Self-Aware Networks: QoS & Performance Self-Aware Networks: QoS & Performance http://san.ee.ic.ac.uk http://san.ee.ic.ac.uk

Summary in E. Gelenbe, Summary in E. Gelenbe, Communications of the ACMCommunications of the ACM, July 2009, July 2009Introduction in S. Dobson et al. “Autonomic Communications”, Introduction in S. Dobson et al. “Autonomic Communications”,

ACM Trans. Adapt. Aut. Systems,ACM Trans. Adapt. Aut. Systems, 2006 2006

Erol GelenbeProfessor in the Dennis Gabor Chair

Imperial College www.ee.ic.ac.uk/gelenbe

e.gelenbe@imperial.ac.ukMember of Academy of Sciences of Turkey www.tuba.gov.tr

Academy of Sciences of Hungary www.mta.huAcademie des Technologies (France) www.academie-technologies.fr

Extension: Gene Regulatory Networks

Self Awareness and Adaptation in Networked Natural Systems is our Speculative Topic of Investigation: Spiking Neurons, Gene Regulatory Networks, Chemistry, Digital Economy

Computer-Communication Networks are Robust Control Systems

A Communication Network such as the Internet is a Control System whose function is to Adaptively and Robustly vehicule Information between Users and offer Services to Users

Old Goals include Quality of Service (Loss, Delay, Jitter, Low Overhead)

New Goals include Security, Privacy, Low Energy Consumption, Resilience to Attacks

Computer-Communication Networks Self-Aware Systems

Network Control cannot be based on “set point” approaches because such simple points do not exist

Models are routinely used for Preliminary Design of Topologies and Capacity Optimisation

The use of Models for Network Control is limited because of dimensionality, model accuracy, parameter identification, control computation and control delays

Self-Awareness in this Area can be based on On-line Measurement and Continuous, Distributed Adaptation

Co-Networks Self-Aware Systems

Self-Awareness must Address Network Security via Detection of Attacks and Adaptive Countermeasures

Energy Consumption by Networks and ITC represents 2% of worldwide consumption Self-Aware Control needs to address this issue to limit any further increase while ITC pervasively extends

smart homes, smart vehicles, smart grid, e-learningNetwork Self-Awareness must incorporate the

application: digital economy, smart grid Co-Networks

[Comms+Application] On-line Measurement and Continuous,

Distributed Adaptation

IP Core Technology also supports MobilityIP Core Technology also supports MobilityHot Stuff happens at the periphery: parasitic Hot Stuff happens at the periphery: parasitic

and symbiotic relationshipsand symbiotic relationships

Fixed and Mobile ConvergenceFixed and Mobile ConvergenceIP is obviously – for the time being – the universal solution provider for

Communications

Applications as Networks: The Family’s Private Network

The FPN is a Network User, and its is a Service for the Family

Private to the family and specific services: Home Security, Housekeeper, Parents

Fully known to itself (self-aware, self-monitoring) cheap, secure, private and

dependable

Must dynamically and economically use all available communication modalities:

Sensor Networks, IP etc., public fixed and mobile telephony, WiFi, .. You guess it ..

- Children and Parents have PDAs and Lap-Tops

- Children use home “learning center” based on multiple external services

- Parents’ cars are connected

- Infants, grand parents, teen-agers are being monitored

- House security system, Home temperature, sound sensors & actuators are on-line

- Home appliances, security, entertainment, heating, lighting are monitored and controlled

- Autonomic Self-Aware Management of Connections, U[grades, Costs, QoS, Policies,

Virtual Services, Network Resources, Monitoring …

The Internet Architecture: A Historical The Internet Architecture: A Historical PerspectivePerspective

- It was Invented “Against” the Telecoms Industry because of - It was Invented “Against” the Telecoms Industry because of DoD’s Dissatisfaction with Telephony for Dependable DoD’s Dissatisfaction with Telephony for Dependable

CommunicationsCommunications

- The Initial System was Built on top of Analog Telephony- The Initial System was Built on top of Analog Telephony

- The Telecoms Industry Fought it for Many Years and Created - The Telecoms Industry Fought it for Many Years and Created Competing Services (e.g. Minitel, Teletext) .. and so did some of Competing Services (e.g. Minitel, Teletext) .. and so did some of

the Computer Industry (IBM’s EARN, Frame Relay, Transpac)the Computer Industry (IBM’s EARN, Frame Relay, Transpac)

