ABSTRACT. Due to the explosive growth of data demand from mobile devices, cellular operators have been seeking for non- 3GPP wireless technologies, e.g., WiFi, to supplement their LTE networks. Such an integration opens the door for exploiting the network usage diversity for further overall network performance improvement, by intelligently and dynamically scheduling flows over the most appropriate network. However, how such a function can be efficiently and systematically realize, is missing from the current standard specifications, especially on the network infrastructure side. In this paper, we aim to solve such a challenge by proposing a Software-Defined Networking (SDN) based flow scheduling system that is compatible to the 3GPP LTE-WiFi integration framework. The global view provided by SDN makes it easy to collect necessary flow information, and the flexible control of SDN enables efficient flow scheduling. We view the flow scheduling problem as an overall network utility maximization problem. We prove its hardness and propose an approximation algorithm for solving the problem. The proposed system can be incrementally deployed over existing wireless network infrastructure. With extensive simulations in NS3 and demo implementation, we prove the feasibility and effectiveness of both the framework and the scheduling algorithm.

ABSTRACT. The high-throughput, low-latency, and reliable data delivery are fundamental demands of many networked applications, e.g. BitTorrent and Skype. But the inappropriate congestion control of TCPs, caused by the reactive and coarse-grained congestion feedbacks, brings the low link utilization, high queuing delay and frequent packet loss in high bandwidth-delay product network. To mitigate this issue, TCP variants have been developed. Thereinto, the load factor based congestion control (LFCC), e.g. VCP, BMCC, have shown the powerful capabilities to achieve better performances in terms of high link utilization, low persistent queue length, negligible packet loss, and fairness. However, due to the conservative increase and synchronized feedbacks, LFCC faces the slow convergence of the link utilization and inter-flow fairness. This could incur the large flow completion time of new-coming flows indirectly. To solve the issue of existing LFCCs, an asynchronous congestion control based on hybrid feedbacks, called HFCC, is proposed to achieve the faster convergence while keeping the features of LFCCs in this paper. Specifically, HFCC decreases the congestion window when the bottleneck link is in the high-load region and the flow rate exceeds the fair share of the bottleneck bandwidth, or the bottleneck link is in overload region. Otherwise, HFCC increases the congestion window. Note that an overlay coding method is developed in HFCC. To reduce the flow completion time, HFCC adopts an available bandwidth estimation method to speed up the data delivery in low-load region. The simulation results indicate that HFCC has the better performance and faster convergence than VCP, MLCP, and BMCC.

ABSTRACT. Unmanned Aerial Vehicles (UAVs), also known as drones, have become a new paradigm to provide emergency wireless communication infrastructure when conventional base stations are damaged or unavailable. Unlike traditional fixed ground base stations, drones can be rapidly deployed and dispersed among users to intercede as base stations in various scenarios. Nonetheless, determining the optimal deployment of drones to provide optimal network service for users is a challenging issue. In this paper, we propose novel schemes to enable the 3D deployment of drones, which can provide network coverage and connectivity services for users located in uneven terrain. We formalize two models, including optimal coverage model and optimal connectivity model, which belong to NP-hard. To be specific, we first consider both the QoS requirements of users and the capacity of drones. We then formalize the problem and design a heuristic scheme, called Particle Swarm Optimization (PSO) algorithm to achieve a cost-effective solution, which can satisfy both the quality of service (QoS) requirements of users and the capacity of drones effectively. In addition, we address the optimal connectivity problem in a scenario, in which a number of isolated local networks have been established by users through ad hoc communication and/or device-to-device (D2D) communication. In this scenario, drones are deployed to provide relays to interconnect the different local networks, which are isolated from one another. We further develop the cost-effective heuristic algorithm to effectively minimize the total number of required drones. Via extensive performance evaluation, our experimental results demonstrate that the proposed schemes can achieve the effective deployment of drones for users in uneven terrain with respect to the QoS of users and the number of required drones.

