RELATIONSHIP BETWEEN DUPLICATES AND IN-NETWORK PROCESSING

We assert that, in many delay tolerant networks, duplicates may pose a larger problem: they hinder
the ability to partially process data within the network. In-network processing is seen as
desirable because it can dramatically reduce bandwidth requirements. Unfortunately, as we will
see, if data is coarsely aggregated within the network it can be difcult to detect or eliminate
duplicates, which can lead to incorrect answers.

In-network processing has been proposed in a number of delay-prone environments. For example, in
sensor networks, bandwidth is generally scarce, especially at the edges of the network, and thus
doing some fusion or aggregation of sensor readings as data is routed is potentially benecial. A
number of papers note the benets of in-network aggregation, citing orderof magnitude or greater
bandwidth reductions for some classes of operations given particular network topologies. Similarly,
when moving data between different classes of networks (e.g. the Internet and GPRS), it may be
useful to transcode or downsample data items, sometimes in a non-deterministic way, as when
dithering an image.

If the network cannot guarantee duplicate-free semantics, some in-network operations might produce
incorrect answers: consider a sensor network attempting to compute an average over the readings
from a number of sensors. If one of these readings is duplicated, it will obviously skew answers.
We call such operations duplicate sensitive. Of course, some in-network operations are duplicate
insensitive – computing a minimum of a set of readings, for example, has this property.

Thus, we have seen that, unless we wish to sacrice the availability of our network, duplicates may
arise in disconnection-prone delay tolerant networks. Furthermore, because many such networks may
wish to perform in-network computation, duplicates can be more problematic than in traditional
networks. In the next section, we examine possible techniques for mitigating the overhead of
duplicate elimination.

The Multiplexing Transport Protocol Suite

The two transport protocols most commonly used in the Internet are TCP, which offers a reliable
stream, and UDP, which offers a connectionless datagram service. We do not offer a connectionless
protocol, because the mechanisms of a rate-based protocol need a longer-lived connection to
work, as they use feedback from the receiver. The interarrival time of packets is measured at the
receiver and is crucial for estimating the available bandwidth and for discriminating congestion
and transmission losses. On the other hand, a multiplexing unreliable protocol that offers
congestion control can be used as a basis of other protocols. The regularity of a rate-based
protocol lends itself naturally to multimedia applications. Sound and video need bounds on arrival
time so that the playback can be done smoothly. A multimedia protocol is the natural offshoot.
Most multimedia applications need timely data. Data received after the playback time is useless.
Moreover, for a system with bandwidth constraints, late data is adverse to the quality of playback,
as it robs bandwidth from the flow. There are many strategies to deal with losses, from forgiving
applications to forward error correction (FEC) schemes. Retransmissions are rarely used, because
they take the place of new data, and the time to send a request and receive the retransmission may
exceed the timing constraints.

When multiple channels are available, and the aggregated bandwidth is greater than the bandwidth
necessary to transmit the multimedia stream, retransmissions can be done successfully without
harming the quality of playback. The simultaneous use of multiple link layers generates extra
bandwidth. The best-case scenario is the coupling of a low bandwidth, low delay interface with a
high bandwidth, high delay interface. The high bandwidth interface allows for a good quality
stream, while the low delay interface makes retransmissions possible by creating a good feedback
channel to request (and transmit) lost frames.

When the aggregated bandwidth is not enough to transmit packets at the rate required by the
application, packets have to be dropped or the application has to change the characteristics of
its stream. Adapting applications can change the quality of the stream on the fly to deal with
bandwidth variations, but for non-adapting applications, the best policy is to drop packets at
the sender. Sending packets that will arrive late will cause further problems by making other
packets late, which can have a snowball effect.

In contrast to a multimedia protocol, a reliable protocol has to deliver intact every packet that
the application sent. In this case, time is not the most important factor. Lost or damaged frames
will have to be retransmitted until they are successfully received. If the application expects the
data to be received in the same order it was sent, the protocol will have to buffer packets
received after a loss until the lost packet retransmission is received. Using the channel
abstraction to multiplex the data increases the occurrence of out-of-order deliver, increasing the
burden in the receiving end.

