Improving System Performance by QoS Regulations with Adaptive Resource Management under Cyber Threats
Xiaobo Zhou, C. Edward Chow, Yu Cai, Ganesh Godavari
Department of Computer Science, UC. Colorado Springs
http://www.cs.uccs.edu/~zbo
Email: zbo@cs.uccs.edu

Hard Attacks vs. Soft Threats
• Examples: according to the impact of a DDoS attack, DDoS attacks can be classified into two categories
  • Traditional DDoS attacks: disruptively and completely disable the victim system’s service to its clients. Most known attacks belong to this category.
  • Degrading DDoS attacks: increasingly and/or periodically consume portions of a victim system’s resources so as to result in denial of service or poor quality of service (QoS) to some legitimate clients and/or important applications during high load periods
    • To remain undetected for a long time period
• Current on/off admission model not enough

Project Goals
• The project goal is to design effective admission control strategies, in combination with QoS-adaptive resource management mechanisms, to mitigate the impact of degrading DDoS attacks and other similar cyber threats
• Specifically, we plan to do:
  • Measurement-based admission control mechanisms that can admit and classify incoming traffic into multiple classes with different priority levels or QoS expectations according to clients’ behaviors and servers’ resources
  • QoS-driven resource management mechanisms that can provide QoS isolation and differentiation to the multiple classes by regulating the movement of traffic
  • Feedback control methods that can improve the robustness of system performance under changing traffic patterns

What is Service Differentiation
• Differentiated Services (DiffServ)
  • A proposed architecture by the IETF, 1998
  • to define configurable types of packet forwarding (called Per-Hop Behaviors, PHBs), which can provide local (per-hop) different levels of service quality for large aggregates of network traffic, as opposed to end-to-end performance guarantees for individual flows.
• Service models compared:
  • Best-effort services (Same-service-to-all)
  • Integrated Services (Reservations-based)
  • Differentiated Services (relative vs. absolute)

Models and Properties
• Models:
  • Absolute differentiated services: clients receive an absolute share of resource usages; possible low resource utilization
  • Relative differentiated services: higher classes will receive relatively better (or no worse) QoS than lower classes
  • Proportional differentiation model
• Properties:
  • Predictability: differentiation schedules must be consistent, independent of variations of the class workloads
  • Controllability: a number of controllable parameters adjustable for quality differentiation between classes
  • Fairness: lower classes should not be over-compromised, especially when workload is low

Proportional Responsiveness DiffServ
• Objective: average response time of different traffic classes should be kept proportional to their pre-specified differentiation weight
• A queueing-theoretical processing rate allocation scheme
• A static process allocation mechanism on Apache Web servers
  • not all allocated processes are always active due to dynamics
• An adaptive process re-allocation mechanism (IEEE ICWS 04; 28%)
  • dynamically and adaptively change the number of processes allocated to process pools while ensuring the ratios of allocations
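
The proportional response-time objective and the adaptive re-allocation step above, as an added example that is not the authors' code. It assumes each class pool behaves as an M/M/1 queue and that every server process contributes the same service rate; all function names and sample loads are hypothetical.

```python
# Added illustration; the M/M/1 model is an assumption, not the slides' stated scheme.

def proportional_rates(arrival, weight, capacity):
    """Split `capacity` (req/s) so mean response times T_i = 1/(mu_i - lambda_i)
    satisfy T_i / T_j = weight_i / weight_j."""
    spare = capacity - sum(arrival)
    if spare <= 0:
        # No allocation keeps every queue stable: admission control has to
        # reject or demote traffic before differentiation is possible.
        raise ValueError("offered load exceeds capacity")
    inv = [1.0 / w for w in weight]
    return [lam + spare * x / sum(inv) for lam, x in zip(arrival, inv)]


def response_times(arrival, rates):
    """Mean M/M/1 response time per class."""
    return [1.0 / (mu - lam) for lam, mu in zip(arrival, rates)]


def to_processes(rates, pool_size):
    """Turn rate shares into whole process counts (largest-remainder rounding)."""
    exact = [r / sum(rates) * pool_size for r in rates]
    counts = [int(e) for e in exact]
    by_remainder = sorted(range(len(rates)),
                          key=lambda i: exact[i] - counts[i], reverse=True)
    for i in by_remainder[: pool_size - sum(counts)]:
        counts[i] += 1
    return counts


def reallocate(arrival, weight, capacity, pool_size):
    """One adaptation step: measured arrival rates in, process counts out."""
    rates = proportional_rates(arrival, weight, capacity)
    return to_processes(rates, pool_size), response_times(arrival, rates)


if __name__ == "__main__":
    WEIGHTS = [1, 2]  # constructed: class 0 should see half the delay of class 1
    for load in ([30, 50], [30, 65], [30, 75]):  # constructed req/s samples
        try:
            print(load, reallocate(load, WEIGHTS, capacity=100, pool_size=20))
        except ValueError as err:
            print(load, "->", err)
```

As the lower class's load grows, the delay ratio stays at 2 while both absolute delays rise; once total load reaches capacity the allocation fails, which is the point where admission control has to act.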

Implementations
• We modified Apache Web server at application level to make one Apache listen to two different ports, and requests from different classes were routed to different ports
• Modified child_main() func. in http_main.c for process allocation