ABSTRACT. In cognitive radio networks (CRNs), secondary users need to first discover neighbours and form communication links, referred to as the rendezvous process. Rendezvous between any two secondary users can only be achieved on the same channel. However, the nature of the CRN makes this a challenging problem. Specifically in CRN, not only the network is multi-channel, but the channels available at different nodes may be different. While most of the existing works study pair-wise rendezvous and design channel hopping sequence, in this paper, we focus on the performance improvement of the rendezvous process based on the existing channel hopping sequences with multiple users in CRN. We propose a new strategy, called Group Based Strategy (GBS) to achieve the acceleration, which is flexible to incorporate the existing sequence generation algorithms. Our basic idea is to group the encountered users and schedule rendezvous for them. With the purpose to increase rendezvous diversity, other users or groups can join the group if they get the group rendezvous information. Experiments are conducted to evaluate the proposed scheme. Overall, the performance can be improved by more than 50% under symmetric model or asymmetric model using our accelerating strategy.

ABSTRACT. Among the significant advances in mobile network technology, as evident in the latest 3GPP releases, one of the most notable is the possibility to do aggregation between a licensed carrier and an unlicensed one. With LTE transmitting over unlicensed bands, obvious concerns of a fair co-existence with other pre-existing technologies has risen up. In this study, we aim to evaluate the impact of LTE transmission on the key mechanism of Clear Channel Assessment (CCA), which is common to several unlicensed systems, amongst which Wi-Fi is the most notable. Relying on the statistical tool of stochastic geometry and a semi-analytical approach, we will obtain the probabilities of Wi-Fi preamble false alarm and detection under a wide set of realistic propagation effects, such as path-loss and Rayleigh distributed fading. Above all, we will model the effect of a single LTE downlink interfering transmission, as well as the aggregate interference effect. Hence, we shall be able to evaluate the modified energy detection threshold that has been long debated among 3GPP and the IEEE 802.11 Working Group.

ABSTRACT. As computing capability keeps growing, power consumption is becoming critical to HPC facilities. Enforcing power limits is emerging as a practical trend for power-constrained HPC facilities. However, it remains unclear how to choose the appropriate power limits for various HPC workflows and how to distribute the power limit of a workflow between simulation and analysis. In addition, given a power limit, it is unclear what the optimal scales and power capping levels are for various workflows, especially when taking reliability into account. In order to resolve these issues in power-constrained HPC, in this paper, we propose a reliability-aware model to determine the aforementioned platform configurations for HPC workflows. We also validate our model and present model-driven studies for a wide range of real-system scenarios. Our study reveals interesting insights about how platform configuration affects the performance and energy efficiency of HPC workflows under power constraints.

ABSTRACT. Network Function Virtualization (NFV) allows operators to deploy network functions in virtual machines (VMs) and benefit from on-demand deployment. VMs are placed on one of the hosts in the cloud, and existing resource management algorithms assume full knowledge of the system’s state. For large clusters, attaining the system’s state creates bottlenecks and therefore, placement decisions dominate the time required to deploy network functionalities. Intuitively, placement can be accelerated if the resource management algorithm operates on a cached system state which is not entirely up to date, but in that case, the quality may suffer. Our work introduces a new cache refresh method that achieves an up to 5:3x reduction in placement time with only a slight degradation of quality compared to having the complete and up to date system’s state.

ABSTRACT. Spark tuning with its dozens of parameters for performance improvement is both a challenge and time consuming effort. Current techniques rely on trial-and-error or best guess utilizing expert knowledge that very few posses. Previous tuning works are not compatible with Spark and also ignore the underlying problem of resource bottlenecks that is both the cause of performance issues, and a potential ally, if its awareness is leveraged in directing tuning to be more effective.

We propose and develop PETS, a new method that allows the tuning of associated parameters at the same time, using resource bottleneck awareness to adjust parameter ensemble values in few iterations. Performance evaluation based on testbed implementation shows that with the use of PETS, representative workloads achieve: (1) Significant speedups; (2) Fast convergence speed; (3) Performance gains that are stable with varying workload data sizes, homogenous and heterogenous clusters, and initial parameter settings. The results show that PETS outperforms a machine learning based method, and achieves speedups of up to x4.78 and convergence speed as low as 2 iterations.

