Pramod S. Pawar, Srijith K. Nair, Fadi Ali El-Moussa, Theo Dimitrakos, Muttukrishnan Rajarajan and Andrea Zisman, Opinion Model Based Security Reputation Enabling Cloud Broker Architecture.,
3rd International Conference on Cloud Computing 24 - 26 Sep 2012, Wien, Austria.
PDF, DOI, Show Abstract
Security and trust in service providers is a major concern in the use of cloud services and the associated process of selecting a cloud service provider that meets the expectations and needs of one’s security requirements is not easy. As a solution, we propose a broker architecture model that enables us to build a security reputation framework for cloud service providers, capturing comprehensive evidence of security information to build its trust and security reputation.
Anirban Basu, Jaideep Vaidya, Hiroaki Kikuchi, Theo Dimitrakos and Srijith K Nair, Privacy preserving collaborative filtering for SaaS enabling PaaS clouds,
Journal of Cloud Computing: Advances, Systems and Applications, Vol 1, Issue 1, Article 8, July 2012.
PDF, DOI, Show Abstract
Recommender systems use, amongst others, a mechanism called collaborative filtering (CF) to predict the rating that a user will give to an item given the ratings of other items provided by other users. While reasonably accurate CF can
be achieved with various well-known techniques, preserving the privacy of rating data from individual users poses a significant challenge. Several privacy preserving schemes have, so far, been proposed in prior work. However, while
these schemes are theoretically feasible, there are many practical implementation difficulties on real world public cloud computing platforms. In this paper, we present our implementation experience and experimental results on
two public Software-as-a-Service (SaaS) enabling Platform-as-a-Service (PaaS) clouds: the Google App Engine for Java (GAE/J) and the Amazon Web Services Elastic Beanstalk (AWS EBS).
Yair Diaz-Tellez, Eliane L. Bodanese, Srijith K. Nair and Theo Dimitrakos, An Architecture for the Enforcement of Privacy and Security Requirements in Internet-Centric Services, 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), pp. 1024-1031, June 25-27, 2012, Liverpool, United Kingdom.
DOI, Show Abstract
This paper focuses on the problem of how to protect personal data and privacy in the context of internet-centric services. Two main challenges are considered: how to enable individuals to express data protection requirements on their data in a disclosure request; and how to ensure data is actually protected and processed according to the intended purpose of use after being disclosed. As part of our solution, we introduce the notion of a distinctive online service and architectural component, called the Privacy and Security Broker (PSB), responsible for the protection of personal data. The PSB enables a user to express their data protection requirements and translates them into "Data Protection Property Policies" (DPPPs). A high level architecture and the corresponding protocols involving the interaction of the main actors of our solution are presented.
- P. S. Pawar, M. Rajarajan, S. Krishnan Nair and A. Zisman, Trust Model for Optimized Cloud Services,
6th IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2012), pp. 97-112, May 21-25, 2012, Surat, India
PDF, DOI, Show Abstract
Cloud computing with its inherent advantages draws attention for business critical applications, but concurrently expects high level of trust in cloud service providers. Reputation-based trust is emerging as a good choice to model trust of cloud service providers based on available evidence. Many existing reputation based systems either ignore or give less importance to uncertainty linked with the evidence. In this paper, we propose an uncertainty model and define our approach to compute opinion for cloud service providers. Using subjective logic operators along with the computed opinion values, we propose mechanisms to calculate the reputation of cloud service providers. We evaluate and compare our proposed model with existing reputation models.
- Django Amstrong, Karim Djemame, Srijith Nair, Johan Tordsson and Wolfgang Ziegler, Towards a Contextualization Solution for Cloud Platform Serices,
3rd IEEE International Conference on Cloud Computing Technology and Science (IEEE CloudCom 2011), pp.328-331, Nov 29 -
Dec 1, 2011, Athens, Greece DOI, Show Abstract
We propose a cloud contextualization mechanism which operates in two stages, contextualization of VM images prior to service deployment (PaaS level) and
self-contextualization of VM instances created from the image (IaaS level). The contextualization tools are implemented as part of the OPTIMIS Toolkit, a set of
software components for simplified management of cloud services and infrastructures. We present the architecture of our contextualization tools and the
feasibility of our contextualization mechanism is demonstrated in a three-tier web application scenario. Preliminary performance results suggest acceptable
performance and scalability.
