. C. Kim et al., "Face recognition using LDA mixture model," Proceedings Int. Conf. on Pattern Recognition, 2002.
[16] A. M. Martinez, A. C. Kak, "PCA versus LDA," IEEE Trans. Pattern Anal. Mach. Intell., 23(2):228-233, 2001.
[17] A. M. Martinez, A. C. Kak, "PCA versus LDA," IEEE Trans. Pattern Anal. Mach. Intell., 23(2):228-233, 2001.
[18] J. Cannady, "Artificial neural networks for misuse detection," National Information Systems Security Conference, 1998, pp. 368-381.
[19] J. R. Quinlan, C4.5: Programs for Machine Learning. Morgan Kaufmann, 1993.


AUTHORS PROFILE

Shailendra Singh is a Lecturer in the Department of Information Technology at Rajiv Gandhi Technological University, Bhopal, India. He has published two research papers in international journals and 8 papers in international and national conference proceedings. His research interests include data mining and network security. He is a life member of ISTE, an associate member of the Institution of Engineers (India) and a member of the International Association of Computer Science and Information Technology (IACSIT), Singapore.

Dr. Sanjay Silakari is Professor and Head of the Department of Computer Science and Engineering at Rajiv Gandhi Technological University, Bhopal, India. He has been awarded a Ph.D. degree in Computer Science. He possesses more than 16 years of experience in teaching undergraduate and post-graduate classes. He has published more than 55 papers in international and national journals and conference proceedings. He is a member of the International Association of Computer Science and Information Technology (IACSIT).


Management of Location Based Advertisement Services using Spatial Triggers
in Cellular Networks
M. Irfan 1, M.M. Tahir N. Baig 2, Raheel M. Hashmi 3, Furqan H. Khan 4, Khurram Shehzad, Assad Ali
Department of Electrical Engineering, COMSATS Institute of Information Technology, Islamabad, Pakistan
3 Department of Electronics & Information, Politecnico di Milano, Italy

Abstract- This paper discusses the advent of new technologies which have emerged in the area of Location Based Services (LBS). An innovative implementation approach is presented for the design of applications which are inventive and attractive to the user. The Spatial Trigger is one of the most promising additions to LBS technologies. This paper describes ways in which mobile advertisement services can be introduced effectively in the cellular market by bringing innovation to them through effective usage of Spatial Triggers, hence opening new horizons to make consumer cellular networks commercially more effective and informative.

Keywords- Location based services; GSM; Wireless Communication; 3G and 4G Technologies; Spatial triggers.

I. INTRODUCTION

Location Based Services (LBS) are among the most highly sought services after Value Added Services (VAS) and are expected to generate substantial revenue for the cellular communication industry. These services, on the other hand, are aimed to benefit the user by providing valuable information and opportunity access at the same time. Bounding the discussion, it can be stated that "Location Based Services are subsidiary options to voice and data communication which employ the consumers' locations to provide them with different kinds of information services". LBS were first introduced in the last decade of the 20th century, but are still not as popular as Value Added Services (VAS) and have a long way to go. As cellular communications have progressed, LBS have advanced as well. LBS are regarded as very low-cost and efficient data services which can benefit the consumers as well as the network. Location determination technologies (LDT), such as Cell ID, A-GPS and E-OTD, are used to find the user's location information, which usually consists of X-Y coordinates [1]. For implementation of a specific location based service, modifications are made at either the network terminals or in the mobile station (MS) equipment. In some cases, both the network and the MS need to be upgraded for LBS implementation; however, the updates are software-based solutions and involve very low enhancement costs. Some of the main service categories for LBS include Emergency and Safety services, Information and Navigation services, Tracking and Monitoring services, and Communities and Entertainment based services.

II. LOCATION DETERMINATION TECHNIQUES

Location Determination Techniques (LDT) are an important part of LBS. The various position determination methods in use include satellite-based positioning, network-based positioning and local positioning methods. Each has its merits and demerits, but almost all serve their purpose, which is to provide the latest information about the user's location. Some of the most common positioning methods, with their accuracy levels, are listed below.

A. Cell Identification or Cell Global Identity (CGI):
CGI is the most basic method of mobile positioning; it is supported by all handsets and provides the location of the mobile station based on the location of the base station it is connected to [1], [2]. CGI is most commonly used alongside timing advance, together named CGI-TA. The accuracy of this method depends on the cell size: it can provide accuracy ranging from 100 m to 1100 m in urban areas, while its accuracy is much lower in rural areas where the cell size is bigger [3].

Figure 1: Cell site with Sector and Timing Advance

B. Enhanced Cell Global Identity (E-CGI)
In Enhanced Cell Global Identity, positioning accuracy is enhanced by making use of the power level calculated by the mobile phone together with CGI. The power level measured at the handset is used by the server to calculate the distance


between the base station and the mobile station. As in the case of CGI, the accuracy of E-CGI also depends on cell density and can vary from 50 to 550 meters in urban areas [1], [2].

Figure 2: Enhanced Cell Global Identity

C. Time of Arrival (TOA):
TOA determines the location of the user based on the received signal's time of arrival from three different base stations (BS) [4]. The positions of the base stations are known accurately and are used to determine the position of the mobile user. The TOA method requires tight synchronization between the base stations [5]. The accuracy of the location information acquired through this method ranges from 125 m to 200 m. The prime advantage of TOA is that it does not require extra hardware or software at the MS terminal, yet has much greater accuracy than CGI-TA [1], [5], [6].

D. Enhanced Observed Time Difference (E-OTD):
E-OTD is a modification of the TOA method. In E-OTD the handset measures the differences in arrival time of signals transmitted from a minimum of three synchronized base stations [5]. The OTD is the time interval observed by a handset between the receptions of bursts from two BSs in the cellular network. This time-measurement capability is a feature of the consumer handset, which limits E-OTD to enabled and provisioned handsets. An E-OTD capable handset is equipped with special software to execute E-OTD signaling and measurement methods. Time delay measurements made by the handset are transferred via the air interface to the Serving Mobile Location Centre (SMLC). The E-OTD method requires network modification, introducing Location Measurement Units (LMU), to compensate for the case when the GSM network is not very highly synchronized [2]. The accuracy of the E-OTD positioning method can vary from 50 m to 150 m [3], [6].

Figure 3: Enhanced Observed Time Difference

E. Assisted Global Positioning System (A-GPS):
A-GPS is a terminal-based positioning technique which requires modification of both the hardware and software of the mobile handset. It is the most expensive LDT, but on the other hand it is the most accurate technique, with accuracies ranging from 5 m to 40 m [3], [5].

Figure 4: Assisted Global Positioning System

III. POSITIONING REQUEST METHODS

Besides the LDT, what is more important for the core network's server-end application development in LBS is the use of Location Requests. There are two major types of Location Requests, discussed below.

A. Mobile Terminated Location Request (MT-LR):
MT-LRs are requests which arrive from outside the Public Land Mobile Network (PLMN), for purposes such as legal interception. These requests must come through a gateway called the GMLC (Gateway Mobile Location Centre), which verifies that the necessary agreements exist between the operator and the organization owning the external node, called the LCS Client [7].

B. Mobile Originated Location Request (MO-LR):
MO-LRs may also come from the MS in order to support mobility applications. The MO-LR procedure can also be used to enable an MS to request that its own location be sent to an external LCS client. The mobile initiates the location request towards the SMLC. Once location data is obtained, the MS is informed of its location and, in the case where the LCS


client is to be informed, the GMLC is sent a location report, which it forwards to the LCS client [7]. As these definitions reveal, MT-LR is the simpler application and also the most widely used, but it does not support high-quality mobility applications as MO-LR does. The use of MO-LR can be termed a little complex, but it makes the services based on it much simpler and more user friendly. Moreover, MO-LR supports the use of spatial triggers, which have been among the most promising features of LBS since their inception. Figure 5 shows the basic flow diagram of an MO-LR.

C. Spatial Triggers:
Spatial Triggers are triggers created either when a user enters or leaves a predefined geographical area, or when two MSs come relatively close to each other. Detecting such an event is the most important part of applications developed on the principle of spatial triggers. The most commonly used method to detect spatial triggers is constant database queries based on the latest location data received from the SMLC. Many companies have included the feature of spatial triggers in their GMLCs, but if the system supports MO-LR, the spatial triggers can also be checked outside the GMLC; in this case the process carries a slight additional processing load. The proposed approach defines the functionality of spatial triggers to ensure their best utilization for introducing location based advertisement services in commercial GSM, UMTS and other consumer cellular networks.

IV. SPATIAL TRIGGER BASED MOBILE ADVERTISEMENT

Mobile advertisements are very common these days. Most of these advertisements are general purpose, as they are not targeted to a single user class. The introduced approach is to develop an application which takes advantage of the user's location to send advertisements of the nearest commercial opportunities and prospective commercial outlets. Moreover, the application should also keep in view the

interests of the user and the revenues of the network. Although the developed application operates at the server end, it has three distributed parts: 1) a server module, 2) an advertiser handler and 3) an MS (user) module. The application is programmed on the server equipment and is implemented as part of the GMLC. The description of these modules is given in this section in increasing order of their complexity.

A. Advertiser Handler:
The advertiser is the first contributor to the proposed application. To make the application attractive to the advertiser, a web interface has been designed which provides the advertiser with a platform for managing advertisements. Each advertiser is provided a unique identifier to log in to this interface and insert the data of the prescribed outlet or product into the database, which keeps the spatial data about all the advertisers in a certain area. This data includes the advertiser's location specification, based on a pre-programmed geographical map in the application; the identifier used to log in to the system; the service type to be provided; and miscellaneous promotional information to be forwarded to the consumers. All this information can be modified by the advertiser whenever desired, using the advertiser ID.

B. User Module:
Each user in the customer database is requested to subscribe to this application based on individual desire and need. If a user is interested in subscribing, the user is classified as a common user, a GPRS user, or a GPRS and GPS user. The GPRS users must also have the software package for digital mapping to earn additional benefits. Each user is also queried regarding the kinds of service advertisements he or she intends to receive. The user has the freedom to choose all, some or one of the offered advertisement classes, as per individual aspirations. After the subscription is done, the user's location is constantly updated to the application using MO-LR.

C. Server Module:
The server module is the principal part of our application. It consistently maintains a database which has three major fields: 1) User: this section keeps information about the user, the designated interests and the user class. 2) Advertisement: this section keeps information about the advertisers, their location specifications in terms of coordinates, service types and promotional information; this information can only be modified by the advertiser in person. 3) Info-log: this section keeps volatile data about the user's most recent location. This data is acquired from the GMPC and is removed as soon as it is processed, to avoid storage overheads.
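The server module's constant-query trigger check described above can be sketched as follows. This is an illustrative sketch only: the dictionary field names (`lat`, `lon`, `service_type`, `interests`, `ad_id`) and the 500 m trigger radius are hypothetical, not taken from the paper, and the great-circle (haversine) distance stands in for whatever geodesic the deployed application uses.

```python
import math

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    R = 6371000.0  # mean Earth radius, metres
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * R * math.asin(math.sqrt(a))

def check_triggers(user, advertisers, radius_m=500.0):
    """Constant-query spatial-trigger check: a trigger fires when an advertiser
    lies within radius_m of the user's last reported position AND the
    advertiser's service type matches one of the user's subscribed classes."""
    hits = []
    for ad in advertisers:
        close = haversine_m(user["lat"], user["lon"], ad["lat"], ad["lon"]) <= radius_m
        if close and ad["service_type"] in user["interests"]:
            hits.append(ad["ad_id"])
    return hits
```

In the application, such a check would run against the info-log section each time an MO-LR delivers fresh coordinates, and each hit would result in an advertisement message being forwarded to the user.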

Figure 5: Mobile Originated Location Request


At present, the service providers equipped with LBS have different features in their GMLCs. Some GMLCs support MO-LR, while some are not capable of doing so. Similar is the case for the spatial triggers associated with LBS: very few GMLCs support this feature at present. For example, Ericsson's Mobile Positioning System (MPS) is one of the few which not only supports MO-LR, but whose GMPC (Gateway Mobile Positioning Center) also checks for spatial triggers according to pre-defined parameters. This lessens the burden on the server considerably compared to creating the spatial triggers separately in a neighboring application. Due to the scarcity of such features, this research and development venture also explains the process of creating and determining spatial triggers at the application level, outside the GMLC.

Figure 6. Message flow for operation of the LBS advertisement application. The dotted region shows the MO-LR process.

The message flow in the system for operation of our application is shown in Figure 6. As the mobile user who has subscribed to the advertisement service moves from one location to another, an MO-LR is invoked, which is processed by the SMLC, and the location information is forwarded to the GMLC. This information contains the user's MS-ISDN, the location coordinates of the user, and the parameters which define the uncertainty in case the information has been acquired through a network-based LDT. For example, for the CGI-TA method it contains parameters such as inner radius, outer radius and arc width to define the area where the user is located with reference to the BS. The information forwarded by the SMLC is then passed to the info-log section of the database. This information is then picked up by the scripts which run continuously on the server. These scripts are designed and programmed using integrated Java and PHP support. The scripts classify the information and then check the service types against which the user has subscribed. A script then selects the location data of the advertisers in that area, one at a time, calculates the distance


between the user and the advertiser's coordinates, and determines whether the service type matches the user's interests. If the distance is less than a specified limit and the service types match, it is concluded that a trigger exists and the designated information is to be forwarded to the user. It should also be noted that the spatial triggers cannot be retrieved at any level other than their mother application, and hence are determined through the constant-query method. Once it is determined that a trigger exists between the user and the advertiser, the next step is to determine how to forward the information to the MS. As described above, we classify users into three unique classes. The common user is forwarded the information through a simple text message based on the 'Flash' message format. Such a user does not have support for high accuracy, but as the service is aimed at urban and densely populated areas, the uncertainty can easily be covered by approximations. The second and third types of users can be forwarded the selected information by first determining whether their application is active. If the check is positive, the information is forwarded using the text message format with a highly accurate service. The information forwarded to the user contains the approximate distance to the advertiser's outlet, the advertiser's ID and any other advertisement which the advertiser wants to attach to the message. The scenario shown in Figure 6 has been designed and simulated using Ericsson's Mobile Positioning System Software Development Kit (MPS-SDK) and the MPC Map Tool. The map tool can be used to create route files on any given map. These route files are then loaded into the MPS-SDK, whose emulator simulates them and provides the application with MO-LR based location information of the users defined in the route file. The information is based on any available type of LDT and contains all the content types of data which the SMLC forwards to the GMLC. This information is then processed as defined earlier in this section. For simulation purposes the SMSC is replaced by the NowSMS® Gateway.

V. CONCLUSION

VI. FUTURE WORK The applications based on the spatial triggers have a vast scope in the mobile market. With slight modifications in the database and server application this feature can also be used to introduce proximity teller services and tracking services. The same application can also be modified to support more features in the future. The advertisements can be made more practical by allowing users to go for subscriptions offered in the advertisements by using the same service with which they are forwarded the advertisement. ACKNOWLEDGMENT We would like to thank the officials of Ericsson Inc. Pakistan who provided us the platforms and software support to do this R&D venture. We would also like to acknowledge the role of Mr. Riaz Hussain, Assistant Professor, CIIT Islamabad, who helped us during the course of our project. REFERENCES
[1] GSM Association, Location Based Services, Version 3.1.0, Permanent Reference Document: SE.23, 2003 [2] T. Kos, M. Grgic, G. Sisul, Mobile User Positioning in GSM/UMTS Cellular Networks, Proc. of the 48th Int. Symposium ELMAR-2006 focused on Multimedia Signal Processing and Communications, Zadar, Croatia, pp. 185-188, 2006 [3] G. Retscher, A. Kealy, Ubiquitous Positioning Technologies for Modern Intelligent Navigation Systems, The Journal of Navigation, vol. 59, no.1, pp. 91-103, 2006 [4] A. Sage, Future Positioning Technologies and their Application to the Automotive Sector, The Journal of Navigation, vol. 54, no. 3, pp. 321328, 2001 [5] Motorola, Inc., Overview of 2G LCS Technologies and Standards, 3GPP TSG SA2 LCS Workshop, London, UK, January 2001 [6] Tomislav Kos , Mislav Grgic , Jakov Kitarovic, Location Technologies for Mobile Networks, Proc of 6th EURASIP Conference focused on Speech and Image Processing, Multimedia Communications and Services.Publication, pp. 319-322, 2007 [7] Mayank Taya!, “Location Services in the GSM and UMTS Networks” IEEE International Conference on Personal Wireless Communications, 2005. ICPWC 2005.

AUTHORS PROFILE
Muhammad Irfan, Mirza Muhammad Tahir Naveed Baig and Furqan Hameed Khan, have done Electrical Engineering with majors in Telecommunications from Dept. of Electrical Engineering, CIIT, Islamabad in 2009. They are graduate students and are involved in research regarding the field of Value Added Services for Mobile Communications and Computer Networks. Raheel Maqsood Hashmi is a graduate student at Dept. of Electronics & Information, Politecnico di Milano, Italy. He did his degree in Electrical Engineering from CIIT, Islamabad in 2009 and received Gold Medallion Award. He has research contributions in the area of Mobile Communication, Wireless Networking and Security. KhurramShehzad and Assad Ali have done Electrical Engineering with majors in Telecommunication from Dept. of Electrical Engineering, CIIT, Islamabad in 2009. They were recommended by CIIT, EE Dept as student researchers for the CIMI (CIIT Medals for innovation) Awards 2008. They have research contributions in the area of Mobile Communication and QoS Management in Wireless Networks.

The spatial trigger based mobile advertisement is a unique idea which can be implemented in any environment where the GMLC supports MO-LR. This is a three tier application with all the stakeholders that is mobile user, service provider and advertisers; actively participating in the application process. As this application is applicable to all types of users, it can prove to be a good source of generating revenue for the service providers; a new and innovative platform for small business enterprise to advertise themselves; and a good, attractive, easy to use, and low cost application for the user. Moreover, the ease of integration of this application in 2G, 3G and 4G communication networks endorses the reliability and capability of this application interface.


http://sites.google.com/site/ijcsis/ ISSN 1947-5500

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No. 1, 2009

A Way to Understand Various Patterns of Data Mining Techniques for Selected Domains
Dr. Kanak Saxena, Professor & Head, Computer Application, SATI, Vidisha, kanak.saxena@gmail.com
D.S. Rajpoot, Registrar, UIT RGPV, Bhopal, dsrphd@yahoo.com

Abstract: This has much in common with traditional work in statistics and machine learning. However, important new issues arise because of the sheer size of the data. One of the important problems in data mining is classification-rule learning, which involves finding rules that partition given data into predefined classes. In the data mining domain, where millions of records and a large number of attributes are involved, the execution time of existing algorithms can become prohibitive, particularly in interactive applications.

1. Introduction: With an enormous amount of data stored in databases and data warehouses, it is increasingly important to develop [1] powerful tools for the analysis of such data and for mining interesting knowledge from it. Data mining [4] is a process of inferring knowledge from such huge data. It has five major components: association rules; classification or clustering; characterization and comparison; sequential pattern analysis; and trend analysis.

An association rule [5] is a rule which implies certain association relationships among a set of objects in a database. In this process we discover a set of association rules at multiple levels of abstraction from the relevant set(s) of data in a database. For example, one may discover a set of symptoms [2] often occurring together with certain kinds of diseases, and further study the reasons behind them. Since finding interesting association rules in databases may disclose some useful patterns for decision support, selective marketing, financial forecast, medical diagnosis and many other applications, it has attracted [3] a lot of attention in recent data mining research. Mining association rules may require iterative scanning of large transaction or relational databases, which is quite costly in processing.

2. A brief review of the work already done in the field: Sequential pattern mining is an interesting data mining problem with many real-world applications. This problem has been studied extensively in static databases. However, in recent years, emerging applications have introduced a new form of data called the data stream. In a data stream [6], new elements are generated continuously. This poses additional constraints on the methods used for mining such data: memory usage is restricted, the infinitely [8] flowing original dataset cannot be scanned multiple times, and current results should be available on demand. L.F. Mendes, Bolin Ding and Jiawei Han [9] introduce two effective methods for mining sequential patterns from data streams: the SS-BE method and the SS-MB method. The proposed methods break the stream into


batches and only process each batch once. The two methods use different pruning strategies [10] that restrict memory usage but can still guarantee that all true sequential patterns are output at the end of any batch. Both algorithms scale linearly in execution time as the number of sequences grows, making them effective methods for sequential pattern mining in data streams. The experimental results also show that their methods are very accurate, in that only a small fraction of the output patterns are false positives. Even for these false positives, SS-BE guarantees that their true support is above a pre-defined threshold. Previous studies have shown that mining closed patterns provides more benefits than mining the complete set of frequent patterns, since closed-pattern mining leads to more compact results and more efficient algorithms. This is quite useful in a data-stream environment where memory and computation power are major concerns. Lei Chang, Tengjiao Wang, Dongqing Yang and Hua Luan [20] study the problem of mining closed sequential patterns over data-stream sliding windows. An efficient algorithm, SeqStream, is developed to mine closed sequential patterns in stream windows incrementally, and various novel strategies are adopted in SeqStream [7] to prune the search space aggressively. Extensive experiments on both real and synthetic data sets show that SeqStream outperforms PrefixSpan, CloSpan and BIDE by about one to two orders of magnitude.

The input data is a set of sequences, called data-sequences. Each data-sequence is an ordered list of transactions (or itemsets), where each transaction is a set of items (literals). Typically there is a transaction-time associated with each transaction. A sequential pattern also consists of a list of sets of items. The problem is to find all sequential patterns with a user-specified minimum support, where the support of a sequential pattern is the percentage of data-sequences that contain the pattern. The framework of sequential pattern discovery is explained here using the example of a customer transaction database, as by Agrawal & Srikant [11]. The database is a list of time-stamped transactions for each customer that visits a supermarket, and the objective is to discover (temporal) buying patterns that sufficiently many customers exhibit. This is essentially an extension (by incorporation of temporal ordering information into the patterns being discovered) of the original association rule mining framework proposed for a database of unordered transaction records (Agrawal et al 1993) [12], which is known as the Apriori algorithm. Since there are many temporal pattern discovery algorithms that are modeled along the same lines as the Apriori algorithm, it is useful to first understand how Apriori works before discussing extensions to the case of temporal patterns. Let D be a database of customer transactions at a supermarket. A transaction is simply an unordered collection of items purchased by a customer in one visit to the supermarket. The Apriori algorithm [13] systematically unearths all patterns in the form of (unordered) sets of items that appear in a sizable number of transactions. We introduce some notation to precisely define this framework. A non-empty set of items is called an itemset. An itemset i is denoted by (i1, i2, i3, ..., im), where ij is an item. Since i has m items, it is sometimes called an m-itemset. Trivially, each transaction in the database is an itemset. However, given an arbitrary itemset i, it may or may not be contained in a given transaction T. The fraction of all transactions in the database in which an itemset is contained is called the support of that itemset. An


itemset whose support exceeds a user-defined threshold is referred to as a frequent itemset. These itemsets [14] are the patterns of interest in this problem. The brute-force method of determining supports for all possible itemsets (of size m for various m) is a combinatorially explosive exercise and is not feasible in large databases (which is typically the case in data mining). The problem therefore is to find an efficient algorithm to discover all frequent itemsets in the database D given a user-defined minimum support threshold. The Apriori algorithm exploits the following very simple (but amazingly useful) principle: if i and j are itemsets such that j is a subset of i, then the support of j is greater than or equal to the support of i. Thus, for an itemset to be frequent all its subsets must in turn be frequent as well. This gives rise to an efficient level-wise construction of the frequent itemsets in D. The algorithm makes multiple passes over the data. Starting with itemsets of size 1 (i.e. 1-itemsets), every pass discovers frequent itemsets of the next bigger size. The first pass over the data discovers all the frequent 1-itemsets. These are then combined to generate candidate 2-itemsets, and by determining their supports (using a second pass over the data) the frequent 2-itemsets are found. Similarly, these frequent 2-itemsets are used to first obtain candidate 3-itemsets and then (using a third database pass) the frequent 3-itemsets are found, and so on. The candidate generation before the m-th pass uses the Apriori principle described above as follows: an m-itemset is considered a candidate only if all (m−1)-itemsets contained in it have already been declared frequent in the previous step. As m increases, while the number of all possible m-itemsets grows exponentially, the number of frequent m-itemsets grows much more slowly and, as a matter of fact, starts decreasing after some m. Thus the candidate generation method in Apriori makes the algorithm efficient. This process of progressively building itemsets of the next bigger size is continued till a stage is reached when (for some size of itemsets) there are no frequent itemsets left to continue. This marks the end of the frequent itemset discovery process.

3. Note Worthy Contribution in the field of proposed work: L.F. Mendes, Bolin Ding and Jiawei Han [21] introduce two effective methods for mining sequential patterns from data streams: the SS-BE method and the SS-MB method. The proposed methods break the stream into batches and only process each batch once. The two methods use different pruning strategies that restrict memory usage but can still guarantee that all true sequential patterns are output at the end of any batch. Both algorithms scale linearly in execution time as the number of sequences grows, making them effective methods for sequential pattern mining in data streams. The experimental results also show that their methods are very accurate, in that only a small fraction of the output patterns are false positives. Even for these false positives, SS-BE guarantees that their true support is above a pre-defined threshold. Lei Chang, Tengjiao Wang, Dongqing Yang and Hua Luan [22] study the problem of mining closed sequential patterns over data-stream sliding windows. An efficient algorithm, SeqStream, is developed to mine closed sequential patterns in stream windows incrementally, and various novel strategies are adopted in SeqStream to prune the search space aggressively. Extensive experiments on both real and synthetic data sets show that SeqStream outperforms PrefixSpan, CloSpan and BIDE by about one to two orders of magnitude.
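The level-wise Apriori procedure described above can be sketched in a few lines. This is a minimal illustrative implementation, not the code of any cited system, and it trades efficiency for clarity: a real implementation would count all candidate supports in one scan per level rather than one scan per candidate.

```python
from itertools import combinations

def apriori(transactions, min_support):
    """Return {itemset: support} for all frequent itemsets.
    `min_support` is a fraction of the total number of transactions."""
    transactions = [frozenset(t) for t in transactions]
    n = len(transactions)

    def support(itemset):
        return sum(itemset <= t for t in transactions) / n

    # Pass 1: find the frequent 1-itemsets.
    result = {}
    prev = set()
    for item in {i for t in transactions for i in t}:
        s = support(frozenset([item]))
        if s >= min_support:
            result[frozenset([item])] = s
            prev.add(frozenset([item]))

    m = 2
    while prev:
        # Candidate m-itemsets: unions of frequent (m-1)-itemsets, kept only
        # if every (m-1)-subset is itself frequent (the Apriori principle).
        candidates = {a | b for a in prev for b in prev if len(a | b) == m}
        candidates = {c for c in candidates
                      if all(frozenset(s) in prev
                             for s in combinations(c, m - 1))}
        prev = set()
        for c in candidates:          # one pass over the data per level
            s = support(c)
            if s >= min_support:
                result[c] = s
                prev.add(c)
        m += 1
    return result

# Toy database of four market baskets.
db = [{"milk", "bread"}, {"milk", "bread", "eggs"},
      {"bread", "eggs"}, {"milk", "eggs"}]
freq = apriori(db, min_support=0.5)
print(freq[frozenset({"milk", "bread"})])  # present in 2 of 4 baskets -> 0.5
```

On this toy data the 3-itemset {milk, bread, eggs} is generated as a candidate (all three of its 2-subsets are frequent) but rejected because its support, 0.25, falls below the threshold, illustrating exactly the pruning behaviour described in the text.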


The input data is a set of sequences, called data-sequences. Each data-sequence is an ordered list of transactions (or itemsets), where each transaction is a set of items (literals). Typically there is a transaction-time associated with each transaction. A sequential pattern also consists of a list of sets of items. The problem is to find all sequential patterns with a user-specified minimum support, where the support of a sequential pattern is the percentage of data-sequences that contain the pattern.

4. Proposed Methodology: We have studied the patterns in the result analysis of our university's result data for different semesters, as shown below.

1.1 Year wise Data for Subject Code BE-101

Year    Rst_Per
2003    62.5
2004    79.8
2005    71.3
2006    78.4
2007    60.4

[Figure 1.1: Result Graph for BE-101]

1.2 Year wise Data for Subject Code BE-102

Year    R_pst
2003    66.55
2004    68.69
2005    79.72
2006    72.66
2007    68.08

[Figure 1.2: Result Graph for BE-102]

1.3 Year wise Data for Subject Code BE-103

Year    R_percent
2003    88.62
2004    90.54
2005    91.57
2006    90.28
2007    90.94

[Figure 1.3: Result Graph for BE-103]


1.4 Year wise Data for Subject Code BE-104

Year    R_pst
2003    88.62
2004    90.54
2005    91.57
2006    90.28
2007    90.94

[Figure 1.4: Result Graph for BE-104]

1.5 Year wise Data for Subject Code BE-105

Year    R_percent
2003    72.8
2004    87.44
2005    69.45
2006    74.4
2007    29.69

[Figure 1.5: Result Graph for BE-105]

The methodology applied to complete the research work "A Way to Understand Various Pattern Mining Techniques for Selected Domain" was divided into a series of steps. We envisage studying and implementing the following methods:
Study of temporal relations.
An overview and research survey summarizing previous work that investigated the various functions of data sequences in various domains.
Problem formulation and generation of the frequent sequences.
Sub-division of the sequences based on the structure of the sequence, i.e. constraint-based mining and extended-sequence-based mining with pruning strategies.
Analysis and evaluation of the proposed sequential pattern mining algorithm with item gap and time stamp.

5. Expected outcome of the proposed work:
Appropriate duration modeling for events in sequences.
Improved time and space complexities of the algorithms.
Comparison with existing models on extracted-sequence quality, number of extracted sequences and execution time.
Implementation of the proposed sequential patterns; if the implementation is successful, it will be tested for evaluation.

6. Bibliography in standard format:


[1] R. Agrawal, R. Srikant, "Mining Sequential Patterns", Proc. of the Int'l Conference on Data Engineering (ICDE), Taipei, Taiwan, March 1995.
[2] J. Ayres, J. Gehrke, T. Yu, J. Flannick, "Sequential Pattern Mining using a Bitmap Representation", Int'l Conf. on Knowledge Discovery and Data Mining, pp. 429-435, 2002.
[3] M. Garofalakis, R. Rastogi, K. Shim, "Mining Sequential Patterns with Regular Expression Constraints", IEEE Transactions on Knowledge and Data Engineering, vol. 14, no. 3, pp. 530-552, 2002.
[4] J. Pei, J. Han, et al., "PrefixSpan: Mining Sequential Patterns Efficiently by Prefix-Projected Pattern Growth", Int'l Conf. on Data Engineering, pp. 215-226, 2001.
[5] J. Pei, J. Han, "Constrained frequent pattern mining: a pattern-growth view", SIGKDD Explorations, vol. 4, no. 1, pp. 31-39, 2002.
[6] C. Antunes, A. L. Oliveira, "Generalization of Pattern-Growth Methods for Sequential Pattern Mining with Gap Constraints", Int'l Conf. on Machine Learning and Data Mining, pp. 239-251, 2003.
[7] R. Srikant, R. Agrawal, "Mining Sequential Patterns: Generalizations and Performance Improvements", Proc. of the Fifth Int'l Conference on Extending Database Technology (EDBT), Avignon, France, March 1996.
[8] M. Zaki, "Efficient Enumeration of Frequent Sequences", ACM Conf. on Information and Knowledge Management, pp. 68-75, 1998.
[9] R. Agrawal, A. Arning, T. Bollinger, M. Mehta, J. Shafer, R. Srikant, "The Quest Data Mining System", Proc. of the 2nd Int'l Conference on Knowledge Discovery in Databases and Data Mining, Portland, Oregon, August 1996.
[10] Eui-Hong (Sam) Han, A. Srivastava, V. Kumar, "Parallel Formulations of Inductive Classification Learning Algorithm", 1996.
[11] R. Agrawal, R. Srikant, "Fast Algorithms for Mining Association Rules", Proc. of the 20th Int'l Conference on Very Large Databases, Santiago, Chile, Sept. 1994.
[12] J. Han, J. Chiang, S. Chee, J. Chen, Q. Chen, S. Cheng, W. Gong, M. Kamber, K. Koperski, G. Liu, Y. Lu, N. Stefanovic, L. Winstone, B. Xia, O. R. Zaiane, S. Zhang, H. Zhu, "DBMiner: A System for Data Mining in Relational Databases and Data Warehouses", Proc. CASCON'97: Meeting of Minds, Toronto, Canada, November 1997.
[13] Cheung, J. Han, V. T. Ng, A. W. Fu, Y. Fu, "A Fast Distributed Algorithm for Mining Association Rules", Proc. of 1996 Int'l Conf. on Parallel and Distributed Information Systems (PDIS'96), Miami Beach, Florida, USA, Dec. 1996.
[14] R. Kohavi, D. Sommerfield, J. Dougherty, "Data Mining using MLC++: A Machine Learning Library in C++", Tools with AI, 1996.


IJCSIS REVIEWERS’ LIST
Assist. Prof. (Dr.) M. Emre Celebi, Louisiana State University in Shreveport, USA
Dr. Lam Hong Lee, Universiti Tunku Abdul Rahman, Malaysia
Dr. Shimon K. Modi, Director of Research BSPA Labs, Purdue University, USA
Dr. Emanuele Goldoni, University of Pavia, Dept. of Electronics, Italy
Dr. Jianguo Ding, Norwegian University of Science and Technology (NTNU), Norway
Assoc. Prof. N. Jaisankar, VIT University, Vellore, Tamilnadu, India
Dr. Amogh Kavimandan, The Mathworks Inc., USA
Dr. Ramasamy Mariappan, Vinayaka Missions University, India
Dr. Yong Li, School of Electronic and Information Engineering, Beijing Jiaotong University, P.R. China
Assist. Prof. Sugam Sharma, NIET, India / Iowa State University, USA
Dr. Jorge A. Ruiz-Vanoye, Universidad Autónoma del Estado de Morelos, Mexico
Dr. Neeraj Kumar, SMVD University, Katra (J&K), India
Dr. Junjie Peng, Shanghai University, P. R. China
Dr. Ilhem LENGLIZ, HANA Group - CRISTAL Laboratory, Tunisia
Prof. Dr. Durgesh Kumar Mishra, Acropolis Institute of Technology and Research, Indore, MP, India
Jorge L. Hernández-Ardieta, University Carlos III of Madrid, Spain
Prof. Dr. C. Suresh Gnana Dhas, Anna University, India
Prof. Pijush Biswas, RCC Institute of Information Technology, India
Dr. Siddhivinayak Kulkarni, University of Ballarat, Ballarat, Victoria, Australia
Dr. A. Arul Lawrence, Royal College of Engineering & Technology, India
Mr. Wongyos Keardsri, Chulalongkorn University, Bangkok, Thailand
Mr. Somesh Kumar Dewangan, CSVTU Bhilai (C.G.) / Dimat Raipur, India
Mr. Hayder N. Jasem, University Putra Malaysia, Malaysia
Mr. A.V. Senthil Kumar, C. M. S. College of Science and Commerce, India
Mr. R. S. Karthik, C. M. S. College of Science and Commerce, India
Mr. P. Vasant, University Technology Petronas, Malaysia
Mr. Wong Kok Seng, Soongsil University, Seoul, South Korea
Mr. Praveen Ranjan Srivastava, BITS PILANI, India
Mr. Kong Sang Kelvin Leong, The Hong Kong Polytechnic University, Hong Kong
Mr. Mohd Nazri Ismail, Universiti Kuala Lumpur, Malaysia
Dr. Rami J. Matarneh, Al-isra Private University, Amman, Jordan
Dr. Ojesanmi Olusegun Ayodeji, Ajayi Crowther University, Oyo, Nigeria
Dr. Riktesh Srivastava, Skyline University, UAE
Dr. Oras F. Baker, UCSI University - Kuala Lumpur, Malaysia
Dr. Ahmed S. Ghiduk, Faculty of Science, Beni-Suef University, Egypt and Department of Computer Science, Taif University, Saudi Arabia
Mr. Tirthankar Gayen, IIT Kharagpur, India

Ms. Huei-Ru Tseng, National Chiao Tung University, Taiwan
Prof. Ning Xu, Wuhan University of Technology, China
Mr. Mohammed Salem Binwahlan, Hadhramout University of Science and Technology, Yemen & Universiti Teknologi Malaysia, Malaysia
Dr. Aruna Ranganath, Bhoj Reddy Engineering College for Women, India
Mr. Hafeezullah Amin, Institute of Information Technology, KUST, Kohat, Pakistan
Prof. Syed S. Rizvi, University of Bridgeport, USA
Mr. Shahbaz Pervez Chattha, University of Engineering and Technology Taxila, Pakistan
Dr. Shishir Kumar, Jaypee University of Information Technology, Wakanaghat (HP), India
Mr. Shahid Mumtaz, Portugal Telecommunication, Instituto de Telecomunicações (IT), Aveiro, Portugal
Mr. Rajesh K Shukla, Corporate Institute of Science & Technology, Bhopal, MP
Dr. Poonam Garg, Institute of Management Technology, India
Mr. S. Mehta, Inha University, Korea
Mr. Dilip Kumar S.M, University Visvesvaraya College of Engineering (UVCE), Bangalore University, Bangalore
Prof. Malik Sikander Hayat Khiyal, Fatima Jinnah Women University, Rawalpindi, Pakistan
Dr. Virendra Gomase, Department of Bioinformatics, Padmashree Dr. D.Y. Patil University
Dr. Irraivan Elamvazuthi, University Technology PETRONAS, Malaysia
Mr. Saqib Saeed, University of Siegen, Germany
Mr. Pavan Kumar Gorakavi, IPMA-USA [YC]
Dr. Ahmed Nabih Zaki Rashed, Menoufia University, Egypt
Prof. Shishir K. Shandilya, Rukmani Devi Institute of Science & Technology, India
Mrs. J. Komala Lakshmi, SNR Sons College, Computer Science, India
Mr. Muhammad Sohail, KUST, Pakistan
Dr. Manjaiah D.H, Mangalore University, India
Dr. S Santhosh Baboo, D.G. Vaishnav College, Chennai, India
Prof. Dr. Mokhtar Beldjehem, Sainte-Anne University, Halifax, NS, Canada
Dr. Deepak Laxmi Narasimha, Faculty of Computer Science and Information Technology, University of Malaya, Malaysia
Prof. Dr. Arunkumar Thangavelu, Vellore Institute Of Technology, India
Mr. M. Azath, Anna University, India
Mr. Md. Rabiul Islam, Rajshahi University of Engineering & Technology (RUET), Bangladesh
Mr. Aos Alaa Zaidan Ansaef, Multimedia University, Malaysia
Dr. Suresh Jain, Professor (on leave), Institute of Engineering & Technology, Devi Ahilya University, Indore (MP), India
Mr. Mohammed M. Kadhum, Universiti Utara Malaysia
Mr. Hanumanthappa J., University of Mysore, India
Mr. Syed Ishtiaque Ahmed, Bangladesh University of Engineering and Technology (BUET)
Mr. Akinola Solomon Olalekan, University of Ibadan, Ibadan, Nigeria

Mr. Santosh K. Pandey, Department of Information Technology, The Institute of Chartered Accountants of India
Dr. P. Vasant, Power Control Optimization, Malaysia
Dr. Petr Ivankov, Automatika - S, Russian Federation
Dr. Utkarsh Seetha, Data Infosys Limited, India
Mrs. Priti Maheshwary, Maulana Azad National Institute of Technology, Bhopal
Dr. (Mrs) Padmavathi Ganapathi, Avinashilingam University for Women, Coimbatore
Assist. Prof. A. Neela madheswari, Anna University, India
Prof. Ganesan Ramachandra Rao, PSG College of Arts and Science, India
Mr. Kamanashis Biswas, Daffodil International University, Bangladesh
Dr. Atul Gonsai, Saurashtra University, Gujarat, India
Mr. Angkoon Phinyomark, Prince of Songkla University, Thailand
Mrs. G. Nalini Priya, Anna University, Chennai
Dr. P. Subashini, Avinashilingam University for Women, India
Assoc. Prof. Vijay Kumar Chakka, Dhirubhai Ambani IICT, Gandhinagar, Gujarat
Mr. Jitendra Agrawal, Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal
Mr. Vishal Goyal, Department of Computer Science, Punjabi University, India
Dr. R. Baskaran, Department of Computer Science and Engineering, Anna University, Chennai
Assist. Prof. Kanwalvir Singh Dhindsa, B.B.S.B. Engg. College, Fatehgarh Sahib (Punjab), India
Dr. Jamal Ahmad Dargham, School of Engineering and Information Technology, Universiti Malaysia Sabah
Mr. Nitin Bhatia, DAV College, India
Dr. Dhavachelvan Ponnurangam, Pondicherry Central University, India
Dr. Mohd Faizal Abdollah, University of Technical Malaysia, Malaysia
Assist. Prof. Sonal Chawla, Panjab University, India
Dr. Abdul Wahid, AKG Engg. College, Ghaziabad, India
Mr. Arash Habibi Lashkari, University of Malaya (UM), Malaysia
Mr. Md. Rajibul Islam, Ibnu Sina Institute, University Technology Malaysia
Professor Dr. Sabu M. Thampi, L.B.S Institute of Technology for Women, Kerala University, India
Mr. Noor Muhammed Nayeem, Université Lumière Lyon 2, 69007 Lyon, France
Dr. Himanshu Aggarwal, Department of Computer Engineering, Punjabi University, India
Prof. R. Naidoo, Dept of Mathematics/Center for Advanced Computer Modelling, Durban University of Technology, Durban, South Africa
Prof. Mydhili K Nair, M S Ramaiah Institute of Technology (M.S.R.I.T), Affiliated to Visweswaraiah Technological University, Bangalore, India
M. Prabu, Adhiyamaan College of Engineering/Anna University, India
Mr. Swakkhar Shatabda, Department of Computer Science and Engineering, United International University, Bangladesh
Dr. Abdur Rashid Khan, ICIT, Gomal University, Dera Ismail Khan, Pakistan

CALL FOR PAPERS International Journal of Computer Science and Information Security IJCSIS 2009-2010 ISSN: 1947-5500 http://sites.google.com/site/ijcsis/
The International Journal of Computer Science and Information Security, now at its sixth edition, is the premier scholarly venue in the areas of computer science and security issues. IJCSIS 2009-2010 will provide a high-profile, leading-edge platform for researchers and engineers alike to publish state-of-the-art research in the respective fields of information technology and communication security. The journal will feature a diverse mixture of publication articles, including core and applied computer science related topics. Authors are solicited to contribute to the special issue by submitting articles that illustrate research results, projects, surveying works and industrial experiences that describe significant advances in the following areas (but not limited to them). Submissions may span a broad range of topics, e.g.:

Track A: Security Access control, Anonymity, Audit and audit reduction & Authentication and authorization, Applied cryptography, Cryptanalysis, Digital Signatures, Biometric security, Boundary control devices, Certification and accreditation, Cross-layer design for security, Security & Network Management, Data and system integrity, Database security, Defensive information warfare, Denial of service protection, Intrusion Detection, Anti-malware, Distributed systems security, Electronic commerce, E-mail security, Spam, Phishing, E-mail fraud, Virus, worms, Trojan Protection, Grid security, Information hiding and watermarking & Information survivability, Insider threat protection, Integrity Intellectual property protection, Internet/Intranet Security, Key management and key recovery, Languagebased security, Mobile and wireless security, Mobile, Ad Hoc and Sensor Network Security, Monitoring and surveillance, Multimedia security ,Operating system security, Peer-to-peer security, Performance Evaluations of Protocols & Security Application, Privacy and data protection, Product evaluation criteria and compliance, Risk evaluation and security certification, Risk/vulnerability assessment, Security & Network Management, Security Models & protocols, Security threats & countermeasures (DDoS, MiM, Session Hijacking, Replay attack etc,), Trusted computing, Ubiquitous Computing Security, Virtualization security, VoIP security, Web 2.0 security, Submission Procedures, Active Defense Systems, Adaptive Defense Systems, Benchmark, Analysis and Evaluation of Security Systems, Distributed Access Control and Trust Management, Distributed Attack Systems and Mechanisms, Distributed Intrusion Detection/Prevention Systems, Denial-of-Service Attacks and Countermeasures, High Performance Security Systems, Identity Management and Authentication, Implementation, Deployment and Management of Security Systems, Intelligent Defense Systems, Internet and Network Forensics, Largescale Attacks and 
Defense, RFID Security and Privacy, Security Architectures in Distributed Network Systems, Security for Critical Infrastructures, Security for P2P systems and Grid Systems, Security in ECommerce, Security and Privacy in Wireless Networks, Secure Mobile Agents and Mobile Code, Security Protocols, Security Simulation and Tools, Security Theory and Tools, Standards and Assurance Methods, Trusted Computing, Viruses, Worms, and Other Malicious Code, World Wide Web Security, Novel and emerging secure architecture, Study of attack strategies, attack modeling, Case studies and analysis of actual attacks, Continuity of Operations during an attack, Key management, Trust management, Intrusion detection techniques, Intrusion response, alarm management, and correlation analysis, Study of tradeoffs between security and system performance, Intrusion tolerance systems, Secure protocols, Security in wireless networks (e.g. mesh networks, sensor networks, etc.), Cryptography and Secure Communications, Computer Forensics, Recovery and Healing, Security Visualization, Formal Methods in Security, Principles for Designing a Secure Computing System, Autonomic Security, Internet Security, Security in Health Care Systems, Security Solutions Using Reconfigurable Computing, Adaptive and Intelligent Defense Systems, Authentication and Access control, Denial of service attacks and countermeasures, Identity, Route and

Location Anonymity schemes, Intrusion detection and prevention techniques, Cryptography, encryption algorithms and Key management schemes, Secure routing schemes, Secure neighbor discovery and localization, Trust establishment and maintenance, Confidentiality and data integrity, Security architectures, deployments and solutions, Emerging threats to cloud-based services, Security model for new services, Cloud-aware web service security, Information hiding in Cloud Computing, Securing distributed data storage in cloud, Security, privacy and trust in mobile computing systems and applications, Middleware security & Security features: middleware software is an asset on its own and has to be protected, interaction between security-specific and other middleware features, e.g., context-awareness, Middleware-level security monitoring and measurement: metrics and mechanisms for quantification and evaluation of security enforced by the middleware, Security co-design: trade-off and co-design between application-based and middleware-based security, Policy-based management: innovative support for policy-based definition and enforcement of security concerns, Identification and authentication mechanisms: Means to capture application specific constraints in defining and enforcing access control rules, Middleware-oriented security patterns: identification of patterns for sound, reusable security, Security in aspect-based middleware: mechanisms for isolating and enforcing security aspects, Security in agent-based platforms: protection for mobile code and platforms, Smart Devices: Biometrics, National ID cards, Embedded Systems Security and TPMs, RFID Systems Security, Smart Card Security, Pervasive Systems: Digital Rights Management (DRM) in pervasive environments, Intrusion Detection and Information Filtering, Localization Systems Security (Tracking of People and Goods), Mobile Commerce Security, Privacy Enhancing Technologies, Security Protocols (for Identification and 
Authentication, Confidentiality and Privacy, and Integrity).

Ubiquitous Networks: Ad Hoc Networks Security, Delay-Tolerant Network Security, Domestic Network Security, Peer-to-Peer Networks Security, Security Issues in Mobile and Ubiquitous Networks, Security of GSM/GPRS/UMTS Systems, Sensor Networks Security, Vehicular Network Security.

Wireless Communication Security: Bluetooth, NFC, WiFi, WiMAX, WiMedia, and others.

This track will emphasize the design, implementation, management and applications of computer communications, networks and services. Topics of a mostly theoretical nature are also welcome, provided there is clear practical potential in applying the results of such work.

Track B: Computer Science

Broadband wireless technologies: LTE, WiMAX, WiRAN, HSDPA, HSUPA, Resource allocation and interference management, Quality of service and scheduling methods, Capacity planning and dimensioning, Cross-layer design and physical-layer-based issues, Interworking architecture and interoperability, Relay-assisted and cooperative communications, Location provisioning and mobility management, Call admission and flow/congestion control, Performance optimization, Channel capacity modeling and analysis.

Middleware Issues: Event-based, publish/subscribe, and message-oriented middleware, Reconfigurable, adaptable, and reflective middleware approaches, Middleware solutions for reliability, fault tolerance, and quality of service, Scalability of middleware, Context-aware middleware, Autonomic and self-managing middleware, Evaluation techniques for middleware solutions, Formal methods and tools for designing, verifying, and evaluating middleware, Software engineering techniques for middleware, Service-oriented middleware, Agent-based middleware, Security middleware.

Network Applications: Network-based automation, Cloud applications, Ubiquitous and pervasive applications, Collaborative applications, RFID and sensor network applications, Mobile applications, Smart home applications, Infrastructure monitoring and control applications, Remote health monitoring, GPS and location-based applications, Networked vehicle applications, Alert applications.

Embedded Computer Systems, Advanced Control Systems, and Intelligent Control: Advanced control and measurement, computer- and microprocessor-based control, signal processing, estimation and identification techniques, application-specific ICs, nonlinear and adaptive control, optimal and robust control, intelligent control, evolutionary computing and intelligent systems, instrumentation subject to critical conditions, automotive, marine and aerospace control and all other control applications, Intelligent Control Systems, Wired/Wireless Sensors, Signal Control Systems.

Sensors, Actuators and Systems Integration: Intelligent sensors and actuators, multisensor fusion, sensor arrays and multi-channel processing, micro/nano technology, microsensors and microactuators, instrumentation electronics, MEMS and system integration, wireless sensors, network sensors, hybrid sensors, distributed sensor networks.

Signal and Image Processing: Digital signal processing theory, methods and DSP implementation, speech processing, image and multidimensional signal processing, image analysis and processing, image and multimedia applications, real-time multimedia signal processing, computer vision, emerging signal processing areas, remote sensing, signal processing in education.

Industrial Informatics: Industrial applications of neural networks, fuzzy algorithms, neuro-fuzzy applications, bioinformatics, real-time computer control, real-time information systems, human-machine interfaces, CAD/CAM/CAT/CIM, virtual reality, industrial communications, flexible manufacturing systems, industrial automated processes, data storage management, hard disk control, supply chain management, logistics applications, power plant automation, drives automation.

Information Technology and Management of Information Systems: Management information systems, Information management, Nursing information management, Information systems, Information technology and its applications, Data retrieval, Database management, Decision analysis methods, Information processing, Operations research, E-Business, E-Commerce, E-Government, Computer business, Security and risk management, Medical imaging, Biotechnology, Bio-medicine, Computer-based information systems in health care, Changing access to patient information, Healthcare management information technology.
Communication/Computer Networks and Transportation Applications: On-board diagnostics, Active safety systems, Communication systems, Wireless technology, Communication applications, Navigation and guidance, Vision-based applications, Speech interfaces, Sensor fusion, Networking theory and technologies, Transportation information, Autonomous vehicles, Vehicle applications of affective computing.

Advanced Computing Technology and its Applications: Broadband and intelligent networks, Data mining, Data fusion, Computational intelligence, Information and data security, Information indexing and retrieval, Information processing, Information systems and applications, Internet applications and performance, Knowledge-based systems, Knowledge management, Software engineering, Decision making, Mobile networks and services, Network management and services, Neural networks, Fuzzy logic, Neuro-fuzzy and expert approaches.

Innovation Technology and Management: Innovation and product development, Emerging advances in business and its applications, Creativity in Internet management and retailing, B2B and B2C management, Electronic transceiver devices for retail marketing industries, Facilities planning and management, Innovative pervasive computing applications, Programming paradigms for pervasive systems, Software evolution and maintenance in pervasive systems, Middleware services and agent technologies, Adaptive, autonomic and context-aware computing, Mobile/wireless computing systems and services in pervasive computing, Energy-efficient and green pervasive computing, Communication architectures for pervasive computing, Ad hoc networks for pervasive communications, Pervasive opportunistic communications and applications, Enabling technologies for pervasive systems (e.g., wireless BAN, PAN), Positioning and tracking technologies, Sensors and RFID in pervasive systems, Multimodal sensing and context for pervasive applications, Pervasive sensing, perception and semantic interpretation, Smart devices and intelligent environments, Trust, security and privacy issues in pervasive systems, User interfaces and interaction models, Virtual immersive communications, Wearable computers, Standards and interfaces for pervasive computing environments, Social and economic models for pervasive systems.

Active and Programmable Networks, Ad Hoc and Sensor Networks, Congestion and/or Flow Control, Content Distribution, Grid Networking, High-Speed Network Architectures, Internet Services and Applications, Optical Networks, Mobile and Wireless Networks, Network Modeling and Simulation, Multicast, Multimedia Communications, Network Control and Management, Network Protocols, Network Performance, Network Measurement, Peer-to-Peer and Overlay Networks, Quality of Service and Quality of Experience, Ubiquitous Networks.

Cross-cutting Themes: Internet Technologies, Infrastructure, Services and Applications; Open Source Tools, Open Models and Architectures; Security, Privacy and Trust; Navigation Systems, Location-Based Services; Social Networks and Online Communities; ICT Convergence, Digital Economy and Digital Divide; Neural Networks, Pattern Recognition, Computer Vision, Advanced Computing Architectures and New Programming Models, Visualization and Virtual Reality as Applied to Computational Science, Computer Architecture and Embedded Systems, Technology in Education, Theoretical Computer Science, Computing Ethics, Computing Practices and Applications.

Authors are invited to submit papers by e-mail to ijcsiseditor@gmail.com. Submissions must be original and should not have been published previously or be under consideration for publication while being evaluated by IJCSIS. Before submission, authors should carefully read the journal's Author Guidelines, located at http://sites.google.com/site/ijcsis/authors-notes .

© IJCSIS PUBLICATION 2009 ISSN 1947-5500

