Special issue on New Technologies, Mobility and Security - Final.pdf
Shared by: UbiCC Journal
Posted: 1/13/2009
Language: English
Pages: 39
DESIGN AND DEVELOPMENT OF A WIRELESS SENSOR MODEL FOR VEHICULAR AREA NETWORKS

Umesh P, G. Varaprasad
Department of Computer Science and Engineering, B.M.S. College of Engineering, Bangalore 560019, India. Email: drvaraprasad@gmail.com

ABSTRACT
A vehicular area network provides vehicle-to-vehicle, vehicle-to-infrastructure, and vehicle-to-person communications. Its aim is to increase road safety and transport facility efficiency. It also provides a ubiquitous wireless environment for the end users. The vehicular area network is considered one of the major applications for wireless networks. Here, each vehicle has a unique identifier, which allows an eavesdropper to accumulate the locations of vehicles; if the vehicle changes its pseudonym from time to time, long-term tracking can be avoided. The proposed model automatically monitors the flow of vehicles and sends the data to the control room via gateway nodes. It uses a number of sensors to reduce the traffic at important junctions while forwarding the vehicles from one place to another.

Keywords: Vehicle adhoc network, sensor, control room, vehicle.

NOMENCLATURE
Val = Number of vehicles at sensor A
P = Status of information at sensor A
Z = Status of information at sensor B
Q = Number of vehicles at sensor B
Max = Maximum queue length (200)
Limit = Permissible vehicles between two sensors (50)

1. INTRODUCTION
A Vehicle Adhoc Network (VANET) is a special type of mobile adhoc network [1], where all nodes are vehicles and move regularly at high speed. The VANET has unique requirements with respect to applications, self-organization and communication. It has been envisioned to be useful in many commercial applications [2]. For example, the VANET is also used to alert drivers so that they avoid traffic. It provides efficient routes while forwarding the vehicles from one node to another. It can also be used to propagate emergency warning information to drivers to avoid collisions [3].

In a VANET, sensor devices are used to monitor network conditions such as vibration, pressure, motion, pollution, temperature and sound. Each sensor is capable of collecting valuable information and transmitting the data to others [5]. These devices are very small and low cost, and can be deployed in large numbers in the network [1]. Failure of a single device does not affect the network performance, and a broken device can be replaced; the newly installed device should be detected by neighbouring devices for communication. In mobile adhoc networks, both proactive and reactive routing algorithms are used, but proactive routing algorithms are not suitable for VANETs, since each MS keeps up-to-date information and consumes a larger amount of bandwidth. Generally, each MS has higher mobility and the topology changes frequently. The network performance depends on the mobility, density and load. The VANET is used for short-range wireless communication and has emerged as the preferred network design for quick transportation systems. The Federal Communications Commission has recently allocated 75 MHz in the 5.9 GHz band for short range vehicle-to-vehicle and vehicle-to-infrastructure communications.



UbiCC Journal - Volume 3






This paper presents the design and development of a wireless sensor model for VANETs that monitors the flow of vehicles and reduces the traffic over the network. The rest of the paper is arranged as follows. Section 2 presents some of the existing models. The proposed technique is discussed in Section 3. Section 4 presents the simulation of the proposed model. The results of this model are presented in Section 5. Section 6 presents the conclusions and future research work.

Figure 1. Sample model.

2. EXISTING WORK
There are a number of models used to monitor the traffic at different nodes. Each model has advantages and disadvantages. The conventional traffic methods route the data packets based on central administration principles. These models use loop detectors and cameras to monitor the traffic. These devices transmit the vehicle flow data to the central room for taking necessary steps. But this is more expensive than non-conventional models, and in fact the performance of these systems is poor [6]. The advanced cruise-assistant highway system helped to reduce collisions [7]. It sends the traffic information to the drivers, but it is a costly method. The FleetNet [8] model uses built-in equipment with sensors to monitor the vehicles. It is used for sending emergency messages to the drivers over the network. In [9], the end-to-end delay of a packet on a local road is measured. The greedy-perimeter-stateless-routing algorithm is a location based protocol, which is presented in [10]. All the data packets are marked by the originator and then transmitted to the destination location. Previous models are mainly focused on mobility and are used for small distances.

3. PROPOSED METHOD
The proposed model monitors the flow of vehicles and reduces the traffic at various places. It consists of regular nodes and a control room. Each regular node is equipped with a traffic-dot sensor as shown in Figure 1. The proposed system uses the IEEE 802.15.4 protocol for communication, which provides a low bit rate, low cost and low power consumption. This model controls the flow of vehicles with the help of regular nodes at every entry and exit point of the road using RED and GREEN signals.

The traffic-dot sensor is equipped with an ATmega128L microprocessor, a battery and a magnetometer, as shown in Figure 2. It senses the flow of vehicles and then transmits the data to the control room and neighbouring devices. The control room keeps track of all the regular nodes.

Figure 2. Traffic-dot device.

Let us take two nodes 'A' and 'B'. Both nodes exchange the flow of vehicles, and the same is transmitted to the control room as shown in Figure 3. The traffic algorithm provides the sensing information from node 'A' to the central room and to 'B'. If the number of vehicles that crossed the road is less than Max, then the GREEN light is 'ON'. This state is maintained until 'A' receives the stop signal from 'B'.
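The two-node handshake described above, as an added Python example that is not code from the paper: a discrete-step rendering of the traffic algorithm run by nodes A and B, with a shared dictionary standing in for the radio link and a list standing in for the control room (both constructed here). Each call to step() is one pass of the algorithm's outer loop; a node whose queue count has reached Max reports "complete" to its peer and shows RED until the peer has reported "complete" in turn, then resets its counter.

```python
MAX = 200   # Max: maximum queue length, from the paper's nomenclature


class TrafficNode:
    """One traffic-dot node running the paper's traffic algorithm in discrete steps.
    `link` is a shared dict standing in for the radio link between the two nodes (constructed),
    `control_room` collects every sensor reading, as the gateway nodes would forward it."""

    def __init__(self, name, peer, link, control_room):
        self.name, self.peer = name, peer
        self.link, self.control_room = link, control_room
        self.count = 0            # vehicles counted since the last reset (Val for A, Q for B)
        self.lights = []          # log of Light_X(...) decisions

    def read_sensor(self, vehicles):
        # Read_sensor_X(): the queue count saturates at MAX, and every reading goes to the control room
        self.count = min(MAX, self.count + vehicles)
        self.control_room.append((self.name, self.count))
        return self.count

    def step(self, vehicles):
        val = self.read_sensor(vehicles)
        if val != MAX:
            light = "GREEN"                        # Light_X(GREEN)
        else:
            self.link[self.name] = "complete"      # Send_peer(complete)
            if self.link.get(self.peer) != "complete":
                light = "RED"                      # inner loop: stay RED while the peer has not reported complete
            else:
                self.link[self.peer] = None        # consume the peer's status word
                self.count = 0                     # Reset_sensor_X()
                light = "GREEN"
        self.lights.append(light)
        return light


def simulate(arrivals):
    """arrivals: list of (vehicles_at_A, vehicles_at_B) per tick.
    Returns (lights_A, lights_B, control_room_log)."""
    link, control_room = {}, []
    a = TrafficNode("A", "B", link, control_room)
    b = TrafficNode("B", "A", link, control_room)
    for at_a, at_b in arrivals:
        a.step(at_a)
        b.step(at_b)
    return a.lights, b.lights, control_room


if __name__ == "__main__":
    # constructed arrival pattern: A fills its queue first, B one tick later
    lights_a, lights_b, log = simulate([(200, 0), (0, 200), (0, 0)])
    print("A:", lights_a, "B:", lights_b)
    print("control room:", log)
```

Two properties of the algorithm show up immediately in the log: A holds RED for as long as B has not reported "complete", and nothing in the algorithm times that wait out, so a node whose peer never fills its queue stays RED; and the status word carries no sequence number, so a stale "complete" left on the link is honoured at the next cycle.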



Figure 3. Proposed model.

Traffic algorithm

While (sensor_A_on) {
    Val = Read_sensor_A();
    If (Val != MAX) then
        Light_A(GREEN);
    else {
        Send_B(complete);
        Z = Read_B();
        while (Val == MAX && Z != complete) {
            Light_A(RED);
            Z = Read_B();
        }
        Reset_sensor_A();
    }
}

4. SIMULATION
The proposed model considers an area of 7 Km x 7 Km with a set of regular nodes deployed randomly over the network. The vehicle transmission range is 50 m. The simulation consists of 10,000 nodes moving around a circular and square road of 6283 m length with four lanes. Here, the UMPS simulator is used to evaluate the network performance of the two routing algorithms.

Table I. Simulation parameters.
Simulation time: 2000 s
Topology size: 7 Km x 7 Km
No. of nodes: 1000
No. of clusters: 10
No. of cluster heads: 10
No. of malicious nodes: 7
Transmission range: 50 m
Routing protocol: ZRP
Frequency: 2.4 GHz
Channel capacity: 2 Mbps
Traffic type: CBR
CBR packet size: 512 bytes
Simulator: UMPS
Total packets: 30000

5. SIMULATION RESULTS
This simulation considers three performance metrics, namely packet delivery ratio, average packet delay and throughput. From the results, it is noticed that the throughput of the two models increases if the number of vehicles is 6 vehicles/km per lane. The proposed model clearly outperforms the FleetNet model at 25 vehicles/km per lane. The connectivity in the network is significantly better than that of low-density traffic, as shown in Figure 5.

Figure 5. Number of vehicles versus throughput.

Figure 6 summarizes the packet delivery ratio. From the results, it is concluded that up to a traffic density of 5 vehicles/km, the packet delivery ratios of the two models are 93.56% and 98.35% respectively. At a traffic density of 16 vehicles/km per lane, the packet delivery ratio of the proposed model has decreased as compared to the FleetNet model. If the traffic density is 25 vehicles/km per lane, then the proposed model delivers 95.86% of the data packets due to its reactive algorithm principles.

Figure 6. Number of vehicles against packet delivery ratio.

The average delay of a data packet is shown in Figure 7. The average delay of the two models varies from 113 ms to 1.10 s. The FleetNet model has experienced more delay for all traffic densities: the route-discovery process takes a long time in the FleetNet model as compared to the proposed model. If the traffic density is 25 vehicles/km per lane, then the proposed model takes only 0.19 s.

Figure 7. Number of vehicles against delay.

6. CONCLUSIONS AND FUTURE WORK
In urban areas, VANETs play an important role in providing transport facilities efficiently. Performance evaluation is an important factor in VANETs. It is also noticed that the proposed model has shown better results in terms of packet delivery ratio, average delay and throughput. In this work, the transmission range and parameters are fixed. However, it is also observed that a low transmission range will not guarantee connectivity among all nodes to ensure effective communication.

REFERENCES
1. J. Beutel, M. Dyer, L. Meier, "Scalable Topology Control for Deployment-Sensor Networks", In Proc. of International Conference on Information Processing in Sensor Networks, pp. 359-363 (2005).
2. J. Ding, S. Y. Cheung, and P. Varaiya, "Signal Processing of Sensor Node Data for Vehicle Detection", In Proc. of IEEE ITS, pp. 70-75 (2004).
3. AutoNet: Adhoc Peer-to-Peer Information Technology for Traffic Networks, www.its.uci.edu/ monally/mgmautonet.htm
4. C. Li, K. Ikeuchi, M. Sakauchi, "Acquisition of Traffic Information using Video Camera with 2D Spatiotemporal Image Transformation Technique", In Proc. of IEEE ITS, pp. 634-638 (1999).
5. D. McErlean, S. Narayanan, "Distributed Detection and Tracking in Sensor Networks", In Proc. of ASILOMAR, pp. 1174-1178 (2002).
6. Z. Sun, G. Bebis, and R. Miller, "On-road Vehicle Detection Using Optical Sensors: A Review", In Proc. of IEEE ITS, pp. 585-590 (2004).
7. O. Sidla, L. Paletta, and C. Janner, "Vehicle Recognition for Highway Lane Safety", In Proc. of IEEE ITS, pp. 531-536 (2004).
8. Wilfried E, "FleetNet Applications for Inter-Vehicle Communication", IEEE Intelligent Vehicles Symposium, pp. 162-167 (2003).
9. Tatsuaki O, Kazuya M, Shoji F, Susumu Matsui, "Performance Measurement of Mobile Ad Hoc Network for Application to Internet-ITS", In Proc. of International Symposium on Applications and Internet, pp. 83-87 (2004).
10. J. P. Singh, Nicholas B, "Proposal and Demonstration of Link Connectivity Assessment Based Enhancements to Routing in Mobile Adhoc Networks", IEEE Vehicular Technology Conference, vol. 15, pp. 2834-2838 (2003).

Author's information
Umesh P obtained a B.E. degree in Electronics and Communication Engineering from Visveswaraiah Technological University, Belgaum in 2004. Currently he is doing an M.Tech degree in Computer Science and Engineering at B.M.S. College of Engineering, Bangalore. His areas of interest are embedded systems and wireless communications.

G. Varaprasad received a B.Tech degree in Computer Science and Engineering from Sri Venkateswara University, Tirupati in 1999, an M.Tech degree in Computer Science and Engineering from B.M.S. College of Engineering, Bangalore in 2001 and a PhD degree in Computer Networks from Anna University, Chennai in 2004, and worked as a Postdoctoral fellow at the Indian Institute of Science, Bangalore in 2005. Currently, he is working as an Asst. Professor at B.M.S. College of Engineering, Bangalore. His areas of interest are wireless communications and sensor networks.






A GAME THEORETIC POWER CONTROL APPROACH FOR MIMO MC-DS/CDMA SYSTEMS

V. Nagarajan and P. Dananjayan†
Department of Electronics and Communication Engineering, Pondicherry Engineering College, Pondicherry - 605014, India
nagarajanece31@rediffmail.com, pdananjayan@rediffmail.com
† Corresponding author

ABSTRACT
A major challenge in enhancing the performance of a multiuser multiple-input multiple-output (MIMO) multi-carrier direct sequence code division multiple access (MC-DS/CDMA) system lies in effective multiple access interference suppression. In this work a novel distributed non-cooperative power control game with pricing (NPGP) is considered for utilizing the system resources more efficiently. The ratio of throughput to power is referred to as the utility function, which should be maximized by combating the multiple access interference (MAI). Simulation results show that the proposed scheme achieves a significant performance improvement compared with the conventional system without NPGP.

Keywords: Game theory, power control, pricing, MIMO, MC-DS/CDMA.

1 INTRODUCTION
The enormous growth of wireless services during the last decade has given rise to the need for a bandwidth-efficient modulation technique that can reliably transmit high data rates. As multi-carrier techniques combine good bandwidth efficiency with immunity to channel dispersion, they have received considerable attention. To be able to support multiple users, the multi-carrier transmission technique can be combined with a CDMA scheme. As the demand for wireless services increases, efficient use of resources has gained significant importance. The ever-increasing need for wireless systems to provide high data transmission rates requires a system that performs well under severe fading conditions. Though MIMO MC-DS/CDMA seems to be an excellent candidate for high data rate communication, its performance is limited by multiple access interference (MAI) and the near-far effect. The power control algorithm plays a significant role in combating this effect. Compared with single-antenna MC-DS/CDMA, MIMO MC-DS/CDMA exhibits better performance, but it has the same traditional impairment as the single-carrier system [1,2]. Hence the performance of MIMO MC-DS/CDMA consequently lies in the area of interference suppression and power control in the multi-user scenario.

Recently, an alternative approach to the power control problem in wireless systems based on an economic model has been proposed [3]. In [3] a game theoretic approach is employed to study power control in the multi-user scenario for the proposed model. It is a powerful tool in modeling interactions between self-interested users and predicting their choice of strategies. Each player in the game maximizes some utility function in a distributed fashion [3, 4]. The game settles at a Nash equilibrium if one exists. Since users act selfishly, the equilibrium point is not necessarily the best operating point from a social point of view. To circumvent this, pricing the system resources appears to be a powerful tool for achieving a more socially desirable result [2,3]. In MC-DS/CDMA, raising one's power not only increases one's own signal-to-interference-and-noise ratio (SINR), but also increases the interference observed by other users, thereby lowering their SINR; each user therefore tends to increase their own power level, and the system reaches the Nash equilibrium. To overcome this situation, a distributed game theoretic power control algorithm providing efficient use of the radio resources in a CDMA system has been established [4,5]. The power control problem in a multi-user MIMO CDMA system using the game theory framework proposed in [2,6] is considered in this work. A new utility function for the NPG using singular value decomposition (SVD) is proposed to solve the problem. The new utility functions, which are based on the MIMO MC-DS/CDMA system for wireless data, refer to spectral efficiency and power efficiency. The utility functions also reflect the quality of service (QoS) that the data users get, where utility is defined as the ratio of throughput to transmit power. Then the Nash equilibrium and the performance of the power control games in a single-cell MIMO MC-DS/CDMA system are considered, which seems to be an ideal solution to use the system resources more efficiently.

The paper is organized as follows. Section 2 explains the MIMO MC-DS/CDMA system and the utility function of the power control game. Section 3 shows the two NMCPGs for the MIMO MC-DS/CDMA system. Section 4 discusses the existence and uniqueness of the games and the algorithm to reach the Nash equilibrium. Simulation results are given and discussed in Section 5. Finally, Section 6 draws the conclusion.

2 MIMO MC-DS/CDMA SYSTEM AND UTILITY FUNCTIONS
The uplink of a single-cell N-user MIMO MC-DS/CDMA system with feedback is considered for our analysis. Each user is assumed to have Mt transmit antennas and the base station is equipped with Mr antennas. Each antenna is capable of transmitting multiple sub carriers, and a processing gain G is considered. In this system, the user's bit stream is demultiplexed among several transmitting antennas, each of which transmits an independently modulated signal, simultaneously and in the same frequency band. The base station receives these signal components by an antenna array whose sensor outputs are processed such that the original data stream can be recovered. Assume that the channel state information (CSI) is perfectly known to the receiver, and that the transmitter can get the CSI through feedback. Assume that H_i, the channel matrix of user i, can be decomposed using SVD as given in Eq. (1).

$$ H_i = U_i \Sigma_i V_i^{H} = \sum_{k=1}^{\min(M_t,M_r)} U_i(k)\,\sigma_i(k)\,V_i(k)^{H} \qquad (1) $$

where $U_i(k) \in \mathbb{C}^{M_r \times 1}$ and $V_i(k) \in \mathbb{C}^{M_t \times 1}$ are unitary vectors, respectively, and $\sigma_i(k)$ are the singular values of $H_i$. The per-user attainable normalized throughput, in bit per second per Hertz, of the MIMO MC-DS/CDMA system is the sum of the normalized throughputs of the $\min(M_t, M_r)$ decoupled sub channels. Then the normalized throughput of the ith user is given in Eq. (2).

$$ T_i = \sum_{k=1}^{\min(M_t,M_r)} T_{k,i} = \sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\,\bigl(1-\mathrm{BER}(\gamma_{k,i})\bigr)^{L} \qquad (2) $$

where $\gamma_{k,i}$ represents the SINR of the ith user in the kth sub channel, which is using the sth sub carrier, for convenience. Since each antenna can accommodate sub carriers, the total throughput is the summation of the throughput of the individual carriers. In order to solve the power control problem in the MIMO MC-DS/CDMA system, a marginal utility function, expressed in Eq. (3), is established.

$$ u_i^{m} = \frac{T_i}{P_i} = \frac{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\,\bigl(1-\mathrm{BER}(\gamma_{k,i})\bigr)^{L}}{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} P_{k,i}} \qquad (3) $$

The power control utility function is given in Eq. (4):

$$ u_i = \frac{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\,\bigl(1-2\,\mathrm{BER}(\gamma_{k,i})\bigr)^{L}}{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} P_{k,i}} = \frac{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\, f(\gamma_{k,i})}{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} P_{k,i}} \qquad (4) $$

where $f(\gamma_{k,i}) = \bigl(1-2\,\mathrm{BER}(\gamma_{k,i})\bigr)^{L}$ is called the efficiency function. The frame success rate (FSR) is approximated by $f(\gamma_{k,i})$, which closely follows the behaviour of the probability of correct reception while producing an FSR equal to zero at $P_i = 0$. The pricing mechanism was introduced into the CDMA non-cooperative power control game in [4]. By using the pricing mechanism, the power control game becomes more efficient. A new utility function with pricing in the MIMO MC-DS/CDMA power control game is developed. It is expressed in Eq. (5):

$$ u_i^{c} = \frac{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\, f(\gamma_{k,i})}{P_i} - t\,P_i, \qquad P_i = \sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} P_{k,i} \qquad (5) $$

where $P_i$ is the total transmitting power of the ith user, and $t$ is a positive scalar. This proposed utility function, which gives attention to both spectral efficiency and power efficiency, is based on the MIMO MC-DS/CDMA system.

3 NON COOPERATIVE MIMO POWER CONTROL GAME
Let $G = [N, \{A_i\}, \{U_i(\cdot)\}]$ denote the non-cooperative MIMO power control game (NMCPG), where $N = \{1, 2, \ldots, N\}$ is the index set for the mobile users currently in the cell. The ith user selects a total transmit power strategy $P_i$ such that $P_i \in A_i$, where $A_i$ denotes the strategy space of the ith user. Let the vector $P = (P_1, \ldots, P_N)$ denote the outcome of the game in terms of the selected power levels of all users, and let $P_{-i}$ denote the vector consisting of the elements of $P$ other than the ith element. The strategy space of all the users excluding the ith user is denoted $A_{-i}$. According to the analysis, two NMCPGs are established. These games have the same player space and strategy space, but different utility functions. The game G1 is given by

$$ G_1:\quad \max_{P_i \in A_i} U_{1i}(P_i, P_{-i}) = \max_{P_i \in A_i} \frac{\sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\, f(\gamma_{k,i})}{P_i} \qquad (6) $$

No user may gain by unilaterally deviating from the Nash equilibrium. Hence, the Nash equilibrium is a stable operating point, because no user has any incentive to change strategy [3]. The Nash equilibria of the proposed NMCPGs are given in Sections 4.1 and 4.2.

4.1 The NMCPGs G1, G2 are supermodular games with appropriate strategy spaces $A_i = [P_i^{\min}, P_i^{\max}]$, respectively [8,9]. Consider the game G1 first.

$$ \frac{\partial u_{1i}}{\partial P_i} = \frac{1}{P_i^{2}} \sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\,\bigl[\gamma_{k,i}\, f'(\gamma_{k,i}) - f(\gamma_{k,i})\bigr] \qquad (8) $$

$$ \frac{\partial^{2} u_{1i}}{\partial P_i\,\partial P_j} = \frac{1}{P_i^{2}} \sum_{k=1}^{\min(M_t,M_r)} \sum_{s=1}^{N-1} \log_2 M_{k,i}\,\gamma_{k,i}\, f''(\gamma_{k,i})\,\frac{\partial \gamma_{k,i}}{\partial P_j} \qquad (9) $$

If $f''(\gamma_{k,i}) \le 0$, it can be concluded that $\partial^{2} u_{1i}/\partial P_i\,\partial P_j \ge 0$ for all $j \ne i$, since $\partial \gamma_{k,i}/\partial P_j < 0$ (a rise in another user's power only adds interference). Assume there exists a $P_{-i}$ such that $\partial^{2} u_{1i}/\partial P_i\,\partial P_j \ge 0$ for all $P_j \in A_j$, $j \ne i$. Then the Nash equilibrium is unique and the general updating algorithm converges monotonically to an equilibrium, and this convergence holds for any initial policy in the strategy space. It can be concluded that each of our NMCPGs has a unique Nash equilibrium point, and then the asynchronous power control algorithm considered in this work converges to the unique Nash equilibrium point. In this algorithm



users update their transmission powers in the same manner as in [2]. Assume user i updates its transmission power at time instances in the set $T_i = \{t_{i1}, t_{i2}, \ldots\}$, with $t_{ik}$

Tha, then the packet is classified as an attack, is used to update the trees, and is then dropped at the router itself. This feedback of the attack characteristics helps in refining the detection accuracy by enabling the packets to score values that have distinct margins for attack and legitimate packets.
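The non-cooperative power control game with pricing of the MIMO MC-DS/CDMA paper above (the utility of Eq. (5) and the asynchronous best-response update of Section 4), as an added Python example that is not the paper's code. It collapses the sums over sub channels and sub carriers to a single channel per user; the frame length L, constellation size M, processing gain G, noise power, path gains, the BER curve 0.5·exp(−γ/2) (non-coherent FSK) and the price t are all assumptions of this example, which the paper does not state.

```python
import math

# --- Assumed system constants (illustrative; the paper does not give these values) ---
L = 80            # frame length in bits, exponent of the efficiency function
M = 4             # constellation size, so log2(M) = 2 bits per symbol
G = 64            # processing gain
NOISE = 1.0       # receiver noise power, in the same normalized units as the powers
P_MIN, P_MAX = 1e-2, 1e2
# Discrete, log-spaced strategy space A_i = [P_MIN, P_MAX]; each user picks its power from this grid
GRID = [P_MIN * (P_MAX / P_MIN) ** (k / 300) for k in range(301)]


def ber(snr):
    # Assumed BER curve (non-coherent FSK, 0.5*exp(-snr/2)); the paper does not state its modulation's BER
    return 0.5 * math.exp(-snr / 2.0)


def efficiency(snr):
    # Efficiency function f(gamma) = (1 - 2 BER(gamma))^L from Eq. (4); f(0) = 0, so zero power earns nothing
    return (1.0 - 2.0 * ber(snr)) ** L


def sinr(i, powers, gains):
    # SINR of user i on the single sub channel modelled here: G h_i P_i / (sum_{j != i} h_j P_j + noise)
    interference = sum(gains[j] * powers[j] for j in range(len(powers)) if j != i)
    return G * gains[i] * powers[i] / (interference + NOISE)


def utility(i, powers, gains, t=0.0):
    # Eq. (5) with one sub channel and one sub carrier: log2(M) f(gamma_i) / P_i - t P_i.
    # t = 0 gives the unpriced utility of Eq. (4), i.e. game G1 of Eq. (6).
    return math.log2(M) * efficiency(sinr(i, powers, gains)) / powers[i] - t * powers[i]


def best_response(i, powers, gains, t=0.0):
    # User i's best response: maximize its own utility over A_i with the other users' powers fixed
    best_p, best_u = None, -math.inf
    for p in GRID:
        trial = list(powers)
        trial[i] = p
        u = utility(i, trial, gains, t)
        if u > best_u:
            best_p, best_u = p, u
    return best_p


def play(gains, t=0.0, start=None, max_rounds=500):
    """Asynchronous (Gauss-Seidel) power update: in each round every user in turn replaces its
    power by its best response to the latest powers of the others. Returns (powers, rounds,
    converged); converged means a full round changed nothing, i.e. the vector is a Nash
    equilibrium on the grid."""
    powers = list(start) if start is not None else [P_MAX] * len(gains)
    for rnd in range(1, max_rounds + 1):
        new = list(powers)
        for i in range(len(gains)):
            new[i] = best_response(i, new, gains, t)
        if new == powers:
            return new, rnd, True
        powers = new
    return powers, max_rounds, False


if __name__ == "__main__":
    gains = [1.0, 0.7, 0.5, 0.3]   # constructed path gains: user 3 is the far user (near-far effect)
    p_npg, _, _ = play(gains, t=0.0)
    p_npgp, _, _ = play(gains, t=0.5, start=p_npg)
    for i, (a, b) in enumerate(zip(p_npg, p_npgp)):
        print(f"user {i}: NPG power {a:.3f} (SINR {sinr(i, p_npg, gains):.1f})  "
              f"NPGP power {b:.3f} (SINR {sinr(i, p_npgp, gains):.1f})")
    print(f"total power without pricing {sum(p_npg):.3f}, with pricing {sum(p_npgp):.3f}")
```

Without pricing every user settles at the SINR that maximizes f(γ)/γ (about 12.4 for this BER curve and L = 80), exactly the selfish equilibrium the paper describes: each user raises power until its own ratio peaks, regardless of the interference it causes. With the price t the far user, which pays most for its power, backs off first, the interference seen by everyone falls, and the whole power vector moves down, which is the socially better operating point pricing is meant to buy. Updates are run from P_MAX downward, the direction in which a standard interference-function iteration converges monotonically.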






The defense mechanism is deployed in active routers at the perimeter of the network. Routers get their defense structures updated periodically by way of exchange of attack knowledge from peer routers. This router update is essential for preventing attacks at the source network. Instead of sending the whole tree structures, which is costly, the routers are designed to send the hash value of a node whenever the frequency of that node hits a defined threshold. The router information exchange is part of the prevention mechanism of the system.
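The packet-score classification with feedback and the hash-based exchange of frequently hit tree nodes described above, rendered as an added Python example that is not the paper's code. The training profiles are constructed stand-ins for the KDD 99 DoS records; the Laplace smoothing of node scores, the gap-based tree weights, the rule "score greater than Tha means attack" and the SHA-256 digests are this example's assumptions, since the paper does not spell them out.

```python
import hashlib
from collections import defaultdict

THA = 0.32          # attack threshold Tha from Section 6.2 of the paper
ATTRIBUTES = ("dst", "src", "rate", "rate_var", "length", "proto")   # the paper's six packet attributes


class AttributeTrees:
    """Six attribute trees, one per packet attribute. Each tree maps an attribute value (a node)
    to how often it was seen in attack and in legitimate traffic. A packet's score is a weighted
    sum of per-tree scores; trees are weighted by how well they separate the training profiles."""

    def __init__(self):
        self.attack = {a: defaultdict(int) for a in ATTRIBUTES}
        self.legit = {a: defaultdict(int) for a in ATTRIBUTES}
        self.weights = {a: 1.0 / len(ATTRIBUTES) for a in ATTRIBUTES}

    def node_score(self, attr, value):
        # Laplace-smoothed share of attack observations for this node; an unseen value scores 0.5
        atk, leg = self.attack[attr].get(value, 0), self.legit[attr].get(value, 0)
        return (atk + 1) / (atk + leg + 2)

    def train(self, attack_pkts, legit_pkts):
        for pkt in attack_pkts:
            for a in ATTRIBUTES:
                self.attack[a][pkt[a]] += 1
        for pkt in legit_pkts:
            for a in ATTRIBUTES:
                self.legit[a][pkt[a]] += 1
        # Weight each tree by the gap between its mean score on the attack and on the legitimate profile
        gaps = {}
        for a in ATTRIBUTES:
            m_atk = sum(self.node_score(a, p[a]) for p in attack_pkts) / len(attack_pkts)
            m_leg = sum(self.node_score(a, p[a]) for p in legit_pkts) / len(legit_pkts)
            gaps[a] = max(m_atk - m_leg, 0.0)
        total = sum(gaps.values()) or 1.0
        self.weights = {a: gaps[a] / total for a in ATTRIBUTES}

    def score(self, pkt):
        return sum(self.weights[a] * self.node_score(a, pkt[a]) for a in ATTRIBUTES)

    def classify(self, pkt, threshold=THA):
        """Returns ('attack', score) and feeds the packet back into the attack trees (the paper's
        feedback loop) when the score exceeds the threshold, else ('legit', score)."""
        s = self.score(pkt)
        if s > threshold:
            for a in ATTRIBUTES:
                self.attack[a][pkt[a]] += 1
            return "attack", s
        return "legit", s

    def nodes_to_share(self, freq_threshold):
        """Digests of attack-tree nodes whose frequency reached the threshold: what a router sends
        to its peers instead of the whole tree (the digest choice is this example's assumption)."""
        return sorted(hashlib.sha256(f"{a}={v}".encode()).hexdigest()
                      for a in ATTRIBUTES for v, n in self.attack[a].items() if n >= freq_threshold)


def packet(dst, src, rate, rate_var, length, proto):
    return dict(dst=dst, src=src, rate=rate, rate_var=rate_var, length=length, proto=proto)


# Constructed training profiles standing in for the KDD 99 DoS records used in the paper:
# a SYN flood toward one server from spoofed sources, and ordinary client traffic.
ATTACK_PROFILE = [packet("10.0.0.5:80", f"203.0.113.{n}", "high", "low", "small", "tcp") for n in range(10, 14)]
LEGIT_PROFILE = [
    packet("10.0.0.5:80", "198.51.100.7", "low", "medium", "large", "tcp"),
    packet("10.0.0.7:443", "198.51.100.8", "low", "medium", "large", "tcp"),
    packet("10.0.0.9:53", "198.51.100.9", "medium", "high", "small", "udp"),
    packet("10.0.0.5:80", "198.51.100.7", "low", "high", "large", "tcp"),
]


def build_trees():
    trees = AttributeTrees()
    trees.train(ATTACK_PROFILE, LEGIT_PROFILE)
    return trees


if __name__ == "__main__":
    trees = build_trees()
    flood = packet("10.0.0.5:80", "203.0.113.99", "high", "low", "small", "tcp")
    client = packet("10.0.0.7:443", "198.51.100.8", "low", "medium", "large", "tcp")
    print(trees.classify(flood), trees.classify(client))
    print(trees.nodes_to_share(4))
```

Scores lie in [0, 1]; a value above Tha = 0.32 drops the packet and folds its attribute values back into the attack trees, so a second packet from the same flood scores higher than the first, which is the margin the paper's feedback loop is meant to widen. nodes_to_share returns only digests of nodes whose attack frequency reached the threshold, the compact update a perimeter router would send to its peers; a peer can match a digest only against values it has itself seen, it cannot recover the value from the hash.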



features is identified for the six attributes considered for traffic classification by the proposed system namely Destination address and port, Source address, Frequency of packets per flow, Frequency variations in traffic flow, Length of the packets per flow, Type of protocol used in per flow traffic. Six attribute trees are used and packets over a time window of 2 plus minutes is used to analyze the output parameters. 6.2 Performance Analysis The threshold value for the packet score to discriminate the attack traffic is evaluated as depicted in fig. 4 and fig. 5. The system is tested with attack traffic and legitimate traffic separately to define the limit. As the threshold value approaches 0.32, the number of attack packets getting dropped at the router is increased. Similarly the maximum legitimate traffic passed through the routers is for the threshold value nearly 0.3. Hence the attack threshold Tha is set as 0.32 for testing.



6



RESULTS AND ANALYSIS SIMULATED STUDY



OF



6.1 Simulation Environment The proposed system is deployed in active networks where the routers are programmable. ANTS is a Java based toolkit used for constructing an active network and the solution is deployed and tested in ANTS. As ANTS has limitation in the size of topology that can be defined, a distributed version is developed, as defined in our earlier work[36], to support larger network topology for simulation. The test topology with zombies to launch DDoS attacks as shown in fig.3 is used for testing the defense system proposed that is deployed in all the intelligent routers at the network perimeter.



Figure 4: Flow through router for attack traffic



Figure 5: Flow through router for legitimate traffic Figure 3: Test topology in active network DARPA dataset is the standard dataset in the field of intrusion detection [37],[38] .KDD 99 intrusion detection datasets, which are based on DARPA 98 dataset, provides labeled data for feature identification and is the only labeled dataset publicly available. 10% of the data set corresponds to DoS attacks. In the training data set containing 24 attack types classified into 4 broad classes, only the DoS class of records were taken as the data set for evaluation. The relevance of each feature in KDD 99 intrusion detection datasets with 41 Based on various simulation runs performed using generic, nominal and SYN-flood attacks, the false alarm rate is evaluated. The average false positive percentage is 2.65 for nominal traffic and 0 for others while the average false negative percentage is 2.5, 2.08, 3.55 for generic, nominal and SYN flood attacks. Since the solution deployed at the routers employs feed back loops to allow learning cum detection for fine tuning the detection process, it is justified that false negative rate exceed false positive as some attack packets get through the routers undetected at the initial time instances of testing time window.



UbiCC Journal - VolumeUbiquitous Computing and Communication Journal 3



2



18



7



CONCLUSION



DDoS attacks threatening the inter network services need to be detected effectively and as early as possible. In this paper, an effective detection method using packet features mined using set of trees for detection has been proposed. As the static nature of the trees prevents it from gaining knowledge as traffic pattern changes on the fly, for the new attack patterns, a dynamic updation algorithm has been employed by restructuring it into an array of optimal attribute trees. Attribute trees have been designed such that they keep track of the distinct properties of attack packets as learned from attack traffic profile to improve detection accuracy. Hence multiple trees do help in determining the legitimacy of the packets. The trees are weighed to reflect the efficiency with which it can classify the packet as attack or legitimate. To prevent the random growth of the trees, an optimization mechanism has been applied for efficient searching of the tree to improve the detection time as well as the detection efficiency. As the detection mechanism is deployed at source network, it also acts as a prevention system, though not a complete prevention system. 8 REFERENCES



[8] J. Ioannidis and S.M. Bellovin: Implementing Pushback: Router-Based Defense Against DDoS Attacks, Proceedings of Network and Distributed System Security Symposium (2002). [9] M. Adler: Trade-offs in probabilistic packet marking for IP trace back Journal of the ACM, vol. 52, no. 2, pp. 217-244 ( 2005). [10] A. Yaar, A. Perrig, and D. Song: FIT: Fast Internet trace back, IEEE INFOCOM, pp. 13951406, (2005). [11] A. Belenky and N. Ansari: IP Trace back with Deterministic Packet Marking, IEEE communications Letters, vol. 7, no. 4, pp. 162-164 (2003). [12] A. Yaar, A. Perrig, and D. Song: Pi: A path identification mechanism to defend against DDoS attacks, IEEE Symposium on Security and Privacy, pp. 93-107 ( 2003). [13] A. Yaar, A. Perrig, and D. Song. SIFF: A Stateless Internet Flow Filter to mitigate DDoS flooding attacks, IEEE Symposium on Security and Privacy( 2004). [14] Xiaowei Yang, David Wetherall and Thomas Anderson: A DoS limiting Network Architecture SIGCOMM’05, pp: 22–26 , (2005). [15] Takanori Komatsu and Akira Namatame: On the Effectiveness of Rate-Limiting Methods to Mitigate Distributed DoS (DDoS) Attacks, IEICE Transactions on Communications, E90-B(10), pp: 2665-2672 (2007). [16] C.-K. Fung and M.C. Lee: A Denial-of-Service Resistant Public-key Authentication and Key Establishment Protocol, Proceedings of IEEE International Performance, Computing and Communications, (2002). [17] Shuyuan Jin, Daniel S. Yeung: A Covariance Analysis Model for DDoS Attack Detection, IEEE Communications ( 2004). [18] George Oikonomou, Peter Reiher, Max Robinson, and Jelena Mirkovic: A Framework for Collaborative DDoS Defense, Proceedings of the Annual Computer Security Applications Conference ( 2006) [19] Matthew Beaumont-Gay: A Comparison of SYN Flood Detection Algorithms, Proceedings of the Second International Conference on Internet Measurement and Protection ( 2007). [20] Jelena Mirkovic, Peter Reiher: D-WARD: A



[1] L.Garber: Denial of service attacks rip the Inter net, IEEE Computer, vol. 33, no. 4, pp. 12-17 (2000). [2] D. Pappalardo and E. Messmer: Extortion Via DDoS on the Rise, Network World( 2005). http://www.networkworld.com/news/2005/051605ddos-extortion.html [3] D.L.Tennenhouse and D.J.Wetherall: Towards active network architecture, Computer communication review,vol.26,no.2( 1996). [4] K. L. Calvert et al.: Directions in Active Networks, IEEE Communications( 2001). [5] P. Ferguson and D. Senie: Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing, RFC 2827 (2000). [6] S.Templeton: Detecting Spoofed Packets, Seminars , UC Davis Computer Security Laboratory ( 2002). [7] Cheng Jin, Kang G. Shin, and Haining Wang: Defense Against Spoofed IP Traffic Using HopCount Filtering, IEEE/ACM Transactions on Networking ( 2007).



UbiCC Journal - VolumeUbiquitous Computing and Communication Journal 3



3



19






Coordinated Support for Application-Aware Networks

LakshmiPriya TKS, Ranjani Parthasarathi. Department of Computer Science and Engineering, Anna University, Chennai, Tamilnadu, India. tkslp@cs.annauniv.edu, rp@annauniv.edu



ABSTRACT The networking domain is witnessing a shift from traditional ‘protocol layer-aware’ processing to operating across these layers. Current network devices are being designed to inspect and even process packet contents. Thus the network is beginning to be application-aware. In this paper the evolution of application-aware networks is analyzed. Given the current trend, it is observed that application-aware networks would soon face certain challenges, one of them being lack of coordination among the application-aware services. As a solution, a grid-based framework that facilitates the provisioning and coordination of application-awareness in the network is provided. The service architecture and mode of operation of this framework are presented. A case study is then presented to demonstrate the use of this grid to support multimedia data transfers, and the performance is analyzed using network processor-based devices as grid nodes. The analysis shows that (a) network processor-like devices, with their rich set of packet processing resources, can handle the additional load to support application-aware processing, and (b) with minimal overheads, end-to-end performance can be enhanced with the help of the grid. Keywords: Application-aware networks, application-aware services, network-infrastructure grid, network processors.



1 INTRODUCTION



The network is undergoing a paradigm shift from a dumb bit-transferring medium to an intelligent packet processing entity, keeping QoS as a key parameter. With the introduction of Deep Packet Inspection (DPI) [1], this slow but sure shift is crossing the barriers of the conventional layered protocol architecture. DPI, wherein layer 4-7 headers are inspected to classify flows, is adopted in many routers to provide QoS guarantees. This is a major step towards better utilization of the information contained in the packets for providing intelligent network services to applications and end-users. An extension of the DPI concept is content inspection [15], wherein policy decisions in the network are based on application-layer data. With the advent of multi-core processor-based networking equipment, it is now possible to operate upon the packet contents as well, i.e., there is a move towards content processing [9]. Thus networks are now becoming application-aware. All these techniques, namely DPI, content inspection and content processing, which contribute to this application-awareness, are being adopted by networking vendors in the design of their networking devices. Industry initiatives such as those by Cisco and F5 Networks [2, 7] are making provisions for applications to talk to network devices. Such communication between applications and the network is enabled by adopting metadata descriptors [17] and semantic tags [18], i.e., the application is made visible to the network. By incorporating this visibility into application data, application-specific policies are made in the network to offer QoS services that cater to specific transactions. Currently, the focus of application-aware services is mainly in the area of traffic management and security [23, 27]. However, other areas such as enriching web services by gathering designated data [13], context-aware content adaptation for mobile devices [19], and XML processing [17] are also being examined. Given this trend, it can be seen that the scope for application-awareness in the network is tremendous. Entire applications that run at the end systems can be offered from within the network to support low-capability end-systems. Further, such services can be offered dynamically, on the fly, to improve the end-to-end performance. However, to elevate the existing network to such an intelligent, application-aware ‘processor’ that interconnects heterogeneous networks and devices, the authors foresee a number of challenges. These challenges are mainly in terms of (i) the need for a global view, (ii) coordination and (iii) interoperability. A global view of the network is essential for application-aware services that are offered along the datapath to support a given application. This facilitates proper resource utilization and enhanced end-to-end performance. Further, to offer optimized multi-point services, these services must coordinate among themselves. Thirdly, interoperability among the services is essential to handle heterogeneity issues in terms of device capability, multiplicity of network infrastructure vendors, specifications and protocols.






Currently, the application-aware services offered lack one or more of these requirements. This leads to unorganized provisioning of services, resulting in inefficient use of network resources and unidentified bottlenecks that hinder end-to-end performance. Thus, it can be seen that there is a need for a network-wide framework that allows for heterogeneity but facilitates seamless integration of services. We identify that this scenario is akin to that of a computational grid that pools distributed resources to offer services on demand. Hence we propose a grid-based framework at the network layer that spans across the entire network, in the form of an overlay, offering end-to-end application-aware services. Just as the conventional computational grid harnesses the distributed computational resources, this grid-based framework pools the application-aware processing power in the network and facilitates coordinated support for provisioning and offering network-wide application-aware services. In this paper, we present the details of this framework and showcase the benefits that such a framework can offer. In the next section we provide a survey of the current state of application-awareness in the network. In Section 3, the concept of the grid-based framework is introduced and its service architecture and mode of operation are detailed. In Section 4, the application-awareness exhibited by the various entities in this framework is discussed to bring out the in-network coordinated support offered by this network-layer grid. The performance benefits of this grid framework are illustrated using a case study for a specific application, namely media data transfer, in Section 5. The choice of media data transfer as a case study demonstrates the provisioning of an application-level service, such as media adaptation, as an in-network service in a coordinated manner. This also serves to highlight the integration of existing protocols into the grid-based framework.
The additional load on the networking devices, specifically network processors, to support the application-aware services is evaluated. We find that network processors are suitable candidates for hosting such services. Further, while comparing the experimental results of the end-to-end delays using the grid framework with those of the conventional network scenario, the authors find that the overheads of in-network processing are negligible. Thus, our major contributions in this paper are (i) the proposal of a framework for a network-layer grid to provide coordinated support for application-awareness, (ii) a survey of the current application-aware scenario and (iii) substantiating the framework in terms of feasibility and performance using a currently relevant application as a case study.



2 APPLICATION-AWARE NETWORKING – A SURVEY



In this section, a survey of Application-Aware Networking (AAN) is presented. Research in incorporating application-awareness in the network was pioneered by Peter Steenkiste et al. as part of the Darwin project [4, 24]. Their work focuses on the need for incorporating application-awareness in the network and claims that network services should adapt themselves to the application flows in order to offer an effective service to highly demanding applications. They identify that such an adaptation requires developments in resource discovery, resource management, security, accounting, and cooperative processing. Their work develops resource management mechanisms [24] that may be customized by the applications or the user, thereby making them application-aware, and proposes a programmable network architecture, the core of which is a programmable router, namely the Darwin router. The Darwin router architecture is shown in Figure 1.



Figure 1. Darwin Node Architecture (Courtesy: Darwin Project website)

It consists of ‘delegates’ that perform control plane tasks and Packet Processing Modules (PPMs) that perform the data plane tasks. The interface between these modules is a set of function calls called the Router Control Interface (RCI). The RCI triggers a hierarchical scheduler and a resource monitor with system calls. Thus, with this router architecture, it is shown that application-specific adaptation can be performed to optimize QoS at runtime. Another notable work towards enhancing the network’s application-awareness is the effort by the IETF’s Open Pluggable Edge Services [20] working group. This group has developed a framework that distributes and invokes network services at the application layer, referred to as ‘networked content services’. Network intermediaries such as proxies and web caches may utilize these services to improve the users’ experience. The work mainly focused on providing






networked content services for HTTP and SMTP based applications [12]. Further research in introducing application-awareness has been on developing application-aware networking algorithms and protocols. In this line, de Amorim et al. [5] have used application-level information for application-based classification to improve the quality of multicast multi-layered applications. Vogel et al. [25] have made use of application semantics to construct multicast distribution trees efficiently. Here, the application specifies the priority, based on which the multicast tree is constructed. For higher priorities, the tree is constructed with a more direct path from the sender to the packet’s destination. Yin and Wang [26] have employed a customized application engine that translates the application-specific security policies and provides them to the existing IPSec policy management interface. By doing this they show that end-to-end IPSec security services can be exploited for environments like VPNs. Turning to the developments from the industry side, we find that a number of major network device vendors have introduced different versions of AAN concepts and devices. F5 Networks [6] has introduced traffic management products like BIG-IP that have a built-in application-aware networking logic, namely iControl. This is an integrated, open architecture that facilitates the network devices to talk to the applications. This new layer of intelligence facilitates the automation of network traffic management tasks and decisions, thereby eliminating human intervention. Recently the combined effort of F5 and Microsoft has resulted in the use of XML for the inter-communication between devices and applications [7]. Cisco has introduced its Application-Oriented Networking (AON), a network-embedded intelligent message-routing system [3].
AON-enabled Cisco routers and switches can probe deep into the data packets, explore the application-layer messages and perform business policy-based operations on the messages in transit, thus enhancing network functions such as quality-of-service, traffic offloading, caching and compression on the application-layer messages. Cisco’s conceptual model of the AON architecture [2] is shown in Figure 2. The AON concept is based on the principles of Application-aware networking (AAN), i.e., every AON node is application-aware. Cisco aims at providing quick cross-enterprise integration by using the AON-enabled network as a channel. Juniper Networks has introduced the Enterprise Infranet framework [16] for intelligent traffic processing, which aims at providing unified access control of the enterprise network. The framework consists of Infranet controllers, enforcers and



agents, which coordinate to offer access control, security and application delivery. The key focus of this framework is security. Secure communication between the endpoints and the network is provided using policies based on dynamically assessing the endpoints. The framework facilitates networking operations such as filtering, security and assured delivery using deep packet inspection.



Figure 2. Cisco’s AON architecture (Courtesy: ACM Queue)

DataPower has also entered the application-aware arena by introducing its XML-aware network devices, which are capable of routing XML messages in a secure and optimized manner. XML-aware networking (XAN) offers interoperability and quick deployment. DataPower has introduced a series of XML-aware network devices [17], including XML accelerators and XML security gateways specifically for security. Processor manufacturers have also been lured into this arena. Freescale Semiconductor has developed a multi-core processor architecture [10] that handles control/data plane and application-aware content processing [9] with security as the focus. The processor has support for operations such as deep packet inspection, pattern matching, encryption acceleration, and network admission control. These tasks can be performed at multi-Gigabit speeds. Thus it is evident that in recent years the concept of application-aware networking has pervaded the networking industry. Although all these industry majors have coined a new term for their respective innovations, they all fall under the common umbrella of Application-Aware Networking. As can be observed, some of these companies are offering AAN-based services for specific purposes; for instance, Juniper Networks offers AAN-based secure communication within the network and DataPower offers AAN-based network traffic and application-specific routing. A few others, such as Cisco, have proposed a






framework that accommodates several networking features. Except for one or two efforts [3, 6], many of the application-aware initiatives concentrate on localized solutions and do not view the network as a whole, i.e., they do not address the challenges in terms of interoperability, coordination and global view. Further, the potential of AAN is much larger than the current developments: it is possible to offer entire applications in the network in an organized manner, thereby enhancing the end-to-end performance. But with the current trend, networks would be inundated with uncoordinated high-performance spots. Such provisioning of these services with a lack of coordination among the intelligent networking devices creates an ‘unorganized’ application-aware environment for end-to-end applications. In a scenario such as this, the end-to-end performance is limited to that of the least-performing spot along the service path, despite the availability of an intelligent, application-aware environment with powerful networking devices. Thus, there is a need for an infrastructure that facilitates an organized provisioning of application-awareness. Such an infrastructure must pool the application-aware power in a coordinated manner and offer seamless performance benefits to the end-to-end applications. The Network-layer grid that we have proposed in our earlier work [28] is one such infrastructure to enhance the network experience of end-to-end applications by dynamically provisioning appropriate services along the service path and offering them in a coordinated, composite manner. The idea of this grid-based framework is motivated by the advent of powerful network devices such as the network processors [11], which can take the additional load in the network, and the introduction of mechanisms such as DPI and content processing. In the next section, the details of this grid, its service architecture and mode of operation are provided.

3 THE NETWORK-LAYER GRID



The network-layer grid consists of the network entities that form the infrastructure of the network. This grid shares the following characteristics with a conventional application-layer grid: use of idle/under-utilized resources, large-scale sharing of heterogeneous resources, and possession of a global view. However, a number of other features distinguish it from the conventional grid. The network infrastructure grid forms an overlay on the existing network, spanning across the entire Internet, edge-to-edge, as shown in Figure 3. The network service providers, and other service providers who operate in the network, form the service providers of the network-layer grid. The end-systems are the users. Unlike the computational grid, the network-layer grid can be transparent to its users. That is, the grid-users need not explicitly request the grid for a service. During a client/server transaction on the Internet, the onset of the client/server request may implicitly trigger the grid operations.

Figure 3. Network-infrastructure grid as an overlay (layers shown: Infrastructure Grid; Powerful Network Intermediaries; Network Servers and Clients)

The network-layer grid, with a single-system view of the network, coordinates the sharing of the resources across areas of under/over-utilization. The ‘resources’ in the context of the network-layer grid refer to the network-processing services offered at the in-network nodes. The architecture of the network-layer grid, namely the iSEGrid, is presented below. The network entities, which are inherently application-aware, are termed in-network-Service-aware Entities (iSEs), thus giving the grid its name, iSEGrid.

3.1 iSEGrid Architecture

The iSEGrid architecture is a four-layer hourglass-shaped service architecture analogous to the four-layer conventional computational grid protocol architecture [8], which consists of the Application layer, the Collective layer, the Resources and Connectivity layer and the Fabric layer. The four layers of the iSEGrid architecture are: (i) the iSEGrid Services layer, analogous to the Application layer, (ii) the Aggregate Decision-making layer (ADm services), analogous to the Collective layer, (iii) the Local Decision-making layer (LDm services), analogous to the Resource layer, and (iv) the Basic Network-processing layer (BNp layer), analogous to the Connectivity and Fabric layers put together, as shown in Figure 4. The iSEGrid services layer, which is the topmost layer, comprises the services which the grid offers to its consumers. These are applications supported by the iSEGrid, transparently, with the benefits of global view, coordinated approach and application-awareness. For instance, a regular file request service when offered as an iSEGrid service






reaps the benefits from the global view of the network by coordination of load-balancer at the server edge, link-level caches at the core and virus filtering at the client edge. Similarly a media multicast service when offered as an iSEGrid Service may involve application-aware processing to perform early transcoding in the network.

Figure 4. iSEGrid Service Architecture and its Functional Analogy to Computational Grid Architecture (iSEGrid service stack, at the IP layer of the TCP/IP stack: Transport layer and above; iSEGrid Services Layer; Aggregate Decision-making (ADm) Layer; Local Decision-making (LDm) Layer; Basic Network-processing (BNp) Layer; MAC and Physical Layers. Computational Grid Architecture: Application Layer; Collective Layer; Resources Layer; Connectivity & Fabric Layer)

Each iSEGrid service is partitioned into many network-wide services such as choosing the best/alternate path, selecting the appropriate server or setting up a network-pipeline along the datapath. These services constitute the Aggregate Decision-making layer. Apart from these, management and control services that involve monitoring, control and recovery, resource brokering, and other application-specific tasks are also classified as ADm services. Typical resource brokering operations are managing idle resources, delegating tasks to the grid nodes, aggregating services from them, enforcing policies, resource accounting and charging, and triggering the grid activities. The services of this layer are implemented with the global view of the network and with coordination among the datapath elements. The Local Decision-making layer comprises services that are performed at the individual network elements. These node-level in-the-net services may be the typical network-layer services such as Diffserv, multicasting, traffic monitoring, feedback-based packet processing and load balancing, or the application-layer services that involve content processing, such as media adaptation or XML processing. Management and security services such as local resource management and secure access to the grid resources are also part of the LDm layer. The services of this layer are implemented with application-awareness. Each of these services may be developed as code components to enable on-demand code deployment using appropriate mechanisms such as active network technology or agent technology. Each LDm service constitutes several node-specific network-processing tasks, known as the Basic Network-processing services (BNp services), that make up the BNp layer. The BNp services (e.g., classification, filtering, header extraction, and table lookup) of the various network elements constitute the fabric of the iSEGrid. The implementation of these services is architecture specific. The iSEGrid mediates shared access to these network-processing services. The iSEGrid service architecture takes an hourglass shape wherein the LDm layer is thin. That is, to accommodate the diverse range of in-the-net nodes, the set of core LDm services is kept small and a broad range of services at the ADm layer are implemented on top of these.

3.2 iSEGrid Components

The iSEGrid consists of all varieties of edge nodes as well as core nodes as its grid-nodes, the iSEs. These nodes possess diverse characteristics in terms of processing power, memory, data rate, type of protocol handled, QoS characteristics, data medium, and type of interface. In addition, being part of different administrative domains, these nodes follow different policies and practices. The requirements for an in-network node to be an iSE are the availability of ‘excess’ resources that it can volunteer to the grid, the ability to be an Active Node and the ability to perform application-aware processing. Resources that may be volunteered by the iSEs are services of the BNp layer. To volunteer services, the network node should have an excess supply of the underlying resources, namely computational threads, CPU time, memory or buffers, and the ability to handle an additional flow of packets. The iSEGrid environment consists of five types of ‘entities’ and two types of users, as shown in Figure 5. Apart from being service providers (i.e., the iSEs), the volunteering nodes may assume the role of Resource Brokers (iSE_RBs), Grid Portal (iSEGrid Portal), information Directories (iSE_Dirs) and Active-Code Repositories (iSE_ACRs). The server applications and the client applications of the Internet form the two types of users (iSE_user_SA and iSE_user_CA). These user applications may run on large servers, PCs, laptops, mobile phones or any other computational devices. The iSEs are the network nodes that are scattered across the network. They perform the services of the LDm and BNp layers. The iSE_RBs are the powerful network nodes, preferably at the network edge. They are the key players on the iSEGrid and possess a global view of the network. They intercept the traffic from the user nodes to detect the need for an iSEGrid service. They perform the operations that constitute the ADm services layer and the operations that involve management and






control. Typical management and control operations include responding to the messages from other iSE nodes and triggering the activities at the iSEs and at the iSE_RB itself.

Figure 5. iSEGrid Environment with its components (iSEGrid Portal; iSE_Dir; iSE_User_SA; iSEGrid Service Providers (iSEs); iSE_ACR; iSE_User_CA; iSEGrid Resource Brokers (iSE_RBs))

The users communicate directly with the iSEGrid only at the time of registration. They need not make an explicit request for service to the grid. The grid and its operations are thus transparent to the end-users. The iSEs and iSE_RBs are nodes that offer services on the iSEGrid, while the iSE_ACRs, the iSE_Dirs and the iSEGrid Portal provide support functions. The iSE_ACRs are nodes, such as storage servers, that volunteer storage space. The code modules necessary for offering the various services on the iSEGrid are developed as active software components and are stored at the iSE_ACRs. These active components are deployed at the grid nodes either during registration or on demand while offering the services. The iSE_Dirs are volunteer nodes that maintain the collective data, metadata and other information required for normal grid operations. The iSEGrid Portal is a publicly accessible entry point for the iSEGrid. The in-network node owners can register their nodes as iSEs via this portal, while the server applications and the client applications can register themselves as users. This portal maintains the static part of the directories while the rest is maintained at the iSE_Dirs.

3.3 iSEGrid operations



The iSEGrid operation is designed to be transparent to the end-users. Even without an explicit request for service on the iSEGrid, the iSE_RBs, which are positioned at the edge of the network, intercept the application packets passing between the end-systems and detect the need for an iSEGrid service. It is of course possible for an end-user to make a request for an iSEGrid service. The iSEGrid operates in a two-phase mode for each end-to-end application. The two phases are the setup phase and the in-service phase, as shown in Figure 6. (i) During the setup phase, network nodes (i.e., network service providers who own the network nodes) register themselves as appropriate iSEGrid components via the iSEGrid Portal, and the necessary initialization tasks are performed. In this phase, the iSEGrid users specify their service requirements (i.e., service-level agreements and QoS specifications) while iSEGrid nodes provide their resource specifications.



Figure 6. iSEGrid – 2-phase Operation (entities: iSE_user_SA, iSEGrid Portal, iSE_RBs, iSEs, iSE_CR, iSE_Dir, iSE_user_CA. Setup Phase: iSE Registration, iSE_RB Registration, iSE_user_CA Registration, iSE_user_SA Registration. In-service Phase: Client/server Request, Triggering the iSEGrid service, Initiate the iSEs, Active Deployment, Offering the services)

This is followed by service or resource negotiation. After successful negotiation, iSEGrid-specific code modules are deployed at the newly registered nodes and they are ready for operation. In the case of a user registration, certain additional tasks are performed that are necessary to make the grid operation transparent to its users. For this, after a user has successfully registered, the iSEGrid Portal






identifies appropriate iSEGrid services (i.e., the top layer of the iSEGrid service stack) and their service requirements as per the negotiation. For each of these iSEGrid services, the portal determines the equivalent aggregate decision-making services. To offer these services, iSE_RBs are chosen and tasks are delegated to them. A special iSE_RB that is situated at the network edge, close to the user, is chosen and designated as the ‘user’s contact point with the grid’. In iSEGrid terminology, this task is referred to as “RB-user pairing”. All further communications with the grid are done through this iSE_RB, and this iSE_RB is responsible for offering iSEGrid services to this user. (ii) The in-service phase extends throughout the request/response session between clients and servers (or peers in a P2P network). The onset of this phase is the arrival of a request message (such as an HTTP request) at the network edge. At the edge, an iSE_RB awaits this event by intercepting messages from the client. This iSE_RB determines the type of services required for the current service session, chooses appropriate iSEGrid nodes along the request/response path and delegates the tasks to them. The iSEGrid nodes offer the services in a cooperative manner and work towards the goal of ‘offering an enhanced network experience’. During the services, the iSE_RBs facilitate and aid the coordination among the iSEGrid nodes. They also monitor the services to detect any need for alternate services, in case of any deviation from the expected QoS guarantees. The iSE_RBs may cooperate with each other or form a hierarchical resource broker structure if necessary, to provide a service. iSE_ACRs are contacted for on-demand code deployment and iSE_Dirs offer information services during the two phases. At the end of the service phase, wind-up operations take place during which the grid nodes associated with this service are relieved of their tasks.
In this section, the service architecture which facilitates the design of application-aware services and the overall operation of the iSEGrid have been described. In the next section, the role of the iSEs and the iSE_RBs in providing application-aware services is discussed.

4 APPLICATION-AWARENESS EXHIBITED BY THE ISEGRID



The application-awareness exhibited by the iSEGrid can be in one of three ways: the in-the-net services performed at the iSEs, the network-wide services performed at the iSE_RBs (uncoordinated) and the network-wide services performed at the iSE_RBs with coordination. These are discussed below.

4.1 Application-awareness at the iSEs

The application-aware operations that iSEs perform on the packet flow may be (i) decision-making operations and/or (ii) packet processing operations. iSEs can determine the kind of network service required for the current packet flow by probing deep into the packets, even up to the application payload (i.e., packet contents). These tasks are the LDm services described in the iSEGrid service stack. The application-aware packet processing operations involve content inspection/processing. Content-based classification, content extraction and content table manipulation fall under this category. These tasks belong to the BNp layer of the iSEGrid service stack.

4.2 Application-awareness at the iSE_RBs (uncoordinated)

The iSE_RBs employ the DPI mechanism to intercept the traffic passing through them for detecting the request/response packets. Once an iSEGrid service is detected, the iSE_RB begins resource brokering tasks, i.e., implicit triggering. The ‘implicit triggering’ task demonstrates uncoordinated application-awareness at the iSE_RBs.

Figure 7. Implicit Triggering at a single iSE_RB – To demonstrate Application-awareness in iSE_RBs (entities: Client, iSE_RB, iSE 1, iSE 2, Server; steps: Client/Server Request, Implicit Triggering, Select iSEs, Initialization Operations, Start Service at iSEs)

Implicit triggering involves selecting the iSEs required for the current service, initiating the necessary initialization operations at the iSEs and starting the services at the iSEs. Figure 7 shows the sequence of these events. Each of these tasks operates on the application-layer messages. These tasks may involve aggregating the results from other nodes on the iSEGrid and are services belonging to the ADm layer of the iSEGrid service architecture.

4.3 Application-awareness exhibited due to coordination of the iSE_RBs

On the iSEGrid, during most of the iSEGrid services, the client-side and server-side iSE_RBs must coordinate and offer resource brokering services. This helps them to acquire knowledge of the client- and server-side networks, to determine the parameters that influence the service and to select the appropriate intermediate iSEs for the service. Further, this coordination helps to make dynamic on-the-fly decisions regarding the choice of services. This is more significant for composite services that are offered at multiple points or for services that require aggregation of results. Such tasks involve message-level processing and semantic analysis of the content. Figure 8 shows the time sequence diagram of a typical client/server request being serviced by the iSEGrid. Here the two iSE_RBs, namely RB1 and RB2, coordinate with each other to offer iSEGrid services for the client/server transactions effectively.

[Figure 8: time sequence diagram with participants Server, RB 1, iSE 1, iSE 2, RB 2 and Client; events in order: Client/Server Request, Implicit Triggering (at RB 2 and at RB 1), RB – RB Coordination, Select iSEs, Initialization Operations, Start Service]

Figure 8. Implicit Triggering at two iSE_RBs – To demonstrate Application-awareness in coordinating iSE_RBs

The operation of the iSEGrid and its benefits can be best understood with an example. In the next section a case study is used to walk through the process of building application-aware services in this framework and to evaluate the benefits.

5 DESIGNING SERVICES ON THE ISEGRID AND PERFORMANCE EVALUATION

The application chosen for the case study is multimedia data transfer over wide-area networks to end-systems of varying capabilities. In an environment where clients such as mobile nodes or laptops have varying resource capabilities, it is necessary to transcode the data before delivering it to the client. Different levels of transcoding are normally employed to cater to the heterogeneity of the clients, and transcoding is normally carried out at the network edge, i.e., the server edge or the client edge. A typical media multicast scenario consists of multicast routers (mrouters) and multicast groups of heterogeneous clients, forming a tree topology. In order to avoid unnecessary traffic down the multicast tree, the task of transcoding (i.e., media adaptation) may be entrusted to the mrouters that lie in the network. That is, in the iSEGrid scenario, transcoding can be offered as an in-network service. One of the mrouters along the path may be dynamically assigned this task while all other mrouters perform the regular IPv4 forwarding operation, under the control of the iSE_RBs. Thus, two services to support multimedia data transfers, namely, the media transcoding service and the resource-brokering service (which is required for any application on the iSEGrid), are considered. The iSEGrid environment for multimedia data transfer with the in-the-net media transcoding service is shown in Figure 9. The Edge Routers (ER) at the client side and the server side play the role of iSE_RBs, while the mrouters (mR) along the datapath form the iSEs on the iSEGrid. The media transcoding service is offered at the mrouters while the resource-brokering service is offered at the edge routers.

[Figure 9: datapath S (User) → ER (RB: Insert XML Description) → mR (iSE: Multicasting, media Transcoding) → mR (iSE) → ER (RB) → C (User). Legend: S: Server; ER: Edge router; mR: multicast Router; C: Client]

Figure 9. Datapath for iSEGrid-based transcoding service

All video files are encoded using a hierarchical encoding scheme to facilitate faster transcoding and to support codec-independent adaptation. Media-content-specific annotations are provided from the server end. The server-side RB, which is responsible for such annotations, intercepts the traffic to the server, detects the client/server request that requires annotations, probes the corresponding server-response packets and provides the annotations. To describe the structure of the video, XML has been used in this service. The XML-based metadata followed by the raw video bit stream constitutes a parse-able unit of a video, defined as the ‘unit’. Each such unit is transmitted to the multicast clients in IP packet(s). The level of media adaptation done at a router depends on the maximum capabilities of the client group under it and the congestion information along the downstream. Of the two services supporting this application, the media transcoding service demonstrates high application-awareness at the iSEs and involves complex content-processing tasks. The resource brokering service is an ADm service and is an example of uncoordinated application-awareness at the RBs. These two services are developed using appropriate LDm and BNp services, as discussed below.

5.1 Design of Media transcoding service at the mrouters on iSEGrid

The entire service is designed using established protocols and standards [22], such as the Internet Group Management Protocol (IGMP) for maintaining the multicast groups corresponding to the media streaming sessions; the Resource reSerVation Protocol (RSVP) for clients to provide their capability information; the Real Time Protocol (RTP) for transmitting the media content; the RTP Control Protocol (RTCP) for feedback-based congestion determination; and the Global BitStream Definition (gBSD) [21] with a standardized eXtended Markup Language (XML) for media content description. Each mrouter that plays the role of an iSE in this service is triggered by the server-edge RB that provides annotations for this service. These nodes probe deep into the various packets to determine the packet type (IGMP, RSVP, and RTCP), interpret the commands in them, and take appropriate protocol actions. Upon receiving the IGMP join/leave commands, the mrouter performs multicast group handling actions. In response to the RSVP capability information command, the client capability parameters are updated in a look-up table (capability table). The Receiver Reports (RR) of RTCP carry the feedback, which specifies the status of the media packets (sequence number, time stamp, etc.) received at the client and is used by the mrouters to adjust the transcoding level. Each of these actions is composed of LDm or BNp services. RTP packet processing, however, is different and involves content inspection/processing tasks. The iSEs begin by parsing the XML data (i.e., metadata) to extract the video descriptions in each RTP packet. The metadata helps to identify the layers of the video and to selectively drop layers (i.e., to transcode). Finally the iSEs generate new video descriptions that match the transcoded data and forward the entire packet downstream. The iSEGrid-based transcoding service is transparent to both the servers and the clients. This service demonstrates the application-awareness exhibited by an iSE. This is evident from the fact that each iSE extracts the semantics from the RTP packets, interprets it, and processes it. Processing the contents involves two tasks: transcoding the video unit (an application-layer task), and generating a new packet with updated application-layer information (content generation for a packet).
Secondly, this service demonstrates the coordination of services among the iSEGrid nodes to facilitate ‘in-the-net transcoding’ by employing an RB to provide annotations at the server edge. Thirdly, this service is an illustration of traffic reduction along the multicast tree, achieved by employing transcoding at an early point along the datapath. For the purpose of evaluating this scenario, this service is designed for the Intel IXP2400 network processor, which can be considered as a typical in-network node. The IXP2400 has 8 microengines (MEs) and memory resources for packet processing. Hence it is necessary to efficiently map the tasks onto these microengines to support in-the-net processing. One such mapping, in the form of a design pipeline for the transcoding service, is shown in Figure 10. The data pipeline stages designed for the media transcoding service are (i) Classifier at the Ingress, (ii) Packet Segmentation and Packet Generation at the Egress and (iii) the Content Adaptation module.

At the Ingress, the media switch fabric interface of the IXP2400 stores layer-2 ‘mpackets’ in the receive buffers. The Ingress operations include picking up the mpackets from the buffers, assembling them into layer-3 (IP) packets using a state machine and validating them. The Classifier operations employ content inspection (i.e., LDm services) to classify the packets into different flows for appropriate processing. The Packet Generator module is responsible for generating layer-3 packets and involves content processing tasks (i.e., LDm services). Finally the Egress validates the packets, splits them into mpackets and sends them into the network through the media switch fabric interface. Content inspection/processing operations involved in the classifier and the packet generator modules would cause movement of content between the buffers of the respective microengines. To avoid the overhead due to these expensive memory movements, these content-based tasks have been incorporated in the media processing module. This has made the media processing module heavy, and so three microengines have been assigned to it. The multimedia data handling task, which is the major content processing task, has been designed with the following three stages:

i) Multicast Request Processing: This module receives the IGMP and RSVP packets from the classifier module for processing join/leave commands and capability commands. Accordingly, the Multicast Table is populated with multicast client information and the Capability Table is populated with the frame rate and resolution information.

ii) Feedback Processing: Feedback information in the RR reports of the RTCP packets is extracted to populate the TransRate Table with information regarding the network state along the path to the client.

iii) Multicast Media Processing: This module deals with processing the media (i.e., RTP) packets and transcoding the video based on client capability and congestion information. The Content Adaptation module performs selective dropping of frames and RTP reassembly. It uses the Parser module for XML validation, the Transcoder module for identifying the video layers to be dropped and the Packet Segmentation module for updating the metadata and packetizing the video data.
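The following is an added example, not code from the paper or the iSEGrid project, that models the content adaptation stage just described (and, in `build_unit`, the annotation step that section 5.2 assigns to the server-edge RB). It assumes a constructed unit format of an XML layer description, one NUL byte and the raw layered bitstream (not the gBSD format the paper uses), constructed Capability and TransRate tables keyed by multicast group, and assumed loss thresholds for choosing the adaptation level. It drops enhancement layers only and does not model interleaved frame dropping. The parser checks every length claimed in the metadata against the bytes actually present, which is the check an in-network node needs before acting on a description that arrived from the wire.

```python
"""Toy model of the mrouter's content adaptation stage: parse the XML-described
layered video unit, pick the adaptation level from the Capability and TransRate
tables, drop enhancement layers and regenerate metadata that matches the
transcoded bitstream.  Constructed example; the unit format (XML, one NUL byte,
raw bitstream) and the loss thresholds are assumptions, not the paper's gBSD."""
import xml.etree.ElementTree as ET

SEPARATOR = b"\x00"          # assumed delimiter between metadata and bitstream
MAX_METADATA_BYTES = 4096    # defensive cap: the metadata arrives from the wire

# Constructed look-up tables, keyed by multicast group.
CAPABILITY_TABLE = {"group-A": 3, "group-B": 2}      # max layers a group can decode
TRANSRATE_TABLE = {"group-A": 0.12, "group-B": 0.0}  # packet-loss fraction from RTCP RRs


def build_unit(layers, attrib):
    """Server-edge annotation step: describe each layer in XML and prepend
    that description to the concatenated bitstream."""
    root = ET.Element("unit", attrib)
    payload = b""
    for layer_id, data in layers:
        ET.SubElement(root, "layer", id=layer_id, len=str(len(data)))
        payload += data
    return ET.tostring(root) + SEPARATOR + payload


def parse_unit(unit):
    """Parser stage: return (attributes, [(layer_id, length), ...], bitstream).
    Every length claimed by the metadata is checked against the bytes actually
    present; an in-network node must not trust lengths that came off the wire."""
    meta, sep, payload = unit.partition(SEPARATOR)
    if not sep:
        raise ValueError("missing metadata/bitstream separator")
    if len(meta) > MAX_METADATA_BYTES or b"<!DOCTYPE" in meta:
        raise ValueError("metadata too large or carries a DTD")
    root = ET.fromstring(meta)
    if root.tag != "unit":
        raise ValueError("unexpected root element")
    layers = []
    for el in root.findall("layer"):
        length = int(el.get("len", "-1"))
        if length < 0:
            raise ValueError("bad layer length")
        layers.append((el.get("id"), length))
    if not layers or layers[0][0] != "base":
        raise ValueError("first layer must be the base layer")
    if sum(n for _, n in layers) != len(payload):
        raise ValueError("metadata lengths do not match bitstream length")
    return dict(root.attrib), layers, payload


def layers_permitted(capability_layers, loss_fraction):
    """Adaptation level: bounded by the group's capability and lowered further
    by congestion feedback (thresholds are assumed for this example)."""
    if loss_fraction >= 0.10:
        by_congestion = 1            # heavy loss: base layer only
    elif loss_fraction >= 0.02:
        by_congestion = 2
    else:
        by_congestion = float("inf")  # no congestion limit
    return max(1, min(capability_layers, by_congestion))


def transcode_unit(unit, keep_layers):
    """Transcoder + packet segmentation: keep the base layer and the lowest
    enhancement layers, truncate the bitstream accordingly and regenerate the
    XML so the downstream description matches the data."""
    attrib, layers, payload = parse_unit(unit)
    kept = layers[:max(1, keep_layers)]
    kept_len = sum(n for _, n in kept)
    root = ET.Element("unit", attrib)
    for layer_id, n in kept:
        ET.SubElement(root, "layer", id=layer_id, len=str(n))
    return ET.tostring(root) + SEPARATOR + payload[:kept_len]


def adapt_for_group(unit, group):
    """What the mrouter does for one downstream multicast group."""
    keep = layers_permitted(CAPABILITY_TABLE[group], TRANSRATE_TABLE[group])
    return transcode_unit(unit, keep)


# Constructed sample unit: a base layer plus two enhancement layers.
SAMPLE_UNIT = build_unit(
    [("base", b"B" * 120), ("enh1", b"E" * 70), ("enh2", b"F" * 40)],
    {"fps": "30", "res": "640x480"},
)

if __name__ == "__main__":
    for group in CAPABILITY_TABLE:
        _, kept, bits = parse_unit(adapt_for_group(SAMPLE_UNIT, group))
        print(group, [lid for lid, _ in kept], len(bits), "bytes")
```

Because the base layer is always kept and the metadata is regenerated from the layers actually forwarded, a downstream mrouter or client parses a unit that is again self-consistent; a truncated or over-claiming unit is rejected by `parse_unit` rather than forwarded.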



Figure 10. Data pipeline for Media transcoding service on IXP2400

The Transcoder module operates by referring to the TransRate table and the Capability table, and follows conventional approaches such as interleaved dropping of frames and preferring enhancement layers over base layers to ensure reduced jitter and better quality.

5.2 Design of Resource Brokering service at the Edge Routers on iSEGrid

The server-side RB intercepts the traffic to the server, detects the client/server request that requires annotations, intercepts the corresponding server-response packets, and provides the annotations. To generate the annotations, a content-table-lookup-based approach has been adopted, by which the structure of the video data is represented in XML and the metadata is attached to the video content. These resource brokering tasks are built using application-aware packet processing tasks such as content inspection, content field extraction, content generation, content table manipulation and content-based packet generation (i.e., services of the BNp layer). The pipeline stages for the Resource Broker services are (i) Ingress and classifier at the input side, (ii) packet generator and egress at the output end and (iii) content processing stages constituting the content extractor and content table manipulation (look-up and updation). The edge router at the server side creates XML annotations and inserts them into the media packets. Due to space constraints the details of this design pipeline are not presented here.

5.3 Performance Evaluation

In order to evaluate the performance of the iSEGrid for this case study, the following are considered: (i) additional load at the iSEGrid nodes due to an iSEGrid service, (ii) processing time at these nodes for an iSEGrid service and (iii) end-to-end delay of the application. To highlight the benefits of the iSEGrid approach, the iSEGrid scenario is compared with a non-iSEGrid scenario using a Standard IPv4 Forwarder application at the network nodes.

The Standard IPv4 Forwarder is a sample application provided by the Intel Developer Kit for IXP2400 [14]. The two services have been simulated using the Intel Developer Workbench simulator for the Intel IXP2400 network processor-based networking node. A clock speed of 400MHz is chosen to handle data rates up to 2.5Gbps. For the media transcoding service, the additional load at the iSEGrid node is determined in terms of utilization of processing elements (i.e., microengines of IXP2400) and memory resources (i.e., DRAM, SRAM, and scratch ring buffers). The tasks assigned to the microengines of IXP2400 are shown in Table I, in comparison with those assigned to the Standard IPv4 Forwarder. It can be seen that the Standard IPv4 Forwarder uses 3 microengines while the remaining 5 are unused. This indicates that the IXP2400 can accommodate additional services. This design uses these unused microengines to accommodate the media transcoding service: three microengines for the media processing module and one each for the transcoder and the parser.



TABLE I
MICROENGINE UTILIZATION AND PROCESSING TIME FOR MEDIA TRANSCODING ON IXP2400

Microengine (Cluster#:MEid; 8 threads each) | Standard IPv4 Forwarder: task module (% utilization) | Processing time (machine cycles) | Media Adaptation Service: task module (% utilization) | Processing time (machine cycles)
0:0   | Ingress (36%)   | 9 microsecs (3,500)   | Ingress (24%)            | 1.5 microsecs (600), Ingress and Classifier together
0:1   | Forwarder (35%) | 19 microsecs (7,500)  | Classifier (40%)         |
0:2   | Not used        |                       | Media Processing 0 (31%) | 725 microsecs (290,000), the three Media Processing MEs together
0:3   | Not used        |                       | Media Processing 1 (43%) |
1:0   | Not used        |                       | Media Processing 2 (43%) |
1:1   | Not used        |                       | Egress (68%)             | 8.5 microsecs (3,400)
1:2   | Egress (41%)    | 17 microsecs (6,800)  | Transcoder (49%)         | 25 microsecs (10,000)
1:3   | Not used        |                       | Parser (26%)             | 100 microsecs (40,000)
Total |                 | 45 microsecs (18,000) |                          | 860 microsecs (344,000)

Further, the utilization percentage of these microengines shows that the values lie within 25% to 70%, indicating a well-balanced pipeline design.

TABLE II
MEMORY USAGE OF MEDIA TRANSCODING ON IXP2400

Memory usage              | Standard IPv4 Forwarder | Media Adaptation Service
DRAM (Longwords)          | 1280K                   | 1280K
SRAM (Longwords)          | 1K                      | 132K
Scratch (Longwords)       | 2K                      | 5K
Receive Buffer (Bytes)    | 64K                     | 943K
Transmit Buffer (Bytes)   | 64K                     | 943K



Table II shows the amount of memory used for the media transcoding service and the Standard IPv4 Forwarder. The DRAM space (1280K longwords) has been utilized to store the incoming and yet-to-be-processed packets and is comparable with the Standard IPv4 Forwarder. A major part of the total SRAM used (132K longwords) has been allocated for content table maintenance. Out of the total twelve scratch rings of 1KB each available in the IXP2400, the media transcoding service makes use of eight (4 x 1KB + 4 x 256B = 5KB). The SRAM usage and scratch ring usage for the transcoding service are quite high since it processes application data, whereas the Standard IPv4 Forwarder operates on the header fields. Thus, using the idle resources, it has been possible to deploy a heavy and resource-demanding task such as transcoding as an in-network service. To evaluate the media transcoding service in terms of processing time, the execution cycles for each processing module have been obtained and the execution times have been calculated. Table I shows the average number of execution cycles and the execution time of the various processing modules for the media transcoding service and the Standard IPv4 Forwarder. The Ingress and classifier modules require less time for the media transcoding service (1.5 microsecs) compared to the corresponding module of the Standard IPv4 Forwarder (9 microsecs). Similarly, the packet generator and Egress modules of the media transcoding service require less time (8.5 microsecs) compared to the corresponding module of the Standard IPv4 Forwarder (17 microsecs). This is because, in the design, certain ingress and egress operations that involve packet-content manipulation have been moved to the media processing module, in order to minimize the overhead due to the movement of packet contents between memory buffers. The media processing module (constituting the transcoder, parser and media processing modules) takes 850 microsecs out of the 860 microsecs for the entire service, whereas the Standard IPv4 Forwarder requires 45 microsecs. With the overhead of additional processing time and resources, it has been possible to deploy transcoding as an in-network service. It can be seen later in the analysis that this additional processing time at the node does not affect the end-to-end time adversely. The evaluation of the resource brokering service in terms of processing time is shown in Table III for the iSE_RBs at the client edge and at the server edge. Content-based packet generation at the server edge is the bulkiest module, requiring 25 microsecs, due to the packet generation tasks associated with annotations. The same module at the client edge requires only 13 microsecs. The total processing time at the server edge router is 65 microsecs (i.e., about 26K execution cycles) and at the client edge it is 49 microsecs (i.e., about 20K execution cycles). It can be seen that the overhead due to this resource brokering task is not significant compared to the Standard IPv4 Forwarder (45 microsecs as shown in Table II).



TABLE III
EXECUTION CYCLES FOR RESOURCE BROKERING (RB) SERVICE

Packet/Content processing task | RB service with metadata annotation at the server edge: No. of ME cycles | Processing time (microsecs) | RB service at the client edge: No. of ME cycles | Processing time (microsecs)
Ingress            | 1642  | 4   | 1642  | 4
Classifier         | 1956  | 5   | 1956  | 5
Content extractor  | 2954  | 7   | 2954  | 7
Table lookup       | 1409  | 3.5 | 1409  | 3.5
Packet generation  | 9965  | 25  | 5100  | 13
Egress             | 2192  | 5.5 | 2192  | 5.5
Table updation     | 6000  | 15  | 4352  | 11
Total              | 26244 | 65  | 19605 | 49



The end-to-end performance comparison is done as follows. The end-to-end delay ($Delay_{e2e}$) of the data flow between the server and the client in the sample scenario shown in Figure 9 is calculated as the sum of the delays at each node ($TotalDelay_{nodes}$) plus the aggregate link delay ($AggregateDelay_{Link}$), i.e.,

$Delay_{e2e} = TotalDelay_{nodes} + AggregateDelay_{Link}$ (1)

$TotalDelay_{nodes} = \sum_{n \text{ along the path}} delay_{n}$ (2)

$AggregateDelay_{Link} = \sum_{Link \text{ along the path}} delay_{Link}$ (3)

For the given scenario, $TotalDelay_{nodes}$ is calculated using the execution time obtained from the simulation of the various services as discussed above, i.e.,

$TotalDelay_{nodes} = delay_{ER\text{-}at\text{-}server} + delay_{mR1} + delay_{mR2} + delay_{ER\text{-}at\text{-}client}$ (4)

The execution time for each of the services in the sample scenario is shown in Figure 11. It must be noted that among the two multicast routers, for a given flow, only one performs the transcoding service while the other does regular IPv4 forwarding (Standard IPv4 Forwarder). From the simulation results discussed above and indicated in Figure 11, we have $delay_{ER\text{-}at\text{-}server}$ = 65 microsecs (processing time at the server-edge router), $delay_{mR1}$ = 860 microsecs (processing time for the media transcoding service at an mrouter), $delay_{mR2}$ = 45 microsecs (processing time for IPv4 forwarding at the other mrouter) and $delay_{ER\text{-}at\text{-}client}$ = 49 microsecs (processing time at the client-edge router). Thus, $TotalDelay_{nodes}$ = 65 + 860 + 45 + 49 = 1019 microsecs ≈ 1ms. The $AggregateDelay_{Link}$ is calculated for three different cases with link rates at the user edge being 128Kbps, 512Kbps and 1Mbps, while the core links are considered to be OC-24 (1244.16Mbps) lines. The packet size before transcoding is 250B and after transcoding it is 240B for the selected level of transcoding. These values have been used appropriately to calculate the link delay. The delay at each link in the sample scenario and the aggregate link delay are tabulated in Table IV.

TABLE IV
AGGREGATE LINK DELAY FOR MULTIMEDIA TRANSFER ON ISEGRID
Link transmission time for the various links in the sample scenario for different edge link rates (microsecs)

Link                                                   | Case 1: 128Kbps   | Case 2: 512Kbps | Case 3: 1Mbps
Link at Server Edge (packet size = 250B)               | 15,258.78         | 3,814.69        | 1,907.34
Core Link 1 (ER to mR) (packet size = 250B)            | 1.53              | 1.53            | 1.53
Core Link 2 (mR to mR), after transcoding (240B)       | 1.47              | 1.47            | 1.47
Core Link 3 (mR to ER) (packet size = 240B)            | 1.47              | 1.47            | 1.47
Link at Client Edge (packet size = 240B)               | 14,648.43         | 3,662.10        | 1,831.05
Aggregate Link delay                                   | 29,911.70 (≈30ms) | 7,481.28 (≈7.5ms) | 3,742.87 (≈3.7ms)

[Figure 11: bar chart "Node Processing Delay for Multimedia transfer on iSEGrid"; x-axis: nodes in the sample scenario, y-axis: processing delay (microsecs); Server Edge Router 65, multicast router (with transcoding) 860, multicast router (only IPv4) 45, Client Edge Router 49]

Figure 11. Processing time for various iSEGrid services in the sample scenario



It can be seen that the aggregate link delay is 30ms when the edge link is 128Kbps and gets as low as 3.7ms when the edge link is a 1Mbps line. The end-to-end delay is calculated for each of the three cases and tabulated in Table V. The link delay component of this is the more significant one, and the total processing time at the nodes is of the order of 1ms for the sample scenario. To bring out the overheads due to the iSEGrid and to show its performance benefits, this is compared with a non-iSEGrid scenario, i.e., conventional multimedia transfers. In this case, transcoding is done by the client node. Thus, in the absence of the iSEGrid, all nodes in the sample scenario perform IPv4 forwarding (45 microsecs). The total processing time at all nodes is $TotalDelay_{nodes}$ = 180 microsecs (i.e., 4 x 45). Since the packet is not transcoded, the packet length is 250B along the path. For this case, the aggregate link delay constitutes the delay at two edge links ($delay_{EDGELINK}$) and three core links ($delay_{CORELINK}$), i.e.,

$AggregateDelay_{Link} = 2 \times delay_{EDGELINK} + 3 \times delay_{CORELINK}$ (5)

Thus the values calculated for the three cases are 30.5ms (for 128Kbps), 7.6 ms (for 512Kbps) and 3.8 ms (for 1Mbps). The total end-to-end delay is tabulated in Table V for the three cases of edge link rates. Comparing the delays in the non-iSEGrid scenario with those of the iSEGrid scenario as shown in Table V, it can be seen that there is no significant difference in the end-to-end delay. The overheads of in-network processing are negligible. Further, the iSEGrid offers benefits in that (i) it facilitates transcoding of the packets on-the-fly, (ii) it relieves the load (of transcoding) at the end-systems and (iii) it reduces downstream traffic.

TABLE V
PERFORMANCE COMPARISON FOR MULTIMEDIA TRANSFER APPLICATION: ISEGRID SCENARIO VS NON-ISEGRID SCENARIO

Delay values for the iSEGrid scenario
Edge link rate | Aggregate Link Delay | Total delay at the nodes | End-to-end delay
128Kbps        | 30ms                 | 1ms                      | 31ms
512Kbps        | 7.6ms                | 1ms                      | 8.6ms
1 Mbps         | 3.8ms                | 1ms                      | 4.8ms

Delay values for the non-iSEGrid scenario
Edge link rate | Aggregate Link Delay | Total delay at the nodes | End-to-end delay
128Kbps        | 30.5ms               | 180 microsecs            | 30.68ms
512Kbps        | 7.6ms                | 180 microsecs            | 7.78ms
1 Mbps         | 3.8ms                | 180 microsecs            | 3.98ms
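The delay model of equations (1) to (5) carried through for the sample scenario of Figure 9, as an added example rather than code from the paper: the per-node processing times are the simulation results quoted above (65, 860, 45 and 49 microsecs, and 45 microsecs for a Standard IPv4 Forwarder), and the packet sizes are the paper's 250B and 240B. One assumption is made that the paper does not state: the tabulated link delays (e.g. 15,258.78 microsecs for 250B at "128Kbps") only reproduce if K and M are binary prefixes (1 Kbps = 1024 bps, 1 Mbps = 1024 x 1024 bps, and likewise for the OC-24 core rate), so the code uses those. Function and constant names are the example's own.

```python
"""Equations (1)-(5) of the delay model for the sample scenario (added example).

Rates use binary prefixes: this is an inference from the values in Table IV,
not something the paper states."""

KBPS = 1024
MBPS = 1024 * 1024
EDGE_RATES_BPS = {"128Kbps": 128 * KBPS, "512Kbps": 512 * KBPS, "1Mbps": 1 * MBPS}
CORE_RATE_BPS = 1244.16 * MBPS          # OC-24 core links

PKT_BEFORE = 250   # bytes before transcoding
PKT_AFTER = 240    # bytes after the selected level of transcoding

# Per-node processing times (microsecs) from the simulation results (Figure 11).
NODE_DELAY_ISEGRID_US = {
    "ER-at-server": 65,        # resource brokering with annotation
    "mR1 (transcoding)": 860,  # media transcoding service
    "mR2 (IPv4)": 45,          # Standard IPv4 Forwarder
    "ER-at-client": 49,        # resource brokering at the client edge
}
IPV4_FORWARDER_US = 45


def link_delay_us(packet_bytes, rate_bps):
    """Transmission time of one packet on one link, in microseconds."""
    return packet_bytes * 8 / rate_bps * 1e6


def total_node_delay_us(node_delays):
    """Equation (2) / (4): sum of the per-node processing delays."""
    return sum(node_delays.values())


def isegrid_link_delays_us(edge_rate_bps):
    """Equation (3) on the iSEGrid path: transcoding happens at the first
    mrouter, so the packet shrinks from 250B to 240B after core link 1."""
    return {
        "server edge": link_delay_us(PKT_BEFORE, edge_rate_bps),
        "core 1 (ER->mR)": link_delay_us(PKT_BEFORE, CORE_RATE_BPS),
        "core 2 (mR->mR)": link_delay_us(PKT_AFTER, CORE_RATE_BPS),
        "core 3 (mR->ER)": link_delay_us(PKT_AFTER, CORE_RATE_BPS),
        "client edge": link_delay_us(PKT_AFTER, edge_rate_bps),
    }


def non_isegrid_link_delay_us(edge_rate_bps):
    """Equation (5): no in-network transcoding, 250B on all five links."""
    return (2 * link_delay_us(PKT_BEFORE, edge_rate_bps)
            + 3 * link_delay_us(PKT_BEFORE, CORE_RATE_BPS))


def end_to_end_us(edge_rate_bps, isegrid=True):
    """Equation (1): node delays plus aggregate link delay."""
    if isegrid:
        nodes = total_node_delay_us(NODE_DELAY_ISEGRID_US)
        links = sum(isegrid_link_delays_us(edge_rate_bps).values())
    else:
        nodes = 4 * IPV4_FORWARDER_US      # all four nodes forward only
        links = non_isegrid_link_delay_us(edge_rate_bps)
    return nodes + links


if __name__ == "__main__":
    for name, rate in EDGE_RATES_BPS.items():
        print(f"{name}: iSEGrid {end_to_end_us(rate) / 1000:.2f} ms, "
              f"non-iSEGrid {end_to_end_us(rate, isegrid=False) / 1000:.2f} ms")
```

Running it reproduces the Table IV aggregates (29,911.70, 7,481.28 and 3,742.87 microsecs) and the 30.5/7.6/3.8 ms figures of the non-iSEGrid case, which makes the paper's point visible in numbers: the 860 microsecs spent transcoding at an mrouter is small beside an edge-link transmission time that is two orders of magnitude larger.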



A common approach in the conventional non-iSEGrid scenario is the provision of a transcoding service at the client edge, thereby relieving the client’s burden. This approach caters to traffic reduction at the network edge, whereas in the iSEGrid scenario it is possible to move the transcoding point into the network, at a point common to many multicast nodes that may span multiple LANs. Thus the case study may be summarized as follows. Network processor-based devices can be used to support application-awareness in the iSEGrid framework. Even complex tasks such as media transcoding can be effectively mapped onto these devices. However, care is required to map the application onto the network device. The pipeline design of the transcoding service presented here has been arrived at after multiple design-implementation-testing iterations. As a result it has been possible to obtain a balanced pipeline for this service – that is, from Table I it can be seen that the percentage utilization of the microengines assigned for media processing tasks lies between 30% and 45%. In terms of resource usage, from Table II it is obvious that a significant amount of memory resources has been utilized by the media transcoding service – that is, 132K SRAM (vs 1K SRAM for the Standard IPv4 Forwarder) and 943K transmit and receive buffers (vs 64K for the Standard IPv4 Forwarder). Although this is an overhead, the benefits are in terms of downstream traffic reduction and better utilization of the otherwise unused resources. Further, it can be seen that simple application-aware coordination services such as inserting metadata in media files and resource brokering tasks can be composed using content-based packet processing tasks such as content extraction and content manipulation. The overhead in terms of execution time for these tasks at the iSE_RBs and mrouters is negligible – that is, about 65 microsecs for the server-edge router and 49 microsecs for the client-edge router, while the Standard IPv4 Forwarder takes about 45 microsecs (Figure 11). On comparing an end-to-end scenario, the substantial benefits that can be offered by the iSEGrid framework are evident. With an edge data rate of 1Mbps, a core data rate of the order of OC-24, and with IXP2400-based network nodes (operating at 400MHz and capable of handling up to 2.5Gbps), the results shown in Table V indicate that the total processing time at the nodes along the datapath (1ms for the iSEGrid scenario) is not considerable when compared to the aggregate link delay (3.8 ms). Although for higher data rates the link delay will reduce further, to support those data rates faster network nodes (processors) will have to be used, which will also reduce the application-aware processing delay at the nodes. Thus, the grid-based approach presented here will scale accordingly.

6. CONCLUSION

A network-layer grid that forms an overlay above the existing networks, which harnesses the in-the-net compute power and offers it as a commodity, has been proposed to support application-aware services. A sample application, supported by coordinated application-aware services, has been discussed to highlight the benefits of the grid-based framework. The simulation results of these in-network services show the feasibility of provisioning them at network nodes with no significant overheads. From a practical point of view, this framework being grid-based will allow network operators to offer the services in a coordinated manner while still retaining their value-additions and unique features. Existing protocols can be integrated into this framework as demonstrated, while new protocols which exploit the features of the grid are developed. This will ensure a smooth transition to a fully application-aware network.

REFERENCES






UbiCC Journal - Volume 3






NEW SECURITY ALGORITHM FOR MOBILE ADHOC NETWORKS USING ZONAL ROUTING PROTOCOL

G. Varaprasad (1), S. Dhanalakshmi (2), M. Rajaram (3)
(1) Department of Computer Science and Engineering, B.M.S. College of Engineering, Bangalore, India.
(2) Department of Computer Applications, Dr. Mahalingam College of Engineering and Technology, Pollachi, India.
(3) Department of EEE/ECE, Thanthai Periyar Govt. Institute of Technology, Vellore, India.



ABSTRACT

A mobile ad hoc network (MANET) is a special kind of wireless network: a collection of mobile nodes that operates without the aid of any established infrastructure. A MANET is much more vulnerable to attacks than a wired network because of its limited physical security, volatile network topology, power-constrained operation, the intrinsic requirement of mutual trust among all nodes in the underlying protocol design, and the lack of any centralized point for monitoring and management. The main aim of this work is to provide secure data transmission between the source and the destination. The simulation was carried out in a network simulator for different numbers of mobile nodes, up to 1000. We have compared this model with the existing models DSR and AODV. The proposed model shows better results in terms of packet delivery, packet drop and delay: it dropped only 19% of the packets even when the network contained five malicious nodes.

Keywords: MANET, ZRP, security, mobility, route.

1. INTRODUCTION

In recent years the Mobile Ad hoc Network (MANET) has received enormous attention because of its self-configuring, self-maintaining and cooperative nature. In a MANET all nodes are mobile and the topology changes rapidly. The structure of a MANET is shown in Figure 1. Here, mobile devices such as PDAs and laptops themselves route the data packets. All nodes actively discover the topology, and a message is transmitted to the destination over multiple hops[1]. Usually the endpoints and the routers are indistinguishable in a MANET[2]. It uses the wireless channel and asynchronous data transmission over multiple hops. The vital characteristics of MANETs are lack of infrastructure, dynamic topology, multi-hop communication and distributed coordination among all the nodes. The end nodes must provide QoS in terms of end-to-end delay, packet loss, throughput and secure data transmission[2]-[3]. MANETs can be deployed in many scenarios, for example where infrastructure is not feasible, such as disaster relief after a cyclone. MANETs have the potential of realizing free, ubiquitous and omnidirectional communication[3].

Figure 1. Structure of a MANET.

The wireless channel is accessible to both legitimate users and malicious users. In such an environment there is no guarantee that a route between two nodes will be free of malicious users, which will not comply with the employed protocol. The malicious users will attempt to harm network operations. The primary focus of this work is to provide secure data transmission between the mobile nodes.

The rest of the paper is organized as follows. Some of the existing models are presented in Section 2.









Section 3 presents the proposed model and its functions. Simulation of the proposed model is discussed in Section 4. Results of this model are presented in Section 5. Finally, Section 6 presents the conclusions and future work.

2. EXISTING WORK

Secure routing algorithms for wireless communication have been proposed to increase security levels[4]. However, these algorithms cannot protect the network from attackers who have acquired the key material[5]. J. Li et al.[6] proposed a common-key encryption mechanism for MANETs using Dynamic Source Routing (DSR). The drawback of this model is that it dropped many packets even when the network had only a few malicious users[7]. Ad hoc On-Demand Distance Vector (AODV) routing is used to provide secure and reliable data transmission over MANETs[8]. Several strategies exist to detect non-cooperating nodes while forwarding data packets to the destination[9]. In [10], the authors discuss a trust-based approach to establishing communication between mobile users; here communication is governed by a watchdog, and trust values range from -1 to +1. A black hole attack is a kind of denial of service in which a malicious node attracts all packets by falsely claiming a fresh route to the destination and then absorbs them without forwarding them[11]. Smith et al.[12] examined the routing security of distance-vector protocols in general and developed countermeasures for their vulnerabilities by protecting both routing messages and routing updates: they propose sequence numbers and digital signatures for routing messages and updates, as well as including predecessor information in routing updates.

3. PROPOSED MODEL

This model provides secure communication between mobile nodes. A scenario of data transmission between two mobile nodes is considered. Whenever a source wants to transmit data packets to a destination, it first ensures, via the cluster head, that it is communicating with the real node. The authentication service uses a key management module to retrieve the destination's public key, which is trusted by the third party, in order to identify the destination. The destination uses the same method to authenticate the source. Once the key management module has run, a session key is established and used by both source and destination to keep their further communication confidential. In this way, all the important messages are transmitted to the destination.

3.1 Routing protocol

Paths are maintained as long as the source needs them. Sequence numbers are used to keep the routing information up to date. Routing information is updated using the Route Request (RREQ) packet. If the source wishes to communicate with a destination for which it has no path, it broadcasts an RREQ packet to the network. On receiving it, an intermediate node rebroadcasts it; the destination (or a node holding a fresh route to it) answers with a Route Reply (RREP) packet. If an RREQ packet has already been processed, it is discarded. The proposed model uses the Zonal Routing Protocol (ZRP). Here, each node proactively maintains a set of possible routes within its region. Knowledge of each region is learned by ZRP to improve network performance. DSDV is used to learn about the nodes within the region; DSR is used to find routes to nodes that lie outside the region.

4. SIMULATION

This model considers an area of 1000 m x 1000 m with a set of mobile nodes placed randomly and a broadcast range of 150 m. The simulation was carried out for different numbers of nodes using the Network Simulator (NS2). Node mobility is simulated with a velocity of 0-20 m/s. Approximately 30000 CBR packets are sent; the simulation parameters are shown in Table I. The performance metrics are packet delivery ratio, throughput and control message overhead.

Table I. Simulation parameters.

Simulation time: 2000 s
Topology size: 1000 m x 1000 m
No. of nodes: 1000
No. of clusters: 10
No. of cluster heads: 10
No. of malicious nodes: 7
Node mobility: 0 to 10 m/s
Transmission range: 250 m
Routing protocol: ZRP
Frequency: 2.4 GHz
Channel capacity: 2 Mbps
Traffic type: CBR
CBR packet size: 512 bytes
Number of packets: 30000
Simulator: NS2
Communication system: IEEE 802.11g
Pause time: 1 s
Mobility model: Random waypoint
Total packets: 30000
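Section 3 describes the authentication only in outline: the source checks, through the cluster head, that it is talking to the real destination, the destination does the same for the source, and the two then share a session key. The following is an added example, not the paper's code, of one concrete way to carry that out with only the Python standard library. The cluster head is modelled as a key distribution centre that shares a long-term key with every registered node and hands a fresh session key to an authenticated pair, in the Needham-Schroeder/Kerberos pattern; symmetric long-term keys stand in for the paper's public keys because the standard library has no public-key primitives, and the node names, message layout, key sizes and the HMAC-based seal()/open_() construction are all assumptions of this example.

```python
"""Mutual authentication through a trusted cluster head, then a session key.

Added example, not the paper's code.  The cluster head is the trusted third
party of Section 3, modelled as a key distribution centre (Needham-Schroeder /
Kerberos pattern) with symmetric long-term keys in place of the paper's public
keys.  seal()/open_() are HMAC-SHA256 in counter mode plus encrypt-then-MAC,
written out only to stay dependency-free; use a real AEAD in production.
"""
import hashlib
import hmac
import json
import secrets
import struct


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt a JSON-serialisable dict under key; returns nonce | ciphertext | tag."""
    enc_key, mac_key = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, plaintext = secrets.token_bytes(16), json.dumps(obj).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def open_(key, blob):
    """Inverse of seal(); raises ValueError unless the tag verifies under key."""
    enc_key, mac_key = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("message is not authentic under this key")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))))


class ClusterHead:
    """Trusted third party: the key management service every node registers with."""
    def __init__(self):
        self.keys = {}                          # node name -> long-term key

    def register(self, name):
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def issue(self, src, dst, nonce):
        """Session key for (src, dst), sealed for src, plus a ticket sealed for dst."""
        if src not in self.keys or dst not in self.keys:
            raise KeyError("unregistered node")
        k_sd = secrets.token_bytes(32)
        ticket = seal(self.keys[dst], {"peer": src, "key": k_sd.hex()})
        return seal(self.keys[src], {"nonce": nonce.hex(), "peer": dst,
                                     "key": k_sd.hex(), "ticket": ticket.hex()})


class Node:
    def __init__(self, name, cluster_head):
        self.name, self.ch = name, cluster_head
        self.key = cluster_head.register(name)  # long-term key shared with the cluster head
        self.sessions = {}                      # peer name -> session key

    def start_session(self, dst):
        """Source side: fetch a session key and a ticket for dst from the cluster head."""
        nonce = secrets.token_bytes(16)
        reply = open_(self.key, self.ch.issue(self.name, dst, nonce))
        if reply["nonce"] != nonce.hex() or reply["peer"] != dst:
            raise ValueError("replayed or misdirected reply from cluster head")
        k_sd, challenge = bytes.fromhex(reply["key"]), secrets.token_bytes(16)
        authenticator = seal(k_sd, {"from": self.name, "challenge": challenge.hex()})
        return k_sd, challenge, bytes.fromhex(reply["ticket"]), authenticator

    def accept(self, ticket, authenticator):
        """Destination side: only the holder of dst's long-term key can open the ticket."""
        info = open_(self.key, ticket)
        k_sd = bytes.fromhex(info["key"])
        auth = open_(k_sd, authenticator)
        if auth["from"] != info["peer"]:
            raise ValueError("authenticator does not match ticket")
        self.sessions[info["peer"]] = k_sd
        # Prove possession of k_sd by answering the source's challenge under it.
        return seal(k_sd, {"answer": hashlib.sha256(bytes.fromhex(auth["challenge"])).hexdigest()})

    def finish(self, dst, k_sd, challenge, response):
        """Source side: the peer is the real dst only if it answered under k_sd."""
        if open_(k_sd, response)["answer"] != hashlib.sha256(challenge).hexdigest():
            raise ValueError("peer failed the challenge")
        self.sessions[dst] = k_sd


def establish(src, dst):
    """Run the full exchange; True when both ends hold the same session key."""
    k_sd, challenge, ticket, authenticator = src.start_session(dst.name)
    response = dst.accept(ticket, authenticator)
    src.finish(dst.name, k_sd, challenge, response)
    return src.sessions[dst.name] == dst.sessions[src.name]


def impersonation_fails(src, mallory, dst_name):
    """A node registered under its own key grabs the ticket meant for dst_name."""
    _, _, ticket, authenticator = src.start_session(dst_name)
    try:
        mallory.accept(ticket, authenticator)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ch = ClusterHead()
    s, d, x = Node("S", ch), Node("D", ch), Node("X", ch)
    print("S<->D session established:", establish(s, d))
    print("X posing as D is rejected :", impersonation_fails(s, x, "D"))
```

The point to take from it is the failure case: a node X registered under its own key that grabs the ticket meant for D cannot open it, so its reply fails the tag check and the source never installs a session key for it. The nonce in the cluster head's reply stops an old reply being replayed to the source, and the challenge under the session key stops a node that merely relays the ticket from passing as D.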
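The route discovery of Section 3.1, the black hole attack of Section 2 and the detection-phase loss reported in Section 5 can be seen together in a small simulation. The following is an added example, not code from the paper: it floods an RREQ from the source with per-node duplicate suppression, lets the destination and a black-hole node answer with RREPs, applies the AODV-style rule of preferring the highest destination sequence number, and adds a watchdog in the previous hop that isolates a neighbour after it has failed to forward three packets. The five-node topology, the sequence numbers, the threshold and the 20-packet run are constructed for illustration; the paper does not specify its own detection mechanism, so the watchdog here is the generic one of [10], not the authors' method.

```python
"""Black-hole attack on on-demand route discovery, with watchdog isolation.

Added example, not the paper's code.  Models the RREQ/RREP discovery of
Section 3.1 (duplicate RREQs discarded, RREP carries a destination sequence
number), the black hole of Section 2 (answers every RREQ with a bogus "fresh"
route, then absorbs the data) and a watchdog in the previous hop that isolates
a neighbour once it has failed to forward `threshold` packets.  Topology,
sequence numbers, packet count and threshold are constructed.
"""
from collections import deque


class Network:
    def __init__(self, links, malicious=(), dest_seq=5):
        self.links = links                            # name -> neighbours (symmetric)
        self.malicious = set(malicious)               # nodes acting as black holes
        self.seq = {n: dest_seq for n in links}       # per-node destination sequence number
        self.seen_rreq = {n: set() for n in links}    # (origin, rreq_id) already processed
        self.watchdog = {n: {} for n in links}        # node -> {next_hop: unforwarded count}


def discover_route(net, src, dst, rreq_id, blacklist):
    """Flood an RREQ from src; return the RREP the source accepts, or None.

    An RREP is (kind, dest_seq, hop_count, route); kind is "honest" when the
    destination itself answered and "bogus" for a black-hole reply.
    """
    key = (src, rreq_id)
    net.seen_rreq[src].add(key)
    replies, queue = [], deque([(src, [src])])
    while queue:
        node, path = queue.popleft()
        for nxt in net.links[node]:
            if nxt in blacklist or key in net.seen_rreq[nxt]:
                continue                              # isolated, or RREQ already processed
            net.seen_rreq[nxt].add(key)
            route = path + [nxt]
            if nxt == dst:
                replies.append(("honest", net.seq[dst], len(route) - 1, route))
            elif nxt in net.malicious:
                # Black hole: claims a one-hop route to dst with a sequence number
                # far beyond the real one, so the source treats it as the freshest.
                replies.append(("bogus", net.seq[dst] + 100, len(route), route + [dst]))
            else:
                queue.append((nxt, route))            # honest node rebroadcasts the RREQ
    if not replies:
        return None
    # Selection rule: highest destination sequence number, then fewest hops.
    return max(replies, key=lambda r: (r[1], -r[2]))


def send_packets(net, src, dst, n_packets, threshold=3):
    """Send n_packets from src to dst; return (delivered, dropped, isolated nodes)."""
    delivered = dropped = rreq_id = 0
    blacklist, route = set(), None
    for _ in range(n_packets):
        if route is None:
            rreq_id += 1
            rrep = discover_route(net, src, dst, rreq_id, blacklist)
            if rrep is None:
                dropped += 1
                continue
            route = rrep[3]
        forwarded = True
        for i in range(1, len(route) - 1):            # intermediate forwarders only
            hop, prev = route[i], route[i - 1]
            if hop in net.malicious:
                # Watchdog: prev overhears that hop never retransmits the packet.
                count = net.watchdog[prev].get(hop, 0) + 1
                net.watchdog[prev][hop] = count
                if count >= threshold:
                    blacklist.add(hop)                # isolate; rediscover on next packet
                    route = None
                forwarded = False
                break
        if forwarded:
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped, blacklist


def packet_delivery_ratio(delivered, dropped):
    return delivered / (delivered + dropped)


# Constructed topology: the honest path is S-A-B-D.  M neighbours S and A but
# has no link to D, so any route it advertises to D is fabricated.
LINKS = {"S": ["A", "M"], "A": ["S", "B", "M"], "B": ["A", "D"],
         "M": ["S", "A"], "D": ["B"]}

if __name__ == "__main__":
    for label, bad in (("no attacker", ()), ("black hole M", ("M",))):
        delivered, dropped, isolated = send_packets(Network(LINKS, bad), "S", "D", 20)
        print(f"{label:13s} delivered={delivered} dropped={dropped} "
              f"PDR={packet_delivery_ratio(delivered, dropped):.2f} isolated={sorted(isolated)}")
```

With M present the first three packets are absorbed before S isolates M and rediscovers the honest route S-A-B-D, so the run delivers 17 of 20 packets (PDR 0.85); the same topology without an attacker delivers all 20. Those three lost packets are the detection-phase cost that the results section attributes to the interval between a node launching its attack and its isolation.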



5. SIMULATION RESULTS

Here we consider 250 mobile nodes (5 of them malicious) and 3 cluster heads; the number of data packets sent is between 5 and 20 packets/s and each node moves at 8 m/s. We executed our model with different packet arrival rates 20 times. The simulation results are shown in Figure 2. From the results we conclude that the AODV protocol delivers around 72% of the packets while the proposed model delivers 60%. With 5 malicious nodes the proposed model delivers 51% of the packets; the loss occurs during the detection phase, i.e. after a malicious node has launched its attack but before it is finally isolated. AODV and DSR deliver 40% and 35% of the packets respectively.

Figure 2. Number of malicious nodes versus packet delivery ratio.

Figure 3 shows the number of data packets dropped by the malicious nodes against the total number of data packets transmitted by the source. Here we consider 125 nodes (5 malicious), 2 cluster heads, between 0 and 80 packets/s, and each node moving constantly at 2 m/s. Under DSR, 47% of the packets are dropped by the malicious nodes; under AODV 39%; under the proposed model 19%.

Figure 3. Number of malicious nodes against packets dropped.

Network load versus end-to-end delay is shown in Figure 4. Here we consider 350 mobile nodes (5 malicious), 4 cluster heads, between 100 and 150 packets/s, and each node moving constantly at 2 m/s. Initially, all three models deliver the data packets with equal delay as long as the load is low. As the load increases, the end-to-end delay increases. From the results we conclude that AODV delivers the data packets with lower delay than the other protocols.

Figure 4. Network load against end-to-end delay.

6. CONCLUSIONS AND FURTHER RESEARCH WORK



Various routing protocols have been proposed for MANETs, and they are subject to a variety of attacks through modification or fabrication of routing messages or impersonation of other nodes. These allow an attacker to influence the victim's selection of routes or to mount denial-of-service attacks. In this model we have discussed the security issues of MANETs, focusing on the security architecture, since every attack has its own characteristics. One limitation of this model is that it assumes the malicious nodes do not act as a group; in a real situation they may collude.

REFERENCES

1. H. Yang, H. Y. Luo, F. Ye, S. W. Lu and L. Zhang, "Security in Mobile Ad Hoc Networks: Challenges and Solutions", IEEE Wireless Communications, Vol. 11, pp. 38-47 (2004).
2. A. Perrig et al., "The TESLA Broadcast Authentication Protocol", RSA CryptoBytes, Vol. 5, No. 2, pp. 2-3 (2002).
3. C. Bettstetter, G. Resta and P. Santi, "The Node Distribution of the Random Waypoint Mobility Model for Wireless Ad Hoc Networks", IEEE Transactions on Mobile Computing, Vol. 2, No. 3, pp. 257-269 (2003).
4. Y. Zhang, W. Lee and Y.-A. Huang, "Intrusion Detection Techniques for Mobile Wireless Networks", ACM Wireless Networks, Vol. 9, pp. 545-556 (2003).
5. Y. C. Hu and A. Perrig, "A Survey of Secure Wireless Ad Hoc Routing", IEEE Security and Privacy Magazine, Vol. 2, No. 3, pp. 28-39 (2004).
6. J. Li, J. Jannotti, D. S. J. De Couto, D. R. Karger and R. Morris, "A Scalable Location Service for Geographic Ad Hoc Routing", Proceedings of the International Conference on Mobile Computing and Networking, pp. 120-130 (2002).
7. B. Karp and H. Kung, "Greedy Perimeter Stateless Routing for Wireless Networks", Proceedings of the International Conference on Mobile Computing and Networking, pp. 243-254 (2003).
8. Y. A. Huang and W. Lee, "Attack Analysis and Detection for Ad Hoc Routing Protocols", Proceedings of the International Symposium on Recent Advances in Intrusion Detection, pp. 125-145 (2004).
9. L. Zhou, F. B. Schneider and R. van Renesse, "COCA: A Secure Distributed Online Certification Authority", ACM Transactions on Computer Systems, Vol. 20, No. 4, pp. 329-368 (2002).
10. M. Gasser and E. McDermott, "An Architecture for Practical Delegation in a Distributed System", Proceedings of the IEEE Symposium on Security and Privacy, pp. 20-30 (2004).
11. Z. J. Haas and M. R. Pearlman, "The Performance of Query Control Schemes for the Zone Routing Protocol", IEEE/ACM Transactions on Networking, Vol. 9, No. 4, pp. 427-438 (2001).
12. B. R. Smith, S. Murthy and J. J. Garcia-Luna-Aceves, "Securing Distance-Vector Routing Protocols", Proceedings of the Internet Society Symposium on Network and Distributed System Security, pp. 85-92 (1997).

Authors' information

G. Varaprasad received a B.Tech in Computer Science and Engineering from Sri Venkateswara University, Tirupati, in 1999, an M.Tech in Computer Science and Engineering from B.M.S. College of Engineering, Bangalore, in 2001, and a PhD in Computer Networks from Anna University, Chennai, in 2005, and worked as a postdoctoral fellow at the Indian Institute of Science, Bangalore, in 2005. Currently he is an Assistant Professor at B.M.S. College of Engineering, Bangalore. His areas of interest are MANETs, SNMP and algorithms.

S. Dhanalakshmi received a B.Sc. in Chemistry from the University of Madras, Madras, in 1995, a Master of Computer Applications from Bharathidasan University, Trichirappalli, in 1998, and an M.Phil. in Computer Science from Periyar University, Salem, in 2004. Currently she is a Senior Lecturer in the Department of Computer Applications, Dr. Mahalingam College of Engineering and Technology, Pollachi. Her areas of interest are computer networks and mobile communications.

M. Rajaram received a B.E. in Electrical and Electronics Engineering from Madurai Kamaraj University, Madurai, in 1981, an M.E. in Power System Engineering from Bharathiyar University, Coimbatore, in 1988, and a PhD in Control Systems from Bharathiyar University, Coimbatore, in 1993. Currently he is an Assistant Professor in the Department of EEE, Thanthai Periyar Govt. Institute of Technology, Vellore. His areas of interest are control systems and computer networks.