Rajarajan, M., Sajjad, A., Zisman, A., Nair, S. K. and Dimitrakos, T., Dynamic virtual private
network provisioning from multiple cloud infrastructure service providers. 4th
European Conference ServiceWave 2011, 26 - 28 Oct 2011, Poznan, Poland.
PDF, Show Abstract
The Cloud infrastructure service providers currently provision basic virtualized computing resources as on demand and dynamic services but there is no common framework in existence that allows the seamless provisioning of even these basic services across multiple cloud service providers, although this is not due to any inherent incompatibility or proprietary nature of the foundation technologies on which these cloud platforms are built. We present a solution idea which aims to provide a dynamic and service oriented provisioning of secure virtual private networks on top of multiple cloud infrastructure service providers. This solution leverages the benefits of peer to peer overlay networks, i.e., the flexibility and scalability to handle the churn of nodes joining and leaving the VPNs and can adapt the topology of the VPN as per the requirements of the applications utilizing its intercloud secure communication framework.
- Johan Tordsson, Karim Djemame, Daniel Espling, Gregory Katsaros, Wolfgang Zielgler, Oliver Waldrich, Kleopatra
Konstanteli, Ali Sajjad, Muttukrishnan Rajarajan, Georgina Gallizo and Srijith K. Nair, Towards Holistic Cloud
Management, book chapter in "European Research Activities in Cloud Computing"
PDF, Show Abstract
Despite significant attention and substantial efforts both in industry and academia, cloud computing has yet to reach its full potential. Commonly stated obstacles for cloud adoption include confusion due to multiple delivery models (SaaS, PaaS, IaaS) and deployment scenarios (public clouds, private clouds, cloud bursting etc.). Other frequent concerns relate to risks with outsourcing, data legislation issues, inability to assess trust in external providers, etc. In addition to these obstacles to cloud computing as a concept, there are also technical thresholds in today's cloud offerings, making cloud infrastructure provisioning and service lifecycle management tedious processes. We aim to address these issues by research in five main directions: cloud service lifecycle optimization, adaptive self-preservation, self-management based on non-functional criteria, support for multiple cloud architectures, as well as market and legislative studies. The main outcome of our research is the OPTIMIS Toolkit, a set of flexible tools for service and infrastructure self-management.
- Chittaranjan Hota, Sunil Sanka, Muttukrishnan Rajarajan, Srijith K. Nair, Capability-based Cryptographic Data Access Control
in Cloud Computing, International Journal of Advanced Networking and Applications (IJANA) (accepted)
PDF, Show Abstract
Cloud computing has emerged as a popular model in computing world to support processing large volumetric data using clusters of commodity computers. It is the latest effort in delivering computing resources as a service. It is used to describe both a platform and a type of application. A cloud computing platform dynamically provisions, configures, and deprovisions servers as needed. Cloud computing also describes applications that are extended to be accessible through the Internet. Data security and access control is one of the most challenging ongoing research work in cloud computing, because of users outsourcing their sensitive data to cloud providers. Existing solutions that use pure cryptographic techniques to mitigate these security and access control problems suffer from heavy computational overhead on the data owner as well as the cloud service provider for key distribution and management. This paper addresses this challenging open problem using capability based access control technique that ensures only valid users will access the outsourced data. This work also proposes a modified Diffie-Hellman key exchange protocol between cloud service provider and the user for secretly sharing a symmetric key for secure data access that alleviates the problem of key distribution and management at cloud service provider. The simulation run and analysis shows that the proposed approach is highly efficient and secure under existing security models.
Sakshi Porwal, Srijith K. Nair and Theo Dimitrakos, "Regulatory Impact of Data Protection and Privacy in the Cloud", (short paper) 5th IFIP International Conference on Trust Management (IFIPTM 2011), June 29 - July 1, 2011, Copenhagen, Denmark.