- The First Major Application was File Transfer .. Then E-mail ran - The First Major Application was File Transfer .. Then E-mail ran under FTPunder FTP

- The Internet grew in a Time of Deregulation based on Loose - The Internet grew in a Time of Deregulation based on Loose Standardization (e.g. IETF)Standardization (e.g. IETF)

Historical Internet Protocols: OSI LayersHistorical Internet Protocols: OSI Layers

TCP/IP is a layered protocol stackApplication handles particular

applications, Presentation handles compression and encryption of data, Session controls establishment, management, termination of sessions

Transport provides flow of dataNetwork handles the transmission of

packets in the networkData-link is responsible for the

interaction of the device driver in the operating system and the network card in the machine

Physical defines electrical and mechanical specifications

Applica tion

T ransport

N etwork

D ata L ink

Physica l

P resenta tion

Session

IP Architecture in Reality:IP Architecture in Reality:An Assembly of Inter-dependent ProtocolsAn Assembly of Inter-dependent Protocols

- - The Web is a “Standard User Interface”The Web is a “Standard User Interface”- TCP the Transmission Control Protocol: Controls Packet Flow for a - TCP the Transmission Control Protocol: Controls Packet Flow for a

Connection as a Function of Correctly Received or Lost Packets (TCP Connection as a Function of Correctly Received or Lost Packets (TCP Reno, Vegas, etc.) & Retransmits Lost PacketsReno, Vegas, etc.) & Retransmits Lost Packets

- BGP: Determines Paths between Clouds of Routers - BGP: Determines Paths between Clouds of Routers belonging to belonging to Autonomous Systems (AS)Autonomous Systems (AS)

- MPLS: Carries out fast Packet Switching based on Pre-determined - MPLS: Carries out fast Packet Switching based on Pre-determined

Paths within ASs using Labels, Implements Traffic Engineering within Paths within ASs using Labels, Implements Traffic Engineering within ASs ASs

- IP Implements Shortest Path Routing within ASs. Variants of IP - IP Implements Shortest Path Routing within ASs. Variants of IP Address QoS (e.g. DiuffServ, IPV6), Weighted Fair Queueing, Address QoS (e.g. DiuffServ, IPV6), Weighted Fair Queueing,

Congestion Control through Packet Drop …Congestion Control through Packet Drop …

IP Architecture: IP Architecture: A Distributed System which has Evolved A Distributed System which has Evolved

through Usage and Practicethrough Usage and Practice

- - It grew in a Time of DeregulationIt grew in a Time of Deregulation- The Web was developed to store technical papers- The Web was developed to store technical papers

- TCP is a Rudimentary Congestion Control Mechanism- TCP is a Rudimentary Congestion Control Mechanism- BGP Allows Different ISPs to Exchange Traffic- BGP Allows Different ISPs to Exchange Traffic

- MPLS Exploits ATM-like Fixed Path Routing and - MPLS Exploits ATM-like Fixed Path Routing and Reduces the Overhead of Packet SwitchingReduces the Overhead of Packet Switching

- The IP (Internet Protocol) provides Router Based - The IP (Internet Protocol) provides Router Based Staged Decisions & Shortest Paths to Staged Decisions & Shortest Paths to Minimize Minimize

Overhead Overhead

Critique from the Founding Funders (DARPA) Critique from the Founding Funders (DARPA)

in August 2004 in August 2004

- “Flaws in the basic building blocks of networking and computer - “Flaws in the basic building blocks of networking and computer science are hampering reliability, limiting flexibility and creating science are hampering reliability, limiting flexibility and creating

security vulnerabilities” security vulnerabilities” (Note that DARPA paid for most of these developments !!)(Note that DARPA paid for most of these developments !!)

