Pub Date : 2024-02-28DOI: 10.1109/TCC.2024.3370909
Xinglin Zhang;Zhongling Wang;Fengsen Tian;Zheng Yang
Mobile edge computing (MEC) brings abundant computing resources to the edge networks, which supports users in offloading their tasks to the edge instead of the cloud, thereby reducing service delay and improving users’ quality of experience. In this article, we consider a three-tier multi-user multi-task offloading model, which contains multiple users with each user possessing multiple tasks, multiple base stations (BSs) with edge servers and a remote cloud. Taking into account the selfishness of individuals in the MEC system, we respectively formulate optimization problems for users, BSs and the cloud. Users aim to make their offloading strategies to minimize their respective costs, while BSs and the cloud aim to make their computation resource allocation decisions to minimize their respective task completion delays. We model the interaction among these selfish individuals based on Stackelberg game, where users act as leaders and BSs and the cloud act as followers. By using backward induction, we prove the existence of Stackelberg Equilibrium (SE). We further propose a distributed algorithm that enables the system to reach the SE, which includes three user selection strategies for the BSs. The numerical results demonstrate the superiority of the proposed scheme compared with several approaches.
{"title":"Stackelberg-Game-Based Multi-User Multi-Task Offloading in Mobile Edge Computing","authors":"Xinglin Zhang;Zhongling Wang;Fengsen Tian;Zheng Yang","doi":"10.1109/TCC.2024.3370909","DOIUrl":"10.1109/TCC.2024.3370909","url":null,"abstract":"Mobile edge computing (MEC) brings abundant computing resources to the edge networks, which supports users in offloading their tasks to the edge instead of the cloud, thereby reducing service delay and improving users’ quality of experience. In this article, we consider a three-tier multi-user multi-task offloading model, which contains multiple users with each user possessing multiple tasks, multiple base stations (BSs) with edge servers and a remote cloud. Taking into account the selfishness of individuals in the MEC system, we respectively formulate optimization problems for users, BSs and the cloud. Users aim to make their offloading strategies to minimize their respective costs, while BSs and the cloud aim to make their computation resource allocation decisions to minimize their respective task completion delays. We model the interaction among these selfish individuals based on Stackelberg game, where users act as leaders and BSs and the cloud act as followers. By using backward induction, we prove the existence of Stackelberg Equilibrium (SE). We further propose a distributed algorithm that enables the system to reach the SE, which includes three user selection strategies for the BSs. The numerical results demonstrate the superiority of the proposed scheme compared with several approaches.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140001458","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-28DOI: 10.1109/TCC.2024.3370834
Jin Wang;Wei Jiang;Jingya Zhou;Zhaobo Lu;Kejie Lu;Jianping Wang
In recent years, �Coded Edge Computing� (CEC) has been greatly studied as a promising technology to effectively mitigate the impact of stragglers and provide confidentiality in edge collaborative computing. It is crucial to verify the correctness of both intermediate results and the final result especially in untrustable and unreliable edge computing scenarios. However, the existing works on verification in CEC always verify and directly discard the whole incorrect intermediate results. In this paper, we propose the �Partial Decode and Compare� (PDC) verification scheme, which can fully utilize the correct part in the incorrect intermediate results to reduce the complexity and tolerate more abnormal edge devices. The PDC verification scheme consists of two parts: �Final Result Verification� (FRV) and �Abnormal Edge Device Identification� (AEDI). By deeply analyzing the decoding impact of the intermediate results on the final result, the PDC verification scheme divides the intermediate results and final results into �subresult vectors�. It decodes, compares, and verifies the final result in units of subresult vectors. In this way, the obtained parts which verified to be correct do not need to participate in the following verification. Therefore, it can significantly reduce the verification overhead including both the number of required decoding rounds and the complexity of each decoding round. Based on the correct final result verified by the PDC verification scheme, we also propose an �Abnormal Edge Devices Identification� scheme to identify all abnormal edge devices that return incorrect intermediate results. We then present extensive theoretical analyses and simulation experiments of the PDC verification scheme, which demonstrates that the PDC verification scheme can tolerate a higher ratio of incorrect intermediate results and achieve lower verification overhead than the state-of-the-art verification works. Therefore, the proposed PDC verification scheme enables CEC to provide reliable services in unstable and unreliable edge computing scenarios.