PDF, Show Abstract
The use of cloud computing services has developed into a new method for deploying software and services and hosting data. The model has provided
enormous social and economic benefits but at the same time it has also created potential privacy and security challenges for businesses, individuals and the
governments. For example, the use of shared compute environment, data storage and access via internet has made information vulnerable to misuse, and
thus, has made privacy a major concern for organisations adopting cloud services for storage and computation purpose. Generally, each country maintains their own
laws and regulations to prevent frauds and protect their citizens from harm, including the potential dangers of data privacy, essential when
internet and related technologies are involved. The European Union, for example, follows the overarching governmental regulations while the United States prefers
the Sectoral Approach to Data Protection legislation, which relies on the combination of legislation, regulation and self regulation. This report discusses
data protection issues related to cloud computing and identifies privacy laws enforced in the EU that can be applied to this model. Moreover, it also provides recommendations that cloud service providers
can consider to implement in order to provide enhancements to their services and to demonstrate that they have taken all necessary measures to comply with the data protection principals in place.
Srijith K. Nair, Sakshi Porwal, Theo Dimitrakos, Ana Juan Ferrer, Johan Tordsson, Tabassum Sharif,
Craig Sheridan, Muttukrishnan Rajarajan and Afnan Ullah Khan, "Towards Secure Cloud Bursting,
Brokerage and Aggregation", 8th European Conference on Web Services (ECOWS10), Industry Track, Dec. 1-3, 2010, Ayia Napa, Cyprus.
PDF, Show Abstract
The cloud based delivery model for IT resources is revolutionizing the IT industry. Despite the marketing hype around "the cloud", the paradigm itself is in a critical transition state from the laboratories to mass market. Many technical and business aspects of cloud computing need to mature before it is widely adopted for corporate use. For example, the inability to seamlessly burst between internal cloud and external cloud platforms, termed cloud bursting, is a significant shortcoming of current cloud solutions. Furthermore, the absence of a capability that would allow to broker between multiple cloud providers or to aggregate them into a composite service inhibits the free and open competition that would help the market mature. This paper describes the concepts of cloud bursting and cloud brokerage and discusses the open management and security issues associated with the two models. It also presents a possible architectural framework capable of powering the brokerage based cloud services that is currently being developed in the scope of OPTIMIS, an EU FP7 project.
Ana Juan Ferrer, Francisco Hernández, Johan Tordsson, Erik Elmroth, Csilla Zsigri, Raül Sirvent, Jordi Guitart, Rosa M. Badia, Karim Djemame, Wolfgang Ziegler, Theo Dimitrakos, Srijith K. Nair, George Kousiouris, Kleopatra Konstanteli, Theodora Varvarigou, Benoit Hudzia, Alexander Kipp, Stefan Wesner, Marcelo Corrales, Nikolaus Forgó, Tabassum Sharif and CraigSheridan,OPTIMIS: a Holistic Approach to Cloud Service Provisioning, First International Conference on Utility and Cloud Computing (UCC 2010), December 14-16, 2010, Chennai, India.
PDF, Show Abstract
We present the fundamentals for a toolkit for scalable and dependable service platforms and architectures that enable flexible and dynamic provisioning of cloud services. The innovations behind the toolkit are aimed at optimizing the whole service life cycle, including service construction, deployment, and operation, on a basis of aspects such as trust, risk, eco-efficiency and cost. Notably, adaptive self-preservation is crucial to meet predicted and unforeseen changes in resource requirements. By addressing the whole service life cycle, taking into account the multitude of future cloud architectures, and a by taking a holistic approach to sustainable service provisioning, the toolkit is aimed to provide a foundation for a reliable, sustainable, and trustful cloud computing industry.
Stelios Erotokritou, Srijith K. Nair, Theo Dimitrakos, "An efficient secure shared storage service with fault and investigative disruption tolerance", 2nd International Workshop on Security in Cloud Computing (SCC'2010), Sept. 13-16, 2010, San Diego, California, USA. PDF,
In this work we focus on solutions to an emerging threat to cloud-based services - namely that of data seizures within a shared multiple customer architecture. We focus on the problem of securing distributed data storage in a cloud computing environment by designing a specialized multi- tenant data-storage architecture. The architecture we present not only provides high degrees of availability and confidentiality of customer data but is also able to offer these properties even after seizures of various parts of the infrastructure have been carried out through a judicial process. Our solution uses a novel way of storing customer data - combining the cryptographic scheme of secret sharing and combinatorial design theory, to ensure that the requirements of the architecture are met. Furthermore, we show that our proposed solution is efficient with respect to the amount of hardware infrastructure required, thus making the implementation and use of our proposed architecture cost- efficient for adoption by IT enterprises.
