Tesi sul tema "Network services"

We developed a price-based resource allocation scheme for Differentiated Service (DiffServ) data networks. The DiffServ framework was proposed to provide multiple QoS classes over IP networks. Since the provider supports multiple service classes, we need a differentiated pricing scheme, as supposed to the flat-rate scheme employed by the Internet service providers of today. Charging efficiently is a big issue. The utility of a client correlates to the amount of bandwidth allocated. One difficulty we face is that determining the appropriate amount of bandwidth to provision and allocate is problematic due to different time scales, multiple QoS classes and the unpredictable nature of users. To approach this problem, we designed a pricing strategy for Admission Control and bandwidth assignment. Despite the variety of existing pricing strategies, the common theme is that the appropriate pricing policy rewards users for behaving in ways to improve the overall utilization and performance of the network. Among existing schemes, we chose auction because it is scalable, and efficiently and fairly shares resources. Our pricing model takes the system's availability and each customer's requirements as inputs and outputs the set of clients who are admitted into the network and their allocated resource. Each client proposes a desired bandwidth and a price that they are willing to pay for it. The service provider collects this information and produces parameters for each class of service they provide. This information is used to decide which customers to admit. We proposed an optimal solution to the problem of maximizing the provider's revenue for the special case where there is only one bottleneck link in the network. Then for the generalized network, we resort to a simple but effective heuristic method. We validate both the optimal solution and the heuristic algorithm with simulations driven by a real traffic scenario. Finally, we allow customers to bid on the duration for which the service is needed. Then we study the performance of those heuristic algorithms in this new setting and propose possible improvements.

As the size and complexity of the internet increased dramatically in recent years,the burden of network service management also became heavier. The need foran intelligent way for data analysis and forecasting becomes urgent. The wideimplementation of machine learning and data analysis methods provides a newway to analyze large amounts of data.In this project, I study and evaluate data forecasting methods using machinelearning techniques and time series analysis methods on data collected fromthe KTH testbed. Comparing different methods with respect to accuracy andcomputing overhead I propose the best method for data forecasting for differentscenarios.The results show that machine learning techniques using regression can achievebetter performance with higher accuracy and smaller computing overhead. Timeseries data analysis methods have relatively lower accuracy, and the computingoverhead is much higher than machine learning techniques on the datasetsevaluated in this project.
Eftersom storleken och komplexiteten på internet har ökat dramatiskt under de senaste åren så har belastningen av nätverkshantering också blivit tyngre. Behovet av ett intelligent sätt för dataanalys och prognos blir brådskande. Den breda implementeringen av maskininlärningsmetoder och dataanalysmetoder ger ett nytt sätt att analysera stora mängder data.I detta projekt studerar och utvärderar jag dataprognosmetoder med hjälp av maskininlärningstekniker och analyser av tidsserier som samlats in från KTHtestbädden. Baserat på jämförelse av olika metoder med avseende på noggrannhet och beräkningskostnader, så föreslår jag föreslår den bästa metoden för dataprognoser för olika scenarier.Resultaten visar att maskininlärningstekniker som använder regression kan uppnå bättre prestanda med högre noggrannhet och mindre datoromkostnader. Metoderför dataanalys av tidsserier har relativt lägre noggrannhet, och beräkningsomkostnaderna är mycket högre än maskininlärningstekniker på de datauppsättningar som utvärderatsi detta projekt.

Multicast has long been considered an attractive service for the Internet for the provision of multiparty applications. For over a decade now multicast has been a proposed IETF standard. Though there is a strong industry push towards deploying multicast, there has been little multicast deployment by commercial Internet Service Providers (ISPs) and more importantly most end-users still lack multicast capabilities. Depending on the underlying network infrastructure, the ISP has several options of implementing his multicast capabilities. With significantly faster and more sophisticated protocols being designed and prototyped, it is expected that a whole new gamut of applications that are delay sensitive will come into being. However, the incentives to resolve the conflicting interests of the ISPs and the end-users have to be provided for successful implementation of these protocols. Thus we arrive at the following economic questions: What is the strategy that will enable the ISP recover his costs ? How can the end-user be made aware of the cost of his actions ? Naturally, the strategies of the ISP and the end-user depend on each other and form an economic game. The research problems addressed in this thesis are: A pricing model that is independent of the underlying transmission protocols is prefered. We have proposed such a pricing scheme for multicast independent of the underlying protocols, by introducing the concept of pricing points* These pricing points provide a range of prices that the users can expect during a particular time period and tune their usage accordingly. Our pricing scheme makes both the sender and receiver accountable. Our scheme also provides for catering to heterogeneous users and gives incentive for differential pricing. We explore a number of formulations of resource allocation problems arising in communication networks as optimization models. Optimization-based methods were only employed for unicast congestion control. We have extended this method for single rate multicast. We have also devised an optimization-based approach for multicast congestion control that finds an allocation rate to maximize the social welfare. Finally we also show that the session-splitting problem can also be cast as an optimization problem. The commonly used "max-min" fairness criteria suffers from serious limitations like discriminating sessions that traverse large number of links and poor network utilization. We provide an allocation scheme that reduces discrimination towards multicast sessions that traverse many links and also improves network utilization.

The telecommunications industry is undergoing a fundamental revolution with the introduction of intelligent networks. In this thesis, we first give an overview of the intelligent network, which includes the review of the motivation, technology, evolution, standards, components and the open issues of the intelligent network. The emphasis of the thesis is put on the intelligent network service creation. Three AIN (Advanced Intelligent Network) services, namely, the call by name, the automatic telephone directory service and the information query service, are designed and implemented in the AIN Service Creation Environment (SCE). An AIN multimedia fax service which is a novel application of the AIN technology is proposed. With a gateway between the telephone network and the Internet, we use AIN to provide automatic addressing, dynamic routing and flexible selecting of document type for the multimedia fax service. The idea and the technique used in this AIN multimedia fax service bring up a new AIN service opportunity which allows telephone subscribers to access abundant Internet resources. The performance of this service is evaluated based on the simulation model of priority queuing system.