Signaling System Number 7 (SS7)

SS7 is the network control signaling protocol utilized by the Integrated Services
Digital Network (ISDN) services framework. ISDN control information for call handling
and network management is carried by SS7. SS7 is a large and complex network
designed to provide low latency and to have redundancy in many network elements. The
SS7 control-signaling network consists of signaling points, signaling links and signaling
transfer points. Signaling links or SS7 links interconnect signaling points. Signaling
points (SSP) use signaling to transmit and receive control information. A signaling point
that has the ability to transfer signaling messages from one link to another at level 3 (SS7
level 3 will be described in detail later) is a Single Transfer Point (STP). There is a
fourth entity, the Service Control Point (SCP), which acts as a database for the SS7
network. The STP queries the SCP to locate the destination of the calls. The design of
the SS7 protocol is such that it is independent of the underlying message transport
network. The design of the signaling network is very important in that it will directly
impact the availability of the overall system. In general, the network will be designed to
provide redundancy for signaling links and for STPs. Figure 1 shows a basic SS7
network.

Figure 1: SS7 Signaling Endpoints in a Switched-Circuit Network

A typical call can be illustrated using Figure 1. User A goes off-hook in New York
and begins dialing. User A is calling User C in San Francisco. The dialed digits are
transmitted across the local loop connection to a local switch that has signal point
functionality (SSP). The local switch translates the digits and determines the call is not
local to itself. The local switch will use its signal point functionality to signal into the
SS7 network to a Signal Transfer Point (STP). The STP queries a SCP to locate the
destination local switch. The STP signals to the destination local switch to alert it of the
incoming call. The destination local switch rings the phone of User C. User C answers
and the two local switches signal across the SS7 network and determine the bearer path
through the PSTN. Once the path is setup the call begins. When either user goes on
hook, the network signals the other end to tear down the bearer path and the call is
terminated. The worldwide SS7 network is divided into national and international levels.
This allows the numbering plans and administration to be separated.

Position and orientation tracking in VR devices

The absolute minimum of information that immersive VR (Virtual Reality) requires, is the position and
orientation of the viewer’s head, needed for the proper rendering of images. Additionally other
parts of body may be tracked e.g., hands – to allow interaction, chest or legs – to allow the
graphical user representation etc. Three-dimensional objects have six degrees of freedom
(DOF): position coordinates (x, y and z offsets) and orientation (yaw, pitch and roll angles for
example). Each tracker must support this data or a subset of it. In general there are
two kinds of trackers: those that deliver absolute data (total position/orientation values) and
those that deliver relative data (i.e. a change of data from the last state).

The most important properties of 6DOF trackers, to be considered for choosing the right
device for the given application are,

1. update rate – defines how many measurements per second (measured in Hz) are made.
   Higher update rate values support smoother tracking of movements, but require more
   processing.
2. latency – the amount of time (usually measured in ms) between the user’s real (physical)
   action and the beginning of transmission of the report that represents this action. Lower
   values contribute to better performance.
3. accuracy – the measure of error in the reported position and orientation. Defined
   generally in absolute values (e.g., in mm for position, or in degrees for orientation).
   Smaller values mean better accuracy.
4. resolution – smallest change in position and orientation that can be detected by the
   tracker. Measured like accuracy in absolute values. Smaller values mean better
   performance.
5. range – working volume, within which the tracker can measure position and orientation
   with its specified accuracy and resolution, and the angular coverage of the tracker.Beside these properties, some other aspects cannot be forgotten like the ease of use, size and
   weight etc. of the device. These characteristics will be further used to determine the quality and
   usefulness of different kinds of trackers.

DMA Controller in Embedded System

Consider an office that contains a file cabinet. In that file cabinet is paperwork
that several office workers need to access. Some only need to access it once in
a while, while others require the paperwork much more often. The manager of the
office sets up a policy so that some of the individuals have a personal key to get
into the file cabinet, while others must get a shared key from the manager. In other
words, some office workers have direct access to the file cabinet, and others have
indirect access.

In many embedded system designs, the CPU is the only device that is connected
to the memory. This means that all transactions that deal with memory must use
the CPU to get the data portion of that transaction stored in memory, just as some
office workers had to obtain the manager’s key. Direct memory access (DMA) is a
feature that allows peripherals to access memory directly without CPU intervention.
These peripherals correspond to the office workers with their own keys.

For example, without DMA, an incoming character on a serial port would generate
an interrupt to the CPU, and the firmware would branch to the interrupt handler,
retrieve the character from the peripheral device, and then place the
character in a memory location. With DMA, the serial port places the incoming
character in memory directly. When a certain programmed threshold is reached, the
DMA controller (not the serial port) interrupts the CPU and forces it to act on
the data in memory. DMA is a much more efficient process. Many integrated
microprocessors have multiple DMA channels that they can use to perform
I/O-to-memory, memory-to-I/O, or memory-to-memory transfers.