Theo Dimitrakos, David Brossard, Pierre de Leusse and Srijith K. Nair, "Security of Service Networks",
Handbook of Information and Communication Security, Stavroulakis, Peter; Stamp, Mark (Eds.), Springer, pp. 349--380, January 2010.
Pierre de Leusse, Panos Periorellis, Theo Dimitrakos and Srijith K. Nair, "Self Managed Security Cell: A Security Model for the Internet of
Things and Services",The First International Conference on Advances in Future Internet, AFIN 2009, 18-23 June 2009, Athens/Glyfada, Greece.
pp. 47--52, IEEE Computer Society (Best Paper Award). PDF,
The Internet of Things and Services is a rapidly
growing concept that illustrates that the ever increasing amount
of physical items of our daily life which become addressable
through a network could be made more easily manageable and
usable through the use of Services. This surge of exposed
resources along with the level of privacy and value of the
information they hold, together with the increase of their usage
make for an augmentation in the number of the security threats
and violation attempts that existing security systems do not
appear robust enough to address. In this paper, the authors
underline this increase in risk and identify the requirements for
resources to be more resilient in this type of environment while
keeping an important level of flexibility. In addition, the authors
propose an architectural model of Self Managed Security Cell,
which leverages on current knowledge in large scale security
systems, information management and autonomous systems.
Gian Paolo Jesi, Edoardo Mollona, Srijith K. Nair and Maarten van Steen, "Prestige-based Peer Sampling Service:
Interdisciplinary Approach to Secure Gossip", 24th Annual ACM Symposium on Applied Computing, March 8-12, 2009,
Honolulu, Hawaii, USA. PDF,
The Peer Sampling Service (PSS) has been proposed as a mechanism
to initiate and maintain the set of connections between
nodes in unstructured peer to peer (P2P) networks. The PSS
usually relies on gossip-style communication where participants
exchange their links in a randomized way. However, the PSS network
organization can be easily modified by malicious nodes running
a "hub attack", in which they achieve a leading structural position.
From this prestigious status, the malicious nodes can severely
affect the overlay and achieve several application dependent advantages.
We present a novel method to overcome this attack and provide
results from simulation experiments that validate our claim.
This method is inspired by a simple technique used to detect social
leaders in firm's organizations that is based on the social (structural)
"prestige" of actors.
- Mohammad T. Dashti, Srijith K. Nair and Hugo L. Jonker, "Nuovo DRM Paradiso:Designing a Secure, Verified Fair DRM Scheme",
Fundamentae Informatica (FI), IOS Press, 89, pp. 1--25, 2008. PDF, IOS
Press, Show Abstract
We introduce Nuovo DRM, a digital rights management scheme aimed to be
secure from both a formal and a practical point of view. The scheme is
based on the recent DRM scheme of Nair et al., which we formally specify
in the µcrl process algebraic language. Nair et al. state the
following security requirements: effectiveness, secrecy, resistance of
content masquerading and strong fairness. These security requirements
are formalised and the scheme is formally checked against
these requirements. The finite model-check uncovered several security
weaknesses, which are addressed by Nuovo DRM. In addition to that, Nuovo
DRM introduces several procedural practices to enhance the security of
the scheme. A finite model of Nuovo is subsequently model-checked and
shown to satisfy its design requirements, including secrecy, fairness
and resistance to content masquerading.
- Srijith K. Nair, Gabriela Gheorghe, Bruno Crispo and Andrew S. Tanenbaum, "Enforcing DRM Policies Across Applications",
8th ACM DRM Workshop (DRM 2008), Co-located with ACM CCS 2008, pp. 87-94,
October 27, 2008, Alexandria, Virginia, USA. PDF, Show Abstract
In this paper we present Trishul-UCON (T-UCON), a DRM system based on the UCON_ABC model. T-UCON is designed to be capable of
enforcing not only application-specific policies, as any existing software-based DRM solution does, but also DRM policies across
applications. This is achieved by binding the DRM policy only to the content it protects with no relations to the application(s)
which will use this content. Furthermore, to guarantee that the policy is continuously enforced, we designed T-UCON as a JVM-based
middleware that mediates the usage requests of any Java application to the protected content. Each request is granted or denied
according to the content policy. We illustrate the unique features of T-UCON by using typical examples of DRM policies such as
the pay-per-use and the use only N times scenarios. Preliminary results on the overhead of our solution are also provided.