- DARPA wants to see the IP and the OSI protocol stack - DARPA wants to see the IP and the OSI protocol stack revampedrevamped

- “The packet network paradigm … needs to change … we must - “The packet network paradigm … needs to change … we must … have some mechanism for … have some mechanism for assigning capabilities to different assigning capabilities to different

usersusers … today’s networks are stationary and have a static … today’s networks are stationary and have a static infrastructure … infrastructure … (mobile) nodes should be able to automatically (mobile) nodes should be able to automatically

sign on to networks in their vicinitysign on to networks in their vicinity … …

The “Historical” Need for QoSThe “Historical” Need for QoS

- - Exploit different technologies dynamically, for the Exploit different technologies dynamically, for the users’ benefitusers’ benefit

- Identify and eliminate undesirable traffic flows, e.g. - Identify and eliminate undesirable traffic flows, e.g. SPAMSPAM

- Protect from Malicious Attacks: Viruses and Worms, - Protect from Malicious Attacks: Viruses and Worms, Denial of Service AttacksDenial of Service Attacks

- Identify services and charge for them- Identify services and charge for them- Provide security to connections- Provide security to connections

- Demonstrable service levels and monitored - Demonstrable service levels and monitored agreementsagreements

- Wireless makes it all the more urgent- Wireless makes it all the more urgent

The Means for Quality of ServiceThe Means for Quality of Service

- Effective user interfaces & Access Control- Effective user interfaces & Access Control- Pro-active monitoring of users- Pro-active monitoring of users

- On-line monitoring of flows- On-line monitoring of flows- Pro-active measurement - Pro-active measurement

- Monitoring of QoS/QoE and Service Level - Monitoring of QoS/QoE and Service Level AgreementsAgreements

- Technical approach that Crosses Protocol - Technical approach that Crosses Protocol LayersLayers

Coordinated Measurement Based Dynamic Coordinated Measurement Based Dynamic AdaptationAdaptation

In Theory, QoS Optimisation Problems can be In Theory, QoS Optimisation Problems can be defined and Solveddefined and Solved

In Practice Optimisation is ImpossibleIn Practice Optimisation is ImpossibleThe network is very large – for specific users,

optimization is relevant for a subset of routes at a timeThe system is large .. information delay, control delay

and combinatorial explosion: global algorithms can be very slow and come too late

The system is highly dynamic – traffic varies significantly over short periods of time

There are large quantities of traffic in the pipes – congestion can occur suddenly, reaction and detours must be very rapid

Measurements are local to subset of users, and adaptivity is needed which is relevant to the users most concerned by the measurements

On-Line Measurement and Adaptation On-Line Measurement and Adaptation “Self-Aware Networks”“Self-Aware Networks”

- Many applications have implicit or explicit QoS requirements

• Voice, Video conferencing, Network games and simulation, Commerce , Banking

– QoS techniques based on “parameter setting” such as IntServ, DiffServ and IPv6 have been unsuccessful

Our proposal:

Users and Services formulate their Needs and QoS Goals The Network Service adaptively offers Services to Users

and the Resources to Users and ServicesThe Network Service Monitors the outcome and Adaptively

re-allocates Services and Resources as neededThe Approach is that of Adaptive Control in a Random

Environment

How about theory?How about theory?

Sensible Routing Theorem [Gelenbe, Computational Management Science ‘03]

Consider any decision point x at with n choicesLet q(x,i) be a r.v. representing the QoS that results

from choice i, and lrt W(x,i) = E[u(q(x,i))] be the expected outcome of choice i

Theorem If p(k)(x,i) = [W(x,i)]-k/ nm=1 [W(x,m)]-k

and W(k)(x) = n

m=1 W(x,m) p(k)(x,i),

thenW(k+1)(x) < W(k)(x)

Simulation of Routing with Perfect IgnoranceSimulation of Routing with Perfect IgnoranceAverage Travel Time E[T] vs Average Time-Out 1/r Average Travel Time E[T] vs Average Time-Out 1/r

for a regular 8 neighbour grid with d=1 and D=10 (b=0, for a regular 8 neighbour grid with d=1 and D=10 (b=0, c=1.5)c=1.5)

21/04/23 23

General ContextGeneral Context

Packets go from some source S to a Destination (that may move) that is initially at distance d

The wireless range is << d, there are no collisions Packets can be lost in [t,t+t] with probability t anywhere

on the path There is a time-out R (in time or number of hops), or timed-

out in [t,t+t] with probability rt with a subsequent retransmission delay M

Packets may or not know the direction they need to go – we do not nail down the routing scheme with any specific assumptions

We avoid assumptions about the geography of nodes (in some m-dimensions) but assume temporal and spatial homogeneity and temporal and spatial independence along the distance to the destination – each physical setting will have a different distance ..