ABSTRACT. To counter face presentation attack in face recognition system, the chromatic facial texture differences between the real faces and the facial artefacts are fully analyzed, and chromatic co-occurrence of local binary pattern (CCoLBP) is proposed to investigate the inter-channel based information. Based on the principle of presentation attack and its influence on color component of the face image, a face presentation attack detection (PAD) scheme based on CCoLBP is proposed. By combining intra-channel based facial texture and CCoLBP feature, the differences of color distortion and texture distribution between the real faces and the artefacts are characterized. With these features, the detection is accomplished by using a Softmax classifier. Experiments are done with 5 public databases, and the experimental results and analysis indicate the effectiveness of CCoLBP, and it can achieve good performance in cross-database testing. It has great potential in the application of face PAD with real-time requirement.

ABSTRACT. Today's modern computing landscape consists of a huge amount of heterogeneous devices, including powerful, stable desktop computers as well as lightweight, unreliable mobile edge devices. This heterogeneity in terms of computation power and reliability increases the complexity for fault tolerance in distributed computing systems. When tasks are offloaded, slow resources providers easily become the bottleneck of a parallel computation. Further, unstable edge devices can leave the system spontaneously, discontinue remote tasks executions, and therefore lose the computation progress. These two effects increase the response time for remote task executions. In this paper, we introduce two mechanisms to avoid delayed or lost execution of tasks caused by edge devices. The paper has five contributions. First, we define a failure model and identify the parameters that determine the magnitude of delays caused by faults and performance bottlenecks. Second, we present reactive and proactive task migration to handle system leaves. Third, we show how computational bottlenecks can be avoided by two-dimensional context-aware task partitioning. Fourth, we integrate these two solutions into an existing heterogeneous distributed computing system. Fifth, we run an evaluation on a real-world testbed to show the benefits of the solutions in practice. The evaluation shows, that we can improve systems with device fluctuation and heterogeneity by up to 39% and 53% respectively.

ABSTRACT. Checkpoint-based fault tolerant method has been widely used to enhance the reliability of Distributed Stream Processing Engines (DSPEs), but a checkpointing process usually introduces considerable overhead. It is a critical issue to choose the Optimal Checkpoint Interval (OCI) that maximizes the processing efficiency. Traditional OCI models consider the recovery time only related to the execution time from the last checkpoint to the moment of the failure. They are not suitable for stream processing jobs because the recovery time is related to the reprocessing workload, which depends on the realtime input data before a failure. A new model is needed to choose the OCI for stream processing applications. Moreover, the input data rate of an stream processing job fluctuates over time. The OCI of an application should also be adjusted dynamically according to the input workload. To solve these problems, we present a novel DSPS Optimal Checkpoint Interval (DOCI) model in this paper. We prove that it maximizes the processing efficiency for a given time period. We propose an approach to dynamically adjust the OCI for an application to accommodate the realtime workload fluctuations. We conduct simulation experiments to verify the effectiveness of DOCI model and the efficiency of the online OCI adjustment algorithm. Experimental results with a real-world dataset show DOCI achieves an improvement on system efficiency by up to 40%, comparing with existing fault-tolerant approaches.

ABSTRACT. With the pervasive availability of LCD displays and phone cameras, screen-camera communication has attracted grate attentions due to the characteristics of convenience, security, infrastructure-free, and contactless. The existing screen-camera communication systems using dynamic barcodes suffer from poor ability of color recognition. In this paper, we propose a machine learning based multi-color dynamic barcode system called MMCode to overcome such limit. We formulate the color recognition problem as a machine learning task, and proposed a semi-supervised clustering algorithm to achieve finer-grained color recognition. The proposed mechanism inserts reference colors in the barcode design, and adopts a semi-supervised Gaussian Mixed Model (GMM) algorithm for frame decoding. We implement MMCode as an Android APP and test its performance under real screen-camera communication scenarios. Extensive experiments show that the proposed MMCode achieves significant enhancement on the capacity of dynamic barcodes compared to the state-of-the-arts.

ABSTRACT. In recent years, many companies have developed various distributed computation frameworks for processing machine learning (ML) jobs in clusters. Networking is a well-known bottleneck for ML systems and the cluster demands efficient scheduling for huge traffic (up to 1GB per flow) generated by ML jobs. Coflow has been proven an effective abstraction to schedule flows of such data-parallel applications. However, the implementation of coflow scheduling policy is constrained when coflow characteristics are unknown a prior, and when TCP congestion control misinterprets the congestion signal leading to low throughput. Fortunately, traffic patterns experienced by some ML jobs support to speculate the complete coflow characteristic with limited information. Hence this paper summarizes coflow from these ML jobs as self-similar coflow and proposes a decentralized self-similar coflow scheduler Cicada. Cicada assigns each coflow a probe flow to speculate its characteristics during the transportation and employs the Shortest Job First (SJF) to separate coflow into strict priority queues based on the speculation result. To achieve full bandwidth for throughput-sensitive ML jobs, and to guarantee the scheduling policy implementation, Cicada promotes the elastic transport-layer rate control that outperforms prior works. Large-scale simulations show that Cicada completes coflow 2.08 faster than the state-of-the-art schemes in the information-agnostic scenario.

