Abstract In network (e.g., Web) servers, it is often desirable to isolate the performance of different classes of requests from each other. That is, one seeks to achieve that a certain minimal proportion of server resources are available for a class of requests, independent of the load imposed by other requests. Recent work demonstrates how to achieve this performance isolation in servers consisting of a single, centralized node; however, achieving performance isolation in a distributed, cluster based server remains a problem. This paper introduces a new abstraction, the cluster reserve, which represents a resource principal in a cluster based net- work server. We present a design and evaluate a prototype implementation that extends existing techniques for perfor- mance isolation on a single node server to cluster based servers. In our design, the dynamic cluster-wide resource manage- ment problem is formulated as a constrained optimization problem, with the resource allocations on individual ma- chines as independent variables, and the desired cluster-wide resource allocations as constraints. Periodically collected re- source usages serve as further inputs to the problem. Experimental results show that cluster reserves are effective in providing performance isolation in cluster based servers. We demonstrate that, in a number of different scenarios, cluster reserves are effective in ensuring performance isola- tion while enabling high utilization of the server resources.
Abstract A scalable architecture for content-aware request distribution in Web servers clusters is presented. In this architecture, a level-4 switch acts as the point of contact for the server on the Internet and distributes the incoming requests to a number of back-end nodes.The switch does not perform any content-based distribution. This function is performed by each of the back-end nodes, which may forward the incoming request to another back-end based on the requested content. In terms of scalability, this architecture compares favorably to existing approaches where a front-end node performs content-based distribution. In this architecture, the expensive operations of TCP connection establishment and handoff are distributed among the back-ends, rather than being centralized in the front-end node. Only a minimal additional latency penalty is paid for much improved scalability. This architecture has been implemented, and its superior scalability is demonstrated by comparing it to a system that performs content-aware request distribution in the front-end, both under synthetic and trace-driven workloads.
Abstract Previous research has addressed the scalability and avail-ability issues of building large-scale cluster-based network services. This paper studies the clustering of replicated ser-vices when the persistent service data is frequently updated. To this end we propose Neptune, an infrastructural middle-ware that provides a flexible interface to aggregate and repli-cate existing service modules and accommodate a variety of underlying storage mechanisms. Neptune maintains dynamic and location-transparent service mapping to isolate faulty service modules and enforce replica consistency. It allows efficient use of a multi-level replica consistency model with a staleness control at its highest level. This paper describes Neptune's overall architecture, data replication support, and its performance.
Abstract Under high loads, a Web server may be servicing many hundreds of connections concurrently. In traditional Web servers, the question of the order in which concurrent connections are serviced has been left to the operating system. In this paper we ask whether servers might provide better service by using non-traditional service ordering. In particular, for the case when a Web server is serving static files, we examine the costs and benefits of a policy that gives preferential service to short connections. We start by assessing the scheduling behavior of a commonly used server (Apache running on Linux) with respect to connection size and show that it does not appear to provide preferential service to short connections. We then examine the potential performance improvements of a policy that does favor short connections (shortest-connection-first). We show that mean response time can be improved by factors of four or five under shortest-connection-first, as compared to an (Apache-like) size-independent policy. Finally we assess the costs of shortest-connection-first scheduling in terms of unfairness (i.e., the degree to which long connections suffer). We show that under shortest-connection-first scheduling, long connections pay very little penalty. This surprising result can be understood as a consequence of heavy-tailed Web server workloads, in which most connections are small, but most server load is due to the few large connections. We support this explanation using analysis.
Abstract Language-based extensible systems, such as Java Virtual Machines and SPIN, use type safety to provide memory safety in a single address space. By using software to provide safety, they can support more efficient IPC. Memory safety alone, however, is not sufficient to protect different applications from each other. Such systems need to support a process model that enables the control and management of computational resources. In particular, language-based extensible systems should support resource control mechanisms analogous to those in standard operating systems. They need to support the separation of processes and limit their use of resources, but still support safe and efficient IPC. We demonstrate how this challenge is being addressed in several Java-based systems. First, we lay out the design choices when implementing a process model in Java. Second, we compare the solutions that have been explored in several projects: Alta, K0, and the J-Kernel. Alta closely models the Fluke operating system; K0 is similar to a traditional monolithic kernel; and the J-Kernel resembles a microkernel-based system. We compare how these systems support resource control, and explore the tradeoffs between the various designs.