21/04/23 24

Simulation examples in an infinite grid: Simulation examples in an infinite grid: =1 =1 (D=6) or (D=6) or =sqrt(2) (D=4)=sqrt(2) (D=4)

Destination

Source

21/04/23 25

Simulations of Average Travel Time Simulations of Average Travel Time vs Constant Time-Out vs Constant Time-Out

=1, D=10, M=20, No Loss=1, D=10, M=20, No LossPerfect Ignorance: b=0, c=1Perfect Ignorance: b=0, c=1

Brownian Motion ModelBrownian Motion Model

Assumes homogeneity with respect to distance to the destinationAssumes homogeneity with respect to distance to the destinationAfter each Loss or Time-Out, the Source waits M time units and then After each Loss or Time-Out, the Source waits M time units and then

retransmits the packet under identical statistical conditionsretransmits the packet under identical statistical conditions

1

1

M after timecopy new aout send it will

out;- timeaafter state wait in the is Sy that probabilit theis W(t)-

R valueaverage

ofout - timeaafter out"-time" willS lost. ispacket

ransmittedrecently tmost y that theprobabilit theis L(t) -

unit timeafter

tedretransmit be lpacket wil new a that andn destinatio

thereached haspacket ay that probabilit theis P(t) -

at timen destinatio thefrom

distanceat ispacket y that theprobabilit theis ),(

r

Δt[[t,tdxxXx

dxdttxf

t

21/04/23 27

solution stationary thefrom obtained 1P E[T]

.0lim ; 1)()()(

)()()(

)()(

]2

1[lim)(

)(

)()]()([2

1

1][ where at times dtransmitte

ispacket new a and renewed is process the, at timesn destinatior reach thei Packets

1-

00

0

0

0

2

2

ii

ffdxtWtLtP

tWtrLfdxrdt

tdW

trLfdxdt

tdLx

fcbftP

dt

tdP

DxtPtWx

fc

x

fb

t

f

sEsT

T

x

x

i

i

21/04/23 28

Theoretical Result: Time to Travel Theoretical Result: Time to Travel to a Destination at Distance Dto a Destination at Distance DAverage Time E[T]Drift b < 0 or b>0, 2nd Moment Param. c>0Average Time-Out 1/r , M=1/, then

)(2

12][

2 rcbb

rr

DTE

21/04/23 29

Theory: Average Travel Time for D=10, b=0, 4-Theory: Average Travel Time for D=10, b=0, 4-Neighbours and M=50 with LossesNeighbours and M=50 with Losses

21/04/23 30

Theory: what happens when loss rate increasesTheory: what happens when loss rate increases

21/04/23 31

What happens if we send multiple copies of What happens if we send multiple copies of each packet and accept the each packet and accept the firstfirst one that one that arrives ?arrives ?

21/04/23 32

What happens if we send multiple copies of each packet What happens if we send multiple copies of each packet and accept the and accept the firstfirst one that arrives ? one that arrives ?

21/04/23 33

Send N copies of each packet and accept the Send N copies of each packet and accept the firstfirst that arrives .. that arrives ..

21/04/23 34

SummarySummary Mathematical model assumes exponentially distributed loss

time, time-out and re-start time after time-out It assumes temporal and spatial homogeneity It allows for generally distributed times between hops Closed form expressions are obtained for E[T] from the

diffusion model with jumps for al values of D, b, c, r, If b<0 (good) the average total travel time E[T] is finite If b>0 (bad), E[T] is finite provided that time-outs (hara-

kiri) exist and c>0 There is a single minimum of E[T] as a function of r Additional results: Multiple Copies of Each Packet – You can

actually save on energy and improve timeliness Sufficient conditions under which the packet gets to the destination when the destination moves

QoS Routing Pragmatics :QoS Routing Pragmatics :The Cognitive Packet Network The Cognitive Packet Network ApproachApproach

Let the Measurements and On-Line Adaptation be under “user” or meta-user control

Let the user make his/her own QoS and economic decisions

Remain compatible with the core IP protocol .. i.e. be able to run CPN and IP simultaneously and tunnel IP packets through CPN sub networks