ABSTRACT. This paper describes the design of a new software zero-copy network framework for NVM-assisted key-value stores, which directly stores and persists transactions from network into raw non-volatile memory used as write-ahead cache for data consistency. NVM is fast and bit-addressable which makes it the perfect choice for transient transaction log persistency than hard disks or even Flash drives, but its limited write cycle requires wear-leveling during direct access. However, popular RDMA-based zero-copy transmission normally needs to have the remote memory address beforehand and cannot cope with the address changing caused by wear-leveling easily. The software zero-copy solution proposed in this paper is designed with the awareness of NVM wear-leveling and log metadata management. Simulation results show that the new network framework improves performance by over 200× in throughput and decreases latency by more than 20× comparing to the traditional socket and hard disk based solution. When both equipped with NVM, the zero-copy network stack improves performance by 18 to 62% in throughput and 40 to 81% in latency comparing to the standard socket and with the lowest CPU consumption.

ABSTRACT. Datacenter applications demand both low latency and high throughput; while interactive applications (e.g., Web Search) demand low tail latency for their short messages due to their partition-aggregate software architecture, many data- intensive applications (e.g., Map-Reduce) require high through- put for long flows as they move vast amounts of data across the network. Recent proposals improve latency of short flows and throughput of long flows by addressing the shortcomings of existing packet scheduling and congestion control algorithms, respectively. We make the key observation that long tails in the Flow Completion Times (FCT) of short flows result from packets that suffer congestion at more than one switch along their paths in the network. Our proposal, Slytherin, specifically targets packets that suffered from congestion at multiple points and prioritizes them in the network. Slytherin leverages ECN mechanism which is widely used in existing datacenters to identify such tail packets and dynamically prioritizes them using existing priority queues. As compared to existing state-of-the- art packet scheduling proposals, Slytherin achieves 18.6% lower 99th percentile flow completion times for short flows without any loss of throughput. Further, Slytherin drastically reduces 99th percentile queue length in switches by a factor of about 2x on average.

ABSTRACT. Vehicular ad-hoc network (VANET) plays an extremely important role in future intelligent transportation. Many experts and scholars proposed many schemes to improve communication efficiency under the premise of conditional privacy-preserving. In this paper, we proposed an efficient conditional privacy-preserving authentication scheme using revocation messages to enhance the performance of VANET communication. Lightweight hash operations are used in the anonymous identity generation and message signing phase. We also reduce message length to minimize both the computation and communication overheads in VANET. In the vehicle revocation phase, we use revocation messages broadcasted by Road Side Units (RSU), which can prevent malicious vehicles from generating anonymous identity and signing messages quickly. Security and performance analysis demonstrate that our proposed scheme is more secure and efficient than current schemes, and is more suitable for the deployment of VANET. The abstract goes here.

ABSTRACT. Outsourcing sensitive data and operations to untrusted cloud providers is considered a challenging issue. To perform a search operation, even if both the data and the query are encrypted, attackers still can learn which data locations match the query and what results are returned to the user. This kind of leakage is referred to as data access pattern. Indeed, using access pattern leakage, attackers can easily infer the content of the data and the query. Oblivious RAM (ORAM), Fully Homomorphic Encryption (FHE), and secure Multi-Party Computation (MPC) offer a higher level of security but incur high computation and communication overheads.

One promising practical approach to process the outsourced data efficiently and securely is leveraging trusted hardware like Intel SGX. Recently, several SGX-based solutions have been proposed in the literature. However, those solutions suffer from side channel attacks, high overheads of context switching, or limited SGX memory. In this paper, we present an SGX-assisted scheme for performing search over encrypted data. Our solution protects access pattern against side channel attacks while ensuring search efficiency. It can process large databases without requiring any long-term storage on SGX. We have implemented a prototype of the scheme and evaluated its performance using a dataset of 1 million records. The equality query and range query can be completed in 11 and 40 milliseconds, respectively. Comparing with ORAM-based solutions, such as ObliDB, our scheme is more than 10x faster.