This master project examines whether there is an existing model fordescribing network topologies in abstract and generic manner. I alsolooked for networking protocols for exchanging network topologiesand handling of dynamically creation of circuit connections acrossdomains. I?ve also been working on a prototype for visualization ofnetwork topologies using Network Administration Visualized (NAV)as a data backend, and further to check the possibilities to use thefound topology model in my prototype.My findings shows that there is progress towards creating a stan-dard topology model to describe network topologies in an abstractand generic manner. There is also progress in creating a network ar-chitecture with networking protocols for exchanging network topolo-gies across domains and providing a connection reservation service tohandle creation of dynamically circuit connections. Prototype showsthere is lots of ideas for further works on what to implement in re-gards of the found network topology model and networking systemsthat was found.

In the last 15 years, the adoption of enterprise level data networks had increased dramatically. This is mainly due to reasons, such as better use of IT resources, and even better coordination between departments and business units. These great demands have fuelled the push for better and faster connectivity to and from these networks, and even within the networks. We have moved from the slow 10Mbps to 1Gbps connectivity for end-point connections and moved from copper-based ISDN to fibre-linked connections for enterprise connections to the Internet. We now even include wireless network technologies in the mix, because of the greater convenience it offers. Such rapid progress is accompanied by ramifications, especially if not all aspects of networking technologies are improved linearly. Since the 1960s and 1970s, the only form of security had been along the line of authentication and authorisation. This is because of the widely used mainframes in that era. When the Internet and, ultimately, the wide-spread use of the Internet influxed in the 1980s, network security was born, and it was not until the late 1980s that saw the first Internet Worm that caused damage to information and systems on the Internet. Fast forward to today, and we see that although we have come a long way in terms of connectivity (connect to anywhere, and anytime, from anywhere else), the proposed use of network security and network security methods have not improved very much. Microsoft Windows XP recently switched from using their own authentication method, to the use of Kerberos, which was last revised 10 years ago. This thesis describes the many problems we face in the world of network security today, and proposes several new methods for future implementation, and to a certain extend, modification to current standards to encompass future developments. Discussion will include a proposed overview of what a secure network architecture should include, and this will lead into several aspects that can be improved on. All problems identified in this thesis have proposed solutions, except for one. The critical flaw found in the standard IEEE802.11 wireless technology was discovered during the course of this research. This flaw is explained and covered in great detail, and also, an explanation is given as to why this critical flaw is not fixable.

In the last 15 years, the adoption of enterprise level data networks had increased dramatically. This is mainly due to reasons, such as better use of IT resources, and even better coordination between departments and business units. These great demands have fuelled the push for better and faster connectivity to and from these networks, and even within the networks. We have moved from the slow 10Mbps to 1Gbps connectivity for end-point connections and moved from copper-based ISDN to fibre-linked connections for enterprise connections to the Internet. We now even include wireless network technologies in the mix, because of the greater convenience it offers. Such rapid progress is accompanied by ramifications, especially if not all aspects of networking technologies are improved linearly. Since the 1960s and 1970s, the only form of security had been along the line of authentication and authorisation. This is because of the widely used mainframes in that era. When the Internet and, ultimately, the wide-spread use of the Internet influxed in the 1980s, network security was born, and it was not until the late 1980s that saw the first Internet Worm that caused damage to information and systems on the Internet. Fast forward to today, and we see that although we have come a long way in terms of connectivity (connect to anywhere, and anytime, from anywhere else), the proposed use of network security and network security methods have not improved very much. Microsoft Windows XP recently switched from using their own authentication method, to the use of Kerberos, which was last revised 10 years ago. This thesis describes the many problems we face in the world of network security today, and proposes several new methods for future implementation, and to a certain extend, modification to current standards to encompass future developments. Discussion will include a proposed overview of what a secure network architecture should include, and this will lead into several aspects that can be improved on. All problems identified in this thesis have proposed solutions, except for one. The critical flaw found in the standard IEEE802.11 wireless technology was discovered during the course of this research. This flaw is explained and covered in great detail, and also, an explanation is given as to why this critical flaw is not fixable.

Network virtualization and overlay networks have emerged as powerful tools for improving the flexibility of the Internet. Overlays are used to provide a wide range of useful services in today's networking environment, and they are also viewed as important building blocks for an agile and evolvable future Internet. Regardless of the specific service it provides, an overlay needs assistance in several areas in order to perform properly throughout its existence. This dissertation focuses on the mechanisms underlying the provision of auxiliary support services that perform control and management functions for overlays, such as overlay assignment, resource allocation, overlay monitoring and diagnosis. The priorities and objectives in the design of such mechanisms depend on network conditions and the virtualization environment. We identify opportunities for improvements that can help provide auxiliary services more effectively at different overlay life stages and under varying assumptions. The contributions of this dissertation are the following: 1. An overlay assignment algorithm designed to improve an overlay's diagnosability, which is defined as its property to allow accurate and low-cost fault diagnosis. The main idea is to increase meaningful sharing between overlay links in a controlled manner in order to help localize faults correctly with less effort. 2. A novel definition of bandwidth allocation fairness in the presence of multiple resource sharing overlays, and a routing optimization technique to improve fairness and the satisfaction of overlays. Evaluation analyzes the characteristics of different fair allocation algorithms, and suggests that eliminating bottlenecks via custom routing can be an effective way to improve fairness. 3. An optimization solution to minimize the total cost of monitoring an overlay by determining the optimal mix of overlay and native links to monitor, and an analysis of the effect of topological properties on monitoring cost and the composition of the optimal mix of monitored links. We call our approach multi-layer monitoring and show that it is a flexible approach producing minimal-cost solutions with low errors. 4. A study of virtual network embedding in software defined networks (SDNs), identifying the challenges and opportunities for embedding in the SDN environment, and presenting two VN embedding techniques and their evaluation. One objective is to balance the stress on substrate components, and the other is to minimize the delays between VN controllers and switches. Each technique optimizes embedding for one objective while keeping the other within bounds.

