
(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 9, September 2010


Shadow Honeypots

Kostas G. Anagnostakis1, Stelios Sidiroglou2, Periklis Akritidis1,3, Michalis Polychronakis4, Angelos D. Keromytis4, Evangelos P. Markatos5

1 Niometrics R&D, Singapore

[email protected] 2 Computer Science and Artificial Intelligence Laboratory, MIT, USA

[email protected] 3 University of Cambridge, UK

[email protected] 4 Department of Computer Science, Columbia University, USA

{mikepo, angelos}@cs.columbia.edu 5 Institute of Computer Science, Foundation for Research & Technology – Hellas, Greece

[email protected]

Abstract: We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network or service. Traffic that is considered anomalous is processed by a “shadow honeypot” to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular (“production”) instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false-positives.

Keywords: honeypots, anomaly detection

1. Introduction

Due to the increasing level of malicious activity seen on today’s Internet, organizations are beginning to deploy mechanisms for detecting and responding to new attacks or suspicious activity, called Intrusion Prevention Systems (IPS). Since current IPSes use rule-based intrusion detection systems (IDS) such as Snort [1] to detect attacks, they are limited to protecting, for the most part, against already known attacks. As a result, new detection mechanisms are being developed for use in more powerful reactive-defense systems. The two primary such mechanisms are honeypots [2], [3], [4], [5], [6], [7] and anomaly detection systems (ADS) [8], [9], [10], [11], [12], [13]. In contrast with IDSes, honeypots and ADSes offer the possibility of detecting (and thus responding to) previously unknown attacks, also referred to as zero-day attacks.

Honeypots and anomaly detection systems offer different tradeoffs between accuracy and scope of attacks that can be detected, as shown in Figure 1. Honeypots can be heavily instrumented to accurately detect attacks, but depend on an attacker attempting to exploit a vulnerability against them. This makes them good for detecting scanning worms [14], [15], [3], but ineffective against manual directed attacks or topological and hit-list worms [16], [17]. Furthermore, honeypots can typically only be used for server-type applications. Anomaly detection systems can theoretically detect both types of attacks, but are usually much less accurate. Most such systems offer a tradeoff between false positive (FP) and false negative (FN) rates. For example, it is often possible to tune the system to detect more potential attacks, at an increased risk of misclassifying legitimate traffic (low FN, high FP); alternatively, it is possible to make an anomaly detection system more insensitive to attacks, at the risk of missing some real attacks (high FN, low FP). Because an ADS-based IPS can adversely affect legitimate traffic (e.g., drop a legitimate request), system designers often tune the system for low false positive rates, potentially misclassifying attacks as legitimate traffic.

We propose a novel hybrid approach that combines the best features of honeypots and anomaly detection, named Shadow Honeypots. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network. Traffic that is considered anomalous is processed by a shadow honeypot. The shadow version is an instance of the protected application (e.g., a web server or client) that shares all internal state with a “normal” instance of the application, but is instrumented to detect potential attacks. Attacks against the shadow honeypot are caught and any incurred state changes are discarded. Legitimate traffic that was misclassified by the anomaly detector will be validated by the shadow honeypot and will be transparently handled correctly by the system (i.e., an HTTP request that was mistakenly flagged as suspicious will be served correctly). Our approach offers several advantages over stand-alone ADSes or honeypots:

• First, it allows system designers to tune the anomaly detection system for low false negative rates, minimizing the risk of misclassifying a real attack as legitimate traffic, since any false positives will be weeded out by the shadow honeypot.

• Second, and in contrast to typical honeypots, our approach can defend against attacks that are tailored against a specific site with a particular internal state. Honeypots may be blind to such attacks, since they are not typically mirror images of the protected application.

• Third, shadow honeypots can also be instantiated in a form that is particularly well-suited for protecting against client-side attacks, such as those directed against web browsers and P2P file-sharing clients.

• Finally, our system architecture facilitates easy integration of additional detection mechanisms.

Figure 1. A simple classification of honeypots and anomaly detection systems, based on attack detection accuracy and scope of detected attacks. Targeted attacks may use lists of known (potentially) vulnerable servers, while scan-based attacks will target any system that is believed to run a vulnerable service. AD systems can detect both types of attacks, but with lower accuracy than a specially instrumented system (honeypot). However, honeypots are blind to targeted attacks, and may not see a scanning attack until after it has succeeded against the real server.

We apply the concept of shadow honeypots to a proof-of-concept implementation tailored against memory violation attacks. Specifically, we developed a tool that allows for automatic transformation of existing code into its “shadow version.” The resulting code allows for traffic handling to happen through the regular or shadow version of the application, contingent on input derived from an array of anomaly detection sensors. When an attack is detected by the shadow version of the code, state changes effected by the malicious request are rolled back. Legitimate traffic handled by the shadow is processed successfully, albeit at higher latency. Note that the shadow may be an entirely separate process, possibly running on a different machine (loose coupling), or it may be a different thread running in the same address space (tight coupling). These two approaches reflect different tradeoffs in state-sharing overhead, ease of deployment, and transparency to the user.

In addition to the server-side scenario, we also investigate a client-targeting attack-detection scenario, unique to shadow honeypots, where we apply the detection heuristics to content retrieved by protected clients and feed any positives to shadow honeypots for further analysis. Unlike traditional honeypots, which are idle whilst waiting for active attackers to probe them, this scenario enables the detection of passive attacks, where the attacker lures a victim user to download malicious data. We use the recent libpng vulnerability of Mozilla [18] (which is similar to the buffer overflow vulnerability in Internet Explorer’s JPEG-handling logic) to demonstrate the ability of our system to protect client-side applications.

Our shadow honeypot prototype consists of several components. At the front-end of our system, we use a high-performance intrusion-prevention system based on the Intel IXP network processor and a set of modified Snort sensors running on normal PCs. The network processor is used as a smart load-balancer, distributing the workload to the sensors. The sensors are responsible for testing the traffic against a variety of anomaly detection heuristics, and coordinating with the IXP to tag traffic that needs to be inspected by shadow honeypots. This design leads to the scalability needed in high-end environments such as web server farms, as only a fraction of the servers need to incur the penalty of providing shadow honeypot functionality.

In our implementation, we have used a variety of anomaly detection techniques, including Abstract Payload Execution (APE) [10], the Earlybird algorithm [19], and network-level emulation [13]. The feasibility of our approach is demonstrated by examining both false-positive and true attack scenarios. We show that our system has the capacity to process all false positives generated by APE and EarlyBird and successfully detect attacks. Furthermore, it enhances the robustness of network-level emulation against advanced evasion attacks. We also show that when the anomaly detection techniques are tuned to increase detection accuracy, the resulting additional false positives are still within the processing budget of our system. More specifically, our benchmarks show that although instrumentation is expensive (20-50% overhead), the shadow version of the Apache Web server can process around 1300 requests per second, while the shadow version of the Mozilla Firefox client can process between 1 and 4 requests per second. At the same time, the front-end and anomaly detection algorithms can process a fully-loaded Gbit/s link, producing 0.3 to 0.5 false positives per minute when tuned for high sensitivity, which is well within the processing budget of our shadow honeypot implementation.

The remainder of this paper is organized as follows. Section 2 discusses the shadow honeypot architecture in greater detail. We describe our implementation in Section 3, and our experimental and performance results in Section 4. Some of the limitations of our approach are briefly discussed in Section 5. We give an overview of related work in Section 6, and conclude the paper with a summary of our work and plans for future work in Section 7.

2. Architecture

The Shadow Honeypot architecture is a systems approach to handling network-based attacks, combining filtering, anomaly detection systems, and honeypots in a way that exploits the best features of these mechanisms, while shielding their limitations. We focus on transactional applications, i.e., those that handle a series of discrete requests. Our architecture is not limited to server applications, but can be used for client-side applications such as web browsers and P2P clients. As shown in Figure 2, the architecture is composed of three main components: a filtering engine, an array of anomaly detection sensors, and the shadow honeypot, which validates the predictions of the anomaly detectors. The processing logic of the system is shown in Figure 3.

Figure 2. Shadow Honeypot architecture.

The filtering component blocks known attacks. Such filtering is done based either on payload content [20], [21] or on the source of the attack, if it can be identified with reasonable confidence (e.g., confirmed traffic bi-directionality). Effectively, the filtering component short-circuits the detection heuristics or shadow testing results by immediately dropping specific types of requests before any further processing is done.

Traffic passing the first stage is processed by one or more anomaly detectors. There are several types of anomaly detectors that may be used in our system, including payload analysis [9], [19], [22], [10], [13] and network behavior [23], [24]. Although we do not impose any particular requirements on the AD component of our system, it is preferable to tune such detectors towards high sensitivity (at the cost of increased false positives). The anomaly detectors, in turn, signal to the protected application whether a request is potentially dangerous.

Depending on this prediction by the anomaly detectors, the system invokes either the regular instance of the application or its shadow. The shadow is an instrumented instance of the application that can detect specific types of failures and roll back any state changes to a known (or presumed) good state, e.g., before the malicious request was processed. Because the shadow is (or should be) invoked relatively infrequently, we can employ computationally expensive instrumentation to detect attacks. The shadow and the regular application fully share state to avoid attacks that exploit differences between the two; we assume that an attacker can only interact with the application through the filtering and AD stages, i.e., there are no side-channels. The level of instrumentation used in the shadow depends on the amount of latency we are willing to impose on suspicious traffic (whether truly malicious or misclassified legitimate traffic). In our implementation, described in Section 3, we focus on memory-violation attacks, but any attack that can be determined algorithmically can be detected and recovered from, at the cost of increased complexity and potentially higher latency.

Figure 3. System workflow.

If the shadow detects an actual attack, we notify the filtering component to block further attacks. If no attack is detected, we update the prediction models used by the anomaly detectors. Thus, our system could in fact self-train and fine-tune itself using verifiably bad traffic and known mis-predictions, but this aspect of the approach is outside the scope of this paper.
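
As an illustration of this workflow (Figure 3 plus the feedback step just described), the following C sketch shows the per-request decision logic. All type and function names here are placeholders introduced for illustration; they are not part of the actual implementation.

    /* Illustrative sketch of the per-request processing logic; every name
       below is a placeholder, not the actual implementation. */
    typedef struct request request_t;

    extern int  filter_matches(const request_t *req);      /* stage 1: known-attack filter */
    extern int  ad_flags_anomalous(const request_t *req);  /* stage 2: anomaly detectors */
    extern void drop_request(request_t *req);
    extern int  handle_on_shadow(request_t *req);          /* returns 1 if an attack was caught */
    extern void handle_on_production(request_t *req);
    extern void update_filter(const request_t *req);       /* block future instances */
    extern void update_ad_models(const request_t *req);    /* learn from the false positive */

    void process_request(request_t *req)
    {
        if (filter_matches(req)) {           /* known attack: short-circuit and drop */
            drop_request(req);
            return;
        }
        if (ad_flags_anomalous(req)) {       /* suspicious: divert to the shadow */
            if (handle_on_shadow(req))       /* attack verified, state already rolled back */
                update_filter(req);
            else                             /* misclassified legitimate request, served correctly */
                update_ad_models(req);
        } else {
            handle_on_production(req);       /* regular instance */
        }
    }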

As we mentioned above, shadow honeypots can be integrated with servers as well as clients. In this paper, we consider tight coupling with both server and client applications, where the shadow resides in the same address space as the protected application.

• Tightly coupled with server. This is the most practical scenario, in which we protect a server by diverting suspicious requests to its shadow. The application and the honeypot are tightly coupled, mirroring functionality and state. We have implemented this configuration with the Apache web server, described in Section 3.

• Tightly coupled with client. Unlike traditional honeypots, which remain idle while waiting for active attacks, this scenario targets passive attacks, where the attacker lures a victim user to download data containing an attack, as with the recent buffer overflow vulnerability in Internet Explorer’s JPEG handling [25]. In this scenario, the context of an attack is an important consideration in replaying the attack in the shadow. It may range from data contained in a single packet to an entire flow, or even set of flows. Alternatively, it may be defined at the application layer. For our testing scenario using HTTP, the request/response pair is a convenient context.

Tight coupling assumes that the application can be modified. The advantage of this configuration is that attacks that exploit differences in the state of the shadow vs. the application itself become impossible. However, it is also possible to deploy shadow honeypots in a loosely coupled configuration, where the shadow resides on a different system and does not share state with the protected application. The advantage of this configuration is that management of the shadows can be “outsourced” to a third entity.

Note that the filtering and anomaly detection components can also be tightly coupled with the protected application, or may be centralized at a natural aggregation point in the network topology (e.g., at the firewall).

Finally, it is worth considering how our system would behave against different types of attacks. For most attacks we have seen thus far, once the AD component has identified an anomaly and the shadow has validated it, the filtering component will block all future instances of it from getting to the application. However, we cannot depend on the filtering component to prevent polymorphic or metamorphic [26] attacks. For low-volume events, the cost of invoking the shadow for each attack may be acceptable. For high-volume events, such as a Slammer-like outbreak, the system will detect a large number of correct AD predictions (verified by the shadow) in a short period of time; should a configurable threshold be exceeded, the system can enable filtering at the second stage, based on the unverified verdict of the anomaly detectors. Although this will cause some legitimate requests to be dropped, this could be acceptable for the duration of the incident. Once the number of (perceived) attacks seen by the ADS drops below a threshold, the system can revert to normal operation.
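
One way this threshold logic could be realized is sketched below; the window bookkeeping, threshold values, and helper names are assumptions made purely for illustration, not taken from the actual system.

    /* Illustrative sketch of the high-volume fallback; thresholds and helper
       names are assumptions, not the actual implementation. */
    #define OUTBREAK_THRESHOLD 100u   /* shadow-verified attacks per window that trigger AD-only filtering */
    #define CALM_THRESHOLD      10u   /* perceived attacks per window below which we revert */

    extern void enable_unverified_ad_filtering(void);   /* second-stage filtering on the AD verdict alone */
    extern void disable_unverified_ad_filtering(void);  /* back to shadow-verified operation */

    static unsigned verified_attacks_in_window;

    void on_shadow_verified_attack(void)
    {
        if (++verified_attacks_in_window > OUTBREAK_THRESHOLD)
            enable_unverified_ad_filtering();
    }

    void on_window_end(unsigned perceived_attacks_seen_by_ads)
    {
        if (perceived_attacks_seen_by_ads < CALM_THRESHOLD)
            disable_unverified_ad_filtering();
        verified_attacks_in_window = 0;
    }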

3. Implementation

3.3 Filtering and Anomaly Detection

During the composition of our system, we were faced with numerous design issues with respect to performance and extensibility. When considering the deployment of the shadow honeypot architecture in a high-performance environment, such as a Web server farm, where speeds of at least 1 Gbit/s are common and we cannot afford to misclassify traffic, the choice of off-the-shelf components becomes very limited. To the best of our knowledge, current solutions, both standalone PCs and network-processor-based network intrusion detection systems (NIDSes), are well under the 1 Gbit/s mark [27], [28].

Faced with these limitations, we considered a distributed design, similar in principle to [29], [30]: we use a network processor (NP) as a scalable, custom load balancer, and implement all detection heuristics on an array of (modified) Snort sensors running on standard PCs that are connected to the network processor board. We chose not to implement any of the detection heuristics on the NP for two reasons. First, currently available NPs are designed primarily for simple forwarding and lack the processing capacity required for speeds in excess of 1 Gbit/s. Second, they remain harder to program and debug than standard general purpose processors. For our implementation, we used the IXP1200 network processor. A high-level view of our implementation is shown in Figure 4.

Figure 4. High-level diagram of prototype shadow honeypot implementation.

A primary function of the anomaly detection sensor is the ability to divert potentially malicious requests to the shadow honeypot. For web servers in particular, a reasonable definition of the attack context is the HTTP request. For this purpose, the sensor must construct a request, run the detection heuristics, and forward the request depending on the outcome. This processing must be performed at the HTTP level; thus, an HTTP proxy-like function is needed. We implemented the anomaly detection sensors for the tightly-coupled shadow server case by augmenting an HTTP proxy with the ability to apply the APE detection heuristic on incoming requests and route them according to its outcome.

For the shadow client scenario, we use an alternative solution based on passive monitoring. Employing the proxy approach in this situation would be prohibitively expensive, in terms of latency, since we only require detection capabilities. For this scenario, we reconstruct the TCP streams of HTTP connections and decode the HTTP protocol to extract suspicious objects.

As part of our proof-of-concept implementation we have used three anomaly detection heuristics: payload sifting, abstract payload execution, and network-level emulation. Payload sifting as developed in [19] derives fingerprints of rapidly spreading worms by identifying popular substrings in network traffic. It is a prime example of an anomaly-detection-based system that is able to detect novel attacks at the expense of false positives. However, if used in isolation (e.g., outside our shadow honeypot environment) by the time it has reliably detected a worm epidemic, it is very likely that many systems would have already been compromised. This may reduce its usage potential in the tightly-coupled server protection scenario without external help. Nevertheless, if fingerprints generated by a distributed payload sifting system are disseminated to interested parties that run shadow honeypots locally, matching traffic against such fingerprints can be of use as a detection heuristic in the shadow honeypot system. Of further interest is the ability to use this technique in the loosely-coupled shadow server scenario, although we do not further consider this scenario here.

The second heuristic we have implemented is buffer overflow detection via abstract payload execution (APE), as proposed in [10]. The heuristic detects buffer overflow attacks by searching for sufficiently long sequences of valid instructions in network traffic. Long sequences of valid instructions can appear in non-malicious data, and this is where the shadow honeypot fits in. Such detection mechanisms are particularly attractive because they are applied to individual attacks and will trigger detection upon encountering the first instance of an attack, unlike many anomaly detection mechanisms that must witness multiple attacks before flagging them as anomalous.
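
As a rough, simplified illustration of this idea (not the actual APE implementation, which also employs sampling), such a heuristic boils down to counting runs of decodable instructions; decode_valid_insn() below is a hypothetical stand-in, since real x86 instruction decoding is considerably more involved.

    /* Highly simplified sketch of abstract payload execution: flag an input
       that contains a sufficiently long run of valid instructions.
       decode_valid_insn() is a hypothetical placeholder for a real decoder. */
    #include <stddef.h>

    extern int decode_valid_insn(const unsigned char *p, size_t left);  /* insn length, or 0 if invalid */

    int ape_flags_input(const unsigned char *buf, size_t len, int min_run)
    {
        int run = 0;
        size_t i = 0;
        while (i < len) {
            int n = decode_valid_insn(buf + i, len - i);
            if (n > 0) {
                if (++run >= min_run)
                    return 1;            /* long valid sequence: treat as a potential sled */
                i += (size_t)n;
            } else {
                run = 0;                 /* invalid byte: reset the run and resynchronize */
                i += 1;
            }
        }
        return 0;
    }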

Finally, as discussed in Section 3.3, the third heuristic we use is network-level emulation [13], [31], a detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. The approach is based on the execution of all potential malicious instruction sequences found in the inspected traffic on a NIDS-embedded CPU emulator. Based on a behavioral heuristic, the detection algorithm can discriminate between the execution of benign and malicious code.

3.4 Shadow Honeypot Creation

The creation of a shadow honeypot is based on a code-transformation tool that takes as input the original application source code and “weaves” into it the shadow honeypot code. In this paper, we focus on memory-violation errors and show source-code transformations that detect buffer overflows, although other types of failures can be caught (e.g., input that causes illegal memory dereferences) with the appropriate instrumentation, but at the cost of higher complexity and a larger performance overhead. For the code transformations we use TXL [32], a hybrid functional and rule-based language which is well-suited for performing source-to-source transformation and for rapidly prototyping new languages and language processors. The grammar responsible for parsing the source input is specified in a notation similar to Extended Backus-Naur Form (BNF). In our prototype, called DYBOC, we use TXL for C-to-C transformations with the GCC C front-end.

Figure 5. Example of pmalloc()-based memory allocation: the trailer and edge regions (above and below the write-protected pages) indicate “waste” memory. This is needed to ensure that mprotect() is applied on complete memory pages.

Figure 6. Transforming a function to its shadow-supporting version. The shadow_enable() macro simply checks the status of a shared-memory variable (controlled by the anomaly detection system) on whether the shadow honeypot should be executing instead of the regular code.

The instrumentation itself is conceptually straightforward: we move all static buffers to the heap by dynamically allocating the buffer upon entering the function in which it was previously declared; we de-allocate these buffers upon exiting the function, whether implicitly (by reaching the end of the function body) or explicitly (through a return statement). We take care to properly handle the sizeof construct, a fairly straightforward task with TXL. Pointer aliasing is not a problem, since we instrument the allocated memory regions; any illegal accesses to these will be caught.

For memory allocation, we use our own version of malloc(), called pmalloc(), that allocates two additional zero-filled, write-protected pages that bracket the requested buffer, as shown in Figure 5. The guard pages are mmap()’ed from /dev/zero as read-only. As mmap() operates at memory page granularity, every memory request is rounded up to the nearest page. The pointer that is returned by pmalloc() can be adjusted to immediately catch any buffer overflow or underflow depending on where attention is focused. This functionality is similar to that offered by the ElectricFence memory-debugging library, the difference being that pmalloc() catches both buffer overflow and underflow attacks. Because we mmap() pages from /dev/zero, we do not waste physical memory for the guards (just page-table entries). Memory is wasted, however, for each allocated buffer, since we allocate to the next closest page. While this can lead to considerable memory waste, we note that this is only incurred when executing in shadow mode, and in practice has proven easily manageable.
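
A minimal sketch of such an allocator, assuming POSIX mmap()/mprotect() and written only to illustrate the guard-page layout of Figure 5, could look as follows (the actual DYBOC allocator differs; for instance, alignment of the returned pointer is ignored here):

    /* Illustrative pmalloc()/pfree() sketch: a buffer bracketed by two
       read-only pages mapped from /dev/zero, so that overflows fault. */
    #include <fcntl.h>
    #include <stddef.h>
    #include <sys/mman.h>
    #include <unistd.h>

    void *pmalloc(size_t size)
    {
        size_t pg = (size_t)sysconf(_SC_PAGESIZE);
        size_t rounded = (size + pg - 1) & ~(pg - 1);   /* round up to whole pages */
        size_t total = rounded + 2 * pg;                /* plus two guard pages */

        int fd = open("/dev/zero", O_RDWR);
        if (fd < 0)
            return NULL;
        char *base = mmap(NULL, total, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
        close(fd);
        if (base == MAP_FAILED)
            return NULL;

        /* Write-protect the first and last page; any write past either end
           of the buffer raises SIGSEGV. */
        mprotect(base, pg, PROT_READ);
        mprotect(base + pg + rounded, pg, PROT_READ);

        /* Align the end of the buffer with the trailing guard page so that
           overflows are caught immediately (shift toward the leading page
           instead to catch underflows first). */
        return base + pg + (rounded - size);
    }

    void pfree(void *ptr, size_t size)
    {
        size_t pg = (size_t)sysconf(_SC_PAGESIZE);
        size_t rounded = (size + pg - 1) & ~(pg - 1);
        char *base = (char *)ptr - (rounded - size) - pg;
        munmap(base, rounded + 2 * pg);
    }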

Figure 6 shows an example of such a translation. Buffers that are already allocated via malloc() are simply switched to pmalloc(). This is achieved by examining declarations in the source and transforming them to pointers where the size is allocated with a malloc() function call. Furthermore, we adjust the C grammar to free the variables before the function returns. After making changes to the standard ANSI C grammar that allow entries such as malloc() to be inserted between declarations and statements, the transformation step is trivial. For single-threaded, non-reentrant code, it is possible to only use pmalloc() once for each previously-static buffer. Generally, however, this allocation needs to be done each time the function is invoked.
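
For illustration only, a transformation in the spirit of Figure 6 could turn a function with a fixed-size local buffer into the following shadow-supporting form; the exact code emitted by DYBOC differs, and shadow_enable(), pmalloc(), and pfree() are used as described above.

    /* Assumes <stdlib.h> and the shadow_enable()/pmalloc()/pfree()
       declarations from the text; function and buffer names are examples. */

    /* Before: the original function with a static (stack) buffer. */
    int copy_name(const char *name)
    {
        char buf[1024];
        /* ... fill and use buf ... */
        return 0;
    }

    /* After (sketch): the buffer is moved to the heap on entry and released
       on every exit; the guarded pmalloc() allocator is used only when the
       shadow is active. */
    int copy_name(const char *name)
    {
        char *buf = shadow_enable() ? pmalloc(1024) : malloc(1024);
        /* ... fill and use buf ... */
        if (shadow_enable())
            pfree(buf, 1024);
        else
            free(buf);
        return 0;
    }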

Any overflow (or underflow) on a buffer allocated via pmalloc() will cause the process to receive a Segmentation Violation (SEGV) signal, which is caught by a signal handler we have added to the source code in main(). The signal handler simply notifies the operating system to abort all state changes made by the process while processing this request. To do this, we added a new system call to the operating system, transaction(). This is conditionally (as directed by the shadow_enable() macro) invoked at three locations in the code (see the sketch after this list):

• Inside the main processing loop, prior to the beginning of handling a new request, to indicate to the operating system that a new transaction has begun. The operating system makes a backup of all memory page permissions, and marks all heap memory pages as read-only. As the process executes and modifies these pages, the operating system maintains a copy of the original page and allocates a new page (which is given the permissions the original page had from the backup) for the process to use, in exactly the same way copy-on-write works in modern operating systems. Both copies of the page are maintained until transaction() is called again, as we describe below. This call to transaction() must be placed manually by the programmer or system designer.

• Inside the main processing loop, immediately after the end of handling a request, to indicate to the operating system that a transaction has successfully completed. The operating system then discards all original copies of memory pages that have been modified during processing this request. This call to transaction() must also be placed manually.

• Inside the signal handler that is installed automatically by our tool, to indicate to the operating system that an exception (attack) has been detected. The operating system then discards all modified memory pages by restoring the original pages.
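
The sketch referenced above shows how these pieces could fit together around the request loop. The three-operation interface of transaction() and all helper names are assumptions introduced for illustration; they do not reflect the exact system-call interface described in the text.

    /* Illustrative sketch only: wrapping request handling in transaction()
       calls and recovering from the SIGSEGV raised by a guard page.
       The TXN_* interface and the helpers are assumed names. */
    #include <setjmp.h>
    #include <signal.h>

    enum { TXN_BEGIN, TXN_COMMIT, TXN_ABORT };
    extern long transaction(int op);              /* hypothetical syscall wrapper */
    extern int  shadow_enable(void);

    typedef struct request request_t;
    extern request_t *get_next_request(void);
    extern void handle_request(request_t *req);   /* may fault on a pmalloc() guard page */
    extern void notify_filter(const request_t *req);

    static sigjmp_buf recover;

    static void segv_handler(int sig)
    {
        (void)sig;
        transaction(TXN_ABORT);                   /* restore the saved copies of modified pages */
        siglongjmp(recover, 1);
    }

    void serve_requests(void)
    {
        signal(SIGSEGV, segv_handler);
        for (;;) {
            request_t *req = get_next_request();
            if (shadow_enable())
                transaction(TXN_BEGIN);           /* snapshot heap page permissions */
            if (sigsetjmp(recover, 1) == 0) {
                handle_request(req);
                if (shadow_enable())
                    transaction(TXN_COMMIT);      /* discard the saved page copies */
            } else {
                notify_filter(req);               /* attack caught; state already rolled back */
            }
        }
    }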

Although we have not implemented this, a similar mechanism can be built around the filesystem by using a private copy of the buffer cache for the process executing in shadow mode. The only difficulty arises when the process must itself communicate with another process while servicing a request; unless the second process is also included in the transaction definition (which may be impossible, if it is a remote process on another system), overall system state may change without the ability to roll it back. For example, this may happen when a web server communicates with a remote back-end database. Our system does not currently address this, i.e., we assume that any such state changes are benign or irrelevant (e.g., a DNS query). Specifically, in the case of a back-end database, databases inherently support the concept of a transaction rollback, so it is possible to undo any changes.

The signal handler may also notify external logic to indicate that an attack associated with a particular input from a specific source has been detected. The external logic may then instantiate a filter, either based on the network source of the request or the contents of the payload [20].

3.5 Using Feedback to Improve Network-level Detection

A significant benefit stemming from the combination of network-level anomaly detection techniques with host-level attack prevention mechanisms is that it allows for increasing the detection accuracy of current network-level detectors. This improvement may go beyond simply increasing the sensitivity of the detector and then mitigating the extra false positives through the shadow honeypot. In certain cases, it is also possible to enhance the robustness of the anomaly detection algorithm itself against evasion attacks. In this section, we describe how shadow honeypots enhance the detection ability of network-level emulation, one of the detection techniques that we have used in our implementation.


Network-level emulation [13], [31] is a passive network monitoring approach for the detection of previously unknown polymorphic shellcode. The approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. The principle behind network-level emulation is that the machine code interpretation of arbitrary data results in random code which, when run on an actual CPU, usually crashes quickly, e.g., due to the execution of an illegal instruction. In contrast, if some network request actually contains a polymorphic shellcode, then the shellcode runs normally, exhibiting a certain detectable behavior.

Network-level emulation does not rely on any exploit or vulnerability specific signatures, which allows the detection of previously unknown attacks. Instead, it uses a generic heuristic that matches the runtime behavior of polymorphic shellcode. At the same time, the actual execution of the attack code on a CPU emulator makes the detector robust to evasion techniques such as highly obfuscated or self-modifying code. Furthermore, each input is inspected autonomously, which makes the approach effective against targeted attacks, while from our experience so far with real-world deployments, it has not produced any false positives.

The detector inspects either or both directions of each network flow, which may contain malicious requests towards vulnerable services, or malicious content served by some compromised server towards a vulnerable client. Each input is mapped to a random memory location in the virtual address space of the emulator, as shown in Figure 7. Since the exact position of the shellcode within the input stream is not known in advance, the emulator repeats the execution multiple times, starting from each and every position of the stream. Before the beginning of a new execution, the state of the CPU is randomized, while any accidental memory modifications in the addresses where the attack vector has been mapped to are rolled back after the end of each execution. The execution of polymorphic shellcode is identified by two key behavioral characteristics: the execution of some form of GetPC code, and the occurrence of several read operations from the memory addresses of the input stream itself, as illustrated in Figure 7. The GetPC code is used for finding the absolute address of the injected code, which is mandatory for subsequently decrypting the encrypted payload, and involves the execution of some instruction from the call or fstenv instruction groups.
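
In outline, the detection loop can be pictured as in the sketch below; the emu_* functions are hypothetical stand-ins for the NIDS-embedded CPU emulator, and READ_THRESHOLD abstracts the payload-read criterion described above.

    /* Simplified sketch of network-level emulation; the emu_* API and
       READ_THRESHOLD are illustrative placeholders, not a real emulator. */
    #include <stddef.h>
    #include <stdint.h>

    #define READ_THRESHOLD 8          /* assumed number of payload reads required */

    extern void      emu_randomize_cpu_state(void);
    extern uintptr_t emu_map_input(const unsigned char *data, size_t len);  /* random base address */
    extern void      emu_set_pc(uintptr_t pc);
    extern int       emu_step(int *getpc_seen, int *payload_reads);         /* 0 on illegal instruction */
    extern void      emu_rollback_memory(void);

    int contains_shellcode(const unsigned char *data, size_t len, unsigned max_insns)
    {
        for (size_t start = 0; start < len; start++) {    /* repeat from every position */
            int getpc_seen = 0, payload_reads = 0;
            unsigned executed = 0;

            emu_randomize_cpu_state();
            uintptr_t base = emu_map_input(data, len);
            emu_set_pc(base + start);

            while (executed++ < max_insns && emu_step(&getpc_seen, &payload_reads))
                ;
            emu_rollback_memory();                        /* undo accidental writes to the input */

            if (getpc_seen && payload_reads >= READ_THRESHOLD)
                return 1;                                 /* GetPC + self-reads: shellcode behavior */
        }
        return 0;
    }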

Figure 7. A typical execution of a polymorphic shellcode using network-level emulation.

There exist situations in which the execution of benign inputs, which are interpreted by the emulator as random code, might not stop soon, or even not at all, due to the accidental formation of loop structures that may execute for a very large number of iterations. To avoid extensive performance degradation due to stalling on such seemingly “endless” loops, if the number of executed instructions for a given input reaches a certain execution threshold, then the execution is terminated.

This unavoidable precaution introduces an opportunity for evasion attacks against the detection algorithm through the placement of a seemingly endless loop before the decryptor code. An attacker could construct a decryptor that spends millions of instructions just for reaching the execution threshold before revealing any signs of polymorphic behavior. We cannot simply skip the execution of such loops, since the loop body may perform a crucial computation for the subsequent correct execution of the decoder, e.g., computing the decryption key.

Such “endless” loops are a well-known problem in the area of dynamic code analysis [33], and we are not aware of any effective solution so far. However, employing network-level emulation as a first-stage detector for shadow honeypots mitigates this problem. Without shadow honeypot support, the network-level detector does not alert on inputs that reach the execution threshold without exhibiting signs of malicious behavior, which can potentially result in false negatives. In contrast, when coupling network-level emulation with shadow honeypots, such undecidable inputs can be treated more conservatively by considering them as potentially dangerous, and redirecting them to the shadow version of the protected service. If an undecidable input indeed corresponds to a code injection attack, then it will be detected by the shadow honeypot. In Section 4.3 we show, through analysis of real network traffic, that the number of such streams that are undecidable in reasonable time (and thus have to be forwarded to the shadow) is a small, manageable fraction of the overall traffic.
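
The resulting redirection criterion can be expressed compactly as below; the verdict type, the emulate_stream() helper, and the routing names are illustrative, while the 2048-instruction threshold is the value discussed in Section 4.3.

    /* Sketch of the redirection criterion: streams whose emulation hits the
       execution threshold without a verdict are sent to the shadow.
       All names are illustrative. */
    typedef enum { VERDICT_BENIGN, VERDICT_SHELLCODE, VERDICT_UNDECIDED } verdict_t;
    typedef enum { ROUTE_PRODUCTION, ROUTE_SHADOW } route_t;

    extern verdict_t emulate_stream(const unsigned char *buf, unsigned long len,
                                    unsigned exec_threshold);

    route_t route_stream(const unsigned char *buf, unsigned long len)
    {
        verdict_t v = emulate_stream(buf, len, 2048);   /* execution threshold (Section 4.3) */
        return (v == VERDICT_BENIGN) ? ROUTE_PRODUCTION /* pass through */
                                     : ROUTE_SHADOW;    /* shellcode or undecided: verify on shadow */
    }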

4. Experimental Evaluation

We have tested our shadow honeypot implementation against a number of exploits, including a recent Mozilla PNG bug and several Apache-specific exploits. In this section, we report on performance benchmarks that illustrate the efficacy of our implementation.

First, we measure the cost of instantiating and operating shadow instances of specific services using the Apache web server and the Mozilla Firefox web browser. Second, we evaluate the filtering and anomaly detection components, and determine the throughput of the IXP1200-based load balancer as well as the cost of running the detection heuristics. Third, we look at the false positive rates and the trade-offs associated with detection performance. Based on these results, we determine how to tune the anomaly detection heuristics in order to increase detection performance while not exceeding the budget allotted by the shadow services.


Figure 8. Apache benchmark results.

4.1 Performance of Shadow Services

Apache: In this experiment, we determine the workload capacity of the shadow honeypot environment, using DYBOC on the Apache web server, version 2.0.49. We chose Apache due to its popularity and source code availability. Basic Apache functionality was tested, omitting additional modules. The tests were conducted on a PC with a 2GHz Intel P4 processor and 1GB of RAM, running Debian Linux (2.6.5-1 kernel).

We used ApacheBench [34], a complete benchmarking and regression testing suite. Examination of application response is preferable to explicit measurements in the case of complex systems, as we seek to understand the effect on overall system performance.

Figure 8 illustrates the requests per second that Apache can handle. There is a 20.1% overhead for the patched version of Apache over the original, which is expected since the majority of the patched buffers belong to utility functions that are not heavily used. This result reflects a worst-case analysis, since all the protection flags were enabled; although the performance penalty is high, it is not outright prohibitive for some applications. For the instrumentation of a single buffer and a vulnerable function that is invoked once per HTTP transaction, the overhead is 1.18%.

Of further interest is the increase in memory requirements for the patched version. A naive implementation of pmalloc() would require two additional memory pages for each transformed buffer. Full transformation of Apache translates into 297 buffers that are allocated with pmalloc(), adding an overhead of 2.3MB if all of these buffers are invoked simultaneously during program execution. When protecting malloc()’ed buffers, the amount of required memory can skyrocket.
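
Assuming the typical 4 KB page size, this figure follows directly: 297 buffers × 2 additional pages × 4 KB = 2376 KB, i.e., roughly 2.3 MB.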

To avoid this overhead, we use an mmap() based allocator. The two guard pages are mmap()’ed write-protected from /dev/zero, without requiring additional physical memory to be allocated. Instead, the overhead of our mechanism is 2 page-table entries (PTEs) per allocated buffer, plus one file descriptor (for /dev/zero) per program. As most modern processors use an MMU cache for frequently used PTEs, and since the guard pages are only accessed when a fault occurs, we expect their impact on performance to be small.

Mozilla Firefox: For the evaluation of the client case, we used the Mozilla Firefox browser. For the initial validation tests, we back-ported the recently reported libpng vulnerability [18] that enables arbitrary code execution if Firefox (or any application using libpng) attempts to display a specially crafted PNG image. Interestingly, this example mirrors a recent vulnerability in Internet Explorer’s JPEG image handling [35], which again enabled arbitrary code execution when displaying specially crafted images.

In the tightly-coupled scenario, the protected version of the application shares the address space with the unmodified version. This is achieved by transforming the original source code with our DYBOC tool. Suspicious requests are tagged by the ADS so that they are processed by the protected version of the code as discussed in Section 3.2.

For the loosely-coupled case, when the AD component marks a request for processing on the shadow honeypot, we launch the instrumented version of Firefox to replay the request. The browser is configured to use a null X server as provided by Xvfb. All requests are handled by a transparent proxy that redirects these requests to an internal Web server. The Web server then responds with the objects served by the original server, as captured in the original session. The workload that the shadow honeypot can process in the case of Firefox is determined by how many responses per second a browser can process and how many different browser versions can be checked.

Our measurements show that a single instance of Firefox can handle about one request per second if it is restarted after processing each response; restarting only after detecting a successful attack improves the result to about four requests per second. By restarting, we avoid the accumulation of various pop-ups and other side-effects. Unlike the server scenario, instrumenting the browser does not seem to have any significant impact on performance. If that were the case, we could have used the rollback mechanism discussed previously to reduce the cost of launching new instances of the browser.

We further evaluate the performance implications of fully instrumenting a web browser. These observations apply to both loosely-coupled and tightly-coupled shadow honeypots. Web browsing performance was measured using a Mozilla Firefox 1.0 browser to run a benchmark based on the i-Bench benchmark suite [36]. i-Bench is a comprehensive, cross-platform benchmark that tests the performance and capability of Web clients. Specifically, we use a variant of the benchmark that allows for scrolling of a web page and uses cookies to store the load times for each page. Scrolling is performed in order to render the whole page, providing a pessimistic emulation of a typical attack. The benchmark consists of a sequence of 10 web pages containing a mix of text and graphics; the benchmark was run using both the scrolling option and the standard page load mechanisms.


For the standard page load configuration, the performance degradation for instrumentation was 35%. For the scrolling configuration, where in addition to the page load time, the time taken to scroll through the page is recorded, the overhead was 50%.

Figure 9. Normalized Mozilla Firefox benchmark results using a modified version of i-Bench.

Figure 10. Popularity of different Mozilla versions, as measured in the logs of the CIS Department Web server at the University of Pennsylvania.

The results follow our intuition, as more calls to malloc() are required to fully render the page. Figure 9 illustrates the normalized performance results. It should be noted that, depending on the browser implementation (whether the entire page is rendered on page load), mechanisms such as automatic scrolling need to be implemented in order to protect against targeted attacks. Attackers may hide malicious code in unrendered parts of a page or in javascript code activated by user-guided pointer movement.

How many different browser versions would have to be checked by the system? Figure 10 presents some statistics concerning different versions of Mozilla. The statistics were collected over a five-week period from the CIS Department web server at the University of Pennsylvania. As evidenced by the figure, one can expect to check up to six versions of a particular client. We expect that this distribution will stabilize around final release versions, minimizing the number of different versions that need to be checked based on their popularity.

4.2 Filtering and Anomaly Detection

IXP1200-based firewall/load-balancer: We first determine the performance of the IXP1200-based firewall/load balancer. The IXP1200 evaluation board we use has two Gigabit Ethernet interfaces and eight Fast Ethernet interfaces. The Gigabit Ethernet interfaces are used to connect to the internal and external network and the Fast Ethernet interfaces to communicate with the sensors. A set of client workstations is used to generate traffic through the firewall. The firewall forwards traffic to the sensors for processing and the sensors determine if the traffic should be dropped, redirected to the shadow honeypot, or forwarded to the internal network.

Previous studies [37] have reported forwarding rates of at least 1600 Mbit/s for the IXP1200, when used as a simple forwarder/router, which is sufficient to saturate a Gigabit Ethernet interface. Our measurements show that despite the added cost of load balancing, filtering, and coordinating with the sensors, the firewall can still handle the Gigabit interface at line rate.

Figure 11. Utilization (%) of the IXP1200 microengines, for forwarding-only (FWD), load-balancing-only (LB), both (LB+FWD), and full implementation (FULL), in stress-tests with 800 Mbit/s worst-case 64-byte-packet traffic.

To gain insight into the actual overhead of our implementation, we carry out a second experiment using Intel’s cycle-accurate IXP1200 simulator. We assume a clock frequency of 232 MHz for the IXP1200, and an IX bus configured to be 64-bit wide with a clock frequency of 104 MHz. In the simulated environment, we obtain detailed utilization measurements for the microengines of the IXP1200. The results are shown in Figure 11. The results show that even at line rate with worst-case traffic, the implementation is quite efficient as the microengines operate at 50.9%-71.5% of their processing capacity.

PC-based sensor performance: In this experiment, we measure the throughput of the PC-based sensors that cooperate with the IXP1200 for analyzing traffic and performing anomaly detection. We use a 2.66 GHz Pentium IV Xeon processor with hyper-threading disabled. The PC has 512 Mbytes of DDR DRAM at 266 MHz. The PCI bus is 64-bit wide, clocked at 66 MHz. The host operating system is Linux (kernel version 2.4.22, Red-Hat 9.0).

We use LAN traces to stress-test a single sensor running a modified version of Snort that, in addition to basic signature matching, provides the hooks needed to coordinate with the IXP1200 as well as the APE and payload sifting heuristics. We replay the traces from a remote system through the IXP1200 at different rates to determine the maximum loss-free rate (MLFR) of the sensor. For the purpose of this experiment, we connected a sensor to the second Gigabit Ethernet interface of the IXP1200 board.

Table 1: Sensor throughput for different detection mechanisms.

Detection Method     Throughput/Sensor
Content Matching     225 Mbit/s
APE                  190 Mbit/s
Payload Sifting      268 Mbit/s

The measured throughput of the sensor for standard signature matching, APE, and Earlybird (payload sifting) is shown in Table 1. The throughput per sensor ranges between 190 Mbit/s (APE) and 268 Mbit/s (payload sifting), while standard signature matching can be performed at 225 Mbit/s. This means that we need at least 4-5 sensors behind the IXP1200 for each of these mechanisms. Note, however, that these results are rather conservative and based on unoptimized code, and thus only serve the purpose of providing a ballpark figure on the cost of anomaly detection.

False positive vs. detection rate trade-offs: We determine the workload that is generated by the AD heuristics, by measuring the false positive rate. We also consider the trade-off between false positives and detection rate, to demonstrate how the AD heuristics could be tuned to increase detection rate in our shadow honeypot environment. We use the payload sifting implementation from [38], and the APE algorithm from [10]. The APE experiment corresponds to a scenario with a tightly-coupled shadow server, while the payload sifting experiment examines a loosely-coupled shadow honeypot scenario that can be used for worm detection.

We run the modified Snort sensor implementing APE and payload sifting on packet-level traces captured on an enterprise LAN with roughly 150 hosts. Furthermore, the traces contain several instances of the Welchia worm. APE was applied to the URIs contained in roughly one billion HTTP requests gathered by monitoring the same LAN.

Figure 12 demonstrates the effects of varying the distinct destinations threshold of the content sifting AD on the false positives (measured in requests to the shadow services per minute) and the (Welchia worm) detection delay (measured as the fraction of hosts in the monitored LAN infected by the time of detection).

Figure 12. False positives for payload sifting.

Increasing the threshold means that more attack instances are required for triggering detection, which therefore increases the detection delay and reduces the false positives. It is evident that to achieve a zero false-positive rate without shadow honeypots we must operate the system with parameters that yield a suboptimal detection delay. The detection rate for APE is determined by the minimum sled length that it can detect, which depends on the sampling factor and the MEL parameter (the number of valid instructions that trigger detection). A high MEL value means fewer false positives due to random valid sequences, but also makes the heuristic blind to sleds of smaller lengths.

Figure 13. False positives for APE.

Figure 13 shows the effect of the MEL threshold on the false positives. APE can be used in a tightly coupled scenario, where the suspect requests are redirected to the instrumented server instances. The false positives (measured in requests to the shadow services per minute by each of the normal services under maximum load) can be handled easily by a shadow honeypot. APE alone has false positives for the entire range of acceptable operational parameters; it is the combination with shadow honeypots that removes the problem.

4.3 Fine-tuning Network-level Emulation

In this scheme, the redirection criterion is whether a given input reaches the CPU execution threshold of the network-level detector. Since most of the time the system will not be under attack, and thus the inspected inputs will be benign, an issue that we should take into account is how often a benign inspected input may look “suspicious” and cause a redirection to the shadow honeypot. If the fraction of such undecidable inputs is large, then the shadow server may be overloaded with a higher request rate than it can normally handle. To evaluate this effect, we used full payload traces of real network traffic captured at ICS-FORTH and the University of Crete. The set of traces contains more than 2.5 million user requests to ports 80, 445, and 139, which are related to the most exploited vulnerabilities.

Figure 14. Percentage of benign network streams reaching the execution threshold of the network-level detector.

Figure 14 shows the percentage of streams with at least one instruction sequence that, when executed on the CPU emulator of the network-level detector, reached the given execution threshold. As the execution threshold increases, the number of streams that reach it decreases. This effect occurs only for low threshold values, due to large code blocks with no branch instructions that are executed linearly. For example, the execution of linear code blocks with more than 256 but less than 512 valid instructions is terminated before reaching the end when using a threshold of 256 instructions, but completes correctly with a threshold of 512 instructions. However, the occurrence probability of such blocks is inversely proportional to their length, due to the illegal or privileged instructions that accidentally occur in random code. Thus, the percentage of streams that reach the execution threshold stabilizes beyond the value of 2048. After this value, the execution threshold is reached solely due to instruction sequences with "endless" loops, which would require a prohibitive number of instructions for the slow CPU emulator to complete.

Fortunately, for an execution threshold above 2048 instructions, which allows for accurate polymorphic shellcode detection with a decent operational throughput [13], the fraction of streams that reach the execution threshold is only around 4% for port 445, 2.6% for port 139, and 0.1% for port 80. Binary traffic (ports 445 and 139) is clearly more likely to result in an instruction sequence that reaches the execution threshold, in contrast to the mostly ASCII traffic of port 80. In any case, even in the worst case of binary-only traffic, the percentage of benign streams that reach the execution threshold is very small, so the extra overhead incurred on the shadow server is modest.
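As an illustration of the redirection criterion discussed in this section, the sketch below (with a stand-in emulator and hypothetical names) redirects a stream to the shadow honeypot only if some instruction sequence in it reaches the execution threshold.

    # Sketch of the redirection criterion of Section 4.3 (stand-in emulator,
    # hypothetical names): execute every candidate instruction sequence on a
    # CPU emulator and redirect the stream to the shadow honeypot only if some
    # sequence reaches the execution threshold (e.g., 2048 instructions).
    EXECUTION_THRESHOLD = 2048

    def emulate(stream: bytes, start: int, limit: int) -> int:
        """Stand-in for the network-level emulator: return the number of
        instructions executed before hitting an illegal instruction or limit."""
        executed = 0
        for b in stream[start:]:
            if b in (0x0F, 0xCC, 0xF4):      # illustrative "illegal" opcodes
                break
            executed += 1
            if executed >= limit:
                break
        return executed

    def should_redirect(stream: bytes) -> bool:
        return any(
            emulate(stream, offset, EXECUTION_THRESHOLD) >= EXECUTION_THRESHOLD
            for offset in range(len(stream))
        )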

5. Limitations

There are two limitations of the shadow honeypot design presented in this paper that we are aware of. The effectiveness of the rollback mechanism depends on the proper placement of calls to transaction() for committing state changes, and on the latency of the detector. The detector used in this paper can instantly detect attempts to overwrite a buffer, and therefore the system cannot be corrupted. Other detectors, however, may have higher latency, and the placement of commit calls is critical to recovering from the attack. Depending on the detector latency and how it relates to the cost of implementing rollback, one may have to consider different approaches. The trade-offs involved in designing such mechanisms are thoroughly examined in the fault-tolerance literature (cf. [39]).
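The following schematic sketch, using an invented transaction API rather than the paper's actual instrumentation, illustrates why the commit point must come after the detector has run: committing earlier, with a higher-latency detector, would leave corrupted state behind.

    # Schematic illustration (hypothetical API, not the paper's actual
    # transaction() instrumentation): buffer the state changes of one request
    # and commit them only after the detector has had a chance to flag the
    # request.  With a non-zero-latency detector, committing earlier than this
    # point could persist corrupted state.
    import copy

    class ShadowTransaction:
        def __init__(self, app_state: dict):
            self.app_state = app_state
            self.snapshot = None

        def begin(self):
            self.snapshot = copy.deepcopy(self.app_state)  # cheap stand-in for COW

        def commit(self):
            self.snapshot = None                           # keep the new state

        def rollback(self):
            self.app_state.clear()
            self.app_state.update(self.snapshot)           # discard request effects

    def handle_request(state, request, process, detector):
        tx = ShadowTransaction(state)
        tx.begin()
        try:
            response = process(request, state)
        except MemoryError:                                # stand-in for an attack signal
            tx.rollback()
            return None
        if detector(request, state):                       # attack detected
            tx.rollback()
            return None
        tx.commit()                                        # safe: detector already ran
        return response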

Furthermore, the loosely coupled client shadow honeypot is limited to protecting against relatively static attacks. The honeypot cannot effectively emulate user behavior that may be involved in triggering the attack, for example, through DHTML or Javascript. The loosely coupled version is also weak against attacks that depend on local system state on the user’s host that is difficult to replicate. This is not a problem with tightly coupled shadows, because we accurately mirror the state of the real system. In some cases, it may be possible to mirror state on loosely coupled shadows as well, but we have not considered this case in the experiments presented in this paper.

6. Related Work

Much of the work in automated attack reaction has focused on the problem of network worms, which has taken truly epidemic dimensions (pun intended). For example, the system described in [24] detects worms by monitoring probes to unassigned IP addresses ("dark space") or inactive ports and computing statistics on scan traffic, such as the number of source/destination addresses and the volume of the captured traffic. By measuring the increase in the number of source addresses seen in a unit of time, it is possible to infer the existence of a new worm when as little as 4% of the vulnerable machines have been infected. A similar approach for isolating infected nodes inside an enterprise network [40] is taken in [23], where it was shown that as little as four probes may be sufficient in detecting a new port-scanning worm.

Weaver et al. [41] describe an approximation algorithm for quickly detecting scanning activity that can be efficiently implemented in hardware. Schechter et al. [42] describe a combination of reverse sequential hypothesis testing and credit-based connection throttling to quickly detect and quarantine local infected hosts. These systems are effective only against scanning worms (not topological, or "hit-list" worms), and rely on the assumption that most scans will result in non-connections. As such, they are susceptible to false positives, either accidentally (e.g., when a host is joining a peer-to-peer network such as Gnutella, or during a temporary network outage) or on purpose (e.g., a malicious web page with many links to images at random/unused IP addresses). Furthermore, it may be possible for several instances of a worm to collaborate in providing the illusion of several successful connections, or to use a list of known repliers to blind the anomaly detector. Another algorithm for finding fast-spreading worms, using two-level filtering based on sampling from the set of distinct source-destination pairs, is described in [43].

Kim and Karp [22] describe an algorithm for correlating packet payloads from different traffic flows, towards deriving a worm signature that can then be filtered [44]. The technique is promising, although further improvements are required to allow it to operate in real time. Earlybird [19] presents a more practical algorithm for payload sifting, and correlates the sifted content with the range of unique sources generating infections and destinations being targeted. However, polymorphic and metamorphic worms [26] remain a challenge; Spinellis [45] shows that reliably identifying them is an NP-hard problem. Vigna et al. [46] discuss a method for testing detection signatures against mutations of known vulnerabilities to determine the quality of the detection model and mechanism. Polygraph [47] attempts to detect polymorphic exploits by identifying common invariants among the various attack instances, such as return addresses, protocol framing and poor obfuscation.

Toth and Kruegel [10] propose to detect buffer overflow payloads (including previously unseen ones) by treating inputs received over the network as code fragments. They use restricted symbolic execution to show that legitimate requests will appear to contain relatively short sequences of valid x86 instruction opcodes, compared to attacks that will contain long sequences. They integrate this mechanism into the Apache web server, resulting in a small performance degradation. STRIDE [48] is a similar system that seeks to detect polymorphic NOP-sleds in buffer overflow exploits. [49] describes a hybrid polymorphic-code detection engine that combines several heuristics, including a NOP-sled detector and abstract payload execution.

HoneyStat [3] runs sacrificial services inside a virtual machine, and monitors memory, disk, and network events to detect abnormal behavior. For some classes of attacks (e.g., buffer overflows), this can produce highly accurate alerts with relatively few false positives, and can detect zero-day worms. Although the system only protects against scanning worms, "active honeypot" techniques [4] may be used to make it more difficult for an automated attacker to differentiate between HoneyStats and real servers. FLIPS (Feedback Learning IPS) [50] is a similar hybrid approach that incorporates a supervision framework in the presence of suspicious traffic. Instruction-set randomization is used to isolate attack vectors, which are used to train the anomaly detector. The authors of [51] propose to enhance NIDS alerts using host-based IDS information. Nemean [52] is an architecture for generating semantics-aware signatures, which are signatures aware of protocol semantics (as opposed to general byte strings). Shield [20] is a mechanism for pushing to workstations vulnerability-specific, application-aware filters expressed as programs in a simple language.

The Internet Motion Sensor [7] is a distributed blackhole monitoring system aimed at measuring, characterizing, and tracking Internet-based threats, including worms. [53] explores the various options in locating honeypots and correlating their findings, and their impact on the speed and accuracy of detecting worms and other attacks. [54] shows that a distributed worm monitor can detect non-uniform scanning worms two to four times as fast as a centralized telescope [55], and that knowledge of the vulnerability density of the population can further improve detection time. However, other recent work has shown that it is relatively straightforward for attackers to detect the placement of certain types of sensors [56], [57]. Shadow Honeypots [58] are one approach to avoiding such mapping by pushing honeypot-like functionality to the end hosts.

The HACQIT architecture [59], [60], [61], [62] uses various sensors to detect new types of attacks against secure servers, access to which is limited to small numbers of users at a time. Any deviation from expected or known behavior results in the possibly subverted server being taken off-line. A sandboxed instance of the server is used to conduct "clean room" analysis, comparing the outputs from two different implementations of the service (in their prototype, the Microsoft IIS and Apache web servers were used to provide application diversity). Machine-learning techniques are used to generalize attack features from observed instances of the attack. Content-based filtering is then used, either at the firewall or the end host, to block inputs that may have resulted in attacks, and the infected servers are restarted. Due to the feature-generalization approach, trivial variants of the attack will also be caught by the filter. [8] takes a roughly similar approach, although filtering is done based on port numbers, which can affect service availability. Cisco's Network-Based Application Recognition (NBAR) [21] allows routers to block TCP sessions based on the presence of specific strings in the TCP stream. This feature was used to block CodeRed probes without affecting regular web-server access. Porras et al. [63] argue that hybrid defenses using complementary techniques (in their case, connection throttling at the domain gateway and a peer-based coordination mechanism) can be much more effective against a wide variety of worms.

DOMINO [64] is an overlay system for cooperative intrusion detection. The system is organized in two layers, with a small core of trusted nodes and a larger collection of nodes connected to the core. The experimental analysis demonstrates that a coordinated approach has the potential of providing early warning for large-scale attacks while reducing potential false alarms. A similar approach using a DHT-based overlay network to automatically correlate all relevant information is described in [65]. Zou et al. [66] describe an architecture for an early warning system where the participating nodes/routers propagate alarm reports towards a centralized site for analysis. The question of how to respond to alerts is not addressed, and, similar to DOMINO, the use of a centralized collection and analysis facility is weak against worms attacking the early warning infrastructure.

Suh et al. [67] propose a hardware-based solution that can be used to thwart control-transfer attacks and restrict executable instructions by monitoring "tainted" input data. In order to identify "tainted" data, they rely on the operating system. If the processor detects the use of this tainted data as a jump address or an executed instruction, it raises an exception that can be handled by the operating system. The authors do not address the issue of recovering program execution and suggest the immediate termination of the offending process. DIRA [68] is a technique for automatic detection, identification and repair of control-hijacking attacks. This solution is implemented as a GCC compiler extension that transforms a program's source code, adding heavy instrumentation so that the resulting program can perform these tasks. Unfortunately, the performance implications of the system make it unusable as a front line defense mechanism. Song and Newsome [69] propose dynamic taint analysis for automatic detection of overwrite attacks. Tainted data is monitored throughout the program execution, and modified buffers with tainted information will result in protection faults. Once an attack has been identified, signatures are generated using automatic semantic analysis. The technique is implemented as an extension to Valgrind and does not require any modifications to the program's source code, but suffers from severe performance degradation. One way of minimizing this penalty is to make the CPU aware of memory tainting [70]. Crandall et al. report on using a taint-based system for capturing live attacks in [71].

The Safe Execution Environment (SEE) [72] allows users to deploy and test untrusted software without fear of damaging their system. This is done by creating a virtual environment where the software has read access to the real data; all writes are local to this virtual environment. The user can inspect these changes and decide whether to commit them or not. We envision use of this technique for unrolling the effects of filesystem changes in our system, as part of our future work plans. A similar proposal is presented in [73] for executing untrusted Java applets in a safe “playground” that is isolated from the user’s environment.

7. Conclusion

We have described a novel approach to dealing with zero-day attacks by combining features found today in honeypots and anomaly detection systems. The main advantage of this architecture is providing system designers the ability to fine-tune systems with impunity, since any false positives (legitimate traffic) will be filtered by the underlying components. We have implemented this approach in an architecture called Shadow Honeypots. In this approach, we employ an array of anomaly detectors to monitor and classify all traffic to a protected network; traffic deemed anomalous is processed by a shadow honeypot, a protected, instrumented instance of the application we are trying to protect. Attacks against the shadow honeypot are detected and caught before they infect the state of the protected application. This enables the system to implement policies that trade off between performance and risk, retaining the capability to re-evaluate this trade-off effortlessly.

Our experience so far indicates that despite the considerable cost of processing suspicious traffic on our Shadow Honeypots and overhead imposed by instrumentation, such systems are capable of sustaining the overall workload of protecting services such as a Web server farm, as well as vulnerable Web browsers. We have also demonstrated how the impact on performance can be minimized by reducing the rate of false positives and tuning the AD heuristics using a feedback loop with the shadow honeypot. We believe that shadow honeypots can form the foundation of a type of application community.

Acknowledgments

This material is based on research sponsored by the Air Force Research Laboratory under agreement number FA8750-06-2-0221, and by the National Science Foundation under NSF Grant CNS-09-14845. Evangelos Markatos is also with the University of Crete.

References

[1] M. Roesch. Snort: Lightweight intrusion detection for networks. In Proceedings of USENIX LISA, November 1999. (software available from http://www.snort.org/).

[2] N. Provos. A Virtual Honeypot Framework. In Proceedings of the 13th USENIX Security Symposium, pages 1–14, August 2004.

[3] D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen. HoneyStat: Local Worm Detection Using Honeypots. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), pages 39–58, October 2004.

[4] V. Yegneswaran, P. Barford, and D. Plonka. On the Design and Use of Internet Sinks for Network Abuse Monitoring. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), pages 146–165, October 2004.

[5] L. Spitzner. Honeypots: Tracking Hackers. Addison-Wesley, 2003.

[6] J. G. Levine, J. B. Grizzard, and H. L. Owen. Using Honeynets to Protect Large Enterprise Networks. IEEE Security & Privacy, 2(6):73– 75, Nov./Dec. 2004.

[7] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In Proceedings of the 12th ISOC Symposium on Network and Distributed Systems Security (SNDSS), pages 167–179, February 2005.

[8] T. Toth and C. Kruegel. Connection-history Based Anomaly Detection. In Proceedings of the IEEE Workshop on Information Assurance and Security, June 2002.


[9] K. Wang and S. J. Stolfo. Anomalous Payload-based Network Intrusion Detection. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), pages 201–222, September 2004.

[10] T. Toth and C. Kruegel. Accurate Buffer Overflow Detection via Abstract Payload Execution. In Proceedings of the 5th Symposium on Recent Advances in Intrusion Detection (RAID), October 2002.

[11] M. Bhattacharyya, M. G. Schultz, E. Eskin, S. Hershkop, and S. J. Stolfo. MET: An Experimental System for Malicious Email Tracking. In Proceedings of the New Security Paradigms Workshop (NSPW), pages 1–12, September 2002.

[12] C. Kruegel and G. Vigna. Anomaly Detection of Web-based Attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pages 251–261, October 2003.

[13] M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Network-level polymorphic shellcode detection using emulation. In Proceedings of the Third Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), pages 54–73, July 2006.

[14] CERT Advisory CA-2001-19: ‘Code Red’ Worm Exploiting Buffer Overflow in IIS Indexing Service DLL. http://www.cert.org/advisories/CA-2001-19.html, July 2001.

[15] Cert Advisory CA-2003-04: MS-SQL Server Worm. http://www.cert.org/advisories/CA-2003-04.html, January 2003.

[16] S. Staniford, V. Paxson, and N. Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, pages 149–167, August 2002.

[17] S. Staniford, D. Moore, V. Paxson, and N. Weaver. The Top Speed of Flash Worms. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), pages 33–42, October 2004.

[18] US-CERT Technical Cyber Security Alert TA04-217A: Multiple Vulnerabilities in libpng. http://www.us-cert.gov/cas/techalerts/TA04-217A.html, August 2004.

[19] S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proceedings of the 6th Symposium on Operating Systems Design & Implementation (OSDI), December 2004.

[20] H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In Proceedings of the ACM SIGCOMM Conference, pages 193–204, August 2004.

[21] Using Network-Based Application Recognition and Access Control Lists for Blocking the “Code Red” Worm at Network Ingress Points. Technical report, Cisco Systems, Inc.

[22] H. Kim and Brad Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the 13th USENIX Security Symposium, pages 271–286, August 2004.

[23] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In Proceedings of the IEEE Symposium on Security and Privacy, May 2004.

[24] J. Wu, S. Vangala, L. Gao, and K. Kwiat. An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques. In Proceedings of the ISOC Symposium on Network and Distributed System Security (SNDSS), pages 143–156, February 2004.

[25] Microsoft Security Bulletin MS04-028, September 2004. http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx.

[26] P. Ször and P. Ferrie. Hunting for Metamorphic. Technical report, Symantec Corporation, June 2003.

[27] C. Clark, W. Lee, D. Schimmel, D. Contis, M. Kone, and A. Thomas. A Hardware Platform for Network Intrusion Detection and Prevention. In Proceedings of the 3rd Workshop on Network Processors and Applications (NP3), February 2004.

[28] L. Schaelicke, T. Slabach, B. Moore, and C. Freeland. Characterizing the Performance of Network Intrusion Detection Sensors. In Proceedings of Recent Advances in Intrusion Detection (RAID), September 2003.

[29] Top Layer Networks. http://www.toplayer.com.

[30] C. Kruegel, F. Valeur, G. Vigna, and R. Kemmerer. Stateful Intrusion Detection for High-Speed Networks. In Proceedings of the IEEE Symposium on Security and Privacy, pages 285–294, May 2002.

[31] M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Emulation-based detection of non-self-contained polymorphic shellcode. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2007.

[32] A. J. Malton. The Denotational Semantics of a Functional Tree-Manipulation Language. Computer Languages, 19(3):157–168, 1993.

[33] P. Ször. The Art of Computer Virus Research and Defense. Addison-Wesley Professional, February 2005.

[34] ApacheBench: A complete benchmarking and regression testing suite. http://freshmeat.net/projects/apachebench/, July 2003.

[35] Microsoft Security Bulletin MS04-028: Buffer Overrun in JPEG Processing Could Allow Code Execution. http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx, September 2004.

[36] i-Bench. http://www.veritest.com/benchmarks/i-bench/default.asp.

[37] T. Spalink, S. Karlin, L. Peterson, and Y. Gottlieb. Building a Robust Software-Based Router Using Network Processors. In Proceedings of the 18th ACM Symposium on Operating Systems Principles (SOSP), pages 216–229, Chateau Lake Louise, Banff, Alberta, Canada, October 2001.

[38] P. Akritidis, K. Anagnostakis, and E. P. Markatos. Efficient content-based fingerprinting of zero-day worms. In Proceedings of the IEEE International Conference on Communications (ICC), May 2005.

[39] E. N. Elnozahy, Lorenzo Alvisi, Yi-Min Wang, and David B. Johnson. A survey of rollback-recovery protocols in message-passing systems. ACM Comput. Surv., 34(3):375–408, 2002.

[40] S. Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, 2005. (to appear).

[41] N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. In Proceedings of the 13th USENIX Security Symposium, pages 29–44, August 2004.

[42] S. E. Schechter, J. Jung, and A. W. Berger. Fast Detection of Scanning Worm Infections. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), October 2004.

[43] S. Venkataraman, D. Song, P. B. Gibbons, and A. Blum. New Streaming Algorithms for Fast Detection of Superspreaders. In Proceedings of the 12th ISOC Symposium on Network and Distributed Systems Security (SNDSS), pages 149–166, February 2005.

[44] D. Moore, C. Shannon, G. Voelker, and S. Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code. In Proceedings of the IEEE Infocom Conference, April 2003.

[45] D. Spinellis. Reliable identification of bounded-length viruses is NP-complete. IEEE Transactions on Information Theory, 49(1):280– 284, January 2003.

[46] G. Vigna, W. Robertson, and D. Balzarotti. Testing Network-based Intrusion Detection Signatures Using Mutant Exploits. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS), pages 21–30, October 2004.

[47] J. Newsome, B. Karp, and D. Song. Polygraph: Automatically Generating Signatures for Polymorphic Worms. In Proceedings of the IEEE Security & Privacy Symposium, pages 226–241, May 2005.

[48] P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis. STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis. In Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC), June 2005.

[49] U. Payer, P. Teufl, and M. Lamberger. Hybrid Engine for Polymorphic Shellcode Detection. In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2005.

[50] M. Locasto, K. Wang, A. Keromytis, and S. Stolfo. FLIPS: Hybrid Adaptive Intrusion Prevention. In Proceedings of the 8th Symposium on Recent Advances in Intrusion Detection (RAID), September 2005.

[51] H. Dreger, C. Kreibich, V. Paxson, and R. Sommer. Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context. In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2005.

[52] V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha. An Architecture for Generating Semantics-Aware Signatures. In Proceedings of the 14th USENIX Security Symposium, pages 97–112, August 2005.

[53] E. Cook, M. Bailey, Z. M. Mao, and D. McPherson. Toward Understanding Distributed Blackhole Placement. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), pages 54–64, October 2004.

[54] M. A. Rajab, F. Monrose, and A. Terzis. On the Effectiveness of Distributed Worm Monitoring. In Proceedings of the 14th USENIX Security Symposium, pages 225–237, August 2005.

[55] D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9–22, August 2001.

[56] J. Bethencourt, J. Franklin, and M. Vernon. Mapping Internet Sensors With Probe Response Attacks. In Proceedings of the 14th USENIX Security Symposium, pages 193–208, August 2005.

[57] Y. Shinoda, K. Ikai, and M. Itoh. Vulnerabilities of Passive Internet Threat Monitors. In Proceedings of the 14th USENIX Security Symposium, pages 209–224, August 2005.

[58] K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. P. Markatos, and A. D. Keromytis. Detecting Targeted Attacks Using Shadow Honeypots. In Proceedings of the 14th USENIX Security Symposium, pages 129–144, August 2005.

[59] J. E. Just, L. A. Clough, M. Danforth, K. N. Levitt, R. Maglich, J. C. Reynolds, and J. Rowe. Learning Unknown Attacks – A Start. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), October 2002.

[60] J. C. Reynolds, J. Just, E. Lawson, L. Clough, and R. Maglich. The Design and Implementation of an Intrusion Tolerant System. In Proceedings of the International Conference on Dependable Systems and Networks (DSN), June 2002.

[61] J.C. Reynolds, J. Just, E. Lawson, L. Clough, and R. Maglich. Online Intrusion Protection by Detecting Attacks with Diversity. In Proceedings of the 16th Annual IFIP 11.3 Working Conference on Data and Application Security Conference, April 2002.

[62] J. C. Reynolds, J. Just, L. Clough, and R. Maglich. On-Line Intrusion Detection and Attack Prevention Using Diversity, Generate-and- Test, and Generalization. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS), January 2003.

[63] P. Porras, L. Briesemeister, K. Levitt, J. Rowe, and Y.-C. A. Ting. A Hybrid Quarantine Defense. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), pages 73–82, October 2004.

[64] V. Yegneswaran, P. Barford, and S. Jha. Global Intrusion Detection in the DOMINO Overlay System. In Proceedings of the ISOC Symposium on Network and Distributed System Security (SNDSS), February 2004.

[65] M. Cai, K. Hwang, Y-K. Kwok, S. Song, and Y. Chen. Collaborative Internet Worm Containment. IEEE Security & Privacy Magazine, 3(3):25–33, May/June 2005.

[66] C. C. Zou, L. Gao, W. Gong, and D. Towsley. Monitoring and Early Warning for Internet Worms. In Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), pages 190–199, October 2003.

[67] G. Edward Suh, Jae W. Lee, David Zhang, and Srinivas Devadas. Secure program execution via dynamic information flow tracking. SIGOPS Operating Systems Review, 38(5):85–96, 2004.

[68] A. Smirnov and T. Chiueh. DIRA: Automatic Detection, Identification, and Repair of Control-Hijacking Attacks. In Proceedings of the 12th ISOC Symposium on Network and Distributed System Security (SNDSS), February 2005.

[69] J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of the 12th ISOC Symposium on Network and Distributed System Security (SNDSS), February 2005.

[70] S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and C. Verbowski. Defeating Memory Corruption Attacks via Pointer Taintedness Detection. In Proceedings of the International Conference on Dependable Systems and Networks (DSN), pages 378–387, June 2005.

[71] J. R. Crandall, S. F. Wu, and F. T. Chong. Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities. In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2005.

[72] W. Sun, Z. Liang, R. Sekar, and V. N. Venkatakrishnan. One-way Isolation: An Effective Approach for Realizing Safe Execution Environments. In Proceedings of the 12th ISOC Symposium on Network and Distributed Systems Security (SNDSS), February 2005.

[73] D. Malkhi and M. K. Reiter. Secure Execution of Java Applets Using a Remote Playground. IEEE Trans. Softw. Eng., 26(12):1197– 1209, 2000.


A 1.2V Fourth Order Low Pass Filter for UMTS Receivers

Sandeep Garg1, D.S. Ajnar2, P.K. Jain3

Electronics & Instrumentation Engg. Department,

Shri G.S.Institute of Technology and Science, Indore, India [email protected], 2 [email protected], 3 [email protected]

Abstract. A low-power analog filter to be used in UMTS and WLAN applications is reported. The 4th order low-pass continuous-time filter is to be included in the receiver path of a reconfigurable terminal. The filter is made up of a cascade of two Active-Gm-RC low-pass biquadratic cells. The unity-gain bandwidth of the opamps embedded in the Active-Gm-RC cells is comparable to the filter cut-off frequency; thus, the power consumption of the opamps can be strongly reduced. In addition, the filter can be programmed in order to process UMTS and WLAN signals. A fourth order low pass filter with 3 MHz cut-off frequency and a DC gain of 40 dB for UMTS receivers has been designed in 0.18μ CMOS technology with a 1.2 V supply voltage. The filter has a power dissipation of 122 µW and an input-referred noise (spot noise) of 13.25 nV/√Hz @ 2 MHz. Keywords: Analog Filters, CMOS, low voltage, zero IF Receivers.

1. Introduction

An analog baseband filter is a three-terminal device which is used in telecommunication systems as a low pass filter. The baseband filter is a channel selection filter used for low-pass filtering the mixer output, and it eliminates the need for IF stages as in the case of superheterodyne receivers.

Figure 1. Block Diagram of Receiver

This low pass filter is to be used in a Direct Conversion Receiver for selecting the desired message signal following the RF mixer without any distortion, while rejecting the out-of-band signal; it is therefore also called a channel select filter. A fourth order active Gm-RC low pass filter is presented. The Active Gm-RC technique is used because MOSFET-C filters, although meeting high linearity requirements, need an opamp bandwidth much larger than the filter cut-off frequency, which leads to high power consumption. As an alternative, Gm-C filters reduce the power consumption but have lower linearity. The Active Gm-RC approach for realizing the filter is therefore proposed here, in which linearity is high and power consumption is low. Simulations confirm the excellent properties of the proposed circuit. In section 2, the Active Gm-RC cell is proposed. The filter consists of opamps and passive elements. The opamp frequency response is taken into account in the synthesis of the overall transfer function of the filter: the opamp frequency response is fixed and the external components are designed as a function of it. This makes the overall transfer function depend fully on the opamp.

2. Low Pass Filter

The filter consists of two biquad cells connected in cascade. Figure 2 shows the biquad cell using the Active Gm-RC technique; it is equivalent to a second order low pass filter. The opamp used in the structure has a single-pole transfer function given by

A(s) = A0 / (1 + sT)    (1)

where 1/T and A0 are the first pole angular frequency and the DC gain of the opamp, respectively.

Figure 2. Circuit diagram of Active Gm-RC Biquad Cell


The opamp unity gain frequency is given by

ωu = A0 / T    (2)

The Butterworth transfer function is used for realizing the filter, for large stop-band attenuation and a maximally flat in-band frequency response.

Figure 3. Block diagram of Low Pass Filter

The transfer function for the filter using the Butterworth approximation is shown below:

T(s) = 1 / [(s² + 0.7654s + 1)(s² + 1.8478s + 1)]    (3)
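As a quick numerical sanity check of (3), the short script below (illustrative only; the 40 dB DC gain and 2 MHz cut-off are taken from Table 1) evaluates the scaled fourth-order Butterworth response and confirms the -3 dB point at the cut-off frequency.

    # Numerical check of Eq. (3): evaluate the normalized fourth-order
    # Butterworth response, scaled by the 40 dB DC gain and 2 MHz cut-off of
    # Table 1.  Purely illustrative; values taken from the text.
    import math

    G0 = 10 ** (40 / 20)          # 40 dB DC gain -> 100 V/V
    f0 = 2e6                      # cut-off frequency (Hz)

    def T(f_hz: float) -> complex:
        s = 1j * (f_hz / f0)      # normalized complex frequency s = j*f/f0
        return G0 / ((s**2 + 0.7654 * s + 1) * (s**2 + 1.8478 * s + 1))

    for f in (1e3, 1e6, 2e6, 4e6, 8e6):
        gain_db = 20 * math.log10(abs(T(f)))
        print(f"{f/1e6:5.2f} MHz : {gain_db:6.2f} dB")
    # Expected: about 40 dB in band, about 37 dB (-3 dB) at 2 MHz, then a
    # roll-off approaching 24 dB per octave (80 dB/decade) beyond the cut-off.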

Table 1: Baseband Filter Requirements

Specifications        Value
Order                 4th
Transfer Function     Butterworth
DC gain               40 dB
Cut-off frequency     2 MHz

                      Cell 1         Cell 2
Order                 2nd            2nd
Transfer Function     Butterworth    Butterworth
DC gain               20 dB          20 dB
Cut-off frequency     2 MHz          2 MHz
Quality Factor        1.3066         0.5412

3. Operational Amplifier Design

The operational amplifier used in the biquad cell is a differential-input, single-ended-output amplifier. It consists of two stages. The first stage is an NMOS differential-input, single-ended-output stage with a PMOS active load. The second stage is a common-source gain stage with an active load. Capacitor Cc is a Miller capacitance included to ensure stability when the opamp is used with feedback. The gain of the first stage is given by

Av1 = gm1 (rds2 ││ rds4)    (4)

The gain of the second stage is given by

Av2 = -gm7 (rds6 ││ rds7)    (5)
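Equations (4) and (5) can be evaluated directly; the snippet below uses placeholder gm and rds values (not the simulated parameters of this design) simply to show how the two stage gains and the overall gain are obtained.

    # Illustrative evaluation of Eqs. (4) and (5); the gm and rds values are
    # placeholders, not the simulated parameters of this design.
    def parallel(r1: float, r2: float) -> float:
        return r1 * r2 / (r1 + r2)

    def two_stage_gain(gm1, rds2, rds4, gm7, rds6, rds7):
        av1 = gm1 * parallel(rds2, rds4)      # Eq. (4): first (differential) stage
        av2 = -gm7 * parallel(rds6, rds7)     # Eq. (5): second (common-source) stage
        return av1, av2, av1 * av2

    av1, av2, total = two_stage_gain(gm1=200e-6, rds2=400e3, rds4=400e3,
                                     gm7=500e-6, rds6=200e3, rds7=200e3)
    print(f"Av1 = {av1:.1f}, Av2 = {av2:.1f}, overall = {total:.0f} V/V")
    # e.g. Av1 = 40, Av2 = -50, overall = -2000 V/V (about 66 dB)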

Figure 4. Schematic of opamp

Table 2: MOSFET and passive element device sizes used in the opamps

Device    Opamp for Cell 1    Opamp for Cell 2
M1=M2     9.47μ/0.18μ         12.47μ/0.18μ
M3=M4     9.47μ/0.18μ         12.47μ/0.18μ
M5=M6     18.94μ/0.18μ        24.94μ/0.18μ
M7=M8     18.94μ/0.18μ        24.94μ/0.18μ
M9        0.24μ/0.18μ         0.48μ/0.18μ
Rc        680Ω                920Ω
Cc        2.4pF               4.8pF
IB        20μA                20μA

Table 3: Filter passive elements

Element    Cell 1    Cell 2
R1         3.17k     2.8k
R2         31.7k     28k
C          2.6pF     2.9pF

Table 4: Characteristics of opamps and cells after simulation

Specifications                 Cell 1      Cell 2
Opamp DC gain (A0)             44 dB       48 dB
Opamp Cut-off frequency        42 kHz      51 kHz
Opamp Phase Margin             84°         78°
Opamp Slew Rate                2.25 V/μs   2.4 V/μs
Opamp Unity gain frequency     2.98 MHz    3.02 MHz
Opamp CMRR                     110 dB      105 dB
Biquad Cell Gain               19.22 dB    19.41 dB
Biquad Cell Cutoff Frequency   2.04 MHz    2.02 MHz



Table 5: Characteristics of filter after simulation

Specifications        Value
Overall Filter Gain   38 dB
Cutoff Frequency      2.02 MHz

The simulation results for the opamps in Cadence, using 0.18μ UMC CMOS technology, are shown below.

Figure 5. Frequency Response of opamp for Cell 1

Figure 6. Frequency Response of opamp for Cell 2

4. Filter Design

The design equations for the filter are given in (6), where
G = gain of the filter
ωu = unity gain frequency of the opamp
ω0 = cutoff frequency of the filter
Q = quality factor of the filter

Figure 7. Schematic of Overall filter

The simulation results for the Active Gm-RC filter in 0.18μ CMOS technology are shown below.

Figure 8. Frequency Response of Cell 1

Figure 9. Frequency Response of Cell 2


Figure 10. Frequency Response of Overall Filter

Figure 11. dB Compression point of filter

Figure 12. Layout of opamp used in filter


Figure 13. Output noise

5. Applications

The Active Gm-RC filter is used in Direct Conversion Receivers as a channel select (baseband) filter. It eliminates the need for intermediate frequency stages as in the case of superheterodyne receivers, which reduces the cost and improves the performance of the circuit.

6. Conclusion

A low voltage fourth order analog baseband filter for UMTS receivers has been presented. The filter is able to operate at 1.2 V with a 2 MHz -3 dB bandwidth. The filter operates with good linearity and low noise.

Table 6: Filter Performance Summary

Parameter                    This Design    [1]         [3]
DC gain (G)                  38 dB          32 dB       34 dB
f-3dB (Cut-off frequency)    2.02 MHz       2.11 MHz    2 MHz
Power Consumption            122 μW         2.8 mW      3.4 mW
VDD                          1.2 V          1.8 V       2.5 V
CMOS process                 0.18 μm        0.18 μm     0.5 μm
Noise (nV/√Hz)               13.25          30          50

References

[1] S. D'Amico and A. Baschirotto, "Active-Gm-RC Continuous-Time Biquadratic Cells," Analog Integrated Circuits and Signal Processing, Springer, vol. 45, pp. 281-294, 2005.

[2] Marcello De Matteis, Stefano D’Amico and Andrea Baschirotto, “A 1.9 V 60 dB-DR Fourth-Order Analog Baseband Filter,” IEEE Journal of Solid-State Circuits, vol. 44, no. 9, pp. 2525- 2534, September 2006.

[3] S. Pavan, Y. P. Tsividis, and K. Nagaraj, "Widely programmable high frequency continuous-time filters in digital CMOS technology," IEEE Journal of Solid-State Circuits, vol. 35, no. 4, pp. 503-511, April 2000.

[4] D. A. Johns and K. Martin, Analog Integrated Circuit Design. John Wiley and Sons, Inc., 1996, pp. 221-251.

[5] H. Huang and E. K. F. Lee, “Design of low-voltage CMOS continuous time filter with on-chip automatic tuning,” IEEE Journal of Solid-State Circuits, vol. 36, no. 8, pp. 1168–1177, Aug. 2001.

Authors Profile

Sandeep Garg received the B.E. degree in Electronics and Instrumentation Engineering from D.A.V.V. University, Indore, India in 2002 and the M.Tech. degree in Microelectronics and VLSI Design from SGSITS, Indore, India in 2010. His area of interest is CMOS analog VLSI design. He has published three papers at the national level.

D.S. Ajnar received the B.E. degree in Electronics and Communication Engineering from D.A.V.V. University, India in 1993 and the M.E. degree in Digital Techniques & Instrumentation Engineering from Rajiv Gandhi Technical University, Bhopal, India in 2000. He has been in the teaching and research profession since 1995. He is now working as a Reader in the Department of Electronics & Instrumentation Engineering, S.G.S.I.T.S, Indore, India. His research interests are the design of analog filters and current conveyors.

P.K. Jain received the B.E. degree in Electronics and Communication Engineering from D.A.V.V. University, India in 1987 and the M.E. degree in Digital Techniques & Instrumentation Engineering from Rajiv Gandhi Technical University, Bhopal, India in 1993. He has been in the teaching and research profession since 1988. He is now working as a Reader in the Department of Electronics & Instrumentation Engineering, S.G.S.I.T.S, Indore, India. His field of research interest is analog circuit design.


Evaluating Learning Objects for Students: An adaptive model

Sonal Chawla and Dr. R.K. Singla

Dept of Computer Science & Appl, Panjab University, Chandigarh, INDIA
[email protected]

Abstract: The research paper looks at the perception of students and their readiness for the new approach towards learning through Learning Objects. The Learning Objects for the C++ course were developed as part of this study and then tested using the LORI scale, and the performance of the students taught using learning objects was compared with that of students learning the same course in the traditional way. Finally, conclusions are drawn.

Keywords: Learning Objects, LORI Scoresheets, e-learning, learning evaluation.

1. Introduction

The development of effective content suiting the learning style of users and the prevailing learning scenarios improves the success rate of an e-Learning initiative significantly. It is, therefore, important for content to adhere to the objectives of the program and be powerful enough to engage the user. The establishment of means of quality assurance requires criteria for evaluation that support the communication of meaningful feedback to content designers. Development of Learning Objects that match intended outcomes and deliver the requisite cognitive load requires careful planning and structured development. For that purpose, Nesbit and Li [10] developed a Learning Object Review Instrument (LORI 1.5) which can be used to reliably assess some aspects of Learning Objects. This approach was adopted in the design of their convergent participation model for the evaluation of learning objects. Their model proposed an evaluation panel drawn from different stakeholder groups and a two-cycle process, whereby participants would begin by evaluating the learning object independently and asynchronously. The two-stage cycle was facilitated by electronic communication tools and used the Learning Object Review Instrument (LORI) to specify the rating scale and criteria of evaluation. Subsequent research on the use of the LORI revealed that objects that were evaluated collaboratively led to greater inter-rater reliability as opposed to ones evaluated independently.

There have been a limited number of empirical studies examining the learning outcomes and the instructional effectiveness of Learning Objects, despite the fact that Learning Object repositories commonly use the review instruments. A few worth mentioning are the studies by Kay and Knaack [3][2], which examine the quality of Learning Objects through content analysis of open-ended response questions based on principles of instructional design and perceived benefit under post-hoc structured categories. They evaluated five learning objects with secondary school students, but this work has the limitation that it focused only on perceived benefits of Learning Objects rather than on the actual learning outcomes resulting from the Learning Object activities. In another study, Akpinar and Simsek [1] tested eight Learning Objects with school children in a pre-post test research design. The data analysis revealed that seven of the Learning Objects helped the sample students improve their pre-test scores, but in one, the Horizontal Projectile Motion (HPM) LO for ninth grade students, the scores did not improve. With a similar design, Nurmi and Jaakkola [4] conducted an experimental study using a pre-test post-test design to evaluate the effectiveness of three Learning Objects from three different subject areas, i.e. Mathematics, Finnish Language and Science. The Learning Objects, tested with school children, were used in different instructional settings. The results revealed that no significant differences were observed between the Learning Object and the traditional teaching conditions with low and high prior knowledge students.

This study, thus, developed ten Learning Objects for the C++ course using the authoring software 'Xerte' [9] and 'Moodle' and then tested them by conducting two studies. The details of Learning Object development have been deliberately kept out of this research paper since its major focus is on the evaluation of the developed Learning Objects.

2. Study 1: To evaluate the Quality of Learning Objects using the LORI score sheets

2.1 Aim of the Study

To evaluate the quality of the developed Learning Objects, the students were asked to rate and review the Learning Objects individually using the LORI score sheets (the sample sheet variables are discussed below). Following the reviewing and rating process, the researcher combined the ratings and estimated an average rating for each Learning Object. Average ratings were estimated both for each of the nine criteria for a particular Learning Object and for the overall rating of that Learning Object.
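A minimal sketch of this aggregation step is shown below; the criterion names follow LORI 1.5, but the score-sheet structure and example ratings are illustrative rather than the study's actual data.

    # Sketch of the rating aggregation described above: average each of the
    # nine LORI criteria (V1-V9) over all reviewers of a Learning Object, and
    # take the mean of those nine averages as the object's overall rating.
    from statistics import mean

    CRITERIA = [f"V{i}" for i in range(1, 10)]   # the nine LORI 1.5 dimensions

    def aggregate_lori(score_sheets):
        """score_sheets: list of dicts mapping criterion -> rating (e.g. 1..5)."""
        per_criterion = {c: mean(sheet[c] for sheet in score_sheets) for c in CRITERIA}
        overall = mean(per_criterion.values())
        return per_criterion, overall

    sheets = [
        {c: r for c, r in zip(CRITERIA, (4, 3, 4, 5, 4, 3, 2, 4, 3))},
        {c: r for c, r in zip(CRITERIA, (5, 4, 3, 4, 4, 4, 3, 3, 4))},
    ]
    per_criterion, overall = aggregate_lori(sheets)
    print(per_criterion["V1"], round(overall, 2))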


2.2 Methodology

The evaluation of Learning Objects for their quality was based on the LORI (Learning Object Review Instrument) scale [10]. The dimensions for evaluating learning object quality in LORI 1.5 are listed below:

Content Quality (V1): refers to veracity, accuracy, balanced presentation of ideas, and appropriate level of detail included in Learning Objects.

Learning Goal Alignment (V2): refers to alignment among learning goals, activities, assessments, and learner characteristics.

Feedback and Adaptation (V3): refers to adaptive content or feedback driven by differential learner input or learner modeling.

Motivation (V4): refers to the ability to motivate and interest an identified population of learners.

Presentation Design (V5): refers to the design of visual and auditory information for enhanced learning and efficient mental processing.

Interaction Usability (V6): refers to ease of navigation, predictability of the user interface and quality of the interface help features.

Accessibility (V7): refers to the design of controls and presentation formats to accommodate disabled and mobile learners.

Reusability (V8): refers to the ability to use the object in varying learning contexts and with learners from differing backgrounds.

Standards Compliance (V9): refers to adherence to international standards and specifications.

2.3 Observation

Table 1: Correlation matrix between variables (Pearson correlation; two-tailed significance in parentheses; N = 35 for every pair)

      V1             V2             V3             V4             V5             V6             V7             V8             V9
V1    1              .498** (.002)  -.072 (.682)   -.478** (.004) -.330 (.053)   .152 (.383)    -.218 (.208)   -.194 (.263)   .412* (.014)
V2    .498** (.002)  1              .172 (.324)    .080 (.647)    -.547** (.001) -.196 (.259)   -.734** (.000) -.099 (.571)   .464** (.005)
V3    -.072 (.682)   .172 (.324)    1              .709** (.000)  .150 (.389)    .056 (.751)    -.511** (.002) -.119 (.494)   .268 (.119)
V4    -.478** (.004) .080 (.647)    .709** (.000)  1              .206 (.234)    -.031 (.860)   -.293 (.087)   .099 (.570)    .157 (.369)
V5    -.330 (.053)   -.547** (.001) .150 (.389)    .206 (.234)    1              .181 (.298)    .210 (.226)    -.237 (.170)   -.361* (.033)
V6    .152 (.383)    -.196 (.259)   .056 (.751)    -.031 (.860)   .181 (.298)    1              .459** (.006)  -.484** (.003) .084 (.631)
V7    -.218 (.208)   -.734** (.000) -.511** (.002) -.293 (.087)   .210 (.226)    .459** (.006)  1              .201 (.247)    -.343* (.043)
V8    -.194 (.263)   -.099 (.571)   -.119 (.494)   .099 (.570)    -.237 (.170)   -.484** (.003) .201 (.247)    1              -.211 (.224)
V9    .412* (.014)   .464** (.005)  .268 (.119)    .157 (.369)    -.361* (.033)  .084 (.631)    -.343* (.043)  -.211 (.224)   1

** Correlation is significant at the 0.01 level (2-tailed).
* Correlation is significant at the 0.05 level (2-tailed).

2.4 Analysis and Discussion

Table 1 is a 9 x 9 symmetric correlation table. The correlation between all nine variables of the LORI chart, taken as V1 to V9 respectively, is shown here. Values marked ** indicate that the correlation between the two variables is significant at the 1% level, and * indicates significance at the 5% level. The correlation table shows that there is a significant positive correlation between V1 and V2 (r = .498, p < .002) and between V1 and V9 (r = .412, p < .014); however, there is a negative correlation between V1 and V4 (r = -.478, p < .004). The correlation of V1 with the other variables was found to be non-significant. Similarly, there is a significant positive correlation between V2 and V9 (r = .464, p < .005) and a negative correlation between V2 and V5 (r = -.547, p < .001), while the correlations of the rest of the variables with V2 are non-significant. A positive correlation exists between V3 and V4 (r = .709, p < .0001) and between V6 and V7 (r = .459, p < .006), and a negative correlation between V3 and V7 (r = -.511, p < .002) and between V6 and V8 (r = -.484, p < .003). So the null hypothesis that there is no correlation between two variables is rejected wherever the correlation coefficient is significant. The table also suggests that content quality has a positive correlation with learning goal alignment and motivation, which suggests that when the content quality is enhanced the students are better aligned to their learning goals and their motivation increases. A positive correlation has also been observed between other variables such as Feedback and Adaptation and Motivation, and Interaction Usability and Accessibility, as shown in Table 1. This indicates that the better the design features, the better the usability and accessibility, i.e., they are directly proportional to one another. So wherever the correlation is significant, the null hypothesis that the correlation between the two variables of the LORI sheets is zero is rejected.
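For reference, a correlation table of this kind can be reproduced as sketched below; the code assumes SciPy and uses randomly generated ratings as a stand-in for the actual 35 score sheets.

    # Sketch of how a correlation matrix like Table 1 can be produced: Pearson
    # r with two-tailed p-values for every pair of the nine LORI variables
    # (N = 35).  The random data below is a stand-in for the real score sheets.
    import numpy as np
    from scipy.stats import pearsonr

    rng = np.random.default_rng(0)
    ratings = rng.integers(1, 6, size=(35, 9))       # 35 students x V1..V9 (stand-in)

    n_vars = ratings.shape[1]
    r = np.ones((n_vars, n_vars))
    p = np.zeros((n_vars, n_vars))
    for i in range(n_vars):
        for j in range(i + 1, n_vars):
            r[i, j], p[i, j] = pearsonr(ratings[:, i], ratings[:, j])
            r[j, i], p[j, i] = r[i, j], p[i, j]

    def stars(pv):            # significance markers as used in Table 1
        return "**" if pv < 0.01 else "*" if pv < 0.05 else ""

    print(f"V1-V2: r = {r[0, 1]:+.3f}{stars(p[0, 1])} (p = {p[0, 1]:.3f})")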

3. Study 2: To compare the performance of students when taught C++ under traditional, teacher led instruction mode with the performance when taught C++ using Learning Object Approach.

3.1 Aim of the study

The aim of this study is to gain empirical evidence on the educational effectiveness and usefulness of Learning Objects in various instructional settings. In this study, the effectiveness of the Learning Object learning environment is compared with a traditional classroom teaching environment in delivering a course on C++. This is thus an exploratory study that consists of comparing the performance of two groups of students studying programming in C++ under two different conditions:

• Using traditional teacher led approach
• Using Learning Objects

3.2 Methodology followed

The study was based on a pre-test-post-test design in which the educational effectiveness of the learning conditions (Learning Object versus traditional instruction) is measured in terms of gains in subject knowledge. In addition to statistical analysis of the test score data, more descriptive and qualitative observational analyses were made. The results of this study were compared and some conclusions were drawn. The study consisted of two hours of concrete working and the administration of various tests. Before the actual working phase (treatment phase), students completed a pre-test to gain insight into their background in the programming language C++.
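The statistical comparison described here can be sketched as follows; the paired t-test mirrors the analysis reported later in Section 3.7 and Table 2, but the score vectors below are made up for illustration.

    # Hedged sketch of the pre-test/post-test comparison used in Study 2: a
    # paired t-test on each group's pre- and post-test scores (SciPy), with
    # made-up score vectors standing in for the real data (see Table 2 for
    # the actual summary statistics).
    from scipy.stats import ttest_rel

    traditional_pre  = [2, 0, 5, 1, 3, 2, 4, 0, 1, 6, 2, 3, 0, 2, 5, 1, 2]   # n = 17
    traditional_post = [3, 1, 6, 2, 4, 2, 5, 1, 2, 7, 3, 4, 1, 3, 5, 2, 2]

    t_stat, p_value = ttest_rel(traditional_pre, traditional_post)
    print(f"t = {t_stat:.3f}, p = {p_value:.3f}")
    # p > .05 would mean the pre/post gain is not statistically significant,
    # i.e. the null hypothesis of "no difference" cannot be rejected.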


Over a period of a semester the students were taught the course in the two different modes. The total group size was 35, where 18 students were taught using the Learning Object approach and the remaining 17 using the traditional mode. Before forming these groups, students with no programming experience and with previous programming experience were identified, and both types were randomly distributed within the two groups.

3.3 Structure of Teaching Session

Each group was given an hour's session with the following structure:

1. A lecture about the C++ topic.
2. Individual study and use of corresponding learning materials.
3. Solution of a test.

In order to control the teaching style variable, the same teacher conducted both sessions. In the LO condition (n = 18), the students were first given an introduction to the subject content, and for the rest of the sessions they completed LO assignments individually at their own pace. The Learning Objects were principally quite simple drill-and-practice programs which were designed to be game-like and to provide instant feedback for students' input/answers. The way of working was student-led, because there was no direct teaching and no teacher-controlled tasks during the assignment phase. The students were briefed that, in order to be successful in this approach, they required a higher level of self-regulation and metacognitive skills (such as self-monitoring, controlling, and maintenance of task orientation) than when working in the traditional condition. The students (n = 17) in the traditional mode were taught in the normal classroom. The teaching method resembled normal instruction, with a teacher-led introduction followed by an assignment phase during which students individually completed different paper-and-pencil tasks. These tasks were similar to the assignments completed in the LO mode.

3.4 Description of the Test

The students were evaluated on the basis of a written exam. The test consisted of two exercises: one to demonstrate the theoretical knowledge of the students and the second to judge their practical programming abilities. The complete test summed up to a maximum score of 10 points. The test was conducted over a one hour duration.

3.5 Teaching Methodology

The traditional group was taught using lecture delivery and instructional material containing theory and examples. Later they were given free time to explore, study and experiment with the topics covered in the class. The lectures were delivered to the Learning Object group by using the Learning Objects designed by the researcher as part of this study. They too were given free time to explore the topic. At the end of the course both groups were tested.

3.6 Hypothesis

Traditional Approach
1) H0 = Teaching using the traditional method is not effective.
2) H1 = Teaching using the traditional method is effective.

Learning Object Approach
1) H0 = Teaching using the Learning Object method is not effective.
2) H1 = Teaching using the Learning Object method is effective.

Here H0 is the null hypothesis, an important technique used by researchers in the field of education; a null hypothesis is useful in testing the significance of a difference.

3.7 Analysis and Observations

In order to note and compare the behavioral patterns of the students studying the same course in different modes, the teacher conducting the test provided qualitative data for the analysis. The teacher observed that, during the course of the evaluation, the participants of the Learning Object group were nervous, stressed and anxious, and took more time to complete the test, whereas the traditional group was more at ease, relaxed and less stressed. The data obtained for both groups are summarized below:

Table 2: Pre-test Post-test analysis of Traditional and LO group

Group         Test        N    Mean   Std. Deviation   Paired t-test   p-value
Traditional   Pre-test    17   2.29   2.51             .483            > .05
              Post-test   17   3.11   2.12
LO            Pre-test    18   3.00   2.26             .388            > .05
              Post-test   18   3.61   2.10

The results clearly indicate that the mean of the Learning Object group was slightly superior to that of the traditional group; they performed better in both the tests given to them as part of the evaluation. In the pre-test the traditional group (mean = 2.29) did not perform better than the LO group (mean = 3.00).

However, the performance of the Learning Object group in the post-test (mean = 3.61) was better than that of the traditional group (mean = 3.11). When a paired t-test was applied to the pre- and post-test observations of each group, the results were non-significant in each case (Traditional = .483, LO = .388). The paired t-test thus showed no statistically significant difference between the conditions (p > .05). The null hypothesis therefore has to be accepted: there is no significant difference between the performance of students in the two modes.

According to the preliminary analysis, the observations revealed that in the LO condition students worked mainly on the perception that they had two different assignments: learn to use the Learning Objects and complete the test. They seemed to focus on procedural features and concrete functions rather than on content or instructional aspects. They were more interested in working out the logic behind the Learning Objects, i.e., how they worked. Although students' task orientation remained good during the sessions while they were actively accomplishing LO assignments, the depth of this orientation was limited. Working with the LOs did not engage students in thinking about the content being learnt. In contrast, the work in the traditional condition was much more focused on the learning tasks. This could be due to the larger amount of external control imposed by the teacher. It can, therefore, be concluded that the self-regulation requirements of the LO condition were overwhelming and, at the same time, detrimental to the students' learning outcomes. It can also be reasonably assumed that the sole use of Learning Objects in lecture impartation and course delivery cannot bring a significant difference in the performance of students. There are other important contextual factors that may yet have to be identified to improve academic achievement. Besides, a more prolonged exposure to LOs has to be explored and measured under carefully controlled conditions. It is also worth considering whether the learning orientation of the students in the LO condition was mere curiosity about a new style of learning, or whether the LO design and its supporting pedagogy need to be modified. Therefore, when examining the effectiveness of Learning Objects on student learning outcomes, it is essential to note that it is the effect of the whole learning environment and not just that of the Learning Objects. As it is impossible to separate learning activities, learned contents and learning situations from each other, it is also not feasible to detach the educational technology applications used from the social and contextual factors of the learning processes. Thus, it is the Learning Objects and the instructional arrangements within learning environments that interact together to stimulate certain student learning activities, behaviours and outcomes. Learning Objects represent only one part of the larger learning environment and are not a self-contained instructional solution.

References

[1] Y. Akpinar & H. Simsek, "Should K-12 teachers


A Mechanism for detecting Wormhole Attacks on Wireless Ad Hoc Network

Ajit Singh1, Kunwar Singh Vaisla2

1Department of CSE, VCT Kumaon Engineering College Dwarahat, District – Almora (Uttarakhand), India

[email protected]

2Department of CSE, VCT Kumaon Engineering College Dwarahat, District – Almora (Uttarakhand), India

[email protected]

Abstract: A wireless ad hoc network is an autonomous system of mobile hosts connected by wireless links. The nodes are free to move randomly and organize themselves arbitrarily; thus the network's topology may change rapidly and unpredictably. Unlike traditional wireless networks, ad hoc networks do not rely on any fixed infrastructure; instead, hosts rely on each other to keep the network connected. One main challenge in the design of these networks is their vulnerability to security attacks. Ad hoc networks are vulnerable due to their fundamental characteristics, such as open medium, dynamic topology, distributed cooperation and constrained capability. Routing plays an important role in the security of ad hoc networks. In ad hoc networks there are mainly two kinds of routing protocols: proactive routing protocols and on-demand routing protocols. In general, routing security in wireless ad hoc networks appears to be a problem that is not trivial to solve.

In this paper, we introduce the wormhole attack, a severe attack in ad hoc networks that is particularly challenging to defend against. The wormhole attack is possible even if the attacker has not compromised any hosts and even if all communication provides authenticity and confidentiality. In the wormhole attack, an attacker receives packets at one point in the network, “tunnels” them to another point in the network, and then replays them into the network from that point. The wormhole attack can form a serious threat in wireless networks, especially against many ad hoc network routing protocols and location-based wireless security systems. For example, most existing ad hoc network routing protocols, without some mechanism to defend against the wormhole attack, would be unable to find routes longer than one or two hops, severely disrupting communication. We present a technique to identify wormhole attacks in wireless ad hoc network and a solution to discover a safe route avoiding wormhole attack. It is time based calculation which requires minimal calculation.

Keywords: Ad hoc Networks, Wormholes.

1. Introduction Ad hoc networks consist of wireless nodes that communicate with each other in the absence of a fixed infrastructure. These networks are envisioned to have dynamic, sometimes rapidly changing, random, multi-hop topologies, which are likely composed of relatively bandwidth-constrained wireless links. In such a network, each mobile node operates not only as a host but also as a router, forwarding packets for other mobile nodes in the network that may not be within direct wireless transmission range of each other. Each node participates in an ad hoc routing protocol that allows it to discover “multi-hop” paths through the network

to any other node. The idea of ad hoc networking is sometimes also referred to as “infrastructure less networking”, since the mobile nodes in the network dynamically establish routing among themselves to form their own network on the fly. Due to the limited transmission range of wireless networks interfaces, multiple network hops may be needed for one node to exchange data with another across the network.[1] Ad hoc network technology can provide an extremely flexible method of establishing communications in situations where geographical or terrestrial constraints demand a totally distributed network system without any fixed based station, such as battlefields, military applications, and other emergency and disaster situations.[2] However, security is an important issue of ad hoc network especially for security sensitive applications. The intrinsic nature of wireless ad hoc networks makes them vulnerable to attacks ranging from passive eavesdropping to active interfering. There is no guarantee that a routed communication path between two nodes will be free of malicious nodes that will, in some way, not comply with the employed protocol and attempt to interfere the network operation. Most routing protocol cannot cope with disruptions due to malicious behavior. For example, any node could claim that it is one hop away from a given destination node, causing all routes to that destination to pass through itself. In this paper, we introduce the wormhole attack, a severe attack in ad hoc networks that is particularly challenging to defend against. The wormhole attack is possible even if the attacker has not compromised any hosts and even if all communication provides authenticity and confidentiality. In the wormhole attack, an attacker receives packets at one point in the network, “tunnels” them to another point in the network, and then replays them into the network from that point. The wormhole attack can form a serious threat in wireless networks, especially against many ad hoc network routing protocols and location-based wireless security systems. For example, most existing ad hoc network routing protocols, without some mechanism to defend against the wormhole attack, would be unable to find routes longer than one or two hops, severely disrupting communication. We present a technique to identify wormhole attacks in wireless ad hoc network and a solution to discover a safe route avoiding wormhole attack.


The rest of the paper is organized as follows. Section 2 presents wormhole attacks in detail. Section 3 surveys existing solutions to the wormhole attack. Section 4 discusses the proposed mechanism to protect ad hoc wireless networks from the wormhole attack. Section 5 concludes the paper.

2. Wormhole Attacks In a wormhole attack, an attacker receives packets at one point in the network, “tunnels” them to another point in the network, and then replays them into the network from that point. For tunneled distances longer than the normal wireless transmission range of a single hop, it is simple for the attacker to make the tunneled packet arrive sooner than other packets transmitted over a normal multihop route, for example by use of a single long-range directional wireless link or through a direct wired link to a colluding attacker. It is also possible for the attacker to forward each bit over the wormhole directly, without waiting for an entire packet to be received before beginning to tunnel the bits of the packet, in order to minimize delay introduced by the wormhole. The wormhole attack is a particularly dangerous attack against many ad hoc network routing protocols in which the nodes that hear a single-hop transmission of a packet consider themselves to be in range of the sender.

Figure 1. Wormhole attack using out of band Channel

2.1 Classification There are several ways to classify wormhole attacks.

2.1.1 Depending on whether wormhole nodes put their identity into packet’s header.[12]

Here we can categorize wormhole attacks into two categories: hidden attacks and exposed attacks. In a hidden attack, wormhole nodes do not update packets' headers as they should, so other nodes do not realize their existence. In an exposed attack, wormhole nodes do not modify the content of packets, but they include their identities in the packet header as legitimate nodes do. Therefore, other nodes are aware of the wormhole nodes' existence, but they do not know that the wormhole nodes are malicious.

2.1.2 Based on the techniques used for launching wormhole attack.[2]

(a) Wormhole using Encapsulation

This mode of the wormhole attack is easy to launch since the two ends of the wormhole do not need to have any

cryptographic information, nor do they need any special capabilities, such as a high speed wire line link or a high power source. A simple way of countering this mode of attack is a by-product of the secure routing protocol ARAN [10], which chooses the fastest route reply rather than the one which claims the shortest number of hops. This was not a stated goal of ARAN, whose motivation was that a longer, less congested route is better than a shorter and congested route.

(b) Wormhole using Out-of-Band Channel

This mode of the wormhole attack is launched by having an out-of-band high-bandwidth channel between the malicious nodes. This channel can be achieved, for example, by using a long-range directional wireless link or a direct wired link. This mode of attack is more difficult to launch than the previous one since it needs specialized hardware capability.

(c) Wormhole with High Power Transmission

In this mode, when a single malicious node gets a route request, it broadcasts the request at a high power level, a capability which is not available to other nodes in the network. Any node that hears the high-power broadcast, rebroadcasts it towards the destination. By this method, the malicious node increases its chance to be in the routes established between the source and the destination even without the participation of a colluding node. A simple method to mitigate this attack is possible if each node can accurately measure the received signal strength and has models for signal propagation with distance. In that case, a node can independently determine if the transmission it receives is at a higher than allowable power level. However, this technique is approximate at best and dependent on environmental conditions. LITEWORP provides a more feasible defense against this mode.

(d) Wormhole using Packet Relay

In this mode of the wormhole attack, a malicious node relays packets between two distant nodes to convince them that they are neighbors. It can be launched by even one malicious node.

(e) Wormhole using Protocol Deviations

In this mode, a malicious node can create a wormhole by simply not complying with the protocol and broadcasting without backing off. The purpose is to let the request packet it forwards arrive first at the destination, so that it is included in the path to the destination.

3. Solutions to Wormhole Attacks
Packet Leashes [1] is an approach in which some information is added to a packet to restrict its maximum transmission distance. There are two types of packet leashes: geographic leashes and temporal leashes. With a geographic leash, when a node A sends a packet to another node B, node A must include its location information and sending time in the packet; B can then estimate the distance between them. The geographic leash computes an upper bound on the distance, whereas the temporal leash ensures that a packet has an upper bound on its lifetime. Temporal leashes require all nodes to have tightly synchronized clocks. The maximum difference between any


two nodes' clocks is bounded by Δ, and this value should be known to all nodes. Using these metrics, each node checks the expiration time carried in the packet and determines whether a wormhole attack has occurred: if the packet is received after its expiration time, the packet is discarded.
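As a rough illustration of the temporal-leash check just described, the sketch below discards a packet whose receive time exceeds the expiration implied by the maximum allowed range and the clock-skew bound Δ. The constants and function names are assumptions made for illustration, not values taken from [1].

```python
# A minimal sketch of a temporal-leash check; constants are illustrative assumptions.
SPEED_OF_LIGHT = 3e8          # metres per second
MAX_CLOCK_SKEW = 1e-6         # Delta: bound on clock difference between any two nodes (s)
MAX_RANGE = 250.0             # allowed single-hop transmission distance (m)

def accept_packet(send_time: float, receive_time: float) -> bool:
    """Accept only if the packet could have travelled at most MAX_RANGE metres."""
    # Expiration implied by the leash: send time + time to cover MAX_RANGE,
    # padded by the worst-case clock skew Delta.
    expiration = send_time + MAX_RANGE / SPEED_OF_LIGHT + MAX_CLOCK_SKEW
    return receive_time <= expiration

# Example: a packet relayed over a long wormhole tunnel arrives "too late"
print(accept_packet(send_time=0.0, receive_time=0.5e-6))   # True  (normal neighbour)
print(accept_packet(send_time=0.0, receive_time=2.0e-5))   # False (suspicious delay)
```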

Capkun et al. [7] presented SECTOR, which requires neither clock synchronization nor location information, by using Mutual Authentication with Distance-Bounding (MAD). A node estimates the distance to another node in its transmission range by sending it a one-bit challenge, to which the other node responds instantaneously. Using the time of flight, the node can detect whether the other node is a true neighbour. However, like packet leashes, this approach requires special hardware that can respond to a one-bit challenge without any delay.

The Delay per Hop Indicator (DelPHI) [9], proposed by Hon Sun Chiu and King-Shan Lui, can detect both hidden and exposed wormhole attacks. In DelPHI, an attempt is made to find every available disjoint route between the sender and the receiver. The delay and length of each route are then calculated, and the average delay per hop along each route is computed. These values are used to identify wormholes: a route containing a wormhole link will have a greater Delay per Hop (DPH) value. This mechanism can detect both types of wormhole attack; however, it cannot pinpoint the location of the wormhole. Moreover, because the length of a route is updated by every node, including wormhole nodes, wormhole nodes can change the route length in such a way that they avoid detection.
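A minimal sketch of the delay-per-hop comparison follows; the outlier rule (a fixed factor over the fastest route) is an assumption made for illustration and is not specified by DelPHI.

```python
# Sketch of the delay-per-hop idea: routes whose average per-hop delay is far
# above the others are suspected of containing a wormhole link.
def suspicious_routes(routes, factor=2.0):
    """routes: list of (round_trip_delay_seconds, hop_count) per disjoint route."""
    dph = [delay / hops for delay, hops in routes]      # delay per hop of each route
    baseline = min(dph)                                  # fastest route as reference
    return [i for i, v in enumerate(dph) if v > factor * baseline]

routes = [(0.020, 5), (0.018, 4), (0.060, 3)]            # third route: few hops, large delay
print(suspicious_routes(routes))                         # -> [2]
```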

Hu and Evans [6] use directional antennas to prevent the wormhole attack. To thwart the wormhole, each node shares a secret key with every other node and maintains an updated list of its neighbors. To discover its neighbors, a node, called the announcer, uses its directional antenna to broadcast a HELLO message in every direction. Each node that hears the HELLO message sends its identity and an encrypted message, containing the identity of the announcer and a random challenge nonce, back to the announcer. Before the announcer adds the responder to its neighbor list, it verifies the message authentication using the shared key, and that it heard the message in the opposite directional antenna to that reported by the neighbor. This approach is suitable for secure dynamic neighbor detection. However, it only partially mitigates the wormhole problem. Specifically, it only prevents the kind of wormhole attacks in which malicious nodes try to deceive two nodes into believing that they are neighbors.

In [8], another statistical approach called SAM (Statistical Analysis of Multi-path) was proposed to detect exposed wormhole attacks in multi-path routing protocols. The main idea of SAM is the observation that certain statistics of the routes discovered by routing protocols change dramatically under wormhole attacks: because wormhole links are extremely attractive to routing requests, they appear in more routes than normal links. By computing the relative frequency with which each link appears in the set of all obtained routes, wormhole attacks can be identified. This technique can only detect exposed attacks; it is unable to detect hidden attacks, because in that case the wormhole links do not appear in the obtained routes.

In [2], the authors proposed two statistical approaches to detect wormhole attacks in wireless ad hoc networks. The first, called the Neighbor Number Test, is based on the simple assumption that a wormhole increases the number of neighbours of the nodes (fake neighbours) within its radius. The base station collects neighbourhood information from all sensor nodes, computes the hypothetical distribution of the number of neighbours, and uses a statistical test to decide whether there is a wormhole. The second, called the All Distances Test, detects a wormhole by computing the distribution of the lengths of the shortest paths between all pairs of nodes. In both algorithms, most of the workload is done at the base station to save the sensor nodes' resources. However, a major drawback is that they cannot pinpoint the location of the wormhole, which is necessary for a successful defense.

Possible solutions to wormhole attacks proposed by different researchers have been discussed in this section. In this paper, we propose a wormhole detection approach that needs neither special hardware nor additional information.

4. Proposed Detection Mechanism
In this section the proposed wormhole detection mechanism is discussed in detail. The mechanism does not need any special hardware or synchronized clocks, because each node only uses its local clock to calculate the RTT.

4.1 Network model and assumptions
The network is assumed to be homogeneous (all nodes have the same hardware and software configuration), static (nodes do not move after deployment), and symmetric (node A can communicate with node B if and only if B can communicate with A). All nodes are uniquely identified.

Detection is based on the RTT of messages between successive intermediate nodes. The idea is that the RTT between two fake neighbours, i.e. across a wormhole link, will be considerably higher than the RTT between two real neighbours.

The proposed mechanism consists of two phases. The first phase finds a route between the source and the destination. In the second phase, the RTTs of all intermediate nodes are calculated and the wormhole link in the route is detected.

4.2 Phase 1: Route Finding
In the first phase, the source node sends a route request (RREQ) message to its neighbour nodes and saves the time TREQ at which the RREQ was sent. Each intermediate node also forwards the RREQ message and saves its own sending time TREQ. When the RREQ message reaches the destination node, the destination sends a route reply (RREP) message back along the reserved path. When an intermediate node receives the RREP message, it saves the time at which it received the


RREP. The detection is based on the RTT of the route request and reply. The RTT can be calculated as

RTT = TREP - TREQ    (1)

All intermediate nodes save this information and then send it also to the source node.

4.3 Phase 2: Wormhole Attack Detection
In this phase, the source node calculates the RTTs of all intermediate nodes. Since a wormhole attack is launched by adversarial intermediate nodes, there is no need to calculate the RTT between the source and the first node or between the last node and the destination. The source calculates the RTT between each pair of successive intermediate nodes and compares the values to check whether a wormhole attack may be present. If there is no attack, the values are nearly the same; if one RTT value is much higher than those of the other successive node pairs, a wormhole attack can be suspected on that link. In this way the mechanism can pinpoint the location of the wormhole attack.

Figure 2. Time of forwarding RREQ & receiving RREP.

4.4 Calculation of RTT
In this subsection, the detailed calculation of the RTT is discussed. The RTT of a node is the time difference between the moment the node forwards the RREQ towards the destination and the moment it receives the corresponding RREP from the destination. The times of sending RREQ and receiving RREP during route setup are illustrated in Figure 2. Every node saves the time it forwards the RREQ and the time it receives the RREP from the destination, calculates its RTT, and sends these values to the source node. The source node is in charge of calculating all RTT values between intermediate nodes along the established route.

Given all RTT values between nodes in the route and the destination, RTT between two successive nodes, say A and B, can be calculated as follows:

RTTA,B = RTTA - RTTB    (2)

where RTTA is the RTT between node A and the destination, and RTTB is the RTT between node B and the destination.

For example, suppose the route from source (S) to destination (D) passes through nodes A, B, K and L, so the routing path is

S → A → B → K → L → D

where T(S)REQ, T(A)REQ, T(B)REQ, T(K)REQ, T(L)REQ, T(D)REQ are the times at which nodes S, A, B, K, L, D forward the RREQ, and T(S)REP, T(A)REP, T(B)REP, T(K)REP, T(L)REP, T(D)REP are the times at which they forward the RREP.

Then the RTT between S, A, B, K, L and D will be calculated based on equation (1) as follows:

RTTA = T(A)REP – T(A)REQ

RTTB = T(B)REP – T(B)REQ

RTTK = T(K)REP – T(K)REQ

RTTL = T(L)REP – T(L)REQ

And the RTT values between two successive intermediate nodes along the path will be calculated based on equation (2):

RTTA,B = RTTA – RTTB

RTTB,K = RTTB - RTTK

RTTK,L = RTTK - RTTL

Under normal circumstances, RTTA,B, RTTB,K and RTTK,L have similar values. If there is a wormhole link between two nodes, the corresponding RTT value may be considerably higher than the other successive RTT values, and a wormhole link can be suspected between these two nodes.
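The following is a minimal sketch of this check, assuming equations (1) and (2) above and an illustrative outlier rule (three times the median successive-link RTT), which is not prescribed by the paper.

```python
# Sketch of the RTT-based wormhole check; the 3x-median outlier rule is an
# illustrative assumption, not the paper's stated threshold.
from statistics import median

def per_node_rtt(t_req, t_rep):
    """Equation (1): RTT of node X = T(X)REP - T(X)REQ, for every node on the path."""
    return {node: t_rep[node] - t_req[node] for node in t_req}

def link_rtts(path, rtt):
    """Equation (2): RTT between successive nodes A, B = RTT(A) - RTT(B)."""
    return {(a, b): rtt[a] - rtt[b] for a, b in zip(path, path[1:])}

def suspect_links(links, factor=3.0):
    base = median(links.values())
    return [link for link, v in links.items() if v > factor * base]

# Example path S -> A -> B -> K -> L -> D with a wormhole between B and K.
path  = ["A", "B", "K", "L"]                          # intermediate nodes only
t_req = {"A": 0.0, "B": 1.0, "K": 2.0, "L": 3.0}      # RREQ forwarding times (ms)
t_rep = {"A": 26.0, "B": 24.0, "K": 13.0, "L": 11.0}  # RREP receiving times (ms)

rtt = per_node_rtt(t_req, t_rep)                      # A:26, B:23, K:11, L:8
print(suspect_links(link_rtts(path, rtt)))            # -> [('B', 'K')]
```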

Compared to another RTT-based technique [12], our technique requires fewer calculations. It exploits the fact that a wormhole attack is launched by intermediate nodes, so there is no need to calculate the RTT between the source node and the first node or between the last node and the destination node. This reduces the number of calculations, which in turn speeds up the wormhole attack detection process.

5. Conclusions
In this paper, we have introduced the wormhole attack, a powerful attack that can have serious consequences for many proposed ad hoc network routing protocols. Countermeasures for the wormhole attack can be implemented at different layers: for example, directional antennas are used at the medium access layer, and packet leashes at the network layer. To detect and defend against the wormhole attack, we proposed an efficient mechanism based on the RTT of route messages. The significant features of the proposed mechanism are that it does not need any specific hardware to detect wormhole attacks and that it reduces the number of RTT calculations. Our mechanism is better than


other RTT-based mechanisms since it requires fewer calculations to detect wormhole attacks.

References

[1] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru, and H Rubens, “Mitigating Byzantine Attacks in Ad Hoc Wireless Networks,” Department of Computer Science, Johns Hopkins University, Tech. Rep. Version 1, March 2004

[2] Levente Buttyán, László Dóra, István Vajda: Statistical Wormhole Detection in Sensor Networks. Second European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (ESAS 2005) Visegrád, Hungary, July 13-14, 2005: 128-141

[3] S. Capkun, L. Buttyán, and J.-P. Hubaux, "SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks," in Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '03), pp. 21-32, 2003.

[4] L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole attacks,” in Network and Distributed System Security Symposium, 2004.

[5] L. Hu and D. Evans, "Using Directional Antennas to Prevent Wormhole Attacks," in Network and Distributed System Security Symposium, 2004.

[6] Y. Hu, A. Perrig, and D. Johnson,“Packet leashes: A defense against wormhole attacks in wireless networks.,” in INFOCOM, 2003.

[7] Issa Khalil, Saurabh Bagchi, and Ness B. Shroff, “Liteworp: A lightweight countermeasure for the wormhole attack in multihop wire-less networks.,” in DSN, 2005, pp. 612–621.

[8] Lijun Qian, Ning Song, and Xiangfang Li. Detecting and locating wormhole attacks in Wireless Ad Hoc Networks through statistical analysis of multi-path. IEEE Wireless Communications and Networking Conference -WCNC 2005.

[9] Hon Sun Chiu and King-Shan Lui, "DelPHI: Wormhole Detection Mechanism for Ad Hoc Wireless Networks," International Symposium on Wireless Pervasive Computing (ISWPC), 2006.

[10] T. V. Phuong, Ngo Trong Canh: Transmission Time-based Mechanism to Detect Wormhole Attacks. IEEE Asia-Pacific Services Computing Conference 2007.

[11] V. T. Phuong, Le Xuan Hung, Young-Koo Lee, Heejo Lee, Sungyoung Lee, TTM: An Efficient Mechanism to Detect Wormhole Attacks in Wireless Ad-hoc Networks, Wireless Sensor Network Track at IEEE Consumer Communications and Networking Conference (CCNC), Las Vegas, USA, Jan 11-13, 2007.

[12] J. Zhen and S. Srinivas. Preventing replay attacks for secure routing in ad hoc networks. Proc. of 2nd Ad Hoc Networks & Wireless (ADHOCNOW' 03), pp. 140--150, 2003.

Authors Profile

Ajit Singh is currently working as Associate Professor in the Department of Computer Science & Engineering, VCT Kumaon Engineering College, Dwarahat (Almora), India. He has around 11 years of teaching experience. His area of interest is Artificial Intelligence.

K. S. Vaisla received his graduate and postgraduate degrees from the University of Rajasthan, Jaipur, in 1994 and 1998, respectively. Presently he is working as Associate Professor (Computer Science & Engineering) at Kumaon Engineering College (a Govt. Autonomous College), Dwarahat (Almora), Uttarakhand. His research interests include the impact of ICT on G2C e-Governance, data warehousing and mining, complex/compound object mining, and IBIR. He has authored many research papers in international and national journals and conferences in the field of computer science, as well as several books with reputed publishers.


Detection of Selective Forward Attack in Mobile Wireless Sensor Networks

S.Sharmila1, and G.Umamaheswari2

1Research Scholar, Anna University, Coimbatore [email protected]

2Assistant Professor, Department of Electronics and Communication Engineering,

PSG College of Technology

Abstract: Mobile wireless sensor networks are composed of a large number of wireless sensors, and they require careful use of the available energy to prolong the lifetime of the network. From the security point of view, detection schemes must therefore be very lightweight. In this paper, a defensive mechanism is proposed to detect the selective forward attack in mobile wireless sensor networks. The proposed mechanism is simulated with the Berkeley Mica2 mote configuration in Network Simulator version 2 and is evaluated in terms of packet delivery ratio and throughput. The simulation results show that the scheme achieves a high detection rate.

Keywords: Selective Forward attack, Dynamic Window, Mobile Wireless Sensor Networks.

1. Introduction
Recent advances in wireless communications and micro-electro-mechanical systems (MEMS) technology have enabled the development of low-cost, low-power, small wireless sensor nodes. Wireless sensor nodes perform significant signal processing, computation and network self-configuration to achieve scalable, robust and long-lived networks. Many sensor nodes are capable of local processing, which reduces communication and, consequently, energy costs. Wireless sensors have been used in hazard alarms, monitoring and tracking of wildlife, heartbeat monitoring of patients, habitat monitoring, and many other applications. In wildlife applications, sensors are cast in the field as well as mounted on the animals to be monitored; the self-organized nodes are mobile as the animals move. In telemedicine and human-tracking applications, sensors are attached to patients and thus constitute a mobile wireless sensor network. Certain applications such as rescue management, emergency care and military applications require secure information transfer between the source and the destination [1]. Consider an example where sensors sense the blood pressure and temperature of patients and report to the intensive care unit of a hospital, so that the patients are monitored remotely. In this case, if any data is intercepted or altered by a malicious node it can lead to chaos, so it is necessary to detect the malicious node in the network.

In a selective forward attack, a malicious node selectively drops packets and degrades the performance of the network. This paper focuses on a detection mechanism against the selective forward attack, based on the Dynamic Source Routing protocol, for mobile wireless sensor networks.

1.1 Motivation

Wireless sensor networks are vulnerable to many routing attacks, such as the selective forward attack, HELLO flood attack, sinkhole attack, wormhole attack, etc., because of the broadcast nature of the transmission medium, the resource limitations of sensor nodes, and the uncontrolled environments in which they are left unattended [7]. The existing security mechanisms are inadequate, and new approaches are required for each routing attack since each attack has its own nature and characteristics. The major aim of this work is to detect the selective forward attack while also meeting security goals such as data authenticity, integrity and availability.

The major security objectives are as follows:
• To design defensive mechanisms against the selective forward attack, considering the resource constraints of mobile nodes.
• To identify the malicious node on the forward routing path.
• To provide data authenticity and data integrity.
• To improve the detection accuracy and data availability.

1.2 Our Contribution
Selective forwarding is one of the routing methods: a packet is forwarded to the destination node/base station based on the routing table and network conditions. A defensive mechanism against the selective forward attack, based on a dynamic-window concept, is formulated here. A window refers to the session covering the complete transmission of a message from the source to the destination node/base station; the message transmission timings of different sessions differ. Within a particular window, a malicious node is identified based on the cumulative acknowledgement packet and the drop ratio of the nodes that lie on the forward routing path. It is detected using check points, the source node, ordinary nodes, and node ids. Once the node is identified, it is removed from the network and the packet is routed through an alternate path. Detection accuracy also depends on the transmission and reception range, since the nodes are mobile. Simulation results show that the communication overhead is slightly high, but the detection accuracy is 90% when the drop ratio is low.

The remainder of this paper is structured as follows. Section 2 presents the background, reviews existing work, and proposes the detection scheme. Section 3


discusses the performance evaluation. Section 4 concludes with the future scope of the scheme.

2. Background and proposed Scheme

This section describes the selective forward attack and reviews the existing works.

2.1 Selective Forward Attack

Figure 1 shows an example of a selective forward attack. The malicious node drops packets and refuses to forward messages to its neighbour nodes. If the malicious node drops all messages, it is called a black hole. A malicious node can also forward messages along a wrong path and give unfaithful routing information to the network. It creates unnecessary packet delay, leads to confusion in forwarding messages, and can inject false information and transmissions into the network. It is difficult to detect the malicious node when there are collisions, packet drops due to timer expiry, and link failures, since the nodes are mobile. The selective forward attack affects existing routing protocols such as DSR, GPSR, GEAR and TinyOS beaconing.

2.2 Review

A selective forward attack may corrupt mission-critical applications such as military surveillance and forest-fire monitoring in wireless sensor networks. Bin Xiao et al. [3][4] proposed a lightweight security scheme that detects the selective forward attack using multi-hop acknowledgements; its limitations are that it requires nodes to be loosely time-synchronized and to keep one-way key chains for authentication. Kim et al. [5] suggested cumulative-acknowledgement-based detection, in which data-reply packets are transmitted through multiple paths; the communication overhead is high because of the cumulative acknowledgements, which reduces node energy. Y. B. Reddy [7] proposed a framework to detect the selective forward attack using a game theory model, in which a malicious node is detected between the selective acknowledgement points irrespective of the dropping rate. J. Brown et al. [8] proposed a sequential probability ratio test for detecting the attack in heterogeneous sensor networks; mathematical foundations are also helpful in detecting the attack. The existing works generally adopt a scheme within a routing protocol and analyze its performance in terms of communication overhead, network throughput and energy consumption. In this paper, a lightweight scheme based on the Dynamic Source Routing protocol is used to detect the attack. The limitations of the scheme are its high communication overhead and high energy consumption.

2.3 Assumptions
Seven assumptions are made in the detection mechanism. First, nodes are mobile and transmit messages during different sessions. Second, the size of the window is constant, i.e. the total time allowed for the transmission of messages per session is kept constant. Third, the Dynamic Source Routing protocol is implemented on the nodes. Fourth, during a particular session the topology is static. Fifth, node ids differ from session to session. Sixth, only the malicious node drops a large number of packets. Finally, messages are authenticated using one-way hash chains.

2.4 Detection Scheme
Existing detection schemes rely on the inclusion of packets such as per-node cumulative acknowledgements, event packets, acknowledgement packets, control packets and alert packets; with so many additional packets, the communication overhead becomes large. The proposed detection scheme uses a cumulative acknowledgement packet between the check points of the forward path; each check point generates a trap message, which is sent to the next node on the forwarding path.

The different phases of the proposed mechanism are as follows:

1. Node id assignment phase and location phase

2. Topology identification 3. Forward route selection path 4. Check Point assignment 5. Data transmission 6. Malicious node detection

2.4.1 Node id and Location Phase
A node id is activated only when transmission is required. Node ids are configured dynamically per session by the sink node/base station. Whenever the sink node/base station needs information, it broadcasts a set of node ids and activates a timer; a node id is valid until the timer expires. The base station temporarily stores the allotted node ids for each session.

2.4.2 Topology identification phase

After receiving its node id, each node identifies its neighbour nodes and stores the next-hop neighbour ids to identify the topology of the network.

2.4.3 Forward route selection phase

The source node sends a route_request packet towards the destination node/base station, which responds with a route_reply packet containing the selected forward path through which data will be transmitted. The forward path is selected by the Dynamic Source Routing protocol.

2.4.4 Check point selection phase
The base station/destination node randomly assigns some nodes on the forward path to be check points. On the downstream link, a check point generates a trap message after the successful reception of a packet.

2.4.5 Data transmission phase

Once the forward path is selected, data is transmitted from the source to the base station/destination node. Upon successful reception of the data, each node sends an acknowledgement packet to the next node that lies on the forward path. The acknowledgement packets of the current node


and the previous nodes are forwarded together to the next node on the forward path; in this way, acknowledgement packets are cumulated. Once a check point receives the cumulative acknowledgement packet, it generates a trap message and sends it to the next node on the forward path. If the destination receives the trap message generated by the last check point, the data has been successfully transmitted from the source to the destination.

2.4.6 Detection process

Step 1: The base station issues the node ids; each id is dynamic and unique for a window.
Step 2: The base station sends a data request to all the nodes.
Step 3: The source node sends a route request packet to the base station.
Step 4: The base station sends a route reply packet to the source node.
Step 5: The base station selects nodes on the forward path as check points.
Step 6: The source node sends the data packet to the next node on the forward path. Upon receiving the data, each node sends its acknowledgement packet, and each receiving node appends its own acknowledgement packet to the data packet, thus framing the cumulative acknowledgement (see the sketch after this list).
Step 7: Once a check point receives the cumulative acknowledgement, it generates a trap message, which is forwarded along with the data to the next check point.
Step 8: Upon receiving the cumulative acknowledgement packet and the trap messages, the base station detects the exact malicious node on the forward path based on the negative acknowledgement. Any node that holds its id after a predetermined time interval of the window is also suspected to be a malicious node, as illustrated in the Algorithm below.
Step 9: Once the malicious node is detected, it is removed from the network and packets are forwarded through an alternate path.
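The sketch below illustrates Steps 6 and 7 from the node side: each forwarding node appends its acknowledgement to the cumulative packet, and a check point additionally attaches a trap message. The dictionary layout and the choice of check points are illustrative assumptions; the node ids are taken from the example path 26-54-22-6-52-36 discussed later.

```python
# Node-side sketch: cumulate ACKs hop by hop; check points add a trap message.
def forward(packet, node_id, is_check_point=False):
    packet.setdefault("acks", []).append(node_id)        # cumulate this node's ACK
    if is_check_point:
        packet.setdefault("traps", []).append({
            "check_point": node_id,
            "rds": 1,                                     # data received successfully so far
            "nack_nodes": [],                             # nodes that failed to acknowledge
        })
    return packet

pkt = {"data": "payload"}
for node, cp in [(54, False), (22, True), (6, False), (52, False), (36, True)]:
    pkt = forward(pkt, node, is_check_point=cp)
print(pkt["acks"], [t["check_point"] for t in pkt["traps"]])   # [54, 22, 6, 52, 36] [22, 36]
```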


Figure 2. Node-id detection (Window A and Window B)

2.5 Detection Analysis
The proposed detection mechanism has been analyzed for the following scenarios.

Scenario 1: Detection based on node id
If a node holds its id after the timer expires, that node is suspected to be a malicious node. The value of the timer depends on the number of hops in the forward routing path and the maximum transmission delay. The packet delivery ratio and throughput are further analyzed to confirm whether the node is compromised. In Fig. 2, the node ids of Window A and Window B are all different except for ids 45, 15 and 21, so those nodes are treated as malicious.


Figure 3. Check-point detection

Algorithm: Determining the malicious node
Input:
  CAKP: a cumulative packet received {Data, ACK0, ACK1, ..., ACKn}
  Trap: {check point id (ckpid), rds, node ids of NACK}
  n: total # of ACKs in CAKP
  m: total # of nodes in the forwarding path

1. create a list responses[] and a list traps[] of length m
2. for i = 0, ..., n-1
       responses[n-i] <- ack(n-i)
       remove ack(n-i) from CAKP
       if ack(n-i) == n then return { rds = 1 }
       else { rds = 0; return ckpid }
       end if
3. for i = 0, ..., n-1
       traps[n-i] <- nids(nack)
       remove ckpid and rds from trap[]
4. for i = 0, ..., n-1
       if ckpid_i[trap] != ckpid_(i+1) then
           if rds of trap[] == 1 then return ckpids
           else return the nids(nack)
       end if
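The following is a hedged Python reading of the algorithm above, not a verbatim port: the base station inspects the cumulative acknowledgements and trap messages and reports the node(s) whose acknowledgement is missing or which a trap names in its NACK list. Field names mirror the pseudocode; the example path is taken from Fig. 3.

```python
# Base-station side sketch: locate the compromised node from the CAKP and traps.
def find_compromised(path, cakp_acks, traps):
    """path: ordered node ids on the forward path;
       cakp_acks: node ids whose ACKs arrived in the cumulative packet;
       traps: list of {'check_point': id, 'rds': 0/1, 'nack_nodes': [...]}."""
    acked = set(cakp_acks)
    for trap in traps:
        if trap["rds"] == 0:                    # a check point reported missing data
            return trap["nack_nodes"] or [trap["check_point"]]
    return [n for n in path if n not in acked]  # nodes that never acknowledged

path = [13, 44, 78, 21, 88, 17, 62]             # intermediate nodes of Fig. 3's second route
cakp_acks = [13, 44, 21, 88, 17, 62]            # node 78 never acknowledged
traps = [{"check_point": 21, "rds": 1, "nack_nodes": []}]
print(find_compromised(path, cakp_acks, traps)) # -> [78]
```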


Scenario 2: Check-point detection
Check points are randomly selected, so the base station/destination may select a malicious node as a check point; such a node could generate acknowledgements and trap messages on its own and forward packets to its neighbour. In that case, the malicious node can still be detected based on its node id and packet delivery ratio. A check point id is valid until the window expires. In Fig. 3, nodes 26 and 67 are source nodes, BS is the base station (treated as the destination node), and the forward paths are 26-54-22-6-52-36 and 67-13-44-78-21-88-17-62, respectively. The check points are 22, 16 and 21. The forward path from source 26 to the base station does not contain any malicious node, but the forward path from 67 to the base station contains node 21, which is both a check point and a malicious node. In this case the compromised check point is detected based on its node id and packet drop ratio.

Scenario 3: Source node detection

The base station broadcasts a request to the nodes, and a malicious node may respond to the base station with a route request packet in order to gather routing information and misguide the route in the network. Fig. 4 shows that malicious node 67 voluntarily responds to the base station after receiving the route request and misguides the route: the forward path becomes 67-6-16-52-3 instead of 67-13-44-78-21-88-17-62. The node is detected based on its packet drop ratio and the cumulative acknowledgement packet.


Figure 4. Source Node Detection.

Scenario 4: An ordinary node can be a compromised node
Existing methods such as CHEMAS and CADE [2][3][4][5] only narrow the malicious node down to a pair of nodes on the selective forwarding path. In CHEMAS, the authors suggest that the malicious node lies within the range of the check points; in CADE, the authors present a detection mechanism that identifies two candidate malicious nodes on the forward path. The proposed mechanism detects the exact compromised node. A check point generates a trap message and forwards it to the next check point, stating that no packet drop has occurred up to that check point. Between two check points, the acknowledgements of each node are cumulated if the data has been transmitted successfully, and once a check point receives the cumulative acknowledgement successfully it generates the trap message. If any node between the check points fails to forward the data packet, the cumulative acknowledgement or the trap message, that node is suspected to be compromised. A cumulative acknowledgement packet can also be dropped because of collisions or timer expiry, since the nodes are mobile, and overlap of windows also causes packet drops in the network; a check point should not misjudge an ordinary node to be a compromised node. In Fig. 5, node 4 drops the cumulative acknowledgement packet and is treated as a compromised node. The compromised node is identified based on the negative acknowledgement.


Figure 5. Node as Compromised Node

Format of the cumulative acknowledgement packet:

| Data | Ack0 | Ack1 | ... | AckN | NACK |

Format of the trap message:

| Check point node id | RDS | Node ids of NACK |

If NACK is set to 0, it denotes a negative acknowledgement of a data packet; if it is set to 1, it denotes a negative acknowledgement of a route, meaning the node has not seen the route packet sent by the base station/destination.

Received data successfully (RDS = 1) denotes that the data has been received up to the particular check point indicated by its node id. Once the destination/base station identifies the malicious nodes, it broadcasts the node ids carried in the NACK packet, and the source requests the destination to send an alternate forward path.

3. Performance Evaluation
The proposed algorithm is implemented in ns-2 [6], and its performance is evaluated in terms of network throughput and packet delivery ratio.

Evaluation Metrics: The following metrics [6][8] are used to evaluate the effectiveness of the proposed detection scheme (a small sketch of these computations follows the list).
• Packet delivery ratio: the ratio of the number of packets received to the number of packets sent.
• Throughput: the fraction of channel capacity used for data transmission.
• Communication overhead: the ratio of the overhead with the detection scheme to the overhead without it.
• Average latency: the mean time in seconds taken by packets to reach their respective destinations.
• Undetected ratio: the ratio of the number of undetected maliciously dropped packets to the total number of maliciously dropped packets.
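The helpers below follow the definitions above; the counter-based inputs (packets sent/received, malicious drops, per-packet latencies) are assumed to be collected from simulation traces.

```python
# Small helpers for the evaluation metrics listed above.
def packet_delivery_ratio(received, sent):
    return received / sent

def throughput(data_bits, channel_capacity_bits):
    return data_bits / channel_capacity_bits          # fraction of channel capacity used

def communication_overhead(overhead_with, overhead_without):
    return overhead_with / overhead_without

def average_latency(latencies_seconds):
    return sum(latencies_seconds) / len(latencies_seconds)

def undetected_ratio(undetected_malicious_drops, total_malicious_drops):
    return undetected_malicious_drops / total_malicious_drops

print(packet_delivery_ratio(received=900, sent=1000))                               # 0.9
print(undetected_ratio(undetected_malicious_drops=20, total_malicious_drops=100))   # 0.2
```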

3.1 Simulation parameters
The parameters used in our simulations are shown in Table 1. The window is static, and malicious nodes are randomly located on the forward paths between the sources and the base station. Node ids, check points, sources and destinations are assigned before transmission starts.


Table 1: Parameters used in simulations

Area                        2000 m x 2000 m
Nodes                       50
Packet size                 512 bytes
Transmission protocol       UDP
Application traffic         CBR
Transmission rate           10 Mbits/sec
Pause time                  24.73 sec
Maximum speed               31 sec
Simulation time             100 sec
Propagation model           Radio propagation
Maximum malicious nodes     50
Type of attack              Selective forward attack
Routing protocol examined   DSR

3.2 Performance Results
In this section, the performance of the proposed detection mechanism is evaluated in terms of packet delivery ratio and network throughput. The check points, source nodes and destination nodes with their ids are depicted in Fig. 6.

Figure 6. Node Deployment Phase

A few packet drops occurred during the data transmission phase, as indicated in Fig. 7.

Figure 7. Data transmission Phase

During the data transmission, the malicious nodes are detected: node 2 is both a check point and a malicious node, and the other malicious nodes are 7, 14 and 41, as shown in Fig. 8.

Figure 8. Detection of Compromised Nodes

In the simulation, different field configurations were used, with the forward-path nodes moving randomly, pausing for a fixed time of 25 seconds, and then moving randomly again within a 2000 m x 2000 m area. The simulation time is 100 seconds, and the results are taken over 50 simulation runs; the same trends are observed across runs. Constant Bit Rate (CBR) traffic is introduced during data transmission to check the detection accuracy. It is observed that node 15 dropped packets due to CBR traffic, and the proposed mechanism does not suspect this node of being compromised. The undetected ratio is 20%, which corresponds to a detection accuracy of 80%. Further, although packet drops occur when different windows overlap, the proposed mechanism does not suspect the affected nodes of being compromised, because of the different time intervals and the dynamic node-id configuration. Packet drops due to traffic occur where windows overlap: during the intervals from 30 to 40 seconds and from 95 to 96 seconds, packets are dropped only because of CBR traffic and window overlap. A few nodes hold their node id after the timer expires; their packet delivery ratio is 30%, whereas the packet delivery ratio of normal nodes reaches 100%, and such nodes are detected as compromised. This is depicted in Fig. 9, which shows that the packet delivery rate of normal nodes ranges from 70% to 100% while that of the compromised node is only 30%.

It is also observed that node 2, a check point, is detected as a compromised node even though its packet delivery ratio is 80%, like that of normal nodes. The proposed scheme detects this check point based on its node id: the node holds its id beyond the maximum time delay. The timer of a normal node id is 40 seconds, whereas the timer of this check point is 120 seconds for a specific window. Fig. 10 depicts the packet delivery ratio of the check point node, a normal node, and a malicious node. Further, the malicious node on the forward path drops 270 packets per 100


seconds, and the throughput is 47 packets per second. The average latency is 38.26 seconds after the detection of the malicious node and 50 seconds before its detection.

Figure 9. Packet delivery rate of normal nodes ranges from 70% to 100%, while that of the compromised node is only 30%.

Figure 10. Check point as compromised node

Figure 11. Packet drop ratio

Figure 12.Throughput

The number of packets sent and the throughput vary due to the presence of malicious nodes. As shown in Fig. 11 and Fig. 12, the malicious nodes increase the packet drop ratio and decrease the throughput of the network, so the presence of a malicious node degrades the performance of the network. A cumulative acknowledgement is transmitted only up to the next check point, which reduces the communication overhead on the forward path.

The packet drop rate of normal nodes is significantly different from that of the compromised node. The proposed detection scheme achieves a 90% detection rate when the drop rate is low.

The performance of the scheme is compared with other existing schemes in Table 2. The overall performance of the proposed scheme is better than that of the existing schemes: although the scheme consumes 60% of the node energy, it provides better accuracy.


Table 2: Comparison with the existing schemes

| Parameter | CHEMAS | CADE | SPRT | Game theory | Multi-hop Acknowledgement | Proposed method |
| Detection rate | High | Not analyzed | High | Depends on channel rate and dropping rate | 95% when channel error rate is 15% | 90% |
| Communication overhead | Reasonable | Not analyzed | Small | Not analyzed | High | High |
| Includes base station for detection | No | No | No | No | No | No |
| Time synchronization | Yes | Not required | Yes | Yes | Not required | Yes |
| Identifies the original reason for packet loss | Yes | Not analyzed | Yes | No | Yes | Yes |
| Security against sinkhole attack | No | Yes | No | No | No | Yes |
| One-way key chains | Required | Not required | No | No | Not required | Required |
| Duplicate packet | None | Data-reply | No | No | Data packet | Data packet |
| ACK generation | Always | When a packet is dropped | No | No | None | When a packet is dropped |
| Energy consumption | Not analyzed | Not analyzed | Not analyzed | Not analyzed | Not analyzed | 60% |
| Nodes | Stationary | Stationary | Stationary | Stationary | Stationary | Mobile |

4. Conclusions
This paper has presented a dynamic-window-based mechanism to detect the selective forward attack. Packet-forwarding routing algorithms need detection mechanisms that identify the exact compromised nodes. A number of recent works were studied before proposing this new methodology; the drawback of the existing schemes is that the compromised node can only be narrowed down to a pair of nodes on the forward path lying between the check points. We overcome this drawback and detect the exact compromised node on the forward path based on the negative acknowledgement, the node id, and the packet drop ratio. Simulations with 50 nodes demonstrate the effectiveness of the proposed algorithm, which identifies malicious nodes and isolates them from active data forwarding and routing. Further studies are required to reduce the packet drops caused by window overlap and to evaluate the detection accuracy of the proposed detection mechanism using a probabilistic approach.

References
[1] C. Karlof and D. Wagner, "Secure Routing in Sensor Networks: Attacks and Countermeasures", in Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, 2003.

[2] H. Lee, T. Cho, “Fuzzy-Based Reliable Data Delivery for Countering Selective Forwarding in Sensor Networks”, Lecture Notes in Computer Science, pp. 535-544, 2007.

[3] B. Xiao, B. Yu, and C. Gao, “CHEMAS: Identify Suspect Nodes in Selective Forwarding Attacks”, Journal of Parallel and Distributed Computing, Vol. 67, Issue 11, pp. 1218-1230, 2007.

[4] B. Yu and B. Xiao, "Detecting Selective Forwarding Attacks in Wireless Sensor Networks", in Proceedings of the 20th International Symposium on Parallel and Distributed Processing (IPDPS 2006), pp. 1-8, 2006.

[5] Young Ki Kim, Hwaseong Lee, Kwantae Cho, and Dong Hoon Lee, "CADE: Cumulative Acknowledgement Based Detection of Selective Forwarding Attacks in Wireless Sensor Networks", in Proceedings of the Third International Conference on Convergence and Hybrid Information Technology, 2008.

[6] N. Bhalaji and A. Shanmugam, "Reliable Routing against Selective Packet Drop Attack in DSR based MANET", Journal of Software, Vol. 4, No. 6, 2009.

[7] Yenumula B. Reddy and S. Srivathsan, "Game Theory Model for Selective Forward Attacks in Wireless Sensor Networks", in Proceedings of the 17th Mediterranean Conference on Control and Automation, Greece, June 2009.

[8] Jeremy Brown and Xiaojiang Du, "Detection of Selective Forward Attacks in Heterogeneous Sensor Networks", in Proceedings of ICC 2008.

[9] Zia, T.A., and Zomaya, A.Y. “Secure Localization in Wireless Sensor Networks. In the Proceedings of fourth Asian Conference on Communication Systems and Networks (AsiaCSN 2007), April 2-4, 2007.

[10] Zia, T.A., and Zomaya, A.Y. “Malicious Node Detection Mechanism in Wireless Sensor Networks” , in the Proceedings of International Conference on Network Security (ICONS 2007), Jan 29-31, 2007.

[11] Zia, T.A., and Zomaya, A.Y, “Security issues in Wireless Sensor Networks. In the Proceedings of International Conference on Systems and Networks, 2006.

[12] Zia, T.A., and Zomaya, A.Y. “A Secure Triple Key Management Scheme for Wireless Sensor Networks”. In the proceedings of IEEE INFOCOM 2006.


Authors Profile

S.Sharmila received the B.E and M.E degrees in Electronics and Communication Engineering and Applied Electronics from Bharathiyar University and Anna University, India in 1999 and 2004 respectively. Her research interest includes wireless sensor networks, computer networks and security.

G. Umamaheswari is Assistant professor in Electronics and Communication Department, PSG College of Technology, Coimbatore, India. She completed her B.E. degree in Electronics and Communication from Madras University in 1989 and M.E. in Electronics Engineering from Anna University, in 1992. She is now supervising 5 Ph.D. candidates


Factors that Influence Learner-Content Interaction in the Online Top-Down Modeling Model

Environment

Sha Li1, Shirley King2, Yujian Fu3

1Alabama A&M University, School of Education 4900 Meridian Street, Normal, AL 35762, USA

[email protected] 2Alabama A&M University, School of Education 4900 Meridian Street, Normal, AL 35762, USA

[email protected] 3Alabama A&M University, School of Engineering & Technology

4900 Meridian Street, Normal, AL 35762, USA [email protected]

Abstract: This article explores the learner-content interaction in the Online Top-Down Modeling Model networked learning environment. It used a graduate computer literacy course as a case to explore the phenomenon. The findings of this study expose the major factors that influenced learners to actively use online learning resources and the factors that negatively affected the learners in using online learning resources. It discusses the strategies to design effective online learning resources so as to motivate students into active involvement in the Internet assisted resources-based learning. Keywords: learner-content interaction, networked learning, intrinsic factors, extrinsic factors, distance education.

1. Introduction This section introduces the background of the learner-content interaction in the networked learning environment.

1.1 The Background The Internet is impacting education profoundly. The Internet's capability of transferring information and multimedia empowers the delivery of instructional materials. The availability of online learning resources provides educators with a platform to foster creativity and increase the effectiveness of teaching and learning. Learning interaction has always been the core issue related to the quality of network-assisted education [14]. More and more varieties of learning resources are put online, leading to more strategies for designing and using Internet-based learning resources. Resource-based learning has emerged with the increasing use of the Internet [11]. The concept of interaction is an essential element of the seven principles of good practice in education [4]. These practices include: encouraging faculty/student contact; developing reciprocity and cooperation; engaging in active learning; providing quick feedback; emphasizing the amount of time dedicated to a task; communicating high expectations; and respecting diversity. Wagner [24] defines interaction as "reciprocal events that require at least two objects and two actions. Interactions occur when these objects and events mutually influence one another." Northrup [15] describes the purposes of interaction as 1) Interaction for content, 2) Collaboration, 3) Conversation, 4) Intrapersonal interaction, and 5) Performance support.

Hirumi [12] indicates in his study that there are three levels of interaction: Level I—within the learner, Level II—between the learner and human/non-human resources, and Level III—between learner and instruction. In summary, the learner-content interaction has been recognized as very important among all kinds of interactional perspectives. The issue of learner-content interaction has caught the attention of educators [13, 25]. It is a defining characteristic of education [13]. The learner-content interaction is among the four types of interaction in distance education [22]. The four types of interaction have been widely recognized in the literature as learner-content, learner-learner, learner-teacher, and learner-interface [27, 28]. The learner-content interaction is the essential process of learning in which the learners intellectually interact with the cognitive content matter. It is regarded as an "internal didactic conversation" in which the learner transfers or internalizes knowledge input into his or her mental cognitive structure [26]. Learning from a book is a kind of learner-content interaction. Yet in the network environment, learning from online resources makes the learning input richer in variety and more challenging [19, 20, 21]. Thurmond [22] defined interaction as:

…the learner’s engagement with the course content, other learners, the instructor, and the technological medium used in the course. True interactions with other learners, the instructor, and the technology results in a reciprocal exchange of information. The exchange of information is intended to enhance knowledge development in the learning environment. Depending on the nature of the course content, the reciprocal exchange may be absent – such as in the case of paper printed content. Ultimately, the goal of interaction is to increase Understanding of the course content or mastery of the defined goals.


The educational theorist Vygotsky [23] argues that learning is fundamentally a social process. He also contends that the most fruitful experience in learners' educational processes occurs when they interact, in a context, with more experienced partners or adults who provide an "intellectual scaffold" that allows the learner to achieve a higher level of skill or understanding than would be possible for the learner alone. Scaffolding provides individualized support based on the learner's "Zone of Proximal Development" [23]. In scaffolding instruction, as Vygotsky described, a teacher or an experienced person provides scaffolds, or supports, to facilitate the learner's development. The student builds on prior knowledge and internalizes new information. The activities provided in scaffolding are just beyond the level of what the student can do alone. Through scaffolding, learners can accomplish (with assistance) tasks that would otherwise be overwhelming or impossible for them. Scaffolding can take many forms. The form should be contingent on what the learner needs in order to move forward and achieve a higher level of skill with that support, until the next level is internalized by the learner and can be enacted without the support of the scaffolding. In relation to active learning, constructivist learning has drawn great attention [1, 3]. Advocates of constructivist learning assert that learning is experience based [6, 7]. The learners bring in different perspectives, cultures, interests and skills and actively engage in the learning activities. The learners explore additional resources and brainstorm to construct their own understanding and enhance learning through dialogue and the joint production of knowledge artifacts for meaningful learning to occur. Constructivism suggests that students need to explore subject matter in a broader context than what is provided in their reading materials—by sharing experiences and interacting [2]. Within the constructivist paradigm, the emphasis of learning is on the learner rather than on the teacher. It is the learner who interacts with his or her environment and thus gains an understanding of its features and characteristics. The teacher is actually a facilitator who supports and guides the students in the learning process. Motivation is a component that energizes and directs behavior toward a goal [8]. Motivation is the energy to study, to learn and achieve, and to maintain these positive behaviors over time. Motivation is what stimulates students to make an effort to acquire, transform and use knowledge [10, 29]. According to Groccia, "People study and learn because the consequences of such behavior satisfy certain internal and/or external motives." Without motivation, there would be no learning. Resource-based learning (RBL) is an instructional strategy in which students construct meaning through interaction with a wide range of learning resources. Internet-assisted resource-based learning empowers learners with a large amount of information/resources and the strategies necessary to make learning a truly productive and meaningful experience [5]. RBL has a strong relationship to Inquiry Learning, Project-Based Learning and Problem-Based Learning. It is student-centered and allows learners to discover knowledge for themselves in a constructivist manner [9].

When teachers establish or design an effective course with online learning resources, there needs to be a connection to the learners. A course with well-prepared learning resources is effective only if it actually connects students to this efficient learning behavior. The students' needs and expectations for learning are therefore vital to teachers: understanding the students and what motivates them toward effective learning behavior is conducive to effective teaching and planning. Li and his colleague [18] created an online learning model, the Online Top-Down Modeling Model, at Alabama A&M University. The purpose of this model is to enhance learning effectiveness through learner-resource interaction on the website of the graduate course FED 529 Computer-Based Instructional Technology at http://myspace.aamu.edu/users/sha.li. The FED 529 course is a computer literacy course for graduate teacher students. It is taught in a blended format in which online resources assist traditional instruction. It is a project-based computer literacy class that includes project creation, problem solving, hands-on activities and theory-based learning. Learning is based on a constructivist paradigm: the teacher teaches, but also provides a resource-rich course website to scaffold learners. The course website has plenty of tutorials and project models such as Word projects, PowerPoint projects, Excel projects, video production, web page design and graphics design. The tutorials (in FAQs) are available online in text and video formats. Through the integration of the online learning resources into class instruction, effective learning outcomes occur, and the students' motivation and positive attitude toward the use of technology-aided learning resources increase [18]. Even though the FED 529 class website provides plenty of learning resources for learners to access, this kind of interaction is learner-content, a one-way interaction. Some two-way interaction takes place in the Blackboard online learning space, such as discussion, chat room, video conferencing, email listserv, and bulletin board. The course website and the Blackboard space together constitute the online learning platforms for this class. The layout of the course website interface is shown in Fig. 1.

This article describes the factors that influence the learners' behavior in the learner-content interaction in the Online Top-Down Modeling Model network environment. Statistical data from surveys are then analyzed to find the students' perspectives and experiences in relation to the factors that influence their interaction with the online learning resources. Several factors are commonly related to student learning behavior in using online learning resources:

1) The extrinsic factors: the course content matter, the supportive resource platform, the course requirements, a trustworthy and reliable resource environment, the grading policy, and the social influence.


2) The learner's intrinsic factors: interest, motivation, expectation to learn, and self-efficacy.

1.2 The Extrinsic Factors Extrinsic factors are factors from the environment that relate to the students' motivation to access the online learning resources.

1.2.1 The Course Content Matter

The FED class is a multimedia-driven computer class. Almost every student likes multimedia, such as graphics design, animation, photo editing, sound editing and video production. Using multimedia to motivate students to learn computer literacy skills is the main strategy of this class. There are plenty of multimedia projects online that are free to education and students. Those attractive online resources are the initial motivators that engage learners in learning, critiquing, creating and mimicking the models.

1.2.2 A Supportive Resource Platform This class uses a blended format in which online support supplements learning. The classroom provides the face-to-face interaction, and the online learning resources provide learner-content interaction for learning purposes. The website interface is user-friendly and easy to navigate. Once students find the online learning resources to be trustworthy, reliable and convenient support, their motivation to use them increases.

Figure 1. The Layout of the Online Top-Down Modeling Model Site

1.2.3 The Course Participation Requirement

The instructor set rules for the students' participation in the online learning activities. Each student must review three online model projects and tutorials to learn new projects. They have to post three discussions in each module to critique other people's or other teams' projects on the Blackboard Discussion Board. For the four modules of the whole semester, at least twelve accesses to the online models and twelve discussion postings are required; in practice, most students created more postings than required. Access to the online communication activities is monitored and marked for grades, which gives the teacher a disciplinary guideline for monitoring and prompting the students to retrieve and respond to the learning information.

1.2.4 The Social Influence

Social influence is essential to the students' attitude toward using the online learning resources. Experienced students who had taken this class before, or who had used online learning resources successfully, often influenced each other by sharing information on how to use online resources successfully. 1.3 The Intrinsic Factors Intrinsic factors are psychological factors within the learner. The intrinsic factors have the most influence in guiding the learners' behavior.

1.3.1 Interest

Interest is the major factor that stimulates learning. Without interest, there would be no learning [17]. Our students are graduate teacher students. Using effective computer-based projects in teaching has aroused their attention and interest. The students' personal interest in learning the multimedia skills guides them to invest energy and effort in learning and in searching for useful resources.

1.3.2 Motivation

Motivation directs behavior toward particular goals; it leads to increased effort and energy, and increases the initiation of and persistence in learning activities [30]. Since this course stimulates students' interest, students are motivated to be involved in the activities. As they learn, they access the online learning resources frequently to retrieve information and support.

1.3.3 Personal Goals and Self Expectation

The learner's personal professional goals and high self-expectation are further factors that translate into motivation in learning. Higher self-expectation drives students to aim high and work harder. The more dedicated students always expected to see more and create more, and the Internet resources were the easiest channel to meet that expectation. Those students had a higher frequency of accessing the online learning resources for their learning purposes.

2. Method To verify the students' perspectives on the factors that influence their use of online learning resources, a survey was distributed and descriptive statistical analysis was conducted. Twenty-nine students in the FED 529 Computer-Based Instructional Technology course participated in the survey in the spring semester of 2010. The data are presented below.
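The means and standard deviations reported in Tables 3 and 4 below are ordinary descriptive statistics over the 1-5 Likert responses. The sketch below shows that computation for one item; it is illustrative only, and the response values are hypothetical, since the paper reports only the aggregated figures.

```python
# Minimal sketch (not the authors' analysis code): descriptive statistics
# for one Likert item.  The response values below are hypothetical; the
# paper reports only the aggregated means and standard deviations.
from statistics import mean, stdev

responses = [1, 2, 1, 1, 2, 1, 1, 3, 1, 2,
             1, 1, 2, 1, 1, 2, 1, 1, 1, 2,
             1, 2, 1, 1, 1, 2, 1, 1, 2]      # 29 students; 1 = Strongly Agree ... 5 = Strongly Disagree

print("N =", len(responses))
print(f"Mean = {mean(responses):.2f}")       # lower mean = stronger agreement
print(f"SD   = {stdev(responses):.2f}")      # sample standard deviation
```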

Table 1: Students' Responses about their Multimedia Preference Related to their Learning Style
Question: My learning style with using multimedia is _________

#   Response                                                                         N    %
1.  I like visual information more than others.                                      17   59
2.  I like auditory information more than others.                                     0    0
3.  I like text information more than others.                                         0    0
4.  I like the visual and auditory combined information like graphics, animation,
    video, etc. combined with sound/music.                                            12   41

From Table 1, we can see that the students' media-related learning style preference focuses on Choice 1, visual information, and Choice 4, visual and auditory combined information. The auditory-only information (Choice 2) and the text-only information (Choice 3) are not preferred. Since Internet information is rich with graphics and sound, providing multimedia-rich resources for learners is preferred in the Internet-assisted learning environment.

Table 2: Students' Responses to their Preference of the Sources of Information
Question: When searching Internet learning resources, I like to use __________

#   Response                                        N    %
1.  Resources from our course website.              4   14
2.  Resources from other websites.                  5   17
3.  Resources from both of the above websites.     20   69

Table 2 shows that students prefer resources from both the course website and other websites. That means that students like a broadened vision of the learning resources instead of a narrow focus on what one source of websites can provide.

Figure 2. The Frequency of Student Access of the Course Website for Learning Resources

Figure 2 shows the students' frequency of accessing the FED 529 course website to retrieve the online learning resources (not including the students' access to other websites). The frequency is tallied in the Blackboard Course Management System. In Fig. 2, during Weeks 1 and 2, students had a somewhat higher frequency of accessing online learning resources because they wanted to get familiar with the new course network environment, such as the introduction to the course, rules, syllabus, multimedia resources, discussion board, digital drop box and modules, and to browse the course website out of interest. From Week 3 to Week 8, the frequency was a little lower, probably because the course projects were easier at the start and students needed less support from the website with face-to-face teaching available in the classroom. During Weeks 9 and 10, students had the highest frequency of access to the course website because, as observed, they encountered more challenging issues to solve and needed more online resources for help. From Week 10 to the last week, the access frequency dropped gradually, probably because the students gradually became more familiar with the course content and depended less on the course online resources, and also because they might have started preparing for the final exam. The weekly average frequency is 87. We also saw that some of the students were tech-savvy; they learned more independently, relying less on the course online resources or facilitation.

Table 3: Factors that Positively Influence the Learners' Access to Online Learning Resources

#    Question                                                                       Mean   SD
1.   The online learning resources are information-rich, multimedia driven,
     interesting, and engaging.                                                     1.41   0.50
2.   The online course info like syllabus, course rules/requirements are
     important to me.                                                               1.52   0.51
3.   The online content/knowledge resources are important to me.                    1.45   0.51
4.   The problem solving support resources like tutorials/help are necessary
     to me.                                                                         1.48   0.57
6.   The communication tools/resources are useful and comfortable to me.            1.59   0.73
7.   The online collaborative/team work support resources are helpful to me.        1.55   0.57
8.   The online ongoing information like modules, discussion, Bulletin Board
     news are important to me.                                                      1.41   0.50
9.   I access online learning resources when I have to learn new skills and
     knowledge.                                                                     1.31   0.47
10.  I access online learning resources when I prepare for the class.               1.48   0.51
11.  I access online learning resources when I encounter problems.                  1.31   0.54
12.  The effectiveness of the online learning resources motivates me to use
     more of them.                                                                  1.55   0.74
13.  My own increased experience motivates me to use more of the online
     learning resources.                                                            1.21   0.41
14.  The teacher's use of online resources influences me to use them.               1.38   0.56
15.  The peer's use of online learning resources influences me to use them.         1.59   0.68

N = 29, Strongly Agree = 1, Strongly Disagree = 5


Table 3 shows the factors that positively influence the students' access to the online learning resources. Items 1 to 8 relate to the resource content that motivated students to use the online learning resources for tasks. Items 9 to 13 relate to the needs and reasons why students like to use the online learning resources. Items 14 and 15 relate to how social influence affected the students' use of the online learning resources. Since the survey value of Strongly Agree is 1 and Strongly Disagree is 5, the lower the value, the more positive the response. The table reveals that most of the students access online learning resources voluntarily, based on their learning needs, their interest in the resource content and subject matter, or social influence. Table 4 shows the factors that might negatively affect the students' access to the online learning resources; the five items are listed in ascending order of their mean values, from the factor the students agreed with most to the one they agreed with least. The data in this table verify students' use of the online learning resources from another angle.

Table 4: Factors that Negatively Affect the Learners' Access to Online Learning Resources

#   Question                                                                        Mean   SD
1.  If I can do without finding information and support from the Internet,
    I don't want to spend time searching Internet resources.                        2.38   1.08
2.  If I had a hard time locating the expected resource online, I drop
    using it.                                                                       2.86   1.36
3.  I drop searching online learning resources because I feel intimidated
    and frustrated to use the Internet.                                             3.55   1.35
4.  I don't really search for Internet resources because I am not skillful
    enough and not familiar with online learning resources.                         4.07   1.03
5.  I don't really use online learning resources because I don't have easy
    access to facilities like computers, laptops, a computer lab and an
    Internet connection.                                                            4.17   1.07

N = 29, Strongly Agree = 1, Strongly Disagree = 5

The students' responses to the five questions indicate that the factors negatively affecting students' use of online learning resources did not have a large effect on the learners. Nevertheless, their information skills should be strengthened to minimize the negative influence and to increase their confidence in accessing online learning resources, since the use of online learning resources is a voluntary, self-motivated learning behavior.

3. Discussion and Conclusion

The findings show that several factors influence the learners' use of online learning resources. The multimedia variety of the resources is an important factor in motivating students to use online learning resources. The content of the course website resources is favored by the students because it is targeted to the course content and activities and provides instant help. Both the course website resources and general Internet learning resources are preferred by the learners because more sources provide a greater variety of information and tools that broaden students' vision and inspire creativity.

Convenient web design and social influence are also factors that affect the learners' use of online learning resources. Finally, personal experience with information skills is also important: the more experience students have in using online learning resources, the more willing they are to use them. The factors that negatively affect the learners' use of the online learning resources include the case in which learners can finish the projects/assignments without using online learning resources; they choose not to bother searching if they do not have to. The next is personal frustration and limited skill in using online learning resources, which impede them from using these resources. The last factor is the least recognized but a practical one: limited access to the facilities/computers needed to reach online learning resources. Computers and Internet access are now much cheaper than before, which is why this is considered the least influential factor, even though it cannot be assumed that all students have these facilities available. Understanding learners is necessary for the teacher to teach effectively. Understanding the factors that influence learners' access to online learning resources helps teachers design and prepare effective instruction and learning materials with Internet technology. Students are not passive "receptacles" of information; knowledge emerges only from situations in which learners draw it out of meaningful activities. The design of effective learning resources must be combined with content-targeted learning activities that drive students into active thinking and creative doing, which then turns into active exploration on the Internet. To motivate more students to use the online learning resources, the following strategies are suggested:

1. Teach students the information skills needed to use the available course online resources and resources from other websites.

2. Design a user-friendly course web interface so that students can navigate the resource website easily.

3. Design, and frequently update, course online learning resources that are anchored in the course content and activities. A strong relation to the learning content and goals motivates students to use online learning resources.

4. Combine the use of the online learning resources with learning activities such as searching for information for problem solving, critical thinking, and creativity.

5. Provide facilitation or scaffolding online to alleviate students' frustration in learning. Just-in-time help at a click will convince students that the resource is a trustworthy and reliable support for their academic growth.

Building on this study, we expect further research that explores learners' psychological behavior in using online learning resources and its correlation with various variables.


Acknowledgement: This project is funded by a Title III Mini Research Grant. Great thanks to the Title III Office at Alabama A&M University for its support of this project.

References:

[1] G.J. Brooks, G.M. Brooks, In Search of Understanding: The Case for Constructivist Classrooms. Association for Supervision and Curriculum Development, Alexandria, VA, 1993.

[2] J. Bruner, Going Beyond the Information Given, Norton, New York, 1973.

[3] J.P. Byrnes, Cognitive Development and Learning in Instructional Contexts. Allyn and Bacon, Boston, 1996.

[4] A.W. Chickering, Z.F. Gamson, Seven principles for good practice in undergraduate education, AAHE Bulletin, 39(7), 3-6, 1987.

[5] C. Crook, Deferring to Resources: Collaborations around Traditional vs. Computer-based Notes, Journal of Computer-Assisted Learning, 18, 64-76, 2002.

[6] J. Dewey, Experience and Education. Macmillan, New York, 1938.

[7] J. Dewey, Democracy and Education, Free Press, New York, 1966.

[8] P. Eggen, D. Kauchak, Educational psychology: Classroom connections, (2nd Ed.), Macmillan Publishing Company, New York, 1994.

[9] G. Gibbs, N. Pollard, J. Farrell, Institutional Support for Resource Based Learning, Oxford Centre for Staff Development, Oxford, 1994.

[10] J.E. Groccia, The college success book: A whole-student approach to academic excellence. Glenbridge Publishing Ltd , Lakewood, CO, p. 62, 1992.

[11] J.R. Hill, M.J. Hannafin, The resurgence of resource-based learning. Educational Technology, Research and Development, 49(3), 37-52, 2001.

[12] A. Hirumi, A Framework for Analyzing, Designing, and Sequencing Planned eLearning Interactions, Quarterly Review of Distance Education, 3(2), 141-160, 2002.

[13] M.G. Moore, Three types of interaction. The American Journal of Distance Education, 3(2), 1-6, 1989.

[14] B. Muirhead, Enhancing social interaction in computer-mediated distance education, USDLA Journal, 15(4), 2001.

[15] P.T. Northrup, A Framework for Designing Interactivity into Web-Based Instruction, Educational Technology, 41(2), 31-39, 2001.

[16] J. Piaget, The Psychology of Intelligence, Routledge, New York, 1950.

[17] M. Pressley, C.B. McCormick, Advanced educational psychology: For educators, researchers, and policymakers. HarperCollins College Publishers, New York, 1995.

[18] S. Li, D. Liu, The Online Top-Down Modeling Model, Quarterly Review of Distance Education, 6(4), 343-359, 2005.

[19] G.T. Sciuto, Setting students up for success: The instructor's role in creating a positive, asynchronous, distance education experience. Virtual University Gazette, January 2, 2004. Available: http://www.geteducated.com/vug/aug02/vug0802.htm

[20] N. Shin, Beyond interaction: The relational construct of 'Transactional Presence'. Open Learning, 17, 121-137, 2002.

[21] P. L. Smith, C.L. Dillon, Comparing distance learning and classroom learning: Conceptual considerations. American Journal of Distance Education, 13(2), 6-23, 1999.

[22] V.A. Thurmond, Examination of interaction variables as predictors of students' satisfaction and willingness to enroll in future Web-based courses while controlling for student characteristics. Unpublished Dissertation, University of Kansas, Parkland, FL, p. 4, 2003.

[23] L.S. Vygotsky, Mind in society: The development of higher psychological processes. Harvard University Press, Cambridge, MA, p. 86, 1978.

[24] E.D. Wagner, In support of a functional definition of interaction. The American Journal of Distance Education, 8(2), 6-26, 1994.

[25] G. Zafeiriou, J.M. Nunes, N. Ford, Using students' perceptions of participation in collaborative learning activities in the design of online learning environments. Education for Information, 19, 83-106, 2001.

[27] H. Chen, Interaction In distance education. January 4, 2004. Available: http://seamonkey.ed.asu.eduac/disted/week2/7focushc.html

[28] M.W. Crawford, Students' perceptions of the interpersonal communication courses offered through distance education, unpublished doctoral dissertation, Ohio University, 1999. UMI Dissertation Services, (UMI No. 9929303).

[29] B. Holmberg, Growth and Structure of Distance Education. Croon Helm, London, 1986.

[30] P. R. Pintrich, V. De-Groot, Motivational and self-regulated learning components of classroom academic performance. Journal of Educational Psychology, 82(1), 33-40, 1990.

Author Profile

Sha Li received his doctoral degree in educational technology from Oklahoma State University in 2001. He is an Associate Professor at Alabama A&M University. His research interests are in e-learning in the networked environment, distance education, multimedia production, and instructional design with technology. He is also an instructional design facilitator for the local public school systems.

Shirley King received her Ed.D. degree in Special Education from the University of Alabama. She is an Associate Professor at Alabama A&M University. Her research interests are in special education, elementary education, and multicultural education. She is the Program Coordinator of a USAID Textbooks and Learning Materials Project serving Ethiopia.

Yujian Fu received her Ph.D. degree in Computer Science from Florida International University. She is an Assistant Professor at Alabama A&M University. Her research interests are in software verification, software quality assurance, runtime verification, and formal methods.


Video Streamed Access and Use Control Using Digital Rights Management

Morad Rafi 1 and Mohsine Eleuldj 2

Mohammed V University, Mohammedia School of Engineers (EMI),
Telecom & Computer Departments, Avenue Ibn Sina, B.P. 765, Agdal, Rabat, Morocco
Tel: (212-537) 77.26.47
[email protected], [email protected]

Abstract: Digital Rights Management (DRM) is a collection of technologies that protect the copyright holder's revenue by protecting their digital works, based on a secure architecture, against any illegal use. The challenge of DRM is to control, in real time, the access to and use of these digital contents over a communication channel. In this paper we use DRM technologies to control access to and use of streamed videos in the case of a bandwidth-limited network. This contribution makes it possible to enable real-time DRM in multimedia systems.

Keywords: DRM, Network, Real time, Video Streaming, Control.

1. Introduction and Motivation One of the fastest growing and most profitable sectors of today's economy is the information industry. Its success has in a short time brought new opportunities to do business with digital information products. New technologies such as telecommunications and the Internet are now enabling new business models such as e-Commerce. On the market for digital content, this results in information prosperity and provides new distribution channels, lower costs and fewer barriers. The development of broadband networks allows the exchange, download and diffusion of digital content through peer-to-peer networks, and its perfect digital reproduction. Moreover, the use of technologies that are at once sophisticated and simple to handle, together with the availability of powerful playback equipment for digital contents, makes it easier to circumvent the technical protection measures of digital contents. Industry is now urgently demanding an efficient mechanism for e-content protection. Thus DRM systems [1][2][3] were designed and implemented to take up the challenge of protecting the copyright holder's revenue by protecting their works against illegal use, based on a secure architecture [4][5]. These systems authorize only controlled rights associated with digital contents. Traditional analog video is sent as a continuous stream of electrical signals over a cable from the source (camera) to the destination, such as a video monitor. Digital technology and IP have changed that. With this new type of video, a digital camera translates the viewed image into digital signals, which it then converts (encodes) into a series of IP packets that can be sent out over an IP-based network as a data stream.

The IP network may be a local area network, a company wide area network, or even the public Internet. At the destination, the receiver re-assembles these packets back into the original video stream. The reconstructed video can then be viewed, stored, searched, replayed, or retransmitted. Unlike other types of data, video requires large amounts of bandwidth, as well as highly reliable, predictable delivery mechanisms. Unfortunately, IP was not designed to provide this guaranteed quality of service (QoS) to the different types of traffic it carries, and frequently one or more packets may be dropped during transmission. For applications such as video, packet re-transmission is a poor option, since the missing packets are required to accurately reproduce the video image. Unmanaged, these factors cause latency, which results in poor quality or even unusable video at the receiving end. In this context, the use of Digital Rights Management (DRM) [6][7] to control the access to and use of streamed video can degrade the quality of the broadcast (stream) of digital contents over the Internet or a telecommunication network. In order to study the impact of using DRM technology, we use MATLAB/Simulink to simulate real-time DRM control of streaming video over a bandwidth-limited communication channel. It is necessary to specify rules stating the conditions of use of the digital contents. These rules are often expressed in the form of a license, which is a kind of contract between a supplier of a digital content and a consumer. A language to express licenses is needed. The Rights Expression Language (REL) chosen is the standardized MPEG-21 REL [8][9], which is simple and sufficiently expressive to meet the requirements of streaming videos over networks. The remainder of this paper is organized as follows: in Section 2 we present our main contribution, which consists of introducing DRM technologies to control user rights for a streamed video in real time, and then experimental results are presented. The paper concludes in Section 3.


2. Main Contributions and Experimentation

2.1 Studied Model Figure 1 illustrates the studied video streaming scenario, which consists of three parts: a video streaming source server (blue block, Fig. 2), a video end user (brown block, Fig. 2) and a bandwidth-limited communication network (green block, Fig. 2). The implementation of DRM access control can be done either on the server side or on the end-user side.

Figure 1. Video streaming over networks scenario studied: a video source server connected to a video end user through a bandwidth-limited communication channel

The model (Fig. 2) presents the studied scenario for implementing DRM control, which is simulated using MATLAB/Simulink. It illustrates a communication system that sends frames of video data over a channel. By dropping frames that wait too long to reach the end user, the model also illustrates how to use timeouts to implement point-to-point timing constraints. The video file used for the simulation is vipmen.avi (120x160, 30 fps).
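The timeout behaviour of the channel can also be expressed compactly outside Simulink. The sketch below is an illustration only, not the authors' Simulink model; the timeout value and the delay pattern are hypothetical.

```python
# Minimal sketch (not the Simulink model): drop frames that wait in the
# channel longer than a timeout before reaching the end user.
TIMEOUT = 0.5  # hypothetical timeout, in seconds

def deliver(frames, channel_delay):
    """frames: iterable of frame ids; channel_delay(i) gives frame i's delay in seconds."""
    delivered, timed_out = [], []
    for i in frames:
        if channel_delay(i) > TIMEOUT:
            timed_out.append(i)    # the end user sees a gap in the video
        else:
            delivered.append(i)
    return delivered, timed_out

# Example with a hypothetical periodic delay pattern over 10 seconds of 30 fps video.
ok, dropped = deliver(range(300), lambda i: 0.1 + 0.6 * (i % 30 == 0))
print(len(ok), "frames delivered,", len(dropped), "timed out")
```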

Figure 2. Video Streaming over a Bandwidth-limited Communication Channel

2.2 Introduction of DRM Technologies In order to implement DRM to control the use of the video in real time, we have chosen the standardized MPEG-21 Rights Expression Language to express the licenses [11]. These XML-based licenses contain the rights that a user has and are evaluated during the DRM process. The license can be located on the source server side or on the end-user side.

The DRM process is as follows:
1. The user requests a play right for the streamed video.
2. The DRM block parses the XML-based license with a parser.
3. The DRM block evaluates the license according to the user request.
4. If the play right exists, the user can play the video.
5. If the play right does not exist, a message is played informing the user that he/she is not authorized to play the video.
The MPEG-21 REL Embedded MATLAB Function block is inserted into the studied model to control user rights for the streamed video. There are two possibilities for implementing the control: a) on the video streaming server side, or b) on the end-user video player side.

a) On the video streaming server side: in the video source block (Fig. 3), the embedded function is inserted to control the user rights before the video is streamed, as in the case of video on demand or IPTV [12]. The red elements illustrate the added DRM controls:

Figure 3. Video Source block with DRM components inserted to control user rights for the streamed video.

b) On the end-user video player side: in the video end-user block (Fig. 4), the MPEG-21 REL Embedded MATLAB function can be inserted to control the user rights for the video before it is played. The red elements illustrate the added DRM controls:

Figure 4. Video End User block with DRM components inserted to control user rights for the streamed video.


The added DRM control components are: 1) The Embedded MATLAB function block (Fig. 5), which we call "MPEG-21 REL", and which controls the video user rights by parsing the XML license file.

Figure 5. MPEG 21 REL Embedded MATLAB Function

After parsing the XML license file and evaluating the user rights, if the user is not authorized to view the video, the constant K is set to "0" (Fig. 10b):

Y1 = U1, Y2 = K*U2 = 0, Y3 = U3, Y4 = 0, Y5 = 0, Y6 = 0,

where Yi (i = 1, ..., 6) are the R, G, B output variables and Uj (j = 1, 2, 3) are the R, G, B input variables. With K = 0 the video is transmitted without the green colour, delivering a degraded (bad quality) video.

After parsing the XML license file and evaluating the user rights, if the user is authorized to view the video (Fig.10a):

Y1 = 0, Y2 = 0, Y3 = 0, Y4 = U1, Y5 = U2, Y6 = U3. (A short sketch of this R, G, B gating logic is given after the list of components below.)

2) The MATLAB Insert Text block, which watermarks the streamed video by inserting text informing the user that he/she is not authorized to play the video. The video viewed by such a user is a degraded version of the original video.

Figure 6. Insert Text MATLAB block

3) The MATLAB Add element, which adds the output signals.

Figure 7. Add MATLAB block
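The R, G, B gating described for component 1 can be pictured outside Simulink as well. The sketch below is only an illustration of that logic (the function name, frame size and array handling are ours), not the Embedded MATLAB code used in the model.

```python
# Minimal sketch (names and sizes are ours) of the R,G,B gating logic
# described for component 1 above; it is not the Embedded MATLAB code.
import numpy as np

def gate_frame(r, g, b, authorized):
    """Route the R, G, B planes of one frame according to the license decision."""
    if authorized:
        # Authorized user: Y4..Y6 carry the original planes unchanged.
        return r, g, b
    # Non-authorized user: K = 0 suppresses the green plane (Y2 = K*U2 = 0),
    # so the viewer receives a degraded picture (and the Insert Text block,
    # component 2, adds the "not authorized" watermark).
    return r, np.zeros_like(g), b

# Example with a dummy 120x160 frame (the size of vipmen.avi).
r = g = b = np.full((120, 160), 128, dtype=np.uint8)
_, g_out, _ = gate_frame(r, g, b, authorized=False)
print(int(g_out.max()))  # 0: the green channel is removed for the unauthorized user
```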

2.3 Simulation and Experimentation

2.3.1 Without DRM Control
When we run the simulation without the DRM components (Fig. 8), scopes plot the following quantities to evaluate performance:

1) The size of the "input buffer" shows how many frames are waiting in the channel. Frames accumulate in the input buffer until they either progress through the channel or time out.
2) The size of the "reception buffer" shows how many frames are waiting in the receiver. Before T = 10, frames accumulate in the reception buffer because the block labelled Flow Control keeps the path closed between the receiver's buffer and the video viewer.
3) The status of "underflow" events in the receiver has a value of 1 whenever the Release Gate block permits a frame to advance from the reception buffer to the video viewer, but no frame is present.
4) The "communication delay per frame" shows how long the channel delays each frame that has advanced beyond the input buffer. In this model, the delay is periodic.
5) The "number of timed-out entities" shows how many frames have timed out in the channel. The end user does not receive these frames and can observe a gap in the video if many consecutive frames time out.

Figure 8. Simulation results without introducing DRM controls

2.3.2 With DRM Control
The simulation using DRM control gives the same video performance as the original model without DRM control, both for the authorized user (Fig. 8, Fig. 10a) and for the non-authorized user (Fig. 9, Fig. 10b). This shows that our implementation of the DRM control does not affect the network performance or the quality of the streamed video.



Figure 9. Simulation results using DRM control.

Figure 10. Comparison of the output videos: a) output video for the authorized user; b) output video for the non-authorized user

The MPEG-21 REL license file Alice.xml used for the simulation is as follows; Alice has the right to play the video 18 times.

<?xml version="1.0" ?>
<license>
  <!-- This is the first entry of our Address Book -->
  <grant lastModified="04-Jun-2009">
    <keyHolder> Alice </keyHolder>
    <mx:play/>
    <digitalResource>
      <nonSecureIndirect URI="urn:video.world/999999/video/vpimen.avi">
      </nonSecureIndirect>
    </digitalResource>
    <allConditions>
      <exerciseLimit>
        <count> 18 </count>
      </exerciseLimit>
    </allConditions>
  </grant>
</license>
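A license of this form can be evaluated with any XML parser. The following sketch uses Python's standard library rather than the XMLTree MATLAB toolbox used in the paper, and drops the mx: namespace prefix so the snippet stays self-contained; it only illustrates the evaluation logic of steps 2-4 of the DRM process described above.

```python
# Minimal sketch (Python instead of the paper's MATLAB/XMLTree code) of the
# license evaluation in steps 2-4 of the DRM process.  The mx: namespace
# prefix of Alice.xml is dropped here so the snippet stays self-contained.
import xml.etree.ElementTree as ET

LICENSE = """<license>
  <grant lastModified="04-Jun-2009">
    <keyHolder>Alice</keyHolder>
    <play/>
    <digitalResource>
      <nonSecureIndirect URI="urn:video.world/999999/video/vpimen.avi"/>
    </digitalResource>
    <allConditions>
      <exerciseLimit><count>18</count></exerciseLimit>
    </allConditions>
  </grant>
</license>"""

def may_play(xml_text, user, plays_so_far):
    """Return True if 'user' holds a play grant whose exercise limit is not yet reached."""
    root = ET.fromstring(xml_text)
    for grant in root.findall("grant"):
        holder = (grant.findtext("keyHolder") or "").strip()
        if holder != user or grant.find("play") is None:
            continue                                   # not a play grant for this user
        limit = grant.findtext("allConditions/exerciseLimit/count")
        if limit is None or plays_so_far < int(limit):
            return True
    return False

print(may_play(LICENSE, "Alice", 5))    # True  -> the video is played
print(may_play(LICENSE, "Alice", 18))   # False -> the "not authorized" message is shown
```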

Constraint of Simulation
MATLAB does not provide a toolbox that can be used to parse XML files, so we had to find a parser compatible with MATLAB to perform the simulation. After an extensive search, we found "XMLTree" [13], an XML parser toolbox that can be added to the MATLAB path. It is an XML 1.0 parser written in MATLAB that aims to be fully conforming. The parser is embedded in a MATLAB class (@xmltree) including powerful methods to import, export, access and modify the data. XPath [14] is used for addressing parts of the XML document. This program is free software, distributed under a GPL license.

3. Conclusion In this paper we have used DRM technologies to control access to and use of real-time streamed videos in the case of a bandwidth-limited network. The video quality and network performance were not affected by the DRM processing, which makes the approach suitable for enabling real-time DRM in e-commerce. Further research is under way to convert the program into VHDL to be tested on an FPGA, since MATLAB supports conversion to VHDL if all the components or programs are synthesizable, like the parser used. In order to protect licenses from tampering, we can convert them to a binary format. More complex licenses will also be studied in order to deal with complex business models and with the parsing time of XML licenses.

4. References
[1] O. Patkanen, M. Valimaki, "Towards a Framework for Digital Rights Management", hiit.fi, [Online]. Available: www.hiit.fi/~opp/pub/drm_framework_iec2000.pdf. [Accessed: Sept. 15, 2010].

[2] P. Herwann, “Rapport DRM DESS,”, Université René Descartes, Paris, France, 2004.

[3] P. Chantepie. M. Herubel, F. Tarrier, “Mesures Techniques de Protection des œuvres & DRMS-1ère Partie : Un état des lieux,” Rapport Inspection générale de l'administration des affaires culturelles, Paris, France, 2003.

[4] M. Rafi, M. Eleuldj, “Digital Rights Management,” In Proceedings of the La conférence Internationale sur les Nouvelles Technologies de la Répartition (NOTERE), 2007.

[5] M. Rafi, M. Eleuldj, Z. Guennoun,“ Digital rights management adaptable architecture,” In Proceedings of the 3rd IEEE International Conference on Information & Communication Technologies: from Theory to Applications (ICTTA), 2008.

[6] M. Rafi, M. Eleuldj, “Les jetons dans les DRM,” In Proceedings of the Les 2ème JOurnées Scientifiques en Technologies de l'Information et de la Communication (JOSTIC), 2008.

[7] M. Rafi, M. Eleuldj, O.Diouri, “ Digital rights management-A developpement of a media player,” In Proceedings of the Scientific Research Outlook & Technology Development in the Arab World’08-SRO5, ICT Conference, 2008.

[8] M. Rafi, M. Eleuldj, Z. Guennoun, "Improvement of MPEG-21 Rights Expression Language," In Proceedings of the 7th ACS/IEEE International Conference on Computer Systems and Applications (AICCSA), 2009.

[9] “Moving Picture Expert Group. ISO/IEC JTC/SC29 WG11”, chiariglione.org, [Online]. Available: http://www.chiariglione.org/mpeg/index.htm. [Accessed: Sept. 15, 2010].

[10] “MATLAB Software”, mathworks.com, [Online]. Available: http://www.mathworks.com. [Accessed: Sept. 15, 2010].

[11] “MPEG 21 REL”, chiariglione.org, [Online]. Available: http://www.chiariglione.org/mpeg/technologies/mp21-rel/index.htm. [Accessed: Sept. 15, 2010].

[12] “IPTV (Internet Protocol Television)”, wikipedia.org, [Online]. Available: http://en.wikipedia.org/wiki/IPTV. [Accessed: Sept. 15, 2010].

[13] “XMLTREE:XML toolbox for MATLAB”, artefact.tk, [Online]. Available: www.artefact.tk/software/matlab/xml. [Accessed: Sept. 15, 2010].

[14] “XML Path Language (XPath)”, w3.org, [Online]. Available: http://www.w3.org/TR/xpath. [Accessed: Sept. 15, 2010].


Generating the New S-box and Analyzing the Diffusion Strength to Improve the Security of AES Algorithm

Mohan H. S. 1 and A. Raji Reddy 2

1 Research Scholar, Dr MGR University, Chennai, India, [email protected]
2 Professor, Department of Electronics and Communication, Madanapalle Institute of Technology & Science, Madanapalle, India, [email protected]

Abstract: Shared-key (symmetric) encryption is the most fundamental cryptographic task. It is used in a large variety of applications, including protection of the secrecy of login passwords, ATM transactions, e-mail messages, video transmissions, wireless systems and Internet-distributed digital content. Several encryption algorithms are available for deployment in these applications. The earlier standard for shared-key encryption was the DES cipher, which was developed in the early 1970s. Later RIJNDAEL was proposed and was selected as the Advanced Encryption Standard (AES). The main objective of this paper is to analyze the RIJNDAEL algorithm, a shared-key (symmetric) block cipher supporting 128-bit blocks and a 128-bit key size, and to develop a new S-box. The design of block ciphers requires the implementation of high-speed algorithms with a small number of rounds. The number of rounds in a block cipher is decided based upon its resistance to the known attacks. The very first level of attack on an encryption algorithm is to search for repetitive cipher values and relate them to the plaintext. This attack can be made ineffective if the algorithm is designed to comply with the Strict Avalanche Criterion (SAC). In this paper, diffusion analysis based upon first-order SAC and higher-order SAC is carried out for the RIJNDAEL algorithm, and a new S-box generation is suggested. The results provide good insight into RIJNDAEL's strength in terms of its diffusion behavior and are useful in the design of new strong encryption algorithms.

Keywords: Diffusion analysis, Strict Avalanche Criteria, First order SAC, higher order SAC.

1. Introduction Cryptography allows people to send and receive information over the communication channel thus allowing them to do business electronically, without worries of deception. The perpetual increase of information transmitted electronically has led to an increased reliance on cryptography. Cryptography is important to the continual growth of Internet and E-commerce.

Various cryptographic tools are used to provide information security. These tools are evaluated with respect to various criteria: (1) level of security, (2) functionality, (3) modes of operation, (4) performance, and (5) ease of implementation.

A cryptographic algorithm, or a cipher, is the mathematical function used for encryption and decryption. If the security of an algorithm is based upon keeping the way that algorithm works secret, it is known as a restricted algorithm.

A large or changing group of users cannot use restricted algorithms, because every time a user leaves the group, everyone else must change the algorithm. Moreover, restricted algorithms allow no quality control or standardization. Nevertheless, they are enormously popular for low-security applications.

Modern cryptography solves this problem with a key, denoted by k. Both the encryption and decryption operations use this key, so the encryption and decryption functions become

Ek(M) = C for encryption and Dk(C) = M for decryption,

where Ek denotes encryption using key k, Dk denotes decryption using key k, M is the message (plaintext) and C is the cipher text.

1.1 Symmetric Algorithms There are two general types of key-based algorithms: symmetric and public key. In symmetric algorithms the encryption key can be the same as the decryption key and vice versa. These are also called secret key algorithms. Symmetric algorithms can be divided into two categories: i) some operate on the plaintext a single bit at a time and are called stream ciphers, and ii) others operate on the plaintext in groups of bits; such groups of bits are called blocks and such algorithms are called block ciphers.

1.2 Stream Ciphers and Block Ciphers Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. Stream ciphers are more suitable for situations where transmission errors are highly probable.

Symmetric key block ciphers are the most prominent and important elements in many cryptographic systems. Individually, they provide confidentiality. Examples of block ciphers are DES, 3-DES, FEAL, SAFER, RC5 and AES. The implementation of any basic block cipher is generally known as Electronic Code Book (ECB) mode. In order to increase security further, additional modes are also defined: (1) Cipher Feedback (CFB) mode, (2) Output Feedback (OFB) mode, and (3) Counter (CTR) mode. The counter mode has become popular in IPSec and IPv6 applications.

1.3 Cryptanalysis There are two general approaches for attacking a conventional encryption algorithm:

Cryptanalysis: This is used for deciphering a message without any knowledge of the enciphering details.


Cryptanalysis is the science of recovering the plaintext of a message without access to the key. Successful cryptanalysis may recover the plaintext or the key. It also finds weaknesses in the cryptosystem.

Brute-force attack: The attack tries every possible key on a piece of cipher text until an intelligible translation into plaintext is obtained. This is tedious and may not be feasible if the key length is relatively long.

1.4 Confusion and Diffusion These are the two important techniques for building any cryptographic system. Claude Shannon introduced the terms Confusion and Diffusion. According to Shannon, in an ideal cipher, “all statistics of the cipher text are independent of the particular key used”. In Diffusion, each plaintext digit affects many cipher text digits, which is equivalent to saying that each cipher text digit is affected by many plain text digits.

All encryption algorithms make use of diffusion and confusion layers. The diffusion layer is based upon simple linear operations such as multi-permutations, key additions, and multiplication by known constants. The confusion layer, on the other hand, is based upon complex, non-linear operations such as the Substitution Box (S-box).

2. Related Work 2.1 Evaluation of Advanced Encryption Standard

The principal drawback of 3DES is that the algorithm is relatively sluggish in software. The original DES was designed for mid-1970s hardware implementation and does not produce efficient software code. Since 3DES has three times as many rounds as DES, it is correspondingly slower. A secondary drawback is that both DES and 3DES use a 64-bit block size. For reasons of both efficiency and security, a larger block size is desirable.

Because of these drawbacks, NIST issued a call in 1997 for proposals for a new Advanced Encryption Standard (AES), which should have a security strength equal to or better than 3DES and significantly improved efficiency. In addition, NIST specified that AES must be a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192 and 256 bits.

In the first round 15 proposals were submitted, and in the second round 5 algorithms were selected. NIST completed its evaluation in November 2001 and selected Rijndael as the AES; its designers are both cryptographers from Belgium, Dr. Joan Daemen and Dr. Vincent Rijmen. The standard specifies the Rijndael algorithm ([3] and [4]), a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Rijndael was designed to handle additional block sizes and key lengths; however, they are not adopted in the standard. Throughout the remainder of the standard, the algorithm specified therein is referred to as "the AES algorithm." The algorithm may be used with the three different key lengths indicated above, and therefore these different "flavors" may be referred to as "AES-128", "AES-192", and "AES-256".

2.2 S-Box Design

One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. A basic characteristic of an S-box is its size: an n x m S-box has n input bits and m output bits. Larger S-boxes are, by and large, more resistant to differential and linear cryptanalysis. However, a large dimension n leads to a larger lookup table, and the size of the lookup table decides the size of the program memory. Therefore, a small S-box is required for hardware with little program memory, while a large S-box can be used with hardware having more program memory. For example, AES uses a 16 x 16 S-box. This is implemented on a suite of hardware platforms: 8051-based microcontrollers, PIC processors, ARM processors, FPGA-based processors, ASICs, etc. It is possible to implement a 256 x 256 S-box on high-end processors. Another practical consideration is that the larger the S-box, the more difficult it is to design it properly. An S-box is required for both encryption and decryption. An n x m S-box typically consists of 2^n rows of m bits each. The n bits of input select one of the rows of the S-box, and the m bits in that row are the output. For example, in an 8 x 32 S-box, if the input is 00001001, the output consists of the 32 bits in row 9 (the first row is labeled row 0).

2.3 Key Schedule Algorithm
A final area of block cipher design is the key schedule algorithm. A block cipher requires one sub-key for each round of operation, and the sub-keys are generated from the input master key. Generation of the sub-keys requires an algorithm, which should ensure that no sub-key is repeated. In general, sub-keys are selected to maximize the difficulty of deducing individual sub-keys and the difficulty of working back to the main key.

2.4 Avalanche Criteria
There are two different types of strict avalanche criteria: i) first-order SAC, the change in the output bits when a single input bit is flipped, and ii) higher-order SAC, the change in the output bits when many input bits are flipped.
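Returning to the 8 x 32 S-box example in Section 2.2, the row-selection arithmetic can be made concrete with a short sketch. The table contents below are randomly generated placeholders, not the AES S-box and not the new S-box proposed in this paper.

```python
# Minimal sketch of an n x m S-box lookup; the table contents are random
# placeholders, not the AES S-box or the new S-box proposed in this paper.
import random

def sbox_lookup(table, x, n):
    """table: list of 2**n rows, each an m-bit integer; x: the n-bit input."""
    assert 0 <= x < 2 ** n == len(table)
    return table[x]        # the n input bits select the row; that row is the output

# Example: an 8 x 32 S-box, input 0b00001001 selects row 9 (rows numbered from 0).
random.seed(0)
toy_sbox = [random.getrandbits(32) for _ in range(256)]
print(f"row 9 -> 0x{sbox_lookup(toy_sbox, 0b00001001, n=8):08X}")
```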

3. Statement of the Problem AES is a symmetric block cipher which encrypts/decrypts one block of data at a time. AES has an iterative structure consisting of the repetition of a round, which is applied to the data block to be encrypted a fixed number of times. The mandatory feature required of any block cipher is good diffusion. The problem statement is given below:

i. To implement the encryption and decryption of the algorithm.

ii. To increase the diffusion power of the AES algorithm.
iii. To suggest a new S-box for the AES algorithm to increase the confusion.

4. Algorithm Specification For the AES algorithm, the length of the input block, the output block and the State is 128 bits. This is represented by


Nb = 4 which reflects the number of 32-bit words (number of columns) in the State.

For the AES algorithm, the length of the Cipher Key, K, is 128, 192, or 256 bits. The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of columns) in the Cipher Key. For the AES algorithm, the number of rounds to be performed during the execution of the algorithm is dependent on the key size. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8.
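As a minimal illustration of the key-length/round-count relationship just described (a Python sketch, not part of the standard; the names NB and ROUNDS are chosen here for convenience):

```python
# Nb = 4 (128-bit block = four 32-bit words); Nr depends on Nk as stated above.
NB = 4
ROUNDS = {4: 10, 6: 12, 8: 14}   # Nk (key words) -> Nr (rounds)

def rounds_for_key_bits(key_bits):
    """Return the number of rounds Nr for a 128/192/256-bit cipher key."""
    nk = key_bits // 32
    return ROUNDS[nk]

assert rounds_for_key_bits(128) == 10
assert rounds_for_key_bits(192) == 12
assert rounds_for_key_bits(256) == 14
```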

The only Key-Block-Round combinations that conform are shown below.

Figure 1. Key-Block-Round Combinations.

For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is composed of four different byte-oriented transformations: 1) byte substitution using a substitution table (S-box), 2) shifting rows of the State array by different offsets, 3) mixing the data within each column of the State array, and 4) adding a Round Key to the State.

4.1 The State

Internally, the AES algorithm’s operations are performed on a two-dimensional array of bytes called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array, denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as either s_r,c or s[r, c]. For this standard, Nb = 4, i.e., 0 ≤ c < 4.

At the start of the Cipher and Inverse Cipher, the input – the array of bytes in0, in1 … in15 – is copied into the State array as illustrated in Fig. 2. The Cipher or Inverse Cipher operations are then conducted on this State array, after which its final value is copied to the output – the array of bytes out0, out1 … out15.

Figure 2. State array input and output.

Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State array according to the scheme: s[r, c] = in[r + 4c] for 0 ≤ r < 4 and 0 ≤ c < Nb and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as follows: out[r + 4c] = s[r, c] for 0 ≤ r < 4 and 0 ≤ c < Nb.
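A small sketch (Python, for illustration only; the standard specifies the mapping abstractly) of the copy into and out of the State array just described:

```python
NB = 4  # number of 32-bit words (columns) in the State

def bytes_to_state(block):
    """s[r][c] = in[r + 4c] for a 16-byte input block, 0 <= r < 4, 0 <= c < Nb."""
    return [[block[r + 4 * c] for c in range(NB)] for r in range(4)]

def state_to_bytes(state):
    """out[r + 4c] = s[r][c]."""
    out = [0] * (4 * NB)
    for r in range(4):
        for c in range(NB):
            out[r + 4 * c] = state[r][c]
    return bytes(out)

block = bytes(range(16))
assert state_to_bytes(bytes_to_state(block)) == block
```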

4.2 The State as an Array of Columns

The four bytes in each column of the State array form 32-bit words, where the row number r provides an index for the four bytes within each word. The State can hence be interpreted as a one-dimensional array of 32-bit words (columns), w0...w3, where the column number c provides an index into this array. Hence, for the example in Fig. 2, the State can be considered as an array of four words, as follows: w0 = s0,0 s1,0 s2,0 s3,0; w1 = s0,1 s1,1 s2,1 s3,1; w2 = s0,2 s1,2 s2,2 s3,2; w3 = s0,3 s1,3 s2,3 s3,3.

5. Diffusion Analysis

Diffusion analysis of an encryption algorithm enables one to estimate the strength of that algorithm. The strength of the algorithm is related to how sensitive the cipher values are to changes in the input plaintext, in other words, how many of the output ciphertext bits change when a single bit of the input plaintext is changed. The Hamming distance is the Hamming weight of the value obtained by XORing two ciphertext values; it indicates the avalanche of the encryption algorithm. For well-diffused cipher values, higher avalanche values are required. Therefore, it is imperative to define the amount of avalanche required for a given encryption algorithm. The Strict Avalanche Criterion (SAC) is defined to indicate the required diffusion level. It is mandatory for every encryption algorithm to satisfy the SAC in order to meet the diffusion requirements.

In this paper, avalanche values are measured for this encryption algorithm for the first-order SAC and for the higher-order SAC. The measured results are shown in later sections. Flipping one bit of the input plaintext and keeping the key value constant, avalanche values are measured for each round. The measured results show a definite pattern.

With respect to CASE (1), i.e., the implementation of the first-order SAC keeping the plaintext constant: initially, in the first round, the avalanche is low; the number of bits that differ is 22 and the SAC value is 17. It then increases to a maximum in the 7th round, where the number of differing bits is 75 with a SAC value of 58, and then decreases; finally, after the 10th round, it ends with 72 differing bits and a SAC value of 56, which satisfies the desired strict avalanche criterion.
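For concreteness, the avalanche figures above can be computed as sketched below (Python, illustrative only; the reported “SAC value” appears to correspond to the percentage of the 128 output bits that differ, e.g., 72 differing bits gives 56):

```python
def hamming_distance(c1: bytes, c2: bytes) -> int:
    """Number of differing bits between two equal-length cipher blocks
    (the Hamming weight of c1 XOR c2)."""
    return sum(bin(a ^ b).count("1") for a, b in zip(c1, c2))

def sac_value(c1: bytes, c2: bytes) -> int:
    """Percentage (truncated) of output bits that flipped."""
    return (100 * hamming_distance(c1, c2)) // (8 * len(c1))

# 72 differing bits in a 128-bit block correspond to the reported SAC value of 56;
# 22 differing bits give 17, matching the first-round figure above.
assert (100 * 72) // 128 == 56
assert (100 * 22) // 128 == 17
```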

Similarly, the same holds for all the other cases, which are shown in the later sections. From the results, it is evident that the avalanche values exceed the SAC value in the initial rounds, sometimes in the second round itself.

The AES encryption algorithm is designed based upon various criteria; the number of rounds used is adequate and the algorithm is robust, as it uses S-boxes as nonlinear components. So far, Rijndael has no known security attacks.


Based upon the above considerations, we can conclude that an encryption algorithm can be designed with fewer rounds, provided it shows no weakness against differential and linear attacks.

6. Alternate S-box

In a block cipher, the S-box provides the confusion. The S-box maps the plaintext to a cipher value using nonlinear operations. Since plaintext and cipher values are not related linearly, it is difficult to construct the plaintext from a given cipher value; this problem is generally known as “hard”. Some block ciphers have used the multiplicative inverse of a byte in the GF(2^8) field for constructing the S-box, which is built by filling in the multiplicative inverse values. The same S-box can be used for decryption, thus providing involution. However, such an S-box is not as secure as one constructed using a double transformation, i.e., separate S-boxes for encryption and decryption. But an involution S-box is extremely useful for an involution cipher where hardware is at a premium, such as smart cards. It is also used as a basic building block to construct an S-box using a double transformation.

6.1 Design Criteria for S-Box

Following are the design criteria for the S-box, in order of importance:
• Non-linearity: (a) Correlation: the maximum input-output correlation amplitude must be as small as possible. (b) Difference propagation probability: the maximum difference propagation probability must be as small as possible.
• Algebraic complexity: the algebraic expression of SRD in GF(2^8) has to be complex.

6.2 S-Box of AES

The S-box is constructed in the following fashion:
• Initialize the S-box with the byte values in ascending sequence, row by row. The first row contains {00}, {01}, {02}, ..., {0F}; the second row contains {10}, {11}, etc.; and so on. Thus the value of the byte at row x, column y is {xy}.
• Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00} is mapped to itself.
• Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0), and apply the following affine transformation to each bit of each byte in the S-box:
b'_i = b_i ⊕ b_{(i+4) mod 8} ⊕ b_{(i+5) mod 8} ⊕ b_{(i+6) mod 8} ⊕ b_{(i+7) mod 8} ⊕ c_i,
where c_i is the i-th bit of the byte c with value {63}, i.e., (c7 c6 c5 c4 c3 c2 c1 c0) = (01100011). The prime (') indicates that the variable is to be updated by the value on the right. The AES standard also depicts this transformation in matrix form.
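To make the construction concrete, the following sketch generates the table in software (Python, illustrative only; the paper targets hardware platforms, and gf_mul, gf_inverse, affine and build_sbox are helper names introduced here; the inverse is found by brute force rather than from a table):

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inverse(a):
    """Multiplicative inverse in GF(2^8); {00} is mapped to itself as in the standard."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def affine(b, c=0x63):
    """b'_i = b_i ^ b_{i+4} ^ b_{i+5} ^ b_{i+6} ^ b_{i+7} ^ c_i (indices mod 8)."""
    out = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8)) ^ (c >> i)) & 1
        out |= bit << i
    return out

def build_sbox(c=0x63):
    """Inverse in GF(2^8) followed by the affine transformation with constant c."""
    return [affine(gf_inverse(x), c) for x in range(256)]

sbox = build_sbox()
assert sbox[0x00] == 0x63 and sbox[0x01] == 0x7C   # matches the AES S-box
```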

6.3 Proposed S-box

Here we propose that alternate S-boxes can be generated by choosing a different constant value for the affine transformation used in the construction of the S-box.
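For instance, reusing the build_sbox sketch above with a different affine constant (0x5B is an arbitrary, hypothetical choice) yields a different substitution table:

```python
alt_sbox = build_sbox(c=0x5B)          # hypothetical alternate constant
assert alt_sbox[0x00] == 0x5B          # the image of {00} is always the chosen constant
assert alt_sbox != build_sbox(c=0x63)  # a different constant gives a different S-box
```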

7. Experimental Results

The AES algorithm is designed with the same three key-size alternatives, i.e., 128/192/256 bits, but limits the block length to 128 bits. The algorithm efficiently encrypts and decrypts the plaintext and the results are tabulated. Diffusion analysis is also used as a tool to measure the strength of the AES algorithm. This is achieved by analyzing the diffusion, which exhibits a strong avalanche effect, for the first-order SAC and the higher-order SAC in the following cases:

• Changing one bit at a time in a plaintext, keeping key as constant.

• Changing one bit at a time in a key, keeping plaintext as constant.

• Changing many bits at a time in a plaintext, keeping key as constant.

• Changing many bits at a time in a key, keeping plaintext as constant.

The avalanche value of each round is tabulated for all the above cases, showing that the Rijndael algorithm exhibits good strict avalanche behavior. Also, the generation of an alternate S-box is an attempt to secure the algorithm against attacks; the generated S-box is then used for encryption and diffusion analysis, for comparison. The following results have been achieved:

7.1 Encryption

The length of the key is entered; accordingly, the key and the plaintext are entered in hexadecimal. Simultaneously, the ciphertext is generated.

Figure 3. Result of encryption using a 128-bit key length.


7.2 Decryption

The key that was previously entered for encryption has to be entered. As a result, the plaintext entered during encryption and the text obtained after decryption are displayed.

Figure 4. Result after decryption for a 128-bit key length.

7.3 Diffusion Analysis for First-Order SAC

CASE 1: Changing one bit at a time in the key, keeping the plaintext constant.

Figure 5. Results of the avalanche effect for Case (1).

CASE 2: Changing one bit at a time in the plaintext, keeping the key constant.

Figure 6. Results of the avalanche effect for Case (2).

7.4 Diffusion Analysis for Higher-Order SAC

CASE 3: Changing many bits at a time in the key, keeping the plaintext constant.

Figure 7. Results of the avalanche effect for Case (3).

CASE 4: Changing many bits at a time in the plaintext, keeping the key constant.

Figure 8. Results of the avalanche effect for Case (4).

7.5 With the Alternate S-box

The alternate S-box is generated, and the encryption and diffusion analysis are carried out with the new S-box.

Figure 9. Result of encryption using a 128-bit key length.

Figure 10. Diffusion analysis for first-order SAC with a 128-bit key length.

8. Conclusions

The main aim of any encryption algorithm is to keep the data secure from intruders. DES did not satisfy the need for data security because of its short 56-bit key; such short keys can be broken by brute-force attacks, and so it was proved insecure. As a replacement for DES, the AES was proposed and Rijndael was selected, which is more secure than DES.


The basic design of an encryption algorithm is based upon the strength of its diffusion and confusion. This work explored the diffusion and confusion elements used in AES to an extent. Based on the studies, the following techniques are developed as a security improvement:
• Diffusion analysis, which is used as a tool to measure the strength of the algorithm. The experimental results show that AES meets the strict avalanche criterion, which is mandatory for an encryption algorithm in order to meet the diffusion requirements.
• Suggesting an alternate S-box.

9. Future Enhancements

• An alternate S-box for decryption can be developed.
• All encryption algorithms, both symmetric and public key, involve arithmetic operations on integers in a finite field. The Rijndael algorithm uses the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1 = 0x11b (hex), so a new irreducible polynomial of degree 8 could be used; there are 30 irreducible polynomials of degree 8.

References

[1] W. Stallings, Cryptography and Network Security, Prentice Hall, 2003.
[2] AES page available via http://www.nist.gov/CryptoToolkit.4
[3] Computer Security Objects Register (CSOR): http://csrc.nist.gov/csor/.
[4] J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES Algorithm Submission, September 3, 1999.
[5] J. Daemen and V. Rijmen, "The Block Cipher Rijndael," Smart Card Research and Applications, LNCS 1820, Springer-Verlag, pp. 288-296.
[6] B. Gladman's AES related home page, http://fp.gladman.plus.com/cryptography_tetechnolo/.
[7] A. Lee, NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government, National Institute of Standards and Technology, November 1999.
[8] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, 1997, pp. 81-83.
[9] J. Nechvatal, Report on the Development of the Advanced Encryption Standard (AES), National Institute of Standards and Technology, October 2, 2000.
[10] Mohan H.S. and A. Raji Reddy, "Diffusion Analysis of Mars Encryption Algorithm," International Conference on Current Trends of Information Technology, MERG-2005, Bhimavaram, Andhra Pradesh.
[11] Mohan H.S. and A. Raji Reddy, "An Effective Defense Against Distributed Denial of Service in Grid," IEEE International Conference on Integrated Intelligent Computing (ICIIC-2010), SJBIT, Bangalore-60, ISBN 978-0-7695-4152-5, pp. 84-89.

Authors Profile

Mohan H.S. received his Bachelor's degree in Computer Science and Engineering from Malnad College of Engineering, Hassan, in the year 1999 and his M.Tech in Computer Science and Engineering from Jawaharlal Nehru National College of Engineering, Shimoga, in the year 2004. He is currently pursuing a part-time Ph.D. degree at Dr. MGR University, Chennai. He is working as a professor in the Department of Information Science and Engineering at SJB Institute of Technology, Bangalore-60. He has a total of 12 years of teaching experience. His areas of interest are network security, image processing, data structures, computer graphics, finite automata and formal languages, and compiler design. He obtained a best teacher award for his teaching in the year 2008 at SJBIT, Bangalore-60. He has published and presented papers in journals and at international and national level conferences.

A. Raji Reddy received his M.Sc. from Osmania University, his M.Tech in Electrical and Electronics and Communication Engineering from IIT Kharagpur in the year 1979, and his Ph.D. degree from IIT Kharagpur in the year 1986. He worked as a senior scientist in the R&D division of ITI Ltd, Bangalore, for about 24 years. He is currently working as a professor and head in the Department of Electronics and Communication, Madanapalle Institute of Technology & Science, Madanapalle. His current research areas are cryptography and its application to wireless systems and network security. He has published and presented papers in journals and at international and national level conferences.


Knowledge Based Computing Using Semantic Web for Grid Applications

Dr. M. Rajaram1, Mrs. S. Latha Shanmuga Vadivu 2

1Professor & Head, EEE Dept,

Government college of engineering, Tirunelveli, Tamilnadu, India

2Assistant professor, Department of ECE,

Tamilnadu College of Engineering, Coimbatore, Tamilnadu, India

Abstract: Today most scientific enterprises are highly data-intensive, computation-intensive and collaboration-intensive. This necessitates the interaction and sharing of various resources, especially knowledge, despite their heterogeneity and geographical distribution. Intelligent process automation and collaborative problem solving have to be adopted. A Semantic Web-based approach is proposed to tackle the six challenges of the knowledge lifecycle, namely those of acquiring, modeling, retrieving, reusing, publishing and maintaining knowledge. To achieve this vision, the Semantic Web community has proposed some core enabling technologies and reasoning which provide an infrastructure for distributed information and knowledge management based on metadata, semantics, and reasoning. A Semantic Web-based approach to managing Grid resources' knowledge for Grid applications is one where a semantics-based knowledge layer is added between Grid resources and Grid applications. In this layer, the Semantic Web technologies are used to carry out knowledge acquisition, modeling, representation, publishing, storage and reuse. Ontologies are used to conduct knowledge acquisition through ontology modeling and semantic annotation: ontology modeling provides conceptual structures for preserving knowledge, and semantic annotation captures metadata, generates semantic instances and populates them into knowledge bases.

Keywords: Ontology, Semantic Web, Client, Grid, K-Service.

1. Introduction

The Semantic Web is an extension of the current Web in which information is given well-defined meaning, better enabling computers and people to work in cooperation. It is the idea of having data on the Web defined and linked in a way that it can be used for more effective discovery, automation, integration, and reuse across various applications where data can be shared and processed by automated tools as well as by people. To achieve this vision, we have made use of core enabling technologies, APIs and tools, encompassing ontologies, ontology languages, annotation, semantic repositories, and reasoning, which provide an infrastructure for distributed information and knowledge management based on metadata, semantics, and reasoning [3]. A Semantic Web-based approach to KM is proposed here in which we use ontologies for knowledge

acquisition and modeling, the Web Ontology Language for knowledge representation, and semantics-based reasoning for decision-making support. Grid computing offers a promising distributed computing infrastructure where large-scale cross-organizational resource sharing and routine interactions are commonplace. Grid applications usually refer to large-scale science and engineering that are carried out through distributed global collaboration enabled by the Grid. Typically, such scientific enterprises are data-intensive and/or collaboration-intensive and/or computation-intensive, i.e., they require access to very large data collections, very large-scale computing resources, and close collaboration among multiple stakeholders. This necessitates the interaction and sharing of specific resources, despite the heterogeneity of their respective policies, platforms and technologies, and their geographical and organizational dispersal [8]. It is envisioned that Grid applications would be carried out through flexible collaborations and computations on a global scale with a higher degree of easy-to-use and seamless automation [1]. In Grid applications, knowledge usually resides implicitly in resource models and/or descriptions. Making domain knowledge explicit and understandable for third-party consumers can enhance effective resource reuse by providing well-informed decisions regarding when, where, and how to use a resource [4]. By enriching metadata and knowledge with semantics, the Grid can break down the barrier of heterogeneity and move to truly seamless access and cross-organizational resource sharing. Furthermore, semantics empowers machines or software agents to understand and process resources' metadata; consequently, it will increase the level of automation and reduce the need for manual intervention.

2. Existing System

Most of today’s Web content is suitable for human consumption. Even Web content that is generated automatically from databases is usually presented without the original structural information found in databases. Typical uses of the Web today involve people seeking and making use of information, searching for and getting in


touch with other people, reviewing catalogs of online stores and ordering products by filling out forms, and viewing adult material. These activities are not particularly well supported by software tools. Apart from the existence of links that establish connections between documents, the main valuable, indeed indispensable, tools are search engines [9]. Keyword-based search engines, such as AltaVista, Yahoo and Google, are the main tools for using today's Web. However, there are serious problems associated with their use. Most information is available in a weakly structured form, for example, text, audio and video. From the knowledge management perspective, the current technology suffers from limitations in the following areas:
Extracting information: Human time and effort are required to browse the retrieved documents for relevant information.
Uncovering information: New knowledge implicitly existing in corporate databases is extracted using data mining. However, this task is still difficult for distributed, weakly structured collections of documents [4].
Viewing information: Often it is desirable to restrict access to certain information to certain groups of employees. "Views", which hide certain information, are known from the area of databases but are hard to realize over an intranet (or the Web).
Searching information: Currently, keyword-based search engines return too much, too little, or irrelevant information.

2.1 Proposed System

The Web represents information using natural languages such as English, Hungarian, Chinese, etc. This is fine for humans but difficult for machines. In the case of distributed applications, automatic procedures are involved, not only humans: agents try to make "sense" of resources on the Web, and a well-defined terminology for the domain is necessary. So it is appropriate to represent the Web content in a form that is easily machine-processable and to use intelligent techniques to take advantage of the representations. We refer to this plan of revolutionizing the Web as the Semantic Web initiative. It is important to understand that the Semantic Web will not be a new global information highway parallel to the existing World Wide Web; instead it will gradually evolve out of the existing Web. The aim of the Semantic Web is to allow much more advanced knowledge management systems. Knowledge will be organized in conceptual spaces according to its meaning. Automated tools will support maintenance by checking for inconsistencies and extracting new knowledge. Keyword-based search will be replaced by query answering; requested knowledge will be retrieved, extracted, and presented in a human-friendly way. Query answering over several documents will be supported. Defining who may view certain parts of information (even parts of documents) will be possible. Knowledge management is done using metadata, semantics and reasoning. Some of the core enabling technologies used are ontology modeling and semantic annotation. Ontology modeling provides

conceptual structures for preserving knowledge [1]. Semantic annotation captures metadata, generates semantic instances as knowledge entities, and populates them into knowledge bases. The essence of this approach is to add a semantics-based knowledge layer between primitive Grid resources and Grid applications. Grid applications would then be carried out through flexible collaborations and computations on a global scale with a high degree of easy-to-use and seamless automation.

3. OWL (Web Ontology Language)

OWL (the Web Ontology Language) is designed for use by applications that need to process the content of information instead of just presenting information to humans. OWL facilitates greater machine interpretability of Web content than that supported by XML, RDF, and RDF Schema (RDF-S) by providing additional vocabulary along with a formal semantics. OWL has three increasingly expressive sublanguages: OWL Lite, OWL DL, and OWL Full. OWL is intended to be used when the information contained in documents needs to be processed by applications, as opposed to situations where the content only needs to be presented to humans [3]. OWL can be used to explicitly represent the meaning of terms in vocabularies and the relationships between those terms. This representation of terms and their interrelationships is called an ontology. OWL has more facilities for expressing meaning and semantics than XML, RDF, and RDF-S, and thus OWL goes beyond these languages in its ability to represent machine-interpretable content on the Web. OWL is a revision of the DAML+OIL web ontology language, incorporating lessons learned from the design and application of DAML+OIL [11].

3.1 OWL Description
The Semantic Web is a vision for the future of the Web in which information is given explicit meaning, making it easier for machines to automatically process and integrate information available on the Web. The Semantic Web will build on XML's ability to define customized tagging schemes and RDF's flexible approach to representing data. The first level above RDF required for the Semantic Web is an ontology language that can formally describe the meaning of terminology used in Web documents. If machines are expected to perform useful reasoning tasks on these documents, the language must go beyond the basic semantics of RDF Schema. OWL has been designed to meet this need for a Web ontology language. OWL is part of the growing stack of W3C recommendations related to the Semantic Web [6], [5].
• XML provides a surface syntax for structured documents, but imposes no semantic constraints on the meaning of these documents.
• XML Schema is a language for restricting the structure of XML documents and also extends XML with data types.
• RDF is a data model for objects ("resources") and relations between them; it provides a simple semantics for this


data model, and these data models can be represented in XML syntax.
• RDF Schema is a vocabulary for describing properties and classes of RDF resources, with a semantics for generalization hierarchies of such properties and classes.
• OWL adds more vocabulary for describing properties and classes: among others, relations between classes (e.g., disjointness), cardinality (e.g., "exactly one"), equality, richer typing of properties, characteristics of properties (e.g., symmetry), and enumerated classes.
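As a small illustration of the extra vocabulary OWL provides on top of RDF Schema, the sketch below uses the rdflib Python library (an assumption; the paper does not name a toolkit) to declare two hypothetical Grid resource classes, subclass relations, and a disjointness axiom:

```python
from rdflib import Graph, Namespace
from rdflib.namespace import OWL, RDF, RDFS

EX = Namespace("http://example.org/grid#")   # hypothetical ontology namespace
g = Graph()
g.bind("ex", EX)

# OWL classes for two kinds of Grid resources, both subclasses of a generic resource.
for cls in (EX.GridResource, EX.ComputeResource, EX.DataResource):
    g.add((cls, RDF.type, OWL.Class))
g.add((EX.ComputeResource, RDFS.subClassOf, EX.GridResource))
g.add((EX.DataResource, RDFS.subClassOf, EX.GridResource))

# Disjointness is one of the relations OWL adds beyond RDF Schema.
g.add((EX.ComputeResource, OWL.disjointWith, EX.DataResource))

print(g.serialize(format="turtle"))
```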

3.2 System Design

The Semantic Web concept is used for knowledge sharing in Grid applications. The grid applications contain a knowledge base that is populated with relevant information uploaded by the authenticated service providers. The authenticated clients of the grid application can search for required information from the knowledge base. This search request will be processed automatically by the relevant phases of the grid, which will return the relevant information, in the required format, eliminating redundancies [7]. Thus the system is designed by writing programs for the client, middleware and server.

Figure 1 shows the various layers for knowledge management in the Semantic Web, which are explained below.
3.2.1 Client
Grid applications like e-business, e-science and e-banking have a number of clients who wish to access the resources and knowledge available in the grid from anywhere in the world. All that is needed is that they have access permissions to make use of the resources. Their search requests will be processed automatically by the middleware, i.e., the knowledge layer, and the knowledge will be presented to them as they want it, without any effort from them.
3.2.2 Client Functions

The client performs two functions namely that of searching by giving a keyword and downloading contents using the links returned by the middleware.

Search

In this module, the clients of the Grid application who desire to obtain information from the knowledge base must first log in. If they are new users, they can register by providing their user name, password and e-mail. Once logged in, they can specify a keyword or set of keywords, choose categories (i.e., whether they want text, image or video files) and select one main subcategory from the list available.
Retrieve: The request from the client is sent to the middleware layer and is processed by the relevant grid phases. As a result, a set of links is returned. The client downloads content using the links.

Figure 1. The Semantic Web based approach to knowledge management

Figure 2. User login page

Figure 2 shows the user login page from which the client's request is sent to the middleware layer.


Figure 3. New user registration page

Figure 3 shows the new user registration page. If the client has not already registered, he can register and enter the site so that he can get the useful information he needs.
3.2.3 Middleware
This middleware region comprises the Grid activities that are carried out in seven distinct phases. The system design modules of the middleware layer are shown in Figure 4 below, and the modules are explained thereafter.

Figure 4. System design modules

Application Analysis: Any request from the client or the server is passed on to this phase of the grid. The application analyzer analyzes the request and, if it is from the server, forwards it to the knowledge management phase; otherwise, to the K-service development phase.

Knowledge Management Analysis: The content uploaded by the service providers is received, and the metadata information is categorized and extracted. This phase also collects and maintains details about where the knowledge information resides.

Ontology Development: This phase is activated after the previous phase. It creates a partial ontology for the uploaded file using the metadata extracted in the previous phase. It will be of the OWL file format. It conducts knowledge elicitation and builds the knowledge models.

Semantic Annotation: The complete OWL file for the uploaded content is generated in this phase. Each keyword will have a URL link attached with it separately and the knowledge base will be populated extensively in this phase.

K-Service Development:

In this phase knowledge services will be developed using application specifications and knowledge application scenarios. They are developed to make best use of available knowledge and provide maximum intelligent support for problem solving. The outputs of this phase are a number of K-services that can serve as building blocks for Grid applications or, more generally, as the middleware for the Semantic Grid infrastructure.

Testing and evaluation:

In this phase the K-services developed in the previous phase are tested for their functionality. If they produce the desired output then they are passed on to the System integrator. The K-services are also tested to yield optimum performance.

System integration:

While tasks are performed in each phase by different roles, they are a coordinated and collaborative endeavor. The outcomes of one phase will be used by tasks in later phases. Results from previous activities are evaluated and validated by later tasks. Sometimes, it is necessary to iterate the refinement-evaluation cycle several times between phases before all requirements are met. The system integrator performs this task.
3.2.4 Servers
The service providers are responsible for uploading the contents to the knowledge base in the Grid application [5]. If there are any updates to the uploaded file content, then they provide information for the uploaded content as well.
Server Upload: The service providers upload and update information. First, they need to log in to be able to upload information into the grid. If they are new service providers, they have to register and be authenticated. The screenshot of the service provider upload page is given in Figure 5.

Once the authentication process is over, they can select the categories and subcategories in which they wish to upload the file and send the upload request. This will be processed by the middleware, and feedback on whether their request was accepted will be given back to them.



Figure 5. Service provider upload page

Update: The uploaded information can also be updated by the corresponding service providers from time to time. This makes sure that the information in the knowledge base always remains consistent.
4. Conclusion

The Semantic Web-based approach to knowledge management leverages the state of the art in ontology, ontology languages and DL reasoning technologies. To support the adoption and implementation of the proposed approach, a methodology has been developed to provide guidance for Grid practitioners to carry out knowledge management for Grid applications.

References

[1] W. Johnston, "Semantic Services for Grid-Based, Large-Scale Science," IEEE Intelligent Systems, vol. 19, no. 1, pp. 34-39, Jan./Feb. 2004.
[2] N.R. Shadbolt, T. Berners-Lee, and W. Hall, "The Semantic Web Revisited," IEEE Intelligent Systems, vol. 21, no. 3, pp. 96-101, May/June 2006.
[3] E. Sirin, B. Parsia, and J. Hendler, "Filtering and Selecting Semantic Web Services with Interactive Composition Techniques," IEEE Intelligent Systems, vol. 19, no. 4, pp. 42-49, July/Aug. 2004.
[4] Grigoris Antoniou and Frank van Harmelen, A Semantic Web Primer, The MIT Press, 2004.
[5] H. Zhuge, "Semantic Grid: Scientific Issues, Infrastructure, and Methodology," Communications of the ACM, vol. 48, no. 4, pp. 117-119, 2005.
[6] T. Berners-Lee, J. Hendler, and O. Lassila, "The Semantic Web," Scientific American, vol. 284, no. 4, pp. 34-43, 2001.
[7] M.H. Eres, G.E. Pound and S.J. Cox, "Globus Installation Procedure," http://www.geodise.org/files/tutorials/Globus_Installation.pdf, 2004.
[8] C.A. Goble, D. De Roure, N.R. Shadbolt, and A.A.A. Fernandes, "Enhancing Services and Applications with Knowledge and Semantics," in The Grid 2: Blueprint for a New Computing Infrastructure, I. Foster and C. Kesselman, Eds., Morgan Kaufmann, pp. 431-458, 2004.
[9] S. Schreiber, H. Akkermans, A. Anjewierden, R. Hoog and N.R. Shadbolt, Knowledge Engineering and Management, The MIT Press, London, 1999.
[10] I. Horrocks, U. Sattler and S. Tobies, "Practical Reasoning for Expressive Description Logics," Lecture Notes in Artificial Intelligence, no. 1705, H. Ganzinger, D. McAllester, and A. Voronkov, Eds., pp. 161-180, 1999.
[11] V. Haarslev and R. Möller, "Racer: A Core Inference Engine for the Semantic Web," Proc. 2nd International Workshop on Evaluation of Ontology

Authors Profile

Dr. M. Rajaram, M.E., Ph.D., is a Professor and Head in Electrical and Electronics Engineering and Computer Science and Engineering at Government College of Engineering, Tirunelveli. He received the B.E. degree in Electrical and Electronics Engineering from Madurai University, and the M.E. and Ph.D. degrees from Bharathiyar University, Coimbatore, in the years 1981, 1988 and 1994, respectively. His research interests are computer science and engineering, electrical engineering and power electronics. He is the author of over 120 publications in various international and national journals. Seven Ph.D. scholars and ten M.S. (by research) scholars have been awarded their degrees under his supervision. At present, he is supervising 12 Ph.D. scholars.

Mrs. S. Latha Shanmuga Vadivu is an Assistant Professor in the Electronics and Communication Engineering Department at Tamilnadu College of Engineering, Coimbatore. She received the B.E. degree from Bharathiar University, Coimbatore, in the year 1995, the M.S. (by research) in Computer Science Engineering from Anna University, Chennai, in the year 2007, and is pursuing a Ph.D. in Computer Science Engineering at Anna University, Coimbatore. She has 15 years of teaching experience. Her research interests are in data mining and networking. She is an active member of the ISTE and CSI societies, and also the Branch Counselor of the IEEE Student Branch at Tamilnadu College of Engineering. Students of various institutions across the state have benefited from her seminars, guest lectures and workshops.


A Novel design of High Speed Adders Using Quaternary Signed Digit Number System

Reena Rani1, L.K. Singh2 and Neelam Sharma 3

1B.S.A. College of Engineering & Technology, Mathura

Uttar Pradesh, India [email protected]

2 Dr. R.M.L. Avadh University Faizabad, Uttar Pradesh, India

[email protected]

3 Institute of Engg. & Technology, Alwar, Rajasthan, India. [email protected]

Abstract: We propose fast adders based on the quaternary signed digit (QSD) number system. The QSD number system in arithmetic circuits has the advantage of constant addition time irrespective of word length. Arithmetic operations in digital signal processing applications still suffer from problems including propagation delay and circuit complexity. The QSD number representation allows a method of fast addition/subtraction because the carry propagation chains are eliminated, and hence it reduces the propagation time. In QSD, each digit can be represented by a number from -3 to 3. The design of the QSD adder is carried out using FPGA tools. The designs are simulated using Modelsim SE 6.4 software and synthesized using Leonardo Spectrum.

Keywords: Carry free addition, Fast computing, FPGA, VLSI.

1. Introduction

Arithmetic operations play an important role in various digital systems such as computers, process controllers, signal processors, computer graphics and image processing. Recent advances in technologies for integrated circuits make large-scale arithmetic circuits suitable for VLSI implementation. However, arithmetic operations still suffer from known problems including a limited number of bits, propagation time delay, and circuit complexity [1].

Now, the flexibility of field programmable gate arrays (FPGAs) allows the rapid development of high performance custom hardware [12]. By selecting arithmetic algorithms suited to the FPGA technology and subsequently applying optimal mapping strategies, high performance FPGA implementations can be developed [5].

In this paper, we propose a high speed QSD arithmetic logic unit which is capable of carry free addition, borrow free subtraction, up-down count and multiply operations. The QSD addition/subtraction operation employs a fixed number of minterms for any operand size.

The signed digit number system offers the possibility of carry-free addition. QSD adder/multiplier circuits are logic circuits designed to perform high-speed arithmetic operations. In the QSD number system, carry propagation chains are eliminated, which reduces the computation time substantially, thus enhancing the speed of the machine [7].

The paper is structured as follows: Section 2 presents the quaternary signed digit number system. In Section 3, we present the adder design using the QSD number system, which involves a two-step addition. Section 4 presents simulation results. Section 5 presents the implementation results. We then provide our conclusions in Section 6.

2. Quaternary Signed Digit Numbers

QSD numbers are represented using 3-bit 2's complement notation. Each number can be represented by

D = Σ_{i=0}^{n−1} x_i · 4^i,

where x_i can take any value from the set {−3, −2, −1, 0, 1, 2, 3} for producing an appropriate decimal representation. A QSD negative number is the QSD complement of the corresponding QSD positive number [2]; i.e., the complement of 3 is −3 (and of −3 is 3), of 2 is −2, and of 1 is −1. For digital implementation, a large number of digits, such as 64, 128, or more, can be implemented with constant delay. A higher-radix signed digit number system, such as the quaternary signed digit (QSD) number system, allows higher information storage density, less complexity, fewer system components and fewer cascaded gates and operations. High-speed and area-effective adders and multipliers can be implemented using this technique.

For example, consider the conversion of (43)10 to a QSD number with n = 3 (negative digits are written here with a minus sign):
(43)10 = 2 × 4^2 + 2 × 4^1 + 3 × 4^0 = (2 2 3)QSD.
The same number can be represented in another way as
(43)10 = 3 × 4^2 − 1 × 4^1 − 1 × 4^0 = (3 −1 −1)QSD,
in one more way as
(43)10 = 2 × 4^2 + 3 × 4^1 − 1 × 4^0 = (2 3 −1)QSD,
and similarly as
(43)10 = 3 × 4^2 − 2 × 4^1 + 3 × 4^0 = (3 −2 3)QSD.

As a QSD negative number is the QSD complement of the QSD positive number,
(−43)10 = (−2 −2 −3)QSD = (−3 1 1)QSD = (−2 −3 1)QSD = (−3 2 −3)QSD.
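A small sketch (Python, illustrative only; the paper's designs are written in VHDL) of how a QSD digit string, most significant digit first, evaluates to a decimal value; it confirms the redundant representations of 43 and −43 listed above:

```python
def qsd_value(digits):
    """Evaluate a QSD digit list (most significant digit first, digits in -3..3)."""
    value = 0
    for d in digits:
        value = 4 * value + d
    return value

assert qsd_value([2, 2, 3]) == 43
assert qsd_value([3, -1, -1]) == 43
assert qsd_value([2, 3, -1]) == 43
assert qsd_value([3, -2, 3]) == 43
# The QSD negative number is the digit-wise complement of the positive one:
assert qsd_value([-2, -2, -3]) == -43
```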


3. Adder Design

3.1 Design Algorithm
Arithmetic has played an important role in human civilization, especially in the fields of science, engineering and technology. The everlasting need for higher computing power and processing speed in a wide range of information processing applications places stringent demands for fast computation on digital computer design.

Recent advances in technologies for integrated circuits make large scale arithmetic circuits suitable for VLSI implementation [9]. However, arithmetic operations still suffer from known problems including limited number of bits, propagation time delay, and circuit complexity [6]. With recent advances of integrated circuits technology higher radix circuits are becoming a reality.

Addition is the most important arithmetic operation in digital computation. A carry-free addition is highly desirable as the number of digits becomes large. We can achieve carry-free addition by exploiting the redundancy of QSD numbers and the QSD addition. The redundancy allows multiple representations of any integer quantity i.e.

(−5)10 = (−2 3)QSD = (−1 −1)QSD

There are two steps involved in the carry-free addition [3]. The first step generates an intermediate carry and sum from the addend and augend. The second step combines the intermediate sum of the current digit with the carry of the lower significant digit[10].

To prevent the carry from further rippling, we define two rules. The first rule states that the magnitude of the intermediate sum must be less than or equal to 2. The second rule states that the magnitude of the carry must be less than or equal to 1. Consequently, the magnitude of the second-step output cannot be greater than 3, which can be represented by a single-digit QSD number; hence no further carry is required. In step 1, all possible input pairs of the addend and augend are considered. The output ranges from -6 to 6, as shown in Table 1.

Table 1: The outputs of all possible combinations of a pair of addend (A) and augend (B)

In the step 1 QSD adder, the range of the output is from -6 to +6, which can be represented by an intermediate carry and sum in QSD format as shown in Table 2 [4]. We can see in the first column of Table 2 that some numbers have multiple representations, but only those that meet the two rules defined above are chosen. The chosen intermediate carry and intermediate sum are listed in the last column of Table 2 as the QSD coded number.
Table 2: The intermediate carry and sum for values between -6 and 6

This addition process can be well understood from the following example. Example: to perform the QSD addition of the two numbers A = 107 and B = -233, first convert the decimal numbers to their equivalent QSD representations (negative digits written with a minus sign):
(107)10 = 2 × 4^3 − 2 × 4^2 + 3 × 4^1 − 1 × 4^0 = (2 −2 3 −1)QSD
(233)10 = 3 × 4^3 + 3 × 4^2 − 2 × 4^1 + 1 × 4^0 = (3 3 −2 1)QSD
Hence, (−233)10 = (−3 −3 2 −1)QSD. Now the addition of the two QSD numbers can be done as follows:

A = 107          2  −2   3  −1
B = −233        −3  −3   2  −1
Decimal sum     −1  −5   5  −2
IC               0  −1   1   0
IS              −1  −1   1  −2
S               −2   0   1  −2
Cout             0

The sum output is (−2 0 1 −2)QSD, which is equivalent to (−126)10, and the carry output is 0.

The QSD adder design process involves two stages for addition. The first stage generates the intermediate carry and sum according to the defined rules. In the second stage, the intermediate carry from the lower significant digit is added to the intermediate sum of the current digit, which results in a carry-free output. In this step the current digit can always absorb the carry-in from the lower digit.
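The two-step process can be sketched as follows (Python, illustrative only; the paper's adders are realized in VHDL, and the function name, digit ordering and decomposition used here are choices made for this sketch). The decomposition keeps |IS| ≤ 2 and |IC| ≤ 1, so the second step never produces a digit outside −3..3:

```python
def qsd_add(a, b):
    """Carry-free addition of two equal-length QSD numbers given as digit lists
    (most significant digit first, digits in -3..3). Returns (carry_out, sum_digits)."""
    n = len(a)
    ic = [0] * n    # intermediate carries, |ic| <= 1
    isum = [0] * n  # intermediate sums,    |isum| <= 2
    for i in range(n):
        s = a[i] + b[i]          # step 1: digit sums lie in -6..6
        if s > 2:                # decompose s = 4*ic + isum
            ic[i], isum[i] = 1, s - 4
        elif s < -2:
            ic[i], isum[i] = -1, s + 4
        else:
            ic[i], isum[i] = 0, s
    out = []
    for i in range(n):           # step 2: add the carry from the lower (right) digit
        carry_in = ic[i + 1] if i + 1 < n else 0
        out.append(isum[i] + carry_in)   # always in -3..3, so no further carry
    return ic[0], out

# The worked example above: A = 107 = (2, -2, 3, -1), B = -233 = (-3, -3, 2, -1).
cout, s = qsd_add([2, -2, 3, -1], [-3, -3, 2, -1])
assert cout == 0 and s == [-2, 0, 1, -2]   # (-2 0 1 -2) in QSD equals -126
```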

3.2 Step 1 Adder Design
The step 1 QSD adder accepts QSD numbers as input and gives the intermediate carry and sum as output. Figure 1 shows the step 1 adder block as the intermediate carry and sum circuit.


Figure 1. The intermediate Carry and Sum Generator

The input numbers can vary from -3 to +3, so the addition result varies from -6 to +6, which needs two QSD digits. The lower significant digit serves as the sum and the most significant digit serves as the carry. The generation of the carry can be avoided by mapping the two digits onto a pair of intermediate sum and intermediate carry such that the nth intermediate sum and the (n−1)th intermediate carry never form any of the carry-generating pairs (3,3), (3,2), (3,1), (−3,−3), (−3,−2), (−3,−1) [13].

Both inputs and outputs can be encoded as 3-bit 2's complement binary numbers [8]. The mapping between the inputs (addend and augend) and the outputs (the intermediate carry and sum) is considered in binary format.

3.3 Step 2 Adder Design
In step 2, the intermediate carry from the lower significant digit is added to the sum of the current digit to produce the final result. The addition in this step produces no carry because the current digit can always absorb the carry-in from the lower digit [11]. The step 2 adder accepts the intermediate carry and intermediate sum as input and gives a single-digit carry-free QSD output. Figure 2 shows the block diagram of the step 2 adder.

Figure 2. The Second Step QSD Adder

The range of the intermediate carry is -1 to +1 and the range of the intermediate sum is -2 to +2. The sum of the intermediate carry and intermediate sum lies in the range -3 to +3, which can be represented by a single-digit QSD number. Table 3 shows all possible combinations of the summation between the intermediate carry and the sum.

Table 3: Outputs of all possible combinations of a pair of intermediate carry (IC) and sum (IS)

Table 4: The mapping between inputs and outputs of the second step QSD adder

3.4 Single Digit QSD Adder Design
The single digit QSD adder accepts two QSD numbers as inputs and gives carry and sum as outputs. Figure 3 shows the single digit QSD adder. At the input side, the addend Ai is represented by the 3-bit input a2, a1, a0 and the augend Bi is represented by the 3-bit input b2, b1, b0. At the output side, the carry C is represented by C2, C1, C0 and the sum S is represented by S2, S1, S0. The addend and augend can be selected in the range -3 to +3.

The addition result according to the specified rules lies in the range -3 to +3; it is a single-digit QSD number, hence no further carry is required. Both inputs and outputs are encoded as 3-bit 2's complement binary numbers. As the range of the carry is from -1 to +1, it could be represented by a 2-bit binary number, but we take the 3-bit representation for bit compatibility with the sum, so C2 = C1.

Figure 3. Single Digit QSD Adder

The internal logic diagram for single digit QSD adder is shown in figure 4.


Figure 4. Single Digit QSD Adder Structure

4. Simulation Results
The four-digit QSD adder was written in VHDL, compiled and simulated using Modelsim SE 6.4. The simulated result for the 4-digit QSD adder is shown in Figure 5.

Figure 5. Simulated Result of Four Digit QSD Adder

5. Implementation Results

The design was synthesized on Xilinx Virtex-IV FPGA devices using Leonardo Spectrum from Mentor Graphics. Figure 6 shows the RTL schematic of the four-digit QSD adder.

Figure 6. RTL Schematic of Four Digit QSD Adder

The delay of the QSD adder is 2 ns, which is the minimum delay in comparison to the Ripple Carry Adder (RCA) and the Carry Look-Ahead (CLA) adder. The QSD adders have a constant delay of 2 ns for higher numbers of bits. Figure 7 shows the timing comparison chart for the RCA, CLA and QSD adders.


Figure 7. Timing comparison of the RCA, CLA and QSD adders (delay in ns versus number of bits: 4, 8, 16, 32, 64, 128)

6. Conclusion
We have presented an algorithm for radix-4 carry-free addition which is suitable for realizing high-speed, compact arithmetic VLSI circuits. The QSD addition scheme is independent of the length of the processed bit strings and is thus very fast. The QSD-based addition technique is also memory efficient, since more information can be encoded in fewer digits than in its binary signed digit (BSD) counterpart.

References

[1] A. Avizienis, "Signed-digit number representations for fast parallel arithmetic," IRE Trans. on Electronic Computers, vol. EC-10, pp. 389-400, 1961.
[2] Abdallah K. Cherri, "Canonical Quaternary Arithmetic Based on Optical Content-Addressable Memory (CAM)," Proc. IEEE National Aerospace and Electronics Conference, vol. 2, 1996, pp. 655-661.
[3] Reena Rani, Upasana Agrawal, Neelam Sharma, L.K. Singh, "High Speed Arithmetic Logical Unit using Quaternary Signed Digit Number System," International Journal of Electronic Engineering Research, ISSN 0975-6450, Volume 2, Number 3, 2010, pp. 383-391.
[4] Songpol Ongwattanakul, Phaisit Chewputtanagul, David J. Jackson, Kenneth G. Ricks, "Quaternary Arithmetic Logic Unit on a Programmable Logic Device," Proc. IEEE Conference, 2001.
[5] Reena Rani, Neelam Sharma, L.K. Singh, "FPGA Implementation of Fast Adders using Quaternary Signed Digit Number System," Proc. IEEE International Conference on Emerging Trends in Electronic and Photonic Devices & Systems (ELECTRO-2009), 2009, pp. 132-135.
[6] Behrooz Parhami, "Carry-Free Addition of Recoded Binary Signed-Digit Numbers," IEEE Transactions on Computers, Vol. 37, No. 11, pp. 1470-1476, November 1988.
[7] A. T. M. Shafiqul Khalid, A. A. S. Awwal and O. N. Garcia, "Digital Design of Higher Radix Quaternary Carry Free Parallel Adder," Proc. 39th Midwest Symposium on Circuits and Systems, August 1996, pp. 187-189.
[8] A. A. S. Awwal and J. U. Ahmed, "Fast Carry Free Adder Design Using QSD Number System," Proc. IEEE National Aerospace and Electronics Conference, Vol. 2, 1993, pp. 1085-1090.
[9] K. Hwang, Computer Arithmetic: Principles, Architecture and Design, New York: Wiley, 1979.
[10] Reena Rani, Neelam Sharma, L.K. Singh, "Fast Computing using Signed Digit Number System," Proc. IEEE International Conference on Control, Automation, Communication and Energy Conservation, 4th-6th June 2009, pp. 1-4.
[11] N. Takagi, H. Yasuura, and S. Yajima, "High Speed VLSI Multiplication Algorithm with a Redundant Binary Addition Tree," IEEE Trans. Comp., C-34, pp. 789-795, 1985.
[12] A. A. S. Awwal, Syed M. Munir, A. T. M. Shafiqul Khalid, Howard E. Michel and O. N. Garcia, "Multivalued Optical Parallel Computation Using An Optical Programmable Logic Array," Informatica, vol. 24, No. 4, 2000, pp. 467-473.
[13] P. K. Dakhole, D. G. Wakde, "Multi Digit Quaternary Adder on Programmable Device: Design and Verification," International Conference on Electronic Design, 1-3 Dec. 2008, pp. 1-4.

Authors Profile

Reena Rani obtained her M.Tech (VLSI Design) from Banasthali Vidyapith, Rajasthan, India. She is currently pursuing a Ph.D. in Electronics from Dr. Ram Manohar Lohiya Avadh University. She is a winner of a 3rd prize from the AMIETE council of India. Her research area is VLSI design. She is a Senior Lecturer in the Department of Electronics & Communication Engineering at B.S.A. College of Engineering & Technology, Mathura (U.P.), and an Associate Member of the Institution of Electronics and Telecommunication Engineering.

Lakshami Kant Singh obtained his Ph.D. (Optoelectronics) in 1976. He is currently Director and Professor at Dr. Ram Manohar Lohiya Avadh University, Faizabad, U.P., India. Posts held include Dean of the Faculty of Science and Pro-Vice Chancellor. He has over 35 years of teaching experience and has published around 30 research papers and articles. He is a member of the Institution of Engineers, the Institution of Electronics and Telecommunication Engineering, Delhi, and the Computer Society of India.

Neelam Sharma received her Ph.D. and M.Tech from U.P.T.U., Lucknow, U.P., and her B.E. from Thapar Institute of Engineering and Technology, Punjab, India. Presently she is a Professor in the Department of Electronics and Instrumentation Engineering, Institute of Engineering and Technology, Alwar, Rajasthan, India. Her current research interests are computer architecture, neural networks, VLSI, FPGA, etc. She has twenty-five research publications and has convened a number of sponsored research projects. She is a member of IEEE, IETE and IE.


Triple-Critical Graphs

Basheer Ahamed M., and Bagyam I

Department of Mathematics, Karunya University, Coimbatore-641114, Tamilnadu, INDIA

Abstract: A graph G = (V, E) is said to be double-critical if G is connected and the chromatic number of G decreases by 2 when any two adjacent vertices of G are removed. We extend this concept to triple-critical graphs.

Mathematics Subject Classification 2010: 05C15.

Keywords: Complete graphs, Degree, Double-critical k-chromatic graph, Complete decomposable graph, triple-critical graphs.

1. Introduction
The double-critical graph conjecture is a special case of the Erdős–Lovász Tihany conjecture [4], which states that for any graph G = (V, E) with χ(G) > ω(G) and any two integers a, b ≥ 2 with a + b = χ(G) + 1, there is a partition (A, B) of the vertex set V(G) such that χ(G[A]) ≥ a and χ(G[B]) ≥ b. The double-critical graph conjecture is proved [2], which states that K_k is the (only) double-critical k-chromatic graph. In this paper, we extend the concept to triple-critical graphs and prove a theorem.

2. Preliminaries
Throughout this paper, we assume that G = (V, E) is a finite, connected, undirected, simple graph. The order and size of a graph G are denoted by n(G) and m(G), respectively. The degree of a vertex v is denoted by d(v). The maximum degree of the graph G is denoted by Δ(G) and the minimum degree by δ(G). A graph G = (V, E) is said to be a clique or a complete graph if E = V × V; it is denoted by K_n, where |V| = n. Further, the subgraph of G induced by V(G) \ {x} is denoted by G − x.

We summarize some notations and results which are useful in developing the main results of this paper.

2.1 Definition [6].
A k-coloring of a graph G = (V, E) is a function φ from the vertex set V of G into a set C of cardinality k such that φ(u) ≠ φ(v) for every edge uv ∈ E(G).

2.2 Definition [6].
A graph G is k-colorable if it has a k-coloring. The elements of the set C are referred to as colors, and a vertex v ∈ V(G) is said to be assigned the color φ(v) by φ.

2.3 Definition [6].
The chromatic number, denoted by χ(G), is the minimum integer k for which the graph G is k-colorable.

2.4 Theorem [3].
For any graph G = (V, E), we have χ(G) ≤ Δ(G) + 1.

2.5 Theorem [3].
For a complete graph G = (V, E), χ(G) = Δ(G) + 1.

2.6 Definition [6].
A graph G = (V, E) is called vertex-critical, or simply critical, if χ(G − v) < χ(G) for every v ∈ V(G).

2.7 Definition [7].
A graph G = (V, E) is said to be double-critical if G is connected and the chromatic number of G decreases by 2 when any two adjacent vertices of G are removed.

2.8 Definition [6].
A graph G = (V, E) is said to be decomposable if it consists of two disjoint non-empty subgraphs G_1 and G_2 together with all edges joining a vertex of G_1 and a vertex of G_2.

2.9 Theorem [5].
A k-critical graph with at most 2k − 2 vertices is always decomposable.

2.10 Definition [1].
A graph G = (V, E) is called complete decomposable if it consists of two disjoint non-empty subgraphs G_1 and G_2 together with all the edges that join every vertex of G_1 to every vertex of G_2. Then the complete decomposition of the graph G is written as G = G_1 ⊗ G_2.

2.11 Theorem [8].


K5 is the only double-critical 5-chromatic graph.

2.12 Theorem [2].

Kk is the (only) double-critical k-chromatic graph.

3. Main Results In this section, we extend the concept of double-critical graphs to triple-critical graphs and prove a theorem.

3.1 Definition A graph G is said to be triple-critical if G is connected and the chromatic number of G decreases by 3 when any 3 vertices of G which form a triangle are removed.

3.2 Theorem

Let G be a complete decomposable graph and let G1 and G2 be the components of G. If G1 and G2 are complete graphs on n vertices, n ≥ 2, then G is a triple-critical graph.
Proof: Since, by Theorem 2.12, Kk is the (only) double-critical k-chromatic graph, it is clear that
a complete graph on k vertices, Kk, k ≥ 2, is a double-critical graph. (1)
Since the complete graph Kk is critical for every k, Kk is a critical graph. (2)
Let G be a complete decomposable graph. Then
χ(G) = χ(G1) + χ(G2). (3)
Also, let G1 and G2 be complete graphs on n vertices, n ≥ 2. Then, clearly from (1) and (2), G1 and G2 are both critical and double-critical graphs. (4)
The components Ga and Gb, a ≠ b and a, b = 1, 2, fall into three cases.
Case 1: Ga = K2 and Gb = K2.

Case 2: Ga = K2 and Gb = Kn, n > 2.

Case 3: Ga = Kn, n > 2, and Gb = Kn, n > 2.

Let vi, vj, vk, with i ≠ j ≠ k and vi, vj, vk ∈ V(G), be the three vertices which are removed to verify the triple-critical property of the graph G.

Case 1: Ga = K2 and Gb = K2.
Let vi, vj ∈ V(Ga) and vk ∈ V(Gb). Then by (4),
χ(Ga − vi − vj) = χ(Ga) − 2 and χ(Gb − vk) = χ(Gb) − 1. Then we have
χ(G − vi − vj − vk) = χ(Ga) − 2 + χ(Gb) − 1 = χ(Ga) + χ(Gb) − 3 = χ(G) − 3.
Therefore, χ(G − vi − vj − vk) = χ(G) − 3. Hence, G is a triple-critical graph.

Case 2: Ga = K2 and Gb = Kn, n > 2.
Sub-case 2(a): vi ∈ V(Ga) and vj, vk ∈ V(Gb). Using (4), we have χ(Ga − vi) = χ(Ga) − 1 and χ(Gb − vj − vk) = χ(Gb) − 2. Therefore, χ(G − vi − vj − vk) = χ(Ga − vi) + χ(Gb − vj − vk) = χ(G) − 3. Thus, G is a triple-critical graph.
Sub-case 2(b): vi, vj ∈ V(Ga) and vk ∈ V(Gb). By (4), χ(Ga − vi − vj) = χ(Ga) − 2 and χ(Gb − vk) = χ(Gb) − 1. Hence, χ(G − vi − vj − vk) = χ(Ga − vi − vj) + χ(Gb − vk) = χ(G) − 3. Therefore, G is a triple-critical graph.
Sub-case 2(c): Consider vi, vj, vk ∈ V(Gb) and no vertex from V(Ga) is removed. By (1), χ(Gb − vi − vj) = χ(Gb) − 2. The induced graph Gb − vi − vj is a complete graph on n(Gb) − 2 vertices, so it is critical, and removing vk decreases its chromatic number by 1 more. Therefore, χ(G − vi − vj − vk) = χ(Ga) + {[χ(Gb) − 2] − 1} = χ(Ga) + χ(Gb) − 3 = χ(G) − 3. Hence, G is a triple-critical graph.

Case 3: Ga = Kn, n > 2, and Gb = Kn, n > 2.
Sub-case 3(a): Let vi, vj ∈ V(Ga) and vk ∈ V(Gb). As in Case 1, G is a triple-critical graph.
Sub-case 3(b): Let vi, vj, vk ∈ V(Ga) and no vertex from the component Gb is removed. As in sub-case 2(c), G is a triple-critical graph. □

We illustrate the above theorem with an example for each case.

3.3 Example

For case (1), let G1 = K2 and G2 = K2. Then the graph G = G1 ⊗ G2 = K2 ⊗ K2. The chromatic numbers are χ(G1) = 2, χ(G2) = 2 and χ(G) = 4. After the removal of the three vertices,
χ(G − va − vb − vc) = χ(G1 − va − vb) + χ(G2 − vc) = χ(G1) − 2 + χ(G2) − 1 = 1.
Therefore, G is a triple-critical graph.


3.4 Example

For sub-case 2(a), when G1 = K2 and G2 = K5, G = K2 ⊗ K5. Then the chromatic numbers are χ(G) = 7, χ(G1) = 2 and χ(G2) = 5. Removing a vertex va ∈ V(G1) and two vertices vb, vc ∈ V(G2), we get
χ(G − va − vb − vc) = χ(G1 − va) + χ(G2 − vb − vc) = 2 − 1 + 5 − 2 = 4.
Hence, G = K7 is a triple-critical graph.

3.5 Example

For sub-case 2(b), when G1 = K2 and G2 = K5, G = K2 ⊗ K5. Then the chromatic numbers are χ(G) = 7, χ(G1) = 2 and χ(G2) = 5. Removing two vertices from G1 and a vertex from G2, we get
χ(G − va − vb − vc) = χ(G1 − va − vb) + χ(G2 − vc) = χ(G1) − 2 + χ(G2) − 1 = 2 − 2 + 5 − 1 = 4.
Hence, G = K7 is a triple-critical graph.

3.6 Example

For sub-case 2(c), when G1 = K2 and G2 = K5, G = K2 ⊗ K5. Then the chromatic numbers are χ(G) = 7, χ(G1) = 2 and χ(G2) = 5. Removing no vertex from G1 and three vertices from G2, we get
χ(G − va − vb − vc) = χ(G1) + χ(G2 − va − vb − vc) = χ(G1) + χ(G2) − 3 = 2 + 5 − 3 = 4.
Hence, G = K7 is a triple-critical graph.

3.7 Example
For sub-case 3(a), when G1 = K3 and G2 = K6, G = K3 ⊗ K6 = K9. Then the chromatic numbers are χ(G) = 9, χ(G1) = 3 and χ(G2) = 6. Removing two vertices from G1 and one vertex from G2, we get
χ(G − va − vb − vc) = χ(G1 − va − vb) + χ(G2 − vc) = χ(G1) − 2 + χ(G2) − 1 = 3 − 2 + 6 − 1 = 6.
Hence, G = K9 is a triple-critical graph.

3.8 Example

For sub-case 3(b), when G1 = K3 and G2 = K6, G = K3 ⊗ K6 = K9. Then the chromatic numbers are χ(G) = 9, χ(G1) = 3 and χ(G2) = 6. Removing no vertex from G1 and three vertices from G2, we get
χ(G − va − vb − vc) = χ(G1) + χ(G2 − va − vb − vc) = χ(G1) + χ(G2) − 3 = 3 + 6 − 3 = 6.
Therefore, G = K9 is a triple-critical graph.
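The examples above can also be checked mechanically. The short Python sketch below (all function names are ours, not part of the paper) computes chromatic numbers by backtracking, builds the complete decomposition G1 ⊗ G2 of two complete graphs as the complete graph on n(G1) + n(G2) vertices, and tests Definition 3.1 for the graph of Example 3.4.

```python
from itertools import combinations

def is_k_colorable(vertices, edges, k):
    """Backtracking test: can the graph be properly colored with k colors?"""
    vs = list(vertices)
    adj = {v: set() for v in vs}
    for u, w in edges:
        adj[u].add(w)
        adj[w].add(u)
    color = {}

    def assign(i):
        if i == len(vs):
            return True
        v = vs[i]
        for c in range(k):
            if all(color.get(u) != c for u in adj[v]):
                color[v] = c
                if assign(i + 1):
                    return True
                del color[v]
        return False

    return assign(0)

def chromatic_number(vertices, edges):
    k = 1
    while not is_k_colorable(vertices, edges, k):
        k += 1
    return k

def complete_decomposition(a, b):
    """G = G1 ⊗ G2 with G1 = K_a and G2 = K_b: every pair of vertices is joined,
    i.e. the complete graph on a + b vertices."""
    vertices = list(range(a + b))
    edges = set(combinations(vertices, 2))
    return vertices, edges

def is_triple_critical(vertices, edges):
    """Definition 3.1: chi(G) drops by exactly 3 whenever a triangle is removed."""
    chi = chromatic_number(vertices, edges)
    for tri in combinations(vertices, 3):
        if not all(p in edges for p in combinations(tri, 2)):
            continue                                   # the three vertices are not a triangle
        rest_v = [v for v in vertices if v not in tri]
        rest_e = {e for e in edges if e[0] not in tri and e[1] not in tri}
        new_chi = chromatic_number(rest_v, rest_e) if rest_v else 0
        if new_chi != chi - 3:
            return False
    return True

# Example 3.4: G = K2 ⊗ K5 = K7, so chi(G) = 7 and G is triple-critical.
V, E = complete_decomposition(2, 5)
print(chromatic_number(V, E), is_triple_critical(V, E))   # 7 True
```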

References
[1] M. Basheer Ahamed, I. Bagyam, "Complete decomposable graphs," communicated.
[2] M. Basheer Ahamed, I. Bagyam, "Double-critical k-chromatic graphs," accepted.
[3] V. K. Balakrishnan, Schaum's Outline of Theory and Problems of Graph Theory, McGraw Hill, USA, 1997.
[4] P. Erdős, "Problem 2," in Theory of Graphs (Proc. Colloq., Tihany, 1966), p. 361, Academic Press, New York, 1968.
[5] T. Gallai, "Critical graphs," in Theory of Graphs and its Applications (Proc. Sympos. Smolenice, 1963), Publ. House Czechoslovak Acad. Sci., pp. 43-45, Prague, 1964.
[6] K. Kawarabayashi, A. Pedersen, B. Toft, "Double-critical graphs and complete minors," 2008. [Online]. Available: http://arxiv.org/PS_cache/arxiv/pdf/0810/0810.3133v1.pdf. [Accessed: Dec. 11, 2009].
[7] Matej Stehlik, Critical Graphs, Ph.D. Thesis, University of London, 2003.
[8] M. Stiebitz, "K5 is the only double-critical 5-chromatic graph," Discrete Math., 64, pp. 91-93, 1987.

Authors Profile

Basheer Ahamed M received the Ph.D. degree in Mathematics from Bharathidasan University in 2005. He is working as Associate Professor of Mathematics at Karunya University, Coimbatore, INDIA.

Bagyam I received the M.Sc. degree in Mathematics from the University of Madras in 2009. She is doing research in Mathematics at Karunya University.


A Modified Feistel Cipher Involving Modular Arithmetic and Interlacing

V. U. K. Sastry1, D. S. R. Murthy2, S. Durga Bhavani3

Dept. of Computer Science & Engg., SNIST, Hyderabad, India, [email protected]

Dept. of Information Technology, SNIST, Hyderabad, India,

[email protected]

3School of Information Technology, JNTUH, Hyderabad, India, [email protected]

Abstract: In this paper, we have developed a block cipher with a Feistel structure. The plain text consists of 256 bits and the key contains 128 bits. The process of encryption is carried out by using modular arithmetic and by interlacing the plain text at various rounds of the iterative process. The avalanche effect and the cryptanalysis indicate that the cipher is a strong one and is resistant to the cryptanalytic attacks considered.

Keywords: Feistel Cipher, Modular arithmetic, Interlacing, avalanche effect, Cryptanalysis, Encryption and Decryption.

1. Introduction In a pioneering paper, sometime before the development of DES [1, 2], Feistel [3, 4] developed a block cipher which involves an iterative procedure including 16 iterations. In this, the plain text contains 2w binary bits. The procedure for encryption is governed by the relations

P0 = the left w bits of the plain text, Q0 = the right w bits of the plain text, (1) and

Pi = Qi-1, Qi = Pi-1 ⊕ F(Qi-1, Ki), for i = 1 to 16. (2)

Here, Ki is the key in the ith round of the iterative process occurring in the analysis; P and Q stand for the left and right halves of the plain text, and ⊕ denotes the XOR operation. The process of decryption is governed by the relations

Qi-1 = Pi, Pi-1 = Qi ⊕ F(Pi, Ki), for i = 16 to 1, (3)

and the initial conditions are taken from the cipher text obtained at the end of the encryption.
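As a concrete illustration of relations (2) and (3), the following Python sketch runs the generic Feistel iteration with a placeholder round function F (the constant and the choice of F are ours, purely for illustration; any keyed function works, because the structure, not F, guarantees invertibility).

```python
def F(half: int, round_key: int, w: int = 32) -> int:
    """Placeholder round function; any keyed mixing of a w-bit half fits relation (2)."""
    return ((half * 0x9E3779B1) ^ round_key) & ((1 << w) - 1)

def feistel_encrypt(P0: int, Q0: int, keys, w: int = 32):
    P, Q = P0, Q0
    for K in keys:                       # relation (2), i = 1 .. 16
        P, Q = Q, P ^ F(Q, K, w)
    return P, Q

def feistel_decrypt(Pn: int, Qn: int, keys, w: int = 32):
    P, Q = Pn, Qn
    for K in reversed(keys):             # relation (3), i = 16 .. 1
        P, Q = Q ^ F(P, K, w), P
    return P, Q

keys = list(range(1, 17))                # 16 illustrative round keys
C = feistel_encrypt(0x12345678, 0x9ABCDEF0, keys)
assert feistel_decrypt(*C, keys) == (0x12345678, 0x9ABCDEF0)
```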

Though this process involves interchanging the modified text from left to right, operating with the key Ki, and a number of rounds in the iterative process, the cipher was found to be a weak one and was broken by several researchers [5].

In the present paper, our objective is to modify the Feistel cipher by taking the length of the plain text as 8m bytes (each byte can be represented by a decimal number lying in the interval 0 to 255) and operating on each 2m bytes simultaneously by adopting the Feistel approach. A square key matrix K of size m is associated separately with each 2m bytes as a multiplicand, and mod 256 is applied

appropriately. At the end of each round of the iteration, the resulting binary strings are interlaced in an appropriate manner. This process is expected to enhance the strength of the cipher enormously.

In what follows, we mention the plan of the paper. We discuss the development of the cipher, and design the algorithms for encryption and decryption in section 2. Then we illustrate the cipher with an example in section 3. After that we perform cryptanalysis in section 4. Finally, we present numerical computations and draw conclusions in section 5.

2. Development of the cipher Consider a plaintext P containing 8m characters. On using EBCDIC code, we have 8m decimal numbers (8m bytes). This can be divided into four parts wherein each one contains 2m decimal numbers. Then each substring is further divided into two parts. Let the left and right parts of the first substring be denoted as P0 and Q0. In a similar manner, let the portions of the other substrings be denoted as R0, S0, T0, U0, and V0, W0 respectively. Here, P0, Q0, …, W0 are vectors wherein each one is having m components. Let K be a square key matrix of size m.

In this analysis, following Feistel, the processes of encryption and decryption can be described by the relations

Pi = Qi-1, Qi = Pi-1 ⊕ (Qi-1 K) mod 256, for i = 1 to n,

(4) and

Qi-1 = Pi, Pi-1 = Qi ⊕ (Pi K) mod 256, for i = n to 1.

(5) In writing these relations, the function F in (2) is assumed to take a particular form. Similar relations can be written for (Ri, Si), (Ti, Ui), and

(Vi, Wi). At the end of each round, after obtaining all the eight quantities, Pi, Qi, Ri, Si, Ti, Ui, Vi, and Wi, the binary bits of all the strings can be interlaced (by a procedure which is described later) and hence the new Pi, Qi, …, Wi can be obtained.
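To make relations (4) and (5) concrete, here is a small sketch (with an illustrative 4 × 4 key matrix and byte values of our own choosing; it omits the interlacing step) that performs one forward and one backward round on a pair (P, Q) of m = 4 bytes and checks that they invert each other.

```python
import numpy as np

def round_forward(P, Q, K):
    """One round of relation (4): Pi = Qi-1, Qi = Pi-1 XOR (Qi-1 K) mod 256."""
    P = np.asarray(P, dtype=np.uint8)
    Q = np.asarray(Q, dtype=np.uint8)
    mixed = (Q.astype(np.int64) @ K) % 256        # (Qi-1 K) mod 256
    return Q, P ^ mixed.astype(np.uint8)

def round_backward(P_i, Q_i, K):
    """One round of relation (5): Qi-1 = Pi, Pi-1 = Qi XOR (Pi K) mod 256."""
    P_i = np.asarray(P_i, dtype=np.uint8)
    Q_i = np.asarray(Q_i, dtype=np.uint8)
    mixed = (P_i.astype(np.int64) @ K) % 256
    return Q_i ^ mixed.astype(np.uint8), P_i

# m = 4: each half holds 4 bytes; the key matrix values are illustrative only.
K = np.array([[12, 45, 78,   3],
              [56, 126, 90, 11],
              [ 7, 33, 64, 200],
              [99, 18,  5,  71]], dtype=np.int64)
P0 = [196, 133, 129, 153]          # example bytes (illustrative)
Q0 = [ 64, 130, 153, 150]

P1, Q1 = round_forward(P0, Q0, K)
P0b, Q0b = round_backward(P1, Q1, K)
assert P0b.tolist() == P0 and Q0b.tolist() == Q0   # a single round inverts correctly
```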

The flow charts for encryption and decryption are presented in Fig. 1.


Figure 1. Schematic Diagram of the Cipher

Let us now describe the process of interlacing. As we

have m decimal numbers in each part, Pi, Qi, …, Wi, we can represent them in the form of a matrix, containing binary bits, as shown below.

(6) In the process of interlacing, we associate the binary

bits given above, in a column wise manner. Thus we get the new Pi as the first m columns of the matrix in (6), the new Qi as the next m columns of the matrix in (6), and so on. For example,

(7) In a similar manner, we can obtain Qi to Wi.

Let us illustrate the above process by considering a simple example. Let

(8) This can be written in the binary form as shown below.

(9) Now on interlacing, we get the new Pi to Wi as follows.

(10) Here, the first row contains the first four columns of (9),

the second row contains the next four columns of (9) and so on. Thus we get

(11) This completes the process of interlacing. It may be noted here that inverse interlacing is the reverse process of interlacing. In what follows, we present the algorithms for encryption and decryption.
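Since the matrices (6)-(11) are not reproduced above, the exact layout of the interlacing step is not fully specified here. Before the algorithm listings, the following sketch gives one plausible reading of the description, under our own assumptions: stack the eight parts as rows of an 8 × 8m bit matrix, associate the bits column-wise, and let the new i-th part be the i-th group of m bit-columns. The check only exercises the property that matters for decryption, namely that inverse interlacing undoes interlacing; all names and the m = 4 example are ours.

```python
import numpy as np

def to_bits(parts):
    """Stack the 8 parts (each m bytes) as rows of an 8 x 8m bit matrix."""
    return np.array([np.unpackbits(np.array(p, dtype=np.uint8)) for p in parts])

def from_bits(bit_matrix):
    """Pack each row of 8m bits back into a part of m bytes."""
    return [[int(b) for b in np.packbits(row)] for row in bit_matrix]

def interlace(parts):
    m = len(parts[0])
    bits = to_bits(parts)                         # shape (8, 8m)
    cols = bits.T                                 # column-wise association of the bits
    return from_bits(cols.reshape(8, 8 * m))      # new part i = i-th group of m columns

def inverse_interlace(parts):
    m = len(parts[0])
    bits = to_bits(parts)                         # shape (8, 8m)
    cols = bits.reshape(8 * m, 8)                 # recover the original columns
    return from_bits(cols.T)                      # transpose back to the original rows

parts = [[16 * i + j for j in range(4)] for i in range(8)]   # P, Q, ..., W with m = 4
assert inverse_interlace(interlace(parts)) == parts
```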

encryption, and decryption.

Algorithm for Encryption

Algorithm for Decryption


3. Illustration of the cipher Consider the plain text given below.

“Dear brother! I have passed my B. Tech (ECE) with distinction. All this is due to the scholarship sanctioned by our Government. Now I want to enter into politics” (12)

Let us focus our attention on the first 32 characters. This is given by

“Dear brother! I have passed my B” (13) On using EBCDIC code, (13) can be written in the form

(14) Let us consider a square key matrix K of size 4. We

have

(15)

On using (14) and (15) and applying the encryption algorithm, given in section 2, with n = 16, we get the cipher text C in the form

(16) On applying the decryption algorithm (See Section 2),

we get back the original plain text given by (13). Now, let us study the avalanche effect for determining

the strength of the algorithm. Let us change the 24th character ‘s’ to ‘t’ in (13). Due to this, 162 in (14) becomes 163 and hence, the P0 undergoes a change of 1 binary bit. Thus the entire plain text comprising P0 to W0 also undergoes a change of 1 binary bit. Now, on applying the encryption algorithm on the modified plain text, we get

(17) On comparing the cipher texts given by (16) and (17),

after converting them into binary form, we find that they differ by 130 bits. As a change of 1 bit in the plain text leads to a change of 130 bits (out of 256 bits) in the cipher text, we notice that the cipher is a strong one.
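The bit-level comparison used here is easy to reproduce; a small helper (the names are ours) that counts differing bits between two equal-length cipher texts is:

```python
def bit_difference(c1: bytes, c2: bytes) -> int:
    """Number of bit positions in which the two cipher texts differ."""
    return sum(bin(a ^ b).count("1") for a, b in zip(c1, c2))

# e.g. bit_difference(cipher_original, cipher_modified) would report 130 in this experiment.
```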

Now let us consider the effect of changing the key by one binary bit. This can be done by replacing 126 (the 2nd row 2nd column element of the key) by 127. Now on applying the process of encryption on the original plain text (14), we get the new C given by

(18) On comparing the cipher text C given in (16) and (18),

we notice that they differ by 138 bits (out of 256 bits). This also shows that the cipher is a strong one.

4. Cryptanalysis In the study of cryptography [6], the well known methods for cryptanalysis are:
1. Cipher text only (brute-force) attack
2. Known plain text attack
3. Chosen plain text attack
4. Chosen cipher text attack
In all these attacks, it is assumed that the encryption algorithm and the cipher text are known to the attacker.

In the brute-force attack, as the key contains 128 binary bits, the size of the key space is

2^128 = (2^10)^12.8 ≈ 10^38.4

If we assume that the process of encryption with each key requires 10^-7 seconds, then the time required for the computation with all possible keys can be estimated as follows.
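Spelling out this estimate (taking 10^-7 s per key trial from the text, and roughly 3.15 × 10^7 seconds per year):

\[
2^{128} \approx 3.4 \times 10^{38}, \qquad
3.4 \times 10^{38} \times 10^{-7}\,\mathrm{s} = 3.4 \times 10^{31}\,\mathrm{s} \approx 1.1 \times 10^{24}\ \mathrm{years}.
\]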

As this computation would take an astronomically long time, the brute-force attack is infeasible. Let us now study the known plain text attack. In this case, we have as many plain text and cipher text pairs as we require. Here, in carrying out the encryption process, as the m decimal numbers in each half of each 2m-byte block are multiplied by the key matrix, and as the portions of the modified plain text are interlaced at the end of each round of the iterative process, the key K cannot be readily determined.

In the last two cases, that is, in the chosen plain text attack and in the chosen cipher text attack, intuitively no special choice appears as a possible one, as the process of encryption is a complex one.

In the light of the above analysis, we conclude that the cipher is resistant to the attacks considered.

5. Computations and Conclusions In this paper, we have developed a block cipher by using a Feistel structure. In this, we have taken a plain text of length 256 binary bits and made use of a key K containing 128 bits. The programs for encryption and decryption are written in C language.

On adopting the procedure discussed in section 3, the cipher text corresponding to the rest of the plain text (which can be divided into four parts) can be obtained as

The avalanche effect mentioned in section 3 and the

cryptanalysis discussed in section 4 indicate that the cipher is a strong one and is resistant to the cryptanalytic attacks considered.

References [1] William Stallings, Cryptography and Network Security,

Principles and Practice, Third Edition, Pearson, 2003. [2] Schaefer, E., “A Simplified Data Encryption Standard

Algorithm”, Cryptologia, Jan 1996. [3] H. Feistel, “Cryptography and Computer Privacy”,

Scientific American, May 1973. [4] Feistel, H., Notz, W., and Smith, J., “Some

Cryptographic Techniques for Machine-to-Machine Data Communications”, Proceedings of the IEEE, Nov. 1975.

[5] R. C. W. Phan, and Mohammed Umar Siddiqi, “A Framework for Describing Block Cipher Cryptanalysis”, IEEE Transactions on Computers, Vol. 55, No. 11, pp. 1402 – 1409, Nov. 2006.

[6] D Denning, “Cryptography and Data Security”, Addison-Wesley, 1982.


A Graph-based Testing of UML2 Sequence Diagram

Yujian Fu1 and Sha Li2

1Alabama A&M University, Department of Computer Science

Normal AL, 35762 USA [email protected]

2Alabama A&M University, Department of Education

Normal AL, 35762 USA [email protected]

Abstract: Correct functioning of object-oriented software systems depends upon the successful interaction of objects and classes. While individual classes may function correctly, several new faults can arise when these classes are integrated together. The interaction among classes has dramatically increased the difficulty of object-oriented testing. Traditional approaches that generate testing paths from source code or UML 1.x diagrams lack analysis support and hinder the automation of test case generation. In this paper, we present an integrated approach to enhance the testing of interactions among classes. The approach combines UML2 sequence diagrams and statecharts hierarchically and generates test paths based on a message flow graph. We have applied it to a case study to investigate its fault detection capability. The results show that the proposed approach effectively detects all the seeded faults. As a result, this work provides a solid foundation for further research on automatic test case generation and coverage criteria analysis for sequence-diagram-based object-oriented testing.

Keywords: Software testing, UML model, sequence diagram, statecharts diagram.

1. Introduction Nowadays, the object-oriented paradigm has become a popular technology in modern software industry due to several distinguishing features, such as encapsulation, abstraction, and reusability, which improve the quality of software. However, along with the development of object-oriented software, and compared to the testing of procedural software [10, 4], OO features also introduce new challenges for testers: communications and interactions between objects may give rise to subtle errors that could be hard to detect. Although most traditional unit testing and system testing techniques may also be applicable to object-oriented testing, there is still a great difference between testing procedural software and testing object-oriented software, since object communication and interaction may introduce more complicated and unforeseen situations. Therefore, it is necessary to explore new and effective object-oriented testing techniques in theory and practice.

The Unified Modeling Language (UML) has emerged as the de facto standard for analysis and design of OO systems. UML provides a variety of diagramming notations for capturing design information from different perspectives.

In recent years, researchers have realized the potential of

UML models as a source of information in software testing [1, 5, 6, 7, 9, 12, 15, 19, 21, 24, 27, 26, 28, 14]. Many UML design artifacts have been used in different ways to perform different kinds of testing. For instance, UML statecharts have been used to perform unit testing, and interaction diagrams (collaboration and sequence diagrams) have been used to test class interactions.

As the major benefit of object oriented programming, encapsulation aims at modularizing a group of related functionalities in classes. However, a complete system-level functionality (use case) is usually implemented through the interaction of objects. Typically, the complexity of an OO system lies in its object interactions, not within class methods which tend to be small and simple. As a result, complex behaviors are observed when related classes are integrated and several kinds of faults can arise during integration: interface faults, conflicting functions, and missing functions [4]. Thus testing each class independently does not eliminate the need for integration testing. A large number of possible interactions between collaborating classes may need to be tested to ensure the correct communication among classes and further functionality of the system.

More and more software developers use UML and associated visual modeling tools as a basis to design and implement their applications. In addition, the UML sequence diagram is widely used for specifying the dynamic behaviors of classes and contains the necessary information about object communications in terms of object life lines, which makes it well suited to object-oriented software testing. Therefore, in the research reported in this paper, UML sequence diagrams are used as a basis to generate a message flow graph (MFG) hierarchically. Firstly, we discuss an approach to generate a hierarchical MFG based on the sequence and state-chart diagrams of the corresponding objects. After that, a verification method is provided for the coverage criteria.

The remainder of the paper is organized as follows. Section 3 presents a brief survey of the related work in the areas of state-based testing and UML-based test path generation. A description of the classification with respect to UML2 diagrams is given in Section 2. Section 4 presents an approach to generate hierarchical message-flow-graph-based test cases. This approach can also derive independent testing paths. A case study of a web-based information system is illustrated


in Section 5. Conclusive remarks and future work are, finally, indicated in Section 6.

2. Related Works Traditional testing strategies for procedural programs, such as data flow analysis and control flow analysis cannot be directly applied to OO programs [22]. Extensions of these techniques for OO programs have been proposed by Buy et al. [9] and Martena et al. [25]. A structural test case generation strategy by Buy et al. [8] generates test cases through symbolic execution and automates deduction for the data flow analysis of a class. Kung et al. [20] proposed an idea to extract state models from the source code, whereas others suggest test generations from pre-existing state-models [12, 13, 29]. In the sections below, we will discuss more specific UML-based testing techniques.

Tse and Xu [30] have proposed an approach to derive test cases from Object Test Models (OTM). State space partitions of the attributes of a class are used with the OTM to generate a test tree. The actual test cases are derived from the test tree. Nori and Sreenivas [26] have proposed a specification-based testing technique that splits the specifications of a class into structural and behavioral components. Structural aspects define the attributes and method specifications of a class, whereas state machine is used to defined the behavioral component that describes the sequence of method invocation. In the work of [12, 28], an idea of converting test generation into an AI planning problem was proposed. UML statecharts are processed by planning tools and used to produce AI planning specifications. The test cases are generated based on the processed statecharts. Another example of statecharts based test case generation technique was proposed by Kim et al. [18]. These statecharts are transformed to Extended Finite State Machines (EFSMs) to generate test cases and then use traditional control and data flow analysis on the generated test cases.

Several state-based approaches were proposed based on state-chart or finite state machine. In the work of [23], Li et al. presented an approach to testing specific properties of reactive systems. Kim et al. [17] used statecharts to generate test sequences for Java-based concurrent systems. Kansomkeat and Rivepiboon [16] have converted UML statecharts into an intermediate model known as Testing Flow Graph (TFG). This graph reduces complexities of statecharts and produces a simple flow graph. Test cases are finally generated by traversing the TFG using state and transition coverage criteria. The proposed methodology was evaluated using mutation testing. Results of an experiment carried out to validate the application of Round Trip Test Strategy [4] on UML statecharts are presented in Briand et al. [6]. Authors also propose improvements on the strategy based on the analysis of these results. Swain et al. has proposed a method of statecharts and activity model based testing technique by constructing an intermediate model named state-activity diagram (SAD) [29]. Besides, some recent work [11] was proposed using formalization on the statechart diagram to perform model-based testing. In the work of [3] a semantic model is proposed using the labeled

transition system. The formalization of model based testing represents a new trend of state based testing.

Although much work has been done on OO testing of sequence diagrams and statechart diagrams, this work differs from the above unit-level testing in two aspects. First, this work presents a hierarchical synthesized approach to sequence diagram testing using a message flow graph (MFG). The proposed MFG is generated from the statechart that supports message generation in the sequence diagram. Secondly, the hierarchical structure provides a novel graph-based testing technique for OO program validation.

3. Graph based Testing Approach The run-time behavior of an object-oriented system is modeled by well-defined sequences of messages passed among collaborating objects. In the context of UML, this is usually modeled as interaction diagrams (sequence and/or collaboration diagrams). In many cases, the states of the objects sending and receiving a message at the time of message passing strongly influence their behavior in the following aspects:

• An object receiving a message can provide different functionalities in different states.

• Certain functionalities may even be variable or unavailable if the receiving object is not in the correct state.

• The functionality of the providing object may also depend on the states of other objects, including the sending object of a message.

In this work, a graph-based testing technique is proposed, which is based on the idea that the communication between objects (represented by the sequence diagram) should ideally be exercised for all possible states of the objects involved (statechart diagrams). This is of particular importance in the context of OO software, as many classes exhibit interaction state-dependent behavior. This testing objective is implemented by generating testing paths on a message flow graph (MFG) according to the defined coverage criteria. The proposed technique can be applied during the integration test phase, right after the completion of class testing. It consists of the following three steps:

1. Message Flow Graph (MFG) Generation: We investigate the sequence diagram of the (sub)system and generate the corresponding MFG following the MFG generation algorithm (discussed in the following section).

2. Hierarchical Testing Path Generation: Based on the MFG of the sequence diagram, for each object of concern, we refer to the state-chart diagram and generate a sub-MFG for the corresponding node of the MFG.

3. Coverage Criteria: We test the sequence diagram against the coverage criteria that we defined.

In the following sub-sections, we describe the proposed testing technique in greater detail with the help of a simple example.


3.3 Definitions First, we introduce message flow graph generation. One of the basic forms of communication among objects is message passing. In a sequence diagram, we represent all communications as messages. Based on the sequence diagram and each object's behavior (state-chart diagram), we can build a message flow graph (MFG).

In this work, a message may be an object, an expression, a primary variable, or another specific term defined in UML2. For instance, a message can be Students = new Student(), which indicates that an object is instantiated. An arithmetic expression z = x+y, a variable double salary, or a stereotype << create >> can be a message. Therefore, in this work, the term message refers to any legal statement that is allowed to be used in sequence diagrams and state-chart diagrams in UML2.

Next, we define the Message Flow Graph (MFG) that will be used in the description of our methodology.

Figure 1. Example of Message Flow Graph.

Definition 1 (Message Flow Graph (MFG)) A Message Flow Graph (MFG) is defined as a directed graph (N, E, L, I), where

• N is a set of nodes, which represent a set of messages that connect objects in the sequence diagram, denoted by circles.

• E is a set of edges, which represent flow direction between objects, and are denoted by arrows.

• L is a label function that maps each node and edge to a set of terms (alphabets (constants and variables) and expressions on alphabets), and

• I is a set of initial nodes that indicate the starting points of the program.

Each node represents a message, which can be a data item (parameter or argument), a method call, a memory reference, or plain text. Each edge represents the dependency relation between two nodes and is denoted by (N1, N2), where N1 and N2 are two nodes. The direction of the edge (N1, N2) is from node N1 to node N2. The direction shows the dependency of a given node on others. For example, given the MFG G in Fig. 1, edge (N1, N2) ∉ G, while edge (N0, N2) ∈ G.

We define dependency path as follows.

Definition 2 (Dependency Path (DP)) Given an MFG G = <N, E, L, I>, a dependency path (DPi) in G from node ni to node nj is defined as a sequence of connected acyclic nodes from node ni to node nj in G. For any node nk ∈ G with nk ∉ DPi, there does not exist a dependency path DPi' such that nk ∈ DPi' and DPi ⊆ DPi'.

In Fig. 1, N0, N1, N5, N7, N8 is a DP. To generate test cases, our purpose is to find enough independent dependency paths (DPs) from a complete MFG.

Definition 3 (Independent Dependency Path (IDP))

Given an MFG G = <N, E, L, I>, two dependency paths (DPi, DPj ⊆ G) are independent of each other iff there is at least one node (ni) in one DP (DPi) that is not covered by the other DP (DPj), i.e. ni ∈ DPi ∧ ni ∉ DPj, where ni ∈ G and DPi, DPj ⊆ G.

To identify IDPs, a key issue is to find the predicate nodes, since a predicate node is usually the one that splits the program into branches. Here we define a predicate node as follows.

Definition 4 (Predicate Node) Any boolean condition that needs to be evaluated can be represented by a predicate node. A predicate node is associated with more than one edge, and these edges have a logical relation.

Graphically, a predicate node is denoted by a box, and any regular node by a circle. In Fig. 1, node N2 is a predicate node, and the others are regular nodes. Predicate nodes take the program to multiple paths and act as the key nodes of program branches. Predicate nodes are usually shared by more than one dependency path. For example, in Fig. 1, N0, N2, N3, N5, N7, N8 and N0, N2, N4, N6 are two IDPs with respect to predicate node N2.
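The following Python sketch mirrors Definitions 1-3 on a small made-up graph (the node names and edge set are illustrative only and are not taken from Fig. 1): it enumerates maximal acyclic paths from the initial nodes and checks pairwise independence.

```python
from itertools import combinations

class MFG:
    """Minimal MFG per Definition 1: nodes, directed edges, labels, initial nodes."""
    def __init__(self, nodes, edges, labels=None, initial=None):
        self.nodes = set(nodes)
        self.edges = set(edges)
        self.labels = labels or {}
        self.initial = set(initial or [])
        self.succ = {n: [] for n in self.nodes}
        for u, v in self.edges:
            self.succ[u].append(v)

    def dependency_paths(self):
        """All maximal acyclic paths starting from an initial node (Definition 2)."""
        paths = []

        def walk(path):
            nxt = [v for v in self.succ[path[-1]] if v not in path]
            if not nxt:
                paths.append(tuple(path))
            for v in nxt:
                walk(path + [v])

        for n in self.initial:
            walk([n])
        return paths

def independent(dp_i, dp_j):
    """Definition 3: DP_i contains at least one node not covered by DP_j."""
    return bool(set(dp_i) - set(dp_j))

g = MFG(nodes=["N0", "N1", "N2", "N3", "N4"],
        edges=[("N0", "N1"), ("N0", "N2"), ("N2", "N3"), ("N2", "N4")],
        initial=["N0"])
dps = g.dependency_paths()
idps = [(p, q) for p, q in combinations(dps, 2) if independent(p, q)]
print(dps)    # three paths, e.g. ('N0','N1'), ('N0','N2','N3'), ('N0','N2','N4')
print(idps)
```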

3.4 MFG generation This is a systematic approach to generate test cases based on UML2 sequence diagrams. Given any sequence diagram SD in UML2, we have the following two main steps, in pseudocode form. Subsequently, this method is explained using an example.

1. First, for any message labeled in SD, we generate a node by following the life line of each object. Each node is affiliated with its owner (object), and we use dot notation to denote the ownership relation.

2. For a message mi that involves internal state transitions (such as method invocation, object creation, and other actions), we generate a sub-MFG for the node (mi).

Therefore, each node may be hierarchically represented by a set of nodes and edges that form an MFG. By traversing this MFG, we can tell whether the message mi causes a state transition of the object. In addition, we can tell whether message mi+1 is the one that follows message mi in the object's execution. This approach connects black-box testing at the inter-class level with white-box testing at the intra-class level. The advantage is that, when an error is detected, we can tell not only whether a message was passed properly, but also what inside the object caused the message not to be passed properly.

For example, in Fig. 1, assume node N6 involves a series of state transitions; then we can generate a sub-MFG GN6

for it (Fig. 2).


Figure 2. A hierarchical structure of the MFG shown in Figure 1.

Definition 5 (MFG of Sequence Diagram (SD)) Let a sequence diagram SD be defined as SD = <O, M, Ix>, where O is the set of objects, M is the message set of a class instance, and Ix is the set of indices of all messages in SD. Let G be the message flow graph of the sequence diagram (SD), where GSD = <N, E, L, I> and

• N is the set of all the observable messages mi of the set M, where mi ∈ M;

• E is the set of message communication sequences; e.g., if there are messages mi ∈ M and mi+1 ∈ M, the corresponding nodes ni, ni+1 ∈ N form an edge <ni, ni+1>;

• L is the set of message identifiers or pseudo code;

• I is the set of initial nodes ninit, where init ∈ Ix and ∀i ∈ Ix, init ≤ i.

It is worth noting that the MFG is generated from the messages passed among objects. The hierarchical sub-MFG is generated from the state-chart diagram, so the question is how to identify the messages in the state-chart diagram. To solve this problem, we extend the notion of message used in the MFG to include states. Therefore, we can extend the above two-step generation algorithm to the state-chart diagram by the following steps:

1. Generate a node in the subset MFG for each state in the state-chart diagram.

2. Generate a predicate node for each evaluation condition defined in the label of a transition.

3. Generate an edge for each transition between two states.

4. Generate a label for each transition label.

We first generate the MFG in SD; then, for some messages (m ∈ M and M ∈ SD), we refer to SC and generate the MFG in SC. Let the algorithm of MFG generation in SD be generateMFGSD, and the algorithm of MFG generation in SC be generateMFGSC. The algorithms are shown in the following.
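The actual pseudocode listings for generateMFGSD and generateMFGSC are not reproduced here, so the sketch below is only our reading of the two numbered steps above (and of the state-chart extension); the Message structure, its field names, and the example messages are assumptions, not the authors' code.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    owner: str                                     # owning object (dot notation: owner.name)
    name: str
    states: list = field(default_factory=list)     # state-chart states triggered, if any

def generate_mfg_sd(messages):
    """Step 1: one node per message, with edges following the life-line order."""
    nodes = [f"{m.owner}.{m.name}" for m in messages]
    edges = [(nodes[i], nodes[i + 1]) for i in range(len(nodes) - 1)]
    return nodes, edges

def generate_mfg_sc(message):
    """Step 2: expand a message that causes state transitions into a sub-MFG
    (one node per state, one edge per transition; guard conditions omitted here)."""
    sub_nodes = [f"{message.owner}.{s}" for s in message.states]
    sub_edges = [(sub_nodes[i], sub_nodes[i + 1]) for i in range(len(sub_nodes) - 1)]
    return sub_nodes, sub_edges

def generate_hierarchical_mfg(messages):
    nodes, edges = generate_mfg_sd(messages)
    hierarchy = {}
    for node, m in zip(nodes, messages):
        if m.states:                               # message involves internal transitions
            hierarchy[node] = generate_mfg_sc(m)
    return nodes, edges, hierarchy

msgs = [Message("Student", "create"),
        Message("Registrar", "enroll", ["Idle", "Validating", "Enrolled"])]
print(generate_hierarchical_mfg(msgs))
```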

Generation of Predicate Node in Sequence Diagram:

Any fragment in a sequence diagram (of UML2) can generate a predicate node whose condition evaluates to a boolean value. The fragment with the condition forms a predicate node. Each predicate node can cause more than one execution branch. Corresponding to the fragments of UML2 sequence diagrams, therefore, we have three types of predicate nodes:

Figure 3. MFG predicate node of optional fragment.

1. Alternative predicate node: for an ALT fragment, we have an alternative predicate node which takes the program to two different paths depending on whether the condition is satisfied.

2. Loop predicate node: for a LOOP fragment, we have an iteration predicate node with regard to the condition. The predicate node takes the program to a certain path when the condition is met. Otherwise, the predicate node takes the program to a node outside the iteration.

3. Optional predicate node: for an OPT fragment, a condition is defined. If the condition evaluates to true, the optional part is executed; otherwise, the optional fragment is skipped. A predicate node of an MFG is shown in Fig. 3.

In addition, we have predicate nodes for the state-chart diagram. A predicate node is generated whenever there is a guard condition labeled on a transition or a state action. Similarly, the predicate node indicates different execution paths inside the object, depending on the evaluation of the condition.

3.5 Testing Path Generation As discussed above, generating atomic independent message dependency paths is the essential element of integration testing. As a compound message dependency path is related to both the sequence diagram and the statechart diagram, the generation of message dependency paths requires parsing both sequence and statechart diagrams. In this work, we


define both sequence and statechart diagrams in XML format so that they can easily be read and analyzed.

In order to solve the generation problem precisely, we make two assumptions as follows.

The UML statechart diagram here is deterministic, consistent, and self-contained. There are no sub-states, nested states or concurrent states. Only message events are taken into account.

The message dependency path here is based on the life-line order and on the mapping relationship between the messages in the sequence diagram and the actions in the state-chart diagram.

Let M be the message set of a class instance, Gm be the set of guard conditions with respect to message m (m ∈ M), and p be an independent MDP with respect to message m.

Generating atomic message dependency paths from the UML sequence and state-chart diagrams comprises the following steps:

• Extract information from the UML sequence and statechart diagrams, and create a message connecting table.

• Identify message dependency paths from the sequence diagram and the message response table.

• Generate a hierarchical MFG based on the message connecting table and the diagrams.

• Generate a set of independent message dependency paths from the MFG.

For any sequence diagram, a top-level message flow graph (MFG) can be generated if we assume there is no internal investigation of any object. However, if we need to traverse the internal states for some message of some object, the MFG will be hierarchical. For example, in Fig. 2, there are 5 IDPs considering the hierarchical representation of node N6.

6. Conclusion and Future Work In this paper, we have presented a new strategy for class integration testing that is based on a hierarchical approach: it combines information from sequence diagrams and statechart diagrams and converts this information into a directed flow graph based on message communication (the MFG). The motivation is to exercise class interactions in the context of multiple state combinations in order to detect program faults. Therefore, it takes into account the messages of all objects involved in a communication to exercise class interactions in the context of integration testing. For instance, if the functionality provided by an object depends on the messages of other objects, then the proposed technique can effectively detect faults occurring due to invalid object messages.

Acknowledgment

The authors would like to thank all reviewers for their kind comments and valuable suggestions.

References [1] A. Abdurazik and J. Offutt. Using UML collaboration diagrams for static checking and test generation. Pages 383–395. Springer, 2000.

[2] J. H. Andrews. Is mutation an appropriate tool for testing experiments? In ICSE '05: Proceedings of the 27th International Conference on Software Engineering, pages 402–411. ACM Press, 2005.

[3] H. R. Asaadi, R. Khosravi, M. Mousavi, and N. Noroozi. Towards Model-Based Testing of Electronic Funds Transfer Systems, May 2010.

[4] R. V. Binder. Testing Object-Oriented Systems: Models, Patterns, and Tools. Addison-Wesley Professional, November 1999.

[5] K. Bogdanov. Automated Testing of Harel's statecharts. PhD thesis, University of Sheffield, 2000.

[6] L. C. Briand, M. Di Penta, and Y. Labiche. Assessing and improving state-based class testing: A series of experiments. IEEE Trans. Softw. Eng., 30(11):770–793, 2004.

[7] L. C. Briand and Y. Labiche. A uml-based approach to system testing. In UML’01: Proceedings of the 4th International Conference on The Unified Modeling Language, Modeling Languages, Concepts, and Tools, pages 194–208, London, UK, 2001. Springer-Verlag.

[8] U. Buy, A. Orso, and M. Pezzè. Automated testing of classes. In Proceedings of the International Symposium on Software Testing and Analysis, pages 39–48, New York, NY, USA, 2000. ACM Press.

[10] W. K. Chan, T. Y. Chen, and T. H. Tse. An overview of integration testing techniques for object-oriented programs. In Proceedings of the 2nd ACIS Annual International Conference on Computer and Information Science (ICIS 2002), pages 696–701. 2002.

[11] V. A. de Santiago Junior, M. Cristia, and N. L. Vijaykumar. Model based test case generation using statecharts and Z: A comparison and a combined approach. Technical Report INPE-16677-RPQ-850, 2010.

[12] P. Frohlich and J. Link. Automated test case generation from dynamic models. In ECOOP ’00: Proceedings of the 14th European Conference on Object-Oriented Programming, pages 472–492, London, UK, 2000. Springer-Verlag.

[13] L. Gallagher, J. Offutt, and A. Cincotta. Integration testing of object-oriented components using finite state machines: Research articles. Softw. Test. Verif. Reliab., 16(4):215–266, 2006.

[14] Hartman and K. Nagin. The agedis tools for model based testing. SIGSOFT Softw. Eng. Notes, 29(4):129–132, 2004.

[15] J. Hartmann, C. Imoberdorf, and M. Meisinger. UML-based integration testing. In ISSTA’00: Proceedings of the 2000 ACM SIGSOFT international symposium on Software testing and


analysis, pages 60–70, New York, NY, USA, 2000. ACM.

[16] S. Kansomkeat and W. Rivepiboon. Automated-generating test case using uml statechart diagrams. In SAICSIT ’03: Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology, pages 296–300, , Republic of South Africa, 2003. South African Institute for Computer Scientists and Information Technologists.

[17] S.-K. Kim, L.Wildman, and R. Duke. A uml approach to the generation of test sequences for java-based concurrent systems. In ASWEC ’05: Proceedings of the 2005 Australian conference on Software Engineering, pages 100–109,Washington, DC, USA, 2005. IEEE Computer Society.

[18] Y. Kim, H. Hong, D. Bae, and S. Cha. Test cases generation from uml state diagrams. Software, IEE Proceedings, 146(4):187–192, 1999.

[19] Y. Kim, H. S. Hong, S. Cho, D. H. Bae, and S. D. Cha. Test cases generation from uml state diagrams. In In IEEE Proceedings: Software, pages 187–192, 1999.

[20] D. C. Kung, P. Hsia, Y. Toyoshima, C. Chen, and J. Gao. Object-oriented software testing: Some research and development. In HASE ’98: The 3rd IEEE International Symposium on High-Assurance Systems Engineering, pages 158–165, Washington, DC, USA, 1998. IEEE Computer Society.

[21] D. C. Kung, N. Suchak, J. Gao, P. Hsia, Y. Toyoshima, and C. Chen. On object state testing. In in Proceedings of Computer Software and Applications Conference, pages 222–227. IEEE Computer Society Press, 1994.

[22] D. C. Kung, N. Suchak, J. Gao, P. Hsia, Y. Toyoshima, and C. Chen. On object state testing. In in Proceedings of Computer Software and Applications Conference, pages 222–227. IEEE Computer Society Press, 1994.

[23] S. Li, J. Wang, and Z.-C. Qi. Property-oriented test generation from uml statecharts. In ASE ’04: Proceedings of the 19th IEEE international conference on Automated software engineering, pages 122–131, Washington, DC, USA, 2004. IEEE Computer Society.

[24] W. Linzhang, Y. Jiesong, Y. Xiaofeng, H. Jun, L. Xuandong, and Z. Guoliang. Generating test cases from uml activity diagram based on gray-box method. In APSEC ’04: Proceedings of the 11th Asia-Pacific Software Engineering Conference, pages 284–291, Washington, DC, USA, 2004. IEEE Computer Society.

[25] V. Martena, A. Orso, and M. Pezz´e. Interclass testing of object oriented software. In ICECCS ’02: Proceedings of the Eighth International Conference on Engineering of Complex Computer Systems, page 135, Washington, DC, USA, 2002. IEEE Computer Society.

[26] A. V. Nori and A. Sreenivas. A technique for model-based testing of classes. In Proceedings of the Second

International Workshop on Software Engineering Tools and Techniques, 2001.

[27] H. Reza, K. Ogaard, and A. Malge. A model based testing technique to test web applications using statecharts. In ITNG’08: Proceedings of the Fifth International Conference on Information Technology: New Generations, pages 183–188, Washington, DC, USA, 2008. IEEE Computer Society.

[28] M. Scheetz, A. v. Mayrhauser, R. France, E. Dahlman, and A. E. Howe. Generating test cases from an oo model with an ai planning system. In ISSRE ’99: Proceedings of the 10th International Symposium on Software Reliability Engineering, page 250, Washington, DC, USA, 1999. IEEE Computer Society.

[29] S. K. Swain, D. P. Mohapatra, and R. Mall. Test case generation based on state and activity models. Journal of Object and Technology, 9(5):1–27, 2010.

[30] T. Tse and Z. Xu. Class-level object-oriented state testing: A formal approach. Technical Report HKU CSIS Technical Report TR-95-05, Department of Computer Science, The University of Hong Kong, 1995.

[31] Q. ul-ann Farooq, M. Z. Z. Iqbal, Z. I. Malik, and M. Riebisch. A model-based regression testing approach for evolving software systems with flexible tool support. Engineering of Computer-Based Systems, IEEE International Conference on the, 0:41–49, 2010.

Authors Profile Yujian Fu is an assistant professor in the Department of Computer Science. Dr. Fu received the B.S. and M.S. degrees in Electrical Engineering from Tianjin Normal University and Nankai University in 1992 and 1997, respectively. In 2007, she received her Ph.D. degree in computer science from Florida International University. Dr. Yujian Fu conducts research in software verification, software quality assurance, runtime verification, and formal methods. Dr. Yujian Fu is a member of IEEE, ACM and ASEE.

Sha Li is an associate professor in the Department of Curriculum, Teaching and Educational Leadership, School of Education, Alabama A&M University. Dr. Sha Li received his doctoral degree in educational technology from Oklahoma State University in 2001. Sha Li's research interests include distance education, instructional technology, instructional design and multimedia for learning.


Performance Evaluation of Peer-to-Peer System in Video on Demand with Load Sharing Scheduling Algorithm

S. Nagaprasad1*, A. VinayaBabu2, K. Madhukar3, D. Marlene G Verghese4, V. Mallaiah1 and A. Sreelatha5

1Research Scholar, Dept. of CSE, Aacharya Nagarjuna University, Guntur,

1*[email protected]

2Professor, Dept. of CSE, JNTU College of Engineering, Hyderabad,

[email protected]

3Professor, Nizam College, Osmania University, Hyderabad [email protected]

4Associate Professor Bhimavaram Institute of Engineering & Technology

Pennada, West Godavari [email protected]

5Student, Dept. of CSE, JITS College of Engineering, Karimnagar,

[email protected]
Abstract: Peer-to-Peer (P2P) networks have been shown to be a promising approach to providing large-scale Video on Demand (VoD) services over the Internet, owing to their potential for high scalability. However, for a normal peer, how to efficiently schedule media data to multiple asynchronous peers for VoD services in such networks remains a major challenge. These systems dramatically reduce the server load and provide a platform for scalable content distribution, as long as there is interest in the content. The main challenges reside in ensuring that users can start watching a movie at any point in time, with small start-up times and sustainable playback rates. In this work, we address the challenges underlying the problem of near Video-on-Demand (nVoD) using P2P systems, and provide evidence that high-quality nVoD is feasible. In particular, we investigate the scheduling problem of efficiently disseminating the blocks of a video file in a P2P mesh-based system, and show that the scheduling algorithm can provide significant benefits; the experimental results show that load-sharing scheduling performs significantly better than another dynamic algorithm, network coding.

Keywords: Networks, VoD, nVoD, P2P.

1. Introduction

Video-on-demand (VoD) systems provide multimedia services offering more flexibility and convenience to users by allowing them to watch any kind of video at any point in time. Such systems are capable of delivering the requested information and responsible for providing continuous multimedia visualization [5].

Currently, the traffic generated by P2P systems accounts for a major fraction of the Internet traffic today, and is bound to increase. The increasingly large volume of P2P traffic highlights the importance of caching such traffic to reduce the cost incurred by Internet Services Providers (ISPs) and alleviate the load on the Internet backbone. We are faced with a problem of delivering quality video to a single receiver computer. In the streaming scenarios, the entire video is not always available at every peer machine and/or it would not be feasible to transmit the entire video from a single peer ,for example, that would overload a particular peer. The beauty of streaming is obviously the fact that we don’t need to have the entire video downloaded before the play out begins [6][10]. We can simply split the video file, identify the peers that have the segments of interest available, request these segments from the peers, receive them and play them out. An important requirement of a VoD service is scalability, i.e., to be able to support a large number of users, as a typical video stream imposes a heavy burden both on the network and the system resources e.g. disk I/O of the server. The multicasting paradigm has been proposed to address the scalability issues. However, these systems require a multicast-enabled infrastructure, which unfortunately has never materialized. Peer-to-Peer networks promise to provide scalable distribution solutions without infrastructure support.


The difficulty lies in the fact that users need to receive blocks “sequentially” in order to watch the movie while downloading, and, unlike streaming systems, the users may be interested in different parts of the movie, and may compete for system resources. In other words, we assume linear viewing, but we allow the users to join at arbitrary times. The resources especially network bandwidth of the server are limited, and hence users contribute their own resources to the system. Users organize themselves in an unstructured overlay mesh which resembles a random graph. The goal then is to design a P2P system which meets the VoD requirements, while maintaining a high utilization of the system resources [10]. We study algorithms that provide the users with a high-quality VoD service while ensuring a high utilization of the system resources. We evaluate our algorithm such as segment scheduling using both extensive simulations and real experiments under different user arrival/departure patterns. The results will show that load sharing scheduling algorithm will be able to improve throughput for bulk data transfer and scheduling that results in high system throughput while delivering content “pseudo sequentially”, to provide efficient VoD with small setup delays as compared to other dynamic algorithms such as Segment Scheduling and Network Coding[1][2][6]. In this paper we are implementing Scheduling which takes Segment Scheduling in which the entire video is divided into segments once the play out begins. It takes video in the form of segments, define the segments, identify the peers that have segments of interest available, request these segments from the peers , receive them and play them out. Load sharing Scheduling algorithm will improve performance by increasing sender’s bandwidth, dividing segments based on loads and the number of segments and decreasing number of missed segments. Section 2 describes Architecture of the peer to peer system with load sharing scheduling algorithm. Section 3 describes brief description of algorithm. Section 4 describes the implementation of the whole algorithm, Section 5 describes simulations and Section 6 presents our conclusion.

2. Architecture and Environment

P2P-VoD system has the following major components: (a)A set of servers as the source of content (e.g., movies); (b)A set of trackers to help peers connect to other peers to share the same content; (c) A bootstrap server to help peers to find a suitable tracker (e.g. based on which geographical region the peer is located), and to perform other bootstrapping functions;

(d)Other servers such as log servers for logging significant events for data measurement, and transit servers for helping peers in the system [11]. We assume a large number of users interested in some video content, which initially exists on a special peer that we call the server. Users arrive at random points in time, and want to watch the video sequentially from the beginning of the server are limited, and hence, users should contribute their own resources to the system. The upload and download capacities of the users are also limited and typically asymmetric. A client joins the system by contacting a central tracker. This tracker gives the client a small subset of active nodes .The client then contacts each of these nodes and joins the network. At any point in time, a node is connected to a small subset of the active nodes, and can exchange content and control messages only with them. We call this subset the neighborhood of the node.The neighborhood changes as a result of node arrivals and departures, and because nodes periodically try to find new neighbors to increase their download rates. We assume cooperative nodes. The file is divided into a number of segments, which are further divided into blocks. The system is media codec agnostic, hence, nodes need to download all blocks; if a block is not available when needed, the video pauses and this is undesirable. Clients have enough storage to keep all the blocks they have downloaded. Our system divides the constant stream of data into stripes to improve performance and robustness. In a peer-to-peer system, the stream of data is dis-rupted whenever a client leaves the system either due to a failure or a regular disconnects. Since clients receive pieces of the content from different senders, they can continue to receive some data even if one of the senders disconnects. To further hide disruption from the user, a client keeps a buffer of several seconds of data. When a client reconnects after being cut off from a sender, the buffer allows the video to play smoothly as the client catches up on the data that was missed during the disconnection. In a one-directional live video streaming system, it is allowable for the video to be viewed a few seconds after its creation.

Figure 1. System Architecture of Video on demand


The goals of our system include the following:

• To ensure low set up time and a high sustainable playback rate for all users, regardless of their arrival time.

• We are also interested in increasing the total number of blocks exchanged per round, which we call throughput, and the total server bandwidth.

3. Related Work

The overall throughput improves if all the nodes seek to improve the diversity of segments in the network. If the segment policy is to upload a block from a lesser-represented segment whenever possible, throughput improves significantly for both existing and new nodes [15] [19]. We are faced with the problem of delivering quality video to a single receiver computer. In streaming scenarios, the entire video is not always available at every peer machine, and/or it would not be feasible to transmit the entire video from a single peer. It is important that we provide a continuous supply of the video segments once the play out begins. If only a few segments are missing once in a while, the video quality will still be acceptable by most standards. If too many segments are missing, the video and the audio quality will suffer and the media will not be useful. A missing segment does not always indicate network failure (due to congestion or other problems). It may simply mean that the segment was not available at the receiver's media player at the time it was supposed to be rendered, i.e. the segment deadline was missed. The main problem that we are solving is creating a schedule that minimizes the number of video segments missing their deadlines [14][15][18][19].

The Load Sharing Scheduling Algorithm keeps track of every sender's estimated load. Before we can sort the list of suppliers for a segment s with n potential suppliers, we create a look-ahead estimated load, i.e. what the load of each of those potential suppliers would be if segment s were assigned to it. Once we have these look-ahead estimated loads, we can sort the list of potential suppliers in increasing order of estimated load. Since we do not have a guarantee that the supplier with the smallest estimated load is suitable to deliver the segment, we iterate over the list of potential suppliers. The algorithm minimizes the number of missed segments; the easiest way to evaluate this is to compare it against other known scheduling algorithms, and the results show that load-sharing scheduling improves the throughput of the system and decreases the number of missed segments [20].
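As a rough illustration of the look-ahead estimated-load idea summarized above (the dictionaries, field names and deadline test are our own assumptions, not the paper's algorithm, which is detailed in the next section):

```python
def transmit_time(segment_len, bandwidth):
    return segment_len / bandwidth

def pick_supplier(segment, suppliers, est_load, deadline, now=0.0):
    """Sort candidate suppliers by their look-ahead estimated load and return the
    first one that can still deliver the segment before its deadline."""
    lookahead = []
    for p in suppliers:
        t = transmit_time(segment["length"], p["bandwidth"])
        lookahead.append((est_load[p["id"]] + t, p, t))
    for load_if_assigned, p, t in sorted(lookahead, key=lambda x: x[0]):
        finish = now + est_load[p["id"]] + t
        if finish <= deadline:                  # this supplier can meet the deadline
            est_load[p["id"]] += t              # commit the work to this supplier
            return p
    return None                                 # the segment will miss its deadline

peers = [{"id": "P1", "bandwidth": 4.0}, {"id": "P2", "bandwidth": 2.0}]
load = {"P1": 0.0, "P2": 0.0}
seg = {"length": 8.0}                           # 8 units of data
print(pick_supplier(seg, peers, load, deadline=5.0))   # picks P1 (finishes at t = 2.0)
```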

4. Load Sharing Scheduling Algorithm

Our algorithm hinges on having a good estimate of how well represented a segment is. This estimate should include nodes that have the complete segment and those that have partially downloaded it. In our implementation, the tracker monitors the rarity of segments in the network. Clients in our system report the fraction of blocks they have received from each segment. These fractions are used to estimate the popularity of the segments; for example, a segment is considered under-represented if the vast majority of nodes have very few blocks from that segment [14] [15]. The primary objective of the scheduling algorithm is to create a schedule such that all requested video segments are delivered to the receiver before their respective deadlines. If that is impossible to achieve, e.g., because of insufficient resources, we want to minimize the number of segments missed. We also have two secondary objectives. We want to make efficient use of the bandwidth and avoid transmitting segments before they are required, because there is no guarantee that they will even be used. Finally, since we do not want to overload any of the senders, we make sure that the peers are load balanced. The sender for a particular segment is selected based on the estimated load of each sender. The estimated load of a sender is the amount of time the sender will spend transmitting the segments assigned to it by the schedule at a particular instant of time. The time it takes a particular sender to transmit a segment depends on the segment size and the sender bandwidth. We predict the load of each sender by temporarily assigning the next scheduled segment to each sender, and we select the sender with the smallest predicted estimated load. This ensures that the load is shared among all the senders. The proper segment transmission start time is also essential for a successful schedule. We schedule each segment to arrive at the receiver a fixed amount of time before its deadline, thus fixing the client buffer. This ensures that the least amount of bandwidth is wasted on unsolicited video segments. In situations where senders do not have all segments available, we must make sure that we do not commit a sender who is the only one that can deliver particular segments to work on delivering other segments that could be delivered by other senders. When determining the appropriate peer to deliver a segment, we must therefore examine the number of potential senders that have the segment available. It is usually more difficult to meet the deadline of a segment that has fewer potential suppliers [4] [10] [14] [15]. For this reason, the algorithm first calculates the number of potential suppliers for each segment, and the segments with the fewest potential suppliers are scheduled first. That is, the segments with one potential supplier are scheduled first, then segments with two potential suppliers,


then three, and so on. This is a potential area for improving the algorithm in the future, because it is not always necessary to schedule the segments with the fewest potential suppliers first: it is still possible to change the segment scheduling order and still create an efficient schedule in which all segment deadlines are met. As noted above, each segment is scheduled to arrive at the receiver a fixed amount of time before its deadline, thus fixing the client buffer and wasting the least bandwidth on unsolicited segments [16] [18]. In the most general form we are given a set of n video segments, S = {S1, S2, . . . , Sn}, with an associated set of segment lengths, L = {L1, L2, . . . , Ln}, and a set of segment deadlines, D = {D1, D2, . . . , Dn}. We also have a set of m peers, P = {P1, P2, . . . , Pm}, with an associated set of peer bandwidths, B = {B1, B2, . . . , Bm} [20]. Finally, we are given the set of segment ranges available at each peer. Since peers typically hold contiguous ranges of segments, we assume that the segment range at each peer is simply given by the highest segment number available, and that all segments with lower segment numbers are also available at that peer. The set of available segments is given by A = {A1, A2, . . . , Am}. We need to create a schedule J in which each segment has an assigned peer and transmission start time such that the segment will be transmitted to the receiver before its deadline. Since this may not always be possible and missed segments must be taken into consideration, we want to minimize the number of segments that miss their deadlines. We have the additional constraint that the schedule cannot exceed the incoming receiver bandwidth. Consider an instance of the segment scheduling problem where we are given a set of n segments, S = {S1, S2, . . . , Sn}, and a set of m peers, P = {P1, P2, . . . , Pm}. We apply two restrictions: 1) there is only one sender peer available, i.e., m = 1; 2) the sender peer has all the segments available. The segment transmissions are the tasks that need to be scheduled. The release time of each segment transmission is 0. Since we only have one sender, clearly only one segment can be transmitted at a time. The execution length of each task is the segment transmission time, which can be calculated from the segment length and the sender's bandwidth. Every segment still has a deadline, so we have an instance of a single-sender sequencing problem, which is handled by our scheduling algorithm. Increasing the average sender bandwidth has very little effect on the execution time, but a higher average sender bandwidth decreases the number of missed segments. If we have a large video, we can simply split the video file into well-defined segments, identify the peers that have the segments of interest available, request these segments from the peers, receive them, and play them out. The first task is to create the segment supplier table. The reason for creating this table is to enable the schedule creation code to iterate over the segments in increasing order of the number of segment suppliers; the table is organized so that this data is easy to retrieve. It is possible to have any number of segments with n potential suppliers, so we must iterate over the list of segments with n potential suppliers, which is readily available from the segment supplier table. For every segment, we need to determine its sender and transmission start time; since we want to schedule the segments with the fewest potential suppliers first, we iterate over the segment supplier table indices in increasing index order. For every potential sender p for segment s, we must confirm that sender p is suitable to deliver segment s. This means that sender p must be able to deliver segment s before its deadline and cannot overload the receiver, i.e., the resulting bandwidth at the receiver must not exceed the maximum bandwidth. The segments are then transferred from senders to the receiver, least-supplied segments first. Steps 5-10 iterate the loop over the candidate peers. The segments are then loaded at the client


side, using the increased bandwidth at the server side. The bandwidth used by the client should not exceed the maximum bandwidth available at the server side. Finally, the scheduled peers are returned. As the initial guess, we set the start time such that segment s will arrive at the receiver right before its deadline, and before we confirm this transmission slot for segment s we make sure that it does not violate the maximum bandwidth constraint.
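The following Python sketch puts the steps just described together: segments with the fewest potential suppliers are handled first, each segment is given to the suitable sender with the smallest look-ahead load, and its transmission is timed so that it arrives a fixed buffer interval before its deadline. The data structures, the buffer value, and the omission of the receiver-bandwidth check are simplifying assumptions for illustration, not the exact procedure of Figure 2.

def create_schedule(segments, peers, buffer_s=2.0):
    # segments: list of dicts {"id", "size_kb", "deadline_s", "suppliers": [peer ids]}
    # peers:    dict peer_id -> {"bandwidth_kbps": ..., "load_s": 0.0}
    # Returns a list of (segment id, peer id, transmission start time) triples.
    schedule = []
    # Segments with the fewest potential suppliers are scheduled first.
    for seg in sorted(segments, key=lambda s: len(s["suppliers"])):
        best = None
        for pid in seg["suppliers"]:
            p = peers[pid]
            t_tx = seg["size_kb"] / p["bandwidth_kbps"]     # transmission time
            start = seg["deadline_s"] - buffer_s - t_tx     # arrive buffer_s before the deadline
            if start < 0:
                continue                                    # this sender cannot meet the deadline
            lookahead = p["load_s"] + t_tx                  # look-ahead estimated load
            if best is None or lookahead < best[0]:
                best = (lookahead, pid, start, t_tx)
        if best is None:
            continue                                        # the segment misses its deadline
        _, pid, start, t_tx = best
        peers[pid]["load_s"] += t_tx                        # commit the load to the chosen sender
        schedule.append((seg["id"], pid, start))
    return schedule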

Figure 2. Load Sharing Scheduling Algorithm

Replication Strategy of Segments

Assuming each peer contributes some amount of hard disk storage, a P2P storage system is formed by the entire viewer population, each member of which holds segments. Once all the blocks of a segment are available locally, the segment is advertised to other peers. The aim of the replication strategy is to make segments available to every user in the shortest time possible in order to meet viewing demands. Design issues regarding replication strategies include: (i) Allowing multiple movies to be cached if there is room on the hard disk. This is referred to as a multiple movie cache (MVC), and it lets a peer watching one movie upload a different movie at the same time.

(ii) Whether to pre-fetch or not: while pre-fetching could improve performance, it could also waste uplink bandwidth resources of the peer. (iii) Selecting which segment or movie to remove when the disk cache is full: preferred choices for many caching algorithms are least recently used (LRU) or least frequently used (LFU).

Content Discovery: Together with a good replication strategy, peers must also be able to learn who is holding the content they need without introducing too much overhead into the system. P2P systems depend on the following methods for content discovery: (i) a tracker, to keep track of which peers are replicating which part of the movie; (ii) a DHT, used to assign movies to trackers for load-balancing purposes.

Congestion Control

• Rate control: match the rate of the video stream to the maximum available bandwidth, thus reducing congestion and segment loss. Without rate control, segments that would exceed the maximum bandwidth would be discarded. This approach focuses on the transport concept.
• Rate-adaptive video encoding: use compression to make video feeds more practical and bandwidth efficient. This approach focuses on the compression concept.
• Rate shaping: a combination of the previous two. The video feed is re-coded with rate-adaptive video encoding, and rate control makes sure there is no loss of segments.

5. Performance Evaluation

In this section we evaluate the performance of both the segment scheduling and the load sharing scheduling algorithms. Initially, we present data that compares the segment rate of both algorithms. Then the load sharing scheduling algorithm is compared with another dynamic algorithm. The results clearly show that the load sharing scheduling algorithm is better than segment scheduling, especially with respect to missed segments.

5.1. Simulation Set Up: MATLAB was used for all simulations. Along with the load sharing scheduling algorithm, network coding and segment scheduling were also simulated for benchmark comparison purposes. In general, the behavior of the algorithms is rather intuitive. For all three algorithms, increasing the number of senders has very little effect on the execution time, but having more senders decreases the number of missed segments. Similarly, increasing the average sender bandwidth has very little effect on the execution time, but a higher average sender bandwidth


decreases the number of missed segments. Finally, increasing the bit rate has similar effects, i.e., it has little effect on the execution time, but a higher bit rate increases the number of missed segments [11][13].

The parameters that we should vary include:

• Average segment size, i.e., video quality (bit rate)
• Segment count (shorter vs. longer videos)
• Number of senders
• Bandwidth of senders
• Receiver's bandwidth

For each scenario, we compare the results of each algorithm according to the following criteria:
• Number of missed segments
• Running time

In the current evaluation, the maximum receiver bandwidth constraint has been ignored for all test cases. Since we are most interested in the effects of the bit rate on the number of missed segments and the algorithm execution time, most results are presented as execution time or number of missed segments vs. bit rate graphs. More specifically, we plot the following result graphs:
a. Execution time/missed segments vs. time for a varying number of segments
b. Execution time/missed segments vs. time for a varying number of senders
c. Execution time/missed segments vs. time for a varying average sender bandwidth
d. Missed segment and execution time algorithm comparison graph

On the other hand, increasing the number of segments (video length) has little effect on the number of missed segments, or at least little effect on the bit rate at which the number of missed segments starts to increase; in the case of the segment scheduling algorithm, however, longer videos take more time to schedule. This could possibly be caused by the fact that the other two algorithms are much faster than the Load Sharing Scheduling algorithm, and the inputs provided in the tests do not stress them enough to produce trends in the execution time graphs. When comparing the algorithms, the general trends exhibited by all three of them are very similar. When comparing actual values, it becomes evident that the Load Sharing Scheduling algorithm is superior to the other two when it comes to minimizing the number of missed segments, but in most cases this algorithm takes considerably longer to compute the results. Before presenting empirical results, we describe the simulation model. Table 1 summarizes the configuration parameters of the simulated scheduling algorithm, with increased bandwidth on the server side, used in our experiments.

Table 1: System Parameters.

Parameter               Value
Segments                10
Potential suppliers     4
Bandwidth               100 kbps
Bandwidth 1             80 kbps
Deadline                60 seconds
Segment size            250 kb
Available               2

5.2 Impact of missed Segments:

The graph here shows that segment loss is lower with the load sharing scheduling algorithm than with other dynamic algorithms. Measuring the available bandwidth is of great importance for predicting the end-to-end performance of applications, for dynamic path selection and traffic engineering, and for selecting between a number of differentiated classes of service. The available bandwidth is an important metric for several applications, such as grid computing, video and voice streaming, overlay routing, P2P file transfers, server selection, and inter-domain path monitoring. The overall throughput improves if all the nodes seek to improve the diversity of segments in the network.

Graph 1. Bit rate vs. time.

From the above graph we can conclude that as the transmission time of the senders increases, the amount of data that the sender of a particular segment can deliver in time drops, and hence the data rate of the segment decreases.

Graph 2. Time vs. bit rate for varying segments.


From the above graph we can conclude that as the transmission time of the senders increases, the number of segments a sender can handle in a given time is reduced, and hence the bit rate decreases.

5.3 Scalability:

Generally speaking, scalability can be defined as adaptability to changes in the peer-to-peer system size, load extent, and nature of the load. That is, the network load should be distributed evenly among the peers, which means that every peer should be aware of approximately the same number of other peers. From the data it can be concluded that our algorithm is more scalable than other dynamic algorithms such as segment scheduling and network coding. The second approach to dealing with the scalability issue of video streaming systems is to use P2P load sharing. “P2P networking architectures receive a lot of attention nowadays, as they enable a variety of new applications that can take advantage of the distributed storage and increased computing resources offered by such networks”. Their advantage resides in their ability for self-organization, bandwidth scalability, and network path redundancy, which are all very attractive features for the effective delivery of media streams over networks. Space is also saved at the peers, as replicas will be deleted.

6. Conclusion

The success of the peer-to-peer paradigm in both file distribution and live streaming applications has led to the adoption of this technology for the delivery of video-on-demand content. Fast response time is a technology factor that end-users demand. Considerable research has been performed to find better ways to arrange data such that fast response time can be achieved by increasing throughput and maximum bandwidth with low startup delay. Load sharing scheduling is effective for improving the performance of peer-to-peer systems. Though further work is required toward a better understanding of the efficacy of our algorithms in more realistic scenarios, we believe that the guidelines proposed in this paper can be used to build high-performance P2P VoD systems. Thus, high-quality VoD is feasible with high playback rates. Our system was designed to guarantee that the video starts playing shortly after the beginning of the download and progresses without interruptions until the end of the movie. While we have made an implicit assumption that users watch the entire video linearly, we believe that the same principles used in our system could be extended to support non-linear viewing, i.e., where users would be able to start watching from arbitrary points in the video and perform fast forward and rewind operations. However, if the user desires to watch a part of the video that is not available locally, the user will suffer a (moderate) waiting time as the system searches for peers to download the desired content from.

References

[1] Gnutella, http://gnutella.wego.com/.
[2] Y.-H. Chu, S. G. Rao, and H. Zhang, "A case for end system multicast," in Measurement and Modeling of Computer Systems, 2000.
[3] B. Cohen, "Incentives Build Robustness in BitTorrent," in Workshop on Economics of Peer-to-Peer Systems, 2003.
[4] V. Agarwal and R. Rejaie, "Adaptive Multi-source Streaming in Heterogeneous Peer-to-Peer Networks," in MMCN, 2005.
[5] Y. Huang, T. Z. J. Fu, D.-M. Chiu, J. C. S. Lui, and C. Huang, "Challenges, design and analysis of a large-scale P2P-VoD system," in Proc. ACM SIGCOMM 2008, pp. 375-388, 2008.
[6] X. Zhang, G. Neglia, J. Kurose, and D. Towsley, "On the benefits of random linear coding for unicast applications in disruption tolerant networks," in Second Workshop on Network Coding, Theory, and Applications (NETCOD), 2006.
[7] Wikipedia, P2P, http://en.wikipedia.org/wiki/P2P, accessed 20/11/2006.
[8] M. R. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. New York: W. H. Freeman, 1979.
[9] C. Gkantsidis, J. Miller, and P. Rodriguez, "Comprehensive view of a live network coding P2P system," in Proc. ACM SIGCOMM/USENIX IMC'06, Brazil, October 2006.
[10] S. Deering and D. Cheriton, "Multicast routing in datagram internetworks and extended LANs," ACM Transactions on Computer Systems, vol. 8, no. 2, pp. 85-110, May 1990.
[11] S. Banerjee, B. Bhattacharjee, and C. Kommareddy, "Scalable application layer multicast," in Proc. ACM SIGCOMM'02, Pittsburgh, PA, August 2002.
[12] M. Castro, P. Druschel, A.-M. Kermarrec, A. Nandi, A. Rowstron, and A. Singh, "SplitStream: High-bandwidth multicast in cooperative environments," in Proc. ACM SOSP'03, New York, USA, October 2003.
[13] S. Acendanski, S. Deb, M. Medard, and R. Koetter, "How good is random linear coding based distributed networked storage?," in NetCod, 2005.
[14] PPLive, http://www.pplive.com.
[15] X. Hei, C. Liang, J. Liang, Y. Liu, and K. Ross, "Insight into PPLive: A Measurement Study of a Large-Scale P2P IPTV System," in Proc. of the WWW 2006 Workshop on IPTV Services over World Wide Web, 2006.
[16] "PeerSim P2P Simulator," 2005, accessed 01-May-2006. [Online]. Available: http://peersim.sourceforge.net/.
[17] R. Agrawal and V. Subramanian, "Optimality of Certain Channel Aware Scheduling Policies," in Proc. of the 2002 Allerton Conference on Communication, Control and Computing, Oct. 2002.
[18] J. A. Pouwelse, J. R. Taal, R. L. Langendijk, and D. H. J. Epema, "Real-time Video Delivery using Peer-to-Peer Bartering Networks and Multiple Description Coding," http://ishare.ewi.tudelft.nl/public/PouwelseTaal_SMC2004.pdf.
[19] R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung, "Network information flow."
[20] H. Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications. Kluwer Academic Publishers, 1997.

Authors Profile

S. Nagaprasad received the Bachelor of Computer Applications (B.C.A.) degree from Osmania University, Hyderabad, in 2001, the M.Sc. (I.T.) from Sikkim Manipal University, Manipal, in 2003, and the M.Tech. (C.S.) from Allahabad Agricultural University, Allahabad, in 2005. He is presently pursuing a Ph.D. in Computer Science & Engineering at Acharya Nagarjuna University, Guntur.

Prof. A. Vinay Babu obtained his Bachelor's degree in Electronics & Communication Engineering from Osmania University. He holds dual Master's degrees, one in Computer Science & Engineering and the other in ECE, both from JNTU. He obtained his Ph.D. from JNTU, Hyderabad. His research areas are Data Mining and Image Processing.

Prof. K. Madhukar received his Master's in Engineering Physics and Instrumentation from Osmania University in 1980 and his Ph.D. from Osmania University in 1989. He is presently Professor and Head, Department of Physics and Electronics, Nizam College, Osmania University, Hyderabad. He worked as an ICT4D programme specialist in the United Nations Development Programme (UNDP) for more than four years. His research areas are Data Mining, Knowledge Discovery, and Networks. Eight students are working toward their doctoral degrees under his supervision.


Data Aggregation Trees based Algorithm using Genetic Algorithm in Wireless Sensor Networks

Mehdi Dabbaghian1, Abolfazl Kalanaki2, Hamed Taghvaei3, Faezeh Sadat Babamir4 and Seyed Mehrdad Babamir5

1 Islamic Azad University Abhar Branch,

Member of Young Researchers Club, Abhar Branch, Abhar, Iran [email protected]

2 University of Tehran,

Faculty of Management, Tehran, Iran [email protected]

3 Islamic Azad University Arak Branch,

Arak, Iran [email protected]

4 Shahid Beheshti University of Tehran,

Evin 1983963113, Tehran, Iran [email protected]

5 Sharif University of Technology,

Electrical Engineering Faculty, Tehran, Iran [email protected]

Abstract: This study investigates balanced and energy-efficient data-collecting spanning trees in order to propose a Genetic Algorithm (GA) based approach. The optimum solution obtained by the GA consumes the lowest possible energy for transmitting data from randomly placed nodes to the Base Station (BS). Monitoring and sending data are intensively energy consuming; using an algorithm that balances the residual energy among nodes can help the network withstand more rounds and consequently extend its lifetime. The GA and data aggregation tree simulation shows that the balancing operation practically increases the network lifetime.

Keywords: Wireless Sensor Networks, Data Aggregation, Genetic Algorithm

1. Introduction
Nowadays, wireless sensor networks appear everywhere, especially in ubiquitous and pervasive applications. These networks consist of a number of small, low-power sensing nodes with a limited communication range, which cooperatively monitor the environment and transmit data to the Base Station (BS) or sink. This task is seriously energy consuming, so that, due to the limited power of the nodes, intelligent data dissemination with energy-efficient protocols is required. The network lifetime is measured by the number of messages that can be exchanged toward the sink while the network still has the minimum required number of active nodes [1]. Intelligent, optimum energy consumption protocols can extend the network lifetime and consequently withstand long transmission periods. In this study, sensor nodes monitor data, remove redundant readings, aggregate the remainder according to the data aggregation spanning tree, and only then send the packet to the appropriate neighbor. The BS is a powerful station that connects the WSN to an IP network. The proposed technique is suitable for a homogeneous WSN with some spatial correlation in the collected data. The Genetic Algorithm (GA) is classified as a heuristic method that can obtain an optimum solution by investigating the search space. In this paper, a GA-based algorithm is used to create an efficient data aggregation tree in which every node has a value property. Consequently, each chromosome consists of genes (nodes): the index of a gene indicates the node and the corresponding value identifies its parent node. We apply single-point crossover to generate the future population, where corrupted individuals are distinguished by the selection process. The fitness function assigns each individual a suitable value on the basis of residual energy and the number of transmitted and received data packets. The number of iterations and the population size are determined according to the network size. The paper is organized as follows: Section 2 briefly describes the literature, Section 3 discusses the problem, Section 4 gives more detail about the use of the GA to create the data aggregation tree, Section 5 provides simulation results, and finally Section 6 presents conclusions and future work.

2. Related Work
During the 2000s, much research has been devoted to this problem. For instance, Kalpakis et al. [2] propose MLDA (Maximum Lifetime Data gathering Algorithm). In fact, MLDA finds edge capacities that maximize


transmission flow by running a linear program. This algorithm is able to maximize the lifetime of the network given the location of each node and the base station. One year later, Dasgupta et al. [3] extended MLDA by applying a cluster-based heuristic algorithm called CMLDA, where nodes are grouped into several clusters of pre-defined size. The energy of a cluster is the sum of the energies of its member nodes, and the distance between two clusters is the maximum distance between any pair of nodes from the two clusters. After cluster formation, MLDA is applied. Tan et al. [4] study two spanning trees in which an aggregation scheme and data gathering are applied to extend the network lifetime. In that paper, generally, two methods are considered to manage power among nodes. The first, the power-aware version (PEDAPPA), attempts to extend the lifetime by balancing the energy consumption among nodes; the second, PEDAP, the non-power-aware version, minimizes the total energy consumed by the system in each data gathering round [1]. This method extends the lifetime of the last node. The edge cost is calculated in different ways: in PEDAP, the edge cost is the sum of the energy amounts for transmission and reception, while PEDAPPA divides the PEDAP edge cost by the transmitter's residual energy, which results in asymmetric communication costs. A node with higher cost is considered later in the tree, as it then has few incoming edges. After the edge costs are determined, Prim's minimum spanning tree rooted at the BS is formed for routing of packets. This computation is repeated every 100 rounds. Their assumptions are that all nodes are active and that the BS is aware of the node locations. Jin et al. [5] utilize a GA to reduce energy consumption. This algorithm starts from a number of pre-defined independent clusters and then biases them toward an optimal solution with minimum communication distance over the generations. They conclude that the number of cluster heads is reduced to about 10 percent of the total number of nodes. They also show that cluster-based methods decrease the communication distance by 80 percent compared to direct transmission. In 2005, Ferentinos et al. [6] improved the algorithm proposed by Jin et al. with an extended fitness parameter. They investigate energy consumption optimization and the uniformity of measurement points, using a fitness function involving the status of the sensor nodes, network clustering with suitable cluster heads, and the selection between two signal ranges for normal sensor nodes.

3. Problem Statement
In this study, we suppose that every node initially has a pre-defined amount of energy; it is able to monitor the environment, to receive multiple data packets, to forward its children's packets, and to send a single packet to its parent or the BS. This task is continued periodically as long as possible. In our algorithm, all nodes first send a sample packet to the BS once they are ready. Only then is the minimum spanning tree, i.e., the aggregation tree rooted at the BS, formed. In this paper, the network is considered alive as long as all nodes are active.

4. Genetic Algorithm
In this study, a GA is applied in order to obtain balanced and energy-efficient spanning trees. Every chromosome represents a tree, where the gene index indicates a node and the contained value points to the corresponding parent. Using a standard GA, the optimum minimum spanning tree is obtained.

4.1 Gene and Chromosome
A chromosome is a collection of genes (nodes) and has a fixed length equal to the number of network nodes.

3 0 5 1 2 0

Figure 1. Chromosome and corresponding Tree Example
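The parent-array encoding of Section 4.1 can be decoded into a tree with a few lines of Python. As a hedged illustration we assume the sensor nodes are numbered 1..N, the BS (root) is node 0, and gene i-1 holds the parent of node i; these conventions are our own, chosen to match the example chromosome above.

def decode(chromosome):
    # Turn a parent-array chromosome into a children map rooted at the BS (node 0).
    children = {0: []}
    for node, parent in enumerate(chromosome, start=1):
        children.setdefault(parent, []).append(node)
        children.setdefault(node, [])
    return children

tree = decode([3, 0, 5, 1, 2, 0])   # the example chromosome of Figure 1
print(tree[0])                      # nodes attached directly to the BS -> [2, 6]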

4.2 Crossover
The main step in producing a new generation is the crossover, or reproduction, process. In fact, it is a simulation of the sexual reproductive process in which inherited characteristics are naturally transferred into the new population. To generate new offspring, crossover selects a pair of individuals as parents from the collection formed by the selection process for breeding. This process continues until the required size of the new population is reached. In general, various crossover operations have been developed for different aims. The simplest method is single-point crossover, in which a random point is chosen at which the two parents exchange their characteristics. Table 1 shows an example of mating two chromosomes with the single-point method.

Table 1: Single-point crossover at random point 6

              First               Second
Parents       101101'01101101     011110'10001011
Offspring     101101'10001011     011110'01101101

4.3 Fitness Function
The fitness function is a procedure that scores each chromosome. This value allows us to compare all chromosomes with each other for survival or death. Below, we propose a fitness function, where N is the number of nodes and the setup energy is included in the electrical power calculation. E_Children is the energy required to forward the data packets received from the children.



E_{Total} = E_{Send} + E_{Monitor} + E_{Children} + E_{Setup}

F = \frac{1}{N} \sum_{i=1}^{N} E_{Total}(i)    (1)

Above, we compute the average energy amount by dividing by the number of nodes. Each individual is assessed by the selection function: the better the fitness value, the higher the chance to participate in the next generation.
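A direct reading of equation (1) in Python is sketched below: the total energy of each node is summed and the average over the N nodes is returned as the fitness value. The per-node energy field names are illustrative assumptions.

def fitness(nodes):
    # Average E_Total over all N nodes (equation (1)); a lower value means
    # the tree consumes less energy on average.
    total = sum(n["e_send"] + n["e_monitor"] + n["e_children"] + n["e_setup"]
                for n in nodes)
    return total / len(nodes)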

5. Simulation

5.1 Network Properties
The simulation parameters for the tested sensor network are: 1) the network dimension is 100*100 m2; 2) the initial energy of each node is 0.8 J; 3) random node placement is used; 4) each tree is used for 15 rounds only; 5) each scenario is simulated 5 times and the average is reported; 6) the BS is situated at the center of the field; 7) a free wireless sensor network simulator is used for the simulation.

5.2 Genetic Algorithm Parameters
The settings of our heuristic algorithm are as follows: 1) the population size is 500, equal to the number of network nodes; 2) the number of generations is 200; 3) the mutation and crossover rate is 0.7. Figure 2 shows the network under test at the early setup, where the small white points are data packets being transmitted among nodes and the green circles are the nodes active at that moment; the light ones are transmitting, while the dark ones transmitted recently. Figure 3 shows the network with fewer active nodes, but it is not yet out of order, as the paths required for transmission are still available. Finally, Figure 4 shows the network late in its lifetime. According to this figure, only a few nodes remain able to forward their children's packets and their own monitored data; in this state, the network is about to become inoperative.

Figure 2. Network status in early setup

Figure 3. Failing some nodes after several periods

Figure 4. Network status in later lifetime

As a result, these figures indicate that, using the proposed algorithm, the network withstands the longest possible time transmitting data packets, as the minimum spanning tree intelligently selects an affordable routing, leading to an extended lifetime.

6. Conclusion
According to the simulation, we conclude that the proposed algorithm extends the network lifetime compared to PEDAPPA. In the future, the fitness function and other GA parameters can be improved to obtain a more efficient algorithm. Furthermore, we would like to investigate trees that can efficiently adapt to the network structure.

References
[1] O. Islam, S. Hussain, and H. Zhang, "Genetic algorithm for data aggregation trees in wireless sensor networks," in Proceedings of the 3rd International Conference on Intelligent Environments, pp. 312-316, September 2007.
[2] K. Kalpakis, K. Dasgupta, and P. Namjoshi, "Maximum lifetime data gathering and aggregation in wireless sensor networks," in Proceedings of the IEEE International Conference on Networking, pp. 685-696, August 2002.
[3] K. Dasgupta, K. Kalpakis, and P. Namjoshi, "An efficient clustering-based heuristic for data gathering and aggregation in sensor networks," in Proceedings of the IEEE Wireless Communications and Networking Conference, vol. 3, pp. 1948-1953, March 2003.
[4] H. O. Tan and I. Körpeoğlu, "Power efficient data gathering and aggregation in wireless sensor networks," SIGMOD Record, vol. 32, no. 4, pp. 66-71, 2003.
[5] S. Jin, M. Zhou, and A. S. Wu, "Sensor network optimization using a genetic algorithm," in Proceedings of the 7th World Multiconference on Systemics, Cybernetics and Informatics, pp. 1031-1051, Nov 2003.
[6] K. P. Ferentinos, T. A. Tsiligiridis, and K. G. Arvanitis, "Energy optimization of wireless sensor networks for environmental measurements," in Proceedings of the International Conference on Computational Intelligence for Measurement Systems and Applications (CIMSA), pp. 250-255, July 2005.


Cloth Deformation Simulation Based on a simplified mass-spring model

Yao yu-feng 1, Xia kai-jian 2 and Zhou jin-cheng 3

1 Changshu Institute of Technology, Computer Science and Engineering College,
Suzhou, Jiangsu, China, 215500 [email protected]

2 Changshu Institute of Technology, Computer Science and Engineering College,
Suzhou, Jiangsu, China, 215500 [email protected]

3 Department of Mathematics, Qiannan Normal College for Nationalities,
Duyun, Guizhou, 558000 [email protected]

Abstract: Simulating the motion of cloth is an important part of virtual simulation, but the computational costs are still high. Cloth deformation simulation is an important research topic in computer graphics. This paper presents a physics-based cloth deformation model that uses a simplified mass-spring model for the cloth object. To cope with requirements such as real-time performance and stability in cloth deformation, this paper simplifies the mass-spring model. The dynamic equation of the cloth-object model is solved by the Euler integration method. Experimental results show that the model creates realistic simulations with good stability and is easy to implement.

Keywords: Cloth deformation; mass-spring model; Euler integration method; collision detection.

1. Introduction
The real-time simulation of cloth is currently widely used in film, television, and network games. It relieves many animators of heavy manual work. As a classic soft object [1], cloth is thin and highly deformable: its shape can change according to the shape of the surface it is attached to, and at the same time it can be swung and deformed by external forces (such as wind). How to simulate cloth realistically has been a hot area of research, but currently available simulation methods have trouble achieving real-time performance and stability at the same time, and this is the bottleneck for applying the technology in practice.

Animation technology based on physical models considers the attributes of real-world objects, such as mass, moment of inertia, elasticity, and friction, and automatically generates dynamic movement for the original object by using dynamics theory.

The cloth-object simulation model based on the physical mass-spring method [2],[3] is widely used because the model is easy to use and the algorithm is easy to implement. In this paper the cloth is based on the mass-spring model and is regarded as a grid system composed of masses and the springs connecting them. In order to capture the nonlinear stress-strain behavior of cloth, the springs in the mass-spring model are divided into three kinds: shear springs, structural springs, and bending springs [4]. The mass-spring model is simplified to avoid the complex algorithms and high computation cost incurred in seeking physical realism. In this paper the mass-spring model is simplified, and a simple and effective explicit Euler integration method is used to simulate the swinging states more realistically and more quickly. This method greatly improves the computational efficiency, offers good stability and real-time performance, and is easy to implement.

2. Creating the Model
The mass-spring model is composed of an m × n grid of masses forming a virtual network. The relationships between the masses are transmitted mainly through the springs: each mass is connected to its adjacent masses by springs whose own mass is zero. In the mass-spring model the springs connecting adjacent masses are divided into three kinds: shear springs, structural springs, and bending springs, as shown in Figure 1. Figure 1a shows the basic mass-spring model, Figure 1b the structural springs, Figure 1c the shear springs, and Figure 1d the bending springs. All kinds of cloth deformation can be simulated using these three spring types.

(a) basic mass-spring model (b) structural spring

(c) shear spring (d) bending spring

Figure 1. The mass-spring model and the three kinds of springs


The mass-spring model is simplified in this paper. In Figure 1a, the springs P_{i,j+1}-P_{i+1,j} and P_{i,j}-P_{i+1,j+1} are the shear springs. Experiments show that using two shear springs instead of one does not noticeably affect the behavior of the system. Therefore we remove one shear spring to simplify the model; Figure 2 shows the simplified mass-spring model.

Figure 2. the simplified mass-spring model
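As a concrete illustration of the simplified grid of Figure 2, the following Python sketch builds the spring list for an m × n grid of masses, keeping the structural and bending springs and only one shear (diagonal) spring per cell. The indexing conventions and the choice of which diagonal is kept are assumptions made for illustration.

def build_springs(m, n):
    # Build the spring list for an m x n grid of masses: structural springs to
    # the right/down neighbors, one shear spring per cell, and bending springs
    # that skip one mass.
    springs = []                      # entries: (type, (i, j), (k, l))
    for i in range(m):
        for j in range(n):
            if i + 1 < m:
                springs.append(("structural", (i, j), (i + 1, j)))
            if j + 1 < n:
                springs.append(("structural", (i, j), (i, j + 1)))
            if i + 1 < m and j + 1 < n:
                # Only one diagonal per cell: the second shear spring is the
                # one removed in the simplified model of Figure 2.
                springs.append(("shear", (i, j), (i + 1, j + 1)))
            if i + 2 < m:
                springs.append(("bending", (i, j), (i + 2, j)))
            if j + 2 < n:
                springs.append(("bending", (i, j), (i, j + 2)))
    return springs

print(len(build_springs(4, 4)))   # number of springs in a small 4 x 4 grid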

3. Analysis of Forces on the Model
In the model, the cloth is described by the simplified mass-spring model. The model consists of a number of virtual masses on a triangular mesh, each mass connected to its adjacent masses. The movement of each mass is determined by the sum of the external and internal forces acting on it. The internal forces are the spring force and the damping force between the masses; the external forces are gravity and wind. Each mass represents the movement of the cloth cell it stands for, and the movement of all masses together represents the deformation of the entire cloth. The forces on the cloth are analyzed below.

3.1 Internal Forces

1. Spring force
In order to simulate cloth deformation, we suppose that any two neighboring masses on the cloth surface are connected by a spring; the spring force follows Hooke's law, so the force F_{si}^{t} between mass i and a neighboring mass j is directly proportional to the change in length of the spring [5],[6]:

F_{si}^{t} = -k_{i,j} \left( |x_i - x_j| - l_{i,j}^{0} \right) \frac{x_i - x_j}{|x_i - x_j|}    (1)

where F_{si}^{t} is the spring force between mass i and its neighboring mass j, k_{i,j} is the elasticity coefficient of the spring between mass i and mass j, x_i and x_j are the locations of mass i and mass j, l_{i,j}^{0} is the initial (rest) length of the spring, and t is the current time step. The forces on a pair of neighboring masses are equal and opposite: if the force on one mass is F_{i,j}^{t}, then the force on its neighboring mass is -F_{i,j}^{t}.

2. Damping force
In the dynamic simulation of cloth, a damping force is necessary to maintain the stability of the system. The damping force F_{di}^{t} exerted on mass i by all its neighboring masses j on the cloth surface is:

F_{di}^{t} = \sum_{j=0}^{n} d_{i,j} \left( v_j - v_i \right)    (2)

where F_{di}^{t} is the damping force, d_{i,j} is the damping coefficient of the spring between mass i and its neighboring mass j, v_i is the velocity of mass i, v_j is the velocity of mass j, and t is the current time step.

3.2 External Forces
There are many kinds of external forces; here we consider gravity and wind (the system only considers the forces of wind and gravity and does not consider the impact of other external forces).

1. Gravity
The force caused by the attraction of the Earth is called gravity. At a given point on the Earth, gravity is directly proportional to the mass of the object. The gravity acting on mass i of the cloth surface, F_{gi}^{t}, is:

F_{gi}^{t} = m_i \, g    (3)

where F_{gi}^{t} is the gravity acting on mass i at time t, m_i is the mass of particle i, and g is the acceleration of gravity, a constant.

2. Wind force
Aerodynamics and hydrodynamics [7] describe the flow of air movement, but the computational complexity of such models is often prohibitively large. A simplified wind flow is designed to reduce the computational complexity while remaining physically plausible: the flow has a parallel direction, and the changes that occur when the wind collides with the cloth are ignored. The wind force F_{wi}^{t} is:

F_{wi}^{t} = k_w \left( v_w - v_i \right)    (4)

where F_{wi}^{t} is the wind force on mass i, k_w is the wind force coefficient, v_w is the velocity of the wind, and v_i is the velocity of mass i. In an actual scenario, some masses on the cloth surface are blocked, so the wind has no effect on those masses.

According to Newton's second law of motion, the total force F_i^{t} on mass i at time t is:

F_i^{t} = F_{si}^{t} + F_{di}^{t} + F_{gi}^{t} + F_{wi}^{t}    (5)

4. Explicit Euler integration method to solve the dynamic equation

This section uses the explicit Euler integration method [8],[9] to solve the mass-spring model:


v_i^{n+1} = v_i^{n} + \Delta t \, F_i^{n} / m_i    (6)

x_i^{n+1} = x_i^{n} + \Delta t \, v_i^{n+1}    (7)

This method needs to store two variables for each mass: the current velocity and the current position. Given the time step \Delta t, the new velocity and position can be calculated from equations (6) and (7). This method is simple, fast to compute, and well suited to parallelism, but it needs a time step \Delta t small enough to guarantee the stability of the algorithm. The external forces (gravity and wind) are relatively small in the model, so this issue does not affect the result of the simulation.

In the general case, the positions of the masses of the cloth change quickly, which can lead to instability, for example in the collision response. To solve this problem, a simple method is proposed: the velocity is recomputed after each time step from the position change:

v_i^{n} = (x_i^{n} - x_i^{n-1}) / \Delta t    (8)

Equation (8) shows that the velocity of a mass is calculated from its position change, so the position change directly affects the velocity at the next time step; this enhances the stability of the numerical integration. Substituting equation (6) into equation (7):

x_i^{n+1} = x_i^{n} + \Delta t \, v_i^{n} + \Delta t^2 \, F_i^{n} / m_i    (9)

Substituting (8) into (9):

x_i^{n+1} = 2 x_i^{n} - x_i^{n-1} + \Delta t^2 \, F_i^{n} / m_i    (10)

The mass position at any time step can be calculated according to equation (10).
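Equation (10) updates all mass positions from the current and previous positions and the current forces; a compact vectorized sketch (with assumed array shapes) is:

import numpy as np

def step(x_curr, x_prev, forces, masses, dt):
    # One integration step per equation (10): x^{n+1} = 2 x^n - x^{n-1} + dt^2 F^n / m.
    # x_curr, x_prev, forces: arrays of shape (N, 3); masses: shape (N,).
    x_next = 2.0 * x_curr - x_prev + (dt ** 2) * forces / masses[:, None]
    return x_next, x_curr    # the new (current, previous) position pair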

5. Collision Detection and Treatment
In real-time simulation, we only consider collisions between the cloth and a simple geometric object. Collision detection can be implemented by calculating the distance between the objects. In the experiment, the distance is calculated to judge whether a collision occurs between the cloth and the geometric object, or whether the cloth penetrates into the object.

In the following collision detection experiment, a point-to-surface model is used to carry out the collision detection. We are given a rigid geometric sphere; the coordinate of a mass is (x, y, z), the coordinate of the center of the sphere is (a, b, c), \vec{n} is the surface normal vector, and the radius of the sphere is r. The distance d between the center of the sphere and the mass is:

d = \sqrt{(x - a)^2 + (y - b)^2 + (z - c)^2}    (11)

If d < r, penetration occurs; if d ≥ r, it does not.

Collision detection is simple using this method, but there are some problems: when the cloth grid is sparse, penetration can occur even though every mass is outside the geometric object. To solve this problem, an expansion-avoiding method [10] is used: a bounding layer is added to the outer surface of the ball, i.e., the radius of the sphere is increased, which effectively avoids the penetration phenomenon.

When a collision is detected, the system should respond in a timely way to keep the simulation realistic. Equation (10) shows that the Euler integration method does not solve the system equations using the velocity variable, so the system computes quickly and remains stable.
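A sketch of the sphere test of equation (11), together with the bounding-layer ("expansion avoiding") idea, is given below; the layer thickness is an arbitrary illustrative value.

import numpy as np

def penetrates(mass_pos, center, radius, layer=0.1):
    # True if the mass lies inside the sphere enlarged by the bounding layer.
    d = np.linalg.norm(mass_pos - center)     # distance of equation (11)
    return d < radius + layer

print(penetrates(np.array([0.0, 1.05, 0.0]), np.zeros(3), 1.0))   # True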

6. The simulation results

6.1 The Work Flow
The simulation of cloth collision essentially determines the coordinates of each mass position on the cloth at each time step. The position is mainly influenced by the external and internal forces. The work flow of the cloth deformation simulation is shown in Figure 3:

Figure 3. cloth simulation flow chart

6.2 Experiments and Results
We implemented the simplified mass-spring model on a PC with a P4 T2310 1.86 GHz CPU, 2 GB RAM, and an Intel 82865G graphics card, based on the OpenGL graphics library and using VC++ as the development environment. As the mass-spring model is a simplified, discrete physical model, the simulation results can only be an approximation.

We tested the collision of a draped cloth. The collision object is a red ball; we simulate the masses of the cloth and the draping cloth. The following figures show the experimental results obtained with different parameters. Figure 4(a) shows the draped cloth, where the red dots on the cloth are the masses of the model. Figure 4(b) shows the result when the collision occurs. Figures 4(c) and (d) show the results without masses.


(a) draped cloth; (b) cloth deformation when the collision occurs; (c) draped cloth (without masses); (d) cloth deformation when the collision occurs (without masses)
Figure 4. Experimental results

7. Conclusions
In this paper we presented a mass-spring model to simulate cloth deformation, using a simplified mass-spring model for the cloth in which some shear springs are removed. This greatly improves the computational performance. The dynamic equation of the cloth-object model is solved by the Euler integration method, and the collision between the cloth and an object is also handled. Experimental results show that the model creates realistic simulations with good stability and is easy to implement.

References
[1] Ng H N, Grimsdale R L. Computer graphics techniques for modeling cloth [J]. IEEE Computer Graphics and Applications, 1996, 16-36.
[2] Bridson R, Marino S, Fedkiw R. Simulation of clothing with folds and wrinkles [C]. Proceedings of the 2003 ACM SIGGRAPH/Eurographics Symposium on Computer Animation, San Diego, 2003, 28-36.
[3] Xia Kai-jian, Wang Shi-tong. [J]. Computer Engineering and Applications, 2009, 45(29): 177-179.
[4] Li Jian, Li Peng-kun, Liao Qiu-jun. Cloth simulation based on improved mass-spring model [J]. Journal of Computer Applications, 2009, 29(9): 2386-2388.
[5] Ning Song, Lin Mu-hua, Liu Jiao. A quick cloth simulation based on physical modeling [J]. Computer Simulation, 2006, 23(12): 118-121.
[6] Jaruwan M, Ratan G, Shafaq C. 3D Soft Body Simulation Using Mass-spring System with Internal Pressure Force and Simplified Implicit Integration [J]. Journal of Computers, 2007, 2(8): 34-43.
[7] Li Chang-feng, Xiu Yi. Cloth 3D dynamic deformation [J]. CAD&CG, 2006, 18(9): 1372-1376.
[8] Meyer M, Debunne G, Barr A. Interactive animation of cloth-like objects for virtual reality [J]. The Journal of Visualization and Computer Animation, 2001, 12: 1-12.
[9] Jin Bi-peng. Research on computer real-time animation [D]. HeFei: University of Electronic Science and Technology of China, 2007.
[10] Wang Jian-chun, Hu Xin-rong, Wang Hui. Simulation Technology of Cloth Modeling Based on Mass Spring Model [J]. Journal of Wuhan University of Science and Engineering, 2008, 21(9): 6-8.

Author Profile

Yao Yu-feng received the M.S. degree in Computer Science and Technology from Beijing University of Posts and Telecommunications in 2008. He then worked as a teaching assistant at the Computer Science and Engineering College, Changshu Institute of Technology.


The Performance Analysis for MAP Selection Scheme of Hierarchical Mobile IP Networks

Shan Zhong 1, Jin-yi CHANG 1, Dan Zhao 2 and Hong Zhao 3

1 School of Computer Science and Engineering, Changshu Institute of Technology,

Changshu 215500, China [email protected]

2 Zhe Jiang Yinjiang Electronics Co., Ltd.,

Hangzhou 310023, China [email protected]

3College of Computer Science and Technology, Zhejiang University of Technology

Hangzhou, China [email protected]

Abstract: To provide more flexibility to end-users and achieve better mobility management, the concept of the mobility anchor point (MAP) was introduced. How to select an appropriate MAP for a mobile node (MN) has an important effect on the total signaling overhead and network performance in Hierarchical Mobile IP networks. This paper introduces two types of MAP selection methods, static and dynamic, and reviews several existing schemes: the nearest selection scheme, the farthest selection scheme, the selection scheme based on mobility characteristics, and the adaptive selection scheme. Finally, we draw a conclusion by comparing the four schemes.

Keywords: Mobile IP; Hierarchical; Mobility; MAP.

1. Introduction
With the development of the Internet and wireless access technologies, more and more users hope that mobile devices such as mobile phones and PDAs can access the Internet anywhere. The appearance of Mobile IP satisfies this need; it is a global mobility management scheme worked out by the IETF and has been a hot research area [1] [2]. The protocol ensures routing to the mobile host regardless of its point of attachment to the Internet. Two functional agents, the Home Agent (HA) and the Foreign Agent (FA), are used, and location update and tunneling mechanisms are used to route packets between them. The main problem of IETF Mobile IP is that the frequent position announcements result in high signaling overhead. When the MN (mobile node) changes its CoA (Care-of Address), it must register with the HA; if the MN is far from its home network, the signaling overhead and the propagation delay are considerable.

The hierarchical management scheme was introduced in order to reduce the high signaling overhead generated by frequent handovers in Mobile IP. The network is divided into different domains by layering techniques, and the mobility problem is divided into macro-mobility and micro-mobility. Standard Mobile IP is used when the MN moves between domains, while a micro-mobility protocol is used when it moves within a domain. A new node called the MAP is introduced in HMIPv6 [3]; it is a router positioned in the MN's access network. The MN then uses the MAP as a local HA: while moving within the MAP domain it does not need to register with the HA, only with the current MAP, and only when it moves out of the MAP domain does it need to register with the HA. This reduces the location update overhead. There can be several MAPs in the access network, so a MAP selection problem arises when several MAPs are found in the same domain, namely, how to find the most suitable MAP.

The paper is organized as follows. First, several static MAP selection schemes are described in Section 2; then several dynamic selection schemes are introduced in Section 3; finally, the advantages and disadvantages of the schemes are compared and the conclusion is given.

2. Static MAP Selection Schemes
In the following we describe two static MAP selection schemes based on distance in an HMIPv6 network: the nearest selection scheme and the farthest selection scheme. Because these schemes are the basis of the other schemes, they are described in detail first. In the nearest (or farthest) MAP selection scheme the MN selects the nearest (or farthest) MAP as its serving MAP. The specific operation [4] is as follows:
• Analyze all the MAP options (the format of the MAP option message is shown in Figure 1).
• Order the MAPs by distance (if the nearest selection scheme is used, order them in ascending sequence; if the farthest selection scheme is used, order them in descending sequence).
• Select the first MAP in the list.
• If the preference (priority) value or the lifetime field of the selected MAP is 0, select the next MAP in the list. Repeat this step until a MAP is found whose preference value and effective lifetime are both non-zero.


MAP and the effective survival period of which not 0. The above procedure will go on until all the priority value

of MAP is lessoned to 0, then another MAP is selected. The advantage of the furthest selection schema is

registering frequently and repeatedly, it is effective for the MN of quicker mobile speed. The relative further MAP can lesson the communication price between HA and CN, but is not proper for the MN of slower mobile speed. Furthermore, if all MN choose the furthest MAP as their service MAP, the MAP can be the performance bottleneck of system, the higher operation time delay is generated.

The nearest selection scheme selects the closest MAP as the current MAP of the MN. Compared with the farthest selection scheme, the cost of each local registration update is relatively small, but the frequent MAP changes make the overall cost larger. The message format of the mobility anchor point option is shown in Figure 1.

Figure 1. The Message format of Mobility anchor point
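To make the procedure above concrete, the following Python sketch implements the distance-based static selection loop; the field names (distance, preference, lifetime) and the list-of-dicts representation of the received MAP options are illustrative assumptions, not part of the original scheme.

```python
def select_static_map(map_options, farthest=True):
    """Distance-based static MAP selection (sketch).

    map_options: list of dicts with 'distance', 'preference' and 'lifetime'
    fields taken from the MAP options received in router advertisements.
    Returns the first MAP (sorted by distance) whose preference and lifetime
    are both non-zero, or None if no usable MAP exists.
    """
    # Order candidates by distance: descending for the farthest scheme,
    # ascending for the nearest scheme.
    candidates = sorted(map_options, key=lambda m: m["distance"], reverse=farthest)
    for m in candidates:
        # Skip MAPs whose preference (priority) or lifetime is zero.
        if m["preference"] > 0 and m["lifetime"] > 0:
            return m
    return None

# Example with three MAP options at different hop distances.
maps = [{"distance": 1, "preference": 5, "lifetime": 1000},
        {"distance": 3, "preference": 0, "lifetime": 1000},   # unusable
        {"distance": 5, "preference": 2, "lifetime": 600}]
print(select_static_map(maps, farthest=True))   # farthest usable MAP
print(select_static_map(maps, farthest=False))  # nearest usable MAP
```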

3. Dynamic MAP Selection Schemes The general procedure of a dynamic scheme is as follows:

(1) The MN receives RAs containing MAP options and builds a MAP list, from which it obtains information about each MAP (hop distance and MAP load).

(2) By estimating some additional parameters (such as the session arrival rate), a suitable MAP is chosen dynamically. Depending on the parameters used for the selection, the dynamic schemes can be divided into the following categories.

3.1 Selection Scheme Based on Mobility Characteristics This scheme improves on the distance-based scheme: the MN selects its serving MAP according to its own mobility characteristics. In the speed-based variant, the MAP is chosen according to the MN's moving speed: a fast-moving MN selects the farthest MAP as its serving MAP, while a slow-moving MN selects the nearest MAP. The speed-based procedure is as follows:

(1) Estimate the speed of the MN. This is the difficult part of the scheme, because the speed is hard to measure precisely; in practice the estimate is not the actual speed, and the historical speed is used as the current speed of the MN.

(2) Choose the most suitable MAP. Given the estimated speed, a proper MAP is selected from the list; the selection table records the mapping between mobility type and the corresponding MAP. Wan Zheng et al. [5] let the MN register with a high-layer MAP, a low-layer MAP or directly with the HA depending on its speed and its handover count. To address load balancing, an admission-control algorithm and a replacement algorithm are used to balance the load between the two MAP layers and among the MAPs within the same layer.

The topology-based scheme uses two pieces of mobility history for the MN: the IP addresses of the ARs it visited and the corresponding access times. Every MN maintains its own mobility history. When the MN enters a new AR area, it sends its history to the current AR, which computes the MN's relative speed with respect to each candidate MAP; the MN then registers with a MAP for which this relative speed is high.
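A minimal sketch of the speed-based variant, assuming the handover history is available as (access router, entry time) pairs; the threshold value and the function names are illustrative.

```python
def estimate_speed(history, window=5):
    """Estimate MN speed from its handover history (sketch).

    history: list of (access_router_id, entry_time) pairs. As described
    above, the historical rate of AR changes is used as a proxy for the
    current speed of the MN.
    """
    recent = history[-window:]
    if len(recent) < 2:
        return 0.0
    duration = recent[-1][1] - recent[0][1]
    return (len(recent) - 1) / duration if duration > 0 else 0.0

def select_map_by_speed(map_options, speed, threshold=0.01):
    """Fast MNs take the farthest MAP, slow MNs the nearest (threshold illustrative)."""
    key = lambda m: m["distance"]
    return max(map_options, key=key) if speed > threshold else min(map_options, key=key)
```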

3.2 Adaptive MAP Selection Scheme Since the performance of HMIPv6 depends on both the session activity and the mobility of the MN, the packet delivery cost and the binding update cost cannot be ignored. Adaptive MAP selection schemes take these aspects into account and, compared with the schemes above, are more precise and flexible.

One adaptive scheme computes the signaling overhead of remote home registration versus local registration in order to decide whether the current FA can act as the MAP. This scheme also takes the mobility characteristics and the network load into account.

The most common adaptive scheme selects the MAP based on the ratio of the packet arrival rate to the moving speed. The smaller this ratio is (i.e., the faster the MN moves), the farther the MAP selected as the serving MAP; conversely, the larger the ratio, the nearer the selected MAP.
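The ratio-based rule can be sketched as follows; the threshold value and the way the packet arrival rate and handover (mobility) rate are obtained are assumptions made purely for illustration.

```python
def select_map_adaptive(map_options, packet_arrival_rate, handover_rate, ratio_threshold=1.0):
    """Adaptive MAP selection based on the packet-arrival-to-mobility ratio (sketch).

    A small ratio (few packets per handover, i.e. a fast-moving MN) favours
    the farthest MAP; a large ratio favours the nearest MAP.
    """
    ratio = packet_arrival_rate / max(handover_rate, 1e-9)
    key = lambda m: m["distance"]
    return min(map_options, key=key) if ratio >= ratio_threshold else max(map_options, key=key)
```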

4. Comparison of the Schemes In the farthest selection scheme, the selected MAP is relatively close to the gateway, so it is often co-located with the gateway to the external network. If the farthest MAP is always selected, that MAP can become the bottleneck of the network. Moreover, if the MN only moves within a limited area of the visited network, registering with the farthest MAP is unnecessary. In that case, because the distance between the MN and the farthest MAP is larger than the distance to a nearer MAP, the registration delay is larger. On the other hand, with the farthest scheme the MAP does not need to be changed while the MN is moving, so the number of inter-domain handovers is reduced; because the MAP domain is large, however, the number of intra-domain handovers increases.

The nearest selection scheme is the opposite of the farthest one. When the MN registers with a nearby MAP, the registration delay is small and, because the MAP domain is small, the number of intra-domain handovers is relatively small. However, the MAP must be changed frequently, so the number of inter-domain handovers and the signaling overhead are relatively large.

The selection scheme based on mobility characteristics uses the MN's mobility characteristics to choose between the farthest and the nearest MAP. It is a compromise between the two schemes and improves on their performance.

Compared with the former schemes, the adaptive selection scheme is more flexible and precise: the load of


every MAP is balanced effectively and the numbers of intra-domain and inter-domain handovers are balanced, so the signaling overhead is reduced.

For clarity, Tables 1 and 2 compare the schemes in terms of MAP load, intra-domain handover count, inter-domain handover count, signaling overhead and registration delay.

Table 1: Comparison of several MAP selection schemes (1)

Scheme                          MAP load   Intra-domain handovers   Registration delay
Farthest                        Large      Many                     Large
Nearest                         Medium     Few                      Small
Based on mobility characters    Medium     Medium                   Medium
Adaptive                        Small      Medium                   Small

Table 2: Comparison of several MAP selection schemes (2)

Scheme                          Inter-domain handovers   Signaling overhead
Farthest                        Few                      Medium
Nearest                         Many                     Large
Based on mobility characters    Medium                   Small
Adaptive                        Few                      Small

5. Conclusion This paper has surveyed the MAP selection schemes proposed for HMIPv6 and analyzed their advantages and disadvantages. The adaptive selection scheme is the relatively best one. Future work is to introduce intelligent algorithms into the adaptive selection scheme, simulate it and compare it with the other schemes.

References
[1] HU Qing, ZHANG Shu-fang, ZHANG Jing-bo, WANG Er-shen, "A New Automatic Identification System (AIS) Model: MIP-AIS," ACTA ELECTRONICA SINICA, pp. 1186-1191, 2009. (in Chinese)
[2] LU Bin, "Study of multi-layer mobile support mechanism in IP network," Journal on Communications, pp. 129-135, 2006.
[3] SOLIMAN H., CASTELLUCCIA C., MALKI K. EL, et al., "Hierarchical Mobile IPv6 Mobility Management," RFC 4140, 2005. http://www.ietf.org/rfc/rfc4140.txt
[4] Jiang Liang, Guo Jiang, et al., The Next Generation Network Mobile IPv6 Technology. Beijing: Machinery Industry Press, 2005.
[5] Zheng Wan, Xuezeng Pan, Jian Chen, et al., "A Three-level Mobility Management Scheme for Hierarchical Mobile IPv6 Networks," Journal of Zhejiang University: Science, pp. 8-13, 2006.
[6] Sangheon Pack, Taekyoung Kwon, Yanghee Choi, "An Adaptive Mobility Anchor Point Selection Scheme in Hierarchical Mobile IPv6 Networks," Computer Communications, pp. 3066-3078, 2006.

Authors Profile

Shan Zhong received her M.S. degree in Computer Science from Jiangsu University in 2008. Her main research areas are Mobile IP, Petri nets, and artificial intelligence. She currently works in the School of Computer Science and Engineering, Changshu Institute of Technology.


A Visual Grammar Approach for TV Program Identification

Tarek ZLITNI1 and Walid MAHDI2

1Mir@cl, Multimedia, Information Systems and Advanced

Computing Laboratory Higher Institute of Computer Science and Multimedia Sfax BP 3021, 69042 TUNISIA, University of Sfax

[email protected]

2 Mir@cl, Multimedia, Information Systems and Advanced Computing Laboratory Higher Institute of Computer Science and Multimedia

Sfax BP 3021, 69042 TUNISIA, University of Sfax [email protected]

Abstract: Automatic identification of TV programs within TV streams is an important task for archive exploitation. This paper proposes a new spatial-temporal approach to identify programs in TV streams in two main steps: First, a reference catalogue for video grammars of visual jingles is constructed. We exploit visual grammars characterizing instances of the same program type in order to identify the various program types in the TV stream. The role of video grammar is to represent the visual invariants for each visual jingle using a set of descriptors appropriate for each TV program. Secondly, programs in TV streams are identified by examining the similarity of the video signal to the visual grammars in the catalogue. The main idea of identification process consists in comparing the visual similarity of the video signal signature in TV stream to the catalogue elements. After presenting the proposed approach, the paper overviews the encouraging experimental results on several streams extracted from different channels and composed of several programs.

Keywords: Visual grammar, TV programs identification, TV stream segmentation, video signature.

1. Introduction Faced with the ubiquity of large volumes of digital video, effective and rapid access to multimedia information has become a difficult endeavour. This difficulty has created a growing demand for efficient tools that offer direct access to unstructured video contents, which in turn requires automatic video segmentation and indexing methods. Indeed, several approaches have been proposed to segment/index particular video types, cf. [1] [4] for sports videos and [5] for news videos. However, being dependent on the video type (e.g., documentaries, sports, films, news, etc.), the effectiveness of these approaches cannot be sustained when the video stream is composed of several programs of different types. Hence, to profit from the robustness of these approaches, one must first segment the video stream by identifying the types of video programs it contains. In fact, besides video stream segmentation for efficient indexing of its programs, video type identification can be exploited in a wide range of applications, such as verifying that TV channels respect broadcasting policies and agreements, or detecting video copies. For instance, companies invest several millions to reserve particular time slots for their advertisements; in this context, an automatic content/type identification tool can help these companies verify that their advertisements are broadcast during the agreed periods.

Motivated by the applications mentioned above and by the importance of type identification as a pre-processing step for efficient indexing, we present in this paper a new approach for structuring the content/type of TV video streams. Our approach first constructs a reference catalogue composed of visual markers (visual jingles) for various TV programs associated with their video grammars. Each grammar defines a set of visual descriptors appropriate to a particular TV program. In the second stage, our approach exploits this catalogue to identify programs in TV streams based on the visual similarity between the visual grammars and the given video stream signal.

The rest of the paper is structured as follows: in Section 2, we introduce the context and motivation of our approach. In Section 3, we describe the two-step proposed approach. We present the results of a preliminary experimental evaluation in Section 4. We conclude the paper with discussions of the proposed solution and an outline of future work.

2. Context and Motivation Video segmentation is an essential step in any video

exploitation application. On the other hand, in spite of their satisfying results, the performance of most current video segmentation approaches depends on the video type (news program, action film, documentary film, sport program, etc.). This dependency on the video type is explained essentially by the fact that currently proposed approaches are based on the production rules of the video. For example, the work in [5] segments through face detection because it considers that the occurrence of a person shot mostly indicates a subject change in news programs; Mahdi et al. [11] rely on the detection of cinematic rhythm to segment fiction films; the works presented in [4] and [1] are based on prior knowledge about production rules specific to sports programs in order to detect particular events, e.g., attacks, fouls, etc.

Overall, prior knowledge of the video type is required for


a good semantic exploitation of a video segmentation. However, this knowledge is often unavailable in particular in archive videos, videos widely distributed over the web, etc. Furthermore, videos are generally integrated into heterogeneous and long streams, like for instance those incorporated into channel broadcasts. In this latter case, a video sequence can include a set of programs of various types (documentaries, news programs, films, etc.) and/or inter-programs (spotlights, commercials, etc.) without any indication about the boundaries between them.

Given this context, two levels of segmentation are required for an efficient video structuring (Figure 1). The first level, called inter-segmentation, is dedicated to identifying a program or an inter-program in the TV stream. The second level, called intra-segmentation, aims to segment the identified program into a set of temporal units and semantic entities.

Figure 1. A two-level structuring process for TV streams.

Besides enabling efficient intra-segmentation, inter-segmentation of TV streams can serve various applications. In fact, the identification of TV programs could serve to develop control mechanisms for TV channel broadcasting. On this matter, audiovisual authorities (such as the Superior Audiovisual Council (CSA) in France) impose a set of policies for TV broadcasting and verify that TV channels respect them. As an example, the CSA [3] requires that the total duration of advertisements within one hour of broadcasting must not exceed 4 minutes for public channels and 6 minutes for private ones. Another control example concerns the respect of political pluralism, where candidates must receive the same airtime in televised electoral campaigns.

Besides the audiovisual control authorities, companies paying millions to reserve particular high-audience time slots for their advertisements need a means to verify that the agreement was respected. In this context, such companies would find automatic tools more advantageous than manual verification: monitoring tens of channels manually carries a high risk that a human agent misses a 15-second spot, which can have serious consequences.

In another context, channels broadcasting 24 hours a day accumulate digital archives of thousands of gigabytes of data. However, even though most channels broadcast around the clock, programs are typically aired at least twice a day. Consequently, identifying repeated contents (replayed programs) as well as inter-programs and removing them during the digital storage phase can reduce a large part of these archives.

3. Video type identification approach A great deal of multimedia content identification research focuses on identifying video copies in web databases [10] [17], whereas few works have addressed program identification in long TV streams.

Among the latter works, we refer to the work presented in [2] which proposes a method to detect the repeated sequences in TV streams. This method is based on inter-program detection (commercials, jingles, spots …) to split the TV stream and extract useful programs. It detects repeated sequences using a clustering technique that groups similar audio/visual features vectors of key-frames.

On the other hand, Naturel presents in [12] a two-step method to structure TV streams. The first step creates a hash-table that contains the key-frames signatures. Then, the second step uses signature similarity comparison between the stream signal and the hash-table to identify the various programs.

Contrary to these two methods, we propose a video grammar-based method that relies on TV channel “graphic charter” to generate an appropriate grammar for visual jingles. The produced grammar provides for the detection of the generics (i.e., the starting points) of programs in a TV stream.

As illustrated in Figure 2, our approach proceeds mainly in two steps. The first step constructs a reference catalogue containing visual grammar definitions. Each grammar is represented in a spatial-temporal signature format. The second step identifies the program types in TV streams based on grammar components similarity measurement.

Figure 2. Our TV program type identification approach.

3.1 Construction of the video reference catalogue The reference catalogue contains a set of visual markers associated with their grammars. The markers are the visual jingles whose principal role is to identify visually the starting moment of a given program, as perceived by the viewers.

Generally, the graphic chart of the TV channels uses jingles for a particular program during a long period.


Consequently, based on the fact that the instances of a given program share the same visual marker, we represent the visual characteristics of one instance of a particular program type in order to identify the other instances thereafter.

3.1.1 State of art of visual content representation Several researches have dealt with visual content signature generation. A signature is a compact description that constitutes the start point for the similarity detection of the visual contents. Signature determination allows a direct indexing that facilitates the identification of similar contents. Generally, a signature generation requires mainly two steps: First, detecting the significant low-level image features, and secondly characterizing descriptors in compact format.

Among the work carried out in this context, two main types of image primitives are used to compute the signature: points of interest [15] [18] and color [7] [8]. Works based on the first class of primitives (POI) rely on different detectors such as the Harris detector [6] or the SIFT detector [15]. These methods share a common ground: detecting and describing the most relevant points in the image, i.e., those that carry more information than the others [15]. As an example, we cite the work of Stoettinger et al. [14], which uses a color version of a POI detector for image retrieval. For the second class, relying on the color feature, the main idea is to represent the image color information in a distinctive and compact format. For example, [7] [8] use the ordinal measure method to represent the intensity distribution within the image. These methods proceed first by computing the average intensity of N blocks in the given image. Secondly, the set of average intensities is sorted in ascending order and a rank is assigned to each block according to its mean intensity value; the ordinal measure is expressed by the ranked sequence. Other methods exploiting color information to create the signature use color coherence vectors (CCV) [16] and vector quantization [9].

In summary, most existing video signature computation methods employ a feature vector extracted from a single frame, for two reasons: some approaches are designed for CBIR systems, while others rely on key-frame signature generation to detect web video copies. Hence, the majority of these approaches do not consider the temporal aspect, even though it improves the signature efficiency.

3.1.2 Audiovisual grammar and video signature generation

The concept of a grammar is defined as a set of formalisms for representing the relations that can exist between a set of entities. This formalization makes it possible to represent data in a structured and meaningful way for better semantic interpretation. Inspired by this definition, in the audiovisual field the grammar notion is a recent concept whose aim is to define a style appropriate to a TV channel and to deduce the typical structures of TV programs. Hence, a video grammar can be exploited in a multitude of multimedia applications, for instance the identification of TV program types [19] or the characterization of particular events in a sports program (substitutions, goals …). Indeed, a video grammar is defined by the set of visual and sound entities, together with their relations, that characterize the visual identity of a particular TV channel. This identity is created by designing a suitable graphic style. The graphic components of this style generally recur over a long duration (at least a year) and their use follows a logic specified by the "graphic charter" of the TV channel. Consequently, grammar generation consists first of detecting the visual invariants, then describing them in a formal way, and finally deducing the semantic interpretation of their appearance. For example, in the case of a sports video grammar, detecting a "cautioned player" event requires extracting the text marker zones as well as the visual invariant symbolizing the yellow card.

3.1.3 A spatial-temporal video signature Our video signature generation method is based on visual invariants (forms, colors …) (Figure 3). This approach relies on the fact that the TV channels programs (such as news or sport programs) use distinctive graphical components to identify them visually. As a result, we exploit visual grammars characterizing instances of the same program type in order to identify the various program types in the TV stream. The main role of this grammar is to represent the visual invariants for each visual marker (jingle) using a set of descriptors appropriate for each TV program.

Figure 3. Samples of visual invariants of different TV programs. To represent the visual invariants efficiently, it is necessary to extract the most relevant features that characterize them. In fact, the signature generation process creates a compact description of these features while respecting two crucial properties: robustness and uniqueness. These properties guarantee the discriminative power needed to distinguish video contents and ensure tolerance to noise. For the robustness property, a signature must not vary when the video sequence contains, for example, insignificant signal noise or a slight luminosity variation. For the uniqueness property, two different video contents must have two different signatures; in this sense, every semantically different video segment should possess a unique signature. Consequently, we propose a new spatial-temporal method to generate a


signature for video segment identification that preserves these two properties.

Indeed, contrary to most proposed approaches, we generate the video signature from a set of frames of the audiovisual segment rather than from a single (key) frame. Using a single key frame may harm the signature efficacy (i.e., the uniqueness property), since two videos with similar key frames do not necessarily have the same or similar content.

In order to overcome this deficiency, we opt for a bi-dimensional signature. The main idea is to create a spatial-temporal signature (1) whose generation is carried out from a set of frames separated by a fixed time step Tstep. The generation process thus provides different levels of signature discrimination: two signatures can be similar or dissimilar on three levels, Nframe, Tstep and SigF, which further guarantees the uniqueness property.

$$V_{sig} = \left( SigF\left[ N_{frame} \right],\; T_{step} \right) \qquad (1)$$

Our signature generation process starts by selecting a number of frames Nframe and the temporal step Tstep that separates them. Then, for each of the Nframe selected frames, we compute SigF, the low-level characteristics vector derived from that frame. The signature of a video segment is defined by the set of its frame signatures. Figure 4 illustrates our spatial-temporal signature generation process.

Figure 4. Process of spatial-temporal video signature generation.
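As an illustration of Eq. (1), here is a minimal Python sketch of the spatial-temporal signature generation; frame_signature stands for the frame-level descriptor computation of Section 3.1.4 and is passed in as a callable, and the dictionary layout is an assumption made for illustration.

```python
def video_signature(frames, n_frame, t_step, frame_signature):
    """Spatial-temporal signature Vsig of a video segment (sketch of Eq. (1)).

    frames:           sequence of decoded frames of the segment
    n_frame, t_step:  number of frames used and the temporal step separating them
    frame_signature:  callable returning SigF for one frame (e.g. the CCV and
                      POI descriptors of Section 3.1.4)
    """
    selected = [frames[i * t_step] for i in range(n_frame)]
    return {"t_step": t_step, "sig_f": [frame_signature(f) for f in selected]}
```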

3.1.4 Frame level signature Several methods have been proposed to create an identifying image representation, especially those designed for CBIR applications. The most common approaches are based on low-level features (color, intensity …) as detailed in the previous section. In our approach, and in order to ensure the robustness of the signature, we opted to use two descriptors: a colorimetric feature and a POI descriptor.

a) CCV descriptor For the colorimetric descriptor, histograms are used to represent images in many multimedia applications. Their advantages are insensitivity to small changes. However, color histograms lack spatial information, so images with very different appearances can have similar histograms. Hence, we use a histogram-based method for representing images, that incorporates spatial information. Each pixel is classified in a given color bucket as coherent or incoherent, based on whether or not it is part of a large similarly-homogeneous region. A color coherence vector (CCV) stores the number of coherent versus incoherent pixels for each

color. CCV is a more sophisticated form of histogram refinement, in which buckets are partitioned based on spatial coherence. By separating coherent pixels from incoherent ones, CCV provides finer distinctions than classic histograms. The CCV computing process is composed essentially of three steps:

• Image preprocessing This first step smoothes the image by averaging over neighboring pixels; the aim of this preprocessing is to eliminate small variations between adjacent pixels. Then we discretize the color space to obtain only Ncolor distinct colors in the image, for two reasons: first, to decrease the effect of luminance variations, and secondly, to reduce the size of the image signature.

• Image segmentation To classify pixels within a given color bucket as coherent or incoherent, we proceed in the second step to region segmentation.

In order to determine the pixel groups, the image is segmented into disjoint and homogeneous regions. A region is defined as a connected set of pixels for which a uniformity (homogeneity) condition is satisfied. Depending on the category of segmentation method, a uniform region can be obtained in two different ways: it can be grown from a seed block/pixel by joining other pixels, or obtained by splitting a larger region that is not uniform.

Several advanced image segmentation techniques have been proposed, classified in different categories (region growing, split and merge …). We use the Statistical Region Merging (SRM) algorithm [13], which belongs to the family of region-growing techniques with a statistical test for region fusion. The advantages of this method are its simplicity and its performance without requiring color space transformations. In addition, we also chose SRM because it gives, for each segmented region, the list of pixels belonging to it and the corresponding mean color, which facilitates the subsequent computation of the CCV bins. Note that in our work we apply the SRM method to grayscale quantified images, so the image is effectively segmented according to the discretized color buckets. The SRM method is based on two major components: a merging predicate (2) and the order followed in testing this predicate. The merging predicate is defined as:

$$P(R, R') = \begin{cases} \text{true}, & \text{if } \left| \bar{R'} - \bar{R} \right| \le b(R) + b(R') \\ \text{false}, & \text{otherwise} \end{cases} \qquad (2)$$

with

$$b(R) = g \sqrt{ \frac{1}{2 Q \left| R \right|} \ln \frac{ \left| \mathcal{R}_{|R|} \right| }{ \delta } }$$

where R and R' are the two regions being tested, $\bar{R}$ denotes the average color of region R, and $\mathcal{R}_{|R|}$ is the set of regions containing |R| pixels. The order in which region pairs are merged follows a criterion f, chosen so that when a test between two parts of a true region is performed, all tests inside each of those parts have already been done. g and Q are global parameters of the model used to set the merging predicate threshold.



Figure 5. Image segmentation using SRM: (a) input color image, (b) segmented grayscale image. The SRM algorithm is described as follows:

• First, an appropriate data structure is created to store the pairs of adjacent pixels based on 4-connectivity. Let p and p' be two pixels of an image I; we denote by R(p) the region containing the pixel p.

• All pairs of pixels are sorted (using bucket sort) in ascending order according to a function f (3), a simplified measure of the gradient between adjacent pixels:

$$f(p, p') = \left| p' - p \right| \qquad (3)$$

• After sorting, the merging predicate P(R(p), R(p')) is tested only once for each pair of pixels for which R(p) ≠ R(p') (i.e., pixels that belong to different regions); if the predicate is satisfied, the two regions R(p) and R(p') are merged. The merging phase is realized using the union-find algorithm, a simple and efficient algorithm for classifying a set of elements into disjoint classes.

• Pixels classification

Following the image segmentation, each pixel belongs to exactly one region. Pixels are classified as coherent or incoherent depending on the size of their regions: a pixel is coherent if the size of the region to which it belongs exceeds a threshold (proportional to the image size); otherwise, the pixel is considered incoherent. For a given discretized color, some pixels will therefore be coherent and some will be incoherent. We denote by αj the number of coherent pixels of the j-th discretized color and by βj the number of incoherent pixels; the total number of pixels of color j is αj + βj.

As a result, we obtain for each color j the pair (αj, βj), called the j-th color's coherence pair. The color coherence vector of the image is ((α1, β1), …, (αn, βn)), and the set of bins constitutes the CCV frame signature (4):

$$SigF_{CCV} = \left\{ \overrightarrow{CCV_i},\; i \in \left[ 1, N_{Color} \right] \right\} \qquad (4)$$

where $\overrightarrow{CCV_i} = (\alpha_i, \beta_i)$.
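The following sketch computes a CCV of this form on a discretized grayscale image; for brevity it uses plain connected-component labelling (scipy) instead of the SRM segmentation described above, and the number of colors and the coherence threshold are illustrative.

```python
import numpy as np
from scipy import ndimage

def ccv_signature(gray, n_colors=8, tau_ratio=0.01):
    """Colour coherence vector of a grayscale image (sketch of Eq. (4))."""
    h, w = gray.shape
    tau = tau_ratio * h * w                           # coherence threshold
    buckets = (gray.astype(int) * n_colors) // 256    # discretise colours
    ccv = []
    for c in range(n_colors):
        labels, n = ndimage.label(buckets == c)       # regions of colour c
        alpha = beta = 0
        for r in range(1, n + 1):
            size = int((labels == r).sum())
            if size >= tau:
                alpha += size                         # coherent pixels
            else:
                beta += size                          # incoherent pixels
        ccv.append((alpha, beta))
    return ccv                                        # [(alpha_j, beta_j), ...]
```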

b) POI descriptor

We opted to use the POI (Point Of Interest) descriptor for the following reasons. In image processing, a POI is a point of the image with special properties that make it stand out from its neighboring points. By definition, POIs are located where the photometric information within the image is richest, and they are robust to luminosity variation, blur and geometric transformations. Hence, a POI descriptor provides a rich yet compact signature.

Furthermore, studies of comparison between different POI detectors under variant conditions like illumination variation proved that most repeatable results are obtained for the Harris detector [6]. It is among the most stable and broadly used POI detectors due to its robustness to noise and lighting variations. The Harris detector relies on a basic principle: at a corner, the intensity will change greatly in different directions. Based on this observation, the central idea of this detector is to use the autocorrelation function, i.e. the second moment matrix, to determine locations where the image intensity changes in two directions.

Thus, the POI frame signature is expressed as a vector of POIs (5):

$$SigF_{POI} = \left\{ \overrightarrow{POI_k},\; k \in \left[ 1, N_{POI} \right] \right\} \qquad (5)$$

where $\overrightarrow{POI_k} = \left( x_k,\; y_k,\; r(x_k, y_k) \right)$ and r(x, y) is the Harris metric value at pixel (x, y).
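A possible implementation of the Harris-based POI signature using OpenCV's cornerHarris; the parameter values (block size, aperture, k, number of kept points) are illustrative choices, not taken from the paper.

```python
import cv2
import numpy as np

def poi_signature(gray, n_poi=50):
    """Harris-based POI frame signature (sketch of Eq. (5)).

    Keeps the n_poi strongest Harris responses as (x, y, r(x, y)) triples.
    """
    response = cv2.cornerHarris(np.float32(gray), blockSize=2, ksize=3, k=0.04)
    # Indices of the n_poi largest responses.
    flat = np.argsort(response, axis=None)[::-1][:n_poi]
    ys, xs = np.unravel_index(flat, response.shape)
    return [(int(x), int(y), float(response[y, x])) for x, y in zip(xs, ys)]
```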

3.2 TV programs type identification In this section, we describe the process of identifying video programs in TV streams. The basic idea is to compare the visual similarity of the video signal at instant k with the reference elements of the catalogue. Our video type identification relies on a central assumption: two videos V1 and V2 are visually similar if and only if their signatures are similar. The identification process is as follows: to identify the video type at the current frame k, for each video signature Vsig(t) selected from the catalogue, we load its NFSig frame signatures SigF[1.. NFSig], where SigF denotes both SigFPOI and SigFCCV. For each elementary signature SigF(j), j from 1 to NFSig, we measure the similarity between this signature and the signature of frame k.

3.2.1 Signature descriptors similarity TV program type identification relies essentially on measuring the similarity between the SigFCCV and SigFPOI descriptors of the reference catalogue and those of the TV stream signal. For SigFCCV, we compute a normalized average of the similarities of the CCV bins defined in the frame signature, SimSigFCCV (6).

$$SimSigf_{CCV}(k, j) = 1 - \frac{ \sum_{i=1}^{N_{ccv}} \left( \left| \alpha_k(i) - \alpha_j(i) \right| + \left| \beta_k(i) - \beta_j(i) \right| \right) }{ \sum\left( \overrightarrow{CCV_k}, \overrightarrow{CCV_j} \right) } \qquad (6)$$

with

$$\sum\left( \overrightarrow{CCV_k}, \overrightarrow{CCV_j} \right) = \sum_{i=1}^{N_{ccv}} \left( \alpha_k(i) + \beta_k(i) + \alpha_j(i) + \beta_j(i) \right)$$

As for the SigFPOI signature similarity measurement, we compare the POI values defined in the two signatures. Two SigFPOI signatures are similar if and only if the majority of the POI descriptors (a given percentage of NPOI) are similar (7):

$$SimSigf_{POI}(k, j) = \frac{ \sum_{1}^{N_{POI}} Sim\left( \overrightarrow{POI_k}, \overrightarrow{POI_j} \right) }{ N_{POI} } \qquad (7)$$

with

$$Sim\left( \overrightarrow{POI_k}, \overrightarrow{POI_j} \right) = \begin{cases} 1, & \text{if } Dist_{eucd} < thre_{Dist} \;\text{and}\; Dist_{Harris} < thre_{Harris} \\ 0, & \text{otherwise} \end{cases}$$

$$Dist_{eucd}\left( POI_k, POI_j \right) = \sqrt{ (x_k - x_j)^2 + (y_k - y_j)^2 }$$

$$Dist_{Harris}\left( POI_k, POI_j \right) = \left| r(x_k, y_k) - r(x_j, y_j) \right|$$
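The two per-frame similarity measures (6) and (7) can be sketched as follows; the threshold values are placeholders to be set per channel, as discussed in the next subsection.

```python
import math

def sim_sigf_ccv(ccv_k, ccv_j):
    """CCV signature similarity, a sketch of Eq. (6)."""
    diff = sum(abs(ak - aj) + abs(bk - bj)
               for (ak, bk), (aj, bj) in zip(ccv_k, ccv_j))
    total = sum(ak + bk + aj + bj
                for (ak, bk), (aj, bj) in zip(ccv_k, ccv_j))
    return 1.0 - diff / total if total else 1.0

def sim_sigf_poi(poi_k, poi_j, thre_dist=5.0, thre_harris=0.05):
    """POI signature similarity, a sketch of Eq. (7); thresholds are illustrative."""
    matches = 0
    for (xk, yk, rk), (xj, yj, rj) in zip(poi_k, poi_j):
        d_eucd = math.hypot(xk - xj, yk - yj)      # Dist_eucd
        d_harris = abs(rk - rj)                    # Dist_Harris
        if d_eucd < thre_dist and d_harris < thre_harris:
            matches += 1
    return matches / len(poi_k)
```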

3.2.2 Descriptors similarity combination Since a frame has a composite signature (SigfCCV and SigfPOI), after computing the similarity of these two signatures we combine them into a single decision value, SimVideo (9), in order to detect the video type. This combination aims at increasing the identification rate. The combination uses the average rule, after normalizing and weighting the two signature descriptors. Hence, the frame signature similarity is defined as (8):

$$simSigf(k, t) = \frac{ w_1 \times simSigf_{CCV}(k, t) + w_2 \times simSigf_{POI}(k, t) }{ w_1 + w_2 } \qquad (8)$$

$$Sim_{Video}(k, t) = \begin{cases} 1, & \text{if } simSigf > th_{Sig} \\ 0, & \text{otherwise} \end{cases} \qquad (9)$$

with

$$th_{Sig} = \frac{ w_1 \times th_{POI} + w_2 \times th_{CCV} }{ w_1 + w_2 }$$

According to our experimental study, the discriminative power of a descriptor d differs from one channel to another. This can be explained by the fact that the graphic charter used by a channel when producing its generics exploits graphic compositions that are richer in one descriptor than in another (Figure 3). Therefore, the weighting coefficient wd of descriptor d must reflect its efficiency in identifying the individual program types, i.e., it indicates the importance of d in the combination with the other descriptor(s) (8). In other words, the more discriminative d is, the larger its coefficient should be; this weight must be proportional to the identification rate (12).

The relevance of a descriptor d is evaluated by its capacity to yield the maximum number of correct identifications with a minimum number of false identifications, i.e., d is significant if both its recall and its precision are high at once. Therefore, wd combines these two metrics.

$$R_d = \frac{ CI_d }{ CI_d + MI_d } \qquad (10)$$

$$P_d = \frac{ CI_d }{ CI_d + FI_d } \qquad (11)$$

$$w_d = F_1 = \frac{ 2 \times R \times P }{ R + P } \qquad (12)$$

with:
CId: number of programs identified correctly using descriptor d
MId: number of missed identifications using descriptor d
FId: number of false identifications using descriptor d

In order to define these weights, we conducted a training phase to choose the optimum weight value of descriptor d for each TV program/channel. Table 1 summarizes the weight values for various TV channels.

Table 1: w1 and w2 values for each channel.

Channel      Recall (R)        Precision (P)     wd (F1)
             d1      d2        d1      d2        w1      w2
M6           0.80    0.92      1.00    0.92      0.89    0.92
RTV          0.95    0.66      0.75    0.87      0.84    0.75
LCI          0.99    0.69      0.98    0.90      0.98    0.78
itele        0.83    0.53      0.67    0.75      0.74    0.62
Abmoteurs    0.66    0.74      1.00    0.67      0.79    0.70
France 24    1.00    0.50      0.84    0.71      0.91    0.59
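As a small consistency check of Eqs. (8)-(12) and Table 1, the sketch below computes a descriptor weight from identification counts and the combined per-frame decision; the counts in the example (8 correct, 2 missed, 0 false) are illustrative values that merely reproduce the recall/precision of descriptor d1 on M6, not figures reported in the paper.

```python
def descriptor_weight(ci, mi, fi):
    """F1-based weight of a descriptor (Eqs. (10)-(12))."""
    recall = ci / (ci + mi)
    precision = ci / (ci + fi)
    return 2 * recall * precision / (recall + precision)

def combined_decision(sim_ccv, sim_poi, w1, w2, th_ccv, th_poi):
    """Weighted descriptor combination and binary decision (Eqs. (8)-(9))."""
    sim = (w1 * sim_ccv + w2 * sim_poi) / (w1 + w2)
    th_sig = (w1 * th_poi + w2 * th_ccv) / (w1 + w2)
    return 1 if sim > th_sig else 0

# Illustrative check: recall 0.8 and precision 1.0 give w1 = 0.89 (M6, d1).
print(round(descriptor_weight(ci=8, mi=2, fi=0), 2))
```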

A segment localized at frame j in the video stream is identified as type t only if all NsigF frame signatures of Vsig(t) are similar to their counterparts in the stream, as expressed by our similarity measure (13):

$$VideoSegment(j) = \begin{cases} videoType(t), & \text{if } \sum_{i=1}^{N_{sigF}} Sim_{Video}(k, t) = N_{sigF} \\ \text{undefined}, & \text{otherwise} \end{cases} \qquad (13)$$
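A compact sketch of the decision rule (13): a segment is assigned a catalogue type only if every one of its compared frame signatures matched; the dictionary representation of the per-frame decisions is an assumption for illustration.

```python
def identify_segment(video_sims):
    """Segment type decision (sketch of Eq. (13)).

    video_sims maps each catalogue type t to the list of per-frame
    decisions Sim_Video(k, t) over the N_sigF compared frames.
    """
    for t, sims in video_sims.items():
        if sum(sims) == len(sims):   # all frame signatures matched
            return t
    return None                      # undefined segment type
```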

4. Experimental Results

4.1 AViTyp: Automatic Video Type identification tool

To implement the proposed approach and in order to evaluate its efficacy, we have developed a system called AViTyp (Figure 6). This system offers two main features: signature creation for references catalogue items, and programs identification in files from TV channels. In addition, AViTyp provides an ergonomic interface to adjust


identification process: defining the weights and appropriate thresholds for the current channel.

Figure 6. User interface of the AViTyp tool.

4.2 Evaluation of the video type identification performance

To evaluate our video type identification approach experimentally, we used a large and varied corpus composed of long video streams recorded from 6 different TV channels. These streams contain various program and inter-program types (news, sport, variety shows, documentaries, commercials …).

To evaluate the performance of the proposed approach, we used the recall (10) and precision (11) metrics. Table 2 presents the experimental results values regrouped by TV channel.

Table 2: Experimental results grouped by channel.

TV channel                Recall    Precision
M6                        93.2      100
RTV                       81.6      100
LCI                       85.22     85.71
Itele                     74.2      83.33
Abmoteurs                 75        100
France 24                 94.7      87.5
All channels (average)    83.98     92.75

In this experiment, despite the good precision values, the recall (83.98% on average) is only moderately satisfactory and needs to be improved. The degradation of the recall is essentially due to missed identifications, whose main cause is the quality of the broadcast streams, such as a blurred signal.

5. Conclusion and future work We have proposed in this paper a grammar-based approach for video program identification in TV streams. The approach is composed of two steps: (i) creation of a reference catalogue and (ii) identification of TV programs in channel streams. It compares the visual similarity between the TV stream signal and the video signatures stored as grammar descriptors in the reference catalogue. This catalogue is composed of a set of visual jingles that mark the start of TV programs, associated with their grammars expressed as spatial-temporal video signatures.

In order to improve the video type identification quality, our future work will focus on integrating other descriptors, such as shape or texture features, into the video grammar to characterize the visual jingles, since the features used so far are not always discriminative.

References [1] Babaguchi, N. ; Kawai, Y. ; Kitahashi, T. “Event

Based Indexing of Broadcasted Sports Video by Intermodal Collaboration”. IEEE Transactions On Multimedia, Vol. 4, NO. 1, pp. 68-75 (2002)

[2] Berrani, S. A. ; Manson, G. ; Lechat ,P. “A Non-Supervised Approach for Repeated Sequence Detection in TV Broadcast Streams”. Signal Processing: Image Communication, special issue on "Semantic Analysis for Interactive Multimedia Services", pp. 525-537 (2008)

[3] Conseil Supérieur de l'Audiovisuel. "Publicité, parrainage et téléachat à la télévision et à la radio", http://www.csa.fr, (2008) France

[4] Duan, L. Y.; Xu, M. ; Tian, Q. ; Xu C. S. ; Jin, J.S. “A Unified Framework For Semantic Shot Classification In Sports Video”. IEEE Transactions on Multimedia Volume: 7, Issue 6, pp. 1066- 1083(2005)

[5] Haller, M. ; Hyoung-Gook, K. ; Sikora, T. “Audiovisual Anchorperson Detection For Topic-Oriented Navigation In Broadcast News” IEEE International Conference on Multimedia and Expo (ICME), pp. 1817 – 1820 Canada (2006).

[6] Harris, C.; Stephens M. “A Combined Corner And Edge Detector”. Alvey Vision Conf, pp. 147-151 (1988)

[7] Hua, X.S. ; Chen, X. and Zhang, H.J. “Robust Video Signature Based On Ordinal Measure International”. Conference on Information Processing ICIP04, pp. 685-688 (2004)

[8] Kimura, A. ; Kashino,K. ; Kurozumi, T. ; Hiroshi, M. “A Quick Search Method for Multimedia Signals Using Feature Compression Based on Piecewise Linear Maps”. Proc. of International Conference on Acoustics, Speech and Signal Processing (ICASSP), vo1.4, pp. 3656-3659 (2002)

[9] Kurozumi, T. ; Kashino, K. ; Hiroshi, M. “A Method for Robust and Quick Video Searching Using Probabilistic Dither-Voting”. Proc. International Conference on Image Processing, vol.2, pp. 653-656 (2001)

[10] Law-To, J. ; Chen, L.; Joly, A. ; Laptev, Y. ; Buisson, O. ; Gouet-Brunet, V. ; Boujemaa, N. ; Stentiford, F. “Video Copy Detection: A Comparative Study” ACM. International Conference on Image and Video Retrieval (CIVR'07), pp. 371-378 (2007).

[11] Mahdi, W. ; Ardebilian, M. ; Chen, L. “Automatic Video Scene Segmentation Based On Spatial-Temporal Clues And Rhythm”. Journal on Network Info Systems. v.2(5), pp. 1-25 (2000)

[12] Naturel, X.; Gros, P. “Detecting repeats for video structuring”. Multimedia Tools and Applications Vol 38, Issue 2, pp. 233 – 252 (2008).


[13] Nock, R.; Nielsen, F. “Statistical Region Merging”. IEEE Trans. Pattern Anal. Mach. Intell. 26(11), pp. 1452-1458 (2004)

[14] Stoettinger, J.; Hanbury, A.; Sebe, N.; Gevers, T. "Do Colour Interest Points Improve Image Retrieval?" IEEE International Conference on Image Processing (ICIP). Volume 1, pp. 169-172 (2007)

[15] Valle, E. ; Cord, M. ; Foliguet, S. P. “CBIR in Cultural Databases for Identification of Images: A Local-Descriptors Approach”. Int. Conf. on Geometric Modeling and Imaging, pp. 177-182, London (2006)

[16] Wen, L. ; Tan, G. “Image Retrieval Using Spatial Multi-color Coherence Vectors Mixing Location Information”. Proceedings of the 2008 ISECS International Colloquium on Computing, Communication, Control, and Management - Volume 01. pp. 299 – 302 (2008)

[17] Yang, X.; Sun, O.; Qi Tian, Q. “Content-based video identification: a survey”, in International Conference on Information Technology: Research and Education, 2003. Proceedings (ITRE), pp. 50–54. (2003)

[18] Zhang, H.; Rahmani, R.; Cholleti, S. R. ; Goldman S. A. “Local Image Representations Using Pruned Salient Points with Applications to CBIR”. Proceedings of the 14th annual ACM international conference on Multimedia. pp. 287-296 (2006)

[19] Zlitni, T.; Mahdi, W.; Ben-Abdallah, H. “A New Approach for TV Programs Identification Based On Video Grammar”. Proceedings of the 7th International Conference on Advances in Mobile Computing and Multimedia (MoMM), pp. 316-320, Malaysia (2009)

Authors Profile Tarek ZLITNI received the M.S degree in information systems and new technologies in 2007 from the University of Sfax, TUNISIA, where he is pursuing the Ph.D. degree in computer science. His research interests focus on video and image processing and analysis, multimedia indexing, and content-based video segmentation and

structuring.

Walid MAHDI received a Ph.D. in Computer and Information Science from Ecole Centrale de Lyon, France in 2001. He is currently Assistant Professor at Higher Institute of Computer Science and Multimedia, at the University of Sfax, TUNISIA. His research is about image and video

processing.


A Modified Hill Cipher Involving a Pair of Keys and a Permutation

V.U.K.Sastry1, Aruna Varanasi2 and S.Udaya Kumar3 1Department of Computer Science and Engineering, SNIST

Hyderabad, A.P.India, [email protected]

2Department of Computer Science and Engineering, SNIST

Hyderabad, A.P. India, [email protected]

3Department of Computer Science and Engineering, SNIST

Hyderabad, A.P. India, [email protected]

Abstract: In this paper, we develop a block cipher by introducing a pair of keys: one used as a left multiplicand of the plaintext and the other as a right multiplicand of the plaintext. As we utilize the EBCDIC code for converting characters into decimal numbers, we work mod 256. We have developed an iterative procedure for the cipher which includes a permutation. The avalanche effect and the cryptanalysis clearly show that the cipher is a strong one. Keywords: Encryption, Decryption, Cryptanalysis, avalanche effect, permutation, pair of keys.

1. Introduction

In the recent years, several modifications of Hill Cipher [1-5] have appeared in the literature of Cryptography. In all these investigations, modular arithmetic inverse of a key matrix plays a vital role in the processes of encryption and decryption.

It is well known that the Hill cipher, in which the key matrix multiplies the plaintext from the left, can be broken by a known-plaintext attack. In a recent paper, to overcome this drawback, Sastry et al. [6] developed a block cipher that applies a key matrix on both sides of the plaintext matrix. In that analysis they discussed the avalanche effect and the cryptanalysis, and showed that the cipher is a strong one.

In the present paper, our objective is to modify the Hill cipher by including a pair of key matrices, one multiplying the plaintext matrix from the left and the other from the right, so that the strength of the cipher becomes significantly higher. We represent each character of the plaintext in terms of its EBCDIC code and use mod 256 as the fundamental operation. The security of the cipher is expected to be higher because we have two keys: even if, under some untoward circumstances, one key becomes known to an attacker, the other remains secret and protects the secrecy of the cipher.

In what follows we present the plan of the paper. In section 2, we have mentioned the development of cipher. In section 3, we have illustrated the cipher by giving an example and discussed the avalanche effect. Section 4 is devoted to the cryptanalysis of the cipher. In section 5 we have presented the summary of the results obtained in this

analysis. Finally in section 6 we have presented the numerical computations carried out in this analysis and drawn conclusions.

2. Development of the cipher

Consider a plaintext, P. Let this be written in the form of a matrix given by P = [Pij], i= 1 to n , j=1 to n. (1) Here each Pij is a decimal number lying between 0 and 255. Let us choose a pair of keys denoted by K and L, where K and L can be represented in the form K = [Kij], i=1 to n, j=1 to n, (2) and L = [Lij], i=1 to n, j=1 to n. (3) Here the elements of K and L are decimal numbers lying in [0-255]. Let the ciphertext, C be given by C = [Cij], i=1 to n, j=1 to n, (4) in which all the elements of C also lie in the interval 0 to 255. The process of encryption and the process of decryption are described by the flow charts given in Figure1.

Figure 1. Flow Charts of the Cipher


The process of encryption, which is iterative, is governed by the relations P = (K P L) mod 256 and P = Permute(P). The process of decryption is governed by the relations C = IPermute(C) and C = (K⁻¹ C L⁻¹) mod 256. The permutation carried out by the Permute() function can be described as follows. Let us convert each element of P into its binary form. Then we obtain a matrix of the form given below:

$$\begin{pmatrix} p_{111} & p_{112} & \cdots & p_{118} \\ \vdots & \vdots & \ddots & \vdots \\ p_{nn1} & p_{nn2} & \cdots & p_{nn8} \end{pmatrix}$$

This matrix contains m (= n²) rows and eight columns. Assuming that n is even, it is divided into two halves: the upper half contains m/2 rows and eight columns, and similarly for the lower half. The upper half is then mapped onto the first four columns of a new matrix containing m rows: we start with the last element of the upper half and place it in the first row, first column of the new matrix, then place the last-but-one element in the second row, first column, and continue placing the remaining elements of the upper half, one after another, until m rows and four columns of the new matrix are filled. Then we place the elements of the lower half, from beginning to end, so that they occupy four more columns and m rows. Thus we again get a matrix of size m×8. This process is expected to thoroughly permute the binary bits of the elements; a clear picture of the permutation is given later in the illustration.

It may be noted here that IPermute() in decryption is a reverse process of Permute() used in encryption.
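Under the assumption that n is even and that bits are taken most-significant first, the Permute() step can be sketched in Python as follows; applied to the worked example in Section 3, this mapping takes matrix (10) onto matrix (13).

```python
import numpy as np

def permute(P):
    """Bit permutation of an n x n block (sketch of the Permute() step).

    Each entry is expanded to 8 bits, giving an m x 8 bit matrix (m = n*n);
    the upper half is written backwards down the first four columns and the
    lower half forwards down the last four columns of a new m x 8 matrix,
    which is then packed back into bytes.
    """
    n = P.shape[0]
    m = n * n
    # m x 8 matrix of bits, one row per element (row-major order, MSB first).
    bits = (P.reshape(-1, 1) >> np.arange(7, -1, -1)) & 1
    upper, lower = bits[: m // 2].ravel(), bits[m // 2 :].ravel()
    new = np.empty((m, 8), dtype=int)
    new[:, :4] = upper[::-1].reshape(4, m).T   # reversed upper half, column by column
    new[:, 4:] = lower.reshape(4, m).T         # lower half in order, column by column
    packed = (new * (2 ** np.arange(7, -1, -1))).sum(axis=1)
    return packed.reshape(n, n)
```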

The algorithms for encryption and decryption can be written as follows.

Algorithm for Encryption
1. Read n, P, K, L, r
2. for i = 1 to r
   {
     P = (K P L) mod 256
     P = Permute(P)
   }
   C = P
3. Write(C)

Algorithm for Decryption
1. Read n, C, K, L, r
2. K⁻¹ = Inverse(K)
   L⁻¹ = Inverse(L)
3. for i = 1 to r
   {
     C = IPermute(C)
     C = (K⁻¹ C L⁻¹) mod 256
   }
4. P = C
5. Write(P)

Algorithm for Inverse(K)
1. Read A, n, N
   // A is an n x n matrix. N is a positive integer with which modular
   // arithmetic is carried out. Here N = 256.
2. Find the determinant of A. Let it be denoted by Δ, where Δ ≠ 0.
3. Find the cofactors Aij of the elements aij of A.
4. Find d such that (d Δ) mod N = 1 (Δ must be relatively prime to N):
   for i = 1 to N
   {
     if ((i Δ) mod N == 1) break;
   }
   d = i;
5. B = [d Aji] mod N.   // B is the modular arithmetic inverse of A.
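A compact Python sketch of the Inverse() routine and the encryption loop, reusing permute() from the previous sketch; the modular matrix inverse is delegated to sympy's Matrix.inv_mod, which requires the determinant to be odd (relatively prime to 256). Decryption would apply the inverse permutation followed by K⁻¹ C L⁻¹ mod 256 in each round.

```python
import numpy as np
from sympy import Matrix

def inverse_mod_256(K):
    """Modular arithmetic inverse of a key matrix over Z_256 (sketch of Inverse())."""
    return np.array(Matrix(K.tolist()).inv_mod(256)).astype(int)

def encrypt(P, K, L, r):
    """r rounds of P = Permute((K P L) mod 256); returns the ciphertext block C."""
    for _ in range(r):
        P = (K @ P @ L) % 256
        P = permute(P)          # bit permutation from the previous sketch
    return P
```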

3. Illustration of the cipher Let us consider the plaintext given below. The Government is trying to break our unity. What wrong we have done! We are working according to our conscience. Unity is our Divinity. Spread this motto. (5) Let us focus our attention on the first sixteen characters of the plaintext. Thus we have The Government i (6)

On using EBCDIC Code we get the plaintext matrix, P in the form

P =
[ 227  136  133   64 ]
[ 199  150  165  133 ]
[ 153  149  148  133 ]    (7)
[ 149  163   64  137 ]

Let us now select the Key matrices K and L. Here we take

K =
[  2    1  120    9 ]
[ 67  174    0  112 ]
[ 48   99  109   75 ]    (8)
[ 39   55   85   92 ]

and

L =

37543310235349799789120117453320102

(9)

The process of permutation, included in the function Permute(), involved in the process of encryption can be explained as follows. Let us express each element of P, obtained in the current iteration, in its binary form. For example, in the first iteration after carrying out the computation of the relation P = (KPL) mod 256, we get


P =
[ 142   40   90  202 ]
[ 250  165   54   44 ]
[ 245   90  230  149 ]    (10)
[ 187  166   40  144 ]

On converting each element of P, given by (10), into its binary form, and placing the binary bits of the first element 142 in the first row, the binary bits of 40 in the second row and so on, we rewrite P in the form of a 16x8 matrix as shown below. Thus we have

P =
[ 1 0 0 0 1 1 1 0 ]
[ 0 0 1 0 1 0 0 0 ]
[ 0 1 0 1 1 0 1 0 ]
[ 1 1 0 0 1 0 1 0 ]
[ 1 1 1 1 1 0 1 0 ]
[ 1 0 1 0 0 1 0 1 ]
[ 0 0 1 1 0 1 1 0 ]
[ 0 0 1 0 1 1 0 0 ]
[ 1 1 1 1 0 1 0 1 ]    (11)
[ 0 1 0 1 1 0 1 0 ]
[ 1 1 1 0 0 1 1 0 ]
[ 1 0 0 1 0 1 0 1 ]
[ 1 0 1 1 1 0 1 1 ]
[ 1 0 1 0 0 1 1 0 ]
[ 0 0 1 0 1 0 0 0 ]
[ 1 0 0 1 0 0 0 0 ]

On adopting the permutation process described in section 2, (11) can be brought into the form of a matrix, containing 16 rows and eight columns, given by

P =
[ 0 1 0 0 1 1 1 0 ]
[ 0 0 1 0 1 1 0 0 ]
[ 1 1 0 0 1 1 1 1 ]
[ 1 0 1 1 1 0 1 0 ]
[ 0 0 0 0 0 0 1 1 ]
[ 1 1 0 1 1 1 0 0 ]
[ 0 0 1 0 0 1 1 0 ]
[ 0 1 1 0 1 0 1 0 ]
[ 0 0 0 0 0 1 1 1 ]    (12)
[ 1 1 1 1 1 0 0 0 ]
[ 1 0 0 1 0 0 1 0 ]
[ 0 1 1 1 1 1 0 1 ]
[ 1 1 1 0 1 0 0 0 ]
[ 1 1 0 0 0 1 1 0 ]
[ 0 1 1 0 1 0 1 0 ]
[ 0 1 0 1 0 1 0 0 ]

Here the first column is obtained by writing the elements of the eighth row and then the seventh row of (11) in reverse order, similarly the other three columns are obtained by using the sixth and fifth rows, and so on, one after the other, taking two rows of (11) at a time and placing the elements in reverse order. Then the fifth column is formed by placing the ninth and tenth rows of (11) directly in their order. Further the remaining three columns are achieved by using the remaining six rows of (11), by taking two rows at a time, and placing the elements in their order. On converting each row of (12) into decimal form, and arranging the decimal numbers in a matrix of size 4x4, we get

P =
[  78   44  207  186 ]
[   3  220   38  106 ]
[   7  248  146  125 ]    (13)
[ 232  198  106   84 ]

This is the final result of permutation. On using (7 – 9), and applying the encryption algorithm, given in section 2, with r=16, we get

C =

58104151958254217110

17510617010823415313197

(14)

On adopting the decryption algorithm, we get back the original plaintext given by (7).

Now, in order to examine the strength of the algorithm, let us study the avalanche effect. To this end, let us modify the plaintext (6) by changing the character G to F. The EBCDIC code of G and F are 199 and 198 respectively, and they differ in one binary bit. Thus, on using the modified plaintext and the encryption algorithm, let us compute the corresponding ciphertext. This is given by

C =

14251223171772212162333224713512723114206238

(15)

On converting (14) and (15) into their binary form, we notice that the two ciphertexts differ in 65 bits (out of 128). This shows that the cipher is a strong one. Let us now change a number in one of the keys, say K: we change its third row, first column element from 48 to 49, two values that differ in only one binary bit. On carrying out the encryption with the modified key, keeping the other key and the original plaintext intact, we get the ciphertext given by


C =

150219121190180230133751714118237110111115211

(16)

On comparing (14) and (16), after converting them into their binary form, we find that they differ by 69 bits (out of 128 bits). This also shows that the cipher is a potential one.

4. Cryptanalysis

In the literature of Cryptography, the general types of attacks on a cipher are

1. Ciphertext only attack (brute force attack) 2. Known plaintext attack 3. Chosen plaintext attack 4. Chosen ciphertext attack

In the cipher under consideration, the keys K and L together contain 2n² numbers, each of which can be represented by 8 binary bits. Thus the key space is of size

$$2^{16 n^2} = \left( 2^{10} \right)^{1.6 n^2} \approx 10^{4.8 n^2}$$

Assuming that the computation of the cipher with one specified pair of key values takes 10⁻⁷ seconds, the time required for the brute force attack is

$$\frac{ 10^{4.8 n^2} \times 10^{-7} }{ 60 \times 60 \times 24 \times 365 } \;\text{years} \;\approx\; 3.17 \times 10^{4.8 n^2 - 15} \;\text{years}$$

This shows that the time required for the attack runs to very many years whenever n ≥ 2; thus the cipher cannot be broken by the ciphertext-only attack. In the case of the known-plaintext attack, the attacker has as many plaintext and ciphertext pairs as required. Here, as the plaintext undergoes several transformations in each round of the iteration (multiplication by the two key matrices and the permutation) before it becomes the ciphertext, the nonlinearity involved in the process does not allow anyone to break the cipher. Intuitively choosing a plaintext or a ciphertext is likewise infeasible, as the process involved in the cipher is a complex one; thus the cipher cannot be broken by the chosen-plaintext or chosen-ciphertext attacks. In the light of the above discussion, we conclude that the cipher is a strong one.

5. Summary of the Results

The avalanche effect presented in Section 3 clearly indicates that the cipher is a strong one. The cryptanalysis discussed in Section 4 shows that the cipher cannot be broken by any of the usual cryptanalytic attacks.

6. Computations and Conclusions

In this analysis we have written java programs corresponding to the algorithms for encryption and decryption presented in section 2.

The complete plaintext (5) is divided into blocks of 16 characters each and encrypted block by block; the last block, whose length is less than 16 characters, is padded with blank spaces at the end. The ciphertext for the entire plaintext is shown below:

10815211766387815212916822138114229994719129115228671321873816721335138151192031062221867229174107192131199192197541385818717464

2228254161951032113153651921082476252842488568622021401141534113818717221191215148185137240126151441723767019314621920216721371582440240140190892314810423122625386

224141241051922124520113190882723015142214961188118535352385169174197167125141581505810415195825421711017510617010823415313197
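The block-division and padding step described above can be sketched in Java as follows; encryptBlock is a hypothetical placeholder for the round function of section 2, which is not reproduced here.

import java.util.ArrayList;
import java.util.List;

public class BlockSplitter {
    static final int BLOCK = 16; // characters per block

    // Split the plaintext into 16-character blocks, padding the last block with blanks.
    static List<String> toBlocks(String plaintext) {
        List<String> blocks = new ArrayList<>();
        for (int i = 0; i < plaintext.length(); i += BLOCK) {
            StringBuilder b = new StringBuilder(
                plaintext.substring(i, Math.min(i + BLOCK, plaintext.length())));
            while (b.length() < BLOCK) {
                b.append(' '); // append blank spaces to the final short block
            }
            blocks.add(b.toString());
        }
        return blocks;
    }

    // Hypothetical stand-in: the real cipher multiplies by K and L and permutes in each round.
    static byte[] encryptBlock(String block) {
        return block.getBytes();
    }

    public static void main(String[] args) {
        for (String b : toBlocks("AN EXAMPLE PLAINTEXT OF ARBITRARY LENGTH")) {
            encryptBlock(b);
        }
    }
}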

The avalanche effect, discussed in section 3, and the cryptanalysis, performed in section 4, clearly indicate that the cipher is a strong one. The pair of key matrices, one applied on the left side of the plaintext and the other on the right side, together with the process of permutation, is responsible for the strength of the cipher. This analysis can be extended to a larger block of plaintext by enhancing the sizes of K and L appropriately.

References:

[1] William Stallings, Cryptography and Network Security: Principles and Practice, Third edition, Pearson, 2003.

[2] V.U.K. Sastry, S. Udaya Kumar, A. Vinaya Babu, "A Large Block Cipher using Modular Arithmetic Inverse of a Key Matrix and Mixing of the Key Matrix and the Plaintext", Journal of Computer Science, 2(9), pp. 698-703, 2006.

[3] V.U.K. Sastry, V. Janaki, "A Block Cipher Using Linear Congruences", Journal of Computer Science, 3(7), pp. 556-561, 2007.

[4] V.U.K. Sastry, V. Janaki, "A Modified Hill Cipher with Multiple Keys", International Journal of Computational Science, Vol. 2, No. 6, pp. 815-826, Dec. 2008.

[5] V.U.K. Sastry, D.S.R. Murthy, S. Durga Bhavani, "A Large Block Cipher Involving a Key Applied on Both the Sides of the Plaintext", Vol. 2, No. 2, pp. 10-13, February.


Evaluation of Intrusion Detection Techniques for Enterprise Information Security

Kanwarpreet Singh1, Yogesh Chaba2 and Amritpal3

1 IBM India, [email protected]
2 Deptt of CSE, GJUST Hisar, [email protected]
3 Deptt of CSE, St MEC, Alwar

Abstract: Intrusion detection systems (IDSs) aim at detecting attacks against computer systems and networks or, in general, against information systems. With rapidly growing unauthorized activity in networks, intrusion detection as a component of defence is very necessary, because traditional firewall techniques cannot provide complete protection against intrusion. Network-based IDSs are designed to monitor potential attacks in enterprise network information security. Detection of intrusions falls into two categories: anomaly detection and signature detection. This paper describes various types of IDS, such as network-based IDS, host-based IDS and hybrid IDS. Further, an evaluation of average intrusive events using the signature detection technique for enterprise information security is presented.

Keywords: IDS, Attack, Security, Enterprise, Events

1. Introduction

The movement towards more secure computing systems continues to rise as management becomes cognizant of the numerous threats that exist to their enterprises [3]. Internet-based and intranet-based network systems are growing as a means to share information and conduct business with online partners. However, hackers have also learned to use these systems to access private networks and resources. Studies show that many enterprises have suffered external and internal network intrusions, including some that resulted in sizable loss of money. Enterprise systems are subject to various types of attacks. For example, hackers can penetrate systems by taking advantage of bugs or by acquiring passwords. Traditional security products can be penetrated from outside and can also leave an organization vulnerable to internal attacks. Network-based IDSs solve these problems by detecting external and internal security breaches as they happen and immediately notifying security personnel and the network administrator by email or pager [2]. This type of system covers an entire organization by deploying monitoring agents on local networks, between subnets, and even on remote networks on the Internet. The rest of the paper is organized as follows. The second section discusses the characteristics of a good intrusion detection system and the need for intrusion detection to secure enterprise information. Section three presents various types of intrusion detection systems, such as host-based IDS, network-based IDS and hybrid IDS, and section four evaluates intrusion detection techniques for enterprise information security.

2. Intrusion Detection System

An intrusion detection system is software and/or hardware designed to detect unwanted attempts at accessing, manipulating or disabling computer systems, mainly through a network such as the Internet. These attempts may take the form of attacks by crackers, malware or disgruntled employees. An intrusion detection system is used to detect several types of malicious behaviour that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware.

2.1 Need for an Intrusion Detection System

Of the security incidents that occur on a network, the vast majority (up to 85 percent by many estimates) come from inside the network. These attacks may come from otherwise authorized users who are disgruntled employees. The remainder come from the outside, in the form of denial of service attacks or attempts to penetrate a network infrastructure. An intrusion detection system remains the only proactive means of detecting and responding to threats that stem from both inside and outside a corporate network. Intrusion detection systems are an integral and necessary element of a complete information security infrastructure, performing as "the logical complement to network firewalls" [1]. Simply put, IDS tools allow for complete supervision of networks, regardless of the action being taken, such that information will always exist to determine the nature of a security incident and its source. Studies show that nearly all large enterprises and most medium-sized organizations have installed some form of intrusion detection tool [6]. However, it is clear that, given the increasing frequency of security incidents, any entity with a presence on the Internet should have some form of IDS running as a line of defence. Network attacks and intrusions can be motivated by financial, political, military or personal reasons, so no company should feel immune. Realistically, any network is a potential target and should have some form of IDS installed.

2.2 Characteristics of a good Intrusion Detection System

Regardless of whether an IDS is based on misuse or anomaly detection, it should possess the following characteristics [4]:


• Run continually without human supervision – it must be reliable enough to operate in the background.

• Fault tolerant – it must be able to survive a system crash without requiring its knowledge to be rebuilt when restarted.

• Resist subversion – it must be able to monitor itself to ensure it is not being subverted.

• Minimal system overhead – it must not adversely affect system performance.

• Observe deviations from normal behavior.

• Be easily tailored and adaptable to changing usage patterns of the host system.

• Cope with changing system behavior over time as new applications are added.

2.3 Types of Intrusion Detection System

Intrusion detection systems come in several types and take different approaches to detecting suspicious traffic. There are network-based (NIDS), host-based (HIDS) and hybrid intrusion detection systems.

• Network-Based Intrusion Detection System: Network-based IDSs are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally they would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.

• Host-Based Intrusion Detection System: Host-based IDSs run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets of the device only and alerts the user or administrator if suspicious activity is detected.

• Hybrid Systems: A hybrid system is an IDS that combines features of both host-based and network-based systems. Hybrid systems are becoming the norm, but most IDSs are still stronger in one area or the other. A host-based system complemented by a handful of inexpensive network monitoring tools can make for a complete strategy [7].

3. Intrusion Detection Techniques

This section presents two types of intrusion detection techniques for enterprise information security: first, anomaly detection, and second, signature (misuse) detection.

3.1 Anomaly Detection

The IDS establishes a baseline of normal usage patterns, and anything that deviates widely from it gets flagged as a possible intrusion. What is considered an anomaly can vary, but normally any incident that occurs at a frequency more than two standard deviations from the statistical norm raises suspicion. For example, if a computer is used at 2:00 a.m. when normally no one should have access outside business hours, this should raise suspicion. At another level, anomaly detection can investigate user patterns, such as profiling the programs executed daily. If a user in a graphics department suddenly starts accessing accounting programs or compiling code, the system can alert its administrator.
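As a rough illustration of the two-standard-deviation rule described above, the following Java sketch flags an observed event count that deviates from a baseline by more than two standard deviations; the baseline numbers are invented for the example.

public class AnomalyDetector {
    // Flag an observation that deviates from the baseline mean by more than two standard deviations.
    static boolean isAnomalous(double[] baseline, double observed) {
        double mean = 0, var = 0;
        for (double c : baseline) mean += c;
        mean /= baseline.length;
        for (double c : baseline) var += (c - mean) * (c - mean);
        double std = Math.sqrt(var / baseline.length);
        return Math.abs(observed - mean) > 2 * std;
    }

    public static void main(String[] args) {
        double[] loginsPerNight = {3, 4, 2, 5, 3, 4};        // illustrative baseline counts
        System.out.println(isAnomalous(loginsPerNight, 25)); // unusual 2:00 a.m. activity -> true
    }
}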

3.2 Signature Detection

This method uses specifically known patterns of unauthorized behaviour to predict and detect subsequent similar attempts. These specific patterns are called signatures. For a HIDS, one example of a signature is "three failed logins"; for a NIDS, a signature can be as simple as a specific pattern that matches a portion of a network packet. For instance, packet content signatures and/or header content signatures can indicate unauthorized actions, such as improper FTP initiation. The occurrence of a signature might not signify an actual attempted unauthorized access, but it is a good idea to take each alert seriously. Depending on the robustness and seriousness of the signature that is triggered, some alarm, response or notification should be sent to the proper authorities [5].
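A minimal sketch of the signature-matching idea: a payload is checked against a list of content patterns and an alert is raised on a match. The patterns are illustrative only and are not taken from any real rule set such as Snort.

import java.util.List;

public class SignatureDetector {
    // Return true and print an alert if any known signature occurs in the payload.
    static boolean matches(String payload, List<String> signatures) {
        for (String sig : signatures) {
            if (payload.contains(sig)) {
                System.out.println("Alert: signature \"" + sig + "\" matched");
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> signatures = List.of("three failed logins", "USER anonymous"); // illustrative patterns
        matches("220 service ready\r\nUSER anonymous\r\n", signatures);
    }
}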

4. Evaluation of ID Techniques for Enterprise Information Security

This section presents the implementation of intrusion detection techniques using signature detection algorithms through the Sax2 simulator, which provides a simulation platform to detect intrusion events in the enterprise network. Sax2 is a professional intrusion detection and response system that performs real-time packet capturing, 24/7 network monitoring, advanced protocol analysis and automatic expert detection.

4.1 Results

Analysis and observation of average intrusion detection in a real-time network using the signature detection technique, as shown in figures 1, 2, 3, 4 and 5, is done with respect to different timings. Attack events are categorized as notice based, warning based, information based and others.

• Average intrusion events in percentage for 17 hosts on the network after 15 minutes are shown in figure 1 (45% notice based, 3% warning based, 45% information based and 7% others).

Figure 1: Average intrusion events due to various statistics items for 17 hosts on real-time network after 15 minutes (45% Notice, 3% Warning, 45% Information, 7% Others)


• Average intrusion events in percentage for 17 hosts on the network after 30 minutes are shown in figure 2 (46% notice based, 3% warning based, 43% information based and 8% others).

• Average intrusion events in percentage for 17 hosts on the network after 45 minutes are shown in figure 3 (46% notice based, 3% warning based, 44% information based and 7% others).

• Average intrusion events in percentage for 17 hosts on the network after 60 minutes are shown in figure 4 (46% notice based, 3% warning based, 43% information based and 8% others).

• Average intrusion events in percentage for 17 hosts on the network after 75 minutes are shown in figure 5 (47% notice based, 3% warning based, 42% information based and 8% others).

After observing the results it is found that the majority of attacks on enterprise information are notice and information based (around 89%), so there is a need to design an intrusion detection system with better protection in these two areas for enterprise information security.

5. Conclusion

A computer system should provide confidentiality, integrity and assurance against viruses, worms and denial of service. However, due to increased connectivity on the Internet and the vast spectrum of financial possibilities that are opening up, more systems are subject to attack by intruders.

Figure 4: Average intrusion events due to various statistics items for 17 hosts on real-time network after 60 minutes (46% Notice, 3% Warning, 43% Information, 8% Others)

Figure 2: Average intrusion events due to various statistics items in real-time network after 30 minutes (46% Notice, 3% Warning, 43% Information, 8% Others)

Figure 3: Average intrusion events due to various statistics items for 17 hosts on real-time network after 45 minutes (46% Notice, 3% Warning, 44% Information, 7% Others)

Figure 5: Average intrusion events due to various statistics items for 17 hosts on real-time network after 75 minutes (47% Notice, 3% Warning, 42% Information, 8% Others)


Network-based IDSs solve these problems by detecting external and internal security breaches as they happen and immediately notifying security personnel and the network administrator by email or pager. Evaluation of intrusion detection techniques for enterprise information security was done using the Sax2 simulator. Evaluation of average intrusive events in a real-time network for different hosts with respect to different timings was also done. After analysis and observation of intrusion detection in the real-time network using the signature detection technique, as shown in the above figures, it is concluded that notice and information based attacks require more attention than warning based and other types of attacks on the network. Attacks can be detected very efficiently using the signature detection technique on an enterprise network.

References

[1] Bace and Rebecca, "An Introduction to Intrusion Detection and Assessment: System and Network Security Management", ICSA White paper, 1998.

[2] Chris H, Detecting Attacks on Network, McGraw Hill, 1997.

[3] Garuba M, Liu C and Fraites D, "Intrusion Techniques: Comparative Study of Network Intrusion Detection Systems", Proc. of IEEE Fifth International Conference on Information Technology, IEEE Computer Society, pp. 794-798, 2008.

[4] Hart R, Morgan D and Tran H, "Introduction to automated intrusion detection approaches", Journal of Information Management and Computer Security, pp. 76-82, 1999.

[5] Paul I and Oba M, An Introduction to Intrusion Detection System, John Wiley & Sons, 2001.

[6] Sans, "Intrusion Detection and Vulnerability Testing Tools: 101 security solution", E-Alert Newsletters, 2001.

[7] Tony B, Introduction to Intrusion Detection Systems, [Online] www.aboutids.com, 2001.

Authors Profile

Kanwarpreet Singh received the MBA degree from FIIB New Delhi, India in 1999. He is pursuing a PhD degree in the area of Management Information Systems and Computer Forensics. He has more than 10 years of experience in the IT industry. He is currently working with IBM India. His research interests include computer forensics and information security.

Yogesh Chaba received the B.E. degree in Computer Science and Engineering from Marathwada University, Aurangabad with Distinction in 1993. He obtained his MS degree in Software Systems from BITS Pilani and his PhD degree in Computer Science and Engineering from GJ University of Science and Technology, Hisar, India. He worked as Chairman, Department of Computer Science and Engineering, Guru Jambheshwar University of Science and Technology, Hisar for three years. He has 15 years of teaching and research experience in the field of Computer Science and Engineering. He has 68 national and international publications to his credit in reputed journals and conferences. He is a recipient of the Young Scientist Award of the International Academy of Physical Sciences for research work. He is also Principal Investigator of two projects funded by national agencies in the areas of ubiquitous computing and MANET security. His research interests include mobile communication, computer networks and information security.

Amrit Pal received the B.E. degree in Computer Science and Engineering from LIET Alwar, affiliated to Rajasthan University, India in 2005. He obtained his MTech degree with distinction in Computer Science & Engineering from GJ University of Science and Technology, Hisar, India. He is working as Assistant Professor in St MEC Alwar, India. His research interests include computer forensics and information security.


Evaluation of Destructive and Negative Effects of using Computers, the Internet and Computer Games

on Students

Mehdi Soltani

Azerbaijan National Academy of Sciences, Institute of Information Technology,

Baku, Azerbaijan [email protected]

Abstract: Information Technology (IT) is developing swiftly in today's world; even our daily life is affected, and its presence is felt at school, at home, in the office, etc. Children benefit from these facilities more than adults. Despite the positive aspects, if IT is not controlled it can have negative impacts as well as destructive mental and social effects on children. This paper evaluates the destructive effects of using computers and the Internet on children, so that by controlling these technologies children can improve and develop in the IT era.

Keywords: Computer; Internet; children; adolescents

1. Introduction

Psychologists believe that addiction to Internet games causes serious behavioral disorders and can have destructive effects on players' social relationships. Many online game addicts, owing to failure in these games or negative excitement, are overcome by stress, depression or anger, and some even commit suicide. One of the reasons for children's bedwetting (nocturnal enuresis) is horrifying computer games. They play the games alone and sometimes for hours unchecked. Childhood experiences continue into adult life; a person who plays sentimentally will be sentimental to the end of their life. Some families prevent their children from playing electronic games. In fact, when parents prevent them from playing such games, children become much more enthusiastic about playing and use every opportunity, even secretly, to play these games [6]. American psychologists have described addiction to online games as a serious behavioral disorder among users and have warned about its destructive effects on social relationships. Almost 6.5 million people worldwide pay an average of $15 per month for online game subscriptions. Studies have shown that there is an addictive behavior pattern among Internet users; investigations have reported a prevalence of 6% to 80% [4]. The most disturbing aspect of Internet addiction is the damage to children. They get attached to multiplayer games and even vulgar sites easily [14]. In this paper, I describe the destructive and negative effects of using computers, the Internet and computer games on students in five parts. In the first part I present physical complications resulting from using a computer. I describe the negative effects of using computer games in the second part. The negative effects of using the Internet are the third part of the paper. Finally, I present the conclusion of this paper.

2. Physical complications resulting from using computer

2.1 Vision problems

Vision problems are the most common problems resulting from long hours of working with a computer. Exhaustion, pain, burning, redness, headache, watery eyes, drowsiness, hyperopia, myopia, weakness and blurred vision are some of the complaints that bring patients to clinics [7, 8]. The eye muscles also get tired from changes in light or brightness, or from changing the direction of sight between the screen and the characters being typed. Besides, due to the large displacement of words, the eyes gradually lose their adaptation ability [5]. People with uncorrected refractive disorders are more at risk [8]. These problems are due to:

• Looking at the screen excessively.
• Inappropriate distance between the screen and the person.
• Insufficient light in the room.
• Unsuitable glasses while working with the computer.

2.2 Joint, muscular and skeletal systems complications

Other common syndromes due to working with a computer are muscular pains, carpal tunnel and arm syndrome, and tendonitis [9]. Neck and back pain in the long term, kyphosis and positional scoliosis are among other complications [11]. Computer users usually keep their wrists, forearms, hands, arms, back and neck in a fixed position; this puts great pressure on their muscles in the long term and can therefore lead to problems in the muscles, joints and skeleton. In this regard, ergonomic factors such as repetitive motion, way of sitting, viewing angle, desk and chair position, height of keyboard and monitor, lighting conditions, typing speed, lack of mental composure, etc. can be major risk factors. Children who sit for a long time in front of the computer and participate less in physical activities (such as sports) are at risk of obesity [10]. As time passes, they will have spinal and skeletal problems and rigidity in the neck, shoulders and wrists [16, 17].


2.3 Skin problems

The high voltage of the picture tube produces an electrostatic field and a positive electric charge on the external surface of the screen. Dust particles move in all directions in the field between the positive charge and the operator's face. Although the amount of dust varies depending on room ventilation, flooring and other factors, it is always present. The positive charge current in this field may cause dryness and cracking of the skin of the hands and face in people who have skin allergies. Other studies have also shown that in people who complain about skin allergies and who work under mental and psychic pressure, the pressure and stress can cause hormonal changes, such as in thyroxin (thyroid hormone) and prolactin (pituitary hormone), and also skin damage. Another study, conducted in Sweden, attributes facial skin damage in people working with computers to psychosocial factors and workplace issues. Of course, personal factors also influence the incidence of these problems.

2.4 Stress and neurotic-psychic issues

Convulsions can be triggered by a special form of epilepsy. Light-sensitive epilepsy occurs in children who have high sensitivity to flickering lights. In this case, the convulsion begins when they are in front of the bright lights of the screen and the flashes caused by computer games. Symptoms vary, including headache, changes in the visual field, vertigo, dizziness, decreased awareness and convulsions. The symptoms disappear as soon as they stop using the computer [1, 15]. A high workload and remoteness from colleagues at work can lead to psychological problems. It should be noted, however, that working with a computer does not necessarily cause depression, but a high workload plays a role in creating psychological stress. These problems include nervous or mental tics such as blinking, unusual shoulder movements, nausea and vertigo [13].

2.5 Breathing hazardous gases

Recent research shows that PC hardware contains a variety of metals and toxic substances that contaminate the environment. "Lead" (used in cathode ray tubes), "arsenic" (used in older CRTs), "antimony trioxide" (used as a fire retardant) and "polybrominated materials" (used as fire retardants in cables, circuits and plastic materials in computers) are some of the materials that could be mentioned. "Selenium" (as a rectifier in power supply circuits), "cadmium" (used in computer circuit boards and semiconductors), "chromium" (to prevent corrosion of metal parts of the computer), "cobalt" (used in metals for plasticity and magnetism) and "mercury" (in computer switches) are other toxic and polluting substances used in PCs. Computer frames and screens give off a special smell when they get warm. Dioxin gas produced by the computer body and the screen (because of heat) is an example of these odors; these materials are used as fireproofing in the frames of the screens and boards. Ozone gas is produced while a laser printer is working, which harms the nasal mucous tissue, eyes and throat. Therefore, importers and producers of computers have to observe the required standards.

3. Negative effects of using computer games

Many players spend long periods in a fictional universe. The disadvantages of computer games are:

3.1 Physical damages

Because of staring at the screen continuously, the eyes are under strong pressure from the light and will develop complications. Observations have shown that teenagers are so absorbed by the games that they do not notice the amount of visual and mental pressure put on themselves. Since they sit in a constant fixed position, the skeleton will be afflicted by some abnormalities. Aches and stiffness in the neck, shoulders and wrists are other complications caused by relatively fixed and long-term work with computers. The skin is exposed to the continuous radiation of the monitor. Nausea and vertigo, especially in children and teenagers with an epilepsy background, are other computer-related complications. Exciting computer games can result in bone and nerve diseases in the hands and arms.

3.2 Psychological and nurturing injuries

3.2.1 Strengthening the sense of aggression

The main characteristic of computer games is that most of them are set in warlike settings, and the gamer must fight the so-called enemy forces to reach the next stage of the game. Continued playing of such games will make children aggressive and quarrelsome. "Violence" is the most important motif used extensively in designing the newest and most attractive computer games. Hollywood celebrities, who are immoral and anti-value in our culture, are shown as insuperable heroes in these games.

3.2.2 Isolationism

Children who are continuously involved with these games tend to become introverted and reclusive in society and have anomalies in social communication [1].

3.3 Mental retardation

In these games, because children and teenagers play programs created by others, and since they are not able to change them, their confidence in creation and improvement becomes unstable. Most families think that the gamer has continuous mental involvement in the games, but this involvement is not truly mental; rather, the games deceive the brain cells, and from the point of view of physical activity there is only some finger movement. If we continue in this manner and keep developing such games, society will have frustrated, depressed, inactive and uncreative members. They will be less self-reliant and creative, while society needs creative, innovative and contemplative people [12]. Recent research indicates that computer games can lead to chronic brain damage. Games stimulate only the parts of the brain that are dedicated to vision and motion and do not help develop other parts. The frontal lobe does not develop in children who devote long hours to playing computer games. The frontal lobe plays an important role in the development of memory, emotion and learning.


People whose frontal lobes are not developed are susceptible to being violent and have less ability to control their behavior.

3.4 Impact on family relationships

Considering that life in our country, Iran, is moving towards a machinelike life, and that in some families both parents are employed or some fathers have more than one job, emotional relationships and getting together in families have automatically decreased. Many people are not satisfied with this situation, and the presence of the computer as a magic box has contributed to cold family relationships [4, 12].

3.5 Educational failure

Due to the glamorous attraction of these games, children spend a lot of their time and energy playing. Some children even wake up earlier than usual in the morning to play a little before school and to compensate for the wasted time in this way. One parent states that last year her son had the best scores, but since they bought a computer for him, he spends 2-3 hours a day playing and has suffered educational failure [4, 12].

4. Negative effects of using the Internet

4.1 Internet Addiction

Internet addicts spend long hours during the day using this medium, in a way that affects their job and social performance. This type of abnormal usage is called Internet addiction by experts. The reason for Internet addiction in many of these people is to find a way to suppress the anxiety and stress in their lives. According to researchers, unsociable people and those who have problems in their social and interpersonal communications are more likely to become Internet addicts. Known symptoms of this disorder include:

• Using computers for fun, enjoyment or stress relief.

• Extreme depression when they do not use the Internet.

• Spending a lot of time and money for software, hardware and computer-related activities.

• Being carefree towards work, school and family.

• Uncontrollable feeling of irritability while using computer

One of the negative aspects of the Internet is entering it anonymously. Teenagers have the opportunity to do whatever they would like on the Internet. They get disturbed when adults ask them how they use the Internet, because they regard the Internet as a private place for themselves. The Internet has replaced public space for them. In this way they gain more experience and information about how to control and use this new medium. The only problem is that the relationship between youth and adults vanishes in cyberspace. Puberty is a critical stage in which an adolescent discovers and internalizes values. The Internet, with its unlimited volume of information and instant communication tools, introduces other tools for teenagers to create an identity through search. We should know that many interactions on the Internet require no human contact [14].

4.2 Immoral websites Immoral websites have become a catastrophe on the Internet these days. Through providing immoral and obscene content and images, these sites have jeopardized mental and emotional health of teenagers and therefore societies’ health. Most of these sites try to destroy the culture and values of a society.

4.3 Chat

Chat rooms are used by a great many teenagers on the Internet. These rooms are a suitable place to meet and converse with other children and teenagers around the world. But a lot of abuse is carried out by swindlers in these rooms, including:

• Presenting invalid personal information.
• Abuse of people's information.
• Deceiving adolescents by contacting them and making appointments.

These matters lead to the seduction of adolescents and therefore to corruption in societies.

4.4 Impact of internet games

Today, the development of electronic and computer games has become a great threat to teenagers and youth. It can lead to mental disorders and depression among youth as well. In the past, games were played through children's communication with each other.

But today, having become aware of such games, they spend most hours of the day playing computer games, and this kind of play does not create any emotional or human relations. The main effect of games on children and teenagers is creating violence among them. Research shows that the effect of games on violent behavior in children and teenagers depends on several factors [4, 3]:

• Severity of violence in the games.
• The child's ability to discern and differentiate between the imaginary world and real life.
• The child's capability to restrain natural tendencies and motivations.
• The value framework in which the child is growing or living now, and the values that the game content is presenting.

4.4.1 Social impact on the person

Relationships between individuals on the Internet are superficial and lack depth; this type of communication lacks features such as proximity, regular contact, deep influence and the exchange of information about social context [2].

4.4.2 Being cut off

While the Internet can connect human beings electronically, it hinders "face to face" communication, so it reduces human relations and social cohesion.

4.4.3 Mental involvement

One of the problems mentioned by psychiatrists about children and teenagers who spend long hours in chat rooms is mental involvement, caused by the mental images produced by the material exchanged among people in these chat rooms.


It can cause mental disorders, including depression.

4.4.4 Internet effect on social skills

Online games delay the appropriate development of a child's social skills. When the child becomes addicted to the Internet, his motivation for interacting with others decreases. This has negative effects on personal relationships and social interactions [2]. Recent studies show that using the Internet causes feelings of misery and loneliness and reduces mental health overall. People who use the Internet more maintain fewer friendships, spend less time talking to family, experience more stress, and feel lonely and depressed.

4.4.5 Internet and families

Using the Internet affects family relationships for several reasons:

• Using the Internet is a time-consuming activity, so it can reduce children's interaction with the family. Time dedicated to interacting with each other is a prerequisite for a high quality relationship. In one study, 50% of families stated that when they are online they speak less, and 41% admitted they had learned anti-social behavior during this time.

• Internet creates new conflicts within the family. When there is only one computer at home, there will be a competition between children and parents to use the computer which sometimes causes struggle.

• Visiting web pages that have inappropriate contents for child's age causes argument and conflict between parents and children.

• Sometimes conflict arises because of the child's access to the parents' private information.

• Parents are concerned that Internet may prevent children from other activities and have isolating effects on them.

5. Conclusion

In recent years, the computer and the Internet have gradually replaced television to some extent, and in the near future they will likely play a more significant role than television in children's and teenagers' lives. If this technology is used correctly, it has positive effects. Yet it can be inferred from the content of this paper that the risks of its uncontrolled and incorrect application threaten all users, especially children.

To ensure optimum use, and so that the computer improves children's lives in the present and the future, considering the following suggestions may help:

• Parents should get familiar with computers and take training courses in this field and learn some tips from children, if necessary.

• Talk with children about how to use computers and risks that may threaten them while they are online.

• Put the computer in a place at home where the child's activities can be monitored.

• Limit the time of computer use if the child has reduced social contacts. Excessive use of the computer usually indicates a problem.

• Accompany children when they are in chat rooms.

• Review children's e-mail and delete inappropriate messages.

• Use filter software to prevent visits to inappropriate content. Such software can also log the addresses of the sites the child has visited, so parents can review them later.

• Of course, no software can replace parents' association with their children.

• Programs should be suitable for the child's growth and development.

• Encourage the child to interact with the family rather than use the computer excessively.

• The computer should be an educational complement, not the only way of training.

• Choose programs appropriate to the children's age.

• Control the ways of accessing the computer.

• Enhance parents' and teachers' computer literacy.

• Provide educational programs for parents, teachers and others who work with children.

• Research should be done on the effects of the computer on the physical, intellectual, rational, social and psychological development of children.

References

[1] M.K Shields, R.E Beharman, "Children and computer technology: Analysis and recommendations", The Future of Children, Vol. 10, No. 2, pp. 4-30, Fall/Winter 2000.

[2] “Internet & its affect on social live” Website, May 2005, Available: http://www.ayandehnegar.com.

[3] “ICTs and children” Website, April 2004, Available: www.wiki.media-culture.org.au.

[4] B. Affonoso, “Is the internet affecting the social skills of our children?”, December 1.1999, Available:http://www.sierrasource.com/cep612/internet.html.

[5] L.K. Wan. “Children and computer vision syndrome”, 2005, Available: www.allaboutvision.com.

[6] Saeed. Shamlou, “Mental Health”, Roshd Publication, 2001, pp. 4-30.

[7] M. Emick, “Study finds direct link between computer use and vision problems in children”, Mar 2002, Available:www.allaboutvision.com/cvs/productivity.htm

[8] A. Azimi, M. Salehi, F. Salehi, H. Masoudi, “affect of work with computer on vision performance”, the secret of better life. Vol 30, pp. 33-41, Fall 2004.

[9] “What’s new in health care computers cause vision problems in children. Johns Hopkins University Website”, April 1.2002, Available: www.jhu.edu.

[10] S.S Lang, “Cornell ergunomist offers web guide lines on how children can avoid injury while at their computers”, Available:http://ergo.human.cornell.edu/MBergo/schoolguide.html, Feb 2010.


[11] Health Development, “Computer technology and children-physical and psychological development”, Oct 2004, Available: www.public.iastate.edu.

[12] “The internet: A positive or negative influence on children”,2005,Available: www.firstclass.wellesley.edu.

[13] “Computer illnesses”, July 2002, Available:www.hasht.com.

[14] “Recognize of adict to Internet”, September 2002, Available: www.hasht.com.

[15] “Stress is main reason of Internet Adict”, August 2002, Available: www.hasht.com.

[16] M. Carelse, “Computer games:Are they harming your children?”, 2005, Available: www.gentleparents.com.

[17] “Computer games linked to learning problems”, August 2001, Available: www.news.zdnet.com.


Efficient Buffer management Policy DLA for DTN Routing Protocols under Congestion

Sulma Rashid1, Qaisar Ayub2

Universiti Teknologi Malaysia (UTM) , Faculty of Computer Science & Information System, Department of Computer System & Communication Skudai - Johor, 81310, Malaysia [email protected]

[email protected]

Abstract: In DTN networks an end-to-end path may not exist, and disconnections may occur frequently due to propagation delay, node mobility, power outages and the operational environment (deep space, underwater). Transmission in such environments therefore follows a store-carry-forward strategy, in which a node stores a message in its buffer, carries it while moving, and transmits it when a connection becomes available. In addition, multiple copies of a message may be forwarded to increase the delivery probability. In such cases the node buffer becomes a critical resource and needs to be managed effectively to control congestion and the message drop ratio. An efficient buffer management policy decides which message to drop when congestion arises. In this paper we propose a new buffer management policy for DTN in which, when the node buffer is congested and needs to store a new message, the largest message in the buffer is dropped. The strategy is called Drop Largest (DLA). We show through simulation that our buffer management policy (DLA) performs well compared to the existing Drop Oldest policy.

Keywords: Delay Tolerance Network DTN, DLA (Drop largest), DO (Drop oldest), Algorithm

1. Introduction

Traditional networks (ad hoc, TCP/IP) require an end-to-end path and cannot be deployed in challenged wireless applications, e.g. military networks, vehicular ad hoc networks and wildlife tracking sensor networks, where connectivity is not stable due to node mobility and low-power nodes periodically shutting down. In order to cope with disconnections, researchers have proposed the Delay Tolerant Network (DTN) [1], [2], [7] and [14]. DTN routing protocols have adopted a "store-carry-forward" paradigm, where each node in the network stores a packet that has been forwarded to it by other nodes, carries the packet while it moves around, and forwards or duplicates it to other nodes (or the destination node) when they come within transmission range. Nodes under a DTN protocol may not have complete information about the network; therefore the message is replicated to increase the delivery probability, as in Epidemic [6]. Due to low data rates and the short duration of node encounters, Epidemic was refined by spray-and-wait [2-4] and K-hop probabilistic forwarding [12]. It is evident that storage of messages for a long time and their replication [6], [14], [3] make the buffer run out of capacity and affect the performance of the router. Some recent work [8]-[11], [17] and [18] addressed a few transmission scheduling and buffer management issues, but an efficient buffer management scheme is still required to overcome congestion [13].

In this work we propose an efficient buffer management policy (DLA) to improve message delivery, message drop, overhead ratio and buffer time average in a highly congested network. To evaluate the performance of the proposed buffer management policy we use the ONE simulator [5]. We have performed simulations with the Spray&Wait, Direct Delivery, First Contact and Epidemic routing protocols. The proposed scheme performs well; only the delivery ratio in the case of Epidemic routing is reduced.

The rest of the paper is organized as follows. Section 2 discusses existing buffer management policies. Section 3 summarizes the performance metrics. Section 4 describes the routing protocols under which our buffer management policy is evaluated. Section 5 presents the proposed algorithm (DLA). Sections 6 and 7 give the simulation results and the conclusion.

2. Existing buffer management policies

2.1 Drop Random (DR)
The message to be dropped is selected at random.

2.2 Drop Least Recently Received (DLR)
The message with the longest stay time in the buffer is dropped. The idea is that a packet that has been in the buffer for a long time has a low probability of being passed to other nodes.

2.3 Drop Oldest (DOA)
The message with the shortest remaining lifetime (TTL) in the network is dropped. The idea behind dropping such a packet is that if its TTL is small, it has been in the network for a long time and thus has a high probability of having already been delivered.

2.4 Drop Last (DL)
The newly received message is dropped.

2.5 Drop Front (DF)
The message that entered the queue first is dropped first.

2.6 N-Drop
In N-Drop [17], the message that has undergone N forwardings is selected to be dropped.


3. Performance metrics

3.1 Message delivery
This metric measures the number of messages that are correctly received by their final destinations within a given time period.

3.2 Buffer time average
The buffer time average measures the average time spent by messages in the node buffers.

3.3 Message drop
This metric counts the number of messages dropped during transmission.

3.4 Overhead ratio
This metric relates the number of messages relayed (beyond those delivered) to the number of messages delivered.
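Assuming a counter-based reading of these definitions (delivery ratio as delivered/created, overhead as relayed minus delivered over delivered, in the style of the ONE simulator's statistics report), the metrics can be computed from simple counters; the exact averaging the simulator uses for buffer time may differ from this sketch.

public class DtnMetrics {
    // Compute the report metrics from raw event counters (illustrative values in main).
    static void report(int created, int delivered, int dropped, int relayed, double totalBufferTime) {
        double deliveryRatio = (double) delivered / created;
        double overheadRatio = (double) (relayed - delivered) / delivered;
        double bufferTimeAvg = totalBufferTime / (delivered + dropped); // assumed: averaged over messages that left a buffer
        System.out.printf("delivery=%.3f drops=%d overhead=%.3f bufferTimeAvg=%.1f%n",
                deliveryRatio, dropped, overheadRatio, bufferTimeAvg);
    }

    public static void main(String[] args) {
        report(1000, 350, 4200, 9000, 1.2e6); // illustrative counters, not simulation output
    }
}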

4. Routing protocols under evaluation

4.1 Spray&Wait (SW)

Spray and Wait [3] is a routing protocol that attempts to gain the delivery ratio benefits of replication-based routing as well as the low resource utilization benefits of forwarding-based routing such as direct transmission. The Spray and Wait protocol is composed of two phases: the spray phase and the wait phase. When a new message is created in the system, a number L is attached to it, indicating the maximum allowable number of copies of the message in the network. During the spray phase, the source of the message is responsible for "spraying", i.e., delivering, one copy to each of L distinct "relays". When a relay receives a copy, it enters the wait phase, in which it simply holds that particular message until the destination is encountered directly. In other words, Spray and Wait can be viewed as a tradeoff between single-copy and multi-copy schemes.
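A minimal sketch of the forwarding decision just described (source spray of L copies, then direct delivery in the wait phase); it abstracts away the real DTN routing interfaces and the binary-spray variant.

public class SprayAndWaitDecision {
    // Decide whether to hand a copy of the message to the encountered node.
    // copiesLeft is the L counter attached to the message when it was created.
    static boolean shouldForward(int copiesLeft, boolean encounteredIsDestination) {
        if (encounteredIsDestination) {
            return true;          // deliver to the destination in either phase
        }
        return copiesLeft > 1;    // spray phase: still have copies to hand out
    }

    public static void main(String[] args) {
        System.out.println(shouldForward(6, false)); // spray to a relay
        System.out.println(shouldForward(1, false)); // wait phase: hold the copy
        System.out.println(shouldForward(1, true));  // destination met: deliver
    }
}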

4.2 First Contact (FC)

In First Contact [15], [16] routing, the router transmits the message to a randomly chosen node among those that come within its communication range. Under congested networks the messages cannot be routed.

4.3 Direct Delivery (DD)

In Direct Delivery [16], the source node transmits the message to another node only when that node is its destination. Direct Delivery can be considered a limiting single-copy case in which the message always takes the direct path between source and destination.

4.4 Epidemic routing

Epidemic Routing [6] spreads application messages to nodes, called carriers, within connected areas of ad hoc networks. In Epidemic Routing, when a carrier comes into contact with another connected portion of the network through node mobility, it spreads the message to the nodes there. Through such iterative transmission of data, messages have a high probability of reaching their destination.

5. Algorithm (DLA)

In the normal scenario there are two situations in which a message is dropped: after expiration of its TTL, or when it has been delivered to its destination. When the node buffer is fully occupied and a new message arrives, the problem is which message from the buffer should be chosen to drop (congestion drop). Assume M messages are propagated in the network using replication. We consider a time instant at which NODE-A is packed full and a new message copy M6 of size 300 kB arrives from NODE-B.

Figure 1. Congested buffer at Node-A receiving a new message from Node-B

The DOA algorithm drops the oldest messages from the buffer until room of 300 kB becomes available; NODE-A will drop M1, M2, M3 and M4 to free enough space (300 kB) for the new message. The DLA policy instead drops the largest message, which is M5. Hence the drop count and overhead are considerably reduced, while the messages M1, M2, M3 and M4 stay in the network, which increases the delivery of messages.

Table 1: Variables

Variable  Description
Ni        Node i, i = {1, 2, 3, ..., n}
SM        Size of message
BN        Buffer size at each node
BNA       Buffer available at each node
Nc        Node holding the connection counter
MN        New message
MR        Messages currently held by the router
Bu        Buffer in use

Algorithm DLA

/* Compute the buffer space currently in use */
Bu = 0
for each message MRi in MR
    Bu = Bu + Size(MRi)
end for
BNA = BN - Bu                      /* available buffer space */

if SM <= BNA then
    Add(MN, BN)                    /* enough room: store the new message */
else
    /* congestion: drop the largest buffered messages until the new message fits */
    while SM > BNA
        Greatest = 0
        for each message MRi in MR
            if Size(MRi) > Greatest then
                Greatest = Size(MRi)
                Largest = MRi
            end if
        end for
        Remove(Largest, MR)        /* drop the largest message */
        BNA = BNA + Greatest       /* reclaim its space */
    end while
    Add(MN, BN)
end if
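A compact Java rendering of the DLA logic above; the Message record and the list-based buffer are simplified stand-ins for the router's internal structures in the ONE simulator, not its actual classes.

import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class DlaBuffer {
    record Message(String id, int size) {}

    private final int capacity;                              // BN: total buffer size
    private final List<Message> buffer = new ArrayList<>();  // MR: messages currently held

    DlaBuffer(int capacity) { this.capacity = capacity; }

    private int used() {                                     // Bu: buffer space in use
        return buffer.stream().mapToInt(Message::size).sum();
    }

    // Store a new message, dropping the largest buffered messages until it fits (DLA).
    void add(Message incoming) {
        while (capacity - used() < incoming.size() && !buffer.isEmpty()) {
            Message largest = buffer.stream()
                    .max(Comparator.comparingInt(Message::size))
                    .orElseThrow();
            buffer.remove(largest);                           // congestion drop: largest first
        }
        buffer.add(incoming);
    }

    public static void main(String[] args) {
        DlaBuffer node = new DlaBuffer(1000);
        node.add(new Message("M1", 100));
        node.add(new Message("M5", 700));
        node.add(new Message("M6", 300));  // forces M5, the largest message, to be dropped
    }
}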


6. Simulation and results

In the following section we examine the routing protocols of Section 4 with the existing policy (DOA) and the proposed policy (DLA). All experiments were performed using the ONE simulator. The ONE [5] simulator is a discrete event simulator written in Java. Its main objective is to implement the DTN store-carry-forward behaviour, in which messages are held for long periods and the probability of disconnections and failures is high.

Table 2: Simulation setup

Number of nodes: 126
Movement model 1: Shortest path map based movement
Movement model 2: Map route movement
Number of groups: 6
Buffer size: 5 MB
Transmission range: 10 m
Transmission speed: 250 K
Message creation interval: 24-35 seconds

Figure 2. Message delivery (DLA, DOA)

First we consider the message delivery of the routing protocols with DOA and DLA, which is shown in figure 2. It is easy to see that the different routers have varying impact on message delivery, with higher delivery in the case of the Spray&Wait and Direct Delivery routers. First Contact with DLA lies between Spray&Wait and Direct Delivery, but gains higher message delivery than with DOA. In all router configurations the message delivery with DLA is better than with DOA; it is affected only in the Epidemic router, but there DLA improves the other metrics discussed later, which is an acceptable trade-off.

Figure 3. Message dropped (DLA, DOA)

Figure 3 plots the impact on message drop of DLA and DOA. In all router configurations DLA reduces the message drops by a significant quantity. We can observe the strength of DLA, which drops large messages and frees more buffer space, as described in the algorithm (section 5). In Epidemic routing the message delivery was affected, but the message drop is almost half that of the existing DOA; DLA has optimized the message drop metric.

Figure 4. Overhead ratio (DLA, DOA)

Figure 4 shows the influence of DLA and DOA with respect to overhead. We can see clearly that the overhead ratio with DLA decreases for all routers. In DD, due to direct transmission, the overhead is zero for both algorithms, while the Epidemic overhead is reduced to a considerable extent.

Figure 5. Buffer time average

Figure 5 shows the buffer time average with DLA and DOA. It can be clearly seen that DLA has a higher buffer time average with all routers.

7. Conclusion & future work

In this paper we propose an efficient buffer management policy, DLA, which drops the largest messages when the node buffer is congested. It also optimizes the routers' performance metrics, such as message delivery, message drop, overhead ratio and buffer time average, compared to DOA. Future work is to investigate the DLA (Drop Largest) technique against all existing buffer management policies.

References

[1] S. Jain, K. Fall, and R. Patra, "Routing in a delay tolerant network," in Proceedings of ACM SIGCOMM, pp. 145-158, 2004.

[2] T. Small and Z. J. Haas, "Resource and performance


Trade offs in delay-tolerant wireless networks,” in SIGCOMM Workshop on Delay Tolerant Networking (WDTN), pp.260-267, 2005.

[3] T. Spyropoulos, K. Psounis, and C. S. Raghavendra, "Spray and wait: an efficient routing scheme for intermittently connected mobile networks," in Proceedings of the ACM SIGCOMM workshop on Delay-tolerant networking, pp. 252-259, 2005.

[4] T. Spyropoulos, K. Psounis, and C. Raghavendra. “Efficient Routing in Intermittently Connected Mobile Networks: The Multi-copy Case,”IEEE/ACM Transactions on Networking (TON), vol. 16 , pp. 77-90,Feb. 2008

[5] Homepage of Opportunistic Network Environment (ONE). http://www.netlab.tkk._/%7Ejo/dtn/#one, Version 1, Accessed July 2010.

[6] A. Vahdat and D. Becker, “Epidemic routing for partially connected ad hoc networks,” Duke University, Tech. Rep. CS-200006, Apr. 2000.

[7] K. Scott and S. Burleigh, “Bundle protocol Specification.” RFC 5050, November 2007.

[8] J. Burgess, B. Gallagher, D. Jensen, and B. N. Levine. “MaxProp: Routing for Vehicle-Based Disruption-Tolerant Networks”. In IEEE International Conference on Computer Communications (INFOCOM),pp. 1-1, 2006.

[9] A. Balasubramanian, B. N. Levine, and A. Venkataramani. “DTN Routing as a Resource Allocation Problem,”. In ACM Conference on Applications, Technologies, and Protocols for Computer Communication (SIGCOMM), pp. 373 – 384, 2007.

[10] D. Aldous and J. Fill, “Reversible markov chains and random walks on graphs. (monograph in preparation.),” http://statwww.berkeley.edu/users/aldous/RWG/book.html.

[11] A. Krifa, C. Barakat, and T. Spyropoulos.” Optimal buffer management policies for delay tolerant networks”.In IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON), pp. 260-268, 2008.

[12] A. Lindgren, A. Doria, and O. Schelen, “Probabilistic routing in intermittently connected networks,” SIGMOBILE Mobile Computing and Communication Review, vol. 7, no. 3, 2003.

[13] Ms. E. Jenefa JebaJothi , Dr. V. Kavitha , Ms. T. Kavitha “Contention Based Routing in Mobile Ad Hoc Networks with Multiple Copies” JOURNAL OF COMPUTING, VOLUME 2, ISSUE 5, pp.14-19, MAY 2010.

[14] J.-Y. L BOUDEC, AND M. VOJNOVIC, “Perfect Simulation and Stationary of a Class of Mobility Models”. In Proc. Of IEEE Infocom, pp.2743 - 2754, 2005.

[15] A. KERÄNEN AND J. OTT, Increasing Reality for DTN Protocol Simulations. Tech. rep., Helsinki University of Technology, Networking Laboratory, July 2007.

[16] T. Spyropoulos, K. Psounis, and C. Raghavendra A, C. S. “Single-copy routing in intermittently connected mobile networks,” IEEE/ACM Transactions on Networking (TON), vol. 16, pp. 63-76, Feb. 2008.

[17] Yun Li, Ling Zhao ,Zhanjun Liu,Qilie Liu.” N-Drop Congestion Control strategy under Epidemic Routing in DTN.” Research center for wireless information networks,chongqing university of posts & Telecommunications ,chongqing 400065,china, pp. 457-460, 2009.

[18] A. Lindgren and K. S. Phanse, "Evaluation of queuing policies and forwarding strategies for routing in intermittently connected networks," in Proc. of IEEE COMSWARE, pp. 1-10, Jan. 2006.

Sulma Rashid received her MS degree in computer science in 2007 from IQRA University Islamabad, Pakistan, and her MCS degree in 2001 from UAAR, Pakistan. She has 10 years of teaching experience. Her areas of interest are DTN, ad hoc networks, security, network programming, operating systems, wireless networks and MANETs. As part of this paper she is working on optimizing and forwarding research issues in DTN routing.

Qaisar Ayub obtained his MCS Computer Science degree in 2005 from COMSATS Institute of Information Technology, Pakistan, and his BCS (Hons.) computer science degree from Allama Iqbal Open University, Pakistan in 2003. He has 5 years of experience in conducting professional trainings (Oracle, Java) and software development. As part of this paper he is working on QoS in DTN routing.


Overview of Detecting Stego-Content in Corporate Emails: a Web Based Steganalysis

Ms. P. T. Anitha1 and Dr. M. Rajaram2

1Asst. Prof./MCA, Karpagam College of Engineering,

Coimbatore 641032, Tamilnadu, India [email protected]

2HOD/ EEE,

Government College Engineering, Trinelveli, Tamilnadu, India, [email protected]

Abstract: Information security and integrity are becoming more important as we use email for personal communication and business. Steganography is used to hide the occurrence of communication. Recent suggestions in US newspapers indicate that terrorists use steganography to communicate in secret with their accomplices; in particular, images on the Internet were mentioned as the communication medium. While the newspaper articles sounded very dire, none substantiated these rumors. Today, email management is not only a filing and storage challenge. Because law firms and attorneys must be equipped to take control of litigation, email authenticity must be unquestionable, with strong chains of custody, constant availability and tamper-proof security. Email is insecure. This paper is designed to give a survey of how stego content can be detected with the help of steganalysis methods. The proposed work will develop a steganalysis framework that checks the email content of corporate mails by improving the DES algorithm with the help of a neural network approach. We anticipate that this paper can also give a clear picture of the current trends in steganography so that we can develop and improve appropriate steganalysis algorithms.

Keywords: Steganalysis, Steganography, Information Hiding, LSB, Stegdetect, Stego, Outguess

1. Introduction

The goal of steganalysis is to detect and/or estimate potentially hidden information from observed data with little or no knowledge about the steganography algorithm and/or its parameters. Steganalysis is both an art and a science. The art of steganalysis plays a major role in the selection of features or characteristics a typical stego message might exhibit, while the science helps in reliably testing the selected features for the presence of hidden information. While it is possible to design a reasonably good steganalysis technique for a specific steganographic algorithm, the long-term goal is to develop a steganalysis framework that can work effectively at least for a class of steganography methods, if not for all. The current trend in steganalysis suggests two extreme approaches: (a) little or no statistical assumptions are made about the image under investigation, and statistics are learnt using a large database of training images, and (b) a parametric model is assumed for the image and its statistics are computed for steganalysis detection. This proposed research will analyze the techniques available to detect stego content in corporate emails.

analyze the techniques available to detect stego content in corporate emails.

1.1 Steganography vs. Steganalysis

Steganography is the art of covered or hidden writing [7]. The purpose of steganography is covert communication, hiding the existence of a message from a third party. Steganography is often confused with cryptology because the two are similar in that both are used to protect important information [7]. The difference is that steganography hides information so that it appears no information is hidden at all: a person who views the object in which the information is hidden has no idea that anything is concealed [11], and therefore will not attempt to decrypt it. In the modern sense of the word, steganography usually refers to information or a file concealed inside a digital picture, video, or audio file. New steganographic techniques are being developed, and information hiding is becoming more advanced, driven by the motives of its use. Besides the hype about terrorists using steganography, there has recently been a case of corporate espionage reported by Phadnis (2007), where confidential information was leaked to a rival firm using steganographic tools that hid the information in music and picture files [9]. Although the perpetrator was caught in this case, it gives an idea of the wide landscape in which steganography can be applied [9]. In the modern approach, depending on the nature of the cover object, steganography can be divided into five types:

• Text Steganography
• Image Steganography
• Audio Steganography
• Video Steganography
• Protocol Steganography

Many steganographic techniques have therefore been designed that work with the above cover objects. Steganalysis is the science of detecting the presence of hidden data in cover media files and is emerging in parallel with steganography. Steganalysis has gained prominence in national security and forensic sciences, since detection of hidden (ciphertext or plaintext) messages can


lead to the prevention of disastrous security incidents. Steganalysis is a very challenging field because of the scarcity of knowledge about the specific characteristics of the cover media (an image, an audio, or a video file) that can be exploited to hide information and to detect the same. The approaches adopted for steganalysis also sometimes depend on the underlying steganography algorithm(s) used.

2. Steganalysis Techniques

In this paper we discuss image steganalysis, though many of the techniques are applicable to other data types as well. Several approaches have been proposed to solve the steganalysis problem, and we broadly classify them into the following groups.

Supervised learning based steganalysis: These techniques employ a two-phase strategy: (a) a training phase and (b) a testing phase. In the training phase, examples of the form {(di, ti)}, where di denotes a stego image feature vector and ti denotes whether a secret message is embedded or not, are provided to a statistical classifier. The classifier "learns" the best classification rule from these examples [2]. In the testing phase, unknown images are given as input to the trained classifier to decide whether a secret message is present or not (a small illustrative sketch follows at the end of this section). Some steganalysis methods do not directly use this type of classical learning by example; instead, the training data is used to compute a regression model for a set of selected features, and this model is then used for steganalysis.

Blind identification based steganalysis: Blind identification methods pose the steganalysis problem as a system identification problem. Some statistical properties, such as the independence of the host and the secret message, are exploited. The embedding algorithm is represented as a channel, and the goal is to invert this channel to identify the hidden message.

Parametric statistical steganalysis: These approaches assume a certain parametric statistical model for the cover image, the stego image, and the hidden message. Steganalysis is formulated as a hypothesis testing problem, namely H0: no message (null hypothesis) versus H1: message present (alternative hypothesis). A statistical detection algorithm is then designed to test between the two hypotheses [10].

Hybrid techniques: Hybrid techniques overlap more than one of the above approaches.

The type and amount of information needed for successful steganalysis is a critical issue. The following two information types for steganalysis have been identified.

Spatial diversity information based steganalysis: Steganalysis methods can look for information in the spatial domain that repeats itself in various forms at different spatial locations (e.g., different blocks within an image, or different images). We call this spatial diversity based steganalysis.

Temporal diversity information based steganalysis: Steganographic information that appears repeatedly over time can also aid steganalysis. Such techniques are called temporal diversity information based steganalysis, e.g., video steganalysis [10].
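To make the supervised-learning approach concrete, the following is a minimal sketch (not part of the surveyed work) that trains a classifier on labelled feature vectors. It assumes NumPy and scikit-learn are available; the feature values are synthetic placeholders standing in for real image statistics such as image-quality metrics [2].

# Minimal sketch of supervised-learning steganalysis (illustrative only).
# Feature vectors are synthetic placeholders; in practice they would be
# statistics extracted from known cover and stego images.
import numpy as np
from sklearn.svm import SVC
from sklearn.model_selection import train_test_split

rng = np.random.default_rng(0)

# Training examples {(d_i, t_i)} with t_i = 0 (cover) or 1 (stego).
cover_features = rng.normal(loc=0.0, scale=1.0, size=(200, 8))
stego_features = rng.normal(loc=0.3, scale=1.0, size=(200, 8))  # embedding shifts the statistics
d = np.vstack([cover_features, stego_features])
t = np.array([0] * 200 + [1] * 200)

d_train, d_test, t_train, t_test = train_test_split(d, t, test_size=0.25, random_state=0)

classifier = SVC(kernel="rbf")   # the classifier "learns" a decision rule from the examples
classifier.fit(d_train, t_train)

# Testing phase: previously unseen feature vectors are classified as cover or stego.
print("detection accuracy:", classifier.score(d_test, t_test))

The particular classifier is incidental; any statistical learner could be substituted, since the approach depends mainly on how well the chosen features separate cover and stego images.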

Clearly, it is important to choose a proper steganalysis domain, appropriate features, statistical models and parameters, detector design, and user inputs such as the acceptable detection error probability. We discuss later some of the popular choices made by current steganalysis algorithms in this regard.

3. Image Steganalysis

Algorithms for image steganalysis are primarily of two types: specific and generic. The specific approach represents a class of image steganalysis techniques that depend heavily on the underlying steganographic algorithm used and have a high success rate for detecting the presence of the secret message, provided the message is hidden with the algorithm for which the techniques are designed. The generic approach represents a class of image steganalysis techniques that are independent of the underlying steganography algorithm used to hide the message, and produces good results for detecting the presence of a secret message hidden using new and/or unconventional steganographic algorithms. The image steganalysis techniques in both the specific and generic categories are often designed only to detect the presence of a secret message; decoding the message is considered complementary, not mandatory [8].

3.1. Specific Image Steganalysis Algorithms

Image steganography algorithms are most often based on an embedding mechanism called Least Significant Bit (LSB) embedding. Each pixel in an image is represented as a 24-bit value, composed of 3 bytes representing the R, G and B values for the three primary colors red, green and blue, respectively. A higher RGB value for a pixel implies a larger intensity. For instance, a pixel p represented as FF FF FF (hexadecimal) is composed of all three primary colors at their maximum intensity, and hence the color represented by this pixel is white. LSB embedding exploits the fact that changing the least significant bit of each of the three bytes of a pixel produces only a minor change in the intensity of the color represented by the pixel, and this change is not perceptible to the human eye [2]. For example, changing the color value of pixel p to FE FE FE (hexadecimal) makes the color darker by a factor of 1/256. Steganography algorithms based on LSB embedding differ in the pattern of modification: modification of randomly chosen pixels, or modification restricted to pixels located in certain areas of the image [3]. Images can be represented in different formats; the three most commonly used are GIF (Graphics Interchange Format), BMP (Bit Map) and JPEG (Joint Photographic Experts Group). Each of these image formats behaves differently when a message is embedded in it, and accordingly there exist different image steganalysis algorithms for each. We now discuss the algorithms for each of these formats.
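The following is a small, self-contained sketch of the LSB embedding mechanism described above; the pixel value and message bits are illustrative only.

# Minimal sketch of LSB embedding in a 24-bit RGB pixel (illustrative only).
# Changing the least significant bit of each channel alters the intensity
# by at most 1/256, which is imperceptible to the human eye.

def embed_bits_in_pixel(pixel, bits):
    """Replace the LSB of each (R, G, B) byte with one message bit."""
    return tuple((channel & 0xFE) | bit for channel, bit in zip(pixel, bits))

white = (0xFF, 0xFF, 0xFF)             # pixel "FF FF FF": pure white
stego = embed_bits_in_pixel(white, (0, 0, 0))
print(stego)                           # (254, 254, 254) -> "FE FE FE", slightly darker

# Extraction simply reads the LSBs back out of the stego pixel.
recovered = tuple(channel & 0x01 for channel in stego)
print(recovered)                       # (0, 0, 0)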


3.1.1. Palette Image Steganalysis

Palette image steganalysis is primarily used for GIF images. The GIF format supports up to 8 bits per pixel, and the color of each pixel is referenced from a palette table of up to 256 distinct colors mapped to the 24-bit RGB color space. LSB embedding in a GIF image changes the 24-bit RGB value of a pixel, and this can bring about a change in the palette color (among the 256 distinct colors) of the pixel. The strength of the steganographic algorithm lies in reducing the probability of a change in the palette color of the pixel and in minimizing the visible distortion that embedding the secret message can potentially introduce. Steganalysis of a GIF stego image is conducted by performing a statistical analysis of the palette table vis-à-vis the image, and a detection is made when there is an appreciable increase in entropy (a measure of the variation in the palette colors). The change in entropy is maximal when the embedded message is of maximum length.

3.1.2. Raw Image Steganalysis

Raw image steganalysis is primarily used for BMP images, which are characterized by a lossless LSB plane. LSB embedding on such images flips pixel values between the two gray-scale values of each LSB pair. The embedding of a hidden message therefore tends to average the frequencies of occurrence of the pixels with the two gray-scale values (a small illustrative sketch of this frequency-averaging idea follows at the end of this section). For example, if a raw image has 20 pixels with one gray-scale value and 40 pixels with the other, then after LSB embedding the count of pixels with each of the two gray-scale values is expected to be around 30. This approach was first proposed by Westfeld and Pfitzmann [5]; it assumes that the message length is comparable to the pixel count of the cover image (for longer messages) or that the location of the hidden message is known (for shorter messages).

3.1.3. JPEG Image Steganalysis

JPEG is a popular cover image format used in steganography. Two well-known steganography algorithms for hiding secret messages in JPEG images are the F5 algorithm [11] and the Outguess algorithm [6]. The F5 algorithm uses matrix embedding to embed bits in the DCT (Discrete Cosine Transform) coefficients in order to minimize the number of changes needed to embed a message.

3.2. Generic Image Steganalysis Algorithms

The generic steganalysis algorithms, usually referred to as universal or blind steganalysis algorithms, are intended to work on all known and unknown steganography algorithms. These steganalysis techniques exploit the changes in certain innate features of the cover images when a message is embedded. The focus is on identifying prominent features of an image that change monotonically and statistically as a result of message embedding. Generic steganalysis algorithms are developed to distinguish these changes precisely and maximally [9]. The accuracy of the prediction depends heavily on the choice of the right features, which should not vary across images of different varieties [12].
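As noted above, the following is a minimal sketch of the frequency-averaging idea behind raw image steganalysis (Section 3.1.2). The pixel lists are toy data; a real detector such as the chi-square attack of Westfeld and Pfitzmann [5] would turn this comparison into a formal statistical test over all pairs.

# Minimal sketch of the pair-of-values idea used in raw (BMP) image
# steganalysis (illustrative only). Full LSB embedding tends to equalize
# the frequencies of the two gray-scale values in each pair (2k, 2k+1),
# so a large imbalance suggests an unmodified image while near-equal
# counts across many pairs are suspicious.
from collections import Counter

def pair_imbalance(pixels):
    """Average normalized count difference within LSB pairs (2k, 2k+1)."""
    hist = Counter(pixels)
    diffs = []
    for k in range(128):
        even, odd = hist.get(2 * k, 0), hist.get(2 * k + 1, 0)
        if even + odd:
            diffs.append(abs(even - odd) / (even + odd))
    return sum(diffs) / len(diffs) if diffs else 0.0

# Toy data: a "cover" with 20 pixels of value 100 and 40 of value 101,
# and a "stego" version where embedding has averaged the counts to ~30 each.
cover = [100] * 20 + [101] * 40
stego = [100] * 30 + [101] * 30
print(pair_imbalance(cover))   # large imbalance -> likely unmodified
print(pair_imbalance(stego))   # near zero -> consistent with LSB embedding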

4. Evaluation of Steganalysis Tools

In order to evaluate the steganalysis tools, it is essential that the whole process be forensically sound to ensure the validity of the findings. Therefore, the following steps are followed throughout the process:

1. Obtain the steganographic and steganalysis tools.
2. Verify the tools (to ensure each tool does what it claims).
3. Obtain cover images, and generate MD5 hashes.
4. Apply steganalysis to the cover images, and generate MD5 hashes.
5. Generate steganographic images, and generate MD5 hashes.
6. Apply steganalysis to the steganographic images, and generate MD5 hashes.

In each of the steps where the cover images or the steganographic images are involved, MD5 hashes are used to verify whether the image has changed in any sense [1].
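The following is a minimal sketch of the hash-verification step using Python's standard hashlib module; the file name is a placeholder.

# Minimal sketch of the hash-verification step (illustrative only).
# MD5 digests are recorded for the cover and stego images so that any
# unintended change to a file during the steganalysis workflow can be
# detected. "cover.bmp" is a placeholder file name.
import hashlib

def md5_of_file(path):
    """Return the MD5 hex digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):
            digest.update(chunk)
    return digest.hexdigest()

baseline = md5_of_file("cover.bmp")    # hash recorded before analysis
# ... run the steganalysis tools on cover.bmp ...
after = md5_of_file("cover.bmp")       # hash recorded after analysis

if baseline != after:
    print("WARNING: image was modified during analysis")
else:
    print("image unchanged:", baseline)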

5. Detecting Stego Content in Corporate Mails

The proposed research will analyze the performance of an improved version of image steganalysis algorithms on corporate mails. A hybrid algorithm is under development for detection purposes, intended to detect stego content accurately. A large database is used to store the images. The performance and the detection ratio will be measured on corporate mails.

6. Conclusions

In this paper, we have analyzed the steganalysis algorithms available for image steganography. In summary, each carrier medium has its own special attributes and reacts differently when a message is embedded in it. Therefore, steganalysis algorithms have also been developed in a manner specific to the target stego file, and the algorithms developed for one cover medium are generally not effective for a different medium. This paper provides an overview of the steganalysis algorithms available for images and outlines the proposed framework for detecting stego content in corporate emails.

References

[1] Ahmed Ibrahim, "Steganalysis in Computer Forensics," Security Research Centre Conferences, Australian Digital Forensics Conference, Edith Cowan University, 2007.

[2] I. Avcibas, N. Memon, and B. Sankur, “Steganalysis using image quality metrics,” IEEE Trans. on Image Processing, vol. 12, no. 2, pp. 221–229, Feb. 2003.

[3] R. Chandramouli, A Mathematical Approach to Steganalysis, Proc. SPIE Security and Watermarking of Multimedia Contents IV, California, Jan. 2002.

[4] S. Geetha and S. Siva Sivatha Sindhu, "Detection of Stego Anomalies in Images Exploiting the Content Independent Statistical Footprints of the Steganograms," Department of Information Technology, Thiagarajar College of Engineering, Madurai, Informatica 33 (2009) 25–40.


[5] Greg Goth, "Steganalysis Gets Past the Hype," IEEE Distributed Systems Online (ISSN 1541-4922), Vol. 6, No. 4, April 2005.

[6] Guillermito, "Steganography: a few tools to discover hidden data." Retrieved September 29, 2007, from http://www.guillermito2.net/stegano/tools/index.html

[7] J. Kelley, "Terrorist instructions hidden online." Retrieved September 14, 2007, from http://www.usatoday.com/tech/news/2001-02-05-binladen-side.htm

[8] Liu Shaohui, Yao Hongxun, and Gao Wen, "Neural Network Based Steganalysis in Still Images," Department of Computer Science, Harbin Institute of Technology, ICME 2003.

[9] Niels Provos, Peter Honeyman, Hide and Seek: Introduction to Steganography, University of Michigan, Published by the IEEE Computer Society, 2003.

[10] N. Provos, and P. Honeyman, Detecting steganographic content on the internet. Retrieved September 2, 2007, from http://www.citi.umich.edu/u/provos/papers/detecting.pdf

[11] Samir K Bandyopadhyay and Debnath Bhattacharyya, "A Tutorial Review on Steganography," University of Calcutta, Senate House, 87/1 College Street, Kolkata, UFL & JIITU, 2008.

[12] Vajiheh Sabeti, Shadrokh Samavi, Mojtaba Mahdavi and Shahram Shirani, "Steganalysis of Embedding in Difference of Image Pixel Pairs by Neural Network," Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran; McMaster University, Hamilton, Canada, January 2009, Volume 1, Number 1, pp. 17–26, http://www.isecure-journal.org.

Ms. P. T. Anitha received her B.Sc. in Computer Applications and her Master of Computer Applications degree from Bharathiar University in 1993 and 1996, respectively. She has twelve years of teaching experience. She is pursuing a doctorate in Computer Science under the guidance of Dr. M. Rajaram, HOD of the Department of Electrical and Electronics Engineering, Government College of Engineering, Tirunelveli. Her area of research is steganalysis. She is currently working to improve the performance of the steganalysis algorithms used on corporate e-mails.