Trusted Internet Connection

Similar to Departments and Agencies that utilize Networx MTIPS, those using a TIC will already have a contractual relationship in place with their ISP, usually a Networx ISP. Pursuant to that relationship, the ISP, in its ordinary course of business, will use routing tables to ensure that only traffic intended for the Department or Agency’s IP addresses is routed to the Department or Agency’s networks. And the Department or Agency remains responsible for ensuring that only traffic intended for, or originating from, that Department or Agency is routed through the EINSTEIN sensor.

Since EINSTEIN collects network flow information for all traffic traversing a sensor, if, in a rare case the required contractual routing protections fail, in the normal course only network flow information associated with the improperly routed traffic would be collected. This mechanism minimizes the possibility of capturing or releasing Personally Identifiable Information (PII). If improperly routed network traffic matched a pattern of known malicious activity an alert would be triggered. In the event of an alert, and upon further inspection and investigation with the Department or Agency receiving the incorrectly routed traffic, a US-CERT analyst would be able to identify an incorrectly routed traffic error. US-CERT would then work with NCSD’s Network Security Deployment and Federal Network Security branches, the relevant Department or Agency, the ISP and, if necessary, the MTIPS vendor, to remedy the routing problem. In the unlikely event that an ISP’s routing tables mistakenly assign a government IP address to a commercial client, a routing loop would result. The routing loop would cause errors and break the commercial customer’s connection. When the ISP detects the routing loop or the customer reports its broken connections to the ISP, the ISP would correct the error in its ordinary course of business.

Power Analysis Attacks on Secure Embedded Systems

The power consumption of any hardware circuit (cryptographic ASICs or processors running
cryptographic software) is a function of the switching activity at the wires inside it.
Since the switching activity (and hence, power consumption) is data dependent, it is not
surprising that the key used in a cryptographic algorithm can be inferred from the power
consumption statistics gathered over a wide range of input data. These attacks are called
power analysis attacks and have been shown to be very effective in breaking embedded
systems such as smartcards. Power analysis attacks are categorized into two main classes:
Simple Power Analysis (SPA) attacks and Differential Power Analysis (DPA) attacks.

SPA attacks rely on the observation that in some systems, the power profile of
cryptographic computations can be directly used to reveal cryptographic information. For
example, Figure 1 shows the power consumption profile for an ASIC implementing the DES
algorithm. From the profile, one can easily identify the 16 rounds of the DES algorithm.
While SPA attacks have been useful in determining higher granularity information such as
the cryptographic algorithm used, the cryptographic operations being performed, etc.,
they require reasonably high resolution to reveal the cryptographic key directly. In
practice, SPA attacks have been found be useful in augmenting or simplifying brute-force
attacks. For example, it has been shown in that the brute-force search space for a SW DES
implementation on an 8-bit processor with 7 Bytes of key data can be reduced to 2^40 keys
from 2^56 keys with the help of SPA.

Figure 1: The power consumption profile of a custom hardware implementation
of the DES algorithm

DPA attacks employ statistical analysis to infer the cryptographic key from power
consumption data. These attacks use the notion of differential traces (difference between
traces) to overcome the disadvantages of measurement error and noise associated with SPA
techniques. DPA has been shown to be highly robust and effective in extracting keys from
several embedded systems, not limited to smartcards. Recent approaches such as enhance the
effectiveness of DPA attacks by providing techniques that improve the signal to noise
ratio. While the initial DPA attacks targeted DES implementations, DPA has also been used
to break public-key cryptosystems.

Computer Security Research with Human Subjects and Risks

As researchers it is in our best interests to determine how risks, benefits, and
informed consent apply to our research. We have the deepest knowledge of the
area, however, may not have sufficient experience in applied ethics to imme-
diately determine suitable guidelines. We ought to leverage other fields when
possible, since this is an issue for other disciplines as well. A step toward achiev-
ing this goal is to understand how our research compares to other fields.

To continue the discussion of computer security research with human subjects
we ought to compare and contrast our field with medical and behavioral research,
the two primary fields of human subjects research. To give a few examples of how
our research may differ, in our research there may be the need to collect large
amounts of potentially sensitive data, observe login credentials, actively attack
the subject, or obfuscate the true purpose of the study. It is reasonable to
ask whether our research is different in practice, since many of these examples
appear to be quite similar to medical or psychology research. A question that
ought to be addressed directly.