{"title":"Partial Decode and Compare: An Efficient Verification Scheme for Coded Edge Computing","authors":"Jin Wang;Wei Jiang;Jingya Zhou;Zhaobo Lu;Kejie Lu;Jianping Wang","doi":"10.1109/TCC.2024.3370834","DOIUrl":"10.1109/TCC.2024.3370834","url":null,"abstract":"In recent years, \u0000<italic>Coded Edge Computing</i>\u0000 (CEC) has been greatly studied as a promising technology to effectively mitigate the impact of stragglers and provide confidentiality in edge collaborative computing. It is crucial to verify the correctness of both intermediate results and the final result especially in untrustable and unreliable edge computing scenarios. However, the existing works on verification in CEC always verify and directly discard the whole incorrect intermediate results. In this paper, we propose the \u0000<italic>Partial Decode and Compare</i>\u0000 (PDC) verification scheme, which can fully utilize the correct part in the incorrect intermediate results to reduce the complexity and tolerate more abnormal edge devices. The PDC verification scheme consists of two parts: \u0000<italic>Final Result Verification</i>\u0000 (FRV) and \u0000<italic>Abnormal Edge Device Identification</i>\u0000 (AEDI). By deeply analyzing the decoding impact of the intermediate results on the final result, the PDC verification scheme divides the intermediate results and final results into \u0000<italic>subresult vectors</i>\u0000. It decodes, compares, and verifies the final result in units of subresult vectors. In this way, the obtained parts which verified to be correct do not need to participate in the following verification. Therefore, it can significantly reduce the verification overhead including both the number of required decoding rounds and the complexity of each decoding round. Based on the correct final result verified by the PDC verification scheme, we also propose an \u0000<italic>Abnormal Edge Devices Identification</i>\u0000 scheme to identify all abnormal edge devices that return incorrect intermediate results. We then present extensive theoretical analyses and simulation experiments of the PDC verification scheme, which demonstrates that the PDC verification scheme can tolerate a higher ratio of incorrect intermediate results and achieve lower verification overhead than the state-of-the-art verification works. Therefore, the proposed PDC verification scheme enables CEC to provide reliable services in unstable and unreliable edge computing scenarios.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140001397","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-28DOI: 10.1109/TCC.2024.3370688
Yufei Kang;Baochun Li
Federated learning has garnered significant research attention as a privacy-preserving learning paradigm. Asynchronous federated learning has been proposed to improve scalability by accommodating slower clients, commonly referred to as stragglers. However, asynchronous federated learning suffers from slow convergence with respect to wall-clock time, due to the existence of data heterogeneity and staleness. Existing strategies struggled to tackle both difficulties for a wide range of deep learning models. To address the problem, we propose �Polaris�, a theoretically sound design and a new take to client selection for asynchronous federated learning. With �Polaris�, we first theoretically investigated the design space of client sampling strategies from a geometric optimization perspective, taking both data heterogeneity and staleness into account. Our design is not only theoretically proven, but also thoroughly tested in our reproducible experimental open-source testbed. Our experimental results demonstrates overwhelming evidence that �Polaris� outperformed existing state-of-the-art client selection strategies by a substantial margin over a wide variety of tasks and datasets, as we train image classification models using �CIFAR-10�, �CIFAR-100�, �CINIC-10�, �Federated EMNIST�, and a language modeling model using the �Tiny Shakespeare� dataset. Further, our extensive array of ablation studies have also shown that �Polaris� is both scalable and robust as the size of datasets scale up and data heterogeneity vary.