- Srijith K. Nair, Erik Zentveld, Bruno Crispo, Andrew S. Tanenbaum, "Floodgate: A Micropayment Incentivised P2P Content
Delivery Network" - 17th IEEE International Conference on Computer Communications and Networks (ICCCN 2008),
August 3 - 7, 2008, St. Thomas U.S. Virgin Islands, USA. - PDF, Show Abstract
As the sale of digital content is moving more and more online, the content providers are beginning to realise that bandwidth infrastructures are
not easily scalable. The emergence of peer-to-peer content delivery networks presents these providers with a way to overcome this limitation.
However, such networks have so far been ad-hoc in nature. One of the main reason for this
has been the lack of incentives for end users to contribute their bandwidth to the network. In this paper we present the design and implementation of
a peer-to-peer protocol named Floodgate that provides a micropayment based incentive for peers to contribute their bandwidth.
Floodgate implements an optimistic fair exchange protocol and is designed to be resilient against targeted attacks.
Performance measurements, including those conducted over the PlanetLab infrastructure, show that Floodgate's security and cryptographic overheads are low
when compared to the popular BitTorrent protocol. (pre-proceedings version)
- Srijith K. Nair, Patrick N.D. Simpson, Bruno Crispo and Andrew S. Tanenbaum, "A Virtual Machine Based Information Flow Control System for Policy
Enforcement" - Electronic Notes in Theoretical Computer Science, Vol. 197, Issue 1, 21 February 2008, pp. 3-16, Proc. of the First International Workshop on
Run Time Enforcement for Mobile and Distributed Systems (REM 2007), Sep 27, 2007, Dresden,
Germany. (doi:10.1016/j.entcs.2007.10.010), - PDF (pre-proceeding version),
The ability to enforce usage policies attached to data in a fine grained manner requires that the system be
able to trace and control the flow of information within it. This paper presents the design and implementation
of such an information flow control system, named Trishul, as a Java Virtual Machine. In particular
we address the hard problem of tracing implicit information flow, which had not been resolved by previous
run-time systems and the intricacies added on by the Java architecture. We argue that the security benefits
offered by Trishul are substantial enough to counter-weigh the performance overhead of the system as shown
by our experiments.
- Srijith K. Nair, Ron Gerrits, Bruno Crispo, Andrew S. Tanenbaum "Turning Teenagers into Stores", IEEE Computer, vol. 41, no. 2, pp. 58-62, Feb., 2008
Paradiso is a prototype of a system that lets consumers contact content providers to buy
songs and videos, and to buy optional content-resale rights. In essence, the scheme would
turn customers into content distributors, provide wider reach, and free up content providers'
bandwidth. However, such an architecture requires strict security precautions and interoperable
digital rights management standards among player manufacturers and content providers.
- Srijith K. Nair, Ivan Djordjevic, Bruno Crispo, Theo Dimitrakos, "Secure Web Service Federation Management
using TPM Virtualisation" - 4th ACM Workshop on Secure Web Services (SWS
2007), pp. 73-82, Nov 2, 2007, Alexandria, VA, USA. PDF
Web Services and SOA provide interoperability and architectural
baseline for flexible and dynamic cross-enterprise collaborations,
where execution and use of the participating services contributes
to the common objective. Relationships within these
collaborations are complex, with services joining and leaving
throughout the life cycle, or the same services being offered in
several collaborations simultaneously. This provides strong
requirements for federated security, where integrity and
confidentiality of the collaboration must be maintained through
membership control, security policy enforcement and separation
of web service instance interactions in different collaborations.
In this paper we propose a new Web Services (WS) framework for
managing and controlling WS interactions in a federated
environment, leveraging on platform virtualisation architecture
and the functionalities provided by trusted secure hardware. The
framework allows configuring policies that define collaboration
membership, and enforce access to the collaboration per-WS
instance. In addition, since the access to the configurations is
restricted, it provides master-slave model where only authorised
administrative entity can modify any of the above - either at the
deployment or at the execution time. Some of the benefits of the
proposed approach are: fine-grained external exposure of WSs, a
flexible model for group membership control and revocation and
hardware-enabled secure virtualised system providing functional
process isolation and strong data security.