Ethics committees and IRBs are tasked with protecting the welfare of human
subjects, this includes evaluating whether subjects are suciently informed of
the risks and benefits of the research, whether the potential risks have been
minimized as much as possible, and if expected benefits outweigh the potential
risks. Additional factors are considered, but these represent most of the largest
concerns. Given that this is an area of expertise for IRB members, but not
necessarily for researchers, why would we suggest our community take an active
role in discussing how these terms apply to our research? IRBs clearly have
expertise in areas that security researchers do not, but it would be a mistake to
rely on the existing structure to be the primary source of ethical guidance.

We should look beyond the IRB because, we conjecture, few IRBs have a
member with sufficient technical expertise to thoroughly review computer secu-
rity research. IRBs have deep roots in medical research, other fields that conduct
human subjects research have a history of attempting to distinguish themselves
from medical research. Many institutions have responded by creating a
non-medical IRB. However, given the nascency of security research with human
subjects, and the wide array of expertise IRBs are expected to have, it’s un-
clear how many IRBs have adapted their membership to include the necessary
expertise.

Risks

Determining the continuum of risks that may be present in computer security
human subjects research is critical, and may benet ethical decision making for
other areas as well. Comprehension of the risks involved is an essential part of
IRB review, and is also essential to the primary schools of ethics, consequential-
ism and deontological. Due to the medical origins of regulations guiding human
subjects research, behavioral science researchers have aimed to distinguish them-
selves from biomedical researchers. Behavioral researchers have asserted that the
risks involved in their studies tend to be qualitative, compared to the physical
nature of biomedical research. The types of risks include physical, psycho-
logical, social, economic, legal, and dignity. Computer security research is
more like behavioral research in the sense that the risks typically aren’t physical,
and can be difficult to quantify and to describe.

Modeling Complex Systems

One way to examine what may be happening in self-organizing complex systems is through the use of computer simulations. Two free software programs, StarLogo (“Starlogo”, 2004) and NetLogo (Wilensky, 1999, 2004), offer users opportunities to witness self-organization in action by modeling the dynamics of complex systems. The Logo language, which is the foundation of these modeling systems, was developed by Seymour Papert at MIT in order to teach children the basics of computer programming. As such, it is user-friendly and easy to learn. The novice can explore models that are included in the model libraries, manipulating the variables through sliders and simple commands. Those with greater interest or more experience can create models of their own. Because of their accessibility and ease of use, these software programs can be found in labs and classrooms all over the world.

The three main components of the modeling environment are turtles, patches, and the observer. The individual agents in the system are called turtles, although they can represent any kind of agent from a molecule to a person. The environment in which the turtles operate is divided into patches. Patch size and movement by turtles within and between patches is determined by the program designer. Patches are not necessarily passive but may be, and typically are, active components of the system. Commands may apply either to turtles or to patches. The third component, the observer, can issue commands that affect both patches and turtles. The observer also conducts maintenance and documentation of the turtle world.

Variables within a model may be set up as sliders, and in many models the sliders can be manipulated while the model is running. This feature allows the user to alter variables and search for excellent solutions within the constraints identified by the model designer. For example, a simple model of an ecosystem might include agents identified as predators, other agents called prey and patches with food for the prey in varying amounts. The interactions between the two different kinds of agents, as well as between the agents and the patches, can be defined by simple commands that identify when predators eat prey, when prey eat food, under what conditions new agents are “born” and “die,” and so on. If such a model is designed with sliders to control the numer of predators and prey, as well as the proportion of food available, the user can experiment to try to determine how a change in one part of the system affects the system as a whole and how a system might adapt in order to survive or thrive.

The beauty of these modeling tools with regard to building the scientific mind is that they provide the user with a dynamic visual and interactive medium through which to explore the concepts of complex systems. They are simple enough to be used by students in middle or high school, while at the same time they have the potential sophistication required of graduate level research. As such, the use of these free modeling tools opens up the world of complex systems to a broad audience, including those without advanced understanding of science and mathematics. The medium itself can describe and explain, through color, pattern and motion, concepts that previously might have been incomprehensible.

