Overview of UMass Activities

Upload: amandla

Post on 09-Jan-2016

  • Overview of UMass Activities

    D. Towsley, W. Gong

    UMASS, MURI Workshop, Sep 9, 2009

  • Ongoing UMass MURI Research

    W. Gong, D. Towsley

    Poisson counter driven stochastic differential equation (PCSDE) models of
    correlation attack (D. Towsley)
    heavy tails (B. Jiang)
    queues fed by heavy-tailed traffic
    multipath
    effects of heavy tails on performance (W. Wei)
    graph sampling
    how does graph structure affect sampling (D. Towsley)

  • On the Mitigation of Traffic Correlation Attacks on Router Queues

    Yan Cai, Patrick P. C. Lee, Weibo Gong, Don Towsley
    UMASS
    MURI Workshop, Sep 9, 2009

  • Correlation Attack

    definition
      adversary introduces traffic burstiness at routers
      introduce correlation among multiple attack flows
      degrades performance of normal flows
        small buffers: more packet drops
        large buffers: higher end-to-end transfer delay
    why daunting?
      low-rate: not to congest links
      evade volume-based detection
      can be launched using botnets

  • Contributions

    analytical framework to study correlation attack, using PCSDE fluid models:
      impact of inter-flow correlation on average queue lengths
      impact of increased queue length on normal flows
    defense strategy
      two-stage pacing: ON-OFF pacing, rate-limiting

  • Correlation-Attack Model

    Parameters
      xi(t) = ON-OFF process of flow i, xi(t) {0,1}
      hi = capacity of access link i
      c = capacity of outgoing link
      v(t) = queue length of target router at time t

    Single-Queue Model

  • Correlation-Attack Model

    SDE for v(t)

    if xi(t) is Markov ON-OFF process
      Ni1 = ON Poisson counter with rate i1
      Ni2 = OFF Poisson counter with rate i2

    Single-Queue Model

  • Correlation-Attack Model

    Theorem: If hi > c > hiE[xi],

    inter-flow correlation

    Single-Queue Model

  • Evaluation of Correlation Attack

    solution via numerical simulation from SDEs
    three cases:
      Independent: xi's have independent ON/OFF transitions
      Weakly correlated: xi's have same ON transitions
      Identical: xi's have same ON/OFF transitions
    results:
      inter-flow correlation increases buffer's average queue length
      PCSDE models conform to ns2 simulation

  • Defense using Pacing

    put pacers on upstream routers to de-correlate flows, reduce burstiness at target router

  • Two-Stage Pacing

    rate-limiting:
      limit peak rate using leaky bucket
      (figure labels: hi, ci, ci < hi, vir)
    Markov ON-OFF:
      chop long bursts into small bursts
      output bursts at random times
      Ni3 = ON Poisson counter
      Ni4 = OFF Poisson counter
      (figure labels: hi, vim, zi {0,1})

  • Two-Stage Pacing

    SDEs:

    two-stage pacing: combine above components
    (figure labels: Markov ON-OFF, Rate-limiting, hi, hi, vim, vir, ci)

  • Preliminary Results

    Parameters: n = 60, hi = 0.4 Mbps, E[ON] = 1 s, E[OFF] = 4 s, ci = 0.2 Mbps, c = 10 Mbps

    Two-stage pacing better than each pacing component alone

  • Preliminary Results

    Pacing removes delay spikes of normal flows
    Pacing in presence of correlation attack
    (figure panels: RTTs of TCP packets (without pacing); RTTs of TCP packets (with 2-stage pacing))

  • Open issues

    adaptive pacing?
    ON-OFF pacing adds delay to normal traffic
    pace only a subset of traffic classes?
    implementation?
    impact of two-stage pacing on heavy-tailed bursts?

  • An SDE Model for Power Law

    Bo Jiang, Weibo Gong, Don Towsley
    UMASS
    MURI Workshop, Sep 9, 2009

  • From Lognormal to Power Law

    , geometric Brownian motion

    , standard Wiener process (Brownian motion)
    lognormally distributed

    independent of has double Pareto distribution [Reed 2001]

  • SDE Model for Double Pareto

    Consider following SDE

    W, standard Wiener process
    N, Poisson process with rate

  • Fokker-Planck Equation

    Apply Itô's rule to

    Take expectation

    Since is arbitrary, density of evolves according to following Fokker-Planck equation

  • Steady-state Distribution

    In steady state,

    where are roots of quadratic equation

    If , degenerates to

  • Speed of Convergence

    Let characteristic function of
    Apply Itô's rule to and take expectation,

    Solution is

    where converges exponentially.
    exponential convergence

  • Future Work

    Application as traffic model for fluid queueing system
      Allows for power-law traffic rate
      May degrade queueing performance
      May have longer burst of output traffic

    Pacing as potential mitigation mechanism
      Cost vs. benefit
      Expect overall performance improvement
      Need detailed analysis and simulations

  • Can Multipath Mitigate Power Law Delays?

    Wei Wei, Bo Jiang, Patrick Lee, Weibo Gong, Don Towsley
    University of Massachusetts, Amherst

  • Outline

    Motivation
    Redundant Routing
    Split Routing
    Conclusions
    Future Work

  • Motivation - Outages Lead to Power Law Retransmissions

    Packet Length L:
    On-off Channel: A, U

    N: # of transmissions needed to deliver a packet

    If then

    Jelenkovic & Tan, Infocom 2007

    Light tail distributions
    Can lead to power law N

  • Can Multipath Mitigate Power Law Delays?

    Given K i.i.d. channels
    Redundant Routing
      Duplicate packet and send over K channels
    Split Routing
      Split packet into K equal length pieces and send over K channels
    Question
      What is effect on number of transmissions?

  • Redundant Routing

    Given a packet, packet transmission succeeds if one channel succeeds
    Given a packet, N = min{N1, N2, ..., NK}

    If then

    Redundant routing does not mitigate power law retransmissions

  • Split Routing

    Tradeoffs
      Smaller packet in each channel (L/K)
      For each packet, transmission succeeds iff all channels succeed
    Given a packet, N = max{N1, N2, ..., NK}
    Looks ugly, Taylor expansion?
    General result? Or depends on F and G?

  • Split Routing - No General Results

    If
      F, G both Pareto
      F, G both Exponential
      F, G both Weibull

    Let , we have

    Different H(y)
    Different P(N>n)

  • Split Routing - Pareto and Exponential

    Pareto

    Exponential
    Rate Unchanged!
    Same as Redundant
    Better than Redundant

  • Split Routing - Weibull

    b > 1, tail lighter than exponential
      Rate better than exponential
    0 < b < 1, tail heavier than exponential
      Rate worse than exponential

  • Split Routing - Exponential Tail

    If

    then

    for split routing over K i.i.d. channels.

  • Conclusions

    Power law retransmissions
    Redundant routing
      Does not mitigate power law retransmissions
    Split Routing
      Depends on distribution
      Sometimes better than redundant routing
      Sometimes same as redundant routing

  • Future Work

    Complete analysis for split routing
    More general distributions
    Analysis on packet delivery delay
    Different combinations of distributions
    Independent but not identical channels

  • Thank you!

  • Network Characterization via Sampling

    B. Ribeiro, D. Towsley
    UMass-Amherst

  • Problem

    Given large, possibly dynamic, network, how does one efficiently sample/crawl to accurately characterize it?
      degree distribution
      assortativity
      clustering coefficient

  • Motivation

    understanding technological networks
      Internet, wireless networks

    social networks
      on-line social networks such as FaceBook, MySpace, Orkut, YouTube,

    where network dataset not available
      size, lack of global view, dynamics

  • Sampling methods

    random node sampling
      unbiased
      not always possible
      limited entry points
      high overhead
      on-line social networks sparsely populated
    breadth first, depth first crawling
    snowball sampling
      commonly used method
    random walk

  • Random sampling, snowball sampling

    Snowball sampling highly biased
    strong degree correlation
    Orkut data set (Mislove 2007), 3M nodes, 200M edges
    (figure labels: True distribution; Random node sampling; 5000 samples)

  • Random walk sampling

    random walk (RW)
    produces biased estimate iRW
    v vertex in undirected graph G
    no. neighbors n(v)

    P(v selected in RW) n(v)

    iRW i i

    i = iRW avg. degree/i

    avg degree estimated during RW

    (figure labels: CCDF; RW sampling)

  • Sampling error

    independent degrees
    degree distribution i, n samples
    random sampling

    random walk
    head: GOOD, tail: BAD
    Power-law tails easier to sample
    head: BAD, tail: GOOD

  • Node sampling vs. RW: Orkut

    node sampling better for low degree nodes

    RW better for high degree nodes

    (plot: log(CCDF) vs. log(degree); curves: random walk, node sampling)

  • Future work

    hybrid sampling (node sampling, RW sampling)
      budget of m samples
      use m to sample nodes
      use RW to sample m-m

    example
      10000 node power law network
      100 samples
      edge sampling not feasible

  • Future work

    adaptive sampling
      combine node sampling, RW sampling
      dynamically tradeoff accuracy
    other statistics
    how do graphs affect sampling efficiency
      power law vs exponential tail
      spatial correlation, independence vs. SRD vs. LRD
    application to different networks
      wireless, social, wireless/social

    We analyze the impact of traffic burstiness on router queues from a security perspective, in which a router queue is a target point of attack. We consider a DoS attack called the correlation attack that intentionally introduces traffic burstiness at the target router.

    The correlation attack is inherently low-rate, meaning that the average rate of the attack bursts is small enough to not congest a network link. The main idea of the correlation attack is to exploit the correlation among multiple attack flows scattered across different locations and have them generate small attack bursts in a highly correlated manner. As a result of the inter-flow correlation, the aggregation of these small bursts will increase router queue lengths and hence the end-to-end transfer delays of normal flows. This is particularly annoying for real-time applications, such as interactive sessions or video streaming, where timely packet delivery is crucial for the quality of service.

    The practicality of the correlation attack is further justified with the emergence of botnets. The botmaster can send a command to the bots and schedule them to send attack bursts to a target router in a correlated manner.

    One low-rate attack is called the low-rate TCP attack. Its main idea is to send bursts periodically at regular intervals. This will synchronize the TCP flows to enter the same retransmission timeout state. The correlation attack considered here does not require periodicity of attack bursts, provided that the bursts from multiple attack flows are correlated.

    The main objective of this paper is to provide an analytical framework to study the impact of the correlation attack on router queues, from both attack and defense perspectives.

    In the attack part, we analyze how the correlation attack increases the average router queue length by exploiting the inter-flow correlation.

    In the defense part, we propose to mitigate the correlation attack using pacing, a technique that absorbs traffic bursts and outputs traffic in a controlled manner. In particular, we propose a novel pacing scheme called two-stage pacing, which combines Markov ON-OFF pacing and rate limiting. Markov ON-OFF pacing leverages randomness to break down the inter-flow correlation by emitting traffic bursts at different times using an alternating Markov ON-OFF switch, while rate limiting further suppresses the peak rates of traffic bursts. Two-stage pacing seeks to minimize traffic burstiness and hence reduce the average router queue length.

    We start with a simple single-queue model. We assume there are n attack flows, while each of these attack flows is described by an ON-OFF process x_i. We assume that each flow i is connected to a router with link capacity hi. The outgoing capacity of the router buffer is c. We let v(t) be the instantaneous queue length at the router at time t.

    We assume that the queue capacity is infinite. Although many studies advocate small router queues, today's commercial routers still provision very large queue capacities to maximize the network throughput, and this motivates us to assume an infinitely large queue. Note that we can easily incorporate the finite queue condition.

    We assume zero link latency here. We can also easily incorporate non-zero link latency.

    We can now model v(t) with the following stochastic differential equation. Iv is an indicator function that equals 1 if some value v > 0, or 0 otherwise. Note that the SDE for v(t) holds for arbitrary ON-OFF distributions of xi(t).

    If x_i(t) is a Markov ON-OFF process, then it can be modeled using PCSDE, where N_i1 and N_i2 are the ON and OFF Poisson counters for flow i respectively.

    Suppose that: (i) hi > c for all i, meaning that every ON burst of a single flow always creates queued packets, and (ii) sum_{i=1}^n E[xi(t)] < c, meaning that the queue of the target router is stable. Then we can derive Theorem 1. Note that the average queue length E[v] is an increasing function of the sum of the pairwise inter-flow correlations, i.e., increasing the correlation of any two flows i and j (i.e., E[xixj]) will increase E[v] while keeping E[xi] constant.

    E[xi(t)xj(t)] is defined as the correlation function, which is also equal to the probability that both xi(t) = 1 and xj(t) = 1. We say that flows i and j have a higher inter-flow correlation if E[xi(t)xj(t)] is larger. In particular, flows i and j are said to be independent (or uncorrelated) if E[xi(t)xj(t)] = E[xi(t)]E[xj(t)].

    We conducted numerical simulation using our fluid modeling and packet-level simulation using the ns2 simulator.

    We consider three attack cases that account for different levels of the inter-flow correlation: (i) independent, in which all attack flows are driven by independent ON and OFF Poisson counters, (ii) weakly correlated, in which all attack flows are driven by a single ON Poisson counter but independent OFF Poisson counters, and (iii) identical, in which all attack flows are driven by the same ON and OFF Poisson counters.
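The three cases can be compared numerically. The following is an added example, not code from the presentation: an event-driven simulation of the single-queue fluid model, assuming the queue fills at rate (sum of hi·xi) − c and is held at zero when empty. The function name is hypothetical, and the default parameters reuse the values listed on the Preliminary Results slide, which is an assumption about the evaluation setup.

```python
import random

def mean_queue(case, n=60, h=0.4, c=10.0, mean_on=1.0, mean_off=4.0,
               horizon=2000.0, seed=1):
    """Time-averaged length (Mb) of a fluid queue fed by n Markov ON-OFF flows.

    case: 'independent' (own ON and OFF counters per flow),
          'weak'        (one shared ON counter, independent OFF counters),
          'identical'   (one shared ON counter and one shared OFF counter).
    """
    rng = random.Random(seed)
    lam, mu = 1.0 / mean_off, 1.0 / mean_on   # ON-counter and OFF-counter rates
    k = 0                  # number of flows currently ON
    v = area = t = 0.0     # queue length, integral of v dt, clock
    while t < horizon:
        # Total rate at which ON-type and OFF-type counters fire in this state.
        r_on = (n - k) * lam if case == "independent" else lam
        r_off = mu if case == "identical" else k * mu
        tau = min(rng.expovariate(r_on + r_off), horizon - t)
        # Between events the fill rate is constant: dv/dt = h*k - c, reflected at 0.
        r = h * k - c
        if r < 0 and v + r * tau < 0:          # queue empties inside the interval
            area += v * v / (2 * -r)           # triangle under the draining queue
            v = 0.0
        else:
            area += v * tau + r * tau * tau / 2
            v += r * tau
        t += tau
        if rng.random() * (r_on + r_off) < r_on:    # an ON counter fired
            k = k + 1 if case == "independent" else n
        else:                                       # an OFF counter fired
            k = 0 if case == "identical" else k - 1
    return area / horizon

if __name__ == "__main__":
    for case in ("independent", "weak", "identical"):
        print(f"{case:12s} mean queue = {mean_queue(case):7.3f} Mb")
```

Every flow has the same marginal ON probability in all three cases, so the average offered load is unchanged; only the inter-flow correlation differs between runs.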

    Figure 3 shows the average router queue length versus the number of attack flows for a particular set of parameters. We observe that the results from both the fluid model and ns2 simulation conform to each other. Also, both the weakly correlated and identical cases significantly increase the average queue length over the independent case by introducing the inter-flow correlation. In particular, the identical case, which introduces the highest inter-flow correlation.

    A fundamental characteristic of the correlation attack is to generate attack bursts from multiple attack sources in a correlated manner, such that the aggregation of the attack bursts forms a high-peak-rate burst at the target router. Thus, in order to mitigate the correlation attack, our goal is to pace high-rate bursts into smaller-rate bursts so that the target router has enough time to absorb and forward traffic bursts without queueing too many packets.

    It is important to pace incoming bursts before they arrive at the target routers and are aggregated to form high-rate bursts. Thus, we suggest to deploy pacing at upstream routers that connect to the downstream routers to be protected.

    We propose a two-stage pacing scheme that includes Markov ON-OFF pacing and rate limiting.

    Markov ON-OFF pacing aims to introduce randomness when forwarding traffic, and it forwards correlated bursts at different time periods so as to break down the inter-flow correlation. To achieve this, each Markov ON-OFF pacer independently alternates between the ON and OFF states, whose durations are exponentially distributed. It forwards packets if it is in the ON state, or holds packets in a queue if it is in the OFF state.

    Rate limiting further suppresses the peak rates of traffic bursts, using the leaky-bucket algorithm.

    In our two-stage pacing scheme, data traffic is first paced by a Markov ON-OFF pacer, and is then forwarded to a conventional rate-limiting pacer, which bounds the peak rate of the data traffic to be forwarded to the target router.

    We can derive the SDEs for the two-stage pacing scheme.
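The two stages can also be exercised numerically. The following is an added example, not code from the presentation: a time-stepped fluid simulation of per-flow two-stage pacers placed in front of a target queue that is fed by "identical" ON-OFF flows. The function name, the pacer switching rate `switch`, and the choice that an ON pacer drains its backlog at rate hi are assumptions; the other defaults are the Preliminary Results parameters.

```python
import random

def target_queue(on_off=False, rate_limit=False, n=60, h=0.4, c=10.0, ci=0.2,
                 mean_on=1.0, mean_off=4.0, switch=2.0,
                 horizon=400.0, dt=0.02, seed=7):
    """Mean target-router queue (Mb) under 'identical' flows, per pacing setup.

    switch (pacer ON<->OFF rate in 1/s) is an assumed value.
    """
    src = random.Random(seed)        # drives the shared attack ON-OFF process
    pac = random.Random(seed + 1)    # drives the independent pacer switches
    x = 0                            # all n flows share one ON-OFF state
    z = [1] * n                      # Markov ON-OFF pacer state per flow
    qm = [0.0] * n                   # stage-1 backlog (vim on the slides), Mb
    qr = [0.0] * n                   # stage-2 backlog (vir on the slides), Mb
    v = area = 0.0
    for _ in range(int(horizon / dt)):
        if src.random() < dt / (mean_on if x else mean_off):
            x ^= 1                               # shared ON/OFF transition
        arrived = 0.0
        for i in range(n):
            vol = h * x * dt                     # Mb offered by flow i this step
            if on_off:
                if pac.random() < switch * dt:   # exponential holding times
                    z[i] ^= 1
                qm[i] += vol
                vol = min(qm[i], h * dt) if z[i] else 0.0   # forward only when ON
                qm[i] -= vol
            if rate_limit:
                qr[i] += vol
                vol = min(qr[i], ci * dt)        # leaky bucket: peak rate <= ci
                qr[i] -= vol
            arrived += vol
        v = max(0.0, v + arrived - c * dt)       # target router queue
        area += v * dt
    return area / horizon

if __name__ == "__main__":
    setups = [("no pacing", {}),
              ("rate limiting only", {"rate_limit": True}),
              ("ON-OFF only", {"on_off": True}),
              ("two-stage", {"on_off": True, "rate_limit": True})]
    for name, kw in setups:
        print(f"{name:20s} {target_queue(**kw):6.2f} Mb")
```

The attack process uses its own random stream, so every pacing setup is evaluated against the same sequence of bursts.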

    Result highlights. Two-stage pacing performs better than each pacing component alone.

    x-axis = switching rate of Markov ON-OFF pacer. y-axis = average queue length.

    Most importantly, the two-stage pacer can remove the delay spikes.

    Although Markov ON-OFF pacing is motivated as a way to reduce inter-flow correlation, it can also reduce traffic burstiness due to high autocorrelation (intra-flow correlation), which is typically seen in practice. Intuitively, with a high enough switching rate, Markov ON-OFF pacing chops a long (heavy-tailed) traffic burst into small (light-tailed) bursts and forwards the bursts at different time periods. Thus, two-stage pacing still sees its potential in practical scenarios. We plan to investigate this in future work.

    Open issues.

    Add graph to show success and failure

    Define N and explain.