- Ivan Djordjevic, Srijith K. Nair, Theo Dimitrakos, "Virtualised Trusted Computing Platform for Adaptive Security
Enforcement of Web Services Interactions" - IEEE 2007 International Conference on Web Services
(ICWS07), pp. 615-622, July 9-13, 2007, Salt Lake City, Utah, USA -
Security enforcement framework is an important
aspect of any distributed system. With new
requirements imposed by SOA-based business models,
adaptive security enforcement on the application level
becomes even more important.
Our work on the enforcement framework to date has
resulted in a comprehensive middleware-based
solution leveraging on web services technologies.
However, potential merits of hardware-based solutions
to further secure application exposure have not been
considered so far.
This paper describes a method for combining software
resource level security features offered by Web
Services technologies, with the hardware-based
security mechanisms offered by Trusted Computing
Platform and system virtualisation approaches. In
particular, we propose trust-based architecture for
protecting the enforcement middleware deployed at the
policy enforcement endpoints of web and grid services.
The main motivation is to additionally secure execution
environment of the applications, by providing virtual
machine level separation that maps from logical
domains imposed by web services level enforcement
- Nair, S.,Dashti, M.,Crispo, B., and Tanenbaum, A., "A Hybrid PKI-IBC Based Ephemerizer System", 2007, in IFIP
International Federation for Information Processing, Volume 232,
New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Efloff, M.,Labuschagne, L., Eloff, J., von
Solms, R., (Boston: Springer), pp. 241-252. - PDF, SpringerLink,
The concept of an Ephemerizer system has been introduced
in earlier works as a mechanism to ensure that a file deleted from the
persistent storage remains unrecoverable. The principle involved storing
the data in an encrypted form in the user's machine and the key to de-
crypt the data in a physically separate machine. However the schemes
proposed so far do not provide support for fine-grained user settings on
the lifetime of the data nor support any mechanism to check the in-
tegrity of the system that is using the secret data. In addition we report
the presence of a vulnerability in one version of the proposed scheme
that can be exploited by an attacker to nullify the ephemeral nature of
the keys. We propose and discuss in detail an alternate Identity Based
cryptosystem powered scheme that overcomes the identified limitations
of the original system.
- Mohammad T. Dashti, Srijith K. Nair, Hugo L. Jonker, "Nuovo DRM Paradiso: Towards a Verified Fair DRM Scheme" -
Proceedings of IPM International Symposium on Fundamentals of Software Engineering (FSEN07), pp. 33-48, April 17-19 2007, Tehran, Iran. - PDF, SpringerLink
, Show Abstract
We formally specify the recent DRM scheme of Nair et al.
in the µcrl process algebraic language. The security requirements of
the scheme are formalized and using them as the basis, the scheme is
verifed. The verifcation shows the presence of security weaknesses in the
original protocols, which are then addressed in our proposed extension
to the scheme. A fnite model of the extended scheme is subsequently
model checked and shown to satisfy its design requirements, including
secrecy, fairness and resisting content masquerading. Our analysis was
distributed over a cluster of machines, allowing us to check the whole
extended scheme despite its complexity and high non-determinacy.
- Hugo Jonker, Srijith Krishnan Nair, Mohammad Torabi Dashti, "Nuovo DRM Paradiso: towards a verified fair DRM protocol", 1st Benelux Workshop on Information
and System Security (WISSEC2006), November 8-9, 2006, Antwerpen, Belgium. -
The NPGCT DRM scheme, that proposes a unique concept of DRM-preserving
content redistribution, has some security issues. These issues are addressed in this paper
by an extension of NPGCT. A security mechanism that provides fairness in unsupervised
exchanges is introduced, and the mechanism of detecting and revoking circumvented devices
is reexamined devices. The resulting DRM scheme, Nuovo DRM, and its requirements are
formally specifed. A fnite model of the scheme is subsequently model-checked and shown
to satisfy its design requirements.
- Srijith K. Nair "Policy binding and enforcement in Java", Workshop on Run-time Software Integrity and Authenticity, September 18-19,
2006, Trento, Italy.