The explosive growth in worldwide communication via the Internet has increased the reliance oforganizations and individuals on the electronically transmitted information, which consequentlycreated rising demands to protect data from information leakage, corruption or alteration duringtransmission. Various security service requirements are demanded among different applications andcustomers with consideration of respective data sensitivity level, performance requirement andmonetary investment. It becomes important to provide end-to-end security service commitment tosatisfy the diverse customers needs. We expect the Quality of Protection (QoP) to fulfill end-to-endsecurity service commitment to be integrated within the emerging QoS networks to support secure QoSInternet service. For clarity, we call both of QoP and QoS ?Quality of Network Services? (QoNS).The security issues surrounding the QoNS (QoP and QoS) provisioning have been studied in my PhDresearch. The thesis is composed of two main parts, i.e. QoP security and QoS security. First, thepolicy issues of QoP security service are analyzed and automatic policy generation algorithms arepresented. Furthermore, a signaling protocol is designed to provide end-to-end security service forQoP. The protocol is designed to be secure to protect messages against possible forgery andmodification attacks. Second, the threats to the QoS signaling protocol RSVP are analyzed andcountermeasures are proposed. In addition, the intrusion detection methods for QoS attacks directly ondata flow are investigated and experimented.

The complex environment of a living cell contains many molecules interacting in a variety of ways. Examples include the physical interaction between two proteins, or the biochemical interaction between an enzyme and its substrate. A challenge of systems biology is to understand the network of interactions between biological molecules, derived experimentally or computationally. Sophisticated dynamic modelling approaches provide detailed knowledge about single processes or individual pathways. However such methods are far less tractable for holistic cellular models, which are instead represented at the level of network topology. Current network analysis packages tend to be standalone desktop tools which rely on local resources and whose operations are not easily integrated with other software and databases. A key contribution of this thesis is an extensible toolkit of biological network construction and analysis operations, developed as web services. Web services are a distributed technology that enable machine-to-machine interaction over a network, and promote interoperability by allowing tools deployed on heterogeneous systems to interface. A conceptual framework has been created, which is realised practically through the proposal of a common graph format to standardise network data, and the investigation of open-source deployment technologies. Workflows are a graph of web services, allowing analyses to be carried out as part of a bigger software pipeline. They may be constructed using web services within the toolkit together with those from other providers, and can be saved, shared and reused, allowing biologists to construct their own complex queries over various tools and datasets, or execute pre-constructed workflows designed by expert bioinformaticians. Biologically relevant results have been produced as a result of this approach. One very interesting hypothesis has been generated regarding the regulation of yeast glycolysis by a protein found to interact with seven glycolytic enzymes. This has implied a potentially novel regulatory mechanism whereby the protein in question binds these enzymes to form an 'energy production unit'. Also of interest are workflows which identify termini (system inputs and outputs), and cycles, which are crucial for acquiring a physiological perspective on network behaviour.

This study develops an integrated framework to improve understanding of network learning and value creation in global engineering services (GES). Network learning is the process that enhances firm performance through better knowledge and understanding. Prior research has developed GES network learning and value creation as a set of independent processes with customers, suppliers or intra-firm engineering units. Their practices have been fragmented, facilitating either inter- or intra-firm network learning and focusing on either GES efficiency or innovation. The absence of an integrated approach to network learning makes it difficult for researchers to understand, and for GES firms to manage. A more holistic understanding of GES network learning is urgently needed for firms to compete effectively in an ever-changing global market. This research develops the theory of integrated GES network learning and value creation through a multiple case study. It integrates existing insights from multiple streams of research, and builds on these to explore network learning within three GES firms. The empirical study reveals an integrated network learning process adopted across customers, suppliers and intra-firm engineering units which enhances GES efficiency, flexibility and innovation. It clarifies the interrelated knowledge acquisition and development processes and supporting boundary spanning mechanisms within network learning. These processes and mechanisms are integrated in a framework that offers a more holistic view of GES network learning. The framework contributes conceptually to the literature on network learning in GES and offers managerial implications for firms to facilitate integrated network learning for effective GES value creation.

On the way towards a low carbon electricity system, flexibility has become one of the main sources for achieving it. Flexibility can be understood as the ability of a power system to cope with the variability and uncertainty of demand and supply. Both the generation-side and the demand-side can provide it. This research is focused on the role of the demand-side flexibility for providing a service to the distribution system operator, who manages the medium and low-voltage network. By activating this flexibility from the demand-side to the distribution network operator, the latter can avoid or mitigate congestions in the network and prevent grid reinforcement. This thesis starts with analyzing the current state of the art in the field of local electricity markets, setting the baseline for flexibility products in power systems. As a result of the previous analysis, the definition of flexibility is developed more specifically, considering the flexible assets to be controlled, the final client using this flexibility and the time horizon for this flexibility provision. Following the previous step, an aggregated flexibility forecast model is developed, considering a flexibility portfolio based on different flexible assets such as electric vehicles, water boilers, and electric space heaters. The signal is then modeled under a system-oriented approach for providing a service to the distribution network operator under the operation timeline on a day-ahead basis. The flexibility required by the distribution network operator is then calculated through an optimization problem, considering the flexibility activation costs and the network power flow constraints. Finally, since this scenario aims to lower the environmental impacts of the power system, its sustainability is assessed with the life-cycle assessment, considering the entire life cycle and evaluating it in terms of greenhouse gas emissions. This approach enhances the analysis of the potential role of flexibility in the power system, quantifying whether, in all cases, there is a reduction of emissions when shifting the consumption from peak hours to non-peak hours.
En el camí cap a un sistema elèctric amb baixes emissions de carboni, la flexibilitat s'ha convertit en una de les principals fonts per aconseguir-ho. La flexibilitat es pot entendre com la capacitat d'un sistema de reaccionar davant la variabilitat i la incertesa provocades per la demanda i la generació. Tant la part de la generació com el costat de la demanda tenen actius per a poder proporcionar-ho. La recerca presentada en aquest manuscrit està enfocada en el paper de la flexibilitat oferta per la demanda, per a proporcionar un servei a l'operador del sistema de distribució, que gestiona les xarxes de mitja i baixa tensió. Gràcies a l'activació de la flexibilitat de la demanda, l'operador de les xarxes de distribució pot evitar o mitigar la congestió de la xarxa i evitar-ne les inversions per a reforçar-la, així com el seu impacte ambiental. Aquesta tesi comença amb l'anàlisi de l'estat de l'art en el camp dels mercats d'electricitat locals, establint-ne la línia base per a la definició dels productes de flexibilitat en els sistemes elèctrics. Com a resultat de l'estudi anterior, la definició de flexibilitat es desenvolupa més específicament, considerant els actius flexibles que han de controlar-se, el client final que utilitza aquesta flexibilitat i l'horitzó temporal per a aquesta disposició de flexibilitat. A continuació es desenvolupa un model de predicció de flexibilitat agregada, considerant una cartera de flexibilitat basada en diferents actius flexibles, com ara vehicles elèctrics, calderes d'aigua i escalfadors elèctrics, gestionats per la figura de l’agregador. El senyal es modela sota un enfocament orientat al sistema per proporcionar un servei a l'operador de la xarxa de distribució, per un horitzó temporal corresponent a l'operació de la xarxa de mitja i baixa tensió. El resultat és un model de la flexibilitat que pot oferir l’agregador. Una vegada desenvolupat el model de flexibilitat pel costat de l’agregador, la tesi s’enfoca al càlcul de la flexibilitat requerida per l’operador de la xarxa de distribució. Això es desenvolupa mitjançant un problema d'optimització, tenint en compte els costos d'activació de la flexibilitat, la localització dels punts on s’injectarà la flexibilitat i les restriccions de flux de potència de la xarxa de distribució. Finalment, atès que aquest escenari pretén reduir l'impacte mediambiental del sistema elèctric, la seva sostenibilitat s'avalua considerant tot el cicle de vida de les tecnologies que hi participen, i avaluant-la en termes d'emissions de gasos d'efecte d'hivernacle. L'ús d'aquest enfocament millora l'anàlisi del potencial paper de la flexibilitat en el sistema elèctric, quantificant si, en tots els casos, hi ha una reducció de les emissions traslladant el consum de les hores punta a hores vall.
Enginyeria elèctrica