OSI Layers & CPNOSI Layers & CPNTCP/IP is a layered protocol stackApplication handles particular

applications, Presentation handles compression and encryption of data, Session controls establishment, management, termination of sessions

Transport provides flow of dataNetwork handles the transmission of

packets in the networkData-link is responsible for the

interaction of the device driver in the operating system and the network card in the machine

Physical defines electrical and mechanical specifications

Applica tion

T ransport

N etwork

D ata L ink

Physica l

P resenta tion

Session

CPN PrinciplesCPN Principles

CPN operates seamlessly with IP and creates a self-aware network environment

Users select QoS goalsThe User’s Packets collectively learn to

achieve the goalsLearning is performed by sharing

information between packetsUser Packets sharing the same goals can

be grouped into classesNodes (Cognitive Routers) are storage

centers, mailboxes and processing units

CPN and Smart PacketsCPN and Smart Packets

Smart Packets route themselves based on QoS Goals, e.g.,

Minimise Delay or Loss or CombinationMinimise Jitter (for Voice)Maximise Dispersion (for security)Minimise CostOptimise Cost/Benefit

Smart Packets make observations & take decisions

ACK Packets bring back observed data and trace activity

Dumb Packets execute instructions, carry payload and also may make observations

Cognitive Adaptive RoutingCognitive Adaptive RoutingQoS Goals are obtained from Path

Measurements: Traffic, Delay, Loss, Cost, Power, Security Information – this is the “Sufficient Level of Information” for Self-Aware Networking

Smart packets collect path information and datesACK packets return Path, Delay & Loss

Information and deposit W(K,c,n,D), L(K,c,n,D) at Node c on the return path, entering from Node n in Class K

Smart packets use W(K,c,n,D) and L(K,c,n,D) for decision making using Reinforcement Learning

Decision System: a “neural” network of networks (neural networks embedded in each router)

Internal State of Neuron i, is an Integer xi > 0

Network State at time t is a Vector x(t) = (x1(t), … , xi(t), … , xk(t), … , xn(t))

Is the Internal Potential of Neuron I

If xi(t)> 0, we say that Neuron i is excited and it may fire at t+ in which case it will send out a spikeIf xi(t)=0, the Neuron cannot fire at t+

When Neuron i fires: :It sends a spike to some Neuron k, w.p. pik

Its internal state changes xi(t+) = xi(t) - 1

Rates and Weights

If xi(t)> 0, then Neuron i will fire with probability rit in the interval [t,t+t] , and as a result:

From Neuron i to Neuron m - Excitatory Weight or Rate is wim

+ = ri pim+

- Inhibitory Weight or Rate is wim- = ri pim

- - Total Firing Rate is ri = n

m=1 wim+ + wim

–

To Neuron i, from Outside the Network- External Excitatory Spikes arrive at rate i - External Inhibitory Spikes arrive at rate i

State EquationsState Equations

whereqqkpformproductthehasitthen

solutionstationaryahaveequationsKCtheIf

txqandktxkp

Let

tkrtkp

tktkpdrtkpprtkptkprtkptkpdt

d

ekkekk

eekkeekk

}{x(t):tktxtkp

iki

it

it

iii

ii

iiiiii

iiijiijjijiji

ij

iiii

jiijjiij

i ,)1()(""

,

]0)(Pr[lim],)(Pr[lim)(

:

]]0)([1)[(),(

]]0)([1),())(,([]),(]0)([1),([),(

Equations Kolmogorov -The

:,

,and

process, Markov space-state discrete a is 0 where])(Pr[),(

n

1i

,

Theorem

Chapman

10

j jijjii

j jijji

i prqr

prqq

ji

ji

Firing Rate ofNeuron i

External ArrivalRate of ExcitatorySpikes

External ArrivalRate of InhibitorySpikes

Probability thatNeuron I is excited

Goal Based Reinforcement Goal Based Reinforcement Learning in CPNLearning in CPN

The Goal Function to be minimized is selected by the user, for instance G = [1-L]W + L[T+W]

On-line measurements and probing are used to measure L and W, and this information is brought back to the decision points

The value of G is estimated at each decision node

and used to compute the estimated reward R = 1/G

The RNN weights are updated using R stores G(u,v) indirectly in the RNN which makes a myopic (one step) decision