- Srijith K. Nair, Bruno Crispo, Andrew S. Tanenbaum, "Towards a Secure Application-semantic Aware Policy Enforcement Architecture",
in Proceedings of the 14th International Workshop on Security Protocols 2006, Cambridge,
UK, pages 26-31. Springer-Verlag LNCS 5087, 2009. (B. Christianson, B. Crispo, J.A. Malcolm, and M. Roe, editors)
Even though policy enforcement has been studied from different angles including notation, negotiation and enforcement, the
development of an application-semantic aware enforcement architecture remains an open problem. In this paper we present
and discuss the design of such an architecture.
- Srijith K. Nair, Bogdan C. Popescu, Chandana Gamage, Bruno Cripso, Andrew S. Tanenbaum, "Enabling DRM-preserving Digital Content Redistribution" -
Proceedings of 7th International IEEE Conference on E-Commerce Technology 2005 (CEC2005), pp. 151-158
July 19-22, 2005, Munich, Germany. - PDF
File, IEEE Xplorer, DBLP,
Traditionally, the process of online digital content distribution has involved a limited number of centralised distributors
selling protected contents and licenses authorising the use of these contents, to consumers. In this paper, we extend
this model by introducing a security scheme that enables DRM preserving digital content redistribution. Essentially
consumers can not only buy the rights to use digital content but also the rights to redistribute it to other consumers in
a DRM controlled fashion. We examine the threats associated with such a redistribution model and explain how our
scheme addresses them.
- Srijith K. Nair, Lillykutty Jacob, Akkihebbal L. Ananda, "TCP Vegas-A: Improving the performance of TCP Vegas", Computer Communications, vol. 28,
no. 4, pp. 429-440, March 2005 - PDF File, DBLP,
While it has been shown that TCP Vegas provides better performance compared to TCP Reno, studies have identified various issues
associated with the protocol. We propose modifications to the congestion avoidance mechanism of the TCP Vegas to overcome these
limitations. Unlike the solutions proposed in the past, our solution, named TCP Vegas-A, is neither dependent on optimising any critical
parameter values nor on the buffer management scheme implemented at the routers and hence can be implemented solely at the end host. Our
simulation experiments over wired as well as over geosynchronous and lower earth orbit satellite links show that TCP Vegas-A is able to
overcome several of the identified problems-it can obtain a fairer share of the network bandwidth in wired and satellite scenarios, tackle
rerouting issues, rectify Vegas's bias against higher bandwidth flows and prevail over fluctuating RTT conditions of a
lower earth orbit
satellite link. At the same time, Vegas-A is able to preserve the unique properties of Vegas that had made it a noteworthy protocol.
- K.N. Srijith, Lillykutty Jacob and A.L. Ananda, "TCP Vegas-A: Solving the Fairness and Rerouting Issues of TCP Vegas", - Proceedings of 22nd IEEE
International Performance, Computing, and Communications Conference (IPCCC) 2003, pp. 309-316, Phoenix, Arizona, April 9 - 11, 2003.
- PDF File, IEEE Xplorer,
In spite of the larger performance gain such as higher throughput and almost zero packet retransmissions compared to TCP Reno, TCP Vegas still has a few obstacles
for it to be deployed in the Internet. Studies have shown unfair treatment to Vegas connections when they compete with Reno connections. Other issues identified
with TCP Vegas are problems of rerouting, persistent congestion, and discrepancy in flow rate tied with starting times and link bandwidth. We reinvestigate these
issues rind propose modifications to the congestion avoidance mechanism of the TCP Vegas, with the slow-start and congestion recovery algorithms of Vegas remaining
untouched. Unlike the solutions proposed in the recent past to deal with some of these issues, our solution it neither dependent on any critical parameter values
nor on the buffer management scheme at the routers (e.g., RED). Our experiments show that the modified TCP Vegas (Vegas-A) it able to obtain a fairer share of the
network bandwidth when competing with other TCP flows. We also show that Vegas-A can tackle rerouting issues and rectify Vegas's bias against higher bandwidth
flows. At the same time, our experiments prove that Vegas-A preserves the properties of Vegas that have made it a noteworthy protocol.