Securing a cloud network is an important challenge for delivering cloud services to cloud users. There are a number of secure network protocols, such as VPN protocols, currently available to provide different secure network solutions for enterprise clouds. For example, PPTP, L2TP, GRE, IPsec and SSL/TLS are the most widely used VPN protocols in today’s securing network solutions. However, there are some significant challenges in the implementation stage. For example, which VPN solution is easy to deploy in delivering cloud services? Which solution can provide the best network throughput in delivering the cloud services? Which solution can provide the lowest network latency in delivering the cloud services? This thesis addresses these issues by implementing different VPNs in a test bed environment set up by the Cisco routers. Open source measurement tools will be utilized to acquire the results. This thesis also reviews cloud computing and cloud services and look at their relationships. It also explores the benefits and the weaknesses of each securing network solution. The results can not only provide experimental evidence, but also facilitate the network implementers in development and deployment of secure network solutions for cloud services.
Master of Computing (Research)

Thesis (M.S. in Computer Science) Naval Postgraduate School, March 1999.
Thesis advisor(s): Cynthia E. Irvine, James P. Anderson. "March 1999:. Includes bibliographical references (p. 213-215). Also available online.

To reduce the cost and complexity of the current DoD information infrastructure, a Multilevel Secure (MLS) network solution eliminating hardware redundancies is required. Implementing a high assurance MLS LAN requires the ability to extend a trusted path over a TCP/IP network. No high assurance network trusted path mechanisms currently exist. We present a design and proof- of-concept implementation for a Secure LAN Server that provides the trusted path between a trusted computing base extension (TCBE) servicing a COTS PC and protocol servers executing at single sensitivity levels on the XTS-300. The trusted path establishes high assurance communications (over a TCP/IP network) between a TCBE and the Secure LAN Server. This trusted channel is used first for user authentication, then as a trusted relay between the protocol server and TCBE. All transmitted data passed over the LAN can be protected by encryption, providing assurance of integrity and confidentiality for the data. This thesis documents the implementation of a demonstration prototype Secure LAN Server using existing technology, including high assurance systems, COTS hardware, and COTS software, to provide access to multilevel data in a user-friendly environment. Our accomplishment is crucial to the development of a full scale MLS LAN.

The motivation behind this thesis is to develop a procedure for internetworking the Defense Data Network (DDN) with an Integrated Services Digital Network (ISDN). To accomplish this internetworking problem an integrated gateway must be designed to compensate for incompatibilities between the two networks. This thesis approaches this problem by giving a description of the two networks, DDN and ISDN, and also presenting a general approach to gateway design. This information is then combined into a detailed procedure for implementing a gateway to internetwork the DDN and ISDN. This is followed by a discussion of the practical aspects of the DDN/ISDN internetworking problem.

Geoinformatics field of science becomes more and more important nowadays. This is not only because it is crucial for industry, but it also plays more important role in consumer electronics than ever before. The ongoing demand for complex solutions gave a rise to SOA1 architecture in enterprise and geographical field. The topic that is currently being studied is interoperability between different geospatial services. This paper makes a proposal for a master thesis that tries to add another way of chaining different geospatial services. It describes the current state of knowledge, possible research gap and then goes into the details on design and execution part. Final stage is the summary of expected outcomes. The result of this proposal is a clearly defined need for a research in the outlined area of knowledge.
Contact details: email: dawidnejman@gmail.com phone: +48 511-139-190

Configuration capabilities are important for modern advanced network services. Network conditions and user populations have been significantly diversified after decades of evolution of the Internet. Configuration capabilities allow network services to be adapted to spatial, temporal, and managerial variations in application requirements and service operation conditions. Network service providers need to decide on the best configuration. Ideally, a network service should have all of its components optimally configured to most effectively deliver the functionality for which it was designed. The optimal configuration, however, is always a compromise between different metrics. To decide on an optimal configuration, the prominent performance and cost metrics must be identified, modeled, and quantified. Optimization objective functions and constraints that combine these metrics should be formulated and optimization techniques should be developed. More important, in the scenarios where the application requirements and system conditions change over time, the service configuration needs to be dynamically adjusted and strategies that guide the reconfiguration decisions need to be developed. Because the actual process of configuring a network service incurs configuration costs, an optimal reconfiguration strategy should be one that achieves a tradeoff between the (re)configuration costs and static optimization objectives. Furthermore, such tradeoffs must be based on the consideration of long-term benefits instead of short-term interest. This thesis focuses on understanding the strategies for dynamic (re)configuration of advanced network services positioned above the Transport Layer. Specifically, this thesis investigates the configuration and more important dynamic reconfiguration strategies for two types of advanced network services: Service Overlay Networks, and Content Resiliency Service Networks. Unlike those network services whose configuration involves mainly arrangement of hard-wired components, these network services have the ability to change service configuration in small time scales. This makes the modeling of application requirements and system condition dynamics not only possible but also meaningful and potentially useful. Our goal is to develop modeling and optimization techniques for network service configuration and dynamic reconfiguration policies. We also seek to understand how effective techniques can improve the performance or reduce the cost of these advanced network services, thus demonstrating the advantage of allowing configurability in these advanced network services.

