Similar literature
20 similar documents found; search took 125 ms
1.
《Computer Networks》2008,52(7):1390-1409
Overload control mechanisms such as admission control and connection differentiation have proven effective for preventing overload of application servers running secure web applications. However, achieving optimal results in overload prevention is only possible when some kind of resource management is considered in addition to these mechanisms. In this paper we propose an overload control strategy for secure web applications that brings together dynamic provisioning of platform resources and admission control based on secure socket layer (SSL) connection differentiation. Dynamic provisioning enables additional resources to be allocated to an application on demand to handle workload increases, while the admission control mechanism avoids the server’s performance degradation by dynamically limiting the number of new SSL connections accepted and preferentially serving resumed SSL connections (to maximize performance on session-based environments) while additional resources are being provisioned. Our evaluation demonstrates the benefit of our proposal for efficiently managing the resources and preventing server overload on a 4-way multiprocessor Linux hosting platform, especially when the hosting platform is fully overloaded.

2.
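An admission control mechanism based on admission time ratio control and a proportional-integral regulator   Total citations: 2, self-citations: 0, citations by others: 2
This paper discusses overload protection for e-commerce websites and presents an admission control mechanism based on admission time ratio control and a proportional-integral (PI) regulator. The mechanism uses the PI regulator to dynamically adjust the length of time within each control period during which the server admits requests, actively rejecting excess requests to achieve admission control. Experiments show that, even under severe overload, the feedback control mechanism based on the admission time ratio keeps the server's actual load close to its maximum processing capacity, with throughput and response time comparable to those of a fully loaded server; in addition, simulations show that the mechanism can effectively achieve resource control and quality-of-service control.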

3.
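An adaptive admission control scheme for Web services is designed and implemented, based on online system model identification using the quantum-behaved particle swarm optimization (QPSO) algorithm; the parameters of the proportional-integral controller are tuned online as the system model changes. Through an admission time ratio feedback control mechanism, the length of time within each control period during which the server admits requests is adjusted, thereby achieving admission control. Simulation experiments and comparison with several other control methods show that adaptive control with online identification controls system resources more effectively when the server is overloaded, further improving quality of service.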

4.
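The SSL protocol provides a strong guarantee for the secure transmission of data over networks, but the overhead caused by large numbers of SSL connections leads to a sharp drop in server performance. Based on the standard SSL protocol, an optimized connection-establishment model is proposed that integrates protocol improvements and functional separation into the original protocol, using the ideas of reuse and separation to improve SSL server performance.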

5.
A scalable e-commerce server should be able to provide different levels of quality of service (QoS) to different types of requests based on clients' navigation patterns and the server capacity. E-Commerce workloads are composed of sessions. In this paper, we propose a session-based two-dimensional (2D) service differentiation model for online transactions: intersession and intrasession. The intersession model aims to provide different levels of QoS to sessions from different customer classes, and the intrasession model aims to provide different levels of QoS to requests in different states of a session. A primary performance metric of online transactions is slowdown. It measures the waiting time of a request relative to its service time. We present a processing rate allocation scheme for 2D proportional slowdown differentiation. We then introduce service slowdown as a systemwide QoS metric of an e-commerce server. It is defined as the weighted sum of request slowdown in different sessions and in different session states. We formulate the problem of 2D service differentiation as an optimization of processing rate allocation with the objective of minimizing the service slowdown of the server. We prove that the derived rate allocation scheme based on the optimization guarantees client requests' slowdown to be square-root proportional to their prespecified differentiation weights in both intersession and intrasession dimensions. We evaluate this square-root proportional rate allocation scheme and a proportional rate allocation scheme via extensive simulations. Results validate that both schemes can achieve predictable, controllable, and fair 2D service differentiation on e-commerce servers. The square-root proportional rate allocation scheme provides 2D service differentiation at a minimum cost of service slowdown.

6.
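SSL is a secure electronic transaction protocol commonly used in e-commerce, providing encryption and authentication for transmitted information. In light of the latest DoS tool targeting SSL servers, this paper analyzes the denial-of-service vulnerability in the SSL protocol, discusses why establishing an SSL connection consumes far more computing resources on the server than on the client, and proposes several solutions to mitigate the damage caused by the attack, among which the solution based on connection limiting can effectively mitigate this kind of problem.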

7.
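With intelligent e-commerce systems as the application background, and taking into account factors that affect query efficiency such as merchant service quality and network load, the concept of time slices is introduced and an agent migration strategy model based on intelligent product search is proposed. The model provides an objective and accurate method for evaluating merchant service quality, and uses a request-and-response approach to effectively avoid migration failures caused by network load, merchant server load and similar factors, while also reducing the waste of network bandwidth and server resources.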

8.
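In this paper we propose a new SSL VPN architecture that supports all applications while strengthening resistance to DoS and classified DoS attacks. The key advantage of an SSL VPN is that it requires no dedicated client software. When a user requests access to a server, an SSL client module written as a Java applet is first downloaded to the host. However, not all applications run well, because the client cannot connect to some well-known applications over HTTPS. Moreover, when the SSL port is under a DoS or classified DoS attack, the VPN cannot be used to connect. The improved VPN uses the same Java applet as existing SSL VPNs, but the applet implements a function we call dynamic coding, which is changed dynamically through Java Remote Method Invocation (RMI). The VPN client applet can interoperate with the VPN server and firewall on the server side.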

9.
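Exception control for abnormally disconnected connections in the ADO.Net connection pool   Total citations: 1, self-citations: 0, citations by others: 1
Dynamic Web sites often need to obtain data from a database to generate Web pages, so creating database connections between the Web application and the database incurs a large overhead; ADO.Net uses a connection pool to reduce the cost of creating database connections. However, abnormally disconnected connections frequently appear in the ADO.Net connection pool, and the pool manager hands these effectively invalid connections to requesting applications, which then hit a connection exception when they use them to execute SQL statements. A solution is proposed for avoiding this connection exception in the SQL Server .Net data provider.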

10.
The use of e-commerce has been associated with a lot of skepticism and apprehension due to some crimes associated with e-commerce and specifically with payment systems. The secure socket layer (SSL) protocol is trusted in this regard to secure transactions for sensitive applications like e-commerce. Unfortunately, the use of the SSL protocol causes slow response time on the server, which is a major cause of frustration for on-line shoppers. In this paper, we propose a secured credit-debit card payment system based on the Elliptic Curve Cryptosystem (ECC). We first examine the ECC algorithm over prime fields GF(p), implement our proposed method using a typical transaction involving credit/debit card numbers, and compare the performance with the RSA cryptosystem. Our result shows that ECC is faster in terms of response to transaction requests and occupies less memory space than an equivalent RSA system. Thus, this makes it a more suitable public key cryptography scheme for application in a constrained open environment like a payment system, where fast operations are needed.

11.
Bisel  L.D. 《IT Professional》2007,9(2):22-25
In this paper, the security in computer networks using the secure sockets layer (SSL) protocol is discussed. Security refers to many different ideas, principles, and concepts. SSL provides three categories of security: confidentiality, message integrity, and endpoint authentication. It's important to keep security traits in mind as we consider some common scenarios involving secure sockets layer (SSL). The SSL can help secure communications in e-commerce and in other business or personal communication where security is required between a client and server. However, SSL doesn't address some other security aspects

12.
State-of-the-art cluster-based data centers consisting of three tiers (Web server, application server, and database server) are being used to host complex Web services such as e-commerce applications. The application server handles dynamic and sensitive Web contents that need protection from eavesdropping, tampering, and forgery. Although the secure sockets layer (SSL) is the most popular protocol to provide a secure channel between a client and a cluster-based network server, its high overhead degrades the server performance considerably and, thus, affects the server scalability. Therefore, improving the performance of SSL-enabled network servers is critical for designing scalable and high-performance data centers. In this paper, we examine the impact of SSL offering and SSL-session-aware distribution in cluster-based network servers. We propose a back-end forwarding scheme, called ssl_with_bf, that employs a low-overhead user-level communication mechanism like virtual interface architecture (VIA) to achieve a good load balance among server nodes. We compare three distribution models for network servers, round robin (RR), ssl_with_session, and ssl_with_bf, through simulation. The experimental results with 16-node and 32-node cluster configurations show that, although the session reuse of ssl_with_session is critical to improve the performance of application servers, the proposed back-end forwarding scheme can further enhance the performance due to better load balancing. The ssl_with_bf scheme can minimize the average latency by about 40 percent and improve throughput across a variety of workloads.

13.
Multiple Internet applications are often hosted in one datacenter, sharing underlying virtualized server resources. It is important to provide differentiated treatment to co-hosted applications and to improve overall system performance by efficient use of shared resources. Challenges arise due to multi-tier service architecture, virtualized server infrastructure, and highly dynamic and bursty workloads. We propose a coordinated admission control and adaptive resource provisioning approach for multi-tier service differentiation and performance improvement in a shared virtualized platform. We develop new model-independent reinforcement learning based techniques for virtual machine (VM) auto-configuration and session based admission control. Adaptive VM auto-configuration provides proportional service differentiation between co-located applications and improves application response time simultaneously. Admission control improves session throughput of the applications and minimizes resource wastage due to aborted sessions. A shared reward actualizes coordination between the two learning modules. For system agility and scalability, we integrate the reinforcement learning approach with cascade neural networks. We have implemented the integrated approach in a virtualized blade server system hosting RUBiS benchmark applications. Experimental results demonstrate that the new approach meets differentiation targets accurately and achieves performance improvement of applications at the same time. It reacts to dynamic and bursty workloads in an agile and scalable manner.

14.
In the current circumstance, e-commerce through an online banking system plays a significant role. Customers may either buy goods from E-Commerce websites or use online banking to move money to other accounts. When a user participates in these types of behaviors, their sensitive information is sent to an untrustworthy network. As a consequence, when transmitting data from an internal browser to an external E-commerce web server using the cryptographic protocol SSL/TLS, the E-commerce web server ensures the security of the user’s data. The user should be pleased with the confidentiality, authentication, and authenticity properties of the SSL/TLS on both the user’s web browser and the remote E-commerce web server. E-Commerce web servers should choose the best SSL/TLS cipher suites for negotiating the user in order to attain such optimistic scenarios, as the cipher suite used in SSL/TLS plays an important role in securing E-Commerce web servers. The paper primarily focuses on analyzing the SSL/TLS cipher and elliptic curves. The paper also recommends the best elliptic curve cipher suites for E-Commerce and online banking servers, based on their power consumption, handshake execution time, and key exchange and signature verification time.

15.
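Shifting load from the server to the client can solve the problem of excessive server load during the Secure Sockets Layer (SSL) handshake. However, this approach increases the load on the client, and the increase is significant when the client needs to perform high-security-level handshakes and uses many rich Internet applications. To ensure good quality of service, and given that current clients are mainly multi-core devices, the SSL client is optimized for parallelism so that the SSL handshake both keeps server load low and reduces client load, improving SSL performance on both sides and ensuring quality of service.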

16.
Conventional admission control models incur some performance penalty. First, admission control computation can overload a server that is already heavily loaded. Also, in large-scale media systems with geographically distributed server clusters, performing admission control on each cluster can result in long response latency, if the client request is denied at one site and has to be forwarded to another site. Furthermore, in prefix caching, initial frames cached at the proxy are delivered to the client before the admission decisions are made. If the media server is heavily loaded and, finally, has to deny the client request, forwarding a large number of initial frames is a waste of critical network resources. In this paper, a novel distributed admission control model is presented. We make use of proxy servers to perform the admission control tasks. Each proxy hosts an agent to coordinate the effort. Agents reserve media server's disk bandwidth and make admission decisions autonomously based on the allocated disk bandwidth. We develop an effective game theoretic framework to achieve fairness in the bandwidth allocation among the agents. To improve the overall bandwidth utilization, we also consider an aggressive admission control policy where each agent may admit more requests than its allocated bandwidth allows. The distributed admission control approach provides the solution to the stated problems incurred in conventional admission control models. Experimental studies show that our algorithms significantly reduce the response latency and the media server load.

17.
The growth of web-based applications in business and e-commerce is building up demands for high performance web servers for better throughputs and lower user-perceived latency. These demands are leading to a widespread substitution of powerful single servers by robust newcomers, cluster web servers, in many enterprise companies. In this respect the load-balancing algorithms play an important role in boosting the performance of cluster servers. The previous load-balancing algorithms which were designed for the handling of static contents in web services suffer from significant performance degradation under dynamic and database-driven workloads. Regarding this, we propose an approximation-based load-balancing algorithm with admission control for cluster-based web servers in this study. Since it is difficult to accurately determine the loads of web servers through feedbacks from distributed agents in web servers, we propose an analytical model of a web server to estimate the web servers’ loads. To achieve this, the algorithm classifies requests based on their service times and tracks numbers of outstanding requests for each class of each web server node and also based on their resource demands to dynamically estimate the loads of each node. For the error handling of the model a proportional integral (PI) controller from control theory is used. Then the estimated available capacity of each web server is used for load balancing and admission control decisions. The implementation results with a standard benchmark confirm the effectiveness of the proposed scheme, which improves both the mean response time and the throughput of the cluster compared to rival load-balancing algorithms, and also avoids situations in which the cluster is overloaded, even when the request rates are beyond the cluster capacity.

18.
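SSL handshake protocol based on batch key redistribution*   Total citations: 1, self-citations: 0, citations by others: 1
The SSL (Secure Sockets Layer) handshake protocol uses a public-key cryptosystem (RSA) to protect the confidentiality and integrity of information transmitted between communicating entities, but it suffers from slow information processing. An SSL handshake protocol based on batch RSA addresses this problem fairly well, but when the server receives a large number of client requests or comes under a DoS attack, server performance tends to degrade. To address this, an improved protocol based on batch key redistribution is proposed. The protocol splits the key into two key-sequence branches and sends one branch to the client, which performs part of the decryption, reducing the server's computational overhead and thereby overcoming the server performance degradation. Analysis and experimental results show that the protocol ensures the security of information transmission well and effectively increases the speed of information processing.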

19.
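SSL can provide authentication, privacy and integrity services for electronic transactions, but it cannot guarantee their non-repudiation and cannot provide stable verifiability after the fact. Targeting the HTTP protocol, this paper designs the SHL protocol on top of SSL, which effectively guarantees the non-repudiation of electronic transactions. The SHL protocol runs on the transaction server and the client, and signs, verifies and records transaction requests and responses. SHL consists of two parts, SPC and SPS, which communicate securely with each other over SSL. SPC signs client requests and verifies server signatures; SPS verifies client signatures and signs server requests. SHL provides stable verifiability for transactions and guarantees their non-repudiation.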

20.
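Research on SSL VPN based on virtual services   Total citations: 8, self-citations: 0, citations by others: 8
Based on a study and analysis of the standard SSL VPN (Secure Socket Layer Virtual Private Network), an SSL VPN architecture based on virtual services is proposed. The architecture contains two key technologies: virtual services and an access control model based on VPN flows. On the one hand, virtual services are generated dynamically on the client to let traditional application software access the service group inside the VPN securely and transparently; on the other hand, in view of the characteristics of VPN flows, access control is tightly coupled with the VPN tunnel and forwarding mechanism, achieving fine-grained access control and application-layer intrusion detection. Finally, an implementation prototype and related performance tests are presented.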
