We have proposed a method of identifying superspreaders by flow sampling and a method of filtering legitimate hosts from the identified superspreaders using a white list. However, the problem of how to optimally set parameters of φ, the measurement period length, m*, the identification threshold of the flow count m within φ, and H*, the identification probability for hosts with m=m*, remained unsolved. These three parameters seriously impact the ability to identify the spread of infection. Our contributions in this work are two-fold: (1) we propose a method of optimally designing these three parameters to satisfy the condition that the ratio of the number of active worm-infected hosts divided by the number of all vulnerable hosts is bound by a given upper-limit during the time T required to develop a patch or an anti-worm vaccine, and (2) the proposed method can optimize the identification accuracy of worm-infected hosts by maximally using a limited amount of memory resource of monitors.

Anomaly-based worm detection is a complement to existing signature-based worm detectors. It detects unknown worms and fills the gap between when a worm is propagated and when a signature is generated and downloaded to a signature-based worm detector. A major obstacle for its deployment to personal computers (PCs) is its high false positive alarms since a typical PC user lacks the skill to handle exceptions flagged by a detector without much knowledge of computers. In this paper, we exploit the feature of personal computers in which the user interacts with many running programs and the features combining various network characteristics. The model of a program's network behaviors is conditioned on the human interactions with the program. Our scheme automates detection of unknown worms with dramatically reduced false positive alarms while not compromising low false negatives, as proved by our experimental results from an implementation on Windows-based PCs to detect real world worms.

In this paper, we derive a set of discrete time difference equations that models the spreading process of computer worms such as Code-Red and Slammer, which uses a common strategy called “random scanning” to spread through the Internet. We show that the derived set of discrete time difference equations has an exact relationship with the Kermack and McKendrick susceptible-infectious-removed (SIR) model, which is known as a standard continuous time model for worm spreading.

Worms are a common phenomenon in today's Internet and cause tens of billions of dollars in damages to businesses around the world each year. This article first presents various concepts related to worms, and then classifies the existing worms into four types- Internet worms, P2P worms, email worms and IM (Instant Messaging) worms, based on the space in which a worm finds a victim target. The Internet worm is the focus of this article. We identify the characteristics of Internet worms in terms of their target finding strategy, propagation method and anti-detection capability. Then, we explore state-of-the-art worm detection and worm containment schemes. This article also briefly presents the characteristics, defense methods and related research work of P2P worms, email worms and IM worms. Nowadays, defense against worms remains largely an open problem. In the end of this article, we outline some future directions on the worm research.

Interconnection networks play a crucial role in the performance of massively parallel computers. Hierarchical interconnection networks provide high performance at low cost by exploring the locality that exists in the communication patterns of massively parallel computers. A Tori connected Torus Network (TTN) is a 2D-torus network of multiple basic modules, in which the basic modules are 2D-torus networks that are hierarchically interconnected for higher-level networks. This paper addresses the architectural details of the TTN and explores aspects such as node degree, network diameter, cost, average distance, arc connectivity, bisection width, and wiring complexity. We also present a deadlock-free routing algorithm for the TTN using four virtual channels and evaluate the network's dynamic communication performance using the proposed routing algorithm under uniform and various non-uniform traffic patterns. We evaluate the dynamic communication performance of TTN, TESH, MH3DT, mesh, and torus networks by computer simulation. It is shown that the TTN possesses several attractive features, including constant node degree, small diameter, low cost, small average distance, moderate (neither too low, nor too high) bisection width, and high throughput and very low zero load latency, which provide better dynamic communication performance than that of other conventional and hierarchical networks.

Abnormal traffic that causes various problems on the Internet, such as P2P flows, DDoS attacks, and Internet worms, is increasing; therefore, the importance of methods that identify and control abnormal traffic is also increasing. Though the application of frequent-itemset-mining techniques is a promising way to analyze Internet traffic, the huge amount of data on the Internet prevents such techniques from being effective. To overcome this problem, we have developed a simple frequent-itemset-mining method that uses only a small amount of memory but is effective even with the large volumes of data associated with broadband Internet traffic. Using our method also involves analyzing the number of distinct elements in the itemsets found, which helps identify abnormal traffic. We used a cache-based implementation of our method to analyze actual data on the Internet and demonstrated that such an implementation can be used to provide on-line analysis of data while using only a small amount of memory.

From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90% vulnerable hosts.

