Security-Aware Scheduling for Real-Time Parallel Applications on Clusters
04/10/23, Department of Computer Science and Software Engineering, Auburn University
Xiao Qin
Clusters
The PrairieFire Cluster at the University of Nebraska-Lincoln
Parallel Applications on Clusters
Security-Sensitive Real-Time Applications
Online Transaction Stock Trading
Common Threats and Security Services
Snooping
Alteration
Spoofing
Confidentiality
Authentication
Integrity
Scheduling Plays a Key Role
Conventional scheduling algorithms are inadequate for security-sensitive real-time applications on clusters
A process of assigning tasks to a set of resources
Head
Nodes
Tasks Users
Motivation
Improve Utilization
Keep Load-Balancing
Support Scalability
Promote Throughput
Enable Security Awareness
Reduce Response Time
Security-Aware System Architecture
OS / Hardware
Platform interface
Middleware Services (including security services)
Low-Level Security Service APIs
User interface
Framework
Mapping to Middleware Services
Framework Private Service
Application Tool
High-Level Security Service APIs
Application Application
Quality of Security Control Manager (QSCM)
Quality of Security Control Manager - QSCM Module
Application Task
Application Task
Application Task
Low Level Security Service APIs
Global Security
Optimization
Local Security
Optimization
Security Optimization
Resource Monitoring
Security Service 1
Security Service n
Local Schedulability
Analyzer
Quality of Security Control Manager
Task Submission Structure
DEFINE Task : flight_control {
    Input = (altitude: 1230, heading: 35, …);
    Output = (takeoff_distance, climb_rate);
    Type = “Real Time”;
    Deadline = 80;
    Completion_Time = 0;
    Owner = “Gary Xie”;
    Cmd = “flight_con”;
    Processor_num = 5;
    Data_secured = 250;
    Constraint
        Arch == “INTEL”; OS == “UNIX”; Disk >= 480;
        Memory >= 128; Deadline = 80;
        0.3 <= Authentication <= 0.6;
        0.4 <= Integrity <= 0.8;
        0.5 <= Confidentiality <= 0.9;
}
Security Overhead Model
Security is achieved at the cost of performance degradation
[Figure: labels P, S, Security Overheads]
Cryptographic Algorithms for Confidentiality Service
Cryptographic Algorithm    Security Level    Performance (KB/ms)
RC4                        0.22              96.43
Blowfish                   0.56              37.5
Khufu/Khafre               0.63              33.75
RC5                        0.72              29.35
Rijndael                   1.00              21.09
Hash Functions for Integrity Service
Hash Function    Security Level    Performance (KB/ms)
MD4              0.18              23.90
MD5              0.26              17.09
RIPEMD           0.36              12.00
RIPEMD-128       0.45              9.73
SHA-1            0.63              6.88
RIPEMD-160       0.77              5.69
Tiger            1.00              4.36
Authentication Methods
Authentication Method    Security Level    Computation Time (ms)
HMAC-MD5                 0.3               90
HMAC-SHA-1               0.6               148
CBC-MAC-AES              0.9               163
System Model
Rejected Queue
Dispatch Queue
Local Queue
N1
N2
Nm
User p
User 2
User 1
Schedule Queue
Admission Controller
Security Level
Optimizer
TAPADS
Parallel Application
A single application (job) that has multiple processes that run concurrently
[Figure: task graph with tasks t1 to t11 and messages e1 to e10]
Task Model
Deadline Constraints
Security Constraints
Precedence Constraints
Directed Acyclic Graphs (DAG)
A parallel application is defined as a vector (T, E, d)
T : {t1, t2, ..., tn}
E : a set of weighted and directed edges used to represent communication among tasks, e.g., (ti, tj) ∈ E is a message transmitted from task ti to tj
d : Deadline
A Task
A task ti = (ei, li, Si)
ei : execution time
li : amount of data to be protected
Si : a vector of security requirements
A DAG
[Figure: the task graph (tasks t1 to t11, messages e1 to e10) annotated with attributes. Task label: 10 Sec., 500 KB, { [0.3,0.6], [0.4,0.8], [0.5,0.9] }. Message label: 10 KB, { [0.4,0.8], [0.5,0.9] }]
Before Security Optimization
[Figure: schedule of tasks t1 to t11 and messages on PE1, PE2, PE3 and two links, time axis 0 to 60, with the slack time before the deadline marked]
After Security Optimization
[Figure: schedule of tasks t1 to t11 and messages on PE1, PE2, PE3 and two links, time axis 0 to 60, with the deadline marked]
Security Requirements for A Task Ti
$S_i = (S_i^1, \ldots, S_i^j, \ldots, S_i^q)$
$S_i^j$: security level range of the $j$th security service for task $T_i$
Example: $S_i^1 = [0.3, 0.6]$, $S_i^2 = [0.4, 0.8]$, $S_i^3 = [0.5, 0.9]$
Security Benefits Gained by Task Ti
$SL(s_i) = \sum_{j=1}^{q} w_i^j s_i^j$, where $s_i = (s_i^1, s_i^2, \ldots, s_i^q)$, $0 \le w_i^j \le 1$ and $\sum_{j=1}^{q} w_i^j = 1$
$w_i^j$: weight of the $j$th security service for task $T_i$
$s_i^j$: security level of the $j$th security service for task $T_i$
Weights of Security Services
Security Benefits Gained by A Task Set
$SL(T) = \sum_{i=1}^{n} SL(s_i)$, where $T$ is the task set and $s_i = (s_i^1, s_i^2, \ldots, s_i^q)$
Optimize Security Benefit of An Application
maximize $SL(T) = \sum_{i=1}^{n} \sum_{k=1}^{q} w_i^k s_i^k$
subject to: $\min(S_i^k) \le s_i^k \le \max(S_i^k)$
where $T$ is the task set and the inner sum is $SL(s_i)$
Security Requirements of Message (ti, tj)
$\hat{S}_{ij} = (\hat{S}_{ij}^1, \hat{S}_{ij}^2, \ldots, \hat{S}_{ij}^p)$ for the message $(t_i, t_j)$ from task $t_i$ to task $t_j$
$\hat{S}_{ij}^p$: the required security level range of the $p$th security service
Security Benefits Gained by One Message (ti, tj)
$SL(\hat{s}_{ij}) = \sum_{k=1}^{p} \hat{w}_{ij}^k \hat{s}_{ij}^k$, where $\hat{s}_{ij} = (\hat{s}_{ij}^1, \hat{s}_{ij}^2, \ldots, \hat{s}_{ij}^p)$, $0 \le \hat{w}_{ij}^k \le 1$ and $\sum_{k=1}^{p} \hat{w}_{ij}^k = 1$
$\hat{s}_{ij}^k$: security level of the $k$th security service
Security Benefits Gained by A Message Set
$SL(E) = \sum_{(t_i, t_j) \in E} SL(\hat{s}_{ij})$, where $\hat{s}_{ij} = (\hat{s}_{ij}^1, \hat{s}_{ij}^2, \ldots, \hat{s}_{ij}^p)$
Optimize Security Benefit of Message Set
maximize $SL(E) = \sum_{(t_i, t_j) \in E} \sum_{k=1}^{p} \hat{w}_{ij}^k \hat{s}_{ij}^k$
subject to $\min(\hat{S}_{ij}^k) \le \hat{s}_{ij}^k \le \max(\hat{S}_{ij}^k)$
where $E$ is the message set and the inner sum is $SL(\hat{s}_{ij})$
Security Benefit of A Parallel Application
$SV = SL(T) + SL(E)$
$SV$: security value; $T$: the task set; $E$: the message set
The TAPADS Task Allocation Algorithm
Compute the critical path: $f = \sum_{t_i \in \text{critical path}} (e_i + c_i^{\min})$
Slack time = d – f
Allocate all ti subject to minimal security requirements
Identify the best candidate in V and E that has the highest benefit-cost ratio
Increase security levels of more important services at the minimal cost
Update the schedule in accordance with the increased security level
Update slack time
Slack time > 0 ? (yes: continue raising security levels; no: End)
Time Complexity of TAPADS
The time complexity of TAPADS is O(k(q|V|+p|E|)), where
k : the number of times Step 7 is repeated
q : the number of security services for computation
p : the number of security services for communication
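The slack-driven loop above, narrowed to a single task, as an added example that is not code from the slides. It assumes each security level is realised by picking one mechanism from the three overhead tables, that authentication cost does not depend on data size, and that the minimal-level overhead is already in the schedule; the function names and the 500 KB sample task are constructed.

```python
# Added illustration, not code from the slides: greedy selection of
# security levels for ONE task, driven by the available slack time.

# (algorithm, security level, throughput in KB/ms) as listed in the slides
CONFIDENTIALITY = [("RC4", 0.22, 96.43), ("Blowfish", 0.56, 37.5),
                   ("Khufu/Khafre", 0.63, 33.75), ("RC5", 0.72, 29.35),
                   ("Rijndael", 1.00, 21.09)]
INTEGRITY = [("MD4", 0.18, 23.90), ("MD5", 0.26, 17.09),
             ("RIPEMD", 0.36, 12.00), ("RIPEMD-128", 0.45, 9.73),
             ("SHA-1", 0.63, 6.88), ("RIPEMD-160", 0.77, 5.69),
             ("Tiger", 1.00, 4.36)]
# (method, security level, fixed computation time in ms) as listed
AUTHENTICATION = [("HMAC-MD5", 0.3, 90.0), ("HMAC-SHA-1", 0.6, 148.0),
                  ("CBC-MAC-AES", 0.9, 163.0)]


def options(service, data_kb, lo, hi):
    """List (name, level, overhead_ms) choices whose level lies in [lo, hi]."""
    if service == "authentication":
        table = list(AUTHENTICATION)  # assumption: cost independent of size
    else:
        rates = CONFIDENTIALITY if service == "confidentiality" else INTEGRITY
        table = [(name, lvl, data_kb / rate) for name, lvl, rate in rates]
    in_range = sorted((o for o in table if lo <= o[1] <= hi),
                      key=lambda o: o[1])
    if not in_range:
        # The requested range cannot be met by any listed mechanism.
        raise ValueError(f"no {service} mechanism with level in [{lo}, {hi}]")
    return in_range


def optimize_task(data_kb, ranges, weights, slack_ms):
    """Spend slack_ms on the upgrades with the best benefit-cost ratio.

    Returns (mechanism chosen per service, SL(s_i), slack left in ms).
    """
    opts = {s: options(s, data_kb, lo, hi) for s, (lo, hi) in ranges.items()}
    idx = {s: 0 for s in opts}  # start every service at its minimal level
    while True:
        best = None
        for s, i in idx.items():
            if i + 1 == len(opts[s]):
                continue  # already at the top of the allowed range
            (_, cur_lvl, cur_ms), (_, nxt_lvl, nxt_ms) = opts[s][i], opts[s][i + 1]
            cost = nxt_ms - cur_ms                    # extra overhead in ms
            gain = weights[s] * (nxt_lvl - cur_lvl)   # increase in SL(s_i)
            ratio = gain / cost if cost > 0 else float("inf")
            if cost <= slack_ms and (best is None or ratio > best[0]):
                best = (ratio, s, cost)
        if best is None:
            break  # no upgrade fits into the remaining slack
        _, s, cost = best
        idx[s] += 1
        slack_ms -= cost
    picks = {s: opts[s][i] for s, i in idx.items()}
    sl = sum(weights[s] * picks[s][1] for s in picks)
    return {s: p[0] for s, p in picks.items()}, sl, slack_ms


# Constructed sample: ranges from the task-graph slide, weights from the
# experimental-parameters slide, 500 KB of data to protect.
RANGES = {"authentication": (0.3, 0.6), "integrity": (0.4, 0.8),
          "confidentiality": (0.5, 0.9)}
WEIGHTS = {"authentication": 0.2, "confidentiality": 0.5, "integrity": 0.3}

if __name__ == "__main__":
    for slack in (0.0, 30.0, 1000.0):
        print(slack, optimize_task(500, RANGES, WEIGHTS, slack))
```

With 30 ms of slack the cheap confidentiality upgrades are taken first, then one integrity upgrade; the 58 ms authentication upgrade never fits.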
Performance Evaluation
LISTMIN: Selects the lowest security level of each security service required by each task and message of a parallel job
LISTMAX: Chooses the highest security level for each security requirement posed by each task and message within a parallel job
LISTRND: Randomly picks a value within the security level range of each service required by a task and a message
Experimental Parameters
Parameter                     Value (Fixed) - (Varied)
CPU Speed                     1000 million instructions/second or MIPS
Network bandwidth             1 Gbps
Task execution time           (min, top, max) = (1, 5, 10), (10, 20, 40), (40, 80, 160), (160, 320, 640) second
Number of nodes               (32, 64, 128, 256), (8, 12, 16, 20)
Deadlines                     (100, 200, 300, 400, 500, 600) second
Deadline ranges               ([100, 200], [200, 300], [300, 400], [400, 500]) second
Out degrees                   (25, 50, 75, 100)
Size of data to be secured    (min, top, max) = (0.02, 0.1, 0.5), (0.2, 1, 5), (1, 5, 10), (10, 20, 30) MB
Weight of security services   0.2 (authentication), 0.5 (encryption), 0.3 (integrity)
Performance Metrics
Security value: $SV = \sum_{i=1}^{n} \sum_{k=1}^{q} w_i^k s_i^k + \sum_{(t_i, t_j) \in E} \sum_{k=1}^{p} \hat{w}_{ij}^k \hat{s}_{ij}^k$
Schedulability: a fraction of total submitted jobs that are schedulable
Quality of security (QSA): quality of security for applications
Guarantee factor: it is zero if a job’s deadline cannot be met. Otherwise, it is one.
Job completion time: earliest time that a job can finish its execution
)()()( XPXPXP LCSC
Experiment One: Overall Performance
One job with 433 tasks
32 nodes in a cluster
Deadline varies from 0 to 600 seconds
Overall Performance Comparisons(1)
Overall Performance Comparisons(2)
Improvement 97.7%
Improvement 25%
Overall Performance Comparisons(3)
Improvement 54.5%
Improvement 25.7%
Experiment Two: Adaptability
1000 diverse task graphs (54 tasks ~ 543 tasks)
4 deadline ranges [100, 200], [200, 300], [300, 400] and [400, 500]
32 nodes clusters
Adaptability(1)
TAPADS ties with LISTMIN
LISTMAX is the worst
Adaptability(2)
TAPADS is always the best
TAPADS outperforms LISTMAX significantly
Adaptability(3)
TAPADS noticeably outperforms all others
Experiment Three: Scalability
32 ~ 256 nodes in a cluster
A task graph with 520 tasks (nodes)
Deadline is set to 400 Seconds
Scalability
Experiment Four: Degree of Task Parallelism
A parallel application with 1074 tasks
Deadline is set to 400 Seconds
Number of nodes is 128
Maximal number of out degree varies from 25 to 100
Sensitivity to Degree of Task Parallelism
Experiment Five: Security Sensitive Data Size
Size of security sensitive data is in a triangle distribution
(min, top, max)=(0.02, 0.1, 0.5), (0.2, 1, 5), (1, 5, 10), (10, 20, 30) MB
Impact of Size of Security Sensitive Data
Evaluation in Digital Signal Processing (1)
(a) Guarantee factor (b) Security value (c) QSA
Performance impact of deadline for DSP
Evaluation in Digital Signal Processing (2)
(a) Security value (b) QSA (c) Job completion time
Performance impact of number of nodes for DSP
Conclusions
TAPADS can generate optimal allocations that maximize quality of security for parallel applications running on clusters.
A security overhead model is proposed.
Experimental results show that TAPADS significantly improves the performance in terms of quality of security and schedulability over three existing allocation schemes.
Ph.D. Dissertation Projects
Mais Nijim [Summer 2007]: Adaptive quality of security control in storage systems.
Ziliang Zong [Ph.D. Candidate, Spring 2008 Expected]: Conserving energy in clusters through resource allocation
Mohammed Alghamdi [Ph.D. Student, Spring 2008 Expected]: Energy-efficient packet transmissions in real-time wireless networks
Kiranmai Bellam [Ph.D. Student, Spring 2009 Expected]: Power, fault tolerance, and security issues in real-time systems
Questions?
Real-Time Stock Quote System
Some Typical Security Levels
Routing + message security
Routing + SSL
Routing + SSL + message security
Routing + SSL + client authentication
Routing + SSL + message security + client authentication
Related Work
[Hou&Shin] A task allocation scheme to schedule periodic tasks with precedence constraints in distributed real-time systems.
[He et al.] Dynamic scheduling of parallel real-time jobs executing on heterogeneous clusters.
[Yurcik et al.] Tools for managing cluster security via process monitoring.
[Azzedin&Maheswaran] The notion of “trust” into resource management of a large-scale wide-area system.
Future Work
Extend our security overhead models to multi-dimensional computing resources
Accommodate more security services into our security overhead model
Apply TAPADS scheme to heterogeneous clusters
Adaptive Quality of Security Control in Storage Systems
Xiao Qin
Outline
Introduction to Storage Systems
Local Disk Systems
Parallel Disk Systems
Security-Aware Cache Partitioning
Conclusion
Publications
Data-Intensive Applications
Video Surveillance Digital Libraries
Radio Astronomy Observatory
Data-Intensive Applications (Cont.)
long running simulations
remote-sensing database systems
biological sequence analysis
Motivation
Existing storage systems fail to meet the security requirements of modern data-intensive applications
There is no way to dynamically choose security services to meet disk requests' flexible security requirements
Existing storage systems are not suitable to guarantee desired response times of disk requests
Topics
Security-Aware Local Disk Systems
Adaptive Quality of Security Control in Parallel Disk Systems
Cache Partitioning Scheme
System model of a Data Grid
Quality of Security Framework for Disk Systems
Security-Aware Local Disk Systems
Contributions
A Security-Aware Adaptive Write Strategy (AWARDS) for Local Disk Systems
AWARDS can achieve high security for local disk systems while making the best effort to guarantee desired response times
AWARDS
Security
Performance
The Architecture of AWARDS
Security Service 1 ... Security Service m
Adaptive Security Service Controller
Disk Request Scheduler
Disk Request
Security Mechanism
Disk Driver
Untrusted Local Disk
Modeling Disk Requests
Each disk request specifies quality of service requirement
A security requirement can be defined as a lower bound security level
The range is between 0.1 and 1.0
A performance requirement is specified as a desired response time
Disk Requests
Modeling Disk Requests (Cont.)
Quality of security for each security service is measured by a security level
For example:
An encryption service with high security level means the high quality of security provided by the service
A disk request specifies a lower bound security level as 0.4
Encryption services with security levels higher than or equal to 0.4 can successfully meet the disk request’s security requirements
Modeling Disk Requests (Cont.)
r = (o, a, d, s, t)
o: type of the request
a: disk address
d: data size (KB)
s: lower security level bound
t: desired response time
Rr
i
i
Security Level
. and ,1: iiiii tsRr
Disk Request
Desired response time
Real response time
Subject to
Maximize
Modeling Disk Requests (Cont.)
Security Overhead Model
Eight encryption algorithms
In accordance with the cryptographic algorithms’ performance
Each cryptographic algorithm is assigned a security level from 0 to 1
e.g., assign security level 1 to the strongest yet slowest encryption algorithm (IDEA)
The AWARDS Strategy
To aim at improving the quality of security for local disks (i.e., to increase the security levels)
To guarantee timing constraints (i.e., response time ≤ desired response time)
Example
Request    Data Size (di)    Minimal Security Level (si)    Desired Response Time (ti)    Response Time (T) under AWARDS    Security Level under AWARDS
r1         90 KB             0.2                            18 ms                         17.7 ms                           0.8
r2         150 KB            0.1                            41 ms                         40.7 ms                           0.7
r3         30 KB             0.3                            55 ms                         54.5 ms                           0.9
[Figure: two timelines of r1, r2, r3. Labels: Sl = 0.1, Sl = 0.3, Sl = 0.2; SO = 0.93 ms, SO = 0.89 ms, SO = 0.8 ms; Security level of r1 = 0.8, Response time = 17.7 ms; Security level of r1 = 0.7, Response time = 40.7 ms; Security level of r1 = 0.9, Response time = 54.5 ms]
The AWARDS Algorithm
Start
Insert ri into Q
For each ri in Q
Initialize Security Level
Sl < 1.0
For each ri in the Q
Sl = Sl + 0.1
For each rk
rk can’t finish
Sl = Sl - 0.1
Yes
Yes
No
END
No
END
Property of AWARDS
If the security level of ri is increased by 0.1, the following conditions must hold.
1. The current security level of ri is less than 1.0, i.e., i < 0.1
2.
.),()es(:, kkkkikk trTrttQr
Start time processing time
Estimated Start Time (es)
lll ttQr
llk rTr,
),,()es(
),()()(),( iisecuritydisk
iirotiseekii dT
B
daTaTrT
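One reading of the AWARDS flowchart and its property check, as an added example that is not code from the slides. It assumes the queue is served serially in the given order with all requests arriving at time 0, and a constructed linear security overhead (`ASSUMED_MS_PER_KB`), because the slides give no overhead table for the eight encryption algorithms; disk constants and the three sample requests come from the slides, so the resulting levels differ from the slide's Example.

```python
# Added illustration, not code from the slides: raise each request's
# security level in 0.1 steps while every later request still meets its
# desired response time.
from dataclasses import dataclass

T_SEEK_MS = 7.18           # seek time, from the disk-parameter slide
T_ROT_MS = 4.02            # rotational time, from the same slide
B_DISK_KB_PER_MS = 30.0    # 30 MB/s taken as 30 KB/ms
ASSUMED_MS_PER_KB = 0.05   # constructed: overhead per KB at level 1.0


@dataclass
class Request:
    name: str
    data_kb: float
    min_tenths: int      # lower security level bound s, in tenths (2 = 0.2)
    desired_ms: float    # desired response time t


def service_ms(req, tenths):
    """Seek + rotation + transfer + security overhead for one request."""
    disk = T_SEEK_MS + T_ROT_MS + req.data_kb / B_DISK_KB_PER_MS
    security = ASSUMED_MS_PER_KB * req.data_kb * tenths / 10
    return disk + security


def finish_times(queue, levels):
    """Completion time of each request when the queue is served in order."""
    clock, times = 0.0, []
    for req, tenths in zip(queue, levels):
        clock += service_ms(req, tenths)
        times.append(clock)
    return times


def on_time_from(queue, levels, start):
    """True if request `start` and all requests behind it finish in time."""
    times = finish_times(queue, levels)
    return all(times[k] <= queue[k].desired_ms
               for k in range(start, len(queue)))


def awards(queue):
    """Return (security levels, finish times) after the greedy raise."""
    levels = [r.min_tenths for r in queue]   # initialise at the lower bound
    for i in range(len(queue)):
        while levels[i] < 10:                # condition 1: level below 1.0
            levels[i] += 1                   # tentative +0.1
            if not on_time_from(queue, levels, i):
                levels[i] -= 1               # condition 2 failed: undo
                break
    return [t / 10 for t in levels], finish_times(queue, levels)


# Requests from the Example slide (data size, minimal level, desired time).
SAMPLE_QUEUE = [Request("r1", 90, 2, 18.0),
                Request("r2", 150, 1, 41.0),
                Request("r3", 30, 3, 55.0)]

if __name__ == "__main__":
    print(awards(SAMPLE_QUEUE))
```

Levels are held as integer tenths so that repeated 0.1 steps do not accumulate floating-point error at the 1.0 bound.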
Experimental Result
Disk Parameters             IBM Ultrastar 36Z15
Size                        18.4 GB
RPM                         15000
Seek Time, Tseek            7.18 ms
Rotational Time, Trot       4.02 ms
Disk Bandwidth, Bdisk       30 MB/Sec.
Experimental Result
Workload Configurations
Parameter                Value (Fixed) - (Varied)
Disk Bandwidth           30 MB/Sec.
Request Arrival Rate     (0.1, 0.2, 0.3, 0.4, 0.5) No./Sec.
Desired Response Time    10 Sec.
Security Level           (0.5) - (0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9)
Write Ratio              (100%) - (0%, 10%, 20%, 30%, … 100%)
Data Size                (500 KB) - (300, 400, 500, 600, 700) KB
Performance Metrics
Satisfied ratio: a fraction of total arrived disk requests that are found to be finished before their desired response times
Average security level: measured by the average value of security levels of all disk requests issued
Average security overhead: measured in sec.
Overall performance: product of satisfied ratio and the average security level
Impact of Arrival Rate
Improvement 138.2%
Improvement 125.6%
Impact of Data Size
Impact of Disk Bandwidth
Sparse Cholesky
Desired response time
Lu Decomposition
Desired response time
Sparse Cholesky
Bandwidth
Lu Decomposition
Bandwidth
Adaptive Quality of Security Control in Parallel Disk Systems
Parallel Disk Systems
Motivation
Existing parallel disk systems lack the means to adaptively control quality of security for dynamically changing workloads
To develop an adaptive quality of security control scheme for parallel disk systems (ASPAD)
Contributions
ASPAD aims to adapt to changing security requirements and workload conditions
ASPAD endeavors to determine security services for disk requests while guaranteeing the desired response time for the requests
ASPAD
Security
Performance
The ASPAD Framework
Clients
Disk Requests
Network
Parallel Disk System
Security Service Middleware
Security Service 1, Security Service 2, ..., Security Service q
Adaptive Security Quality Controller
Response Time Estimator
Data Partitioning mechanism
Disk 1, Disk 2, ..., Disk m
Quality of Security
The quality of security for each security service is measured by security level.
0.1 to 1.0
The quality of security can be quantitatively measured using seven levels
Extremely high, very high, high, medium, low, very low, and no security protection
Translation mechanism is implemented to make the conversions
Modeling Quality of Security
ip
jijirS
1
)( Security level of the jth stripe
unit of ri
mps iiij and
Parallelism degree
No. of disks
Modeling Quality of Security (Cont.)
$R = \{r_1, r_2, \ldots, r_n\}$
$S(R) = \sum_{i=1}^{n} S(r_i)$
Optimize Quality of Security
To maximize security benefit of the parallel disk system
Maximize
n
i
p
jij
i
RS1 1
Subject to
a) ,max:11
ipj
ij tnii
b) mps iiij and
Where θij : the response time of jth strip unit of request ri
Optimize Quality of Security (Cont.)
The response time of all stripe units in request ri must be smaller than the desired response time
The parallelism degree of ri ≤ number of disks in the system
The ASPAD Framework
Data Partitioning
Response time estimator
Adaptive Quality of Security Controller
Adaptive control
Data Partitioning
Determine the optimal parallelism degree for disk request
Reduces the response time of the disk request to increase the security level
Dynamically calculate the optimal parallelism degree of the request
Data Partitioning (cont.)
Expected disk service time
$E[T_{disk}(d_i, p_i)] = E[T_{seek}(p_i)] + E[T_{rot}(p_i)] + E[T_{trans}(d_i, p_i)]$
Where $E[T_{seek}(p_i)]$, $E[T_{rot}(p_i)]$, and $E[T_{trans}(d_i, p_i)]$ are the expected values of seek time, rotational time, and transfer time
Data Partitioning (cont.) Scheuermann et al., VLDB98
fpbaeCpTE iiseek )ln(1)(
Where C: number of cylinders on disk
a, b : two disk type independent constants
e, f : disk type dependent constants
Data Partitioning (cont.)
The expected value of rotation time
$E[T_{rot}(p_i)] = \frac{p_i}{p_i + 1} T_{ROT}$
The expected transfer time
$E[T_{trans}(d_i, p_i)] = \frac{d_i}{p_i} \cdot \frac{1}{B_{disk}}$
Data Partitioning (cont.) Scheuermann et al., VLDB98
Expected disk service time
Parallelism degree
.1
1)ln(1),(
diski
iROT
i
iiiidisk Bp
dT
p
pfpbaeCpdTE
.0
1
)1(1
),(22
diski
i
ii
ROTi
i
ROT
i
iidisk
Bp
d
p
eCb
p
Tp
p
T
pdE
pdTdE
The optimal parallelism degree is given by min(pi,m)
Estimate Response Time
Estimate the maximum response time of a disk request
Response time is the interval between the time a request is sent by a client and the time the parallel disk system completes the disk I/O operation
Estimate Response Time (cont.)
The response time of a disk request is:
),,(max),,(1
iiproc
p
ipartitionqueue prTTTprT
p : is the parallelism degree
: request vector of security level for p stripes unit
Tqueue : queuing delay at the client side
Tpartition : time spent in data partition
: system processing delay
),,,( 21 p
iprocT
The ASPAD Algorithm
[Flowchart, with side labels "Phase 1. Data Partitioning" and "Phase 2. Response time"]
Start
Insert r into Q
For each r in Q
Calculate pi of ri
Partition ri into pi stripe units
For each stripe unit
Initialize SL
Estimate response time
While SL < 1.0 and est. < desired (Y): SL = SL + 0.1, then estimate response time
N: if EST > des. (Y), decrease SL
Apply the security service with level ij to the jth stripe unit
END
Property of ASPAD
With respect to the ith request, the following two conditions must hold if the jth stripe unit’s security level is increased by 0.1:
1. The current security level ij is less than 1.0;
2. , where Tj is the response time of the jth
stripe unit, ti is the desired response time of the request,
and . iiiij tprT ),,(
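The ASPAD loop and the two conditions above, as an added Python sketch that is not from the original slides. The processing-time model (transfer time plus an overhead linear in the security level), the constants, the per-disk bandwidths and the starting level of 0.1 are assumptions; the parallelism degree is taken as an input and capped at the number of disks.

```python
from dataclasses import dataclass

@dataclass
class Request:
    size_kb: float            # d_i: data size of the request
    parallelism: int          # p_i: parallelism degree from data partitioning
    deadline_ms: float        # t_i: desired response time
    t_queue_ms: float = 0.0   # T_queue: queuing delay at the client side

T_PARTITION_MS = 0.5   # assumed constant partitioning time
SEC_MS_PER_KB = 0.2    # assumed security overhead per KB at level 1.0

def proc_ms(stripe_kb, tenths, bw_kb_per_ms):
    # Assumed T_proc: transfer time plus overhead linear in the security level.
    return stripe_kb / bw_kb_per_ms + SEC_MS_PER_KB * (tenths / 10) * stripe_kb

def response_ms(req, tenths, bw):
    # T = T_queue + T_partition + max over stripe units of T_proc
    stripe_kb = req.size_kb / len(tenths)
    slowest = max(proc_ms(stripe_kb, s, b) for s, b in zip(tenths, bw))
    return req.t_queue_ms + T_PARTITION_MS + slowest

def aspad(req, disk_bw):
    """Return (security level per stripe unit, estimated response time)."""
    p = min(req.parallelism, len(disk_bw))   # parallelism degree <= number of disks
    bw = disk_bw[:p]
    tenths = [1] * p   # levels kept as integer tenths (1 == 0.1) to avoid float drift
    for j in range(p):
        # Condition 1: level below 1.0. Condition 2: estimate under t_i.
        while tenths[j] < 10 and response_ms(req, tenths, bw) < req.deadline_ms:
            tenths[j] += 1
        # The last increment may overshoot the deadline: step back once.
        if response_ms(req, tenths, bw) > req.deadline_ms and tenths[j] > 1:
            tenths[j] -= 1
    return [t / 10 for t in tenths], response_ms(req, tenths, bw)

if __name__ == "__main__":
    # Constructed input: a 90 KB request, three disks of 30, 15 and 10 KB/ms.
    print(aspad(Request(90, 3, 6.0), [30.0, 15.0, 10.0]))
```

When even the lowest level misses the deadline, the function returns all stripe units at 0.1 together with an estimate above `deadline_ms`, so the caller can see that the request is infeasible under this model.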
Experimental Results
a) data size is 100KB and P = 3
Impact of Arrival Rate
a) data size is 100KB and P = 3
ASPAD is always the best
Impact of Parallelism Degree
The impact of the parallelism degree when arrival rate = 0.5 No./sec.
ASPAD noticeably outperforms the other
Add more slides for results!!!
A Caching Strategy to Improve Security of Cluster Storage Systems
[Diagram: A Cluster Storage System; Clients; Network; Disk Request; Security Service 1, ..., Security Service m; Adaptive Security Service Controller; Security-aware cache management mechanism; Cache (Volatile/Non-volatile memory); Disk 1, Disk 2, ..., Disk n]
Cache Partitioning
The entire cache of the cluster storage system is divided into separate partitions, one for each disk, by a security-aware cache partitioning mechanism.
Each cache partition for a disk is managed separately using the conventional LRU replacement algorithm.
$S(r_i, P_d) = \sum_{j=1}^{p_i} SL(r_{ij}, P_d)$
$p_i \le m, \; P_d \le P$
P is the total cache size
P_d is the partition size of the dth disk
Conclusion
AWARDS and ASPAD maximize the quality of security for local and parallel disk systems
Experimental results show that AWARDS and ASPAD significantly increase the security level as well as the overall performance over an existing algorithm
A security-aware cache management mechanism (CaPaS) for cluster storage systems. CaPaS can achieve high security and desired performance for clusters.
Future Work
Security-Aware Load Balancing
Energy-Efficient Mobile Storage Systems
Journal Publications
StReD: A Quality of Security Framework for Storage Resources in Data Grids. M. Nijim, Z.-L. Zong, and X. Qin, Future Generation Computer Systems: The Int'l Journal of Grid Computing, 2007. (Forthcoming)
Modeling and Improving Security of a Local Disk System for Write-Intensive Workloads. M. Nijim, X. Qin, and T. Xie, ACM Transactions on Storage, vol. 2, no. 4, pp. 400-423, Nov. 2006.
Performance Analysis of an Admission Controller for CPU- and I/O-Intensive Applications in Self-Managing Computer Systems. M. Nijim, T. Xie, and X. Qin, ACM Operating Systems Review, vol. 39, no. 4, pp. 37-45, October 2005.
Energy-Efficient Scheduling for Parallel Applications on Mobile Clusters. Z.-L. Zong, M. Nijim, and X. Qin, Cluster Computing: The Journal of Networks, Software Tools and Applications, 2007. (In press)
Selected Conference Publications
Awards: An Adaptive Write Scheme for Secure Local Disk Systems. M. Nijim, X. Qin, T. Xie, and M. Alghamdi, Proc. 25th IEEE Int'l Performance Computing and Communications Conference (IPCCC), April 2006. (Acceptance rate 30%)
Integrating a Performance Model in Self-Managing Computer Systems under Mixed Workload Conditions. M. Nijim, T. Xie, and X. Qin, Proc. IEEE Int'l Conf. Information Reuse and Integration, Aug. 2005.
An Adaptive Strategy for Secure Distributed Disk Systems. M. Nijim, T. Xie, Z.-L. Zong, and X. Qin, NASA/IEEE Conference on Mass Storage Systems and Technologies, WIP Session, May 2006.
Sharp: A New Real-Time Scheduling Algorithm to Improve Security of Parallel Applications on Heterogeneous Clusters. T. Xie, X. Qin, and M. Nijim, Proc. 25th IEEE Int'l Performance Computing and Communications Conference (IPCCC), April 2006. (Acceptance rate 30%)
Solving Energy-Latency Dilemma: Task Allocation for Parallel Applications in Heterogeneous Embedded Systems. T. Xie, X. Qin, and M. Nijim, Proc. 35th International Conference on Parallel Processing (ICPP), Columbus, Ohio, Aug. 2006. (Acceptance rate 28%)
Adaptive Quality of Security Control in Networked Parallel Disk Systems. M. Nijim, X. Qin, and T. Xie, Proc. 15th Int'l Conference on Computer Communications and Networks (ICCCN), Oct. 2006. (Acceptance rate 29%)
Questions?
AWARDS Complexity
The complexity of AWARDS is O(n^2)
Proof: To increase the security level of the request, it takes O(n).
There are O(n) write requests
Download the presentation slides: http://www.slideshare.net/xqin74
Google: slideshare Xiao Qin
Complexity of ASPAD
The time complexity is O(n^2 p)
P: the maximum parallelism degree
n: the number of disk requests