{"title":"Polaris: Accelerating Asynchronous Federated Learning With Client Selection","authors":"Yufei Kang;Baochun Li","doi":"10.1109/TCC.2024.3370688","DOIUrl":"10.1109/TCC.2024.3370688","url":null,"abstract":"Federated learning has garnered significant research attention as a privacy-preserving learning paradigm. Asynchronous federated learning has been proposed to improve scalability by accommodating slower clients, commonly referred to as stragglers. However, asynchronous federated learning suffers from slow convergence with respect to wall-clock time, due to the existence of data heterogeneity and staleness. Existing strategies struggled to tackle both difficulties for a wide range of deep learning models. To address the problem, we propose \u0000<italic>Polaris</i>\u0000, a theoretically sound design and a new take to client selection for asynchronous federated learning. With \u0000<italic>Polaris</i>\u0000, we first theoretically investigated the design space of client sampling strategies from a geometric optimization perspective, taking both data heterogeneity and staleness into account. Our design is not only theoretically proven, but also thoroughly tested in our reproducible experimental open-source testbed. Our experimental results demonstrates overwhelming evidence that \u0000<italic>Polaris</i>\u0000 outperformed existing state-of-the-art client selection strategies by a substantial margin over a wide variety of tasks and datasets, as we train image classification models using \u0000<monospace>CIFAR-10</monospace>\u0000, \u0000<monospace>CIFAR-100</monospace>\u0000, \u0000<monospace>CINIC-10</monospace>\u0000, \u0000<monospace>Federated EMNIST</monospace>\u0000, and a language modeling model using the \u0000<monospace>Tiny Shakespeare</monospace>\u0000 dataset. Further, our extensive array of ablation studies have also shown that \u0000<italic>Polaris</i>\u0000 is both scalable and robust as the size of datasets scale up and data heterogeneity vary.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140001473","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-22DOI: 10.1109/TCC.2024.3362355
Ping Zhao;Ziyi Yang;Guanglin Zhang
In Mobile Edge Computing (MEC), the collaboration between end devices and servers guarantees the low-latency and high-accuracy video stream analysis. However, such paradigm of video stream offloading poses a serious threat to the location privacy and the usage pattern privacy of end devices. The existing works offer strict privacy guarantee for users, but they do not take the features of video stream into consideration, thus leading to the relatively higher computation cost. To tackle this issue, we propose a personalized and differential privacy-aware video stream offloading scheme that supports users personalized and time-varying privacy requirements, provides corresponding differential privacy preservation, and generates minimal latency and energy cost. Specifically, we formulate an NP-hard optimization that jointly optimizes the video frame rate, frame resolution and offloading ratio to maximize the analysis accuracy of video stream and minimize the energy cost and the latency subject to the channel bandwidth, computing resources, and personalized and time-varying privacy requirements. Then, we design a online learning-based and personalized privacy-aware video stream offloading algorithm for the optimization problem and thereby obtain the optimal video stream offloading scheme. Last, the extensive experimental results validate the superior performance of the proposed scheme, compared to the three latest existing works.
{"title":"Personalized and Differential Privacy-Aware Video Stream Offloading in Mobile Edge Computing","authors":"Ping Zhao;Ziyi Yang;Guanglin Zhang","doi":"10.1109/TCC.2024.3362355","DOIUrl":"10.1109/TCC.2024.3362355","url":null,"abstract":"In Mobile Edge Computing (MEC), the collaboration between end devices and servers guarantees the low-latency and high-accuracy video stream analysis. However, such paradigm of video stream offloading poses a serious threat to the location privacy and the usage pattern privacy of end devices. The existing works offer strict privacy guarantee for users, but they do not take the features of video stream into consideration, thus leading to the relatively higher computation cost. To tackle this issue, we propose a personalized and differential privacy-aware video stream offloading scheme that supports users personalized and time-varying privacy requirements, provides corresponding differential privacy preservation, and generates minimal latency and energy cost. Specifically, we formulate an NP-hard optimization that jointly optimizes the video frame rate, frame resolution and offloading ratio to maximize the analysis accuracy of video stream and minimize the energy cost and the latency subject to the channel bandwidth, computing resources, and personalized and time-varying privacy requirements. Then, we design a online learning-based and personalized privacy-aware video stream offloading algorithm for the optimization problem and thereby obtain the optimal video stream offloading scheme. Last, the extensive experimental results validate the superior performance of the proposed scheme, compared to the three latest existing works.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139951365","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-16DOI: 10.1109/TCC.2024.3366534
