Mitigating Denial-of-Service Attacks on the Chord Overlay Network: A Location Hiding Approach

Serverless distributed computing has received significant attention from both the industry and the research community. Among the most popular applications are the wide area network file systems, exemplified by CFS, Farsite and OceanStore. These file systems store files on a large collection of untrusted nodes that form an overlay network. They use cryptographic techniques to maintain file confidentiality and integrity from malicious nodes. Unfortunately, cryptographic techniques cannot protect a file holder from a Denial-of-Service (DoS) or a host compromise attack. Hence, most of these distributed file systems are vulnerable to targeted file attacks, wherein an adversary attempts to attack a small (chosen) set of files by attacking the nodes that host them. This paper presents LocationGuard - a location hiding technique for securing overlay file storage systems from targeted file attacks. LocationGuard has three essential components: (i) location key, (ii) routing guard, a secure algorithm that protects accesses to a file in the overlay network given its location key, and (iii) a set of location inference guards. Our experimental results quantify the overhead of employing LocationGuard and demonstrate its effectiveness against DoS attacks, host compromise attacks and various location inference attacks.     

基于树环Chord的大规模覆盖网的拓扑结构

提出一种基于树环Chord的网络拓扑结构,并设计了与该拓扑结构对应的节点的路由表结构.基于树环Chord的网络拓扑结构有效利用了IPv6地址协议的地址聚类特性把网络中的节点划分到相应的自治域,有效解决了物理网络和逻辑网络不匹配时路由绕路产生的搜索延迟问题;新的路由表消除了冗余信息并增加了目标资源列表,增加了启发信息,缩短了重复搜索的延迟.仿真实验结果表明,基于树环Chord的网络拓扑结构的搜索平均延迟和平均跳数优于Chord和DChord,有效提高了资源搜索的性能.     

A Framework for Supporting Tree-Like Indexes on the Chord Overlay

With the explosive growth of data, to support efficient data management including queries and updates, the database system is expected to provide tree-like indexes, such as R-tree, M-tree, B＋-tree, according to different types of data. In the distributed environment, the indexes have to be scattered across the compute nodes to improve reliability and scalability. Indexes can speed up queries, but they incur maintenance cost when updates occur. In the distributed environment, each compute node maintains a subset of an index tree, so keeping the communication cost small is more crucial, or else it occupies lots of network bandwidth and the scalability and availability of the database system are affected. Further, to achieve the reliability and scalability for queries, several replicas of the index are needed, but keeping the replicas consistent is not straightforward. In this paper, we propose a framework supporting tree-like indexes, based on Chord overlay, which is a popular P2P structure. The framework dynamically tunes the number of replicas of index to balance the query cost and the update cost. Several techniques are designed to improve the efficiency of updates without the cost of performance of the queries. We implement M-tree and R-tree in our framework, and extensive experiments on real- life and synthetic datasets verify the efficiency and scalability of our framework.     

Erratum to:A Framework for Supporting Tree-Like Indexes on the Chord Overlay

Erratum:Ming-Dong Zhu,De-Rong Shen,Yue Kou,Tie Zheng Nie,Ge Yu.A Framework for Supporting Tree-Like Indexes on the Chord Overlay.Journal of Computer Science and Technology 2013,28(6):962-972.DOI:10.1007/s11390-013-1391-8.“The publisher regrets the error made to the metadata published with the paper entitled”A Framework for Supporting Tree-Like Indexes on the Chord Overlay“in Volume 28,Issue 6,November 2013,pp.962-972.The third author's name should read:Yue Kou.The citation listed on the SpringerLink article(DOI 10.1007/s11390-013-1391-8)is correct.”     

一种QoS覆盖网络拓扑相关的方案

在覆盖网络中,物理网络和覆盖网络的拓扑是经常失配的.已提出的解决方案没有考虑到日渐增多的覆盖网络QoS需求.提出一种考虑覆盖网络QoS需求的拓扑相关的解决方案,该方案主要是交换节点的标号,保持网络不变.可以有效解决QoS覆盖网络拓扑相关的问题.     

