150 likes | 310 Views
Devising Secure Sockets Layer-Based Distributed Systems: A Performance-Aware Approach. Norman Lim, Shikharesh Majumdar, Vineet Srivastava, Dept. of Systems and Computer Engineering, Cistech Limited, Carleton University, Ottawa, Canada Ottawa, Canada. Presentation Outline.
E N D
Devising Secure Sockets Layer-Based Distributed Systems: A Performance-Aware Approach Norman Lim, Shikharesh Majumdar, Vineet Srivastava, Dept. of Systems and Computer Engineering, Cistech Limited, Carleton University, Ottawa, Canada Ottawa, Canada
Presentation Outline • Motivation and Proposed Solution • Additional Performance Optimizations • PO1: Multiple Channels • PO2: Batching • Performance Evaluation • Conclusions and Future Work Department of Systems and Computer Engineering
Motivation • In a distributed environment, exchanging documents containing sensitive information is common. • The state of the art: Transmit the entire document over a secure channel. • Problem: Can result in long document transmission times due to CPU-intensive operations (e.g. encryption/decryption) used by security protocols. • However, some documents can contain both sensitive and non-sensitive components • E.g., Document containing a patient’s medical history • Secure components (that can identify the person) • Non-Secure components Department of Systems and Computer Engineering
Proposed Solution • A performance enhancement technique called Security Sieve, is proposed. • Security sieve uses selective security which is based on two performance optimization principles: • Processing vs. Frequency principle • Centering principle Department of Systems and Computer Engineering
MS Word Macro 2 1 3 Department of Systems and Computer Engineering 5
Additional Performance Optimizations • Along with basic security sieve, two other performance optimizations (POs) are introduced: • PO1: Adds multiple channels to achieve concurrent data transmission • Based on parallel processing principle • PO2: Batches multiple document transfer requests that have the same destination • Based on batching principle Department of Systems and Computer Engineering
Split/Combine Algorithms • Even Split/Combine (ES) • Evenly divides data among the channels • Segment Split/Combine (SS) • Distributes entire text segments Department of Systems and Computer Engineering
Combining PO1 and PO2 • Combining PO1 and PO2, requires dividing the batch data lists (containing data for multiple files) into multiple sub-batch data lists. • Batch File Split/Combine (BFS) • Batch Even Split/Combine (BES) • Batch Segment Split/Combine (BSS) Department of Systems and Computer Engineering
Performance Analysis of Security Sieve: Sample Results • Performance Metric: Total Time: • Data transfer Time (Response Time) • Sieving and integration Times • Effect of P • Proportion of data corresponding to the secure components • When P is less than approximately 95% the security sieve system starts outperforming the secure-only system. Department of Systems and Computer Engineering
Evaluation of PO1: Multiple Channels • For the 1MB file, the mean total time increases, as the number of channels increases. • For the 10MB file, the lowest total time is achieved when using two channels.
Comparison of ES and SS Algorithm • The ES algorithm starts to outperform the SS algorithm when proportion of non-secure data is less than 40% • For all other values, the SS-based system has slightly lower response times because the split/combine times are lower. Department of Systems and Computer Engineering
Evaluation of PO2: Batching • PO2 is evaluated when a stream of file transfer requests arrives (following a Poisson process). • At higher λ, batching becomes more effective. • At low λ, system without batching displays higher performance. Department of Systems and Computer Engineering
Conclusions • Security sieve, a performance enhancement technique for improving the performance of transferring documents containing both sensitive and non-sensitive components • Performance measurements made on the prototype demonstrates the effectiveness of the security sieve technique. • Evaluation of PO1: Using multiple channels is effective in reducing response times but only when enough data is transferred • Evaluation of PO2: Batching is most effective at higher arrival rates. Department of Systems and Computer Engineering
Future Work • Development of a tool that searches a document and automatically marks the confidential data warrant further investigation. • Such a technique can be based on a user provided list of keywords and/or phrases that are associated with confidential information. Department of Systems and Computer Engineering
Evaluation of Combining PO1 and PO2 • When using the BSS and BES algorithm we observe that the mean total times are nearly identical. • When the BFS algorithm is used, the mean total time is higher, especially for medium and high values of x. Department of Systems and Computer Engineering