We introduce a family of authenticated data structures, Ordered Merkle Trees (OMT), and illustrate their utility in security kernels for a wide variety of sub-systems. Specifically, two types of OMT, a) the index ordered Merkle tree (IOMT) and b) the range ordered Merkle tree (ROMT), are investigated for their suitability in security kernels for the various sub-systems of the Border Gateway Protocol (BGP), the Internet's inter-autonomous-system routing infrastructure. We outline simple generic security kernel functions to maintain OMTs, and sub-system-specific security kernel functionality for BGP sub-systems (registries, autonomous system owners, and BGP speakers/routers) that takes advantage of OMTs.
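To make the IOMT mechanism concrete, the following is an added worked example written for this page; it is not code from the paper above. The leaf layout (index, next index, value), the reserved empty leaf (0, 0, empty), and the use of SHA-256 with domain-separated hashing are assumptions of this example, not details taken from the page. Occupied leaves form a circular list sorted by index, so a single leaf whose gap encloses a queried index, together with its Merkle path to the root, proves that the index is absent; a plain Merkle tree cannot give such a proof. An ROMT applies the same enclosing-leaf argument to (start, end) ranges such as IP prefixes, but only the IOMT is implemented here.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

# Assumed leaf layout for this example: (index, next index, value).
# (0, 0, b"") marks an empty slot; index 0 and the empty value are therefore reserved.
Leaf = Tuple[int, int, bytes]
Path = List[Tuple[bytes, bool]]  # (sibling hash, sibling is the left child), leaf to root


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so leaf and node encodings cannot collide."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def leaf_hash(leaf: Leaf) -> bytes:
    idx, nxt, val = leaf
    return H(b"leaf", idx.to_bytes(8, "big"), nxt.to_bytes(8, "big"), val)


def covers(leaf: Leaf, x: int) -> bool:
    """True if x falls strictly inside the gap (idx, nxt) of an occupied leaf.
    The leaf with the largest index points back to the smallest one, so that gap
    wraps around; a lone leaf points at itself and covers every other index."""
    idx, nxt, val = leaf
    if val == b"":
        return False
    if idx < nxt:
        return idx < x < nxt
    return x > idx or x < nxt


class IOMT:
    def __init__(self, depth: int) -> None:
        self.leaves: List[Leaf] = [(0, 0, b"")] * (1 << depth)

    def _levels(self) -> List[List[bytes]]:
        levels = [[leaf_hash(l) for l in self.leaves]]
        while len(levels[-1]) > 1:
            prev = levels[-1]
            levels.append([H(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
        return levels

    def root(self) -> bytes:
        return self._levels()[-1][0]

    def path(self, pos: int) -> Path:
        out: Path = []
        for level in self._levels()[:-1]:
            sib = pos ^ 1
            out.append((level[sib], sib < pos))
            pos //= 2
        return out

    def _find(self, pred: Callable[[Leaf], bool]) -> Optional[int]:
        return next((i for i, l in enumerate(self.leaves) if pred(l)), None)

    def insert(self, x: int, val: bytes) -> None:
        if x <= 0 or val == b"":
            raise ValueError("index 0 and the empty value are reserved for empty leaves")
        if self._find(lambda l: l[2] != b"" and l[0] == x) is not None:
            raise KeyError("index already present")
        free = self._find(lambda l: l[2] == b"")
        if free is None:
            raise MemoryError("tree is full")
        cov = self._find(lambda l: covers(l, x))
        if cov is None:                       # first leaf: a one-element circular list
            self.leaves[free] = (x, x, val)
        else:                                 # splice x into the gap of its predecessor
            a, b, v = self.leaves[cov]
            self.leaves[cov] = (a, x, v)
            self.leaves[free] = (x, b, val)

    def prove(self, x: int) -> Tuple[Leaf, Path]:
        """Leaf plus Merkle path: the leaf for x if present, else the leaf whose gap encloses x."""
        pos = self._find(lambda l: l[2] != b"" and l[0] == x)
        if pos is None:
            pos = self._find(lambda l: covers(l, x))
        if pos is None:
            raise LookupError("tree is empty")
        return self.leaves[pos], self.path(pos)


def verify_leaf(leaf: Leaf, path: Path, root: bytes) -> bool:
    h = leaf_hash(leaf)
    for sib, sib_is_left in path:
        h = H(b"node", sib, h) if sib_is_left else H(b"node", h, sib)
    return h == root


def verify_member(x: int, leaf: Leaf, path: Path, root: bytes) -> bool:
    return leaf[2] != b"" and leaf[0] == x and verify_leaf(leaf, path, root)


def verify_absent(x: int, leaf: Leaf, path: Path, root: bytes) -> bool:
    return covers(leaf, x) and verify_leaf(leaf, path, root)


if __name__ == "__main__":
    t = IOMT(3)
    for idx, v in [(10, b"AS10"), (30, b"AS30"), (20, b"AS20")]:   # constructed sample entries
        t.insert(idx, v)
    r = t.root()
    print("member 20:", verify_member(20, *t.prove(20), r))
    print("absent 25:", verify_absent(25, *t.prove(25), r))
    print("absent  5:", verify_absent(5, *t.prove(5), r))    # uses the wrap-around gap 30 -> 10
```

The verifier needs only the root, one leaf and one path, which is what makes this usable inside a small security kernel: the kernel keeps the root, and an untrusted host supplies leaves and paths that the kernel checks before updating its state. In this toy the lookups are linear scans; a real implementation would index leaves, but the proofs and their verification would be unchanged.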
This document summarizes a lecture on speculative multithreading. The lecture discussed two papers: one that categorized hardware support for speculative multithreading, and one that described a software-only approach using transactional memory. The class discussion covered dividing responsibilities between hardware and software, sources of parallelism for speculation beyond just loops, scaling speculation, and programming support options.
This document discusses using spin transfer torque memory technology and lookup tables (STT-LUT) for efficient logic design. It proposes a hybrid design methodology using both STT-LUT and custom CMOS logic to maximize reconfigurability while minimizing performance penalties. As a case study, the document analyzes mapping individual gates of a 4-bit adder circuit to STT-LUTs and measuring the impact on delay, power, area, and other metrics. It finds that mapping certain gates does not significantly increase delay or power consumption.
The document discusses Abstract Syntax Notation (ASN.1), which defines a standard for representing and encoding data structures. It consists of an abstract syntax that describes data unambiguously and a transfer syntax that encodes objects for transmission. ASN.1 is associated with encoding rules like BER, DER, and PER. It provides an example of ASN.1 abstract syntax defining a student record. The document also discusses other related topics like XDR, data compression techniques, video compression, encryption, and security services provided by encryption.
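As an added example of the abstract syntax / transfer syntax split described above (this is not code from the document, and the record definition below is an assumption, since the page does not reproduce its student record), the following Python encodes a small ASN.1 SEQUENCE under DER and decodes it with the strictness DER requires: every length is checked against the buffer before content is read, and BER-only forms (indefinite lengths, non-minimal lengths, non-minimal INTEGERs, BOOLEAN values other than 00 and FF) are rejected. Lenient length handling in ASN.1 decoders is a classic source of memory-safety and signature-bypass bugs, which is why the checks matter.

```python
from typing import List, Tuple

# Assumed record for this example (the page does not show the original definition):
#   StudentRecord ::= SEQUENCE { name UTF8String, studentId INTEGER, enrolled BOOLEAN }
BOOLEAN, INTEGER, UTF8STRING, SEQUENCE = 0x01, 0x02, 0x0C, 0x30


class DERError(ValueError):
    pass


def der_length(n: int) -> bytes:
    """DER length: short form below 128, otherwise the minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_integer(v: int) -> bytes:
    """INTEGER as minimal two's complement (DER forbids redundant leading octets)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return der_tlv(INTEGER, v.to_bytes(n, "big", signed=True))


def encode_student(name: str, student_id: int, enrolled: bool) -> bytes:
    body = (der_tlv(UTF8STRING, name.encode("utf-8"))
            + encode_integer(student_id)
            + der_tlv(BOOLEAN, b"\xff" if enrolled else b"\x00"))
    return der_tlv(SEQUENCE, body)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at pos, returning (tag, content, next position).
    Every length is checked against the buffer before any content is sliced,
    and BER-only forms (indefinite or non-minimal lengths) are rejected."""
    if pos + 2 > len(buf):
        raise DERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise DERError("multi-octet tags not supported here")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DERError("indefinite or oversized length")
        if pos + n > len(buf):
            raise DERError("truncated length")
        if buf[pos] == 0:
            raise DERError("non-minimal length (leading zero octet)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise DERError("non-minimal length (long form for a short value)")
    if pos + length > len(buf):
        raise DERError("content length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_integer(content: bytes) -> int:
    if not content:
        raise DERError("empty INTEGER")
    if len(content) > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80) or
        (content[0] == 0xFF and content[1] & 0x80)
    ):
        raise DERError("non-minimal INTEGER")
    return int.from_bytes(content, "big", signed=True)


def decode_student(buf: bytes) -> Tuple[str, int, bool]:
    tag, body, end = read_tlv(buf, 0)
    if tag != SEQUENCE or end != len(buf):
        raise DERError("expected a single SEQUENCE with no trailing data")
    fields: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(body):
        t, c, pos = read_tlv(body, pos)
        fields.append((t, c))
    if [t for t, _ in fields] != [UTF8STRING, INTEGER, BOOLEAN]:
        raise DERError("unexpected field layout")
    name = fields[0][1].decode("utf-8")           # invalid UTF-8 raises UnicodeDecodeError
    student_id = decode_integer(fields[1][1])
    flag = fields[2][1]
    if flag not in (b"\x00", b"\xff"):
        raise DERError("DER BOOLEAN must be 00 or FF")
    return name, student_id, flag == b"\xff"


def rejects(buf: bytes) -> bool:
    """True if the strict decoder refuses buf (used to exercise malformed inputs)."""
    try:
        decode_student(buf)
        return False
    except DERError:
        return True
```

Because DER is a canonical encoding, a given record has exactly one valid byte string, which is what allows signatures over DER structures to be checked by re-encoding; a decoder that silently accepted the BER variants rejected above would let two different byte strings decode to the same value.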
Performance evaluation of ECC in single and multi (elliptic curve) (Danilo Calle)
The document discusses performance evaluation of ECC (Elliptic Curve Cryptography) implementation on FPGA-based embedded systems using single and dual processor architectures. It explores implementing ECC using a single MicroBlaze soft processor core and a dual MicroBlaze core design with shared memory for inter-processor communication. Experimental results show the dual core design improves throughput by 3.3x over the single core design, encrypting data 3.3 times faster, but utilizes more resources and power due to the additional processor core.
The document describes a distributed memory architecture for a coarse-grain reconfigurable architecture (CGRA) with network-on-chip (NoC) capabilities. The key aspects of the architecture are:
1) It uses a distributed memory approach with memory banks (mBanks) connected via a circuit-switched NoC to enable private and parallel execution environments (PREX).
2) The memory is partitionable and partitions can be reconfigured at runtime to modify the memory to computation ratio.
3) Controllers synchronize data streaming from mBanks to computation elements to improve performance and energy efficiency.
IJCER (www.ijceronline.com) International Journal of computational Engineeri... (ijceronline)
This document summarizes three techniques for format-preserving encryption (FPE): Prefix cipher, Cycle Walking, and Feistel Network. Prefix cipher encrypts each digit of a number separately and reorders the digits based on the encrypted values. Cycle Walking repeatedly encrypts the plaintext until the ciphertext matches the required format. The Feistel Network uses a Feistel structure along with repeated encryption via cycle walking. The Feistel Network technique is generally more efficient than Prefix cipher or Cycle Walking alone.
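The three constructions above are easy to confuse, so here is an added example (written for this page, not code from the summarized paper) that implements each in plain Python with an HMAC-SHA256 round function: the prefix cipher as a ranked PRF table over a tiny domain, a balanced Feistel network as a bijection on a power-of-two domain, and cycle walking that repeats the Feistel permutation until the output lands inside the target domain (here, decimal numbers of a fixed length). The round count, the HMAC-based round function and the digit-string wrapper are choices of this example and do not follow any standardized FPE mode such as FF1.

```python
import hashlib
import hmac
from typing import List


def prf(key: bytes, *ints: int) -> int:
    """Keyed pseudo-random function (HMAC-SHA256) over a tuple of integers."""
    data = b"".join(i.to_bytes(8, "big") for i in ints)
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big")


# 1. Prefix cipher: for a small domain {0..n-1}, rank the PRF outputs to obtain a
#    permutation table. Each encryption afterwards is a single table lookup.
def prefix_cipher_table(key: bytes, n: int) -> List[int]:
    order = sorted(range(n), key=lambda i: prf(key, 0, i))   # PRF collisions are negligible
    table = [0] * n
    for rank, i in enumerate(order):
        table[i] = rank
    return table                                              # table[x] == E(x)


# 2. Balanced Feistel network: a bijection on {0 .. 4^half_bits - 1}, invertible
#    round by round no matter what the round function does.
def feistel(key: bytes, x: int, half_bits: int, rounds: int = 8, decrypt: bool = False) -> int:
    mask = (1 << half_bits) - 1
    left, right = x >> half_bits, x & mask
    if not decrypt:
        for r in range(rounds):
            left, right = right, left ^ (prf(key, 1, r, right) & mask)
    else:
        for r in reversed(range(rounds)):
            left, right = right ^ (prf(key, 1, r, left) & mask), left
    return (left << half_bits) | right


# 3. Cycle walking: use the smallest Feistel domain 4^h that holds n, then keep
#    applying the permutation until the value is back inside {0..n-1}.
def _half_bits(n: int) -> int:
    return max(1, ((n - 1).bit_length() + 1) // 2)


def fpe_encrypt(key: bytes, x: int, n: int) -> int:
    if not 0 <= x < n:
        raise ValueError("plaintext outside the domain")
    h = _half_bits(n)
    y = feistel(key, x, h)
    while y >= n:                 # walk the cycle until we land in range again
        y = feistel(key, y, h)
    return y


def fpe_decrypt(key: bytes, y: int, n: int) -> int:
    if not 0 <= y < n:
        raise ValueError("ciphertext outside the domain")
    h = _half_bits(n)
    x = feistel(key, y, h, decrypt=True)
    while x >= n:                 # walk the same cycle backwards
        x = feistel(key, x, h, decrypt=True)
    return x


def encrypt_digits(key: bytes, digits: str) -> str:
    """Format-preserving: a string of k decimal digits maps to another k-digit string."""
    n = 10 ** len(digits)
    return str(fpe_encrypt(key, int(digits), n)).zfill(len(digits))


def decrypt_digits(key: bytes, digits: str) -> str:
    n = 10 ** len(digits)
    return str(fpe_decrypt(key, int(digits), n)).zfill(len(digits))
```

Two practical caveats follow directly from the code. Cycle walking terminates because a permutation's cycle through an in-range point must return to an in-range point, but the number of walking steps depends on the plaintext, so a careless implementation leaks through timing. And a Feistel network over a tiny domain is only as strong as the domain allows: with the prefix cipher the whole table is the codebook, and with a few thousand possible values an attacker who can query the cipher can simply enumerate it.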
This document presents benchmarks to analyze the memory subsystem performance of multicore processors from AMD and Intel. The benchmarks measure latency and bandwidth for different cache coherence states and locations in the memory hierarchy. Testing was done on dual-socket systems using AMD Opteron 2300 (Shanghai) and Intel Xeon 5500 (Nehalem-EP) quad-core processors. Results show significant performance differences driven by each processor's distinct cache architecture and coherence protocol implementations.
Effective Sparse Matrix Representation for the GPU Architectures (IJCSEA Journal)
General purpose computation on graphics processing unit (GPU) is prominent in the high performance computing era of this time. Porting or accelerating the data parallel applications onto GPU gives the default performance improvement because of the increased computational units. Better performances can be seen if application specific fine tuning is done with respect to the architecture under consideration. One such very widely used computation intensive kernel is sparse matrix vector multiplication (SPMV) in sparse matrix based applications. Most of the existing data format representations of sparse matrix are developed with respect to the central processing unit (CPU) or multi cores. This paper gives a new format for sparse matrix representation with respect to graphics processor architecture that can give 2x to 5x performance improvement compared to CSR (compressed row format), 2x to 54x performance improvement with respect to COO (coordinate format) and 3x to 10 x improvement compared to CSR vector format for the class of application that fit for the proposed new format. It also gives 10% to 133% improvements in memory transfer (of only access information of sparse matrix) between CPU and GPU. This paper gives the details of the new format and its requirement with complete experimentation details and results of comparison.
Pipelining Architecture of AES Encryption and Key Generation with Search Base... (VLSICS Design)
A high speed security algorithm is always important for wired/wireless environment. The symmetric block cipher plays a major role in the bulk data encryption. One of the best existing symmetric security algorithms to provide data security is AES. AES has the advantage of being implemented in both hardware and software. Hardware implementation of the AES has the advantage of increased throughput and offers better security. Search based S-box architecture has been proposed in this paper to reduce the constraint in the hardware resources. The pipelined architecture of the AES algorithm is proposed in order to increase the throughput of the algorithm. Moreover the key schedule algorithm of the AES encryption is pipelined to get the speedup.
VLSI ARCHITECTURE FOR NANO WIRE BASED ADVANCED ENCRYPTION STANDARD (AES) WITH... (VLSICS Design)
The Advanced Encryption Standard (AES) algorithm is extensively applied in present-day financial applications. Side-channel attacks are one of the main problems affecting AES implementations. An asynchronous AES architecture is one of the leading countermeasures against side-channel attacks because of its natural properties. This paper proposes an AES architecture with an enhanced MixColumns stage and a reduced transistor count. Verilog-A modelling is then used to evaluate the performance of the proposed architecture. Finally, the AES processor is implemented in 0.25 µm CMOS technology. Using the generated netlists, the proposed architecture is analysed in the VLSI design environment. The simulation results show that the proposed structure achieves the minimum transistor count and power utilisation. Moreover, the proposed CMOS-based AES design is integrated into the back-end chip flow.
The document describes how a computer's internal components are physically connected through a common bus. It explains the machine cycle process where the instruction control unit fetches instructions from memory over the bus, and the arithmetic logic unit executes instructions by fetching data from memory over the bus.
This document proposes a reverse encoding algorithm to address issues with data loss when compressing on-chip bus traces stored in a circular buffer.
Traditional forward encoding compression results in lost data when the initial uncompressed values are overwritten in the circular buffer. The proposed reverse encoding sets the newest data as uncompressed and encodes all preceding data in reference to the newest. This prevents data loss even when the buffer wraps around.
The algorithm is applied to common compression techniques and demonstrated on an on-chip bus architecture with Wishbone interfaces. Hardware is designed in VHDL and simulated, showing the approach supports both forward and backward tracing with efficient buffer usage and good compression ratios.
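The failure mode the summary describes, and the way reverse encoding avoids it, is easiest to see by running both schemes over the same wrapping buffer. The following is an added Python model written for this page, not the paper's VHDL: each trace entry is either a raw sample or a delta, the circular buffer is a fixed-size deque, and the sample address trace is constructed here. The forward scheme keeps its one raw anchor at the oldest position, so after the first wrap the surviving deltas have nothing to resolve against; the reverse scheme keeps the anchor at the newest position and re-encodes the previous newest entry on every push, so the most recent entries can always be reconstructed.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple

Entry = Tuple[str, int]   # ("raw", value) or ("delta", difference)


class ForwardTrace:
    """Forward encoding: the first captured sample is stored raw, every later one
    as a delta from its predecessor. The deque drops the oldest entry on wrap."""

    def __init__(self, capacity: int) -> None:
        self.buf: Deque[Entry] = deque(maxlen=capacity)
        self.prev: Optional[int] = None

    def push(self, value: int) -> None:
        self.buf.append(("raw", value) if self.prev is None else ("delta", value - self.prev))
        self.prev = value

    def decode(self) -> Optional[List[int]]:
        """None once the raw anchor has been overwritten: the surviving deltas
        have nothing to be resolved against."""
        if not self.buf or self.buf[0][0] != "raw":
            return None
        out: List[int] = []
        for kind, v in self.buf:
            out.append(v if kind == "raw" else out[-1] + v)
        return out


class ReverseTrace:
    """Reverse encoding: the newest sample is stored raw and every older entry is a
    delta relative to its newer neighbour (older = newer + delta). On each push the
    previous newest entry is re-encoded, so the buffer always holds its own anchor."""

    def __init__(self, capacity: int) -> None:
        self.buf: Deque[Entry] = deque(maxlen=capacity)
        self.newest: Optional[int] = None

    def push(self, value: int) -> None:
        if self.newest is not None:
            self.buf[-1] = ("delta", self.newest - value)
        self.buf.append(("raw", value))
        self.newest = value

    def decode(self) -> List[int]:
        """Walk backwards from the newest entry; the dropped oldest entry is never needed."""
        out: List[int] = []
        for kind, v in reversed(self.buf):
            out.append(v if kind == "raw" else out[-1] + v)
        out.reverse()
        return out


def payload_bits(trace) -> int:
    """Bits needed for the stored entries, to compare against raw 32-bit samples."""
    total = 0
    for kind, v in trace.buf:
        total += 32 if kind == "raw" else max(1, abs(v).bit_length() + 1)
    return total


if __name__ == "__main__":
    # Constructed sample: a sequential bus address trace with one jump.
    samples = [0x1000, 0x1004, 0x1008, 0x2000, 0x2004, 0x2008, 0x200C]
    fwd, rev = ForwardTrace(4), ReverseTrace(4)
    for s in samples:
        fwd.push(s)
        rev.push(s)
    print("forward after wrap:", fwd.decode())
    print("reverse after wrap:", [hex(v) for v in rev.decode()])
```

The re-encoding step is the cost of the scheme: in hardware it means a read-modify-write of the previous newest slot on every captured transfer, which is why the summary's point that the approach still gives good compression ratios and efficient buffer use is the interesting result rather than a given.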
The document describes how a computer's internal components are physically linked through a machine cycle. It explains that during instruction time, the instruction control unit fetches instructions from memory and sends them to the instruction register. During execution time, the ALU executes the instruction and may fetch data from memory which is sent to a work register.
SMaRT is a 16-bit 2.5-address RISC-type single-cycle processor, which was recently designed and successfully mapped into an FPGA chip in our ECE department. In this paper, we use SMaRT to run the well-known encryption algorithm, Data Encryption Standard. For information security purposes, encryption is a must in today's sophisticated and ever-increasing computer communications such as ATM machines and SIM cards. For comparison and evaluation purposes, we also map the same algorithm on the HC12, a same-size but CISC-type off-the-shelf microcontroller. Our results show that compared to HC12, SMaRT code is only 14% longer in terms of the static number of instructions but about 10 times faster in terms of the number of clock cycles, and 7% smaller in terms of code size. Our results also show that 2.5-address instructions, a SMaRT selling point, amount to 45% of the whole R-type instructions, resulting in significant improvement in static number of instructions and hence code size as well as performance. Additionally, we see that the SMaRT short-branch range is sufficiently wide in 90% of cases in the SMaRT code. Our results also reveal that the SMaRT novel concept of locality of reference in using the MSBs of the registers in non-subroutine branch instructions stays valid with a remarkable hit rate of 95%.
This document summarizes a paper that proposes and evaluates the performance of a multithreaded architecture capable of exploiting both coarse-grained parallelism and fine-grained instruction-level parallelism. The architecture distributes processing across multiple processing elements connected by an interconnection network. Each processing element supports multiple concurrently executing threads by grouping instructions from different threads. The architecture introduces a distributed data structure cache to reduce network latency when accessing remote data. Simulation results indicate the architecture achieves high processor throughput and the data structure cache significantly reduces network latency.
Coarse Grained Hybrid Reconfigurable Architecture with NoC Router for Variabl... (Dhiraj Chaudhary)
This document describes a coarse-grained reconfigurable architecture with a Network-on-Chip (NoC) router designed for variable block size motion estimation. The architecture contains 16 processing elements arranged in a 2D array that can calculate Sum of Absolute Differences (SAD) for different block sizes. An NoC with intelligent routers is used to direct reference block data between processing elements to reduce memory interactions and increase computation efficiency. The architecture supports fast search algorithms like diamond search that further improve performance over full search.
The document discusses several key computer architecture concepts:
1. It describes the machine cycle process where the instruction control unit fetches instructions from memory and executes them through the arithmetic logic unit.
2. It explains how internal computer components are designed around a common word size for efficiency. A larger word size allows for faster processing, more memory capacity, and greater precision but a larger instruction set.
3. It provides an overview of computer architecture including the instruction set architecture, microarchitecture, and system design. The implementation of a computer design is also discussed.
Architecture and implementation issues of multi core processors and caching –... (eSAT Publishing House)
IJRET: International Journal of Research in Engineering and Technology is an international peer-reviewed online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together scientists, academics, field engineers, scholars and students of related fields of Engineering and Technology.
This document provides an introduction to computer networking concepts. It defines what a network is and explains that networks allow computers to share resources like files, printers, and storage. It then covers network topologies including bus, star, ring and mesh; common network devices like switches, routers and hubs; and different types of networks including local area networks (LANs), wide area networks (WANs) and metropolitan area networks (MANs). It also discusses client-server models and peer-to-peer networks.
This document introduces computer networking concepts. It defines a network as connecting two or more computers to share resources like files, printers, and storage. Network topologies include bus, star, ring and mesh configurations for connecting devices either physically or logically. The document also discusses client-server models, peer-to-peer networking, intranets vs the Internet, and network hardware and software components.
Efficient video compression using EZWT (IJERA Editor)
In this article, a wavelet-based lossy video compression algorithm is presented. Motion estimation and compensation, an important part of the compression, is based on segment movements. The proposed work is based on the Embedded Zerotree Wavelet Transform (EZWT) algorithm. Different videos are analysed on the basis of peak signal to noise ratio (PSNR) and mean squared error (MSE). Keeping the PSNR within acceptable limits, the proposed EZWT algorithm achieves very good compression ratios, making the technique more efficient than the 2-D Discrete Cosine Transform (DCT) used in the H.264/AVC codec. The method is suitable for low bit rate video, showing the highest compression ratio and a very good PSNR of more than 30 dB.
A comprehensive study of non blocking joining techniques (IAEME Publication)
The document discusses and compares various non-blocking joining techniques for databases. It describes 7 different non-blocking joining algorithms: 1) Symmetric hash join, 2) XJoin, 3) Progressive merge join, 4) Hash merge join, 5) Rate based progressive join, 6) Multi-way join, and 7) Early hash join. For each algorithm, it explains the basic approach, memory overflow handling technique, and provides diagrams to illustrate the process. The goal of the paper is to explain and evaluate these non-blocking joining techniques based on factors like execution time, memory usage, I/O complexity, and ability to handle continuous data streams.
GEOGRAPHIC MAPS CLASSIFICATION BASED ON L*A*B COLOR SYSTEM (IJCNCJournal)
Today, geographic information system (GIS) layers have become a vital part of any GIS, and consequently the need for automatic approaches to extract GIS layers from different image maps, such as digital maps or satellite images, is very important. Map classification can be defined as an image processing technique that creates thematic maps from scanned paper maps or remotely sensed images. Each resulting theme represents a GIS layer of the image. A new approach to extract GIS layers (classes) automatically, based on the L*a*b* colour system using the a and b channels, is proposed in this paper; our experiments show that the HSI colour space gives better results than L*a*b*.
International Journal of Computer Networks & Communications (IJCNC) (IJCNCJournal)
This document summarizes the scope and contents of the International Journal of Computer Networks & Communications (IJCNC). IJCNC is a bi-monthly peer-reviewed journal that publishes articles on all aspects of computer networks and data communications. Topics of interest include network protocols, architectures, routing techniques, wireless networks, next generation networks, network operations and management, and more. The goal is to bring together researchers and industry practitioners to advance networking concepts and collaboration.
ADAPTIVE MULTI-TENANCY POLICY FOR ENHANCING SERVICE LEVEL AGREEMENT THROUGH R... (IJCNCJournal)
The appearance of seemingly infinite computing resources, available on demand and fast enough to adapt to load surges, makes Cloud computing a favourable service infrastructure in the IT market. A core feature of Cloud service infrastructures is the Service Level Agreement (SLA), which delivers seamless service at a high quality of service to the client. One of the challenges in the Cloud is providing heterogeneous computing services to clients. With the increasing number of clients/tenants in the Cloud, unsatisfied agreements are becoming a critical factor. In this paper, we present an adaptive resource allocation policy which attempts to improve accountability in Cloud SLAs while aiming to enhance system performance. Specifically, our allocation incorporates dynamic matching of SLA rules to deal with diverse processing requirements from tenants. Explicitly, it reduces processing overheads while achieving better service agreement. Simulation experiments proved the efficacy of our allocation policy in satisfying the tenants and helping to improve reliable computing.
CONGESTION AWARE LINK COST ROUTING FOR MANETS (IJCNCJournal)
Due to its dynamic topology, self-configuration and decentralized nature, a Mobile Ad hoc Network (MANET) provides many benefits in wireless networks and is easy to deploy. But the transmission of data over ad hoc networks raises many technical issues for successful routing. Congestion is one of the important issues that cause performance degradation of a network, through long delay and high packet loss. This paper proposes Congestion Aware Link Cost Routing for MANETs, in which the protocol finds a path with optimized link cost based on SNR, link delay and remaining battery power. Along with this optimization, every node determines its congestion status and participates in route discovery on the basis of that status. Data forwarding is also done based on the congestion status at the time of forwarding. The protocol results in better performance in terms of packet delivery fraction, end-to-end delay, throughput and packet drop when compared to existing protocols.
GAME THEORY BASED INTERFERENCE CONTROL AND POWER CONTROL FOR D2D COMMUNICATIO... (IJCNCJournal)
With the current development of mobile communication services, people need personal communication with high speed, excellent service, high quality and low latency; however, limited spectrum resources have become the most important factor hampering the improvement of cellular systems. As large amounts of data traffic cause greater local consumption of spectrum resources, future networks are required to have appropriate techniques to better support such forms of communication. D2D (Device-to-device) communication technology underlaying a cellular network makes full use of spectrum resources, reduces the load on the base station, minimizes the transmit power of the terminals and the base stations, and thereby enhances the overall throughput of the network. Because D2D UEs (User Equipment) reuse cellular resources and spectrum, and because of the interference caused by sharing resources between adjacent cells, interference has become a major factor affecting the coexistence of cellular subscribers and D2D users. When D2D communication reuses the uplink resources, the base stations are easily disturbed; when the downlink resources are reused, the downlink users are susceptible to interference. In order to build a highly efficient mobile network, we can meet the QoS requirements by controlling power to suppress the interference between the base station and a terminal user.
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER... (IJCNCJournal)
In current Internet-based systems, there are many problems arising from the anonymity of network communication, such as personal information leaks and crimes committed using Internet systems. This is because the TCP/IP protocols used in Internet systems carry no user identification information in the communication data, so it is difficult to supervise the user performing such acts immediately. As a solution to this problem, there is the approach of Policy-based Network Management (PBNM). This is a scheme for managing a whole Local Area Network (LAN) through communication control of every user. In PBNM, two types of scheme exist. The first manages the whole LAN by locating the communication control mechanisms on the path between network servers and clients. The second manages the whole LAN by locating the communication control mechanisms on the clients. As an instance of the second scheme, we have studied the Destination Addressing Control System (DACS) Scheme theoretically. By applying this DACS Scheme to Internet system management, we intend ultimately to realize policy-based Internet system management. In the DACS Scheme, compatibility with cloud environments using virtualization technology, which are spreading explosively, has not been examined. As a result, the coverage of the DACS Scheme is currently limited to physical environments. In this study, we examine the compatibility of the DACS Scheme with cloud environments using virtualization technology, and enlarge the coverage of this scheme. With this, the Virtual DACS Scheme (vDACS Scheme) is established.
SIMULATING CORTICAL MAPS FOR ATTENTION SHIFT IN AUTISM (IJCNCJournal)
Autism is a pervasive neuro-developmental disorder, primarily encompassing difficulties in the social, language and communicative domains. Because autism is a spectrum disorder, it affects each individual differently and to varying degrees. There are three core aspects of impairment according to the Diagnostic and Statistical Manual of Mental Disorders (DSM-IV), namely impairment in socialization, impairment in communication, and restricted repetitive activities or interests. This work describes an experiment that aims at expressing autistic traits through the use of a self-organizing map. Work on simulating autism through self-organizing maps is limited. This work compares and contrasts the difference in attention index between normal learning and marred attention shift learning ability. It was found that the attention index of normal learning is 9 times better than that of marred attention shift for both random and pre-fixed input data. In the marred attention shift context, neurons adapt more towards the mean of both sources combined, while under the normal context some neurons adapt towards the mean of one source. The normal learning ability produces maps with neurons orienting towards the mean values of the combined stimulus sources. Impairment in learning ability produces cortical maps similar to those of normal learning ability; the major difference is in the attention index.
SIMPLIFIED CBA CONCEPT AND EXPRESS CHOICE METHOD FOR INTEGRATED NETWORK MANAG... (IJCNCJournal)
This document proposes a simplified method for evaluating and selecting a network management system (NMS) for integration into an existing computer network. The method evaluates NMS options based on 3 criteria: 1) the level of integration risk, 2) the expected increase in network maintenance effectiveness, and 3) the level of management tasks completed by the system. Each criterion is evaluated on a standardized scale of 0 to 2. The scores are combined to calculate an overall value for each NMS, with the highest scoring option selected for integration. The method aims to provide a rapid evaluation that does not require extensive expertise, resources or time.
Pipelining Architecture of AES Encryption and Key Generation with Search Base...VLSICS Design
A high speed security algorithm is always important for wired/wireless environment. The symmetric block cipher plays a major role in the bulk data encryption. One of the best existing symmetric security algorithms to provide data security is AES. AES has the advantage of being implemented in both hardware and software. Hardware implementation of the AES has the advantage of increased throughput and offers better security. Search based S-box architecture has been proposed in this paper to reduce the constraint in the hardware resources. The pipelined architecture of the AES algorithm is proposed in order to increase the throughput of the algorithm. Moreover the key schedule algorithm of the AES encryption is pipelined to get the speedup.
VLSI ARCHITECTURE FOR NANO WIRE BASED ADVANCED ENCRYPTION STANDARD (AES) WITH...VLSICS Design
The Advanced Encryption Standard (AES) algorithm has been extensively applied in present-day financial applications. Side-channel attacks are one of the main problems affecting AES implementations. Asynchronous AES architectures are one of the leading countermeasures against side-channel attacks due to their natural properties. An AES architecture with an enhanced MixColumns stage is proposed with a reduced transistor count. Verilog-A modeling is then used to evaluate the performance of the proposed AES architecture. Finally, the VLSI implementation of the AES processor is realized in 0.25 µm CMOS technology. Using the generated netlists, the proposed AES architecture is analyzed in the VLSI design environment. The simulation results show that the proposed structure achieves the minimum transistor count as well as minimum power utilization. Moreover, the proposed CMOS-technology-based AES algorithm is integrated into backend chip technology.
The document describes how a computer's internal components are physically connected through a common bus. It explains the machine cycle process where the instruction control unit fetches instructions from memory over the bus, and the arithmetic logic unit executes instructions by fetching data from memory over the bus.
This document proposes a reverse encoding algorithm to address data loss when compressing on-chip bus traces stored in a circular buffer.
Traditional forward encoding compression loses data when the initial uncompressed values are overwritten in the circular buffer. The proposed reverse encoding stores the newest data uncompressed and encodes all preceding data with reference to the newest. This prevents data loss even when the buffer wraps around.
The algorithm is applied to common compression techniques and demonstrated on an on-chip bus architecture with Wishbone interfaces. Hardware is designed in VHDL and simulated, showing the approach supports both forward and backward tracing with efficient buffer usage and good compression ratios.
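The loss-on-wrap problem and the reverse-encoding fix can be shown with a small software model. This is an added example and not the paper's VHDL; the delta encoding (integer subtraction between consecutive bus addresses), the buffer capacity and the sample trace are assumptions made for illustration.

```python
# Added example: a circular trace buffer under forward and reverse delta encoding.
# Constructed model, not the paper's hardware; subtraction stands in for whatever
# delta/compression scheme the real trace unit uses.
from collections import deque
from typing import List, Optional

class ForwardTraceBuffer:
    """Forward encoding: the oldest entry is stored raw and every later entry
    stores only its delta from the previous entry. The raw entry is the only
    decoding base, so once the circular buffer overwrites it nothing decodes."""

    def __init__(self, capacity: int) -> None:
        self.buf = deque(maxlen=capacity)   # overflow silently drops the oldest entry
        self.prev: Optional[int] = None

    def push(self, value: int) -> None:
        if self.prev is None:
            self.buf.append(("raw", value))
        else:
            self.buf.append(("delta", value - self.prev))
        self.prev = value

    def decode(self) -> List[Optional[int]]:
        out: List[Optional[int]] = []
        cur: Optional[int] = None
        for kind, v in self.buf:
            if kind == "raw":
                cur = v
            elif cur is None:
                out.append(None)   # base overwritten: this entry is unrecoverable
                continue
            else:
                cur = cur + v
            out.append(cur)
        return out


class ReverseTraceBuffer:
    """Reverse encoding: the newest entry is stored raw and every older entry
    stores its delta relative to the entry after it. Each push re-encodes the
    previous newest entry, so the decoding base is never the one overwritten."""

    def __init__(self, capacity: int) -> None:
        self.buf = deque(maxlen=capacity)

    def push(self, value: int) -> None:
        if self.buf:
            _, prev_raw = self.buf.pop()                 # previous newest, still raw
            self.buf.append(("delta", prev_raw - value))
        self.buf.append(("raw", value))

    def decode(self) -> List[int]:
        out: List[int] = []
        cur = 0
        for kind, v in reversed(self.buf):               # walk from newest to oldest
            cur = v if kind == "raw" else cur + v
            out.append(cur)
        return out[::-1]


# Constructed sample trace: sequential bus addresses, two more than a 4-entry buffer holds.
SAMPLE_TRACE = [0x1000, 0x1004, 0x1008, 0x100C, 0x1010, 0x1014]

def compare(capacity: int = 4, trace: List[int] = SAMPLE_TRACE):
    """Feed the same trace through both buffers and return what each can decode."""
    fwd, rev = ForwardTraceBuffer(capacity), ReverseTraceBuffer(capacity)
    for v in trace:
        fwd.push(v)
        rev.push(v)
    return fwd.decode(), rev.decode()

if __name__ == "__main__":
    forward, reverse = compare()
    print("forward encoding after wrap:", forward)
    print("reverse encoding after wrap:", [hex(v) for v in reverse])
```

With a capacity of four and six pushes, the forward buffer retains four deltas and no base, so nothing is recoverable, while the reverse buffer decodes the last four addresses exactly. The cost of the reverse scheme is visible in `push`: every new sample rewrites the previous newest slot, which in hardware means a read-modify-write on the buffer head for each traced transfer.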
The document describes how a computer's internal components are physically linked through a machine cycle. It explains that during instruction time, the instruction control unit fetches instructions from memory and sends them to the instruction register. During execution time, the ALU executes the instruction and may fetch data from memory which is sent to a work register.
SMaRT is a 16-bit 2.5-address RISC-type single-cycle processor, which was recently designed and successfully mapped onto an FPGA chip in our ECE department. In this paper, we use SMaRT to run the well-known encryption algorithm, the Data Encryption Standard. For information security purposes, encryption is a must in today's sophisticated and ever-increasing computer communications, such as ATM machines and SIM cards. For comparison and evaluation purposes, we also map the same algorithm onto the HC12, a same-size but CISC-type off-the-shelf microcontroller. Our results show that, compared to the HC12, SMaRT code is only 14% longer in terms of the static number of instructions but about 10 times faster in terms of the number of clock cycles, and 7% smaller in terms of code size. Our results also show that 2.5-address instructions, a SMaRT selling point, amount to 45% of all R-type instructions, resulting in a significant improvement in the static number of instructions and hence in code size as well as performance. Additionally, we see that the SMaRT short-branch range is sufficiently wide in 90% of cases in the SMaRT code. Our results also reveal that the SMaRT novel concept of locality of reference in using the MSBs of the registers in non-subroutine branch instructions stays valid with a remarkable hit rate of 95%.
This document summarizes a paper that proposes and evaluates the performance of a multithreaded architecture capable of exploiting both coarse-grained parallelism and fine-grained instruction-level parallelism. The architecture distributes processing across multiple processing elements connected by an interconnection network. Each processing element supports multiple concurrently executing threads by grouping instructions from different threads. The architecture introduces a distributed data structure cache to reduce network latency when accessing remote data. Simulation results indicate the architecture achieves high processor throughput and the data structure cache significantly reduces network latency.
Coarse Grained Hybrid Reconfigurable Architecture with NoC Router for Variabl... (Dhiraj Chaudhary)
This document describes a coarse-grained reconfigurable architecture with a Network-on-Chip (NoC) router designed for variable block size motion estimation. The architecture contains 16 processing elements arranged in a 2D array that can calculate Sum of Absolute Differences (SAD) for different block sizes. An NoC with intelligent routers is used to direct reference block data between processing elements to reduce memory interactions and increase computation efficiency. The architecture supports fast search algorithms like diamond search that further improve performance over full search.
The document discusses several key computer architecture concepts:
1. It describes the machine cycle process where the instruction control unit fetches instructions from memory and executes them through the arithmetic logic unit.
2. It explains how internal computer components are designed around a common word size for efficiency. A larger word size allows for faster processing, more memory capacity, and greater precision but a larger instruction set.
3. It provides an overview of computer architecture including the instruction set architecture, microarchitecture, and system design. The implementation of a computer design is also discussed.
Architecture and implementation issues of multi core processors and caching –... (eSAT Publishing House)
IJRET: International Journal of Research in Engineering and Technology is an international peer-reviewed online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together scientists, academicians, field engineers, scholars and students of related fields of Engineering and Technology.
This document provides an introduction to computer networking concepts. It defines what a network is and explains that networks allow computers to share resources like files, printers, and storage. It then covers network topologies including bus, star, ring and mesh; common network devices like switches, routers and hubs; and different types of networks including local area networks (LANs), wide area networks (WANs) and metropolitan area networks (MANs). It also discusses client-server models and peer-to-peer networks.
This document introduces computer networking concepts. It defines a network as connecting two or more computers to share resources like files, printers, and storage. Network topologies include bus, star, ring and mesh configurations for connecting devices either physically or logically. The document also discusses client-server models, peer-to-peer networking, intranets vs the Internet, and network hardware and software components.
Efficient video compression using EZW (TIJERA Editor)
In this article, a wavelet-based lossy video compression algorithm is presented. Motion estimation and compensation, an important part of the compression, is based on segment movements. The proposed work is based on the Embedded Zerotree Wavelet Transform (EZWT). Different videos are analyzed on the basis of peak signal-to-noise ratio (PSNR) and mean squared error (MSE). While keeping the PSNR within acceptable limits, the proposed EZWT algorithm achieves very good compression ratios, making the technique more efficient than the 2-D Discrete Cosine Transform (DCT) used in the H.264/AVC codec. The method is suitable for low bit-rate video, showing the highest compression ratio and a very good PSNR of more than 30 dB.
A comprehensive study of non blocking joining techniques (IAEME Publication)
The document discusses and compares various non-blocking joining techniques for databases. It describes 7 different non-blocking joining algorithms: 1) Symmetric hash join, 2) XJoin, 3) Progressive merge join, 4) Hash merge join, 5) Rate based progressive join, 6) Multi-way join, and 7) Early hash join. For each algorithm, it explains the basic approach, memory overflow handling technique, and provides diagrams to illustrate the process. The goal of the paper is to explain and evaluate these non-blocking joining techniques based on factors like execution time, memory usage, I/O complexity, and ability to handle continuous data streams.
GEOGRAPHIC MAPS CLASSIFICATION BASED ON L*A*B COLOR SYSTEM (IJCNCJournal)
Today, geographic information system (GIS) layers have become a vital part of any GIS system, and consequently the need to develop automatic approaches for extracting GIS layers from different image maps, such as digital maps or satellite images, is very important. Map classification can be defined as an image processing technique which creates thematic maps from scanned paper maps or remotely sensed images. Each resultant theme represents a GIS layer of the image. A new approach to extract GIS layers (classes) automatically based on the L*a*b* color system, using the a and b channels, is proposed in this paper. Our experiments show that the HSI color space gives better results than L*a*b*.
International Journal of Computer Networks & Communications, IJCNC (IJCNCJournal)
This document summarizes the scope and contents of the International Journal of Computer Networks & Communications (IJCNC). IJCNC is a bi-monthly peer-reviewed journal that publishes articles on all aspects of computer networks and data communications. Topics of interest include network protocols, architectures, routing techniques, wireless networks, next generation networks, network operations and management, and more. The goal is to bring together researchers and industry practitioners to advance networking concepts and collaboration.
ADAPTIVE MULTI-TENANCY POLICY FOR ENHANCING SERVICE LEVEL AGREEMENT THROUGH R... (IJCNCJournal)
The appearance of seemingly infinite computing resources that are available on demand and fast enough to adapt to load surges makes Cloud computing a favourable service infrastructure in the IT market. A core feature of Cloud service infrastructures is the Service Level Agreement (SLA), which commits the provider to seamless service at a high quality of service for the client. One of the challenges in the Cloud is providing heterogeneous computing services for clients. With the increasing number of clients/tenants in the Cloud, unsatisfied agreements are becoming a critical factor. In this paper, we present an adaptive resource allocation policy which attempts to improve accountability in Cloud SLAs while aiming to enhance system performance. Specifically, our allocation incorporates dynamic matching of SLA rules to deal with diverse processing requirements from tenants. Explicitly, it reduces processing overheads while achieving better service agreement. Simulation experiments show the efficacy of our allocation policy in satisfying tenants and in helping to improve reliable computing.
CONGESTION AWARE LINK COST ROUTING FOR MANETS (IJCNCJournal)
Due to the dynamic topology, self-configuration and decentralized nature of Mobile Ad hoc Networks (MANETs), they provide many benefits in wireless networks and are easy to deploy. But the transmission of data over ad hoc networks raises many technical issues for successful routing. Congestion is one of the important issues that cause performance degradation of a network, through long delays and high packet loss. This paper proposes Congestion aware Link Cost Routing for MANETs, in which the protocol finds a path with optimized link cost based on SNR, link delay, and remaining battery power. Along with this optimization, every node in this protocol determines its own congestion status and participates in route discovery on the basis of that status. Data forwarding is also done based on the congestion status at the time of forwarding. The protocol results in better performance in terms of packet delivery fraction, end-to-end delay, throughput, and packet drop when compared to existing protocols.
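A small software model of the route selection the abstract describes, added here as an example and not taken from the paper. The composite cost function, the congestion threshold and the four-node topology are assumptions made for illustration; the paper defines its own metric and signalling.

```python
# Added example: congestion-aware link-cost routing over a constructed ad hoc topology.
# The cost formula, the congestion threshold and all numbers below are assumptions.
import heapq
from typing import Dict, List, Optional, Tuple

Links = Dict[str, Dict[str, Tuple[float, float]]]   # u -> {v: (snr_db, delay_ms)}
NodeState = Dict[str, Tuple[float, float]]          # node -> (battery_fraction, queue_occupancy)

# Constructed topology: S reaches D through relay A or relay B.
LINKS: Links = {
    "S": {"A": (20.0, 5.0), "B": (15.0, 8.0)},
    "A": {"S": (20.0, 5.0), "D": (25.0, 4.0)},
    "B": {"S": (15.0, 8.0), "D": (10.0, 6.0)},
    "D": {"A": (25.0, 4.0), "B": (10.0, 6.0)},
}
# Constructed per-node state: (remaining battery, fraction of the transmit queue in use).
NODES: NodeState = {"S": (1.0, 0.1), "A": (0.9, 0.2), "B": (0.7, 0.3), "D": (1.0, 0.1)}

def link_cost(snr_db: float, delay_ms: float, next_hop_battery: float) -> float:
    """Assumed composite cost: low SNR, high delay and a drained next hop all raise it."""
    return delay_ms + 100.0 / snr_db + 50.0 * (1.0 - next_hop_battery)

def is_congested(node: str, nodes: NodeState, threshold: float = 0.8) -> bool:
    """A node whose queue occupancy exceeds the threshold declines to act as a relay."""
    return nodes[node][1] > threshold

def find_route(src: str, dst: str, links: Links, nodes: NodeState,
               threshold: float = 0.8) -> Tuple[Optional[List[str]], float]:
    """Dijkstra over link_cost. Congested nodes are not expanded as relays, but
    source and destination always take part. Returns (path, cost) or (None, inf)."""
    dist: Dict[str, float] = {src: 0.0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[float, str]] = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                       # stale heap entry
        if u == dst:
            break
        if u != src and is_congested(u, nodes, threshold):
            continue                       # node advertised congestion: do not relay through it
        for v, (snr, delay) in links[u].items():
            nd = d + link_cost(snr, delay, nodes[v][0])
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, float("inf")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]

if __name__ == "__main__":
    print("uncongested:", find_route("S", "D", LINKS, NODES))
    loaded = dict(NODES)
    loaded["A"] = (0.9, 0.95)              # A's queue fills up; it stops relaying
    print("A congested:", find_route("S", "D", LINKS, loaded))
```

In the uncongested case the cheaper relay A is chosen; once A reports its queue above the threshold it drops out of route discovery and the route falls back to B even though B has the worse SNR and the lower battery. A practitioner's caveat: because a node's congestion status is self-reported, a malicious node can either advertise "uncongested" to attract traffic it then drops, or flood the network with false congestion reports; the routing decision is only as trustworthy as the status messages feeding it.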
GAME THEORY BASED INTERFERENCE CONTROL AND POWER CONTROL FOR D2D COMMUNICATIO... (IJCNCJournal)
With the current development of mobile communication services, people need personal communication with high speed, excellent service, high quality and low latency; however, limited spectrum resources have become the most important factor hampering the improvement of cellular systems. As large amounts of data traffic cause greater local consumption of spectrum resources, future networks are required to have appropriate techniques to better support such forms of communication. D2D (Device-to-Device) communication technology in a cellular network makes full use of the underlying spectrum resources, reduces the load on the base station, and minimizes the transmit power of the terminals and the base stations, thereby enhancing the overall throughput of the network. Because D2D UEs (User Equipment) reuse cellular resources and spectrum, and because of the interference caused by sharing resources between adjacent cells, interference has become a major factor affecting the coexistence of cellular subscribers and D2D users. When D2D communication reuses the uplink resources, the base stations are easily disturbed; when the downlink resources are reused, the downlink users are susceptible to interference. In order to build a highly efficient mobile network, the QoS requirements can be met by controlling transmit power to suppress the interference between the base station and a terminal user.
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER... (IJCNCJournal)
In current Internet-based systems there are many problems arising from the anonymity of network communication, such as leaks of personal information and crimes committed using Internet systems. This is because the TCP/IP protocol used in Internet systems does not carry user identification information in the communication data, and it is difficult to immediately supervise a user performing the above acts. One approach to solving this problem is Policy-based Network Management (PBNM). This is a scheme for managing a whole Local Area Network (LAN) through communication control of every user. Two types of PBNM scheme exist. The first manages the whole LAN by locating the communication control mechanisms on the path between network servers and clients. The second manages the whole LAN by locating the communication control mechanisms on the clients. As an instance of the second scheme, we have theoretically studied the Destination Addressing Control System (DACS) Scheme. By applying this DACS Scheme to Internet system management, we intend ultimately to realize policy-based Internet system management. In the DACS Scheme, compatibility with cloud environments using virtualization technology, which is spreading explosively, has not yet been examined. As a result, the coverage of the DACS Scheme is currently limited to physical environments. In this study, we examine the compatibility of the DACS Scheme with cloud environments using virtualization technology and enlarge the coverage of the scheme. With this, the Virtual DACS Scheme (vDACS Scheme) is established.
SIMULATING CORTICAL MAPS FOR ATTENTION SHIFT IN AUTISM (IJCNCJournal)
Autism is a pervasive neuro-developmental disorder, primarily encompassing difficulties in the social, language, and communicative domains. Because autism is a spectrum disorder, it affects each individual differently and to varying degrees. There are three core aspects of impairment according to the Diagnostic and Statistical Manual of Mental Disorders (DSM-IV), namely impairment in socialization, impairment in communication, and restricted repetitive activities or interests. This work describes an experiment that aims to express autistic traits through the use of a self-organizing map. Work on simulating autism through self-organizing maps is limited. This work compares and contrasts the difference in attention index between normal learning and learning with a marred attention-shift ability. It was found that the attention index of normal learning is 9 times better than that of marred attention shift for both random and pre-fixed input data. In the marred attention-shift context, neurons adapt more towards the mean of both sources combined, while under the normal context some neurons adapt towards the mean of one source. Normal learning ability produces maps with neurons orienting towards the mean values of the combined stimulus sources. Impaired learning ability produces cortical maps similar to those of normal learning ability; the major difference is in the attention index.
SIMPLIFIED CBA CONCEPT AND EXPRESS CHOICE METHOD FOR INTEGRATED NETWORK MANAG... (IJCNCJournal)
This document proposes a simplified method for evaluating and selecting a network management system (NMS) for integration into an existing computer network. The method evaluates NMS options based on 3 criteria: 1) the level of integration risk, 2) the expected increase in network maintenance effectiveness, and 3) the level of management tasks completed by the system. Each criterion is evaluated on a standardized scale of 0 to 2. The scores are combined to calculate an overall value for each NMS, with the highest scoring option selected for integration. The method aims to provide a rapid evaluation that does not require extensive expertise, resources or time.
The document proposes a clustering-based approach to dynamically allocate bandwidth in wireless networks. It extracts student data from a university's course timetable to predict user distributions over time. It then applies K-means clustering to group buildings into wireless nodes based on expected user loads. This clusters student devices and allows wireless nodes to adapt their bandwidth allocation according to predicted user demands at different times. The approach is tested on a university campus network, extracting student data to predict building loads and applying K-means clustering to allocate optimal bandwidth across wireless nodes over time.
PROPOSED A HETEROGENEOUS CLUSTERING ALGORITHM TO IMPROVE QOS IN WSN (IJCNCJournal)
This article presents LEH3LA, a LEACH-extended, hierarchical, three-level clustered, heterogeneous and dynamic algorithm. In the suggested protocol, with planned auction-based selection of the cluster head and an alternative cluster-head node, the problems of processing delay, the processing needed to select members, cost, energy consumption, the number of messages sent and received inside the clusters, and cluster-head selection in large sensor networks are solved. The algorithm uses a hierarchical heterogeneous network (three levels), collective intelligence, and intra-cluster interaction for communications. It also solves the problems of sending data in multi-BS mobile networks, expanding inter-cluster networks, overlapping clusters, the creation of orphan nodes, dynamic changes of cluster boundaries, the use of backbone networks, and cloud sensors. Using a sleep/wake scheduling algorithm or a TDMA schedule, the alternative cluster-head node provides redundancy and fault tolerance. Local processing in cluster-head and alternative cluster-head nodes, together with intra-cluster and inter-cluster communications such as multi-hop, increases processing speed and the rate of intra-cluster and inter-cluster data transmission, decreases network overhead, and increases load balancing among cluster heads. Using data encapsulation by cluster-head nodes, energy consumption decreases during data transmission. By improving the quality of service (QoS) relative to CBRP, LEACH and 802.15.4, and decreasing energy consumption in sensors, cluster heads and alternative cluster-head nodes, the lifetime of the sensor network is increased.
Mobile payment method based on public key (IJCNCJournal)
Mobile payment is defined as mobile money, which is considered an attractive alternative to cash, cheque, or credit. In this paper we propose a new secure mobile payment method. This method is summarized in three processes: firstly, the authentication process, which involves the authentication phases for applying customers; secondly, the member recognition process, which tests and ensures the customer's membership with the market server; and finally, the payment process, which is performed by enciphering the customer information using the RSA public-key cryptosystem before it is submitted over an insecure network to the market server. This mobile payment method is more efficient than other payment methods since the customer can pay from his/her own mobile phone without any extra cost or effort. The RSA public-key encryption system ensures the security of the proposed method. However, to prevent a brute-force attack, the choice of key size becomes crucial.
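The closing caveat about key size is easy to make concrete. The following Python is an added example, not the paper's scheme: it generates a textbook RSA key from two deliberately tiny primes, encrypts a constructed customer token for the market server, and then plays the attacker, who factors the public modulus by trial division and recovers the private key. The authentication and membership processes of the paper are not modelled.

```python
# Added example: textbook RSA with a toy modulus, and the brute-force (factoring)
# attack that a too-small key invites. Not the paper's protocol; the primes, the
# customer token and the helper names are assumptions for illustration.
from math import isqrt
from typing import Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)

def make_toy_key(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key generation from two given primes. Real keys use two random
    primes of 1024+ bits each; the ones used below are only about 20 bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse; raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)

def encrypt(pub: PublicKey, m: int) -> int:
    """Raw RSA: c = m^e mod n. No padding, so equal plaintexts give equal ciphertexts;
    a real deployment wraps m with OAEP before this step."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(priv: PrivateKey, c: int) -> int:
    n, d = priv
    return pow(c, d, n)

def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """Brute force over odd candidates up to sqrt(n): roughly sqrt(n)/2 steps,
    about 5e5 for this toy modulus and about 2^1023 for a 2048-bit one."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")

def recover_private_key(pub: PublicKey) -> PrivateKey:
    """Once n is factored the attacker recomputes d exactly as key generation did."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))

# Constructed customer token: 4 bytes, so it fits under the ~40-bit toy modulus.
CUSTOMER_TOKEN = int.from_bytes(b"1234", "big")

def demo() -> Tuple[int, int]:
    """Returns (what the market server decrypts, what the attacker recovers)."""
    pub, priv = make_toy_key(999983, 1000003)     # both prime, toy size only
    c = encrypt(pub, CUSTOMER_TOKEN)               # sent over the insecure network
    return decrypt(priv, c), decrypt(recover_private_key(pub), c)

if __name__ == "__main__":
    server_view, attacker_view = demo()
    print("server decrypts :", server_view.to_bytes(4, "big"))
    print("attacker recovers:", attacker_view.to_bytes(4, "big"))
```

Two things follow for a deployment of the kind the abstract describes. First, the brute-force cost grows with the square root of the modulus only for this naive attack; the serious algorithms (number field sieve) are much faster, which is why 2048-bit keys are the current floor rather than something "a bit bigger than brute force allows". Second, raw RSA as in `encrypt` is deterministic and malleable, so customer records must be padded (RSA-OAEP) and, when they exceed the modulus size, carried under a symmetric key that RSA only wraps.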
LIGHT FIDELITY (LI-FI) BASED INDOOR COMMUNICATION SYSTEM (IJCNCJournal)
Indoor wireless communication is an essential part of next-generation wireless communication systems. For indoor communication, the number of users and their devices is increasing very rapidly; as a result, the capacity of the radio spectrum to accommodate further users in future is limited, and it will be difficult for service providers to offer more users reliable and high-speed communication. This shortcoming can be addressed in future by using a Li-Fi based indoor communication system. Li-Fi, an emerging branch of optical wireless communication, can be useful in future as a replacement for and backup of Wireless Fidelity (Wi-Fi) for indoor communication, because it can provide a high data rate along with the capacity to serve more users, as its spectrum bandwidth is much broader than the radio spectrum. In this paper we look at the different aspects of Li-Fi based indoor communication systems, summarize some of the research conducted so far, and propose a Li-Fi based communication model that takes into account the coverage area for multiple users, evaluating its performance under different scenarios.
Efficient management of bandwidth in wireless networks is a critical factor for a successful communication system. Special features of wireless networks, such as user mobility and the growth of wireless applications and their high bandwidth intensity, create a major challenge in utilizing bandwidth resources optimally. In this research, we propose a model for an adaptable network bandwidth management method that combines bandwidth reservation and bandwidth adaptation to reduce call blocking and dropping probabilities. The model is an integer program that determines whether or not to accept new calls and decides how to allocate bandwidth optimally so as to maximize user satisfaction. The results of a simulation study show that the proposed method outperforms an existing method with respect to key performance measures such as call blocking and dropping probabilities and call time survivability. This survivability indicator is a new measure that is introduced for the first time in this paper. We also present a second tradeoff model to allow the network manager to control the call dropping probability. The results of a second simulation study show that network users are better off if a zero call dropping policy is adopted, as proposed in the first model.
PERFORMANCES OF ORTHOGONAL WAVELET DIVISION MULTIPLEX (OWDM) SYSTEM UNDER AWG... (IJCNCJournal)
Orthogonal Wavelet Division Multiplexing (OWDM) has been considered as an alternative to Orthogonal Frequency Division Multiplexing (OFDM) in recent years. OWDM has lower computational complexity and higher flexibility compared to its OFDM counterpart. The core component of OWDM is the wavelet. Wavelets have long been a much investigated and applied topic in digital image processing; recently, they have drawn considerable attention from researchers working in the communications field. In this work we investigate the performance of OWDM under different channel conditions. We consider the following channel conditions: Additive White Gaussian Noise (AWGN), Rayleigh, Ricean, and frequency selective. We consider a number of wavelets, namely Haar, Daubechies, Biorthogonal, Reverse Biorthogonal, Coiflets, and Symlets, in the OWDM design. For the system model we choose Digital Video Broadcasting-Terrestrial (DVB-T). The DVB-T system was originally designed based on OFDM; in this work we use OWDM instead. The simulation results show that OWDM outperforms OFDM in terms of bit error rate (BER), noise resilience, and peak-to-average ratio. The results also show that Haar wavelet based OWDM outperforms OWDM systems based on the other wavelets under all of the considered channel conditions.
FLEXIBLE VIRTUAL ROUTING FUNCTION DEPLOYMENT IN NFV-BASED NETWORK WITH MINIMU... (IJCNCJournal)
In a conventional network, most network devices, such as routers, are dedicated devices that do not have much variation in capacity. In recent years, a new concept, Network Functions Virtualisation (NFV), has come into use. The intention is to implement a variety of network functions in software on general-purpose servers, which allows the network operator to select any capabilities and locations of network functions without physical constraints.
This paper focuses on the deployment of NFV-based routing functions, which are one of the critical virtual network functions, and presents an algorithm for virtual routing function allocation that minimises the total network cost. In addition, this paper presents a useful allocation policy for virtual routing functions, based on an evaluation with a ladder-shaped network model. This policy takes into consideration the ratio of the cost of a routing function to that of a circuit, and the traffic distribution in the network. Furthermore, this paper shows that there are cases where the use of NFV-based routing functions makes it possible to reduce the total network cost dramatically in comparison to a conventional network, in which it is not economically viable to distribute small-capacity routing functions.
Minimum Physical Hop (MPH) has been proposed as a peer selection algorithm for decreasing inter-AS (Autonomous System) traffic volume in P2P live streaming. In MPH, a newly joining peer selects as its providing peer the peer whose physical hop count from it (i.e., the number of ASes traversed on the content delivery path) is the minimum. However, MPH shows high inter-AS traffic volume when the number of joining peers is large. In this paper, we propose IMPH, which tries to further decrease the inter-AS traffic volume by distributing peers with a logical hop count of one (i.e., the number of peers or origin streaming servers (OSSes) traversed on the content delivery path from an OSS to the peer) across many ASes and encouraging subsequent peers to find their providing peers within the same AS. Numerical examples show that IMPH achieves up to 64% lower inter-AS traffic volume than MPH.
Fuzzy based clustering and energy efficient (IJCNCJournal)
Underwater Wireless Sensor Networks (UWSNs) are a particular kind of sensor network characterized by the use of acoustic channels for communication. UWSNs face great challenges, especially the energy supply of sensor nodes, which can be depleted rapidly by several factors. Most routing protocols proposed for terrestrial sensor networks are not adequate for UWSNs, so new routing protocol designs must be adapted to this constraint. In this paper we propose two new clustering algorithms based on Fuzzy C-Means mechanisms. In the first proposal, the cluster head is elected initially based on closeness to the center of the cluster; thereafter the node with the highest residual energy elects itself as cluster head. All non-cluster-head nodes transmit sensed data to the cluster head, which performs data aggregation and transmits the data directly to the base station. The second algorithm uses the same principle in forming clusters and electing cluster heads but operates in multi-hop mode to forward data from cluster heads to the underwater sink (uw-sink). Furthermore, the two proposed algorithms are tested for static and dynamic deployment. Simulation results demonstrate the effectiveness of the proposed algorithms, which extend the network lifetime.
A proposal to enhance cellular and wifi (IJCNCJournal)
WiFi offloading is becoming one of the key enablers helping network operators deal with the exponentially growing demand for mobile data. The idea of using WiFi to offload data traffic from the cellular network has been proposed for many years. However, the interoperability between the two networks needs to be enhanced so that WiFi can efficiently supplement the cellular network in case of congestion or outage. In this paper, we propose a novel network roaming and selection scheme based on the 3GPP TS 24.312 and IEEE 802.11k/u standards to enhance cellular and WiFi interworking. The proposed scheme is aimed at enhancing network roaming and selection so that the WiFi network can serve as a supplement and backup access network for the cellular network, not only for congestion control but also in case of an unexpected network failure event. We also model and evaluate the proposed scheme in a typical HetNet with interworking WiFi access points and cellular base stations. The simulation results show that our proposed scheme quickly detects an unexpected network failure event and assists active UEs in performing handoff to a preferable alternative point of access. As a result, service disruption is substantially reduced and quality of experience (downlink/uplink throughput) is improved. Therefore, our proposed scheme can be used for a more reliable HetNet in terms of congestion control and disruption tolerance.
Architectures for Security: A comparative analysis of hardware security features in Intel SGX and ARM TrustZone (croftsshanon)
Muhammad Asim Mukhtar, Information Technology University, Lahore, Pakistan
Muhammad Khurram Bhatti, Information Technology University, Lahore, Pakistan
Guy Gogniat, University of South Brittany, Lorient, France
Abstract—A variety of applications execute on a large untrusted computing base, which includes the operating system, hypervisor, firmware, and hardware. This large computing base is becoming complex and unverifiable. The untrusted computing base problem opens a way for a malicious application to steal the secrets of a security-critical application by compromising the untrusted computing base. To resolve this problem, computer architectures have introduced the concept of the trusted execution environment, which aims to ensure that sensitive data is stored and processed in an isolated environment. Existing popular trusted execution environments rely on hardware to isolate the environments, with no or minimal reliance on system software. However, existing hardware-assisted trusted execution environments are still vulnerable to sophisticated attacks. This paper analyses the popular trusted execution environments Intel SGX and ARM TrustZone in order to provide better insight into the intended scope of their protection. The paper illustrates their functionality, implementation and security analysis.
Index Terms—Trusted Execution Environments, TEE, Memory isolation, Intel SGX, ARM TrustZone.
I. INTRODUCTION
Normal and security-critical applications execute on a large untrusted computing base, which includes an operating system, hypervisor, firmware, and hardware. This large computing base is becoming complex and unverifiable. For example, an operating system such as Linux has 17 million lines of code [2], and CVE reported 166 vulnerabilities in it during the year 2018 related to denial of service, overflow, unauthorized privilege gain, memory corruption, directory traversal, and execution of unauthorized code. Similarly, Xen is a well-known hypervisor with 150,000 lines of code [27]; it has a relatively small code base compared with Linux but still has vulnerabilities, and CVE reported 18 vulnerabilities in Xen in the year 2018 [11]. Moreover, attacks that subvert firmware have been reported [1] [25] [23]. The execution of normal and security-critical applications on shared resources controlled by an untrusted computing base raises security threats. This opens the way for a malicious application to attack these vulnerabilities to gain unauthorized privileges, and then steal secrets from the security-critical application's address space. To cope with the.
This research work is partially supported by the PHC PERIDOT Project e-health.SECURE and National Center for Cyber Security (NCCS), Pakistan.
A SERIAL COMPUTING MODEL OF AGENT ENABLED MINING OF GLOBALLY STRONG ASSOCIATI...ijcsa
The intelligent agent based model is a popular approach to constructing Distributed Data Mining (DDM) systems that address scalable mining over large-scale and ever-increasing distributed data. In an agent based distributed system, a variety of agents coordinate and communicate with each other to perform the various tasks of the Data Mining (DM) process. In this study a serial computing model of a multi-agent system (MAS) called Agent enabled Mining of Globally Strong Association Rules (AeMGSAR) is presented, based on the serial itinerary of the mobile agents. A running environment is also designed for the implementation and performance study of the AeMGSAR system.
SYMMETRIC KEY MANAGEMENT SCHEME FOR HIERARCHICAL WIRELESS SENSOR NETWORKSIJNSA Journal
Wireless Sensor Networks (WSNs) are a critical component in many applications used for data collection. Since sensors have limited resources, WSNs are more vulnerable to attacks than other wireless networks. It is necessary to design a powerful key management scheme for WSNs that takes the limited capabilities of sensors into consideration. To achieve security of communicated data in the network and to extend the WSN lifetime, this paper proposes a new scheme called Symmetric Key Management Scheme (SKMS). SKMS uses symmetric key cryptography that depends only on a hash function and the XOR operation for securing homogeneous and heterogeneous hierarchical WSNs. Symmetric key cryptography requires less computation than asymmetric key cryptography. Simulation results show that the proposed scheme provides security and saves sensor energy with low computation overhead.
BSA 385 Week 3 Individual Assignment EssayTara Smith
Kudler Fine Foods has engaged Smith Systems Consulting to develop a Frequent Shopper Program that will track customer purchasing histories and accumulate redeemable loyalty points. The technical specifications outline the logical and physical models for the program, including hardware requirements, network architecture, software components, database design, and security controls. Smith Systems will provide IT services and consulting to develop the Frequent Shopper Program for Kudler Fine Foods.
This document discusses system devices and how operating systems interact with and configure devices. It provides an overview of device interconnects, configuration from the hardware and software perspectives, and device naming schemes in various operating systems. Specific topics covered include generic system architecture, device terminology, viewing the system device configuration, and adding new devices to Windows and Linux systems.
Efficient Data Mining Of Association Rules in Horizontally Distributed Databasesijircee
This document proposes a protocol to securely mine association rules from horizontally distributed databases in a privacy-preserving manner. The key aspects of the protocol are:
1) It uses a novel secure multi-party protocol to compute the union of private subsets held by different players, improving on prior work by avoiding commutative encryption and oblivious transfer.
2) It includes a protocol to test if an element held by one player is contained within a private subset held by another player.
3) Experimental results show the protocol has significantly lower communication and computation costs than prior work, while still protecting individual players' privacy beyond just the final mining results.
PERFORMING AN EXPERIMENTAL PLATFORM TO OPTIMIZE DATA MULTIPLEXINGijesajournal
This article is based on preliminary work on the OSI model management layers to optimize industrial wired data transfer over low data rate wireless technology. Our previous contribution dealt with the development of a demonstrator carrying CAN bus transfer frames (1 Mbps) over a low rate wireless channel provided by Zigbee technology. In order to be compatible with all the other industrial protocols, we describe in this paper our contribution to the design of an innovative Wireless Device (WD) and a software tool, which aims to determine the best architecture (hardware/software) and wireless technology to be used, taking into account the wired protocol requirements. To validate the proper functioning of this WD, we will develop an experimental platform to test the different strategies provided by our software tool. We can consequently prove which configuration (hardware/software) is the best compared to the others by the inclusion (inputs) of the required parameters of the wired protocol (load, binary rate, acknowledge timeout) and the analysis of the proposed WD architecture characteristics (outputs), such as the delay introduced by the system, the buffer size needed, CPU speed, and power consumption, meeting the input requirement. It will be important to know whether the gain comes from a hardware strategy with a hardware accelerator, for example, or a software strategy with a more perf
This document discusses NoSQL databases and how they differ from traditional relational databases. NoSQL databases are designed for large scale data storage needs and do not require a fixed schema. They prioritize high performance, availability, and scalability over strict consistency. The document then describes key aspects of NoSQL databases like their use of non-SQL queries, flexible data models, and eventual consistency.
Blue Gene_SM
Introduction
The word "supercomputer" entered the mainstream lexicon in 1996 and 1997 when IBM's Deep Blue supercomputer challenged the world chess champion in two tournaments broadcast around the world.
Since then, IBM has been busy improving its supercomputer technology and tackling much deeper problems.
Their latest project, code named Blue Gene, is poised to shatter all records for computer and network performance.
What is a Super Computer
A supercomputer is a computer that is at the frontline of current processing capacity, particularly speed of calculation.
Today, supercomputers are typically one-of-a-kind custom designs produced by "traditional" companies such as Cray, IBM and Hewlett-Packard, who had purchased many of the 1980s companies to gain their experience.
Why we need Super Computers
Supercomputers are very useful in highly calculation-intensive tasks such as
Problems involving quantum physics,
Weather forecasting,
Climate research,
Molecular modeling (computing the structures and properties of chemical compounds, biological macromolecules, polymers, and crystals),
Physical simulations (such as simulation of airplanes in wind tunnels, simulation of the detonation of nuclear weapons, and research into nuclear fusion).
Also, they are useful for a particular class of problems, known as Grand Challenge problems, full solution for such problems require semi-infinite computing resources.
NASA's Linux-based Super Computer
Why Supercomputers are Fast
Several elements of a supercomputer contribute to its high level of performance:
Numerous high-performance processors (CPUs) for parallel processing
Specially-designed high-speed internal networks
Specially-designed or tuned operating systems
What is Blue gene
Blue Gene is a computer architecture project designed to produce several supercomputers that are designed to reach operating speeds in the PFLOPS (petaFLOPS = 10^15) range, and currently reaching sustained speeds of nearly 500 TFLOPS (teraFLOPS = 10^12).
It is a cooperative project among IBM (particularly IBM Rochester and the Thomas J. Watson Research Center), the Lawrence Livermore National Laboratory, the United States Department of Energy (which is partially funding the project), and academia.
Why Blue Gene
Blue Gene is an IBM Research project dedicated to exploring the
frontiers in supercomputing:
in computer architecture,
in the software required to program and control massively parallel systems, and
in the use of computation to advance the understanding of important biological processes such as protein folding.
Learning more about biomolecular mechanisms is expected to give medical researchers better understanding of diseases, as well as potential cures.
Why the name Blue gene
Blue - The corporate color of IBM
Gene - The intended use of the Blue Gene clusters was for Computational biology.
Blue Gene Projects
VLSI Architecture for Nano Wire Based Advanced Encryption Standard (AES) with...VLSICS Design
The Advanced Encryption Standard (AES) algorithm has been extensively applied in present-day financial applications. Side-channel attacks are one of the main problems affecting AES implementations. An asynchronous AES architecture is one of the leading solutions to side-channel attacks due to its natural properties. An AES architecture with an enhanced mix column stage is proposed with a reduced transistor count. Then, Verilog-A modeling is used to evaluate the performance of the proposed AES architecture. Finally, the VLSI implementation of the AES processor is realized in 0.25 µm CMOS technology. Using the generated netlists, the proposed AES architecture is analyzed in the VLSI design environment. The simulation results show that the proposed structure achieves the minimum transistor count as well as the lowest power utilization. Moreover, the proposed CMOS technology based AES implementation is integrated into the backend based chip technology.
PERFORMANCE ANALYSIS OF SYMMETRIC KEY CIPHERS IN LINEAR AND GRID BASED SENSOR...cscpconf
Linear and grid based Wireless Sensor Networks (WSN) are formed by applications where the objects being monitored are placed in either a linear or a grid form, e.g. monitoring oil, water or gas pipelines; perimeter surveillance; monitoring traffic levels of city streets; goods warehouse monitoring. The security of data is a critical issue for all such applications, and as the devices used for monitoring have several resource constraints (bandwidth, storage capacity, battery life), it is important to have a lightweight security solution. Therefore, we consider symmetric key based solutions proposed in the literature, as asymmetric based solutions require more computation, energy and key storage. We analyse the symmetric ciphers with respect to the performance parameters RAM consumption, ROM consumption and number of CPU cycles. We perform this simulation analysis in Contiki Cooja by considering an example scenario on two different motes, namely Sky and Z1. The aim of this analysis is to come up with the best suited symmetric key based cipher for linear and grid based WSN.
Here are the key steps I would take to design a computer network:
1. Define the goals and needs of the network. What needs to be connected? How many users? What applications and services will be used?
2. Map out the physical layout. Where are devices located? How will they connect - wired or wireless? Design a logical topology to organize devices.
3. Select network hardware. Choose switches, routers, access points suitable for the size and needs. Consider wired/wireless infrastructure requirements.
4. Design the IP addressing scheme. Plan subnetting and IP ranges for efficient use of available addresses.
5. Configure network segmentation. Use VLANs or separate subnets to logically separate traffic as needed for
Key Management Schemes for Secure Communication in Heterogeneous Sensor NetworksIDES Editor
Hierarchical sensor network organization is widely used to achieve energy efficiency in Wireless Sensor Networks (WSN). To achieve security in a hierarchical WSN, it is important to be able to encrypt the messages sent between sensor nodes and their cluster head. The key management task is challenging due to the resource constrained nature of WSN. In this paper we propose two key management schemes for hierarchical networks which handle various events like node addition, node compromise and key refresh at regular intervals. The Tree-Based Scheme enables in-network processing by maintaining some additional intermediate keys, whereas the CRT-Based Scheme performs the key management with minimum communication and storage at each node.
The document discusses Mondriaan Memory Protection (MMP), a hardware mechanism that provides efficient word-level memory protection to enforce modularity in software. It aims to address issues with large, complex software failing too often by allowing fine-grained isolation of modules with narrow, irregular interfaces. MMP supports conventional instruction set architectures and binaries with low overhead, and provides a smaller trusted computing base than safe language alternatives.
The document provides an overview of the seven layers of the OSI model:
1) The physical layer defines physical connections and transmission of raw bit streams.
2) The data link layer provides addressing and error checking for data transmission between systems on a local network.
3) The network layer establishes logical addressing to route packets across multiple networks and provides fragmentation and reassembly of packets.
4) The transport layer offers reliable or unreliable data transmission and handles issues like flow control and multiplexing of data streams.
5) The session layer manages communication sessions, synchronizing data flow between endpoints.
ICDE2015 Research 3: Distributed Storage and ProcessingTakuma Wakamori
The document summarizes a research presentation on distributed storage and processing. It discusses two papers: 1) PABIRS, a data access middleware for distributed file systems that efficiently processes mixed workloads of queries. It proposes an integrated data access middleware to address this. 2) Scalable distributed transactions across heterogeneous stores.
It then provides details on PABIRS, which uses a hybrid index with a bitmap index and LSM (log-structured merge) tree index. The bitmap index is used for low selectivity keys, while the LSM index is built for "hot" values with selectivity above a threshold. The system aims to efficiently support data retrieval and insertion for various query workloads on distributed file systems.
Vulnerability Exploitation in the Open Shortest Path First ProtocolIRJET Journal
The document discusses vulnerabilities in the Open Shortest Path First (OSPF) routing protocol. It describes how an attacker inside the network can intercept OSPF hello messages and modify them to establish unauthorized neighbor relationships with routers. This allows the attacker to redirect traffic through their machine and perform man-in-the-middle attacks. The document outlines experiments conducted using Cisco routers that demonstrate how an attacker can listen to OSPF messages, send modified messages, and change the direction of network traffic.
International Journal of Engineering Research and Development (IJERD)IJERD Editor
This document summarizes a study that analyzed the performance of the AES-128 encryption algorithm using CBC mode on wireless sensor network motes. The study implemented AES-128 encryption and decryption with a 128-bit key on TinyOS motes. It found that AES-128 CBC provided reliable encryption for sensor networks and its performance was analyzed by measuring encryption time and energy consumption for different plaintext sizes and network scales. The encryption and decryption processes used the same 128-bit key and performed 10 rounds of AES transformations as specified for a 128-bit key.
This paper modifies the DYMO protocol and develops the AIS-DYMO protocol, which is capable of handling the network layer attack. That is, the performance of the network does not degrade under the attack. Various immune algorithms can be used to enhance the performance of the DYMO protocol, but the clonal selection algorithm is used in this work. Overall, the DYMO protocol is modified to handle network layer attacks by using the clonal selection immune algorithm.
Similar to OMT: A DYNAMIC AUTHENTICATED DATA STRUCTURE FOR SECURITY KERNELS (20)
Particle Swarm Optimization–Long Short-Term Memory based Channel Estimation w...IJCNCJournal
Paper Title
Particle Swarm Optimization–Long Short-Term Memory based Channel Estimation with Hybrid Beam Forming Power Transfer in WSN-IoT Applications
Authors
Reginald Jude Sixtus J and Tamilarasi Muthu, Puducherry Technological University, India
Abstract
Non-Orthogonal Multiple Access (NOMA) helps to overcome various difficulties in future wireless communication technology. When NOMA is utilized with millimeter wave multiple-input multiple-output (MIMO) systems, channel estimation becomes extremely difficult. To reap the benefits of the NOMA and mm-Wave combination, effective channel estimation is required. In this paper, we propose an enhanced particle swarm optimization based long short-term memory estimator network (PSO-LSTMEstNet), a neural network model that can be employed to forecast the bandwidth required in the mm-Wave MIMO network. The prime advantage of the LSTM is its capability to adapt dynamically to the behaviour of a fluctuating channel state. The LSTM stage with adaptive coding and modulation improves the BER. The PSO algorithm is employed to optimize the input weights of the LSTM network. The modified algorithm splits the power according to the channel condition of every single user. Participants are first sorted into distinct groups depending upon their respective channel conditions, using a hybrid beamforming approach. The network characteristics are fine-estimated using PSO-LSTMEstNet after a rough approximation of the channel parameters derived from the received data.
Keywords
Signal to Noise Ratio (SNR), Bit Error Rate (BER), mm-Wave, MIMO, NOMA, deep learning, optimization.
Volume URL: https://airccse.org/journal/ijc2022.html
Abstract URL:https://aircconline.com/abstract/ijcnc/v14n5/14522cnc05.html
Pdf URL: https://aircconline.com/ijcnc/V14N5/14522cnc05.pdf
Here's where you can reach us : ijcnc@airccse.org or ijcnc@aircconline.com
June 2024 - Top 10 Read Articles in Computer Networks & CommunicationsIJCNCJournal
The International Journal of Computer Networks & Communications (IJCNC) is a bi-monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of Computer Networks & Communications. The journal focuses on all technical and practical aspects of Computer Networks & data Communications. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on advanced networking concepts and establishing new collaborations in these areas.
Enhanced Traffic Congestion Management with Fog Computing - A Simulation-Base...IJCNCJournal
Abstract: Accurate latency computation is essential for the Internet of Things (IoT) since the connected devices generate a vast amount of data that is processed on cloud infrastructure. However, the cloud is not an optimal solution. To overcome this issue, fog computing is used to enable processing at the edge while still allowing communication with the cloud. Many applications rely on fog computing, including traffic management. In this paper, an Intelligent Traffic Congestion Mitigation System (ITCMS) is proposed to address traffic congestion in heavily populated smart cities. The proposed system is implemented using fog computing and tested in the crowded city of Cairo. The results obtained indicate that the execution time of the simulation is 4,538 seconds, and the delay in the application loop is 49.67 seconds. The paper addresses various issues, including CPU usage, heap memory usage, throughput, and the total average delay, which are essential for evaluating the performance of the ITCMS. Our system model is also compared with other models to assess its performance. A comparison is made using two parameters, namely throughput and the total average delay, between the ITCMS, IOV (Internet of Vehicles), and STL (Seasonal-Trend Decomposition Procedure based on LOESS). Consequently, the results confirm that the proposed system outperforms the others in terms of higher accuracy, lower latency, and improved traffic efficiency.
Call for Papers -International Journal of Computer Networks & Communications ...IJCNCJournal
International Journal of Computer Networks & Communications (IJCNC)
Citations, h-index, i10-index of IJCNC
---- Scopus, ERA Listed, WJCI Indexed ----
Scopus Cite Score 2022--1.8
https://airccse.org/journal/ijcnc.html
IJCNC is listed in ERA 2023 as per the Australian Research Council (ARC) Journal Ranking
Scope & Topics
Authors are solicited to contribute to this journal by submitting articles that illustrate research results, projects, surveying works and industrial experiences that describe significant advances in the Computer Networks & Communications.
Topics of Interest
· Network Protocols & Wireless Networks
· Network Architectures
· High speed networks
· Routing, switching and addressing techniques
· Next Generation Internet
· Next Generation Web Architectures
· Network Operations & management
· Adhoc and sensor networks
· Internet and Web applications
· Ubiquitous networks
· Mobile networks & Wireless LAN
· Wireless Multimedia systems
· Wireless communications
· Heterogeneous wireless networks
· Measurement & Performance Analysis
· Peer to peer and overlay networks
· QoS and Resource Management
· Network Based applications
· Network Security
· Self-Organizing Networks and Networked Systems
· Optical Networking
· Mobile & Broadband Wireless Internet
· Recent trends & Developments in Computer Networks
Paper Submission
Authors are invited to submit papers for this journal through E-mail: ijcnc@airccse.org or through Submission System. Submissions must be original and should not have been published previously or be under consideration for publication while being evaluated for this Journal.
Important Dates
· Submission Deadline : June 22, 2024
· Notification : July 22, 2024
· Final Manuscript Due : July 29, 2024
· Publication Date : Determined by the Editor-in-Chief
Contact Us
Here's where you can reach us: ijcnc@airccse.org or ijcnc@aircconline.com
For other details please visit - http://airccse.org/journal/ijcnc.html
Rendezvous Sequence Generation Algorithm for Cognitive Radio Networks in Post...IJCNCJournal
Recent natural disasters have inflicted tremendous damage on humanity, with their scale progressively increasing and leading to numerous casualties. Events such as earthquakes can trigger secondary disasters, such as tsunamis, further complicating the situation by destroying communication infrastructures. This destruction impedes the dissemination of information about secondary disasters and complicates post-disaster rescue efforts. Consequently, there is an urgent demand for technologies capable of substituting for these destroyed communication infrastructures. This paper proposes a technique for generating rendezvous sequences to swiftly reconnect communication infrastructures in post-disaster scenarios. We compare the time required for rendezvous using the proposed technique against existing methods and analyze the average time taken to establish links with the rendezvous technique, discussing its significance. This research presents a novel approach enabling rapid recovery of destroyed communication infrastructures in disaster environments through Cognitive Radio Network (CRN) technology, showcasing the potential to significantly improve disaster response and recovery efforts. The proposed method reduces the time for the rendezvous compared to existing methods, suggesting that it can enhance the efficiency of rescue operations in post-disaster scenarios and contribute to life-saving efforts.
Blockchain Enforced Attribute based Access Control with ZKP for Healthcare Se...IJCNCJournal
The relationship between doctors and patients is reinforced through the expanded communication channels provided by remote healthcare services, resulting in heightened patient satisfaction and loyalty. Nonetheless, the growth of these services is hampered by the security and privacy challenges they confront. Additionally, patient electronic health record (EHR) information is dispersed across multiple hospitals in different formats, undermining data sovereignty: any service can assert authority over the EHR, effectively controlling its usage. This paper proposes blockchain enforced attribute-based access control for healthcare services. To enhance privacy and data sovereignty, the proposed system employs attribute-based access control, zero-knowledge proof (ZKP) and blockchain. The role of data within our system is pivotal in defining attributes, and these attributes in turn form the basis for the access control criteria. The blockchain keeps hospital information in a public chain but EHR related data in a private chain. Furthermore, EHRs are protected by the attribute-based cryptosystem before they are stored in the blockchain. Analysis shows that the proposed system provides data sovereignty with privacy provision based on attribute-based access control.
EECRPSID: Energy-Efficient Cluster-Based Routing Protocol with a Secure Intru...IJCNCJournal
A revolutionary idea that has gained significance in technology for Internet of Things (IoT) networks backed by WSNs is the "Energy-Efficient Cluster-Based Routing Protocol with a Secure Intrusion Detection" (EECRPSID). The hardware foundation of a WSN-powered IoT infrastructure is hardware with autonomous sensing capabilities. The significant features of the proposed technology are intelligent environment sensing, independent data collection, and information transfer to connected devices. However, hardware flaws and issues with energy consumption may be to blame for device failures in WSN-assisted IoT networks, which can obstruct the transfer of data. A reliable route significantly reduces data retransmissions, which reduces traffic and conserves energy. The sensor hardware is often widely dispersed in IoT networks that use WSNs, and data duplication can occur if numerous sensor devices monitor the same location. Clustering provides a solution to this issue: it lessens network traffic while retaining path dependability compared to the multipath technique. To relieve duplicate data in EECRPSID, we applied the clustering technique, while the multipath strategy makes the proposed protocol more dependable. Using the EECRPSID algorithm reduces the overall energy consumption, minimizes the end-to-end delay to 0.14 s, achieves a 99.8% Packet Delivery Ratio, and increases the network's lifespan. The NS2 simulator is used to run the whole set of simulations. The EECRPSID method has been implemented in NS2, and the simulated results indicate that it improves the performance measures compared to the other three technologies.
Analysis and Evolution of SHA-1 Algorithm - Analytical TechniqueIJCNCJournal
A 160-bit (20-byte) hash value, sometimes called a message digest, is generated using the SHA-1 (Secure Hash Algorithm 1) hash function in cryptography. This value is commonly represented as 40 hexadecimal digits. It is a Federal Information Processing Standard in the United States and was developed by the National Security Agency. Although it has been cryptographically cracked, the technique is still in widespread usage. In this work, we conduct a detailed and practical analysis of the SHA-1 algorithm's theoretical elements and show how they have been implemented through the use of several different hash configurations.
Optimizing CNN-BiGRU Performance: Mish Activation and Comparative AnalysisIJCNCJournal
Deep learning is currently extensively employed across a range of research domains. The continuous advancements in deep learning techniques contribute to solving intricate challenges. Activation functions (AF) are fundamental components within neural networks, enabling them to capture complex patterns and relationships in the data. By introducing non-linearities, AF empowers neural networks to model and adapt to the diverse and nuanced nature of real-world data, enhancing their ability to make accurate predictions across various tasks. In the context of intrusion detection, the Mish, a recent AF, was implemented in the CNN-BiGRU model, using three datasets: ASNM-TUN, ASNM-CDX, and HOGZILLA. The comparison with Rectified Linear Unit (ReLU), a widely used AF, revealed that Mish outperforms ReLU, showcasing superior performance across the evaluated datasets. This study illuminates the effectiveness of AF in elevating the performance of intrusion detection systems.
An Hybrid Framework OTFS-OFDM Based on Mobile Speed EstimationIJCNCJournal
Future wireless communication systems face the challenging task of simultaneously providing high quality of service (QoS) and broadband data transmission, while also minimizing power consumption, latency, and system complexity. Although Orthogonal Frequency Division Multiplexing (OFDM) has been widely adopted in 4G and 5G systems, it struggles to cope with significant delay and Doppler spread in high mobility scenarios. To address these challenges, a novel waveform named Orthogonal Time Frequency Space (OTFS) has been introduced, whose designers aim to outperform OFDM by closely aligning signals with the channel behaviour. In this paper, we propose a switching strategy that empowers operators to select the most appropriate waveform based on an estimated speed of the mobile user. This strategy enables the base station to dynamically choose the waveform that best suits the mobile user's speed. Additionally, we suggest retaining an Integrated Sensing and Communication (ISAC) radar approach for accurate Doppler estimation, which provides precise information to facilitate the waveform selection procedure. By leveraging the switching strategy and harnessing the Doppler estimation capabilities of an ISAC radar, our proposed approach aims to enhance the performance of wireless communication systems in high mobility cases. Considering the complexity of waveform processing, we introduce an optimized hybrid system that combines OTFS and OFDM, resulting in reduced complexity while still retaining the performance benefits. This hybrid system presents a promising solution for improving the performance of wireless communication systems under higher mobility. The simulation results validate the effectiveness of our approach, demonstrating its potential advantages for future wireless communication systems.
Enhanced Traffic Congestion Management with Fog Computing - A Simulation-Base...IJCNCJournal
Accurate latency computation is essential for the Internet of Things (IoT) since the connected devices generate a vast amount of data that is processed on cloud infrastructure. However, the cloud is not an optimal solution. To overcome this issue, fog computing is used to enable processing at the edge while still allowing communication with the cloud. Many applications rely on fog computing, including traffic management. In this paper, an Intelligent Traffic Congestion Mitigation System (ITCMS) is proposed to address traffic congestion in heavily populated smart cities. The proposed system is implemented using fog computing and tested in a crowdedCairo city. The results obtained indicate that the execution time of the simulation is 4,538 seconds, and the delay in the application loop is 49.67 seconds. The paper addresses various issues, including CPU usage, heap memory usage, throughput, and the total average delay, which are essential for evaluating the performance of the ITCMS. Our system model is also compared with other models to assess its performance. A comparison is made using two parameters, namely throughput and the total average delay, between the ITCMS, IOV (Internet of Vehicle), and STL (Seasonal-Trend Decomposition Procedure based on LOESS). Consequently, the results confirm that the proposed system outperforms the others in terms of higher accuracy, lower latency, and improved traffic efficiency.
Rendezvous Sequence Generation Algorithm for Cognitive Radio Networks in Post...IJCNCJournal
Recent natural disasters have inflicted tremendous damage on humanity, with their scale progressively increasing and leading to numerous casualties. Events such as earthquakes can trigger secondary disasters, such as tsunamis, further complicating the situation by destroying communication infrastructures. This destruction impedes the dissemination of information about secondary disasters and complicates post-disaster rescue efforts. Consequently, there is an urgent demand for technologies capable of substituting for these destroyed communication infrastructures. This paper proposes a technique for generating rendezvous sequences to swiftly reconnect communication infrastructures in post-disaster scenarios. We compare the time required for rendezvous using the proposed technique against existing methods and analyze the average time taken to establish links with the rendezvous technique, discussing its significance. This research presents a novel approach enabling rapid recovery of destroyed communication infrastructures in disaster environments through Cognitive Radio Network (CRN) technology, showcasing the potential to significantly improve disaster response and recovery efforts. The proposed method reduces the time for the rendezvous compared to existing methods, suggesting that it can enhance the efficiency of rescue operations in post-disaster scenarios and contribute to life-saving efforts.
Vehicle Ad Hoc Networks (VANETs) have become a viable technology to improve traffic flow and safety on the roads. Due to its effectiveness and scalability, the Wingsuit Search-based Optimised Link State Routing Protocol (WS-OLSR) is frequently used for data distribution in VANETs. However, the selection of MultiPoint Relays (MPRs) plays a pivotal role in WS-OLSR's performance. This paper presents an improved MPR selection algorithm tailored to WS-OLSR, designed to enhance the overall routing efficiency and reduce overhead. The analysis found that the current OLSR protocol has problems such as redundancy of HELLO and TC message packets or failure to update routing information in time, so a WS-OLSR routing protocol based on improved-MPR selection algorithm was proposed. Firstly, factors such as node mobility and link changes are comprehensively considered to reflect network topology changes, and the broadcast cycle of node HELLO messages is controlled through topology changes. Secondly, a new MPR selection algorithm is proposed, considering link stability issues and nodes. Finally, evaluate its effectiveness in terms of packet delivery ratio, end-to-end delay, and control message overhead. Simulation results demonstrate the superior performance of our improved MR selection algorithm when compared to traditional approaches.
May 2024, Volume 16, Number 3 - The International Journal of Computer Network...IJCNCJournal
The International Journal of Computer Networks & Communications (IJCNC) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of Computer Networks & Communications. The journal focuses on all technical and practical aspects of Computer Networks & data Communications. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on advanced networking concepts and establishing new collaborations in these areas.
Vehicle Ad Hoc Networks (VANETs) have become a viable technology to improve traffic flow and safety on the roads. Due to its effectiveness and scalability, the Wingsuit Search-based Optimised Link State Routing Protocol (WS-OLSR) is frequently used for data distribution in VANETs. However, the selection of MultiPoint Relays (MPRs) plays a pivotal role in WS-OLSR's performance. This paper presents an improved MPR selection algorithm tailored to WS-OLSR, designed to enhance the overall routing efficiency and reduce overhead. The analysis found that the current OLSR protocol has problems such as redundancy of HELLO and TC message packets or failure to update routing information in time, so a WS-OLSR routing protocol based on improved-MPR selection algorithm was proposed. Firstly, factors such as node mobility and link changes are comprehensively considered to reflect network topology changes, and the broadcast cycle of node HELLO messages is controlled through topology changes. Secondly, a new MPR selection algorithm is proposed, considering link stability issues and nodes. Finally, evaluate its effectiveness in terms of packet delivery ratio, end-to-end delay, and control message overhead. Simulation results demonstrate the superior performance of our improved MR selection algorithm when compared to traditional approaches.
A Novel Medium Access Control Strategy for Heterogeneous Traffic in Wireless ...IJCNCJournal
So far, Wireless Body Area Networks (WBANs) have played a pivotal role in driving the development of intelligent healthcare systems with broad applicability across various domains. Each WBAN consists of one or more types of sensors that can be embedded in clothing, attached directly to the body, or even implanted beneath an individual's skin. These sensors typically serve asingle application. However, the traffic generated by each sensor may have distinct requirements. This diversity necessitates a dual approach: tailored treatment based on the specific needs of each traffic typeand the fulfillment of application requirements, such asreliability and timeliness. Never the less, the presence of energy constraints and the unreliable nature of wireless communications make QoS provisioning under such networks a non-trivial task. In this context, the current paper introduces a novel Medium AccessControl (MAC) strategy for the regular traffic applications of WBANs, designed to significantly enhance efficiency when compared to the established MAC protocols IEEE 802.15.4 and IEEE 802.15.6, with a particular focus on improving reliability, timeliness, and energy efficiency.
May_2024 Top 10 Read Articles in Computer Networks & Communications.pdfIJCNCJournal
The International Journal of Computer Networks & Communications (IJCNC) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of Computer Networks & Communications. The journal focuses on all technical and practical aspects of Computer Networks & data Communications. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on advanced networking concepts and establishing new collaborations in these areas.
A Topology Control Algorithm Taking into Account Energy and Quality of Transm...IJCNCJournal
The efficient use of energy in wireless sensor networks is critical for extending node lifetime. The network topology is one of the factors that have a significant impact on the energy usage at the nodes and the quality of transmission (QoT) in the network. We propose a topology control algorithm for software-defined wireless sensor networks (SDWSNs) in this paper. Our method is to formulate topology control algorithm as a nonlinear programming (NP) problem with the objective to optimizing two metrics, maximum communication range, and desired degree. This NP problem is solved at the SDWSN controller by employing the genetic algorithm (GA) to determine the best topology. The simulation results show that the proposed algorithm outperforms the MaxPower algorithm in terms of average node degree and energy expansion ratio.
Multi-Server user Authentication Scheme for Privacy Preservation with Fuzzy C...IJCNCJournal
The integration of artificial intelligence technology with a scalable Internet of Things (IoT) platform facilitates diverse smart communication services, allowing remote users to access services from anywhere at any time. The multi-server environment within IoT introduces a flexible security service model, enabling users to interact with any server through a single registration. To ensure secure and privacy preservation services for resources, an authentication scheme is essential. Zhao et al. recently introduced a user authentication scheme for the multi-server environment, utilizing passwords and smart cards, claiming resilience against well-known attacks. This paper conducts cryptanalysis on Zhao et al.'s scheme, focusing on denial of service and privacy attacks, revealing a lack of user-friendliness. Subsequently, we propose a new multi-server user authentication scheme for privacy preservation with fuzzy commitment over the IoT environment, addressing the shortcomings of Zhao et al.'s scheme. Formal security verification of the proposed scheme is conducted using the ProVerif simulation tool. Through both formal and informal security analyses, we demonstrate that the proposed scheme is resilient against various known attacks and those identified in Zhao et al.'s scheme.
Advanced Privacy Scheme to Improve Road Safety in Smart Transportation SystemsIJCNCJournal
In -Vehicle Ad-Hoc Network (VANET), vehicles continuously transmit and receive spatiotemporal data with neighboring vehicles, thereby establishing a comprehensive 360-degree traffic awareness system. Vehicular Network safety applications facilitate the transmission of messages between vehicles that are near each other, at regular intervals, enhancing drivers' contextual understanding of the driving environment and significantly improving traffic safety. Privacy schemes in VANETs are vital to safeguard vehicles’ identities and their associated owners or drivers. Privacy schemes prevent unauthorized parties from linking the vehicle's communications to a specific real-world identity by employing techniques such as pseudonyms, randomization, or cryptographic protocols. Nevertheless, these communications frequently contain important vehicle information that malevolent groups could use to Monitor the vehicle over a long period. The acquisition of this shared data has the potential to facilitate the reconstruction of vehicle trajectories, thereby posing a potential risk to the privacy of the driver. Addressing the critical challenge of developing effective and scalable privacy-preserving protocols for communication in vehicle networks is of the highest priority. These protocols aim to reduce the transmission of confidential data while ensuring the required level of communication. This paper aims to propose an Advanced Privacy Vehicle Scheme (APV) that periodically changes pseudonyms to protect vehicle identities and improve privacy. The APV scheme utilizes a concept called the silent period, which involves changing the pseudonym of a vehicle periodically based on the tracking of neighboring vehicles. The pseudonym is a temporary identifier that vehicles use to communicate with each other in a VANET. By changing the pseudonym regularly, the APV scheme makes it difficult for unauthorized entities to link a vehicle's communications to its real-world identity. 
The proposed APV is compared to the SLOW, RSP, CAPS, and CPN techniques. The data indicates that the efficiency of APV is a better improvement in privacy metrics. It is evident that the AVP offers enhanced safety for vehicles during transportation in the smart city.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
OMT: A DYNAMIC AUTHENTICATED DATA STRUCTURE FOR SECURITY KERNELS
International Journal of Computer Networks & Communications (IJCNC) Vol.8, No.4, July 2016
DOI: 10.5121/ijcnc.2016.8401
OMT: A DYNAMIC AUTHENTICATED DATA STRUCTURE FOR SECURITY KERNELS
Somya D. Mohanty^1, Mahalingam Ramkumar^2 and Naresh Adhikari^3
^1 Department of Computer Science, University of North Carolina - Greensboro, Greensboro, USA
^2 Department of Computer Science and Engineering, Mississippi State University, Starkville, USA
^3 Department of Computer Science and Engineering, Mississippi State University, Starkville, USA
ABSTRACT
We introduce a family of authenticated data structures — Ordered Merkle Trees (OMT) — and illustrate
their utility in security kernels for a wide variety of sub-systems. Specifically, the utility of two types of
OMTs: a) the index ordered merkle tree (IOMT) and b) the range ordered merkle tree (ROMT), are
investigated for their suitability in security kernels for various sub-systems of Border Gateway Protocol
(BGP), the Internet’s inter-autonomous system routing infrastructure. We outline simple generic security
kernel functions to maintain OMTs, and sub-system specific security kernel functionality for BGP
sub-systems (like registries, autonomous system owners, and BGP speakers/routers), that take advantage of
OMTs.
KEYWORDS
Security Kernels, Border Gateway Protocol (BGP), Authenticated Data Structure (ADS)
1. INTRODUCTION
Any system can be seen as a network of sub-systems, each with a specific role in the operation of
the system, interacting with each other according to system-specific and/or role-specific rules. For
an ever increasing range of systems, some or all sub-systems take the form of a computer, or a
collection of computers (most often a server with one or more back-end servers). For example,
sub-systems in the domain name system (DNS) have roles like zone authorities, who create DNS
resource records (RR) pertaining to the zone; authoritative name servers, that are chosen by the
zone authority to disseminate DNS RRs for the zone; and local (or preferred) name servers, that
iteratively query authoritative name servers to resolve queries from clients. Similarly,
sub-systems in the inter-domain routing infrastructure for the Internet — the Border Gateway Protocol
(BGP) — have different roles like autonomous system (AS) owner; AS registry, that assigns AS
numbers to AS owners; IP registry that issues (through IP registrars and ISPs) chunks of IP
addresses, or IP prefixes (a chunk of consecutive addresses) to AS owners; and BGP speakers for
an AS, authorized by the AS owner to originate routes for IP prefixes owned by AS.
Undesired functionality in any hardware/software component of a sub-system may be exploited
by an attacker to cause the sub-system to misbehave. Undesired functionality may be deliberately
hidden malicious functionality (HMF), or accidental bugs. Attackers who exploit undesired
functionality may be personnel with legitimate access to the sub-system, or anyone who can take
advantage of a remotely exploitable HMF/bug to exert some control over the sub-system. For
example, an attacker can a) compromise a BGP speaker (in a router) to send incorrect routing
information; or b) compromise a computer used by the AS administrator to modify the AS
policies/preferences; or c) compromise a computer of an administrator in the IP/AS/DNS registry
to make duplicate address/AS number assignments.
1.1. Security Kernel
It is far from practical to assure the integrity of every hardware/software component of every
sub-system. One possible approach to secure systems is to mandate that all
important sub-systems should be associated with an appropriate security kernel that vouches for
the integrity of (system-specific and role-specific) tasks performed by the sub-system.
Specifically, all components of the sub-system are assumed to be untrustworthy; only the security
kernel is trusted.
The security kernel for a system/sub-system is also referred to as the trusted computing base
(TCB) for the system/sub-system. The TCB for any system is “a small amount of software and
hardware that security depends on, and that we distinguish from a much larger amount that can
misbehave without affecting security” [1]. For purposes of this paper, the exact nature of the TCB is not
important. For example, the TCB for any sub-system could take the form of a dedicated hardware
security module, or a software module executed on a general purpose platform, with some special
protections [2] to guarantee that the security kernel will run unmolested, etc.
In the rest of this paper we shall assume that the security kernel for a sub-system is a set of
functions executed by a read-proof and write-proof module T. It is essential that the security
kernel functionality is deliberately constrained to be simple — to permit consummate verification
of the functionality, and thereby, rule out the presence of undesired functionality within the
security kernel.
Some of the components of the security kernel will necessarily be specific to the nature of the
sub-system whose operation is assured by the module — the security kernel functionality for a
DNS server will be different from that of an IP registry or a BGP speaker. Nevertheless, to
simplify testing of the security kernel functionality, it is advantageous to possess efficient
re-usable components of the security kernels, with potential to be useful in a wide range of
sub-systems. The specific contributions of this paper are: a) an efficient reusable authenticated data
structure (ADS), an ordered merkle tree (OMT), and b) illustration of utility of OMTs in a broad
range of security kernels (for a broad range of sub-systems).
1.2. Ordered Merkle Tree
An ADS [3, 4, 5, 6, 7] is a strategy for obtaining a concise cryptographic commitment for a set of
records. Often, the commitment is the root of a hash tree. Any record can be verified against the
commitment by performing a small number of hash operations. An ordered merkle tree (OMT) is
an ADS that is derived as an extension of the better known merkle hash tree. Similar to a plain
merkle tree, an OMT permits a resource (computation and storage) limited module to track the
records in a dynamic database of any size, maintained by untrusted components of the associated
sub-system. Using an OMT (instead of a plain merkle tree) permits the resource limited module
to additionally infer a few other “useful holistic properties” regarding the database. For
illustrating the broad utility of OMTs, we explore the security kernel functionality necessary for
assuring the operation of various BGP sub-systems like IP and autonomous system (AS)
registry/registrars, AS owners, and BGP speakers, etc.
The rest of this paper is organized as follows. In Section 2 we introduce OMTs, and discuss two
types of OMTs — the index ordered merkle tree (IOMT) and the range ordered merkle tree
(ROMT). In Section 3 we provide an overview of BGP. We enumerate the desired assurances
regarding the operation of BGP and suggest high level designs of the security kernel functionality
utilizing OMTs to guarantee the desired assurances (to the extent the security kernels are trusted).
In Section 5, we suggest other possible applications of OMTs and offer our conclusions.
2. ORDERED MERKLE TREE
The merkle hash tree [8] is a data structure constructed using repeated applications of a
pre-image resistant hash function $h()$ (for example, SHA-1). Figure 1 depicts a tree with $N = 16$
leaves. In practical merkle tree applications each leaf can be seen as a record belonging to some
database.
Figure 1. A binary hash tree with 16 leaves. Nodes $v_6^0, v_3^1, v_1^2, v_0^3$ (filled gray) and root $\xi$ are ancestors of
leaf $L_6$. $\mathbf{v}_6 = \{v_7^0, v_2^1, v_0^2, v_1^3\}$ are “complementary” to $v_6^0$.
A tree with $N$ leaves has a height of $L = \log_2 N$. At level 0 of the tree are $N$ leaf-nodes, one
corresponding to each leaf, typically derived by hashing the leaf. At the next level (level 1) are
$N/2 = N/2^1$ nodes, each computed by hashing together a pair of “sibling” nodes in level 0. Level
$i$ has $N/2^i$ nodes computed by hashing a pair of siblings in level $i-1$, and so on, till we end up
with a lone node $\xi$ at level $L$, the root of the binary tree. A tree with $N = 2^L$ leaves has
$2N - 1$ nodes distributed over $L + 1$ levels, where $L = \log_2 N$. Two nodes $v_i^j$ and $v_{i+1}^j$
at level $j$ are siblings if $i$ is even (else $v_{i-1}^j$ and $v_i^j$ are siblings). Two siblings, the left sibling
$u$ and the right sibling $v$, are hashed together to obtain the parent node as $p = h(u, v)$. Given a
value $v_i^0$, the index $i$ of the leaf node, and the set of $k$ complementary nodes, it is trivial to
identify the sequence of $k$ hash operations necessary to map a leaf node to the root. We shall
represent by
$$y = f_m(v, i, \mathbf{v}_i) \qquad (1)$$
a sequence of $k$ hash operations to obtain the sub-tree root $y$ from a leaf-node with value $v$ and
position index $i$.
4. International Journal of Computer Networks & Communications (IJCNC) Vol.8, No.4, July 2016
2.1. OMT Leaves and Node
An ordered merkle tree (OMT) is an extension of the merkle tree with the imposition of a special
structure for the leaves of the tree. Every leaf is of the form

$L_A = (A, A', \omega_A)$ (2)

Corresponding to a leaf (A, A′, ω_A) is a leaf node computed as

$v_A = H_L(A, A', \omega_A) = \begin{cases} 0 & A = 0 \\ h(A, A', \omega_A) & A \neq 0 \end{cases}$ (3)
In addition, unlike a plain merkle tree which is intended primarily for dynamic databases with a
static number of records (leaves), OMTs are intended to be used for scenarios where leaves may
need to be inserted/deleted. For this purpose it is advantageous to redefine the operation of
mapping two siblings u and v to their parent p as

$p = H_V(u, v) = \begin{cases} u & \text{if } v = 0 \\ v & \text{if } u = 0 \\ h(u, v) & \text{if } u \neq 0, v \neq 0 \end{cases}$ (4)

In other words, the parent of two nodes is the hash of the two child nodes only if both children
are non-zero. If any child is zero, the parent is the same as the other child. The parent of
u = v = 0 is p = 0.
An OMT leaf with the first field set to zero is an empty leaf, represented as Φ. The leaf hash
corresponding to an empty leaf is 0. As introducing an empty leaf node (corresponding to an
empty leaf) does not affect any other node of the tree, any number of empty leaves may be seen
as part of the tree.
2.2. OMT Types
OMTs can be seen as falling under two broad categories depending on the interpretation of the
first two values. In the first category are index ordered MTs (IOMT), where the first value is
interpreted as an index, and the second value is the next higher index in the tree. For the leaf
corresponding to the highest index the next index is the least index. The third value ω_A in a leaf
(A, A′, ω_A) provides some information regarding index A. For example, ω_A could be the hash
of the contents of a database record with index A. It is also possible that ω_A is a root of another
OMT, in which case A is an index of a database (which may consist of any number of indexed
records).
In an IOMT, existence of a leaf like (432, 562, ω) indicates that no leaf exists for indexes
between 432 and 562. A wrapped around leaf like (796, 241, ω) indicates that no leaf exists
for indexes greater than 796, and for indexes less than 241.
For range ordered MT (ROMT) the values A and A′ represent the range [A, A′) of some
quantity associated with the third value ω_A. For example, a leaf like (432, 562, ω) indicates that
the quantity ω is associated with a range [432, 562) (or 432 ≤ x < 562). For example, an
ROMT may be used to represent a look up table (LUT) for some function y = f(x). In such an
ROMT each leaf indicates a range of the independent variable x, corresponding to which the
function evaluates to the dependent variable y = ω (the third value in the leaf).
2.3. OMT Properties
Some of the important properties of OMTs are as follows. The leaf hash corresponding to an
empty leaf Φ is zero. A tree with root 0 can be seen as a tree with any number of empty leaves.
For a tree with a single leaf, the leaf hash is the same as the root of the tree. The existence of a
leaf (A, A, ω_A) in an OMT indicates that the leaf is the only leaf in the tree (in which case the
root will be the same as the leaf hash H_L(A, A, ω_A)). Existence of a leaf like (1, 3, ω_1) is proof
that no leaf exists with first field in-between 1 and 3. Existence of a leaf like (7, 1, ω_7) is proof
that no leaf exists with first field less than 1 and that no leaf exists with first field greater than 7.
As leaves are ordered virtually, the actual physical ordering of leaves has no inherent meaning.
Thus, swapping leaves of an OMT does not affect the integrity of the database represented by the
OMT.
For both IOMT and ROMT, a leaf with a first field A can be inserted only if a leaf whose first two
fields circularly enclose A exists. For inserting a leaf the contents of two leaves in the tree
will need to be modified: an empty leaf Φ will be modified to become the newly inserted leaf,
and the second value of the enclosing leaf will need to be modified.
A place-holder is a non-empty leaf whose insertion does not change the interpretation of the
database. For an IOMT, a leaf of the form (A, A′, 0) (third value zero) is a place holder.
Introduction of a place holder for an index A does not change the database in any way, as both
existence of a place holder for index A and non-existence of a leaf for index A imply that "no
record exists for index A." Thus,

$(1,3,\omega_1),\ (3,4,\omega_3),\ (4,7,\omega_4),\ (7,1,\omega_7)$ and $(1,3,\omega_1),\ (3,4,\omega_3),\ (4,5,\omega_4),\ (5,7,0),\ (7,1,\omega_7)$ (5)

which correspond to before and after insertion of a place holder for an index 5, represent an
identical database. For an ROMT, a place holder is a leaf with third value the same as the third
value of the enclosing leaf. Specifically, inserting a leaf can be seen as a process of splitting a leaf
(for example) (4, 7, ω_4) into two leaves (for example) (4, 5, ω_4) and (5, 7, ω_4). Specifically,
both

$(1,3,a),\ (3,4,b),\ (4,7,c),\ (7,1,d)$ and $(1,3,a),\ (3,4,b),\ (4,5,c),\ (5,7,c),\ (7,1,d)$ (6)

represent an identical database. Before insertion, the leaf (4, 7, c) indicated that values 4 ≤ x < 7
are associated with c. Nothing has changed after the range is split into two, as values
(4 ≤ x < 5) and values (5 ≤ x < 7) are associated with the same quantity c. While operations
like swapping leaves in any OMT or insertion/deletion of a place holder do not change the
contents of the database, they will result in a change in the root of the tree — say from r to r′.
Such roots are considered as equivalent roots.
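The leaf and parent rules of eqs. (3) and (4), the circular-enclosure test behind the IOMT/ROMT non-existence proofs, and the place-holder insertions of eqs. (5) and (6), as an added worked example (not code from the paper). It assumes SHA-256 as h(), the empty byte string as the "0" node, and represents leaves as plain tuples.

```python
import hashlib

ZERO = b""            # the paper's "0" node value / leaf hash (assumption: empty byte string)
EMPTY = (0, 0, 0)     # the empty leaf Φ (first field zero)


def h(*fields):
    """SHA-256 over length-prefixed fields (stand-in for the paper's h())."""
    enc = [f if isinstance(f, bytes) else str(f).encode() for f in fields]
    return hashlib.sha256(b"".join(len(b).to_bytes(4, "big") + b for b in enc)).digest()


def H_L(A, A_next, omega):
    """Eq. (3): leaf hash; an empty leaf hashes to 0."""
    return ZERO if A == 0 else h(A, A_next, omega)


def H_V(u, v):
    """Eq. (4): a zero child is transparent, so empty leaves never change the root."""
    if u == ZERO:
        return v
    if v == ZERO:
        return u
    return h(u, v)


def omt_root(leaves):
    """Root of the OMT whose physical leaf order is the order of `leaves`."""
    nodes = [H_L(*leaf) for leaf in leaves]
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes.append(ZERO)                      # pad with an empty leaf node
        nodes = [H_V(nodes[i], nodes[i + 1]) for i in range(0, len(nodes), 2)]
    return nodes[0] if nodes else ZERO


def encloses(A, A_next, x):
    """True if a leaf (A, A_next, .) proves that no leaf with first field x exists:
    x lies strictly inside the circular gap between A and A_next."""
    if A == A_next:                 # lone leaf: encloses every other index
        return x != A
    if A < A_next:
        return A < x < A_next
    return x > A or x < A_next      # wrapped-around leaf, e.g. (796, 241, .)


def insert_placeholder(leaves, x, romt=False):
    """Split the enclosing leaf (A, A', w) into (A, x, w) and (x, A', w'), where w' is 0 for an
    IOMT and w for an ROMT (eqs. 5 and 6); an empty leaf Φ becomes the new leaf."""
    leaves = list(leaves)
    i = next(k for k, (A, A_next, _) in enumerate(leaves) if A != 0 and encloses(A, A_next, x))
    A, A_next, w = leaves[i]
    if EMPTY not in leaves:
        leaves.append(EMPTY)        # adding an empty leaf does not change the root
    j = leaves.index(EMPTY)
    leaves[i] = (A, x, w)
    leaves[j] = (x, A_next, w if romt else 0)
    return leaves


def iomt_database(leaves):
    """Interpretation of an IOMT: index -> value, ignoring empty leaves and place-holders."""
    return {A: w for A, _, w in leaves if A != 0 and w != 0}


def romt_lookup(leaves, x):
    """Interpretation of an ROMT: the value associated with the range [A, A') containing x."""
    for A, A_next, w in leaves:
        if A == 0:
            continue
        if (A < A_next and A <= x < A_next) or (A_next <= A and (x >= A or x < A_next)):
            return w
    raise KeyError(x)
```

Inserting the place-holder for index 5 (or splitting the range [4, 7) in the ROMT) changes the root but leaves `iomt_database` / `romt_lookup` unchanged, which is exactly what makes the two roots equivalent.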
2.4. OMT Functions for Security Kernels
The module T is assumed to possess limited protected storage, and expose well defined
interfaces to the associated untrusted sub-system. Such interfaces can be used by an untrusted
sub-system (say) A to demonstrate the integrity of databases stored by the sub-system, and
request T_A associated with sub-system A to attest verified records.
For attesting records or contents of records (for verification by other sub-systems, or security
kernels in other sub-systems) every module is assumed to possess a unique identity, and secrets
used for authenticating messages. For example, the secret could be a private component of an
asymmetric key pair, which is used for signing messages. In this case, the public key of the
module is certified by a trusted key distribution center, attesting the integrity of the module.
Alternately one or more secrets could be provided by a trusted key distribution center to each
module. Only modules that have been verified for integrity and issued such secrets by the trusted
key distribution centers will be able to use their secrets to compute a pairwise secret with other
modules attested by the KDCs. Such pairwise secrets may be used to compute message
authentication codes for attesting the integrity of the contents of a record.
Apart from secrets provided by trusted KDCs or certified by trusted certificate authorities, every
module is assumed to spontaneously generate a random self-secret χ which is used for
authenticating memoranda to itself. For example, after executing (say) z = f_m(x, i, v), a module
may issue a memorandum to itself to remind itself that it has already verified that "z is an ancestor
of x."
As we shall see very soon, the self-memorandum in this scenario is a value ρ = h(V1, x, z, χ)
computed as a function of the type V1 of the memorandum, the values x and z, and the secret χ.
No entity other than the module can fake such a memorandum. Thus, if values x, z, and ρ are
provided as inputs to the module, the module can safely conclude that "z is an ancestor of x."
In the rest of this section we provide an algorithmic description of generic OMT functions
suitable for security kernels for a wide range of systems/ sub-systems. OMT functions issue
different types of self-memoranda. Such self-memoranda may then be used by other system-
specific (or role-specific) security kernel components of the same module. As an illustration of
how such memoranda can be used by other system-specific security kernel components of the
same module, in a later section we outline the use of such memoranda in security kernels for
various BGP sub-systems.
Figure 2. Verification and Update Memoranda. (Pseudocode listings of the functions F_bt(), F_cat1() and F_cat2(); the listings did not survive extraction.)
2.5. OMT Memoranda
Five different types of memoranda are issued by OMT functions.
A certificate of type U1 is issued by functions F_bt() and F_cat1(). The inputs to F_bt() include a
leaf node x in a subtree, the index i of the leaf node (in the sub-tree), and complementary nodes
v. The root of the subtree can now be computed as y = f_m(x, i, v). The function also accepts
another value x′ and computes y′ = f_m(x′, i, v) (using the same complementary nodes). The
certificate of type U1 issued by this function, viz.,

$\rho = h(U1, x, y, x', y', \chi)$ (7)

states that "(it has been verified by me that) y is the root of a sub-tree with leaf node x, and if
x → x′ then y → y′." More generally, such a certificate implies that y is an ancestor of x, and
that if x → x′, then y → y′.
Functions F_cat1() and F_cat2() combine self memoranda to issue (in general) more complex self-
memoranda. F_cat1() accepts inputs necessary to verify the integrity of two type U1 certificates. If
the second certificate is 0, and if in the first certificate binding x_1, y, x_1′, y′ we have x_1 = x_1′ (implying
merely that y is an ancestor of x_1), a certificate of type V1, viz., ρ = h(V1, x_1, y, χ), is issued.
If the child in the second certificate x_2 is the same as the parent y in the first certificate, the two
certificates are combined to issue a single certificate of type U1 binding the child x_1 in the first
certificate to the parent z in the second certificate. Else, F_cat1() computes p = H_V(y, z) and
p′ = H_V(y′, z′) to issue a certificate of type U2

$\rho = h(U2, x_1, x_2, p, x_1', x_2', p', \chi)$ (8)

to the effect that "x_1 and x_2 are leaf nodes of a sub-tree with root p, and if x_1 → x_1′ and
x_2 → x_2′ then p → p′." Note that if y is an ancestor of x_1 and z is an ancestor of x_2, then
p = H_V(y, z) is simultaneously an ancestor of x_1 and x_2.
Function F_cat2() extends the common ancestor y of two nodes to an ancestor z of y. In other
words, F_cat2() combines a U2 certificate with a U1 certificate to produce a U2 certificate. If
only a certificate of type U2 is provided as input to F_cat2() with x_1 = x_1′ and x_2 = x_2′, bound to
y = y′, F_cat2() issues a certificate of type V2 binding two nodes x_1 and x_2 to a common
ancestor y.
Certificates of type U1 and U2 are useful for simultaneously verifying and updating the root of
the tree. Certificates of type V1 and V2 are useful in scenarios where only verification is
required. Functions F_ph(), F_sw() and F_ce() create certificates that bind equivalent roots. A
certificate ρ = h(EI, y, y′, χ) attests to the equivalence of IOMT roots y and y′. A
certificate ρ = h(ER, y, y′, χ) attests to the equivalence of ROMT roots y and y′.
Through a certificate of type U2, F_sw() recognizes the relationship between two roots resulting
from swapping two leaves. As swapping leaves does not affect the integrity of an IOMT or an
ROMT, the roots are equivalent for both IOMT and ROMT. Thus, depending on the value o
which identifies the type of request (o = 1 for ROMT certificate) F_sw() outputs an EI or ER
certificate.
Function F_ph() issues equivalence certificates binding roots before and after deletion of a place
holder. The input o = 1 is a request to issue an ER certificate (else, the request is for an EI
certificate). If no certificate is provided as input to F_ph() (or ρ = 0), one root is assumed to be the
root of an empty tree, and the equivalent root is the one after insertion of the first place-holder for an
index A. For both IOMT and ROMT the first place holder will be (A, A, 0), and the root after
insertion will be H_L(A, A, 0).
If ρ ≠ 0 this function interprets (A, A′, ω_A) (with leaf hash x_1) and a place-holder (A′, B, ω)
(with leaf hash x_2) as two leaves in a tree with root y. If o = 1 (ROMT) the place holder has
ω = ω_A, else (for an IOMT), ω = 0. If the place holder is the first leaf it needs to be modified to
(A, B, ω_A) (leaf-hash x_1′) and the second leaf to an empty leaf (leaf hash 0). The certificate ρ
attests that modifying two leaves x_1 and x_2 to x_1′ and x_2′ is equivalent to changing the root
from y to y′. Hence, y and y′ are equivalent roots.
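The self-memoranda mechanism of Sections 2.4 and 2.5 (F_bt() issuing a U1 certificate per eq. (7), F_cat1() turning it into a V1 certificate or chaining two U1 certificates, and later acceptance of a V1 memorandum without recomputing f_m), as an added worked example rather than the paper's own listing in Figure 2. It assumes SHA-256 as h(), the empty byte string as the "0" node, a 32-byte random χ, and that chaining also requires the updated parent of the first certificate to equal the updated child of the second.

```python
import hashlib
import hmac
import os

ZERO = b""   # the paper's "0" node value (assumption: empty byte string)


def h(*fields):
    """SHA-256 over length-prefixed fields (stand-in for the paper's h())."""
    enc = [f if isinstance(f, bytes) else str(f).encode() for f in fields]
    return hashlib.sha256(b"".join(len(b).to_bytes(4, "big") + b for b in enc)).digest()


def H_V(u, v):
    """Eq. (4): zero children are transparent."""
    if u == ZERO:
        return v
    if v == ZERO:
        return u
    return h(u, v)


def f_m(x, i, comp):
    """Root of the sub-tree reached from leaf node x at position i using the complementary
    nodes comp, listed from the leaf level upwards (eq. 1)."""
    y = x
    for sibling in comp:
        y = H_V(y, sibling) if i % 2 == 0 else H_V(sibling, y)
        i //= 2
    return y


class Module:
    """Security kernel with a self-secret chi; memoranda are hashes only it can recompute."""

    def __init__(self, chi=None):
        self.chi = chi or os.urandom(32)      # spontaneously generated self-secret

    def _memo(self, *fields):
        return h(*fields, self.chi)

    def _check(self, rho, *fields):
        if not hmac.compare_digest(rho, self._memo(*fields)):
            raise ValueError("memorandum was not issued by this module")

    def F_bt(self, x, x_new, i, comp):
        """Issue a U1 memorandum (eq. 7): y is an ancestor of x, and x -> x_new implies y -> y_new."""
        y, y_new = f_m(x, i, comp), f_m(x_new, i, comp)
        return y, y_new, self._memo("U1", x, y, x_new, y_new)

    def F_cat1(self, u1, u2=None):
        """Combine U1 memoranda given as (x, y, x', y', rho). With one input and x == x' issue V1;
        if the second's child is the first's parent, chain them into one U1; else issue U2 (eq. 8)."""
        x1, y, x1n, yn, rho1 = u1
        self._check(rho1, "U1", x1, y, x1n, yn)
        if u2 is None:
            if x1 != x1n:
                raise ValueError("V1 requires x1 == x1'")
            return self._memo("V1", x1, y)
        x2, z, x2n, zn, rho2 = u2
        self._check(rho2, "U1", x2, z, x2n, zn)
        if x2 == y and x2n == yn:   # assumption: current and updated parents must both match
            return self._memo("U1", x1, z, x1n, zn)
        p, pn = H_V(y, z), H_V(yn, zn)
        return self._memo("U2", x1, x2, p, x1n, x2n, pn)

    def accepts_V1(self, x, z, rho):
        """Later use of a V1 memorandum: conclude 'z is an ancestor of x' without recomputing f_m."""
        return hmac.compare_digest(rho, self._memo("V1", x, z))
```

Because every memorandum is keyed with χ, an untrusted host can store and replay them but cannot mint one for a relationship the module never verified, and a memorandum from one module is rejected by any other.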
Figure 3. OMT Functions for Issuing Equivalent-Root Memoranda. (Pseudocode listings of F_sw(), F_ph() and F_ce(); the listings did not survive extraction.)
3. BGP SUBSYSTEMS
The Internet is an interconnection of autonomous systems (AS) [9], [10]. Each AS owns one or
more chunks of the IP address space, where the number of addresses in each chunk is a power of
2. IP chunks are represented using the CIDR (classless inter-domain routing) IP prefix notation.
For example, the IP prefix 132.5.6.0/25 represents 2^{32−25} IP addresses for which the first 25 bits
are the same as the address 132.5.6.0, viz., addresses 132.5.6.0 to 132.5.6.127. An AS registry
assigns AS numbers to AS owners. AS owners may acquire ownership of IP prefixes from an IP
registry (through IP registrars, or ISPs).
While each AS may follow any protocol for routing IP packets within their AS, all ASes need to
follow a uniform protocol for inter-AS routing. The current inter-AS protocol is the border
gateway protocol (BGP), where AS owners employ one or more BGP speakers to advertise
reachability information for IP prefixes owned by the AS. Specifically, every BGP speaker
recognizes a set of neighboring BGP speakers. Neighbors may belong to the same AS or a
different AS. The main responsibilities of BGP speakers are a) originate BGP update messages for
prefixes owned by the AS, and convey such originated messages to neighbors of other ASes; b)
relay BGP update messages received from neighbors to other neighbors; and c) aggregate
destination prefixes (that can be aggregated) for reducing the size of routing tables.
BGP is a path vector protocol. BGP update messages communicated between BGP speakers
indicate an AS path vector for a prefix. Specifically, a BGP update message

$[P_a, (A, B, C, D), W_d]$ (9)

from a speaker S_d (belonging to the last AS in the path) indicates that prefix P_a is owned by the
first AS A in the path. W_d is the weight of the path.
3.1. BGP Updates
A BGP speaker may receive multiple paths for the same prefix. All such paths are stored by the
BGP speaker in the incoming routing information database (RIDB-IN). However only the best
path for a prefix may be copied to the outgoing database (RIDB-OUT), and advertised to other
BGP speakers. Most often a BGP speaker is a component of a router which uses entries in RIDB-
OUT (best path for different prefixes) to forward IP packets.
3.1.1. BGP Weights
The best path is the one with the maximum weight. Several parameters are used to compute the
weight of a BGP path. For simplicity, in this paper we restrict ourselves to some of the more
important weight parameters, i) pre-path weight; ii) local preference iii) AS path length; and iv)
multi-exit descriptor (MED).
The pre-path weight is assigned at time of origination. If two paths for the same prefix have the
same pre-path weight, then the local preference is considered (higher the better). If both pre-
path weight and local preference are the same, the AS path length (number of ASes in the path) is
considered. The longer the path, the lower the weight. If the path lengths are also the same, then
the MED weight is considered (higher the better).
Local Preference and MED: Every BGP speaker recognizes a set of other BGP speakers as
neighbors. Every neighbor is associated with two weight parameters — a local preference, and an
MED. From the perspective of a speaker S_a, that L_b is the local preference of S_b implies that for
all paths received from S_b the local preference component of the weight should be reset to L_b.
That M_b is the MED of S_b implies that for all paths advertised to S_b, the MED component of
the weight should be set to M_b. Local preference and MED weights are assigned only to
neighbors that are speakers of foreign ASes.
Processing Received BGP Updates: When a BGP update message is received from a foreign
speaker S_b (of AS B) the steps to be taken by a speaker S_a (AS A) are as follows: 1)
increment hop-count; 2) add own AS A to the path vector; 3) change local preference to value
L_b; 4) set next hop to S_b; and 5) store path in RIDB-IN. When a path is received from a speaker
S_a′ belonging to the same AS, no component of the weight is changed, and the AS number is not
inserted.
Relaying and Originating BGP Updates: For relaying a BGP message for a prefix P to a BGP
speaker S_b in a foreign AS, the steps to be taken by speaker S_a are: a) among all paths for the
same prefix, choose the path with the highest weight; b) change the MED component of weight
to; c) advertise the path with modified weight. For originating a path (for owned prefixes), the
pre-path weight is set, and the MED is set to that of the foreign neighbor. Such originated paths
are not sent to speakers of the same AS (as paths to IP addresses within the AS are established
using an intra-AS protocol). For relaying a BGP update message (for a prefix owned by a foreign
AS) to a speaker S_a′ of the same AS, simply choose the path with the highest weight and send it
without changing the weight.
Policies and Preferences: The choice of BGP speakers for the AS, the prefixes for which a
speaker may originate BGP update messages (along with their pre-path weights), neighbors of
each speaker, along with their local preference and MED weights, etc., can be seen as policies and
preferences specified by the AS owner to influence the weights assigned to BGP paths.
Aggregation: One of the major benefits of CIDR prefixes comes from the fact that BGP speakers
may aggregate prefixes. Two consecutive prefixes A and B (say 126.5.4.0/25 and
126.5.4.128/25) can be aggregated into a single prefix C (126.5.4.0/24) if the next hop for
prefixes A and B is the same. The speaker that performed the aggregation is the originator for
the aggregated prefix.
4. SECURITY KERNELS FOR BGP SUB-SYSTEMS
Thus far we have outlined generic security kernel functionality for issuing OMT certificates. In
this section we consider other sub-system specific security kernel functionality for various BGP
sub-systems like AS and IP registries, AS owners, and BGP speakers.
For simplicity, we shall assume a single registry for both AS numbers and IP addresses. All
security kernel modules have a unique identity. Let U be the identity of the module associated
with the registry. One module is associated with every AS owner. We shall assume the identities
of AS owner modules to be the same as the AS number. Each BGP speaker is associated with
a module. We shall assume the identity of BGP speaker modules to be the IP address of the
router/BGP speaker. We also assume the existence of module functionality for
authentication/verification of messages exchanged between modules. Specifically, we shall
represent such functionality as

$\mu = f_a(X, Y, \{v_1, v_2, \ldots\})$ and $\{0, 1\} = f_v(X, Y, \{v_1, v_2, \ldots\}, \mu)$ (10)
the process of authentication (by module X, using f_a()) and verification (by module Y, using
f_v()) of a message conveying values {v_1, v_2, …}, from module X to module Y. Function f_a()
outputs an authentication code μ. Function f_v() outputs a binary value (TRUE if authentication
μ is consistent, or FALSE).
The identity U of the registry module is known to all AS owner modules. The registry module
U delegates AS numbers and IP prefixes to AS owner modules. AS owner modules will only
accept delegations from U . AS owner modules in turn delegate IP address ranges they own to
one or more BGP speaker modules.
Some of the specific desired assurances regarding the operation of BGP are as follows:
1. An AS number can not have more than one owner; an IP address can not be owned by more
than one AS. Such assurances should be guaranteed even if the computers employed by
the registry have been compromised by an attacker.
2. AS owners can only delegate address ranges owned by the AS to BGP speakers.
3. Notwithstanding the possibility that a router/ BGP speaker may be under the control of an
attacker, the following assurances are desired
a) The BGP speaker will only be able to create BGP update messages for prefixes
delegated by the AS owner
b) No BGP update message can be created by violating any of the policies /
preferences specified by the AS owner (neighboring speakers, local preference
and MED, pre-path weights) or BGP rules (only the path with the best weight can
be advertised).
c) A speaker will not accept paths which already includes its own AS (to ensure that
routing loops can not be created).
d) All BGP speakers will increment the hop count exactly by one.
e) A speaker will be able to aggregate only prefixes for which the next hop is the
same speaker.
4.1. OMTs Used by BGP Subsystems
The registry and AS owners maintain an ROMT where each leaf indicates a range of IP
addresses, and the third value is the AS number (of the AS that owns the address range).
BGP speakers maintain one ROMT, multiple IOMTs, and a plain Merkle tree. A plain Merkle
tree is used to maintain a neighbour table with a static number of records. More specifically, for
scenarios involving dynamic databases where records can not be inserted or deleted (the
dynamics come only from modification of records) OMT is an over-kill; a plain Merkle tree is
adequate. The ROMT is used for maintaining address ranges for which the speaker can originate
BGP updates (owned prefixes and aggregated prefixes).
An IOMT is used for maintaining the RIDB-IN database. More specifically a nested IOMT is
used where the root corresponds to a tree with leaves whose indexes are IP prefixes.
Corresponding to each prefix the value (third field) is the hash of two IOMT roots. The root of
the “path tree” has one leaf for every path for the prefix. The root of the “weight tree” represents
the weights of different paths, and enables the module to readily identify the path with the highest
weight. The index of leaves in path tree is a function of a quantity that is itself the root of an
IOMT. Specifically, the “path vector” IOMT with root has a leaf corresponding to every AS in
the AS path. Representing the AS path in this way makes it possible for the module to recognize
that it is already in the path, and thereby prohibit creation of routing loops.
4.2. Registry Module U and AS Owner Modules
The registry module maintains an ROMT root ξ_r, where each leaf indicates ranges of IP
addresses, and the AS number of the owner. Unassigned IP chunks have a leaf with value 0.
Figure 4. Security Kernel Functionality in Registry and AS Owner Modules. (Pseudocode listings of the registry functions F_ph^R(), F_as^R(), F_dp^R() and the AS owner function F_ph^O(); the listings did not survive extraction.)
The function F_ph^R() can be utilized to insert/delete any place holders in the ROMT by providing a
memorandum of type ER. The registry employs the function F_as^R() to convert the third value of
any leaf from 0 to a non zero value. A leaf (I, I′, A) in the ROMT indicates that the IP addresses
in the range I and I′ − 1 have been assigned to AS A. The leaf (I, I′, A) can be conveyed to an
AS owner module A using interface F_dp^R().
AS owner modules also maintain an ROMT with root ξ_r. The leaves indicate IP addresses owned
by the AS. In the tree maintained by the owner of AS A who (for example) owns two non
consecutive chunks with addresses between [a, a′) and [b, b′) the ROMT leaves will be
(a, a′, A), (a′, b, 0), (b, b′, A) and (b′, a, 0). The function F_ph^O() can be used to insert/delete
place-holders in the tree. Once a place holder (a, a′, 0) exists, a delegation (a, a′, A) from the
registry module U can be used to update the place holder to a leaf (a, a′, A). Any node in the
tree with root ξ_r can now be sub-delegated to a BGP speaker. Depending on which prefixes need
to be delegated to which BGP speaker the owner can use F_ph^O() to subdivide owned prefixes and
swap positions of prefix leaves, and choose the root of a subtree which includes all prefixes to be
delegated to the speaker. Apart from delegating IP prefixes, the AS owner also specifies various
preferences as leaves of a hash tree (with root ξ′_n). The types of records in this tree include
1) Pre-path weight; a record of the form [P, o] for each owned prefix P that can be
originated by the speaker, indicating the pre-path weight o.
2) Neighbor preferences record for each neighbor. A record for neighbor F is of the form
$N_F = [F, s_f = 0, t_f = 0, A_f, L_f, M_f, \tau_f]$ (11)

where A_f is the AS number of the neighbor, L_f and M_f are the local preference and MED
weights, and τ_f is the maximum permitted duration between HELLO messages from the
neighbor F. The values s_f and t_f are set to zero by the AS owner. Such fields can be modified
only by the module of a BGP speaker initialized using the value ξ′_n. The value s_f is the time at
which a link to F was established. The value t_f is the time at which F was last heard from.
4.3. BGP Speakers
The security kernel of BGP speakers maintains 3 dynamic roots (see Figure 5): the root ξ_o of an
ROMT is initialized to a value ξ′_o communicated by the AS owner module; the root ξ_n of a
Merkle tree (with a leaf corresponding to every neighbour, and a static leaf for every owned
prefix corresponding to which the BGP speaker can originate BGP updates) is initialized to the value
ξ′_n conveyed by the AS owner module; the root ξ_d of an IOMT indexed by IP prefix – the RIDB
tree, which is initialized to zero. BGP speakers also maintain a static value A — initialized to
the AS number represented by the speaker. During regular operation of the BGP speaker the
RIDB root ξ_d is updated whenever a BGP update message is received, or if a path is removed
(for example) due to loss of link to a neighbor.
The neighbor/preferences tree root ξ_n is updated whenever a neighbor state is updated.
Specifically, corresponding to each neighbor are two dynamic values: a connection identifier s
(which is the time at which the connection was initiated) and a time-stamp t (time of last activity
in the connection).
The leaves of the ROMT are IP address ranges for which the speaker can originate BGP updates.
Originated updates can be for owned IP address ranges or for aggregated prefixes. When
initialized, the ROMT root ξ_o is a commitment to leaves corresponding to owned IP ranges
(delegated by the AS owner module by conveying a root of a sub-tree from its tree of owned
prefixes). In all such leaves the third value a is the AS number. The ROMT root ξ_o may also be
updated for purposes of aggregating CIDR prefixes. Specifically, for any prefix in the RIDB tree
the address range and the next hop in the best path to the prefix can be added to the ROMT. Thus,
for leaves corresponding to foreign IP ranges the third value is the next hop. Two adjacent
prefixes with the same next hop can now be aggregated. More specifically, aggregation
corresponds to removing a place-holder. For example, two leaves (I_1, I_2, x) and (I_2, I_3, x)
where [I_1, I_2) and [I_2, I_3) are two ranges with the same next hop x, can be converted to a
single leaf (I_1, I_3, x) through an equivalence operation.
From the perspective of the BGP speaker modules, corresponding to a BGP update message from
a speaker (with IP address) X to a speaker Y is an authenticated message from module X to
module Y computed as:
$\mu = f_a(X, Y, \{P, \alpha, l, w_{pp}, w_{lp}, w_{med}\})$ (12)

where P is the prefix for which the path is advertised, α is a one-way function of the AS path,
l is the path length, and w_pp, w_lp and w_med are respectively the pre-path weight, local preference
and MED. The four weights are used to construct a weight represented as

$W = [w_{pp}\ w_{lp}\ (MAX - l)\ w_{med}]$ (13)

Thus, for any prefix the path with the highest weight W is the best path.
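The receive/best-path/relay procedure of Section 3.1 (steps 1 to 5 for a foreign update, unchanged storage for a same-AS update, MED rewritten on relay) together with the weight of eq. (13) and the loop-rejection assurance 3c, as an added worked example written from the paper's description rather than its own F_upd^S()/F_rel^S() listings. It assumes MAX = 255, 16-bit weight fields packed most-significant-first so that integer order equals the tie-break order of Section 3.1.1, and that the own-AS check applies to updates from foreign speakers (a same-AS speaker legitimately relays paths already containing the AS).

```python
from dataclasses import dataclass

MAX_LEN = 255       # constructed: MAX in eq. (13), an upper bound on AS path length
FIELD_BITS = 16     # constructed: width of each weight field when packed into W


def weight(w_pp, w_lp, path_len, w_med):
    """Eq. (13): W = [w_pp w_lp (MAX - l) w_med], packed so that plain integer comparison
    applies pre-path weight, then local preference, then shorter path, then MED."""
    fields = (w_pp, w_lp, MAX_LEN - path_len, w_med)
    if not all(0 <= f < 2 ** FIELD_BITS for f in fields):
        raise ValueError("weight field out of range")
    W = 0
    for f in fields:
        W = (W << FIELD_BITS) | f
    return W


@dataclass(frozen=True)
class Neighbor:
    asn: int          # A_f
    local_pref: int   # L_f
    med: int          # M_f


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple    # origin AS first, most recently traversed AS last, as in eq. (9)
    hops: int
    w_pp: int
    w_lp: int
    w_med: int
    next_hop: str     # address of the speaker the path was received from


class Speaker:
    def __init__(self, asn, neighbors):
        self.asn = asn
        self.neighbors = neighbors    # speaker address -> Neighbor record
        self.ridb_in = {}             # RIDB-IN: prefix -> list of stored paths

    def receive(self, sender, upd):
        """Steps 1-5 of 'Processing Received BGP Updates'; a foreign path that already
        contains this speaker's AS is refused (assurance 3c)."""
        nb = self.neighbors[sender]
        if nb.asn == self.asn:        # same-AS speaker: weight and path vector unchanged
            stored = upd
        else:
            if self.asn in upd.as_path:
                raise ValueError("routing loop: own AS already in path")
            stored = Path(upd.prefix, upd.as_path + (self.asn,), upd.hops + 1,
                          upd.w_pp, nb.local_pref, upd.w_med, sender)
        self.ridb_in.setdefault(upd.prefix, []).append(stored)
        return stored

    def best(self, prefix):
        """Only the path with the highest weight may be copied to RIDB-OUT."""
        return max(self.ridb_in[prefix],
                   key=lambda p: weight(p.w_pp, p.w_lp, len(p.as_path), p.w_med))

    def relay(self, prefix, to):
        """Relay the best path; for a foreign neighbor the MED is set to that neighbor's M_f."""
        nb = self.neighbors[to]
        p = self.best(prefix)
        if nb.asn == self.asn:
            return p
        return Path(p.prefix, p.as_path, p.hops, p.w_pp, p.w_lp, nb.med, p.next_hop)
```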
Security kernel functions F_rel^S() and F_orig^S() are used to create such BGP update messages, and
F_upd^S() is used to process such messages from neighboring speakers and update the RIDB root.
More specifically, F_orig^S() is used to originate BGP updates (for own prefixes and aggregated
prefixes). Specifically, a path for a prefix P (represented in the origin tree as a leaf with range
[I_1, I_2) and third value v) can be advertised only if a) the third value v is its own AS number,
and a leaf exists in the tree with root ξ_n for the prefix P, conveying the pre-path weight w_pp for
prefix P; or b) the third value v corresponds to a neighbor with a live link, and no leaf with
prefix P exists in the RIDB tree. F_rel^S() is used to relay stored BGP paths in the RIDB to
neighbors. F_rel^S() identifies the best path for a prefix, and only the best path may be advertised.
Alternately, information regarding the best path can also be added to the origination tree to
aggregate a prefix.
Figure 5: OMTs Used by BGP Speakers.
Neighbouring BGP speakers maintain a TCP connection over which BGP update messages are
exchanged. To keep the connection alive, and for testing the existence of the link, special HELLO
messages are exchanged periodically. From the perspective of the security kernel in a speaker S
the link to a neighbour F is associated with the link establishment time s_f and a timestamp t_f.
Once a link has been established, the module of F is expected to confirm its continued
presence by periodically sending authenticated time-stamped messages for updating the
timestamp t_f.
In the RIDB-IN, multiple paths, each with possibly different weights, may exist for each prefix.
To enable the security kernel to readily determine the path with the highest weight, the plurality
of weights for each prefix are maintained as an ordered list. In the weight IOMT, the index of a
leaf is a weight, and the value (third field) is the number of occurrences of the weight in the list.
For example, corresponding to a list with four weights (21, 21, 34, 42), three leaves
(21, 34, 2), (34, 42, 1), (42, 21, 1) will exist in the weight tree (index 21 occurs twice as indicated
by the value field). As in any IOMT, insertion of a place-holder (say for index 5, which signifies
“zero occurrences of value 5 in the list”) does not modify the list.
Within the RIDB IOMT a special IOMT is also used to represent AS paths. In the AS path IOMT
the indices of leaves are ASes. A tree corresponding to a path of length 5 will have 5 leaves.
The value field (third field) is the position in the path. As an example, corresponding to a path
A → D → B → E the leaves of the tree will be (A, B, 1), (B, D, 3), (D, E, 2) and (E, A, 4)
(note that the value for index D is 2 as D is the second AS in the path). In the RIDB IOMT the
indices of leaves are IP prefixes. The value field in the IOMT is a one way function of two IOMT
roots: 1) IOMT root γ, the root of a weight-IOMT; and 2) IOMT root θ, the root of an
IOMT whose leaves (β, β′, v) characterize each path to the prefix. In the IOMT with root θ
the indices of leaves are functions of the path; more specifically, in the index β = h(G, h(l, α)),
G is the next hop, l is the path length, and α is the root of an AS-path IOMT. The value v
corresponding to an index β is a function of two values: the weight W of the path, and the
connection identifier of the next hop that provided the path. If the connection identifier in a path
is not the same as the identifier in the neighbor record for that neighbor, then the path is
considered as stale (and the weight is set to 0).
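The weight IOMT and the AS-path IOMT described above, as an added example (this is not the paper's code). It assumes SHA-256 as the hash h(), leaves encoded as "|"-joined fields, promotion of an odd node at each level, and a hash of the two roots as the RIDB leaf value; the class and function names are mine.

```python
"""Toy index-ordered Merkle tree (IOMT) for the weight tree and AS-path tree.
Assumptions (not from the paper): h() is SHA-256 over "|"-joined fields,
the root of an empty tree is 64 zero hex digits, and an odd node is
promoted unchanged to the next level."""
import hashlib


def h(*parts):
    """One-way function h() applied to a tuple of fields."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()


EMPTY_ROOT = "0" * 64


def merkle_root(leaf_hashes):
    if not leaf_hashes:
        return EMPTY_ROOT
    level = list(leaf_hashes)
    while len(level) > 1:
        level = [h(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
    return level[0]


class IOMT:
    """Leaves are (index, next_index, value).  next_index is the next larger
    index, wrapping from the largest index to the smallest, so the leaves form
    a virtual circular list.  A value of 0 marks a place-holder."""

    def __init__(self):
        self.values = {}            # index -> value (0 for a place-holder)

    def leaves(self):
        idx = sorted(self.values)
        return [(k, idx[(i + 1) % len(idx)], self.values[k]) for i, k in enumerate(idx)]

    def root(self):
        return merkle_root([h(*leaf) for leaf in self.leaves()])

    def insert_placeholder(self, index):
        self.values.setdefault(index, 0)

    def update(self, index, value):
        if index not in self.values:
            raise KeyError("insert a place-holder before updating its value")
        self.values[index] = value

    def leaf(self, index):
        for leaf in self.leaves():
            if leaf[0] == index:
                return leaf
        return None


class WeightTree(IOMT):
    """Index = weight, value = number of occurrences of that weight."""

    def add(self, w):
        self.insert_placeholder(w)
        self.update(w, self.values[w] + 1)

    def remove(self, w):
        self.update(w, self.values[w] - 1)   # a count of 0 leaves a place-holder

    def weights(self):
        """The ordered list the tree represents; place-holders contribute nothing."""
        return sorted(w for w, n in self.values.items() for _ in range(n))

    def best(self):
        """Largest weight with a non-zero count, and the leaf (W, W', m) that
        proves it: W' < W is the wrap-around to the smallest index."""
        live = [w for w, n in self.values.items() if n]
        if not live:
            return None, None
        w = max(live)
        return w, self.leaf(w)


def as_path_tree(path):
    """AS-path IOMT: index = AS, value = 1-based position in the path."""
    t = IOMT()
    for pos, asn in enumerate(path, 1):
        t.insert_placeholder(asn)
        t.update(asn, pos)
    return t


def path_index(next_hop, length, alpha):
    """beta = h(G, h(l, alpha)) identifies one path in the path tree."""
    return h(next_hop, h(length, alpha))


def ridb_leaf_value(gamma, theta):
    """RIDB leaf value: a one-way function of the weight-tree root and the
    path-tree root (the paper does not fix the function; h() is assumed)."""
    return h(gamma, theta)
```

Inserting the place-holder for index 5 changes the leaves and therefore the root, but WeightTree.weights() is unchanged, which is exactly the property the text relies on when place-holders are added with F^S_ph.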
4.4. Using Security Kernel Functions in BGP Speaker Module
BGP speaker modules expose a function F^S_init() which is invoked to initialize the module. In the
rest of this paper we shall investigate the functionality of a speaker S belonging to an AS A. An
authenticated message from AS module A (created by using function F^A_dp() in Figure 6) is
necessary for initializing the roots of the neighbor tree to ξ′_n, and the origin tree to ξ′_o.
Any place holder can be added to the IOMT with root ξ_r or the ROMT with root ξ_p using
function F^S_ph(). Any place holder can also be added to the path tree or weight tree corresponding
to any prefix. This can be accomplished using function F^S_ph2(), which issues an equivalence
memorandum of type E_2 identifying two roots corresponding to before and after insertion of a
place holder in a tree with root θ, or a tree with root γ, or both.
Function F^S_hlo() can be invoked to create authenticated messages that can be sent to other
speakers. This function ensures that speaker S can only connect to speakers explicitly authorized
by the AS owner (by providing the initial root ξ_n). Such authenticated messages can be used to
create a connection (with a new value of s deemed sufficiently close to the current time t), and
for updating time stamps of neighbors.
Figure 6: Security Kernel Functions for BGP Speakers. (Pseudocode for F^S_init, F^S_ph, F^S_ph2 and F^S_hlo; the figure is not reproduced in the text.)
4.5. Processing BGP Updates
Function F^S_upd() is invoked to update the RIDB-IN tree, either due to a BGP update message
received from a neighbor, or due to loss of link to the next hop. From the perspective of the
security kernel the link to the next hop is broken if the time-stamp in the neighbor record is stale.
If the current neighbor session identity is different from the session identity of the next hop in the
stored path, then the path is assumed to be invalid (as the path was provided during an earlier
session). If the neighbor is no longer active, or if the path is invalid, the path weight will be set to
0.
F^S_upd() is invoked to update a path for a prefix P. Recall that a prefix P is associated with a
path tree root θ and a weight tree root γ. A path in the path tree is uniquely identified as a
function of the AS-path α, path-length l, and next hop N: the index of the path is
β = h(N, h(l, α)). The path is associated with a path weight W_c and the session identity s_n of
the next hop.
Figure 7. BGP Speaker Security Kernel Functionality for Accepting BGP Updates. (Pseudocode for F^S_upd; the figure is not reproduced in the text.)
Updating the path implies modifying the current weight W_c associated with the index β to a
weight W. In addition, modification of the weight requires the weight tree to be modified.
Specifically, a) if W_c = 0 and W ≠ 0 (inserting a path), then the value W has to be added to
the IOMT with root γ; b) if W = 0 and W_c ≠ 0 (setting path weight to 0) then the value W_c has
to be removed from the tree with root γ; c) if W = W_c = 0, then F^S_upd() is invoked to delete a
path with zero weight. In this case no change is necessary to the weight tree root γ.
For inserting a path F^S_upd() is invoked by submitting a received BGP update from a neighbor N
specifying path vector α, path length l, and weights w_pp || w_lp || w_med. The weight for the
inserted path is then
W = w_pp || x || (MAX − l) || w_med (14)
where x = L_n or x = w_lp. Specifically, if the neighbor N providing the update belongs to a
foreign AS, then x = L_n (the local preference assigned to N); if N belongs to the same AS, the local
preference w_lp advertised by N is retained.
For setting weight to zero F^S_upd() may be invoked without a BGP message, or with a BGP message
that withdraws a previously advertised path. A withdraw message from a neighbor indicates
w_pp = w_lp = w_med = 0.
In general, updating a path with index β (for prefix P) will require modification to the path tree
root θ and weight tree root γ (in the leaf for prefix P). For incorporating the change in values
θ and γ associated with leaf index P, the RIDB root ξ_d will need to be modified.
The inputs to F^S_upd() include a) a neighbor record N_N for N and a V_1 memorandum ρ_n to
verify the integrity of the record against the root ξ_n; b) a U_1 memorandum ρ_t, necessary to update a
leaf with index β in a tree with root θ; c) a U_1 memorandum ρ_w, necessary to increment the
counter in the leaf with index W (when a path with weight W is inserted), or decrement the counter
in the leaf with index W_c (when the current weight W_c of the path is reset to 0), in the weight tree
with root γ; d) a U_1 memorandum ρ_d, necessary to update the RIDB-IN root ξ_d due to the
changes to values γ and θ associated with index P; and e) a received authenticated BGP
update message [α, l, w_pp || w_lp || w_med, μ] from neighbor N.
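The weight computation of equation (14) and the three weight-tree cases a), b) and c) of F^S_upd, together with the staleness rule (session identity mismatch or dead link sets the weight to 0), as an added example that is not the paper's code. It assumes MAX = 255 as the bound on path length, a neighbor record with fields 'as', 'session' and 'ts', a link that is stale once more than MAX_AGE seconds have passed, and a tuple (w_pp, x, MAX − l, w_med) whose lexicographic order stands in for comparing the fixed-width concatenation; the integer 0 denotes weight 0. The weight tree is reduced to a dictionary of occurrence counts, i.e. the value fields of its leaves. The AS numbers and timestamps in the test are constructed.

```python
"""Weight bookkeeping of F^S_upd (Section 4.5).  Assumptions (not from the
paper): MAX = 255, MAX_AGE = 90 s, neighbor record = {'as', 'session', 'ts'},
W modelled as a tuple ordered like the concatenation in (14), 0 = weight 0."""

MAX = 255       # upper bound on the AS-path length (assumption)
MAX_AGE = 90    # seconds without a fresh time-stamp before a link is stale (assumption)


def path_weight(my_as, nbr, l, w_pp, w_lp, w_med, local_pref):
    """Equation (14): W = w_pp || x || (MAX - l) || w_med.
    x = L_n (local preference assigned to the neighbor) if the neighbor is in
    a foreign AS, otherwise the advertised w_lp is retained.  A withdraw
    (all three advertised weights 0) yields weight 0."""
    if w_pp == 0 and w_lp == 0 and w_med == 0:
        return 0
    x = local_pref if nbr["as"] != my_as else w_lp
    return (w_pp, x, MAX - l, w_med)


def link_is_live(nbr, now):
    """The link is broken if the time-stamp in the neighbor record is stale."""
    return now - nbr["ts"] <= MAX_AGE


def update_path(weights, path, nbr, w, now):
    """Apply a weight change for one path.

    weights: dict weight -> occurrence count (the weight IOMT's value fields)
    path:    dict with 'W_c' (current weight) and 's_n' (session identity of
             the next hop recorded when the path was stored)
    Returns the weight actually stored."""
    # A path from an earlier session, or via a dead link, is invalid: weight 0.
    if path["s_n"] != nbr["session"] or not link_is_live(nbr, now):
        w = 0
    w_c = path["W_c"]
    if w_c == 0 and w != 0:                     # case a: insert a path
        weights[w] = weights.get(w, 0) + 1
    elif w == 0 and w_c != 0:                   # case b: reset weight to 0
        weights[w_c] -= 1                       # count 0 leaves a place-holder
    elif w == 0 and w_c == 0:                   # case c: delete a zero-weight path
        pass                                    # weight tree unchanged
    elif w != w_c:                              # replacement: b) then a) (assumption)
        weights[w_c] -= 1
        weights[w] = weights.get(w, 0) + 1
    path["W_c"] = w
    return w


def best_weight(weights):
    """Largest weight whose occurrence count is non-zero (0 if none)."""
    live = [w for w, n in weights.items() if n]
    return max(live) if live else 0
```

Because the tuple places w_pp first, a path with a better pre-path (policy) weight wins regardless of local preference, then shorter paths win through MAX − l; that is the order the concatenation in (14) imposes.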
4.6. Advertising BGP Paths
Function F^S_adv() is invoked to identify the best path for a prefix and a) advertise the best path
(create a BGP update) to a neighbor, or b) add the prefix for the path (along with the next hop and
session identity of the next hop) to the origination tree. The latter enables aggregation of prefixes:
two adjacent prefixes with the same next hop and session identity can be aggregated by removing
a place-holder in the ROMT. F^S_adv() can also be invoked to create a BGP update to
withdraw a path with weight 0.
Figure 8. BGP Speaker Security Kernel Functionality for Relaying BGP Updates. (Pseudocode; the figure is not reproduced in the text.)
If W is the best weight for prefix P then a leaf (W, W′, m) with W′ < W and m ≠ 0 should
exist in the tree with root γ. This is demonstrated using a memorandum of type V_1. There
should also exist a leaf for an index β = h(G, h(l, α)) in the tree with root θ associated with
values s_g and W. For this purpose a V_1 memorandum is necessary to demonstrate the integrity of
a neighbor record for G against ξ_n, and another V_1 memorandum is required to demonstrate the
integrity of the leaf with index β against root θ. Finally, another V_1 memorandum is required to
demonstrate the integrity of values θ and γ associated with index P against the RIDB root ξ_d.
Now that the best path (described by next hop G, AS vector α, path length l and weight W)
has been identified,
1. a leaf with range [x, y) corresponding to prefix P can be added to the origination tree
indicating next hop and session identity G || s_g, or
2. a BGP update for prefix P can be created and sent to a neighbor F.
In the former case, updating the origination tree will require a leaf (x, y, 0) to be modified to
(x, y, G || s_g), where P ≡ [x, y). For updating the leaf of the origination tree, a U_1 memorandum
is required as input to F^S_adv().
Before a BGP message for a path can be advertised to a foreign neighbor F, the path vector and
path length have to be modified (to insert own AS number). If the path vector root is currently α,
and the length is currently l, the value l should be incremented, and a new leaf needs to be
inserted into the IOMT with root α. Specifically, the new leaf will have index A (AS number of
the speaker) and value l + 1. More specifically, a place holder for A needs to be inserted in a tree
with root α, following which the place holder can be updated to modify the third field from 0 to
l + 1. Thus, a memorandum of type EI (for inserting a place holder) and a memorandum of type U_1
(for updating the place-holder) are required as inputs.
4.7. Originating BGP Updates
Figure 9. BGP Speaker Security Kernel Functionality for Originating BGP Updates. (Pseudocode for F^S_orig; the figure is not reproduced in the text.)
F^S_orig() is used to advertise path information for two categories of prefixes: 1) prefixes owned by
the AS; and 2) aggregated prefixes. Specifically, in leaves corresponding to owned prefixes in the
origination tree, the third value will be its own AS number A. Corresponding to other leaves the
third value will be a neighboring speaker G (next hop for the prefix) and a session identity s′_g
of G (at the time the prefix was added to the origination tree). An owned range [x, y) can be
converted into a prefix P and advertised to a neighbor F only if a record (P, w_pp) exists in the
neighbor/policies tree with root ξ_n. A certificate of type V_2 is provided as input to
simultaneously verify the integrity of the neighbor record N_F and record (P, w_pp) in the
neighbor tree. To advertise an aggregated prefix P a V_1 memorandum attesting the integrity of the
next hop neighbor record N_G is required. In addition, a V_1 certificate is required to demonstrate
that prefix P does not exist in the RIDB-IN tree. If the next hop F (to whom the origination
message is to be sent) is set to F = 0, then F^S_orig() interprets this as a request to delete an
aggregated leaf for prefix P with third value G || s′_g. To remove the aggregated prefix the third
value G || s′_g is set to 0. For this purpose a certificate ρ_o of type U_1 is required as input.
When a BGP message is originated for an owned prefix or an aggregated prefix the MED weight
is set to the value M_f (for the intended receiver F) provided by the AS owner; the local
preference is set to 0; for owned prefixes the pre-path weight is set to the value W_p prescribed by
the AS owner, and for aggregated prefixes the pre-path weight is set to 0.
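The origination ROMT behaviour of Sections 4.6 and 4.7 (adding an aggregated prefix by setting the third field of a leaf (x, y, 0), aggregating two adjacent ranges with the same next hop and session identity by removing a place-holder, converting an owned range [x, y) to a prefix P, and the pre-path weight rule for owned versus aggregated prefixes), as an added example that is not the paper's code. It assumes IPv4 addresses as integers, a tree modelled as a sorted list of (x, y, v) leaves without Merkle roots or memoranda, and a range that is advertisable only when it is exactly one CIDR block; the policies tree is reduced to a dictionary of (P, w_pp) records, and all addresses, AS numbers and session identities used are constructed.

```python
"""Origination ROMT logic (Sections 4.6 and 4.7).  Assumptions (not from the
paper): IPv4 addresses as integers, leaves kept as a sorted list of (x, y, v)
covering [0, 2^32) with no roots computed, policies as a dict P -> w_pp."""
import ipaddress


def range_to_prefix(x, y):
    """Prefix for [x, y), or None if the range is not one aligned power-of-two block."""
    size = y - x
    if size <= 0 or size & (size - 1) or x % size:
        return None
    plen = 33 - size.bit_length()                # 256 addresses -> /24
    return f"{ipaddress.IPv4Address(x)}/{plen}"


class OriginationTree:
    """Leaves (x, y, v): v = 0 unused, v = A owned by own AS A,
    v = 'G||s_g' aggregated prefix via next hop G in session s_g."""

    def __init__(self):
        self.leaves = [(0, 1 << 32, 0)]

    def _find(self, addr):
        for i, (a, b, _) in enumerate(self.leaves):
            if a <= addr < b:
                return i
        raise ValueError("address outside the tree")

    def insert_placeholder(self, b):
        """Split the leaf containing b at b; both halves keep the value, so the
        (range, owner) facts the tree asserts are unchanged."""
        i = self._find(b)
        a, c, v = self.leaves[i]
        if a == b:
            return                                   # boundary already present
        self.leaves[i:i + 1] = [(a, b, v), (b, c, v)]

    def set_value(self, x, y, v):
        """Update the third field of the leaf with exactly the range [x, y)."""
        i = self._find(x)
        if self.leaves[i][:2] != (x, y):
            raise ValueError("no leaf with exactly this range")
        self.leaves[i] = (x, y, v)

    def remove_placeholder(self, b):
        """Merge the leaves meeting at b, allowed only when both carry the same
        next hop and session identity (or the same owner)."""
        i = self._find(b)
        if i == 0 or self.leaves[i][0] != b:
            return False
        a, _, v1 = self.leaves[i - 1]
        _, c, v2 = self.leaves[i]
        if v1 != v2:
            return False
        self.leaves[i - 1:i + 1] = [(a, c, v1)]
        return True


def originate(tree, x, y, my_as, policies):
    """What F^S_orig may advertise for leaf [x, y): (P, w_pp, third value) or None.
    Owned prefixes need a record (P, w_pp) in the policies tree; aggregated
    prefixes get pre-path weight 0."""
    i = tree._find(x)
    lx, ly, v = tree.leaves[i]
    if (lx, ly) != (x, y) or v == 0:
        return None
    prefix = range_to_prefix(x, y)
    if prefix is None:
        return None
    if v == my_as:
        return (prefix, policies[prefix], v) if prefix in policies else None
    return (prefix, 0, v)
```

Removing the place-holder at 10.0.0.128 succeeds only because both halves carry the same "G||7"; the place-holder at 10.0.0.0 cannot be removed, since the leaf below it is unused.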
5. RELATED WORK AND CONCLUSIONS
In a large majority of security-kernel based approaches in the literature, the purpose of the
security kernel is to ensure that verified software is executed unmolested on an untrusted
platform. In the trusted computing group (TCG) approach based on the trusted platform modules
(TPM) only the security kernel is trusted to realize the assurance that “only pre-verified
software can take control of the platform.”
The security kernel, or the TCB for the TCG-TPM approach, can be seen as composed of three
roots of trust — the root of trust for storage (RTS), reporting (RTR) and measurement (RTM).
The RTS and RTR are offered by a hardware TPM bound to an untrusted platform. The RTM
includes “all essential hardware required to run software.” Most often, the “essential hardware”
includes the CPU, RAM, CPU-RAM bridge and BIOS.
The purpose of the RTM is to measure every unit of software that takes control of the CPU. The
unit of software is typically a file, and the measure is the file hash. The trusted BIOS includes
software that measures itself, reports the measurement to the TPM, loads the next level of software
(usually the boot-loader), measures the boot-loader, and reports the measurement to the TPM.
If the boot loader can be verified to be free of malicious code then the boot loader loads the next
level of code (the operating system kernel), measures the kernel and reports the measurement to
the TPM. Similarly the operating system can load other higher level components and report
measurements to the TPM.
The RTS is trusted to securely store measurements; the RTR is trusted to report measurements.
Any entity interacting with the untrusted platform can now request the TPM to report the
measurements, and may choose to abandon the interaction if the reported measurements differ
from expected measurements. This strategy of building a chain of trust starting with the BIOS is
the AEGIS model [11] adopted in the TCG approach.
The main issues with the TCG-TPM approach are threefold:
1. Ensuring that software can run unmolested is very little comfort when the software itself
becomes too complex to be thoroughly verified. Furthermore, hidden malicious
functionality in complex software may actually load other software without reporting
their measurements (or reporting arbitrary measurements) to the TPM.
2. Lack of a secure binding between the RTM (trusted components of the untrusted
platform) and the TPM (which houses the RTS and RTR). The implication of this is that the
TPM can be uncoupled from the RTM, and supplied expected measurements (while the
platform runs arbitrary software).
3. The “minimal hardware trusted to run software” may also include peripherals with direct
access to RAM. This results in the well known TOCTOU problem [12] in the TCG
approach.
In the proposed approach the goal of the security kernel is not to ensure the integrity of all
software related to a system/sub-system. Rather, the goal is to ensure only some very specific
sub-system specific properties. For example, if the TCG approach is used to secure the AS/IP
Registry, every computer used by the Registry should be TPM enabled, and every piece of
software that can take control of any computer should be carefully examined to be free of
malicious code. However, in the proposed approach, only the simple security kernel functionality
outlined in Figure 4 needs to be assured to be clear of undesired functionality.
Most commonly used hash tree based ADSs include the well-known merkle tree [8], skip-lists
[7], red-black trees [5], and B-trees [3, 13]. All such ADSs (except the plain Merkle tree)
essentially provide the capability to order values in a set (based on some index). The main
differences between OMTs and other ADSs like skip-lists, red-black trees and B-trees are:
1. In the OMT, the ordering is virtual (the first two fields in an OMT can be seen as a
circular linked list). In other trees the ordering is physical.
2. An OMT without the third field is functionally equivalent to other trees. The third value
in an OMT binds the first value to a record (in an IOMT) or a range to some “owner” (in
an ROMT).
Alternately, a skip-list and a merkle tree are together functionally equivalent to an OMT. From
this perspective, the main advantage of the OMT is that with a simple tweak to the merkle tree,
the OMT realizes the advantages of ordering values (viz., ability to readily determine existence
and non-existence of records, maximum/minimum values, etc.) without using an additional tree.
While there is very little algorithmic difference between an ROMT and an IOMT, there is a
substantial difference in their functional utility. In this paper we illustrated the utility of an
ROMT for registry and AS owner security kernels to maintain a database of IP address ranges and
the ownership of the ranges. In a BGP speaker the ROMT additionally enables the speaker to
aggregate IP prefixes. The IOMT is used for a wide range of purposes like maintaining the RIDB,
AS path trees (one for every path), and weight trees (one for every prefix).
The current approach to secure BGP is based on the Secure BGP [14] protocol proposed by Kent
et al. This approach employs public key certificates to authenticate communication between ASes
(BGP updates) and delegation of AS numbers/IP prefixes. More specifically, a dual certificate
system (supported in the back-end by a public key infrastructure (PKI)) is used where one
certificate binds the public key of the AS owner to the operating address space (IP prefix) and AS
number, and a second certificate binds routers to an AS. Apart from such static certificates,
dynamic certificates are also created by BGP speakers along with every update message.
Specifically, such certificates created by every AS in the path seek to assure the integrity of the
AS path vector. Whenever a router receives an update message, it verifies the dual certificates to
ascertain the validity of the message. In order to advertise the received message it extends the
path by adding itself to the path and signing it (along with the nested signatures of the previous
hops) with its own public key. To prevent deletion attacks a speaker in AS A sending an update
message to a speaker in AS B also includes the next hop in the signature.
While the S-BGP approach is successful in its claims for identity verification (AS owner, routers) and
update message integrity, it fails to provide any assurances for the overall operation of a sub-
system in the protocol. For example, there are no assurances provided by the protocol
guaranteeing that a router will indeed select the best path and that it will strictly abide by the
policies and preferences prescribed by the AS owner. The security features of the S-BGP protocol
do not extend to aggregated prefixes as it is impractical to create static certificates to validate
“ownership” of aggregated prefixes. This is a severe disadvantage of S-BGP as much of the
advantage of CIDR stems from the ability to aggregate prefixes.
In the proposed approach the simple security kernel associated with BGP speakers ensures that the
speakers can only advertise the best path, and that all preferences and policies of the AS owner will be
strictly adhered to. More importantly, the assurances also extend to aggregated prefixes.
REFERENCES
[1] B. Lampson, M. Abadi, M. Burrows, and E. Wobber, “Authentication in distributed systems: Theory
and practice,” ACM Transactions on Computer Systems, vol. 10, pp. 265–310, 1992.
[2] E. R. Sparks, “A Security Assessment of Trusted Platform Modules Computer Science Technical
Report,” Power, pp. 1–29, 2007
[3] P. T. Devanbu, M. Gertz, C. U. Martel, and S. G. Stubblebine, “Authentic Third-party Data
Publication,” in Proceedings of the IFIP TC11/ WG11.3 Fourteenth Annual Working Conference on
Database Security: Data and Application Security, Development and Directions. Deventer, The
Netherlands, The Netherlands: Kluwer, B.V., 2001, pp. 101–112. [Online]. Available:
http://dl.acm.org/citation.cfm?id=646118.758638.
[4] A. Buldas, P. Laud, and H. Lipmaa, “Accountable Certificate Management Using Undeniable
Attestations,” in Proceedings of the 7th ACM conference on Computer and communications security,
ser. CCS ’00. New York, NY, USA: ACM, 2000, pp. 9–17. [Online]. Available:
http://doi.acm.org/10.1145/352600.352604
[5] A. Anagnostopoulos, M. T. Goodrich, and R. Tamassia, “Persistent Authenticated Dictionaries and
Their Applications,” in Proceedings of the 4th International Conference on Information Security, ser.
ISC ’01. London, UK, UK: Springer-Verlag, 2001, pp. 379–393. [Online]. Available:
http://dl.acm.org/citation.cfm?id=648025.744371
[6] C. Martel, G. Nuckolls, M. Gertz, P. Devanbu, A. Kwong, and S. G. Stubblebine, “A General Model
for Authentic Data Publication,” Algorithmica, 2004
[7] M. Goodrich, R. Tamassia, and A. Schwerin. Implementation of an Authenticated Dictionary with
Skip Lists and Commutative Hashing. In DARPA Information Survivability Conference Exposition
II, 2001. DISCEX ’01. Proceedings, volume 2, pages 68 –82 vol.2, 2001.
[8] R. C. Merkle, “Protocols for Public Key Cryptosystems,” Security and Privacy, IEEE Symposium on,
p. 122, 1980. [Online]. Available:
http://www.computer.org/portal/web/csdl/doi/10.1109/SP.1980.10006
[9] Y. Rekhter and T. Li, “A border gateway protocol 4 (bgp-4),” 1995.
[10] Y. Rekhter and P. Gross, “Application of the border gateway protocol in the internet,” 1995.
[11] W. A. Arbaugh, D. J. Farber, and J. M. Smith, “A Secure and Reliable Bootstrap Architecture,” in
Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Computer Society, 1997,
pp. 65–71.
[12] S. Bratus, E. Sparks, and S. W. Smith, “TOCTOU, Traps, and Trusted Computing,” in Trust 2008:
Proceedings of the 1st International Conference on Trusted Computing and Trust in Information
Technologies, 2008, pp. 14–32.
[13] M.T. Goodrich, R.Tamassia, N. Triandopoulous, and R. Cohen, “Authenticated Data Structures for
Graph and Geometric Searching,” in Proceedings of the 2003 RSA conference on The
cryptographers’ track, ser. CT-RSA’03. Berlin, Heidelberg: Springer-Verlag, 2004, pp. 295-313.
[Online]. Available: http://dl.acm.org/citation.cfm?id=1767011.1767042
[14] S. Kent, C. Lynn, and K. Seo, “Secure border gateway protocol (s-bgp),” Selected Areas in
Communications, IEEE Journal on, vol. 18, no. 4, pp. 582–592, 2000
AUTHORS
Dr. Somya D. Mohanty is an Assistant Professor at the Department of Computer
Science at University of North Carolina – Greensboro. He received his Master's
degree in Computer Science from Florida State University and his doctorate from
the department of Computer Science and Engineering at Mississippi State
University. His doctoral research focuses on designing security kernels for
distributed applications. Somya has worked as the Data Scientist/Systems Architect
on the Social Media Tracking and Analysis System (SMTAS) project with the
Innovative Data Laboratory at the Social Science Research Center. In the research effort, he designed
system architectures capable of handling Big Data and develops algorithms to gain insights from the data in
real-time. He also contributed to the server architecture design with the use of dynamic scalable
components capable of handling large data influx (Big Data). Somya’s other research interests include
information/network security, cryptographic protocols, content analysis, machine learning and distributed
storage architectures.
Dr. Mahalingam Ramkumar is an Associate Professor of Computer Science and
Engineering at MSU. He received his Bachelor's degree in Electrical Engineering from
University of Madras, India, MS in Electrical Engineering from Indian Institute of
Science, Bangalore, India, and PhD in Electrical Engineering from New Jersey
Institute of Technology, Newark, NJ, in Jan 2000. He served as the Chief Technology
Officer for a technology start-up in Newark between Feb 2000 to Sep 2002, and as a
Research Assistant Professor in Polytechnic University, Brooklyn, NY from Oct 2002 to July 2003. His
current research interests include trustworthy computing, applied cryptography, and network security. He
has authored 2 books, 20 journal articles/book chapters, and over 70 refereed conference publications.
Mr. Naresh Adhikari is a graduate research assistant in Computer Science and
Engineering at MSU. He received his Bachelor's degree in Software Engineering from
Pokhara University, Nepal and is pursuing a PhD in computer science at MSU under the
advisorship of Dr. Ramkumar. His current research interests include event detection in
high speed networks and machine learning.