Large-throughput anomaly prevention mechanism in the upstream side of high-speed (over 10-Gbps) networks is required to prevent various anomalies such as distributed denial of service (DDoS) from causing various network problems. This mechanism requests the processors achieving not only high-speed response for analyzing many packets in a short time but also the flexibility to update the anomaly prevention algorithm. In this research, I assumed a dynamic reconfigurable processor (DRP) was most effective in achieving this anomaly prevention mechanism, for processors used in nodes with the mechanism, and I designed an anomaly prevention mechanism using DRPs. The mechanism can shorten anomaly prevention time in high-speed (10 Gbps) lines using an all-packet analysis. Through a simulation, I achieved the goal of the mechanism achieving a throughput of 83-M packets per second using three DRPs (432 execution elements used). Moreover, with the prototype, it was confirmed that the proposed mechanism prevented anomalies in a short time (constant 0.01 second), which was 3000 times faster than that of a legacy mechanism using a packet sampling method. I also proposed integrated prevention, which was able to reduce the number of execution elements comprising anomaly prevention algorithm against various kinds of anomalies. It was achieved with a simulation that the proposed integrated prevention against three kinds of anomalies (DDoS, worm, and peer to peer (P2P)) reduced the number of execution elements by 24% compared to legacy prevention. In addition, non-stop update was proposed to maintain throughput when updating an anomaly prevention algorithm without packet loss. It was confirmed with a simulation that there was enough time for non-stop update in 10 Gbps 4 lines.

In this paper, a methodology based on a mix-mode interconnection architecture is proposed for constructing an application specific network on chip to minimize the total communication time. The proposed architecture uses a globally asynchronous communication network and a locally synchronous bus (or cross-bar or multistage interconnection network MIN). First, a local bus is given for a group of IP cores so that the communications within this local bus can be arranged to be exclusive in time. If the communications of some IP cores should be required to be completed within a given amount of time, then a non-blocking MIN or a crossbar switch should be made for those IP cores instead of a bus. Then, a communication ratio (CR) for each pair of local buses is provided by users, and based on the Huffman coding philosophy, a process is applied to construct a binary tree (BT) with switches on the internal nodes and buses on the leaves. Since the binary tree system is deadlock free (no cycle exists in any path), the router is just a relatively simple and cheap switch. Simulation results show that the proposed methodology and architecture of NOC is better on switching circuit cost and performance than the SPIN and the mesh architecture using our developed deadlock-free router.

Although the Internet is playing an increasingly significant role in global communication, it remains vulnerable to malicious traffic such as worms and DoS/DDoS attacks. In the last few years, the emergence of high speed active worms, such as Code Red II, Nimda, SQL Slammer and MS Blaster, has become a serious issue. These worms cause serious damage to communication networks throughout the world by using up network bandwidth. In addition, since conventional firewall systems are located just in front of the server and do not prevent malicious traffic from entering the network, they cannot prevent such network congestion. Therefore, the firewall between domains or between core routers should play important roles in the photonic networks. We have developed a prototype system of a network firewall using reconfigurable processors. In this paper, we overview the developed system and present its evaluation results.

Three-dimensional (3D) wafer stacked implementation (WSI) has been proposed as a promising technology for massively parallel computers. A hierarchical 3D-torus (H3DT) network, which is a 3D-torus network of multiple basic modules in which the basic modules are 3D-mesh networks, has been proposed for efficient 3D-WSI. However, the restricted use of physical links between basic modules in the higher level networks reduces the dynamic communication performance of this network. A torus network has better dynamic communication performance than a mesh network. Therefore, we have modified the H3DT network by replacing the 3D-mesh modules by 3D-tori, calling it a Modified H3DT (MH3DT) network. This paper addresses the architectural details of the MH3DT network and explores aspects such as degree, diameter, cost, average distance, arc connectivity, bisection width, and wiring complexity. We also present a deadlock-free routing algorithm for the MH3DT network using two virtual channels and evaluate the network's dynamic communication performance under the uniform traffic pattern, using the proposed routing algorithm. It is shown that the MH3DT network possesses several attractive features including small diameter, small cost, small average distance, better bisection width, and better dynamic communication performance.

Interconnection networks play a crucial role in the performance of massively parallel computers. Hierarchical interconnection networks provide high performance at low cost by exploring the locality that exists in the communication patterns of massively parallel computers. A Hierarchical Torus Network (HTN) is a 2D-torus network of multiple basic modules, in which the basic modules are 3D-torus networks that are hierarchically interconnected for higher level networks. The static network performance of the HTN has already been studied and has been shown to be good. Dynamic communication performance has been evaluated under uniform traffic pattern but not under non-uniform traffic patterns. In this paper, we present a deadlock-free routing algorithm for the HTN using 3 virtual channels and evaluate the network's dynamic communication performance under three non-uniform traffic patterns, using the proposed routing algorithm. We evaluate the dynamic communication performance of HTN, H3D-mesh, H3D-torus, TESH, and mesh networks by computer simulation. We find that the dynamic communication performance of HTN is better than that of the H3D-mesh, H3D-torus, TESH, and mesh networks.

Conventional worms and super-worms focus on the infection of end-systems. They exploit network vulnerabilities and use the network resources only to route their processes appropriately. We describe a new class of super-worms which target to infect network resources and utilizes routing information to effectively partition the address space of Internet.