Routing with Reinforcement Routing with Reinforcement Learning using the RNNLearning using the RNN

Each “neuron” corresponds to the choice of an output link in the node

Fully Recurrent Random Neural Network with Excitatory and Inhibitory Weights

Weights are updated with RL Existence and Uniqueness of

solution is guaranteed Decision is made by

selecting the outgoing link which corresponds to the neuron whose excitation probability is largest

Reinforcement Learning in CPNReinforcement Learning in CPNThe decision threshold is the Most Recent

Historical Value of the Reward

Recent Reward Rl If

then

else

11 ,)1(

GRRaaTT lll

jkn

Rkiwkiw

Rjiwjiw

l

l

,2

),(),(

),(),(ll RT 1

l

l

Rjiwjiw

jkn

Rkiwkiw

),(),(

,2

),(),(

Re-normalize all weights

Compute q = (q1, … , qn) from the fixed-pointSelect Decision k such that qk > qi , i=1, …, n

n

i miwmiwr1

* )],(),([

*

*

),(),(

),(),(

i

i

i

i

r

rjiwjiw

r

rjiwjiw

Test-Bed MeasurementsOn-Line Route Discovery by Smart Packets

Route Adaptation without Obstructing Traffic

Packet Round-Trip Delay with Saturating Obstructing Traffic at Count 30

Route Adaptation with Saturating Obstructing Traffic at Count 30

Packet Round-Trip Delay with Link Failure at Count 40

Path Tags with Link Failure at Count 40

SP

DP

All

Average Round-Trip Packet Delay VS

Percentage of Smart Packets

QoS vs Route SwitchingQoS vs Route Switching

Average delay of each user is computed individually, and the median is plotted in the graph: Error bars indicate the 1st and 3rd quartile

Frequency of Oscillations vs Route Frequency of Oscillations vs Route SwitchingSwitching

Undesirable Effect of Route Switching:Undesirable Effect of Route Switching:Packet Loss due to De-sequencingPacket Loss due to De-sequencing

The rate at which packets are dropped at the reordering (resequencing) buffer increases with the switching probability

A QoS Driven Application Voice over CPN

Fig. 1. Voice over CPN

Experimental Results Voice over CPN

Fig. 4

Experimental Results Voice over CPN

Fig. 6 : Average round trip delay (left) and jitter (right) for user payload when only DPs are allowed to carry user payload

Experimental Results: Voice over CPNPacket desequencing Probability at Receiver vs Packet Rate

Fig. 7. Probability of packet desequencing perceived by the receiver side

CPN for Traffic EngineeringCPN for Traffic Engineering

Other experimentsOther experiments

CPN routing algorithm is used to conduct experiments using different QoS goals:◦Delay [Algorithm-D]◦Hop count [Algorithm-H]◦Combination of delay and hop [Algorithm-HD]

Average path length for each algorithmThe route usage under different traffic

rates◦Low Traffic Rate (LTR)

100 packets/second◦Medium Traffic Rate (MTR)

500 packets/second◦High Traffic Rate (HTR)

1000 packets/secondThe forward delay of each algorithm with

different background traffic is also reported

Average path length with different Average path length with different levels of background trafficlevels of background traffic

H-Algorithm Route usage with Low TRH-Algorithm Route usage with Low TR

25 routes are discovered and one of them is the shortest path

Above 90% of DPs use this shortest path

H-Algorithm Route usage: Medium TRH-Algorithm Route usage: Medium TR

20 routes are discovered and 4 of them are the shortest path

Above 85% of DPs use these 4 shortest paths

H-Algorithm Route usage: High TRH-Algorithm Route usage: High TR

12 routes are discovered and 4 of them are the shortest path

Only about 51% of DPs use these 4 shortest paths

Delay with different background traffic levelsDelay with different background traffic levels

High background traffic

Medium

None

Another extension:Another extension:Genetic Algorithms for CPNGenetic Algorithms for CPN

Exploit an analogy between “genotypes” and network paths

The fitness of the individual is the QoS of the path

Selection function chooses paths for reproduction based on the QoS of paths

The genetic operation used to create new individuals is crossover

Populations in CPNPopulations in CPN

No backgroundtraffic

2.4Mb backgroundtraffic

Delay

Loss

4.0Mb backgroundtraffic

5.6Mb backgroundtraffic

Delay

Loss

Wireless Power-Aware Adhoc CPN Test-Bed

Denial of Service Protection using CPNDenial of Service Protection using CPN

• 1996. Panix

• 1998. “Analyzer” attacks the Pentagon

• 2000. “Mafiaboy” attacks Amazon, Yahoo etc.