ABSTRACT. Software Defined Network (SDN) and Network Function Virtualization (NFV) are essential technologies that support next generation 5G networks. Security provisioning in 5G network is major issue due to involvement of numerous users. To provide security against major attacks in SDN and NFV enabled 5G network, in this paper an enhanced attack aware security provisioning scheme is proposed. In this work, security is provided by following process: (i) Initial Authentication process, (ii) Classification of packets, and (iii) Switch migration process. Initial authentication is performed at Access Point (AP) for each user by Secure ID based Authentication (SIA) scheme. The suspected packets are detected in controller and classified at Virtual Network Function (VNF). For packet classification, the optimal packet features are selected using Genetic Algorithm with Correlation (GAC) based feature selection algorithm. We have proposed a Radial Basis Function with Extreme Learning Machine (RBF-ELM) classifier. Then, the malicious packets are dropped at VNF and normal packets are redirected to destination address through controller. To mitigate flow table overloading attack, we have presented an Enhanced Artificial Bee Colony (EABC) algorithm in controller. Experimental result shows that our proposed security provisioning scheme shows better performance in terms of delay, amount of redirected packets, detection accuracy, packet transmission rate and packet loss ratio.

ABSTRACT. With the development of virtualization technology and fast expansion of network-scale, SDN has been employed in various cases from campus networks to cloud data center networks. However, SDN networks are also facing some new security issues, relative to the traditional networks. In this work, we demonstrate a novel network isolation attack in SDN networks, called Network Harvesting, that lets an attacker can access to the user’s network privileges without the awareness of victim and OpenFlow SDN architecture, which significantly increases persistence. We then present a defense, SpoofDefender, that prevents network isolation attacks or other spoofing attacks by leveraging SDN’s data and control plane separation, global network view, and programmatic control of the network, while building upon IEEE 802.1x and encryption. In addition, we also implement SpoofDefender on ONOS 1.10.4 and Mininet with a real network, and extensive simulation results demonstrate that our proposed SpoofDefender is highly effectiveness in terms of computation and communication costs.

ABSTRACT. Keystroke dynamics is an effective behavioral biometric for user authentication at a computer terminal. While many promising approaches have been proposed to enhance the recognition performance and several applications have been deployed to improve the system security level, the robustness under forgery attacks has not been well studied. In this paper, we propose a new approach to launch synthetic forgery attacks against the existing keystroke authentication systems. We analyze users' typing traits and select certain type of users who are good at imitating others from a large keystroke dataset and use their data to forge a master key. The attacks are launched under both zero effort as well as nonzero effort scenarios. Our initial results indicate that in the wake of the proposed synthetic impostor attack, the recognition rate can be weakened, thus exposing a significant vulnerability of current keystroke authentication systems.

ABSTRACT. Accurate and robust localization is crucial for wireless ad-hoc and sensor networks. Among the localization techniques, component-based methods advance themselves for conquering network sparseness and anchor sparseness. But component-based methods are sensitive to ranging noises, which may cause huge accumulated error either in component realization or mergence process. This paper presents three results for robust component-based location under ranging noises. (1) For a rigid graph component, a novel method is proposed to evaluate the graph’s possible flip ambiguities under noises. In particular, graph’s MInimal sepaRators that are neaRly cOllineaR (MIRROR) is presented as the cause of flip ambiguity, and algorithms for efficiently detecting MIRRORs are presented. The number of MIRRORs indicates the possible number of flip ambiguities under noise. (2) Then the sensitivity of a graph’s local deforming regarding to ranging noises is investigated by perturbation analysis, leading to a novel Ranging Sensitivity Matrix (RSM) which maps the variation of edge lengths to the deviation of the node locations. The condition number of RSM is therefore indicating the sensitivity of a realized component’s local deforming regarding to the ranging noises. (3) By integrating the flipping and the local deforming indicators, a Robust Component Generation and Realization (RCGR) algorithm is developed, which generates and realizes components selectively and with priority based on the robustness evaluations. RCGR was evaluated by simulations, which showed much better noise resistance and locating accuracy improvements than the the-state-of-the-art of the component-based localization algorithms.