In this paper, we propose an efficient dual-tree-based multicasting scheme with three destination-switch partition strategies on irregular switch-based networks. The dual-tree-based routing scheme supports adaptive, distributed, and deadlock-free multicast on irregular networks with double channels. We first describe a dual-tree structure constructed from the irregular networks and prove that the multicasting based on such a structure is deadlock-free. Then, an efficient multicast routing algorithm with three destination-switch partition strategies: source-switch-based partition, destination-switch-based partition, and all-switches-based partition, is proposed. Finally, we perform simulations to evaluate our proposed algorithm under various impact parameters: system size, message length, and startup time. The experimental results show that the improved tree-based multicasting scheme outperforms the usual tree-based multicasting scheme. The dual-tree-based multicasting scheme with destination-switch-based partition is shown to be the best for all situations.

We present efficient all-to-all personalized communication algorithms for a 2D torus in wormhole-routed networks. Our complete exchange algorithms reduce the number of start-up by a factor of up to 2, which is a good metric for network performance in wormhole networks. Our algorithms divide the whole network into 22 networks, giving two contention-free networks with N/2N/2. After specially designated nodes called master nodes have collected messages, whose destinations are the rest of the basic cells, only master nodes perform complete exchange with a reduced network size. When finished with this complete exchange among master nodes, these nodes distribute messages to the rest of the master nodes, which results in the desired complete exchange. Then, we present a modified algorithm that further reduces the data transmission time sacrificing the start-up time. After we present our new algorithms, we analyze time complexities and compare several algorithms. We show that our practical algorithm is efficient by a factor of 2 in the required start-up time which means that our algorithms are suitable for wormhole-routed networks.

In this paper, we propose a novel fault-tolerant multicast algorithm for n-dimensional wormhole routed hypercubes. The multicast algorithm will remain functional if the number of faulty nodes in an n-dimensional hypercube is less than n. Multicast is the delivery of the same message from one source node to an arbitrary number of destination nodes. Recently, wormhole routing has become one of the most popular switching techniques in new generation multicomputers. Previous researches have focused on fault-tolerant one-to-one routing algorithms for n-dimensional meshes. However, little research has been done on fault-tolerant one-to-many (multicast) routing algorithms due to the difficulty in achieving deadlock-free routing on faulty networks. We will develop such an algorithm for faulty hypercubes. Our approach is not based on adding physical or virtual channels to the network topology. Instead, we integrate several techniques such as partitioning of nodes, partitioning of channels, node label assignments, and dual-path multicast to achieve fault tolerance. Both theoretical analysis and simulation are performed to demonstrate the effectiveness of the proposed algorithm.

A fault-tolerant wormhole routing algorithm on mesh-connected processors is proposed. The proposed algorithm is based on the solid fault model and allows the fault polygons to be overlapped. The algorithm compares the position of fault region relative to current channel with the fault direction field of a misrouted message to route around overlapped fault polygons. A node deactivating algorithm to convert non-solid fault region into solid fault region is also proposed. The proposed routing algorithm uses four virtual channels and is deadlock and livelock free.

We propose a fault-tolerant routing algorithm for 2D meshes. Our routing algorithm can tolerate any number of concave fault regions. It is based on xy-routing and uses the concept of the fault ring/chain composed of fault-free elements surrounding faults. Three virtual channels per physical link are used for deadlock-free routing on a fault ring. Four virtual channels are needed for a fault chain. For a concave fault ring, fault-free nodes in the concave region have been deactivated to avoid deadlock in the previous algorithms, which results in excessive loss of the computational power. Our algorithm ensures deadlock-freedom by restricting the virtual channel usage in the concave region, and it minimizes the loss of the computational power. We also extend the proposed routing scheme for adaptive fault-tolerant routing. The adaptive version requires the same number of virtual channels as the deterministic one.

A processor allocation scheme for mesh computers greatly affects their system utilization. The performance of an allocation scheme is largely dependent on its ability to detect available submeshes. We propose a new type of submesh, called a link-disjoint submesh, for processor allocation in mesh computers. This type of submesh increases the submesh recognition capability of an allocation scheme. A link-disjoint submesh is not a contiguous submesh as in the previous scheme, but this submesh still has no common communication link with any other submesh. When wormhole routing or circuit switching is used, the communication delay caused by non-contiguous processor allocation is minor. Through simulation, the performance of our scheme is measured and compared to the previous schemes in terms of such parameters as finish time and system utilization. It is shown through simulation that the link-disjoint submesh increases the performance of an allocation scheme.

This paper presents the results of a simulation study of blocking and non-blocking switching for hierarchical ring networks. The switching techniques include wormhole, virtual cut-through, and slotted ring. We conclude that slotted ring network performs better than the more popular wormhole and virtual cut-through networks. We also show that the size of the node buffers is an important parameter and that choosing them too large can hurt performance in some cases. Slotted rings have the advantage that the choice of buffer size is easier in that larger than necessary buffers do not hurt performance and hence a single choice of buffer size performs well for all system configurations. In contrast, the optimal buffer size for virtual cut-through and wormhole switching nodes varies depending on the system configuration and the level in the hierarchy in which the switching node lies.