Thesis (M.S. in Systems Technology) Naval Postgraduate School, June 1999.
"June 1999". Thesis advisor(s): John C. McEachen, Dan C. Boger. Includes bibliographical references (p. 84). Also avaliable online.

This thesis evaluates the Differentiated Services (diffserv) mechanism proposed by IETF to provide QoS and resource reservation under bursty web traffic. Particularly, the performance of Weighted Fair Queuing (WFQ) algorithm is studied, using two-node and multiple link network configuration. A self-similar realistic web workload model generating aggregation of web-accessing traffic flows is developed and used to evaluate the performance, as well as other multimedia applications. Our analysis reveals that due to the burstiness of web traffic, diffserv cannot achieve all the desired QoS guarantees, especially packet delay and jitter. Three mainstream multimedia applications are modeled and analyzed in the Diffserv network with our realistic web traffic model as background traffic. Finally, our performance analysis also demonstrates that in more realistic network environment, only bi-directional resource reservation can provide to the customers QoS guarantees in Diffserv network. Several scenarios of aggregations of applications traffic flows are used to evaluate the performance, such as short-lived web traffic and non-adaptive UDP traffic.

With the increasing growth of communication networks, systems, and devices,technology has driven much research and development on a variety of communication protocols, applications, and smart devices. As a result, a variety of heterogeneous networks, de facto and standards have emerged. In parallel, users are also demanding to seamlessly use any device on any network infrastructure within this heterogeneous environment. To go beyond this problem, one of solutions is deploying service entities to be served in/on the network. The services can be composed of many independent service entities to redirect the communication flow combined with pipelined transformations. The service in the network can start from an application to intercept the user flow in a range of formats, originating in different access networks, and deliver them appropriately formatted for a particular end terminal based on the other end user preferences. To provide independent services to be served within the network, we have created a decentralized virtual market-place, which facilitates a place for services to be traded, discovered, and composed between providers and consumers. This approach of virtual market based on a decentralized system is leading to many advantages and challenges compared to other traditional network services. This thesis presents a novel approach towards using market management techniques to improve cooperation among traders in the community, while enhancing the community-oriented network service architecture. Without the centralized control, the decentralized virtual market-place requires the inclusion of techniques to provide better incentives. Given such incentives, rational traders will choose to behave co-operatively and contribute their resources to maximize the efficiency of the community. This will allow an application with dramatically improved utility, efficiency, and robustness and hence enable whole new domains of use. The viability of the decentralized virtual market-place is demonstrated using a prototype implementation and simulation system. The results have clearly shown that the decentralized virtual market-place can improve and overcome the major problems of most existing network service models.