Zhaoyi Li;Jiawei Huang;Shiqi Wang;Wenjun Lyu;Jianxin Wang
Multi-path Transmission Control Protocol (MPTCP) has shown great potential in improving network bandwidth and robustness by utilizing multiple subflows in data center networks (DCNs). However, the delay and loss heterogeneities of multiple paths potentially cause packet reordering, resulting in the ACK blocking and increased latency. Recent coding-based solutions use forward error correction (FEC) to mitigate path heterogeneity with redundant encoded packets. However, current FEC-based solutions work at the subflow level, that is, each subflow independently generates redundant encoded packets. This intra-subflow coding, however, does not leverage the path diversity, easily suffering from long tail latency. In this article, we propose a new MPTCP based on cyclic matrix coding, called as CM-MPTCP, which encodes packets inter subflow to leverage the path diversity. Specifically, to let good paths help bad ones, the good paths deliver more redundant packets encoded based on cyclic matrix, which gives more coding opportunities to packets on bad paths, thus achieving high packet decoding ratio at the receiver side. The results of large-scale NS2 simulations show that CM-MPTCP effectively mitigates the ACK blocking and reduces the average flow completion time (AFCT) by about �$45% sim 70%$� under a wide variety of network conditions compared with the state-of-the-art coding-based MPTCPs.
{"title":"Cyclic Matrix Coding to Mitigate ACK Blocking of MPTCP in Data Center Networks","authors":"Zhaoyi Li;Jiawei Huang;Shiqi Wang;Wenjun Lyu;Jianxin Wang","doi":"10.1109/TCC.2024.3366534","DOIUrl":"10.1109/TCC.2024.3366534","url":null,"abstract":"Multi-path Transmission Control Protocol (MPTCP) has shown great potential in improving network bandwidth and robustness by utilizing multiple subflows in data center networks (DCNs). However, the delay and loss heterogeneities of multiple paths potentially cause packet reordering, resulting in the ACK blocking and increased latency. Recent coding-based solutions use forward error correction (FEC) to mitigate path heterogeneity with redundant encoded packets. However, current FEC-based solutions work at the subflow level, that is, each subflow independently generates redundant encoded packets. This intra-subflow coding, however, does not leverage the path diversity, easily suffering from long tail latency. In this article, we propose a new MPTCP based on cyclic matrix coding, called as CM-MPTCP, which encodes packets inter subflow to leverage the path diversity. Specifically, to let good paths help bad ones, the good paths deliver more redundant packets encoded based on cyclic matrix, which gives more coding opportunities to packets on bad paths, thus achieving high packet decoding ratio at the receiver side. The results of large-scale NS2 simulations show that CM-MPTCP effectively mitigates the ACK blocking and reduces the average flow completion time (AFCT) by about \u0000<inline-formula><tex-math>$45% sim 70%$</tex-math></inline-formula>\u0000 under a wide variety of network conditions compared with the state-of-the-art coding-based MPTCPs.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139951364","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-15DOI: 10.1109/TCC.2024.3366435
Yang Ming;Hang Liu;Chenhao Wang;Yi Zhao
The Snowden incident illustrates that an adversary may launch an algorithm substitution attack (ASA) by tampering with the algorithms of protocol participants to obtain users’ secret information. A measure against ASA is to equip the protocol participants with cryptographic reverse firewalls (CRF). Public key encryption with keyword search (PEKS) as a cryptographic primitive allows users to search encrypted file in cloud servers while ensuring the security of the original file. The existing CRF constructions for PEKS does not consider the trust level of CRFs, leaving honest-but-curious CRF to deal with trapdoors that should be sent in the secure channels, which brings new security risks. This article first introduces the notion of malleable designated tester public key encryption with keyword search (M-DPEKS). Based on M-DPEKS, we propose the generic construction of public key encryption with keyword search with cryptographic reverse firewalls to overcome the privacy leakage issue in cloud storage. Security proof indicates the generic construction is secure against ASA. Lastly, we instantiate the generic construction with a concrete M-DPEKS scheme and analyze the computation cost and communication overhead to evaluate the efficiency.