Supporting ATM functions over multiple interfaces in the IMA group

IMA’s ability to preserve ATM cell order is only part of the reason why ATM attributes such as traffic
management and QoS control continue to function reliably over IMA links. The other key element is IMA’s
link management and framing capabilities. This section provides a conceptual overview of IMA framing
and how IMA uses the cells within IMA frames to regulate cell transmission rates (and cell delay) while
managing the IMA group and its constituent links.

Understanding IMA framing

An IMA process resides at each end of an IMA link. The two IMA processes communicate using IMA frames
to control data flow and manage the logical IMA group as well as its constituent DS1 (or E1) physical
links. Each IMA frame contains a fixed number of ATM cells. There are typically 128 cells in each IMA
frame, although operators can also set the frame size to 32, 64, or 256 cells, depending on the
specific IMA implementation.

As the ATM layer hands cells to the IMA process for transmission over the WAN, the IMA process
distributes them in round robin fashion among the constituent links, counting them, and grouping them
into IMA frames that span all of the constituent DS1 or E1 links. When the IMA process reaches the IMA
frame size limit, it begins creating a new IMA frame. Figure 1 illustrates this process for an IMA group
of three DS1 links.

Figure 1 — The two IMA processes associated with this IMA group communicate using IMA frames that
span across the three DS1 lines used to create the virtual 4.5 Mbps connection.

Regulating cell transmission rates and cell delay

Each IMA frame contains ATM data cells, ATM idle cells, and a few ATM cells marked as IMA Control Protocol
(ICP) cells. When an IMA process receives a frame, it hands off the ATM data cells to the ATM layer. The
IMA process uses the ICP cells, which are identified by a special code in the cell header, to communicate
with each other, control data flow, and manage both the IMA group and its constituent links.

Each IMA frame contains primarily ATM data cells. IMA frames include ATM idle cells only when there are no
ATM cells ready to transmit — that is, when the cell rate offered by the ATM layer for transmission over
the WAN is less than the virtual link cell rate. This use of idle cells is known as cell rate decoupling.
Because the WAN transmits cells at full speed even when the real ATM cell traffic is at a lower speed, the
two rates are decoupled.

Each IMA frame also contains one ICP cell per constituent DS1 or E1 link. The ICP cells are always
transmitted in the same location on a given DS1 or E1 link; however, the ICP cells can be transmitted in
different locations on different links. For example, one constituent link may always transmit the ICP cell
as the fourth cell in the IMA frame, while another link in the same IMA group may always transmit its ICP
cell as the twelfth cell in the IMA frame. In Figure 1, the DS1 WAN link 1 always transmits its ICP cell in
the second cell of the IMA frame, while DS1 WAN link 2 transmits its ICP cell in the first cell of the IMA
frame, and DS1 WAN link 3 transmits its ICP cell in the last cell of the IMA frame. (Figure 1 shows the ICP
cells as highlighted cell boxes.)

Because it inserts one ICP cell on each DS1 link per frame, the IMA process can introduce some delay into
the cell flow. However, the standard includes smoothing buffers that remove the delay and support virtual
circuits of all QoS classes, including those requiring minimal cell delay and predictable cell delay variation.
In addition, the IMA standard includes bit stuffing and other techniques that allow predictable cell delay
variation even when the different DS1 links use different clocks and have different delay variations.

Managing individual links

The IMA specification relies on ICP cells to monitor the status of the links in the IMA group and
dynamically adjust the bandwidth available on the IMA link. This function is critical to IMA’s ability
to bundle multiple DS1 or E1 links into a persistent virtual connection that can transmit ATM cells in
both directions.

During normal operations, individual links in the IMA group can be added, removed from service, or
simply fail — affecting the amount of bandwidth available for the IMA group. The IMA specification
requires the IMA group to dynamically adjust to these changing conditions without requiring operators to
stop and restart the overall traffic flow. The two IMA processes use ICP cells to communicate the status
of the constituent links as well as the IMA group as a whole. The IMA processes use the ICP cells to
remove failed links from the IMA group, and to restore recovered links to the IMA group.

This dynamic response to changing network conditions improves the fault tolerance on the IMA link. If
one constituent link in the IMA group fails, the throughput on the link will drop, but the IMA group will
automatically shift the traffic to the remaining links. The IMA group continues to transmit traffic as
long as at least one of its constituent links remains operational. Similarly, if an operator restores a
failed link to the IMA group or adds a new link, the IMA processes automatically adjust to the IMA group’s
new maximum bandwidth rate — again without interrupting the existing traffic flow.