Overlay网络上的覆盖节点的放置问题

Overlay服务网络是一种通用的服务框架,它利用覆盖网络技术来向用户提供各种各样的服务。该文在讨论Overlay服务网络的基础上,提出了覆盖节点放置的问题,对该问题进行了形式化,并提出了相应的算法,对算法进行了相应的仿真。     

Secure Overlay Network Design

Due to the increasing security threats on the Internet, new overlay network architectures have been proposed to secure privileged services. In these architectures, the application servers are protected by a defense perimeter where only traffic from entities called servlets are allowed to pass. End users must be authorized and can only communicate with entities called access points (APs). APs relay authorized users’ requests to servlets, which in turn pass them to the servers. The identity of APs are publicly known while the servlets are typically secret. All communications are done through the public Internet. Thus all the entities involved form an overlay network. The main component of this distributed system consists of n APs and m servlets. A design for a network is a bipartite graph with APs on one side, and the servlets on the other side. If an AP is compromised by an attacker (or fails), all the servlets that are connected to it are subject to attack. An AP is blocked, if all servlets connected to it are subject to attack. We consider two models for the failures: In the stochastic model, we assume that each AP i fails with a given probability p _i . In the adversarial model, we assume that there is an adversary that knows the topology of the network and chooses at most k APs to compromise. In both models, our objective is to design the connections between APs and servlets to minimize the (expected/worst-case) number of blocked APs. In this paper, we give a polynomial-time algorithm for this problem in the stochastic model when the number of servlets is a constant. We also show that if the probability of failure of each AP is at least 1/2, then in the optimal design each AP is connected to only one servlet (we call such designs star-shaped), and give a polynomial-time algorithm to find the best star-shaped design. We observe that this statement is not true if the failure probabilities are small. In the adversarial model, we show that the problem is related to a problem in combinatorial set theory, and use this connection to give bounds on the maximum number of APs that a perfectly failure-resistant design with a given number of servlets can support. Our results provide the first rigorous theoretical foundation for practical secure overlay network design.     

mTreebone: A Collaborative Tree-Mesh Overlay Network for Multicast Video Streaming

Recently, application-layer overlay networks have been suggested as a promising solution for live video streaming over the Internet. To organize a multicast overlay, a natural structure is a tree, which, however, is known vulnerable to end-hosts dynamics. Data-driven approaches address this problem by employing a mesh structure, which enables data exchanges among multiple neighbors, and thus, greatly improves the overlay resilience. It unfortunately suffers from an efficiency-delay trade-off, because data have to be pulled from mesh neighbors by using extra notifications periodically. In this paper, we closely examine the contributions of overlay nodes, and argue that performance of a mesh overlay closely depends on a small set of stable backbone nodes. This is validated through a real trace study on PPLive, the largest commercial application-layer live streaming system to date. Motivated by this observation, we then suggest a novel collaborative tree-mesh design that leverages both mesh and tree structures. The key idea is to identify a set of stable nodes to construct a tree-based backbone, called treebone, with most of the data being pushed over this backbone. These stable nodes, together with others, are further organized through an auxiliary mesh overlay, which facilitates the treebone to accommodate node dynamics and fully exploit the available bandwidth between overlay nodes. This hybrid design, referred to as mTreebone, brings a series of unique and critical design challenges. In particular, the identification of stable nodes and seamless data delivery using both push and pull methods. In this paper, we present optimized solutions to these problems, which reconcile the two overlays under a coherent framework with controlled overhead. We evaluate mTreebone through both simulations and PlanetLab experiments. The results demonstrate the superior efficiency and robustness of this hybrid solution in both static and dynamic scenarios.     

LION: Layered Overlay Multicast With Network Coding

Recent advances in information theory show that the throughput of a multicast session can be improved using network coding. In overlay networks, the available bandwidth between sender and different receivers are different. In this paper, we propose a solution to improve the throughput of an overlay multicast session with heterogeneous receivers by organizing the receivers into layered data distribution meshes and sending substreams to each mesh using layered coding. Our solutions utilize alternative paths and network coding in each mesh. We first formulate the problem into a mathematical programming, whose optimal solution requires global information. We therefore present a distributed heuristic algorithm. The heuristic progressively organizes the receivers into layered meshes. Each receiver can subscribe to a proper number of meshes to maximize its throughput by fully utilizing its available bandwidth. The benefits of organizing the topology into layered mesh and using network coding are demonstrated through extensive simulations. Numerical results indicate that the average throughput of a multicast session is significantly improved (up to 50% to 60%) with only slightly higher delay and network resource consumption.     