In the recent years, social network services, such as Facebook or LinkedIn, have experienced an exponential growth. People enjoy their functionalities, such as sharing photos, finding friends, looking for jobs, and in general, they appreciate the social benefits that social networks provide. However, as using social network has become routine for many people, privacy breaches that may occur in social network services have increased users' concerns. For example, it is easy to find news about people being fired because of something they shared on a social network. To enable people define their privacy settings, service providers employ simple access controls which usually rely exclusively on lists or circles of friends. Although these access controls are easy to configure by average users, research literature points out that they are lacking elements, such as tie strength, that play a key role when users decide what to share and with whom. Additionally, despite the simplicity of current access controls, research on privacy on social media reports that people still struggle to effectively control how their information flows on these services. To provide users with a more robust privacy framework, related literature proposes a new paradigm for access controls based on relationships. In contrast to traditional access controls where permissions are granted based on users and their roles, this paradigm employs social elements such as the relationship between the information owner and potential viewers (e.g., only my siblings can see this photo). Access controls that follow this paradigm provide users with mechanisms for disclosure control that represent more naturally how humans reason about privacy. Furthermore, these access controls can deal with specific issues that social network services present. Specifically, users often share information that concerns many people, especially other members of the social network. In such situations, two or more people can have conflicting privacy preferences; thus, an appropriate sharing policy may not be apparent. These situations are usually identified as multiuser privacy scenarios. Since relationship based access controls are complex for the average social network user, service providers have not adopted them. Therefore, to enable the implementation of such access controls in current social networks, tools and mechanisms that facilitate their use must be provided. To that aim, this thesis makes five contributions: (1) a review of related research on privacy management on social networks that identifies pressing challenges in the field, (2) BFF, a tool for eliciting automatically tie strength and user communities, (3) a new access control that employs communities, individual identifiers, tie strength, and content tags, (4) a novel model for representing and reasoning about multiuser privacy scenarios, employing three types of features: contextual factors, user preferences, and user arguments; and, (5) Muppet, a tool that recommends sharing policies in multiuser privacy scenarios.
En los últimos años, los servicios de redes sociales, como Facebook o LinkedIn, han experimentado un crecimiento exponencial. Los usuarios valoran positivamente sus muchas funcionalidades tales como compartir fotos, o búsqueda de amigos y trabajo. En general, los usuarios aprecian los beneficios que las redes sociales les aportan. Sin embargo, mientras el uso de redes sociales se ha convertido en rutina para mucha gente, brechas de privacidad que pueden ocurrir en redes sociales han aumentado los recelos de los usuarios. Por ejemplo, es sencillo encontrar en las noticias casos sobre personas que han perdido su empleo debido a algo que compartieron en una red social. Para facilitar la definición de los ajustes de privacidad, los proveedores de servicios emplean controles de acceso sencillos que normalmente se basan, de forma exclusiva, en listas o círculos de amigos. Aunque estos controles de acceso son fáciles de configurar por un usuario medio, investigaciones recientes indican que éstos carecen de elementos tales como la intensidad de los vínculos personales, que juegan un papel clave en cómo los usuarios deciden qué compartir y con quién. Además, a pesar de la simplicidad de los controles de acceso, investigaciones sobre privacidad en redes sociales señalan que los usuarios han de esforzarse para controlar de forma efectiva como su información fluye en estos servicios. Para ofrecer a los usuarios un marco de privacidad más robusto, trabajos recientes proponen un nuevo paradigma para controles de acceso basado en relaciones. A diferencia de los controles de acceso tradicionales donde los permisos se otorgan en base a usuarios y sus roles, este paradigma emplea elementos sociales como la relación entre el propietario de la información y su audiencia potencial (por ejemplo, sólo mis hermanos pueden ver la foto). Los controles de acceso que siguen este paradigma ofrecen a los usuarios mecanismos para el control de la privacidad que representan de una forma más natural como los humanos razonan sobre cuestiones de privacidad. Además, estos controles de acceso pueden lidiar con problemáticas específicas que presentan las redes sociales. Específicamente, los usuarios comparten de forma habitual información que atañe a muchas personas, especialmente a otros miembros de la red social. En tales situaciones, dos o más personas pueden tener preferencias de privacidad que entran en conflicto. Cuando esto ocurre, no hay una configuración correcta de privacidad que sea evidente. Estas situaciones son normalmente identificadas como escenarios de privacidad multiusuario. Dado que los controles de acceso basados en relaciones son complejos para el usuario promedio de redes sociales, los proveedores de servicios no los han adoptado. Por lo tanto, para permitir la implementación de tales controles de acceso en redes sociales actuales, es necesario que se ofrezcan herramientas y mecanismos que faciliten su uso. En este sentido, esta tesis presenta cinco contribuciones: (1) una revisión del estado del arte en manejo de privacidad en redes sociales que permite identificar los retos más importantes en el campo, (2) BFF, una herramienta para obtener automáticamente la intensidad de los vínculos personales y las comunidades de usuarios, (3) un nuevo control de acceso que emplea comunidades, identificadores individuales, la intensidad de los vínculos personales, y etiquetas de contenido, (4) un modelo novedoso para representar y razonar sobre escenarios de privacidad multiusario que emplea tres tipos de características: factores contextuales, preferencias de usuario, y argumentos de usuario; y, (5) Muppet, una herramienta que recomienda configuraciones de privacidad en escenarios de privacidad multiusuario.
En els darrers anys, els servicis de xarxes socials, com Facebook o LinkedIn, han experimentat un creixement exponencial. Els usuaris valoren positivament les seues variades funcionalitats com la compartició de fotos o la cerca d'amics i treball. En general, els usuaris aprecien els beneficis que les xarxes socials els aporten. No obstant això, mentre l'ús de les xarxes socials s'ha convertit en rutina per a molta gent, bretxes de privacitat que poden ocórrer en xarxes socials han augmentat els recels dels usuaris. Per exemple, és senzill trobar notícies sobre persones que han perdut el seu treball per alguna cosa que compartiren a una xarxa social. Per facilitar la definició dels ajustos de privacitat, els proveïdors de servicis empren controls d'accés senzills que normalment es basen, de forma exclusiva, en llistes o cercles d'amics. Encara que aquests controls d'accés són fàcils d'emprar per a un usuari mitjà, investigacions recents indiquen que aquests manquen elements com la força dels vincles personals, que juguen un paper clau en com els usuaris decideixen què compartir i amb qui. A més a més, malgrat la simplicitat dels controls d'accés, investigacions sobre privacitat en xarxes socials revelen que els usuaris han d'esforçar-se per a controlar de forma efectiva com fluix la seua informació en aquests servicis. Per a oferir als usuaris un marc de privacitat més robust, treballs recents proposen un nou paradigma per a controls d'accés basat en relacions. A diferència dels controls d'accés tradicionals on els permisos s'atorguen segons usuaris i els seus rols, aquest paradigma empra elements socials com la relació entre el propietari de la informació i la seua audiència potencial (per exemple, sols els meus germans poden veure aquesta foto). Els controls d'accés que segueixen aquest paradigma ofereixen als usuaris mecanismes per al control de la privacitat que representen d'una forma més natural com els humans raonen sobre la privacitat. A més a més, aquests controls d'accés poden resoldre problemàtiques específiques que presenten les xarxes socials. Específicament, els usuaris comparteixen de forma habitual informació que concerneix moltes persones, especialment a altres membres de la xarxa social. En aquestes situacions, dues o més persones poden tindre preferències de privacitat que entren en conflicte. Quan açò ocorre, no hi ha una configuració de privacitat correcta que siga evident. Aquestes situacions són normalment identificades com escenaris de privacitat multiusari. Donat que els controls d'accés basats en relacions són complexos per a l'usuari mitjà de xarxes socials, els proveïdors de servicis no els han adoptat. Per tant, per a permetre la implementació d'aquests controls d'accés en xarxes socials actuals, és necessari oferir ferramentes i mecanismes que faciliten el seu ús. En aquest sentit, aquesta tesi presenta cinc contribucions: (1) una revisió de l'estat de l'art en maneig de privacitat en xarxes socials que permet identificar els reptes més importants en el camp, (2) BFF, una ferramenta per a obtenir automàticament la força dels vincles personals i les comunitats d'usuaris, (3) un nou control d'accés que empra comunitats, identificadors individuals, força dels vincles personals, i etiquetes de contingut, (4) un model nou per a representar i raonar sobre escenaris de privacitat multiusari que empra tres tipus de característiques: factors contextuals, preferències d'usuari, i arguments d'usuaris; i, (5) Muppet, una ferramenta que recomana configuracions de privacitat en escenaris de privacitat multiusuari.
López Fogués, R. (2017). Enhancing Privacy Management on Social Network Services [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/85978
TESIS

Network virtualization allows operators to host multiple client services over their base physical infrastructures. Today, this technique is being used to support a wide range of applications in cloud computing services, content distribution, large data backup, etc. Accordingly, many different algorithms have also been developed to achieve efficient mapping of client virtual network (VN) requests over physical topologies consisting of networking infrastructures and datacenter compute/storage resources. However as applications continue to expand, there is a growing need to implement scheduling capabilities for virtual network demands in order to improve network resource utilization and guarantee quality of service (QoS) support. Now the topic of advance reservation (AR) has been studied for the case of scheduling point-to-point connection demands. Namely, many different algorithms have been developed to support various reservation models and objectives. Nevertheless, few studies have looked at scheduling more complex "topology-level'' demands, including virtual network services. Moreover, as cloud servers expand, many providers want to ensure user quality support at future instants in time, e.g., for special events, sporting venues, conference meetings, etc. In the light of above, this dissertation presents one of the first studies on advance reservation of virtual network services. First, the fixed virtual overlay network scheduling problem is addressed as a special case of the more generalized virtual network scheduling problem and a related optimization presented. Next, the complete virtual network scheduling problem is studied and a range of heuristic and meta-heuristic solutions are proposed. Finally, some novel flexible advance reservation models are developed to improve service setup and network resource utilization. The performance of these various solutions is evaluated using various methodologies (discrete event simulation and optimization tools) and comparisons made with some existing strategies.