{"title":"Generic Construction: Cryptographic Reverse Firewalls for Public Key Encryption With Keyword Search in Cloud Storage","authors":"Yang Ming;Hang Liu;Chenhao Wang;Yi Zhao","doi":"10.1109/TCC.2024.3366435","DOIUrl":"10.1109/TCC.2024.3366435","url":null,"abstract":"The Snowden incident illustrates that an adversary may launch an algorithm substitution attack (ASA) by tampering with the algorithms of protocol participants to obtain users’ secret information. A measure against ASA is to equip the protocol participants with cryptographic reverse firewalls (CRF). Public key encryption with keyword search (PEKS) as a cryptographic primitive allows users to search encrypted file in cloud servers while ensuring the security of the original file. The existing CRF constructions for PEKS does not consider the trust level of CRFs, leaving honest-but-curious CRF to deal with trapdoors that should be sent in the secure channels, which brings new security risks. This article first introduces the notion of malleable designated tester public key encryption with keyword search (M-DPEKS). Based on M-DPEKS, we propose the generic construction of public key encryption with keyword search with cryptographic reverse firewalls to overcome the privacy leakage issue in cloud storage. Security proof indicates the generic construction is secure against ASA. Lastly, we instantiate the generic construction with a concrete M-DPEKS scheme and analyze the computation cost and communication overhead to evaluate the efficiency.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139951358","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-13DOI: 10.1109/TCC.2024.3365075
Zhaoyi Li;Jiawei Huang;Shiqi Wang;Jianxin Wang
Remote Direct Memory Access (RDMA) achieves ultra-low latency, high throughput and low CPU overhead in data center by implementing the transport logic in hardware network interface card (NIC). However, RDMA faces new challenges in the heterogeneous multipath environment as it is very sensitive to packet reordering. When some packets are blocked in slow paths, the other packets delivered through fast paths have to be buffered at the receiver's NIC, consuming the limited on-chip memory resources. In this paper, we propose a new RDMA-based multipath transmission scheme with advanced fast retransmission called as AFR-MPRDMA. Specifically, once detecting congestion at the slow path, the sender will retransmit the blocked packets on other fast paths to speed up the transmission of blocked packets. Moreover, the receiver dynamically adjusts the buffer size for the out-of-order packets to avoid either unnecessary retransmission or long latency. The results of large-scale tests show that AFR-MPRDMA effectively mitigates packets blocking issue and reduces average flow completion time (AFCT) by up to 61% compared with the state-of-the-art RDMA-based schemes.
{"title":"Achieving Low Latency for Multipath Transmission in RDMA Based Data Center Network","authors":"Zhaoyi Li;Jiawei Huang;Shiqi Wang;Jianxin Wang","doi":"10.1109/TCC.2024.3365075","DOIUrl":"10.1109/TCC.2024.3365075","url":null,"abstract":"Remote Direct Memory Access (RDMA) achieves ultra-low latency, high throughput and low CPU overhead in data center by implementing the transport logic in hardware network interface card (NIC). However, RDMA faces new challenges in the heterogeneous multipath environment as it is very sensitive to packet reordering. When some packets are blocked in slow paths, the other packets delivered through fast paths have to be buffered at the receiver's NIC, consuming the limited on-chip memory resources. In this paper, we propose a new RDMA-based multipath transmission scheme with advanced fast retransmission called as AFR-MPRDMA. Specifically, once detecting congestion at the slow path, the sender will retransmit the blocked packets on other fast paths to speed up the transmission of blocked packets. Moreover, the receiver dynamically adjusts the buffer size for the out-of-order packets to avoid either unnecessary retransmission or long latency. The results of large-scale tests show that AFR-MPRDMA effectively mitigates packets blocking issue and reduces average flow completion time (AFCT) by up to 61% compared with the state-of-the-art RDMA-based schemes.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139951370","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-13DOI: 10.1109/TCC.2024.3365736
Salman Manzoor;Antonios Gouglidis;Matthew Bradbury;Neeraj Suri
Most Threat Analysis (TA) techniques analyze threats to targeted assets (e.g., components, services) by considering static interconnections among them. However, in dynamic environments, e.g., the Cloud, resources can instantiate, migrate across physical hosts, or decommission to provide rapid resource elasticity to its users. Existing TA techniques are not capable of addressing such requirements. Moreover, complex multi-layer/multi-asset attacks on Cloud systems are increasing, e.g., the Equifax data breach; thus, TA approaches must be able to analyze them. This article proposes ThreatPro, which supports dynamic interconnections and analysis of multi-layer attacks in the Cloud. ThreatPro facilitates threat analysis by developing a technology-agnostic information flow model, representing the Cloud's functionality through conditional transitions. The model establishes the basis to capture the multi-layer and dynamic interconnections during the life cycle of a Virtual Machine. ThreatPro contributes to (1) enabling the exploration of a threat's behavior and its propagation across the Cloud, and (2) assessing the security of the Cloud by analyzing the impact of multiple threats across various operational layers/assets. Using public information on threats from the National Vulnerability Database, we validate ThreatPro's capabilities, i.e., identify and trace actual Cloud attacks and speculatively postulate alternate potential attack paths.
