This paper presents and evaluates Toast, a scalable Video-on-Demand (VoD) streaming system that combines the popular BitTorrent peer-to-peer (P2P) file-transfer technology with a simple dedicated streaming server to decrease server load and increase client transfer speed. Toast includes a modified version of BitTorrent that supports streaming data delivery and that communicates with a VoD server when the desired data cannot be delivered in real-time by other peers. The results show that the default BitTorrent download strategy is not well-suited to the VoD environment because it fetches pieces of the desired video from other peers without regard to when those pieces will actually be needed by the media viewer. Instead, strategies should favor downloading pieces of content that will be needed earlier, decreasing the chances that the clients will be forced to get the data directly from the VoD server. Such strategies allow Toast to operate much more efficiently than simple unicast distribution, reducing data transfer demands by up to 70-90% if clients remain in the system as seeds after viewing their content. Toast thus extends the aggregate throughput capability of a VoD service, offloading work from the server onto the P2P network in a scalable and demand-driven fashion.
This paper presents two approaches to parallelizing the Snort network intrusion detection system (NIDS). One scheme parallelizes NIDS processing conservatively across independent network flows, while the other optimistically achieves intra-flow parallelism by exploiting the observation that certain intra-flow dependences are uncommon and may be ignored under certain circumstances. Both schemes achieve average speedup over 2 on four cores, with an average throughput over 1 Gbps on 5 traces tested.

Background. Network intrusion detection systems (NIDSes) run on a server at the edge of a LAN to identify and log Internet-based attacks against a local network, such as attempts at buffer overruns, cross-site scripting, and denial-of-service. Unlike firewalls, which work by shutting off external access to certain ports, NIDSes can monitor attacks on externally-exposed ports used for running network services. The most popular NIDS is the open-source Snort, which identifies intrusion attempts by comparing every inbound and outbound packet against a ruleset [4]. Rules in the set represent characteristics of known attacks, such as the protocol type, port number, packet size, packet content (both strings and regular expressions), and the position of the suspicious content. Each new type of attack leads to new rules, with rulesets growing rapidly. The most recently-released freely-available Snort rulesets have over 4000 rules.

The processing required by a network intrusion detection system such as Snort is quite high, since the system must decode the data, inspect the data according to the ruleset, and log intrusions. These requirements limit Snort to an average packet processing rate of about 557 Mbps on a modern host machine (2.2 GHz Opteron processor), just over half of the Gigabit link-level bandwidth. Consequently, it is not possible to deploy Snort directly at a high-end network access point that requires a data rate of 1 Gbps or more.
To address this problem, various companies and researchers have proposed solutions based on clustering [1,3,5]. Clustered
In the past few years, both the industry and the academic communities have developed several approaches to detect malicious Android apps. State-of-the-art research approaches achieve very high accuracy when performing malware detection on existing datasets. These approaches perform their malware classification tasks in an "offline" scenario, where malware authors cannot learn from and adapt their malicious apps to these systems. In real-world deployments, however, adversaries get feedback about whether their app was detected, and can react accordingly by transforming their code until they are able to influence the classification. In this work, we propose a new approach for detecting Android malware that is designed to be resilient to feature-unaware perturbations without retraining. Our work builds on two key ideas. First, we consider only a subset of the codebase of a given app, both for precision and performance aspects. For this paper, our implementation focuses exclusively on the loops contained in a given app. We hypothesize, and empirically verify, that the code contained in apps' loops is enough to precisely detect malware. This provides the additional benefits of being less prone to noise and errors, and being more performant. The second idea is to build a feature space by extracting a set of labels for each loop, and by then considering each unique combination of these labels as a different feature: The combinatorial nature of this feature space makes it prohibitively difficult for an attacker to influence our feature vector and avoid detection, without access to the specific model used for classification. We assembled these techniques into a prototype, called LMC, which can locate loops in applications, extract features, and perform classification, without requiring source code. We used LMC to classify about 20,000 benign and malicious applications.
While focusing on a smaller portion of the program may seem counterintuitive, the results of these experiments are surprising: our system

ACM acknowledges that this contribution was authored or co-authored by an employee, contractor, or affiliate of the United States government. As such, the United States government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for government purposes only.
This paper presents and experimentally evaluates two parallelization strategies for the popular open-source Snort network intrusion detection system (NIDS). Snort identifies intrusion attempts by processing a ruleset, a file which specifies various protocol-based, string-based, and regular-expression-based signatures associated with known attacks. As attacks proliferate, NIDS becomes increasingly important. However, the computational requirements of intrusion detection are great enough to limit average achievable throughput to 557 Mbps on a commodity server-class PC, just over half the link-level bandwidth. The strategies studied in this paper accelerate the performance of Snort by parallelizing rule processing while still maintaining the shared state information required for correct operation. The conservative version proposed here parallelizes ruleset processing at the level of TCP/IP flows, as any potential inter-packet dependences are confined to a single flow. Any single flow is processed in-order at one thread, but the flows are partitioned among threads. This solution provides good performance for 3 of the 5 network packet traces studied, reaching as high as 3.0 speedup and 1.7 Gbps inspection rate when implemented on x86-64 Linux for a server with two dual-core Opteron processors (four cores total). Conservative parallelization allows an average inspection rate of 1.07 Gbps across all 5 traces, nearly twice the serial performance. However, it is too restrictive to achieve good performance if there are not enough concurrent flows in the traffic stream. To handle this case, an optimistic version of Snort is also designed that exploits the observation that not all packets from a flow are actually connected by dependence orders (although these dependences cannot be discovered until deep in packet inspection).

The optimistic version thus allows a single flow to be simultaneously processed by multiple threads, stalling processing only if an actual dependence is found. The optimistic version has additional overheads that reduce speedup by 7-13% for traces that have flow concurrency. However, the benefits of the optimistic approach allow one additional trace to see substantial speedup (2.2 on four cores). The average inspection rate stays nearly unchanged at 1.09 Gbps, but the peak increases to over 2 Gbps. Consequently, this may be a good option for protecting systems and networks with few flows.

* This work is supported in part by the National Science Foundation under Grant Nos. CCF-0532448 and CNS-0532452.
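The flow-level partitioning that the conservative scheme rests on can be illustrated with a short Python sketch. It is added here as an example and is not code from the Snort project or from the paper. It assumes a constructed list of packet 5-tuples, uses a direction-independent flow key so that both halves of a TCP conversation land on the same worker (which is what keeps per-flow inspection state on one thread), and hashes that key to a worker id; the helper names (flow_key, worker_for, partition, busiest_share) are the example's own. The busiest_share helper makes the abstract's caveat concrete: with a single flow, every packet goes to one worker no matter how many cores exist.

```python
import hashlib
from collections import defaultdict

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, proto, seq_no).
# seq_no is the packet's position in the capture and is used to check ordering.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp", 0),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "tcp", 1),   # reply half of flow A
    ("10.0.0.6", 40002, "192.0.2.10", 443, "tcp", 2),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp", 3),
    ("10.0.0.7", 5353, "192.0.2.53", 53, "udp", 4),
    ("192.0.2.10", 443, "10.0.0.6", 40002, "tcp", 5),  # reply half of flow B
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp", 6),
]


def flow_key(pkt):
    """Direction-independent 5-tuple: both directions of one conversation share a key."""
    src_ip, src_port, dst_ip, dst_port, proto, _ = pkt
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, lo, hi)


def worker_for(key, n_workers):
    """Map a flow key to a worker id with a stable hash (Python's hash() is randomized per process)."""
    digest = hashlib.blake2b(repr(key).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def partition(packets, n_workers):
    """Conservative scheme: every packet of a flow goes to one worker, in capture order."""
    queues = [[] for _ in range(n_workers)]
    for pkt in packets:
        queues[worker_for(flow_key(pkt), n_workers)].append(pkt)
    return queues


def flows_not_split(queues):
    """True if no flow has packets on more than one worker."""
    owner = {}
    for wid, queue in enumerate(queues):
        for pkt in queue:
            if owner.setdefault(flow_key(pkt), wid) != wid:
                return False
    return True


def per_flow_order_preserved(queues):
    """True if, within each worker queue, packets of each flow keep their capture order."""
    last_seen = {}
    for queue in queues:
        for pkt in queue:
            key, seq = flow_key(pkt), pkt[5]
            if key in last_seen and seq < last_seen[key]:
                return False
            last_seen[key] = seq
    return True


def busiest_share(queues):
    """Fraction of all packets handled by the most loaded worker (1.0 means no parallelism)."""
    total = sum(len(q) for q in queues)
    return max(len(q) for q in queues) / total if total else 0.0


def distinct_flows(packets):
    """Number of distinct conversations in the packet list."""
    return len({flow_key(p) for p in packets})


if __name__ == "__main__":
    queues = partition(SAMPLE_PACKETS, 4)
    for wid, queue in enumerate(queues):
        print(f"worker {wid}: {[p[5] for p in queue]}")
    print("flows:", distinct_flows(SAMPLE_PACKETS))
    print("flows kept whole:", flows_not_split(queues))
    print("order preserved:", per_flow_order_preserved(queues))
    print("busiest worker share:", busiest_share(queues))
    # A trace with one flow cannot use more than one worker under this scheme.
    single = [p for p in SAMPLE_PACKETS if flow_key(p) == flow_key(SAMPLE_PACKETS[0])]
    print("single-flow busiest share:", busiest_share(partition(single, 4)))
```

Running the block prints the per-worker queues and confirms that no flow is split across workers and that capture order within each flow survives; the single-flow case reports a busiest-worker share of 1.0, which is the starvation the optimistic scheme is meant to address.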