Chord网络环境下的Gossip算法

本文研究和分析Gossip算法在Chord网络中的适用性,并根据Chord网络的特点对基于Push&Pull模式的Gossip算法提出一种改进算法Mod-Gossip。实验表明,Push&Pull模式的Gossip算法可以很好地适应Chord网络,在Chord网络中将任意节点上的信息传播到整个网络中需要的周期数与在全连通网络中相当;本文所提出的Mod-Gossip算法则可以减少大约两个周期;在动态网络中,节点的加入不会对Push&Pull模式的Gossip算法以及Mod-Gossip算法的执行产生影响。     

一种基于Overlay Network的自优化网格架构

网格和OverlayNetwork已经引起研究领域和工业界的广泛关注,然而,工业、学术以及商业界的研究主要围绕网格的应用、服务和中间件,很少研究基础网络。论文提出了一种基于OverlayNetwork的自优化网格架构,并且展示了这一架构在数据管理领域的应用,如副本的生成、放置、访问优化、同步等等,这些都是利用部署在OverlayNetwork上独立的P2P组件协作实现的,并且所有组件是并发执行的,每一个组件根据自己的目标优化系统,通过很少交互且易处理的组件来完成优化,这个独立优化的方案与整体优化相比较,得到的结果相近,甚至更好,而且其复杂性更小。     

覆盖网络中一种公平负载均衡QoS路由算法

覆盖网络通过选择资源消耗代价较低的应用层服务路径实现分布式网络应用的负载均衡,但传统方法未考虑局部负载较重链路中存在的资源瓶颈问题,导致系统吞吐量的下降.针对该问题提出一种公平负载均衡QoS路由算法,该方法引入表征路径瓶颈程度的资源公平指数,依据代价模型建立新的负载均衡效用函数,并采用自适应的系统负荷状态加权方法修正Q...     

一种关于重叠服务网络的可用带宽测量技术

本论文介绍的是一种关于在一条网络路径上的两端主机之间的可用带宽测量的新算法。这种算法是对目前在线网络测量中使用的主动测量方法的一种调整。这种测量是由TCP的数据包和确认包的传输和接受的时间间隔中推断出来的网络特性的信息实现的。在全方位服务网络中在线网络测量起到很大的作用,在其中可用带宽的最近数据信息将会尽快的被下一层的IP层获得。在本论文中,首先介绍了这种算法,然后讨论在主动TCP连接中应用这种算法所遇到的问题。     

具有可用性改善的P-Grid覆盖网络

原P-Grid覆盖网络通过大量冗余将低在线率的节点构建成高可用性的系统.考虑分布式环境下节点不一定具有低在线率而呈现周期性,提出一种基于P-Grid的具有可用性改善的节点周期性组织方式.分类节点为长期节点、周期节点和普通节点,将长期节点按原P-Grid方式形成周期性组织下的主体二叉树,设计适当的信息表结构建立节点间的关系,并给出相应的查找、节点加入和数据对象创建的算法.数值分析和模拟实验表明在相同的节点规模及树高度下,周期性组织方式可以达到更高的可用性,同时数值分析也表明不影响维护消耗.     

Self-stabilizing somersaults

We investigate the open-loop stability of a planar biped robot performing a periodic motion of forward somersaults with alternating single-leg contacts. The robot has a trunk and two actuated telescopic legs with point feet which are coupled to the trunk by actuated hinges. There is compliance and damping in the hip and in the legs. The concept of open-loop control implies that all actuators of the system receive predetermined inputs that are never altered by any feedback interference. Only with the right choice of model parameters and actuator inputs is it possible to create such self-stabilizing motions exploiting the natural stability properties of the system. These unknowns have been determined using special-purpose stability-optimization methods. The resulting motion is not only stable, but also a more efficient form of forward motion than running for the investigated robot.     