Abstract It is a common belief that most of computer system failures nowadays stem from programming errors. Computer systems are becoming more complex and harder to maintain and administer, making software errors an even more common case, while contemporary computer architectures are optimized for price and performance and not for availability. In this paper, we raise a case for an increasing relevance of memory hardware soft-errors. In particular with the introduction of 64-bit processors, memory scaling is significantly increased, resulting in higher probability for memory errors. At the same time, due to the ubiquitous use of computers, such as at higher altitudes, environmental conditions impact errors (terrestrial cosmic rays). Finally, in shared memory systems, the failure of one node's memory can take the whole machine down. Current commodity systems do not tolerate memory errors, neither commodity hardware (processors, memories, interconnects) nor software (operating systems, applications, application environments). At the same time, users expect increased reliability. We present the problems of such errors and some solutions for memory error recovery at the processor, operating system and programming model level. Zoran's part: Main memories are getting larger and experience a number of memory hardware soft-errors caused by various sources including cosmic rays. Modern commodity processor architectures like the IA-64 support machine check aborts, which enable operating system to detect and to recover from the memory soft-errors. It is becoming possible to add support to operating systems running on the top of commodity hardware to recover from the number of memory soft-errors. We believe that simple handling of most common cases can significantly increase commodity system availability. We have studied linux operating system for providing support to signal process if the memory soft-error occurred in user space. Using detailed profile of linux data structures we show that file and network intensive applications spend substantial time running operating system code. This increases the need for advanced kernel data structures and support for recovery from errors detected while in kernel mode. Added mechanisms for recovery from memory soft-errors increases commodity systems availability.
Abstract For some real time applications, estimation of an upper bound on execution time is very important. In general the worst time analysis methods use worst case instruction execution time to guess the worst case behavior of the code. The authors of this paper are trying to prove this assumption is wrong under some arcitectures. As an example, these architectures can introduce an anomaly that might cause a cache miss to result in a faster execution time than a cache hit. Besides the problem gets worse because of the reason that the known analysis methods are not very helpful to include the effects of these anomalies. The authors first show a variaty of anomalies. They also propose some simple code modification techniques to prevent such anomolies.
I. Definition of an IDS
A. Abstract Model of an IDS (CIDF)
B. Classification of IDSs
1. Host-based vs. Network-based
2. Anomaly/behavior-based vs Signature/misuse-based
3. Pros/Cons of each
C. Brief history of research in IDS to give perspective
1. Started Host-based
2. Moved Network-based
3. moving to a hybrid
II. The Limitations of IDSs, primarily Network-based IDSs (NIDSs)
A. Theoretical Limitation (Halting Problem)
B. Practical Limitations of NIDSs
1. Insertion Attacks
2. Deletion Attacks
3. Denial of Service Attacks
III. Current directions in research
A. Hybrid approach
B. OS wrappers
Abstract
All currently available network intrusion detection (ID) systems rely
upon a mechanism of data collection---passive protocol
analysis---which is fundamentally flawed. In passive protocol
analysis, the intrusion detection system (IDS) unobtrusively watches
all traffic on the network, and scrutinizes it for patterns of
suspicious activity.
We outline in this paper two basic problems with the reliability of
passive protocol analysis: (1) there isn't enough information on the
wire on which to base conclusions about what is actually happening on
networked machines, and (2) the fact that the system is passive makes
it inherently "failopen," meaning that a compromise in the
availability of the IDS doesn't compromise the availability of the
network. We define three classes of attacks which exploit these
fundamental problems---insertion, evasion, and denial of service
attacks --- and describe how to apply these three types of attacks to
IP and TCP protocol analysis.
We present the results of tests of the efficacy of our attacks against
four of the most popular network intrusion detection systems on the
market. All of the ID systems tested were found to be vulnerable to
each of our attacks. This indicates that network ID systems cannot be
fully trusted until they are fundamentally redesigned.