Thesis (M.S. in Information Systems and Operations)--Naval Postgraduate School, March 2007.
Thesis Advisor(s): Alex Bordetsky. "March 2007." Includes bibliographical references (p. 161-163). Also available in print.

Thesis (M.S.)--School of Computing and Engineering. University of Missouri--Kansas City, 2004.
"A thesis in computer science." Typescript. Advisor: Cory Beard. Vita. Title from "catalog record" of the print edition Description based on contents viewed Feb. 24, 2006. Includes bibliographical references (leaves 76-80). Online version of the print edition.

Accelerated by on-demand computing, the number and diversity of the Internet services is increasing. Such online services often have unique requirements for the underlying wide-area network: For instance, online gaming service might benefit from low delay and jitter paths to client, while online data backup service might benefit from cheaper paths. Unfortunately, today's Internet does not accommodate fine-grained, service-specific wide-area route control. In this dissertation, I achieve the following goals: 1) improve the access to the routes, 2) quantify the benefits of fine-grained route control, and 3) evaluate the efficiency of current payment schemes for the wide-area routes. * Improving access to wide-area route control. Online services face significant technological and procedural hurdles in accessing the routes: Each service in need to control the Internet routes, has to obtain own equipment, Internet numbered resources, and establish contracts with upstream ISPs. In this dissertation, I propose and describe implementation and deployment of a secure and scalable system which provides on-demand access to the Internet routes. In setting such as cloud data center, the system can support multiple online services, providing each service with an illusion of direct connectivity to the neighboring Internet networks, which, for all practical purposes, allows services to participate fully in the Internet routing. * Quantifying the benefits of fine-grained route control. Even if online services are presented with wide-area route choice, it is not clear how much tangible benefit such choice provides. Most modern Online Service Providers (OSP) rely primarily on the content routing to improve network performance between the clients and the replicas. In this dissertation, I quantify the potential benefit the OSPs can gain if they perform a joint network and content routing. Among other findings, I find that by performing joint content and network routing, OSPs can achieve 22% larger latency reduction than can be obtained by content routing alone. * Modeling and evaluating the efficiency of the current payment schemes for wide-area routes. Finally, increasing diversity and sophistication of the online services participating in the Internet routing poses a challenge to payment models used in today's Internet. Service providers today charge business customers a blended rate: a single, "average" price for unit of bandwidth, without regard to cost or value of individual customer's flows. In my dissertation, I set to understand how efficient this payment model is and if more granular payment model, accounting for the cost and value of different flows could increase the ISP profit and the consumer surplus. I develop an econometric demand and cost model and map three real-world ISP data sets to it. I find that ISPs can indeed improve the economic efficiency with just a few pricing tiers.

The progress in the computing and communication industries together with the fast evolution of the semiconductor industry has made possible advances in the communications field. These advances have been used by other related applications to improve the services that they bring about. On the other hand, business crimes have increased three digits orders of magnitude in one decade, making from 20% to 30% of small businesses fail. These conditions demand new solutions to make security systems more reliable and efficient. The present work combines ISDN as a network with a security system to create a security network (SECNET). It will create intelligent and distributed security devices that communicate information from different places to a main security office by using the ISDN lines available at the premises. This work also introduces a new idea of individual equipment protection.

Semantic Web Services (SWS) are a facility towards full automation of service usage, providing seamless integration of services that are published and accessible on the Web. Based on Semanic Web technology SWS is simply a semantic annotation of the functionalitites and interfaces of Web Services. In the very same way that ontologies and metadata lanaguages will facilitate the integration of static data on the Web, the annotation of services wil help to facilitate the automation of service discovery, service composition, service contracting, and execution.In this thesis we demonstrate how SWS technology can be applied to a network management system (NMS), which can install SNMP managers during run-time in systems running TAPAS platform. Several reasoning applications are made and integrated with the existing system. In addition, we specify a set of Semantic Web Services described using OWL-S, in order to execute these applications.

Conventional wisdom suggests that in order to build a secure system, security must be an integral component in the system design. However, cost considerations drive most system designers to channel their efforts on the system's performance, scalability and usability. With little or no emphasis on security, such systems are vulnerable to a wide range of attacks that can potentially compromise confidentiality, integrity and availability of sensitive data. It is often cumbersome to redesign and implement massive systems with security as one of the primary design goals. This thesis advocates a proactive approach that cleanly retrofits security solutions into existing system architectures. The first step in this approach is to identify security threats, vulnerabilities and potential attacks on a system or an application. The second step is to develop security tools in the form of customizable and configurable plug-ins that address these security issues and minimally modify existing system code, while preserving its performance and scalability metrics. This thesis uses overlay network applications to shepherd through and address challenges involved in supporting security in large scale distributed systems. In particular, the focus is on two popular applications: publish/subscribe networks and VoIP networks. Our work on VoIP networks has for the first time identified and formalized caller identification attacks on VoIP networks. We have identified two attacks: a triangulation based timing attack on the VoIP network's route set up protocol and a flow analysis attack on the VoIP network's voice session protocol. These attacks allow an external observer (adversary) to uniquely (nearly) identify the true caller (and receiver) with high probability. Our work on the publish/subscribe networks has resulted in the development of an unified framework for handling event confidentiality, integrity, access control and DoS attacks, while incurring small overhead on the system. We have proposed a key isomorphism paradigm to preserve the confidentiality of events on publish/subscribe networks while permitting scalable content-based matching and routing. Our work on overlay network security has resulted in a novel information hiding technique on overlay networks. Our solution represents the first attempt to transparently hide the location of data items on an overlay network.