基于覆盖网的协同式网络安全防护与分析系统

互联网安全形势依然严峻,网络安全事件层出不穷,虽然网络安全系统一直在不断的发展,但是传统安全系统间缺少协同机制,难以实施统一的安全策略,无法发挥整体优势。文章提出了一种基于覆盖网的协同式网络安全防护与分析系统,通过覆盖网架构,将原本孤立的网络安全设备互连起来,协同工作,分布式感知与控制管理网络流量,集中分析与处理安全事件,形成全程全网的网络安全事件管理与解决方案。该方案充分利用了覆盖网技术、P2P通讯技术、可信网络连接技术、高速流量记录查询技术和云计算技术等现有的技术来架构一个实用的协同网络安全防护与分析系统。     

Chord2: A two-layer Chord for reducing maintenance overhead via heterogeneity

Empirical studies have shown that participating nodes in peer-to-peer (P2P) systems are not equivalent. Some nodes, known as “super peers”, are more powerful and stable than the others. Such heterogeneity has been taken into account in the design of P2P systems in two ways: by employing super peers to serve as index servers for query, and by routing through super peers to speed up query. In this paper, we use super peers to reduce maintenance cost in Chord—a DHT network which, like other DHT-based systems, is often praised for its guaranteed search feature but has relatively higher maintenance overhead than Gnutella-like unstructured P2P networks.     

一种动态网格Overlay Network拓扑优化蚁群算法

如何提供丰富的通信交互是高级网格应用的关键问题，但是目前的网格技术还不能满足这一需求，提出了一种基于Overlay Network的网格架构来弥补这一不足，如何优化Overlay Network拓扑结构是该架构必须首先解决的重要问题，给出了一种动态环境中拉各朗日蚁群优化算法DLagrAnt，计算的结果显示该算法具有更快的适应性和更小的开销。     

结构化覆盖网络模型Chord研究

在P2P应用系统中,如何有效地定位分布在网络中不同节点上的数据资源一直是研究的重点。Chord模型通过提供了一个分布式的资源查找协议成功地解决了这个问题,同时Chord协议能够有效支持节点动态地加入和退出网络。文章对Chord的系统基础及特性进行了论述,并重点分析了协议所提供的文件资源查询和节点加入退出算法,从理论上论证了Chord是一种具有可扩展性的低消耗系统。     

Self-stabilizing multi-token rings

Summary A distributed system consists of a set of loosely connected machines that do not share a global memory. The system isself-stabilizing if it can be started in any global state and achieves consistency all by itself. This also means that the system can deal withinfrequent errors. This paper presents self-stabilizing multi-token rings. A multitoken ring is a generalization of a (one-)token ring. The algorithms presented are generalizations of a self-stabilizing mutual exclusion algorithm by Dijkstra [5] which can also be viewed as a token ring. We develop the algorithms in a stepwise manner, to show how and why we arrived at the final multi-token rings. The final parameterized algorithm represents a set of algorithms, one for each choice of the parameter. This enables one to select the algorithm with an optimal trade-off in desired flexibility versus memory requirements and stabilization time. Mitchell Flatebo received the B.S. degree in Mathematics (1990), the B.S. degree in Computer Science (1990), the M.S. degree in Mathematics (1992), and the M.S. degree in Computer Science (1993) from the University of Nevada, Las Vegas. He is currently a software engineer for Loral Space and Range Systems. His research interests include distributed systems, fault-tolerant computing, and self-stabilization. Ajoy Kumar Datta received the Ph.D. degree in Computer Science from the Jadavpur University, Calcutta, India in 1983. He is currently an Associate Professor of Computer Science at the University of Nevada, Las Vegas. His area of research is distributed and fault-tolerant computing —algorithms and self-stabilization. Anneke Schoone received an M.Sc. degree in Biology in 1978, an M.Sc. degree in Mathematics in 1981, and a Ph.D. degree in Computer Science in 1991 from Utrecht University (The Netherlands). Currently she is a senior research associate at the Department of Computer Science of Utrecht University, supported by ESPRIT Basic Research Action No. 7141 (project ALCOM II:Algorithms and Complexity) of the EC. Her research interests include assertional verification of distributed algorithms and the concept of self-stabilization.The research of this author was supported partially by the ESPRIT Basic Research Action No. 7141 (project ALCOM II:Algorithms and Complexity), and partially by the Netherlands Organization for Scientific Research (NWO) under contract NF 62-376 (NFI project ALADDIN:Algorithmic Aspects of Parallel and Distributed Systems)