{"title":"Enabling Multi-Layer Threat Analysis in Dynamic Cloud Environments","authors":"Salman Manzoor;Antonios Gouglidis;Matthew Bradbury;Neeraj Suri","doi":"10.1109/TCC.2024.3365736","DOIUrl":"10.1109/TCC.2024.3365736","url":null,"abstract":"Most Threat Analysis (TA) techniques analyze threats to targeted assets (e.g., components, services) by considering static interconnections among them. However, in dynamic environments, e.g., the Cloud, resources can instantiate, migrate across physical hosts, or decommission to provide rapid resource elasticity to its users. Existing TA techniques are not capable of addressing such requirements. Moreover, complex multi-layer/multi-asset attacks on Cloud systems are increasing, e.g., the Equifax data breach; thus, TA approaches must be able to analyze them. This article proposes ThreatPro, which supports dynamic interconnections and analysis of multi-layer attacks in the Cloud. ThreatPro facilitates threat analysis by developing a technology-agnostic information flow model, representing the Cloud's functionality through conditional transitions. The model establishes the basis to capture the multi-layer and dynamic interconnections during the life cycle of a Virtual Machine. ThreatPro contributes to (1) enabling the exploration of a threat's behavior and its propagation across the Cloud, and (2) assessing the security of the Cloud by analyzing the impact of multiple threats across various operational layers/assets. Using public information on threats from the National Vulnerability Database, we validate ThreatPro's capabilities, i.e., identify and trace actual Cloud attacks and speculatively postulate alternate potential attack paths.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139951362","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Tracking the process of remote task execution is critical to timely process analysis by collecting the evidence of correct execution or failure, which generates a process digital twin (DT) for remote supervision. Generally, it will encounter the challenge of constrained communication, high overhead, and high traceability demand, leading to the efficient remote process tracking issue. Existing approaches can address the issue by monitoring or simulating remote task execution. Nevertheless, they do not provide a cost-effective solution, especially when unexpected situation occurs. Thus, we proposed a new cloud-edge collaboration framework for process DT generation. It addresses the efficient remote process tracking issue with a real-virtual collaborative process tracking (RVCPT) approach. The approach contains three patterns of real-virtual collaboration for tracking the entire process of task execution with a coevolution pattern, identifying unexpected situations with a discrimination pattern, and generating a process DT with a real-virtual fusion pattern. This approach can minimize tracking overhead, and meanwhile maintains high traceability, which maximizes the overall cost-effectiveness. With prototype development, case study and experimental evaluation show the applicability and performance advantage of the new cloud-edge collaboration framework in remote supervision.