The combination of location-awareness and social networks has introduced systems containing an increased amount of protection-worthy personal information, creating the need for improved privacy control from a user point of view.End-user privacy requirements were derived from identified end-user privacy preferences. These requirements were used to evaluate current Location-Aware Social Network Services' (LASNSs') end-user privacy control as well as help develop relevant enhancements.These requirements allows users to be able to control (if they wish) which of the objects related to them are accessed by whom, in what way and under which conditions. Two enhancement ideas which together helps fulfill this requirement have been presented. The few LASNSs offering the user access control rule specification only provides a small list of pre-defined subjects (e.g. "Friends", "Everyone"). This list is too limited for specification of many fine-grained privacy preferences. With a more extensive implementation of Role Based Access Control (RBAC) in LASNSs, with the user as the system administrator of roles, users will be able to create roles (e.g "colleague", "close friend", "family"), assign them to their connections, and specify these roles as subjects in access control rules. The user will also be allowed to specify conditions, under which subject(s)/role(s) can access an object. These conditions can be based on system attributes of the object owner (e.g location), the subject requesting access (e.g age) or external attributes (e.g time). A suitable user-friendly access control user interface has been proposed, showing how this can be presented in an effective and understandable way to the user. A few example user privacy preferences, each one representing one of the identified end-user privacy control requirements have been translated from data sent to the system through the proposed interface, into formal languages like Datalog and XACML.Current end-user privacy control can be improved, by making more fine-grained access control rule specification possible, through the proposed enhancements, suitable both from an end-user perspective and from a developer's point of view.

Virtualization of servers and network infrastructure is an effective way to reduce hardware costs as well as power consumption. Today cloud systems are often used to handle virtualization of servers but lack the ability of deploy and configure network equipment. Facilitating network equipment configuration within a cloud environment, would make it possible to create complete virtual networks along with well known and proven features of cloud computing today. Our solution provides users with a graphical tool for easy and quick configuration of not only virtual machines but also virtual network equipment within a cloud environment. This makes it possible for a user to create advanced network topologies. Creating complete virtual networks like this using a single tool, will speed up configuration and minimize the errors that can occur when manually configuring multiple instances. The implemented software solution consists of two major parts, a graphical user interface (GUI) and a back-end server. The back-end server is responsible for handling communication between the user application and an underlying cloud platform, in this case OpenStack. The graphical user interface gives the user the possibility to draw networks and launch virtual machines using simple drag-and-drop features. It also monitors all the running virtual instances and physical machines, and alerts the user if a problem occurs. This project is the first step towards supporting global virtual networks spanning across multiple data centers. It shows that it is possible to create virtual networks using a cloud environment as a base.

The following thesis entails the development and a feasibility study for the integration of a Service Oriented Architecture platform applied to the IEEE 1451 Sensor interface standard. The research work leverages a service oriented software-development approach via the XML Web Services Integration Framework (XWIF) process for exposing a sensor controller's application services to remote clients via web service based interfaces. Further, the J2EE framework hosts a web services based middleware. The J2EE middleware provides WSDL service interfaces for exposing operations required for sensor interaction, and a web-services communication mechanism via the SOAP XML based messaging protocol. The thesis extends the IEEE 1451.1 instrumentation standard's based platform, by introducing a software development model for web-services based sensor network applications. The prototype architecture of a web enabled 1451.1 NCAP controller connectable via the web-services middleware is investigated. Further, the research contribution presents the feasibility for introducing a service-oriented approach to distributed sensor monitoring via the developed web-services based NCAP platform connected to a real-time smart multi-sensor. Moreover, this thesis will provide the academic and instrumentation scientific community a performance study for integrating emerging web-service technologies within the instrumentation domain.

Thesis (M.S. in Operations Research and M.S. in Applied Mathematics)--Naval Postgraduate School, June 2008.
Thesis Advisor(s): Alderson, David ; Zhou, Hong. "June 2008." Description based on title screen as viewed on August 22, 2008. Includes bibliographical references (p. 39-40). Also available in print.

The problems of identity management inherent in distributed subscription-based resource sharing are investigated in this thesis. The thesis introduces a concept of authentication delegation and distributed RBAC (DRBAC) to support fine granular access control across multiple autonomous resource sites and subscribing sites. The DRBAC model extends the RBAC model to a distributed environment. A prototype system based on the concepts of authentication delegation and distributed role and the distributed RBAC model has been implemented and tested. Access is allowed based on the distributed roles, subject to certain constraints. Enforcing distributed role based access control policies allows organizations to ease the administrative overhead in a distributed environment. This thesis concentrates on both theoretical and practical aspects. It describes the design, implementation and performance of a prototype system that provides controlled access to subscription-based remote network services through a web browser. The prototype system is developed using Java technology and runs on a Tomcat web server. A third-party authentication protocol is designed and employed to exchange security assertions among involved parties. An XML-based policy language has been employed in the system for authorization decision. Public key cryptography and XML security technology are used to ensure the confidentiality and integrity of the system and interaction among the involved parties. The web servers use plug-ins to provide an authentication-delegation service and a policy-based authorization service. Users can use a single userID and password to access multiple subscribed resource sites.

PONTIFÍCIA UNIVERSIDADE CATÓLICA DO RIO DE JANEIRO
O principal objetivo desta dissertação consiste na proposta de implementação de uma rede de telecomunicações utilizando novas tecnologias, enfatizando as aplicações de entretenimento. As soluções adotadas foram orientadas pelas características econômicas verificadas nas áreas nobres das regiões metropolitanas brasileiras e também pelas novas tecnologias de roteamento, chaveamento, armazenamento e distribuição local. A avaliação do custo de investimento e operacional da rede, bem como a formulação de um modelo de negócios associado a uma estrutura de serviços oferecidos foram apresentadas e desenvolvidas. A construção de um plano de negócio hipotético para avaliar a relação custo-benefício resultante da utilização da infra-estrutura da rede proposta associado ao modelo e estrutura dos serviços elaborados foi implementado e executado. Quatro alternativas de implementação de rede foram avaliadas.
The present dissertation is aiming at proposing a telecommunications network implementation using some new technologies where the emphasis is put on entertainment applications. The adopted solutions try to offer a selection grid that qualitatively cope with the economic level of some selected noble metropolitan areas in Brazil and rely in new routing, switching storage and local distribution technologies. The investment evaluation, the operational network costs and the formulation of a business model associated with the respective used service structure is subsequently introduced and described. Next, a hypothetic business plan service model is launched in order to evaluate the cost-benefit ratio between the network infrastructure proposed working together with its new service model and its new structure. Four possible alternatives of network implementation were evaluated and commented.