ABSTRACT. Software Defined Networking (SDN) is fundamentally changing the way networks work, which enables programmable and flexible network management and configuration. As the de facto southbound interface of SDN, OpenFlow defines how the control plane can directly interact with the forwarding plane. In OpenFlow, flow tables play a significant role in packet forwarding. However, the capacity of flow table is limited due to power, cost, and silicon area constraints. The capacity-limited flow table cannot hold the explosive flows generated by the fine-grained granularity control mechanism used in SDN. Thus the flow table is frequently overflowed. In the case of overflow, eviction strategy which replaces existing flow entries with the new ones is critical to guarantee the efficient usage of the flow table. In this paper, we present a machine learning based eviction approach which can identify whether a flow entry is active or inactive and thus timely evict the inactive flow entries when flow table overflow occurs. Our simulations based on real network packet traces show that the proposed method can increase the usage of flow table by more than 55% and reduce the number of capacity misses by up to 80%, compared with the Least Recently Used eviction policy.

ABSTRACT. A logically centralized controller of Software Defined Networking (SDN) is responsible for the management of routing planning and monitoring of network status. With this central control and global visibility, in this paper, we propose a congestion-aware fast failure recovery scheme (CAFFE), which can not only recover the affected flows fast from a wide range of failure scenarios but also avoid potential congestion in the post-recovery network. CAFFE achieves fast recovery by detouring the traffic from neighbour switches as soon as they detect failures and avoids potential congestion by protected paths constructed with the combined consideration of the knowledge of network topology, failure states and network load distribution.

We formulate and solve the protected path planning problems where all potential network failures should be protected and the maximum link load in the post-recovery network should be minimized. The resulting protected paths ensure high traffic reachability and low link load even when network failure happens. All these paths are set up a priori by CAFFE. This allows switches to handle failures automatically without the need on waiting for the response from the controller. Experimental results show that CAFFE achieves fast recovery with relatively low overheads on either switches (in terms of backup rule number to configure) or controller (in terms of computational time). It also shows that CAFFE is able to better load-balance the post-recovery network comparing to shortest path re-calculation and OpenFlow-based Segment Protection (OSP).

ABSTRACT. OpenFlow supports internal buffering of data packets in an SDN switch whereby a fraction of data packet header is sent to the controller instead of an entire data packet. This internal buffering increases the robustness and the utilization of the link between SDN switches and controller by absorbing temporary burst of packets which may overwhelm the controller. Existing queuing models for SDN have focused on the switches that immediately send packets to the controller for decisioning, with no existing models investigating the impact of the internal buffer in an SDN switch and the associated trade-offs of having an internal buffer. In this paper, we propose an analytical model for SDN switch with the internal buffer to investigate the potential benefits, drawbacks and trade-off of internal buffering in SDN switches. It was observed that a switch with internal buffer achieves up to 30% lower average packet transfer delay and 7% lower packet loss rate at the cost of requiring up to 50% more queue capacity than one without the internal buffer. The proposed model is validated with discrete event simulation where the difference between simulation and analytical results was between 0.6% and 2.8% for average packet transfer delay and less than 6% for average packet loss rate. With this investigation, we provide some guidelines to SDN switch designers on the merits, demerits and trade-off of internal buffering in an SDN switch.

ABSTRACT. As new network paradigms, software-defined net- working (SDN) and network function virtualization (NFV) enable network innovation and brings flexibility in network management and service deployment. However, It is still a challenging task to ensure that network policy remains consistent during network updates due to the inherently distributed nature of the network. In this paper, we propose the Generalized Update Model (GUM) to support fast and consistent network updates under different levels of constraints, including connectivity consistency, policy consistency, and performance consistency. In our model, we use general high-level abstractions for capturing these consistent constraints and generate a state-resource dependency graph (SDG). With the help of the SDG, we analyze the relations between update operations, and construct the operation relation graph (ORG) to find the optimal update operation sequence. We prototype GUM on Ryu and evaluate it by comprehensive emulations and data-driven simulations. The results show that our scheme can always obtain the best update operation sequence under different requirements and speed up the update process by 32% on average.