• 2001. Port of Houston

• 2002. 13 Root Servers

• 2003. American hackers attack Al Jazeera

• 2007 Attacks on Estonia’s e-Government and Financial Sector

What is a DoS AttackWhat is a DoS Attack

An attack with the purpose of preventing legitimate users from using a specific network resource

Is it a new threat?Is it a new threat?1985, R.T. Morris writes:“The weakness in the Internet Protocol is that the source host itself fills in the IP source host id, and there is no provision in TCP/IP to discover the true origin of a packet” .. IP SpoofingSYN Flood Attack

Distributed DoSDistributed DoS

Issues that we have adressedIssues that we have adressed

Detection◦Pattern detection◦Anomaly detection◦Hybrid detection◦Third-party detection

Response◦Agent identification◦Rate-limiting◦Filtering◦Reconfiguration

CPN DDoS Defence SchemeCPN DDoS Defence Scheme

The CPN architecture traces flows using smart and ACK packets

A DoS produces QoS degradationThe user(s) and victim(s) detect the attack and

inform nodes upstream from the victim(s) using ACK packets

These nodes drop possible DoS packetsThe detection scheme is never perfect (false

alarms & detection failures)

Mathematical modelMathematical model (1)(1)

Analyses the impact of DDoS protection on overall network performance

Measures traffic rates in relation to service rates and detection probabilities

Mathematical modelMathematical model

1

1,,,

1

1,,,

))1)(1((

))1)(1((

j

ldd

dd

dd

j

lnn

nn

nn

lljj

lljj

dLI

fLI

ddd

nnn

))1()1(( ,,,, d

ddn

nn idii

niii dIfIs

i

BiB

ii

i

iL

1

1 1

Illustration on an Experimental CPN Test-Bed

PredictionsPredictions of the Model of the Model

Impact on the nodesImpact on the nodes(without Defence)(without Defence)

Impact of the Defence on the NodesImpact of the Defence on the Nodes

ExperimentExperiment

2.4GHz P4 PCs, Linux kernel 2.4.26, CPN

Different QoS protocols for normal and attack traffic

Delay-based FIFO queuing60 sec

Averaged Likelihood

Feedforward RNN

Recurrent RNN

False Alarms: 2.8 %Correct Detections: 88 %

False Alarms: 11 %Correct Detections: 96 %

False Alarms: 11 %Correct Detections: 96 %

Trace1 --- Attack Traffic

Averaged Likelihood

Feedforward RNN

Recurrent RNN

False Alarms: 0 %Correct Detections: 76 %

False Alarms: 8.3 %Correct Detections: 84 %

False Alarms: 2.8 %Correct Detections: 80 %

Trace2 --- Attack Traffic

Stable Networks in the Presence of Failures: Initial Results

• A node failure is emulated by disabling some or all of the Ethernet interfaces of a node (so that no traffic will be able to go through that node, just like in a real breakdown of a machine) and is restored by re-enabling all the interfaces.

• Failures are considered to be similar to worm attacks and their spread is modelled according to the AAWP (Analytical Active Worm Propagation) model. This is a discrete-time and continuous state deterministic approximation model, proposed by Chen et al. [1] to model the spread of active worms that employ random scanning.

• The AAWP is a discrete time model which is more realistic, since a node must be completely infected before it starts infecting other node, so that the speed of the spread is connected to the number of nodes that can be infected.

• AAWP uses the random scanning mechanism in which it is assumed that every nodes is just as likely to infect or be infected by others. Other scanning mechanisms can be used, such as local subnet, permutation and topological scanning.

Current Experiments

DoS on a streaming videoDoS on a streaming video

Math. Analysis, Simulation and ExperimentMath. Analysis, Simulation and ExperimentComparisonComparison

http://san.ee.ic.ac.uk