{"title":"A Cloud-Edge Collaboration Framework for Generating Process Digital Twin","authors":"Bingqing Shen;Han Yu;Pan Hu;Hongming Cai;Jingzhi Guo;Boyi Xu;Lihong Jiang","doi":"10.1109/TCC.2024.3362989","DOIUrl":"10.1109/TCC.2024.3362989","url":null,"abstract":"Tracking the process of remote task execution is critical to timely process analysis by collecting the evidence of correct execution or failure, which generates a process digital twin (DT) for remote supervision. Generally, it will encounter the challenge of constrained communication, high overhead, and high traceability demand, leading to the efficient remote process tracking issue. Existing approaches can address the issue by monitoring or simulating remote task execution. Nevertheless, they do not provide a cost-effective solution, especially when unexpected situation occurs. Thus, we proposed a new cloud-edge collaboration framework for process DT generation. It addresses the efficient remote process tracking issue with a real-virtual collaborative process tracking (RVCPT) approach. The approach contains three patterns of real-virtual collaboration for tracking the entire process of task execution with a coevolution pattern, identifying unexpected situations with a discrimination pattern, and generating a process DT with a real-virtual fusion pattern. This approach can minimize tracking overhead, and meanwhile maintains high traceability, which maximizes the overall cost-effectiveness. With prototype development, case study and experimental evaluation show the applicability and performance advantage of the new cloud-edge collaboration framework in remote supervision.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139956141","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-02-05DOI: 10.1109/TCC.2024.3361882
Axin Wu;Xiangjun Xin;Jianhao Zhu;Wei Liu;Chang Song;Guoteng Li
Laconic Private Set Intersection (LPSI) is a type of PSI protocols characterized by the requirement of only two-round interactions and by having a reused message in the first round that is independent of the set size. Recently, Aranha et al. (CCS’2022) proposed a LPSI protocol that utilizes the pairing-based accumulator. However, this protocol heavily relies on time-consuming bilinear pairing operations, which can potentially cause a bottleneck. Furthermore, in certain scenarios like contact tracing, it is sufficient to only reveal the intersection cardinality. To tackle this problem and expand on its functionalities, we introduce a cloud-assisted two-party LPSI cardinality (TLPSI-CA) that inherits the properties of LPSI. Interestingly, the cloud-assisted TLPSI-CA eliminates the direct interaction between the sender and receiver, enabling the sender's message to be reused across any number of protocol executions. Besides, we further extend it to the multi-party scenario, which also possesses laconic properties. Then, we prove the two protocols’ security in achieving the defined ideal functionalities. Finally, we evaluate the performance of both protocols and find that TLPSI-CA successfully reduces the local computation costs for participants. Additionally, the multi-party protocol performs similarly to TLPSI-CA, with the exception of the higher communication costs incurred by the receiver.
{"title":"Cloud-Assisted Laconic Private Set Intersection Cardinality","authors":"Axin Wu;Xiangjun Xin;Jianhao Zhu;Wei Liu;Chang Song;Guoteng Li","doi":"10.1109/TCC.2024.3361882","DOIUrl":"10.1109/TCC.2024.3361882","url":null,"abstract":"Laconic Private Set Intersection (LPSI) is a type of PSI protocols characterized by the requirement of only two-round interactions and by having a reused message in the first round that is independent of the set size. Recently, Aranha et al. (CCS’2022) proposed a LPSI protocol that utilizes the pairing-based accumulator. However, this protocol heavily relies on time-consuming bilinear pairing operations, which can potentially cause a bottleneck. Furthermore, in certain scenarios like contact tracing, it is sufficient to only reveal the intersection cardinality. To tackle this problem and expand on its functionalities, we introduce a cloud-assisted two-party LPSI cardinality (TLPSI-CA) that inherits the properties of LPSI. Interestingly, the cloud-assisted TLPSI-CA eliminates the direct interaction between the sender and receiver, enabling the sender's message to be reused across any number of protocol executions. Besides, we further extend it to the multi-party scenario, which also possesses laconic properties. Then, we prove the two protocols’ security in achieving the defined ideal functionalities. Finally, we evaluate the performance of both protocols and find that TLPSI-CA successfully reduces the local computation costs for participants. Additionally, the multi-party protocol performs similarly to TLPSI-CA, with the exception of the higher communication costs incurred by the receiver.","PeriodicalId":13202,"journal":{"name":"IEEE Transactions on Cloud Computing","volume":null,"pages":null},"PeriodicalIF":6.5,"publicationDate":"2024-02-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139951363","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: