IP CASCADAS “Component-ware for Autonomic, Situation-aware Communications, And Dynamically Adaptable Services”

D4.3 Bringing Autonomic Services to Life

D4.3 - Report on Self-preservation mechanisms and system modelling

Status and version: 1.0 Final
Date of issue: June 28, 2008
Distribution: Public
Editor(s): Roberto G. Cascella (UNITN)
Author(s): Roberto G. Cascella (UNITN), Pietro Michiardi (Eurecom), Ioannis Stavrakakis (NKUA), Christos Xenakis (NKUA), Roberto Battiti (UNITN), Mauro Brunato (UNITN), Ricardo Lent (ICL), Omer Abdelrahman (ICL), Erol Gelenbe (ICL)
Checked by: Nermin Brgulja (UNIK), Matthias Baumgarten (UU)


Abstract

In CASCADAS, a wide range of security problems related to the very nature of autonomic systems has been dissected. Numerous attacker models have been considered, ranging from malicious entities, which aim to disrupt the correct functioning of the CASCADAS system as a whole or to thwart its most sensitive parts in particular, to selfish entities, whose goal is to maximise their utility from participating in the system or to minimise their costs. Numerous research directions have also been investigated, tackling problems that are specific to the very nature of an autonomic system. These initially widespread research directions have been narrowed down, yet they remain intellectually important and technically challenging problems that need to be carefully addressed during the whole project: they constitute the added value, from a research standpoint, of the WP4 activities in the security domain for the CASCADAS project.

The CASCADAS system is completely distributed and autonomous, so we cannot assume the presence of a centralised authority or a-priori trust relations between entities. In CASCADAS, a key role is played by the ACE element, which constitutes the basic cell for building complex autonomic services. Thus, instead of focusing on the simple interactions that drive the behaviour of single ACEs, it is important to address the macro-behaviour of complex elements constituted by several ACEs that aggregate (by some means, for example those described in the work carried out by WP3). Soft-security mechanisms need to be in place to detect misbehaviour or to guide nodes in their interactions. Techniques akin to game theory and distributed optimisation are required to understand the behaviour, mainly in terms of achievable performance, of complex systems. Macro-ACEs, driven by the individual interests of the user or application that instantiates them, compete to achieve the highest payoff despite a dynamic underlying environment. The proposed modelling effort is general in nature, but targets existing applications and services in order to improve the understanding of the techniques used.

In their autonomicity, nodes can follow different strategies that consist in participating in an aggregation or in providing a specific quality of service. Each participating peer in such a system is an autonomic communication element (ACE) of the system. This autonomicity is manifested in various ways and leads to behaviours that try, on one hand, to exhibit sufficient cooperation so that the system objective is materialised and, on the other hand, to serve the interests of the particular element in a selfish manner. Thus, soft-security mechanisms must consider the impact of the autonomic behaviour of the ACEs on the performance of the system, as selfish (greedy) behaviours may even “kill the P2P advantage” and lead to unacceptable performance. In the field of soft-security mechanisms, also called social control mechanisms, trust and reputation systems play a key role. Reputation schemes rely on the definition of a heuristic or aggregation function that should capture the ACEs' behaviour and enable malicious and selfish entities to be excluded from the system.

The need to determine their performance in a real environment does not help to justify their use in the CASCADAS autonomic system. Thus, the questions of how building reputation is relevant for future interactions and how an ACE values its reputation are important and need to be addressed. Reputation cannot immediately be assumed as a metric to define cooperation strategies or to implement a differential service incentive scheme. This is not sufficient to explain why an ACE should increase its reputation value and to reason on the adoption of reputation management systems from the system components' point of view. If we assume that the system is mainly composed of rational entities, in the sense that they strategize to increase their expected utility from the system, the role of reputation in selecting a specific action/strategy needs to be determined. In most cases ACEs want to cooperate to keep their trust value above a certain threshold that allows them to consume system resources and to provide few resources in exchange. Game theory is used to discuss the evolution of a distributed system under the enforcement of a reputation management scheme and how cooperation can be enforced in autonomous distributed systems formed by selfish agents.

In order for the ACEs to support and benefit from a distributed service environment, they should constrain themselves to operating under such policies that preserve the structure by keeping the outcome for the various ACEs close. This way, a pool of ACEs will be available and in a position to take over when the need arises, to keep the quality of a service at reasonable levels or prevent an application built on top of ACEs’ cooperation, such as the service model defined in CASCADAS, from collapsing altogether (self-preserving strategy). In a distributed environment, service provision is subject to the participatory level of the ACEs, which may be disconnected from the system to prevent waste of resources. To minimise uncertainty in such an environment, it is important to maximise the average peer lifetime in the system and, equivalently, the amount of available resources in the system. Peer selection strategies that utilise the peer’s participatory outlook (chance to stay in the system for a long rather than a short time horizon) are expected to increase the system’s self-preservation capability. Moreover, communication techniques that guarantee resilience of the system in the presence of faulty nodes are important to prevent the functioning of the whole system from depending on a few malicious nodes. Network coding has many features that protect information at low cost while at the same time implementing path diversity for the information, so that an efficient communication paradigm can be deployed in resource-constrained environments.

A key feature required by future networks of ACEs is the ability to autonomically protect against security attacks. Distributed denial-of-service attacks are perhaps the most difficult kind of attack to deal with because they hide under the cover of valid user traffic from compromised, but authorised and authenticated users and computers. The development of feasible protection mechanisms involving both detection and response is important to guarantee the correct functioning of the system. Starting from a generic DoS detection scheme which uses multiple Bayesian classifiers and the biologically inspired Random Neural Network, two possible response mechanisms that ACEs may implement can be derived. The first allows ACEs to self-protect by filtering unwanted traffic once detected, and it is applicable to cases when DoS attacks happen within the ACE communication domain. The second exploits service migration (self-configuration) to allow critical services to evade malicious flows. A test case for the latter is the distributed auctions being developed by WP6.


Table of contents

1 Introduction
  1.1 Purpose and Scope
  1.2 References
  1.3 Document History

2 Toward cooperation in autonomic communication systems
  2.1 Theoretical approaches
  2.2 Incentives mechanisms to foster cooperation

3 Economic models of Autonomic Communication Systems
  3.1 Introduction
  3.2 Selfish Service Overlay Networks: The case for n-way broadcast applications
    3.2.1 Introduction - Outline
    3.2.2 Peer-set Selection
    3.2.3 Node Architecture
    3.2.4 Performance Evaluation
    3.2.5 Dealing with Selfish Behaviour
    3.2.6 Conclusion and perspective for the CASCADAS project
  3.3 Aggressive vs. Cooperative Applications: The case of P2P content Distribution
  3.4 Background
  3.5 Misuse Opportunities in BitTorrent: an Analytical Perspective
    3.5.1 Matching Time
    3.5.2 Probability of Reciprocation and Expected Download Rate
    3.5.3 Discussion
  3.6 Deconstructing BitTyrant: the Single Client Case
    3.6.1 Simulator Description, Methodology and Settings
    3.6.2 Impact of the Peer Set and Active Set Size
    3.6.3 Impact of Greedy Uplink Capacity Allocation
  3.7 The Multiple Clients Case
  3.8 Conclusion and perspective for the CASCADAS project

4 Game Theory for reputation
  4.1 Network model
  4.2 Definition of non-cooperative games
  4.3 Prisoner’s dilemma
  4.4 The reputation game
    4.4.1 Introducing reputation in the game
  4.5 The reputation model
    4.5.1 Nash equilibrium for the reputation game
  4.6 Experimental results
  4.7 Impact of defecting nodes

5 Autonomic Protection Against DoS
  5.1 Detection
    5.1.1 Multiple Bayesian Classifiers in DoS Detection
  5.2 Self-protection
  5.3 Defence Schemes
    5.3.1 Basic Defence Scheme
    5.3.2 DDoS Protection based on Prioritisation and Throttling
  5.4 A Mathematical Evaluation of Denial of Service Protection
  5.5 Numerical Example
  5.6 Self-configuration and Distributed Auctions Use Case
    5.6.1 Analysis
  5.7 Income per unit time
  5.8 Numerical evaluation

6 Self-preservation in cooperative autonomic networking environments
  6.1 Self-preservation of autonomic distributed streaming environments
    6.1.1 On the Impact of Playout Policy on the Performance of P2P Live Streaming
    6.1.2 Peer selection strategies under node churn in P2P streaming
  6.2 Self-preservation of autonomic content replication
  6.3 Network coding for security and QoS
    6.3.1 Synchronous NC
    6.3.2 Asynchronous partial NC
    6.3.3 Performance evaluation
    6.3.4 Findings: self-preservation at low costs

7 Future Work

8 Conclusions


1 Introduction

The objective of WP4 is to secure the CASCADAS system and to define models to provide self-preservation mechanisms. The main objective is to ensure protection from external and internal (behavioural) attacks.

The directions of research in WP4 cover the definition of mechanisms that can be applied to guide the interactions between ACEs and the analysis of the performance of the system under attacks. In their autonomicity, nodes can follow different strategies that consist in participating in an aggregation or in providing a specific quality of service. Each participating peer in such a system is an Autonomic Communication Element (ACE) of the system. This autonomicity is manifested in various ways and leads to behaviours that try, on one hand, to exhibit sufficient cooperation so that the system objective is materialised and, on the other hand, to serve the interests of the particular element in a selfish manner. Thus, soft-security mechanisms must consider the impact of the autonomic behaviour of the ACEs on the performance of the system, as selfish (greedy) behaviours may even “kill the P2P advantage” and lead to unacceptable performance.

1.1 Purpose and Scope

This document discusses the models defined to study the performance of the system under uncertainty in the behaviour of the ACEs that constitute the CASCADAS system. Economic theories have been adopted to study the interactions of the nodes from a macro-perspective approach, and self-preservation models and strategies have been defined to overcome the presence of malicious and selfish entities. This document is internal and it is intended to collect this preliminary effort in identifying the problems and new solutions to analyse the performance of the CASCADAS system under attacks.

This deliverable is the preliminary step toward the definition of models to thwart uncooperative and selfish behaviour of ACEs in the system. Starting from economic theories and the definition of how services are deployed in CASCADAS, we study the ACEs' interactions and how the uncertainty in behaviour impacts the performance of the system.

In this context, we have studied the behaviour of the autonomic components in different scenarios, through the definition of specific user-cases, to evaluate the effectiveness of the solutions proposed.

Economic models have been applied to model interactions among nodes and to capture peer behaviour and trustworthiness. A game theoretic framework has been proposed to provide economic incentives to share resources. We have exploited economic theories and applied them to the specific case of system self-preservation. In this framework, we have modelled reputation and reputation management systems, which gives results on the importance of applying reputation management schemes in autonomic systems. Starting from the results derived from the analysis of selfish nodes, this study is important to build the ground for the analysis of the impact of malicious nodes in the system.

1.2 References

[1] http://www.guardian.co.uk/technology/2006/oct/19/guardianweeklytechnologysection.insideit.

[2] http://www.theglobeandmail.com/servlet/story/RTGAM.20071128.wgtbittorrent29/BNStory/Technology.

[3] http://arstechnica.com/news.ars/post/20080421-study-bittorren-sees-ig-growth-limewire-still-1-p2p-app.html.

[4] R. Ahlswede, N. Cai, S.-Y. Li, and R. Yeung. Network information flow. Information Theory, IEEETransactions on, 46(4):1204–1216, Jul 2000.

[5] E. Altman, T. Boulogne, R. El-Azouzi, T. Jimenez, and L. Wynter. A survey on networking games intelecommunications. Computers and Operations Research, 33(2):286–311, 2006.

Page 6 of 72

Page 7: D4.3 - Report on Self-preservation mechanisms and system …acetoolkit.sourceforge.net/cascadas/docs/deliverables/M... · 2010-02-25 · IP CASCADAS “Component-ware for Autonomic,

IP CASCADAS “Component-ware for Autonomic,Situation-aware Communications, And Dynamically

Adaptable Services”D4.3

Bringing Autonomic Services to Life

[6] P. A. Bernstein and N. Goodman. Concurrency control in distributed database systems. ACMComput. Surv., 13(2), 1981.

[7] A. R. Bharambe, C. Herley, and V. N. Padmanabhan. Analyzing and improving a bittorrent networksperformance mechanisms. In Proc. of IEEE INFOCOM ’06, Barcelona, Spain, 2006.

[8] F. Bin, D. M. Chiu, and J. C. Lui. Stochastic differential equation approach to model bittorrent-likep2p systems. In Proc. of ICC, Instanbul, Turkey, 2006.

[9] F. Bin, D. M. Chiu, and J. C. S. Lui. The delicate tradeoffs in bittorrent-like file sharing protocoldesign. In Proc. of ICNP, 2006.

[10] R. H. Bisseling. Parallel Scientific Computation: A Structured Approach using BSP and MPI. OxfordUniversity Press, 2004.

[11] C. Buragohain, D. Agrawal, and S. Suri. A game theoretic framework for incentives in p2p systems.In Proceedings of the 3rd International Conference on Peer-to-Peer Computing (P2P ’03), page 48,Linkoping, Sweden, September 2003. IEEE Computer Society.

[12] L. Buttyan and J.-P. Hubaux. Stimulating cooperation in self-organizing mobile ad hoc networks.Mobile Networks and Applications, 8(5):579–592, 2003.

[13] N. Cai and R. Yeung. Secure network coding. Information Theory, 2002. Proceedings. 2002 IEEEInternational Symposium on, pages 323–, 2002.

[14] R. G. Cascella. The “Value” of Reputation in Peer-to-Peer Networks. In Fifth IEEE ConsumerCommunications and Networking Conference (CCNC 2008), Las Vegas, Nevada, USA, January10-12 2008.

[15] B. Cohen. Incentives Build Robustness in BitTorrent. In Proc. of the 1st Workshop on Economicsof Peer-to-Peer Systems, Berkeley, CA, USA, June 5-6 2003.

[16] C. Consortium. Security architecture. CASCADAS (IST-2004-2.3.4 FP6-027807) Deliverable(D4.1), Jan. 2007.

[17] J. Edmonds. Edge-disjoint branchings. In Proc. of the 9th Courant Computer Science Symposiumon Combinatorial Algorithms, Algorithmics Press, pages 91–96, 1972.

[18] J. Feigenbaum and S. Shenker. Distributed Algorithmic Mechanism Design: Recent Results andFuture Directions. In In Proc. of Dial-M, Atlanta, Georgia, USA, 2002. ACM.

[19] M. Feldman, K. Lai, I. Stoica, and J. Chuang. Robust incentive techniques for peer-to-peer net-works. In Proceedings of the 5th ACM conference on Electronic commerce (EC ’04), pages 102–111, New York, NY, USA, 2004. ACM Press.

[20] M. Felegyhazi, L. Buttyan, and J.-P. Hubaux. Nash equilibria of packet forwarding strategies inwireless ad hoc networks. IEEE Transactions on Mobile Computing, 5(5):463–476, 2006.

[21] M. Felegyhazi and J.-P. Hubaux. Game Theory in Wireless Networks: A Tutorial. Technical ReportLCA-REPORT-2006-002, EPFL, 2006.

[22] A. Gai, F. Mathieu, F. de Montgolfier, and J. Reynier. Stratification in p2p networks: Application tobittorrent. In Proc. of ICDCS, 2007.

Page 7 of 72

Page 8: D4.3 - Report on Self-preservation mechanisms and system …acetoolkit.sourceforge.net/cascadas/docs/deliverables/M... · 2010-02-25 · IP CASCADAS “Component-ware for Autonomic,

IP CASCADAS “Component-ware for Autonomic,Situation-aware Communications, And Dynamically

Adaptable Services”D4.3

Bringing Autonomic Services to Life

[23] A. Garg, R. Battiti, and R. Cascella. Reputation management: Experiments on the Robustnessof ROCQ. In Proceedings of the 7th International Symposium on Autonomous Decentralized Sys-tems (First International Workshop on Autonomic Communication for Evolvable Next GenerationNetworks), pages 725–730, Chengdu, China, Apr. 2005.

[24] E. Gelenbe. Analysis of single and networked auctions. Accepted for publication in ACM Transac-tions on Internet Technology, 2008.

[25] E. Gelenbe. On approximate computer system models. J. ACM, 22(2):261–269, April 1975.

[26] E. Gelenbe and A. Ghanwani. Approximate analysis of coupled queueing in atm networks. Com-munications Letters, IEEE, 3(2):31–33, Feb 1999.

[27] E. Gelenbe and R. Iasnogorodski. A queue with server of walking type (autonomous service).Annales de l’institut Henri Poincar (B) Probabilits et Statistiques, 16(1):63–73, 1980.

[28] E. Gelenbe and I. Mitrani. Analysis and synthesis of computer systems. Academic Press, London,1980.

[29] R. Gibbons. A Primer in Game Theory. Prentice Hall, 1992.

[30] P. Golle, K. Leyton-Brown, and I. Mironov. Incentives for sharing in peer-to-peer networks. InProceedings of the 3rd ACM conference on Electronic Commerce (EC ’01), pages 264–267, Tampa,Florida, USA, 2001. ACM Press.

[31] L. Guo, S. Chen, Z. Xiao, E. Tan, X. Ding, and X. Zhang. Measurements, analysis, and modelingof bittorrent-like systems. In Proc. of ACM IMC’05, Berkeley, CA, 2005.

[32] L. Guo, S. Chen, Z. Xiao, E. Tan, X. Ding, and X. Zhang. A Performance Study of BitTorrent-likePeer-to-Peer Systems. IEEE Journal on Selected Areas in Communication (JSAC), Special Issueon Peer-to-Peer Communications and Applications, 25(1), January 2007.

[33] M. Gupta and M. H. Ammar. Service differentiation in peer-to-peer networks utilizing reputations. In5th COST264 International Workshop on Networked Group Communications (NGC 2003), volume2816 of Lecture Notes in Computer Science, pages 70–82, Munich, Germany, September 16-192003. Springer.

[34] J. M. Harrison. Assembly-like queues. Journal of Applied Probability, 10(2):354–367, Jun 1973.

[35] D. L. Hayes. Advanced copyright Issues on the internet. Fenwick and West LLP, 2007.

[36] S. M. Hedetniemi, S. T. Hedetniemi, and A. L. Liestman. A survey of gossiping and broadcasting incommunication networks. Networks, 18:319–349, 1988.

[37] E. Huang, J. Crowcroft, and I. Wassell. Rethinking incentives for mobile ad hoc networks. InPINS ’04: Proceedings of the ACM SIGCOMM workshop on Practice and theory of incentives innetworked systems, pages 191–196, Portland, Oregon, USA, September 2004. ACM Press.

[38] M. Izal, G. Urvoy-Keller, E. W. Biersack, P. Felber, A. Hamra, and L. Garces-Erice. Dissectingbittorrent: five months in a torrent’s lifetime. In Proc. of PACM, 2004.

[39] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, and M. Medard. Resilient network coding inthe presence of byzantine adversaries. INFOCOM 2007. 26th IEEE International Conference onComputer Communications. IEEE, pages 616–624, May 2007.

Page 8 of 72

Page 9: D4.3 - Report on Self-preservation mechanisms and system …acetoolkit.sourceforge.net/cascadas/docs/deliverables/M... · 2010-02-25 · IP CASCADAS “Component-ware for Autonomic,

IP CASCADAS “Component-ware for Autonomic,Situation-aware Communications, And Dynamically

Adaptable Services”D4.3

Bringing Autonomic Services to Life

[40] E. Jaho, I. Jaho, and I. Stavrakakis. Distributed selfish replication under node churn. In MedHocNet2007, Corfu, Greece, June 2007.

[41] M. Jain and C. Dovrolis. End-to-end available bandwidth: measurement methodology, dynamics,and relation with tcp throughput. IEEE/ACM Trans. Netw., 11(4):537–549, 2003.

[42] N. Laoutaris, G. Smaragdakis, A. Bestavros, and I. Stavrakakis. Mistreatment in distributed cachinggroups: Causes and implications. In Proc. of IEEE INFOCOM ’06, Barcelona, Spain, 2006.

[43] N. Laoutaris and I. Stavrakakis. Intrastream synchronization for continuous media streams: Asurvey of playout schedulers. IEEE Network Magazine, 16(3), May 2002.

[44] N. Laoutaris, O. Telelis, and V. Zissimopoulos. Distributed selfish replication. IEEE Network Maga-zine, 17(12):1401–1413, December 2006.

[45] A. Leff, J. Wolf, and P. Yu. Replication algorithms in a remote caching architecture. IEEE Transac-tions on Parallel and Distributed Systems, 4(11):1185–1204, November 1993.

[46] A. Legout, N. Liogkas, E. Kohler, and L. Zhang. Clustering and sharing incentives in bittorrentsystems. In Proc. of SIGMETRICS, 2007.

[47] A. Legout, G. Urvoy-Keller, and P. Michiardi. Rarest first and choke algorithms are enough. InProceedings of the 6th ACM SIGCOMM on Internet measurement (IMC), pages 203–216, Rio deJaneriro, Brazil, October 25-27 2006. ACM Press.

[48] X. Li, F. Bian, M. Crovella, C. Diot, R. Govindan, and G. Iannaccone. Detection and identification ofnetwork anomalies. In Proc. of IMC ’06, Rio de Janeriro, Brazil, 2006.

[49] N. Liogkas, R. Nelson, E. Kohler, and L. Zhang. Exploiting bittorrent for fun (but not profit). In Proc.of IPTPS, 2006.

[50] E. H. Lipper and B. Sengupta. Assembly-like queues with finite capacity: bounds, asymptotics andapproximations. Queueing Syst. Theory Appl., 1(1):67–83, 1986.

[51] T. Locher, P. Moor, S. Schmid, and R. Wattenhofer. Free riding in bittorrent is cheap. In Proc. of theFifth Workshop on Hot Topics in Networks (HotNets-V), Irvine, CA, USA, November 2006.

[52] L. Massoulie, A. Twigg, C. Gkantsidis, and P. Rodriguez. Randomized decentralized broadcastingalgorithms. In Proc. of IEEE INFOCOM ’07, Anchorage, AK, USA, 2007.

[53] R. Morselli, J. Katz, and B. Bhattacharjee. A Game-Theoretic Framework for Analyzing Trust-Inference Protocols. In Second Workshop on the Economics of Peer-to-Peer Systems (P2Pecon2004), Cambridge, MA, USA, June 4-5 2004.

[54] N. Nisan and A. Ronen. Algorithmic Mechanism Design. Games and Economic Behavior, 35:166–196, 2001.

[55] M. Nowak and K. Sigmund. Evolution of indirect reciprocity. Nature, 437:1291–1298, October 2005.

[56] C. O’Riordan. Iterated Prisoner’s Dilemma: A Review. Technical Report NUIG-IT-260601, Depart-ment of Information Technology, National University of Ireland, Galway, 2001.

[57] M. Piatek, T. Isdal, T. E. Anderson, A. Krishnamurthy, and A. Venkataramani. Do incentives buildrobustness in bittorrent? In Proc. of the 4th Symposium on Networked Systems Design and Imple-mentation (NSDI), Cambridge, Massachusetts, USA, April 11-13 2007.

Page 9 of 72

Page 10: D4.3 - Report on Self-preservation mechanisms and system …acetoolkit.sourceforge.net/cascadas/docs/deliverables/M... · 2010-02-25 · IP CASCADAS “Component-ware for Autonomic,

IP CASCADAS “Component-ware for Autonomic,Situation-aware Communications, And Dynamically

Adaptable Services”D4.3

Bringing Autonomic Services to Life

[58] D. Qiu and R. Srikant. Modeling and performance analysis of bittorrent-like peer-to-peer networks. In Proceedings of SIGCOMM, pages 367–378, Portland, Oregon, USA, 2004. ACM.

[59] S. Rao. Establishing the viability of end system multicast using a systems approach to protocol design. Carnegie Mellon University, PhD Thesis, Technical Report CMU-CS-04-168, Oct. 2004.

[60] V. Ribeiro, R. Riedi, R. Baraniuk, J. Navratil, and L. Cottrell. pathChirp: Efficient Available Bandwidth Estimation for Network Paths. In Proc. of PAM’03, La Jolla, CA, 2003.

[61] A. Singh, M. Castro, P. Druschel, and A. Rowstron. Defending against eclipse attacks on overlay networks. In Proc. of ACM SIGOPS European Workshop, page 21, 2004.

[62] G. Smaragdakis, N. Laoutaris, P. Michiardi, A. Bestavros, J. Byers, and M. Roussopoulos. Swarming on optimized graphs for n-way broadcast. Technical Report BUCS-TR-2007-009, CS Department, Boston University, July 2 2007.

[63] N. Spring, R. Mahajan, D. Wetherall, and T. Anderson. Measuring ISP topologies with rocketfuel. IEEE/ACM Trans. Netw., 12(1):2–16, 2004.

[64] V. Srivastava, J. Neel, A. B. Mackenzie, R. Menon, L. DaSilva, J. E. Hicks, J. H. Reed, and R. P. Gilles. Using game theory to analyze wireless ad hoc networks. IEEE Communications Surveys & Tutorials, 7(4):46–56, 2005.

[65] Y. Tian, D. Wu, and K.-W. Ng. Analyzing multiple file downloading in bittorrent. In Proc. of ICPP’06, Washington, DC, USA, 2006.

[66] C. Vassilakis, N. Laoutaris, and I. Stavrakakis. The Impact of Playout Policy on the Performance of P2P Live Streaming. National and Kapodistrian University of Athens, Technical Report, Oct. 2007, http://cgi.di.uoa.gr/~istavrak/publications/TR-2007-10-p2p-playout.pdf.

[67] C. Vassilakis, N. Laoutaris, and I. Stavrakakis. On the benefits of synchronized playout in peer to peer streaming. In ACM CoNEXT 2006, Poster Session, pages 278–279, Lisbon, December 2006.

[68] C. Vassilakis, N. Laoutaris, and I. Stavrakakis. The impact of playout policy on the performance of p2p live streaming...or how not to kill your p2p advantage. In 15th Annual SPIE/ACM Multimedia Computing and Networking (MMCN ’08), San Jose, California, January 2008.

[69] L. Vu, I. Gupta, J. Liang, and K. Nahrstedt. Measurement and modeling a large-scale overlay for multimedia streaming. In QShine 2007, Vancouver, British Columbia, August 2007.

[70] B. Yang and H. Garcia-Molina. Ppay: micropayments for peer-to-peer systems. In CCS ’03: Proceedings of the 10th ACM conference on Computer and communications security, pages 300–310, Washington D.C., USA, October 27-30 2003. ACM Press.

[71] W. Yang and N. Abu-Ghazaleh. Gps: A general peer-to-peer simulator and its use for modeling bittorrent. In Proceedings of the 13th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS), pages 425–434, Atlanta, Georgia, USA, 2005. IEEE Computer Society.

[72] X. Yang and G. de Veciana. Performance of peer-to-peer networks: service capacity and role of resource sharing policies. Performance Evaluation, 63(3):175–194, 2006.

1.3 Document History

Version | Date | Author | Comment
0.1 | December 18, 2007 | Partners | Initial contributions.
0.2 | December 19, 2007 | Roberto Cascella | First draft version.
0.3 | February 13, 2008 | Roberto Cascella | Finalisation of internal document.
0.4 | March 23, 2008 | Roberto Cascella | Update of the internal document.
0.5 | June 16, 2008 | Omer Abdelrahman | Contribution on Network Coding for self-preservation.
0.6 | June 17, 2008 | Pietro Michiardi | Update of the Game Theory part and Economic models.
0.7 | June 23, 2008 | Roberto Cascella | Internal draft.
0.9 | June 25, 2008 | Roberto Cascella | Updated the document, checked references. Internal draft ready for internal review.
1.0 | June 28, 2008 | Roberto Cascella | Incorporated comments of internal reviewers.

2 Toward cooperation in autonomic communication systems

As discussed in [16], cooperation is a new security issue that must be tackled to ensure the survivability of autonomic communication systems. ACEs cannot be assumed to cooperate and fulfil their obligations toward the system goal. They have a selfish nature and there is no centralised authority that monitors the behaviour of the nodes and distributes the resources accordingly.

2.1 Theoretical approaches

The CASCADAS system is self-organised and also characterised by the presence of heterogeneous entities which might be under different administrative domains or authorities. In this context, cooperation cannot be assumed unless the system is managed or designed in such a way that individual selfish behaviour results in the system goal. If the rules of the system are designed to create the appropriate context for nodes to behave selfishly and, at the same time, to guarantee that the social optimum is achieved, cooperation is promoted inside the system. The design of the system’s rules with this goal in mind is part of mechanism design theory [54].

Part of mechanism design is to study how the preferences of the users can be aggregated efficiently. However, these preferences are private and nodes can misreport their preferences to modify the behaviour of the system. Moreover, autonomic communication systems are in continuous evolution and adaptation and nodes can modify their behaviours to self-adapt to the new context of communication. For these reasons, mechanism design is not fully applicable in these systems. The distributed version of the theory is named distributed algorithmic mechanism design and it is still under definition. Definitions and details of the theory can be found in [18].

Game theory [29] is another powerful theory used to study the outcome of a system when nodes strategize their behaviour. To study the equilibrium of a system, an important assumption is to consider rational entities, as their behaviour can be predicted. Rational nodes act to maximise their utility, which can be defined, in a simplified version, as the amount of resources they obtain compared to the resources they have spent to access them.

Game theory and mechanism design are theoretical tools and simplifications must be made to study the complexity of a networked system. Thus, their primary use is to study the behaviour of the nodes and to gain useful insights into how to reach an equilibrium point in the system. The existence of this equilibrium guarantees that the system has inherent self-preservation properties.

A considerable amount of research has focused on the exploitation of economic theories to model nodes’ interactions. Most of this effort has been centred on the analysis of how selfish behaviour impacts the performance of peer-to-peer and ad-hoc networks [5, 21]. Previous work shows that incentive schemes encourage cooperation in these networks and increase the benefit nodes obtain from their participation [20, 64, 14].

An approach based on game theory is proposed in [11] to define and analyse a differential service incentive scheme to improve the system’s performance. Game theory is used to evaluate the amount of resources that a node must contribute to the system and the probability with which a node’s requests will be served by others.

However, autonomic communication systems are also populated by malicious nodes, whose actions are difficult to predict as they do not follow any specific strategy. If cooperation is achieved in a fully rational environment, malicious nodes can easily get control of the system by attacking. Thus, starting from an evaluation of the system properties in a rational environment, countermeasures must be used to reduce the impact of malicious nodes. [19] revises the approach presented in [11] to study whitewashing and collusion attacks within a game theory framework.

Game theory is also used as a tool to analyze the robustness of trust inference protocols in the presence of adversarial rational nodes [53], such as nodes joining in a collusion or whitewashing, defined as possible attacks on the CASCADAS system [16].

If we base the survivability of an autonomous system on nodes’ behaviour, the system might not function properly with respect to its designed goal: non-cooperative and malicious behaviour are predominant in the system. In unmanaged and distributed systems, incentive mechanisms must be used to eliminate malfunctioning components and to foster cooperation among selfish nodes.

2.2 Incentives mechanisms to foster cooperation

Uncooperative behaviour causes service degradation, if not complete system collapse. The areas that have gained the most attention for solving the problem of selfish and malicious nodes are peer-to-peer and autonomic networks. The main reason is the growing number of users that use these systems for file sharing or for distributed storage.

A solution that has been implemented to guarantee the correct sharing of resources is the tit-for-tat strategy of BitTorrent [15]. This strategy consists of copying the strategy of the node at the previous interaction. In BitTorrent, the tit-for-tat mechanism is used by a node to decide whether or not to upload a portion of a file to the requesting node. The cooperation is measured as the amount of information downloaded from the requesting peer decreased by the uploaded bits. This scheme has been proven to be effective and to speed up the mean download time of a file [47].

However, in BitTorrent malicious nodes are not rated for their actions. Nodes can upload fake portions of a file without being punished. Nodes have incentives to cooperate for the distribution of the file they are interested in, but they are not stimulated to cooperate for other resources. Moreover, the contribution of the nodes in providing different resources (i.e. participation in multiple torrents) is not considered. Preliminary work has shown that the implementation of an inter-resource collaboration mechanism improves the performance of BitTorrent [32].

In the literature, monetary or credit-exchange schemes have been proposed to foster cooperation in peer-to-peer [30] and ad hoc [12] networks. In these schemes nodes receive a payment every time they participate actively in the system operations, e.g., by serving a file to a node in a file sharing setting or by forwarding packets in an ad-hoc network. Micropayments rely entirely on cryptographic primitives and use virtual currency to remunerate good actions [70]. The access to resources is granted upon payment. This solution is rather effective if we can assume tamper-proof hardware to safely store credits or a trusted centralised entity that mitigates disputes in the system and accounts for credits. However, a centralised or accounting infrastructure is not applicable in a distributed system and the operations required by a monetary scheme might be cumbersome if nodes have limited connectivity or limited computational capabilities [37].

Another class of solutions is based on service differentiation: nodes that contribute more will get better services [33]. This solution anticipates the definition of reputation management schemes. Reputation is defined to give an estimation of the expected cooperation level of the user or nodes. In these schemes nodes’ behaviour is monitored by a fraction of the nodes in the system and evaluated to construct the reputation value. Access to services and the quality of the service are controlled by the reputation of the requesting node.

3 Economic models of Autonomic Communication Systems

3.1 Introduction

In this Section we present a set of case studies that stem from applications originally addressed by the framework of CASCADAS. Before delving into the details of our work, which mainly focuses on peer-to-peer content distribution (CD) and on reputation mechanisms, we first discuss a general framework that provides a basis to understand the models used to describe the applications we focused on.

In the CASCADAS framework, a key role is played by the ACE element, which constitutes the basic cell to build complex autonomic services. In our work, instead of focusing on the simple interactions that drive the behaviour of single ACEs, we address the macro-behaviour of complex elements constituted by several ACEs. Little effort is needed to understand how multiple ACEs, using the techniques developed in the CASCADAS framework (see for example Deliverable D3.1), can combine their features to provide complex services. We work through this exercise in the following paragraphs, where we focus on an application based on “swarming” (see footnote 1).

Assume the following ACEs to be deployed in the context of a P2P CD application: $ACE_A$, responsible for handling connectivity such as neighboring relationships; $ACE_B$, providing a storage service; $ACE_C$, which implements the P2P protocol used to replicate and distribute the content. These three ACEs can be deployed, for example, on the same physical device connected to the Internet. The combination of $ACE_{A,B,C}$ provides a macro-block, which we term $ACE_{CD}$ and which is nothing but what is commonly defined as a peer in the peer-to-peer literature. Several $ACE^i_{CD}$, $\forall i \in \{1, \ldots, N\}$, deployed on different physical devices, form a logical network and are responsible for replicating the content among each other. Specifically:

• $ACE_A$: This ACE handles what goes under the name of distribution overlay network: it is responsible for the establishment and maintenance of logical connections among different $ACE^i_{CD}$. As usually done in the literature, we assume the presence of a central entity to help $ACE^i_{CD}$ in establishing two-way connections among them. This central entity (which can also be the result of a combination of different ACEs) maintains a list of ACEs currently taking part in the content distribution process. When $ACE^i_{CD}$ joins the CD application, it requests from the central entity (which we term Tracker) a list of other $ACE_{CD}$ to connect to.

We focus on the behaviour of this ACE in Sec. 3.2. $ACE^i_{CD}$ is an autonomous entity that, once the bootstrap phase is completed, is required to self-organise and maintain connectivity in spite of system dynamics. We further assume $ACE^i_{CD}$ to be independent of any other $ACE^j_{CD}$: it strives to maintain the best possible connectivity, with respect to application requirements, in spite of other similar ACEs taking part in the system. In an extreme case (studied in Sec. 3.3), we also consider the possibility for users to manipulate the behaviour of this ACE and study the consequences of an aggressive behaviour dictated by user selfish requirements.

Footnote 1: More details on swarming techniques will be provided in Sec. 3.2 and Sec. 3.3.

• $ACE_B$: This ACE simply handles the physical storage space available on the device it is executed on. Although some services, such as P2P storage and backup, may require subtle techniques for this ACE to operate, in the context of CD services we take the stance of a very simple ACE that stores and retrieves pieces of the content.

• $ACE_C$: This ACE dictates the behaviour of the whole $ACE_{CD}$ macro-block. It executes the protocol and the algorithms necessary to replicate content. Precisely, it executes the algorithm that selects pieces of the content to be exchanged by various $ACE^i_{CD}$, which we term piece selection algorithm, and the algorithm that selects which (one or more) remote $ACE^j_{CD}$ is entitled to request pieces of the content owned by $ACE^i_{CD}$. A protocol is necessary to coordinate the operation of the various $ACE_{CD}$ and in this work we assume it to be compliant with the BitTorrent protocol.

We analyse, through modelling and simulation, the behaviour of this ACE in Sec. 3.3. As of today we have witnessed the emergence of several CD services on the Internet based on techniques akin to swarming: in particular, the widely recognised BitTorrent application exists in several mutations, from the mainline version to more aggressive ones such as BitTyrant. Our goal is to understand the coexistence of mutations of the same protocol and algorithms that compete for the same service.

In what follows we use techniques akin to game theory and distributed optimisation to understand the behaviour, mainly in terms of achievable performance, of such complex systems. Macro-ACEs, driven by the individual interests of the user or application that instantiates them, compete to achieve the highest payoff despite a dynamic underlying environment. Our modelling effort is general in nature, but we target existing applications and services (even those that are still deployed under a more traditional software framework than the one offered by CASCADAS) in order to improve the understanding of the techniques we used. Furthermore, insights gained through our work can be re-introduced in the service-design loop in order to conceive applications and services tailored to a distributed, selfish setting.

The following Sections report on several works done in the context of the CASCADAS project.

3.2 Selfish Service Overlay Networks: The case for n-way broadcast applications

3.2.1 Introduction - Outline

Motivation: The BitTorrent protocol [15] has established swarming, i.e., parallel download of a file from multiple peers with concurrent upload to other requesting peers, as one of the most efficient methods for multicasting bulk data. A fundamental characteristic of the existing BitTorrent is that the overlay graph resulting from its bootstrap and choke/unchoke algorithms is mostly ad-hoc, in the sense that it is the outgrowth of random choices of neighbouring peers. This is justified given the scale of P2P file swapping networks.

P2P file swapping is not the “be all and end all” for swarming. In this work we consider n-way broadcasting, another class of applications, in which each one of $n$ overlay nodes must push a very large chunk of data (a distinct file) to all other $n-1$ peers, as well as pull the $n-1$ files pushed by these other peers. Once completed, this push-pull cycle may be repeated with new sets of files.

Applications using n-way broadcasting would involve small/medium-sized networks, as they are inherently of $n^2$ nature. Examples include: distribution of large scientific data-sets in grid computing, distribution of large traffic log files for network-wide distributed intrusion/anomaly detection schemes [48], synchronisation of distributed databases [6], and several other enterprise applications. Contrary to the prevailing assumption underlying the design of BitTorrent, the nodes that make up such networks are basically cooperative (at an extreme case they belong to the same administrative authority).

Even for relatively small networks, $n$ parallel broadcasts of distinct large files can create data volumes that are impossible to handle via centralised solutions: uploading each file to a centralised server and then copying it back to all destinations in a point-to-point manner means that the same file is transmitted $O(n)$ times over the same link, i.e., imposing an $O(n)$ stretch on the physical links.

n-way broadcast via swarming: Swarming is clearly an attractive approach to supporting n-way broadcast applications. The obvious solution is to outsource the push-pull functionality to BitTorrent: set up $n$ different torrents, each one seeded by a different node.

In this work, we question the effectiveness of BitTorrent for n-way broadcasting (which is not what it is primarily designed to support). In particular, we note that BitTorrent runs on the topologies that result from the composition of its bootstrapping and choke/unchoke algorithms. These topologies are mostly unoptimised. Indeed, the only topological optimisation in BitTorrent is a local one: under the choke/unchoke algorithm, fast peers are matched up with other fast peers from within the same randomly bootstrapped neighbourhood. By virtue of the relatively small size of neighbourhoods compared to the entire network, the resulting topology is close to being random. While randomly-bootstrapped graphs may possess desirable theoretical properties (such as small diameters), they are likely to be inefficient when compared to graphs that are systematically constructed to optimise a specific application. Notice that BitTorrent’s matching of fast nodes is mostly in the protocol as an efficient tool against free-riding, rather than as a conscious attempt to optimise the overall overlay topology for applications such as n-way broadcast.

Our work, swarming over optimised overlays: For n-way broadcast applications (as well as for other potential classes of applications), the overriding goal is to optimise the efficiency of the entire overlay as opposed to creating a tit-for-tat environment to rein in selfish, free-riding behaviour of individual nodes. Also, the scale of the applications we envision makes it possible/practical to optimise the construction of the overlay, especially if distributed optimisation is used.

Armed with this realisation, our goal will be to construct highly efficient topologies to be used by swarming protocols for n-way broadcast. Specifically, we construct an optimised, common overlay network, upon which swarming is used. In order to control the stretch of the physical links supporting the overlay, we impose an upper bound on the degree of the nodes in the constructed overlay network.

Next we present justification for several of the salient features of our solution, features that will be developed and presented fully later in the work.

Why swarming on top of an overlay? Because hop-by-hop relay of the entire file over a shortest-path tree embedded on the overlay topology and rooted at the seed node would take too long. We want to harness the power of parallel downloads as exemplified in BitTorrent.

Why use a common overlay? Because a topological optimisation requires monitoring the performance of overlay links, and we want to amortise the cost of such monitoring: pay it only once per link and reuse the result for the benefit of all $n$ transmissions (and avoid monitoring the same link up to $n$ times as can happen if one builds $n$ independent overlays).

How could swarming benefit from an end-to-end optimised overlay? Our overlays are optimised for end-to-end performance over multi-hop paths, e.g., by maximising the minimum available bandwidth to any destination over multiple paths, or by maximising the total available bandwidth to all destinations over all available paths. From a single node’s perspective, swarming involves point-to-point transfers within the neighbourhood of that node. Each node, however, has in its neighbourhood nodes that also belong to other “adjacent” neighbourhoods. Noting this, one can see that, through swarming, data chunks eventually reach their destinations through multi-hop paths formed through single hop transfers between neighbourhoods. If these multi-hop paths are end-to-end optimised, then swarming will be more effective in operating upon them as compared to upon unoptimised paths.

Why optimise the overlay based solely on network characteristics, without consideration of data availability? Arguably, one could conceive of more general overlay constructions in which neighbours are selected based on criteria involving both the network characteristics and the availability of chunks at each candidate connection point. In our work, we adopt a bandwidth-centric/data-agnostic approach to the construction of the overlay for two main reasons: (1) for large objects it is high bandwidth that leads to small delivery completion times and high object throughput; (2) the global state in terms of available chunks per node changes too frequently (with each successful chunk exchange between two nodes), resulting in an optimised topology that changes too frequently to be of practical use. The fact that we do not consider data availability in the construction of the overlay does not mean that data availability does not play a role in our approach: it does, but not at the overlay construction time-scale. Specifically, we advocate a “two-pronged approach” operating at two distinct time scales: at a coarse time scale, we address issues related to network characteristics through the construction of a dynamic, distributively optimised overlay, and at a finer time scale, we address issues related to data availability through the upload/download scheduling algorithms employed in the swarming protocol that runs on top of the overlay.

3.2.2 Peer-set Selection

Let $V = \{v_1, v_2, \ldots, v_n\}$ denote a set of nodes. Node $v_i$ selects $k$ other nodes to be in its peer-set $s_i = \{v_{i_1}, v_{i_2}, \ldots, v_{i_k}\}$ and establishes bidirectional links to them. Let $S = \{s_1, s_2, \ldots, s_n\}$ denote the edge set of the overlay graph $G = (V, S)$ resulting from the superposition of the individual peer-sets. Each link of $G$ is annotated with a capacity $c_{ij}$ which captures the available bandwidth [41] (availbw) on the underlying IP layer path that goes from $v_i$ to $v_j$. Capacities can be asymmetric, meaning that $c_{ij} \neq c_{ji}$ in the general case. Let $MF(v_i, v_j, S)$ denote the resulting max-flow from $v_i$ to $v_j$ under $S$. Let also $\Phi(v_i, S)$ and $\Psi(v_i, S)$ denote the minimum max-flow from $v_i$ to any other node under $S$, and the sum of max-flows from $v_i$ to all other nodes under $S$, respectively, i.e.:

$$\Phi(v_i, S) = \min_{v_j \in V_{-i}} MF(v_i, v_j, S), \qquad \Psi(v_i, S) = \sum_{v_j \in V_{-i}} MF(v_i, v_j, S)$$

In the above definitions, each max-flow from $v_i$ to an individual destination is computed independently of other max-flows from the same node to different destinations (i.e., each one is computed on an empty flow network $G$). These definitions should not be confused with multi-commodity flow problems in which multiple distinct flows co-exist.

Definition 1 (Max-Min and Max-Sum peer-sets) A peer-set $s_i$ is called Max-Min if it maximises the minimum max-flow of node $v_i$, i.e., $\Phi(v_i, \{s_i\} + S_{-i}) \geq \Phi(v_i, \{s_i'\} + S_{-i})$, $\forall s_i' \neq s_i$, where $S_{-i}$ denotes the superposition of the peer-sets of all nodes but $v_i$. Similarly, a peer-set is called Max-Sum if $\Psi(v_i, \{s_i\} + S_{-i}) \geq \Psi(v_i, \{s_i'\} + S_{-i})$, $\forall s_i' \neq s_i$.

Lemma 1 Finding a Max-Min or Max-Sum peer-set for $v_i$ given $S_{-i}$ is an NP-hard problem.

These peer-set selection policies optimise the connectivity of a given node to the remaining network. One could say that this constitutes selfish behaviour. This is indeed the case if the nodes use this connectivity to only disseminate their own file. However, when they also indiscriminately relay the files of others, which is the assumption for the applications we consider, then optimising one’s connectivity boosts the aggregate social performance of the network. Later on, in Sect. 3.2.5 we discuss what happens when the swarming protocol (running above the overlay) ceases to be indiscriminate with respect to the upload quality it gives to local and remote files.

Why Max-Min and Max-Sum? Given a flow network $G$, the broadcast problem asks what is the maximum (broadcast) rate at which a source $v_i$ can deliver its stream concurrently to all other nodes. Edmonds showed in [17] that the broadcast rate is equal to $\min_{v_j \in V_{-i}} \mathrm{mincut}(v_i, v_j)$, which in view of the max-flow/min-cut theorem is equal to $\min_{v_j \in V_{-i}} MF(v_i, v_j)$. Therefore, the Max-Min peer-set is the peer-set that maximises the broadcast rate of a node, or conversely the delivery rate to the slowest receiving peers. It does so by placing the links so as to boost the max-flow to these slowest peers. Of course for this to be possible there must be available bandwidth to be utilised at the IP level (this is reflected in the $c_{ij}$’s, which steer the peer-set selection and which are obtained through measurements as explained in Sect. 3.2.3). Edmonds gave an exponential time centralised algorithm for achieving the broadcast rate, which was later improved to a small polynomial time by Lovasz, Gabow and others [36]. Recently, Massoulie et al. [52] showed that a simple randomised decentralised algorithm can achieve a delivery rate that is arbitrarily close to the broadcast rate.

Figure 1: Mixing max-flows. Left: empty network. Middle: RF(1,5) and RF(1,6) co-existing. Right: RF(1,2), RF(1,3), RF(1,4), RF(1,5), RF(1,6) co-existing. Top: initial network. Bottom: initial network augmented with edges (3,2) and (3,4).

A Max-Sum peer-set on the other hand is a peer-set that maximises the theoretical maximum aggregate transmission rate from a node. Contrary to the Max-Min peer-set that maximises a provably attainable broadcasting rate, the Max-Sum maximises only an upper bound on the aggregate rate which, in the general case, is not attainable due to contention for link bandwidth when max-flows from the same source to different destinations share common overlay links (see footnote 2). We elaborate with an example.

Consider the flow network of Fig. 1 (top-left) in which all links have unit capacity and node 1 is the source. Computing each max-flow on an empty network we get that the max-flow from the source to nodes 2, 3, and 4 is equal to 1 whereas that to nodes 5 and 6 is equal to 2, thereby $\Psi(1) = 7$. Consider now the maximum real flows that can exist concurrently from the source to nodes 5 and 6 (top-center). Breaking the file into two equal parts A and B, the source can transmit A at full rate over the dotted paths ($1 \to 2 \to 5$ and $1 \to 4 \to 6$) and B at full rate over the dashed path (only once over link (1,3)) and achieve concurrent real flows that match the capacity of the corresponding max-flows on an empty graph, i.e., RF(1,5) = MF(1,5) = 2 and RF(1,6) = MF(1,6) = 2. This is possible because a single transmission of B on the edge (1,3) suffices for contributing to both RF(1,5) and RF(1,6). Thus the two flows don’t compete for bandwidth on the shared link and can achieve the same capacity as the corresponding max-flows on empty networks. This is not, however, generally possible. On the top-right part of the figure we depict the situation when sending from the source to all destinations (nodes 2-6) concurrently. In this case the entire file (both A and B) has to go over links (1,2), (1,3), and (1,4) and thus RF(1,5) = RF(1,6) = 1 < MF(1,5) = MF(1,6) = 2, leading to a real aggregate rate $\Psi(1) = 5$ smaller than the bound $\Psi(1) = 7$.

Generally, the bound becomes less tight with increasing link density $k/n$. On the bottom-left part of Fig. 1 we add to the previous network two new links: (3,2) and (3,4). It is easy to verify that the max-flow from the source to nodes 2, 4, 5, and 6 is now 2 and to node 3 is 1, leading to $\Psi(1) = 9$. As before, if we consider only the flows to 5 and 6, it is easy to see that their max-flow values can co-exist. Considering, however, the flows to all destinations, we see that any partition of the file into parts will inevitably lead again to all real flows being 1, whereas the corresponding max-flows with the exception of MF(1,3) are now 2 (see footnote 3). In other words, although the new links increased both MF(1,2) and MF(1,4) by 1 compared to the previous network, they cannot increase any of the real flows and thus widen the gap between the bound ($\Psi(1) = 9$) and the maximum attainable aggregate rate ($\Psi(1) = 5$).

Footnote 2: The contention between max-flows “from” different sources does not come explicitly in these objective functions. It is captured in our framework through the measured availbw $c_{ij}$: the availbw on a direct overlay link from $v_i$ to $v_j$ depends on the capacity of the underlying physical path and the amount of this capacity already captured by the competing max-flows from other sources. At this level the problem is indeed a multi-commodity flow.

To sum up, we propose and study these peer selection policies for the following reasons: (1) Max-flows are used to capture the fact that in a swarming protocol the chunks of a source node v_i travel towards a sink node v_j over (potentially) all the available paths of the overlay graph of point-to-point peer relationships. (2) The gap between the bound on the aggregate rate Ψ(v_i, S) given by a Max-Sum peer-set and the actual maximum attainable aggregate rate Ψ(v_i, S) which factors in the sharing of overlay links from multiple max-flows to different destinations, is reduced by the fact that swarming protocols guarantee that any chunk is transmitted at most once between any two peers; therefore, Ψ(v_i, S) can use an overlay link multiple times (for different max-flows) but would seize bandwidth only once, thereby reducing its gap from the bound Ψ(v_i, S) that assumes that the entire flow network is available to each individual max-flow from v_i. (3) The overlay network has to be rather sparse (small k) so as to limit the stretch on the physical links. Thus the bound Max-Sum won’t be very much off from the actual achievable aggregate rate and it makes sense optimising the peer-set based on it. Regarding Max-Min, this is provably attainable, and optimal for broadcast rate as discussed earlier.

Since a node cares to both upload its local file to all other nodes as well as download from them all remote files, we combine the previous definitions in the following objective functions:

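$$\Phi(v_i, s_i) = \alpha\,\Phi(v_i, \{s_i\} + S_{-i}) + (1 - \alpha) \min_{v_j \in V_{-i}} MF(v_j, v_i, \{s_i\} + S_{-i}),$$

$$\Psi(v_i, s_i) = \alpha\,\Psi(v_i, \{s_i\} + S_{-i}) + (1 - \alpha) \sum_{v_j \in V_{-i}} MF(v_j, v_i, \{s_i\} + S_{-i})$$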

In the above functions, the parameter α regulates the relative importance between upload and download quality in selecting a peer-set. If the link capacities are symmetric, then optimising Φ or Ψ reduces to optimising Φ or Ψ, independently of α.

3.2.3 Node Architecture

Nodes consist of the following components: a peer selection module implementing the peer-set selection algorithms described in Sect. 3.2.2; a downloader module, responsible for issuing requests to neighbouring nodes and downloading missing chunks; and an uploader module, responsible for sending back local and in-transit chunks (an in-transit chunk is a chunk that does not belong to the local source file). In this section we describe these three modules under the assumption that nodes are cooperative (therefore we don’t need mechanisms like choke/unchoke). Later on, in Sect. 3.2.5 we discuss the necessary changes for dealing with selfishly behaving nodes.

Peer Selection Module

Every time period T, a node: (1) measures its available bandwidth to all other nodes using pathChirp [60], (2) executes a peer-set selection algorithm from Sect. 3.2.2 and connects to the corresponding nodes (incoming links are left untouched). Since both Max-Min and Max-Sum are NP-hard, we use fast local search heuristics to compute approximately optimal peer-sets (which we verified to be always within 1% of the exact optimal for all problem sizes on which we were able to use integer linear programming to compute the latter). Once links are established, the node keeps monitoring them (including the incoming

Footnote 3: The fact that the entire file has to go over the edge (1,3), eliminates any chance for increasing the real flows to nodes 2, 4, 5, and 6 beyond 1.


ones) and relays their capacity to all other nodes through an overlay link-state announcement protocol. Remote nodes need this information to compute their own peer-sets. Although each node measures O(n) overlay links every re-wiring epoch T, the monitoring and announcement overhead is only O(kn) and not O(n^2) since only the O(k) established links are monitored and announced in between the (infrequent) rewiring epochs, where k ≪ n.

The Downloader Module

The downloader module monitors the available chunks on the peer-set and issues requests for downloading missing ones. The selection is based on the well established Local Rarest First (LRF) heuristic [47] that looks at the peer-set and issues a request for any missing chunk that is among the least replicated ones in the peer-set. New requests are triggered either upon the completion of a download, or if an overlay link is inactive, upon the detection on the other side of the link of a missing chunk.

The Uploader Module

The uploader receives requests and sends back chunks. Our baseline uploader allows for up to 1 active upload (chunk) per overlay link (neighbour). It implements this by maintaining a FIFO queue for each overlay connection. This choice bounds the number of concurrent uploads by the number of neighbours thereby avoiding excessive fragmentation (over-partitioning) of the upload bandwidth of the local (physical) access link of a node (this choice is backed up by results appearing in [65]). We also experimented with an uploader that allows up to 1 active chunk per source file per connection, but this can lead to up to n − 1 parallel uploads per overlay link, which becomes problematic as n increases. Indeed, over-partitioning the upload bandwidth defeats the entire concept of swarming: it takes too much time to upload an entire chunk, and during this time the downloading node is under-utilising its upload bandwidth as it cannot relay the chunk before it completes the reception. We want to note, however, that our baseline design is by no means claimed to be optimal. As an example, consider a node that can upload to its first k − 1 neighbours with rate x and to the last one with rate larger than k · x. Then as long as this last neighbour can always find k missing chunks from our node, and can also itself disseminate them further down in the network faster than the k − 1 slow neighbours, the system would be better off allowing up to k parallel uploads to the fast one at the expense of the slow ones. Such situations though are rather peculiar and even if they arise, it is difficult to check the necessary conditions for taking advantage of them, so we leave their investigation to future work and stick to the simple one-chunk-per-connection policy.

3.2.4 Performance Evaluation

In this section we compare the performance of Max-Min and Max-Sum peer selection policies against three reference selection policies: Random (node v_i selects k peers at random from the set of all nodes in V_{-i}); k-Widest (node v_i selects node v_j if c_ij is among the k largest ones across all nodes in V_{-i}); Rand k-Widest (v_i performs k-Widest on a random subset of V_{-i} of size β · k). Rand k-Widest is included in the evaluation to mimic the effect of combining random bootstrapping with choke/unchoke in BitTorrent.

We compare these policies in terms of (node, remote file) finish times. We denote f(j, i) the time that the sink v_j completes downloading the file of source v_i, assuming that all exchanges start at time 0. In all experiments we assume that nodes are fully cooperative (they belong to the same authority) and thus follow exactly and truthfully the peer-selection policies of Sect. 3.2.2 and the swarming protocol of Sect. 3.2.3 (i.e., no choke/unchoke mechanism is employed). We discuss the impact of selfishly behaving nodes in Sect. 3.2.5.

Our performance evaluation is done in two settings. In the first, we assume that the n-way broadcast is to be carried over the Internet. We do so by evaluating the performance of a prototype implementation


[Figure 2 panels: “average finish time per topology” (left) and “worst finish time per topology” (right); y-axis: normalized time; policies shown: Random, Rnd kW, kW, MaxSum, MaxMin.]

Figure 2: PlanetLab experiment, mid June 2007.

of our architecture on PlanetLab. In the second, we assume that the n-way broadcast is to be carried on a closed (controlled/isolated) network. We do so by evaluating the performance of a prototype implementation of our architecture on a discrete event simulator of the closed network. [62] contains additional results and discussion that do not fit here.

Case Study 1: A PlanetLab Prototype

In this setting, we compare the performance of different overlay topologies when the underlying physical network is the Internet and the overlay nodes are single-homed, i.e., all overlay links of a node go over the same physical access link. For this purpose we selected n = 15 PlanetLab nodes (10 in North America, 1 in South America, 3 in Europe, 1 in Asia) and let each one of them disseminate a different 100MBytes file and allow it to connect to k = 2 neighbours (and accept additional incoming links). Notice that we limited our experiment to only 15 nodes and only 100MBytes per node so as to keep the amount of exchanged traffic on PlanetLab at reasonable levels, while also allowing us to monitor the network throughout the experiment. Notice that if data were to be transferred in a point-to-point manner, then it would amount to over a Terabyte for each execution of the entire experiment: 5 different peer-set selection policies, each one generating 15*14*100MBytes of data at each run, and repeated 10 times to get confidence intervals. We let the re-wiring epoch be T = 10 minutes and the measurement/announcement epoch for existing links be 2 minutes. Also we set α = 0.5 to indicate that nodes care equally for download and upload quality.

For a node $v_j$, we compute its maximum finish time $\max(j) = \max_{i \neq j} f(j, i)$, i.e., the time at which it has completed downloading all $n - 1$ remote files, as well as its average finish time $\mathrm{avg}(j) = \frac{1}{n-1} \sum_{i \neq j} f(j, i)$. For peer-set selection policy $X$, we let $\max(X) = \max_j \max(j)$ denote its maximum finish time across all nodes, and $\mathrm{avg}(X) = \frac{1}{n} \sum_j \mathrm{avg}(j)$ denote its average finish time across all nodes.

On the left-hand-side of Fig. 2 we present the normalised average finish time of each policy with respect to the average finish time of the Max-Sum policy. On the right-hand-side, we present the normalised maximum finish time of each policy with respect to the maximum finish time of the Max-Min policy. These results show that the various policies perform quite similarly with respect to average finish time. When looking at maximum finish times though, the picture is completely different. Max-Min manages to complete all downloads anywhere between 40% and 120% faster than the heuristics and almost 30% faster than Max-Sum. This can be very significant for Bulk Synchronous Parallel (BSP) applications [10], in which the global progress depends on the finish time of the slowest node. It is worth noting that optimising the worst case finish time is much more difficult than optimising the average, and thus it should come as no surprise that the heuristics perform well on average but fail to improve the worst case.


Case Study 2: A Dedicated Network Prototype

In this setting, we examine overlay networks whose links are dedicated, meaning that they do not compete for bandwidth on the underlying physical network. This model is plausible for (multi-homed) networks set up in support of an enterprise through the acquisition of dedicated links to connect its various locations. Such link acquisitions could be done through SLA contracts with ISPs, or through virtualization technologies such as those envisioned for GENI. In either case, a dedicated link could be set up between two enterprise nodes i and j for a given price. Any such dedicated link will have a nominal capacity c_ij, which may depend on any number of factors (e.g., physical constraints of the underlying technology, the demand at the ISP for carrying traffic between these two locations, or the price paid for various links). Since setting up a complete network to connect all n nodes directly to each other may not be feasible (especially for systems of moderate sizes), designers of such enterprise networks are likely to construct the network so as to maximise its utility with respect to some objective function. Independent of which process/strategy is used to construct the optimised overlay, the resulting network would allow all enterprise nodes to communicate either directly or through overlay paths.

The construction we propose for optimising the overlay for n-way broadcast proceeds as follows. First, we order the nodes according to their ids. Next, we proceed in rounds in which nodes take turns in selecting their peer-sets (as discussed in Sect. 3.2.2). This process is repeated until we converge by reaching a round that does not introduce changes in the constructed topology (see footnote 4).

Towards our goal of evaluating the impact of various peer selection policies on the performance of n-way broadcast in this setting, we developed a discrete-event simulator that is able to run over dedicated overlay networks. We constructed the dedicated overlay (enterprise) network using the procedure described above, using the publicly available trace of Sprint’s physical topology taken from Rocketfuel [63]. In particular, we assumed that the dedicated capacity that could be acquired from the ISP (Sprint) would reflect an “equal-share” partitioning, which we approximated as follows. We counted the number of shortest-paths (for all physical node pairs) that go over a physical link and set the available bandwidth of that link to be its real capacity divided by this number (see footnote 5). Then, for an overlay link (i, j) we set c_ij to be equal to the available bandwidth of the tightest physical link on the induced shortest-path over the physical topology. This produces the amount of available bandwidth that the ISP can guarantee for the new application if it admits it into its network and treats it equally with pre-existing ones.

One advantage of simulations (compared to PlanetLab prototyping) is that it allows us to consider a bigger network. In particular, in the experiments that follow, we study overlays of size n = 50 nodes, which are randomly selected from the physical Sprint network, each node holding a 500Mbytes file. In Fig. 3 we compare the average and maximum finish times of different policies for different link densities k/n. Compared to the previous results from PlanetLab, we observe a qualitatively similar behaviour. The gap, however, between Max-Min and the rest in terms of maximum finish time widens substantially: Max-Min is able to finish 2-3 times faster in this setting, even for relatively large k/n (∼10%). The reason is that Max-Min has more real bandwidth to work with in this case: When it places a link (i, j), the capacity (both upload and download) of the two end-points increases by the capacity of the newly-added dedicated overlay link, whereas in PlanetLab the physical bandwidth is fixed, so when Max-Min places an overlay link it can only benefit by whatever unused bandwidth exists on the underlying physical network.

Footnote 4: It is worth noting that the convergence of the above procedure relates to a question regarding the existence of pure Nash equilibria, and their reachability through local improvement paths, in a strategic game with Max-Min or Max-Sum as its payoff function. Although interesting from a theoretical standpoint, the question is not directly relevant here as we have assumed that nodes forward indiscriminately local and in-transit chunks. In all our experiments we got fast convergence but could also stop prematurely after a maximum number of iterations so as to deal with inexistence, unreachability, or slow convergence to stable topologies.

Footnote 5: The idea is that each pair of physical nodes represents a different application that is assigned an equal share of the physical capacity of all links on which it competes with other applications.


[Figure 3 panels: “average finish time per link density” and “worst finish time per link density”; x-axis: k/n (0.04 to 0.1); y-axis: time (secs); policies shown: Max-Min, Max-Sum, k-Widest, Rnd k-Widest, Random.]

Figure 3: Simulation of a closed network based on Sprint’s topology.

3.2.5 Dealing with Selfish Behaviour

Up to now we have assumed that nodes are fully cooperative, which is a realistic assumption for the applications enumerated in the introduction. In this section we will try to explore ways to accommodate applications that involve selfish nodes. We will focus on the following definition of selfishness:

Definition 2 (Upload-selfishness) An upload-selfish node is a node that wants to use as much of its upload capacity as possible for forwarding its local chunks and avoid “wasting” it in relaying the in-transit chunks that it holds.

A Brief Taxonomy of Deterrence Mechanisms

The amount of extra benefit for an upload-selfish node (and potential harm to others) depends on the mechanisms that the network deploys for discouraging such behaviour. We examine the following cases.

Case 0 (neutral): Here the network stays neutral and does not deploy any deterrence mechanism. In such a setting, the upload-selfish node could simply upload its own chunks and ignore all other requests. The harm to cooperative nodes can easily be quantified for this case, so we don’t discuss it further; it will be proportional to the number of upload-selfish nodes, and cooperative nodes will be slowed down and at an extreme case will be unable to receive some files (e.g., when all their neighbours are upload-selfish, which is similar to the case of an eclipse attack [61]).

Case 1 (oblivious retribution): A network can employ several retribution mechanisms to punish a node that fails to deliver a chunk after a request. The choke/unchoke [15] mechanism of BitTorrent, or modified versions based on bit-level tit-for-tat [7, 31] are two established existing proposals. Contrary to the original BitTorrent, such mechanisms are marginally useful here because they are oblivious to whether a node uploads local or in-transit chunks. An upload-selfish node will appear to be contributing by the mere fact that it is certainly uploading its own chunks. Thus oblivious strategies fail to punish nodes that “free-ride” by not uploading in-transit chunks.

Case 2 (non-oblivious retribution): Now, let’s assume that there exists a non-oblivious retribution mechanism that punishes a node that fails to service requests (see footnote 6) for in-transit chunks that it holds. What can a selfish node do against such mechanism? The simplest strategy is to hide (by not announcing) the availability of in-transit chunks it holds, and thus get rid of the burden of having to service requests for these chunks. This can be addressed with a simple two-hop announcement strategy in which a

Footnote 6: We do not want to punish nodes that don’t have enough in-transit content for whatever reason (slow local link or peer-set) but would relay if they had, so we only punish when a request exists and is not honoured.


[Figure 4 panels: two scatter plots; x-axis: file id; y-axis: node id.]

Figure 4: Maximum finish time for all nodes and all files under Random with cooperative nodes and Max-Min with upload-selfish slowest node (k/n = 0.04).

node that uploads to another node announces on its behalf the availability of the chunk (using HAVE messages [15]) to downloaders belonging to the peer-set of the receiving node. This requires obtaining upon bootstrap (and re-wiring) second hop neighbours. Assuming that the retribution is severe enough, the upload-selfish node will have to honour all requests. Despite that, the upload-selfish node still has some room to game the system by changing the uploader and the downloader as follows.

– The upload-selfish node can substitute each FIFO queue at its uploader with a selfish FIFO (S-FIFO) that gives priority (preemptive or non preemptive) to requests for local chunks.

– The upload-selfish node can switch from Least Replicated First to Most Replicated First (MRF) downloads. Highly replicated chunks receive fewer requests and thus the “waste” of upload bandwidth for sending in-transit chunks is smaller (most nodes already have these chunks, and any requests for these chunks will be divided over many peers).

Since it is difficult to detect such deviations from the protocol, we instead quantify their impact.
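The Case 2 mechanism (two-hop HAVE announcements plus retribution only for unhonoured requests, as in footnote 6) can be sketched as downloader-side bookkeeping. This is an added example, not the deliverable's implementation: the class and method names, the timeout value and the sample events are all constructed assumptions, and it addresses the hiding of in-transit chunks, not the S-FIFO/MRF deviations.

```python
from dataclasses import dataclass, field

@dataclass
class NeighbourView:
    """What one downloader knows about one neighbour (hypothetical structure)."""
    self_have: set = field(default_factory=set)    # HAVEs the neighbour sent itself
    proxy_have: set = field(default_factory=set)   # HAVEs sent by its uploaders (two-hop)
    pending: dict = field(default_factory=dict)    # chunk -> time the request was issued
    strikes: int = 0                               # unhonoured in-transit requests

class RelayAuditor:
    """Downloader-side ledger. A chunk is a (source_node, index) tuple, so a chunk
    is in-transit for a holder whenever source_node differs from the holder."""

    def __init__(self, timeout):
        self.timeout = timeout          # assumed grace period before a strike
        self.views = {}

    def _view(self, holder):
        return self.views.setdefault(holder, NeighbourView())

    def on_have(self, sender, holder, chunk):
        """Record a HAVE; sender != holder means an uploader announced on the
        holder's behalf (the two-hop announcement)."""
        view = self._view(holder)
        (view.self_have if sender == holder else view.proxy_have).add(chunk)

    def hidden_chunks(self, holder):
        """In-transit chunks known only through proxy HAVEs: an indicator that the
        holder is not announcing them (or has not announced them yet)."""
        view = self._view(holder)
        return {c for c in view.proxy_have - view.self_have if c[0] != holder}

    def request(self, holder, chunk, now):
        """Issue a request only for chunks the holder is known to have."""
        view = self._view(holder)
        if chunk not in view.self_have | view.proxy_have:
            return False                # nothing to request, hence nothing to punish
        view.pending.setdefault(chunk, now)
        return True

    def on_chunk(self, holder, chunk):
        """The holder delivered the chunk: the request is honoured."""
        self._view(holder).pending.pop(chunk, None)

    def expire(self, now):
        """Turn overdue requests for in-transit chunks into strikes."""
        offenders = []
        for holder, view in self.views.items():
            for chunk, asked in list(view.pending.items()):
                if now - asked < self.timeout:
                    continue
                del view.pending[chunk]
                if chunk[0] != holder:          # only in-transit chunks count
                    view.strikes += 1
                    offenders.append((holder, chunk))
        return offenders

def run_constructed_scenario():
    """Constructed events: R hides and ignores in-transit chunks, C relays,
    S holds no in-transit content at all."""
    aud = RelayAuditor(timeout=20)
    aud.on_have("U", "R", ("U", 0))     # U uploaded to R and announces for it
    aud.on_have("U", "R", ("U", 1))
    aud.on_have("R", "R", ("R", 0))     # R itself announces only its local chunk
    aud.on_have("U", "C", ("U", 2))
    aud.on_have("C", "C", ("U", 2))     # C announces what it relays
    aud.request("R", ("U", 0), now=0)
    aud.request("C", ("U", 2), now=0)
    aud.on_chunk("C", ("U", 2))         # C honours the request
    asked_s = aud.request("S", ("U", 3), now=0)   # S never had it: no request
    return aud, aud.expire(now=30), asked_s

if __name__ == "__main__":
    auditor, offenders, _ = run_constructed_scenario()
    print("offenders:", offenders, "hidden at R:", sorted(auditor.hidden_chunks("R")))
```

Only R collects a strike: C delivered in time, and S is never penalised because no request could be issued for content it was not known to hold.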

Quantifying the Impact of S-FIFO/MRF

We quantify the advantage for a single upload-selfish node by looking at the ratio between the time it takes to upload its file to all other nodes when it is selfish and when it is cooperative, granted that all other nodes are cooperative. We examined this ratio for different overlays built on the Sprint trace and for different choices with respect to the choice of selfish node. We consider three cases, where the selfish node is: (1) the slowest node, i.e., the one whose adjacent links have the minimum aggregate upload capacity; (2) the fastest node; or (3) a typical node (median upload capacity).

On the Max-Min overlay the selfish node reduced its maximum upload finish time by 30% when it was the slowest one. When it was a typical node (or the fastest one), it got almost no benefit, since in these cases the bottleneck is at the downloading nodes (so locally selfish behaviour cannot help). In all other overlays, the selfish node got almost no benefit, even when it was the slowest node. Unlike the Max-Min, the other overlays are not optimised for the slowest node, so even if this bottleneck node tries to selfishly upload its file, it cannot really benefit because it has very limited bandwidth.

From the above, it is clear that there exist cases in which upload-selfishness pays substantially. Granted that upload-selfishness is hard to detect, we also look at its impact on the cooperative nodes. We consider again a single selfish node (one can easily extrapolate for multiple selfish nodes). The impact depends on the considered metric and on the identity of the selfish node. If we care about the worst-case download time of cooperative nodes and let the selfish node be the slowest node, then counter-intuitively, the impact on the cooperative nodes is positive. This is simply because by being selfish, the slowest node helps all other nodes improve their (bottleneck) downloads from it. To get a feeling of this we show a scatter-plot on the left of Fig. 4 with the download time for each pair (node, remote file) when the topology is random and all the nodes are cooperative. The solid black line that stands out


corresponds to the slowest node (node 29), whose file is the last one to be downloaded by all others. To contrast this, we plot on the right the corresponding times when the topology is Max-Min and the slowest node is upload-selfish. As it can be seen, the combination of Max-Min topology and upload-selfish scheduling on the slowest node does a pretty good job at smoothing out the differences in maximum finish times. If, on the other hand, the selfish node is a typical node, or the fastest node, then its effect on the download quality of others is rather marginal. First, its own file is not a bottleneck. Second, the relay of in-transit chunks is largely carried by the other n − 1 nodes. Third, S-FIFO and MRF impact primarily first-hop neighbours and have small impact on nodes further away.

Overall, upload-selfishness, unlike what its name suggests, is not necessarily bad. A socially inclined global scheduling policy, for example, would certainly make slow nodes upload only their own chunks so as to reduce the severity of the bottlenecks that they cause. More generally, for social optimality, one should split the upload bandwidth of a node between local and in-transit chunks according to the relative speed of the node. Nodes that are fast should contribute heavily in relaying in-transit chunks. Nodes that are slow should focus only on uploading their own chunks so as to avoid becoming bottleneck points. Stated differently, a single uploading policy across all nodes cannot be socially optimal. We postpone the investigation of node-dependent upload scheduling for future work (see Sect. VI of [42] for a similar discussion based on our previous work on selfish caching).

Download-Selfishness and Other

It is tempting to ask whether a notion of download-selfishness would make sense. Our answer leans towards the negative. First, there is no contention between local and in-transit chunks in the incoming direction towards a node: only in-transit chunks flow there. Second, as long as the downloader keeps all its overlay connections busy by immediately identifying and requesting missing chunks, its download-finish time will be the same, so it gets no foreseeable benefit by deviating from LRF. Finally, trying to manipulate the system by advertising false c_ij’s for the established links can be disclosed by having nodes periodically “audit” others by measuring some remote c_ij’s and comparing with the advertised values on the link-state protocol. Such methods are quite elaborate and fall outside the scope of the current work.

3.2.6 Conclusion and perspective for the CASCADAS project

In this Section we showed that swarming protocols for bulk data transfers perform much better when operating over optimised overlay topologies that take into consideration the end-to-end performance characteristics of the underlying network. Such topologies improve the aggregate transmission capacity of nodes, but where they make a huge difference compared to existing heuristic approaches is in relieving bottleneck points. Random and myopic heuristics used in practice lack the required sophistication for overcoming such bottlenecks.

Our optimised topologies are opaque to the details of the swarming protocol that runs on top. They leverage the available bandwidth of the underlying network and abstract the swarming protocol by viewing it as a series of max-flows. Thus they can benefit a variety of swarming protocols with different upload/download scheduling characteristics. Since our topologies are data-blind, it is the job of the swarming protocol to make the best use of the end-to-end bandwidth that they offer. To that end, we have shown that a commonly parameterized swarming protocol is far from being optimal. Designing swarming protocols tailored to the characteristics of individual nodes is on our future research agenda.

In the perspective of the CASCADAS project, several lessons can be learned from this work. The goal of the project is to deploy a multitude (maybe in the order of several hundreds) of ACEs in a distributed environment to offer services to user requests. Building optimised logical communication networks on top of the physical graph that connects ACE instances is mandatory for a number of reasons, and in


this Section we illustrated a possible application for ACEs to disseminate to other ACEs a large quantity of data. As illustrated throughout this Section, our work calls for a monitoring and supervision service to help ACEs in building the optimised overlay on which they operate. This kind of service is available in the CASCADAS system through the work developed in Work Package 2. ACEs’ characteristics, and the context in which they operate, are reported and/or collected by the supervision infrastructure. We take the stance that this information can be accessed by ACEs in order to self-optimise the way they communicate and we show how to use this information in practice.

The prototype implementation we used for our experiments did not use the ACE Development Toolkit for the simple reason that the software framework was undergoing some final tests by the time we had to perform our evaluation. Nevertheless, the algorithms presented in this work can be easily plugged into a specialised ACE: our algorithms are based on local search, and they converge quickly to an approximately optimal configuration.

In the next Section, we will discuss another important issue that must be addressed in the CASCADAS system, which tackles greedy strategies and their impact on the performance of peer to peer systems.

3.3 Aggressive vs. Cooperative Applications: The case of P2P content Distribution

In the framework of the CASCADAS project, one cannot assume ACEs deployed in the system to be all part of the same organisation. What this implies is that different ACEs, though offering the same service, may try to achieve different goals. In this context, the consequences of different strategies adopted to offer the same service need to be studied.

In this work, we make the case of ACEs used to provide a content distribution service, as illustrated in the introduction to this Section. Due to its large diffusion, we argue that such a content distribution service would resemble in nature that offered by the BitTorrent protocol. BitTorrent, which will be illustrated at length in what follows, implements some very simple algorithms to achieve content distribution: every element of the content distribution network needs to select which neighbours it wishes to collaborate with, and which data to exchange. These algorithms are local in nature and can be easily plugged in ACEs through the Development Toolkit.

What happens in such a distributed system when the content distribution service offered by a multitude of ACEs is carried out by entities that do not belong to the same authorisation domain? What is the impact on the normal execution of the content distribution service of the presence of greedy ACEs that follow an objective that is not in line with what the majority of ACEs is following? We try and address these questions in the following work. Before delving into the details of our analytical and experimental setting, we will introduce the concepts necessary to obtain a clear system model. We begin by describing the BitTorrent protocol, its algorithms and the variations to these components that emerged in the past few years.

BitTorrent [15] is a peer-to-peer (P2P) content distribution application that has been adopted by millions of end-users, as witnessed by several specialised sources [1, 2, 3]. BitTorrent (BT) has not only gained huge popularity among the masses, it has also attracted the attention of a large body of researchers that focused on its building blocks and its performance analysis through measurement [47, 31, 38], simulation [72, 7] and analytical [58, 9, 8] studies. These previous works indicated that the key to its success can be substantially attributed to its scalability and its greater robustness to free-riding in comparison to previous P2P proposals.

Some recent studies [49, 51, 57] have proposed new clients that are compliant with the BitTorrent message protocol, but change its algorithms and adopt greedy strategies with the purpose of optimising the local performance of the client. For example, the authors in [51] designed a modified client, called BitThief, that tries to maximise the client download rate without uploading any content by continuously increasing its neighbourhood set. Another prominent example is that of BitTyrant [57], which tries to maximise its download rate by shaping its contribution to remote peers; additionally, BitTyrant borrows the technique to construct large neighbourhoods from BitThief. Note that while the BitThief client is intrinsically a free-rider, BitTyrant makes its whole upload capacity available to spread the content. Similar techniques are proposed in [49].

Our research interest is twofold. First, we want to evaluate to what extent greedy clients have competitive advantages in comparison to standard ones and hence can be expected to be widely adopted by the peer-to-peer community. Second, we want to investigate whether the widespread adoption of such techniques would lead to a general performance improvement (as suggested in [49, 57]). We first focus on a single client (we chose BitTyrant in this work because it merges several greedy techniques discussed in the literature) and characterise its performance gain over legacy clients. We do so by isolating its key ingredients to understand what their contribution to the improved performance is. We then make the case for an extreme scenario in which all users would adopt BitTyrant and discuss its implications on the whole community.

The main contributions of this work can be summarised as follows:

• We generalise the analytical model presented in [57] to identify the extent to which BitTorrent can be exploited by greedy clients. Unlike previous results discussed in [57], our findings indicate that exploiting the altruism of BitTorrent is effective only during a short transient regime when the system is bootstrapping;

• We study the different components of a prominent example of a greedy client, BitTyrant [57], and we evaluate to what extent each part of the proposed solution is responsible for the performance achieved; we also compare the results with the ones obtained by the mainline BitTorrent client;

• We cast light on the subtle choke algorithm used by BitTyrant and show its unexpectedly positive impact on system performance, especially during the most delicate phase of content distribution, the startup phase;

• Finally, we make the case for a wide adoption of the BitTyrant client by the masses. We show that the interaction of BitTyrant clients may lead to an undesirable state with some peers progressively throttling the uploading rate to their neighbours and others intermittently choking their contribution, with resulting poor system performance.

The remainder of the Section is organised as follows: Sec. 3.4 provides some background on BitTorrent and its variants; in Sec. 3.5 we analyse to which extent BitTorrent can be exploited by greedy strategies; Sec. 3.6 presents a simulation-based performance evaluation of a single BitTyrant client and pinpoints the merit of its key components to the increased performance; finally, in Sec. 3.7 we make the case of a widespread adoption of BitTyrant and analyse the implications on global system performance.

3.4 Background

In this section we briefly outline the key algorithms used by BitTorrent [15], BitTyrant [57] and BitThief [51].

BitTorrent. The BitTorrent protocol is designed for bulk data transfer. The file is divided into pieces, which can be downloaded in parallel from peers belonging to a specific torrent. A central entity, called tracker, keeps track of all peers downloading the content and bootstraps new peers joining the torrent with a random set (of size 50 peers) of remote peers to connect to: the neighbourhood of a peer is called the peer set.

A BT peer executes two key algorithms, one that is used to select pieces of the content to download (termed the piece selection algorithm) and one that is used to select remote peers to upload data to (termed the peer selection algorithm, or the choke algorithm). In this work we focus on the choke algorithm, and gloss over the details of piece selection. With the choke algorithm, a node builds a subset of its peer set that is termed active set: peers in the active set are entitled to request pieces of the content. The choke algorithm is executed every 10 seconds: all remote peers are ranked based on their upload rate and only the top k peers are unchoked. Along with regular unchokes, every 30 seconds a peer randomly unchokes ω peers irrespective of their rank: this technique is termed optimistic unchoke and allows a peer to explore its peer set and discover fast neighbours. With the choke algorithm, peers discover and maintain an active set (of size k + ω) composed of neighbours that maximise reciprocation, i.e. the amount of data downloaded given the amount of data uploaded to remote peers.

In the basic version of BT, k and ω are empirically set parameters: generally k = 4 and ω = 1. This configuration is used also by Azureus. The upload bandwidth of a peer is shared equally (TCP effects aside) among all unchoked peers; the portion of the bandwidth that each peer is able to obtain is defined as equal-split.

Recently, a new version of the mainline BT protocol has been released. Despite its rather small diffusion among users (only 2% of the clients appear to be of type mainline [57]), we analyse in this work the impact of this new client, that we termed BTnew. The key difference of BTnew lies in the choice of the parameters of the choke algorithm. The number of regular unchokes is determined as a function of the uplink capacity C of a peer, that is $k = \sqrt{0.6\,C}$ (C is expressed in KBytes/s). Moreover, ω = 2. With these new parameters, peers with a high uplink capacity open more active connections.

BitTyrant. The key modifications introduced by BitTyrant (hereinafter BTyr) are related to the peer selection algorithm. As for BTnew, the number of unchoked peers is a function of a peer’s uplink capacity. However, BTyr uses a dynamic bandwidth allocation algorithm by which uplink capacity is assigned on a per-connection basis. During the initial phase of the download process, a BTyr peer allocates the same bandwidth c = 15 KBytes/s to all connections. This initial value, found empirically, is set such that the probability of reciprocation from remote peers is high. The authors in [57] compute c considering a bandwidth distribution derived from real measurements: as in this work we adopt the same distribution, we also use the same value for c.

Subsequently, the alternative choke algorithm works as follows: if a remote peer reciprocates for at least 3 unchoking intervals, the bandwidth allocated for this active connection is reduced by a factor of 0.9. If an unchoked neighbour stops reciprocating, then the bandwidth allocated to the active connection is increased by a factor of 1.2. Every choke interval (set to 10 sec.), neighbours are sorted according to the ratio between the amount of data received and sent (in the last 20 sec.); the available uplink capacity is then progressively allocated to remote peers in descending order. Hence, the amount of bandwidth allocated to a remote peer should converge to the exact value required to guarantee reciprocation.
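The per-connection rule and the ratio-ordered allocation just described can be traced step by step. The following is an added example, not code from this report or from the BitTyrant client; the neighbour model (a remote peer reciprocates whenever it is given at least a fixed threshold rate), the function names and the sample neighbours are assumptions made for the illustration.

```python
# Added illustration of the BTyr choke rule as described in the text.
# Assumption: the remote peer reciprocates whenever the rate it is given
# is at least a fixed threshold (a deliberately simple neighbour model).

INITIAL_RATE = 15.0   # KBytes/s, initial per-connection allocation c
SHRINK = 0.9          # factor applied after >= 3 reciprocated intervals
GROW = 1.2            # factor applied when the neighbour stops reciprocating
STREAK_NEEDED = 3     # number of reciprocated unchoking intervals


def btyr_rate_trace(threshold, rounds):
    """Return [(rate, reciprocated), ...], one entry per choke interval."""
    rate, streak, trace = INITIAL_RATE, 0, []
    for _ in range(rounds):
        reciprocated = rate >= threshold
        trace.append((rate, reciprocated))
        if reciprocated:
            streak += 1
            if streak >= STREAK_NEEDED:
                rate *= SHRINK      # try to pay less for the same service
        else:
            streak = 0
            rate *= GROW            # pay more to win the neighbour back
    return trace


def exchange_ratio(received, sent):
    """Ratio of data received to data sent over the observation window."""
    if sent == 0:
        return float("inf") if received > 0 else 0.0
    return received / sent


def allocate_uplink(neighbours, capacity):
    """Unchoke neighbours in descending ratio order until capacity runs out.

    neighbours: list of (peer_id, received_kb, sent_kb, rate_kbs).
    Assumption: allocation stops at the first neighbour that no longer fits.
    """
    ranked = sorted(neighbours,
                    key=lambda n: exchange_ratio(n[1], n[2]),
                    reverse=True)
    unchoked, remaining = [], capacity
    for peer_id, _received, _sent, rate in ranked:
        if rate > remaining:
            break
        unchoked.append(peer_id)
        remaining -= rate
    return unchoked


# Constructed sample: (peer id, KB received, KB sent, current rate in KB/s).
SAMPLE_NEIGHBOURS = [("a", 300, 150, 15.0), ("b", 100, 200, 15.0), ("c", 400, 100, 10.0)]

if __name__ == "__main__":
    for interval, (rate, ok) in enumerate(btyr_rate_trace(10.0, 12), start=1):
        print(f"interval {interval:2d}: rate {rate:7.3f} KB/s reciprocated={ok}")
    print("unchoked with 30 KB/s uplink:", allocate_uplink(SAMPLE_NEIGHBOURS, 30.0))
```

Under this neighbour model the allocated rate does not settle on one value: it keeps oscillating in a band around the threshold, and the neighbour drops out for one interval each time the rate dips below it.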

BitThief. The primary aim of this client was to show the intrinsic weakness of the optimistic unchoke adopted by BT. BitThief continues to contact the tracker in order to increase its peer set size as much as possible. As a consequence, the probability to be optimistically unchoked increases, and the client can receive the content without uploading at all.

3.5 Misuse Opportunities in BitTorrent: an Analytical Perspective

In this section we take a data agnostic approach and analyse the extent to which the altruistic behaviour of both BT and BTnew might be exploited by self-interested peers. Our analysis extends and formalises rigorously the key observations made in [57], which are behind the design of BTyr. We do not consider here the BitThief scheme since the evaluation of its benefits is straightforward.

3.5.1 Matching Time

As noted in prior studies [46, 22], the choke algorithm, which constitutes the basis of the peer selection process, can be seen as a distributed algorithm for the stable b-matching problem, that converges to a (weakly) stable state in which peers are matched based on their upload capacity and no peer has an incentive to deviate from its matches. The algorithm converges to a stable state through a series of exploration rounds (i.e. optimistic unchokes) in which unstable matchings are formed: in such intermediate cases, a peer may end up being matched to remote peers that cannot sustain a fair reciprocation. This implies that some peers might offer more upload bandwidth than they receive.

The time it takes for the algorithm to converge could be exploited by a peer striving to maximise the reciprocation it receives from remote peers. In the following we endeavour to quantify the convergence time, termed matching time hereinafter. The matching time we derive ignores (i) the peer churn rate, (ii) the content availability and (iii) that some remote peers may not be willing to reciprocate. The last issue is going to be taken into account in the following section.

During a time interval equal to $T_{opt}$, a peer discovers (using optimistic unchokes) the equal split of ω new peers and its equal split is discovered by other ω new peers. Given peer i with equal split $u_i$, let $A_i$ be the set of active connections (neighbours it has unchoked). We denote with b(u) and B(u) respectively the Probability Density Function (PDF) and the cumulative distribution function (CDF) of the equal split. b(u) (B(u)) can be evaluated through an empirical distribution (see footnote 7).

The number of interactions peer i needs to find an attractive peer is geometrically distributed, with expected value $1/(1 - B(u_i))$. The expected number of interactions needed to discover a number of peers equal to the number of active connections $|A_i|$ is simply $|A_i|/(1 - B(u_i))$. If we consider that the peer has one interaction every $T_{opt}/(2\omega)$ seconds, then the matching time is:

$$\frac{T_{opt}}{2\omega} \cdot \frac{|A_i|}{1 - B(u_i)}. \qquad (1)$$

The equation shows that the matching time increases when the number of active connections or the equal split increases.

In Fig. 5 we show the matching time for BT and BTnew clients with different uploading capacities. Matching times are as large as 1 and 10 hours respectively for high capacity BT and BTnew clients. The sawtooth behaviour of the BTnew curve is due to the non-monotonic relation between the uploading capacity and the equal split. Given two peers with similar capacities, it can happen that the one with higher capacity opens one additional connection; in this case, its equal-split is smaller and the time needed to discover faster peers is lower.

Long matching times pave the way for clients such as BTyr that try to exploit high-capacity peers as long as their discovery phase has not converged yet.
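Eq. 1 can be evaluated directly once an equal-split distribution is fixed. The following is an added example, not code from this report: the capacity sample is constructed (it is not the empirical distribution of [57]), and taking $T_{opt}$ = 30 s, rounding $k = \sqrt{0.6\,C}$ down and using $|A_i| = k + \omega$ are assumptions.

```python
import math

T_OPT = 30.0  # seconds between optimistic unchokes (assumed value of T_opt)


def unchoke_params(capacity, client):
    """Return (k, omega) for a peer with uplink `capacity` in KBytes/s."""
    if client == "BT":
        return 4, 1
    if client == "BTnew":
        # Assumption: k = sqrt(0.6 * C) is rounded down, with at least one slot.
        return max(1, math.floor(math.sqrt(0.6 * capacity))), 2
    raise ValueError(f"unknown client type: {client}")


def equal_split(capacity, client):
    """Uplink share given to each unchoked peer (active set of size k + omega)."""
    k, omega = unchoke_params(capacity, client)
    return capacity / (k + omega)


def matching_time(capacity, population, client):
    """Eq. 1: expected time (s) to discover |A_i| peers with a larger equal split.

    `population` is a list of uplink capacities (KBytes/s) of peers that all
    run `client`; B(u) is the empirical CDF of their equal splits.
    """
    k, omega = unchoke_params(capacity, client)
    u_i = equal_split(capacity, client)
    splits = [equal_split(c, client) for c in population]
    b_ui = sum(1 for s in splits if s <= u_i) / len(splits)
    if b_ui >= 1.0:
        # No peer in the sample has a larger equal split: never matched.
        return math.inf
    return (T_OPT / (2 * omega)) * (k + omega) / (1.0 - b_ui)


# Constructed capacity sample (KBytes/s), for illustration only.
SAMPLE_CAPACITIES = [50, 100, 200, 400, 800, 1600, 3200, 6400]

if __name__ == "__main__":
    for client in ("BT", "BTnew"):
        for cap in SAMPLE_CAPACITIES:
            t = matching_time(cap, SAMPLE_CAPACITIES, client)
            print(f"{client:5s} C={cap:5d} KB/s  matching time = {t:8.1f} s")
    # Non-monotonic equal split behind the sawtooth of the BTnew curve:
    for cap in (166, 167):
        k, omega = unchoke_params(cap, "BTnew")
        print(f"BTnew C={cap}: k={k}, equal split={equal_split(cap, 'BTnew'):.2f} KB/s")
```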

3.5.2 Probability of Reciprocation and Expected Download Rate

The extremely long convergence time (especially with respect to typical download times) toward a stable matching that we discussed in the previous section has encouraged the design of subtle techniques [57] to exploit peers until a global matching is reached. By that time, peers would be immune to greedy strategies. A greedy peer, however, is not guaranteed to be reciprocated by remote peers at all times during the matching time.

Footnote 7: In this work we use the same empirical distribution as in [57].

[Figure 5: plot of the expected TFT matching time (s) against capacity (kB/s), with one curve each for BT and BTnew.]

Figure 5: Time required for a new peer to discover a number of peers of equal or greater equal-split to fill its active set size.

We show this by studying the evolution in time of the probability of reciprocation and its impact on the expected download rate of a peer. The following analysis constitutes a significant extension to that sketched in [57]. As noted above, the download rate peer i can achieve varies over time. Indeed peer i can select its $|A_i|$ best uploaders from a progressively larger set, but reciprocation from its peer set fluctuates: reciprocation from peers with higher capacity decreases (because they discover similar peers), while reciprocation from lower capacity peers increases (because they are progressively choked by their best uploaders). Since each peer optimistically unchokes ω new peers every $T_{opt}$, we consider a discrete time system where every $T_{opt}/(2\omega)$ seconds each peer discovers the equal split of a new peer. Let us define $\rho(u_i, u_j, k)$ as the probability that a node with equal split $u_j$ is willing to reciprocate with a node with equal split $u_i$ at the k-th interaction. The probability that a generic peer is willing to reciprocate to peer j at the k-th interaction is

$$\int_0^{\infty} \rho(u_j, v, k)\, b(v)\, dv,$$

and the expected number of peers not reciprocating peer j, $R_j(k)$, is:

$$R_j(k) = k \left( 1 - \int_0^{\infty} \rho(u_j, v, k)\, b(v)\, dv \right).$$

We simplify our analysis assuming that: (i) the number of peers not reciprocating peer j is always equal to the integer nearest to $R_j$ (we denote it as $R_j$) and (ii) that these peers are the best uploaders of peer j. Then if we rank the uploaders of peer j on the basis of their equal split in decreasing order, peer j at the k-th interaction will be willing to reciprocate peers with rank from $R_j(k) + 1$ to $w_j = R_j(k) + |A_j|$, since it is willing to open up to $|A_j|$ connections. Now the probability that peer i is going to be reciprocated by peer j at the following interaction is equal to the probability that peer i has a higher equal split than that of the $w_j$-th uploader of peer j (see footnote 8). We can then use order statistic results to derive the equal split PDF of the z-th uploader of peer j:

$$b^{(z)}_{u_j}(v, k) = \frac{k!}{(z-1)!\,(k-z)!}\, B(v)^{k-z}\, (1 - B(v))^{z-1}\, b(v).$$

Footnote 8: If $w_j = R_j(k) + |A_j| > k$, peer j will always be willing to reciprocate with a new peer.

The reciprocation probability at the (k+1)-th iteration can be evaluated considering that peer i will be reciprocated by peer j only if it is better than the $w_j$-th best uploader of peer j, then:

$$\rho(u_i, u_j, k+1) = \int_0^{u_i} b^{(w_j)}_{u_j}(v, k)\, dv. \qquad (2)$$

The system starts from a state where every peer has an empty active set and is willing to reciprocate with everyone else ($\rho(u_i, u_j, 0) = 1$); Eq. 2 can then be used to evaluate the evolution of reciprocation probabilities.
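The recursion of Eq. 2 can be iterated numerically. The following is an added example, not code from this report: it replaces the continuous equal-split density by a discrete distribution over three constructed peer types (so the values of the report's figures are not reproduced), and ties in equal split count as reciprocated.

```python
from math import comb


def reciprocation_table(splits, probs, active, steps):
    """Iterate Eq. 2 for `steps` interactions on a discrete equal-split distribution.

    splits[i] : equal split u_i of peer type i
    probs[i]  : fraction of peers of type i (the fractions sum to 1)
    active[j] : active-set size |A_j| of type j
    Returns rho, where rho[i][j] is the probability that a type-j peer is
    willing to reciprocate a type-i peer.
    """
    n = len(splits)
    # B(u_i): probability that a random peer's equal split is <= u_i.
    cdf = [sum(p for s, p in zip(splits, probs) if s <= u) for u in splits]
    rho = [[1.0] * n for _ in range(n)]            # rho(u_i, u_j, 0) = 1
    for k in range(steps):
        nxt = [[1.0] * n for _ in range(n)]
        for j in range(n):
            # Probability that a generic peer is willing to reciprocate peer j.
            willing = sum(rho[j][v] * probs[v] for v in range(n))
            r_j = int(k * (1.0 - willing) + 0.5)   # nearest integer to R_j(k)
            w_j = r_j + active[j]
            if w_j > k:
                continue                           # footnote 8: j accepts any new peer
            for i in range(n):
                faster = max(0.0, 1.0 - cdf[i])    # P(an uploader beats u_i)
                # P(the w_j-th best of k uploaders has equal split <= u_i),
                # i.e. fewer than w_j of the k uploaders are faster than peer i.
                nxt[i][j] = sum(
                    comb(k, m) * faster ** m * (1.0 - faster) ** (k - m)
                    for m in range(w_j)
                )
        rho = nxt
    return rho


# Constructed example: slow, medium and fast peers, all with |A| = 5 (BT).
SPLITS = [10.0, 40.0, 160.0]     # equal split in KBytes/s
PROBS = [0.5, 0.25, 0.25]
ACTIVE = [5, 5, 5]

if __name__ == "__main__":
    # With one interaction every 15 s, 10 and 60 interactions correspond to
    # 150 seconds and 15 minutes.
    for steps in (10, 60):
        rho = reciprocation_table(SPLITS, PROBS, ACTIVE, steps)
        print(f"after {steps} interactions:")
        for i, row in enumerate(rho):
            print(f"  type {i} reciprocated by types 0..2:",
                  " ".join(f"{x:.3e}" for x in row))
```

In this constructed population the probability that a fast peer reciprocates a slow one is 0.5 after 10 interactions and practically zero after 60, while fast peers are always reciprocated.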

The expected download rate of peer j can be derived as:

$$\sum_{h=R_j(k)+1}^{R_j(k)+|A_j|} \int_0^{\infty} v\, b^{(h)}_{u_j}(v, k)\, dv + \omega \int_0^{\infty} v\, b(v)\, dv, \qquad (3)$$

where the first term corresponds to the aggregated rate from active connections, while the second one corresponds to the aggregated rate from optimistic unchoking.

(a) After 150 seconds (b) After 15 minutes

Figure 6: Reciprocation probability for BT.

Fig. 6 shows the reciprocation probability for BT clients after 150 seconds and after 15 minutes, respectively the time intervals needed by each peer to discover the equal splits of 10 and 60 peers. Every point (x, y) of the figure indicates the probability that a peer with capacity x is going to be reciprocated by a peer with capacity y. After 150 seconds (Fig. 6-a), peers with lower uplink capacities are very unlikely to be reciprocated by fast peers; however, the probability for fast peers to reciprocate remote peers that cannot sustain their upload rates is very close to one. This observation no longer holds after 15 minutes (Fig. 6-b): in this case a large fraction of peers is willing to reciprocate only with other peers with similar or higher capacities.

Fig. 7 shows the corresponding results for the BTnew client. BTnew appears to be more generous in that the probability of an unfair reciprocation (a slow peer being served by a fast one) is still high after 15 minutes.

Fig. 8 reports the expected download rate of a peer with a given uplink capacity, after 15 minutes from the beginning of the download process. Fairness is achieved when the uplink capacity equals the expected download rate (diagonal line in the figure). We recall that both regular and optimistic unchokes contribute to the download rate observed by a peer. In the BT case, Fig. 8 illustrates that low capacity peers are able to get more than their fair rate. This is mainly due to optimistic unchokes: focusing only on regular unchokes would reveal that the expected download rate is parallel to the diagonal up to roughly 200 kB/s. On the contrary, peers with capacity greater than 3000 kB/s offer more upload capacity than they receive: this is exploited by peers with intermediate upload capacity.

(a) After 150 seconds (b) After 15 minutes

Figure 7: Reciprocation probability for BTnew.

[Figure 8: plot of the downloading rate (kB/s) against capacity (kB/s), with one curve each for BT and BTnew.]

Figure 8: Expected download rate for a peer of a given capacity after 15 minutes.

While similar observations can be drawn for the BTnew case, we notice that the advantage for low capacity peers is less pronounced: this is due to the larger number of active connections (hence lower uplink bandwidth dedicated to each of them) of a BTnew client.

3.5.3 Discussion

Our data agnostic analysis indicates that exploiting BT or BTnew clients appears tempting at first, if one considers the time required by the peer selection to stabilise. However, due to the variability in time of the probability of reciprocation, a greedy strategy would work best during the initial stages of the download process, where high capacity peers are still willing to serve low and intermediate capacity peers.

This conclusion raises the legitimate question of whether these results carry over when piece availability is considered. Indeed, piece availability plays a crucial role, especially during the initial phase of the download process, when the number of pieces being exchanged by peers is scarce. This key observation calls for a deeper study of the performance that can be achieved by a greedy client. Due to the complexity of the analysis when piece availability is taken into account, we resort in the following to a simulation-based performance analysis.

3.6 Deconstructing BitTyrant: the Single Client Case

In the following we carry out a simulation-based analysis of the performance of a prominent example of a strategic client, BTyr. We decided to focus on BTyr because it merges several greedy techniques previously discussed in the literature [51, 49]: (i) greedy peer set size and (ii) greedy uplink allocation:

(i) implies that the peer set size in BTyr is much larger than that of a traditional BT or BTnew client (this approach is adopted also in BitThief [51]); the consequence is that the probability of being optimistically unchoked is higher;

(ii) implies that the uplink capacity of a peer is not equally split among its active connections, but shaped according to a greedy objective; hence, the number of active connections is not a fixed parameter but varies over time.

Here we deconstruct the BTyr client to understand the contributions of its building blocks to the increased performance achieved by a single BTyr client in a torrent of BT or BTnew clients.

3.6.1 Simulator Description, Methodology and Settings

Our work is based on a customised version of the publicly available BitTorrent simulator called GPS [71]. GPS is a discrete time flow level simulator, featuring a simple fluid model of TCP: the available bandwidth between two peers is equally shared among active flows on the path joining the peers. Peers have infinite downlink capacity and a finite uplink capacity, which is distributed according to the bandwidth distribution of [57]. GPS implements the BT client, including the piece selection, the choke algorithm and the tracker. We complemented the simulator with an implementation of (i) the new version of the mainline BT client (BTnew) and (ii) the BTyr client.

The main performance metrics we use are:

• Download time of the single client (BT, BTyr or BTnew) in the different scenarios (all BT and all BTnew);

• Number of pieces uploaded by the single client during the download process;

• Empirical Cumulative Distribution Function (ECDF or CDF) of the download time of all peers.

For the BTyr case, we also characterise the uplink capacities of the peers unchoked over time. Note that when we focus on a single client, we compare the performance of one peer using BTyr, BT or BTnew clients in the same simulation conditions.

We analyse torrents of 350 peers where one initial seed distributes a file of 50 MB. We select this file size since the gain of a strategic client is mainly concentrated at the beginning of the distribution process (as shown in the analysis in Sect. 3.5), thus BTyr should benefit more from short torrents than from larger ones. Peers randomly start to download the content within a small interval of time (10 sec.) and stay as seeds in the system once they finish downloading the content. For each scenario, we perform 10 simulation runs, generating different random arrival patterns, where peers have different bandwidths, randomly selected from the bandwidth distribution. We estimate the mean download time, along with the confidence interval for a confidence level of 95%.

3.6.2 Impact of the Peer Set and Active Set Size

In this Section we build a baseline scenario in which a single, fully-fledged BTyr client operates in a torrent of BT or BTnew peers. We then artificially obstruct the greedy peer set construction of BTyr by limiting the frequency of requests to the tracker: the peer set size is then equal at most to 80 for every peer in the torrent.

Fig. 9(a) illustrates the download time of a single BT and BTyr client for different classes of uplink capacity in the baseline case. Similarly, Fig. 9(b) depicts the download time of a BTnew client versus a BTyr client. We observe that the performance gain of BTyr over BTnew dramatically drops as compared to the same setting when BT is used. This is due to the large number of active connections established by fast peers using BTnew. Their uplink capacity is over-carved, hence remote peers receive smaller download rates as compared to the original BT algorithm.

[Figure 9: two plots of download time (sec) against upload capacity (KB/s), each with curves labelled BitTyrant and BitTorrent. (a) BTyr with all BT; (b) BTyr with all BTnew.]

Figure 9: Mean download time of a single client with different bandwidths.

Figs. 10(a) and 10(b) show the download time for the same set of experiments shown above when the greedy peer set construction is obstructed. The results illustrate a significant performance loss of BTyr in a torrent of both BT and BTnew clients, indicating that the increased peer set size constitutes one of the main factors influencing download performance.

We note that, with BTnew clients, BTyr could completely lose all its benefits. BTyr not only uses a larger peer set size, but also a larger active set size, i.e. it maintains many active connections, giving a small fraction of bandwidth to each of them. Assuming that this policy provides a gain (we will show in Sect. 3.6.3 why it actually does), in an environment where other peers use the same approach – i.e. in a torrent with all BTnew clients – the benefits of maintaining many active connections should be limited. The results shown in Fig. 10(b) confirm this observation. As a further test, we have considered a single BTnew client that operates in a torrent of BT clients. Our experiments show that a single BTnew client achieves similar performance as BTyr (see Fig. 10(a)).

These results hint at the fact that the dynamic uplink bandwidth allocation algorithm adopted by BTyr appears to have little impact on performance. We further note that our simulation study proves to be necessary: piece availability plays a crucial role that could not be understood using a simplified theoretic formulation of the problem.

[Figure 10: two plots of download time (sec) against upload capacity (KB/s), each with curves labelled BitTyrant and BitTorrent. (a) BTyr with all BT; (b) BTyr with all BTnew.]

Figure 10: Mean download time of a single client with a constrained peer set.

3.6.3 Impact of Greedy Uplink Capacity Allocation

In the previous section we unveiled that the performance gain of BTyr is mainly due to the larger peer set and active set. While the effect of a larger peer set is well understood, we discuss here the advantage of a larger active set, along with the impact of the subtle uplink bandwidth allocation strategy of BTyr.

The rationale behind the BTyr design is to dynamically adapt both the uplink capacity dedicated to a remote unchoked peer and the number of active connections (i.e. unchoked peers) so as to maximise the probability of reciprocation. Our analysis showed that this technique can be exploited best during the initial stages of the download process, which however is characterised by low piece availability.

On the one hand, by opening a larger number of active connections, BTyr strives to maximise the chance of being reciprocated, with the knowledge that reciprocation will happen on a tit-for-tat basis due to the choke algorithm. On the other hand, since during the initial phase of the download process the lack of fresh pieces to serve could cause uplink capacity underutilisation, a larger active set size helps spreading available pieces to a large number of peers that would otherwise remain unserved. This increases the utilisation of the uplink capacity of both the BTyr peer and its neighbours. Interestingly, the greedy strategy adopted by BTyr actually has a hidden altruistic nature.

Fig. 11 depicts the ratio between the cumulative number of uploaded pieces over time by a single BTyr client with respect to the corresponding BT client. Especially during the early stages of content distribution, BTyr uploads up to 25 times (for a high bandwidth peer) the number of pieces uploaded by BT. During steady state, the total number of pieces uploaded for BTyr and BT converges.

The unexpected altruism of BTyr has a beneficial effect on all peers involved in the distribution process. In Fig. 12, we show the cumulative distribution function (CDF) of the download times of all peers in the system. Results indicate that, when even only one fast peer (with high bandwidth equal to 5000 KB/s) adopts BTyr instead of BT, there is a positive impact on the performance of all the other peers. We also note that similar observations can be made when introducing one BTnew client.

The results obtained in this Section hint toward an important direction of future research, that is the study of dynamic uplink allocation algorithms, where the number of active connections is not an empirically set parameter as done in BT. However, we show next that the apparently attractive uplink allocation strategy of BTyr cannot readily be used by all peers in a system.

[Figure 11: plot of the cumulative mean number of uploaded pieces against time (sec), with curves for bw: 10000, bw: 5000, bw: 1000 and bw: 80.]

Figure 11: Time series of the ratio between cumulative uploaded pieces by BTyr and BT.

[Figure 12: plot of the CDF against time (sec), with curves labelled "All BitTorrent + one fast BitTyrant" and "All BitTorrent".]

Figure 12: CDF of download times with or without a single standard BTyr client with bandwidth 5000 KB/s.

3.7 The Multiple Clients Case

The results presented in the previous section indicate the potential performance improvement of a greedy client such as BTyr, and its counter-intuitive positive impact on a torrent. The authors of [57] make the point that there are reasons to assume an increasing popularity of BTyr and present some initial results for the case of a torrent of all BTyr clients. They argue that a wide-spread adoption of BTyr may have a negative impact on global system performance. To cope with this problem, [57] suggests the following fix: when peers establish a connection and perform the initial handshake, if they realise that they both are using BTyr, they should switch to a block based TFT strategy. There are however no hints toward any incentive compatibility of this approach: truthful revelation (revealing that a peer is using BTyr) may not be a dominant strategy.⁹

In this section we take a different perspective and progressively isolate the effects of the peculiar uplink allocation strategy of BTyr to understand exactly why system performance degrades when all peers use it. First, we analyse system performance when all clients are BTyr and they use a peer set size at most equal to 80. Note that this approach also reflects a recent trend of commonly deployed trackers that implement some sort of access control mechanism to limit the frequency of the requests from peers greedily trying to extend their peer set size.

Fig. 13 illustrates the CDF of the download times for a torrent of all BT, BTnew and BTyr clients: a glance at the median and worst case download times indicates that a large-scale adoption of BTyr can indeed jeopardise the content distribution process, even with a constrained peer set size. In contrast, the best performance is achieved by a torrent formed by BTnew clients only.

We now deepen our analysis and neglect the effect of piece availability in our simulations. We assume that each peer always has interesting pieces to serve, hence a peer's uplink capacity can always be fully utilised. This approach allows us to focus only on the exact values allocated by the BTyr choke algorithm to remote peers, rather than on the actual amount of data sent or received.

⁹ If peer i uses BTyr and lies it may be better off when facing an honest peer, or worse off if facing another liar. It is out of the scope of the work to analyse this simple game.


Figure 13: CDF of download times for BT, BTnew and BTyr. [Plot: x-axis Time (sec), y-axis CDF; curves "All BitTyrant", "All BitTorrent", "All New BitTorrent".]

Next, we show the uplink rate assigned by a peer to each neighbour, over time: for every peer $k$ in the system we maintain a matrix $E^{(k)}$ where the element $e^{(k)}_{ij}$ represents the rate assigned by peer $k$ to peer $i$ at choking interval $j$. Fig. 14 illustrates $E^{(k)}$ for a peer $k$ with 10000 KB/s uplink capacity. The value of the rate is visualised using shades of grey: the darker regions indicate higher rates. During the initial phase of the download process, peer $k$ allocates the same uplink rate to all its neighbours.¹⁰

The uplink capacity allocated by peer $k$ varies over time, and it is possible to observe two different trends: (i) some neighbours of peer $k$ are allocated less and less uplink bandwidth; (ii) other neighbours are assigned an increasing amount of bandwidth, which then degenerates into a periodic, on-off, phase.

We now focus on the latter case. The initial increasing trend can be explained as follows: on the one hand, peer $k$ has spare uplink capacity, thus it unchokes all its neighbours; on the other hand, its neighbours may have limited capacity, hence they choke peer $k$. As a consequence, peer $k$ (that follows the BTyr choke algorithm) increases the uplink capacity to remote peers to increase the probability of reciprocation. This behaviour is visible for the first 20-30 rounds. At this point, the rate allocated by peer $k$ to remote peers reaches a very high value. As a consequence, (i) peer $k$ starts choking some neighbours, since it does not have enough capacity for all of them; (ii) on the contrary, peer $k$'s neighbours start unchoking it. These two phases are interleaved and concur in creating the periodic behaviour.

A close look at Fig. 14 indicates that the periodicity is equal to three rounds.¹¹ This is a consequence of the probing period used by BTyr (and BT) to estimate the received/sent rate.

The instability we emphasise here clearly arises due to an implicit feedback loop that is created when two peers interact. However, the uplink allocation strategy of BTyr cannot handle this situation, which may appear in the case of a wide-spread adoption of this modified client. In the extreme case of a torrent composed of BTyr clients only, the whole content distribution process may be disrupted.

¹⁰ Note that, since the initial rate for each unchoked neighbour is 15 KB/s, peer $k$ unchokes all its neighbours; moreover, the total amount of assigned capacity is in any case lower than the available uplink capacity.

¹¹ Similar results are obtained for a peer $k$ with different uplink capacity.


Figure 14: Upload rate in the multiple clients case: snapshot for a fast BTyr client. [Plot: x-axis Round, y-axis Peer ID; grey scale from 0 KB/s to 200 and more.]

3.8 Conclusion and perspective for the CASCADAS project

Recent days have witnessed the development of new, greedy peer-to-peer clients aiming at decreasing content download times by leveraging subtle techniques to exploit generous clients. In this work we focused on BitTorrent networks and analysed two commonly deployed greedy techniques (implemented in BitTyrant), while we glossed over explicit misbehaviours such as pollution attacks. We showed that the BT protocol can be misused to gain an advantage over standard peers by building progressively larger peer sets; we noted however that it is straightforward to protect against such a greedy technique.

We then argued that further work on more sophisticated choke algorithms would constitute an important avenue for future research. Indeed, we showed that the greedy uplink allocation algorithm of BitTyrant has some unexpected positive implications on the content distribution process, especially during its bootstrap phase. However, our results indicated that this greedy algorithm could not be readily deployed in a setting in which multiple (if not only) greedy clients would coexist.

In this work we showed that greedy strategies can have dramatic impact on a distributed system offering content distribution services. In the context of the CASCADAS project, this has several implications: i) if we were to assume that ACEs could be deployed by different entities belonging to separate administrative domains with possibly conflicting goals, then we can assume that alternative algorithms will emerge and their impact on the global system behaviour could be non-negligible; ii) a large fraction of greedy components (such as ACEs) has a catastrophic effect on the system as a whole, but also on the same misbehaving entities that, if they were operating alone, would otherwise benefit from being greedy. What is the evolution that the system is going to undergo in such a scenario? We will address this issue in our future work through evolutionary game theory.

4 Game Theory for reputation

In the unmanaged and fully distributed CASCADAS system, incentive mechanisms are required to foster cooperation among ACEs who aggregate and exploit services to build complex functionalities. Cooperation upon previous successful experience (see Figure 15 (a)) is applicable if the same nodes interact frequently during their lifetime. However, such an approach proves to be ineffective as nodes sporadically meet. Another approach is based on indirect collaboration of nodes as shown in Figure 15 (b), which implies that collaboration can be established if the transactions are monitored and the result of this observation is shared among the nodes [55].

Figure 15: ACE A serves ACE B only if it has experienced a positive service in the past, i.e., direct reciprocity (a). ACE A serves ACE B to build its reputation so that in the future it can be served by ACE C, i.e., indirect reciprocity (b).

To foster cooperation, solutions based on service differentiation have been proposed: nodes that contribute more will get better services [33]. This solution leads directly to the adoption of reputation management schemes. Reputation can be used to give an estimation of the expected cooperation level of the nodes in the view of the community.

Reputation schemes rely on the definition of a heuristic or aggregation function that should capture the nodes' behaviour and enable malicious and selfish nodes to be excluded from the system.

In this section we investigate how building reputation is important for a node's future interactions or how a node values its reputation. Previous work assumes reputation as a metric to define cooperation strategy or to implement a differential service incentive scheme. This is not sufficient to explain why a node should increase its reputation value and to reason on the adoption of reputation management systems from the nodes' point of view.

If we consider rational nodes, in the sense that they strategize to increase their expected utility from the system, there is no clear understanding of the role of reputation in selecting a specific action/strategy. In most cases nodes want to cooperate to keep their trust value above a certain threshold that allows them to consume system resources and to provide as few resources as possible in exchange.

In this section, we analyse reputation management systems in the context of an autonomous peer to peer network envisioned in CASCADAS from an interdisciplinary perspective taking into consideration social and economic sciences. In our formalisation, we discuss the evolution of the CASCADAS system under the enforcement of a reputation management scheme. Herein, we concentrate on incentives and punishment and propose a trust economic model based on the Iterated Prisoner's Dilemma. We finally derive conclusions from the adoption of specific economic theories to model virtual communities of ACEs and discuss how cooperation can be enforced in these autonomous distributed systems formed by selfish ACEs.

4.1 Network model

We assume an autonomous peer to peer network formed by selfish and rational ACEs who want to maximise their own interests from participating in the system activities. Moreover, we assume that 1) the system population is composed of a fixed number of ACEs ($N$) with the same capabilities, 2) ACEs do not participate in a collusion and 3) the identities of the ACEs are fixed during the game. ACEs are defined to be rational and strategic: at each interaction they can choose the action, which will influence the outcome of the system. An action can be either cooperation or defection.


We identify two possible network models that are worth investigating for the applicability of reputation management systems in CASCADAS: (1) an interaction between ACEs is defined as a simultaneous exchange of services, i.e., the transaction is symmetric; (2) interactions can be asymmetric as ACEs have different roles (there is a node that requests a service via the GN message and a serving node that decides to satisfy the request by issuing the GA message).

We analyse the second model: the serving ACE has to decide on the service provision and the receiving ACE should decide whether to reward the action of the provider. This results in a non-cooperative game, as ACEs want to maximise their utility. The game is played in multiple stages and ACEs follow a strategy (set of actions). We further assume that the end of the game is not known to ACEs and, thus, it is supposed to run indefinitely and that ACEs will be present in the system for the whole duration of the game.

We assume a system where at each stage there is a resource request and requests are satisfied at the same rate during the evolution of the game. At the end of each period of time, the results of the interaction are made available to the system population and the utility functions of the ACEs are updated. The utility of an ACE depends on the resources or services it can access and the cost to provide or obtain them. Thus, it is a function of the actions that other ACEs in the system take.

A reputation value is associated with each ACE; this value is updated after every transaction to keep track of ACEs' behaviour and it is assumed to be common knowledge.

4.2 Definition of non-cooperative games

In this section we introduce key notions in non-cooperative games [29] and the formalism that will be used for the rest of the section. We restrict the analysis to games in strategic form and in particular we introduce the Prisoner's Dilemma game that is used to model the reputation system.

A game consists of a set of players $N = \{1, 2, \ldots, n\}$ and for each player $i \in N$ let $S_i$ be the set of possible actions. The deterministic choice of an action $s_i \in S_i$ is called a pure strategy for the player $i \in N$ while the vector $s = (s_1, \ldots, s_n) \in \times_{i \in N} S_i$ is the pure strategy profile or outcome of the game. $S = \times_{i \in N} S_i$ is defined as the space of all pure strategy profiles, i.e., the Cartesian product of the pure strategies of the players.

For any strategy profile $s \in S$ and player $i \in N$, the payoff of the player $i$, denoted as $\pi_i(s)$, is defined as a function of the strategy profile $s$. Let the collection of the payoffs of the players be denoted by the vector function $\pi = (\pi_i(s))_{i \in N}$. A strategic game is indicated by the triplet $G = (N, S, \pi)$.

In game theory we assume that the players are rational in the sense that they maximise their utility, which is defined by the payoff $\pi_i$, by selecting the best strategy against the strategies of the other players given by the deleted strategy profile $s_{-i} = (s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n)$ with $s_{-i} \in S_{-i}$. $S_{-i}$ is the space of all pure strategy profiles for all players $j \in N$ with $j \neq i$.

Definition 3 A strategy $s_i^* \in S_i$ is a best response for player $i \in N$ to the deleted strategy profile $s_{-i} \in S_{-i}$ iff $\pi_i(s_i^*, s_{-i}) \geq \pi_i(s_i, s_{-i}), \ \forall s_i \in S_i : s_i \neq s_i^*$.

Definition 4 A pure Nash Equilibrium is a strategy profile or outcome $s \in S$ iff $\forall i \in N$, $s_i$ is a best response of player $i$ to the deleted strategy profile $s_{-i}$. That is $\pi_i(s_i^*, s_{-i}) \geq \pi_i(s_i, s_{-i}), \ \forall i \in N, \ \forall s_i \in S_i : s_i^* \neq s_i$.

This definition states that, in a Nash equilibrium strategy, no player has incentives to deviate unilaterally from its best response strategy.

Thus, an important property of a system is characterised by the outcome that maximises players' payoff, i.e., in finding the Nash equilibrium. However, multiple Nash equilibria might exist in a game and players might have different payoffs in different Nash equilibria of the game.


Table 1: Generalised Form of the Prisoner's Dilemma game: payoff matrix. Temptation, Reward, Sucker, Punishment

| Serving \ Receiver | Cooperate | Defect |
|---|---|---|
| Cooperate | $(R_s, R_r)$ | $(S_s, T_r)$ |
| Defect | $(T_s, S_r)$ | $(P_s, P_r)$ |

The rules of the game are based on two basic assumptions: 1) players choose their own strategies optimally based on the beliefs they have on the other players' strategies; 2) the prediction of other players' strategies must be correct.

4.3 Prisoner’s dilemma

We model the CASCADAS autonomous system by using definitions and results based on the Prisoner's Dilemma [29,56]. In this game two ACEs decide simultaneously whether to cooperate or defect without knowing a priori the choice of the other player. If both cooperate, they receive a specific reward ($R$). If both defect, they receive a punishment ($P$). If one defects and the other cooperates, the player who defects will receive a larger reward, temptation ($T$), and the other will receive a larger punishment, the sucker's payoff ($S$).

Table 1 shows the strategic form of the game represented in a bi-matrix where the rows and the columns are the available strategies for the two players and each box specifies the payoff to each player, respectively for player (S)erving and (R)eceiving, when the strategy profile corresponding to that cell is played.

The Prisoner's Dilemma is a non-cooperative and simultaneous game where in its generalised form the payoffs are not identical for the players. To create the dilemma, mutual cooperation must provide higher payoff than other strategies and defection should be the dominant strategy. Therefore, the following conditions must hold:

$$T > R > P > S \qquad (4)$$

$$R_s + R_r > P_s + P_r \qquad (5)$$

In the single stage game, the best choice for the players is to defect, i.e., (Defect, Defect), as it is always the best response to the opponent strategy [29]. More interesting is the iterated version of the game where nodes play against each other repeatedly and track the history of the game. In this setting, nodes can be punished for their defection in past interactions.

In the iterated version of the game, the payoffs of the players are computed by summing the single stage payoff over all the stages played. However, to maintain the dilemma in the iterated version, the following inequalities must also be valid:

$$R_s + R_r > S_s + T_r \quad \text{and} \quad R_s + R_r > T_s + S_r \qquad (6)$$

Conditions (6) state that alternation between defection and cooperation, i.e., nodes take the action (Defect, Cooperate) and (Cooperate, Defect) in subsequent transactions, does not give higher payoff than mutual cooperation, i.e., always (Cooperate, Cooperate).

However, in the finite iterated version of the game, rational players defect for their last move as it has higher payoff. But if the game is iterated infinitely (it is sufficient to assume that nodes do not know when the game ends) cooperation results in a Nash equilibrium of the game, i.e., where no player has incentives to deviate unilaterally from its best response strategy.


4.4 The reputation game

This section describes the reputation game which is based on the Iterated Prisoner's Dilemma. At each stage of the game two ACEs, picked at random, are considered for the game: one ACE is acting as the resource provider and the other as the resource consumer. Their roles in the system are interchangeable, i.e., an ACE who is service provider at time $t_i$ might be service receiver at time $t_j$. In our model, we use the general term resource as it can represent a file in the case of content distribution networks, a request to cache a file in distributed caching systems, a job execution request and so on.

The two available actions are collaborate (provide the service) or defect (ignore the request) for the serving ACE and collaborate (reward) or defect (do not reward) for the receiving ACE. We are interested in showing how the decisions affect ACEs' utility and reputation values in the long run of the game.

4.4.1 Introducing reputation in the game

First we define the role of reputation in the game. A provider ACE pays a cost for providing the service, but this cost is compensated by the increase in its reputation $I$ and by the reward obtained from the receiving ACE. A receiver pays for the requested service but it increases its reputation value as a result of fulfilling its commitment.

After each transaction, the reputation value is updated, based on the reputation calculated at the previous stage and on the outcome of the single stage game. The updating function is defined as follows:

$$I_{t+1} = \begin{cases} 0, & \text{if } t = 0 \\ I_t \cdot (1 - \alpha) + v \cdot \alpha, & \text{if } t > 0 \end{cases} \qquad (7)$$

with $0 \leq \alpha \leq 1$ and $v \in \{0, 1\}$, thus, $0 \leq I_t \leq 1$.

This means that if an ACE cooperates, it will increase its reputation by a factor determined by the constant $\alpha$, which models the importance of the new interaction for the computation of the reputation, and $v$, a binary parameter that indicates if cooperation has taken place. $\alpha$ is a system parameter and depends on network conditions. If transactions are infrequent, a low value of $\alpha$ is desirable whereas when transactions are frequent, a high value is desirable. ACEs with high reputation values are considered trustworthy in the system.

4.5 The reputation model

The reputation game evolves as follows, where steps 2.a and 2.b are simultaneous:

1) The requesting ACE identified as $N_r$ has an associated reputation value $I_r$. It sends a request for a specific service (Goal Needed request) to other ACEs in the system by offering a reward $B$. The selection of the service provider is done by selecting the server with the highest reputation $I_s$.

2.a) The serving ACE $N_s$ has two possible actions: 1) cooperate and send the service (reply with a Goal Achievable) or 2) defect and ignore the request.

2.b) The receiving ACE $N_r$ has also two possible actions: 1) cooperate and send the promised reward or 2) defect and fail to meet the commitment.

3) The single stage game ends and the ACEs update their utility functions and reputation values.

The dilemma for $N_s$ consists of deciding to:

a) afford the cost of serving the request and behave correctly, thereby obtaining the reward $R_s$ if $N_r$ cooperates or the punishment $S_s$ if $N_r$ defects or;


b) ignore the request obtaining the reward $T_s$ without having sent the file if $N_r$ fulfils its commitment or the punishment $P_s$ if $N_r$ defects as well (see Table 1).

$N_r$ has to face a similar dilemma but with different payoffs.

The payoffs for a generic serving ACE $N_s$ and requesting ACE $N_r$ at a specific iteration of the game $t$ are given by eq. (8) and eq. (9).

$$\pi_s^{t+1} = \begin{cases} -C + B - C_p(I_r) + f(I_s^t), & R_s \\ -C - C_p + f(I_s^t), & S_s \\ B + f(I_s^t), & T_s \\ f(I_s^t), & P_s \end{cases} \qquad (8)$$

$$\pi_r^{t+1} = \begin{cases} -B + S + g(I_r^t), & R_r \\ -B + g(I_r^t), & S_r \\ S + g(I_r^t), & T_r \\ g(I_r^t), & P_r \end{cases} \qquad (9)$$

where $C$ is the cost for providing the service, $B$ is the reward for serving ACEs and $S$ is the value of a service for the requesting ACE. $C_p(I_r) = B/(1 + e^{5 I_r})$ is the punishment factor and $f(I_s^t) = B \cdot [I_s \cdot (1 - \alpha) + \alpha \cdot v]$ and $g(I_r^t) = S \cdot [I_r \cdot (1 - \alpha) + \alpha \cdot v]$ are the benefit for the ACEs in terms of future payments based on their level of cooperation, respectively for the serving and receiver ACE (refer to (7) for the update function of the reputation). The punishment factor $C_p(I_r)$ is inserted to reduce the payoff of serving ACEs when providing services to untrustworthy ACEs. To provide incentives for cooperation to the ACEs, we must have that $(B - C) > 0$, $(S - B) > 0$.

The game is a Prisoner's Dilemma if the conditions introduced in Sec. 4.3 hold. From condition (4) we can derive for $N_s$ that $f(I_s)_{def} > f(I_s)_{coop} - C_p(I_r) - C$ and $B > C + C_p(I_r)$. This means that the benefit in serving must compensate the direct cost and the cost derived from the punishment of serving less trustworthy ACEs.

Hence, the lower the reputation $I_r$, the greater is the punishment that $N_s$ will receive, thus, it is more tempted to defect. For the requesting node $N_r$, it is sufficient to have that $g(I_r)_{def} + B > g(I_r)_{coop}$ as we have assumed $(S - B) > 0$.

The dilemma is kept in the iterated version of the game (6) if $S > C + C_p(I_r)$ as we assume the utility, derived from future payments, to be greater in case of cooperation.
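The stage payoffs of eqs. (8) and (9) and conditions (4) to (6) can be checked numerically. The following Python sketch is an added example, not code from the report: it uses the values B = 15, C = 5, S = 25 from Table 2, assumes that v in f and g is the ACE's own action in the current stage, and its function names are hypothetical.

```python
import math

# Table 2 values: reward B, service cost C, service value S.
B, C, S = 15.0, 5.0, 25.0


def update(rep, alpha, v):
    """Eq. (7) for t > 0: v = 1 if the ACE cooperated, 0 if it defected."""
    return rep * (1 - alpha) + v * alpha


def punishment(rep_r):
    """Cp(Ir) = B / (1 + e^(5*Ir)): extra cost of serving a low-reputation ACE."""
    return B / (1 + math.exp(5 * rep_r))


def stage_payoffs(rep_s, rep_r, alpha, serve, reward):
    """Return (pi_s, pi_r) for one stage, following eqs. (8) and (9).

    Assumption: v in f() and g() is the ACE's own action in this stage.
    """
    f = B * update(rep_s, alpha, 1 if serve else 0)
    g = S * update(rep_r, alpha, 1 if reward else 0)
    serving_cost = (C + punishment(rep_r)) if serve else 0.0
    pi_s = f + (B if reward else 0.0) - serving_cost
    pi_r = g + (S if serve else 0.0) - (B if reward else 0.0)
    return pi_s, pi_r


def is_dilemma(rep_s, rep_r, alpha):
    """True when conditions (4), (5) and (6) all hold for both roles."""
    Rs, Rr = stage_payoffs(rep_s, rep_r, alpha, True, True)
    Ss, Tr = stage_payoffs(rep_s, rep_r, alpha, True, False)
    Ts, Sr = stage_payoffs(rep_s, rep_r, alpha, False, True)
    Ps, Pr = stage_payoffs(rep_s, rep_r, alpha, False, False)
    ordering = Ts > Rs > Ps > Ss and Tr > Rr > Pr > Sr          # condition (4)
    joint = Rs + Rr > Ps + Pr                                   # condition (5)
    # Condition (6): neither off-diagonal cell of Table 1 beats mutual cooperation.
    no_alternation = Rs + Rr > Ss + Tr and Rs + Rr > Ts + Sr
    return ordering and joint and no_alternation


def dilemma_region(alpha, rep_s=0.5, steps=10):
    """Requester reputations Ir on a grid over [0, 1] for which the dilemma holds."""
    grid = [k / steps for k in range(steps + 1)]
    return [ir for ir in grid if is_dilemma(rep_s, ir, alpha)]


if __name__ == "__main__":
    for alpha in (0.01, 0.1, 0.2, 0.3, 0.4):
        print(f"alpha={alpha}: dilemma holds for Ir in {dilemma_region(alpha)}")
```

Under these assumptions the ordering for the serving ACE reduces to B·α < C + Cp(Ir), the first inequality derived above for Ns, so the result does not depend on Is and the grid shows for which requester reputations a given α keeps the game a Prisoner's Dilemma.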

4.5.1 Nash equilibrium for the reputation game

In this section we demonstrate the effectiveness of the reputation game and we show how Nash equilibrium is obtained by analysing the impact of actions at each stage on the reputation value. We use a modified version of the ROCQ [23] reputation management system on top of a peer to peer network to simulate nodes' interactions. The parameters' settings and decision metrics that we use to evaluate the results, obtained from the simulations, are summarised in Table 2 and they are defined in accordance with the conditions of the Iterated Prisoner's Dilemma, introduced in Sec. 4.3.

In the repeated game strategy, reputation is sufficient to sustain cooperation in the system if the players are patient. Let us consider the repeated game with a trigger strategy where the serving node $N_s$ and the receiving node $N_r$ cooperate for $t$ transactions and at transaction $t + 1$ the provider node $N_s$ unilaterally defects triggering an open loop for $N_r$ to defect in subsequent interactions. After transaction $t + 1$, the best response for $N_s$ is to defect. The curves in Fig. 16 show when the payoff resulting from this action is equal to the payoff earned from cooperating all the time. This is summarised in eq. (10) that indicates after how many interactions $x$, with $x$ defined after transaction $t$, always cooperate is the best strategy with respect to the entering reputation value $I_s(t = 0)$.

$$I_s(t = 0) \leq \frac{10x + 15(2 - \alpha)[(1 - \alpha)^t - 1] - 15(1 - \alpha)^x + 15/\left(1 + e^{5 \cdot \{(1 - \alpha)^t [I_r(t = 0) - 1] + 1\}}\right)}{25(2 - \alpha)(1 - \alpha)^t} \qquad (10)$$


Figure 16: Nash Equilibrium for the reputation game: the defecting player has greater payoff from always cooperation ($\pi = \sum R_i$) rather than cooperation defection ($\pi = \sum^{t} R_i + T_{t+1} + \sum_{t+2} P_i$); this is represented by the points below the curves when $t = 10$ is the last cooperative interaction. The Nash Equilibrium depends on the reputation value at the beginning of the game. [Plot: x-axis Iterations after defection (t to t+6), y-axis Entering reputation value; curves alpha 0.01, alpha 0.1, alpha 0.2, alpha 0.3, alpha 0.4.]

Table 2: Parameters' setting

| Parameter | Value | Parameter | Value |
|---|---|---|---|
| Number of Nodes | 1,000 | Network Topology | random |
| Initial transactions | 1,000 | Number of iterations | 9,000 |
| Experiments run | 5 | Service value [S] | 25 |
| Benefit [B] | 15 | Cost [C] | 5 |

The plot in Fig. 16 shows that the defecting player has no incentive for being uncooperative at transaction $t+1$ as the Temptation reward obtained for this interaction is not sufficient to compensate the loss due to future Punishment rewards.

For different choices of the parameter $\alpha$ (used to calculate the reputation value, refer to eq. (7) for the updating function) and for the initial reputation value $I_s(t = 0)$, that the defecting ACE $N_s$ had at the beginning of the game, it is more advantageous to cooperate when $I_s(t = 0)$ is below the curves (defined by eq. (10)) as it is the case after 5 interactions (transaction $(t + 6)$), for all considered values of $\alpha$.

Fig. 17 shows that the incentive for being cooperative increases as the number of transactions before defection increases. In particular, when $\alpha$ is small, a player has a slight benefit by defecting just after entering the game, plot (a). For higher values of $\alpha$, plot (b), the reputation value of the player drops to a value that does not allow the node to access services in 3 transactions after defection.

Thus, we have established that if ACEs are sufficiently patient, i.e., they do not maximise immediately their payoff by defecting but they value more future payments, cooperation is a Nash equilibrium for the reputation repeated game. Thus, they need to cooperate for few transactions at the beginning of the game to build their reputation inside the community, to benefit from their participation. The same result can be derived for the receiver as defecting node.

4.6 Experimental results

In our experiments we use the parameters listed in Table 2 and we run 1,000 initial transactions to bootstrap the reputation management system. In each stage, two ACEs are selected randomly, which can act either as service provider or as service receiver. We follow the strategies defined in Table 3 for the game and ACEs follow the same strategy in each experiment.

Figure 17: Definition of the regions that define when it is more convenient for ACEs to always cooperate rather than cooperation defection for different values of $t$, i.e., the first defecting transaction, with $\alpha = 0.1$ (a) and $\alpha = 0.2$ (b). [Plots (a) and (b): x-axis Iterations after defection (t to t+6), y-axis Entering reputation value; curves t = 5, t = 10, t = 20, t = 50.]

Table 3: Strategies available to players

| Strategy | Description |
|---|---|
| Average | A node decides for cooperation if the opponent reputation value is greater than the average reputation. |
| Adaptive | A node considers its reputation value, the correspondent reputation value and the average reputation in the system to decide for cooperation or defection. |
| Relative | A node cooperates if its reputation value is below the correspondent reputation value. |
| Discriminant | A node decides for cooperation if the correspondent reputation value is above a fixed threshold (if not specified the threshold is set to 0.5). |
| Random | A node decides randomly whether to cooperate (this is the only strategy that is not based on reputation). |

Fig. 18 shows the impact of the different strategies in terms of fraction of cooperative interactions. A cooperative transaction is defined as an interaction when both players are cooperative. In this case, the discriminant strategy gives better results compared to the others, but this strategy heavily depends on the threshold for the reputation value chosen to differentiate between cooperation and defection.

Fig. 19 also shows that the discriminant strategy performs better as it increases the average reputation value when it is above the fixed threshold. An interesting property is associated with the average and adaptive strategies as they maintain a constant average trust level (see Fig. 19) and constant fraction of cooperative transactions in the system (see Fig. 18). The explanation of this behaviour is associated with the definition of the strategies as they choose cooperation or defection to maintain stable the reputation value.

Fig. 20 shows the distribution of reputation values in the system. The plots show that the adaptive and average strategies tend to aggregate the reputation values of the ACEs close to 0.5, as anticipated above. For the case of the average strategy, the threshold used to decide for cooperation or defection is the average trust value in the system. Thus, ACEs choose cooperation and defection alternatively to keep their reputation value close to the average. The discriminant strategy with a low threshold 0.3 shows a behaviour that can be assimilated to always cooperate. The effectiveness of all strategies depends on the reputation value of the nodes after bootstrapping the reputation management system.


[Figure 18 plot: y-axis "Cooperative / Total Transactions" (0 to 1), x-axis "Iterations" (0 to 9000); curves: average, adaptive, relative, dis. 0.3, dis. 0.5, dis. 0.7, random.]

Figure 18: Number of cooperative transactions (both provider and receiver cooperate) for the available strategies.

[Figure 19 plot: y-axis "Average Trust Value" (0 to 1), x-axis "Iterations" (0 to 9000); curves: average, adaptive, relative, dis. 0.3, dis. 0.5, dis. 0.7, random.]

Figure 19: Average reputation value in the system for the available strategies.

[Figure 20 plot: y-axis "(PDF) Reputation" (0 to 0.25), x-axis "Reputation Value" (0 to 1); curves: dis 0.3, dis 0.5, dis 0.7, dis 0.9, average, adaptive.]

Figure 20: Probability Distribution Function (PDF) of reputation values in the system with respect to different strategies.

[Figure 21 plot: y-axis "Average Trust Value" (0 to 1), x-axis "Iterations" (0 to 9000); curves: average, adaptive, dis. 0.3, dis. 0.5 and dis. 0.7, each for bootstrap probabilities 0.7 and 0.3.]

Figure 21: Average reputation value considering different conditions of the system at the bootstrap. Initial training transactions are cooperative with a probability of 0.7 or 0.3.

Fig. 21 shows the impact of the initial reputation value I(t = 0) after the bootstrap of the reputation management system. Fig. 21 plots the average reputation values in the system for an initial value close to 0.7 and 0.3. As expected, the discriminant strategy depends on the threshold that an ACE chooses to decide whether to cooperate or defect. It is worth noticing that cooperation is not propagated in the system if the threshold is above the initial reputation value.

An interesting property is associated with the adaptive and average strategies as they work to bring the system to a stable operating point that has the average reputation value close to 0.5.

Fig. 22 plots the difference of the reputation values of the nodes involved in a transaction. We ran the simulation for 200,000 interactions to study if the reputation values of the nodes converge to the same value. The plots for the discriminant strategy (a) and the adaptive strategy (c) show that nodes tend to interact with nodes that have similar reputation values. As we have assumed that the nodes follow the same strategy in a simulation, we can derive conclusions on the convergence of the system to a stable point for the nodes’ reputation.

In Fig. 20, it is shown that ACEs tend to have a reputation value close to 0.5 for the adaptive strategy. Thus, the nodes’ strategy is to have a reputation value close to the mean value; for this reason we call this strategy adaptive. On the contrary, the discriminant strategy fosters cooperation in the system, as the average reputation value increases in Fig. 19, and the reputation values are close to 1 in Fig. 20.

Thus, we can conclude from plot (a) in Fig. 22 that this strategy tends to aggregate the nodes to


[Figure 22 plots: y-axis "Reputation Difference", x-axis "Iterations" (0 to 180000); panels: (a) Discriminant strategy - thr = 0.5, (b) Random strategy, (c) Adaptive strategy, (d) Average strategy.]

Figure 22: Difference between the reputation values of the peers involved in the transaction.

similar reputation value and it is a good solution to combat the problem of free-riders in autonomic communication systems if there are no malicious nodes and the initial reputation value is sufficient to foster cooperation in the beginning.

ACEs that select the random and the average strategies do not converge to a stable reputation value, i.e., a consistent behaviour in the system. They tend to alternate cooperation and defection without giving any guarantee to the correspondent party, which cannot predict the next action with accuracy.

4.7 Impact of defecting nodes

In this section, we analyse the impact of defecting ACEs on the strategies discussed in previous sections. We define two classes of defecting ACEs to model free-riders and completely uncooperative nodes which prefer not to be involved in any transaction. Free-riders cooperate when they request services, but they deny access to resources when they receive a request. They are not interested in increasing their reputation value, but only in accessing the wanted resource and fulfilling the obligation with the service provider. Uncooperative ACEs deny the access to resources and they do not pay back the service to the provider.

Fig. 23 shows the fraction of cooperative transactions when the fraction of free-riders (plots (a) and (d)) and uncooperative ACEs (plots (b) and (e)) is 10% and 30%. A small percentage of free-riders (a) does not degrade the performance of the reputation system as their partial uncooperative behaviour is compensated by trustworthy ACEs. They actively participate in transactions when they are receivers, which also counts for the total number of cooperative transactions. If we increase the percentage of ACEs (d) that are only interested in receiving resources, the fraction of cooperative transactions decreases as there are fewer nodes that are willing to contribute resources.

The impact of uncooperative ACEs reduces significantly the number of cooperative transactions as any attempt to interact with these nodes is useless. Only the adaptive and the average strategies are


[Figure 23 plots: columns "Provider Defection" and "Provider and Receiver Defection"; y-axis "Cooperative / Total Transactions" (0 to 1), x-axis "Iterations" (0 to 50000); panels: (a) 10% defecting nodes, (b) 10% defecting nodes, (d) 30% defecting nodes, (e) 30% defecting nodes; curves: average, adaptive, relative, dis. 0.3, dis. 0.5, dis. 0.7, random.]

Figure 23: Fraction of cooperative transactions (both provider and receiver cooperate) for the available strategies.

able to operate well in these settings (plot (e) in Fig. 23), as the decision for cooperation or defection is based on the average reputation value.

Our hypothesis is confirmed by Fig. 24, as the average reputation value tends to be close to 0.5. This value implies high uncertainty for the evaluation of ACEs’ behaviour and introduces a higher risk in transactions. This risk is given by the fact that ACEs are not able to determine if the correspondent party is a free-rider or an uncooperative ACE.

The lack of accuracy for the prediction of the reputation value is more evident in Fig. 24. In this figure, we plot the probability distribution of the reputation values for ACEs in the system. In an ideal situation, two classes of ACEs should be present in the system: cooperative ACEs, with high reputation values, and uncooperative ACEs, with low reputation values. This is not our case as reputation values are almost uniformly distributed except for the threshold strategy, plots (b) and (d) in Fig. 24. This is the result of the behaviour of defecting ACEs that bias the strategies’ performance of cooperative ACEs.

Plots (a) and (d) of Fig. 24 show the presence of a group of ACEs that have similar reputation values for the discriminant strategy. The reason behind this behaviour is that free-riders cooperate when they are service receivers; thus, they increase their reputation value. However, their cooperation is only in one direction and this causes the system to lower their reputation since they are not rated as trustworthy nodes. If we increase the fraction of free-riders, the distribution of reputation values shows that a high fraction of nodes has a reputation value between 0.4 and 0.6. This is true for all strategies plotted in Fig. 24 except for the discriminant strategy with thresholds of 0.3 and 0.7.

This behaviour is a consequence of the amount of risk ACEs put in their interactions. For a discriminant strategy with threshold 0.3, ACEs are willing to take a higher risk in their transactions and this risk is compensated by a greater number of cooperative transactions, see Fig. 23, which reflects the high


[Figure 24 plots: columns "Provider Defection" and "Provider and Receiver Defection"; y-axis "(PDF) Reputation" (0 to 0.5), x-axis "Reputation Value" (0 to 1); panels: (a) 10% defecting nodes, (b) 10% defecting nodes, (c) 30% defecting nodes, (d) 30% defecting nodes; curves: dis 0.3, dis 0.5, dis 0.7, average, adaptive.]

Figure 24: Probability Distribution Function (PDF) of the reputation values of the nodes in the system with respect to different strategies.

reputation value of the nodes. On the contrary, ACEs that choose a threshold of 0.7 do not want to risk their transactions and prefer to defect if they are not sure about the outcome.

5 Autonomic Protection Against DoS

A key feature required by future networks of ACEs is the ability to autonomically protect against security attacks. Distributed denial-of-service attacks are perhaps the most difficult kind of attack to deal with because they hide under the cover of valid user traffic from compromised, but authorised and authenticated users and computers. We focus our study on this particular type of attack and develop feasible protection mechanisms involving both detection and response. We have investigated a generic DoS detection scheme which uses multiple Bayesian classifiers and the biologically inspired Random Neural Network. We have considered two possible response mechanisms that ACEs may implement. The first allows ACEs to self-protect by filtering unwanted traffic once detected and it is applicable to cases when DoS attacks happen within the ACE communication domain. The second case exploits service migration (self-configuration) to allow critical services to evade malicious flows. We investigated the latter case on a use case based on the system of distributed auctions as being developed by WP6.


5.1 Detection

5.1.1 Multiple Bayesian Classifiers in DoS Detection

The Bayesian Decision theory is a major pattern recognition technique based on a probabilistic description of the underlying features of a problem. It aims to minimise the risks encountered by the decision taking process by evaluating the various tradeoffs between decisions. For a classification problem of two categories ($w_1$ and $w_2$), the use of Bayesian classifiers entails evaluating the likelihood ratio, which is the ratio of the probability density functions $\Delta(x) = \frac{f(x|w_1)}{f(x|w_2)}$, for the measured value $x$ of the observation variable, and comparing it with a threshold $T$. Then, $x$ is assigned to category $w_1$ if $\Delta(x) > T$; otherwise it is assigned to category $w_2$. The task of DoS detection can be considered as a two-category classification problem, where $w_1$ corresponds to normal network condition and $w_2$ to existence of DoS attack. We have used multiple Bayesian classifiers to take individual decisions for the monitored features of the traffic and combined them with an information fusion phase to detect DoS attacks on the incoming traffic.

1. Selecting Input Features

The selection of useful and information bearing input features is vital for a successful detection of DoS. Since DoS attacks aim at overwhelming the networking or processing capacity of the victim’s system, the detection method should not further aggravate the situation by consuming too many resources. Thus, we chose the following statistical features, which represent both the instantaneous and long-term behaviour of the incoming traffic and are easy to measure:

• Bitrate. An unusually high value of incoming bitrate is the most conspicuous property of flooding DoS attack. Although it is a very strong, if not the strongest indication of DoS, a similar condition is observed during flash crowds, when for some legitimate reason interest for a network resource increases dramatically. Due to its simplicity, the bitrate measurement and similar measurements such as the number of packets per flow are often used in detection mechanisms.

• Increase in Bitrate. Depending on its type, a DoS attack typically demonstrates sudden and sustained increases in the rate of the incoming traffic. For example, flooding attacks start with a long period of increasing bitrate, while in pulsing attacks, the incoming traffic undergoes consecutive periods of increasing and decreasing bitrate.

• Entropy. The entropy is a measure of randomness or uncertainty of information. It has been reported in technical literature that the entropy of normal internet traffic and traffic under DoS attack differ significantly. In our work, we compute the entropy of the incoming bitrate at the nodes we monitor, $E = -\sum_i f_i \log f_i$, where $f_i$ correspond to the histogram obtained for the bitrate. This would yield a higher value when the probability distribution expands over a wider range of values, indicating an increase in uncertainty.

• Hurst Parameter. The self-similarity properties of normal and attack traffic are distinctively different. Since the Hurst parameter is an indicator of the self similarity of traffic, it can be used in DoS detection. In our approach we compute the actual value of the Hurst parameter for the incoming bitrate, for which we have used the (R/S) analysis.

• Delay. Although a DoS attack is also expected to increase the packet delays as congestion builds up, to our knowledge it has not been used as an attack indicator. For the fastest and least invasive way to detect changes in the delays, the node we monitor sends constantly a small number of packets to all its direct neighbours. By measuring the average round trip time (RTT) for the acknowledgments to return, we have a clear indication of the congestion near the node.


• Delay Rate. As with bitrate, depending on the type of the attack and for its whole duration, the packet delays are expected to undergo significant changes. Although we are not aware of an existing work using the change of the delay as a detection feature, we consider it as a natural next step.

2. Offline Statistical Information Gathering

The statistical information gathering phase in our detection scheme consists of two steps: We first obtain the probability density function (pdf) values for normal and attack traffic and then evaluate the likelihood ratios. This information is collected offline at each victim candidate of the network, from available traffic data, known to belong to normal or DoS traffic. For each of the input features of Section II-A, estimates of probability density functions for both normal and attack traffic are obtained. We have to compute $f_{feature}(x|w_N)$ and $f_{feature}(x|w_A)$, where feature could represent bitrate, bit acceleration, entropy, Hurst parameter, delay or delay rate, $x$ is the measured value of the feature from the available traffic data, $w_N$ denotes the normal traffic and $w_A$ the attack traffic. We have used the histogram method to calculate the estimates of the probability density functions. With this method the range of observable values for a variable is divided into a number of intervals. Then, for each interval, we compute the ratio of the number of data points that fall into it to the total number of data points available. After obtaining the probability density function estimates for each input for both traffic types, we compute the likelihood ratios $l_{feature}$ for each feature: $\frac{f_{feature}(x|w_A)}{f_{feature}(x|w_N)}$, which will then be used for the detection decision. Actual values and likelihood ratios of the features are also used for training a RNN.

3. Detection Decision

We have designed the following four implementations of the decision taking process:

• Average likelihood estimation: The actual values of the input features of section II-A are measured in real-time at each of the DoS victim candidates that we monitor. For each feature, a likelihood ratio is obtained by resorting to the likelihood functions computed in II-B. The information collected from all of these features must be aggregated in a higher level decision making step where a compensation is provided for possible errors, so that a low level of false alarms and missed detections are observed at the final decision. The first approach we pursue to combine individual features is to compute the likelihood of the existence of a DoS attack by averaging the likelihood of attack for each feature:

$$l_{final} = \frac{l_{bit} + l_{acc} + l_{entr} + l_{Hurst} + l_{delay} + l_{delrate}}{\text{total number of features}}$$

$l_{final}$ has a value between 0 and 1. The decision on whether the incoming traffic is normal or DoS is then taken by comparing this value to a specified threshold, which may or may not be dependent on the impact that the DoS attack is expected to have on the victim.

• RNN with likelihood values: the computed likelihoods are used as input to a Random Neural Network (RNN). We have used a feed-forward RNN structure with six inputs, twelve neurons in one hidden layer and two outputs. The inputs receive the values of the likelihood ratios for the six input features and the output nodes correspond to normal and attack traffic.

In the RNN, neurons exchange positive and negative impulse signals, which represent excitation and inhibition respectively. Neurons accumulate signals as they arrive and positive signals are cancelled by negative signals. Neurons may fire if their potential is positive, to send signals either to other neurons or outside the network. In a RNN, a signal may leave neuron $i$ for neuron $j$ as a positive signal with probability $p^+(i,j)$, as a negative signal with probability


$p^-(i,j)$, or may depart from the network with probability $d(i)$, where $p(i,j) = p^+(i,j) + p^-(i,j)$ and $\sum_j p(i,j) + d(i) = 1$. Positive and negative weights are computed with:

$$w^+(j,i) = r(i)\,p^+(i,j) \geq 0$$

$$w^-(j,i) = r(i)\,p^-(i,j) \geq 0$$

where $r(i)$ is the firing rate. The potential for neuron $i$ is $q_i = N(i)/D(i)$, where

$$N(i) = \sum_j q_j\,w^+(j,i) + \Delta(i)$$

$$D(i) = r(i) + \sum_j q_j\,w^-(j,i) + \delta(i)$$

with $\Delta(i)$ and $\delta(i)$ denoting the external inputs into neuron $i$. The firing rate $r(i)$ is then computed as the sum: $r(i) = \sum_j \left[ w^+(i,j) + w^-(i,j) \right]$.

• RNN with histogram categories: To observe the performance of the RNN when actual values of features were presented, we carried out another implementation of RNN where we used the histogram values of each of the features as inputs. The advantage of using histogram values instead of actual values is to achieve better learning performance for the RNN since the range of values that it has to learn is quantised.

• RNN with actual values: For the sake of comparison we have also implemented the detection mechanism consisting only of the RNN module and using as input the raw values for the six input features that we measured during the experiments.
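The offline histogram step and the average likelihood decision described above, as an added Python example that is not code from the deliverable. The training values are constructed, only three of the six features are used, and mapping each ratio to f_A/(f_A + f_N) so that the average stays between 0 and 1 is an assumption of this example.

```python
# Added example (not from the deliverable): per-feature histogram classifiers
# fused by averaging. All training values are constructed for illustration.

BINS = 8  # number of equal-width histogram intervals per feature (assumption)

# Constructed labelled measurements for three of the six features.
TRAINING = {
    "bitrate": {  # Mbit/s
        "normal": [90, 95, 100, 105, 110, 98, 102, 97, 103, 99],
        "attack": [150, 200, 250, 300, 180, 220, 260, 240, 105, 280],
    },
    "bitrate_increase": {  # Mbit/s per measurement interval
        "normal": [-5, 3, 0, 2, -2, 1, -1, 4, -3, 0],
        "attack": [20, 40, 50, 30, 45, 35, 2, 25, 60, 55],
    },
    "delay": {  # average RTT to direct neighbours, ms
        "normal": [10, 12, 11, 9, 13, 10, 11, 12, 10, 11],
        "attack": [40, 80, 60, 100, 12, 70, 90, 50, 65, 75],
    },
}


def bin_index(x, lo, hi, bins=BINS):
    """Map a measured value to its interval, clamping out-of-range values."""
    if x <= lo:
        return 0
    if x >= hi:
        return bins - 1
    return int((x - lo) / (hi - lo) * bins)


def histogram_pdf(samples, lo, hi, bins=BINS):
    """Histogram method: fraction of data points falling into each interval."""
    counts = [0] * bins
    for x in samples:
        counts[bin_index(x, lo, hi, bins)] += 1
    return [c / len(samples) for c in counts]


def train(training):
    """Offline phase: estimate f(x|w_N) and f(x|w_A) for every feature."""
    model = {}
    for feature, data in training.items():
        values = data["normal"] + data["attack"]
        lo, hi = min(values), max(values)
        model[feature] = {
            "lo": lo,
            "hi": hi,
            "f_N": histogram_pdf(data["normal"], lo, hi),
            "f_A": histogram_pdf(data["attack"], lo, hi),
        }
    return model


def densities(model, feature, x):
    """Return (f(x|w_A), f(x|w_N)) for the interval that contains x."""
    m = model[feature]
    b = bin_index(x, m["lo"], m["hi"])
    return m["f_A"][b], m["f_N"][b]


def likelihood_ratio(model, feature, x):
    """f(x|w_A) / f(x|w_N); unbounded when no normal sample fell in the bin."""
    f_a, f_n = densities(model, feature, x)
    if f_n == 0:
        return float("inf") if f_a > 0 else 1.0
    return f_a / f_n


def attack_likelihood(model, feature, x):
    """Assumption: bounded score f_A / (f_A + f_N); 0.5 if the bin is empty."""
    f_a, f_n = densities(model, feature, x)
    total = f_a + f_n
    return 0.5 if total == 0 else f_a / total


def l_final(model, measurement):
    """Information fusion: average of the per-feature attack likelihoods."""
    scores = [attack_likelihood(model, f, x) for f, x in measurement.items()]
    return sum(scores) / len(scores)


def detect(model, measurement, threshold=0.5):
    """Compare the fused likelihood with the decision threshold."""
    return "attack" if l_final(model, measurement) > threshold else "normal"


MODEL = train(TRAINING)

if __name__ == "__main__":
    flood = {"bitrate": 230, "bitrate_increase": 42, "delay": 70}
    flash_crowd = {"bitrate": 230, "bitrate_increase": 1, "delay": 11}
    print(detect(MODEL, flood), round(l_final(MODEL, flood), 3))
    print(detect(MODEL, flash_crowd), round(l_final(MODEL, flash_crowd), 3))
```

The flash-crowd measurement has the same high bitrate as the flood, but the other two classifiers pull the average below the threshold, which is the compensation for single-feature errors that the fusion step is meant to provide.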

5.2 Self-protection

ACEs aggregate to create communication paths based on a defined goal needed (GN) parameter. Convenient aggregations would be selected, which will be characterised by a goal achievable (GA) value, which can dynamically change. Self-adaptation and self-organisation would attempt to maintain a GA close to the desired GN. From a network context perspective, such goals will be expressed in terms of a QoS metric (e.g. delay, loss, jitter, or other composite metrics). We further assume that network metrics will be continuously monitored by ACEs either by implementing the functionality themselves or by relying on a situated-aware network able to monitor and report the QoS of paths. Although any ACE could incorporate the functionality required to create a self-protecting network, we assume that this functionality will be restricted to a certain class of ACE (cops), specifically deployed to achieve protection. That way, DDoS protection would exist without excessive overhead network-wide.

A complete protection architecture should include the following elements:

• Detection of the existence of an attack.

• Classification of the incoming packets into valid (normal packets) and invalid (DDoS packets). As in detection, one can choose between anomaly-based and signature-based classification techniques.

• Response. In the most general sense, the protection system either drops the attacking packets or redirects them into a trap for further evaluation and analysis.

Therefore we start with the postulate that we will consider a generic DDoS defence scheme that is based on the following principles:


• The ACE which is targeted by a distributed DoS (DDoS) attack (the victim ACE) has the ability to detect or to be informed about the attack, based either on a local or distributed detection scheme. All ACEs upstream, from the victim up to the source(s) of the attack, will also be informed of the ongoing threat.

• The victim ACE and the informed ACEs will react by dropping packets which are thought to be part of the attack.

• The attack itself can produce buffer overflows and saturation of network resources such as CPU capacity, due to the inability of the ACEs or routers to handle the resulting heavy packet traffic.

• The detection scheme is always imperfect, so that both false alarms and detection failures are possible. Imperfections are possible both with regard to the detection of the attack as a whole, and the identification of the packets that belong to this attack. Thus, for any packet that flows in the network we need to consider a probability of correct identification as being an attacking packet, and a probability of false alarm, which means that some attacking packets will be missed and some non-attacking packets may be incorrectly dropped.

5.3 Defence Schemes

5.3.1 Basic Defence Scheme

To provide the necessary defence against DDoS attacks, ACEs will require the ability to trace traffic going both down- and upstream. One way this requirement can be achieved is by introducing acknowledgements (ACKs) in end-to-end communications to carry network context information back to the ACEs. When an ACE detects a DoS attack, it will use the ACKs to ask all intermediate ACEs upstream to drop packets of the incoming flow.

Detection can be achieved by allowing any ACE to determine for itself two parameters governing bandwidth allocation: the maximum that it is able to receive ($B_{TOT}$), and the maximum that it is willing to allocate to any particular flow that traverses it ($B_{Client}$); both are dynamic parameters that may change over time as a function of the conditions at the ACE, and on the identity and GN (QoS needs) of the flows, and they may also vary during the life of a particular flow or connection. This idea can be extended to allowing an ACE to specify different bandwidth restrictions for flows of different QoS classes. When an ACE receives a packet from a flow that it has not already seen before (e.g. with a new source-destination pair, accompanied with a new GN), it will send a specific Flow-ACK packet back to the source along the reverse path, and inform the source of its $B_{Client}$ allocation. This may occur periodically for each ongoing flow. An ACE will monitor all of the flows that traverse it, and drop some or all of the packets of any flow that exceeds this allocation. When the allocation is exceeded, the ACE informs (using ACKs) upstream ACEs that packets of this flow should be dropped. Other possible actions could include diverting the flow into a “honeypot”, or into a special overlay network used for protection, or it may simply alert a network administrator.

5.3.2 DDoS Protection based on Prioritisation and Throttling

The performance of the defence scheme based on dropping DDoS packets previously described depends heavily on the accuracy of the detection and classification methods available. Inaccurate methods would easily lead to false alarms on normal packet flows causing a degradation in communications.

We suggest traffic prioritisation and throttling as the basis of the response mechanism instead of a simple dropping scheme. If an ACE (either a recipient or a transit ACE) receives packets towards a destination: (1) at a rate higher than the current rate threshold (packets/sec or bytes/sec) and (2) with a rate increase higher than the current increase threshold (packets/sec² or bytes/sec²), then it announces


the existence of an ongoing DDoS attack and sends this information to all upstream ACEs and to the victim. From then on, the protection mechanism is set into motion along the informed path. In case of disagreement, it is the alleged victim ACE’s responsibility to inform those ACEs that there was a false alarm and that they should return to normal operation.

When there is a detected attack in progress, each informed ACE contributes to the defence by examining every incoming packet for deviations from the normal behaviour. Packets undergo a collection of anomaly-based validity tests which may differ for each type of traffic (see Section 1.2). ACEs which have a role in the defence will prioritise traffic with priority levels which are related to the tests. Each time a packet fails a validity test, its priority level may drop accordingly. Additionally, the upstream routers are instructed to throttle down their traffic directed towards the victim ACE to a level which it can handle. This two-fold protection framework ensures that packets with higher probability of being both valid and harmless are offered preferential service. Packets which have been marginally classified as invalid may now receive service if there is available bandwidth so as to minimise the collateral damage inflicted by false detection. Packets which have been identified as being harmful are either delayed by being assigned low priority, or dropped. Various simplifications of this scheme, based for instance on grouping all traffic that has been identified as being invalid, can also be considered.
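The two-condition trigger and the prioritise-then-throttle response of Section 5.3.2, as an added Python sketch that is not code from the deliverable. The thresholds, the packet fields, the three validity tests and the per-interval byte budget are hypothetical, and all sample data is constructed.

```python
# Added example (not from the deliverable). Thresholds, packet fields and the
# validity tests are hypothetical; all sample data is constructed.

KNOWN_SOURCES = {"ace-a", "ace-b"}  # hypothetical set of previously seen peers

# Hypothetical anomaly-based validity tests; each returns True when passed.
VALIDITY_TESTS = [
    lambda p: p["src"] in KNOWN_SOURCES,
    lambda p: 40 <= p["size"] <= 1500,
    lambda p: p["ttl"] >= 32,
]


def attack_announced(byte_counts, rate_threshold, increase_threshold):
    """Return the index of the first 1-second window in which BOTH the rate
    (bytes/sec) and the rate increase (bytes/sec^2) exceed their thresholds,
    or None if the two conditions never hold together."""
    for i in range(1, len(byte_counts)):
        rate = byte_counts[i]
        increase = byte_counts[i] - byte_counts[i - 1]
        if rate > rate_threshold and increase > increase_threshold:
            return i
    return None


def priority_level(packet):
    """0 is the best level; every failed validity test lowers the priority."""
    return sum(1 for test in VALIDITY_TESTS if not test(packet))


def schedule(packets, budget_bytes):
    """Serve packets in priority order within the throttled byte budget.

    Packets failing every test are dropped outright. Packets that fail only
    some tests are served if bandwidth remains, which limits the collateral
    damage of false detection. sorted() is stable, so arrival order is kept
    within a priority level. Returns (forwarded ids, dropped ids)."""
    forwarded, dropped = [], []
    for p in sorted(packets, key=priority_level):
        harmful = priority_level(p) == len(VALIDITY_TESTS)
        if harmful or p["size"] > budget_bytes:
            dropped.append(p["id"])
        else:
            forwarded.append(p["id"])
            budget_bytes -= p["size"]
    return forwarded, dropped


# Constructed bytes received towards one destination per 1-second window.
BYTE_COUNTS_ATTACK = [1000, 1100, 1050, 1200, 4000, 9000, 9500]
BYTE_COUNTS_BUSY = [5000, 5100, 5050, 5200]  # high but steady load

# Constructed packets, listed in arrival order.
PACKETS = [
    {"id": 3, "src": "ace-y", "size": 20, "ttl": 5},
    {"id": 2, "src": "ace-x", "size": 1500, "ttl": 60},
    {"id": 5, "src": "ace-z", "size": 600, "ttl": 8},
    {"id": 1, "src": "ace-a", "size": 500, "ttl": 60},
    {"id": 4, "src": "ace-b", "size": 800, "ttl": 10},
]

if __name__ == "__main__":
    print(attack_announced(BYTE_COUNTS_ATTACK, 3000, 2000))
    print(attack_announced(BYTE_COUNTS_BUSY, 3000, 2000))
    print(schedule(PACKETS, 2500))
    print(schedule(PACKETS, 4000))
```

With the larger budget the marginally suspicious packets are served as well, while the packet that fails every test is dropped at either throttle level.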

5.4 A Mathematical Evaluation of Denial of Service Protecti on

We discuss an approach that we have developed to analyse the impact of DDoS protection on theoverall performance of a network of ACE, based on the probabilities of detection and of false alarm. Weassume an abstract network model in which DDoS packets are identified with a certain probability anddropped, while some other valid (i.e. non-DDoS) packets are mistakenly identified as DDoS flows andalso dropped.

The network consists of N ACEs 1, ...i, ..., N . At any ACE i, the arriving traffic is the aggregateof several normal (valid or non-DDoS) flows, and possibly of several invalid (DDoS) flows, where n =(n1, n2, ... , nj , ... , nL(n)) and d = (d1, d2, ... , dj , ... , dL(d)) are the paths in a normal and a DDoS flow,respectively. L(n) is the path length of flow n, and j is used to denote the position of a generic ACEinside the path. The total traffic rate λi arriving externally to ACE i is composed of two parts:

λi =∑

n

λni,n +

d

λdi,d , (11)

where λni,n is the “normal” or benign incoming traffic rate which belongs to normal flow n, and λd

i,d isthe arrival rate of DDoS packets belonging to flow d.

Any traffic that node $i$ takes to be DDoS traffic is dropped at the entrance of the node. Thus, a fraction $f_{i,n}$ of normal traffic (the probability of false alarms) and a fraction of DDoS traffic $d_{i,d}$ (the probability of correct detection) will be dropped as it arrives to the node. If the node’s DDoS detection mechanism were perfect we would have $f_{i,n} = 0$ and $d_{i,d} = 1$. Once a packet is admitted into an ACE, it is queued and then forwarded based on its destination address. We model each ACE by a single server queue with service time $s_i$ representing both the time it takes to process the packet in the ACE and the actual transmission time. The traffic intensity parameter $\rho_i$ is then:

$$\rho_i = s_i \left( \sum_{n} I^{n}_{i,n} (1 - f_{i,n}) + \sum_{d} I^{d}_{i,d} (1 - d_{i,d}) \right), \qquad (12)$$

where for ACE $i$, $I^{n}_{i,n}$ is the arriving traffic rate of the normal flow $n$, and $I^{d}_{i,d}$ is the arriving traffic rate of a DDoS flow $d$.

Since DDoS attacks will tend to overwhelm the ACE’s packet processing and transmission capability, packets will be lost by the ACE with probability $L_i$. We could use different formulas to relate traffic intensity to this probability based on modelling congestion of various types that may occur at the ACE.

We take a simplistic view that this loss probability is due to buffer overflow, and we use loss probability expressions for a finite capacity queueing model.

Since any traffic that is correctly or mistakenly thought to be DDoS traffic is dropped at the input of the ACE, and since the traffic which effectively enters an ACE has been filtered in this manner, the traffic equations for the system become:

$$I^{n}_{n_j,n} = \lambda^{n}_{n_1,n} \prod_{l=0}^{j-1} \left( (1 - L_{n_l})(1 - f_{n_l,n}) \right)$$

$$I^{d}_{d_j,d} = \lambda^{d}_{d_1,d} \prod_{l=0}^{j-1} \left( (1 - L_{d_l})(1 - d_{d_l,d}) \right), \qquad (13)$$

where we set $L_{n_0} = L_{d_0} = f_{n_0,n} = d_{d_0,d} = 0$. These equations express the fact that, at any ACE, an incoming packet may be dropped due to correct or mistaken identification as a DDoS packet, or due to buffer overflow because the ACE is overloaded, while all packets which enter the buffer queue and are not dropped are eventually routed to the next ACE on their path or absorbed at the current ACE if it is itself the destination ACE. Equations (13) relate input rates to the ACEs to the buffer overflow or loss probabilities, while $\rho_i$ and consequently the buffer overflow probabilities $L_i$ in turn depend on the traffic rates. The solution of (13) is obtained numerically via a non-linear iteration:

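• Step 0

$$I^{n,(k=0)}_{i,n} = \lambda^{n}_{i,n} \qquad (14)$$

$$I^{d,(k=0)}_{i,d} = \lambda^{d}_{i,d} \qquad (15)$$

(16)

• Step k > 0

$$\rho^{(k)}_i = s_i I^{(k-1)}_i \qquad (17)$$

$$L^{(k)}_i = \left(\rho^{(k)}_i\right)^{B_i} \frac{1 - \rho^{(k)}_i}{1 - \left(\rho^{(k)}_i\right)^{B_i+1}} \qquad (18)$$

$$I^{n,(k)}_{n_j,n} = \lambda^{n}_{n_1,n} \prod_{l=0}^{j-1} \left( (1 - L^{(k)}_{n_l})(1 - f_{n_l,n}) \right) \qquad (19)$$

$$I^{d,(k)}_{d_j,d} = \lambda^{d}_{d_1,d} \prod_{l=0}^{j-1} \left( (1 - L^{(k)}_{d_l})(1 - d_{d_l,d}) \right) \qquad (20)$$

$$I^{(k)}_i = \sum_{n} I^{n,(k)}_{i,n} + \sum_{d} I^{d,(k)}_{i,d} \qquad (21)$$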

The “goodput” or aggregate of the packets that either have reached their destination, or are ready to be forwarded to the next ACE in their route, is used as a measure of the effectiveness of the DDoS protection scheme, and also of how successful or unsuccessful the DDoS attack has been. Thus after the algorithm converges we obtain the goodput $G(i)$ at each ACE using:

$$G(i) = \sum_{n} I^{n}_{i,n} (1 - L_i)(1 - f_{i,n}) \qquad (22)$$

5.5 Numerical Example

To illustrate the use of the mathematical model we evaluate the impact of a DDoS attack on the network topology shown in Figure 25. In this example, web-server 0 is being attacked by three DDoS flows of 2500 packets/sec each, entering the network through ACEs 3, 4 and 5, so that the model represents a DDoS attack. Both web-servers receive normal packets by all valid clients at a rate of 100-500 packets/sec per client (100 corresponds to very low and 500 to very high load level). We evaluate the impact of the attack and the defence mechanism by considering the goodput or rate of “valid” packets which make it safely to their destination ACEs. We investigate the impact of the attack on the goodput at each ACE under varying load levels and different detection probabilities. We choose an average service time per packet of $s_i$ = 0.4 ms and a buffer size of $B_i$ = 40 packets at each ACE.

[Figure 25 (network topology diagram, not reproduced): nodes numbered 0 to 16, with labels for three Attackers, the 1st Webserver (Victim), the 2nd Webserver and five clients.]

Figure 25: Attack scenario: 3 attack flows through 3, 4 and 5 towards web-server 0.

The results presented in Figures 26 and 27 show that a moderate attack can cause an undefended network’s performance to degrade dramatically. For example, at high load level, the victim web-server (0) operates at less than 22% of its ideal capacity, compared to 99% without the attack. Applying a simplistic defence in which we drop half of the packets which are destined to it (Figure 26, naïve defence, f = 0.5, d = 0.5), the results do not improve, at least from the victim’s perspective. They do improve though for web-server 13 (Figure 27). So, if web-server 0 were not a crucial part of the infrastructure, but only a decoy or a “honeypot” whose role is to attract the attacking traffic, then that very lightweight naïve defence choice would prove useful. We represent a more sophisticated defence approach as normal defence, for which we arbitrarily choose (f = 0.1, d = 0.6) as the set of dropping probabilities. The results show significant improvement in both web-servers for all load levels. An even more accurate defence (f = 0.1, d = 0.9) would of course yield even better results.
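The non-linear iteration of Section 5.4 and the goodput of eq. (22), as an added Python example that is not part of the original report. The paths of Figure 25 are not given in the text, so the topology (every flow crossing one shared upstream ACE 1, clients at ACEs 6 and 7), the `Flow` class, and the choice of applying (f, d) only at ACE 1 to victim-bound traffic are assumptions; the attack rate, $s_i$, $B_i$ and the (f, d) pairs are the ones quoted above.

```python
from dataclasses import dataclass

S = 0.4e-3          # service time per packet in seconds (s_i = 0.4 ms)
B = 40              # buffer size in packets (B_i = 40)
VICTIM, SECOND = 0, 13   # the two web-servers named in the text
CORE = 1            # assumption: one upstream ACE shared by every flow


@dataclass(frozen=True)
class Flow:
    path: tuple     # ACE ids, source first, destination last
    rate: float     # external arrival rate at path[0], packets/s
    ddos: bool = False


def loss_probability(rho, b):
    """Buffer-overflow probability of eq. (18) for traffic intensity rho."""
    if rho <= 0.0:
        return 0.0
    if abs(rho - 1.0) < 1e-9:            # limit of eq. (18) as rho -> 1
        return 1.0 / (b + 1)
    if rho > 1.0:                        # eq. (18) divided through by rho**b,
        return (rho - 1.0) / (rho - rho ** (-b))   # so heavy overload cannot overflow
    return rho ** b * (1.0 - rho) / (1.0 - rho ** (b + 1))


def arrival_rates(flows, loss, drop):
    """Eqs. (19)/(20): rate of each flow arriving at each ACE on its path."""
    rates = []
    for k, flow in enumerate(flows):
        rate, per_hop = flow.rate, []
        for node in flow.path:
            per_hop.append(rate)
            # what reaches the next hop survived this ACE's filter and buffer
            rate *= (1.0 - drop.get((node, k), 0.0)) * (1.0 - loss[node])
        rates.append(per_hop)
    return rates


def solve(flows, drop, s=S, b=B, tol=1e-12, max_iter=1000):
    """Non-linear iteration; returns (loss per ACE, per-hop arrival rates)."""
    nodes = {n for flow in flows for n in flow.path}
    loss = dict.fromkeys(nodes, 0.0)     # Step 0 taken as: no buffer loss yet (assumption)
    for _ in range(max_iter):
        rates = arrival_rates(flows, loss, drop)
        admitted = dict.fromkeys(nodes, 0.0)
        for k, flow in enumerate(flows):
            for node, rate in zip(flow.path, rates[k]):
                admitted[node] += rate * (1.0 - drop.get((node, k), 0.0))
        # rho from the admitted (post-filter) rate as in eq. (12), then eq. (18)
        new = {n: loss_probability(s * admitted[n], b) for n in nodes}
        delta = max(abs(new[n] - loss[n]) for n in nodes)
        loss = new
        if delta < tol:
            return loss, arrival_rates(flows, loss, drop)
    raise RuntimeError("iteration did not converge")


def goodput(flows, drop, loss, rates, node):
    """Eq. (22): normal traffic that passes both the filter and the buffer."""
    total = 0.0
    for k, flow in enumerate(flows):
        if not flow.ddos and node in flow.path:
            hop = flow.path.index(node)
            total += (rates[k][hop] * (1.0 - loss[node])
                      * (1.0 - drop.get((node, k), 0.0)))
    return total


def evaluate(f, d, client_rate=500.0, defenders=(CORE,)):
    """Goodput at both web-servers as a fraction of the offered normal load."""
    # Constructed topology: attackers enter at ACEs 3, 4, 5; clients at 6, 7.
    flows = [Flow((src, CORE, VICTIM), 2500.0, ddos=True) for src in (3, 4, 5)]
    flows += [Flow((c, CORE, dst), client_rate)
              for c in (6, 7) for dst in (VICTIM, SECOND)]
    drop = {}   # (ACE, flow index) -> drop probability at the ACE's entrance
    for k, flow in enumerate(flows):
        if flow.path[-1] == VICTIM:      # only victim-bound traffic is filtered
            for node in defenders:
                if node in flow.path:
                    drop[(node, k)] = d if flow.ddos else f
    loss, rates = solve(flows, drop)
    offered = 2 * client_rate            # two clients per web-server
    return {srv: goodput(flows, drop, loss, rates, srv) / offered
            for srv in (VICTIM, SECOND)}


if __name__ == "__main__":
    cases = {"no defence": (0.0, 0.0), "naive": (0.5, 0.5),
             "normal": (0.1, 0.6), "accurate": (0.1, 0.9)}
    for name, (f, d) in cases.items():
        res = evaluate(f, d)
        print(f"{name:10s} ws0={res[VICTIM]:.3f} ws13={res[SECOND]:.3f}")
```

On this constructed topology the naïve setting lowers the victim's goodput while raising that of web-server 13, the same qualitative pattern described for Figures 26 and 27; the absolute values are not the report's.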

5.6 Self-configuration and Distributed Auctions Use Case

We have explored the use of migration as an alternative way to deal with DoS attacks applicable to critical tasks. To illustrate the idea, we have used the distributed auction scenario being developed by WP4 and studied the effects of the attack and migration on the income rate of sellers.

Figure 26: Mathematical Analysis results for web-server 0.

Figure 27: Mathematical Analysis results for web-server 13.

An autonomic auctioneer migration consists in the transfer of auction handling responsibilities to a surrogate. The migration process involves the following steps:

1. Selection of a surrogate and negotiation. Each auctioneer starts with a list of possible surrogates obtained from the AC (contained in the ADVACK message). The AC creates the list by randomly choosing participant addresses in the system. We assume the implementation of a system of incentives (i.e. monetary) to motivate participants to serve as surrogates. From the list, the auctioneer randomly selects one possible surrogate. Then, it contacts the selected surrogate, which may accept the task. A surrogate may accept handling an auction depending on the level of incentive available and its own suitability for the task from observations of its own network state. If the surrogate finds itself suitable and decides to accept the task, it will send a MACK message to the auctioneer. Otherwise, it will reject the task with an MREJ message. If the surrogate rejects, the auctioneer will try again with another selection.

2. Transfer. Once agreed, the auctioneer transfers the auction state to the surrogate. The auction state consists of the current price, highest bidder identification, list of bidders and AC address. After an auction has been transferred, the surrogate handles it independently of the seller by receiving offers and deciding when to accept one of them.

3. Closing. When the auction finishes, the surrogate transfers back the state to the seller, which takes care of terminal operations of the auction.

There are three possible schemes for timing an autonomic migration:

1. Reactive. In the reactive case, auctioneers monitor the network to detect DDoS attacks. The implementation of one or more detection mechanisms is therefore required. The migration setup time and detection time will define the auctioneer’s “reaction time” to a DDoS attack. A positive detection therefore triggers the migration process.

2. Proactive. With this mode, auctioneers continuously migrate from surrogate to surrogate for the duration of the auction in an attempt to escape from any possible attack. Migration can be sequential and periodic and limited to a number of steps. The selection of the sequence to follow can be coordinated in one of two ways:

• Dynamically select a surrogate each time as in the reactive case.

• Statically select an N-step migration sequence at the beginning of the process. The advantage of the static selection is that bidders would know ahead of time the address of the surrogate handling the auction at any time, which should reduce bid forwarding and increase efficiency. After N steps, a new sequence is selected. This method is comparable to frequency-hopping spread spectrum in radio transmission, where a transmission quickly changes carrier among several channels to escape interference and interception using a pseudorandom sequence known only by the communication parties.

3. Hybrid. Auctioneers may start a proactive migration at a specific time or after detecting the first DoS attack. The advantage of the latter is that if no attack is detected during the auction, no migration occurs.

5.6.1 Analysis

The following analysis extends the single auction study with unit increments documented in [24] to study the model under a DDoS attack and migration. As with the original model, it is assumed that bids arrive at the auctioneer according to a Poisson process of rate λ, each bid incrementing the value of the offer by one as long as the value is less than V (the value of the item for buyers). The auctioneer may accept an offer if no new bids are received within a decision time (exponential random variable of parameter d). After accepting an offer, the auctioneer restarts the process (for a new item) after resting for some time, exponentially distributed with parameter r.

However, unlike the original model which assumes instant bid arrivals at the auctioneer, bids arrive first to a collection point in the network. From the collection point, bids need to traverse the network to reach the auctioneer, which then updates the price and decides termination of the auction. In this scenario, the auctioneer may be subject to a DDoS attack, which will introduce latency and losses in the reception of bids. To simplify the model, we assume that bids arrive in order. Migration would cause a change of network conditions between the collection point and auctioneer.

The model consists of a continuous time Markov chain $X = \{X(t), t \ge 0\}$ with a finite state space $S = \{A_{0,0}, \ldots, A_{i,j}, \ldots, B_{0,1}, \ldots, B_{i,j}, \ldots, W_1, \ldots, W_V\}$, $0 \le i < j \le V$, where $V$ is a random variable with known probability distribution function. We are interested in finding the stationary probability distribution of the Markov chain $P_V(\cdot)$ and use it to calculate the expected accepted offer of the auction. The $A_{i,j}$ states represent the auction under no DDoS attack, with $i$ bids at the collection point and an offer of $j$ units at the auctioneer. Transmission latency from the collection point to the auctioneer is modelled with an exponential random variable of parameter $\delta$. In a similar way, the $B_{i,j}$ states represent the auction under a DDoS attack. To model the increase in latency caused by a DDoS attack, the average transmission rate is $\alpha\delta$, with $0 \le \alpha \le 1$. Parameter $\alpha$ is simply the ratio of the average end-to-end delay of bids before and during the attack. Furthermore, we assume a message loss probability of $p$ before the attack and $q$ during the attack, with $0 \le p \le q \le 1$.

State $A_{0,0}$ is the initial state of the auction right after the auctioneer registers a new auction with the auction centre and before any bid arrives at the collection point. After an auction finishes, and after some resting time, the state returns to $A_{0,0}$ (from state $W_i$ with an accepted offer of $i$ units).

$$\lambda P_V(A_{0,0}) = r \sum_{i=1}^{V} P_V(W_i) \qquad (23)$$

$$(\lambda + (1 - p)\delta)\, P_V(A_{i,0}) = \lambda P_V(A_{i-1,0}); \quad 1 \le i \le V \qquad (24)$$

Attackers require some time to identify their victim and set up the attack. We model the “attack setup time” with an exponentially distributed random variable of parameter f. On the other hand, the auctioneer “reaction time” is modelled with an exponentially distributed variable of parameter m that accounts for the time needed to positively detect an attack (in reactive and hybrid cases) and to prepare and execute migration (in all migration cases).

[Figure 28 (state-transition diagram, not reproduced): states $A_{i,j}$ (no attack), $B_{i,j}$ (under attack) and $W_1, \ldots, W_V$, with transition rates λ, (1−p)δ, (1−q)αδ, d, r, f and m.]

Figure 28: Model of system of distributed auctions with migration

Attackers are most likely to be interested in active auctions, so we do not expect attacks before the reception of the first bid. Likewise, it is sensible to expect migrations to start only for active auctions (those with at least one offer received).

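$$(\lambda + d + f)\, P_V(A_{0,j}) = (1 - p)\delta\, P_V(A_{1,j-1}) + m P_V(B_{0,j}); \quad 1 \le j \le V \qquad (25)$$

$$(\lambda + d + f + (1 - p)\delta)\, P_V(A_{i,j}) = \lambda P_V(A_{i-1,j}) + (1 - p)\delta\, P_V(A_{i+1,j-1}) + m P_V(B_{i,j}); \quad 1 \le i \le V - 1,\ 1 \le j \le V - i \qquad (26)$$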

Transitions under a DDoS attack mirror those of the un-attacked system with the addition of possible migrations:

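$$((1 - q)\alpha\delta + d + m)\, P_V(B_{i,1}) = (1 - p)\delta\, P_V(B_{i-1,1}) + f P_V(A_{i,1}); \quad 1 \le i \le V - 1 \qquad (27)$$

$$(\lambda + d + m)\, P_V(B_{0,j}) = f P_V(A_{0,j}); \quad 2 \le j \le V \qquad (28)$$

$$(\lambda + d + m)\, P_V(B_{0,j}) = (1 - p)\alpha\delta\, P_V(B_{1,j-1}) + f P_V(A_{0,j}); \quad 2 \le j \le V \qquad (29)$$

$$(\lambda + d + m + (1 - p)\alpha\delta)\, P_V(B_{i,j}) = \lambda P_V(B_{i-1,j}) + (1 - p)\alpha\delta\, P_V(B_{i+1,j-1}) + f P_V(A_{i,j}); \quad 1 \le i \le V - 1,\ 1 \le j \le V - i \qquad (30)$$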

After receiving its first offer, the auctioneer may accept it if no additional offer is received within its deciding time regardless of being under attack or not.

$$r P(W_i) = d \sum_{k=0}^{V-1-k} \left( P_V(A_{k,i}) + P_V(B_{k,i}) \right) \qquad (31)$$

Finally, stationary probabilities must sum to one, which gives the additional equation needed to solve the system.

$$\sum_{i=0}^{V} \sum_{j=0}^{V-i} P_V(A_{i,j}) + \sum_{i=0}^{V-1} \sum_{j=1}^{V-i} P_V(B_{i,j}) + \sum_{j=1}^{V} P_V(W_i) = 1 \qquad (32)$$

5.7 Income per unit time

From the equations for the stationary probabilities in the previous section, the probability to end an auction with a selling price of $i$ is [24]:

$$\pi(i, V) = \frac{P_V(W_i)}{\sum_{j=1}^{V} P_V(W_i)} \qquad (33)$$

therefore, the expected income per unit of time ($\Phi$) is

$$\Phi = E\left[ \frac{\sum_{j=1}^{V} j\, \pi(j, V)}{T} \right] \qquad (34)$$

where $T$ is the average auction duration ($T = \frac{1}{P(A_0)\lambda}$), $E[g(V)] = \sum_{V=0}^{\infty} p(V) g(V)$ and $p(V)$ the probability distribution function of $V$. Numerical solutions of these equations are presented in the next section.

5.8 Numerical evaluation

It is interesting to relate bid transmission latency and the average income per unit time of the seller as latency increases when a DDoS attack occurs. A numerical solution of the model is shown in Figure 29. The calculation used a bidding rate λ = 10.0, resting rate r = 1.0 and a range of decision rates. The system was un-attacked (p = q = 0, f = 0, m = 1e12) and the results were computed for various values of δ. The value for V was selected uniformly in the range 40 to 60.

It can be observed that Φ decreases abruptly after a certain (critical) value of δ. The critical value was approximately in the range of 50 to 200 ms for the cases analysed. A typical DDoS attack can easily produce much larger latencies than the critical range. As a reference, consider that a usual end-to-end transmission on the Internet can take about 30 ms. A typical DDoS (if there is no response) can easily increase that latency by 10 to 100 times. For example, in the case d = 0.1, an attack increasing latency by 10 times would decrease Φ by 40%.

Another aspect that is worth looking at is the intensity of the DDoS attack, caused by data flows of higher packet rate or larger number of flows, and its consequences for the expected income per unit time. The intensity of an attack is represented by values of α in the range of 0.001 (severe) to 1.0 (light). The solutions are shown in Figure 30 as a function of the decision rate for a system under attack and without migration capabilities (m = 1e−12, f = 1e12). The bid loss probability was set to 0.2. Increases in the intensity of the attack can produce a quick degradation in the expected Φ regardless of the decision rate, as can be observed from the results. It is interesting to note that in most cases, a DDoS attack will gradually increase its intensity as more agents start sending malicious traffic to the target.

[Figure 29 (plot, not reproduced): Phi versus delta, one curve each for d = 2.0, 1.0, 0.5, 0.2, 0.1 and 0.01; plot title: lambda=10.0, r=1.0, p=0.0, q=0.2, f=0.0, m=1e12, alpha=1.0.]

Figure 29: Income per unit time vs. bid transmission latency.

[Figure 30 (plot, not reproduced): Phi versus d, one curve each for alpha = 0.001, 0.01, 0.05, 0.1 and 1.0; plot title: lambda=10.0, r=1.0, p=0.0, q=0.2, f=1e12, m=1e−12, delta=100, alpha=1.0.]

Figure 30: Income per unit time vs. seller decision rate in a system under attack for various values of α.

Finally, we quantify the effectiveness of migration by looking at the tradeoffs between attack setup times and reaction times. The results are illustrated in Figure 31 for rates between 0.01 and 10. As expected, attack setup times faster than reaction times produce the worst impact on the auctioneer income per unit time.

[Figure 31 (plot, not reproduced): Phi versus m, one curve each for f = 0.01, 0.1, 0.5, 1.0, 2.0 and 10.0; plot title: lambda=10.0, r=1.0, p=0.0, q=0.2, f=1e12, m=1e−12, delta=100, alpha=1.0.]

Figure 31: Income per unit time vs. reaction rate.

6 Self-preservation in cooperative autonomic networking environments

In the first part of this section we present studies on self-preservation in autonomic-cooperative streaming and content replication environments. In the second part we discuss the use of network coding as a self-preservation technique to guarantee protection of the information and system resiliency to faulty nodes.

6.1 Self-preservation of autonomic distributed streaming environments

Distributing a live video stream using a Peer to Peer (P2P) streaming system has the advantage over a point-to-point client/server system of offering more resources to clients by effectively turning each one of them into a secondary server that assists in the distribution of the stream. These additional resources can yield improved scalability and/or resilience, depending on the design of the system.

Each participating peer in such a system is an autonomic communication element (ACE) of the system. This autonomicity is manifested in various ways and leads to behaviours that try on one hand to exhibit sufficient cooperation so that a content distribution network is materialized, and on the other hand to serve the interests of the particular element in a selfish manner. We study the impact of the autonomic behaviour of the ACEs (referred to also as peers or nodes, to allow for a clearer connection of our system to real distributed networked streaming environments that are currently under design) on the performance of the system and argue that selfish (greedy) behaviours may even “kill the P2P advantage” and lead to unacceptable performance.

In particular we study two aspects of the autonomic peer behaviour: first, we investigate the impact of a peer’s freedom or ability to adopt an operation policy (here, a video playout policy) of its own choice; and second, we investigate the impact of its self-determined decision to stop participating in the system (churn) at any time.

In the first part of our study we show that playout policies which permit the divergence of the playout points of the peers can deteriorate drastically the performance of P2P live streaming. Consequently, we argue in favor of keeping different playout points “near-in-time”, even if this requires sacrificing (dropping) some late frames that could otherwise be rendered (assuming no strict bidirectional interactivity requirements are in place). Such nearly synchronized playout policies create “positive correlation” with respect to the available frames at different playout buffers. Therefore, they increase the number of upstream relay nodes from which a node can pull frames and thus boost the playout quality of both single-parent (tree) and multiple-parent (mesh) systems. On the contrary, diverging playout points reduce the number of upstream parents that can offer a gapless relay of the stream. This is clearly undesirable and should be avoided as it contradicts the fundamental philosophy of P2P systems, which is to supplement an original service point with as many additional ones as can be provided by the users of the service themselves.

A conclusion of this first part of the study is that in order for the ACEs to support and benefit from a distributed streaming environment, they should constrain themselves to operating under such policies that preserve the structure by keeping the playout points of the various ACEs close. This way, a pool of ACEs will be available and in a position to take over when the need arises, to keep the quality at reasonable levels or prevent a streaming application from collapsing altogether (self-preserving strategy).

In the second part of our study, we show that the seemingly purely unpredictable and totally autonomic behaviour of ACEs participating in a P2P streaming system is possible to “predict” in certain cases, by noting that there is a strong correlation between the experienced quality of service by a node and this node’s decision to churn (leave the system). Based on these observations, we argue that peer selection strategies should not only take into account the (traditional) end to end quality of a connection but also other criteria which capture the experienced quality of service by a potential parent-node. This way, we can predict the stability or participatory outlook of an ACE that we consider as the stream feeder of another ACE-peer and make parent (feeder) choices that lead to long-lived connections and enhanced performance. Basically, by considering the participatory outlook we attempt to minimize uncertainty in such an environment, maximize the average peer lifetime in the system and, equivalently, the amount of available resources in the system. Peer selection strategies that utilize the peer’s participatory outlook (chance to stay in the system for a long rather than a short time horizon) are expected to increase the system’s self-preservation capability.

In the next two sub-sections we provide some more details on the aforementioned self-preserving strategies for autonomic P2P streaming systems.

6.1.1 On the Impact of Playout Policy on the Performance of P2P Live Streaming

The playout scheduler is the component of a video receiver that handles the buffering and rendering of received frames. Designing appropriate playout schedulers for video streaming applications was one of the central research topics of the multimedia transmission community up to the emergence of P2P streaming systems, at which point the focus shifted towards overlay construction and coding issues. Although fairly well understood in the context of point-to-point video streaming [3], playout scheduling has received rather limited attention in the context of P2P video streaming. The new setting, however, complicates playout scheduling beyond our previous understanding. In addition to achieving the desired tradeoff between interactivity and stream continuity, the playout scheduler must now jointly factor in that different playout processes become coupled in the context of P2P: buffering, rendering, or dropping a frame affects not only the local process but also downstream ones that might connect and request frames from the local node. We argue that, although seemingly subtle compared to topology construction and coding, playout scheduling still deserves our attention. Indeed, a bad choice of playout scheduling can impact quite negatively the performance of P2P streaming systems, despite the existence of the other two powerful enablers.

We consider a delay preserving playout policy called Sync and a data preserving one called Async in the context of a P2P streaming system [68, 66, 67]. These two policies lie at the extremes of the spectrum of studied playout policies [43]. With Sync, the playout scheduler enforces a fixed predefined time offset between the time that a frame is presented at a receiver and the time it was captured at the sender. To do so, it has to drop “late” frames that arrive after their scheduled playout time, even if they are eventually received correctly and in their entirety. The data preserving Async policy, on the other hand, imposes an initial buffering delay and then presents frames by draining the buffer at a constant rate. In the event of a buffer underflow, the playout freezes and resumes again upon the reception of the next frame. Not dropping late frames makes the offset between encoding and decoding times variable. In fact, in the absence of losses in the network, the offset increases with each underflow by an amount equal to the duration of the underflow.

We operate each one of these playout policies in a P2P streaming system with the following characteristics: (1) hierarchical structure, (2) threshold-based handoffs (change of upstream parent) based on partial or full information on the remaining network, (3) single-description coding. Such a setting resembles initial P2P streaming systems like the one presented in [59] and was chosen due to the popularity of such systems, their simplicity, and most importantly, in order to protect our evaluation of playout from issues that are orthogonal to it. In a sense, our chosen setting is the most fragile one as it includes a minimum amount of redundancy. Certainly one can design an over-provisioned system based on a dense overlay graph with multiple reception points and elaborate coding, but this would obscure the effects of playout policy, which is what we want to isolate in this work.

We develop a simulation environment for the above policies and setting and use it to compare them across different levels of network load and heterogeneity with respect to link capacities.

Our evaluation is based on “direct” metrics such as Discontinuity, which reflects the average time spent viewing some frozen frame, and Loss, which reflects the average lost playback time of frames never presented to the user. To explain the observed results on these metrics we introduce a new “indirect” one – called Availability – which roughly amounts to the number of available upstream parents to which a node can perform a smooth handoff at a time of poor reception quality from its current parent. Based on several simulation scenarios for our control variables (load, heterogeneity, information on remote nodes, number of past frames kept) we arrive at the following observations and conclusions:

• Sync performs consistently better than Async with respect to both Discontinuity and Loss under a wide spectrum of load and heterogeneity. The improved performance can be explained by the fact that Sync maintains higher Availability and thus is able to perform smooth handoffs at times of poor reception. Under Async, the underflows contribute to the time divergence of playout points and the de-correlation of buffer contents. Thus when a node seeks a handoff it becomes difficult to find a parent with the missing frames for a smooth transition.

• Sync is effective even under limited knowledge of remote nodes (used for performing handoffs). Having the playout nodes nearly synchronized means that any one of them can offer more or less the missing frames, so we don’t need to have a global view of buffer contents – tracking a small set of alternative parents suffices for handoff operations. Async on the other hand needs to know the buffer contents of remote nodes so as to identify the one (if any) whose playout point is at the right distance for a gapless handoff.

• Similarly, Sync is relatively immune to constraints on the number of downstream nodes that a parent can support. Having the playout points of different nodes near in time creates a natural load-balancing with respect to the handoffs because all nodes hold approximately the same frames and thus are equally good from the standpoint of a seeking node. Contrary to this, in Async there are many cases where few nodes exist that are at the “correct” time distance from many other nodes, but cannot accommodate all of them due to these constraints, and thus the seeking nodes are forced to perform handoffs that induce gaps in playout.

• Although rather counter-intuitive, Async’s performance is favored by randomness in parent selection (imposed by restrictions such as the ones described above) since the latter eventually assists in keeping playout points “near-in-time”; peers are forced not to diverge a lot by performing handoffs that induce loss and thus restore up to a point their offset.

• Unlike Sync, Async can benefit from keeping frames in the buffer even after they have been displayed locally. This, however, leads to several known complications (how much of it is needed to smooth out the disruption without making the offset exceedingly large) as well as some new ones (copyright restrictions permit the nodes of P2P streaming systems to buffer only a limited time window of copyright protected material [35]).

All the above indicates that Sync is a better option for the considered P2P systems. At the core of its advantage is that it conforms to the P2P character of the application. Async on the other hand, by virtue of the divergence that it fosters, goes against the P2P paradigm by effectively reducing the number of secondary service points that are available to a node, thus reducing the ability of the autonomic environment to preserve itself.

6.1.2 Peer selection strategies under node churn in P2P streaming

Churn in P2P streaming is fundamentally different from churn in P2P file sharing. Major causes of churn in P2P streaming seem to be the loss of interest and the low observed performance. Measurement studies of popular P2P streaming systems, such as ESM [59] and PPLive [69], point out this fact but they do not further investigate the role that these factors play in a peer’s decision to leave the system or join another channel.

We introduce a novel model capturing a peer’s participation in the service by linking a measure of the experienced quality of service in terms of continuity of playback with the probability of the peer to leave the service. This model also takes into account the fact that a peer may churn for arbitrary reasons such as loss of interest. In fact such a model reflects an attempt to take into account and predict behaviors developed in the social layer, i.e., the users’ domain, that have a direct impact on the dynamics developed in the physical layer, i.e., the associated nodes’ domain.

In this context we study the impact of the adopted peer selection strategy on the performance of the system. Preliminary results show that end-to-end connection quality criteria are not adequate and that new criteria should be introduced to help identify potential parents which would not only “promise” to provide a good connection but also a long-lived one. Such additional criteria that were evaluated include the age of a peer in the system and the experienced impairment in playback continuity.

This approach to reducing uncertainty and improving stability of the distribution network not only adds to the quality experienced by each participating end user, but also helps preserve such autonomic structures. If the peer selection is “blind” with respect to a choice for a long-living parent, the resulting frequent discontinuities and the associated poor quality of service would increase the peer departure from the system (due to discontent), which in turn would lead to worse service, increased discontent, increased departure from the system, and so on, leading to a catastrophic situation and a collapse of the system. Clearly, adopting policies that increase the peer’s lifetime and contentment (and these are correlated, as said earlier) helps preserve the system.

6.2 Self-preservation of autonomic content replication

Content distribution networks have been implemented in the past by installing large amounts of storage resources in various locations in the network and managing them so that their cumulative efficiency is high and the benefits for the owner of the resources are maximized.

Nowadays, it has been well understood that there is great potential in implementing distributed content distribution networks by utilizing widely available (not necessarily installed for this purpose) storage facilities that are owned by numerous independent entities. In the extreme case (one that is seriously envisioned today, though) part of the disk space in every networked computer could contribute to the implementation of this highly distributed and inexpensive content distribution facility.

Despite the great prospects of such an approach to content distribution, there are serious challenges to be addressed before such a concept is transformed into an operational and reliable infrastructure.

At the heart of these challenges lies the autonomic nature of these independently owned storage facilities. Each such storage facility is necessarily networked and expected to provide in principle a communications service (i.e., help deliver content in a faster and inexpensive manner) and may be viewed as an Autonomic Communication Element (ACE).

The challenge faced in this environment is one that appears more and more as we move from centrally-controlled environments to distributed and autonomic ones: on one hand the autonomic entities must cooperate in order to create the needed infrastructure and on the other hand they must also ensure that they benefit from this cooperation. Unless the latter is indeed the case and, thus, an autonomic element is not mistreated, ACEs will leave the cooperative structure and eventually the distributed autonomic environment will collapse (cannot be preserved).

Ensuring a mistreatment-free cooperative environment is key to encouraging and preserving it. In the first year we focused on: (a) investigating the source of mistreatment in cooperative content distribution structures formed by autonomic storage and communication entities, as well as mechanisms to mitigate it; (b) devising cooperation strategies that possess the mistreatment-free property. Details of these works may be found in [42], [44].

In the second year we have focused on another manifestation of autonomicity, through the behavior. Not only do autonomic elements expect to benefit from participating in a cooperative scheme, but they themselves are in control of their behavior. That is, autonomic elements may decide to behave differently than expected, either in order to profit more, or due to their (temporary) inability to behave as expected for technical reasons. In any case, such autonomic behaviors are present.

The autonomic behavior of storage elements participating in a cooperative, distributed content replication group is the focus of this part of the work.

The environment we have considered is described next. The problem is to devise object placement strategies in a group of cooperating storage elements, ensuring if possible no mistreatment and taking into consideration the behavior (reliability, etc.) of these elements.

A useful abstraction employed in placement problems is that of a distributed replication group [45]. This consists of a set of storage elements (referred to as nodes), usually with common interests, with a high degree of proximity, where each one locally stores and shares content. A user’s request is first received by the local node a user is associated with. If the requested object is stored locally, it is returned to the requesting user immediately, thereby incurring a minimum access cost. Otherwise, the requested object is searched for, and fetched from other nodes of the group, at a potentially higher access cost. If the object cannot be located anywhere else in the group, it is retrieved from an origin server – assumed to be outside the group – thus incurring a maximum access cost (Fig. 32).

Figure 32: A distributed replication group

The behavioral aspect of the autonomic communication and storage elements considered here is that of their presence or not in the group when service is requested. That is, we consider operation of the cooperative scheme under churn: change in the set of participating nodes due to random “join” and “leave” events. This environment appears when a node suddenly disconnects itself, or when link failures occur, mainly in networks with wireless links and node mobility, or when a node decides to ignore a service request to conserve its own resources. Clearly, node churn impacts both the effectiveness of cooperation as a whole and the ability of the cooperative scheme to preserve itself, as mistreatment may arise or even become significant.

We study cooperative replication schemes using game-theoretic approaches and analyze their performance under two cases: when nodes are considered to be always available and when node churn exists, in which case we consider a probability estimate of each node being available (or ON) that is common knowledge to all the nodes. The distributed object placement problem is suitably addressed in a game-theoretic context as follows. We consider users and nodes to be indistinguishable, and to form the players in the game. Each player implements a placement strategy which consists of choosing which objects to replicate locally in its limited storage space. This induces a local utility for each node, equal to minus its total access cost for all the requested objects. When a node does not cooperate with any other node (acts in isolation), the optimal strategy is to replicate a number of most wanted objects, equal to its capacity. This is called the greedy local strategy. Naturally, selfish users who are certainly not interested in increasing the social benefit would want to cooperate with other nodes only if such cooperation could further reduce their cost from the greedy local strategy and thus benefit more by cooperation than acting in isolation. This is the key requirement that should be met for a node to suffer no mistreatment [42] and participate in a cooperative content management scheme. Mistreatment may occur, for instance, when a node locally stores less requested objects and some other nodes benefit more at its expense. In this case it is better for the mistreated node to act in isolation.

In the setting of a distributed replication group, we consider the following strategies in an effort to find the best placement strategy which incites all nodes to cooperate and store objects in such a way that the access cost is minimized:

• Greedy local (in isolation): Nodes do not cooperate to replicate objects. They replicate their most requested objects to maximize the gain by accessing these objects from their local storage.

• Cooperative strategies: Nodes cooperate with each other to replicate objects in their limited storage in order for each node to minimize the total access cost for all its requested objects. The cooperative strategies we study are:

– Greedy churn-unaware: After applying the greedy local strategy first, nodes take turns to improve their placements (the set of objects replicated to their local storage) by exploiting placements of other nodes, but falsely consider other nodes to be always available. We call it “greedy”, because each node acts greedily, i.e., it makes the number of changes that will give it the greatest imminent access cost reduction, and “churn-unaware”, because the nodes are assumed to be unaware of the reliability (i.e., value of their ON probability) of the other nodes when making changes to their placement.
  The greedy churn-unaware strategy is essentially the one proposed in [44] under no node churn. It arrives at a Nash equilibrium where no node can gain by changing its placement under the assumption that all the nodes of the group are always present. However, it is shown in [40] that under node churn, the algorithm may result in mistreatment for some nodes. Thus, the following object replacement strategy is proposed.

– Greedy churn-aware: Again the nodes apply the greedy local strategy to replicate the requested objects, but then they take turns to improve their placements by exploiting placements of other nodes, considering also their availability. Under this proposed strategy, each node considers object placement changes based on greediness, i.e., the greatest imminent cost reduction.
  It can be shown by a simple example that the greedy churn-aware strategy may not arrive at a Nash equilibrium, since a node can make a change in its placement that does not benefit it afterwards. Despite this negative result, a good property of this strategy is that mistreatment problems can be avoided under some assumptions, that is, when nodes take turns to improve their placement in increasing order of their ON probability, have the same request rates for all objects and the same capacity, and a node can evict an object from its placement only if it is evicted by all previous nodes, or not evicted by any of the previous nodes.

To analyze their performance, we evaluate the mean total access cost per unit time for each node under the following orderings of players based on their reliability: (1) Least Reliable First (LRF), where nodes play in increasing order of their ON probabilities, (2) More Reliable First (MRF), where nodes play in decreasing order of ON probabilities, (3) Random order, in which nodes take a selected random order to play, and (4) same value of probabilities (0.5) for all nodes.

The results we get are shown in Fig. 33 and we can see that the greedy churn-aware strategy induces a smaller access cost to all nodes compared to the greedy churn-unaware and greedy local strategy, in the majority of cases.

Figure 33: Access cost for different placement strategies with different node orderings. Panels: (a) LRF (π=[0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1]); (b) MRF (π=[1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1]); (c) Random order (π=[0.1 0.4 0.7 0.3 0.2 1 0.8 0.9 0.6 0.5]); (d) πj=0.5 for all j=1...N. Each panel plots access cost against node number for Greedy local, Greedy churn-unaware (1 rnd), Greedy churn-aware (1 rnd) and Greedy churn-aware (multiround).

When comparing the churn-unaware and churn-aware greedy strategies, we observe that a significant improvement occurs when the ordering is LRF (Fig. 33(a)), while similar costs are produced for an MRF order (Fig. 33(b)). To understand this, notice that under the LRF order, the churn-unaware strategy results in many high request rate objects being stored at less reliable nodes; more reliable nodes falsely trust high request rate objects to be accessible from the previous nodes, while it would be better to have them stored locally. Such erroneous placements occur less when the order is MRF. The churn-aware strategy can also yield a significant improvement when there is no pre-specified order of play, but nodes take random turns (Fig. 33(c)). On the contrary, a slight improvement is observed when all nodes have the same probability of being ON. Finally, repeating the churn-aware algorithm for multiple rounds yields only a small extra benefit to some nodes; depending on the order of play, some nodes may benefit from the extra rounds, at the expense of others.

We can also examine the fairness aspects of different orderings. In this way, if some mediator (e.g., a system administrator) could enforce a certain order, we would like to know the fairest one. It is fair that more reliable nodes obtain a greater benefit by participating in the game than the less reliable ones. We established previously that when all nodes follow the churn-unaware strategy, LRF is an unfair order because it leads more reliable nodes to erroneous placements. Instead, MRF should be followed. Under the churn-aware strategy, such fairness problems are mitigated and both the LRF and MRF order tend to give similar benefits, as all nodes behave in a rational manner.
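The turn-based placement game of this section, written out as an added example (it is not code from the deliverable or from [40], [44]). The three access-cost constants, the expected-cost formula for a remote fetch, the best-response rule used for a "greedy" turn, and the two-node instance are assumptions made for illustration; all function names are hypothetical.

```python
from math import prod

# Assumed access costs (not given on the page): local <= remote <= origin.
T_LOCAL, T_REMOTE, T_ORIGIN = 0.0, 1.0, 3.0


def greedy_local(rates, capacity):
    """Greedy local strategy: every node keeps its own most requested objects."""
    return [set(sorted(range(len(r)), key=lambda i: (-r[i], i))[:capacity])
            for r in rates]


def miss_cost(obj, node, placements, p_on):
    """Expected cost for `node` to fetch `obj` that it does not store locally."""
    holders = [k for k, held in enumerate(placements) if k != node and obj in held]
    p_all_off = prod(1.0 - p_on[k] for k in holders)  # 1.0 if nobody holds it
    return T_REMOTE * (1.0 - p_all_off) + T_ORIGIN * p_all_off


def access_cost(node, rates, placements, p_on):
    """Mean total access cost per unit time of `node` under the true ON probabilities."""
    return sum(rate * (T_LOCAL if obj in placements[node]
                       else miss_cost(obj, node, placements, p_on))
               for obj, rate in enumerate(rates[node]))


def isolation_cost(node, rates, capacity):
    """Cost of acting in isolation: every miss goes to the origin server."""
    kept = greedy_local([rates[node]], capacity)[0]
    return sum(rate * (T_LOCAL if obj in kept else T_ORIGIN)
               for obj, rate in enumerate(rates[node]))


def play_round(rates, capacity, order, believed_p_on):
    """Nodes take turns; each keeps the objects with the largest believed cost reduction."""
    placements = greedy_local(rates, capacity)
    for j in order:
        gain = {obj: rate * (miss_cost(obj, j, placements, believed_p_on) - T_LOCAL)
                for obj, rate in enumerate(rates[j])}
        placements[j] = set(sorted(gain, key=lambda o: (-gain[o], o))[:capacity])
    return placements


def compare(rates, capacity, p_on):
    """Per-node cost in isolation, churn-unaware and churn-aware (LRF order, one round)."""
    nodes = range(len(p_on))
    lrf = sorted(nodes, key=lambda j: p_on[j])
    unaware = play_round(rates, capacity, lrf, [1.0] * len(p_on))  # everyone believed ON
    aware = play_round(rates, capacity, lrf, p_on)
    return [{"node": j,
             "isolation": isolation_cost(j, rates, capacity),
             "unaware": access_cost(j, rates, unaware, p_on),
             "aware": access_cost(j, rates, aware, p_on)} for j in nodes]


def mistreated(rows, strategy):
    """Nodes whose cost under `strategy` exceeds what they would pay in isolation."""
    return [row["node"] for row in rows if row[strategy] > row["isolation"] + 1e-9]


# Constructed instance: node 0 is rarely ON, node 1 is always ON.
RATES = [[10, 1], [5, 4]]      # RATES[j][i] = request rate of node j for object i
P_ON = [0.1, 1.0]

if __name__ == "__main__":
    rows = compare(RATES, capacity=1, p_on=P_ON)
    for row in rows:
        print(row)
    print("mistreated, churn-unaware:", mistreated(rows, "unaware"))
    print("mistreated, churn-aware:  ", mistreated(rows, "aware"))
```

On this instance the churn-unaware round leaves the reliable node 1 paying 14 against 12 in isolation while node 0's cost drops to 1, which is the mistreatment pattern described for the LRF order; the churn-aware round leaves both nodes at their isolation cost.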

6.3 Network coding for security and QoS

In the scope of the CASCADAS project we are interested in identifying new security solutions that meet the requirements and principles defined within the framework of autonomic systems while at the same time guaranteeing the target level of quality of service (QoS). Network coding (NC) [4] is a relatively new technique which allows nodes in a network to process and mix data flows instead of simply relaying them.

NC, with its ability to disguise the origin and content of data, provides a new form of system security beyond encryption by rendering the traffic streams traversing networks much more difficult to decipher. The application of NC for security, however, is not a replacement of other security mechanisms, but it is a complementary strategy that provides additional security features for autonomic communication elements (ACEs) without requiring special processing capabilities. In the following, we give a brief description of some types of attacks, which may take place in a situation where an ACE uses a network to relay secure information to other ACEs, and we show the utility of NC to improve security and robustness:

Message tampering: a malicious node may modify the messages in transit. NC allows receiver nodes to detect any inconsistencies in the received information as long as they obtain at least one unmodified message [39].

Eavesdropping: an adversary may attempt to access the sent information. With NC, information is more spread out and thus more difficult to track [13]. Also, nodes can only decode messages if they have received a sufficient number of flows, which a wiretapper might not be able to do.

Blackhole attack: an attacker can refuse to cooperate with other nodes by dropping received messages instead of relaying them, which can cause denial of service. NC benefits from the inherent redundancy and use of multiple paths to deliver information, which increase the probability of successful delivery.

Given the security gain offered by NC, a natural question that arises is: does this gain result in penalties in terms of QoS, particularly when NC is used in an autonomic environment such as the one proposed by CASCADAS? In this work, we study the trade-offs in NC between QoS and security using a queueing theoretic approach. We derive analytical models that allow us to evaluate the performance of NC with respect to metrics such as delay and throughput.

6.3.1 Synchronous NC

The simplest approach to NC would require that each packet in each flow be encoded with a packet in each of the other flows that pass through that node, with each encoding being carried out in sequence for each flow. The server waits for the arrival of one packet from each class before it can start encoding, and is idle when there is not at least one packet from each class. A related model was studied in [34] for assembly processes, and it was shown that such queueing systems, when the input buffers are infinite, are inherently unstable since the waiting time process cannot converge in distribution to a non-defective limit. Because the exact analysis of a synchronous NC with finite buffers appears to be very difficult, we propose a “decomposition approximation” along the lines of [26,50].

Consider a node which receives $F$ distinct and independent flows of packets with general inter-arrival time distribution $A_i(x) = \mathrm{Prob}[A_i < x]$, which queue up in distinct buffers of finite capacity $B_i$ for $i = 1, \ldots, F$. Assume that packet lengths in each stream are independent, and that they are mutually independent between flows, and with general distribution $S(x) = \mathrm{Prob}[S \le x]$, where $S$ is the random variable representing length. We will assume that the node transmission time is directly proportional to packet length with a constant of proportionality of 1. We suppose that the node encodes the flows together and then forwards one encoded packet for each $F$ packets of the distinct flows. If all the input buffers contain at least one packet, the server will pack the shorter packets with zero-bits to reach the length of the longest packet, and encode the resulting packet bit by bit, so that its length will be equal to the largest of the $F$ packet lengths. The queue length process seen by the $i$-th individual flow includes its own arrival process, and a service time which is proportional to the length of the largest of the $F$ co-encoded packets. If any of the other buffers are empty, the resulting service time will include the effect of the time until the missing packets arrive, followed by the encoding and transmission time.

The decomposition approximation we adopt is as follows. Let $p_{ji}$ be the probability that in steady state the $j$-th queue is empty when a service ends at the designated $i$-th queue. We will assume that the steady-state probability that any subset $Z \subseteq \{1, \ldots, F\}$ of the $F$ queues is empty when a service ends at $i$ is $\prod_{j \in Z} p_{ji} \prod_{k \notin Z} [1 - p_{ki}]$ and therefore that the total equivalent service time $S_i$ observed by the $i$-th queue is the waiting time for packets to arrive to all currently empty queues followed by the maximum of the transmission times for all of the packets:

$$S_i(x) \equiv \mathrm{Prob}[S_i < x] = \sum_{Z:|Z|=n} \prod_{j \in Z} p_{ji} \prod_{k \notin Z} [1 - p_{ki}] \int_0^x f_Z(x - y)\, F\, S(y)^{F-1}\, \frac{dS(y)}{dy} \tag{35}$$

and

$$f_Z(r) = \frac{d}{dr} \prod_{j \in Z} \frac{1}{E[A_j]} \int_0^r [1 - A_j(y)]\, dy \tag{36}$$

To simplify matters, we will also assume that $p_{ji}$ does not depend on $i$, and can obtain $p_j$ from the probability that queue $j$ is empty from the solution of a G/G/1/$B_j$ queue with service time distribution $S_j(x)$ and inter-arrival time distribution $A_j(x)$. We can also use an approximate solution using the diffusion approximation for a finite buffer using the results in [25]. Thus the numerical approach then consists in solving the coupled equations (35) with the appropriate expression for $p_j$.

6.3.2 Asynchronous partial NC

Asynchronous partial coding schemes are NC techniques which opportunistically encode packets from distinct flows with any packets present, except packets belonging to the same flow. Thus after the encoding node forwards a packet, the next packet forwarded will simply be the encoded version of the packets from distinct flows that are present in the queues. If only one of the flows has a packet present, just that unencoded packet will be forwarded, while if all flows have at least one packet present in their queues, then the encoded packet will include the head-of-the-line packet from each of those flows. Again, we will study a queue, say the $j$-th, in isolation from the others and consider that the queues interact with each other via the steady-state probabilities, which in this case we will call $q_j$ for the $j$-th queue, that the $j$-th server does not participate in encoding a packet. In this case this may occur either because that queue is idle, or because the queue is busy but the server is idle because there is another currently ongoing encoding and transmission which started while the $j$-th queue was empty.

To analyse the system we have just described, we propose an approximation based on constructing an “equivalent” G/G/1 model for any of the $F$ individual queues, having the “server with vacations” property [28, 27]. Note that in this case the assumption of finite buffers is not made because (contrary to the synchronous NC coding) the system with infinite buffers is not always unstable. The server with vacation is a queueing system in which, after each service ends, if the queue is empty then the server will “go off” for a vacation time $V$, and the process repeats itself if the server finds the queue empty at the end of the vacation time. Service starts again if at the end of a vacation time there is at least one customer in queue. The assumption is usually that each successive vacation time is an independent and identically distributed random variable.

Let $W$ be the random variable representing the steady-state distribution of the customer waiting time of a server with vacations, for a single server queue with service time $S$ and vacation time $V$, which are mutually independent random variables. We assume that the inter-arrival times of customers to the queue are i.i.d. (but the arrival process need not be Poisson). Let $U$ be the waiting time for exactly the same queue, but without vacations. Then the following equality holds in distribution [27]:

$$W = U + V \tag{37}$$

where $V$ is a random variable whose distribution is given by:

$$\mathrm{Prob}[V \le x] = \frac{1}{E[V]} \int_0^x P[V > y]\, dy \tag{38}$$

Thus (38) allows us to map all properties of interest of a queue with vacations in steady state to those of a system without vacations using the probability distribution of the vacation time $V$. In particular we can see that only $U$ depends on the arrival process, and therefore the stability conditions for the queue with vacations are not affected by the vacation time distribution and are identical to the stability conditions for the corresponding ordinary queue.

We note that if at the end of a service time the $j$-th queue is not empty then the subsequent service time distribution $S_j(x)$ will be obtained from the maximum of the service times for the set of non-empty queues including the $j$-th queue. Let $Z(j) = \{1, \ldots, j-1, j+1, \ldots, F\}$. The resulting approximation for the service time distribution after a departure that does not leave an empty queue at $j$ would be:

$$S_j(x) = S(x) \sum_{Z \subseteq Z(j)} S(x)^{|Z|} \prod_{i \in Z} [1 - q_i] \prod_{i \notin Z} q_i \tag{39}$$

On the other hand, if after its service ends the $i$-th queue is empty, then when the next arrival to that queue occurs, the arriving packet will wait for service until after any currently ongoing service involving other queues ends. Thus after the $i$-th queue becomes empty at the end of a service time, a sequence of service times involving other queues will take place, some of these other services possibly being of zero duration if the other queues are empty. These other service times have a probability distribution similar to $S_j(x)$, except that the $j$-th queue is not involved. We will denote that service time distribution by $V_j(x)$, given by:

$$V_j(x) = \sum_{Z \subseteq Z(j)} S(x)^{|Z|} \prod_{i \in Z} [1 - q_i] \prod_{i \notin Z} q_i \tag{40}$$

We can now use the formula for the probability $q_j$ that the $j$-th queue is empty or that it is busy but that the server is idle due to a vacation time, from the corresponding result for the model with vacations, where $S_j(x)$ and $V_j(x)$ are, respectively, the service time and vacation time distributions.

6.3.3 Performance evaluation

In order to evaluate the efficiency of each proposed coding technique, we compare its performance with a peer non-coding scheme. For fair comparisons, we provide the same per-node buffering capacity, total incoming traffic and message length distribution. We also investigate the quality of the proposed approximations through comparison with discrete event simulation. Figure 34 shows the total delay and loss probability as a function of the input data rate for synchronous coding of two traffic streams. One may observe that NC increases the total delay for transmitting an encoded message, especially when the system is lightly loaded. Figure 35 depicts the total delay for the partial NC scenario under different packet length distributions. The obtained results suggest that this security scenario provides delay performance gains over the non-security scheme.
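The two encoding disciplines of Sections 6.3.1 and 6.3.2 at a single node, as an added example (not code from the deliverable). It assumes XOR as the bit-by-bit encoding operation, one time unit per transmitted byte, and a constructed two-flow arrival trace; the function names are hypothetical.

```python
from collections import deque


def xor_encode(payloads):
    """Zero-pad every payload to the longest one and XOR them byte by byte."""
    coded = bytearray(max(len(p) for p in payloads))
    for p in payloads:
        for k, byte in enumerate(p):
            coded[k] ^= byte
    return bytes(coded)


def xor_decode(coded, known_payloads, length):
    """Recover one payload from a coded packet given every other co-encoded payload."""
    return xor_encode([coded, *known_payloads])[:length]


def run_node(arrivals, synchronous, buffer_size=None):
    """Serve F flows at one encoding node; sending one byte takes one time unit.

    arrivals[f] is a time-sorted list of (arrival_time, payload) for flow f.
    synchronous=True waits for one packet from every flow (Section 6.3.1);
    synchronous=False encodes whatever head-of-line packets are present (6.3.2).
    Returns (transmissions, dropped_packets).
    """
    flows = range(len(arrivals))
    pending = [deque(a) for a in arrivals]
    queues = [deque() for _ in flows]
    sent, dropped, now = [], 0, 0
    while True:
        for f in flows:                      # admit everything that arrived by `now`
            while pending[f] and pending[f][0][0] <= now:
                packet = pending[f].popleft()
                if buffer_size is not None and len(queues[f]) >= buffer_size:
                    dropped += 1             # finite buffer B_f is full
                else:
                    queues[f].append(packet)
        ready = [f for f in flows if queues[f]]
        can_serve = len(ready) == len(arrivals) if synchronous else bool(ready)
        if can_serve:
            heads = {f: queues[f].popleft() for f in ready}
            coded = xor_encode([payload for _, payload in heads.values()])
            end = now + len(coded)           # service time = longest co-encoded packet
            sent.append({"start": now, "end": end, "coded": coded,
                         "flows": tuple(ready),
                         "delays": {f: end - t for f, (t, _) in heads.items()}})
            now = end
        else:
            upcoming = [q[0][0] for q in pending if q]
            if not upcoming:                 # nothing left that could start a service
                return sent, dropped
            now = min(upcoming)


def summarize(sent):
    """Transmission count, mean per-packet delay, and packets forwarded unencoded."""
    delays = [d for tx in sent for d in tx["delays"].values()]
    return {"transmissions": len(sent),
            "mean_delay": sum(delays) / len(delays),
            "unencoded": sum(1 for tx in sent if len(tx["flows"]) == 1)}


# Constructed trace: (arrival_time, payload) per flow.
TRACE = [
    [(0, b"AAAA"), (1, b"BB")],      # flow 0
    [(3, b"xyz"), (12, b"q")],       # flow 1
]

if __name__ == "__main__":
    for name, sync in (("synchronous", True), ("partial", False)):
        sent, dropped = run_node(TRACE, synchronous=sync)
        print(name, summarize(sent), "dropped:", dropped)
```

Every packet the partial-coding node forwards unencoded (two of the four in this trace) is readable on the outgoing link as it stands, so the lower delay of partial coding comes with less mixing than the synchronous discipline provides.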

6.3.4 Findings: self-preservation at low costs

In this work, we overviewed some of the security aspects of NC that can be exploited in the context of autonomic systems. We presented analytical models to study the impact of NC on QoS, and we showed that NC can improve performance provided that it is implemented in a distributed manner. Finally, it should be noted that NC does not present in itself a complete security solution that can replace other security mechanisms. However, NC can improve robustness and performance without requiring additional computational capabilities, which is critical to the design of lightweight ACEs.

Figure 34: Results for synchronous NC with parameters F = 2, B = 15, λ = λ[1 1.3], Erlang-2 processing time distribution, and for an M/E2/1/2B system (no-coding) with arrival rate 2.3λ.

Figure 35: Results for partial coding with (i) constant processing time, F = 3, λ = λ[1 1.5 2], and for an M/D/1 system (no-coding) with input rate 4.5λ; (ii) Erlang-4 processing time, F = 4, λ = λ[1 1.5 2 2.5], and for an M/E4/1 system (no-coding) with input rate 7λ.

7 Future Work

The results presented in this deliverable will be refined so that further solutions can be defined in the future. Specifically, we will continue the definition of new mechanisms to study the evolution of the system when nodes deviate from the protocol in order to analyze how different variants of the same service and ACEs coexist in the system.

In this direction, we will try to analyze how the system copes with different strategies which are based on the reputation value. The use of reputation as a tool for new strategies is effective and it can be applied to foster cooperation in an autonomic system. Thus, reputation can be used to define opportunistic strategies, as the degradation of the system performance is not only due to possible poor transmission quality or lack of resources, but also to the behaviour of the nodes.

Finally, we will continue to deal with the protection of the system from distributed denial of service attacks. Based on the mathematical model herein presented, the objective is to analyze how the system can react to a DDoS attack. The defence mechanisms will be based on ACEs with advanced security functionalities that have been identified in the Security Architecture deployed during the first year of the project. Preliminary results show that the mechanism is able to protect the system from distributed attacks.

8 Conclusions

The CASCADAS system consists of heterogeneous components which might exhibit selfish or malicious behaviour. Indeed, the presence of this type of entity introduces new security issues which must be tackled. In order to protect the system from traditional attacks that undermine the system by exploiting communication vulnerabilities or by improper use of messages and resources, it is mandatory to focus on basic security problems that are common to any communicating system and that range from information security to communication security services.

Autonomic Communication Elements (ACEs) are required for basic operations to realize security services such as confidentiality, integrity, authentication, and non-repudiation; complex services can be defined by the aggregation of these simple components. This function belongs to the second class of components identified in the CASCADAS security architecture.

However, these solutions are not sufficient to protect the system as a whole and new mechanisms based on so-called social control are investigated and proposed in this deliverable. We have analysed the evolution of the system when ACEs can take different strategies and modelled ACEs’ interactions by introducing reputation as a metric to decide upon transactions.

In the second part of the deliverable we have presented a mathematical model to detect and to define defensive mechanisms to thwart denial of service attacks which might reduce the performance of the system or in the worst case partition the system itself. Finally, we have presented self-preservation strategies which have been tested on specific application scenarios.