- K.N. Srijith, Lillykutty Jacob and A.L. Ananda, "Worst-case Performance Limitation of TCP SACK and a Feasible Solution", - Proceedings of 8th IEEE
International Conference on Communications Systems (ICCS), pp. 1157-1161, November 25-28, 2002, Singapore. - PDF File, Citeseer
In the present implementation of the transmission control protocol (TCP) selective acknowledgment (SACK), every SACK block needs 8 bytes to carry information about
the received packets, back to the sender. Since TCP options field has a fixed length, there is a limit on the number of SACK block that can be carried by the
acknowledgment packets. Under some error conditions, this limitation can force the TCP sender to retransmit packets that have already been received successfully by
the receiver. This paper puts forward a proposal to modify the present SACK implementation, in order to prevent these unwanted retransmissions. We show that the
proposed implementation of SACK mechanism increases the throughput of SACK enabled TCP connections.
- Lillykutty Jacob, K.N. Srijith, Huang Duo and A.L.Ananda, "Effectiveness of TCP SACK, TCP HACK and TCP Trunk over Satellite Links" - IEEE International
on Communications (ICC 2002), Vol.5, pp. 3038 - 3043, April 28 - May 2, 2002. - PDF
File, Citeseer Index,
This paper reports a study on the performance enhancements of two extensions to the standard TCP implementation - Selective Acknowledgement (SACK) and Header
Checksum (HACK) - over satellite links that are characterized by high latency and high bit error rate. We also examine the effectiveness of TCP Trunk, an
edge-to-edge aggregation and congestion control mechanism, over the satellite link. Our study on the effect of varying the TCP window size over a long latency link
for New Reno, SACK, HACK and TCP Trunk implementations show that increasing window size does improve the performance, but only up to a certain value of the window
size, and a further increase actually reduces the performance. Other interesting observations from our experimental study are: SACK enabled TCP Trunk across the
satellite link edge routers can improve the throughput regardless of the end host TCP implementation; disabling the link layer CRC and instead implementing the
HACK extension to the TCP (and of course HACK+ SACK) can improve the throughput further.
- Yongxiang Liu, K.N. Srijith, L. Jacob and A.L.Ananda,"TCP-CM: A Transport Protocol for TCP-friendly Transmission of Continuous Media" - Proceedings of
International Performance, Computing and Communications Conference (IPCCC 2002), pp. 83-91, April 3-5, 2002, Phoenix, Arizona. -
PDF File, Citeseer
We propose a new TCP friendly transport protocol, called TCP-CM, for continuous media applications over the Internet. TCP-CM is a direct modification of TCP to
support continuous media applications without compromising the congestion control feature of TCP, which is critical to the stable functioning of the Internet. We
design TCP-CM API to be compatible with the BSD socket interface, which requires minimum changes for applications to adopt TCP-CM. Continuous media applications
that adopt TCP-CM as the transport protocol can be relieved from burdens such as rate control and scheduling for timely delivery, and hence can focus solely on
advanced coding or compression techniques for adapting the content according to the available network bandwidth. We implement the TCP-CM in Linux 2.2.15 TCP/IP
protocol stack, and run extensive experiments on TCP-CM using emulated video flows. Our experiments show that TCP-CM can be used for the timely delivery of
continuous media data within the constraints of the available network bandwidth and can compete with TCP connections fairly.
- K.N. Srijith, V. Ranjit, B.S. Ooi, Y.C. Chan, Y.L. Lam, C.H. Kam, "Fabrication And Characterisation of Bandgap Tuned Lasers in GaAs/AlGaAs
Quantum Well Structures Using Pulsed Laser Irradiation", Proceeding of 4th National Symposium On Progress in Materials Research, (Best Poster Award), pp. 137--139, March 27, 1998, Singapore, PDF.
V. Ranjit, K.N. Srijith, B.S. Ooi, Y.C. Chan, Y.L. Lam, C.H. Kam, "Characterisation of GaAs/AlGaAs Extended Cavity lasers fabricated using dielectric
cap induced quantum well intermixing", Proceeding of 4th National Symposium On Progress in Materials Research, pp. 133-136, Singapore, 27th March 1998.
These materials (conference and journal papers) are presented to ensure timely dissemination of scholarly and
work. Copyright and all rights therein are retained by authors or by other copyright holders. All person copying this
information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these
works may not be reposted without the explicit permission of the copyright holder.
ACM Copyright Notice. Copyright © by the Association for Computing Machinery, Inc. Permission to make digital or hard
copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not
made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the
first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is
permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific
permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or
IEEE Copyright Notice: © IEEE. Personal use of this material is permitted. However, permission to reprint/republish
material for advertising or promotional purposes or for creating new collective works for resale or redistribution to
servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.